From b6050f86147a78b8f8690e989805f4d48e54bfed Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 26 May 2018 15:24:45 +0200 Subject: [PATCH] 4.16-stable patches added patches: ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch arm64-export-tishift-functions-to-modules.patch arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch ib-umem-use-the-correct-mm-during-ib_umem_release.patch idr-fix-invalid-ptr-dereference-on-item-delete.patch ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch kasan-fix-memory-hotplug-during-boot.patch kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch kernel-sys.c-fix-potential-spectre-v1-issue.patch libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch libata-blacklist-some-sandisk-ssds-for-ncq.patch mm-kasan-don-t-vfree-nonexistent-vm_area.patch mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch powerpc-64s-clear-pcr-on-boot.patch revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch sr-pass-down-correctly-sized-scsi-sense-buffer.patch xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch --- ...d-pci-id-for-cannon-lake-pch-lp-ahci.patch | 31 ++++ ...-export-tishift-functions-to-modules.patch | 66 ++++++++ ...rs-to-some-input-output-asm-operands.patch | 148 +++++++++++++++++ ...ed-crash-in-bcma_core_mips_print_irq.patch | 41 +++++ ...mwgfx-fix-32-bit-vmw_port_hb_-macros.patch | 77 +++++++++ ...condition-in-send-context-error-path.patch | 85 ++++++++++ ...he-correct-mm-during-ib_umem_release.patch | 84 ++++++++++ ...valid-ptr-dereference-on-item-delete.patch | 82 ++++++++++ ...ress-after-round-down-when-remapping.patch | 51 ++++++ ...kasan-fix-memory-hotplug-during-boot.patch | 41 +++++ ...d-shadow-memory-on-mem_cancel_online.patch | 37 +++++ ...sys.c-fix-potential-spectre-v1-issue.patch | 60 +++++++ ...-micron-500it-ssd-with-mu01-firmware.patch | 66 ++++++++ ...-blacklist-some-sandisk-ssds-for-ncq.patch | 35 ++++ ...asan-don-t-vfree-nonexistent-vm_area.patch | 152 ++++++++++++++++++ ...ect-returned-value-in-mmc_rpmb_ioctl.patch | 43 +++++ ...i_quirk2_host_off_card_on-for-cygnus.patch | 37 +++++ ...it-writes-for-transfer_mode-register.patch | 103 ++++++++++++ ...iproc-remove-hard-coded-mmc-cap-1.8v.patch | 35 ++++ ...ndling-for-devices-with-no-callbacks.patch | 58 +++++++ .../powerpc-64s-clear-pcr-on-boot.patch | 88 ++++++++++ ...m-fix-shmat-mmap-nil-page-protection.patch | 69 ++++++++ queue-4.16/series | 24 +++ ...wn-correctly-sized-scsi-sense-buffer.patch | 61 +++++++ ...dition-for-xen_swiotlb_free_coherent.patch | 44 +++++ 25 files changed, 1618 insertions(+) create mode 100644 queue-4.16/ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch create mode 100644 queue-4.16/arm64-export-tishift-functions-to-modules.patch create mode 100644 queue-4.16/arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch create mode 100644 queue-4.16/bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch create mode 100644 queue-4.16/drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch create mode 100644 queue-4.16/ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch create mode 100644 queue-4.16/ib-umem-use-the-correct-mm-during-ib_umem_release.patch create mode 100644 queue-4.16/idr-fix-invalid-ptr-dereference-on-item-delete.patch create mode 100644 queue-4.16/ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch create mode 100644 queue-4.16/kasan-fix-memory-hotplug-during-boot.patch create mode 100644 queue-4.16/kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch create mode 100644 queue-4.16/kernel-sys.c-fix-potential-spectre-v1-issue.patch create mode 100644 queue-4.16/libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch create mode 100644 queue-4.16/libata-blacklist-some-sandisk-ssds-for-ncq.patch create mode 100644 queue-4.16/mm-kasan-don-t-vfree-nonexistent-vm_area.patch create mode 100644 queue-4.16/mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch create mode 100644 queue-4.16/mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch create mode 100644 queue-4.16/mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch create mode 100644 queue-4.16/mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch create mode 100644 queue-4.16/pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch create mode 100644 queue-4.16/powerpc-64s-clear-pcr-on-boot.patch create mode 100644 queue-4.16/revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch create mode 100644 queue-4.16/sr-pass-down-correctly-sized-scsi-sense-buffer.patch create mode 100644 queue-4.16/xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch diff --git a/queue-4.16/ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch b/queue-4.16/ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch new file mode 100644 index 00000000000..4031abb1f3d --- /dev/null +++ b/queue-4.16/ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch @@ -0,0 +1,31 @@ +From 4544e403eb25552aed7f0ee181a7a506b8800403 Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Thu, 24 May 2018 11:12:16 +0300 +Subject: ahci: Add PCI ID for Cannon Lake PCH-LP AHCI + +From: Mika Westerberg + +commit 4544e403eb25552aed7f0ee181a7a506b8800403 upstream. + +This one should be using the default LPM policy for mobile chipsets so +add the PCI ID to the driver list of supported revices. + +Signed-off-by: Mika Westerberg +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -334,6 +334,7 @@ static const struct pci_device_id ahci_p + { PCI_VDEVICE(INTEL, 0x9c07), board_ahci_mobile }, /* Lynx LP RAID */ + { PCI_VDEVICE(INTEL, 0x9c0e), board_ahci_mobile }, /* Lynx LP RAID */ + { PCI_VDEVICE(INTEL, 0x9c0f), board_ahci_mobile }, /* Lynx LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9dd3), board_ahci_mobile }, /* Cannon Lake PCH-LP AHCI */ + { PCI_VDEVICE(INTEL, 0x1f22), board_ahci }, /* Avoton AHCI */ + { PCI_VDEVICE(INTEL, 0x1f23), board_ahci }, /* Avoton AHCI */ + { PCI_VDEVICE(INTEL, 0x1f24), board_ahci }, /* Avoton RAID */ diff --git a/queue-4.16/arm64-export-tishift-functions-to-modules.patch b/queue-4.16/arm64-export-tishift-functions-to-modules.patch new file mode 100644 index 00000000000..103e6fa6e91 --- /dev/null +++ b/queue-4.16/arm64-export-tishift-functions-to-modules.patch @@ -0,0 +1,66 @@ +From 255845fc43a3aaf806852a1d3bc89bff1411ebe3 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sat, 28 Apr 2018 00:42:52 +0200 +Subject: arm64: export tishift functions to modules + +From: Jason A. Donenfeld + +commit 255845fc43a3aaf806852a1d3bc89bff1411ebe3 upstream. + +Otherwise modules that use these arithmetic operations will fail to +link. We accomplish this with the usual EXPORT_SYMBOL, which on most +architectures goes in the .S file but the ARM64 maintainers prefer that +insead it goes into arm64ksyms. + +While we're at it, we also fix this up to use SPDX, and I personally +choose to relicense this as GPL2||BSD so that these symbols don't need +to be export_symbol_gpl, so all modules can use the routines, since +these are important general purpose compiler-generated function calls. + +Signed-off-by: Jason A. Donenfeld +Reported-by: PaX Team +Cc: stable@vger.kernel.org +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/arm64ksyms.c | 8 ++++++++ + arch/arm64/lib/tishift.S | 15 ++------------- + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/arch/arm64/kernel/arm64ksyms.c ++++ b/arch/arm64/kernel/arm64ksyms.c +@@ -75,3 +75,11 @@ NOKPROBE_SYMBOL(_mcount); + /* arm-smccc */ + EXPORT_SYMBOL(__arm_smccc_smc); + EXPORT_SYMBOL(__arm_smccc_hvc); ++ ++ /* tishift.S */ ++extern long long __ashlti3(long long a, int b); ++EXPORT_SYMBOL(__ashlti3); ++extern long long __ashrti3(long long a, int b); ++EXPORT_SYMBOL(__ashrti3); ++extern long long __lshrti3(long long a, int b); ++EXPORT_SYMBOL(__lshrti3); +--- a/arch/arm64/lib/tishift.S ++++ b/arch/arm64/lib/tishift.S +@@ -1,17 +1,6 @@ +-/* +- * Copyright (C) 2017 Jason A. Donenfeld . All Rights Reserved. ++/* SPDX-License-Identifier: (GPL-2.0 OR BSD-3-Clause) + * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License version 2 as +- * published by the Free Software Foundation. +- * +- * This program is distributed in the hope that it will be useful, +- * but WITHOUT ANY WARRANTY; without even the implied warranty of +- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- * GNU General Public License for more details. +- * +- * You should have received a copy of the GNU General Public License +- * along with this program. If not, see . ++ * Copyright (C) 2017-2018 Jason A. Donenfeld . All Rights Reserved. + */ + + #include diff --git a/queue-4.16/arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch b/queue-4.16/arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch new file mode 100644 index 00000000000..bf4939bb7e5 --- /dev/null +++ b/queue-4.16/arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch @@ -0,0 +1,148 @@ +From 32c3fa7cdf0c4a3eb8405fc3e13398de019e828b Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 21 May 2018 17:44:57 +0100 +Subject: arm64: lse: Add early clobbers to some input/output asm operands + +From: Will Deacon + +commit 32c3fa7cdf0c4a3eb8405fc3e13398de019e828b upstream. + +For LSE atomics that read and write a register operand, we need to +ensure that these operands are annotated as "early clobber" if the +register is written before all of the input operands have been consumed. +Failure to do so can result in the compiler allocating the same register +to both operands, leading to splats such as: + + Unable to handle kernel paging request at virtual address 11111122222221 + [...] + x1 : 1111111122222222 x0 : 1111111122222221 + Process swapper/0 (pid: 1, stack limit = 0x000000008209f908) + Call trace: + test_atomic64+0x1360/0x155c + +where x0 has been allocated as both the value to be stored and also the +atomic_t pointer. + +This patch adds the missing clobbers. + +Cc: +Cc: Dave Martin +Cc: Robin Murphy +Reported-by: Mark Salter +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/include/asm/atomic_lse.h | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +--- a/arch/arm64/include/asm/atomic_lse.h ++++ b/arch/arm64/include/asm/atomic_lse.h +@@ -117,7 +117,7 @@ static inline void atomic_and(int i, ato + /* LSE atomics */ + " mvn %w[i], %w[i]\n" + " stclr %w[i], %[v]") +- : [i] "+r" (w0), [v] "+Q" (v->counter) ++ : [i] "+&r" (w0), [v] "+Q" (v->counter) + : "r" (x1) + : __LL_SC_CLOBBERS); + } +@@ -135,7 +135,7 @@ static inline int atomic_fetch_and##name + /* LSE atomics */ \ + " mvn %w[i], %w[i]\n" \ + " ldclr" #mb " %w[i], %w[i], %[v]") \ +- : [i] "+r" (w0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (w0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS, ##cl); \ + \ +@@ -161,7 +161,7 @@ static inline void atomic_sub(int i, ato + /* LSE atomics */ + " neg %w[i], %w[i]\n" + " stadd %w[i], %[v]") +- : [i] "+r" (w0), [v] "+Q" (v->counter) ++ : [i] "+&r" (w0), [v] "+Q" (v->counter) + : "r" (x1) + : __LL_SC_CLOBBERS); + } +@@ -180,7 +180,7 @@ static inline int atomic_sub_return##nam + " neg %w[i], %w[i]\n" \ + " ldadd" #mb " %w[i], w30, %[v]\n" \ + " add %w[i], %w[i], w30") \ +- : [i] "+r" (w0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (w0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS , ##cl); \ + \ +@@ -207,7 +207,7 @@ static inline int atomic_fetch_sub##name + /* LSE atomics */ \ + " neg %w[i], %w[i]\n" \ + " ldadd" #mb " %w[i], %w[i], %[v]") \ +- : [i] "+r" (w0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (w0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS, ##cl); \ + \ +@@ -314,7 +314,7 @@ static inline void atomic64_and(long i, + /* LSE atomics */ + " mvn %[i], %[i]\n" + " stclr %[i], %[v]") +- : [i] "+r" (x0), [v] "+Q" (v->counter) ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) + : "r" (x1) + : __LL_SC_CLOBBERS); + } +@@ -332,7 +332,7 @@ static inline long atomic64_fetch_and##n + /* LSE atomics */ \ + " mvn %[i], %[i]\n" \ + " ldclr" #mb " %[i], %[i], %[v]") \ +- : [i] "+r" (x0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS, ##cl); \ + \ +@@ -358,7 +358,7 @@ static inline void atomic64_sub(long i, + /* LSE atomics */ + " neg %[i], %[i]\n" + " stadd %[i], %[v]") +- : [i] "+r" (x0), [v] "+Q" (v->counter) ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) + : "r" (x1) + : __LL_SC_CLOBBERS); + } +@@ -377,7 +377,7 @@ static inline long atomic64_sub_return## + " neg %[i], %[i]\n" \ + " ldadd" #mb " %[i], x30, %[v]\n" \ + " add %[i], %[i], x30") \ +- : [i] "+r" (x0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS, ##cl); \ + \ +@@ -404,7 +404,7 @@ static inline long atomic64_fetch_sub##n + /* LSE atomics */ \ + " neg %[i], %[i]\n" \ + " ldadd" #mb " %[i], %[i], %[v]") \ +- : [i] "+r" (x0), [v] "+Q" (v->counter) \ ++ : [i] "+&r" (x0), [v] "+Q" (v->counter) \ + : "r" (x1) \ + : __LL_SC_CLOBBERS, ##cl); \ + \ +@@ -435,7 +435,7 @@ static inline long atomic64_dec_if_posit + " sub x30, x30, %[ret]\n" + " cbnz x30, 1b\n" + "2:") +- : [ret] "+r" (x0), [v] "+Q" (v->counter) ++ : [ret] "+&r" (x0), [v] "+Q" (v->counter) + : + : __LL_SC_CLOBBERS, "cc", "memory"); + +@@ -516,7 +516,7 @@ static inline long __cmpxchg_double##nam + " eor %[old1], %[old1], %[oldval1]\n" \ + " eor %[old2], %[old2], %[oldval2]\n" \ + " orr %[old1], %[old1], %[old2]") \ +- : [old1] "+r" (x0), [old2] "+r" (x1), \ ++ : [old1] "+&r" (x0), [old2] "+&r" (x1), \ + [v] "+Q" (*(unsigned long *)ptr) \ + : [new1] "r" (x2), [new2] "r" (x3), [ptr] "r" (x4), \ + [oldval1] "r" (oldval1), [oldval2] "r" (oldval2) \ diff --git a/queue-4.16/bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch b/queue-4.16/bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch new file mode 100644 index 00000000000..130a0210f6e --- /dev/null +++ b/queue-4.16/bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch @@ -0,0 +1,41 @@ +From 361de091a4b97aa9081d304d742f80d486ab7125 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= +Date: Tue, 8 May 2018 11:31:04 +0200 +Subject: bcma: fix buffer size caused crash in bcma_core_mips_print_irq() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit 361de091a4b97aa9081d304d742f80d486ab7125 upstream. + +Used buffer wasn't big enough to hold whole strings. Example output of +this function is: +[ 0.180892] bcma: bus0: core 0x0800, irq: 2(S)* 3 4 5 6 D I +[ 0.180948] bcma: bus0: core 0x0812, irq: 2(S) 3* 4 5 6 D I +[ 0.180998] bcma: bus0: core 0x082d, irq: 2(S) 3 4* 5 6 D I +[ 0.181046] bcma: bus0: core 0x082c, irq: 2(S) 3 4 5 6 D I* +which means we need to store up to 24 chars. + +Fixes: 758f7e06063a8 ("bcma: Use bcma_debug and not pr_cont in MIPS driver") +Signed-off-by: Rafał Miłecki +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bcma/driver_mips.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bcma/driver_mips.c ++++ b/drivers/bcma/driver_mips.c +@@ -184,7 +184,7 @@ static void bcma_core_mips_print_irq(str + { + int i; + static const char *irq_name[] = {"2(S)", "3", "4", "5", "6", "D", "I"}; +- char interrupts[20]; ++ char interrupts[25]; + char *ints = interrupts; + + for (i = 0; i < ARRAY_SIZE(irq_name); i++) diff --git a/queue-4.16/drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch b/queue-4.16/drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch new file mode 100644 index 00000000000..3ec4a358ae2 --- /dev/null +++ b/queue-4.16/drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch @@ -0,0 +1,77 @@ +From 938ae7259c908ad031da35d551da297640bb640c Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Wed, 23 May 2018 16:11:24 +0200 +Subject: drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros + +From: Thomas Hellstrom + +commit 938ae7259c908ad031da35d551da297640bb640c upstream. + +Depending on whether the kernel is compiled with frame-pointer or not, +the temporary memory location used for the bp parameter in these macros +is referenced relative to the stack pointer or the frame pointer. +Hence we can never reference that parameter when we've modified either +the stack pointer or the frame pointer, because then the compiler would +generate an incorrect stack reference. + +Fix this by pushing the temporary memory parameter on a known location on +the stack before modifying the stack- and frame pointers. + +Cc: +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Sinclair Yeh +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_msg.h | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_msg.h +@@ -135,17 +135,24 @@ + + #else + +-/* In the 32-bit version of this macro, we use "m" because there is no +- * more register left for bp ++/* ++ * In the 32-bit version of this macro, we store bp in a memory location ++ * because we've ran out of registers. ++ * Now we can't reference that memory location while we've modified ++ * %esp or %ebp, so we first push it on the stack, just before we push ++ * %ebp, and then when we need it we read it from the stack where we ++ * just pushed it. + */ + #define VMW_PORT_HB_OUT(cmd, in_ecx, in_si, in_di, \ + port_num, magic, bp, \ + eax, ebx, ecx, edx, si, di) \ + ({ \ +- asm volatile ("push %%ebp;" \ +- "mov %12, %%ebp;" \ ++ asm volatile ("push %12;" \ ++ "push %%ebp;" \ ++ "mov 0x04(%%esp), %%ebp;" \ + "rep outsb;" \ +- "pop %%ebp;" : \ ++ "pop %%ebp;" \ ++ "add $0x04, %%esp;" : \ + "=a"(eax), \ + "=b"(ebx), \ + "=c"(ecx), \ +@@ -167,10 +174,12 @@ + port_num, magic, bp, \ + eax, ebx, ecx, edx, si, di) \ + ({ \ +- asm volatile ("push %%ebp;" \ +- "mov %12, %%ebp;" \ ++ asm volatile ("push %12;" \ ++ "push %%ebp;" \ ++ "mov 0x04(%%esp), %%ebp;" \ + "rep insb;" \ +- "pop %%ebp" : \ ++ "pop %%ebp;" \ ++ "add $0x04, %%esp;" : \ + "=a"(eax), \ + "=b"(ebx), \ + "=c"(ecx), \ diff --git a/queue-4.16/ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch b/queue-4.16/ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch new file mode 100644 index 00000000000..78ee4bf55c8 --- /dev/null +++ b/queue-4.16/ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch @@ -0,0 +1,85 @@ +From f9e76ca3771bf23d2142a81a88ddd8f31f5c4c03 Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Wed, 2 May 2018 06:42:51 -0700 +Subject: IB/hfi1: Use after free race condition in send context error path + +From: Michael J. Ruhl + +commit f9e76ca3771bf23d2142a81a88ddd8f31f5c4c03 upstream. + +A pio send egress error can occur when the PSM library attempts to +to send a bad packet. That issue is still being investigated. + +The pio error interrupt handler then attempts to progress the recovery +of the errored pio send context. + +Code inspection reveals that the handling lacks the necessary locking +if that recovery interleaves with a PSM close of the "context" object +contains the pio send context. + +The lack of the locking can cause the recovery to access the already +freed pio send context object and incorrectly deduce that the pio +send context is actually a kernel pio send context as shown by the +NULL deref stack below: + +[] _dev_info+0x6c/0x90 +[] sc_restart+0x70/0x1f0 [hfi1] +[] ? __schedule+0x424/0x9b0 +[] sc_halted+0x15/0x20 [hfi1] +[] process_one_work+0x17a/0x440 +[] worker_thread+0x126/0x3c0 +[] ? manage_workers.isra.24+0x2a0/0x2a0 +[] kthread+0xcf/0xe0 +[] ? insert_kthread_work+0x40/0x40 +[] ret_from_fork+0x58/0x90 +[] ? insert_kthread_work+0x40/0x40 + +This is the best case scenario and other scenarios can corrupt the +already freed memory. + +Fix by adding the necessary locking in the pio send context error +handler. + +Cc: # 4.9.x +Reviewed-by: Mike Marciniszyn +Reviewed-by: Dennis Dalessandro +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/chip.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -5944,6 +5944,7 @@ static void is_sendctxt_err_int(struct h + u64 status; + u32 sw_index; + int i = 0; ++ unsigned long irq_flags; + + sw_index = dd->hw_to_sw[hw_context]; + if (sw_index >= dd->num_send_contexts) { +@@ -5953,10 +5954,12 @@ static void is_sendctxt_err_int(struct h + return; + } + sci = &dd->send_contexts[sw_index]; ++ spin_lock_irqsave(&dd->sc_lock, irq_flags); + sc = sci->sc; + if (!sc) { + dd_dev_err(dd, "%s: context %u(%u): no sc?\n", __func__, + sw_index, hw_context); ++ spin_unlock_irqrestore(&dd->sc_lock, irq_flags); + return; + } + +@@ -5978,6 +5981,7 @@ static void is_sendctxt_err_int(struct h + */ + if (sc->type != SC_USER) + queue_work(dd->pport->hfi1_wq, &sc->halt_work); ++ spin_unlock_irqrestore(&dd->sc_lock, irq_flags); + + /* + * Update the counters for the corresponding status bits. diff --git a/queue-4.16/ib-umem-use-the-correct-mm-during-ib_umem_release.patch b/queue-4.16/ib-umem-use-the-correct-mm-during-ib_umem_release.patch new file mode 100644 index 00000000000..e2fc046b361 --- /dev/null +++ b/queue-4.16/ib-umem-use-the-correct-mm-during-ib_umem_release.patch @@ -0,0 +1,84 @@ +From 8e907ed4882714fd13cfe670681fc6cb5284c780 Mon Sep 17 00:00:00 2001 +From: Lidong Chen +Date: Tue, 8 May 2018 16:50:16 +0800 +Subject: IB/umem: Use the correct mm during ib_umem_release + +From: Lidong Chen + +commit 8e907ed4882714fd13cfe670681fc6cb5284c780 upstream. + +User-space may invoke ibv_reg_mr and ibv_dereg_mr in different threads. + +If ibv_dereg_mr is called after the thread which invoked ibv_reg_mr has +exited, get_pid_task will return NULL and ib_umem_release will not +decrease mm->pinned_vm. + +Instead of using threads to locate the mm, use the overall tgid from the +ib_ucontext struct instead. This matches the behavior of ODP and +disassociate in handling the mm of the process that called ibv_reg_mr. + +Cc: +Fixes: 87773dd56d54 ("IB: ib_umem_release() should decrement mm->pinned_vm from ib_umem_get") +Signed-off-by: Lidong Chen +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/umem.c | 7 +------ + include/rdma/ib_umem.h | 1 - + 2 files changed, 1 insertion(+), 7 deletions(-) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -119,7 +119,6 @@ struct ib_umem *ib_umem_get(struct ib_uc + umem->length = size; + umem->address = addr; + umem->page_shift = PAGE_SHIFT; +- umem->pid = get_task_pid(current, PIDTYPE_PID); + /* + * We ask for writable memory if any of the following + * access flags are set. "Local write" and "remote write" +@@ -132,7 +131,6 @@ struct ib_umem *ib_umem_get(struct ib_uc + IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND)); + + if (access & IB_ACCESS_ON_DEMAND) { +- put_pid(umem->pid); + ret = ib_umem_odp_get(context, umem, access); + if (ret) { + kfree(umem); +@@ -148,7 +146,6 @@ struct ib_umem *ib_umem_get(struct ib_uc + + page_list = (struct page **) __get_free_page(GFP_KERNEL); + if (!page_list) { +- put_pid(umem->pid); + kfree(umem); + return ERR_PTR(-ENOMEM); + } +@@ -231,7 +228,6 @@ out: + if (ret < 0) { + if (need_release) + __ib_umem_release(context->device, umem, 0); +- put_pid(umem->pid); + kfree(umem); + } else + current->mm->pinned_vm = locked; +@@ -274,8 +270,7 @@ void ib_umem_release(struct ib_umem *ume + + __ib_umem_release(umem->context->device, umem, 1); + +- task = get_pid_task(umem->pid, PIDTYPE_PID); +- put_pid(umem->pid); ++ task = get_pid_task(umem->context->tgid, PIDTYPE_PID); + if (!task) + goto out; + mm = get_task_mm(task); +--- a/include/rdma/ib_umem.h ++++ b/include/rdma/ib_umem.h +@@ -48,7 +48,6 @@ struct ib_umem { + int writable; + int hugetlb; + struct work_struct work; +- struct pid *pid; + struct mm_struct *mm; + unsigned long diff; + struct ib_umem_odp *odp_data; diff --git a/queue-4.16/idr-fix-invalid-ptr-dereference-on-item-delete.patch b/queue-4.16/idr-fix-invalid-ptr-dereference-on-item-delete.patch new file mode 100644 index 00000000000..18887fd32f5 --- /dev/null +++ b/queue-4.16/idr-fix-invalid-ptr-dereference-on-item-delete.patch @@ -0,0 +1,82 @@ +From 7a4deea1aa8bddfed4ef1b35fc2b6732563d8ad5 Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Fri, 25 May 2018 14:47:24 -0700 +Subject: idr: fix invalid ptr dereference on item delete + +From: Matthew Wilcox + +commit 7a4deea1aa8bddfed4ef1b35fc2b6732563d8ad5 upstream. + +If the radix tree underlying the IDR happens to be full and we attempt +to remove an id which is larger than any id in the IDR, we will call +__radix_tree_delete() with an uninitialised 'slot' pointer, at which +point anything could happen. This was easiest to hit with a single +entry at id 0 and attempting to remove a non-0 id, but it could have +happened with 64 entries and attempting to remove an id >= 64. + +Roman said: + + The syzcaller test boils down to opening /dev/kvm, creating an + eventfd, and calling a couple of KVM ioctls. None of this requires + superuser. And the result is dereferencing an uninitialized pointer + which is likely a crash. The specific path caught by syzbot is via + KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are + other user-triggerable paths, so cc:stable is probably justified. + +Matthew added: + + We have around 250 calls to idr_remove() in the kernel today. Many of + them pass an ID which is embedded in the object they're removing, so + they're safe. Picking a few likely candidates: + + drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl. + drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar + drivers/atm/nicstar.c could be taken down by a handcrafted packet + +Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org +Fixes: 0a835c4f090a ("Reimplement IDR and IDA using the radix tree") +Reported-by: +Debugged-by: Roman Kagan +Signed-off-by: Matthew Wilcox +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/radix-tree.c | 4 +++- + tools/testing/radix-tree/idr-test.c | 7 +++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/lib/radix-tree.c ++++ b/lib/radix-tree.c +@@ -2034,10 +2034,12 @@ void *radix_tree_delete_item(struct radi + unsigned long index, void *item) + { + struct radix_tree_node *node = NULL; +- void __rcu **slot; ++ void __rcu **slot = NULL; + void *entry; + + entry = __radix_tree_lookup(root, index, &node, &slot); ++ if (!slot) ++ return NULL; + if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE, + get_slot_offset(node, slot)))) + return NULL; +--- a/tools/testing/radix-tree/idr-test.c ++++ b/tools/testing/radix-tree/idr-test.c +@@ -252,6 +252,13 @@ void idr_checks(void) + idr_remove(&idr, 3); + idr_remove(&idr, 0); + ++ assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == 0); ++ idr_remove(&idr, 1); ++ for (i = 1; i < RADIX_TREE_MAP_SIZE; i++) ++ assert(idr_alloc(&idr, DUMMY_PTR, 0, 0, GFP_KERNEL) == i); ++ idr_remove(&idr, 1 << 30); ++ idr_destroy(&idr); ++ + for (i = INT_MAX - 3UL; i < INT_MAX + 1UL; i++) { + struct item *item = item_create(i, 0); + assert(idr_alloc(&idr, item, i, i + 10, GFP_KERNEL) == i); diff --git a/queue-4.16/ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch b/queue-4.16/ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch new file mode 100644 index 00000000000..75d9789e7b6 --- /dev/null +++ b/queue-4.16/ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch @@ -0,0 +1,51 @@ +From 8f89c007b6dec16a1793cb88de88fcc02117bbbc Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Fri, 25 May 2018 14:47:30 -0700 +Subject: ipc/shm: fix shmat() nil address after round-down when remapping + +From: Davidlohr Bueso + +commit 8f89c007b6dec16a1793cb88de88fcc02117bbbc upstream. + +shmat()'s SHM_REMAP option forbids passing a nil address for; this is in +fact the very first thing we check for. Andrea reported that for +SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, +but we need to check again if the address was rounded down to nil. As +of this patch, such cases will return -EINVAL. + +Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 +Signed-off-by: Davidlohr Bueso +Reported-by: Andrea Arcangeli +Cc: Joe Lawrence +Cc: Manfred Spraul +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -1320,9 +1320,17 @@ long do_shmat(int shmid, char __user *sh + + if (addr) { + if (addr & (shmlba - 1)) { +- if (shmflg & SHM_RND) ++ if (shmflg & SHM_RND) { + addr &= ~(shmlba - 1); /* round down */ +- else ++ ++ /* ++ * Ensure that the round-down is non-nil ++ * when remapping. This can happen for ++ * cases when addr < shmlba. ++ */ ++ if (!addr && (shmflg & SHM_REMAP)) ++ goto out; ++ } else + #ifndef __ARCH_FORCE_SHMLBA + if (addr & ~PAGE_MASK) + #endif diff --git a/queue-4.16/kasan-fix-memory-hotplug-during-boot.patch b/queue-4.16/kasan-fix-memory-hotplug-during-boot.patch new file mode 100644 index 00000000000..f3b289cb7d8 --- /dev/null +++ b/queue-4.16/kasan-fix-memory-hotplug-during-boot.patch @@ -0,0 +1,41 @@ +From 3f1959721558a976aaf9c2024d5bc884e6411bf7 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 25 May 2018 14:48:11 -0700 +Subject: kasan: fix memory hotplug during boot + +From: David Hildenbrand + +commit 3f1959721558a976aaf9c2024d5bc884e6411bf7 upstream. + +Using module_init() is wrong. E.g. ACPI adds and onlines memory before +our memory notifier gets registered. + +This makes sure that ACPI memory detected during boot up will not result +in a kernel crash. + +Easily reproducible with QEMU, just specify a DIMM when starting up. + +Link: http://lkml.kernel.org/r/20180522100756.18478-3-david@redhat.com +Fixes: 786a8959912e ("kasan: disable memory hotplug") +Signed-off-by: David Hildenbrand +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/kasan/kasan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -897,5 +897,5 @@ static int __init kasan_memhotplug_init( + return 0; + } + +-module_init(kasan_memhotplug_init); ++core_initcall(kasan_memhotplug_init); + #endif diff --git a/queue-4.16/kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch b/queue-4.16/kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch new file mode 100644 index 00000000000..46470609280 --- /dev/null +++ b/queue-4.16/kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch @@ -0,0 +1,37 @@ +From ed1596f9ab958dd156a66c9ff1029d3761c1786a Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Fri, 25 May 2018 14:48:08 -0700 +Subject: kasan: free allocated shadow memory on MEM_CANCEL_ONLINE + +From: David Hildenbrand + +commit ed1596f9ab958dd156a66c9ff1029d3761c1786a upstream. + +We have to free memory again when we cancel onlining, otherwise a later +onlining attempt will fail. + +Link: http://lkml.kernel.org/r/20180522100756.18478-2-david@redhat.com +Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") +Signed-off-by: David Hildenbrand +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/kasan/kasan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -865,6 +865,7 @@ static int __meminit kasan_mem_notifier( + kmemleak_ignore(ret); + return NOTIFY_OK; + } ++ case MEM_CANCEL_ONLINE: + case MEM_OFFLINE: { + struct vm_struct *vm; + diff --git a/queue-4.16/kernel-sys.c-fix-potential-spectre-v1-issue.patch b/queue-4.16/kernel-sys.c-fix-potential-spectre-v1-issue.patch new file mode 100644 index 00000000000..c0da862b157 --- /dev/null +++ b/queue-4.16/kernel-sys.c-fix-potential-spectre-v1-issue.patch @@ -0,0 +1,60 @@ +From 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 25 May 2018 14:47:57 -0700 +Subject: kernel/sys.c: fix potential Spectre v1 issue + +From: Gustavo A. R. Silva + +commit 23d6aef74da86a33fa6bb75f79565e0a16ee97c2 upstream. + +`resource' can be controlled by user-space, hence leading to a potential +exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + + kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) + kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) + +Fix this by sanitizing *resource* before using it to index +current->signal->rlim + +Notice that given that speculation windows are large, the policy is to +kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Andrew Morton +Cc: Alexei Starovoitov +Cc: Dan Williams +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1401,6 +1401,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned + if (resource >= RLIM_NLIMITS) + return -EINVAL; + ++ resource = array_index_nospec(resource, RLIM_NLIMITS); + task_lock(current->group_leader); + x = current->signal->rlim[resource]; + task_unlock(current->group_leader); +@@ -1420,6 +1421,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, un + if (resource >= RLIM_NLIMITS) + return -EINVAL; + ++ resource = array_index_nospec(resource, RLIM_NLIMITS); + task_lock(current->group_leader); + r = current->signal->rlim[resource]; + task_unlock(current->group_leader); diff --git a/queue-4.16/libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch b/queue-4.16/libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch new file mode 100644 index 00000000000..5e40297bd97 --- /dev/null +++ b/queue-4.16/libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch @@ -0,0 +1,66 @@ +From 136d769e0b3475d71350aa3648a116a6ee7a8f6c Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Sat, 19 May 2018 22:29:36 +0100 +Subject: libata: blacklist Micron 500IT SSD with MU01 firmware + +From: Sudip Mukherjee + +commit 136d769e0b3475d71350aa3648a116a6ee7a8f6c upstream. + +While whitelisting Micron M500DC drives, the tweaked blacklist entry +enabled queued TRIM from M500IT variants also. But these do not support +queued TRIM. And while using those SSDs with the latest kernel we have +seen errors and even the partition table getting corrupted. + +Some part from the dmesg: +[ 6.727384] ata1.00: ATA-9: Micron_M500IT_MTFDDAK060MBD, MU01, max UDMA/133 +[ 6.727390] ata1.00: 117231408 sectors, multi 16: LBA48 NCQ (depth 31/32), AA +[ 6.741026] ata1.00: supports DRM functions and may not be fully accessible +[ 6.759887] ata1.00: configured for UDMA/133 +[ 6.762256] scsi 0:0:0:0: Direct-Access ATA Micron_M500IT_MT MU01 PQ: 0 ANSI: 5 + +and then for the error: +[ 120.860334] ata1.00: exception Emask 0x1 SAct 0x7ffc0007 SErr 0x0 action 0x6 frozen +[ 120.860338] ata1.00: irq_stat 0x40000008 +[ 120.860342] ata1.00: failed command: SEND FPDMA QUEUED +[ 120.860351] ata1.00: cmd 64/01:00:00:00:00/00:00:00:00:00/a0 tag 0 ncq dma 512 out + res 40/00:00:00:00:00/00:00:00:00:00/00 Emask 0x5 (timeout) +[ 120.860353] ata1.00: status: { DRDY } +[ 120.860543] ata1: hard resetting link +[ 121.166128] ata1: SATA link up 3.0 Gbps (SStatus 123 SControl 300) +[ 121.166376] ata1.00: supports DRM functions and may not be fully accessible +[ 121.186238] ata1.00: supports DRM functions and may not be fully accessible +[ 121.204445] ata1.00: configured for UDMA/133 +[ 121.204454] ata1.00: device reported invalid CHS sector 0 +[ 121.204541] sd 0:0:0:0: [sda] tag#18 UNKNOWN(0x2003) Result: hostbyte=0x00 driverbyte=0x08 +[ 121.204546] sd 0:0:0:0: [sda] tag#18 Sense Key : 0x5 [current] +[ 121.204550] sd 0:0:0:0: [sda] tag#18 ASC=0x21 ASCQ=0x4 +[ 121.204555] sd 0:0:0:0: [sda] tag#18 CDB: opcode=0x93 93 08 00 00 00 00 00 04 28 80 00 00 00 30 00 00 +[ 121.204559] print_req_error: I/O error, dev sda, sector 272512 + +After few reboots with these errors, and the SSD is corrupted. +After blacklisting it, the errors are not seen and the SSD does not get +corrupted any more. + +Fixes: 243918be6393 ("libata: Do not blacklist Micron M500DC") +Cc: Martin K. Petersen +Cc: stable@vger.kernel.org +Signed-off-by: Sudip Mukherjee +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4557,6 +4557,8 @@ static const struct ata_blacklist_entry + { "SanDisk SD7UB3Q*G1001", NULL, ATA_HORKAGE_NOLPM, }, + + /* devices that don't properly handle queued TRIM commands */ ++ { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Crucial_CT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.16/libata-blacklist-some-sandisk-ssds-for-ncq.patch b/queue-4.16/libata-blacklist-some-sandisk-ssds-for-ncq.patch new file mode 100644 index 00000000000..99c980b46a1 --- /dev/null +++ b/queue-4.16/libata-blacklist-some-sandisk-ssds-for-ncq.patch @@ -0,0 +1,35 @@ +From 322579dcc865b94b47345ad1b6002ad167f85405 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 8 May 2018 14:21:56 -0700 +Subject: libata: Blacklist some Sandisk SSDs for NCQ + +From: Tejun Heo + +commit 322579dcc865b94b47345ad1b6002ad167f85405 upstream. + +Sandisk SSDs SD7SN6S256G and SD8SN8U256G are regularly locking up +regularly under sustained moderate load with NCQ enabled. Blacklist +for now. + +Signed-off-by: Tejun Heo +Reported-by: Dave Jones +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4493,6 +4493,10 @@ static const struct ata_blacklist_entry + /* https://bugzilla.kernel.org/show_bug.cgi?id=15573 */ + { "C300-CTFDDAC128MAG", "0001", ATA_HORKAGE_NONCQ, }, + ++ /* Some Sandisk SSDs lock up hard with NCQ enabled. Reported on ++ SD7SN6S256G and SD8SN8U256G */ ++ { "SanDisk SD[78]SN*G", NULL, ATA_HORKAGE_NONCQ, }, ++ + /* devices which puke on READ_NATIVE_MAX */ + { "HDS724040KLSA80", "KFAOA20N", ATA_HORKAGE_BROKEN_HPA, }, + { "WDC WD3200JD-00KLB0", "WD-WCAMR1130137", ATA_HORKAGE_BROKEN_HPA }, diff --git a/queue-4.16/mm-kasan-don-t-vfree-nonexistent-vm_area.patch b/queue-4.16/mm-kasan-don-t-vfree-nonexistent-vm_area.patch new file mode 100644 index 00000000000..7c8758449fb --- /dev/null +++ b/queue-4.16/mm-kasan-don-t-vfree-nonexistent-vm_area.patch @@ -0,0 +1,152 @@ +From 0f901dcbc31f88ae41a2aaa365f7802b5d520a28 Mon Sep 17 00:00:00 2001 +From: Andrey Ryabinin +Date: Fri, 25 May 2018 14:47:38 -0700 +Subject: mm/kasan: don't vfree() nonexistent vm_area + +From: Andrey Ryabinin + +commit 0f901dcbc31f88ae41a2aaa365f7802b5d520a28 upstream. + +KASAN uses different routines to map shadow for hot added memory and +memory obtained in boot process. Attempt to offline memory onlined by +normal boot process leads to this: + + Trying to vfree() nonexistent vm area (000000005d3b34b9) + WARNING: CPU: 2 PID: 13215 at mm/vmalloc.c:1525 __vunmap+0x147/0x190 + + Call Trace: + kasan_mem_notifier+0xad/0xb9 + notifier_call_chain+0x166/0x260 + __blocking_notifier_call_chain+0xdb/0x140 + __offline_pages+0x96a/0xb10 + memory_subsys_offline+0x76/0xc0 + device_offline+0xb8/0x120 + store_mem_state+0xfa/0x120 + kernfs_fop_write+0x1d5/0x320 + __vfs_write+0xd4/0x530 + vfs_write+0x105/0x340 + SyS_write+0xb0/0x140 + +Obviously we can't call vfree() to free memory that wasn't allocated via +vmalloc(). Use find_vm_area() to see if we can call vfree(). + +Unfortunately it's a bit tricky to properly unmap and free shadow +allocated during boot, so we'll have to keep it. If memory will come +online again that shadow will be reused. + +Matthew asked: how can you call vfree() on something that isn't a +vmalloc address? + + vfree() is able to free any address returned by + __vmalloc_node_range(). And __vmalloc_node_range() gives you any + address you ask. It doesn't have to be an address in [VMALLOC_START, + VMALLOC_END] range. + + That's also how the module_alloc()/module_memfree() works on + architectures that have designated area for modules. + +[aryabinin@virtuozzo.com: improve comments] + Link: http://lkml.kernel.org/r/dabee6ab-3a7a-51cd-3b86-5468718e0390@virtuozzo.com +[akpm@linux-foundation.org: fix typos, reflow comment] +Link: http://lkml.kernel.org/r/20180201163349.8700-1-aryabinin@virtuozzo.com +Fixes: fa69b5989bb0 ("mm/kasan: add support for memory hotplug") +Signed-off-by: Andrey Ryabinin +Reported-by: Paul Menzel +Cc: Alexander Potapenko +Cc: Dmitry Vyukov +Cc: Matthew Wilcox +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/kasan/kasan.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 61 insertions(+), 2 deletions(-) + +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -791,6 +791,40 @@ DEFINE_ASAN_SET_SHADOW(f5); + DEFINE_ASAN_SET_SHADOW(f8); + + #ifdef CONFIG_MEMORY_HOTPLUG ++static bool shadow_mapped(unsigned long addr) ++{ ++ pgd_t *pgd = pgd_offset_k(addr); ++ p4d_t *p4d; ++ pud_t *pud; ++ pmd_t *pmd; ++ pte_t *pte; ++ ++ if (pgd_none(*pgd)) ++ return false; ++ p4d = p4d_offset(pgd, addr); ++ if (p4d_none(*p4d)) ++ return false; ++ pud = pud_offset(p4d, addr); ++ if (pud_none(*pud)) ++ return false; ++ ++ /* ++ * We can't use pud_large() or pud_huge(), the first one is ++ * arch-specific, the last one depends on HUGETLB_PAGE. So let's abuse ++ * pud_bad(), if pud is bad then it's bad because it's huge. ++ */ ++ if (pud_bad(*pud)) ++ return true; ++ pmd = pmd_offset(pud, addr); ++ if (pmd_none(*pmd)) ++ return false; ++ ++ if (pmd_bad(*pmd)) ++ return true; ++ pte = pte_offset_kernel(pmd, addr); ++ return !pte_none(*pte); ++} ++ + static int __meminit kasan_mem_notifier(struct notifier_block *nb, + unsigned long action, void *data) + { +@@ -812,6 +846,14 @@ static int __meminit kasan_mem_notifier( + case MEM_GOING_ONLINE: { + void *ret; + ++ /* ++ * If shadow is mapped already than it must have been mapped ++ * during the boot. This could happen if we onlining previously ++ * offlined memory. ++ */ ++ if (shadow_mapped(shadow_start)) ++ return NOTIFY_OK; ++ + ret = __vmalloc_node_range(shadow_size, PAGE_SIZE, shadow_start, + shadow_end, GFP_KERNEL, + PAGE_KERNEL, VM_NO_GUARD, +@@ -823,8 +865,25 @@ static int __meminit kasan_mem_notifier( + kmemleak_ignore(ret); + return NOTIFY_OK; + } +- case MEM_OFFLINE: +- vfree((void *)shadow_start); ++ case MEM_OFFLINE: { ++ struct vm_struct *vm; ++ ++ /* ++ * shadow_start was either mapped during boot by kasan_init() ++ * or during memory online by __vmalloc_node_range(). ++ * In the latter case we can use vfree() to free shadow. ++ * Non-NULL result of the find_vm_area() will tell us if ++ * that was the second case. ++ * ++ * Currently it's not possible to free shadow mapped ++ * during boot by kasan_init(). It's because the code ++ * to do that hasn't been written yet. So we'll just ++ * leak the memory. ++ */ ++ vm = find_vm_area((void *)shadow_start); ++ if (vm) ++ vfree((void *)shadow_start); ++ } + } + + return NOTIFY_OK; diff --git a/queue-4.16/mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch b/queue-4.16/mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch new file mode 100644 index 00000000000..965c33bbc71 --- /dev/null +++ b/queue-4.16/mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch @@ -0,0 +1,43 @@ +From b25b750df99bcba29317d3f9d9f93c4ec58890e6 Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Wed, 16 May 2018 21:20:20 +0200 +Subject: mmc: block: propagate correct returned value in mmc_rpmb_ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mathieu Malaterre + +commit b25b750df99bcba29317d3f9d9f93c4ec58890e6 upstream. + +In commit 97548575bef3 ("mmc: block: Convert RPMB to a character device") a +new function `mmc_rpmb_ioctl` was added. The final return is simply +returning a value of `0` instead of propagating the correct return code. + +Discovered during a compilation with W=1, silence the following gcc warning + +drivers/mmc/core/block.c:2470:6: warning: variable ‘ret’ set but not used +[-Wunused-but-set-variable] + +Signed-off-by: Mathieu Malaterre +Reviewed-by: Shawn Lin +Fixes: 97548575bef3 ("mmc: block: Convert RPMB to a character device") +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/block.c ++++ b/drivers/mmc/core/block.c +@@ -2492,7 +2492,7 @@ static long mmc_rpmb_ioctl(struct file * + break; + } + +- return 0; ++ return ret; + } + + #ifdef CONFIG_COMPAT diff --git a/queue-4.16/mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch b/queue-4.16/mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch new file mode 100644 index 00000000000..8dea7eb6ae9 --- /dev/null +++ b/queue-4.16/mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch @@ -0,0 +1,37 @@ +From 3de06d5a1f05c11c94cbb68af14dbfa7fb81d78b Mon Sep 17 00:00:00 2001 +From: Corneliu Doban +Date: Fri, 18 May 2018 15:03:57 -0700 +Subject: mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus + +From: Corneliu Doban + +commit 3de06d5a1f05c11c94cbb68af14dbfa7fb81d78b upstream. + +The SDHCI_QUIRK2_HOST_OFF_CARD_ON is needed for the driver to +properly reset the host controller (reset all) on initialization +after exiting deep sleep. + +Signed-off-by: Corneliu Doban +Signed-off-by: Scott Branden +Reviewed-by: Ray Jui +Reviewed-by: Srinath Mannam +Fixes: c833e92bbb60 ("mmc: sdhci-iproc: support standard byte register accesses") +Cc: stable@vger.kernel.org # v4.10+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-iproc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -186,7 +186,7 @@ static const struct sdhci_ops sdhci_ipro + + static const struct sdhci_pltfm_data sdhci_iproc_cygnus_pltfm_data = { + .quirks = SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK, +- .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN, ++ .quirks2 = SDHCI_QUIRK2_ACMD23_BROKEN | SDHCI_QUIRK2_HOST_OFF_CARD_ON, + .ops = &sdhci_iproc_32only_ops, + }; + diff --git a/queue-4.16/mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch b/queue-4.16/mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch new file mode 100644 index 00000000000..72ee2b52089 --- /dev/null +++ b/queue-4.16/mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch @@ -0,0 +1,103 @@ +From 5f651b870485ee60f5abbbd85195a6852978894a Mon Sep 17 00:00:00 2001 +From: Corneliu Doban +Date: Fri, 18 May 2018 15:03:56 -0700 +Subject: mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register + +From: Corneliu Doban + +commit 5f651b870485ee60f5abbbd85195a6852978894a upstream. + +When the host controller accepts only 32bit writes, the value of the +16bit TRANSFER_MODE register, that has the same 32bit address as the +16bit COMMAND register, needs to be saved and it will be written +in a 32bit write together with the command as this will trigger the +host to send the command on the SD interface. +When sending the tuning command, TRANSFER_MODE is written and then +sdhci_set_transfer_mode reads it back to clear AUTO_CMD12 bit and +write it again resulting in wrong value to be written because the +initial write value was saved in a shadow and the read-back returned +a wrong value, from the register. +Fix sdhci_iproc_readw to return the saved value of TRANSFER_MODE +when a saved value exist. +Same fix for read of BLOCK_SIZE and BLOCK_COUNT registers, that are +saved for a different reason, although a scenario that will cause the +mentioned problem on this registers is not probable. + +Fixes: b580c52d58d9 ("mmc: sdhci-iproc: add IPROC SDHCI driver") +Signed-off-by: Corneliu Doban +Signed-off-by: Scott Branden +Cc: stable@vger.kernel.org # v4.1+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-iproc.c | 30 +++++++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 5 deletions(-) + +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -33,6 +33,8 @@ struct sdhci_iproc_host { + const struct sdhci_iproc_data *data; + u32 shadow_cmd; + u32 shadow_blk; ++ bool is_cmd_shadowed; ++ bool is_blk_shadowed; + }; + + #define REG_OFFSET_IN_BITS(reg) ((reg) << 3 & 0x18) +@@ -48,8 +50,22 @@ static inline u32 sdhci_iproc_readl(stru + + static u16 sdhci_iproc_readw(struct sdhci_host *host, int reg) + { +- u32 val = sdhci_iproc_readl(host, (reg & ~3)); +- u16 word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff; ++ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host); ++ struct sdhci_iproc_host *iproc_host = sdhci_pltfm_priv(pltfm_host); ++ u32 val; ++ u16 word; ++ ++ if ((reg == SDHCI_TRANSFER_MODE) && iproc_host->is_cmd_shadowed) { ++ /* Get the saved transfer mode */ ++ val = iproc_host->shadow_cmd; ++ } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) && ++ iproc_host->is_blk_shadowed) { ++ /* Get the saved block info */ ++ val = iproc_host->shadow_blk; ++ } else { ++ val = sdhci_iproc_readl(host, (reg & ~3)); ++ } ++ word = val >> REG_OFFSET_IN_BITS(reg) & 0xffff; + return word; + } + +@@ -105,13 +121,15 @@ static void sdhci_iproc_writew(struct sd + + if (reg == SDHCI_COMMAND) { + /* Write the block now as we are issuing a command */ +- if (iproc_host->shadow_blk != 0) { ++ if (iproc_host->is_blk_shadowed) { + sdhci_iproc_writel(host, iproc_host->shadow_blk, + SDHCI_BLOCK_SIZE); +- iproc_host->shadow_blk = 0; ++ iproc_host->is_blk_shadowed = false; + } + oldval = iproc_host->shadow_cmd; +- } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) { ++ iproc_host->is_cmd_shadowed = false; ++ } else if ((reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) && ++ iproc_host->is_blk_shadowed) { + /* Block size and count are stored in shadow reg */ + oldval = iproc_host->shadow_blk; + } else { +@@ -123,9 +141,11 @@ static void sdhci_iproc_writew(struct sd + if (reg == SDHCI_TRANSFER_MODE) { + /* Save the transfer mode until the command is issued */ + iproc_host->shadow_cmd = newval; ++ iproc_host->is_cmd_shadowed = true; + } else if (reg == SDHCI_BLOCK_SIZE || reg == SDHCI_BLOCK_COUNT) { + /* Save the block info until the command is issued */ + iproc_host->shadow_blk = newval; ++ iproc_host->is_blk_shadowed = true; + } else { + /* Command or other regular 32-bit write */ + sdhci_iproc_writel(host, newval, reg & ~3); diff --git a/queue-4.16/mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch b/queue-4.16/mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch new file mode 100644 index 00000000000..15e8d6ac272 --- /dev/null +++ b/queue-4.16/mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch @@ -0,0 +1,35 @@ +From 4c94238f37af87a2165c3fb491b4a8b50e90649c Mon Sep 17 00:00:00 2001 +From: Srinath Mannam +Date: Fri, 18 May 2018 15:03:55 -0700 +Subject: mmc: sdhci-iproc: remove hard coded mmc cap 1.8v + +From: Srinath Mannam + +commit 4c94238f37af87a2165c3fb491b4a8b50e90649c upstream. + +Remove hard coded mmc cap 1.8v from platform data as it is board specific. +The 1.8v DDR mmc caps can be enabled using DTS property for those +boards that support it. + +Fixes: b17b4ab8ce38 ("mmc: sdhci-iproc: define MMC caps in platform data") +Signed-off-by: Srinath Mannam +Signed-off-by: Scott Branden +Reviewed-by: Ray Jui +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-iproc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-iproc.c ++++ b/drivers/mmc/host/sdhci-iproc.c +@@ -206,7 +206,6 @@ static const struct sdhci_iproc_data ipr + .caps1 = SDHCI_DRIVER_TYPE_C | + SDHCI_DRIVER_TYPE_D | + SDHCI_SUPPORT_DDR50, +- .mmc_caps = MMC_CAP_1_8V_DDR, + }; + + static const struct sdhci_pltfm_data sdhci_bcm2835_pltfm_data = { diff --git a/queue-4.16/pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch b/queue-4.16/pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch new file mode 100644 index 00000000000..793491ae7c4 --- /dev/null +++ b/queue-4.16/pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch @@ -0,0 +1,58 @@ +From c62ec4610c40bcc44f2d3d5ed1c312737279e2f3 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 22 May 2018 13:02:17 +0200 +Subject: PM / core: Fix direct_complete handling for devices with no callbacks + +From: Rafael J. Wysocki + +commit c62ec4610c40bcc44f2d3d5ed1c312737279e2f3 upstream. + +Commit 08810a4119aa (PM / core: Add NEVER_SKIP and SMART_PREPARE +driver flags) inadvertently prevented the power.direct_complete flag +from being set for devices without PM callbacks and with disabled +runtime PM which also prevents power.direct_complete from being set +for their parents. That led to problems including a resume crash on +HP ZBook 14u. + +Restore the previous behavior by causing power.direct_complete to be +set for those devices again, but do that in a more direct way to +avoid overlooking that case in the future. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=199693 +Fixes: 08810a4119aa (PM / core: Add NEVER_SKIP and SMART_PREPARE driver flags) +Reported-by: Thomas Martitz +Tested-by: Thomas Martitz +Cc: 4.15+ # 4.15+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Ulf Hansson +Reviewed-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/main.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1923,10 +1923,8 @@ static int device_prepare(struct device + + dev->power.wakeup_path = false; + +- if (dev->power.no_pm_callbacks) { +- ret = 1; /* Let device go direct_complete */ ++ if (dev->power.no_pm_callbacks) + goto unlock; +- } + + if (dev->pm_domain) + callback = dev->pm_domain->ops.prepare; +@@ -1960,7 +1958,8 @@ unlock: + */ + spin_lock_irq(&dev->power.lock); + dev->power.direct_complete = state.event == PM_EVENT_SUSPEND && +- pm_runtime_suspended(dev) && ret > 0 && ++ ((pm_runtime_suspended(dev) && ret > 0) || ++ dev->power.no_pm_callbacks) && + !dev_pm_test_driver_flags(dev, DPM_FLAG_NEVER_SKIP); + spin_unlock_irq(&dev->power.lock); + return 0; diff --git a/queue-4.16/powerpc-64s-clear-pcr-on-boot.patch b/queue-4.16/powerpc-64s-clear-pcr-on-boot.patch new file mode 100644 index 00000000000..b945917e08b --- /dev/null +++ b/queue-4.16/powerpc-64s-clear-pcr-on-boot.patch @@ -0,0 +1,88 @@ +From faf37c44a105f3608115785f17cbbf3500f8bc71 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Fri, 18 May 2018 11:37:42 +1000 +Subject: powerpc/64s: Clear PCR on boot + +From: Michael Neuling + +commit faf37c44a105f3608115785f17cbbf3500f8bc71 upstream. + +Clear the PCR (Processor Compatibility Register) on boot to ensure we +are not running in a compatibility mode. + +We've seen this cause problems when a crash (and kdump) occurs while +running compat mode guests. The kdump kernel then runs with the PCR +set and causes problems. The symptom in the kdump kernel (also seen in +petitboot after fast-reboot) is early userspace programs taking +sigills on newer instructions (seen in libc). + +Signed-off-by: Michael Neuling +Cc: stable@vger.kernel.org +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/cpu_setup_power.S | 6 ++++++ + arch/powerpc/kernel/dt_cpu_ftrs.c | 1 + + 2 files changed, 7 insertions(+) + +--- a/arch/powerpc/kernel/cpu_setup_power.S ++++ b/arch/powerpc/kernel/cpu_setup_power.S +@@ -28,6 +28,7 @@ _GLOBAL(__setup_cpu_power7) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + li r4,(LPCR_LPES1 >> LPCR_LPES_SH) + bl __init_LPCR_ISA206 +@@ -41,6 +42,7 @@ _GLOBAL(__restore_cpu_power7) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + li r4,(LPCR_LPES1 >> LPCR_LPES_SH) + bl __init_LPCR_ISA206 +@@ -57,6 +59,7 @@ _GLOBAL(__setup_cpu_power8) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + ori r3, r3, LPCR_PECEDH + li r4,0 /* LPES = 0 */ +@@ -78,6 +81,7 @@ _GLOBAL(__restore_cpu_power8) + beqlr + li r0,0 + mtspr SPRN_LPID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + ori r3, r3, LPCR_PECEDH + li r4,0 /* LPES = 0 */ +@@ -99,6 +103,7 @@ _GLOBAL(__setup_cpu_power9) + mtspr SPRN_PSSCR,r0 + mtspr SPRN_LPID,r0 + mtspr SPRN_PID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) + or r3, r3, r4 +@@ -123,6 +128,7 @@ _GLOBAL(__restore_cpu_power9) + mtspr SPRN_PSSCR,r0 + mtspr SPRN_LPID,r0 + mtspr SPRN_PID,r0 ++ mtspr SPRN_PCR,r0 + mfspr r3,SPRN_LPCR + LOAD_REG_IMMEDIATE(r4, LPCR_PECEDH | LPCR_PECE_HVEE | LPCR_HVICE | LPCR_HEIC) + or r3, r3, r4 +--- a/arch/powerpc/kernel/dt_cpu_ftrs.c ++++ b/arch/powerpc/kernel/dt_cpu_ftrs.c +@@ -114,6 +114,7 @@ static void __restore_cpu_cpufeatures(vo + if (hv_mode) { + mtspr(SPRN_LPID, 0); + mtspr(SPRN_HFSCR, system_registers.hfscr); ++ mtspr(SPRN_PCR, 0); + } + mtspr(SPRN_FSCR, system_registers.fscr); + diff --git a/queue-4.16/revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch b/queue-4.16/revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch new file mode 100644 index 00000000000..bb04324d01f --- /dev/null +++ b/queue-4.16/revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch @@ -0,0 +1,69 @@ +From a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Fri, 25 May 2018 14:47:27 -0700 +Subject: Revert "ipc/shm: Fix shmat mmap nil-page protection" + +From: Davidlohr Bueso + +commit a73ab244f0dad8fffb3291b905f73e2d3eaa7c00 upstream. + +Patch series "ipc/shm: shmat() fixes around nil-page". + +These patches fix two issues reported[1] a while back by Joe and Andrea +around how shmat(2) behaves with nil-page. + +The first reverts a commit that it was incorrectly thought that mapping +nil-page (address=0) was a no no with MAP_FIXED. This is not the case, +with the exception of SHM_REMAP; which is address in the second patch. + +I chose two patches because it is easier to backport and it explicitly +reverts bogus behaviour. Both patches ought to be in -stable and ltp +testcases need updated (the added testcase around the cve can be +modified to just test for SHM_RND|SHM_REMAP). + +[1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805 + +This patch (of 2): + +Commit 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") +worked on the idea that we should not be mapping as root addr=0 and +MAP_FIXED. However, it was reported that this scenario is in fact +valid, thus making the patch both bogus and breaks userspace as well. + +For example X11's libint10.so relies on shmat(1, SHM_RND) for lowmem +initialization[1]. + +[1] https://cgit.freedesktop.org/xorg/xserver/tree/hw/xfree86/os-support/linux/int10/linux.c#n347 +Link: http://lkml.kernel.org/r/20180503203243.15045-2-dave@stgolabs.net +Fixes: 95e91b831f87 ("ipc/shm: Fix shmat mmap nil-page protection") +Signed-off-by: Davidlohr Bueso +Reported-by: Joe Lawrence +Reported-by: Andrea Arcangeli +Cc: Manfred Spraul +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/shm.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -1320,13 +1320,8 @@ long do_shmat(int shmid, char __user *sh + + if (addr) { + if (addr & (shmlba - 1)) { +- /* +- * Round down to the nearest multiple of shmlba. +- * For sane do_mmap_pgoff() parameters, avoid +- * round downs that trigger nil-page and MAP_FIXED. +- */ +- if ((shmflg & SHM_RND) && addr >= shmlba) +- addr &= ~(shmlba - 1); ++ if (shmflg & SHM_RND) ++ addr &= ~(shmlba - 1); /* round down */ + else + #ifndef __ARCH_FORCE_SHMLBA + if (addr & ~PAGE_MASK) diff --git a/queue-4.16/series b/queue-4.16/series index f49caa62802..dff12820bb2 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -12,3 +12,27 @@ aio-fix-io_destroy-2-vs.-lookup_ioctx-race.patch btrfs-fix-error-handling-in-btrfs_truncate.patch alsa-timer-fix-pause-event-notification.patch do-d_instantiate-unlock_new_inode-combinations-safely.patch +mmc-block-propagate-correct-returned-value-in-mmc_rpmb_ioctl.patch +mmc-sdhci-iproc-remove-hard-coded-mmc-cap-1.8v.patch +mmc-sdhci-iproc-fix-32bit-writes-for-transfer_mode-register.patch +mmc-sdhci-iproc-add-sdhci_quirk2_host_off_card_on-for-cygnus.patch +ahci-add-pci-id-for-cannon-lake-pch-lp-ahci.patch +libata-blacklist-some-sandisk-ssds-for-ncq.patch +libata-blacklist-micron-500it-ssd-with-mu01-firmware.patch +xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch +drm-vmwgfx-fix-32-bit-vmw_port_hb_-macros.patch +arm64-lse-add-early-clobbers-to-some-input-output-asm-operands.patch +arm64-export-tishift-functions-to-modules.patch +powerpc-64s-clear-pcr-on-boot.patch +ib-hfi1-use-after-free-race-condition-in-send-context-error-path.patch +ib-umem-use-the-correct-mm-during-ib_umem_release.patch +sr-pass-down-correctly-sized-scsi-sense-buffer.patch +bcma-fix-buffer-size-caused-crash-in-bcma_core_mips_print_irq.patch +idr-fix-invalid-ptr-dereference-on-item-delete.patch +revert-ipc-shm-fix-shmat-mmap-nil-page-protection.patch +ipc-shm-fix-shmat-nil-address-after-round-down-when-remapping.patch +mm-kasan-don-t-vfree-nonexistent-vm_area.patch +kasan-free-allocated-shadow-memory-on-mem_cancel_online.patch +kasan-fix-memory-hotplug-during-boot.patch +kernel-sys.c-fix-potential-spectre-v1-issue.patch +pm-core-fix-direct_complete-handling-for-devices-with-no-callbacks.patch diff --git a/queue-4.16/sr-pass-down-correctly-sized-scsi-sense-buffer.patch b/queue-4.16/sr-pass-down-correctly-sized-scsi-sense-buffer.patch new file mode 100644 index 00000000000..078c76ff3d3 --- /dev/null +++ b/queue-4.16/sr-pass-down-correctly-sized-scsi-sense-buffer.patch @@ -0,0 +1,61 @@ +From f7068114d45ec55996b9040e98111afa56e010fe Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Mon, 21 May 2018 12:21:14 -0600 +Subject: sr: pass down correctly sized SCSI sense buffer + +From: Jens Axboe + +commit f7068114d45ec55996b9040e98111afa56e010fe upstream. + +We're casting the CDROM layer request_sense to the SCSI sense +buffer, but the former is 64 bytes and the latter is 96 bytes. +As we generally allocate these on the stack, we end up blowing +up the stack. + +Fix this by wrapping the scsi_execute() call with a properly +sized sense buffer, and copying back the bits for the CDROM +layer. + +Cc: stable@vger.kernel.org +Reported-by: Piotr Gabriel Kosinski +Reported-by: Daniel Shapira +Tested-by: Kees Cook +Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sr_ioctl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sr_ioctl.c ++++ b/drivers/scsi/sr_ioctl.c +@@ -188,9 +188,13 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack + struct scsi_device *SDev; + struct scsi_sense_hdr sshdr; + int result, err = 0, retries = 0; ++ unsigned char sense_buffer[SCSI_SENSE_BUFFERSIZE], *senseptr = NULL; + + SDev = cd->device; + ++ if (cgc->sense) ++ senseptr = sense_buffer; ++ + retry: + if (!scsi_block_when_processing_errors(SDev)) { + err = -ENODEV; +@@ -198,10 +202,12 @@ int sr_do_ioctl(Scsi_CD *cd, struct pack + } + + result = scsi_execute(SDev, cgc->cmd, cgc->data_direction, +- cgc->buffer, cgc->buflen, +- (unsigned char *)cgc->sense, &sshdr, ++ cgc->buffer, cgc->buflen, senseptr, &sshdr, + cgc->timeout, IOCTL_RETRIES, 0, 0, NULL); + ++ if (cgc->sense) ++ memcpy(cgc->sense, sense_buffer, sizeof(*cgc->sense)); ++ + /* Minimal error checking. Ignore cases we know about, and report the rest. */ + if (driver_byte(result) != 0) { + switch (sshdr.sense_key) { diff --git a/queue-4.16/xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch b/queue-4.16/xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch new file mode 100644 index 00000000000..fa69f4ade2a --- /dev/null +++ b/queue-4.16/xen-swiotlb-fix-the-check-condition-for-xen_swiotlb_free_coherent.patch @@ -0,0 +1,44 @@ +From 4855c92dbb7b3b85c23e88ab7ca04f99b9677b41 Mon Sep 17 00:00:00 2001 +From: Joe Jin +Date: Thu, 17 May 2018 12:33:28 -0700 +Subject: xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent + +From: Joe Jin + +commit 4855c92dbb7b3b85c23e88ab7ca04f99b9677b41 upstream. + +When run raidconfig from Dom0 we found that the Xen DMA heap is reduced, +but Dom Heap is increased by the same size. Tracing raidconfig we found +that the related ioctl() in megaraid_sas will call dma_alloc_coherent() +to apply memory. If the memory allocated by Dom0 is not in the DMA area, +it will exchange memory with Xen to meet the requiment. Later drivers +call dma_free_coherent() to free the memory, on xen_swiotlb_free_coherent() +the check condition (dev_addr + size - 1 <= dma_mask) is always false, +it prevents calling xen_destroy_contiguous_region() to return the memory +to the Xen DMA heap. + +This issue introduced by commit 6810df88dcfc2 "xen-swiotlb: When doing +coherent alloc/dealloc check before swizzling the MFNs.". + +Signed-off-by: Joe Jin +Tested-by: John Sobecki +Reviewed-by: Rzeszutek Wilk +Cc: stable@vger.kernel.org +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/swiotlb-xen.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/swiotlb-xen.c ++++ b/drivers/xen/swiotlb-xen.c +@@ -365,7 +365,7 @@ xen_swiotlb_free_coherent(struct device + * physical address */ + phys = xen_bus_to_phys(dev_addr); + +- if (((dev_addr + size - 1 > dma_mask)) || ++ if (((dev_addr + size - 1 <= dma_mask)) || + range_straddles_page_boundary(phys, size)) + xen_destroy_contiguous_region(phys, order); + -- 2.47.2