From d1cf1a5063b0a91c3d562fc79f9b99900ba1df78 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 1 Jul 2018 12:08:45 +0200 Subject: [PATCH] 4.14-stable patches added patches: arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch arm-dts-fix-spi-node-for-arria10.patch arm-dts-socfpga-fix-nand-controller-clock-supply.patch arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch arm-dts-socfpga-fix-nand-controller-node-compatible.patch arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch arm64-kpti-use-early_param-for-kpti-command-line-option.patch arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch branch-check-fix-long-int-truncation-when-profiling-branches.patch cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch cxl-disable-prefault_mode-in-radix-mode.patch fuse-atomic_o_trunc-should-truncate-pagecache.patch fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch fuse-fix-congested-state-leak-on-aborted-connections.patch fuse-fix-control-dir-setup-and-teardown.patch ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch ib-hfi1-fix-fault-injection-init-exit-issues.patch ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch ib-hfi1-qib-add-handling-of-kernel-restart.patch ib-hfi1-reorder-incorrect-send-context-disable.patch ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch ib-isert-fix-t10-pi-check-mask-setting.patch ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch ib-qib-fix-dma-api-warning-with-debug-kernel.patch ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch 
mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch of-overlay-validate-offset-from-property-fixups.patch of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch pci-add-acs-quirk-for-intel-300-series.patch pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch pci-hv-make-sure-the-bus-domain-is-really-unique.patch pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch powerpc-fadump-unregister-fadump-on-kexec-down-path.patch powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch printk-fix-possible-reuse-of-va_list-variable.patch rdma-mlx4-discard-unknown-sqp-work-requests.patch soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch tpm-fix-race-condition-in-tpm_common_write.patch tpm-fix-use-after-free-in-tpm2_load_context.patch xprtrdma-return-enobufs-when-no-pages-are-available.patch --- ...so-that-gdb_regs-is-the-correct-size.patch | 45 ++++++ .../arm-dts-fix-spi-node-for-arria10.patch | 35 ++++ ...pga-fix-nand-controller-clock-supply.patch | 36 +++++ ...ntroller-node-compatible-for-arria10.patch | 32 ++++ ...-fix-nand-controller-node-compatible.patch | 35 ++++ 
...ble-sd-uhs-modes-on-the-libretech-cc.patch | 44 +++++ ...g-around-signal-suppressed-by-tracer.patch | 72 +++++++++ ...y_param-for-kpti-command-line-option.patch | 39 +++++ ...red-wrt-subsequent-cache-maintenance.patch | 44 +++++ ...tch-failure-with-userspace-fw-loader.patch | 42 +++++ ...t-truncation-when-profiling-branches.patch | 41 +++++ ...n-from-snooze-if-next-state-disabled.patch | 146 +++++++++++++++++ ...-disable-prefault_mode-in-radix-mode.patch | 100 ++++++++++++ ...ic_o_trunc-should-truncate-pagecache.patch | 52 ++++++ ...ep-dead-fuse_conn-at-fuse_fill_super.patch | 41 +++++ ...ed-state-leak-on-aborted-connections.patch | 49 ++++++ ...e-fix-control-dir-setup-and-teardown.patch | 68 ++++++++ ...writability-a-static-inline-function.patch | 68 ++++++++ ...fix-fault-injection-init-exit-issues.patch | 122 ++++++++++++++ ...ontext-tail-allocation-for-dma_rtail.patch | 123 ++++++++++++++ ...nter-locking-when-queuing-cq-entries.patch | 119 ++++++++++++++ ...1-qib-add-handling-of-kernel-restart.patch | 134 +++++++++++++++ ...order-incorrect-send-context-disable.patch | 123 ++++++++++++++ ...for-lib-dma_debug-check_sync-warning.patch | 114 +++++++++++++ ...-isert-fix-t10-pi-check-mask-setting.patch | 37 +++++ ...if-actual-virtual-memory-is-writable.patch | 120 ++++++++++++++ ...etch-soft-wqe-s-on-fatal-error-state.patch | 82 ++++++++++ ...ix-dma-api-warning-with-debug-kernel.patch | 153 ++++++++++++++++++ ...ut-before-doing-a-capabilities-check.patch | 42 +++++ ...k-core-externalsync-for-pcie-erratum.patch | 84 ++++++++++ ...oid-walking-all-chips-when-unlocking.patch | 33 ++++ ...e-erase-functions-to-retry-for-error.patch | 91 +++++++++++ ...-write-buffer-to-check-correct-value.patch | 45 ++++++ ...02-fix-segv-unlocking-multiple-chips.patch | 54 +++++++ ...ing-requests-crossing-a-chip-boudary.patch | 36 +++++ ...0002-use-right-chip-in-do_ppb_xxlock.patch | 57 +++++++ ...validate-offset-from-property-fixups.patch | 41 +++++ 
...id-dev-in-of_platform_device_destroy.patch | 120 ++++++++++++++ ...-trailing-0-in-property-length-field.patch | 63 ++++++++ ...i-add-acs-quirk-for-intel-300-series.patch | 43 +++++ ...s-quirk-for-intel-7th-8th-gen-mobile.patch | 56 +++++++ ...sure-the-bus-domain-is-really-unique.patch | 67 ++++++++ ...-link-layer-status-changed-on-resume.patch | 83 ++++++++++ ...unregister-fadump-on-kexec-down-path.patch | 39 +++++ ...ync-prior-to-kernel-stack-slb-switch.patch | 63 ++++++++ ...-core-imc-based-on-num_possible_cpus.patch | 92 +++++++++++ ...powernv-copy-paste-mask-so-bit-in-cr.patch | 34 ++++ ...nit-all-present-cpus-for-deep-states.patch | 48 ++++++ ...2-remove-redundant-free-of-tce-pages.patch | 45 ++++++ ...-fix-enforcement-of-dawr-constraints.patch | 41 +++++ ...breakpoints-with-ptrace_set_debugreg.patch | 42 +++++ ...x-possible-reuse-of-va_list-variable.patch | 52 ++++++ ...x4-discard-unknown-sqp-work-requests.patch | 32 ++++ queue-4.14/series | 57 +++++++ ...alue-when-power-up-pd-with-writemask.patch | 37 +++++ ...x-race-condition-in-tpm_common_write.patch | 139 ++++++++++++++++ ...-use-after-free-in-tpm2_load_context.patch | 36 +++++ ...-enobufs-when-no-pages-are-available.patch | 35 ++++ 58 files changed, 3823 insertions(+) create mode 100644 queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch create mode 100644 queue-4.14/arm-dts-fix-spi-node-for-arria10.patch create mode 100644 queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch create mode 100644 queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch create mode 100644 queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch create mode 100644 queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch create mode 100644 queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch create mode 100644 queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch create mode 
100644 queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch create mode 100644 queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch create mode 100644 queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch create mode 100644 queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch create mode 100644 queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch create mode 100644 queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch create mode 100644 queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch create mode 100644 queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch create mode 100644 queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch create mode 100644 queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch create mode 100644 queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch create mode 100644 queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch create mode 100644 queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch create mode 100644 queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch create mode 100644 queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch create mode 100644 queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch create mode 100644 queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch create mode 100644 queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch create mode 100644 queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch create mode 100644 queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch create mode 100644 queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch create mode 100644 queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch create mode 100644 
queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch create mode 100644 queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch create mode 100644 queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch create mode 100644 queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch create mode 100644 queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch create mode 100644 queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch create mode 100644 queue-4.14/of-overlay-validate-offset-from-property-fixups.patch create mode 100644 queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch create mode 100644 queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch create mode 100644 queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch create mode 100644 queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch create mode 100644 queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch create mode 100644 queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch create mode 100644 queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch create mode 100644 queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch create mode 100644 queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch create mode 100644 queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch create mode 100644 queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch create mode 100644 queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch create mode 100644 queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch create mode 100644 queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch create mode 
100644 queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch create mode 100644 queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch create mode 100644 queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch create mode 100644 queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch create mode 100644 queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch create mode 100644 queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch
diff --git a/queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch b/queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
new file mode 100644
index 00000000000..ed7656b6eba
--- /dev/null
+++ b/queue-4.14/arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
@@ -0,0 +1,45 @@
+From 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 Mon Sep 17 00:00:00 2001
+From: David Rivshin
+Date: Wed, 25 Apr 2018 21:15:01 +0100
+Subject: ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
+
+From: David Rivshin
+
+commit 76ed0b803a2ab793a1b27d1dfe0de7955282cd34 upstream.
+
+NUMREGBYTES (which is used as the size for gdb_regs[]) is incorrectly
+based on DBG_MAX_REG_NUM instead of GDB_MAX_REGS. DBG_MAX_REG_NUM
+is the number of total registers, while GDB_MAX_REGS is the number
+of 'unsigned longs' it takes to serialize those registers. Since
+FP registers require 3 'unsigned longs' each, DBG_MAX_REG_NUM is
+smaller than GDB_MAX_REGS.
+
+This causes GDB 8.0 give the following error on connect:
+"Truncated register 19 in remote 'g' packet"
+
+This also causes the register serialization/deserialization logic
+to overflow gdb_regs[], overwriting whatever follows.
+
+Fixes: 834b2964b7ab ("kgdb,arm: fix register dump")
+Cc: # 2.6.37+
+Signed-off-by: David Rivshin
+Acked-by: Rabin Vincent
+Tested-by: Daniel Thompson
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/include/asm/kgdb.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/include/asm/kgdb.h
++++ b/arch/arm/include/asm/kgdb.h
+@@ -77,7 +77,7 @@ extern int kgdb_fault_expected;
+
+ #define KGDB_MAX_NO_CPUS 1
+ #define BUFMAX 400
+-#define NUMREGBYTES (DBG_MAX_REG_NUM << 2)
++#define NUMREGBYTES (GDB_MAX_REGS << 2)
+ #define NUMCRITREGBYTES (32 << 2)
+
+ #define _R0 0
diff --git a/queue-4.14/arm-dts-fix-spi-node-for-arria10.patch b/queue-4.14/arm-dts-fix-spi-node-for-arria10.patch
new file mode 100644
index 00000000000..f46efee93cc
--- /dev/null
+++ b/queue-4.14/arm-dts-fix-spi-node-for-arria10.patch
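Review bot: The new `#define NUMREGBYTES (GDB_MAX_REGS << 2)` still has no comment saying that it sizes the serialized register array rather than the register count, which is exactly the confusion the commit message blames for overflowing gdb_regs[]. A one-line comment on the define would guard against the same mistake, for example `/* bytes in gdb_regs[]: GDB_MAX_REGS unsigned longs, not DBG_MAX_REG_NUM registers */`. Writing the size as `(GDB_MAX_REGS * sizeof(unsigned long))` would also drop the hard-coded word size, provided nothing uses the macro in a preprocessor conditional; that cannot be checked from this hunk.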
@@ -0,0 +1,35 @@
+From 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 Mon Sep 17 00:00:00 2001
+From: Thor Thayer
+Date: Fri, 22 Jun 2018 13:37:34 -0500
+Subject: ARM: dts: Fix SPI node for Arria10
+
+From: Thor Thayer
+
+commit 975ba94c2c3aca4d9f1ae26f3916d7787495ce86 upstream.
+
+Remove the unused bus-num node and change num-chipselect
+to num-cs to match SPI bindings.
+
+Cc: stable@vger.kernel.org
+Fixes: f2d6f8f817814 ("ARM: dts: socfpga: Add SPI Master1 for Arria10 SR chip")
+Signed-off-by: Thor Thayer
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Olof Johansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/socfpga_arria10.dtsi | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
+@@ -593,8 +593,7 @@
+ #size-cells = <0>;
+ reg = <0xffda5000 0x100>;
+ interrupts = <0 102 4>;
+- num-chipselect = <4>;
+- bus-num = <0>;
++ num-cs = <4>;
+ /*32bit_access;*/
+ tx-dma-channel = <&pdma 16>;
+ rx-dma-channel = <&pdma 17>;
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch
new file mode 100644
index 00000000000..76ee2ce0f61
--- /dev/null
+++ b/queue-4.14/arm-dts-socfpga-fix-nand-controller-clock-supply.patch
@@ -0,0 +1,36 @@
+From 4eda9b766b042ea38d84df91581b03f6145a2ab0 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Thu, 10 May 2018 16:37:26 +0200
+Subject: ARM: dts: socfpga: Fix NAND controller clock supply
+
+From: Marek Vasut
+
+commit 4eda9b766b042ea38d84df91581b03f6145a2ab0 upstream.
+
+The Denali NAND x-clock should be supplied by nand_x_clk, not by
+nand_clk. Fix this, otherwise the Denali driver gets incorrect
+clock frequency information and incorrectly configures the NAND
+timing.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut
+Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
+Cc: Steffen Trumtrar
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/socfpga.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -750,7 +750,7 @@
+ reg-names = "nand_data", "denali_reg";
+ interrupts = <0x0 0x90 0x4>;
+ dma-mask = <0xffffffff>;
+- clocks = <&nand_clk>;
++ clocks = <&nand_x_clk>;
+ status = "disabled";
+ };
+
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
new file mode 100644
index 00000000000..33aa55335f7
--- /dev/null
+++ b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
@@ -0,0 +1,32 @@
+From 3877ef7a1ccecaae378c497e1dcddbc2dccb664c Mon Sep 17 00:00:00 2001
+From: Dinh Nguyen
+Date: Mon, 14 May 2018 10:15:19 -0500
+Subject: ARM: dts: socfpga: Fix NAND controller node compatible for Arria10
+
+From: Dinh Nguyen
+
+commit 3877ef7a1ccecaae378c497e1dcddbc2dccb664c upstream.
+
+The NAND compatible "denali,denal-nand-dt" property has never been used and
+is obsolete. Remove it.
+
+Cc: stable@vger.kernel.org
+Fixes: f549af06e9b6("ARM: dts: socfpga: Add NAND device tree for Arria10")
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/socfpga_arria10.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga_arria10.dtsi
++++ b/arch/arm/boot/dts/socfpga_arria10.dtsi
+@@ -632,7 +632,7 @@
+ nand: nand@ffb90000 {
+ #address-cells = <1>;
+ #size-cells = <1>;
+- compatible = "denali,denali-nand-dt", "altr,socfpga-denali-nand";
++ compatible = "altr,socfpga-denali-nand";
+ reg = <0xffb90000 0x72000>,
+ <0xffb80000 0x10000>;
+ reg-names = "nand_data", "denali_reg";
diff --git a/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch
new file mode 100644
index 00000000000..fb20e57bb3d
--- /dev/null
+++ b/queue-4.14/arm-dts-socfpga-fix-nand-controller-node-compatible.patch
@@ -0,0 +1,35 @@
+From d9a695f3c8098ac9684689774a151cff30d8aa25 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Thu, 10 May 2018 14:52:23 +0200
+Subject: ARM: dts: socfpga: Fix NAND controller node compatible
+
+From: Marek Vasut
+
+commit d9a695f3c8098ac9684689774a151cff30d8aa25 upstream.
+
+The compatible string for the Denali NAND controller is incorrect,
+fix it by replacing it with one matching the DT bindings and the
+driver.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Marek Vasut
+Fixes: d837a80d19 ("ARM: dts: socfpga: add nand controller nodes")
+Cc: Steffen Trumtrar
+Signed-off-by: Dinh Nguyen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/socfpga.dtsi | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/boot/dts/socfpga.dtsi
++++ b/arch/arm/boot/dts/socfpga.dtsi
+@@ -744,7 +744,7 @@
+ nand0: nand@ff900000 {
+ #address-cells = <0x1>;
+ #size-cells = <0x1>;
+- compatible = "denali,denali-nand-dt";
++ compatible = "altr,socfpga-denali-nand";
+ reg = <0xff900000 0x100000>,
+ <0xffb80000 0x10000>;
+ reg-names = "nand_data", "denali_reg";
diff --git a/queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch b/queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
new file mode 100644
index 00000000000..80fb58e6bfb
--- /dev/null
+++ b/queue-4.14/arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
@@ -0,0 +1,44 @@
+From d5b4885b1dff72ac670b518cfeaac719d768bd4d Mon Sep 17 00:00:00 2001
+From: Jerome Brunet
+Date: Thu, 26 Apr 2018 12:50:46 +0200
+Subject: ARM64: dts: meson: disable sd-uhs modes on the libretech-cc
+
+From: Jerome Brunet
+
+commit d5b4885b1dff72ac670b518cfeaac719d768bd4d upstream.
+
+There is a problem with the sd-uhs mode when doing a soft reboot.
+Switching back from 1.8v to 3.3v messes with the card, which no longer
+respond (timeout errors). According to the specification, we should
+perform a card reset (power cycling the card) but this is something we
+cannot control on this design.
+
+Then the only solution to restore the communication with the card is an
+"unplug-plug" which is not acceptable
+
+Until we find a solution, if any, disable the sd-uhs modes on this design.
+For the people using uhs at the moment, there will a performance drop as
+a result.
+
+Fixes: 3cde63ebc85c ("ARM64: dts: meson-gxl: libretech-cc: enable high speed modes")
+Signed-off-by: Jerome Brunet
+Cc: stable@vger.kernel.org
+Signed-off-by: Kevin Hilman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
++++ b/arch/arm64/boot/dts/amlogic/meson-gxl-s905x-libretech-cc.dts
+@@ -205,9 +205,6 @@
+
+ bus-width = <4>;
+ cap-sd-highspeed;
+- sd-uhs-sdr12;
+- sd-uhs-sdr25;
+- sd-uhs-sdr50;
+ max-frequency = <100000000>;
+ disable-wp;
+
diff --git a/queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch b/queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
new file mode 100644
index 00000000000..4f36090c308
--- /dev/null
+++ b/queue-4.14/arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
@@ -0,0 +1,72 @@
+From 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 Mon Sep 17 00:00:00 2001
+From: Dave Martin
+Date: Thu, 7 Jun 2018 12:32:05 +0100
+Subject: arm64: Fix syscall restarting around signal suppressed by tracer
+
+From: Dave Martin
+
+commit 0fe42512b2f03f9e5a20b9f55ef1013a68b4cd48 upstream.
+
+Commit 17c2895 ("arm64: Abstract syscallno manipulation") abstracts
+out the pt_regs.syscallno value for a syscall cancelled by a tracer
+as NO_SYSCALL, and provides helpers to set and check for this
+condition. However, the way this was implemented has the
+unintended side-effect of disabling part of the syscall restart
+logic.
+
+This comes about because the second in_syscall() check in
+do_signal() re-evaluates the "in a syscall" condition based on the
+updated pt_regs instead of the original pt_regs. forget_syscall()
+is explicitly called prior to the second check in order to prevent
+restart logic in the ret_to_user path being spuriously triggered,
+which means that the second in_syscall() check always yields false.
+
+This triggers a failure in
+tools/testing/selftests/seccomp/seccomp_bpf.c, when using ptrace to
+suppress a signal that interrups a nanosleep() syscall.
+
+Misbehaviour of this type is only expected in the case where a
+tracer suppresses a signal and the target process is either being
+single-stepped or the interrupted syscall attempts to restart via
+-ERESTARTBLOCK.
+
+This patch restores the old behaviour by performing the
+in_syscall() check only once at the start of the function.
+
+Fixes: 17c289586009 ("arm64: Abstract syscallno manipulation")
+Signed-off-by: Dave Martin
+Reported-by: Sumit Semwal
+Cc: Will Deacon
+Cc: # 4.14.x-
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/signal.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/signal.c
++++ b/arch/arm64/kernel/signal.c
+@@ -676,11 +676,12 @@ static void do_signal(struct pt_regs *re
+ unsigned long continue_addr = 0, restart_addr = 0;
+ int retval = 0;
+ struct ksignal ksig;
++ bool syscall = in_syscall(regs);
+
+ /*
+ * If we were from a system call, check for system call restarting...
+ */
+- if (in_syscall(regs)) {
++ if (syscall) {
+ continue_addr = regs->pc;
+ restart_addr = continue_addr - (compat_thumb_mode(regs) ? 2 : 4);
+ retval = regs->regs[0];
+@@ -732,7 +733,7 @@ static void do_signal(struct pt_regs *re
+ * Handle restarting a different system call. As above, if a debugger
+ * has chosen to restart at a different PC, ignore the restart.
+ */
+- if (in_syscall(regs) && regs->pc == restart_addr) {
++ if (syscall && regs->pc == restart_addr) {
+ if (retval == -ERESTART_RESTARTBLOCK)
+ setup_restart_syscall(regs);
+ user_rewind_single_step(current);
diff --git a/queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch b/queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch
new file mode 100644
index 00000000000..53929b98637
--- /dev/null
+++ b/queue-4.14/arm64-kpti-use-early_param-for-kpti-command-line-option.patch
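Review bot: The new `bool syscall = in_syscall(regs);` in do_signal() carries no comment explaining why the value must be sampled once, so a later cleanup could fold it back into a second `in_syscall(regs)` call and quietly reintroduce the broken restart path. The commit message gives the reason: forget_syscall() runs before the second check and makes a re-evaluation always false. That belongs next to the declaration, for example `/* Sample once: forget_syscall() later clears the state in_syscall() tests. */`. do_signal() starts before the first inner hunk and continues past the second, so the forget_syscall() call itself is not visible here.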
@@ -0,0 +1,39 @@
+From b5b7dd647f2d21b93f734ce890671cd908e69b0a Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 22 Jun 2018 10:25:25 +0100
+Subject: arm64: kpti: Use early_param for kpti= command-line option
+
+From: Will Deacon
+
+commit b5b7dd647f2d21b93f734ce890671cd908e69b0a upstream.
+
+We inspect __kpti_forced early on as part of the cpufeature enable
+callback which remaps the swapper page table using non-global entries.
+
+Ensure that __kpti_forced has been updated to reflect the kpti=
+command-line option before we start using it.
+
+Fixes: ea1e3de85e94 ("arm64: entry: Add fake CPU feature for unmapping the kernel at EL0")
+Cc: # 4.16.x-
+Reported-by: Wei Xu
+Tested-by: Sudeep Holla
+Tested-by: Wei Xu
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kernel/cpufeature.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm64/kernel/cpufeature.c
++++ b/arch/arm64/kernel/cpufeature.c
+@@ -877,7 +877,7 @@ static int __init parse_kpti(char *str)
+ __kpti_forced = enabled ? 1 : -1;
+ return 0;
+ }
+-__setup("kpti=", parse_kpti);
++early_param("kpti", parse_kpti);
+ #endif /* CONFIG_UNMAP_KERNEL_AT_EL0 */
+
+ static const struct arm64_cpu_capabilities arm64_features[] = {
diff --git a/queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch b/queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
new file mode 100644
index 00000000000..eac86b3a023
--- /dev/null
+++ b/queue-4.14/arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
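Review bot: Registering the handler with `early_param("kpti", parse_kpti)` changes what it can be called with: unlike `__setup("kpti=", ...)`, an early_param handler also matches a bare `kpti` on the command line and can then receive a NULL `str`. The start of parse_kpti() is outside the hunk, so confirm that it rejects NULL before parsing, e.g. `if (!str) return -EINVAL;`, or that the helper it calls does. Because this option can force the kernel-unmapping mitigation off, a short comment on the registration would also help, stating that it must be parsed before the cpufeature enable callback reads `__kpti_forced`.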
@@ -0,0 +1,44 @@
+From 71c8fc0c96abf8e53e74ed4d891d671e585f9076 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 22 Jun 2018 16:23:45 +0100
+Subject: arm64: mm: Ensure writes to swapper are ordered wrt subsequent cache maintenance
+
+From: Will Deacon
+
+commit 71c8fc0c96abf8e53e74ed4d891d671e585f9076 upstream.
+
+When rewriting swapper using nG mappings, we must performance cache
+maintenance around each page table access in order to avoid coherency
+problems with the host's cacheable alias under KVM. To ensure correct
+ordering of the maintenance with respect to Device memory accesses made
+with the Stage-1 MMU disabled, DMBs need to be added between the
+maintenance and the corresponding memory access.
+
+This patch adds a missing DMB between writing a new page table entry and
+performing a clean+invalidate on the same line.
+
+Fixes: f992b4dfd58b ("arm64: kpti: Add ->enable callback to remap swapper using nG mappings")
+Cc: # 4.16.x-
+Acked-by: Mark Rutland
+Signed-off-by: Will Deacon
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/mm/proc.S | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -196,8 +196,9 @@ ENDPROC(idmap_cpu_replace_ttbr1)
+
+ .macro __idmap_kpti_put_pgtable_ent_ng, type
+ orr \type, \type, #PTE_NG // Same bit for blocks and pages
+- str \type, [cur_\()\type\()p] // Update the entry and ensure it
+- dc civac, cur_\()\type\()p // is visible to all CPUs.
++ str \type, [cur_\()\type\()p] // Update the entry and ensure
++ dmb sy // that it is visible to all
++ dc civac, cur_\()\type\()p // CPUs.
+ .endm
+
+ /*
diff --git a/queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch b/queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
new file mode 100644
index 00000000000..b66d92dab8f
--- /dev/null
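Review bot: The comment beside the new `dmb sy` in __idmap_kpti_put_pgtable_ent_ng is only the middle of a sentence spread over three instructions, so the barrier's own purpose is never stated. The commit message gives the reason: the page-table store must be ordered before the clean+invalidate of the same line, for accesses made with the Stage-1 MMU disabled. Putting that on the instruction, e.g. `dmb sy // order the PTE store before the dc civac below`, would make the barrier much less likely to be dropped later as redundant.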
+++ b/queue-4.14/bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
@@ -0,0 +1,42 @@
+From 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 Mon Sep 17 00:00:00 2001
+From: Amit Pundir
+Date: Mon, 16 Apr 2018 12:10:24 +0530
+Subject: Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
+
+From: Amit Pundir
+
+commit 7dc5fe0814c35ec4e7d2e8fa30abab72e0e6a172 upstream.
+
+AOSP use userspace firmware loader to load firmwares, which will
+return -EAGAIN in case qca/rampatch_00440302.bin is not found.
+Since there is no rampatch for dragonboard820c QCA controller
+revision, just make it work as is.
+
+CC: Loic Poulain
+CC: Nicolas Dechesne
+CC: Marcel Holtmann
+CC: Johan Hedberg
+CC: Stable
+Signed-off-by: Amit Pundir
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/hci_qca.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/bluetooth/hci_qca.c
++++ b/drivers/bluetooth/hci_qca.c
+@@ -936,6 +936,12 @@ static int qca_setup(struct hci_uart *hu
+ } else if (ret == -ENOENT) {
+ /* No patch/nvm-config found, run with original fw/config */
+ ret = 0;
++ } else if (ret == -EAGAIN) {
++ /*
++ * Userspace firmware loader will return -EAGAIN in case no
++ * patch/nvm-config is found, so run with original fw/config.
++ */
++ ret = 0;
+ }
+
+ /* Setup bdaddr */
diff --git a/queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch b/queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch
new file mode 100644
index 00000000000..af46047f0be
--- /dev/null
+++ b/queue-4.14/branch-check-fix-long-int-truncation-when-profiling-branches.patch
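Review bot: The new `-EAGAIN` branch in qca_setup() treats every -EAGAIN as "no rampatch available" and continues silently, so a transient loader failure on a controller that does need a patch would also leave it running its original firmware with no trace in the log. Consider emitting a message when this path is taken, and fold the branch into the existing one since both only set `ret = 0`: `} else if (ret == -ENOENT || ret == -EAGAIN) {`. Which call produced `ret`, and whether -EAGAIN can mean anything other than a missing file, is not visible in this hunk; qca_setup() starts and ends outside it.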
@@ -0,0 +1,41 @@
+From 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Wed, 30 May 2018 08:19:22 -0400
+Subject: branch-check: fix long->int truncation when profiling branches
+
+From: Mikulas Patocka
+
+commit 2026d35741f2c3ece73c11eb7e4a15d7c2df9ebe upstream.
+
+The function __builtin_expect returns long type (see the gcc
+documentation), and so do macros likely and unlikely. Unfortunatelly, when
+CONFIG_PROFILE_ANNOTATED_BRANCHES is selected, the macros likely and
+unlikely expand to __branch_check__ and __branch_check__ truncates the
+long type to int. This unintended truncation may cause bugs in various
+kernel code (we found a bug in dm-writecache because of it), so it's
+better to fix __branch_check__ to return long.
+
+Link: http://lkml.kernel.org/r/alpine.LRH.2.02.1805300818140.24812@file01.intranet.prod.int.rdu2.redhat.com
+
+Cc: Ingo Molnar
+Cc: stable@vger.kernel.org
+Fixes: 1f0d69a9fc815 ("tracing: profile likely and unlikely annotations")
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/compiler.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/compiler.h
++++ b/include/linux/compiler.h
+@@ -21,7 +21,7 @@ void ftrace_likely_update(struct ftrace_
+ #define unlikely_notrace(x) __builtin_expect(!!(x), 0)
+
+ #define __branch_check__(x, expect, is_constant) ({ \
+- int ______r; \
++ long ______r; \
+ static struct ftrace_likely_data \
+ __attribute__((__aligned__(4))) \
+ __attribute__((section("_ftrace_annotated_branch"))) \
diff --git a/queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch b/queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
new file mode 100644
index 00000000000..63f73eb828f
--- /dev/null
+++ b/queue-4.14/cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
@@ -0,0 +1,146 @@
+From 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 Mon Sep 17 00:00:00 2001
+From: "Gautham R. Shenoy"
+Date: Thu, 31 May 2018 17:45:09 +0530
+Subject: cpuidle: powernv: Fix promotion from snooze if next state disabled
+
+From: Gautham R. Shenoy
+
+commit 0a4ec6aa035a52c422eceb2ed51ed88392a3d6c2 upstream.
+
+The commit 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of
+snooze to deeper idle state") introduced a timeout for the snooze idle
+state so that it could be eventually be promoted to a deeper idle
+state. The snooze timeout value is static and set to the target
+residency of the next idle state, which would train the cpuidle
+governor to pick the next idle state eventually.
+
+The unfortunate side-effect of this is that if the next idle state(s)
+is disabled, the CPU will forever remain in snooze, despite the fact
+that the system is completely idle, and other deeper idle states are
+available.
+
+This patch fixes the issue by dynamically setting the snooze timeout
+to the target residency of the next enabled state on the device.
+
+Before Patch:
+ POWER8 : Only nap disabled.
+ $ cpupower monitor sleep 30
+ sleep took 30.01297 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | Nap | Fast
+ 0| 8| 0| 96.41| 0.00| 0.00
+ 0| 8| 1| 96.43| 0.00| 0.00
+ 0| 8| 2| 96.47| 0.00| 0.00
+ 0| 8| 3| 96.35| 0.00| 0.00
+ 0| 8| 4| 96.37| 0.00| 0.00
+ 0| 8| 5| 96.37| 0.00| 0.00
+ 0| 8| 6| 96.47| 0.00| 0.00
+ 0| 8| 7| 96.47| 0.00| 0.00
+
+ POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+ stop2) disabled:
+ $ cpupower monitor sleep 30
+ sleep took 30.05033 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+ 0| 16| 0| 89.79| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 1| 90.12| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 2| 90.21| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+ 0| 16| 3| 90.29| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00
+
+After Patch:
+ POWER8 : Only nap disabled.
+ $ cpupower monitor sleep 30
+ sleep took 30.01200 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | Nap | Fast
+ 0| 8| 0| 16.58| 0.00| 77.21
+ 0| 8| 1| 18.42| 0.00| 75.38
+ 0| 8| 2| 4.70| 0.00| 94.09
+ 0| 8| 3| 17.06| 0.00| 81.73
+ 0| 8| 4| 3.06| 0.00| 95.73
+ 0| 8| 5| 7.00| 0.00| 96.80
+ 0| 8| 6| 1.00| 0.00| 98.79
+ 0| 8| 7| 5.62| 0.00| 94.17
+
+ POWER9: Shallow states (stop0lite, stop1lite, stop2lite, stop0, stop1,
+ stop2) disabled:
+
+ $ cpupower monitor sleep 30
+ sleep took 30.02110 seconds and exited with status 0
+ |Idle_Stats
+ PKG |CORE|CPU | snoo | stop | stop | stop | stop | stop | stop | stop | stop
+ 0| 0| 0| 0.69| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 9.39| 89.70
+ 0| 0| 1| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.05| 93.21
+ 0| 0| 2| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 89.93
+ 0| 0| 3| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 0.00| 93.26
+
+Fixes: 78eaa10f027c ("cpuidle: powernv/pseries: Auto-promotion of snooze to deeper idle state")
+Cc: stable@vger.kernel.org # v4.2+
+Signed-off-by: Gautham R. Shenoy
+Reviewed-by: Balbir Singh
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpuidle/cpuidle-powernv.c | 32 ++++++++++++++++++++++++++------
+ 1 file changed, 26 insertions(+), 6 deletions(-)
+
+--- a/drivers/cpuidle/cpuidle-powernv.c
++++ b/drivers/cpuidle/cpuidle-powernv.c
+@@ -43,9 +43,31 @@ struct stop_psscr_table {
+
+ static struct stop_psscr_table stop_psscr_table[CPUIDLE_STATE_MAX] __read_mostly;
+
+-static u64 snooze_timeout __read_mostly;
++static u64 default_snooze_timeout __read_mostly;
+ static bool snooze_timeout_en __read_mostly;
+
++static u64 get_snooze_timeout(struct cpuidle_device *dev,
++ struct cpuidle_driver *drv,
++ int index)
++{
++ int i;
++
++ if (unlikely(!snooze_timeout_en))
++ return default_snooze_timeout;
++
++ for (i = index + 1; i < drv->state_count; i++) {
++ struct cpuidle_state *s = &drv->states[i];
++ struct cpuidle_state_usage *su = &dev->states_usage[i];
++
++ if (s->disabled || su->disable)
++ continue;
++
++ return s->target_residency * tb_ticks_per_usec;
++ }
++
++ return default_snooze_timeout;
++}
++
+ static int snooze_loop(struct cpuidle_device *dev,
+ struct cpuidle_driver *drv,
+ int index)
+@@ -56,7 +78,7 @@ static int snooze_loop(struct cpuidle_de
+
+ local_irq_enable();
+
+- snooze_exit_time = get_tb() + snooze_timeout;
++ snooze_exit_time = get_tb() + get_snooze_timeout(dev, drv, index);
+ ppc64_runlatch_off();
+ HMT_very_low();
+ while (!need_resched()) {
+@@ -463,11 +485,9 @@ static int powernv_idle_probe(void)
+ cpuidle_state_table = powernv_states;
+ /* Device tree can indicate more idle states */
+ max_idle_state = powernv_add_idle_states();
+- if (max_idle_state > 1) {
++ default_snooze_timeout = TICK_USEC * tb_ticks_per_usec;
++ if (max_idle_state > 1)
+ snooze_timeout_en = true;
+- snooze_timeout = powernv_states[1].target_residency *
+- tb_ticks_per_usec;
+- }
+ } else
+ return -ENODEV;
+
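Review bot: get_snooze_timeout() is added without a comment, and its two fallbacks to `default_snooze_timeout` (promotion disabled, or no enabled state above `index`) are easy to read as one case. A header such as `/* Snooze timeout in timebase ticks: target residency of the next enabled state above @index, else default_snooze_timeout (one tick) */` would state the unit and the fallback. It is also worth saying in that comment that a state is skipped when either the driver-level `s->disabled` or the per-device `su->disable` flag is set, since the loop depends on both.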
diff --git a/queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch b/queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch
new file mode 100644
index 00000000000..555b682a370
--- /dev/null
+++ b/queue-4.14/cxl-disable-prefault_mode-in-radix-mode.patch
@@ -0,0 +1,100 @@
+From b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain
+Date: Fri, 18 May 2018 15:12:23 +0530
+Subject: cxl: Disable prefault_mode in Radix mode
+
+From: Vaibhav Jain
+
+commit b6c84ba22ff3a198eb8d5552cf9b8fda1d792e54 upstream.
+
+Currently we see a kernel-oops reported on Power-9 while attaching a
+context to an AFU, with radix-mode and sysfs attr 'prefault_mode' set
+to anything other than 'none'. The backtrace of the oops is of this
+form:
+
+ Unable to handle kernel paging request for data at address 0x00000080
+ Faulting instruction address: 0xc00800000bcf3b20
+ cpu 0x1: Vector: 300 (Data Access) at [c00000037f003800]
+ pc: c00800000bcf3b20: cxl_load_segment+0x178/0x290 [cxl]
+ lr: c00800000bcf39f0: cxl_load_segment+0x48/0x290 [cxl]
+ sp: c00000037f003a80
+ msr: 9000000000009033
+ dar: 80
+ dsisr: 40000000
+ current = 0xc00000037f280000
+ paca = 0xc0000003ffffe600 softe: 3 irq_happened: 0x01
+ pid = 3529, comm = afp_no_int
+
+ cxl_prefault+0xfc/0x248 [cxl]
+ process_element_entry_psl9+0xd8/0x1a0 [cxl]
+ cxl_attach_dedicated_process_psl9+0x44/0x130 [cxl]
+ native_attach_process+0xc0/0x130 [cxl]
+ afu_ioctl+0x3f4/0x5e0 [cxl]
+ do_vfs_ioctl+0xdc/0x890
+ ksys_ioctl+0x68/0xf0
+ sys_ioctl+0x40/0xa0
+ system_call+0x58/0x6c
+
+The issue is caused as on Power-8 the AFU attr 'prefault_mode' was
+used to improve initial storage fault performance by prefaulting
+process segments. However on Power-9 with radix mode we don't have
+Storage-Segments that we can prefault. Also prefaulting process Pages
+will be too costly and fine-grained.
+
+Hence, since the prefaulting mechanism doesn't makes sense of
+radix-mode, this patch updates prefault_mode_store() to not allow any
+other value apart from CXL_PREFAULT_NONE when radix mode is enabled.
+
+Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
+Cc: stable@vger.kernel.org # v4.12+
+Signed-off-by: Vaibhav Jain
+Acked-by: Frederic Barrat
+Acked-by: Andrew Donnellan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/ABI/testing/sysfs-class-cxl | 4 +++-
+ drivers/misc/cxl/sysfs.c | 16 ++++++++++++----
+ 2 files changed, 15 insertions(+), 5 deletions(-)
+
+--- a/Documentation/ABI/testing/sysfs-class-cxl
++++ b/Documentation/ABI/testing/sysfs-class-cxl
+@@ -69,7 +69,9 @@ Date: September 2014
+ Contact: linuxppc-dev@lists.ozlabs.org
+ Description: read/write
+ Set the mode for prefaulting in segments into the segment table
+- when performing the START_WORK ioctl. Possible values:
++ when performing the START_WORK ioctl. Only applicable when
++ running under hashed page table mmu.
++ Possible values:
+ none: No prefaulting (default)
+ work_element_descriptor: Treat the work element
+ descriptor as an effective address and
+--- a/drivers/misc/cxl/sysfs.c
++++ b/drivers/misc/cxl/sysfs.c
+@@ -331,12 +331,20 @@ static ssize_t prefault_mode_store(struc
+ struct cxl_afu *afu = to_cxl_afu(device);
+ enum prefault_modes mode = -1;
+
+- if (!strncmp(buf, "work_element_descriptor", 23))
+- mode = CXL_PREFAULT_WED;
+- if (!strncmp(buf, "all", 3))
+- mode = CXL_PREFAULT_ALL;
+ if (!strncmp(buf, "none", 4))
+ mode = CXL_PREFAULT_NONE;
++ else {
++ if (!radix_enabled()) {
++
++ /* only allowed when not in radix mode */
++ if (!strncmp(buf, "work_element_descriptor", 23))
++ mode = CXL_PREFAULT_WED;
++ if (!strncmp(buf, "all", 3))
++ mode = CXL_PREFAULT_ALL;
++ } else {
++ dev_err(device, "Cannot prefault with radix enabled\n");
++ }
++ }
+
+ if (mode == -1)
+ return -EINVAL;
diff --git a/queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch b/queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch
new file mode 100644
index 00000000000..f4208312bc5
--- /dev/null
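Review bot: In prefault_mode_store() the radix branch logs `Cannot prefault with radix enabled` for every write that is not "none", including strings that are not a valid mode at all, and it does so through an unthrottled dev_err() that anyone permitted to write the attribute can trigger repeatedly. Parsing the value first and only then rejecting a valid non-none mode under radix would keep the message accurate, and `dev_err_ratelimited(device, ...)` bounds the log volume. The matching is also prefix-only (`strncmp(buf, "all", 3)` accepts longer strings that merely start with "all"), which `sysfs_streq(buf, "all")` would tighten, although that predates this change. The function starts and ends outside the hunk.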
+++ b/queue-4.14/fuse-atomic_o_trunc-should-truncate-pagecache.patch
@@ -0,0 +1,52 @@
+From df0e91d488276086bc07da2e389986cae0048c37 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 8 Feb 2018 15:17:38 +0100
+Subject: fuse: atomic_o_trunc should truncate pagecache
+
+From: Miklos Szeredi
+
+commit df0e91d488276086bc07da2e389986cae0048c37 upstream.
+
+Fuse has an "atomic_o_trunc" mode, where userspace filesystem uses the
+O_TRUNC flag in the OPEN request to truncate the file atomically with the
+open.
+
+In this mode there's no need to send a SETATTR request to userspace after
+the open, so fuse_do_setattr() checks this mode and returns. But this
+misses the important step of truncating the pagecache.
+
+Add the missing parts of truncation to the ATTR_OPEN branch.
+
+Reported-by: Chad Austin
+Fixes: 6ff958edbf39 ("fuse: add atomic open+truncate support")
+Signed-off-by: Miklos Szeredi
+Cc:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dir.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/fs/fuse/dir.c
++++ b/fs/fuse/dir.c
+@@ -1629,8 +1629,19 @@ int fuse_do_setattr(struct dentry *dentr
+ return err;
+
+ if (attr->ia_valid & ATTR_OPEN) {
+- if (fc->atomic_o_trunc)
++ /* This is coming from open(..., ... | O_TRUNC); */
++ WARN_ON(!(attr->ia_valid & ATTR_SIZE));
++ WARN_ON(attr->ia_size != 0);
++ if (fc->atomic_o_trunc) {
++ /*
++ * No need to send request to userspace, since actual
++ * truncation has already been done by OPEN. But still
++ * need to truncate page cache.
++ */
++ i_size_write(inode, 0);
++ truncate_pagecache(inode, 0);
+ return 0;
++ }
+ file = NULL;
+ }
+
diff --git a/queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch b/queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
new file mode 100644
index 00000000000..8dbf08e452e
--- /dev/null
+++ b/queue-4.14/fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
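Review bot: The two added `WARN_ON()` checks in the ATTR_OPEN branch of fuse_do_setattr() only log; when `attr->ia_size != 0` or ATTR_SIZE is missing, the code still goes on to `i_size_write(inode, 0)` and `truncate_pagecache(inode, 0)`, discarding cached data on an input the code itself treats as unexpected. If the condition is reachable, bailing out is safer than truncating, for example `if (WARN_ON_ONCE(attr->ia_size != 0)) return -EIO;`, and the `_ONCE` form avoids repeated splats and a reboot under panic_on_warn. Whether any caller can pass ATTR_OPEN with a non-zero size is not visible in the hunk, so this is a hardening suggestion; the function continues outside the hunk.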
@@ -0,0 +1,41 @@
+From 543b8f8662fe6d21f19958b666ab0051af9db21a Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Tue, 1 May 2018 13:12:14 +0900
+Subject: fuse: don't keep dead fuse_conn at fuse_fill_super().
+
+From: Tetsuo Handa
+
+commit 543b8f8662fe6d21f19958b666ab0051af9db21a upstream.
+
+syzbot is reporting use-after-free at fuse_kill_sb_blk() [1].
+Since sb->s_fs_info field is not cleared after fc was released by
+fuse_conn_put() when initialization failed, fuse_kill_sb_blk() finds
+already released fc and tries to hold the lock. Fix this by clearing
+sb->s_fs_info field after calling fuse_conn_put().
+
+[1] https://syzkaller.appspot.com/bug?id=a07a680ed0a9290585ca424546860464dd9658db
+
+Signed-off-by: Tetsuo Handa
+Reported-by: syzbot
+Fixes: 3b463ae0c626 ("fuse: invalidation reverse calls")
+Cc: John Muir
+Cc: Csaba Henk
+Cc: Anand Avati
+Cc: # v2.6.31
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/inode.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fs/fuse/inode.c
++++ b/fs/fuse/inode.c
+@@ -1176,6 +1176,7 @@ static int fuse_fill_super(struct super_
+ fuse_dev_free(fud);
+ err_put_conn:
+ fuse_conn_put(fc);
++ sb->s_fs_info = NULL;
+ err_fput:
+ fput(file);
+ err:
diff --git a/queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch b/queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch
new file mode 100644
index 00000000000..65ae7641b2b
--- /dev/null
+++ b/queue-4.14/fuse-fix-congested-state-leak-on-aborted-connections.patch
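Review bot: The added `sb->s_fs_info = NULL;` under `err_put_conn:` carries no comment, and the reason it has to follow fuse_conn_put() is not obvious from the error ladder alone. A line such as `/* fc may be freed by the put above; clear the pointer so the kill_sb path does not see a stale fc */` would record why the order matters for the use-after-free being fixed. It is also worth confirming that no error label can be reached after `s_fs_info` was set without passing through `err_put_conn`; the place where the field is assigned is outside the hunk.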
@@ -0,0 +1,49 @@
+From 8a301eb16d99983a4961f884690ec97b92e7dcfe Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Fri, 2 Feb 2018 09:54:14 -0800
+Subject: fuse: fix congested state leak on aborted connections
+
+From: Tejun Heo
+
+commit 8a301eb16d99983a4961f884690ec97b92e7dcfe upstream.
+
+If a connection gets aborted while congested, FUSE can leave
+nr_wb_congested[] stuck until reboot causing wait_iff_congested() to
+wait spuriously which can lead to severe performance degradation.
+
+The leak is caused by gating congestion state clearing with
+fc->connected test in request_end(). This was added way back in 2009
+by 26c3679101db ("fuse: destroy bdi on umount"). While the commit
+description doesn't explain why the test was added, it most likely was
+to avoid dereferencing bdi after it got destroyed.
+
+Since then, bdi lifetime rules have changed many times and now we're
+always guaranteed to have access to the bdi while the superblock is
+alive (fc->sb).
+
+Drop fc->connected conditional to avoid leaking congestion states.
+
+Signed-off-by: Tejun Heo
+Reported-by: Joshua Miller
+Cc: Johannes Weiner
+Cc: stable@vger.kernel.org # v2.6.29+
+Acked-by: Jan Kara
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/dev.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -381,8 +381,7 @@ static void request_end(struct fuse_conn
+ if (!fc->blocked && waitqueue_active(&fc->blocked_waitq))
+ wake_up(&fc->blocked_waitq);
+
+- if (fc->num_background == fc->congestion_threshold &&
+- fc->connected && fc->sb) {
++ if (fc->num_background == fc->congestion_threshold && fc->sb) {
+ clear_bdi_congested(fc->sb->s_bdi, BLK_RW_SYNC);
+ clear_bdi_congested(fc->sb->s_bdi, BLK_RW_ASYNC);
+ }
diff --git a/queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch b/queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch
new file mode 100644
index 00000000000..af9f9127706
--- /dev/null
+++ b/queue-4.14/fuse-fix-control-dir-setup-and-teardown.patch
@@ -0,0 +1,68 @@
+From 6becdb601bae2a043d7fb9762c4d48699528ea6e Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 31 May 2018 12:26:10 +0200
+Subject: fuse: fix control dir setup and teardown
+
+From: Miklos Szeredi
+
+commit 6becdb601bae2a043d7fb9762c4d48699528ea6e upstream.
+
+syzbot is reporting NULL pointer dereference at fuse_ctl_remove_conn() [1].
+Since fc->ctl_ndents is incremented by fuse_ctl_add_conn() when new_inode()
+failed, fuse_ctl_remove_conn() reaches an inode-less dentry and tries to
+clear d_inode(dentry)->i_private field.
+
+Fix by only adding the dentry to the array after being fully set up.
+
+When tearing down the control directory, do d_invalidate() on it to get rid
+of any mounts that might have been added.
+
+[1] https://syzkaller.appspot.com/bug?id=f396d863067238959c91c0b7cfc10b163638cac6
+Reported-by: syzbot
+Fixes: bafa96541b25 ("[PATCH] fuse: add control filesystem")
+Cc: # v2.6.18
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/fuse/control.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/fs/fuse/control.c
++++ b/fs/fuse/control.c
+@@ -211,10 +211,11 @@ static struct dentry *fuse_ctl_add_dentr
+ if (!dentry)
+ return NULL;
+
+- fc->ctl_dentry[fc->ctl_ndents++] = dentry;
+ inode = new_inode(fuse_control_sb);
+- if (!inode)
++ if (!inode) {
++ dput(dentry);
+ return NULL;
++ }
+
+ inode->i_ino = get_next_ino();
+ inode->i_mode = mode;
+@@ -228,6 +229,9 @@ static struct dentry *fuse_ctl_add_dentr
+ set_nlink(inode, nlink);
+ inode->i_private = fc;
+ d_add(dentry, inode);
++
++ fc->ctl_dentry[fc->ctl_ndents++] = dentry;
++
+ return dentry;
+ }
+
+@@ -284,7 +288,10 @@ void fuse_ctl_remove_conn(struct fuse_co
+ for (i = fc->ctl_ndents - 1; i >= 0; i--) {
+ struct dentry *dentry = fc->ctl_dentry[i];
+ d_inode(dentry)->i_private = NULL;
+- d_drop(dentry);
++ if (!i) {
++ /* Get rid of submounts: */
++ d_invalidate(dentry);
++ }
+ dput(dentry);
+ }
+ drop_nlink(d_inode(fuse_control_sb->s_root));
diff --git a/queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch b/queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
new file mode 100644
index 00000000000..6f8fdab3296
--- /dev/null
+++ b/queue-4.14/ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
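Review bot: In fuse_ctl_remove_conn() the new `if (!i)` test relies on `ctl_dentry[0]` being the per-connection directory, which the hunk does not state and which now depends on the order in which fuse_ctl_add_dentry() stores entries. A comment such as `/* ctl_dentry[0] is the connection directory; invalidating it also detaches its children and any mounts on it */` would make that assumption explicit, if it is indeed the case. The line above, `d_inode(dentry)->i_private = NULL`, still assumes every stored dentry has an inode, which holds only because the array store was moved after d_add(); a short note at the store would keep the two in step. Both functions extend outside their hunks.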
@@ -0,0 +1,68 @@
+From 08bb558ac11ab944e0539e78619d7b4c356278bd Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Wed, 23 May 2018 15:30:30 +0300
+Subject: IB/core: Make testing MR flags for writability a static inline function
+
+From: Jack Morgenstein
+
+commit 08bb558ac11ab944e0539e78619d7b4c356278bd upstream.
+
+Make the MR writability flags check, which is performed in umem.c,
+a static inline function in file ib_verbs.h
+
+This allows the function to be used by low-level infiniband drivers.
+
+Cc:
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem.c | 11 +----------
+ include/rdma/ib_verbs.h | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -119,16 +119,7 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ umem->length = size;
+ umem->address = addr;
+ umem->page_shift = PAGE_SHIFT;
+- /*
+- * We ask for writable memory if any of the following
+- * access flags are set. "Local write" and "remote write"
+- * obviously require write access. "Remote atomic" can do
+- * things like fetch and add, which will modify memory, and
+- * "MW bind" can change permissions by binding a window.
+- */
+- umem->writable = !!(access &
+- (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE |
+- IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND));
++ umem->writable = ib_access_writable(access);
+
+ if (access & IB_ACCESS_ON_DEMAND) {
+ ret = ib_umem_odp_get(context, umem, access);
+--- a/include/rdma/ib_verbs.h
++++ b/include/rdma/ib_verbs.h
+@@ -3558,6 +3558,20 @@ static inline int ib_check_mr_access(int
+ return 0;
+ }
+
++static inline bool ib_access_writable(int access_flags)
++{
++ /*
++ * We have writable memory backing the MR if any of the following
++ * access flags are set. "Local write" and "remote write" obviously
++ * require write access. "Remote atomic" can do things like fetch and
++ * add, which will modify memory, and "MW bind" can change permissions
++ * by binding a window.
++ */
++ return access_flags &
++ (IB_ACCESS_LOCAL_WRITE | IB_ACCESS_REMOTE_WRITE |
++ IB_ACCESS_REMOTE_ATOMIC | IB_ACCESS_MW_BIND);
++}
++
+ /**
+ * ib_check_mr_status: lightweight check of MR status.
+ * This routine may provide status checks on a selected
diff --git a/queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch b/queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch
new file mode 100644
index 00000000000..8ef347b6fdd
--- /dev/null
+++ b/queue-4.14/ib-hfi1-fix-fault-injection-init-exit-issues.patch
@@ -0,0 +1,122 @@ +From 8c79d8223bb11b2f005695a32ddd3985de97727c Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Wed, 2 May 2018 06:42:44 -0700 +Subject: IB/hfi1: Fix fault injection init/exit issues + +From: Mike Marciniszyn + +commit 8c79d8223bb11b2f005695a32ddd3985de97727c upstream. + +There are config dependent code paths that expose panics in unload +paths both in this file and in debugfs_remove_recursive() because +CONFIG_FAULT_INJECTION and CONFIG_FAULT_INJECTION_DEBUG_FS can be +set independently. + +Having CONFIG_FAULT_INJECTION set and CONFIG_FAULT_INJECTION_DEBUG_FS +reset causes fault_create_debugfs_attr() to return an error. + +The debugfs.c routines tolerate failures, but the module unload panics +dereferencing a NULL in the two exit routines. If that is fixed, the +dir passed to debugfs_remove_recursive comes from a memory location +that was freed and potentially reused causing a segfault or corrupting +memory. + +Here is an example of the NULL deref panic: + +[66866.286829] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088 +[66866.295602] IP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] +[66866.301138] PGD 858496067 P4D 858496067 PUD 8433a7067 PMD 0 +[66866.307452] Oops: 0000 [#1] SMP +[66866.310953] Modules linked in: hfi1(-) rdmavt rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm iw_cm ib_cm ib_core rpcsec_gss_krb5 nfsv4 dns_resolver nfsv3 nfs fscache sb_edac x86_pkg_temp_thermal intel_powerclamp vfat fat coretemp kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel iTCO_wdt iTCO_vendor_support crypto_simd mei_me glue_helper cryptd mxm_wmi ipmi_si pcspkr lpc_ich sg mei ioatdma ipmi_devintf i2c_i801 mfd_core shpchp ipmi_msghandler wmi acpi_power_meter acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea sysfillrect sysimgblt igb fb_sys_fops ttm ahci ptp crc32c_intel libahci pps_core drm dca libata i2c_algo_bit i2c_core [last 
unloaded: opa_vnic] +[66866.385551] CPU: 8 PID: 7470 Comm: rmmod Not tainted 4.14.0-mam-tid-rdma #2 +[66866.393317] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS SE5C610.86B.01.01.0018.C4.072020161249 07/20/2016 +[66866.405252] task: ffff88084f28c380 task.stack: ffffc90008454000 +[66866.411866] RIP: 0010:hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] +[66866.417984] RSP: 0018:ffffc90008457da0 EFLAGS: 00010202 +[66866.423812] RAX: 0000000000000000 RBX: ffff880857de0000 RCX: 0000000180040001 +[66866.431773] RDX: 0000000180040002 RSI: ffffea0021088200 RDI: 0000000040000000 +[66866.439734] RBP: ffffc90008457da8 R08: ffff88084220e000 R09: 0000000180040001 +[66866.447696] R10: 000000004220e001 R11: ffff88084220e000 R12: ffff88085a31c000 +[66866.455657] R13: ffffffffa07c9820 R14: ffffffffa07c9890 R15: ffff881059d78100 +[66866.463618] FS: 00007f6876047740(0000) GS:ffff88085f800000(0000) knlGS:0000000000000000 +[66866.472644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[66866.479053] CR2: 0000000000000088 CR3: 0000000856357006 CR4: 00000000001606e0 +[66866.487013] Call Trace: +[66866.489747] remove_one+0x1f/0x220 [hfi1] +[66866.494221] pci_device_remove+0x39/0xc0 +[66866.498596] device_release_driver_internal+0x141/0x210 +[66866.504424] driver_detach+0x3f/0x80 +[66866.508409] bus_remove_driver+0x55/0xd0 +[66866.512784] driver_unregister+0x2c/0x50 +[66866.517164] pci_unregister_driver+0x2a/0xa0 +[66866.521934] hfi1_mod_cleanup+0x10/0xaa2 [hfi1] +[66866.526988] SyS_delete_module+0x171/0x250 +[66866.531558] do_syscall_64+0x67/0x1b0 +[66866.535644] entry_SYSCALL64_slow_path+0x25/0x25 +[66866.540792] RIP: 0033:0x7f6875525c27 +[66866.544777] RSP: 002b:00007ffd48528e78 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[66866.553224] RAX: ffffffffffffffda RBX: 0000000001cc01d0 RCX: 00007f6875525c27 +[66866.561185] RDX: 00007f6875596000 RSI: 0000000000000800 RDI: 0000000001cc0238 +[66866.569146] RBP: 0000000000000000 R08: 00007f68757e9060 R09: 00007f6875596000 +[66866.577120] R10: 
00007ffd48528c00 R11: 0000000000000206 R12: 00007ffd48529db4 +[66866.585080] R13: 0000000000000000 R14: 0000000001cc01d0 R15: 0000000001cc0010 +[66866.593040] Code: 90 0f 1f 44 00 00 48 83 3d a3 8b 03 00 00 55 48 89 e5 53 48 89 fb 74 4e 48 8d bf 18 0c 00 00 e8 9d f2 ff ff 48 8b 83 20 0c 00 00 <48> 8b b8 88 00 00 00 e8 2a 21 b3 e0 48 8b bb 20 0c 00 00 e8 0e +[66866.614127] RIP: hfi1_dbg_ibdev_exit+0x2a/0x80 [hfi1] RSP: ffffc90008457da0 +[66866.621885] CR2: 0000000000000088 +[66866.625618] ---[ end trace c4817425783fb092 ]--- + +Fix by insuring that upon failure from fault_create_debugfs_attr() the +parent pointer for the routines is always set to NULL and guards added +in the exit routines to insure that debugfs_remove_recursive() is not +called when when the parent pointer is NULL. + +Fixes: 0181ce31b260 ("IB/hfi1: Add receive fault injection feature") +Cc: # 4.14.x +Reviewed-by: Michael J. Ruhl +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/debugfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/debugfs.c ++++ b/drivers/infiniband/hw/hfi1/debugfs.c +@@ -1179,7 +1179,8 @@ DEBUGFS_FILE_OPS(fault_stats); + + static void fault_exit_opcode_debugfs(struct hfi1_ibdev *ibd) + { +- debugfs_remove_recursive(ibd->fault_opcode->dir); ++ if (ibd->fault_opcode) ++ debugfs_remove_recursive(ibd->fault_opcode->dir); + kfree(ibd->fault_opcode); + ibd->fault_opcode = NULL; + } +@@ -1207,6 +1208,7 @@ static int fault_init_opcode_debugfs(str + &ibd->fault_opcode->attr); + if (IS_ERR(ibd->fault_opcode->dir)) { + kfree(ibd->fault_opcode); ++ ibd->fault_opcode = NULL; + return -ENOENT; + } + +@@ -1230,7 +1232,8 @@ fail: + + static void fault_exit_packet_debugfs(struct hfi1_ibdev *ibd) + { +- debugfs_remove_recursive(ibd->fault_packet->dir); ++ if (ibd->fault_packet) ++ 
debugfs_remove_recursive(ibd->fault_packet->dir); + kfree(ibd->fault_packet); + ibd->fault_packet = NULL; + } +@@ -1256,6 +1259,7 @@ static int fault_init_packet_debugfs(str + &ibd->fault_opcode->attr); + if (IS_ERR(ibd->fault_packet->dir)) { + kfree(ibd->fault_packet); ++ ibd->fault_packet = NULL; + return -ENOENT; + } + diff --git a/queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch b/queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch new file mode 100644 index 00000000000..8f13e78708d --- /dev/null +++ b/queue-4.14/ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch 
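Review bot: The context line `&ibd->fault_opcode->attr);` in fault_init_packet_debugfs() passes the opcode object's attr while creating the fault_packet directory, and with this change `ibd->fault_opcode` can be NULL at that point if fault_init_opcode_debugfs() failed earlier. That looks like a copy-paste slip which the added `ibd->fault_opcode = NULL;` turns into a NULL-based pointer being handed to fault_create_debugfs_attr(); the argument should presumably be `&ibd->fault_packet->attr`. Whether the packet init still runs after a failed opcode init depends on the caller, which is outside the hunk.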
@@ -0,0 +1,123 @@
+From 1bc0299d976e000ececc6acd76e33b4582646cb7 Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Thu, 31 May 2018 11:30:09 -0700
+Subject: IB/hfi1: Fix user context tail allocation for DMA_RTAIL
+
+From: Mike Marciniszyn
+
+commit 1bc0299d976e000ececc6acd76e33b4582646cb7 upstream.
+
+The following code fails to allocate a buffer for the
+tail address that the hardware DMAs into when the user
+context DMA_RTAIL is set.
+
+if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
+ rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
+ &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
+ gfp_flags);
+ if (!rcd->rcvhdrtail_kvaddr)
+ goto bail_free;
+ rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
+}
+
+So the rcvhdrtail_kvaddr would then be NULL.
+
+The mmap logic fails to check for a NULL rcvhdrtail_kvaddr.
+
+The fix is to test for both user and kernel DMA_TAIL options
+during the allocation as well as testing for a NULL
+rcvhdrtail_kvaddr during the mmap processing.
+
+Additionally, all downstream testing of the capmask for DMA_RTAIL
+have been eliminated in favor of testing rcvhdrtail_kvaddr.
+
+Cc: # 4.9.x
+Reviewed-by: Michael J. Ruhl
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/chip.c | 8 ++++----
+ drivers/infiniband/hw/hfi1/file_ops.c | 2 +-
+ drivers/infiniband/hw/hfi1/init.c | 9 ++++-----
+ 3 files changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/chip.c
++++ b/drivers/infiniband/hw/hfi1/chip.c
+@@ -6829,7 +6829,7 @@ static void rxe_kernel_unfreeze(struct h
+ }
+ rcvmask = HFI1_RCVCTRL_CTXT_ENB;
+ /* HFI1_RCVCTRL_TAILUPD_[ENB|DIS] needs to be set explicitly */
+- rcvmask |= HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ?
++ rcvmask |= rcd->rcvhdrtail_kvaddr ?
+ HFI1_RCVCTRL_TAILUPD_ENB : HFI1_RCVCTRL_TAILUPD_DIS;
+ hfi1_rcvctrl(dd, rcvmask, rcd);
+ hfi1_rcd_put(rcd);
+@@ -8341,7 +8341,7 @@ static inline int check_packet_present(s
+ u32 tail;
+ int present;
+
+- if (!HFI1_CAP_IS_KSET(DMA_RTAIL))
++ if (!rcd->rcvhdrtail_kvaddr)
+ present = (rcd->seq_cnt ==
+ rhf_rcv_seq(rhf_to_cpu(get_rhf_addr(rcd))));
+ else /* is RDMA rtail */
+@@ -11813,7 +11813,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
+ /* reset the tail and hdr addresses, and sequence count */
+ write_kctxt_csr(dd, ctxt, RCV_HDR_ADDR,
+ rcd->rcvhdrq_dma);
+- if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL))
++ if (rcd->rcvhdrtail_kvaddr)
+ write_kctxt_csr(dd, ctxt, RCV_HDR_TAIL_ADDR,
+ rcd->rcvhdrqtailaddr_dma);
+ rcd->seq_cnt = 1;
+@@ -11893,7 +11893,7 @@ void hfi1_rcvctrl(struct hfi1_devdata *d
+ rcvctrl |= RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
+ if (op & HFI1_RCVCTRL_INTRAVAIL_DIS)
+ rcvctrl &= ~RCV_CTXT_CTRL_INTR_AVAIL_SMASK;
+- if (op & HFI1_RCVCTRL_TAILUPD_ENB && rcd->rcvhdrqtailaddr_dma)
++ if ((op & HFI1_RCVCTRL_TAILUPD_ENB) && rcd->rcvhdrtail_kvaddr)
+ rcvctrl |= RCV_CTXT_CTRL_TAIL_UPD_SMASK;
+ if (op & HFI1_RCVCTRL_TAILUPD_DIS) {
+ /* See comment on RcvCtxtCtrl.TailUpd above */
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -622,7 +622,7 @@ static int hfi1_file_mmap(struct file *f
+ ret = -EINVAL;
+ goto done;
+ }
+- if (flags & VM_WRITE) {
++ if ((flags & VM_WRITE) || !uctxt->rcvhdrtail_kvaddr) {
+ ret = -EPERM;
+ goto done;
+ }
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1808,7 +1808,6 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
+ u64 reg;
+
+ if (!rcd->rcvhdrq) {
+- dma_addr_t dma_hdrqtail;
+ gfp_t gfp_flags;
+
+ /*
+@@ -1834,13 +1833,13 @@ int hfi1_create_rcvhdrq(struct hfi1_devd
+ goto bail;
+ }
+
+- if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL)) {
++ if (HFI1_CAP_KGET_MASK(rcd->flags, DMA_RTAIL) ||
++ HFI1_CAP_UGET_MASK(rcd->flags, DMA_RTAIL)) {
+ rcd->rcvhdrtail_kvaddr = dma_zalloc_coherent(
+- &dd->pcidev->dev, PAGE_SIZE, &dma_hdrqtail,
+- gfp_flags);
++ &dd->pcidev->dev, PAGE_SIZE,
++ &rcd->rcvhdrqtailaddr_dma, gfp_flags);
+ if (!rcd->rcvhdrtail_kvaddr)
+ goto bail_free;
+- rcd->rcvhdrqtailaddr_dma = dma_hdrqtail;
+ }
+
+ rcd->rcvhdrq_size = amt;
diff --git a/queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch b/queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
new file mode 100644
index 00000000000..2ebdad9477a
--- /dev/null
+++ b/queue-4.14/ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
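Review bot: In hfi1_file_mmap() the combined test `(flags & VM_WRITE) || !uctxt->rcvhdrtail_kvaddr` returns -EPERM when the tail buffer was simply never allocated, which reports a missing resource as a permission failure. Splitting it keeps the error meaningful, for example `if (!uctxt->rcvhdrtail_kvaddr) { ret = -EINVAL; goto done; }` ahead of the VM_WRITE check. Since every downstream test now treats `rcvhdrtail_kvaddr` as the DMA_RTAIL capability flag, it is also worth confirming that the free path resets the pointer to NULL; that code is not in these hunks.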
@@ -0,0 +1,119 @@
+From af8aab71370a692eaf7e7969ba5b1a455ac20113 Mon Sep 17 00:00:00 2001
+From: Sebastian Sanchez
+Date: Wed, 2 May 2018 06:43:39 -0700
+Subject: IB/hfi1: Optimize kthread pointer locking when queuing CQ entries
+
+From: Sebastian Sanchez
+
+commit af8aab71370a692eaf7e7969ba5b1a455ac20113 upstream.
+
+All threads queuing CQ entries on different CQs are unnecessarily
+synchronized by a spin lock to check if the CQ kthread worker hasn't
+been destroyed before queuing an CQ entry.
+
+The lock used in 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a
+destroyed cq kthread worker") is a device global lock and will have
+poor performance at scale as completions are entered from a large
+number of CPUs.
+
+Convert to use RCU where the read side of RCU is rvt_cq_enter() to
+determine that the worker is alive prior to triggering the
+completion event.
+Apply write side RCU semantics in rvt_driver_cq_init() and
+rvt_cq_exit().
+
+Fixes: 6efaf10f163d ("IB/rdmavt: Avoid queuing work into a destroyed cq kthread worker")
+Cc: # 4.14.x
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Sebastian Sanchez
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/sw/rdmavt/cq.c | 31 +++++++++++++++++++------------
+ include/rdma/rdma_vt.h | 2 +-
+ 2 files changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/sw/rdmavt/cq.c
++++ b/drivers/infiniband/sw/rdmavt/cq.c
+@@ -121,17 +121,20 @@ void rvt_cq_enter(struct rvt_cq *cq, str
+ if (cq->notify == IB_CQ_NEXT_COMP ||
+ (cq->notify == IB_CQ_SOLICITED &&
+ (solicited || entry->status != IB_WC_SUCCESS))) {
++ struct kthread_worker *worker;
++
+ /*
+ * This will cause send_complete() to be called in
+ * another thread.
+ */
+- spin_lock(&cq->rdi->n_cqs_lock);
+- if (likely(cq->rdi->worker)) {
++ rcu_read_lock();
++ worker = rcu_dereference(cq->rdi->worker);
++ if (likely(worker)) {
+ cq->notify = RVT_CQ_NONE;
+ cq->triggered++;
+- kthread_queue_work(cq->rdi->worker, &cq->comptask);
++ kthread_queue_work(worker, &cq->comptask);
+ }
+- spin_unlock(&cq->rdi->n_cqs_lock);
++ rcu_read_unlock();
+ }
+
+ spin_unlock_irqrestore(&cq->lock, flags);
+@@ -513,7 +516,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
+ int cpu;
+ struct kthread_worker *worker;
+
+- if (rdi->worker)
++ if (rcu_access_pointer(rdi->worker))
+ return 0;
+
+ spin_lock_init(&rdi->n_cqs_lock);
+@@ -525,7 +528,7 @@ int rvt_driver_cq_init(struct rvt_dev_in
+ return PTR_ERR(worker);
+
+ set_user_nice(worker->task, MIN_NICE);
+- rdi->worker = worker;
++ RCU_INIT_POINTER(rdi->worker, worker);
+ return 0;
+ }
+
+@@ -537,15 +540,19 @@ void rvt_cq_exit(struct rvt_dev_info *rd
+ {
+ struct kthread_worker *worker;
+
+- /* block future queuing from send_complete() */
+- spin_lock_irq(&rdi->n_cqs_lock);
+- worker = rdi->worker;
++ if (!rcu_access_pointer(rdi->worker))
++ return;
++
++ spin_lock(&rdi->n_cqs_lock);
++ worker = rcu_dereference_protected(rdi->worker,
++ lockdep_is_held(&rdi->n_cqs_lock));
+ if (!worker) {
+- spin_unlock_irq(&rdi->n_cqs_lock);
++ spin_unlock(&rdi->n_cqs_lock);
+ return;
+ }
+- rdi->worker = NULL;
+- spin_unlock_irq(&rdi->n_cqs_lock);
++ RCU_INIT_POINTER(rdi->worker, NULL);
++ spin_unlock(&rdi->n_cqs_lock);
++ synchronize_rcu();
+
+ kthread_destroy_worker(worker);
+ }
+--- a/include/rdma/rdma_vt.h
++++ b/include/rdma/rdma_vt.h
+@@ -409,7 +409,7 @@ struct rvt_dev_info {
+ spinlock_t pending_lock; /* protect pending mmap list */
+
+ /* CQ */
+- struct kthread_worker *worker; /* per device cq worker */
++ struct kthread_worker __rcu *worker; /* per device cq worker */
+ u32 n_cqs_allocated; /* number of CQs allocated for device */
+ spinlock_t n_cqs_lock; /* protect count of in use cqs */
+
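Review bot: In rvt_driver_cq_init() the new worker is published with `RCU_INIT_POINTER(rdi->worker, worker)`, which gives no release ordering, while rvt_cq_enter() now reads the pointer with rcu_dereference() under rcu_read_lock(). If a reader can run before this function returns, the store should be `rcu_assign_pointer(rdi->worker, worker);`; if no CQ can exist yet at that point, a comment saying so would justify the cheaper form. The NULL store in rvt_cq_exit() is fine as written, and the synchronize_rcu() placed before kthread_destroy_worker() is what keeps a concurrent rvt_cq_enter() from queuing work onto a destroyed worker. All three function bodies continue outside the quoted hunks.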
diff --git a/queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch b/queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch
new file mode 100644
index 00000000000..7289e56c00f
--- /dev/null
+++ b/queue-4.14/ib-hfi1-qib-add-handling-of-kernel-restart.patch
@@ -0,0 +1,134 @@
+From 8d3e71136a080d007620472f50c7b3e63ba0f5cf Mon Sep 17 00:00:00 2001
+From: Alex Estrin
+Date: Wed, 2 May 2018 06:43:15 -0700
+Subject: IB/{hfi1, qib}: Add handling of kernel restart
+
+From: Alex Estrin
+
+commit 8d3e71136a080d007620472f50c7b3e63ba0f5cf upstream.
+
+A warm restart will fail to unload the driver, leaving link state
+potentially flapping up to the point the BIOS resets the adapter.
+Correct the issue by hooking the shutdown pci method,
+which will bring port down.
+
+Cc: # 4.9.x
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Alex Estrin
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/hfi.h | 1 +
+ drivers/infiniband/hw/hfi1/init.c | 13 +++++++++++++
+ drivers/infiniband/hw/qib/qib.h | 1 +
+ drivers/infiniband/hw/qib/qib_init.c | 13 +++++++++++++
+ 4 files changed, 28 insertions(+)
+
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -1851,6 +1851,7 @@ struct cc_state *get_cc_state_protected(
+ #define HFI1_HAS_SDMA_TIMEOUT 0x8
+ #define HFI1_HAS_SEND_DMA 0x10 /* Supports Send DMA */
+ #define HFI1_FORCED_FREEZE 0x80 /* driver forced freeze mode */
++#define HFI1_SHUTDOWN 0x100 /* device is shutting down */
+
+ /* IB dword length mask in PBC (lower 11 bits); same for all chips */
+ #define HFI1_PBC_LENGTH_MASK ((1 << 11) - 1)
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -1029,6 +1029,10 @@ static void shutdown_device(struct hfi1_
+ unsigned pidx;
+ int i;
+
++ if (dd->flags & HFI1_SHUTDOWN)
++ return;
++ dd->flags |= HFI1_SHUTDOWN;
++
+ for (pidx = 0; pidx < dd->num_pports; ++pidx) {
+ ppd = dd->pport + pidx;
+
+@@ -1353,6 +1357,7 @@ void hfi1_disable_after_error(struct hfi
+
+ static void remove_one(struct pci_dev *);
+ static int init_one(struct pci_dev *, const struct pci_device_id *);
++static void shutdown_one(struct pci_dev *);
+
+ #define DRIVER_LOAD_MSG "Intel " DRIVER_NAME " loaded: "
+ #define PFX DRIVER_NAME ": "
+@@ -1369,6 +1374,7 @@ static struct pci_driver hfi1_pci_driver
+ .name = DRIVER_NAME,
+ .probe = init_one,
+ .remove = remove_one,
++ .shutdown = shutdown_one,
+ .id_table = hfi1_pci_tbl,
+ .err_handler = &hfi1_pci_err_handler,
+ };
+@@ -1780,6 +1786,13 @@ static void remove_one(struct pci_dev *p
+ postinit_cleanup(dd);
+ }
+
++static void shutdown_one(struct pci_dev *pdev)
++{
++ struct hfi1_devdata *dd = pci_get_drvdata(pdev);
++
++ shutdown_device(dd);
++}
++
+ /**
+ * hfi1_create_rcvhdrq - create a receive header queue
+ * @dd: the hfi1_ib device
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1250,6 +1250,7 @@ static inline struct qib_ibport *to_ipor
+ #define QIB_BADINTR 0x8000 /* severe interrupt problems */
+ #define QIB_DCA_ENABLED 0x10000 /* Direct Cache Access enabled */
+ #define QIB_HAS_QSFP 0x20000 /* device (card instance) has QSFP */
++#define QIB_SHUTDOWN 0x40000 /* device is shutting down */
+
+ /*
+ * values for ppd->lflags (_ib_port_ related flags)
+--- a/drivers/infiniband/hw/qib/qib_init.c
++++ b/drivers/infiniband/hw/qib/qib_init.c
+@@ -850,6 +850,10 @@ static void qib_shutdown_device(struct q
+ struct qib_pportdata *ppd;
+ unsigned pidx;
+
++ if (dd->flags & QIB_SHUTDOWN)
++ return;
++ dd->flags |= QIB_SHUTDOWN;
++
+ for (pidx = 0; pidx < dd->num_pports; ++pidx) {
+ ppd = dd->pport + pidx;
+
+@@ -1189,6 +1193,7 @@ void qib_disable_after_error(struct qib_
+
+ static void qib_remove_one(struct pci_dev *);
+ static int qib_init_one(struct pci_dev *, const struct pci_device_id *);
++static void qib_shutdown_one(struct pci_dev *);
+
+ #define DRIVER_LOAD_MSG "Intel " QIB_DRV_NAME " loaded: "
+ #define PFX QIB_DRV_NAME ": "
+@@ -1206,6 +1211,7 @@ static struct pci_driver qib_driver = {
+ .name = QIB_DRV_NAME,
+ .probe = qib_init_one,
+ .remove = qib_remove_one,
++ .shutdown = qib_shutdown_one,
+ .id_table = qib_pci_tbl,
+ .err_handler = &qib_pci_err_handler,
+ };
+@@ -1556,6 +1562,13 @@ static void qib_remove_one(struct pci_de
+ qib_postinit_cleanup(dd);
+ }
+
++static void qib_shutdown_one(struct pci_dev *pdev)
++{
++ struct qib_devdata *dd = pci_get_drvdata(pdev);
++
++ qib_shutdown_device(dd);
++}
++
+ /**
+ * qib_create_rcvhdrq - create a receive header queue
+ * @dd: the qlogic_ib device
diff --git a/queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch b/queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch
new file mode 100644
index 00000000000..8ae32d1fa64
--- /dev/null
+++ b/queue-4.14/ib-hfi1-reorder-incorrect-send-context-disable.patch
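Review bot: The re-entry guard added at the top of shutdown_device(), and the identical one in qib_shutdown_device(), tests and sets the flag in two plain steps (`if (dd->flags & HFI1_SHUTDOWN) return; dd->flags |= HFI1_SHUTDOWN;`), so it protects only against calls that follow one another. Nothing in the hunk shows a lock held around it; if the new .shutdown hook can overlap with remove_one() or another caller, both could pass the test and tear the ports down twice. Either state the assumed serialization in a comment above the check or make the test-and-set atomic. shutdown_one() and qib_shutdown_one() also pass the result of pci_get_drvdata() on without a NULL check, which should be confirmed against the probe paths outside this hunk. Both shutdown function bodies continue outside the quoted hunks.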
@@ -0,0 +1,123 @@
+From a93a0a31111231bb1949f4a83b17238f0fa32d6a Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl"
+Date: Wed, 2 May 2018 06:43:07 -0700
+Subject: IB/hfi1: Reorder incorrect send context disable
+
+From: Michael J. Ruhl
+
+commit a93a0a31111231bb1949f4a83b17238f0fa32d6a upstream.
+
+User send context integrity bits are cleared before the context is
+disabled. If the send context is still processing data, any packets
+that need those integrity bits will cause an error and halt the send
+context.
+
+During the disable handling, the driver waits for the context to drain.
+If the context is halted, the driver will eventually timeout because
+the context won't drain and then incorrectly bounce the link.
+
+Reorder the bit clearing and the context disable.
+
+Examine the software state and send context status as well as the
+egress status to determine if a send context is in the halted state.
+
+Promote the check macros to static functions for consistency with the
+new check and to follow kernel style.
+
+Remove an unused define that refers to the egress timeout.
+
+Cc: # 4.9.x
+Reviewed-by: Mitko Haralanov
+Reviewed-by: Mike Marciniszyn
+Signed-off-by: Michael J. Ruhl
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/hfi1/file_ops.c | 2 -
+ drivers/infiniband/hw/hfi1/pio.c | 44 ++++++++++++++++++++++++++--------
+ 2 files changed, 35 insertions(+), 11 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/file_ops.c
++++ b/drivers/infiniband/hw/hfi1/file_ops.c
+@@ -807,8 +807,8 @@ static int hfi1_file_close(struct inode
+ * checks to default and disable the send context.
+ */
+ if (uctxt->sc) {
+- set_pio_integrity(uctxt->sc);
+ sc_disable(uctxt->sc);
++ set_pio_integrity(uctxt->sc);
+ }
+
+ hfi1_free_ctxt_rcv_groups(uctxt);
+--- a/drivers/infiniband/hw/hfi1/pio.c
++++ b/drivers/infiniband/hw/hfi1/pio.c
+@@ -50,8 +50,6 @@
+ #include "qp.h"
+ #include "trace.h"
+
+-#define SC_CTXT_PACKET_EGRESS_TIMEOUT 350 /* in chip cycles */
+-
+ #define SC(name) SEND_CTXT_##name
+ /*
+ * Send Context functions
+@@ -977,15 +975,40 @@ void sc_disable(struct send_context *sc)
+ }
+
+ /* return SendEgressCtxtStatus.PacketOccupancy */
+-#define packet_occupancy(r) \
+- (((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)\
+- >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT)
++static u64 packet_occupancy(u64 reg)
++{
++ return (reg &
++ SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SMASK)
++ >> SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_PACKET_OCCUPANCY_SHIFT;
++}
+
+ /* is egress halted on the context? */
+-#define egress_halted(r) \
+- ((r) & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK)
++static bool egress_halted(u64 reg)
++{
++ return !!(reg & SEND_EGRESS_CTXT_STATUS_CTXT_EGRESS_HALT_STATUS_SMASK);
++}
++
++/* is the send context halted? */
++static bool is_sc_halted(struct hfi1_devdata *dd, u32 hw_context)
++{
++ return !!(read_kctxt_csr(dd, hw_context, SC(STATUS)) &
++ SC(STATUS_CTXT_HALTED_SMASK));
++}
+
+-/* wait for packet egress, optionally pause for credit return */
++/**
++ * sc_wait_for_packet_egress
++ * @sc: valid send context
++ * @pause: wait for credit return
++ *
++ * Wait for packet egress, optionally pause for credit return
++ *
++ * Egress halt and Context halt are not necessarily the same thing, so
++ * check for both.
++ *
++ * NOTE: The context halt bit may not be set immediately. Because of this,
++ * it is necessary to check the SW SFC_HALTED bit (set in the IRQ) and the HW
++ * context bit to determine if the context is halted.
++ */
+ static void sc_wait_for_packet_egress(struct send_context *sc, int pause)
+ {
+ struct hfi1_devdata *dd = sc->dd;
+@@ -997,8 +1020,9 @@ static void sc_wait_for_packet_egress(st
+ reg_prev = reg;
+ reg = read_csr(dd, sc->hw_context * 8 +
+ SEND_EGRESS_CTXT_STATUS);
+- /* done if egress is stopped */
+- if (egress_halted(reg))
++ /* done if any halt bits, SW or HW are set */
++ if (sc->flags & SCF_HALTED ||
++ is_sc_halted(dd, sc->hw_context) || egress_halted(reg))
+ break;
+ reg = packet_occupancy(reg);
+ if (reg == 0)
diff --git a/queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch b/queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
new file mode 100644
index 00000000000..6b6606d7e05
--- /dev/null
+++ b/queue-4.14/ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
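Review bot: The kernel-doc comment added above sc_wait_for_packet_egress() refers to the "SW SFC_HALTED bit", but the flag the new condition tests is `SCF_HALTED`; the comment should use that spelling so that a search for the flag finds it. In the same condition, `sc->flags & SCF_HALTED || ...` leans on operator precedence; `(sc->flags & SCF_HALTED) || is_sc_halted(dd, sc->hw_context) || egress_halted(reg)` states the intent and avoids a parentheses warning. The loop this condition sits in continues outside the hunk.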
@@ -0,0 +1,114 @@
+From 763b69654bfb88ea3230d015e7d755ee8339f8ee Mon Sep 17 00:00:00 2001
+From: Alex Estrin
+Date: Tue, 15 May 2018 18:31:39 -0700
+Subject: IB/isert: Fix for lib/dma_debug check_sync warning
+
+From: Alex Estrin
+
+commit 763b69654bfb88ea3230d015e7d755ee8339f8ee upstream.
+
+The following error message occurs on a target host in a debug build
+during session login:
+
+[ 3524.411874] WARNING: CPU: 5 PID: 12063 at lib/dma-debug.c:1207 check_sync+0x4ec/0x5b0
+[ 3524.421057] infiniband hfi1_0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000000000000] [size=76 bytes]
+......snip .....
+
+[ 3524.535846] CPU: 5 PID: 12063 Comm: iscsi_np Kdump: loaded Not tainted 3.10.0-862.el7.x86_64.debug #1
+[ 3524.546764] Hardware name: Dell Inc. PowerEdge R430/03XKDV, BIOS 1.2.6 06/08/2015
+[ 3524.555740] Call Trace:
+[ 3524.559102] [] dump_stack+0x19/0x1b
+[ 3524.565477] [] __warn+0xd8/0x100
+[ 3524.571557] [] warn_slowpath_fmt+0x5f/0x80
+[ 3524.578610] [] check_sync+0x4ec/0x5b0
+[ 3524.585177] [] ? set_cpus_allowed_ptr+0x5f/0x1c0
+[ 3524.592812] [] debug_dma_sync_single_for_cpu+0x80/0x90
+[ 3524.601029] [] ? x2apic_send_IPI_mask+0x13/0x20
+[ 3524.608574] [] ? native_smp_send_reschedule+0x5b/0x80
+[ 3524.616699] [] ? resched_curr+0xf6/0x140
+[ 3524.623567] [] isert_create_send_desc.isra.26+0xe0/0x110 [ib_isert]
+[ 3524.633060] [] isert_put_login_tx+0x55/0x8b0 [ib_isert]
+[ 3524.641383] [] ? try_to_wake_up+0x1a4/0x430
+[ 3524.648561] [] iscsi_target_do_tx_login_io+0xdd/0x230 [iscsi_target_mod]
+[ 3524.658557] [] iscsi_target_do_login+0x1a7/0x600 [iscsi_target_mod]
+[ 3524.668084] [] ? kstrdup+0x49/0x60
+[ 3524.674420] [] iscsi_target_start_negotiation+0x56/0xc0 [iscsi_target_mod]
+[ 3524.684656] [] __iscsi_target_login_thread+0x90e/0x1070 [iscsi_target_mod]
+[ 3524.694901] [] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.705446] [] ? __iscsi_target_login_thread+0x1070/0x1070 [iscsi_target_mod]
+[ 3524.715976] [] iscsi_target_login_thread+0x28/0x60 [iscsi_target_mod]
+[ 3524.725739] [] kthread+0xef/0x100
+[ 3524.732007] [] ? insert_kthread_work+0x80/0x80
+[ 3524.739540] [] ret_from_fork_nospec_begin+0x21/0x21
+[ 3524.747558] [] ? insert_kthread_work+0x80/0x80
+[ 3524.755088] ---[ end trace 23f8bf9238bd1ed8 ]---
+[ 3595.510822] iSCSI/iqn.1994-05.com.redhat:537fa56299: Unsupported SCSI Opcode 0xa3, sending CHECK_CONDITION.
+
+The code calls dma_sync on login_tx_desc->dma_addr prior to initializing it
+with dma-mapped address.
+login_tx_desc is a part of iser_conn structure and is used only once
+during login negotiation, so the issue is fixed by eliminating
+dma_sync call for this buffer using a special case routine.
+
+Cc:
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Don Dutile
+Signed-off-by: Alex Estrin
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -885,15 +885,9 @@ isert_login_post_send(struct isert_conn
+ }
+
+ static void
+-isert_create_send_desc(struct isert_conn *isert_conn,
+- struct isert_cmd *isert_cmd,
+- struct iser_tx_desc *tx_desc)
++__isert_create_send_desc(struct isert_device *device,
++ struct iser_tx_desc *tx_desc)
+ {
+- struct isert_device *device = isert_conn->device;
+- struct ib_device *ib_dev = device->ib_device;
+-
+- ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
+- ISER_HEADERS_LEN, DMA_TO_DEVICE);
+
+ memset(&tx_desc->iser_header, 0, sizeof(struct iser_ctrl));
+ tx_desc->iser_header.flags = ISCSI_CTRL;
+@@ -906,6 +900,20 @@ isert_create_send_desc(struct isert_conn
+ }
+ }
+
++static void
++isert_create_send_desc(struct isert_conn *isert_conn,
++ struct isert_cmd *isert_cmd,
++ struct iser_tx_desc *tx_desc)
++{
++ struct isert_device *device = isert_conn->device;
++ struct ib_device *ib_dev = device->ib_device;
++
++ ib_dma_sync_single_for_cpu(ib_dev, tx_desc->dma_addr,
++ ISER_HEADERS_LEN, DMA_TO_DEVICE);
++
++ __isert_create_send_desc(device, tx_desc);
++}
++
+ static int
+ isert_init_tx_hdrs(struct isert_conn *isert_conn,
+ struct iser_tx_desc *tx_desc)
+@@ -993,7 +1001,7 @@ isert_put_login_tx(struct iscsi_conn *co
+ struct iser_tx_desc *tx_desc = &isert_conn->login_tx_desc;
+ int ret;
+
+- isert_create_send_desc(isert_conn, NULL, tx_desc);
++ __isert_create_send_desc(device, tx_desc);
+
+ memcpy(&tx_desc->iscsi_header, &login->rsp[0],
+ sizeof(struct iscsi_hdr));
diff --git a/queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch b/queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch
new file mode 100644
index 00000000000..31e34d0a9ad
--- /dev/null
+++ b/queue-4.14/ib-isert-fix-t10-pi-check-mask-setting.patch
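Review bot: isert_put_login_tx() now calls `__isert_create_send_desc(device, tx_desc)` and thereby skips the DMA sync, but nothing at the call site says why; the reason is recorded only in the commit message. A comment there such as `/* login_tx_desc is not DMA-mapped yet, so there is nothing to sync */` would keep a later cleanup from folding the two helpers back together. The new helper also keeps an empty line as the first line of its body, left behind by the removed declarations. isert_put_login_tx() starts outside the hunk, so the declaration of `device` that the new call relies on is not visible here.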
@@ -0,0 +1,37 @@
+From 0e12af84cdd3056460f928adc164f9e87f4b303b Mon Sep 17 00:00:00 2001
+From: Max Gurtovoy
+Date: Thu, 31 May 2018 11:05:23 +0300
+Subject: IB/isert: fix T10-pi check mask setting
+
+From: Max Gurtovoy
+
+commit 0e12af84cdd3056460f928adc164f9e87f4b303b upstream.
+
+A copy/paste bug (probably) caused setting of an app_tag check mask
+in case where a ref_tag check was needed.
+
+Fixes: 38a2d0d429f1 ("IB/isert: convert to the generic RDMA READ/WRITE API")
+Fixes: 9e961ae73c2c ("IB/isert: Support T10-PI protected transactions")
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Sagi Grimberg
+Reviewed-by: Martin K. Petersen
+Signed-off-by: Max Gurtovoy
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/isert/ib_isert.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/isert/ib_isert.c
++++ b/drivers/infiniband/ulp/isert/ib_isert.c
+@@ -2116,7 +2116,7 @@ isert_set_sig_attrs(struct se_cmd *se_cm
+
+ sig_attrs->check_mask =
+ (se_cmd->prot_checks & TARGET_DIF_CHECK_GUARD ? 0xc0 : 0) |
+- (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x30 : 0) |
++ (se_cmd->prot_checks & TARGET_DIF_CHECK_APPTAG ? 0x30 : 0) |
+ (se_cmd->prot_checks & TARGET_DIF_CHECK_REFTAG ? 0x0f : 0);
+ return 0;
+ }
diff --git a/queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch b/queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
new file mode 100644
index 00000000000..0ce9a6fd72f
--- /dev/null
+++ b/queue-4.14/ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
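Review bot: The three literals that build `sig_attrs->check_mask` (0xc0, 0x30, 0x0f) carry no label, which is how the wrong TARGET_DIF_CHECK_* flag could sit next to 0x30 unnoticed. A comment above the assignment, e.g. `/* 0xc0: guard, 0x30: app tag, 0x0f: ref tag */`, or named constants for the three fields, would make a mismatch between flag and mask visible in review. isert_set_sig_attrs() begins outside the hunk.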
@@ -0,0 +1,120 @@
+From d8f9cc328c8888369880e2527e9186d745f2bbf6 Mon Sep 17 00:00:00 2001
+From: Jack Morgenstein
+Date: Wed, 23 May 2018 15:30:31 +0300
+Subject: IB/mlx4: Mark user MR as writable if actual virtual memory is writable
+
+From: Jack Morgenstein
+
+commit d8f9cc328c8888369880e2527e9186d745f2bbf6 upstream.
+
+To allow rereg_user_mr to modify the MR from read-only to writable without
+using get_user_pages again, we needed to define the initial MR as writable.
+However, this was originally done unconditionally, without taking into
+account the writability of the underlying virtual memory.
+
+As a result, any attempt to register a read-only MR over read-only
+virtual memory failed.
+
+To fix this, do not add the writable flag bit when the user virtual memory
+is not writable (e.g. const memory).
+
+However, when the underlying memory is NOT writable (and we therefore
+do not define the initial MR as writable), the IB core adds a
+"force writable" flag to its user-pages request. If this succeeds,
+the reg_user_mr caller gets a writable copy of the original pages.
+
+If the user-space caller then does a rereg_user_mr operation to enable
+writability, this will succeed. This should not be allowed, since
+the original virtual memory was not writable.
+
+Cc:
+Fixes: 9376932d0c26 ("IB/mlx4_ib: Add support for user MR re-registration")
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Jack Morgenstein
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/mr.c | 50 +++++++++++++++++++++++++++++++++-------
+ 1 file changed, 42 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/mr.c
++++ b/drivers/infiniband/hw/mlx4/mr.c
+@@ -131,6 +131,40 @@ out:
+ return err;
+ }
+
++static struct ib_umem *mlx4_get_umem_mr(struct ib_ucontext *context, u64 start,
++ u64 length, u64 virt_addr,
++ int access_flags)
++{
++ /*
++ * Force registering the memory as writable if the underlying pages
++ * are writable. This is so rereg can change the access permissions
++ * from readable to writable without having to run through ib_umem_get
++ * again
++ */
++ if (!ib_access_writable(access_flags)) {
++ struct vm_area_struct *vma;
++
++ down_read(¤t->mm->mmap_sem);
++ /*
++ * FIXME: Ideally this would iterate over all the vmas that
++ * cover the memory, but for now it requires a single vma to
++ * entirely cover the MR to support RO mappings.
++ */
++ vma = find_vma(current->mm, start);
++ if (vma && vma->vm_end >= start + length &&
++ vma->vm_start <= start) {
++ if (vma->vm_flags & VM_WRITE)
++ access_flags |= IB_ACCESS_LOCAL_WRITE;
++ } else {
++ access_flags |= IB_ACCESS_LOCAL_WRITE;
++ }
++
++ up_read(¤t->mm->mmap_sem);
++ }
++
++ return ib_umem_get(context, start, length, access_flags, 0);
++}
++
+ struct ib_mr *mlx4_ib_reg_user_mr(struct ib_pd *pd, u64 start, u64 length,
+ u64 virt_addr, int access_flags,
+ struct ib_udata *udata)
+@@ -145,10 +179,8 @@ struct ib_mr *mlx4_ib_reg_user_mr(struct
+ if (!mr)
+ return ERR_PTR(-ENOMEM);
+
+- /* Force registering the memory as writable. */
+- /* Used for memory re-registeration. HCA protects the access */
+- mr->umem = ib_umem_get(pd->uobject->context, start, length,
+- access_flags | IB_ACCESS_LOCAL_WRITE, 0);
++ mr->umem = mlx4_get_umem_mr(pd->uobject->context, start, length,
++ virt_addr, access_flags);
+ if (IS_ERR(mr->umem)) {
+ err = PTR_ERR(mr->umem);
+ goto err_free;
+@@ -215,6 +247,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+ }
+
+ if (flags & IB_MR_REREG_ACCESS) {
++ if (ib_access_writable(mr_access_flags) && !mmr->umem->writable)
++ return -EPERM;
++
+ err = mlx4_mr_hw_change_access(dev->dev, *pmpt_entry,
+ convert_access(mr_access_flags));
+
+@@ -228,10 +263,9 @@ int mlx4_ib_rereg_user_mr(struct ib_mr *
+
+ mlx4_mr_rereg_mem_cleanup(dev->dev, &mmr->mmr);
+ ib_umem_release(mmr->umem);
+- mmr->umem = ib_umem_get(mr->uobject->context, start, length,
+- mr_access_flags |
+- IB_ACCESS_LOCAL_WRITE,
+- 0);
++ mmr->umem =
++ mlx4_get_umem_mr(mr->uobject->context, start, length,
++ virt_addr, mr_access_flags);
+ if (IS_ERR(mmr->umem)) {
+ err = PTR_ERR(mmr->umem);
+ /* Prevent mlx4_ib_dereg_mr from free'ing invalid pointer */
diff --git a/queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch b/queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
new file mode 100644
index 00000000000..c536ad45ea5
--- /dev/null
+++ b/queue-4.14/ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
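Review bot: The writability check added under `if (flags & IB_MR_REREG_ACCESS)` in mlx4_ib_rereg_user_mr() leaves with a bare `return -EPERM;`, while the next statement uses `*pmpt_entry`, which suggests an MPT entry has already been taken earlier in the function (outside the hunk). If the other failures there unwind through a cleanup label, this one should as well, i.e. `err = -EPERM;` followed by a `goto` to that label, otherwise the entry is never released. Separately, in mlx4_get_umem_mr() the test `vma->vm_end >= start + length` adds two caller-supplied u64 values and can wrap; `length <= vma->vm_end - start`, checked after `vma->vm_start <= start`, avoids the addition. The `virt_addr` parameter of the helper is unused.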
@@ -0,0 +1,82 @@
+From 7b74a83cf54a3747e22c57e25712bd70eef8acee Mon Sep 17 00:00:00 2001
+From: Erez Shitrit
+Date: Mon, 21 May 2018 11:41:01 +0300
+Subject: IB/mlx5: Fetch soft WQE's on fatal error state
+
+From: Erez Shitrit
+
+commit 7b74a83cf54a3747e22c57e25712bd70eef8acee upstream.
+
+On fatal error the driver simulates CQE's for ULPs that rely on
+completion of all their posted work-request.
+
+For the GSI traffic, the mlx5 has its own mechanism that sends the
+completions via software CQE's directly to the relevant CQ.
+
+This should be kept in fatal error too, so the driver should simulate
+such CQE's with the specified error state in order to complete GSI QP
+work requests.
+
+Without the fix the next deadlock might appears:
+ schedule_timeout+0x274/0x350
+ wait_for_common+0xec/0x240
+ mcast_remove_one+0xd0/0x120 [ib_core]
+ ib_unregister_device+0x12c/0x230 [ib_core]
+ mlx5_ib_remove+0xc4/0x270 [mlx5_ib]
+ mlx5_detach_device+0x184/0x1a0 [mlx5_core]
+ mlx5_unload_one+0x308/0x340 [mlx5_core]
+ mlx5_pci_err_detected+0x74/0xe0 [mlx5_core]
+
+Cc: # 4.7
+Fixes: 89ea94a7b6c4 ("IB/mlx5: Reset flow support for IB kernel ULPs")
+Signed-off-by: Erez Shitrit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx5/cq.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/cq.c
++++ b/drivers/infiniband/hw/mlx5/cq.c
+@@ -646,7 +646,7 @@ repoll:
+ }
+
+ static int poll_soft_wc(struct mlx5_ib_cq *cq, int num_entries,
+- struct ib_wc *wc)
++ struct ib_wc *wc, bool is_fatal_err)
+ {
+ struct mlx5_ib_dev *dev = to_mdev(cq->ibcq.device);
+ struct mlx5_ib_wc *soft_wc, *next;
+@@ -659,6 +659,10 @@ static int poll_soft_wc(struct mlx5_ib_c
+ mlx5_ib_dbg(dev, "polled software generated completion on CQ 0x%x\n",
+ cq->mcq.cqn);
+
++ if (unlikely(is_fatal_err)) {
++ soft_wc->wc.status = IB_WC_WR_FLUSH_ERR;
++ soft_wc->wc.vendor_err = MLX5_CQE_SYNDROME_WR_FLUSH_ERR;
++ }
+ wc[npolled++] = soft_wc->wc;
+ list_del(&soft_wc->list);
+ kfree(soft_wc);
+@@ -679,12 +683,17 @@ int mlx5_ib_poll_cq(struct ib_cq *ibcq,
+
+ spin_lock_irqsave(&cq->lock, flags);
+ if (mdev->state == MLX5_DEVICE_STATE_INTERNAL_ERROR) {
+- mlx5_ib_poll_sw_comp(cq, num_entries, wc, &npolled);
++ /* make sure no soft wqe's are waiting */
++ if (unlikely(!list_empty(&cq->wc_list)))
++ soft_polled = poll_soft_wc(cq, num_entries, wc, true);
++
++ mlx5_ib_poll_sw_comp(cq, num_entries - soft_polled,
++ wc + soft_polled, &npolled);
+ goto out;
+ }
+
+ if (unlikely(!list_empty(&cq->wc_list)))
+- soft_polled = poll_soft_wc(cq, num_entries, wc, false);
++ soft_polled = poll_soft_wc(cq, num_entries, wc, false);
+
+ for (npolled = 0; npolled < num_entries - soft_polled; npolled++) {
+ if (mlx5_poll_one(cq, &cur_qp, wc + soft_polled + npolled))
diff --git a/queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch b/queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch
new file mode 100644
index 00000000000..92608bd328e
--- /dev/null
+++ b/queue-4.14/ib-qib-fix-dma-api-warning-with-debug-kernel.patch
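Review bot: The new `is_fatal_err` parameter of poll_soft_wc() is undocumented, and the comment in mlx5_ib_poll_cq() (`/* make sure no soft wqe's are waiting */`) does not say that the waiting entries are completed with a rewritten status. A line above the added block such as `/* on fatal error, report queued soft completions as IB_WC_WR_FLUSH_ERR */` would record that every entry returned on this path has its status and vendor_err overwritten. The fatal-error branch now fills wc from two sources before `goto out`; the return at `out:` is outside the hunk, so it should be confirmed that it counts soft_polled as well as npolled.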
@@ -0,0 +1,153 @@
+From 0252f73334f9ef68868e4684200bea3565a4fcee Mon Sep 17 00:00:00 2001
+From: Mike Marciniszyn
+Date: Fri, 18 May 2018 17:07:01 -0700
+Subject: IB/qib: Fix DMA api warning with debug kernel
+
+From: Mike Marciniszyn
+
+commit 0252f73334f9ef68868e4684200bea3565a4fcee upstream.
+
+The following error occurs in a debug build when running MPI PSM:
+
+[ 307.415911] WARNING: CPU: 4 PID: 23867 at lib/dma-debug.c:1158
+check_unmap+0x4ee/0xa20
+[ 307.455661] ib_qib 0000:05:00.0: DMA-API: device driver failed to check map
+error[device address=0x00000000df82b000] [size=4096 bytes] [mapped as page]
+[ 307.517494] Modules linked in:
+[ 307.531584] ib_isert iscsi_target_mod ib_srpt target_core_mod rpcrdma
+sunrpc ib_srp scsi_transport_srp scsi_tgt ib_iser libiscsi ib_ipoib
+scsi_transport_iscsi rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm
+ib_qib intel_powerclamp coretemp rdmavt intel_rapl iosf_mbi kvm_intel kvm
+irqbypass crc32_pclmul ghash_clmulni_intel ipmi_ssif ib_core aesni_intel sg
+ipmi_si lrw gf128mul dca glue_helper ipmi_devintf iTCO_wdt gpio_ich hpwdt
+iTCO_vendor_support ablk_helper hpilo acpi_power_meter cryptd ipmi_msghandler
+ie31200_edac shpchp pcc_cpufreq lpc_ich pcspkr ip_tables xfs libcrc32c sd_mod
+crc_t10dif crct10dif_generic mgag200 i2c_algo_bit drm_kms_helper syscopyarea
+sysfillrect sysimgblt fb_sys_fops ttm ahci crct10dif_pclmul crct10dif_common
+drm crc32c_intel libahci tg3 libata serio_raw ptp i2c_core
+[ 307.846113] pps_core dm_mirror dm_region_hash dm_log dm_mod
+[ 307.866505] CPU: 4 PID: 23867 Comm: mpitests-IMB-MP Kdump: loaded Not
+tainted 3.10.0-862.el7.x86_64.debug #1
+[ 307.911178] Hardware name: HP ProLiant DL320e Gen8, BIOS J05 11/09/2013
+[ 307.944206] Call Trace:
+[ 307.956973] [] dump_stack+0x19/0x1b
+[ 307.982201] [] __warn+0xd8/0x100
+[ 308.005999] [] warn_slowpath_fmt+0x5f/0x80
+[ 308.034260] [] check_unmap+0x4ee/0xa20
+[ 308.060801] [] ? page_add_file_rmap+0x2a/0x1d0
+[ 308.090689] [] debug_dma_unmap_page+0x9d/0xb0
+[ 308.120155] [] ? might_fault+0xa0/0xb0
+[ 308.146656] [] qib_tid_free.isra.14+0x215/0x2a0 [ib_qib]
+[ 308.180739] [] qib_write+0x894/0x1280 [ib_qib]
+[ 308.210733] [] ? __inode_security_revalidate+0x70/0x80
+[ 308.244837] [] ? security_file_permission+0x27/0xb0
+[ 308.266025] qib_ib0.8006: multicast join failed for
+ff12:401b:8006:0000:0000:0000:ffff:ffff, status -22
+[ 308.323421] [] vfs_write+0xc3/0x1f0
+[ 308.347077] [] ? fget_light+0xfc/0x510
+[ 308.372533] [] SyS_write+0x8a/0x100
+[ 308.396456] [] system_call_fastpath+0x1c/0x21
+
+The code calls a qib_map_page() which has never correctly tested for a
+mapping error.
+
+Fix by testing for pci_dma_mapping_error() in all cases and properly
+handling the failure in the caller.
+
+Additionally, streamline qib_map_page() arguments to satisfy just
+the single caller.
+
+Cc:
+Reviewed-by: Alex Estrin
+Tested-by: Don Dutile
+Reviewed-by: Don Dutile
+Signed-off-by: Mike Marciniszyn
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/qib/qib.h | 3 +--
+ drivers/infiniband/hw/qib/qib_file_ops.c | 10 +++++++---
+ drivers/infiniband/hw/qib/qib_user_pages.c | 20 ++++++++++++--------
+ 3 files changed, 20 insertions(+), 13 deletions(-)
+
+--- a/drivers/infiniband/hw/qib/qib.h
++++ b/drivers/infiniband/hw/qib/qib.h
+@@ -1448,8 +1448,7 @@ u64 qib_sps_ints(void);
+ /*
+ * dma_addr wrappers - all 0's invalid for hw
+ */
+-dma_addr_t qib_map_page(struct pci_dev *, struct page *, unsigned long,
+- size_t, int);
++int qib_map_page(struct pci_dev *d, struct page *p, dma_addr_t *daddr);
+ const char *qib_get_unit_name(int unit);
+ const char *qib_get_card_name(struct rvt_dev_info *rdi);
+ struct pci_dev *qib_get_pci_dev(struct rvt_dev_info *rdi);
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -364,6 +364,8 @@ static int qib_tid_update(struct qib_ctx
+ goto done;
+ }
+ for (i = 0; i < cnt; i++, vaddr += PAGE_SIZE) {
++ dma_addr_t daddr;
++
+ for (; ntids--; tid++) {
+ if (tid == tidcnt)
+ tid = 0;
+@@ -380,12 +382,14 @@ static int qib_tid_update(struct qib_ctx
+ ret = -ENOMEM;
+ break;
+ }
++ ret = qib_map_page(dd->pcidev, pagep[i], &daddr);
++ if (ret)
++ break;
++
+ tidlist[i] = tid + tidoff;
+ /* we "know" system pages and TID pages are same size */
+ dd->pageshadow[ctxttid + tid] = pagep[i];
+- dd->physshadow[ctxttid + tid] =
+- qib_map_page(dd->pcidev, pagep[i], 0, PAGE_SIZE,
+- PCI_DMA_FROMDEVICE);
++ dd->physshadow[ctxttid + tid] = daddr;
+ /*
+ * don't need atomic or it's overhead
+ */
+--- a/drivers/infiniband/hw/qib/qib_user_pages.c
++++ b/drivers/infiniband/hw/qib/qib_user_pages.c
+@@ -99,23 +99,27 @@ bail:
+ *
+ * I'm sure we won't be so lucky with other iommu's, so FIXME.
+ */
+-dma_addr_t qib_map_page(struct pci_dev *hwdev, struct page *page,
+- unsigned long offset, size_t size, int direction)
++int qib_map_page(struct pci_dev *hwdev, struct page *page, dma_addr_t *daddr)
+ {
+ dma_addr_t phys;
+
+- phys = pci_map_page(hwdev, page, offset, size, direction);
++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(hwdev, phys))
++ return -ENOMEM;
+
+- if (phys == 0) {
+- pci_unmap_page(hwdev, phys, size, direction);
+- phys = pci_map_page(hwdev, page, offset, size, direction);
++ if (!phys) {
++ pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE);
++ phys = pci_map_page(hwdev, page, 0, PAGE_SIZE,
++ PCI_DMA_FROMDEVICE);
++ if (pci_dma_mapping_error(hwdev, phys))
++ return -ENOMEM;
+ /*
+ * FIXME: If we get 0 again, we should keep this page,
+ * map another, then free the 0 page.
+ */
+ }
+-
+- return phys;
++ *daddr = phys;
++ return 0;
+ }
+
+ /**
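Review bot: qib_map_page() still reports success with `*daddr` set to 0 when the retry mapping comes back as 0 again; the added pci_dma_mapping_error() tests do not cover that case, and the comment in qib.h says an all-zero address is invalid for the hardware. The FIXME in the function acknowledges it, but now that the function has an error return the second zero can be refused after the retry, e.g. `if (!phys) { pci_unmap_page(hwdev, phys, PAGE_SIZE, PCI_DMA_FROMDEVICE); return -ENOMEM; }`. In qib_tid_update() the new `break` follows the pattern of the existing -ENOMEM exit just above it; the unwinding both rely on lies outside the hunk.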
diff --git a/queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch b/queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
new file mode 100644
index 00000000000..2146b619840
--- /dev/null
+++ b/queue-4.14/ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
@@ -0,0 +1,42 @@
+From fe50a7d0393a552e4539da2d31261a59d6415950 Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Tue, 22 May 2018 08:14:51 -0500
+Subject: ipmi:bt: Set the timeout before doing a capabilities check
+
+From: Corey Minyard
+
+commit fe50a7d0393a552e4539da2d31261a59d6415950 upstream.
+
+There was one place where the timeout value for an operation was
+not being set, if a capabilities request was done from idle. Move
+the timeout value setting to before where that change might be
+requested.
+
+IMHO the cause here is the invisible returns in the macros. Maybe
+that's a job for later, though.
+
+Reported-by: Nordmark Claes
+Signed-off-by: Corey Minyard
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -522,11 +522,12 @@ static enum si_sm_result bt_event(struct
+ if (status & BT_H_BUSY) /* clear a leftover H_BUSY */
+ BT_CONTROL(BT_H_BUSY);
+
++ bt->timeout = bt->BT_CAP_req2rsp;
++
+ /* Read BT capabilities if it hasn't been done yet */
+ if (!bt->BT_CAP_outreqs)
+ BT_STATE_CHANGE(BT_STATE_CAPABILITIES_BEGIN,
+ SI_SM_CALL_WITHOUT_DELAY);
+- bt->timeout = bt->BT_CAP_req2rsp;
+ BT_SI_SM_RETURN(SI_SM_IDLE);
+
+ case BT_STATE_XACTION_START:
diff --git a/queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
new file mode 100644
index 00000000000..a89db4f65b6
--- /dev/null
+++ b/queue-4.14/mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
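Review bot: The moved assignment `bt->timeout = bt->BT_CAP_req2rsp;` in bt_event() has to stay above BT_STATE_CHANGE() only because that macro returns from the function, which the commit message calls an invisible return, and the code gives no hint of it. A comment on the moved line, e.g. `/* must precede BT_STATE_CHANGE(), which returns from bt_event() */`, would keep the assignment from drifting back below the macro in a later cleanup. The case block this sits in starts outside the hunk.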
@@ -0,0 +1,84 @@ +From 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Sun, 3 Jun 2018 23:02:01 +0900 +Subject: MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tokunori Ikegami + +commit 2a027b47dba6b77ab8c8e47b589ae9bbc5ac6175 upstream. + +The erratum and workaround are described by BCM5300X-ES300-RDS.pdf as +below. + + R10: PCIe Transactions Periodically Fail + + Description: The BCM5300X PCIe does not maintain transaction ordering. + This may cause PCIe transaction failure. + Fix Comment: Add a dummy PCIe configuration read after a PCIe + configuration write to ensure PCIe configuration access + ordering. Set ES bit of CP0 configu7 register to enable + sync function so that the sync instruction is functional. + Resolution: hndpci.c: extpci_write_config() + hndmips.c: si_mips_init() + mipsinc.h CONF7_ES + +This is fixed by the CFE MIPS bcmsi chipset driver also for BCM47XX. +Also the dummy PCIe configuration read is already implemented in the +Linux BCMA driver. + +Enable ExternalSync in Config7 when CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y +too so that the sync instruction is externalised. 
+ +Signed-off-by: Tokunori Ikegami +Reviewed-by: Paul Burton +Acked-by: Hauke Mehrtens +Cc: Chris Packham +Cc: Rafał Miłecki +Cc: linux-mips@linux-mips.org +Cc: stable@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19461/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/bcm47xx/setup.c | 6 ++++++ + arch/mips/include/asm/mipsregs.h | 3 +++ + 2 files changed, 9 insertions(+) + +--- a/arch/mips/bcm47xx/setup.c ++++ b/arch/mips/bcm47xx/setup.c +@@ -212,6 +212,12 @@ static int __init bcm47xx_cpu_fixes(void + */ + if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706) + cpu_wait = NULL; ++ ++ /* ++ * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail" ++ * Enable ExternalSync for sync instruction to take effect ++ */ ++ set_c0_config7(MIPS_CONF7_ES); + break; + #endif + } +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -680,6 +680,8 @@ + #define MIPS_CONF7_WII (_ULCAST_(1) << 31) + + #define MIPS_CONF7_RPS (_ULCAST_(1) << 2) ++/* ExternalSync */ ++#define MIPS_CONF7_ES (_ULCAST_(1) << 8) + + #define MIPS_CONF7_IAR (_ULCAST_(1) << 10) + #define MIPS_CONF7_AR (_ULCAST_(1) << 16) +@@ -2745,6 +2747,7 @@ __BUILD_SET_C0(status) + __BUILD_SET_C0(cause) + __BUILD_SET_C0(config) + __BUILD_SET_C0(config5) ++__BUILD_SET_C0(config7) + __BUILD_SET_C0(intcontrol) + __BUILD_SET_C0(intctl) + __BUILD_SET_C0(srsmap) diff --git a/queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch b/queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch new file mode 100644 index 00000000000..f1daf67699f --- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch 
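Review bot: `set_c0_config7(MIPS_CONF7_ES);` in bcm47xx_cpu_fixes() runs for every chip that reaches this case, while the description ties the erratum to the 74K core and to `CONFIG_BCMA_DRIVER_PCI_HOSTMODE=y`. Config7 is an implementation-specific register, so bit 8 is only known to mean ExternalSync on the core the erratum names. If this case can be reached on a different core, the write should be guarded, for example `if (current_cpu_type() == CPU_74K) set_c0_config7(MIPS_CONF7_ES);`. If every SoC handled here is a 74K, a one-line comment saying so would be enough. The switch and its case label are outside the hunk.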
@@ -0,0 +1,33 @@ +From f1ce87f6080b1dda7e7b1eda3da332add19d87b9 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:30 +0200 +Subject: mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking. + +From: Joakim Tjernlund + +commit f1ce87f6080b1dda7e7b1eda3da332add19d87b9 upstream. + +cfi_ppb_unlock() walks all flash chips when unlocking sectors, +avoid walking chips unaffected by the unlock operation. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2695,6 +2695,8 @@ static int __maybe_unused cfi_ppb_unlock + i++; + + if (adr >> cfi->chipshift) { ++ if (offset >= (ofs + len)) ++ break; + adr = 0; + chipnum++; + diff --git a/queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch b/queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch new file mode 100644 index 00000000000..c935b2aa220 --- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch 
@@ -0,0 +1,91 @@ +From 45f75b8a919a4255f52df454f1ffdee0e42443b2 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Wed, 30 May 2018 18:32:28 +0900 +Subject: mtd: cfi_cmdset_0002: Change erase functions to retry for error + +From: Tokunori Ikegami + +commit 45f75b8a919a4255f52df454f1ffdee0e42443b2 upstream. + +For the word write functions it is retried for error. +But it is not implemented to retry for the erase functions. +To make sure for the erase functions change to retry as same. + +This is needed to prevent the flash erase error caused only once. +It was caused by the error case of chip_good() in the do_erase_oneblock(). +Also it was confirmed on the MACRONIX flash device MX29GL512FHT2I-11G. +But the error issue behavior is not able to reproduce at this moment. +The flash controller is parallel Flash interface integrated on BCM53003. + +Signed-off-by: Tokunori Ikegami +Reviewed-by: Joakim Tjernlund +Cc: Chris Packham +Cc: Brian Norris +Cc: David Woodhouse +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: Cyrille Pitchen +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2241,6 +2241,7 @@ static int __xipram do_erase_chip(struct + unsigned long int adr; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr = cfi->addr_unlock1; + +@@ -2258,6 +2259,7 @@ static int __xipram do_erase_chip(struct + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2312,6 +2314,9 @@ 
static int __xipram do_erase_chip(struct + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + ++ if (++retry_cnt <= MAX_RETRIES) ++ goto retry; ++ + ret = -EIO; + } + +@@ -2331,6 +2336,7 @@ static int __xipram do_erase_oneblock(st + unsigned long timeo = jiffies + HZ; + DECLARE_WAITQUEUE(wait, current); + int ret = 0; ++ int retry_cnt = 0; + + adr += chip->start; + +@@ -2348,6 +2354,7 @@ static int __xipram do_erase_oneblock(st + ENABLE_VPP(map); + xip_disable(map, chip, adr); + ++ retry: + cfi_send_gen_cmd(0xAA, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x55, cfi->addr_unlock2, chip->start, map, cfi, cfi->device_type, NULL); + cfi_send_gen_cmd(0x80, cfi->addr_unlock1, chip->start, map, cfi, cfi->device_type, NULL); +@@ -2405,6 +2412,9 @@ static int __xipram do_erase_oneblock(st + map_write( map, CMD(0xF0), chip->start ); + /* FIXME - should have reset delay before continuing */ + ++ if (++retry_cnt <= MAX_RETRIES) ++ goto retry; ++ + ret = -EIO; + } + diff --git a/queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch b/queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch new file mode 100644 index 00000000000..859ed6f8eee --- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch 
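Review bot: In do_erase_chip() and do_erase_oneblock() the new `goto retry` comes straight after `map_write( map, CMD(0xF0), chip->start );`, and the FIXME between the two already says a reset delay is missing. With the retry added, the unlock sequence at `retry:` can be sent while the chip may still be handling the reset, so the extra attempts can fail for that reason alone. The delay the FIXME asks for should go between the reset write and `if (++retry_cnt <= MAX_RETRIES)`. Its length has to come from the flash datasheet and is not something these hunks show. Both function bodies extend beyond the hunks, so how the timeout is re-armed after the label should be checked as well.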
@@ -0,0 +1,45 @@ +From dfeae1073583dc35c33b32150e18b7048bbb37e6 Mon Sep 17 00:00:00 2001 +From: Tokunori Ikegami +Date: Wed, 30 May 2018 18:32:26 +0900 +Subject: mtd: cfi_cmdset_0002: Change write buffer to check correct value + +From: Tokunori Ikegami + +commit dfeae1073583dc35c33b32150e18b7048bbb37e6 upstream. + +For the word write it is checked if the chip has the correct value. +But it is not checked for the write buffer as only checked if ready. +To make sure for the write buffer change to check the value. + +It is enough as this patch is only checking the last written word. +Since it is described by data sheets to check the operation status. + +Signed-off-by: Tokunori Ikegami +Reviewed-by: Joakim Tjernlund +Cc: Chris Packham +Cc: Brian Norris +Cc: David Woodhouse +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: Cyrille Pitchen +Cc: linux-mtd@lists.infradead.org +Cc: stable@vger.kernel.org +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -1880,7 +1880,7 @@ static int __xipram do_write_buffer(stru + if (time_after(jiffies, timeo) && !chip_ready(map, adr)) + break; + +- if (chip_ready(map, adr)) { ++ if (chip_good(map, adr, datum)) { + xip_enable(map, chip, adr); + goto op_done; + } diff --git a/queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch b/queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch new file mode 100644 index 00000000000..20a9e3c3179 --- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch 
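Review bot: The timeout test just above the changed line in do_write_buffer() still reads `if (time_after(jiffies, timeo) && !chip_ready(map, adr)) break;`, so the two exits of the wait loop no longer use the same predicate. A chip that reports ready but does not hold `datum` fails the new `chip_good()` test and also fails the timeout test, so from the visible lines neither exit is taken and the wait may never end. The timeout condition should match the success condition: `if (time_after(jiffies, timeo) && !chip_good(map, adr, datum)) break;`. The rest of the loop is outside the hunk, so this should be confirmed against the full function.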
@@ -0,0 +1,54 @@ +From 5fdfc3dbad099281bf027a353d5786c09408a8e5 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:28 +0200 +Subject: mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips + +From: Joakim Tjernlund + +commit 5fdfc3dbad099281bf027a353d5786c09408a8e5 upstream. + +cfi_ppb_unlock() tries to relock all sectors that were locked before +unlocking the whole chip. +This locking used the chip start address + the FULL offset from the +first flash chip, thereby forming an illegal address. Fix that by using +the chip offset(adr). + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2545,7 +2545,7 @@ static int cfi_atmel_unlock(struct mtd_i + + struct ppb_lock { + struct flchip *chip; +- loff_t offset; ++ unsigned long adr; + int locked; + }; + +@@ -2681,7 +2681,7 @@ static int __maybe_unused cfi_ppb_unlock + */ + if ((adr < ofs) || (adr >= (ofs + len))) { + sect[sectors].chip = &cfi->chips[chipnum]; +- sect[sectors].offset = offset; ++ sect[sectors].adr = adr; + sect[sectors].locked = do_ppb_xxlock( + map, &cfi->chips[chipnum], adr, 0, + DO_XXLOCK_ONEBLOCK_GETLOCK); +@@ -2725,7 +2725,7 @@ static int __maybe_unused cfi_ppb_unlock + */ + for (i = 0; i < sectors; i++) { + if (sect[i].locked) +- do_ppb_xxlock(map, sect[i].chip, sect[i].offset, 0, ++ do_ppb_xxlock(map, sect[i].chip, sect[i].adr, 0, + DO_XXLOCK_ONEBLOCK_LOCK); + } + diff --git a/queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch b/queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch new file mode 100644 index 00000000000..4388b0d0878 
--- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch @@ -0,0 +1,36 @@ +From 0cd8116f172eed018907303dbff5c112690eeb91 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:29 +0200 +Subject: mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary + +From: Joakim Tjernlund + +commit 0cd8116f172eed018907303dbff5c112690eeb91 upstream. + +The "sector is in requested range" test used to determine whether +sectors should be re-locked or not is done on a variable that is reset +everytime we cross a chip boundary, which can lead to some blocks being +re-locked while the caller expect them to be unlocked. +Fix the check to make sure this cannot happen. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2679,7 +2679,7 @@ static int __maybe_unused cfi_ppb_unlock + * sectors shall be unlocked, so lets keep their locking + * status at "unlocked" (locked=0) for the final re-locking. + */ +- if ((adr < ofs) || (adr >= (ofs + len))) { ++ if ((offset < ofs) || (offset >= (ofs + len))) { + sect[sectors].chip = &cfi->chips[chipnum]; + sect[sectors].adr = adr; + sect[sectors].locked = do_ppb_xxlock( diff --git a/queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch b/queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch new file mode 100644 index 00000000000..b47eb1dc4d5 --- /dev/null +++ b/queue-4.14/mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch 
@@ -0,0 +1,57 @@ +From f93aa8c4de307069c270b2d81741961162bead6c Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Wed, 6 Jun 2018 12:13:27 +0200 +Subject: mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock() + +From: Joakim Tjernlund + +commit f93aa8c4de307069c270b2d81741961162bead6c upstream. + +do_ppb_xxlock() fails to add chip->start when querying for lock status +(and chip_ready test), which caused false status reports. +Fix that by adding adr += chip->start and adjust call sites +accordingly. + +Fixes: 1648eaaa1575 ("mtd: cfi_cmdset_0002: Support Persistent Protection Bits (PPB) locking") +Cc: stable@vger.kernel.org +Signed-off-by: Joakim Tjernlund +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/chips/cfi_cmdset_0002.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/chips/cfi_cmdset_0002.c ++++ b/drivers/mtd/chips/cfi_cmdset_0002.c +@@ -2563,8 +2563,9 @@ static int __maybe_unused do_ppb_xxlock( + unsigned long timeo; + int ret; + ++ adr += chip->start; + mutex_lock(&chip->mutex); +- ret = get_chip(map, chip, adr + chip->start, FL_LOCKING); ++ ret = get_chip(map, chip, adr, FL_LOCKING); + if (ret) { + mutex_unlock(&chip->mutex); + return ret; +@@ -2582,8 +2583,8 @@ static int __maybe_unused do_ppb_xxlock( + + if (thunk == DO_XXLOCK_ONEBLOCK_LOCK) { + chip->state = FL_LOCKING; +- map_write(map, CMD(0xA0), chip->start + adr); +- map_write(map, CMD(0x00), chip->start + adr); ++ map_write(map, CMD(0xA0), adr); ++ map_write(map, CMD(0x00), adr); + } else if (thunk == DO_XXLOCK_ONEBLOCK_UNLOCK) { + /* + * Unlocking of one specific sector is not supported, so we +@@ -2621,7 +2622,7 @@ static int __maybe_unused do_ppb_xxlock( + map_write(map, CMD(0x00), chip->start); + + chip->state = FL_READY; +- put_chip(map, chip, adr + chip->start); ++ put_chip(map, chip, adr); + mutex_unlock(&chip->mutex); + + return ret; 
diff --git a/queue-4.14/of-overlay-validate-offset-from-property-fixups.patch b/queue-4.14/of-overlay-validate-offset-from-property-fixups.patch new file mode 100644 index 00000000000..ffeead9c7a1 --- /dev/null +++ b/queue-4.14/of-overlay-validate-offset-from-property-fixups.patch @@ -0,0 +1,41 @@ +From 482137bf2aecd887ebfa8756456764a2f6a0e545 Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Wed, 16 May 2018 21:19:51 -0700 +Subject: of: overlay: validate offset from property fixups + +From: Frank Rowand + +commit 482137bf2aecd887ebfa8756456764a2f6a0e545 upstream. + +The smatch static checker marks the data in offset as untrusted, +leading it to warn: + + drivers/of/resolver.c:125 update_usages_of_a_phandle_reference() + error: buffer underflow 'prop->value' 's32min-s32max' + +Add check to verify that offset is within the property data. + +Reported-by: Dan Carpenter +Signed-off-by: Frank Rowand +Cc: +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/resolver.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/of/resolver.c ++++ b/drivers/of/resolver.c +@@ -129,6 +129,11 @@ static int update_usages_of_a_phandle_re + goto err_fail; + } + ++ if (offset < 0 || offset + sizeof(__be32) > prop->length) { ++ err = -EINVAL; ++ goto err_fail; ++ } ++ + *(__be32 *)(prop->value + offset) = cpu_to_be32(phandle); + } + diff --git a/queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch b/queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch new file mode 100644 index 00000000000..612e4390182 --- /dev/null +++ b/queue-4.14/of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch 
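Review bot: The new bound in update_usages_of_a_phandle_reference() keeps the write inside `prop->value`, but the store on the next line, `*(__be32 *)(prop->value + offset)`, still accepts any byte offset, including one that is not 4-byte aligned. The offset comes from fixup data that the description treats as untrusted, so the store can be an unaligned 32-bit access through a cast pointer. Writing it as `put_unaligned_be32(phandle, prop->value + offset);` avoids that without rejecting packed properties. The check also compares `offset` with a `size_t` sum, which is safe only because `offset < 0` is tested first; a short comment saying so would stop the two tests from being reordered. The declarations of `offset` and `prop` are outside the hunk.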
@@ -0,0 +1,120 @@ +From 522811e944ed9b36806faa019faec10f9d259cca Mon Sep 17 00:00:00 2001 +From: Srinivas Kandagatla +Date: Mon, 4 Jun 2018 15:14:08 +0100 +Subject: of: platform: stop accessing invalid dev in of_platform_device_destroy + +From: Srinivas Kandagatla + +commit 522811e944ed9b36806faa019faec10f9d259cca upstream. + +Immediately after the platform_device_unregister() the device will be +cleaned up. Accessing the freed pointer immediately after that will +crash the system. + +Found this bug when kernel is built with CONFIG_PAGE_POISONING and testing +loading/unloading audio drivers in a loop on Qcom platforms. + +Fix this by moving of_node_clear_flag() just before the unregister calls. + +Below is the crash trace: + +Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c03 +Mem abort info: + ESR = 0x96000021 + Exception class = DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 +Data abort info: + ISV = 0, ISS = 0x00000021 + CM = 0, WnR = 0 +[006b6b6b6b6b6c03] address between user and kernel address ranges +Internal error: Oops: 96000021 [#1] PREEMPT SMP +Modules linked in: +CPU: 2 PID: 1784 Comm: sh Tainted: G W 4.17.0-rc7-02230-ge3a63a7ef641-dirty #204 +Hardware name: Qualcomm Technologies, Inc. 
APQ 8016 SBC (DT) +pstate: 80000005 (Nzcv daif -PAN -UAO) +pc : clear_bit+0x18/0x2c +lr : of_platform_device_destroy+0x64/0xb8 +sp : ffff00000c9c3930 +x29: ffff00000c9c3930 x28: ffff80003d39b200 +x27: ffff000008bb1000 x26: 0000000000000040 +x25: 0000000000000124 x24: ffff80003a9a3080 +x23: 0000000000000060 x22: ffff00000939f518 +x21: ffff80003aa79e98 x20: ffff80003aa3dae0 +x19: ffff80003aa3c890 x18: ffff800009feb794 +x17: 0000000000000000 x16: 0000000000000000 +x15: ffff800009feb790 x14: 0000000000000000 +x13: ffff80003a058778 x12: ffff80003a058728 +x11: ffff80003a058750 x10: 0000000000000000 +x9 : 0000000000000006 x8 : ffff80003a825988 +x7 : bbbbbbbbbbbbbbbb x6 : 0000000000000001 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : 0000000000000008 x2 : 0000000000000001 +x1 : 6b6b6b6b6b6b6c03 x0 : 0000000000000000 +Process sh (pid: 1784, stack limit = 0x (ptrval)) +Call trace: + clear_bit+0x18/0x2c + q6afe_remove+0x20/0x38 + apr_device_remove+0x30/0x70 + device_release_driver_internal+0x170/0x208 + device_release_driver+0x14/0x20 + bus_remove_device+0xcc/0x150 + device_del+0x10c/0x310 + device_unregister+0x1c/0x70 + apr_remove_device+0xc/0x18 + device_for_each_child+0x50/0x80 + apr_remove+0x18/0x20 + rpmsg_dev_remove+0x38/0x68 + device_release_driver_internal+0x170/0x208 + device_release_driver+0x14/0x20 + bus_remove_device+0xcc/0x150 + device_del+0x10c/0x310 + device_unregister+0x1c/0x70 + qcom_smd_remove_device+0xc/0x18 + device_for_each_child+0x50/0x80 + qcom_smd_unregister_edge+0x3c/0x70 + smd_subdev_remove+0x18/0x28 + rproc_stop+0x48/0xd8 + rproc_shutdown+0x60/0xe8 + state_store+0xbc/0xf8 + dev_attr_store+0x18/0x28 + sysfs_kf_write+0x3c/0x50 + kernfs_fop_write+0x118/0x1e0 + __vfs_write+0x18/0x110 + vfs_write+0xa4/0x1a8 + ksys_write+0x48/0xb0 + sys_write+0xc/0x18 + el0_svc_naked+0x30/0x34 +Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22) +---[ end trace 32020935775616a2 ]--- + +Signed-off-by: Srinivas Kandagatla +Cc: stable@vger.kernel.org +Signed-off-by: 
Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/platform.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/of/platform.c ++++ b/drivers/of/platform.c +@@ -533,6 +533,9 @@ int of_platform_device_destroy(struct de + if (of_node_check_flag(dev->of_node, OF_POPULATED_BUS)) + device_for_each_child(dev, NULL, of_platform_device_destroy); + ++ of_node_clear_flag(dev->of_node, OF_POPULATED); ++ of_node_clear_flag(dev->of_node, OF_POPULATED_BUS); ++ + if (dev->bus == &platform_bus_type) + platform_device_unregister(to_platform_device(dev)); + #ifdef CONFIG_ARM_AMBA +@@ -540,8 +543,6 @@ int of_platform_device_destroy(struct de + amba_device_unregister(to_amba_device(dev)); + #endif + +- of_node_clear_flag(dev->of_node, OF_POPULATED); +- of_node_clear_flag(dev->of_node, OF_POPULATED_BUS); + return 0; + } + EXPORT_SYMBOL_GPL(of_platform_device_destroy); diff --git a/queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch b/queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch new file mode 100644 index 00000000000..07767fe5513 --- /dev/null +++ b/queue-4.14/of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch 
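Review bot: Nothing at the moved `of_node_clear_flag()` calls in of_platform_device_destroy() records why they must come before the unregister calls. According to the description the device is cleaned up as soon as `platform_device_unregister()` returns, so the ordering is the whole fix and is easy to undo in a later cleanup. I would add `/* Clear the flags first: dev may be freed by the unregister calls below */` above the two calls. The same reasoning covers the `amba_device_unregister()` path in the second hunk; the start of the function is outside the hunks.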
@@ -0,0 +1,63 @@ +From 3b9cf7905fe3ab35ab437b5072c883e609d3498d Mon Sep 17 00:00:00 2001 +From: Stefan M Schaeckeler +Date: Mon, 21 May 2018 16:26:14 -0700 +Subject: of: unittest: for strings, account for trailing \0 in property length field + +From: Stefan M Schaeckeler + +commit 3b9cf7905fe3ab35ab437b5072c883e609d3498d upstream. + +For strings, account for trailing \0 in property length field: + +This is consistent with how dtc builds string properties. + +Function __of_prop_dup() would misbehave on such properties as it duplicates +properties based on the property length field creating new string values +without trailing \0s. + +Signed-off-by: Stefan M Schaeckeler +Reviewed-by: Frank Rowand +Tested-by: Frank Rowand +Cc: +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/unittest.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/of/unittest.c ++++ b/drivers/of/unittest.c +@@ -164,20 +164,20 @@ static void __init of_unittest_dynamic(v + /* Add a new property - should pass*/ + prop->name = "new-property"; + prop->value = "new-property-data"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) == 0, "Adding a new property failed\n"); + + /* Try to add an existing property - should fail */ + prop++; + prop->name = "new-property"; + prop->value = "new-property-data-should-fail"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_add_property(np, prop) != 0, + "Adding an existing property should have failed\n"); + + /* Try to modify an existing property - should pass */ + prop->value = "modify-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating an existing property should have passed\n"); + +@@ -185,7 +185,7 @@ static void __init of_unittest_dynamic(v + prop++; + prop->name = 
"modify-property"; + prop->value = "modify-missing-property-data-should-pass"; +- prop->length = strlen(prop->value); ++ prop->length = strlen(prop->value) + 1; + unittest(of_update_property(np, prop) == 0, + "Updating a missing property should have passed\n"); + diff --git a/queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch b/queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch new file mode 100644 index 00000000000..ae4eff36888 --- /dev/null +++ b/queue-4.14/pci-add-acs-quirk-for-intel-300-series.patch 
@@ -0,0 +1,43 @@ +From f154a718e6cc0d834f5ac4dc4c3b174e65f3659e Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Fri, 27 Apr 2018 13:06:30 -0500 +Subject: PCI: Add ACS quirk for Intel 300 series + +From: Mika Westerberg + +commit f154a718e6cc0d834f5ac4dc4c3b174e65f3659e upstream. + +Intel 300 series chipset still has the same ACS issue as the previous +generations so extend the ACS quirk to cover it as well. + +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4388,6 +4388,11 @@ static int pci_quirk_qcom_rp_acs(struct + * + * 0x9d10-0x9d1b PCI Express Root port #{1-12} + * ++ * The 300 series chipset suffers from the same bug so include those root ++ * ports here as well. ++ * ++ * 0xa32c-0xa343 PCI Express Root port #{0-24} ++ * + * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html + * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html + * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html +@@ -4405,6 +4410,7 @@ static bool pci_quirk_intel_spt_pch_acs_ + case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */ + case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */ + case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */ ++ case 0xa32c ... 0xa343: /* 300 series */ + return true; + } + diff --git a/queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch b/queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch new file mode 100644 index 00000000000..a8159a4ff53 --- /dev/null +++ b/queue-4.14/pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch 
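Review bot: The added comment line `0xa32c-0xa343 PCI Express Root port #{0-24}` does not agree with the range it documents: 0xa32c through 0xa343 is 24 device IDs, while `#{0-24}` names 25 ports. pci_quirk_intel_spt_pch_acs_match() decides which root ports receive the ACS quirk, so a reader should be able to check the range against the datasheet from the comment alone. I would write it as `0xa32c-0xa343 PCI Express Root port #{1-24}` if the datasheet numbers the ports from 1. The hunk also adds no numbered reference for the 300 series document next to the existing ones, and one should be added.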
@@ -0,0 +1,56 @@ +From e8440f4bfedc623bee40c84797ac78d9303d0db6 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 25 Apr 2018 14:27:37 -0600 +Subject: PCI: Add ACS quirk for Intel 7th & 8th Gen mobile + +From: Alex Williamson + +commit e8440f4bfedc623bee40c84797ac78d9303d0db6 upstream. + +The specification update indicates these have the same errata for +implementing non-standard ACS capabilities. + +Signed-off-by: Alex Williamson +Signed-off-by: Bjorn Helgaas +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -4377,11 +4377,24 @@ static int pci_quirk_qcom_rp_acs(struct + * 0xa290-0xa29f PCI Express Root port #{0-16} + * 0xa2e7-0xa2ee PCI Express Root port #{17-24} + * ++ * Mobile chipsets are also affected, 7th & 8th Generation ++ * Specification update confirms ACS errata 22, status no fix: (7th Generation ++ * Intel Processor Family I/O for U/Y Platforms and 8th Generation Intel ++ * Processor Family I/O for U Quad Core Platforms Specification Update, ++ * August 2017, Revision 002, Document#: 334660-002)[6] ++ * Device IDs from I/O datasheet: (7th Generation Intel Processor Family I/O ++ * for U/Y Platforms and 8th Generation Intel ® Processor Family I/O for U ++ * Quad Core Platforms, Vol 1 of 2, August 2017, Document#: 334658-003)[7] ++ * ++ * 0x9d10-0x9d1b PCI Express Root port #{1-12} ++ * + * [1] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-2.html + * [2] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-datasheet-vol-1.html + * [3] http://www.intel.com/content/www/us/en/chipsets/100-series-chipset-spec-update.html + * [4] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-spec-update.html + * [5] http://www.intel.com/content/www/us/en/chipsets/200-series-chipset-pch-datasheet-vol-1.html ++ * [6] 
https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-spec-update.html ++ * [7] https://www.intel.com/content/www/us/en/processors/core/7th-gen-core-family-mobile-u-y-processor-lines-i-o-datasheet-vol-1.html + */ + static bool pci_quirk_intel_spt_pch_acs_match(struct pci_dev *dev) + { +@@ -4391,6 +4404,7 @@ static bool pci_quirk_intel_spt_pch_acs_ + switch (dev->device) { + case 0xa110 ... 0xa11f: case 0xa167 ... 0xa16a: /* Sunrise Point */ + case 0xa290 ... 0xa29f: case 0xa2e7 ... 0xa2ee: /* Union Point */ ++ case 0x9d10 ... 0x9d1b: /* 7th & 8th Gen Mobile */ + return true; + } + diff --git a/queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch b/queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch new file mode 100644 index 00000000000..89d15fe4c12 --- /dev/null +++ b/queue-4.14/pci-hv-make-sure-the-bus-domain-is-really-unique.patch 
@@ -0,0 +1,67 @@ +From 29927dfb7f69bcf2ae7fd1cda10997e646a5189c Mon Sep 17 00:00:00 2001 +From: Sridhar Pitchai +Date: Tue, 1 May 2018 17:56:32 +0000 +Subject: PCI: hv: Make sure the bus domain is really unique + +From: Sridhar Pitchai + +commit 29927dfb7f69bcf2ae7fd1cda10997e646a5189c upstream. + +When Linux runs as a guest VM in Hyper-V and Hyper-V adds the virtual PCI +bus to the guest, Hyper-V always provides unique PCI domain. + +commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain") +overrode unique domain with the serial number of the first device added to +the virtual PCI bus. + +The reason for that patch was to have a consistent and short name for the +device, but Hyper-V doesn't provide unique serial numbers. Using non-unique +serial numbers as domain IDs leads to duplicate device addresses, which +causes PCI bus registration to fail. + +commit 0c195567a8f6 ("netvsc: transparent VF management") avoids the need +for commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI +domain"). When scripts were used to configure VF devices, the name of +the VF needed to be consistent and short, but with commit 0c195567a8f6 +("netvsc: transparent VF management") all the setup is done in the kernel, +and we do not need to maintain consistent name. + +Revert commit 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI +domain") so we can reliably support multiple devices being assigned to +a guest. + +Tag the patch for stable kernels containing commit 0c195567a8f6 +("netvsc: transparent VF management"). 
+ +Fixes: 4a9b0933bdfc ("PCI: hv: Use device serial number as PCI domain") +Signed-off-by: Sridhar Pitchai +[lorenzo.pieralisi@arm.com: trimmed commit log] +Signed-off-by: Lorenzo Pieralisi +Cc: stable@vger.kernel.org # v4.14+ +Reviewed-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-hyperv.c | 11 ----------- + 1 file changed, 11 deletions(-) + +--- a/drivers/pci/host/pci-hyperv.c ++++ b/drivers/pci/host/pci-hyperv.c +@@ -1610,17 +1610,6 @@ static struct hv_pci_dev *new_pcichild_d + get_pcichild(hpdev, hv_pcidev_ref_childlist); + spin_lock_irqsave(&hbus->device_list_lock, flags); + +- /* +- * When a device is being added to the bus, we set the PCI domain +- * number to be the device serial number, which is non-zero and +- * unique on the same VM. The serial numbers start with 1, and +- * increase by 1 for each device. So device names including this +- * can have shorter names than based on the bus instance UUID. +- * Only the first device serial number is used for domain, so the +- * domain number will not change after the first device is added. +- */ +- if (list_empty(&hbus->children)) +- hbus->sysdata.domain = desc->ser; + list_add_tail(&hpdev->list_entry, &hbus->children); + spin_unlock_irqrestore(&hbus->device_list_lock, flags); + return hpdev; diff --git a/queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch b/queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch new file mode 100644 index 00000000000..a21d8f4be54 --- /dev/null +++ b/queue-4.14/pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch 
@@ -0,0 +1,83 @@ +From 13c65840feab8109194f9490c9870587173cb29d Mon Sep 17 00:00:00 2001 +From: Mika Westerberg +Date: Wed, 23 May 2018 17:14:39 -0500 +Subject: PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume + +From: Mika Westerberg + +commit 13c65840feab8109194f9490c9870587173cb29d upstream. + +After a suspend/resume cycle the Presence Detect or Data Link Layer Status +Changed bits might be set. If we don't clear them those events will not +fire anymore and nothing happens for instance when a device is now +hot-unplugged. + +Fix this by clearing those bits in a newly introduced function +pcie_reenable_notification(). This should be fine because immediately +after, we check if the adapter is still present by reading directly from +the status register. + +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Andy Shevchenko +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp.h | 2 +- + drivers/pci/hotplug/pciehp_core.c | 2 +- + drivers/pci/hotplug/pciehp_hpc.c | 13 ++++++++++++- + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/pci/hotplug/pciehp.h ++++ b/drivers/pci/hotplug/pciehp.h +@@ -134,7 +134,7 @@ struct controller *pcie_init(struct pcie + int pcie_init_notification(struct controller *ctrl); + int pciehp_enable_slot(struct slot *p_slot); + int pciehp_disable_slot(struct slot *p_slot); +-void pcie_enable_notification(struct controller *ctrl); ++void pcie_reenable_notification(struct controller *ctrl); + int pciehp_power_on_slot(struct slot *slot); + void pciehp_power_off_slot(struct slot *slot); + void pciehp_get_power_status(struct slot *slot, u8 *status); +--- a/drivers/pci/hotplug/pciehp_core.c ++++ b/drivers/pci/hotplug/pciehp_core.c +@@ -297,7 +297,7 @@ static int pciehp_resume(struct pcie_dev + ctrl = get_service_data(dev); + + /* reinitialize the chipset's event detection logic */ +- 
pcie_enable_notification(ctrl); ++ pcie_reenable_notification(ctrl); + + slot = ctrl->slot; + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -676,7 +676,7 @@ static irqreturn_t pcie_isr(int irq, voi + return handled; + } + +-void pcie_enable_notification(struct controller *ctrl) ++static void pcie_enable_notification(struct controller *ctrl) + { + u16 cmd, mask; + +@@ -714,6 +714,17 @@ void pcie_enable_notification(struct con + pci_pcie_cap(ctrl->pcie->port) + PCI_EXP_SLTCTL, cmd); + } + ++void pcie_reenable_notification(struct controller *ctrl) ++{ ++ /* ++ * Clear both Presence and Data Link Layer Changed to make sure ++ * those events still fire after we have re-enabled them. ++ */ ++ pcie_capability_write_word(ctrl->pcie->port, PCI_EXP_SLTSTA, ++ PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC); ++ pcie_enable_notification(ctrl); ++} ++ + static void pcie_disable_notification(struct controller *ctrl) + { + u16 mask; diff --git a/queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch b/queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch new file mode 100644 index 00000000000..33980759a88 --- /dev/null +++ b/queue-4.14/powerpc-fadump-unregister-fadump-on-kexec-down-path.patch 
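Review bot: The comment in the new pcie_reenable_notification() does not say what happens to an event that was latched while the system was suspended: writing `PCI_EXP_SLTSTA_PDC | PCI_EXP_SLTSTA_DLLSC` discards it, and only the commit text explains that the caller re-reads presence from the status register afterwards. I would extend the comment with something like `* Events latched during suspend are dropped here; pciehp_resume() re-reads the slot status right after.` pciehp_resume() continues outside the hunk, so whether a link-state change (DLLSC) is recovered in the same way as presence cannot be confirmed from here and is worth checking.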
@@ -0,0 +1,39 @@ +From 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 Mon Sep 17 00:00:00 2001 +From: Mahesh Salgaonkar +Date: Fri, 27 Apr 2018 11:53:18 +0530 +Subject: powerpc/fadump: Unregister fadump on kexec down path. + +From: Mahesh Salgaonkar + +commit 722cde76d68e8cc4f3de42e71c82fd40dea4f7b9 upstream. + +Unregister fadump on kexec down path otherwise the fadump registration +in new kexec-ed kernel complains that fadump is already registered. +This makes new kernel to continue using fadump registered by previous +kernel which may lead to invalid vmcore generation. Hence this patch +fixes this issue by un-registering fadump in fadump_cleanup() which is +called during kexec path so that new kernel can register fadump with +new valid values. + +Fixes: b500afff11f6 ("fadump: Invalidate registration and release reserved memory for general use.") +Cc: stable@vger.kernel.org # v3.4+ +Signed-off-by: Mahesh Salgaonkar +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/fadump.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/kernel/fadump.c ++++ b/arch/powerpc/kernel/fadump.c +@@ -1155,6 +1155,9 @@ void fadump_cleanup(void) + init_fadump_mem_struct(&fdm, + be64_to_cpu(fdm_active->cpu_state_data.destination_address)); + fadump_invalidate_dump(&fdm); ++ } else if (fw_dump.dump_registered) { ++ /* Un-register Firmware-assisted dump if it was registered. */ ++ fadump_unregister_dump(&fdm); + } + } + diff --git a/queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch b/queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch new file mode 100644 index 00000000000..fde73b6a60f --- /dev/null +++ b/queue-4.14/powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch 
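Review bot: The new `else if (fw_dump.dump_registered)` branch in fadump_cleanup() discards whatever `fadump_unregister_dump(&fdm)` reports, so a failed unregister would leave the stale registration that this patch is meant to remove, with no trace at the call site. The helper's signature is outside the hunk; if it returns a status, checking it here and logging on failure, e.g. `if (fadump_unregister_dump(&fdm)) pr_warn("fadump: unregister before kexec failed\n");`, would make the "invalid vmcore" case from the commit text diagnosable. fadump_cleanup() starts outside the hunk.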
@@ -0,0 +1,63 @@ +From 91d06971881f71d945910de128658038513d1b24 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Wed, 30 May 2018 18:48:04 +0530 +Subject: powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch + +From: Aneesh Kumar K.V + +commit 91d06971881f71d945910de128658038513d1b24 upstream. + +Currently we do not have an isync, or any other context synchronizing +instruction prior to the slbie/slbmte in _switch() that updates the +SLB entry for the kernel stack. + +However that is not correct as outlined in the ISA. + +From Power ISA Version 3.0B, Book III, Chapter 11, page 1133: + + "Changing the contents of ... the contents of SLB entries ... can + have the side effect of altering the context in which data + addresses and instruction addresses are interpreted, and in which + instructions are executed and data accesses are performed. + ... + These side effects need not occur in program order, and therefore + may require explicit synchronization by software. + ... + The synchronizing instruction before the context-altering + instruction ensures that all instructions up to and including that + synchronizing instruction are fetched and executed in the context + that existed before the alteration." + +And page 1136: + + "For data accesses, the context synchronizing instruction before the + slbie, slbieg, slbia, slbmte, tlbie, or tlbiel instruction ensures + that all preceding instructions that access data storage have + completed to a point at which they have reported all exceptions + they will cause." + +We're not aware of any bugs caused by this, but it should be fixed +regardless. + +Add the missing isync when updating kernel stack SLB entry. 
+ +Cc: stable@vger.kernel.org +Signed-off-by: Aneesh Kumar K.V +[mpe: Flesh out change log with more ISA text & explanation] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/entry_64.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -597,6 +597,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_1T_SEG + * actually hit this code path. + */ + ++ isync + slbie r6 + slbie r6 /* Workaround POWER5 < DD2.1 issue */ + slbmte r7,r0 diff --git a/queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch b/queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch new file mode 100644 index 00000000000..061cb08fe5e --- /dev/null +++ b/queue-4.14/powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch 
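Review bot: The added `isync` carries no comment, and the existing comment block above it (which ends outside the hunk) is about a different subject, so the reason for the barrier lives only in the commit message. A one-line note at the instruction would keep it from being removed as redundant later: `isync	/* context-synchronise before altering the kernel stack SLB entry */`.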
@@ -0,0 +1,92 @@ +From d2032678e57fc508d7878307badde8f89b632ba3 Mon Sep 17 00:00:00 2001 +From: Anju T Sudhakar +Date: Wed, 16 May 2018 12:05:18 +0530 +Subject: powerpc/perf: Fix memory allocation for core-imc based on num_possible_cpus() + +From: Anju T Sudhakar + +commit d2032678e57fc508d7878307badde8f89b632ba3 upstream. + +Currently memory is allocated for core-imc based on cpu_present_mask, +which has bit 'cpu' set iff cpu is populated. We use (cpu number / threads +per core) as the array index to access the memory. + +Under some circumstances firmware marks a CPU as GUARDed CPU and boot the +system, until cleared of errors, these CPU's are unavailable for all +subsequent boots. GUARDed CPUs are possible but not present from linux +view, so it blows a hole when we assume the max length of our allocation +is driven by our max present cpus, where as one of the cpus might be online +and be beyond the max present cpus, due to the hole. +So (cpu number / threads per core) value bounds the array index and leads +to memory overflow. + +Call trace observed during a guard test: + +Faulting instruction address: 0xc000000000149f1c +cpu 0x69: Vector: 380 (Data Access Out of Range) at [c000003fea303420] + pc:c000000000149f1c: prefetch_freepointer+0x14/0x30 + lr:c00000000014e0f8: __kmalloc+0x1a8/0x1ac + sp:c000003fea3036a0 + msr:9000000000009033 + dar:c9c54b2c91dbf6b7 + current = 0xc000003fea2c0000 + paca = 0xc00000000fddd880 softe: 3 irq_happened: 0x01 + pid = 1, comm = swapper/104 +Linux version 4.16.7-openpower1 (smc@smc-desktop) (gcc version 6.4.0 +(Buildroot 2018.02.1-00006-ga8d1126)) #2 SMP Fri May 4 16:44:54 PDT 2018 +enter ? 
for help +call trace: + __kmalloc+0x1a8/0x1ac + (unreliable) + init_imc_pmu+0x7f4/0xbf0 + opal_imc_counters_probe+0x3fc/0x43c + platform_drv_probe+0x48/0x80 + driver_probe_device+0x22c/0x308 + __driver_attach+0xa0/0xd8 + bus_for_each_dev+0x88/0xb4 + driver_attach+0x2c/0x40 + bus_add_driver+0x1e8/0x228 + driver_register+0xd0/0x114 + __platform_driver_register+0x50/0x64 + opal_imc_driver_init+0x24/0x38 + do_one_initcall+0x150/0x15c + kernel_init_freeable+0x250/0x254 + kernel_init+0x1c/0x150 + ret_from_kernel_thread+0x5c/0xc8 + +Allocating memory for core-imc based on cpu_possible_mask, which has +bit 'cpu' set iff cpu is populatable, will fix this issue. + +Reported-by: Pridhiviraj Paidipeddi +Signed-off-by: Anju T Sudhakar +Reviewed-by: Balbir Singh +Tested-by: Pridhiviraj Paidipeddi +Fixes: 39a846db1d57 ("powerpc/perf: Add core IMC PMU support") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/perf/imc-pmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/perf/imc-pmu.c ++++ b/arch/powerpc/perf/imc-pmu.c +@@ -1131,7 +1131,7 @@ static int init_nest_pmu_ref(void) + + static void cleanup_all_core_imc_memory(void) + { +- int i, nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core); ++ int i, nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core); + struct imc_mem_info *ptr = core_imc_pmu->mem_info; + int size = core_imc_pmu->counter_mem_size; + +@@ -1239,7 +1239,7 @@ static int imc_mem_init(struct imc_pmu * + if (!pmu_ptr->pmu.name) + return -ENOMEM; + +- nr_cores = DIV_ROUND_UP(num_present_cpus(), threads_per_core); ++ nr_cores = DIV_ROUND_UP(num_possible_cpus(), threads_per_core); + pmu_ptr->mem_info = kcalloc(nr_cores, sizeof(struct imc_mem_info), + GFP_KERNEL); + 
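Review bot: `num_possible_cpus()` is the number of bits set in the possible mask, not the highest CPU number plus one, while the commit text says the array is indexed by (cpu number / threads per core). If the possible mask can ever be sparse, `nr_cores` in imc_mem_init() is still smaller than the largest index and the same out-of-range write can recur. Sizing from the id space instead, `nr_cores = DIV_ROUND_UP(nr_cpu_ids, threads_per_core);`, bounds every possible index; the same change applies to cleanup_all_core_imc_memory(). Both functions continue outside their hunks, so the indexing itself is not visible here.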
diff --git a/queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch b/queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch new file mode 100644 index 00000000000..cdfd7301f4c --- /dev/null +++ b/queue-4.14/powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch @@ -0,0 +1,34 @@ +From 75743649064ec0cf5ddd69f240ef23af66dde16e Mon Sep 17 00:00:00 2001 +From: Haren Myneni +Date: Mon, 4 Jun 2018 18:33:38 +1000 +Subject: powerpc/powernv: copy/paste - Mask SO bit in CR + +From: Haren Myneni + +commit 75743649064ec0cf5ddd69f240ef23af66dde16e upstream. + +NX can set the 3rd bit in CR register for XER[SO] (Summary overflow) +which is not related to paste request. The current paste function +returns failure for a successful request when this bit is set. So mask +this bit and check the proper return status. + +Fixes: 2392c8c8c045 ("powerpc/powernv/vas: Define copy/paste interfaces") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Haren Myneni +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/copy-paste.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/copy-paste.h ++++ b/arch/powerpc/platforms/powernv/copy-paste.h +@@ -42,5 +42,6 @@ static inline int vas_paste(void *paste_ + : "b" (offset), "b" (paste_address) + : "memory", "cr0"); + +- return (cr >> CR0_SHIFT) & CR0_MASK; ++ /* We mask with 0xE to ignore SO */ ++ return (cr >> CR0_SHIFT) & 0xE; + } diff --git a/queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch b/queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch new file mode 100644 index 00000000000..f34c0957c2e --- /dev/null +++ b/queue-4.14/powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch 
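Review bot: The return statement of vas_paste() now masks with the bare literal `0xE` while the shift still uses the named `CR0_SHIFT`, so the two halves of the expression are documented differently and `CR0_MASK` is left without this user. A named constant next to the existing ones, for example `#define CR0_MASK_NO_SO 0xE /* CR0 without the SO bit */` (name is a suggestion), would carry the intent and let the comment go. vas_paste() starts outside the hunk.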
@@ -0,0 +1,48 @@ +From ac9816dcbab53c57bcf1d7b15370b08f1e284318 Mon Sep 17 00:00:00 2001 +From: Akshay Adiga +Date: Wed, 16 May 2018 17:32:14 +0530 +Subject: powerpc/powernv/cpuidle: Init all present cpus for deep states + +From: Akshay Adiga + +commit ac9816dcbab53c57bcf1d7b15370b08f1e284318 upstream. + +Init all present cpus for deep states instead of "all possible" cpus. +Init fails if a possible cpu is guarded. Resulting in making only +non-deep states available for cpuidle/hotplug. + +Stewart says, this means that for single threaded workloads, if you +guard out a CPU core you'll not get WoF (Workload Optimised +Frequency), which means that performance goes down when you wouldn't +expect it to. + +Fixes: 77b54e9f213f ("powernv/powerpc: Add winkle support for offline cpus") +Cc: stable@vger.kernel.org # v3.19+ +Signed-off-by: Akshay Adiga +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/idle.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/powernv/idle.c ++++ b/arch/powerpc/platforms/powernv/idle.c +@@ -78,7 +78,7 @@ static int pnv_save_sprs_for_deep_states + uint64_t msr_val = MSR_IDLE; + uint64_t psscr_val = pnv_deepest_stop_psscr_val; + +- for_each_possible_cpu(cpu) { ++ for_each_present_cpu(cpu) { + uint64_t pir = get_hard_smp_processor_id(cpu); + uint64_t hsprg0_val = (uint64_t)&paca[cpu]; + +@@ -741,7 +741,7 @@ static int __init pnv_init_idle_states(v + int cpu; + + pr_info("powernv: idle: Saving PACA pointers of all CPUs in their thread sibling PACA\n"); +- for_each_possible_cpu(cpu) { ++ for_each_present_cpu(cpu) { + int base_cpu = cpu_first_thread_sibling(cpu); + int idx = cpu_thread_in_core(cpu); + int i; diff --git a/queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch b/queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch new file mode 100644 index 00000000000..e3e8469a738 --- /dev/null 
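Review bot: Switching both loops from `for_each_possible_cpu` to `for_each_present_cpu` means a CPU that is possible but not present when pnv_init_idle_states() runs never gets its thread-sibling PACA pointers or saved SPRs set up here. If such a CPU can become present later on this platform, it would enter a deep state with uninitialised data; the hunks do not show a hotplug path that repeats the setup, so this is worth confirming. A comment at each loop stating the assumption, e.g. `/* guarded CPUs are possible but never present; only present CPUs can enter deep states */`, would record why the narrower mask is correct. Both functions continue outside their hunks.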
+++ b/queue-4.14/powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch @@ -0,0 +1,45 @@ +From 98fd72fe82527fd26618062b60cfd329451f2329 Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 30 May 2018 19:22:50 +1000 +Subject: powerpc/powernv/ioda2: Remove redundant free of TCE pages + +From: Alexey Kardashevskiy + +commit 98fd72fe82527fd26618062b60cfd329451f2329 upstream. + +When IODA2 creates a PE, it creates an IOMMU table with it_ops::free +set to pnv_ioda2_table_free() which calls pnv_pci_ioda2_table_free_pages(). + +Since iommu_tce_table_put() calls it_ops::free when the last reference +to the table is released, explicit call to pnv_pci_ioda2_table_free_pages() +is not needed so let's remove it. + +This should fix double free in the case of PCI hotuplug as +pnv_pci_ioda2_table_free_pages() does not reset neither +iommu_table::it_base nor ::it_size. + +This was not exposed by SRIOV as it uses different code path via +pnv_pcibios_sriov_disable(). + +IODA1 does not inialize it_ops::free so it does not have this issue. + +Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") +Cc: stable@vger.kernel.org # v4.8+ +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3591,7 +3591,6 @@ static void pnv_pci_ioda2_release_pe_dma + WARN_ON(pe->table_group.group); + } + +- pnv_pci_ioda2_table_free_pages(tbl); + iommu_tce_table_put(tbl); + } + diff --git a/queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch b/queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch new file mode 100644 index 00000000000..e46d3b0b0a0 --- /dev/null +++ b/queue-4.14/powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch 
@@ -0,0 +1,41 @@ +From cd6ef7eebf171bfcba7dc2df719c2a4958775040 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Thu, 17 May 2018 15:37:14 +1000 +Subject: powerpc/ptrace: Fix enforcement of DAWR constraints + +From: Michael Neuling + +commit cd6ef7eebf171bfcba7dc2df719c2a4958775040 upstream. + +Back when we first introduced the DAWR, in commit 4ae7ebe9522a +("powerpc: Change hardware breakpoint to allow longer ranges"), we +screwed up the constraint making it a 1024 byte boundary rather than a +512. This makes the check overly permissive. Fortunately GDB is the +only real user and it always did they right thing, so we never +noticed. + +This fixes the constraint to 512 bytes. + +Fixes: 4ae7ebe9522a ("powerpc: Change hardware breakpoint to allow longer ranges") +Cc: stable@vger.kernel.org # v3.9+ +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/hw_breakpoint.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/hw_breakpoint.c ++++ b/arch/powerpc/kernel/hw_breakpoint.c +@@ -175,8 +175,8 @@ int arch_validate_hwbkpt_settings(struct + if (cpu_has_feature(CPU_FTR_DAWR)) { + length_max = 512 ; /* 64 doublewords */ + /* DAWR region can't cross 512 boundary */ +- if ((bp->attr.bp_addr >> 10) != +- ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 10)) ++ if ((bp->attr.bp_addr >> 9) != ++ ((bp->attr.bp_addr + bp->attr.bp_len - 1) >> 9)) + return -EINVAL; + } + if (info->len > diff --git a/queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch b/queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch new file mode 100644 index 00000000000..e298f719be6 --- /dev/null +++ b/queue-4.14/powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch 
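Review bot: The boundary check in arch_validate_hwbkpt_settings() still encodes the DAWR limit twice, as `length_max = 512` and as the shift `>> 9`, which is the mismatch that produced the original 1024-byte bug. Deriving one from the other keeps them from drifting again, for instance `length_max = 1 << 9;` next to a named shift, or comparing `bp_addr / length_max` on both sides. This check validates a user-supplied breakpoint range, so a single source of truth for the limit is worth the extra line. The function starts and ends outside the hunk.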
@@ -0,0 +1,42 @@ +From 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Thu, 17 May 2018 15:37:15 +1000 +Subject: powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG + +From: Michael Neuling + +commit 4f7c06e26ec9cf7fe9f0c54dc90079b6a4f4b2c3 upstream. + +In commit e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when +validating DAWR region end") we fixed setting the DAWR end point to +its max value via PPC_PTRACE_SETHWDEBUG. Unfortunately we broke +PTRACE_SET_DEBUGREG when setting a 512 byte aligned breakpoint. + +PTRACE_SET_DEBUGREG currently sets the length of the breakpoint to +zero (memset() in hw_breakpoint_init()). This worked with +arch_validate_hwbkpt_settings() before the above patch was applied but +is now broken if the breakpoint is 512byte aligned. + +This sets the length of the breakpoint to 8 bytes when using +PTRACE_SET_DEBUGREG. + +Fixes: e2a800beaca1 ("powerpc/hw_brk: Fix off by one error when validating DAWR region end") +Cc: stable@vger.kernel.org # v3.11+ +Signed-off-by: Michael Neuling +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/ptrace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -2362,6 +2362,7 @@ static int ptrace_set_debugreg(struct ta + /* Create a new breakpoint request if one doesn't exist already */ + hw_breakpoint_init(&attr); + attr.bp_addr = hw_brk.address; ++ attr.bp_len = 8; + arch_bp_generic_fields(hw_brk.type, + &attr.bp_type); + diff --git a/queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch b/queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch new file mode 100644 index 00000000000..c7420297f79 --- /dev/null +++ b/queue-4.14/printk-fix-possible-reuse-of-va_list-variable.patch 
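Review bot: `attr.bp_len = 8;` in ptrace_set_debugreg() is a bare literal with no hint of why eight bytes is the right length or that a zero length is rejected by the DAWR boundary check in arch_validate_hwbkpt_settings(). Using the existing constant and a short comment would document both: `attr.bp_len = HW_BREAKPOINT_LEN_8; /* zero length fails the DAWR range check */`. The function starts and ends outside the hunk.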
@@ -0,0 +1,52 @@ +From 988a35f8da1dec5a8cd2788054d1e717be61bf25 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 11 May 2018 19:54:19 +0900 +Subject: printk: fix possible reuse of va_list variable + +From: Tetsuo Handa + +commit 988a35f8da1dec5a8cd2788054d1e717be61bf25 upstream. + +I noticed that there is a possibility that printk_safe_log_store() causes +kernel oops because "args" parameter is passed to vsnprintf() again when +atomic_cmpxchg() detected that we raced. Fix this by using va_copy(). + +Link: http://lkml.kernel.org/r/201805112002.GIF21216.OFVHFOMLJtQFSO@I-love.SAKURA.ne.jp +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: dvyukov@google.com +Cc: syzkaller@googlegroups.com +Cc: fengguang.wu@intel.com +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Tetsuo Handa +Fixes: 42a0bb3f71383b45 ("printk/nmi: generic solution for safe printk in NMI") +Cc: 4.7+ # v4.7+ +Reviewed-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk/printk_safe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/printk/printk_safe.c ++++ b/kernel/printk/printk_safe.c +@@ -85,6 +85,7 @@ static __printf(2, 0) int printk_safe_lo + { + int add; + size_t len; ++ va_list ap; + + again: + len = atomic_read(&s->len); +@@ -103,7 +104,9 @@ again: + if (!len) + smp_rmb(); + +- add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, args); ++ va_copy(ap, args); ++ add = vscnprintf(s->buffer + len, sizeof(s->buffer) - len, fmt, ap); ++ va_end(ap); + if (!add) + return 0; + diff --git a/queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch b/queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch new file mode 100644 index 00000000000..4a2c83f0d64 --- /dev/null +++ b/queue-4.14/rdma-mlx4-discard-unknown-sqp-work-requests.patch 
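Review bot: The `va_copy()`/`va_end()` pair in printk_safe_log_store() has no comment, so the link to the `again:` retry is only in the commit message and the copy looks removable. I would add `/* args may be consumed by vscnprintf(); work on a copy because we can retry from "again" */` above `va_copy(ap, args);`. The retry itself (the cmpxchg and the jump back) lies outside the hunk.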
@@ -0,0 +1,32 @@ +From 6b1ca7ece15e94251d1d0d919f813943e4a58059 Mon Sep 17 00:00:00 2001 +From: Leon Romanovsky +Date: Tue, 29 May 2018 14:56:14 +0300 +Subject: RDMA/mlx4: Discard unknown SQP work requests + +From: Leon Romanovsky + +commit 6b1ca7ece15e94251d1d0d919f813943e4a58059 upstream. + +There is no need to crash the machine if unknown work request was +received in SQP MAD. + +Cc: # 3.6 +Fixes: 37bfc7c1e83f ("IB/mlx4: SR-IOV multiplex and demultiplex MADs") +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/mad.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -1934,7 +1934,6 @@ static void mlx4_ib_sqp_comp_worker(stru + "buf:%lld\n", wc.wr_id); + break; + default: +- BUG_ON(1); + break; + } + } else { diff --git a/queue-4.14/series b/queue-4.14/series index e7018641253..b55c65cb3f9 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -23,3 +23,60 @@ clk-renesas-cpg-mssr-stop-using-printk-format-pcr.patch
 lib-vsprintf-remove-atomic-unsafe-support-for-pcr.patch
 ftrace-selftest-have-the-reset_trigger-code-be-a-bit-more-careful.patch
 mips-ftrace-fix-static-function-graph-tracing.patch
+branch-check-fix-long-int-truncation-when-profiling-branches.patch
+ipmi-bt-set-the-timeout-before-doing-a-capabilities-check.patch
+bluetooth-hci_qca-avoid-missing-rampatch-failure-with-userspace-fw-loader.patch
+printk-fix-possible-reuse-of-va_list-variable.patch
+fuse-fix-congested-state-leak-on-aborted-connections.patch
+fuse-atomic_o_trunc-should-truncate-pagecache.patch
+fuse-don-t-keep-dead-fuse_conn-at-fuse_fill_super.patch
+fuse-fix-control-dir-setup-and-teardown.patch
+powerpc-mm-hash-add-missing-isync-prior-to-kernel-stack-slb-switch.patch
+powerpc-ptrace-fix-setting-512b-aligned-breakpoints-with-ptrace_set_debugreg.patch
+powerpc-perf-fix-memory-allocation-for-core-imc-based-on-num_possible_cpus.patch
+powerpc-ptrace-fix-enforcement-of-dawr-constraints.patch
+powerpc-powernv-ioda2-remove-redundant-free-of-tce-pages.patch
+powerpc-powernv-copy-paste-mask-so-bit-in-cr.patch
+powerpc-powernv-cpuidle-init-all-present-cpus-for-deep-states.patch
+cpuidle-powernv-fix-promotion-from-snooze-if-next-state-disabled.patch
+powerpc-fadump-unregister-fadump-on-kexec-down-path.patch
+soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch
+cxl-disable-prefault_mode-in-radix-mode.patch
+arm-8764-1-kgdb-fix-numregbytes-so-that-gdb_regs-is-the-correct-size.patch
+arm-dts-fix-spi-node-for-arria10.patch
+arm-dts-socfpga-fix-nand-controller-node-compatible.patch
+arm-dts-socfpga-fix-nand-controller-clock-supply.patch
+arm-dts-socfpga-fix-nand-controller-node-compatible-for-arria10.patch
+arm64-fix-syscall-restarting-around-signal-suppressed-by-tracer.patch
+arm64-kpti-use-early_param-for-kpti-command-line-option.patch
+arm64-mm-ensure-writes-to-swapper-are-ordered-wrt-subsequent-cache-maintenance.patch
+arm64-dts-meson-disable-sd-uhs-modes-on-the-libretech-cc.patch
+of-overlay-validate-offset-from-property-fixups.patch
+of-unittest-for-strings-account-for-trailing-0-in-property-length-field.patch
+of-platform-stop-accessing-invalid-dev-in-of_platform_device_destroy.patch
+tpm-fix-use-after-free-in-tpm2_load_context.patch
+tpm-fix-race-condition-in-tpm_common_write.patch
+ib-qib-fix-dma-api-warning-with-debug-kernel.patch
+ib-hfi1-qib-add-handling-of-kernel-restart.patch
+ib-mlx4-mark-user-mr-as-writable-if-actual-virtual-memory-is-writable.patch
+ib-core-make-testing-mr-flags-for-writability-a-static-inline-function.patch
+ib-mlx5-fetch-soft-wqe-s-on-fatal-error-state.patch
+ib-isert-fix-for-lib-dma_debug-check_sync-warning.patch
+ib-isert-fix-t10-pi-check-mask-setting.patch
+ib-hfi1-fix-fault-injection-init-exit-issues.patch
+ib-hfi1-reorder-incorrect-send-context-disable.patch
+ib-hfi1-optimize-kthread-pointer-locking-when-queuing-cq-entries.patch
+ib-hfi1-fix-user-context-tail-allocation-for-dma_rtail.patch
+rdma-mlx4-discard-unknown-sqp-work-requests.patch
+xprtrdma-return-enobufs-when-no-pages-are-available.patch
+mtd-cfi_cmdset_0002-change-write-buffer-to-check-correct-value.patch
+mtd-cfi_cmdset_0002-change-erase-functions-to-retry-for-error.patch
+mtd-cfi_cmdset_0002-use-right-chip-in-do_ppb_xxlock.patch
+mtd-cfi_cmdset_0002-fix-segv-unlocking-multiple-chips.patch
+mtd-cfi_cmdset_0002-fix-unlocking-requests-crossing-a-chip-boudary.patch
+mtd-cfi_cmdset_0002-avoid-walking-all-chips-when-unlocking.patch
+mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch
+pci-hv-make-sure-the-bus-domain-is-really-unique.patch
+pci-add-acs-quirk-for-intel-7th-8th-gen-mobile.patch
+pci-add-acs-quirk-for-intel-300-series.patch
+pci-pciehp-clear-presence-detect-and-data-link-layer-status-changed-on-resume.patch
diff --git a/queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch b/queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch new file mode 100644 index 00000000000..7a33ea807ff --- /dev/null +++ b/queue-4.14/soc-rockchip-power-domain-fix-wrong-value-when-power-up-pd-with-writemask.patch @@ -0,0 +1,37 @@ +From 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e Mon Sep 17 00:00:00 2001 +From: Finley Xiao +Date: Mon, 14 May 2018 11:29:38 +0800 +Subject: soc: rockchip: power-domain: Fix wrong value when power up pd with writemask + +From: Finley Xiao + +commit 9e59c5f66c624b43c766a9fe3b2430e0e976bf0e upstream. + +Solve the pd could only ever turn off but never turn them on again, +if the pd registers have the writemask bits. + +So far this affects the rk3328 only. + +Fixes: 79bb17ce8edb ("soc: rockchip: power-domain: Support domain control in hiword-registers") +Cc: stable@vger.kernel.org +Signed-off-by: Finley Xiao +Signed-off-by: Elaine Zhang +Reviewed-by: Ulf Hansson +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/rockchip/pm_domains.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/rockchip/pm_domains.c ++++ b/drivers/soc/rockchip/pm_domains.c +@@ -255,7 +255,7 @@ static void rockchip_do_pmu_set_power_do + return; + else if (pd->info->pwr_w_mask) + regmap_write(pmu->regmap, pmu->info->pwr_offset, +- on ? pd->info->pwr_mask : ++ on ? pd->info->pwr_w_mask : + (pd->info->pwr_mask | pd->info->pwr_w_mask)); + else + regmap_update_bits(pmu->regmap, pmu->info->pwr_offset, diff --git a/queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch b/queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch new file mode 100644 index 00000000000..a25574e6ca9 --- /dev/null +++ b/queue-4.14/tpm-fix-race-condition-in-tpm_common_write.patch 
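Review bot: The corrected ternary in the `pwr_w_mask` branch is still uncommented, and its two arms are easy to misread, which is presumably how the original `pwr_mask` slipped in. Reading the expression together with the "hiword-registers" wording in the Fixes line, the write-mask bits appear to enable the write and the `pwr_mask` bit requests power-down; that should be confirmed against the register description. A comment such as `/* on: write-enable only, clearing the power-down bit; off: write-enable plus the power-down bit */` would make the intent checkable. The function starts and ends outside the hunk.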
@@ -0,0 +1,139 @@ +From 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df Mon Sep 17 00:00:00 2001 +From: Tadeusz Struk +Date: Tue, 22 May 2018 14:37:18 -0700 +Subject: tpm: fix race condition in tpm_common_write() + +From: Tadeusz Struk + +commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream. + +There is a race condition in tpm_common_write function allowing +two threads on the same /dev/tpm, or two different applications +on the same /dev/tpmrm to overwrite each other commands/responses. +Fixed this by taking the priv->buffer_mutex early in the function. + +Also converted the priv->data_pending from atomic to a regular size_t +type. There is no need for it to be atomic since it is only touched +under the protection of the priv->buffer_mutex. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@vger.kernel.org +Signed-off-by: Tadeusz Struk +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tpm/tpm-dev-common.c | 40 +++++++++++++++++--------------------- + drivers/char/tpm/tpm-dev.h | 2 - + 2 files changed, 19 insertions(+), 23 deletions(-) + +--- a/drivers/char/tpm/tpm-dev-common.c ++++ b/drivers/char/tpm/tpm-dev-common.c +@@ -37,7 +37,7 @@ static void timeout_work(struct work_str + struct file_priv *priv = container_of(work, struct file_priv, work); + + mutex_lock(&priv->buffer_mutex); +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + memset(priv->data_buffer, 0, sizeof(priv->data_buffer)); + mutex_unlock(&priv->buffer_mutex); + } +@@ -46,7 +46,6 @@ void tpm_common_open(struct file *file, + struct file_priv *priv) + { + priv->chip = chip; +- atomic_set(&priv->data_pending, 0); + mutex_init(&priv->buffer_mutex); + setup_timer(&priv->user_read_timer, user_reader_timeout, + (unsigned long)priv); +@@ -59,29 +58,24 @@ ssize_t tpm_common_read(struct file *fil + size_t size, loff_t *off) + { + struct file_priv *priv = file->private_data; +- ssize_t ret_size; +- ssize_t orig_ret_size; ++ 
ssize_t ret_size = 0; + int rc; + + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); +- ret_size = atomic_read(&priv->data_pending); +- if (ret_size > 0) { /* relay data */ +- orig_ret_size = ret_size; +- if (size < ret_size) +- ret_size = size; ++ mutex_lock(&priv->buffer_mutex); + +- mutex_lock(&priv->buffer_mutex); ++ if (priv->data_pending) { ++ ret_size = min_t(ssize_t, size, priv->data_pending); + rc = copy_to_user(buf, priv->data_buffer, ret_size); +- memset(priv->data_buffer, 0, orig_ret_size); ++ memset(priv->data_buffer, 0, priv->data_pending); + if (rc) + ret_size = -EFAULT; + +- mutex_unlock(&priv->buffer_mutex); ++ priv->data_pending = 0; + } + +- atomic_set(&priv->data_pending, 0); +- ++ mutex_unlock(&priv->buffer_mutex); + return ret_size; + } + +@@ -92,17 +86,19 @@ ssize_t tpm_common_write(struct file *fi + size_t in_size = size; + ssize_t out_size; + ++ if (in_size > TPM_BUFSIZE) ++ return -E2BIG; ++ ++ mutex_lock(&priv->buffer_mutex); ++ + /* Cannot perform a write until the read has cleared either via + * tpm_read or a user_read_timer timeout. This also prevents split + * buffered writes from blocking here. 
+ */ +- if (atomic_read(&priv->data_pending) != 0) ++ if (priv->data_pending != 0) { ++ mutex_unlock(&priv->buffer_mutex); + return -EBUSY; +- +- if (in_size > TPM_BUFSIZE) +- return -E2BIG; +- +- mutex_lock(&priv->buffer_mutex); ++ } + + if (copy_from_user + (priv->data_buffer, (void __user *) buf, in_size)) { +@@ -133,7 +129,7 @@ ssize_t tpm_common_write(struct file *fi + return out_size; + } + +- atomic_set(&priv->data_pending, out_size); ++ priv->data_pending = out_size; + mutex_unlock(&priv->buffer_mutex); + + /* Set a timeout by which the reader must come claim the result */ +@@ -150,5 +146,5 @@ void tpm_common_release(struct file *fil + del_singleshot_timer_sync(&priv->user_read_timer); + flush_work(&priv->work); + file->private_data = NULL; +- atomic_set(&priv->data_pending, 0); ++ priv->data_pending = 0; + } +--- a/drivers/char/tpm/tpm-dev.h ++++ b/drivers/char/tpm/tpm-dev.h +@@ -8,7 +8,7 @@ struct file_priv { + struct tpm_chip *chip; + + /* Data passed to and from the tpm via the read/write calls */ +- atomic_t data_pending; ++ size_t data_pending; + struct mutex buffer_mutex; + + struct timer_list user_read_timer; /* user needs to claim result */ diff --git a/queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch b/queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch new file mode 100644 index 00000000000..eca2541a51f --- /dev/null +++ b/queue-4.14/tpm-fix-use-after-free-in-tpm2_load_context.patch 
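Review bot: In tpm_common_open() the `atomic_set(&priv->data_pending, 0);` line is removed with no plain assignment in its place, so the starting value of `data_pending` now depends on the caller having zeroed `struct file_priv`; that allocation is outside this patch and should be confirmed. tpm_common_read() uses the field as the length for `copy_to_user()` and `memset()`, so a non-zero initial value would hand back or clear buffer bytes that no command produced. Keeping `priv->data_pending = 0;` in tpm_common_open() makes the invariant local. Separately, tpm_common_release() assigns `priv->data_pending = 0;` without taking `buffer_mutex`, which the commit text's statement that the field is only touched under the mutex does not cover; a one-line comment saying why that is safe after `flush_work()` would close the gap.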
@@ -0,0 +1,36 @@
+From 8c81c24758ffbf17cf06c6835d361ffa57be2f0e Mon Sep 17 00:00:00 2001
+From: Tadeusz Struk
+Date: Wed, 9 May 2018 11:55:35 -0700
+Subject: tpm: fix use after free in tpm2_load_context()
+
+From: Tadeusz Struk
+
+commit 8c81c24758ffbf17cf06c6835d361ffa57be2f0e upstream.
+
+If load context command returns with TPM2_RC_HANDLE or TPM2_RC_REFERENCE_H0
+then we have use after free in line 114 and double free in 117.
+
+Fixes: 4d57856a21ed2 ("tpm2: add session handle context saving and restoring to the space code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Tadeusz Struk
+Reviewed-by: Jarkko Sakkinen
+Signed-off--by: Jarkko Sakkinen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tpm/tpm2-space.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm2-space.c
++++ b/drivers/char/tpm/tpm2-space.c
+@@ -102,8 +102,9 @@ static int tpm2_load_context(struct tpm_
+ * TPM_RC_REFERENCE_H0 means the session has been
+ * flushed outside the space
+ */
+- rc = -ENOENT;
++ *handle = 0;
+ tpm_buf_destroy(&tbuf);
++ return -ENOENT;
+ } else if (rc > 0) {
+ dev_warn(&chip->dev, "%s: failed with a TPM error 0x%04X\n",
+ __func__, rc);
diff --git a/queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch b/queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch
new file mode 100644
index 00000000000..531085cb291
--- /dev/null
+++ b/queue-4.14/xprtrdma-return-enobufs-when-no-pages-are-available.patch
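Review bot: In tpm2_load_context() (drivers/char/tpm/tpm2-space.c), the new `*handle = 0;` and early `return -ENOENT;` carry no comment explaining why this branch must not fall through. The existing block comment only describes the two TPM return codes. The commit message attributes a use-after-free and a double free to continuing past `tpm_buf_destroy(&tbuf)`, so I would add `/* tbuf is destroyed: return now, do not fall through to the common tail */` above the return. A short remark that the out-parameter is cleared so the caller never sees a stale handle would also help. The function starts and ends outside the hunk, so the tail that touched tbuf and the caller's handling of -ENOENT are not visible here.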
@@ -0,0 +1,35 @@
+From a8f688ec437dc2045cc8f0c89fe877d5803850da Mon Sep 17 00:00:00 2001
+From: Chuck Lever
+Date: Fri, 4 May 2018 15:35:46 -0400
+Subject: xprtrdma: Return -ENOBUFS when no pages are available
+
+From: Chuck Lever
+
+commit a8f688ec437dc2045cc8f0c89fe877d5803850da upstream.
+
+The use of -EAGAIN in rpcrdma_convert_iovs() is a latent bug: the
+transport never calls xprt_write_space() when more pages become
+available. -ENOBUFS will trigger the correct "delay briefly and call
+again" logic.
+
+Fixes: 7a89f9c626e3 ("xprtrdma: Honor ->send_request API contract")
+Signed-off-by: Chuck Lever
+Cc: stable@vger.kernel.org # 4.8+
+Signed-off-by: Anna Schumaker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtrdma/rpc_rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/xprtrdma/rpc_rdma.c
++++ b/net/sunrpc/xprtrdma/rpc_rdma.c
+@@ -229,7 +229,7 @@ rpcrdma_convert_iovs(struct rpcrdma_xprt
+ */
+ *ppages = alloc_page(GFP_ATOMIC);
+ if (!*ppages)
+- return -EAGAIN;
++ return -ENOBUFS;
+ }
+ seg->mr_page = *ppages;
+ seg->mr_offset = (char *)page_base;
-- 2.47.3