From 8392b39e039a8237fc85d08d62d60a03b0d0c408 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 24 Apr 2018 17:00:50 +0200 Subject: [PATCH] 4.14-stable patches added patches: acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch alarmtimer-init-nanosleep-alarm-timer-on-stack.patch alsa-hda-use-is_reachable-for-dependency-on-input.patch arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch asm-generic-provide-generic_pmdp_establish.patch asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch bcache-fix-for-allocator-and-register-thread-race.patch bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch bcache-properly-set-task-state-in-bch_writeback_thread.patch bcache-return-attach-error-when-no-cache-set-exist.patch blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch blk-mq-fix-discard-merge-with-scheduler-attached.patch blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch block-set-bio_trace_completion-on-new-bio-during-split.patch bpf-fix-rlimit-in-reuseport-net-selftest.patch bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch bpf-test_maps-cleanup-sockmaps-when-test-ends.patch btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch btrfs-fix-scrub-to-repair-raid6-corruption.patch btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch btrfs-set-plug-for-fsync.patch cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch device-property-define-type-of-property_enrty_-macros.patch dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch fm10k-fix-failed-to-kill-vid-message-for-vf.patch fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch gianfar-prevent-integer-wrapping-in-the-rx-handler.patch hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch i40e-fix-reported-mask-for-ntuple-filters.patch i40e-program-fragmented-ipv4-filter-input-set.patch i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch i40evf-ignore-link-up-if-not-running.patch i40iw-free-ieq-resources.patch i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch ib-ipoib-fix-for-potential-no-carrier-state.patch igb-allow-to-remove-administratively-set-mac-on-vfs.patch igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch input-stmfts-set-irq_noautoen-to-the-irq-flag.patch input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch iommu-exynos-don-t-unconditionally-steal-bus-ops.patch iommu-vt-d-use-domain-instead-of-cache-fetching.patch ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch irqchip-gic-v3-ignore-disabled-its-nodes.patch ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch kconfig-don-t-leak-main-menus-during-parsing.patch kconfig-fix-automatic-menu-creation-mem-leak.patch kconfig-fix-expr_free-e_not-leak.patch kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch kvm-s390-use-created_vcpus-in-more-places.patch kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch libbpf-makefile-set-specified-permission-mode.patch locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch mips-generic-fix-machine-compatible-matching.patch mips-generic-support-gic-in-eic-mode.patch mips-txx9-use-is_builtin-for-config_leds_class.patch mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch mm-mempolicy-fix-the-check-of-nodemask-from-user.patch mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch netfilter-compat-reject-huge-allocation-requests.patch netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch netfilter-x_tables-add-counters-allocation-wrapper.patch netfilter-x_tables-cap-allocations-at-512-mbyte.patch netfilter-x_tables-fix-pointer-leaks-to-userspace.patch netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch nfp-fix-error-return-code-in-nfp_pci_probe.patch nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch ntb_transport-fix-bug-with-max_mw_size-parameter.patch ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch perf-callchain-fix-attr.sample_max_stack-setting.patch perf-evsel-fix-period-freq-terms-setup.patch perf-fix-sample_max_stack-maximum-check.patch perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch perf-record-fix-period-option-handling.patch perf-return-proper-values-for-user-stack-errors.patch perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch pm-domains-fix-up-domain-idle-states-of-parsing.patch pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch powerpc-numa-ensure-nodes-initialized-for-hotplug.patch powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch proc-fix-proc-map_files-lookup.patch rdma-cma-check-existence-of-netdevice-during-port-validation.patch rdma-core-clarify-rdma_ah_find_type.patch rdma-core-reduce-poll-batch-for-direct-cq-polling.patch rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch rds-ib-fix-null-pointer-issue.patch revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch rxrpc-don-t-put-crypto-buffers-on-the-stack.patch s390-eadm-fix-config_block-include-dependency.patch samples-bpf-partially-fixes-the-bpf.o-build.patch scsi-devinfo-fix-format-of-the-device-list.patch scsi-fas216-fix-sense-buffer-initialization.patch scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch selftests-ftrace-add-some-missing-glob-checks.patch sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch spi-a3700-clear-data_out-when-performing-a-read.patch sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch svcrdma-fix-read-chunk-round-up.patch tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch tty-serial-exar-relocate-sleep-wake-up-handling.patch ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch watchdog-sp5100_tco-fix-watchdog-disable-bit.patch x86-dumpstack-avoid-uninitlized-variable.patch x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch x86-hyperv-stop-suppressing-x86_feature_pcid.patch x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch x86-power-fix-swsusp_arch_resume-prototype.patch x86-tsc-allow-tsc-calibration-without-pit.patch xen-grant-table-use-put_page-instead-of-free_page.patch xen-netfront-fix-race-between-device-setup-and-open.patch xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch --- ...tery-devices-with-unmet-dependencies.patch | 52 + ...g-during-noirq-suspend-resume-phases.patch | 53 + ..._dev-for-devs-without-mmio-resources.patch | 52 + ...ppc-change-notification-if-not-ready.patch | 100 + ...-to-initialize-acpi_type_device-devs.patch | 92 + ...-init-nanosleep-alarm-timer-on-stack.patch | 122 + ...is_reachable-for-dependency-on-input.patch | 61 + ...tical-trylock-a-b-a-with-lse-atomics.patch | 42 + ...neric-provide-generic_pmdp_establish.patch | 88 + ...timeout-tests-in-au1xac97c_ac97_read.patch | 46 + ...use-dummy_dai-for-rt5514-dsp-dailink.patch | 68 + ...r-allocator-and-register-thread-race.patch | 167 + ...fter-re-attaching-an-attached-device.patch | 122 + ...t-task-state-in-bch_writeback_thread.patch | 113 + ...attach-error-when-no-cache-set-exist.patch | 61 + ...n-attributes-with-seq_operations-set.patch | 45 + ...iscard-merge-with-scheduler-attached.patch | 159 + ...in-__blk_mq_run_hw_queue-into-printk.patch | 61 + ...e_completion-on-new-bio-during-split.patch | 33 + ...fix-rlimit-in-reuseport-net-selftest.patch | 95 + ...lure-when-config_bpf_jit_always_on-y.patch | 173 + ...with-attached-but-not-detached-progs.patch | 84 + ...maps-cleanup-sockmaps-when-test-ends.patch | 68 + ...flag-is-not-in-btrfs_super_flag_supp.patch | 45 + ...f-bounds-access-in-btrfs_search_slot.patch | 65 + ...fix-scrub-to-repair-raid6-corruption.patch | 85 + ...xpected-eexist-from-btrfs_get_extent.patch | 150 + ...tween-merge_bio-and-rbio_orig_end_io.patch | 90 + queue-4.14/btrfs-set-plug-for-fsync.patch | 52 + ...r-warnings-showing-up-with-gcc-8.0.0.patch | 41 + ...ble-hwp-during-system-resume-on-cpu0.patch | 49 + ...ach_cpu_wrap-available-on-up-as-well.patch | 43 + ...select-on-non-existing-crypto_sha384.patch | 32 + ...efine-type-of-property_enrty_-macros.patch | 78 + ...ueue-on-blk-mq-rq-allocation-failure.patch | 50 + ...relative-to-low-water-mark-threshold.patch | 45 + ...-fuc-don-t-use-movw-directly-anymore.patch | 3088 +++++++++++++++++ ...gc-encrypted-block-if-io_bits-is-set.patch | 116 + ...zed-dma-reads-on-jmicron-controllers.patch | 48 + ...an-fix-handling-of-empty-dmi-strings.patch | 86 + ...ix-failed-to-kill-vid-message-for-vf.patch | 85 + ...-when-there-is-no-pmd-support-in-dax.patch | 41 + ...t-integer-wrapping-in-the-rx-handler.patch | 84 + ...s-read-in-kovaplus_profile_activated.patch | 36 + ...fix-reported-mask-for-ntuple-filters.patch | 61 + ...ram-fragmented-ipv4-filter-input-set.patch | 63 + ...et_task-when-device-is-being-removed.patch | 63 + ...i40evf-ignore-link-up-if-not-running.patch | 73 + queue-4.14/i40iw-free-ieq-resources.patch | 62 + ...onsumer-key-on-allocate-stag-for-fmr.patch | 36 + ...pe-to-undefined-in-rdma_ah_find_type.patch | 71 + ...oll-context-for-ib_process_cq_direct.patch | 99 + ...tial-refcount-leak-in-hfi1_open_file.patch | 45 + ...eanup-to-address-driver-cleanup-race.patch | 145 + ...b-fix-for-potential-no-carrier-state.patch | 47 + ...move-administratively-set-mac-on-vfs.patch | 117 + ...r-txstmp-when-ptp_tx_work-is-timeout.patch | 74 + ...-detection-when-protocol-is-disabled.patch | 89 + ...fts-set-irq_noautoen-to-the-irq-flag.patch | 58 + ..._x-y-fuzz-after-initializing-mt-axes.patch | 50 + ...-don-t-unconditionally-steal-bus-ops.patch | 52 + ...use-domain-instead-of-cache-fetching.patch | 100 + ...or-return-code-in-ipmi_powernv_probe.patch | 37 + ...-change-pr_debug-message-to-pr_devel.patch | 162 + ...hip-gic-v3-ignore-disabled-its-nodes.patch | 78 + ...gbe-don-t-set-rxdctl.rlpml-for-82599.patch | 49 + ...-in-jffs2_iget-s-error-handling-path.patch | 86 + ...don-t-leak-main-menus-during-parsing.patch | 116 + ...fix-automatic-menu-creation-mem-leak.patch | 59 + .../kconfig-fix-expr_free-e_not-leak.patch | 56 + ...mory-regions-as-writable-if-possible.patch | 60 + ...le-migration-of-decrementer-register.patch | 106 + ...secondary-hpteg-in-hpt-resizing-code.patch | 50 + ...390-use-created_vcpus-in-more-places.patch | 48 + ...-read_once-to-access-some-scb-fields.patch | 190 + ...kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch | 52 + ...kefile-set-specified-permission-mode.patch | 38 + ...-is-updated-before-initialising-node.patch | 53 + ...le-memory-leak-in-hwsim_new_radio_nl.patch | 38 + ...-clean-of-vmlinuz.-32-ecoff-bin-srec.patch | 37 + ...eric-fix-machine-compatible-matching.patch | 43 + ...mips-generic-support-gic-in-eic-mode.patch | 77 + ...use-is_builtin-for-config_leds_class.patch | 61 + ...-partial-page-if-endbyte-is-also-eof.patch | 218 ++ ...es_empty-check-in-sysc_migrate_pages.patch | 64 + ...-fix-the-check-of-nodemask-from-user.patch | 111 + ...ncing-it-while-isolating-an-lru-page.patch | 94 + ...ck-in-khugepaged-to-avoid-long-block.patch | 95 + ...ion-of-arch_get_platform_mac_address.patch | 44 + ...d-flags-in-interrupt-status-register.patch | 47 + ...etting-the-rgmii-tx-clock-on-meson8b.patch | 62 + ...ate-rate-changes-to-the-parent-clock.patch | 55 + ...compat_init_offsets-to-return-errors.patch | 171 + ...mpat-reject-huge-allocation-requests.patch | 68 + ...g-kill-frag-queue-on-rfc2460-failure.patch | 37 + ...pass-on-packets-to-stack-per-rfc2460.patch | 103 + ...bles-add-counters-allocation-wrapper.patch | 91 + ..._tables-cap-allocations-at-512-mbyte.patch | 40 + ...ables-fix-pointer-leaks-to-userspace.patch | 85 + ...ocation-requests-for-blob-rule-heads.patch | 32 + ...x-error-return-code-in-nfp_pci_probe.patch | 33 + ...t-nfs_idmap_cache_timeout-to-jiffies.patch | 39 + ...et-nfs_lock_lost-when-a-lock-is-lost.patch | 105 + ...t-fix-bug-with-max_mw_size-parameter.patch | 46 + ...o-protect-getting-extended-attribute.patch | 92 + ...ount.ocfs2-if-inode-block-is-invalid.patch | 67 + ...attempt-to-access-a-dirty-bh-in-jbd2.patch | 99 + ...acket-before-l3-conntrack-processing.patch | 100 + ...qd_intx_xlate-for-config_pci-n-build.patch | 56 + ...n-1-dma-alias-quirk-for-marvell-9128.patch | 37 + ...in-fix-attr.sample_max_stack-setting.patch | 103 + ...rf-evsel-fix-period-freq-terms-setup.patch | 65 + ...f-fix-sample_max_stack-maximum-check.patch | 90 + ...-memory-allocation-for-get_cpuid_str.patch | 42 + ...rf-record-fix-period-option-handling.patch | 105 + ...-proper-values-for-user-stack-errors.patch | 46 + ...ce-probe_libc_inet_pton.sh-for-s390x.patch | 146 + ...e-global-callchain_param.record_mode.patch | 250 ++ ...ous-keyboard-backlight-change-events.patch | 103 + ...uppress-warning-about-palm-detection.patch | 59 + ...fix-up-domain-idle-states-of-parsing.patch | 139 + ...ix-unbalanced-irq-enable-for-wakeirq.patch | 70 + ...-hash64-zero-pgd-pages-on-allocation.patch | 59 + ...ensure-nodes-initialized-for-hotplug.patch | 137 + ...y-domains-to-discover-possible-nodes.patch | 132 + ...-of-bounds-memory-access-at-shutdown.patch | 65 + ...aving-oops-using-die-synchronisation.patch | 43 + .../proc-fix-proc-map_files-lookup.patch | 106 + ...-of-netdevice-during-port-validation.patch | 46 + .../rdma-core-clarify-rdma_ah_find_type.patch | 39 + ...uce-poll-batch-for-direct-cq-polling.patch | 107 + ...leak-in-case-of-xrcd-dealloc-failure.patch | 44 + ...eference-while-accessing-xrc_tgt-qps.patch | 77 + ...guous-errno-for-method-not-supported.patch | 77 + .../rds-ib-fix-null-pointer-issue.patch | 85 + ...ram-accessing-even-if-vm-is-shutdown.patch | 72 + ...on-t-put-crypto-buffers-on-the-stack.patch | 246 ++ ...-fix-config_block-include-dependency.patch | 41 + ...-bpf-partially-fixes-the-bpf.o-build.patch | 47 + ...evinfo-fix-format-of-the-device-list.patch | 55 + ...s216-fix-sense-buffer-initialization.patch | 42 + ...arning-in-qla2x00_async_iocb_timeout.patch | 45 + ...fix-to-pick-text-symbols-for-kprobes.patch | 41 + ...-ftrace-add-some-missing-glob-checks.patch | 42 + queue-4.14/series | 167 + ...p_invalidate-to-return-old-pmd-value.patch | 85 + ...lear-data_out-when-performing-a-read.patch | 40 + ...inc_stats-from-a-preemptible-context.patch | 62 + .../svcrdma-fix-read-chunk-round-up.patch | 88 + ...tial-integer-overflow-in-tcpnv_acked.patch | 43 + ...ix-get_field_str-for-dynamic-strings.patch | 56 + ...plify-pointer-print-logic-and-fix-pf.patch | 61 + ...pf-elf-objects-containing-.eh_frames.patch | 89 + ...l-clock-bases-and-modes-into-account.patch | 69 + ...exar-relocate-sleep-wake-up-handling.patch | 163 + ...ialized-variable-in-search_dh_cookie.patch | 74 + ...ault-when-dumping-vsyscall-user-page.patch | 74 + ...-sp5100_tco-fix-watchdog-disable-bit.patch | 36 + ...dumpstack-avoid-uninitlized-variable.patch | 49 + ...r-required-priviliges-in-hyperv_init.patch | 59 + ...rv-stop-suppressing-x86_feature_pcid.patch | 86 + ...th-for-fast-mmio-when-running-nested.patch | 78 + ...am-range-table-entries-less-than-1gb.patch | 62 + ...wer-fix-swsusp_arch_resume-prototype.patch | 88 + ...sc-allow-tsc-calibration-without-pit.patch | 94 + ...le-use-put_page-instead-of-free_page.patch | 51 + ...x-race-between-device-setup-and-open.patch | 178 + ...nel-allocation-of-extra-rpcrdma_reps.patch | 142 + 168 files changed, 16118 insertions(+) create mode 100644 queue-4.14/acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch create mode 100644 queue-4.14/acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch create mode 100644 queue-4.14/acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch create mode 100644 queue-4.14/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch create mode 100644 queue-4.14/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch create mode 100644 queue-4.14/alarmtimer-init-nanosleep-alarm-timer-on-stack.patch create mode 100644 queue-4.14/alsa-hda-use-is_reachable-for-dependency-on-input.patch create mode 100644 queue-4.14/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch create mode 100644 queue-4.14/asm-generic-provide-generic_pmdp_establish.patch create mode 100644 queue-4.14/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch create mode 100644 queue-4.14/asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch create mode 100644 queue-4.14/bcache-fix-for-allocator-and-register-thread-race.patch create mode 100644 queue-4.14/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch create mode 100644 queue-4.14/bcache-properly-set-task-state-in-bch_writeback_thread.patch create mode 100644 queue-4.14/bcache-return-attach-error-when-no-cache-set-exist.patch create mode 100644 queue-4.14/blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch create mode 100644 queue-4.14/blk-mq-fix-discard-merge-with-scheduler-attached.patch create mode 100644 queue-4.14/blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch create mode 100644 queue-4.14/block-set-bio_trace_completion-on-new-bio-during-split.patch create mode 100644 queue-4.14/bpf-fix-rlimit-in-reuseport-net-selftest.patch create mode 100644 queue-4.14/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch create mode 100644 queue-4.14/bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch create mode 100644 queue-4.14/bpf-test_maps-cleanup-sockmaps-when-test-ends.patch create mode 100644 queue-4.14/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch create mode 100644 queue-4.14/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch create mode 100644 queue-4.14/btrfs-fix-scrub-to-repair-raid6-corruption.patch create mode 100644 queue-4.14/btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch create mode 100644 queue-4.14/btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch create mode 100644 queue-4.14/btrfs-set-plug-for-fsync.patch create mode 100644 queue-4.14/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch create mode 100644 queue-4.14/cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch create mode 100644 queue-4.14/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch create mode 100644 queue-4.14/crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch create mode 100644 queue-4.14/device-property-define-type-of-property_enrty_-macros.patch create mode 100644 queue-4.14/dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch create mode 100644 queue-4.14/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch create mode 100644 queue-4.14/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch create mode 100644 queue-4.14/f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch create mode 100644 queue-4.14/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch create mode 100644 queue-4.14/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch create mode 100644 queue-4.14/fm10k-fix-failed-to-kill-vid-message-for-vf.patch create mode 100644 queue-4.14/fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch create mode 100644 queue-4.14/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch create mode 100644 queue-4.14/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch create mode 100644 queue-4.14/i40e-fix-reported-mask-for-ntuple-filters.patch create mode 100644 queue-4.14/i40e-program-fragmented-ipv4-filter-input-set.patch create mode 100644 queue-4.14/i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch create mode 100644 queue-4.14/i40evf-ignore-link-up-if-not-running.patch create mode 100644 queue-4.14/i40iw-free-ieq-resources.patch create mode 100644 queue-4.14/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch create mode 100644 queue-4.14/ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch create mode 100644 queue-4.14/ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch create mode 100644 queue-4.14/ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch create mode 100644 queue-4.14/ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch create mode 100644 queue-4.14/ib-ipoib-fix-for-potential-no-carrier-state.patch create mode 100644 queue-4.14/igb-allow-to-remove-administratively-set-mac-on-vfs.patch create mode 100644 queue-4.14/igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch create mode 100644 queue-4.14/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch create mode 100644 queue-4.14/input-stmfts-set-irq_noautoen-to-the-irq-flag.patch create mode 100644 queue-4.14/input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch create mode 100644 queue-4.14/iommu-exynos-don-t-unconditionally-steal-bus-ops.patch create mode 100644 queue-4.14/iommu-vt-d-use-domain-instead-of-cache-fetching.patch create mode 100644 queue-4.14/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch create mode 100644 queue-4.14/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch create mode 100644 queue-4.14/irqchip-gic-v3-ignore-disabled-its-nodes.patch create mode 100644 queue-4.14/ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch create mode 100644 queue-4.14/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch create mode 100644 queue-4.14/kconfig-don-t-leak-main-menus-during-parsing.patch create mode 100644 queue-4.14/kconfig-fix-automatic-menu-creation-mem-leak.patch create mode 100644 queue-4.14/kconfig-fix-expr_free-e_not-leak.patch create mode 100644 queue-4.14/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch create mode 100644 queue-4.14/kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch create mode 100644 queue-4.14/kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch create mode 100644 queue-4.14/kvm-s390-use-created_vcpus-in-more-places.patch create mode 100644 queue-4.14/kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch create mode 100644 queue-4.14/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch create mode 100644 queue-4.14/libbpf-makefile-set-specified-permission-mode.patch create mode 100644 queue-4.14/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch create mode 100644 queue-4.14/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch create mode 100644 queue-4.14/mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch create mode 100644 queue-4.14/mips-generic-fix-machine-compatible-matching.patch create mode 100644 queue-4.14/mips-generic-support-gic-in-eic-mode.patch create mode 100644 queue-4.14/mips-txx9-use-is_builtin-for-config_leds_class.patch create mode 100644 queue-4.14/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch create mode 100644 queue-4.14/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch create mode 100644 queue-4.14/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch create mode 100644 queue-4.14/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch create mode 100644 queue-4.14/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch create mode 100644 queue-4.14/net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch create mode 100644 queue-4.14/net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch create mode 100644 queue-4.14/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch create mode 100644 queue-4.14/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch create mode 100644 queue-4.14/netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch create mode 100644 queue-4.14/netfilter-compat-reject-huge-allocation-requests.patch create mode 100644 queue-4.14/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch create mode 100644 queue-4.14/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch create mode 100644 queue-4.14/netfilter-x_tables-add-counters-allocation-wrapper.patch create mode 100644 queue-4.14/netfilter-x_tables-cap-allocations-at-512-mbyte.patch create mode 100644 queue-4.14/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch create mode 100644 queue-4.14/netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch create mode 100644 queue-4.14/nfp-fix-error-return-code-in-nfp_pci_probe.patch create mode 100644 queue-4.14/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch create mode 100644 queue-4.14/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch create mode 100644 queue-4.14/ntb_transport-fix-bug-with-max_mw_size-parameter.patch create mode 100644 queue-4.14/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch create mode 100644 queue-4.14/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch create mode 100644 queue-4.14/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch create mode 100644 queue-4.14/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch create mode 100644 queue-4.14/pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch create mode 100644 queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch create mode 100644 queue-4.14/perf-callchain-fix-attr.sample_max_stack-setting.patch create mode 100644 queue-4.14/perf-evsel-fix-period-freq-terms-setup.patch create mode 100644 queue-4.14/perf-fix-sample_max_stack-maximum-check.patch create mode 100644 queue-4.14/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch create mode 100644 queue-4.14/perf-record-fix-period-option-handling.patch create mode 100644 queue-4.14/perf-return-proper-values-for-user-stack-errors.patch create mode 100644 queue-4.14/perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch create mode 100644 queue-4.14/perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch create mode 100644 queue-4.14/platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch create mode 100644 queue-4.14/platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch create mode 100644 queue-4.14/pm-domains-fix-up-domain-idle-states-of-parsing.patch create mode 100644 queue-4.14/pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch create mode 100644 queue-4.14/powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch create mode 100644 queue-4.14/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch create mode 100644 queue-4.14/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch create mode 100644 queue-4.14/powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch create mode 100644 queue-4.14/powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch create mode 100644 queue-4.14/proc-fix-proc-map_files-lookup.patch create mode 100644 queue-4.14/rdma-cma-check-existence-of-netdevice-during-port-validation.patch create mode 100644 queue-4.14/rdma-core-clarify-rdma_ah_find_type.patch create mode 100644 queue-4.14/rdma-core-reduce-poll-batch-for-direct-cq-polling.patch create mode 100644 queue-4.14/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch create mode 100644 queue-4.14/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch create mode 100644 queue-4.14/rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch create mode 100644 queue-4.14/rds-ib-fix-null-pointer-issue.patch create mode 100644 queue-4.14/revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch create mode 100644 queue-4.14/rxrpc-don-t-put-crypto-buffers-on-the-stack.patch create mode 100644 queue-4.14/s390-eadm-fix-config_block-include-dependency.patch create mode 100644 queue-4.14/samples-bpf-partially-fixes-the-bpf.o-build.patch create mode 100644 queue-4.14/scsi-devinfo-fix-format-of-the-device-list.patch create mode 100644 queue-4.14/scsi-fas216-fix-sense-buffer-initialization.patch create mode 100644 queue-4.14/scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch create mode 100644 queue-4.14/selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch create mode 100644 queue-4.14/selftests-ftrace-add-some-missing-glob-checks.patch create mode 100644 queue-4.14/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch create mode 100644 queue-4.14/spi-a3700-clear-data_out-when-performing-a-read.patch create mode 100644 queue-4.14/sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch create mode 100644 queue-4.14/svcrdma-fix-read-chunk-round-up.patch create mode 100644 queue-4.14/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch create mode 100644 queue-4.14/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch create mode 100644 queue-4.14/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch create mode 100644 queue-4.14/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch create mode 100644 queue-4.14/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch create mode 100644 queue-4.14/tty-serial-exar-relocate-sleep-wake-up-handling.patch create mode 100644 queue-4.14/ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch create mode 100644 queue-4.14/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch create mode 100644 queue-4.14/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch create mode 100644 queue-4.14/x86-dumpstack-avoid-uninitlized-variable.patch create mode 100644 queue-4.14/x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch create mode 100644 queue-4.14/x86-hyperv-stop-suppressing-x86_feature_pcid.patch create mode 100644 queue-4.14/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch create mode 100644 queue-4.14/x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch create mode 100644 queue-4.14/x86-power-fix-swsusp_arch_resume-prototype.patch create mode 100644 queue-4.14/x86-tsc-allow-tsc-calibration-without-pit.patch create mode 100644 queue-4.14/xen-grant-table-use-put_page-instead-of-free_page.patch create mode 100644 queue-4.14/xen-netfront-fix-race-between-device-setup-and-open.patch create mode 100644 queue-4.14/xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch diff --git a/queue-4.14/acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch b/queue-4.14/acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch new file mode 100644 index 00000000000..911bf3bf68a --- /dev/null +++ b/queue-4.14/acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Hans de Goede +Date: Fri, 26 Jan 2018 16:02:58 +0100 +Subject: ACPI / bus: Do not call _STA on battery devices with unmet dependencies + +From: Hans de Goede + + +[ Upstream commit 54ddce7062242036402242242c07c60c0b505f84 ] + +The battery code uses acpi_device->dep_unmet to check for unmet deps and +if there are unmet deps it does not bind to the device to avoid errors +about missing OpRegions when calling ACPI methods on the device. + +The missing OpRegions when there are unmet deps problem also applies to +the _STA method of some battery devices and calling it too early results +in errors like these: + +[ 0.123579] ACPI Error: No handler for Region [ECRM] (00000000ba9edc4c) + [GenericSerialBus] (20170831/evregion-166) +[ 0.123601] ACPI Error: Region GenericSerialBus (ID=9) has no handler + (20170831/exfldio-299) +[ 0.123618] ACPI Error: Method parse/execution failed + \_SB.I2C1.BAT1._STA, AE_NOT_EXIST (20170831/psparse-550) + +This commit fixes these errors happening when acpi_get_bus_status gets +called by checking dep_unmet for battery devices and reporting a status +of 0 until all dependencies are met. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/bus.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -146,6 +146,12 @@ int acpi_bus_get_status(struct acpi_devi + return 0; + } + ++ /* Battery devices must have their deps met before calling _STA */ ++ if (acpi_device_is_battery(device) && device->dep_unmet) { ++ acpi_set_device_status(device, 0); ++ return 0; ++ } ++ + status = acpi_bus_get_status_handle(device->handle, &sta); + if (ACPI_FAILURE(status)) + return -ENODEV; diff --git a/queue-4.14/acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch b/queue-4.14/acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch new file mode 100644 index 00000000000..8a0b9953e99 --- /dev/null +++ b/queue-4.14/acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Rafael J. Wysocki" +Date: Fri, 9 Feb 2018 22:55:28 +0100 +Subject: ACPI / EC: Restore polling during noirq suspend/resume phases + +From: "Rafael J. Wysocki" + + +[ Upstream commit 3cd091a773936c54344a519f7ee1379ccb620bee ] + +Commit 662591461c4b (ACPI / EC: Drop EC noirq hooks to fix a +regression) modified the ACPI EC driver so that it doesn't switch +over to busy polling mode during noirq stages of system suspend and +resume in an attempt to fix an issue resulting from that behavior. + +However, that modification introduced a system resume regression on +Thinkpad X240, so make the EC driver switch over to the polling mode +during noirq stages of system suspend and resume again, which +effectively reverts the problematic commit. + +Fixes: 662591461c4b (ACPI / EC: Drop EC noirq hooks to fix a regression) +Link: https://bugzilla.kernel.org/show_bug.cgi?id=197863 +Reported-by: Markus Demleitner +Tested-by: Markus Demleitner +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ec.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1927,6 +1927,9 @@ static int acpi_ec_suspend_noirq(struct + ec->reference_count >= 1) + acpi_set_gpe(NULL, ec->gpe, ACPI_GPE_DISABLE); + ++ if (acpi_sleep_no_ec_events()) ++ acpi_ec_enter_noirq(ec); ++ + return 0; + } + +@@ -1934,6 +1937,9 @@ static int acpi_ec_resume_noirq(struct d + { + struct acpi_ec *ec = acpi_driver_data(to_acpi_device(dev)); + ++ if (acpi_sleep_no_ec_events()) ++ acpi_ec_leave_noirq(ec); ++ + if (ec_no_wakeup && test_bit(EC_FLAGS_STARTED, &ec->flags) && + ec->reference_count >= 1) + acpi_set_gpe(NULL, ec->gpe, ACPI_GPE_ENABLE); diff --git a/queue-4.14/acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch b/queue-4.14/acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch new file mode 100644 index 00000000000..71261ca8edf --- /dev/null +++ b/queue-4.14/acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Hans de Goede +Date: Sun, 14 Jan 2018 21:01:48 +0100 +Subject: ACPI / LPSS: Do not instiate platform_dev for devs without MMIO resources + +From: Hans de Goede + + +[ Upstream commit e1681599345b8466786b6e54a2db2a00a068a3f3 ] + +acpi_lpss_create_device() skips handling LPSS devices which do not have +a mmio resources in their resource list (typically these devices are +disabled by the firmware). But since the LPSS code does not bind to the +device, acpi_bus_attach() ends up still creating a platform device for +it and the regular platform_driver for the ACPI HID still tries to bind +to it. + +This happens e.g. on some boards which do not use the pwm-controller +and have an empty or invalid resource-table for it. Currently this causes +these error messages to get logged: + +[ 3.281966] pwm-lpss 80862288:00: invalid resource +[ 3.287098] pwm-lpss: probe of 80862288:00 failed with error -22 + +This commit stops the undesirable creation of a platform_device for +disabled LPSS devices by setting pnp.type.platform_id to 0. Note that +acpi_scan_attach_handler() also sets pnp.type.platform_id to 0 when there +is a matching handler for the device and that handler has no attach +callback, so we simply behave as a handler without an attach function +in this case. + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_lpss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/acpi/acpi_lpss.c ++++ b/drivers/acpi/acpi_lpss.c +@@ -465,6 +465,8 @@ static int acpi_lpss_create_device(struc + acpi_dev_free_resource_list(&resource_list); + + if (!pdata->mmio_base) { ++ /* Avoid acpi_bus_attach() instantiating a pdev for this dev. */ ++ adev->pnp.type.platform_id = 0; + /* Skip the device, but continue the namespace scan. */ + ret = 0; + goto err_out; diff --git a/queue-4.14/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch b/queue-4.14/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch new file mode 100644 index 00000000000..d3b8f835357 --- /dev/null +++ b/queue-4.14/acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch @@ -0,0 +1,100 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Chen Yu +Date: Mon, 29 Jan 2018 10:26:46 +0800 +Subject: ACPI: processor_perflib: Do not send _PPC change notification if not ready + +From: Chen Yu + + +[ Upstream commit ba1edb9a5125a617d612f98eead14b9b84e75c3a ] + +The following warning was triggered after resumed from S3 - +if all the nonboot CPUs were put offline before suspend: + +[ 1840.329515] unchecked MSR access error: RDMSR from 0x771 at rIP: 0xffffffff86061e3a (native_read_msr+0xa/0x30) +[ 1840.329516] Call Trace: +[ 1840.329521] __rdmsr_on_cpu+0x33/0x50 +[ 1840.329525] generic_exec_single+0x81/0xb0 +[ 1840.329527] smp_call_function_single+0xd2/0x100 +[ 1840.329530] ? acpi_ds_result_pop+0xdd/0xf2 +[ 1840.329532] ? acpi_ds_create_operand+0x215/0x23c +[ 1840.329534] rdmsrl_on_cpu+0x57/0x80 +[ 1840.329536] ? cpumask_next+0x1b/0x20 +[ 1840.329538] ? rdmsrl_on_cpu+0x57/0x80 +[ 1840.329541] intel_pstate_update_perf_limits+0xf3/0x220 +[ 1840.329544] ? notifier_call_chain+0x4a/0x70 +[ 1840.329546] intel_pstate_set_policy+0x4e/0x150 +[ 1840.329548] cpufreq_set_policy+0xcd/0x2f0 +[ 1840.329550] cpufreq_update_policy+0xb2/0x130 +[ 1840.329552] ? cpufreq_update_policy+0x130/0x130 +[ 1840.329556] acpi_processor_ppc_has_changed+0x65/0x80 +[ 1840.329558] acpi_processor_notify+0x80/0x100 +[ 1840.329561] acpi_ev_notify_dispatch+0x44/0x5c +[ 1840.329563] acpi_os_execute_deferred+0x14/0x20 +[ 1840.329565] process_one_work+0x193/0x3c0 +[ 1840.329567] worker_thread+0x35/0x3b0 +[ 1840.329569] kthread+0x125/0x140 +[ 1840.329571] ? process_one_work+0x3c0/0x3c0 +[ 1840.329572] ? kthread_park+0x60/0x60 +[ 1840.329575] ? do_syscall_64+0x67/0x180 +[ 1840.329577] ret_from_fork+0x25/0x30 +[ 1840.329585] unchecked MSR access error: WRMSR to 0x774 (tried to write 0x0000000000000000) at rIP: 0xffffffff86061f78 (native_write_msr+0x8/0x30) +[ 1840.329586] Call Trace: +[ 1840.329587] __wrmsr_on_cpu+0x37/0x40 +[ 1840.329589] generic_exec_single+0x81/0xb0 +[ 1840.329592] smp_call_function_single+0xd2/0x100 +[ 1840.329594] ? acpi_ds_create_operand+0x215/0x23c +[ 1840.329595] ? cpumask_next+0x1b/0x20 +[ 1840.329597] wrmsrl_on_cpu+0x57/0x70 +[ 1840.329598] ? rdmsrl_on_cpu+0x57/0x80 +[ 1840.329599] ? wrmsrl_on_cpu+0x57/0x70 +[ 1840.329602] intel_pstate_hwp_set+0xd3/0x150 +[ 1840.329604] intel_pstate_set_policy+0x119/0x150 +[ 1840.329606] cpufreq_set_policy+0xcd/0x2f0 +[ 1840.329607] cpufreq_update_policy+0xb2/0x130 +[ 1840.329610] ? cpufreq_update_policy+0x130/0x130 +[ 1840.329613] acpi_processor_ppc_has_changed+0x65/0x80 +[ 1840.329615] acpi_processor_notify+0x80/0x100 +[ 1840.329617] acpi_ev_notify_dispatch+0x44/0x5c +[ 1840.329619] acpi_os_execute_deferred+0x14/0x20 +[ 1840.329620] process_one_work+0x193/0x3c0 +[ 1840.329622] worker_thread+0x35/0x3b0 +[ 1840.329624] kthread+0x125/0x140 +[ 1840.329625] ? process_one_work+0x3c0/0x3c0 +[ 1840.329626] ? kthread_park+0x60/0x60 +[ 1840.329628] ? do_syscall_64+0x67/0x180 +[ 1840.329631] ret_from_fork+0x25/0x30 + +This is because if there's only one online CPU, the MSR_PM_ENABLE +(package wide)can not be enabled after resumed, due to +intel_pstate_hwp_enable() will only be invoked on AP's online +process after resumed - if there's no AP online, the HWP remains +disabled after resumed (BIOS has disabled it in S3). Then if +there comes a _PPC change notification which touches HWP register +during this stage, the warning is triggered. + +Since we don't call acpi_processor_register_performance() when +HWP is enabled, the pr->performance will be NULL. When this is +NULL we don't need to do _PPC change notification. + +Reported-by: Doug Smythies +Suggested-by: Srinivas Pandruvada +Signed-off-by: Yu Chen +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_perflib.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/processor_perflib.c ++++ b/drivers/acpi/processor_perflib.c +@@ -159,7 +159,7 @@ void acpi_processor_ppc_has_changed(stru + { + int ret; + +- if (ignore_ppc) { ++ if (ignore_ppc || !pr->performance) { + /* + * Only when it is notification event, the _OST object + * will be evaluated. Otherwise it is skipped. diff --git a/queue-4.14/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch b/queue-4.14/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch new file mode 100644 index 00000000000..063eef45680 --- /dev/null +++ b/queue-4.14/acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch @@ -0,0 +1,92 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Hans de Goede +Date: Fri, 26 Jan 2018 16:02:59 +0100 +Subject: ACPI / scan: Use acpi_bus_get_status() to initialize ACPI_TYPE_DEVICE devs + +From: Hans de Goede + + +[ Upstream commit 63347db0affadcbccd5613116ea8431c70139b3e ] + +The acpi_get_bus_status wrapper for acpi_bus_get_status_handle has some +code to handle certain device quirks, in some cases we also need this +quirk handling for the initial _STA call. + +Specifically on some devices calling _STA before all _DEP dependencies +are met results in errors like these: + +[ 0.123579] ACPI Error: No handler for Region [ECRM] (00000000ba9edc4c) + [GenericSerialBus] (20170831/evregion-166) +[ 0.123601] ACPI Error: Region GenericSerialBus (ID=9) has no handler + (20170831/exfldio-299) +[ 0.123618] ACPI Error: Method parse/execution failed + \_SB.I2C1.BAT1._STA, AE_NOT_EXIST (20170831/psparse-550) + +acpi_get_bus_status already has code to avoid this, so by using it we +also silence these errors from the initial _STA call. + +Note that in order for the acpi_get_bus_status handling for this to work, +we initialize dep_unmet to 1 until acpi_device_dep_initialize gets called, +this means that battery devices will be instantiated with an initial +status of 0. This is not a problem, acpi_bus_attach will get called soon +after the instantiation anyways and it will update the status as first +point of order. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/scan.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1568,6 +1568,8 @@ void acpi_init_device_object(struct acpi + device_initialize(&device->dev); + dev_set_uevent_suppress(&device->dev, true); + acpi_init_coherency(device); ++ /* Assume there are unmet deps until acpi_device_dep_initialize() runs */ ++ device->dep_unmet = 1; + } + + void acpi_device_add_finalize(struct acpi_device *device) +@@ -1591,6 +1593,14 @@ static int acpi_add_single_object(struct + } + + acpi_init_device_object(device, handle, type, sta); ++ /* ++ * For ACPI_BUS_TYPE_DEVICE getting the status is delayed till here so ++ * that we can call acpi_bus_get_status() and use its quirk handling. ++ * Note this must be done before the get power-/wakeup_dev-flags calls. ++ */ ++ if (type == ACPI_BUS_TYPE_DEVICE) ++ acpi_bus_get_status(device); ++ + acpi_bus_get_power_flags(device); + acpi_bus_get_wakeup_device_flags(device); + +@@ -1663,9 +1673,11 @@ static int acpi_bus_type_and_status(acpi + return -ENODEV; + + *type = ACPI_BUS_TYPE_DEVICE; +- status = acpi_bus_get_status_handle(handle, sta); +- if (ACPI_FAILURE(status)) +- *sta = 0; ++ /* ++ * acpi_add_single_object updates this once we've an acpi_device ++ * so that acpi_bus_get_status' quirk handling can be used. ++ */ ++ *sta = 0; + break; + case ACPI_TYPE_PROCESSOR: + *type = ACPI_BUS_TYPE_PROCESSOR; +@@ -1763,6 +1775,8 @@ static void acpi_device_dep_initialize(s + acpi_status status; + int i; + ++ adev->dep_unmet = 0; ++ + if (!acpi_has_method(adev->handle, "_DEP")) + return; + diff --git a/queue-4.14/alarmtimer-init-nanosleep-alarm-timer-on-stack.patch b/queue-4.14/alarmtimer-init-nanosleep-alarm-timer-on-stack.patch new file mode 100644 index 00000000000..47f3725300a --- /dev/null +++ b/queue-4.14/alarmtimer-init-nanosleep-alarm-timer-on-stack.patch @@ -0,0 +1,122 @@ +From bd03143007eb9b03a7f2316c677780561b68ba2a Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 26 Mar 2018 15:29:57 +0200 +Subject: alarmtimer: Init nanosleep alarm timer on stack + +From: Thomas Gleixner + +commit bd03143007eb9b03a7f2316c677780561b68ba2a upstream. + +syszbot reported the following debugobjects splat: + + ODEBUG: object is on stack, but not annotated + WARNING: CPU: 0 PID: 4185 at lib/debugobjects.c:328 + + RIP: 0010:debug_object_is_on_stack lib/debugobjects.c:327 [inline] + debug_object_init+0x17/0x20 lib/debugobjects.c:391 + debug_hrtimer_init kernel/time/hrtimer.c:410 [inline] + debug_init kernel/time/hrtimer.c:458 [inline] + hrtimer_init+0x8c/0x410 kernel/time/hrtimer.c:1259 + alarm_init kernel/time/alarmtimer.c:339 [inline] + alarm_timer_nsleep+0x164/0x4d0 kernel/time/alarmtimer.c:787 + SYSC_clock_nanosleep kernel/time/posix-timers.c:1226 [inline] + SyS_clock_nanosleep+0x235/0x330 kernel/time/posix-timers.c:1204 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +This happens because the hrtimer for the alarm nanosleep is on stack, but +the code does not use the proper debug objects initialization. + +Split out the code for the allocated use cases and invoke +hrtimer_init_on_stack() for the nanosleep related functions. + +Reported-by: syzbot+a3e0726462b2e346a31d@syzkaller.appspotmail.com +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Cc: syzkaller-bugs@googlegroups.com +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1803261528270.1585@nanos.tec.linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/alarmtimer.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -326,6 +326,17 @@ static int alarmtimer_resume(struct devi + } + #endif + ++static void ++__alarm_init(struct alarm *alarm, enum alarmtimer_type type, ++ enum alarmtimer_restart (*function)(struct alarm *, ktime_t)) ++{ ++ timerqueue_init(&alarm->node); ++ alarm->timer.function = alarmtimer_fired; ++ alarm->function = function; ++ alarm->type = type; ++ alarm->state = ALARMTIMER_STATE_INACTIVE; ++} ++ + /** + * alarm_init - Initialize an alarm structure + * @alarm: ptr to alarm to be initialized +@@ -335,13 +346,9 @@ static int alarmtimer_resume(struct devi + void alarm_init(struct alarm *alarm, enum alarmtimer_type type, + enum alarmtimer_restart (*function)(struct alarm *, ktime_t)) + { +- timerqueue_init(&alarm->node); + hrtimer_init(&alarm->timer, alarm_bases[type].base_clockid, +- HRTIMER_MODE_ABS); +- alarm->timer.function = alarmtimer_fired; +- alarm->function = function; +- alarm->type = type; +- alarm->state = ALARMTIMER_STATE_INACTIVE; ++ HRTIMER_MODE_ABS); ++ __alarm_init(alarm, type, function); + } + EXPORT_SYMBOL_GPL(alarm_init); + +@@ -719,6 +726,8 @@ static int alarmtimer_do_nsleep(struct a + + __set_current_state(TASK_RUNNING); + ++ destroy_hrtimer_on_stack(&alarm->timer); ++ + if (!alarm->data) + return 0; + +@@ -740,6 +749,15 @@ static int alarmtimer_do_nsleep(struct a + return -ERESTART_RESTARTBLOCK; + } + ++static void ++alarm_init_on_stack(struct alarm *alarm, enum alarmtimer_type type, ++ enum alarmtimer_restart (*function)(struct alarm *, ktime_t)) ++{ ++ hrtimer_init_on_stack(&alarm->timer, alarm_bases[type].base_clockid, ++ HRTIMER_MODE_ABS); ++ __alarm_init(alarm, type, function); ++} ++ + /** + * alarm_timer_nsleep_restart - restartblock alarmtimer nsleep + * @restart: ptr to restart block +@@ -752,7 +770,7 @@ static long __sched alarm_timer_nsleep_r + ktime_t exp = restart->nanosleep.expires; + struct alarm alarm; + +- alarm_init(&alarm, type, alarmtimer_nsleep_wakeup); ++ alarm_init_on_stack(&alarm, type, alarmtimer_nsleep_wakeup); + + return alarmtimer_do_nsleep(&alarm, exp, type); + } +@@ -784,7 +802,7 @@ static int alarm_timer_nsleep(const cloc + if (!capable(CAP_WAKE_ALARM)) + return -EPERM; + +- alarm_init(&alarm, type, alarmtimer_nsleep_wakeup); ++ alarm_init_on_stack(&alarm, type, alarmtimer_nsleep_wakeup); + + exp = timespec64_to_ktime(*tsreq); + /* Convert (if necessary) to absolute time */ diff --git a/queue-4.14/alsa-hda-use-is_reachable-for-dependency-on-input.patch b/queue-4.14/alsa-hda-use-is_reachable-for-dependency-on-input.patch new file mode 100644 index 00000000000..13cc095fa9d --- /dev/null +++ b/queue-4.14/alsa-hda-use-is_reachable-for-dependency-on-input.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Takashi Iwai +Date: Mon, 15 Jan 2018 10:44:35 +0100 +Subject: ALSA: hda - Use IS_REACHABLE() for dependency on input + +From: Takashi Iwai + + +[ Upstream commit c469652bb5e8fb715db7d152f46d33b3740c9b87 ] + +The commit ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek +HD-audio codec") introduced the reverse-selection of CONFIG_INPUT for +Realtek codec in order to avoid the mess with dependency between +built-in and modules. Later on, we obtained IS_REACHABLE() macro +exactly for this kind of problems, and now we can remove th INPUT +selection in Kconfig and put IS_REACHABLE(INPUT) to the appropriate +places in the code, so that the driver doesn't need to select other +subsystem forcibly. + +Fixes: ffcd28d88e4f ("ALSA: hda - Select INPUT for Realtek HD-audio codec") +Reported-by: Randy Dunlap +Acked-by: Randy Dunlap # and build-tested +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/Kconfig | 1 - + sound/pci/hda/patch_realtek.c | 5 +++++ + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/Kconfig ++++ b/sound/pci/hda/Kconfig +@@ -88,7 +88,6 @@ config SND_HDA_PATCH_LOADER + config SND_HDA_CODEC_REALTEK + tristate "Build Realtek HD-audio codec support" + select SND_HDA_GENERIC +- select INPUT + help + Say Y or M here to include Realtek HD-audio codec support in + snd-hda-intel driver, such as ALC880. +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -3721,6 +3721,7 @@ static void alc280_fixup_hp_gpio4(struct + } + } + ++#if IS_REACHABLE(INPUT) + static void gpio2_mic_hotkey_event(struct hda_codec *codec, + struct hda_jack_callback *event) + { +@@ -3853,6 +3854,10 @@ static void alc233_fixup_lenovo_line2_mi + spec->kb_dev = NULL; + } + } ++#else /* INPUT */ ++#define alc280_fixup_hp_gpio2_mic_hotkey NULL ++#define alc233_fixup_lenovo_line2_mic_hotkey NULL ++#endif /* INPUT */ + + static void alc269_fixup_hp_line1_mic1_led(struct hda_codec *codec, + const struct hda_fixup *fix, int action) diff --git a/queue-4.14/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch b/queue-4.14/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch new file mode 100644 index 00000000000..b1c25ddcf5b --- /dev/null +++ b/queue-4.14/arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Will Deacon +Date: Wed, 31 Jan 2018 12:12:20 +0000 +Subject: arm64: spinlock: Fix theoretical trylock() A-B-A with LSE atomics + +From: Will Deacon + + +[ Upstream commit 202fb4ef81e3ec765c23bd1e6746a5c25b797d0e ] + +If the spinlock "next" ticket wraps around between the initial LDR +and the cmpxchg in the LSE version of spin_trylock, then we can erroneously +think that we have successfuly acquired the lock because we only check +whether the next ticket return by the cmpxchg is equal to the owner ticket +in our updated lock word. + +This patch fixes the issue by performing a full 32-bit check of the lock +word when trying to determine whether or not the CASA instruction updated +memory. + +Reported-by: Catalin Marinas +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/spinlock.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/spinlock.h ++++ b/arch/arm64/include/asm/spinlock.h +@@ -89,8 +89,8 @@ static inline int arch_spin_trylock(arch + " cbnz %w1, 1f\n" + " add %w1, %w0, %3\n" + " casa %w0, %w1, %2\n" +- " and %w1, %w1, #0xffff\n" +- " eor %w1, %w1, %w0, lsr #16\n" ++ " sub %w1, %w1, %3\n" ++ " eor %w1, %w1, %w0\n" + "1:") + : "=&r" (lockval), "=&r" (tmp), "+Q" (*lock) + : "I" (1 << TICKET_SHIFT) diff --git a/queue-4.14/asm-generic-provide-generic_pmdp_establish.patch b/queue-4.14/asm-generic-provide-generic_pmdp_establish.patch new file mode 100644 index 00000000000..2ebd420b858 --- /dev/null +++ b/queue-4.14/asm-generic-provide-generic_pmdp_establish.patch @@ -0,0 +1,88 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Kirill A. Shutemov" +Date: Wed, 31 Jan 2018 16:17:43 -0800 +Subject: asm-generic: provide generic_pmdp_establish() + +From: "Kirill A. Shutemov" + + +[ Upstream commit c58f0bb77ed8bf93dfdde762b01cb67eebbdfc29 ] + +Patch series "Do not lose dirty bit on THP pages", v4. + +Vlastimil noted that pmdp_invalidate() is not atomic and we can lose +dirty and access bits if CPU sets them after pmdp dereference, but +before set_pmd_at(). + +The bug can lead to data loss, but the race window is tiny and I haven't +seen any reports that suggested that it happens in reality. So I don't +think it worth sending it to stable. + +Unfortunately, there's no way to address the issue in a generic way. We +need to fix all architectures that support THP one-by-one. + +All architectures that have THP supported have to provide atomic +pmdp_invalidate() that returns previous value. + +If generic implementation of pmdp_invalidate() is used, architecture +needs to provide atomic pmdp_estabish(). + +pmdp_estabish() is not used out-side generic implementation of +pmdp_invalidate() so far, but I think this can change in the future. + +This patch (of 12): + +This is an implementation of pmdp_establish() that is only suitable for +an architecture that doesn't have hardware dirty/accessed bits. In this +case we can't race with CPU which sets these bits and non-atomic +approach is fine. + +Link: http://lkml.kernel.org/r/20171213105756.69879-2-kirill.shutemov@linux.intel.com +Signed-off-by: Kirill A. Shutemov +Cc: Vlastimil Babka +Cc: Andrea Arcangeli +Cc: Michal Hocko +Cc: Aneesh Kumar K.V +Cc: Catalin Marinas +Cc: David Daney +Cc: David Miller +Cc: H. Peter Anvin +Cc: Hugh Dickins +Cc: Ingo Molnar +Cc: Martin Schwidefsky +Cc: Nitin Gupta +Cc: Ralf Baechle +Cc: Thomas Gleixner +Cc: Vineet Gupta +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/asm-generic/pgtable.h | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/include/asm-generic/pgtable.h ++++ b/include/asm-generic/pgtable.h +@@ -309,6 +309,21 @@ extern void pgtable_trans_huge_deposit(s + extern pgtable_t pgtable_trans_huge_withdraw(struct mm_struct *mm, pmd_t *pmdp); + #endif + ++#ifdef CONFIG_TRANSPARENT_HUGEPAGE ++/* ++ * This is an implementation of pmdp_establish() that is only suitable for an ++ * architecture that doesn't have hardware dirty/accessed bits. In this case we ++ * can't race with CPU which sets these bits and non-atomic aproach is fine. ++ */ ++static inline pmd_t generic_pmdp_establish(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t old_pmd = *pmdp; ++ set_pmd_at(vma->vm_mm, address, pmdp, pmd); ++ return old_pmd; ++} ++#endif ++ + #ifndef __HAVE_ARCH_PMDP_INVALIDATE + extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp); diff --git a/queue-4.14/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch b/queue-4.14/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch new file mode 100644 index 00000000000..cb4f4919185 --- /dev/null +++ b/queue-4.14/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Dan Carpenter +Date: Mon, 15 Jan 2018 11:08:38 +0300 +Subject: ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read() + +From: Dan Carpenter + + +[ Upstream commit 123af9043e93cb6f235207d260d50f832cdb5439 ] + +The loop timeout doesn't work because it's a post op and ends with "tmo" +set to -1. I changed it from a post-op to a pre-op and I changed the +initial the starting value from 5 to 6 so we still iterate 5 times. I +left the other as it was because it's a large number. + +Fixes: b3c70c9ea62a ("ASoC: Alchemy AC97C/I2SC audio support") +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/au1x/ac97c.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/soc/au1x/ac97c.c ++++ b/sound/soc/au1x/ac97c.c +@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_rea + do { + mutex_lock(&ctx->lock); + +- tmo = 5; +- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--) ++ tmo = 6; ++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo) + udelay(21); /* wait an ac97 frame time */ + if (!tmo) { + pr_debug("ac97rd timeout #1\n"); +@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_rea + * poll, Forrest, poll... + */ + tmo = 0x10000; +- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--) ++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo) + asm volatile ("nop"); + data = RD(ctx, AC97_CMDRESP); + diff --git a/queue-4.14/asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch b/queue-4.14/asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch new file mode 100644 index 00000000000..ae464972f5e --- /dev/null +++ b/queue-4.14/asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch @@ -0,0 +1,68 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jeffy Chen +Date: Tue, 21 Nov 2017 16:25:17 +0800 +Subject: ASoC: rockchip: Use dummy_dai for rt5514 dsp dailink + +From: Jeffy Chen + + +[ Upstream commit fde7f9dbc71365230eeb8c8ea97ce9b552c8e5bd ] + +The rt5514 dsp captures pcm data through spi directly, so we should not +use rockchip-i2s as it's cpu dai like other codecs. + +Use dummy_dai for rt5514 dsp dailink to make voice wakeup work again. + +Reported-by: Jimmy Cheng-Yi Chiang +Fixes: (72cfb0f20c75 ASoC: rockchip: Use codec of_node and dai_name for rt5514 dsp) +Signed-off-by: Jeffy Chen +Tested-by: Brian Norris +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/rockchip/rk3399_gru_sound.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/sound/soc/rockchip/rk3399_gru_sound.c ++++ b/sound/soc/rockchip/rk3399_gru_sound.c +@@ -387,7 +387,8 @@ static const struct snd_soc_dai_link roc + [DAILINK_RT5514_DSP] = { + .name = "RT5514 DSP", + .stream_name = "Wake on Voice", +- .codec_dai_name = "rt5514-dsp-cpu-dai", ++ .codec_name = "snd-soc-dummy", ++ .codec_dai_name = "snd-soc-dummy-dai", + }, + }; + +@@ -432,7 +433,18 @@ static int rockchip_sound_of_parse_dais( + if (index < 0) + continue; + +- np_cpu = (index == DAILINK_CDNDP) ? np_cpu1 : np_cpu0; ++ switch (index) { ++ case DAILINK_CDNDP: ++ np_cpu = np_cpu1; ++ break; ++ case DAILINK_RT5514_DSP: ++ np_cpu = np_codec; ++ break; ++ default: ++ np_cpu = np_cpu0; ++ break; ++ } ++ + if (!np_cpu) { + dev_err(dev, "Missing 'rockchip,cpu' for %s\n", + rockchip_dais[index].name); +@@ -442,7 +454,8 @@ static int rockchip_sound_of_parse_dais( + dai = &card->dai_link[card->num_links++]; + *dai = rockchip_dais[index]; + +- dai->codec_of_node = np_codec; ++ if (!dai->codec_name) ++ dai->codec_of_node = np_codec; + dai->platform_of_node = np_cpu; + dai->cpu_of_node = np_cpu; + } diff --git a/queue-4.14/bcache-fix-for-allocator-and-register-thread-race.patch b/queue-4.14/bcache-fix-for-allocator-and-register-thread-race.patch new file mode 100644 index 00000000000..094f53c45cf --- /dev/null +++ b/queue-4.14/bcache-fix-for-allocator-and-register-thread-race.patch @@ -0,0 +1,167 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Tang Junhui +Date: Wed, 7 Feb 2018 11:41:43 -0800 +Subject: bcache: fix for allocator and register thread race + +From: Tang Junhui + + +[ Upstream commit 682811b3ce1a5a4e20d700939a9042f01dbc66c4 ] + +After long time running of random small IO writing, +I reboot the machine, and after the machine power on, +I found bcache got stuck, the stack is: +[root@ceph153 ~]# cat /proc/2510/task/*/stack +[] closure_sync+0x25/0x90 [bcache] +[] bch_journal+0x118/0x2b0 [bcache] +[] bch_journal_meta+0x47/0x70 [bcache] +[] bch_prio_write+0x237/0x340 [bcache] +[] bch_allocator_thread+0x3c8/0x3d0 [bcache] +[] kthread+0xcf/0xe0 +[] ret_from_fork+0x58/0x90 +[] 0xffffffffffffffff +[root@ceph153 ~]# cat /proc/2038/task/*/stack +[] __bch_btree_map_nodes+0x12d/0x150 [bcache] +[] bch_btree_insert+0xf1/0x170 [bcache] +[] bch_journal_replay+0x13f/0x230 [bcache] +[] run_cache_set+0x79a/0x7c2 [bcache] +[] register_bcache+0xd48/0x1310 [bcache] +[] kobj_attr_store+0xf/0x20 +[] sysfs_write_file+0xc6/0x140 +[] vfs_write+0xbd/0x1e0 +[] SyS_write+0x7f/0xe0 +[] system_call_fastpath+0x16/0x1 +The stack shows the register thread and allocator thread +were getting stuck when registering cache device. + +I reboot the machine several times, the issue always +exsit in this machine. + +I debug the code, and found the call trace as bellow: +register_bcache() + ==>run_cache_set() + ==>bch_journal_replay() + ==>bch_btree_insert() + ==>__bch_btree_map_nodes() + ==>btree_insert_fn() + ==>btree_split() //node need split + ==>btree_check_reserve() +In btree_check_reserve(), It will check if there is enough buckets +of RESERVE_BTREE type, since allocator thread did not work yet, so +no buckets of RESERVE_BTREE type allocated, so the register thread +waits on c->btree_cache_wait, and goes to sleep. + +Then the allocator thread initialized, the call trace is bellow: +bch_allocator_thread() +==>bch_prio_write() + ==>bch_journal_meta() + ==>bch_journal() + ==>journal_wait_for_write() +In journal_wait_for_write(), It will check if journal is full by +journal_full(), but the long time random small IO writing +causes the exhaustion of journal buckets(journal.blocks_free=0), +In order to release the journal buckets, +the allocator calls btree_flush_write() to flush keys to +btree nodes, and waits on c->journal.wait until btree nodes writing +over or there has already some journal buckets space, then the +allocator thread goes to sleep. but in btree_flush_write(), since +bch_journal_replay() is not finished, so no btree nodes have journal +(condition "if (btree_current_write(b)->journal)" never satisfied), +so we got no btree node to flush, no journal bucket released, +and allocator sleep all the times. + +Through the above analysis, we can see that: +1) Register thread wait for allocator thread to allocate buckets of + RESERVE_BTREE type; +2) Alloctor thread wait for register thread to replay journal, so it + can flush btree nodes and get journal bucket. + then they are all got stuck by waiting for each other. + +Hua Rui provided a patch for me, by allocating some buckets of +RESERVE_BTREE type in advance, so the register thread can get bucket +when btree node splitting and no need to waiting for the allocator +thread. I tested it, it has effect, and register thread run a step +forward, but finally are still got stuck, the reason is only 8 bucket +of RESERVE_BTREE type were allocated, and in bch_journal_replay(), +after 2 btree nodes splitting, only 4 bucket of RESERVE_BTREE type left, +then btree_check_reserve() is not satisfied anymore, so it goes to sleep +again, and in the same time, alloctor thread did not flush enough btree +nodes to release a journal bucket, so they all got stuck again. + +So we need to allocate more buckets of RESERVE_BTREE type in advance, +but how much is enough? By experience and test, I think it should be +as much as journal buckets. Then I modify the code as this patch, +and test in the machine, and it works. + +This patch modified base on Hua Rui’s patch, and allocate more buckets +of RESERVE_BTREE type in advance to avoid register thread and allocate +thread going to wait for each other. + +[patch v2] ca->sb.njournal_buckets would be 0 in the first time after +cache creation, and no journal exists, so just 8 btree buckets is OK. + +Signed-off-by: Hua Rui +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/btree.c | 9 ++++++--- + drivers/md/bcache/super.c | 13 ++++++++++++- + 2 files changed, 18 insertions(+), 4 deletions(-) + +--- a/drivers/md/bcache/btree.c ++++ b/drivers/md/bcache/btree.c +@@ -1868,14 +1868,17 @@ void bch_initial_gc_finish(struct cache_ + */ + for_each_cache(ca, c, i) { + for_each_bucket(b, ca) { +- if (fifo_full(&ca->free[RESERVE_PRIO])) ++ if (fifo_full(&ca->free[RESERVE_PRIO]) && ++ fifo_full(&ca->free[RESERVE_BTREE])) + break; + + if (bch_can_invalidate_bucket(ca, b) && + !GC_MARK(b)) { + __bch_invalidate_one_bucket(ca, b); +- fifo_push(&ca->free[RESERVE_PRIO], +- b - ca->buckets); ++ if (!fifo_push(&ca->free[RESERVE_PRIO], ++ b - ca->buckets)) ++ fifo_push(&ca->free[RESERVE_BTREE], ++ b - ca->buckets); + } + } + } +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1829,6 +1829,7 @@ void bch_cache_release(struct kobject *k + static int cache_alloc(struct cache *ca) + { + size_t free; ++ size_t btree_buckets; + struct bucket *b; + + __module_get(THIS_MODULE); +@@ -1836,9 +1837,19 @@ static int cache_alloc(struct cache *ca) + + bio_init(&ca->journal.bio, ca->journal.bio.bi_inline_vecs, 8); + ++ /* ++ * when ca->sb.njournal_buckets is not zero, journal exists, ++ * and in bch_journal_replay(), tree node may split, ++ * so bucket of RESERVE_BTREE type is needed, ++ * the worst situation is all journal buckets are valid journal, ++ * and all the keys need to replay, ++ * so the number of RESERVE_BTREE type buckets should be as much ++ * as journal buckets ++ */ ++ btree_buckets = ca->sb.njournal_buckets ?: 8; + free = roundup_pow_of_two(ca->sb.nbuckets) >> 10; + +- if (!init_fifo(&ca->free[RESERVE_BTREE], 8, GFP_KERNEL) || ++ if (!init_fifo(&ca->free[RESERVE_BTREE], btree_buckets, GFP_KERNEL) || + !init_fifo_exact(&ca->free[RESERVE_PRIO], prio_buckets(ca), GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_MOVINGGC], free, GFP_KERNEL) || + !init_fifo(&ca->free[RESERVE_NONE], free, GFP_KERNEL) || diff --git a/queue-4.14/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch b/queue-4.14/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch new file mode 100644 index 00000000000..7ebee70ac5b --- /dev/null +++ b/queue-4.14/bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch @@ -0,0 +1,122 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Tang Junhui +Date: Wed, 7 Feb 2018 11:41:46 -0800 +Subject: bcache: fix for data collapse after re-attaching an attached device + +From: Tang Junhui + + +[ Upstream commit 73ac105be390c1de42a2f21643c9778a5e002930 ] + +back-end device sdm has already attached a cache_set with ID +f67ebe1f-f8bc-4d73-bfe5-9dc88607f119, then try to attach with +another cache set, and it returns with an error: +[root]# cd /sys/block/sdm/bcache +[root]# echo 5ccd0a63-148e-48b8-afa2-aca9cbd6279f > attach +-bash: echo: write error: Invalid argument + +After that, execute a command to modify the label of bcache +device: +[root]# echo data_disk1 > label + +Then we reboot the system, when the system power on, the back-end +device can not attach to cache_set, a messages show in the log: +Feb 5 12:05:52 ceph152 kernel: [922385.508498] bcache: +bch_cached_dev_attach() couldn't find uuid for sdm in set + +In sysfs_attach(), dc->sb.set_uuid was assigned to the value +which input through sysfs, no matter whether it is success +or not in bch_cached_dev_attach(). For example, If the back-end +device has already attached to an cache set, bch_cached_dev_attach() +would fail, but dc->sb.set_uuid was changed. Then modify the +label of bcache device, it will call bch_write_bdev_super(), +which would write the dc->sb.set_uuid to the super block, so we +record a wrong cache set ID in the super block, after the system +reboot, the cache set couldn't find the uuid of the back-end +device, so the bcache device couldn't exist and use any more. + +In this patch, we don't assigned cache set ID to dc->sb.set_uuid +in sysfs_attach() directly, but input it into bch_cached_dev_attach(), +and assigned dc->sb.set_uuid to the cache set ID after the back-end +device attached to the cache set successful. + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/bcache.h | 2 +- + drivers/md/bcache/super.c | 10 ++++++---- + drivers/md/bcache/sysfs.c | 6 ++++-- + 3 files changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -906,7 +906,7 @@ void bcache_write_super(struct cache_set + + int bch_flash_dev_create(struct cache_set *c, uint64_t size); + +-int bch_cached_dev_attach(struct cached_dev *, struct cache_set *); ++int bch_cached_dev_attach(struct cached_dev *, struct cache_set *, uint8_t *); + void bch_cached_dev_detach(struct cached_dev *); + void bch_cached_dev_run(struct cached_dev *); + void bcache_device_stop(struct bcache_device *); +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -939,7 +939,8 @@ void bch_cached_dev_detach(struct cached + cached_dev_put(dc); + } + +-int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c) ++int bch_cached_dev_attach(struct cached_dev *dc, struct cache_set *c, ++ uint8_t *set_uuid) + { + uint32_t rtime = cpu_to_le32(get_seconds()); + struct uuid_entry *u; +@@ -948,7 +949,8 @@ int bch_cached_dev_attach(struct cached_ + + bdevname(dc->bdev, buf); + +- if (memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16)) ++ if ((set_uuid && memcmp(set_uuid, c->sb.set_uuid, 16)) || ++ (!set_uuid && memcmp(dc->sb.set_uuid, c->sb.set_uuid, 16))) + return -ENOENT; + + if (dc->disk.c) { +@@ -1190,7 +1192,7 @@ static void register_bdev(struct cache_s + + list_add(&dc->list, &uncached_devices); + list_for_each_entry(c, &bch_cache_sets, list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + if (BDEV_STATE(&dc->sb) == BDEV_STATE_NONE || + BDEV_STATE(&dc->sb) == BDEV_STATE_STALE) +@@ -1712,7 +1714,7 @@ static void run_cache_set(struct cache_s + bcache_write_super(c); + + list_for_each_entry_safe(dc, t, &uncached_devices, list) +- bch_cached_dev_attach(dc, c); ++ bch_cached_dev_attach(dc, c, NULL); + + flash_devs_run(c); + +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -265,11 +265,13 @@ STORE(__cached_dev) + } + + if (attr == &sysfs_attach) { +- if (bch_parse_uuid(buf, dc->sb.set_uuid) < 16) ++ uint8_t set_uuid[16]; ++ ++ if (bch_parse_uuid(buf, set_uuid) < 16) + return -EINVAL; + + list_for_each_entry(c, &bch_cache_sets, list) { +- v = bch_cached_dev_attach(dc, c); ++ v = bch_cached_dev_attach(dc, c, set_uuid); + if (!v) + return size; + } diff --git a/queue-4.14/bcache-properly-set-task-state-in-bch_writeback_thread.patch b/queue-4.14/bcache-properly-set-task-state-in-bch_writeback_thread.patch new file mode 100644 index 00000000000..90966788f5f --- /dev/null +++ b/queue-4.14/bcache-properly-set-task-state-in-bch_writeback_thread.patch @@ -0,0 +1,113 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Coly Li +Date: Wed, 7 Feb 2018 11:41:41 -0800 +Subject: bcache: properly set task state in bch_writeback_thread() + +From: Coly Li + + +[ Upstream commit 99361bbf26337186f02561109c17a4c4b1a7536a ] + +Kernel thread routine bch_writeback_thread() has the following code block, + +447 down_write(&dc->writeback_lock); +448~450 if (check conditions) { +451 up_write(&dc->writeback_lock); +452 set_current_state(TASK_INTERRUPTIBLE); +453 +454 if (kthread_should_stop()) +455 return 0; +456 +457 schedule(); +458 continue; +459 } + +If condition check is true, its task state is set to TASK_INTERRUPTIBLE +and call schedule() to wait for others to wake up it. + +There are 2 issues in current code, +1, Task state is set to TASK_INTERRUPTIBLE after the condition checks, if + another process changes the condition and call wake_up_process(dc-> + writeback_thread), then at line 452 task state is set back to + TASK_INTERRUPTIBLE, the writeback kernel thread will lose a chance to be + waken up. +2, At line 454 if kthread_should_stop() is true, writeback kernel thread + will return to kernel/kthread.c:kthread() with TASK_INTERRUPTIBLE and + call do_exit(). It is not good to enter do_exit() with task state + TASK_INTERRUPTIBLE, in following code path might_sleep() is called and a + warning message is reported by __might_sleep(): "WARNING: do not call + blocking ops when !TASK_RUNNING; state=1 set at [xxxx]". + +For the first issue, task state should be set before condition checks. +Ineed because dc->writeback_lock is required when modifying all the +conditions, calling set_current_state() inside code block where dc-> +writeback_lock is hold is safe. But this is quite implicit, so I still move +set_current_state() before all the condition checks. + +For the second issue, frankley speaking it does not hurt when kernel thread +exits with TASK_INTERRUPTIBLE state, but this warning message scares users, +makes them feel there might be something risky with bcache and hurt their +data. Setting task state to TASK_RUNNING before returning fixes this +problem. + +In alloc.c:allocator_wait(), there is also a similar issue, and is also +fixed in this patch. + +Changelog: +v3: merge two similar fixes into one patch +v2: fix the race issue in v1 patch. +v1: initial buggy fix. + +Signed-off-by: Coly Li +Reviewed-by: Hannes Reinecke +Reviewed-by: Michael Lyle +Cc: Michael Lyle +Cc: Junhui Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/alloc.c | 4 +++- + drivers/md/bcache/writeback.c | 7 +++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -287,8 +287,10 @@ do { \ + break; \ + \ + mutex_unlock(&(ca)->set->bucket_lock); \ +- if (kthread_should_stop()) \ ++ if (kthread_should_stop()) { \ ++ set_current_state(TASK_RUNNING); \ + return 0; \ ++ } \ + \ + schedule(); \ + mutex_lock(&(ca)->set->bucket_lock); \ +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -420,18 +420,21 @@ static int bch_writeback_thread(void *ar + + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); ++ set_current_state(TASK_INTERRUPTIBLE); + if (!atomic_read(&dc->has_dirty) || + (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && + !dc->writeback_running)) { + up_write(&dc->writeback_lock); +- set_current_state(TASK_INTERRUPTIBLE); + +- if (kthread_should_stop()) ++ if (kthread_should_stop()) { ++ set_current_state(TASK_RUNNING); + return 0; ++ } + + schedule(); + continue; + } ++ set_current_state(TASK_RUNNING); + + searched_full_index = refill_dirty(dc); + diff --git a/queue-4.14/bcache-return-attach-error-when-no-cache-set-exist.patch b/queue-4.14/bcache-return-attach-error-when-no-cache-set-exist.patch new file mode 100644 index 00000000000..bf233eb5eb6 --- /dev/null +++ b/queue-4.14/bcache-return-attach-error-when-no-cache-set-exist.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Tang Junhui +Date: Wed, 7 Feb 2018 11:41:45 -0800 +Subject: bcache: return attach error when no cache set exist + +From: Tang Junhui + + +[ Upstream commit 7f4fc93d4713394ee8f1cd44c238e046e11b4f15 ] + +I attach a back-end device to a cache set, and the cache set is not +registered yet, this back-end device did not attach successfully, and no +error returned: +[root]# echo 87859280-fec6-4bcc-20df7ca8f86b > /sys/block/sde/bcache/attach +[root]# + +In sysfs_attach(), the return value "v" is initialized to "size" in +the beginning, and if no cache set exist in bch_cache_sets, the "v" value +would not change any more, and return to sysfs, sysfs regard it as success +since the "size" is a positive number. + +This patch fixes this issue by assigning "v" with "-ENOENT" in the +initialization. + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/sysfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -193,7 +193,7 @@ STORE(__cached_dev) + { + struct cached_dev *dc = container_of(kobj, struct cached_dev, + disk.kobj); +- ssize_t v = size; ++ ssize_t v; + struct cache_set *c; + struct kobj_uevent_env *env; + +@@ -270,6 +270,7 @@ STORE(__cached_dev) + if (bch_parse_uuid(buf, set_uuid) < 16) + return -EINVAL; + ++ v = -ENOENT; + list_for_each_entry(c, &bch_cache_sets, list) { + v = bch_cached_dev_attach(dc, c, set_uuid); + if (!v) +@@ -277,7 +278,7 @@ STORE(__cached_dev) + } + + pr_err("Can't attach %s: cache set not found", buf); +- size = v; ++ return v; + } + + if (attr == &sysfs_detach && dc->disk.c) diff --git a/queue-4.14/blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch b/queue-4.14/blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch new file mode 100644 index 00000000000..8d2272f27a0 --- /dev/null +++ b/queue-4.14/blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Eryu Guan +Date: Wed, 24 Jan 2018 01:20:00 +0800 +Subject: blk-mq-debugfs: don't allow write on attributes with seq_operations set + +From: Eryu Guan + + +[ Upstream commit 6b136a24b05c81a24e0b648a4bd938bcd0c4f69e ] + +Attributes that only implement .seq_ops are read-only, any write to +them should be rejected. But currently kernel would crash when +writing to such debugfs entries, e.g. + +chmod +w /sys/kernel/debug/block//requeue_list +echo 0 > /sys/kernel/debug/block//requeue_list +chmod -w /sys/kernel/debug/block//requeue_list + +Fix it by returning -EPERM in blk_mq_debugfs_write() when writing to +such attributes. + +Cc: Ming Lei +Signed-off-by: Eryu Guan +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq-debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/block/blk-mq-debugfs.c ++++ b/block/blk-mq-debugfs.c +@@ -704,7 +704,11 @@ static ssize_t blk_mq_debugfs_write(stru + const struct blk_mq_debugfs_attr *attr = m->private; + void *data = d_inode(file->f_path.dentry->d_parent)->i_private; + +- if (!attr->write) ++ /* ++ * Attributes that only implement .seq_ops are read-only and 'attr' is ++ * the same with 'data' in this case. ++ */ ++ if (attr == data || !attr->write) + return -EPERM; + + return attr->write(data, buf, count, ppos); diff --git a/queue-4.14/blk-mq-fix-discard-merge-with-scheduler-attached.patch b/queue-4.14/blk-mq-fix-discard-merge-with-scheduler-attached.patch new file mode 100644 index 00000000000..0a82dba0495 --- /dev/null +++ b/queue-4.14/blk-mq-fix-discard-merge-with-scheduler-attached.patch @@ -0,0 +1,159 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jens Axboe +Date: Thu, 1 Feb 2018 14:01:02 -0700 +Subject: blk-mq: fix discard merge with scheduler attached + +From: Jens Axboe + + +[ Upstream commit 445251d0f4d329aa061f323546cd6388a3bb7ab5 ] + +I ran into an issue on my laptop that triggered a bug on the +discard path: + +WARNING: CPU: 2 PID: 207 at drivers/nvme/host/core.c:527 nvme_setup_cmd+0x3d3/0x430 + Modules linked in: rfcomm fuse ctr ccm bnep arc4 binfmt_misc snd_hda_codec_hdmi nls_iso8859_1 nls_cp437 vfat snd_hda_codec_conexant fat snd_hda_codec_generic iwlmvm snd_hda_intel snd_hda_codec snd_hwdep mac80211 snd_hda_core snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq x86_pkg_temp_thermal intel_powerclamp kvm_intel uvcvideo iwlwifi btusb snd_seq_device videobuf2_vmalloc btintel videobuf2_memops kvm snd_timer videobuf2_v4l2 bluetooth irqbypass videobuf2_core aesni_intel aes_x86_64 crypto_simd cryptd snd glue_helper videodev cfg80211 ecdh_generic soundcore hid_generic usbhid hid i915 psmouse e1000e ptp pps_core xhci_pci xhci_hcd intel_gtt + CPU: 2 PID: 207 Comm: jbd2/nvme0n1p7- Tainted: G U 4.15.0+ #176 + Hardware name: LENOVO 20FBCTO1WW/20FBCTO1WW, BIOS N1FET59W (1.33 ) 12/19/2017 + RIP: 0010:nvme_setup_cmd+0x3d3/0x430 + RSP: 0018:ffff880423e9f838 EFLAGS: 00010217 + RAX: 0000000000000000 RBX: ffff880423e9f8c8 RCX: 0000000000010000 + RDX: ffff88022b200010 RSI: 0000000000000002 RDI: 00000000327f0000 + RBP: ffff880421251400 R08: ffff88022b200000 R09: 0000000000000009 + R10: 0000000000000000 R11: 0000000000000000 R12: 000000000000ffff + R13: ffff88042341e280 R14: 000000000000ffff R15: ffff880421251440 + FS: 0000000000000000(0000) GS:ffff880441500000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000055b684795030 CR3: 0000000002e09006 CR4: 00000000001606e0 + DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 + DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + Call Trace: + nvme_queue_rq+0x40/0xa00 + ? __sbitmap_queue_get+0x24/0x90 + ? blk_mq_get_tag+0xa3/0x250 + ? wait_woken+0x80/0x80 + ? blk_mq_get_driver_tag+0x97/0xf0 + blk_mq_dispatch_rq_list+0x7b/0x4a0 + ? deadline_remove_request+0x49/0xb0 + blk_mq_do_dispatch_sched+0x4f/0xc0 + blk_mq_sched_dispatch_requests+0x106/0x170 + __blk_mq_run_hw_queue+0x53/0xa0 + __blk_mq_delay_run_hw_queue+0x83/0xa0 + blk_mq_run_hw_queue+0x6c/0xd0 + blk_mq_sched_insert_request+0x96/0x140 + __blk_mq_try_issue_directly+0x3d/0x190 + blk_mq_try_issue_directly+0x30/0x70 + blk_mq_make_request+0x1a4/0x6a0 + generic_make_request+0xfd/0x2f0 + ? submit_bio+0x5c/0x110 + submit_bio+0x5c/0x110 + ? __blkdev_issue_discard+0x152/0x200 + submit_bio_wait+0x43/0x60 + ext4_process_freed_data+0x1cd/0x440 + ? account_page_dirtied+0xe2/0x1a0 + ext4_journal_commit_callback+0x4a/0xc0 + jbd2_journal_commit_transaction+0x17e2/0x19e0 + ? kjournald2+0xb0/0x250 + kjournald2+0xb0/0x250 + ? wait_woken+0x80/0x80 + ? commit_timeout+0x10/0x10 + kthread+0x111/0x130 + ? kthread_create_worker_on_cpu+0x50/0x50 + ? do_group_exit+0x3a/0xa0 + ret_from_fork+0x1f/0x30 + Code: 73 89 c1 83 ce 10 c1 e1 10 09 ca 83 f8 04 0f 87 0f ff ff ff 8b 4d 20 48 8b 7d 00 c1 e9 09 48 01 8c c7 00 08 00 00 e9 f8 fe ff ff <0f> ff 4c 89 c7 41 bc 0a 00 00 00 e8 0d 78 d6 ff e9 a1 fc ff ff + ---[ end trace 50d361cc444506c8 ]--- + print_req_error: I/O error, dev nvme0n1, sector 847167488 + +Decoding the assembly, the request claims to have 0xffff segments, +while nvme counts two. This turns out to be because we don't check +for a data carrying request on the mq scheduler path, and since +blk_phys_contig_segment() returns true for a non-data request, +we decrement the initial segment count of 0 and end up with +0xffff in the unsigned short. + +There are a few issues here: + +1) We should initialize the segment count for a discard to 1. +2) The discard merging is currently using the data limits for + segments and sectors. + +Fix this up by having attempt_merge() correctly identify the +request, and by initializing the segment count correctly +for discards. + +This can only be triggered with mq-deadline on discard capable +devices right now, which isn't a common configuration. + +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-core.c | 2 ++ + block/blk-merge.c | 29 ++++++++++++++++++++++++++--- + 2 files changed, 28 insertions(+), 3 deletions(-) + +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -3065,6 +3065,8 @@ void blk_rq_bio_prep(struct request_queu + { + if (bio_has_data(bio)) + rq->nr_phys_segments = bio_phys_segments(q, bio); ++ else if (bio_op(bio) == REQ_OP_DISCARD) ++ rq->nr_phys_segments = 1; + + rq->__data_len = bio->bi_iter.bi_size; + rq->bio = rq->biotail = bio; +--- a/block/blk-merge.c ++++ b/block/blk-merge.c +@@ -551,6 +551,24 @@ static bool req_no_special_merge(struct + return !q->mq_ops && req->special; + } + ++static bool req_attempt_discard_merge(struct request_queue *q, struct request *req, ++ struct request *next) ++{ ++ unsigned short segments = blk_rq_nr_discard_segments(req); ++ ++ if (segments >= queue_max_discard_segments(q)) ++ goto no_merge; ++ if (blk_rq_sectors(req) + bio_sectors(next->bio) > ++ blk_rq_get_max_sectors(req, blk_rq_pos(req))) ++ goto no_merge; ++ ++ req->nr_phys_segments = segments + blk_rq_nr_discard_segments(next); ++ return true; ++no_merge: ++ req_set_nomerge(q, req); ++ return false; ++} ++ + static int ll_merge_requests_fn(struct request_queue *q, struct request *req, + struct request *next) + { +@@ -684,9 +702,13 @@ static struct request *attempt_merge(str + * If we are allowed to merge, then append bio list + * from next to rq and release next. merge_requests_fn + * will have updated segment counts, update sector +- * counts here. ++ * counts here. Handle DISCARDs separately, as they ++ * have separate settings. + */ +- if (!ll_merge_requests_fn(q, req, next)) ++ if (req_op(req) == REQ_OP_DISCARD) { ++ if (!req_attempt_discard_merge(q, req, next)) ++ return NULL; ++ } else if (!ll_merge_requests_fn(q, req, next)) + return NULL; + + /* +@@ -716,7 +738,8 @@ static struct request *attempt_merge(str + + req->__data_len += blk_rq_bytes(next); + +- elv_merge_requests(q, req, next); ++ if (req_op(req) != REQ_OP_DISCARD) ++ elv_merge_requests(q, req, next); + + /* + * 'next' is going away, so update stats accordingly diff --git a/queue-4.14/blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch b/queue-4.14/blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch new file mode 100644 index 00000000000..0f301a0b2f9 --- /dev/null +++ b/queue-4.14/blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ming Lei +Date: Thu, 18 Jan 2018 00:41:52 +0800 +Subject: blk-mq: turn WARN_ON in __blk_mq_run_hw_queue into printk + +From: Ming Lei + + +[ Upstream commit 7df938fbc4ee641e70e05002ac67c24b19e86e74 ] + +We know this WARN_ON is harmless and in reality it may be trigged, +so convert it to printk() and dump_stack() to avoid to confusing +people. + +Also add comment about two releated races here. + +Cc: Christian Borntraeger +Cc: Stefan Haberland +Cc: Christoph Hellwig +Cc: Thomas Gleixner +Cc: "jianchao.wang" +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 22 ++++++++++++++++++++-- + 1 file changed, 20 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1143,9 +1143,27 @@ static void __blk_mq_run_hw_queue(struct + /* + * We should be running this queue from one of the CPUs that + * are mapped to it. ++ * ++ * There are at least two related races now between setting ++ * hctx->next_cpu from blk_mq_hctx_next_cpu() and running ++ * __blk_mq_run_hw_queue(): ++ * ++ * - hctx->next_cpu is found offline in blk_mq_hctx_next_cpu(), ++ * but later it becomes online, then this warning is harmless ++ * at all ++ * ++ * - hctx->next_cpu is found online in blk_mq_hctx_next_cpu(), ++ * but later it becomes offline, then the warning can't be ++ * triggered, and we depend on blk-mq timeout handler to ++ * handle dispatched requests to this hctx + */ +- WARN_ON(!cpumask_test_cpu(raw_smp_processor_id(), hctx->cpumask) && +- cpu_online(hctx->next_cpu)); ++ if (!cpumask_test_cpu(raw_smp_processor_id(), hctx->cpumask) && ++ cpu_online(hctx->next_cpu)) { ++ printk(KERN_WARNING "run queue from wrong CPU %d, hctx %s\n", ++ raw_smp_processor_id(), ++ cpumask_empty(hctx->cpumask) ? "inactive": "active"); ++ dump_stack(); ++ } + + /* + * We can't run the queue inline with ints disabled. Ensure that diff --git a/queue-4.14/block-set-bio_trace_completion-on-new-bio-during-split.patch b/queue-4.14/block-set-bio_trace_completion-on-new-bio-during-split.patch new file mode 100644 index 00000000000..517d17686ba --- /dev/null +++ b/queue-4.14/block-set-bio_trace_completion-on-new-bio-during-split.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Goldwyn Rodrigues +Date: Tue, 23 Jan 2018 09:10:19 -0700 +Subject: block: Set BIO_TRACE_COMPLETION on new bio during split + +From: Goldwyn Rodrigues + + +[ Upstream commit 20d59023c5ec4426284af492808bcea1f39787ef ] + +We inadvertently set it again on the source bio, but we need +to set it on the new split bio instead. + +Fixes: fbbaf700e7b1 ("block: trace completion of all bios.") +Signed-off-by: Goldwyn Rodrigues +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/bio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1893,7 +1893,7 @@ struct bio *bio_split(struct bio *bio, i + bio_advance(bio, split->bi_iter.bi_size); + + if (bio_flagged(bio, BIO_TRACE_COMPLETION)) +- bio_set_flag(bio, BIO_TRACE_COMPLETION); ++ bio_set_flag(split, BIO_TRACE_COMPLETION); + + return split; + } diff --git a/queue-4.14/bpf-fix-rlimit-in-reuseport-net-selftest.patch b/queue-4.14/bpf-fix-rlimit-in-reuseport-net-selftest.patch new file mode 100644 index 00000000000..76c5d5744dd --- /dev/null +++ b/queue-4.14/bpf-fix-rlimit-in-reuseport-net-selftest.patch @@ -0,0 +1,95 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Daniel Borkmann +Date: Fri, 9 Feb 2018 14:49:44 +0100 +Subject: bpf: fix rlimit in reuseport net selftest + +From: Daniel Borkmann + + +[ Upstream commit 941ff6f11c020913f5cddf543a9ec63475d7c082 ] + +Fix two issues in the reuseport_bpf selftests that were +reported by Linaro CI: + + [...] + + ./reuseport_bpf + ---- IPv4 UDP ---- + Testing EBPF mod 10... + Reprograming, testing mod 5... + ./reuseport_bpf: ebpf error. log: + 0: (bf) r6 = r1 + 1: (20) r0 = *(u32 *)skb[0] + 2: (97) r0 %= 10 + 3: (95) exit + processed 4 insns + : Operation not permitted + + echo FAIL + [...] + ---- IPv4 TCP ---- + Testing EBPF mod 10... + ./reuseport_bpf: failed to bind send socket: Address already in use + + echo FAIL + [...] + +For the former adjust rlimit since this was the cause of +failure for loading the BPF prog, and for the latter add +SO_REUSEADDR. + +Reported-by: Naresh Kamboju +Link: https://bugs.linaro.org/show_bug.cgi?id=3502 +Signed-off-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/reuseport_bpf.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/reuseport_bpf.c ++++ b/tools/testing/selftests/net/reuseport_bpf.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #ifndef ARRAY_SIZE +@@ -190,11 +191,14 @@ static void send_from(struct test_params + struct sockaddr * const saddr = new_any_sockaddr(p.send_family, sport); + struct sockaddr * const daddr = + new_loopback_sockaddr(p.send_family, p.recv_port); +- const int fd = socket(p.send_family, p.protocol, 0); ++ const int fd = socket(p.send_family, p.protocol, 0), one = 1; + + if (fd < 0) + error(1, errno, "failed to create send socket"); + ++ if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one))) ++ error(1, errno, "failed to set reuseaddr"); ++ + if (bind(fd, saddr, sockaddr_size())) + error(1, errno, "failed to bind send socket"); + +@@ -433,6 +437,21 @@ void enable_fastopen(void) + } + } + ++static struct rlimit rlim_old, rlim_new; ++ ++static __attribute__((constructor)) void main_ctor(void) ++{ ++ getrlimit(RLIMIT_MEMLOCK, &rlim_old); ++ rlim_new.rlim_cur = rlim_old.rlim_cur + (1UL << 20); ++ rlim_new.rlim_max = rlim_old.rlim_max + (1UL << 20); ++ setrlimit(RLIMIT_MEMLOCK, &rlim_new); ++} ++ ++static __attribute__((destructor)) void main_dtor(void) ++{ ++ setrlimit(RLIMIT_MEMLOCK, &rlim_old); ++} ++ + int main(void) + { + fprintf(stderr, "---- IPv4 UDP ----\n"); diff --git a/queue-4.14/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch b/queue-4.14/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch new file mode 100644 index 00000000000..74d73321202 --- /dev/null +++ b/queue-4.14/bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch @@ -0,0 +1,173 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Yonghong Song +Date: Fri, 2 Feb 2018 22:37:15 -0800 +Subject: bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y + +From: Yonghong Song + + +[ Upstream commit 09584b406742413ac4c8d7e030374d4daa045b69 ] + +With CONFIG_BPF_JIT_ALWAYS_ON is defined in the config file, +tools/testing/selftests/bpf/test_kmod.sh failed like below: + [root@localhost bpf]# ./test_kmod.sh + sysctl: setting key "net.core.bpf_jit_enable": Invalid argument + [ JIT enabled:0 hardened:0 ] + [ 132.175681] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 132.458834] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:0 ] + [ 133.456025] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 133.730935] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:1 ] + [ 134.769730] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 135.050864] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [ JIT enabled:1 hardened:2 ] + [ 136.442882] test_bpf: #297 BPF_MAXINSNS: Jump, gap, jump, ... FAIL to prog_create err=-524 len=4096 + [ 136.821810] test_bpf: Summary: 348 PASSED, 1 FAILED, [340/340 JIT'ed] + [root@localhost bpf]# + +The test_kmod.sh load/remove test_bpf.ko multiple times with different +settings for sysctl net.core.bpf_jit_{enable,harden}. The failed test #297 +of test_bpf.ko is designed such that JIT always fails. + +Commit 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) +introduced the following tightening logic: + ... + if (!bpf_prog_is_dev_bound(fp->aux)) { + fp = bpf_int_jit_compile(fp); + #ifdef CONFIG_BPF_JIT_ALWAYS_ON + if (!fp->jited) { + *err = -ENOTSUPP; + return fp; + } + #endif + ... +With this logic, Test #297 always gets return value -ENOTSUPP +when CONFIG_BPF_JIT_ALWAYS_ON is defined, causing the test failure. + +This patch fixed the failure by marking Test #297 as expected failure +when CONFIG_BPF_JIT_ALWAYS_ON is defined. + +Fixes: 290af86629b2 (bpf: introduce BPF_JIT_ALWAYS_ON config) +Signed-off-by: Yonghong Song +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_bpf.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +--- a/lib/test_bpf.c ++++ b/lib/test_bpf.c +@@ -83,6 +83,7 @@ struct bpf_test { + __u32 result; + } test[MAX_SUBTESTS]; + int (*fill_helper)(struct bpf_test *self); ++ int expected_errcode; /* used when FLAG_EXPECTED_FAIL is set in the aux */ + __u8 frag_data[MAX_DATA]; + int stack_depth; /* for eBPF only, since tests don't call verifier */ + }; +@@ -1987,7 +1988,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: div_k_0", +@@ -1997,7 +2000,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: unknown insn", +@@ -2008,7 +2013,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: out of range spill/fill", +@@ -2018,7 +2025,9 @@ static struct bpf_test tests[] = { + }, + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, +- { } ++ { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "JUMPS + HOLES", +@@ -2110,6 +2119,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { + "check: LDX + RET X", +@@ -2120,6 +2131,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "M[]: alt STX + LDX", +@@ -2294,6 +2307,8 @@ static struct bpf_test tests[] = { + CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, + { }, + { }, ++ .fill_helper = NULL, ++ .expected_errcode = -EINVAL, + }, + { /* Passes checker but fails during runtime. */ + "LD [SKF_AD_OFF-1]", +@@ -5356,6 +5371,7 @@ static struct bpf_test tests[] = { + { }, + { }, + .fill_helper = bpf_fill_maxinsns4, ++ .expected_errcode = -EINVAL, + }, + { /* Mainly checking JIT here. */ + "BPF_MAXINSNS: Very long jump", +@@ -5411,10 +5427,15 @@ static struct bpf_test tests[] = { + { + "BPF_MAXINSNS: Jump, gap, jump, ...", + { }, ++#ifdef CONFIG_BPF_JIT_ALWAYS_ON ++ CLASSIC | FLAG_NO_DATA | FLAG_EXPECTED_FAIL, ++#else + CLASSIC | FLAG_NO_DATA, ++#endif + { }, + { { 0, 0xababcbac } }, + .fill_helper = bpf_fill_maxinsns11, ++ .expected_errcode = -ENOTSUPP, + }, + { + "BPF_MAXINSNS: ld_abs+get_processor_id", +@@ -6193,7 +6214,7 @@ static struct bpf_prog *generate_filter( + + *err = bpf_prog_create(&fp, &fprog); + if (tests[which].aux & FLAG_EXPECTED_FAIL) { +- if (*err == -EINVAL) { ++ if (*err == tests[which].expected_errcode) { + pr_cont("PASS\n"); + /* Verifier rejected filter as expected. */ + *err = 0; diff --git a/queue-4.14/bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch b/queue-4.14/bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch new file mode 100644 index 00000000000..05a28772e95 --- /dev/null +++ b/queue-4.14/bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch @@ -0,0 +1,84 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: John Fastabend +Date: Mon, 5 Feb 2018 10:17:54 -0800 +Subject: bpf: sockmap, fix leaking maps with attached but not detached progs + +From: John Fastabend + + +[ Upstream commit 3d9e952697de89b53227f06d4241f275eb99cfc4 ] + +When a program is attached to a map we increment the program refcnt +to ensure that the program is not removed while it is potentially +being referenced from sockmap side. However, if this same program +also references the map (this is a reasonably common pattern in +my programs) then the verifier will also increment the maps refcnt +from the verifier. This is to ensure the map doesn't get garbage +collected while the program has a reference to it. + +So we are left in a state where the map holds the refcnt on the +program stopping it from being removed and releasing the map refcnt. +And vice versa the program holds a refcnt on the map stopping it +from releasing the refcnt on the prog. + +All this is fine as long as users detach the program while the +map fd is still around. But, if the user omits this detach command +we are left with a dangling map we can no longer release. + +To resolve this when the map fd is released decrement the program +references and remove any reference from the map to the program. +This fixes the issue with possibly dangling map and creates a +user side API constraint. That is, the map fd must be held open +for programs to be attached to a map. + +Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support") +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/sockmap.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/kernel/bpf/sockmap.c ++++ b/kernel/bpf/sockmap.c +@@ -601,11 +601,6 @@ static void sock_map_free(struct bpf_map + } + rcu_read_unlock(); + +- if (stab->bpf_verdict) +- bpf_prog_put(stab->bpf_verdict); +- if (stab->bpf_parse) +- bpf_prog_put(stab->bpf_parse); +- + sock_map_remove_complete(stab); + } + +@@ -877,6 +872,19 @@ static int sock_map_update_elem(struct b + return err; + } + ++static void sock_map_release(struct bpf_map *map, struct file *map_file) ++{ ++ struct bpf_stab *stab = container_of(map, struct bpf_stab, map); ++ struct bpf_prog *orig; ++ ++ orig = xchg(&stab->bpf_parse, NULL); ++ if (orig) ++ bpf_prog_put(orig); ++ orig = xchg(&stab->bpf_verdict, NULL); ++ if (orig) ++ bpf_prog_put(orig); ++} ++ + const struct bpf_map_ops sock_map_ops = { + .map_alloc = sock_map_alloc, + .map_free = sock_map_free, +@@ -884,6 +892,7 @@ const struct bpf_map_ops sock_map_ops = + .map_get_next_key = sock_map_get_next_key, + .map_update_elem = sock_map_update_elem, + .map_delete_elem = sock_map_delete_elem, ++ .map_release = sock_map_release, + }; + + BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock, diff --git a/queue-4.14/bpf-test_maps-cleanup-sockmaps-when-test-ends.patch b/queue-4.14/bpf-test_maps-cleanup-sockmaps-when-test-ends.patch new file mode 100644 index 00000000000..b3432611cc9 --- /dev/null +++ b/queue-4.14/bpf-test_maps-cleanup-sockmaps-when-test-ends.patch @@ -0,0 +1,68 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Prashant Bhole +Date: Tue, 23 Jan 2018 13:30:44 +0900 +Subject: bpf: test_maps: cleanup sockmaps when test ends + +From: Prashant Bhole + + +[ Upstream commit 783687810e986a15ffbf86c516a1a48ff37f38f7 ] + +Bug: BPF programs and maps related to sockmaps test exist +in memory even after test_maps ends. + +This patch fixes it as a short term workaround (sockmap +kernel side needs real fixing) by empyting sockmaps when +test ends. + +Fixes: 6f6d33f3b3d0f ("bpf: selftests add sockmap tests") +Signed-off-by: Prashant Bhole +[ daniel: Note on workaround. ] +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_maps.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -463,7 +463,7 @@ static void test_devmap(int task, void * + #define SOCKMAP_VERDICT_PROG "./sockmap_verdict_prog.o" + static void test_sockmap(int tasks, void *data) + { +- int one = 1, map_fd_rx, map_fd_tx, map_fd_break, s, sc, rc; ++ int one = 1, map_fd_rx = 0, map_fd_tx = 0, map_fd_break, s, sc, rc; + struct bpf_map *bpf_map_rx, *bpf_map_tx, *bpf_map_break; + int ports[] = {50200, 50201, 50202, 50204}; + int err, i, fd, udp, sfd[6] = {0xdeadbeef}; +@@ -868,9 +868,12 @@ static void test_sockmap(int tasks, void + goto out_sockmap; + } + +- /* Test map close sockets */ +- for (i = 0; i < 6; i++) ++ /* Test map close sockets and empty maps */ ++ for (i = 0; i < 6; i++) { ++ bpf_map_delete_elem(map_fd_tx, &i); ++ bpf_map_delete_elem(map_fd_rx, &i); + close(sfd[i]); ++ } + close(fd); + close(map_fd_rx); + bpf_object__close(obj); +@@ -881,8 +884,13 @@ out: + printf("Failed to create sockmap '%i:%s'!\n", i, strerror(errno)); + exit(1); + out_sockmap: +- for (i = 0; i < 6; i++) ++ for (i = 0; i < 6; i++) { ++ if (map_fd_tx) ++ bpf_map_delete_elem(map_fd_tx, &i); ++ if (map_fd_rx) ++ bpf_map_delete_elem(map_fd_rx, &i); + close(sfd[i]); ++ } + close(fd); + exit(1); + } diff --git a/queue-4.14/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch b/queue-4.14/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch new file mode 100644 index 00000000000..187d7c858d0 --- /dev/null +++ b/queue-4.14/btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Anand Jain +Date: Tue, 9 Jan 2018 09:05:43 +0800 +Subject: btrfs: fail mount when sb flag is not in BTRFS_SUPER_FLAG_SUPP + +From: Anand Jain + + +[ Upstream commit 6f794e3c5c8f8fdd3b5bb20d9ded894e685b5bbe ] + +It appears from the original commit [1] that there isn't any design +specific reason not to fail the mount instead of just warning. This +patch will change it to fail. + +[1] + commit 319e4d0661e5323c9f9945f0f8fb5905e5fe74c3 + btrfs: Enhance super validation check + +Fixes: 319e4d0661e5323 ("btrfs: Enhance super validation check") +Signed-off-by: Anand Jain +Reviewed-by: Qu Wenruo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -4063,9 +4063,11 @@ static int btrfs_check_super_valid(struc + btrfs_err(fs_info, "no valid FS found"); + ret = -EINVAL; + } +- if (btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP) +- btrfs_warn(fs_info, "unrecognized super flag: %llu", ++ if (btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP) { ++ btrfs_err(fs_info, "unrecognized or unsupported super flag: %llu", + btrfs_super_flags(sb) & ~BTRFS_SUPER_FLAG_SUPP); ++ ret = -EINVAL; ++ } + if (btrfs_super_root_level(sb) >= BTRFS_MAX_LEVEL) { + btrfs_err(fs_info, "tree_root level too big: %d >= %d", + btrfs_super_root_level(sb), BTRFS_MAX_LEVEL); diff --git a/queue-4.14/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch b/queue-4.14/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch new file mode 100644 index 00000000000..af4d1153a61 --- /dev/null +++ b/queue-4.14/btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Nikolay Borisov +Date: Tue, 12 Dec 2017 11:14:49 +0200 +Subject: btrfs: Fix out of bounds access in btrfs_search_slot + +From: Nikolay Borisov + + +[ Upstream commit 9ea2c7c9da13c9073e371c046cbbc45481ecb459 ] + +When modifying a tree where the root is at BTRFS_MAX_LEVEL - 1 then +the level variable is going to be 7 (this is the max height of the +tree). On the other hand btrfs_cow_block is always called with +"level + 1" as an index into the nodes and slots arrays. This leads to +an out of bounds access. Admittdely this will be benign since an OOB +access of the nodes array will likely read the 0th element from the +slots array, which in this case is going to be 0 (since we start CoW at +the top of the tree). The OOB access into the slots array in turn will +read the 0th and 1st values of the locks array, which would both be 0 +at the time. However, this benign behavior relies on the fact that the +path being passed hasn't been initialised, if it has already been used to +query a btree then it could potentially have populated the nodes/slots arrays. + +Fix it by explicitly checking if we are at level 7 (the maximum allowed +index in nodes/slots arrays) and explicitly call the CoW routine with +NULL for parent's node/slot. + +Signed-off-by: Nikolay Borisov +Fixes-coverity-id: 711515 +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2774,6 +2774,8 @@ again: + * contention with the cow code + */ + if (cow) { ++ bool last_level = (level == (BTRFS_MAX_LEVEL - 1)); ++ + /* + * if we don't really need to cow this block + * then we don't want to set the path blocking, +@@ -2798,9 +2800,13 @@ again: + } + + btrfs_set_path_blocking(p); +- err = btrfs_cow_block(trans, root, b, +- p->nodes[level + 1], +- p->slots[level + 1], &b); ++ if (last_level) ++ err = btrfs_cow_block(trans, root, b, NULL, 0, ++ &b); ++ else ++ err = btrfs_cow_block(trans, root, b, ++ p->nodes[level + 1], ++ p->slots[level + 1], &b); + if (err) { + ret = err; + goto done; diff --git a/queue-4.14/btrfs-fix-scrub-to-repair-raid6-corruption.patch b/queue-4.14/btrfs-fix-scrub-to-repair-raid6-corruption.patch new file mode 100644 index 00000000000..4d1afab921e --- /dev/null +++ b/queue-4.14/btrfs-fix-scrub-to-repair-raid6-corruption.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Liu Bo +Date: Tue, 2 Jan 2018 13:36:41 -0700 +Subject: Btrfs: fix scrub to repair raid6 corruption + +From: Liu Bo + + +[ Upstream commit 762221f095e3932669093466aaf4b85ed9ad2ac1 ] + +The raid6 corruption is that, +suppose that all disks can be read without problems and if the content +that was read out doesn't match its checksum, currently for raid6 +btrfs at most retries twice, + +- the 1st retry is to rebuild with all other stripes, it'll eventually + be a raid5 xor rebuild, +- if the 1st fails, the 2nd retry will deliberately fail parity p so + that it will do raid6 style rebuild, + +however, the chances are that another non-parity stripe content also +has something corrupted, so that the above retries are not able to +return correct content. + +We've fixed normal reads to rebuild raid6 correctly with more retries +in Patch "Btrfs: make raid6 rebuild retry more"[1], this is to fix +scrub to do the exactly same rebuild process. + +[1]: https://patchwork.kernel.org/patch/10091755/ + +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/raid56.c | 18 ++++++++++++++---- + fs/btrfs/volumes.c | 9 ++++++++- + 2 files changed, 22 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -2159,11 +2159,21 @@ int raid56_parity_recover(struct btrfs_f + } + + /* +- * reconstruct from the q stripe if they are +- * asking for mirror 3 ++ * Loop retry: ++ * for 'mirror == 2', reconstruct from all other stripes. ++ * for 'mirror_num > 2', select a stripe to fail on every retry. + */ +- if (mirror_num == 3) +- rbio->failb = rbio->real_stripes - 2; ++ if (mirror_num > 2) { ++ /* ++ * 'mirror == 3' is to fail the p stripe and ++ * reconstruct from the q stripe. 'mirror > 3' is to ++ * fail a data stripe and reconstruct from p+q stripe. ++ */ ++ rbio->failb = rbio->real_stripes - (mirror_num - 1); ++ ASSERT(rbio->failb > 0); ++ if (rbio->failb <= rbio->faila) ++ rbio->failb--; ++ } + + ret = lock_stripe_add(rbio); + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -5101,7 +5101,14 @@ int btrfs_num_copies(struct btrfs_fs_inf + else if (map->type & BTRFS_BLOCK_GROUP_RAID5) + ret = 2; + else if (map->type & BTRFS_BLOCK_GROUP_RAID6) +- ret = 3; ++ /* ++ * There could be two corrupted data stripes, we need ++ * to loop retry in order to rebuild the correct data. ++ * ++ * Fail a stripe at a time on every retry except the ++ * stripe under reconstruction. ++ */ ++ ret = map->num_stripes; + else + ret = 1; + free_extent_map(em); diff --git a/queue-4.14/btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch b/queue-4.14/btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch new file mode 100644 index 00000000000..7f93aad5373 --- /dev/null +++ b/queue-4.14/btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch @@ -0,0 +1,150 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Liu Bo +Date: Fri, 5 Jan 2018 12:51:09 -0700 +Subject: Btrfs: fix unexpected EEXIST from btrfs_get_extent + +From: Liu Bo + + +[ Upstream commit 18e83ac75bfe67009c4ddcdd581bba8eb16f4030 ] + +This fixes a corner case that is caused by a race of dio write vs dio +read/write. + +Here is how the race could happen. + +Suppose that no extent map has been loaded into memory yet. +There is a file extent [0, 32K), two jobs are running concurrently +against it, t1 is doing dio write to [8K, 32K) and t2 is doing dio +read from [0, 4K) or [4K, 8K). + +t1 goes ahead of t2 and splits em [0, 32K) to em [0K, 8K) and [8K 32K). + +------------------------------------------------------ + t1 t2 + btrfs_get_blocks_direct() btrfs_get_blocks_direct() + -> btrfs_get_extent() -> btrfs_get_extent() + -> lookup_extent_mapping() + -> add_extent_mapping() -> lookup_extent_mapping() + # load [0, 32K) + -> btrfs_new_extent_direct() + -> btrfs_drop_extent_cache() + # split [0, 32K) and + # drop [8K, 32K) + -> add_extent_mapping() + # add [8K, 32K) + -> add_extent_mapping() + # handle -EEXIST when adding + # [0, 32K) +------------------------------------------------------ +About how t2(dio read/write) runs into -EEXIST: + +a) add_extent_mapping() gets -EEXIST for adding em [0, 32k), + +b) search_extent_mapping() then returns [0, 8k) as the existing em, + even though start == existing->start, em is [0, 32k) so that + extent_map_end(em) > extent_map_end(existing), i.e. 32k > 8k, + +c) then it goes thru merge_extent_mapping() which tries to add a [8k, 8k) + (with a length 0) and returns -EEXIST as [8k, 32k) is already in tree, + +d) so btrfs_get_extent() ends up returning -EEXIST to dio read/write, + which is confusing applications. + +Here I conclude all the possible situations, +1) start < existing->start + + +-----------+em+-----------+ ++--prev---+ | +-------------+ | +| | | | | | ++---------+ + +---+existing++ ++ + + + | + + + start + +2) start == existing->start + + +------------em------------+ + | +-------------+ | + | | | | + + +----existing-+ + + | + | + + + start + +3) start > existing->start && start < (existing->start + existing->len) + + +------------em------------+ + | +-------------+ | + | | | | + + +----existing-+ + + | + | + + + start + +4) start >= (existing->start + existing->len) + ++-----------+em+-----------+ +| +-------------+ | +--next---+ +| | | | | | ++ +---+existing++ + +---------+ + + + | + + + start + +As we can see, it turns out that if start is within existing em (front +inclusive), then the existing em should be returned as is, otherwise, +we try our best to merge candidate em with sibling ems to form a +larger em (in order to reduce the total number of em). + +Reported-by: David Vallender +Signed-off-by: Liu Bo +Reviewed-by: Josef Bacik +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 17 +++-------------- + 1 file changed, 3 insertions(+), 14 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -7265,19 +7265,12 @@ insert: + * existing will always be non-NULL, since there must be + * extent causing the -EEXIST. + */ +- if (existing->start == em->start && +- extent_map_end(existing) >= extent_map_end(em) && +- em->block_start == existing->block_start) { +- /* +- * The existing extent map already encompasses the +- * entire extent map we tried to add. +- */ ++ if (start >= existing->start && ++ start < extent_map_end(existing)) { + free_extent_map(em); + em = existing; + err = 0; +- +- } else if (start >= extent_map_end(existing) || +- start <= existing->start) { ++ } else { + /* + * The existing extent map is the one nearest to + * the [start, start + len) range which overlaps +@@ -7289,10 +7282,6 @@ insert: + free_extent_map(em); + em = NULL; + } +- } else { +- free_extent_map(em); +- em = existing; +- err = 0; + } + } + write_unlock(&em_tree->lock); diff --git a/queue-4.14/btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch b/queue-4.14/btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch new file mode 100644 index 00000000000..ca258e789c2 --- /dev/null +++ b/queue-4.14/btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch @@ -0,0 +1,90 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Liu Bo +Date: Tue, 9 Jan 2018 18:36:25 -0700 +Subject: Btrfs: raid56: fix race between merge_bio and rbio_orig_end_io + +From: Liu Bo + + +[ Upstream commit 7583d8d088ff2c323b1d4f15b191ca2c23d32558 ] + +Before rbio_orig_end_io() goes to free rbio, rbio may get merged with +more bios from other rbios and rbio->bio_list becomes non-empty, +in that case, these newly merged bios don't end properly. + +Once unlock_stripe() is done, rbio->bio_list will not be updated any +more and we can call bio_endio() on all queued bios. + +It should only happen in error-out cases, the normal path of recover +and full stripe write have already set RBIO_RMW_LOCKED_BIT to disable +merge before doing IO, so rbio_orig_end_io() called by them doesn't +have the above issue. + +Reported-by: Jérôme Carretero +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/raid56.c | 37 +++++++++++++++++++++++++------------ + 1 file changed, 25 insertions(+), 12 deletions(-) + +--- a/fs/btrfs/raid56.c ++++ b/fs/btrfs/raid56.c +@@ -858,10 +858,17 @@ static void __free_raid_bio(struct btrfs + kfree(rbio); + } + +-static void free_raid_bio(struct btrfs_raid_bio *rbio) ++static void rbio_endio_bio_list(struct bio *cur, blk_status_t err) + { +- unlock_stripe(rbio); +- __free_raid_bio(rbio); ++ struct bio *next; ++ ++ while (cur) { ++ next = cur->bi_next; ++ cur->bi_next = NULL; ++ cur->bi_status = err; ++ bio_endio(cur); ++ cur = next; ++ } + } + + /* +@@ -871,20 +878,26 @@ static void free_raid_bio(struct btrfs_r + static void rbio_orig_end_io(struct btrfs_raid_bio *rbio, blk_status_t err) + { + struct bio *cur = bio_list_get(&rbio->bio_list); +- struct bio *next; ++ struct bio *extra; + + if (rbio->generic_bio_cnt) + btrfs_bio_counter_sub(rbio->fs_info, rbio->generic_bio_cnt); + +- free_raid_bio(rbio); ++ /* ++ * At this moment, rbio->bio_list is empty, however since rbio does not ++ * always have RBIO_RMW_LOCKED_BIT set and rbio is still linked on the ++ * hash list, rbio may be merged with others so that rbio->bio_list ++ * becomes non-empty. ++ * Once unlock_stripe() is done, rbio->bio_list will not be updated any ++ * more and we can call bio_endio() on all queued bios. ++ */ ++ unlock_stripe(rbio); ++ extra = bio_list_get(&rbio->bio_list); ++ __free_raid_bio(rbio); + +- while (cur) { +- next = cur->bi_next; +- cur->bi_next = NULL; +- cur->bi_status = err; +- bio_endio(cur); +- cur = next; +- } ++ rbio_endio_bio_list(cur, err); ++ if (extra) ++ rbio_endio_bio_list(extra, err); + } + + /* diff --git a/queue-4.14/btrfs-set-plug-for-fsync.patch b/queue-4.14/btrfs-set-plug-for-fsync.patch new file mode 100644 index 00000000000..8b9bbaaacf8 --- /dev/null +++ b/queue-4.14/btrfs-set-plug-for-fsync.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Liu Bo +Date: Wed, 15 Nov 2017 16:10:28 -0700 +Subject: Btrfs: set plug for fsync + +From: Liu Bo + + +[ Upstream commit 343e4fc1c60971b0734de26dbbd475d433950982 ] + +Setting plug can merge adjacent IOs before dispatching IOs to the disk +driver. + +Without plug, it'd not be a problem for single disk usecases, but for +multiple disks using raid profile, a large IO can be split to several +IOs of stripe length, and plug can be helpful to bring them together +for each disk so that we can save several disk access. + +Moreover, fsync issues synchronous writes, so plug can really take +effect. + +Signed-off-by: Liu Bo +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2018,10 +2018,19 @@ int btrfs_release_file(struct inode *ino + static int start_ordered_ops(struct inode *inode, loff_t start, loff_t end) + { + int ret; ++ struct blk_plug plug; + ++ /* ++ * This is only called in fsync, which would do synchronous writes, so ++ * a plug can merge adjacent IOs as much as possible. Esp. in case of ++ * multiple disks using raid profile, a large IO can be split to ++ * several segments of stripe length (currently 64K). ++ */ ++ blk_start_plug(&plug); + atomic_inc(&BTRFS_I(inode)->sync_writers); + ret = btrfs_fdatawrite_range(inode, start, end); + atomic_dec(&BTRFS_I(inode)->sync_writers); ++ blk_finish_plug(&plug); + + return ret; + } diff --git a/queue-4.14/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch b/queue-4.14/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch new file mode 100644 index 00000000000..9cd16c093e9 --- /dev/null +++ b/queue-4.14/cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnd Bergmann +Date: Fri, 2 Feb 2018 16:48:47 +0100 +Subject: cifs: silence compiler warnings showing up with gcc-8.0.0 + +From: Arnd Bergmann + + +[ Upstream commit ade7db991b47ab3016a414468164f4966bd08202 ] + +This bug was fixed before, but came up again with the latest +compiler in another function: + +fs/cifs/cifssmb.c: In function 'CIFSSMBSetEA': +fs/cifs/cifssmb.c:6362:3: error: 'strncpy' offset 8 is out of the bounds [0, 4] [-Werror=array-bounds] + strncpy(parm_data->list[0].name, ea_name, name_len); + +Let's apply the same fix that was used for the other instances. + +Fixes: b2a3ad9ca502 ("cifs: silence compiler warnings showing up with gcc-4.7.0") +Signed-off-by: Arnd Bergmann +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifssmb.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -6331,9 +6331,7 @@ SetEARetry: + pSMB->InformationLevel = + cpu_to_le16(SMB_SET_FILE_EA); + +- parm_data = +- (struct fealist *) (((char *) &pSMB->hdr.Protocol) + +- offset); ++ parm_data = (void *)pSMB + offsetof(struct smb_hdr, Protocol) + offset; + pSMB->ParameterOffset = cpu_to_le16(param_offset); + pSMB->DataOffset = cpu_to_le16(offset); + pSMB->SetupCount = 1; diff --git a/queue-4.14/cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch b/queue-4.14/cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch new file mode 100644 index 00000000000..95f9fb73990 --- /dev/null +++ b/queue-4.14/cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Chen Yu +Date: Mon, 29 Jan 2018 10:27:57 +0800 +Subject: cpufreq: intel_pstate: Enable HWP during system resume on CPU0 + +From: Chen Yu + + +[ Upstream commit 70f6bf2a3b7e40c3f802b0ea837762a8bc6c1430 ] + +When maxcpus=1 is in the kernel command line, the BP is responsible +for re-enabling the HWP - because currently only the APs invoke +intel_pstate_hwp_enable() during their online process - which might +put the system into unstable state after resume. + +Fix this by enabling the HWP explicitly on BP during resume. + +Reported-by: Doug Smythies +Suggested-by: Srinivas Pandruvada +Signed-off-by: Yu Chen +[ rjw: Subject/changelog, minor modifications ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/intel_pstate.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -779,6 +779,8 @@ static int intel_pstate_hwp_save_state(s + return 0; + } + ++static void intel_pstate_hwp_enable(struct cpudata *cpudata); ++ + static int intel_pstate_resume(struct cpufreq_policy *policy) + { + if (!hwp_active) +@@ -786,6 +788,9 @@ static int intel_pstate_resume(struct cp + + mutex_lock(&intel_pstate_limits_lock); + ++ if (policy->cpu == 0) ++ intel_pstate_hwp_enable(all_cpu_data[policy->cpu]); ++ + all_cpu_data[policy->cpu]->epp_policy = 0; + intel_pstate_hwp_set(policy->cpu); + diff --git a/queue-4.14/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch b/queue-4.14/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch new file mode 100644 index 00000000000..e528348fd77 --- /dev/null +++ b/queue-4.14/cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Michael Kelley +Date: Wed, 14 Feb 2018 02:54:03 +0000 +Subject: cpumask: Make for_each_cpu_wrap() available on UP as well + +From: Michael Kelley + + +[ Upstream commit d207af2eab3f8668b95ad02b21930481c42806fd ] + +for_each_cpu_wrap() was originally added in the #else half of a +large "#if NR_CPUS == 1" statement, but was omitted in the #if +half. This patch adds the missing #if half to prevent compile +errors when NR_CPUS is 1. + +Reported-by: kbuild test robot +Signed-off-by: Michael Kelley +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kys@microsoft.com +Cc: martin.petersen@oracle.com +Cc: mikelley@microsoft.com +Fixes: c743f0a5c50f ("sched/fair, cpumask: Export for_each_cpu_wrap()") +Link: http://lkml.kernel.org/r/SN6PR1901MB2045F087F59450507D4FCC17CBF50@SN6PR1901MB2045.namprd19.prod.outlook.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/cpumask.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/cpumask.h ++++ b/include/linux/cpumask.h +@@ -165,6 +165,8 @@ static inline unsigned int cpumask_local + for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask) + #define for_each_cpu_not(cpu, mask) \ + for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask) ++#define for_each_cpu_wrap(cpu, mask, start) \ ++ for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask, (void)(start)) + #define for_each_cpu_and(cpu, mask, and) \ + for ((cpu) = 0; (cpu) < 1; (cpu)++, (void)mask, (void)and) + #else diff --git a/queue-4.14/crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch b/queue-4.14/crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch new file mode 100644 index 00000000000..2c3def30d44 --- /dev/null +++ b/queue-4.14/crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Corentin LABBE +Date: Wed, 17 Jan 2018 19:50:56 +0100 +Subject: crypto: artpec6 - remove select on non-existing CRYPTO_SHA384 + +From: Corentin LABBE + + +[ Upstream commit 980b4c95e78e4113cb7b9f430f121dab1c814b6c ] + +Since CRYPTO_SHA384 does not exists, Kconfig should not select it. +Anyway, all SHA384 stuff is in CRYPTO_SHA512 which is already selected. + +Fixes: a21eb94fc4d3i ("crypto: axis - add ARTPEC-6/7 crypto accelerator driver") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/crypto/Kconfig ++++ b/drivers/crypto/Kconfig +@@ -721,7 +721,6 @@ config CRYPTO_DEV_ARTPEC6 + select CRYPTO_HASH + select CRYPTO_SHA1 + select CRYPTO_SHA256 +- select CRYPTO_SHA384 + select CRYPTO_SHA512 + help + Enables the driver for the on-chip crypto accelerator diff --git a/queue-4.14/device-property-define-type-of-property_enrty_-macros.patch b/queue-4.14/device-property-define-type-of-property_enrty_-macros.patch new file mode 100644 index 00000000000..ba390bac1a7 --- /dev/null +++ b/queue-4.14/device-property-define-type-of-property_enrty_-macros.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Andy Shevchenko +Date: Mon, 22 Jan 2018 18:01:42 +0200 +Subject: device property: Define type of PROPERTY_ENRTY_*() macros + +From: Andy Shevchenko + + +[ Upstream commit c505cbd45f6e9c539d57dd171d95ec7e5e9f9cd0 ] + +Some of the drivers may use the macro at runtime flow, like + + struct property_entry p[10]; +... + p[index++] = PROPERTY_ENTRY_U8("u8 property", u8_data); + +In that case and absence of the data type compiler fails the build: + +drivers/char/ipmi/ipmi_dmi.c:79:29: error: Expected ; at end of statement +drivers/char/ipmi/ipmi_dmi.c:79:29: error: got { + +Acked-by: Corey Minyard +Cc: Corey Minyard +Signed-off-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/property.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/include/linux/property.h ++++ b/include/linux/property.h +@@ -206,7 +206,7 @@ struct property_entry { + */ + + #define PROPERTY_ENTRY_INTEGER_ARRAY(_name_, _type_, _val_) \ +-{ \ ++(struct property_entry) { \ + .name = _name_, \ + .length = ARRAY_SIZE(_val_) * sizeof(_type_), \ + .is_array = true, \ +@@ -224,7 +224,7 @@ struct property_entry { + PROPERTY_ENTRY_INTEGER_ARRAY(_name_, u64, _val_) + + #define PROPERTY_ENTRY_STRING_ARRAY(_name_, _val_) \ +-{ \ ++(struct property_entry) { \ + .name = _name_, \ + .length = ARRAY_SIZE(_val_) * sizeof(const char *), \ + .is_array = true, \ +@@ -233,7 +233,7 @@ struct property_entry { + } + + #define PROPERTY_ENTRY_INTEGER(_name_, _type_, _val_) \ +-{ \ ++(struct property_entry) { \ + .name = _name_, \ + .length = sizeof(_type_), \ + .is_string = false, \ +@@ -250,7 +250,7 @@ struct property_entry { + PROPERTY_ENTRY_INTEGER(_name_, u64, _val_) + + #define PROPERTY_ENTRY_STRING(_name_, _val_) \ +-{ \ ++(struct property_entry) { \ + .name = _name_, \ + .length = sizeof(_val_), \ + .is_string = true, \ +@@ -258,7 +258,7 @@ struct property_entry { + } + + #define PROPERTY_ENTRY_BOOL(_name_) \ +-{ \ ++(struct property_entry) { \ + .name = _name_, \ + } + diff --git a/queue-4.14/dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch b/queue-4.14/dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch new file mode 100644 index 00000000000..efd791aac84 --- /dev/null +++ b/queue-4.14/dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ming Lei +Date: Thu, 11 Jan 2018 14:01:56 +0800 +Subject: dm mpath: return DM_MAPIO_REQUEUE on blk-mq rq allocation failure + +From: Ming Lei + + +[ Upstream commit 050af08ffb1b62af69196d61c22a0755f9a3cdbd ] + +blk-mq will rerun queue via RESTART or dispatch wake after one request +is completed, so not necessary to wait random time for requeuing, we +should trust blk-mq to do it. + +More importantly, we need to return BLK_STS_RESOURCE to blk-mq so that +dequeuing from the I/O scheduler can be stopped, this results in +improved I/O merging. + +Signed-off-by: Ming Lei +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-mpath.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -502,8 +502,20 @@ static int multipath_clone_and_map(struc + if (queue_dying) { + atomic_inc(&m->pg_init_in_progress); + activate_or_offline_path(pgpath); ++ return DM_MAPIO_DELAY_REQUEUE; + } +- return DM_MAPIO_DELAY_REQUEUE; ++ ++ /* ++ * blk-mq's SCHED_RESTART can cover this requeue, so we ++ * needn't deal with it by DELAY_REQUEUE. More importantly, ++ * we have to return DM_MAPIO_REQUEUE so that blk-mq can ++ * get the queue busy feedback (via BLK_STS_RESOURCE), ++ * otherwise I/O merging can suffer. ++ */ ++ if (q->mq_ops) ++ return DM_MAPIO_REQUEUE; ++ else ++ return DM_MAPIO_DELAY_REQUEUE; + } + clone->bio = clone->biotail = NULL; + clone->rq_disk = bdev->bd_disk; diff --git a/queue-4.14/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch b/queue-4.14/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch new file mode 100644 index 00000000000..45e3bcbebc8 --- /dev/null +++ b/queue-4.14/dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: mulhern +Date: Mon, 27 Nov 2017 10:02:39 -0500 +Subject: dm thin: fix documentation relative to low water mark threshold + +From: mulhern + + +[ Upstream commit 9b28a1102efc75d81298198166ead87d643a29ce ] + +Fixes: +1. The use of "exceeds" when the opposite of exceeds, falls below, +was meant. +2. Properly speaking, a table can not exceed a threshold. + +It emphasizes the important point, which is that it is the userspace +daemon's responsibility to check for low free space when a device +is resumed, since it won't get a special event indicating low free +space in that situation. + +Signed-off-by: mulhern +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/device-mapper/thin-provisioning.txt | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/Documentation/device-mapper/thin-provisioning.txt ++++ b/Documentation/device-mapper/thin-provisioning.txt +@@ -112,9 +112,11 @@ $low_water_mark is expressed in blocks o + free space on the data device drops below this level then a dm event + will be triggered which a userspace daemon should catch allowing it to + extend the pool device. Only one such event will be sent. +-Resuming a device with a new table itself triggers an event so the +-userspace daemon can use this to detect a situation where a new table +-already exceeds the threshold. ++ ++No special event is triggered if a just resumed device's free space is below ++the low water mark. However, resuming a device always triggers an ++event; a userspace daemon should verify that free space exceeds the low ++water mark when handling this event. + + A low water mark for the metadata device is maintained in the kernel and + will trigger a dm event if free space on the metadata device drops below diff --git a/queue-4.14/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch b/queue-4.14/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch new file mode 100644 index 00000000000..5b7b19d90c0 --- /dev/null +++ b/queue-4.14/drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch @@ -0,0 +1,3088 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Karol Herbst +Date: Mon, 6 Nov 2017 16:32:41 +0100 +Subject: drm/nouveau/pmu/fuc: don't use movw directly anymore + +From: Karol Herbst + + +[ Upstream commit fe9748b7b41cee11f8db57fb8b20bc540a33102a ] + +Fixes failure to compile with recent envyas as a result of the 'movw' +alias being removed for v5. + +A bit of history: + +v3 only has a 16-bit sign-extended immediate mov op. In order to set +the high bits, there's a separate 'sethi' op. envyas validates that +the value passed to mov(imm) is between -0x8000 and 0x7fff. In order +to simplify macros that load both the low and high word, a 'movw' +alias was added which takes an unsigned 16-bit immediate. However the +actual hardware op still sign extends. + +v5 has a full 32-bit immediate mov op. The v3 16-bit immediate mov op +is gone (loads 0 into the dst reg). However due to a bug in envyas, +the movw alias still existed, and selected the no-longer-present v3 +16-bit immediate mov op. As a result usage of movw on v5 is the same +as mov with a 0x0 argument. + +The proper fix throughout is to only ever use the 'movw' alias in +combination with 'sethi'. Anything else should get the sign-extended +validation to ensure that the intended value ends up in the +destination register. + +Changes in fuc3 binaries is the result of a different encoding being +selected for a mov with an 8-bit value. + +v2: added commit message written by Ilia, thanks for that! +v3: messed up rebasing, now it should apply + +Signed-off-by: Karol Herbst +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h | 746 +++++------ + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h | 802 +++++------ + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h | 1006 +++++++-------- + drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc | 30 + 4 files changed, 1292 insertions(+), 1292 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gf100.fuc3.h +@@ -47,8 +47,8 @@ static uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x00000756, +- 0x00000748, ++ 0x00000754, ++ 0x00000746, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -69,8 +69,8 @@ static uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x0000075a, + 0x00000758, ++ 0x00000756, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -91,8 +91,8 @@ static uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x00000b8a, +- 0x00000a2d, ++ 0x00000b88, ++ 0x00000a2b, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -113,8 +113,8 @@ static uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000bb3, +- 0x00000b8c, ++ 0x00000bb1, ++ 0x00000b8a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -135,8 +135,8 @@ static uint32_t gf100_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000bbf, + 0x00000bbd, ++ 0x00000bbb, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -237,19 +237,19 @@ static uint32_t gf100_pmu_data[] = { + 0x000005d3, + 0x00000003, + 0x00000002, +- 0x0000069d, ++ 0x0000069b, + 0x00040004, + 0x00000000, +- 0x000006b9, ++ 0x000006b7, + 0x00010005, + 0x00000000, +- 0x000006d6, ++ 0x000006d4, + 0x00010006, + 0x00000000, + 0x0000065b, + 0x00000007, + 0x00000000, +- 0x000006e1, ++ 0x000006df, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 0x00000000, +@@ -1373,432 +1373,432 @@ static uint32_t gf100_pmu_code[] = { + /* 0x065b: memx_func_wait_vblank */ + 0x9800f840, + 0x66b00016, +- 0x130bf400, ++ 0x120bf400, + 0xf40166b0, + 0x0ef4060b, + /* 0x066d: memx_func_wait_vblank_head1 */ +- 0x2077f12e, +- 0x070ef400, +-/* 0x0674: memx_func_wait_vblank_head0 */ +- 0x000877f1, +-/* 0x0678: memx_func_wait_vblank_0 */ +- 0x07c467f1, +- 0xcf0664b6, +- 0x67fd0066, +- 0xf31bf404, +-/* 0x0688: memx_func_wait_vblank_1 */ +- 0x07c467f1, +- 0xcf0664b6, +- 0x67fd0066, +- 0xf30bf404, +-/* 0x0698: memx_func_wait_vblank_fini */ +- 0xf80410b6, +-/* 0x069d: memx_func_wr32 */ +- 0x00169800, +- 0xb6011598, +- 0x60f90810, +- 0xd0fc50f9, +- 0x21f4e0fc, +- 0x0242b640, +- 0xf8e91bf4, +-/* 0x06b9: memx_func_wait */ +- 0x2c87f000, +- 0xcf0684b6, +- 0x1e980088, +- 0x011d9800, +- 0x98021c98, +- 0x10b6031b, +- 0xa321f410, +-/* 0x06d6: memx_func_delay */ +- 0x1e9800f8, +- 0x0410b600, +- 0xf87e21f4, +-/* 0x06e1: memx_func_train */ +-/* 0x06e3: memx_exec */ +- 0xf900f800, +- 0xb9d0f9e0, +- 0xb2b902c1, +-/* 0x06ed: memx_exec_next */ +- 0x00139802, +- 0xe70410b6, +- 0xe701f034, +- 0xb601e033, +- 0x30f00132, +- 0xde35980c, +- 0x12b855f9, +- 0xe41ef406, +- 0x98f10b98, +- 0xcbbbf20c, +- 0xc4b7f102, +- 0x06b4b607, +- 0xfc00bbcf, +- 0xf5e0fcd0, +- 0xf8033621, +-/* 0x0729: memx_info */ +- 0x01c67000, +-/* 0x072f: memx_info_data */ +- 0xf10e0bf4, +- 0xf103ccc7, +- 0xf40800b7, +-/* 0x073a: memx_info_train */ +- 0xc7f10b0e, +- 0xb7f10bcc, +-/* 0x0742: memx_info_send */ +- 0x21f50100, +- 0x00f80336, +-/* 0x0748: memx_recv */ +- 0xf401d6b0, +- 0xd6b0980b, +- 0xd80bf400, +-/* 0x0756: memx_init */ +- 0x00f800f8, +-/* 0x0758: perf_recv */ +-/* 0x075a: perf_init */ ++ 0x2077f02c, ++/* 0x0673: memx_func_wait_vblank_head0 */ ++ 0xf0060ef4, ++/* 0x0676: memx_func_wait_vblank_0 */ ++ 0x67f10877, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x0686: memx_func_wait_vblank_1 */ ++ 0x67f1f31b, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x0696: memx_func_wait_vblank_fini */ ++ 0x10b6f30b, ++/* 0x069b: memx_func_wr32 */ ++ 0x9800f804, ++ 0x15980016, ++ 0x0810b601, ++ 0x50f960f9, ++ 0xe0fcd0fc, ++ 0xb64021f4, ++ 0x1bf40242, ++/* 0x06b7: memx_func_wait */ ++ 0xf000f8e9, ++ 0x84b62c87, ++ 0x0088cf06, ++ 0x98001e98, ++ 0x1c98011d, ++ 0x031b9802, ++ 0xf41010b6, ++ 0x00f8a321, ++/* 0x06d4: memx_func_delay */ ++ 0xb6001e98, ++ 0x21f40410, ++/* 0x06df: memx_func_train */ ++ 0xf800f87e, ++/* 0x06e1: memx_exec */ ++ 0xf9e0f900, ++ 0x02c1b9d0, ++/* 0x06eb: memx_exec_next */ ++ 0x9802b2b9, ++ 0x10b60013, ++ 0xf034e704, ++ 0xe033e701, ++ 0x0132b601, ++ 0x980c30f0, ++ 0x55f9de35, ++ 0xf40612b8, ++ 0x0b98e41e, ++ 0xf20c98f1, ++ 0xf102cbbb, ++ 0xb607c4b7, ++ 0xbbcf06b4, ++ 0xfcd0fc00, ++ 0x3621f5e0, ++/* 0x0727: memx_info */ ++ 0x7000f803, ++ 0x0bf401c6, ++/* 0x072d: memx_info_data */ ++ 0xccc7f10e, ++ 0x00b7f103, ++ 0x0b0ef408, ++/* 0x0738: memx_info_train */ ++ 0x0bccc7f1, ++ 0x0100b7f1, ++/* 0x0740: memx_info_send */ ++ 0x033621f5, ++/* 0x0746: memx_recv */ ++ 0xd6b000f8, ++ 0x980bf401, ++ 0xf400d6b0, ++ 0x00f8d80b, ++/* 0x0754: memx_init */ ++/* 0x0756: perf_recv */ + 0x00f800f8, +-/* 0x075c: i2c_drive_scl */ +- 0xf40036b0, +- 0x07f1110b, +- 0x04b607e0, +- 0x0001d006, +- 0x00f804bd, +-/* 0x0770: i2c_drive_scl_lo */ +- 0x07e407f1, +- 0xd00604b6, +- 0x04bd0001, +-/* 0x077e: i2c_drive_sda */ ++/* 0x0758: perf_init */ ++/* 0x075a: i2c_drive_scl */ + 0x36b000f8, + 0x110bf400, + 0x07e007f1, + 0xd00604b6, +- 0x04bd0002, +-/* 0x0792: i2c_drive_sda_lo */ ++ 0x04bd0001, ++/* 0x076e: i2c_drive_scl_lo */ + 0x07f100f8, + 0x04b607e4, ++ 0x0001d006, ++ 0x00f804bd, ++/* 0x077c: i2c_drive_sda */ ++ 0xf40036b0, ++ 0x07f1110b, ++ 0x04b607e0, + 0x0002d006, + 0x00f804bd, +-/* 0x07a0: i2c_sense_scl */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0431fd00, +- 0xf4060bf4, +-/* 0x07b6: i2c_sense_scl_done */ +- 0x00f80131, +-/* 0x07b8: i2c_sense_sda */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0432fd00, +- 0xf4060bf4, +-/* 0x07ce: i2c_sense_sda_done */ +- 0x00f80131, +-/* 0x07d0: i2c_raise_scl */ +- 0x47f140f9, +- 0x37f00898, +- 0x5c21f501, +-/* 0x07dd: i2c_raise_scl_wait */ +- 0xe8e7f107, +- 0x7e21f403, +- 0x07a021f5, +- 0xb60901f4, +- 0x1bf40142, +-/* 0x07f1: i2c_raise_scl_done */ +- 0xf840fcef, +-/* 0x07f5: i2c_start */ +- 0xa021f500, +- 0x0d11f407, +- 0x07b821f5, +- 0xf40611f4, +-/* 0x0806: i2c_start_rep */ +- 0x37f0300e, +- 0x5c21f500, +- 0x0137f007, +- 0x077e21f5, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0xd021f550, +- 0x0464b607, +-/* 0x0833: i2c_start_send */ +- 0xf01f11f4, ++/* 0x0790: i2c_drive_sda_lo */ ++ 0x07e407f1, ++ 0xd00604b6, ++ 0x04bd0002, ++/* 0x079e: i2c_sense_scl */ ++ 0x32f400f8, ++ 0xc437f101, ++ 0x0634b607, ++ 0xfd0033cf, ++ 0x0bf40431, ++ 0x0131f406, ++/* 0x07b4: i2c_sense_scl_done */ ++/* 0x07b6: i2c_sense_sda */ ++ 0x32f400f8, ++ 0xc437f101, ++ 0x0634b607, ++ 0xfd0033cf, ++ 0x0bf40432, ++ 0x0131f406, ++/* 0x07cc: i2c_sense_sda_done */ ++/* 0x07ce: i2c_raise_scl */ ++ 0x40f900f8, ++ 0x089847f1, ++ 0xf50137f0, ++/* 0x07db: i2c_raise_scl_wait */ ++ 0xf1075a21, ++ 0xf403e8e7, ++ 0x21f57e21, ++ 0x01f4079e, ++ 0x0142b609, ++/* 0x07ef: i2c_raise_scl_done */ ++ 0xfcef1bf4, ++/* 0x07f3: i2c_start */ ++ 0xf500f840, ++ 0xf4079e21, ++ 0x21f50d11, ++ 0x11f407b6, ++ 0x300ef406, ++/* 0x0804: i2c_start_rep */ ++ 0xf50037f0, ++ 0xf0075a21, ++ 0x21f50137, ++ 0x76bb077c, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb607ce21, ++ 0x11f40464, ++/* 0x0831: i2c_start_send */ ++ 0x0037f01f, ++ 0x077c21f5, ++ 0x1388e7f1, ++ 0xf07e21f4, + 0x21f50037, +- 0xe7f1077e, ++ 0xe7f1075a, + 0x21f41388, +- 0x0037f07e, +- 0x075c21f5, +- 0x1388e7f1, +-/* 0x084f: i2c_start_out */ +- 0xf87e21f4, +-/* 0x0851: i2c_stop */ +- 0x0037f000, +- 0x075c21f5, +- 0xf50037f0, +- 0xf1077e21, +- 0xf403e8e7, +- 0x37f07e21, +- 0x5c21f501, +- 0x88e7f107, +- 0x7e21f413, ++/* 0x084d: i2c_start_out */ ++/* 0x084f: i2c_stop */ ++ 0xf000f87e, ++ 0x21f50037, ++ 0x37f0075a, ++ 0x7c21f500, ++ 0xe8e7f107, ++ 0x7e21f403, + 0xf50137f0, +- 0xf1077e21, ++ 0xf1075a21, + 0xf41388e7, +- 0x00f87e21, +-/* 0x0884: i2c_bitw */ +- 0x077e21f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x07d021f5, +- 0xf40464b6, +- 0xe7f11811, +- 0x21f41388, +- 0x0037f07e, +- 0x075c21f5, +- 0x1388e7f1, +-/* 0x08c3: i2c_bitw_out */ +- 0xf87e21f4, +-/* 0x08c5: i2c_bitr */ +- 0x0137f000, +- 0x077e21f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x07d021f5, +- 0xf40464b6, +- 0x21f51b11, +- 0x37f007b8, +- 0x5c21f500, ++ 0x37f07e21, ++ 0x7c21f501, + 0x88e7f107, + 0x7e21f413, +- 0xf4013cf0, +-/* 0x090a: i2c_bitr_done */ +- 0x00f80131, +-/* 0x090c: i2c_get_byte */ +- 0xf00057f0, +-/* 0x0912: i2c_get_byte_next */ +- 0x54b60847, +- 0x0076bb01, ++/* 0x0882: i2c_bitw */ ++ 0x21f500f8, ++ 0xe7f1077c, ++ 0x21f403e8, ++ 0x0076bb7e, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b608c5, +- 0x2b11f404, +- 0xb60553fd, +- 0x1bf40142, +- 0x0137f0d8, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0x8421f550, +- 0x0464b608, +-/* 0x095c: i2c_get_byte_done */ +-/* 0x095e: i2c_put_byte */ +- 0x47f000f8, +-/* 0x0961: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, ++ 0x64b607ce, ++ 0x1811f404, ++ 0x1388e7f1, ++ 0xf07e21f4, ++ 0x21f50037, ++ 0xe7f1075a, ++ 0x21f41388, ++/* 0x08c1: i2c_bitw_out */ ++/* 0x08c3: i2c_bitr */ ++ 0xf000f87e, ++ 0x21f50137, ++ 0xe7f1077c, ++ 0x21f403e8, ++ 0x0076bb7e, ++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b607ce, ++ 0x1b11f404, ++ 0x07b621f5, ++ 0xf50037f0, ++ 0xf1075a21, ++ 0xf41388e7, ++ 0x3cf07e21, ++ 0x0131f401, ++/* 0x0908: i2c_bitr_done */ ++/* 0x090a: i2c_get_byte */ ++ 0x57f000f8, ++ 0x0847f000, ++/* 0x0910: i2c_get_byte_next */ ++ 0xbb0154b6, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x088421f5, ++ 0x08c321f5, + 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0xc521f550, +- 0x0464b608, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x09b7: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x09b9: i2c_addr */ +- 0x0076bb00, ++ 0x53fd2b11, ++ 0x0142b605, ++ 0xf0d81bf4, ++ 0x76bb0137, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb6088221, ++/* 0x095a: i2c_get_byte_done */ ++ 0x00f80464, ++/* 0x095c: i2c_put_byte */ ++/* 0x095f: i2c_put_byte_next */ ++ 0xb60847f0, ++ 0x54ff0142, ++ 0x0076bb38, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b607f5, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, ++ 0x64b60882, ++ 0x3411f404, ++ 0xf40046b0, ++ 0x76bbd81b, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb6095e21, +-/* 0x09fe: i2c_addr_done */ +- 0x00f80464, +-/* 0x0a00: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b702e4, +- 0xee980d1c, +-/* 0x0a0f: i2c_acquire */ +- 0xf500f800, +- 0xf40a0021, +- 0xd9f00421, +- 0x4021f403, +-/* 0x0a1e: i2c_release */ +- 0x21f500f8, +- 0x21f40a00, +- 0x03daf004, +- 0xf84021f4, +-/* 0x0a2d: i2c_recv */ +- 0x0132f400, +- 0xb6f8c1c7, +- 0x16b00214, +- 0x3a1ff528, +- 0xf413a001, +- 0x0032980c, +- 0x0ccc13a0, +- 0xf4003198, +- 0xd0f90231, +- 0xd0f9e0f9, +- 0x000067f1, +- 0x100063f1, +- 0xbb016792, ++ 0xb608c321, ++ 0x11f40464, ++ 0x0076bb0f, ++ 0xf40136b0, ++ 0x32f4061b, ++/* 0x09b5: i2c_put_byte_done */ ++/* 0x09b7: i2c_addr */ ++ 0xbb00f801, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0a0f21f5, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b31bf5, +- 0xbb0057f0, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x09b921f5, +- 0xf50464b6, +- 0xc700d011, +- 0x76bbe0c5, +- 0x0465b600, +- 0x659450f9, +- 0x0256bb04, +- 0x75fd50bd, +- 0xf550fc04, +- 0xb6095e21, +- 0x11f50464, +- 0x57f000ad, ++ 0x07f321f5, ++ 0xf40464b6, ++ 0xc3e72911, ++ 0x34b6012e, ++ 0x0553fd01, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x5c21f550, ++ 0x0464b609, ++/* 0x09fc: i2c_addr_done */ ++/* 0x09fe: i2c_acquire_addr */ ++ 0xcec700f8, ++ 0x02e4b6f8, ++ 0x0d1ce0b7, ++ 0xf800ee98, ++/* 0x0a0d: i2c_acquire */ ++ 0xfe21f500, ++ 0x0421f409, ++ 0xf403d9f0, ++ 0x00f84021, ++/* 0x0a1c: i2c_release */ ++ 0x09fe21f5, ++ 0xf00421f4, ++ 0x21f403da, ++/* 0x0a2b: i2c_recv */ ++ 0xf400f840, ++ 0xc1c70132, ++ 0x0214b6f8, ++ 0xf52816b0, ++ 0xa0013a1f, ++ 0x980cf413, ++ 0x13a00032, ++ 0x31980ccc, ++ 0x0231f400, ++ 0xe0f9d0f9, ++ 0x67f1d0f9, ++ 0x63f10000, ++ 0x67921000, + 0x0076bb01, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b609b9, +- 0x8a11f504, ++ 0x64b60a0d, ++ 0xb0d0fc04, ++ 0x1bf500d6, ++ 0x57f000b3, + 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b6090c, +- 0x6a11f404, +- 0xbbe05bcb, ++ 0x64b609b7, ++ 0xd011f504, ++ 0xe0c5c700, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x5c21f550, ++ 0x0464b609, ++ 0x00ad11f5, ++ 0xbb0157f0, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x085121f5, +- 0xb90464b6, +- 0x74bd025b, +-/* 0x0b33: i2c_recv_not_rd08 */ +- 0xb0430ef4, +- 0x1bf401d6, +- 0x0057f03d, +- 0x09b921f5, +- 0xc73311f4, +- 0x21f5e0c5, +- 0x11f4095e, +- 0x0057f029, +- 0x09b921f5, +- 0xc71f11f4, +- 0x21f5e0b5, +- 0x11f4095e, +- 0x5121f515, +- 0xc774bd08, +- 0x1bf408c5, +- 0x0232f409, +-/* 0x0b73: i2c_recv_not_wr08 */ +-/* 0x0b73: i2c_recv_done */ +- 0xc7030ef4, +- 0x21f5f8ce, +- 0xe0fc0a1e, +- 0x12f4d0fc, +- 0x027cb90a, +- 0x033621f5, +-/* 0x0b88: i2c_recv_exit */ +-/* 0x0b8a: i2c_init */ +- 0x00f800f8, +-/* 0x0b8c: test_recv */ +- 0x05d817f1, ++ 0x09b721f5, ++ 0xf50464b6, ++ 0xbb008a11, ++ 0x65b60076, ++ 0x9450f904, ++ 0x56bb0465, ++ 0xfd50bd02, ++ 0x50fc0475, ++ 0x090a21f5, ++ 0xf40464b6, ++ 0x5bcb6a11, ++ 0x0076bbe0, ++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b6084f, ++ 0x025bb904, ++ 0x0ef474bd, ++/* 0x0b31: i2c_recv_not_rd08 */ ++ 0x01d6b043, ++ 0xf03d1bf4, ++ 0x21f50057, ++ 0x11f409b7, ++ 0xe0c5c733, ++ 0x095c21f5, ++ 0xf02911f4, ++ 0x21f50057, ++ 0x11f409b7, ++ 0xe0b5c71f, ++ 0x095c21f5, ++ 0xf51511f4, ++ 0xbd084f21, ++ 0x08c5c774, ++ 0xf4091bf4, ++ 0x0ef40232, ++/* 0x0b71: i2c_recv_not_wr08 */ ++/* 0x0b71: i2c_recv_done */ ++ 0xf8cec703, ++ 0x0a1c21f5, ++ 0xd0fce0fc, ++ 0xb90a12f4, ++ 0x21f5027c, ++/* 0x0b86: i2c_recv_exit */ ++ 0x00f80336, ++/* 0x0b88: i2c_init */ ++/* 0x0b8a: test_recv */ ++ 0x17f100f8, ++ 0x14b605d8, ++ 0x0011cf06, ++ 0xf10110b6, ++ 0xb605d807, ++ 0x01d00604, ++ 0xf104bd00, ++ 0xf1d900e7, ++ 0xf5134fe3, ++ 0xf8025621, ++/* 0x0bb1: test_init */ ++ 0x00e7f100, ++ 0x5621f508, ++/* 0x0bbb: idle_recv */ ++ 0xf800f802, ++/* 0x0bbd: idle */ ++ 0x0031f400, ++ 0x05d417f1, + 0xcf0614b6, + 0x10b60011, +- 0xd807f101, ++ 0xd407f101, + 0x0604b605, + 0xbd0001d0, +- 0x00e7f104, +- 0x4fe3f1d9, +- 0x5621f513, +-/* 0x0bb3: test_init */ +- 0xf100f802, +- 0xf50800e7, +- 0xf8025621, +-/* 0x0bbd: idle_recv */ +-/* 0x0bbf: idle */ +- 0xf400f800, +- 0x17f10031, +- 0x14b605d4, +- 0x0011cf06, +- 0xf10110b6, +- 0xb605d407, +- 0x01d00604, +-/* 0x0bdb: idle_loop */ +- 0xf004bd00, +- 0x32f45817, +-/* 0x0be1: idle_proc */ +-/* 0x0be1: idle_proc_exec */ +- 0xb910f902, +- 0x21f5021e, +- 0x10fc033f, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0bf5: idle_proc_next */ +- 0x5810b6ef, +- 0xf4061fb8, +- 0x02f4e61b, +- 0x0028f4dd, +- 0x00bb0ef4, ++/* 0x0bd9: idle_loop */ ++ 0x5817f004, ++/* 0x0bdf: idle_proc */ ++/* 0x0bdf: idle_proc_exec */ ++ 0xf90232f4, ++ 0x021eb910, ++ 0x033f21f5, ++ 0x11f410fc, ++ 0x0231f409, ++/* 0x0bf3: idle_proc_next */ ++ 0xb6ef0ef4, ++ 0x1fb85810, ++ 0xe61bf406, ++ 0xf4dd02f4, ++ 0x0ef40028, ++ 0x000000bb, + 0x00000000, + 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gk208.fuc5.h +@@ -47,8 +47,8 @@ static uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x000005f3, +- 0x000005e5, ++ 0x000005ee, ++ 0x000005e0, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -69,8 +69,8 @@ static uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x000005f7, +- 0x000005f5, ++ 0x000005f2, ++ 0x000005f0, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -91,8 +91,8 @@ static uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x000009f8, +- 0x000008a2, ++ 0x000009f3, ++ 0x0000089d, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -113,8 +113,8 @@ static uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000a16, +- 0x000009fa, ++ 0x00000a11, ++ 0x000009f5, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -135,8 +135,8 @@ static uint32_t gk208_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000a21, +- 0x00000a1f, ++ 0x00000a1c, ++ 0x00000a1a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -234,22 +234,22 @@ static uint32_t gk208_pmu_data[] = { + /* 0x037c: memx_func_next */ + 0x00000002, + 0x00000000, +- 0x000004cf, ++ 0x000004cc, + 0x00000003, + 0x00000002, +- 0x00000546, ++ 0x00000541, + 0x00040004, + 0x00000000, +- 0x00000563, ++ 0x0000055e, + 0x00010005, + 0x00000000, +- 0x0000057d, ++ 0x00000578, + 0x00010006, + 0x00000000, +- 0x00000541, ++ 0x0000053c, + 0x00000007, + 0x00000000, +- 0x00000589, ++ 0x00000584, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 0x00000000, +@@ -1239,454 +1239,454 @@ static uint32_t gk208_pmu_code[] = { + 0x0001f604, + 0x00f804bd, + /* 0x045c: memx_func_enter */ +- 0x162067f1, +- 0xf55d77f1, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90487fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0x0700002d, +- 0x7e6eb2fe, ++ 0x47162046, ++ 0x6eb2f55d, ++ 0x0000047e, ++ 0x87fdd8b2, ++ 0xf960f904, ++ 0xfcd0fc80, ++ 0x002d7ee0, ++ 0xb2fe0700, ++ 0x00047e6e, ++ 0xfdd8b200, ++ 0x60f90487, ++ 0xd0fc80f9, ++ 0x2d7ee0fc, ++ 0xf0460000, ++ 0x7e6eb226, + 0xb2000004, + 0x0487fdd8, + 0x80f960f9, + 0xe0fcd0fc, + 0x00002d7e, +- 0x26f067f1, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90487fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0x0600002d, +- 0x07e04004, +- 0xbd0006f6, +-/* 0x04b9: memx_func_enter_wait */ +- 0x07c04604, +- 0xf00066cf, +- 0x0bf40464, +- 0xcf2c06f7, +- 0x06b50066, +-/* 0x04cf: memx_func_leave */ +- 0x0600f8f1, +- 0x0066cf2c, +- 0x06f206b5, +- 0x07e44004, +- 0xbd0006f6, +-/* 0x04e1: memx_func_leave_wait */ +- 0x07c04604, +- 0xf00066cf, +- 0x1bf40464, +- 0xf067f1f7, ++ 0xe0400406, ++ 0x0006f607, ++/* 0x04b6: memx_func_enter_wait */ ++ 0xc04604bd, ++ 0x0066cf07, ++ 0xf40464f0, ++ 0x2c06f70b, ++ 0xb50066cf, ++ 0x00f8f106, ++/* 0x04cc: memx_func_leave */ ++ 0x66cf2c06, ++ 0xf206b500, ++ 0xe4400406, ++ 0x0006f607, ++/* 0x04de: memx_func_leave_wait */ ++ 0xc04604bd, ++ 0x0066cf07, ++ 0xf40464f0, ++ 0xf046f71b, + 0xb2010726, + 0x00047e6e, + 0xfdd8b200, + 0x60f90587, + 0xd0fc80f9, + 0x2d7ee0fc, +- 0x67f10000, +- 0x6eb21620, +- 0x0000047e, +- 0x87fdd8b2, +- 0xf960f905, +- 0xfcd0fc80, +- 0x002d7ee0, +- 0x0aa24700, +- 0x047e6eb2, +- 0xd8b20000, +- 0xf90587fd, +- 0xfc80f960, +- 0x7ee0fcd0, +- 0xf800002d, +-/* 0x0541: memx_func_wait_vblank */ ++ 0x20460000, ++ 0x7e6eb216, ++ 0xb2000004, ++ 0x0587fdd8, ++ 0x80f960f9, ++ 0xe0fcd0fc, ++ 0x00002d7e, ++ 0xb20aa247, ++ 0x00047e6e, ++ 0xfdd8b200, ++ 0x60f90587, ++ 0xd0fc80f9, ++ 0x2d7ee0fc, ++ 0x00f80000, ++/* 0x053c: memx_func_wait_vblank */ ++ 0xf80410b6, ++/* 0x0541: memx_func_wr32 */ ++ 0x00169800, ++ 0xb6011598, ++ 0x60f90810, ++ 0xd0fc50f9, ++ 0x2d7ee0fc, ++ 0x42b60000, ++ 0xe81bf402, ++/* 0x055e: memx_func_wait */ ++ 0x2c0800f8, ++ 0x980088cf, ++ 0x1d98001e, ++ 0x021c9801, ++ 0xb6031b98, ++ 0x747e1010, ++ 0x00f80000, ++/* 0x0578: memx_func_delay */ ++ 0xb6001e98, ++ 0x587e0410, ++ 0x00f80000, ++/* 0x0584: memx_func_train */ ++/* 0x0586: memx_exec */ ++ 0xe0f900f8, ++ 0xc1b2d0f9, ++/* 0x058e: memx_exec_next */ ++ 0x1398b2b2, + 0x0410b600, +-/* 0x0546: memx_func_wr32 */ +- 0x169800f8, +- 0x01159800, +- 0xf90810b6, +- 0xfc50f960, ++ 0x01f034e7, ++ 0x01e033e7, ++ 0xf00132b6, ++ 0x35980c30, ++ 0xa655f9de, ++ 0xe51ef412, ++ 0x98f10b98, ++ 0xcbbbf20c, ++ 0x07c44b02, ++ 0xfc00bbcf, + 0x7ee0fcd0, +- 0xb600002d, +- 0x1bf40242, +-/* 0x0563: memx_func_wait */ +- 0x0800f8e8, +- 0x0088cf2c, +- 0x98001e98, +- 0x1c98011d, +- 0x031b9802, +- 0x7e1010b6, +- 0xf8000074, +-/* 0x057d: memx_func_delay */ +- 0x001e9800, +- 0x7e0410b6, +- 0xf8000058, +-/* 0x0589: memx_func_train */ +-/* 0x058b: memx_exec */ +- 0xf900f800, +- 0xb2d0f9e0, +-/* 0x0593: memx_exec_next */ +- 0x98b2b2c1, +- 0x10b60013, +- 0xf034e704, +- 0xe033e701, +- 0x0132b601, +- 0x980c30f0, +- 0x55f9de35, +- 0x1ef412a6, +- 0xf10b98e5, +- 0xbbf20c98, +- 0xc44b02cb, +- 0x00bbcf07, +- 0xe0fcd0fc, +- 0x00029f7e, +-/* 0x05ca: memx_info */ +- 0xc67000f8, +- 0x0c0bf401, +-/* 0x05d0: memx_info_data */ +- 0x4b03cc4c, +- 0x0ef40800, +-/* 0x05d9: memx_info_train */ +- 0x0bcc4c09, +-/* 0x05df: memx_info_send */ +- 0x7e01004b, + 0xf800029f, +-/* 0x05e5: memx_recv */ +- 0x01d6b000, +- 0xb0a30bf4, +- 0x0bf400d6, +-/* 0x05f3: memx_init */ +- 0xf800f8dc, +-/* 0x05f5: perf_recv */ +-/* 0x05f7: perf_init */ +- 0xf800f800, +-/* 0x05f9: i2c_drive_scl */ +- 0x0036b000, +- 0x400d0bf4, +- 0x01f607e0, +- 0xf804bd00, +-/* 0x0609: i2c_drive_scl_lo */ +- 0x07e44000, +- 0xbd0001f6, +-/* 0x0613: i2c_drive_sda */ +- 0xb000f804, +- 0x0bf40036, +- 0x07e0400d, +- 0xbd0002f6, +-/* 0x0623: i2c_drive_sda_lo */ +- 0x4000f804, +- 0x02f607e4, +- 0xf804bd00, +-/* 0x062d: i2c_sense_scl */ +- 0x0132f400, +- 0xcf07c443, +- 0x31fd0033, +- 0x060bf404, +-/* 0x063f: i2c_sense_scl_done */ +- 0xf80131f4, +-/* 0x0641: i2c_sense_sda */ +- 0x0132f400, +- 0xcf07c443, +- 0x32fd0033, +- 0x060bf404, +-/* 0x0653: i2c_sense_sda_done */ +- 0xf80131f4, +-/* 0x0655: i2c_raise_scl */ +- 0x4440f900, +- 0x01030898, +- 0x0005f97e, +-/* 0x0660: i2c_raise_scl_wait */ +- 0x7e03e84e, +- 0x7e000058, +- 0xf400062d, +- 0x42b60901, +- 0xef1bf401, +-/* 0x0674: i2c_raise_scl_done */ +- 0x00f840fc, +-/* 0x0678: i2c_start */ +- 0x00062d7e, +- 0x7e0d11f4, +- 0xf4000641, +- 0x0ef40611, +-/* 0x0689: i2c_start_rep */ +- 0x7e00032e, +- 0x030005f9, +- 0x06137e01, ++/* 0x05c5: memx_info */ ++ 0x01c67000, ++/* 0x05cb: memx_info_data */ ++ 0x4c0c0bf4, ++ 0x004b03cc, ++ 0x090ef408, ++/* 0x05d4: memx_info_train */ ++ 0x4b0bcc4c, ++/* 0x05da: memx_info_send */ ++ 0x9f7e0100, ++ 0x00f80002, ++/* 0x05e0: memx_recv */ ++ 0xf401d6b0, ++ 0xd6b0a30b, ++ 0xdc0bf400, ++/* 0x05ee: memx_init */ ++ 0x00f800f8, ++/* 0x05f0: perf_recv */ ++/* 0x05f2: perf_init */ ++ 0x00f800f8, ++/* 0x05f4: i2c_drive_scl */ ++ 0xf40036b0, ++ 0xe0400d0b, ++ 0x0001f607, ++ 0x00f804bd, ++/* 0x0604: i2c_drive_scl_lo */ ++ 0xf607e440, ++ 0x04bd0001, ++/* 0x060e: i2c_drive_sda */ ++ 0x36b000f8, ++ 0x0d0bf400, ++ 0xf607e040, ++ 0x04bd0002, ++/* 0x061e: i2c_drive_sda_lo */ ++ 0xe44000f8, ++ 0x0002f607, ++ 0x00f804bd, ++/* 0x0628: i2c_sense_scl */ ++ 0x430132f4, ++ 0x33cf07c4, ++ 0x0431fd00, ++ 0xf4060bf4, ++/* 0x063a: i2c_sense_scl_done */ ++ 0x00f80131, ++/* 0x063c: i2c_sense_sda */ ++ 0x430132f4, ++ 0x33cf07c4, ++ 0x0432fd00, ++ 0xf4060bf4, ++/* 0x064e: i2c_sense_sda_done */ ++ 0x00f80131, ++/* 0x0650: i2c_raise_scl */ ++ 0x984440f9, ++ 0x7e010308, ++/* 0x065b: i2c_raise_scl_wait */ ++ 0x4e0005f4, ++ 0x587e03e8, ++ 0x287e0000, ++ 0x01f40006, ++ 0x0142b609, ++/* 0x066f: i2c_raise_scl_done */ ++ 0xfcef1bf4, ++/* 0x0673: i2c_start */ ++ 0x7e00f840, ++ 0xf4000628, ++ 0x3c7e0d11, ++ 0x11f40006, ++ 0x2e0ef406, ++/* 0x0684: i2c_start_rep */ ++ 0xf47e0003, ++ 0x01030005, ++ 0x00060e7e, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x06507e50, ++ 0x0464b600, ++/* 0x06af: i2c_start_send */ ++ 0x031d11f4, ++ 0x060e7e00, ++ 0x13884e00, ++ 0x0000587e, ++ 0xf47e0003, ++ 0x884e0005, ++ 0x00587e13, ++/* 0x06c9: i2c_start_out */ ++/* 0x06cb: i2c_stop */ ++ 0x0300f800, ++ 0x05f47e00, ++ 0x7e000300, ++ 0x4e00060e, ++ 0x587e03e8, ++ 0x01030000, ++ 0x0005f47e, ++ 0x7e13884e, ++ 0x03000058, ++ 0x060e7e01, ++ 0x13884e00, ++ 0x0000587e, ++/* 0x06fa: i2c_bitw */ ++ 0x0e7e00f8, ++ 0xe84e0006, ++ 0x00587e03, + 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0x557e50fc, ++ 0x507e50fc, + 0x64b60006, +- 0x1d11f404, +-/* 0x06b4: i2c_start_send */ +- 0x137e0003, +- 0x884e0006, +- 0x00587e13, +- 0x7e000300, +- 0x4e0005f9, +- 0x587e1388, +-/* 0x06ce: i2c_start_out */ +- 0x00f80000, +-/* 0x06d0: i2c_stop */ +- 0xf97e0003, +- 0x00030005, +- 0x0006137e, +- 0x7e03e84e, ++ 0x1711f404, ++ 0x7e13884e, + 0x03000058, +- 0x05f97e01, ++ 0x05f47e00, + 0x13884e00, + 0x0000587e, +- 0x137e0103, +- 0x884e0006, +- 0x00587e13, +-/* 0x06ff: i2c_bitw */ +- 0x7e00f800, +- 0x4e000613, +- 0x587e03e8, +- 0x76bb0000, ++/* 0x0738: i2c_bitw_out */ ++/* 0x073a: i2c_bitr */ ++ 0x010300f8, ++ 0x00060e7e, ++ 0x7e03e84e, ++ 0xbb000058, ++ 0x65b60076, ++ 0x9450f904, ++ 0x56bb0465, ++ 0xfd50bd02, ++ 0x50fc0475, ++ 0x0006507e, ++ 0xf40464b6, ++ 0x3c7e1a11, ++ 0x00030006, ++ 0x0005f47e, ++ 0x7e13884e, ++ 0xf0000058, ++ 0x31f4013c, ++/* 0x077d: i2c_bitr_done */ ++/* 0x077f: i2c_get_byte */ ++ 0x0500f801, ++/* 0x0783: i2c_get_byte_next */ ++ 0xb6080400, ++ 0x76bb0154, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0x7e50fc04, +- 0xb6000655, ++ 0xb600073a, + 0x11f40464, +- 0x13884e17, +- 0x0000587e, +- 0xf97e0003, +- 0x884e0005, +- 0x00587e13, +-/* 0x073d: i2c_bitw_out */ +-/* 0x073f: i2c_bitr */ +- 0x0300f800, +- 0x06137e01, +- 0x03e84e00, +- 0x0000587e, ++ 0x0553fd2a, ++ 0xf40142b6, ++ 0x0103d81b, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0x06557e50, ++ 0x06fa7e50, + 0x0464b600, +- 0x7e1a11f4, +- 0x03000641, +- 0x05f97e00, +- 0x13884e00, +- 0x0000587e, +- 0xf4013cf0, +-/* 0x0782: i2c_bitr_done */ +- 0x00f80131, +-/* 0x0784: i2c_get_byte */ +- 0x08040005, +-/* 0x0788: i2c_get_byte_next */ +- 0xbb0154b6, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x00073f7e, +- 0xf40464b6, +- 0x53fd2a11, +- 0x0142b605, +- 0x03d81bf4, +- 0x0076bb01, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0xff7e50fc, +- 0x64b60006, +-/* 0x07d1: i2c_get_byte_done */ +-/* 0x07d3: i2c_put_byte */ +- 0x0400f804, +-/* 0x07d5: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, ++/* 0x07cc: i2c_get_byte_done */ ++/* 0x07ce: i2c_put_byte */ ++ 0x080400f8, ++/* 0x07d0: i2c_put_byte_next */ ++ 0xff0142b6, ++ 0x76bb3854, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb60006fa, ++ 0x11f40464, ++ 0x0046b034, ++ 0xbbd81bf4, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0006ff7e, ++ 0x00073a7e, + 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, ++ 0x76bb0f11, ++ 0x0136b000, ++ 0xf4061bf4, ++/* 0x0826: i2c_put_byte_done */ ++ 0x00f80132, ++/* 0x0828: i2c_addr */ + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0x073f7e50, ++ 0x06737e50, + 0x0464b600, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x082b: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x082d: i2c_addr */ +- 0x0076bb00, ++ 0xe72911f4, ++ 0xb6012ec3, ++ 0x53fd0134, ++ 0x0076bb05, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0x787e50fc, +- 0x64b60006, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, +- 0x0465b600, +- 0x659450f9, +- 0x0256bb04, +- 0x75fd50bd, +- 0x7e50fc04, +- 0xb60007d3, +-/* 0x0872: i2c_addr_done */ +- 0x00f80464, +-/* 0x0874: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b705e4, +- 0x00f8d014, +-/* 0x0880: i2c_acquire */ +- 0x0008747e, ++ 0xce7e50fc, ++ 0x64b60007, ++/* 0x086d: i2c_addr_done */ ++/* 0x086f: i2c_acquire_addr */ ++ 0xc700f804, ++ 0xe4b6f8ce, ++ 0x14e0b705, ++/* 0x087b: i2c_acquire */ ++ 0x7e00f8d0, ++ 0x7e00086f, ++ 0xf0000004, ++ 0x2d7e03d9, ++ 0x00f80000, ++/* 0x088c: i2c_release */ ++ 0x00086f7e, + 0x0000047e, +- 0x7e03d9f0, ++ 0x7e03daf0, + 0xf800002d, +-/* 0x0891: i2c_release */ +- 0x08747e00, +- 0x00047e00, +- 0x03daf000, +- 0x00002d7e, +-/* 0x08a2: i2c_recv */ +- 0x32f400f8, +- 0xf8c1c701, +- 0xb00214b6, +- 0x1ff52816, +- 0x13b80134, +- 0x98000cf4, +- 0x13b80032, +- 0x98000ccc, +- 0x31f40031, +- 0xf9d0f902, +- 0xd6d0f9e0, +- 0x10000000, +- 0xbb016792, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x0008807e, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b01bf5, +- 0x76bb0005, ++/* 0x089d: i2c_recv */ ++ 0x0132f400, ++ 0xb6f8c1c7, ++ 0x16b00214, ++ 0x341ff528, ++ 0xf413b801, ++ 0x3298000c, ++ 0xcc13b800, ++ 0x3198000c, ++ 0x0231f400, ++ 0xe0f9d0f9, ++ 0x00d6d0f9, ++ 0x92100000, ++ 0x76bb0167, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0x7e50fc04, +- 0xb600082d, +- 0x11f50464, +- 0xc5c700cc, +- 0x0076bbe0, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0xd37e50fc, +- 0x64b60007, +- 0xa911f504, +- 0xbb010500, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x00082d7e, +- 0xf50464b6, +- 0xbb008711, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x0007847e, +- 0xf40464b6, +- 0x5bcb6711, +- 0x0076bbe0, ++ 0xb600087b, ++ 0xd0fc0464, ++ 0xf500d6b0, ++ 0x0500b01b, ++ 0x0076bb00, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, +- 0xd07e50fc, +- 0x64b60006, +- 0xbd5bb204, +- 0x410ef474, +-/* 0x09a4: i2c_recv_not_rd08 */ +- 0xf401d6b0, +- 0x00053b1b, +- 0x00082d7e, +- 0xc73211f4, +- 0xd37ee0c5, +- 0x11f40007, +- 0x7e000528, +- 0xf400082d, +- 0xb5c71f11, +- 0x07d37ee0, +- 0x1511f400, +- 0x0006d07e, +- 0xc5c774bd, +- 0x091bf408, +- 0xf40232f4, +-/* 0x09e2: i2c_recv_not_wr08 */ +-/* 0x09e2: i2c_recv_done */ +- 0xcec7030e, +- 0x08917ef8, +- 0xfce0fc00, +- 0x0912f4d0, +- 0x9f7e7cb2, +-/* 0x09f6: i2c_recv_exit */ +- 0x00f80002, +-/* 0x09f8: i2c_init */ +-/* 0x09fa: test_recv */ +- 0x584100f8, +- 0x0011cf04, +- 0x400110b6, +- 0x01f60458, +- 0xde04bd00, +- 0x134fd900, +- 0x0001de7e, +-/* 0x0a16: test_init */ +- 0x004e00f8, +- 0x01de7e08, +-/* 0x0a1f: idle_recv */ ++ 0x287e50fc, ++ 0x64b60008, ++ 0xcc11f504, ++ 0xe0c5c700, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x07ce7e50, ++ 0x0464b600, ++ 0x00a911f5, ++ 0x76bb0105, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb6000828, ++ 0x11f50464, ++ 0x76bb0087, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0x7e50fc04, ++ 0xb600077f, ++ 0x11f40464, ++ 0xe05bcb67, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x06cb7e50, ++ 0x0464b600, ++ 0x74bd5bb2, ++/* 0x099f: i2c_recv_not_rd08 */ ++ 0xb0410ef4, ++ 0x1bf401d6, ++ 0x7e00053b, ++ 0xf4000828, ++ 0xc5c73211, ++ 0x07ce7ee0, ++ 0x2811f400, ++ 0x287e0005, ++ 0x11f40008, ++ 0xe0b5c71f, ++ 0x0007ce7e, ++ 0x7e1511f4, ++ 0xbd0006cb, ++ 0x08c5c774, ++ 0xf4091bf4, ++ 0x0ef40232, ++/* 0x09dd: i2c_recv_not_wr08 */ ++/* 0x09dd: i2c_recv_done */ ++ 0xf8cec703, ++ 0x00088c7e, ++ 0xd0fce0fc, ++ 0xb20912f4, ++ 0x029f7e7c, ++/* 0x09f1: i2c_recv_exit */ ++/* 0x09f3: i2c_init */ + 0xf800f800, +-/* 0x0a21: idle */ +- 0x0031f400, +- 0xcf045441, +- 0x10b60011, +- 0x04544001, +- 0xbd0001f6, +-/* 0x0a35: idle_loop */ +- 0xf4580104, +-/* 0x0a3a: idle_proc */ +-/* 0x0a3a: idle_proc_exec */ +- 0x10f90232, +- 0xa87e1eb2, +- 0x10fc0002, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0a4d: idle_proc_next */ +- 0x5810b6f0, +- 0x1bf41fa6, +- 0xe002f4e8, +- 0xf40028f4, +- 0x0000c60e, ++/* 0x09f5: test_recv */ ++ 0x04584100, ++ 0xb60011cf, ++ 0x58400110, ++ 0x0001f604, ++ 0x00de04bd, ++ 0x7e134fd9, ++ 0xf80001de, ++/* 0x0a11: test_init */ ++ 0x08004e00, ++ 0x0001de7e, ++/* 0x0a1a: idle_recv */ ++ 0x00f800f8, ++/* 0x0a1c: idle */ ++ 0x410031f4, ++ 0x11cf0454, ++ 0x0110b600, ++ 0xf6045440, ++ 0x04bd0001, ++/* 0x0a30: idle_loop */ ++ 0x32f45801, ++/* 0x0a35: idle_proc */ ++/* 0x0a35: idle_proc_exec */ ++ 0xb210f902, ++ 0x02a87e1e, ++ 0xf410fc00, ++ 0x31f40911, ++ 0xf00ef402, ++/* 0x0a48: idle_proc_next */ ++ 0xa65810b6, ++ 0xe81bf41f, ++ 0xf4e002f4, ++ 0x0ef40028, ++ 0x000000c6, ++ 0x00000000, + 0x00000000, + 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/gt215.fuc3.h +@@ -47,8 +47,8 @@ static uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x584d454d, +- 0x0000083a, +- 0x0000082c, ++ 0x00000833, ++ 0x00000825, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -69,8 +69,8 @@ static uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x46524550, +- 0x0000083e, +- 0x0000083c, ++ 0x00000837, ++ 0x00000835, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -91,8 +91,8 @@ static uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x5f433249, +- 0x00000c6e, +- 0x00000b11, ++ 0x00000c67, ++ 0x00000b0a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -113,8 +113,8 @@ static uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x54534554, +- 0x00000c97, +- 0x00000c70, ++ 0x00000c90, ++ 0x00000c69, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -135,8 +135,8 @@ static uint32_t gt215_pmu_data[] = { + 0x00000000, + 0x00000000, + 0x454c4449, +- 0x00000ca3, +- 0x00000ca1, ++ 0x00000c9c, ++ 0x00000c9a, + 0x00000000, + 0x00000000, + 0x00000000, +@@ -234,22 +234,22 @@ static uint32_t gt215_pmu_data[] = { + /* 0x037c: memx_func_next */ + 0x00000002, + 0x00000000, +- 0x000005a0, ++ 0x0000059f, + 0x00000003, + 0x00000002, +- 0x00000632, ++ 0x0000062f, + 0x00040004, + 0x00000000, +- 0x0000064e, ++ 0x0000064b, + 0x00010005, + 0x00000000, +- 0x0000066b, ++ 0x00000668, + 0x00010006, + 0x00000000, +- 0x000005f0, ++ 0x000005ef, + 0x00000007, + 0x00000000, +- 0x00000676, ++ 0x00000673, + /* 0x03c4: memx_func_tail */ + /* 0x03c4: memx_ts_start */ + 0x00000000, +@@ -1305,560 +1305,560 @@ static uint32_t gt215_pmu_code[] = { + 0x67f102d7, + 0x63f1fffc, + 0x76fdffff, +- 0x0267f104, +- 0x0576fd00, +- 0x70f980f9, +- 0xe0fcd0fc, +- 0xf04021f4, ++ 0x0267f004, ++ 0xf90576fd, ++ 0xfc70f980, ++ 0xf4e0fcd0, ++ 0x67f04021, ++ 0xe007f104, ++ 0x0604b607, ++ 0xbd0006d0, ++/* 0x0581: memx_func_enter_wait */ ++ 0xc067f104, ++ 0x0664b607, ++ 0xf00066cf, ++ 0x0bf40464, ++ 0x2c67f0f3, ++ 0xcf0664b6, ++ 0x06800066, ++/* 0x059f: memx_func_leave */ ++ 0xf000f8f1, ++ 0x64b62c67, ++ 0x0066cf06, ++ 0xf0f20680, + 0x07f10467, +- 0x04b607e0, ++ 0x04b607e4, + 0x0006d006, +-/* 0x0582: memx_func_enter_wait */ ++/* 0x05ba: memx_func_leave_wait */ + 0x67f104bd, + 0x64b607c0, + 0x0066cf06, + 0xf40464f0, +- 0x67f0f30b, +- 0x0664b62c, +- 0x800066cf, +- 0x00f8f106, +-/* 0x05a0: memx_func_leave */ +- 0xb62c67f0, +- 0x66cf0664, +- 0xf2068000, +- 0xf10467f0, +- 0xb607e407, +- 0x06d00604, +-/* 0x05bb: memx_func_leave_wait */ +- 0xf104bd00, +- 0xb607c067, +- 0x66cf0664, +- 0x0464f000, +- 0xf1f31bf4, +- 0xb9161087, +- 0x21f4028e, +- 0x02d7b904, +- 0xffcc67f1, +- 0xffff63f1, +- 0xf90476fd, +- 0xfc70f980, +- 0xf4e0fcd0, +- 0x00f84021, +-/* 0x05f0: memx_func_wait_vblank */ +- 0xb0001698, +- 0x0bf40066, +- 0x0166b013, +- 0xf4060bf4, +-/* 0x0602: memx_func_wait_vblank_head1 */ +- 0x77f12e0e, +- 0x0ef40020, +-/* 0x0609: memx_func_wait_vblank_head0 */ +- 0x0877f107, +-/* 0x060d: memx_func_wait_vblank_0 */ +- 0xc467f100, +- 0x0664b607, +- 0xfd0066cf, +- 0x1bf40467, +-/* 0x061d: memx_func_wait_vblank_1 */ +- 0xc467f1f3, +- 0x0664b607, +- 0xfd0066cf, +- 0x0bf40467, +-/* 0x062d: memx_func_wait_vblank_fini */ +- 0x0410b6f3, +-/* 0x0632: memx_func_wr32 */ +- 0x169800f8, +- 0x01159800, +- 0xf90810b6, +- 0xfc50f960, +- 0xf4e0fcd0, +- 0x42b64021, +- 0xe91bf402, +-/* 0x064e: memx_func_wait */ +- 0x87f000f8, +- 0x0684b62c, +- 0x980088cf, +- 0x1d98001e, +- 0x021c9801, +- 0xb6031b98, +- 0x21f41010, +-/* 0x066b: memx_func_delay */ +- 0x9800f8a3, +- 0x10b6001e, +- 0x7e21f404, +-/* 0x0676: memx_func_train */ +- 0x57f100f8, +- 0x77f10003, +- 0x97f10000, +- 0x93f00000, +- 0x029eb970, +- 0xb90421f4, +- 0xe7f102d8, +- 0x21f42710, +-/* 0x0695: memx_func_train_loop_outer */ +- 0x0158e07e, +- 0x0083f101, +- 0xe097f102, +- 0x1193f011, +- 0x80f990f9, ++ 0x87f1f31b, ++ 0x8eb91610, ++ 0x0421f402, ++ 0xf102d7b9, ++ 0xf1ffcc67, ++ 0xfdffff63, ++ 0x80f90476, ++ 0xd0fc70f9, ++ 0x21f4e0fc, ++/* 0x05ef: memx_func_wait_vblank */ ++ 0x9800f840, ++ 0x66b00016, ++ 0x120bf400, ++ 0xf40166b0, ++ 0x0ef4060b, ++/* 0x0601: memx_func_wait_vblank_head1 */ ++ 0x2077f02c, ++/* 0x0607: memx_func_wait_vblank_head0 */ ++ 0xf0060ef4, ++/* 0x060a: memx_func_wait_vblank_0 */ ++ 0x67f10877, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x061a: memx_func_wait_vblank_1 */ ++ 0x67f1f31b, ++ 0x64b607c4, ++ 0x0066cf06, ++ 0xf40467fd, ++/* 0x062a: memx_func_wait_vblank_fini */ ++ 0x10b6f30b, ++/* 0x062f: memx_func_wr32 */ ++ 0x9800f804, ++ 0x15980016, ++ 0x0810b601, ++ 0x50f960f9, + 0xe0fcd0fc, +- 0xf94021f4, +- 0x0067f150, +-/* 0x06b5: memx_func_train_loop_inner */ +- 0x1187f100, +- 0x9068ff11, +- 0xfd109894, +- 0x97f10589, +- 0x93f00720, +- 0xf990f910, +- 0xfcd0fc80, +- 0x4021f4e0, +- 0x008097f1, +- 0xb91093f0, +- 0x21f4029e, +- 0x02d8b904, +- 0xf92088c5, ++ 0xb64021f4, ++ 0x1bf40242, ++/* 0x064b: memx_func_wait */ ++ 0xf000f8e9, ++ 0x84b62c87, ++ 0x0088cf06, ++ 0x98001e98, ++ 0x1c98011d, ++ 0x031b9802, ++ 0xf41010b6, ++ 0x00f8a321, ++/* 0x0668: memx_func_delay */ ++ 0xb6001e98, ++ 0x21f40410, ++/* 0x0673: memx_func_train */ ++ 0xf000f87e, ++ 0x77f00357, ++ 0x0097f100, ++ 0x7093f000, ++ 0xf4029eb9, ++ 0xd8b90421, ++ 0x10e7f102, ++ 0x7e21f427, ++/* 0x0690: memx_func_train_loop_outer */ ++ 0x010158e0, ++ 0x020083f1, ++ 0x11e097f1, ++ 0xf91193f0, ++ 0xfc80f990, ++ 0xf4e0fcd0, ++ 0x50f94021, ++/* 0x06af: memx_func_train_loop_inner */ ++ 0xf10067f0, ++ 0xff111187, ++ 0x98949068, ++ 0x0589fd10, ++ 0x072097f1, ++ 0xf91093f0, + 0xfc80f990, + 0xf4e0fcd0, + 0x97f14021, +- 0x93f0053c, +- 0x0287f110, +- 0x0083f130, +- 0xf990f980, ++ 0x93f00080, ++ 0x029eb910, ++ 0xb90421f4, ++ 0x88c502d8, ++ 0xf990f920, + 0xfcd0fc80, + 0x4021f4e0, +- 0x0560e7f1, +- 0xf110e3f0, +- 0xf10000d7, +- 0x908000d3, +- 0xb7f100dc, +- 0xb3f08480, +- 0xa321f41e, +- 0x000057f1, +- 0xffff97f1, +- 0x830093f1, +-/* 0x0734: memx_func_train_loop_4x */ +- 0x0080a7f1, +- 0xb910a3f0, +- 0x21f402ae, +- 0x02d8b904, +- 0xffdfb7f1, +- 0xffffb3f1, +- 0xf9048bfd, +- 0xfc80f9a0, ++ 0x053c97f1, ++ 0xf11093f0, ++ 0xf1300287, ++ 0xf9800083, ++ 0xfc80f990, + 0xf4e0fcd0, +- 0xa7f14021, +- 0xa3f0053c, +- 0x0287f110, +- 0x0083f130, +- 0xf9a0f980, +- 0xfcd0fc80, +- 0x4021f4e0, +- 0x0560e7f1, +- 0xf110e3f0, +- 0xf10000d7, +- 0xb98000d3, +- 0xb7f102dc, +- 0xb3f02710, +- 0xa321f400, +- 0xf402eeb9, +- 0xddb90421, +- 0x949dff02, ++ 0xe7f14021, ++ 0xe3f00560, ++ 0x00d7f110, ++ 0x00d3f100, ++ 0x00dc9080, ++ 0x8480b7f1, ++ 0xf41eb3f0, ++ 0x57f0a321, ++ 0xff97f100, ++ 0x0093f1ff, ++/* 0x072d: memx_func_train_loop_4x */ ++ 0x80a7f183, ++ 0x10a3f000, ++ 0xf402aeb9, ++ 0xd8b90421, ++ 0xdfb7f102, ++ 0xffb3f1ff, ++ 0x048bfdff, ++ 0x80f9a0f9, ++ 0xe0fcd0fc, ++ 0xf14021f4, ++ 0xf0053ca7, ++ 0x87f110a3, ++ 0x83f13002, ++ 0xa0f98000, ++ 0xd0fc80f9, ++ 0x21f4e0fc, ++ 0x60e7f140, ++ 0x10e3f005, ++ 0x0000d7f1, ++ 0x8000d3f1, ++ 0xf102dcb9, ++ 0xf02710b7, ++ 0x21f400b3, ++ 0x02eeb9a3, ++ 0xb90421f4, ++ 0x9dff02dd, ++ 0x0150b694, ++ 0xf4045670, ++ 0x7aa0921e, ++ 0xa9800bcc, ++ 0x0160b600, ++ 0x700470b6, ++ 0x1ef51066, ++ 0x50fcff01, + 0x700150b6, +- 0x1ef40456, +- 0xcc7aa092, +- 0x00a9800b, +- 0xb60160b6, +- 0x66700470, +- 0x001ef510, +- 0xb650fcff, +- 0x56700150, +- 0xd41ef507, +-/* 0x07c7: memx_exec */ +- 0xf900f8fe, +- 0xb9d0f9e0, +- 0xb2b902c1, +-/* 0x07d1: memx_exec_next */ +- 0x00139802, +- 0xe70410b6, +- 0xe701f034, +- 0xb601e033, +- 0x30f00132, +- 0xde35980c, +- 0x12b855f9, +- 0xe41ef406, +- 0x98f10b98, +- 0xcbbbf20c, +- 0xc4b7f102, +- 0x06b4b607, +- 0xfc00bbcf, +- 0xf5e0fcd0, ++ 0x1ef50756, ++ 0x00f8fed6, ++/* 0x07c0: memx_exec */ ++ 0xd0f9e0f9, ++ 0xb902c1b9, ++/* 0x07ca: memx_exec_next */ ++ 0x139802b2, ++ 0x0410b600, ++ 0x01f034e7, ++ 0x01e033e7, ++ 0xf00132b6, ++ 0x35980c30, ++ 0xb855f9de, ++ 0x1ef40612, ++ 0xf10b98e4, ++ 0xbbf20c98, ++ 0xb7f102cb, ++ 0xb4b607c4, ++ 0x00bbcf06, ++ 0xe0fcd0fc, ++ 0x033621f5, ++/* 0x0806: memx_info */ ++ 0xc67000f8, ++ 0x0e0bf401, ++/* 0x080c: memx_info_data */ ++ 0x03ccc7f1, ++ 0x0800b7f1, ++/* 0x0817: memx_info_train */ ++ 0xf10b0ef4, ++ 0xf10bccc7, ++/* 0x081f: memx_info_send */ ++ 0xf50100b7, + 0xf8033621, +-/* 0x080d: memx_info */ +- 0x01c67000, +-/* 0x0813: memx_info_data */ +- 0xf10e0bf4, +- 0xf103ccc7, +- 0xf40800b7, +-/* 0x081e: memx_info_train */ +- 0xc7f10b0e, +- 0xb7f10bcc, +-/* 0x0826: memx_info_send */ +- 0x21f50100, +- 0x00f80336, +-/* 0x082c: memx_recv */ +- 0xf401d6b0, +- 0xd6b0980b, +- 0xd80bf400, +-/* 0x083a: memx_init */ +- 0x00f800f8, +-/* 0x083c: perf_recv */ +-/* 0x083e: perf_init */ +- 0x00f800f8, +-/* 0x0840: i2c_drive_scl */ +- 0xf40036b0, +- 0x07f1110b, +- 0x04b607e0, +- 0x0001d006, +- 0x00f804bd, +-/* 0x0854: i2c_drive_scl_lo */ +- 0x07e407f1, +- 0xd00604b6, +- 0x04bd0001, +-/* 0x0862: i2c_drive_sda */ +- 0x36b000f8, +- 0x110bf400, +- 0x07e007f1, +- 0xd00604b6, +- 0x04bd0002, +-/* 0x0876: i2c_drive_sda_lo */ +- 0x07f100f8, +- 0x04b607e4, +- 0x0002d006, +- 0x00f804bd, +-/* 0x0884: i2c_sense_scl */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0431fd00, +- 0xf4060bf4, +-/* 0x089a: i2c_sense_scl_done */ +- 0x00f80131, +-/* 0x089c: i2c_sense_sda */ +- 0xf10132f4, +- 0xb607c437, +- 0x33cf0634, +- 0x0432fd00, +- 0xf4060bf4, +-/* 0x08b2: i2c_sense_sda_done */ +- 0x00f80131, +-/* 0x08b4: i2c_raise_scl */ +- 0x47f140f9, +- 0x37f00898, +- 0x4021f501, +-/* 0x08c1: i2c_raise_scl_wait */ ++/* 0x0825: memx_recv */ ++ 0x01d6b000, ++ 0xb0980bf4, ++ 0x0bf400d6, ++/* 0x0833: memx_init */ ++ 0xf800f8d8, ++/* 0x0835: perf_recv */ ++/* 0x0837: perf_init */ ++ 0xf800f800, ++/* 0x0839: i2c_drive_scl */ ++ 0x0036b000, ++ 0xf1110bf4, ++ 0xb607e007, ++ 0x01d00604, ++ 0xf804bd00, ++/* 0x084d: i2c_drive_scl_lo */ ++ 0xe407f100, ++ 0x0604b607, ++ 0xbd0001d0, ++/* 0x085b: i2c_drive_sda */ ++ 0xb000f804, ++ 0x0bf40036, ++ 0xe007f111, ++ 0x0604b607, ++ 0xbd0002d0, ++/* 0x086f: i2c_drive_sda_lo */ ++ 0xf100f804, ++ 0xb607e407, ++ 0x02d00604, ++ 0xf804bd00, ++/* 0x087d: i2c_sense_scl */ ++ 0x0132f400, ++ 0x07c437f1, ++ 0xcf0634b6, ++ 0x31fd0033, ++ 0x060bf404, ++/* 0x0893: i2c_sense_scl_done */ ++ 0xf80131f4, ++/* 0x0895: i2c_sense_sda */ ++ 0x0132f400, ++ 0x07c437f1, ++ 0xcf0634b6, ++ 0x32fd0033, ++ 0x060bf404, ++/* 0x08ab: i2c_sense_sda_done */ ++ 0xf80131f4, ++/* 0x08ad: i2c_raise_scl */ ++ 0xf140f900, ++ 0xf0089847, ++ 0x21f50137, ++/* 0x08ba: i2c_raise_scl_wait */ ++ 0xe7f10839, ++ 0x21f403e8, ++ 0x7d21f57e, ++ 0x0901f408, ++ 0xf40142b6, ++/* 0x08ce: i2c_raise_scl_done */ ++ 0x40fcef1b, ++/* 0x08d2: i2c_start */ ++ 0x21f500f8, ++ 0x11f4087d, ++ 0x9521f50d, ++ 0x0611f408, ++/* 0x08e3: i2c_start_rep */ ++ 0xf0300ef4, ++ 0x21f50037, ++ 0x37f00839, ++ 0x5b21f501, ++ 0x0076bb08, ++ 0xf90465b6, ++ 0x04659450, ++ 0xbd0256bb, ++ 0x0475fd50, ++ 0x21f550fc, ++ 0x64b608ad, ++ 0x1f11f404, ++/* 0x0910: i2c_start_send */ ++ 0xf50037f0, ++ 0xf1085b21, ++ 0xf41388e7, ++ 0x37f07e21, ++ 0x3921f500, ++ 0x88e7f108, ++ 0x7e21f413, ++/* 0x092c: i2c_start_out */ ++/* 0x092e: i2c_stop */ ++ 0x37f000f8, ++ 0x3921f500, ++ 0x0037f008, ++ 0x085b21f5, ++ 0x03e8e7f1, ++ 0xf07e21f4, ++ 0x21f50137, ++ 0xe7f10839, ++ 0x21f41388, ++ 0x0137f07e, ++ 0x085b21f5, ++ 0x1388e7f1, ++ 0xf87e21f4, ++/* 0x0961: i2c_bitw */ ++ 0x5b21f500, + 0xe8e7f108, + 0x7e21f403, +- 0x088421f5, +- 0xb60901f4, +- 0x1bf40142, +-/* 0x08d5: i2c_raise_scl_done */ +- 0xf840fcef, +-/* 0x08d9: i2c_start */ +- 0x8421f500, +- 0x0d11f408, +- 0x089c21f5, +- 0xf40611f4, +-/* 0x08ea: i2c_start_rep */ +- 0x37f0300e, +- 0x4021f500, +- 0x0137f008, +- 0x086221f5, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0xb421f550, ++ 0xad21f550, + 0x0464b608, +-/* 0x0917: i2c_start_send */ +- 0xf01f11f4, +- 0x21f50037, +- 0xe7f10862, +- 0x21f41388, +- 0x0037f07e, +- 0x084021f5, +- 0x1388e7f1, +-/* 0x0933: i2c_start_out */ +- 0xf87e21f4, +-/* 0x0935: i2c_stop */ +- 0x0037f000, +- 0x084021f5, +- 0xf50037f0, +- 0xf1086221, +- 0xf403e8e7, ++ 0xf11811f4, ++ 0xf41388e7, + 0x37f07e21, +- 0x4021f501, ++ 0x3921f500, + 0x88e7f108, + 0x7e21f413, +- 0xf50137f0, +- 0xf1086221, +- 0xf41388e7, +- 0x00f87e21, +-/* 0x0968: i2c_bitw */ +- 0x086221f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x08b421f5, +- 0xf40464b6, +- 0xe7f11811, ++/* 0x09a0: i2c_bitw_out */ ++/* 0x09a2: i2c_bitr */ ++ 0x37f000f8, ++ 0x5b21f501, ++ 0xe8e7f108, ++ 0x7e21f403, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0xad21f550, ++ 0x0464b608, ++ 0xf51b11f4, ++ 0xf0089521, ++ 0x21f50037, ++ 0xe7f10839, + 0x21f41388, +- 0x0037f07e, +- 0x084021f5, +- 0x1388e7f1, +-/* 0x09a7: i2c_bitw_out */ +- 0xf87e21f4, +-/* 0x09a9: i2c_bitr */ +- 0x0137f000, +- 0x086221f5, +- 0x03e8e7f1, +- 0xbb7e21f4, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x08b421f5, +- 0xf40464b6, +- 0x21f51b11, +- 0x37f0089c, +- 0x4021f500, +- 0x88e7f108, +- 0x7e21f413, +- 0xf4013cf0, +-/* 0x09ee: i2c_bitr_done */ +- 0x00f80131, +-/* 0x09f0: i2c_get_byte */ +- 0xf00057f0, +-/* 0x09f6: i2c_get_byte_next */ +- 0x54b60847, ++ 0x013cf07e, ++/* 0x09e7: i2c_bitr_done */ ++ 0xf80131f4, ++/* 0x09e9: i2c_get_byte */ ++ 0x0057f000, ++/* 0x09ef: i2c_get_byte_next */ ++ 0xb60847f0, ++ 0x76bb0154, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb609a221, ++ 0x11f40464, ++ 0x0553fd2b, ++ 0xf40142b6, ++ 0x37f0d81b, + 0x0076bb01, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b609a9, +- 0x2b11f404, +- 0xb60553fd, +- 0x1bf40142, +- 0x0137f0d8, +- 0xb60076bb, +- 0x50f90465, +- 0xbb046594, +- 0x50bd0256, +- 0xfc0475fd, +- 0x6821f550, +- 0x0464b609, +-/* 0x0a40: i2c_get_byte_done */ +-/* 0x0a42: i2c_put_byte */ +- 0x47f000f8, +-/* 0x0a45: i2c_put_byte_next */ +- 0x0142b608, +- 0xbb3854ff, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x096821f5, +- 0xf40464b6, +- 0x46b03411, +- 0xd81bf400, ++ 0x64b60961, ++/* 0x0a39: i2c_get_byte_done */ ++/* 0x0a3b: i2c_put_byte */ ++ 0xf000f804, ++/* 0x0a3e: i2c_put_byte_next */ ++ 0x42b60847, ++ 0x3854ff01, + 0xb60076bb, + 0x50f90465, + 0xbb046594, + 0x50bd0256, + 0xfc0475fd, +- 0xa921f550, ++ 0x6121f550, + 0x0464b609, +- 0xbb0f11f4, +- 0x36b00076, +- 0x061bf401, +-/* 0x0a9b: i2c_put_byte_done */ +- 0xf80132f4, +-/* 0x0a9d: i2c_addr */ +- 0x0076bb00, ++ 0xb03411f4, ++ 0x1bf40046, ++ 0x0076bbd8, + 0xf90465b6, + 0x04659450, + 0xbd0256bb, + 0x0475fd50, + 0x21f550fc, +- 0x64b608d9, +- 0x2911f404, +- 0x012ec3e7, +- 0xfd0134b6, +- 0x76bb0553, ++ 0x64b609a2, ++ 0x0f11f404, ++ 0xb00076bb, ++ 0x1bf40136, ++ 0x0132f406, ++/* 0x0a94: i2c_put_byte_done */ ++/* 0x0a96: i2c_addr */ ++ 0x76bb00f8, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb60a4221, +-/* 0x0ae2: i2c_addr_done */ +- 0x00f80464, +-/* 0x0ae4: i2c_acquire_addr */ +- 0xb6f8cec7, +- 0xe0b702e4, +- 0xee980d1c, +-/* 0x0af3: i2c_acquire */ +- 0xf500f800, +- 0xf40ae421, +- 0xd9f00421, +- 0x4021f403, +-/* 0x0b02: i2c_release */ +- 0x21f500f8, +- 0x21f40ae4, +- 0x03daf004, +- 0xf84021f4, +-/* 0x0b11: i2c_recv */ +- 0x0132f400, +- 0xb6f8c1c7, +- 0x16b00214, +- 0x3a1ff528, +- 0xf413a001, +- 0x0032980c, +- 0x0ccc13a0, +- 0xf4003198, +- 0xd0f90231, +- 0xd0f9e0f9, +- 0x000067f1, +- 0x100063f1, +- 0xbb016792, ++ 0xb608d221, ++ 0x11f40464, ++ 0x2ec3e729, ++ 0x0134b601, ++ 0xbb0553fd, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0af321f5, +- 0xfc0464b6, +- 0x00d6b0d0, +- 0x00b31bf5, +- 0xbb0057f0, ++ 0x0a3b21f5, ++/* 0x0adb: i2c_addr_done */ ++ 0xf80464b6, ++/* 0x0add: i2c_acquire_addr */ ++ 0xf8cec700, ++ 0xb702e4b6, ++ 0x980d1ce0, ++ 0x00f800ee, ++/* 0x0aec: i2c_acquire */ ++ 0x0add21f5, ++ 0xf00421f4, ++ 0x21f403d9, ++/* 0x0afb: i2c_release */ ++ 0xf500f840, ++ 0xf40add21, ++ 0xdaf00421, ++ 0x4021f403, ++/* 0x0b0a: i2c_recv */ ++ 0x32f400f8, ++ 0xf8c1c701, ++ 0xb00214b6, ++ 0x1ff52816, ++ 0x13a0013a, ++ 0x32980cf4, ++ 0xcc13a000, ++ 0x0031980c, ++ 0xf90231f4, ++ 0xf9e0f9d0, ++ 0x0067f1d0, ++ 0x0063f100, ++ 0x01679210, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0xec21f550, ++ 0x0464b60a, ++ 0xd6b0d0fc, ++ 0xb31bf500, ++ 0x0057f000, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x9621f550, ++ 0x0464b60a, ++ 0x00d011f5, ++ 0xbbe0c5c7, + 0x65b60076, + 0x9450f904, + 0x56bb0465, + 0xfd50bd02, + 0x50fc0475, +- 0x0a9d21f5, ++ 0x0a3b21f5, + 0xf50464b6, +- 0xc700d011, +- 0x76bbe0c5, ++ 0xf000ad11, ++ 0x76bb0157, + 0x0465b600, + 0x659450f9, + 0x0256bb04, + 0x75fd50bd, + 0xf550fc04, +- 0xb60a4221, ++ 0xb60a9621, + 0x11f50464, +- 0x57f000ad, +- 0x0076bb01, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0x21f550fc, +- 0x64b60a9d, +- 0x8a11f504, +- 0x0076bb00, +- 0xf90465b6, +- 0x04659450, +- 0xbd0256bb, +- 0x0475fd50, +- 0x21f550fc, +- 0x64b609f0, +- 0x6a11f404, +- 0xbbe05bcb, +- 0x65b60076, +- 0x9450f904, +- 0x56bb0465, +- 0xfd50bd02, +- 0x50fc0475, +- 0x093521f5, +- 0xb90464b6, +- 0x74bd025b, +-/* 0x0c17: i2c_recv_not_rd08 */ +- 0xb0430ef4, +- 0x1bf401d6, +- 0x0057f03d, +- 0x0a9d21f5, +- 0xc73311f4, +- 0x21f5e0c5, +- 0x11f40a42, +- 0x0057f029, +- 0x0a9d21f5, +- 0xc71f11f4, +- 0x21f5e0b5, +- 0x11f40a42, +- 0x3521f515, +- 0xc774bd09, +- 0x1bf408c5, +- 0x0232f409, +-/* 0x0c57: i2c_recv_not_wr08 */ +-/* 0x0c57: i2c_recv_done */ +- 0xc7030ef4, +- 0x21f5f8ce, +- 0xe0fc0b02, +- 0x12f4d0fc, +- 0x027cb90a, +- 0x033621f5, +-/* 0x0c6c: i2c_recv_exit */ +-/* 0x0c6e: i2c_init */ ++ 0x76bb008a, ++ 0x0465b600, ++ 0x659450f9, ++ 0x0256bb04, ++ 0x75fd50bd, ++ 0xf550fc04, ++ 0xb609e921, ++ 0x11f40464, ++ 0xe05bcb6a, ++ 0xb60076bb, ++ 0x50f90465, ++ 0xbb046594, ++ 0x50bd0256, ++ 0xfc0475fd, ++ 0x2e21f550, ++ 0x0464b609, ++ 0xbd025bb9, ++ 0x430ef474, ++/* 0x0c10: i2c_recv_not_rd08 */ ++ 0xf401d6b0, ++ 0x57f03d1b, ++ 0x9621f500, ++ 0x3311f40a, ++ 0xf5e0c5c7, ++ 0xf40a3b21, ++ 0x57f02911, ++ 0x9621f500, ++ 0x1f11f40a, ++ 0xf5e0b5c7, ++ 0xf40a3b21, ++ 0x21f51511, ++ 0x74bd092e, ++ 0xf408c5c7, ++ 0x32f4091b, ++ 0x030ef402, ++/* 0x0c50: i2c_recv_not_wr08 */ ++/* 0x0c50: i2c_recv_done */ ++ 0xf5f8cec7, ++ 0xfc0afb21, ++ 0xf4d0fce0, ++ 0x7cb90a12, ++ 0x3621f502, ++/* 0x0c65: i2c_recv_exit */ ++/* 0x0c67: i2c_init */ ++ 0xf800f803, ++/* 0x0c69: test_recv */ ++ 0xd817f100, ++ 0x0614b605, ++ 0xb60011cf, ++ 0x07f10110, ++ 0x04b605d8, ++ 0x0001d006, ++ 0xe7f104bd, ++ 0xe3f1d900, ++ 0x21f5134f, ++ 0x00f80256, ++/* 0x0c90: test_init */ ++ 0x0800e7f1, ++ 0x025621f5, ++/* 0x0c9a: idle_recv */ + 0x00f800f8, +-/* 0x0c70: test_recv */ +- 0x05d817f1, +- 0xcf0614b6, +- 0x10b60011, +- 0xd807f101, +- 0x0604b605, +- 0xbd0001d0, +- 0x00e7f104, +- 0x4fe3f1d9, +- 0x5621f513, +-/* 0x0c97: test_init */ +- 0xf100f802, +- 0xf50800e7, +- 0xf8025621, +-/* 0x0ca1: idle_recv */ +-/* 0x0ca3: idle */ +- 0xf400f800, +- 0x17f10031, +- 0x14b605d4, +- 0x0011cf06, +- 0xf10110b6, +- 0xb605d407, +- 0x01d00604, +-/* 0x0cbf: idle_loop */ +- 0xf004bd00, +- 0x32f45817, +-/* 0x0cc5: idle_proc */ +-/* 0x0cc5: idle_proc_exec */ +- 0xb910f902, +- 0x21f5021e, +- 0x10fc033f, +- 0xf40911f4, +- 0x0ef40231, +-/* 0x0cd9: idle_proc_next */ +- 0x5810b6ef, +- 0xf4061fb8, +- 0x02f4e61b, +- 0x0028f4dd, +- 0x00bb0ef4, ++/* 0x0c9c: idle */ ++ 0xf10031f4, ++ 0xb605d417, ++ 0x11cf0614, ++ 0x0110b600, ++ 0x05d407f1, ++ 0xd00604b6, ++ 0x04bd0001, ++/* 0x0cb8: idle_loop */ ++ 0xf45817f0, ++/* 0x0cbe: idle_proc */ ++/* 0x0cbe: idle_proc_exec */ ++ 0x10f90232, ++ 0xf5021eb9, ++ 0xfc033f21, ++ 0x0911f410, ++ 0xf40231f4, ++/* 0x0cd2: idle_proc_next */ ++ 0x10b6ef0e, ++ 0x061fb858, ++ 0xf4e61bf4, ++ 0x28f4dd02, ++ 0xbb0ef400, ++ 0x00000000, ++ 0x00000000, + 0x00000000, + 0x00000000, + 0x00000000, +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/pmu/fuc/memx.fuc +@@ -82,15 +82,15 @@ memx_train_tail: + // $r0 - zero + memx_func_enter: + #if NVKM_PPWR_CHIPSET == GT215 +- movw $r8 0x1610 ++ mov $r8 0x1610 + nv_rd32($r7, $r8) + imm32($r6, 0xfffffffc) + and $r7 $r6 +- movw $r6 0x2 ++ mov $r6 0x2 + or $r7 $r6 + nv_wr32($r8, $r7) + #else +- movw $r6 0x001620 ++ mov $r6 0x001620 + imm32($r7, ~0x00000aa2); + nv_rd32($r8, $r6) + and $r8 $r7 +@@ -101,7 +101,7 @@ memx_func_enter: + and $r8 $r7 + nv_wr32($r6, $r8) + +- movw $r6 0x0026f0 ++ mov $r6 0x0026f0 + nv_rd32($r8, $r6) + and $r8 $r7 + nv_wr32($r6, $r8) +@@ -136,19 +136,19 @@ memx_func_leave: + bra nz #memx_func_leave_wait + + #if NVKM_PPWR_CHIPSET == GT215 +- movw $r8 0x1610 ++ mov $r8 0x1610 + nv_rd32($r7, $r8) + imm32($r6, 0xffffffcc) + and $r7 $r6 + nv_wr32($r8, $r7) + #else +- movw $r6 0x0026f0 ++ mov $r6 0x0026f0 + imm32($r7, 0x00000001) + nv_rd32($r8, $r6) + or $r8 $r7 + nv_wr32($r6, $r8) + +- movw $r6 0x001620 ++ mov $r6 0x001620 + nv_rd32($r8, $r6) + or $r8 $r7 + nv_wr32($r6, $r8) +@@ -177,11 +177,11 @@ memx_func_wait_vblank: + bra #memx_func_wait_vblank_fini + + memx_func_wait_vblank_head1: +- movw $r7 0x20 ++ mov $r7 0x20 + bra #memx_func_wait_vblank_0 + + memx_func_wait_vblank_head0: +- movw $r7 0x8 ++ mov $r7 0x8 + + memx_func_wait_vblank_0: + nv_iord($r6, NV_PPWR_INPUT) +@@ -273,13 +273,13 @@ memx_func_train: + // $r5 - outer loop counter + // $r6 - inner loop counter + // $r7 - entry counter (#memx_train_head + $r7) +- movw $r5 0x3 +- movw $r7 0x0 ++ mov $r5 0x3 ++ mov $r7 0x0 + + // Read random memory to wake up... things + imm32($r9, 0x700000) + nv_rd32($r8,$r9) +- movw $r14 0x2710 ++ mov $r14 0x2710 + call(nsec) + + memx_func_train_loop_outer: +@@ -289,9 +289,9 @@ memx_func_train: + nv_wr32($r9, $r8) + push $r5 + +- movw $r6 0x0 ++ mov $r6 0x0 + memx_func_train_loop_inner: +- movw $r8 0x1111 ++ mov $r8 0x1111 + mulu $r9 $r6 $r8 + shl b32 $r8 $r9 0x10 + or $r8 $r9 +@@ -315,7 +315,7 @@ memx_func_train: + + // $r5 - inner inner loop counter + // $r9 - result +- movw $r5 0 ++ mov $r5 0 + imm32($r9, 0x8300ffff) + memx_func_train_loop_4x: + imm32($r10, 0x100080) diff --git a/queue-4.14/f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch b/queue-4.14/f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch new file mode 100644 index 00000000000..9d8c139f4e8 --- /dev/null +++ b/queue-4.14/f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Sheng Yong +Date: Wed, 17 Jan 2018 12:11:31 +0800 +Subject: f2fs: avoid hungtask when GC encrypted block if io_bits is set + +From: Sheng Yong + + +[ Upstream commit a9d572c7550044d5b217b5287d99a2e6d34b97b0 ] + +When io_bits is set, GCing encrypted block may hit the following hungtask. +Since io_bits requires aligned block address, f2fs_submit_page_write may +return -EAGAIN if new_blkaddr does not satisify io_bits alignment. As a +result, the encrypted page will never be writtenback. + +This patch makes move_data_block aware the EAGAIN error and cancel the +writeback. + +[ 246.751371] INFO: task kworker/u4:4:797 blocked for more than 90 seconds. +[ 246.752423] Not tainted 4.15.0-rc4+ #11 +[ 246.754176] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[ 246.755336] kworker/u4:4 D25448 797 2 0x80000000 +[ 246.755597] Workqueue: writeback wb_workfn (flush-7:0) +[ 246.755616] Call Trace: +[ 246.755695] ? __schedule+0x322/0xa90 +[ 246.755761] ? blk_init_request_from_bio+0x120/0x120 +[ 246.755773] ? pci_mmcfg_check_reserved+0xb0/0xb0 +[ 246.755801] ? __radix_tree_create+0x19e/0x200 +[ 246.755813] ? delete_node+0x136/0x370 +[ 246.755838] schedule+0x43/0xc0 +[ 246.755904] io_schedule+0x17/0x40 +[ 246.755939] wait_on_page_bit_common+0x17b/0x240 +[ 246.755950] ? wake_page_function+0xa0/0xa0 +[ 246.755961] ? add_to_page_cache_lru+0x160/0x160 +[ 246.755972] ? page_cache_tree_insert+0x170/0x170 +[ 246.755983] ? __lru_cache_add+0x96/0xb0 +[ 246.756086] __filemap_fdatawait_range+0x14f/0x1c0 +[ 246.756097] ? wait_on_page_bit_common+0x240/0x240 +[ 246.756120] ? __wake_up_locked_key_bookmark+0x20/0x20 +[ 246.756167] ? wait_on_all_pages_writeback+0xc9/0x100 +[ 246.756179] ? __remove_ino_entry+0x120/0x120 +[ 246.756192] ? wait_woken+0x100/0x100 +[ 246.756204] filemap_fdatawait_range+0x9/0x20 +[ 246.756216] write_checkpoint+0x18a1/0x1f00 +[ 246.756254] ? blk_get_request+0x10/0x10 +[ 246.756265] ? cpumask_next_and+0x43/0x60 +[ 246.756279] ? f2fs_sync_inode_meta+0x160/0x160 +[ 246.756289] ? remove_element.isra.4+0xa0/0xa0 +[ 246.756300] ? __put_compound_page+0x40/0x40 +[ 246.756310] ? f2fs_sync_fs+0xec/0x1c0 +[ 246.756320] ? f2fs_sync_fs+0x120/0x1c0 +[ 246.756329] f2fs_sync_fs+0x120/0x1c0 +[ 246.756357] ? trace_event_raw_event_f2fs__page+0x260/0x260 +[ 246.756393] ? ata_build_rw_tf+0x173/0x410 +[ 246.756397] f2fs_balance_fs_bg+0x198/0x390 +[ 246.756405] ? drop_inmem_page+0x230/0x230 +[ 246.756415] ? ahci_qc_prep+0x1bb/0x2e0 +[ 246.756418] ? ahci_qc_issue+0x1df/0x290 +[ 246.756422] ? __accumulate_pelt_segments+0x42/0xd0 +[ 246.756426] ? f2fs_write_node_pages+0xd1/0x380 +[ 246.756429] f2fs_write_node_pages+0xd1/0x380 +[ 246.756437] ? sync_node_pages+0x8f0/0x8f0 +[ 246.756440] ? update_curr+0x53/0x220 +[ 246.756444] ? __accumulate_pelt_segments+0xa2/0xd0 +[ 246.756448] ? __update_load_avg_se.isra.39+0x349/0x360 +[ 246.756452] ? do_writepages+0x2a/0xa0 +[ 246.756456] do_writepages+0x2a/0xa0 +[ 246.756460] __writeback_single_inode+0x70/0x490 +[ 246.756463] ? check_preempt_wakeup+0x199/0x310 +[ 246.756467] writeback_sb_inodes+0x2a2/0x660 +[ 246.756471] ? is_empty_dir_inode+0x40/0x40 +[ 246.756474] ? __writeback_single_inode+0x490/0x490 +[ 246.756477] ? string+0xbf/0xf0 +[ 246.756480] ? down_read_trylock+0x35/0x60 +[ 246.756484] __writeback_inodes_wb+0x9f/0xf0 +[ 246.756488] wb_writeback+0x41d/0x4b0 +[ 246.756492] ? writeback_inodes_wb.constprop.55+0x150/0x150 +[ 246.756498] ? set_worker_desc+0xf7/0x130 +[ 246.756502] ? current_is_workqueue_rescuer+0x60/0x60 +[ 246.756511] ? _find_next_bit+0x2c/0xa0 +[ 246.756514] ? wb_workfn+0x400/0x5d0 +[ 246.756518] wb_workfn+0x400/0x5d0 +[ 246.756521] ? finish_task_switch+0xdf/0x2a0 +[ 246.756525] ? inode_wait_for_writeback+0x30/0x30 +[ 246.756529] process_one_work+0x3a7/0x6f0 +[ 246.756533] worker_thread+0x82/0x750 +[ 246.756537] kthread+0x16f/0x1c0 +[ 246.756541] ? trace_event_raw_event_workqueue_work+0x110/0x110 +[ 246.756544] ? kthread_create_worker_on_cpu+0xb0/0xb0 +[ 246.756548] ret_from_fork+0x1f/0x30 + +Signed-off-by: Sheng Yong +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -696,7 +696,12 @@ static void move_data_block(struct inode + fio.op = REQ_OP_WRITE; + fio.op_flags = REQ_SYNC; + fio.new_blkaddr = newaddr; +- f2fs_submit_page_write(&fio); ++ err = f2fs_submit_page_write(&fio); ++ if (err) { ++ if (PageWriteback(fio.encrypted_page)) ++ end_page_writeback(fio.encrypted_page); ++ goto put_page_out; ++ } + + f2fs_update_iostat(fio.sbi, FS_GC_DATA_IO, F2FS_BLKSIZE); + diff --git a/queue-4.14/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch b/queue-4.14/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch new file mode 100644 index 00000000000..5157a9fa2db --- /dev/null +++ b/queue-4.14/firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Hector Martin +Date: Fri, 3 Nov 2017 20:28:57 +0900 +Subject: firewire-ohci: work around oversized DMA reads on JMicron controllers + +From: Hector Martin + + +[ Upstream commit 188775181bc05f29372b305ef96485840e351fde ] + +At least some JMicron controllers issue buggy oversized DMA reads when +fetching context descriptors, always fetching 0x20 bytes at once for +descriptors which are only 0x10 bytes long. This is often harmless, but +can cause page faults on modern systems with IOMMUs: + +DMAR: [DMA Read] Request device [05:00.0] fault addr fff56000 [fault reason 06] PTE Read access is not set +firewire_ohci 0000:05:00.0: DMA context IT0 has stopped, error code: evt_descriptor_read + +This works around the problem by always leaving 0x10 padding bytes at +the end of descriptor buffer pages, which should be harmless to do +unconditionally for controllers in case others have the same behavior. + +Signed-off-by: Hector Martin +Reviewed-by: Clemens Ladisch +Signed-off-by: Stefan Richter +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firewire/ohci.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -1130,7 +1130,13 @@ static int context_add_buffer(struct con + return -ENOMEM; + + offset = (void *)&desc->buffer - (void *)desc; +- desc->buffer_size = PAGE_SIZE - offset; ++ /* ++ * Some controllers, like JMicron ones, always issue 0x20-byte DMA reads ++ * for descriptors, even 0x10-byte ones. This can cause page faults when ++ * an IOMMU is in use and the oversized read crosses a page boundary. ++ * Work around this by always leaving at least 0x10 bytes of padding. ++ */ ++ desc->buffer_size = PAGE_SIZE - offset - 0x10; + desc->buffer_bus = bus_addr + offset; + desc->used = 0; + diff --git a/queue-4.14/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch b/queue-4.14/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch new file mode 100644 index 00000000000..caaae437ebe --- /dev/null +++ b/queue-4.14/firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch @@ -0,0 +1,86 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jean Delvare +Date: Sat, 3 Feb 2018 11:25:20 +0100 +Subject: firmware: dmi_scan: Fix handling of empty DMI strings + +From: Jean Delvare + + +[ Upstream commit a7770ae194569e96a93c48aceb304edded9cc648 ] + +The handling of empty DMI strings looks quite broken to me: +* Strings from 1 to 7 spaces are not considered empty. +* True empty DMI strings (string index set to 0) are not considered + empty, and result in allocating a 0-char string. +* Strings with invalid index also result in allocating a 0-char + string. +* Strings starting with 8 spaces are all considered empty, even if + non-space characters follow (sounds like a weird thing to do, but + I have actually seen occurrences of this in DMI tables before.) +* Strings which are considered empty are reported as 8 spaces, + instead of being actually empty. + +Some of these issues are the result of an off-by-one error in memcmp, +the rest is incorrect by design. + +So let's get it square: missing strings and strings made of only +spaces, regardless of their length, should be treated as empty and +no memory should be allocated for them. All other strings are +non-empty and should be allocated. + +Signed-off-by: Jean Delvare +Fixes: 79da4721117f ("x86: fix DMI out of memory problems") +Cc: Parag Warudkar +Cc: Ingo Molnar +Cc: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/dmi_scan.c | 22 +++++++++------------- + 1 file changed, 9 insertions(+), 13 deletions(-) + +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -18,7 +18,7 @@ EXPORT_SYMBOL_GPL(dmi_kobj); + * of and an antecedent to, SMBIOS, which stands for System + * Management BIOS. See further: http://www.dmtf.org/standards + */ +-static const char dmi_empty_string[] = " "; ++static const char dmi_empty_string[] = ""; + + static u32 dmi_ver __initdata; + static u32 dmi_len; +@@ -44,25 +44,21 @@ static int dmi_memdev_nr; + static const char * __init dmi_string_nosave(const struct dmi_header *dm, u8 s) + { + const u8 *bp = ((u8 *) dm) + dm->length; ++ const u8 *nsp; + + if (s) { +- s--; +- while (s > 0 && *bp) { ++ while (--s > 0 && *bp) + bp += strlen(bp) + 1; +- s--; +- } + +- if (*bp != 0) { +- size_t len = strlen(bp)+1; +- size_t cmp_len = len > 8 ? 8 : len; +- +- if (!memcmp(bp, dmi_empty_string, cmp_len)) +- return dmi_empty_string; ++ /* Strings containing only spaces are considered empty */ ++ nsp = bp; ++ while (*nsp == ' ') ++ nsp++; ++ if (*nsp != '\0') + return bp; +- } + } + +- return ""; ++ return dmi_empty_string; + } + + static const char * __init dmi_string(const struct dmi_header *dm, u8 s) diff --git a/queue-4.14/fm10k-fix-failed-to-kill-vid-message-for-vf.patch b/queue-4.14/fm10k-fix-failed-to-kill-vid-message-for-vf.patch new file mode 100644 index 00000000000..7ffeaf7c5cc --- /dev/null +++ b/queue-4.14/fm10k-fix-failed-to-kill-vid-message-for-vf.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ngai-Mint Kwan +Date: Wed, 24 Jan 2018 14:18:22 -0800 +Subject: fm10k: fix "failed to kill vid" message for VF + +From: Ngai-Mint Kwan + + +[ Upstream commit cf315ea596ec26d7aa542a9ce354990875a920c0 ] + +When a VF is under PF VLAN assignment: + +ip link set vf <#> vlan + +This will remove all previous entries in the VLAN table including those +generated by VLAN interfaces created on the VF. The issue arises when +the VF is under PF VLAN assignment and one or more of these VLAN +interfaces of the VF are deleted. When deleting these VLAN interfaces, +the following message will be generated in "dmesg": + +failed to kill vid 0081/ for device + +This is due to the fact that "ndo_vlan_rx_kill_vid" exits with an error. +The handler for this ndo is "fm10k_update_vid". Any calls to this +function while under PF VLAN management will exit prematurely and, thus, +it will generate the failure message. + +Additionally, since "fm10k_update_vid" exits prematurely, none of the +VLAN update is performed. So, even though the actual VLAN interfaces of +the VF will be deleted, the active_vlans bitmask is not cleared. When +the VF is no longer under PF VLAN assignment, the driver mistakenly +restores the previous entries of the VLAN table based on an +unsynchronized list of active VLANs. + +The solution to this issue involves checking the VLAN update action type +before exiting "fm10k_update_vid". If the VLAN update action type is to +"add", this action will not be permitted while the VF is under PF VLAN +assignment and the VLAN update is abandoned like before. + +However, if the VLAN update action type is to "kill", then we need to +also clear the active_vlans bitmask. However, we don't need to actually +queue any messages to the PF, because the MAC and VLAN tables have +already been cleared, and the PF would silently ignore these requests +anyways. + +Signed-off-by: Ngai-Mint Kwan +Signed-off-by: Jacob Keller +Tested-by: Krishneil Singh +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/fm10k/fm10k_netdev.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_netdev.c +@@ -815,8 +815,12 @@ static int fm10k_update_vid(struct net_d + if (vid >= VLAN_N_VID) + return -EINVAL; + +- /* Verify we have permission to add VLANs */ +- if (hw->mac.vlan_override) ++ /* Verify that we have permission to add VLANs. If this is a request ++ * to remove a VLAN, we still want to allow the user to remove the ++ * VLAN device. In that case, we need to clear the bit in the ++ * active_vlans bitmask. ++ */ ++ if (set && hw->mac.vlan_override) + return -EACCES; + + /* update active_vlans bitmask */ +@@ -835,6 +839,12 @@ static int fm10k_update_vid(struct net_d + rx_ring->vid &= ~FM10K_VLAN_CLEAR; + } + ++ /* If our VLAN has been overridden, there is no reason to send VLAN ++ * removal requests as they will be silently ignored. ++ */ ++ if (hw->mac.vlan_override) ++ return 0; ++ + /* Do not remove default VLAN ID related entries from VLAN and MAC + * tables + */ diff --git a/queue-4.14/fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch b/queue-4.14/fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch new file mode 100644 index 00000000000..e29a675f623 --- /dev/null +++ b/queue-4.14/fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Jan H. Schönherr" +Date: Wed, 31 Jan 2018 16:14:04 -0800 +Subject: fs/dax.c: release PMD lock even when there is no PMD support in DAX + +From: "Jan H. Schönherr" + + +[ Upstream commit ee190ca6516bc8257e3d36187ca6f0f71a9ec477 ] + +follow_pte_pmd() can theoretically return after having acquired a PMD +lock, even when DAX was not compiled with CONFIG_FS_DAX_PMD. + +Release the PMD lock unconditionally. + +Link: http://lkml.kernel.org/r/20180118133839.20587-1-jschoenh@amazon.de +Fixes: f729c8c9b24f ("dax: wrprotect pmd_t in dax_mapping_entry_mkclean") +Signed-off-by: Jan H. Schönherr +Reviewed-by: Ross Zwisler +Reviewed-by: Andrew Morton +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dax.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/dax.c ++++ b/fs/dax.c +@@ -630,8 +630,8 @@ static void dax_mapping_entry_mkclean(st + set_pmd_at(vma->vm_mm, address, pmdp, pmd); + mmu_notifier_invalidate_range(vma->vm_mm, start, end); + unlock_pmd: +- spin_unlock(ptl); + #endif ++ spin_unlock(ptl); + } else { + if (pfn != pte_pfn(*ptep)) + goto unlock_pte; diff --git a/queue-4.14/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch b/queue-4.14/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch new file mode 100644 index 00000000000..8718cff8fdf --- /dev/null +++ b/queue-4.14/gianfar-prevent-integer-wrapping-in-the-rx-handler.patch @@ -0,0 +1,84 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Andy Spencer +Date: Thu, 25 Jan 2018 19:37:50 -0800 +Subject: gianfar: prevent integer wrapping in the rx handler + +From: Andy Spencer + + +[ Upstream commit 202a0a70e445caee1d0ec7aae814e64b1189fa4d ] + +When the frame check sequence (FCS) is split across the last two frames +of a fragmented packet, part of the FCS gets counted twice, once when +subtracting the FCS, and again when subtracting the previously received +data. + +For example, if 1602 bytes are received, and the first fragment contains +the first 1600 bytes (including the first two bytes of the FCS), and the +second fragment contains the last two bytes of the FCS: + + 'skb->len == 1600' from the first fragment + + size = lstatus & BD_LENGTH_MASK; # 1602 + size -= ETH_FCS_LEN; # 1598 + size -= skb->len; # -2 + +Since the size is unsigned, it wraps around and causes a BUG later in +the packet handling, as shown below: + + kernel BUG at ./include/linux/skbuff.h:2068! + Oops: Exception in kernel mode, sig: 5 [#1] + ... + NIP [c021ec60] skb_pull+0x24/0x44 + LR [c01e2fbc] gfar_clean_rx_ring+0x498/0x690 + Call Trace: + [df7edeb0] [c01e2c1c] gfar_clean_rx_ring+0xf8/0x690 (unreliable) + [df7edf20] [c01e33a8] gfar_poll_rx_sq+0x3c/0x9c + [df7edf40] [c023352c] net_rx_action+0x21c/0x274 + [df7edf90] [c0329000] __do_softirq+0xd8/0x240 + [df7edff0] [c000c108] call_do_irq+0x24/0x3c + [c0597e90] [c00041dc] do_IRQ+0x64/0xc4 + [c0597eb0] [c000d920] ret_from_except+0x0/0x18 + --- interrupt: 501 at arch_cpu_idle+0x24/0x5c + +Change the size to a signed integer and then trim off any part of the +FCS that was received prior to the last fragment. + +Fixes: 6c389fc931bc ("gianfar: fix size of scatter-gathered frames") +Signed-off-by: Andy Spencer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -2932,7 +2932,7 @@ static irqreturn_t gfar_transmit(int irq + static bool gfar_add_rx_frag(struct gfar_rx_buff *rxb, u32 lstatus, + struct sk_buff *skb, bool first) + { +- unsigned int size = lstatus & BD_LENGTH_MASK; ++ int size = lstatus & BD_LENGTH_MASK; + struct page *page = rxb->page; + bool last = !!(lstatus & BD_LFLAG(RXBD_LAST)); + +@@ -2947,11 +2947,16 @@ static bool gfar_add_rx_frag(struct gfar + if (last) + size -= skb->len; + +- /* in case the last fragment consisted only of the FCS */ ++ /* Add the last fragment if it contains something other than ++ * the FCS, otherwise drop it and trim off any part of the FCS ++ * that was already received. ++ */ + if (size > 0) + skb_add_rx_frag(skb, skb_shinfo(skb)->nr_frags, page, + rxb->page_offset + RXBUF_ALIGNMENT, + size, GFAR_RXB_TRUESIZE); ++ else if (size < 0) ++ pskb_trim(skb, skb->len + size); + } + + /* try reuse page */ diff --git a/queue-4.14/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch b/queue-4.14/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch new file mode 100644 index 00000000000..f1fda17dddb --- /dev/null +++ b/queue-4.14/hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Dan Carpenter +Date: Wed, 10 Jan 2018 12:39:03 +0300 +Subject: HID: roccat: prevent an out of bounds read in kovaplus_profile_activated() + +From: Dan Carpenter + + +[ Upstream commit 7ad81482cad67cbe1ec808490d1ddfc420c42008 ] + +We get the "new_profile_index" value from the mouse device when we're +handling raw events. Smatch taints it as untrusted data and complains +that we need a bounds check. This seems like a reasonable warning +otherwise there is a small read beyond the end of the array. + +Fixes: 0e70f97f257e ("HID: roccat: Add support for Kova[+] mouse") +Signed-off-by: Dan Carpenter +Acked-by: Silvan Jegen +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-roccat-kovaplus.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-roccat-kovaplus.c ++++ b/drivers/hid/hid-roccat-kovaplus.c +@@ -37,6 +37,8 @@ static uint kovaplus_convert_event_cpi(u + static void kovaplus_profile_activated(struct kovaplus_device *kovaplus, + uint new_profile_index) + { ++ if (new_profile_index >= ARRAY_SIZE(kovaplus->profile_settings)) ++ return; + kovaplus->actual_profile = new_profile_index; + kovaplus->actual_cpi = kovaplus->profile_settings[new_profile_index].cpi_startup_level; + kovaplus->actual_x_sensitivity = kovaplus->profile_settings[new_profile_index].sensitivity_x; diff --git a/queue-4.14/i40e-fix-reported-mask-for-ntuple-filters.patch b/queue-4.14/i40e-fix-reported-mask-for-ntuple-filters.patch new file mode 100644 index 00000000000..86f0546ac2d --- /dev/null +++ b/queue-4.14/i40e-fix-reported-mask-for-ntuple-filters.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jacob Keller +Date: Wed, 27 Dec 2017 08:26:33 -0500 +Subject: i40e: fix reported mask for ntuple filters + +From: Jacob Keller + + +[ Upstream commit 40339af33c703bacb336493157d43c86a8bf2fed ] + +In commit 36777d9fa24c ("i40e: check current configured input set when +adding ntuple filters") some code was added to report the input set +mask for a given filter when reporting it to the user. + +This code is necessary so that the reported filter correctly displays +that it is or is not masking certain fields. + +Unfortunately the code was incorrect. Development error accidentally +swapped the mask values for the IPv4 addresses with the L4 port numbers. +The port numbers are only 16bits wide while IPv4 addresses are 32 bits. +Unfortunately we assigned only 16 bits to the IPv4 address masks. +Additionally we assigned 32bit value 0xFFFFFFF to the TCP port numbers. +This second part does not matter as the value would be truncated to +16bits regardless, but it is unnecessary. + +Fix the reported masks to properly report that the entire field is +masked. + +Fixes: 36777d9fa24c ("i40e: check current configured input set when adding ntuple filters") +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -2588,16 +2588,16 @@ static int i40e_get_ethtool_fdir_entry(s + + no_input_set: + if (input_set & I40E_L3_SRC_MASK) +- fsp->m_u.tcp_ip4_spec.ip4src = htonl(0xFFFF); ++ fsp->m_u.tcp_ip4_spec.ip4src = htonl(0xFFFFFFFF); + + if (input_set & I40E_L3_DST_MASK) +- fsp->m_u.tcp_ip4_spec.ip4dst = htonl(0xFFFF); ++ fsp->m_u.tcp_ip4_spec.ip4dst = htonl(0xFFFFFFFF); + + if (input_set & I40E_L4_SRC_MASK) +- fsp->m_u.tcp_ip4_spec.psrc = htons(0xFFFFFFFF); ++ fsp->m_u.tcp_ip4_spec.psrc = htons(0xFFFF); + + if (input_set & I40E_L4_DST_MASK) +- fsp->m_u.tcp_ip4_spec.pdst = htons(0xFFFFFFFF); ++ fsp->m_u.tcp_ip4_spec.pdst = htons(0xFFFF); + + if (rule->dest_ctl == I40E_FILTER_PROGRAM_DESC_DEST_DROP_PACKET) + fsp->ring_cookie = RX_CLS_FLOW_DISC; diff --git a/queue-4.14/i40e-program-fragmented-ipv4-filter-input-set.patch b/queue-4.14/i40e-program-fragmented-ipv4-filter-input-set.patch new file mode 100644 index 00000000000..e7a14cd4dbe --- /dev/null +++ b/queue-4.14/i40e-program-fragmented-ipv4-filter-input-set.patch @@ -0,0 +1,63 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jacob Keller +Date: Wed, 27 Dec 2017 08:24:12 -0500 +Subject: i40e: program fragmented IPv4 filter input set + +From: Jacob Keller + + +[ Upstream commit 02b4016bfe43d2d5ed043be7ffa56cda6a4d1100 ] + +When implementing support for IP_USER_FLOW filters, we correctly +programmed a filter for both the non fragmented IPv4/Other filter, as +well as the fragmented IPv4 filters. However, we did not properly +program the input set for fragmented IPv4 PCTYPE. This meant that the +filters would almost certainly not match, unless the user specified all +of the flow types. + +Add support to program the fragmented IPv4 filter input set. Since we +always program these filters together, we'll assume that the two input +sets must match, and will thus always program the input sets to the same +value. + +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 10 ++++++++++ + drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ + 2 files changed, 13 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c +@@ -3648,6 +3648,16 @@ static int i40e_check_fdir_input_set(str + + i40e_write_fd_input_set(pf, index, new_mask); + ++ /* IP_USER_FLOW filters match both IPv4/Other and IPv4/Fragmented ++ * frames. If we're programming the input set for IPv4/Other, we also ++ * need to program the IPv4/Fragmented input set. Since we don't have ++ * separate support, we'll always assume and enforce that the two flow ++ * types must have matching input sets. ++ */ ++ if (index == I40E_FILTER_PCTYPE_NONF_IPV4_OTHER) ++ i40e_write_fd_input_set(pf, I40E_FILTER_PCTYPE_FRAG_IPV4, ++ new_mask); ++ + /* Add the new offset and update table, if necessary */ + if (new_flex_offset) { + err = i40e_add_flex_offset(&pf->l4_flex_pit_list, src_offset, +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -5828,6 +5828,9 @@ static void i40e_fdir_filter_exit(struct + /* Reprogram the default input set for Other/IPv4 */ + i40e_write_fd_input_set(pf, I40E_FILTER_PCTYPE_NONF_IPV4_OTHER, + I40E_L3_SRC_MASK | I40E_L3_DST_MASK); ++ ++ i40e_write_fd_input_set(pf, I40E_FILTER_PCTYPE_FRAG_IPV4, ++ I40E_L3_SRC_MASK | I40E_L3_DST_MASK); + } + + /** diff --git a/queue-4.14/i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch b/queue-4.14/i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch new file mode 100644 index 00000000000..dad006ecc84 --- /dev/null +++ b/queue-4.14/i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch @@ -0,0 +1,63 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Avinash Dayanand +Date: Mon, 18 Dec 2017 05:16:43 -0500 +Subject: i40evf: Don't schedule reset_task when device is being removed + +From: Avinash Dayanand + + +[ Upstream commit 06aa040f039404a0039a5158cd12f41187487a1f ] + +When a host disables and enables a PF device, all the associated +VFs are removed and added back in. It also generates a PFR which in turn +resets all the connected VFs. This behaviour is different from that of +Linux guest on Linux host. Hence we end up in a situation where there's +a PFR and device removal at the same time. And watchdog doesn't have a +clue about this and schedules a reset_task. This patch adds code to send +signal to reset_task that the device is currently being removed. + +Signed-off-by: Avinash Dayanand +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40evf/i40evf.h | 1 + + drivers/net/ethernet/intel/i40evf/i40evf_main.c | 9 ++++++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/i40evf/i40evf.h ++++ b/drivers/net/ethernet/intel/i40evf/i40evf.h +@@ -186,6 +186,7 @@ enum i40evf_state_t { + enum i40evf_critical_section_t { + __I40EVF_IN_CRITICAL_TASK, /* cannot be interrupted */ + __I40EVF_IN_CLIENT_TASK, ++ __I40EVF_IN_REMOVE_TASK, /* device being removed */ + }; + + /* board specific private data structure */ +--- a/drivers/net/ethernet/intel/i40evf/i40evf_main.c ++++ b/drivers/net/ethernet/intel/i40evf/i40evf_main.c +@@ -1839,6 +1839,12 @@ static void i40evf_reset_task(struct wor + int i = 0, err; + bool running; + ++ /* When device is being removed it doesn't make sense to run the reset ++ * task, just return in such a case. ++ */ ++ if (test_bit(__I40EVF_IN_REMOVE_TASK, &adapter->crit_section)) ++ return; ++ + while (test_and_set_bit(__I40EVF_IN_CLIENT_TASK, + &adapter->crit_section)) + usleep_range(500, 1000); +@@ -3022,7 +3028,8 @@ static void i40evf_remove(struct pci_dev + struct i40evf_mac_filter *f, *ftmp; + struct i40e_hw *hw = &adapter->hw; + int err; +- ++ /* Indicate we are in remove and not to run reset_task */ ++ set_bit(__I40EVF_IN_REMOVE_TASK, &adapter->crit_section); + cancel_delayed_work_sync(&adapter->init_task); + cancel_work_sync(&adapter->reset_task); + cancel_delayed_work_sync(&adapter->client_task); diff --git a/queue-4.14/i40evf-ignore-link-up-if-not-running.patch b/queue-4.14/i40evf-ignore-link-up-if-not-running.patch new file mode 100644 index 00000000000..e9b939cf7ea --- /dev/null +++ b/queue-4.14/i40evf-ignore-link-up-if-not-running.patch @@ -0,0 +1,73 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Alan Brady +Date: Fri, 5 Jan 2018 04:55:21 -0500 +Subject: i40evf: ignore link up if not running + +From: Alan Brady + + +[ Upstream commit e0346f9fcb6c636d2f870e6666de8781413f34ea ] + +If we receive the link status message from PF with link up before queues +are actually enabled, it will trigger a TX hang. This fixes the issue +by ignoring a link up message if the VF state is not yet in RUNNING +state. + +Signed-off-by: Alan Brady +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c | 35 +++++++++++++------- + 1 file changed, 23 insertions(+), 12 deletions(-) + +--- a/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c ++++ b/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c +@@ -937,23 +937,34 @@ void i40evf_virtchnl_completion(struct i + if (v_opcode == VIRTCHNL_OP_EVENT) { + struct virtchnl_pf_event *vpe = + (struct virtchnl_pf_event *)msg; ++ bool link_up = vpe->event_data.link_event.link_status; + switch (vpe->event) { + case VIRTCHNL_EVENT_LINK_CHANGE: + adapter->link_speed = + vpe->event_data.link_event.link_speed; +- if (adapter->link_up != +- vpe->event_data.link_event.link_status) { +- adapter->link_up = +- vpe->event_data.link_event.link_status; +- if (adapter->link_up) { +- netif_tx_start_all_queues(netdev); +- netif_carrier_on(netdev); +- } else { +- netif_tx_stop_all_queues(netdev); +- netif_carrier_off(netdev); +- } +- i40evf_print_link_message(adapter); ++ ++ /* we've already got the right link status, bail */ ++ if (adapter->link_up == link_up) ++ break; ++ ++ /* If we get link up message and start queues before ++ * our queues are configured it will trigger a TX hang. ++ * In that case, just ignore the link status message, ++ * we'll get another one after we enable queues and ++ * actually prepared to send traffic. ++ */ ++ if (link_up && adapter->state != __I40EVF_RUNNING) ++ break; ++ ++ adapter->link_up = link_up; ++ if (link_up) { ++ netif_tx_start_all_queues(netdev); ++ netif_carrier_on(netdev); ++ } else { ++ netif_tx_stop_all_queues(netdev); ++ netif_carrier_off(netdev); + } ++ i40evf_print_link_message(adapter); + break; + case VIRTCHNL_EVENT_RESET_IMPENDING: + dev_info(&adapter->pdev->dev, "PF reset warning received\n"); diff --git a/queue-4.14/i40iw-free-ieq-resources.patch b/queue-4.14/i40iw-free-ieq-resources.patch new file mode 100644 index 00000000000..a54a6ada0c8 --- /dev/null +++ b/queue-4.14/i40iw-free-ieq-resources.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Mustafa Ismail +Date: Thu, 11 Jan 2018 18:10:54 -0600 +Subject: i40iw: Free IEQ resources + +From: Mustafa Ismail + + +[ Upstream commit f20d429511affab6a2a9129f46042f43e6ffe396 ] + +The iWARP Exception Queue (IEQ) resources are not freed when a QP is +destroyed. Fix this by freeing IEQ resources when freeing QP resources. + +Fixes: d37498417947 ("i40iw: add files for iwarp interface") +Signed-off-by: Mustafa Ismail +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_puda.c | 3 +-- + drivers/infiniband/hw/i40iw/i40iw_puda.h | 1 + + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 + + 3 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_puda.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_puda.c +@@ -48,7 +48,6 @@ static void i40iw_ieq_tx_compl(struct i4 + static void i40iw_ilq_putback_rcvbuf(struct i40iw_sc_qp *qp, u32 wqe_idx); + static enum i40iw_status_code i40iw_puda_replenish_rq(struct i40iw_puda_rsrc + *rsrc, bool initial); +-static void i40iw_ieq_cleanup_qp(struct i40iw_puda_rsrc *ieq, struct i40iw_sc_qp *qp); + /** + * i40iw_puda_get_listbuf - get buffer from puda list + * @list: list to use for buffers (ILQ or IEQ) +@@ -1480,7 +1479,7 @@ static void i40iw_ieq_tx_compl(struct i4 + * @ieq: ieq resource + * @qp: all pending fpdu buffers + */ +-static void i40iw_ieq_cleanup_qp(struct i40iw_puda_rsrc *ieq, struct i40iw_sc_qp *qp) ++void i40iw_ieq_cleanup_qp(struct i40iw_puda_rsrc *ieq, struct i40iw_sc_qp *qp) + { + struct i40iw_puda_buf *buf; + struct i40iw_pfpdu *pfpdu = &qp->pfpdu; +--- a/drivers/infiniband/hw/i40iw/i40iw_puda.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_puda.h +@@ -186,4 +186,5 @@ enum i40iw_status_code i40iw_cqp_qp_crea + enum i40iw_status_code i40iw_cqp_cq_create_cmd(struct i40iw_sc_dev *dev, struct i40iw_sc_cq *cq); + void i40iw_cqp_qp_destroy_cmd(struct i40iw_sc_dev *dev, struct i40iw_sc_qp *qp); + void i40iw_cqp_cq_destroy_cmd(struct i40iw_sc_dev *dev, struct i40iw_sc_cq *cq); ++void i40iw_ieq_cleanup_qp(struct i40iw_puda_rsrc *ieq, struct i40iw_sc_qp *qp); + #endif +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -428,6 +428,7 @@ void i40iw_free_qp_resources(struct i40i + { + struct i40iw_pbl *iwpbl = &iwqp->iwpbl; + ++ i40iw_ieq_cleanup_qp(iwdev->vsi.ieq, &iwqp->sc_qp); + i40iw_dealloc_push_page(iwdev, &iwqp->sc_qp); + if (qp_num) + i40iw_free_resource(iwdev, iwdev->allocated_qps, qp_num); diff --git a/queue-4.14/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch b/queue-4.14/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch new file mode 100644 index 00000000000..e3fb03f0caf --- /dev/null +++ b/queue-4.14/i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Shiraz Saleem +Date: Thu, 11 Jan 2018 18:10:51 -0600 +Subject: i40iw: Zero-out consumer key on allocate stag for FMR + +From: Shiraz Saleem + + +[ Upstream commit 6376e926af1a8661dd1b2e6d0896e07f84a35844 ] + +If the application invalidates the MR before the FMR WR, HW parses the +consumer key portion of the stag and returns an invalid stag key +Asynchronous Event (AE) that tears down the QP. + +Fix this by zeroing-out the consumer key portion of the allocated stag +returned to application for FMR. + +Fixes: ee855d3b93f3 ("RDMA/i40iw: Add base memory management extensions") +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -1656,6 +1656,7 @@ static struct ib_mr *i40iw_alloc_mr(stru + err_code = -EOVERFLOW; + goto err; + } ++ stag &= ~I40IW_CQPSQ_STAG_KEY_MASK; + iwmr->stag = stag; + iwmr->ibmr.rkey = stag; + iwmr->ibmr.lkey = stag; diff --git a/queue-4.14/ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch b/queue-4.14/ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch new file mode 100644 index 00000000000..e0b8ca017d7 --- /dev/null +++ b/queue-4.14/ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch @@ -0,0 +1,71 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Don Hiatt +Date: Thu, 1 Feb 2018 10:57:03 -0800 +Subject: IB/core: Map iWarp AH type to undefined in rdma_ah_find_type + +From: Don Hiatt + + +[ Upstream commit 87daac68f77a3e21a1113f816e6a7be0b38bdde8 ] + +iWarp devices do not support the creation of address handles +so return AH_ATTR_TYPE_UNDEFINED for all iWarp devices. + +While we are here reduce the size of port_num to u8 and add +a comment. + +Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types") +Reported-by: Parav Pandit +CC: Sean Hefty +Reviewed-by: Ira Weiny +Reviewed-by: Shiraz Saleem +Signed-off-by: Don Hiatt +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/rdma/ib_verbs.h | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -866,6 +866,7 @@ struct ib_mr_status { + __attribute_const__ enum ib_rate mult_to_ib_rate(int mult); + + enum rdma_ah_attr_type { ++ RDMA_AH_ATTR_TYPE_UNDEFINED, + RDMA_AH_ATTR_TYPE_IB, + RDMA_AH_ATTR_TYPE_ROCE, + RDMA_AH_ATTR_TYPE_OPA, +@@ -3762,17 +3763,24 @@ static inline void rdma_ah_set_grh(struc + grh->traffic_class = traffic_class; + } + +-/*Get AH type */ ++/** ++ * rdma_ah_find_type - Return address handle type. ++ * ++ * @dev: Device to be checked ++ * @port_num: Port number ++ */ + static inline enum rdma_ah_attr_type rdma_ah_find_type(struct ib_device *dev, +- u32 port_num) ++ u8 port_num) + { + if (rdma_protocol_roce(dev, port_num)) + return RDMA_AH_ATTR_TYPE_ROCE; +- else if ((rdma_protocol_ib(dev, port_num)) && +- (rdma_cap_opa_ah(dev, port_num))) +- return RDMA_AH_ATTR_TYPE_OPA; +- else ++ if (rdma_protocol_ib(dev, port_num)) { ++ if (rdma_cap_opa_ah(dev, port_num)) ++ return RDMA_AH_ATTR_TYPE_OPA; + return RDMA_AH_ATTR_TYPE_IB; ++ } ++ ++ return RDMA_AH_ATTR_TYPE_UNDEFINED; + } + + /** diff --git a/queue-4.14/ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch b/queue-4.14/ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch new file mode 100644 index 00000000000..98db4cf81bb --- /dev/null +++ b/queue-4.14/ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch @@ -0,0 +1,99 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Sagi Grimberg +Date: Sun, 14 Jan 2018 17:07:50 +0200 +Subject: IB/cq: Don't force IB_POLL_DIRECT poll context for ib_process_cq_direct + +From: Sagi Grimberg + + +[ Upstream commit 246d8b184c100e8eb6b4e8c88f232c2ed2a4e672 ] + +polling the completion queue directly does not interfere +with the existing polling logic, hence drop the requirement. +Be aware that running ib_process_cq_direct with non IB_POLL_DIRECT +CQ may trigger concurrent CQ processing. + +This can be used for polling mode ULPs. + +Cc: Bart Van Assche +Reported-by: Steve Wise +Signed-off-by: Sagi Grimberg +[maxg: added wcs array argument to __ib_process_cq] +Signed-off-by: Max Gurtovoy +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cq.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/cq.c ++++ b/drivers/infiniband/core/cq.c +@@ -25,9 +25,10 @@ + #define IB_POLL_FLAGS \ + (IB_CQ_NEXT_COMP | IB_CQ_REPORT_MISSED_EVENTS) + +-static int __ib_process_cq(struct ib_cq *cq, int budget) ++static int __ib_process_cq(struct ib_cq *cq, int budget, struct ib_wc *poll_wc) + { + int i, n, completed = 0; ++ struct ib_wc *wcs = poll_wc ? : cq->wc; + + /* + * budget might be (-1) if the caller does not +@@ -35,9 +36,9 @@ static int __ib_process_cq(struct ib_cq + * minimum here. + */ + while ((n = ib_poll_cq(cq, min_t(u32, IB_POLL_BATCH, +- budget - completed), cq->wc)) > 0) { ++ budget - completed), wcs)) > 0) { + for (i = 0; i < n; i++) { +- struct ib_wc *wc = &cq->wc[i]; ++ struct ib_wc *wc = &wcs[i]; + + if (wc->wr_cqe) + wc->wr_cqe->done(cq, wc); +@@ -60,18 +61,20 @@ static int __ib_process_cq(struct ib_cq + * @cq: CQ to process + * @budget: number of CQEs to poll for + * +- * This function is used to process all outstanding CQ entries on a +- * %IB_POLL_DIRECT CQ. It does not offload CQ processing to a different +- * context and does not ask for completion interrupts from the HCA. ++ * This function is used to process all outstanding CQ entries. ++ * It does not offload CQ processing to a different context and does ++ * not ask for completion interrupts from the HCA. ++ * Using direct processing on CQ with non IB_POLL_DIRECT type may trigger ++ * concurrent processing. + * + * Note: do not pass -1 as %budget unless it is guaranteed that the number + * of completions that will be processed is small. + */ + int ib_process_cq_direct(struct ib_cq *cq, int budget) + { +- WARN_ON_ONCE(cq->poll_ctx != IB_POLL_DIRECT); ++ struct ib_wc wcs[IB_POLL_BATCH]; + +- return __ib_process_cq(cq, budget); ++ return __ib_process_cq(cq, budget, wcs); + } + EXPORT_SYMBOL(ib_process_cq_direct); + +@@ -85,7 +88,7 @@ static int ib_poll_handler(struct irq_po + struct ib_cq *cq = container_of(iop, struct ib_cq, iop); + int completed; + +- completed = __ib_process_cq(cq, budget); ++ completed = __ib_process_cq(cq, budget, NULL); + if (completed < budget) { + irq_poll_complete(&cq->iop); + if (ib_req_notify_cq(cq, IB_POLL_FLAGS) > 0) +@@ -105,7 +108,7 @@ static void ib_cq_poll_work(struct work_ + struct ib_cq *cq = container_of(work, struct ib_cq, work); + int completed; + +- completed = __ib_process_cq(cq, IB_POLL_BUDGET_WORKQUEUE); ++ completed = __ib_process_cq(cq, IB_POLL_BUDGET_WORKQUEUE, NULL); + if (completed >= IB_POLL_BUDGET_WORKQUEUE || + ib_req_notify_cq(cq, IB_POLL_FLAGS) > 0) + queue_work(ib_comp_wq, &cq->work); diff --git a/queue-4.14/ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch b/queue-4.14/ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch new file mode 100644 index 00000000000..0c846e1d433 --- /dev/null +++ b/queue-4.14/ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Alex Estrin +Date: Thu, 1 Feb 2018 10:43:58 -0800 +Subject: IB/hfi1: Fix for potential refcount leak in hfi1_open_file() + +From: Alex Estrin + + +[ Upstream commit 2b1e7fe16124e86ee9242aeeee859c79a843e3a2 ] + +The dd refcount is speculatively incremented prior to allocating +the fd memory with kzalloc(). If that kzalloc() failed the dd +refcount leaks. +Increment refcount on kzalloc success. + +Fixes: e11ffbd57520 ("IB/hfi1: Do not free hfi1 cdev parent structure early") +Reviewed-by: Michael J Ruhl +Signed-off-by: Alex Estrin +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/file_ops.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/file_ops.c ++++ b/drivers/infiniband/hw/hfi1/file_ops.c +@@ -191,9 +191,6 @@ static int hfi1_file_open(struct inode * + if (!atomic_inc_not_zero(&dd->user_refcount)) + return -ENXIO; + +- /* Just take a ref now. Not all opens result in a context assign */ +- kobject_get(&dd->kobj); +- + /* The real work is performed later in assign_ctxt() */ + + fd = kzalloc(sizeof(*fd), GFP_KERNEL); +@@ -203,6 +200,7 @@ static int hfi1_file_open(struct inode * + fd->mm = current->mm; + mmgrab(fd->mm); + fd->dd = dd; ++ kobject_get(&fd->dd->kobj); + fp->private_data = fd; + } else { + fp->private_data = NULL; diff --git a/queue-4.14/ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch b/queue-4.14/ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch new file mode 100644 index 00000000000..d95d4ce2cab --- /dev/null +++ b/queue-4.14/ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch @@ -0,0 +1,145 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Michael J. Ruhl" +Date: Thu, 1 Feb 2018 10:43:42 -0800 +Subject: IB/hfi1: Re-order IRQ cleanup to address driver cleanup race + +From: "Michael J. Ruhl" + + +[ Upstream commit 82a979265638c505e12fbe7ba40980dc0901436d ] + +The pci_request_irq() interfaces always adds the IRQF_SHARED bit to +all IRQ requests. + +When the kernel is built with CONFIG_DEBUG_SHIRQ config flag, if the +IRQF_SHARED bit is set, a call to the IRQ handler is made from the +__free_irq() function. This is testing a race condition between the +IRQ cleanup and an IRQ racing the cleanup. The HFI driver should be +able to handle this race, but does not. + +This race can cause traces that start with this footprint: + +BUG: unable to handle kernel NULL pointer dereference at (null) +Call Trace: + + ... + __free_irq+0x1b3/0x2d0 + free_irq+0x35/0x70 + pci_free_irq+0x1c/0x30 + clean_up_interrupts+0x53/0xf0 [hfi1] + hfi1_start_cleanup+0x122/0x190 [hfi1] + postinit_cleanup+0x1d/0x280 [hfi1] + remove_one+0x233/0x250 [hfi1] + pci_device_remove+0x39/0xc0 + +Export IRQ cleanup function so it can be called from other modules. + +Using the exported cleanup function: + + Re-order the driver cleanup code to clean up IRQ resources before + other resources, eliminating the race. + + Re-order error path for init so that the race does not occur. + +Reduce severity on spurious error message for SDMA IRQs to info. + +Reviewed-by: Alex Estrin +Reviewed-by: Patel Jay P +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 18 ++++++++++++------ + drivers/infiniband/hw/hfi1/hfi.h | 1 + + drivers/infiniband/hw/hfi1/init.c | 4 +++- + 3 files changed, 16 insertions(+), 7 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -8294,8 +8294,8 @@ static irqreturn_t sdma_interrupt(int ir + /* handle the interrupt(s) */ + sdma_engine_interrupt(sde, status); + } else { +- dd_dev_err_ratelimited(dd, "SDMA engine %u interrupt, but no status bits set\n", +- sde->this_idx); ++ dd_dev_info_ratelimited(dd, "SDMA engine %u interrupt, but no status bits set\n", ++ sde->this_idx); + } + return IRQ_HANDLED; + } +@@ -12967,7 +12967,14 @@ static void disable_intx(struct pci_dev + pci_intx(pdev, 0); + } + +-static void clean_up_interrupts(struct hfi1_devdata *dd) ++/** ++ * hfi1_clean_up_interrupts() - Free all IRQ resources ++ * @dd: valid device data data structure ++ * ++ * Free the MSI or INTx IRQs and assoicated PCI resources, ++ * if they have been allocated. ++ */ ++void hfi1_clean_up_interrupts(struct hfi1_devdata *dd) + { + int i; + +@@ -13344,7 +13351,7 @@ static int set_up_interrupts(struct hfi1 + return 0; + + fail: +- clean_up_interrupts(dd); ++ hfi1_clean_up_interrupts(dd); + return ret; + } + +@@ -14770,7 +14777,6 @@ void hfi1_start_cleanup(struct hfi1_devd + aspm_exit(dd); + free_cntrs(dd); + free_rcverr(dd); +- clean_up_interrupts(dd); + finish_chip_resources(dd); + } + +@@ -15229,7 +15235,7 @@ bail_free_rcverr: + bail_free_cntrs: + free_cntrs(dd); + bail_clear_intr: +- clean_up_interrupts(dd); ++ hfi1_clean_up_interrupts(dd); + bail_cleanup: + hfi1_pcie_ddcleanup(dd); + bail_free: +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1954,6 +1954,7 @@ void hfi1_verbs_unregister_sysfs(struct + int qsfp_dump(struct hfi1_pportdata *ppd, char *buf, int len); + + int hfi1_pcie_init(struct pci_dev *pdev, const struct pci_device_id *ent); ++void hfi1_clean_up_interrupts(struct hfi1_devdata *dd); + void hfi1_pcie_cleanup(struct pci_dev *pdev); + int hfi1_pcie_ddinit(struct hfi1_devdata *dd, struct pci_dev *pdev); + void hfi1_pcie_ddcleanup(struct hfi1_devdata *); +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1039,8 +1039,9 @@ static void shutdown_device(struct hfi1_ + } + dd->flags &= ~HFI1_INITTED; + +- /* mask interrupts, but not errors */ ++ /* mask and clean up interrupts, but not errors */ + set_intr_state(dd, 0); ++ hfi1_clean_up_interrupts(dd); + + for (pidx = 0; pidx < dd->num_pports; ++pidx) { + ppd = dd->pport + pidx; +@@ -1696,6 +1697,7 @@ static int init_one(struct pci_dev *pdev + dd_dev_err(dd, "Failed to create /dev devices: %d\n", -j); + + if (initfail || ret) { ++ hfi1_clean_up_interrupts(dd); + stop_timers(dd); + flush_workqueue(ib_wq); + for (pidx = 0; pidx < dd->num_pports; ++pidx) { diff --git a/queue-4.14/ib-ipoib-fix-for-potential-no-carrier-state.patch b/queue-4.14/ib-ipoib-fix-for-potential-no-carrier-state.patch new file mode 100644 index 00000000000..775efc20f9e --- /dev/null +++ b/queue-4.14/ib-ipoib-fix-for-potential-no-carrier-state.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Alex Estrin +Date: Thu, 1 Feb 2018 10:55:41 -0800 +Subject: IB/ipoib: Fix for potential no-carrier state + +From: Alex Estrin + + +[ Upstream commit 1029361084d18cc270f64dfd39529fafa10cfe01 ] + +On reboot SM can program port pkey table before ipoib registered its +event handler, which could result in missing pkey event and leave root +interface with initial pkey value from index 0. + +Since OPA port starts with invalid pkey in index 0, root interface will +fail to initialize and stay down with no-carrier flag. + +For IB ipoib interface may end up with pkey different from value +opensm put in pkey table idx 0, resulting in connectivity issues +(different mcast groups, for example). + +Close the window by calling event handler after registration +to make sure ipoib pkey is in sync with port pkey table. + +Reviewed-by: Mike Marciniszyn +Reviewed-by: Ira Weiny +Signed-off-by: Alex Estrin +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -2273,6 +2273,9 @@ static struct net_device *ipoib_add_port + priv->ca, ipoib_event); + ib_register_event_handler(&priv->event_handler); + ++ /* call event handler to ensure pkey in sync */ ++ queue_work(ipoib_workqueue, &priv->flush_heavy); ++ + result = register_netdev(priv->dev); + if (result) { + printk(KERN_WARNING "%s: couldn't register ipoib port %d; error %d\n", diff --git a/queue-4.14/igb-allow-to-remove-administratively-set-mac-on-vfs.patch b/queue-4.14/igb-allow-to-remove-administratively-set-mac-on-vfs.patch new file mode 100644 index 00000000000..2a68424000e --- /dev/null +++ b/queue-4.14/igb-allow-to-remove-administratively-set-mac-on-vfs.patch @@ -0,0 +1,117 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Corinna Vinschen +Date: Mon, 10 Apr 2017 10:58:14 +0200 +Subject: igb: Allow to remove administratively set MAC on VFs + +From: Corinna Vinschen + + +[ Upstream commit 177132df5e45b134c147f419f567a3b56aafaf2b ] + +Before libvirt modifies the MAC address and vlan tag for an SRIOV VF +for use by a virtual machine (either using vfio device assignment or +macvtap passthru mode), it saves the current MAC address and vlan tag +so that it can reset them to their original value when the guest is +done. Libvirt can't leave the VF MAC set to the value used by the +now-defunct guest since it may be started again later using a +different VF, but it certainly shouldn't just pick any random value, +either. So it saves the state of everything prior to using the VF, and +resets it to that. + +The igb driver initializes the MAC addresses of all VFs to +00:00:00:00:00:00, and reports that when asked (via an RTM_GETLINK +netlink message, also visible in the list of VFs in the output of "ip +link show"). But when libvirt attempts to restore the MAC address back +to 00:00:00:00:00:00 (using an RTM_SETLINK netlink message) the kernel +responds with "Invalid argument". + +Forbidding a reset back to the original value leaves the VF MAC at the +value set for the now-defunct virtual machine. Especially on a system +with NetworkManager enabled, this has very bad consequences, since +NetworkManager forces all interfacess to be IFF_UP all the time - if +the same virtual machine is restarted using a different VF (or even on +a different host), there will be multiple interfaces watching for +traffic with the same MAC address. + +To allow libvirt to revert to the original state, we need a way to +remove the administrative set MAC on a VF, to allow normal host +operation again, and to reset/overwrite the VF MAC via VF netdev. + +This patch implements the outlined scenario by allowing to set the +VF MAC to 00:00:00:00:00:00 via RTM_SETLINK on the PF. +igb_ndo_set_vf_mac resets the IGB_VF_FLAG_PF_SET_MAC flag to 0, +so it's possible to reset the VF MAC back to the original value via +the VF netdev. + +Note: Recent patches to libvirt allow for a workaround if the NIC +isn't capable of resetting the administrative MAC back to all 0, but +in theory the NIC should allow resetting the MAC in the first place. + +Signed-off-by: Corinna Vinschen +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_main.c | 42 ++++++++++++++++++++++-------- + 1 file changed, 31 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -8373,7 +8373,8 @@ static void igb_rar_set_index(struct igb + + /* Indicate to hardware the Address is Valid. */ + if (adapter->mac_table[index].state & IGB_MAC_STATE_IN_USE) { +- rar_high |= E1000_RAH_AV; ++ if (is_valid_ether_addr(addr)) ++ rar_high |= E1000_RAH_AV; + + if (hw->mac.type == e1000_82575) + rar_high |= E1000_RAH_POOL_1 * +@@ -8411,17 +8412,36 @@ static int igb_set_vf_mac(struct igb_ada + static int igb_ndo_set_vf_mac(struct net_device *netdev, int vf, u8 *mac) + { + struct igb_adapter *adapter = netdev_priv(netdev); +- if (!is_valid_ether_addr(mac) || (vf >= adapter->vfs_allocated_count)) ++ ++ if (vf >= adapter->vfs_allocated_count) ++ return -EINVAL; ++ ++ /* Setting the VF MAC to 0 reverts the IGB_VF_FLAG_PF_SET_MAC ++ * flag and allows to overwrite the MAC via VF netdev. This ++ * is necessary to allow libvirt a way to restore the original ++ * MAC after unbinding vfio-pci and reloading igbvf after shutting ++ * down a VM. ++ */ ++ if (is_zero_ether_addr(mac)) { ++ adapter->vf_data[vf].flags &= ~IGB_VF_FLAG_PF_SET_MAC; ++ dev_info(&adapter->pdev->dev, ++ "remove administratively set MAC on VF %d\n", ++ vf); ++ } else if (is_valid_ether_addr(mac)) { ++ adapter->vf_data[vf].flags |= IGB_VF_FLAG_PF_SET_MAC; ++ dev_info(&adapter->pdev->dev, "setting MAC %pM on VF %d\n", ++ mac, vf); ++ dev_info(&adapter->pdev->dev, ++ "Reload the VF driver to make this change effective."); ++ /* Generate additional warning if PF is down */ ++ if (test_bit(__IGB_DOWN, &adapter->state)) { ++ dev_warn(&adapter->pdev->dev, ++ "The VF MAC address has been set, but the PF device is not up.\n"); ++ dev_warn(&adapter->pdev->dev, ++ "Bring the PF device up before attempting to use the VF device.\n"); ++ } ++ } else { + return -EINVAL; +- adapter->vf_data[vf].flags |= IGB_VF_FLAG_PF_SET_MAC; +- dev_info(&adapter->pdev->dev, "setting MAC %pM on VF %d\n", mac, vf); +- dev_info(&adapter->pdev->dev, +- "Reload the VF driver to make this change effective."); +- if (test_bit(__IGB_DOWN, &adapter->state)) { +- dev_warn(&adapter->pdev->dev, +- "The VF MAC address has been set, but the PF device is not up.\n"); +- dev_warn(&adapter->pdev->dev, +- "Bring the PF device up before attempting to use the VF device.\n"); + } + return igb_set_vf_mac(adapter, vf, mac); + } diff --git a/queue-4.14/igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch b/queue-4.14/igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch new file mode 100644 index 00000000000..fdb18f8d012 --- /dev/null +++ b/queue-4.14/igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Daniel Hua +Date: Tue, 2 Jan 2018 08:33:18 +0800 +Subject: igb: Clear TXSTMP when ptp_tx_work() is timeout + +From: Daniel Hua + + +[ Upstream commit 3a53285228165225a7f76c7d5ff1ddc0213ce0e4 ] + +Problem description: +After ethernet cable connect and disconnect for several iterations on a +device with i210, tx timestamp will stop being put into the socket. + +Steps to reproduce: +1. Setup a device with i210 and wire it to a 802.1AS capable switch ( +Extreme Networks Summit x440 is used in our case) +2. Have the gptp daemon running on the device and make sure it is synced +with the switch +3. Have the switch disable and enable the port, wait for the device gets +resynced with the switch +4. Iterates step 3 until the device is not albe to get resynced +5. Review the log in dmesg and you will see warning message "igb : clearing +Tx timestamp hang" + +Root cause: +If ptp_tx_work() gets scheduled just before the port gets disabled, a LINK +DOWN event will be processed before ptp_tx_work(), which may cause timeout +in ptp_tx_work(). In the timeout logic, the TSYNCTXCTL's TXTT bit (Transmit +timestamp valid bit) is not cleared, causing no new timestamp loaded to +TXSTMP register. Consequently therefore, no new interrupt is triggerred by +TSICR.TXTS bit and no more Tx timestamp send to the socket. + +Signed-off-by: Daniel Hua +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_ptp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -643,6 +643,10 @@ static void igb_ptp_tx_work(struct work_ + adapter->ptp_tx_skb = NULL; + clear_bit_unlock(__IGB_PTP_TX_IN_PROGRESS, &adapter->state); + adapter->tx_hwtstamp_timeouts++; ++ /* Clear the tx valid bit in TSYNCTXCTL register to enable ++ * interrupt ++ */ ++ rd32(E1000_TXSTMPH); + dev_warn(&adapter->pdev->dev, "clearing Tx timestamp hang\n"); + return; + } +@@ -717,6 +721,7 @@ void igb_ptp_rx_hang(struct igb_adapter + */ + void igb_ptp_tx_hang(struct igb_adapter *adapter) + { ++ struct e1000_hw *hw = &adapter->hw; + bool timeout = time_is_before_jiffies(adapter->ptp_tx_start + + IGB_PTP_TX_TIMEOUT); + +@@ -736,6 +741,10 @@ void igb_ptp_tx_hang(struct igb_adapter + adapter->ptp_tx_skb = NULL; + clear_bit_unlock(__IGB_PTP_TX_IN_PROGRESS, &adapter->state); + adapter->tx_hwtstamp_timeouts++; ++ /* Clear the tx valid bit in TSYNCTXCTL register to enable ++ * interrupt ++ */ ++ rd32(E1000_TXSTMPH); + dev_warn(&adapter->pdev->dev, "clearing Tx timestamp hang\n"); + } + } diff --git a/queue-4.14/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch b/queue-4.14/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch new file mode 100644 index 00000000000..0b1e60196a8 --- /dev/null +++ b/queue-4.14/input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch @@ -0,0 +1,89 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Dmitry Torokhov +Date: Tue, 9 Jan 2018 13:44:46 -0800 +Subject: Input: psmouse - fix Synaptics detection when protocol is disabled + +From: Dmitry Torokhov + + +[ Upstream commit 2bc4298f59d2f15175bb568e2d356b5912d0cdd9 ] + +When Synaptics protocol is disabled, we still need to try and detect the +hardware, so we can switch to SMBus device if SMbus is detected, or we know +that it is Synaptics device and reset it properly for the bare PS/2 +protocol. + +Fixes: c378b5119eb0 ("Input: psmouse - factor out common protocol probing code") +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/psmouse-base.c | 34 +++++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 13 deletions(-) + +--- a/drivers/input/mouse/psmouse-base.c ++++ b/drivers/input/mouse/psmouse-base.c +@@ -975,6 +975,21 @@ static void psmouse_apply_defaults(struc + psmouse->pt_deactivate = NULL; + } + ++static bool psmouse_do_detect(int (*detect)(struct psmouse *, bool), ++ struct psmouse *psmouse, bool allow_passthrough, ++ bool set_properties) ++{ ++ if (psmouse->ps2dev.serio->id.type == SERIO_PS_PSTHRU && ++ !allow_passthrough) { ++ return false; ++ } ++ ++ if (set_properties) ++ psmouse_apply_defaults(psmouse); ++ ++ return detect(psmouse, set_properties) == 0; ++} ++ + static bool psmouse_try_protocol(struct psmouse *psmouse, + enum psmouse_type type, + unsigned int *max_proto, +@@ -986,15 +1001,8 @@ static bool psmouse_try_protocol(struct + if (!proto) + return false; + +- if (psmouse->ps2dev.serio->id.type == SERIO_PS_PSTHRU && +- !proto->try_passthru) { +- return false; +- } +- +- if (set_properties) +- psmouse_apply_defaults(psmouse); +- +- if (proto->detect(psmouse, set_properties) != 0) ++ if (!psmouse_do_detect(proto->detect, psmouse, proto->try_passthru, ++ set_properties)) + return false; + + if (set_properties && proto->init && init_allowed) { +@@ -1027,8 +1035,8 @@ static int psmouse_extensions(struct psm + * Always check for focaltech, this is safe as it uses pnp-id + * matching. + */ +- if (psmouse_try_protocol(psmouse, PSMOUSE_FOCALTECH, +- &max_proto, set_properties, false)) { ++ if (psmouse_do_detect(focaltech_detect, ++ psmouse, false, set_properties)) { + if (max_proto > PSMOUSE_IMEX && + IS_ENABLED(CONFIG_MOUSE_PS2_FOCALTECH) && + (!set_properties || focaltech_init(psmouse) == 0)) { +@@ -1074,8 +1082,8 @@ static int psmouse_extensions(struct psm + * probing for IntelliMouse. + */ + if (max_proto > PSMOUSE_PS2 && +- psmouse_try_protocol(psmouse, PSMOUSE_SYNAPTICS, &max_proto, +- set_properties, false)) { ++ psmouse_do_detect(synaptics_detect, ++ psmouse, false, set_properties)) { + synaptics_hardware = true; + + if (max_proto > PSMOUSE_IMEX) { diff --git a/queue-4.14/input-stmfts-set-irq_noautoen-to-the-irq-flag.patch b/queue-4.14/input-stmfts-set-irq_noautoen-to-the-irq-flag.patch new file mode 100644 index 00000000000..e97b943e387 --- /dev/null +++ b/queue-4.14/input-stmfts-set-irq_noautoen-to-the-irq-flag.patch @@ -0,0 +1,58 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Andi Shyti +Date: Mon, 22 Jan 2018 17:32:46 -0800 +Subject: Input: stmfts - set IRQ_NOAUTOEN to the irq flag + +From: Andi Shyti + + +[ Upstream commit cba04cdf437d745fac85220d1d692a9ae23d7004 ] + +The interrupt is requested before the device is powered on and +it's value in some cases cannot be reliable. It happens on some +devices that an interrupt is generated as soon as requested +before having the chance to disable the irq. + +Set the irq flag as IRQ_NOAUTOEN before requesting it. + +This patch mutes the error: + + stmfts 2-0049: failed to read events: -11 + +received sometimes during boot time. + +Signed-off-by: Andi Shyti +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/stmfts.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -687,6 +687,14 @@ static int stmfts_probe(struct i2c_clien + + input_set_drvdata(sdata->input, sdata); + ++ /* ++ * stmfts_power_on expects interrupt to be disabled, but ++ * at this point the device is still off and I do not trust ++ * the status of the irq line that can generate some spurious ++ * interrupts. To be on the safe side it's better to not enable ++ * the interrupts during their request. ++ */ ++ irq_set_status_flags(client->irq, IRQ_NOAUTOEN); + err = devm_request_threaded_irq(&client->dev, client->irq, + NULL, stmfts_irq_handler, + IRQF_ONESHOT, +@@ -694,9 +702,6 @@ static int stmfts_probe(struct i2c_clien + if (err) + return err; + +- /* stmfts_power_on expects interrupt to be disabled */ +- disable_irq(client->irq); +- + dev_dbg(&client->dev, "initializing ST-Microelectronics FTS...\n"); + + err = stmfts_power_on(sdata); diff --git a/queue-4.14/input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch b/queue-4.14/input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch new file mode 100644 index 00000000000..e28b05b3051 --- /dev/null +++ b/queue-4.14/input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Peter Hutterer +Date: Tue, 16 Jan 2018 15:20:58 -0800 +Subject: Input: synaptics - reset the ABS_X/Y fuzz after initializing MT axes + +From: Peter Hutterer + + +[ Upstream commit 19eb4ed1141bd1096b9bc84ba9c4d03d5830c143 ] + +input_mt_init_slots() resets the ABS_X/Y fuzz to 0 and expects the driver +to call input_mt_report_pointer_emulation(). That is based on the MT +position bits which are already defuzzed - hence a fuzz of 0. + +In the case of synaptics semi-mt devices, we report the ABS_X/Y axes +manually. This results in the MT position being defuzzed but the +single-touch emulation missing that defuzzing. + +Work around this by re-initializing the ABS_X/Y axes after the MT axis to +get the same fuzz value back. + +https://bugs.freedesktop.org/show_bug.cgi?id=104533 + +Signed-off-by: Peter Hutterer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/synaptics.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/input/mouse/synaptics.c ++++ b/drivers/input/mouse/synaptics.c +@@ -1280,6 +1280,16 @@ static void set_input_params(struct psmo + INPUT_MT_POINTER | + (cr48_profile_sensor ? + INPUT_MT_TRACK : INPUT_MT_SEMI_MT)); ++ ++ /* ++ * For semi-mt devices we send ABS_X/Y ourselves instead of ++ * input_mt_report_pointer_emulation. But ++ * input_mt_init_slots() resets the fuzz to 0, leading to a ++ * filtered ABS_MT_POSITION_X but an unfiltered ABS_X ++ * position. Let's re-initialize ABS_X/Y here. ++ */ ++ if (!cr48_profile_sensor) ++ set_abs_position_params(dev, &priv->info, ABS_X, ABS_Y); + } + + if (SYN_CAP_PALMDETECT(info->capabilities)) diff --git a/queue-4.14/iommu-exynos-don-t-unconditionally-steal-bus-ops.patch b/queue-4.14/iommu-exynos-don-t-unconditionally-steal-bus-ops.patch new file mode 100644 index 00000000000..4e6ec8fd005 --- /dev/null +++ b/queue-4.14/iommu-exynos-don-t-unconditionally-steal-bus-ops.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Robin Murphy +Date: Tue, 9 Jan 2018 15:34:07 +0000 +Subject: iommu/exynos: Don't unconditionally steal bus ops + +From: Robin Murphy + + +[ Upstream commit dc98b8480d8a68c2ce9aa28b9f0d714fd258bc0b ] + +Removing the early device registration hook overlooked the fact that +it only ran conditionally on a compatible device being present in the +DT. With exynos_iommu_init() now running as an unconditional initcall, +problems arise on non-Exynos systems when other IOMMU drivers find +themselves unable to install their ops on the platform bus, or at worst +the Exynos ops get called with someone else's domain and all hell breaks +loose. + +The global ops/cache setup could probably all now be triggered from the +first IOMMU probe, as with dma_dev assigment, but for the time being the +simplest fix is to resurrect the logic from commit a7b67cd5d9af +("iommu/exynos: Play nice in multi-platform builds") to explicitly check +the DT for the presence of an Exynos IOMMU before trying anything. + +Fixes: 928055a01b3f ("iommu/exynos: Remove custom platform device registration code") +Signed-off-by: Robin Murphy +Acked-by: Marek Szyprowski +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/exynos-iommu.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/exynos-iommu.c ++++ b/drivers/iommu/exynos-iommu.c +@@ -1344,8 +1344,15 @@ static const struct iommu_ops exynos_iom + + static int __init exynos_iommu_init(void) + { ++ struct device_node *np; + int ret; + ++ np = of_find_matching_node(NULL, sysmmu_of_match); ++ if (!np) ++ return 0; ++ ++ of_node_put(np); ++ + lv2table_kmem_cache = kmem_cache_create("exynos-iommu-lv2table", + LV2TABLE_SIZE, LV2TABLE_SIZE, 0, NULL); + if (!lv2table_kmem_cache) { diff --git a/queue-4.14/iommu-vt-d-use-domain-instead-of-cache-fetching.patch b/queue-4.14/iommu-vt-d-use-domain-instead-of-cache-fetching.patch new file mode 100644 index 00000000000..464fedcb56e --- /dev/null +++ b/queue-4.14/iommu-vt-d-use-domain-instead-of-cache-fetching.patch @@ -0,0 +1,100 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Peter Xu +Date: Wed, 10 Jan 2018 13:51:37 +0800 +Subject: iommu/vt-d: Use domain instead of cache fetching + +From: Peter Xu + + +[ Upstream commit 9d2e6505f6d6934e681aed502f566198cb25c74a ] + +after commit a1ddcbe93010 ("iommu/vt-d: Pass dmar_domain directly into +iommu_flush_iotlb_psi", 2015-08-12), we have domain pointer as parameter +to iommu_flush_iotlb_psi(), so no need to fetch it from cache again. + +More importantly, a NULL reference pointer bug is reported on RHEL7 (and +it can be reproduced on some old upstream kernels too, e.g., v4.13) by +unplugging an 40g nic from a VM (hard to test unplug on real host, but +it should be the same): + +https://bugzilla.redhat.com/show_bug.cgi?id=1531367 + +[ 24.391863] pciehp 0000:00:03.0:pcie004: Slot(0): Attention button pressed +[ 24.393442] pciehp 0000:00:03.0:pcie004: Slot(0): Powering off due to button press +[ 29.721068] i40evf 0000:01:00.0: Unable to send opcode 2 to PF, err I40E_ERR_QUEUE_EMPTY, aq_err OK +[ 29.783557] iommu: Removing device 0000:01:00.0 from group 3 +[ 29.784662] BUG: unable to handle kernel NULL pointer dereference at 0000000000000304 +[ 29.785817] IP: iommu_flush_iotlb_psi+0xcf/0x120 +[ 29.786486] PGD 0 +[ 29.786487] P4D 0 +[ 29.786812] +[ 29.787390] Oops: 0000 [#1] SMP +[ 29.787876] Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_ng +[ 29.795371] CPU: 0 PID: 156 Comm: kworker/0:2 Not tainted 4.13.0 #14 +[ 29.796366] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.11.0-1.el7 04/01/2014 +[ 29.797593] Workqueue: pciehp-0 pciehp_power_thread +[ 29.798328] task: ffff94f5745b4a00 task.stack: ffffb326805ac000 +[ 29.799178] RIP: 0010:iommu_flush_iotlb_psi+0xcf/0x120 +[ 29.799919] RSP: 0018:ffffb326805afbd0 EFLAGS: 00010086 +[ 29.800666] RAX: ffff94f5bc56e800 RBX: 0000000000000000 RCX: 0000000200000025 +[ 29.801667] RDX: ffff94f5bc56e000 RSI: 0000000000000082 RDI: 0000000000000000 +[ 29.802755] RBP: ffffb326805afbf8 R08: 0000000000000000 R09: ffff94f5bc86bbf0 +[ 29.803772] R10: ffffb326805afba8 R11: 00000000000ffdc4 R12: ffff94f5bc86a400 +[ 29.804789] R13: 0000000000000000 R14: 00000000ffdc4000 R15: 0000000000000000 +[ 29.805792] FS: 0000000000000000(0000) GS:ffff94f5bfc00000(0000) knlGS:0000000000000000 +[ 29.806923] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.807736] CR2: 0000000000000304 CR3: 000000003499d000 CR4: 00000000000006f0 +[ 29.808747] Call Trace: +[ 29.809156] flush_unmaps_timeout+0x126/0x1c0 +[ 29.809800] domain_exit+0xd6/0x100 +[ 29.810322] device_notifier+0x6b/0x70 +[ 29.810902] notifier_call_chain+0x4a/0x70 +[ 29.812822] __blocking_notifier_call_chain+0x47/0x60 +[ 29.814499] blocking_notifier_call_chain+0x16/0x20 +[ 29.816137] device_del+0x233/0x320 +[ 29.817588] pci_remove_bus_device+0x6f/0x110 +[ 29.819133] pci_stop_and_remove_bus_device+0x1a/0x20 +[ 29.820817] pciehp_unconfigure_device+0x7a/0x1d0 +[ 29.822434] pciehp_disable_slot+0x52/0xe0 +[ 29.823931] pciehp_power_thread+0x8a/0xa0 +[ 29.825411] process_one_work+0x18c/0x3a0 +[ 29.826875] worker_thread+0x4e/0x3b0 +[ 29.828263] kthread+0x109/0x140 +[ 29.829564] ? process_one_work+0x3a0/0x3a0 +[ 29.831081] ? kthread_park+0x60/0x60 +[ 29.832464] ret_from_fork+0x25/0x30 +[ 29.833794] Code: 85 ed 74 0b 5b 41 5c 41 5d 41 5e 41 5f 5d c3 49 8b 54 24 60 44 89 f8 0f b6 c4 48 8b 04 c2 48 85 c0 74 49 45 0f b6 ff 4a 8b 3c f8 <80> bf +[ 29.838514] RIP: iommu_flush_iotlb_psi+0xcf/0x120 RSP: ffffb326805afbd0 +[ 29.840362] CR2: 0000000000000304 +[ 29.841716] ---[ end trace b10ec0d6900868d3 ]--- + +This patch fixes that problem if applied to v4.13 kernel. + +The bug does not exist on latest upstream kernel since it's fixed as a +side effect of commit 13cf01744608 ("iommu/vt-d: Make use of iova +deferred flushing", 2017-08-15). But IMHO it's still good to have this +patch upstream. + +CC: Alex Williamson +Signed-off-by: Peter Xu +Fixes: a1ddcbe93010 ("iommu/vt-d: Pass dmar_domain directly into iommu_flush_iotlb_psi") +Reviewed-by: Alex Williamson +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel-iommu.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -1603,8 +1603,7 @@ static void iommu_flush_iotlb_psi(struct + * flush. However, device IOTLB doesn't need to be flushed in this case. + */ + if (!cap_caching_mode(iommu->cap) || !map) +- iommu_flush_dev_iotlb(get_iommu_domain(iommu, did), +- addr, mask); ++ iommu_flush_dev_iotlb(domain, addr, mask); + } + + static void iommu_flush_iova(struct iova_domain *iovad) diff --git a/queue-4.14/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch b/queue-4.14/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch new file mode 100644 index 00000000000..18fd32f2736 --- /dev/null +++ b/queue-4.14/ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Wei Yongjun +Date: Thu, 18 Jan 2018 01:43:19 +0000 +Subject: ipmi/powernv: Fix error return code in ipmi_powernv_probe() + +From: Wei Yongjun + + +[ Upstream commit e749d328b0b450aa78d562fa26a0cd8872325dd9 ] + +Fix to return a negative error code from the request_irq() error +handling case instead of 0, as done elsewhere in this function. + +Fixes: dce143c3381c ("ipmi/powernv: Convert to irq event interface") +Signed-off-by: Wei Yongjun +Reviewed-by: Alexey Kardashevskiy +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_powernv.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_powernv.c ++++ b/drivers/char/ipmi/ipmi_powernv.c +@@ -251,8 +251,9 @@ static int ipmi_powernv_probe(struct pla + ipmi->irq = opal_event_request(prop); + } + +- if (request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH, +- "opal-ipmi", ipmi)) { ++ rc = request_irq(ipmi->irq, ipmi_opal_event, IRQ_TYPE_LEVEL_HIGH, ++ "opal-ipmi", ipmi); ++ if (rc) { + dev_warn(dev, "Unable to request irq\n"); + goto err_dispose; + } diff --git a/queue-4.14/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch b/queue-4.14/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch new file mode 100644 index 00000000000..f4fbdba6492 --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch @@ -0,0 +1,162 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Mark Salter +Date: Fri, 2 Feb 2018 09:20:29 -0500 +Subject: irqchip/gic-v3: Change pr_debug message to pr_devel + +From: Mark Salter + + +[ Upstream commit b6dd4d83dc2f78cebc9a7e6e7e4bc2be4d29b94d ] + +The pr_debug() in gic-v3 gic_send_sgi() can trigger a circular locking +warning: + + GICv3: CPU10: ICC_SGI1R_EL1 5000400 + ====================================================== + WARNING: possible circular locking dependency detected + 4.15.0+ #1 Tainted: G W + ------------------------------------------------------ + dynamic_debug01/1873 is trying to acquire lock: + ((console_sem).lock){-...}, at: [<0000000099c891ec>] down_trylock+0x20/0x4c + + but task is already holding lock: + (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #2 (&rq->lock){-.-.}: + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock+0x4c/0x60 + task_fork_fair+0x3c/0x148 + sched_fork+0x10c/0x214 + copy_process.isra.32.part.33+0x4e8/0x14f0 + _do_fork+0xe8/0x78c + kernel_thread+0x48/0x54 + rest_init+0x34/0x2a4 + start_kernel+0x45c/0x488 + + -> #1 (&p->pi_lock){-.-.}: + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + try_to_wake_up+0x48/0x600 + wake_up_process+0x28/0x34 + __up.isra.0+0x60/0x6c + up+0x60/0x68 + __up_console_sem+0x4c/0x7c + console_unlock+0x328/0x634 + vprintk_emit+0x25c/0x390 + dev_vprintk_emit+0xc4/0x1fc + dev_printk_emit+0x88/0xa8 + __dev_printk+0x58/0x9c + _dev_info+0x84/0xa8 + usb_new_device+0x100/0x474 + hub_port_connect+0x280/0x92c + hub_event+0x740/0xa84 + process_one_work+0x240/0x70c + worker_thread+0x60/0x400 + kthread+0x110/0x13c + ret_from_fork+0x10/0x18 + + -> #0 ((console_sem).lock){-...}: + validate_chain.isra.34+0x6e4/0xa20 + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + down_trylock+0x20/0x4c + __down_trylock_console_sem+0x3c/0x9c + console_trylock+0x20/0xb0 + vprintk_emit+0x254/0x390 + vprintk_default+0x58/0x90 + vprintk_func+0xbc/0x164 + printk+0x80/0xa0 + __dynamic_pr_debug+0x84/0xac + gic_raise_softirq+0x184/0x18c + smp_cross_call+0xac/0x218 + smp_send_reschedule+0x3c/0x48 + resched_curr+0x60/0x9c + check_preempt_curr+0x70/0xdc + wake_up_new_task+0x310/0x470 + _do_fork+0x188/0x78c + SyS_clone+0x44/0x50 + __sys_trace_return+0x0/0x4 + + other info that might help us debug this: + + Chain exists of: + (console_sem).lock --> &p->pi_lock --> &rq->lock + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&rq->lock); + lock(&p->pi_lock); + lock(&rq->lock); + lock((console_sem).lock); + + *** DEADLOCK *** + + 2 locks held by dynamic_debug01/1873: + #0: (&p->pi_lock){-.-.}, at: [<000000001366df53>] wake_up_new_task+0x40/0x470 + #1: (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc + + stack backtrace: + CPU: 10 PID: 1873 Comm: dynamic_debug01 Tainted: G W 4.15.0+ #1 + Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS T48 10/02/2017 + Call trace: + dump_backtrace+0x0/0x188 + show_stack+0x24/0x2c + dump_stack+0xa4/0xe0 + print_circular_bug.isra.31+0x29c/0x2b8 + check_prev_add.constprop.39+0x6c8/0x6dc + validate_chain.isra.34+0x6e4/0xa20 + __lock_acquire+0x3b4/0x6e0 + lock_acquire+0xf4/0x2a8 + _raw_spin_lock_irqsave+0x58/0x70 + down_trylock+0x20/0x4c + __down_trylock_console_sem+0x3c/0x9c + console_trylock+0x20/0xb0 + vprintk_emit+0x254/0x390 + vprintk_default+0x58/0x90 + vprintk_func+0xbc/0x164 + printk+0x80/0xa0 + __dynamic_pr_debug+0x84/0xac + gic_raise_softirq+0x184/0x18c + smp_cross_call+0xac/0x218 + smp_send_reschedule+0x3c/0x48 + resched_curr+0x60/0x9c + check_preempt_curr+0x70/0xdc + wake_up_new_task+0x310/0x470 + _do_fork+0x188/0x78c + SyS_clone+0x44/0x50 + __sys_trace_return+0x0/0x4 + GICv3: CPU0: ICC_SGI1R_EL1 12000 + +This could be fixed with printk_deferred() but that might lessen its +usefulness for debugging. So change it to pr_devel to keep it out of +production kernels. Developers working on gic-v3 can enable it as +needed in their kernels. + +Signed-off-by: Mark Salter +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -645,7 +645,7 @@ static void gic_send_sgi(u64 cluster_id, + MPIDR_TO_SGI_AFFINITY(cluster_id, 1) | + tlist << ICC_SGI1R_TARGET_LIST_SHIFT); + +- pr_debug("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); ++ pr_devel("CPU%d: ICC_SGI1R_EL1 %llx\n", smp_processor_id(), val); + gic_write_sgi1r(val); + } + diff --git a/queue-4.14/irqchip-gic-v3-ignore-disabled-its-nodes.patch b/queue-4.14/irqchip-gic-v3-ignore-disabled-its-nodes.patch new file mode 100644 index 00000000000..4eba0723eca --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-ignore-disabled-its-nodes.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Stephen Boyd +Date: Thu, 1 Feb 2018 09:03:29 -0800 +Subject: irqchip/gic-v3: Ignore disabled ITS nodes + +From: Stephen Boyd + + +[ Upstream commit 95a2562590c2f64a0398183f978d5cf3db6d0284 ] + +On some platforms there's an ITS available but it's not enabled +because reading or writing the registers is denied by the +firmware. In fact, reading or writing them will cause the system +to reset. We could remove the node from DT in such a case, but +it's better to skip nodes that are marked as "disabled" in DT so +that we can describe the hardware that exists and use the status +property to indicate how the firmware has configured things. + +Cc: Stuart Yoder +Cc: Laurentiu Tudor +Cc: Greg Kroah-Hartman +Cc: Marc Zyngier +Cc: Rajendra Nayak +Signed-off-by: Stephen Boyd +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3-its-pci-msi.c | 2 ++ + drivers/irqchip/irq-gic-v3-its-platform-msi.c | 2 ++ + drivers/irqchip/irq-gic-v3-its.c | 2 ++ + drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c | 2 ++ + 4 files changed, 8 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3-its-pci-msi.c ++++ b/drivers/irqchip/irq-gic-v3-its-pci-msi.c +@@ -132,6 +132,8 @@ static int __init its_pci_of_msi_init(vo + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + +--- a/drivers/irqchip/irq-gic-v3-its-platform-msi.c ++++ b/drivers/irqchip/irq-gic-v3-its-platform-msi.c +@@ -154,6 +154,8 @@ static void __init its_pmsi_of_init(void + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -3083,6 +3083,8 @@ static int __init its_of_probe(struct de + + for (np = of_find_matching_node(node, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) { + pr_warn("%pOF: no msi-controller property, ITS ignored\n", + np); +--- a/drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c ++++ b/drivers/staging/fsl-mc/bus/irq-gic-v3-its-fsl-mc-msi.c +@@ -75,6 +75,8 @@ int __init its_fsl_mc_msi_init(void) + + for (np = of_find_matching_node(NULL, its_device_id); np; + np = of_find_matching_node(np, its_device_id)) { ++ if (!of_device_is_available(np)) ++ continue; + if (!of_property_read_bool(np, "msi-controller")) + continue; + diff --git a/queue-4.14/ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch b/queue-4.14/ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch new file mode 100644 index 00000000000..fa2224c640b --- /dev/null +++ b/queue-4.14/ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Emil Tantilov +Date: Fri, 12 Jan 2018 14:02:56 -0800 +Subject: ixgbe: don't set RXDCTL.RLPML for 82599 + +From: Emil Tantilov + + +[ Upstream commit 2bafa8fac19a31ca72ae1a3e48df35f73661dbed ] + +commit 2de6aa3a666e ("ixgbe: Add support for padding packet") + +Uses RXDCTL.RLPML to limit the maximum frame size on Rx when using +build_skb. Unfortunately that register does not work on 82599. + +Added an explicit check to avoid setting this register on 82599 MAC. + +Extended the comment related to the setting of RXDCTL.RLPML to better +explain its purpose. + +Signed-off-by: Emil Tantilov +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -3987,11 +3987,15 @@ void ixgbe_configure_rx_ring(struct ixgb + rxdctl &= ~0x3FFFFF; + rxdctl |= 0x080420; + #if (PAGE_SIZE < 8192) +- } else { ++ /* RXDCTL.RLPML does not work on 82599 */ ++ } else if (hw->mac.type != ixgbe_mac_82599EB) { + rxdctl &= ~(IXGBE_RXDCTL_RLPMLMASK | + IXGBE_RXDCTL_RLPML_EN); + +- /* Limit the maximum frame size so we don't overrun the skb */ ++ /* Limit the maximum frame size so we don't overrun the skb. ++ * This can happen in SRIOV mode when the MTU of the VF is ++ * higher than the MTU of the PF. ++ */ + if (ring_uses_build_skb(ring) && + !test_bit(__IXGBE_RX_3K_BUFFER, &ring->state)) + rxdctl |= IXGBE_MAX_2K_FRAME_BUILD_SKB | diff --git a/queue-4.14/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch b/queue-4.14/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch new file mode 100644 index 00000000000..3f8fcd567ed --- /dev/null +++ b/queue-4.14/jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch @@ -0,0 +1,86 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jake Daryll Obina +Date: Fri, 22 Sep 2017 00:00:14 +0800 +Subject: jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path + +From: Jake Daryll Obina + + +[ Upstream commit 5bdd0c6f89fba430e18d636493398389dadc3b17 ] + +If jffs2_iget() fails for a newly-allocated inode, jffs2_do_clear_inode() +can get called twice in the error handling path, the first call in +jffs2_iget() itself and the second through iget_failed(). This can result +to a use-after-free error in the second jffs2_do_clear_inode() call, such +as shown by the oops below wherein the second jffs2_do_clear_inode() call +was trying to free node fragments that were already freed in the first +jffs2_do_clear_inode() call. + +[ 78.178860] jffs2: error: (1904) jffs2_do_read_inode_internal: CRC failed for read_inode of inode 24 at physical location 0x1fc00c +[ 78.178914] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b7b +[ 78.185871] pgd = ffffffc03a567000 +[ 78.188794] [6b6b6b6b6b6b6b7b] *pgd=0000000000000000, *pud=0000000000000000 +[ 78.194968] Internal error: Oops: 96000004 [#1] PREEMPT SMP +... +[ 78.513147] PC is at rb_first_postorder+0xc/0x28 +[ 78.516503] LR is at jffs2_kill_fragtree+0x28/0x90 [jffs2] +[ 78.520672] pc : [] lr : [] pstate: 60000105 +[ 78.526757] sp : ffffff800cea38f0 +[ 78.528753] x29: ffffff800cea38f0 x28: ffffffc01f3f8e80 +[ 78.532754] x27: 0000000000000000 x26: ffffff800cea3c70 +[ 78.536756] x25: 00000000dc67c8ae x24: ffffffc033d6945d +[ 78.540759] x23: ffffffc036811740 x22: ffffff800891a5b8 +[ 78.544760] x21: 0000000000000000 x20: 0000000000000000 +[ 78.548762] x19: ffffffc037d48910 x18: ffffff800891a588 +[ 78.552764] x17: 0000000000000800 x16: 0000000000000c00 +[ 78.556766] x15: 0000000000000010 x14: 6f2065646f6e695f +[ 78.560767] x13: 6461657220726f66 x12: 2064656c69616620 +[ 78.564769] x11: 435243203a6c616e x10: 7265746e695f6564 +[ 78.568771] x9 : 6f6e695f64616572 x8 : ffffffc037974038 +[ 78.572774] x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000008 +[ 78.576775] x5 : 002f91d85bd44a2f x4 : 0000000000000000 +[ 78.580777] x3 : 0000000000000000 x2 : 000000403755e000 +[ 78.584779] x1 : 6b6b6b6b6b6b6b6b x0 : 6b6b6b6b6b6b6b6b +... +[ 79.038551] [] rb_first_postorder+0xc/0x28 +[ 79.042962] [] jffs2_do_clear_inode+0x88/0x100 [jffs2] +[ 79.048395] [] jffs2_evict_inode+0x3c/0x48 [jffs2] +[ 79.053443] [] evict+0xb0/0x168 +[ 79.056835] [] iput+0x1c0/0x200 +[ 79.060228] [] iget_failed+0x30/0x3c +[ 79.064097] [] jffs2_iget+0x2d8/0x360 [jffs2] +[ 79.068740] [] jffs2_lookup+0xe8/0x130 [jffs2] +[ 79.073434] [] lookup_slow+0x118/0x190 +[ 79.077435] [] walk_component+0xfc/0x28c +[ 79.081610] [] path_lookupat+0x84/0x108 +[ 79.085699] [] filename_lookup+0x88/0x100 +[ 79.089960] [] user_path_at_empty+0x58/0x6c +[ 79.094396] [] vfs_statx+0xa4/0x114 +[ 79.098138] [] SyS_newfstatat+0x58/0x98 +[ 79.102227] [] __sys_trace_return+0x0/0x4 +[ 79.106489] Code: d65f03c0 f9400001 b40000e1 aa0103e0 (f9400821) + +The jffs2_do_clear_inode() call in jffs2_iget() is unnecessary since +iget_failed() will eventually call jffs2_do_clear_inode() if needed, so +just remove it. + +Fixes: 5451f79f5f81 ("iget: stop JFFS2 from using iget() and read_inode()") +Reviewed-by: Richard Weinberger +Signed-off-by: Jake Daryll Obina +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/jffs2/fs.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/jffs2/fs.c ++++ b/fs/jffs2/fs.c +@@ -362,7 +362,6 @@ error_io: + ret = -EIO; + error: + mutex_unlock(&f->sem); +- jffs2_do_clear_inode(c, f); + iget_failed(inode); + return ERR_PTR(ret); + } diff --git a/queue-4.14/kconfig-don-t-leak-main-menus-during-parsing.patch b/queue-4.14/kconfig-don-t-leak-main-menus-during-parsing.patch new file mode 100644 index 00000000000..1f30ff54448 --- /dev/null +++ b/queue-4.14/kconfig-don-t-leak-main-menus-during-parsing.patch @@ -0,0 +1,116 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:11:21 +0200 +Subject: kconfig: Don't leak main menus during parsing + +From: Ulf Magnusson + + +[ Upstream commit 0724a7c32a54e3e50d28e19e30c59014f61d4e2c ] + +If a 'mainmenu' entry appeared in the Kconfig files, two things would +leak: + + - The 'struct property' allocated for the default "Linux Kernel + Configuration" prompt. + + - The string for the T_WORD/T_WORD_QUOTE prompt after the + T_MAINMENU token, allocated on the heap in zconf.l. + +To fix it, introduce a new 'no_mainmenu_stmt' nonterminal that matches +if there's no 'mainmenu' and adds the default prompt. That means the +prompt only gets allocated once regardless of whether there's a +'mainmenu' statement or not, and managing it becomes simple. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,568 bytes in 14,352 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 344,440 bytes in 14,350 blocks + ... + +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/zconf.y | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/scripts/kconfig/zconf.y ++++ b/scripts/kconfig/zconf.y +@@ -108,7 +108,27 @@ static struct menu *current_menu, *curre + %% + input: nl start | start; + +-start: mainmenu_stmt stmt_list | stmt_list; ++start: mainmenu_stmt stmt_list | no_mainmenu_stmt stmt_list; ++ ++/* mainmenu entry */ ++ ++mainmenu_stmt: T_MAINMENU prompt nl ++{ ++ menu_add_prompt(P_MENU, $2, NULL); ++}; ++ ++/* Default main menu, if there's no mainmenu entry */ ++ ++no_mainmenu_stmt: /* empty */ ++{ ++ /* ++ * Hack: Keep the main menu title on the heap so we can safely free it ++ * later regardless of whether it comes from the 'prompt' in ++ * mainmenu_stmt or here ++ */ ++ menu_add_prompt(P_MENU, strdup("Linux Kernel Configuration"), NULL); ++}; ++ + + stmt_list: + /* empty */ +@@ -351,13 +371,6 @@ if_block: + | if_block choice_stmt + ; + +-/* mainmenu entry */ +- +-mainmenu_stmt: T_MAINMENU prompt nl +-{ +- menu_add_prompt(P_MENU, $2, NULL); +-}; +- + /* menu entry */ + + menu: T_MENU prompt T_EOL +@@ -502,6 +515,7 @@ word_opt: /* empty */ { $$ = NULL; } + + void conf_parse(const char *name) + { ++ const char *tmp; + struct symbol *sym; + int i; + +@@ -509,7 +523,6 @@ void conf_parse(const char *name) + + sym_init(); + _menu_init(); +- rootmenu.prompt = menu_add_prompt(P_MENU, "Linux Kernel Configuration", NULL); + + if (getenv("ZCONF_DEBUG")) + zconfdebug = 1; +@@ -519,8 +532,10 @@ void conf_parse(const char *name) + if (!modules_sym) + modules_sym = sym_find( "n" ); + ++ tmp = rootmenu.prompt->text; + rootmenu.prompt->text = _(rootmenu.prompt->text); + rootmenu.prompt->text = sym_expand_string_value(rootmenu.prompt->text); ++ free((char*)tmp); + + menu_finalize(&rootmenu); + for_all_symbols(i, sym) { diff --git a/queue-4.14/kconfig-fix-automatic-menu-creation-mem-leak.patch b/queue-4.14/kconfig-fix-automatic-menu-creation-mem-leak.patch new file mode 100644 index 00000000000..3df5516cb8f --- /dev/null +++ b/queue-4.14/kconfig-fix-automatic-menu-creation-mem-leak.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:35:44 +0200 +Subject: kconfig: Fix automatic menu creation mem leak + +From: Ulf Magnusson + + +[ Upstream commit ae7440ef0c8013d68c00dad6900e7cce5311bb1c ] + +expr_trans_compare() always allocates and returns a new expression, +giving the following leak outline: + + ... + *Allocate* + basedep = expr_trans_compare(basedep, E_UNEQUAL, &symbol_no); + ... + for (menu = parent->next; menu; menu = menu->next) { + ... + *Copy* + dep2 = expr_copy(basedep); + ... + *Free copy* + expr_free(dep2); + } + *basedep lost!* + +Fix by freeing 'basedep' after the loop. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 344,376 bytes in 14,349 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/menu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/kconfig/menu.c ++++ b/scripts/kconfig/menu.c +@@ -372,6 +372,7 @@ void menu_finalize(struct menu *parent) + menu->parent = parent; + last_menu = menu; + } ++ expr_free(basedep); + if (last_menu) { + parent->list = parent->next; + parent->next = last_menu->next; diff --git a/queue-4.14/kconfig-fix-expr_free-e_not-leak.patch b/queue-4.14/kconfig-fix-expr_free-e_not-leak.patch new file mode 100644 index 00000000000..2458eb459bc --- /dev/null +++ b/queue-4.14/kconfig-fix-expr_free-e_not-leak.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ulf Magnusson +Date: Sun, 8 Oct 2017 19:35:45 +0200 +Subject: kconfig: Fix expr_free() E_NOT leak + +From: Ulf Magnusson + + +[ Upstream commit 5b1374b3b3c2fc4f63a398adfa446fb8eff791a4 ] + +Only the E_NOT operand and not the E_NOT node itself was freed, due to +accidentally returning too early in expr_free(). Outline of leak: + + switch (e->type) { + ... + case E_NOT: + expr_free(e->left.expr); + return; + ... + } + *Never reached, 'e' leaked* + free(e); + +Fix by changing the 'return' to a 'break'. + +Summary from Valgrind on 'menuconfig' (ARCH=x86) before the fix: + + LEAK SUMMARY: + definitely lost: 44,448 bytes in 1,852 blocks + ... + +Summary after the fix: + + LEAK SUMMARY: + definitely lost: 1,608 bytes in 67 blocks + ... + +Signed-off-by: Ulf Magnusson +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/kconfig/expr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/kconfig/expr.c ++++ b/scripts/kconfig/expr.c +@@ -113,7 +113,7 @@ void expr_free(struct expr *e) + break; + case E_NOT: + expr_free(e->left.expr); +- return; ++ break; + case E_EQUAL: + case E_GEQ: + case E_GTH: diff --git a/queue-4.14/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch b/queue-4.14/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch new file mode 100644 index 00000000000..95e04aa2a39 --- /dev/null +++ b/queue-4.14/kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch @@ -0,0 +1,60 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: KarimAllah Ahmed +Date: Wed, 17 Jan 2018 19:18:56 +0100 +Subject: kvm: Map PFN-type memory regions as writable (if possible) + +From: KarimAllah Ahmed + + +[ Upstream commit a340b3e229b24a56f1c7f5826b15a3af0f4b13e5 ] + +For EPT-violations that are triggered by a read, the pages are also mapped with +write permissions (if their memory region is also writable). That would avoid +getting yet another fault on the same page when a write occurs. + +This optimization only happens when you have a "struct page" backing the memory +region. So also enable it for memory regions that do not have a "struct page". + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: KarimAllah Ahmed +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/kvm_main.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1434,7 +1434,8 @@ static bool vma_is_valid(struct vm_area_ + + static int hva_to_pfn_remapped(struct vm_area_struct *vma, + unsigned long addr, bool *async, +- bool write_fault, kvm_pfn_t *p_pfn) ++ bool write_fault, bool *writable, ++ kvm_pfn_t *p_pfn) + { + unsigned long pfn; + int r; +@@ -1460,6 +1461,8 @@ static int hva_to_pfn_remapped(struct vm + + } + ++ if (writable) ++ *writable = true; + + /* + * Get a reference here because callers of *hva_to_pfn* and +@@ -1525,7 +1528,7 @@ retry: + if (vma == NULL) + pfn = KVM_PFN_ERR_FAULT; + else if (vma->vm_flags & (VM_IO | VM_PFNMAP)) { +- r = hva_to_pfn_remapped(vma, addr, async, write_fault, &pfn); ++ r = hva_to_pfn_remapped(vma, addr, async, write_fault, writable, &pfn); + if (r == -EAGAIN) + goto retry; + if (r < 0) diff --git a/queue-4.14/kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch b/queue-4.14/kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch new file mode 100644 index 00000000000..5b2fc70a457 --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch @@ -0,0 +1,106 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Paul Mackerras +Date: Fri, 12 Jan 2018 20:55:20 +1100 +Subject: KVM: PPC: Book3S HV: Enable migration of decrementer register + +From: Paul Mackerras + + +[ Upstream commit 5855564c8ab2d9cefca7b2933bd19818eb795e40 ] + +This adds a register identifier for use with the one_reg interface +to allow the decrementer expiry time to be read and written by +userspace. The decrementer expiry time is in guest timebase units +and is equal to the sum of the decrementer and the guest timebase. +(The expiry time is used rather than the decrementer value itself +because the expiry time is not constantly changing, though the +decrementer value is, while the guest vcpu is not running.) + +Without this, a guest vcpu migrated to a new host will see its +decrementer set to some random value. On POWER8 and earlier, the +decrementer is 32 bits wide and counts down at 512MHz, so the +guest vcpu will potentially see no decrementer interrupts for up +to about 4 seconds, which will lead to a stall. With POWER9, the +decrementer is now 56 bits side, so the stall can be much longer +(up to 2.23 years) and more noticeable. + +To help work around the problem in cases where userspace has not been +updated to migrate the decrementer expiry time, we now set the +default decrementer expiry at vcpu creation time to the current time +rather than the maximum possible value. This should mean an +immediate decrementer interrupt when a migrated vcpu starts +running. In cases where the decrementer is 32 bits wide and more +than 4 seconds elapse between the creation of the vcpu and when it +first runs, the decrementer would have wrapped around to positive +values and there may still be a stall - but this is no worse than +the current situation. In the large-decrementer case, we are sure +to get an immediate decrementer interrupt (assuming the time from +vcpu creation to first run is less than 2.23 years) and we thus +avoid a very long stall. + +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/virtual/kvm/api.txt | 1 + + arch/powerpc/include/uapi/asm/kvm.h | 2 ++ + arch/powerpc/kvm/book3s_hv.c | 8 ++++++++ + arch/powerpc/kvm/powerpc.c | 2 +- + 4 files changed, 12 insertions(+), 1 deletion(-) + +--- a/Documentation/virtual/kvm/api.txt ++++ b/Documentation/virtual/kvm/api.txt +@@ -1837,6 +1837,7 @@ registers, find a list below: + PPC | KVM_REG_PPC_DBSR | 32 + PPC | KVM_REG_PPC_TIDR | 64 + PPC | KVM_REG_PPC_PSSCR | 64 ++ PPC | KVM_REG_PPC_DEC_EXPIRY | 64 + PPC | KVM_REG_PPC_TM_GPR0 | 64 + ... + PPC | KVM_REG_PPC_TM_GPR31 | 64 +--- a/arch/powerpc/include/uapi/asm/kvm.h ++++ b/arch/powerpc/include/uapi/asm/kvm.h +@@ -607,6 +607,8 @@ struct kvm_ppc_rmmu_info { + #define KVM_REG_PPC_TIDR (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xbc) + #define KVM_REG_PPC_PSSCR (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xbd) + ++#define KVM_REG_PPC_DEC_EXPIRY (KVM_REG_PPC | KVM_REG_SIZE_U64 | 0xbe) ++ + /* Transactional Memory checkpointed state: + * This is all GPRs, all VSX regs and a subset of SPRs + */ +--- a/arch/powerpc/kvm/book3s_hv.c ++++ b/arch/powerpc/kvm/book3s_hv.c +@@ -1497,6 +1497,10 @@ static int kvmppc_get_one_reg_hv(struct + case KVM_REG_PPC_ARCH_COMPAT: + *val = get_reg_val(id, vcpu->arch.vcore->arch_compat); + break; ++ case KVM_REG_PPC_DEC_EXPIRY: ++ *val = get_reg_val(id, vcpu->arch.dec_expires + ++ vcpu->arch.vcore->tb_offset); ++ break; + default: + r = -EINVAL; + break; +@@ -1724,6 +1728,10 @@ static int kvmppc_set_one_reg_hv(struct + case KVM_REG_PPC_ARCH_COMPAT: + r = kvmppc_set_arch_compat(vcpu, set_reg_val(id, *val)); + break; ++ case KVM_REG_PPC_DEC_EXPIRY: ++ vcpu->arch.dec_expires = set_reg_val(id, *val) - ++ vcpu->arch.vcore->tb_offset; ++ break; + default: + r = -EINVAL; + break; +--- a/arch/powerpc/kvm/powerpc.c ++++ b/arch/powerpc/kvm/powerpc.c +@@ -758,7 +758,7 @@ int kvm_arch_vcpu_init(struct kvm_vcpu * + + hrtimer_init(&vcpu->arch.dec_timer, CLOCK_REALTIME, HRTIMER_MODE_ABS); + vcpu->arch.dec_timer.function = kvmppc_decrementer_wakeup; +- vcpu->arch.dec_expires = ~(u64)0; ++ vcpu->arch.dec_expires = get_tb(); + + #ifdef CONFIG_KVM_EXIT_TIMING + mutex_init(&vcpu->arch.exit_timing_lock); diff --git a/queue-4.14/kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch b/queue-4.14/kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch new file mode 100644 index 00000000000..ad1e438f3b1 --- /dev/null +++ b/queue-4.14/kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch @@ -0,0 +1,50 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Paul Mackerras +Date: Wed, 7 Feb 2018 19:49:54 +1100 +Subject: KVM: PPC: Book3S HV: Fix handling of secondary HPTEG in HPT resizing code + +From: Paul Mackerras + + +[ Upstream commit 05f2bb0313a2855e491dadfc8319b7da261d7074 ] + +This fixes the computation of the HPTE index to use when the HPT +resizing code encounters a bolted HPTE which is stored in its +secondary HPTE group. The code inverts the HPTE group number, which +is correct, but doesn't then mask it with new_hash_mask. As a result, +new_pteg will be effectively negative, resulting in new_hptep +pointing before the new HPT, which will corrupt memory. + +In addition, this removes two BUG_ON statements. The condition that +the BUG_ONs were testing -- that we have computed the hash value +incorrectly -- has never been observed in testing, and if it did +occur, would only affect the guest, not the host. Given that +BUG_ON should only be used in conditions where the kernel (i.e. +the host kernel, in this case) can't possibly continue execution, +it is not appropriate here. + +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_hv.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_hv.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_hv.c +@@ -1348,12 +1348,8 @@ static unsigned long resize_hpt_rehash_h + } + + new_pteg = hash & new_hash_mask; +- if (vpte & HPTE_V_SECONDARY) { +- BUG_ON(~pteg != (hash & old_hash_mask)); +- new_pteg = ~new_pteg; +- } else { +- BUG_ON(pteg != (hash & old_hash_mask)); +- } ++ if (vpte & HPTE_V_SECONDARY) ++ new_pteg = ~hash & new_hash_mask; + + new_idx = new_pteg * HPTES_PER_GROUP + (idx % HPTES_PER_GROUP); + new_hptep = (__be64 *)(new->virt + (new_idx << 4)); diff --git a/queue-4.14/kvm-s390-use-created_vcpus-in-more-places.patch b/queue-4.14/kvm-s390-use-created_vcpus-in-more-places.patch new file mode 100644 index 00000000000..e08789ee3cc --- /dev/null +++ b/queue-4.14/kvm-s390-use-created_vcpus-in-more-places.patch @@ -0,0 +1,48 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Christian Borntraeger +Date: Thu, 16 Nov 2017 15:12:52 +0100 +Subject: KVM: s390: use created_vcpus in more places + +From: Christian Borntraeger + + +[ Upstream commit 241e3ec0faf5ab1a0d9b1f6c43eefa919fb9c112 ] + +commit a03825bbd0c3 ("KVM: s390: use kvm->created_vcpus") introduced +kvm->created_vcpus to avoid races with the existing kvm->online_vcpus +scheme. One place was "forgotten" and one new place was "added". +Let's fix those. + +Reported-by: Halil Pasic +Signed-off-by: Christian Borntraeger +Reviewed-by: Halil Pasic +Reviewed-by: Cornelia Huck +Reviewed-by: David Hildenbrand +Fixes: 4e0b1ab72b8a ("KVM: s390: gs support for kvm guests") +Fixes: a03825bbd0c3 ("KVM: s390: use kvm->created_vcpus") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/kvm-s390.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -601,7 +601,7 @@ static int kvm_vm_ioctl_enable_cap(struc + case KVM_CAP_S390_GS: + r = -EINVAL; + mutex_lock(&kvm->lock); +- if (atomic_read(&kvm->online_vcpus)) { ++ if (kvm->created_vcpus) { + r = -EBUSY; + } else if (test_facility(133)) { + set_kvm_facility(kvm->arch.model.fac_mask, 133); +@@ -1121,7 +1121,7 @@ static int kvm_s390_set_processor_feat(s + return -EINVAL; + + mutex_lock(&kvm->lock); +- if (!atomic_read(&kvm->online_vcpus)) { ++ if (!kvm->created_vcpus) { + bitmap_copy(kvm->arch.cpu_feat, (unsigned long *) data.feat, + KVM_S390_VM_CPU_FEAT_NR_BITS); + ret = 0; diff --git a/queue-4.14/kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch b/queue-4.14/kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch new file mode 100644 index 00000000000..bf78ba89e8d --- /dev/null +++ b/queue-4.14/kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch @@ -0,0 +1,190 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: David Hildenbrand +Date: Tue, 16 Jan 2018 18:15:25 +0100 +Subject: KVM: s390: vsie: use READ_ONCE to access some SCB fields + +From: David Hildenbrand + + +[ Upstream commit b3ecd4aa8632a86428605ab73393d14779019d82 ] + +Another VCPU might try to modify the SCB while we are creating the +shadow SCB. In general this is no problem - unless the compiler decides +to not load values once, but e.g. twice. + +For us, this is only relevant when checking/working with such values. +E.g. the prefix value, the mso, state of transactional execution and +addresses of satellite blocks. + +E.g. if we blindly forward values (e.g. general purpose registers or +execution controls after masking), we don't care. + +Leaving unpin_blocks() untouched for now, will handle it separately. + +The worst thing right now that I can see would be a missed prefix +un/remap (mso, prefix, tx) or using wrong guest addresses. Nothing +critical, but let's try to avoid unpredictable behavior. + +Signed-off-by: David Hildenbrand +Message-Id: <20180116171526.12343-2-david@redhat.com> +Reviewed-by: Christian Borntraeger +Acked-by: Cornelia Huck +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kvm/vsie.c | 50 +++++++++++++++++++++++++++++++------------------- + 1 file changed, 31 insertions(+), 19 deletions(-) + +--- a/arch/s390/kvm/vsie.c ++++ b/arch/s390/kvm/vsie.c +@@ -31,7 +31,11 @@ struct vsie_page { + * the same offset as that in struct sie_page! + */ + struct mcck_volatile_info mcck_info; /* 0x0200 */ +- /* the pinned originial scb */ ++ /* ++ * The pinned original scb. Be aware that other VCPUs can modify ++ * it while we read from it. Values that are used for conditions or ++ * are reused conditionally, should be accessed via READ_ONCE. ++ */ + struct kvm_s390_sie_block *scb_o; /* 0x0218 */ + /* the shadow gmap in use by the vsie_page */ + struct gmap *gmap; /* 0x0220 */ +@@ -143,12 +147,13 @@ static int shadow_crycb(struct kvm_vcpu + { + struct kvm_s390_sie_block *scb_s = &vsie_page->scb_s; + struct kvm_s390_sie_block *scb_o = vsie_page->scb_o; +- u32 crycb_addr = scb_o->crycbd & 0x7ffffff8U; ++ const uint32_t crycbd_o = READ_ONCE(scb_o->crycbd); ++ const u32 crycb_addr = crycbd_o & 0x7ffffff8U; + unsigned long *b1, *b2; + u8 ecb3_flags; + + scb_s->crycbd = 0; +- if (!(scb_o->crycbd & vcpu->arch.sie_block->crycbd & CRYCB_FORMAT1)) ++ if (!(crycbd_o & vcpu->arch.sie_block->crycbd & CRYCB_FORMAT1)) + return 0; + /* format-1 is supported with message-security-assist extension 3 */ + if (!test_kvm_facility(vcpu->kvm, 76)) +@@ -186,12 +191,15 @@ static void prepare_ibc(struct kvm_vcpu + { + struct kvm_s390_sie_block *scb_s = &vsie_page->scb_s; + struct kvm_s390_sie_block *scb_o = vsie_page->scb_o; ++ /* READ_ONCE does not work on bitfields - use a temporary variable */ ++ const uint32_t __new_ibc = scb_o->ibc; ++ const uint32_t new_ibc = READ_ONCE(__new_ibc) & 0x0fffU; + __u64 min_ibc = (sclp.ibc >> 16) & 0x0fffU; + + scb_s->ibc = 0; + /* ibc installed in g2 and requested for g3 */ +- if (vcpu->kvm->arch.model.ibc && (scb_o->ibc & 0x0fffU)) { +- scb_s->ibc = scb_o->ibc & 0x0fffU; ++ if (vcpu->kvm->arch.model.ibc && new_ibc) { ++ scb_s->ibc = new_ibc; + /* takte care of the minimum ibc level of the machine */ + if (scb_s->ibc < min_ibc) + scb_s->ibc = min_ibc; +@@ -256,6 +264,10 @@ static int shadow_scb(struct kvm_vcpu *v + { + struct kvm_s390_sie_block *scb_o = vsie_page->scb_o; + struct kvm_s390_sie_block *scb_s = &vsie_page->scb_s; ++ /* READ_ONCE does not work on bitfields - use a temporary variable */ ++ const uint32_t __new_prefix = scb_o->prefix; ++ const uint32_t new_prefix = READ_ONCE(__new_prefix); ++ const bool wants_tx = READ_ONCE(scb_o->ecb) & ECB_TE; + bool had_tx = scb_s->ecb & ECB_TE; + unsigned long new_mso = 0; + int rc; +@@ -302,14 +314,14 @@ static int shadow_scb(struct kvm_vcpu *v + scb_s->icpua = scb_o->icpua; + + if (!(atomic_read(&scb_s->cpuflags) & CPUSTAT_SM)) +- new_mso = scb_o->mso & 0xfffffffffff00000UL; ++ new_mso = READ_ONCE(scb_o->mso) & 0xfffffffffff00000UL; + /* if the hva of the prefix changes, we have to remap the prefix */ +- if (scb_s->mso != new_mso || scb_s->prefix != scb_o->prefix) ++ if (scb_s->mso != new_mso || scb_s->prefix != new_prefix) + prefix_unmapped(vsie_page); + /* SIE will do mso/msl validity and exception checks for us */ + scb_s->msl = scb_o->msl & 0xfffffffffff00000UL; + scb_s->mso = new_mso; +- scb_s->prefix = scb_o->prefix; ++ scb_s->prefix = new_prefix; + + /* We have to definetly flush the tlb if this scb never ran */ + if (scb_s->ihcpu != 0xffffU) +@@ -321,11 +333,11 @@ static int shadow_scb(struct kvm_vcpu *v + if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_ESOP)) + scb_s->ecb |= scb_o->ecb & ECB_HOSTPROTINT; + /* transactional execution */ +- if (test_kvm_facility(vcpu->kvm, 73)) { ++ if (test_kvm_facility(vcpu->kvm, 73) && wants_tx) { + /* remap the prefix is tx is toggled on */ +- if ((scb_o->ecb & ECB_TE) && !had_tx) ++ if (!had_tx) + prefix_unmapped(vsie_page); +- scb_s->ecb |= scb_o->ecb & ECB_TE; ++ scb_s->ecb |= ECB_TE; + } + /* SIMD */ + if (test_kvm_facility(vcpu->kvm, 129)) { +@@ -544,9 +556,9 @@ static int pin_blocks(struct kvm_vcpu *v + gpa_t gpa; + int rc = 0; + +- gpa = scb_o->scaol & ~0xfUL; ++ gpa = READ_ONCE(scb_o->scaol) & ~0xfUL; + if (test_kvm_cpu_feat(vcpu->kvm, KVM_S390_VM_CPU_FEAT_64BSCAO)) +- gpa |= (u64) scb_o->scaoh << 32; ++ gpa |= (u64) READ_ONCE(scb_o->scaoh) << 32; + if (gpa) { + if (!(gpa & ~0x1fffUL)) + rc = set_validity_icpt(scb_s, 0x0038U); +@@ -566,7 +578,7 @@ static int pin_blocks(struct kvm_vcpu *v + scb_s->scaol = (u32)(u64)hpa; + } + +- gpa = scb_o->itdba & ~0xffUL; ++ gpa = READ_ONCE(scb_o->itdba) & ~0xffUL; + if (gpa && (scb_s->ecb & ECB_TE)) { + if (!(gpa & ~0x1fffU)) { + rc = set_validity_icpt(scb_s, 0x0080U); +@@ -581,7 +593,7 @@ static int pin_blocks(struct kvm_vcpu *v + scb_s->itdba = hpa; + } + +- gpa = scb_o->gvrd & ~0x1ffUL; ++ gpa = READ_ONCE(scb_o->gvrd) & ~0x1ffUL; + if (gpa && (scb_s->eca & ECA_VX) && !(scb_s->ecd & ECD_HOSTREGMGMT)) { + if (!(gpa & ~0x1fffUL)) { + rc = set_validity_icpt(scb_s, 0x1310U); +@@ -599,7 +611,7 @@ static int pin_blocks(struct kvm_vcpu *v + scb_s->gvrd = hpa; + } + +- gpa = scb_o->riccbd & ~0x3fUL; ++ gpa = READ_ONCE(scb_o->riccbd) & ~0x3fUL; + if (gpa && (scb_s->ecb3 & ECB3_RI)) { + if (!(gpa & ~0x1fffUL)) { + rc = set_validity_icpt(scb_s, 0x0043U); +@@ -617,8 +629,8 @@ static int pin_blocks(struct kvm_vcpu *v + if ((scb_s->ecb & ECB_GS) && !(scb_s->ecd & ECD_HOSTREGMGMT)) { + unsigned long sdnxc; + +- gpa = scb_o->sdnxo & ~0xfUL; +- sdnxc = scb_o->sdnxo & 0xfUL; ++ gpa = READ_ONCE(scb_o->sdnxo) & ~0xfUL; ++ sdnxc = READ_ONCE(scb_o->sdnxo) & 0xfUL; + if (!gpa || !(gpa & ~0x1fffUL)) { + rc = set_validity_icpt(scb_s, 0x10b0U); + goto unpin; +@@ -785,7 +797,7 @@ static void retry_vsie_icpt(struct vsie_ + static int handle_stfle(struct kvm_vcpu *vcpu, struct vsie_page *vsie_page) + { + struct kvm_s390_sie_block *scb_s = &vsie_page->scb_s; +- __u32 fac = vsie_page->scb_o->fac & 0x7ffffff8U; ++ __u32 fac = READ_ONCE(vsie_page->scb_o->fac) & 0x7ffffff8U; + + if (fac && test_kvm_facility(vcpu->kvm, 7)) { + retry_vsie_icpt(vsie_page); diff --git a/queue-4.14/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch b/queue-4.14/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch new file mode 100644 index 00000000000..bd3ea7d3b87 --- /dev/null +++ b/queue-4.14/kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch @@ -0,0 +1,52 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Paolo Bonzini +Date: Thu, 26 Oct 2017 15:45:47 +0200 +Subject: kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl + +From: Paolo Bonzini + + +[ Upstream commit 51776043afa415435c7e4636204fbe4f7edc4501 ] + +This ioctl is obsolete (it was used by Xenner as far as I know) but +still let's not break it gratuitously... Its handler is copying +directly into struct kvm. Go through a bounce buffer instead, with +the added benefit that we can actually do something useful with the +flags argument---the previous code was exiting with -EINVAL but still +doing the copy. + +This technically is a userspace ABI breakage, but since no one should be +using the ioctl, it's a good occasion to see if someone actually +complains. + +Cc: kernel-hardening@lists.openwall.com +Cc: Kees Cook +Cc: Radim Krčmář +Signed-off-by: Paolo Bonzini +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/x86.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4225,13 +4225,14 @@ long kvm_arch_vm_ioctl(struct file *filp + mutex_unlock(&kvm->lock); + break; + case KVM_XEN_HVM_CONFIG: { ++ struct kvm_xen_hvm_config xhc; + r = -EFAULT; +- if (copy_from_user(&kvm->arch.xen_hvm_config, argp, +- sizeof(struct kvm_xen_hvm_config))) ++ if (copy_from_user(&xhc, argp, sizeof(xhc))) + goto out; + r = -EINVAL; +- if (kvm->arch.xen_hvm_config.flags) ++ if (xhc.flags) + goto out; ++ memcpy(&kvm->arch.xen_hvm_config, &xhc, sizeof(xhc)); + r = 0; + break; + } diff --git a/queue-4.14/libbpf-makefile-set-specified-permission-mode.patch b/queue-4.14/libbpf-makefile-set-specified-permission-mode.patch new file mode 100644 index 00000000000..354913625fb --- /dev/null +++ b/queue-4.14/libbpf-makefile-set-specified-permission-mode.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jesper Dangaard Brouer +Date: Wed, 17 Jan 2018 00:20:40 +0100 +Subject: libbpf: Makefile set specified permission mode + +From: Jesper Dangaard Brouer + + +[ Upstream commit 7110d80d53f472956420cd05a6297f49b558b674 ] + +The third parameter to do_install was not used by $(INSTALL) command. +Fix this by only setting the -m option when the third parameter is supplied. + +The use of a third parameter was introduced in commit eb54e522a000 ("bpf: +install libbpf headers on 'make install'"). + +Without this change, the header files are install as executables files (755). + +Fixes: eb54e522a000 ("bpf: install libbpf headers on 'make install'") +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/bpf/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/lib/bpf/Makefile ++++ b/tools/lib/bpf/Makefile +@@ -183,7 +183,7 @@ define do_install + if [ ! -d '$(DESTDIR_SQ)$2' ]; then \ + $(INSTALL) -d -m 755 '$(DESTDIR_SQ)$2'; \ + fi; \ +- $(INSTALL) $1 '$(DESTDIR_SQ)$2' ++ $(INSTALL) $1 $(if $3,-m $3,) '$(DESTDIR_SQ)$2' + endef + + install_lib: all_cmd diff --git a/queue-4.14/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch b/queue-4.14/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch new file mode 100644 index 00000000000..f5b61cf8dcd --- /dev/null +++ b/queue-4.14/locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch @@ -0,0 +1,53 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Will Deacon +Date: Tue, 13 Feb 2018 13:22:57 +0000 +Subject: locking/qspinlock: Ensure node->count is updated before initialising node + +From: Will Deacon + + +[ Upstream commit 11dc13224c975efcec96647a4768a6f1bb7a19a8 ] + +When queuing on the qspinlock, the count field for the current CPU's head +node is incremented. This needn't be atomic because locking in e.g. IRQ +context is balanced and so an IRQ will return with node->count as it +found it. + +However, the compiler could in theory reorder the initialisation of +node[idx] before the increment of the head node->count, causing an +IRQ to overwrite the initialised node and potentially corrupt the lock +state. + +Avoid the potential for this harmful compiler reordering by placing a +barrier() between the increment of the head node->count and the subsequent +node initialisation. + +Signed-off-by: Will Deacon +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1518528177-19169-3-git-send-email-will.deacon@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/qspinlock.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/kernel/locking/qspinlock.c ++++ b/kernel/locking/qspinlock.c +@@ -379,6 +379,14 @@ queue: + tail = encode_tail(smp_processor_id(), idx); + + node += idx; ++ ++ /* ++ * Ensure that we increment the head node->count before initialising ++ * the actual node. If the compiler is kind enough to reorder these ++ * stores, then an IRQ could overwrite our assignments. ++ */ ++ barrier(); ++ + node->locked = 0; + node->next = NULL; + pv_init_node(node); diff --git a/queue-4.14/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch b/queue-4.14/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch new file mode 100644 index 00000000000..602bd7418f8 --- /dev/null +++ b/queue-4.14/mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "weiyongjun (A)" +Date: Thu, 18 Jan 2018 02:23:34 +0000 +Subject: mac80211_hwsim: fix possible memory leak in hwsim_new_radio_nl() + +From: "weiyongjun (A)" + + +[ Upstream commit 0ddcff49b672239dda94d70d0fcf50317a9f4b51 ] + +'hwname' is malloced in hwsim_new_radio_nl() and should be freed +before leaving from the error handling cases, otherwise it will cause +memory leak. + +Fixes: ff4dd73dd2b4 ("mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length") +Signed-off-by: Wei Yongjun +Reviewed-by: Ben Hutchings +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mac80211_hwsim.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -3153,8 +3153,10 @@ static int hwsim_new_radio_nl(struct sk_ + if (info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]) { + u32 idx = nla_get_u32(info->attrs[HWSIM_ATTR_REG_CUSTOM_REG]); + +- if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) ++ if (idx >= ARRAY_SIZE(hwsim_world_regdom_custom)) { ++ kfree(hwname); + return -EINVAL; ++ } + param.regd = hwsim_world_regdom_custom[idx]; + } + diff --git a/queue-4.14/mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch b/queue-4.14/mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch new file mode 100644 index 00000000000..712a9a14346 --- /dev/null +++ b/queue-4.14/mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: James Hogan +Date: Tue, 16 Jan 2018 21:38:24 +0000 +Subject: MIPS: Fix clean of vmlinuz.{32,ecoff,bin,srec} + +From: James Hogan + + +[ Upstream commit 5f2483eb2423152445b39f2db59d372f523e664e ] + +Make doesn't expand shell style "vmlinuz.{32,ecoff,bin,srec}" to the 4 +separate files, so none of these files get cleaned up by make clean. +List the files separately instead. + +Fixes: ec3352925b74 ("MIPS: Remove all generated vmlinuz* files on "make clean"") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18491/ +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/boot/compressed/Makefile | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/mips/boot/compressed/Makefile ++++ b/arch/mips/boot/compressed/Makefile +@@ -133,4 +133,8 @@ vmlinuz.srec: vmlinuz + uzImage.bin: vmlinuz.bin FORCE + $(call if_changed,uimage,none) + +-clean-files := $(objtree)/vmlinuz $(objtree)/vmlinuz.{32,ecoff,bin,srec} ++clean-files += $(objtree)/vmlinuz ++clean-files += $(objtree)/vmlinuz.32 ++clean-files += $(objtree)/vmlinuz.ecoff ++clean-files += $(objtree)/vmlinuz.bin ++clean-files += $(objtree)/vmlinuz.srec diff --git a/queue-4.14/mips-generic-fix-machine-compatible-matching.patch b/queue-4.14/mips-generic-fix-machine-compatible-matching.patch new file mode 100644 index 00000000000..4fbe268d08c --- /dev/null +++ b/queue-4.14/mips-generic-fix-machine-compatible-matching.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: James Hogan +Date: Fri, 2 Feb 2018 22:14:09 +0000 +Subject: MIPS: generic: Fix machine compatible matching + +From: James Hogan + + +[ Upstream commit 9a9ab3078e2744a1a55163cfaec73a5798aae33e ] + +We now have a platform (Ranchu) in the "generic" platform which matches +based on the FDT compatible string using mips_machine_is_compatible(), +however that function doesn't stop at a blank struct +of_device_id::compatible as that is an array in the struct, not a +pointer to a string. + +Fix the loop completion to check the first byte of the compatible array +rather than the address of the compatible array in the struct. + +Fixes: eed0eabd12ef ("MIPS: generic: Introduce generic DT-based board support") +Signed-off-by: James Hogan +Reviewed-by: Paul Burton +Reviewed-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18580/ +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/machine.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/machine.h ++++ b/arch/mips/include/asm/machine.h +@@ -52,7 +52,7 @@ mips_machine_is_compatible(const struct + if (!mach->matches) + return NULL; + +- for (match = mach->matches; match->compatible; match++) { ++ for (match = mach->matches; match->compatible[0]; match++) { + if (fdt_node_check_compatible(fdt, 0, match->compatible) == 0) + return match; + } diff --git a/queue-4.14/mips-generic-support-gic-in-eic-mode.patch b/queue-4.14/mips-generic-support-gic-in-eic-mode.patch new file mode 100644 index 00000000000..3b441ffae89 --- /dev/null +++ b/queue-4.14/mips-generic-support-gic-in-eic-mode.patch @@ -0,0 +1,77 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Matt Redfearn +Date: Fri, 5 Jan 2018 10:31:07 +0000 +Subject: MIPS: Generic: Support GIC in EIC mode + +From: Matt Redfearn + + +[ Upstream commit 7bf8b16d1b60419c865e423b907a05f413745b3e ] + +The GIC supports running in External Interrupt Controller (EIC) mode, +and will signal this via cpu_has_veic if enabled in hardware. Currently +the generic kernel will panic if cpu_has_veic is set - but the GIC can +legitimately set this flag if either configured to boot in EIC mode, or +if the GIC driver enables this mode. Make the kernel not panic in this +case, and instead just check if the GIC is present. If so, use it's CPU +local interrupt routing functions. If an EIC is present, but it is not +the GIC, then the kernel does not know how to get the VIRQ for the CPU +local interrupts and should panic. Support for alternative EICs being +present is needed here for the generic kernel to support them. + +Suggested-by: Paul Burton +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18191/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/generic/irq.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/arch/mips/generic/irq.c ++++ b/arch/mips/generic/irq.c +@@ -22,10 +22,10 @@ int get_c0_fdc_int(void) + { + int mips_cpu_fdc_irq; + +- if (cpu_has_veic) +- panic("Unimplemented!"); +- else if (mips_gic_present()) ++ if (mips_gic_present()) + mips_cpu_fdc_irq = gic_get_c0_fdc_int(); ++ else if (cpu_has_veic) ++ panic("Unimplemented!"); + else if (cp0_fdc_irq >= 0) + mips_cpu_fdc_irq = MIPS_CPU_IRQ_BASE + cp0_fdc_irq; + else +@@ -38,10 +38,10 @@ int get_c0_perfcount_int(void) + { + int mips_cpu_perf_irq; + +- if (cpu_has_veic) +- panic("Unimplemented!"); +- else if (mips_gic_present()) ++ if (mips_gic_present()) + mips_cpu_perf_irq = gic_get_c0_perfcount_int(); ++ else if (cpu_has_veic) ++ panic("Unimplemented!"); + else if (cp0_perfcount_irq >= 0) + mips_cpu_perf_irq = MIPS_CPU_IRQ_BASE + cp0_perfcount_irq; + else +@@ -54,10 +54,10 @@ unsigned int get_c0_compare_int(void) + { + int mips_cpu_timer_irq; + +- if (cpu_has_veic) +- panic("Unimplemented!"); +- else if (mips_gic_present()) ++ if (mips_gic_present()) + mips_cpu_timer_irq = gic_get_c0_compare_int(); ++ else if (cpu_has_veic) ++ panic("Unimplemented!"); + else + mips_cpu_timer_irq = MIPS_CPU_IRQ_BASE + cp0_compare_irq; + diff --git a/queue-4.14/mips-txx9-use-is_builtin-for-config_leds_class.patch b/queue-4.14/mips-txx9-use-is_builtin-for-config_leds_class.patch new file mode 100644 index 00000000000..f142ab65e1e --- /dev/null +++ b/queue-4.14/mips-txx9-use-is_builtin-for-config_leds_class.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Matt Redfearn +Date: Mon, 29 Jan 2018 11:26:45 +0000 +Subject: MIPS: TXx9: use IS_BUILTIN() for CONFIG_LEDS_CLASS + +From: Matt Redfearn + + +[ Upstream commit 0cde5b44a30f1daaef1c34e08191239dc63271c4 ] + +When commit b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") +added board support for the RBTX4939, it added a call to +led_classdev_register even if the LED class is built as a module. +Built-in arch code cannot call module code directly like this. Commit +b33b44073734 ("MIPS: TXX9: use IS_ENABLED() macro") subsequently +changed the inclusion of this code to a single check that +CONFIG_LEDS_CLASS is either builtin or a module, but the same issue +remains. + +This leads to MIPS allmodconfig builds failing when CONFIG_MACH_TX49XX=y +is set: + +arch/mips/txx9/rbtx4939/setup.o: In function `rbtx4939_led_probe': +setup.c:(.init.text+0xc0): undefined reference to `of_led_classdev_register' +make: *** [Makefile:999: vmlinux] Error 1 + +Fix this by using the IS_BUILTIN() macro instead. + +Fixes: b27311e1cace ("MIPS: TXx9: Add RBTX4939 board support") +Signed-off-by: Matt Redfearn +Reviewed-by: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18544/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/txx9/rbtx4939/setup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/mips/txx9/rbtx4939/setup.c ++++ b/arch/mips/txx9/rbtx4939/setup.c +@@ -186,7 +186,7 @@ static void __init rbtx4939_update_ioc_p + + #define RBTX4939_MAX_7SEGLEDS 8 + +-#if IS_ENABLED(CONFIG_LEDS_CLASS) ++#if IS_BUILTIN(CONFIG_LEDS_CLASS) + static u8 led_val[RBTX4939_MAX_7SEGLEDS]; + struct rbtx4939_led_data { + struct led_classdev cdev; +@@ -261,7 +261,7 @@ static inline void rbtx4939_led_setup(vo + + static void __rbtx4939_7segled_putc(unsigned int pos, unsigned char val) + { +-#if IS_ENABLED(CONFIG_LEDS_CLASS) ++#if IS_BUILTIN(CONFIG_LEDS_CLASS) + unsigned long flags; + local_irq_save(flags); + /* bit7: reserved for LED class */ diff --git a/queue-4.14/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch b/queue-4.14/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch new file mode 100644 index 00000000000..786ac167f13 --- /dev/null +++ b/queue-4.14/mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch @@ -0,0 +1,218 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "shidao.ytt" +Date: Wed, 31 Jan 2018 16:19:55 -0800 +Subject: mm/fadvise: discard partial page if endbyte is also EOF + +From: "shidao.ytt" + + +[ Upstream commit a7ab400d6fe73d0119fdc234e9982a6f80faea9f ] + +During our recent testing with fadvise(FADV_DONTNEED), we find that if +given offset/length is not page-aligned, the last page will not be +discarded. The tool we use is vmtouch (https://hoytech.com/vmtouch/), +we map a 10KB-sized file into memory and then try to run this tool to +evict the whole file mapping, but the last single page always remains +staying in the memory: + +$./vmtouch -e test_10K + Files: 1 + Directories: 0 + Evicted Pages: 3 (12K) + Elapsed: 2.1e-05 seconds + +$./vmtouch test_10K + Files: 1 + Directories: 0 + Resident Pages: 1/3 4K/12K 33.3% + Elapsed: 5.5e-05 seconds + +However when we test with an older kernel, say 3.10, this problem is +gone. So we wonder if this is a regression: + +$./vmtouch -e test_10K + Files: 1 + Directories: 0 + Evicted Pages: 3 (12K) + Elapsed: 8.2e-05 seconds + +$./vmtouch test_10K + Files: 1 + Directories: 0 + Resident Pages: 0/3 0/12K 0% <-- partial page also discarded + Elapsed: 5e-05 seconds + +After digging a little bit into this problem, we find it seems not a +regression. Not discarding partial page is likely to be on purpose +according to commit 441c228f817f ("mm: fadvise: document the +fadvise(FADV_DONTNEED) behaviour for partial pages") written by Mel +Gorman. He explained why partial pages should be preserved instead of +being discarded when using fadvise(FADV_DONTNEED). + +However, the interesting part is that the actual code did NOT work as +the same as it was described, the partial page was still discarded +anyway, due to a calculation mistake of `end_index' passed to +invalidate_mapping_pages(). This mistake has not been fixed until +recently, that's why we fail to reproduce our problem in old kernels. +The fix is done in commit 18aba41cbf ("mm/fadvise.c: do not discard +partial pages with POSIX_FADV_DONTNEED") by Oleg Drokin. + +Back to the original testing, our problem becomes that there is a +special case that, if the page-unaligned `endbyte' is also the end of +file, it is not necessary at all to preserve the last partial page, as +we all know no one else will use the rest of it. It should be safe +enough if we just discard the whole page. So we add an EOF check in +this patch. + +We also find a poosbile real world issue in mainline kernel. Assume +such scenario: A userspace backup application want to backup a huge +amount of small files (<4k) at once, the developer might (I guess) want +to use fadvise(FADV_DONTNEED) to save memory. However, FADV_DONTNEED +won't really happen since the only page mapped is a partial page, and +kernel will preserve it. Our patch also fixes this problem, since we +know the endbyte is EOF, so we discard it. + +Here is a simple reproducer to reproduce and verify each scenario we +described above: + + test_fadvise.c + ============================== + #include + #include + #include + #include + #include + #include + #include + + int main(int argc, char **argv) + { + int i, fd, ret, len; + struct stat buf; + void *addr; + unsigned char *vec; + char *strbuf; + ssize_t pagesize = getpagesize(); + ssize_t filesize; + + fd = open(argv[1], O_RDWR|O_CREAT, S_IRUSR|S_IWUSR); + if (fd < 0) + return -1; + filesize = strtoul(argv[2], NULL, 10); + + strbuf = malloc(filesize); + memset(strbuf, 42, filesize); + write(fd, strbuf, filesize); + free(strbuf); + fsync(fd); + + len = (filesize + pagesize - 1) / pagesize; + printf("length of pages: %d\n", len); + + addr = mmap(NULL, filesize, PROT_READ, MAP_SHARED, fd, 0); + if (addr == MAP_FAILED) + return -1; + + ret = posix_fadvise(fd, 0, filesize, POSIX_FADV_DONTNEED); + if (ret < 0) + return -1; + + vec = malloc(len); + ret = mincore(addr, filesize, (void *)vec); + if (ret < 0) + return -1; + + for (i = 0; i < len; i++) + printf("pages[%d]: %x\n", i, vec[i] & 0x1); + + free(vec); + close(fd); + + return 0; + } + ============================== + +Test 1: running on kernel with commit 18aba41cbf reverted: + + [root@caspar ~]# uname -r + 4.15.0-rc6.revert+ + [root@caspar ~]# ./test_fadvise file1 1024 + length of pages: 1 + pages[0]: 0 # <-- partial page discarded + [root@caspar ~]# ./test_fadvise file2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise file3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 0 # <-- partial page discarded + +Test 2: running on mainline kernel: + + [root@caspar ~]# uname -r + 4.15.0-rc6+ + [root@caspar ~]# ./test_fadvise test1 1024 + length of pages: 1 + pages[0]: 1 # <-- partial and the only page not discarded + [root@caspar ~]# ./test_fadvise test2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise test3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 1 # <-- partial page not discarded + +Test 3: running on kernel with this patch: + + [root@caspar ~]# uname -r + 4.15.0-rc6.patched+ + [root@caspar ~]# ./test_fadvise test1 1024 + length of pages: 1 + pages[0]: 0 # <-- partial page and EOF, discarded + [root@caspar ~]# ./test_fadvise test2 8192 + length of pages: 2 + pages[0]: 0 + pages[1]: 0 + [root@caspar ~]# ./test_fadvise test3 10240 + length of pages: 3 + pages[0]: 0 + pages[1]: 0 + pages[2]: 0 # <-- partial page and EOF, discarded + +[akpm@linux-foundation.org: tweak code comment] +Link: http://lkml.kernel.org/r/5222da9ee20e1695eaabb69f631f200d6e6b8876.1515132470.git.jinli.zjl@alibaba-inc.com +Signed-off-by: shidao.ytt +Signed-off-by: Caspar Zhang +Reviewed-by: Oliver Yang +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/fadvise.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/mm/fadvise.c ++++ b/mm/fadvise.c +@@ -127,7 +127,15 @@ SYSCALL_DEFINE4(fadvise64_64, int, fd, l + */ + start_index = (offset+(PAGE_SIZE-1)) >> PAGE_SHIFT; + end_index = (endbyte >> PAGE_SHIFT); +- if ((endbyte & ~PAGE_MASK) != ~PAGE_MASK) { ++ /* ++ * The page at end_index will be inclusively discarded according ++ * by invalidate_mapping_pages(), so subtracting 1 from ++ * end_index means we will skip the last page. But if endbyte ++ * is page aligned or is at the end of file, we should not skip ++ * that page - discarding the last page is safe enough. ++ */ ++ if ((endbyte & ~PAGE_MASK) != ~PAGE_MASK && ++ endbyte != inode->i_size - 1) { + /* First page is tricky as 0 - 1 = -1, but pgoff_t + * is unsigned, so the end_index >= start_index + * check below would be true and we'll discard the whole diff --git a/queue-4.14/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch b/queue-4.14/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch new file mode 100644 index 00000000000..a1a54f85497 --- /dev/null +++ b/queue-4.14/mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch @@ -0,0 +1,64 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Yisheng Xie +Date: Wed, 31 Jan 2018 16:16:15 -0800 +Subject: mm/mempolicy: add nodes_empty check in SYSC_migrate_pages + +From: Yisheng Xie + + +[ Upstream commit 0486a38bcc4749808edbc848f1bcf232042770fc ] + +As in manpage of migrate_pages, the errno should be set to EINVAL when +none of the node IDs specified by new_nodes are on-line and allowed by +the process's current cpuset context, or none of the specified nodes +contain memory. However, when test by following case: + + new_nodes = 0; + old_nodes = 0xf; + ret = migrate_pages(pid, old_nodes, new_nodes, MAX); + +The ret will be 0 and no errno is set. As the new_nodes is empty, we +should expect EINVAL as documented. + +To fix the case like above, this patch check whether target nodes AND +current task_nodes is empty, and then check whether AND +node_states[N_MEMORY] is empty. + +Link: http://lkml.kernel.org/r/1510882624-44342-4-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Yisheng Xie +Acked-by: Vlastimil Babka +Cc: Andi Kleen +Cc: Chris Salls +Cc: Christopher Lameter +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Naoya Horiguchi +Cc: Tan Xiaojun +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1440,10 +1440,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi + goto out_put; + } + +- if (!nodes_subset(*new, node_states[N_MEMORY])) { +- err = -EINVAL; ++ task_nodes = cpuset_mems_allowed(current); ++ nodes_and(*new, *new, task_nodes); ++ if (nodes_empty(*new)) ++ goto out_put; ++ ++ nodes_and(*new, *new, node_states[N_MEMORY]); ++ if (nodes_empty(*new)) + goto out_put; +- } + + err = security_task_movememory(task); + if (err) diff --git a/queue-4.14/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch b/queue-4.14/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch new file mode 100644 index 00000000000..83e2f223cca --- /dev/null +++ b/queue-4.14/mm-mempolicy-fix-the-check-of-nodemask-from-user.patch @@ -0,0 +1,111 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Yisheng Xie +Date: Wed, 31 Jan 2018 16:16:11 -0800 +Subject: mm/mempolicy: fix the check of nodemask from user + +From: Yisheng Xie + + +[ Upstream commit 56521e7a02b7b84a5e72691a1fb15570e6055545 ] + +As Xiaojun reported the ltp of migrate_pages01 will fail on arm64 system +which has 4 nodes[0...3], all have memory and CONFIG_NODES_SHIFT=2: + + migrate_pages01 0 TINFO : test_invalid_nodes + migrate_pages01 14 TFAIL : migrate_pages_common.c:45: unexpected failure - returned value = 0, expected: -1 + migrate_pages01 15 TFAIL : migrate_pages_common.c:55: call succeeded unexpectedly + +In this case the test_invalid_nodes of migrate_pages01 will call: +SYSC_migrate_pages as: + + migrate_pages(0, , {0x0000000000000001}, 64, , {0x0000000000000010}, 64) = 0 + +The new nodes specifies one or more node IDs that are greater than the +maximum supported node ID, however, the errno is not set to EINVAL as +expected. + +As man pages of set_mempolicy[1], mbind[2], and migrate_pages[3] +mentioned, when nodemask specifies one or more node IDs that are greater +than the maximum supported node ID, the errno should set to EINVAL. +However, get_nodes only check whether the part of bits +[BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES), maxnode) is zero or not, and +remain [MAX_NUMNODES, BITS_PER_LONG*BITS_TO_LONGS(MAX_NUMNODES) +unchecked. + +This patch is to check the bits of [MAX_NUMNODES, maxnode) in get_nodes +to let migrate_pages set the errno to EINVAL when nodemask specifies one +or more node IDs that are greater than the maximum supported node ID, +which follows the manpage's guide. + +[1] http://man7.org/linux/man-pages/man2/set_mempolicy.2.html +[2] http://man7.org/linux/man-pages/man2/mbind.2.html +[3] http://man7.org/linux/man-pages/man2/migrate_pages.2.html + +Link: http://lkml.kernel.org/r/1510882624-44342-3-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Yisheng Xie +Reported-by: Tan Xiaojun +Acked-by: Vlastimil Babka +Cc: Andi Kleen +Cc: Chris Salls +Cc: Christopher Lameter +Cc: David Rientjes +Cc: Ingo Molnar +Cc: Naoya Horiguchi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 23 ++++++++++++++++++++--- + 1 file changed, 20 insertions(+), 3 deletions(-) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -1262,6 +1262,7 @@ static int get_nodes(nodemask_t *nodes, + unsigned long maxnode) + { + unsigned long k; ++ unsigned long t; + unsigned long nlongs; + unsigned long endmask; + +@@ -1278,13 +1279,19 @@ static int get_nodes(nodemask_t *nodes, + else + endmask = (1UL << (maxnode % BITS_PER_LONG)) - 1; + +- /* When the user specified more nodes than supported just check +- if the non supported part is all zero. */ ++ /* ++ * When the user specified more nodes than supported just check ++ * if the non supported part is all zero. ++ * ++ * If maxnode have more longs than MAX_NUMNODES, check ++ * the bits in that area first. And then go through to ++ * check the rest bits which equal or bigger than MAX_NUMNODES. ++ * Otherwise, just check bits [MAX_NUMNODES, maxnode). ++ */ + if (nlongs > BITS_TO_LONGS(MAX_NUMNODES)) { + if (nlongs > PAGE_SIZE/sizeof(long)) + return -EINVAL; + for (k = BITS_TO_LONGS(MAX_NUMNODES); k < nlongs; k++) { +- unsigned long t; + if (get_user(t, nmask + k)) + return -EFAULT; + if (k == nlongs - 1) { +@@ -1297,6 +1304,16 @@ static int get_nodes(nodemask_t *nodes, + endmask = ~0UL; + } + ++ if (maxnode > MAX_NUMNODES && MAX_NUMNODES % BITS_PER_LONG != 0) { ++ unsigned long valid_mask = endmask; ++ ++ valid_mask &= ~((1UL << (MAX_NUMNODES % BITS_PER_LONG)) - 1); ++ if (get_user(t, nmask + nlongs - 1)) ++ return -EFAULT; ++ if (t & valid_mask) ++ return -EINVAL; ++ } ++ + if (copy_from_user(nodes_addr(*nodes), nmask, nlongs*sizeof(unsigned long))) + return -EFAULT; + nodes_addr(*nodes)[nlongs-1] &= endmask; diff --git a/queue-4.14/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch b/queue-4.14/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch new file mode 100644 index 00000000000..74896148a73 --- /dev/null +++ b/queue-4.14/mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch @@ -0,0 +1,94 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Mel Gorman +Date: Wed, 31 Jan 2018 16:19:52 -0800 +Subject: mm: pin address_space before dereferencing it while isolating an LRU page + +From: Mel Gorman + + +[ Upstream commit 69d763fc6d3aee787a3e8c8c35092b4f4960fa5d ] + +Minchan Kim asked the following question -- what locks protects +address_space destroying when race happens between inode trauncation and +__isolate_lru_page? Jan Kara clarified by describing the race as follows + +CPU1 CPU2 + +truncate(inode) __isolate_lru_page() + ... + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + if (mapping && !mapping->a_ops->migratepage) +- we've dereferenced mapping which is potentially already free. + +The race is theoretically possible but unlikely. Before the +delete_from_page_cache, truncate_cleanup_page is called so the page is +likely to be !PageDirty or PageWriteback which gets skipped by the only +caller that checks the mappping in __isolate_lru_page. Even if the race +occurs, a substantial amount of work has to happen during a tiny window +with no preemption but it could potentially be done using a virtual +machine to artifically slow one CPU or halt it during the critical +window. + +This patch should eliminate the race with truncation by try-locking the +page before derefencing mapping and aborting if the lock was not +acquired. There was a suggestion from Huang Ying to use RCU as a +side-effect to prevent mapping being freed. However, I do not like the +solution as it's an unconventional means of preserving a mapping and +it's not a context where rcu_read_lock is obviously protecting rcu data. + +Link: http://lkml.kernel.org/r/20180104102512.2qos3h5vqzeisrek@techsingularity.net +Fixes: c82449352854 ("mm: compaction: make isolate_lru_page() filter-aware again") +Signed-off-by: Mel Gorman +Acked-by: Minchan Kim +Cc: "Huang, Ying" +Cc: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -1436,14 +1436,24 @@ int __isolate_lru_page(struct page *page + + if (PageDirty(page)) { + struct address_space *mapping; ++ bool migrate_dirty; + + /* + * Only pages without mappings or that have a + * ->migratepage callback are possible to migrate +- * without blocking ++ * without blocking. However, we can be racing with ++ * truncation so it's necessary to lock the page ++ * to stabilise the mapping as truncation holds ++ * the page lock until after the page is removed ++ * from the page cache. + */ ++ if (!trylock_page(page)) ++ return ret; ++ + mapping = page_mapping(page); +- if (mapping && !mapping->a_ops->migratepage) ++ migrate_dirty = mapping && mapping->a_ops->migratepage; ++ unlock_page(page); ++ if (!migrate_dirty) + return ret; + } + } diff --git a/queue-4.14/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch b/queue-4.14/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch new file mode 100644 index 00000000000..d1b53ad7d18 --- /dev/null +++ b/queue-4.14/mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch @@ -0,0 +1,95 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Yang Shi +Date: Wed, 31 Jan 2018 16:18:28 -0800 +Subject: mm: thp: use down_read_trylock() in khugepaged to avoid long block + +From: Yang Shi + + +[ Upstream commit 3b454ad35043dfbd3b5d2bb92b0991d6342afb44 ] + +In the current design, khugepaged needs to acquire mmap_sem before +scanning an mm. But in some corner cases, khugepaged may scan a process +which is modifying its memory mapping, so khugepaged blocks in +uninterruptible state. But the process might hold the mmap_sem for a +long time when modifying a huge memory space and it may trigger the +below khugepaged hung issue: + + INFO: task khugepaged:270 blocked for more than 120 seconds. + Tainted: G E 4.9.65-006.ali3000.alios7.x86_64 #1 + "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. + khugepaged D 0 270 2 0x00000000  + ffff883f3deae4c0 0000000000000000 ffff883f610596c0 ffff883f7d359440 + ffff883f63818000 ffffc90019adfc78 ffffffff817079a5 d67e5aa8c1860a64 + 0000000000000246 ffff883f7d359440 ffffc90019adfc88 ffff883f610596c0 + Call Trace: + schedule+0x36/0x80 + rwsem_down_read_failed+0xf0/0x150 + call_rwsem_down_read_failed+0x18/0x30 + down_read+0x20/0x40 + khugepaged+0x476/0x11d0 + kthread+0xe6/0x100 + ret_from_fork+0x25/0x30 + +So it sounds pointless to just block khugepaged waiting for the +semaphore so replace down_read() with down_read_trylock() to move to +scan the next mm quickly instead of just blocking on the semaphore so +that other processes can get more chances to install THP. Then +khugepaged can come back to scan the skipped mm when it has finished the +current round full_scan. + +And it appears that the change can improve khugepaged efficiency a +little bit. + +Below is the test result when running LTP on a 24 cores 4GB memory 2 +nodes NUMA VM: + + pristine w/ trylock + full_scan 197 187 + pages_collapsed 21 26 + thp_fault_alloc 40818 44466 + thp_fault_fallback 18413 16679 + thp_collapse_alloc 21 150 + thp_collapse_alloc_failed 14 16 + thp_file_alloc 369 369 + +[akpm@linux-foundation.org: coding-style fixes] +[akpm@linux-foundation.org: tweak comment] +[arnd@arndb.de: avoid uninitialized variable use] + Link: http://lkml.kernel.org/r/20171215125129.2948634-1-arnd@arndb.de +Link: http://lkml.kernel.org/r/1513281203-54878-1-git-send-email-yang.s@alibaba-inc.com +Signed-off-by: Yang Shi +Acked-by: Kirill A. Shutemov +Acked-by: Michal Hocko +Cc: Hugh Dickins +Cc: Andrea Arcangeli +Signed-off-by: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/khugepaged.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -1679,10 +1679,14 @@ static unsigned int khugepaged_scan_mm_s + spin_unlock(&khugepaged_mm_lock); + + mm = mm_slot->mm; +- down_read(&mm->mmap_sem); +- if (unlikely(khugepaged_test_exit(mm))) +- vma = NULL; +- else ++ /* ++ * Don't wait for semaphore (to avoid long wait times). Just move to ++ * the next mm on the list. ++ */ ++ vma = NULL; ++ if (unlikely(!down_read_trylock(&mm->mmap_sem))) ++ goto breakouterloop_mmap_sem; ++ if (likely(!khugepaged_test_exit(mm))) + vma = find_vma(mm, khugepaged_scan.address); + + progress++; diff --git a/queue-4.14/net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch b/queue-4.14/net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch new file mode 100644 index 00000000000..3b5187b51a5 --- /dev/null +++ b/queue-4.14/net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Mathieu Malaterre +Date: Wed, 7 Feb 2018 20:35:00 +0100 +Subject: net: Extra '_get' in declaration of arch_get_platform_mac_address + +From: Mathieu Malaterre + + +[ Upstream commit e728789c52afccc1275cba1dd812f03abe16ea3c ] + +In commit c7f5d105495a ("net: Add eth_platform_get_mac_address() helper."), +two declarations were added: + + int eth_platform_get_mac_address(struct device *dev, u8 *mac_addr); + unsigned char *arch_get_platform_get_mac_address(void); + +An extra '_get' was introduced in arch_get_platform_get_mac_address, remove +it. Fix compile warning using W=1: + + CC net/ethernet/eth.o +net/ethernet/eth.c:523:24: warning: no previous prototype for ‘arch_get_platform_mac_address’ [-Wmissing-prototypes] + unsigned char * __weak arch_get_platform_mac_address(void) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + AR net/ethernet/built-in.o + +Signed-off-by: Mathieu Malaterre +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/etherdevice.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/etherdevice.h ++++ b/include/linux/etherdevice.h +@@ -31,7 +31,7 @@ + #ifdef __KERNEL__ + struct device; + int eth_platform_get_mac_address(struct device *dev, u8 *mac_addr); +-unsigned char *arch_get_platform_get_mac_address(void); ++unsigned char *arch_get_platform_mac_address(void); + u32 eth_get_headlen(void *data, unsigned int max_len); + __be16 eth_type_trans(struct sk_buff *skb, struct net_device *dev); + extern const struct header_ops eth_header_ops; diff --git a/queue-4.14/net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch b/queue-4.14/net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch new file mode 100644 index 00000000000..b9893fa5b40 --- /dev/null +++ b/queue-4.14/net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Niklas Cassel +Date: Fri, 9 Feb 2018 17:22:45 +0100 +Subject: net: stmmac: discard disabled flags in interrupt status register + +From: Niklas Cassel + + +[ Upstream commit 1b84ca187510f60f00f4e15255043ce19bb30410 ] + +The interrupt status register in both dwmac1000 and dwmac4 ignores +interrupt enable (for dwmac4) / interrupt mask (for dwmac1000). +Therefore, if we want to check only the bits that can actually trigger +an irq, we have to filter the interrupt status register manually. + +Commit 0a764db10337 ("stmmac: Discard masked flags in interrupt status +register") fixed this for dwmac1000. Fix the same issue for dwmac4. + +Just like commit 0a764db10337 ("stmmac: Discard masked flags in +interrupt status register"), this makes sure that we do not get +spurious link up/link down prints. + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c +@@ -562,10 +562,12 @@ static int dwmac4_irq_status(struct mac_ + struct stmmac_extra_stats *x) + { + void __iomem *ioaddr = hw->pcsr; +- u32 intr_status; ++ u32 intr_status = readl(ioaddr + GMAC_INT_STATUS); ++ u32 intr_enable = readl(ioaddr + GMAC_INT_EN); + int ret = 0; + +- intr_status = readl(ioaddr + GMAC_INT_STATUS); ++ /* Discard disabled bits */ ++ intr_status &= intr_enable; + + /* Not used events (e.g. MMC interrupts) are not handled. */ + if ((intr_status & mmc_tx_irq)) diff --git a/queue-4.14/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch b/queue-4.14/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch new file mode 100644 index 00000000000..b0ca0254d8e --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 15 Jan 2018 18:10:14 +0100 +Subject: net: stmmac: dwmac-meson8b: fix setting the RGMII TX clock on Meson8b + +From: Martin Blumenstingl + + +[ Upstream commit 433c6cab9d298687c097f6ee82e49157044dc7c6 ] + +Meson8b only supports MPLL2 as clock input. The rate of the MPLL2 clock +set by Odroid-C1's u-boot is close to (but not exactly) 500MHz. The +exact rate is 500002394Hz, which is calculated in +drivers/clk/meson/clk-mpll.c using the following formula: +DIV_ROUND_UP_ULL((u64)parent_rate * SDM_DEN, (SDM_DEN * n2) + sdm) +Odroid-C1's u-boot configures MPLL2 with the following values: +- SDM_DEN = 16384 +- SDM = 1638 +- N2 = 5 + +The 250MHz clock (m250_div) inside dwmac-meson8b driver is derived from +the MPLL2 clock. Due to MPLL2 running slightly faster than 500MHz the +common clock framework chooses a divider which is too big to generate +the 250MHz clock (a divider of 2 would be needed, but this is rounded up +to a divider of 3). This breaks the RTL8211F RGMII PHY on Odroid-C1 +because it requires a (close to) 125MHz RGMII TX clock (on Gbit speeds, +the IP block internally divides that down to 25MHz on 100Mbit/s +connections and 2.5MHz on 10Mbit/s connections - we don't need any +special configuration for that). + +Round the divider to the closest value to prevent this issue on Meson8b. +This means we'll now end up with a clock rate for the RGMII TX clock of +125001197Hz (= 125MHz plus 1197Hz), which is close-enough to 125MHz. +This has no effect on the Meson GX SoCs since there fclk_div2 is used as +input clock, which has a rate of 1000MHz (and thus is divisible cleanly +to 250MHz and 125MHz). + +Fixes: 566e8251625304 ("net: stmmac: add a glue driver for the Amlogic Meson 8b / GXBB DWMAC") +Reported-by: Emiliano Ingrassia +Signed-off-by: Martin Blumenstingl +Reviewed-by: Jerome Brunet +Tested-by: Jerome Brunet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c +@@ -144,7 +144,9 @@ static int meson8b_init_clk(struct meson + dwmac->m250_div.shift = PRG_ETH0_CLK_M250_DIV_SHIFT; + dwmac->m250_div.width = PRG_ETH0_CLK_M250_DIV_WIDTH; + dwmac->m250_div.hw.init = &init; +- dwmac->m250_div.flags = CLK_DIVIDER_ONE_BASED | CLK_DIVIDER_ALLOW_ZERO; ++ dwmac->m250_div.flags = CLK_DIVIDER_ONE_BASED | ++ CLK_DIVIDER_ALLOW_ZERO | ++ CLK_DIVIDER_ROUND_CLOSEST; + + dwmac->m250_div_clk = devm_clk_register(dev, &dwmac->m250_div.hw); + if (WARN_ON(IS_ERR(dwmac->m250_div_clk))) diff --git a/queue-4.14/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch b/queue-4.14/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch new file mode 100644 index 00000000000..62b9a62a20a --- /dev/null +++ b/queue-4.14/net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Martin Blumenstingl +Date: Mon, 15 Jan 2018 18:10:15 +0100 +Subject: net: stmmac: dwmac-meson8b: propagate rate changes to the parent clock + +From: Martin Blumenstingl + + +[ Upstream commit fb7d38a70e1d8ffd54f7a7464dcc4889d7e490ad ] + +On Meson8b the only valid input clock is MPLL2. The bootloader +configures that to run at 500002394Hz which cannot be divided evenly +down to 125MHz using the m250_div clock. Currently the common clock +framework chooses a m250_div of 2 - with the internal fixed +"divide by 10" this results in a RGMII TX clock of 125001197Hz (120Hz +above the requested 125MHz). + +Letting the common clock framework propagate the rate changes up to the +parent of m250_mux allows us to get the best possible clock rate. With +this patch the common clock framework calculates a rate of +very-close-to-250MHz (249999701Hz to be exact) for the MPLL2 clock +(which is the mux input). Dividing that by 2 (which is an internal, +fixed divider for the RGMII TX clock) gives us an RGMII TX clock of +124999850Hz (which is only 150Hz off the requested 125MHz, compared to +1197Hz based on the MPLL2 rate set by u-boot and the Amlogic GPL kernel +sources). + +SoCs from the Meson GX series are not affected by this change because +the input clock is FCLK_DIV2 whose rate cannot be changed (which is fine +since it's running at 1GHz, so it's already a multiple of 250MHz and +125MHz). + +Fixes: 566e8251625304 ("net: stmmac: add a glue driver for the Amlogic Meson 8b / GXBB DWMAC") +Suggested-by: Jerome Brunet +Signed-off-by: Martin Blumenstingl +Reviewed-by: Jerome Brunet +Tested-by: Jerome Brunet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-meson8b.c +@@ -116,7 +116,7 @@ static int meson8b_init_clk(struct meson + snprintf(clk_name, sizeof(clk_name), "%s#m250_sel", dev_name(dev)); + init.name = clk_name; + init.ops = &clk_mux_ops; +- init.flags = 0; ++ init.flags = CLK_SET_RATE_PARENT; + init.parent_names = mux_parent_names; + init.num_parents = MUX_CLK_NUM_PARENTS; + diff --git a/queue-4.14/netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch b/queue-4.14/netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch new file mode 100644 index 00000000000..38b8c464d8c --- /dev/null +++ b/queue-4.14/netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch @@ -0,0 +1,171 @@ +From 9782a11efc072faaf91d4aa60e9d23553f918029 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 27 Feb 2018 19:42:34 +0100 +Subject: netfilter: compat: prepare xt_compat_init_offsets to return errors + +From: Florian Westphal + +commit 9782a11efc072faaf91d4aa60e9d23553f918029 upstream. + +should have no impact, function still always returns 0. +This patch is only to ease review. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/x_tables.h | 2 +- + net/bridge/netfilter/ebtables.c | 10 ++++++++-- + net/ipv4/netfilter/arp_tables.c | 10 +++++++--- + net/ipv4/netfilter/ip_tables.c | 8 ++++++-- + net/ipv6/netfilter/ip6_tables.c | 10 +++++++--- + net/netfilter/x_tables.c | 4 +++- + 6 files changed, 32 insertions(+), 12 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -508,7 +508,7 @@ void xt_compat_unlock(u_int8_t af); + + int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta); + void xt_compat_flush_offsets(u_int8_t af); +-void xt_compat_init_offsets(u_int8_t af, unsigned int number); ++int xt_compat_init_offsets(u8 af, unsigned int number); + int xt_compat_calc_jump(u_int8_t af, unsigned int offset); + + int xt_compat_match_offset(const struct xt_match *match); +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1819,10 +1819,14 @@ static int compat_table_info(const struc + { + unsigned int size = info->entries_size; + const void *entries = info->entries; ++ int ret; + + newinfo->entries_size = size; + +- xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries); ++ ret = xt_compat_init_offsets(NFPROTO_BRIDGE, info->nentries); ++ if (ret) ++ return ret; ++ + return EBT_ENTRY_ITERATE(entries, size, compat_calc_entry, info, + entries, newinfo); + } +@@ -2257,7 +2261,9 @@ static int compat_do_replace(struct net + + xt_compat_lock(NFPROTO_BRIDGE); + +- xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries); ++ ret = xt_compat_init_offsets(NFPROTO_BRIDGE, tmp.nentries); ++ if (ret < 0) ++ goto out_unlock; + ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); + if (ret < 0) + goto out_unlock; +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -768,7 +768,9 @@ static int compat_table_info(const struc + memcpy(newinfo, info, offsetof(struct xt_table_info, entries)); + newinfo->initial_entries = 0; + loc_cpu_entry = info->entries; +- xt_compat_init_offsets(NFPROTO_ARP, info->number); ++ ret = xt_compat_init_offsets(NFPROTO_ARP, info->number); ++ if (ret) ++ return ret; + xt_entry_foreach(iter, loc_cpu_entry, info->size) { + ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo); + if (ret != 0) +@@ -1157,7 +1159,7 @@ static int translate_compat_table(struct + struct compat_arpt_entry *iter0; + struct arpt_replace repl; + unsigned int size; +- int ret = 0; ++ int ret; + + info = *pinfo; + entry0 = *pentry0; +@@ -1166,7 +1168,9 @@ static int translate_compat_table(struct + + j = 0; + xt_compat_lock(NFPROTO_ARP); +- xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); ++ ret = xt_compat_init_offsets(NFPROTO_ARP, compatr->num_entries); ++ if (ret) ++ goto out_unlock; + /* Walk through entries, checking offsets. */ + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -931,7 +931,9 @@ static int compat_table_info(const struc + memcpy(newinfo, info, offsetof(struct xt_table_info, entries)); + newinfo->initial_entries = 0; + loc_cpu_entry = info->entries; +- xt_compat_init_offsets(AF_INET, info->number); ++ ret = xt_compat_init_offsets(AF_INET, info->number); ++ if (ret) ++ return ret; + xt_entry_foreach(iter, loc_cpu_entry, info->size) { + ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo); + if (ret != 0) +@@ -1407,7 +1409,9 @@ translate_compat_table(struct net *net, + + j = 0; + xt_compat_lock(AF_INET); +- xt_compat_init_offsets(AF_INET, compatr->num_entries); ++ ret = xt_compat_init_offsets(AF_INET, compatr->num_entries); ++ if (ret) ++ goto out_unlock; + /* Walk through entries, checking offsets. */ + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -949,7 +949,9 @@ static int compat_table_info(const struc + memcpy(newinfo, info, offsetof(struct xt_table_info, entries)); + newinfo->initial_entries = 0; + loc_cpu_entry = info->entries; +- xt_compat_init_offsets(AF_INET6, info->number); ++ ret = xt_compat_init_offsets(AF_INET6, info->number); ++ if (ret) ++ return ret; + xt_entry_foreach(iter, loc_cpu_entry, info->size) { + ret = compat_calc_entry(iter, info, loc_cpu_entry, newinfo); + if (ret != 0) +@@ -1415,7 +1417,7 @@ translate_compat_table(struct net *net, + struct compat_ip6t_entry *iter0; + struct ip6t_replace repl; + unsigned int size; +- int ret = 0; ++ int ret; + + info = *pinfo; + entry0 = *pentry0; +@@ -1424,7 +1426,9 @@ translate_compat_table(struct net *net, + + j = 0; + xt_compat_lock(AF_INET6); +- xt_compat_init_offsets(AF_INET6, compatr->num_entries); ++ ret = xt_compat_init_offsets(AF_INET6, compatr->num_entries); ++ if (ret) ++ goto out_unlock; + /* Walk through entries, checking offsets. */ + xt_entry_foreach(iter0, entry0, compatr->size) { + ret = check_compat_entry_size_and_hooks(iter0, info, &size, +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -605,10 +605,12 @@ int xt_compat_calc_jump(u_int8_t af, uns + } + EXPORT_SYMBOL_GPL(xt_compat_calc_jump); + +-void xt_compat_init_offsets(u_int8_t af, unsigned int number) ++int xt_compat_init_offsets(u8 af, unsigned int number) + { + xt[af].number = number; + xt[af].cur = 0; ++ ++ return 0; + } + EXPORT_SYMBOL(xt_compat_init_offsets); + diff --git a/queue-4.14/netfilter-compat-reject-huge-allocation-requests.patch b/queue-4.14/netfilter-compat-reject-huge-allocation-requests.patch new file mode 100644 index 00000000000..16468e19a41 --- /dev/null +++ b/queue-4.14/netfilter-compat-reject-huge-allocation-requests.patch @@ -0,0 +1,68 @@ +From 7d7d7e02111e9a4dc9d0658597f528f815d820fd Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 27 Feb 2018 19:42:35 +0100 +Subject: netfilter: compat: reject huge allocation requests + +From: Florian Westphal + +commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd upstream. + +no need to bother even trying to allocating huge compat offset arrays, +such ruleset is rejected later on anyway becaus we refuse to allocate +overly large rule blobs. + +However, compat translation happens before blob allocation, so we should +add a check there too. + +This is supposed to help with fuzzing by avoiding oom-killer. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 26 ++++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -555,14 +555,8 @@ int xt_compat_add_offset(u_int8_t af, un + { + struct xt_af *xp = &xt[af]; + +- if (!xp->compat_tab) { +- if (!xp->number) +- return -EINVAL; +- xp->compat_tab = vmalloc(sizeof(struct compat_delta) * xp->number); +- if (!xp->compat_tab) +- return -ENOMEM; +- xp->cur = 0; +- } ++ if (WARN_ON(!xp->compat_tab)) ++ return -ENOMEM; + + if (xp->cur >= xp->number) + return -EINVAL; +@@ -607,6 +601,22 @@ EXPORT_SYMBOL_GPL(xt_compat_calc_jump); + + int xt_compat_init_offsets(u8 af, unsigned int number) + { ++ size_t mem; ++ ++ if (!number || number > (INT_MAX / sizeof(struct compat_delta))) ++ return -EINVAL; ++ ++ if (WARN_ON(xt[af].compat_tab)) ++ return -EINVAL; ++ ++ mem = sizeof(struct compat_delta) * number; ++ if (mem > XT_MAX_TABLE_SIZE) ++ return -ENOMEM; ++ ++ xt[af].compat_tab = vmalloc(mem); ++ if (!xt[af].compat_tab) ++ return -ENOMEM; ++ + xt[af].number = number; + xt[af].cur = 0; + diff --git a/queue-4.14/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch b/queue-4.14/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch new file mode 100644 index 00000000000..b785d44d661 --- /dev/null +++ b/queue-4.14/netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Subash Abhinov Kasiviswanathan +Date: Wed, 31 Jan 2018 04:50:01 -0700 +Subject: netfilter: ipv6: nf_defrag: Kill frag queue on RFC2460 failure + +From: Subash Abhinov Kasiviswanathan + + +[ Upstream commit ea23d5e3bf340e413b8e05c13da233c99c64142b ] + +Failures were seen in ICMPv6 fragmentation timeout tests if they were +run after the RFC2460 failure tests. Kernel was not sending out the +ICMPv6 fragment reassembly time exceeded packet after the fragmentation +reassembly timeout of 1 minute had elapsed. + +This happened because the frag queue was not released if an error in +IPv6 fragmentation header was detected by RFC2460. + +Fixes: 83f1999caeb1 ("netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460") +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -263,6 +263,7 @@ static int nf_ct_frag6_queue(struct frag + * this case. -DaveM + */ + pr_debug("end of fragment not rounded to 8 bytes.\n"); ++ inet_frag_kill(&fq->q, &nf_frags); + return -EPROTO; + } + if (end > fq->q.len) { diff --git a/queue-4.14/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch b/queue-4.14/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch new file mode 100644 index 00000000000..43bc4942312 --- /dev/null +++ b/queue-4.14/netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch @@ -0,0 +1,103 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Subash Abhinov Kasiviswanathan +Date: Fri, 12 Jan 2018 17:36:27 -0700 +Subject: netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460 + +From: Subash Abhinov Kasiviswanathan + + +[ Upstream commit 83f1999caeb14e15df205e80d210699951733287 ] + +ipv6_defrag pulls network headers before fragment header. In case of +an error, the netfilter layer is currently dropping these packets. +This results in failure of some IPv6 standards tests which passed on +older kernels due to the netfilter framework using cloning. + +The test case run here is a check for ICMPv6 error message replies +when some invalid IPv6 fragments are sent. This specific test case is +listed in https://www.ipv6ready.org/docs/Core_Conformance_Latest.pdf +in the Extension Header Processing Order section. + +A packet with unrecognized option Type 11 is sent and the test expects +an ICMP error in line with RFC2460 section 4.2 - + +11 - discard the packet and, only if the packet's Destination + Address was not a multicast address, send an ICMP Parameter + Problem, Code 2, message to the packet's Source Address, + pointing to the unrecognized Option Type. + +Since netfilter layer now drops all invalid IPv6 frag packets, we no +longer see the ICMP error message and fail the test case. + +To fix this, save the transport header. If defrag is unable to process +the packet due to RFC2460, restore the transport header and allow packet +to be processed by stack. There is no change for other packet +processing paths. + +Tested by confirming that stack sends an ICMP error when it receives +these packets. Also tested that fragmented ICMP pings succeed. + +v1->v2: Instead of cloning always, save the transport_header and +restore it in case of this specific error. Update the title and +commit message accordingly. + +Signed-off-by: Subash Abhinov Kasiviswanathan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -230,7 +230,7 @@ static int nf_ct_frag6_queue(struct frag + + if ((unsigned int)end > IPV6_MAXPLEN) { + pr_debug("offset is too large.\n"); +- return -1; ++ return -EINVAL; + } + + ecn = ip6_frag_ecn(ipv6_hdr(skb)); +@@ -263,7 +263,7 @@ static int nf_ct_frag6_queue(struct frag + * this case. -DaveM + */ + pr_debug("end of fragment not rounded to 8 bytes.\n"); +- return -1; ++ return -EPROTO; + } + if (end > fq->q.len) { + /* Some bits beyond end -> corruption. */ +@@ -357,7 +357,7 @@ found: + discard_fq: + inet_frag_kill(&fq->q, &nf_frags); + err: +- return -1; ++ return -EINVAL; + } + + /* +@@ -566,6 +566,7 @@ find_prev_fhdr(struct sk_buff *skb, u8 * + + int nf_ct_frag6_gather(struct net *net, struct sk_buff *skb, u32 user) + { ++ u16 savethdr = skb->transport_header; + struct net_device *dev = skb->dev; + int fhoff, nhoff, ret; + struct frag_hdr *fhdr; +@@ -599,8 +600,12 @@ int nf_ct_frag6_gather(struct net *net, + + spin_lock_bh(&fq->q.lock); + +- if (nf_ct_frag6_queue(fq, skb, fhdr, nhoff) < 0) { +- ret = -EINVAL; ++ ret = nf_ct_frag6_queue(fq, skb, fhdr, nhoff); ++ if (ret < 0) { ++ if (ret == -EPROTO) { ++ skb->transport_header = savethdr; ++ ret = 0; ++ } + goto out_unlock; + } + diff --git a/queue-4.14/netfilter-x_tables-add-counters-allocation-wrapper.patch b/queue-4.14/netfilter-x_tables-add-counters-allocation-wrapper.patch new file mode 100644 index 00000000000..443793c09ec --- /dev/null +++ b/queue-4.14/netfilter-x_tables-add-counters-allocation-wrapper.patch @@ -0,0 +1,91 @@ +From c84ca954ac9fa67a6ce27f91f01e4451c74fd8f6 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 27 Feb 2018 19:42:33 +0100 +Subject: netfilter: x_tables: add counters allocation wrapper + +From: Florian Westphal + +commit c84ca954ac9fa67a6ce27f91f01e4451c74fd8f6 upstream. + +allows to have size checks in a single spot. +This is supposed to reduce oom situations when fuzz-testing xtables. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/x_tables.h | 1 + + net/ipv4/netfilter/arp_tables.c | 2 +- + net/ipv4/netfilter/ip_tables.c | 2 +- + net/ipv6/netfilter/ip6_tables.c | 2 +- + net/netfilter/x_tables.c | 15 +++++++++++++++ + 5 files changed, 19 insertions(+), 3 deletions(-) + +--- a/include/linux/netfilter/x_tables.h ++++ b/include/linux/netfilter/x_tables.h +@@ -301,6 +301,7 @@ int xt_data_to_user(void __user *dst, co + + void *xt_copy_counters_from_user(const void __user *user, unsigned int len, + struct xt_counters_info *info, bool compat); ++struct xt_counters *xt_counters_alloc(unsigned int counters); + + struct xt_table *xt_register_table(struct net *net, + const struct xt_table *table, +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -883,7 +883,7 @@ static int __do_replace(struct net *net, + struct arpt_entry *iter; + + ret = 0; +- counters = vzalloc(num_counters * sizeof(struct xt_counters)); ++ counters = xt_counters_alloc(num_counters); + if (!counters) { + ret = -ENOMEM; + goto out; +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1044,7 +1044,7 @@ __do_replace(struct net *net, const char + struct ipt_entry *iter; + + ret = 0; +- counters = vzalloc(num_counters * sizeof(struct xt_counters)); ++ counters = xt_counters_alloc(num_counters); + if (!counters) { + ret = -ENOMEM; + goto out; +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1063,7 +1063,7 @@ __do_replace(struct net *net, const char + struct ip6t_entry *iter; + + ret = 0; +- counters = vzalloc(num_counters * sizeof(struct xt_counters)); ++ counters = xt_counters_alloc(num_counters); + if (!counters) { + ret = -ENOMEM; + goto out; +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1187,6 +1187,21 @@ static int xt_jumpstack_alloc(struct xt_ + return 0; + } + ++struct xt_counters *xt_counters_alloc(unsigned int counters) ++{ ++ struct xt_counters *mem; ++ ++ if (counters == 0 || counters > INT_MAX / sizeof(*mem)) ++ return NULL; ++ ++ counters *= sizeof(*mem); ++ if (counters > XT_MAX_TABLE_SIZE) ++ return NULL; ++ ++ return vzalloc(counters); ++} ++EXPORT_SYMBOL(xt_counters_alloc); ++ + struct xt_table_info * + xt_replace_table(struct xt_table *table, + unsigned int num_counters, diff --git a/queue-4.14/netfilter-x_tables-cap-allocations-at-512-mbyte.patch b/queue-4.14/netfilter-x_tables-cap-allocations-at-512-mbyte.patch new file mode 100644 index 00000000000..e448d0b9f19 --- /dev/null +++ b/queue-4.14/netfilter-x_tables-cap-allocations-at-512-mbyte.patch @@ -0,0 +1,40 @@ +From 19926968ea86a286aa6fbea16ee3f2e7442f10f0 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 27 Feb 2018 19:42:31 +0100 +Subject: netfilter: x_tables: cap allocations at 512 mbyte + +From: Florian Westphal + +commit 19926968ea86a286aa6fbea16ee3f2e7442f10f0 upstream. + +Arbitrary limit, however, this still allows huge rulesets +(> 1 million rules). This helps with automated fuzzer as it prevents +oom-killer invocation. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -40,6 +40,7 @@ MODULE_AUTHOR("Harald Welte = XT_MAX_TABLE_SIZE) + return NULL; + + /* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */ diff --git a/queue-4.14/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch b/queue-4.14/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch new file mode 100644 index 00000000000..bb1e7ddbc32 --- /dev/null +++ b/queue-4.14/netfilter-x_tables-fix-pointer-leaks-to-userspace.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Dmitry Vyukov +Date: Mon, 29 Jan 2018 13:21:20 +0100 +Subject: netfilter: x_tables: fix pointer leaks to userspace + +From: Dmitry Vyukov + + +[ Upstream commit 1e98ffea5a8935ec040ab72299e349cb44b8defd ] + +Several netfilter matches and targets put kernel pointers into +info objects, but don't set usersize in descriptors. +This leads to kernel pointer leaks if a match/target is set +and then read back to userspace. + +Properly set usersize for these matches/targets. + +Found with manual code inspection. + +Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize") +Signed-off-by: Dmitry Vyukov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_IDLETIMER.c | 1 + + net/netfilter/xt_LED.c | 1 + + net/netfilter/xt_limit.c | 3 +-- + net/netfilter/xt_nfacct.c | 1 + + net/netfilter/xt_statistic.c | 1 + + 5 files changed, 5 insertions(+), 2 deletions(-) + +--- a/net/netfilter/xt_IDLETIMER.c ++++ b/net/netfilter/xt_IDLETIMER.c +@@ -256,6 +256,7 @@ static struct xt_target idletimer_tg __r + .family = NFPROTO_UNSPEC, + .target = idletimer_tg_target, + .targetsize = sizeof(struct idletimer_tg_info), ++ .usersize = offsetof(struct idletimer_tg_info, timer), + .checkentry = idletimer_tg_checkentry, + .destroy = idletimer_tg_destroy, + .me = THIS_MODULE, +--- a/net/netfilter/xt_LED.c ++++ b/net/netfilter/xt_LED.c +@@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __rea + .family = NFPROTO_UNSPEC, + .target = led_tg, + .targetsize = sizeof(struct xt_led_info), ++ .usersize = offsetof(struct xt_led_info, internal_data), + .checkentry = led_tg_check, + .destroy = led_tg_destroy, + .me = THIS_MODULE, +--- a/net/netfilter/xt_limit.c ++++ b/net/netfilter/xt_limit.c +@@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __re + .compatsize = sizeof(struct compat_xt_rateinfo), + .compat_from_user = limit_mt_compat_from_user, + .compat_to_user = limit_mt_compat_to_user, +-#else +- .usersize = offsetof(struct xt_rateinfo, prev), + #endif ++ .usersize = offsetof(struct xt_rateinfo, prev), + .me = THIS_MODULE, + }; + +--- a/net/netfilter/xt_nfacct.c ++++ b/net/netfilter/xt_nfacct.c +@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __r + .match = nfacct_mt, + .destroy = nfacct_mt_destroy, + .matchsize = sizeof(struct xt_nfacct_match_info), ++ .usersize = offsetof(struct xt_nfacct_match_info, nfacct), + .me = THIS_MODULE, + }; + +--- a/net/netfilter/xt_statistic.c ++++ b/net/netfilter/xt_statistic.c +@@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_r + .checkentry = statistic_mt_check, + .destroy = statistic_mt_destroy, + .matchsize = sizeof(struct xt_statistic_info), ++ .usersize = offsetof(struct xt_statistic_info, master), + .me = THIS_MODULE, + }; + diff --git a/queue-4.14/netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch b/queue-4.14/netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch new file mode 100644 index 00000000000..b759eb5e4a6 --- /dev/null +++ b/queue-4.14/netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch @@ -0,0 +1,32 @@ +From 9d5c12a7c08f67999772065afd50fb222072114e Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 27 Feb 2018 19:42:32 +0100 +Subject: netfilter: x_tables: limit allocation requests for blob rule heads + +From: Florian Westphal + +commit 9d5c12a7c08f67999772065afd50fb222072114e upstream. + +This is a very conservative limit (134217728 rules), but good +enough to not trigger frequent oom from syzkaller. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -819,6 +819,9 @@ EXPORT_SYMBOL(xt_check_entry_offsets); + */ + unsigned int *xt_alloc_entry_offsets(unsigned int size) + { ++ if (size > XT_MAX_TABLE_SIZE / sizeof(unsigned int)) ++ return NULL; ++ + return kvmalloc_array(size, sizeof(unsigned int), GFP_KERNEL | __GFP_ZERO); + + } diff --git a/queue-4.14/nfp-fix-error-return-code-in-nfp_pci_probe.patch b/queue-4.14/nfp-fix-error-return-code-in-nfp_pci_probe.patch new file mode 100644 index 00000000000..4c315673880 --- /dev/null +++ b/queue-4.14/nfp-fix-error-return-code-in-nfp_pci_probe.patch @@ -0,0 +1,33 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Wei Yongjun +Date: Tue, 23 Jan 2018 02:10:27 +0000 +Subject: nfp: fix error return code in nfp_pci_probe() + +From: Wei Yongjun + + +[ Upstream commit e58decc9c51eb61697aba35ba8eda33f4b80552d ] + +Fix to return error code -EINVAL instead of 0 when num_vfs above +limit_vfs, as done elsewhere in this function. + +Fixes: 0dc786219186 ("nfp: handle SR-IOV already enabled when driver is probing") +Signed-off-by: Wei Yongjun +Acked-by: Jakub Kicinski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/netronome/nfp/nfp_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/netronome/nfp/nfp_main.c ++++ b/drivers/net/ethernet/netronome/nfp/nfp_main.c +@@ -492,6 +492,7 @@ static int nfp_pci_probe(struct pci_dev + dev_err(&pdev->dev, + "Error: %d VFs already enabled, but loaded FW can only support %d\n", + pf->num_vfs, pf->limit_vfs); ++ err = -EINVAL; + goto err_fw_unload; + } + diff --git a/queue-4.14/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch b/queue-4.14/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch new file mode 100644 index 00000000000..55f478efe56 --- /dev/null +++ b/queue-4.14/nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jan Chochol +Date: Fri, 5 Jan 2018 08:39:12 +0100 +Subject: nfs: Do not convert nfs_idmap_cache_timeout to jiffies + +From: Jan Chochol + + +[ Upstream commit cbebc6ef4fc830f4040d4140bf53484812d5d5d9 ] + +Since commit 57e62324e469 ("NFS: Store the legacy idmapper result in the +keyring") nfs_idmap_cache_timeout changed units from jiffies to seconds. +Unfortunately sysctl interface was not updated accordingly. + +As a effect updating /proc/sys/fs/nfs/idmap_cache_timeout with some +value will incorrectly multiply this value by HZ. +Also reading /proc/sys/fs/nfs/idmap_cache_timeout will show real value +divided by HZ. + +Fixes: 57e62324e469 ("NFS: Store the legacy idmapper result in the keyring") +Signed-off-by: Jan Chochol +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4sysctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/nfs4sysctl.c ++++ b/fs/nfs/nfs4sysctl.c +@@ -32,7 +32,7 @@ static struct ctl_table nfs4_cb_sysctls[ + .data = &nfs_idmap_cache_timeout, + .maxlen = sizeof(int), + .mode = 0644, +- .proc_handler = proc_dointvec_jiffies, ++ .proc_handler = proc_dointvec, + }, + { } + }; diff --git a/queue-4.14/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch b/queue-4.14/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch new file mode 100644 index 00000000000..8585a9eb912 --- /dev/null +++ b/queue-4.14/nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch @@ -0,0 +1,105 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: NeilBrown +Date: Wed, 13 Dec 2017 09:57:09 +1100 +Subject: NFSv4: always set NFS_LOCK_LOST when a lock is lost. + +From: NeilBrown + + +[ Upstream commit dce2630c7da73b0634686bca557cc8945cc450c8 ] + +There are 2 comments in the NFSv4 code which suggest that +SIGLOST should possibly be sent to a process. In these +cases a lock has been lost. +The current practice is to set NFS_LOCK_LOST so that +read/write returns EIO when a lock is lost. +So change these comments to code when sets NFS_LOCK_LOST. + +One case is when lock recovery after apparent server restart +fails with NFS4ERR_DENIED, NFS4ERR_RECLAIM_BAD, or +NFS4ERRO_RECLAIM_CONFLICT. The other case is when a lock +attempt as part of lease recovery fails with NFS4ERR_DENIED. + +In an ideal world, these should not happen. However I have +a packet trace showing an NFSv4.1 session getting +NFS4ERR_BADSESSION after an extended network parition. The +NFSv4.1 client treats this like server reboot until/unless +it get NFS4ERR_NO_GRACE, in which case it switches over to +"nograce" recovery mode. In this network trace, the client +attempts to recover a lock and the server (incorrectly) +reports NFS4ERR_DENIED rather than NFS4ERR_NO_GRACE. This +leads to the ineffective comment and the client then +continues to write using the OPEN stateid. + +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 12 ++++++++---- + fs/nfs/nfs4state.c | 5 ++++- + 2 files changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1885,7 +1885,7 @@ static int nfs4_open_reclaim(struct nfs4 + return ret; + } + +-static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, int err) ++static int nfs4_handle_delegation_recall_error(struct nfs_server *server, struct nfs4_state *state, const nfs4_stateid *stateid, struct file_lock *fl, int err) + { + switch (err) { + default: +@@ -1932,7 +1932,11 @@ static int nfs4_handle_delegation_recall + return -EAGAIN; + case -ENOMEM: + case -NFS4ERR_DENIED: +- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ ++ if (fl) { ++ struct nfs4_lock_state *lsp = fl->fl_u.nfs4_fl.owner; ++ if (lsp) ++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); ++ } + return 0; + } + return err; +@@ -1968,7 +1972,7 @@ int nfs4_open_delegation_recall(struct n + err = nfs4_open_recover_helper(opendata, FMODE_READ); + } + nfs4_opendata_put(opendata); +- return nfs4_handle_delegation_recall_error(server, state, stateid, err); ++ return nfs4_handle_delegation_recall_error(server, state, stateid, NULL, err); + } + + static void nfs4_open_confirm_prepare(struct rpc_task *task, void *calldata) +@@ -6595,7 +6599,7 @@ int nfs4_lock_delegation_recall(struct f + if (err != 0) + return err; + err = _nfs4_do_setlk(state, F_SETLK, fl, NFS_LOCK_NEW); +- return nfs4_handle_delegation_recall_error(server, state, stateid, err); ++ return nfs4_handle_delegation_recall_error(server, state, stateid, fl, err); + } + + struct nfs_release_lockowner_data { +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1447,6 +1447,7 @@ static int nfs4_reclaim_locks(struct nfs + struct inode *inode = state->inode; + struct nfs_inode *nfsi = NFS_I(inode); + struct file_lock *fl; ++ struct nfs4_lock_state *lsp; + int status = 0; + struct file_lock_context *flctx = inode->i_flctx; + struct list_head *list; +@@ -1487,7 +1488,9 @@ restart: + case -NFS4ERR_DENIED: + case -NFS4ERR_RECLAIM_BAD: + case -NFS4ERR_RECLAIM_CONFLICT: +- /* kill_proc(fl->fl_pid, SIGLOST, 1); */ ++ lsp = fl->fl_u.nfs4_fl.owner; ++ if (lsp) ++ set_bit(NFS_LOCK_LOST, &lsp->ls_flags); + status = 0; + } + spin_lock(&flctx->flc_lock); diff --git a/queue-4.14/ntb_transport-fix-bug-with-max_mw_size-parameter.patch b/queue-4.14/ntb_transport-fix-bug-with-max_mw_size-parameter.patch new file mode 100644 index 00000000000..d5b1a2ffc1c --- /dev/null +++ b/queue-4.14/ntb_transport-fix-bug-with-max_mw_size-parameter.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Logan Gunthorpe +Date: Mon, 18 Dec 2017 11:25:05 -0700 +Subject: ntb_transport: Fix bug with max_mw_size parameter + +From: Logan Gunthorpe + + +[ Upstream commit cbd27448faff4843ac4b66cc71445a10623ff48d ] + +When using the max_mw_size parameter of ntb_transport to limit the size of +the Memory windows, communication cannot be established and the queues +freeze. + +This is because the mw_size that's reported to the peer is correctly +limited but the size used locally is not. So the MW is initialized +with a buffer smaller than the window but the TX side is using the +full window. This means the TX side will be writing to a region of the +window that points nowhere. + +This is easily fixed by applying the same limit to tx_size in +ntb_transport_init_queue(). + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") +Signed-off-by: Logan Gunthorpe +Acked-by: Allen Hubbe +Cc: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/ntb_transport.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -998,6 +998,9 @@ static int ntb_transport_init_queue(stru + mw_base = nt->mw_vec[mw_num].phys_addr; + mw_size = nt->mw_vec[mw_num].phys_size; + ++ if (max_mw_size && mw_size > max_mw_size) ++ mw_size = max_mw_size; ++ + tx_size = (unsigned int)mw_size / num_qps_mw; + qp_offset = tx_size * (qp_num / mw_count); + diff --git a/queue-4.14/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch b/queue-4.14/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch new file mode 100644 index 00000000000..d39e4ec8505 --- /dev/null +++ b/queue-4.14/ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch @@ -0,0 +1,92 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:14:59 -0800 +Subject: ocfs2/acl: use 'ip_xattr_sem' to protect getting extended attribute + +From: piaojun + + +[ Upstream commit 16c8d569f5704a84164f30ff01b29879f3438065 ] + +The race between *set_acl and *get_acl will cause getting incomplete +xattr data as below: + + processA processB + + ocfs2_set_acl + ocfs2_xattr_set + __ocfs2_xattr_set_handle + + ocfs2_get_acl_nolock + ocfs2_xattr_get_nolock: + +processB may get incomplete xattr data if processA hasn't set_acl done. + +So we should use 'ip_xattr_sem' to protect getting extended attribute in +ocfs2_get_acl_nolock(), as other processes could be changing it +concurrently. + +Link: http://lkml.kernel.org/r/5A5DDCFF.7030001@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Alex Chen +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/acl.c | 6 ++++++ + fs/ocfs2/xattr.c | 2 ++ + 2 files changed, 8 insertions(+) + +--- a/fs/ocfs2/acl.c ++++ b/fs/ocfs2/acl.c +@@ -311,7 +311,9 @@ struct posix_acl *ocfs2_iop_get_acl(stru + if (had_lock < 0) + return ERR_PTR(had_lock); + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, type, di_bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + + ocfs2_inode_unlock_tracker(inode, 0, &oh, had_lock); + brelse(di_bh); +@@ -330,7 +332,9 @@ int ocfs2_acl_chmod(struct inode *inode, + if (!(osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL)) + return 0; + ++ down_read(&OCFS2_I(inode)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(inode, ACL_TYPE_ACCESS, bh); ++ up_read(&OCFS2_I(inode)->ip_xattr_sem); + if (IS_ERR(acl) || !acl) + return PTR_ERR(acl); + ret = __posix_acl_chmod(&acl, GFP_KERNEL, inode->i_mode); +@@ -361,8 +365,10 @@ int ocfs2_init_acl(handle_t *handle, + + if (!S_ISLNK(inode->i_mode)) { + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { ++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl = ocfs2_get_acl_nolock(dir, ACL_TYPE_DEFAULT, + dir_bh); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (IS_ERR(acl)) + return PTR_ERR(acl); + } +--- a/fs/ocfs2/xattr.c ++++ b/fs/ocfs2/xattr.c +@@ -638,9 +638,11 @@ int ocfs2_calc_xattr_init(struct inode * + si->value_len); + + if (osb->s_mount_opt & OCFS2_MOUNT_POSIX_ACL) { ++ down_read(&OCFS2_I(dir)->ip_xattr_sem); + acl_len = ocfs2_xattr_get_nolock(dir, dir_bh, + OCFS2_XATTR_INDEX_POSIX_ACL_DEFAULT, + "", NULL, 0); ++ up_read(&OCFS2_I(dir)->ip_xattr_sem); + if (acl_len > 0) { + a_size = ocfs2_xattr_entry_real_size(0, acl_len); + if (S_ISDIR(mode)) diff --git a/queue-4.14/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch b/queue-4.14/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch new file mode 100644 index 00000000000..008f5fe7e80 --- /dev/null +++ b/queue-4.14/ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch @@ -0,0 +1,67 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:14:44 -0800 +Subject: ocfs2: return -EROFS to mount.ocfs2 if inode block is invalid + +From: piaojun + + +[ Upstream commit 025bcbde3634b2c9b316f227fed13ad6ad6817fb ] + +If metadata is corrupted such as 'invalid inode block', we will get +failed by calling 'mount()' and then set filesystem readonly as below: + + ocfs2_mount + ocfs2_initialize_super + ocfs2_init_global_system_inodes + ocfs2_iget + ocfs2_read_locked_inode + ocfs2_validate_inode_block + ocfs2_error + ocfs2_handle_error + ocfs2_set_ro_flag(osb, 0); // set readonly + +In this situation we need return -EROFS to 'mount.ocfs2', so that user +can fix it by fsck. And then mount again. In addition, 'mount.ocfs2' +should be updated correspondingly as it only return 1 for all errno. +And I will post a patch for 'mount.ocfs2' too. + +Link: http://lkml.kernel.org/r/5A4302FA.2010606@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Alex Chen +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Reviewed-by: Gang He +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/super.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/fs/ocfs2/super.c ++++ b/fs/ocfs2/super.c +@@ -474,9 +474,8 @@ static int ocfs2_init_global_system_inod + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; + mlog_errno(status); +- /* FIXME: Should ERROR_RO_FS */ + mlog(ML_ERROR, "Unable to load system inode %d, " + "possibly corrupt fs?", i); + goto bail; +@@ -505,7 +504,7 @@ static int ocfs2_init_local_system_inode + new = ocfs2_get_system_file_inode(osb, i, osb->slot_num); + if (!new) { + ocfs2_release_system_inodes(osb); +- status = -EINVAL; ++ status = ocfs2_is_soft_readonly(osb) ? -EROFS : -EINVAL; + mlog(ML_ERROR, "status=%d, sysfile=%d, slot=%d\n", + status, i, osb->slot_num); + goto bail; diff --git a/queue-4.14/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch b/queue-4.14/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch new file mode 100644 index 00000000000..5333a2c364f --- /dev/null +++ b/queue-4.14/ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch @@ -0,0 +1,99 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: piaojun +Date: Wed, 31 Jan 2018 16:15:32 -0800 +Subject: ocfs2: return error when we attempt to access a dirty bh in jbd2 + +From: piaojun + + +[ Upstream commit d984187e3a1ad7d12447a7ab2c43ce3717a2b5b3 ] + +We should not reuse the dirty bh in jbd2 directly due to the following +situation: + +1. When removing extent rec, we will dirty the bhs of extent rec and + truncate log at the same time, and hand them over to jbd2. + +2. The bhs are submitted to jbd2 area successfully. + +3. The write-back thread of device help flush the bhs to disk but + encounter write error due to abnormal storage link. + +4. After a while the storage link become normal. Truncate log flush + worker triggered by the next space reclaiming found the dirty bh of + truncate log and clear its 'BH_Write_EIO' and then set it uptodate in + __ocfs2_journal_access(): + + ocfs2_truncate_log_worker + ocfs2_flush_truncate_log + __ocfs2_flush_truncate_log + ocfs2_replay_truncate_records + ocfs2_journal_access_di + __ocfs2_journal_access // here we clear io_error and set 'tl_bh' uptodata. + +5. Then jbd2 will flush the bh of truncate log to disk, but the bh of + extent rec is still in error state, and unfortunately nobody will + take care of it. + +6. At last the space of extent rec was not reduced, but truncate log + flush worker have given it back to globalalloc. That will cause + duplicate cluster problem which could be identified by fsck.ocfs2. + +Sadly we can hardly revert this but set fs read-only in case of ruining +atomicity and consistency of space reclaim. + +Link: http://lkml.kernel.org/r/5A6E8092.8090701@huawei.com +Fixes: acf8fdbe6afb ("ocfs2: do not BUG if buffer not uptodate in __ocfs2_journal_access") +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/journal.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/fs/ocfs2/journal.c ++++ b/fs/ocfs2/journal.c +@@ -666,23 +666,24 @@ static int __ocfs2_journal_access(handle + /* we can safely remove this assertion after testing. */ + if (!buffer_uptodate(bh)) { + mlog(ML_ERROR, "giving me a buffer that's not uptodate!\n"); +- mlog(ML_ERROR, "b_blocknr=%llu\n", +- (unsigned long long)bh->b_blocknr); ++ mlog(ML_ERROR, "b_blocknr=%llu, b_state=0x%lx\n", ++ (unsigned long long)bh->b_blocknr, bh->b_state); + + lock_buffer(bh); + /* +- * A previous attempt to write this buffer head failed. +- * Nothing we can do but to retry the write and hope for +- * the best. ++ * A previous transaction with a couple of buffer heads fail ++ * to checkpoint, so all the bhs are marked as BH_Write_EIO. ++ * For current transaction, the bh is just among those error ++ * bhs which previous transaction handle. We can't just clear ++ * its BH_Write_EIO and reuse directly, since other bhs are ++ * not written to disk yet and that will cause metadata ++ * inconsistency. So we should set fs read-only to avoid ++ * further damage. + */ + if (buffer_write_io_error(bh) && !buffer_uptodate(bh)) { +- clear_buffer_write_io_error(bh); +- set_buffer_uptodate(bh); +- } +- +- if (!buffer_uptodate(bh)) { + unlock_buffer(bh); +- return -EIO; ++ return ocfs2_error(osb->sb, "A previous attempt to " ++ "write this buffer head failed\n"); + } + unlock_buffer(bh); + } diff --git a/queue-4.14/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch b/queue-4.14/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch new file mode 100644 index 00000000000..d119c75e6ad --- /dev/null +++ b/queue-4.14/openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch @@ -0,0 +1,100 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ed Swierk +Date: Wed, 31 Jan 2018 18:48:02 -0800 +Subject: openvswitch: Remove padding from packet before L3+ conntrack processing + +From: Ed Swierk + + +[ Upstream commit 9382fe71c0058465e942a633869629929102843d ] + +IPv4 and IPv6 packets may arrive with lower-layer padding that is not +included in the L3 length. For example, a short IPv4 packet may have +up to 6 bytes of padding following the IP payload when received on an +Ethernet device with a minimum packet length of 64 bytes. + +Higher-layer processing functions in netfilter (e.g. nf_ip_checksum(), +and help() in nf_conntrack_ftp) assume skb->len reflects the length of +the L3 header and payload, rather than referring back to +ip_hdr->tot_len or ipv6_hdr->payload_len, and get confused by +lower-layer padding. + +In the normal IPv4 receive path, ip_rcv() trims the packet to +ip_hdr->tot_len before invoking netfilter hooks. In the IPv6 receive +path, ip6_rcv() does the same using ipv6_hdr->payload_len. Similarly +in the br_netfilter receive path, br_validate_ipv4() and +br_validate_ipv6() trim the packet to the L3 length before invoking +netfilter hooks. + +Currently in the OVS conntrack receive path, ovs_ct_execute() pulls +the skb to the L3 header but does not trim it to the L3 length before +calling nf_conntrack_in(NF_INET_PRE_ROUTING). When +nf_conntrack_proto_tcp encounters a packet with lower-layer padding, +nf_ip_checksum() fails causing a "nf_ct_tcp: bad TCP checksum" log +message. While extra zero bytes don't affect the checksum, the length +in the IP pseudoheader does. That length is based on skb->len, and +without trimming, it doesn't match the length the sender used when +computing the checksum. + +In ovs_ct_execute(), trim the skb to the L3 length before higher-layer +processing. + +Signed-off-by: Ed Swierk +Acked-by: Pravin B Shelar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -1097,6 +1097,36 @@ static int ovs_ct_commit(struct net *net + return 0; + } + ++/* Trim the skb to the length specified by the IP/IPv6 header, ++ * removing any trailing lower-layer padding. This prepares the skb ++ * for higher-layer processing that assumes skb->len excludes padding ++ * (such as nf_ip_checksum). The caller needs to pull the skb to the ++ * network header, and ensure ip_hdr/ipv6_hdr points to valid data. ++ */ ++static int ovs_skb_network_trim(struct sk_buff *skb) ++{ ++ unsigned int len; ++ int err; ++ ++ switch (skb->protocol) { ++ case htons(ETH_P_IP): ++ len = ntohs(ip_hdr(skb)->tot_len); ++ break; ++ case htons(ETH_P_IPV6): ++ len = sizeof(struct ipv6hdr) ++ + ntohs(ipv6_hdr(skb)->payload_len); ++ break; ++ default: ++ len = skb->len; ++ } ++ ++ err = pskb_trim_rcsum(skb, len); ++ if (err) ++ kfree_skb(skb); ++ ++ return err; ++} ++ + /* Returns 0 on success, -EINPROGRESS if 'skb' is stolen, or other nonzero + * value if 'skb' is freed. + */ +@@ -1111,6 +1141,10 @@ int ovs_ct_execute(struct net *net, stru + nh_ofs = skb_network_offset(skb); + skb_pull_rcsum(skb, nh_ofs); + ++ err = ovs_skb_network_trim(skb); ++ if (err) ++ return err; ++ + if (key->ip.frag != OVS_FRAG_TYPE_NONE) { + err = handle_fragments(net, key, info->zone.id, skb); + if (err) diff --git a/queue-4.14/pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch b/queue-4.14/pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch new file mode 100644 index 00000000000..cbf84cb46d1 --- /dev/null +++ b/queue-4.14/pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Niklas Cassel +Date: Fri, 19 Jan 2018 10:39:06 +0100 +Subject: PCI: Add dummy pci_irqd_intx_xlate() for CONFIG_PCI=n build + +From: Niklas Cassel + + +[ Upstream commit 80db6f08b7af93eddc9487535e6150b220262637 ] + +Some hardware can operate in either "host" or "endpoint" mode, which means +there can be both a host bridge driver and an endpoint driver for the same +device. Those drivers share a lot of code, so sometimes they live in the +same source file. + +The host bridge driver requires CONFIG_PCI=y because it enumerates PCI +devices below the bridge using the PCI core. The endpoint driver does not +require CONFIG_PCI=y because it runs in an embedded kernel on the other +side of the device, e.g., on an adapter card. + +pci-dra7xx.c contains both host and endpoint drivers. If we select only +the endpoint driver (CONFIG_PCI=n and CONFIG_PCI_DRA7XX_EP=y), the unneeded +host driver is still compiled. It references pci_irqd_intx_xlate(), which +is not present when CONFIG_PCI=n, which causes this error: + + drivers/pci/dwc/pci-dra7xx.c:229:11: error: 'pci_irqd_intx_xlate' undeclared here (not in a function) + +Add a dummy pci_irqd_intx_xlate() for the CONFIG_PCI=n case. + +[bhelgaas: changelog] +Signed-off-by: Niklas Cassel +Signed-off-by: Bjorn Helgaas +Acked-by: Arnd Bergmann +Acked-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pci.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1688,6 +1688,13 @@ static inline int pci_get_new_domain_nr( + #define dev_is_pf(d) (false) + static inline bool pci_acs_enabled(struct pci_dev *pdev, u16 acs_flags) + { return false; } ++static inline int pci_irqd_intx_xlate(struct irq_domain *d, ++ struct device_node *node, ++ const u32 *intspec, ++ unsigned int intsize, ++ unsigned long *out_hwirq, ++ unsigned int *out_type) ++{ return -EINVAL; } + #endif /* CONFIG_PCI */ + + /* Include architecture-dependent settings and functions */ diff --git a/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch new file mode 100644 index 00000000000..3e4cb8d2752 --- /dev/null +++ b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch @@ -0,0 +1,37 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Alex Williamson +Date: Tue, 16 Jan 2018 10:05:26 -0700 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 9128 + +From: Alex Williamson + + +[ Upstream commit aa008206634363ef800fbd5f0262016c9ff81dea ] + +The Marvell 9128 is the original device generating bug 42679, from which +many other Marvell DMA alias quirks have been sourced, but we didn't have +positive confirmation of the fix on 9128 until now. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Link: https://www.spinics.net/lists/kvm/msg161459.html +Reported-by: Binarus +Tested-by: Binarus +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3879,6 +3879,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, + quirk_dma_func1_alias); ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9130, + quirk_dma_func1_alias); diff --git a/queue-4.14/perf-callchain-fix-attr.sample_max_stack-setting.patch b/queue-4.14/perf-callchain-fix-attr.sample_max_stack-setting.patch new file mode 100644 index 00000000000..1e17fe57c6a --- /dev/null +++ b/queue-4.14/perf-callchain-fix-attr.sample_max_stack-setting.patch @@ -0,0 +1,103 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnaldo Carvalho de Melo +Date: Mon, 15 Jan 2018 11:07:58 -0300 +Subject: perf callchain: Fix attr.sample_max_stack setting + +From: Arnaldo Carvalho de Melo + + +[ Upstream commit 249d98e567e25dd03e015e2d31e1b7b9648f34df ] + +When setting the "dwarf" unwinder for a specific event and not +specifying the max-stack, the attr.sample_max_stack ended up using an +uninitialized callchain_param.max_stack, fix it by using designated +initializers for that callchain_param variable, zeroing all non +explicitely initialized struct members. + +Here is what happened: + + # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + callchain: type DWARF + callchain: stack dump size 8192 + perf_event_attr: + type 2 + size 112 + config 0x730 + { sample_period, sample_freq } 1 + sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC + exclude_callchain_user 1 + { wakeup_events, wakeup_watermark } 1 + sample_regs_user 0xff0fff + sample_stack_user 8192 + sample_max_stack 50656 + sys_perf_event_open failed, error -75 + Value too large for defined data type + # perf trace -vv --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + callchain: type DWARF + callchain: stack dump size 8192 + perf_event_attr: + type 2 + size 112 + config 0x730 + sample_type IP|TID|TIME|ADDR|CALLCHAIN|CPU|PERIOD|RAW|REGS_USER|STACK_USER|DATA_SRC + exclude_callchain_user 1 + sample_regs_user 0xff0fff + sample_stack_user 8192 + sample_max_stack 30448 + sys_perf_event_open failed, error -75 + Value too large for defined data type + # + +Now the attr.sample_max_stack is set to zero and the above works as +expected: + + # perf trace --no-syscalls --max-stack 4 -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.072 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.072/0.072/0.072/0.000 ms + 0.000 probe_libc:inet_pton:(7feb7a998350)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + __GI_getaddrinfo (inlined) + [0xffffaa39b6108f3f] (/usr/bin/ping) + # + +Cc: Adrian Hunter +Cc: David Ahern +Cc: Hendrick Brueckner +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Thomas Richter +Cc: Wang Nan +Link: https://lkml.kernel.org/n/tip-is9tramondqa9jlxxsgcm9iz@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -722,14 +722,14 @@ static void apply_config_terms(struct pe + struct perf_evsel_config_term *term; + struct list_head *config_terms = &evsel->config_terms; + struct perf_event_attr *attr = &evsel->attr; +- struct callchain_param param; ++ /* callgraph default */ ++ struct callchain_param param = { ++ .record_mode = callchain_param.record_mode, ++ }; + u32 dump_size = 0; + int max_stack = 0; + const char *callgraph_buf = NULL; + +- /* callgraph default */ +- param.record_mode = callchain_param.record_mode; +- + list_for_each_entry(term, config_terms, list) { + switch (term->type) { + case PERF_EVSEL__CONFIG_TERM_PERIOD: diff --git a/queue-4.14/perf-evsel-fix-period-freq-terms-setup.patch b/queue-4.14/perf-evsel-fix-period-freq-terms-setup.patch new file mode 100644 index 00000000000..8267ea0ced3 --- /dev/null +++ b/queue-4.14/perf-evsel-fix-period-freq-terms-setup.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jiri Olsa +Date: Thu, 1 Feb 2018 09:38:10 +0100 +Subject: perf evsel: Fix period/freq terms setup + +From: Jiri Olsa + + +[ Upstream commit 49c0ae80eb32426fa133246200628e529067c595 ] + +Stephane reported that we don't set properly PERIOD sample type for +events with period term defined. + +Before: + $ perf record -e cpu/cpu-cycles,period=1000/u ls + $ perf evlist -v + cpu/cpu-cycles,period=1000/u: ... sample_type: IP|TID|TIME|PERIOD, ... + +After: + $ perf record -e cpu/cpu-cycles,period=1000/u ls + $ perf evlist -v + cpu/cpu-cycles,period=1000/u: ... sample_type: IP|TID|TIME, ... + +Setting PERIOD sample type based on period term setup. + +Committer note: + +When we use -c or a period=N term in the event definition, then we don't +need to ask the kernel, for this event, via perf_event_attr.sample_type +|= PERF_SAMPLE_PERIOD, to put the event period in each sample for this +event, as we know it already, it is in perf_event_attr.sample_period. + +Reported-by: Stephane Eranian +Signed-off-by: Jiri Olsa +Tested-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180201083812.11359-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/evsel.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -736,12 +736,14 @@ static void apply_config_terms(struct pe + if (!(term->weak && opts->user_interval != ULLONG_MAX)) { + attr->sample_period = term->val.period; + attr->freq = 0; ++ perf_evsel__reset_sample_bit(evsel, PERIOD); + } + break; + case PERF_EVSEL__CONFIG_TERM_FREQ: + if (!(term->weak && opts->user_freq != UINT_MAX)) { + attr->sample_freq = term->val.freq; + attr->freq = 1; ++ perf_evsel__set_sample_bit(evsel, PERIOD); + } + break; + case PERF_EVSEL__CONFIG_TERM_TIME: diff --git a/queue-4.14/perf-fix-sample_max_stack-maximum-check.patch b/queue-4.14/perf-fix-sample_max_stack-maximum-check.patch new file mode 100644 index 00000000000..6ebb9cbc78a --- /dev/null +++ b/queue-4.14/perf-fix-sample_max_stack-maximum-check.patch @@ -0,0 +1,90 @@ +From 5af44ca53d019de47efe6dbc4003dd518e5197ed Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 15 Apr 2018 11:23:51 +0200 +Subject: perf: Fix sample_max_stack maximum check + +From: Jiri Olsa + +commit 5af44ca53d019de47efe6dbc4003dd518e5197ed upstream. + +The syzbot hit KASAN bug in perf_callchain_store having the entry stored +behind the allocated bounds [1]. + +We miss the sample_max_stack check for the initial event that allocates +callchain buffers. This missing check allows to create an event with +sample_max_stack value bigger than the global sysctl maximum: + + # sysctl -a | grep perf_event_max_stack + kernel.perf_event_max_stack = 127 + + # perf record -vv -C 1 -e cycles/max-stack=256/ kill + ... + perf_event_attr: + size 112 + ... + sample_max_stack 256 + ------------------------------------------------------------ + sys_perf_event_open: pid -1 cpu 1 group_fd -1 flags 0x8 = 4 + +Note the '-C 1', which forces perf record to create just single event. +Otherwise it opens event for every cpu, then the sample_max_stack check +fails on the second event and all's fine. + +The fix is to run the sample_max_stack check also for the first event +with callchains. + +[1] https://marc.info/?l=linux-kernel&m=152352732920874&w=2 + +Reported-by: syzbot+7c449856228b63ac951e@syzkaller.appspotmail.com +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: H. Peter Anvin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: syzkaller-bugs@googlegroups.com +Cc: x86@kernel.org +Fixes: 97c79a38cd45 ("perf core: Per event callchain limit") +Link: http://lkml.kernel.org/r/20180415092352.12403-2-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/callchain.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/kernel/events/callchain.c ++++ b/kernel/events/callchain.c +@@ -119,19 +119,22 @@ int get_callchain_buffers(int event_max_ + goto exit; + } + ++ /* ++ * If requesting per event more than the global cap, ++ * return a different error to help userspace figure ++ * this out. ++ * ++ * And also do it here so that we have &callchain_mutex held. ++ */ ++ if (event_max_stack > sysctl_perf_event_max_stack) { ++ err = -EOVERFLOW; ++ goto exit; ++ } ++ + if (count > 1) { + /* If the allocation failed, give up */ + if (!callchain_cpus_entries) + err = -ENOMEM; +- /* +- * If requesting per event more than the global cap, +- * return a different error to help userspace figure +- * this out. +- * +- * And also do it here so that we have &callchain_mutex held. +- */ +- if (event_max_stack > sysctl_perf_event_max_stack) +- err = -EOVERFLOW; + goto exit; + } + diff --git a/queue-4.14/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch b/queue-4.14/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch new file mode 100644 index 00000000000..ef34e76e4fd --- /dev/null +++ b/queue-4.14/perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Thomas Richter +Date: Wed, 17 Jan 2018 14:16:11 +0100 +Subject: perf record: Fix failed memory allocation for get_cpuid_str + +From: Thomas Richter + + +[ Upstream commit 81fccd6ca507d3b2012eaf1edeb9b1dbf4bd22db ] + +In x86 architecture dependend part function get_cpuid_str() mallocs a +128 byte buffer, but does not check if the memory allocation succeeded +or not. + +When the memory allocation fails, function __get_cpuid() is called with +first parameter being a NULL pointer. However this function references +its first parameter and operates on a NULL pointer which might cause +core dumps. + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180117131611.34319-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/x86/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/arch/x86/util/header.c ++++ b/tools/perf/arch/x86/util/header.c +@@ -70,7 +70,7 @@ get_cpuid_str(void) + { + char *buf = malloc(128); + +- if (__get_cpuid(buf, 128, "%s-%u-%X$") < 0) { ++ if (buf && __get_cpuid(buf, 128, "%s-%u-%X$") < 0) { + free(buf); + return NULL; + } diff --git a/queue-4.14/perf-record-fix-period-option-handling.patch b/queue-4.14/perf-record-fix-period-option-handling.patch new file mode 100644 index 00000000000..3880a68a27e --- /dev/null +++ b/queue-4.14/perf-record-fix-period-option-handling.patch @@ -0,0 +1,105 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jiri Olsa +Date: Thu, 1 Feb 2018 09:38:11 +0100 +Subject: perf record: Fix period option handling + +From: Jiri Olsa + + +[ Upstream commit f290aa1ffa45ed7e37599840878b4dae68269ee1 ] + +Stephan reported we don't unset PERIOD sample type when --no-period is +specified. Adding the unset check and reset PERIOD if --no-period is +specified. + +Committer notes: + +Check the sample_type, it shouldn't have PERF_SAMPLE_PERIOD there when +--no-period is used. + +Before: + + # perf record --no-period sleep 1 + [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 0.018 MB perf.data (7 samples) ] + # perf evlist -v + cycles:ppp: size: 112, { sample_period, sample_freq }: 4000, sample_type: IP|TID|TIME|PERIOD, disabled: 1, inherit: 1, mmap: 1, comm: 1, freq: 1, enable_on_exec: 1, task: 1, precise_ip: 3, sample_id_all: 1, exclude_guest: 1, mmap2: 1, comm_exec: 1 + # + +After: + +[root@jouet ~]# perf record --no-period sleep 1 +[ perf record: Woken up 1 times to write data ] +[ perf record: Captured and wrote 0.019 MB perf.data (17 samples) ] +[root@jouet ~]# perf evlist -v +cycles:ppp: size: 112, { sample_period, sample_freq }: 4000, sample_type: IP|TID|TIME, disabled: 1, inherit: 1, mmap: 1, comm: 1, freq: 1, enable_on_exec: 1, task: 1, precise_ip: 3, sample_id_all: 1, exclude_guest: 1, mmap2: 1, comm_exec: 1 +[root@jouet ~]# + +Reported-by: Stephane Eranian +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Tested-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180201083812.11359-3-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-record.c | 3 ++- + tools/perf/perf.h | 1 + + tools/perf/util/evsel.c | 11 ++++++++--- + 3 files changed, 11 insertions(+), 4 deletions(-) + +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -1611,7 +1611,8 @@ static struct option __record_options[] + OPT_BOOLEAN_SET('T', "timestamp", &record.opts.sample_time, + &record.opts.sample_time_set, + "Record the sample timestamps"), +- OPT_BOOLEAN('P', "period", &record.opts.period, "Record the sample period"), ++ OPT_BOOLEAN_SET('P', "period", &record.opts.period, &record.opts.period_set, ++ "Record the sample period"), + OPT_BOOLEAN('n', "no-samples", &record.opts.no_samples, + "don't sample"), + OPT_BOOLEAN_SET('N', "no-buildid-cache", &record.no_buildid_cache, +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -50,6 +50,7 @@ struct record_opts { + bool sample_time_set; + bool sample_cpu; + bool period; ++ bool period_set; + bool running_time; + bool full_auxtrace; + bool auxtrace_snapshot_mode; +--- a/tools/perf/util/evsel.c ++++ b/tools/perf/util/evsel.c +@@ -943,9 +943,6 @@ void perf_evsel__config(struct perf_evse + if (target__has_cpu(&opts->target) || opts->sample_cpu) + perf_evsel__set_sample_bit(evsel, CPU); + +- if (opts->period) +- perf_evsel__set_sample_bit(evsel, PERIOD); +- + /* + * When the user explicitly disabled time don't force it here. + */ +@@ -1047,6 +1044,14 @@ void perf_evsel__config(struct perf_evse + apply_config_terms(evsel, opts); + + evsel->ignore_missing_thread = opts->ignore_missing_thread; ++ ++ /* The --period option takes the precedence. */ ++ if (opts->period_set) { ++ if (opts->period) ++ perf_evsel__set_sample_bit(evsel, PERIOD); ++ else ++ perf_evsel__reset_sample_bit(evsel, PERIOD); ++ } + } + + static int perf_evsel__alloc_fd(struct perf_evsel *evsel, int ncpus, int nthreads) diff --git a/queue-4.14/perf-return-proper-values-for-user-stack-errors.patch b/queue-4.14/perf-return-proper-values-for-user-stack-errors.patch new file mode 100644 index 00000000000..feff67e62a0 --- /dev/null +++ b/queue-4.14/perf-return-proper-values-for-user-stack-errors.patch @@ -0,0 +1,46 @@ +From 78b562fbfa2cf0a9fcb23c3154756b690f4905c1 Mon Sep 17 00:00:00 2001 +From: Jiri Olsa +Date: Sun, 15 Apr 2018 11:23:50 +0200 +Subject: perf: Return proper values for user stack errors + +From: Jiri Olsa + +commit 78b562fbfa2cf0a9fcb23c3154756b690f4905c1 upstream. + +Return immediately when we find issue in the user stack checks. The +error value could get overwritten by following check for +PERF_SAMPLE_REGS_INTR. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: H. Peter Anvin +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: syzkaller-bugs@googlegroups.com +Cc: x86@kernel.org +Fixes: 60e2364e60e8 ("perf: Add ability to sample machine state on interrupt") +Link: http://lkml.kernel.org/r/20180415092352.12403-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9750,9 +9750,9 @@ static int perf_copy_attr(struct perf_ev + * __u16 sample size limit. + */ + if (attr->sample_stack_user >= USHRT_MAX) +- ret = -EINVAL; ++ return -EINVAL; + else if (!IS_ALIGNED(attr->sample_stack_user, sizeof(u64))) +- ret = -EINVAL; ++ return -EINVAL; + } + + if (attr->sample_type & PERF_SAMPLE_REGS_INTR) diff --git a/queue-4.14/perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch b/queue-4.14/perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch new file mode 100644 index 00000000000..c389d4ac851 --- /dev/null +++ b/queue-4.14/perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch @@ -0,0 +1,146 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Thomas Richter +Date: Wed, 17 Jan 2018 09:38:31 +0100 +Subject: perf test: Fix test trace+probe_libc_inet_pton.sh for s390x + +From: Thomas Richter + + +[ Upstream commit 7a92453620d42c3a5fea94a864dc6aa04c262b93 ] + +On Intel test case trace+probe_libc_inet_pton.sh succeeds and the +output is: + +[root@f27 perf]# ./perf trace --no-syscalls + -e probe_libc:inet_pton/max-stack=3/ ping -6 -c 1 ::1 +PING ::1(::1) 56 data bytes +64 bytes from ::1: icmp_seq=1 ttl=64 time=0.037 ms + + --- ::1 ping statistics --- +1 packets transmitted, 1 received, 0% packet loss, time 0ms +rtt min/avg/max/mdev = 0.037/0.037/0.037/0.000 ms + 0.000 probe_libc:inet_pton:(7fa40ac618a0)) + __GI___inet_pton (/usr/lib64/libc-2.26.so) + getaddrinfo (/usr/lib64/libc-2.26.so) + main (/usr/bin/ping) + +The kernel stack unwinder is used, it is specified implicitly +as call-graph=fp (frame pointer). + +On s390x only dwarf is available for stack unwinding. It is also +done in user space. This requires different parameter setup +and result checking for s390x and Intel. + +This patch adds separate perf trace setup and result checking +for Intel and s390x. On s390x specify this command line to +get a call-graph and handle the different call graph result +checking: + +[root@s35lp76 perf]# ./perf trace --no-syscalls + -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 +PING ::1(::1) 56 data bytes +64 bytes from ::1: icmp_seq=1 ttl=64 time=0.041 ms + + --- ::1 ping statistics --- +1 packets transmitted, 1 received, 0% packet loss, time 0ms +rtt min/avg/max/mdev = 0.041/0.041/0.041/0.000 ms + 0.000 probe_libc:inet_pton:(3ffb9942060)) + __GI___inet_pton (/usr/lib64/libc-2.26.so) + gaih_inet (inlined) + __GI_getaddrinfo (inlined) + main (/usr/bin/ping) + __libc_start_main (/usr/lib64/libc-2.26.so) + _start (/usr/bin/ping) +[root@s35lp76 perf]# + +Before: +[root@s8360047 perf]# ./perf test -vv 58 +58: probe libc's inet_pton & backtrace it with ping : + --- start --- +test child forked, pid 26349 +PING ::1(::1) 56 data bytes +64 bytes from ::1: icmp_seq=1 ttl=64 time=0.079 ms + --- ::1 ping statistics --- +1 packets transmitted, 1 received, 0% packet loss, time 0ms +rtt min/avg/max/mdev = 0.079/0.079/0.079/0.000 ms +0.000 probe_libc:inet_pton:(3ff925c2060)) +test child finished with -1 + ---- end ---- +probe libc's inet_pton & backtrace it with ping: FAILED! +[root@s8360047 perf]# + +After: +[root@s35lp76 perf]# ./perf test -vv 57 +57: probe libc's inet_pton & backtrace it with ping : + --- start --- +test child forked, pid 38708 +PING ::1(::1) 56 data bytes +64 bytes from ::1: icmp_seq=1 ttl=64 time=0.038 ms + --- ::1 ping statistics --- +1 packets transmitted, 1 received, 0% packet loss, time 0ms +rtt min/avg/max/mdev = 0.038/0.038/0.038/0.000 ms +0.000 probe_libc:inet_pton:(3ff87342060)) +__GI___inet_pton (/usr/lib64/libc-2.26.so) +gaih_inet (inlined) +__GI_getaddrinfo (inlined) +main (/usr/bin/ping) +__libc_start_main (/usr/lib64/libc-2.26.so) +_start (/usr/bin/ping) +test child finished with 0 + ---- end ---- +probe libc's inet_pton & backtrace it with ping: Ok +[root@s35lp76 perf]# + +On Intel the test case runs unchanged and succeeds. + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Tested-by: Arnaldo Carvalho de Melo +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180117083831.101001-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 21 +++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh ++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh +@@ -22,10 +22,23 @@ trace_libc_inet_pton_backtrace() { + expected[4]="rtt min.*" + expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)" + expected[6]=".*inet_pton[[:space:]]\($libc\)$" +- expected[7]="getaddrinfo[[:space:]]\($libc\)$" +- expected[8]=".*\(.*/bin/ping.*\)$" ++ case "$(uname -m)" in ++ s390x) ++ eventattr='call-graph=dwarf' ++ expected[7]="gaih_inet[[:space:]]\(inlined\)$" ++ expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$" ++ expected[9]="main[[:space:]]\(.*/bin/ping.*\)$" ++ expected[10]="__libc_start_main[[:space:]]\($libc\)$" ++ expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$" ++ ;; ++ *) ++ eventattr='max-stack=3' ++ expected[7]="getaddrinfo[[:space:]]\($libc\)$" ++ expected[8]=".*\(.*/bin/ping.*\)$" ++ ;; ++ esac + +- perf trace --no-syscalls -e probe_libc:inet_pton/max-stack=3/ ping -6 -c 1 ::1 2>&1 | grep -v ^$ | while read line ; do ++ perf trace --no-syscalls -e probe_libc:inet_pton/$eventattr/ ping -6 -c 1 ::1 2>&1 | grep -v ^$ | while read line ; do + echo $line + echo "$line" | egrep -q "${expected[$idx]}" + if [ $? -ne 0 ] ; then +@@ -33,7 +46,7 @@ trace_libc_inet_pton_backtrace() { + exit 1 + fi + let idx+=1 +- [ $idx -eq 9 ] && break ++ [ -z "${expected[$idx]}" ] && break + done + } + diff --git a/queue-4.14/perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch b/queue-4.14/perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch new file mode 100644 index 00000000000..ecb59ff543b --- /dev/null +++ b/queue-4.14/perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch @@ -0,0 +1,250 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnaldo Carvalho de Melo +Date: Mon, 15 Jan 2018 16:48:46 -0300 +Subject: perf unwind: Do not look just at the global callchain_param.record_mode + +From: Arnaldo Carvalho de Melo + + +[ Upstream commit eabad8c6856f185f876b54c426c2cc69fe0f0a7d ] + +When setting up DWARF callchains on specific events, without using +'record' or 'trace' --call-graph, but instead doing it like: + + perf trace -e cycles/call-graph=dwarf/ + +The unwind__prepare_access() call in thread__insert_map() when we +process PERF_RECORD_MMAP(2) metadata events were not being performed, +precluding us from using per-event DWARF callchains, handling them just +when we asked for all events to be DWARF, using "--call-graph dwarf". + +We do it in the PERF_RECORD_MMAP because we have to look at one of the +executable maps to figure out the executable type (64-bit, 32-bit) of +the DSO laid out in that mmap. Also to look at the architecture where +the perf.data file was recorded. + +All this probably should be deferred to when we process a sample for +some thread that has callchains, so that we do this processing only for +the threads with samples, not for all of them. + +For now, fix using DWARF on specific events. + +Before: + + # perf trace --no-syscalls -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.048 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.048/0.048/0.048/0.000 ms + 0.000 probe_libc:inet_pton:(7fe9597bb350)) + Problem processing probe_libc:inet_pton callchain, skipping... + # + +After: + + # perf trace --no-syscalls -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.060 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.060/0.060/0.060/0.000 ms + 0.000 probe_libc:inet_pton:(7fd4aa930350)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + __GI_getaddrinfo (inlined) + [0xffffaa804e51af3f] (/usr/bin/ping) + __libc_start_main (/usr/lib64/libc-2.26.so) + [0xffffaa804e51b379] (/usr/bin/ping) + # + # perf trace --call-graph=dwarf --no-syscalls -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.057 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.057/0.057/0.057/0.000 ms + 0.000 probe_libc:inet_pton:(7f9363b9e350)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + __GI_getaddrinfo (inlined) + [0xffffa9e8a14e0f3f] (/usr/bin/ping) + __libc_start_main (/usr/lib64/libc-2.26.so) + [0xffffa9e8a14e1379] (/usr/bin/ping) + # + # perf trace --call-graph=fp --no-syscalls -e probe_libc:inet_pton/call-graph=dwarf/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.077 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.077/0.077/0.077/0.000 ms + 0.000 probe_libc:inet_pton:(7f4947e1c350)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + __GI_getaddrinfo (inlined) + [0xffffaa716d88ef3f] (/usr/bin/ping) + __libc_start_main (/usr/lib64/libc-2.26.so) + [0xffffaa716d88f379] (/usr/bin/ping) + # + # perf trace --no-syscalls -e probe_libc:inet_pton/call-graph=fp/ ping -6 -c 1 ::1 + PING ::1(::1) 56 data bytes + 64 bytes from ::1: icmp_seq=1 ttl=64 time=0.078 ms + + --- ::1 ping statistics --- + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.078/0.078/0.078/0.000 ms + 0.000 probe_libc:inet_pton:(7fa157696350)) + __GI___inet_pton (/usr/lib64/libc-2.26.so) + getaddrinfo (/usr/lib64/libc-2.26.so) + [0xffffa9ba39c74f40] (/usr/bin/ping) + # + +Acked-by: Namhyung Kim +Cc: Adrian Hunter +Cc: David Ahern +Cc: Hendrick Brueckner +Cc: Jiri Olsa +Cc: Thomas Richter +Cc: Wang Nan +Link: https://lkml.kernel.org/r/20180116182650.GE16107@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-c2c.c | 5 +++-- + tools/perf/builtin-report.c | 5 +++-- + tools/perf/builtin-script.c | 5 +++-- + tools/perf/tests/dwarf-unwind.c | 1 + + tools/perf/util/callchain.c | 10 ++++++++++ + tools/perf/util/callchain.h | 2 ++ + tools/perf/util/unwind-libunwind-local.c | 9 +++------ + 7 files changed, 25 insertions(+), 12 deletions(-) + +--- a/tools/perf/builtin-c2c.c ++++ b/tools/perf/builtin-c2c.c +@@ -2393,9 +2393,10 @@ static int setup_callchain(struct perf_e + enum perf_call_graph_mode mode = CALLCHAIN_NONE; + + if ((sample_type & PERF_SAMPLE_REGS_USER) && +- (sample_type & PERF_SAMPLE_STACK_USER)) ++ (sample_type & PERF_SAMPLE_STACK_USER)) { + mode = CALLCHAIN_DWARF; +- else if (sample_type & PERF_SAMPLE_BRANCH_STACK) ++ dwarf_callchain_users = true; ++ } else if (sample_type & PERF_SAMPLE_BRANCH_STACK) + mode = CALLCHAIN_LBR; + else if (sample_type & PERF_SAMPLE_CALLCHAIN) + mode = CALLCHAIN_FP; +--- a/tools/perf/builtin-report.c ++++ b/tools/perf/builtin-report.c +@@ -328,9 +328,10 @@ static int report__setup_sample_type(str + + if (symbol_conf.use_callchain || symbol_conf.cumulate_callchain) { + if ((sample_type & PERF_SAMPLE_REGS_USER) && +- (sample_type & PERF_SAMPLE_STACK_USER)) ++ (sample_type & PERF_SAMPLE_STACK_USER)) { + callchain_param.record_mode = CALLCHAIN_DWARF; +- else if (sample_type & PERF_SAMPLE_BRANCH_STACK) ++ dwarf_callchain_users = true; ++ } else if (sample_type & PERF_SAMPLE_BRANCH_STACK) + callchain_param.record_mode = CALLCHAIN_LBR; + else + callchain_param.record_mode = CALLCHAIN_FP; +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -2574,9 +2574,10 @@ static void script__setup_sample_type(st + + if (symbol_conf.use_callchain || symbol_conf.cumulate_callchain) { + if ((sample_type & PERF_SAMPLE_REGS_USER) && +- (sample_type & PERF_SAMPLE_STACK_USER)) ++ (sample_type & PERF_SAMPLE_STACK_USER)) { + callchain_param.record_mode = CALLCHAIN_DWARF; +- else if (sample_type & PERF_SAMPLE_BRANCH_STACK) ++ dwarf_callchain_users = true; ++ } else if (sample_type & PERF_SAMPLE_BRANCH_STACK) + callchain_param.record_mode = CALLCHAIN_LBR; + else + callchain_param.record_mode = CALLCHAIN_FP; +--- a/tools/perf/tests/dwarf-unwind.c ++++ b/tools/perf/tests/dwarf-unwind.c +@@ -173,6 +173,7 @@ int test__dwarf_unwind(struct test *test + } + + callchain_param.record_mode = CALLCHAIN_DWARF; ++ dwarf_callchain_users = true; + + if (init_live_machine(machine)) { + pr_err("Could not init machine\n"); +--- a/tools/perf/util/callchain.c ++++ b/tools/perf/util/callchain.c +@@ -37,6 +37,15 @@ struct callchain_param callchain_param = + CALLCHAIN_PARAM_DEFAULT + }; + ++/* ++ * Are there any events usind DWARF callchains? ++ * ++ * I.e. ++ * ++ * -e cycles/call-graph=dwarf/ ++ */ ++bool dwarf_callchain_users; ++ + struct callchain_param callchain_param_default = { + CALLCHAIN_PARAM_DEFAULT + }; +@@ -265,6 +274,7 @@ int parse_callchain_record(const char *a + ret = 0; + param->record_mode = CALLCHAIN_DWARF; + param->dump_size = default_stack_dump_size; ++ dwarf_callchain_users = true; + + tok = strtok_r(NULL, ",", &saveptr); + if (tok) { +--- a/tools/perf/util/callchain.h ++++ b/tools/perf/util/callchain.h +@@ -89,6 +89,8 @@ enum chain_value { + CCVAL_COUNT, + }; + ++extern bool dwarf_callchain_users; ++ + struct callchain_param { + bool enabled; + enum perf_call_graph_mode record_mode; +--- a/tools/perf/util/unwind-libunwind-local.c ++++ b/tools/perf/util/unwind-libunwind-local.c +@@ -631,9 +631,8 @@ static unw_accessors_t accessors = { + + static int _unwind__prepare_access(struct thread *thread) + { +- if (callchain_param.record_mode != CALLCHAIN_DWARF) ++ if (!dwarf_callchain_users) + return 0; +- + thread->addr_space = unw_create_addr_space(&accessors, 0); + if (!thread->addr_space) { + pr_err("unwind: Can't create unwind address space.\n"); +@@ -646,17 +645,15 @@ static int _unwind__prepare_access(struc + + static void _unwind__flush_access(struct thread *thread) + { +- if (callchain_param.record_mode != CALLCHAIN_DWARF) ++ if (!dwarf_callchain_users) + return; +- + unw_flush_cache(thread->addr_space, 0, 0); + } + + static void _unwind__finish_access(struct thread *thread) + { +- if (callchain_param.record_mode != CALLCHAIN_DWARF) ++ if (!dwarf_callchain_users) + return; +- + unw_destroy_addr_space(thread->addr_space); + } + diff --git a/queue-4.14/platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch b/queue-4.14/platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch new file mode 100644 index 00000000000..d8c39317761 --- /dev/null +++ b/queue-4.14/platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch @@ -0,0 +1,103 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Hans de Goede +Date: Thu, 11 Jan 2018 15:14:39 +0100 +Subject: platform/x86: dell-laptop: Filter out spurious keyboard backlight change events + +From: Hans de Goede + + +[ Upstream commit 4d6bde512a86c32df3a1f289d2b4cd04b17758d1 ] + +On some Dell XPS models WMI events of type 0x0000 reporting a keycode of +0xe00c get reported when the brightness of the LCD panel changes. + +This leads to us reporting false-positive kbd_led change events to +userspace which in turn leads to the kbd backlight OSD showing when it +should not. + +We already read the current keyboard backlight brightness value when +reporting events because the led_classdev_notify_brightness_hw_changed +API requires this. Compare this value to the last known value and filter +out duplicate events, fixing this. + +Note the fixed issue is esp. a problem on XPS models with an ambient light +sensor and automatic brightness adjustments turned on, this causes the kbd +backlight OSD to show all the time there. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514969 +Fixes: 9c656b0799 ("platform/x86: dell-*: Call new led hw_changed API ...") +Acked-by: Pali Rohár +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/dell-laptop.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -1177,6 +1177,7 @@ static u8 kbd_previous_mode_bit; + + static bool kbd_led_present; + static DEFINE_MUTEX(kbd_led_mutex); ++static enum led_brightness kbd_led_level; + + /* + * NOTE: there are three ways to set the keyboard backlight level. +@@ -2020,6 +2021,7 @@ static enum led_brightness kbd_led_level + static int kbd_led_level_set(struct led_classdev *led_cdev, + enum led_brightness value) + { ++ enum led_brightness new_value = value; + struct kbd_state state; + struct kbd_state new_state; + u16 num; +@@ -2049,6 +2051,9 @@ static int kbd_led_level_set(struct led_ + } + + out: ++ if (ret == 0) ++ kbd_led_level = new_value; ++ + mutex_unlock(&kbd_led_mutex); + return ret; + } +@@ -2076,6 +2081,9 @@ static int __init kbd_led_init(struct de + if (kbd_led.max_brightness) + kbd_led.max_brightness--; + } ++ ++ kbd_led_level = kbd_led_level_get(NULL); ++ + ret = led_classdev_register(dev, &kbd_led); + if (ret) + kbd_led_present = false; +@@ -2100,13 +2108,25 @@ static void kbd_led_exit(void) + static int dell_laptop_notifier_call(struct notifier_block *nb, + unsigned long action, void *data) + { ++ bool changed = false; ++ enum led_brightness new_kbd_led_level; ++ + switch (action) { + case DELL_LAPTOP_KBD_BACKLIGHT_BRIGHTNESS_CHANGED: + if (!kbd_led_present) + break; + +- led_classdev_notify_brightness_hw_changed(&kbd_led, +- kbd_led_level_get(&kbd_led)); ++ mutex_lock(&kbd_led_mutex); ++ new_kbd_led_level = kbd_led_level_get(&kbd_led); ++ if (kbd_led_level != new_kbd_led_level) { ++ kbd_led_level = new_kbd_led_level; ++ changed = true; ++ } ++ mutex_unlock(&kbd_led_mutex); ++ ++ if (changed) ++ led_classdev_notify_brightness_hw_changed(&kbd_led, ++ kbd_led_level); + break; + } + diff --git a/queue-4.14/platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch b/queue-4.14/platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch new file mode 100644 index 00000000000..f8586514e6e --- /dev/null +++ b/queue-4.14/platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: David Herrmann +Date: Fri, 12 Jan 2018 12:04:45 +0100 +Subject: platform/x86: thinkpad_acpi: suppress warning about palm detection + +From: David Herrmann + + +[ Upstream commit 587d8628fb71c3bfae29fb2bbe84c1478c59bac8 ] + +This patch prevents the thinkpad_acpi driver from warning about 2 event +codes returned for keyboard palm-detection. No behavioral changes, +other than suppressing the warning in the kernel log. The events are +still forwarded via acpi-netlink channels. + +We could, optionally, decide to forward the event through a +input-switch on the tpacpi input device. However, so far no suitable +input-code exists, and no similar drivers report such events. Hence, +leave it an acpi event for now. + +Note that the event-codes are named based on empirical studies. On the +ThinkPad X1 5th Gen the sensor can be found underneath the arrow key. + +Cc: Matthew Thode +Signed-off-by: David Herrmann +Acked-by: Henrique de Moraes Holschuh +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/thinkpad_acpi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -214,6 +214,10 @@ enum tpacpi_hkey_event_t { + /* AC-related events */ + TP_HKEY_EV_AC_CHANGED = 0x6040, /* AC status changed */ + ++ /* Further user-interface events */ ++ TP_HKEY_EV_PALM_DETECTED = 0x60b0, /* palm hoveres keyboard */ ++ TP_HKEY_EV_PALM_UNDETECTED = 0x60b1, /* palm removed */ ++ + /* Misc */ + TP_HKEY_EV_RFKILL_CHANGED = 0x7000, /* rfkill switch changed */ + }; +@@ -3973,6 +3977,12 @@ static bool hotkey_notify_6xxx(const u32 + *send_acpi_ev = false; + break; + ++ case TP_HKEY_EV_PALM_DETECTED: ++ case TP_HKEY_EV_PALM_UNDETECTED: ++ /* palm detected hovering the keyboard, forward to user-space ++ * via netlink for consumption */ ++ return true; ++ + default: + pr_warn("unknown possible thermal alarm or keyboard event received\n"); + known = false; diff --git a/queue-4.14/pm-domains-fix-up-domain-idle-states-of-parsing.patch b/queue-4.14/pm-domains-fix-up-domain-idle-states-of-parsing.patch new file mode 100644 index 00000000000..4e04414d5ed --- /dev/null +++ b/queue-4.14/pm-domains-fix-up-domain-idle-states-of-parsing.patch @@ -0,0 +1,139 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ulf Hansson +Date: Tue, 23 Jan 2018 21:43:08 +0100 +Subject: PM / domains: Fix up domain-idle-states OF parsing + +From: Ulf Hansson + + +[ Upstream commit a3381e3a65cbaf612c8f584906c4dba27e84267c ] + +Commit b539cc82d493 (PM / Domains: Ignore domain-idle-states that are +not compatible), made it possible to ignore non-compatible +domain-idle-states OF nodes. However, in case that happens while doing +the OF parsing, the number of elements in the allocated array would +exceed the numbers actually needed, thus wasting memory. + +Fix this by pre-iterating the genpd OF node and counting the number of +compatible domain-idle-states nodes, before doing the allocation. While +doing this, it makes sense to rework the code a bit to avoid open coding, +of parts responsible for the OF node iteration. + +Let's also take the opportunity to clarify the function header for +of_genpd_parse_idle_states(), about what is being returned in case of +errors. + +Fixes: b539cc82d493 (PM / Domains: Ignore domain-idle-states that are not compatible) +Signed-off-by: Ulf Hansson +Reviewed-by: Lina Iyer +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/domain.c | 76 ++++++++++++++++++++++++++------------------ + 1 file changed, 45 insertions(+), 31 deletions(-) + +--- a/drivers/base/power/domain.c ++++ b/drivers/base/power/domain.c +@@ -2206,6 +2206,38 @@ static int genpd_parse_state(struct genp + return 0; + } + ++static int genpd_iterate_idle_states(struct device_node *dn, ++ struct genpd_power_state *states) ++{ ++ int ret; ++ struct of_phandle_iterator it; ++ struct device_node *np; ++ int i = 0; ++ ++ ret = of_count_phandle_with_args(dn, "domain-idle-states", NULL); ++ if (ret <= 0) ++ return ret; ++ ++ /* Loop over the phandles until all the requested entry is found */ ++ of_for_each_phandle(&it, ret, dn, "domain-idle-states", NULL, 0) { ++ np = it.node; ++ if (!of_match_node(idle_state_match, np)) ++ continue; ++ if (states) { ++ ret = genpd_parse_state(&states[i], np); ++ if (ret) { ++ pr_err("Parsing idle state node %pOF failed with err %d\n", ++ np, ret); ++ of_node_put(np); ++ return ret; ++ } ++ } ++ i++; ++ } ++ ++ return i; ++} ++ + /** + * of_genpd_parse_idle_states: Return array of idle states for the genpd. + * +@@ -2215,49 +2247,31 @@ static int genpd_parse_state(struct genp + * + * Returns the device states parsed from the OF node. The memory for the states + * is allocated by this function and is the responsibility of the caller to +- * free the memory after use. ++ * free the memory after use. If no domain idle states is found it returns ++ * -EINVAL and in case of errors, a negative error code. + */ + int of_genpd_parse_idle_states(struct device_node *dn, + struct genpd_power_state **states, int *n) + { + struct genpd_power_state *st; +- struct device_node *np; +- int i = 0; +- int err, ret; +- int count; +- struct of_phandle_iterator it; +- const struct of_device_id *match_id; ++ int ret; + +- count = of_count_phandle_with_args(dn, "domain-idle-states", NULL); +- if (count <= 0) +- return -EINVAL; ++ ret = genpd_iterate_idle_states(dn, NULL); ++ if (ret <= 0) ++ return ret < 0 ? ret : -EINVAL; + +- st = kcalloc(count, sizeof(*st), GFP_KERNEL); ++ st = kcalloc(ret, sizeof(*st), GFP_KERNEL); + if (!st) + return -ENOMEM; + +- /* Loop over the phandles until all the requested entry is found */ +- of_for_each_phandle(&it, err, dn, "domain-idle-states", NULL, 0) { +- np = it.node; +- match_id = of_match_node(idle_state_match, np); +- if (!match_id) +- continue; +- ret = genpd_parse_state(&st[i++], np); +- if (ret) { +- pr_err +- ("Parsing idle state node %pOF failed with err %d\n", +- np, ret); +- of_node_put(np); +- kfree(st); +- return ret; +- } ++ ret = genpd_iterate_idle_states(dn, st); ++ if (ret <= 0) { ++ kfree(st); ++ return ret < 0 ? ret : -EINVAL; + } + +- *n = i; +- if (!i) +- kfree(st); +- else +- *states = st; ++ *states = st; ++ *n = ret; + + return 0; + } diff --git a/queue-4.14/pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch b/queue-4.14/pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch new file mode 100644 index 00000000000..2bffa12d7d3 --- /dev/null +++ b/queue-4.14/pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch @@ -0,0 +1,70 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Tony Lindgren +Date: Fri, 9 Feb 2018 08:11:26 -0800 +Subject: PM / wakeirq: Fix unbalanced IRQ enable for wakeirq + +From: Tony Lindgren + + +[ Upstream commit 69728051f5bf15efaf6edfbcfe1b5a49a2437918 ] + +If a device is runtime PM suspended when we enter suspend and has +a dedicated wake IRQ, we can get the following warning: + +WARNING: CPU: 0 PID: 108 at kernel/irq/manage.c:526 enable_irq+0x40/0x94 +[ 102.087860] Unbalanced enable for IRQ 147 +... +(enable_irq) from [] (dev_pm_arm_wake_irq+0x4c/0x60) +(dev_pm_arm_wake_irq) from [] + (device_wakeup_arm_wake_irqs+0x58/0x9c) +(device_wakeup_arm_wake_irqs) from [] +(dpm_suspend_noirq+0x10/0x48) +(dpm_suspend_noirq) from [] +(suspend_devices_and_enter+0x30c/0xf14) +(suspend_devices_and_enter) from [] +(enter_state+0xad4/0xbd8) +(enter_state) from [] (pm_suspend+0x38/0x98) +(pm_suspend) from [] (state_store+0x68/0xc8) + +This is because the dedicated wake IRQ for the device may have been +already enabled earlier by dev_pm_enable_wake_irq_check(). Fix the +issue by checking for runtime PM suspended status. + +This issue can be easily reproduced by setting serial console log level +to zero, letting the serial console idle, and suspend the system from +an ssh terminal. On resume, dmesg will have the warning above. + +The reason why I have not run into this issue earlier has been that I +typically run my PM test cases from on a serial console instead over ssh. + +Fixes: c84345597558 (PM / wakeirq: Enable dedicated wakeirq for suspend) +Signed-off-by: Tony Lindgren +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/wakeirq.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/base/power/wakeirq.c ++++ b/drivers/base/power/wakeirq.c +@@ -323,7 +323,8 @@ void dev_pm_arm_wake_irq(struct wake_irq + return; + + if (device_may_wakeup(wirq->dev)) { +- if (wirq->status & WAKE_IRQ_DEDICATED_ALLOCATED) ++ if (wirq->status & WAKE_IRQ_DEDICATED_ALLOCATED && ++ !pm_runtime_status_suspended(wirq->dev)) + enable_irq(wirq->irq); + + enable_irq_wake(wirq->irq); +@@ -345,7 +346,8 @@ void dev_pm_disarm_wake_irq(struct wake_ + if (device_may_wakeup(wirq->dev)) { + disable_irq_wake(wirq->irq); + +- if (wirq->status & WAKE_IRQ_DEDICATED_ALLOCATED) ++ if (wirq->status & WAKE_IRQ_DEDICATED_ALLOCATED && ++ !pm_runtime_status_suspended(wirq->dev)) + disable_irq_nosync(wirq->irq); + } + } diff --git a/queue-4.14/powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch b/queue-4.14/powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch new file mode 100644 index 00000000000..02ba86147af --- /dev/null +++ b/queue-4.14/powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: "Aneesh Kumar K.V" +Date: Tue, 13 Feb 2018 16:39:33 +0530 +Subject: powerpc/mm/hash64: Zero PGD pages on allocation + +From: "Aneesh Kumar K.V" + + +[ Upstream commit fc5c2f4a55a2c258e12013cdf287cf266dbcd2a7 ] + +On powerpc we allocate page table pages from slab caches of different +sizes. Currently we have a constructor that zeroes out the objects when +we allocate them for the first time. + +We expect the objects to be zeroed out when we free the the object +back to slab cache. This happens in the unmap path. For hugetlb pages +we call huge_pte_get_and_clear() to do that. + +With the current configuration of page table size, both PUD and PGD +level tables are allocated from the same slab cache. At the PUD level, +we use the second half of the table to store the slot information. But +we never clear that when unmapping. + +When such a freed object is then allocated for a PGD page, the second +half of the page table page will not be zeroed as expected. This +results in a kernel crash. + +Fix it by always clearing PGD pages when they're allocated. + +Signed-off-by: Aneesh Kumar K.V +[mpe: Change log wording and formatting, add whitespace] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/book3s/64/pgalloc.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/book3s/64/pgalloc.h ++++ b/arch/powerpc/include/asm/book3s/64/pgalloc.h +@@ -73,10 +73,16 @@ static inline void radix__pgd_free(struc + + static inline pgd_t *pgd_alloc(struct mm_struct *mm) + { ++ pgd_t *pgd; ++ + if (radix_enabled()) + return radix__pgd_alloc(mm); +- return kmem_cache_alloc(PGT_CACHE(PGD_INDEX_SIZE), +- pgtable_gfp_flags(mm, GFP_KERNEL)); ++ ++ pgd = kmem_cache_alloc(PGT_CACHE(PGD_INDEX_SIZE), ++ pgtable_gfp_flags(mm, GFP_KERNEL)); ++ memset(pgd, 0, PGD_TABLE_SIZE); ++ ++ return pgd; + } + + static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd) diff --git a/queue-4.14/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch b/queue-4.14/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch new file mode 100644 index 00000000000..68da72ff774 --- /dev/null +++ b/queue-4.14/powerpc-numa-ensure-nodes-initialized-for-hotplug.patch @@ -0,0 +1,137 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Michael Bringmann +Date: Tue, 28 Nov 2017 16:58:40 -0600 +Subject: powerpc/numa: Ensure nodes initialized for hotplug + +From: Michael Bringmann + + +[ Upstream commit ea05ba7c559c8e5a5946c3a94a2a266e9a6680a6 ] + +This patch fixes some problems encountered at runtime with +configurations that support memory-less nodes, or that hot-add CPUs +into nodes that are memoryless during system execution after boot. The +problems of interest include: + +* Nodes known to powerpc to be memoryless at boot, but to have CPUs in + them are allowed to be 'possible' and 'online'. Memory allocations + for those nodes are taken from another node that does have memory + until and if memory is hot-added to the node. + +* Nodes which have no resources assigned at boot, but which may still + be referenced subsequently by affinity or associativity attributes, + are kept in the list of 'possible' nodes for powerpc. Hot-add of + memory or CPUs to the system can reference these nodes and bring + them online instead of redirecting the references to one of the set + of nodes known to have memory at boot. + +Note that this software operates under the context of CPU hotplug. We +are not doing memory hotplug in this code, but rather updating the +kernel's CPU topology (i.e. arch_update_cpu_topology / +numa_update_cpu_topology). We are initializing a node that may be used +by CPUs or memory before it can be referenced as invalid by a CPU +hotplug operation. CPU hotplug operations are protected by a range of +APIs including cpu_maps_update_begin/cpu_maps_update_done, +cpus_read/write_lock / cpus_read/write_unlock, device locks, and more. +Memory hotplug operations, including try_online_node, are protected by +mem_hotplug_begin/mem_hotplug_done, device locks, and more. In the +case of CPUs being hot-added to a previously memoryless node, the +try_online_node operation occurs wholly within the CPU locks with no +overlap. Using HMC hot-add/hot-remove operations, we have been able to +add and remove CPUs to any possible node without failures. HMC +operations involve a degree self-serialization, though. + +Signed-off-by: Michael Bringmann +Reviewed-by: Nathan Fontenot +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/numa.c | 47 +++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 37 insertions(+), 10 deletions(-) + +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -546,7 +546,7 @@ static int numa_setup_cpu(unsigned long + nid = of_node_to_nid_single(cpu); + + out_present: +- if (nid < 0 || !node_online(nid)) ++ if (nid < 0 || !node_possible(nid)) + nid = first_online_node; + + map_cpu_to_node(lcpu, nid); +@@ -905,10 +905,8 @@ static void __init find_possible_nodes(v + goto out; + + for (i = 0; i < numnodes; i++) { +- if (!node_possible(i)) { +- setup_node_data(i, 0, 0); ++ if (!node_possible(i)) + node_set(i, node_possible_map); +- } + } + + out: +@@ -1277,6 +1275,40 @@ static long vphn_get_associativity(unsig + return rc; + } + ++static inline int find_and_online_cpu_nid(int cpu) ++{ ++ __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; ++ int new_nid; ++ ++ /* Use associativity from first thread for all siblings */ ++ vphn_get_associativity(cpu, associativity); ++ new_nid = associativity_to_nid(associativity); ++ if (new_nid < 0 || !node_possible(new_nid)) ++ new_nid = first_online_node; ++ ++ if (NODE_DATA(new_nid) == NULL) { ++#ifdef CONFIG_MEMORY_HOTPLUG ++ /* ++ * Need to ensure that NODE_DATA is initialized for a node from ++ * available memory (see memblock_alloc_try_nid). If unable to ++ * init the node, then default to nearest node that has memory ++ * installed. ++ */ ++ if (try_online_node(new_nid)) ++ new_nid = first_online_node; ++#else ++ /* ++ * Default to using the nearest node that has memory installed. ++ * Otherwise, it would be necessary to patch the kernel MM code ++ * to deal with more memoryless-node error conditions. ++ */ ++ new_nid = first_online_node; ++#endif ++ } ++ ++ return new_nid; ++} ++ + /* + * Update the CPU maps and sysfs entries for a single CPU when its NUMA + * characteristics change. This function doesn't perform any locking and is +@@ -1344,7 +1376,6 @@ int numa_update_cpu_topology(bool cpus_l + { + unsigned int cpu, sibling, changed = 0; + struct topology_update_data *updates, *ud; +- __be32 associativity[VPHN_ASSOC_BUFSIZE] = {0}; + cpumask_t updated_cpus; + struct device *dev; + int weight, new_nid, i = 0; +@@ -1379,11 +1410,7 @@ int numa_update_cpu_topology(bool cpus_l + continue; + } + +- /* Use associativity from first thread for all siblings */ +- vphn_get_associativity(cpu, associativity); +- new_nid = associativity_to_nid(associativity); +- if (new_nid < 0 || !node_online(new_nid)) +- new_nid = first_online_node; ++ new_nid = find_and_online_cpu_nid(cpu); + + if (new_nid == numa_cpu_lookup_table[cpu]) { + cpumask_andnot(&cpu_associativity_changes_mask, diff --git a/queue-4.14/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch b/queue-4.14/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch new file mode 100644 index 00000000000..23ddb67f0dd --- /dev/null +++ b/queue-4.14/powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch @@ -0,0 +1,132 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Michael Bringmann +Date: Tue, 28 Nov 2017 16:58:36 -0600 +Subject: powerpc/numa: Use ibm,max-associativity-domains to discover possible nodes + +From: Michael Bringmann + + +[ Upstream commit a346137e9142b039fd13af2e59696e3d40c487ef ] + +On powerpc systems which allow 'hot-add' of CPU or memory resources, +it may occur that the new resources are to be inserted into nodes that +were not used for these resources at bootup. In the kernel, any node +that is used must be defined and initialized. These empty nodes may +occur when, + +* Dedicated vs. shared resources. Shared resources require information + such as the VPHN hcall for CPU assignment to nodes. Associativity + decisions made based on dedicated resource rules, such as + associativity properties in the device tree, may vary from decisions + made using the values returned by the VPHN hcall. + +* memoryless nodes at boot. Nodes need to be defined as 'possible' at + boot for operation with other code modules. Previously, the powerpc + code would limit the set of possible nodes to those which have + memory assigned at boot, and were thus online. Subsequent add/remove + of CPUs or memory would only work with this subset of possible + nodes. + +* memoryless nodes with CPUs at boot. Due to the previous restriction + on nodes, nodes that had CPUs but no memory were being collapsed + into other nodes that did have memory at boot. In practice this + meant that the node assignment presented by the runtime kernel + differed from the affinity and associativity attributes presented by + the device tree or VPHN hcalls. Nodes that might be known to the + pHyp were not 'possible' in the runtime kernel because they did not + have memory at boot. + +This patch ensures that sufficient nodes are defined to support +configuration requirements after boot, as well as at boot. This patch +set fixes a couple of problems. + +* Nodes known to powerpc to be memoryless at boot, but to have CPUs in + them are allowed to be 'possible' and 'online'. Memory allocations + for those nodes are taken from another node that does have memory + until and if memory is hot-added to the node. * Nodes which have no + resources assigned at boot, but which may still be referenced + subsequently by affinity or associativity attributes, are kept in + the list of 'possible' nodes for powerpc. Hot-add of memory or CPUs + to the system can reference these nodes and bring them online + instead of redirecting to one of the set of nodes that were known to + have memory at boot. + +This patch extracts the value of the lowest domain level (number of +allocable resources) from the device tree property +"ibm,max-associativity-domains" to use as the maximum number of nodes +to setup as possibly available in the system. This new setting will +override the instruction: + + nodes_and(node_possible_map, node_possible_map, node_online_map); + +presently seen in the function arch/powerpc/mm/numa.c:initmem_init(). + +If the "ibm,max-associativity-domains" property is not present at +boot, no operation will be performed to define or enable additional +nodes, or enable the above 'nodes_and()'. + +Signed-off-by: Michael Bringmann +Reviewed-by: Nathan Fontenot +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/numa.c | 37 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 34 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/mm/numa.c ++++ b/arch/powerpc/mm/numa.c +@@ -887,6 +887,34 @@ static void __init setup_node_data(int n + NODE_DATA(nid)->node_spanned_pages = spanned_pages; + } + ++static void __init find_possible_nodes(void) ++{ ++ struct device_node *rtas; ++ u32 numnodes, i; ++ ++ if (min_common_depth <= 0) ++ return; ++ ++ rtas = of_find_node_by_path("/rtas"); ++ if (!rtas) ++ return; ++ ++ if (of_property_read_u32_index(rtas, ++ "ibm,max-associativity-domains", ++ min_common_depth, &numnodes)) ++ goto out; ++ ++ for (i = 0; i < numnodes; i++) { ++ if (!node_possible(i)) { ++ setup_node_data(i, 0, 0); ++ node_set(i, node_possible_map); ++ } ++ } ++ ++out: ++ of_node_put(rtas); ++} ++ + void __init initmem_init(void) + { + int nid, cpu; +@@ -900,12 +928,15 @@ void __init initmem_init(void) + memblock_dump_all(); + + /* +- * Reduce the possible NUMA nodes to the online NUMA nodes, +- * since we do not support node hotplug. This ensures that we +- * lower the maximum NUMA node ID to what is actually present. ++ * Modify the set of possible NUMA nodes to reflect information ++ * available about the set of online nodes, and the set of nodes ++ * that we expect to make use of for this platform's affinity ++ * calculations. + */ + nodes_and(node_possible_map, node_possible_map, node_online_map); + ++ find_possible_nodes(); ++ + for_each_online_node(nid) { + unsigned long start_pfn, end_pfn; + diff --git a/queue-4.14/powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch b/queue-4.14/powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch new file mode 100644 index 00000000000..47a33cc4bfd --- /dev/null +++ b/queue-4.14/powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch @@ -0,0 +1,65 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Nicholas Piggin +Date: Tue, 13 Feb 2018 17:45:11 +1000 +Subject: powerpc/powernv: IMC fix out of bounds memory access at shutdown + +From: Nicholas Piggin + + +[ Upstream commit e7bde88cdb4f0e432398a7d29ca2a15d2c18952a ] + +The OPAL IMC driver's shutdown handler disables nest PMU counters by +walking nodes and taking the first CPU out of their cpumask, which is +used to index into the paca (get_hard_smp_processor_id()). This does +not always do the right thing, and in particular for CPU-less nodes it +returns NR_CPUS and that overruns the paca and dereferences random +memory. + +Fix it by being more careful about checking returned CPU, and only +using online CPUs. It's not clear this shutdown code makes sense after +commit 885dcd709b ("powerpc/perf: Add nest IMC PMU support"), but this +should not make things worse + +Currently the bug causes us to call OPAL with a junk CPU number. A +separate patch in development to change the way pacas are allocated +escalates this bug into a crash: + + Unable to handle kernel paging request for data at address 0x2a21af1eeb000076 + Faulting instruction address: 0xc0000000000a5468 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP opal_imc_counters_shutdown+0x148/0x1d0 + LR opal_imc_counters_shutdown+0x134/0x1d0 + Call Trace: + opal_imc_counters_shutdown+0x134/0x1d0 (unreliable) + platform_drv_shutdown+0x44/0x60 + device_shutdown+0x1f8/0x350 + kernel_restart_prepare+0x54/0x70 + kernel_restart+0x28/0xc0 + SyS_reboot+0x1d0/0x2c0 + system_call+0x58/0x6c + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/opal-imc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/opal-imc.c ++++ b/arch/powerpc/platforms/powernv/opal-imc.c +@@ -126,9 +126,11 @@ static void disable_nest_pmu_counters(vo + const struct cpumask *l_cpumask; + + get_online_cpus(); +- for_each_online_node(nid) { ++ for_each_node_with_cpus(nid) { + l_cpumask = cpumask_of_node(nid); +- cpu = cpumask_first(l_cpumask); ++ cpu = cpumask_first_and(l_cpumask, cpu_online_mask); ++ if (cpu >= nr_cpu_ids) ++ continue; + opal_imc_counters_stop(OPAL_IMC_COUNTERS_NEST, + get_hard_smp_processor_id(cpu)); + } diff --git a/queue-4.14/powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch b/queue-4.14/powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch new file mode 100644 index 00000000000..acc9287eeed --- /dev/null +++ b/queue-4.14/powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Nicholas Piggin +Date: Sun, 24 Dec 2017 02:49:22 +1000 +Subject: powerpc: System reset avoid interleaving oops using die synchronisation + +From: Nicholas Piggin + + +[ Upstream commit 4552d128c26e0f0f27a5bd2fadc24092b8f6c1d7 ] + +The die() oops path contains a serializing lock to prevent oops +messages from being interleaved. In the case of a system reset +initiated oops (e.g., qemu nmi command), __die was being called +which lacks that synchronisation and oops reports could be +interleaved across CPUs. + +A recent patch 4388c9b3a6ee7 ("powerpc: Do not send system reset +request through the oops path") changed this to __die to avoid +the debugger() call, but there is no real harm to calling it twice +if the first time fell through. So go back to using die() here. +This was observed to fix the problem. + +Fixes: 4388c9b3a6ee7 ("powerpc: Do not send system reset request through the oops path") +Signed-off-by: Nicholas Piggin +Reviewed-by: David Gibson +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -336,7 +336,7 @@ void system_reset_exception(struct pt_re + * No debugger or crash dump registered, print logs then + * panic. + */ +- __die("System Reset", regs, SIGABRT); ++ die("System Reset", regs, SIGABRT); + + mdelay(2*MSEC_PER_SEC); /* Wait a little while for others to print */ + add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); diff --git a/queue-4.14/proc-fix-proc-map_files-lookup.patch b/queue-4.14/proc-fix-proc-map_files-lookup.patch new file mode 100644 index 00000000000..eb1ee557174 --- /dev/null +++ b/queue-4.14/proc-fix-proc-map_files-lookup.patch @@ -0,0 +1,106 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Alexey Dobriyan +Date: Tue, 6 Feb 2018 15:36:59 -0800 +Subject: proc: fix /proc/*/map_files lookup + +From: Alexey Dobriyan + + +[ Upstream commit ac7f1061c2c11bb8936b1b6a94cdb48de732f7a4 ] + +Current code does: + + if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) + +However sscanf() is broken garbage. + +It silently accepts whitespace between format specifiers +(did you know that?). + +It silently accepts valid strings which result in integer overflow. + +Do not use sscanf() for any even remotely reliable parsing code. + + OK + # readlink '/proc/1/map_files/55a23af39000-55a23b05b000' + /lib/systemd/systemd + + broken + # readlink '/proc/1/map_files/ 55a23af39000-55a23b05b000' + /lib/systemd/systemd + + broken + # readlink '/proc/1/map_files/55a23af39000-55a23b05b000 ' + /lib/systemd/systemd + + very broken + # readlink '/proc/1/map_files/1000000000000000055a23af39000-55a23b05b000' + /lib/systemd/systemd + +Andrei said: + +: This patch breaks criu. It was a bug in criu. And this bug is on a minor +: path, which works when memfd_create() isn't available. It is a reason why +: I ask to not backport this patch to stable kernels. +: +: In CRIU this bug can be triggered, only if this patch will be backported +: to a kernel which version is lower than v3.16. + +Link: http://lkml.kernel.org/r/20171120212706.GA14325@avx2 +Signed-off-by: Alexey Dobriyan +Cc: Pavel Emelyanov +Cc: Andrei Vagin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/base.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -100,6 +100,8 @@ + #include "internal.h" + #include "fd.h" + ++#include "../../lib/kstrtox.h" ++ + /* NOTE: + * Implementing inode permission operations in /proc is almost + * certainly an error. Permission checks need to happen during +@@ -1908,8 +1910,33 @@ end_instantiate: + static int dname_to_vma_addr(struct dentry *dentry, + unsigned long *start, unsigned long *end) + { +- if (sscanf(dentry->d_name.name, "%lx-%lx", start, end) != 2) ++ const char *str = dentry->d_name.name; ++ unsigned long long sval, eval; ++ unsigned int len; ++ ++ len = _parse_integer(str, 16, &sval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (sval != (unsigned long)sval) ++ return -EINVAL; ++ str += len; ++ ++ if (*str != '-') + return -EINVAL; ++ str++; ++ ++ len = _parse_integer(str, 16, &eval); ++ if (len & KSTRTOX_OVERFLOW) ++ return -EINVAL; ++ if (eval != (unsigned long)eval) ++ return -EINVAL; ++ str += len; ++ ++ if (*str != '\0') ++ return -EINVAL; ++ ++ *start = sval; ++ *end = eval; + + return 0; + } diff --git a/queue-4.14/rdma-cma-check-existence-of-netdevice-during-port-validation.patch b/queue-4.14/rdma-cma-check-existence-of-netdevice-during-port-validation.patch new file mode 100644 index 00000000000..d6d4cddb766 --- /dev/null +++ b/queue-4.14/rdma-cma-check-existence-of-netdevice-during-port-validation.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Parav Pandit +Date: Tue, 9 Jan 2018 15:58:54 +0200 +Subject: RDMA/cma: Check existence of netdevice during port validation + +From: Parav Pandit + + +[ Upstream commit 00db63c128dd3daf38f481371976c24d32678142 ] + +If valid netdevice is not found for RoCE, GID table should not be +searched with NULL netdevice. + +Doing so causes the search routines to ignore the netdev argument and may +match the wrong GID table entry if the netdev is deleted. + +Fixes: abae1b71dd37 ("IB/cma: cma_validate_port should verify the port and netdevice") +Signed-off-by: Parav Pandit +Reviewed-by: Mark Bloch +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -624,11 +624,13 @@ static inline int cma_validate_port(stru + if ((dev_type != ARPHRD_INFINIBAND) && rdma_protocol_ib(device, port)) + return ret; + +- if (dev_type == ARPHRD_ETHER && rdma_protocol_roce(device, port)) ++ if (dev_type == ARPHRD_ETHER && rdma_protocol_roce(device, port)) { + ndev = dev_get_by_index(&init_net, bound_if_index); +- else ++ if (!ndev) ++ return ret; ++ } else { + gid_type = IB_GID_TYPE_IB; +- ++ } + + ret = ib_find_cached_gid_by_port(device, gid, gid_type, port, + ndev, NULL); diff --git a/queue-4.14/rdma-core-clarify-rdma_ah_find_type.patch b/queue-4.14/rdma-core-clarify-rdma_ah_find_type.patch new file mode 100644 index 00000000000..d1f36a61fa9 --- /dev/null +++ b/queue-4.14/rdma-core-clarify-rdma_ah_find_type.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Parav Pandit +Date: Fri, 12 Jan 2018 07:58:42 +0200 +Subject: RDMA/core: Clarify rdma_ah_find_type + +From: Parav Pandit + + +[ Upstream commit a6532e7139660c103dda181aa5b2c734aa26ed6c ] + +iWARP does not use rdma_ah_attr_type, and for this reason we do not have a +RDMA_AH_ATTR_TYPE_IWARP. rdma_ah_find_type should not even be called on iwarp +ports and for clarity it shouldn't have a special test for iWarp. + +This changes the result from RDMA_AH_ATTR_TYPE_ROCE to RDMA_AH_ATTR_TYPE_IB +when wrongly called on an iWarp port. + +Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types") +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/rdma/ib_verbs.h | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/include/rdma/ib_verbs.h ++++ b/include/rdma/ib_verbs.h +@@ -3766,8 +3766,7 @@ static inline void rdma_ah_set_grh(struc + static inline enum rdma_ah_attr_type rdma_ah_find_type(struct ib_device *dev, + u32 port_num) + { +- if ((rdma_protocol_roce(dev, port_num)) || +- (rdma_protocol_iwarp(dev, port_num))) ++ if (rdma_protocol_roce(dev, port_num)) + return RDMA_AH_ATTR_TYPE_ROCE; + else if ((rdma_protocol_ib(dev, port_num)) && + (rdma_cap_opa_ah(dev, port_num))) diff --git a/queue-4.14/rdma-core-reduce-poll-batch-for-direct-cq-polling.patch b/queue-4.14/rdma-core-reduce-poll-batch-for-direct-cq-polling.patch new file mode 100644 index 00000000000..718f9ebc3c4 --- /dev/null +++ b/queue-4.14/rdma-core-reduce-poll-batch-for-direct-cq-polling.patch @@ -0,0 +1,107 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Max Gurtovoy +Date: Mon, 5 Mar 2018 20:09:48 +0200 +Subject: RDMA/core: Reduce poll batch for direct cq polling + +From: Max Gurtovoy + + +[ Upstream commit d3b9e8ad425cfd5b9116732e057f1b48e4d3bcb8 ] + +Fix warning limit for kernel stack consumption: + +drivers/infiniband/core/cq.c: In function 'ib_process_cq_direct': +drivers/infiniband/core/cq.c:78:1: error: the frame size of 1032 bytes +is larger than 1024 bytes [-Werror=frame-larger-than=] + +Using smaller ib_wc array on the stack brings us comfortably below that +limit again. + +Fixes: 246d8b184c10 ("IB/cq: Don't force IB_POLL_DIRECT poll context for ib_process_cq_direct") +Reported-by: Arnd Bergmann +Reviewed-by: Sergey Gorenko +Signed-off-by: Max Gurtovoy +Signed-off-by: Leon Romanovsky +Reviewed-by: Bart Van Assche +Acked-by: Arnd Bergmann +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cq.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/core/cq.c ++++ b/drivers/infiniband/core/cq.c +@@ -17,6 +17,7 @@ + + /* # of WCs to poll for with a single call to ib_poll_cq */ + #define IB_POLL_BATCH 16 ++#define IB_POLL_BATCH_DIRECT 8 + + /* # of WCs to iterate over before yielding */ + #define IB_POLL_BUDGET_IRQ 256 +@@ -25,18 +26,18 @@ + #define IB_POLL_FLAGS \ + (IB_CQ_NEXT_COMP | IB_CQ_REPORT_MISSED_EVENTS) + +-static int __ib_process_cq(struct ib_cq *cq, int budget, struct ib_wc *poll_wc) ++static int __ib_process_cq(struct ib_cq *cq, int budget, struct ib_wc *wcs, ++ int batch) + { + int i, n, completed = 0; +- struct ib_wc *wcs = poll_wc ? : cq->wc; + + /* + * budget might be (-1) if the caller does not + * want to bound this call, thus we need unsigned + * minimum here. + */ +- while ((n = ib_poll_cq(cq, min_t(u32, IB_POLL_BATCH, +- budget - completed), wcs)) > 0) { ++ while ((n = ib_poll_cq(cq, min_t(u32, batch, ++ budget - completed), wcs)) > 0) { + for (i = 0; i < n; i++) { + struct ib_wc *wc = &wcs[i]; + +@@ -48,8 +49,7 @@ static int __ib_process_cq(struct ib_cq + + completed += n; + +- if (n != IB_POLL_BATCH || +- (budget != -1 && completed >= budget)) ++ if (n != batch || (budget != -1 && completed >= budget)) + break; + } + +@@ -72,9 +72,9 @@ static int __ib_process_cq(struct ib_cq + */ + int ib_process_cq_direct(struct ib_cq *cq, int budget) + { +- struct ib_wc wcs[IB_POLL_BATCH]; ++ struct ib_wc wcs[IB_POLL_BATCH_DIRECT]; + +- return __ib_process_cq(cq, budget, wcs); ++ return __ib_process_cq(cq, budget, wcs, IB_POLL_BATCH_DIRECT); + } + EXPORT_SYMBOL(ib_process_cq_direct); + +@@ -88,7 +88,7 @@ static int ib_poll_handler(struct irq_po + struct ib_cq *cq = container_of(iop, struct ib_cq, iop); + int completed; + +- completed = __ib_process_cq(cq, budget, NULL); ++ completed = __ib_process_cq(cq, budget, cq->wc, IB_POLL_BATCH); + if (completed < budget) { + irq_poll_complete(&cq->iop); + if (ib_req_notify_cq(cq, IB_POLL_FLAGS) > 0) +@@ -108,7 +108,8 @@ static void ib_cq_poll_work(struct work_ + struct ib_cq *cq = container_of(work, struct ib_cq, work); + int completed; + +- completed = __ib_process_cq(cq, IB_POLL_BUDGET_WORKQUEUE, NULL); ++ completed = __ib_process_cq(cq, IB_POLL_BUDGET_WORKQUEUE, cq->wc, ++ IB_POLL_BATCH); + if (completed >= IB_POLL_BUDGET_WORKQUEUE || + ib_req_notify_cq(cq, IB_POLL_FLAGS) > 0) + queue_work(ib_comp_wq, &cq->work); diff --git a/queue-4.14/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch b/queue-4.14/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch new file mode 100644 index 00000000000..eead1f1b04a --- /dev/null +++ b/queue-4.14/rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch @@ -0,0 +1,44 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Leon Romanovsky +Date: Sun, 28 Jan 2018 11:25:30 +0200 +Subject: RDMA/mlx5: Avoid memory leak in case of XRCD dealloc failure + +From: Leon Romanovsky + + +[ Upstream commit b081808a66345ba725b77ecd8d759bee874cd937 ] + +Failure in XRCD FW deallocation command leaves memory leaked and +returns error to the user which he can't do anything about it. + +This patch changes behavior to always free memory and always return +success to the user. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Reviewed-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Reviewed-by: Yuval Shaia +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/qp.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -4636,13 +4636,10 @@ int mlx5_ib_dealloc_xrcd(struct ib_xrcd + int err; + + err = mlx5_core_xrcd_dealloc(dev->mdev, xrcdn); +- if (err) { ++ if (err) + mlx5_ib_warn(dev, "failed to dealloc xrcdn 0x%x\n", xrcdn); +- return err; +- } + + kfree(xrcd); +- + return 0; + } + diff --git a/queue-4.14/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch b/queue-4.14/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch new file mode 100644 index 00000000000..7c9af786c38 --- /dev/null +++ b/queue-4.14/rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch @@ -0,0 +1,77 @@ +From 75a4598209cbe45540baa316c3b51d9db222e96e Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Sun, 11 Mar 2018 13:51:32 +0200 +Subject: RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs + +From: Leon Romanovsky + +commit 75a4598209cbe45540baa316c3b51d9db222e96e upstream. + +mlx5 modify_qp() relies on FW that the error will be thrown if wrong +state is supplied. The missing check in FW causes the following crash +while using XRC_TGT QPs. + +[ 14.769632] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 14.771085] IP: mlx5_ib_modify_qp+0xf60/0x13f0 +[ 14.771894] PGD 800000001472e067 P4D 800000001472e067 PUD 14529067 PMD 0 +[ 14.773126] Oops: 0002 [#1] SMP PTI +[ 14.773763] CPU: 0 PID: 365 Comm: ubsan Not tainted 4.16.0-rc1-00038-g8151138c0793 #119 +[ 14.775192] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +[ 14.777522] RIP: 0010:mlx5_ib_modify_qp+0xf60/0x13f0 +[ 14.778417] RSP: 0018:ffffbf48001c7bd8 EFLAGS: 00010246 +[ 14.779346] RAX: 0000000000000000 RBX: ffff9a8f9447d400 RCX: 0000000000000000 +[ 14.780643] RDX: 0000000000000000 RSI: 000000000000000a RDI: 0000000000000000 +[ 14.781930] RBP: 0000000000000000 R08: 00000000000217b0 R09: ffffffffbc9c1504 +[ 14.783214] R10: fffff4a180519480 R11: ffff9a8f94523600 R12: ffff9a8f9493e240 +[ 14.784507] R13: ffff9a8f9447d738 R14: 000000000000050a R15: 0000000000000000 +[ 14.785800] FS: 00007f545b466700(0000) GS:ffff9a8f9fc00000(0000) knlGS:0000000000000000 +[ 14.787073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 14.787792] CR2: 0000000000000000 CR3: 00000000144be000 CR4: 00000000000006b0 +[ 14.788689] Call Trace: +[ 14.789007] _ib_modify_qp+0x71/0x120 +[ 14.789475] modify_qp.isra.20+0x207/0x2f0 +[ 14.790010] ib_uverbs_modify_qp+0x90/0xe0 +[ 14.790532] ib_uverbs_write+0x1d2/0x3c0 +[ 14.791049] ? __handle_mm_fault+0x93c/0xe40 +[ 14.791644] __vfs_write+0x36/0x180 +[ 14.792096] ? handle_mm_fault+0xc1/0x210 +[ 14.792601] vfs_write+0xad/0x1e0 +[ 14.793018] SyS_write+0x52/0xc0 +[ 14.793422] do_syscall_64+0x75/0x180 +[ 14.793888] entry_SYSCALL_64_after_hwframe+0x21/0x86 +[ 14.794527] RIP: 0033:0x7f545ad76099 +[ 14.794975] RSP: 002b:00007ffd78787468 EFLAGS: 00000287 ORIG_RAX: 0000000000000001 +[ 14.795958] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f545ad76099 +[ 14.797075] RDX: 0000000000000078 RSI: 0000000020009000 RDI: 0000000000000003 +[ 14.798140] RBP: 00007ffd78787470 R08: 00007ffd78787480 R09: 00007ffd78787480 +[ 14.799207] R10: 00007ffd78787480 R11: 0000000000000287 R12: 00005599ada98760 +[ 14.800277] R13: 00007ffd78787560 R14: 0000000000000000 R15: 0000000000000000 +[ 14.801341] Code: 4c 8b 1c 24 48 8b 83 70 02 00 00 48 c7 83 cc 02 00 +00 00 00 00 00 48 c7 83 24 03 00 00 00 00 00 00 c7 83 2c 03 00 00 00 00 +00 00 00 00 00 00 00 48 8b 83 70 02 00 00 c7 40 04 00 00 00 00 4c +[ 14.804012] RIP: mlx5_ib_modify_qp+0xf60/0x13f0 RSP: ffffbf48001c7bd8 +[ 14.804838] CR2: 0000000000000000 +[ 14.805288] ---[ end trace 3f1da0df5c8b7c37 ]--- + +Cc: syzkaller +Reported-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx5/qp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -2923,7 +2923,8 @@ static int __mlx5_ib_modify_qp(struct ib + * If we moved a kernel QP to RESET, clean up all old CQ + * entries and reinitialize the QP. + */ +- if (new_state == IB_QPS_RESET && !ibqp->uobject) { ++ if (new_state == IB_QPS_RESET && ++ !ibqp->uobject && ibqp->qp_type != IB_QPT_XRC_TGT) { + mlx5_ib_cq_clean(recv_cq, base->mqp.qpn, + ibqp->srq ? to_msrq(ibqp->srq) : NULL); + if (send_cq != recv_cq) diff --git a/queue-4.14/rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch b/queue-4.14/rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch new file mode 100644 index 00000000000..57795d67661 --- /dev/null +++ b/queue-4.14/rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch @@ -0,0 +1,77 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jason Gunthorpe +Date: Wed, 24 Jan 2018 19:58:34 -0700 +Subject: RDMA/uverbs: Use an unambiguous errno for method not supported + +From: Jason Gunthorpe + + +[ Upstream commit 3624a8f02568f08aef299d3b117f2226f621177d ] + +Returning EOPNOTSUPP is problematic because it can also be +returned by the method function, and we use it in quite a few +places in drivers these days. + +Instead, dedicate EPROTONOSUPPORT to indicate that the ioctl framework +is enabled but the requested object and method are not supported by +the kernel. No other case will return this code, and it lets userspace +know to fall back to write(). + +grep says we do not use it today in drivers/infiniband subsystem. + +Signed-off-by: Jason Gunthorpe +Reviewed-by: Matan Barak +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_ioctl.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/core/uverbs_ioctl.c ++++ b/drivers/infiniband/core/uverbs_ioctl.c +@@ -245,16 +245,13 @@ static long ib_uverbs_cmd_verbs(struct i + uintptr_t data[UVERBS_OPTIMIZE_USING_STACK_SZ / sizeof(uintptr_t)]; + #endif + +- if (hdr->reserved) +- return -EINVAL; +- + object_spec = uverbs_get_object(ib_dev, hdr->object_id); + if (!object_spec) +- return -EOPNOTSUPP; ++ return -EPROTONOSUPPORT; + + method_spec = uverbs_get_method(object_spec, hdr->method_id); + if (!method_spec) +- return -EOPNOTSUPP; ++ return -EPROTONOSUPPORT; + + if ((method_spec->flags & UVERBS_ACTION_FLAG_CREATE_ROOT) ^ !file->ucontext) + return -EINVAL; +@@ -310,6 +307,16 @@ static long ib_uverbs_cmd_verbs(struct i + + err = uverbs_handle_method(buf, ctx->uattrs, hdr->num_attrs, ib_dev, + file, method_spec, ctx->uverbs_attr_bundle); ++ ++ /* ++ * EPROTONOSUPPORT is ONLY to be returned if the ioctl framework can ++ * not invoke the method because the request is not supported. No ++ * other cases should return this code. ++ */ ++ if (unlikely(err == -EPROTONOSUPPORT)) { ++ WARN_ON_ONCE(err == -EPROTONOSUPPORT); ++ err = -EINVAL; ++ } + out: + #ifdef UVERBS_OPTIMIZE_USING_STACK_SZ + if (ctx_size > UVERBS_OPTIMIZE_USING_STACK_SZ) +@@ -348,7 +355,7 @@ long ib_uverbs_ioctl(struct file *filp, + } + + if (hdr.reserved) { +- err = -EOPNOTSUPP; ++ err = -EPROTONOSUPPORT; + goto out; + } + diff --git a/queue-4.14/rds-ib-fix-null-pointer-issue.patch b/queue-4.14/rds-ib-fix-null-pointer-issue.patch new file mode 100644 index 00000000000..be3de21bb28 --- /dev/null +++ b/queue-4.14/rds-ib-fix-null-pointer-issue.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Guanglei Li +Date: Tue, 6 Feb 2018 10:43:21 +0800 +Subject: RDS: IB: Fix null pointer issue + +From: Guanglei Li + + +[ Upstream commit 2c0aa08631b86a4678dbc93b9caa5248014b4458 ] + +Scenario: +1. Port down and do fail over +2. Ap do rds_bind syscall + +PID: 47039 TASK: ffff89887e2fe640 CPU: 47 COMMAND: "kworker/u:6" + #0 [ffff898e35f159f0] machine_kexec at ffffffff8103abf9 + #1 [ffff898e35f15a60] crash_kexec at ffffffff810b96e3 + #2 [ffff898e35f15b30] oops_end at ffffffff8150f518 + #3 [ffff898e35f15b60] no_context at ffffffff8104854c + #4 [ffff898e35f15ba0] __bad_area_nosemaphore at ffffffff81048675 + #5 [ffff898e35f15bf0] bad_area_nosemaphore at ffffffff810487d3 + #6 [ffff898e35f15c00] do_page_fault at ffffffff815120b8 + #7 [ffff898e35f15d10] page_fault at ffffffff8150ea95 + [exception RIP: unknown or invalid address] + RIP: 0000000000000000 RSP: ffff898e35f15dc8 RFLAGS: 00010282 + RAX: 00000000fffffffe RBX: ffff889b77f6fc00 RCX:ffffffff81c99d88 + RDX: 0000000000000000 RSI: ffff896019ee08e8 RDI:ffff889b77f6fc00 + RBP: ffff898e35f15df0 R8: ffff896019ee08c8 R9:0000000000000000 + R10: 0000000000000400 R11: 0000000000000000 R12:ffff896019ee08c0 + R13: ffff889b77f6fe68 R14: ffffffff81c99d80 R15: ffffffffa022a1e0 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #8 [ffff898e35f15dc8] cma_ndev_work_handler at ffffffffa022a228 [rdma_cm] + #9 [ffff898e35f15df8] process_one_work at ffffffff8108a7c6 + #10 [ffff898e35f15e58] worker_thread at ffffffff8108bda0 + #11 [ffff898e35f15ee8] kthread at ffffffff81090fe6 + +PID: 45659 TASK: ffff880d313d2500 CPU: 31 COMMAND: "oracle_45659_ap" + #0 [ffff881024ccfc98] __schedule at ffffffff8150bac4 + #1 [ffff881024ccfd40] schedule at ffffffff8150c2cf + #2 [ffff881024ccfd50] __mutex_lock_slowpath at ffffffff8150cee7 + #3 [ffff881024ccfdc0] mutex_lock at ffffffff8150cdeb + #4 [ffff881024ccfde0] rdma_destroy_id at ffffffffa022a027 [rdma_cm] + #5 [ffff881024ccfe10] rds_ib_laddr_check at ffffffffa0357857 [rds_rdma] + #6 [ffff881024ccfe50] rds_trans_get_preferred at ffffffffa0324c2a [rds] + #7 [ffff881024ccfe80] rds_bind at ffffffffa031d690 [rds] + #8 [ffff881024ccfeb0] sys_bind at ffffffff8142a670 + +PID: 45659 PID: 47039 +rds_ib_laddr_check + /* create id_priv with a null event_handler */ + rdma_create_id + rdma_bind_addr + cma_acquire_dev + /* add id_priv to cma_dev->id_list */ + cma_attach_to_dev + cma_ndev_work_handler + /* event_hanlder is null */ + id_priv->id.event_handler + +Signed-off-by: Guanglei Li +Signed-off-by: Honglei Wang +Reviewed-by: Junxiao Bi +Reviewed-by: Yanjun Zhu +Reviewed-by: Leon Romanovsky +Acked-by: Santosh Shilimkar +Acked-by: Doug Ledford +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/ib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/rds/ib.c ++++ b/net/rds/ib.c +@@ -346,7 +346,8 @@ static int rds_ib_laddr_check(struct net + /* Create a CMA ID and try to bind it. This catches both + * IB and iWARP capable NICs. + */ +- cm_id = rdma_create_id(&init_net, NULL, NULL, RDMA_PS_TCP, IB_QPT_RC); ++ cm_id = rdma_create_id(&init_net, rds_rdma_cm_event_handler, ++ NULL, RDMA_PS_TCP, IB_QPT_RC); + if (IS_ERR(cm_id)) + return PTR_ERR(cm_id); + diff --git a/queue-4.14/revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch b/queue-4.14/revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch new file mode 100644 index 00000000000..147308b67bf --- /dev/null +++ b/queue-4.14/revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch @@ -0,0 +1,72 @@ +From 2c151b25441ae5c2da66472abd165af785c9ecd2 Mon Sep 17 00:00:00 2001 +From: Sean Christopherson +Date: Thu, 29 Mar 2018 14:48:30 -0700 +Subject: Revert "KVM: X86: Fix SMRAM accessing even if VM is shutdown" + +From: Sean Christopherson + +commit 2c151b25441ae5c2da66472abd165af785c9ecd2 upstream. + +The bug that led to commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5 +was a benign warning (no adverse affects other than the warning +itself) that was detected by syzkaller. Further inspection shows +that the WARN_ON in question, in handle_ept_misconfig(), is +unnecessary and flawed (this was also briefly discussed in the +original patch: https://patchwork.kernel.org/patch/10204649). + + * The WARN_ON is unnecessary as kvm_mmu_page_fault() will WARN + if reserved bits are set in the SPTEs, i.e. it covers the case + where an EPT misconfig occurred because of a KVM bug. + + * The WARN_ON is flawed because it will fire on any system error + code that is hit while handling the fault, e.g. -ENOMEM can be + returned by mmu_topup_memory_caches() while handling a legitmate + MMIO EPT misconfig. + +The original behavior of returning -EFAULT when userspace munmaps +an HVA without first removing the memslot is correct and desirable, +i.e. KVM is letting userspace know it has generated a bad address. +Returning RET_PF_EMULATE masks the WARN_ON in the EPT misconfig path, +but does not fix the underlying bug, i.e. the WARN_ON is bogus. + +Furthermore, returning RET_PF_EMULATE has the unwanted side effect of +causing KVM to attempt to emulate an instruction on any page fault +with an invalid HVA translation, e.g. a not-present EPT violation +on a VM_PFNMAP VMA whose fault handler failed to insert a PFN. + + * There is no guarantee that the fault is directly related to the + instruction, i.e. the fault could have been triggered by a side + effect memory access in the guest, e.g. while vectoring a #DB or + writing a tracing record. This could cause KVM to effectively + mask the fault if KVM doesn't model the behavior leading to the + fault, i.e. emulation could succeed and resume the guest. + + * If emulation does fail, KVM will return EMULATION_FAILED instead + of -EFAULT, which is a red herring as the user will either debug + a bogus emulation attempt or scratch their head wondering why we + were attempting emulation in the first place. + +TL;DR: revert to returning -EFAULT and remove the bogus WARN_ON in +handle_ept_misconfig in a future patch. + +This reverts commit 95e057e25892eaa48cad1e2d637b80d0f1a4fac5. + +Signed-off-by: Sean Christopherson +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -3019,7 +3019,7 @@ static int kvm_handle_bad_page(struct kv + return RET_PF_RETRY; + } + +- return RET_PF_EMULATE; ++ return -EFAULT; + } + + static void transparent_hugepage_adjust(struct kvm_vcpu *vcpu, diff --git a/queue-4.14/rxrpc-don-t-put-crypto-buffers-on-the-stack.patch b/queue-4.14/rxrpc-don-t-put-crypto-buffers-on-the-stack.patch new file mode 100644 index 00000000000..493c4a5654b --- /dev/null +++ b/queue-4.14/rxrpc-don-t-put-crypto-buffers-on-the-stack.patch @@ -0,0 +1,246 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: David Howells +Date: Thu, 8 Feb 2018 15:59:07 +0000 +Subject: rxrpc: Don't put crypto buffers on the stack + +From: David Howells + + +[ Upstream commit 8c2f826dc36314059ac146c78d3bf8056b626446 ] + +Don't put buffers of data to be handed to crypto on the stack as this may +cause an assertion failure in the kernel (see below). Fix this by using an +kmalloc'd buffer instead. + +kernel BUG at ./include/linux/scatterlist.h:147! +... +RIP: 0010:rxkad_encrypt_response.isra.6+0x191/0x1b0 [rxrpc] +RSP: 0018:ffffbe2fc06cfca8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: ffff989277d59900 RCX: 0000000000000028 +RDX: 0000259dc06cfd88 RSI: 0000000000000025 RDI: ffffbe30406cfd88 +RBP: ffffbe2fc06cfd60 R08: ffffbe2fc06cfd08 R09: ffffbe2fc06cfd08 +R10: 0000000000000000 R11: 0000000000000000 R12: 1ffff7c5f80d9f95 +R13: ffffbe2fc06cfd88 R14: ffff98927a3f7aa0 R15: ffffbe2fc06cfd08 +FS: 0000000000000000(0000) GS:ffff98927fc00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055b1ff28f0f8 CR3: 000000001b412003 CR4: 00000000003606f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + rxkad_respond_to_challenge+0x297/0x330 [rxrpc] + rxrpc_process_connection+0xd1/0x690 [rxrpc] + ? process_one_work+0x1c3/0x680 + ? __lock_is_held+0x59/0xa0 + process_one_work+0x249/0x680 + worker_thread+0x3a/0x390 + ? process_one_work+0x680/0x680 + kthread+0x121/0x140 + ? kthread_create_worker_on_cpu+0x70/0x70 + ret_from_fork+0x3a/0x50 + +Reported-by: Jonathan Billings +Reported-by: Marc Dionne +Signed-off-by: David Howells +Tested-by: Jonathan Billings +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/conn_event.c | 1 + net/rxrpc/rxkad.c | 92 +++++++++++++++++++++++++++---------------------- + 2 files changed, 52 insertions(+), 41 deletions(-) + +--- a/net/rxrpc/conn_event.c ++++ b/net/rxrpc/conn_event.c +@@ -404,6 +404,7 @@ void rxrpc_process_connection(struct wor + case -EKEYEXPIRED: + case -EKEYREJECTED: + goto protocol_error; ++ case -ENOMEM: + case -EAGAIN: + goto requeue_and_leave; + case -ECONNABORTED: +--- a/net/rxrpc/rxkad.c ++++ b/net/rxrpc/rxkad.c +@@ -773,8 +773,7 @@ static int rxkad_respond_to_challenge(st + { + const struct rxrpc_key_token *token; + struct rxkad_challenge challenge; +- struct rxkad_response resp +- __attribute__((aligned(8))); /* must be aligned for crypto */ ++ struct rxkad_response *resp; + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + const char *eproto; + u32 version, nonce, min_level, abort_code; +@@ -818,26 +817,29 @@ static int rxkad_respond_to_challenge(st + token = conn->params.key->payload.data[0]; + + /* build the response packet */ +- memset(&resp, 0, sizeof(resp)); +- +- resp.version = htonl(RXKAD_VERSION); +- resp.encrypted.epoch = htonl(conn->proto.epoch); +- resp.encrypted.cid = htonl(conn->proto.cid); +- resp.encrypted.securityIndex = htonl(conn->security_ix); +- resp.encrypted.inc_nonce = htonl(nonce + 1); +- resp.encrypted.level = htonl(conn->params.security_level); +- resp.kvno = htonl(token->kad->kvno); +- resp.ticket_len = htonl(token->kad->ticket_len); +- +- resp.encrypted.call_id[0] = htonl(conn->channels[0].call_counter); +- resp.encrypted.call_id[1] = htonl(conn->channels[1].call_counter); +- resp.encrypted.call_id[2] = htonl(conn->channels[2].call_counter); +- resp.encrypted.call_id[3] = htonl(conn->channels[3].call_counter); ++ resp = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); ++ if (!resp) ++ return -ENOMEM; ++ ++ resp->version = htonl(RXKAD_VERSION); ++ resp->encrypted.epoch = htonl(conn->proto.epoch); ++ resp->encrypted.cid = htonl(conn->proto.cid); ++ resp->encrypted.securityIndex = htonl(conn->security_ix); ++ resp->encrypted.inc_nonce = htonl(nonce + 1); ++ resp->encrypted.level = htonl(conn->params.security_level); ++ resp->kvno = htonl(token->kad->kvno); ++ resp->ticket_len = htonl(token->kad->ticket_len); ++ resp->encrypted.call_id[0] = htonl(conn->channels[0].call_counter); ++ resp->encrypted.call_id[1] = htonl(conn->channels[1].call_counter); ++ resp->encrypted.call_id[2] = htonl(conn->channels[2].call_counter); ++ resp->encrypted.call_id[3] = htonl(conn->channels[3].call_counter); + + /* calculate the response checksum and then do the encryption */ +- rxkad_calc_response_checksum(&resp); +- rxkad_encrypt_response(conn, &resp, token->kad); +- return rxkad_send_response(conn, &sp->hdr, &resp, token->kad); ++ rxkad_calc_response_checksum(resp); ++ rxkad_encrypt_response(conn, resp, token->kad); ++ ret = rxkad_send_response(conn, &sp->hdr, resp, token->kad); ++ kfree(resp); ++ return ret; + + protocol_error: + trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); +@@ -1048,8 +1050,7 @@ static int rxkad_verify_response(struct + struct sk_buff *skb, + u32 *_abort_code) + { +- struct rxkad_response response +- __attribute__((aligned(8))); /* must be aligned for crypto */ ++ struct rxkad_response *response; + struct rxrpc_skb_priv *sp = rxrpc_skb(skb); + struct rxrpc_crypt session_key; + const char *eproto; +@@ -1061,17 +1062,22 @@ static int rxkad_verify_response(struct + + _enter("{%d,%x}", conn->debug_id, key_serial(conn->server_key)); + ++ ret = -ENOMEM; ++ response = kzalloc(sizeof(struct rxkad_response), GFP_NOFS); ++ if (!response) ++ goto temporary_error; ++ + eproto = tracepoint_string("rxkad_rsp_short"); + abort_code = RXKADPACKETSHORT; + if (skb_copy_bits(skb, sizeof(struct rxrpc_wire_header), +- &response, sizeof(response)) < 0) ++ response, sizeof(*response)) < 0) + goto protocol_error; +- if (!pskb_pull(skb, sizeof(response))) ++ if (!pskb_pull(skb, sizeof(*response))) + BUG(); + +- version = ntohl(response.version); +- ticket_len = ntohl(response.ticket_len); +- kvno = ntohl(response.kvno); ++ version = ntohl(response->version); ++ ticket_len = ntohl(response->ticket_len); ++ kvno = ntohl(response->kvno); + _proto("Rx RESPONSE %%%u { v=%u kv=%u tl=%u }", + sp->hdr.serial, version, kvno, ticket_len); + +@@ -1105,31 +1111,31 @@ static int rxkad_verify_response(struct + ret = rxkad_decrypt_ticket(conn, skb, ticket, ticket_len, &session_key, + &expiry, _abort_code); + if (ret < 0) +- goto temporary_error_free; ++ goto temporary_error_free_resp; + + /* use the session key from inside the ticket to decrypt the + * response */ +- rxkad_decrypt_response(conn, &response, &session_key); ++ rxkad_decrypt_response(conn, response, &session_key); + + eproto = tracepoint_string("rxkad_rsp_param"); + abort_code = RXKADSEALEDINCON; +- if (ntohl(response.encrypted.epoch) != conn->proto.epoch) ++ if (ntohl(response->encrypted.epoch) != conn->proto.epoch) + goto protocol_error_free; +- if (ntohl(response.encrypted.cid) != conn->proto.cid) ++ if (ntohl(response->encrypted.cid) != conn->proto.cid) + goto protocol_error_free; +- if (ntohl(response.encrypted.securityIndex) != conn->security_ix) ++ if (ntohl(response->encrypted.securityIndex) != conn->security_ix) + goto protocol_error_free; +- csum = response.encrypted.checksum; +- response.encrypted.checksum = 0; +- rxkad_calc_response_checksum(&response); ++ csum = response->encrypted.checksum; ++ response->encrypted.checksum = 0; ++ rxkad_calc_response_checksum(response); + eproto = tracepoint_string("rxkad_rsp_csum"); +- if (response.encrypted.checksum != csum) ++ if (response->encrypted.checksum != csum) + goto protocol_error_free; + + spin_lock(&conn->channel_lock); + for (i = 0; i < RXRPC_MAXCALLS; i++) { + struct rxrpc_call *call; +- u32 call_id = ntohl(response.encrypted.call_id[i]); ++ u32 call_id = ntohl(response->encrypted.call_id[i]); + + eproto = tracepoint_string("rxkad_rsp_callid"); + if (call_id > INT_MAX) +@@ -1153,12 +1159,12 @@ static int rxkad_verify_response(struct + + eproto = tracepoint_string("rxkad_rsp_seq"); + abort_code = RXKADOUTOFSEQUENCE; +- if (ntohl(response.encrypted.inc_nonce) != conn->security_nonce + 1) ++ if (ntohl(response->encrypted.inc_nonce) != conn->security_nonce + 1) + goto protocol_error_free; + + eproto = tracepoint_string("rxkad_rsp_level"); + abort_code = RXKADLEVELFAIL; +- level = ntohl(response.encrypted.level); ++ level = ntohl(response->encrypted.level); + if (level > RXRPC_SECURITY_ENCRYPT) + goto protocol_error_free; + conn->params.security_level = level; +@@ -1168,9 +1174,10 @@ static int rxkad_verify_response(struct + * as for a client connection */ + ret = rxrpc_get_server_data_key(conn, &session_key, expiry, kvno); + if (ret < 0) +- goto temporary_error_free; ++ goto temporary_error_free_ticket; + + kfree(ticket); ++ kfree(response); + _leave(" = 0"); + return 0; + +@@ -1179,12 +1186,15 @@ protocol_error_unlock: + protocol_error_free: + kfree(ticket); + protocol_error: ++ kfree(response); + trace_rxrpc_rx_eproto(NULL, sp->hdr.serial, eproto); + *_abort_code = abort_code; + return -EPROTO; + +-temporary_error_free: ++temporary_error_free_ticket: + kfree(ticket); ++temporary_error_free_resp: ++ kfree(response); + temporary_error: + /* Ignore the response packet if we got a temporary error such as + * ENOMEM. We just want to send the challenge again. Note that we diff --git a/queue-4.14/s390-eadm-fix-config_block-include-dependency.patch b/queue-4.14/s390-eadm-fix-config_block-include-dependency.patch new file mode 100644 index 00000000000..2afe2696ef5 --- /dev/null +++ b/queue-4.14/s390-eadm-fix-config_block-include-dependency.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Sebastian Ott +Date: Tue, 23 Jan 2018 13:58:05 +0100 +Subject: s390/eadm: fix CONFIG_BLOCK include dependency + +From: Sebastian Ott + + +[ Upstream commit 366b77ae43c5a3bf1a367f15ec8bc16e05035f14 ] + +Commit 2a842acab109 ("block: introduce new block status code type") +added blk_status_t usage to the eadm subchannel driver. However +blk_status_t is unknown when included via for CONFIG_BLOCK=n. + +Only include since this is the only dependency eadm has. + +This fixes build failures like below: +In file included from drivers/s390/cio/eadm_sch.c:24:0: +./arch/s390/include/asm/eadm.h:111:4: error: unknown type name 'blk_status_t'; did you mean 'si_status'? + blk_status_t error); + +Reported-by: Heiko Carstens +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/eadm.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/eadm.h ++++ b/arch/s390/include/asm/eadm.h +@@ -4,7 +4,7 @@ + + #include + #include +-#include ++#include + + struct arqb { + u64 data; diff --git a/queue-4.14/samples-bpf-partially-fixes-the-bpf.o-build.patch b/queue-4.14/samples-bpf-partially-fixes-the-bpf.o-build.patch new file mode 100644 index 00000000000..9caf4caf91d --- /dev/null +++ b/queue-4.14/samples-bpf-partially-fixes-the-bpf.o-build.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Mickaël Salaün" +Date: Fri, 26 Jan 2018 01:39:30 +0100 +Subject: samples/bpf: Partially fixes the bpf.o build + +From: "Mickaël Salaün" + + +[ Upstream commit c25ef6a5e62fa212d298ce24995ce239f29b5f96 ] + +Do not build lib/bpf/bpf.o with this Makefile but use the one from the +library directory. This avoid making a buggy bpf.o file (e.g. missing +symbols). + +This patch is useful if some code (e.g. Landlock tests) needs both the +bpf.o (from tools/lib/bpf) and the bpf_load.o (from samples/bpf). + +Signed-off-by: Mickaël Salaün +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + samples/bpf/Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/samples/bpf/Makefile ++++ b/samples/bpf/Makefile +@@ -179,13 +179,16 @@ LLC ?= llc + CLANG ?= clang + + # Trick to allow make to be run from this directory +-all: ++all: $(LIBBPF) + $(MAKE) -C ../../ $(CURDIR)/ + + clean: + $(MAKE) -C ../../ M=$(CURDIR) clean + @rm -f *~ + ++$(LIBBPF): FORCE ++ $(MAKE) -C $(dir $@) $(notdir $@) ++ + $(obj)/syscall_nrs.s: $(src)/syscall_nrs.c + $(call if_changed_dep,cc_s_c) + diff --git a/queue-4.14/scsi-devinfo-fix-format-of-the-device-list.patch b/queue-4.14/scsi-devinfo-fix-format-of-the-device-list.patch new file mode 100644 index 00000000000..550f90191af --- /dev/null +++ b/queue-4.14/scsi-devinfo-fix-format-of-the-device-list.patch @@ -0,0 +1,55 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Xose Vazquez Perez +Date: Mon, 15 Jan 2018 17:47:23 +0100 +Subject: scsi: devinfo: fix format of the device list + +From: Xose Vazquez Perez + + +[ Upstream commit 3f884a0a8bdf28cfd1e9987d54d83350096cdd46 ] + +Replace "" with NULL for product revision level, and merge TEXEL +duplicate entries. + +Cc: Hannes Reinecke +Cc: Martin K. Petersen +Cc: James E.J. Bottomley +Cc: SCSI ML +Signed-off-by: Xose Vazquez Perez +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_devinfo.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -109,8 +109,8 @@ static struct { + * seagate controller, which causes SCSI code to reset bus. + */ + {"HP", "C1750A", "3226", BLIST_NOLUN}, /* scanjet iic */ +- {"HP", "C1790A", "", BLIST_NOLUN}, /* scanjet iip */ +- {"HP", "C2500A", "", BLIST_NOLUN}, /* scanjet iicx */ ++ {"HP", "C1790A", NULL, BLIST_NOLUN}, /* scanjet iip */ ++ {"HP", "C2500A", NULL, BLIST_NOLUN}, /* scanjet iicx */ + {"MEDIAVIS", "CDR-H93MV", "1.31", BLIST_NOLUN}, /* locks up */ + {"MICROTEK", "ScanMaker II", "5.61", BLIST_NOLUN}, /* responds to all lun */ + {"MITSUMI", "CD-R CR-2201CS", "6119", BLIST_NOLUN}, /* locks up */ +@@ -120,7 +120,7 @@ static struct { + {"QUANTUM", "FIREBALL ST4.3S", "0F0C", BLIST_NOLUN}, /* locks up */ + {"RELISYS", "Scorpio", NULL, BLIST_NOLUN}, /* responds to all lun */ + {"SANKYO", "CP525", "6.64", BLIST_NOLUN}, /* causes failed REQ SENSE, extra reset */ +- {"TEXEL", "CD-ROM", "1.06", BLIST_NOLUN}, ++ {"TEXEL", "CD-ROM", "1.06", BLIST_NOLUN | BLIST_BORKEN}, + {"transtec", "T5008", "0001", BLIST_NOREPORTLUN }, + {"YAMAHA", "CDR100", "1.00", BLIST_NOLUN}, /* locks up */ + {"YAMAHA", "CDR102", "1.00", BLIST_NOLUN}, /* locks up */ +@@ -255,7 +255,6 @@ static struct { + {"ST650211", "CF", NULL, BLIST_RETRY_HWERROR}, + {"SUN", "T300", "*", BLIST_SPARSELUN}, + {"SUN", "T4", "*", BLIST_SPARSELUN}, +- {"TEXEL", "CD-ROM", "1.06", BLIST_BORKEN}, + {"Tornado-", "F4", "*", BLIST_NOREPORTLUN}, + {"TOSHIBA", "CDROM", NULL, BLIST_ISROM}, + {"TOSHIBA", "CD-ROM", NULL, BLIST_ISROM}, diff --git a/queue-4.14/scsi-fas216-fix-sense-buffer-initialization.patch b/queue-4.14/scsi-fas216-fix-sense-buffer-initialization.patch new file mode 100644 index 00000000000..4dc79e6d502 --- /dev/null +++ b/queue-4.14/scsi-fas216-fix-sense-buffer-initialization.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnd Bergmann +Date: Thu, 18 Jan 2018 14:16:38 +0100 +Subject: scsi: fas216: fix sense buffer initialization + +From: Arnd Bergmann + + +[ Upstream commit 96d5eaa9bb74d299508d811d865c2c41b38b0301 ] + +While testing with the ARM specific memset() macro removed, I ran into a +compiler warning that shows an old bug: + +drivers/scsi/arm/fas216.c: In function 'fas216_rq_sns_done': +drivers/scsi/arm/fas216.c:2014:40: error: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Werror=sizeof-pointer-memaccess] + +It turns out that the definition of the scsi_cmd structure changed back +in linux-2.6.25, so now we clear only four bytes (sizeof(pointer)) +instead of 96 (SCSI_SENSE_BUFFERSIZE). I did not check whether we +actually need to initialize the buffer here, but it's clear that if we +do it, we should use the correct size. + +Fixes: de25deb18016 ("[SCSI] use dynamically allocated sense buffer") +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/arm/fas216.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/arm/fas216.c ++++ b/drivers/scsi/arm/fas216.c +@@ -2011,7 +2011,7 @@ static void fas216_rq_sns_done(FAS216_In + * have valid data in the sense buffer that could + * confuse the higher levels. + */ +- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer)); ++ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); + //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id); + //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); } + /* diff --git a/queue-4.14/scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch b/queue-4.14/scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch new file mode 100644 index 00000000000..db6b3e2ae7d --- /dev/null +++ b/queue-4.14/scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch @@ -0,0 +1,45 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "himanshu.madhani@cavium.com" +Date: Mon, 15 Jan 2018 20:46:48 -0800 +Subject: scsi: qla2xxx: Fix warning in qla2x00_async_iocb_timeout() + +From: "himanshu.madhani@cavium.com" + + +[ Upstream commit 7ac0c332f96bb9688560726f5e80c097ed8de59a ] + +This patch fixes following Smatch warning: + +drivers/scsi/qla2xxx/qla_init.c:130 qla2x00_async_iocb_timeout() error: we previously assumed 'fcport' could be null (see line 107) + +Fixes: 5c25d451163c ("scsi: qla2xxx: Fix NULL pointer access for fcport structure") +Reported by: Dan Carpenter +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/qla2xxx/qla_init.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -115,6 +115,8 @@ qla2x00_async_iocb_timeout(void *data) + + switch (sp->type) { + case SRB_LOGIN_CMD: ++ if (!fcport) ++ break; + /* Retry as needed. */ + lio->u.logio.data[0] = MBS_COMMAND_ERROR; + lio->u.logio.data[1] = lio->u.logio.flags & SRB_LOGIN_RETRIED ? +@@ -128,6 +130,8 @@ qla2x00_async_iocb_timeout(void *data) + qla24xx_handle_plogi_done_event(fcport->vha, &ea); + break; + case SRB_LOGOUT_CMD: ++ if (!fcport) ++ break; + qlt_logo_completion_handler(fcport, QLA_FUNCTION_TIMEOUT); + break; + case SRB_CT_PTHRU_CMD: diff --git a/queue-4.14/selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch b/queue-4.14/selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch new file mode 100644 index 00000000000..dc923e51141 --- /dev/null +++ b/queue-4.14/selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch @@ -0,0 +1,41 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Masami Hiramatsu +Date: Sun, 14 Jan 2018 22:50:07 +0900 +Subject: selftest: ftrace: Fix to pick text symbols for kprobes + +From: Masami Hiramatsu + + +[ Upstream commit 5e46664703b364434a2cbda3e6988fc24ae0ced5 ] + +Fix to pick text symbols for multiple kprobe testcase. +kallsyms shows text symbols with " t " or " T " but +current testcase picks all symbols including "t", +so it picks data symbols if it includes 't' (e.g. "str"). + +This fixes it to find symbol lines with " t " or " T " +(including spaces). + +Signed-off-by: Masami Hiramatsu +Reported-by: Russell King +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/multiple_kprobes.tc +@@ -12,8 +12,8 @@ case `uname -m` in + *) OFFS=0;; + esac + +-echo "Setup up to 256 kprobes" +-grep t /proc/kallsyms | cut -f3 -d" " | grep -v .*\\..* | \ ++echo "Setup up kprobes on first 256 text symbols" ++grep -i " t " /proc/kallsyms | cut -f3 -d" " | grep -v .*\\..* | \ + head -n 256 | while read i; do echo p ${i}+${OFFS} ; done > kprobe_events ||: + + echo 1 > events/kprobes/enable diff --git a/queue-4.14/selftests-ftrace-add-some-missing-glob-checks.patch b/queue-4.14/selftests-ftrace-add-some-missing-glob-checks.patch new file mode 100644 index 00000000000..363a2633560 --- /dev/null +++ b/queue-4.14/selftests-ftrace-add-some-missing-glob-checks.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Tue, 6 Feb 2018 17:19:03 -0500 +Subject: selftests/ftrace: Add some missing glob checks + +From: "Steven Rostedt (VMware)" + + +[ Upstream commit 97fe22adf33f06519bfdf7dad33bcd562e366c8f ] + +Al Viro discovered a bug in the glob ftrace filtering code where "*a*b" is +treated the same as "a*b", and functions that would be selected by "*a*b" +but not "a*b" are not selected with "*a*b". + +Add tests for patterns "*a*b" and "a*b*" to the glob selftest. + +Link: http://lkml.kernel.org/r/20180127170748.GF13338@ZenIV.linux.org.uk + +Cc: Shuah Khan +Acked-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc ++++ b/tools/testing/selftests/ftrace/test.d/ftrace/func-filter-glob.tc +@@ -29,6 +29,12 @@ ftrace_filter_check '*schedule*' '^.*sch + # filter by *, end match + ftrace_filter_check 'schedule*' '^schedule.*$' + ++# filter by *mid*end ++ftrace_filter_check '*aw*lock' '.*aw.*lock$' ++ ++# filter by start*mid* ++ftrace_filter_check 'mutex*try*' '^mutex.*try.*' ++ + # Advanced full-glob matching feature is recently supported. + # Skip the tests if we are sure the kernel does not support it. + if grep -q 'accepts: .* glob-matching-pattern' README ; then diff --git a/queue-4.14/series b/queue-4.14/series index ca8bced4c0a..6806f0a2522 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -13,3 +13,170 @@ usb-musb-fix-enumeration-after-resume.patch usb-musb-call-pm_runtime_-get-put-_sync-before-reading-vbus-registers.patch usb-musb-fix-external-abort-in-musb_remove-on-omap2430.patch powerpc-eeh-fix-race-with-driver-un-bind.patch +firewire-ohci-work-around-oversized-dma-reads-on-jmicron-controllers.patch +x86-tsc-allow-tsc-calibration-without-pit.patch +nfsv4-always-set-nfs_lock_lost-when-a-lock-is-lost.patch +acpi-lpss-do-not-instiate-platform_dev-for-devs-without-mmio-resources.patch +alsa-hda-use-is_reachable-for-dependency-on-input.patch +asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch +kvm-x86-fix-kvm_xen_hvm_config-ioctl.patch +rdma-core-clarify-rdma_ah_find_type.patch +kvm-ppc-book3s-hv-enable-migration-of-decrementer-register.patch +netfilter-ipv6-nf_defrag-pass-on-packets-to-stack-per-rfc2460.patch +tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch +kvm-s390-use-created_vcpus-in-more-places.patch +platform-x86-dell-laptop-filter-out-spurious-keyboard-backlight-change-events.patch +xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch +selftest-ftrace-fix-to-pick-text-symbols-for-kprobes.patch +pci-add-function-1-dma-alias-quirk-for-marvell-9128.patch +input-psmouse-fix-synaptics-detection-when-protocol-is-disabled.patch +libbpf-makefile-set-specified-permission-mode.patch +input-synaptics-reset-the-abs_x-y-fuzz-after-initializing-mt-axes.patch +i40iw-free-ieq-resources.patch +i40iw-zero-out-consumer-key-on-allocate-stag-for-fmr.patch +scsi-qla2xxx-fix-warning-in-qla2x00_async_iocb_timeout.patch +perf-unwind-do-not-look-just-at-the-global-callchain_param.record_mode.patch +tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch +perf-callchain-fix-attr.sample_max_stack-setting.patch +tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch +perf-record-fix-failed-memory-allocation-for-get_cpuid_str.patch +iommu-exynos-don-t-unconditionally-steal-bus-ops.patch +powerpc-system-reset-avoid-interleaving-oops-using-die-synchronisation.patch +iommu-vt-d-use-domain-instead-of-cache-fetching.patch +dm-thin-fix-documentation-relative-to-low-water-mark-threshold.patch +dm-mpath-return-dm_mapio_requeue-on-blk-mq-rq-allocation-failure.patch +blk-mq-turn-warn_on-in-__blk_mq_run_hw_queue-into-printk.patch +ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch +net-stmmac-dwmac-meson8b-fix-setting-the-rgmii-tx-clock-on-meson8b.patch +net-stmmac-dwmac-meson8b-propagate-rate-changes-to-the-parent-clock.patch +spi-a3700-clear-data_out-when-performing-a-read.patch +ib-cq-don-t-force-ib_poll_direct-poll-context-for-ib_process_cq_direct.patch +nfs-do-not-convert-nfs_idmap_cache_timeout-to-jiffies.patch +mips-fix-clean-of-vmlinuz.-32-ecoff-bin-srec.patch +pci-add-dummy-pci_irqd_intx_xlate-for-config_pci-n-build.patch +watchdog-sp5100_tco-fix-watchdog-disable-bit.patch +kconfig-don-t-leak-main-menus-during-parsing.patch +kconfig-fix-automatic-menu-creation-mem-leak.patch +kconfig-fix-expr_free-e_not-leak.patch +mac80211_hwsim-fix-possible-memory-leak-in-hwsim_new_radio_nl.patch +ipmi-powernv-fix-error-return-code-in-ipmi_powernv_probe.patch +btrfs-set-plug-for-fsync.patch +btrfs-fix-out-of-bounds-access-in-btrfs_search_slot.patch +btrfs-fix-scrub-to-repair-raid6-corruption.patch +btrfs-fail-mount-when-sb-flag-is-not-in-btrfs_super_flag_supp.patch +btrfs-fix-unexpected-eexist-from-btrfs_get_extent.patch +btrfs-raid56-fix-race-between-merge_bio-and-rbio_orig_end_io.patch +rdma-cma-check-existence-of-netdevice-during-port-validation.patch +f2fs-avoid-hungtask-when-gc-encrypted-block-if-io_bits-is-set.patch +scsi-devinfo-fix-format-of-the-device-list.patch +scsi-fas216-fix-sense-buffer-initialization.patch +input-stmfts-set-irq_noautoen-to-the-irq-flag.patch +hid-roccat-prevent-an-out-of-bounds-read-in-kovaplus_profile_activated.patch +nfp-fix-error-return-code-in-nfp_pci_probe.patch +block-set-bio_trace_completion-on-new-bio-during-split.patch +bpf-test_maps-cleanup-sockmaps-when-test-ends.patch +i40evf-don-t-schedule-reset_task-when-device-is-being-removed.patch +i40evf-ignore-link-up-if-not-running.patch +platform-x86-thinkpad_acpi-suppress-warning-about-palm-detection.patch +kvm-s390-vsie-use-read_once-to-access-some-scb-fields.patch +blk-mq-debugfs-don-t-allow-write-on-attributes-with-seq_operations-set.patch +asoc-rockchip-use-dummy_dai-for-rt5514-dsp-dailink.patch +igb-allow-to-remove-administratively-set-mac-on-vfs.patch +igb-clear-txstmp-when-ptp_tx_work-is-timeout.patch +fm10k-fix-failed-to-kill-vid-message-for-vf.patch +x86-hyperv-stop-suppressing-x86_feature_pcid.patch +tty-serial-exar-relocate-sleep-wake-up-handling.patch +device-property-define-type-of-property_enrty_-macros.patch +crypto-artpec6-remove-select-on-non-existing-crypto_sha384.patch +rdma-uverbs-use-an-unambiguous-errno-for-method-not-supported.patch +jffs2-fix-use-after-free-bug-in-jffs2_iget-s-error-handling-path.patch +ixgbe-don-t-set-rxdctl.rlpml-for-82599.patch +i40e-program-fragmented-ipv4-filter-input-set.patch +i40e-fix-reported-mask-for-ntuple-filters.patch +samples-bpf-partially-fixes-the-bpf.o-build.patch +powerpc-numa-use-ibm-max-associativity-domains-to-discover-possible-nodes.patch +powerpc-numa-ensure-nodes-initialized-for-hotplug.patch +rdma-mlx5-avoid-memory-leak-in-case-of-xrcd-dealloc-failure.patch +ntb_transport-fix-bug-with-max_mw_size-parameter.patch +gianfar-prevent-integer-wrapping-in-the-rx-handler.patch +x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch +netfilter-x_tables-fix-pointer-leaks-to-userspace.patch +tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch +kvm-map-pfn-type-memory-regions-as-writable-if-possible.patch +x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch +fs-dax.c-release-pmd-lock-even-when-there-is-no-pmd-support-in-dax.patch +ocfs2-return-erofs-to-mount.ocfs2-if-inode-block-is-invalid.patch +ocfs2-acl-use-ip_xattr_sem-to-protect-getting-extended-attribute.patch +ocfs2-return-error-when-we-attempt-to-access-a-dirty-bh-in-jbd2.patch +mm-mempolicy-fix-the-check-of-nodemask-from-user.patch +mm-mempolicy-add-nodes_empty-check-in-sysc_migrate_pages.patch +asm-generic-provide-generic_pmdp_establish.patch +sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch +mm-thp-use-down_read_trylock-in-khugepaged-to-avoid-long-block.patch +mm-pin-address_space-before-dereferencing-it-while-isolating-an-lru-page.patch +mm-fadvise-discard-partial-page-if-endbyte-is-also-eof.patch +openvswitch-remove-padding-from-packet-before-l3-conntrack-processing.patch +blk-mq-fix-discard-merge-with-scheduler-attached.patch +ib-hfi1-re-order-irq-cleanup-to-address-driver-cleanup-race.patch +ib-hfi1-fix-for-potential-refcount-leak-in-hfi1_open_file.patch +ib-ipoib-fix-for-potential-no-carrier-state.patch +ib-core-map-iwarp-ah-type-to-undefined-in-rdma_ah_find_type.patch +drm-nouveau-pmu-fuc-don-t-use-movw-directly-anymore.patch +s390-eadm-fix-config_block-include-dependency.patch +netfilter-ipv6-nf_defrag-kill-frag-queue-on-rfc2460-failure.patch +x86-power-fix-swsusp_arch_resume-prototype.patch +x86-dumpstack-avoid-uninitlized-variable.patch +firmware-dmi_scan-fix-handling-of-empty-dmi-strings.patch +acpi-processor_perflib-do-not-send-_ppc-change-notification-if-not-ready.patch +acpi-bus-do-not-call-_sta-on-battery-devices-with-unmet-dependencies.patch +acpi-scan-use-acpi_bus_get_status-to-initialize-acpi_type_device-devs.patch +bpf-fix-selftests-bpf-test_kmod.sh-failure-when-config_bpf_jit_always_on-y.patch +mips-generic-fix-machine-compatible-matching.patch +mips-txx9-use-is_builtin-for-config_leds_class.patch +perf-record-fix-period-option-handling.patch +mips-generic-support-gic-in-eic-mode.patch +perf-evsel-fix-period-freq-terms-setup.patch +xen-netfront-fix-race-between-device-setup-and-open.patch +xen-grant-table-use-put_page-instead-of-free_page.patch +bpf-sockmap-fix-leaking-maps-with-attached-but-not-detached-progs.patch +rds-ib-fix-null-pointer-issue.patch +arm64-spinlock-fix-theoretical-trylock-a-b-a-with-lse-atomics.patch +proc-fix-proc-map_files-lookup.patch +pm-domains-fix-up-domain-idle-states-of-parsing.patch +cifs-silence-compiler-warnings-showing-up-with-gcc-8.0.0.patch +bcache-properly-set-task-state-in-bch_writeback_thread.patch +bcache-fix-for-allocator-and-register-thread-race.patch +bcache-fix-for-data-collapse-after-re-attaching-an-attached-device.patch +bcache-return-attach-error-when-no-cache-set-exist.patch +cpufreq-intel_pstate-enable-hwp-during-system-resume-on-cpu0.patch +selftests-ftrace-add-some-missing-glob-checks.patch +rxrpc-don-t-put-crypto-buffers-on-the-stack.patch +svcrdma-fix-read-chunk-round-up.patch +net-extra-_get-in-declaration-of-arch_get_platform_mac_address.patch +tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch +kvm-ppc-book3s-hv-fix-handling-of-secondary-hpteg-in-hpt-resizing-code.patch +sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch +net-stmmac-discard-disabled-flags-in-interrupt-status-register.patch +bpf-fix-rlimit-in-reuseport-net-selftest.patch +acpi-ec-restore-polling-during-noirq-suspend-resume-phases.patch +pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch +vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch +powerpc-mm-hash64-zero-pgd-pages-on-allocation.patch +x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch +locking-qspinlock-ensure-node-count-is-updated-before-initialising-node.patch +powerpc-powernv-imc-fix-out-of-bounds-memory-access-at-shutdown.patch +perf-test-fix-test-trace-probe_libc_inet_pton.sh-for-s390x.patch +irqchip-gic-v3-ignore-disabled-its-nodes.patch +cpumask-make-for_each_cpu_wrap-available-on-up-as-well.patch +irqchip-gic-v3-change-pr_debug-message-to-pr_devel.patch +rdma-core-reduce-poll-batch-for-direct-cq-polling.patch +alarmtimer-init-nanosleep-alarm-timer-on-stack.patch +netfilter-x_tables-cap-allocations-at-512-mbyte.patch +netfilter-x_tables-add-counters-allocation-wrapper.patch +netfilter-compat-prepare-xt_compat_init_offsets-to-return-errors.patch +netfilter-compat-reject-huge-allocation-requests.patch +netfilter-x_tables-limit-allocation-requests-for-blob-rule-heads.patch +perf-fix-sample_max_stack-maximum-check.patch +perf-return-proper-values-for-user-stack-errors.patch +rdma-mlx5-fix-null-dereference-while-accessing-xrc_tgt-qps.patch +revert-kvm-x86-fix-smram-accessing-even-if-vm-is-shutdown.patch diff --git a/queue-4.14/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch b/queue-4.14/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch new file mode 100644 index 00000000000..b3d68e73138 --- /dev/null +++ b/queue-4.14/sparc64-update-pmdp_invalidate-to-return-old-pmd-value.patch @@ -0,0 +1,85 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Nitin Gupta +Date: Wed, 31 Jan 2018 16:18:09 -0800 +Subject: sparc64: update pmdp_invalidate() to return old pmd value + +From: Nitin Gupta + + +[ Upstream commit a8e654f01cb725d0bfd741ebca1bf4c9337969cc ] + +It's required to avoid losing dirty and accessed bits. + +[akpm@linux-foundation.org: add a `do' to the do-while loop] +Link: http://lkml.kernel.org/r/20171213105756.69879-9-kirill.shutemov@linux.intel.com +Signed-off-by: Nitin Gupta +Signed-off-by: Kirill A. Shutemov +Cc: David Miller +Cc: Vlastimil Babka +Cc: Andrea Arcangeli +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/pgtable_64.h | 2 +- + arch/sparc/mm/tlb.c | 23 ++++++++++++++++++----- + 2 files changed, 19 insertions(+), 6 deletions(-) + +--- a/arch/sparc/include/asm/pgtable_64.h ++++ b/arch/sparc/include/asm/pgtable_64.h +@@ -980,7 +980,7 @@ void update_mmu_cache_pmd(struct vm_area + pmd_t *pmd); + + #define __HAVE_ARCH_PMDP_INVALIDATE +-extern void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, ++extern pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp); + + #define __HAVE_ARCH_PGTABLE_DEPOSIT +--- a/arch/sparc/mm/tlb.c ++++ b/arch/sparc/mm/tlb.c +@@ -219,17 +219,28 @@ void set_pmd_at(struct mm_struct *mm, un + } + } + ++static inline pmd_t pmdp_establish(struct vm_area_struct *vma, ++ unsigned long address, pmd_t *pmdp, pmd_t pmd) ++{ ++ pmd_t old; ++ ++ do { ++ old = *pmdp; ++ } while (cmpxchg64(&pmdp->pmd, old.pmd, pmd.pmd) != old.pmd); ++ ++ return old; ++} ++ + /* + * This routine is only called when splitting a THP + */ +-void pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, ++pmd_t pmdp_invalidate(struct vm_area_struct *vma, unsigned long address, + pmd_t *pmdp) + { +- pmd_t entry = *pmdp; +- +- pmd_val(entry) &= ~_PAGE_VALID; ++ pmd_t old, entry; + +- set_pmd_at(vma->vm_mm, address, pmdp, entry); ++ entry = __pmd(pmd_val(*pmdp) & ~_PAGE_VALID); ++ old = pmdp_establish(vma, address, pmdp, entry); + flush_tlb_range(vma, address, address + HPAGE_PMD_SIZE); + + /* +@@ -240,6 +251,8 @@ void pmdp_invalidate(struct vm_area_stru + if ((pmd_val(entry) & _PAGE_PMD_HUGE) && + !is_huge_zero_page(pmd_page(entry))) + (vma->vm_mm)->context.thp_pte_count--; ++ ++ return old; + } + + void pgtable_trans_huge_deposit(struct mm_struct *mm, pmd_t *pmdp, diff --git a/queue-4.14/spi-a3700-clear-data_out-when-performing-a-read.patch b/queue-4.14/spi-a3700-clear-data_out-when-performing-a-read.patch new file mode 100644 index 00000000000..919d3e4b77e --- /dev/null +++ b/queue-4.14/spi-a3700-clear-data_out-when-performing-a-read.patch @@ -0,0 +1,40 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Maxime Chevallier +Date: Wed, 17 Jan 2018 17:15:25 +0100 +Subject: spi: a3700: Clear DATA_OUT when performing a read + +From: Maxime Chevallier + + +[ Upstream commit 44a5f423e70374e5b42cecd85e78f2d79334e0f2 ] + +When performing a read using FIFO mode, the spi controller shifts out +the last 2 bytes that were written in a previous transfer on MOSI. + +This undocumented behaviour can cause devices to misinterpret the +transfer, so we explicitly clear the WFIFO before each read. + +This behaviour was noticed on EspressoBin. + +Signed-off-by: Maxime Chevallier +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-armada-3700.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/spi/spi-armada-3700.c ++++ b/drivers/spi/spi-armada-3700.c +@@ -624,6 +624,11 @@ static int a3700_spi_transfer_one(struct + a3700_spi_header_set(a3700_spi); + + if (xfer->rx_buf) { ++ /* Clear WFIFO, since it's last 2 bytes are shifted out during ++ * a read operation ++ */ ++ spireg_write(a3700_spi, A3700_SPI_DATA_OUT_REG, 0); ++ + /* Set read data length */ + spireg_write(a3700_spi, A3700_SPI_IF_DIN_CNT_REG, + a3700_spi->buf_len); diff --git a/queue-4.14/sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch b/queue-4.14/sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch new file mode 100644 index 00000000000..d6801d64668 --- /dev/null +++ b/queue-4.14/sunrpc-don-t-call-__udpx_inc_stats-from-a-preemptible-context.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Trond Myklebust +Date: Fri, 9 Feb 2018 09:39:42 -0500 +Subject: SUNRPC: Don't call __UDPX_INC_STATS() from a preemptible context + +From: Trond Myklebust + + +[ Upstream commit 0afa6b4412988019db14c6bfb8c6cbdf120ca9ad ] + +Calling __UDPX_INC_STATS() from a preemptible context leads to a +warning of the form: + + BUG: using __this_cpu_add() in preemptible [00000000] code: kworker/u5:0/31 + caller is xs_udp_data_receive_workfn+0x194/0x270 + CPU: 1 PID: 31 Comm: kworker/u5:0 Not tainted 4.15.0-rc8-00076-g90ea9f1 #2 + Workqueue: xprtiod xs_udp_data_receive_workfn + Call Trace: + dump_stack+0x85/0xc1 + check_preemption_disabled+0xce/0xe0 + xs_udp_data_receive_workfn+0x194/0x270 + process_one_work+0x318/0x620 + worker_thread+0x20a/0x390 + ? process_one_work+0x620/0x620 + kthread+0x120/0x130 + ? __kthread_bind_mask+0x60/0x60 + ret_from_fork+0x24/0x30 + +Since we're taking a spinlock in those functions anyway, let's fix the +issue by moving the call so that it occurs under the spinlock. + +Reported-by: kernel test robot +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtsock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -1069,18 +1069,18 @@ static void xs_udp_data_read_skb(struct + + /* Suck it into the iovec, verify checksum if not done by hw. */ + if (csum_partial_copy_to_xdr(&rovr->rq_private_buf, skb)) { +- __UDPX_INC_STATS(sk, UDP_MIB_INERRORS); + spin_lock(&xprt->recv_lock); ++ __UDPX_INC_STATS(sk, UDP_MIB_INERRORS); + goto out_unpin; + } + +- __UDPX_INC_STATS(sk, UDP_MIB_INDATAGRAMS); + + spin_lock_bh(&xprt->transport_lock); + xprt_adjust_cwnd(xprt, task, copied); + spin_unlock_bh(&xprt->transport_lock); + spin_lock(&xprt->recv_lock); + xprt_complete_rqst(task, copied); ++ __UDPX_INC_STATS(sk, UDP_MIB_INDATAGRAMS); + out_unpin: + xprt_unpin_rqst(rovr); + out_unlock: diff --git a/queue-4.14/svcrdma-fix-read-chunk-round-up.patch b/queue-4.14/svcrdma-fix-read-chunk-round-up.patch new file mode 100644 index 00000000000..335066ab4b1 --- /dev/null +++ b/queue-4.14/svcrdma-fix-read-chunk-round-up.patch @@ -0,0 +1,88 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Chuck Lever +Date: Fri, 2 Feb 2018 14:28:59 -0500 +Subject: svcrdma: Fix Read chunk round-up + +From: Chuck Lever + + +[ Upstream commit 175e03101d36c3034f3c80038d4c28838351a7f2 ] + +A single NFSv4 WRITE compound can often have three operations: +PUTFH, WRITE, then GETATTR. + +When the WRITE payload is sent in a Read chunk, the client places +the GETATTR in the inline part of the RPC/RDMA message, just after +the WRITE operation (sans payload). The position value in the Read +chunk enables the receiver to insert the Read chunk at the correct +place in the received XDR stream; that is between the WRITE and +GETATTR. + +According to RFC 8166, an NFS/RDMA client does not have to add XDR +round-up to the Read chunk that carries the WRITE payload. The +receiver adds XDR round-up padding if it is absent and the +receiver's XDR decoder requires it to be present. + +Commit 193bcb7b3719 ("svcrdma: Populate tail iovec when receiving") +attempted to add support for receiving such a compound so that just +the WRITE payload appears in rq_arg's page list, and the trailing +GETATTR is placed in rq_arg's tail iovec. (TCP just strings the +whole compound into the head iovec and page list, without regard +to the alignment of the WRITE payload). + +The server transport logic also had to accommodate the optional XDR +round-up of the Read chunk, which it did simply by lengthening the +tail iovec when round-up was needed. This approach is adequate for +the NFSv2 and NFSv3 WRITE decoders. + +Unfortunately it is not sufficient for nfsd4_decode_write. When the +Read chunk length is a couple of bytes less than PAGE_SIZE, the +computation at the end of nfsd4_decode_write allows argp->pagelen to +go negative, which breaks the logic in read_buf that looks for the +tail iovec. + +The result is that a WRITE operation whose payload length is just +less than a multiple of a page succeeds, but the subsequent GETATTR +in the same compound fails with NFS4ERR_OP_ILLEGAL because the XDR +decoder can't find it. Clients ignore the error, but they must +update their attribute cache via a separate round trip. + +As nfsd4_decode_write appears to expect the payload itself to always +have appropriate XDR round-up, have svc_rdma_build_normal_read_chunk +add the Read chunk XDR round-up to the page_len rather than +lengthening the tail iovec. + +Reported-by: Olga Kornievskaia +Fixes: 193bcb7b3719 ("svcrdma: Populate tail iovec when receiving") +Signed-off-by: Chuck Lever +Tested-by: Olga Kornievskaia +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/svc_rdma_rw.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_rw.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_rw.c +@@ -727,12 +727,16 @@ static int svc_rdma_build_normal_read_ch + head->arg.head[0].iov_len - info->ri_position; + head->arg.head[0].iov_len = info->ri_position; + +- /* Read chunk may need XDR roundup (see RFC 5666, s. 3.7). ++ /* Read chunk may need XDR roundup (see RFC 8166, s. 3.4.5.2). + * +- * NFSv2/3 write decoders need the length of the tail to +- * contain the size of the roundup padding. ++ * If the client already rounded up the chunk length, the ++ * length does not change. Otherwise, the length of the page ++ * list is increased to include XDR round-up. ++ * ++ * Currently these chunks always start at page offset 0, ++ * thus the rounded-up length never crosses a page boundary. + */ +- head->arg.tail[0].iov_len += 4 - (info->ri_chunklen & 3); ++ info->ri_chunklen = XDR_QUADLEN(info->ri_chunklen) << 2; + + head->arg.page_len = info->ri_chunklen; + head->arg.len += info->ri_chunklen; diff --git a/queue-4.14/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch b/queue-4.14/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch new file mode 100644 index 00000000000..dcd3cba3907 --- /dev/null +++ b/queue-4.14/tcp_nv-fix-potential-integer-overflow-in-tcpnv_acked.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 30 Jan 2018 22:21:48 -0600 +Subject: tcp_nv: fix potential integer overflow in tcpnv_acked + +From: "Gustavo A. R. Silva" + + +[ Upstream commit e4823fbd229bfbba368b40cdadb8f4eeb20604cc ] + +Add suffix ULL to constant 80000 in order to avoid a potential integer +overflow and give the compiler complete information about the proper +arithmetic to use. Notice that this constant is used in a context that +expects an expression of type u64. + +The current cast to u64 effectively applies to the whole expression +as an argument of type u64 to be passed to div64_u64, but it does +not prevent it from being evaluated using 32-bit arithmetic instead +of 64-bit arithmetic. + +Also, once the expression is properly evaluated using 64-bit arithmentic, +there is no need for the parentheses and the external cast to u64. + +Addresses-Coverity-ID: 1357588 ("Unintentional integer overflow") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_nv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_nv.c ++++ b/net/ipv4/tcp_nv.c +@@ -327,7 +327,7 @@ static void tcpnv_acked(struct sock *sk, + */ + cwnd_by_slope = (u32) + div64_u64(((u64)ca->nv_rtt_max_rate) * ca->nv_min_rtt, +- (u64)(80000 * tp->mss_cache)); ++ 80000ULL * tp->mss_cache); + max_win = cwnd_by_slope + nv_pad; + + /* If cwnd > max_win, decrease cwnd diff --git a/queue-4.14/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch b/queue-4.14/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch new file mode 100644 index 00000000000..f3dc2ebad7f --- /dev/null +++ b/queue-4.14/tools-lib-traceevent-fix-get_field_str-for-dynamic-strings.patch @@ -0,0 +1,56 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Thu, 11 Jan 2018 19:47:51 -0500 +Subject: tools lib traceevent: Fix get_field_str() for dynamic strings + +From: "Steven Rostedt (VMware)" + + +[ Upstream commit d777f8de99b05d399c0e4e51cdce016f26bd971b ] + +If a field is a dynamic string, get_field_str() returned just the +offset/size value and not the string. Have it parse the offset/size +correctly to return the actual string. Otherwise filtering fails when +trying to filter fields that are dynamic strings. + +Reported-by: Gopanapalli Pradeep +Signed-off-by: Steven Rostedt +Acked-by: Namhyung Kim +Cc: Andrew Morton +Link: http://lkml.kernel.org/r/20180112004823.146333275@goodmis.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/traceevent/parse-filter.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/tools/lib/traceevent/parse-filter.c ++++ b/tools/lib/traceevent/parse-filter.c +@@ -1879,17 +1879,25 @@ static const char *get_field_str(struct + struct pevent *pevent; + unsigned long long addr; + const char *val = NULL; ++ unsigned int size; + char hex[64]; + + /* If the field is not a string convert it */ + if (arg->str.field->flags & FIELD_IS_STRING) { + val = record->data + arg->str.field->offset; ++ size = arg->str.field->size; ++ ++ if (arg->str.field->flags & FIELD_IS_DYNAMIC) { ++ addr = *(unsigned int *)val; ++ val = record->data + (addr & 0xffff); ++ size = addr >> 16; ++ } + + /* + * We need to copy the data since we can't be sure the field + * is null terminated. + */ +- if (*(val + arg->str.field->size - 1)) { ++ if (*(val + size - 1)) { + /* copy it */ + memcpy(arg->str.buffer, val, arg->str.field->size); + /* the buffer is already NULL terminated */ diff --git a/queue-4.14/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch b/queue-4.14/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch new file mode 100644 index 00000000000..b2880388fdb --- /dev/null +++ b/queue-4.14/tools-lib-traceevent-simplify-pointer-print-logic-and-fix-pf.patch @@ -0,0 +1,61 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Thu, 11 Jan 2018 19:47:45 -0500 +Subject: tools lib traceevent: Simplify pointer print logic and fix %pF + +From: "Steven Rostedt (VMware)" + + +[ Upstream commit 38d70b7ca1769f26c0b79f3c08ff2cc949712b59 ] + +When processing %pX in pretty_print(), simplify the logic slightly by +incrementing the ptr to the format string if isalnum(ptr[1]) is true. +This follows the logic a bit more closely to what is in the kernel. + +Also, this fixes a small bug where %pF was not giving the offset of the +function. + +Signed-off-by: Steven Rostedt +Acked-by: Namhyung Kim +Cc: Andrew Morton +Link: http://lkml.kernel.org/r/20180112004822.260262257@goodmis.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/traceevent/event-parse.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -4949,21 +4949,22 @@ static void pretty_print(struct trace_se + else + ls = 2; + +- if (*(ptr+1) == 'F' || *(ptr+1) == 'f' || +- *(ptr+1) == 'S' || *(ptr+1) == 's') { ++ if (isalnum(ptr[1])) + ptr++; ++ ++ if (*ptr == 'F' || *ptr == 'f' || ++ *ptr == 'S' || *ptr == 's') { + show_func = *ptr; +- } else if (*(ptr+1) == 'M' || *(ptr+1) == 'm') { +- print_mac_arg(s, *(ptr+1), data, size, event, arg); +- ptr++; ++ } else if (*ptr == 'M' || *ptr == 'm') { ++ print_mac_arg(s, *ptr, data, size, event, arg); + arg = arg->next; + break; +- } else if (*(ptr+1) == 'I' || *(ptr+1) == 'i') { ++ } else if (*ptr == 'I' || *ptr == 'i') { + int n; + +- n = print_ip_arg(s, ptr+1, data, size, event, arg); ++ n = print_ip_arg(s, ptr, data, size, event, arg); + if (n > 0) { +- ptr += n; ++ ptr += n - 1; + arg = arg->next; + break; + } diff --git a/queue-4.14/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch b/queue-4.14/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch new file mode 100644 index 00000000000..e51478a0dc0 --- /dev/null +++ b/queue-4.14/tools-libbpf-handle-issues-with-bpf-elf-objects-containing-.eh_frames.patch @@ -0,0 +1,89 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Jesper Dangaard Brouer +Date: Thu, 8 Feb 2018 12:48:32 +0100 +Subject: tools/libbpf: handle issues with bpf ELF objects containing .eh_frames + +From: Jesper Dangaard Brouer + + +[ Upstream commit e3d91b0ca523d53158f435a3e13df7f0cb360ea2 ] + +V3: More generic skipping of relo-section (suggested by Daniel) + +If clang >= 4.0.1 is missing the option '-target bpf', it will cause +llc/llvm to create two ELF sections for "Exception Frames", with +section names '.eh_frame' and '.rel.eh_frame'. + +The BPF ELF loader library libbpf fails when loading files with these +sections. The other in-kernel BPF ELF loader in samples/bpf/bpf_load.c, +handle this gracefully. And iproute2 loader also seems to work with these +"eh" sections. + +The issue in libbpf is caused by bpf_object__elf_collect() skipping +some sections, and later when performing relocation it will be +pointing to a skipped section, as these sections cannot be found by +bpf_object__find_prog_by_idx() in bpf_object__collect_reloc(). + +This is a general issue that also occurs for other sections, like +debug sections which are also skipped and can have relo section. + +As suggested by Daniel. To avoid keeping state about all skipped +sections, instead perform a direct qlookup in the ELF object. Lookup +the section that the relo-section points to and check if it contains +executable machine instructions (denoted by the sh_flags +SHF_EXECINSTR). Use this check to also skip irrelevant relo-sections. + +Note, for samples/bpf/ the '-target bpf' parameter to clang cannot be used +due to incompatibility with asm embedded headers, that some of the samples +include. This is explained in more details by Yonghong Song in bpf_devel_QA. + +Signed-off-by: Jesper Dangaard Brouer +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/lib/bpf/libbpf.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/tools/lib/bpf/libbpf.c ++++ b/tools/lib/bpf/libbpf.c +@@ -661,6 +661,24 @@ bpf_object__init_maps(struct bpf_object + return bpf_object__validate_maps(obj); + } + ++static bool section_have_execinstr(struct bpf_object *obj, int idx) ++{ ++ Elf_Scn *scn; ++ GElf_Shdr sh; ++ ++ scn = elf_getscn(obj->efile.elf, idx); ++ if (!scn) ++ return false; ++ ++ if (gelf_getshdr(scn, &sh) != &sh) ++ return false; ++ ++ if (sh.sh_flags & SHF_EXECINSTR) ++ return true; ++ ++ return false; ++} ++ + static int bpf_object__elf_collect(struct bpf_object *obj) + { + Elf *elf = obj->efile.elf; +@@ -742,6 +760,14 @@ static int bpf_object__elf_collect(struc + } else if (sh.sh_type == SHT_REL) { + void *reloc = obj->efile.reloc; + int nr_reloc = obj->efile.nr_reloc + 1; ++ int sec = sh.sh_info; /* points to other section */ ++ ++ /* Only do relo for section with exec instructions */ ++ if (!section_have_execinstr(obj, sec)) { ++ pr_debug("skip relo %s(%d) for section(%d)\n", ++ name, idx, sec); ++ continue; ++ } + + reloc = realloc(reloc, + sizeof(*obj->efile.reloc) * nr_reloc); diff --git a/queue-4.14/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch b/queue-4.14/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch new file mode 100644 index 00000000000..ce984a6aed6 --- /dev/null +++ b/queue-4.14/tracing-hrtimer-fix-tracing-bugs-by-taking-all-clock-bases-and-modes-into-account.patch @@ -0,0 +1,69 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Anna-Maria Gleixner +Date: Thu, 21 Dec 2017 11:41:37 +0100 +Subject: tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account + +From: Anna-Maria Gleixner + + +[ Upstream commit 91633eed73a3ac37aaece5c8c1f93a18bae616a9 ] + +So far only CLOCK_MONOTONIC and CLOCK_REALTIME were taken into account as +well as HRTIMER_MODE_ABS/REL in the hrtimer_init tracepoint. The query for +detecting the ABS or REL timer modes is not valid anymore, it got broken +by the introduction of HRTIMER_MODE_PINNED. + +HRTIMER_MODE_PINNED is not evaluated in the hrtimer_init() call, but for the +sake of completeness print all given modes. + +Signed-off-by: Anna-Maria Gleixner +Cc: Christoph Hellwig +Cc: John Stultz +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: keescook@chromium.org +Link: http://lkml.kernel.org/r/20171221104205.7269-9-anna-maria@linutronix.de +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/trace/events/timer.h | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/include/trace/events/timer.h ++++ b/include/trace/events/timer.h +@@ -136,6 +136,20 @@ DEFINE_EVENT(timer_class, timer_cancel, + TP_ARGS(timer) + ); + ++#define decode_clockid(type) \ ++ __print_symbolic(type, \ ++ { CLOCK_REALTIME, "CLOCK_REALTIME" }, \ ++ { CLOCK_MONOTONIC, "CLOCK_MONOTONIC" }, \ ++ { CLOCK_BOOTTIME, "CLOCK_BOOTTIME" }, \ ++ { CLOCK_TAI, "CLOCK_TAI" }) ++ ++#define decode_hrtimer_mode(mode) \ ++ __print_symbolic(mode, \ ++ { HRTIMER_MODE_ABS, "ABS" }, \ ++ { HRTIMER_MODE_REL, "REL" }, \ ++ { HRTIMER_MODE_ABS_PINNED, "ABS|PINNED" }, \ ++ { HRTIMER_MODE_REL_PINNED, "REL|PINNED" }) ++ + /** + * hrtimer_init - called when the hrtimer is initialized + * @hrtimer: pointer to struct hrtimer +@@ -162,10 +176,8 @@ TRACE_EVENT(hrtimer_init, + ), + + TP_printk("hrtimer=%p clockid=%s mode=%s", __entry->hrtimer, +- __entry->clockid == CLOCK_REALTIME ? +- "CLOCK_REALTIME" : "CLOCK_MONOTONIC", +- __entry->mode == HRTIMER_MODE_ABS ? +- "HRTIMER_MODE_ABS" : "HRTIMER_MODE_REL") ++ decode_clockid(__entry->clockid), ++ decode_hrtimer_mode(__entry->mode)) + ); + + /** diff --git a/queue-4.14/tty-serial-exar-relocate-sleep-wake-up-handling.patch b/queue-4.14/tty-serial-exar-relocate-sleep-wake-up-handling.patch new file mode 100644 index 00000000000..ccbddf16c9b --- /dev/null +++ b/queue-4.14/tty-serial-exar-relocate-sleep-wake-up-handling.patch @@ -0,0 +1,163 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Aaron Sierra +Date: Wed, 24 Jan 2018 18:19:23 -0600 +Subject: tty: serial: exar: Relocate sleep wake-up handling + +From: Aaron Sierra + + +[ Upstream commit c7e1b4059075c9e8eed101d7cc5da43e95eb5e18 ] + +Exar sleep wake-up handling has been done on a per-channel basis by +virtue of INT0 being accessible from each channel's address space. I +believe this was initially done out of necessity, but now that Exar +devices have their own driver, we can do things more efficiently by +registering a dedicated INT0 handler at the PCI device level. + +I see this change providing the following benefits: + + 1. If more than one port is active, eliminates the redundant bus + cycles for reading INT0 on every interrupt. + 2. This note associated with hooking in the per-channel handler in + 8250_port.c is resolved: + /* Fixme: probably not the best place for this */ + +Cc: Matt Schulte +Signed-off-by: Aaron Sierra +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_exar.c | 34 ++++++++++++++++++++++++++++++---- + drivers/tty/serial/8250/8250_port.c | 26 -------------------------- + 2 files changed, 30 insertions(+), 30 deletions(-) + +--- a/drivers/tty/serial/8250/8250_exar.c ++++ b/drivers/tty/serial/8250/8250_exar.c +@@ -37,6 +37,7 @@ + #define PCI_DEVICE_ID_EXAR_XR17V4358 0x4358 + #define PCI_DEVICE_ID_EXAR_XR17V8358 0x8358 + ++#define UART_EXAR_INT0 0x80 + #define UART_EXAR_8XMODE 0x88 /* 8X sampling rate select */ + + #define UART_EXAR_FCTR 0x08 /* Feature Control Register */ +@@ -124,6 +125,7 @@ struct exar8250_board { + struct exar8250 { + unsigned int nr; + struct exar8250_board *board; ++ void __iomem *virt; + int line[0]; + }; + +@@ -134,12 +136,9 @@ static int default_setup(struct exar8250 + const struct exar8250_board *board = priv->board; + unsigned int bar = 0; + +- if (!pcim_iomap_table(pcidev)[bar] && !pcim_iomap(pcidev, bar, 0)) +- return -ENOMEM; +- + port->port.iotype = UPIO_MEM; + port->port.mapbase = pci_resource_start(pcidev, bar) + offset; +- port->port.membase = pcim_iomap_table(pcidev)[bar] + offset; ++ port->port.membase = priv->virt + offset; + port->port.regshift = board->reg_shift; + + return 0; +@@ -423,6 +422,25 @@ static void pci_xr17v35x_exit(struct pci + port->port.private_data = NULL; + } + ++/* ++ * These Exar UARTs have an extra interrupt indicator that could fire for a ++ * few interrupts that are not presented/cleared through IIR. One of which is ++ * a wakeup interrupt when coming out of sleep. These interrupts are only ++ * cleared by reading global INT0 or INT1 registers as interrupts are ++ * associated with channel 0. The INT[3:0] registers _are_ accessible from each ++ * channel's address space, but for the sake of bus efficiency we register a ++ * dedicated handler at the PCI device level to handle them. ++ */ ++static irqreturn_t exar_misc_handler(int irq, void *data) ++{ ++ struct exar8250 *priv = data; ++ ++ /* Clear all PCI interrupts by reading INT0. No effect on IIR */ ++ ioread8(priv->virt + UART_EXAR_INT0); ++ ++ return IRQ_HANDLED; ++} ++ + static int + exar_pci_probe(struct pci_dev *pcidev, const struct pci_device_id *ent) + { +@@ -451,6 +469,9 @@ exar_pci_probe(struct pci_dev *pcidev, c + return -ENOMEM; + + priv->board = board; ++ priv->virt = pcim_iomap(pcidev, bar, 0); ++ if (!priv->virt) ++ return -ENOMEM; + + pci_set_master(pcidev); + +@@ -464,6 +485,11 @@ exar_pci_probe(struct pci_dev *pcidev, c + uart.port.irq = pci_irq_vector(pcidev, 0); + uart.port.dev = &pcidev->dev; + ++ rc = devm_request_irq(&pcidev->dev, uart.port.irq, exar_misc_handler, ++ IRQF_SHARED, "exar_uart", priv); ++ if (rc) ++ return rc; ++ + for (i = 0; i < nr_ports && i < maxnr; i++) { + rc = board->setup(priv, pcidev, &uart, i); + if (rc) { +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -458,7 +458,6 @@ static void io_serial_out(struct uart_po + } + + static int serial8250_default_handle_irq(struct uart_port *port); +-static int exar_handle_irq(struct uart_port *port); + + static void set_io_from_upio(struct uart_port *p) + { +@@ -1904,26 +1903,6 @@ static int serial8250_default_handle_irq + } + + /* +- * These Exar UARTs have an extra interrupt indicator that could +- * fire for a few unimplemented interrupts. One of which is a +- * wakeup event when coming out of sleep. Put this here just +- * to be on the safe side that these interrupts don't go unhandled. +- */ +-static int exar_handle_irq(struct uart_port *port) +-{ +- unsigned int iir = serial_port_in(port, UART_IIR); +- int ret = 0; +- +- if (((port->type == PORT_XR17V35X) || (port->type == PORT_XR17D15X)) && +- serial_port_in(port, UART_EXAR_INT0) != 0) +- ret = 1; +- +- ret |= serial8250_handle_irq(port, iir); +- +- return ret; +-} +- +-/* + * Newer 16550 compatible parts such as the SC16C650 & Altera 16550 Soft IP + * have a programmable TX threshold that triggers the THRE interrupt in + * the IIR register. In this case, the THRE interrupt indicates the FIFO +@@ -3107,11 +3086,6 @@ static void serial8250_config_port(struc + if (port->type == PORT_UNKNOWN) + serial8250_release_std_resource(up); + +- /* Fixme: probably not the best place for this */ +- if ((port->type == PORT_XR17V35X) || +- (port->type == PORT_XR17D15X)) +- port->handle_irq = exar_handle_irq; +- + register_dev_spec_attr_grp(up); + up->fcr = uart_config[up->port.type].fcr; + } diff --git a/queue-4.14/ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch b/queue-4.14/ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch new file mode 100644 index 00000000000..26d0489c289 --- /dev/null +++ b/queue-4.14/ubifs-fix-uninitialized-variable-in-search_dh_cookie.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Geert Uytterhoeven +Date: Sun, 17 Sep 2017 10:32:20 +0200 +Subject: ubifs: Fix uninitialized variable in search_dh_cookie() + +From: Geert Uytterhoeven + + +[ Upstream commit c877154d307f4a91e0b5b85b75535713dab945ae ] + +fs/ubifs/tnc.c: In function ‘search_dh_cookie’: +fs/ubifs/tnc.c:1893: warning: ‘err’ is used uninitialized in this function + +Indeed, err is always used uninitialized. + +According to an original review comment from Hyunchul, acknowledged by +Richard, err should be initialized to -ENOENT to avoid the first call to +tnc_next(). But we can achieve the same by reordering the code. + +Fixes: 781f675e2d7e ("ubifs: Fix unlink code wrt. double hash lookups") +Reported-by: Hyunchul Lee +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ubifs/tnc.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/fs/ubifs/tnc.c ++++ b/fs/ubifs/tnc.c +@@ -1890,35 +1890,28 @@ static int search_dh_cookie(struct ubifs + union ubifs_key *dkey; + + for (;;) { +- if (!err) { +- err = tnc_next(c, &znode, n); +- if (err) +- goto out; +- } +- + zbr = &znode->zbranch[*n]; + dkey = &zbr->key; + + if (key_inum(c, dkey) != key_inum(c, key) || + key_type(c, dkey) != key_type(c, key)) { +- err = -ENOENT; +- goto out; ++ return -ENOENT; + } + + err = tnc_read_hashed_node(c, zbr, dent); + if (err) +- goto out; ++ return err; + + if (key_hash(c, key) == key_hash(c, dkey) && + le32_to_cpu(dent->cookie) == cookie) { + *zn = znode; +- goto out; ++ return 0; + } +- } + +-out: +- +- return err; ++ err = tnc_next(c, &znode, n); ++ if (err) ++ return err; ++ } + } + + static int do_lookup_dh(struct ubifs_info *c, const union ubifs_key *key, diff --git a/queue-4.14/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch b/queue-4.14/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch new file mode 100644 index 00000000000..c09126c427e --- /dev/null +++ b/queue-4.14/vfs-proc-kcore-x86-mm-kcore-fix-smap-fault-when-dumping-vsyscall-user-page.patch @@ -0,0 +1,74 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: Jia Zhang +Date: Mon, 12 Feb 2018 22:44:53 +0800 +Subject: vfs/proc/kcore, x86/mm/kcore: Fix SMAP fault when dumping vsyscall user page + +From: Jia Zhang + + +[ Upstream commit 595dd46ebfc10be041a365d0a3fa99df50b6ba73 ] + +Commit: + + df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data") + +... introduced a bounce buffer to work around CONFIG_HARDENED_USERCOPY=y. +However, accessing the vsyscall user page will cause an SMAP fault. + +Replace memcpy() with copy_from_user() to fix this bug works, but adding +a common way to handle this sort of user page may be useful for future. + +Currently, only vsyscall page requires KCORE_USER. + +Signed-off-by: Jia Zhang +Reviewed-by: Jiri Olsa +Cc: Al Viro +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: jolsa@redhat.com +Link: http://lkml.kernel.org/r/1518446694-21124-2-git-send-email-zhang.jia@linux.alibaba.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/init_64.c | 3 +-- + fs/proc/kcore.c | 4 ++++ + include/linux/kcore.h | 1 + + 3 files changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/init_64.c ++++ b/arch/x86/mm/init_64.c +@@ -1180,8 +1180,7 @@ void __init mem_init(void) + after_bootmem = 1; + + /* Register memory areas for /proc/kcore */ +- kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR, +- PAGE_SIZE, KCORE_OTHER); ++ kclist_add(&kcore_vsyscall, (void *)VSYSCALL_ADDR, PAGE_SIZE, KCORE_USER); + + mem_init_print_info(NULL); + } +--- a/fs/proc/kcore.c ++++ b/fs/proc/kcore.c +@@ -510,6 +510,10 @@ read_kcore(struct file *file, char __use + /* we have to zero-fill user buffer even if no read */ + if (copy_to_user(buffer, buf, tsz)) + return -EFAULT; ++ } else if (m->type == KCORE_USER) { ++ /* User page is handled prior to normal kernel page: */ ++ if (copy_to_user(buffer, (char *)start, tsz)) ++ return -EFAULT; + } else { + if (kern_addr_valid(start)) { + /* +--- a/include/linux/kcore.h ++++ b/include/linux/kcore.h +@@ -10,6 +10,7 @@ enum kcore_type { + KCORE_VMALLOC, + KCORE_RAM, + KCORE_VMEMMAP, ++ KCORE_USER, + KCORE_OTHER, + }; + diff --git a/queue-4.14/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch b/queue-4.14/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch new file mode 100644 index 00000000000..45a84175417 --- /dev/null +++ b/queue-4.14/watchdog-sp5100_tco-fix-watchdog-disable-bit.patch @@ -0,0 +1,36 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Guenter Roeck +Date: Sun, 24 Dec 2017 13:04:07 -0800 +Subject: watchdog: sp5100_tco: Fix watchdog disable bit + +From: Guenter Roeck + + +[ Upstream commit f541c09ebfc61697b586b38c9ebaf4b70defb278 ] + +According to all published information, the watchdog disable bit for SB800 +compatible controllers is bit 1 of PM register 0x48, not bit 2. For the +most part that doesn't matter in practice, since the bit has to be cleared +to enable watchdog address decoding, which is the default setting, but it +still needs to be fixed. + +Cc: Zoltán Böszörményi +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/sp5100_tco.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/watchdog/sp5100_tco.h ++++ b/drivers/watchdog/sp5100_tco.h +@@ -55,7 +55,7 @@ + #define SB800_PM_WATCHDOG_CONFIG 0x4C + + #define SB800_PCI_WATCHDOG_DECODE_EN (1 << 0) +-#define SB800_PM_WATCHDOG_DISABLE (1 << 2) ++#define SB800_PM_WATCHDOG_DISABLE (1 << 1) + #define SB800_PM_WATCHDOG_SECOND_RES (3 << 0) + #define SB800_ACPI_MMIO_DECODE_EN (1 << 0) + #define SB800_ACPI_MMIO_SEL (1 << 1) diff --git a/queue-4.14/x86-dumpstack-avoid-uninitlized-variable.patch b/queue-4.14/x86-dumpstack-avoid-uninitlized-variable.patch new file mode 100644 index 00000000000..7834f706fd5 --- /dev/null +++ b/queue-4.14/x86-dumpstack-avoid-uninitlized-variable.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnd Bergmann +Date: Fri, 2 Feb 2018 15:56:17 +0100 +Subject: x86/dumpstack: Avoid uninitlized variable + +From: Arnd Bergmann + + +[ Upstream commit ebfc15019cfa72496c674ffcb0b8ef10790dcddc ] + +In some configurations, 'partial' does not get initialized, as shown by +this gcc-8 warning: + +arch/x86/kernel/dumpstack.c: In function 'show_trace_log_lvl': +arch/x86/kernel/dumpstack.c:156:4: error: 'partial' may be used uninitialized in this function [-Werror=maybe-uninitialized] + show_regs_if_on_stack(&stack_info, regs, partial); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +This initializes it to false, to get the previous behavior in this case. + +Fixes: a9cdbe72c4e8 ("x86/dumpstack: Fix partial register dumps") +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Cc: Andi Kleen +Cc: Nicolas Pitre +Cc: Peter Zijlstra +Cc: Dave Hansen +Cc: Andy Lutomirski +Cc: Josh Poimboeuf +Cc: Borislav Petkov +Cc: Vlastimil Babka +Link: https://lkml.kernel.org/r/20180202145634.200291-1-arnd@arndb.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/dumpstack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/dumpstack.c ++++ b/arch/x86/kernel/dumpstack.c +@@ -109,7 +109,7 @@ void show_trace_log_lvl(struct task_stru + struct stack_info stack_info = {0}; + unsigned long visit_mask = 0; + int graph_idx = 0; +- bool partial; ++ bool partial = false; + + printk("%sCall Trace:\n", log_lvl); + diff --git a/queue-4.14/x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch b/queue-4.14/x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch new file mode 100644 index 00000000000..f6228f6d553 --- /dev/null +++ b/queue-4.14/x86-hyperv-check-for-required-priviliges-in-hyperv_init.patch @@ -0,0 +1,59 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Vitaly Kuznetsov +Date: Wed, 24 Jan 2018 14:23:31 +0100 +Subject: x86/hyperv: Check for required priviliges in hyperv_init() + +From: Vitaly Kuznetsov + + +[ Upstream commit 89a8f6d4904c8cf3ff8fee9fdaff392a6bbb8bf6 ] + +In hyperv_init() its presumed that it always has access to VP index and +hypercall MSRs while according to the specification it should be checked if +it's allowed to access the corresponding MSRs before accessing them. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Thomas Gleixner +Reviewed-by: Thomas Gleixner +Cc: Stephen Hemminger +Cc: kvm@vger.kernel.org +Cc: Radim Krčmář +Cc: Haiyang Zhang +Cc: "Michael Kelley (EOSG)" +Cc: Roman Kagan +Cc: Andy Lutomirski +Cc: devel@linuxdriverproject.org +Cc: Paolo Bonzini +Cc: "K. Y. Srinivasan" +Cc: Cathy Avery +Cc: Mohammed Gamal +Link: https://lkml.kernel.org/r/20180124132337.30138-2-vkuznets@redhat.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/hyperv/hv_init.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/x86/hyperv/hv_init.c ++++ b/arch/x86/hyperv/hv_init.c +@@ -110,12 +110,19 @@ static int hv_cpu_init(unsigned int cpu) + */ + void hyperv_init(void) + { +- u64 guest_id; ++ u64 guest_id, required_msrs; + union hv_x64_msr_hypercall_contents hypercall_msr; + + if (x86_hyper_type != X86_HYPER_MS_HYPERV) + return; + ++ /* Absolutely required MSRs */ ++ required_msrs = HV_X64_MSR_HYPERCALL_AVAILABLE | ++ HV_X64_MSR_VP_INDEX_AVAILABLE; ++ ++ if ((ms_hyperv.features & required_msrs) != required_msrs) ++ return; ++ + /* Allocate percpu VP index */ + hv_vp_index = kmalloc_array(num_possible_cpus(), sizeof(*hv_vp_index), + GFP_KERNEL); diff --git a/queue-4.14/x86-hyperv-stop-suppressing-x86_feature_pcid.patch b/queue-4.14/x86-hyperv-stop-suppressing-x86_feature_pcid.patch new file mode 100644 index 00000000000..09699a409d0 --- /dev/null +++ b/queue-4.14/x86-hyperv-stop-suppressing-x86_feature_pcid.patch @@ -0,0 +1,86 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Vitaly Kuznetsov +Date: Wed, 24 Jan 2018 11:36:29 +0100 +Subject: x86/hyperv: Stop suppressing X86_FEATURE_PCID + +From: Vitaly Kuznetsov + + +[ Upstream commit 617ab45c9a8900e64a78b43696c02598b8cad68b ] + +When hypercall-based TLB flush was enabled for Hyper-V guests PCID feature +was deliberately suppressed as a precaution: back then PCID was never +exposed to Hyper-V guests and it wasn't clear what will happen if some day +it becomes available. The day came and PCID/INVPCID features are already +exposed on certain Hyper-V hosts. + +>From TLFS (as of 5.0b) it is unclear how TLB flush hypercalls combine with +PCID. In particular the usage of PCID is per-cpu based: the same mm gets +different CR3 values on different CPUs. If the hypercall does exact +matching this will fail. However, this is not the case. David Zhang +explains: + + "In practice, the AddressSpace argument is ignored on any VM that supports + PCIDs. + + Architecturally, the AddressSpace argument must match the CR3 with PCID + bits stripped out (i.e., the low 12 bits of AddressSpace should be 0 in + long mode). The flush hypercalls flush all PCIDs for the specified + AddressSpace." + +With this, PCID can be enabled. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Thomas Gleixner +Cc: David Zhang +Cc: Stephen Hemminger +Cc: Haiyang Zhang +Cc: "Michael Kelley (EOSG)" +Cc: Andy Lutomirski +Cc: devel@linuxdriverproject.org +Cc: "K. Y. Srinivasan" +Cc: Aditya Bhandari +Link: https://lkml.kernel.org/r/20180124103629.29980-1-vkuznets@redhat.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/hyperv/mmu.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/x86/hyperv/mmu.c ++++ b/arch/x86/hyperv/mmu.c +@@ -137,7 +137,12 @@ static void hyperv_flush_tlb_others(cons + } + + if (info->mm) { ++ /* ++ * AddressSpace argument must match the CR3 with PCID bits ++ * stripped out. ++ */ + flush->address_space = virt_to_phys(info->mm->pgd); ++ flush->address_space &= CR3_ADDR_MASK; + flush->flags = 0; + } else { + flush->address_space = 0; +@@ -219,7 +224,12 @@ static void hyperv_flush_tlb_others_ex(c + } + + if (info->mm) { ++ /* ++ * AddressSpace argument must match the CR3 with PCID bits ++ * stripped out. ++ */ + flush->address_space = virt_to_phys(info->mm->pgd); ++ flush->address_space &= CR3_ADDR_MASK; + flush->flags = 0; + } else { + flush->address_space = 0; +@@ -278,8 +288,6 @@ void hyperv_setup_mmu_ops(void) + if (!(ms_hyperv.hints & HV_X64_REMOTE_TLB_FLUSH_RECOMMENDED)) + return; + +- setup_clear_cpu_cap(X86_FEATURE_PCID); +- + if (!(ms_hyperv.hints & HV_X64_EX_PROCESSOR_MASKS_RECOMMENDED)) { + pr_info("Using hypercall for remote TLB flush\n"); + pv_mmu_ops.flush_tlb_others = hyperv_flush_tlb_others; diff --git a/queue-4.14/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch b/queue-4.14/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch new file mode 100644 index 00000000000..4ede145ff58 --- /dev/null +++ b/queue-4.14/x86-kvm-vmx-do-not-use-vm-exit-instruction-length-for-fast-mmio-when-running-nested.patch @@ -0,0 +1,78 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Vitaly Kuznetsov +Date: Thu, 25 Jan 2018 16:37:07 +0100 +Subject: x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested + +From: Vitaly Kuznetsov + + +[ Upstream commit d391f1207067268261add0485f0f34503539c5b0 ] + +I was investigating an issue with seabios >= 1.10 which stopped working +for nested KVM on Hyper-V. The problem appears to be in +handle_ept_violation() function: when we do fast mmio we need to skip +the instruction so we do kvm_skip_emulated_instruction(). This, however, +depends on VM_EXIT_INSTRUCTION_LEN field being set correctly in VMCS. +However, this is not the case. + +Intel's manual doesn't mandate VM_EXIT_INSTRUCTION_LEN to be set when +EPT MISCONFIG occurs. While on real hardware it was observed to be set, +some hypervisors follow the spec and don't set it; we end up advancing +IP with some random value. + +I checked with Microsoft and they confirmed they don't fill +VM_EXIT_INSTRUCTION_LEN on EPT MISCONFIG. + +Fix the issue by doing instruction skip through emulator when running +nested. + +Fixes: 68c3b4d1676d870f0453c31d5a52e7e65c7448ae +Suggested-by: Radim Krčmář +Suggested-by: Paolo Bonzini +Signed-off-by: Vitaly Kuznetsov +Acked-by: Michael S. Tsirkin +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 16 +++++++++++++++- + arch/x86/kvm/x86.c | 3 ++- + 2 files changed, 17 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -6765,7 +6765,21 @@ static int handle_ept_misconfig(struct k + if (!is_guest_mode(vcpu) && + !kvm_io_bus_write(vcpu, KVM_FAST_MMIO_BUS, gpa, 0, NULL)) { + trace_kvm_fast_mmio(gpa); +- return kvm_skip_emulated_instruction(vcpu); ++ /* ++ * Doing kvm_skip_emulated_instruction() depends on undefined ++ * behavior: Intel's manual doesn't mandate ++ * VM_EXIT_INSTRUCTION_LEN to be set in VMCS when EPT MISCONFIG ++ * occurs and while on real hardware it was observed to be set, ++ * other hypervisors (namely Hyper-V) don't set it, we end up ++ * advancing IP with some random value. Disable fast mmio when ++ * running nested and keep it for real hardware in hope that ++ * VM_EXIT_INSTRUCTION_LEN will always be set correctly. ++ */ ++ if (!static_cpu_has(X86_FEATURE_HYPERVISOR)) ++ return kvm_skip_emulated_instruction(vcpu); ++ else ++ return x86_emulate_instruction(vcpu, gpa, EMULTYPE_SKIP, ++ NULL, 0) == EMULATE_DONE; + } + + ret = kvm_mmu_page_fault(vcpu, gpa, PFERR_RSVD_MASK, NULL, 0); +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -5699,7 +5699,8 @@ int x86_emulate_instruction(struct kvm_v + * handle watchpoints yet, those would be handled in + * the emulate_ops. + */ +- if (kvm_vcpu_check_breakpoint(vcpu, &r)) ++ if (!(emulation_type & EMULTYPE_SKIP) && ++ kvm_vcpu_check_breakpoint(vcpu, &r)) + return r; + + ctxt->interruptibility = 0; diff --git a/queue-4.14/x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch b/queue-4.14/x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch new file mode 100644 index 00000000000..1a0951775ac --- /dev/null +++ b/queue-4.14/x86-platform-uv-fix-gam-range-table-entries-less-than-1gb.patch @@ -0,0 +1,62 @@ +From foo@baz Tue Apr 24 15:29:21 CEST 2018 +From: "mike.travis@hpe.com" +Date: Mon, 5 Feb 2018 16:15:04 -0600 +Subject: x86/platform/UV: Fix GAM Range Table entries less than 1GB + +From: "mike.travis@hpe.com" + + +[ Upstream commit c25d99d20ba69824a1e2cc118e04b877cd427afc ] + +The latest UV platforms include the new ApachePass NVDIMMs into the +UV address space. This has introduced address ranges in the Global +Address Map Table that are less than the previous lowest range, which +was 2GB. Fix the address calculation so it accommodates address ranges +from bytes to exabytes. + +Signed-off-by: Mike Travis +Reviewed-by: Andrew Banman +Reviewed-by: Dimitri Sivanich +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Russ Anderson +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180205221503.190219903@stormcage.americas.sgi.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/x2apic_uv_x.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/apic/x2apic_uv_x.c ++++ b/arch/x86/kernel/apic/x2apic_uv_x.c +@@ -1140,16 +1140,25 @@ static void __init decode_gam_rng_tbl(un + + uv_gre_table = gre; + for (; gre->type != UV_GAM_RANGE_TYPE_UNUSED; gre++) { ++ unsigned long size = ((unsigned long)(gre->limit - lgre) ++ << UV_GAM_RANGE_SHFT); ++ int order = 0; ++ char suffix[] = " KMGTPE"; ++ ++ while (size > 9999 && order < sizeof(suffix)) { ++ size /= 1024; ++ order++; ++ } ++ + if (!index) { + pr_info("UV: GAM Range Table...\n"); + pr_info("UV: # %20s %14s %5s %4s %5s %3s %2s\n", "Range", "", "Size", "Type", "NASID", "SID", "PN"); + } +- pr_info("UV: %2d: 0x%014lx-0x%014lx %5luG %3d %04x %02x %02x\n", ++ pr_info("UV: %2d: 0x%014lx-0x%014lx %5lu%c %3d %04x %02x %02x\n", + index++, + (unsigned long)lgre << UV_GAM_RANGE_SHFT, + (unsigned long)gre->limit << UV_GAM_RANGE_SHFT, +- ((unsigned long)(gre->limit - lgre)) >> +- (30 - UV_GAM_RANGE_SHFT), /* 64M -> 1G */ ++ size, suffix[order], + gre->type, gre->nasid, gre->sockid, gre->pnode); + + lgre = gre->limit; diff --git a/queue-4.14/x86-power-fix-swsusp_arch_resume-prototype.patch b/queue-4.14/x86-power-fix-swsusp_arch_resume-prototype.patch new file mode 100644 index 00000000000..dd0cab3a68e --- /dev/null +++ b/queue-4.14/x86-power-fix-swsusp_arch_resume-prototype.patch @@ -0,0 +1,88 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Arnd Bergmann +Date: Fri, 2 Feb 2018 15:56:18 +0100 +Subject: x86/power: Fix swsusp_arch_resume prototype + +From: Arnd Bergmann + + +[ Upstream commit 328008a72d38b5bde6491e463405c34a81a65d3e ] + +The declaration for swsusp_arch_resume marks it as 'asmlinkage', but the +definition in x86-32 does not, and it fails to include the header with the +declaration. This leads to a warning when building with +link-time-optimizations: + +kernel/power/power.h:108:23: error: type of 'swsusp_arch_resume' does not match original declaration [-Werror=lto-type-mismatch] + extern asmlinkage int swsusp_arch_resume(void); + ^ +arch/x86/power/hibernate_32.c:148:0: note: 'swsusp_arch_resume' was previously declared here + int swsusp_arch_resume(void) + +This moves the declaration into a globally visible header file and fixes up +both x86 definitions to match it. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Thomas Gleixner +Cc: Len Brown +Cc: Andi Kleen +Cc: Nicolas Pitre +Cc: linux-pm@vger.kernel.org +Cc: "Rafael J. Wysocki" +Cc: Pavel Machek +Cc: Bart Van Assche +Link: https://lkml.kernel.org/r/20180202145634.200291-2-arnd@arndb.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/power/hibernate_32.c | 2 +- + arch/x86/power/hibernate_64.c | 2 +- + include/linux/suspend.h | 2 ++ + kernel/power/power.h | 3 --- + 4 files changed, 4 insertions(+), 5 deletions(-) + +--- a/arch/x86/power/hibernate_32.c ++++ b/arch/x86/power/hibernate_32.c +@@ -145,7 +145,7 @@ static inline void resume_init_first_lev + #endif + } + +-int swsusp_arch_resume(void) ++asmlinkage int swsusp_arch_resume(void) + { + int error; + +--- a/arch/x86/power/hibernate_64.c ++++ b/arch/x86/power/hibernate_64.c +@@ -174,7 +174,7 @@ out: + return 0; + } + +-int swsusp_arch_resume(void) ++asmlinkage int swsusp_arch_resume(void) + { + int error; + +--- a/include/linux/suspend.h ++++ b/include/linux/suspend.h +@@ -384,6 +384,8 @@ extern int swsusp_page_is_forbidden(stru + extern void swsusp_set_page_free(struct page *); + extern void swsusp_unset_page_free(struct page *); + extern unsigned long get_safe_page(gfp_t gfp_mask); ++extern asmlinkage int swsusp_arch_suspend(void); ++extern asmlinkage int swsusp_arch_resume(void); + + extern void hibernation_set_ops(const struct platform_hibernation_ops *ops); + extern int hibernate(void); +--- a/kernel/power/power.h ++++ b/kernel/power/power.h +@@ -104,9 +104,6 @@ extern int in_suspend; + extern dev_t swsusp_resume_device; + extern sector_t swsusp_resume_block; + +-extern asmlinkage int swsusp_arch_suspend(void); +-extern asmlinkage int swsusp_arch_resume(void); +- + extern int create_basic_memory_bitmaps(void); + extern void free_basic_memory_bitmaps(void); + extern int hibernate_preallocate_memory(void); diff --git a/queue-4.14/x86-tsc-allow-tsc-calibration-without-pit.patch b/queue-4.14/x86-tsc-allow-tsc-calibration-without-pit.patch new file mode 100644 index 00000000000..4246737b25c --- /dev/null +++ b/queue-4.14/x86-tsc-allow-tsc-calibration-without-pit.patch @@ -0,0 +1,94 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Peter Zijlstra +Date: Fri, 22 Dec 2017 10:20:11 +0100 +Subject: x86/tsc: Allow TSC calibration without PIT + +From: Peter Zijlstra + + +[ Upstream commit 30c7e5b123673d5e570e238dbada2fb68a87212c ] + +Zhang Rui reported that a Surface Pro 4 will fail to boot with +lapic=notscdeadline. Part of the problem is that that machine doesn't have +a PIT. + +If, for some reason, the TSC init has to fall back to TSC calibration, it +relies on the PIT to be present. + +Allow TSC calibration to reliably fall back to HPET. + +The below results in an accurate TSC measurement when forced on a IVB: + + tsc: Unable to calibrate against PIT + tsc: No reference (HPET/PMTIMER) available + tsc: Unable to calibrate against PIT + tsc: using HPET reference calibration + tsc: Detected 2792.451 MHz processor + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Thomas Gleixner +Cc: len.brown@intel.com +Cc: rui.zhang@intel.com +Link: https://lkml.kernel.org/r/20171222092243.333145937@infradead.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/i8259.h | 5 +++++ + arch/x86/kernel/tsc.c | 18 ++++++++++++++++++ + 2 files changed, 23 insertions(+) + +--- a/arch/x86/include/asm/i8259.h ++++ b/arch/x86/include/asm/i8259.h +@@ -69,6 +69,11 @@ struct legacy_pic { + extern struct legacy_pic *legacy_pic; + extern struct legacy_pic null_legacy_pic; + ++static inline bool has_legacy_pic(void) ++{ ++ return legacy_pic != &null_legacy_pic; ++} ++ + static inline int nr_legacy_irqs(void) + { + return legacy_pic->nr_legacy_irqs; +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + unsigned int __read_mostly cpu_khz; /* TSC clocks / usec, not used here */ + EXPORT_SYMBOL(cpu_khz); +@@ -363,6 +364,20 @@ static unsigned long pit_calibrate_tsc(u + unsigned long tscmin, tscmax; + int pitcnt; + ++ if (!has_legacy_pic()) { ++ /* ++ * Relies on tsc_early_delay_calibrate() to have given us semi ++ * usable udelay(), wait for the same 50ms we would have with ++ * the PIT loop below. ++ */ ++ udelay(10 * USEC_PER_MSEC); ++ udelay(10 * USEC_PER_MSEC); ++ udelay(10 * USEC_PER_MSEC); ++ udelay(10 * USEC_PER_MSEC); ++ udelay(10 * USEC_PER_MSEC); ++ return ULONG_MAX; ++ } ++ + /* Set the Gate high, disable speaker */ + outb((inb(0x61) & ~0x02) | 0x01, 0x61); + +@@ -487,6 +502,9 @@ static unsigned long quick_pit_calibrate + u64 tsc, delta; + unsigned long d1, d2; + ++ if (!has_legacy_pic()) ++ return 0; ++ + /* Set the Gate high, disable speaker */ + outb((inb(0x61) & ~0x02) | 0x01, 0x61); + diff --git a/queue-4.14/xen-grant-table-use-put_page-instead-of-free_page.patch b/queue-4.14/xen-grant-table-use-put_page-instead-of-free_page.patch new file mode 100644 index 00000000000..bdff10cdf34 --- /dev/null +++ b/queue-4.14/xen-grant-table-use-put_page-instead-of-free_page.patch @@ -0,0 +1,51 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ross Lagerwall +Date: Thu, 11 Jan 2018 09:36:37 +0000 +Subject: xen/grant-table: Use put_page instead of free_page + +From: Ross Lagerwall + + +[ Upstream commit 3ac7292a25db1c607a50752055a18aba32ac2176 ] + +The page given to gnttab_end_foreign_access() to free could be a +compound page so use put_page() instead of free_page() since it can +handle both compound and single pages correctly. + +This bug was discovered when migrating a Xen VM with several VIFs and +CONFIG_DEBUG_VM enabled. It hits a BUG usually after fewer than 10 +iterations. All netfront devices disconnect from the backend during a +suspend/resume and this will call gnttab_end_foreign_access() if a +netfront queue has an outstanding skb. The mismatch between calling +get_page() and free_page() on a compound page causes a reference +counting error which is detected when DEBUG_VM is enabled. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/grant-table.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/grant-table.c ++++ b/drivers/xen/grant-table.c +@@ -328,7 +328,7 @@ static void gnttab_handle_deferred(unsig + if (entry->page) { + pr_debug("freeing g.e. %#x (pfn %#lx)\n", + entry->ref, page_to_pfn(entry->page)); +- __free_page(entry->page); ++ put_page(entry->page); + } else + pr_info("freeing g.e. %#x\n", entry->ref); + kfree(entry); +@@ -384,7 +384,7 @@ void gnttab_end_foreign_access(grant_ref + if (gnttab_end_foreign_access_ref(ref, readonly)) { + put_free_entry(ref); + if (page != 0) +- free_page(page); ++ put_page(virt_to_page(page)); + } else + gnttab_add_deferred(ref, readonly, + page ? virt_to_page(page) : NULL); diff --git a/queue-4.14/xen-netfront-fix-race-between-device-setup-and-open.patch b/queue-4.14/xen-netfront-fix-race-between-device-setup-and-open.patch new file mode 100644 index 00000000000..ed71628ec28 --- /dev/null +++ b/queue-4.14/xen-netfront-fix-race-between-device-setup-and-open.patch @@ -0,0 +1,178 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Ross Lagerwall +Date: Thu, 11 Jan 2018 09:36:38 +0000 +Subject: xen-netfront: Fix race between device setup and open + +From: Ross Lagerwall + + +[ Upstream commit f599c64fdf7d9c108e8717fb04bc41c680120da4 ] + +When a netfront device is set up it registers a netdev fairly early on, +before it has set up the queues and is actually usable. A userspace tool +like NetworkManager will immediately try to open it and access its state +as soon as it appears. The bug can be reproduced by hotplugging VIFs +until the VM runs out of grant refs. It registers the netdev but fails +to set up any queues (since there are no more grant refs). In the +meantime, NetworkManager opens the device and the kernel crashes trying +to access the queues (of which there are none). + +Fix this in two ways: +* For initial setup, register the netdev much later, after the queues +are setup. This avoids the race entirely. +* During a suspend/resume cycle, the frontend reconnects to the backend +and the queues are recreated. It is possible (though highly unlikely) to +race with something opening the device and accessing the queues after +they have been destroyed but before they have been recreated. Extend the +region covered by the rtnl semaphore to protect against this race. There +is a possibility that we fail to recreate the queues so check for this +in the open function. + +Signed-off-by: Ross Lagerwall +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 46 +++++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 22 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -351,6 +351,9 @@ static int xennet_open(struct net_device + unsigned int i = 0; + struct netfront_queue *queue = NULL; + ++ if (!np->queues) ++ return -ENODEV; ++ + for (i = 0; i < num_queues; ++i) { + queue = &np->queues[i]; + napi_enable(&queue->napi); +@@ -1358,18 +1361,8 @@ static int netfront_probe(struct xenbus_ + #ifdef CONFIG_SYSFS + info->netdev->sysfs_groups[0] = &xennet_dev_group; + #endif +- err = register_netdev(info->netdev); +- if (err) { +- pr_warn("%s: register_netdev err=%d\n", __func__, err); +- goto fail; +- } + + return 0; +- +- fail: +- xennet_free_netdev(netdev); +- dev_set_drvdata(&dev->dev, NULL); +- return err; + } + + static void xennet_end_access(int ref, void *page) +@@ -1738,8 +1731,6 @@ static void xennet_destroy_queues(struct + { + unsigned int i; + +- rtnl_lock(); +- + for (i = 0; i < info->netdev->real_num_tx_queues; i++) { + struct netfront_queue *queue = &info->queues[i]; + +@@ -1748,8 +1739,6 @@ static void xennet_destroy_queues(struct + netif_napi_del(&queue->napi); + } + +- rtnl_unlock(); +- + kfree(info->queues); + info->queues = NULL; + } +@@ -1765,8 +1754,6 @@ static int xennet_create_queues(struct n + if (!info->queues) + return -ENOMEM; + +- rtnl_lock(); +- + for (i = 0; i < *num_queues; i++) { + struct netfront_queue *queue = &info->queues[i]; + +@@ -1775,7 +1762,7 @@ static int xennet_create_queues(struct n + + ret = xennet_init_queue(queue); + if (ret < 0) { +- dev_warn(&info->netdev->dev, ++ dev_warn(&info->xbdev->dev, + "only created %d queues\n", i); + *num_queues = i; + break; +@@ -1789,10 +1776,8 @@ static int xennet_create_queues(struct n + + netif_set_real_num_tx_queues(info->netdev, *num_queues); + +- rtnl_unlock(); +- + if (*num_queues == 0) { +- dev_err(&info->netdev->dev, "no queues\n"); ++ dev_err(&info->xbdev->dev, "no queues\n"); + return -EINVAL; + } + return 0; +@@ -1829,6 +1814,7 @@ static int talk_to_netback(struct xenbus + goto out; + } + ++ rtnl_lock(); + if (info->queues) + xennet_destroy_queues(info); + +@@ -1839,6 +1825,7 @@ static int talk_to_netback(struct xenbus + info->queues = NULL; + goto out; + } ++ rtnl_unlock(); + + /* Create shared ring, alloc event channel -- for each queue */ + for (i = 0; i < num_queues; ++i) { +@@ -1935,8 +1922,10 @@ abort_transaction_no_dev_fatal: + xenbus_transaction_end(xbt, 1); + destroy_ring: + xennet_disconnect_backend(info); ++ rtnl_lock(); + xennet_destroy_queues(info); + out: ++ rtnl_unlock(); + device_unregister(&dev->dev); + return err; + } +@@ -1966,6 +1955,15 @@ static int xennet_connect(struct net_dev + netdev_update_features(dev); + rtnl_unlock(); + ++ if (dev->reg_state == NETREG_UNINITIALIZED) { ++ err = register_netdev(dev); ++ if (err) { ++ pr_warn("%s: register_netdev err=%d\n", __func__, err); ++ device_unregister(&np->xbdev->dev); ++ return err; ++ } ++ } ++ + /* + * All public and private state should now be sane. Get + * ready to start sending and receiving packets and give the driver +@@ -2156,10 +2154,14 @@ static int xennet_remove(struct xenbus_d + + xennet_disconnect_backend(info); + +- unregister_netdev(info->netdev); ++ if (info->netdev->reg_state == NETREG_REGISTERED) ++ unregister_netdev(info->netdev); + +- if (info->queues) ++ if (info->queues) { ++ rtnl_lock(); + xennet_destroy_queues(info); ++ rtnl_unlock(); ++ } + xennet_free_netdev(info->netdev); + + return 0; diff --git a/queue-4.14/xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch b/queue-4.14/xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch new file mode 100644 index 00000000000..e5e3e413ffd --- /dev/null +++ b/queue-4.14/xprtrdma-fix-backchannel-allocation-of-extra-rpcrdma_reps.patch @@ -0,0 +1,142 @@ +From foo@baz Tue Apr 24 15:29:20 CEST 2018 +From: Chuck Lever +Date: Thu, 14 Dec 2017 20:56:09 -0500 +Subject: xprtrdma: Fix backchannel allocation of extra rpcrdma_reps + +From: Chuck Lever + + +[ Upstream commit d698c4a02ee02053bbebe051322ff427a2dad56a ] + +The backchannel code uses rpcrdma_recv_buffer_put to add new reps +to the free rep list. This also decrements rb_recv_count, which +spoofs the receive overrun logic in rpcrdma_buffer_get_rep. + +Commit 9b06688bc3b9 ("xprtrdma: Fix additional uses of +spin_lock_irqsave(rb_lock)") replaced the original open-coded +list_add with a call to rpcrdma_recv_buffer_put(), but then a year +later, commit 05c974669ece ("xprtrdma: Fix receive buffer +accounting") added rep accounting to rpcrdma_recv_buffer_put. +It was an oversight to let the backchannel continue to use this +function. + +The fix this, let's combine the "add to free list" logic with +rpcrdma_create_rep. + +Also, do not allocate RPCRDMA_MAX_BC_REQUESTS rpcrdma_reps in +rpcrdma_buffer_create and then allocate additional rpcrdma_reps in +rpcrdma_bc_setup_reps. Allocating the extra reps during backchannel +set-up is sufficient. + +Fixes: 05c974669ece ("xprtrdma: Fix receive buffer accounting") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/backchannel.c | 12 ++---------- + net/sunrpc/xprtrdma/verbs.c | 32 +++++++++++++++++++------------- + net/sunrpc/xprtrdma/xprt_rdma.h | 2 +- + 3 files changed, 22 insertions(+), 24 deletions(-) + +--- a/net/sunrpc/xprtrdma/backchannel.c ++++ b/net/sunrpc/xprtrdma/backchannel.c +@@ -74,21 +74,13 @@ out_fail: + static int rpcrdma_bc_setup_reps(struct rpcrdma_xprt *r_xprt, + unsigned int count) + { +- struct rpcrdma_rep *rep; + int rc = 0; + + while (count--) { +- rep = rpcrdma_create_rep(r_xprt); +- if (IS_ERR(rep)) { +- pr_err("RPC: %s: reply buffer alloc failed\n", +- __func__); +- rc = PTR_ERR(rep); ++ rc = rpcrdma_create_rep(r_xprt); ++ if (rc) + break; +- } +- +- rpcrdma_recv_buffer_put(rep); + } +- + return rc; + } + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -951,10 +951,17 @@ rpcrdma_create_req(struct rpcrdma_xprt * + return req; + } + +-struct rpcrdma_rep * ++/** ++ * rpcrdma_create_rep - Allocate an rpcrdma_rep object ++ * @r_xprt: controlling transport ++ * ++ * Returns 0 on success or a negative errno on failure. ++ */ ++int + rpcrdma_create_rep(struct rpcrdma_xprt *r_xprt) + { + struct rpcrdma_create_data_internal *cdata = &r_xprt->rx_data; ++ struct rpcrdma_buffer *buf = &r_xprt->rx_buf; + struct rpcrdma_rep *rep; + int rc; + +@@ -979,12 +986,18 @@ rpcrdma_create_rep(struct rpcrdma_xprt * + rep->rr_recv_wr.wr_cqe = &rep->rr_cqe; + rep->rr_recv_wr.sg_list = &rep->rr_rdmabuf->rg_iov; + rep->rr_recv_wr.num_sge = 1; +- return rep; ++ ++ spin_lock(&buf->rb_lock); ++ list_add(&rep->rr_list, &buf->rb_recv_bufs); ++ spin_unlock(&buf->rb_lock); ++ return 0; + + out_free: + kfree(rep); + out: +- return ERR_PTR(rc); ++ dprintk("RPC: %s: reply buffer %d alloc failed\n", ++ __func__, rc); ++ return rc; + } + + int +@@ -1027,17 +1040,10 @@ rpcrdma_buffer_create(struct rpcrdma_xpr + } + + INIT_LIST_HEAD(&buf->rb_recv_bufs); +- for (i = 0; i < buf->rb_max_requests + RPCRDMA_MAX_BC_REQUESTS; i++) { +- struct rpcrdma_rep *rep; +- +- rep = rpcrdma_create_rep(r_xprt); +- if (IS_ERR(rep)) { +- dprintk("RPC: %s: reply buffer %d alloc failed\n", +- __func__, i); +- rc = PTR_ERR(rep); ++ for (i = 0; i <= buf->rb_max_requests; i++) { ++ rc = rpcrdma_create_rep(r_xprt); ++ if (rc) + goto out; +- } +- list_add(&rep->rr_list, &buf->rb_recv_bufs); + } + + return 0; +--- a/net/sunrpc/xprtrdma/xprt_rdma.h ++++ b/net/sunrpc/xprtrdma/xprt_rdma.h +@@ -550,8 +550,8 @@ int rpcrdma_ep_post_recv(struct rpcrdma_ + * Buffer calls - xprtrdma/verbs.c + */ + struct rpcrdma_req *rpcrdma_create_req(struct rpcrdma_xprt *); +-struct rpcrdma_rep *rpcrdma_create_rep(struct rpcrdma_xprt *); + void rpcrdma_destroy_req(struct rpcrdma_req *); ++int rpcrdma_create_rep(struct rpcrdma_xprt *r_xprt); + int rpcrdma_buffer_create(struct rpcrdma_xprt *); + void rpcrdma_buffer_destroy(struct rpcrdma_buffer *); + -- 2.47.3