From a13fef2935855f62fcde2d9ad9c36ca132fd6437 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 24 Jul 2017 18:48:46 -0700 Subject: [PATCH] 4.9-stable patches added patches: cx88-fix-regression-in-initial-video-standard-setting.patch drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch ext2-don-t-clear-sgid-when-inheriting-acls.patch f2fs-don-t-clear-sgid-when-inheriting-acls.patch f2fs-sanity-check-size-of-nat-and-sit-cache.patch ipmi-ssif-add-missing-unlock-in-error-branch.patch ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch libnvdimm-fix-badblock-range-handling-of-ars-range.patch raid5-should-update-rdev-sectors-after-reshape.patch s390-syscalls-fix-out-of-bounds-arguments-access.patch xfs-don-t-clear-sgid-when-inheriting-acls.patch --- ...on-in-initial-video-standard-setting.patch | 68 ++++++++++ ...initiating-read-out-of-range-on-vram.patch | 39 ++++++ ...-switching-for-high-refresh-rates-v2.patch | 42 ++++++ ...x-edp-for-single-display-imac10-1-v2.patch | 88 +++++++++++++ ...on-t-clear-sgid-when-inheriting-acls.patch | 99 ++++++++++++++ ...on-t-clear-sgid-when-inheriting-acls.patch | 34 +++++ ...nity-check-size-of-nat-and-sit-cache.patch | 43 ++++++ ...f-add-missing-unlock-in-error-branch.patch | 35 +++++ ...-around-call-to-intf-handlers-sender.patch | 124 ++++++++++++++++++ ...fix-btt_rw_page-not-returning-errors.patch | 45 +++++++ ...badblock-range-handling-of-ars-range.patch | 47 +++++++ ...ld-update-rdev-sectors-after-reshape.patch | 53 ++++++++ ...s-fix-out-of-bounds-arguments-access.patch | 58 ++++++++ queue-4.9/series | 14 ++ ...on-t-clear-sgid-when-inheriting-acls.patch | 82 ++++++++++++ 15 files changed, 871 insertions(+) create mode 100644 queue-4.9/cx88-fix-regression-in-initial-video-standard-setting.patch create mode 100644 
queue-4.9/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
create mode 100644 queue-4.9/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
create mode 100644 queue-4.9/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
create mode 100644 queue-4.9/ext2-don-t-clear-sgid-when-inheriting-acls.patch
create mode 100644 queue-4.9/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
create mode 100644 queue-4.9/f2fs-sanity-check-size-of-nat-and-sit-cache.patch
create mode 100644 queue-4.9/ipmi-ssif-add-missing-unlock-in-error-branch.patch
create mode 100644 queue-4.9/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
create mode 100644 queue-4.9/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
create mode 100644 queue-4.9/libnvdimm-fix-badblock-range-handling-of-ars-range.patch
create mode 100644 queue-4.9/raid5-should-update-rdev-sectors-after-reshape.patch
create mode 100644 queue-4.9/s390-syscalls-fix-out-of-bounds-arguments-access.patch
create mode 100644 queue-4.9/xfs-don-t-clear-sgid-when-inheriting-acls.patch
diff --git a/queue-4.9/cx88-fix-regression-in-initial-video-standard-setting.patch b/queue-4.9/cx88-fix-regression-in-initial-video-standard-setting.patch
new file mode 100644
index 00000000000..4a26ba85bb6
--- /dev/null
+++ b/queue-4.9/cx88-fix-regression-in-initial-video-standard-setting.patch
@@ -0,0 +1,68 @@
+From 4e0973a918b9a42e217093f078e04a61e5dd95a5 Mon Sep 17 00:00:00 2001
+From: Devin Heitmueller
+Date: Sat, 20 Sep 2014 09:23:44 -0300
+Subject: [media] cx88: Fix regression in initial video standard setting
+
+From: Devin Heitmueller
+
+commit 4e0973a918b9a42e217093f078e04a61e5dd95a5 upstream.
+
+Setting initial standard at the top of cx8800_initdev would cause the
+first call to cx88_set_tvnorm() to return without programming any
+registers (leaving the driver saying it's set to NTSC but the hardware
+isn't programmed). Even worse, any subsequent attempt to explicitly
+set it to NTSC-M will return success but actually fail to program the
+underlying registers unless first changing the standard to something
+other than NTSC-M.
+
+Set the initial standard later in the process, and make sure the field
+is zero at the beginning to ensure that the call always goes through.
+
+This regression was introduced in the following commit:
+
+commit ccd6f1d488e7 ("[media] cx88: move width, height and field to core
+struct")
+
+Author: Hans Verkuil
+
+[media] cx88: move width, height and field to core struct
+
+Signed-off-by: Devin Heitmueller
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/pci/cx88/cx88-cards.c | 9 ++++++++-
+ drivers/media/pci/cx88/cx88-video.c | 2 +-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/cx88/cx88-cards.c
++++ b/drivers/media/pci/cx88/cx88-cards.c
+@@ -3691,7 +3691,14 @@ struct cx88_core *cx88_core_create(struc
+ core->nr = nr;
+ sprintf(core->name, "cx88[%d]", core->nr);
+
+- core->tvnorm = V4L2_STD_NTSC_M;
++ /*
++ * Note: Setting initial standard here would cause first call to
++ * cx88_set_tvnorm() to return without programming any registers. Leave
++ * it blank for at this point and it will get set later in
++ * cx8800_initdev()
++ */
++ core->tvnorm = 0;
++
+ core->width = 320;
+ core->height = 240;
+ core->field = V4L2_FIELD_INTERLACED;
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -1422,7 +1422,7 @@ static int cx8800_initdev(struct pci_dev
+
+ /* initial device configuration */
+ mutex_lock(&core->lock);
+- cx88_set_tvnorm(core, core->tvnorm);
++ cx88_set_tvnorm(core, V4L2_STD_NTSC_M);
+ v4l2_ctrl_handler_setup(&core->video_hdl);
+ v4l2_ctrl_handler_setup(&core->audio_hdl);
+ cx88_video_mux(core, 0);
diff --git a/queue-4.9/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch b/queue-4.9/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
new file mode 100644
index 00000000000..a03fd4b0732
--- /dev/null
+++ b/queue-4.9/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
@@ -0,0 +1,39 @@
+From 9156e723301c0a7a7def4cde820e018ce791b842 Mon Sep 17 00:00:00 2001
+From: Tom St Denis
+Date: Tue, 23 May 2017 11:35:22 -0400
+Subject: drm/amd/amdgpu: Return error if initiating read out of range on vram
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom St Denis
+
+commit 9156e723301c0a7a7def4cde820e018ce791b842 upstream.
+
+If you initiate a read that is out of the VRAM address space return
+ENXIO instead of 0.
+
+Reads that begin below that point will read upto the VRAM limit as
+before.
+
+Signed-off-by: Tom St Denis
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -1419,6 +1419,9 @@ static ssize_t amdgpu_ttm_vram_read(stru
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
++ if (*pos >= adev->mc.mc_vram_size)
++ return -ENXIO;
++
+ while (size) {
+ unsigned long flags;
+ uint32_t value;
diff --git a/queue-4.9/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch b/queue-4.9/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
new file mode 100644
index 00000000000..daee33439a1
--- /dev/null
+++ b/queue-4.9/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
@@ -0,0 +1,42 @@
+From ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Thu, 11 May 2017 13:14:14 -0400
+Subject: drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher
+
+commit ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f upstream.
+
+Even if the vblank period would allow it, it still seems to
+be problematic on some cards.
+
+v2: fix logic inversion (Nils)
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868
+
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -782,6 +782,12 @@ bool ci_dpm_vblank_too_short(struct rade
+ if (r600_dpm_get_vrefresh(rdev) > 120)
+ return true;
+
++ /* disable mclk switching if the refresh is >120Hz, even if the
++ * blanking period would allow it
++ */
++ if (r600_dpm_get_vrefresh(rdev) > 120)
++ return true;
++
+ if (vblank_time < switch_limit)
+ return true;
+ else
diff --git a/queue-4.9/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch b/queue-4.9/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
new file mode 100644
index 00000000000..1d4fb72e454
--- /dev/null
+++ b/queue-4.9/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
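Review bot: The two lines added to ci_dpm_vblank_too_short, `if (r600_dpm_get_vrefresh(rdev) > 120)` / `return true;`, duplicate the check that is already visible in the context lines immediately above them, so on this 4.9 tree the backport evaluates r600_dpm_get_vrefresh() twice for the same result and the new comment ends up describing the second copy rather than the one that actually fires. Presumably the tree already carried an earlier form of this check; the backport should either drop the added `if`/`return` and keep only the comment above the existing check, or remove the older uncommented copy so that exactly one check remains. ci_dpm_vblank_too_short starts and ends outside the hunk.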
@@ -0,0 +1,88 @@
+From 564d8a2cf3abf16575af48bdc3e86e92ee8a617d Mon Sep 17 00:00:00 2001
+From: Mario Kleiner
+Date: Fri, 7 Jul 2017 04:57:04 +0200
+Subject: drm/radeon: Fix eDP for single-display iMac10,1 (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Kleiner
+
+commit 564d8a2cf3abf16575af48bdc3e86e92ee8a617d upstream.
+
+The late 2009, 27 inch Apple iMac10,1 has an
+internal eDP display and an external Mini-
+Displayport output, driven by a DCE-3.2, RV730
+Radeon Mobility HD-4670.
+
+The machine worked fine in a dual-display setup
+with eDP panel + externally connected HDMI
+or DVI-D digital display sink, connected via
+MiniDP to DVI or HDMI adapter.
+
+However, booting the machine single-display with
+only eDP panel results in a completely black
+display - even backlight powering off, as soon as
+the radeon modesetting driver loads.
+
+This patch fixes the single dispay eDP case by
+assigning encoders based on dig->linkb, similar
+to DCE-4+. While this should not be generally
+necessary (Alex: "...atom on normal boards
+should be able to handle any mapping."), Apple
+seems to use some special routing here.
+
+One remaining problem not solved by this patch
+is that an external Minidisplayport->DP sink
+does still not work on iMac10,1, whereas external
+DVI and HDMI sinks continue to work.
+
+The problem affects at least all tested kernels
+since Linux 3.13 - didn't test earlier kernels, so
+backporting to stable probably makes sense.
+
+v2: With the original patch from 2016, Alex was worried it
+ will break other DCE3.2 systems. Use dmi_match() to
+ apply this special encoder assignment only for the
+ Apple iMac 10,1 from late 2009.
+
+Signed-off-by: Mario Kleiner
+Cc: Alex Deucher
+Cc: Michel Dänzer
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -30,6 +30,7 @@
+ #include "radeon_audio.h"
+ #include "atom.h"
+ #include
++#include
+
+ extern int atom_debug;
+
+@@ -2183,9 +2184,17 @@ int radeon_atom_pick_dig_encoder(struct
+ goto assigned;
+ }
+
+- /* on DCE32 and encoder can driver any block so just crtc id */
++ /*
++ * On DCE32 any encoder can drive any block so usually just use crtc id,
++ * but Apple thinks different at least on iMac10,1, so there use linkb,
++ * otherwise the internal eDP panel will stay dark.
++ */
+ if (ASIC_IS_DCE32(rdev)) {
+- enc_idx = radeon_crtc->crtc_id;
++ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
++ enc_idx = (dig->linkb) ? 1 : 0;
++ else
++ enc_idx = radeon_crtc->crtc_id;
++
+ goto assigned;
+ }
+
diff --git a/queue-4.9/ext2-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.9/ext2-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644
index 00000000000..c0c34c60145
--- /dev/null
+++ b/queue-4.9/ext2-don-t-clear-sgid-when-inheriting-acls.patch
@@ -0,0 +1,99 @@
+From a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Wed, 21 Jun 2017 14:34:15 +0200
+Subject: ext2: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara
+
+commit a992f2d38e4ce17b8c7d1f7f67b2de0eebdea069 upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by creating __ext2_set_acl() function that does not call
+posix_acl_update_mode() and use it when inheriting ACLs. That prevents
+SGID bit clearing and the mode has been properly set by
+posix_acl_create() anyway.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: linux-ext4@vger.kernel.org
+Signed-off-by: Jan Kara
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ext2/acl.c | 36 ++++++++++++++++++++++--------------
+ 1 file changed, 22 insertions(+), 14 deletions(-)
+
+--- a/fs/ext2/acl.c
++++ b/fs/ext2/acl.c
+@@ -175,11 +175,8 @@ ext2_get_acl(struct inode *inode, int ty
+ return acl;
+ }
+
+-/*
+- * inode->i_mutex: down
+- */
+-int
+-ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++static int
++__ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+ int name_index;
+ void *value = NULL;
+@@ -189,13 +186,6 @@ ext2_set_acl(struct inode *inode, struct
+ switch(type) {
+ case ACL_TYPE_ACCESS:
+ name_index = EXT2_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
+- error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+- if (error)
+- return error;
+- inode->i_ctime = current_time(inode);
+- mark_inode_dirty(inode);
+- }
+ break;
+
+ case ACL_TYPE_DEFAULT:
+@@ -222,6 +212,24 @@ ext2_set_acl(struct inode *inode, struct
+ }
+
+ /*
++ * inode->i_mutex: down
++ */
++int
++ext2_set_acl(struct inode *inode, struct posix_acl *acl, int type)
++{
++ int error;
++
++ if (type == ACL_TYPE_ACCESS && acl) {
++ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
++ if (error)
++ return error;
++ inode->i_ctime = current_time(inode);
++ mark_inode_dirty(inode);
++ }
++ return __ext2_set_acl(inode, acl, type);
++}
++
++/*
+ * Initialize the ACLs of a new inode. Called from ext2_new_inode.
+ *
+ * dir->i_mutex: down
+@@ -238,12 +246,12 @@ ext2_init_acl(struct inode *inode, struc
+ return error;
+
+ if (default_acl) {
+- error = ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ error = __ext2_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ posix_acl_release(default_acl);
+ }
+ if (acl) {
+ if (!error)
+- error = ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __ext2_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ posix_acl_release(acl);
+ }
+ return error;
diff --git a/queue-4.9/f2fs-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.9/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644
index 00000000000..0346390d221
--- /dev/null
+++ b/queue-4.9/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
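Review bot: `__ext2_set_acl` is introduced without any comment stating why a second setter exists, and the `inode->i_mutex: down` note that used to sit on the only setter now covers just the public wrapper, so nothing warns the next maintainer that the underscore variant deliberately skips the i_mode update. A two-line header on the new static function would carry that contract: `/* Write the ACL xattr without touching i_mode. For inheriting ACLs at inode creation, where posix_acl_create() already chose the mode. */`, and one line on the wrapper, `/* Public setter: runs posix_acl_update_mode() before storing. */`. The first hunk cuts __ext2_set_acl's body short and ext2_init_acl begins outside the last hunk.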
@@ -0,0 +1,34 @@
+From c925dc162f770578ff4a65ec9b08270382dba9e6 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim
+Date: Tue, 11 Jul 2017 14:56:49 -0700
+Subject: f2fs: Don't clear SGID when inheriting ACLs
+
+From: Jaegeuk Kim
+
+commit c925dc162f770578ff4a65ec9b08270382dba9e6 upstream.
+
+This patch copies commit b7f8a09f80:
+"btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Jan Kara
+Reviewed-by: Chao Yu
+Reviewed-by: Jan Kara
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -211,7 +211,7 @@ static int __f2fs_set_acl(struct inode *
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+ name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
++ if (acl && !ipage) {
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
+ return error;
diff --git a/queue-4.9/f2fs-sanity-check-size-of-nat-and-sit-cache.patch b/queue-4.9/f2fs-sanity-check-size-of-nat-and-sit-cache.patch
new file mode 100644
index 00000000000..60455261ce3
--- /dev/null
+++ b/queue-4.9/f2fs-sanity-check-size-of-nat-and-sit-cache.patch
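Review bot: The new condition `if (acl && !ipage) {` in __f2fs_set_acl makes the i_mode update depend on ipage, but nothing in the hunk records what a non-NULL ipage signifies, so the SGID-preservation intent is only recoverable from the commit message. A one-line comment on the condition would fix that, e.g. `/* ipage is set only when inheriting ACLs at inode creation; keep the mode posix_acl_create() chose */` — presumably that is the only caller passing ipage, which should be confirmed against the inode-creation path. __f2fs_set_acl starts and ends outside the hunk.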
@@ -0,0 +1,43 @@
+From 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d Mon Sep 17 00:00:00 2001
+From: Jin Qian
+Date: Thu, 1 Jun 2017 11:18:30 -0700
+Subject: f2fs: sanity check size of nat and sit cache
+
+From: Jin Qian
+
+commit 21d3f8e1c3b7996ce239ab6fa82e9f7a8c47d84d upstream.
+
+Make sure number of entires doesn't exceed max journal size.
+
+Signed-off-by: Jin Qian
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/segment.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/f2fs/segment.c
++++ b/fs/f2fs/segment.c
+@@ -1805,6 +1805,8 @@ static int read_normal_summaries(struct
+
+ static int restore_curseg_summaries(struct f2fs_sb_info *sbi)
+ {
++ struct f2fs_journal *sit_j = CURSEG_I(sbi, CURSEG_COLD_DATA)->journal;
++ struct f2fs_journal *nat_j = CURSEG_I(sbi, CURSEG_HOT_DATA)->journal;
+ int type = CURSEG_HOT_DATA;
+ int err;
+
+@@ -1831,6 +1833,11 @@ static int restore_curseg_summaries(stru
+ return err;
+ }
+
++ /* sanity check for summary blocks */
++ if (nats_in_cursum(nat_j) > NAT_JOURNAL_ENTRIES ||
++ sits_in_cursum(sit_j) > SIT_JOURNAL_ENTRIES)
++ return -EINVAL;
++
+ return 0;
+ }
+
diff --git a/queue-4.9/ipmi-ssif-add-missing-unlock-in-error-branch.patch b/queue-4.9/ipmi-ssif-add-missing-unlock-in-error-branch.patch
new file mode 100644
index 00000000000..36f22014d50
--- /dev/null
+++ b/queue-4.9/ipmi-ssif-add-missing-unlock-in-error-branch.patch
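Review bot: The new check in restore_curseg_summaries returns -EINVAL silently, so a mount that fails because an on-disk journal advertises more than NAT_JOURNAL_ENTRIES or SIT_JOURNAL_ENTRIES entries is indistinguishable from the other -EINVAL paths in the same function. If f2fs_msg() is available in this tree, logging the two counts before `return -EINVAL;` would make a corrupted image diagnosable; failing that, the comment should at least name the condition, e.g. `/* corrupted journal: more entries than a summary block can hold */` in place of the generic `/* sanity check for summary blocks */`. The part of restore_curseg_summaries between the two hunks is outside the view.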
@@ -0,0 +1,35 @@
+From 4495ec6d770e1bca7a04e93ac453ab6720c56c5d Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Fri, 30 Jun 2017 07:18:08 -0500
+Subject: ipmi:ssif: Add missing unlock in error branch
+
+From: Corey Minyard
+
+commit 4495ec6d770e1bca7a04e93ac453ab6720c56c5d upstream.
+
+When getting flags, a response to a different message would
+result in a deadlock because of a missing unlock. Add that
+unlock and a comment. Found by static analysis.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_ssif.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -762,6 +762,11 @@ static void msg_done_handler(struct ssif
+ result, len, data[2]);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
++ /*
++ * Don't abort here, maybe it was a queued
++ * response to a previous command.
++ */
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Invalid response getting flags: %x %x\n",
+ data[0], data[1]);
+ } else {
diff --git a/queue-4.9/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch b/queue-4.9/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
new file mode 100644
index 00000000000..d41c8c2cb89
--- /dev/null
+++ b/queue-4.9/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
@@ -0,0 +1,124 @@
+From cdea46566bb21ce309725a024208322a409055cc Mon Sep 17 00:00:00 2001
+From: Tony Camuso
+Date: Mon, 19 Jun 2017 13:17:33 -0400
+Subject: ipmi: use rcu lock around call to intf->handlers->sender()
+
+From: Tony Camuso
+
+commit cdea46566bb21ce309725a024208322a409055cc upstream.
+
+A vendor with a system having more than 128 CPUs occasionally encounters
+the following crash during shutdown. This is not an easily reproduceable
+event, but the vendor was able to provide the following analysis of the
+crash, which exhibits the same footprint each time.
+
+crash> bt
+PID: 0 TASK: ffff88017c70ce70 CPU: 5 COMMAND: "swapper/5"
+ #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
+ #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
+ #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
+ #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
+ #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
+ #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
+ #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
+ #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
+ #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
+ #9 [ffff88085c143d70] page_fault at ffffffff8168e188
+ [exception RIP: unknown or invalid address]
+ RIP: ffffffffa053c800 RSP: ffff88085c143e28 RFLAGS: 00010206
+ RAX: ffff88017c72bfd8 RBX: ffff88017a8dc000 RCX: ffff8810588b5ac8
+ RDX: ffff8810588b5a00 RSI: ffffffffa053c800 RDI: ffff8810588b5a00
+ RBP: ffff88085c143e58 R8: ffff88017c70d408 R9: ffff88017a8dc000
+ R10: 0000000000000002 R11: ffff88085c143da0 R12: ffff8810588b5ac8
+ R13: 0000000000000100 R14: ffffffffa053c800 R15: ffff8810588b5a00
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+ [exception RIP: cpuidle_enter_state+82]
+ RIP: ffffffff81514192 RSP: ffff88017c72be50 RFLAGS: 00000202
+ RAX: 0000001e4c3c6f16 RBX: 000000000000f8a0 RCX: 0000000000000018
+ RDX: 0000000225c17d03 RSI: ffff88017c72bfd8 RDI: 0000001e4c3c6f16
+ RBP: ffff88017c72be78 R8: 000000000000237e R9: 0000000000000018
+ R10: 0000000000002494 R11: 0000000000000001 R12: ffff88017c72be20
+ R13: ffff88085c14f8e0 R14: 0000000000000082 R15: 0000001e4c3bb400
+ ORIG_RAX: ffffffffffffff10 CS: 0010 SS: 0018
+
+This is the corresponding stack trace
+
+It has crashed because the area pointed with RIP extracted from timer
+element is already removed during a shutdown process.
+
+The function is smi_timeout().
+
+And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
+
+crash> rd ffff8810588b5a00 20
+ffff8810588b5a00: ffff8810588b6000 0000000000000000 .`.X............
+ffff8810588b5a10: ffff880853264400 ffffffffa05417e0 .D&S......T.....
+ffff8810588b5a20: 24a024a000000000 0000000000000000 .....$.$........
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a40: ffffffffa053a040 ffffffffa053a060 @.S.....`.S.....
+ffff8810588b5a50: 0000000000000000 0000000100000001 ................
+ffff8810588b5a60: 0000000000000000 0000000000000e00 ................
+ffff8810588b5a70: ffffffffa053a580 ffffffffa053a6e0 ..S.......S.....
+ffff8810588b5a80: ffffffffa053a4a0 ffffffffa053a250 ..S.....P.S.....
+ffff8810588b5a90: 0000000500000002 0000000000000000 ................
+
+Unfortunately the top of this area is already detroyed by someone.
+But because of two reasonns we think this is struct smi_info
+ 1) The address included in between ffff8810588b5a70 and ffff8810588b5a80:
+ are inside of ipmi_si_intf.c see crash> module ffff88085779d2c0
+
+ 2) We've found the area which point this.
+ It is offset 0x68 of ffff880859df4000
+
+crash> rd ffff880859df4000 100
+ffff880859df4000: 0000000000000000 0000000000000001 ................
+ffff880859df4010: ffffffffa0535290 dead000000000200 .RS.............
+ffff880859df4020: ffff880859df4020 ffff880859df4020 @.Y.... @.Y....
+ffff880859df4030: 0000000000000002 0000000000100010 ................
+ffff880859df4040: ffff880859df4040 ffff880859df4040 @@.Y....@@.Y....
+ffff880859df4050: 0000000000000000 0000000000000000 ................
+ffff880859df4060: 0000000000000000 ffff8810588b5a00 .........Z.X....
+ffff880859df4070: 0000000000000001 ffff880859df4078 ........x@.Y....
+
+ If we regards it as struct ipmi_smi in shutdown process
+ it looks consistent.
+
+The remedy for this apparent race is affixed below.
+
+Signed-off-by: Tony Camuso
+Signed-off-by: Greg Kroah-Hartman
+
+This was first introduced in 7ea0ed2b5be817 ipmi: Make the
+message handler easier to use for SMI interfaces
+where some code was moved outside of the rcu_read_lock()
+and the lock was not added.
+
+Signed-off-by: Corey Minyard
+
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -3877,6 +3877,9 @@ static void smi_recv_tasklet(unsigned lo
+ * because the lower layer is allowed to hold locks while calling
+ * message delivery.
+ */
++
++ rcu_read_lock();
++
+ if (!run_to_completion)
+ spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
+ if (intf->curr_msg == NULL && !intf->in_shutdown) {
+@@ -3899,6 +3902,8 @@ static void smi_recv_tasklet(unsigned lo
+ if (newmsg)
+ intf->handlers->sender(intf->send_info, newmsg);
+
++ rcu_read_unlock();
++
+ handle_new_recv_msgs(intf);
+ }
+
diff --git a/queue-4.9/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch b/queue-4.9/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
new file mode 100644
index 00000000000..3cd690539b8
--- /dev/null
+++ b/queue-4.9/libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
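Review bot: The `rcu_read_lock();` / `rcu_read_unlock();` pair added to smi_recv_tasklet brackets the roughly twenty lines between the two ipmi_msghandler.c hunks that are not in view, so it cannot be verified here that no early return or goto on that path leaves the read-side critical section open; that stretch should be inspected in the full function. The lock is also uncommented, and the existing comment above it talks only about the lower layer holding locks, not about lifetime: a line such as `/* hold RCU across the handlers->sender() call: the interface may be torn down during shutdown */` on the new `rcu_read_lock();` would record what the commit message explains, presumably that intf->handlers is the RCU-protected object. smi_recv_tasklet starts and ends outside the hunks.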
@@ -0,0 +1,45 @@
+From c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc Mon Sep 17 00:00:00 2001
+From: Vishal Verma
+Date: Thu, 29 Jun 2017 16:59:11 -0600
+Subject: libnvdimm, btt: fix btt_rw_page not returning errors
+
+From: Vishal Verma
+
+commit c13c43d54f2c6a3be1c675766778ac1ad8dfbfcc upstream.
+
+btt_rw_page was not propagating errors frm btt_do_bvec, resulting in any
+IO errors via the rw_page path going unnoticed. the pmem driver recently
+fixed this in e10624f pmem: fail io-requests to known bad blocks
+but same problem in BTT went neglected.
+
+Fixes: 5212e11fde4d ("nd_btt: atomic sector updates")
+Cc: Toshi Kani
+Cc: Dan Williams
+Cc: Jeff Moyer
+Signed-off-by: Vishal Verma
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/btt.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/btt.c
++++ b/drivers/nvdimm/btt.c
+@@ -1203,10 +1203,13 @@ static int btt_rw_page(struct block_devi
+ struct page *page, bool is_write)
+ {
+ struct btt *btt = bdev->bd_disk->private_data;
++ int rc;
+
+- btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
+- page_endio(page, is_write, 0);
+- return 0;
++ rc = btt_do_bvec(btt, NULL, page, PAGE_SIZE, 0, is_write, sector);
++ if (rc == 0)
++ page_endio(page, is_write, 0);
++
++ return rc;
+ }
+
+
diff --git a/queue-4.9/libnvdimm-fix-badblock-range-handling-of-ars-range.patch b/queue-4.9/libnvdimm-fix-badblock-range-handling-of-ars-range.patch
new file mode 100644
index 00000000000..e1798abdd23
--- /dev/null
+++ b/queue-4.9/libnvdimm-fix-badblock-range-handling-of-ars-range.patch
@@ -0,0 +1,47 @@
+From 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 Mon Sep 17 00:00:00 2001
+From: Toshi Kani
+Date: Fri, 7 Jul 2017 17:44:26 -0600
+Subject: libnvdimm: fix badblock range handling of ARS range
+
+From: Toshi Kani
+
+commit 4e3f0701f25ab194c5362576b1146a1e6cc6c2e7 upstream.
+
+__add_badblock_range() does not account sector alignment when
+it sets 'num_sectors'. Therefore, an ARS error record range
+spanning across two sectors is set to a single sector length,
+which leaves the 2nd sector unprotected.
+
+Change __add_badblock_range() to set 'num_sectors' properly.
+
+Fixes: 0caeef63e6d2 ("libnvdimm: Add a poison list and export badblocks")
+Signed-off-by: Toshi Kani
+Reviewed-by: Vishal Verma
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nvdimm/core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/nvdimm/core.c
++++ b/drivers/nvdimm/core.c
+@@ -450,14 +450,15 @@ static void set_badblock(struct badblock
+ static void __add_badblock_range(struct badblocks *bb, u64 ns_offset, u64 len)
+ {
+ const unsigned int sector_size = 512;
+- sector_t start_sector;
++ sector_t start_sector, end_sector;
+ u64 num_sectors;
+ u32 rem;
+
+ start_sector = div_u64(ns_offset, sector_size);
+- num_sectors = div_u64_rem(len, sector_size, &rem);
++ end_sector = div_u64_rem(ns_offset + len, sector_size, &rem);
+ if (rem)
+- num_sectors++;
++ end_sector++;
++ num_sectors = end_sector - start_sector;
+
+ if (unlikely(num_sectors > (u64)INT_MAX)) {
+ u64 remaining = num_sectors;
diff --git a/queue-4.9/raid5-should-update-rdev-sectors-after-reshape.patch b/queue-4.9/raid5-should-update-rdev-sectors-after-reshape.patch
new file mode 100644
index 00000000000..fbb6a481d1e
--- /dev/null
+++ b/queue-4.9/raid5-should-update-rdev-sectors-after-reshape.patch
@@ -0,0 +1,53 @@
+From b5d27718f38843a74552e9a93d32e2391fd3999f Mon Sep 17 00:00:00 2001
+From: Xiao Ni
+Date: Wed, 5 Jul 2017 17:34:04 +0800
+Subject: Raid5 should update rdev->sectors after reshape
+
+From: Xiao Ni
+
+commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream.
+
+The raid5 md device is created by the disks which we don't use the total size. For example,
+the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
+Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
+and assemble it again. It fails.
+mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
+mdadm /dev/md0 --grow --chunk=64
+wait reshape to finish
+mdadm -S /dev/md0
+mdadm -As
+The error messages:
+[197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
+[197519.821686] md: md_import_device returned -22
+
+After reshape the data offset is changed. It selects backwards direction in this condition.
+In function super_1_load it compares the available space of the underlying device with
+sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
+rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
+on rdev->sectors. So add md_finish_reshape in end_reshape.
+
+Signed-off-by: Xiao Ni
+Acked-by: Guoqing Jiang
+Signed-off-by: Shaohua Li
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid5.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7560,12 +7560,10 @@ static void end_reshape(struct r5conf *c
+ {
+
+ if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
+- struct md_rdev *rdev;
+
+ spin_lock_irq(&conf->device_lock);
+ conf->previous_raid_disks = conf->raid_disks;
+- rdev_for_each(rdev, conf->mddev)
+- rdev->data_offset = rdev->new_data_offset;
++ md_finish_reshape(conf->mddev);
+ smp_wmb();
+ conf->reshape_progress = MaxSector;
+ conf->mddev->reshape_position = MaxSector;
diff --git a/queue-4.9/s390-syscalls-fix-out-of-bounds-arguments-access.patch b/queue-4.9/s390-syscalls-fix-out-of-bounds-arguments-access.patch
new file mode 100644
index 00000000000..b052ba2e6a6
--- /dev/null
+++ b/queue-4.9/s390-syscalls-fix-out-of-bounds-arguments-access.patch
@@ -0,0 +1,58 @@
+From c46fc0424ced3fb71208e72bd597d91b9169a781 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Thu, 29 Jun 2017 11:38:11 +0200
+Subject: s390/syscalls: Fix out of bounds arguments access
+
+From: Jiri Olsa
+
+commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.
+
+Zorro reported following crash while having enabled
+syscall tracing (CONFIG_FTRACE_SYSCALLS):
+
+ Unable to handle kernel pointer dereference at virtual ...
+ Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
+
+ SNIP
+
+ Call Trace:
+ ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
+ [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
+ [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
+ [<000003fffcf946a2>] 0x3fffcf946a2
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<000000000022dd44>] rb_event_data+0x34/0x40
+ ---[ end trace 8c795f86b1b3f7b9 ]---
+
+The crash happens in syscall_get_arguments function for
+syscalls with zero arguments, that will try to access
+first argument (args[0]) in event entry, but it's not
+allocated.
+
+Bail out of there are no arguments.
+
+Reported-by: Zorro Lang
+Signed-off-by: Jiri Olsa
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/include/asm/syscall.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/s390/include/asm/syscall.h
++++ b/arch/s390/include/asm/syscall.h
+@@ -64,6 +64,12 @@ static inline void syscall_get_arguments
+ {
+ unsigned long mask = -1UL;
+
++ /*
++ * No arguments for this syscall, there's nothing to do.
++ */
++ if (!n)
++ return;
++
+ BUG_ON(i + n > 6);
+ #ifdef CONFIG_COMPAT
+ if (test_tsk_thread_flag(task, TIF_31BIT))
diff --git a/queue-4.9/series b/queue-4.9/series
index 899746c58a7..09c33b8d6ad 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -56,3 +56,17 @@ usb-renesas_usbhs-fix-usbhsc_resume-for-usbhsf_runtime_pwctrl.patch
 usb-renesas_usbhs-gadget-disable-all-eps-when-the-driver-stops.patch
 md-don-t-use-flush_signals-in-userspace-processes.patch
 x86-xen-allow-userspace-access-during-hypercalls.patch
+cx88-fix-regression-in-initial-video-standard-setting.patch
+libnvdimm-btt-fix-btt_rw_page-not-returning-errors.patch
+libnvdimm-fix-badblock-range-handling-of-ars-range.patch
+ext2-don-t-clear-sgid-when-inheriting-acls.patch
+raid5-should-update-rdev-sectors-after-reshape.patch
+s390-syscalls-fix-out-of-bounds-arguments-access.patch
+drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
+drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
+drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
+ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
+ipmi-ssif-add-missing-unlock-in-error-branch.patch
+xfs-don-t-clear-sgid-when-inheriting-acls.patch
+f2fs-sanity-check-size-of-nat-and-sit-cache.patch
+f2fs-don-t-clear-sgid-when-inheriting-acls.patch
diff --git a/queue-4.9/xfs-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.9/xfs-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644
index 00000000000..b2bfcddd148
--- /dev/null
+++ b/queue-4.9/xfs-don-t-clear-sgid-when-inheriting-acls.patch
@@ -0,0 +1,82 @@
+From 8ba358756aa08414fa9e65a1a41d28304ed6fd7f Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 26 Jun 2017 08:48:18 -0700
+Subject: xfs: Don't clear SGID when inheriting ACLs
+
+From: Jan Kara
+
+commit 8ba358756aa08414fa9e65a1a41d28304ed6fd7f upstream.
+
+When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
+set, DIR1 is expected to have SGID bit set (and owning group equal to
+the owning group of 'DIR0'). However when 'DIR0' also has some default
+ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
+'DIR1' to get cleared if user is not member of the owning group.
+
+Fix the problem by calling __xfs_set_acl() instead of xfs_set_acl() when
+setting up inode in xfs_generic_create(). That prevents SGID bit
+clearing and mode is properly set by posix_acl_create() anyway. We also
+reorder arguments of __xfs_set_acl() to match the ordering of
+xfs_set_acl() to make things consistent.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+CC: Darrick J. Wong
+CC: linux-xfs@vger.kernel.org
+Signed-off-by: Jan Kara
+Reviewed-by: Darrick J. Wong
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_acl.c | 6 +++---
+ fs/xfs/xfs_acl.h | 1 +
+ fs/xfs/xfs_iops.c | 4 ++--
+ 3 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_acl.c
++++ b/fs/xfs/xfs_acl.c
+@@ -170,8 +170,8 @@ xfs_get_acl(struct inode *inode, int typ
+ return acl;
+ }
+
+-STATIC int
+-__xfs_set_acl(struct inode *inode, int type, struct posix_acl *acl)
++int
++__xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type)
+ {
+ struct xfs_inode *ip = XFS_I(inode);
+ unsigned char *ea_name;
+@@ -268,5 +268,5 @@ xfs_set_acl(struct inode *inode, struct
+ }
+
+ set_acl:
+- return __xfs_set_acl(inode, type, acl);
++ return __xfs_set_acl(inode, acl, type);
+ }
+--- a/fs/xfs/xfs_acl.h
++++ b/fs/xfs/xfs_acl.h
+@@ -24,6 +24,7 @@ struct posix_acl;
+ #ifdef CONFIG_XFS_POSIX_ACL
+ extern struct posix_acl *xfs_get_acl(struct inode *inode, int type);
+ extern int xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
++extern int __xfs_set_acl(struct inode *inode, struct posix_acl *acl, int type);
+ #else
+ static inline struct posix_acl *xfs_get_acl(struct inode *inode, int type)
+ {
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -190,12 +190,12 @@ xfs_generic_create(
+
+ #ifdef CONFIG_XFS_POSIX_ACL
+ if (default_acl) {
+- error = xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
++ error = __xfs_set_acl(inode, default_acl, ACL_TYPE_DEFAULT);
+ if (error)
+ goto out_cleanup_inode;
+ }
+ if (acl) {
+- error = xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
++ error = __xfs_set_acl(inode, acl, ACL_TYPE_ACCESS);
+ if (error)
+ goto out_cleanup_inode;
+ }
-- 
2.47.3
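Review bot: The new extern for `__xfs_set_acl` in xfs_acl.h carries no comment, yet the whole point of exporting it is that it writes the ACL xattr without the mode handling that `xfs_set_acl` performs before reaching its `set_acl:` label; a one-line contract would keep future callers from reaching for it as a general-purpose setter, e.g. `/* Store the ACL xattr only; does not touch i_mode. For freshly created inodes whose mode posix_acl_create() has already fixed up. */`. The reordering of the `type` and `acl` parameters is type-safe, since any stale `(inode, type, acl)` caller would fail to compile rather than silently swap arguments. The header adds no `#else` stub, which looks fine because the only new callers in xfs_generic_create sit under `#ifdef CONFIG_XFS_POSIX_ACL`, but the body of `xfs_set_acl` that is being bypassed is outside this hunk, so the exact fixups skipped cannot be confirmed here.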