From 96f84f2bcd5e9c882137686ee2e7edcf35a033c2 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 22 Jul 2017 16:16:31 +0200 Subject: [PATCH] 4.9-stable patches added patches: asoc-compress-derive-substream-from-stream-based-on-direction.patch iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch powerpc-fix-emulation-of-mcrf-in-emulate_step.patch powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch powerpc-mm-radix-properly-clear-process-table-entry.patch powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch scsi-add-starget_created_remove-state-to-scsi_target_state.patch scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch xen-scsiback-fix-a-tmr-related-use-after-free.patch --- ...tream-from-stream-based-on-direction.patch | 47 ++++ ...und-attribute-for-non-rfc-initiators.patch | 242 ++++++++++++++++++ ...n-over-modified-list-of-device-links.patch | 43 ++++ ...er-modified-list-of-domain-providers.patch | 40 +++ ...ration-over-modified-list-of-domains.patch | 41 +++ ...omic64_inc_not_zero-to-return-an-int.patch | 59 +++++ ...pc-asm-mark-cr0-as-clobbered-in-mftb.patch | 35 +++ ...ix-emulation-of-mcrf-in-emulate_step.patch | 39 +++ ...-emulation-of-mfocrf-in-emulate_step.patch | 48 ++++ ...x-properly-clear-process-table-entry.patch | 44 ++++ ...f-pp0-in-updatepp-and-updateboltedpp.patch | 71 +++++ ...ed_remove-state-to-scsi_target_state.patch | 133 ++++++++++ ...closure-if-enclosure_add_links-fails.patch | 54 ++++ queue-4.9/series | 14 + ...ack-fix-a-tmr-related-use-after-free.patch | 110 ++++++++ 15 files changed, 1020 insertions(+) create mode 100644 queue-4.9/asoc-compress-derive-substream-from-stream-based-on-direction.patch create 
mode 100644 queue-4.9/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch create mode 100644 queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch create mode 100644 queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch create mode 100644 queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch create mode 100644 queue-4.9/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch create mode 100644 queue-4.9/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch create mode 100644 queue-4.9/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch create mode 100644 queue-4.9/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch create mode 100644 queue-4.9/powerpc-mm-radix-properly-clear-process-table-entry.patch create mode 100644 queue-4.9/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch create mode 100644 queue-4.9/scsi-add-starget_created_remove-state-to-scsi_target_state.patch create mode 100644 queue-4.9/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch create mode 100644 queue-4.9/xen-scsiback-fix-a-tmr-related-use-after-free.patch diff --git a/queue-4.9/asoc-compress-derive-substream-from-stream-based-on-direction.patch b/queue-4.9/asoc-compress-derive-substream-from-stream-based-on-direction.patch new file mode 100644 index 00000000000..2be04cf1ae4 --- /dev/null +++ b/queue-4.9/asoc-compress-derive-substream-from-stream-based-on-direction.patch 
@@ -0,0 +1,47 @@
+From 01b8cedfd0422326caae308641dcadaa85e0ca72 Mon Sep 17 00:00:00 2001
+From: Satish Babu Patakokila
+Date: Fri, 16 Jun 2017 17:33:40 -0700
+Subject: ASoC: compress: Derive substream from stream based on direction
+
+From: Satish Babu Patakokila
+
+commit 01b8cedfd0422326caae308641dcadaa85e0ca72 upstream.
+
+Currently compress driver hardcodes direction as playback to get
+substream from the stream. This results in getting the incorrect
+substream for compressed capture usecase.
+To fix this, remove the hardcoding and derive substream based on
+the stream direction.
+
+Signed-off-by: Satish Babu Patakokila
+Signed-off-by: Banajit Goswami
+Acked-By: Vinod Koul
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-compress.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-compress.c
++++ b/sound/soc/soc-compress.c
+@@ -68,7 +68,8 @@ out:
+ static int soc_compr_open_fe(struct snd_compr_stream *cstream)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ struct snd_soc_dpcm *dpcm;
+ struct snd_soc_dapm_widget_list *list;
+@@ -414,7 +415,8 @@ static int soc_compr_set_params_fe(struc
+ struct snd_compr_params *params)
+ {
+ struct snd_soc_pcm_runtime *fe = cstream->private_data;
+- struct snd_pcm_substream *fe_substream = fe->pcm->streams[0].substream;
++ struct snd_pcm_substream *fe_substream =
++ fe->pcm->streams[cstream->direction].substream;
+ struct snd_soc_platform *platform = fe->platform;
+ int ret = 0, stream;
+
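Review bot: `fe->pcm->streams[cstream->direction].substream` in soc_compr_open_fe() and soc_compr_set_params_fe() uses the compress direction directly as an index into the PCM streams array, and neither hunk shows a bound check or an explicit mapping. That is only correct while the compress direction values stay numerically equal to the PCM playback/capture indices, which is not enforced by anything visible here. I would document the assumption at both sites, for example `/* cstream->direction doubles as the PCM stream index; the two enums must stay in step */`, or map the direction to the PCM index explicitly. Both function bodies continue outside their hunks.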
diff --git a/queue-4.9/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch b/queue-4.9/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
new file mode 100644
index 00000000000..2967a00b239
--- /dev/null
+++ b/queue-4.9/iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
@@ -0,0 +1,242 @@ +From 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Fri, 7 Jul 2017 14:45:49 -0700 +Subject: iscsi-target: Add login_keys_workaround attribute for non RFC initiators + +From: Nicholas Bellinger + +commit 138d351eefb727ab9e41a3dc5f112ceb4f6e59f2 upstream. + +This patch re-introduces part of a long standing login workaround that +was recently dropped by: + + commit 1c99de981f30b3e7868b8d20ce5479fa1c0fea46 + Author: Nicholas Bellinger + Date: Sun Apr 2 13:36:44 2017 -0700 + + iscsi-target: Drop work-around for legacy GlobalSAN initiator + +Namely, the workaround for FirstBurstLength ended up being required by +Mellanox Flexboot PXE boot ROMs as reported by Robert. + +So this patch re-adds the work-around for FirstBurstLength within +iscsi_check_proposer_for_optional_reply(), and makes the key optional +to respond when the initiator does not propose, nor respond to it. + +Also as requested by Arun, this patch introduces a new TPG attribute +named 'login_keys_workaround' that controls the use of both the +FirstBurstLength workaround, as well as the two other existing +workarounds for gPXE iSCSI boot client. + +By default, the workaround is enabled with login_keys_workaround=1, +since Mellanox FlexBoot requires it, and Arun has verified the Qlogic +MSFT initiator already proposes FirstBurstLength, so it's uneffected +by this re-adding this part of the original work-around. 
+ +Reported-by: Robert LeBlanc +Cc: Robert LeBlanc +Reviewed-by: Arun Easi +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_configfs.c | 2 + + drivers/target/iscsi/iscsi_target_nego.c | 6 ++- + drivers/target/iscsi/iscsi_target_parameters.c | 41 +++++++++++++++++-------- + drivers/target/iscsi/iscsi_target_parameters.h | 2 - + drivers/target/iscsi/iscsi_target_tpg.c | 19 +++++++++++ + drivers/target/iscsi/iscsi_target_tpg.h | 1 + include/target/iscsi/iscsi_target_core.h | 9 +++++ + 7 files changed, 64 insertions(+), 16 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -802,6 +802,7 @@ DEF_TPG_ATTRIB(default_erl); + DEF_TPG_ATTRIB(t10_pi); + DEF_TPG_ATTRIB(fabric_prot_type); + DEF_TPG_ATTRIB(tpg_enabled_sendtargets); ++DEF_TPG_ATTRIB(login_keys_workaround); + + static struct configfs_attribute *lio_target_tpg_attrib_attrs[] = { + &iscsi_tpg_attrib_attr_authentication, +@@ -817,6 +818,7 @@ static struct configfs_attribute *lio_ta + &iscsi_tpg_attrib_attr_t10_pi, + &iscsi_tpg_attrib_attr_fabric_prot_type, + &iscsi_tpg_attrib_attr_tpg_enabled_sendtargets, ++ &iscsi_tpg_attrib_attr_login_keys_workaround, + NULL, + }; + +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -819,7 +819,8 @@ static int iscsi_target_handle_csg_zero( + SENDER_TARGET, + login->rsp_buf, + &login->rsp_length, +- conn->param_list); ++ conn->param_list, ++ conn->tpg->tpg_attrib.login_keys_workaround); + if (ret < 0) + return -1; + +@@ -889,7 +890,8 @@ static int iscsi_target_handle_csg_one(s + SENDER_TARGET, + login->rsp_buf, + &login->rsp_length, +- conn->param_list); ++ conn->param_list, ++ conn->tpg->tpg_attrib.login_keys_workaround); + if (ret < 0) { + iscsit_tx_login_rsp(conn, ISCSI_STATUS_CLS_INITIATOR_ERR, + ISCSI_LOGIN_STATUS_INIT_ERR); +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ 
b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -765,7 +765,8 @@ static int iscsi_check_for_auth_key(char + return 0; + } + +-static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param) ++static void iscsi_check_proposer_for_optional_reply(struct iscsi_param *param, ++ bool keys_workaround) + { + if (IS_TYPE_BOOL_AND(param)) { + if (!strcmp(param->value, NO)) +@@ -773,19 +774,31 @@ static void iscsi_check_proposer_for_opt + } else if (IS_TYPE_BOOL_OR(param)) { + if (!strcmp(param->value, YES)) + SET_PSTATE_REPLY_OPTIONAL(param); +- /* +- * Required for gPXE iSCSI boot client +- */ +- if (!strcmp(param->name, IMMEDIATEDATA)) +- SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ if (keys_workaround) { ++ /* ++ * Required for gPXE iSCSI boot client ++ */ ++ if (!strcmp(param->name, IMMEDIATEDATA)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ } + } else if (IS_TYPE_NUMBER(param)) { + if (!strcmp(param->name, MAXRECVDATASEGMENTLENGTH)) + SET_PSTATE_REPLY_OPTIONAL(param); +- /* +- * Required for gPXE iSCSI boot client +- */ +- if (!strcmp(param->name, MAXCONNECTIONS)) +- SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ if (keys_workaround) { ++ /* ++ * Required for Mellanox Flexboot PXE boot ROM ++ */ ++ if (!strcmp(param->name, FIRSTBURSTLENGTH)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ ++ /* ++ * Required for gPXE iSCSI boot client ++ */ ++ if (!strcmp(param->name, MAXCONNECTIONS)) ++ SET_PSTATE_REPLY_OPTIONAL(param); ++ } + } else if (IS_PHASE_DECLARATIVE(param)) + SET_PSTATE_REPLY_OPTIONAL(param); + } +@@ -1422,7 +1435,8 @@ int iscsi_encode_text_output( + u8 sender, + char *textbuf, + u32 *length, +- struct iscsi_param_list *param_list) ++ struct iscsi_param_list *param_list, ++ bool keys_workaround) + { + char *output_buf = NULL; + struct iscsi_extra_response *er; +@@ -1458,7 +1472,8 @@ int iscsi_encode_text_output( + *length += 1; + output_buf = textbuf + *length; + SET_PSTATE_PROPOSER(param); +- iscsi_check_proposer_for_optional_reply(param); ++ 
iscsi_check_proposer_for_optional_reply(param, ++ keys_workaround); + pr_debug("Sending key: %s=%s\n", + param->name, param->value); + } +--- a/drivers/target/iscsi/iscsi_target_parameters.h ++++ b/drivers/target/iscsi/iscsi_target_parameters.h +@@ -40,7 +40,7 @@ extern int iscsi_extract_key_value(char + extern int iscsi_update_param_value(struct iscsi_param *, char *); + extern int iscsi_decode_text_input(u8, u8, char *, u32, struct iscsi_conn *); + extern int iscsi_encode_text_output(u8, u8, char *, u32 *, +- struct iscsi_param_list *); ++ struct iscsi_param_list *, bool); + extern int iscsi_check_negotiated_keys(struct iscsi_param_list *); + extern void iscsi_set_connection_parameters(struct iscsi_conn_ops *, + struct iscsi_param_list *); +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -227,6 +227,7 @@ static void iscsit_set_default_tpg_attri + a->t10_pi = TA_DEFAULT_T10_PI; + a->fabric_prot_type = TA_DEFAULT_FABRIC_PROT_TYPE; + a->tpg_enabled_sendtargets = TA_DEFAULT_TPG_ENABLED_SENDTARGETS; ++ a->login_keys_workaround = TA_DEFAULT_LOGIN_KEYS_WORKAROUND; + } + + int iscsit_tpg_add_portal_group(struct iscsi_tiqn *tiqn, struct iscsi_portal_group *tpg) +@@ -899,3 +900,21 @@ int iscsit_ta_tpg_enabled_sendtargets( + + return 0; + } ++ ++int iscsit_ta_login_keys_workaround( ++ struct iscsi_portal_group *tpg, ++ u32 flag) ++{ ++ struct iscsi_tpg_attrib *a = &tpg->tpg_attrib; ++ ++ if ((flag != 0) && (flag != 1)) { ++ pr_err("Illegal value %d\n", flag); ++ return -EINVAL; ++ } ++ ++ a->login_keys_workaround = flag; ++ pr_debug("iSCSI_TPG[%hu] - TPG enabled bit for login keys workaround: %s ", ++ tpg->tpgt, (a->login_keys_workaround) ? 
"ON" : "OFF"); ++ ++ return 0; ++} +--- a/drivers/target/iscsi/iscsi_target_tpg.h ++++ b/drivers/target/iscsi/iscsi_target_tpg.h +@@ -39,5 +39,6 @@ extern int iscsit_ta_default_erl(struct + extern int iscsit_ta_t10_pi(struct iscsi_portal_group *, u32); + extern int iscsit_ta_fabric_prot_type(struct iscsi_portal_group *, u32); + extern int iscsit_ta_tpg_enabled_sendtargets(struct iscsi_portal_group *, u32); ++extern int iscsit_ta_login_keys_workaround(struct iscsi_portal_group *, u32); + + #endif /* ISCSI_TARGET_TPG_H */ +--- a/include/target/iscsi/iscsi_target_core.h ++++ b/include/target/iscsi/iscsi_target_core.h +@@ -64,6 +64,14 @@ + #define TA_DEFAULT_FABRIC_PROT_TYPE 0 + /* TPG status needs to be enabled to return sendtargets discovery endpoint info */ + #define TA_DEFAULT_TPG_ENABLED_SENDTARGETS 1 ++/* ++ * Used to control the sending of keys with optional to respond state bit, ++ * as a workaround for non RFC compliant initiators,that do not propose, ++ * nor respond to specific keys required for login to complete. ++ * ++ * See iscsi_check_proposer_for_optional_reply() for more details. ++ */ ++#define TA_DEFAULT_LOGIN_KEYS_WORKAROUND 1 + + #define ISCSI_IOV_DATA_BUFFER 5 + +@@ -766,6 +774,7 @@ struct iscsi_tpg_attrib { + u8 t10_pi; + u32 fabric_prot_type; + u32 tpg_enabled_sendtargets; ++ u32 login_keys_workaround; + struct iscsi_portal_group *tpg; + }; + diff --git a/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch new file mode 100644 index 00000000000..9e681143229 --- /dev/null +++ b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch 
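Review bot: In the new iscsit_ta_login_keys_workaround(), `pr_err("Illegal value %d\n", flag);` prints a `u32` with a signed conversion, and the `pr_debug` format string ends in `%s ` with no newline, so the record can run into the next log message. I would use `pr_err("Illegal value %u\n", flag);` and end the debug format with `%s\n`. Separately, TA_DEFAULT_LOGIN_KEYS_WORKAROUND is 1, so every TPG treats replies to ImmediateData, FirstBurstLength and MaxConnections as optional until an administrator clears the attribute. The comment above the define should state that writing 0 disables all three relaxations, so operators with only compliant initiators know how to return to the stricter login check.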
@@ -0,0 +1,43 @@
+From c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 28 Jun 2017 16:56:18 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of device links
+
+From: Krzysztof Kozlowski
+
+commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream.
+
+pm_genpd_remove_subdomain() iterates over domain's master_links list and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)")
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1244,7 +1244,7 @@ EXPORT_SYMBOL_GPL(pm_genpd_add_subdomain
+ int pm_genpd_remove_subdomain(struct generic_pm_domain *genpd,
+ struct generic_pm_domain *subdomain)
+ {
+- struct gpd_link *link;
++ struct gpd_link *l, *link;
+ int ret = -EINVAL;
+
+ if (IS_ERR_OR_NULL(genpd) || IS_ERR_OR_NULL(subdomain))
+@@ -1260,7 +1260,7 @@ int pm_genpd_remove_subdomain(struct gen
+ goto out;
+ }
+
+- list_for_each_entry(link, &genpd->master_links, master_node) {
++ list_for_each_entry_safe(link, l, &genpd->master_links, master_node) {
+ if (link->slave != subdomain)
+ continue;
+
diff --git a/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch
new file mode 100644
index 00000000000..2335fb48f91
--- /dev/null
+++ b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch
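Review bot: The switch to `list_for_each_entry_safe()` in pm_genpd_remove_subdomain() carries no comment saying why the safe variant is needed, and the same is true of the matching changes to of_genpd_del_provider() and of_genpd_remove_last() in the next two patches. A one-line comment above each loop, such as `/* _safe: the matching entry is unlinked inside the loop body */`, would stop a later cleanup from reverting to the plain iterator and reintroducing a walk through a removed node. The cursor here is also named `l`, which is easy to misread as `1`; the sibling patches use `tmp`, so `struct gpd_link *link, *tmp;` would be consistent. The safe iterator only tolerates removal by this loop itself, and the locking that excludes other writers is outside this hunk.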
@@ -0,0 +1,40 @@
+From b556b15dc04e9b9b98790f04c21acf5e24f994b2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 28 Jun 2017 16:56:19 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domain providers
+
+From: Krzysztof Kozlowski
+
+commit b556b15dc04e9b9b98790f04c21acf5e24f994b2 upstream.
+
+of_genpd_del_provider() iterates over list of domain provides and
+removes matching element thus it has to use safe version of list
+iteration.
+
+Fixes: aa42240ab254 (PM / Domains: Add generic OF-based PM domain look-up)
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1607,12 +1607,12 @@ EXPORT_SYMBOL_GPL(of_genpd_add_provider_
+ */
+ void of_genpd_del_provider(struct device_node *np)
+ {
+- struct of_genpd_provider *cp;
++ struct of_genpd_provider *cp, *tmp;
+ struct generic_pm_domain *gpd;
+
+ mutex_lock(&gpd_list_lock);
+ mutex_lock(&of_genpd_mutex);
+- list_for_each_entry(cp, &of_genpd_providers, link) {
++ list_for_each_entry_safe(cp, tmp, &of_genpd_providers, link) {
+ if (cp->node == np) {
+ /*
+ * For each PM domain associated with the
diff --git a/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch
new file mode 100644
index 00000000000..fbb864d0f88
--- /dev/null
+++ b/queue-4.9/pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch
@@ -0,0 +1,41 @@
+From a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 28 Jun 2017 16:56:20 +0200
+Subject: PM / Domains: Fix unsafe iteration over modified list of domains
+
+From: Krzysztof Kozlowski
+
+commit a7e2d1bce4c1db471f1cbc0c4666a3112bbf0994 upstream.
+
+of_genpd_remove_last() iterates over list of domains and removes
+matching element thus it has to use safe version of list iteration.
+
+Fixes: 17926551c98a (PM / Domains: Add support for removing nested PM domains by provider)
+Signed-off-by: Krzysztof Kozlowski
+Acked-by: Ulf Hansson
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/power/domain.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/power/domain.c
++++ b/drivers/base/power/domain.c
+@@ -1752,14 +1752,14 @@ EXPORT_SYMBOL_GPL(of_genpd_add_subdomain
+ */
+ struct generic_pm_domain *of_genpd_remove_last(struct device_node *np)
+ {
+- struct generic_pm_domain *gpd, *genpd = ERR_PTR(-ENOENT);
++ struct generic_pm_domain *gpd, *tmp, *genpd = ERR_PTR(-ENOENT);
+ int ret;
+
+ if (IS_ERR_OR_NULL(np))
+ return ERR_PTR(-EINVAL);
+
+ mutex_lock(&gpd_list_lock);
+- list_for_each_entry(gpd, &gpd_list, gpd_list_node) {
++ list_for_each_entry_safe(gpd, tmp, &gpd_list, gpd_list_node) {
+ if (gpd->provider == &np->fwnode) {
+ ret = genpd_remove(gpd);
+ genpd = ret ? ERR_PTR(ret) : gpd;
diff --git a/queue-4.9/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch b/queue-4.9/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch
new file mode 100644
index 00000000000..8589c52cf41
--- /dev/null
+++ b/queue-4.9/powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch
@@ -0,0 +1,59 @@ +From 01e6a61aceb82e13bec29502a8eb70d9574f97ad Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 11 Jul 2017 22:10:54 +1000 +Subject: powerpc/64: Fix atomic64_inc_not_zero() to return an int + +From: Michael Ellerman + +commit 01e6a61aceb82e13bec29502a8eb70d9574f97ad upstream. + +Although it's not documented anywhere, there is an expectation that +atomic64_inc_not_zero() returns a result which fits in an int. This is +the behaviour implemented on all arches except powerpc. + +This has caused at least one bug in practice, in the percpu-refcount +code, where the long result from our atomic64_inc_not_zero() was +truncated to an int leading to lost references and stuck systems. That +was worked around in that code in commit 966d2b04e070 ("percpu-refcount: +fix reference leak during percpu-atomic transition"). + +To the best of my grepping abilities there are no other callers +in-tree which truncate the value, but we should fix it anyway. Because +the breakage is subtle and potentially very harmful I'm also tagging +it for stable. + +Code generation is largely unaffected because in most cases the +callers are just using the result for a test anyway. In particular the +case of fget() that was mentioned in commit a6cf7ed5119f +("powerpc/atomic: Implement atomic*_inc_not_zero") generates exactly +the same code. + +Fixes: a6cf7ed5119f ("powerpc/atomic: Implement atomic*_inc_not_zero") +Noticed-by: Linus Torvalds +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/atomic.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/atomic.h ++++ b/arch/powerpc/include/asm/atomic.h +@@ -560,7 +560,7 @@ static __inline__ int atomic64_add_unles + * Atomically increments @v by 1, so long as @v is non-zero. + * Returns non-zero if @v was non-zero, and zero otherwise. 
+ */ +-static __inline__ long atomic64_inc_not_zero(atomic64_t *v) ++static __inline__ int atomic64_inc_not_zero(atomic64_t *v) + { + long t1, t2; + +@@ -579,7 +579,7 @@ static __inline__ long atomic64_inc_not_ + : "r" (&v->counter) + : "cc", "xer", "memory"); + +- return t1; ++ return t1 != 0; + } + + #endif /* __powerpc64__ */ diff --git a/queue-4.9/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch b/queue-4.9/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch new file mode 100644 index 00000000000..5ae4a15422a --- /dev/null +++ b/queue-4.9/powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch @@ -0,0 +1,35 @@ +From 2400fd822f467cb4c886c879d8ad99feac9cf319 Mon Sep 17 00:00:00 2001 +From: Oliver O'Halloran +Date: Thu, 6 Jul 2017 18:46:43 +1000 +Subject: powerpc/asm: Mark cr0 as clobbered in mftb() + +From: Oliver O'Halloran + +commit 2400fd822f467cb4c886c879d8ad99feac9cf319 upstream. + +The workaround for the CELL timebase bug does not correctly mark cr0 as +being clobbered. This means GCC doesn't know that the asm block changes cr0 and +might leave the result of an unrelated comparison in cr0 across the block, which +we then trash, leading to basically random behaviour. + +Fixes: 859deea949c3 ("[POWERPC] Cell timebase bug workaround") +Signed-off-by: Oliver O'Halloran +[mpe: Tweak change log and flag for stable] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -1283,7 +1283,7 @@ static inline void msr_check_and_clear(u + " .llong 0\n" \ + ".previous" \ + : "=r" (rval) \ +- : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL)); \ ++ : "i" (CPU_FTR_CELL_TB_BUG), "i" (SPRN_TBRL) : "cr0"); \ + rval;}) + #else + #define mftb() ({unsigned long rval; \ 
diff --git a/queue-4.9/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch b/queue-4.9/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch
new file mode 100644
index 00000000000..0b5e0f5f36e
--- /dev/null
+++ b/queue-4.9/powerpc-fix-emulation-of-mcrf-in-emulate_step.patch
@@ -0,0 +1,39 @@
+From 87c4b83e0fe234a1f0eed131ab6fa232036860d5 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Thu, 15 Jun 2017 09:46:38 +1000
+Subject: powerpc: Fix emulation of mcrf in emulate_step()
+
+From: Anton Blanchard
+
+commit 87c4b83e0fe234a1f0eed131ab6fa232036860d5 upstream.
+
+The mcrf emulation code was using the CR field number directly as the shift
+value, without taking into account that CR fields are numbered from 0-7 starting
+at the high bits. That meant it was looking at the CR fields in the reverse
+order.
+
+Fixes: cf87c3f6b647 ("powerpc: Emulate icbi, mcrf and conditional-trap instructions")
+Signed-off-by: Anton Blanchard
+Acked-by: Naveen N. Rao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/lib/sstep.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -687,8 +687,10 @@ int __kprobes analyse_instr(struct instr
+ case 19:
+ switch ((instr >> 1) & 0x3ff) {
+ case 0: /* mcrf */
+- rd = (instr >> 21) & 0x1c;
+- ra = (instr >> 16) & 0x1c;
++ rd = 7 - ((instr >> 23) & 0x7);
++ ra = 7 - ((instr >> 18) & 0x7);
++ rd *= 4;
++ ra *= 4;
+ val = (regs->ccr >> ra) & 0xf;
+ regs->ccr = (regs->ccr & ~(0xfUL << rd)) | (val << rd);
+ goto instr_done;
diff --git a/queue-4.9/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch b/queue-4.9/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch
new file mode 100644
index 00000000000..ac2cc7f105b
--- /dev/null
+++ b/queue-4.9/powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch
@@ -0,0 +1,48 @@
+From 64e756c55aa46fc18fd53e8f3598b73b528d8637 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Thu, 15 Jun 2017 09:46:39 +1000
+Subject: powerpc: Fix emulation of mfocrf in emulate_step()
+
+From: Anton Blanchard
+
+commit 64e756c55aa46fc18fd53e8f3598b73b528d8637 upstream.
+
+From POWER4 onwards, mfocrf() only places the specified CR field into
+the destination GPR, and the rest of it is set to 0. The PowerPC AS
+from version 3.0 now requires this behaviour.
+
+The emulation code currently puts the entire CR into the destination GPR.
+Fix it.
+
+Fixes: 6888199f7fe5 ("[POWERPC] Emulate more instructions in software")
+Signed-off-by: Anton Blanchard
+Acked-by: Naveen N. Rao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/lib/sstep.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/powerpc/lib/sstep.c
++++ b/arch/powerpc/lib/sstep.c
+@@ -970,6 +970,19 @@ int __kprobes analyse_instr(struct instr
+ #endif
+
+ case 19: /* mfcr */
++ if ((instr >> 20) & 1) {
++ imm = 0xf0000000UL;
++ for (sh = 0; sh < 8; ++sh) {
++ if (instr & (0x80000 >> sh)) {
++ regs->gpr[rd] = regs->ccr & imm;
++ break;
++ }
++ imm >>= 4;
++ }
++
++ goto instr_done;
++ }
++
+ regs->gpr[rd] = regs->ccr;
+ regs->gpr[rd] &= 0xffffffffUL;
+ goto instr_done;
diff --git a/queue-4.9/powerpc-mm-radix-properly-clear-process-table-entry.patch b/queue-4.9/powerpc-mm-radix-properly-clear-process-table-entry.patch
new file mode 100644
index 00000000000..9e44e7d823f
--- /dev/null
+++ b/queue-4.9/powerpc-mm-radix-properly-clear-process-table-entry.patch
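Review bot: In the new mfocrf branch, `regs->gpr[rd]` is assigned only inside the `for` loop, so an instruction word with bit 20 set and none of the eight field-mask bits set reaches `goto instr_done` with the destination register left at its previous value. When several mask bits are set, only the first match (the lowest-numbered CR field) is copied. If both outcomes are intended, a comment above the loop should say so, for example `/* exactly one FXM bit expected; none set leaves rd unchanged, several set takes the first */`; otherwise initialise `regs->gpr[rd]` before the loop. The branch also has no comment marking it as the mfocrf form of the instruction, while the case label still reads `/* mfcr */`. analyse_instr() starts and ends outside this hunk.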
@@ -0,0 +1,44 @@
+From c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Sat, 8 Jul 2017 07:45:32 -0500
+Subject: powerpc/mm/radix: Properly clear process table entry
+
+From: Benjamin Herrenschmidt
+
+commit c6bb0b8d426a8cf865ca9c8a532cc3a2927cfceb upstream.
+
+On radix, the process table entry we want to clear when destroying a
+context is entry 0, not entry 1. This has no *immediate* consequence
+on Power9, but it can cause other bugs to become worse.
+
+Fixes: 7e381c0ff618 ("powerpc/mm/radix: Add mmu context handling callback for radix")
+Signed-off-by: Benjamin Herrenschmidt
+Reviewed-by: Aneesh Kumar K.V
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/mm/mmu_context_book3s64.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/mm/mmu_context_book3s64.c
++++ b/arch/powerpc/mm/mmu_context_book3s64.c
+@@ -167,9 +167,15 @@ void destroy_context(struct mm_struct *m
+ mm->context.cop_lockp = NULL;
+ #endif /* CONFIG_PPC_ICSWX */
+
+- if (radix_enabled())
+- process_tb[mm->context.id].prtb1 = 0;
+- else
++ if (radix_enabled()) {
++ /*
++ * Radix doesn't have a valid bit in the process table
++ * entries. However we know that at least P9 implementation
++ * will avoid caching an entry with an invalid RTS field,
++ * and 0 is invalid. So this will do.
++ */
++ process_tb[mm->context.id].prtb0 = 0;
++ } else
+ subpage_prot_free(mm);
+ destroy_pagetable_page(mm);
+ __destroy_context(mm->context.id);
diff --git a/queue-4.9/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch b/queue-4.9/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch
new file mode 100644
index 00000000000..8c909379350
--- /dev/null
+++ b/queue-4.9/powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch
@@ -0,0 +1,71 @@
+From e71ff982ae4c17d176e9f0132157d54973788377 Mon Sep 17 00:00:00 2001
+From: Balbir Singh
+Date: Thu, 29 Jun 2017 03:04:07 +1000
+Subject: powerpc/pseries: Fix passing of pp0 in updatepp() and updateboltedpp()
+
+From: Balbir Singh
+
+commit e71ff982ae4c17d176e9f0132157d54973788377 upstream.
+
+Once upon a time there were only two PP (page protection) bits. In ISA
+2.03 an additional PP bit was added, but because of the layout of the
+HPTE it could not be made contiguous with the existing PP bits.
+
+The result is that we now have three PP bits, named pp0, pp1, pp2,
+where pp0 occupies bit 63 of dword 1 of the HPTE and pp1 and pp2
+occupy bits 1 and 0 respectively. Until recently Linux hasn't used
+pp0, however with the addition of _PAGE_KERNEL_RO we started using it.
+
+The problem arises in the LPAR code, where we need to translate the PP
+bits into the argument for the H_PROTECT hypercall. Currently the code
+only passes bits 0-2 of newpp, which covers pp1, pp2 and N (no
+execute), meaning pp0 is not passed to the hypervisor at all.
+
+We can't simply pass it through in bit 63, as that would collide with a
+different field in the flags argument, as defined in PAPR. Instead we
+have to shift it down to bit 8 (IBM bit 55).
+
+Fixes: e58e87adc8bf ("powerpc/mm: Update _PAGE_KERNEL_RO")
+Signed-off-by: Balbir Singh
+[mpe: Simplify the test, rework change log]
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/pseries/lpar.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/pseries/lpar.c
++++ b/arch/powerpc/platforms/pseries/lpar.c
+@@ -279,7 +279,7 @@ static long pSeries_lpar_hpte_updatepp(u
+ int ssize, unsigned long inv_flags)
+ {
+ unsigned long lpar_rc;
+- unsigned long flags = (newpp & 7) | H_AVPN;
++ unsigned long flags;
+ unsigned long want_v;
+
+ want_v = hpte_encode_avpn(vpn, psize, ssize);
+@@ -287,6 +287,11 @@ static long pSeries_lpar_hpte_updatepp(u
+ pr_devel(" update: avpnv=%016lx, hash=%016lx, f=%lx, psize: %d ...",
+ want_v, slot, flags, psize);
+
++ flags = (newpp & 7) | H_AVPN;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, want_v);
+
+ if (lpar_rc == H_NOT_FOUND) {
+@@ -358,6 +363,10 @@ static void pSeries_lpar_hpte_updatebolt
+ BUG_ON(slot == -1);
+
+ flags = newpp & 7;
++ if (mmu_has_feature(MMU_FTR_KERNEL_RO))
++ /* Move pp0 into bit 8 (IBM 55) */
++ flags |= (newpp & HPTE_R_PP0) >> 55;
++
+ lpar_rc = plpar_pte_protect(flags, slot, 0);
+
+ BUG_ON(lpar_rc != H_SUCCESS);
diff --git a/queue-4.9/scsi-add-starget_created_remove-state-to-scsi_target_state.patch b/queue-4.9/scsi-add-starget_created_remove-state-to-scsi_target_state.patch
new file mode 100644
index 00000000000..bdc1cc05637
--- /dev/null
+++ b/queue-4.9/scsi-add-starget_created_remove-state-to-scsi_target_state.patch
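Review bot: pSeries_lpar_hpte_updatepp() now reads `flags` before it is assigned. The first hunk drops the initializer from the declaration, but the `pr_devel(...)` context line that prints `flags` still sits above the new `flags = (newpp & 7) | H_AVPN;` in the second hunk. With debug output enabled this logs an indeterminate value instead of the flags about to be passed to the hypervisor, and compilers may warn about the uninitialised read. Move the assignment and the pp0 fix-up above the `pr_devel`, or keep `unsigned long flags = (newpp & 7) | H_AVPN;` on the declaration and leave only the `flags |= (newpp & HPTE_R_PP0) >> 55;` step below. In both functions the unbraced `if` has a comment between the condition and its single statement, and braces there would guard against a later line being added outside the condition.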
@@ -0,0 +1,133 @@
+From f9279c968c257ee39b0d7bd2571a4d231a67bcc1 Mon Sep 17 00:00:00 2001
+From: "Ewan D. Milne"
+Date: Tue, 27 Jun 2017 14:55:58 -0400
+Subject: scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
+
+From: Ewan D. Milne
+
+commit f9279c968c257ee39b0d7bd2571a4d231a67bcc1 upstream.
+
+The addition of the STARGET_REMOVE state had the side effect of
+introducing a race condition that can cause a crash.
+
+scsi_target_reap_ref_release() checks the starget->state to
+see if it still in STARGET_CREATED, and if so, skips calling
+transport_remove_device() and device_del(), because the starget->state
+is only set to STARGET_RUNNING after scsi_target_add() has called
+device_add() and transport_add_device().
+
+However, if an rport loss occurs while a target is being scanned,
+it can happen that scsi_remove_target() will be called while the
+starget is still in the STARGET_CREATED state. In this case, the
+starget->state will be set to STARGET_REMOVE, and as a result,
+scsi_target_reap_ref_release() will take the wrong path. The end
+result is a panic:
+
+[ 1255.356653] Oops: 0000 [#1] SMP
+[ 1255.360154] Modules linked in: x86_pkg_temp_thermal kvm_intel kvm irqbypass crc32c_intel ghash_clmulni_i
+[ 1255.393234] CPU: 5 PID: 149 Comm: kworker/u96:4 Tainted: G W 4.11.0+ #8
+[ 1255.401879] Hardware name: Dell Inc.
PowerEdge R320/08VT7V, BIOS 2.0.22 11/19/2013
+[ 1255.410327] Workqueue: scsi_wq_6 fc_scsi_scan_rport [scsi_transport_fc]
+[ 1255.417720] task: ffff88060ca8c8c0 task.stack: ffffc900048a8000
+[ 1255.424331] RIP: 0010:kernfs_find_ns+0x13/0xc0
+[ 1255.429287] RSP: 0018:ffffc900048abbf0 EFLAGS: 00010246
+[ 1255.435123] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+[ 1255.443083] RDX: 0000000000000000 RSI: ffffffff8188d659 RDI: 0000000000000000
+[ 1255.451043] RBP: ffffc900048abc10 R08: 0000000000000000 R09: 0000012433fe0025
+[ 1255.459005] R10: 0000000025e5a4b5 R11: 0000000025e5a4b5 R12: ffffffff8188d659
+[ 1255.466972] R13: 0000000000000000 R14: ffff8805f55e5088 R15: 0000000000000000
+[ 1255.474931] FS: 0000000000000000(0000) GS:ffff880616b40000(0000) knlGS:0000000000000000
+[ 1255.483959] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 1255.490370] CR2: 0000000000000068 CR3: 0000000001c09000 CR4: 00000000000406e0
+[ 1255.498332] Call Trace:
+[ 1255.501058] kernfs_find_and_get_ns+0x31/0x60
+[ 1255.505916] sysfs_unmerge_group+0x1d/0x60
+[ 1255.510498] dpm_sysfs_remove+0x22/0x60
+[ 1255.514783] device_del+0xf4/0x2e0
+[ 1255.518577] ? device_remove_file+0x19/0x20
+[ 1255.523241] attribute_container_class_device_del+0x1a/0x20
+[ 1255.529457] transport_remove_classdev+0x4e/0x60
+[ 1255.534607] ? transport_add_class_device+0x40/0x40
+[ 1255.540046] attribute_container_device_trigger+0xb0/0xc0
+[ 1255.546069] transport_remove_device+0x15/0x20
+[ 1255.551025] scsi_target_reap_ref_release+0x25/0x40
+[ 1255.556467] scsi_target_reap+0x2e/0x40
+[ 1255.560744] __scsi_scan_target+0xaa/0x5b0
+[ 1255.565312] scsi_scan_target+0xec/0x100
+[ 1255.569689] fc_scsi_scan_rport+0xb1/0xc0 [scsi_transport_fc]
+[ 1255.576099] process_one_work+0x14b/0x390
+[ 1255.580569] worker_thread+0x4b/0x390
+[ 1255.584651] kthread+0x109/0x140
+[ 1255.588251] ? rescuer_thread+0x330/0x330
+[ 1255.592730] ?
kthread_park+0x60/0x60
+[ 1255.596815] ret_from_fork+0x29/0x40
+[ 1255.600801] Code: 24 08 48 83 42 40 01 5b 41 5c 5d c3 66 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90
+[ 1255.621876] RIP: kernfs_find_ns+0x13/0xc0 RSP: ffffc900048abbf0
+[ 1255.628479] CR2: 0000000000000068
+[ 1255.632756] ---[ end trace 34a69ba0477d036f ]---
+
+Fix this by adding another scsi_target state STARGET_CREATED_REMOVE
+to distinguish this case.
+
+Fixes: f05795d3d771 ("scsi: Add intermediate STARGET_REMOVE state to scsi_target_state")
+Reported-by: David Jeffery
+Signed-off-by: Ewan D. Milne
+Reviewed-by: Laurence Oberman
+Tested-by: Laurence Oberman
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_scan.c | 5 +++--
+ drivers/scsi/scsi_sysfs.c | 8 ++++++--
+ include/scsi/scsi_device.h | 1 +
+ 3 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/scsi_scan.c
++++ b/drivers/scsi/scsi_scan.c
+@@ -384,11 +384,12 @@ static void scsi_target_reap_ref_release
+ = container_of(kref, struct scsi_target, reap_ref);
+
+ /*
+- * if we get here and the target is still in the CREATED state that
++ * if we get here and the target is still in a CREATED state that
+ * means it was allocated but never made visible (because a scan
+ * turned up no LUNs), so don't call device_del() on it.
+ */
+- if (starget->state != STARGET_CREATED) {
++ if ((starget->state != STARGET_CREATED) &&
++ (starget->state != STARGET_CREATED_REMOVE)) {
+ transport_remove_device(&starget->dev);
+ device_del(&starget->dev);
+ }
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -1370,11 +1370,15 @@ restart:
+ spin_lock_irqsave(shost->host_lock, flags);
+ list_for_each_entry(starget, &shost->__targets, siblings) {
+ if (starget->state == STARGET_DEL ||
+- starget->state == STARGET_REMOVE)
++ starget->state == STARGET_REMOVE ||
++ starget->state == STARGET_CREATED_REMOVE)
+ continue;
+ if (starget->dev.parent == dev || &starget->dev == dev) {
+ kref_get(&starget->reap_ref);
+- starget->state = STARGET_REMOVE;
++ if (starget->state == STARGET_CREATED)
++ starget->state = STARGET_CREATED_REMOVE;
++ else
++ starget->state = STARGET_REMOVE;
+ spin_unlock_irqrestore(shost->host_lock, flags);
+ __scsi_remove_target(starget);
+ scsi_target_reap(starget);
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -248,6 +248,7 @@ enum scsi_target_state {
+ STARGET_CREATED = 1,
+ STARGET_RUNNING,
+ STARGET_REMOVE,
++ STARGET_CREATED_REMOVE,
+ STARGET_DEL,
+ };
+
diff --git a/queue-4.9/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch b/queue-4.9/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch
new file mode 100644
index 00000000000..83ec194ba04
--- /dev/null
+++ b/queue-4.9/scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch
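Review bot: The comment above the state test in `scsi_target_reap_ref_release()` still gives "a scan turned up no LUNs" as the only reason a target was never made visible, but the new `STARGET_CREATED_REMOVE` case is reached when `scsi_remove_target()` runs while the scan is still in progress. I would extend the parenthetical to `(because a scan turned up no LUNs, or the target was removed while still being scanned)` and document the new enumerator in `scsi_device.h` with `/* removed while still in STARGET_CREATED */`. The enumerator is inserted before `STARGET_DEL`, which changes that constant's numeric value. Nothing in these hunks relies on the values, but code outside them that compares or stores states numerically should be checked.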
@@ -0,0 +1,54 @@
+From 62e62ffd95539b9220894a7900a619e0f3ef4756 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi
+Date: Tue, 27 Jun 2017 11:53:27 +0200
+Subject: scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.
+
+From: Maurizio Lombardi
+
+commit 62e62ffd95539b9220894a7900a619e0f3ef4756 upstream.
+
+The enclosure_add_device() function should fail if it can't create the
+relevant sysfs links.
+
+Signed-off-by: Maurizio Lombardi
+Tested-by: Douglas Miller
+Acked-by: James Bottomley
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/misc/enclosure.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/enclosure.c
++++ b/drivers/misc/enclosure.c
+@@ -375,6 +375,7 @@ int enclosure_add_device(struct enclosur
+ struct device *dev)
+ {
+ struct enclosure_component *cdev;
++ int err;
+
+ if (!edev || component >= edev->components)
+ return -EINVAL;
+@@ -384,12 +385,17 @@ int enclosure_add_device(struct enclosur
+ if (cdev->dev == dev)
+ return -EEXIST;
+
+- if (cdev->dev)
++ if (cdev->dev) {
+ enclosure_remove_links(cdev);
+-
+- put_device(cdev->dev);
++ put_device(cdev->dev);
++ }
+ cdev->dev = get_device(dev);
+- return enclosure_add_links(cdev);
++ err = enclosure_add_links(cdev);
++ if (err) {
++ put_device(cdev->dev);
++ cdev->dev = NULL;
++ }
++ return err;
+ }
+ EXPORT_SYMBOL_GPL(enclosure_add_device);
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 225f9f7491c..c491a2a13b5 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
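Review bot: When `enclosure_add_links()` fails, the new error path in `enclosure_add_device()` leaves the component with `cdev->dev = NULL` even if it held a different device on entry, because the old links and reference are dropped before the new ones are attempted. That may be the intended outcome, but callers only see the error code, so the error path deserves a comment such as `/* on failure the component is left unbound; the previous device is not restored */`. Whether `enclosure_add_links()` removes a partially created link itself is outside the hunk and should be confirmed, since this path does not call `enclosure_remove_links()`.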
@@ -27,3 +27,17 @@ bluetooth-use-constant-time-memory-comparison-for-secret-values.patch
 wlcore-fix-64k-page-support.patch
 btrfs-don-t-clear-sgid-when-inheriting-acls.patch
 igb-explicitly-select-page-0-at-initialization.patch
+asoc-compress-derive-substream-from-stream-based-on-direction.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-device-links.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domain-providers.patch
+pm-domains-fix-unsafe-iteration-over-modified-list-of-domains.patch
+scsi-ses-do-not-add-a-device-to-an-enclosure-if-enclosure_add_links-fails.patch
+scsi-add-starget_created_remove-state-to-scsi_target_state.patch
+iscsi-target-add-login_keys_workaround-attribute-for-non-rfc-initiators.patch
+xen-scsiback-fix-a-tmr-related-use-after-free.patch
+powerpc-pseries-fix-passing-of-pp0-in-updatepp-and-updateboltedpp.patch
+powerpc-64-fix-atomic64_inc_not_zero-to-return-an-int.patch
+powerpc-fix-emulation-of-mcrf-in-emulate_step.patch
+powerpc-fix-emulation-of-mfocrf-in-emulate_step.patch
+powerpc-asm-mark-cr0-as-clobbered-in-mftb.patch
+powerpc-mm-radix-properly-clear-process-table-entry.patch
diff --git a/queue-4.9/xen-scsiback-fix-a-tmr-related-use-after-free.patch b/queue-4.9/xen-scsiback-fix-a-tmr-related-use-after-free.patch
new file mode 100644
index 00000000000..364fa785976
--- /dev/null
+++ b/queue-4.9/xen-scsiback-fix-a-tmr-related-use-after-free.patch
@@ -0,0 +1,110 @@
+From 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Tue, 23 May 2017 16:48:36 -0700
+Subject: xen/scsiback: Fix a TMR related use-after-free
+
+From: Bart Van Assche
+
+commit 9f4ab18ac51dc87345a9cbd2527e6acf7a0a9335 upstream.
+
+scsiback_release_cmd() must not dereference se_cmd->se_tmr_req
+because that memory is freed by target_free_cmd_mem() before
+scsiback_release_cmd() is called. Fix this use-after-free by
+inlining struct scsiback_tmr into struct vscsibk_pend.
+
+Signed-off-by: Bart Van Assche
+Reviewed-by: Juergen Gross
+Cc: Christoph Hellwig
+Cc: Hannes Reinecke
+Cc: David Disseldorp
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/xen-scsiback.c | 33 +++++++++------------------------
+ 1 file changed, 9 insertions(+), 24 deletions(-)
+
+--- a/drivers/xen/xen-scsiback.c
++++ b/drivers/xen/xen-scsiback.c
+@@ -134,9 +134,7 @@ struct vscsibk_pend {
+ struct page *pages[VSCSI_MAX_GRANTS];
+
+ struct se_cmd se_cmd;
+-};
+
+-struct scsiback_tmr {
+ atomic_t tmr_complete;
+ wait_queue_head_t tmr_wait;
+ };
+@@ -599,26 +597,20 @@ static void scsiback_device_action(struc
+ struct scsiback_tpg *tpg = pending_req->v2p->tpg;
+ struct scsiback_nexus *nexus = tpg->tpg_nexus;
+ struct se_cmd *se_cmd = &pending_req->se_cmd;
+- struct scsiback_tmr *tmr;
+ u64 unpacked_lun = pending_req->v2p->lun;
+ int rc, err = FAILED;
+
+- tmr = kzalloc(sizeof(struct scsiback_tmr), GFP_KERNEL);
+- if (!tmr) {
+- target_put_sess_cmd(se_cmd);
+- goto err;
+- }
+-
+- init_waitqueue_head(&tmr->tmr_wait);
++ init_waitqueue_head(&pending_req->tmr_wait);
+
+ rc = target_submit_tmr(&pending_req->se_cmd, nexus->tvn_se_sess,
+ &pending_req->sense_buffer[0],
+- unpacked_lun, tmr, act, GFP_KERNEL,
++ unpacked_lun, NULL, act, GFP_KERNEL,
+ tag, TARGET_SCF_ACK_KREF);
+ if (rc)
+ goto err;
+
+- wait_event(tmr->tmr_wait, atomic_read(&tmr->tmr_complete));
++
wait_event(pending_req->tmr_wait,
++ atomic_read(&pending_req->tmr_complete));
+
+ err = (se_cmd->se_tmr_req->response == TMR_FUNCTION_COMPLETE) ?
+ SUCCESS : FAILED;
+@@ -626,9 +618,8 @@ static void scsiback_device_action(struc
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ transport_generic_free_cmd(&pending_req->se_cmd, 1);
+ return;
++
+ err:
+- if (tmr)
+- kfree(tmr);
+ scsiback_do_resp_with_sense(NULL, err, 0, pending_req);
+ }
+
+@@ -1389,12 +1380,6 @@ static int scsiback_check_stop_free(stru
+ static void scsiback_release_cmd(struct se_cmd *se_cmd)
+ {
+ struct se_session *se_sess = se_cmd->se_sess;
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+-
+- if (se_tmr && se_cmd->se_cmd_flags & SCF_SCSI_TMR_CDB) {
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
+- kfree(tmr);
+- }
+
+ percpu_ida_free(&se_sess->sess_tag_pool, se_cmd->map_tag);
+ }
+@@ -1455,11 +1440,11 @@ static int scsiback_queue_status(struct
+
+ static void scsiback_queue_tm_rsp(struct se_cmd *se_cmd)
+ {
+- struct se_tmr_req *se_tmr = se_cmd->se_tmr_req;
+- struct scsiback_tmr *tmr = se_tmr->fabric_tmr_ptr;
++ struct vscsibk_pend *pending_req = container_of(se_cmd,
++ struct vscsibk_pend, se_cmd);
+
+- atomic_set(&tmr->tmr_complete, 1);
+- wake_up(&tmr->tmr_wait);
++ atomic_set(&pending_req->tmr_complete, 1);
++ wake_up(&pending_req->tmr_wait);
+ }
+
+ static void scsiback_aborted_task(struct se_cmd *se_cmd)
-- 2.47.3
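Review bot: `tmr_complete` is now a member of `struct vscsibk_pend`, and none of the hunks resets it before `target_submit_tmr()`; the removed `kzalloc()` used to guarantee it started at zero. If a `pending_req` can be reused without being cleared (the allocation path is not visible here), a stale value of 1 would let `wait_event()` return at once and `se_cmd->se_tmr_req->response` would be read before the TMR has completed. Adding `atomic_set(&pending_req->tmr_complete, 0);` next to `init_waitqueue_head(&pending_req->tmr_wait);` in `scsiback_device_action()` makes the precondition explicit. That function starts outside the hunk.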