From def19323c16f11949df6f7392e5b5e6cac30f220 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 27 May 2018 17:13:58 +0200 Subject: [PATCH] 4.14-stable patches added patches: acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch acpica-fix-memory-leak-on-unusual-memory-leak.patch alsa-vmaster-propagate-slave-error.patch arc-fix-malformed-arc_emul_unaligned-default.patch arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch arm-dts-bcm283x-fix-unit-address-of-local_intc.patch arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch arm-dts-ls1021a-specify-tbipa-register-address.patch arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch arm-dts-porter-fix-hdmi-output-routing.patch arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch arm-dts-rockchip-fix-dwmmc-clocks.patch arm-dts-socfpga-fix-gic-ppi-warning.patch arm-omap-fix-dmtimer-init-for-omap1.patch arm-omap1-clock-fix-debugfs_create_-usage.patch arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch arm-omap3-fix-prm-wake-interrupt-for-resume.patch arm-orion5x-revert-commit-4904dbda41c8.patch arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch arm64-dts-qcom-fix-spi5-config-on-msm8996.patch arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch arm64-dts-rockchip-fix-dwmmc-clocks.patch arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch arm64-perf-correct-pmuver-probing.patch arm64-relax-arm_smccc_arch_workaround_1-discovery.patch ath10k-advertize-beacon_int_min_gcd.patch ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch ath9k-fix-crash-in-spectral-scan.patch audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch batman-adv-fix-netlink-dumping-of-bla-backbones.patch batman-adv-fix-netlink-dumping-of-bla-claims.patch batman-adv-fix-packet-checksum-in-receive-path.patch batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch batman-adv-invalidate-checksum-on-fragment-reassembly.patch bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch block-display-the-correct-diskname-for-bio.patch block-null_blk-fix-invalid-parameters-when-loading-module.patch bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch brcmfmac-fix-check-for-iso3166-code.patch btrfs-bail-out-on-error-during-replay_dir_deletes.patch btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch btrfs-fix-copy_items-return-value-when-logging-an-inode.patch btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch btrfs-fix-null-pointer-dereference-in-log_dir_items.patch btrfs-fix-possible-softlock-on-single-core-machines.patch btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch bug.h-work-around-gcc-pr82365-in-bug.patch builddeb-fix-header-package-regarding-dtc-source-links.patch can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch ceph-fix-potential-memory-leak-in-init_caches.patch cfg80211-clear-wep-keys-after-disconnection.patch clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch coresight-use-px-to-print-pcsr-instead-of-p.patch cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch cpufreq-reorder-cpufreq_online-error-code-path.patch cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch cxgb4-fix-queue-free-path-of-uld-drivers.patch cxgb4-setup-fw-queues-before-registering-netdev.patch cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch dpaa_eth-fix-pause-capability-advertisement-logic.patch dpaa_eth-fix-sg-mapping.patch drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch drm-amdkfd-add-missing-include-of-mm.h.patch drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch drm-ast-fixed-1280x800-display-issue.patch drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch drm-exynos-g2d-use-monotonic-timestamps.patch drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch drm-meson-fix-vsync-buffer-update.patch drm-nouveau-bl-fix-backlight-regression.patch drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch drm-sun4i-fix-dclk_set_phase.patch drm-tegra-shutdown-on-driver-unbind.patch drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch e1000e-fix-check_for_link-return-value-with-autoneg-off.patch efi-arm-only-register-page-tables-when-they-exist.patch enic-enable-rq-before-updating-rq-descriptors.patch ext4-don-t-complain-about-incorrect-features-when-probing.patch f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch f2fs-fix-to-clear-cp_trimmed_flag.patch f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch firmware-dmi_scan-fix-uuid-length-safety-check.patch force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch fs-dcache-use-read_once-when-accessing-i_dir_seq.patch fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch gfs2-fix-fallocate-chunk-size.patch gianfar-fix-rx-byte-accounting-for-ndev-stats.patch gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch gpu-ipu-v3-prg-avoid-possible-array-underflow.patch gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch hv_netvsc-enable-multicast-if-necessary.patch hv_netvsc-filter-multicast-broadcast.patch hv_netvsc-fix-filter-flags.patch hv_netvsc-fix-locking-during-vf-setup.patch hv_netvsc-fix-locking-for-rx_mode.patch hv_netvsc-propagate-rx-filters-to-vf.patch hv_netvsc-use-napi_schedule_irqoff.patch hwmon-nct6775-fix-writing-pwmx_mode.patch hwmon-pmbus-adm1275-accept-negative-page-register-values.patch hwmon-pmbus-max8688-accept-negative-page-register-values.patch hwrng-stm32-add-reset-during-probe.patch i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch ia64-err-inject-use-get_user_pages_fast.patch ib-core-fix-possible-crash-to-access-null-netdev.patch ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch ibmvnic-clean-rx-pool-buffers-during-device-close.patch ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch ieee802154-ca8210-fix-uninitialised-data-read.patch ima-fallback-to-the-builtin-hash-algorithm.patch ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch integrity-security-fix-digsig.c-build-error-with-header-file.patch intel_th-use-correct-method-of-finding-hub.patch iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch iommu-mediatek-fix-protect-memory-setting.patch ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch ip_gre-fix-ifla_mtu-ignored-on-newlink.patch ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch iwlwifi-mvm-correctly-set-igtk-for-ap.patch iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch iwlwifi-mvm-fix-array-out-of-bounds-reference.patch iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch iwlwifi-mvm-fix-failed-to-remove-key-message.patch iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch iwlwifi-mvm-fix-security-bug-in-pn-checking.patch iwlwifi-mvm-fix-tx-of-ccmp-256.patch iwlwifi-mvm-increase-session-protection-time-after-cs.patch iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch kdb-make-mdr-command-repeat.patch kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch lan78xx-connect-phy-early.patch lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch libata-fix-compile-warning-with-ata_debug-enabled.patch libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch llc-properly-handle-dev_queue_xmit-return-value.patch locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch mac80211-do-not-disconnect-on-invalid-operating-class.patch mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch mac80211-fix-a-possible-leak-of-station-stats.patch mac80211-fix-calling-sleeping-function-in-atomic-context.patch mac80211-fix-sending-addba-response-for-an-ongoing-session.patch mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch macsec-missing-dev_put-on-error-in-macsec_newlink.patch macvlan-fix-use-after-free-in-macvlan_common_newlink.patch max17042-propagate-of_node-to-power-supply-device.patch md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch md-fix-md_write_start-deadlock-w-o-metadata-devices.patch md-free-bioset-when-md_run-fails.patch md-raid1-fix-null-pointer-dereference.patch md-raid10-fix-null-deference-in-handle_write_completed.patch md-raid5-avoid-string-overflow-warning.patch microblaze-switch-to-no_bootmem.patch mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch mips-generic-fix-machine-compatible-matching.patch mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch mm-ksm-fix-interaction-with-thp.patch mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch mm-slab-memcg_link-the-slab-s-kmem_cache.patch mm-thp-do-not-cause-memcg-oom-for-thp.patch mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch mm-vmstat.c-fix-vmstat_update-preemption-bug.patch nbd-fix-return-value-in-error-handling-path.patch net-bgmac-correctly-annotate-register-space.patch net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch net-fix-untag-for-vlan-packets-without-ethernet-header.patch net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch net-mlx5-protect-from-command-bit-overflow.patch net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch net-mvneta-fix-enable-of-all-initialized-rxqs.patch net-qcom-emac-use-proper-free-methods-during-tx.patch net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch net-smc-pay-attention-to-max_order-for-cq-entries.patch net-smc-use-link_id-of-server-in-confirm-link-reply.patch net-smsc911x-fix-unload-crash-when-link-is-up.patch net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch net-tcp-illinois-replace-broken-algorithm-reference-link.patch netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch netfilter-ebtables-convert-bug_ons-to-warn_ons.patch netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch nfc-llcp-limit-size-of-sdp-uri.patch nfs-system-crashes-after-nfs4err_moved-recovery.patch nvme-don-t-send-keep-alives-to-the-discovery-controller.patch nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch nvme-pci-fix-eeh-failure-on-ppc.patch nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch nvmet-fix-psdt-field-check-in-command-format.patch ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch perf-cgroup-fix-child-event-counting-bug.patch perf-clang-add-support-for-recent-clang-versions.patch perf-core-fix-installing-cgroup-events-on-cpu.patch perf-core-fix-perf_output_read_group.patch perf-record-fix-crash-in-pipe-mode.patch perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch perf-report-fix-wrong-jump-arrow.patch perf-stat-fix-core-dump-when-flag-t-is-used.patch perf-test-fix-test-case-inet_pton-to-accept-inlines.patch perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch perf-tools-fix-perf-builds-with-clang-support.patch perf-top-fix-top.call-graph-config-option-reading.patch perf-x86-intel-fix-event-update-for-auto-reload.patch perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch phy-qcom-qmp-fix-phy-pipe-clock-gating.patch phy-rockchip-emmc-retry-calpad-busy-trimming.patch pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch pinctrl-msm-use-dynamic-gpio-numbering.patch pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch pkcs-7-fix-direct-verification-of-signerinfo-signature.patch power-supply-ltc2941-battery-gauge-fix-temperature-units.patch powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch powerpc-add-missing-prototype-for-arch_irq_work_raise.patch powerpc-boot-fix-random-libfdt-related-build-errors.patch powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch ptr_ring-prevent-integer-overflow-when-calculating-size.patch qed-free-roce-ilt-memory-on-rmmod-qedr.patch qede-do-not-drop-rx-checksum-invalidated-packets.patch qede-fix-barrier-usage-after-tx-doorbell-write.patch qrtr-add-module_alias-macro-to-smd.patch r8152-fix-tx-packets-accounting.patch rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch rdma-bnxt_re-fix-system-crash-during-load-unload.patch rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch rdma-qedr-fix-qp-s-ack-timeout-configuration.patch rdma-qedr-fix-qp-state-initialization-race.patch rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch rdma-ucma-correct-option-size-check-using-optlen.patch rds-incorrect-reference-counting-in-tcp-socket-creation.patch regmap-correct-comparison-in-regmap_cached.patch regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch regulatory-add-nul-to-request-alpha2.patch remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch rsi-fix-kernel-panic-observed-on-64bit-machine.patch rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch rxrpc-work-around-usercopy-check.patch s390-cio-clear-timer-when-terminating-driver-i-o.patch s390-cio-fix-ccw_device_start_timeout-api.patch s390-cio-fix-return-code-after-missing-interrupt.patch s390-dasd-fix-handling-of-internal-requests.patch sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch seccomp-add-a-selftest-for-get_metadata.patch selftest-vdso-fix-o.patch selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch selftests-ftrace-add-a-testcase-for-probepoint.patch selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch selftests-ftrace-add-probe-event-argument-syntax-testcase.patch selftests-futex-fix-line-continuation-in-makefile.patch selftests-memfd-add-config-fragment-for-fuse.patch selftests-memfd-add-run_fuse_test.sh-to-test_files.patch selftests-net-fixes-psock_fanout-ebpf-test-case.patch selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch selftests-print-the-test-we-re-running-to-dev-kmsg.patch selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch selftests-sync-missing-cflags-while-compiling.patch selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch sit-fix-ifla_mtu-ignored-on-newlink.patch smsc75xx-fix-smsc75xx_set_features.patch soc-imx-gpc-de-register-power-domains-only-if-initialized.patch soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch spectrum-reference-count-vlan-entries.patch spi-bcm-qspi-fix-some-error-handling-paths.patch sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch sunvnet-does-not-support-gso-for-sctp.patch swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch tls-retrun-the-correct-iv-in-getsockopt.patch tools-hv-fix-compiler-warnings-about-major-target_fname.patch tools-thermal-tmon-fix-for-segfault.patch udf-provide-saner-default-for-invalid-uid-gid.patch vfio-ccw-fence-off-transport-mode.patch virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch virtio_net-fix-xdp-code-path-in-receive_small.patch vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch vti4-don-t-count-header-length-twice-on-tunnel-setup.patch vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch vti6-fix-dev-max_mtu-setting.patch watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch watchdog-aspeed-allow-configuring-for-alternate-boot.patch watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch watchdog-dw-rmw-the-control-register.patch watchdog-f71808e_wdt-fix-magic-close-handling.patch watchdog-sbsa-use-32-bit-read-for-wcv.patch workqueue-use-put_device-instead-of-kfree.patch x86-alternatives-fixup-alternative_call_2.patch x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch x86-devicetree-fix-device-irq-settings-in-dt.patch x86-devicetree-initialize-device-tree-before-using-it.patch x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch xen-acpi-off-by-one-in-read_acpi_id.patch xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch xen-pirq-fix-error-path-cleanup-when-binding-msis.patch xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch xen-xenbus-use-put_device-instead-of-kfree.patch xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch xfrm-fix-transport-mode-skb-control-buffer-usage.patch xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch z3fold-fix-memory-leak.patch zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch --- ...-memory-leak-in-power-saving-threads.patch | 41 ++ ...-acpi-operand-cache-leak-in-nseval.c.patch | 91 ++++ ...n-failure-from-acpi_hw_register_read.patch | 45 ++ ...x-memory-leak-on-unusual-memory-leak.patch | 34 ++ .../alsa-vmaster-propagate-slave-error.patch | 42 ++ ...malformed-arc_emul_unaligned-default.patch | 38 ++ ...alt-gfrc-counter-when-arc-cores-halt.patch | 122 +++++ ...ug-mask-when-the-new-cpu-came-online.patch | 97 ++++ ...ording-to-possible-cpus-dts-property.patch | 108 +++++ ...-define-vdso_start-vdso_end-as-array.patch | 89 ++++ ...ix-the-gpio-lookup-for-omapl138-hawk.patch | 38 ++ ...he-correct-compatible-for-the-eeprom.patch | 33 ++ ...cm283x-fix-pin-function-of-jtag-pins.patch | 34 ++ ...s-bcm283x-fix-probing-of-bcm2835-i2s.patch | 38 ++ ...m283x-fix-unit-address-of-local_intc.patch | 44 ++ ...correct-evm_sd-regulator-max-voltage.patch | 40 ++ ...r-engicam-i.corem6-duallite-solo-rqs.patch | 38 ++ ...s-imx7d-cl-som-imx7-fix-pinctrl_enet.patch | 87 ++++ ...1021a-specify-tbipa-register-address.patch | 37 ++ ...nsp-fix-amount-of-ram-on-bcm958625hr.patch | 38 ++ ...m-dts-porter-fix-hdmi-output-routing.patch | 32 ++ ...dd-missing-sound-dai-cells-on-rk3288.patch | 43 ++ .../arm-dts-rockchip-fix-dwmmc-clocks.patch | 79 ++++ .../arm-dts-socfpga-fix-gic-ppi-warning.patch | 31 ++ .../arm-omap-fix-dmtimer-init-for-omap1.patch | 45 ++ ...map1-clock-fix-debugfs_create_-usage.patch | 52 +++ ...ar_base-inititalization-for-hs-omaps.patch | 51 ++ ...kmemleak-caused-in-omap_get_timer_dt.patch | 69 +++ ...p3-fix-prm-wake-interrupt-for-resume.patch | 64 +++ ...m-orion5x-revert-commit-4904dbda41c8.patch | 201 ++++++++ ...-dts-cavium-fix-pci-bus-dtc-warnings.patch | 42 ++ ...-dts-qcom-fix-spi5-config-on-msm8996.patch | 34 ++ ...correct-ep-gpios-for-rk3399-sapphire.patch | 31 ++ .../arm64-dts-rockchip-fix-dwmmc-clocks.patch | 69 +++ ...3399-gru-s2r-pinctrl-hogs-wifi-reset.patch | 112 +++++ ...-fix-rock64-gmac2io-stability-issues.patch | 44 ++ ...ed-out-fn-for-function-graph-tracing.patch | 125 +++++ .../arm64-perf-correct-pmuver-probing.patch | 44 ++ ...rm_smccc_arch_workaround_1-discovery.patch | 46 ++ .../ath10k-advertize-beacon_int_min_gcd.patch | 46 ++ ...using-worker-ath10k_sta_rc_update_wk.patch | 104 +++++ .../ath9k-fix-crash-in-spectral-scan.patch | 147 ++++++ ...or-to-avoid-null-pointer-dereference.patch | 37 ++ ...-header-size-check-in-batadv_dbg_arp.patch | 34 ++ ...s-with-a-single-want_all_ipv4-6-flag.patch | 42 ++ ...icast-transmission-with-ap-isolation.patch | 46 ++ ...fix-netlink-dumping-of-bla-backbones.patch | 65 +++ ...dv-fix-netlink-dumping-of-bla-claims.patch | 65 +++ ...-fix-packet-checksum-in-receive-path.patch | 48 ++ ...broadcasted-dhcp-packets-to-a-server.patch | 86 ++++ ...v-fix-skbuff-rcsum-on-packet-reroute.patch | 90 ++++ ...lid-batadv_iv_gw-during-netlink-send.patch | 36 ++ ...alid-batadv_v_gw-during-netlink-send.patch | 36 ++ ...date-checksum-on-fragment-reassembly.patch | 44 ++ ...rashes-with-fio-in-raid5-backend-dev.patch | 99 ++++ ...ead-when-bcache_dev_detaching-is-set.patch | 132 ++++++ ...display-the-correct-diskname-for-bio.patch | 60 +++ ...valid-parameters-when-loading-module.patch | 167 +++++++ ...id-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch | 34 ++ ...-for-dev-hwaddr-sync-in-bond_enslave.patch | 46 ++ .../brcmfmac-fix-check-for-iso3166-code.patch | 35 ++ ...t-on-error-during-replay_dir_deletes.patch | 37 ++ ...during-umount-after-trans-is-aborted.patch | 47 ++ ...s-return-value-when-logging-an-inode.patch | 42 ++ ...lat-in-btrfs_alloc_subvolume_writers.patch | 436 +++++++++++++++++ ...after-linking-special-file-and-fsync.patch | 79 ++++ ...s-past-i_size-after-fsync-log-replay.patch | 147 ++++++ ...pointer-dereference-in-log_dir_items.patch | 39 ++ ...ble-softlock-on-single-core-machines.patch | 38 ++ ...shots-are-created-with-quota-enabled.patch | 59 +++ ...when-processing-hole-in-no-data-mode.patch | 67 +++ ...-qgroup-fix-wrong-tree-backref-level.patch | 52 +++ ...e-kvzalloc-to-allocate-btrfs_fs_info.patch | 52 +++ ...bug.h-work-around-gcc-pr82365-in-bug.patch | 259 ++++++++++ ...r-package-regarding-dtc-source-links.patch | 33 ++ ...to-bitshift-when-dealing-with-a-mask.patch | 32 ++ ...tate-in-each-suspend-resume-function.patch | 48 ++ ...-check_disk_change-inside-cdrom_open.patch | 155 ++++++ ...ry-leak-when-failing-to-init-debugfs.patch | 68 +++ ...potential-memory-leak-in-init_caches.patch | 44 ++ ...1-clear-wep-keys-after-disconnection.patch | 35 ++ ..._ftm_timer-fix-error-return-checking.patch | 42 ++ ...-correct-shift-count-to-extract-data.patch | 40 ++ ...ht-use-px-to-print-pcsr-instead-of-p.patch | 37 ++ ...ize-shared-perf-capabilities-of-cpus.patch | 53 +++ ...q-fix-cppc_cpufreq_init-failure-path.patch | 57 +++ ...order-cpufreq_online-error-code-path.patch | 49 ++ ...set-needs_free_netdev-for-mgmt-dev-s.patch | 30 ++ ...4-fix-queue-free-path-of-uld-drivers.patch | 36 ++ ...-fw-queues-before-registering-netdev.patch | 67 +++ ...available-before-issue-flush-request.patch | 127 +++++ ...-resource-by-adding-a-register-clock.patch | 93 ++++ ...e-condition-in-case-of-threaded-irqs.patch | 162 +++++++ ...get-num-channels-and-num-ees-from-dt.patch | 79 ++++ ...-lists-in-rcar_dmac_chan_get_residue.patch | 54 +++ ...ac-fix-max_chunk_size-for-r-car-gen3.patch | 34 ++ ...-access-to-phy-registers-after-reset.patch | 56 +++ ...pause-capability-advertisement-logic.patch | 33 ++ queue-4.14/dpaa_eth-fix-sg-mapping.patch | 73 +++ ...-rack-meter-really-fix-bogus-memsets.patch | 40 ++ ...orrect-vram-width-for-apus-with-gmc9.patch | 35 ++ ...-adjust-timeout-for-ib_ring_tests-v2.patch | 85 ++++ ...-ring-and-disable-pq-wptr-in-hw_fini.patch | 44 ++ ...m-amdkfd-add-missing-include-of-mm.h.patch | 28 ++ ...-fix-scratch-memory-with-hws-enabled.patch | 33 ++ ...drm-ast-fixed-1280x800-display-issue.patch | 40 ++ ...902x-retry-status-read-after-ddi-i2c.patch | 95 ++++ ...to-bitshift-when-dealing-with-a-mask.patch | 31 ++ ...d-memory-allocation-in-two-functions.patch | 44 ++ ...-exynos-g2d-use-monotonic-timestamps.patch | 69 +++ ...-of-the-vblank-event-to-atomic_flush.patch | 48 ++ ...-error-path-in-meson_drv_bind_master.patch | 36 ++ ...dling-paths-in-meson_drv_bind_master.patch | 77 +++ .../drm-meson-fix-vsync-buffer-update.patch | 82 ++++ ...-nouveau-bl-fix-backlight-regression.patch | 67 +++ ...on-code-from-component-bind-to-probe.patch | 311 ++++++++++++ ...x-the-bus-format-for-the-ontat-panel.patch | 36 ++ ...-lvds-fix-lvds-startup-on-r-car-gen2.patch | 54 +++ ...-lvds-fix-lvds-startup-on-r-car-gen3.patch | 57 +++ ...ect-page-offset-for-prime-mmap-calls.patch | 56 +++ queue-4.14/drm-sun4i-fix-dclk_set_phase.patch | 39 ++ .../drm-tegra-shutdown-on-driver-unbind.patch | 35 ++ ...n-object-backup-buffer-when-not-used.patch | 91 ++++ ...ee-binding-for-allwinner-h6-main-ccu.patch | 42 ++ ...descriptors-with-dma_zalloc_coherent.patch | 85 ++++ ...r_link-return-value-with-autoneg-off.patch | 48 ++ ...register-page-tables-when-they-exist.patch | 99 ++++ ...le-rq-before-updating-rq-descriptors.patch | 54 +++ ...bout-incorrect-features-when-probing.patch | 59 +++ ...xtent-cache-in-f2fs_drop_extent_tree.patch | 48 ++ .../f2fs-fix-to-clear-cp_trimmed_flag.patch | 33 ++ ...set-keep_size-bit-in-f2fs_zero_range.patch | 55 +++ ...getcmap_sparc-in-sbusfb_ioctl_helper.patch | 63 +++ ...mi_scan-fix-uuid-length-safety-check.patch | 37 ++ ...fore-reading-the-agf-during-a-fstrim.patch | 69 +++ ...between-d_alloc_parallel-and-__d_add.patch | 83 ++++ ...e-read_once-when-accessing-i_dir_seq.patch | 33 ++ ...ult-while-unregistering-sysctl-table.patch | 44 ++ ...-wait-on-page-discarded-by-writeback.patch | 71 +++ ...omic-context-while-adding-an-address.patch | 63 +++ .../gfs2-fix-fallocate-chunk-size.patch | 63 +++ ...ix-rx-byte-accounting-for-ndev-stats.patch | 56 +++ ...de-leak-in-ipu_pre_lookup_by_phandle.patch | 38 ++ ...3-prg-avoid-possible-array-underflow.patch | 62 +++ ...de-leak-in-ipu_prg_lookup_by_phandle.patch | 38 ++ ...netvsc-enable-multicast-if-necessary.patch | 34 ++ ...hv_netvsc-filter-multicast-broadcast.patch | 50 ++ queue-4.14/hv_netvsc-fix-filter-flags.patch | 35 ++ ...v_netvsc-fix-locking-during-vf-setup.patch | 36 ++ .../hv_netvsc-fix-locking-for-rx_mode.patch | 48 ++ ...hv_netvsc-propagate-rx-filters-to-vf.patch | 86 ++++ .../hv_netvsc-use-napi_schedule_irqoff.patch | 31 ++ .../hwmon-nct6775-fix-writing-pwmx_mode.patch | 63 +++ ...accept-negative-page-register-values.patch | 42 ++ ...accept-negative-page-register-values.patch | 32 ++ .../hwrng-stm32-add-reset-during-probe.patch | 52 +++ ...-alias-for-devices-registered-via-of.patch | 71 +++ ...y-errata-delay-only-in-standard-mode.patch | 46 ++ ...er-emp-reset-for-firmware-to-recover.patch | 43 ++ ...4-err-inject-use-get_user_pages_fast.patch | 33 ++ ...possible-crash-to-access-null-netdev.patch | 45 ++ ...hile-resolving-gid-for-ib-link-layer.patch | 61 +++ ...o-zero-in-ethernet-completion-struct.patch | 84 ++++ ...4-fix-corruption-of-rocev2-ipv4-gids.patch | 41 ++ ...leting-gids-from-hw-table-under-roce.patch | 55 +++ ...an-error-code-in-__mlx5_ib_modify_qp.patch | 36 ++ ...-active-rate-and-width-to-qdr-and-4x.patch | 43 ++ ...-rxe_register_device-on-ppc64le-arch.patch | 81 ++++ ...method-merging-in-uverbs_ioctl_merge.patch | 82 ++++ ...oops-with-duplicate-ioctl-attributes.patch | 42 ++ ...error-path-for-rdma_explicit_destroy.patch | 46 ++ ...-for-null-skb-s-in-napi-poll-routine.patch | 38 ++ ...-rx-pool-buffers-during-device-close.patch | 68 +++ ...cket-buffer-in-case-of-adapter-error.patch | 30 ++ ...-reset-is-complete-to-set-carrier-on.patch | 41 ++ ...-used-tx-descriptor-counter-on-reset.patch | 35 ++ ...4-ca8210-fix-uninitialised-data-read.patch | 64 +++ ...llback-to-the-builtin-hash-algorithm.patch | 119 +++++ ...nfig-to-select-tpm-2.0-crb-interface.patch | 37 ++ ...igsig.c-build-error-with-header-file.patch | 36 ++ ...th-use-correct-method-of-finding-hub.patch | 36 ++ ...-that-alloc_dev_data-may-return-null.patch | 36 ++ ...-mediatek-fix-protect-memory-setting.patch | 88 ++++ ...nnel-fix-ifla_mtu-ignored-on-newlink.patch | 58 +++ ..._gre-fix-ifla_mtu-ignored-on-newlink.patch | 52 +++ ...nnel-clamp-mtu-to-bounds-on-new-link.patch | 42 ++ ...fix-kernel-panic-at-msg_done_handler.patch | 56 +++ ...eceived-pmtu-net.ipv4.route.min_pmtu.patch | 221 +++++++++ ...ps_nat_mask-check-to-fix-passive-ftp.patch | 45 ++ ...llecting-firmware-dump-if-not-loaded.patch | 195 ++++++++ ...s-init-rs-with-20mhz-bandwidth-rates.patch | 100 ++++ ...ueue-is-valid-in-iwl_mvm_disable_txq.patch | 55 +++ ...d-when-unreserving-aggregation-queue.patch | 71 +++ ...wlwifi-mvm-correctly-set-igtk-for-ap.patch | 62 +++ ...orrectly-set-the-tid-for-mcast-queue.patch | 56 +++ ...ticast-frames-to-the-correct-station.patch | 39 ++ ...vm-fix-array-out-of-bounds-reference.patch | 86 ++++ ...i-mvm-fix-assert-0x2b00-on-older-fws.patch | 97 ++++ ...fix-channel-switch-for-count-0-and-1.patch | 75 +++ ...ror-checking-for-multi-broadcast-sta.patch | 42 ++ ...mvm-fix-failed-to-remove-key-message.patch | 44 ++ ...evices-that-support-station-type-api.patch | 84 ++++ ...-mvm-fix-security-bug-in-pn-checking.patch | 116 +++++ .../iwlwifi-mvm-fix-tx-of-ccmp-256.patch | 54 +++ ...ase-session-protection-time-after-cs.patch | 134 ++++++ ...sure-internal-station-has-a-valid-id.patch | 37 ++ ...rect-tid-when-we-flush-the-mcast-sta.patch | 59 +++ ...from-running-when-in-filter_all-mode.patch | 48 ++ ...ms.sh-robust-against-timestamp-races.patch | 46 ++ queue-4.14/kdb-make-mdr-command-repeat.patch | 88 ++++ ...mit-kmalloc-size-to-kmalloc_max_size.patch | 44 ++ ...g-irq_lock-to-vgic_mmio_read_pending.patch | 50 ++ ...g-for-config_have_kvm_eventfd-builds.patch | 42 ++ ..._eoi-when-in-kernel-ioapic-is-in-use.patch | 49 ++ ...pu-when-l1-is-injecting-events-to-l2.patch | 41 ++ ...-during-invalid-protected-mode-state.patch | 83 ++++ queue-4.14/lan78xx-connect-phy-early.patch | 174 +++++++ ...et-asd-in-mac_cr-when-eee-is-enabled.patch | 55 +++ ...ck-on-number-of-test-devices-created.patch | 42 ++ ...mpile-warning-with-ata_debug-enabled.patch | 38 ++ ...specifying-same-option-several-times.patch | 68 +++ ...y-handle-dev_queue_xmit-return-value.patch | 171 +++++++ ...onditional-memory-barrier-to-cmpxchg.patch | 97 ++++ ...chg-and-cmpxchg-memory-ordering-bugs.patch | 141 ++++++ ...ent-masks-for-platform-fec-ethernets.patch | 71 +++ ...isconnect-on-invalid-operating-class.patch | 66 +++ ...ed-ds-bits-from-fast-rx-to-slow-path.patch | 31 ++ ...fix-a-possible-leak-of-station-stats.patch | 32 ++ ...-sleeping-function-in-atomic-context.patch | 33 ++ ...ddba-response-for-an-ongoing-session.patch | 42 ++ ...ix-wrong-mesh-ttl-offset-calculation.patch | 79 ++++ ..._status_headroom-up-to-multiple-of-4.patch | 35 ++ ...g-dev_put-on-error-in-macsec_newlink.patch | 42 ++ ...after-free-in-macvlan_common_newlink.patch | 74 +++ ...agate-of_node-to-power-supply-device.patch | 34 ++ ...ial-deadlock-of-raid5-raid10-reshape.patch | 117 +++++ ..._start-deadlock-w-o-metadata-devices.patch | 88 ++++ .../md-free-bioset-when-md_run-fails.patch | 81 ++++ ...d-raid1-fix-null-pointer-dereference.patch | 90 ++++ ...-deference-in-handle_write_completed.patch | 62 +++ ...-raid5-avoid-string-overflow-warning.patch | 65 +++ .../microblaze-switch-to-no_bootmem.patch | 155 ++++++ ...ix-ar724x_pll_reg_pcie_config-offset.patch | 39 ++ ...eric-fix-machine-compatible-matching.patch | 42 ++ ...with-spurious-periods-after-newlines.patch | 70 +++ ...flex-keys-scratchpad-offset-conflict.patch | 55 +++ ...-unregistered-multicast-as-broadcast.patch | 49 ++ ...eference-and-free-in-page_evicatable.patch | 78 ++++ ...can-completion-before-disabling-free.patch | 79 ++++ .../mm-ksm-fix-interaction-with-thp.patch | 103 ++++ ...oid-use-uninitialized-preferred_node.patch | 46 ++ ...sion-bug-after-changing-skip-entries.patch | 85 ++++ ...lab-memcg_link-the-slab-s-kmem_cache.patch | 50 ++ ...m-thp-do-not-cause-memcg-oom-for-thp.patch | 80 ++++ ...flag-in-page_idle_clear_pte_refs_one.patch | 56 +++ ...t.c-fix-vmstat_update-preemption-bug.patch | 57 +++ ...-return-value-in-error-handling-path.patch | 34 ++ ...ac-correctly-annotate-register-space.patch | 38 ++ ...ian-access-in-bgmac_dma_tx_ring_free.patch | 34 ++ ...nal-dsa-loop-dependency-on-fixed_phy.patch | 38 ++ ...-autoloading-for-of-platform-drivers.patch | 31 ++ ...turn-from-driver-get_fecparam-method.patch | 39 ++ ...vlan-packets-without-ethernet-header.patch | 99 ++++ ...ge-and-vlan_dev-with-reorder_hdr-off.patch | 120 +++++ ...witch-support-to-depend-on-switchdev.patch | 68 +++ ...x5-protect-from-command-bit-overflow.patch | 60 +++ ...ed-when-offloading-eswitch-vlan-push.patch | 34 ++ ...a-fix-enable-of-all-initialized-rxqs.patch | 33 ++ ...ac-use-proper-free-methods-during-tx.patch | 70 +++ ..._wwan-add-broadmobi-bm806u-2020-2033.patch | 34 ++ ...-in-the-error-path-of-__tcf_ipt_init.patch | 73 +++ ...he-error-path-of-tcf_act_police_init.patch | 48 ++ ...k-in-the-error-path-of-tcf_simp_init.patch | 58 +++ ...in-the-error-path-of-tcf_skbmod_init.patch | 64 +++ ...-in-the-error-path-of-tcp_pedit_init.patch | 48 ++ ...ak-on-the-error-path-of-tcf_bpf_init.patch | 46 ++ ...in-the-error-path-of-tcf_sample_init.patch | 90 ++++ ...ttention-to-max_order-for-cq-entries.patch | 106 +++++ ...k_id-of-server-in-confirm-link-reply.patch | 44 ++ ...11x-fix-unload-crash-when-link-is-up.patch | 69 +++ ...-stmmac_mac_config_rx_queues_routing.patch | 37 ++ ...leased-ownership-before-reading-data.patch | 39 ++ ...-is-the-last-desc-to-set-the-own-bit.patch | 57 +++ ...lace-broken-algorithm-reference-link.patch | 47 ++ ...on-t-set-f_iface-on-ipv6-fib-lookups.patch | 66 +++ ...ebtables-convert-bug_ons-to-warn_ons.patch | 107 +++++ ...es-fix-erroneous-reject-of-last-rule.patch | 37 ++ ...rip-put-config-instead-of-freeing-it.patch | 55 +++ ...ct-if-we-can-t-increment-ct-refcount.patch | 47 ++ ...net6-check-sk_buff-ip-header-version.patch | 41 ++ .../nfc-llcp-limit-size-of-sdp-uri.patch | 48 ++ ...crashes-after-nfs4err_moved-recovery.patch | 72 +++ ...p-alives-to-the-discovery-controller.patch | 51 ++ ...g-nvme-ssd-960-evo-asus-prime-z370-a.patch | 45 ++ .../nvme-pci-fix-eeh-failure-on-ppc.patch | 59 +++ ...vme-queue-cleanup-if-irq-setup-fails.patch | 46 ++ ...ssible_cpus-to-pci_alloc_irq_vectors.patch | 71 +++ ...x-psdt-field-check-in-command-format.patch | 44 ++ ...grate-lockres-if-already-in-shutdown.patch | 133 ++++++ ...bus-from-hard-fail-to-soft-fail-mode.patch | 62 +++ ...dma-alias-quirk-for-marvell-88se9220.patch | 32 ++ ...runtime-resume-despite-being-unbound.patch | 87 ++++ ...uspend-aborts-during-suspend-to-idle.patch | 99 ++++ ...-cgroup-fix-child-event-counting-bug.patch | 105 +++++ ...dd-support-for-recent-clang-versions.patch | 122 +++++ ...-fix-installing-cgroup-events-on-cpu.patch | 112 +++++ ...perf-core-fix-perf_output_read_group.patch | 78 ++++ .../perf-record-fix-crash-in-pipe-mode.patch | 117 +++++ ...n-branch-history-mode-branch-history.patch | 101 ++++ .../perf-report-fix-wrong-jump-arrow.patch | 124 +++++ ...at-fix-core-dump-when-flag-t-is-used.patch | 116 +++++ ...est-case-inet_pton-to-accept-inlines.patch | 62 +++ ...x-dwarf-unwind-for-stripped-binaries.patch | 209 +++++++++ ...pare_symbol_names-to-compare-symbols.patch | 57 +++ ...s-fix-perf-builds-with-clang-support.patch | 38 ++ ...top.call-graph-config-option-reading.patch | 51 ++ ...tel-fix-event-update-for-auto-reload.patch | 238 ++++++++++ ...ge-period-handling-on-broadwell-cpus.patch | 74 +++ ...bs-real_ip-on-haswell-and-later-cpus.patch | 123 +++++ ...ore-the-pmu-state-in-the-nmi-handler.patch | 74 +++ ...y-qcom-qmp-fix-phy-pipe-clock-gating.patch | 72 +++ ...chip-emmc-retry-calpad-busy-trimming.patch | 74 +++ ...-dt-add-missing-pin-group-uart5nocts.patch | 43 ++ ...t_to_map_one_config-handling-of-hogs.patch | 52 +++ ...23s08-spi-fix-regmap-debugfs-entries.patch | 92 ++++ ...nctrl-msm-use-dynamic-gpio-numbering.patch | 34 ++ ...er-pin-assignment-for-ssi-pins-group.patch | 191 ++++++++ ...verification-of-signerinfo-signature.patch | 43 ++ ...-battery-gauge-fix-temperature-units.patch | 42 ++ ...e-of-amor-on-power9-after-deep-sleep.patch | 34 ++ ...s-no-debugger-or-crash-dump-handlers.patch | 67 +++ ...ng-prototype-for-arch_irq_work_raise.patch | 33 ++ ...x-random-libfdt-related-build-errors.patch | 52 +++ ...x-32-bit-jit-for-seccomp_data-access.patch | 39 ++ ...upts-earlier-before-calling-get_user.patch | 81 ++++ ...eck-if-cpu_possible-in-mpic_physmask.patch | 47 ++ ...-address-leak-via-sampling-registers.patch | 72 +++ ...ss-leak-to-userspace-via-bhrb-buffer.patch | 42 ++ ...-npu-fix-deadlock-in-mmio_invalidate.patch | 370 +++++++++++++++ ...teger-overflow-when-calculating-size.patch | 34 ++ ...d-free-roce-ilt-memory-on-rmmod-qedr.patch | 65 +++ ...drop-rx-checksum-invalidated-packets.patch | 43 ++ ...arrier-usage-after-tx-doorbell-write.patch | 56 +++ .../qrtr-add-module_alias-macro-to-smd.patch | 29 ++ .../r8152-fix-tx-packets-accounting.patch | 34 ++ ...tchdog-while-printing-stall-warnings.patch | 49 ++ ...-fix-incorrect-db-offset-calculation.patch | 96 ++++ ...-fix-system-crash-during-load-unload.patch | 39 ++ ...xt_re-fix-the-ib_reg-failure-cleanup.patch | 36 ++ ...nly-fence-non-wire-memory-operations.patch | 54 +++ ...-sq-and-rq-memory-if-qp-create-fails.patch | 47 ++ ...-iwarp-write-and-send-with-immediate.patch | 48 ++ ...panic-when-running-fio-over-nfsordma.patch | 43 ++ ...r-fix-qp-s-ack-timeout-configuration.patch | 62 +++ ...edr-fix-qp-state-initialization-race.patch | 80 ++++ ...ialization-on-cnq-allocation-failure.patch | 36 ++ ...rrect-option-size-check-using-optlen.patch | 35 ++ ...ence-counting-in-tcp-socket-creation.patch | 63 +++ ...-correct-comparison-in-regmap_cached.patch | 33 ++ ...ndling-paths-in-gpio_regulator_probe.patch | 86 ++++ ...-handling-path-of-of_regulator_match.patch | 30 ++ ...regulatory-add-nul-to-request-alpha2.patch | 33 ++ ...ror-handling-path-in-imx_rproc_probe.patch | 36 ++ ...rnel-panic-observed-on-64bit-machine.patch | 154 ++++++ ...n-t-treat-call-aborts-as-conn-aborts.patch | 59 +++ ...-annotation-after-initial-tx-failure.patch | 41 ++ .../rxrpc-work-around-usercopy-check.patch | 74 +++ ...ar-timer-when-terminating-driver-i-o.patch | 31 ++ ...cio-fix-ccw_device_start_timeout-api.patch | 198 ++++++++ ...-return-code-after-missing-interrupt.patch | 71 +++ ...sd-fix-handling-of-internal-requests.patch | 88 ++++ ...k_update_flags-rqcf_act_skip-warning.patch | 74 +++ ...id_ok-in-__scsi_error_from_host_byte.patch | 34 ++ ...comp-add-a-selftest-for-get_metadata.patch | 98 ++++ queue-4.14/selftest-vdso-fix-o.patch | 50 ++ ...process-without-error-in-enomem-case.patch | 45 ++ ...ftrace-add-a-testcase-for-probepoint.patch | 70 +++ ...se-for-string-type-with-kprobe_event.patch | 73 +++ ...probe-event-argument-syntax-testcase.patch | 124 +++++ ...ex-fix-line-continuation-in-makefile.patch | 43 ++ ...s-memfd-add-config-fragment-for-fuse.patch | 25 + ...d-add-run_fuse_test.sh-to-test_files.patch | 36 ++ ...et-fixes-psock_fanout-ebpf-test-case.patch | 40 ++ ...-tests-if-the-syscall-is-unavailable.patch | 65 +++ ...t-the-test-we-re-running-to-dev-kmsg.patch | 42 ++ ...-config-fragment-config_pstore_ram-m.patch | 27 ++ ...-sync-missing-cflags-while-compiling.patch | 40 ++ ...st-hugetlb-size-according-to-nr_cpus.patch | 94 ++++ queue-4.14/series | 442 ++++++++++++++++++ ...rocess-signals-before-return-to-user.patch | 32 ++ ...h_eth-fix-tsu-init-on-sh7734-r8a7740.patch | 81 ++++ .../sit-fix-ifla_mtu-ignored-on-newlink.patch | 42 ++ .../smsc75xx-fix-smsc75xx_set_features.patch | 42 ++ ...er-power-domains-only-if-initialized.patch | 51 ++ ...cnss_ctrl-fix-increment-in-nv-upload.patch | 37 ++ ...-inline-function-rather-than-a-macro.patch | 46 ++ ...pectrum-reference-count-vlan-entries.patch | 91 ++++ ...m-qspi-fix-some-error-handling-paths.patch | 44 ++ ...evice-in-revalidate-and-check_events.patch | 119 +++++ ...unvnet-does-not-support-gso-for-sctp.patch | 34 ++ ...ro-when-zero-length-swap-file-on-ssd.patch | 54 +++ ...-retrun-the-correct-iv-in-getsockopt.patch | 33 ++ ...er-warnings-about-major-target_fname.patch | 58 +++ .../tools-thermal-tmon-fix-for-segfault.patch | 81 ++++ ...de-saner-default-for-invalid-uid-gid.patch | 40 ++ .../vfio-ccw-fence-off-transport-mode.patch | 37 ++ ...expose-the-fixed-status-to-userspace.patch | 79 ++++ ...r-virtio-when-no-virtio_net_f_status.patch | 51 ++ ...t-fix-xdp-code-path-in-receive_small.patch | 46 ++ ...vlan-headers-with-reorder-header-off.patch | 165 +++++++ ...-for-packets-without-ethernet-header.patch | 62 +++ ...-header-length-twice-on-tunnel-setup.patch | 66 +++ ...passed-on-link-creation-via-ifla_mtu.patch | 33 ++ queue-4.14/vti6-fix-dev-max_mtu-setting.patch | 34 ++ ...-error-handling-in-asm9260_wdt_probe.patch | 46 ++ ...allow-configuring-for-alternate-boot.patch | 60 +++ ...ation-of-reset-mode-to-ctrl-register.patch | 53 +++ ...-error-handling-in-davinci_wdt_probe.patch | 54 +++ ...watchdog-dw-rmw-the-control-register.patch | 90 ++++ ...f71808e_wdt-fix-magic-close-handling.patch | 37 ++ ...atchdog-sbsa-use-32-bit-read-for-wcv.patch | 51 ++ ...ueue-use-put_device-instead-of-kfree.patch | 32 ++ ...lternatives-fixup-alternative_call_2.patch | 53 +++ ...-on-the-boot-cpu-if-noapic-specified.patch | 58 +++ ...cetree-fix-device-irq-settings-in-dt.patch | 62 +++ ...itialize-device-tree-before-using-it.patch | 58 +++ ...sub-directory-in-resctrl-file-system.patch | 54 +++ ...e_rw-before-init-for-__ro_after_init.patch | 64 +++ ...of-this_cpu_has-in-build_cr3_noflush.patch | 86 ++++ ...set-huge-pud-pmd-on-non-leaf-entries.patch | 99 ++++ ...rectly-across-cpu-hotplug-operations.patch | 53 +++ .../xen-acpi-off-by-one-in-read_acpi_id.patch | 39 ++ ...te_mq-to-cover-all-cases-of-new-vbds.patch | 75 +++ ...error-path-cleanup-when-binding-msis.patch | 44 ++ ...null-pointer-dereference-on-map-sock.patch | 35 ++ ...nbus-use-put_device-instead-of-kfree.patch | 37 ++ ...-when-afinfo-is-null-in-xfrm_get_tos.patch | 41 ++ ...umber-handling-for-ipsec-gso-packets.patch | 34 ++ ...ead_unlock-usage-in-xfrm_local_error.patch | 36 ++ ...nsport-mode-skb-control-buffer-usage.patch | 40 ++ ...amd-promontory-disabled-ports-wakeup.patch | 227 +++++++++ queue-4.14/z3fold-fix-memory-leak.patch | 61 +++ ...et-up-z-dev.dma_mask-for-the-dma-api.patch | 55 +++ 443 files changed, 29241 insertions(+) create mode 100644 queue-4.14/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch create mode 100644 queue-4.14/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch create mode 100644 queue-4.14/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch create mode 100644 queue-4.14/acpica-fix-memory-leak-on-unusual-memory-leak.patch create mode 100644 queue-4.14/alsa-vmaster-propagate-slave-error.patch create mode 100644 queue-4.14/arc-fix-malformed-arc_emul_unaligned-default.patch create mode 100644 queue-4.14/arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch create mode 100644 queue-4.14/arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch create mode 100644 queue-4.14/arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch create mode 100644 queue-4.14/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch create mode 100644 queue-4.14/arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch create mode 100644 queue-4.14/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch create mode 100644 queue-4.14/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch create mode 100644 queue-4.14/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch create mode 100644 queue-4.14/arm-dts-bcm283x-fix-unit-address-of-local_intc.patch create mode 100644 queue-4.14/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch create mode 100644 queue-4.14/arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch create mode 100644 queue-4.14/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch create mode 100644 queue-4.14/arm-dts-ls1021a-specify-tbipa-register-address.patch create mode 100644 queue-4.14/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch create mode 100644 queue-4.14/arm-dts-porter-fix-hdmi-output-routing.patch create mode 100644 queue-4.14/arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch create mode 100644 queue-4.14/arm-dts-rockchip-fix-dwmmc-clocks.patch create mode 100644 queue-4.14/arm-dts-socfpga-fix-gic-ppi-warning.patch create mode 100644 queue-4.14/arm-omap-fix-dmtimer-init-for-omap1.patch create mode 100644 queue-4.14/arm-omap1-clock-fix-debugfs_create_-usage.patch create mode 100644 queue-4.14/arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch create mode 100644 queue-4.14/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch create mode 100644 queue-4.14/arm-omap3-fix-prm-wake-interrupt-for-resume.patch create mode 100644 queue-4.14/arm-orion5x-revert-commit-4904dbda41c8.patch create mode 100644 queue-4.14/arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch create mode 100644 queue-4.14/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch create mode 100644 queue-4.14/arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch create mode 100644 queue-4.14/arm64-dts-rockchip-fix-dwmmc-clocks.patch create mode 100644 queue-4.14/arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch create mode 100644 queue-4.14/arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch create mode 100644 queue-4.14/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch create mode 100644 queue-4.14/arm64-perf-correct-pmuver-probing.patch create mode 100644 queue-4.14/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch create mode 100644 queue-4.14/ath10k-advertize-beacon_int_min_gcd.patch create mode 100644 queue-4.14/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch create mode 100644 queue-4.14/ath9k-fix-crash-in-spectral-scan.patch create mode 100644 queue-4.14/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch create mode 100644 queue-4.14/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch create mode 100644 queue-4.14/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch create mode 100644 queue-4.14/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch create mode 100644 queue-4.14/batman-adv-fix-netlink-dumping-of-bla-backbones.patch create mode 100644 queue-4.14/batman-adv-fix-netlink-dumping-of-bla-claims.patch create mode 100644 queue-4.14/batman-adv-fix-packet-checksum-in-receive-path.patch create mode 100644 queue-4.14/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch create mode 100644 queue-4.14/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch create mode 100644 queue-4.14/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch create mode 100644 queue-4.14/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch create mode 100644 queue-4.14/batman-adv-invalidate-checksum-on-fragment-reassembly.patch create mode 100644 queue-4.14/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch create mode 100644 queue-4.14/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch create mode 100644 queue-4.14/block-display-the-correct-diskname-for-bio.patch create mode 100644 queue-4.14/block-null_blk-fix-invalid-parameters-when-loading-module.patch create mode 100644 queue-4.14/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch create mode 100644 queue-4.14/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch create mode 100644 queue-4.14/brcmfmac-fix-check-for-iso3166-code.patch create mode 100644 queue-4.14/btrfs-bail-out-on-error-during-replay_dir_deletes.patch create mode 100644 queue-4.14/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch create mode 100644 queue-4.14/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch create mode 100644 queue-4.14/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch create mode 100644 queue-4.14/btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch create mode 100644 queue-4.14/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch create mode 100644 queue-4.14/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch create mode 100644 queue-4.14/btrfs-fix-possible-softlock-on-single-core-machines.patch create mode 100644 queue-4.14/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch create mode 100644 queue-4.14/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch create mode 100644 queue-4.14/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch create mode 100644 queue-4.14/btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch create mode 100644 queue-4.14/bug.h-work-around-gcc-pr82365-in-bug.patch create mode 100644 queue-4.14/builddeb-fix-header-package-regarding-dtc-source-links.patch create mode 100644 queue-4.14/can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch create mode 100644 queue-4.14/can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch create mode 100644 queue-4.14/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch create mode 100644 queue-4.14/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch create mode 100644 queue-4.14/ceph-fix-potential-memory-leak-in-init_caches.patch create mode 100644 queue-4.14/cfg80211-clear-wep-keys-after-disconnection.patch create mode 100644 queue-4.14/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch create mode 100644 queue-4.14/clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch create mode 100644 queue-4.14/coresight-use-px-to-print-pcsr-instead-of-p.patch create mode 100644 queue-4.14/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch create mode 100644 queue-4.14/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch create mode 100644 queue-4.14/cpufreq-reorder-cpufreq_online-error-code-path.patch create mode 100644 queue-4.14/cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch create mode 100644 queue-4.14/cxgb4-fix-queue-free-path-of-uld-drivers.patch create mode 100644 queue-4.14/cxgb4-setup-fw-queues-before-registering-netdev.patch create mode 100644 queue-4.14/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch create mode 100644 queue-4.14/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch create mode 100644 queue-4.14/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch create mode 100644 queue-4.14/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch create mode 100644 queue-4.14/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch create mode 100644 queue-4.14/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch create mode 100644 queue-4.14/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch create mode 100644 queue-4.14/dpaa_eth-fix-pause-capability-advertisement-logic.patch create mode 100644 queue-4.14/dpaa_eth-fix-sg-mapping.patch create mode 100644 queue-4.14/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch create mode 100644 queue-4.14/drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch create mode 100644 queue-4.14/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch create mode 100644 queue-4.14/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch create mode 100644 queue-4.14/drm-amdkfd-add-missing-include-of-mm.h.patch create mode 100644 queue-4.14/drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch create mode 100644 queue-4.14/drm-ast-fixed-1280x800-display-issue.patch create mode 100644 queue-4.14/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch create mode 100644 queue-4.14/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch create mode 100644 queue-4.14/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch create mode 100644 queue-4.14/drm-exynos-g2d-use-monotonic-timestamps.patch create mode 100644 queue-4.14/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch create mode 100644 queue-4.14/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch create mode 100644 queue-4.14/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch create mode 100644 queue-4.14/drm-meson-fix-vsync-buffer-update.patch create mode 100644 queue-4.14/drm-nouveau-bl-fix-backlight-regression.patch create mode 100644 queue-4.14/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch create mode 100644 queue-4.14/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch create mode 100644 queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch create mode 100644 queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch create mode 100644 queue-4.14/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch create mode 100644 queue-4.14/drm-sun4i-fix-dclk_set_phase.patch create mode 100644 queue-4.14/drm-tegra-shutdown-on-driver-unbind.patch create mode 100644 queue-4.14/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch create mode 100644 queue-4.14/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch create mode 100644 queue-4.14/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch create mode 100644 queue-4.14/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch create mode 100644 queue-4.14/efi-arm-only-register-page-tables-when-they-exist.patch create mode 100644 queue-4.14/enic-enable-rq-before-updating-rq-descriptors.patch create mode 100644 queue-4.14/ext4-don-t-complain-about-incorrect-features-when-probing.patch create mode 100644 queue-4.14/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch create mode 100644 queue-4.14/f2fs-fix-to-clear-cp_trimmed_flag.patch create mode 100644 queue-4.14/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch create mode 100644 queue-4.14/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch create mode 100644 queue-4.14/firmware-dmi_scan-fix-uuid-length-safety-check.patch create mode 100644 queue-4.14/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch create mode 100644 queue-4.14/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch create mode 100644 queue-4.14/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch create mode 100644 queue-4.14/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch create mode 100644 queue-4.14/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch create mode 100644 queue-4.14/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch create mode 100644 queue-4.14/gfs2-fix-fallocate-chunk-size.patch create mode 100644 queue-4.14/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch create mode 100644 queue-4.14/gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch create mode 100644 queue-4.14/gpu-ipu-v3-prg-avoid-possible-array-underflow.patch create mode 100644 queue-4.14/gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch create mode 100644 queue-4.14/hv_netvsc-enable-multicast-if-necessary.patch create mode 100644 queue-4.14/hv_netvsc-filter-multicast-broadcast.patch create mode 100644 queue-4.14/hv_netvsc-fix-filter-flags.patch create mode 100644 queue-4.14/hv_netvsc-fix-locking-during-vf-setup.patch create mode 100644 queue-4.14/hv_netvsc-fix-locking-for-rx_mode.patch create mode 100644 queue-4.14/hv_netvsc-propagate-rx-filters-to-vf.patch create mode 100644 queue-4.14/hv_netvsc-use-napi_schedule_irqoff.patch create mode 100644 queue-4.14/hwmon-nct6775-fix-writing-pwmx_mode.patch create mode 100644 queue-4.14/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch create mode 100644 queue-4.14/hwmon-pmbus-max8688-accept-negative-page-register-values.patch create mode 100644 queue-4.14/hwrng-stm32-add-reset-during-probe.patch create mode 100644 queue-4.14/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch create mode 100644 queue-4.14/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch create mode 100644 queue-4.14/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch create mode 100644 queue-4.14/ia64-err-inject-use-get_user_pages_fast.patch create mode 100644 queue-4.14/ib-core-fix-possible-crash-to-access-null-netdev.patch create mode 100644 queue-4.14/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch create mode 100644 queue-4.14/ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch create mode 100644 queue-4.14/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch create mode 100644 queue-4.14/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch create mode 100644 queue-4.14/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch create mode 100644 queue-4.14/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch create mode 100644 queue-4.14/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch create mode 100644 queue-4.14/ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch create mode 100644 queue-4.14/ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch create mode 100644 queue-4.14/ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch create mode 100644 queue-4.14/ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch create mode 100644 queue-4.14/ibmvnic-clean-rx-pool-buffers-during-device-close.patch create mode 100644 queue-4.14/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch create mode 100644 queue-4.14/ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch create mode 100644 queue-4.14/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch create mode 100644 queue-4.14/ieee802154-ca8210-fix-uninitialised-data-read.patch create mode 100644 queue-4.14/ima-fallback-to-the-builtin-hash-algorithm.patch create mode 100644 queue-4.14/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch create mode 100644 queue-4.14/integrity-security-fix-digsig.c-build-error-with-header-file.patch create mode 100644 queue-4.14/intel_th-use-correct-method-of-finding-hub.patch create mode 100644 queue-4.14/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch create mode 100644 queue-4.14/iommu-mediatek-fix-protect-memory-setting.patch create mode 100644 queue-4.14/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch create mode 100644 queue-4.14/ip_gre-fix-ifla_mtu-ignored-on-newlink.patch create mode 100644 queue-4.14/ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch create mode 100644 queue-4.14/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch create mode 100644 queue-4.14/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch create mode 100644 queue-4.14/ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch create mode 100644 queue-4.14/iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch create mode 100644 queue-4.14/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch create mode 100644 queue-4.14/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch create mode 100644 queue-4.14/iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch create mode 100644 queue-4.14/iwlwifi-mvm-correctly-set-igtk-for-ap.patch create mode 100644 queue-4.14/iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch create mode 100644 queue-4.14/iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-array-out-of-bounds-reference.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-failed-to-remove-key-message.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch create mode 100644 queue-4.14/iwlwifi-mvm-fix-tx-of-ccmp-256.patch create mode 100644 queue-4.14/iwlwifi-mvm-increase-session-protection-time-after-cs.patch create mode 100644 queue-4.14/iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch create mode 100644 queue-4.14/iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch create mode 100644 queue-4.14/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch create mode 100644 queue-4.14/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch create mode 100644 queue-4.14/kdb-make-mdr-command-repeat.patch create mode 100644 queue-4.14/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch create mode 100644 queue-4.14/kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch create mode 100644 queue-4.14/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch create mode 100644 queue-4.14/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch create mode 100644 queue-4.14/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch create mode 100644 queue-4.14/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch create mode 100644 queue-4.14/lan78xx-connect-phy-early.patch create mode 100644 queue-4.14/lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch create mode 100644 queue-4.14/lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch create mode 100644 queue-4.14/libata-fix-compile-warning-with-ata_debug-enabled.patch create mode 100644 queue-4.14/libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch create mode 100644 queue-4.14/llc-properly-handle-dev_queue_xmit-return-value.patch create mode 100644 queue-4.14/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch create mode 100644 queue-4.14/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch create mode 100644 queue-4.14/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch create mode 100644 queue-4.14/mac80211-do-not-disconnect-on-invalid-operating-class.patch create mode 100644 queue-4.14/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch create mode 100644 queue-4.14/mac80211-fix-a-possible-leak-of-station-stats.patch create mode 100644 queue-4.14/mac80211-fix-calling-sleeping-function-in-atomic-context.patch create mode 100644 queue-4.14/mac80211-fix-sending-addba-response-for-an-ongoing-session.patch create mode 100644 queue-4.14/mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch create mode 100644 queue-4.14/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch create mode 100644 queue-4.14/macsec-missing-dev_put-on-error-in-macsec_newlink.patch create mode 100644 queue-4.14/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch create mode 100644 queue-4.14/max17042-propagate-of_node-to-power-supply-device.patch create mode 100644 queue-4.14/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch create mode 100644 queue-4.14/md-fix-md_write_start-deadlock-w-o-metadata-devices.patch create mode 100644 queue-4.14/md-free-bioset-when-md_run-fails.patch create mode 100644 queue-4.14/md-raid1-fix-null-pointer-dereference.patch create mode 100644 queue-4.14/md-raid10-fix-null-deference-in-handle_write_completed.patch create mode 100644 queue-4.14/md-raid5-avoid-string-overflow-warning.patch create mode 100644 queue-4.14/microblaze-switch-to-no_bootmem.patch create mode 100644 queue-4.14/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch create mode 100644 queue-4.14/mips-generic-fix-machine-compatible-matching.patch create mode 100644 queue-4.14/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch create mode 100644 queue-4.14/mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch create mode 100644 queue-4.14/mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch create mode 100644 queue-4.14/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch create mode 100644 queue-4.14/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch create mode 100644 queue-4.14/mm-ksm-fix-interaction-with-thp.patch create mode 100644 queue-4.14/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch create mode 100644 queue-4.14/mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch create mode 100644 queue-4.14/mm-slab-memcg_link-the-slab-s-kmem_cache.patch create mode 100644 queue-4.14/mm-thp-do-not-cause-memcg-oom-for-thp.patch create mode 100644 queue-4.14/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch create mode 100644 queue-4.14/mm-vmstat.c-fix-vmstat_update-preemption-bug.patch create mode 100644 queue-4.14/nbd-fix-return-value-in-error-handling-path.patch create mode 100644 queue-4.14/net-bgmac-correctly-annotate-register-space.patch create mode 100644 queue-4.14/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch create mode 100644 queue-4.14/net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch create mode 100644 queue-4.14/net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch create mode 100644 queue-4.14/net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch create mode 100644 queue-4.14/net-fix-untag-for-vlan-packets-without-ethernet-header.patch create mode 100644 queue-4.14/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch create mode 100644 queue-4.14/net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch create mode 100644 queue-4.14/net-mlx5-protect-from-command-bit-overflow.patch create mode 100644 queue-4.14/net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch create mode 100644 queue-4.14/net-mvneta-fix-enable-of-all-initialized-rxqs.patch create mode 100644 queue-4.14/net-qcom-emac-use-proper-free-methods-during-tx.patch create mode 100644 queue-4.14/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch create mode 100644 queue-4.14/net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch create mode 100644 queue-4.14/net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch create mode 100644 queue-4.14/net-smc-pay-attention-to-max_order-for-cq-entries.patch create mode 100644 queue-4.14/net-smc-use-link_id-of-server-in-confirm-link-reply.patch create mode 100644 queue-4.14/net-smsc911x-fix-unload-crash-when-link-is-up.patch create mode 100644 queue-4.14/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch create mode 100644 queue-4.14/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch create mode 100644 queue-4.14/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch create mode 100644 queue-4.14/net-tcp-illinois-replace-broken-algorithm-reference-link.patch create mode 100644 queue-4.14/netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch create mode 100644 queue-4.14/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch create mode 100644 queue-4.14/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch create mode 100644 queue-4.14/netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch create mode 100644 queue-4.14/netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch create mode 100644 queue-4.14/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch create mode 100644 queue-4.14/nfc-llcp-limit-size-of-sdp-uri.patch create mode 100644 queue-4.14/nfs-system-crashes-after-nfs4err_moved-recovery.patch create mode 100644 queue-4.14/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch create mode 100644 queue-4.14/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch create mode 100644 queue-4.14/nvme-pci-fix-eeh-failure-on-ppc.patch create mode 100644 queue-4.14/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch create mode 100644 queue-4.14/nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch create mode 100644 queue-4.14/nvmet-fix-psdt-field-check-in-command-format.patch create mode 100644 queue-4.14/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch create mode 100644 queue-4.14/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch create mode 100644 queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch create mode 100644 queue-4.14/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch create mode 100644 queue-4.14/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch create mode 100644 queue-4.14/perf-cgroup-fix-child-event-counting-bug.patch create mode 100644 queue-4.14/perf-clang-add-support-for-recent-clang-versions.patch create mode 100644 queue-4.14/perf-core-fix-installing-cgroup-events-on-cpu.patch create mode 100644 queue-4.14/perf-core-fix-perf_output_read_group.patch create mode 100644 queue-4.14/perf-record-fix-crash-in-pipe-mode.patch create mode 100644 queue-4.14/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch create mode 100644 queue-4.14/perf-report-fix-wrong-jump-arrow.patch create mode 100644 queue-4.14/perf-stat-fix-core-dump-when-flag-t-is-used.patch create mode 100644 queue-4.14/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch create mode 100644 queue-4.14/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch create mode 100644 queue-4.14/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch create mode 100644 queue-4.14/perf-tools-fix-perf-builds-with-clang-support.patch create mode 100644 queue-4.14/perf-top-fix-top.call-graph-config-option-reading.patch create mode 100644 queue-4.14/perf-x86-intel-fix-event-update-for-auto-reload.patch create mode 100644 queue-4.14/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch create mode 100644 queue-4.14/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch create mode 100644 queue-4.14/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch create mode 100644 queue-4.14/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch create mode 100644 queue-4.14/phy-rockchip-emmc-retry-calpad-busy-trimming.patch create mode 100644 queue-4.14/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch create mode 100644 queue-4.14/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch create mode 100644 queue-4.14/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch create mode 100644 queue-4.14/pinctrl-msm-use-dynamic-gpio-numbering.patch create mode 100644 queue-4.14/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch create mode 100644 queue-4.14/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch create mode 100644 queue-4.14/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch create mode 100644 queue-4.14/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch create mode 100644 queue-4.14/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch create mode 100644 queue-4.14/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch create mode 100644 queue-4.14/powerpc-boot-fix-random-libfdt-related-build-errors.patch create mode 100644 queue-4.14/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch create mode 100644 queue-4.14/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch create mode 100644 queue-4.14/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch create mode 100644 queue-4.14/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch create mode 100644 queue-4.14/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch create mode 100644 queue-4.14/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch create mode 100644 queue-4.14/ptr_ring-prevent-integer-overflow-when-calculating-size.patch create mode 100644 queue-4.14/qed-free-roce-ilt-memory-on-rmmod-qedr.patch create mode 100644 queue-4.14/qede-do-not-drop-rx-checksum-invalidated-packets.patch create mode 100644 queue-4.14/qede-fix-barrier-usage-after-tx-doorbell-write.patch create mode 100644 queue-4.14/qrtr-add-module_alias-macro-to-smd.patch create mode 100644 queue-4.14/r8152-fix-tx-packets-accounting.patch create mode 100644 queue-4.14/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch create mode 100644 queue-4.14/rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch create mode 100644 queue-4.14/rdma-bnxt_re-fix-system-crash-during-load-unload.patch create mode 100644 queue-4.14/rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch create mode 100644 queue-4.14/rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch create mode 100644 queue-4.14/rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch create mode 100644 queue-4.14/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch create mode 100644 queue-4.14/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch create mode 100644 queue-4.14/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch create mode 100644 queue-4.14/rdma-qedr-fix-qp-state-initialization-race.patch create mode 100644 queue-4.14/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch create mode 100644 queue-4.14/rdma-ucma-correct-option-size-check-using-optlen.patch create mode 100644 queue-4.14/rds-incorrect-reference-counting-in-tcp-socket-creation.patch create mode 100644 queue-4.14/regmap-correct-comparison-in-regmap_cached.patch create mode 100644 queue-4.14/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch create mode 100644 queue-4.14/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch create mode 100644 queue-4.14/regulatory-add-nul-to-request-alpha2.patch create mode 100644 queue-4.14/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch create mode 100644 queue-4.14/rsi-fix-kernel-panic-observed-on-64bit-machine.patch create mode 100644 queue-4.14/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch create mode 100644 queue-4.14/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch create mode 100644 queue-4.14/rxrpc-work-around-usercopy-check.patch create mode 100644 queue-4.14/s390-cio-clear-timer-when-terminating-driver-i-o.patch create mode 100644 queue-4.14/s390-cio-fix-ccw_device_start_timeout-api.patch create mode 100644 queue-4.14/s390-cio-fix-return-code-after-missing-interrupt.patch create mode 100644 queue-4.14/s390-dasd-fix-handling-of-internal-requests.patch create mode 100644 queue-4.14/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch create mode 100644 queue-4.14/scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch create mode 100644 queue-4.14/seccomp-add-a-selftest-for-get_metadata.patch create mode 100644 queue-4.14/selftest-vdso-fix-o.patch create mode 100644 queue-4.14/selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch create mode 100644 queue-4.14/selftests-ftrace-add-a-testcase-for-probepoint.patch create mode 100644 queue-4.14/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch create mode 100644 queue-4.14/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch create mode 100644 queue-4.14/selftests-futex-fix-line-continuation-in-makefile.patch create mode 100644 queue-4.14/selftests-memfd-add-config-fragment-for-fuse.patch create mode 100644 queue-4.14/selftests-memfd-add-run_fuse_test.sh-to-test_files.patch create mode 100644 queue-4.14/selftests-net-fixes-psock_fanout-ebpf-test-case.patch create mode 100644 queue-4.14/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch create mode 100644 queue-4.14/selftests-print-the-test-we-re-running-to-dev-kmsg.patch create mode 100644 queue-4.14/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch create mode 100644 queue-4.14/selftests-sync-missing-cflags-while-compiling.patch create mode 100644 queue-4.14/selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch create mode 100644 queue-4.14/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch create mode 100644 queue-4.14/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch create mode 100644 queue-4.14/sit-fix-ifla_mtu-ignored-on-newlink.patch create mode 100644 queue-4.14/smsc75xx-fix-smsc75xx_set_features.patch create mode 100644 queue-4.14/soc-imx-gpc-de-register-power-domains-only-if-initialized.patch create mode 100644 queue-4.14/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch create mode 100644 queue-4.14/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch create mode 100644 queue-4.14/spectrum-reference-count-vlan-entries.patch create mode 100644 queue-4.14/spi-bcm-qspi-fix-some-error-handling-paths.patch create mode 100644 queue-4.14/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch create mode 100644 queue-4.14/sunvnet-does-not-support-gso-for-sctp.patch create mode 100644 queue-4.14/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch create mode 100644 queue-4.14/tls-retrun-the-correct-iv-in-getsockopt.patch create mode 100644 queue-4.14/tools-hv-fix-compiler-warnings-about-major-target_fname.patch create mode 100644 queue-4.14/tools-thermal-tmon-fix-for-segfault.patch create mode 100644 queue-4.14/udf-provide-saner-default-for-invalid-uid-gid.patch create mode 100644 queue-4.14/vfio-ccw-fence-off-transport-mode.patch create mode 100644 queue-4.14/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch create mode 100644 queue-4.14/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch create mode 100644 queue-4.14/virtio_net-fix-xdp-code-path-in-receive_small.patch create mode 100644 queue-4.14/vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch create mode 100644 queue-4.14/vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch create mode 100644 queue-4.14/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch create mode 100644 queue-4.14/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch create mode 100644 queue-4.14/vti6-fix-dev-max_mtu-setting.patch create mode 100644 queue-4.14/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch create mode 100644 queue-4.14/watchdog-aspeed-allow-configuring-for-alternate-boot.patch create mode 100644 queue-4.14/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch create mode 100644 queue-4.14/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch create mode 100644 queue-4.14/watchdog-dw-rmw-the-control-register.patch create mode 100644 queue-4.14/watchdog-f71808e_wdt-fix-magic-close-handling.patch create mode 100644 queue-4.14/watchdog-sbsa-use-32-bit-read-for-wcv.patch create mode 100644 queue-4.14/workqueue-use-put_device-instead-of-kfree.patch create mode 100644 queue-4.14/x86-alternatives-fixup-alternative_call_2.patch create mode 100644 queue-4.14/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch create mode 100644 queue-4.14/x86-devicetree-fix-device-irq-settings-in-dt.patch create mode 100644 queue-4.14/x86-devicetree-initialize-device-tree-before-using-it.patch create mode 100644 queue-4.14/x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch create mode 100644 queue-4.14/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch create mode 100644 queue-4.14/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch create mode 100644 queue-4.14/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch create mode 100644 queue-4.14/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch create mode 100644 queue-4.14/xen-acpi-off-by-one-in-read_acpi_id.patch create mode 100644 queue-4.14/xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch create mode 100644 queue-4.14/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch create mode 100644 queue-4.14/xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch create mode 100644 queue-4.14/xen-xenbus-use-put_device-instead-of-kfree.patch create mode 100644 queue-4.14/xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch create mode 100644 queue-4.14/xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch create mode 100644 queue-4.14/xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch create mode 100644 queue-4.14/xfrm-fix-transport-mode-skb-control-buffer-usage.patch create mode 100644 queue-4.14/xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch create mode 100644 queue-4.14/z3fold-fix-memory-leak.patch create mode 100644 queue-4.14/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch diff --git a/queue-4.14/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch b/queue-4.14/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch new file mode 100644 index 00000000000..3703a03db0a --- /dev/null +++ b/queue-4.14/acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Lenny Szubowicz +Date: Tue, 27 Mar 2018 09:56:40 -0400 +Subject: ACPI: acpi_pad: Fix memory leak in power saving threads + +From: Lenny Szubowicz + +[ Upstream commit 8b29d29abc484d638213dd79a18a95ae7e5bb402 ] + +Fix once per second (round_robin_time) memory leak of about 1 KB in +each acpi_pad kernel idling thread that is activated. + +Found by testing with kmemleak. + +Signed-off-by: Lenny Szubowicz +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_pad.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/acpi_pad.c ++++ b/drivers/acpi/acpi_pad.c +@@ -110,6 +110,7 @@ static void round_robin_cpu(unsigned int + cpumask_andnot(tmp, cpu_online_mask, pad_busy_cpus); + if (cpumask_empty(tmp)) { + mutex_unlock(&round_robin_lock); ++ free_cpumask_var(tmp); + return; + } + for_each_cpu(cpu, tmp) { +@@ -127,6 +128,8 @@ static void round_robin_cpu(unsigned int + mutex_unlock(&round_robin_lock); + + set_cpus_allowed_ptr(current, cpumask_of(preferred_cpu)); ++ ++ free_cpumask_var(tmp); + } + + static void exit_round_robin(unsigned int tsk_index) diff --git a/queue-4.14/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch b/queue-4.14/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch new file mode 100644 index 00000000000..e9d8be30861 --- /dev/null +++ b/queue-4.14/acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch @@ -0,0 +1,91 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Seunghun Han +Date: Wed, 14 Mar 2018 16:12:56 -0700 +Subject: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c + +From: Seunghun Han + +[ Upstream commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c ] + +I found an ACPI cache leak in ACPI early termination and boot continuing case. + +When early termination occurs due to malicious ACPI table, Linux kernel +terminates ACPI function and continues to boot process. While kernel terminates +ACPI function, kmem_cache_destroy() reports Acpi-Operand cache leak. + +Boot log of ACPI operand cache leak is as follows: +>[ 0.464168] ACPI: Added _OSI(Module Device) +>[ 0.467022] ACPI: Added _OSI(Processor Device) +>[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions) +>[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device) +>[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.497683] ACPI: Interpreter enabled +>[ 0.499385] ACPI: (supports S0) +>[ 0.501151] ACPI: Using IOAPIC for interrupt routing +>[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174) +>[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [opcode_name unavailable] (20170303/dswexec-461) +>[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543) +>[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991) +>[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects +>[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26 +>[ 0.526795] Hardware name: innotek gmb_h virtual_box/virtual_box, BIOS virtual_box 12/01/2006 +>[ 0.529668] Call Trace: +>[ 0.530811] ? dump_stack+0x5c/0x81 +>[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0 +>[ 0.533905] ? acpi_os_delete_cache+0xa/0x10 +>[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b +>[ 0.537237] ? acpi_terminate+0xa/0x14 +>[ 0.538701] ? acpi_init+0x2af/0x34f +>[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27 +>[ 0.541593] ? do_one_initcall+0x4e/0x1a0 +>[ 0.543008] ? kernel_init_freeable+0x19e/0x21f +>[ 0.546202] ? rest_init+0x80/0x80 +>[ 0.547513] ? kernel_init+0xa/0x100 +>[ 0.548817] ? ret_from_fork+0x25/0x30 +>[ 0.550587] vgaarb: loaded +>[ 0.551716] EDAC MC: Ver: 3.0.0 +>[ 0.553744] PCI: Probing PCI hardware +>[ 0.555038] PCI host bridge to bus 0000:00 +> ... Continue to boot and log is omitted ... + +I analyzed this memory leak in detail and found acpi_ns_evaluate() function +only removes Info->return_object in AE_CTRL_RETURN_VALUE case. But, when errors +occur, the status value is not AE_CTRL_RETURN_VALUE, and Info->return_object is +also not null. Therefore, this causes acpi operand memory leak. + +This cache leak causes a security threat because an old kernel (<= 4.9) shows +memory locations of kernel functions in stack dump. Some malicious users +could use this information to neutralize kernel ASLR. + +I made a patch to fix ACPI operand cache leak. + +Signed-off-by: Seunghun Han +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/nseval.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/acpica/nseval.c ++++ b/drivers/acpi/acpica/nseval.c +@@ -308,6 +308,14 @@ acpi_status acpi_ns_evaluate(struct acpi + /* Map AE_CTRL_RETURN_VALUE to AE_OK, we are done with it */ + + status = AE_OK; ++ } else if (ACPI_FAILURE(status)) { ++ ++ /* If return_object exists, delete it */ ++ ++ if (info->return_object) { ++ acpi_ut_remove_reference(info->return_object); ++ info->return_object = NULL; ++ } + } + + ACPI_DEBUG_PRINT((ACPI_DB_NAMES, diff --git a/queue-4.14/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch b/queue-4.14/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch new file mode 100644 index 00000000000..e0964e6a408 --- /dev/null +++ b/queue-4.14/acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Erik Schmauss +Date: Wed, 14 Mar 2018 16:13:08 -0700 +Subject: ACPICA: Events: add a return on failure from acpi_hw_register_read + +From: Erik Schmauss + +[ Upstream commit b4c0de312613ca676db5bd7e696a44b56795612a ] + +This ensures that acpi_ev_fixed_event_detect() does not use fixed_status +and and fixed_enable as uninitialized variables. + +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/evevent.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpica/evevent.c ++++ b/drivers/acpi/acpica/evevent.c +@@ -204,6 +204,7 @@ u32 acpi_ev_fixed_event_detect(void) + u32 fixed_status; + u32 fixed_enable; + u32 i; ++ acpi_status status; + + ACPI_FUNCTION_NAME(ev_fixed_event_detect); + +@@ -211,8 +212,12 @@ u32 acpi_ev_fixed_event_detect(void) + * Read the fixed feature status and enable registers, as all the cases + * depend on their values. Ignore errors here. + */ +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); +- (void)acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ status = acpi_hw_register_read(ACPI_REGISTER_PM1_STATUS, &fixed_status); ++ status |= ++ acpi_hw_register_read(ACPI_REGISTER_PM1_ENABLE, &fixed_enable); ++ if (ACPI_FAILURE(status)) { ++ return (int_status); ++ } + + ACPI_DEBUG_PRINT((ACPI_DB_INTERRUPTS, + "Fixed Event Block: Enable %08X Status %08X\n", diff --git a/queue-4.14/acpica-fix-memory-leak-on-unusual-memory-leak.patch b/queue-4.14/acpica-fix-memory-leak-on-unusual-memory-leak.patch new file mode 100644 index 00000000000..fde0a11aa08 --- /dev/null +++ b/queue-4.14/acpica-fix-memory-leak-on-unusual-memory-leak.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bob Moore +Date: Wed, 14 Mar 2018 16:13:01 -0700 +Subject: ACPICA: Fix memory leak on unusual memory leak + +From: Bob Moore + +[ Upstream commit 1c29c372b2d1d2415601041532745ce859f24126 ] + +Fixes a single-object memory leak on a store-to-reference method +invocation. ACPICA BZ 1439. + +Signed-off-by: Bob Moore +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/psargs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/acpi/acpica/psargs.c ++++ b/drivers/acpi/acpica/psargs.c +@@ -890,6 +890,10 @@ acpi_ps_get_next_arg(struct acpi_walk_st + ACPI_POSSIBLE_METHOD_CALL); + + if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) { ++ ++ /* Free method call op and corresponding namestring sub-ob */ ++ ++ acpi_ps_free_op(arg->common.value.arg); + acpi_ps_free_op(arg); + arg = NULL; + walk_state->arg_count = 1; diff --git a/queue-4.14/alsa-vmaster-propagate-slave-error.patch b/queue-4.14/alsa-vmaster-propagate-slave-error.patch new file mode 100644 index 00000000000..fabbbad071f --- /dev/null +++ b/queue-4.14/alsa-vmaster-propagate-slave-error.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Takashi Iwai +Date: Thu, 8 Mar 2018 08:26:48 +0100 +Subject: ALSA: vmaster: Propagate slave error + +From: Takashi Iwai + +[ Upstream commit 2e2c177ca84aff092c3c96714b0f6a12900f3946 ] + +In slave_update() of vmaster code ignores the error from the slave +get() callback and copies the values. It's not only about the missing +error code but also that this may potentially lead to a leak of +uninitialized variables when the slave get() don't clear them. + +This patch fixes slave_update() not to copy the potentially +uninitialized values when an error is returned from the slave get() +callback, and to propagate the error value properly. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/vmaster.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/sound/core/vmaster.c ++++ b/sound/core/vmaster.c +@@ -68,10 +68,13 @@ static int slave_update(struct link_slav + return -ENOMEM; + uctl->id = slave->slave.id; + err = slave->slave.get(&slave->slave, uctl); ++ if (err < 0) ++ goto error; + for (ch = 0; ch < slave->info.count; ch++) + slave->vals[ch] = uctl->value.integer.value[ch]; ++ error: + kfree(uctl); +- return 0; ++ return err < 0 ? err : 0; + } + + /* get the slave ctl info and save the initial values */ diff --git a/queue-4.14/arc-fix-malformed-arc_emul_unaligned-default.patch b/queue-4.14/arc-fix-malformed-arc_emul_unaligned-default.patch new file mode 100644 index 00000000000..08dffdb1919 --- /dev/null +++ b/queue-4.14/arc-fix-malformed-arc_emul_unaligned-default.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ulf Magnusson +Date: Mon, 5 Feb 2018 02:21:31 +0100 +Subject: ARC: Fix malformed ARC_EMUL_UNALIGNED default + +From: Ulf Magnusson + +[ Upstream commit 827cc2fa024dd6517d62de7a44c7b42f32af371b ] + +'default N' should be 'default n', though they happen to have the same +effect here, due to undefined symbols (N in this case) evaluating to n +in a tristate sense. + +Remove the default from ARC_EMUL_UNALIGNED instead of changing it. bool +and tristate symbols implicitly default to n. + +Discovered with the +https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_ulfalizer_Kconfiglib_blob_master_examples_list-5Fundefined.py&d=DwIBAg&c=DPL6_X_6JkXFx7AXWqB0tg&r=c14YS-cH-kdhTOW89KozFhBtBJgs1zXscZojEZQ0THs&m=WxxD8ozR7QQUVzNCBksiznaisBGO_crN7PBOvAoju8s&s=1LmxsNqxwT-7wcInVpZ6Z1J27duZKSoyKxHIJclXU_M&e= +script. + +Signed-off-by: Ulf Magnusson +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/arc/Kconfig ++++ b/arch/arc/Kconfig +@@ -487,7 +487,6 @@ config ARC_CURR_IN_REG + + config ARC_EMUL_UNALIGNED + bool "Emulate unaligned memory access (userspace only)" +- default N + select SYSCTL_ARCH_UNALIGN_NO_WARN + select SYSCTL_ARCH_UNALIGN_ALLOW + depends on ISA_ARCOMPACT diff --git a/queue-4.14/arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch b/queue-4.14/arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch new file mode 100644 index 00000000000..51f03a87b36 --- /dev/null +++ b/queue-4.14/arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch @@ -0,0 +1,122 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eugeniy Paltsev +Date: Fri, 23 Feb 2018 19:41:52 +0300 +Subject: ARC: mcip: halt GFRC counter when ARC cores halt + +From: Eugeniy Paltsev + +[ Upstream commit 07423d00a2b2a71a97e4287d9262cb83c4c4c89f ] + +In SMP systems, GFRC is used for clocksource. However by default the +counter keeps running even when core is halted (say when debugging via a +JTAG debugger). This confuses Linux timekeeping and triggers flase RCU stall +splat such as below: + +| [ARCLinux]# while true; do ./shm_open_23-1.run-test ; done +| Running with 1000 processes for 1000 objects +| hrtimer: interrupt took 485060 ns +| +| create_cnt: 1000 +| Running with 1000 processes for 1000 objects +| [ARCLinux]# INFO: rcu_preempt self-detected stall on CPU +| 2-...: (1 GPs behind) idle=a01/1/0 softirq=135770/135773 fqs=0 +| INFO: rcu_preempt detected stalls on CPUs/tasks: +| 0-...: (1 GPs behind) idle=71e/0/0 softirq=135264/135264 fqs=0 +| 2-...: (1 GPs behind) idle=a01/1/0 softirq=135770/135773 fqs=0 +| 3-...: (1 GPs behind) idle=4e0/0/0 softirq=134304/134304 fqs=0 +| (detected by 1, t=13648 jiffies, g=31493, c=31492, q=1) + +Starting from ARC HS v3.0 it's possible to tie GFRC to state of up-to 4 +ARC cores with help of GFRC's CORE register where we set a mask for +cores which state we need to rely on. + +We update cpu mask every time new cpu came online instead of using +hardcoded one or using mask generated from "possible_cpus" as we +want it set correctly even if we run kernel on HW which has fewer cores +than expected (or we launch kernel via debugger and kick fever cores +than HW has) + +Note that GFRC halts when all cores have halted and thus relies on +programming of Inter-Core-dEbug register to halt all cores when one +halts. + +Signed-off-by: Alexey Brodkin +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +[vgupta: rewrote changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/kernel/mcip.c | 37 +++++++++++++++++++++++++++++++++++++ + include/soc/arc/mcip.h | 3 +++ + 2 files changed, 40 insertions(+) + +--- a/arch/arc/kernel/mcip.c ++++ b/arch/arc/kernel/mcip.c +@@ -22,10 +22,47 @@ static DEFINE_RAW_SPINLOCK(mcip_lock); + + static char smp_cpuinfo_buf[128]; + ++/* ++ * Set mask to halt GFRC if any online core in SMP cluster is halted. ++ * Only works for ARC HS v3.0+, on earlier versions has no effect. ++ */ ++static void mcip_update_gfrc_halt_mask(int cpu) ++{ ++ struct bcr_generic gfrc; ++ unsigned long flags; ++ u32 gfrc_halt_mask; ++ ++ READ_BCR(ARC_REG_GFRC_BUILD, gfrc); ++ ++ /* ++ * CMD_GFRC_SET_CORE and CMD_GFRC_READ_CORE commands were added in ++ * GFRC 0x3 version. ++ */ ++ if (gfrc.ver < 0x3) ++ return; ++ ++ raw_spin_lock_irqsave(&mcip_lock, flags); ++ ++ __mcip_cmd(CMD_GFRC_READ_CORE, 0); ++ gfrc_halt_mask = read_aux_reg(ARC_REG_MCIP_READBACK); ++ gfrc_halt_mask |= BIT(cpu); ++ __mcip_cmd_data(CMD_GFRC_SET_CORE, 0, gfrc_halt_mask); ++ ++ raw_spin_unlock_irqrestore(&mcip_lock, flags); ++} ++ + static void mcip_setup_per_cpu(int cpu) + { ++ struct mcip_bcr mp; ++ ++ READ_BCR(ARC_REG_MCIP_BCR, mp); ++ + smp_ipi_irq_setup(cpu, IPI_IRQ); + smp_ipi_irq_setup(cpu, SOFTIRQ_IRQ); ++ ++ /* Update GFRC halt mask as new CPU came online */ ++ if (mp.gfrc) ++ mcip_update_gfrc_halt_mask(cpu); + } + + static void mcip_ipi_send(int cpu) +--- a/include/soc/arc/mcip.h ++++ b/include/soc/arc/mcip.h +@@ -15,6 +15,7 @@ + + #define ARC_REG_MCIP_BCR 0x0d0 + #define ARC_REG_MCIP_IDU_BCR 0x0D5 ++#define ARC_REG_GFRC_BUILD 0x0D6 + #define ARC_REG_MCIP_CMD 0x600 + #define ARC_REG_MCIP_WDATA 0x601 + #define ARC_REG_MCIP_READBACK 0x602 +@@ -40,6 +41,8 @@ struct mcip_cmd { + + #define CMD_GFRC_READ_LO 0x42 + #define CMD_GFRC_READ_HI 0x43 ++#define CMD_GFRC_SET_CORE 0x47 ++#define CMD_GFRC_READ_CORE 0x48 + + #define CMD_IDU_ENABLE 0x71 + #define CMD_IDU_DISABLE 0x72 diff --git a/queue-4.14/arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch b/queue-4.14/arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch new file mode 100644 index 00000000000..5c271ecbf87 --- /dev/null +++ b/queue-4.14/arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch @@ -0,0 +1,97 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eugeniy Paltsev +Date: Fri, 23 Feb 2018 19:41:53 +0300 +Subject: ARC: mcip: update MCIP debug mask when the new cpu came online + +From: Eugeniy Paltsev + +[ Upstream commit f3205de98db2fc8083796dd5ad81b191e436fab8 ] + +As of today we use hardcoded MCIP debug mask, so if we launch +kernel via debugger and kick fever cores than HW has all cpus +hang at the momemt of setup MCIP debug mask. + +So update MCIP debug mask when the new cpu came online, instead of +use hardcoded MCIP debug mask. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/kernel/mcip.c | 37 ++++++++++++++++++++++++++++++++----- + include/soc/arc/mcip.h | 2 ++ + 2 files changed, 34 insertions(+), 5 deletions(-) + +--- a/arch/arc/kernel/mcip.c ++++ b/arch/arc/kernel/mcip.c +@@ -51,6 +51,34 @@ static void mcip_update_gfrc_halt_mask(i + raw_spin_unlock_irqrestore(&mcip_lock, flags); + } + ++static void mcip_update_debug_halt_mask(int cpu) ++{ ++ u32 mcip_mask = 0; ++ unsigned long flags; ++ ++ raw_spin_lock_irqsave(&mcip_lock, flags); ++ ++ /* ++ * mcip_mask is same for CMD_DEBUG_SET_SELECT and CMD_DEBUG_SET_MASK ++ * commands. So read it once instead of reading both CMD_DEBUG_READ_MASK ++ * and CMD_DEBUG_READ_SELECT. ++ */ ++ __mcip_cmd(CMD_DEBUG_READ_SELECT, 0); ++ mcip_mask = read_aux_reg(ARC_REG_MCIP_READBACK); ++ ++ mcip_mask |= BIT(cpu); ++ ++ __mcip_cmd_data(CMD_DEBUG_SET_SELECT, 0, mcip_mask); ++ /* ++ * Parameter specified halt cause: ++ * STATUS32[H]/actionpoint/breakpoint/self-halt ++ * We choose all of them (0xF). ++ */ ++ __mcip_cmd_data(CMD_DEBUG_SET_MASK, 0xF, mcip_mask); ++ ++ raw_spin_unlock_irqrestore(&mcip_lock, flags); ++} ++ + static void mcip_setup_per_cpu(int cpu) + { + struct mcip_bcr mp; +@@ -63,6 +91,10 @@ static void mcip_setup_per_cpu(int cpu) + /* Update GFRC halt mask as new CPU came online */ + if (mp.gfrc) + mcip_update_gfrc_halt_mask(cpu); ++ ++ /* Update MCIP debug mask as new CPU came online */ ++ if (mp.dbg) ++ mcip_update_debug_halt_mask(cpu); + } + + static void mcip_ipi_send(int cpu) +@@ -138,11 +170,6 @@ static void mcip_probe_n_setup(void) + IS_AVAIL1(mp.gfrc, "GFRC")); + + cpuinfo_arc700[0].extn.gfrc = mp.gfrc; +- +- if (mp.dbg) { +- __mcip_cmd_data(CMD_DEBUG_SET_SELECT, 0, 0xf); +- __mcip_cmd_data(CMD_DEBUG_SET_MASK, 0xf, 0xf); +- } + } + + struct plat_smp_ops plat_smp_ops = { +--- a/include/soc/arc/mcip.h ++++ b/include/soc/arc/mcip.h +@@ -37,7 +37,9 @@ struct mcip_cmd { + #define CMD_SEMA_RELEASE 0x12 + + #define CMD_DEBUG_SET_MASK 0x34 ++#define CMD_DEBUG_READ_MASK 0x35 + #define CMD_DEBUG_SET_SELECT 0x36 ++#define CMD_DEBUG_READ_SELECT 0x37 + + #define CMD_GFRC_READ_LO 0x42 + #define CMD_GFRC_READ_HI 0x43 diff --git a/queue-4.14/arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch b/queue-4.14/arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch new file mode 100644 index 00000000000..d54b4964cd0 --- /dev/null +++ b/queue-4.14/arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch @@ -0,0 +1,108 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eugeniy Paltsev +Date: Fri, 23 Feb 2018 19:41:54 +0300 +Subject: ARC: setup cpu possible mask according to possible-cpus dts property + +From: Eugeniy Paltsev + +[ Upstream commit a29a25275452c97fe35815f1eb9564f2a07a1965 ] + +As we have option in u-boot to set CPU mask for running linux, +we want to pass information to kernel about CPU cores should +be brought up. So we patch kernel dtb in u-boot to set +possible-cpus property. + +This also allows us to have correctly setuped MCIP debug mask. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/kernel/smp.c | 50 ++++++++++++++++++++++++++++++++++++++++---------- + 1 file changed, 40 insertions(+), 10 deletions(-) + +--- a/arch/arc/kernel/smp.c ++++ b/arch/arc/kernel/smp.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -47,6 +48,42 @@ void __init smp_prepare_boot_cpu(void) + { + } + ++static int __init arc_get_cpu_map(const char *name, struct cpumask *cpumask) ++{ ++ unsigned long dt_root = of_get_flat_dt_root(); ++ const char *buf; ++ ++ buf = of_get_flat_dt_prop(dt_root, name, NULL); ++ if (!buf) ++ return -EINVAL; ++ ++ if (cpulist_parse(buf, cpumask)) ++ return -EINVAL; ++ ++ return 0; ++} ++ ++/* ++ * Read from DeviceTree and setup cpu possible mask. If there is no ++ * "possible-cpus" property in DeviceTree pretend all [0..NR_CPUS-1] exist. ++ */ ++static void __init arc_init_cpu_possible(void) ++{ ++ struct cpumask cpumask; ++ ++ if (arc_get_cpu_map("possible-cpus", &cpumask)) { ++ pr_warn("Failed to get possible-cpus from dtb, pretending all %u cpus exist\n", ++ NR_CPUS); ++ ++ cpumask_setall(&cpumask); ++ } ++ ++ if (!cpumask_test_cpu(0, &cpumask)) ++ panic("Master cpu (cpu[0]) is missed in cpu possible mask!"); ++ ++ init_cpu_possible(&cpumask); ++} ++ + /* + * Called from setup_arch() before calling setup_processor() + * +@@ -58,10 +95,7 @@ void __init smp_prepare_boot_cpu(void) + */ + void __init smp_init_cpus(void) + { +- unsigned int i; +- +- for (i = 0; i < NR_CPUS; i++) +- set_cpu_possible(i, true); ++ arc_init_cpu_possible(); + + if (plat_smp_ops.init_early_smp) + plat_smp_ops.init_early_smp(); +@@ -70,16 +104,12 @@ void __init smp_init_cpus(void) + /* called from init ( ) => process 1 */ + void __init smp_prepare_cpus(unsigned int max_cpus) + { +- int i; +- + /* + * if platform didn't set the present map already, do it now + * boot cpu is set to present already by init/main.c + */ +- if (num_present_cpus() <= 1) { +- for (i = 0; i < max_cpus; i++) +- set_cpu_present(i, true); +- } ++ if (num_present_cpus() <= 1) ++ init_cpu_present(cpu_possible_mask); + } + + void __init smp_cpus_done(unsigned int max_cpus) diff --git a/queue-4.14/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch b/queue-4.14/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch new file mode 100644 index 00000000000..5dbdb7684ca --- /dev/null +++ b/queue-4.14/arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch @@ -0,0 +1,89 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jinbum Park +Date: Tue, 6 Mar 2018 01:37:21 +0100 +Subject: ARM: 8748/1: mm: Define vdso_start, vdso_end as array + +From: Jinbum Park + +[ Upstream commit 73b9160d0dfe44dfdaffd6465dc1224c38a4a73c ] + +Define vdso_start, vdso_end as array to avoid compile-time analysis error +for the case of built with CONFIG_FORTIFY_SOURCE. + +and, since vdso_start, vdso_end are used in vdso.c only, +move extern-declaration from vdso.h to vdso.c. + +If kernel is built with CONFIG_FORTIFY_SOURCE, +compile-time error happens at this code. +- if (memcmp(&vdso_start, "177ELF", 4)) + +The size of "&vdso_start" is recognized as 1 byte, but n is 4, +So that compile-time error is reported. + +Acked-by: Kees Cook +Signed-off-by: Jinbum Park +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/vdso.h | 2 -- + arch/arm/kernel/vdso.c | 12 +++++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +--- a/arch/arm/include/asm/vdso.h ++++ b/arch/arm/include/asm/vdso.h +@@ -12,8 +12,6 @@ struct mm_struct; + + void arm_install_vdso(struct mm_struct *mm, unsigned long addr); + +-extern char vdso_start, vdso_end; +- + extern unsigned int vdso_total_pages; + + #else /* CONFIG_VDSO */ +--- a/arch/arm/kernel/vdso.c ++++ b/arch/arm/kernel/vdso.c +@@ -39,6 +39,8 @@ + + static struct page **vdso_text_pagelist; + ++extern char vdso_start[], vdso_end[]; ++ + /* Total number of pages needed for the data and text portions of the VDSO. */ + unsigned int vdso_total_pages __ro_after_init; + +@@ -197,13 +199,13 @@ static int __init vdso_init(void) + unsigned int text_pages; + int i; + +- if (memcmp(&vdso_start, "\177ELF", 4)) { ++ if (memcmp(vdso_start, "\177ELF", 4)) { + pr_err("VDSO is not a valid ELF object!\n"); + return -ENOEXEC; + } + +- text_pages = (&vdso_end - &vdso_start) >> PAGE_SHIFT; +- pr_debug("vdso: %i text pages at base %p\n", text_pages, &vdso_start); ++ text_pages = (vdso_end - vdso_start) >> PAGE_SHIFT; ++ pr_debug("vdso: %i text pages at base %p\n", text_pages, vdso_start); + + /* Allocate the VDSO text pagelist */ + vdso_text_pagelist = kcalloc(text_pages, sizeof(struct page *), +@@ -218,7 +220,7 @@ static int __init vdso_init(void) + for (i = 0; i < text_pages; i++) { + struct page *page; + +- page = virt_to_page(&vdso_start + i * PAGE_SIZE); ++ page = virt_to_page(vdso_start + i * PAGE_SIZE); + vdso_text_pagelist[i] = page; + } + +@@ -229,7 +231,7 @@ static int __init vdso_init(void) + + cntvct_ok = cntvct_functional(); + +- patch_vdso(&vdso_start); ++ patch_vdso(vdso_start); + + return 0; + } diff --git a/queue-4.14/arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch b/queue-4.14/arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch new file mode 100644 index 00000000000..07807dd640e --- /dev/null +++ b/queue-4.14/arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bartosz Golaszewski +Date: Thu, 1 Mar 2018 11:34:48 +0100 +Subject: ARM: davinci: fix the GPIO lookup for omapl138-hawk + +From: Bartosz Golaszewski + +[ Upstream commit c4dc56be7e26040bfc60ce73425353516a356955 ] + +The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that +mmc can correctly lookup the wp and cp gpios. + +Note that it is the gpio-davinci driver that sets the gpiochip label to +davinci_gpio.0. + +Fixes: c69f43fb4f26 ("ARM: davinci: hawk: use gpio descriptor for mmc pins") +Signed-off-by: Bartosz Golaszewski +[nsekhar@ti.com: add a note on where the chip label is set] +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-omapl138-hawk.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-davinci/board-omapl138-hawk.c ++++ b/arch/arm/mach-davinci/board-omapl138-hawk.c +@@ -127,8 +127,8 @@ static struct gpiod_lookup_table mmc_gpi + .dev_id = "da830-mmc.0", + .table = { + /* CD: gpio3_12: gpio60: chip 1 contains gpio range 32-63*/ +- GPIO_LOOKUP("davinci_gpio.1", 28, "cd", GPIO_ACTIVE_LOW), +- GPIO_LOOKUP("davinci_gpio.1", 29, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", 28, "cd", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", 29, "wp", GPIO_ACTIVE_LOW), + }, + }; + diff --git a/queue-4.14/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch b/queue-4.14/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch new file mode 100644 index 00000000000..fb924be252c --- /dev/null +++ b/queue-4.14/arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Peter Rosin +Date: Tue, 16 Jan 2018 17:06:18 +0100 +Subject: ARM: dts: at91: tse850: use the correct compatible for the eeprom + +From: Peter Rosin + +[ Upstream commit 7981190fb5dd710dea08c2613cee3d05e795ca5e ] + +The used part does contain an eeprom compatible with an Atmel 24c02 +chip and it is from NXP, but it is not called 24c02. It's actually a +se97b chip. Adjust the compatible accordingly. + +Fixes: 21dd0ece34c2 ("ARM: dts: at91: add devicetree for the Axentia TSE-850") +Signed-off-by: Peter Rosin +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/at91-tse850-3.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/at91-tse850-3.dts ++++ b/arch/arm/boot/dts/at91-tse850-3.dts +@@ -245,7 +245,7 @@ + }; + + eeprom@50 { +- compatible = "nxp,24c02", "atmel,24c02"; ++ compatible = "nxp,se97b", "atmel,24c02"; + reg = <0x50>; + pagesize = <16>; + }; diff --git a/queue-4.14/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch b/queue-4.14/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch new file mode 100644 index 00000000000..dfa2172de45 --- /dev/null +++ b/queue-4.14/arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Henry Zhang +Date: Wed, 17 Jan 2018 18:41:33 -0800 +Subject: ARM: dts: bcm283x: Fix pin function of JTAG pins + +From: Henry Zhang + +[ Upstream commit 1a012cb2569f2031b3636232c3ab21c20c92d281 ] + +BCM2835 ARM Peripherals doc shows gpio pins 4, 5, 6, 12 and 13 +carry altenate function, ALT5 for ARM JTAG + +Fixes: 21ff843931b2 ("ARM: dts: bcm283x: Define standard pinctrl groups in the gpio node.") + +Signed-off-by: Henry Zhang +Acked-by: Stefan Wahren +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -251,7 +251,7 @@ + + jtag_gpio4: jtag_gpio4 { + brcm,pins = <4 5 6 12 13>; +- brcm,function = ; ++ brcm,function = ; + }; + jtag_gpio22: jtag_gpio22 { + brcm,pins = <22 23 24 25 26 27>; diff --git a/queue-4.14/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch b/queue-4.14/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch new file mode 100644 index 00000000000..bf4f03e6382 --- /dev/null +++ b/queue-4.14/arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefan Wahren +Date: Fri, 16 Feb 2018 11:55:34 +0100 +Subject: ARM: dts: bcm283x: Fix probing of bcm2835-i2s + +From: Stefan Wahren + +[ Upstream commit 79c81facdc0b43b1cef37b8d5689a8c8b78f8be0 ] + +Since 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +the bcm2835-i2s requires a clock as DT property. Unfortunately +the necessary DT change has never been applied. While we are at it +also fix the first PCM register range to cover the PCM_GRAY register. + +Fixes: 517e7a1537a ("ASoC: bcm2835: move to use the clock framework") +Signed-off-by: Stefan Wahren +Reviewed-by: Eric Anholt +Tested-by: Matthias Reichl +Signed-off-by: Eric Anholt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm283x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm283x.dtsi ++++ b/arch/arm/boot/dts/bcm283x.dtsi +@@ -396,8 +396,8 @@ + + i2s: i2s@7e203000 { + compatible = "brcm,bcm2835-i2s"; +- reg = <0x7e203000 0x20>, +- <0x7e101098 0x02>; ++ reg = <0x7e203000 0x24>; ++ clocks = <&clocks BCM2835_CLOCK_PCM>; + + dmas = <&dma 2>, + <&dma 3>; diff --git a/queue-4.14/arm-dts-bcm283x-fix-unit-address-of-local_intc.patch b/queue-4.14/arm-dts-bcm283x-fix-unit-address-of-local_intc.patch new file mode 100644 index 00000000000..bf25b64e031 --- /dev/null +++ b/queue-4.14/arm-dts-bcm283x-fix-unit-address-of-local_intc.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefan Wahren +Date: Sat, 24 Feb 2018 15:15:21 +0100 +Subject: ARM: dts: bcm283x: Fix unit address of local_intc + +From: Stefan Wahren + +[ Upstream commit 808b7de86a0c19582a7efce4c80d6b4e1da7f370 ] + +This patch fixes the following DTC warning (requires W=1): +Node /soc/local_intc simple-bus unit address format error, expected "40000000" + +Signed-off-by: Stefan Wahren +Reviewed-by: Eric Anholt +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm2836.dtsi | 2 +- + arch/arm/boot/dts/bcm2837.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm2836.dtsi ++++ b/arch/arm/boot/dts/bcm2836.dtsi +@@ -9,7 +9,7 @@ + <0x40000000 0x40000000 0x00001000>; + dma-ranges = <0xc0000000 0x00000000 0x3f000000>; + +- local_intc: local_intc { ++ local_intc: local_intc@40000000 { + compatible = "brcm,bcm2836-l1-intc"; + reg = <0x40000000 0x100>; + interrupt-controller; +--- a/arch/arm/boot/dts/bcm2837.dtsi ++++ b/arch/arm/boot/dts/bcm2837.dtsi +@@ -8,7 +8,7 @@ + <0x40000000 0x40000000 0x00001000>; + dma-ranges = <0xc0000000 0x00000000 0x3f000000>; + +- local_intc: local_intc { ++ local_intc: local_intc@40000000 { + compatible = "brcm,bcm2836-l1-intc"; + reg = <0x40000000 0x100>; + interrupt-controller; diff --git a/queue-4.14/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch b/queue-4.14/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch new file mode 100644 index 00000000000..22462e0fcd8 --- /dev/null +++ b/queue-4.14/arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ravikumar Kattekola +Date: Tue, 6 Feb 2018 18:28:02 +0530 +Subject: ARM: dts: dra71-evm: Correct evm_sd regulator max voltage + +From: Ravikumar Kattekola + +[ Upstream commit f4aa1bd5b4fc80f5f4ecd184caad832fd62c25f7 ] + +Correct vpo_sd_1v8_3v3 regulator max voltage to 3.3V + +Fixes: 9868bc585ae2 ("ARM: dts: Add support for dra718-evm") +Signed-off-by: Ravikumar Kattekola +Signed-off-by: Sekhar Nori +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra71-evm.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra71-evm.dts ++++ b/arch/arm/boot/dts/dra71-evm.dts +@@ -24,13 +24,13 @@ + + regulator-name = "vddshv8"; + regulator-min-microvolt = <1800000>; +- regulator-max-microvolt = <3000000>; ++ regulator-max-microvolt = <3300000>; + regulator-boot-on; + vin-supply = <&evm_5v0>; + + gpios = <&gpio7 11 GPIO_ACTIVE_HIGH>; + states = <1800000 0x0 +- 3000000 0x1>; ++ 3300000 0x1>; + }; + + evm_1v8_sw: fixedregulator-evm_1v8 { diff --git a/queue-4.14/arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch b/queue-4.14/arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch new file mode 100644 index 00000000000..eb5c488cfc1 --- /dev/null +++ b/queue-4.14/arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shyam Saini +Date: Tue, 20 Feb 2018 18:08:08 +0530 +Subject: ARM: dts: imx6dl: Include correct dtsi file for Engicam i.CoreM6 DualLite/Solo RQS + +From: Shyam Saini + +[ Upstream commit c0c6bb2322964bd264b4ddedaa5776f40c709f0c ] + +This patch fixes the wrongly included dtsi file which +was breaking mainline support for Engicam i.CoreM6 DualLite/Solo RQS. + +As per the board name, the correct file should be imx6dl.dtsi instead +of imx6q.dtsi + +Reported-by: Michael Trimarchi +Suggested-by: Jagan Teki +Signed-off-by: Shyam Saini +Reviewed-by: Fabio Estevam +Fixes: 7a9caba55a61 ("ARM: dts: imx6dl: Add Engicam i.CoreM6 DualLite/Solo RQS initial support") +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6dl-icore-rqs.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6dl-icore-rqs.dts ++++ b/arch/arm/boot/dts/imx6dl-icore-rqs.dts +@@ -42,7 +42,7 @@ + + /dts-v1/; + +-#include "imx6q.dtsi" ++#include "imx6dl.dtsi" + #include "imx6qdl-icore-rqs.dtsi" + + / { diff --git a/queue-4.14/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch b/queue-4.14/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch new file mode 100644 index 00000000000..0b3ef85d03c --- /dev/null +++ b/queue-4.14/arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch @@ -0,0 +1,87 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Aapo Vienamo +Date: Wed, 31 Jan 2018 14:34:07 +0000 +Subject: ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet + +From: Aapo Vienamo + +[ Upstream commit 2bada7ac1fdcbf79a9689bd2ff65fa515ca7a31f ] + +The missing last digit of the CONFIG values is added. Looks like a typo +of some sort when comparing to the downstream dt. This fixes +intermittent behavior behaviour of the ethernet controllers. + +Signed-off-by: Aapo Vienamo +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 ++++++++++++++++---------------- + 1 file changed, 26 insertions(+), 26 deletions(-) + +--- a/arch/arm/boot/dts/imx7d-cl-som-imx7.dts ++++ b/arch/arm/boot/dts/imx7d-cl-som-imx7.dts +@@ -213,37 +213,37 @@ + &iomuxc { + pinctrl_enet1: enet1grp { + fsl,pins = < +- MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x3 +- MX7D_PAD_SD2_WP__ENET1_MDC 0x3 +- MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x1 +- MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x1 +- MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x1 +- MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x1 +- MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x1 +- MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x1 +- MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x1 +- MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x1 +- MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x1 +- MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x1 +- MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x1 +- MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x1 ++ MX7D_PAD_SD2_CD_B__ENET1_MDIO 0x30 ++ MX7D_PAD_SD2_WP__ENET1_MDC 0x30 ++ MX7D_PAD_ENET1_RGMII_TXC__ENET1_RGMII_TXC 0x11 ++ MX7D_PAD_ENET1_RGMII_TD0__ENET1_RGMII_TD0 0x11 ++ MX7D_PAD_ENET1_RGMII_TD1__ENET1_RGMII_TD1 0x11 ++ MX7D_PAD_ENET1_RGMII_TD2__ENET1_RGMII_TD2 0x11 ++ MX7D_PAD_ENET1_RGMII_TD3__ENET1_RGMII_TD3 0x11 ++ MX7D_PAD_ENET1_RGMII_TX_CTL__ENET1_RGMII_TX_CTL 0x11 ++ MX7D_PAD_ENET1_RGMII_RXC__ENET1_RGMII_RXC 0x11 ++ MX7D_PAD_ENET1_RGMII_RD0__ENET1_RGMII_RD0 0x11 ++ MX7D_PAD_ENET1_RGMII_RD1__ENET1_RGMII_RD1 0x11 ++ MX7D_PAD_ENET1_RGMII_RD2__ENET1_RGMII_RD2 0x11 ++ MX7D_PAD_ENET1_RGMII_RD3__ENET1_RGMII_RD3 0x11 ++ MX7D_PAD_ENET1_RGMII_RX_CTL__ENET1_RGMII_RX_CTL 0x11 + >; + }; + + pinctrl_enet2: enet2grp { + fsl,pins = < +- MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x1 +- MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x1 +- MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x1 +- MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x1 +- MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x1 +- MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x1 +- MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x1 +- MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x1 +- MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x1 +- MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x1 +- MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x1 +- MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x1 ++ MX7D_PAD_EPDC_GDSP__ENET2_RGMII_TXC 0x11 ++ MX7D_PAD_EPDC_SDCE2__ENET2_RGMII_TD0 0x11 ++ MX7D_PAD_EPDC_SDCE3__ENET2_RGMII_TD1 0x11 ++ MX7D_PAD_EPDC_GDCLK__ENET2_RGMII_TD2 0x11 ++ MX7D_PAD_EPDC_GDOE__ENET2_RGMII_TD3 0x11 ++ MX7D_PAD_EPDC_GDRL__ENET2_RGMII_TX_CTL 0x11 ++ MX7D_PAD_EPDC_SDCE1__ENET2_RGMII_RXC 0x11 ++ MX7D_PAD_EPDC_SDCLK__ENET2_RGMII_RD0 0x11 ++ MX7D_PAD_EPDC_SDLE__ENET2_RGMII_RD1 0x11 ++ MX7D_PAD_EPDC_SDOE__ENET2_RGMII_RD2 0x11 ++ MX7D_PAD_EPDC_SDSHR__ENET2_RGMII_RD3 0x11 ++ MX7D_PAD_EPDC_SDCE0__ENET2_RGMII_RX_CTL 0x11 + >; + }; + diff --git a/queue-4.14/arm-dts-ls1021a-specify-tbipa-register-address.patch b/queue-4.14/arm-dts-ls1021a-specify-tbipa-register-address.patch new file mode 100644 index 00000000000..daece7cd6ba --- /dev/null +++ b/queue-4.14/arm-dts-ls1021a-specify-tbipa-register-address.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Esben Haabendal +Date: Fri, 6 Apr 2018 14:46:35 +0200 +Subject: ARM: dts: ls1021a: Specify TBIPA register address + +From: Esben Haabendal + +[ Upstream commit 5571196135abb6d51e01592812997403c136067c ] + +The current (mildly evil) fsl_pq_mdio code uses an undocumented shadow of +the TBIPA register on LS1021A, which happens to be read-only. +Changing TBI PHY address therefore does not work on LS1021A. + +The real (and documented) address of the TBIPA registere lies in the eTSEC +block and not in MDIO/MII, which is read/write, so using that fixes +the problem. + +Signed-off-by: Esben Haabendal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -565,7 +565,8 @@ + device_type = "mdio"; + #address-cells = <1>; + #size-cells = <0>; +- reg = <0x0 0x2d24000 0x0 0x4000>; ++ reg = <0x0 0x2d24000 0x0 0x4000>, ++ <0x0 0x2d10030 0x0 0x4>; + }; + + ptp_clock@2d10e00 { diff --git a/queue-4.14/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch b/queue-4.14/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch new file mode 100644 index 00000000000..0dea7ed5910 --- /dev/null +++ b/queue-4.14/arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Fainelli +Date: Mon, 26 Feb 2018 17:00:35 -0800 +Subject: ARM: dts: NSP: Fix amount of RAM on BCM958625HR + +From: Florian Fainelli + +[ Upstream commit 0a5aff64f20d92c5a6e9aeed7b5950b0b817bcd9 ] + +Jon attempted to fix the amount of RAM on the BCM958625HR in commit +c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board") +but it seems like we tripped over some poorly documented schematics. + +The top-level page of the schematics says the board has 2GB, but when +you end-up scrolling to page 6, you see two chips of 4GBit (512MB) but +what the bootloader really initializes only 512MB, any attempt to use +more than that results in data aborts. Fix this again back to 512MB. + +Fixes: c53beb47f621 ("ARM: dts: NSP: Correct RAM amount for BCM958625HR board") +Acked-by: Jon Mason +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm958625hr.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm958625hr.dts ++++ b/arch/arm/boot/dts/bcm958625hr.dts +@@ -49,7 +49,7 @@ + + memory { + device_type = "memory"; +- reg = <0x60000000 0x80000000>; ++ reg = <0x60000000 0x20000000>; + }; + + gpio-restart { diff --git a/queue-4.14/arm-dts-porter-fix-hdmi-output-routing.patch b/queue-4.14/arm-dts-porter-fix-hdmi-output-routing.patch new file mode 100644 index 00000000000..b30ace90708 --- /dev/null +++ b/queue-4.14/arm-dts-porter-fix-hdmi-output-routing.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Laurent Pinchart +Date: Sat, 13 Jan 2018 01:14:23 +0200 +Subject: ARM: dts: porter: Fix HDMI output routing + +From: Laurent Pinchart + +[ Upstream commit d4b78db6ac3e084e2bdc57d5518bd247c727f396 ] + +The HDMI encoder is connected to the RGB output of the DU, which is +port@0, not port@1. Fix the incorrect DT description. + +Fixes: c5af8a4248d3 ("ARM: dts: porter: add DU DT support") +Signed-off-by: Laurent Pinchart +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7791-porter.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/r8a7791-porter.dts ++++ b/arch/arm/boot/dts/r8a7791-porter.dts +@@ -427,7 +427,7 @@ + "dclkin.0", "dclkin.1"; + + ports { +- port@1 { ++ port@0 { + endpoint { + remote-endpoint = <&adv7511_in>; + }; diff --git a/queue-4.14/arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch b/queue-4.14/arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch new file mode 100644 index 00000000000..31b5fa74ffe --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Rob Herring +Date: Thu, 1 Mar 2018 14:25:35 -0600 +Subject: ARM: dts: rockchip: Add missing #sound-dai-cells on rk3288 + +From: Rob Herring + +[ Upstream commit 4e943a890cef42e90f43ce6be64728a290b97c55 ] + +dtc now gives the following warning: + +arch/arm/boot/dts/rk3288-tinker.dtb: Warning (sound_dai_property): /sound/simple-audio-card,codec: Missing property '#sound-dai-cells' in node /hdmi@ff980000 or bad phandle (referred from sound-dai[0]) + +Add the missing #sound-dai-cells property. + +Cc: Heiko Stuebner +Cc: linux-rockchip@lists.infradead.org +Signed-off-by: Rob Herring +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/rk3288.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/rk3288.dtsi ++++ b/arch/arm/boot/dts/rk3288.dtsi +@@ -927,6 +927,7 @@ + i2s: i2s@ff890000 { + compatible = "rockchip,rk3288-i2s", "rockchip,rk3066-i2s"; + reg = <0x0 0xff890000 0x0 0x10000>; ++ #sound-dai-cells = <0>; + interrupts = ; + #address-cells = <1>; + #size-cells = <0>; +@@ -1122,6 +1123,7 @@ + compatible = "rockchip,rk3288-dw-hdmi"; + reg = <0x0 0xff980000 0x0 0x20000>; + reg-io-width = <4>; ++ #sound-dai-cells = <0>; + rockchip,grf = <&grf>; + interrupts = ; + clocks = <&cru PCLK_HDMI_CTRL>, <&cru SCLK_HDMI_HDCP>; diff --git a/queue-4.14/arm-dts-rockchip-fix-dwmmc-clocks.patch b/queue-4.14/arm-dts-rockchip-fix-dwmmc-clocks.patch new file mode 100644 index 00000000000..ad07003156c --- /dev/null +++ b/queue-4.14/arm-dts-rockchip-fix-dwmmc-clocks.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Robin Murphy +Date: Thu, 15 Feb 2018 14:05:54 +0000 +Subject: ARM: dts: rockchip: Fix DWMMC clocks + +From: Robin Murphy + +[ Upstream commit e78c637127ee7683d606737f2e62b5da6fd7b1c3 ] + +Trying to boot an RK3328 box with an HS200-capable eMMC, I see said eMMC +fail to initialise as it can't run its tuning procedure, because the +sample clock is missing. Upon closer inspection, whilst the clock is +present in the DT, its name is subtly incorrect per the binding, so +__of_clk_get_by_name() never finds it. By inspection, the drive clock +suffers from a similar problem, so has never worked properly either. + +This error has propagated across the 32-bit DTs too, so fix those up. + +Fixes: 187d7967a5ee ("ARM: dts: rockchip: add the sdio/sdmmc node for rk3036") +Fixes: faea098e1808 ("ARM: dts: rockchip: add core rk3036 dtsi") +Fixes: 9848ebeb952d ("ARM: dts: rockchip: add core rk3228 dtsi") +Signed-off-by: Robin Murphy +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/rk3036.dtsi | 4 ++-- + arch/arm/boot/dts/rk322x.dtsi | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/rk3036.dtsi ++++ b/arch/arm/boot/dts/rk3036.dtsi +@@ -261,7 +261,7 @@ + max-frequency = <37500000>; + clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>, + <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + interrupts = ; + resets = <&cru SRST_SDIO>; +@@ -279,7 +279,7 @@ + max-frequency = <37500000>; + clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>, + <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + default-sample-phase = <158>; + disable-wp; + dmas = <&pdma 12>; +--- a/arch/arm/boot/dts/rk322x.dtsi ++++ b/arch/arm/boot/dts/rk322x.dtsi +@@ -600,7 +600,7 @@ + interrupts = ; + clocks = <&cru HCLK_SDMMC>, <&cru SCLK_SDMMC>, + <&cru SCLK_SDMMC_DRV>, <&cru SCLK_SDMMC_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + pinctrl-names = "default"; + pinctrl-0 = <&sdmmc_clk &sdmmc_cmd &sdmmc_bus4>; +@@ -613,7 +613,7 @@ + interrupts = ; + clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>, + <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + pinctrl-names = "default"; + pinctrl-0 = <&sdio_clk &sdio_cmd &sdio_bus4>; +@@ -628,7 +628,7 @@ + max-frequency = <37500000>; + clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>, + <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + bus-width = <8>; + default-sample-phase = <158>; + fifo-depth = <0x100>; diff --git a/queue-4.14/arm-dts-socfpga-fix-gic-ppi-warning.patch b/queue-4.14/arm-dts-socfpga-fix-gic-ppi-warning.patch new file mode 100644 index 00000000000..01ac87a3480 --- /dev/null +++ b/queue-4.14/arm-dts-socfpga-fix-gic-ppi-warning.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Philipp Puschmann +Date: Fri, 23 Mar 2018 10:22:15 +0100 +Subject: arm: dts: socfpga: fix GIC PPI warning + +From: Philipp Puschmann + +[ Upstream commit 6d97d5aba08b26108f95dc9fb7bbe4d9436c769c ] + +Fixes the warning "GIC: PPI13 is secure or misconfigured" by +changing the interrupt type from level_low to edge_raising + +Signed-off-by: Philipp Puschmann +Signed-off-by: Dinh Nguyen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/socfpga.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/socfpga.dtsi ++++ b/arch/arm/boot/dts/socfpga.dtsi +@@ -827,7 +827,7 @@ + timer@fffec600 { + compatible = "arm,cortex-a9-twd-timer"; + reg = <0xfffec600 0x100>; +- interrupts = <1 13 0xf04>; ++ interrupts = <1 13 0xf01>; + clocks = <&mpu_periph_clk>; + }; + diff --git a/queue-4.14/arm-omap-fix-dmtimer-init-for-omap1.patch b/queue-4.14/arm-omap-fix-dmtimer-init-for-omap1.patch new file mode 100644 index 00000000000..03479644b3c --- /dev/null +++ b/queue-4.14/arm-omap-fix-dmtimer-init-for-omap1.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tony Lindgren +Date: Thu, 22 Feb 2018 10:02:49 -0800 +Subject: ARM: OMAP: Fix dmtimer init for omap1 + +From: Tony Lindgren + +[ Upstream commit ba6887836178d43b3665b9da075c2c5dfe1d207c ] + +We need to enable PM runtime on omap1 also as otherwise we +will get errors: + +omap_timer omap_timer.1: omap_dm_timer_probe: pm_runtime_get_sync failed! +omap_timer: probe of omap_timer.1 failed with error -13 +... + +We are checking for OMAP_TIMER_NEEDS_RESET flag elsewhere so this is +safe to do. + +Cc: Aaro Koskinen +Cc: Keerthy +Cc: Ladislav Michl +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/plat-omap/dmtimer.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/arch/arm/plat-omap/dmtimer.c ++++ b/arch/arm/plat-omap/dmtimer.c +@@ -890,11 +890,8 @@ static int omap_dm_timer_probe(struct pl + timer->irq = irq->start; + timer->pdev = pdev; + +- /* Skip pm_runtime_enable for OMAP1 */ +- if (!(timer->capability & OMAP_TIMER_NEEDS_RESET)) { +- pm_runtime_enable(dev); +- pm_runtime_irq_safe(dev); +- } ++ pm_runtime_enable(dev); ++ pm_runtime_irq_safe(dev); + + if (!timer->reserved) { + ret = pm_runtime_get_sync(dev); diff --git a/queue-4.14/arm-omap1-clock-fix-debugfs_create_-usage.patch b/queue-4.14/arm-omap1-clock-fix-debugfs_create_-usage.patch new file mode 100644 index 00000000000..6b104b736e9 --- /dev/null +++ b/queue-4.14/arm-omap1-clock-fix-debugfs_create_-usage.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Geert Uytterhoeven +Date: Tue, 2 Jan 2018 16:25:35 +0100 +Subject: ARM: OMAP1: clock: Fix debugfs_create_*() usage + +From: Geert Uytterhoeven + +[ Upstream commit 8cbbf1745dcde7ba7e423dc70619d223de90fd43 ] + +When exposing data access through debugfs, the correct +debugfs_create_*() functions must be used, depending on data type. + +Remove all casts from data pointers passed to debugfs_create_*() +functions, as such casts prevent the compiler from flagging bugs. + +Correct all wrong usage: + - clk.rate is unsigned long, not u32, + - clk.flags is u8, not u32, which exposed the successive + clk.rate_offset and clk.src_offset fields. + +Signed-off-by: Geert Uytterhoeven +Acked-by: Aaro Koskinen +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/clock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-omap1/clock.c ++++ b/arch/arm/mach-omap1/clock.c +@@ -1011,17 +1011,17 @@ static int clk_debugfs_register_one(stru + return -ENOMEM; + c->dent = d; + +- d = debugfs_create_u8("usecount", S_IRUGO, c->dent, (u8 *)&c->usecount); ++ d = debugfs_create_u8("usecount", S_IRUGO, c->dent, &c->usecount); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_u32("rate", S_IRUGO, c->dent, (u32 *)&c->rate); ++ d = debugfs_create_ulong("rate", S_IRUGO, c->dent, &c->rate); + if (!d) { + err = -ENOMEM; + goto err_out; + } +- d = debugfs_create_x32("flags", S_IRUGO, c->dent, (u32 *)&c->flags); ++ d = debugfs_create_x8("flags", S_IRUGO, c->dent, &c->flags); + if (!d) { + err = -ENOMEM; + goto err_out; diff --git a/queue-4.14/arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch b/queue-4.14/arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch new file mode 100644 index 00000000000..eba2bbfbb4a --- /dev/null +++ b/queue-4.14/arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tony Lindgren +Date: Fri, 9 Feb 2018 09:35:56 -0800 +Subject: ARM: OMAP2+: Fix sar_base inititalization for HS omaps + +From: Tony Lindgren + +[ Upstream commit fe27f16794f313f5fc16f6d2f42d8c2b2f4d70cc ] + +HS omaps use irq_save_secure_context() instead of irq_save_context() +so sar_base will never get initialized and irq_sar_clear() gets called +with a wrong address for HS omaps from irq_restore_context(). + +Starting with commit f4b9f40ae95b ("ARM: OMAP4+: Initialize SAR RAM +base early for proper CPU1 reset for kexec") we have it available, +and this ideally would been fixed with that commit already. + +Fixes: f4b9f40ae95b ("ARM: OMAP4+: Initialize SAR RAM base early for +proper CPU1 reset for kexec") +Cc: Andrew F. Davis +Cc: Dave Gerlach +Cc: Keerthy +Cc: Santosh Shilimkar +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap-wakeupgen.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/omap-wakeupgen.c ++++ b/arch/arm/mach-omap2/omap-wakeupgen.c +@@ -299,8 +299,6 @@ static void irq_save_context(void) + if (soc_is_dra7xx()) + return; + +- if (!sar_base) +- sar_base = omap4_get_sar_ram_base(); + if (wakeupgen_ops && wakeupgen_ops->save_context) + wakeupgen_ops->save_context(); + } +@@ -598,6 +596,8 @@ static int __init wakeupgen_init(struct + irq_hotplug_init(); + irq_pm_init(); + ++ sar_base = omap4_get_sar_ram_base(); ++ + return 0; + } + IRQCHIP_DECLARE(ti_wakeupgen, "ti,omap4-wugen-mpu", wakeupgen_init); diff --git a/queue-4.14/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch b/queue-4.14/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch new file mode 100644 index 00000000000..73fcd0e5386 --- /dev/null +++ b/queue-4.14/arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Qi Hou +Date: Thu, 11 Jan 2018 12:54:43 +0800 +Subject: ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt + +From: Qi Hou + +[ Upstream commit db35340c536f1af0108ec9a0b2126a05d358d14a ] + +When more than one GP timers are used as kernel system timers and the +corresponding nodes in device-tree are marked with the same "disabled" +property, then the "attr" field of the property will be initialized +more than once as the property being added to sys file system via +__of_add_property_sysfs(). + +In __of_add_property_sysfs(), the "name" field of pp->attr.attr is set +directly to the return value of safe_name(), without taking care of +whether it's already a valid pointer to a memory block. If it is, its +old value will always be overwritten by the new one and the memory block +allocated before will a "ghost", then a kmemleak happened. + +That the same "disabled" property being added to different nodes of device +tree would cause that kind of kmemleak overhead, at least once. + +To fix it, allocate the property dynamically, and delete static one. + +Signed-off-by: Qi Hou +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/timer.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -156,12 +156,6 @@ static struct clock_event_device clockev + .tick_resume = omap2_gp_timer_shutdown, + }; + +-static struct property device_disabled = { +- .name = "status", +- .length = sizeof("disabled"), +- .value = "disabled", +-}; +- + static const struct of_device_id omap_timer_match[] __initconst = { + { .compatible = "ti,omap2420-timer", }, + { .compatible = "ti,omap3430-timer", }, +@@ -203,8 +197,17 @@ static struct device_node * __init omap_ + of_get_property(np, "ti,timer-secure", NULL))) + continue; + +- if (!of_device_is_compatible(np, "ti,omap-counter32k")) +- of_add_property(np, &device_disabled); ++ if (!of_device_is_compatible(np, "ti,omap-counter32k")) { ++ struct property *prop; ++ ++ prop = kzalloc(sizeof(*prop), GFP_KERNEL); ++ if (!prop) ++ return NULL; ++ prop->name = "status"; ++ prop->value = "disabled"; ++ prop->length = strlen(prop->value); ++ of_add_property(np, prop); ++ } + return np; + } + diff --git a/queue-4.14/arm-omap3-fix-prm-wake-interrupt-for-resume.patch b/queue-4.14/arm-omap3-fix-prm-wake-interrupt-for-resume.patch new file mode 100644 index 00000000000..7233aa68f1d --- /dev/null +++ b/queue-4.14/arm-omap3-fix-prm-wake-interrupt-for-resume.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tony Lindgren +Date: Fri, 9 Feb 2018 08:15:53 -0800 +Subject: ARM: OMAP3: Fix prm wake interrupt for resume + +From: Tony Lindgren + +[ Upstream commit d3be6d2a08bd26580562d9714d3d97ea9ba22c73 ] + +For platform_suspend_ops, the finish call is too late to re-enable wake +irqs and we need re-enable wake irqs on wake call instead. + +Otherwise noirq resume for devices has already happened. And then +dev_pm_disarm_wake_irq() has already disabled the dedicated wake irqs +when the interrupt triggers and the wake irq is never handled. + +For devices that are already in PM runtime suspended state when we +enter suspend this means that a possible wake irq will never trigger. + +And this can lead into a situation where a device has a pending padconf +wake irq, and the device will stay unresponsive to any further wake +irqs. + +This issue can be easily reproduced by setting serial console log level +to zero, letting the serial console idle, and suspend the system from +an ssh terminal. Then try to wake up the system by typing to the serial +console. + +Note that this affects only omap3 PRM interrupt as that's currently +the only omap variant that does anything in omap_pm_wake(). + +In general, for the wake irqs to work, the interrupt must have either +IRQF_NO_SUSPEND or IRQF_EARLY_RESUME set for it to trigger before +dev_pm_disarm_wake_irq() disables the wake irqs. + +Reported-by: Grygorii Strashko +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/pm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/pm.c ++++ b/arch/arm/mach-omap2/pm.c +@@ -186,7 +186,7 @@ static void omap_pm_end(void) + cpu_idle_poll_ctrl(false); + } + +-static void omap_pm_finish(void) ++static void omap_pm_wake(void) + { + if (soc_is_omap34xx()) + omap_prcm_irq_complete(); +@@ -196,7 +196,7 @@ static const struct platform_suspend_ops + .begin = omap_pm_begin, + .end = omap_pm_end, + .enter = omap_pm_enter, +- .finish = omap_pm_finish, ++ .wake = omap_pm_wake, + .valid = suspend_valid_only_mem, + }; + diff --git a/queue-4.14/arm-orion5x-revert-commit-4904dbda41c8.patch b/queue-4.14/arm-orion5x-revert-commit-4904dbda41c8.patch new file mode 100644 index 00000000000..8b3bc1d973f --- /dev/null +++ b/queue-4.14/arm-orion5x-revert-commit-4904dbda41c8.patch @@ -0,0 +1,201 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "David S. Miller" +Date: Mon, 26 Feb 2018 13:41:47 -0500 +Subject: ARM: orion5x: Revert commit 4904dbda41c8. + +From: "David S. Miller" + +[ Upstream commit 13a55372b64e00e564a08d785ca87bd9d454ba30 ] + +It is not valid for orion5x to use mac_pton(). + +First of all, the orion5x buffer is not NULL terminated. mac_pton() +has no business operating on non-NULL terminated buffers because +only the caller can know that this is valid and in what manner it +is ok to parse this NULL'less buffer. + +Second of all, orion5x operates on an __iomem pointer, which cannot +be dereferenced using normal C pointer operations. Accesses to +such areas much be performed with the proper iomem accessors. + +Fixes: 4904dbda41c8 ("ARM: orion5x: use mac_pton() helper") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-orion5x/Kconfig | 3 - + arch/arm/mach-orion5x/dns323-setup.c | 53 +++++++++++++++++++++++++++++++++-- + arch/arm/mach-orion5x/tsx09-common.c | 49 +++++++++++++++++++++++++++++--- + 3 files changed, 95 insertions(+), 10 deletions(-) + +--- a/arch/arm/mach-orion5x/Kconfig ++++ b/arch/arm/mach-orion5x/Kconfig +@@ -58,7 +58,6 @@ config MACH_KUROBOX_PRO + + config MACH_DNS323 + bool "D-Link DNS-323" +- select GENERIC_NET_UTILS + select I2C_BOARDINFO if I2C + help + Say 'Y' here if you want your kernel to support the +@@ -66,7 +65,6 @@ config MACH_DNS323 + + config MACH_TS209 + bool "QNAP TS-109/TS-209" +- select GENERIC_NET_UTILS + help + Say 'Y' here if you want your kernel to support the + QNAP TS-109/TS-209 platform. +@@ -101,7 +99,6 @@ config MACH_LINKSTATION_LS_HGL + + config MACH_TS409 + bool "QNAP TS-409" +- select GENERIC_NET_UTILS + help + Say 'Y' here if you want your kernel to support the + QNAP TS-409 platform. +--- a/arch/arm/mach-orion5x/dns323-setup.c ++++ b/arch/arm/mach-orion5x/dns323-setup.c +@@ -173,10 +173,42 @@ static struct mv643xx_eth_platform_data + .phy_addr = MV643XX_ETH_PHY_ADDR(8), + }; + ++/* dns323_parse_hex_*() taken from tsx09-common.c; should a common copy of these ++ * functions be kept somewhere? ++ */ ++static int __init dns323_parse_hex_nibble(char n) ++{ ++ if (n >= '0' && n <= '9') ++ return n - '0'; ++ ++ if (n >= 'A' && n <= 'F') ++ return n - 'A' + 10; ++ ++ if (n >= 'a' && n <= 'f') ++ return n - 'a' + 10; ++ ++ return -1; ++} ++ ++static int __init dns323_parse_hex_byte(const char *b) ++{ ++ int hi; ++ int lo; ++ ++ hi = dns323_parse_hex_nibble(b[0]); ++ lo = dns323_parse_hex_nibble(b[1]); ++ ++ if (hi < 0 || lo < 0) ++ return -1; ++ ++ return (hi << 4) | lo; ++} ++ + static int __init dns323_read_mac_addr(void) + { + u_int8_t addr[6]; +- void __iomem *mac_page; ++ int i; ++ char *mac_page; + + /* MAC address is stored as a regular ol' string in /dev/mtdblock4 + * (0x007d0000-0x00800000) starting at offset 196480 (0x2ff80). +@@ -185,8 +217,23 @@ static int __init dns323_read_mac_addr(v + if (!mac_page) + return -ENOMEM; + +- if (!mac_pton((__force const char *) mac_page, addr)) +- goto error_fail; ++ /* Sanity check the string we're looking at */ ++ for (i = 0; i < 5; i++) { ++ if (*(mac_page + (i * 3) + 2) != ':') { ++ goto error_fail; ++ } ++ } ++ ++ for (i = 0; i < 6; i++) { ++ int byte; ++ ++ byte = dns323_parse_hex_byte(mac_page + (i * 3)); ++ if (byte < 0) { ++ goto error_fail; ++ } ++ ++ addr[i] = byte; ++ } + + iounmap(mac_page); + printk("DNS-323: Found ethernet MAC address: %pM\n", addr); +--- a/arch/arm/mach-orion5x/tsx09-common.c ++++ b/arch/arm/mach-orion5x/tsx09-common.c +@@ -53,12 +53,53 @@ struct mv643xx_eth_platform_data qnap_ts + .phy_addr = MV643XX_ETH_PHY_ADDR(8), + }; + ++static int __init qnap_tsx09_parse_hex_nibble(char n) ++{ ++ if (n >= '0' && n <= '9') ++ return n - '0'; ++ ++ if (n >= 'A' && n <= 'F') ++ return n - 'A' + 10; ++ ++ if (n >= 'a' && n <= 'f') ++ return n - 'a' + 10; ++ ++ return -1; ++} ++ ++static int __init qnap_tsx09_parse_hex_byte(const char *b) ++{ ++ int hi; ++ int lo; ++ ++ hi = qnap_tsx09_parse_hex_nibble(b[0]); ++ lo = qnap_tsx09_parse_hex_nibble(b[1]); ++ ++ if (hi < 0 || lo < 0) ++ return -1; ++ ++ return (hi << 4) | lo; ++} ++ + static int __init qnap_tsx09_check_mac_addr(const char *addr_str) + { + u_int8_t addr[6]; ++ int i; + +- if (!mac_pton(addr_str, addr)) +- return -1; ++ for (i = 0; i < 6; i++) { ++ int byte; ++ ++ /* ++ * Enforce "xx:xx:xx:xx:xx:xx\n" format. ++ */ ++ if (addr_str[(i * 3) + 2] != ((i < 5) ? ':' : '\n')) ++ return -1; ++ ++ byte = qnap_tsx09_parse_hex_byte(addr_str + (i * 3)); ++ if (byte < 0) ++ return -1; ++ addr[i] = byte; ++ } + + printk(KERN_INFO "tsx09: found ethernet mac address %pM\n", addr); + +@@ -77,12 +118,12 @@ void __init qnap_tsx09_find_mac_addr(u32 + unsigned long addr; + + for (addr = mem_base; addr < (mem_base + size); addr += 1024) { +- void __iomem *nor_page; ++ char *nor_page; + int ret = 0; + + nor_page = ioremap(addr, 1024); + if (nor_page != NULL) { +- ret = qnap_tsx09_check_mac_addr((__force const char *)nor_page); ++ ret = qnap_tsx09_check_mac_addr(nor_page); + iounmap(nor_page); + } + diff --git a/queue-4.14/arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch b/queue-4.14/arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch new file mode 100644 index 00000000000..b3f8aa25bfe --- /dev/null +++ b/queue-4.14/arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Rob Herring +Date: Thu, 1 Feb 2018 15:32:40 -0600 +Subject: arm64: dts: cavium: fix PCI bus dtc warnings + +From: Rob Herring + +[ Upstream commit e2c8d283c4e2f468bed1bcfedb80b670b1bc8ab1 ] + +dtc recently added PCI bus checks. Fix these warnings: + +arch/arm64/boot/dts/cavium/thunder2-99xx.dtb: Warning (pci_bridge): Node /pci missing bus-range for PCI bridge +arch/arm64/boot/dts/cavium/thunder2-99xx.dtb: Warning (unit_address_vs_reg): Node /pci has a reg or ranges property, but no unit name + +Signed-off-by: Rob Herring +Cc: Jayachandran C +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi ++++ b/arch/arm64/boot/dts/cavium/thunder2-99xx.dtsi +@@ -98,7 +98,7 @@ + clock-output-names = "clk125mhz"; + }; + +- pci { ++ pcie@30000000 { + compatible = "pci-host-ecam-generic"; + device_type = "pci"; + #interrupt-cells = <1>; +@@ -118,6 +118,7 @@ + ranges = + <0x02000000 0 0x40000000 0 0x40000000 0 0x20000000 + 0x43000000 0x40 0x00000000 0x40 0x00000000 0x20 0x00000000>; ++ bus-range = <0 0xff>; + interrupt-map-mask = <0 0 0 7>; + interrupt-map = + /* addr pin ic icaddr icintr */ diff --git a/queue-4.14/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch b/queue-4.14/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch new file mode 100644 index 00000000000..62d923b720d --- /dev/null +++ b/queue-4.14/arm64-dts-qcom-fix-spi5-config-on-msm8996.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ilia Lin +Date: Tue, 23 Jan 2018 09:36:18 +0200 +Subject: arm64: dts: qcom: Fix SPI5 config on MSM8996 + +From: Ilia Lin + +[ Upstream commit e723795c702b52cfceb3bb3faa63059eb4658313 ] + +Set correct clocks and interrupt values. +Fixes the incorrect SPI master configuration. This is +mandatory to make the SPI5 interface functional. + +Signed-off-by: Ilia Lin +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi +@@ -484,8 +484,8 @@ + blsp2_spi5: spi@075ba000{ + compatible = "qcom,spi-qup-v2.2.1"; + reg = <0x075ba000 0x600>; +- interrupts = ; +- clocks = <&gcc GCC_BLSP2_QUP5_SPI_APPS_CLK>, ++ interrupts = ; ++ clocks = <&gcc GCC_BLSP2_QUP6_SPI_APPS_CLK>, + <&gcc GCC_BLSP2_AHB_CLK>; + clock-names = "core", "iface"; + pinctrl-names = "default", "sleep"; diff --git a/queue-4.14/arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch b/queue-4.14/arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch new file mode 100644 index 00000000000..4ed3a342a60 --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shawn Lin +Date: Fri, 9 Feb 2018 16:51:48 +0800 +Subject: arm64: dts: rockchip: correct ep-gpios for rk3399-sapphire + +From: Shawn Lin + +[ Upstream commit 2b7d2ed1af2e2c0c90a1a8b97926b7b6c6cb03ed ] + +The endpoint control gpio for rk3399-sapphire boards is gpio2_a4, +so correct it now. + +Signed-off-by: Shawn Lin +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-sapphire.dtsi +@@ -457,7 +457,7 @@ + assigned-clocks = <&cru SCLK_PCIEPHY_REF>; + assigned-clock-parents = <&cru SCLK_PCIEPHY_REF100M>; + assigned-clock-rates = <100000000>; +- ep-gpios = <&gpio3 RK_PB5 GPIO_ACTIVE_HIGH>; ++ ep-gpios = <&gpio2 RK_PA4 GPIO_ACTIVE_HIGH>; + num-lanes = <4>; + pinctrl-names = "default"; + pinctrl-0 = <&pcie_clkreqn_cpm>; diff --git a/queue-4.14/arm64-dts-rockchip-fix-dwmmc-clocks.patch b/queue-4.14/arm64-dts-rockchip-fix-dwmmc-clocks.patch new file mode 100644 index 00000000000..0a369b4e211 --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-fix-dwmmc-clocks.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Robin Murphy +Date: Thu, 15 Feb 2018 14:05:53 +0000 +Subject: arm64: dts: rockchip: Fix DWMMC clocks + +From: Robin Murphy + +[ Upstream commit ca9eee95a2decc6f60bed65b5b836a26bff825c1 ] + +Trying to boot an RK3328 box with an HS200-capable eMMC, I see said eMMC +fail to initialise as it can't run its tuning procedure, because the +sample clock is missing. Upon closer inspection, whilst the clock is +present in the DT, its name is subtly incorrect per the binding, so +__of_clk_get_by_name() never finds it. By inspection, the drive clock +suffers from a similar problem, so has never worked properly either. + +Fix up all instances of the incorrect clock names across the 64-bit DTs. + +Fixes: d717f7352ec6 ("arm64: dts: rockchip: add sdmmc/sdio/emmc nodes for RK3328 SoCs") +Fixes: b790c2cab5ca ("arm64: dts: add Rockchip rk3368 core dtsi and board dts for the r88 board") +Signed-off-by: Robin Murphy +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3328.dtsi | 6 +++--- + arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 +- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3328.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3328.dtsi +@@ -683,7 +683,7 @@ + interrupts = ; + clocks = <&cru HCLK_SDMMC>, <&cru SCLK_SDMMC>, + <&cru SCLK_SDMMC_DRV>, <&cru SCLK_SDMMC_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + status = "disabled"; + }; +@@ -694,7 +694,7 @@ + interrupts = ; + clocks = <&cru HCLK_SDIO>, <&cru SCLK_SDIO>, + <&cru SCLK_SDIO_DRV>, <&cru SCLK_SDIO_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + status = "disabled"; + }; +@@ -705,7 +705,7 @@ + interrupts = ; + clocks = <&cru HCLK_EMMC>, <&cru SCLK_EMMC>, + <&cru SCLK_EMMC_DRV>, <&cru SCLK_EMMC_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + status = "disabled"; + }; +--- a/arch/arm64/boot/dts/rockchip/rk3368.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3368.dtsi +@@ -257,7 +257,7 @@ + max-frequency = <150000000>; + clocks = <&cru HCLK_SDIO0>, <&cru SCLK_SDIO0>, + <&cru SCLK_SDIO0_DRV>, <&cru SCLK_SDIO0_SAMPLE>; +- clock-names = "biu", "ciu", "ciu_drv", "ciu_sample"; ++ clock-names = "biu", "ciu", "ciu-drive", "ciu-sample"; + fifo-depth = <0x100>; + interrupts = ; + resets = <&cru SRST_SDIO0>; diff --git a/queue-4.14/arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch b/queue-4.14/arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch new file mode 100644 index 00000000000..05074f2a35b --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch @@ -0,0 +1,112 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Douglas Anderson +Date: Tue, 27 Feb 2018 12:47:11 -0800 +Subject: arm64: dts: rockchip: Fix rk3399-gru-* s2r (pinctrl hogs, wifi reset) + +From: Douglas Anderson + +[ Upstream commit 2560da49de5d0cfec22e9564023aebfffa094732 ] + +Back in the early days when gru devices were still under development +we found an issue where the WiFi reset line needed to be configured as +early as possible during the boot process to avoid the WiFi module +being in a bad state. + +We found that the way to get the kernel to do this in the earliest +possible place was to configure this line in the pinctrl hogs, so +that's what we did. For some history here you can see +. After the time that change landed in +the kernel, we landed a firmware change to configure this line even +earlier. See . However, even after the +firmware change landed we kept the kernel change to deal with the fact +that some people working on devices might take a little while to +update their firmware. + +At this there are definitely zero devices out in the wild that have +firmware without the fix in it. Specifically looking in the firmware +branch several critically important fixes for memory stability landed +after the patch in coreboot and I know we didn't ship without those. +Thus, by now, everyone should have the new firmware and it's safe to +not have the kernel set this up in a pinctrl hog. + +Historically, even though it wasn't needed to have this in a pinctrl +hog, we still kept it since it didn't hurt. Pinctrl would apply the +default hog at bootup and then would never touch things again. That +all changed with commit 981ed1bfbc6c ("pinctrl: Really force states +during suspend/resume"). After that commit then we'll re-apply the +default hog at resume time and that can screw up the reset state of +WiFi. ...and on rk3399 if you touch a device on PCIe in the wrong way +then the whole system can go haywire. That's what was happening. +Specifically you'd resume a rk3399-gru-* device and it would mostly +resume, then would crash with some crazy weird crash. + +One could say, perhaps, that the recent pinctrl change was at fault +(and should be fixed) since it changed behavior. ...but that's not +really true. The device tree for rk3399-gru is really to blame. +Specifically since the pinctrl is defined in the hog and not in the +"wlan-pd-n" node then the actual user of this pin doesn't have a +pinctrl entry for it. That's bad. + +Let's fix our problems by just moving the control of +"wlan_module_reset_l pinctrl" out of the hog and put them in the +proper place. + +NOTE: in theory, I think it should actually be possible to have a pin +controlled _both_ by the hog and by an actual device. Once the device +claims the pin I think the hog is supposed to let go. I'm not 100% +sure that this works and in any case this solution would be more +complex than is necessary. + +Reported-by: Marc Zyngier +Fixes: 48f4d9796d99 ("arm64: dts: rockchip: add Gru/Kevin DTS") +Fixes: 981ed1bfbc6c ("pinctrl: Really force states during suspend/resume") +Signed-off-by: Douglas Anderson +Tested-by: Enric Balletbo i Serra +Tested-by: Marc Zyngier +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi ++++ b/arch/arm64/boot/dts/rockchip/rk3399-gru.dtsi +@@ -406,8 +406,9 @@ + wlan_pd_n: wlan-pd-n { + compatible = "regulator-fixed"; + regulator-name = "wlan_pd_n"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&wlan_module_reset_l>; + +- /* Note the wlan_module_reset_l pinctrl */ + enable-active-high; + gpio = <&gpio1 11 GPIO_ACTIVE_HIGH>; + +@@ -940,12 +941,6 @@ ap_i2c_audio: &i2c8 { + pinctrl-0 = < + &ap_pwroff /* AP will auto-assert this when in S3 */ + &clk_32k /* This pin is always 32k on gru boards */ +- +- /* +- * We want this driven low ASAP; firmware should help us, but +- * we can help ourselves too. +- */ +- &wlan_module_reset_l + >; + + pcfg_output_low: pcfg-output-low { +@@ -1125,12 +1120,7 @@ ap_i2c_audio: &i2c8 { + }; + + wlan_module_reset_l: wlan-module-reset-l { +- /* +- * We want this driven low ASAP (As {Soon,Strongly} As +- * Possible), to avoid leakage through the powered-down +- * WiFi. +- */ +- rockchip,pins = <1 11 RK_FUNC_GPIO &pcfg_output_low>; ++ rockchip,pins = <1 11 RK_FUNC_GPIO &pcfg_pull_none>; + }; + + bt_host_wake_l: bt-host-wake-l { diff --git a/queue-4.14/arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch b/queue-4.14/arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch new file mode 100644 index 00000000000..6c3dc01aac8 --- /dev/null +++ b/queue-4.14/arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kamil Trzciński" +Date: Mon, 22 Jan 2018 18:46:22 +0100 +Subject: arm64: dts: rockchip: fix rock64 gmac2io stability issues + +From: "Kamil Trzciński" + +[ Upstream commit 73e42e18669934fa96cf2bb54291da54177076d7 ] + +This commit enables thresh dma mode as this forces to disable checksuming, +and chooses delay values which make the interface stable. + +These changes are needed, because ROCK64 is faced with two problems: +1. tx checksuming does not work with packets larger than 1498, +2. the default delays for tx/rx are not stable when using 1Gbps connection. + +Delays were found out with: +https://github.com/ayufan-rock64/linux-build/tree/master/recipes/gmac-delays-test + +Signed-off-by: Kamil Trzciński +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/rockchip/rk3328-rock64.dts | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/rockchip/rk3328-rock64.dts ++++ b/arch/arm64/boot/dts/rockchip/rk3328-rock64.dts +@@ -136,11 +136,12 @@ + phy-mode = "rgmii"; + pinctrl-names = "default"; + pinctrl-0 = <&rgmiim1_pins>; ++ snps,force_thresh_dma_mode; + snps,reset-gpio = <&gpio1 RK_PC2 GPIO_ACTIVE_LOW>; + snps,reset-active-low; + snps,reset-delays-us = <0 10000 50000>; +- tx_delay = <0x26>; +- rx_delay = <0x11>; ++ tx_delay = <0x24>; ++ rx_delay = <0x18>; + status = "okay"; + }; + diff --git a/queue-4.14/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch b/queue-4.14/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch new file mode 100644 index 00000000000..e063d2e76a8 --- /dev/null +++ b/queue-4.14/arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch @@ -0,0 +1,125 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Pratyush Anand +Date: Mon, 5 Feb 2018 14:28:01 +0100 +Subject: arm64: fix unwind_frame() for filtered out fn for function graph tracing + +From: Pratyush Anand + +[ Upstream commit 9f416319f40cd857d2bb517630e5855a905ef3fb ] + +do_task_stat() calls get_wchan(), which further does unwind_frame(). +unwind_frame() restores frame->pc to original value in case function +graph tracer has modified a return address (LR) in a stack frame to hook +a function return. However, if function graph tracer has hit a filtered +function, then we can't unwind it as ftrace_push_return_trace() has +biased the index(frame->graph) with a 'huge negative' +offset(-FTRACE_NOTRACE_DEPTH). + +Moreover, arm64 stack walker defines index(frame->graph) as unsigned +int, which can not compare a -ve number. + +Similar problem we can have with calling of walk_stackframe() from +save_stack_trace_tsk() or dump_backtrace(). + +This patch fixes unwind_frame() to test the index for -ve value and +restore index accordingly before we can restore frame->pc. + +Reproducer: + +cd /sys/kernel/debug/tracing/ +echo schedule > set_graph_notrace +echo 1 > options/display-graph +echo wakeup > current_tracer +ps -ef | grep -i agent + +Above commands result in: +Unable to handle kernel paging request at virtual address ffff801bd3d1e000 +pgd = ffff8003cbe97c00 +[ffff801bd3d1e000] *pgd=0000000000000000, *pud=0000000000000000 +Internal error: Oops: 96000006 [#1] SMP +[...] +CPU: 5 PID: 11696 Comm: ps Not tainted 4.11.0+ #33 +[...] +task: ffff8003c21ba000 task.stack: ffff8003cc6c0000 +PC is at unwind_frame+0x12c/0x180 +LR is at get_wchan+0xd4/0x134 +pc : [] lr : [] pstate: 60000145 +sp : ffff8003cc6c3ab0 +x29: ffff8003cc6c3ab0 x28: 0000000000000001 +x27: 0000000000000026 x26: 0000000000000026 +x25: 00000000000012d8 x24: 0000000000000000 +x23: ffff8003c1c04000 x22: ffff000008c83000 +x21: ffff8003c1c00000 x20: 000000000000000f +x19: ffff8003c1bc0000 x18: 0000fffffc593690 +x17: 0000000000000000 x16: 0000000000000001 +x15: 0000b855670e2b60 x14: 0003e97f22cf1d0f +x13: 0000000000000001 x12: 0000000000000000 +x11: 00000000e8f4883e x10: 0000000154f47ec8 +x9 : 0000000070f367c0 x8 : 0000000000000000 +x7 : 00008003f7290000 x6 : 0000000000000018 +x5 : 0000000000000000 x4 : ffff8003c1c03cb0 +x3 : ffff8003c1c03ca0 x2 : 00000017ffe80000 +x1 : ffff8003cc6c3af8 x0 : ffff8003d3e9e000 + +Process ps (pid: 11696, stack limit = 0xffff8003cc6c0000) +Stack: (0xffff8003cc6c3ab0 to 0xffff8003cc6c4000) +[...] +[] unwind_frame+0x12c/0x180 +[] do_task_stat+0x864/0x870 +[] proc_tgid_stat+0x3c/0x48 +[] proc_single_show+0x5c/0xb8 +[] seq_read+0x160/0x414 +[] __vfs_read+0x58/0x164 +[] vfs_read+0x88/0x144 +[] SyS_read+0x60/0xc0 +[] __sys_trace_return+0x0/0x4 + +Fixes: 20380bb390a4 (arm64: ftrace: fix a stack tracer's output under function graph tracer) +Signed-off-by: Pratyush Anand +Signed-off-by: Jerome Marchand +[catalin.marinas@arm.com: replace WARN_ON with WARN_ON_ONCE] +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/stacktrace.h | 2 +- + arch/arm64/kernel/stacktrace.c | 5 +++++ + arch/arm64/kernel/time.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm64/include/asm/stacktrace.h ++++ b/arch/arm64/include/asm/stacktrace.h +@@ -27,7 +27,7 @@ struct stackframe { + unsigned long fp; + unsigned long pc; + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +- unsigned int graph; ++ int graph; + #endif + }; + +--- a/arch/arm64/kernel/stacktrace.c ++++ b/arch/arm64/kernel/stacktrace.c +@@ -59,6 +59,11 @@ int notrace unwind_frame(struct task_str + #ifdef CONFIG_FUNCTION_GRAPH_TRACER + if (tsk->ret_stack && + (frame->pc == (unsigned long)return_to_handler)) { ++ if (WARN_ON_ONCE(frame->graph == -1)) ++ return -EINVAL; ++ if (frame->graph < -1) ++ frame->graph += FTRACE_NOTRACE_DEPTH; ++ + /* + * This is a case where function graph tracer has + * modified a return address (LR) in a stack frame +--- a/arch/arm64/kernel/time.c ++++ b/arch/arm64/kernel/time.c +@@ -52,7 +52,7 @@ unsigned long profile_pc(struct pt_regs + frame.fp = regs->regs[29]; + frame.pc = regs->pc; + #ifdef CONFIG_FUNCTION_GRAPH_TRACER +- frame.graph = -1; /* no task info */ ++ frame.graph = current->curr_ret_stack; + #endif + do { + int ret = unwind_frame(NULL, &frame); diff --git a/queue-4.14/arm64-perf-correct-pmuver-probing.patch b/queue-4.14/arm64-perf-correct-pmuver-probing.patch new file mode 100644 index 00000000000..9927852d7a0 --- /dev/null +++ b/queue-4.14/arm64-perf-correct-pmuver-probing.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mark Rutland +Date: Wed, 14 Feb 2018 17:21:57 +0000 +Subject: arm64: perf: correct PMUVer probing + +From: Mark Rutland + +[ Upstream commit 0331365edb1d6ccd6ae68b1038111da85d4c68d1 ] + +The ID_AA64DFR0_EL1.PMUVer field doesn't follow the usual ID registers +scheme. While value 0xf indicates a non-architected PMU is implemented, +values 0x1 to 0xe indicate an increasingly featureful architected PMU, +as if the field were unsigned. + +For more details, see ARM DDI 0487C.a, D10.1.4, "Alternative ID scheme +used for the Performance Monitors Extension version". + +Currently, we treat the field as signed, and erroneously bail out for +values 0x8 to 0xe. Let's correct that. + +Signed-off-by: Mark Rutland +Reviewed-by: Robin Murphy +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/perf_event.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -914,9 +914,9 @@ static void __armv8pmu_probe_pmu(void *i + int pmuver; + + dfr0 = read_sysreg(id_aa64dfr0_el1); +- pmuver = cpuid_feature_extract_signed_field(dfr0, ++ pmuver = cpuid_feature_extract_unsigned_field(dfr0, + ID_AA64DFR0_PMUVER_SHIFT); +- if (pmuver < 1) ++ if (pmuver == 0xf || pmuver == 0) + return; + + probe->present = true; diff --git a/queue-4.14/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch b/queue-4.14/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch new file mode 100644 index 00000000000..a95c73045be --- /dev/null +++ b/queue-4.14/arm64-relax-arm_smccc_arch_workaround_1-discovery.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Marc Zyngier +Date: Fri, 9 Mar 2018 15:40:50 +0000 +Subject: arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery + +From: Marc Zyngier + +[ Upstream commit e21da1c992007594d391e7b301779cf30f438691 ] + +A recent update to the ARM SMCCC ARCH_WORKAROUND_1 specification +allows firmware to return a non zero, positive value to describe +that although the mitigation is implemented at the higher exception +level, the CPU on which the call is made is not affected. + +Let's relax the check on the return value from ARCH_WORKAROUND_1 +so that we only error out if the returned value is negative. + +Fixes: b092201e0020 ("arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support") +Signed-off-by: Marc Zyngier +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/cpu_errata.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -178,7 +178,7 @@ static int enable_smccc_arch_workaround_ + case PSCI_CONDUIT_HVC: + arm_smccc_1_1_hvc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, + ARM_SMCCC_ARCH_WORKAROUND_1, &res); +- if (res.a0) ++ if ((int)res.a0 < 0) + return 0; + cb = call_hvc_arch_workaround_1; + smccc_start = __smccc_workaround_1_hvc_start; +@@ -188,7 +188,7 @@ static int enable_smccc_arch_workaround_ + case PSCI_CONDUIT_SMC: + arm_smccc_1_1_smc(ARM_SMCCC_ARCH_FEATURES_FUNC_ID, + ARM_SMCCC_ARCH_WORKAROUND_1, &res); +- if (res.a0) ++ if ((int)res.a0 < 0) + return 0; + cb = call_smc_arch_workaround_1; + smccc_start = __smccc_workaround_1_smc_start; diff --git a/queue-4.14/ath10k-advertize-beacon_int_min_gcd.patch b/queue-4.14/ath10k-advertize-beacon_int_min_gcd.patch new file mode 100644 index 00000000000..3e1ead86ec1 --- /dev/null +++ b/queue-4.14/ath10k-advertize-beacon_int_min_gcd.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Anilkumar Kolli +Date: Wed, 28 Mar 2018 12:19:40 +0300 +Subject: ath10k: advertize beacon_int_min_gcd + +From: Anilkumar Kolli + +[ Upstream commit 8ebee73b574ad3dd1f14d461f65ceaffbd637650 ] + +This patch fixes regression caused by 0c317a02ca98 +("cfg80211: support virtual interfaces with different beacon intervals"), +with this change cfg80211 expects the driver to advertize +'beacon_int_min_gcd' to support different beacon intervals in multivap +scenario. This support is added for, QCA988X/QCA99X0/QCA9984/QCA4019. + +Verifed AP + mesh bring up on QCA9984 with beacon interval 100msec and +1000msec respectively. +Frimware: firmware-5.bin_10.4-3.5.3-00053 + +Fixes: 0c317a02ca98 ("cfg80211: support virtual interfaces with different beacon intervals") +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7810,6 +7810,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 8, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | +@@ -7933,6 +7934,7 @@ static const struct ieee80211_iface_comb + .max_interfaces = 16, + .num_different_channels = 1, + .beacon_int_infra_match = true, ++ .beacon_int_min_gcd = 1, + #ifdef CONFIG_ATH10K_DFS_CERTIFIED + .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | + BIT(NL80211_CHAN_WIDTH_20) | diff --git a/queue-4.14/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch b/queue-4.14/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch new file mode 100644 index 00000000000..0f3c86e47bb --- /dev/null +++ b/queue-4.14/ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch @@ -0,0 +1,104 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Karthikeyan Periyasamy +Date: Mon, 12 Mar 2018 17:09:40 +0530 +Subject: ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) + +From: Karthikeyan Periyasamy + +[ Upstream commit 8b2d93dd22615cb7f3046a5a2083a6f8bb8052ed ] + +When attempt to run worker (ath10k_sta_rc_update_wk) after the station object +(ieee80211_sta) delete will trigger the kernel panic. + +This problem arise in AP + Mesh configuration, Where the current node AP VAP +and neighbor node mesh VAP MAC address are same. When the current mesh node +try to establish the mesh link with neighbor node, driver peer creation for +the neighbor mesh node fails due to duplication MAC address. Already the AP +VAP created with same MAC address. + +It is caused by the following scenario steps. + +Steps: +1. In above condition, ath10k driver sta_state callback (ath10k_sta_state) + fails to do the state change for a station from IEEE80211_STA_NOTEXIST + to IEEE80211_STA_NONE due to peer creation fails. Sta_state callback is + called from ieee80211_add_station() to handle the new station + (neighbor mesh node) request from the wpa_supplicant. +2. Concurrently ath10k receive the sta_rc_update callback notification from + the mesh_neighbour_update() to handle the beacon frames of the above + neighbor mesh node. since its atomic callback, ath10k driver queue the + work (ath10k_sta_rc_update_wk) to handle rc update. +3. Due to driver sta_state callback fails (step 1), mac80211 free the station + object. +4. When the worker (ath10k_sta_rc_update_wk) scheduled to run, it will access + the station object which is already deleted. so it will trigger kernel + panic. + +Added the peer exist check in sta_rc_update callback before queue the work. + +Kernel Panic log: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0204000 +[00000000] *pgd=00000000 +Internal error: Oops: 17 [#1] PREEMPT SMP ARM +CPU: 1 PID: 1833 Comm: kworker/u4:2 Not tainted 3.14.77 #1 +task: dcef0000 ti: d72b6000 task.ti: d72b6000 +PC is at pwq_activate_delayed_work+0x10/0x40 +LR is at pwq_activate_delayed_work+0xc/0x40 +pc : [] lr : [] psr: 40000193 +sp : d72b7f18 ip : 0000007a fp : d72b6000 +r10: 00000000 r9 : dd404414 r8 : d8c31998 +r7 : d72b6038 r6 : 00000004 r5 : d4907ec8 r4 : dcee1300 +r3 : ffffffe0 r2 : 00000000 r1 : 00000001 r0 : 00000000 +Flags: nZcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 10c5787d Table: 595bc06a DAC: 00000015 +... +Process kworker/u4:2 (pid: 1833, stack limit = 0xd72b6238) +Stack: (0xd72b7f18 to 0xd72b8000) +7f00: 00000001 dcee1300 +7f20: 00000001 c02410dc d8c31980 dd404400 dd404400 c0242790 d8c31980 00000089 +7f40: 00000000 d93e1340 00000000 d8c31980 c0242568 00000000 00000000 00000000 +7f60: 00000000 c02474dc 00000000 00000000 000000f8 d8c31980 00000000 00000000 +7f80: d72b7f80 d72b7f80 00000000 00000000 d72b7f90 d72b7f90 d72b7fac d93e1340 +7fa0: c0247404 00000000 00000000 c0208d20 00000000 00000000 00000000 00000000 +7fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +7fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 +[] (pwq_activate_delayed_work) from [] (pwq_dec_nr_in_flight+0x58/0xc4) +[] (pwq_dec_nr_in_flight) from [] (worker_thread+0x228/0x360) +[] (worker_thread) from [] (kthread+0xd8/0xec) +[] (kthread) from [] (ret_from_fork+0x14/0x34) +Code: e92d4038 e1a05000 ebffffbc[69210.619376] SMP: failed to stop secondary CPUs +Rebooting in 3 seconds.. + +Signed-off-by: Karthikeyan Periyasamy +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -7059,10 +7059,20 @@ static void ath10k_sta_rc_update(struct + { + struct ath10k *ar = hw->priv; + struct ath10k_sta *arsta = (struct ath10k_sta *)sta->drv_priv; ++ struct ath10k_vif *arvif = (void *)vif->drv_priv; ++ struct ath10k_peer *peer; + u32 bw, smps; + + spin_lock_bh(&ar->data_lock); + ++ peer = ath10k_peer_find(ar, arvif->vdev_id, sta->addr); ++ if (!peer) { ++ spin_unlock_bh(&ar->data_lock); ++ ath10k_warn(ar, "mac sta rc update failed to find peer %pM on vdev %i\n", ++ sta->addr, arvif->vdev_id); ++ return; ++ } ++ + ath10k_dbg(ar, ATH10K_DBG_MAC, + "mac sta rc update for %pM changed %08x bw %d nss %d smps %d\n", + sta->addr, changed, sta->bandwidth, sta->rx_nss, diff --git a/queue-4.14/ath9k-fix-crash-in-spectral-scan.patch b/queue-4.14/ath9k-fix-crash-in-spectral-scan.patch new file mode 100644 index 00000000000..fb190029c0f --- /dev/null +++ b/queue-4.14/ath9k-fix-crash-in-spectral-scan.patch @@ -0,0 +1,147 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Gottschall +Date: Sat, 3 Mar 2018 05:10:44 +0100 +Subject: ath9k: fix crash in spectral scan + +From: Sebastian Gottschall + +[ Upstream commit 221b6ec69ed9c56b6cd9a124a387a9472f14284e ] + +Fixes crash seen on arm smp systems (gateworks ventana imx6): + +Unable to handle kernel NULL pointer dereference at virtual address 00000014 +pgd = 80004000 +[00000014] *pgd=00000000 +Internal error: Oops - BUG: 17 [#1] PREEMPT SMP ARM +Modules linked in: ip6table_filter nf_conntrack_ipv6 ip6_tables nf_log_ipv6 nf_defrag_ipv6 shortcut_fe ipcomp6 xfrm_ipcomp xfrm6_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_ro xfrm6_mode_beet ip6_tunnel tunnel6 mip6 ah6 esp6 xfrm_algo sit ip_tunnel tunnel4 ipv6 ath10k_pci ath10k_core ath9k ath mac80211 cfg80211 compat ath_pci ath_hal(P) caamalg authencesn authenc caamrng caamhash caam_jr caam cdc_ncm usbnet usbcore sky2 imx2_wdt +CPU: 0 PID: 3 Comm: ksoftirqd/0 Tainted: P 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +task: bf064980 task.stack: bf07c000 +PC is at relay_buf_full+0xc/0x30 +LR is at _674+0x740/0xf10 [ath9k] +pc : [<8018bce0>] lr : [<7f1aa604>] psr: 80000013 +sp : bf07dbf0 ip : bf07dc00 fp : bf07dbfc +r10: 0000003f r9 : bf130e00 r8 : 809044b0 +r7 : 00000000 r6 : be67a9f0 r5 : 00000000 r4 : 809043e4 +r3 : c0864c24 r2 : 00000000 r1 : 00000004 r0 : 00000000 +Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c5387d Table: 4e6a004a DAC: 00000055 +Process ksoftirqd/0 (pid: 3, stack limit = 0xbf07c210) +Stack: (0xbf07dbf0 to 0xbf07e000) +dbe0: bf07dd04 bf07dc00 7f1aa604 8018bce0 +dc00: 00004014 be59e010 bf07dc34 bf07dc18 7f1a7084 7f19c07c be59c010 be6470a0 +dc20: 0000096c be648954 bf07dc6c bf07dc38 7f1c286c bf07dd90 bf07dc5c bf07dc48 +dc40: 8029ea4c 0000003c 00000001 be59c010 00000094 00000000 00000000 00000000 +dc60: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dc80: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dca0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dcc0: 00000000 00000000 00000000 00000000 00000000 00000000 8010ef24 00000030 +dce0: be94f5e8 be6485a0 bddf0200 be59c010 be6465a0 be6415a0 bf07ddf4 bf07dd08 +dd00: 7f1cf800 7f1aa55c 1fc38c4c 00000000 bf07dd58 cccccccd 66666667 be640bc0 +dd20: bf07dd54 be6415a0 1fc38c4c 00000000 00000000 be59c038 be67a9c0 be59e010 +dd40: be67a9f0 be647170 8090c904 be59c010 00000000 00000001 1fc38e84 00000000 +dd60: be640bc0 bddf0200 00000200 00000010 0000003f 00000002 20000013 be59c010 +dd80: 8092d940 bf7ca2c0 bf07ddb4 bf07dd98 1fc38c4c 2602003f 0100ff1b 80ff1b00 +dda0: 00808080 00000000 00000000 80808080 80808080 80808080 80808080 00008080 +ddc0: 00000000 00000000 7f1b62b8 00000002 be6470ec be6470f0 00000000 bf07de98 +dde0: 8092d940 be6415a0 bf07de94 bf07ddf8 7f1d1ed8 7f1cf1fc 00000000 00000000 +de00: bf7cc4c0 00000400 be6470f0 bf07de18 8015165c be59c010 8090453c 8090453c +de20: bf07dec4 be6465a0 8014f614 80148884 0000619a 00000001 bf07c000 00000100 +de40: bf07de78 00000001 7f327850 00000002 afb50401 bf064980 bf07de9c bf07de68 +de60: bf064a00 803cc668 bf064a00 be6470b4 be6470b8 80844180 00000000 bf07de98 +de80: 8092d940 bf07c000 bf07dec4 bf07de98 80124d18 7f1d1c44 80124c94 00000000 +dea0: 00000006 80902098 80902080 40000006 00000100 bf07c000 bf07df24 bf07dec8 +dec0: 8012501c 80124ca0 bf7cc4c0 bf064980 be95e1c0 04208040 80902d00 000061c7 +dee0: 0000000a 80600b54 8092d940 808441f8 80902080 bf07dec8 bf03b200 bf07c000 +df00: bf03b200 8090fe54 00000000 00000000 00000000 00000000 bf07df34 bf07df28 +df20: 80125148 80124f28 bf07df5c bf07df38 8013deb4 8012511c 00000000 bf03b240 +df40: bf03b200 8013dc90 00000000 00000000 bf07dfac bf07df60 8013ad40 8013dc9c +df60: 70448040 00000001 00000000 bf03b200 00000000 00030003 bf07df78 bf07df78 +df80: 00000000 00000000 bf07df88 bf07df88 bf03b240 8013ac48 00000000 00000000 +dfa0: 00000000 bf07dfb0 80107760 8013ac54 00000000 00000000 00000000 00000000 +dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +dfe0: 00000000 00000000 00000000 00000000 00000013 00000000 8c120004 1190ad04 +Backtrace: +[<8018bcd4>] (relay_buf_full) from [<7f1aa604>] (_674+0x740/0xf10 [ath9k]) +[<7f1aa550>] (_674 [ath9k]) from [<7f1cf800>] (_582+0x14b4/0x3708 [ath9k]) + r10:be6415a0 r9:be6465a0 r8:be59c010 r7:bddf0200 r6:be6485a0 r5:be94f5e8 + r4:00000030 +[<7f1cf1f0>] (_582 [ath9k]) from [<7f1d1ed8>] (_735+0x2a0/0xec4 [ath9k]) + r10:be6415a0 r9:8092d940 r8:bf07de98 r7:00000000 r6:be6470f0 r5:be6470ec + r4:00000002 +[<7f1d1c38>] (_735 [ath9k]) from [<80124d18>] (tasklet_action+0x84/0xf8) + r10:bf07c000 r9:8092d940 r8:bf07de98 r7:00000000 r6:80844180 r5:be6470b8 + r4:be6470b4 +[<80124c94>] (tasklet_action) from [<8012501c>] (__do_softirq+0x100/0x1f4) + r10:bf07c000 r9:00000100 r8:40000006 r7:80902080 r6:80902098 r5:00000006 + r4:00000000 r3:80124c94 +[<80124f1c>] (__do_softirq) from [<80125148>] (run_ksoftirqd+0x38/0x4c) + r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:8090fe54 r5:bf03b200 + r4:bf07c000 +[<80125110>] (run_ksoftirqd) from [<8013deb4>] (smpboot_thread_fn+0x224/0x260) +[<8013dc90>] (smpboot_thread_fn) from [<8013ad40>] (kthread+0xf8/0x100) + r9:00000000 r8:00000000 r7:8013dc90 r6:bf03b200 r5:bf03b240 r4:00000000 +[<8013ac48>] (kthread) from [<80107760>] (ret_from_fork+0x14/0x34) + r7:00000000 r6:00000000 r5:8013ac48 r4:bf03b240 +Code: e89da800 e1a0c00d e92dd800 e24cb004 (e5901014) +---[ end trace dddf11ac9111b272 ]--- +Kernel panic - not syncing: Fatal exception in interrupt +CPU1: stopping +CPU: 1 PID: 0 Comm: swapper/1 Tainted: P D 4.9.85 #19 +Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) +Backtrace: +[<8010a708>] (dump_backtrace) from [<8010a99c>] (show_stack+0x18/0x1c) + r7:bf093f58 r6:20000193 r5:809168e8 r4:00000000 +[<8010a984>] (show_stack) from [<802a09c4>] (dump_stack+0x94/0xa8) +[<802a0930>] (dump_stack) from [<8010d184>] (handle_IPI+0xe8/0x180) + r7:bf093f58 r6:00000000 r5:00000001 r4:808478c4 +[<8010d09c>] (handle_IPI) from [<801013e8>] (gic_handle_irq+0x78/0x7c) + r7:f4000100 r6:bf093f58 r5:f400010c r4:8090467c +[<80101370>] (gic_handle_irq) from [<8010b378>] (__irq_svc+0x58/0x8c) +Exception stack(0xbf093f58 to 0xbf093fa0) +3f40: bf7d62a0 00000000 +3f60: 0010a5f4 80113460 bf092000 809043e4 00000002 80904434 bf092008 412fc09a +3f80: 00000000 bf093fb4 bf093fb8 bf093fa8 8010804c 80108050 60000013 ffffffff + r9:bf092000 r8:bf092008 r7:bf093f8c r6:ffffffff r5:60000013 r4:80108050 +[<80108014>] (arch_cpu_idle) from [<80553c2c>] (default_idle_call+0x30/0x34) +[<80553bfc>] (default_idle_call) from [<80158394>] (cpu_startup_entry+0xc4/0xfc) +[<801582d0>] (cpu_startup_entry) from [<8010ce40>] (secondary_start_kernel+0x168/0x174) + r7:8092d2f8 r4:80913568 +[<8010ccd8>] (secondary_start_kernel) from [<10101488>] (0x10101488) + r5:00000055 r4:4f07806a +Rebooting in 10 seconds.. +Reboot failed -- System halted + +Signed-off-by: Sebastian Gottschall +Signed-off-by: Kalle Valo + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/common-spectral.c ++++ b/drivers/net/wireless/ath/ath9k/common-spectral.c +@@ -479,14 +479,16 @@ ath_cmn_is_fft_buf_full(struct ath_spec_ + { + int i = 0; + int ret = 0; ++ struct rchan_buf *buf; + struct rchan *rc = spec_priv->rfs_chan_spec_scan; + +- for_each_online_cpu(i) +- ret += relay_buf_full(*per_cpu_ptr(rc->buf, i)); ++ for_each_possible_cpu(i) { ++ if ((buf = *per_cpu_ptr(rc->buf, i))) { ++ ret += relay_buf_full(buf); ++ } ++ } + +- i = num_online_cpus(); +- +- if (ret == i) ++ if (ret) + return 1; + else + return 0; diff --git a/queue-4.14/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch b/queue-4.14/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch new file mode 100644 index 00000000000..f5dfc535f3e --- /dev/null +++ b/queue-4.14/audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Richard Guy Briggs +Date: Wed, 21 Feb 2018 04:30:07 -0500 +Subject: audit: return on memory error to avoid null pointer dereference + +From: Richard Guy Briggs + +[ Upstream commit 23138ead270045f1b3e912e667967b6094244999 ] + +If there is a memory allocation error when trying to change an audit +kernel feature value, the ignored allocation error will trigger a NULL +pointer dereference oops on subsequent use of that pointer. Return +instead. + +Passes audit-testsuite. +See: https://github.com/linux-audit/audit-kernel/issues/76 + +Signed-off-by: Richard Guy Briggs +[PM: not necessary (other funcs check for NULL), but a good practice] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/audit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1058,6 +1058,8 @@ static void audit_log_feature_change(int + return; + + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_FEATURE_CHANGE); ++ if (!ab) ++ return; + audit_log_task_info(ab, current); + audit_log_format(ab, " feature=%s old=%u new=%u old_lock=%u new_lock=%u res=%d", + audit_feature_names[which], !!old_feature, !!new_feature, diff --git a/queue-4.14/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch b/queue-4.14/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch new file mode 100644 index 00000000000..a55b2d5d2f2 --- /dev/null +++ b/queue-4.14/batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Matthias Schiffer +Date: Fri, 16 Mar 2018 11:29:10 +0100 +Subject: batman-adv: fix header size check in batadv_dbg_arp() + +From: Matthias Schiffer + +[ Upstream commit 6f27d2c2a8c236d296201c19abb8533ec20d212b ] + +Checking for 0 is insufficient: when an SKB without a batadv header, but +with a VLAN header is received, hdr_size will be 4, making the following +code interpret the Ethernet header as a batadv header. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/distributed-arp-table.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -391,7 +391,7 @@ static void batadv_dbg_arp(struct batadv + batadv_arp_hw_src(skb, hdr_size), &ip_src, + batadv_arp_hw_dst(skb, hdr_size), &ip_dst); + +- if (hdr_size == 0) ++ if (hdr_size < sizeof(struct batadv_unicast_packet)) + return; + + unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data; diff --git a/queue-4.14/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch b/queue-4.14/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch new file mode 100644 index 00000000000..0db8450e705 --- /dev/null +++ b/queue-4.14/batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Linus Lüssing" +Date: Sun, 4 Mar 2018 13:08:17 +0100 +Subject: batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag + +From: "Linus Lüssing" + +[ Upstream commit 74c12c630fe310eb7fcae1b292257d47781fff0a ] + +As the kernel doc describes too the code is supposed to skip adding +multicast TT entries if both the WANT_ALL_IPV4 and WANT_ALL_IPV6 flags +are present. + +Unfortunately, the current code even skips adding multicast TT entries +if only either the WANT_ALL_IPV4 or WANT_ALL_IPV6 is present. + +This could lead to IPv6 multicast packet loss if only an IGMP but not an +MLD querier is present for instance or vice versa. + +Fixes: 687937ab3489 ("batman-adv: Add multicast optimization support for bridged setups") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/multicast.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/multicast.c ++++ b/net/batman-adv/multicast.c +@@ -540,8 +540,8 @@ update: + bat_priv->mcast.enabled = true; + } + +- return !(mcast_data.flags & +- (BATADV_MCAST_WANT_ALL_IPV4 | BATADV_MCAST_WANT_ALL_IPV6)); ++ return !(mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV4 && ++ mcast_data.flags & BATADV_MCAST_WANT_ALL_IPV6); + } + + /** diff --git a/queue-4.14/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch b/queue-4.14/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch new file mode 100644 index 00000000000..e4a1d740d9b --- /dev/null +++ b/queue-4.14/batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Linus Lüssing" +Date: Tue, 20 Mar 2018 03:13:27 +0100 +Subject: batman-adv: fix multicast-via-unicast transmission with AP isolation + +From: "Linus Lüssing" + +[ Upstream commit f8fb3419ead44f9a3136995acd24e35da4525177 ] + +For multicast frames AP isolation is only supposed to be checked on +the receiving nodes and never on the originating one. + +Furthermore, the isolation or wifi flag bits should only be intepreted +as such for unicast and never multicast TT entries. + +By injecting flags to the multicast TT entry claimed by a single +target node it was verified in tests that this multicast address +becomes unreachable, leading to packet loss. + +Omitting the "src" parameter to the batadv_transtable_search() call +successfully skipped the AP isolation check and made the target +reachable again. + +Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/multicast.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/batman-adv/multicast.c ++++ b/net/batman-adv/multicast.c +@@ -809,8 +809,8 @@ static struct batadv_orig_node * + batadv_mcast_forw_tt_node_get(struct batadv_priv *bat_priv, + struct ethhdr *ethhdr) + { +- return batadv_transtable_search(bat_priv, ethhdr->h_source, +- ethhdr->h_dest, BATADV_NO_FLAGS); ++ return batadv_transtable_search(bat_priv, NULL, ethhdr->h_dest, ++ BATADV_NO_FLAGS); + } + + /** diff --git a/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-backbones.patch b/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-backbones.patch new file mode 100644 index 00000000000..8bd2142e91c --- /dev/null +++ b/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-backbones.patch @@ -0,0 +1,65 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sven Eckelmann +Date: Sat, 24 Feb 2018 12:03:37 +0100 +Subject: batman-adv: Fix netlink dumping of BLA backbones + +From: Sven Eckelmann + +[ Upstream commit fce672db548ff19e76a08a32a829544617229bc2 ] + +The function batadv_bla_backbone_dump_bucket must be able to handle +non-complete dumps of a single bucket. It tries to do that by saving the +latest dumped index in *idx_skip to inform the caller about the current +state. + +But the caller only assumes that buckets were not completely dumped when +the return code is non-zero. This function must therefore also return a +non-zero index when the dumping of an entry failed. Otherwise the caller +will just skip all remaining buckets. + +And the function must also reset *idx_skip back to zero when it finished a +bucket. Otherwise it will skip the same number of entries in the next +bucket as the previous one had. + +Fixes: ea4152e11716 ("batman-adv: add backbone table netlink support") +Reported-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -2394,22 +2394,25 @@ batadv_bla_backbone_dump_bucket(struct s + { + struct batadv_bla_backbone_gw *backbone_gw; + int idx = 0; ++ int ret = 0; + + rcu_read_lock(); + hlist_for_each_entry_rcu(backbone_gw, head, hash_entry) { + if (idx++ < *idx_skip) + continue; +- if (batadv_bla_backbone_dump_entry(msg, portid, seq, +- primary_if, backbone_gw)) { ++ ++ ret = batadv_bla_backbone_dump_entry(msg, portid, seq, ++ primary_if, backbone_gw); ++ if (ret) { + *idx_skip = idx - 1; + goto unlock; + } + } + +- *idx_skip = idx; ++ *idx_skip = 0; + unlock: + rcu_read_unlock(); +- return 0; ++ return ret; + } + + /** diff --git a/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-claims.patch b/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-claims.patch new file mode 100644 index 00000000000..2f75dadcbce --- /dev/null +++ b/queue-4.14/batman-adv-fix-netlink-dumping-of-bla-claims.patch @@ -0,0 +1,65 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sven Eckelmann +Date: Sat, 24 Feb 2018 12:03:36 +0100 +Subject: batman-adv: Fix netlink dumping of BLA claims + +From: Sven Eckelmann + +[ Upstream commit b0264ecdfeab5f889b02ec54af7ca8cc1c245e2f ] + +The function batadv_bla_claim_dump_bucket must be able to handle +non-complete dumps of a single bucket. It tries to do that by saving the +latest dumped index in *idx_skip to inform the caller about the current +state. + +But the caller only assumes that buckets were not completely dumped when +the return code is non-zero. This function must therefore also return a +non-zero index when the dumping of an entry failed. Otherwise the caller +will just skip all remaining buckets. + +And the function must also reset *idx_skip back to zero when it finished a +bucket. Otherwise it will skip the same number of entries in the next +bucket as the previous one had. + +Fixes: 04f3f5bf1883 ("batman-adv: add B.A.T.M.A.N. Dump BLA claims via netlink") +Reported-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -2161,22 +2161,25 @@ batadv_bla_claim_dump_bucket(struct sk_b + { + struct batadv_bla_claim *claim; + int idx = 0; ++ int ret = 0; + + rcu_read_lock(); + hlist_for_each_entry_rcu(claim, head, hash_entry) { + if (idx++ < *idx_skip) + continue; +- if (batadv_bla_claim_dump_entry(msg, portid, seq, +- primary_if, claim)) { ++ ++ ret = batadv_bla_claim_dump_entry(msg, portid, seq, ++ primary_if, claim); ++ if (ret) { + *idx_skip = idx - 1; + goto unlock; + } + } + +- *idx_skip = idx; ++ *idx_skip = 0; + unlock: + rcu_read_unlock(); +- return 0; ++ return ret; + } + + /** diff --git a/queue-4.14/batman-adv-fix-packet-checksum-in-receive-path.patch b/queue-4.14/batman-adv-fix-packet-checksum-in-receive-path.patch new file mode 100644 index 00000000000..a0992d5b512 --- /dev/null +++ b/queue-4.14/batman-adv-fix-packet-checksum-in-receive-path.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Matthias Schiffer +Date: Tue, 23 Jan 2018 10:59:49 +0100 +Subject: batman-adv: fix packet checksum in receive path + +From: Matthias Schiffer + +[ Upstream commit abd6360591d3f8259f41c34e31ac4826dfe621b8 ] + +eth_type_trans() internally calls skb_pull(), which does not adjust the +skb checksum; skb_postpull_rcsum() is necessary to avoid log spam of the +form "bat0: hw csum failure" when packets with CHECKSUM_COMPLETE are +received. + +Note that in usual setups, packets don't reach batman-adv with +CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see +batadv's ethtype?), which is why the log messages do not occur on every +system using batman-adv. I could reproduce this issue by stacking +batman-adv on top of a VXLAN interface. + +Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") +Tested-by: Maximilian Wilhelm +Signed-off-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/soft-interface.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/net/batman-adv/soft-interface.c ++++ b/net/batman-adv/soft-interface.c +@@ -451,13 +451,7 @@ void batadv_interface_rx(struct net_devi + + /* skb->dev & skb->pkt_type are set here */ + skb->protocol = eth_type_trans(skb, soft_iface); +- +- /* should not be necessary anymore as we use skb_pull_rcsum() +- * TODO: please verify this and remove this TODO +- * -- Dec 21st 2009, Simon Wunderlich +- */ +- +- /* skb->ip_summed = CHECKSUM_UNNECESSARY; */ ++ skb_postpull_rcsum(skb, eth_hdr(skb), ETH_HLEN); + + batadv_inc_counter(bat_priv, BATADV_CNT_RX); + batadv_add_counter(bat_priv, BATADV_CNT_RX_BYTES, diff --git a/queue-4.14/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch b/queue-4.14/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch new file mode 100644 index 00000000000..a1e9a76c68b --- /dev/null +++ b/queue-4.14/batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Linus Lüssing" +Date: Thu, 22 Mar 2018 00:21:32 +0100 +Subject: batman-adv: fix packet loss for broadcasted DHCP packets to a server + +From: "Linus Lüssing" + +[ Upstream commit a752c0a4524889cdc0765925258fd1fd72344100 ] + +DHCP connectivity issues can currently occur if the following conditions +are met: + +1) A DHCP packet from a client to a server +2) This packet has a multicast destination +3) This destination has a matching entry in the translation table + (FF:FF:FF:FF:FF:FF for IPv4, 33:33:00:01:00:02/33:33:00:01:00:03 + for IPv6) +4) The orig-node determined by TT for the multicast destination + does not match the orig-node determined by best-gateway-selection + +In this case the DHCP packet will be dropped. + +The "gateway-out-of-range" check is supposed to only be applied to +unicasted DHCP packets to a specific DHCP server. + +In that case dropping the the unicasted frame forces the client to +retry via a broadcasted one, but now directed to the new best +gateway. + +A DHCP packet with broadcast/multicast destination is already ensured to +always be delivered to the best gateway. Dropping a multicasted +DHCP packet here will only prevent completing DHCP as there is no +other fallback. + +So far, it seems the unicast check was implicitly performed by +expecting the batadv_transtable_search() to return NULL for multicast +destinations. However, a multicast address could have always ended up in +the translation table and in fact is now common. + +To fix this potential loss of a DHCP client-to-server packet to a +multicast address this patch adds an explicit multicast destination +check to reliably bail out of the gateway-out-of-range check for such +destinations. + +The issue and fix were tested in the following three node setup: + +- Line topology, A-B-C +- A: gateway client, DHCP client +- B: gateway server, hop-penalty increased: 30->60, DHCP server +- C: gateway server, code modifications to announce FF:FF:FF:FF:FF:FF + +Without this patch, A would never transmit its DHCP Discover packet +due to an always "out-of-range" condition. With this patch, +a full DHCP handshake between A and B was possible again. + +Fixes: be7af5cf9cae ("batman-adv: refactoring gateway handling code") +Signed-off-by: Linus Lüssing +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/gateway_client.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/gateway_client.c ++++ b/net/batman-adv/gateway_client.c +@@ -705,7 +705,7 @@ bool batadv_gw_out_of_range(struct batad + { + struct batadv_neigh_node *neigh_curr = NULL; + struct batadv_neigh_node *neigh_old = NULL; +- struct batadv_orig_node *orig_dst_node; ++ struct batadv_orig_node *orig_dst_node = NULL; + struct batadv_gw_node *gw_node = NULL; + struct batadv_gw_node *curr_gw = NULL; + struct batadv_neigh_ifinfo *curr_ifinfo, *old_ifinfo; +@@ -716,6 +716,9 @@ bool batadv_gw_out_of_range(struct batad + + vid = batadv_get_vid(skb, 0); + ++ if (is_multicast_ether_addr(ethhdr->h_dest)) ++ goto out; ++ + orig_dst_node = batadv_transtable_search(bat_priv, ethhdr->h_source, + ethhdr->h_dest, vid); + if (!orig_dst_node) diff --git a/queue-4.14/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch b/queue-4.14/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch new file mode 100644 index 00000000000..4560589581d --- /dev/null +++ b/queue-4.14/batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch @@ -0,0 +1,90 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sven Eckelmann +Date: Fri, 16 Mar 2018 21:14:32 +0100 +Subject: batman-adv: Fix skbuff rcsum on packet reroute + +From: Sven Eckelmann + +[ Upstream commit fc04fdb2c8a894283259f5621d31d75610701091 ] + +batadv_check_unicast_ttvn may redirect a packet to itself or another +originator. This involves rewriting the ttvn and the destination address in +the batadv unicast header. These field were not yet pulled (with skb rcsum +update) and thus any change to them also requires a change in the receive +checksum. + +Reported-by: Matthias Schiffer +Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/routing.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/net/batman-adv/routing.c ++++ b/net/batman-adv/routing.c +@@ -743,6 +743,7 @@ free_skb: + /** + * batadv_reroute_unicast_packet - update the unicast header for re-routing + * @bat_priv: the bat priv with all the soft interface information ++ * @skb: unicast packet to process + * @unicast_packet: the unicast header to be updated + * @dst_addr: the payload destination + * @vid: VLAN identifier +@@ -754,7 +755,7 @@ free_skb: + * Return: true if the packet header has been updated, false otherwise + */ + static bool +-batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, ++batadv_reroute_unicast_packet(struct batadv_priv *bat_priv, struct sk_buff *skb, + struct batadv_unicast_packet *unicast_packet, + u8 *dst_addr, unsigned short vid) + { +@@ -783,8 +784,10 @@ batadv_reroute_unicast_packet(struct bat + } + + /* update the packet header */ ++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + ether_addr_copy(unicast_packet->dest, orig_addr); + unicast_packet->ttvn = orig_ttvn; ++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + + ret = true; + out: +@@ -825,7 +828,7 @@ static bool batadv_check_unicast_ttvn(st + * the packet to + */ + if (batadv_tt_local_client_is_roaming(bat_priv, ethhdr->h_dest, vid)) { +- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, ++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet, + ethhdr->h_dest, vid)) + batadv_dbg_ratelimited(BATADV_DBG_TT, + bat_priv, +@@ -871,7 +874,7 @@ static bool batadv_check_unicast_ttvn(st + * destination can possibly be updated and forwarded towards the new + * target host + */ +- if (batadv_reroute_unicast_packet(bat_priv, unicast_packet, ++ if (batadv_reroute_unicast_packet(bat_priv, skb, unicast_packet, + ethhdr->h_dest, vid)) { + batadv_dbg_ratelimited(BATADV_DBG_TT, bat_priv, + "Rerouting unicast packet to %pM (dst=%pM): TTVN mismatch old_ttvn=%u new_ttvn=%u\n", +@@ -894,12 +897,14 @@ static bool batadv_check_unicast_ttvn(st + if (!primary_if) + return false; + ++ /* update the packet header */ ++ skb_postpull_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + ether_addr_copy(unicast_packet->dest, primary_if->net_dev->dev_addr); ++ unicast_packet->ttvn = curr_ttvn; ++ skb_postpush_rcsum(skb, unicast_packet, sizeof(*unicast_packet)); + + batadv_hardif_put(primary_if); + +- unicast_packet->ttvn = curr_ttvn; +- + return true; + } + diff --git a/queue-4.14/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch b/queue-4.14/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch new file mode 100644 index 00000000000..1c06bffc285 --- /dev/null +++ b/queue-4.14/batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sven Eckelmann +Date: Mon, 19 Feb 2018 14:08:52 +0100 +Subject: batman-adv: Ignore invalid batadv_iv_gw during netlink send + +From: Sven Eckelmann + +[ Upstream commit 10d570284258a30dc104c50787c5289ec49f3d23 ] + +The function batadv_iv_gw_dump stops the processing loop when +batadv_iv_gw_dump_entry returns a non-0 return code. This should only +happen when the buffer is full. Otherwise, an empty message may be +returned by batadv_gw_dump. This empty message will then stop the netlink +dumping of gateway entries. At worst, not a single entry is returned to +userspace even when plenty of possible gateways exist. + +Fixes: efb766af06e3 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -2719,7 +2719,7 @@ static int batadv_iv_gw_dump_entry(struc + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; + struct batadv_gw_node *curr_gw; +- int ret = -EINVAL; ++ int ret = 0; + void *hdr; + + router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT); diff --git a/queue-4.14/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch b/queue-4.14/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch new file mode 100644 index 00000000000..7b11ce3a874 --- /dev/null +++ b/queue-4.14/batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sven Eckelmann +Date: Mon, 19 Feb 2018 14:08:53 +0100 +Subject: batman-adv: Ignore invalid batadv_v_gw during netlink send + +From: Sven Eckelmann + +[ Upstream commit 011c935fceae5252619ef730baa610c655281dda ] + +The function batadv_v_gw_dump stops the processing loop when +batadv_v_gw_dump_entry returns a non-0 return code. This should only +happen when the buffer is full. Otherwise, an empty message may be +returned by batadv_gw_dump. This empty message will then stop the netlink +dumping of gateway entries. At worst, not a single entry is returned to +userspace even when plenty of possible gateways exist. + +Fixes: b71bb6f924fe ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -930,7 +930,7 @@ static int batadv_v_gw_dump_entry(struct + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; + struct batadv_gw_node *curr_gw; +- int ret = -EINVAL; ++ int ret = 0; + void *hdr; + + router = batadv_orig_router_get(gw_node->orig_node, BATADV_IF_DEFAULT); diff --git a/queue-4.14/batman-adv-invalidate-checksum-on-fragment-reassembly.patch b/queue-4.14/batman-adv-invalidate-checksum-on-fragment-reassembly.patch new file mode 100644 index 00000000000..8529d1fb20d --- /dev/null +++ b/queue-4.14/batman-adv-invalidate-checksum-on-fragment-reassembly.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Matthias Schiffer +Date: Tue, 23 Jan 2018 10:59:50 +0100 +Subject: batman-adv: invalidate checksum on fragment reassembly + +From: Matthias Schiffer + +[ Upstream commit 3bf2a09da956b43ecfaa630a2ef9a477f991a46a ] + +A more sophisticated implementation could try to combine fragment checksums +when all fragments have CHECKSUM_COMPLETE and are split at even offsets. +For now, we just set ip_summed to CHECKSUM_NONE to avoid "hw csum failure" +warnings in the kernel log when fragmented frames are received. In +consequence, skb_pull_rcsum() can be replaced with skb_pull(). + +Note that in usual setups, packets don't reach batman-adv with +CHECKSUM_COMPLETE (I assume NICs bail out of checksumming when they see +batadv's ethtype?), which is why the log messages do not occur on every +system using batman-adv. I could reproduce this issue by stacking +batman-adv on top of a VXLAN interface. + +Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") +Tested-by: Maximilian Wilhelm +Signed-off-by: Matthias Schiffer +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/fragmentation.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -287,7 +287,8 @@ batadv_frag_merge_packets(struct hlist_h + /* Move the existing MAC header to just before the payload. (Override + * the fragment header.) + */ +- skb_pull_rcsum(skb_out, hdr_size); ++ skb_pull(skb_out, hdr_size); ++ skb_out->ip_summed = CHECKSUM_NONE; + memmove(skb_out->data - ETH_HLEN, skb_mac_header(skb_out), ETH_HLEN); + skb_set_mac_header(skb_out, -ETH_HLEN); + skb_reset_network_header(skb_out); diff --git a/queue-4.14/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch b/queue-4.14/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch new file mode 100644 index 00000000000..a2d7352285d --- /dev/null +++ b/queue-4.14/bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tang Junhui +Date: Tue, 27 Feb 2018 09:49:30 -0800 +Subject: bcache: fix kcrashes with fio in RAID5 backend dev + +From: Tang Junhui + +[ Upstream commit 60eb34ec5526e264c2bbaea4f7512d714d791caf ] + +Kernel crashed when run fio in a RAID5 backend bcache device, the call +trace is bellow: +[ 440.012034] kernel BUG at block/blk-ioc.c:146! +[ 440.012696] invalid opcode: 0000 [#1] SMP NOPTI +[ 440.026537] CPU: 2 PID: 2205 Comm: md127_raid5 Not tainted 4.15.0 #8 +[ 440.027441] Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 07/16 +/2015 +[ 440.028615] RIP: 0010:put_io_context+0x8b/0x90 +[ 440.029246] RSP: 0018:ffffa8c882b43af8 EFLAGS: 00010246 +[ 440.029990] RAX: 0000000000000000 RBX: ffffa8c88294fca0 RCX: 0000000000 +0f4240 +[ 440.031006] RDX: 0000000000000004 RSI: 0000000000000286 RDI: ffffa8c882 +94fca0 +[ 440.032030] RBP: ffffa8c882b43b10 R08: 0000000000000003 R09: ffff949cb8 +0c1700 +[ 440.033206] R10: 0000000000000104 R11: 000000000000b71c R12: 00000000000 +01000 +[ 440.034222] R13: 0000000000000000 R14: ffff949cad84db70 R15: ffff949cb11 +bd1e0 +[ 440.035239] FS: 0000000000000000(0000) GS:ffff949cba280000(0000) knlGS: +0000000000000000 +[ 440.060190] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 440.084967] CR2: 00007ff0493ef000 CR3: 00000002f1e0a002 CR4: 00000000001 +606e0 +[ 440.110498] Call Trace: +[ 440.135443] bio_disassociate_task+0x1b/0x60 +[ 440.160355] bio_free+0x1b/0x60 +[ 440.184666] bio_put+0x23/0x30 +[ 440.208272] search_free+0x23/0x40 [bcache] +[ 440.231448] cached_dev_write_complete+0x31/0x70 [bcache] +[ 440.254468] closure_put+0xb6/0xd0 [bcache] +[ 440.277087] request_endio+0x30/0x40 [bcache] +[ 440.298703] bio_endio+0xa1/0x120 +[ 440.319644] handle_stripe+0x418/0x2270 [raid456] +[ 440.340614] ? load_balance+0x17b/0x9c0 +[ 440.360506] handle_active_stripes.isra.58+0x387/0x5a0 [raid456] +[ 440.380675] ? __release_stripe+0x15/0x20 [raid456] +[ 440.400132] raid5d+0x3ed/0x5d0 [raid456] +[ 440.419193] ? schedule+0x36/0x80 +[ 440.437932] ? schedule_timeout+0x1d2/0x2f0 +[ 440.456136] md_thread+0x122/0x150 +[ 440.473687] ? wait_woken+0x80/0x80 +[ 440.491411] kthread+0x102/0x140 +[ 440.508636] ? find_pers+0x70/0x70 +[ 440.524927] ? kthread_associate_blkcg+0xa0/0xa0 +[ 440.541791] ret_from_fork+0x35/0x40 +[ 440.558020] Code: c2 48 00 5b 41 5c 41 5d 5d c3 48 89 c6 4c 89 e7 e8 bb c2 +48 00 48 8b 3d bc 36 4b 01 48 89 de e8 7c f7 e0 ff 5b 41 5c 41 5d 5d c3 <0f> 0b +0f 1f 00 0f 1f 44 00 00 55 48 8d 47 b8 48 89 e5 41 57 41 +[ 440.610020] RIP: put_io_context+0x8b/0x90 RSP: ffffa8c882b43af8 +[ 440.628575] ---[ end trace a1fd79d85643a73e ]-- + +All the crash issue happened when a bypass IO coming, in such scenario +s->iop.bio is pointed to the s->orig_bio. In search_free(), it finishes the +s->orig_bio by calling bio_complete(), and after that, s->iop.bio became +invalid, then kernel would crash when calling bio_put(). Maybe its upper +layer's faulty, since bio should not be freed before we calling bio_put(), +but we'd better calling bio_put() first before calling bio_complete() to +notify upper layer ending this bio. + +This patch moves bio_complete() under bio_put() to avoid kernel crash. + +[mlyle: fixed commit subject for character limits] + +Reported-by: Matthias Ferdinand +Tested-by: Matthias Ferdinand +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/bcache/request.c ++++ b/drivers/md/bcache/request.c +@@ -651,11 +651,11 @@ static void do_bio_hook(struct search *s + static void search_free(struct closure *cl) + { + struct search *s = container_of(cl, struct search, cl); +- bio_complete(s); + + if (s->iop.bio) + bio_put(s->iop.bio); + ++ bio_complete(s); + closure_debug_destroy(cl); + mempool_free(s, s->d->c->search); + } diff --git a/queue-4.14/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch b/queue-4.14/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch new file mode 100644 index 00000000000..3a8c971a892 --- /dev/null +++ b/queue-4.14/bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch @@ -0,0 +1,132 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Coly Li +Date: Sun, 18 Mar 2018 17:36:15 -0700 +Subject: bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set + +From: Coly Li + +[ Upstream commit fadd94e05c02afec7b70b0b14915624f1782f578 ] + +In patch "bcache: fix cached_dev->count usage for bch_cache_set_error()", +cached_dev_get() is called when creating dc->writeback_thread, and +cached_dev_put() is called when exiting dc->writeback_thread. This +modification works well unless people detach the bcache device manually by + 'echo 1 > /sys/block/bcache/bcache/detach' +Because this sysfs interface only calls bch_cached_dev_detach() which wakes +up dc->writeback_thread but does not stop it. The reason is, before patch +"bcache: fix cached_dev->count usage for bch_cache_set_error()", inside +bch_writeback_thread(), if cache is not dirty after writeback, +cached_dev_put() will be called here. And in cached_dev_make_request() when +a new write request makes cache from clean to dirty, cached_dev_get() will +be called there. Since we don't operate dc->count in these locations, +refcount d->count cannot be dropped after cache becomes clean, and +cached_dev_detach_finish() won't be called to detach bcache device. + +This patch fixes the issue by checking whether BCACHE_DEV_DETACHING is +set inside bch_writeback_thread(). If this bit is set and cache is clean +(no existing writeback_keys), break the while-loop, call cached_dev_put() +and quit the writeback thread. + +Please note if cache is still dirty, even BCACHE_DEV_DETACHING is set the +writeback thread should continue to perform writeback, this is the original +design of manually detach. + +It is safe to do the following check without locking, let me explain why, ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + +If the kenrel thread does not sleep and continue to run due to conditions +are not updated in time on the running CPU core, it just consumes more CPU +cycles and has no hurt. This should-sleep-but-run is safe here. We just +focus on the should-run-but-sleep condition, which means the writeback +thread goes to sleep in mistake while it should continue to run. +1, First of all, no matter the writeback thread is hung or not, + kthread_stop() from cached_dev_detach_finish() will wake up it and + terminate by making kthread_should_stop() return true. And in normal + run time, bit on index BCACHE_DEV_DETACHING is always cleared, the + condition + !test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) + is always true and can be ignored as constant value. +2, If one of the following conditions is true, the writeback thread should + go to sleep, + "!atomic_read(&dc->has_dirty)" or "!dc->writeback_running)" + each of them independently controls the writeback thread should sleep or + not, let's analyse them one by one. +2.1 condition "!atomic_read(&dc->has_dirty)" + If dc->has_dirty is set from 0 to 1 on another CPU core, bcache will + call bch_writeback_queue() immediately or call bch_writeback_add() which + indirectly calls bch_writeback_queue() too. In bch_writeback_queue(), + wake_up_process(dc->writeback_thread) is called. It sets writeback + thread's task state to TASK_RUNNING and following an implicit memory + barrier, then tries to wake up the writeback thread. + In writeback thread, its task state is set to TASK_INTERRUPTIBLE before + doing the condition check. If other CPU core sets the TASK_RUNNING state + after writeback thread setting TASK_INTERRUPTIBLE, the writeback thread + will be scheduled to run very soon because its state is not + TASK_INTERRUPTIBLE. If other CPU core sets the TASK_RUNNING state before + writeback thread setting TASK_INTERRUPTIBLE, the implict memory barrier + of wake_up_process() will make sure modification of dc->has_dirty on + other CPU core is updated and observed on the CPU core of writeback + thread. Therefore the condition check will correctly be false, and + continue writeback code without sleeping. +2.2 condition "!dc->writeback_running)" + dc->writeback_running can be changed via sysfs file, every time it is + modified, a following bch_writeback_queue() is alwasy called. So the + change is always observed on the CPU core of writeback thread. If + dc->writeback_running is changed from 0 to 1 on other CPU core, this + condition check will observe the modification and allow writeback + thread to continue to run without sleeping. +Now we can see, even without a locking protection, multiple conditions +check is safe here, no deadlock or process hang up will happen. + +I compose a separte patch because that patch "bcache: fix cached_dev->count +usage for bch_cache_set_error()" already gets a "Reviewed-by:" from Hannes +Reinecke. Also this fix is not trivial and good for a separate patch. + +Signed-off-by: Coly Li +Reviewed-by: Michael Lyle +Cc: Hannes Reinecke +Cc: Huijun Tang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/writeback.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -421,9 +421,15 @@ static int bch_writeback_thread(void *ar + while (!kthread_should_stop()) { + down_write(&dc->writeback_lock); + set_current_state(TASK_INTERRUPTIBLE); +- if (!atomic_read(&dc->has_dirty) || +- (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && +- !dc->writeback_running)) { ++ /* ++ * If the bache device is detaching, skip here and continue ++ * to perform writeback. Otherwise, if no dirty data on cache, ++ * or there is dirty data on cache but writeback is disabled, ++ * the writeback thread should sleep here and wait for others ++ * to wake up it. ++ */ ++ if (!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags) && ++ (!atomic_read(&dc->has_dirty) || !dc->writeback_running)) { + up_write(&dc->writeback_lock); + + if (kthread_should_stop()) { +@@ -444,6 +450,14 @@ static int bch_writeback_thread(void *ar + cached_dev_put(dc); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_CLEAN); + bch_write_bdev_super(dc, NULL); ++ /* ++ * If bcache device is detaching via sysfs interface, ++ * writeback thread should stop after there is no dirty ++ * data on cache. BCACHE_DEV_DETACHING flag is set in ++ * bch_cached_dev_detach(). ++ */ ++ if (test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags)) ++ break; + } + + up_write(&dc->writeback_lock); diff --git a/queue-4.14/block-display-the-correct-diskname-for-bio.patch b/queue-4.14/block-display-the-correct-diskname-for-bio.patch new file mode 100644 index 00000000000..766685c237a --- /dev/null +++ b/queue-4.14/block-display-the-correct-diskname-for-bio.patch @@ -0,0 +1,60 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiufei Xue +Date: Tue, 27 Feb 2018 20:10:18 +0800 +Subject: block: display the correct diskname for bio + +From: Jiufei Xue + +[ Upstream commit 9c0fb1e313aaf4e8edec22433c8b22dd308e466c ] + +bio_devname use __bdevname to display the device name, and can +only show the major and minor of the part0, +Fix this by using disk_name to display the correct name. + +Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index") +Reviewed-by: Omar Sandoval +Reviewed-by: Christoph Hellwig +Signed-off-by: Jiufei Xue +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partition-generic.c | 6 ++++++ + include/linux/bio.h | 4 +--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -51,6 +51,12 @@ const char *bdevname(struct block_device + + EXPORT_SYMBOL(bdevname); + ++const char *bio_devname(struct bio *bio, char *buf) ++{ ++ return disk_name(bio->bi_disk, bio->bi_partno, buf); ++} ++EXPORT_SYMBOL(bio_devname); ++ + /* + * There's very little reason to use this, you should really + * have a struct block_device just about everywhere and use +--- a/include/linux/bio.h ++++ b/include/linux/bio.h +@@ -501,6 +501,7 @@ void zero_fill_bio(struct bio *bio); + extern struct bio_vec *bvec_alloc(gfp_t, int, unsigned long *, mempool_t *); + extern void bvec_free(mempool_t *, struct bio_vec *, unsigned int); + extern unsigned int bvec_nr_vecs(unsigned short idx); ++extern const char *bio_devname(struct bio *bio, char *buffer); + + #define bio_set_dev(bio, bdev) \ + do { \ +@@ -519,9 +520,6 @@ do { \ + #define bio_dev(bio) \ + disk_devt((bio)->bi_disk) + +-#define bio_devname(bio, buf) \ +- __bdevname(bio_dev(bio), (buf)) +- + #ifdef CONFIG_BLK_CGROUP + int bio_associate_blkcg(struct bio *bio, struct cgroup_subsys_state *blkcg_css); + int bio_associate_current(struct bio *bio); diff --git a/queue-4.14/block-null_blk-fix-invalid-parameters-when-loading-module.patch b/queue-4.14/block-null_blk-fix-invalid-parameters-when-loading-module.patch new file mode 100644 index 00000000000..bf04d033908 --- /dev/null +++ b/queue-4.14/block-null_blk-fix-invalid-parameters-when-loading-module.patch @@ -0,0 +1,167 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ming Lei +Date: Tue, 6 Mar 2018 12:07:13 +0800 +Subject: block: null_blk: fix 'Invalid parameters' when loading module + +From: Ming Lei + +[ Upstream commit 66231ad3e2886ba99fbf440cea44cab547e5163f ] + +On ARM64, the default page size has been 64K on some distributions, and +we should allow ARM64 people to play null_blk. + +This patch fixes the issue by extend page bitmap size for supporting +other non-4KB PAGE_SIZE. + +Cc: Bart Van Assche +Cc: Shaohua Li +Cc: Kyungchan Koh , +Cc: weiping zhang +Cc: Yi Zhang +Reported-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/null_blk.c | 46 +++++++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 21 deletions(-) + +--- a/drivers/block/null_blk.c ++++ b/drivers/block/null_blk.c +@@ -68,6 +68,7 @@ enum nullb_device_flags { + NULLB_DEV_FL_CACHE = 3, + }; + ++#define MAP_SZ ((PAGE_SIZE >> SECTOR_SHIFT) + 2) + /* + * nullb_page is a page in memory for nullb devices. + * +@@ -82,10 +83,10 @@ enum nullb_device_flags { + */ + struct nullb_page { + struct page *page; +- unsigned long bitmap; ++ DECLARE_BITMAP(bitmap, MAP_SZ); + }; +-#define NULLB_PAGE_LOCK (sizeof(unsigned long) * 8 - 1) +-#define NULLB_PAGE_FREE (sizeof(unsigned long) * 8 - 2) ++#define NULLB_PAGE_LOCK (MAP_SZ - 1) ++#define NULLB_PAGE_FREE (MAP_SZ - 2) + + struct nullb_device { + struct nullb *nullb; +@@ -725,7 +726,7 @@ static struct nullb_page *null_alloc_pag + if (!t_page->page) + goto out_freepage; + +- t_page->bitmap = 0; ++ memset(t_page->bitmap, 0, sizeof(t_page->bitmap)); + return t_page; + out_freepage: + kfree(t_page); +@@ -735,13 +736,20 @@ out: + + static void null_free_page(struct nullb_page *t_page) + { +- __set_bit(NULLB_PAGE_FREE, &t_page->bitmap); +- if (test_bit(NULLB_PAGE_LOCK, &t_page->bitmap)) ++ __set_bit(NULLB_PAGE_FREE, t_page->bitmap); ++ if (test_bit(NULLB_PAGE_LOCK, t_page->bitmap)) + return; + __free_page(t_page->page); + kfree(t_page); + } + ++static bool null_page_empty(struct nullb_page *page) ++{ ++ int size = MAP_SZ - 2; ++ ++ return find_first_bit(page->bitmap, size) == size; ++} ++ + static void null_free_sector(struct nullb *nullb, sector_t sector, + bool is_cache) + { +@@ -756,9 +764,9 @@ static void null_free_sector(struct null + + t_page = radix_tree_lookup(root, idx); + if (t_page) { +- __clear_bit(sector_bit, &t_page->bitmap); ++ __clear_bit(sector_bit, t_page->bitmap); + +- if (!t_page->bitmap) { ++ if (null_page_empty(t_page)) { + ret = radix_tree_delete_item(root, idx, t_page); + WARN_ON(ret != t_page); + null_free_page(ret); +@@ -829,7 +837,7 @@ static struct nullb_page *__null_lookup_ + t_page = radix_tree_lookup(root, idx); + WARN_ON(t_page && t_page->page->index != idx); + +- if (t_page && (for_write || test_bit(sector_bit, &t_page->bitmap))) ++ if (t_page && (for_write || test_bit(sector_bit, t_page->bitmap))) + return t_page; + + return NULL; +@@ -892,10 +900,10 @@ static int null_flush_cache_page(struct + + t_page = null_insert_page(nullb, idx << PAGE_SECTORS_SHIFT, true); + +- __clear_bit(NULLB_PAGE_LOCK, &c_page->bitmap); +- if (test_bit(NULLB_PAGE_FREE, &c_page->bitmap)) { ++ __clear_bit(NULLB_PAGE_LOCK, c_page->bitmap); ++ if (test_bit(NULLB_PAGE_FREE, c_page->bitmap)) { + null_free_page(c_page); +- if (t_page && t_page->bitmap == 0) { ++ if (t_page && null_page_empty(t_page)) { + ret = radix_tree_delete_item(&nullb->dev->data, + idx, t_page); + null_free_page(t_page); +@@ -911,11 +919,11 @@ static int null_flush_cache_page(struct + + for (i = 0; i < PAGE_SECTORS; + i += (nullb->dev->blocksize >> SECTOR_SHIFT)) { +- if (test_bit(i, &c_page->bitmap)) { ++ if (test_bit(i, c_page->bitmap)) { + offset = (i << SECTOR_SHIFT); + memcpy(dst + offset, src + offset, + nullb->dev->blocksize); +- __set_bit(i, &t_page->bitmap); ++ __set_bit(i, t_page->bitmap); + } + } + +@@ -952,10 +960,10 @@ again: + * We found the page which is being flushed to disk by other + * threads + */ +- if (test_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap)) ++ if (test_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap)) + c_pages[i] = NULL; + else +- __set_bit(NULLB_PAGE_LOCK, &c_pages[i]->bitmap); ++ __set_bit(NULLB_PAGE_LOCK, c_pages[i]->bitmap); + } + + one_round = 0; +@@ -1008,7 +1016,7 @@ static int copy_to_nullb(struct nullb *n + kunmap_atomic(dst); + kunmap_atomic(src); + +- __set_bit(sector & SECTOR_MASK, &t_page->bitmap); ++ __set_bit(sector & SECTOR_MASK, t_page->bitmap); + + if (is_fua) + null_free_sector(nullb, sector, true); +@@ -1922,10 +1930,6 @@ static int __init null_init(void) + struct nullb *nullb; + struct nullb_device *dev; + +- /* check for nullb_page.bitmap */ +- if (sizeof(unsigned long) * 8 - 2 < (PAGE_SIZE >> SECTOR_SHIFT)) +- return -EINVAL; +- + if (g_bs > PAGE_SIZE) { + pr_warn("null_blk: invalid block size\n"); + pr_warn("null_blk: defaults block size to %lu\n", PAGE_SIZE); diff --git a/queue-4.14/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch b/queue-4.14/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch new file mode 100644 index 00000000000..20a13414cd8 --- /dev/null +++ b/queue-4.14/bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Chan +Date: Fri, 9 Mar 2018 23:46:10 -0500 +Subject: bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa(). + +From: Michael Chan + +[ Upstream commit 3c4fe80b32c685bdc02b280814d0cfe80d441c72 ] + +During initialization, if we encounter errors, there is a code path that +calls bnxt_hwrm_vnic_set_tpa() with invalid VNIC ID. This may cause a +warning in firmware logs. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -3808,6 +3808,9 @@ static int bnxt_hwrm_vnic_set_tpa(struct + struct bnxt_vnic_info *vnic = &bp->vnic_info[vnic_id]; + struct hwrm_vnic_tpa_cfg_input req = {0}; + ++ if (vnic->fw_vnic_id == INVALID_HW_RING_ID) ++ return 0; ++ + bnxt_hwrm_cmd_hdr_init(bp, &req, HWRM_VNIC_TPA_CFG, -1, -1); + + if (tpa_flags) { diff --git a/queue-4.14/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch b/queue-4.14/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch new file mode 100644 index 00000000000..27687422b67 --- /dev/null +++ b/queue-4.14/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:45 +0800 +Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave + +From: Xin Long + +[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ] + +vlan_vids_add_by_dev is called right after dev hwaddr sync, so on +the err path it should unsync dev hwaddr. Otherwise, the slave +dev's hwaddr will never be unsync when this err happens. + +Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones") +Signed-off-by: Xin Long +Reviewed-by: Nikolay Aleksandrov +Acked-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1528,7 +1528,7 @@ int bond_enslave(struct net_device *bond + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", + slave_dev->name); +- goto err_close; ++ goto err_hwaddr_unsync; + } + + prev_slave = bond_last_slave(bond); +@@ -1769,6 +1769,10 @@ err_detach: + synchronize_rcu(); + slave_disable_netpoll(new_slave); + ++err_hwaddr_unsync: ++ if (!bond_uses_primary(bond)) ++ bond_hw_addr_flush(bond_dev, slave_dev); ++ + err_close: + slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); diff --git a/queue-4.14/brcmfmac-fix-check-for-iso3166-code.patch b/queue-4.14/brcmfmac-fix-check-for-iso3166-code.patch new file mode 100644 index 00000000000..ad45f1bd6c9 --- /dev/null +++ b/queue-4.14/brcmfmac-fix-check-for-iso3166-code.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefan Wahren +Date: Wed, 14 Mar 2018 20:02:59 +0100 +Subject: brcmfmac: Fix check for ISO3166 code + +From: Stefan Wahren + +[ Upstream commit 9b9322db5c5a1917a66c71fe47c3848a9a31227e ] + +The commit "regulatory: add NUL to request alpha2" increases the length of +alpha2 to 3. This causes a regression on brcmfmac, because +brcmf_cfg80211_reg_notifier() expect valid ISO3166 codes in the complete +array. So fix this accordingly. + +Fixes: 657308f73e67 ("regulatory: add NUL to request alpha2") +Signed-off-by: Stefan Wahren +Acked-by: Franky Lin +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +@@ -6916,7 +6916,7 @@ static void brcmf_cfg80211_reg_notifier( + return; + + /* ignore non-ISO3166 country codes */ +- for (i = 0; i < sizeof(req->alpha2); i++) ++ for (i = 0; i < 2; i++) + if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') { + brcmf_err("not an ISO3166 code (0x%02x 0x%02x)\n", + req->alpha2[0], req->alpha2[1]); diff --git a/queue-4.14/btrfs-bail-out-on-error-during-replay_dir_deletes.patch b/queue-4.14/btrfs-bail-out-on-error-during-replay_dir_deletes.patch new file mode 100644 index 00000000000..e597651ebe8 --- /dev/null +++ b/queue-4.14/btrfs-bail-out-on-error-during-replay_dir_deletes.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:48 +0800 +Subject: Btrfs: bail out on error during replay_dir_deletes + +From: Liu Bo + +[ Upstream commit b98def7ca6e152ee55e36863dddf6f41f12d1dc6 ] + +If errors were returned by btrfs_next_leaf(), replay_dir_deletes needs +to bail out, otherwise @ret would be forced to be 0 after 'break;' and +the caller won't be aware of it. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2272,8 +2272,10 @@ again: + nritems = btrfs_header_nritems(path->nodes[0]); + if (path->slots[0] >= nritems) { + ret = btrfs_next_leaf(root, path); +- if (ret) ++ if (ret == 1) + break; ++ else if (ret < 0) ++ goto out; + } + btrfs_item_key_to_cpu(path->nodes[0], &found_key, + path->slots[0]); diff --git a/queue-4.14/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch b/queue-4.14/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch new file mode 100644 index 00000000000..b3d1e43eba1 --- /dev/null +++ b/queue-4.14/btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Liu Bo +Date: Sat, 31 Mar 2018 06:11:56 +0800 +Subject: Btrfs: clean up resources during umount after trans is aborted + +From: Liu Bo + +[ Upstream commit af7227338135d2f1b1552bf9a6d43e02dcba10b9 ] + +Currently if some fatal errors occur, like all IO get -EIO, resources +would be cleaned up when +a) transaction is being committed or +b) BTRFS_FS_STATE_ERROR is set + +However, in some rare cases, resources may be left alone after transaction +gets aborted and umount may run into some ASSERT(), e.g. +ASSERT(list_empty(&block_group->dirty_list)); + +For case a), in btrfs_commit_transaciton(), there're several places at the +beginning where we just call btrfs_end_transaction() without cleaning up +resources. For case b), it is possible that the trans handle doesn't have +any dirty stuff, then only trans hanlde is marked as aborted while +BTRFS_FS_STATE_ERROR is not set, so resources remain in memory. + +This makes btrfs also check BTRFS_FS_STATE_TRANS_ABORTED to make sure that +all resources won't stay in memory after umount. + +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -3896,7 +3896,8 @@ void close_ctree(struct btrfs_fs_info *f + btrfs_err(fs_info, "commit super ret %d", ret); + } + +- if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state)) ++ if (test_bit(BTRFS_FS_STATE_ERROR, &fs_info->fs_state) || ++ test_bit(BTRFS_FS_STATE_TRANS_ABORTED, &fs_info->fs_state)) + btrfs_error_commit_super(fs_info); + + kthread_stop(fs_info->transaction_kthread); diff --git a/queue-4.14/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch b/queue-4.14/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch new file mode 100644 index 00000000000..bf8695370a7 --- /dev/null +++ b/queue-4.14/btrfs-fix-copy_items-return-value-when-logging-an-inode.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Filipe Manana +Date: Mon, 26 Mar 2018 23:59:12 +0100 +Subject: Btrfs: fix copy_items() return value when logging an inode + +From: Filipe Manana + +[ Upstream commit 8434ec46c6e3232cebc25a910363b29f5c617820 ] + +When logging an inode, at tree-log.c:copy_items(), if we call +btrfs_next_leaf() at the loop which checks for the need to log holes, we +need to make sure copy_items() returns the value 1 to its caller and +not 0 (on success). This is because the path the caller passed was +released and is now different from what is was before, and the caller +expects a return value of 0 to mean both success and that the path +has not changed, while a return value of 1 means both success and +signals the caller that it can not reuse the path, it has to perform +another tree search. + +Even though this is a case that should not be triggered on normal +circumstances or very rare at least, its consequences can be very +unpredictable (especially when replaying a log tree). + +Fixes: 16e7549f045d ("Btrfs: incompatible format change to remove hole extents") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3918,6 +3918,7 @@ fill_holes: + ASSERT(ret == 0); + src = src_path->nodes[0]; + i = 0; ++ need_find_last_extent = true; + } + + btrfs_item_key_to_cpu(src, &key, i); diff --git a/queue-4.14/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch b/queue-4.14/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch new file mode 100644 index 00000000000..8e75f9842b7 --- /dev/null +++ b/queue-4.14/btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch @@ -0,0 +1,436 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jeff Mahoney +Date: Fri, 16 Mar 2018 14:36:27 -0400 +Subject: btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers + +From: Jeff Mahoney + +[ Upstream commit 8a5a916d9a35e13576d79cc16e24611821b13e34 ] + +While running btrfs/011, I hit the following lockdep splat. + +This is the important bit: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + +The percpu_counter_init call in btrfs_alloc_subvolume_writers +uses GFP_KERNEL, which we can't do during transaction commit. + +This switches it to GFP_NOFS. + +======================================================== +WARNING: possible irq lock inversion dependency detected +4.12.14-kvmsmall #8 Tainted: G W +-------------------------------------------------------- +kswapd0/50 just changed the state of lock: + (&delayed_node->mutex){+.+.-.}, at: [] __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] +but this lock took another, RECLAIM_FS-unsafe lock in the past: + (pcpu_alloc_mutex){+.+.+.} + +and interrupts could create inverse lock ordering between them. + +other info that might help us debug this: +Chain exists of: + &delayed_node->mutex --> &found->groups_sem --> pcpu_alloc_mutex + + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(pcpu_alloc_mutex); + local_irq_disable(); + lock(&delayed_node->mutex); + lock(&found->groups_sem); + + lock(&delayed_node->mutex); + + *** DEADLOCK *** + +2 locks held by kswapd0/50: + #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x7f/0x5b0 + #1: (&type->s_umount_key#30){+++++.}, at: [] trylock_super+0x16/0x50 + +the shortest dependencies between 2nd lock and 1st lock: + -> (pcpu_alloc_mutex){+.+.+.} ops: 4904 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + kmem_cache_init_late+0x42/0x75 + start_kernel+0x343/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + RECLAIM_FS-ON-W at: + __kmalloc+0x47/0x310 + pcpu_extend_area_map+0x2b/0xc0 + pcpu_alloc+0x3ec/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + __do_tune_cpucache+0x2c/0x220 + do_tune_cpucache+0x26/0xc0 + enable_cpucache+0x6d/0xf0 + __kmem_cache_create+0x1bf/0x390 + create_cache+0xba/0x1b0 + kmem_cache_create+0x1f8/0x2b0 + ksm_init+0x6f/0x19d + do_one_initcall+0x50/0x1b0 + kernel_init_freeable+0x201/0x289 + kernel_init+0xa/0x100 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + pcpu_alloc+0x1ac/0x5e0 + alloc_kmem_cache_cpus.isra.70+0x25/0xa0 + setup_cpu_cache+0x2f/0x1f0 + __kmem_cache_create+0x1bf/0x390 + create_boot_cache+0x8b/0xb1 + kmem_cache_init+0xa1/0x19e + start_kernel+0x270/0x4cb + x86_64_start_kernel+0x127/0x134 + secondary_startup_64+0xa5/0xb0 + } + ... key at: [] pcpu_alloc_mutex+0x70/0xa0 + ... acquired at: + pcpu_alloc+0x1ac/0x5e0 + __percpu_counter_init+0x4e/0xb0 + btrfs_init_fs_root+0x99/0x1c0 [btrfs] + btrfs_get_fs_root.part.54+0x5b/0x150 [btrfs] + resolve_indirect_refs+0x130/0x830 [btrfs] + find_parent_nodes+0x69e/0xff0 [btrfs] + btrfs_find_all_roots_safe+0xa0/0x110 [btrfs] + btrfs_find_all_roots+0x50/0x70 [btrfs] + btrfs_qgroup_prepare_account_extents+0x53/0x90 [btrfs] + btrfs_commit_transaction+0x3ce/0x9b0 [btrfs] + transaction_kthread+0x176/0x1b0 [btrfs] + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + + -> (&fs_info->commit_root_sem){++++..} ops: 1566382 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + caching_thread+0x57/0x560 [btrfs] + normal_work_helper+0x1c0/0x5e0 [btrfs] + process_one_work+0x1e0/0x5c0 + worker_thread+0x44/0x390 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + down_write+0x3e/0xa0 + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + cow_file_range.isra.66+0x133/0x470 [btrfs] + run_delalloc_range+0x121/0x410 [btrfs] + writepage_delalloc.isra.50+0xfe/0x180 [btrfs] + __extent_writepage+0x19a/0x360 [btrfs] + extent_write_cache_pages.constprop.56+0x249/0x3e0 [btrfs] + extent_writepages+0x4d/0x60 [btrfs] + do_writepages+0x1a/0x70 + __filemap_fdatawrite_range+0xa7/0xe0 + btrfs_rename+0x5ee/0xdb0 [btrfs] + vfs_rename+0x52a/0x7e0 + SyS_rename+0x351/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.61970+0x0/0xfffffffffff9aa88 [btrfs] + ... acquired at: + cache_block_group+0x287/0x420 [btrfs] + find_free_extent+0x106c/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + btrfs_create_tree+0xbb/0x2a0 [btrfs] + btrfs_create_uuid_tree+0x37/0x140 [btrfs] + open_ctree+0x23c0/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + + -> (&found->groups_sem){++++..} ops: 2134587 { + HARDIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + HARDIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-R at: + down_read+0x35/0x90 + btrfs_calc_num_tolerated_disk_barrier_failures+0x113/0x1f0 [btrfs] + open_ctree+0x207b/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + INITIAL USE at: + down_write+0x3e/0xa0 + __link_block_group+0x34/0x130 [btrfs] + btrfs_read_block_groups+0x33d/0x7b0 [btrfs] + open_ctree+0x2054/0x2660 [btrfs] + btrfs_mount+0xd36/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + btrfs_mount+0x18c/0xf90 [btrfs] + mount_fs+0x3a/0x160 + vfs_kern_mount+0x66/0x150 + do_mount+0x1c1/0xcc0 + SyS_mount+0x7e/0xd0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.59101+0x0/0xfffffffffff9ab78 [btrfs] + ... acquired at: + find_free_extent+0xcb4/0x12d0 [btrfs] + btrfs_reserve_extent+0xd8/0x170 [btrfs] + btrfs_alloc_tree_block+0x12f/0x4c0 [btrfs] + __btrfs_cow_block+0x110/0x5b0 [btrfs] + btrfs_cow_block+0xd7/0x290 [btrfs] + btrfs_search_slot+0x1f6/0x960 [btrfs] + btrfs_lookup_inode+0x2a/0x90 [btrfs] + __btrfs_update_delayed_inode+0x65/0x210 [btrfs] + btrfs_commit_inode_delayed_inode+0x121/0x130 [btrfs] + btrfs_evict_inode+0x3fe/0x6a0 [btrfs] + evict+0xc4/0x190 + __dentry_kill+0xbf/0x170 + dput+0x2ae/0x2f0 + SyS_rename+0x2a6/0x3b0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +-> (&delayed_node->mutex){+.+.-.} ops: 5580204 { + HARDIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + SOFTIRQ-ON-W at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + IN-RECLAIM_FS-W at: + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + INITIAL USE at: + __mutex_lock+0x4e/0x8c0 + btrfs_delayed_update_inode+0x46/0x6e0 [btrfs] + btrfs_update_inode+0x83/0x110 [btrfs] + btrfs_dirty_inode+0x62/0xe0 [btrfs] + touch_atime+0x8c/0xb0 + do_generic_file_read+0x818/0xb10 + __vfs_read+0xdc/0x150 + vfs_read+0x8a/0x130 + SyS_read+0x45/0xa0 + do_syscall_64+0x79/0x1e0 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + } + ... key at: [] __key.56935+0x0/0xfffffffffff96b78 [btrfs] + ... acquired at: + __lock_acquire+0x264/0x11c0 + lock_acquire+0xbd/0x1e0 + __mutex_lock+0x4e/0x8c0 + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ret_from_fork+0x3a/0x50 + +stack backtrace: +CPU: 1 PID: 50 Comm: kswapd0 Tainted: G W 4.12.14-kvmsmall #8 SLE15 (unreleased) +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0x78/0xb7 + print_irq_inversion_bug.part.38+0x19f/0x1aa + check_usage_forwards+0x102/0x120 + ? ret_from_fork+0x3a/0x50 + ? check_usage_backwards+0x110/0x110 + mark_lock+0x16c/0x270 + __lock_acquire+0x264/0x11c0 + ? pagevec_lookup_entries+0x1a/0x30 + ? truncate_inode_pages_range+0x2b3/0x7f0 + lock_acquire+0xbd/0x1e0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + __mutex_lock+0x4e/0x8c0 + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + ? btrfs_evict_inode+0x1f6/0x6a0 [btrfs] + __btrfs_release_delayed_node+0x3a/0x1f0 [btrfs] + btrfs_evict_inode+0x22c/0x6a0 [btrfs] + evict+0xc4/0x190 + dispose_list+0x35/0x50 + prune_icache_sb+0x42/0x50 + super_cache_scan+0x139/0x190 + shrink_slab+0x262/0x5b0 + shrink_node+0x2eb/0x2f0 + kswapd+0x2eb/0x890 + kthread+0x102/0x140 + ? mem_cgroup_shrink_node+0x2c0/0x2c0 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x3a/0x50 + +Signed-off-by: Jeff Mahoney +Reviewed-by: Liu Bo +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/disk-io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/disk-io.c ++++ b/fs/btrfs/disk-io.c +@@ -1276,7 +1276,7 @@ static struct btrfs_subvolume_writers *b + if (!writers) + return ERR_PTR(-ENOMEM); + +- ret = percpu_counter_init(&writers->counter, 0, GFP_KERNEL); ++ ret = percpu_counter_init(&writers->counter, 0, GFP_NOFS); + if (ret < 0) { + kfree(writers); + return ERR_PTR(ret); diff --git a/queue-4.14/btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch b/queue-4.14/btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch new file mode 100644 index 00000000000..82c7b7c56aa --- /dev/null +++ b/queue-4.14/btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Filipe Manana +Date: Wed, 28 Feb 2018 15:55:40 +0000 +Subject: Btrfs: fix log replay failure after linking special file and fsync + +From: Filipe Manana + +[ Upstream commit 9a6509c4daa91400b52a5fd541a5521c649a8fea ] + +If in the same transaction we rename a special file (fifo, character/block +device or symbolic link), create a hard link for it having its old name +then sync the log, we will end up with a log that can not be replayed and +at when attempting to replay it, an EEXIST error is returned and mounting +the filesystem fails. Example scenario: + + $ mkfs.btrfs -f /dev/sdc + $ mount /dev/sdc /mnt + $ mkdir /mnt/testdir + $ mkfifo /mnt/testdir/foo + # Make sure everything done so far is durably persisted. + $ sync + + # Create some unrelated file and fsync it, this is just to create a log + # tree. The file must be in the same directory as our special file. + $ touch /mnt/testdir/f1 + $ xfs_io -c "fsync" /mnt/testdir/f1 + + # Rename our special file and then create a hard link with its old name. + $ mv /mnt/testdir/foo /mnt/testdir/bar + $ ln /mnt/testdir/bar /mnt/testdir/foo + + # Create some other unrelated file and fsync it, this is just to persist + # the log tree which was modified by the previous rename and link + # operations. Alternatively we could have modified file f1 and fsync it. + $ touch /mnt/f2 + $ xfs_io -c "fsync" /mnt/f2 + + + + $ mount /dev/sdc /mnt + mount: mount /dev/sdc on /mnt failed: File exists + +This happens because when both the log tree and the subvolume's tree have +an entry in the directory "testdir" with the same name, that is, there +is one key (258 INODE_REF 257) in the subvolume tree and another one in +the log tree (where 258 is the inode number of our special file and 257 +is the inode for directory "testdir"). Only the data of those two keys +differs, in the subvolume tree the index field for inode reference has +a value of 3 while the log tree it has a value of 5. Because the same key +exists in both trees, but have different index, the log replay fails with +an -EEXIST error when attempting to replay the inode reference from the +log tree. + +Fix this by setting the last_unlink_trans field of the inode (our special +file) to the current transaction id when a hard link is created, as this +forces logging the parent directory inode, solving the conflict at log +replay time. + +A new generic test case for fstests was also submitted. + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -5888,7 +5888,7 @@ int btrfs_log_new_name(struct btrfs_tran + * this will force the logging code to walk the dentry chain + * up for the file + */ +- if (S_ISREG(inode->vfs_inode.i_mode)) ++ if (!S_ISDIR(inode->vfs_inode.i_mode)) + inode->last_unlink_trans = trans->transid; + + /* diff --git a/queue-4.14/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch b/queue-4.14/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch new file mode 100644 index 00000000000..40c57dda8bc --- /dev/null +++ b/queue-4.14/btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch @@ -0,0 +1,147 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Filipe Manana +Date: Thu, 5 Apr 2018 22:55:12 +0100 +Subject: Btrfs: fix loss of prealloc extents past i_size after fsync log replay + +From: Filipe Manana + +[ Upstream commit 471d557afed155b85da237ec46c549f443eeb5de ] + +Currently if we allocate extents beyond an inode's i_size (through the +fallocate system call) and then fsync the file, we log the extents but +after a power failure we replay them and then immediately drop them. +This behaviour happens since about 2009, commit c71bf099abdd ("Btrfs: +Avoid orphan inodes cleanup while replaying log"), because it marks +the inode as an orphan instead of dropping any extents beyond i_size +before replaying logged extents, so after the log replay, and while +the mount operation is still ongoing, we find the inode marked as an +orphan and then perform a truncation (drop extents beyond the inode's +i_size). Because the processing of orphan inodes is still done +right after replaying the log and before the mount operation finishes, +the intention of that commit does not make any sense (at least as +of today). However reverting that behaviour is not enough, because +we can not simply discard all extents beyond i_size and then replay +logged extents, because we risk dropping extents beyond i_size created +in past transactions, for example: + + add prealloc extent beyond i_size + fsync - clears the flag BTRFS_INODE_NEEDS_FULL_SYNC from the inode + transaction commit + add another prealloc extent beyond i_size + fsync - triggers the fast fsync path + power failure + +In that scenario, we would drop the first extent and then replay the +second one. To fix this just make sure that all prealloc extents +beyond i_size are logged, and if we find too many (which is far from +a common case), fallback to a full transaction commit (like we do when +logging regular extents in the fast fsync path). + +Trivial reproducer: + + $ mkfs.btrfs -f /dev/sdb + $ mount /dev/sdb /mnt + $ xfs_io -f -c "pwrite -S 0xab 0 256K" /mnt/foo + $ sync + $ xfs_io -c "falloc -k 256K 1M" /mnt/foo + $ xfs_io -c "fsync" /mnt/foo + + + # mount to replay log + $ mount /dev/sdb /mnt + # at this point the file only has one extent, at offset 0, size 256K + +A test case for fstests follows soon, covering multiple scenarios that +involve adding prealloc extents with previous shrinking truncates and +without such truncates. + +Fixes: c71bf099abdd ("Btrfs: Avoid orphan inodes cleanup while replaying log") +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 58 insertions(+), 5 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2377,13 +2377,41 @@ static int replay_one_buffer(struct btrf + if (ret) + break; + +- /* for regular files, make sure corresponding +- * orphan item exist. extents past the new EOF +- * will be truncated later by orphan cleanup. ++ /* ++ * Before replaying extents, truncate the inode to its ++ * size. We need to do it now and not after log replay ++ * because before an fsync we can have prealloc extents ++ * added beyond the inode's i_size. If we did it after, ++ * through orphan cleanup for example, we would drop ++ * those prealloc extents just after replaying them. + */ + if (S_ISREG(mode)) { +- ret = insert_orphan_item(wc->trans, root, +- key.objectid); ++ struct inode *inode; ++ u64 from; ++ ++ inode = read_one_inode(root, key.objectid); ++ if (!inode) { ++ ret = -EIO; ++ break; ++ } ++ from = ALIGN(i_size_read(inode), ++ root->fs_info->sectorsize); ++ ret = btrfs_drop_extents(wc->trans, root, inode, ++ from, (u64)-1, 1); ++ /* ++ * If the nlink count is zero here, the iput ++ * will free the inode. We bump it to make ++ * sure it doesn't get freed until the link ++ * count fixup is done. ++ */ ++ if (!ret) { ++ if (inode->i_nlink == 0) ++ inc_nlink(inode); ++ /* Update link count and nbytes. */ ++ ret = btrfs_update_inode(wc->trans, ++ root, inode); ++ } ++ iput(inode); + if (ret) + break; + } +@@ -4234,6 +4262,31 @@ static int btrfs_log_changed_extents(str + num++; + } + ++ /* ++ * Add all prealloc extents beyond the inode's i_size to make sure we ++ * don't lose them after doing a fast fsync and replaying the log. ++ */ ++ if (inode->flags & BTRFS_INODE_PREALLOC) { ++ struct rb_node *node; ++ ++ for (node = rb_last(&tree->map); node; node = rb_prev(node)) { ++ em = rb_entry(node, struct extent_map, rb_node); ++ if (em->start < i_size_read(&inode->vfs_inode)) ++ break; ++ if (!list_empty(&em->list)) ++ continue; ++ /* Same as above loop. */ ++ if (++num > 32768) { ++ list_del_init(&tree->modified_extents); ++ ret = -EFBIG; ++ goto process; ++ } ++ refcount_inc(&em->refs); ++ set_bit(EXTENT_FLAG_LOGGING, &em->flags); ++ list_add_tail(&em->list, &extents); ++ } ++ } ++ + list_sort(NULL, &extents, extent_cmp); + btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); + /* diff --git a/queue-4.14/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch b/queue-4.14/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch new file mode 100644 index 00000000000..c05baf9b507 --- /dev/null +++ b/queue-4.14/btrfs-fix-null-pointer-dereference-in-log_dir_items.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Liu Bo +Date: Tue, 3 Apr 2018 01:59:47 +0800 +Subject: Btrfs: fix NULL pointer dereference in log_dir_items + +From: Liu Bo + +[ Upstream commit 80c0b4210a963e31529e15bf90519708ec947596 ] + +0, 1 and <0 can be returned by btrfs_next_leaf(), and when <0 is +returned, path->nodes[0] could be NULL, log_dir_items lacks such a +check for <0 and we may run into a null pointer dereference panic. + +Fixes: e02119d5a7b4 ("Btrfs: Add a write ahead tree log to optimize synchronous operations") +Reviewed-by: Nikolay Borisov +Signed-off-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -3462,8 +3462,11 @@ static noinline int log_dir_items(struct + * from this directory and from this transaction + */ + ret = btrfs_next_leaf(root, path); +- if (ret == 1) { +- last_offset = (u64)-1; ++ if (ret) { ++ if (ret == 1) ++ last_offset = (u64)-1; ++ else ++ err = ret; + goto done; + } + btrfs_item_key_to_cpu(path->nodes[0], &tmp, path->slots[0]); diff --git a/queue-4.14/btrfs-fix-possible-softlock-on-single-core-machines.patch b/queue-4.14/btrfs-fix-possible-softlock-on-single-core-machines.patch new file mode 100644 index 00000000000..04c6940ac55 --- /dev/null +++ b/queue-4.14/btrfs-fix-possible-softlock-on-single-core-machines.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Nikolay Borisov +Date: Thu, 5 Apr 2018 10:40:15 +0300 +Subject: btrfs: Fix possible softlock on single core machines + +From: Nikolay Borisov + +[ Upstream commit 1e1c50a929bc9e49bc3f9935b92450d9e69f8158 ] + +do_chunk_alloc implements a loop checking whether there is a pending +chunk allocation and if so causes the caller do loop. Generally this +loop is executed only once, however testing with btrfs/072 on a single +core vm machines uncovered an extreme case where the system could loop +indefinitely. This is due to a missing cond_resched when loop which +doesn't give a chance to the previous chunk allocator finish its job. + +The fix is to simply add the missing cond_resched. + +Fixes: 6d74119f1a3e ("Btrfs: avoid taking the chunk_mutex in do_chunk_alloc") +Signed-off-by: Nikolay Borisov +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent-tree.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -4675,6 +4675,7 @@ again: + if (wait_for_alloc) { + mutex_unlock(&fs_info->chunk_mutex); + wait_for_alloc = 0; ++ cond_resched(); + goto again; + } + diff --git a/queue-4.14/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch b/queue-4.14/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch new file mode 100644 index 00000000000..8e7cb430997 --- /dev/null +++ b/queue-4.14/btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Qu Wenruo +Date: Tue, 19 Dec 2017 15:44:54 +0800 +Subject: btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled + +From: Qu Wenruo + +[ Upstream commit 4d31778aa2fa342f5f92ca4025b293a1729161d1 ] + +When multiple pending snapshots referring to the same source subvolume +are executed, enabled quota will cause root item corruption, where root +items are using old bytenr (no backref in extent tree). + +This can be triggered by fstests btrfs/152. + +The cause is when source subvolume is still dirty, extra commit +(simplied transaction commit) of qgroup_account_snapshot() can skip +dirty roots not recorded in current transaction, making root item of +source subvolume not updated. + +Fix it by forcing recording source subvolume in current transaction +before qgroup sub-transaction commit. + +Reported-by: Justin Maggard +Signed-off-by: Qu Wenruo +Reviewed-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/transaction.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -319,7 +319,7 @@ static int record_root_in_trans(struct b + if ((test_bit(BTRFS_ROOT_REF_COWS, &root->state) && + root->last_trans < trans->transid) || force) { + WARN_ON(root == fs_info->extent_root); +- WARN_ON(root->commit_root != root->node); ++ WARN_ON(!force && root->commit_root != root->node); + + /* + * see below for IN_TRANS_SETUP usage rules +@@ -1366,6 +1366,14 @@ static int qgroup_account_snapshot(struc + return 0; + + /* ++ * Ensure dirty @src will be commited. Or, after comming ++ * commit_fs_roots() and switch_commit_roots(), any dirty but not ++ * recorded root will never be updated again, causing an outdated root ++ * item. ++ */ ++ record_root_in_trans(trans, src, 1); ++ ++ /* + * We are going to commit transaction, see btrfs_commit_transaction() + * comment for reason locking tree_log_mutex + */ diff --git a/queue-4.14/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch b/queue-4.14/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch new file mode 100644 index 00000000000..1df518920f4 --- /dev/null +++ b/queue-4.14/btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Filipe Manana +Date: Tue, 6 Feb 2018 20:39:20 +0000 +Subject: Btrfs: send, fix issuing write op when processing hole in no data mode + +From: Filipe Manana + +[ Upstream commit d4dfc0f4d39475ccbbac947880b5464a74c30b99 ] + +When doing an incremental send of a filesystem with the no-holes feature +enabled, we end up issuing a write operation when using the no data mode +send flag, instead of issuing an update extent operation. Fix this by +issuing the update extent operation instead. + +Trivial reproducer: + + $ mkfs.btrfs -f -O no-holes /dev/sdc + $ mkfs.btrfs -f /dev/sdd + $ mount /dev/sdc /mnt/sdc + $ mount /dev/sdd /mnt/sdd + + $ xfs_io -f -c "pwrite -S 0xab 0 32K" /mnt/sdc/foobar + $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap1 + + $ xfs_io -c "fpunch 8K 8K" /mnt/sdc/foobar + $ btrfs subvolume snapshot -r /mnt/sdc /mnt/sdc/snap2 + + $ btrfs send /mnt/sdc/snap1 | btrfs receive /mnt/sdd + $ btrfs send --no-data -p /mnt/sdc/snap1 /mnt/sdc/snap2 \ + | btrfs receive -vv /mnt/sdd + +Before this change the output of the second receive command is: + + receiving snapshot snap2 uuid=f6922049-8c22-e544-9ff9-fc6755918447... + utimes + write foobar, offset 8192, len 8192 + utimes foobar + BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=f6922049-8c22-e544-9ff9-... + +After this change it is: + + receiving snapshot snap2 uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64... + utimes + update_extent foobar: offset=8192, len=8192 + utimes foobar + BTRFS_IOC_SET_RECEIVED_SUBVOL uuid=564d36a3-ebc8-7343-aec9-bf6fda278e64... + +Signed-off-by: Filipe Manana +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -5008,6 +5008,9 @@ static int send_hole(struct send_ctx *sc + u64 len; + int ret = 0; + ++ if (sctx->flags & BTRFS_SEND_FLAG_NO_FILE_DATA) ++ return send_update_extent(sctx, offset, end - offset); ++ + p = fs_path_alloc(); + if (!p) + return -ENOMEM; diff --git a/queue-4.14/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch b/queue-4.14/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch new file mode 100644 index 00000000000..77cb271d4f7 --- /dev/null +++ b/queue-4.14/btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Qu Wenruo +Date: Tue, 27 Mar 2018 20:44:18 +0800 +Subject: btrfs: tests/qgroup: Fix wrong tree backref level + +From: Qu Wenruo + +[ Upstream commit 3c0efdf03b2d127f0e40e30db4e7aa0429b1b79a ] + +The extent tree of the test fs is like the following: + + BTRFS info (device (null)): leaf 16327509003777336587 total ptrs 1 free space 3919 + item 0 key (4096 168 4096) itemoff 3944 itemsize 51 + extent refs 1 gen 1 flags 2 + tree block key (68719476736 0 0) level 1 + ^^^^^^^ + ref#0: tree block backref root 5 + +And it's using an empty tree for fs tree, so there is no way that its +level can be 1. + +For REAL (created by mkfs) fs tree backref with no skinny metadata, the +result should look like: + + item 3 key (30408704 EXTENT_ITEM 4096) itemoff 3845 itemsize 51 + refs 1 gen 4 flags TREE_BLOCK + tree block key (256 INODE_ITEM 0) level 0 + ^^^^^^^ + tree block backref root 5 + +Fix the level to 0, so it won't break later tree level checker. + +Fixes: faa2dbf004e8 ("Btrfs: add sanity tests for new qgroup accounting code") +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tests/qgroup-tests.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/tests/qgroup-tests.c ++++ b/fs/btrfs/tests/qgroup-tests.c +@@ -63,7 +63,7 @@ static int insert_normal_tree_ref(struct + btrfs_set_extent_generation(leaf, item, 1); + btrfs_set_extent_flags(leaf, item, BTRFS_EXTENT_FLAG_TREE_BLOCK); + block_info = (struct btrfs_tree_block_info *)(item + 1); +- btrfs_set_tree_block_level(leaf, block_info, 1); ++ btrfs_set_tree_block_level(leaf, block_info, 0); + iref = (struct btrfs_extent_inline_ref *)(block_info + 1); + if (parent > 0) { + btrfs_set_extent_inline_ref_type(leaf, iref, diff --git a/queue-4.14/btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch b/queue-4.14/btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch new file mode 100644 index 00000000000..5b5bde6696f --- /dev/null +++ b/queue-4.14/btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jeff Mahoney +Date: Thu, 15 Feb 2018 22:59:47 -0500 +Subject: btrfs: use kvzalloc to allocate btrfs_fs_info + +From: Jeff Mahoney + +[ Upstream commit a8fd1f71749387c9a1053a83ff1c16287499a4e7 ] + +The srcu_struct in btrfs_fs_info scales in size with NR_CPUS. On +kernels built with NR_CPUS=8192, this can result in kmalloc failures +that prevent mounting. + +There is work in progress to try to resolve this for every user of +srcu_struct but using kvzalloc will work around the failures until +that is complete. + +As an example with NR_CPUS=512 on x86_64: the overall size of +subvol_srcu is 3460 bytes, fs_info is 6496. + +Signed-off-by: Jeff Mahoney +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.h | 2 +- + fs/btrfs/super.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ctree.h ++++ b/fs/btrfs/ctree.h +@@ -2969,7 +2969,7 @@ static inline void free_fs_info(struct b + kfree(fs_info->super_copy); + kfree(fs_info->super_for_commit); + security_free_mnt_opts(&fs_info->security_opts); +- kfree(fs_info); ++ kvfree(fs_info); + } + + /* tree mod log functions from ctree.c */ +--- a/fs/btrfs/super.c ++++ b/fs/btrfs/super.c +@@ -1581,7 +1581,7 @@ static struct dentry *btrfs_mount(struct + * it for searching for existing supers, so this lets us do that and + * then open_ctree will properly initialize everything later. + */ +- fs_info = kzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL); ++ fs_info = kvzalloc(sizeof(struct btrfs_fs_info), GFP_KERNEL); + if (!fs_info) { + error = -ENOMEM; + goto error_sec_opts; diff --git a/queue-4.14/bug.h-work-around-gcc-pr82365-in-bug.patch b/queue-4.14/bug.h-work-around-gcc-pr82365-in-bug.patch new file mode 100644 index 00000000000..fa897c53fe5 --- /dev/null +++ b/queue-4.14/bug.h-work-around-gcc-pr82365-in-bug.patch @@ -0,0 +1,259 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arnd Bergmann +Date: Wed, 21 Feb 2018 14:45:54 -0800 +Subject: bug.h: work around GCC PR82365 in BUG() + +From: Arnd Bergmann + +[ Upstream commit 173a3efd3edb2ef6ef07471397c5f542a360e9c1 ] + +Looking at functions with large stack frames across all architectures +led me discovering that BUG() suffers from the same problem as +fortify_panic(), which I've added a workaround for already. + +In short, variables that go out of scope by calling a noreturn function +or __builtin_unreachable() keep using stack space in functions +afterwards. + +A workaround that was identified is to insert an empty assembler +statement just before calling the function that doesn't return. I'm +adding a macro "barrier_before_unreachable()" to document this, and +insert calls to that in all instances of BUG() that currently suffer +from this problem. + +The files that saw the largest change from this had these frame sizes +before, and much less with my patch: + + fs/ext4/inode.c:82:1: warning: the frame size of 1672 bytes is larger than 800 bytes [-Wframe-larger-than=] + fs/ext4/namei.c:434:1: warning: the frame size of 904 bytes is larger than 800 bytes [-Wframe-larger-than=] + fs/ext4/super.c:2279:1: warning: the frame size of 1160 bytes is larger than 800 bytes [-Wframe-larger-than=] + fs/ext4/xattr.c:146:1: warning: the frame size of 1168 bytes is larger than 800 bytes [-Wframe-larger-than=] + fs/f2fs/inode.c:152:1: warning: the frame size of 1424 bytes is larger than 800 bytes [-Wframe-larger-than=] + net/netfilter/ipvs/ip_vs_core.c:1195:1: warning: the frame size of 1068 bytes is larger than 800 bytes [-Wframe-larger-than=] + net/netfilter/ipvs/ip_vs_core.c:395:1: warning: the frame size of 1084 bytes is larger than 800 bytes [-Wframe-larger-than=] + net/netfilter/ipvs/ip_vs_ftp.c:298:1: warning: the frame size of 928 bytes is larger than 800 bytes [-Wframe-larger-than=] + net/netfilter/ipvs/ip_vs_ftp.c:418:1: warning: the frame size of 908 bytes is larger than 800 bytes [-Wframe-larger-than=] + net/netfilter/ipvs/ip_vs_lblcr.c:718:1: warning: the frame size of 960 bytes is larger than 800 bytes [-Wframe-larger-than=] + drivers/net/xen-netback/netback.c:1500:1: warning: the frame size of 1088 bytes is larger than 800 bytes [-Wframe-larger-than=] + +In case of ARC and CRIS, it turns out that the BUG() implementation +actually does return (or at least the compiler thinks it does), +resulting in lots of warnings about uninitialized variable use and +leaving noreturn functions, such as: + + block/cfq-iosched.c: In function 'cfq_async_queue_prio': + block/cfq-iosched.c:3804:1: error: control reaches end of non-void function [-Werror=return-type] + include/linux/dmaengine.h: In function 'dma_maxpq': + include/linux/dmaengine.h:1123:1: error: control reaches end of non-void function [-Werror=return-type] + +This makes them call __builtin_trap() instead, which should normally +dump the stack and kill the current process, like some of the other +architectures already do. + +I tried adding barrier_before_unreachable() to panic() and +fortify_panic() as well, but that had very little effect, so I'm not +submitting that patch. + +Vineet said: + +: For ARC, it is double win. +: +: 1. Fixes 3 -Wreturn-type warnings +: +: | ../net/core/ethtool.c:311:1: warning: control reaches end of non-void function +: [-Wreturn-type] +: | ../kernel/sched/core.c:3246:1: warning: control reaches end of non-void function +: [-Wreturn-type] +: | ../include/linux/sunrpc/svc_xprt.h:180:1: warning: control reaches end of +: non-void function [-Wreturn-type] +: +: 2. bloat-o-meter reports code size improvements as gcc elides the +: generated code for stack return. + +Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365 +Link: http://lkml.kernel.org/r/20171219114112.939391-1-arnd@arndb.de +Signed-off-by: Arnd Bergmann +Acked-by: Vineet Gupta [arch/arc] +Tested-by: Vineet Gupta [arch/arc] +Cc: Mikael Starvik +Cc: Jesper Nilsson +Cc: Tony Luck +Cc: Fenghua Yu +Cc: Geert Uytterhoeven +Cc: "David S. Miller" +Cc: Christopher Li +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: Kees Cook +Cc: Ingo Molnar +Cc: Josh Poimboeuf +Cc: Will Deacon +Cc: "Steven Rostedt (VMware)" +Cc: Mark Rutland +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/bug.h | 3 ++- + arch/cris/include/arch-v10/arch/bug.h | 11 +++++++++-- + arch/ia64/include/asm/bug.h | 6 +++++- + arch/m68k/include/asm/bug.h | 3 +++ + arch/sparc/include/asm/bug.h | 6 +++++- + include/asm-generic/bug.h | 1 + + include/linux/compiler-gcc.h | 15 ++++++++++++++- + include/linux/compiler.h | 5 +++++ + 8 files changed, 44 insertions(+), 6 deletions(-) + +--- a/arch/arc/include/asm/bug.h ++++ b/arch/arc/include/asm/bug.h +@@ -23,7 +23,8 @@ void die(const char *str, struct pt_regs + + #define BUG() do { \ + pr_warn("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \ +- dump_stack(); \ ++ barrier_before_unreachable(); \ ++ __builtin_trap(); \ + } while (0) + + #define HAVE_ARCH_BUG +--- a/arch/cris/include/arch-v10/arch/bug.h ++++ b/arch/cris/include/arch-v10/arch/bug.h +@@ -44,18 +44,25 @@ struct bug_frame { + * not be used like this with newer versions of gcc. + */ + #define BUG() \ ++do { \ + __asm__ __volatile__ ("clear.d [" __stringify(BUG_MAGIC) "]\n\t"\ + "movu.w " __stringify(__LINE__) ",$r0\n\t"\ + "jump 0f\n\t" \ + ".section .rodata\n" \ + "0:\t.string \"" __FILE__ "\"\n\t" \ +- ".previous") ++ ".previous"); \ ++ unreachable(); \ ++} while (0) + #endif + + #else + + /* This just causes an oops. */ +-#define BUG() (*(int *)0 = 0) ++#define BUG() \ ++do { \ ++ barrier_before_unreachable(); \ ++ __builtin_trap(); \ ++} while (0) + + #endif + +--- a/arch/ia64/include/asm/bug.h ++++ b/arch/ia64/include/asm/bug.h +@@ -4,7 +4,11 @@ + + #ifdef CONFIG_BUG + #define ia64_abort() __builtin_trap() +-#define BUG() do { printk("kernel BUG at %s:%d!\n", __FILE__, __LINE__); ia64_abort(); } while (0) ++#define BUG() do { \ ++ printk("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \ ++ barrier_before_unreachable(); \ ++ ia64_abort(); \ ++} while (0) + + /* should this BUG be made generic? */ + #define HAVE_ARCH_BUG +--- a/arch/m68k/include/asm/bug.h ++++ b/arch/m68k/include/asm/bug.h +@@ -8,16 +8,19 @@ + #ifndef CONFIG_SUN3 + #define BUG() do { \ + pr_crit("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \ ++ barrier_before_unreachable(); \ + __builtin_trap(); \ + } while (0) + #else + #define BUG() do { \ + pr_crit("kernel BUG at %s:%d!\n", __FILE__, __LINE__); \ ++ barrier_before_unreachable(); \ + panic("BUG!"); \ + } while (0) + #endif + #else + #define BUG() do { \ ++ barrier_before_unreachable(); \ + __builtin_trap(); \ + } while (0) + #endif +--- a/arch/sparc/include/asm/bug.h ++++ b/arch/sparc/include/asm/bug.h +@@ -9,10 +9,14 @@ + void do_BUG(const char *file, int line); + #define BUG() do { \ + do_BUG(__FILE__, __LINE__); \ ++ barrier_before_unreachable(); \ + __builtin_trap(); \ + } while (0) + #else +-#define BUG() __builtin_trap() ++#define BUG() do { \ ++ barrier_before_unreachable(); \ ++ __builtin_trap(); \ ++} while (0) + #endif + + #define HAVE_ARCH_BUG +--- a/include/asm-generic/bug.h ++++ b/include/asm-generic/bug.h +@@ -50,6 +50,7 @@ struct bug_entry { + #ifndef HAVE_ARCH_BUG + #define BUG() do { \ + printk("BUG: failure at %s:%d/%s()!\n", __FILE__, __LINE__, __func__); \ ++ barrier_before_unreachable(); \ + panic("BUG!"); \ + } while (0) + #endif +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -212,6 +212,15 @@ + #endif + + /* ++ * calling noreturn functions, __builtin_unreachable() and __builtin_trap() ++ * confuse the stack allocation in gcc, leading to overly large stack ++ * frames, see https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365 ++ * ++ * Adding an empty inline assembly before it works around the problem ++ */ ++#define barrier_before_unreachable() asm volatile("") ++ ++/* + * Mark a position in code as unreachable. This can be used to + * suppress control flow warnings after asm blocks that transfer + * control elsewhere. +@@ -221,7 +230,11 @@ + * unreleased. Really, we need to have autoconf for the kernel. + */ + #define unreachable() \ +- do { annotate_unreachable(); __builtin_unreachable(); } while (0) ++ do { \ ++ annotate_unreachable(); \ ++ barrier_before_unreachable(); \ ++ __builtin_unreachable(); \ ++ } while (0) + + /* Mark a function definition as prohibited from being cloned. */ + #define __noclone __attribute__((__noclone__, __optimize__("no-tracer"))) +--- a/include/linux/compiler.h ++++ b/include/linux/compiler.h +@@ -86,6 +86,11 @@ void ftrace_likely_update(struct ftrace_ + # define barrier_data(ptr) barrier() + #endif + ++/* workaround for GCC PR82365 if needed */ ++#ifndef barrier_before_unreachable ++# define barrier_before_unreachable() do { } while (0) ++#endif ++ + /* Unreachable code */ + #ifdef CONFIG_STACK_VALIDATION + #define annotate_reachable() ({ \ diff --git a/queue-4.14/builddeb-fix-header-package-regarding-dtc-source-links.patch b/queue-4.14/builddeb-fix-header-package-regarding-dtc-source-links.patch new file mode 100644 index 00000000000..5dbb06e2249 --- /dev/null +++ b/queue-4.14/builddeb-fix-header-package-regarding-dtc-source-links.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jan Kiszka +Date: Wed, 21 Mar 2018 13:15:28 +0800 +Subject: builddeb: Fix header package regarding dtc source links + +From: Jan Kiszka + +[ Upstream commit f8437520704cfd9cc442a99d73ed708a3cdadaf9 ] + +Since d5d332d3f7e8, a couple of links in scripts/dtc/include-prefixes +are additionally required in order to build device trees with the header +package. + +Signed-off-by: Jan Kiszka +Reviewed-by: Riku Voipio +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/package/builddeb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/scripts/package/builddeb ++++ b/scripts/package/builddeb +@@ -313,7 +313,7 @@ fi + + # Build kernel header package + (cd $srctree; find . -name Makefile\* -o -name Kconfig\* -o -name \*.pl) > "$objtree/debian/hdrsrcfiles" +-(cd $srctree; find arch/*/include include scripts -type f) >> "$objtree/debian/hdrsrcfiles" ++(cd $srctree; find arch/*/include include scripts -type f -o -type l) >> "$objtree/debian/hdrsrcfiles" + (cd $srctree; find arch/$SRCARCH -name module.lds -o -name Kbuild.platforms -o -name Platform) >> "$objtree/debian/hdrsrcfiles" + (cd $srctree; find $(find arch/$SRCARCH -name include -o -name scripts -type d) -type f) >> "$objtree/debian/hdrsrcfiles" + if grep -q '^CONFIG_STACK_VALIDATION=y' $KCONFIG_CONFIG ; then diff --git a/queue-4.14/can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.14/can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch new file mode 100644 index 00000000000..f48dd174f97 --- /dev/null +++ b/queue-4.14/can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Wolfram Sang +Date: Tue, 6 Feb 2018 09:52:07 +0100 +Subject: can: m_can: change comparison to bitshift when dealing with a mask + +From: Wolfram Sang + +[ Upstream commit b7db978ac283b237835129ac87f26cbac94d04e7 ] + +Due to a typo, the mask was destroyed by a comparison instead of a bit +shift. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Wolfram Sang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/m_can/m_can.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -246,7 +246,7 @@ enum m_can_mram_cfg { + + /* Rx FIFO 0/1 Configuration (RXF0C/RXF1C) */ + #define RXFC_FWM_SHIFT 24 +-#define RXFC_FWM_MASK (0x7f < RXFC_FWM_SHIFT) ++#define RXFC_FWM_MASK (0x7f << RXFC_FWM_SHIFT) + #define RXFC_FS_SHIFT 16 + #define RXFC_FS_MASK (0x7f << RXFC_FS_SHIFT) + diff --git a/queue-4.14/can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch b/queue-4.14/can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch new file mode 100644 index 00000000000..cb0bed564ac --- /dev/null +++ b/queue-4.14/can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bich HEMON +Date: Mon, 12 Mar 2018 08:52:37 +0000 +Subject: can: m_can: select pinctrl state in each suspend/resume function + +From: Bich HEMON + +[ Upstream commit c9b3bce18da4a0aebc27853052dea39aa64b7d75 ] + +Make sure to apply the correct pin state in suspend/resume callbacks. +Putting pins in sleep state saves power. + +Signed-off-by: Bich Hemon +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/m_can/m_can.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/can/m_can/m_can.c ++++ b/drivers/net/can/m_can/m_can.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + /* napi related */ + #define M_CAN_NAPI_WEIGHT 64 +@@ -1682,6 +1683,8 @@ static __maybe_unused int m_can_suspend( + m_can_clk_stop(priv); + } + ++ pinctrl_pm_select_sleep_state(dev); ++ + priv->can.state = CAN_STATE_SLEEPING; + + return 0; +@@ -1692,6 +1695,8 @@ static __maybe_unused int m_can_resume(s + struct net_device *ndev = dev_get_drvdata(dev); + struct m_can_priv *priv = netdev_priv(ndev); + ++ pinctrl_pm_select_default_state(dev); ++ + m_can_init_ram(priv); + + priv->can.state = CAN_STATE_ERROR_ACTIVE; diff --git a/queue-4.14/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch b/queue-4.14/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch new file mode 100644 index 00000000000..6a1dd274b73 --- /dev/null +++ b/queue-4.14/cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch @@ -0,0 +1,155 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Maurizio Lombardi +Date: Fri, 9 Mar 2018 13:59:06 +0100 +Subject: cdrom: do not call check_disk_change() inside cdrom_open() + +From: Maurizio Lombardi + +[ Upstream commit 2bbea6e117357d17842114c65e9a9cf2d13ae8a3 ] + +when mounting an ISO filesystem sometimes (very rarely) +the system hangs because of a race condition between two tasks. + +PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" + #0 [ffff880078447ae0] __schedule at ffffffff8168d605 + #1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 + #2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 + #3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef + #4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] + #5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 + #6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 + #7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] + #8 [ffff880078447da8] mount_bdev at ffffffff81202570 + #9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] +#10 [ffff880078447e28] mount_fs at ffffffff81202d09 +#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f +#12 [ffff880078447ea8] do_mount at ffffffff81220fee +#13 [ffff880078447f28] sys_mount at ffffffff812218d6 +#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 + RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 + RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 + RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 + R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 + R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 + ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b + +This task was trying to mount the cdrom. It allocated and configured a +super_block struct and owned the write-lock for the super_block->s_umount +rwsem. While exclusively owning the s_umount lock, it called +sr_block_ioctl and waited to acquire the global sr_mutex lock. + +PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" + #0 [ffff880078417898] __schedule at ffffffff8168d605 + #1 [ffff880078417900] schedule at ffffffff8168dc59 + #2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 + #3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 + #4 [ffff8800784179d0] down_read at ffffffff8168cde0 + #5 [ffff8800784179e8] get_super at ffffffff81201cc7 + #6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de + #7 [ffff880078417a40] flush_disk at ffffffff8123a94b + #8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 + #9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] +#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] +#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 +#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 +#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b +#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 +#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf +#16 [ffff880078417d00] do_last at ffffffff8120d53d +#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 +#18 [ffff880078417e48] do_filp_open at ffffffff8121082b +#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 +#20 [ffff880078417f70] sys_open at ffffffff811fde4e +#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 + RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 + RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 + RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 + RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 + R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e + R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 + ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b + +This task tried to open the cdrom device, the sr_block_open function +acquired the global sr_mutex lock. The call to check_disk_change() +then saw an event flag indicating a possible media change and tried +to flush any cached data for the device. +As part of the flush, it tried to acquire the super_block->s_umount +lock associated with the cdrom device. +This was the same super_block as created and locked by the previous task. + +The first task acquires the s_umount lock and then the sr_mutex_lock; +the second task acquires the sr_mutex_lock and then the s_umount lock. + +This patch fixes the issue by moving check_disk_change() out of +cdrom_open() and let the caller take care of it. + +Signed-off-by: Maurizio Lombardi +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/paride/pcd.c | 2 ++ + drivers/cdrom/cdrom.c | 3 --- + drivers/cdrom/gdrom.c | 3 +++ + drivers/ide/ide-cd.c | 2 ++ + drivers/scsi/sr.c | 2 ++ + 5 files changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/block/paride/pcd.c ++++ b/drivers/block/paride/pcd.c +@@ -230,6 +230,8 @@ static int pcd_block_open(struct block_d + struct pcd_unit *cd = bdev->bd_disk->private_data; + int ret; + ++ check_disk_change(bdev); ++ + mutex_lock(&pcd_mutex); + ret = cdrom_open(&cd->info, bdev, mode); + mutex_unlock(&pcd_mutex); +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -1152,9 +1152,6 @@ int cdrom_open(struct cdrom_device_info + + cd_dbg(CD_OPEN, "entering cdrom_open\n"); + +- /* open is event synchronization point, check events first */ +- check_disk_change(bdev); +- + /* if this was a O_NONBLOCK open and we should honor the flags, + * do a quick open without drive/disc integrity checks. */ + cdi->use_count++; +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -497,6 +497,9 @@ static const struct cdrom_device_ops gdr + static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode) + { + int ret; ++ ++ check_disk_change(bdev); ++ + mutex_lock(&gdrom_mutex); + ret = cdrom_open(gd.cd_info, bdev, mode); + mutex_unlock(&gdrom_mutex); +--- a/drivers/ide/ide-cd.c ++++ b/drivers/ide/ide-cd.c +@@ -1614,6 +1614,8 @@ static int idecd_open(struct block_devic + struct cdrom_info *info; + int rc = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&ide_cd_mutex); + info = ide_cd_get(bdev->bd_disk); + if (!info) +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -525,6 +525,8 @@ static int sr_block_open(struct block_de + struct scsi_cd *cd; + int ret = -ENXIO; + ++ check_disk_change(bdev); ++ + mutex_lock(&sr_mutex); + cd = scsi_cd_get(bdev->bd_disk); + if (cd) { diff --git a/queue-4.14/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch b/queue-4.14/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch new file mode 100644 index 00000000000..81af89be4d8 --- /dev/null +++ b/queue-4.14/ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch @@ -0,0 +1,68 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chengguang Xu +Date: Fri, 9 Feb 2018 20:40:59 +0800 +Subject: ceph: fix dentry leak when failing to init debugfs + +From: Chengguang Xu + +[ Upstream commit 18106734b512664a8541026519ce4b862498b6c3 ] + +When failing from ceph_fs_debugfs_init() in ceph_real_mount(), +there is lack of dput of root_dentry and it causes slab errors, +so change the calling order of ceph_fs_debugfs_init() and +open_root_dentry() and do some cleanups to avoid this issue. + +Signed-off-by: Chengguang Xu +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -837,7 +837,6 @@ static struct dentry *ceph_real_mount(st + int err; + unsigned long started = jiffies; /* note the start time */ + struct dentry *root; +- int first = 0; /* first vfsmount for this super_block */ + + dout("mount start %p\n", fsc); + mutex_lock(&fsc->client->mount_mutex); +@@ -862,17 +861,17 @@ static struct dentry *ceph_real_mount(st + path = fsc->mount_options->server_path + 1; + dout("mount opening path %s\n", path); + } ++ ++ err = ceph_fs_debugfs_init(fsc); ++ if (err < 0) ++ goto out; ++ + root = open_root_dentry(fsc, path, started); + if (IS_ERR(root)) { + err = PTR_ERR(root); + goto out; + } + fsc->sb->s_root = dget(root); +- first = 1; +- +- err = ceph_fs_debugfs_init(fsc); +- if (err < 0) +- goto fail; + } else { + root = dget(fsc->sb->s_root); + } +@@ -882,11 +881,6 @@ static struct dentry *ceph_real_mount(st + mutex_unlock(&fsc->client->mount_mutex); + return root; + +-fail: +- if (first) { +- dput(fsc->sb->s_root); +- fsc->sb->s_root = NULL; +- } + out: + mutex_unlock(&fsc->client->mount_mutex); + return ERR_PTR(err); diff --git a/queue-4.14/ceph-fix-potential-memory-leak-in-init_caches.patch b/queue-4.14/ceph-fix-potential-memory-leak-in-init_caches.patch new file mode 100644 index 00000000000..ba5693dbc9d --- /dev/null +++ b/queue-4.14/ceph-fix-potential-memory-leak-in-init_caches.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chengguang Xu +Date: Thu, 1 Mar 2018 14:24:51 +0800 +Subject: ceph: fix potential memory leak in init_caches() + +From: Chengguang Xu + +[ Upstream commit 1c789249578895bb14ab62b4327306439b754857 ] + +There is lack of cache destroy operation for ceph_file_cachep +when failing from fscache register. + +Signed-off-by: Chengguang Xu +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -712,14 +712,17 @@ static int __init init_caches(void) + goto bad_dentry; + + ceph_file_cachep = KMEM_CACHE(ceph_file_info, SLAB_MEM_SPREAD); +- + if (!ceph_file_cachep) + goto bad_file; + +- if ((error = ceph_fscache_register())) +- goto bad_file; ++ error = ceph_fscache_register(); ++ if (error) ++ goto bad_fscache; + + return 0; ++ ++bad_fscache: ++ kmem_cache_destroy(ceph_file_cachep); + bad_file: + kmem_cache_destroy(ceph_dentry_cachep); + bad_dentry: diff --git a/queue-4.14/cfg80211-clear-wep-keys-after-disconnection.patch b/queue-4.14/cfg80211-clear-wep-keys-after-disconnection.patch new file mode 100644 index 00000000000..2971cd958a6 --- /dev/null +++ b/queue-4.14/cfg80211-clear-wep-keys-after-disconnection.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Avraham Stern +Date: Mon, 19 Feb 2018 14:48:38 +0200 +Subject: cfg80211: clear wep keys after disconnection + +From: Avraham Stern + +[ Upstream commit 3027a8e799b20fc922496a12f8ad2f9f36a8a696 ] + +When a low level driver calls cfg80211_disconnected(), wep keys are +not cleared. As a result, following connection requests will fail +since cfg80211 internal state shows a connection is still in progress. + +Fix this by clearing the wep keys when disconnecting. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/sme.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -989,6 +989,8 @@ void __cfg80211_disconnected(struct net_ + wdev->current_bss = NULL; + wdev->ssid_len = 0; + wdev->conn_owner_nlportid = 0; ++ kzfree(wdev->connect_keys); ++ wdev->connect_keys = NULL; + + nl80211_send_disconnected(rdev, dev, reason, ie, ie_len, from_ap); + diff --git a/queue-4.14/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch b/queue-4.14/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch new file mode 100644 index 00000000000..e86dfa8c13b --- /dev/null +++ b/queue-4.14/clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Colin Ian King +Date: Mon, 26 Feb 2018 11:36:14 +0000 +Subject: clocksource/drivers/fsl_ftm_timer: Fix error return checking + +From: Colin Ian King + +[ Upstream commit f287eb9013ccf199cbfa4eabd80c36fedfc15a73 ] + +The error checks on freq for a negative error return always fails because +freq is unsigned and can never be negative. Fix this by making freq a +signed long. + +Detected with Coccinelle: +drivers/clocksource/fsl_ftm_timer.c:287:5-9: WARNING: Unsigned expression +compared with zero: freq <= 0 +drivers/clocksource/fsl_ftm_timer.c:291:5-9: WARNING: Unsigned expression +compared with zero: freq <= 0 + +Fixes: 2529c3a33079 ("clocksource: Add Freescale FlexTimer Module (FTM) timer support") +Signed-off-by: Colin Ian King +Signed-off-by: Thomas Gleixner +Cc: Daniel Lezcano +Cc: kernel-janitors@vger.kernel.org +Link: https://lkml.kernel.org/r/20180226113614.3092-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/fsl_ftm_timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clocksource/fsl_ftm_timer.c ++++ b/drivers/clocksource/fsl_ftm_timer.c +@@ -281,7 +281,7 @@ static int __init __ftm_clk_init(struct + + static unsigned long __init ftm_clk_init(struct device_node *np) + { +- unsigned long freq; ++ long freq; + + freq = __ftm_clk_init(np, "ftm-evt-counter-en", "ftm-evt"); + if (freq <= 0) diff --git a/queue-4.14/clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch b/queue-4.14/clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch new file mode 100644 index 00000000000..43daf7e874a --- /dev/null +++ b/queue-4.14/clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Felix Fietkau +Date: Wed, 28 Feb 2018 10:56:10 +0100 +Subject: clocksource/drivers/mips-gic-timer: Use correct shift count to extract data + +From: Felix Fietkau + +[ Upstream commit 5753405e27f8fe4c42c1537d3ddbd9e058e54cdc ] + +__gic_clocksource_init() extracts the GIC_CONFIG_COUNTBITS field from +read_gic_config() by right shifting the register value. The shift count is +determined by the most significant bit (__fls) of the bitmask which is +wrong as it shifts out the complete bitfield. + +Use the least significant bit (__ffs) instead to shift the bitfield down to +bit 0. + +Fixes: e07127a077c7 ("clocksource: mips-gic-timer: Use new GIC accessor functions") +Signed-off-by: Felix Fietkau +Signed-off-by: Thomas Gleixner +Cc: daniel.lezcano@linaro.org +Cc: paul.burton@imgtec.com +Link: https://lkml.kernel.org/r/20180228095610.50341-1-nbd@nbd.name +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clocksource/mips-gic-timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clocksource/mips-gic-timer.c ++++ b/drivers/clocksource/mips-gic-timer.c +@@ -164,7 +164,7 @@ static int __init __gic_clocksource_init + + /* Set clocksource mask. */ + count_width = read_gic_config() & GIC_CONFIG_COUNTBITS; +- count_width >>= __fls(GIC_CONFIG_COUNTBITS); ++ count_width >>= __ffs(GIC_CONFIG_COUNTBITS); + count_width *= 4; + count_width += 32; + gic_clocksource.mask = CLOCKSOURCE_MASK(count_width); diff --git a/queue-4.14/coresight-use-px-to-print-pcsr-instead-of-p.patch b/queue-4.14/coresight-use-px-to-print-pcsr-instead-of-p.patch new file mode 100644 index 00000000000..b5834a2ce38 --- /dev/null +++ b/queue-4.14/coresight-use-px-to-print-pcsr-instead-of-p.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Leo Yan +Date: Tue, 13 Mar 2018 11:24:30 -0600 +Subject: coresight: Use %px to print pcsr instead of %p + +From: Leo Yan + +[ Upstream commit 831c326fcd0e8e2a6ece952f898a1ec9b1dc1004 ] + +Commit ad67b74d2469 ("printk: hash addresses printed with %p") lets +printk specifier %p to hash all addresses before printing, this was +resulting in the high 32 bits of pcsr can only output zeros. So +module cannot completely print pc value and it's pointless for debugging +purpose. + +This patch fixes this by using %px to print pcsr instead. + +Cc: Mathieu Poirier +Signed-off-by: Leo Yan +Signed-off-by: Mathieu Poirier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c ++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c +@@ -315,7 +315,7 @@ static void debug_dump_regs(struct debug + } + + pc = debug_adjust_pc(drvdata); +- dev_emerg(dev, " EDPCSR: [<%p>] %pS\n", (void *)pc, (void *)pc); ++ dev_emerg(dev, " EDPCSR: [<%px>] %pS\n", (void *)pc, (void *)pc); + + if (drvdata->edcidsr_present) + dev_emerg(dev, " EDCIDSR: %08x\n", drvdata->edcidsr); diff --git a/queue-4.14/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch b/queue-4.14/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch new file mode 100644 index 00000000000..105417da477 --- /dev/null +++ b/queue-4.14/cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shunyong Yang +Date: Fri, 6 Apr 2018 10:43:49 +0800 +Subject: cpufreq: CPPC: Initialize shared perf capabilities of CPUs + +From: Shunyong Yang + +[ Upstream commit 8913315e9459b146e5888ab5138e10daa061b885 ] + +When multiple CPUs are related in one cpufreq policy, the first online +CPU will be chosen by default to handle cpufreq operations. Let's take +cpu0 and cpu1 as an example. + +When cpu0 is offline, policy->cpu will be shifted to cpu1. cpu1's perf +capabilities should be initialized. Otherwise, perf capabilities are 0s +and speed change can not take effect. + +This patch copies perf capabilities of the first online CPU to other +shared CPUs when policy shared type is CPUFREQ_SHARED_TYPE_ANY. + +Acked-by: Viresh Kumar +Signed-off-by: Shunyong Yang +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -167,9 +167,19 @@ static int cppc_cpufreq_cpu_init(struct + NSEC_PER_USEC; + policy->shared_type = cpu->shared_type; + +- if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) ++ if (policy->shared_type == CPUFREQ_SHARED_TYPE_ANY) { ++ int i; ++ + cpumask_copy(policy->cpus, cpu->shared_cpu_map); +- else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { ++ ++ for_each_cpu(i, policy->cpus) { ++ if (unlikely(i == policy->cpu)) ++ continue; ++ ++ memcpy(&all_cpu_data[i]->perf_caps, &cpu->perf_caps, ++ sizeof(cpu->perf_caps)); ++ } ++ } else if (policy->shared_type == CPUFREQ_SHARED_TYPE_ALL) { + /* Support only SW_ANY for now. */ + pr_debug("Unsupported CPU co-ord type\n"); + return -EFAULT; diff --git a/queue-4.14/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch b/queue-4.14/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch new file mode 100644 index 00000000000..50faf48f0fc --- /dev/null +++ b/queue-4.14/cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chunyu Hu +Date: Mon, 5 Mar 2018 13:40:38 +0800 +Subject: cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path + +From: Chunyu Hu + +[ Upstream commit 55b55abc17f238c61921360e61dde90dd9a326d1 ] + +Kmemleak reported the below leak. When cppc_cpufreq_init went into +failure path, the cpu mask is not freed. After fix, this report is +gone. And to avaoid potential NULL pointer reference, check the cpu +value first. + +unreferenced object 0xffff800fd5ea4880 (size 128): + comm "swapper/0", pid 1, jiffies 4294939510 (age 668.680s) + hex dump (first 32 bytes): + 00 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 .... ........... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] __kmalloc_node+0x278/0x634 + [] alloc_cpumask_var_node+0x28/0x60 + [] zalloc_cpumask_var+0x14/0x1c + [] cppc_cpufreq_init+0xd0/0x19c + [] do_one_initcall+0xec/0x15c + [] kernel_init_freeable+0x1f4/0x2a4 + [] kernel_init+0x18/0x10c + [] ret_from_fork+0x10/0x18 + [] 0xffffffffffffffff + +Signed-off-by: Chunyu Hu +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cppc_cpufreq.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/cppc_cpufreq.c ++++ b/drivers/cpufreq/cppc_cpufreq.c +@@ -243,8 +243,13 @@ static int __init cppc_cpufreq_init(void + return ret; + + out: +- for_each_possible_cpu(i) +- kfree(all_cpu_data[i]); ++ for_each_possible_cpu(i) { ++ cpu = all_cpu_data[i]; ++ if (!cpu) ++ break; ++ free_cpumask_var(cpu->shared_cpu_map); ++ kfree(cpu); ++ } + + kfree(all_cpu_data); + return -ENODEV; diff --git a/queue-4.14/cpufreq-reorder-cpufreq_online-error-code-path.patch b/queue-4.14/cpufreq-reorder-cpufreq_online-error-code-path.patch new file mode 100644 index 00000000000..a4d36b62d9d --- /dev/null +++ b/queue-4.14/cpufreq-reorder-cpufreq_online-error-code-path.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Viresh Kumar +Date: Thu, 22 Feb 2018 11:29:43 +0530 +Subject: cpufreq: Reorder cpufreq_online() error code path + +From: Viresh Kumar + +[ Upstream commit b24b6478e65f140610ab1ffaadc7bc6bf0be8aad ] + +Ideally the de-allocation of resources should happen in the exact +opposite order in which they were allocated. It helps maintain the code +in long term, even if nothing really breaks with incorrect ordering. + +That wasn't followed in cpufreq_online() and it has some +inconsistencies. For example, the symlinks were created from within +the locked region while they are removed only after putting the locks. +Also ->exit() should have been called only after the symlinks are +removed and the lock is dropped, as that was the case when ->init() +was first called. + +Signed-off-by: Viresh Kumar +[ rjw: Subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/cpufreq.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1315,14 +1315,14 @@ static int cpufreq_online(unsigned int c + return 0; + + out_exit_policy: ++ for_each_cpu(j, policy->real_cpus) ++ remove_cpu_dev_symlink(policy, get_cpu_device(j)); ++ + up_write(&policy->rwsem); + + if (cpufreq_driver->exit) + cpufreq_driver->exit(policy); + +- for_each_cpu(j, policy->real_cpus) +- remove_cpu_dev_symlink(policy, get_cpu_device(j)); +- + out_free_policy: + cpufreq_policy_free(policy); + return ret; diff --git a/queue-4.14/cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch b/queue-4.14/cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch new file mode 100644 index 00000000000..de3a9dd61ab --- /dev/null +++ b/queue-4.14/cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch @@ -0,0 +1,30 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ganesh Goudar +Date: Wed, 7 Mar 2018 13:10:24 +0530 +Subject: cxgb4: do not set needs_free_netdev for mgmt dev's + +From: Ganesh Goudar + +[ Upstream commit b06ef18a4c255609388ed6e068a1c69c797545e0 ] + +Do not set 'needs_free_netdev' as we do call free_netdev +for mgmt net devices, doing both hits BUG_ON. + +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -4679,7 +4679,6 @@ static void dummy_setup(struct net_devic + /* Initialize the device structure. */ + dev->netdev_ops = &cxgb4_mgmt_netdev_ops; + dev->ethtool_ops = &cxgb4_mgmt_ethtool_ops; +- dev->needs_free_netdev = true; + } + + static int config_mgmt_dev(struct pci_dev *pdev) diff --git a/queue-4.14/cxgb4-fix-queue-free-path-of-uld-drivers.patch b/queue-4.14/cxgb4-fix-queue-free-path-of-uld-drivers.patch new file mode 100644 index 00000000000..4d6f9d0cc8a --- /dev/null +++ b/queue-4.14/cxgb4-fix-queue-free-path-of-uld-drivers.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arjun Vynipadath +Date: Thu, 15 Mar 2018 17:34:14 +0530 +Subject: cxgb4: Fix queue free path of ULD drivers + +From: Arjun Vynipadath + +[ Upstream commit d7cb44496a9bb458632cb3c18acb08949c210448 ] + +Setting sge_uld_rxq_info to NULL in free_queues_uld(). +We are referencing sge_uld_rxq_info in cxgb_up(). This +will fix a panic when interface is brought up after a +ULDq creation failure. + +Fixes: 94cdb8bb993a (cxgb4: Add support for dynamic allocation + of resources for ULD) +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudhar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c +@@ -342,6 +342,7 @@ static void free_queues_uld(struct adapt + { + struct sge_uld_rxq_info *rxq_info = adap->sge.uld_rxq_info[uld_type]; + ++ adap->sge.uld_rxq_info[uld_type] = NULL; + kfree(rxq_info->rspq_id); + kfree(rxq_info->uldrxq); + kfree(rxq_info); diff --git a/queue-4.14/cxgb4-setup-fw-queues-before-registering-netdev.patch b/queue-4.14/cxgb4-setup-fw-queues-before-registering-netdev.patch new file mode 100644 index 00000000000..5f7622506d9 --- /dev/null +++ b/queue-4.14/cxgb4-setup-fw-queues-before-registering-netdev.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arjun Vynipadath +Date: Fri, 23 Mar 2018 15:25:10 +0530 +Subject: cxgb4: Setup FW queues before registering netdev + +From: Arjun Vynipadath + +[ Upstream commit 843bd7db79c861b49e2912d723625f5fa8e94502 ] + +When NetworkManager is enabled, there are chances that interface up +is called even before probe completes. This means we have not yet +allocated the FW sge queues, hence rest of ingress queue allocation +wont be proper. Fix this by calling setup_fw_sge_queues() before +register_netdev(). + +Fixes: 0fbc81b3ad51 ('chcr/cxgb4i/cxgbit/RDMA/cxgb4: Allocate resources dynamically for all cxgb4 ULD's') +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -815,8 +815,6 @@ static int setup_fw_sge_queues(struct ad + + err = t4_sge_alloc_rxq(adap, &s->fw_evtq, true, adap->port[0], + adap->msi_idx, NULL, fwevtq_handler, NULL, -1); +- if (err) +- t4_free_sge_resources(adap); + return err; + } + +@@ -5116,6 +5114,13 @@ static int init_one(struct pci_dev *pdev + if (err) + goto out_free_dev; + ++ err = setup_fw_sge_queues(adapter); ++ if (err) { ++ dev_err(adapter->pdev_dev, ++ "FW sge queue allocation failed, err %d", err); ++ goto out_free_dev; ++ } ++ + /* + * The card is now ready to go. If any errors occur during device + * registration we do not fail the whole card but rather proceed only +@@ -5164,7 +5169,6 @@ static int init_one(struct pci_dev *pdev + cxgb4_ptp_init(adapter); + + print_adapter_info(adapter); +- setup_fw_sge_queues(adapter); + return 0; + + sriov: +@@ -5220,6 +5224,7 @@ free_mbox_log: + #endif + + out_free_dev: ++ t4_free_sge_resources(adapter); + free_some_resources(adapter); + if (adapter->flags & USING_MSIX) + free_msix_info(adapter); diff --git a/queue-4.14/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch b/queue-4.14/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch new file mode 100644 index 00000000000..a2724d65de8 --- /dev/null +++ b/queue-4.14/cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch @@ -0,0 +1,127 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Vaibhav Jain +Date: Thu, 15 Feb 2018 21:19:24 +0530 +Subject: cxl: Check if PSL data-cache is available before issue flush request + +From: Vaibhav Jain + +[ Upstream commit 94322ed8e857e3b2a33cf75118051af9baaa110f ] + +PSL9D doesn't have a data-cache that needs to be flushed before +resetting the card. However when cxl tries to flush data-cache on such +a card, it times-out as PSL_Control register never indicates flush +operation complete due to missing data-cache. This is usually +indicated in the kernel logs with this message: + +"WARNING: cache flush timed out" + +To fix this the patch checks PSL_Debug register CDC-Field(BIT:27) +which indicates the absence of a data-cache and sets a flag +'no_data_cache' in 'struct cxl_native' to indicate this. When +cxl_data_cache_flush() is called it checks the flag and if set bails +out early without requesting a data-cache flush operation to the PSL. + +Signed-off-by: Vaibhav Jain +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cxl/cxl.h | 4 ++++ + drivers/misc/cxl/native.c | 11 ++++++++++- + drivers/misc/cxl/pci.c | 19 +++++++++++++------ + 3 files changed, 27 insertions(+), 7 deletions(-) + +--- a/drivers/misc/cxl/cxl.h ++++ b/drivers/misc/cxl/cxl.h +@@ -365,6 +365,9 @@ static const cxl_p2n_reg_t CXL_PSL_WED_A + #define CXL_PSL_TFC_An_AE (1ull << (63-30)) /* Restart PSL with address error */ + #define CXL_PSL_TFC_An_R (1ull << (63-31)) /* Restart PSL transaction */ + ++/****** CXL_PSL_DEBUG *****************************************************/ ++#define CXL_PSL_DEBUG_CDC (1ull << (63-27)) /* Coherent Data cache support */ ++ + /****** CXL_XSL9_IERAT_ERAT - CAIA 2 **********************************/ + #define CXL_XSL9_IERAT_MLPID (1ull << (63-0)) /* Match LPID */ + #define CXL_XSL9_IERAT_MPID (1ull << (63-1)) /* Match PID */ +@@ -659,6 +662,7 @@ struct cxl_native { + irq_hw_number_t err_hwirq; + unsigned int err_virq; + u64 ps_off; ++ bool no_data_cache; /* set if no data cache on the card */ + const struct cxl_service_layer_ops *sl_ops; + }; + +--- a/drivers/misc/cxl/native.c ++++ b/drivers/misc/cxl/native.c +@@ -352,8 +352,17 @@ int cxl_data_cache_flush(struct cxl *ada + u64 reg; + unsigned long timeout = jiffies + (HZ * CXL_TIMEOUT); + +- pr_devel("Flushing data cache\n"); ++ /* ++ * Do a datacache flush only if datacache is available. ++ * In case of PSL9D datacache absent hence flush operation. ++ * would timeout. ++ */ ++ if (adapter->native->no_data_cache) { ++ pr_devel("No PSL data cache. Ignoring cache flush req.\n"); ++ return 0; ++ } + ++ pr_devel("Flushing data cache\n"); + reg = cxl_p1_read(adapter, CXL_PSL_Control); + reg |= CXL_PSL_Control_Fr; + cxl_p1_write(adapter, CXL_PSL_Control, reg); +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -457,6 +457,7 @@ static int init_implementation_adapter_r + u64 chipid; + u32 phb_index; + u64 capp_unit_id; ++ u64 psl_debug; + int rc; + + rc = cxl_calc_capp_routing(dev, &chipid, &phb_index, &capp_unit_id); +@@ -507,6 +508,16 @@ static int init_implementation_adapter_r + if (cxl_is_power9_dd1()) + cxl_p1_write(adapter, CXL_PSL9_GP_CT, 0x0400000000000001ULL); + ++ /* ++ * Check if PSL has data-cache. We need to flush adapter datacache ++ * when as its about to be removed. ++ */ ++ psl_debug = cxl_p1_read(adapter, CXL_PSL9_DEBUG); ++ if (psl_debug & CXL_PSL_DEBUG_CDC) { ++ dev_dbg(&dev->dev, "No data-cache present\n"); ++ adapter->native->no_data_cache = true; ++ } ++ + return 0; + } + +@@ -1450,10 +1461,8 @@ int cxl_pci_reset(struct cxl *adapter) + + /* + * The adapter is about to be reset, so ignore errors. +- * Not supported on P9 DD1 + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + /* pcie_warm_reset requests a fundamental pci reset which includes a + * PERST assert/deassert. PERST triggers a loading of the image +@@ -1898,10 +1907,8 @@ static void cxl_pci_remove_adapter(struc + + /* + * Flush adapter datacache as its about to be removed. +- * Not supported on P9 DD1. + */ +- if ((cxl_is_power8()) || (!(cxl_is_power9_dd1()))) +- cxl_data_cache_flush(adapter); ++ cxl_data_cache_flush(adapter); + + cxl_deconfigure_adapter(adapter); + diff --git a/queue-4.14/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch b/queue-4.14/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch new file mode 100644 index 00000000000..91533be0439 --- /dev/null +++ b/queue-4.14/dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch @@ -0,0 +1,93 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Gregory CLEMENT +Date: Wed, 7 Mar 2018 16:40:10 +0100 +Subject: dmaengine: mv_xor_v2: Fix clock resource by adding a register clock + +From: Gregory CLEMENT + +[ Upstream commit 3cd2c313f1d618f92d1294addc6c685c17065761 ] + +On the CP110 components which are present on the Armada 7K/8K SoC we need +to explicitly enable the clock for the registers. However it is not +needed for the AP8xx component, that's why this clock is optional. + +With this patch both clock have now a name, but in order to be backward +compatible, the name of the first clock is not used. It allows to still +use this clock with a device tree using the old binding. + +Reviewed-by: Rob Herring +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/dma/mv-xor-v2.txt | 6 ++++ + drivers/dma/mv_xor_v2.c | 25 ++++++++++++++++---- + 2 files changed, 25 insertions(+), 6 deletions(-) + +--- a/Documentation/devicetree/bindings/dma/mv-xor-v2.txt ++++ b/Documentation/devicetree/bindings/dma/mv-xor-v2.txt +@@ -11,7 +11,11 @@ Required properties: + interrupts. + + Optional properties: +-- clocks: Optional reference to the clock used by the XOR engine. ++- clocks: Optional reference to the clocks used by the XOR engine. ++- clock-names: mandatory if there is a second clock, in this case the ++ name must be "core" for the first clock and "reg" for the second ++ one ++ + + Example: + +--- a/drivers/dma/mv_xor_v2.c ++++ b/drivers/dma/mv_xor_v2.c +@@ -163,6 +163,7 @@ struct mv_xor_v2_device { + void __iomem *dma_base; + void __iomem *glob_base; + struct clk *clk; ++ struct clk *reg_clk; + struct tasklet_struct irq_tasklet; + struct list_head free_sw_desc; + struct dma_device dmadev; +@@ -749,13 +750,26 @@ static int mv_xor_v2_probe(struct platfo + if (ret) + return ret; + ++ xor_dev->reg_clk = devm_clk_get(&pdev->dev, "reg"); ++ if (PTR_ERR(xor_dev->reg_clk) != -ENOENT) { ++ if (!IS_ERR(xor_dev->reg_clk)) { ++ ret = clk_prepare_enable(xor_dev->reg_clk); ++ if (ret) ++ return ret; ++ } else { ++ return PTR_ERR(xor_dev->reg_clk); ++ } ++ } ++ + xor_dev->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER) +- return -EPROBE_DEFER; ++ if (IS_ERR(xor_dev->clk) && PTR_ERR(xor_dev->clk) == -EPROBE_DEFER) { ++ ret = EPROBE_DEFER; ++ goto disable_reg_clk; ++ } + if (!IS_ERR(xor_dev->clk)) { + ret = clk_prepare_enable(xor_dev->clk); + if (ret) +- return ret; ++ goto disable_reg_clk; + } + + ret = platform_msi_domain_alloc_irqs(&pdev->dev, 1, +@@ -866,8 +880,9 @@ free_hw_desq: + free_msi_irqs: + platform_msi_domain_free_irqs(&pdev->dev); + disable_clk: +- if (!IS_ERR(xor_dev->clk)) +- clk_disable_unprepare(xor_dev->clk); ++ clk_disable_unprepare(xor_dev->clk); ++disable_reg_clk: ++ clk_disable_unprepare(xor_dev->reg_clk); + return ret; + } + diff --git a/queue-4.14/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch b/queue-4.14/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch new file mode 100644 index 00000000000..d799677d89a --- /dev/null +++ b/queue-4.14/dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch @@ -0,0 +1,162 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Qi Hou +Date: Tue, 6 Mar 2018 09:13:37 +0800 +Subject: dmaengine: pl330: fix a race condition in case of threaded irqs + +From: Qi Hou + +[ Upstream commit a3ca831249ca8c4c226e4ceafee04e280152e59d ] + +When booting up with "threadirqs" in command line, all irq handlers of the DMA +controller pl330 will be threaded forcedly. These threads will race for the same +list, pl330->req_done. + +Before the callback, the spinlock was released. And after it, the spinlock was +taken. This opened an race window where another threaded irq handler could steal +the spinlock and be permitted to delete entries of the list, pl330->req_done. + +If the later deleted an entry that was still referred to by the former, there would +be a kernel panic when the former was scheduled and tried to get the next sibling +of the deleted entry. + +The scenario could be depicted as below: + + Thread: T1 pl330->req_done Thread: T2 + | | | + | -A-B-C-D- | + Locked | | + | | Waiting + Del A | | + | -B-C-D- | + Unlocked | | + | | Locked + Waiting | | + | | Del B + | | | + | -C-D- Unlocked + Waiting | | + | + Locked + | + get C via B + \ + - Kernel panic + +The kernel panic looked like as below: + +Unable to handle kernel paging request at virtual address dead000000000108 +pgd = ffffff8008c9e000 +[dead000000000108] *pgd=000000027fffe003, *pud=000000027fffe003, *pmd=0000000000000000 +Internal error: Oops: 96000044 [#1] PREEMPT SMP +Modules linked in: +CPU: 0 PID: 85 Comm: irq/59-66330000 Not tainted 4.8.24-WR9.0.0.12_standard #2 +Hardware name: Broadcom NS2 SVK (DT) +task: ffffffc1f5cc3c00 task.stack: ffffffc1f5ce0000 +PC is at pl330_irq_handler+0x27c/0x390 +LR is at pl330_irq_handler+0x2a8/0x390 +pc : [] lr : [] pstate: 800001c5 +sp : ffffffc1f5ce3d00 +x29: ffffffc1f5ce3d00 x28: 0000000000000140 +x27: ffffffc1f5c530b0 x26: dead000000000100 +x25: dead000000000200 x24: 0000000000418958 +x23: 0000000000000001 x22: ffffffc1f5ccd668 +x21: ffffffc1f5ccd590 x20: ffffffc1f5ccd418 +x19: dead000000000060 x18: 0000000000000001 +x17: 0000000000000007 x16: 0000000000000001 +x15: ffffffffffffffff x14: ffffffffffffffff +x13: ffffffffffffffff x12: 0000000000000000 +x11: 0000000000000001 x10: 0000000000000840 +x9 : ffffffc1f5ce0000 x8 : ffffffc1f5cc3338 +x7 : ffffff8008ce2020 x6 : 0000000000000000 +x5 : 0000000000000000 x4 : 0000000000000001 +x3 : dead000000000200 x2 : dead000000000100 +x1 : 0000000000000140 x0 : ffffffc1f5ccd590 + +Process irq/59-66330000 (pid: 85, stack limit = 0xffffffc1f5ce0020) +Stack: (0xffffffc1f5ce3d00 to 0xffffffc1f5ce4000) +3d00: ffffffc1f5ce3d80 ffffff80080f09d0 ffffffc1f5ca0c00 ffffffc1f6f7c600 +3d20: ffffffc1f5ce0000 ffffffc1f6f7c600 ffffffc1f5ca0c00 ffffff80080f0998 +3d40: ffffffc1f5ce0000 ffffff80080f0000 0000000000000000 0000000000000000 +3d60: ffffff8008ce202c ffffff8008ce2020 ffffffc1f5ccd668 ffffffc1f5c530b0 +3d80: ffffffc1f5ce3db0 ffffff80080f0d70 ffffffc1f5ca0c40 0000000000000001 +3da0: ffffffc1f5ce0000 ffffff80080f0cfc ffffffc1f5ce3e20 ffffff80080bf4f8 +3dc0: ffffffc1f5ca0c80 ffffff8008bf3798 ffffff8008955528 ffffffc1f5ca0c00 +3de0: ffffff80080f0c30 0000000000000000 0000000000000000 0000000000000000 +3e00: 0000000000000000 0000000000000000 0000000000000000 ffffff80080f0b68 +3e20: 0000000000000000 ffffff8008083690 ffffff80080bf420 ffffffc1f5ca0c80 +3e40: 0000000000000000 0000000000000000 0000000000000000 ffffff80080cb648 +3e60: ffffff8008b1c780 0000000000000000 0000000000000000 ffffffc1f5ca0c00 +3e80: ffffffc100000000 ffffff8000000000 ffffffc1f5ce3e90 ffffffc1f5ce3e90 +3ea0: 0000000000000000 ffffff8000000000 ffffffc1f5ce3eb0 ffffffc1f5ce3eb0 +3ec0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3ee0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f40: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f60: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3f80: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fa0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +3fc0: 0000000000000000 0000000000000005 0000000000000000 0000000000000000 +3fe0: 0000000000000000 0000000000000000 0000000275ce3ff0 0000000275ce3ff8 +Call trace: +Exception stack(0xffffffc1f5ce3b30 to 0xffffffc1f5ce3c60) +3b20: dead000000000060 0000008000000000 +3b40: ffffffc1f5ce3d00 ffffff80084cb694 0000000000000008 0000000000000e88 +3b60: ffffffc1f5ce3bb0 ffffff80080dac68 ffffffc1f5ce3b90 ffffff8008826fe4 +3b80: 00000000000001c0 00000000000001c0 ffffffc1f5ce3bb0 ffffff800848dfcc +3ba0: 0000000000020000 ffffff8008b15ae4 ffffffc1f5ce3c00 ffffff800808f000 +3bc0: 0000000000000010 ffffff80088377f0 ffffffc1f5ccd590 0000000000000140 +3be0: dead000000000100 dead000000000200 0000000000000001 0000000000000000 +3c00: 0000000000000000 ffffff8008ce2020 ffffffc1f5cc3338 ffffffc1f5ce0000 +3c20: 0000000000000840 0000000000000001 0000000000000000 ffffffffffffffff +3c40: ffffffffffffffff ffffffffffffffff 0000000000000001 0000000000000007 +[] pl330_irq_handler+0x27c/0x390 +[] irq_forced_thread_fn+0x38/0x88 +[] irq_thread+0x140/0x200 +[] kthread+0xd8/0xf0 +[] ret_from_fork+0x10/0x40 +Code: f2a00838 f9405763 aa1c03e1 aa1503e0 (f9000443) +---[ end trace f50005726d31199c ]--- +Kernel panic - not syncing: Fatal exception in interrupt +SMP: stopping secondary CPUs +SMP: failed to stop secondary CPUs 0-1 +Kernel Offset: disabled +Memory Limit: none +---[ end Kernel panic - not syncing: Fatal exception in interrupt + +To fix this, re-start with the list-head after dropping the lock then +re-takeing it. + +Reviewed-by: Frank Mori Hess +Tested-by: Frank Mori Hess +Signed-off-by: Qi Hou +Signed-off-by: Vinod Koul + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -1510,7 +1510,7 @@ static void pl330_dotask(unsigned long d + /* Returns 1 if state was updated, 0 otherwise */ + static int pl330_update(struct pl330_dmac *pl330) + { +- struct dma_pl330_desc *descdone, *tmp; ++ struct dma_pl330_desc *descdone; + unsigned long flags; + void __iomem *regs; + u32 val; +@@ -1588,7 +1588,9 @@ static int pl330_update(struct pl330_dma + } + + /* Now that we are in no hurry, do the callbacks */ +- list_for_each_entry_safe(descdone, tmp, &pl330->req_done, rqd) { ++ while (!list_empty(&pl330->req_done)) { ++ descdone = list_first_entry(&pl330->req_done, ++ struct dma_pl330_desc, rqd); + list_del(&descdone->rqd); + spin_unlock_irqrestore(&pl330->lock, flags); + dma_pl330_rqcb(descdone, PL330_ERR_NONE); diff --git a/queue-4.14/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch b/queue-4.14/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch new file mode 100644 index 00000000000..68e687a437a --- /dev/null +++ b/queue-4.14/dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Srinivas Kandagatla +Date: Thu, 15 Feb 2018 12:25:09 +0000 +Subject: dmaengine: qcom: bam_dma: get num-channels and num-ees from dt + +From: Srinivas Kandagatla + +[ Upstream commit 48d163b1aa6e7f650c0b7a4f9c61c387a6def868 ] + +When Linux is master of BAM, it can directly read registers to know number +of supported channels, however when its remotely controlled reading these +registers would trigger a crash if the BAM is not yet initialized or +powered up on the remote side. + +This patch allows driver to read num-channels and num-ees from Device Tree +for remotely controlled BAM. + +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/qcom/bam_dma.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +--- a/drivers/dma/qcom/bam_dma.c ++++ b/drivers/dma/qcom/bam_dma.c +@@ -388,6 +388,7 @@ struct bam_device { + struct device_dma_parameters dma_parms; + struct bam_chan *channels; + u32 num_channels; ++ u32 num_ees; + + /* execution environment ID, from DT */ + u32 ee; +@@ -1080,15 +1081,19 @@ static int bam_init(struct bam_device *b + u32 val; + + /* read revision and configuration information */ +- val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)) >> NUM_EES_SHIFT; +- val &= NUM_EES_MASK; ++ if (!bdev->num_ees) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_REVISION)); ++ bdev->num_ees = (val >> NUM_EES_SHIFT) & NUM_EES_MASK; ++ } + + /* check that configured EE is within range */ +- if (bdev->ee >= val) ++ if (bdev->ee >= bdev->num_ees) + return -EINVAL; + +- val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); +- bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ if (!bdev->num_channels) { ++ val = readl_relaxed(bam_addr(bdev, 0, BAM_NUM_PIPES)); ++ bdev->num_channels = val & BAM_NUM_PIPES_MASK; ++ } + + if (bdev->controlled_remotely) + return 0; +@@ -1183,6 +1188,18 @@ static int bam_dma_probe(struct platform + bdev->controlled_remotely = of_property_read_bool(pdev->dev.of_node, + "qcom,controlled-remotely"); + ++ if (bdev->controlled_remotely) { ++ ret = of_property_read_u32(pdev->dev.of_node, "num-channels", ++ &bdev->num_channels); ++ if (ret) ++ dev_err(bdev->dev, "num-channels unspecified in dt\n"); ++ ++ ret = of_property_read_u32(pdev->dev.of_node, "qcom,num-ees", ++ &bdev->num_ees); ++ if (ret) ++ dev_err(bdev->dev, "num-ees unspecified in dt\n"); ++ } ++ + bdev->bamclk = devm_clk_get(bdev->dev, "bam_clk"); + if (IS_ERR(bdev->bamclk)) + return PTR_ERR(bdev->bamclk); diff --git a/queue-4.14/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch b/queue-4.14/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch new file mode 100644 index 00000000000..9ef3654e59b --- /dev/null +++ b/queue-4.14/dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yoshihiro Shimoda +Date: Fri, 2 Feb 2018 19:05:15 +0900 +Subject: dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue() + +From: Yoshihiro Shimoda + +[ Upstream commit 3e081628d510b2ddbe493371d9c574d9275da17e ] + +This patch fixes an issue that a race condition happens between a client +driver and the rcar-dmac driver: + +- The rcar_dmac_isr_transfer_end() is called. + - The done list appears, and desc.running is the next active list. +- rcar_dmac_chan_get_residue() is called by a client driver before + rcar_dmac_isr_channel_thread() is called. + - The rcar_dmac_chan_get_residue() will not find any descriptors. + - And, the following WARNING happens: + WARN(1, "No descriptor for cookie!"); + +The sh-sci driver with HSCIF (921,600bps) on R-Car H3 can cause this +situation. +So, this patch checks the done lists in rcar_dmac_chan_get_residue() +and returns zero if the done lists has the argument cookie. + +Tested-by: Nguyen Viet Dung +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -1264,8 +1264,17 @@ static unsigned int rcar_dmac_chan_get_r + * If the cookie doesn't correspond to the currently running transfer + * then the descriptor hasn't been processed yet, and the residue is + * equal to the full descriptor size. ++ * Also, a client driver is possible to call this function before ++ * rcar_dmac_isr_channel_thread() runs. In this case, the "desc.running" ++ * will be the next descriptor, and the done list will appear. So, if ++ * the argument cookie matches the done list's cookie, we can assume ++ * the residue is zero. + */ + if (cookie != desc->async_tx.cookie) { ++ list_for_each_entry(desc, &chan->desc.done, node) { ++ if (cookie == desc->async_tx.cookie) ++ return 0; ++ } + list_for_each_entry(desc, &chan->desc.pending, node) { + if (cookie == desc->async_tx.cookie) + return desc->size; diff --git a/queue-4.14/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch b/queue-4.14/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch new file mode 100644 index 00000000000..6855aa5b851 --- /dev/null +++ b/queue-4.14/dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yoshihiro Shimoda +Date: Wed, 14 Feb 2018 18:40:12 +0900 +Subject: dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3 + +From: Yoshihiro Shimoda + +[ Upstream commit d716d9b702bb759dd6fb50804f10a174bd156d71 ] + +According to R-Car Gen3 Rev.0.80 manual, the DMATCR can be set to +16,777,215 as maximum. So, this patch fixes the max_chunk_size for +safety on all of SoCs. Otherwise, a system may hang if the DMATCR +is set to 0 on R-Car Gen3. + +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/sh/rcar-dmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/sh/rcar-dmac.c ++++ b/drivers/dma/sh/rcar-dmac.c +@@ -880,7 +880,7 @@ rcar_dmac_chan_prep_sg(struct rcar_dmac_ + + rcar_dmac_chan_configure_desc(chan, desc); + +- max_chunk_size = (RCAR_DMATCR_MASK + 1) << desc->xfer_shift; ++ max_chunk_size = RCAR_DMATCR_MASK << desc->xfer_shift; + + /* + * Allocate and fill the transfer chunk descriptors. We own the only diff --git a/queue-4.14/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch b/queue-4.14/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch new file mode 100644 index 00000000000..486825d9430 --- /dev/null +++ b/queue-4.14/dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Esben Haabendal +Date: Sun, 8 Apr 2018 22:17:01 +0200 +Subject: dp83640: Ensure against premature access to PHY registers after reset + +From: Esben Haabendal + +[ Upstream commit 76327a35caabd1a932e83d6a42b967aa08584e5d ] + +The datasheet specifies a 3uS pause after performing a software +reset. The default implementation of genphy_soft_reset() does not +provide this, so implement soft_reset with the needed pause. + +Signed-off-by: Esben Haabendal +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/dp83640.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/phy/dp83640.c ++++ b/drivers/net/phy/dp83640.c +@@ -1207,6 +1207,23 @@ static void dp83640_remove(struct phy_de + kfree(dp83640); + } + ++static int dp83640_soft_reset(struct phy_device *phydev) ++{ ++ int ret; ++ ++ ret = genphy_soft_reset(phydev); ++ if (ret < 0) ++ return ret; ++ ++ /* From DP83640 datasheet: "Software driver code must wait 3 us ++ * following a software reset before allowing further serial MII ++ * operations with the DP83640." ++ */ ++ udelay(10); /* Taking udelay inaccuracy into account */ ++ ++ return 0; ++} ++ + static int dp83640_config_init(struct phy_device *phydev) + { + struct dp83640_private *dp83640 = phydev->priv; +@@ -1501,6 +1518,7 @@ static struct phy_driver dp83640_driver + .flags = PHY_HAS_INTERRUPT, + .probe = dp83640_probe, + .remove = dp83640_remove, ++ .soft_reset = dp83640_soft_reset, + .config_init = dp83640_config_init, + .config_aneg = genphy_config_aneg, + .read_status = genphy_read_status, diff --git a/queue-4.14/dpaa_eth-fix-pause-capability-advertisement-logic.patch b/queue-4.14/dpaa_eth-fix-pause-capability-advertisement-logic.patch new file mode 100644 index 00000000000..94529fd1157 --- /dev/null +++ b/queue-4.14/dpaa_eth-fix-pause-capability-advertisement-logic.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jake Moroni +Date: Sun, 18 Feb 2018 15:26:04 -0500 +Subject: dpaa_eth: fix pause capability advertisement logic + +From: Jake Moroni + +[ Upstream commit 3021efb440d02bf5b952b6d151c7ffee9bdd49fe ] + +The ADVERTISED_Asym_Pause bit was being improperly set when both +rx and tx pause were enabled. When rx and tx are both enabled, only +the ADVERTISED_Pause bit is supposed to be set. + +Signed-off-by: Jake Moroni +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c +@@ -211,7 +211,7 @@ static int dpaa_set_pauseparam(struct ne + if (epause->rx_pause) + newadv = ADVERTISED_Pause | ADVERTISED_Asym_Pause; + if (epause->tx_pause) +- newadv |= ADVERTISED_Asym_Pause; ++ newadv ^= ADVERTISED_Asym_Pause; + + oldadv = phydev->advertising & + (ADVERTISED_Pause | ADVERTISED_Asym_Pause); diff --git a/queue-4.14/dpaa_eth-fix-sg-mapping.patch b/queue-4.14/dpaa_eth-fix-sg-mapping.patch new file mode 100644 index 00000000000..420cbeb0a8c --- /dev/null +++ b/queue-4.14/dpaa_eth-fix-sg-mapping.patch @@ -0,0 +1,73 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Madalin Bucur +Date: Mon, 26 Feb 2018 11:24:01 -0600 +Subject: dpaa_eth: fix SG mapping + +From: Madalin Bucur + +[ Upstream commit 120d75ecf043044554abbba8507f6d22e4715beb ] + +An issue in the code mapping the skb fragments into +scatter-gather frames was evidentiated by netperf +TCP_SENDFILE tests. The size was set wrong for all +fragments but the first, affecting the transmission +of any skb with more than one fragment. + +Signed-off-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c ++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c +@@ -1930,8 +1930,10 @@ static int skb_to_sg_fd(struct dpaa_priv + goto csum_failed; + } + ++ /* SGT[0] is used by the linear part */ + sgt = (struct qm_sg_entry *)(sgt_buf + priv->tx_headroom); +- qm_sg_entry_set_len(&sgt[0], skb_headlen(skb)); ++ frag_len = skb_headlen(skb); ++ qm_sg_entry_set_len(&sgt[0], frag_len); + sgt[0].bpid = FSL_DPAA_BPID_INV; + sgt[0].offset = 0; + addr = dma_map_single(dev, skb->data, +@@ -1944,9 +1946,9 @@ static int skb_to_sg_fd(struct dpaa_priv + qm_sg_entry_set64(&sgt[0], addr); + + /* populate the rest of SGT entries */ +- frag = &skb_shinfo(skb)->frags[0]; +- frag_len = frag->size; +- for (i = 1; i <= nr_frags; i++, frag++) { ++ for (i = 0; i < nr_frags; i++) { ++ frag = &skb_shinfo(skb)->frags[i]; ++ frag_len = frag->size; + WARN_ON(!skb_frag_page(frag)); + addr = skb_frag_dma_map(dev, frag, 0, + frag_len, dma_dir); +@@ -1956,15 +1958,16 @@ static int skb_to_sg_fd(struct dpaa_priv + goto sg_map_failed; + } + +- qm_sg_entry_set_len(&sgt[i], frag_len); +- sgt[i].bpid = FSL_DPAA_BPID_INV; +- sgt[i].offset = 0; ++ qm_sg_entry_set_len(&sgt[i + 1], frag_len); ++ sgt[i + 1].bpid = FSL_DPAA_BPID_INV; ++ sgt[i + 1].offset = 0; + + /* keep the offset in the address */ +- qm_sg_entry_set64(&sgt[i], addr); +- frag_len = frag->size; ++ qm_sg_entry_set64(&sgt[i + 1], addr); + } +- qm_sg_entry_set_f(&sgt[i - 1], frag_len); ++ ++ /* Set the final bit in the last used entry of the SGT */ ++ qm_sg_entry_set_f(&sgt[nr_frags], frag_len); + + qm_fd_set_sg(fd, priv->tx_headroom, skb->len); + diff --git a/queue-4.14/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch b/queue-4.14/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch new file mode 100644 index 00000000000..69f17007a54 --- /dev/null +++ b/queue-4.14/drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Aaro Koskinen +Date: Fri, 16 Mar 2018 22:17:28 +0200 +Subject: drivers: macintosh: rack-meter: really fix bogus memsets + +From: Aaro Koskinen + +[ Upstream commit e283655b5abe26462d53d5196f186c5e8863af3b ] + +We should zero an array using sizeof instead of number of elements. + +Fixes the following compiler (GCC 7.3.0) warnings: + +drivers/macintosh/rack-meter.c: In function 'rackmeter_do_pause': +drivers/macintosh/rack-meter.c:157:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] +drivers/macintosh/rack-meter.c:158:2: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] + +Fixes: 4f7bef7a9f69 ("drivers: macintosh: rack-meter: fix bogus memsets") +Reported-by: Stephen Rothwell +Signed-off-by: Aaro Koskinen +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/rack-meter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/macintosh/rack-meter.c ++++ b/drivers/macintosh/rack-meter.c +@@ -154,8 +154,8 @@ static void rackmeter_do_pause(struct ra + DBDMA_DO_STOP(rm->dma_regs); + return; + } +- memset(rdma->buf1, 0, ARRAY_SIZE(rdma->buf1)); +- memset(rdma->buf2, 0, ARRAY_SIZE(rdma->buf2)); ++ memset(rdma->buf1, 0, sizeof(rdma->buf1)); ++ memset(rdma->buf2, 0, sizeof(rdma->buf2)); + + rm->dma_buf_v->mark = 0; + diff --git a/queue-4.14/drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch b/queue-4.14/drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch new file mode 100644 index 00000000000..8244cea5a96 --- /dev/null +++ b/queue-4.14/drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tom St Denis +Date: Mon, 26 Feb 2018 09:09:26 -0500 +Subject: drm/amd/amdgpu: Correct VRAM width for APUs with GMC9 + +From: Tom St Denis + +[ Upstream commit 585b7f161c85bd5ca675b97580faf21c506541e3 ] + +DDR4 has a 64-bit width not 128-bits. It was reporting +twice the width. Tested with my Ryzen 2400G. + +Signed-off-by: Tom St Denis +Reviewed-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gmc_v9_0.c +@@ -456,7 +456,10 @@ static int gmc_v9_0_mc_init(struct amdgp + adev->mc.vram_width = amdgpu_atomfirmware_get_vram_width(adev); + if (!adev->mc.vram_width) { + /* hbm memory channel size */ +- chansize = 128; ++ if (adev->flags & AMD_IS_APU) ++ chansize = 64; ++ else ++ chansize = 128; + + tmp = RREG32_SOC15(DF, 0, mmDF_CS_AON0_DramBaseAddress0); + tmp &= DF_CS_AON0_DramBaseAddress0__IntLvNumChan_MASK; diff --git a/queue-4.14/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch b/queue-4.14/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch new file mode 100644 index 00000000000..54090066251 --- /dev/null +++ b/queue-4.14/drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch @@ -0,0 +1,85 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Monk Liu +Date: Tue, 23 Jan 2018 18:26:20 +0800 +Subject: drm/amdgpu: adjust timeout for ib_ring_tests(v2) + +From: Monk Liu + +[ Upstream commit dbf797655a43c6318ebb90b899e6583fcadc6472 ] + +issue: +sometime GFX/MM ib test hit timeout under SRIOV env, root cause +is that engine doesn't come back soon enough so the current +IB test considered as timed out. + +fix: +for SRIOV GFX IB test wait time need to be expanded a lot during +SRIOV runtimei mode since it couldn't really begin before GFX engine +come back. + +for SRIOV MM IB test it always need more time since MM scheduling +is not go together with GFX engine, it is controled by h/w MM +scheduler so no matter runtime or exclusive mode MM IB test +always need more time. + +v2: +use ring type instead of idx to judge + +Signed-off-by: Monk Liu +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c +@@ -322,14 +322,45 @@ int amdgpu_ib_ring_tests(struct amdgpu_d + { + unsigned i; + int r, ret = 0; ++ long tmo_gfx, tmo_mm; ++ ++ tmo_mm = tmo_gfx = AMDGPU_IB_TEST_TIMEOUT; ++ if (amdgpu_sriov_vf(adev)) { ++ /* for MM engines in hypervisor side they are not scheduled together ++ * with CP and SDMA engines, so even in exclusive mode MM engine could ++ * still running on other VF thus the IB TEST TIMEOUT for MM engines ++ * under SR-IOV should be set to a long time. 8 sec should be enough ++ * for the MM comes back to this VF. ++ */ ++ tmo_mm = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } ++ ++ if (amdgpu_sriov_runtime(adev)) { ++ /* for CP & SDMA engines since they are scheduled together so ++ * need to make the timeout width enough to cover the time ++ * cost waiting for it coming back under RUNTIME only ++ */ ++ tmo_gfx = 8 * AMDGPU_IB_TEST_TIMEOUT; ++ } + + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; ++ long tmo; + + if (!ring || !ring->ready) + continue; + +- r = amdgpu_ring_test_ib(ring, AMDGPU_IB_TEST_TIMEOUT); ++ /* MM engine need more time */ ++ if (ring->funcs->type == AMDGPU_RING_TYPE_UVD || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCE || ++ ring->funcs->type == AMDGPU_RING_TYPE_UVD_ENC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_DEC || ++ ring->funcs->type == AMDGPU_RING_TYPE_VCN_ENC) ++ tmo = tmo_mm; ++ else ++ tmo = tmo_gfx; ++ ++ r = amdgpu_ring_test_ib(ring, tmo); + if (r) { + ring->ready = false; + diff --git a/queue-4.14/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch b/queue-4.14/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch new file mode 100644 index 00000000000..9fb6a2529a9 --- /dev/null +++ b/queue-4.14/drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Monk Liu +Date: Mon, 29 Jan 2018 19:24:32 +0800 +Subject: drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini + +From: Monk Liu + +[ Upstream commit 9f0178fb67699992d38601cb923b434f9986dd68 ] + +otherwise there will be DMAR reading error comes out from CP since +GFX is still alive and CPC's WPTR_POLL is still enabled, which would +lead to DMAR read error. + +fix: +we can hault CPG after hw_fini, but cannot halt CPC becaues KIQ +stil need to be alive to let RLCV invoke, but its WPTR_POLL could +be disabled. + +Signed-off-by: Monk Liu +Acked-by: Alex Deucher +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c +@@ -2889,7 +2889,13 @@ static int gfx_v9_0_hw_fini(void *handle + amdgpu_irq_put(adev, &adev->gfx.priv_reg_irq, 0); + amdgpu_irq_put(adev, &adev->gfx.priv_inst_irq, 0); + if (amdgpu_sriov_vf(adev)) { +- pr_debug("For SRIOV client, shouldn't do anything.\n"); ++ gfx_v9_0_cp_gfx_enable(adev, false); ++ /* must disable polling for SRIOV when hw finished, otherwise ++ * CPC engine may still keep fetching WB address which is already ++ * invalid after sw finished and trigger DMAR reading error in ++ * hypervisor side. ++ */ ++ WREG32_FIELD15(GC, 0, CP_PQ_WPTR_POLL_CNTL, EN, 0); + return 0; + } + gfx_v9_0_cp_enable(adev, false); diff --git a/queue-4.14/drm-amdkfd-add-missing-include-of-mm.h.patch b/queue-4.14/drm-amdkfd-add-missing-include-of-mm.h.patch new file mode 100644 index 00000000000..b981728cd94 --- /dev/null +++ b/queue-4.14/drm-amdkfd-add-missing-include-of-mm.h.patch @@ -0,0 +1,28 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Oded Gabbay +Date: Thu, 15 Mar 2018 10:08:35 +0200 +Subject: drm/amdkfd: add missing include of mm.h + +From: Oded Gabbay + +[ Upstream commit 7420f482ea5163bf6dae39a5c7628d5397cd6307 ] + +This patch fixes kernel build in ARCH=frv + +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h +@@ -26,6 +26,7 @@ + #define AMDGPU_AMDKFD_H_INCLUDED + + #include ++#include + #include + #include + diff --git a/queue-4.14/drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch b/queue-4.14/drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch new file mode 100644 index 00000000000..01eb2c53ee5 --- /dev/null +++ b/queue-4.14/drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Felix Kuehling +Date: Fri, 23 Mar 2018 15:30:33 -0400 +Subject: drm/amdkfd: Fix scratch memory with HWS enabled + +From: Felix Kuehling + +[ Upstream commit c70a36268799cf2f902b5a31e452571fcb96bfe9 ] + +Program sh_hidden_private_base_vmid correctly in the map-process +PM4 packet. + +Signed-off-by: Felix Kuehling +Reviewed-by: Oded Gabbay +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_packet_manager.c +@@ -166,8 +166,7 @@ static int pm_create_map_process(struct + packet->sh_mem_ape1_base = qpd->sh_mem_ape1_base; + packet->sh_mem_ape1_limit = qpd->sh_mem_ape1_limit; + +- /* TODO: scratch support */ +- packet->sh_hidden_private_base_vmid = 0; ++ packet->sh_hidden_private_base_vmid = qpd->sh_hidden_private_base; + + packet->gds_addr_lo = lower_32_bits(qpd->gds_context_area); + packet->gds_addr_hi = upper_32_bits(qpd->gds_context_area); diff --git a/queue-4.14/drm-ast-fixed-1280x800-display-issue.patch b/queue-4.14/drm-ast-fixed-1280x800-display-issue.patch new file mode 100644 index 00000000000..fd8c3af0419 --- /dev/null +++ b/queue-4.14/drm-ast-fixed-1280x800-display-issue.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Y.C. Chen" +Date: Mon, 12 Mar 2018 11:40:23 +0800 +Subject: drm/ast: Fixed 1280x800 Display Issue + +From: "Y.C. Chen" + +[ Upstream commit 5a9f698feb11b198f17b2acebbfe0e2716a3beed ] + +The original ast driver cannot display properly if the resolution is 1280x800 and the pixel clock is 83.5MHz. +Here is the update to fix it. + +Signed-off-by: Y.C. Chen +Signed-off-by: Dave Airlie +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/ast/ast_tables.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/ast/ast_tables.h ++++ b/drivers/gpu/drm/ast/ast_tables.h +@@ -97,7 +97,7 @@ static const struct ast_vbios_dclk_info + {0x67, 0x22, 0x00}, /* 0E: VCLK157_5 */ + {0x6A, 0x22, 0x00}, /* 0F: VCLK162 */ + {0x4d, 0x4c, 0x80}, /* 10: VCLK154 */ +- {0xa7, 0x78, 0x80}, /* 11: VCLK83.5 */ ++ {0x68, 0x6f, 0x80}, /* 11: VCLK83.5 */ + {0x28, 0x49, 0x80}, /* 12: VCLK106.5 */ + {0x37, 0x49, 0x80}, /* 13: VCLK146.25 */ + {0x1f, 0x45, 0x80}, /* 14: VCLK148.5 */ +@@ -127,7 +127,7 @@ static const struct ast_vbios_dclk_info + {0x67, 0x22, 0x00}, /* 0E: VCLK157_5 */ + {0x6A, 0x22, 0x00}, /* 0F: VCLK162 */ + {0x4d, 0x4c, 0x80}, /* 10: VCLK154 */ +- {0xa7, 0x78, 0x80}, /* 11: VCLK83.5 */ ++ {0x68, 0x6f, 0x80}, /* 11: VCLK83.5 */ + {0x28, 0x49, 0x80}, /* 12: VCLK106.5 */ + {0x37, 0x49, 0x80}, /* 13: VCLK146.25 */ + {0x1f, 0x45, 0x80}, /* 14: VCLK148.5 */ diff --git a/queue-4.14/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch b/queue-4.14/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch new file mode 100644 index 00000000000..9570d6e59a7 --- /dev/null +++ b/queue-4.14/drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch @@ -0,0 +1,95 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Linus Walleij +Date: Mon, 5 Mar 2018 11:17:02 +0100 +Subject: drm/bridge: sii902x: Retry status read after DDI I2C + +From: Linus Walleij + +[ Upstream commit 2e7a66a8b5ebf1b04a866e5d7c981640f7f62934 ] + +The following happens when connection a DVI output driven +from the SiI9022 using a DVI-to-VGA adapter plug: + +i2c i2c-0: sendbytes: NAK bailout. +i2c i2c-0: sendbytes: NAK bailout. + +Then no picture. Apparently the I2C engine inside the SiI9022 +is not smart enough to try to fall back to DDC I2C. Or the +vendor have not integrated the electronics properly. I don't +know which one it is. + +After this, the I2C bus seems stalled and the first attempt to +read the status register fails, and the code returns with +negative return value, and the display fails to initialized. + +Instead, retry status readout five times and continue even +if this fails. + +Tested on the ARM Versatile Express with a DVI-to-VGA +connector, it now gives picture. + +Introduce a helper struct device *dev variable to make +the code more readable. + +Cc: Ville Syrjälä +Reviewed-by: Liviu Dudau +Signed-off-by: Linus Walleij +Link: https://patchwork.freedesktop.org/patch/msgid/20180305101702.13441-1-linus.walleij@linaro.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/sii902x.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/bridge/sii902x.c ++++ b/drivers/gpu/drm/bridge/sii902x.c +@@ -137,7 +137,9 @@ static int sii902x_get_modes(struct drm_ + struct sii902x *sii902x = connector_to_sii902x(connector); + struct regmap *regmap = sii902x->regmap; + u32 bus_format = MEDIA_BUS_FMT_RGB888_1X24; ++ struct device *dev = &sii902x->i2c->dev; + unsigned long timeout; ++ unsigned int retries; + unsigned int status; + struct edid *edid; + int num = 0; +@@ -159,7 +161,7 @@ static int sii902x_get_modes(struct drm_ + time_before(jiffies, timeout)); + + if (!(status & SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to acquire the i2c bus\n"); ++ dev_err(dev, "failed to acquire the i2c bus\n"); + return -ETIMEDOUT; + } + +@@ -179,9 +181,19 @@ static int sii902x_get_modes(struct drm_ + if (ret) + return ret; + +- ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, &status); ++ /* ++ * Sometimes the I2C bus can stall after failure to use the ++ * EDID channel. Retry a few times to see if things clear ++ * up, else continue anyway. ++ */ ++ retries = 5; ++ do { ++ ret = regmap_read(regmap, SII902X_SYS_CTRL_DATA, ++ &status); ++ retries--; ++ } while (ret && retries); + if (ret) +- return ret; ++ dev_err(dev, "failed to read status (%d)\n", ret); + + ret = regmap_update_bits(regmap, SII902X_SYS_CTRL_DATA, + SII902X_SYS_CTRL_DDC_BUS_REQ | +@@ -201,7 +213,7 @@ static int sii902x_get_modes(struct drm_ + + if (status & (SII902X_SYS_CTRL_DDC_BUS_REQ | + SII902X_SYS_CTRL_DDC_BUS_GRTD)) { +- dev_err(&sii902x->i2c->dev, "failed to release the i2c bus\n"); ++ dev_err(dev, "failed to release the i2c bus\n"); + return -ETIMEDOUT; + } + diff --git a/queue-4.14/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.14/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch new file mode 100644 index 00000000000..08266a20da4 --- /dev/null +++ b/queue-4.14/drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Wolfram Sang +Date: Mon, 5 Feb 2018 21:09:59 +0100 +Subject: drm/exynos: fix comparison to bitshift when dealing with a mask + +From: Wolfram Sang + +[ Upstream commit 1293b6191010672c0c9dacae8f71c6f3e4d70cbe ] + +Due to a typo, the mask was destroyed by a comparison instead of a bit +shift. + +Signed-off-by: Wolfram Sang +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/regs-fimc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/exynos/regs-fimc.h ++++ b/drivers/gpu/drm/exynos/regs-fimc.h +@@ -569,7 +569,7 @@ + #define EXYNOS_CIIMGEFF_FIN_EMBOSSING (4 << 26) + #define EXYNOS_CIIMGEFF_FIN_SILHOUETTE (5 << 26) + #define EXYNOS_CIIMGEFF_FIN_MASK (7 << 26) +-#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff < 13) | (0xff < 0)) ++#define EXYNOS_CIIMGEFF_PAT_CBCR_MASK ((0xff << 13) | (0xff << 0)) + + /* Real input DMA size register */ + #define EXYNOS_CIREAL_ISIZE_AUTOLOAD_ENABLE (1 << 31) diff --git a/queue-4.14/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch b/queue-4.14/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch new file mode 100644 index 00000000000..8095cfe2dc1 --- /dev/null +++ b/queue-4.14/drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Markus Elfring +Date: Thu, 8 Feb 2018 18:42:51 +0100 +Subject: drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions + +From: Markus Elfring + +[ Upstream commit 6f0a60298bbbea43ab5e3955913ab19c153076f3 ] + +Omit an extra message for a memory allocation failure in these functions. + +This issue was detected by using the Coccinelle software. + +Signed-off-by: Markus Elfring +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +@@ -286,7 +286,6 @@ static int g2d_init_cmdlist(struct g2d_d + + node = kcalloc(G2D_CMDLIST_NUM, sizeof(*node), GFP_KERNEL); + if (!node) { +- dev_err(dev, "failed to allocate memory\n"); + ret = -ENOMEM; + goto err; + } +@@ -1358,10 +1357,9 @@ int exynos_g2d_exec_ioctl(struct drm_dev + return -EFAULT; + + runqueue_node = kmem_cache_alloc(g2d->runqueue_slab, GFP_KERNEL); +- if (!runqueue_node) { +- dev_err(dev, "failed to allocate memory\n"); ++ if (!runqueue_node) + return -ENOMEM; +- } ++ + run_cmdlist = &runqueue_node->run_cmdlist; + event_list = &runqueue_node->event_list; + INIT_LIST_HEAD(run_cmdlist); diff --git a/queue-4.14/drm-exynos-g2d-use-monotonic-timestamps.patch b/queue-4.14/drm-exynos-g2d-use-monotonic-timestamps.patch new file mode 100644 index 00000000000..fd9e1123230 --- /dev/null +++ b/queue-4.14/drm-exynos-g2d-use-monotonic-timestamps.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arnd Bergmann +Date: Wed, 17 Jan 2018 18:01:21 +0100 +Subject: drm/exynos: g2d: use monotonic timestamps + +From: Arnd Bergmann + +[ Upstream commit a588a8bb7b25a3fb4f7fed00feb7aec541fc2632 ] + +The exynos DRM driver uses real-time 'struct timeval' values +for exporting its timestamps to user space. This has multiple +problems: + +1. signed seconds overflow in y2038 +2. the 'struct timeval' definition is deprecated in the kernel +3. time may jump or go backwards after a 'settimeofday()' syscall +4. other DRM timestamps are in CLOCK_MONOTONIC domain, so they + can't be compared +5. exporting microseconds requires a division by 1000, which may + be slow on some architectures. + +The code existed in two places before, but the IPP portion was +removed in 8ded59413ccc ("drm/exynos: ipp: Remove Exynos DRM +IPP subsystem"), so we no longer need to worry about it. + +Ideally timestamps should just use 64-bit nanoseconds instead, but +of course we can't change that now. Instead, this tries to address +the first four points above by using monotonic 'timespec' values. + +According to Tobias Jakobi, user space doesn't care about the +timestamp at the moment, so we can change the format. Even if +there is something looking at them, it will work just fine with +monotonic times as long as the application only looks at the +relative values between two events. + +Link: https://patchwork.kernel.org/patch/10038593/ +Cc: Tobias Jakobi +Signed-off-by: Arnd Bergmann +Reviewed-by: Tobias Jakobi +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_g2d.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.c +@@ -926,7 +926,7 @@ static void g2d_finish_event(struct g2d_ + struct drm_device *drm_dev = g2d->subdrv.drm_dev; + struct g2d_runqueue_node *runqueue_node = g2d->runqueue_node; + struct drm_exynos_pending_g2d_event *e; +- struct timeval now; ++ struct timespec64 now; + + if (list_empty(&runqueue_node->event_list)) + return; +@@ -934,9 +934,9 @@ static void g2d_finish_event(struct g2d_ + e = list_first_entry(&runqueue_node->event_list, + struct drm_exynos_pending_g2d_event, base.link); + +- do_gettimeofday(&now); ++ ktime_get_ts64(&now); + e->event.tv_sec = now.tv_sec; +- e->event.tv_usec = now.tv_usec; ++ e->event.tv_usec = now.tv_nsec / NSEC_PER_USEC; + e->event.cmdlist_no = cmdlist_no; + + drm_send_event(drm_dev, &e->base); diff --git a/queue-4.14/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch b/queue-4.14/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch new file mode 100644 index 00000000000..c53e028d120 --- /dev/null +++ b/queue-4.14/drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Lucas Stach +Date: Thu, 15 Mar 2018 10:11:59 +0100 +Subject: drm/imx: move arming of the vblank event to atomic_flush + +From: Lucas Stach + +[ Upstream commit 6a055b92de15af987b4027826d43aa103c65a3c4 ] + +Right now the vblank event completion is racing with the atomic update, +which is especially bad when the PRE is in use, as one of the hardware +issue workaround might extend the atomic commit for quite some time. + +If the vblank IRQ happens to trigger during that time, we will prematurely +signal the atomic commit completion to userspace, which causes tearing +when userspace re-uses a framebuffer we haven't managed to flip away from +yet. + +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/imx/ipuv3-crtc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/imx/ipuv3-crtc.c ++++ b/drivers/gpu/drm/imx/ipuv3-crtc.c +@@ -225,7 +225,11 @@ static void ipu_crtc_atomic_begin(struct + struct drm_crtc_state *old_crtc_state) + { + drm_crtc_vblank_on(crtc); ++} + ++static void ipu_crtc_atomic_flush(struct drm_crtc *crtc, ++ struct drm_crtc_state *old_crtc_state) ++{ + spin_lock_irq(&crtc->dev->event_lock); + if (crtc->state->event) { + WARN_ON(drm_crtc_vblank_get(crtc)); +@@ -293,6 +297,7 @@ static const struct drm_crtc_helper_func + .mode_set_nofb = ipu_crtc_mode_set_nofb, + .atomic_check = ipu_crtc_atomic_check, + .atomic_begin = ipu_crtc_atomic_begin, ++ .atomic_flush = ipu_crtc_atomic_flush, + .atomic_disable = ipu_crtc_atomic_disable, + .atomic_enable = ipu_crtc_atomic_enable, + }; diff --git a/queue-4.14/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch b/queue-4.14/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..f0b2f350bab --- /dev/null +++ b/queue-4.14/drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:08 +0100 +Subject: drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit e770f6bf18182bc3af6ceec30189b6c323cbc157 ] + +'drm_vblank_init()' can fail. So handle this (unlikely) error. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/6cbf3d70ac3904489c7194c895225c4103aebb96.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -221,7 +221,10 @@ static int meson_drv_bind_master(struct + + priv->vsync_irq = platform_get_irq(pdev, 0); + +- drm_vblank_init(drm, 1); ++ ret = drm_vblank_init(drm, 1); ++ if (ret) ++ goto free_drm; ++ + drm_mode_config_init(drm); + drm->mode_config.max_width = 3840; + drm->mode_config.max_height = 2160; diff --git a/queue-4.14/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch b/queue-4.14/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch new file mode 100644 index 00000000000..fbde35d7054 --- /dev/null +++ b/queue-4.14/drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch @@ -0,0 +1,77 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe JAILLET +Date: Mon, 12 Mar 2018 21:15:10 +0100 +Subject: drm/meson: Fix some error handling paths in 'meson_drv_bind_master()' + +From: Christophe JAILLET + +[ Upstream commit 2c18107b9d58972588cd45d89b8f58d0f033c110 ] + +If one of these functions fail, we whould free 'drm', as alreadry done in +the other error handling paths, below and above. + +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Christophe JAILLET +Acked-by: Neil Armstrong +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/df47e03d36c2cf7bc37ec3105fc47c16555bd946.1520885192.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_drv.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/meson/meson_drv.c ++++ b/drivers/gpu/drm/meson/meson_drv.c +@@ -180,35 +180,43 @@ static int meson_drv_bind_master(struct + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "vpu"); + regs = devm_ioremap_resource(dev, res); +- if (IS_ERR(regs)) +- return PTR_ERR(regs); ++ if (IS_ERR(regs)) { ++ ret = PTR_ERR(regs); ++ goto free_drm; ++ } + + priv->io_base = regs; + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "hhi"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->hhi = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->hhi)) { + dev_err(&pdev->dev, "Couldn't create the HHI regmap\n"); +- return PTR_ERR(priv->hhi); ++ ret = PTR_ERR(priv->hhi); ++ goto free_drm; + } + + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "dmc"); + /* Simply ioremap since it may be a shared register zone */ + regs = devm_ioremap(dev, res->start, resource_size(res)); +- if (!regs) +- return -EADDRNOTAVAIL; ++ if (!regs) { ++ ret = -EADDRNOTAVAIL; ++ goto free_drm; ++ } + + priv->dmc = devm_regmap_init_mmio(dev, regs, + &meson_regmap_config); + if (IS_ERR(priv->dmc)) { + dev_err(&pdev->dev, "Couldn't create the DMC regmap\n"); +- return PTR_ERR(priv->dmc); ++ ret = PTR_ERR(priv->dmc); ++ goto free_drm; + } + + priv->vsync_irq = platform_get_irq(pdev, 0); diff --git a/queue-4.14/drm-meson-fix-vsync-buffer-update.patch b/queue-4.14/drm-meson-fix-vsync-buffer-update.patch new file mode 100644 index 00000000000..cffc35b42bc --- /dev/null +++ b/queue-4.14/drm-meson-fix-vsync-buffer-update.patch @@ -0,0 +1,82 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Neil Armstrong +Date: Thu, 15 Feb 2018 11:19:36 +0100 +Subject: drm/meson: fix vsync buffer update + +From: Neil Armstrong + +[ Upstream commit e88230a3744a71a0b5ecfb45e08ddfe1c884e50d ] + +The plane buffer address/stride/height was incorrectly updated in the +plane_atomic_update operation instead of the vsync irq. +This patch delays this operation in the vsync irq along with the +other plane delayed setup. + +This issue was masked using legacy framebuffer and X11 modesetting, but +is clearly visible using gbm rendering when buffer is submitted late after +vblank, like using software decoding and OpenGL rendering in Kodi. +With this patch, tearing and other artifacts disappears completely. + +Cc: Michal Lazo +Fixes: bbbe775ec5b5 ("drm: Add support for Amlogic Meson Graphic Controller") +Signed-off-by: Neil Armstrong +Acked-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/1518689976-23292-1-git-send-email-narmstrong@baylibre.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/meson/meson_crtc.c | 6 ++++++ + drivers/gpu/drm/meson/meson_drv.h | 3 +++ + drivers/gpu/drm/meson/meson_plane.c | 7 +++---- + 3 files changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/meson/meson_crtc.c ++++ b/drivers/gpu/drm/meson/meson_crtc.c +@@ -36,6 +36,7 @@ + #include "meson_venc.h" + #include "meson_vpp.h" + #include "meson_viu.h" ++#include "meson_canvas.h" + #include "meson_registers.h" + + /* CRTC definition */ +@@ -192,6 +193,11 @@ void meson_crtc_irq(struct meson_drm *pr + } else + meson_vpp_disable_interlace_vscaler_osd1(priv); + ++ meson_canvas_setup(priv, MESON_CANVAS_ID_OSD1, ++ priv->viu.osd1_addr, priv->viu.osd1_stride, ++ priv->viu.osd1_height, MESON_CANVAS_WRAP_NONE, ++ MESON_CANVAS_BLKMODE_LINEAR); ++ + /* Enable OSD1 */ + writel_bits_relaxed(VPP_OSD1_POSTBLEND, VPP_OSD1_POSTBLEND, + priv->io_base + _REG(VPP_MISC)); +--- a/drivers/gpu/drm/meson/meson_drv.h ++++ b/drivers/gpu/drm/meson/meson_drv.h +@@ -43,6 +43,9 @@ struct meson_drm { + bool osd1_commit; + uint32_t osd1_ctrl_stat; + uint32_t osd1_blk0_cfg[5]; ++ uint32_t osd1_addr; ++ uint32_t osd1_stride; ++ uint32_t osd1_height; + } viu; + + struct { +--- a/drivers/gpu/drm/meson/meson_plane.c ++++ b/drivers/gpu/drm/meson/meson_plane.c +@@ -164,10 +164,9 @@ static void meson_plane_atomic_update(st + /* Update Canvas with buffer address */ + gem = drm_fb_cma_get_gem_obj(fb, 0); + +- meson_canvas_setup(priv, MESON_CANVAS_ID_OSD1, +- gem->paddr, fb->pitches[0], +- fb->height, MESON_CANVAS_WRAP_NONE, +- MESON_CANVAS_BLKMODE_LINEAR); ++ priv->viu.osd1_addr = gem->paddr; ++ priv->viu.osd1_stride = fb->pitches[0]; ++ priv->viu.osd1_height = fb->height; + + spin_unlock_irqrestore(&priv->drm->event_lock, flags); + } diff --git a/queue-4.14/drm-nouveau-bl-fix-backlight-regression.patch b/queue-4.14/drm-nouveau-bl-fix-backlight-regression.patch new file mode 100644 index 00000000000..0771abab5ca --- /dev/null +++ b/queue-4.14/drm-nouveau-bl-fix-backlight-regression.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Karol Herbst +Date: Mon, 19 Feb 2018 17:09:45 +0100 +Subject: drm/nouveau/bl: fix backlight regression + +From: Karol Herbst + +[ Upstream commit 9e75dc61eaa9acd1bff83c3b814ac2af6dc1f64c ] + +Fixes: 3c66c87dc9 ("drm/nouveau/disp: remove hw-specific customisation +of output paths") +Suggested-by: Ben Skeggs +Signed-off-by: Karol Herbst +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_backlight.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_backlight.c ++++ b/drivers/gpu/drm/nouveau/nouveau_backlight.c +@@ -134,7 +134,7 @@ nv50_get_intensity(struct backlight_devi + struct nouveau_encoder *nv_encoder = bl_get_data(bd); + struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev); + struct nvif_object *device = &drm->client.device.object; +- int or = nv_encoder->or; ++ int or = ffs(nv_encoder->dcb->or) - 1; + u32 div = 1025; + u32 val; + +@@ -149,7 +149,7 @@ nv50_set_intensity(struct backlight_devi + struct nouveau_encoder *nv_encoder = bl_get_data(bd); + struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev); + struct nvif_object *device = &drm->client.device.object; +- int or = nv_encoder->or; ++ int or = ffs(nv_encoder->dcb->or) - 1; + u32 div = 1025; + u32 val = (bd->props.brightness * div) / 100; + +@@ -170,7 +170,7 @@ nva3_get_intensity(struct backlight_devi + struct nouveau_encoder *nv_encoder = bl_get_data(bd); + struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev); + struct nvif_object *device = &drm->client.device.object; +- int or = nv_encoder->or; ++ int or = ffs(nv_encoder->dcb->or) - 1; + u32 div, val; + + div = nvif_rd32(device, NV50_PDISP_SOR_PWM_DIV(or)); +@@ -188,7 +188,7 @@ nva3_set_intensity(struct backlight_devi + struct nouveau_encoder *nv_encoder = bl_get_data(bd); + struct nouveau_drm *drm = nouveau_drm(nv_encoder->base.base.dev); + struct nvif_object *device = &drm->client.device.object; +- int or = nv_encoder->or; ++ int or = ffs(nv_encoder->dcb->or) - 1; + u32 div, val; + + div = nvif_rd32(device, NV50_PDISP_SOR_PWM_DIV(or)); +@@ -228,7 +228,7 @@ nv50_backlight_init(struct drm_connector + return -ENODEV; + } + +- if (!nvif_rd32(device, NV50_PDISP_SOR_PWM_CTL(nv_encoder->or))) ++ if (!nvif_rd32(device, NV50_PDISP_SOR_PWM_CTL(ffs(nv_encoder->dcb->or) - 1))) + return 0; + + if (drm->client.device.info.chipset <= 0xa0 || diff --git a/queue-4.14/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch b/queue-4.14/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch new file mode 100644 index 00000000000..71d05d186a1 --- /dev/null +++ b/queue-4.14/drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch @@ -0,0 +1,311 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Laurent Pinchart +Date: Sun, 11 Feb 2018 15:07:44 +0200 +Subject: drm: omapdrm: dss: Move initialization code from component bind to probe + +From: Laurent Pinchart + +[ Upstream commit 215003b4ae1d47035092fef73b6a22aa82037091 ] + +There's no reason to delay initialization of most of the driver (such as +mapping memory I/O, getting clocks or enabling runtime PM) to the +component master bind handler. + +This additionally fixes a real PM issue caused enabling runtime PM in +the bind handler. + +The bind handler performs the following sequence of PM operations: + + pm_runtime_enable(dev); + pm_runtime_get_sync(dev); + + ... (access the hardware to read the device revision) ... + + pm_runtime_put_sync(dev); + +If a failure occurs at this point, the error path calls +pm_runtime_disable() to balance the pm_runtime_enable() call. + +To understand the problem, it should be noted that the bind handler is +called when one of the component registers itself, which happens in the +component's probe handler. Furthermore, as the components are children +of the DSS, the device core calls pm_runtime_get_sync() on the DSS +platform device before calling the component's probe handler. This +increases the DSS power usage count but doesn't runtime resume the +device, as runtime PM is disabled at that point. + +The bind handler is thus called with runtime PM disabled, with the +device runtime suspended, but with the power usage count larger than 0. +The pm_runtime_get_sync() call will thus further increase the power +usage count and runtime resume the device. The pm_runtime_put_sync() +handler will decrease the power usage count to a non-zero value and will +thus not suspend the device. Finally, the pm_runtime_disable() call will +disable runtime PM, preventing the pm_runtime_put() call in the device +core from runtime suspending the device. The DSS device is thus left +powered on. + +To fix this, move the initialization code from the bind handler to the +probe handler. + +Signed-off-by: Laurent Pinchart +Reviewed-by: Sebastian Reichel +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++++++++++++++++------------------ + 1 file changed, 104 insertions(+), 89 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/dss/dss.c ++++ b/drivers/gpu/drm/omapdrm/dss/dss.c +@@ -1299,88 +1299,18 @@ static const struct soc_device_attribute + + static int dss_bind(struct device *dev) + { +- struct platform_device *pdev = to_platform_device(dev); +- struct resource *dss_mem; +- u32 rev; + int r; + +- dss_mem = platform_get_resource(dss.pdev, IORESOURCE_MEM, 0); +- dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); +- if (IS_ERR(dss.base)) +- return PTR_ERR(dss.base); +- +- r = dss_get_clocks(); ++ r = component_bind_all(dev, NULL); + if (r) + return r; + +- r = dss_setup_default_clock(); +- if (r) +- goto err_setup_clocks; +- +- r = dss_video_pll_probe(pdev); +- if (r) +- goto err_pll_init; +- +- r = dss_init_ports(pdev); +- if (r) +- goto err_init_ports; +- +- pm_runtime_enable(&pdev->dev); +- +- r = dss_runtime_get(); +- if (r) +- goto err_runtime_get; +- +- dss.dss_clk_rate = clk_get_rate(dss.dss_clk); +- +- /* Select DPLL */ +- REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); +- +- dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); +- +-#ifdef CONFIG_OMAP2_DSS_VENC +- REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ +- REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ +- REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ +-#endif +- dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; +- dss.dispc_clk_source = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; +- dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; +- +- rev = dss_read_reg(DSS_REVISION); +- pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); +- +- dss_runtime_put(); +- +- r = component_bind_all(&pdev->dev, NULL); +- if (r) +- goto err_component; +- +- dss_debugfs_create_file("dss", dss_dump_regs); +- + pm_set_vt_switch(0); + + omapdss_gather_components(dev); + omapdss_set_is_initialized(true); + + return 0; +- +-err_component: +-err_runtime_get: +- pm_runtime_disable(&pdev->dev); +- dss_uninit_ports(pdev); +-err_init_ports: +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +-err_pll_init: +-err_setup_clocks: +- dss_put_clocks(); +- return r; + } + + static void dss_unbind(struct device *dev) +@@ -1390,18 +1320,6 @@ static void dss_unbind(struct device *de + omapdss_set_is_initialized(false); + + component_unbind_all(&pdev->dev, NULL); +- +- if (dss.video1_pll) +- dss_video_pll_uninit(dss.video1_pll); +- +- if (dss.video2_pll) +- dss_video_pll_uninit(dss.video2_pll); +- +- dss_uninit_ports(pdev); +- +- pm_runtime_disable(&pdev->dev); +- +- dss_put_clocks(); + } + + static const struct component_master_ops dss_component_ops = { +@@ -1433,10 +1351,46 @@ static int dss_add_child_component(struc + return 0; + } + ++static int dss_probe_hardware(void) ++{ ++ u32 rev; ++ int r; ++ ++ r = dss_runtime_get(); ++ if (r) ++ return r; ++ ++ dss.dss_clk_rate = clk_get_rate(dss.dss_clk); ++ ++ /* Select DPLL */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 0, 0); ++ ++ dss_select_dispc_clk_source(DSS_CLK_SRC_FCK); ++ ++#ifdef CONFIG_OMAP2_DSS_VENC ++ REG_FLD_MOD(DSS_CONTROL, 1, 4, 4); /* venc dac demen */ ++ REG_FLD_MOD(DSS_CONTROL, 1, 3, 3); /* venc clock 4x enable */ ++ REG_FLD_MOD(DSS_CONTROL, 0, 2, 2); /* venc clock mode = normal */ ++#endif ++ dss.dsi_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.dsi_clk_source[1] = DSS_CLK_SRC_FCK; ++ dss.dispc_clk_source = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[0] = DSS_CLK_SRC_FCK; ++ dss.lcd_clk_source[1] = DSS_CLK_SRC_FCK; ++ ++ rev = dss_read_reg(DSS_REVISION); ++ pr_info("OMAP DSS rev %d.%d\n", FLD_GET(rev, 7, 4), FLD_GET(rev, 3, 0)); ++ ++ dss_runtime_put(); ++ ++ return 0; ++} ++ + static int dss_probe(struct platform_device *pdev) + { + const struct soc_device_attribute *soc; + struct component_match *match = NULL; ++ struct resource *dss_mem; + int r; + + dss.pdev = pdev; +@@ -1451,20 +1405,69 @@ static int dss_probe(struct platform_dev + else + dss.feat = of_match_device(dss_of_match, &pdev->dev)->data; + +- r = dss_initialize_debugfs(); ++ /* Map I/O registers, get and setup clocks. */ ++ dss_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ dss.base = devm_ioremap_resource(&pdev->dev, dss_mem); ++ if (IS_ERR(dss.base)) ++ return PTR_ERR(dss.base); ++ ++ r = dss_get_clocks(); + if (r) + return r; + +- /* add all the child devices as components */ ++ r = dss_setup_default_clock(); ++ if (r) ++ goto err_put_clocks; ++ ++ /* Setup the video PLLs and the DPI and SDI ports. */ ++ r = dss_video_pll_probe(pdev); ++ if (r) ++ goto err_put_clocks; ++ ++ r = dss_init_ports(pdev); ++ if (r) ++ goto err_uninit_plls; ++ ++ /* Enable runtime PM and probe the hardware. */ ++ pm_runtime_enable(&pdev->dev); ++ ++ r = dss_probe_hardware(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ /* Initialize debugfs. */ ++ r = dss_initialize_debugfs(); ++ if (r) ++ goto err_pm_runtime_disable; ++ ++ dss_debugfs_create_file("dss", dss_dump_regs); ++ ++ /* Add all the child devices as components. */ + device_for_each_child(&pdev->dev, &match, dss_add_child_component); + + r = component_master_add_with_match(&pdev->dev, &dss_component_ops, match); +- if (r) { +- dss_uninitialize_debugfs(); +- return r; +- } ++ if (r) ++ goto err_uninit_debugfs; + + return 0; ++ ++err_uninit_debugfs: ++ dss_uninitialize_debugfs(); ++ ++err_pm_runtime_disable: ++ pm_runtime_disable(&pdev->dev); ++ dss_uninit_ports(pdev); ++ ++err_uninit_plls: ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++err_put_clocks: ++ dss_put_clocks(); ++ ++ return r; + } + + static int dss_remove(struct platform_device *pdev) +@@ -1473,6 +1476,18 @@ static int dss_remove(struct platform_de + + dss_uninitialize_debugfs(); + ++ pm_runtime_disable(&pdev->dev); ++ ++ dss_uninit_ports(pdev); ++ ++ if (dss.video1_pll) ++ dss_video_pll_uninit(dss.video1_pll); ++ ++ if (dss.video2_pll) ++ dss_video_pll_uninit(dss.video2_pll); ++ ++ dss_put_clocks(); ++ + return 0; + } + diff --git a/queue-4.14/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch b/queue-4.14/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch new file mode 100644 index 00000000000..53e291e980a --- /dev/null +++ b/queue-4.14/drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eric Anholt +Date: Fri, 9 Mar 2018 15:33:32 -0800 +Subject: drm/panel: simple: Fix the bus format for the Ontat panel + +From: Eric Anholt + +[ Upstream commit 5651e5e094591f479adad5830ac1bc45196a39b3 ] + +This fixes bad color output. When I was first testing the device I +had the DPI hardware set to 666 mode, but apparently in the refactor +to use the bus_format information from the panel driver, I failed to +actually update the panel. + +Signed-off-by: Eric Anholt +Fixes: e8b6f561b2ee ("drm/panel: simple: Add the 7" DPI panel from Adafruit") +Cc: Thierry Reding +Signed-off-by: Thierry Reding +Link: https://patchwork.freedesktop.org/patch/msgid/20180309233332.1769-1-eric@anholt.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/panel/panel-simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/panel/panel-simple.c ++++ b/drivers/gpu/drm/panel/panel-simple.c +@@ -1561,7 +1561,7 @@ static const struct panel_desc ontat_yx7 + .width = 154, + .height = 83, + }, +- .bus_format = MEDIA_BUS_FMT_RGB888_1X24, ++ .bus_format = MEDIA_BUS_FMT_RGB666_1X18, + }; + + static const struct drm_display_mode ortustech_com43h4m85ulc_mode = { diff --git a/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch b/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch new file mode 100644 index 00000000000..1de29baa976 --- /dev/null +++ b/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:05 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 + +From: Sergei Shtylyov + +[ Upstream commit 8525d04ba8a6a9ecfa4bd619c988ca873a5fc2a4 ] + +According to the latest revision 2.00 of the R-Car Gen2 manual, the LVDS +and the bias circuit must be enabled after the LVDS I/O pins are +enabled, not before. Fix the Gen2 LVDS startup sequence accordingly. + +While at it, also fix the comment preceding the first LVDCR0 write that +still talks about hardcoding the LVDS mode 0. + +Fixes: 90374b5c25c9 ("drm/rcar-du: Add internal LVDS encoder support") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -59,11 +59,8 @@ static void rcar_du_lvdsenc_start_gen2(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + +- /* +- * Select the input, hardcode mode 0, enable LVDS operation and turn +- * bias circuitry on. +- */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_BEN | LVDCR0_LVEN; ++ /* Select the input and set the LVDS mode. */ ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; + if (rcrtc->index == 2) + lvdcr0 |= LVDCR0_DUSEL; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); +@@ -74,6 +71,10 @@ static void rcar_du_lvdsenc_start_gen2(s + LVDCR1_CHSTBY_GEN2(1) | LVDCR1_CHSTBY_GEN2(0) | + LVDCR1_CLKSTBY_GEN2); + ++ /* Enable LVDS operation and turn bias circuitry on. */ ++ lvdcr0 |= LVDCR0_BEN | LVDCR0_LVEN; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* + * Turn the PLL on, wait for the startup delay, and turn the output + * on. diff --git a/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch b/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch new file mode 100644 index 00000000000..afa46f68396 --- /dev/null +++ b/queue-4.14/drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sergei Shtylyov +Date: Fri, 12 Jan 2018 23:12:04 +0300 +Subject: drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3 + +From: Sergei Shtylyov + +[ Upstream commit 796ceb9269626afaed3b4955c40d2c3d7a8c5d01 ] + +According to the latest revisions of the R-Car Gen3 manual, the LVDS mode +must be set before the LVDS I/O pins are enabled, not after -- fix the +Gen3 LVDS startup sequence accordingly. + +Fixes: e947eccbeba4 ("drm: rcar-du: Add support for LVDS mode selection") +Signed-off-by: Sergei Shtylyov +Reviewed-by: Laurent Pinchart +[Updated comment in rcar_du_lvdsenc_start_gen3()] +[Moved Gen2 startup comment update to separate commit] +[Fixed =| typo] +Tested-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c ++++ b/drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c +@@ -95,7 +95,7 @@ static void rcar_du_lvdsenc_start_gen3(s + u32 lvdcr0; + u32 pllcr; + +- /* PLL clock configuration */ ++ /* Set the PLL clock configuration and LVDS mode. */ + if (freq < 42000) + pllcr = LVDPLLCR_PLLDIVCNT_42M; + else if (freq < 85000) +@@ -107,6 +107,9 @@ static void rcar_du_lvdsenc_start_gen3(s + + rcar_lvds_write(lvds, LVDPLLCR, pllcr); + ++ lvdcr0 = lvds->mode << LVDCR0_LVMD_SHIFT; ++ rcar_lvds_write(lvds, LVDCR0, lvdcr0); ++ + /* Turn all the channels on. */ + rcar_lvds_write(lvds, LVDCR1, + LVDCR1_CHSTBY_GEN3(3) | LVDCR1_CHSTBY_GEN3(2) | +@@ -117,7 +120,7 @@ static void rcar_du_lvdsenc_start_gen3(s + * Turn the PLL on, set it to LVDS normal mode, wait for the startup + * delay and turn the output on. + */ +- lvdcr0 = (lvds->mode << LVDCR0_LVMD_SHIFT) | LVDCR0_PLLON; ++ lvdcr0 |= LVDCR0_PLLON; + rcar_lvds_write(lvds, LVDCR0, lvdcr0); + + lvdcr0 |= LVDCR0_PWD; diff --git a/queue-4.14/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch b/queue-4.14/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch new file mode 100644 index 00000000000..9c84c7c9aa4 --- /dev/null +++ b/queue-4.14/drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Ørjan Eide" +Date: Tue, 30 Jan 2018 21:28:33 +0100 +Subject: drm/rockchip: Respect page offset for PRIME mmap calls + +From: "Ørjan Eide" + +[ Upstream commit 57de50af162b67612da99207b061ade3239e57db ] + +When mapping external DMA-bufs through the PRIME mmap call, we might be +given an offset which has to be respected. However for the internal DRM +GEM mmap path, we have to ignore the fake mmap offset used to identify +the buffer only. Currently the code always zeroes out vma->vm_pgoff, +which breaks the former. + +This patch fixes the problem by moving the vm_pgoff assignment to a +function that is used only for GEM mmap path, so that the PRIME path +retains the original offset. + +Cc: Daniel Kurtz +Signed-off-by: Ørjan Eide +Signed-off-by: Tomasz Figa +Signed-off-by: Sean Paul +Signed-off-by: Thierry Escande +Tested-by: Heiko Stuebner +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20180130202913.28724-4-thierry.escande@collabora.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/rockchip/rockchip_drm_gem.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_gem.c +@@ -262,7 +262,6 @@ static int rockchip_drm_gem_object_mmap( + * VM_PFNMAP flag that was set by drm_gem_mmap_obj()/drm_gem_mmap(). + */ + vma->vm_flags &= ~VM_PFNMAP; +- vma->vm_pgoff = 0; + + if (rk_obj->pages) + ret = rockchip_drm_gem_object_mmap_iommu(obj, vma); +@@ -297,6 +296,12 @@ int rockchip_gem_mmap(struct file *filp, + if (ret) + return ret; + ++ /* ++ * Set vm_pgoff (used as a fake buffer offset by DRM) to 0 and map the ++ * whole buffer from the start. ++ */ ++ vma->vm_pgoff = 0; ++ + obj = vma->vm_private_data; + + return rockchip_drm_gem_object_mmap(obj, vma); diff --git a/queue-4.14/drm-sun4i-fix-dclk_set_phase.patch b/queue-4.14/drm-sun4i-fix-dclk_set_phase.patch new file mode 100644 index 00000000000..d38f0f0a8de --- /dev/null +++ b/queue-4.14/drm-sun4i-fix-dclk_set_phase.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Giulio Benetti +Date: Wed, 28 Feb 2018 17:46:53 +0100 +Subject: drm/sun4i: Fix dclk_set_phase + +From: Giulio Benetti + +[ Upstream commit e64b6afa98f3629d0c0c46233bbdbe8acdb56f06 ] + +Phase value is not shifted before writing. + +Shift left of 28 bits to fit right bits + +Signed-off-by: Giulio Benetti +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/1519836413-35023-1-git-send-email-giulio.benetti@micronovasrl.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sun4i/sun4i_dotclock.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/sun4i/sun4i_dotclock.c ++++ b/drivers/gpu/drm/sun4i/sun4i_dotclock.c +@@ -129,10 +129,13 @@ static int sun4i_dclk_get_phase(struct c + static int sun4i_dclk_set_phase(struct clk_hw *hw, int degrees) + { + struct sun4i_dclk *dclk = hw_to_dclk(hw); ++ u32 val = degrees / 120; ++ ++ val <<= 28; + + regmap_update_bits(dclk->regmap, SUN4I_TCON0_IO_POL_REG, + GENMASK(29, 28), +- degrees / 120); ++ val); + + return 0; + } diff --git a/queue-4.14/drm-tegra-shutdown-on-driver-unbind.patch b/queue-4.14/drm-tegra-shutdown-on-driver-unbind.patch new file mode 100644 index 00000000000..e7ce74349e8 --- /dev/null +++ b/queue-4.14/drm-tegra-shutdown-on-driver-unbind.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thierry Reding +Date: Sun, 18 Mar 2018 01:13:39 +0100 +Subject: drm/tegra: Shutdown on driver unbind + +From: Thierry Reding + +[ Upstream commit 192b4af6cd28cdad9b42fd79c21a90a2aeb0bec7 ] + +Since commit 846c7dfc1193 ("drm/atomic: Try to preserve the crtc enabled +state in drm_atomic_remove_fb, v2."), removing the last framebuffer will +no longer disable the corresponding pipeline, which causes the KMS core +to complain about leaked connectors on driver unbind. + +Fix this by calling drm_atomic_helper_shutdown() on driver unbind, which +will cause all display pipelines to be shut down and therefore drop the +extra references on the connectors. + +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tegra/drm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/tegra/drm.c ++++ b/drivers/gpu/drm/tegra/drm.c +@@ -250,6 +250,7 @@ static void tegra_drm_unload(struct drm_ + + drm_kms_helper_poll_fini(drm); + tegra_drm_fb_exit(drm); ++ drm_atomic_helper_shutdown(drm); + drm_mode_config_cleanup(drm); + + err = host1x_device_exit(device); diff --git a/queue-4.14/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch b/queue-4.14/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch new file mode 100644 index 00000000000..43d5bbb4180 --- /dev/null +++ b/queue-4.14/drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch @@ -0,0 +1,91 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Hellstrom +Date: Thu, 22 Mar 2018 10:35:18 +0100 +Subject: drm/vmwgfx: Unpin the screen object backup buffer when not used + +From: Thomas Hellstrom + +[ Upstream commit 20fb5a635a0c8478ac98f15cfafc2ea83df29565 ] + +We were relying on the pinned screen object backup buffer to be destroyed +when not used. But if we hold a copy of the atomic state, like when +hibernating, the backup buffer might not be destroyed since it's +refcounted by the atomic state. This causes us to hibernate with a +buffer pinned in VRAM. + +Fix this by only having the buffer pinned when it is actually used by a +screen object. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Sinclair Yeh +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +@@ -453,7 +453,11 @@ vmw_sou_primary_plane_cleanup_fb(struct + struct drm_plane_state *old_state) + { + struct vmw_plane_state *vps = vmw_plane_state_to_vps(old_state); ++ struct drm_crtc *crtc = plane->state->crtc ? ++ plane->state->crtc : old_state->crtc; + ++ if (vps->dmabuf) ++ vmw_dmabuf_unpin(vmw_priv(crtc->dev), vps->dmabuf, false); + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; + +@@ -491,10 +495,17 @@ vmw_sou_primary_plane_prepare_fb(struct + } + + size = new_state->crtc_w * new_state->crtc_h * 4; ++ dev_priv = vmw_priv(crtc->dev); + + if (vps->dmabuf) { +- if (vps->dmabuf_size == size) +- return 0; ++ if (vps->dmabuf_size == size) { ++ /* ++ * Note that this might temporarily up the pin-count ++ * to 2, until cleanup_fb() is called. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, ++ true); ++ } + + vmw_dmabuf_unreference(&vps->dmabuf); + vps->dmabuf_size = 0; +@@ -504,7 +515,6 @@ vmw_sou_primary_plane_prepare_fb(struct + if (!vps->dmabuf) + return -ENOMEM; + +- dev_priv = vmw_priv(crtc->dev); + vmw_svga_enable(dev_priv); + + /* After we have alloced the backing store might not be able to +@@ -515,13 +525,16 @@ vmw_sou_primary_plane_prepare_fb(struct + &vmw_vram_ne_placement, + false, &vmw_dmabuf_bo_free); + vmw_overlay_resume_all(dev_priv); +- +- if (ret != 0) ++ if (ret) { + vps->dmabuf = NULL; /* vmw_dmabuf_init frees on error */ +- else +- vps->dmabuf_size = size; ++ return ret; ++ } + +- return ret; ++ /* ++ * TTM already thinks the buffer is pinned, but make sure the ++ * pin_count is upped. ++ */ ++ return vmw_dmabuf_pin_in_vram(dev_priv, vps->dmabuf, true); + } + + diff --git a/queue-4.14/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch b/queue-4.14/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch new file mode 100644 index 00000000000..fbbfa6c65d1 --- /dev/null +++ b/queue-4.14/dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Icenowy Zheng +Date: Fri, 16 Mar 2018 22:02:12 +0800 +Subject: dt-bindings: add device tree binding for Allwinner H6 main CCU + +From: Icenowy Zheng + +[ Upstream commit 2e08e4d2ff488424919d69dd211ac860a019ac1d ] + +The Allwinner H6 main CCU uses the internal oscillator of the SoC, which +is different with old SoCs' main CCU. + +Add device tree binding for the Allwinner H6 main CCU. + +Signed-off-by: Icenowy Zheng +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/clock/sunxi-ccu.txt | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/Documentation/devicetree/bindings/clock/sunxi-ccu.txt ++++ b/Documentation/devicetree/bindings/clock/sunxi-ccu.txt +@@ -20,6 +20,7 @@ Required properties : + - "allwinner,sun50i-a64-ccu" + - "allwinner,sun50i-a64-r-ccu" + - "allwinner,sun50i-h5-ccu" ++ - "allwinner,sun50i-h6-ccu" + - "nextthing,gr8-ccu" + + - reg: Must contain the registers base address and length +@@ -31,6 +32,9 @@ Required properties : + - #clock-cells : must contain 1 + - #reset-cells : must contain 1 + ++For the main CCU on H6, one more clock is needed: ++- "iosc": the SoC's internal frequency oscillator ++ + For the PRCM CCUs on A83T/H3/A64, two more clocks are needed: + - "pll-periph": the SoC's peripheral PLL from the main CCU + - "iosc": the SoC's internal frequency oscillator diff --git a/queue-4.14/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch b/queue-4.14/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch new file mode 100644 index 00000000000..d761573d241 --- /dev/null +++ b/queue-4.14/e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch @@ -0,0 +1,85 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Pierre-Yves Kerbrat +Date: Fri, 26 Jan 2018 11:24:12 +0100 +Subject: e1000e: allocate ring descriptors with dma_zalloc_coherent + +From: Pierre-Yves Kerbrat + +[ Upstream commit aea3fca005fb45f80869f2e8d56fd4e64c1d1fdb ] + +Descriptor rings were not initialized at zero when allocated +When area contained garbage data, it caused skb_over_panic in +e1000_clean_rx_irq (if data had E1000_RXD_STAT_DD bit set) + +This patch makes use of dma_zalloc_coherent to make sure the +ring is memset at 0 to prevent the area from containing garbage. + +Following is the signature of the panic: +IODDR0@0.0: skbuff: skb_over_panic: text:80407b20 len:64010 put:64010 head:ab46d800 data:ab46d842 tail:0xab47d24c end:0xab46df40 dev:eth0 +IODDR0@0.0: BUG: failure at net/core/skbuff.c:105/skb_panic()! +IODDR0@0.0: Kernel panic - not syncing: BUG! +IODDR0@0.0: +IODDR0@0.0: Process swapper/0 (pid: 0, threadinfo=81728000, task=8173cc00 ,cpu: 0) +IODDR0@0.0: SP = <815a1c0c> +IODDR0@0.0: Stack: 00000001 +IODDR0@0.0: b2d89800 815e33ac +IODDR0@0.0: ea73c040 00000001 +IODDR0@0.0: 60040003 0000fa0a +IODDR0@0.0: 00000002 +IODDR0@0.0: +IODDR0@0.0: 804540c0 815a1c70 +IODDR0@0.0: b2744000 602ac070 +IODDR0@0.0: 815a1c44 b2d89800 +IODDR0@0.0: 8173cc00 815a1c08 +IODDR0@0.0: +IODDR0@0.0: 00000006 +IODDR0@0.0: 815a1b50 00000000 +IODDR0@0.0: 80079434 00000001 +IODDR0@0.0: ab46df40 b2744000 +IODDR0@0.0: b2d89800 +IODDR0@0.0: +IODDR0@0.0: 0000fa0a 8045745c +IODDR0@0.0: 815a1c88 0000fa0a +IODDR0@0.0: 80407b20 b2789f80 +IODDR0@0.0: 00000005 80407b20 +IODDR0@0.0: +IODDR0@0.0: +IODDR0@0.0: Call Trace: +IODDR0@0.0: [<804540bc>] skb_panic+0xa4/0xa8 +IODDR0@0.0: [<80079430>] console_unlock+0x2f8/0x6d0 +IODDR0@0.0: [<80457458>] skb_put+0xa0/0xc0 +IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 +IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 +IODDR0@0.0: [<804079c8>] e1000_clean_rx_irq+0x188/0x3e8 +IODDR0@0.0: [<80407b1c>] e1000_clean_rx_irq+0x2dc/0x3e8 +IODDR0@0.0: [<80468b48>] __dev_kfree_skb_any+0x88/0xa8 +IODDR0@0.0: [<804101ac>] e1000e_poll+0x94/0x288 +IODDR0@0.0: [<8046e9d4>] net_rx_action+0x19c/0x4e8 +IODDR0@0.0: ... +IODDR0@0.0: Maximum depth to print reached. Use kstack= To specify a custom value (where 0 means to display the full backtrace) +IODDR0@0.0: ---[ end Kernel panic - not syncing: BUG! + +Signed-off-by: Pierre-Yves Kerbrat +Signed-off-by: Marius Gligor +Tested-by: Aaron Brown +Reviewed-by: Alexander Duyck +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -2329,8 +2329,8 @@ static int e1000_alloc_ring_dma(struct e + { + struct pci_dev *pdev = adapter->pdev; + +- ring->desc = dma_alloc_coherent(&pdev->dev, ring->size, &ring->dma, +- GFP_KERNEL); ++ ring->desc = dma_zalloc_coherent(&pdev->dev, ring->size, &ring->dma, ++ GFP_KERNEL); + if (!ring->desc) + return -ENOMEM; + diff --git a/queue-4.14/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch b/queue-4.14/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch new file mode 100644 index 00000000000..01e031a56c8 --- /dev/null +++ b/queue-4.14/e1000e-fix-check_for_link-return-value-with-autoneg-off.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Benjamin Poirier +Date: Tue, 20 Feb 2018 15:12:00 +0900 +Subject: e1000e: Fix check_for_link return value with autoneg off + +From: Benjamin Poirier + +[ Upstream commit 4e7dc08e57c95673d2edaba8983c3de4dd1f65f5 ] + +When autoneg is off, the .check_for_link callback functions clear the +get_link_status flag and systematically return a "pseudo-error". This means +that the link is not detected as up until the next execution of the +e1000_watchdog_task() 2 seconds later. + +Fixes: 19110cfbb34d ("e1000e: Separate signaling for link check/link up") +Signed-off-by: Benjamin Poirier +Acked-by: Sasha Neftin +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/ich8lan.c | 2 +- + drivers/net/ethernet/intel/e1000e/mac.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/ich8lan.c ++++ b/drivers/net/ethernet/intel/e1000e/ich8lan.c +@@ -1602,7 +1602,7 @@ static s32 e1000_check_for_copper_link_i + * we have already determined whether we have link or not. + */ + if (!mac->autoneg) +- return -E1000_ERR_CONFIG; ++ return 1; + + /* Auto-Neg is enabled. Auto Speed Detection takes care + * of MAC speed/duplex configuration. So we only need to +--- a/drivers/net/ethernet/intel/e1000e/mac.c ++++ b/drivers/net/ethernet/intel/e1000e/mac.c +@@ -450,7 +450,7 @@ s32 e1000e_check_for_copper_link(struct + * we have already determined whether we have link or not. + */ + if (!mac->autoneg) +- return -E1000_ERR_CONFIG; ++ return 1; + + /* Auto-Neg is enabled. Auto Speed Detection takes care + * of MAC speed/duplex configuration. So we only need to diff --git a/queue-4.14/efi-arm-only-register-page-tables-when-they-exist.patch b/queue-4.14/efi-arm-only-register-page-tables-when-they-exist.patch new file mode 100644 index 00000000000..d7fbdadbbca --- /dev/null +++ b/queue-4.14/efi-arm-only-register-page-tables-when-they-exist.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mark Rutland +Date: Thu, 8 Mar 2018 08:00:09 +0000 +Subject: efi/arm*: Only register page tables when they exist + +From: Mark Rutland + +[ Upstream commit 6b31a2fa1e8f7bc6c2a474b4a12dad7a145cf83d ] + +Currently the arm/arm64 runtime code registers the runtime servies +pagetables with ptdump regardless of whether runtime services page +tables have been created. + +As efi_mm.pgd is NULL in these cases, attempting to dump the efi page +tables results in a NULL pointer dereference in the ptdump code: + +/sys/kernel/debug# cat efi_page_tables +[ 479.522600] Unable to handle kernel NULL pointer dereference at virtual address 00000000 +[ 479.522715] Mem abort info: +[ 479.522764] ESR = 0x96000006 +[ 479.522850] Exception class = DABT (current EL), IL = 32 bits +[ 479.522899] SET = 0, FnV = 0 +[ 479.522937] EA = 0, S1PTW = 0 +[ 479.528200] Data abort info: +[ 479.528230] ISV = 0, ISS = 0x00000006 +[ 479.528317] CM = 0, WnR = 0 +[ 479.528317] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000064ab0cb0 +[ 479.528449] [0000000000000000] *pgd=00000000fbbe4003, *pud=00000000fb66e003, *pmd=0000000000000000 +[ 479.528600] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 479.528664] Modules linked in: +[ 479.528699] CPU: 0 PID: 2457 Comm: cat Not tainted 4.15.0-rc3-00065-g2ad2ee7ecb5c-dirty #7 +[ 479.528799] Hardware name: FVP Base (DT) +[ 479.528899] pstate: 00400009 (nzcv daif +PAN -UAO) +[ 479.528941] pc : walk_pgd.isra.1+0x20/0x1d0 +[ 479.529011] lr : ptdump_walk_pgd+0x30/0x50 +[ 479.529105] sp : ffff00000bf4bc20 +[ 479.529185] x29: ffff00000bf4bc20 x28: 0000ffff9d22e000 +[ 479.529271] x27: 0000000000020000 x26: ffff80007b4c63c0 +[ 479.529358] x25: 00000000014000c0 x24: ffff80007c098900 +[ 479.529445] x23: ffff00000bf4beb8 x22: 0000000000000000 +[ 479.529532] x21: ffff00000bf4bd70 x20: 0000000000000001 +[ 479.529618] x19: ffff00000bf4bcb0 x18: 0000000000000000 +[ 479.529760] x17: 000000000041a1c8 x16: ffff0000082139d8 +[ 479.529800] x15: 0000ffff9d3c6030 x14: 0000ffff9d2527f4 +[ 479.529924] x13: 00000000000003f3 x12: 0000000000000038 +[ 479.530000] x11: 0000000000000003 x10: 0101010101010101 +[ 479.530099] x9 : 0000000017e94050 x8 : 000000000000003f +[ 479.530226] x7 : 0000000000000000 x6 : 0000000000000000 +[ 479.530313] x5 : 0000000000000001 x4 : 0000000000000000 +[ 479.530416] x3 : ffff000009069fd8 x2 : 0000000000000000 +[ 479.530500] x1 : 0000000000000000 x0 : 0000000000000000 +[ 479.530599] Process cat (pid: 2457, stack limit = 0x000000005d1b0e6f) +[ 479.530660] Call trace: +[ 479.530746] walk_pgd.isra.1+0x20/0x1d0 +[ 479.530833] ptdump_walk_pgd+0x30/0x50 +[ 479.530907] ptdump_show+0x10/0x20 +[ 479.530920] seq_read+0xc8/0x470 +[ 479.531023] full_proxy_read+0x60/0x90 +[ 479.531100] __vfs_read+0x18/0x100 +[ 479.531180] vfs_read+0x88/0x160 +[ 479.531267] SyS_read+0x48/0xb0 +[ 479.531299] el0_svc_naked+0x20/0x24 +[ 479.531400] Code: 91400420 f90033a0 a90707a2 f9403fa0 (f9400000) +[ 479.531499] ---[ end trace bfe8e28d8acb2b67 ]--- +Segmentation fault + +Let's avoid this problem by only registering the tables after their +successful creation, which is also less confusing when EFI runtime +services are not in use. + +Reported-by: Will Deacon +Signed-off-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Matt Fleming +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20180308080020.22828-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/arm-runtime.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/firmware/efi/arm-runtime.c ++++ b/drivers/firmware/efi/arm-runtime.c +@@ -54,6 +54,9 @@ static struct ptdump_info efi_ptdump_inf + + static int __init ptdump_init(void) + { ++ if (!efi_enabled(EFI_RUNTIME_SERVICES)) ++ return 0; ++ + return ptdump_debugfs_register(&efi_ptdump_info, "efi_page_tables"); + } + device_initcall(ptdump_init); diff --git a/queue-4.14/enic-enable-rq-before-updating-rq-descriptors.patch b/queue-4.14/enic-enable-rq-before-updating-rq-descriptors.patch new file mode 100644 index 00000000000..58e4a047d6a --- /dev/null +++ b/queue-4.14/enic-enable-rq-before-updating-rq-descriptors.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Govindarajulu Varadarajan +Date: Thu, 1 Mar 2018 11:07:23 -0800 +Subject: enic: enable rq before updating rq descriptors + +From: Govindarajulu Varadarajan + +[ Upstream commit e8588e268509292550634d9a35f2723a207683b2 ] + +rq should be enabled before posting the buffers to rq desc. If not hw sees +stale value and casuses DMAR errors. + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1897,6 +1897,8 @@ static int enic_open(struct net_device * + } + + for (i = 0; i < enic->rq_count; i++) { ++ /* enable rq before updating rq desc */ ++ vnic_rq_enable(&enic->rq[i]); + vnic_rq_fill(&enic->rq[i], enic_rq_alloc_buf); + /* Need at least one buffer on ring to get going */ + if (vnic_rq_desc_used(&enic->rq[i]) == 0) { +@@ -1908,8 +1910,6 @@ static int enic_open(struct net_device * + + for (i = 0; i < enic->wq_count; i++) + vnic_wq_enable(&enic->wq[i]); +- for (i = 0; i < enic->rq_count; i++) +- vnic_rq_enable(&enic->rq[i]); + + if (!enic_is_dynamic(enic) && !enic_is_sriov_vf(enic)) + enic_dev_add_station_addr(enic); +@@ -1935,8 +1935,12 @@ static int enic_open(struct net_device * + return 0; + + err_out_free_rq: +- for (i = 0; i < enic->rq_count; i++) ++ for (i = 0; i < enic->rq_count; i++) { ++ err = vnic_rq_disable(&enic->rq[i]); ++ if (err) ++ return err; + vnic_rq_clean(&enic->rq[i], enic_free_rq_buf); ++ } + enic_dev_notify_unset(enic); + err_out_free_intr: + enic_unset_affinity_hint(enic); diff --git a/queue-4.14/ext4-don-t-complain-about-incorrect-features-when-probing.patch b/queue-4.14/ext4-don-t-complain-about-incorrect-features-when-probing.patch new file mode 100644 index 00000000000..2495c55eb40 --- /dev/null +++ b/queue-4.14/ext4-don-t-complain-about-incorrect-features-when-probing.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eric Sandeen +Date: Thu, 22 Mar 2018 11:59:00 -0400 +Subject: ext4: don't complain about incorrect features when probing + +From: Eric Sandeen + +[ Upstream commit 0d9366d67bcf066b028e57d09c9a86ce879bcc28 ] + +If mount is auto-probing for filesystem type, it will try various +filesystems in order, with the MS_SILENT flag set. We get +that flag as the silent arg to ext4_fill_super. + +If we're probing (silent==1) then don't complain about feature +incompatibilities that are found if it looks like it's actually +a different valid extN type - failed probes should be silent +in this case. + +If the on-disk features are unknown even to ext4, then complain. + +Reported-by: Joakim Tjernlund +Tested-by: Joakim Tjernlund +Signed-off-by: Eric Sandeen +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3663,6 +3663,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext2 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext[34] filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext2 due " + "to feature incompatibilities"); + goto failed_mount; +@@ -3674,6 +3680,12 @@ static int ext4_fill_super(struct super_ + ext4_msg(sb, KERN_INFO, "mounting ext3 file system " + "using the ext4 subsystem"); + else { ++ /* ++ * If we're probing be silent, if this looks like ++ * it's actually an ext4 filesystem. ++ */ ++ if (silent && ext4_feature_set_ok(sb, sb_rdonly(sb))) ++ goto failed_mount; + ext4_msg(sb, KERN_ERR, "couldn't mount as ext3 due " + "to feature incompatibilities"); + goto failed_mount; diff --git a/queue-4.14/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch b/queue-4.14/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch new file mode 100644 index 00000000000..7112458c395 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chao Yu +Date: Sat, 27 Jan 2018 17:29:49 +0800 +Subject: f2fs: fix to check extent cache in f2fs_drop_extent_tree + +From: Chao Yu + +[ Upstream commit bf617f7a92edc6bb2909db2bfa4576f50b280ee5 ] + +If noextent_cache mount option is on, we will never initialize extent tree +in inode, but still we're going to access it in f2fs_drop_extent_tree, +result in kernel panic as below: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 + IP: _raw_write_lock+0xc/0x30 + Call Trace: + ? f2fs_drop_extent_tree+0x41/0x70 [f2fs] + f2fs_fallocate+0x5a0/0xdd0 [f2fs] + ? common_file_perm+0x47/0xc0 + ? apparmor_file_permission+0x1a/0x20 + vfs_fallocate+0x15b/0x290 + SyS_fallocate+0x44/0x70 + do_syscall_64+0x6e/0x160 + entry_SYSCALL64_slow_path+0x25/0x25 + +This patch fixes to check extent cache status before using in +f2fs_drop_extent_tree. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/extent_cache.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/extent_cache.c ++++ b/fs/f2fs/extent_cache.c +@@ -706,6 +706,9 @@ void f2fs_drop_extent_tree(struct inode + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct extent_tree *et = F2FS_I(inode)->extent_tree; + ++ if (!f2fs_may_extent_tree(inode)) ++ return; ++ + set_inode_flag(inode, FI_NO_EXTENT); + + write_lock(&et->lock); diff --git a/queue-4.14/f2fs-fix-to-clear-cp_trimmed_flag.patch b/queue-4.14/f2fs-fix-to-clear-cp_trimmed_flag.patch new file mode 100644 index 00000000000..2433a1f5038 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-clear-cp_trimmed_flag.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chao Yu +Date: Wed, 31 Jan 2018 09:30:34 +0800 +Subject: f2fs: fix to clear CP_TRIMMED_FLAG + +From: Chao Yu + +[ Upstream commit cd36d7a17f9da68be9aa67185ba3ad7969934a19 ] + +Once CP_TRIMMED_FLAG is set, after a reboot, we will never issue discard +before LBA becomes invalid again, fix it by clearing the flag in +checkpoint without CP_TRIMMED reason. + +Fixes: 1f43e2ad7bff ("f2fs: introduce CP_TRIMMED_FLAG to avoid unneeded discard") +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -1108,6 +1108,8 @@ static void update_ckpt_flags(struct f2f + + if (cpc->reason & CP_TRIMMED) + __set_ckpt_flags(ckpt, CP_TRIMMED_FLAG); ++ else ++ __clear_ckpt_flags(ckpt, CP_TRIMMED_FLAG); + + if (cpc->reason & CP_UMOUNT) + __set_ckpt_flags(ckpt, CP_UMOUNT_FLAG); diff --git a/queue-4.14/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch b/queue-4.14/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch new file mode 100644 index 00000000000..5e79d99e7b9 --- /dev/null +++ b/queue-4.14/f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chao Yu +Date: Sun, 25 Feb 2018 23:38:21 +0800 +Subject: f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range + +From: Chao Yu + +[ Upstream commit 17cd07ae95073c298af92c1ba14ac58ce84de33b ] + +As Jayashree Mohan reported: + +A simple workload to reproduce this would be : +1. create foo +2. Write (8K - 16K) // foo size = 16K now +3. fsync() +4. falloc zero_range , keep_size (4202496 - 4210688) // foo size must be 16K +5. fdatasync() +Crash now + +On recovery, we see that the file size is 4210688 and not 16K, which +violates the semantics of keep_size flag. We have a test case to +reproduce this using CrashMonkey on 4.15 kernel. Try this out by +simply running : + ./c_harness -f /dev/sda -d /dev/cow_ram0 -t f2fs -e 102400 -P -v + tests/generic_468_zero.so + +The root cause is that we miss to set KEEP_SIZE bit correctly in zero_range +when zeroing block cross EOF with FALLOC_FL_KEEP_SIZE, let's fix this +missing case. + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1321,8 +1321,12 @@ static int f2fs_zero_range(struct inode + } + + out: +- if (!(mode & FALLOC_FL_KEEP_SIZE) && i_size_read(inode) < new_size) +- f2fs_i_size_write(inode, new_size); ++ if (new_size > i_size_read(inode)) { ++ if (mode & FALLOC_FL_KEEP_SIZE) ++ file_set_keep_isize(inode); ++ else ++ f2fs_i_size_write(inode, new_size); ++ } + out_sem: + up_write(&F2FS_I(inode)->i_mmap_sem); + diff --git a/queue-4.14/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch b/queue-4.14/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch new file mode 100644 index 00000000000..b4137c1be18 --- /dev/null +++ b/queue-4.14/fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Peter Malone +Date: Wed, 7 Mar 2018 14:00:34 +0100 +Subject: fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper(). + +From: Peter Malone + +[ Upstream commit 250c6c49e3b68756b14983c076183568636e2bde ] + +Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in +sbusfb_ioctl_helper(). + +'index' is defined as an int in sbusfb_ioctl_helper(). +We retrieve this from the user: +if (get_user(index, &c->index) || + __get_user(count, &c->count) || + __get_user(ured, &c->red) || + __get_user(ugreen, &c->green) || + __get_user(ublue, &c->blue)) + return -EFAULT; + +and then we use 'index' in the following way: +red = cmap->red[index + i] >> 8; +green = cmap->green[index + i] >> 8; +blue = cmap->blue[index + i] >> 8; + +This is a classic information leak vulnerability. 'index' should be +an unsigned int, given its usage above. + +This patch is straight-forward; it changes 'index' to unsigned int +in two switch-cases: FBIOGETCMAP_SPARC && FBIOPUTCMAP_SPARC. + +This patch fixes CVE-2018-6412. + +Signed-off-by: Peter Malone +Acked-by: Mathieu Malaterre +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/sbuslib.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/sbuslib.c ++++ b/drivers/video/fbdev/sbuslib.c +@@ -122,7 +122,7 @@ int sbusfb_ioctl_helper(unsigned long cm + unsigned char __user *ured; + unsigned char __user *ugreen; + unsigned char __user *ublue; +- int index, count, i; ++ unsigned int index, count, i; + + if (get_user(index, &c->index) || + __get_user(count, &c->count) || +@@ -161,7 +161,7 @@ int sbusfb_ioctl_helper(unsigned long cm + unsigned char __user *ugreen; + unsigned char __user *ublue; + struct fb_cmap *cmap = &info->cmap; +- int index, count, i; ++ unsigned int index, count, i; + u8 red, green, blue; + + if (get_user(index, &c->index) || diff --git a/queue-4.14/firmware-dmi_scan-fix-uuid-length-safety-check.patch b/queue-4.14/firmware-dmi_scan-fix-uuid-length-safety-check.patch new file mode 100644 index 00000000000..33035e0d3e4 --- /dev/null +++ b/queue-4.14/firmware-dmi_scan-fix-uuid-length-safety-check.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jean Delvare +Date: Fri, 13 Apr 2018 15:37:59 +0200 +Subject: firmware: dmi_scan: Fix UUID length safety check + +From: Jean Delvare + +[ Upstream commit 90fe6f8ff00a07641ca893d64f75ca22ce77cca2 ] + +The test which ensures that the DMI type 1 structure is long enough +to hold the UUID is off by one. It would fail if the structure is +exactly 24 bytes long, while that's sufficient to hold the UUID. + +I don't expect this bug to cause problem in practice because all +implementations I have seen had length 8, 25 or 27 bytes, in line +with the SMBIOS specifications. But let's fix it still. + +Signed-off-by: Jean Delvare +Fixes: a814c3597a6b ("firmware: dmi_scan: Check DMI structure length") +Reviewed-by: Mika Westerberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/dmi_scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/dmi_scan.c ++++ b/drivers/firmware/dmi_scan.c +@@ -191,7 +191,7 @@ static void __init dmi_save_uuid(const s + char *s; + int is_ff = 1, is_00 = 1, i; + +- if (dmi_ident[slot] || dm->length <= index + 16) ++ if (dmi_ident[slot] || dm->length < index + 16) + return; + + d = (u8 *) dm + index; diff --git a/queue-4.14/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch b/queue-4.14/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch new file mode 100644 index 00000000000..1cb9ca3d768 --- /dev/null +++ b/queue-4.14/force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Carlos Maiolino +Date: Tue, 10 Apr 2018 22:39:04 -0700 +Subject: Force log to disk before reading the AGF during a fstrim + +From: Carlos Maiolino + +[ Upstream commit 8c81dd46ef3c416b3b95e3020fb90dbd44e6140b ] + +Forcing the log to disk after reading the agf is wrong, we might be +calling xfs_log_force with XFS_LOG_SYNC with a metadata lock held. + +This can cause a deadlock when racing a fstrim with a filesystem +shutdown. + +The deadlock has been identified due a miscalculation bug in device-mapper +dm-thin, which returns lack of space to its users earlier than the device itself +really runs out of space, changing the device-mapper volume into an error state. + +The problem happened while filling the filesystem with a single file, +triggering the bug in device-mapper, consequently causing an IO error +and shutting down the filesystem. + +If such file is removed, and fstrim executed before the XFS finishes the +shut down process, the fstrim process will end up holding the buffer +lock, and going to sleep on the cil wait queue. + +At this point, the shut down process will try to wake up all the threads +waiting on the cil wait queue, but for this, it will try to hold the +same buffer log already held my the fstrim, locking up the filesystem. + +Signed-off-by: Carlos Maiolino +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/xfs/xfs_discard.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/xfs/xfs_discard.c ++++ b/fs/xfs/xfs_discard.c +@@ -50,19 +50,19 @@ xfs_trim_extents( + + pag = xfs_perag_get(mp, agno); + +- error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); +- if (error || !agbp) +- goto out_put_perag; +- +- cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); +- + /* + * Force out the log. This means any transactions that might have freed +- * space before we took the AGF buffer lock are now on disk, and the ++ * space before we take the AGF buffer lock are now on disk, and the + * volatile disk cache is flushed. + */ + xfs_log_force(mp, XFS_LOG_SYNC); + ++ error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); ++ if (error || !agbp) ++ goto out_put_perag; ++ ++ cur = xfs_allocbt_init_cursor(mp, NULL, agbp, agno, XFS_BTNUM_CNT); ++ + /* + * Look up the longest btree in the AGF and start with it. + */ diff --git a/queue-4.14/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch b/queue-4.14/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch new file mode 100644 index 00000000000..72d950d7847 --- /dev/null +++ b/queue-4.14/fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch @@ -0,0 +1,83 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Will Deacon +Date: Mon, 19 Feb 2018 14:55:54 +0000 +Subject: fs: dcache: Avoid livelock between d_alloc_parallel and __d_add + +From: Will Deacon + +[ Upstream commit 015555fd4d2930bc0c86952c46ad88b3392f66e4 ] + +If d_alloc_parallel runs concurrently with __d_add, it is possible for +d_alloc_parallel to continuously retry whilst i_dir_seq has been +incremented to an odd value by __d_add: + +CPU0: +__d_add + n = start_dir_add(dir); + cmpxchg(&dir->i_dir_seq, n, n + 1) == n + +CPU1: +d_alloc_parallel +retry: + seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1; + hlist_bl_lock(b); + bit_spin_lock(0, (unsigned long *)b); // Always succeeds + +CPU0: + __d_lookup_done(dentry) + hlist_bl_lock + bit_spin_lock(0, (unsigned long *)b); // Never succeeds + +CPU1: + if (unlikely(parent->d_inode->i_dir_seq != seq)) { + hlist_bl_unlock(b); + goto retry; + } + +Since the simple bit_spin_lock used to implement hlist_bl_lock does not +provide any fairness guarantees, then CPU1 can starve CPU0 of the lock +and prevent it from reaching end_dir_add(dir), therefore CPU1 cannot +exit its retry loop because the sequence number always has the bottom +bit set. + +This patch resolves the livelock by not taking hlist_bl_lock in +d_alloc_parallel if the sequence counter is odd, since any subsequent +masked comparison with i_dir_seq will fail anyway. + +Cc: Peter Zijlstra +Cc: Al Viro +Reported-by: Naresh Madhusudana +Acked-by: Peter Zijlstra (Intel) +Reviewed-by: Matthew Wilcox +Signed-off-by: Will Deacon +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2482,7 +2482,7 @@ struct dentry *d_alloc_parallel(struct d + + retry: + rcu_read_lock(); +- seq = smp_load_acquire(&parent->d_inode->i_dir_seq) & ~1; ++ seq = smp_load_acquire(&parent->d_inode->i_dir_seq); + r_seq = read_seqbegin(&rename_lock); + dentry = __d_lookup_rcu(parent, name, &d_seq); + if (unlikely(dentry)) { +@@ -2503,6 +2503,12 @@ retry: + rcu_read_unlock(); + goto retry; + } ++ ++ if (unlikely(seq & 1)) { ++ rcu_read_unlock(); ++ goto retry; ++ } ++ + hlist_bl_lock(b); + if (unlikely(parent->d_inode->i_dir_seq != seq)) { + hlist_bl_unlock(b); diff --git a/queue-4.14/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch b/queue-4.14/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch new file mode 100644 index 00000000000..dbffe1578a9 --- /dev/null +++ b/queue-4.14/fs-dcache-use-read_once-when-accessing-i_dir_seq.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Will Deacon +Date: Mon, 19 Feb 2018 14:55:55 +0000 +Subject: fs: dcache: Use READ_ONCE when accessing i_dir_seq + +From: Will Deacon + +[ Upstream commit 8cc07c808c9d595e81cbe5aad419b7769eb2e5c9 ] + +i_dir_seq is subject to concurrent modification by a cmpxchg or +store-release operation, so ensure that the relaxed access in +d_alloc_parallel uses READ_ONCE. + +Reported-by: Peter Zijlstra +Signed-off-by: Will Deacon +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -2510,7 +2510,7 @@ retry: + } + + hlist_bl_lock(b); +- if (unlikely(parent->d_inode->i_dir_seq != seq)) { ++ if (unlikely(READ_ONCE(parent->d_inode->i_dir_seq) != seq)) { + hlist_bl_unlock(b); + rcu_read_unlock(); + goto retry; diff --git a/queue-4.14/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch b/queue-4.14/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch new file mode 100644 index 00000000000..1dd7f82a77d --- /dev/null +++ b/queue-4.14/fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Danilo Krummrich +Date: Tue, 10 Apr 2018 16:31:38 -0700 +Subject: fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table + +From: Danilo Krummrich + +[ Upstream commit a0b0d1c345d0317efe594df268feb5ccc99f651e ] + +proc_sys_link_fill_cache() does not take currently unregistering sysctl +tables into account, which might result into a page fault in +sysctl_follow_link() - add a check to fix it. + +This bug has been present since v3.4. + +Link: http://lkml.kernel.org/r/20180228013506.4915-1-danilokrummrich@dk-develop.de +Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") +Signed-off-by: Danilo Krummrich +Acked-by: Kees Cook +Reviewed-by: Andrew Morton +Cc: "Luis R . Rodriguez" +Cc: "Eric W. Biederman" +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/proc_sysctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(str + struct ctl_table *table) + { + bool ret = true; ++ + head = sysctl_head_grab(head); ++ if (IS_ERR(head)) ++ return false; + + if (S_ISLNK(table->mode)) { + /* It is not an error if we can not follow the link ignore it */ diff --git a/queue-4.14/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch b/queue-4.14/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch new file mode 100644 index 00000000000..58a2027be71 --- /dev/null +++ b/queue-4.14/fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Howells +Date: Wed, 4 Apr 2018 13:41:26 +0100 +Subject: fscache: Fix hanging wait on page discarded by writeback + +From: David Howells + +[ Upstream commit 2c98425720233ae3e135add0c7e869b32913502f ] + +If the fscache asynchronous write operation elects to discard a page that's +pending storage to the cache because the page would be over the store limit +then it needs to wake the page as someone may be waiting on completion of +the write. + +The problem is that the store limit may be updated by a different +asynchronous operation - and so may miss the write - and that the store +limit may not even get updated until later by the netfs. + +Fix the kernel hang by making fscache_write_op() mark as written any pages +that are over the limit. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/page.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/fs/fscache/page.c ++++ b/fs/fscache/page.c +@@ -776,6 +776,7 @@ static void fscache_write_op(struct fsca + + _enter("{OP%x,%d}", op->op.debug_id, atomic_read(&op->op.usage)); + ++again: + spin_lock(&object->lock); + cookie = object->cookie; + +@@ -816,10 +817,6 @@ static void fscache_write_op(struct fsca + goto superseded; + page = results[0]; + _debug("gang %d [%lx]", n, page->index); +- if (page->index >= op->store_limit) { +- fscache_stat(&fscache_n_store_pages_over_limit); +- goto superseded; +- } + + radix_tree_tag_set(&cookie->stores, page->index, + FSCACHE_COOKIE_STORING_TAG); +@@ -829,6 +826,9 @@ static void fscache_write_op(struct fsca + spin_unlock(&cookie->stores_lock); + spin_unlock(&object->lock); + ++ if (page->index >= op->store_limit) ++ goto discard_page; ++ + fscache_stat(&fscache_n_store_pages); + fscache_stat(&fscache_n_cop_write_page); + ret = object->cache->ops->write_page(op, page); +@@ -844,6 +844,11 @@ static void fscache_write_op(struct fsca + _leave(""); + return; + ++discard_page: ++ fscache_stat(&fscache_n_store_pages_over_limit); ++ fscache_end_page_write(object, page); ++ goto again; ++ + superseded: + /* this writer is going away and there aren't any more things to + * write */ diff --git a/queue-4.14/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch b/queue-4.14/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch new file mode 100644 index 00000000000..6a721b9e100 --- /dev/null +++ b/queue-4.14/fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Denis Kirjanov +Date: Sun, 4 Mar 2018 21:48:17 +0300 +Subject: fsl/fman: avoid sleeping in atomic context while adding an address + +From: Denis Kirjanov + +[ Upstream commit 803fafbe0cd522fa6b9e41ca3b96cfb2e2a2222d ] + +__dev_mc_add grabs an adress spinlock so use +atomic context in kmalloc. + +/ # ifconfig eth0 inet 192.168.0.111 +[ 89.331622] BUG: sleeping function called from invalid context at mm/slab.h:420 +[ 89.339002] in_atomic(): 1, irqs_disabled(): 0, pid: 1035, name: ifconfig +[ 89.345799] 2 locks held by ifconfig/1035: +[ 89.349908] #0: (rtnl_mutex){+.+.}, at: [<(ptrval)>] devinet_ioctl+0xc0/0x8a0 +[ 89.357258] #1: (_xmit_ETHER){+...}, at: [<(ptrval)>] __dev_mc_add+0x28/0x80 +[ 89.364520] CPU: 1 PID: 1035 Comm: ifconfig Not tainted 4.16.0-rc3-dirty #8 +[ 89.371464] Call Trace: +[ 89.373908] [e959db60] [c066f948] dump_stack+0xa4/0xfc (unreliable) +[ 89.380177] [e959db80] [c00671d8] ___might_sleep+0x248/0x280 +[ 89.385833] [e959dba0] [c01aec34] kmem_cache_alloc_trace+0x174/0x320 +[ 89.392179] [e959dbd0] [c04ab920] dtsec_add_hash_mac_address+0x130/0x240 +[ 89.398874] [e959dc00] [c04a9d74] set_multi+0x174/0x1b0 +[ 89.404093] [e959dc30] [c04afb68] dpaa_set_rx_mode+0x68/0xe0 +[ 89.409745] [e959dc40] [c057baf8] __dev_mc_add+0x58/0x80 +[ 89.415052] [e959dc60] [c060fd64] igmp_group_added+0x164/0x190 +[ 89.420878] [e959dca0] [c060ffa8] ip_mc_inc_group+0x218/0x460 +[ 89.426617] [e959dce0] [c06120fc] ip_mc_up+0x3c/0x190 +[ 89.431662] [e959dd10] [c0607270] inetdev_event+0x250/0x620 +[ 89.437227] [e959dd50] [c005f190] notifier_call_chain+0x80/0xf0 +[ 89.443138] [e959dd80] [c0573a74] __dev_notify_flags+0x54/0xf0 +[ 89.448964] [e959dda0] [c05743f8] dev_change_flags+0x48/0x60 +[ 89.454615] [e959ddc0] [c0606744] devinet_ioctl+0x544/0x8a0 +[ 89.460180] [e959de10] [c060987c] inet_ioctl+0x9c/0x1f0 +[ 89.465400] [e959de80] [c05479a8] sock_ioctl+0x168/0x460 +[ 89.470708] [e959ded0] [c01cf3ec] do_vfs_ioctl+0xac/0x8c0 +[ 89.476099] [e959df20] [c01cfc40] SyS_ioctl+0x40/0xc0 +[ 89.481147] [e959df40] [c0011318] ret_from_syscall+0x0/0x3c +[ 89.486715] --- interrupt: c01 at 0x1006943c +[ 89.486715] LR = 0x100c45ec + +Signed-off-by: Denis Kirjanov +Acked-by: Madalin Bucur +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fman/fman_dtsec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fman/fman_dtsec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_dtsec.c +@@ -1100,7 +1100,7 @@ int dtsec_add_hash_mac_address(struct fm + set_bucket(dtsec->regs, bucket, true); + + /* Create element to be added to the driver hash table */ +- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL); ++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC); + if (!hash_entry) + return -ENOMEM; + hash_entry->addr = addr; diff --git a/queue-4.14/gfs2-fix-fallocate-chunk-size.patch b/queue-4.14/gfs2-fix-fallocate-chunk-size.patch new file mode 100644 index 00000000000..e5ca29ce56d --- /dev/null +++ b/queue-4.14/gfs2-fix-fallocate-chunk-size.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andreas Gruenbacher +Date: Tue, 20 Feb 2018 08:03:24 -0700 +Subject: gfs2: Fix fallocate chunk size + +From: Andreas Gruenbacher + +[ Upstream commit 174d1232ebc84fcde8f5889d1171c9c7e74a10a7 ] + +The chunk size of allocations in __gfs2_fallocate is calculated +incorrectly. The size can collapse, causing __gfs2_fallocate to +allocate one block at a time, which is very inefficient. This needs +fixing in two places: + +In gfs2_quota_lock_check, always set ap->allowed to UINT_MAX to indicate +that there is no quota limit. This fixes callers that rely on +ap->allowed to be set even when quotas are off. + +In __gfs2_fallocate, reset max_blks to UINT_MAX in each iteration of the +loop to make sure that allocation limits from one resource group won't +spill over into another resource group. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/file.c | 5 +++-- + fs/gfs2/quota.h | 2 ++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -803,7 +803,7 @@ static long __gfs2_fallocate(struct file + struct gfs2_inode *ip = GFS2_I(inode); + struct gfs2_alloc_parms ap = { .aflags = 0, }; + unsigned int data_blocks = 0, ind_blocks = 0, rblocks; +- loff_t bytes, max_bytes, max_blks = UINT_MAX; ++ loff_t bytes, max_bytes, max_blks; + int error; + const loff_t pos = offset; + const loff_t count = len; +@@ -855,7 +855,8 @@ static long __gfs2_fallocate(struct file + return error; + /* ap.allowed tells us how many blocks quota will allow + * us to write. Check if this reduces max_blks */ +- if (ap.allowed && ap.allowed < max_blks) ++ max_blks = UINT_MAX; ++ if (ap.allowed) + max_blks = ap.allowed; + + error = gfs2_inplace_reserve(ip, &ap); +--- a/fs/gfs2/quota.h ++++ b/fs/gfs2/quota.h +@@ -45,6 +45,8 @@ static inline int gfs2_quota_lock_check( + { + struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode); + int ret; ++ ++ ap->allowed = UINT_MAX; /* Assume we are permitted a whole lot */ + if (sdp->sd_args.ar_quota == GFS2_QUOTA_OFF) + return 0; + ret = gfs2_quota_lock(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE); diff --git a/queue-4.14/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch b/queue-4.14/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch new file mode 100644 index 00000000000..ea6221e747d --- /dev/null +++ b/queue-4.14/gianfar-fix-rx-byte-accounting-for-ndev-stats.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Claudiu Manoil +Date: Tue, 27 Feb 2018 17:33:10 +0200 +Subject: gianfar: Fix Rx byte accounting for ndev stats + +From: Claudiu Manoil + +[ Upstream commit 590399ddf9561f2ed0839311c8ae1be21597ba68 ] + +Don't include in the Rx bytecount of the packet sent up the stack: +the FCB (frame control block), and the padding bytes inserted by +the controller into the frame payload, nor the FCS. All these are +being pulled out of the skb by gfar_process_frame(). +This issue is old, likely from the driver's beginnings, however +it was amplified by recent: +commit d903ec77118c ("gianfar: simplify FCS handling and fix memory leak") +which basically added the FCS to the Rx bytecount, and so brought +this to my attention. + +Signed-off-by: Claudiu Manoil +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/gianfar.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/freescale/gianfar.c ++++ b/drivers/net/ethernet/freescale/gianfar.c +@@ -3072,9 +3072,6 @@ static void gfar_process_frame(struct ne + if (ndev->features & NETIF_F_RXCSUM) + gfar_rx_checksum(skb, fcb); + +- /* Tell the skb what kind of packet this is */ +- skb->protocol = eth_type_trans(skb, ndev); +- + /* There's need to check for NETIF_F_HW_VLAN_CTAG_RX here. + * Even if vlan rx accel is disabled, on some chips + * RXFCB_VLN is pseudo randomly set. +@@ -3145,13 +3142,15 @@ int gfar_clean_rx_ring(struct gfar_priv_ + continue; + } + ++ gfar_process_frame(ndev, skb); ++ + /* Increment the number of packets */ + total_pkts++; + total_bytes += skb->len; + + skb_record_rx_queue(skb, rx_queue->qindex); + +- gfar_process_frame(ndev, skb); ++ skb->protocol = eth_type_trans(skb, ndev); + + /* Send the packet up the stack */ + napi_gro_receive(&rx_queue->grp->napi_rx, skb); diff --git a/queue-4.14/gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch b/queue-4.14/gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch new file mode 100644 index 00000000000..cc158e5c089 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tobias Jordan +Date: Thu, 15 Feb 2018 15:34:55 +0100 +Subject: gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle + +From: Tobias Jordan + +[ Upstream commit c795f3052b60b01e80485fad98c53e5e67d093c9 ] + +Before returning, call of_node_put() for the device node returned by +of_parse_phandle(). + +Fixes: d2a34232580a ("gpu: ipu-v3: add driver for Prefetch Resolve Engine") +Signed-off-by: Tobias Jordan +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/ipu-v3/ipu-pre.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/ipu-v3/ipu-pre.c ++++ b/drivers/gpu/ipu-v3/ipu-pre.c +@@ -125,11 +125,14 @@ ipu_pre_lookup_by_phandle(struct device + if (pre_node == pre->dev->of_node) { + mutex_unlock(&ipu_pre_list_mutex); + device_link_add(dev, pre->dev, DL_FLAG_AUTOREMOVE); ++ of_node_put(pre_node); + return pre; + } + } + mutex_unlock(&ipu_pre_list_mutex); + ++ of_node_put(pre_node); ++ + return NULL; + } + diff --git a/queue-4.14/gpu-ipu-v3-prg-avoid-possible-array-underflow.patch b/queue-4.14/gpu-ipu-v3-prg-avoid-possible-array-underflow.patch new file mode 100644 index 00000000000..107f26ea1d9 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-prg-avoid-possible-array-underflow.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arnd Bergmann +Date: Thu, 15 Mar 2018 17:19:57 +0100 +Subject: gpu: ipu-v3: prg: avoid possible array underflow + +From: Arnd Bergmann + +[ Upstream commit 746d024c3211813946b319411aeb2b47767f8fb0 ] + +gcc-8 reports that we access an array with a negative index +in an error case: + +drivers/gpu/ipu-v3/ipu-prg.c: In function 'ipu_prg_channel_disable': +drivers/gpu/ipu-v3/ipu-prg.c:252:43: error: array subscript -22 is below array bounds of 'struct ipu_prg_channel[3]' [-Werror=array-bounds] + +This moves the range check in front of the first time that +variable gets used. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/ipu-v3/ipu-prg.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/ipu-v3/ipu-prg.c ++++ b/drivers/gpu/ipu-v3/ipu-prg.c +@@ -252,10 +252,14 @@ void ipu_prg_channel_disable(struct ipuv + { + int prg_chan = ipu_prg_ipu_to_prg_chan(ipu_chan->num); + struct ipu_prg *prg = ipu_chan->ipu->prg_priv; +- struct ipu_prg_channel *chan = &prg->chan[prg_chan]; ++ struct ipu_prg_channel *chan; + u32 val; + +- if (!chan->enabled || prg_chan < 0) ++ if (prg_chan < 0) ++ return; ++ ++ chan = &prg->chan[prg_chan]; ++ if (!chan->enabled) + return; + + clk_prepare_enable(prg->clk_ipg); +@@ -282,13 +286,15 @@ int ipu_prg_channel_configure(struct ipu + { + int prg_chan = ipu_prg_ipu_to_prg_chan(ipu_chan->num); + struct ipu_prg *prg = ipu_chan->ipu->prg_priv; +- struct ipu_prg_channel *chan = &prg->chan[prg_chan]; ++ struct ipu_prg_channel *chan; + u32 val; + int ret; + + if (prg_chan < 0) + return prg_chan; + ++ chan = &prg->chan[prg_chan]; ++ + if (chan->enabled) { + ipu_pre_update(prg->pres[chan->used_pre], *eba); + return 0; diff --git a/queue-4.14/gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch b/queue-4.14/gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch new file mode 100644 index 00000000000..5bafecfedd3 --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tobias Jordan +Date: Thu, 15 Feb 2018 15:35:30 +0100 +Subject: gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle + +From: Tobias Jordan + +[ Upstream commit 3addaba8141bc6a4f649a48f46e552af32922147 ] + +Before returning, call of_node_put() for the device node returned by +of_parse_phandle(). + +Fixes: ea9c260514c1 ("gpu: ipu-v3: add driver for Prefetch Resolve Gasket") +Signed-off-by: Tobias Jordan +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/ipu-v3/ipu-prg.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/ipu-v3/ipu-prg.c ++++ b/drivers/gpu/ipu-v3/ipu-prg.c +@@ -101,11 +101,14 @@ ipu_prg_lookup_by_phandle(struct device + mutex_unlock(&ipu_prg_list_mutex); + device_link_add(dev, prg->dev, DL_FLAG_AUTOREMOVE); + prg->id = ipu_id; ++ of_node_put(prg_node); + return prg; + } + } + mutex_unlock(&ipu_prg_list_mutex); + ++ of_node_put(prg_node); ++ + return NULL; + } + diff --git a/queue-4.14/hv_netvsc-enable-multicast-if-necessary.patch b/queue-4.14/hv_netvsc-enable-multicast-if-necessary.patch new file mode 100644 index 00000000000..df199974195 --- /dev/null +++ b/queue-4.14/hv_netvsc-enable-multicast-if-necessary.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Tue, 27 Mar 2018 11:28:48 -0700 +Subject: hv_netvsc: enable multicast if necessary + +From: Stephen Hemminger + +[ Upstream commit f03dbb06dc380274e351ca4b1ee1587ed4529e62 ] + +My recent change to netvsc drive in how receive flags are handled +broke multicast. The Hyper-v/Azure virtual interface there is not a +multicast filter list, filtering is only all or none. The driver must +enable all multicast if any multicast address is present. + +Fixes: 009f766ca238 ("hv_netvsc: filter multicast/broadcast") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/rndis_filter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -856,7 +856,7 @@ static void rndis_set_multicast(struct w + if (flags & IFF_PROMISC) { + filter = NDIS_PACKET_TYPE_PROMISCUOUS; + } else { +- if (flags & IFF_ALLMULTI) ++ if (!netdev_mc_empty(rdev->ndev) || (flags & IFF_ALLMULTI)) + filter |= NDIS_PACKET_TYPE_ALL_MULTICAST; + if (flags & IFF_BROADCAST) + filter |= NDIS_PACKET_TYPE_BROADCAST; diff --git a/queue-4.14/hv_netvsc-filter-multicast-broadcast.patch b/queue-4.14/hv_netvsc-filter-multicast-broadcast.patch new file mode 100644 index 00000000000..da69572267b --- /dev/null +++ b/queue-4.14/hv_netvsc-filter-multicast-broadcast.patch @@ -0,0 +1,50 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Fri, 2 Mar 2018 13:49:08 -0800 +Subject: hv_netvsc: filter multicast/broadcast + +From: Stephen Hemminger + +[ Upstream commit 009f766ca2383d8788acd65c2c36c51bbfb19470 ] + +The netvsc driver was always enabling all multicast and broadcast +even if netdevice flag had not enabled it. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/rndis_filter.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -850,15 +850,19 @@ static void rndis_set_multicast(struct w + { + struct rndis_device *rdev + = container_of(w, struct rndis_device, mcast_work); ++ u32 filter = NDIS_PACKET_TYPE_DIRECTED; ++ unsigned int flags = rdev->ndev->flags; + +- if (rdev->ndev->flags & IFF_PROMISC) +- rndis_filter_set_packet_filter(rdev, +- NDIS_PACKET_TYPE_PROMISCUOUS); +- else +- rndis_filter_set_packet_filter(rdev, +- NDIS_PACKET_TYPE_BROADCAST | +- NDIS_PACKET_TYPE_ALL_MULTICAST | +- NDIS_PACKET_TYPE_DIRECTED); ++ if (flags & IFF_PROMISC) { ++ filter = NDIS_PACKET_TYPE_PROMISCUOUS; ++ } else { ++ if (flags & IFF_ALLMULTI) ++ flags |= NDIS_PACKET_TYPE_ALL_MULTICAST; ++ if (flags & IFF_BROADCAST) ++ flags |= NDIS_PACKET_TYPE_BROADCAST; ++ } ++ ++ rndis_filter_set_packet_filter(rdev, filter); + } + + void rndis_filter_update(struct netvsc_device *nvdev) diff --git a/queue-4.14/hv_netvsc-fix-filter-flags.patch b/queue-4.14/hv_netvsc-fix-filter-flags.patch new file mode 100644 index 00000000000..702cef38ab4 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-filter-flags.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Wed, 7 Mar 2018 13:49:09 -0800 +Subject: hv_netvsc: fix filter flags + +From: Stephen Hemminger + +[ Upstream commit de3d50aadd40bf68614db9fd157b275ce9c2d467 ] + +The recent change to not always enable all multicast and broadcast +was broken; meant to set filter, not change flags. + +Fixes: 009f766ca238 ("hv_netvsc: filter multicast/broadcast") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/rndis_filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -857,9 +857,9 @@ static void rndis_set_multicast(struct w + filter = NDIS_PACKET_TYPE_PROMISCUOUS; + } else { + if (flags & IFF_ALLMULTI) +- flags |= NDIS_PACKET_TYPE_ALL_MULTICAST; ++ filter |= NDIS_PACKET_TYPE_ALL_MULTICAST; + if (flags & IFF_BROADCAST) +- flags |= NDIS_PACKET_TYPE_BROADCAST; ++ filter |= NDIS_PACKET_TYPE_BROADCAST; + } + + rndis_filter_set_packet_filter(rdev, filter); diff --git a/queue-4.14/hv_netvsc-fix-locking-during-vf-setup.patch b/queue-4.14/hv_netvsc-fix-locking-during-vf-setup.patch new file mode 100644 index 00000000000..d158a95cb44 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-locking-during-vf-setup.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Wed, 7 Mar 2018 13:49:12 -0800 +Subject: hv_netvsc: fix locking during VF setup + +From: Stephen Hemminger + +[ Upstream commit b0dee7910317f41f398838992516af6a3b981d86 ] + +The dev_uc/mc_sync calls need to have the device address list +locked. This was spotted by running with lockdep enabled. + +Fixes: bee9d41b37ea ("hv_netvsc: propagate rx filters to VF") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -1848,8 +1848,12 @@ static void __netvsc_vf_setup(struct net + + /* set multicast etc flags on VF */ + dev_change_flags(vf_netdev, ndev->flags | IFF_SLAVE); ++ ++ /* sync address list from ndev to VF */ ++ netif_addr_lock_bh(ndev); + dev_uc_sync(vf_netdev, ndev); + dev_mc_sync(vf_netdev, ndev); ++ netif_addr_unlock_bh(ndev); + + if (netif_running(ndev)) { + ret = dev_open(vf_netdev); diff --git a/queue-4.14/hv_netvsc-fix-locking-for-rx_mode.patch b/queue-4.14/hv_netvsc-fix-locking-for-rx_mode.patch new file mode 100644 index 00000000000..fb018a4d3f4 --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-locking-for-rx_mode.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Wed, 7 Mar 2018 13:49:11 -0800 +Subject: hv_netvsc: fix locking for rx_mode + +From: Stephen Hemminger + +[ Upstream commit 35a57b7fef136fa3d5b735ba773f191b95110fa0 ] + +The rx_mode operation handler is different than other callbacks +in that is not always called with rtnl held. Therefore use +RCU to ensure that references are valid. + +Fixes: bee9d41b37ea ("hv_netvsc: propagate rx filters to VF") +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -89,15 +89,20 @@ static void netvsc_change_rx_flags(struc + static void netvsc_set_rx_mode(struct net_device *net) + { + struct net_device_context *ndev_ctx = netdev_priv(net); +- struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); +- struct netvsc_device *nvdev = rtnl_dereference(ndev_ctx->nvdev); ++ struct net_device *vf_netdev; ++ struct netvsc_device *nvdev; + ++ rcu_read_lock(); ++ vf_netdev = rcu_dereference(ndev_ctx->vf_netdev); + if (vf_netdev) { + dev_uc_sync(vf_netdev, net); + dev_mc_sync(vf_netdev, net); + } + +- rndis_filter_update(nvdev); ++ nvdev = rcu_dereference(ndev_ctx->nvdev); ++ if (nvdev) ++ rndis_filter_update(nvdev); ++ rcu_read_unlock(); + } + + static int netvsc_open(struct net_device *net) diff --git a/queue-4.14/hv_netvsc-propagate-rx-filters-to-vf.patch b/queue-4.14/hv_netvsc-propagate-rx-filters-to-vf.patch new file mode 100644 index 00000000000..34106cbce3f --- /dev/null +++ b/queue-4.14/hv_netvsc-propagate-rx-filters-to-vf.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Fri, 2 Mar 2018 13:49:09 -0800 +Subject: hv_netvsc: propagate rx filters to VF + +From: Stephen Hemminger + +[ Upstream commit bee9d41b37ea6b1f860e5bc0989cf1cf1d7e6ab3 ] + +The netvsc device should propagate filters to the SR-IOV VF +device (if present). The flags also need to be propagated to the +VF device as well. This only really matters on local Hyper-V +since Azure does not support multiple addresses. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc_drv.c | 40 ++++++++++++++++++++++++++++++++++++---- + 1 file changed, 36 insertions(+), 4 deletions(-) + +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -66,10 +66,36 @@ static int debug = -1; + module_param(debug, int, S_IRUGO); + MODULE_PARM_DESC(debug, "Debug level (0=none,...,16=all)"); + +-static void netvsc_set_multicast_list(struct net_device *net) ++static void netvsc_change_rx_flags(struct net_device *net, int change) + { +- struct net_device_context *net_device_ctx = netdev_priv(net); +- struct netvsc_device *nvdev = rtnl_dereference(net_device_ctx->nvdev); ++ struct net_device_context *ndev_ctx = netdev_priv(net); ++ struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); ++ int inc; ++ ++ if (!vf_netdev) ++ return; ++ ++ if (change & IFF_PROMISC) { ++ inc = (net->flags & IFF_PROMISC) ? 1 : -1; ++ dev_set_promiscuity(vf_netdev, inc); ++ } ++ ++ if (change & IFF_ALLMULTI) { ++ inc = (net->flags & IFF_ALLMULTI) ? 1 : -1; ++ dev_set_allmulti(vf_netdev, inc); ++ } ++} ++ ++static void netvsc_set_rx_mode(struct net_device *net) ++{ ++ struct net_device_context *ndev_ctx = netdev_priv(net); ++ struct net_device *vf_netdev = rtnl_dereference(ndev_ctx->vf_netdev); ++ struct netvsc_device *nvdev = rtnl_dereference(ndev_ctx->nvdev); ++ ++ if (vf_netdev) { ++ dev_uc_sync(vf_netdev, net); ++ dev_mc_sync(vf_netdev, net); ++ } + + rndis_filter_update(nvdev); + } +@@ -1582,7 +1608,8 @@ static const struct net_device_ops devic + .ndo_open = netvsc_open, + .ndo_stop = netvsc_close, + .ndo_start_xmit = netvsc_start_xmit, +- .ndo_set_rx_mode = netvsc_set_multicast_list, ++ .ndo_change_rx_flags = netvsc_change_rx_flags, ++ .ndo_set_rx_mode = netvsc_set_rx_mode, + .ndo_change_mtu = netvsc_change_mtu, + .ndo_validate_addr = eth_validate_addr, + .ndo_set_mac_address = netvsc_set_mac_addr, +@@ -1814,6 +1841,11 @@ static void __netvsc_vf_setup(struct net + netdev_warn(vf_netdev, + "unable to change mtu to %u\n", ndev->mtu); + ++ /* set multicast etc flags on VF */ ++ dev_change_flags(vf_netdev, ndev->flags | IFF_SLAVE); ++ dev_uc_sync(vf_netdev, ndev); ++ dev_mc_sync(vf_netdev, ndev); ++ + if (netif_running(ndev)) { + ret = dev_open(vf_netdev); + if (ret) diff --git a/queue-4.14/hv_netvsc-use-napi_schedule_irqoff.patch b/queue-4.14/hv_netvsc-use-napi_schedule_irqoff.patch new file mode 100644 index 00000000000..b4c3d01d1b1 --- /dev/null +++ b/queue-4.14/hv_netvsc-use-napi_schedule_irqoff.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephen Hemminger +Date: Fri, 2 Mar 2018 13:49:06 -0800 +Subject: hv_netvsc: use napi_schedule_irqoff + +From: Stephen Hemminger + +[ Upstream commit 68633edaef655ce94e51088ecef5dd4e1d2f6f34 ] + +Since the netvsc_channel_cb is already called in interrupt +context from vmbus, there is no need to do irqsave/restore. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -1261,7 +1261,7 @@ void netvsc_channel_cb(void *context) + /* disable interupts from host */ + hv_begin_read(rbi); + +- __napi_schedule(&nvchan->napi); ++ __napi_schedule_irqoff(&nvchan->napi); + } + } + diff --git a/queue-4.14/hwmon-nct6775-fix-writing-pwmx_mode.patch b/queue-4.14/hwmon-nct6775-fix-writing-pwmx_mode.patch new file mode 100644 index 00000000000..4a184bb052d --- /dev/null +++ b/queue-4.14/hwmon-nct6775-fix-writing-pwmx_mode.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Guenter Roeck +Date: Mon, 26 Mar 2018 19:50:31 -0700 +Subject: hwmon: (nct6775) Fix writing pwmX_mode + +From: Guenter Roeck + +[ Upstream commit 415eb2a1aaa4881cf85bd86c683356fdd8094a23 ] + +pwmX_mode is defined in the ABI as 0=DC mode, 1=pwm mode. The chip +register bit is set to 1 for DC mode. This got mixed up, and writing +1 into pwmX_mode resulted in DC mode enabled. Fix it up by using +the ABI definition throughout the driver for consistency. + +Fixes: 77eb5b3703d99 ("hwmon: (nct6775) Add support for pwm, pwm_mode, ... ") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/nct6775.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -1469,7 +1469,7 @@ static void nct6775_update_pwm(struct de + duty_is_dc = data->REG_PWM_MODE[i] && + (nct6775_read_value(data, data->REG_PWM_MODE[i]) + & data->PWM_MODE_MASK[i]); +- data->pwm_mode[i] = duty_is_dc; ++ data->pwm_mode[i] = !duty_is_dc; + + fanmodecfg = nct6775_read_value(data, data->REG_FAN_MODE[i]); + for (j = 0; j < ARRAY_SIZE(data->REG_PWM); j++) { +@@ -2350,7 +2350,7 @@ show_pwm_mode(struct device *dev, struct + struct nct6775_data *data = nct6775_update_device(dev); + struct sensor_device_attribute *sattr = to_sensor_dev_attr(attr); + +- return sprintf(buf, "%d\n", !data->pwm_mode[sattr->index]); ++ return sprintf(buf, "%d\n", data->pwm_mode[sattr->index]); + } + + static ssize_t +@@ -2371,9 +2371,9 @@ store_pwm_mode(struct device *dev, struc + if (val > 1) + return -EINVAL; + +- /* Setting DC mode is not supported for all chips/channels */ ++ /* Setting DC mode (0) is not supported for all chips/channels */ + if (data->REG_PWM_MODE[nr] == 0) { +- if (val) ++ if (!val) + return -EINVAL; + return count; + } +@@ -2382,7 +2382,7 @@ store_pwm_mode(struct device *dev, struc + data->pwm_mode[nr] = val; + reg = nct6775_read_value(data, data->REG_PWM_MODE[nr]); + reg &= ~data->PWM_MODE_MASK[nr]; +- if (val) ++ if (!val) + reg |= data->PWM_MODE_MASK[nr]; + nct6775_write_value(data, data->REG_PWM_MODE[nr], reg); + mutex_unlock(&data->update_lock); diff --git a/queue-4.14/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch b/queue-4.14/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..dbfb2d9c4c3 --- /dev/null +++ b/queue-4.14/hwmon-pmbus-adm1275-accept-negative-page-register-values.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:55:47 -0800 +Subject: hwmon: (pmbus/adm1275) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit ecb29abd4cb0670c616fb563a078f25d777ce530 ] + +A negative page register value means that no page needs to be +selected. This is used by status register read operations and needs +to be accepted. The failure to do so so results in missed status +and limit registers. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/adm1275.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/pmbus/adm1275.c ++++ b/drivers/hwmon/pmbus/adm1275.c +@@ -154,7 +154,7 @@ static int adm1275_read_word_data(struct + const struct adm1275_data *data = to_adm1275_data(info); + int ret = 0; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { +@@ -240,7 +240,7 @@ static int adm1275_write_word_data(struc + const struct adm1275_data *data = to_adm1275_data(info); + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.14/hwmon-pmbus-max8688-accept-negative-page-register-values.patch b/queue-4.14/hwmon-pmbus-max8688-accept-negative-page-register-values.patch new file mode 100644 index 00000000000..d415c414ca1 --- /dev/null +++ b/queue-4.14/hwmon-pmbus-max8688-accept-negative-page-register-values.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Guenter Roeck +Date: Sat, 10 Mar 2018 17:49:47 -0800 +Subject: hwmon: (pmbus/max8688) Accept negative page register values + +From: Guenter Roeck + +[ Upstream commit a46f8cd696624ef757be0311eb28f119c36778e8 ] + +A negative page register value means that no page needs to be +selected. This is used by status register evaluations and needs +to be accepted. + +Fixes: da8e48ab483e1 ("hwmon: (pmbus) Always call _pmbus_read_byte in core driver") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/pmbus/max8688.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/pmbus/max8688.c ++++ b/drivers/hwmon/pmbus/max8688.c +@@ -45,7 +45,7 @@ static int max8688_read_word_data(struct + { + int ret; + +- if (page) ++ if (page > 0) + return -ENXIO; + + switch (reg) { diff --git a/queue-4.14/hwrng-stm32-add-reset-during-probe.patch b/queue-4.14/hwrng-stm32-add-reset-during-probe.patch new file mode 100644 index 00000000000..536d6f85b79 --- /dev/null +++ b/queue-4.14/hwrng-stm32-add-reset-during-probe.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "lionel.debieve@st.com" +Date: Thu, 15 Feb 2018 14:03:08 +0100 +Subject: hwrng: stm32 - add reset during probe + +From: "lionel.debieve@st.com" + +[ Upstream commit 326ed382256475aa4b8b7eae8a2f60689fd25e78 ] + +Avoid issue when probing the RNG without +reset if bad status has been detected previously + +Signed-off-by: Lionel Debieve +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/hw_random/stm32-rng.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/char/hw_random/stm32-rng.c ++++ b/drivers/char/hw_random/stm32-rng.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #define RNG_CR 0x00 +@@ -46,6 +47,7 @@ struct stm32_rng_private { + struct hwrng rng; + void __iomem *base; + struct clk *clk; ++ struct reset_control *rst; + }; + + static int stm32_rng_read(struct hwrng *rng, void *data, size_t max, bool wait) +@@ -140,6 +142,13 @@ static int stm32_rng_probe(struct platfo + if (IS_ERR(priv->clk)) + return PTR_ERR(priv->clk); + ++ priv->rst = devm_reset_control_get(&ofdev->dev, NULL); ++ if (!IS_ERR(priv->rst)) { ++ reset_control_assert(priv->rst); ++ udelay(2); ++ reset_control_deassert(priv->rst); ++ } ++ + dev_set_drvdata(dev, priv); + + priv->rng.name = dev_driver_string(dev), diff --git a/queue-4.14/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch b/queue-4.14/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch new file mode 100644 index 00000000000..a059ad00be3 --- /dev/null +++ b/queue-4.14/i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Javier Martinez Canillas +Date: Sun, 3 Dec 2017 22:40:50 +0100 +Subject: i2c: core: report OF style module alias for devices registered via OF + +From: Javier Martinez Canillas + +[ Upstream commit af503716ac1444db61d80cb6d17cfe62929c21df ] + +The buses should honor the firmware interface used to register the device, +but the I2C core reports a MODALIAS of the form i2c: even for I2C +devices registered via OF. + +This means that user-space will never get an OF stype uevent MODALIAS even +when the drivers modules contain aliases exported from both the I2C and OF +device ID tables. For example, an Atmel maXTouch Touchscreen registered by +a DT node with compatible "atmel,maxtouch" has the following module alias: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +i2c:maxtouch + +So udev won't be able to auto-load a module for an OF-only device driver. +Many OF-only drivers duplicate the OF device ID table entries in an I2C ID +table only has a workaround for how the I2C core reports the module alias. + +This patch changes the I2C core to report an OF related MODALIAS uevent if +the device was registered via OF. So for the previous example, after this +patch, the reported MODALIAS for the Atmel maXTouch will be the following: + +$ cat /sys/class/i2c-adapter/i2c-8/8-004b/modalias +of:NtrackpadTCatmel,maxtouch + +NOTE: This patch may break out-of-tree drivers that were relying on this + behavior, and only had an I2C device ID table even when the device + was registered via OF. There are no remaining drivers in mainline + that do this, but out-of-tree drivers have to be fixed and define + a proper OF device ID table to have module auto-loading working. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Dmitry Mastykin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/i2c-core-base.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/i2c/i2c-core-base.c ++++ b/drivers/i2c/i2c-core-base.c +@@ -123,6 +123,10 @@ static int i2c_device_uevent(struct devi + struct i2c_client *client = to_i2c_client(dev); + int rc; + ++ rc = of_device_uevent_modalias(dev, env); ++ if (rc != -ENODEV) ++ return rc; ++ + rc = acpi_device_uevent_modalias(dev, env); + if (rc != -ENODEV) + return rc; +@@ -472,6 +476,10 @@ show_modalias(struct device *dev, struct + struct i2c_client *client = to_i2c_client(dev); + int len; + ++ len = of_device_modalias(dev, buf, PAGE_SIZE); ++ if (len != -ENODEV) ++ return len; ++ + len = acpi_device_modalias(dev, buf, PAGE_SIZE -1); + if (len != -ENODEV) + return len; diff --git a/queue-4.14/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch b/queue-4.14/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch new file mode 100644 index 00000000000..4e085c0f63d --- /dev/null +++ b/queue-4.14/i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Gregory CLEMENT +Date: Wed, 14 Mar 2018 18:03:40 +0100 +Subject: i2c: mv64xxx: Apply errata delay only in standard mode + +From: Gregory CLEMENT + +[ Upstream commit 31184d8c6ea49ea0676d100cdd7e1f102ad025b5 ] + +The errata FE-8471889 description has been updated. There is still a +timing violation for repeated start. But the errata now states that it +was only the case for the Standard mode (100 kHz), in Fast mode (400 kHz) +there is no issue. + +This patch limit the errata fix to the Standard mode. + +It has been tesed successfully on the clearfog (Aramda 388 based board). + +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-mv64xxx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-mv64xxx.c ++++ b/drivers/i2c/busses/i2c-mv64xxx.c +@@ -844,12 +844,16 @@ mv64xxx_of_config(struct mv64xxx_i2c_dat + */ + if (of_device_is_compatible(np, "marvell,mv78230-i2c")) { + drv_data->offload_enabled = true; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "marvell,mv78230-a0-i2c")) { + drv_data->offload_enabled = false; +- drv_data->errata_delay = true; ++ /* The delay is only needed in standard mode (100kHz) */ ++ if (bus_freq <= 100000) ++ drv_data->errata_delay = true; + } + + if (of_device_is_compatible(np, "allwinner,sun6i-a31-i2c")) diff --git a/queue-4.14/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch b/queue-4.14/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch new file mode 100644 index 00000000000..8e514c5400c --- /dev/null +++ b/queue-4.14/i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Filip Sadowski +Date: Fri, 29 Dec 2017 08:50:05 -0500 +Subject: i40e: Add delay after EMP reset for firmware to recover + +From: Filip Sadowski + +[ Upstream commit 1fa51a650e1deb50410677f1bd6c0ce17aa48a49 ] + +This patch adds necessary delay for 4.33 firmware to recover after +EMP reset. Without this patch driver occasionally reinitializes +structures too quickly to communicate with firmware after EMP reset +causing AdminQ to timeout. + +Signed-off-by: Filip Sadowski +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -7196,6 +7196,17 @@ static void i40e_rebuild(struct i40e_pf + } + i40e_get_oem_version(&pf->hw); + ++ if (test_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state) && ++ ((hw->aq.fw_maj_ver == 4 && hw->aq.fw_min_ver <= 33) || ++ hw->aq.fw_maj_ver < 4) && hw->mac.type == I40E_MAC_XL710) { ++ /* The following delay is necessary for 4.33 firmware and older ++ * to recover after EMP reset. 200 ms should suffice but we ++ * put here 300 ms to be sure that FW is ready to operate ++ * after reset. ++ */ ++ mdelay(300); ++ } ++ + /* re-verify the eeprom if we just had an EMP reset */ + if (test_and_clear_bit(__I40E_EMP_RESET_INTR_RECEIVED, pf->state)) + i40e_verify_eeprom(pf); diff --git a/queue-4.14/ia64-err-inject-use-get_user_pages_fast.patch b/queue-4.14/ia64-err-inject-use-get_user_pages_fast.patch new file mode 100644 index 00000000000..b06c79071f3 --- /dev/null +++ b/queue-4.14/ia64-err-inject-use-get_user_pages_fast.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davidlohr Bueso +Date: Mon, 22 Jan 2018 09:21:37 -0800 +Subject: ia64/err-inject: Use get_user_pages_fast() + +From: Davidlohr Bueso + +[ Upstream commit 69c907022a7d9325cdc5c9dd064571e445df9a47 ] + +At the point of sysfs callback, the call to gup is +done without mmap_sem (or any lock for that matter). +This is racy. As such, use the get_user_pages_fast() +alternative and safely avoid taking the lock, if possible. + +Signed-off-by: Davidlohr Bueso +Signed-off-by: Tony Luck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/kernel/err_inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/ia64/kernel/err_inject.c ++++ b/arch/ia64/kernel/err_inject.c +@@ -142,7 +142,7 @@ store_virtual_to_phys(struct device *dev + u64 virt_addr=simple_strtoull(buf, NULL, 16); + int ret; + +- ret = get_user_pages(virt_addr, 1, FOLL_WRITE, NULL, NULL); ++ ret = get_user_pages_fast(virt_addr, 1, FOLL_WRITE, NULL); + if (ret<=0) { + #ifdef ERR_INJ_DEBUG + printk("Virtual address %lx is not existing.\n",virt_addr); diff --git a/queue-4.14/ib-core-fix-possible-crash-to-access-null-netdev.patch b/queue-4.14/ib-core-fix-possible-crash-to-access-null-netdev.patch new file mode 100644 index 00000000000..0de6ad51097 --- /dev/null +++ b/queue-4.14/ib-core-fix-possible-crash-to-access-null-netdev.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Parav Pandit +Date: Wed, 7 Mar 2018 08:07:41 +0200 +Subject: IB/core: Fix possible crash to access NULL netdev + +From: Parav Pandit + +[ Upstream commit bb7f8f199c354c4cf155b1d6d55f86eaaed7fa5a ] + +resolved_dev returned might be NULL as ifindex is transient number. +Ignoring NULL check of resolved_dev might crash the kernel. +Therefore perform NULL check before accessing resolved_dev. + +Additionally rdma_resolve_ip_route() invokes addr_resolve() which +performs check and address translation for loopback ifindex. +Therefore, checking it again in rdma_resolve_ip_route() is not helpful. +Therefore, the code is simplified to avoid IFF_LOOPBACK check. + +Fixes: 200298326b27 ("IB/core: Validate route when we init ah") +Reviewed-by: Daniel Jurgens +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/sa_query.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/sa_query.c ++++ b/drivers/infiniband/core/sa_query.c +@@ -1291,10 +1291,9 @@ int ib_init_ah_from_path(struct ib_devic + + resolved_dev = dev_get_by_index(dev_addr.net, + dev_addr.bound_dev_if); +- if (resolved_dev->flags & IFF_LOOPBACK) { +- dev_put(resolved_dev); +- resolved_dev = idev; +- dev_hold(resolved_dev); ++ if (!resolved_dev) { ++ dev_put(idev); ++ return -ENODEV; + } + ndev = ib_get_ndev_from_path(rec); + rcu_read_lock(); diff --git a/queue-4.14/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch b/queue-4.14/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch new file mode 100644 index 00000000000..2b4c8e12a91 --- /dev/null +++ b/queue-4.14/ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch @@ -0,0 +1,61 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Parav Pandit +Date: Tue, 13 Mar 2018 16:06:14 +0200 +Subject: IB/core: Honor port_num while resolving GID for IB link layer + +From: Parav Pandit + +[ Upstream commit 563c4ba3bd2b8b0b21c65669ec2226b1cfa1138b ] + +ah_attr contains the port number to which cm_id is bound. However, while +searching for GID table for matching GID entry, the port number is +ignored. + +This could cause the wrong GID to be used when the ah_attr is converted to +an AH. + +Reviewed-by: Daniel Jurgens +Signed-off-by: Parav Pandit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/multicast.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/drivers/infiniband/core/multicast.c ++++ b/drivers/infiniband/core/multicast.c +@@ -724,21 +724,19 @@ int ib_init_ah_from_mcmember(struct ib_d + { + int ret; + u16 gid_index; +- u8 p; + +- if (rdma_protocol_roce(device, port_num)) { +- ret = ib_find_cached_gid_by_port(device, &rec->port_gid, +- gid_type, port_num, +- ndev, +- &gid_index); +- } else if (rdma_protocol_ib(device, port_num)) { +- ret = ib_find_cached_gid(device, &rec->port_gid, +- IB_GID_TYPE_IB, NULL, &p, +- &gid_index); +- } else { +- ret = -EINVAL; +- } ++ /* GID table is not based on the netdevice for IB link layer, ++ * so ignore ndev during search. ++ */ ++ if (rdma_protocol_ib(device, port_num)) ++ ndev = NULL; ++ else if (!rdma_protocol_roce(device, port_num)) ++ return -EINVAL; + ++ ret = ib_find_cached_gid_by_port(device, &rec->port_gid, ++ gid_type, port_num, ++ ndev, ++ &gid_index); + if (ret) + return ret; + diff --git a/queue-4.14/ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch b/queue-4.14/ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch new file mode 100644 index 00000000000..6e64587febf --- /dev/null +++ b/queue-4.14/ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch @@ -0,0 +1,84 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Moni Shoua +Date: Sun, 25 Feb 2018 13:39:54 +0200 +Subject: IB/mlx: Set slid to zero in Ethernet completion struct + +From: Moni Shoua + +[ Upstream commit 65389322b28f81cc137b60a41044c2d958a7b950 ] + +IB spec says that a lid should be ignored when link layer is Ethernet, +for example when building or parsing a CM request message (CA17-34). +However, since ib_lid_be16() and ib_lid_cpu16() validates the slid, +not only when link layer is IB, we set the slid to zero to prevent +false warnings in the kernel log. + +Fixes: 62ede7779904 ("Add OPA extended LID support") +Reviewed-by: Majd Dibbiny +Signed-off-by: Moni Shoua +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/cq.c | 4 +++- + drivers/infiniband/hw/mlx5/cq.c | 3 ++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/cq.c ++++ b/drivers/infiniband/hw/mlx4/cq.c +@@ -597,6 +597,7 @@ static void use_tunnel_data(struct mlx4_ + wc->dlid_path_bits = 0; + + if (is_eth) { ++ wc->slid = 0; + wc->vlan_id = be16_to_cpu(hdr->tun.sl_vid); + memcpy(&(wc->smac[0]), (char *)&hdr->tun.mac_31_0, 4); + memcpy(&(wc->smac[4]), (char *)&hdr->tun.slid_mac_47_32, 2); +@@ -845,7 +846,6 @@ repoll: + } + } + +- wc->slid = be16_to_cpu(cqe->rlid); + g_mlpath_rqpn = be32_to_cpu(cqe->g_mlpath_rqpn); + wc->src_qp = g_mlpath_rqpn & 0xffffff; + wc->dlid_path_bits = (g_mlpath_rqpn >> 24) & 0x7f; +@@ -854,6 +854,7 @@ repoll: + wc->wc_flags |= mlx4_ib_ipoib_csum_ok(cqe->status, + cqe->checksum) ? IB_WC_IP_CSUM_OK : 0; + if (is_eth) { ++ wc->slid = 0; + wc->sl = be16_to_cpu(cqe->sl_vid) >> 13; + if (be32_to_cpu(cqe->vlan_my_qpn) & + MLX4_CQE_CVLAN_PRESENT_MASK) { +@@ -865,6 +866,7 @@ repoll: + memcpy(wc->smac, cqe->smac, ETH_ALEN); + wc->wc_flags |= (IB_WC_WITH_VLAN | IB_WC_WITH_SMAC); + } else { ++ wc->slid = be16_to_cpu(cqe->rlid); + wc->sl = be16_to_cpu(cqe->sl_vid) >> 12; + wc->vlan_id = 0xffff; + } +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -224,7 +224,6 @@ static void handle_responder(struct ib_w + wc->ex.invalidate_rkey = be32_to_cpu(cqe->imm_inval_pkey); + break; + } +- wc->slid = be16_to_cpu(cqe->slid); + wc->src_qp = be32_to_cpu(cqe->flags_rqpn) & 0xffffff; + wc->dlid_path_bits = cqe->ml_path; + g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3; +@@ -239,10 +238,12 @@ static void handle_responder(struct ib_w + } + + if (ll != IB_LINK_LAYER_ETHERNET) { ++ wc->slid = be16_to_cpu(cqe->slid); + wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf; + return; + } + ++ wc->slid = 0; + vlan_present = cqe->l4_l3_hdr_type & 0x1; + roce_packet_type = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0x3; + if (vlan_present) { diff --git a/queue-4.14/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch b/queue-4.14/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch new file mode 100644 index 00000000000..1034a15860e --- /dev/null +++ b/queue-4.14/ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jack Morgenstein +Date: Mon, 5 Mar 2018 20:09:45 +0200 +Subject: IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs + +From: Jack Morgenstein + +[ Upstream commit 0077416a3d529baccbe07ab3242e8db541cfadf6 ] + +When using IPv4 addresses in RoCEv2, the GID format for the mapped +IPv4 address should be: ::ffff:<4-byte IPv4 address>. + +In the cited commit, IPv4 mapped IPV6 addresses had the 3 upper dwords +zeroed out by memset, which resulted in deleting the ffff field. + +However, since procedure ipv6_addr_v4mapped() already verifies that the +gid has format ::ffff:, no change is needed for the gid, +and the memset can simply be removed. + +Fixes: 7e57b85c444c ("IB/mlx4: Add support for setting RoCEv2 gids in hardware") +Reviewed-by: Moni Shoua +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -219,8 +219,6 @@ static int mlx4_ib_update_gids_v1_v2(str + gid_tbl[i].version = 2; + if (!ipv6_addr_v4mapped((struct in6_addr *)&gids[i].gid)) + gid_tbl[i].type = 1; +- else +- memset(&gid_tbl[i].gid, 0, 12); + } + } + diff --git a/queue-4.14/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch b/queue-4.14/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch new file mode 100644 index 00000000000..79438963379 --- /dev/null +++ b/queue-4.14/ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jack M +Date: Mon, 5 Mar 2018 20:09:46 +0200 +Subject: IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE + +From: Jack M + +[ Upstream commit a18177925c252da7801149abe217c05b80884798 ] + +The commit cited below added a gid_type field (RoCEv1 or RoCEv2) +to GID properties. + +When adding GIDs, this gid_type field was copied over to the +hardware gid table. However, when deleting GIDs, the gid_type field +was not copied over to the hardware gid table. + +As a result, when running RoCEv2, all RoCEv2 gids in the +hardware gid table were set to type RoCEv1 when any gid was deleted. + +This problem would persist until the next gid was added (which would again +restore the gid_type field for all the gids in the hardware gid table). + +Fix this by copying over the gid_type field to the hardware gid table +when deleting gids, so that the gid_type of all remaining gids is +preserved when a gid is deleted. + +Fixes: b699a859d17b ("IB/mlx4: Add gid_type to GID properties") +Reviewed-by: Moni Shoua +Signed-off-by: Jack Morgenstein +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -364,8 +364,13 @@ static int mlx4_ib_del_gid(struct ib_dev + if (!gids) { + ret = -ENOMEM; + } else { +- for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) +- memcpy(&gids[i].gid, &port_gid_table->gids[i].gid, sizeof(union ib_gid)); ++ for (i = 0; i < MLX4_MAX_PORT_GIDS; i++) { ++ memcpy(&gids[i].gid, ++ &port_gid_table->gids[i].gid, ++ sizeof(union ib_gid)); ++ gids[i].gid_type = ++ port_gid_table->gids[i].gid_type; ++ } + } + } + spin_unlock_bh(&iboe->lock); diff --git a/queue-4.14/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch b/queue-4.14/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch new file mode 100644 index 00000000000..608f87b7c71 --- /dev/null +++ b/queue-4.14/ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dan Carpenter +Date: Tue, 6 Mar 2018 13:00:31 +0300 +Subject: IB/mlx5: Fix an error code in __mlx5_ib_modify_qp() + +From: Dan Carpenter + +[ Upstream commit 5d414b178e950ce9685c253994cc730893d5d887 ] + +"err" is either zero or possibly uninitialized here. It should be +-EINVAL. + +Fixes: 427c1e7bcd7e ("{IB, net}/mlx5: Move the modify QP operation table to mlx5_ib") +Signed-off-by: Dan Carpenter +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/qp.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/qp.c ++++ b/drivers/infiniband/hw/mlx5/qp.c +@@ -2881,8 +2881,10 @@ static int __mlx5_ib_modify_qp(struct ib + goto out; + + if (mlx5_cur >= MLX5_QP_NUM_STATE || mlx5_new >= MLX5_QP_NUM_STATE || +- !optab[mlx5_cur][mlx5_new]) ++ !optab[mlx5_cur][mlx5_new]) { ++ err = -EINVAL; + goto out; ++ } + + op = optab[mlx5_cur][mlx5_new]; + optpar = ib_mask_to_mlx5_opt(attr_mask); diff --git a/queue-4.14/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch b/queue-4.14/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch new file mode 100644 index 00000000000..2337fb9b4b2 --- /dev/null +++ b/queue-4.14/ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Honggang Li +Date: Fri, 16 Mar 2018 10:37:13 +0800 +Subject: IB/mlx5: Set the default active rate and width to QDR and 4X + +From: Honggang Li + +[ Upstream commit 7672ed33c4c15dbe9d56880683baaba4227cf940 ] + +Before commit f1b65df5a232 ("IB/mlx5: Add support for active_width and +active_speed in RoCE"), the mlx5_ib driver set the default active_width +and active_speed to IB_WIDTH_4X and IB_SPEED_QDR. + +When the RoCE port is down, the RoCE port does not negotiate the active +width with the remote side, causing the active width to be zero. When +running userspace ibstat to view the port status, ibstat will panic as it +reads an invalid width from sys file. + +This patch restores the original behavior. + +Fixes: f1b65df5a232 ("IB/mlx5: Add support for active_width and active_speed in RoCE"). +Signed-off-by: Honggang Li +Reviewed-by: Hal Rosenstock +Reviewed-by: Noa Osherovich +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -270,6 +270,9 @@ static int mlx5_query_port_roce(struct i + if (err) + return err; + ++ props->active_width = IB_WIDTH_4X; ++ props->active_speed = IB_SPEED_QDR; ++ + translate_eth_proto_oper(eth_prot_oper, &props->active_speed, + &props->active_width); + diff --git a/queue-4.14/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch b/queue-4.14/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch new file mode 100644 index 00000000000..15171ea26b8 --- /dev/null +++ b/queue-4.14/ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mikhail Malygin +Date: Mon, 2 Apr 2018 12:26:59 +0300 +Subject: IB/rxe: Fix for oops in rxe_register_device on ppc64le arch + +From: Mikhail Malygin + +[ Upstream commit efc365e7290d040fbd43f60b0e97653489a739d4 ] + +On ppc64le arch rxe_add command causes oops in kernel log: + +[ 92.495140] Oops: Kernel access of bad area, sig: 11 [#1] +[ 92.499710] SMP NR_CPUS=2048 NUMA pSeries +[ 92.499792] Modules linked in: ipt_MASQUERADE(E) nf_nat_masquerade_ipv4(E) nf_conntrack_netlink(E) nfnetlink(E) xfrm_user(E) iptable +_nat(E) nf_conntrack_ipv4(E) nf_defrag_ipv4(E) nf_nat_ipv4(E) xt_addrtype(E) iptable_filter(E) ip_tables(E) xt_conntrack(E) x_tables(E) + nf_nat(E) nf_conntrack(E) br_netfilter(E) bridge(E) stp(E) llc(E) overlay(E) af_packet(E) rpcrdma(E) ib_isert(E) iscsi_target_mod(E) i +b_iser(E) libiscsi(E) ib_srpt(E) target_core_mod(E) ib_srp(E) ib_ipoib(E) rdma_ucm(E) ib_ucm(E) ib_uverbs(E) ib_umad(E) bochs_drm(E) tt +m(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) drm(E) agpgart(E) virtio_rng(E) virtio_console(E) rtc_ +generic(E) dm_ec(OEN) ttln_rdma(OEN) rdma_cm(E) configfs(E) iw_cm(E) ib_cm(E) rdma_rxe(E) ip6_udp_tunnel(E) udp_tunnel(E) ib_core(E) ql +a2xxx(E) +[ 92.499832] scsi_transport_fc(E) nvme_fc(E) nvme_fabrics(E) nvme_core(E) ipmi_watchdog(E) ipmi_ssif(E) ipmi_poweroff(E) ipmi_powernv(EX) ipmi_devintf(E) ipmi_msghandler(E) dummy(E) ext4(E) crc16(E) jbd2(E) mbcache(E) dm_service_time(E) scsi_transport_iscsi(E) sd_mod(E) sr_mod(E) cdrom(E) hid_generic(E) usbhid(E) virtio_blk(E) virtio_scsi(E) virtio_net(E) ibmvscsi(EX) scsi_transport_srp(E) xhci_pci(E) xhci_hcd(E) usbcore(E) usb_common(E) virtio_pci(E) virtio_ring(E) virtio(E) sunrpc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) sg(E) dm_multipath(E) dm_mod(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) scsi_mod(E) autofs4(E) +[ 92.499834] Supported: No, Unsupported modules are loaded +[ 92.499839] CPU: 3 PID: 5576 Comm: sh Tainted: G OE NX 4.4.120-ttln.17-default #1 +[ 92.499841] task: c0000000afe8a490 ti: c0000000beba8000 task.ti: c0000000beba8000 +[ 92.499842] NIP: c00000000008ba3c LR: c000000000027644 CTR: c00000000008ba10 +[ 92.499844] REGS: c0000000bebab750 TRAP: 0300 Tainted: G OE NX (4.4.120-ttln.17-default) +[ 92.499850] MSR: 8000000000009033 CR: 28424428 XER: 20000000 +[ 92.499871] CFAR: 0000000000002424 DAR: 0000000000000208 DSISR: 40000000 SOFTE: 1 + GPR00: c000000000027644 c0000000bebab9d0 c000000000f09700 0000000000000000 + GPR04: d0000000043d7192 0000000000000002 000000000000001a fffffffffffffffe + GPR08: 000000000000009c c00000000008ba10 d0000000043e5848 d0000000043d3828 + GPR12: c00000000008ba10 c000000007a02400 0000000010062e38 0000010020388860 + GPR16: 0000000000000000 0000000000000000 00000100203885f0 00000000100f6c98 + GPR20: c0000000b3f1fcc0 c0000000b3f1fc48 c0000000b3f1fbd0 c0000000b3f1fb58 + GPR24: c0000000b3f1fae0 c0000000b3f1fa68 00000000000005dc c0000000b3f1f9f0 + GPR28: d0000000043e5848 c0000000b3f1f900 c0000000b3f1f320 c0000000b3f1f000 +[ 92.499881] NIP [c00000000008ba3c] dma_get_required_mask_pSeriesLP+0x2c/0x1a0 +[ 92.499885] LR [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499886] Call Trace: +[ 92.499891] [c0000000bebab9d0] [c0000000bebaba30] 0xc0000000bebaba30 (unreliable) +[ 92.499894] [c0000000bebaba10] [c000000000027644] dma_get_required_mask+0x44/0xac +[ 92.499904] [c0000000bebaba30] [d0000000043cb4b4] rxe_register_device+0xc4/0x430 [rdma_rxe] +[ 92.499910] [c0000000bebabab0] [d0000000043c06c8] rxe_add+0x448/0x4e0 [rdma_rxe] +[ 92.499915] [c0000000bebabb30] [d0000000043d28dc] rxe_net_add+0x4c/0xf0 [rdma_rxe] +[ 92.499921] [c0000000bebabb60] [d0000000043d305c] rxe_param_set_add+0x6c/0x1ac [rdma_rxe] +[ 92.499924] [c0000000bebabbf0] [c0000000000e78c0] param_attr_store+0xa0/0x180 +[ 92.499927] [c0000000bebabc70] [c0000000000e6448] module_attr_store+0x48/0x70 +[ 92.499932] [c0000000bebabc90] [c000000000391f60] sysfs_kf_write+0x70/0xb0 +[ 92.499935] [c0000000bebabcb0] [c000000000390f1c] kernfs_fop_write+0x18c/0x1e0 +[ 92.499939] [c0000000bebabd00] [c0000000002e22ac] __vfs_write+0x4c/0x1d0 +[ 92.499942] [c0000000bebabd90] [c0000000002e2f94] vfs_write+0xc4/0x200 +[ 92.499945] [c0000000bebabde0] [c0000000002e488c] SyS_write+0x6c/0x110 +[ 92.499948] [c0000000bebabe30] [c000000000009384] system_call+0x38/0xe4 +[ 92.499949] Instruction dump: +[ 92.499954] 4e800020 3c4c00e8 3842dcf0 7c0802a6 f8010010 60000000 7c0802a6 fba1ffe8 +[ 92.499958] fbc1fff0 fbe1fff8 f8010010 f821ffc1 7c7e1b78 2fa90000 419e0078 +[ 92.499962] ---[ end trace bed077e15eb420cf ]--- + +It fails in dma_get_required_mask, that has ppc-specific implementation, +and fail if provided device argument is NULL + +Signed-off-by: Mikhail Malygin +Reviewed-by: Yonatan Cohen +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rxe/rxe_verbs.c ++++ b/drivers/infiniband/sw/rxe/rxe_verbs.c +@@ -1206,7 +1206,7 @@ int rxe_register_device(struct rxe_dev * + rxe->ndev->dev_addr); + dev->dev.dma_ops = &dma_virt_ops; + dma_coerce_mask_and_coherent(&dev->dev, +- dma_get_required_mask(dev->dev.parent)); ++ dma_get_required_mask(&dev->dev)); + + dev->uverbs_abi_ver = RXE_UVERBS_ABI_VERSION; + dev->uverbs_cmd_mask = BIT_ULL(IB_USER_VERBS_CMD_GET_CONTEXT) diff --git a/queue-4.14/ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch b/queue-4.14/ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch new file mode 100644 index 00000000000..35b34ce4d71 --- /dev/null +++ b/queue-4.14/ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch @@ -0,0 +1,82 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Matan Barak +Date: Tue, 13 Feb 2018 12:18:32 +0200 +Subject: IB/uverbs: Fix method merging in uverbs_ioctl_merge + +From: Matan Barak + +[ Upstream commit 3d89459e2ef92cc0e5a50dde868780ccda9786c1 ] + +Fix a bug in uverbs_ioctl_merge that looked at the object's iterator +number instead of the method's iterator number when merging methods. + +While we're at it, make the uverbs_ioctl_merge code a bit more clear +and faster. + +Fixes: 118620d3686b ('IB/core: Add uverbs merge trees functionality') +Signed-off-by: Matan Barak +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_ioctl_merge.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/drivers/infiniband/core/uverbs_ioctl_merge.c ++++ b/drivers/infiniband/core/uverbs_ioctl_merge.c +@@ -114,6 +114,7 @@ static size_t get_elements_above_id(cons + short min = SHRT_MAX; + const void *elem; + int i, j, last_stored = -1; ++ unsigned int equal_min = 0; + + for_each_element(elem, i, j, elements, num_elements, num_offset, + data_offset) { +@@ -136,6 +137,10 @@ static size_t get_elements_above_id(cons + */ + iters[last_stored == i ? num_iters - 1 : num_iters++] = elem; + last_stored = i; ++ if (min == GET_ID(id)) ++ equal_min++; ++ else ++ equal_min = 1; + min = GET_ID(id); + } + +@@ -146,15 +151,10 @@ static size_t get_elements_above_id(cons + * Therefore, we need to clean the beginning of the array to make sure + * all ids of final elements are equal to min. + */ +- for (i = num_iters - 1; i >= 0 && +- GET_ID(*(u16 *)(iters[i] + id_offset)) == min; i--) +- ; +- +- num_iters -= i + 1; +- memmove(iters, iters + i + 1, sizeof(*iters) * num_iters); ++ memmove(iters, iters + num_iters - equal_min, sizeof(*iters) * equal_min); + + *min_id = min; +- return num_iters; ++ return equal_min; + } + + #define find_max_element_entry_id(num_elements, elements, num_objects_fld, \ +@@ -322,7 +322,7 @@ static struct uverbs_method_spec *build_ + hash = kzalloc(sizeof(*hash) + + ALIGN(sizeof(*hash->attrs) * (attr_max_bucket + 1), + sizeof(long)) + +- BITS_TO_LONGS(attr_max_bucket) * sizeof(long), ++ BITS_TO_LONGS(attr_max_bucket + 1) * sizeof(long), + GFP_KERNEL); + if (!hash) { + res = -ENOMEM; +@@ -509,7 +509,7 @@ static struct uverbs_object_spec *build_ + * first handler which != NULL. This also defines the + * set of flags used for this handler. + */ +- for (i = num_object_defs - 1; ++ for (i = num_method_defs - 1; + i >= 0 && !method_defs[i]->handler; i--) + ; + hash->methods[min_id++] = method; diff --git a/queue-4.14/ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch b/queue-4.14/ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch new file mode 100644 index 00000000000..a7e8d72d4ac --- /dev/null +++ b/queue-4.14/ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Matan Barak +Date: Tue, 13 Feb 2018 12:18:35 +0200 +Subject: IB/uverbs: Fix possible oops with duplicate ioctl attributes + +From: Matan Barak + +[ Upstream commit 4d39a959bc1f3d164b5a54147fdeb19f84b1ed58 ] + +If the same attribute is listed twice by the user in the ioctl attribute +list then error unwind can cause the kernel to deref garbage. + +This happens when an object with WRITE access is sent twice. The second +parse properly fails but corrupts the state required for the error unwind +it triggers. + +Fixing this by making duplicates in the attribute list invalid. This is +not something we need to support. + +The ioctl interface is currently recommended to be disabled in kConfig. + +Signed-off-by: Matan Barak +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/core/uverbs_ioctl.c ++++ b/drivers/infiniband/core/uverbs_ioctl.c +@@ -59,6 +59,9 @@ static int uverbs_process_attr(struct ib + return 0; + } + ++ if (test_bit(attr_id, attr_bundle_h->valid_bitmap)) ++ return -EINVAL; ++ + spec = &attr_spec_bucket->attrs[attr_id]; + e = &elements[attr_id]; + e->uattr = uattr_ptr; diff --git a/queue-4.14/ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch b/queue-4.14/ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch new file mode 100644 index 00000000000..fe4adf82a3b --- /dev/null +++ b/queue-4.14/ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jason Gunthorpe +Date: Tue, 13 Feb 2018 12:18:40 +0200 +Subject: IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy + +From: Jason Gunthorpe + +[ Upstream commit ec6f8401c48a86809237e86878a6fac6b281118f ] + +If remove_commit fails then the lock is left locked while the uobj still +exists. Eventually the kernel will deadlock. + +lockdep detects this and says: + + test/4221 is leaving the kernel with locks still held! + 1 lock held by test/4221: + #0: (&ucontext->cleanup_rwsem){.+.+}, at: [<000000001e5c7523>] rdma_explicit_destroy+0x37/0x120 [ib_uverbs] + +Fixes: 4da70da23e9b ("IB/core: Explicitly destroy an object while keeping uobject") +Signed-off-by: Leon Romanovsky +Reviewed-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/rdma_core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/rdma_core.c ++++ b/drivers/infiniband/core/rdma_core.c +@@ -486,12 +486,13 @@ int rdma_explicit_destroy(struct ib_uobj + ret = uobject->type->type_class->remove_commit(uobject, + RDMA_REMOVE_DESTROY); + if (ret) +- return ret; ++ goto out; + + uobject->type = &null_obj_type; + ++out: + up_read(&ucontext->cleanup_rwsem); +- return 0; ++ return ret; + } + + static void alloc_commit_idr_uobject(struct ib_uobject *uobj) diff --git a/queue-4.14/ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch b/queue-4.14/ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch new file mode 100644 index 00000000000..26cb5099897 --- /dev/null +++ b/queue-4.14/ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Falcon +Date: Mon, 19 Feb 2018 20:12:57 -0600 +Subject: ibmvnic: Check for NULL skb's in NAPI poll routine + +From: Thomas Falcon + +[ Upstream commit abe27a885d9e6575e663a16176dabc58ce9d7188 ] + +After introduction of commit d0869c0071e4, there were some instances of +RX queue entries from a previous session (before the device was closed +and reopened) returned to the NAPI polling routine. Since the corresponding +socket buffers were freed, this resulted in a panic on reopen. Include +a check for a NULL skb here to avoid this. + +Fixes: d0869c0071e4 ("ibmvnic: Clean RX pool buffers during device close") +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1668,6 +1668,11 @@ restart_poll: + dev_kfree_skb_any(rx_buff->skb); + remove_buff_from_pool(adapter, rx_buff); + continue; ++ } else if (!rx_buff->skb) { ++ /* free the entry */ ++ next->rx_comp.first = 0; ++ remove_buff_from_pool(adapter, rx_buff); ++ continue; + } + + length = be32_to_cpu(next->rx_comp.len); diff --git a/queue-4.14/ibmvnic-clean-rx-pool-buffers-during-device-close.patch b/queue-4.14/ibmvnic-clean-rx-pool-buffers-during-device-close.patch new file mode 100644 index 00000000000..92df222bf45 --- /dev/null +++ b/queue-4.14/ibmvnic-clean-rx-pool-buffers-during-device-close.patch @@ -0,0 +1,68 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Falcon +Date: Tue, 13 Feb 2018 18:23:43 -0600 +Subject: ibmvnic: Clean RX pool buffers during device close + +From: Thomas Falcon + +[ Upstream commit d0869c0071e40c4407d1a4d7c9497653cf47253b ] + +During device close or reset, there were some cases of outstanding +RX socket buffers not being freed. Include a function similar to the +one that already exists to clean TX socket buffers in this case. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 31 ++++++++++++++++++++++++++++++- + 1 file changed, 30 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -933,6 +933,35 @@ static int ibmvnic_open(struct net_devic + return rc; + } + ++static void clean_rx_pools(struct ibmvnic_adapter *adapter) ++{ ++ struct ibmvnic_rx_pool *rx_pool; ++ u64 rx_entries; ++ int rx_scrqs; ++ int i, j; ++ ++ if (!adapter->rx_pool) ++ return; ++ ++ rx_scrqs = be32_to_cpu(adapter->login_rsp_buf->num_rxadd_subcrqs); ++ rx_entries = adapter->req_rx_add_entries_per_subcrq; ++ ++ /* Free any remaining skbs in the rx buffer pools */ ++ for (i = 0; i < rx_scrqs; i++) { ++ rx_pool = &adapter->rx_pool[i]; ++ if (!rx_pool) ++ continue; ++ ++ netdev_dbg(adapter->netdev, "Cleaning rx_pool[%d]\n", i); ++ for (j = 0; j < rx_entries; j++) { ++ if (rx_pool->rx_buff[j].skb) { ++ dev_kfree_skb_any(rx_pool->rx_buff[j].skb); ++ rx_pool->rx_buff[j].skb = NULL; ++ } ++ } ++ } ++} ++ + static void clean_tx_pools(struct ibmvnic_adapter *adapter) + { + struct ibmvnic_tx_pool *tx_pool; +@@ -1010,7 +1039,7 @@ static int __ibmvnic_close(struct net_de + } + } + } +- ++ clean_rx_pools(adapter); + clean_tx_pools(adapter); + adapter->state = VNIC_CLOSED; + return rc; diff --git a/queue-4.14/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch b/queue-4.14/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch new file mode 100644 index 00000000000..78b2b31c329 --- /dev/null +++ b/queue-4.14/ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch @@ -0,0 +1,30 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Falcon +Date: Tue, 13 Feb 2018 18:23:42 -0600 +Subject: ibmvnic: Free RX socket buffer in case of adapter error + +From: Thomas Falcon + +[ Upstream commit 4b9b0f01350500173f17e2b2e65beb4df4ef99c7 ] + +If a RX buffer is returned to the client driver with an error, free the +corresponding socket buffer before continuing. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1636,6 +1636,7 @@ restart_poll: + be16_to_cpu(next->rx_comp.rc)); + /* free the entry */ + next->rx_comp.first = 0; ++ dev_kfree_skb_any(rx_buff->skb); + remove_buff_from_pool(adapter, rx_buff); + continue; + } diff --git a/queue-4.14/ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch b/queue-4.14/ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch new file mode 100644 index 00000000000..956f026bdda --- /dev/null +++ b/queue-4.14/ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Falcon +Date: Tue, 13 Feb 2018 15:32:50 -0600 +Subject: ibmvnic: Wait until reset is complete to set carrier on + +From: Thomas Falcon + +[ Upstream commit cc85c02edfe48a34865ae00f7d22298a3fdd17aa ] + +Pushes back setting the carrier on until the end of the reset +code. This resolves a bug where a watchdog timer was detecting +that a TX queue had stalled before the adapter reset was complete. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1460,8 +1460,6 @@ static int do_reset(struct ibmvnic_adapt + return 0; + } + +- netif_carrier_on(netdev); +- + /* kick napi */ + for (i = 0; i < adapter->req_rx_queues; i++) + napi_schedule(&adapter->napi[i]); +@@ -1469,6 +1467,8 @@ static int do_reset(struct ibmvnic_adapt + if (adapter->reset_reason != VNIC_RESET_FAILOVER) + netdev_notify_peers(netdev); + ++ netif_carrier_on(netdev); ++ + return 0; + } + diff --git a/queue-4.14/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch b/queue-4.14/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch new file mode 100644 index 00000000000..60a65035c77 --- /dev/null +++ b/queue-4.14/ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Falcon +Date: Fri, 6 Apr 2018 18:37:03 -0500 +Subject: ibmvnic: Zero used TX descriptor counter on reset + +From: Thomas Falcon + +[ Upstream commit 41f714672f93608751dbd2fa2291d476a8ff0150 ] + +The counter that tracks used TX descriptors pending completion +needs to be zeroed as part of a device reset. This change fixes +a bug causing transmit queues to be stopped unnecessarily and in +some cases a transmit queue stall and timeout reset. If the counter +is not reset, the remaining descriptors will not be "removed", +effectively reducing queue capacity. If the queue is over half full, +it will cause the queue to stall if stopped. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -1962,6 +1962,7 @@ static int reset_one_sub_crq_queue(struc + } + + memset(scrq->msgs, 0, 4 * PAGE_SIZE); ++ atomic_set(&scrq->used, 0); + scrq->cur = 0; + + rc = h_reg_sub_crq(adapter->vdev->unit_address, scrq->msg_token, diff --git a/queue-4.14/ieee802154-ca8210-fix-uninitialised-data-read.patch b/queue-4.14/ieee802154-ca8210-fix-uninitialised-data-read.patch new file mode 100644 index 00000000000..5b4859cb845 --- /dev/null +++ b/queue-4.14/ieee802154-ca8210-fix-uninitialised-data-read.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Harry Morris +Date: Wed, 28 Mar 2018 11:54:27 +0100 +Subject: ieee802154: ca8210: fix uninitialised data read + +From: Harry Morris + +[ Upstream commit 86674a97f5055f4c7f406563408096e8cf9364ff ] + +In ca8210_test_int_user_write() a user can request the transfer of a +frame with a length field (command.length) that is longer than the +actual buffer provided (len). In this scenario the driver will copy +the buffer contents into the uninitialised command[] buffer, then +transfer bytes over the SPI even though only bytes +had been populated, potentially leaking sensitive kernel memory. + +Also the first 6 bytes of the command buffer must be initialised in case +a malformed, short packet is written and the uninitialised bytes are +read in ca8210_test_check_upstream. + +Reported-by: Domen Puncer Kugler +Signed-off-by: Harry Morris +Tested-by: Harry Morris +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/ca8210.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ieee802154/ca8210.c ++++ b/drivers/net/ieee802154/ca8210.c +@@ -2493,13 +2493,14 @@ static ssize_t ca8210_test_int_user_writ + struct ca8210_priv *priv = filp->private_data; + u8 command[CA8210_SPI_BUF_SIZE]; + +- if (len > CA8210_SPI_BUF_SIZE) { ++ memset(command, SPI_IDLE, 6); ++ if (len > CA8210_SPI_BUF_SIZE || len < 2) { + dev_warn( + &priv->spi->dev, +- "userspace requested erroneously long write (%zu)\n", ++ "userspace requested erroneous write length (%zu)\n", + len + ); +- return -EMSGSIZE; ++ return -EBADE; + } + + ret = copy_from_user(command, in_buf, len); +@@ -2511,6 +2512,13 @@ static ssize_t ca8210_test_int_user_writ + ); + return -EIO; + } ++ if (len != command[1] + 2) { ++ dev_err( ++ &priv->spi->dev, ++ "write len does not match packet length field\n" ++ ); ++ return -EBADE; ++ } + + ret = ca8210_test_check_upstream(command, priv->spi); + if (ret == 0) { diff --git a/queue-4.14/ima-fallback-to-the-builtin-hash-algorithm.patch b/queue-4.14/ima-fallback-to-the-builtin-hash-algorithm.patch new file mode 100644 index 00000000000..6a447360411 --- /dev/null +++ b/queue-4.14/ima-fallback-to-the-builtin-hash-algorithm.patch @@ -0,0 +1,119 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Petr Vorel +Date: Fri, 23 Mar 2018 14:41:08 +0100 +Subject: ima: Fallback to the builtin hash algorithm + +From: Petr Vorel + +[ Upstream commit ab60368ab6a452466885ef4edf0cefd089465132 ] + +IMA requires having it's hash algorithm be compiled-in due to it's +early use. The default IMA algorithm is protected by Kconfig to be +compiled-in. + +The ima_hash kernel parameter allows to choose the hash algorithm. When +the specified algorithm is not available or available as a module, IMA +initialization fails, which leads to a kernel panic (mknodat syscall calls +ima_post_path_mknod()). Therefore as fallback we force IMA to use +the default builtin Kconfig hash algorithm. + +Fixed crash: + +$ grep CONFIG_CRYPTO_MD4 .config +CONFIG_CRYPTO_MD4=m + +[ 0.000000] Command line: BOOT_IMAGE=/boot/vmlinuz-4.12.14-2.3-default root=UUID=74ae8202-9ca7-4e39-813b-22287ec52f7a video=1024x768-16 plymouth.ignore-serial-consoles console=ttyS0 console=tty resume=/dev/disk/by-path/pci-0000:00:07.0-part3 splash=silent showopts ima_hash=md4 +... +[ 1.545190] ima: Can not allocate md4 (reason: -2) +... +[ 2.610120] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 2.611903] IP: ima_match_policy+0x23/0x390 +[ 2.612967] PGD 0 P4D 0 +[ 2.613080] Oops: 0000 [#1] SMP +[ 2.613080] Modules linked in: autofs4 +[ 2.613080] Supported: Yes +[ 2.613080] CPU: 0 PID: 1 Comm: systemd Not tainted 4.12.14-2.3-default #1 +[ 2.613080] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014 +[ 2.613080] task: ffff88003e2d0040 task.stack: ffffc90000190000 +[ 2.613080] RIP: 0010:ima_match_policy+0x23/0x390 +[ 2.613080] RSP: 0018:ffffc90000193e88 EFLAGS: 00010296 +[ 2.613080] RAX: 0000000000000000 RBX: 000000000000000c RCX: 0000000000000004 +[ 2.613080] RDX: 0000000000000010 RSI: 0000000000000001 RDI: ffff880037071728 +[ 2.613080] RBP: 0000000000008000 R08: 0000000000000000 R09: 0000000000000000 +[ 2.613080] R10: 0000000000000008 R11: 61c8864680b583eb R12: 00005580ff10086f +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000008000 +[ 2.613080] FS: 00007f5c1da08940(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000 +[ 2.613080] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2.613080] CR2: 0000000000000000 CR3: 0000000037002000 CR4: 00000000003406f0 +[ 2.613080] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 2.613080] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 2.613080] Call Trace: +[ 2.613080] ? shmem_mknod+0xbf/0xd0 +[ 2.613080] ima_post_path_mknod+0x1c/0x40 +[ 2.613080] SyS_mknod+0x210/0x220 +[ 2.613080] entry_SYSCALL_64_fastpath+0x1a/0xa5 +[ 2.613080] RIP: 0033:0x7f5c1bfde570 +[ 2.613080] RSP: 002b:00007ffde1c90dc8 EFLAGS: 00000246 ORIG_RAX: 0000000000000085 +[ 2.613080] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f5c1bfde570 +[ 2.613080] RDX: 0000000000000000 RSI: 0000000000008000 RDI: 00005580ff10086f +[ 2.613080] RBP: 00007ffde1c91040 R08: 00005580ff10086f R09: 0000000000000000 +[ 2.613080] R10: 0000000000104000 R11: 0000000000000246 R12: 00005580ffb99660 +[ 2.613080] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000002 +[ 2.613080] Code: 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 57 41 56 44 8d 14 09 41 55 41 54 55 53 44 89 d3 09 cb 48 83 ec 38 48 8b 05 c5 03 29 01 <4c> 8b 20 4c 39 e0 0f 84 d7 01 00 00 4c 89 44 24 08 89 54 24 20 +[ 2.613080] RIP: ima_match_policy+0x23/0x390 RSP: ffffc90000193e88 +[ 2.613080] CR2: 0000000000000000 +[ 2.613080] ---[ end trace 9a9f0a8a73079f6a ]--- +[ 2.673052] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 +[ 2.673052] +[ 2.675337] Kernel Offset: disabled +[ 2.676405] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 + +Signed-off-by: Petr Vorel +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_crypto.c | 2 ++ + security/integrity/ima/ima_main.c | 13 +++++++++++++ + 2 files changed, 15 insertions(+) + +--- a/security/integrity/ima/ima_crypto.c ++++ b/security/integrity/ima/ima_crypto.c +@@ -78,6 +78,8 @@ int __init ima_init_crypto(void) + hash_algo_name[ima_hash_algo], rc); + return rc; + } ++ pr_info("Allocated hash algorithm: %s\n", ++ hash_algo_name[ima_hash_algo]); + return 0; + } + +--- a/security/integrity/ima/ima_main.c ++++ b/security/integrity/ima/ima_main.c +@@ -16,6 +16,9 @@ + * implements the IMA hooks: ima_bprm_check, ima_file_mmap, + * and ima_file_check. + */ ++ ++#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt ++ + #include + #include + #include +@@ -427,6 +430,16 @@ static int __init init_ima(void) + ima_init_template_list(); + hash_setup(CONFIG_IMA_DEFAULT_HASH); + error = ima_init(); ++ ++ if (error && strcmp(hash_algo_name[ima_hash_algo], ++ CONFIG_IMA_DEFAULT_HASH) != 0) { ++ pr_info("Allocating %s failed, going to use default hash algorithm %s\n", ++ hash_algo_name[ima_hash_algo], CONFIG_IMA_DEFAULT_HASH); ++ hash_setup_done = 0; ++ hash_setup(CONFIG_IMA_DEFAULT_HASH); ++ error = ima_init(); ++ } ++ + if (!error) { + ima_initialized = 1; + ima_update_policy_flag(); diff --git a/queue-4.14/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch b/queue-4.14/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch new file mode 100644 index 00000000000..05f7b9f5eed --- /dev/null +++ b/queue-4.14/ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiandi An +Date: Tue, 6 Mar 2018 23:26:26 -0600 +Subject: ima: Fix Kconfig to select TPM 2.0 CRB interface + +From: Jiandi An + +[ Upstream commit fac37c628fd5d68fd7298d9b57ae8601ee1b4723 ] + +TPM_CRB driver provides TPM CRB 2.0 support. If it is built as a +module, the TPM chip is registered after IMA init. tpm_pcr_read() in +IMA fails and displays the following message even though eventually +there is a TPM chip on the system. + +ima: No TPM chip found, activating TPM-bypass! (rc=-19) + +Fix IMA Kconfig to select TPM_CRB so TPM_CRB driver is built in the kernel +and initializes before IMA. + +Signed-off-by: Jiandi An +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/integrity/ima/Kconfig ++++ b/security/integrity/ima/Kconfig +@@ -10,6 +10,7 @@ config IMA + select CRYPTO_HASH_INFO + select TCG_TPM if HAS_IOMEM && !UML + select TCG_TIS if TCG_TPM && X86 ++ select TCG_CRB if TCG_TPM && ACPI + select TCG_IBMVTPM if TCG_TPM && PPC_PSERIES + help + The Trusted Computing Group(TCG) runtime Integrity diff --git a/queue-4.14/integrity-security-fix-digsig.c-build-error-with-header-file.patch b/queue-4.14/integrity-security-fix-digsig.c-build-error-with-header-file.patch new file mode 100644 index 00000000000..d3adceedce8 --- /dev/null +++ b/queue-4.14/integrity-security-fix-digsig.c-build-error-with-header-file.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Randy Dunlap +Date: Mon, 12 Feb 2018 17:26:20 -0800 +Subject: integrity/security: fix digsig.c build error with header file + +From: Randy Dunlap + +[ Upstream commit 120f3b11ef88fc38ce1d0ff9c9a4b37860ad3140 ] + +security/integrity/digsig.c has build errors on some $ARCH due to a +missing header file, so add it. + + security/integrity/digsig.c:146:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration] + +Reported-by: Michael Ellerman +Signed-off-by: Randy Dunlap +Cc: Mimi Zohar +Cc: linux-integrity@vger.kernel.org +Link: http://kisskb.ellerman.id.au/kisskb/head/13396/ +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/digsig.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/integrity/digsig.c ++++ b/security/integrity/digsig.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include + #include + diff --git a/queue-4.14/intel_th-use-correct-method-of-finding-hub.patch b/queue-4.14/intel_th-use-correct-method-of-finding-hub.patch new file mode 100644 index 00000000000..322121e10d9 --- /dev/null +++ b/queue-4.14/intel_th-use-correct-method-of-finding-hub.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexander Shishkin +Date: Thu, 1 Mar 2018 10:15:32 +0200 +Subject: intel_th: Use correct method of finding hub + +From: Alexander Shishkin + +[ Upstream commit 9ad577087165478c9d9be82b15ed9bf2db5835f5 ] + +Since commit 8edc514b01e9 ("intel_th: Make SOURCE devices children of the +root device") the hub is not the parent of SOURCE devices any more, so the +new helper function should be used for that instead of always using the +parent. The intel_th_set_output() path, however, still uses the old +logic, leading to the hub driver structure being aliased with something +else, like struct pci_driver or struct acpi_driver, and an incorrect call +to an address inferred from that, potentially resulting in a crash. + +Fixes: 8edc514b01e9 ("intel_th: Make SOURCE devices children of the root device") +Signed-off-by: Alexander Shishkin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/intel_th/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -935,7 +935,7 @@ EXPORT_SYMBOL_GPL(intel_th_trace_disable + int intel_th_set_output(struct intel_th_device *thdev, + unsigned int master) + { +- struct intel_th_device *hub = to_intel_th_device(thdev->dev.parent); ++ struct intel_th_device *hub = to_intel_th_hub(thdev); + struct intel_th_driver *hubdrv = to_intel_th_driver(hub->dev.driver); + + if (!hubdrv->set_output) diff --git a/queue-4.14/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch b/queue-4.14/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch new file mode 100644 index 00000000000..52328c63cf1 --- /dev/null +++ b/queue-4.14/iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Andrzej Siewior +Date: Thu, 22 Mar 2018 16:22:33 +0100 +Subject: iommu/amd: Take into account that alloc_dev_data() may return NULL + +From: Sebastian Andrzej Siewior + +[ Upstream commit 39ffe39545cd5cb5b8cee9f0469165cf24dc62c2 ] + +find_dev_data() does not check whether the return value alloc_dev_data() +is NULL. This was okay once because the pointer was returned once as-is. +Since commit df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred +call-back") the pointer may be used within find_dev_data() so a NULL +check is required. + +Cc: Baoquan He +Fixes: df3f7a6e8e85 ("iommu/amd: Use is_attach_deferred call-back") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -311,6 +311,8 @@ static struct iommu_dev_data *find_dev_d + + if (dev_data == NULL) { + dev_data = alloc_dev_data(devid); ++ if (!dev_data) ++ return NULL; + + if (translation_pre_enabled(iommu)) + dev_data->defer_attach = true; diff --git a/queue-4.14/iommu-mediatek-fix-protect-memory-setting.patch b/queue-4.14/iommu-mediatek-fix-protect-memory-setting.patch new file mode 100644 index 00000000000..2bc7f7b899a --- /dev/null +++ b/queue-4.14/iommu-mediatek-fix-protect-memory-setting.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yong Wu +Date: Sun, 18 Mar 2018 09:52:54 +0800 +Subject: iommu/mediatek: Fix protect memory setting + +From: Yong Wu + +[ Upstream commit 70ca608b2ec6dafa6bb1c2b0691852fc78f8f717 ] + +In MediaTek's IOMMU design, When a iommu translation fault occurs +(HW can NOT translate the destination address to a valid physical +address), the IOMMU HW output the dirty data into a special memory +to avoid corrupting the main memory, this is called "protect memory". +the register(0x114) for protect memory is a little different between +mt8173 and mt2712. + +In the mt8173, bit[30:6] in the register represents [31:7] of the +physical address. In the 4GB mode, the register bit[31] should be 1. +While in the mt2712, the bits don't shift. bit[31:7] in the register +represents [31:7] in the physical address, and bit[1:0] in the +register represents bit[33:32] of the physical address if it has. + +Fixes: e6dec9230862 ("iommu/mediatek: Add mt2712 IOMMU support") +Reported-by: Honghui Zhang +Signed-off-by: Yong Wu +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/mtk_iommu.c | 15 ++++++++++----- + drivers/iommu/mtk_iommu.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/mtk_iommu.c ++++ b/drivers/iommu/mtk_iommu.c +@@ -60,7 +60,7 @@ + (((prot) & 0x3) << F_MMU_TF_PROTECT_SEL_SHIFT(data)) + + #define REG_MMU_IVRP_PADDR 0x114 +-#define F_MMU_IVRP_PA_SET(pa, ext) (((pa) >> 1) | ((!!(ext)) << 31)) ++ + #define REG_MMU_VLD_PA_RNG 0x118 + #define F_MMU_VLD_PA_RNG(EA, SA) (((EA) << 8) | (SA)) + +@@ -532,8 +532,13 @@ static int mtk_iommu_hw_init(const struc + F_INT_PRETETCH_TRANSATION_FIFO_FAULT; + writel_relaxed(regval, data->base + REG_MMU_INT_MAIN_CONTROL); + +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- data->base + REG_MMU_IVRP_PADDR); ++ if (data->m4u_plat == M4U_MT8173) ++ regval = (data->protect_base >> 1) | (data->enable_4GB << 31); ++ else ++ regval = lower_32_bits(data->protect_base) | ++ upper_32_bits(data->protect_base); ++ writel_relaxed(regval, data->base + REG_MMU_IVRP_PADDR); ++ + if (data->enable_4GB && data->m4u_plat != M4U_MT8173) { + /* + * If 4GB mode is enabled, the validate PA range is from +@@ -688,6 +693,7 @@ static int __maybe_unused mtk_iommu_susp + reg->ctrl_reg = readl_relaxed(base + REG_MMU_CTRL_REG); + reg->int_control0 = readl_relaxed(base + REG_MMU_INT_CONTROL0); + reg->int_main_control = readl_relaxed(base + REG_MMU_INT_MAIN_CONTROL); ++ reg->ivrp_paddr = readl_relaxed(base + REG_MMU_IVRP_PADDR); + clk_disable_unprepare(data->bclk); + return 0; + } +@@ -710,8 +716,7 @@ static int __maybe_unused mtk_iommu_resu + writel_relaxed(reg->ctrl_reg, base + REG_MMU_CTRL_REG); + writel_relaxed(reg->int_control0, base + REG_MMU_INT_CONTROL0); + writel_relaxed(reg->int_main_control, base + REG_MMU_INT_MAIN_CONTROL); +- writel_relaxed(F_MMU_IVRP_PA_SET(data->protect_base, data->enable_4GB), +- base + REG_MMU_IVRP_PADDR); ++ writel_relaxed(reg->ivrp_paddr, base + REG_MMU_IVRP_PADDR); + if (data->m4u_dom) + writel(data->m4u_dom->cfg.arm_v7s_cfg.ttbr[0], + base + REG_MMU_PT_BASE_ADDR); +--- a/drivers/iommu/mtk_iommu.h ++++ b/drivers/iommu/mtk_iommu.h +@@ -32,6 +32,7 @@ struct mtk_iommu_suspend_reg { + u32 ctrl_reg; + u32 int_control0; + u32 int_main_control; ++ u32 ivrp_paddr; + }; + + enum mtk_iommu_plat { diff --git a/queue-4.14/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.14/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..9b4781948ba --- /dev/null +++ b/queue-4.14/ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xin Long +Date: Tue, 27 Feb 2018 19:19:40 +0800 +Subject: ip6_tunnel: fix IFLA_MTU ignored on NEWLINK + +From: Xin Long + +[ Upstream commit a6aa80446234ec0ad38eecdb8efc59e91daae565 ] + +Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len +correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same +mtu fix is also needed for ip6_tunnel. + +Note that dev->hard_header_len setting for ip6_tunnel works fine, +no need to fix it. + +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1990,14 +1990,14 @@ static int ip6_tnl_newlink(struct net *s + { + struct net *net = dev_net(dev); + struct ip6_tnl_net *ip6n = net_generic(net, ip6_tnl_net_id); +- struct ip6_tnl *nt, *t; + struct ip_tunnel_encap ipencap; ++ struct ip6_tnl *nt, *t; ++ int err; + + nt = netdev_priv(dev); + + if (ip6_tnl_netlink_encap_parms(data, &ipencap)) { +- int err = ip6_tnl_encap_setup(nt, &ipencap); +- ++ err = ip6_tnl_encap_setup(nt, &ipencap); + if (err < 0) + return err; + } +@@ -2013,7 +2013,11 @@ static int ip6_tnl_newlink(struct net *s + return -EEXIST; + } + +- return ip6_tnl_create2(dev); ++ err = ip6_tnl_create2(dev); ++ if (!err && tb[IFLA_MTU]) ++ ip6_tnl_change_mtu(dev, nla_get_u32(tb[IFLA_MTU])); ++ ++ return err; + } + + static int ip6_tnl_changelink(struct net_device *dev, struct nlattr *tb[], diff --git a/queue-4.14/ip_gre-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.14/ip_gre-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..4374b7c3d45 --- /dev/null +++ b/queue-4.14/ip_gre-fix-ifla_mtu-ignored-on-newlink.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xin Long +Date: Tue, 27 Feb 2018 19:19:39 +0800 +Subject: ip_gre: fix IFLA_MTU ignored on NEWLINK + +From: Xin Long + +[ Upstream commit ffc2b6ee417435605ee8bb1eb4c8f02e9ff4b4a5 ] + +It's safe to remove the setting of dev's needed_headroom and mtu in +__gre_tunnel_init, as discussed in [1], ip_tunnel_newlink can do it +properly. + +Now Eric noticed that it could cover the mtu value set in do_setlink +when creating a ip_gre dev. It makes IFLA_MTU param not take effect. + +So this patch is to remove them to make IFLA_MTU work, as in other +ipv4 tunnels. + + [1]: https://patchwork.ozlabs.org/patch/823504/ + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Reported-by: Eric Garver +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_gre.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -951,9 +951,6 @@ static void __gre_tunnel_init(struct net + + t_hlen = tunnel->hlen + sizeof(struct iphdr); + +- dev->needed_headroom = LL_MAX_HEADER + t_hlen + 4; +- dev->mtu = ETH_DATA_LEN - t_hlen - 4; +- + dev->features |= GRE_FEATURES; + dev->hw_features |= GRE_FEATURES; + +@@ -1253,8 +1250,6 @@ static int erspan_tunnel_init(struct net + sizeof(struct erspanhdr); + t_hlen = tunnel->hlen + sizeof(struct iphdr); + +- dev->needed_headroom = LL_MAX_HEADER + t_hlen + 4; +- dev->mtu = ETH_DATA_LEN - t_hlen - 4; + dev->features |= GRE_FEATURES; + dev->hw_features |= GRE_FEATURES; + dev->priv_flags |= IFF_LIVE_ADDR_CHANGE; diff --git a/queue-4.14/ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch b/queue-4.14/ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch new file mode 100644 index 00000000000..e53b2d6f3d1 --- /dev/null +++ b/queue-4.14/ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefano Brivio +Date: Thu, 15 Mar 2018 17:16:28 +0100 +Subject: ip_tunnel: Clamp MTU to bounds on new link + +From: Stefano Brivio + +[ Upstream commit 24fc79798b8ddfd46f2dd363a8d29072c083b977 ] + +Otherwise, it's possible to specify invalid MTU values directly +on creation of a link (via 'ip link add'). This is already +prevented on subsequent MTU changes by commit b96f9afee4eb +("ipv4/6: use core net MTU range checking"). + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.") +Signed-off-by: Stefano Brivio +Acked-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -1103,8 +1103,14 @@ int ip_tunnel_newlink(struct net_device + eth_hw_addr_random(dev); + + mtu = ip_tunnel_bind_dev(dev); +- if (!tb[IFLA_MTU]) ++ if (tb[IFLA_MTU]) { ++ unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen; ++ ++ dev->mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, ++ (unsigned int)(max - sizeof(struct iphdr))); ++ } else { + dev->mtu = mtu; ++ } + + ip_tunnel_add(itn, nt); + out: diff --git a/queue-4.14/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch b/queue-4.14/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch new file mode 100644 index 00000000000..8793262f272 --- /dev/null +++ b/queue-4.14/ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Kamlakant Patel +Date: Tue, 13 Mar 2018 16:32:27 +0530 +Subject: ipmi_ssif: Fix kernel panic at msg_done_handler + +From: Kamlakant Patel + +[ Upstream commit f002612b9d86613bc6fde0a444e0095225f6053e ] + +This happens when BMC doesn't return any data and the code is trying +to print the value of data[2]. + +Getting following crash: +[ 484.728410] Unable to handle kernel NULL pointer dereference at virtual address 00000002 +[ 484.736496] pgd = ffff0000094a2000 +[ 484.739885] [00000002] *pgd=00000047fcffe003, *pud=00000047fcffd003, *pmd=0000000000000000 +[ 484.748158] Internal error: Oops: 96000005 [#1] SMP +[...] +[ 485.101451] Call trace: +[...] +[ 485.188473] [] msg_done_handler+0x668/0x700 [ipmi_ssif] +[ 485.195249] [] ipmi_ssif_thread+0x110/0x128 [ipmi_ssif] +[ 485.202038] [] kthread+0x108/0x138 +[ 485.206994] [] ret_from_fork+0x10/0x30 +[ 485.212294] Code: aa1903e1 aa1803e0 b900227f 95fef6a5 (39400aa3) + +Adding a check to validate the data len before printing data[2] to fix this issue. + +Signed-off-by: Kamlakant Patel +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -763,7 +763,7 @@ static void msg_done_handler(struct ssif + ssif_info->ssif_state = SSIF_NORMAL; + ipmi_ssif_unlock_cond(ssif_info, flags); + pr_warn(PFX "Error getting flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_GET_MSG_FLAGS_CMD) { + /* +@@ -785,7 +785,7 @@ static void msg_done_handler(struct ssif + if ((result < 0) || (len < 3) || (data[2] != 0)) { + /* Error clearing flags */ + pr_warn(PFX "Error clearing flags: %d %d, %x\n", +- result, len, data[2]); ++ result, len, (len >= 3) ? data[2] : 0); + } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2 + || data[1] != IPMI_CLEAR_MSG_FLAGS_CMD) { + pr_warn(PFX "Invalid response clearing flags: %x %x\n", diff --git a/queue-4.14/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch b/queue-4.14/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch new file mode 100644 index 00000000000..4ee6fd563e5 --- /dev/null +++ b/queue-4.14/ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch @@ -0,0 +1,221 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sabrina Dubroca +Date: Wed, 14 Mar 2018 10:21:14 +0100 +Subject: ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu + +From: Sabrina Dubroca + +[ Upstream commit d52e5a7e7ca49457dd31fc8b42fb7c0d58a31221 ] + +Prior to the rework of PMTU information storage in commit +2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer."), +when a PMTU event advertising a PMTU smaller than +net.ipv4.route.min_pmtu was received, we would disable setting the DF +flag on packets by locking the MTU metric, and set the PMTU to +net.ipv4.route.min_pmtu. + +Since then, we don't disable DF, and set PMTU to +net.ipv4.route.min_pmtu, so the intermediate router that has this link +with a small MTU will have to drop the packets. + +This patch reestablishes pre-2.6.39 behavior by splitting +rtable->rt_pmtu into a bitfield with rt_mtu_locked and rt_pmtu. +rt_mtu_locked indicates that we shouldn't set the DF bit on that path, +and is checked in ip_dont_fragment(). + +One possible workaround is to set net.ipv4.route.min_pmtu to a value low +enough to accommodate the lowest MTU encountered. + +Fixes: 2c8cec5c10bc ("ipv4: Cache learned PMTU information in inetpeer.") +Signed-off-by: Sabrina Dubroca +Reviewed-by: Stefano Brivio +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip.h | 11 +++++++++-- + include/net/ip_fib.h | 1 + + include/net/route.h | 3 ++- + net/ipv4/route.c | 26 +++++++++++++++++++------- + net/ipv4/xfrm4_policy.c | 1 + + 5 files changed, 32 insertions(+), 10 deletions(-) + +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -326,6 +326,13 @@ int ip_decrease_ttl(struct iphdr *iph) + return --iph->ttl; + } + ++static inline int ip_mtu_locked(const struct dst_entry *dst) ++{ ++ const struct rtable *rt = (const struct rtable *)dst; ++ ++ return rt->rt_mtu_locked || dst_metric_locked(dst, RTAX_MTU); ++} ++ + static inline + int ip_dont_fragment(const struct sock *sk, const struct dst_entry *dst) + { +@@ -333,7 +340,7 @@ int ip_dont_fragment(const struct sock * + + return pmtudisc == IP_PMTUDISC_DO || + (pmtudisc == IP_PMTUDISC_WANT && +- !(dst_metric_locked(dst, RTAX_MTU))); ++ !ip_mtu_locked(dst)); + } + + static inline bool ip_sk_accept_pmtu(const struct sock *sk) +@@ -359,7 +366,7 @@ static inline unsigned int ip_dst_mtu_ma + struct net *net = dev_net(dst->dev); + + if (net->ipv4.sysctl_ip_fwd_use_pmtu || +- dst_metric_locked(dst, RTAX_MTU) || ++ ip_mtu_locked(dst) || + !forwarding) + return dst_mtu(dst); + +--- a/include/net/ip_fib.h ++++ b/include/net/ip_fib.h +@@ -59,6 +59,7 @@ struct fib_nh_exception { + int fnhe_genid; + __be32 fnhe_daddr; + u32 fnhe_pmtu; ++ bool fnhe_mtu_locked; + __be32 fnhe_gw; + unsigned long fnhe_expires; + struct rtable __rcu *fnhe_rth_input; +--- a/include/net/route.h ++++ b/include/net/route.h +@@ -63,7 +63,8 @@ struct rtable { + __be32 rt_gateway; + + /* Miscellaneous cached information */ +- u32 rt_pmtu; ++ u32 rt_mtu_locked:1, ++ rt_pmtu:31; + + u32 rt_table_id; + +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -639,6 +639,7 @@ static inline u32 fnhe_hashfun(__be32 da + static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe) + { + rt->rt_pmtu = fnhe->fnhe_pmtu; ++ rt->rt_mtu_locked = fnhe->fnhe_mtu_locked; + rt->dst.expires = fnhe->fnhe_expires; + + if (fnhe->fnhe_gw) { +@@ -649,7 +650,7 @@ static void fill_route_from_fnhe(struct + } + + static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, +- u32 pmtu, unsigned long expires) ++ u32 pmtu, bool lock, unsigned long expires) + { + struct fnhe_hash_bucket *hash; + struct fib_nh_exception *fnhe; +@@ -686,8 +687,10 @@ static void update_or_create_fnhe(struct + fnhe->fnhe_genid = genid; + if (gw) + fnhe->fnhe_gw = gw; +- if (pmtu) ++ if (pmtu) { + fnhe->fnhe_pmtu = pmtu; ++ fnhe->fnhe_mtu_locked = lock; ++ } + fnhe->fnhe_expires = max(1UL, expires); + /* Update all cached dsts too */ + rt = rcu_dereference(fnhe->fnhe_rth_input); +@@ -711,6 +714,7 @@ static void update_or_create_fnhe(struct + fnhe->fnhe_daddr = daddr; + fnhe->fnhe_gw = gw; + fnhe->fnhe_pmtu = pmtu; ++ fnhe->fnhe_mtu_locked = lock; + fnhe->fnhe_expires = max(1UL, expires); + + /* Exception created; mark the cached routes for the nexthop +@@ -792,7 +796,8 @@ static void __ip_do_redirect(struct rtab + struct fib_nh *nh = &FIB_RES_NH(res); + + update_or_create_fnhe(nh, fl4->daddr, new_gw, +- 0, jiffies + ip_rt_gc_timeout); ++ 0, false, ++ jiffies + ip_rt_gc_timeout); + } + if (kill_route) + rt->dst.obsolete = DST_OBSOLETE_KILL; +@@ -1005,15 +1010,18 @@ static void __ip_rt_update_pmtu(struct r + { + struct dst_entry *dst = &rt->dst; + struct fib_result res; ++ bool lock = false; + +- if (dst_metric_locked(dst, RTAX_MTU)) ++ if (ip_mtu_locked(dst)) + return; + + if (ipv4_mtu(dst) < mtu) + return; + +- if (mtu < ip_rt_min_pmtu) ++ if (mtu < ip_rt_min_pmtu) { ++ lock = true; + mtu = ip_rt_min_pmtu; ++ } + + if (rt->rt_pmtu == mtu && + time_before(jiffies, dst->expires - ip_rt_mtu_expires / 2)) +@@ -1023,7 +1031,7 @@ static void __ip_rt_update_pmtu(struct r + if (fib_lookup(dev_net(dst->dev), fl4, &res, 0) == 0) { + struct fib_nh *nh = &FIB_RES_NH(res); + +- update_or_create_fnhe(nh, fl4->daddr, 0, mtu, ++ update_or_create_fnhe(nh, fl4->daddr, 0, mtu, lock, + jiffies + ip_rt_mtu_expires); + } + rcu_read_unlock(); +@@ -1276,7 +1284,7 @@ static unsigned int ipv4_mtu(const struc + + mtu = READ_ONCE(dst->dev->mtu); + +- if (unlikely(dst_metric_locked(dst, RTAX_MTU))) { ++ if (unlikely(ip_mtu_locked(dst))) { + if (rt->rt_uses_gateway && mtu > 576) + mtu = 576; + } +@@ -1548,6 +1556,7 @@ struct rtable *rt_dst_alloc(struct net_d + rt->rt_is_input = 0; + rt->rt_iif = 0; + rt->rt_pmtu = 0; ++ rt->rt_mtu_locked = 0; + rt->rt_gateway = 0; + rt->rt_uses_gateway = 0; + rt->rt_table_id = 0; +@@ -2526,6 +2535,7 @@ struct dst_entry *ipv4_blackhole_route(s + rt->rt_is_input = ort->rt_is_input; + rt->rt_iif = ort->rt_iif; + rt->rt_pmtu = ort->rt_pmtu; ++ rt->rt_mtu_locked = ort->rt_mtu_locked; + + rt->rt_genid = rt_genid_ipv4(net); + rt->rt_flags = ort->rt_flags; +@@ -2628,6 +2638,8 @@ static int rt_fill_info(struct net *net, + memcpy(metrics, dst_metrics_ptr(&rt->dst), sizeof(metrics)); + if (rt->rt_pmtu && expires) + metrics[RTAX_MTU - 1] = rt->rt_pmtu; ++ if (rt->rt_mtu_locked && expires) ++ metrics[RTAX_LOCK - 1] |= BIT(RTAX_MTU); + if (rtnetlink_put_metrics(skb, metrics) < 0) + goto nla_put_failure; + +--- a/net/ipv4/xfrm4_policy.c ++++ b/net/ipv4/xfrm4_policy.c +@@ -100,6 +100,7 @@ static int xfrm4_fill_dst(struct xfrm_ds + xdst->u.rt.rt_gateway = rt->rt_gateway; + xdst->u.rt.rt_uses_gateway = rt->rt_uses_gateway; + xdst->u.rt.rt_pmtu = rt->rt_pmtu; ++ xdst->u.rt.rt_mtu_locked = rt->rt_mtu_locked; + xdst->u.rt.rt_table_id = rt->rt_table_id; + INIT_LIST_HEAD(&xdst->u.rt.rt_uncached); + diff --git a/queue-4.14/ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch b/queue-4.14/ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch new file mode 100644 index 00000000000..32351e72b15 --- /dev/null +++ b/queue-4.14/ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Julian Anastasov +Date: Sun, 25 Feb 2018 22:29:18 +0200 +Subject: ipvs: remove IPS_NAT_MASK check to fix passive FTP + +From: Julian Anastasov + +[ Upstream commit 8a949fff0302b50063f74bb345a66190015528d0 ] + +The IPS_NAT_MASK check in 4.12 replaced previous check for nfct_nat() +which was needed to fix a crash in 2.6.36-rc, see +commit 7bcbf81a2296 ("ipvs: avoid oops for passive FTP"). +But as IPVS does not set the IPS_SRC_NAT and IPS_DST_NAT bits, +checking for IPS_NAT_MASK prevents PASV response to be properly +mangled and blocks the transfer. Remove the check as it is not +needed after 3.12 commit 41d73ec053d2 ("netfilter: nf_conntrack: +make sequence number adjustments usuable without NAT") which +changes nfct_nat() with nfct_seqadj() and especially after 3.13 +commit b25adce16064 ("ipvs: correct usage/allocation of seqadj +ext in ipvs"). + +Thanks to Li Shuang and Florian Westphal for reporting the problem! + +Reported-by: Li Shuang +Fixes: be7be6e161a2 ("netfilter: ipvs: fix incorrect conflict resolution") +Signed-off-by: Julian Anastasov +Acked-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ftp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipvs/ip_vs_ftp.c ++++ b/net/netfilter/ipvs/ip_vs_ftp.c +@@ -260,7 +260,7 @@ static int ip_vs_ftp_out(struct ip_vs_ap + buf_len = strlen(buf); + + ct = nf_ct_get(skb, &ctinfo); +- if (ct && (ct->status & IPS_NAT_MASK)) { ++ if (ct) { + bool mangled; + + /* If mangling fails this function will return 0 diff --git a/queue-4.14/iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch b/queue-4.14/iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch new file mode 100644 index 00000000000..d3fdb6c4dd6 --- /dev/null +++ b/queue-4.14/iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch @@ -0,0 +1,195 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shaul Triebitz +Date: Thu, 11 Jan 2018 16:18:46 +0200 +Subject: iwlwifi: avoid collecting firmware dump if not loaded + +From: Shaul Triebitz + +[ Upstream commit 8745f12a6600dd9d31122588621d4c8ddb332cd7 ] + +Trying to collect firmware debug data while firmware +is not loaded causes various errors (e.g. failing NIC access). +This causes even a bigger issue if at that time the +HW radio is off. +In that case, when later turning the radio on, the Driver +fails to read the HW (registers contain garbage values). +(It may be that the CSR_GP_CNTRL_REG_FLAG_RFKILL_WAKE_L1A_EN +bit is cleared on faulty NIC access - since the same behavior +was seen in HW RFKILL toggling before setting that bit.) + +Signed-off-by: Shaul Triebitz +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 13 +++++++++++-- + drivers/net/wireless/intel/iwlwifi/fw/dbg.h | 3 +++ + drivers/net/wireless/intel/iwlwifi/fw/runtime.h | 3 +++ + drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c | 5 ++--- + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 8 ++++++++ + 5 files changed, 27 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2008 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -33,6 +34,7 @@ + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -928,7 +930,6 @@ dump_trans_data: + + out: + iwl_fw_free_dump_desc(fwrt); +- fwrt->dump.trig = NULL; + clear_bit(IWL_FWRT_STATUS_DUMPING, &fwrt->status); + } + IWL_EXPORT_SYMBOL(iwl_fw_error_dump); +@@ -1084,6 +1085,14 @@ void iwl_fw_error_dump_wk(struct work_st + fwrt->ops->dump_start(fwrt->ops_ctx)) + return; + ++ if (fwrt->ops && fwrt->ops->fw_running && ++ !fwrt->ops->fw_running(fwrt->ops_ctx)) { ++ IWL_ERR(fwrt, "Firmware not running - cannot dump error\n"); ++ iwl_fw_free_dump_desc(fwrt); ++ clear_bit(IWL_FWRT_STATUS_DUMPING, &fwrt->status); ++ goto out; ++ } ++ + if (fwrt->trans->cfg->device_family == IWL_DEVICE_FAMILY_7000) { + /* stop recording */ + iwl_fw_dbg_stop_recording(fwrt); +@@ -1117,7 +1126,7 @@ void iwl_fw_error_dump_wk(struct work_st + iwl_write_prph(fwrt->trans, DBGC_OUT_CTRL, out_ctrl); + } + } +- ++out: + if (fwrt->ops && fwrt->ops->dump_end) + fwrt->ops->dump_end(fwrt->ops_ctx); + } +--- a/drivers/net/wireless/intel/iwlwifi/fw/dbg.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/dbg.h +@@ -8,6 +8,7 @@ + * Copyright(c) 2008 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -33,6 +34,7 @@ + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2015 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -91,6 +93,7 @@ static inline void iwl_fw_free_dump_desc + if (fwrt->dump.desc != &iwl_dump_desc_assert) + kfree(fwrt->dump.desc); + fwrt->dump.desc = NULL; ++ fwrt->dump.trig = NULL; + } + + void iwl_fw_error_dump(struct iwl_fw_runtime *fwrt); +--- a/drivers/net/wireless/intel/iwlwifi/fw/runtime.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/runtime.h +@@ -6,6 +6,7 @@ + * GPL LICENSE SUMMARY + * + * Copyright(c) 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -26,6 +27,7 @@ + * BSD LICENSE + * + * Copyright(c) 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -68,6 +70,7 @@ + struct iwl_fw_runtime_ops { + int (*dump_start)(void *ctx); + void (*dump_end)(void *ctx); ++ bool (*fw_running)(void *ctx); + }; + + #define MAX_NUM_LMAC 2 +--- a/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/debugfs.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -35,6 +36,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -1209,9 +1211,6 @@ static ssize_t iwl_dbgfs_fw_dbg_collect_ + { + int ret; + +- if (!iwl_mvm_firmware_running(mvm)) +- return -EIO; +- + ret = iwl_mvm_ref_sync(mvm, IWL_MVM_REF_PRPH_WRITE); + if (ret) + return ret; +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -35,6 +36,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -553,9 +555,15 @@ static void iwl_mvm_fwrt_dump_end(void * + iwl_mvm_unref(mvm, IWL_MVM_REF_FW_DBG_COLLECT); + } + ++static bool iwl_mvm_fwrt_fw_running(void *ctx) ++{ ++ return iwl_mvm_firmware_running(ctx); ++} ++ + static const struct iwl_fw_runtime_ops iwl_mvm_fwrt_ops = { + .dump_start = iwl_mvm_fwrt_dump_start, + .dump_end = iwl_mvm_fwrt_dump_end, ++ .fw_running = iwl_mvm_fwrt_fw_running, + }; + + static struct iwl_op_mode * diff --git a/queue-4.14/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch b/queue-4.14/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch new file mode 100644 index 00000000000..7b5bcf62fb0 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch @@ -0,0 +1,100 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Naftali Goldstein +Date: Thu, 28 Dec 2017 15:53:04 +0200 +Subject: iwlwifi: mvm: always init rs with 20mhz bandwidth rates + +From: Naftali Goldstein + +[ Upstream commit 6b7a5aea71b342ec0593d23b08383e1f33da4c9a ] + +In AP mode, when a new station associates, rs is initialized immediately +upon association completion, before the phy context is updated with the +association parameters, so the sta bandwidth might be wider than the phy +context allows. +To avoid this issue, always initialize rs with 20mhz bandwidth rate, and +after authorization, when the phy context is already up-to-date, re-init +rs with the correct bw. + +Signed-off-by: Naftali Goldstein +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 +++ + drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 28 +++++++++++++++------- + 2 files changed, 24 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -2703,6 +2703,10 @@ static int iwl_mvm_mac_sta_state(struct + + /* enable beacon filtering */ + WARN_ON(iwl_mvm_enable_beacon_filter(mvm, vif, 0)); ++ ++ iwl_mvm_rs_rate_init(mvm, sta, mvmvif->phy_ctxt->channel->band, ++ false); ++ + ret = 0; + } else if (old_state == IEEE80211_STA_AUTHORIZED && + new_state == IEEE80211_STA_ASSOC) { +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rs.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rs.c +@@ -2690,7 +2690,8 @@ static void rs_get_initial_rate(struct i + struct ieee80211_sta *sta, + struct iwl_lq_sta *lq_sta, + enum nl80211_band band, +- struct rs_rate *rate) ++ struct rs_rate *rate, ++ bool init) + { + int i, nentries; + unsigned long active_rate; +@@ -2744,14 +2745,25 @@ static void rs_get_initial_rate(struct i + */ + if (sta->vht_cap.vht_supported && + best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) { +- switch (sta->bandwidth) { +- case IEEE80211_STA_RX_BW_160: +- case IEEE80211_STA_RX_BW_80: +- case IEEE80211_STA_RX_BW_40: ++ /* ++ * In AP mode, when a new station associates, rs is initialized ++ * immediately upon association completion, before the phy ++ * context is updated with the association parameters, so the ++ * sta bandwidth might be wider than the phy context allows. ++ * To avoid this issue, always initialize rs with 20mhz ++ * bandwidth rate, and after authorization, when the phy context ++ * is already up-to-date, re-init rs with the correct bw. ++ */ ++ u32 bw = init ? RATE_MCS_CHAN_WIDTH_20 : rs_bw_from_sta_bw(sta); ++ ++ switch (bw) { ++ case RATE_MCS_CHAN_WIDTH_40: ++ case RATE_MCS_CHAN_WIDTH_80: ++ case RATE_MCS_CHAN_WIDTH_160: + initial_rates = rs_optimal_rates_vht; + nentries = ARRAY_SIZE(rs_optimal_rates_vht); + break; +- case IEEE80211_STA_RX_BW_20: ++ case RATE_MCS_CHAN_WIDTH_20: + initial_rates = rs_optimal_rates_vht_20mhz; + nentries = ARRAY_SIZE(rs_optimal_rates_vht_20mhz); + break; +@@ -2762,7 +2774,7 @@ static void rs_get_initial_rate(struct i + + active_rate = lq_sta->active_siso_rate; + rate->type = LQ_VHT_SISO; +- rate->bw = rs_bw_from_sta_bw(sta); ++ rate->bw = bw; + } else if (sta->ht_cap.ht_supported && + best_rssi > IWL_RS_LOW_RSSI_THRESHOLD) { + initial_rates = rs_optimal_rates_ht; +@@ -2844,7 +2856,7 @@ static void rs_initialize_lq(struct iwl_ + tbl = &(lq_sta->lq_info[active_tbl]); + rate = &tbl->rate; + +- rs_get_initial_rate(mvm, sta, lq_sta, band, rate); ++ rs_get_initial_rate(mvm, sta, lq_sta, band, rate, init); + rs_init_optimal_rate(mvm, sta, lq_sta); + + WARN_ONCE(rate->ant != ANT_A && rate->ant != ANT_B, diff --git a/queue-4.14/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch b/queue-4.14/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch new file mode 100644 index 00000000000..1d4e118a805 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Luca Coelho +Date: Mon, 18 Dec 2017 20:13:07 +0200 +Subject: iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq + +From: Luca Coelho + +[ Upstream commit 9a233bb8025105db9a60b5d761005cc5a6c77f3d ] + +Sometimes iwl_mvm_disable_txq() may be called with mac80211_queue == +IEEE80211_INVAL_HW_QUEUE, and this would cause us to use BIT(0xFF) +which is way too large for the u16 we used to store it in +hw_queue_to_mac820211. If this happens the following UBSAN warning +will be generated: + +[ 167.185167] UBSAN: Undefined behaviour in drivers/net/wireless/intel/iwlwifi/mvm/utils.c:838:5 +[ 167.185171] shift exponent 255 is too large for 64-bit type 'long unsigned int' + +Fix that by checking that it is not IEEE80211_INVAL_HW_QUEUE and, +while at it, add a warning if the queue number is larger than +IEEE80211_MAX_QUEUES. + +Fixes: 34e10860ae8d ("iwlwifi: mvm: remove references to queue_info in new TX path") +Reported-by: Paul Menzel +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/utils.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/utils.c +@@ -810,12 +810,19 @@ int iwl_mvm_disable_txq(struct iwl_mvm * + .scd_queue = queue, + .action = SCD_CFG_DISABLE_QUEUE, + }; +- bool remove_mac_queue = true; ++ bool remove_mac_queue = mac80211_queue != IEEE80211_INVAL_HW_QUEUE; + int ret; + ++ if (WARN_ON(remove_mac_queue && mac80211_queue >= IEEE80211_MAX_QUEUES)) ++ return -EINVAL; ++ + if (iwl_mvm_has_new_tx_api(mvm)) { + spin_lock_bh(&mvm->queue_info_lock); +- mvm->hw_queue_to_mac80211[queue] &= ~BIT(mac80211_queue); ++ ++ if (remove_mac_queue) ++ mvm->hw_queue_to_mac80211[queue] &= ++ ~BIT(mac80211_queue); ++ + spin_unlock_bh(&mvm->queue_info_lock); + + iwl_trans_txq_free(mvm->trans, queue); diff --git a/queue-4.14/iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch b/queue-4.14/iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch new file mode 100644 index 00000000000..52afc654159 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Avraham Stern +Date: Wed, 7 Mar 2018 10:41:18 +0200 +Subject: iwlwifi: mvm: clear tx queue id when unreserving aggregation queue + +From: Avraham Stern + +[ Upstream commit 4b387906b1c3692bb790388c335515c0cf098a23 ] + +When a queue is reserved for aggregation, the queue id is assigned +to the tid_data. This is fine since iwl_mvm_sta_tx_agg_oper() +takes care of allocating the queue before actual tx starts. +When the reservation is cancelled (e.g. when the AP declined the +aggregation request) the tid_data is not cleared. As a result, +following tx for this tid was trying to use an unallocated queue. + +Fix this by setting the txq_id for the tid to invalid when unreserving +the queue. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2645,8 +2645,10 @@ out: + + static void iwl_mvm_unreserve_agg_queue(struct iwl_mvm *mvm, + struct iwl_mvm_sta *mvmsta, +- u16 txq_id) ++ struct iwl_mvm_tid_data *tid_data) + { ++ u16 txq_id = tid_data->txq_id; ++ + if (iwl_mvm_has_new_tx_api(mvm)) + return; + +@@ -2658,8 +2660,10 @@ static void iwl_mvm_unreserve_agg_queue( + * allocated through iwl_mvm_enable_txq, so we can just mark it back as + * free. + */ +- if (mvm->queue_info[txq_id].status == IWL_MVM_QUEUE_RESERVED) ++ if (mvm->queue_info[txq_id].status == IWL_MVM_QUEUE_RESERVED) { + mvm->queue_info[txq_id].status = IWL_MVM_QUEUE_FREE; ++ tid_data->txq_id = IWL_MVM_INVALID_QUEUE; ++ } + + spin_unlock_bh(&mvm->queue_info_lock); + } +@@ -2690,7 +2694,7 @@ int iwl_mvm_sta_tx_agg_stop(struct iwl_m + + mvmsta->agg_tids &= ~BIT(tid); + +- iwl_mvm_unreserve_agg_queue(mvm, mvmsta, txq_id); ++ iwl_mvm_unreserve_agg_queue(mvm, mvmsta, tid_data); + + switch (tid_data->state) { + case IWL_AGG_ON: +@@ -2757,7 +2761,7 @@ int iwl_mvm_sta_tx_agg_flush(struct iwl_ + mvmsta->agg_tids &= ~BIT(tid); + spin_unlock_bh(&mvmsta->lock); + +- iwl_mvm_unreserve_agg_queue(mvm, mvmsta, txq_id); ++ iwl_mvm_unreserve_agg_queue(mvm, mvmsta, tid_data); + + if (old_state >= IWL_AGG_ON) { + iwl_mvm_drain_sta(mvm, mvmsta, true); diff --git a/queue-4.14/iwlwifi-mvm-correctly-set-igtk-for-ap.patch b/queue-4.14/iwlwifi-mvm-correctly-set-igtk-for-ap.patch new file mode 100644 index 00000000000..efeebd0953e --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-correctly-set-igtk-for-ap.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Beni Lev +Date: Tue, 20 Feb 2018 13:41:54 +0200 +Subject: iwlwifi: mvm: Correctly set IGTK for AP + +From: Beni Lev + +[ Upstream commit e829b17caf96c2da34620e335fb777592990906c ] + +Currently when an IGTK is set for an AP, it is set as a regular key. +Since the cipher is set to CMAC, the STA_KEY_FLG_EXT flag is added to +the host command, which causes assert 0x253D on NICs that do not support +this. + +Fixes: 85aeb58cec1a ("iwlwifi: mvm: Enable security on new TX API") +Signed-off-by: Beni Lev +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -3182,17 +3182,9 @@ int iwl_mvm_set_sta_key(struct iwl_mvm * + } + sta_id = mvm_sta->sta_id; + +- if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || +- keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) { +- ret = iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, +- false); +- goto end; +- } +- + /* + * It is possible that the 'sta' parameter is NULL, and thus +- * there is a need to retrieve the sta from the local station ++ * there is a need to retrieve the sta from the local station + * table. + */ + if (!sta) { +@@ -3207,6 +3199,17 @@ int iwl_mvm_set_sta_key(struct iwl_mvm * + + if (WARN_ON_ONCE(iwl_mvm_sta_from_mac80211(sta)->vif != vif)) + return -EINVAL; ++ } else { ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ ++ sta_id = mvmvif->mcast_sta.sta_id; ++ } ++ ++ if (keyconf->cipher == WLAN_CIPHER_SUITE_AES_CMAC || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_128 || ++ keyconf->cipher == WLAN_CIPHER_SUITE_BIP_GMAC_256) { ++ ret = iwl_mvm_send_sta_igtk(mvm, keyconf, sta_id, false); ++ goto end; + } + + /* If the key_offset is not pre-assigned, we need to find a diff --git a/queue-4.14/iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch b/queue-4.14/iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch new file mode 100644 index 00000000000..8e98111e0a1 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ilan Peer +Date: Thu, 25 Jan 2018 15:22:41 +0200 +Subject: iwlwifi: mvm: Correctly set the tid for mcast queue + +From: Ilan Peer + +[ Upstream commit 6508de0305d560235b366cc2cc98f7bcfb029e92 ] + +In the scheduler config command, the meaning of tid == 0xf was intended +to indicate the configuration is for management frames. However, +tid == 0xf was also used for the multicast queue that was meant only +for multicast data frames, which resulted with the FW not encrypting +multicast data frames. + +As multicast frames do not have a QoS header, fix this by setting +tid == 0, to indicate that this is a data queue and not management +one. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2023,7 +2023,7 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm + struct iwl_trans_txq_scd_cfg cfg = { + .fifo = IWL_MVM_TX_FIFO_MCAST, + .sta_id = msta->sta_id, +- .tid = IWL_MAX_TID_COUNT, ++ .tid = 0, + .aggregate = false, + .frame_limit = IWL_FRAME_LIMIT, + }; +@@ -2074,7 +2074,7 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm + if (iwl_mvm_has_new_tx_api(mvm)) { + int queue = iwl_mvm_tvqm_enable_txq(mvm, vif->cab_queue, + msta->sta_id, +- IWL_MAX_TID_COUNT, ++ 0, + timeout); + mvmvif->cab_queue = queue; + } else if (!fw_has_api(&mvm->fw->ucode_capa, +@@ -2099,7 +2099,7 @@ int iwl_mvm_rm_mcast_sta(struct iwl_mvm + iwl_mvm_flush_sta(mvm, &mvmvif->mcast_sta, true, 0); + + iwl_mvm_disable_txq(mvm, mvmvif->cab_queue, vif->cab_queue, +- IWL_MAX_TID_COUNT, 0); ++ 0, 0); + + ret = iwl_mvm_rm_sta_common(mvm, mvmvif->mcast_sta.sta_id); + if (ret) diff --git a/queue-4.14/iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch b/queue-4.14/iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch new file mode 100644 index 00000000000..68cd069a0cf --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ilan Peer +Date: Mon, 22 Jan 2018 08:55:06 +0200 +Subject: iwlwifi: mvm: Direct multicast frames to the correct station + +From: Ilan Peer + +[ Upstream commit 7c305de2b9548ab6b65fce342c78618bbed5db73 ] + +Multicast frames for NL80211_IFTYPE_AP and NL80211_IFTYPE_ADHOC were +directed to the broadcast station, however, as the broadcast station +did not have keys configured, these frames were sent unencrypted. + +Fix this by using the multicast station which is the station for which +encryption keys are configured. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -648,7 +648,11 @@ int iwl_mvm_tx_skb_non_sta(struct iwl_mv + if (info.control.vif->type == NL80211_IFTYPE_P2P_DEVICE || + info.control.vif->type == NL80211_IFTYPE_AP || + info.control.vif->type == NL80211_IFTYPE_ADHOC) { +- sta_id = mvmvif->bcast_sta.sta_id; ++ if (info.control.vif->type == NL80211_IFTYPE_P2P_DEVICE) ++ sta_id = mvmvif->bcast_sta.sta_id; ++ else ++ sta_id = mvmvif->mcast_sta.sta_id; ++ + queue = iwl_mvm_get_ctrl_vif_queue(mvm, &info, + hdr->frame_control); + if (queue < 0) diff --git a/queue-4.14/iwlwifi-mvm-fix-array-out-of-bounds-reference.patch b/queue-4.14/iwlwifi-mvm-fix-array-out-of-bounds-reference.patch new file mode 100644 index 00000000000..5762bc7f0d1 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-array-out-of-bounds-reference.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Avraham Stern +Date: Mon, 5 Mar 2018 11:26:53 +0200 +Subject: iwlwifi: mvm: fix array out of bounds reference + +From: Avraham Stern + +[ Upstream commit 4a6d2e525b43eba5870ea7e360f59aa65de00705 ] + +When starting aggregation, the code checks the status of the queue +allocated to the aggregation tid, which might not yet be allocated +and thus the queue index may be invalid. +Fix this by reserving a new queue in case the queue id is invalid. + +While at it, clean up some unreachable code (a condition that is +already handled earlier) and remove all the non-DQA comments since +non-DQA mode is no longer supported. + +Fixes: cf961e16620f ("iwlwifi: mvm: support dqa-mode agg on non-shared queue") +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 38 +++++++-------------------- + 1 file changed, 11 insertions(+), 27 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2436,28 +2436,12 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_ + + /* + * Note the possible cases: +- * 1. In DQA mode with an enabled TXQ - TXQ needs to become agg'ed +- * 2. Non-DQA mode: the TXQ hasn't yet been enabled, so find a free +- * one and mark it as reserved +- * 3. In DQA mode, but no traffic yet on this TID: same treatment as in +- * non-DQA mode, since the TXQ hasn't yet been allocated +- * Don't support case 3 for new TX path as it is not expected to happen +- * and aggregation will be offloaded soon anyway ++ * 1. An enabled TXQ - TXQ needs to become agg'ed ++ * 2. The TXQ hasn't yet been enabled, so find a free one and mark ++ * it as reserved + */ + txq_id = mvmsta->tid_data[tid].txq_id; +- if (iwl_mvm_has_new_tx_api(mvm)) { +- if (txq_id == IWL_MVM_INVALID_QUEUE) { +- ret = -ENXIO; +- goto release_locks; +- } +- } else if (unlikely(mvm->queue_info[txq_id].status == +- IWL_MVM_QUEUE_SHARED)) { +- ret = -ENXIO; +- IWL_DEBUG_TX_QUEUES(mvm, +- "Can't start tid %d agg on shared queue!\n", +- tid); +- goto release_locks; +- } else if (mvm->queue_info[txq_id].status != IWL_MVM_QUEUE_READY) { ++ if (txq_id == IWL_MVM_INVALID_QUEUE) { + txq_id = iwl_mvm_find_free_queue(mvm, mvmsta->sta_id, + IWL_MVM_DQA_MIN_DATA_QUEUE, + IWL_MVM_DQA_MAX_DATA_QUEUE); +@@ -2466,16 +2450,16 @@ int iwl_mvm_sta_tx_agg_start(struct iwl_ + IWL_ERR(mvm, "Failed to allocate agg queue\n"); + goto release_locks; + } +- /* +- * TXQ shouldn't be in inactive mode for non-DQA, so getting +- * an inactive queue from iwl_mvm_find_free_queue() is +- * certainly a bug +- */ +- WARN_ON(mvm->queue_info[txq_id].status == +- IWL_MVM_QUEUE_INACTIVE); + + /* TXQ hasn't yet been enabled, so mark it only as reserved */ + mvm->queue_info[txq_id].status = IWL_MVM_QUEUE_RESERVED; ++ } else if (unlikely(mvm->queue_info[txq_id].status == ++ IWL_MVM_QUEUE_SHARED)) { ++ ret = -ENXIO; ++ IWL_DEBUG_TX_QUEUES(mvm, ++ "Can't start tid %d agg on shared queue!\n", ++ tid); ++ goto release_locks; + } + + spin_unlock(&mvm->queue_info_lock); diff --git a/queue-4.14/iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch b/queue-4.14/iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch new file mode 100644 index 00000000000..c64a7e1028e --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch @@ -0,0 +1,97 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Sun, 7 Jan 2018 14:30:49 +0200 +Subject: iwlwifi: mvm: fix assert 0x2B00 on older FWs + +From: Sara Sharon + +[ Upstream commit 63dd5d022f4766e6b05ee611124afcc7cbfbb953 ] + +We should add the multicast station before adding the +broadcast station. + +However, in older FW, the firmware will start beaconing +when we add the multicast station, and since the broadcast +station is not added at this point so the transmission +of the beacon will fail on assert 0x2b00. + +This is fixed in later firmware, so make the order +of addition depend on the TLV. + +Fixes: 26d6c16bed53 ("iwlwifi: mvm: add multicast station") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 45 +++++++++++++++++----- + 1 file changed, 35 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2016 - 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -2127,15 +2128,40 @@ static int iwl_mvm_start_ap_ibss(struct + if (ret) + goto out_remove; + +- ret = iwl_mvm_add_mcast_sta(mvm, vif); +- if (ret) +- goto out_unbind; +- +- /* Send the bcast station. At this stage the TBTT and DTIM time events +- * are added and applied to the scheduler */ +- ret = iwl_mvm_send_add_bcast_sta(mvm, vif); +- if (ret) +- goto out_rm_mcast; ++ /* ++ * This is not very nice, but the simplest: ++ * For older FWs adding the mcast sta before the bcast station may ++ * cause assert 0x2b00. ++ * This is fixed in later FW so make the order of removal depend on ++ * the TLV ++ */ ++ if (fw_has_api(&mvm->fw->ucode_capa, IWL_UCODE_TLV_API_STA_TYPE)) { ++ ret = iwl_mvm_add_mcast_sta(mvm, vif); ++ if (ret) ++ goto out_unbind; ++ /* ++ * Send the bcast station. At this stage the TBTT and DTIM time ++ * events are added and applied to the scheduler ++ */ ++ ret = iwl_mvm_send_add_bcast_sta(mvm, vif); ++ if (ret) { ++ iwl_mvm_rm_mcast_sta(mvm, vif); ++ goto out_unbind; ++ } ++ } else { ++ /* ++ * Send the bcast station. At this stage the TBTT and DTIM time ++ * events are added and applied to the scheduler ++ */ ++ iwl_mvm_send_add_bcast_sta(mvm, vif); ++ if (ret) ++ goto out_unbind; ++ iwl_mvm_add_mcast_sta(mvm, vif); ++ if (ret) { ++ iwl_mvm_send_rm_bcast_sta(mvm, vif); ++ goto out_unbind; ++ } ++ } + + /* must be set before quota calculations */ + mvmvif->ap_ibss_active = true; +@@ -2165,7 +2191,6 @@ out_quota_failed: + iwl_mvm_power_update_mac(mvm); + mvmvif->ap_ibss_active = false; + iwl_mvm_send_rm_bcast_sta(mvm, vif); +-out_rm_mcast: + iwl_mvm_rm_mcast_sta(mvm, vif); + out_unbind: + iwl_mvm_binding_remove_vif(mvm, vif); diff --git a/queue-4.14/iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch b/queue-4.14/iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch new file mode 100644 index 00000000000..4b7ac3b6339 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch @@ -0,0 +1,75 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andrei Otcheretianski +Date: Thu, 4 Jan 2018 17:39:08 +0200 +Subject: iwlwifi: mvm: Fix channel switch for count 0 and 1 + +From: Andrei Otcheretianski + +[ Upstream commit 40d53f4a60c9eb10d4fa58066c23ba1af8a59e39 ] + +It was assumed that apply_time==0 implies immediate scheduling, which is +wrong. Instead, the fw expects the START_IMMEDIATELY flag to be set. +Otherwise, this resulted in 0x3063 assert. +Fix that. +While at it rename the T2_V2_START_IMMEDIATELY to +TE_V2_START_IMMEDIATELY. + +Fixes: f5d8f50f271d ("iwlwifi: mvm: Fix channel switch in case of count <= 1") +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h | 4 ++-- + drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 6 ++++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h ++++ b/drivers/net/wireless/intel/iwlwifi/fw/api/time-event.h +@@ -211,7 +211,7 @@ enum { + * @TE_V2_NOTIF_HOST_FRAG_END:request/receive notification on frag end + * @TE_V2_NOTIF_INTERNAL_FRAG_START: internal FW use. + * @TE_V2_NOTIF_INTERNAL_FRAG_END: internal FW use. +- * @T2_V2_START_IMMEDIATELY: start time event immediately ++ * @TE_V2_START_IMMEDIATELY: start time event immediately + * @TE_V2_DEP_OTHER: depends on another time event + * @TE_V2_DEP_TSF: depends on a specific time + * @TE_V2_EVENT_SOCIOPATHIC: can't co-exist with other events of tha same MAC +@@ -230,7 +230,7 @@ enum iwl_time_event_policy { + TE_V2_NOTIF_HOST_FRAG_END = BIT(5), + TE_V2_NOTIF_INTERNAL_FRAG_START = BIT(6), + TE_V2_NOTIF_INTERNAL_FRAG_END = BIT(7), +- T2_V2_START_IMMEDIATELY = BIT(11), ++ TE_V2_START_IMMEDIATELY = BIT(11), + + /* placement characteristics */ + TE_V2_DEP_OTHER = BIT(TE_V2_PLACEMENT_POS), +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -621,7 +621,7 @@ void iwl_mvm_protect_session(struct iwl_ + time_cmd.repeat = 1; + time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START | + TE_V2_NOTIF_HOST_EVENT_END | +- T2_V2_START_IMMEDIATELY); ++ TE_V2_START_IMMEDIATELY); + + if (!wait_for_notif) { + iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd); +@@ -814,7 +814,7 @@ int iwl_mvm_start_p2p_roc(struct iwl_mvm + time_cmd.repeat = 1; + time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START | + TE_V2_NOTIF_HOST_EVENT_END | +- T2_V2_START_IMMEDIATELY); ++ TE_V2_START_IMMEDIATELY); + + return iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd); + } +@@ -924,6 +924,8 @@ int iwl_mvm_schedule_csa_period(struct i + time_cmd.interval = cpu_to_le32(1); + time_cmd.policy = cpu_to_le16(TE_V2_NOTIF_HOST_EVENT_START | + TE_V2_ABSENCE); ++ if (!apply_time) ++ time_cmd.policy |= cpu_to_le16(TE_V2_START_IMMEDIATELY); + + return iwl_mvm_time_event_send_add(mvm, vif, te_data, &time_cmd); + } diff --git a/queue-4.14/iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch b/queue-4.14/iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch new file mode 100644 index 00000000000..36c041e8a7c --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Johannes Berg +Date: Thu, 22 Feb 2018 13:51:21 +0100 +Subject: iwlwifi: mvm: fix error checking for multi/broadcast sta + +From: Johannes Berg + +[ Upstream commit 75fd4fec3e4c43b131c7c4958adb3ab9f1665513 ] + +The earlier patch called the station add functions but didn't +assign their return value to the ret variable, so that the +checks for it were meaningless. Fix that. + +Found by smatch: + +.../mac80211.c:2560 iwl_mvm_start_ap_ibss() warn: we tested 'ret' before and it was 'false' +.../mac80211.c:2563 iwl_mvm_start_ap_ibss() warn: we tested 'ret' before and it was 'false' + +Fixes: 3a89411cd31c ("iwlwifi: mvm: fix assert 0x2B00 on older FWs") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -2153,10 +2153,10 @@ static int iwl_mvm_start_ap_ibss(struct + * Send the bcast station. At this stage the TBTT and DTIM time + * events are added and applied to the scheduler + */ +- iwl_mvm_send_add_bcast_sta(mvm, vif); ++ ret = iwl_mvm_send_add_bcast_sta(mvm, vif); + if (ret) + goto out_unbind; +- iwl_mvm_add_mcast_sta(mvm, vif); ++ ret = iwl_mvm_add_mcast_sta(mvm, vif); + if (ret) { + iwl_mvm_send_rm_bcast_sta(mvm, vif); + goto out_unbind; diff --git a/queue-4.14/iwlwifi-mvm-fix-failed-to-remove-key-message.patch b/queue-4.14/iwlwifi-mvm-fix-failed-to-remove-key-message.patch new file mode 100644 index 00000000000..75406f14f27 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-failed-to-remove-key-message.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Mon, 15 Jan 2018 13:50:59 +0200 +Subject: iwlwifi: mvm: fix "failed to remove key" message + +From: Sara Sharon + +[ Upstream commit e4f13ad07823b24a1537518d2163bd164292fb10 ] + +When the GTK is installed, we install it to HW with the +station ID of the AP. + +Mac80211 will try to remove it only after the AP sta is +removed, which will result in a failure to remove key +since we do not have any station for it. + +This is a valid situation, but a previous commit removed +the early return and added a return with error value, which +resulted in an error message that is confusing to users. + +Remove the error return value. + +Fixes: 85aeb58cec1a ("iwlwifi: mvm: Enable security on new TX API") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -3119,8 +3119,9 @@ static int __iwl_mvm_remove_sta_key(stru + int ret, size; + u32 status; + ++ /* This is a valid situation for GTK removal */ + if (sta_id == IWL_MVM_INVALID_STA) +- return -EINVAL; ++ return 0; + + key_flags = cpu_to_le16((keyconf->keyidx << STA_KEY_FLG_KEYID_POS) & + STA_KEY_FLG_KEYID_MSK); diff --git a/queue-4.14/iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch b/queue-4.14/iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch new file mode 100644 index 00000000000..241f4e21d57 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch @@ -0,0 +1,84 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Thu, 21 Dec 2017 15:05:28 +0200 +Subject: iwlwifi: mvm: fix IBSS for devices that support station type API + +From: Sara Sharon + +[ Upstream commit fc07bd8ce19bff9e7479c04077ddb5957d1a27be ] + +In IBSS, the mac80211 sets the cab_queue to be invalid. + +However, the multicast station uses it, so we need to override it. + +A previous patch did it, but it was nested inside the if's and was +applied only for legacy FWs that don't support the new station type +API, instead of being applied for all paths. + +In addition, add a missing NL80211_IFTYPE_ADHOC to the initialization +of the queues in iwl_mvm_mac_ctxt_init() + +Fixes: ee48b72211f8 ("iwlwifi: mvm: support ibss in dqa mode") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 3 +- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 24 +++++++++++----------- + 2 files changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c +@@ -438,7 +438,8 @@ int iwl_mvm_mac_ctxt_init(struct iwl_mvm + } + + /* Allocate the CAB queue for softAP and GO interfaces */ +- if (vif->type == NL80211_IFTYPE_AP) { ++ if (vif->type == NL80211_IFTYPE_AP || ++ vif->type == NL80211_IFTYPE_ADHOC) { + /* + * For TVQM this will be overwritten later with the FW assigned + * queue value (when queue is enabled). +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -2037,6 +2037,17 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm + return -ENOTSUPP; + + /* ++ * In IBSS, ieee80211_check_queues() sets the cab_queue to be ++ * invalid, so make sure we use the queue we want. ++ * Note that this is done here as we want to avoid making DQA ++ * changes in mac80211 layer. ++ */ ++ if (vif->type == NL80211_IFTYPE_ADHOC) { ++ vif->cab_queue = IWL_MVM_DQA_GCAST_QUEUE; ++ mvmvif->cab_queue = vif->cab_queue; ++ } ++ ++ /* + * While in previous FWs we had to exclude cab queue from TFD queue + * mask, now it is needed as any other queue. + */ +@@ -2067,20 +2078,9 @@ int iwl_mvm_add_mcast_sta(struct iwl_mvm + timeout); + mvmvif->cab_queue = queue; + } else if (!fw_has_api(&mvm->fw->ucode_capa, +- IWL_UCODE_TLV_API_STA_TYPE)) { +- /* +- * In IBSS, ieee80211_check_queues() sets the cab_queue to be +- * invalid, so make sure we use the queue we want. +- * Note that this is done here as we want to avoid making DQA +- * changes in mac80211 layer. +- */ +- if (vif->type == NL80211_IFTYPE_ADHOC) { +- vif->cab_queue = IWL_MVM_DQA_GCAST_QUEUE; +- mvmvif->cab_queue = vif->cab_queue; +- } ++ IWL_UCODE_TLV_API_STA_TYPE)) + iwl_mvm_enable_txq(mvm, vif->cab_queue, vif->cab_queue, 0, + &cfg, timeout); +- } + + return 0; + } diff --git a/queue-4.14/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch b/queue-4.14/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch new file mode 100644 index 00000000000..51c274e2fc2 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-security-bug-in-pn-checking.patch @@ -0,0 +1,116 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Tue, 29 Mar 2016 10:56:57 +0300 +Subject: iwlwifi: mvm: fix security bug in PN checking + +From: Sara Sharon + +[ Upstream commit 5ab2ba931255d8bf03009c06d58dce97de32797c ] + +A previous patch allowed the same PN for packets originating from the +same AMSDU by copying PN only for the last packet in the series. + +This however is bogus since we cannot assume the last frame will be +received on the same queue, and if it is received on a different ueue +we will end up not incrementing the PN and possibly let the next +packet to have the same PN and pass through. + +Change the logic instead to driver explicitly indicate for the second +sub frame and on to be allowed to have the same PN as the first +subframe. Indicate it to mac80211 as well for the fallback queue. + +Fixes: f1ae02b186d9 ("iwlwifi: mvm: allow same PN for de-aggregated AMSDU") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 39 +++++++++++++------------- + 1 file changed, 20 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c +@@ -71,6 +71,7 @@ static inline int iwl_mvm_check_pn(struc + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; + struct ieee80211_rx_status *stats = IEEE80211_SKB_RXCB(skb); + struct iwl_mvm_key_pn *ptk_pn; ++ int res; + u8 tid, keyidx; + u8 pn[IEEE80211_CCMP_PN_LEN]; + u8 *extiv; +@@ -127,12 +128,13 @@ static inline int iwl_mvm_check_pn(struc + pn[4] = extiv[1]; + pn[5] = extiv[0]; + +- if (memcmp(pn, ptk_pn->q[queue].pn[tid], +- IEEE80211_CCMP_PN_LEN) <= 0) ++ res = memcmp(pn, ptk_pn->q[queue].pn[tid], IEEE80211_CCMP_PN_LEN); ++ if (res < 0) ++ return -1; ++ if (!res && !(stats->flag & RX_FLAG_ALLOW_SAME_PN)) + return -1; + +- if (!(stats->flag & RX_FLAG_AMSDU_MORE)) +- memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN); ++ memcpy(ptk_pn->q[queue].pn[tid], pn, IEEE80211_CCMP_PN_LEN); + stats->flag |= RX_FLAG_PN_VALIDATED; + + return 0; +@@ -310,28 +312,21 @@ static void iwl_mvm_rx_csum(struct ieee8 + } + + /* +- * returns true if a packet outside BA session is a duplicate and +- * should be dropped ++ * returns true if a packet is a duplicate and should be dropped. ++ * Updates AMSDU PN tracking info + */ +-static bool iwl_mvm_is_nonagg_dup(struct ieee80211_sta *sta, int queue, +- struct ieee80211_rx_status *rx_status, +- struct ieee80211_hdr *hdr, +- struct iwl_rx_mpdu_desc *desc) ++static bool iwl_mvm_is_dup(struct ieee80211_sta *sta, int queue, ++ struct ieee80211_rx_status *rx_status, ++ struct ieee80211_hdr *hdr, ++ struct iwl_rx_mpdu_desc *desc) + { + struct iwl_mvm_sta *mvm_sta; + struct iwl_mvm_rxq_dup_data *dup_data; +- u8 baid, tid, sub_frame_idx; ++ u8 tid, sub_frame_idx; + + if (WARN_ON(IS_ERR_OR_NULL(sta))) + return false; + +- baid = (le32_to_cpu(desc->reorder_data) & +- IWL_RX_MPDU_REORDER_BAID_MASK) >> +- IWL_RX_MPDU_REORDER_BAID_SHIFT; +- +- if (baid != IWL_RX_REORDER_DATA_INVALID_BAID) +- return false; +- + mvm_sta = iwl_mvm_sta_from_mac80211(sta); + dup_data = &mvm_sta->dup_data[queue]; + +@@ -361,6 +356,12 @@ static bool iwl_mvm_is_nonagg_dup(struct + dup_data->last_sub_frame[tid] >= sub_frame_idx)) + return true; + ++ /* Allow same PN as the first subframe for following sub frames */ ++ if (dup_data->last_seq[tid] == hdr->seq_ctrl && ++ sub_frame_idx > dup_data->last_sub_frame[tid] && ++ desc->mac_flags2 & IWL_RX_MPDU_MFLG2_AMSDU) ++ rx_status->flag |= RX_FLAG_ALLOW_SAME_PN; ++ + dup_data->last_seq[tid] = hdr->seq_ctrl; + dup_data->last_sub_frame[tid] = sub_frame_idx; + +@@ -929,7 +930,7 @@ void iwl_mvm_rx_mpdu_mq(struct iwl_mvm * + if (ieee80211_is_data(hdr->frame_control)) + iwl_mvm_rx_csum(sta, skb, desc); + +- if (iwl_mvm_is_nonagg_dup(sta, queue, rx_status, hdr, desc)) { ++ if (iwl_mvm_is_dup(sta, queue, rx_status, hdr, desc)) { + kfree_skb(skb); + goto out; + } diff --git a/queue-4.14/iwlwifi-mvm-fix-tx-of-ccmp-256.patch b/queue-4.14/iwlwifi-mvm-fix-tx-of-ccmp-256.patch new file mode 100644 index 00000000000..9a36baa52a6 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-fix-tx-of-ccmp-256.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Tue, 2 Jan 2018 11:40:15 +0200 +Subject: iwlwifi: mvm: fix TX of CCMP 256 + +From: Sara Sharon + +[ Upstream commit de04d4fbf87b769ab18c480e4f020c53e74bbdd2 ] + +We don't have enough room in the TX command for a CCMP 256 +key, and need to use key from table. + +Fixes: 3264bf032bd9 ("[BUGFIX] iwlwifi: mvm: Fix CCMP IV setting") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -419,11 +419,11 @@ static void iwl_mvm_set_tx_cmd_crypto(st + { + struct ieee80211_key_conf *keyconf = info->control.hw_key; + u8 *crypto_hdr = skb_frag->data + hdrlen; ++ enum iwl_tx_cmd_sec_ctrl type = TX_CMD_SEC_CCM; + u64 pn; + + switch (keyconf->cipher) { + case WLAN_CIPHER_SUITE_CCMP: +- case WLAN_CIPHER_SUITE_CCMP_256: + iwl_mvm_set_tx_cmd_ccmp(info, tx_cmd); + iwl_mvm_set_tx_cmd_pn(info, crypto_hdr); + break; +@@ -447,13 +447,16 @@ static void iwl_mvm_set_tx_cmd_crypto(st + break; + case WLAN_CIPHER_SUITE_GCMP: + case WLAN_CIPHER_SUITE_GCMP_256: ++ type = TX_CMD_SEC_GCMP; ++ /* Fall through */ ++ case WLAN_CIPHER_SUITE_CCMP_256: + /* TODO: Taking the key from the table might introduce a race + * when PTK rekeying is done, having an old packets with a PN + * based on the old key but the message encrypted with a new + * one. + * Need to handle this. + */ +- tx_cmd->sec_ctl |= TX_CMD_SEC_GCMP | TX_CMD_SEC_KEY_FROM_TABLE; ++ tx_cmd->sec_ctl |= type | TX_CMD_SEC_KEY_FROM_TABLE; + tx_cmd->key[0] = keyconf->hw_key_idx; + iwl_mvm_set_tx_cmd_pn(info, crypto_hdr); + break; diff --git a/queue-4.14/iwlwifi-mvm-increase-session-protection-time-after-cs.patch b/queue-4.14/iwlwifi-mvm-increase-session-protection-time-after-cs.patch new file mode 100644 index 00000000000..38ee9497682 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-increase-session-protection-time-after-cs.patch @@ -0,0 +1,134 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andrei Otcheretianski +Date: Wed, 28 Feb 2018 17:18:48 +0200 +Subject: iwlwifi: mvm: Increase session protection time after CS + +From: Andrei Otcheretianski + +[ Upstream commit 19125cb0591ae63cd4591e3dfe4c22058e748518 ] + +After switching to a new channel, driver schedules session protection +time event in order to hear the beacon on the new channel. +The duration of the protection is two beacon intervals. +However, since we start to switch slightly before beacon with count 1, in +case we don't hear (or AP doesn't transmit) the very first beacon on the +new channel the protection ends without hearing any beacon at all. +At this stage the switch is not complete, the queues are closed and the +interface doesn't have quota yet or TBTT events. As the result, we are +stuck forever waiting for iwl_mvm_post_channel_switch() to be called. + +Fix this by increasing the protection time to be 3 beacon intervals and +in addition drop the connection if the time event ends before we got any +beacon. + +Signed-off-by: Andrei Otcheretianski +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 5 ++++- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 3 +++ + drivers/net/wireless/intel/iwlwifi/mvm/time-event.c | 15 ++++++++------- + 3 files changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +@@ -3497,6 +3497,7 @@ static int __iwl_mvm_assign_vif_chanctx( + ret = 0; + goto out; + case NL80211_IFTYPE_STATION: ++ mvmvif->csa_bcn_pending = false; + break; + case NL80211_IFTYPE_MONITOR: + /* always disable PS when a monitor interface is active */ +@@ -3540,7 +3541,7 @@ static int __iwl_mvm_assign_vif_chanctx( + } + + if (switching_chanctx && vif->type == NL80211_IFTYPE_STATION) { +- u32 duration = 2 * vif->bss_conf.beacon_int; ++ u32 duration = 3 * vif->bss_conf.beacon_int; + + /* iwl_mvm_protect_session() reads directly from the + * device (the system time), so make sure it is +@@ -3553,6 +3554,7 @@ static int __iwl_mvm_assign_vif_chanctx( + /* Protect the session to make sure we hear the first + * beacon on the new channel. + */ ++ mvmvif->csa_bcn_pending = true; + iwl_mvm_protect_session(mvm, vif, duration, duration, + vif->bss_conf.beacon_int / 2, + true); +@@ -3996,6 +3998,7 @@ static int iwl_mvm_post_channel_switch(s + if (vif->type == NL80211_IFTYPE_STATION) { + struct iwl_mvm_sta *mvmsta; + ++ mvmvif->csa_bcn_pending = false; + mvmsta = iwl_mvm_sta_from_staid_protected(mvm, + mvmvif->ap_sta_id); + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -434,6 +434,9 @@ struct iwl_mvm_vif { + bool csa_failed; + u16 csa_target_freq; + ++ /* Indicates that we are waiting for a beacon on a new channel */ ++ bool csa_bcn_pending; ++ + /* TCP Checksum Offload */ + netdev_features_t features; + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/time-event.c +@@ -8,6 +8,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -18,11 +19,6 @@ + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * General Public License for more details. + * +- * You should have received a copy of the GNU General Public License +- * along with this program; if not, write to the Free Software +- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110, +- * USA +- * + * The full GNU General Public License is included in this distribution + * in the file called COPYING. + * +@@ -35,6 +31,7 @@ + * Copyright(c) 2012 - 2014 Intel Corporation. All rights reserved. + * Copyright(c) 2013 - 2015 Intel Mobile Communications GmbH + * Copyright(c) 2017 Intel Deutschland GmbH ++ * Copyright(c) 2018 Intel Corporation + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -203,9 +200,13 @@ static bool iwl_mvm_te_check_disconnect( + struct ieee80211_vif *vif, + const char *errmsg) + { ++ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); ++ + if (vif->type != NL80211_IFTYPE_STATION) + return false; +- if (vif->bss_conf.assoc && vif->bss_conf.dtim_period) ++ ++ if (!mvmvif->csa_bcn_pending && vif->bss_conf.assoc && ++ vif->bss_conf.dtim_period) + return false; + if (errmsg) + IWL_ERR(mvm, "%s\n", errmsg); +@@ -349,7 +350,7 @@ static void iwl_mvm_te_handle_notif(stru + * and know the dtim period. + */ + iwl_mvm_te_check_disconnect(mvm, te_data->vif, +- "No association and the time event is over already..."); ++ "No beacon heard and the time event is over already..."); + break; + default: + break; diff --git a/queue-4.14/iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch b/queue-4.14/iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch new file mode 100644 index 00000000000..325515952f6 --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Avraham Stern +Date: Tue, 6 Mar 2018 14:10:49 +0200 +Subject: iwlwifi: mvm: make sure internal station has a valid id + +From: Avraham Stern + +[ Upstream commit df65c8d1728adee2a52c30287d33da83a8c87480 ] + +If the driver failed to resume from D3, it is possible that it has +no valid aux station. In such case, fw restart will end up in sending +station related commands with an invalid station id, which will +result in an assert. + +Fix this by allocating a new station id for the aux station if it +does not have a valid id even in the case of fw restart. + +Signed-off-by: Avraham Stern +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +@@ -1679,7 +1679,8 @@ int iwl_mvm_allocate_int_sta(struct iwl_ + u32 qmask, enum nl80211_iftype iftype, + enum iwl_sta_type type) + { +- if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) { ++ if (!test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status) || ++ sta->sta_id == IWL_MVM_INVALID_STA) { + sta->sta_id = iwl_mvm_find_free_sta_id(mvm, iftype); + if (WARN_ON_ONCE(sta->sta_id == IWL_MVM_INVALID_STA)) + return -ENOSPC; diff --git a/queue-4.14/iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch b/queue-4.14/iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch new file mode 100644 index 00000000000..2b1be7ac34b --- /dev/null +++ b/queue-4.14/iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Emmanuel Grumbach +Date: Thu, 15 Feb 2018 15:48:09 +0200 +Subject: iwlwifi: mvm: set the correct tid when we flush the MCAST sta + +From: Emmanuel Grumbach + +[ Upstream commit 334167decf98f01a66c91ea84180c278bc4ad290 ] + +The tid being used for the queue (cab_queue) for the MCAST +station has been changed recently to be 0 (for BE). +The flush path still flushed only the special tid (15) +which means that the firmware wasn't flushing the right +queue and we could get a firmware crash upon remove +station if we had an MCAST packet on the ring. + +The current code that flushes queues for a station only +differentiates between internal stations (stations that +aren't instantiated in mac80211, like the MCAST station) +and the non-internal ones. +Internal stations can be either: BCAST (beacons), MCAST +(for cab_queue), GENERAL_PURPOSE (p2p dev, and sniffer +injection). The internal stations can use different tids. + +To make the code simpler, just flush all the tids always +and add the special internal tid (15) for internal +stations. The firmware will know how to handle this even +if we hadn't any queue mapped that that tid. + +Fixes: e340c1a6ef4b ("iwlwifi: mvm: Correctly set the tid for mcast queue") +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c +@@ -1879,14 +1879,12 @@ int iwl_mvm_flush_sta(struct iwl_mvm *mv + struct iwl_mvm_int_sta *int_sta = sta; + struct iwl_mvm_sta *mvm_sta = sta; + +- if (iwl_mvm_has_new_tx_api(mvm)) { +- if (internal) +- return iwl_mvm_flush_sta_tids(mvm, int_sta->sta_id, +- BIT(IWL_MGMT_TID), flags); ++ BUILD_BUG_ON(offsetof(struct iwl_mvm_int_sta, sta_id) != ++ offsetof(struct iwl_mvm_sta, sta_id)); + ++ if (iwl_mvm_has_new_tx_api(mvm)) + return iwl_mvm_flush_sta_tids(mvm, mvm_sta->sta_id, +- 0xFF, flags); +- } ++ 0xff | BIT(IWL_MGMT_TID), flags); + + if (internal) + return iwl_mvm_flush_tx_path(mvm, int_sta->tfd_queue_msk, diff --git a/queue-4.14/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch b/queue-4.14/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch new file mode 100644 index 00000000000..e5b5a2c41d9 --- /dev/null +++ b/queue-4.14/ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jacob Keller +Date: Mon, 29 Jan 2018 15:57:48 -0800 +Subject: ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode + +From: Jacob Keller + +[ Upstream commit 6704a3abf4cf4181a1ee64f5db4969347b88ca1d ] + +On hardware which supports timestamping all packets, the timestamps are +recorded in the packet buffer, and the driver no longer uses or reads +the registers. This makes the logic for checking and clearing Rx +timestamp hangs meaningless. + +If we run the ixgbe_ptp_rx_hang() function in this case, then the driver +will continuously spam the log output with "Clearing Rx timestamp hang". +These messages are spurious, and confusing to end users. + +The original code in commit a9763f3cb54c ("ixgbe: Update PTP to support +X550EM_x devices", 2015-12-03) did have a flag PTP_RX_TIMESTAMP_IN_REGISTER +which was intended to be used to avoid the Rx timestamp hang check, +however it did not actually check the flag before calling the function. + +Do so now in order to stop the checks and prevent the spurious log +messages. + +Fixes: a9763f3cb54c ("ixgbe: Update PTP to support X550EM_x devices", 2015-12-03) +Signed-off-by: Jacob Keller +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +@@ -7658,7 +7658,8 @@ static void ixgbe_service_task(struct wo + + if (test_bit(__IXGBE_PTP_RUNNING, &adapter->state)) { + ixgbe_ptp_overflow_check(adapter); +- ixgbe_ptp_rx_hang(adapter); ++ if (adapter->flags & IXGBE_FLAG_RX_HWTSTAMP_IN_REGISTER) ++ ixgbe_ptp_rx_hang(adapter); + ixgbe_ptp_tx_hang(adapter); + } + diff --git a/queue-4.14/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch b/queue-4.14/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch new file mode 100644 index 00000000000..ba7a6e6ff5d --- /dev/null +++ b/queue-4.14/kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Nicolas Pitre +Date: Thu, 15 Mar 2018 16:56:20 -0400 +Subject: kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races + +From: Nicolas Pitre + +[ Upstream commit 825d487583089f9a33d31650c9c41f6474aab7fc ] + +Some filesystems have timestamps with coarse precision that may allow +for a recently built object file to have the same timestamp as the +updated time on one of its dependency files. When that happens, the +object file doesn't get rebuilt as it should. + +This is especially the case on filesystems that don't have sub-second +time precision, such as ext3 or Ext4 with 128B inodes. + +Let's prevent that by making sure updated dependency files have a newer +timestamp than the first file we created (i.e. autoksyms.h.tmpnew). + +Reported-by: Thomas Lindroth +Signed-off-by: Nicolas Pitre +Tested-by: Thomas Lindroth +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/adjust_autoksyms.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/scripts/adjust_autoksyms.sh ++++ b/scripts/adjust_autoksyms.sh +@@ -84,6 +84,13 @@ while read sympath; do + depfile="include/config/ksym/${sympath}.h" + mkdir -p "$(dirname "$depfile")" + touch "$depfile" ++ # Filesystems with coarse time precision may create timestamps ++ # equal to the one from a file that was very recently built and that ++ # needs to be rebuild. Let's guard against that by making sure our ++ # dep files are always newer than the first file we created here. ++ while [ ! "$depfile" -nt "$new_ksyms_file" ]; do ++ touch "$depfile" ++ done + echo $((count += 1)) + done | tail -1 ) + changed=${changed:-0} diff --git a/queue-4.14/kdb-make-mdr-command-repeat.patch b/queue-4.14/kdb-make-mdr-command-repeat.patch new file mode 100644 index 00000000000..942293ac0cf --- /dev/null +++ b/queue-4.14/kdb-make-mdr-command-repeat.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Randy Dunlap +Date: Fri, 8 Dec 2017 10:19:19 -0800 +Subject: kdb: make "mdr" command repeat + +From: Randy Dunlap + +[ Upstream commit 1e0ce03bf142454f38a5fc050bf4fd698d2d36d8 ] + +The "mdr" command should repeat (continue) when only Enter/Return +is pressed, so make it do so. + +Signed-off-by: Randy Dunlap +Cc: Daniel Thompson +Cc: Jason Wessel +Cc: kgdb-bugreport@lists.sourceforge.net +Signed-off-by: Jason Wessel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/debug/kdb/kdb_main.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -1566,6 +1566,7 @@ static int kdb_md(int argc, const char * + int symbolic = 0; + int valid = 0; + int phys = 0; ++ int raw = 0; + + kdbgetintenv("MDCOUNT", &mdcount); + kdbgetintenv("RADIX", &radix); +@@ -1575,9 +1576,10 @@ static int kdb_md(int argc, const char * + repeat = mdcount * 16 / bytesperword; + + if (strcmp(argv[0], "mdr") == 0) { +- if (argc != 2) ++ if (argc == 2 || (argc == 0 && last_addr != 0)) ++ valid = raw = 1; ++ else + return KDB_ARGCOUNT; +- valid = 1; + } else if (isdigit(argv[0][2])) { + bytesperword = (int)(argv[0][2] - '0'); + if (bytesperword == 0) { +@@ -1613,7 +1615,10 @@ static int kdb_md(int argc, const char * + radix = last_radix; + bytesperword = last_bytesperword; + repeat = last_repeat; +- mdcount = ((repeat * bytesperword) + 15) / 16; ++ if (raw) ++ mdcount = repeat; ++ else ++ mdcount = ((repeat * bytesperword) + 15) / 16; + } + + if (argc) { +@@ -1630,7 +1635,10 @@ static int kdb_md(int argc, const char * + diag = kdbgetularg(argv[nextarg], &val); + if (!diag) { + mdcount = (int) val; +- repeat = mdcount * 16 / bytesperword; ++ if (raw) ++ repeat = mdcount; ++ else ++ repeat = mdcount * 16 / bytesperword; + } + } + if (argc >= nextarg+1) { +@@ -1640,8 +1648,15 @@ static int kdb_md(int argc, const char * + } + } + +- if (strcmp(argv[0], "mdr") == 0) +- return kdb_mdr(addr, mdcount); ++ if (strcmp(argv[0], "mdr") == 0) { ++ int ret; ++ last_addr = addr; ++ ret = kdb_mdr(addr, mdcount); ++ last_addr += mdcount; ++ last_repeat = mdcount; ++ last_bytesperword = bytesperword; // to make REPEAT happy ++ return ret; ++ } + + switch (radix) { + case 10: diff --git a/queue-4.14/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch b/queue-4.14/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch new file mode 100644 index 00000000000..d7cb181ccfe --- /dev/null +++ b/queue-4.14/kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Rientjes +Date: Wed, 21 Feb 2018 14:45:32 -0800 +Subject: kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE + +From: David Rientjes + +[ Upstream commit 88913bd8ea2a75d7e460a4bed5f75e1c32660d7e ] + +chan->n_subbufs is set by the user and relay_create_buf() does a kmalloc() +of chan->n_subbufs * sizeof(size_t *). + +kmalloc_slab() will generate a warning when this fails if +chan->subbufs * sizeof(size_t *) > KMALLOC_MAX_SIZE. + +Limit chan->n_subbufs to the maximum allowed kmalloc() size. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1802061216100.122576@chino.kir.corp.google.com +Fixes: f6302f1bcd75 ("relay: prevent integer overflow in relay_open()") +Signed-off-by: David Rientjes +Reviewed-by: Andrew Morton +Cc: Jens Axboe +Cc: Dave Jiang +Cc: Al Viro +Cc: Dan Carpenter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/relay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/relay.c ++++ b/kernel/relay.c +@@ -163,7 +163,7 @@ static struct rchan_buf *relay_create_bu + { + struct rchan_buf *buf; + +- if (chan->n_subbufs > UINT_MAX / sizeof(size_t *)) ++ if (chan->n_subbufs > KMALLOC_MAX_SIZE / sizeof(size_t *)) + return NULL; + + buf = kzalloc(sizeof(struct rchan_buf), GFP_KERNEL); diff --git a/queue-4.14/kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch b/queue-4.14/kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch new file mode 100644 index 00000000000..79339828bd8 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch @@ -0,0 +1,50 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andre Przywara +Date: Tue, 6 Mar 2018 09:21:06 +0000 +Subject: KVM: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending + +From: Andre Przywara + +[ Upstream commit 62b06f8f429cd233e4e2e7bbd21081ad60c9018f ] + +Our irq_is_pending() helper function accesses multiple members of the +vgic_irq struct, so we need to hold the lock when calling it. +Add that requirement as a comment to the definition and take the lock +around the call in vgic_mmio_read_pending(), where we were missing it +before. + +Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers") +Signed-off-by: Andre Przywara +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-mmio.c | 3 +++ + virt/kvm/arm/vgic/vgic.h | 1 + + 2 files changed, 4 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-mmio.c ++++ b/virt/kvm/arm/vgic/vgic-mmio.c +@@ -110,9 +110,12 @@ unsigned long vgic_mmio_read_pending(str + /* Loop over all IRQs affected by this read */ + for (i = 0; i < len * 8; i++) { + struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i); ++ unsigned long flags; + ++ spin_lock_irqsave(&irq->irq_lock, flags); + if (irq_is_pending(irq)) + value |= (1U << i); ++ spin_unlock_irqrestore(&irq->irq_lock, flags); + + vgic_put_irq(vcpu->kvm, irq); + } +--- a/virt/kvm/arm/vgic/vgic.h ++++ b/virt/kvm/arm/vgic/vgic.h +@@ -96,6 +96,7 @@ + /* we only support 64 kB translation table page size */ + #define KVM_ITS_L1E_ADDR_MASK GENMASK_ULL(51, 16) + ++/* Requires the irq_lock to be held by the caller. */ + static inline bool irq_is_pending(struct vgic_irq *irq) + { + if (irq->config == VGIC_CONFIG_EDGE) diff --git a/queue-4.14/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch b/queue-4.14/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch new file mode 100644 index 00000000000..c4e50781c4f --- /dev/null +++ b/queue-4.14/kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Ott +Date: Thu, 22 Feb 2018 13:05:41 +0100 +Subject: kvm: fix warning for CONFIG_HAVE_KVM_EVENTFD builds + +From: Sebastian Ott + +[ Upstream commit 076467490b8176eb96eddc548a14d4135c7b5852 ] + +Move the kvm_arch_irq_routing_update() prototype outside of +ifdef CONFIG_HAVE_KVM_EVENTFD guards to fix the following sparse warning: + +arch/s390/kvm/../../../virt/kvm/irqchip.c:171:28: warning: symbol 'kvm_arch_irq_routing_update' was not declared. Should it be static? + +Signed-off-by: Sebastian Ott +Acked-by: Christian Borntraeger +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1104,7 +1104,6 @@ static inline void kvm_irq_routing_updat + { + } + #endif +-void kvm_arch_irq_routing_update(struct kvm *kvm); + + static inline int kvm_ioeventfd(struct kvm *kvm, struct kvm_ioeventfd *args) + { +@@ -1113,6 +1112,8 @@ static inline int kvm_ioeventfd(struct k + + #endif /* CONFIG_HAVE_KVM_EVENTFD */ + ++void kvm_arch_irq_routing_update(struct kvm *kvm); ++ + static inline void kvm_make_request(int req, struct kvm_vcpu *vcpu) + { + /* diff --git a/queue-4.14/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch b/queue-4.14/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch new file mode 100644 index 00000000000..25446fbb522 --- /dev/null +++ b/queue-4.14/kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Vitaly Kuznetsov +Date: Fri, 9 Feb 2018 14:01:33 +0100 +Subject: KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use + +From: Vitaly Kuznetsov + +[ Upstream commit 0bcc3fb95b97ac2ca223a5a870287b37f56265ac ] + +Devices which use level-triggered interrupts under Windows 2016 with +Hyper-V role enabled don't work: Windows disables EOI broadcast in SPIV +unconditionally. Our in-kernel IOAPIC implementation emulates an old IOAPIC +version which has no EOI register so EOI never happens. + +The issue was discovered and discussed a while ago: +https://www.spinics.net/lists/kvm/msg148098.html + +While this is a guest OS bug (it should check that IOAPIC has the required +capabilities before disabling EOI broadcast) we can workaround it in KVM: +advertising DIRECTED_EOI with in-kernel IOAPIC makes little sense anyway. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -321,8 +321,16 @@ void kvm_apic_set_version(struct kvm_vcp + if (!lapic_in_kernel(vcpu)) + return; + ++ /* ++ * KVM emulates 82093AA datasheet (with in-kernel IOAPIC implementation) ++ * which doesn't have EOI register; Some buggy OSes (e.g. Windows with ++ * Hyper-V role) disable EOI broadcast in lapic not checking for IOAPIC ++ * version first and level-triggered interrupts never get EOIed in ++ * IOAPIC. ++ */ + feat = kvm_find_cpuid_entry(apic->vcpu, 0x1, 0); +- if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31)))) ++ if (feat && (feat->ecx & (1 << (X86_FEATURE_X2APIC & 31))) && ++ !ioapic_in_kernel(vcpu->kvm)) + v |= APIC_LVR_DIRECTED_EOI; + kvm_lapic_set_reg(apic, APIC_LVR, v); + } diff --git a/queue-4.14/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch b/queue-4.14/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch new file mode 100644 index 00000000000..2de74a619f5 --- /dev/null +++ b/queue-4.14/kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chao Gao +Date: Sun, 11 Feb 2018 10:06:30 +0800 +Subject: KVM: nVMX: Don't halt vcpu when L1 is injecting events to L2 + +From: Chao Gao + +[ Upstream commit 135a06c3a515bbd17729eb04f4f26316d48363d7 ] + +Although L2 is in halt state, it will be in the active state after +VM entry if the VM entry is vectoring according to SDM 26.6.2 Activity +State. Halting the vcpu here means the event won't be injected to L2 +and this decision isn't reported to L1. Thus L0 drops an event that +should be injected to L2. + +Cc: Liran Alon +Reviewed-by: Liran Alon +Signed-off-by: Chao Gao +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -11174,7 +11174,12 @@ static int nested_vmx_run(struct kvm_vcp + if (ret) + return ret; + +- if (vmcs12->guest_activity_state == GUEST_ACTIVITY_HLT) ++ /* ++ * If we're entering a halted L2 vcpu and the L2 vcpu won't be woken ++ * by event injection, halt vcpu. ++ */ ++ if ((vmcs12->guest_activity_state == GUEST_ACTIVITY_HLT) && ++ !(vmcs12->vm_entry_intr_info_field & INTR_INFO_VALID_MASK)) + return kvm_vcpu_halt(vcpu); + + vmx->nested.nested_run_pending = 1; diff --git a/queue-4.14/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch b/queue-4.14/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch new file mode 100644 index 00000000000..cdcf13df594 --- /dev/null +++ b/queue-4.14/kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch @@ -0,0 +1,83 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sean Christopherson +Date: Fri, 23 Mar 2018 09:34:00 -0700 +Subject: KVM: VMX: raise internal error for exception during invalid protected mode state + +From: Sean Christopherson + +[ Upstream commit add5ff7a216ee545a214013f26d1ef2f44a9c9f8 ] + +Exit to userspace with KVM_INTERNAL_ERROR_EMULATION if we encounter +an exception in Protected Mode while emulating guest due to invalid +guest state. Unlike Big RM, KVM doesn't support emulating exceptions +in PM, i.e. PM exceptions are always injected via the VMCS. Because +we will never do VMRESUME due to emulation_required, the exception is +never realized and we'll keep emulating the faulting instruction over +and over until we receive a signal. + +Exit to userspace iff there is a pending exception, i.e. don't exit +simply on a requested event. The purpose of this check and exit is to +aid in debugging a guest that is in all likelihood already doomed. +Invalid guest state in PM is extremely limited in normal operation, +e.g. it generally only occurs for a few instructions early in BIOS, +and any exception at this time is all but guaranteed to be fatal. +Non-vectored interrupts, e.g. INIT, SIPI and SMI, can be cleanly +handled/emulated, while checking for vectored interrupts, e.g. INTR +and NMI, without hitting false positives would add a fair amount of +complexity for almost no benefit (getting hit by lightning seems +more likely than encountering this specific scenario). + +Add a WARN_ON_ONCE to vmx_queue_exception() if we try to inject an +exception via the VMCS and emulation_required is true. + +Signed-off-by: Sean Christopherson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -2583,6 +2583,8 @@ static void vmx_queue_exception(struct k + return; + } + ++ WARN_ON_ONCE(vmx->emulation_required); ++ + if (kvm_exception_is_soft(nr)) { + vmcs_write32(VM_ENTRY_INSTRUCTION_LEN, + vmx->vcpu.arch.event_exit_inst_len); +@@ -6829,12 +6831,12 @@ static int handle_invalid_guest_state(st + goto out; + } + +- if (err != EMULATE_DONE) { +- vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; +- vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; +- vcpu->run->internal.ndata = 0; +- return 0; +- } ++ if (err != EMULATE_DONE) ++ goto emulation_error; ++ ++ if (vmx->emulation_required && !vmx->rmode.vm86_active && ++ vcpu->arch.exception.pending) ++ goto emulation_error; + + if (vcpu->arch.halt_request) { + vcpu->arch.halt_request = 0; +@@ -6850,6 +6852,12 @@ static int handle_invalid_guest_state(st + + out: + return ret; ++ ++emulation_error: ++ vcpu->run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ vcpu->run->internal.suberror = KVM_INTERNAL_ERROR_EMULATION; ++ vcpu->run->internal.ndata = 0; ++ return 0; + } + + static int __grow_ple_window(int val) diff --git a/queue-4.14/lan78xx-connect-phy-early.patch b/queue-4.14/lan78xx-connect-phy-early.patch new file mode 100644 index 00000000000..64ea0e3c1a6 --- /dev/null +++ b/queue-4.14/lan78xx-connect-phy-early.patch @@ -0,0 +1,174 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexander Graf +Date: Wed, 4 Apr 2018 00:19:35 +0200 +Subject: lan78xx: Connect phy early + +From: Alexander Graf + +[ Upstream commit 92571a1aae40d291158d16e7142637908220f470 ] + +When using wicked with a lan78xx device attached to the system, we +end up with ethtool commands issued on the device before an ifup +got issued. That lead to the following crash: + + Unable to handle kernel NULL pointer dereference at virtual address 0000039c + pgd = ffff800035b30000 + [0000039c] *pgd=0000000000000000 + Internal error: Oops: 96000004 [#1] SMP + Modules linked in: [...] + Supported: Yes + CPU: 3 PID: 638 Comm: wickedd Tainted: G E 4.12.14-0-default #1 + Hardware name: raspberrypi rpi/rpi, BIOS 2018.03-rc2 02/21/2018 + task: ffff800035e74180 task.stack: ffff800036718000 + PC is at phy_ethtool_ksettings_get+0x20/0x98 + LR is at lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + pc : [] lr : [] pstate: 20000005 + sp : ffff80003671bb20 + x29: ffff80003671bb20 x28: ffff800035e74180 + x27: ffff000008912000 x26: 000000000000001d + x25: 0000000000000124 x24: ffff000008f74d00 + x23: 0000004000114809 x22: 0000000000000000 + x21: ffff80003671bbd0 x20: 0000000000000000 + x19: ffff80003671bbd0 x18: 000000000000040d + x17: 0000000000000001 x16: 0000000000000000 + x15: 0000000000000000 x14: ffffffffffffffff + x13: 0000000000000000 x12: 0000000000000020 + x11: 0101010101010101 x10: fefefefefefefeff + x9 : 7f7f7f7f7f7f7f7f x8 : fefefeff31677364 + x7 : 0000000080808080 x6 : ffff80003671bc9c + x5 : ffff80003671b9f8 x4 : ffff80002c296190 + x3 : 0000000000000000 x2 : 0000000000000000 + x1 : ffff80003671bbd0 x0 : ffff80003671bc00 + Process wickedd (pid: 638, stack limit = 0xffff800036718000) + Call trace: + Exception stack(0xffff80003671b9e0 to 0xffff80003671bb20) + b9e0: ffff80003671bc00 ffff80003671bbd0 0000000000000000 0000000000000000 + ba00: ffff80002c296190 ffff80003671b9f8 ffff80003671bc9c 0000000080808080 + ba20: fefefeff31677364 7f7f7f7f7f7f7f7f fefefefefefefeff 0101010101010101 + ba40: 0000000000000020 0000000000000000 ffffffffffffffff 0000000000000000 + ba60: 0000000000000000 0000000000000001 000000000000040d ffff80003671bbd0 + ba80: 0000000000000000 ffff80003671bbd0 0000000000000000 0000004000114809 + baa0: ffff000008f74d00 0000000000000124 000000000000001d ffff000008912000 + bac0: ffff800035e74180 ffff80003671bb20 ffff000000dcca84 ffff80003671bb20 + bae0: ffff0000086f7f30 0000000020000005 ffff80002c296000 ffff800035223900 + bb00: 0000ffffffffffff 0000000000000000 ffff80003671bb20 ffff0000086f7f30 + [] phy_ethtool_ksettings_get+0x20/0x98 + [] lan78xx_get_link_ksettings+0x44/0x60 [lan78xx] + [] ethtool_get_settings+0x68/0x210 + [] dev_ethtool+0x214/0x2180 + [] dev_ioctl+0x400/0x630 + [] sock_do_ioctl+0x70/0x88 + [] sock_ioctl+0x208/0x368 + [] do_vfs_ioctl+0xb0/0x848 + [] SyS_ioctl+0x8c/0xa8 + Exception stack(0xffff80003671bec0 to 0xffff80003671c000) + bec0: 0000000000000009 0000000000008946 0000fffff4e841d0 0000aa0032687465 + bee0: 0000aaaafa2319d4 0000fffff4e841d4 0000000032687465 0000000032687465 + bf00: 000000000000001d 7f7fff7f7f7f7f7f 72606b622e71ff4c 7f7f7f7f7f7f7f7f + bf20: 0101010101010101 0000000000000020 ffffffffffffffff 0000ffff7f510c68 + bf40: 0000ffff7f6a9d18 0000ffff7f44ce30 000000000000040d 0000ffff7f6f98f0 + bf60: 0000fffff4e842c0 0000000000000001 0000aaaafa2c2e00 0000ffff7f6ab000 + bf80: 0000fffff4e842c0 0000ffff7f62a000 0000aaaafa2b9f20 0000aaaafa2c2e00 + bfa0: 0000fffff4e84818 0000fffff4e841a0 0000ffff7f5ad0cc 0000fffff4e841a0 + bfc0: 0000ffff7f44ce3c 0000000080000000 0000000000000009 000000000000001d + bfe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + +The culprit is quite simple: The driver tries to access the phy left and right, +but only actually has a working reference to it when the device is up. + +The fix thus is quite simple too: Get a reference to the phy on probe already +and keep it even when the device is going down. + +With this patch applied, I can successfully run wicked on my system and bring +the interface up and down as many times as I want, without getting NULL pointer +dereferences in between. + +Signed-off-by: Alexander Graf +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2083,10 +2083,6 @@ static int lan78xx_phy_init(struct lan78 + + dev->fc_autoneg = phydev->autoneg; + +- phy_start(phydev); +- +- netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); +- + return 0; + + error: +@@ -2523,9 +2519,9 @@ static int lan78xx_open(struct net_devic + if (ret < 0) + goto done; + +- ret = lan78xx_phy_init(dev); +- if (ret < 0) +- goto done; ++ phy_start(net->phydev); ++ ++ netif_dbg(dev, ifup, dev->net, "phy initialised successfully"); + + /* for Link Check */ + if (dev->urb_intr) { +@@ -2586,13 +2582,8 @@ static int lan78xx_stop(struct net_devic + if (timer_pending(&dev->stat_monitor)) + del_timer_sync(&dev->stat_monitor); + +- phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); +- phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); +- +- phy_stop(net->phydev); +- phy_disconnect(net->phydev); +- +- net->phydev = NULL; ++ if (net->phydev) ++ phy_stop(net->phydev); + + clear_bit(EVENT_DEV_OPEN, &dev->flags); + netif_stop_queue(net); +@@ -3507,8 +3498,13 @@ static void lan78xx_disconnect(struct us + return; + + udev = interface_to_usbdev(intf); +- + net = dev->net; ++ ++ phy_unregister_fixup_for_uid(PHY_KSZ9031RNX, 0xfffffff0); ++ phy_unregister_fixup_for_uid(PHY_LAN8835, 0xfffffff0); ++ ++ phy_disconnect(net->phydev); ++ + unregister_netdev(net); + + cancel_delayed_work_sync(&dev->wq); +@@ -3668,8 +3664,14 @@ static int lan78xx_probe(struct usb_inte + pm_runtime_set_autosuspend_delay(&udev->dev, + DEFAULT_AUTOSUSPEND_DELAY); + ++ ret = lan78xx_phy_init(dev); ++ if (ret < 0) ++ goto out4; ++ + return 0; + ++out4: ++ unregister_netdev(netdev); + out3: + lan78xx_unbind(dev, intf); + out2: +@@ -4017,7 +4019,7 @@ static int lan78xx_reset_resume(struct u + + lan78xx_reset(dev); + +- lan78xx_phy_init(dev); ++ phy_start(dev->net->phydev); + + return lan78xx_resume(intf); + } diff --git a/queue-4.14/lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch b/queue-4.14/lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch new file mode 100644 index 00000000000..faf88b15b08 --- /dev/null +++ b/queue-4.14/lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Raghuram Chary J +Date: Fri, 23 Mar 2018 15:48:08 +0530 +Subject: lan78xx: Set ASD in MAC_CR when EEE is enabled. + +From: Raghuram Chary J + +[ Upstream commit e69647a19c870c2f919e4d5023af8a515e8ef25f ] + +Description: +EEE does not work with lan7800 when AutoSpeed is not set. +(This can happen when EEPROM is not populated or configured incorrectly) + +Root-Cause: +When EEE is enabled, the mac config register ASD is not set +i.e. in default state, causing EEE fail. + +Fix: +Set the register when eeprom is not present. + +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver") +Signed-off-by: Raghuram Chary J +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/lan78xx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -2352,6 +2352,7 @@ static int lan78xx_reset(struct lan78xx_ + u32 buf; + int ret = 0; + unsigned long timeout; ++ u8 sig; + + ret = lan78xx_read_reg(dev, HW_CFG, &buf); + buf |= HW_CFG_LRST_; +@@ -2451,6 +2452,15 @@ static int lan78xx_reset(struct lan78xx_ + /* LAN7801 only has RGMII mode */ + if (dev->chipid == ID_REV_CHIP_ID_7801_) + buf &= ~MAC_CR_GMII_EN_; ++ ++ if (dev->chipid == ID_REV_CHIP_ID_7800_) { ++ ret = lan78xx_read_raw_eeprom(dev, 0, 1, &sig); ++ if (!ret && sig != EEPROM_INDICATOR) { ++ /* Implies there is no external eeprom. Set mac speed */ ++ netdev_info(dev->net, "No External EEPROM. Setting MAC Speed\n"); ++ buf |= MAC_CR_AUTO_DUPLEX_ | MAC_CR_AUTO_SPEED_; ++ } ++ } + ret = lan78xx_write_reg(dev, MAC_CR, buf); + + ret = lan78xx_read_reg(dev, MAC_TX, &buf); diff --git a/queue-4.14/lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch b/queue-4.14/lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch new file mode 100644 index 00000000000..a7272047b73 --- /dev/null +++ b/queue-4.14/lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Luis R. Rodriguez" +Date: Fri, 9 Mar 2018 15:51:20 -0800 +Subject: lib/test_kmod.c: fix limit check on number of test devices created + +From: "Luis R. Rodriguez" + +[ Upstream commit ac68b1b3b9c73e652dc7ce0585672e23c5a2dca4 ] + +As reported by Dan the parentheses is in the wrong place, and since +unlikely() call returns either 0 or 1 it's never less than zero. The +second issue is that signed integer overflows like "INT_MAX + 1" are +undefined behavior. + +Since num_test_devs represents the number of devices, we want to stop +prior to hitting the max, and not rely on the wrap arround at all. So +just cap at num_test_devs + 1, prior to assigning a new device. + +Link: http://lkml.kernel.org/r/20180224030046.24238-1-mcgrof@kernel.org +Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") +Reported-by: Dan Carpenter +Signed-off-by: Luis R. Rodriguez +Acked-by: Kees Cook +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/test_kmod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/test_kmod.c ++++ b/lib/test_kmod.c +@@ -1149,7 +1149,7 @@ static struct kmod_test_device *register + mutex_lock(®_dev_mutex); + + /* int should suffice for number of devices, test for wrap */ +- if (unlikely(num_test_devs + 1) < 0) { ++ if (num_test_devs + 1 == INT_MAX) { + pr_err("reached limit of number of test devices\n"); + goto out; + } diff --git a/queue-4.14/libata-fix-compile-warning-with-ata_debug-enabled.patch b/queue-4.14/libata-fix-compile-warning-with-ata_debug-enabled.patch new file mode 100644 index 00000000000..f71398caedf --- /dev/null +++ b/queue-4.14/libata-fix-compile-warning-with-ata_debug-enabled.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dong Bo +Date: Fri, 26 Jan 2018 11:21:49 +0800 +Subject: libata: Fix compile warning with ATA_DEBUG enabled + +From: Dong Bo + +[ Upstream commit 0d3e45bc6507bd1f8728bf586ebd16c2d9e40613 ] + +This fixs the following comile warnings with ATA_DEBUG enabled, +which detected by Linaro GCC 5.2-2015.11: + + drivers/ata/libata-scsi.c: In function 'ata_scsi_dump_cdb': + ./include/linux/kern_levels.h:5:18: warning: format '%d' expects + argument of type 'int', but argument 6 has type 'u64 {aka long + long unsigned int}' [-Wformat=] + +tj: Patch hand-applied and description trimmed. + +Signed-off-by: Dong Bo +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-scsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4287,7 +4287,7 @@ static inline void ata_scsi_dump_cdb(str + #ifdef ATA_DEBUG + struct scsi_device *scsidev = cmd->device; + +- DPRINTK("CDB (%u:%d,%d,%d) %9ph\n", ++ DPRINTK("CDB (%u:%d,%d,%lld) %9ph\n", + ap->print_id, + scsidev->channel, scsidev->id, scsidev->lun, + cmd->cmnd); diff --git a/queue-4.14/libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch b/queue-4.14/libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch new file mode 100644 index 00000000000..31bf38aba5e --- /dev/null +++ b/queue-4.14/libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch @@ -0,0 +1,68 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chengguang Xu +Date: Tue, 6 Feb 2018 08:25:55 +0800 +Subject: libceph, ceph: avoid memory leak when specifying same option several times + +From: Chengguang Xu + +[ Upstream commit 937441f3a3158d5510ca8cc78a82453f57a96365 ] + +When parsing string option, in order to avoid memory leak we need to +carefully free it first in case of specifying same option several times. + +Signed-off-by: Chengguang Xu +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/super.c | 2 ++ + net/ceph/ceph_common.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -224,6 +224,7 @@ static int parse_fsopt_token(char *c, vo + return -ENOMEM; + break; + case Opt_mds_namespace: ++ kfree(fsopt->mds_namespace); + fsopt->mds_namespace = kstrndup(argstr[0].from, + argstr[0].to-argstr[0].from, + GFP_KERNEL); +@@ -231,6 +232,7 @@ static int parse_fsopt_token(char *c, vo + return -ENOMEM; + break; + case Opt_fscache_uniq: ++ kfree(fsopt->fscache_uniq); + fsopt->fscache_uniq = kstrndup(argstr[0].from, + argstr[0].to-argstr[0].from, + GFP_KERNEL); +--- a/net/ceph/ceph_common.c ++++ b/net/ceph/ceph_common.c +@@ -418,11 +418,15 @@ ceph_parse_options(char *options, const + opt->flags |= CEPH_OPT_FSID; + break; + case Opt_name: ++ kfree(opt->name); + opt->name = kstrndup(argstr[0].from, + argstr[0].to-argstr[0].from, + GFP_KERNEL); + break; + case Opt_secret: ++ ceph_crypto_key_destroy(opt->key); ++ kfree(opt->key); ++ + opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL); + if (!opt->key) { + err = -ENOMEM; +@@ -433,6 +437,9 @@ ceph_parse_options(char *options, const + goto out; + break; + case Opt_key: ++ ceph_crypto_key_destroy(opt->key); ++ kfree(opt->key); ++ + opt->key = kzalloc(sizeof(*opt->key), GFP_KERNEL); + if (!opt->key) { + err = -ENOMEM; diff --git a/queue-4.14/llc-properly-handle-dev_queue_xmit-return-value.patch b/queue-4.14/llc-properly-handle-dev_queue_xmit-return-value.patch new file mode 100644 index 00000000000..8d286142dd5 --- /dev/null +++ b/queue-4.14/llc-properly-handle-dev_queue_xmit-return-value.patch @@ -0,0 +1,171 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Cong Wang +Date: Mon, 26 Mar 2018 15:08:33 -0700 +Subject: llc: properly handle dev_queue_xmit() return value + +From: Cong Wang + +[ Upstream commit b85ab56c3f81c5a24b5a5213374f549df06430da ] + +llc_conn_send_pdu() pushes the skb into write queue and +calls llc_conn_send_pdus() to flush them out. However, the +status of dev_queue_xmit() is not returned to caller, +in this case, llc_conn_state_process(). + +llc_conn_state_process() needs hold the skb no matter +success or failure, because it still uses it after that, +therefore we should hold skb before dev_queue_xmit() when +that skb is the one being processed by llc_conn_state_process(). + +For other callers, they can just pass NULL and ignore +the return value as they are. + +Reported-by: Noam Rathaus +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/llc_conn.h | 2 +- + net/llc/llc_c_ac.c | 15 +++++++++------ + net/llc/llc_conn.c | 32 +++++++++++++++++++++++--------- + 3 files changed, 33 insertions(+), 16 deletions(-) + +--- a/include/net/llc_conn.h ++++ b/include/net/llc_conn.h +@@ -104,7 +104,7 @@ void llc_sk_reset(struct sock *sk); + + /* Access to a connection */ + int llc_conn_state_process(struct sock *sk, struct sk_buff *skb); +-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); ++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_rtn_pdu(struct sock *sk, struct sk_buff *skb); + void llc_conn_resend_i_pdu_as_cmd(struct sock *sk, u8 nr, u8 first_p_bit); + void llc_conn_resend_i_pdu_as_rsp(struct sock *sk, u8 nr, u8 first_f_bit); +--- a/net/llc/llc_c_ac.c ++++ b/net/llc/llc_c_ac.c +@@ -389,7 +389,7 @@ static int llc_conn_ac_send_i_cmd_p_set_ + llc_pdu_init_as_i_cmd(skb, 0, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- llc_conn_send_pdu(sk, skb); ++ rc = llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -916,7 +916,7 @@ static int llc_conn_ac_send_i_rsp_f_set_ + llc_pdu_init_as_i_cmd(skb, llc->ack_pf, llc->vS, llc->vR); + rc = llc_mac_hdr_init(skb, llc->dev->dev_addr, llc->daddr.mac); + if (likely(!rc)) { +- llc_conn_send_pdu(sk, skb); ++ rc = llc_conn_send_pdu(sk, skb); + llc_conn_ac_inc_vs_by_1(sk, skb); + } + return rc; +@@ -935,14 +935,17 @@ static int llc_conn_ac_send_i_rsp_f_set_ + int llc_conn_ac_send_i_as_ack(struct sock *sk, struct sk_buff *skb) + { + struct llc_sock *llc = llc_sk(sk); ++ int ret; + + if (llc->ack_must_be_send) { +- llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); ++ ret = llc_conn_ac_send_i_rsp_f_set_ackpf(sk, skb); + llc->ack_must_be_send = 0 ; + llc->ack_pf = 0; +- } else +- llc_conn_ac_send_i_cmd_p_set_0(sk, skb); +- return 0; ++ } else { ++ ret = llc_conn_ac_send_i_cmd_p_set_0(sk, skb); ++ } ++ ++ return ret; + } + + /** +--- a/net/llc/llc_conn.c ++++ b/net/llc/llc_conn.c +@@ -30,7 +30,7 @@ + #endif + + static int llc_find_offset(int state, int ev_type); +-static void llc_conn_send_pdus(struct sock *sk); ++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *skb); + static int llc_conn_service(struct sock *sk, struct sk_buff *skb); + static int llc_exec_conn_trans_actions(struct sock *sk, + struct llc_conn_state_trans *trans, +@@ -193,11 +193,11 @@ out_skb_put: + return rc; + } + +-void llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) ++int llc_conn_send_pdu(struct sock *sk, struct sk_buff *skb) + { + /* queue PDU to send to MAC layer */ + skb_queue_tail(&sk->sk_write_queue, skb); +- llc_conn_send_pdus(sk); ++ return llc_conn_send_pdus(sk, skb); + } + + /** +@@ -255,7 +255,7 @@ void llc_conn_resend_i_pdu_as_cmd(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk); ++ llc_conn_send_pdus(sk, NULL); + out:; + } + +@@ -296,7 +296,7 @@ void llc_conn_resend_i_pdu_as_rsp(struct + if (howmany_resend > 0) + llc->vS = (llc->vS + 1) % LLC_2_SEQ_NBR_MODULO; + /* any PDUs to re-send are queued up; start sending to MAC */ +- llc_conn_send_pdus(sk); ++ llc_conn_send_pdus(sk, NULL); + out:; + } + +@@ -340,12 +340,16 @@ out: + /** + * llc_conn_send_pdus - Sends queued PDUs + * @sk: active connection ++ * @hold_skb: the skb held by caller, or NULL if does not care + * +- * Sends queued pdus to MAC layer for transmission. ++ * Sends queued pdus to MAC layer for transmission. When @hold_skb is ++ * NULL, always return 0. Otherwise, return 0 if @hold_skb is sent ++ * successfully, or 1 for failure. + */ +-static void llc_conn_send_pdus(struct sock *sk) ++static int llc_conn_send_pdus(struct sock *sk, struct sk_buff *hold_skb) + { + struct sk_buff *skb; ++ int ret = 0; + + while ((skb = skb_dequeue(&sk->sk_write_queue)) != NULL) { + struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb); +@@ -357,10 +361,20 @@ static void llc_conn_send_pdus(struct so + skb_queue_tail(&llc_sk(sk)->pdu_unack_q, skb); + if (!skb2) + break; +- skb = skb2; ++ dev_queue_xmit(skb2); ++ } else { ++ bool is_target = skb == hold_skb; ++ int rc; ++ ++ if (is_target) ++ skb_get(skb); ++ rc = dev_queue_xmit(skb); ++ if (is_target) ++ ret = rc; + } +- dev_queue_xmit(skb); + } ++ ++ return ret; + } + + /** diff --git a/queue-4.14/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch b/queue-4.14/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch new file mode 100644 index 00000000000..1add72d9661 --- /dev/null +++ b/queue-4.14/locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch @@ -0,0 +1,97 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andrea Parri +Date: Tue, 20 Feb 2018 19:45:56 +0100 +Subject: locking/xchg/alpha: Add unconditional memory barrier to cmpxchg() + +From: Andrea Parri + +[ Upstream commit cb13b424e986aed68d74cbaec3449ea23c50e167 ] + +Continuing along with the fight against smp_read_barrier_depends() [1] +(or rather, against its improper use), add an unconditional barrier to +cmpxchg. This guarantees that dependency ordering is preserved when a +dependency is headed by an unsuccessful cmpxchg. As it turns out, the +change could enable further simplification of LKMM as proposed in [2]. + +[1] https://marc.info/?l=linux-kernel&m=150884953419377&w=2 + https://marc.info/?l=linux-kernel&m=150884946319353&w=2 + https://marc.info/?l=linux-kernel&m=151215810824468&w=2 + https://marc.info/?l=linux-kernel&m=151215816324484&w=2 + +[2] https://marc.info/?l=linux-kernel&m=151881978314872&w=2 + +Signed-off-by: Andrea Parri +Acked-by: Peter Zijlstra +Acked-by: Paul E. McKenney +Cc: Alan Stern +Cc: Ivan Kokshaysky +Cc: Linus Torvalds +Cc: Matt Turner +Cc: Richard Henderson +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-alpha@vger.kernel.org +Link: http://lkml.kernel.org/r/1519152356-4804-1-git-send-email-parri.andrea@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/include/asm/xchg.h | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/arch/alpha/include/asm/xchg.h ++++ b/arch/alpha/include/asm/xchg.h +@@ -128,10 +128,9 @@ ____xchg(, volatile void *ptr, unsigned + * store NEW in MEM. Return the initial value in MEM. Success is + * indicated by comparing RETURN with OLD. + * +- * The memory barrier should be placed in SMP only when we actually +- * make the change. If we don't change anything (so if the returned +- * prev is equal to old) then we aren't acquiring anything new and +- * we don't need any memory barrier as far I can tell. ++ * The memory barrier is placed in SMP unconditionally, in order to ++ * guarantee that dependency ordering is preserved when a dependency ++ * is headed by an unsuccessful operation. + */ + + static inline unsigned long +@@ -150,8 +149,8 @@ ____cmpxchg(_u8, volatile char *m, unsig + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -177,8 +176,8 @@ ____cmpxchg(_u16, volatile short *m, uns + " or %1,%2,%2\n" + " stq_c %2,0(%4)\n" + " beq %2,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -200,8 +199,8 @@ ____cmpxchg(_u32, volatile int *m, int o + " mov %4,%1\n" + " stl_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" +@@ -223,8 +222,8 @@ ____cmpxchg(_u64, volatile long *m, unsi + " mov %4,%1\n" + " stq_c %1,%2\n" + " beq %1,3f\n" +- __ASM__MB + "2:\n" ++ __ASM__MB + ".subsection 2\n" + "3: br 1b\n" + ".previous" diff --git a/queue-4.14/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch b/queue-4.14/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch new file mode 100644 index 00000000000..c7f5053f8f4 --- /dev/null +++ b/queue-4.14/locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch @@ -0,0 +1,141 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Andrea Parri +Date: Thu, 22 Feb 2018 10:24:48 +0100 +Subject: locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs + +From: Andrea Parri + +[ Upstream commit 472e8c55cf6622d1c112dc2bc777f68bbd4189db ] + +Successful RMW operations are supposed to be fully ordered, but +Alpha's xchg() and cmpxchg() do not meet this requirement. + +Will Deacon noticed the bug: + + > So MP using xchg: + > + > WRITE_ONCE(x, 1) + > xchg(y, 1) + > + > smp_load_acquire(y) == 1 + > READ_ONCE(x) == 0 + > + > would be allowed. + +... which thus violates the above requirement. + +Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations. + +Reported-by: Will Deacon +Signed-off-by: Andrea Parri +Acked-by: Paul E. McKenney +Cc: Alan Stern +Cc: Andrew Morton +Cc: Ivan Kokshaysky +Cc: Linus Torvalds +Cc: Matt Turner +Cc: Peter Zijlstra +Cc: Richard Henderson +Cc: Thomas Gleixner +Cc: linux-alpha@vger.kernel.org +Link: http://lkml.kernel.org/r/1519291488-5752-1-git-send-email-parri.andrea@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/include/asm/xchg.h | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/alpha/include/asm/xchg.h ++++ b/arch/alpha/include/asm/xchg.h +@@ -12,6 +12,10 @@ + * Atomic exchange. + * Since it can be used to implement critical sections + * it must clobber "memory" (also for interrupts in UP). ++ * ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. ++ * + */ + + static inline unsigned long +@@ -19,6 +23,7 @@ ____xchg(_u8, volatile char *m, unsigned + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " insbl %1,%4,%1\n" +@@ -43,6 +48,7 @@ ____xchg(_u16, volatile short *m, unsign + { + unsigned long ret, tmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %4,7,%3\n" + " inswl %1,%4,%1\n" +@@ -67,6 +73,7 @@ ____xchg(_u32, volatile int *m, unsigned + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -87,6 +94,7 @@ ____xchg(_u64, volatile long *m, unsigne + { + unsigned long dummy; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%4\n" + " bis $31,%3,%1\n" +@@ -128,9 +136,12 @@ ____xchg(, volatile void *ptr, unsigned + * store NEW in MEM. Return the initial value in MEM. Success is + * indicated by comparing RETURN with OLD. + * +- * The memory barrier is placed in SMP unconditionally, in order to +- * guarantee that dependency ordering is preserved when a dependency +- * is headed by an unsuccessful operation. ++ * The leading and the trailing memory barriers guarantee that these ++ * operations are fully ordered. ++ * ++ * The trailing memory barrier is placed in SMP unconditionally, in ++ * order to guarantee that dependency ordering is preserved when a ++ * dependency is headed by an unsuccessful operation. + */ + + static inline unsigned long +@@ -138,6 +149,7 @@ ____cmpxchg(_u8, volatile char *m, unsig + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " insbl %1,%5,%1\n" +@@ -165,6 +177,7 @@ ____cmpxchg(_u16, volatile short *m, uns + { + unsigned long prev, tmp, cmp, addr64; + ++ smp_mb(); + __asm__ __volatile__( + " andnot %5,7,%4\n" + " inswl %1,%5,%1\n" +@@ -192,6 +205,7 @@ ____cmpxchg(_u32, volatile int *m, int o + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldl_l %0,%5\n" + " cmpeq %0,%3,%1\n" +@@ -215,6 +229,7 @@ ____cmpxchg(_u64, volatile long *m, unsi + { + unsigned long prev, cmp; + ++ smp_mb(); + __asm__ __volatile__( + "1: ldq_l %0,%5\n" + " cmpeq %0,%3,%1\n" diff --git a/queue-4.14/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch b/queue-4.14/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch new file mode 100644 index 00000000000..edd6fcbb3e2 --- /dev/null +++ b/queue-4.14/m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Greg Ungerer +Date: Wed, 28 Mar 2018 17:12:18 +1000 +Subject: m68k: set dma and coherent masks for platform FEC ethernets + +From: Greg Ungerer + +[ Upstream commit f61e64310b75733d782e930d1fb404b84699eed6 ] + +As of commit 205e1b7f51e4 ("dma-mapping: warn when there is no +coherent_dma_mask") the Freescale FEC driver is issuing the following +warning on driver initialization on ColdFire systems: + +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 0x40159e20 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.16.0-rc7-dirty #4 +Stack from 41833dd8: + 41833dd8 40259c53 40025534 40279e26 00000003 00000000 4004e514 41827000 + 400255de 40244e42 00000204 40159e20 00000009 00000000 00000000 4024531d + 40159e20 40244e42 00000204 00000000 00000000 00000000 00000007 00000000 + 00000000 40279e26 4028d040 40226576 4003ae88 40279e26 418273f6 41833ef8 + 7fffffff 418273f2 41867028 4003c9a2 4180ac6c 00000004 41833f8c 4013e71c + 40279e1c 40279e26 40226c16 4013ced2 40279e26 40279e58 4028d040 00000000 +Call Trace: + [<40025534>] 0x40025534 + [<4004e514>] 0x4004e514 + [<400255de>] 0x400255de + [<40159e20>] 0x40159e20 + [<40159e20>] 0x40159e20 + +It is not fatal, the driver and the system continue to function normally. + +As per the warning the coherent_dma_mask is not set on this device. +There is nothing special about the DMA memory coherency on this hardware +so we can just set the mask to 32bits in the platform data for the FEC +ethernet devices. + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/coldfire/device.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/arch/m68k/coldfire/device.c ++++ b/arch/m68k/coldfire/device.c +@@ -135,7 +135,11 @@ static struct platform_device mcf_fec0 = + .id = 0, + .num_resources = ARRAY_SIZE(mcf_fec0_resources), + .resource = mcf_fec0_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec0.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + + #ifdef MCFFEC_BASE1 +@@ -167,7 +171,11 @@ static struct platform_device mcf_fec1 = + .id = 1, + .num_resources = ARRAY_SIZE(mcf_fec1_resources), + .resource = mcf_fec1_resources, +- .dev.platform_data = FEC_PDATA, ++ .dev = { ++ .dma_mask = &mcf_fec1.dev.coherent_dma_mask, ++ .coherent_dma_mask = DMA_BIT_MASK(32), ++ .platform_data = FEC_PDATA, ++ } + }; + #endif /* MCFFEC_BASE1 */ + #endif /* CONFIG_FEC */ diff --git a/queue-4.14/mac80211-do-not-disconnect-on-invalid-operating-class.patch b/queue-4.14/mac80211-do-not-disconnect-on-invalid-operating-class.patch new file mode 100644 index 00000000000..8431c4bf837 --- /dev/null +++ b/queue-4.14/mac80211-do-not-disconnect-on-invalid-operating-class.patch @@ -0,0 +1,66 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ilan Peer +Date: Mon, 19 Feb 2018 14:48:42 +0200 +Subject: mac80211: Do not disconnect on invalid operating class + +From: Ilan Peer + +[ Upstream commit 191da271ac260700db3e5b4bb982a17ca78769d6 ] + +Some APs include a non global operating class in their extended channel +switch information element. In such a case, as the operating class is not +known, mac80211 would decide to disconnect. + +However the specification states that the operating class needs to be +taken from Annex E, but it does not specify from which table it should be +taken, so it is valid for an AP to use a non global operating class. + +To avoid possibly unneeded disconnection, in such a case ignore the +operating class and assume that the current band is used, and if the +resulting channel and band configuration is invalid disconnect. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/spectmgmt.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/net/mac80211/spectmgmt.c ++++ b/net/mac80211/spectmgmt.c +@@ -8,6 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2008, Intel Corporation + * Copyright 2008, Johannes Berg ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -27,7 +28,7 @@ int ieee80211_parse_ch_switch_ie(struct + u32 sta_flags, u8 *bssid, + struct ieee80211_csa_ie *csa_ie) + { +- enum nl80211_band new_band; ++ enum nl80211_band new_band = current_band; + int new_freq; + u8 new_chan_no; + struct ieee80211_channel *new_chan; +@@ -55,15 +56,13 @@ int ieee80211_parse_ch_switch_ie(struct + elems->ext_chansw_ie->new_operating_class, + &new_band)) { + sdata_info(sdata, +- "cannot understand ECSA IE operating class %d, disconnecting\n", ++ "cannot understand ECSA IE operating class, %d, ignoring\n", + elems->ext_chansw_ie->new_operating_class); +- return -EINVAL; + } + new_chan_no = elems->ext_chansw_ie->new_ch_num; + csa_ie->count = elems->ext_chansw_ie->count; + csa_ie->mode = elems->ext_chansw_ie->mode; + } else if (elems->ch_switch_ie) { +- new_band = current_band; + new_chan_no = elems->ch_switch_ie->new_ch_num; + csa_ie->count = elems->ch_switch_ie->count; + csa_ie->mode = elems->ch_switch_ie->mode; diff --git a/queue-4.14/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch b/queue-4.14/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch new file mode 100644 index 00000000000..1527b314852 --- /dev/null +++ b/queue-4.14/mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Felix Fietkau +Date: Fri, 23 Feb 2018 10:06:03 +0100 +Subject: mac80211: drop frames with unexpected DS bits from fast-rx to slow path + +From: Felix Fietkau + +[ Upstream commit b323ac19b7734a1c464b2785a082ee50bccd3b91 ] + +Fixes rx for 4-addr packets in AP mode. These may be used for setting +up a 4-addr link for stations that are allowed to do so. + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -3928,7 +3928,7 @@ static bool ieee80211_invoke_fast_rx(str + if ((hdr->frame_control & cpu_to_le16(IEEE80211_FCTL_FROMDS | + IEEE80211_FCTL_TODS)) != + fast_rx->expected_ds_bits) +- goto drop; ++ return false; + + /* assign the key to drop unencrypted frames (later) + * and strip the IV/MIC if necessary diff --git a/queue-4.14/mac80211-fix-a-possible-leak-of-station-stats.patch b/queue-4.14/mac80211-fix-a-possible-leak-of-station-stats.patch new file mode 100644 index 00000000000..d95bb6d9bfd --- /dev/null +++ b/queue-4.14/mac80211-fix-a-possible-leak-of-station-stats.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Mon, 19 Feb 2018 14:48:35 +0200 +Subject: mac80211: fix a possible leak of station stats + +From: Sara Sharon + +[ Upstream commit d78d9ee9d40aca4781d2c5334972544601a4c3a2 ] + +If sta_info_alloc fails after allocating the per CPU statistics, +they are not properly freed. + +Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -439,6 +439,7 @@ free_txq: + if (sta->sta.txq[0]) + kfree(to_txq_info(sta->sta.txq[0])); + free: ++ free_percpu(sta->pcpu_rx_stats); + #ifdef CONFIG_MAC80211_MESH + kfree(sta->mesh); + #endif diff --git a/queue-4.14/mac80211-fix-calling-sleeping-function-in-atomic-context.patch b/queue-4.14/mac80211-fix-calling-sleeping-function-in-atomic-context.patch new file mode 100644 index 00000000000..c834f39c2c3 --- /dev/null +++ b/queue-4.14/mac80211-fix-calling-sleeping-function-in-atomic-context.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sara Sharon +Date: Mon, 19 Feb 2018 14:48:37 +0200 +Subject: mac80211: fix calling sleeping function in atomic context + +From: Sara Sharon + +[ Upstream commit 95f3ce6a77893ac828ba841df44421620de4314b ] + +sta_info_alloc can be called from atomic paths (such as RX path) +so we need to call pcpu_alloc with the correct gfp. + +Fixes: c9c5962b56c1 ("mac80211: enable collecting station statistics per-CPU") +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -314,7 +314,7 @@ struct sta_info *sta_info_alloc(struct i + + if (ieee80211_hw_check(hw, USES_RSS)) { + sta->pcpu_rx_stats = +- alloc_percpu(struct ieee80211_sta_rx_stats); ++ alloc_percpu_gfp(struct ieee80211_sta_rx_stats, gfp); + if (!sta->pcpu_rx_stats) + goto free; + } diff --git a/queue-4.14/mac80211-fix-sending-addba-response-for-an-ongoing-session.patch b/queue-4.14/mac80211-fix-sending-addba-response-for-an-ongoing-session.patch new file mode 100644 index 00000000000..81cd690f4b4 --- /dev/null +++ b/queue-4.14/mac80211-fix-sending-addba-response-for-an-ongoing-session.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ilan Peer +Date: Mon, 19 Feb 2018 14:48:43 +0200 +Subject: mac80211: Fix sending ADDBA response for an ongoing session + +From: Ilan Peer + +[ Upstream commit 3b07029729e347f288c70227cfe3c66b085d6b0b ] + +In case an ADDBA request is received while there is already +an ongoing BA sessions with the same parameters, i.e., update +flow, an ADBBA response with decline status was sent twice. Fix it. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/agg-rx.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/net/mac80211/agg-rx.c ++++ b/net/mac80211/agg-rx.c +@@ -8,6 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation + * Copyright(c) 2015-2017 Intel Deutschland GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -322,9 +323,6 @@ void ___ieee80211_start_rx_ba_session(st + * driver so reject the timeout update. + */ + status = WLAN_STATUS_REQUEST_DECLINED; +- ieee80211_send_addba_resp(sta->sdata, sta->sta.addr, +- tid, dialog_token, status, +- 1, buf_size, timeout); + goto end; + } + diff --git a/queue-4.14/mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch b/queue-4.14/mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch new file mode 100644 index 00000000000..e64274dbde1 --- /dev/null +++ b/queue-4.14/mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Peter Oh +Date: Fri, 26 Jan 2018 14:02:37 -0800 +Subject: mac80211: mesh: fix wrong mesh TTL offset calculation + +From: Peter Oh + +[ Upstream commit c4de37ee2b55deac7d6aeac33e02e3d6be243898 ] + +mesh TTL offset in Mesh Channel Switch Parameters element depends on +not only Secondary Channel Offset element, but also affected by +HT Control field and Wide Bandwidth Channel Switch element. +So use element structure to manipulate mesh channel swich param IE +after removing its constant attribution to correct the miscalculation. + +Signed-off-by: Peter Oh +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ieee80211_i.h | 2 +- + net/mac80211/mesh.c | 17 ++++++----------- + 2 files changed, 7 insertions(+), 12 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1466,7 +1466,7 @@ struct ieee802_11_elems { + const struct ieee80211_timeout_interval_ie *timeout_int; + const u8 *opmode_notif; + const struct ieee80211_sec_chan_offs_ie *sec_chan_offs; +- const struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie; ++ struct ieee80211_mesh_chansw_params_ie *mesh_chansw_params_ie; + const struct ieee80211_bss_max_idle_period_ie *max_idle_period_ie; + + /* length of them, respectively */ +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -1253,13 +1253,12 @@ int ieee80211_mesh_csa_beacon(struct iee + } + + static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata, +- struct ieee80211_mgmt *mgmt, size_t len) ++ struct ieee80211_mgmt *mgmt, size_t len, ++ struct ieee802_11_elems *elems) + { + struct ieee80211_mgmt *mgmt_fwd; + struct sk_buff *skb; + struct ieee80211_local *local = sdata->local; +- u8 *pos = mgmt->u.action.u.chan_switch.variable; +- size_t offset_ttl; + + skb = dev_alloc_skb(local->tx_headroom + len); + if (!skb) +@@ -1267,13 +1266,9 @@ static int mesh_fwd_csa_frame(struct iee + skb_reserve(skb, local->tx_headroom); + mgmt_fwd = skb_put(skb, len); + +- /* offset_ttl is based on whether the secondary channel +- * offset is available or not. Subtract 1 from the mesh TTL +- * and disable the initiator flag before forwarding. +- */ +- offset_ttl = (len < 42) ? 7 : 10; +- *(pos + offset_ttl) -= 1; +- *(pos + offset_ttl + 1) &= ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR; ++ elems->mesh_chansw_params_ie->mesh_ttl--; ++ elems->mesh_chansw_params_ie->mesh_flags &= ++ ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR; + + memcpy(mgmt_fwd, mgmt, len); + eth_broadcast_addr(mgmt_fwd->da); +@@ -1321,7 +1316,7 @@ static void mesh_rx_csa_frame(struct iee + + /* forward or re-broadcast the CSA frame */ + if (fwd_csa) { +- if (mesh_fwd_csa_frame(sdata, mgmt, len) < 0) ++ if (mesh_fwd_csa_frame(sdata, mgmt, len, &elems) < 0) + mcsa_dbg(sdata, "Failed to forward the CSA frame"); + } + } diff --git a/queue-4.14/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch b/queue-4.14/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch new file mode 100644 index 00000000000..3efd64b1d57 --- /dev/null +++ b/queue-4.14/mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Felix Fietkau +Date: Sat, 10 Feb 2018 13:20:34 +0100 +Subject: mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4 + +From: Felix Fietkau + +[ Upstream commit 651b9920d7a694ffb1f885aef2bbb068a25d9d66 ] + +This ensures that mac80211 allocated management frames are properly +aligned, which makes copying them more efficient. +For instance, mt76 uses iowrite32_copy to copy beacon frames to beacon +template memory on the chip. +Misaligned 32-bit accesses cause CPU exceptions on MIPS and should be +avoided. + +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/mac80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -4141,7 +4141,7 @@ void ieee80211_sta_uapsd_trigger(struct + * The TX headroom reserved by mac80211 for its own tx_status functions. + * This is enough for the radiotap header. + */ +-#define IEEE80211_TX_STATUS_HEADROOM 14 ++#define IEEE80211_TX_STATUS_HEADROOM ALIGN(14, 4) + + /** + * ieee80211_sta_set_buffered - inform mac80211 about driver-buffered frames diff --git a/queue-4.14/macsec-missing-dev_put-on-error-in-macsec_newlink.patch b/queue-4.14/macsec-missing-dev_put-on-error-in-macsec_newlink.patch new file mode 100644 index 00000000000..dfbbd986e7d --- /dev/null +++ b/queue-4.14/macsec-missing-dev_put-on-error-in-macsec_newlink.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dan Carpenter +Date: Wed, 21 Mar 2018 11:09:01 +0300 +Subject: macsec: missing dev_put() on error in macsec_newlink() + +From: Dan Carpenter + +[ Upstream commit 5dcd8400884cc4a043a6d4617e042489e5d566a9 ] + +We moved the dev_hold(real_dev); call earlier in the function but forgot +to update the error paths. + +Fixes: 0759e552bce7 ("macsec: fix negative refcnt on parent link") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3248,7 +3248,7 @@ static int macsec_newlink(struct net *ne + + err = netdev_upper_dev_link(real_dev, dev); + if (err < 0) +- goto unregister; ++ goto put_dev; + + /* need to be already registered so that ->init has run and + * the MAC addr is set +@@ -3284,7 +3284,8 @@ del_dev: + macsec_del_dev(macsec); + unlink: + netdev_upper_dev_unlink(real_dev, dev); +-unregister: ++put_dev: ++ dev_put(real_dev); + unregister_netdevice(dev); + return err; + } diff --git a/queue-4.14/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch b/queue-4.14/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch new file mode 100644 index 00000000000..839d978c13e --- /dev/null +++ b/queue-4.14/macvlan-fix-use-after-free-in-macvlan_common_newlink.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexey Kodanev +Date: Thu, 22 Feb 2018 18:20:30 +0300 +Subject: macvlan: fix use-after-free in macvlan_common_newlink() + +From: Alexey Kodanev + +[ Upstream commit 4e14bf4236490306004782813b8b4494b18f5e60 ] + +The following use-after-free was reported by KASan when running +LTP macvtap01 test on 4.16-rc2: + +[10642.528443] BUG: KASAN: use-after-free in + macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450 +... +[10642.963873] Call Trace: +[10642.994352] dump_stack+0x5c/0x7c +[10643.035325] print_address_description+0x75/0x290 +[10643.092938] kasan_report+0x28d/0x390 +[10643.137971] ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10643.207963] macvlan_common_newlink+0x12ef/0x14a0 [macvlan] +[10643.275978] macvtap_newlink+0x171/0x260 [macvtap] +[10643.334532] rtnl_newlink+0xd4f/0x1300 +... +[10646.256176] Allocated by task 18450: +[10646.299964] kasan_kmalloc+0xa6/0xd0 +[10646.343746] kmem_cache_alloc_trace+0xf1/0x210 +[10646.397826] macvlan_common_newlink+0x6de/0x14a0 [macvlan] +[10646.464386] macvtap_newlink+0x171/0x260 [macvtap] +[10646.522728] rtnl_newlink+0xd4f/0x1300 +... +[10647.022028] Freed by task 18450: +[10647.061549] __kasan_slab_free+0x138/0x180 +[10647.111468] kfree+0x9e/0x1c0 +[10647.147869] macvlan_port_destroy+0x3db/0x650 [macvlan] +[10647.211411] rollback_registered_many+0x5b9/0xb10 +[10647.268715] rollback_registered+0xd9/0x190 +[10647.319675] register_netdevice+0x8eb/0xc70 +[10647.370635] macvlan_common_newlink+0xe58/0x14a0 [macvlan] +[10647.437195] macvtap_newlink+0x171/0x260 [macvtap] + +Commit d02fd6e7d293 ("macvlan: Fix one possible double free") handles +the case when register_netdevice() invokes ndo_uninit() on error and +as a result free the port. But 'macvlan_port_get_rtnl(dev))' check +(returns dev->rx_handler_data), which was added by this commit in order +to prevent double free, is not quite correct: + +* for macvlan it always returns NULL because 'lowerdev' is the one that + was used to register rx handler (port) in macvlan_port_create() as + well as to unregister it in macvlan_port_destroy(). +* for macvtap it always returns a valid pointer because macvtap registers + its own rx handler before macvlan_common_newlink(). + +Fixes: d02fd6e7d293 ("macvlan: Fix one possible double free") +Signed-off-by: Alexey Kodanev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macvlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/macvlan.c ++++ b/drivers/net/macvlan.c +@@ -1448,7 +1448,7 @@ destroy_macvlan_port: + /* the macvlan port may be freed by macvlan_uninit when fail to register. + * so we destroy the macvlan port only when it's valid. + */ +- if (create && macvlan_port_get_rtnl(dev)) ++ if (create && macvlan_port_get_rtnl(lowerdev)) + macvlan_port_destroy(port->dev); + return err; + } diff --git a/queue-4.14/max17042-propagate-of_node-to-power-supply-device.patch b/queue-4.14/max17042-propagate-of_node-to-power-supply-device.patch new file mode 100644 index 00000000000..56bb8db63fe --- /dev/null +++ b/queue-4.14/max17042-propagate-of_node-to-power-supply-device.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Pierre Bourdon +Date: Tue, 20 Feb 2018 16:03:18 +0100 +Subject: max17042: propagate of_node to power supply device + +From: Pierre Bourdon + +[ Upstream commit 66ec32fc7cd116dab5c02603ea8ec28ff92da3b5 ] + +max17042_get_status uses the core power_supply_am_i_supplied. That +function relies on DT properties to figure out the power supply +topology, and will error out without DT. + +Fixes max17042 battery status being reported as "unknown". + +Signed-off-by: Pierre Bourdon +Signed-off-by: Andre Heider +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -1021,6 +1021,7 @@ static int max17042_probe(struct i2c_cli + + i2c_set_clientdata(client, chip); + psy_cfg.drv_data = chip; ++ psy_cfg.of_node = dev->of_node; + + /* When current is not measured, + * CURRENT_NOW and CURRENT_AVG properties should be invisible. */ diff --git a/queue-4.14/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch b/queue-4.14/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch new file mode 100644 index 00000000000..7cb60d28212 --- /dev/null +++ b/queue-4.14/md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch @@ -0,0 +1,117 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: BingJing Chang +Date: Thu, 22 Feb 2018 13:34:46 +0800 +Subject: md: fix a potential deadlock of raid5/raid10 reshape + +From: BingJing Chang + +[ Upstream commit 8876391e440ba615b10eef729576e111f0315f87 ] + +There is a potential deadlock if mount/umount happens when +raid5_finish_reshape() tries to grow the size of emulated disk. + +How the deadlock happens? +1) The raid5 resync thread finished reshape (expanding array). +2) The mount or umount thread holds VFS sb->s_umount lock and tries to + write through critical data into raid5 emulated block device. So it + waits for raid5 kernel thread handling stripes in order to finish it + I/Os. +3) In the routine of raid5 kernel thread, md_check_recovery() will be + called first in order to reap the raid5 resync thread. That is, + raid5_finish_reshape() will be called. In this function, it will try + to update conf and call VFS revalidate_disk() to grow the raid5 + emulated block device. It will try to acquire VFS sb->s_umount lock. +The raid5 kernel thread cannot continue, so no one can handle mount/ +umount I/Os (stripes). Once the write-through I/Os cannot be finished, +mount/umount will not release sb->s_umount lock. The deadlock happens. + +The raid5 kernel thread is an emulated block device. It is responible to +handle I/Os (stripes) from upper layers. The emulated block device +should not request any I/Os on itself. That is, it should not call VFS +layer functions. (If it did, it will try to acquire VFS locks to +guarantee the I/Os sequence.) So we have the resync thread to send +resync I/O requests and to wait for the results. + +For solving this potential deadlock, we can put the size growth of the +emulated block device as the final step of reshape thread. + +2017/12/29: +Thanks to Guoqing Jiang , +we confirmed that there is the same deadlock issue in raid10. It's +reproducible and can be fixed by this patch. For raid10.c, we can remove +the similar code to prevent deadlock as well since they has been called +before. + +Reported-by: Alex Wu +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 13 +++++++++++++ + drivers/md/raid10.c | 8 +------- + drivers/md/raid5.c | 8 +------- + 3 files changed, 15 insertions(+), 14 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -8522,6 +8522,19 @@ void md_do_sync(struct md_thread *thread + set_mask_bits(&mddev->sb_flags, 0, + BIT(MD_SB_CHANGE_PENDING) | BIT(MD_SB_CHANGE_DEVS)); + ++ if (test_bit(MD_RECOVERY_RESHAPE, &mddev->recovery) && ++ !test_bit(MD_RECOVERY_INTR, &mddev->recovery) && ++ mddev->delta_disks > 0 && ++ mddev->pers->finish_reshape && ++ mddev->pers->size && ++ mddev->queue) { ++ mddev_lock_nointr(mddev); ++ md_set_array_sectors(mddev, mddev->pers->size(mddev, 0, 0)); ++ mddev_unlock(mddev); ++ set_capacity(mddev->gendisk, mddev->array_sectors); ++ revalidate_disk(mddev->gendisk); ++ } ++ + spin_lock(&mddev->lock); + if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) { + /* We completed so min/max setting can be forgotten if used. */ +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4693,17 +4693,11 @@ static void raid10_finish_reshape(struct + return; + + if (mddev->delta_disks > 0) { +- sector_t size = raid10_size(mddev, 0, 0); +- md_set_array_sectors(mddev, size); + if (mddev->recovery_cp > mddev->resync_max_sectors) { + mddev->recovery_cp = mddev->resync_max_sectors; + set_bit(MD_RECOVERY_NEEDED, &mddev->recovery); + } +- mddev->resync_max_sectors = size; +- if (mddev->queue) { +- set_capacity(mddev->gendisk, mddev->array_sectors); +- revalidate_disk(mddev->gendisk); +- } ++ mddev->resync_max_sectors = mddev->array_sectors; + } else { + int d; + rcu_read_lock(); +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -8001,13 +8001,7 @@ static void raid5_finish_reshape(struct + + if (!test_bit(MD_RECOVERY_INTR, &mddev->recovery)) { + +- if (mddev->delta_disks > 0) { +- md_set_array_sectors(mddev, raid5_size(mddev, 0, 0)); +- if (mddev->queue) { +- set_capacity(mddev->gendisk, mddev->array_sectors); +- revalidate_disk(mddev->gendisk); +- } +- } else { ++ if (mddev->delta_disks <= 0) { + int d; + spin_lock_irq(&conf->device_lock); + mddev->degraded = raid5_calc_degraded(conf); diff --git a/queue-4.14/md-fix-md_write_start-deadlock-w-o-metadata-devices.patch b/queue-4.14/md-fix-md_write_start-deadlock-w-o-metadata-devices.patch new file mode 100644 index 00000000000..79f5672ae97 --- /dev/null +++ b/queue-4.14/md-fix-md_write_start-deadlock-w-o-metadata-devices.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Heinz Mauelshagen +Date: Fri, 2 Feb 2018 23:13:19 +0100 +Subject: md: fix md_write_start() deadlock w/o metadata devices + +From: Heinz Mauelshagen + +[ Upstream commit 4b6c1060eaa6495aa5b0032e8f2d51dd936b1257 ] + +If no metadata devices are configured on raid1/4/5/6/10 +(e.g. via dm-raid), md_write_start() unconditionally waits +for superblocks to be written thus deadlocking. + +Fix introduces mddev->has_superblocks bool, defines it in md_run() +and checks for it in md_write_start() to conditionally avoid waiting. + +Once on it, check for non-existing superblocks in md_super_write(). + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=198647 +Fixes: cc27b0c78c796 ("md: fix deadlock between mddev_suspend() and md_write_start()") + +Signed-off-by: Heinz Mauelshagen +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 10 ++++++++++ + drivers/md/md.h | 2 ++ + 2 files changed, 12 insertions(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -779,6 +779,9 @@ void md_super_write(struct mddev *mddev, + struct bio *bio; + int ff = 0; + ++ if (!page) ++ return; ++ + if (test_bit(Faulty, &rdev->flags)) + return; + +@@ -5434,6 +5437,7 @@ int md_run(struct mddev *mddev) + * the only valid external interface is through the md + * device. + */ ++ mddev->has_superblocks = false; + rdev_for_each(rdev, mddev) { + if (test_bit(Faulty, &rdev->flags)) + continue; +@@ -5447,6 +5451,9 @@ int md_run(struct mddev *mddev) + set_disk_ro(mddev->gendisk, 1); + } + ++ if (rdev->sb_page) ++ mddev->has_superblocks = true; ++ + /* perform some consistency tests on the device. + * We don't want the data to overlap the metadata, + * Internal Bitmap issues have been handled elsewhere. +@@ -8022,6 +8029,7 @@ EXPORT_SYMBOL(md_done_sync); + bool md_write_start(struct mddev *mddev, struct bio *bi) + { + int did_change = 0; ++ + if (bio_data_dir(bi) != WRITE) + return true; + +@@ -8054,6 +8062,8 @@ bool md_write_start(struct mddev *mddev, + rcu_read_unlock(); + if (did_change) + sysfs_notify_dirent_safe(mddev->sysfs_state); ++ if (!mddev->has_superblocks) ++ return true; + wait_event(mddev->sb_wait, + !test_bit(MD_SB_CHANGE_PENDING, &mddev->sb_flags) || + mddev->suspended); +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -462,6 +462,8 @@ struct mddev { + void (*sync_super)(struct mddev *mddev, struct md_rdev *rdev); + struct md_cluster_info *cluster_info; + unsigned int good_device_nr; /* good device num within cluster raid */ ++ ++ bool has_superblocks:1; + }; + + enum recovery_flags { diff --git a/queue-4.14/md-free-bioset-when-md_run-fails.patch b/queue-4.14/md-free-bioset-when-md_run-fails.patch new file mode 100644 index 00000000000..cd3b2c0a515 --- /dev/null +++ b/queue-4.14/md-free-bioset-when-md_run-fails.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xiao Ni +Date: Wed, 24 Jan 2018 12:17:38 +0800 +Subject: MD: Free bioset when md_run fails + +From: Xiao Ni + +[ Upstream commit b126194cbb799f9980b92a77e58db6ad794c8082 ] + +Signed-off-by: Xiao Ni +Acked-by: Guoqing Jiang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5479,8 +5479,10 @@ int md_run(struct mddev *mddev) + } + if (mddev->sync_set == NULL) { + mddev->sync_set = bioset_create(BIO_POOL_SIZE, 0, BIOSET_NEED_BVECS); +- if (!mddev->sync_set) +- return -ENOMEM; ++ if (!mddev->sync_set) { ++ err = -ENOMEM; ++ goto abort; ++ } + } + + spin_lock(&pers_lock); +@@ -5493,7 +5495,8 @@ int md_run(struct mddev *mddev) + else + pr_warn("md: personality for level %s is not loaded!\n", + mddev->clevel); +- return -EINVAL; ++ err = -EINVAL; ++ goto abort; + } + spin_unlock(&pers_lock); + if (mddev->level != pers->level) { +@@ -5506,7 +5509,8 @@ int md_run(struct mddev *mddev) + pers->start_reshape == NULL) { + /* This personality cannot handle reshaping... */ + module_put(pers->owner); +- return -EINVAL; ++ err = -EINVAL; ++ goto abort; + } + + if (pers->sync_request) { +@@ -5580,7 +5584,7 @@ int md_run(struct mddev *mddev) + mddev->private = NULL; + module_put(pers->owner); + bitmap_destroy(mddev); +- return err; ++ goto abort; + } + if (mddev->queue) { + bool nonrot = true; +@@ -5642,6 +5646,18 @@ int md_run(struct mddev *mddev) + sysfs_notify_dirent_safe(mddev->sysfs_action); + sysfs_notify(&mddev->kobj, NULL, "degraded"); + return 0; ++ ++abort: ++ if (mddev->bio_set) { ++ bioset_free(mddev->bio_set); ++ mddev->bio_set = NULL; ++ } ++ if (mddev->sync_set) { ++ bioset_free(mddev->sync_set); ++ mddev->sync_set = NULL; ++ } ++ ++ return err; + } + EXPORT_SYMBOL_GPL(md_run); + diff --git a/queue-4.14/md-raid1-fix-null-pointer-dereference.patch b/queue-4.14/md-raid1-fix-null-pointer-dereference.patch new file mode 100644 index 00000000000..f1e0f30fa42 --- /dev/null +++ b/queue-4.14/md-raid1-fix-null-pointer-dereference.patch @@ -0,0 +1,90 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yufen Yu +Date: Sat, 24 Feb 2018 12:05:56 +0800 +Subject: md/raid1: fix NULL pointer dereference + +From: Yufen Yu + +[ Upstream commit 3de59bb9d551428cbdc76a9ea57883f82e350b4d ] + +In handle_write_finished(), if r1_bio->bios[m] != NULL, it thinks +the corresponding conf->mirrors[m].rdev is also not NULL. But, it +is not always true. + +Even if some io hold replacement rdev(i.e. rdev->nr_pending.count > 0), +raid1_remove_disk() can also set the rdev as NULL. That means, +bios[m] != NULL, but mirrors[m].rdev is NULL, resulting in NULL +pointer dereference in handle_write_finished and sync_request_write. + +This patch can fix BUGs as follows: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000140 + IP: [] raid1d+0x2bd/0xfc0 + PGD 12ab52067 PUD 12f587067 PMD 0 + Oops: 0000 [#1] SMP + CPU: 1 PID: 2008 Comm: md3_raid1 Not tainted 4.1.44+ #130 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 + Call Trace: + ? schedule+0x37/0x90 + ? prepare_to_wait_event+0x83/0xf0 + md_thread+0x144/0x150 + ? wake_atomic_t_function+0x70/0x70 + ? md_start_sync+0xf0/0xf0 + kthread+0xd8/0xf0 + ? kthread_worker_fn+0x160/0x160 + ret_from_fork+0x42/0x70 + ? kthread_worker_fn+0x160/0x160 + + BUG: unable to handle kernel NULL pointer dereference at 00000000000000b8 + IP: sync_request_write+0x9e/0x980 + PGD 800000007c518067 P4D 800000007c518067 PUD 8002b067 PMD 0 + Oops: 0000 [#1] SMP PTI + CPU: 24 PID: 2549 Comm: md3_raid1 Not tainted 4.15.0+ #118 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 + Call Trace: + ? sched_clock+0x5/0x10 + ? sched_clock_cpu+0xc/0xb0 + ? flush_pending_writes+0x3a/0xd0 + ? pick_next_task_fair+0x4d5/0x5f0 + ? __switch_to+0xa2/0x430 + raid1d+0x65a/0x870 + ? find_pers+0x70/0x70 + ? find_pers+0x70/0x70 + ? md_thread+0x11c/0x160 + md_thread+0x11c/0x160 + ? finish_wait+0x80/0x80 + kthread+0x111/0x130 + ? kthread_create_worker_on_cpu+0x70/0x70 + ? do_syscall_64+0x6f/0x190 + ? SyS_exit_group+0x10/0x10 + ret_from_fork+0x35/0x40 + +Reviewed-by: NeilBrown +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid1.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1813,6 +1813,17 @@ static int raid1_remove_disk(struct mdde + struct md_rdev *repl = + conf->mirrors[conf->raid_disks + number].rdev; + freeze_array(conf, 0); ++ if (atomic_read(&repl->nr_pending)) { ++ /* It means that some queued IO of retry_list ++ * hold repl. Thus, we cannot set replacement ++ * as NULL, avoiding rdev NULL pointer ++ * dereference in sync_request_write and ++ * handle_write_finished. ++ */ ++ err = -EBUSY; ++ unfreeze_array(conf); ++ goto abort; ++ } + clear_bit(Replacement, &repl->flags); + p->rdev = repl; + conf->mirrors[conf->raid_disks + number].rdev = NULL; diff --git a/queue-4.14/md-raid10-fix-null-deference-in-handle_write_completed.patch b/queue-4.14/md-raid10-fix-null-deference-in-handle_write_completed.patch new file mode 100644 index 00000000000..df484571f0d --- /dev/null +++ b/queue-4.14/md-raid10-fix-null-deference-in-handle_write_completed.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yufen Yu +Date: Tue, 6 Feb 2018 17:39:15 +0800 +Subject: md raid10: fix NULL deference in handle_write_completed() + +From: Yufen Yu + +[ Upstream commit 01a69cab01c184d3786af09e9339311123d63d22 ] + +In the case of 'recover', an r10bio with R10BIO_WriteError & +R10BIO_IsRecover will be progressed by handle_write_completed(). +This function traverses all r10bio->devs[copies]. +If devs[m].repl_bio != NULL, it thinks conf->mirrors[dev].replacement +is also not NULL. However, this is not always true. + +When there is an rdev of raid10 has replacement, then each r10bio +->devs[m].repl_bio != NULL in conf->r10buf_pool. However, in 'recover', +even if corresponded replacement is NULL, it doesn't clear r10bio +->devs[m].repl_bio, resulting in replacement NULL deference. + +This bug was introduced when replacement support for raid10 was +added in Linux 3.3. + +As NeilBrown suggested: + Elsewhere the determination of "is this device part of the + resync/recovery" is made by resting bio->bi_end_io. + If this is end_sync_write, then we tried to write here. + If it is NULL, then we didn't try to write. + +Fixes: 9ad1aefc8ae8 ("md/raid10: Handle replacement devices during resync.") +Cc: stable (V3.3+) +Suggested-by: NeilBrown +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2625,7 +2625,8 @@ static void handle_write_completed(struc + for (m = 0; m < conf->copies; m++) { + int dev = r10_bio->devs[m].devnum; + rdev = conf->mirrors[dev].rdev; +- if (r10_bio->devs[m].bio == NULL) ++ if (r10_bio->devs[m].bio == NULL || ++ r10_bio->devs[m].bio->bi_end_io == NULL) + continue; + if (!r10_bio->devs[m].bio->bi_status) { + rdev_clear_badblocks( +@@ -2640,7 +2641,8 @@ static void handle_write_completed(struc + md_error(conf->mddev, rdev); + } + rdev = conf->mirrors[dev].replacement; +- if (r10_bio->devs[m].repl_bio == NULL) ++ if (r10_bio->devs[m].repl_bio == NULL || ++ r10_bio->devs[m].repl_bio->bi_end_io == NULL) + continue; + + if (!r10_bio->devs[m].repl_bio->bi_status) { diff --git a/queue-4.14/md-raid5-avoid-string-overflow-warning.patch b/queue-4.14/md-raid5-avoid-string-overflow-warning.patch new file mode 100644 index 00000000000..73da890ae1e --- /dev/null +++ b/queue-4.14/md-raid5-avoid-string-overflow-warning.patch @@ -0,0 +1,65 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arnd Bergmann +Date: Tue, 20 Feb 2018 14:09:11 +0100 +Subject: md: raid5: avoid string overflow warning + +From: Arnd Bergmann + +[ Upstream commit 53b8d89ddbdbb0e4625a46d2cdbb6f106c52f801 ] + +gcc warns about a possible overflow of the kmem_cache string, when adding +four characters to a string of the same length: + +drivers/md/raid5.c: In function 'setup_conf': +drivers/md/raid5.c:2207:34: error: '-alt' directive writing 4 bytes into a region of size between 1 and 32 [-Werror=format-overflow=] + sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); + ^~~~ +drivers/md/raid5.c:2207:2: note: 'sprintf' output between 5 and 36 bytes into a destination of size 32 + sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If I'm counting correctly, we need 11 characters for the fixed part +of the string and 18 characters for a 64-bit pointer (when no gendisk +is used), so that leaves three characters for conf->level, which should +always be sufficient. + +This makes the code use snprintf() with the correct length, to +make the code more robust against changes, and to get the compiler +to shut up. + +In commit f4be6b43f1ac ("md/raid5: ensure we create a unique name for +kmem_cache when mddev has no gendisk") from 2010, Neil said that +the pointer could be removed "shortly" once devices without gendisk +are disallowed. I have no idea if that happened, but if it did, that +should probably be changed as well. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2197,15 +2197,16 @@ static int grow_one_stripe(struct r5conf + static int grow_stripes(struct r5conf *conf, int num) + { + struct kmem_cache *sc; ++ size_t namelen = sizeof(conf->cache_name[0]); + int devs = max(conf->raid_disks, conf->previous_raid_disks); + + if (conf->mddev->gendisk) +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%s", conf->level, mdname(conf->mddev)); + else +- sprintf(conf->cache_name[0], ++ snprintf(conf->cache_name[0], namelen, + "raid%d-%p", conf->level, conf->mddev); +- sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]); ++ snprintf(conf->cache_name[1], namelen, "%.27s-alt", conf->cache_name[0]); + + conf->active_name = 0; + sc = kmem_cache_create(conf->cache_name[conf->active_name], diff --git a/queue-4.14/microblaze-switch-to-no_bootmem.patch b/queue-4.14/microblaze-switch-to-no_bootmem.patch new file mode 100644 index 00000000000..92379f85550 --- /dev/null +++ b/queue-4.14/microblaze-switch-to-no_bootmem.patch @@ -0,0 +1,155 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Rob Herring +Date: Fri, 9 Mar 2018 09:54:07 -0600 +Subject: microblaze: switch to NO_BOOTMEM + +From: Rob Herring + +[ Upstream commit 101646a24a2f9cdb61d7732459fbf068a7bbb542 ] + +Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc() +doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM. + +Similar change was already done by others architectures +"ARM: mm: Remove bootmem code and switch to NO_BOOTMEM" +(sha1: 84f452b1e8fc73ac0e31254c66e3e2260ce5263d) +or +"openrisc: Consolidate setup to use memblock instead of bootmem" +(sha1: 266c7fad157265bb54d17db1c9545f2aaa488643) +or +"parisc: Drop bootmem and switch to memblock" +(sha1: 4fe9e1d957e45ad8eba9885ee860a0e93d13a7c7) +or +"powerpc: Remove bootmem allocator" +(sha1: 10239733ee8617bac3f1c1769af43a88ed979324) +or +"s390/mm: Convert bootmem to memblock" +(sha1: 50be634507284eea38df78154d22615d21200b42) +or +"sparc64: Convert over to NO_BOOTMEM." +(sha1: 625d693e9784f988371e69c2b41a2172c0be6c11) +or +"xtensa: drop sysmem and switch to memblock" +(sha1: 0e46c1115f5816949220d62dd3ff04aa68e7ac6b) + +Issue was introduced by: +"of/fdt: use memblock_virt_alloc for early alloc" +(sha1: 0fa1c579349fdd90173381712ad78aa99c09d38b) + +Signed-off-by: Rob Herring +Tested-by: Alvaro Gamez Machado +Tested-by: Michal Simek +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/microblaze/Kconfig | 1 + arch/microblaze/mm/init.c | 56 ++++------------------------------------------ + 2 files changed, 7 insertions(+), 50 deletions(-) + +--- a/arch/microblaze/Kconfig ++++ b/arch/microblaze/Kconfig +@@ -24,6 +24,7 @@ config MICROBLAZE + select HAVE_FTRACE_MCOUNT_RECORD + select HAVE_FUNCTION_GRAPH_TRACER + select HAVE_FUNCTION_TRACER ++ select NO_BOOTMEM + select HAVE_MEMBLOCK + select HAVE_MEMBLOCK_NODE_MAP + select HAVE_OPROFILE +--- a/arch/microblaze/mm/init.c ++++ b/arch/microblaze/mm/init.c +@@ -32,9 +32,6 @@ int mem_init_done; + #ifndef CONFIG_MMU + unsigned int __page_offset; + EXPORT_SYMBOL(__page_offset); +- +-#else +-static int init_bootmem_done; + #endif /* CONFIG_MMU */ + + char *klimit = _end; +@@ -117,7 +114,6 @@ static void __init paging_init(void) + + void __init setup_memory(void) + { +- unsigned long map_size; + struct memblock_region *reg; + + #ifndef CONFIG_MMU +@@ -174,17 +170,6 @@ void __init setup_memory(void) + pr_info("%s: max_low_pfn: %#lx\n", __func__, max_low_pfn); + pr_info("%s: max_pfn: %#lx\n", __func__, max_pfn); + +- /* +- * Find an area to use for the bootmem bitmap. +- * We look for the first area which is at least +- * 128kB in length (128kB is enough for a bitmap +- * for 4GB of memory, using 4kB pages), plus 1 page +- * (in case the address isn't page-aligned). +- */ +- map_size = init_bootmem_node(NODE_DATA(0), +- PFN_UP(TOPHYS((u32)klimit)), min_low_pfn, max_low_pfn); +- memblock_reserve(PFN_UP(TOPHYS((u32)klimit)) << PAGE_SHIFT, map_size); +- + /* Add active regions with valid PFNs */ + for_each_memblock(memory, reg) { + unsigned long start_pfn, end_pfn; +@@ -196,32 +181,9 @@ void __init setup_memory(void) + &memblock.memory, 0); + } + +- /* free bootmem is whole main memory */ +- free_bootmem_with_active_regions(0, max_low_pfn); +- +- /* reserve allocate blocks */ +- for_each_memblock(reserved, reg) { +- unsigned long top = reg->base + reg->size - 1; +- +- pr_debug("reserved - 0x%08x-0x%08x, %lx, %lx\n", +- (u32) reg->base, (u32) reg->size, top, +- memory_start + lowmem_size - 1); +- +- if (top <= (memory_start + lowmem_size - 1)) { +- reserve_bootmem(reg->base, reg->size, BOOTMEM_DEFAULT); +- } else if (reg->base < (memory_start + lowmem_size - 1)) { +- unsigned long trunc_size = memory_start + lowmem_size - +- reg->base; +- reserve_bootmem(reg->base, trunc_size, BOOTMEM_DEFAULT); +- } +- } +- + /* XXX need to clip this if using highmem? */ + sparse_memory_present_with_active_regions(0); + +-#ifdef CONFIG_MMU +- init_bootmem_done = 1; +-#endif + paging_init(); + } + +@@ -398,18 +360,12 @@ asmlinkage void __init mmu_init(void) + /* This is only called until mem_init is done. */ + void __init *early_get_page(void) + { +- void *p; +- if (init_bootmem_done) { +- p = alloc_bootmem_pages(PAGE_SIZE); +- } else { +- /* +- * Mem start + kernel_tlb -> here is limit +- * because of mem mapping from head.S +- */ +- p = __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, +- memory_start + kernel_tlb)); +- } +- return p; ++ /* ++ * Mem start + kernel_tlb -> here is limit ++ * because of mem mapping from head.S ++ */ ++ return __va(memblock_alloc_base(PAGE_SIZE, PAGE_SIZE, ++ memory_start + kernel_tlb)); + } + + #endif /* CONFIG_MMU */ diff --git a/queue-4.14/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch b/queue-4.14/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch new file mode 100644 index 00000000000..25e82582e36 --- /dev/null +++ b/queue-4.14/mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mathias Kresin +Date: Thu, 11 May 2017 08:18:24 +0200 +Subject: MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset + +From: Mathias Kresin + +[ Upstream commit 05454c1bde91fb013c0431801001da82947e6b5a ] + +According to the QCA u-boot source the "PCIE Phase Lock Loop +Configuration (PCIE_PLL_CONFIG)" register is for all SoCs except the +QCA955X and QCA956X at offset 0x10. + +Since the PCIE PLL config register is only defined for the AR724x fix +only this value. The value is wrong since the day it was added and isn't +used by any driver yet. + +Signed-off-by: Mathias Kresin +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16048/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/mach-ath79/ar71xx_regs.h ++++ b/arch/mips/include/asm/mach-ath79/ar71xx_regs.h +@@ -167,7 +167,7 @@ + #define AR71XX_AHB_DIV_MASK 0x7 + + #define AR724X_PLL_REG_CPU_CONFIG 0x00 +-#define AR724X_PLL_REG_PCIE_CONFIG 0x18 ++#define AR724X_PLL_REG_PCIE_CONFIG 0x10 + + #define AR724X_PLL_FB_SHIFT 0 + #define AR724X_PLL_FB_MASK 0x3ff diff --git a/queue-4.14/mips-generic-fix-machine-compatible-matching.patch b/queue-4.14/mips-generic-fix-machine-compatible-matching.patch new file mode 100644 index 00000000000..cb48c185489 --- /dev/null +++ b/queue-4.14/mips-generic-fix-machine-compatible-matching.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: James Hogan +Date: Fri, 2 Feb 2018 22:14:09 +0000 +Subject: MIPS: generic: Fix machine compatible matching + +From: James Hogan + +[ Upstream commit 9a9ab3078e2744a1a55163cfaec73a5798aae33e ] + +We now have a platform (Ranchu) in the "generic" platform which matches +based on the FDT compatible string using mips_machine_is_compatible(), +however that function doesn't stop at a blank struct +of_device_id::compatible as that is an array in the struct, not a +pointer to a string. + +Fix the loop completion to check the first byte of the compatible array +rather than the address of the compatible array in the struct. + +Fixes: eed0eabd12ef ("MIPS: generic: Introduce generic DT-based board support") +Signed-off-by: James Hogan +Reviewed-by: Paul Burton +Reviewed-by: Matt Redfearn +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18580/ +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/machine.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/machine.h ++++ b/arch/mips/include/asm/machine.h +@@ -52,7 +52,7 @@ mips_machine_is_compatible(const struct + if (!mach->matches) + return NULL; + +- for (match = mach->matches; match->compatible; match++) { ++ for (match = mach->matches; match->compatible[0]; match++) { + if (fdt_node_check_compatible(fdt, 0, match->compatible) == 0) + return match; + } diff --git a/queue-4.14/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch b/queue-4.14/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch new file mode 100644 index 00000000000..528b1d2778b --- /dev/null +++ b/queue-4.14/mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch @@ -0,0 +1,70 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Joe Perches +Date: Tue, 5 Dec 2017 23:04:58 -0800 +Subject: MIPS: Octeon: Fix logging messages with spurious periods after newlines + +From: Joe Perches + +[ Upstream commit db6775ca6e0353d2618ca7d5e210fc36ad43bbd4 ] + +Using a period after a newline causes bad output. + +Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") +Signed-off-by: Joe Perches +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/17886/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -2271,7 +2271,7 @@ static int __init octeon_irq_init_cib(st + + parent_irq = irq_of_parse_and_map(ciu_node, 0); + if (!parent_irq) { +- pr_err("ERROR: Couldn't acquire parent_irq for %s\n.", ++ pr_err("ERROR: Couldn't acquire parent_irq for %s\n", + ciu_node->name); + return -EINVAL; + } +@@ -2283,7 +2283,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 0, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(0) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(0) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->raw_reg = (u64)phys_to_virt( +@@ -2291,7 +2291,7 @@ static int __init octeon_irq_init_cib(st + + addr = of_get_address(ciu_node, 1, NULL, NULL); + if (!addr) { +- pr_err("ERROR: Couldn't acquire reg(1) %s\n.", ciu_node->name); ++ pr_err("ERROR: Couldn't acquire reg(1) %s\n", ciu_node->name); + return -EINVAL; + } + host_data->en_reg = (u64)phys_to_virt( +@@ -2299,7 +2299,7 @@ static int __init octeon_irq_init_cib(st + + r = of_property_read_u32(ciu_node, "cavium,max-bits", &val); + if (r) { +- pr_err("ERROR: Couldn't read cavium,max-bits from %s\n.", ++ pr_err("ERROR: Couldn't read cavium,max-bits from %s\n", + ciu_node->name); + return r; + } +@@ -2309,7 +2309,7 @@ static int __init octeon_irq_init_cib(st + &octeon_irq_domain_cib_ops, + host_data); + if (!cib_domain) { +- pr_err("ERROR: Couldn't irq_domain_add_linear()\n."); ++ pr_err("ERROR: Couldn't irq_domain_add_linear()\n"); + return -ENOMEM; + } + diff --git a/queue-4.14/mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch b/queue-4.14/mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch new file mode 100644 index 00000000000..916eeea8e43 --- /dev/null +++ b/queue-4.14/mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiri Pirko +Date: Wed, 28 Feb 2018 13:12:08 +0100 +Subject: mlxsw: core: Fix flex keys scratchpad offset conflict + +From: Jiri Pirko + +[ Upstream commit 2ddc94c76cc4ccaf51b478315912b38dfdde1afc ] + +IP_TTL, IP_ECN and IP_DSCP are using the same offset within the +scratchpad as L4 ports. Fix this by shifting all up. + +Fixes: 5f57e0909136 ("mlxsw: acl: Add ip ttl acl element") +Fixes: i80d0fe4710c ("mlxsw: acl: Add ip tos acl element") +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h | 20 +++++++-------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_keys.h +@@ -107,20 +107,20 @@ static const struct mlxsw_afk_element_in + MLXSW_AFK_ELEMENT_INFO_U32(VID, 0x10, 8, 12), + MLXSW_AFK_ELEMENT_INFO_U32(PCP, 0x10, 20, 3), + MLXSW_AFK_ELEMENT_INFO_U32(TCP_FLAGS, 0x10, 23, 9), +- MLXSW_AFK_ELEMENT_INFO_U32(IP_TTL_, 0x14, 0, 8), +- MLXSW_AFK_ELEMENT_INFO_U32(IP_ECN, 0x14, 9, 2), +- MLXSW_AFK_ELEMENT_INFO_U32(IP_DSCP, 0x14, 11, 6), +- MLXSW_AFK_ELEMENT_INFO_U32(SRC_IP4, 0x18, 0, 32), +- MLXSW_AFK_ELEMENT_INFO_U32(DST_IP4, 0x1C, 0, 32), +- MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_HI, 0x18, 8), +- MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_LO, 0x20, 8), +- MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_HI, 0x28, 8), +- MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_LO, 0x30, 8), + MLXSW_AFK_ELEMENT_INFO_U32(DST_L4_PORT, 0x14, 0, 16), + MLXSW_AFK_ELEMENT_INFO_U32(SRC_L4_PORT, 0x14, 16, 16), ++ MLXSW_AFK_ELEMENT_INFO_U32(IP_TTL_, 0x18, 0, 8), ++ MLXSW_AFK_ELEMENT_INFO_U32(IP_ECN, 0x18, 9, 2), ++ MLXSW_AFK_ELEMENT_INFO_U32(IP_DSCP, 0x18, 11, 6), ++ MLXSW_AFK_ELEMENT_INFO_U32(SRC_IP4, 0x20, 0, 32), ++ MLXSW_AFK_ELEMENT_INFO_U32(DST_IP4, 0x24, 0, 32), ++ MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_HI, 0x20, 8), ++ MLXSW_AFK_ELEMENT_INFO_BUF(SRC_IP6_LO, 0x28, 8), ++ MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_HI, 0x30, 8), ++ MLXSW_AFK_ELEMENT_INFO_BUF(DST_IP6_LO, 0x38, 8), + }; + +-#define MLXSW_AFK_ELEMENT_STORAGE_SIZE 0x38 ++#define MLXSW_AFK_ELEMENT_STORAGE_SIZE 0x40 + + struct mlxsw_afk_element_inst { /* element instance in actual block */ + const struct mlxsw_afk_element_info *info; diff --git a/queue-4.14/mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch b/queue-4.14/mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch new file mode 100644 index 00000000000..2b878fd7649 --- /dev/null +++ b/queue-4.14/mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ido Schimmel +Date: Wed, 28 Feb 2018 13:12:10 +0100 +Subject: mlxsw: spectrum: Treat IPv6 unregistered multicast as broadcast + +From: Ido Schimmel + +[ Upstream commit 9d45deb04c59b628b21fc5014aff4f9a1d38f969 ] + +When multicast snooping is enabled, the Linux bridge resorts to flooding +unregistered multicast packets to all ports only in case it did not +detect a querier in the network. + +The above condition is not reflected to underlying drivers, which is +especially problematic in IPv6 environments, as multicast snooping is +enabled by default and since neighbour solicitation packets might be +treated as unregistered multicast packets in case there is no +corresponding MDB entry. + +Until the Linux bridge reflects its querier state to underlying drivers, +simply treat unregistered multicast packets as broadcast and allow them +to reach their destination. + +Fixes: 9df552ef3e21 ("mlxsw: spectrum: Improve IPv6 unregistered multicast flooding") +Signed-off-by: Ido Schimmel +Reported-by: David Ahern +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_fid.c +@@ -112,11 +112,11 @@ static const int mlxsw_sp_sfgc_bc_packet + [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_NON_IP] = 1, + [MLXSW_REG_SFGC_TYPE_IPV4_LINK_LOCAL] = 1, + [MLXSW_REG_SFGC_TYPE_IPV6_ALL_HOST] = 1, ++ [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV6] = 1, + }; + + static const int mlxsw_sp_sfgc_mc_packet_types[MLXSW_REG_SFGC_TYPE_MAX] = { + [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV4] = 1, +- [MLXSW_REG_SFGC_TYPE_UNREGISTERED_MULTICAST_IPV6] = 1, + }; + + static const int *mlxsw_sp_packet_type_sfgc_types[] = { diff --git a/queue-4.14/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch b/queue-4.14/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch new file mode 100644 index 00000000000..a05e1f9c20e --- /dev/null +++ b/queue-4.14/mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch @@ -0,0 +1,78 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Huang Ying +Date: Thu, 5 Apr 2018 16:23:20 -0700 +Subject: mm: fix races between address_space dereference and free in page_evicatable + +From: Huang Ying + +[ Upstream commit e92bb4dd9673945179b1fc738c9817dd91bfb629 ] + +When page_mapping() is called and the mapping is dereferenced in +page_evicatable() through shrink_active_list(), it is possible for the +inode to be truncated and the embedded address space to be freed at the +same time. This may lead to the following race. + +CPU1 CPU2 + +truncate(inode) shrink_active_list() + ... page_evictable(page) + truncate_inode_page(mapping, page); + delete_from_page_cache(page) + spin_lock_irqsave(&mapping->tree_lock, flags); + __delete_from_page_cache(page, NULL) + page_cache_tree_delete(..) + ... mapping = page_mapping(page); + page->mapping = NULL; + ... + spin_unlock_irqrestore(&mapping->tree_lock, flags); + page_cache_free_page(mapping, page) + put_page(page) + if (put_page_testzero(page)) -> false +- inode now has no pages and can be freed including embedded address_space + + mapping_unevictable(mapping) + test_bit(AS_UNEVICTABLE, &mapping->flags); +- we've dereferenced mapping which is potentially already free. + +Similar race exists between swap cache freeing and page_evicatable() +too. + +The address_space in inode and swap cache will be freed after a RCU +grace period. So the races are fixed via enclosing the page_mapping() +and address_space usage in rcu_read_lock/unlock(). Some comments are +added in code to make it clear what is protected by the RCU read lock. + +Link: http://lkml.kernel.org/r/20180212081227.1940-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Reviewed-by: Jan Kara +Reviewed-by: Andrew Morton +Cc: Mel Gorman +Cc: Minchan Kim +Cc: "Huang, Ying" +Cc: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -3961,7 +3961,13 @@ int node_reclaim(struct pglist_data *pgd + */ + int page_evictable(struct page *page) + { +- return !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ int ret; ++ ++ /* Prevent address_space of inode and swap cache from being freed */ ++ rcu_read_lock(); ++ ret = !mapping_unevictable(page_mapping(page)) && !PageMlocked(page); ++ rcu_read_unlock(); ++ return ret; + } + + #ifdef CONFIG_SHMEM diff --git a/queue-4.14/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch b/queue-4.14/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch new file mode 100644 index 00000000000..2903a063574 --- /dev/null +++ b/queue-4.14/mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Vinayak Menon +Date: Wed, 28 Mar 2018 16:01:16 -0700 +Subject: mm/kmemleak.c: wait for scan completion before disabling free + +From: Vinayak Menon + +[ Upstream commit 914b6dfff790544d9b77dfd1723adb3745ec9700 ] + +A crash is observed when kmemleak_scan accesses the object->pointer, +likely due to the following race. + + TASK A TASK B TASK C + kmemleak_write + (with "scan" and + NOT "scan=on") + kmemleak_scan() + create_object + kmem_cache_alloc fails + kmemleak_disable + kmemleak_do_cleanup + kmemleak_free_enabled = 0 + kfree + kmemleak_free bails out + (kmemleak_free_enabled is 0) + slub frees object->pointer + update_checksum + crash - object->pointer + freed (DEBUG_PAGEALLOC) + +kmemleak_do_cleanup waits for the scan thread to complete, but not for +direct call to kmemleak_scan via kmemleak_write. So add a wait for +kmemleak_scan completion before disabling kmemleak_free, and while at it +fix the comment on stop_scan_thread. + +[vinmenon@codeaurora.org: fix stop_scan_thread comment] + Link: http://lkml.kernel.org/r/1522219972-22809-1-git-send-email-vinmenon@codeaurora.org +Link: http://lkml.kernel.org/r/1522063429-18992-1-git-send-email-vinmenon@codeaurora.org +Signed-off-by: Vinayak Menon +Reviewed-by: Catalin Marinas +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kmemleak.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/mm/kmemleak.c ++++ b/mm/kmemleak.c +@@ -1658,8 +1658,7 @@ static void start_scan_thread(void) + } + + /* +- * Stop the automatic memory scanning thread. This function must be called +- * with the scan_mutex held. ++ * Stop the automatic memory scanning thread. + */ + static void stop_scan_thread(void) + { +@@ -1922,12 +1921,15 @@ static void kmemleak_do_cleanup(struct w + { + stop_scan_thread(); + ++ mutex_lock(&scan_mutex); + /* +- * Once the scan thread has stopped, it is safe to no longer track +- * object freeing. Ordering of the scan thread stopping and the memory +- * accesses below is guaranteed by the kthread_stop() function. ++ * Once it is made sure that kmemleak_scan has stopped, it is safe to no ++ * longer track object freeing. Ordering of the scan thread stopping and ++ * the memory accesses below is guaranteed by the kthread_stop() ++ * function. + */ + kmemleak_free_enabled = 0; ++ mutex_unlock(&scan_mutex); + + if (!kmemleak_found_leaks) + __kmemleak_do_cleanup(); diff --git a/queue-4.14/mm-ksm-fix-interaction-with-thp.patch b/queue-4.14/mm-ksm-fix-interaction-with-thp.patch new file mode 100644 index 00000000000..6b47faa0e25 --- /dev/null +++ b/queue-4.14/mm-ksm-fix-interaction-with-thp.patch @@ -0,0 +1,103 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Claudio Imbrenda +Date: Thu, 5 Apr 2018 16:25:41 -0700 +Subject: mm/ksm: fix interaction with THP + +From: Claudio Imbrenda + +[ Upstream commit 77da2ba0648a4fd52e5ff97b8b2b8dd312aec4b0 ] + +This patch fixes a corner case for KSM. When two pages belong or +belonged to the same transparent hugepage, and they should be merged, +KSM fails to split the page, and therefore no merging happens. + +This bug can be reproduced by: +* making sure ksm is running (in case disabling ksmtuned) +* enabling transparent hugepages +* allocating a THP-aligned 1-THP-sized buffer + e.g. on amd64: posix_memalign(&p, 1<<21, 1<<21) +* filling it with the same values + e.g. memset(p, 42, 1<<21) +* performing madvise to make it mergeable + e.g. madvise(p, 1<<21, MADV_MERGEABLE) +* waiting for KSM to perform a few scans + +The expected outcome is that the all the pages get merged (1 shared and +the rest sharing); the actual outcome is that no pages get merged (1 +unshared and the rest volatile) + +The reason of this behaviour is that we increase the reference count +once for both pages we want to merge, but if they belong to the same +hugepage (or compound page), the reference counter used in both cases is +the one of the head of the compound page. This means that +split_huge_page will find a value of the reference counter too high and +will fail. + +This patch solves this problem by testing if the two pages to merge +belong to the same hugepage when attempting to merge them. If so, the +hugepage is split safely. This means that the hugepage is not split if +not necessary. + +Link: http://lkml.kernel.org/r/1521548069-24758-1-git-send-email-imbrenda@linux.vnet.ibm.com +Signed-off-by: Claudio Imbrenda +Co-authored-by: Gerald Schaefer +Reviewed-by: Andrew Morton +Cc: Andrea Arcangeli +Cc: Minchan Kim +Cc: Kirill A. Shutemov +Cc: Hugh Dickins +Cc: Christian Borntraeger +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/ksm.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/mm/ksm.c ++++ b/mm/ksm.c +@@ -2085,8 +2085,22 @@ static void cmp_and_merge_page(struct pa + tree_rmap_item = + unstable_tree_search_insert(rmap_item, page, &tree_page); + if (tree_rmap_item) { ++ bool split; ++ + kpage = try_to_merge_two_pages(rmap_item, page, + tree_rmap_item, tree_page); ++ /* ++ * If both pages we tried to merge belong to the same compound ++ * page, then we actually ended up increasing the reference ++ * count of the same compound page twice, and split_huge_page ++ * failed. ++ * Here we set a flag if that happened, and we use it later to ++ * try split_huge_page again. Since we call put_page right ++ * afterwards, the reference count will be correct and ++ * split_huge_page should succeed. ++ */ ++ split = PageTransCompound(page) ++ && compound_head(page) == compound_head(tree_page); + put_page(tree_page); + if (kpage) { + /* +@@ -2113,6 +2127,20 @@ static void cmp_and_merge_page(struct pa + break_cow(tree_rmap_item); + break_cow(rmap_item); + } ++ } else if (split) { ++ /* ++ * We are here if we tried to merge two pages and ++ * failed because they both belonged to the same ++ * compound page. We will split the page now, but no ++ * merging will take place. ++ * We do not want to add the cost of a full lock; if ++ * the page is locked, it is better to skip it and ++ * perhaps try again later. ++ */ ++ if (!trylock_page(page)) ++ return; ++ split_huge_page(page); ++ unlock_page(page); + } + } + } diff --git a/queue-4.14/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch b/queue-4.14/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch new file mode 100644 index 00000000000..3dc88cf84fc --- /dev/null +++ b/queue-4.14/mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yisheng Xie +Date: Thu, 22 Mar 2018 16:17:02 -0700 +Subject: mm/mempolicy.c: avoid use uninitialized preferred_node + +From: Yisheng Xie + +[ Upstream commit 8970a63e965b43288c4f5f40efbc2bbf80de7f16 ] + +Alexander reported a use of uninitialized memory in __mpol_equal(), +which is caused by incorrect use of preferred_node. + +When mempolicy in mode MPOL_PREFERRED with flags MPOL_F_LOCAL, it uses +numa_node_id() instead of preferred_node, however, __mpol_equal() uses +preferred_node without checking whether it is MPOL_F_LOCAL or not. + +[akpm@linux-foundation.org: slight comment tweak] +Link: http://lkml.kernel.org/r/4ebee1c2-57f6-bcb8-0e2d-1833d1ee0bb7@huawei.com +Fixes: fc36b8d3d819 ("mempolicy: use MPOL_F_LOCAL to Indicate Preferred Local Policy") +Signed-off-by: Yisheng Xie +Reported-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Reviewed-by: Andrew Morton +Cc: Dmitriy Vyukov +Cc: Vlastimil Babka +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/mempolicy.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/mempolicy.c ++++ b/mm/mempolicy.c +@@ -2128,6 +2128,9 @@ bool __mpol_equal(struct mempolicy *a, s + case MPOL_INTERLEAVE: + return !!nodes_equal(a->v.nodes, b->v.nodes); + case MPOL_PREFERRED: ++ /* a's ->flags is the same as b's */ ++ if (a->flags & MPOL_F_LOCAL) ++ return true; + return a->v.preferred_node == b->v.preferred_node; + default: + BUG(); diff --git a/queue-4.14/mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch b/queue-4.14/mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch new file mode 100644 index 00000000000..aa21a3625a2 --- /dev/null +++ b/queue-4.14/mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch @@ -0,0 +1,85 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Maninder Singh +Date: Wed, 28 Mar 2018 16:01:05 -0700 +Subject: mm/page_owner: fix recursion bug after changing skip entries + +From: Maninder Singh + +[ Upstream commit 299815a4fba9f3c7a81434dba0072148f1690608 ] + +This patch fixes commit 5f48f0bd4e36 ("mm, page_owner: skip unnecessary +stack_trace entries"). + +Because if we skip first two entries then logic of checking count value +as 2 for recursion is broken and code will go in one depth recursion. + +so we need to check only one call of _RET_IP(__set_page_owner) while +checking for recursion. + +Current Backtrace while checking for recursion:- + + (save_stack) from (__set_page_owner) // (But recursion returns true here) + (__set_page_owner) from (get_page_from_freelist) + (get_page_from_freelist) from (__alloc_pages_nodemask) + (__alloc_pages_nodemask) from (depot_save_stack) + (depot_save_stack) from (save_stack) // recursion should return true here + (save_stack) from (__set_page_owner) + (__set_page_owner) from (get_page_from_freelist) + (get_page_from_freelist) from (__alloc_pages_nodemask+) + (__alloc_pages_nodemask) from (depot_save_stack) + (depot_save_stack) from (save_stack) + (save_stack) from (__set_page_owner) + (__set_page_owner) from (get_page_from_freelist) + +Correct Backtrace with fix: + + (save_stack) from (__set_page_owner) // recursion returned true here + (__set_page_owner) from (get_page_from_freelist) + (get_page_from_freelist) from (__alloc_pages_nodemask+) + (__alloc_pages_nodemask) from (depot_save_stack) + (depot_save_stack) from (save_stack) + (save_stack) from (__set_page_owner) + (__set_page_owner) from (get_page_from_freelist) + +Link: http://lkml.kernel.org/r/1521607043-34670-1-git-send-email-maninder1.s@samsung.com +Fixes: 5f48f0bd4e36 ("mm, page_owner: skip unnecessary stack_trace entries") +Signed-off-by: Maninder Singh +Signed-off-by: Vaneet Narang +Acked-by: Vlastimil Babka +Cc: Michal Hocko +Cc: Oscar Salvador +Cc: Greg Kroah-Hartman +Cc: Ayush Mittal +Cc: Prakash Gupta +Cc: Vinayak Menon +Cc: Vasyl Gomonovych +Cc: Amit Sahrawat +Cc: +Cc: Vaneet Narang +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_owner.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/mm/page_owner.c ++++ b/mm/page_owner.c +@@ -123,13 +123,13 @@ void __reset_page_owner(struct page *pag + static inline bool check_recursive_alloc(struct stack_trace *trace, + unsigned long ip) + { +- int i, count; ++ int i; + + if (!trace->nr_entries) + return false; + +- for (i = 0, count = 0; i < trace->nr_entries; i++) { +- if (trace->entries[i] == ip && ++count == 2) ++ for (i = 0; i < trace->nr_entries; i++) { ++ if (trace->entries[i] == ip) + return true; + } + diff --git a/queue-4.14/mm-slab-memcg_link-the-slab-s-kmem_cache.patch b/queue-4.14/mm-slab-memcg_link-the-slab-s-kmem_cache.patch new file mode 100644 index 00000000000..840764ec9aa --- /dev/null +++ b/queue-4.14/mm-slab-memcg_link-the-slab-s-kmem_cache.patch @@ -0,0 +1,50 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shakeel Butt +Date: Wed, 28 Mar 2018 16:00:57 -0700 +Subject: mm, slab: memcg_link the SLAB's kmem_cache + +From: Shakeel Butt + +[ Upstream commit 880cd276dff17ea29e9a8404275c9502b265afa7 ] + +All the root caches are linked into slab_root_caches which was +introduced by the commit 510ded33e075 ("slab: implement slab_root_caches +list") but it missed to add the SLAB's kmem_cache. + +While experimenting with opt-in/opt-out kmem accounting, I noticed +system crashes due to NULL dereference inside cache_from_memcg_idx() +while deferencing kmem_cache.memcg_params.memcg_caches. The upstream +clean kernel will not see these crashes but SLAB should be consistent +with SLUB which does linked its boot caches (kmem_cache_node and +kmem_cache) into slab_root_caches. + +Link: http://lkml.kernel.org/r/20180319210020.60289-1-shakeelb@google.com +Fixes: 510ded33e075c ("slab: implement slab_root_caches list") +Signed-off-by: Shakeel Butt +Cc: Tejun Heo +Cc: Vladimir Davydov +Cc: Greg Thelen +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Johannes Weiner +Cc: Michal Hocko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/slab.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -1283,6 +1283,7 @@ void __init kmem_cache_init(void) + nr_node_ids * sizeof(struct kmem_cache_node *), + SLAB_HWCACHE_ALIGN); + list_add(&kmem_cache->list, &slab_caches); ++ memcg_link_cache(kmem_cache); + slab_state = PARTIAL; + + /* diff --git a/queue-4.14/mm-thp-do-not-cause-memcg-oom-for-thp.patch b/queue-4.14/mm-thp-do-not-cause-memcg-oom-for-thp.patch new file mode 100644 index 00000000000..265ec36bc59 --- /dev/null +++ b/queue-4.14/mm-thp-do-not-cause-memcg-oom-for-thp.patch @@ -0,0 +1,80 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Rientjes +Date: Thu, 22 Mar 2018 16:17:45 -0700 +Subject: mm, thp: do not cause memcg oom for thp + +From: David Rientjes + +[ Upstream commit 9d3c3354bb85bab4d865fe95039443f09a4c8394 ] + +Commit 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and +madvised allocations") changed the page allocator to no longer detect +thp allocations based on __GFP_NORETRY. + +It did not, however, modify the mem cgroup try_charge() path to avoid +oom kill for either khugepaged collapsing or thp faulting. It is never +expected to oom kill a process to allocate a hugepage for thp; reclaim +is governed by the thp defrag mode and MADV_HUGEPAGE, but allocations +(and charging) should fallback instead of oom killing processes. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1803191409420.124411@chino.kir.corp.google.com +Fixes: 2516035499b9 ("mm, thp: remove __GFP_NORETRY from khugepaged and madvised allocations") +Signed-off-by: David Rientjes +Cc: "Kirill A. Shutemov" +Cc: Michal Hocko +Cc: Vlastimil Babka +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/huge_memory.c | 5 +++-- + mm/khugepaged.c | 8 ++++++-- + 2 files changed, 9 insertions(+), 4 deletions(-) + +--- a/mm/huge_memory.c ++++ b/mm/huge_memory.c +@@ -555,7 +555,8 @@ static int __do_huge_pmd_anonymous_page( + + VM_BUG_ON_PAGE(!PageCompound(page), page); + +- if (mem_cgroup_try_charge(page, vma->vm_mm, gfp, &memcg, true)) { ++ if (mem_cgroup_try_charge(page, vma->vm_mm, gfp | __GFP_NORETRY, &memcg, ++ true)) { + put_page(page); + count_vm_event(THP_FAULT_FALLBACK); + return VM_FAULT_FALLBACK; +@@ -1304,7 +1305,7 @@ alloc: + } + + if (unlikely(mem_cgroup_try_charge(new_page, vma->vm_mm, +- huge_gfp, &memcg, true))) { ++ huge_gfp | __GFP_NORETRY, &memcg, true))) { + put_page(new_page); + split_huge_pmd(vma, vmf->pmd, vmf->address); + if (page) +--- a/mm/khugepaged.c ++++ b/mm/khugepaged.c +@@ -965,7 +965,9 @@ static void collapse_huge_page(struct mm + goto out_nolock; + } + +- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) { ++ /* Do not oom kill for khugepaged charges */ ++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY, ++ &memcg, true))) { + result = SCAN_CGROUP_CHARGE_FAIL; + goto out_nolock; + } +@@ -1324,7 +1326,9 @@ static void collapse_shmem(struct mm_str + goto out; + } + +- if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp, &memcg, true))) { ++ /* Do not oom kill for khugepaged charges */ ++ if (unlikely(mem_cgroup_try_charge(new_page, mm, gfp | __GFP_NORETRY, ++ &memcg, true))) { + result = SCAN_CGROUP_CHARGE_FAIL; + goto out; + } diff --git a/queue-4.14/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch b/queue-4.14/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch new file mode 100644 index 00000000000..3a746f8ab40 --- /dev/null +++ b/queue-4.14/mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yang Shi +Date: Thu, 5 Apr 2018 16:22:35 -0700 +Subject: mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one() + +From: Yang Shi + +[ Upstream commit f0849ac0b8e072073ec5fcc7fadd05a77434364e ] + +For PTE-mapped THP, the compound THP has not been split to normal 4K +pages yet, the whole THP is considered referenced if any one of sub page +is referenced. + +When walking PTE-mapped THP by pvmw, all relevant PTEs will be checked +to retrieve referenced bit. But, the current code just returns the +result of the last PTE. If the last PTE has not referenced, the +referenced flag will be cleared. + +Just set referenced when ptep{pmdp}_clear_young_notify() returns true. + +Link: http://lkml.kernel.org/r/1518212451-87134-1-git-send-email-yang.shi@linux.alibaba.com +Signed-off-by: Yang Shi +Reported-by: Gang Deng +Suggested-by: Kirill A. Shutemov +Reviewed-by: Andrew Morton +Cc: "Kirill A. Shutemov" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/page_idle.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/mm/page_idle.c ++++ b/mm/page_idle.c +@@ -65,11 +65,15 @@ static bool page_idle_clear_pte_refs_one + while (page_vma_mapped_walk(&pvmw)) { + addr = pvmw.address; + if (pvmw.pte) { +- referenced = ptep_clear_young_notify(vma, addr, +- pvmw.pte); ++ /* ++ * For PTE-mapped THP, one sub page is referenced, ++ * the whole THP is referenced. ++ */ ++ if (ptep_clear_young_notify(vma, addr, pvmw.pte)) ++ referenced = true; + } else if (IS_ENABLED(CONFIG_TRANSPARENT_HUGEPAGE)) { +- referenced = pmdp_clear_young_notify(vma, addr, +- pvmw.pmd); ++ if (pmdp_clear_young_notify(vma, addr, pvmw.pmd)) ++ referenced = true; + } else { + /* unexpected pmd-mapped page? */ + WARN_ON_ONCE(1); diff --git a/queue-4.14/mm-vmstat.c-fix-vmstat_update-preemption-bug.patch b/queue-4.14/mm-vmstat.c-fix-vmstat_update-preemption-bug.patch new file mode 100644 index 00000000000..a17d23e59bc --- /dev/null +++ b/queue-4.14/mm-vmstat.c-fix-vmstat_update-preemption-bug.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Steven J. Hill" +Date: Wed, 28 Mar 2018 16:01:09 -0700 +Subject: mm/vmstat.c: fix vmstat_update() preemption BUG + +From: "Steven J. Hill" + +[ Upstream commit c7f26ccfb2c31eb1bf810ba13d044fcf583232db ] + +Attempting to hotplug CPUs with CONFIG_VM_EVENT_COUNTERS enabled can +cause vmstat_update() to report a BUG due to preemption not being +disabled around smp_processor_id(). + +Discovered on Ubiquiti EdgeRouter Pro with Cavium Octeon II processor. + + BUG: using smp_processor_id() in preemptible [00000000] code: + kworker/1:1/269 + caller is vmstat_update+0x50/0xa0 + CPU: 0 PID: 269 Comm: kworker/1:1 Not tainted + 4.16.0-rc4-Cavium-Octeon-00009-gf83bbd5-dirty #1 + Workqueue: mm_percpu_wq vmstat_update + Call Trace: + show_stack+0x94/0x128 + dump_stack+0xa4/0xe0 + check_preemption_disabled+0x118/0x120 + vmstat_update+0x50/0xa0 + process_one_work+0x144/0x348 + worker_thread+0x150/0x4b8 + kthread+0x110/0x140 + ret_from_kernel_thread+0x14/0x1c + +Link: http://lkml.kernel.org/r/1520881552-25659-1-git-send-email-steven.hill@cavium.com +Signed-off-by: Steven J. Hill +Reviewed-by: Andrew Morton +Cc: Tejun Heo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmstat.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1770,9 +1770,11 @@ static void vmstat_update(struct work_st + * to occur in the future. Keep on running the + * update worker thread. + */ ++ preempt_disable(); + queue_delayed_work_on(smp_processor_id(), mm_percpu_wq, + this_cpu_ptr(&vmstat_work), + round_jiffies_relative(sysctl_stat_interval)); ++ preempt_enable(); + } + } + diff --git a/queue-4.14/nbd-fix-return-value-in-error-handling-path.patch b/queue-4.14/nbd-fix-return-value-in-error-handling-path.patch new file mode 100644 index 00000000000..64d02375665 --- /dev/null +++ b/queue-4.14/nbd-fix-return-value-in-error-handling-path.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Mon, 12 Feb 2018 11:14:55 -0600 +Subject: nbd: fix return value in error handling path + +From: "Gustavo A. R. Silva" + +[ Upstream commit 0979962f5490abe75b3e2befb07a564fa0cf631b ] + +It seems that the proper value to return in this particular case is the +one contained into variable new_index instead of ret. + +Addresses-Coverity-ID: 1465148 ("Copy-paste error") +Fixes: e46c7287b1c2 ("nbd: add a basic netlink interface") +Reviewed-by: Omar Sandoval +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/nbd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -1591,7 +1591,7 @@ again: + if (new_index < 0) { + mutex_unlock(&nbd_index_mutex); + printk(KERN_ERR "nbd: failed to add new device\n"); +- return ret; ++ return new_index; + } + nbd = idr_find(&nbd_index_idr, new_index); + } diff --git a/queue-4.14/net-bgmac-correctly-annotate-register-space.patch b/queue-4.14/net-bgmac-correctly-annotate-register-space.patch new file mode 100644 index 00000000000..bac0ba14104 --- /dev/null +++ b/queue-4.14/net-bgmac-correctly-annotate-register-space.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:29 -0700 +Subject: net: bgmac: Correctly annotate register space + +From: Florian Fainelli + +[ Upstream commit 16a1c0646e55c3345bce8e4edfc06ad119d27c04 ] + +All the members: base, idm_base and nicpm_base should be annotated with +__iomem since they are pointers to register space. This fixes a bunch of +sparse reported warnings. + +Fixes: f6a95a24957a ("net: ethernet: bgmac: Add platform device support") +Fixes: dd5c5d037f5e ("net: ethernet: bgmac: add NS2 support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.h ++++ b/drivers/net/ethernet/broadcom/bgmac.h +@@ -479,9 +479,9 @@ struct bgmac_rx_header { + struct bgmac { + union { + struct { +- void *base; +- void *idm_base; +- void *nicpm_base; ++ void __iomem *base; ++ void __iomem *idm_base; ++ void __iomem *nicpm_base; + } plat; + struct { + struct bcma_device *core; diff --git a/queue-4.14/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch b/queue-4.14/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch new file mode 100644 index 00000000000..73e13c6aacb --- /dev/null +++ b/queue-4.14/net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Fainelli +Date: Sun, 1 Apr 2018 10:26:30 -0700 +Subject: net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() + +From: Florian Fainelli + +[ Upstream commit 60d6e6f0b9e422dd01aeda39257ee0428e5e2a3f ] + +bgmac_dma_tx_ring_free() assigns the ctl1 word which is a litle endian +32-bit word without using proper accessors, fix this, and because a +length cannot be negative, use unsigned int while at it. + +Fixes: 9cde94506eac ("bgmac: implement scatter/gather support") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bgmac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bgmac.c ++++ b/drivers/net/ethernet/broadcom/bgmac.c +@@ -532,7 +532,8 @@ static void bgmac_dma_tx_ring_free(struc + int i; + + for (i = 0; i < BGMAC_TX_RING_SLOTS; i++) { +- int len = dma_desc[i].ctl1 & BGMAC_DESC_CTL1_LEN; ++ u32 ctl1 = le32_to_cpu(dma_desc[i].ctl1); ++ unsigned int len = ctl1 & BGMAC_DESC_CTL1_LEN; + + slot = &ring->slots[i]; + dev_kfree_skb(slot->skb); diff --git a/queue-4.14/net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch b/queue-4.14/net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch new file mode 100644 index 00000000000..2dac3afaeb9 --- /dev/null +++ b/queue-4.14/net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Fainelli +Date: Tue, 20 Mar 2018 17:31:10 -0700 +Subject: net: dsa: Fix functional dsa-loop dependency on FIXED_PHY + +From: Florian Fainelli + +[ Upstream commit 40013ff20b1beed31184935fc0aea6a859d4d4ef ] + +We have a functional dependency on the FIXED_PHY MDIO bus because we register +fixed PHY devices "the old way" which only works if the code that does this has +had a chance to run before the fixed MDIO bus is probed. Make sure we account +for that and have dsa_loop_bdinfo.o be either built-in or modular depending on +whether CONFIG_FIXED_PHY reflects that too. + +Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/Makefile | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/dsa/Makefile ++++ b/drivers/net/dsa/Makefile +@@ -1,7 +1,10 @@ + # SPDX-License-Identifier: GPL-2.0 + obj-$(CONFIG_NET_DSA_BCM_SF2) += bcm-sf2.o + bcm-sf2-objs := bcm_sf2.o bcm_sf2_cfp.o +-obj-$(CONFIG_NET_DSA_LOOP) += dsa_loop.o dsa_loop_bdinfo.o ++obj-$(CONFIG_NET_DSA_LOOP) += dsa_loop.o ++ifdef CONFIG_NET_DSA_LOOP ++obj-$(CONFIG_FIXED_PHY) += dsa_loop_bdinfo.o ++endif + obj-$(CONFIG_NET_DSA_MT7530) += mt7530.o + obj-$(CONFIG_NET_DSA_MV88E6060) += mv88e6060.o + obj-$(CONFIG_NET_DSA_QCA8K) += qca8k.o diff --git a/queue-4.14/net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch b/queue-4.14/net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch new file mode 100644 index 00000000000..878c730ad34 --- /dev/null +++ b/queue-4.14/net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sean Wang +Date: Mon, 26 Mar 2018 18:07:10 +0800 +Subject: net: dsa: mt7530: fix module autoloading for OF platform drivers + +From: Sean Wang + +[ Upstream commit 3c82b372a9f44aa224b8d5106ff6f1ad516fa8a8 ] + +It's required to create a modules.alias via MODULE_DEVICE_TABLE helper +for the OF platform driver. Otherwise, module autoloading cannot work. + +Signed-off-by: Sean Wang +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mt7530.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/dsa/mt7530.c ++++ b/drivers/net/dsa/mt7530.c +@@ -1122,6 +1122,7 @@ static const struct of_device_id mt7530_ + { .compatible = "mediatek,mt7530" }, + { /* sentinel */ }, + }; ++MODULE_DEVICE_TABLE(of, mt7530_of_match); + + static struct mdio_driver mt7530_mdio_driver = { + .probe = mt7530_probe, diff --git a/queue-4.14/net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch b/queue-4.14/net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch new file mode 100644 index 00000000000..82019e1f00b --- /dev/null +++ b/queue-4.14/net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Edward Cree +Date: Wed, 28 Feb 2018 19:15:58 +0000 +Subject: net: ethtool: don't ignore return from driver get_fecparam method + +From: Edward Cree + +[ Upstream commit a6d50512b4d86ecd9f5952525e454583be1c3b14 ] + +If ethtool_ops->get_fecparam returns an error, pass that error on to the + user, rather than ignoring it. + +Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes") +Signed-off-by: Edward Cree +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/ethtool.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -2505,11 +2505,14 @@ static int set_phy_tunable(struct net_de + static int ethtool_get_fecparam(struct net_device *dev, void __user *useraddr) + { + struct ethtool_fecparam fecparam = { ETHTOOL_GFECPARAM }; ++ int rc; + + if (!dev->ethtool_ops->get_fecparam) + return -EOPNOTSUPP; + +- dev->ethtool_ops->get_fecparam(dev, &fecparam); ++ rc = dev->ethtool_ops->get_fecparam(dev, &fecparam); ++ if (rc) ++ return rc; + + if (copy_to_user(useraddr, &fecparam, sizeof(fecparam))) + return -EFAULT; diff --git a/queue-4.14/net-fix-untag-for-vlan-packets-without-ethernet-header.patch b/queue-4.14/net-fix-untag-for-vlan-packets-without-ethernet-header.patch new file mode 100644 index 00000000000..859b70b6340 --- /dev/null +++ b/queue-4.14/net-fix-untag-for-vlan-packets-without-ethernet-header.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Toshiaki Makita +Date: Thu, 29 Mar 2018 19:05:29 +0900 +Subject: net: Fix untag for vlan packets without ethernet header + +From: Toshiaki Makita + +[ Upstream commit ae4745730cf8e693d354ccd4dbaf59ea440c09a9 ] + +In some situation vlan packets do not have ethernet headers. One example +is packets from tun devices. Users can specify vlan protocol in tun_pi +field instead of IP protocol, and skb_vlan_untag() attempts to untag such +packets. + +skb_vlan_untag() (more precisely, skb_reorder_vlan_header() called by it) +however did not expect packets without ethernet headers, so in such a case +size argument for memmove() underflowed and triggered crash. + +==== +BUG: unable to handle kernel paging request at ffff8801cccb8000 +IP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 +PGD 9cee067 P4D 9cee067 PUD 1d9401063 PMD 1cccb7063 PTE 2810100028101 +Oops: 000b [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 17663 Comm: syz-executor2 Not tainted 4.16.0-rc7+ #368 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:__memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 +RSP: 0018:ffff8801cc046e28 EFLAGS: 00010287 +RAX: ffff8801ccc244c4 RBX: fffffffffffffffe RCX: fffffffffff6c4c2 +RDX: fffffffffffffffe RSI: ffff8801cccb7ffc RDI: ffff8801cccb8000 +RBP: ffff8801cc046e48 R08: ffff8801ccc244be R09: ffffed0039984899 +R10: 0000000000000001 R11: ffffed0039984898 R12: ffff8801ccc244c4 +R13: ffff8801ccc244c0 R14: ffff8801d96b7c06 R15: ffff8801d96b7b40 +FS: 00007febd562d700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffff8801cccb8000 CR3: 00000001ccb2f006 CR4: 00000000001606e0 +DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Call Trace: + memmove include/linux/string.h:360 [inline] + skb_reorder_vlan_header net/core/skbuff.c:5031 [inline] + skb_vlan_untag+0x470/0xc40 net/core/skbuff.c:5061 + __netif_receive_skb_core+0x119c/0x3460 net/core/dev.c:4460 + __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4627 + netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4701 + netif_receive_skb+0xae/0x390 net/core/dev.c:4725 + tun_rx_batched.isra.50+0x5ee/0x870 drivers/net/tun.c:1555 + tun_get_user+0x299e/0x3c20 drivers/net/tun.c:1962 + tun_chr_write_iter+0xb9/0x160 drivers/net/tun.c:1990 + call_write_iter include/linux/fs.h:1782 [inline] + new_sync_write fs/read_write.c:469 [inline] + __vfs_write+0x684/0x970 fs/read_write.c:482 + vfs_write+0x189/0x510 fs/read_write.c:544 + SYSC_write fs/read_write.c:589 [inline] + SyS_write+0xef/0x220 fs/read_write.c:581 + do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x454879 +RSP: 002b:00007febd562cc68 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 +RAX: ffffffffffffffda RBX: 00007febd562d6d4 RCX: 0000000000454879 +RDX: 0000000000000157 RSI: 0000000020000180 RDI: 0000000000000014 +RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 00000000000006b0 R14: 00000000006fc120 R15: 0000000000000000 +Code: 90 90 90 90 90 90 90 48 89 f8 48 83 fa 20 0f 82 03 01 00 00 48 39 fe 7d 0f 49 89 f0 49 01 d0 49 39 f8 0f 8f 9f 00 00 00 48 89 d1 a4 c3 48 81 fa a8 02 00 00 72 05 40 38 fe 74 3b 48 83 ea 20 +RIP: __memmove+0x24/0x1a0 arch/x86/lib/memmove_64.S:43 RSP: ffff8801cc046e28 +CR2: ffff8801cccb8000 +==== + +We don't need to copy headers for packets which do not have preceding +headers of vlan headers, so skip memmove() in that case. + +Fixes: 4bbb3e0e8239 ("net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off") +Reported-by: Eric Dumazet +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4947,8 +4947,10 @@ static struct sk_buff *skb_reorder_vlan_ + } + + mac_len = skb->data - skb_mac_header(skb); +- memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), +- mac_len - VLAN_HLEN - ETH_TLEN); ++ if (likely(mac_len > VLAN_HLEN + ETH_TLEN)) { ++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), ++ mac_len - VLAN_HLEN - ETH_TLEN); ++ } + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.14/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch b/queue-4.14/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch new file mode 100644 index 00000000000..0e21e40405e --- /dev/null +++ b/queue-4.14/net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch @@ -0,0 +1,120 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Toshiaki Makita +Date: Tue, 13 Mar 2018 14:51:27 +0900 +Subject: net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off + +From: Toshiaki Makita + +[ Upstream commit 4bbb3e0e8239f9079bf1fe20b3c0cb598714ae61 ] + +When we have a bridge with vlan_filtering on and a vlan device on top of +it, packets would be corrupted in skb_vlan_untag() called from +br_dev_xmit(). + +The problem sits in skb_reorder_vlan_header() used in skb_vlan_untag(), +which makes use of skb->mac_len. In this function mac_len is meant for +handling rx path with vlan devices with reorder_header disabled, but in +tx path mac_len is typically 0 and cannot be used, which is the problem +in this case. + +The current code even does not properly handle rx path (skb_vlan_untag() +called from __netif_receive_skb_core()) with reorder_header off actually. + +In rx path single tag case, it works as follows: + +- Before skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+-------------+------+---- + | ETH | VLAN | ETH | + | ADDRS | TPID | TCI | TYPE | + +-------------------+-------------+------+---- + <-------- mac_len ---------> + <-------------> + to be removed + +- After skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+------+---- + | ETH | ETH | + | ADDRS | TYPE | + +-------------------+------+---- + <-------- mac_len ---------> + +This is ok, but in rx double tag case, it corrupts packets: + +- Before skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+-------------+-------------+------+---- + | ETH | VLAN | VLAN | ETH | + | ADDRS | TPID | TCI | TPID | TCI | TYPE | + +-------------------+-------------+-------------+------+---- + <--------------- mac_len ----------------> + <-------------> + should be removed + <---------------------------> + actually will be removed + +- After skb_reorder_vlan_header() + + mac_header data + v v + +-------------------+------+---- + | ETH | ETH | + | ADDRS | TYPE | + +-------------------+------+---- + <--------------- mac_len ----------------> + +So, two of vlan tags are both removed while only inner one should be +removed and mac_header (and mac_len) is broken. + +skb_vlan_untag() is meant for removing the vlan header at (skb->data - 2), +so use skb->data and skb->mac_header to calculate the right offset. + +Reported-by: Brandon Carpenter +Fixes: a6e18ff11170 ("vlan: Fix untag operations of stacked vlans with REORDER_HEADER off") +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/if_ether.h | 1 + + net/core/skbuff.c | 7 +++++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/if_ether.h ++++ b/include/uapi/linux/if_ether.h +@@ -30,6 +30,7 @@ + */ + + #define ETH_ALEN 6 /* Octets in one ethernet addr */ ++#define ETH_TLEN 2 /* Octets in ethernet type field */ + #define ETH_HLEN 14 /* Total octets in header. */ + #define ETH_ZLEN 60 /* Min. octets in frame sans FCS */ + #define ETH_DATA_LEN 1500 /* Max. octets in payload */ +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4939,13 +4939,16 @@ EXPORT_SYMBOL_GPL(skb_gso_validate_mtu); + + static struct sk_buff *skb_reorder_vlan_header(struct sk_buff *skb) + { ++ int mac_len; ++ + if (skb_cow(skb, skb_headroom(skb)) < 0) { + kfree_skb(skb); + return NULL; + } + +- memmove(skb->data - ETH_HLEN, skb->data - skb->mac_len - VLAN_HLEN, +- 2 * ETH_ALEN); ++ mac_len = skb->data - skb_mac_header(skb); ++ memmove(skb_mac_header(skb) + VLAN_HLEN, skb_mac_header(skb), ++ mac_len - VLAN_HLEN - ETH_TLEN); + skb->mac_header += VLAN_HLEN; + return skb; + } diff --git a/queue-4.14/net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch b/queue-4.14/net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch new file mode 100644 index 00000000000..6515fdecb26 --- /dev/null +++ b/queue-4.14/net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch @@ -0,0 +1,68 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Or Gerlitz +Date: Thu, 15 Feb 2018 12:39:55 +0200 +Subject: net/mlx5: Make eswitch support to depend on switchdev + +From: Or Gerlitz + +[ Upstream commit f125376b06bcc57dfb0216ac8d6ec6d5dcf81025 ] + +Add dependancy for switchdev to be congfigured as any user-space control +plane SW is expected to use the HW switchdev ID to locate the representors +related to VFs of a certain PF and apply SW/offloaded switching on them. + +Fixes: e80541ecabd5 ('net/mlx5: Add CONFIG_MLX5_ESWITCH Kconfig') +Signed-off-by: Or Gerlitz +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/Kconfig | 2 +- + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++-- + drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 -- + 3 files changed, 3 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/Kconfig ++++ b/drivers/net/ethernet/mellanox/mlx5/core/Kconfig +@@ -46,7 +46,7 @@ config MLX5_MPFS + + config MLX5_ESWITCH + bool "Mellanox Technologies MLX5 SRIOV E-Switch support" +- depends on MLX5_CORE_EN ++ depends on MLX5_CORE_EN && NET_SWITCHDEV + default y + ---help--- + Mellanox Technologies Ethernet SRIOV E-Switch support in ConnectX NIC. +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c +@@ -4022,7 +4022,7 @@ static void mlx5e_set_netdev_dev_addr(st + } + } + +-#if IS_ENABLED(CONFIG_NET_SWITCHDEV) && IS_ENABLED(CONFIG_MLX5_ESWITCH) ++#if IS_ENABLED(CONFIG_MLX5_ESWITCH) + static const struct switchdev_ops mlx5e_switchdev_ops = { + .switchdev_port_attr_get = mlx5e_attr_get, + }; +@@ -4126,7 +4126,7 @@ static void mlx5e_build_nic_netdev(struc + + mlx5e_set_netdev_dev_addr(netdev); + +-#if IS_ENABLED(CONFIG_NET_SWITCHDEV) && IS_ENABLED(CONFIG_MLX5_ESWITCH) ++#if IS_ENABLED(CONFIG_MLX5_ESWITCH) + if (MLX5_VPORT_MANAGER(mdev)) + netdev->switchdev_ops = &mlx5e_switchdev_ops; + #endif +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c +@@ -825,9 +825,7 @@ static void mlx5e_build_rep_netdev(struc + + netdev->ethtool_ops = &mlx5e_rep_ethtool_ops; + +-#ifdef CONFIG_NET_SWITCHDEV + netdev->switchdev_ops = &mlx5e_rep_switchdev_ops; +-#endif + + netdev->features |= NETIF_F_VLAN_CHALLENGED | NETIF_F_HW_TC | NETIF_F_NETNS_LOCAL; + netdev->hw_features |= NETIF_F_HW_TC; diff --git a/queue-4.14/net-mlx5-protect-from-command-bit-overflow.patch b/queue-4.14/net-mlx5-protect-from-command-bit-overflow.patch new file mode 100644 index 00000000000..a98535d29bc --- /dev/null +++ b/queue-4.14/net-mlx5-protect-from-command-bit-overflow.patch @@ -0,0 +1,60 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Leon Romanovsky +Date: Tue, 2 Jan 2018 16:49:56 +0200 +Subject: net/mlx5: Protect from command bit overflow + +From: Leon Romanovsky + +[ Upstream commit 957f6ba8adc7be401a74ccff427e4cfd88d3bfcb ] + +The system with CONFIG_UBSAN enabled on produces the following error +during driver initialization. The reason to it that max_reg_cmds can be +larger enough to cause to "1 << max_reg_cmds" overflow the unsigned long. + +================================================================================ +UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx5/core/cmd.c:1805:42 +signed integer overflow: +-2147483648 - 1 cannot be represented in type 'int' +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2-00032-g06cda2358d9b-dirty #724 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 +Call Trace: + dump_stack+0xe9/0x18f + ? dma_virt_alloc+0x81/0x81 + ubsan_epilogue+0xe/0x4e + handle_overflow+0x187/0x20c + mlx5_cmd_init+0x73a/0x12b0 + mlx5_load_one+0x1c3d/0x1d30 + init_one+0xd02/0xf10 + pci_device_probe+0x26c/0x3b0 + driver_probe_device+0x622/0xb40 + __driver_attach+0x175/0x1b0 + bus_for_each_dev+0xef/0x190 + bus_add_driver+0x2db/0x490 + driver_register+0x16b/0x1e0 + __pci_register_driver+0x177/0x1b0 + init+0x6d/0x92 + do_one_initcall+0x15b/0x270 + kernel_init_freeable+0x2d8/0x3d0 + kernel_init+0x14/0x190 + ret_from_fork+0x24/0x30 +================================================================================ + +Signed-off-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1802,7 +1802,7 @@ int mlx5_cmd_init(struct mlx5_core_dev * + + cmd->checksum_disabled = 1; + cmd->max_reg_cmds = (1 << cmd->log_sz) - 1; +- cmd->bitmask = (1 << cmd->max_reg_cmds) - 1; ++ cmd->bitmask = (1UL << cmd->max_reg_cmds) - 1; + + cmd->cmdif_rev = ioread32be(&dev->iseg->cmdif_rev_fw_sub) >> 16; + if (cmd->cmdif_rev > CMD_IF_REV) { diff --git a/queue-4.14/net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch b/queue-4.14/net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch new file mode 100644 index 00000000000..1adf569cd12 --- /dev/null +++ b/queue-4.14/net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Or Gerlitz +Date: Tue, 30 Jan 2018 13:16:58 +0200 +Subject: net/mlx5e: Return error if prio is specified when offloading eswitch vlan push + +From: Or Gerlitz + +[ Upstream commit 001a2fc0c8cc29241305e44ffbce52d1daf8782b ] + +This isn't supported when we emulate eswitch vlan push action which +is the current state of things. + +Fixes: 8b32580df1cb ('net/mlx5e: Add TC vlan action for SRIOV offloads') +Signed-off-by: Or Gerlitz +Reviewed-by: Mark Bloch +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +@@ -2018,7 +2018,8 @@ static int parse_tc_fdb_actions(struct m + if (tcf_vlan_action(a) == TCA_VLAN_ACT_POP) { + attr->action |= MLX5_FLOW_CONTEXT_ACTION_VLAN_POP; + } else if (tcf_vlan_action(a) == TCA_VLAN_ACT_PUSH) { +- if (tcf_vlan_push_proto(a) != htons(ETH_P_8021Q)) ++ if (tcf_vlan_push_proto(a) != htons(ETH_P_8021Q) || ++ tcf_vlan_push_prio(a)) + return -EOPNOTSUPP; + + attr->action |= MLX5_FLOW_CONTEXT_ACTION_VLAN_PUSH; diff --git a/queue-4.14/net-mvneta-fix-enable-of-all-initialized-rxqs.patch b/queue-4.14/net-mvneta-fix-enable-of-all-initialized-rxqs.patch new file mode 100644 index 00000000000..f8cb1434fa8 --- /dev/null +++ b/queue-4.14/net-mvneta-fix-enable-of-all-initialized-rxqs.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yelena Krivosheev +Date: Fri, 30 Mar 2018 12:05:31 +0200 +Subject: net: mvneta: fix enable of all initialized RXQs + +From: Yelena Krivosheev + +[ Upstream commit e81b5e01c14add8395dfba7130f8829206bb507d ] + +In mvneta_port_up() we enable relevant RX and TX port queues by write +queues bit map to an appropriate register. + +q_map must be ZERO in the beginning of this process. + +Signed-off-by: Yelena Krivosheev +Acked-by: Thomas Petazzoni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -1112,6 +1112,7 @@ static void mvneta_port_up(struct mvneta + } + mvreg_write(pp, MVNETA_TXQ_CMD, q_map); + ++ q_map = 0; + /* Enable all initialized RXQs. */ + for (queue = 0; queue < rxq_number; queue++) { + struct mvneta_rx_queue *rxq = &pp->rxqs[queue]; diff --git a/queue-4.14/net-qcom-emac-use-proper-free-methods-during-tx.patch b/queue-4.14/net-qcom-emac-use-proper-free-methods-during-tx.patch new file mode 100644 index 00000000000..60a0f1ee99b --- /dev/null +++ b/queue-4.14/net-qcom-emac-use-proper-free-methods-during-tx.patch @@ -0,0 +1,70 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Hemanth Puranik +Date: Tue, 6 Mar 2018 08:18:06 +0530 +Subject: net: qcom/emac: Use proper free methods during TX + +From: Hemanth Puranik + +[ Upstream commit cc5db3150e87fe7f7e947bf333b6c1c97f848ecb ] + +This patch fixes the warning messages/call traces seen if DMA debug is +enabled, In case of fragmented skb's memory was allocated using +dma_map_page but freed using dma_unmap_single. This patch modifies buffer +allocations in TX path to use dma_map_page in all the places and +dma_unmap_page while freeing the buffers. + +Signed-off-by: Hemanth Puranik +Acked-by: Timur Tabi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/emac/emac-mac.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c +@@ -1204,9 +1204,9 @@ void emac_mac_tx_process(struct emac_ada + while (tx_q->tpd.consume_idx != hw_consume_idx) { + tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.consume_idx); + if (tpbuf->dma_addr) { +- dma_unmap_single(adpt->netdev->dev.parent, +- tpbuf->dma_addr, tpbuf->length, +- DMA_TO_DEVICE); ++ dma_unmap_page(adpt->netdev->dev.parent, ++ tpbuf->dma_addr, tpbuf->length, ++ DMA_TO_DEVICE); + tpbuf->dma_addr = 0; + } + +@@ -1363,9 +1363,11 @@ static void emac_tx_fill_tpd(struct emac + + tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx); + tpbuf->length = mapped_len; +- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent, +- skb->data, tpbuf->length, +- DMA_TO_DEVICE); ++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent, ++ virt_to_page(skb->data), ++ offset_in_page(skb->data), ++ tpbuf->length, ++ DMA_TO_DEVICE); + ret = dma_mapping_error(adpt->netdev->dev.parent, + tpbuf->dma_addr); + if (ret) +@@ -1381,9 +1383,12 @@ static void emac_tx_fill_tpd(struct emac + if (mapped_len < len) { + tpbuf = GET_TPD_BUFFER(tx_q, tx_q->tpd.produce_idx); + tpbuf->length = len - mapped_len; +- tpbuf->dma_addr = dma_map_single(adpt->netdev->dev.parent, +- skb->data + mapped_len, +- tpbuf->length, DMA_TO_DEVICE); ++ tpbuf->dma_addr = dma_map_page(adpt->netdev->dev.parent, ++ virt_to_page(skb->data + ++ mapped_len), ++ offset_in_page(skb->data + ++ mapped_len), ++ tpbuf->length, DMA_TO_DEVICE); + ret = dma_mapping_error(adpt->netdev->dev.parent, + tpbuf->dma_addr); + if (ret) diff --git a/queue-4.14/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch b/queue-4.14/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch new file mode 100644 index 00000000000..93507811176 --- /dev/null +++ b/queue-4.14/net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Pawel Dembicki +Date: Sat, 24 Mar 2018 22:08:14 +0100 +Subject: net: qmi_wwan: add BroadMobi BM806U 2020:2033 + +From: Pawel Dembicki + +[ Upstream commit 743989254ea9f132517806d8893ca9b6cf9dc86b ] + +BroadMobi BM806U is an Qualcomm MDM9225 based 3G/4G modem. +Tested hardware BM806U is mounted on D-Link DWR-921-C3 router. +The USB id is added to qmi_wwan.c to allow QMI communication with +the BM806U. + +Tested on 4.14 kernel and OpenWRT. + +Signed-off-by: Pawel Dembicki +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1184,6 +1184,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x19d2, 0x2002, 4)}, /* ZTE (Vodafone) K3765-Z */ + {QMI_FIXED_INTF(0x2001, 0x7e19, 4)}, /* D-Link DWM-221 B1 */ + {QMI_FIXED_INTF(0x2001, 0x7e35, 4)}, /* D-Link DWM-222 */ ++ {QMI_FIXED_INTF(0x2020, 0x2033, 4)}, /* BroadMobi BM806U */ + {QMI_FIXED_INTF(0x0f3d, 0x68a2, 8)}, /* Sierra Wireless MC7700 */ + {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */ + {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */ diff --git a/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch new file mode 100644 index 00000000000..6db425d904a --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch @@ -0,0 +1,73 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:26 +0100 +Subject: net/sched: fix idr leak in the error path of __tcf_ipt_init() + +From: Davide Caratti + +[ Upstream commit 1e46ef1762bb2e52f0f996131a4d16ed4e9fd065 ] + +__tcf_ipt_init() can fail after the idr has been successfully reserved. +When this happens, subsequent attempts to configure xt/ipt rules using +the same idr value systematically fail with -ENOSPC: + + # tc action add action xt -j LOG --log-prefix test1 index 100 + tablename: mangle hook: NF_IP_POST_ROUTING + target: LOG level warning prefix "test1" index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + Command "(null)" is unknown, try "tc actions help". + # tc action add action xt -j LOG --log-prefix test1 index 100 + tablename: mangle hook: NF_IP_POST_ROUTING + target: LOG level warning prefix "test1" index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + Command "(null)" is unknown, try "tc actions help". + # tc action add action xt -j LOG --log-prefix test1 index 100 + tablename: mangle hook: NF_IP_POST_ROUTING + target: LOG level warning prefix "test1" index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + ... + +Fix this in the error path of __tcf_ipt_init(), calling tcf_idr_release() +in place of tcf_idr_cleanup(). Since tcf_ipt_release() can now be called +when tcfi_t is NULL, we also need to protect calls to ipt_destroy_target() +to avoid NULL pointer dereference. + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ipt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/sched/act_ipt.c ++++ b/net/sched/act_ipt.c +@@ -80,9 +80,12 @@ static void ipt_destroy_target(struct xt + static void tcf_ipt_release(struct tc_action *a, int bind) + { + struct tcf_ipt *ipt = to_ipt(a); +- ipt_destroy_target(ipt->tcfi_t); ++ ++ if (ipt->tcfi_t) { ++ ipt_destroy_target(ipt->tcfi_t); ++ kfree(ipt->tcfi_t); ++ } + kfree(ipt->tcfi_tname); +- kfree(ipt->tcfi_t); + } + + static const struct nla_policy ipt_policy[TCA_IPT_MAX + 1] = { +@@ -187,7 +190,7 @@ err2: + kfree(tname); + err1: + if (ret == ACT_P_CREATED) +- tcf_idr_cleanup(*a, est); ++ tcf_idr_release(*a, bind); + return err; + } + diff --git a/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch new file mode 100644 index 00000000000..88da5b5a175 --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:24 +0100 +Subject: net/sched: fix idr leak in the error path of tcf_act_police_init() + +From: Davide Caratti + +[ Upstream commit 5bf7f8185f7c7112decdfe3d3e5c5d5e67f099a1 ] + +tcf_act_police_init() can fail after the idr has been successfully +reserved (e.g., qdisc_get_rtab() may return NULL). When this happens, +subsequent attempts to configure a police rule using the same idr value +systematiclly fail with -ENOSPC: + + # tc action add action police rate 1000 burst 1000 drop index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action add action police rate 1000 burst 1000 drop index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + # tc action add action police rate 1000 burst 1000 drop index 100 + RTNETLINK answers: No space left on device + ... + +Fix this in the error path of tcf_act_police_init(), calling +tcf_idr_release() in place of tcf_idr_cleanup(). + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_police.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_police.c ++++ b/net/sched/act_police.c +@@ -194,7 +194,7 @@ failure: + qdisc_put_rtab(P_tab); + qdisc_put_rtab(R_tab); + if (ret == ACT_P_CREATED) +- tcf_idr_cleanup(*a, est); ++ tcf_idr_release(*a, bind); + return err; + } + diff --git a/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch new file mode 100644 index 00000000000..6808138a55a --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:23 +0100 +Subject: net/sched: fix idr leak in the error path of tcf_simp_init() + +From: Davide Caratti + +[ Upstream commit 60e10b3adc3bac0f6a894c28e0eb1f2d13607362 ] + +if the kernel fails to duplicate 'sdata', creation of a new action fails +with -ENOMEM. However, subsequent attempts to install the same action +using the same value of 'index' systematically fail with -ENOSPC, and +that value of 'index' will no more be usable by act_simple, until rmmod / +insmod of act_simple.ko is done: + + # tc actions add action simple sdata hello index 100 + # tc actions list action simple + + action order 0: Simple + index 100 ref 1 bind 0 + # tc actions flush action simple + # tc actions add action simple sdata hello index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc actions flush action simple + # tc actions add action simple sdata hello index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + # tc actions add action simple sdata hello index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + ... + +Fix this in the error path of tcf_simp_init(), calling tcf_idr_release() +in place of tcf_idr_cleanup(). + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Suggested-by: Cong Wang +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_simple.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_simple.c ++++ b/net/sched/act_simple.c +@@ -121,7 +121,7 @@ static int tcf_simp_init(struct net *net + d = to_defact(*a); + ret = alloc_defdata(d, defdata); + if (ret < 0) { +- tcf_idr_cleanup(*a, est); ++ tcf_idr_release(*a, bind); + return ret; + } + d->tcf_action = parm->action; diff --git a/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch new file mode 100644 index 00000000000..de4d0ac54aa --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:28 +0100 +Subject: net/sched: fix idr leak in the error path of tcf_skbmod_init() + +From: Davide Caratti + +[ Upstream commit f29cdfbe33d6915ba8056179b0041279a67e3647 ] + +tcf_skbmod_init() can fail after the idr has been successfully reserved. +When this happens, every subsequent attempt to configure skbmod rules +using the same idr value will systematically fail with -ENOSPC, unless +the first attempt was done using the 'replace' keyword: + + # tc action add action skbmod swap mac index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action add action skbmod swap mac index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + # tc action add action skbmod swap mac index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + ... + +Fix this in tcf_skbmod_init(), ensuring that tcf_idr_release() is called +on the error path when the idr has been reserved, but not yet inserted. +Also, don't test 'ovr' in the error path, to avoid a 'replace' failure +implicitly become a 'delete' that leaks refcount in act_skbmod module: + + # rmmod act_skbmod; modprobe act_skbmod + # tc action add action skbmod swap mac index 100 + # tc action add action skbmod swap mac continue index 100 + RTNETLINK answers: File exists + We have an error talking to the kernel + # tc action replace action skbmod swap mac continue index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action list action skbmod + # + # rmmod act_skbmod + rmmod: ERROR: Module act_skbmod is in use + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_skbmod.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_skbmod.c ++++ b/net/sched/act_skbmod.c +@@ -155,7 +155,7 @@ static int tcf_skbmod_init(struct net *n + ASSERT_RTNL(); + p = kzalloc(sizeof(struct tcf_skbmod_params), GFP_KERNEL); + if (unlikely(!p)) { +- if (ovr) ++ if (ret == ACT_P_CREATED) + tcf_idr_release(*a, bind); + return -ENOMEM; + } diff --git a/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch new file mode 100644 index 00000000000..41d3e929d9d --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:25 +0100 +Subject: net/sched: fix idr leak in the error path of tcp_pedit_init() + +From: Davide Caratti + +[ Upstream commit 94fa3f929ec0c048b1f3658cc335b940df4f6d22 ] + +tcf_pedit_init() can fail to allocate 'keys' after the idr has been +successfully reserved. When this happens, subsequent attempts to configure +a pedit rule using the same idr value systematically fail with -ENOSPC: + + # tc action add action pedit munge ip ttl set 63 index 100 + RTNETLINK answers: Cannot allocate memory + We have an error talking to the kernel + # tc action add action pedit munge ip ttl set 63 index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + # tc action add action pedit munge ip ttl set 63 index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + ... + +Fix this in the error path of tcf_act_pedit_init(), calling +tcf_idr_release() in place of tcf_idr_cleanup(). + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_pedit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_pedit.c ++++ b/net/sched/act_pedit.c +@@ -176,7 +176,7 @@ static int tcf_pedit_init(struct net *ne + p = to_pedit(*a); + keys = kmalloc(ksize, GFP_KERNEL); + if (keys == NULL) { +- tcf_idr_cleanup(*a, est); ++ tcf_idr_release(*a, bind); + kfree(keys_ex); + return -ENOMEM; + } diff --git a/queue-4.14/net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch b/queue-4.14/net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch new file mode 100644 index 00000000000..da26f4e31c3 --- /dev/null +++ b/queue-4.14/net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Mon, 19 Mar 2018 15:31:22 +0100 +Subject: net/sched: fix idr leak on the error path of tcf_bpf_init() + +From: Davide Caratti + +[ Upstream commit bbc09e7842a5023ba5bc0f8d559b9dd464e44006 ] + +when the following command sequence is entered + + # tc action add action bpf bytecode '4,40 0 0 12,31 0 1 2048,6 0 0 262144,6 0 0 0' index 100 + RTNETLINK answers: Invalid argument + We have an error talking to the kernel + # tc action add action bpf bytecode '4,40 0 0 12,21 0 1 2048,6 0 0 262144,6 0 0 0' index 100 + RTNETLINK answers: No space left on device + We have an error talking to the kernel + +act_bpf correctly refuses to install the first TC rule, because 31 is not +a valid instruction. However, it refuses to install the second TC rule, +even if the BPF code is correct. Furthermore, it's no more possible to +install any other rule having the same value of 'index' until act_bpf +module is unloaded/inserted again. After the idr has been reserved, call +tcf_idr_release() instead of tcf_idr_cleanup(), to fix this issue. + +Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR") +Acked-by: Jamal Hadi Salim +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sched/act_bpf.c ++++ b/net/sched/act_bpf.c +@@ -356,7 +356,7 @@ static int tcf_bpf_init(struct net *net, + return res; + out: + if (res == ACT_P_CREATED) +- tcf_idr_cleanup(*act, est); ++ tcf_idr_release(*act, bind); + + return ret; + } diff --git a/queue-4.14/net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch b/queue-4.14/net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch new file mode 100644 index 00000000000..185c1eac537 --- /dev/null +++ b/queue-4.14/net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch @@ -0,0 +1,90 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davide Caratti +Date: Fri, 16 Mar 2018 00:00:56 +0100 +Subject: net/sched: fix NULL dereference in the error path of tcf_sample_init() + +From: Davide Caratti + +[ Upstream commit 1f110e7cae09e6c6a144616480d1a9dd99c5208a ] + +when the following command + + # tc action add action sample rate 100 group 100 index 100 + +is run for the first time, and psample_group_get(100) fails to create a +new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus +causing the following error: + + BUG: unable to handle kernel NULL pointer dereference at 000000000000001c + IP: psample_group_put+0x15/0x71 [psample] + PGD 8000000075775067 P4D 8000000075775067 PUD 7453c067 PMD 0 + Oops: 0002 [#1] SMP PTI + Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key] + CPU: 2 PID: 5740 Comm: tc Tainted: G E 4.16.0-rc4.act_vlan.orig+ #403 + Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 + RIP: 0010:psample_group_put+0x15/0x71 [psample] + RSP: 0018:ffffb8a80032f7d0 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000024 + RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffc06d93c0 + RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044 + R10: 00000000bd003000 R11: ffff979fba04aa59 R12: 0000000000000000 + R13: 0000000000000000 R14: 0000000000000000 R15: ffff979fbba3f22c + FS: 00007f7638112740(0000) GS:ffff979fbfd00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 000000000000001c CR3: 00000000734ea001 CR4: 00000000001606e0 + Call Trace: + __tcf_idr_release+0x79/0xf0 + tcf_sample_init+0x125/0x1d0 [act_sample] + tcf_action_init_1+0x2cc/0x430 + tcf_action_init+0xd3/0x1b0 + tc_ctl_action+0x18b/0x240 + rtnetlink_rcv_msg+0x29c/0x310 + ? _cond_resched+0x15/0x30 + ? __kmalloc_node_track_caller+0x1b9/0x270 + ? rtnl_calcit.isra.28+0x100/0x100 + netlink_rcv_skb+0xd2/0x110 + netlink_unicast+0x17c/0x230 + netlink_sendmsg+0x2cd/0x3c0 + sock_sendmsg+0x30/0x40 + ___sys_sendmsg+0x27a/0x290 + ? filemap_map_pages+0x34a/0x3a0 + ? __handle_mm_fault+0xbfd/0xe20 + __sys_sendmsg+0x51/0x90 + do_syscall_64+0x6e/0x1a0 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + RIP: 0033:0x7f7637523ba0 + RSP: 002b:00007fff0473ef58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e + RAX: ffffffffffffffda RBX: 00007fff0473f080 RCX: 00007f7637523ba0 + RDX: 0000000000000000 RSI: 00007fff0473efd0 RDI: 0000000000000003 + RBP: 000000005aaaac80 R08: 0000000000000002 R09: 0000000000000000 + R10: 00007fff0473e9e0 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007fff0473f094 R14: 0000000000000001 R15: 0000000000669f60 + Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b + RIP: psample_group_put+0x15/0x71 [psample] RSP: ffffb8a80032f7d0 + CR2: 000000000000001c + +Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p) +are done only when p is not NULL. + +Fixes: cadb9c9fdbc6 ("net/sched: act_sample: Fix error path in init") +Signed-off-by: Davide Caratti +Acked-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_sample.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/act_sample.c ++++ b/net/sched/act_sample.c +@@ -103,7 +103,8 @@ static void tcf_sample_cleanup_rcu(struc + + psample_group = rcu_dereference_protected(s->psample_group, 1); + RCU_INIT_POINTER(s->psample_group, NULL); +- psample_group_put(psample_group); ++ if (psample_group) ++ psample_group_put(psample_group); + } + + static void tcf_sample_cleanup(struct tc_action *a, int bind) diff --git a/queue-4.14/net-smc-pay-attention-to-max_order-for-cq-entries.patch b/queue-4.14/net-smc-pay-attention-to-max_order-for-cq-entries.patch new file mode 100644 index 00000000000..64d78106f0b --- /dev/null +++ b/queue-4.14/net-smc-pay-attention-to-max_order-for-cq-entries.patch @@ -0,0 +1,106 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ursula Braun +Date: Wed, 14 Mar 2018 11:01:00 +0100 +Subject: net/smc: pay attention to MAX_ORDER for CQ entries + +From: Ursula Braun + +[ Upstream commit c9f4c6cf53bfafb639386a4c094929f13f573e04 ] + +smc allocates a certain number of CQ entries for used RoCE devices. For +mlx5 devices the chosen constant number results in a large allocation +causing this warning: + +[13355.124656] WARNING: CPU: 3 PID: 16535 at mm/page_alloc.c:3883 __alloc_pages_nodemask+0x2be/0x10c0 +[13355.124657] Modules linked in: smc_diag(O) smc(O) xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter mlx5_ib ib_core sunrpc mlx5_core s390_trng rng_core ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common ptp pps_core eadm_sch dm_multipath dm_mod vhost_net tun vhost tap sch_fq_codel kvm ip_tables x_tables autofs4 [last unloaded: smc] +[13355.124672] CPU: 3 PID: 16535 Comm: kworker/3:0 Tainted: G O 4.14.0uschi #1 +[13355.124673] Hardware name: IBM 3906 M04 704 (LPAR) +[13355.124675] Workqueue: events smc_listen_work [smc] +[13355.124677] task: 00000000e2f22100 task.stack: 0000000084720000 +[13355.124678] Krnl PSW : 0704c00180000000 000000000029da76 (__alloc_pages_nodemask+0x2be/0x10c0) +[13355.124681] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 +[13355.124682] Krnl GPRS: 0000000000000000 00550e00014080c0 0000000000000000 0000000000000001 +[13355.124684] 000000000029d8b6 00000000f3bfd710 0000000000000000 00000000014080c0 +[13355.124685] 0000000000000009 00000000ec277a00 0000000000200000 0000000000000000 +[13355.124686] 0000000000000000 00000000000001ff 000000000029d8b6 0000000084723720 +[13355.124708] Krnl Code: 000000000029da6a: a7110200 tmll %r1,512 + 000000000029da6e: a774ff29 brc 7,29d8c0 + #000000000029da72: a7f40001 brc 15,29da74 + >000000000029da76: a7f4ff25 brc 15,29d8c0 + 000000000029da7a: a7380000 lhi %r3,0 + 000000000029da7e: a7f4fef1 brc 15,29d860 + 000000000029da82: 5820f0c4 l %r2,196(%r15) + 000000000029da86: a53e0048 llilh %r3,72 +[13355.124720] Call Trace: +[13355.124722] ([<000000000029d8b6>] __alloc_pages_nodemask+0xfe/0x10c0) +[13355.124724] [<000000000013bd1e>] s390_dma_alloc+0x6e/0x148 +[13355.124733] [<000003ff802eeba6>] mlx5_dma_zalloc_coherent_node+0x8e/0xe0 [mlx5_core] +[13355.124740] [<000003ff802eee18>] mlx5_buf_alloc_node+0x70/0x108 [mlx5_core] +[13355.124744] [<000003ff804eb410>] mlx5_ib_create_cq+0x558/0x898 [mlx5_ib] +[13355.124749] [<000003ff80407d40>] ib_create_cq+0x48/0x88 [ib_core] +[13355.124751] [<000003ff80109fba>] smc_ib_setup_per_ibdev+0x52/0x118 [smc] +[13355.124753] [<000003ff8010bcb6>] smc_conn_create+0x65e/0x728 [smc] +[13355.124755] [<000003ff801081a2>] smc_listen_work+0x2d2/0x540 [smc] +[13355.124756] [<0000000000162c66>] process_one_work+0x1be/0x440 +[13355.124758] [<0000000000162f40>] worker_thread+0x58/0x458 +[13355.124759] [<0000000000169e7e>] kthread+0x14e/0x168 +[13355.124760] [<00000000009ce8be>] kernel_thread_starter+0x6/0xc +[13355.124762] [<00000000009ce8b8>] kernel_thread_starter+0x0/0xc +[13355.124762] Last Breaking-Event-Address: +[13355.124764] [<000000000029da72>] __alloc_pages_nodemask+0x2ba/0x10c0 +[13355.124764] ---[ end trace 34be38b581c0b585 ]--- + +This patch reduces the smc constant for the maximum number of allocated +completion queue entries SMC_MAX_CQE by 2 to avoid high round up values +in the mlx5 code, and reduces the number of allocated completion queue +entries even more, if the final allocation for an mlx5 device hits the +MAX_ORDER limit. + +Reported-by: Ihnken Menssen +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_ib.c | 10 +++++++++- + net/smc/smc_wr.h | 1 - + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/net/smc/smc_ib.c ++++ b/net/smc/smc_ib.c +@@ -23,6 +23,8 @@ + #include "smc_wr.h" + #include "smc.h" + ++#define SMC_MAX_CQE 32766 /* max. # of completion queue elements */ ++ + #define SMC_QP_MIN_RNR_TIMER 5 + #define SMC_QP_TIMEOUT 15 /* 4096 * 2 ** timeout usec */ + #define SMC_QP_RETRY_CNT 7 /* 7: infinite */ +@@ -435,9 +437,15 @@ out: + long smc_ib_setup_per_ibdev(struct smc_ib_device *smcibdev) + { + struct ib_cq_init_attr cqattr = { +- .cqe = SMC_WR_MAX_CQE, .comp_vector = 0 }; ++ .cqe = SMC_MAX_CQE, .comp_vector = 0 }; ++ int cqe_size_order, smc_order; + long rc; + ++ /* the calculated number of cq entries fits to mlx5 cq allocation */ ++ cqe_size_order = cache_line_size() == 128 ? 7 : 6; ++ smc_order = MAX_ORDER - cqe_size_order - 1; ++ if (SMC_MAX_CQE + 2 > (0x00000001 << smc_order) * PAGE_SIZE) ++ cqattr.cqe = (0x00000001 << smc_order) * PAGE_SIZE - 2; + smcibdev->roce_cq_send = ib_create_cq(smcibdev->ibdev, + smc_wr_tx_cq_handler, NULL, + smcibdev, &cqattr); +--- a/net/smc/smc_wr.h ++++ b/net/smc/smc_wr.h +@@ -19,7 +19,6 @@ + #include "smc.h" + #include "smc_core.h" + +-#define SMC_WR_MAX_CQE 32768 /* max. # of completion queue elements */ + #define SMC_WR_BUF_CNT 16 /* # of ctrl buffers per link */ + + #define SMC_WR_TX_WAIT_FREE_SLOT_TIME (10 * HZ) diff --git a/queue-4.14/net-smc-use-link_id-of-server-in-confirm-link-reply.patch b/queue-4.14/net-smc-use-link_id-of-server-in-confirm-link-reply.patch new file mode 100644 index 00000000000..7adf4fa1714 --- /dev/null +++ b/queue-4.14/net-smc-use-link_id-of-server-in-confirm-link-reply.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Karsten Graul +Date: Wed, 28 Feb 2018 12:44:08 +0100 +Subject: net/smc: use link_id of server in confirm link reply + +From: Karsten Graul + +[ Upstream commit 2be922f31606f114119f48de3207d122a90e7357 ] + +The CONFIRM LINK reply message must contain the link_id sent +by the server. And set the link_id explicitly when +initializing the link. + +Signed-off-by: Karsten Graul +Signed-off-by: Ursula Braun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/smc/smc_core.c | 1 + + net/smc/smc_llc.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/net/smc/smc_core.c ++++ b/net/smc/smc_core.c +@@ -174,6 +174,7 @@ static int smc_lgr_create(struct smc_soc + + lnk = &lgr->lnk[SMC_SINGLE_LINK]; + /* initialize link */ ++ lnk->link_id = SMC_SINGLE_LINK; + lnk->smcibdev = smcibdev; + lnk->ibport = ibport; + lnk->path_mtu = smcibdev->pattr[ibport - 1].active_mtu; +--- a/net/smc/smc_llc.c ++++ b/net/smc/smc_llc.c +@@ -92,7 +92,7 @@ int smc_llc_send_confirm_link(struct smc + memcpy(confllc->sender_mac, mac, ETH_ALEN); + memcpy(confllc->sender_gid, gid, SMC_GID_SIZE); + hton24(confllc->sender_qp_num, link->roce_qp->qp_num); +- /* confllc->link_num = SMC_SINGLE_LINK; already done by memset above */ ++ confllc->link_num = link->link_id; + memcpy(confllc->link_uid, lgr->id, SMC_LGR_ID_SIZE); + confllc->max_links = SMC_LINKS_PER_LGR_MAX; + /* send llc message */ diff --git a/queue-4.14/net-smsc911x-fix-unload-crash-when-link-is-up.patch b/queue-4.14/net-smsc911x-fix-unload-crash-when-link-is-up.patch new file mode 100644 index 00000000000..64f7aa9868c --- /dev/null +++ b/queue-4.14/net-smsc911x-fix-unload-crash-when-link-is-up.patch @@ -0,0 +1,69 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jeremy Linton +Date: Tue, 6 Mar 2018 09:00:06 -0600 +Subject: net: smsc911x: Fix unload crash when link is up + +From: Jeremy Linton + +[ Upstream commit e06513d78d54e6c7026c9043a39e2c01ee25bdbe ] + +The smsc911x driver will crash if it is rmmod'ed while the netdev +is up like: + +Call trace: + phy_detach+0x94/0x150 + phy_disconnect+0x40/0x50 + smsc911x_stop+0x104/0x128 [smsc911x] + __dev_close_many+0xb4/0x138 + dev_close_many+0xbc/0x190 + rollback_registered_many+0x140/0x460 + rollback_registered+0x68/0xb0 + unregister_netdevice_queue+0x100/0x118 + unregister_netdev+0x28/0x38 + smsc911x_drv_remove+0x58/0x130 [smsc911x] + platform_drv_remove+0x30/0x50 + device_release_driver_internal+0x15c/0x1f8 + driver_detach+0x54/0x98 + bus_remove_driver+0x64/0xe8 + driver_unregister+0x34/0x60 + platform_driver_unregister+0x20/0x30 + smsc911x_cleanup_module+0x14/0xbca8 [smsc911x] + SyS_delete_module+0x1e8/0x238 + __sys_trace_return+0x0/0x4 + +This is caused by the mdiobus being unregistered/free'd +and the code in phy_detach() attempting to manipulate mdio +related structures from unregister_netdev() calling close() + +To fix this, we delay the mdiobus teardown until after +the netdev is deregistered. + +Reported-by: Matt Sealey +Signed-off-by: Jeremy Linton +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/smsc/smsc911x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/smsc/smsc911x.c ++++ b/drivers/net/ethernet/smsc/smsc911x.c +@@ -2335,14 +2335,14 @@ static int smsc911x_drv_remove(struct pl + pdata = netdev_priv(dev); + BUG_ON(!pdata); + BUG_ON(!pdata->ioaddr); +- WARN_ON(dev->phydev); + + SMSC_TRACE(pdata, ifdown, "Stopping driver"); + ++ unregister_netdev(dev); ++ + mdiobus_unregister(pdata->mii_bus); + mdiobus_free(pdata->mii_bus); + +- unregister_netdev(dev); + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, + "smsc911x-memory"); + if (!res) diff --git a/queue-4.14/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch b/queue-4.14/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch new file mode 100644 index 00000000000..3a5406a23c1 --- /dev/null +++ b/queue-4.14/net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Niklas Cassel +Date: Mon, 19 Feb 2018 18:11:13 +0100 +Subject: net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() + +From: Niklas Cassel + +[ Upstream commit 13138de01400762f706c5e956e70660770d61962 ] + +stmmac_mac_config_rx_queues_routing() incorrectly calls rx_queue_prio() +instead of rx_queue_routing(). + +This looks like a copy paste issue, since +stmmac_mac_config_rx_queues_prio() already calls rx_queue_prio(), +and both stmmac_mac_config_rx_queues_routing() and +stmmac_mac_config_rx_queues_prio() are very similar in structure. + +Fixes: abe80fdc6ee6 ("net: stmmac: RX queue routing configuration") +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2373,7 +2373,7 @@ static void stmmac_mac_config_rx_queues_ + continue; + + packet = priv->plat->rx_queues_cfg[queue].pkt_route; +- priv->hw->mac->rx_queue_prio(priv->hw, packet, queue); ++ priv->hw->mac->rx_queue_routing(priv->hw, packet, queue); + } + } + diff --git a/queue-4.14/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch b/queue-4.14/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch new file mode 100644 index 00000000000..eb23d56e678 --- /dev/null +++ b/queue-4.14/net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:08 +0100 +Subject: net: stmmac: ensure that the device has released ownership before reading data + +From: Niklas Cassel + +[ Upstream commit a6b25da5e7ba212af5826a662e6a035a79bffabd ] + +According to Documentation/memory-barriers.txt, we need to use a +dma_rmb() after reading the status/own bit, to ensure that all +descriptor fields are read after reading the own bit. + +This way, we ensure that the DMA engine is done with the DMA +descriptor before we read the other descriptor fields, e.g. reading +the tx hardware timestamp (if PTP is enabled). + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -1829,6 +1829,11 @@ static void stmmac_tx_clean(struct stmma + if (unlikely(status & tx_dma_own)) + break; + ++ /* Make sure descriptor fields are read after reading ++ * the own bit. ++ */ ++ dma_rmb(); ++ + /* Just consider the last segment and ...*/ + if (likely(!(status & tx_not_ls))) { + /* ... verify the status error condition */ diff --git a/queue-4.14/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch b/queue-4.14/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch new file mode 100644 index 00000000000..294a0da5a78 --- /dev/null +++ b/queue-4.14/net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Niklas Cassel +Date: Mon, 26 Feb 2018 22:47:06 +0100 +Subject: net: stmmac: ensure that the MSS desc is the last desc to set the own bit + +From: Niklas Cassel + +[ Upstream commit 15d2ee42a3087089e73ad52fd8c1b37ab496b87c ] + +A dma_wmb() is used to guarantee the ordering, with respect to +other writes, to cache coherent DMA memory. + +There is a dma_wmb() in prepare_tx_desc()/prepare_tso_tx_desc() which +ensures that TDES0/1/2 is written before TDES3 (which contains the own +bit), for First Desc. + +However, in the rare case that MSS changes, there will be a MSS +context descriptor in front of the regular DMA descriptors: + + <- DMA Next Descriptor + + + + +Thus, for this special case, we need a dma_wmb() +after prepare_tso_tx_desc()/before writing the own bit to the MSS desc, +so that we flush the write to TDES3 for First Desc, +in order to ensure that the MSS descriptor is the last descriptor to +set the own bit. + +Signed-off-by: Niklas Cassel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -2923,8 +2923,15 @@ static netdev_tx_t stmmac_tso_xmit(struc + tcp_hdrlen(skb) / 4, (skb->len - proto_hdr_len)); + + /* If context desc is used to change MSS */ +- if (mss_desc) ++ if (mss_desc) { ++ /* Make sure that first descriptor has been completely ++ * written, including its own bit. This is because MSS is ++ * actually before first descriptor, so we need to make ++ * sure that MSS's own bit is the last thing written. ++ */ ++ dma_wmb(); + priv->hw->desc->set_tx_owner(mss_desc); ++ } + + /* The own bit must be the latest setting done when prepare the + * descriptor and then barrier is needed to make sure that diff --git a/queue-4.14/net-tcp-illinois-replace-broken-algorithm-reference-link.patch b/queue-4.14/net-tcp-illinois-replace-broken-algorithm-reference-link.patch new file mode 100644 index 00000000000..096edf0c6ed --- /dev/null +++ b/queue-4.14/net-tcp-illinois-replace-broken-algorithm-reference-link.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Joey Pabalinas +Date: Tue, 27 Feb 2018 22:05:53 -1000 +Subject: net/tcp/illinois: replace broken algorithm reference link + +From: Joey Pabalinas + +[ Upstream commit ecc832758a654e375924ebf06a4ac971acb5ce60 ] + +The link to the pdf containing the algorithm description is now a +dead link; it seems http://www.ifp.illinois.edu/~srikant/ has been +moved to https://sites.google.com/a/illinois.edu/srikant/ and none of +the original papers can be found there... + +I have replaced it with the only working copy I was able to find. + +n.b. there is also a copy available at: + +http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.296.6350&rep=rep1&type=pdf + +However, this seems to only be a *cached* version, so I am unsure +exactly how reliable that link can be expected to remain over time +and have decided against using that one. + +Signed-off-by: Joey Pabalinas + + net/ipv4/tcp_illinois.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_illinois.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv4/tcp_illinois.c ++++ b/net/ipv4/tcp_illinois.c +@@ -6,7 +6,7 @@ + * The algorithm is described in: + * "TCP-Illinois: A Loss and Delay-Based Congestion Control Algorithm + * for High-Speed Networks" +- * http://www.ifp.illinois.edu/~srikant/Papers/liubassri06perf.pdf ++ * http://tamerbasar.csl.illinois.edu/LiuBasarSrikantPerfEvalArtJun2008.pdf + * + * Implemented from description in paper and ns-2 simulation. + * Copyright (C) 2007 Stephen Hemminger diff --git a/queue-4.14/netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch b/queue-4.14/netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch new file mode 100644 index 00000000000..790403069e3 --- /dev/null +++ b/queue-4.14/netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch @@ -0,0 +1,66 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Westphal +Date: Thu, 15 Feb 2018 00:23:05 +0100 +Subject: netfilter: don't set F_IFACE on ipv6 fib lookups + +From: Florian Westphal + +[ Upstream commit 47b7e7f82802dced3ac73658bf4b77584a63063f ] + +"fib" starts to behave strangely when an ipv6 default route is +added - the FIB lookup returns a route using 'oif' in this case. + +This behaviour was inherited from ip6tables rpfilter so change +this as well. + +Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1221 +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/netfilter/ip6t_rpfilter.c | 4 ---- + net/ipv6/netfilter/nft_fib_ipv6.c | 12 ++---------- + 2 files changed, 2 insertions(+), 14 deletions(-) + +--- a/net/ipv6/netfilter/ip6t_rpfilter.c ++++ b/net/ipv6/netfilter/ip6t_rpfilter.c +@@ -48,10 +48,6 @@ static bool rpfilter_lookup_reverse6(str + } + + fl6.flowi6_mark = flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0; +- if ((flags & XT_RPFILTER_LOOSE) == 0) { +- fl6.flowi6_oif = dev->ifindex; +- lookup_flags |= RT6_LOOKUP_F_IFACE; +- } + + rt = (void *) ip6_route_lookup(net, &fl6, lookup_flags); + if (rt->dst.error) +--- a/net/ipv6/netfilter/nft_fib_ipv6.c ++++ b/net/ipv6/netfilter/nft_fib_ipv6.c +@@ -182,7 +182,6 @@ void nft_fib6_eval(const struct nft_expr + } + + *dest = 0; +- again: + rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, lookup_flags); + if (rt->dst.error) + goto put_rt_err; +@@ -191,15 +190,8 @@ void nft_fib6_eval(const struct nft_expr + if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL)) + goto put_rt_err; + +- if (oif && oif != rt->rt6i_idev->dev) { +- /* multipath route? Try again with F_IFACE */ +- if ((lookup_flags & RT6_LOOKUP_F_IFACE) == 0) { +- lookup_flags |= RT6_LOOKUP_F_IFACE; +- fl6.flowi6_oif = oif->ifindex; +- ip6_rt_put(rt); +- goto again; +- } +- } ++ if (oif && oif != rt->rt6i_idev->dev) ++ goto put_rt_err; + + switch (priv->result) { + case NFT_FIB_RESULT_OIF: diff --git a/queue-4.14/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch b/queue-4.14/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch new file mode 100644 index 00000000000..0b1c152d494 --- /dev/null +++ b/queue-4.14/netfilter-ebtables-convert-bug_ons-to-warn_ons.patch @@ -0,0 +1,107 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Westphal +Date: Mon, 19 Feb 2018 01:24:53 +0100 +Subject: netfilter: ebtables: convert BUG_ONs to WARN_ONs + +From: Florian Westphal + +[ Upstream commit fc6a5d0601c5ac1d02f283a46f60b87b2033e5ca ] + +All of these conditions are not fatal and should have +been WARN_ONs from the get-go. + +Convert them to WARN_ONs and bail out. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -1641,7 +1641,8 @@ static int compat_match_to_user(struct e + int off = ebt_compat_match_offset(match, m->match_size); + compat_uint_t msize = m->match_size - off; + +- BUG_ON(off >= m->match_size); ++ if (WARN_ON(off >= m->match_size)) ++ return -EINVAL; + + if (copy_to_user(cm->u.name, match->name, + strlen(match->name) + 1) || put_user(msize, &cm->match_size)) +@@ -1671,7 +1672,8 @@ static int compat_target_to_user(struct + int off = xt_compat_target_offset(target); + compat_uint_t tsize = t->target_size - off; + +- BUG_ON(off >= t->target_size); ++ if (WARN_ON(off >= t->target_size)) ++ return -EINVAL; + + if (copy_to_user(cm->u.name, target->name, + strlen(target->name) + 1) || put_user(tsize, &cm->match_size)) +@@ -1907,7 +1909,8 @@ static int ebt_buf_add(struct ebt_entrie + if (state->buf_kern_start == NULL) + goto count_only; + +- BUG_ON(state->buf_kern_offset + sz > state->buf_kern_len); ++ if (WARN_ON(state->buf_kern_offset + sz > state->buf_kern_len)) ++ return -EINVAL; + + memcpy(state->buf_kern_start + state->buf_kern_offset, data, sz); + +@@ -1920,7 +1923,8 @@ static int ebt_buf_add_pad(struct ebt_en + { + char *b = state->buf_kern_start; + +- BUG_ON(b && state->buf_kern_offset > state->buf_kern_len); ++ if (WARN_ON(b && state->buf_kern_offset > state->buf_kern_len)) ++ return -EINVAL; + + if (b != NULL && sz > 0) + memset(b + state->buf_kern_offset, 0, sz); +@@ -1997,8 +2001,10 @@ static int compat_mtw_from_user(struct c + pad = XT_ALIGN(size_kern) - size_kern; + + if (pad > 0 && dst) { +- BUG_ON(state->buf_kern_len <= pad); +- BUG_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad); ++ if (WARN_ON(state->buf_kern_len <= pad)) ++ return -EINVAL; ++ if (WARN_ON(state->buf_kern_offset - (match_size + off) + size_kern > state->buf_kern_len - pad)) ++ return -EINVAL; + memset(dst + size_kern, 0, pad); + } + return off + match_size; +@@ -2048,7 +2054,8 @@ static int ebt_size_mwt(struct compat_eb + if (ret < 0) + return ret; + +- BUG_ON(ret < match32->match_size); ++ if (WARN_ON(ret < match32->match_size)) ++ return -EINVAL; + growth += ret - match32->match_size; + growth += ebt_compat_entry_padsize(); + +@@ -2157,7 +2164,8 @@ static int size_entry_mwt(struct ebt_ent + + startoff = state->buf_user_offset - startoff; + +- BUG_ON(*total < startoff); ++ if (WARN_ON(*total < startoff)) ++ return -EINVAL; + *total -= startoff; + return 0; + } +@@ -2286,7 +2294,8 @@ static int compat_do_replace(struct net + state.buf_kern_len = size64; + + ret = compat_copy_entries(entries_tmp, tmp.entries_size, &state); +- BUG_ON(ret < 0); /* parses same data again */ ++ if (WARN_ON(ret < 0)) ++ goto out_unlock; + + vfree(entries_tmp); + tmp.entries_size = size64; diff --git a/queue-4.14/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch b/queue-4.14/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch new file mode 100644 index 00000000000..daf133459b2 --- /dev/null +++ b/queue-4.14/netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Westphal +Date: Thu, 8 Mar 2018 12:54:19 +0100 +Subject: netfilter: ebtables: fix erroneous reject of last rule + +From: Florian Westphal + +[ Upstream commit 932909d9b28d27e807ff8eecb68c7748f6701628 ] + +The last rule in the blob has next_entry offset that is same as total size. +This made "ebtables32 -A OUTPUT -d de:ad:be:ef:01:02" fail on 64 bit kernel. + +Fixes: b71812168571fa ("netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/netfilter/ebtables.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -2124,8 +2124,12 @@ static int size_entry_mwt(struct ebt_ent + * offsets are relative to beginning of struct ebt_entry (i.e., 0). + */ + for (i = 0; i < 4 ; ++i) { +- if (offsets[i] >= *total) ++ if (offsets[i] > *total) + return -EINVAL; ++ ++ if (i < 3 && offsets[i] == *total) ++ return -EINVAL; ++ + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) diff --git a/queue-4.14/netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch b/queue-4.14/netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch new file mode 100644 index 00000000000..b1a753c5e47 --- /dev/null +++ b/queue-4.14/netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Westphal +Date: Fri, 16 Feb 2018 12:49:33 +0100 +Subject: netfilter: ipt_CLUSTERIP: put config instead of freeing it + +From: Florian Westphal + +[ Upstream commit 1a9da5937386dbe553ffcf6c65d985bd48c347c5 ] + +Once struct is added to per-netns list it becomes visible to other cpus, +so we cannot use kfree(). + +Also delay setting entries refcount to 1 until after everything is +initialised so that when we call clusterip_config_put() in this spot +entries is still zero. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -228,7 +228,6 @@ clusterip_config_init(struct net *net, c + c->hash_mode = i->hash_mode; + c->hash_initval = i->hash_initval; + refcount_set(&c->refcount, 1); +- refcount_set(&c->entries, 1); + + spin_lock_bh(&cn->lock); + if (__clusterip_config_find(net, ip)) { +@@ -259,8 +258,10 @@ clusterip_config_init(struct net *net, c + + c->notifier.notifier_call = clusterip_netdev_event; + err = register_netdevice_notifier(&c->notifier); +- if (!err) ++ if (!err) { ++ refcount_set(&c->entries, 1); + return c; ++ } + + #ifdef CONFIG_PROC_FS + proc_remove(c->pde); +@@ -269,7 +270,7 @@ err: + spin_lock_bh(&cn->lock); + list_del_rcu(&c->list); + spin_unlock_bh(&cn->lock); +- kfree(c); ++ clusterip_config_put(c); + + return ERR_PTR(err); + } diff --git a/queue-4.14/netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch b/queue-4.14/netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch new file mode 100644 index 00000000000..46b319cdf37 --- /dev/null +++ b/queue-4.14/netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Florian Westphal +Date: Fri, 16 Feb 2018 12:49:32 +0100 +Subject: netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount + +From: Florian Westphal + +[ Upstream commit 8ae56822812ddedc26a152ab1916eb30120b4748 ] + +This needs to put() the entry to avoid a resource leak in error path. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c ++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c +@@ -492,12 +492,15 @@ static int clusterip_tg_check(const stru + return PTR_ERR(config); + } + } +- cipinfo->config = config; + + ret = nf_ct_netns_get(par->net, par->family); +- if (ret < 0) ++ if (ret < 0) { + pr_info("cannot load conntrack support for proto=%u\n", + par->family); ++ clusterip_config_entry_put(par->net, config); ++ clusterip_config_put(config); ++ return ret; ++ } + + if (!par->net->xt.clusterip_deprecated_warning) { + pr_info("ipt_CLUSTERIP is deprecated and it will removed soon, " +@@ -505,6 +508,7 @@ static int clusterip_tg_check(const stru + par->net->xt.clusterip_deprecated_warning = true; + } + ++ cipinfo->config = config; + return ret; + } + diff --git a/queue-4.14/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch b/queue-4.14/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch new file mode 100644 index 00000000000..d42cc82a5c0 --- /dev/null +++ b/queue-4.14/netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Richard Haines +Date: Mon, 13 Nov 2017 20:54:22 +0000 +Subject: netlabel: If PF_INET6, check sk_buff ip header version + +From: Richard Haines + +[ Upstream commit 213d7f94775322ba44e0bbb55ec6946e9de88cea ] + +When resolving a fallback label, check the sk_buff version as it +is possible (e.g. SCTP) to have family = PF_INET6 while +receiving ip_hdr(skb)->version = 4. + +Signed-off-by: Richard Haines +Acked-by: Paul Moore +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netlabel/netlabel_unlabeled.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/net/netlabel/netlabel_unlabeled.c ++++ b/net/netlabel/netlabel_unlabeled.c +@@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct + iface = rcu_dereference(netlbl_unlhsh_def); + if (iface == NULL || !iface->valid) + goto unlabel_getattr_nolabel; ++ ++#if IS_ENABLED(CONFIG_IPV6) ++ /* When resolving a fallback label, check the sk_buff version as ++ * it is possible (e.g. SCTP) to have family = PF_INET6 while ++ * receiving ip_hdr(skb)->version = 4. ++ */ ++ if (family == PF_INET6 && ip_hdr(skb)->version == 4) ++ family = PF_INET; ++#endif /* IPv6 */ ++ + switch (family) { + case PF_INET: { + struct iphdr *hdr4; diff --git a/queue-4.14/nfc-llcp-limit-size-of-sdp-uri.patch b/queue-4.14/nfc-llcp-limit-size-of-sdp-uri.patch new file mode 100644 index 00000000000..4c63c3b5df0 --- /dev/null +++ b/queue-4.14/nfc-llcp-limit-size-of-sdp-uri.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Kees Cook +Date: Wed, 14 Feb 2018 15:45:07 -0800 +Subject: NFC: llcp: Limit size of SDP URI + +From: Kees Cook + +[ Upstream commit fe9c842695e26d8116b61b80bfb905356f07834b ] + +The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce +this both in the NLA policy and in the code that performs the allocation +and copy, to avoid writing past the end of the allocated buffer. + +Fixes: d9b8d8e19b073 ("NFC: llcp: Service Name Lookup netlink interface") +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_commands.c | 4 ++++ + net/nfc/netlink.c | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/net/nfc/llcp_commands.c ++++ b/net/nfc/llcp_commands.c +@@ -149,6 +149,10 @@ struct nfc_llcp_sdp_tlv *nfc_llcp_build_ + + pr_debug("uri: %s, len: %zu\n", uri, uri_len); + ++ /* sdreq->tlv_len is u8, takes uri_len, + 3 for header, + 1 for NULL */ ++ if (WARN_ON_ONCE(uri_len > U8_MAX - 4)) ++ return NULL; ++ + sdreq = kzalloc(sizeof(struct nfc_llcp_sdp_tlv), GFP_KERNEL); + if (sdreq == NULL) + return NULL; +--- a/net/nfc/netlink.c ++++ b/net/nfc/netlink.c +@@ -61,7 +61,8 @@ static const struct nla_policy nfc_genl_ + }; + + static const struct nla_policy nfc_sdp_genl_policy[NFC_SDP_ATTR_MAX + 1] = { +- [NFC_SDP_ATTR_URI] = { .type = NLA_STRING }, ++ [NFC_SDP_ATTR_URI] = { .type = NLA_STRING, ++ .len = U8_MAX - 4 }, + [NFC_SDP_ATTR_SAP] = { .type = NLA_U8 }, + }; + diff --git a/queue-4.14/nfs-system-crashes-after-nfs4err_moved-recovery.patch b/queue-4.14/nfs-system-crashes-after-nfs4err_moved-recovery.patch new file mode 100644 index 00000000000..5a909239bdc --- /dev/null +++ b/queue-4.14/nfs-system-crashes-after-nfs4err_moved-recovery.patch @@ -0,0 +1,72 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Bill.Baker@oracle.com" +Date: Wed, 21 Feb 2018 12:46:43 -0600 +Subject: nfs: system crashes after NFS4ERR_MOVED recovery + +From: "Bill.Baker@oracle.com" + +[ Upstream commit ad86f605c59500da82d196ac312cfbac3daba31d ] + +nfs4_update_server unconditionally releases the nfs_client for the +source server. If migration fails, this can cause the source server's +nfs_client struct to be left with a low reference count, resulting in +use-after-free. Also, adjust reference count handling for ELOOP. + +NFS: state manager: migration failed on NFSv4 server nfsvmu10 with error 6 +WARNING: CPU: 16 PID: 17960 at fs/nfs/client.c:281 nfs_put_client+0xfa/0x110 [nfs]() + nfs_put_client+0xfa/0x110 [nfs] + nfs4_run_state_manager+0x30/0x40 [nfsv4] + kthread+0xd8/0xf0 + +BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8 + nfs4_xdr_enc_write+0x6b/0x160 [nfsv4] + rpcauth_wrap_req+0xac/0xf0 [sunrpc] + call_transmit+0x18c/0x2c0 [sunrpc] + __rpc_execute+0xa6/0x490 [sunrpc] + rpc_async_schedule+0x15/0x20 [sunrpc] + process_one_work+0x160/0x470 + worker_thread+0x112/0x540 + ? rescuer_thread+0x3f0/0x3f0 + kthread+0xd8/0xf0 + +This bug was introduced by 32e62b7c ("NFS: Add nfs4_update_server"), +but the fix applies cleanly to 52442f9b ("NFS4: Avoid migration loops") + +Reported-by: Helen Chao +Fixes: 52442f9b11b7 ("NFS4: Avoid migration loops") +Signed-off-by: Bill Baker +Reviewed-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4client.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -858,8 +858,10 @@ static int nfs4_set_client(struct nfs_se + if (IS_ERR(clp)) + return PTR_ERR(clp); + +- if (server->nfs_client == clp) ++ if (server->nfs_client == clp) { ++ nfs_put_client(clp); + return -ELOOP; ++ } + + /* + * Query for the lease time on clientid setup or renewal +@@ -1217,11 +1219,11 @@ int nfs4_update_server(struct nfs_server + clp->cl_proto, clnt->cl_timeout, + clp->cl_minorversion, net); + clear_bit(NFS_MIG_TSM_POSSIBLE, &server->mig_status); +- nfs_put_client(clp); + if (error != 0) { + nfs_server_insert_lists(server); + return error; + } ++ nfs_put_client(clp); + + if (server->nfs_client->cl_hostname == NULL) + server->nfs_client->cl_hostname = kstrdup(hostname, GFP_KERNEL); diff --git a/queue-4.14/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch b/queue-4.14/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch new file mode 100644 index 00000000000..6f5d15b7134 --- /dev/null +++ b/queue-4.14/nvme-don-t-send-keep-alives-to-the-discovery-controller.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Johannes Thumshirn +Date: Thu, 12 Apr 2018 09:16:06 -0600 +Subject: nvme: don't send keep-alives to the discovery controller + +From: Johannes Thumshirn + +[ Upstream commit 74c6c71530847808d4e3be7b205719270efee80c ] + +NVMe over Fabrics 1.0 Section 5.2 "Discovery Controller Properties and +Command Support" Figure 31 "Discovery Controller – Admin Commands" +explicitly listst all commands but "Get Log Page" and "Identify" as +reserved, but NetApp report the Linux host is sending Keep Alive +commands to the discovery controller, which is a violation of the +Spec. + +We're already checking for discovery controllers when configuring the +keep alive timeout but when creating a discovery controller we're not +hard wiring the keep alive timeout to 0 and thus remain on +NVME_DEFAULT_KATO for the discovery controller. + +This can be easily remproduced when issuing a direct connect to the +discovery susbsystem using: +'nvme connect [...] --nqn=nqn.2014-08.org.nvmexpress.discovery' + +Signed-off-by: Johannes Thumshirn +Fixes: 07bfcd09a288 ("nvme-fabrics: add a generic NVMe over Fabrics library") +Reported-by: Martin George +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/fabrics.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/fabrics.c ++++ b/drivers/nvme/host/fabrics.c +@@ -606,8 +606,10 @@ static int nvmf_parse_options(struct nvm + opts->discovery_nqn = + !(strcmp(opts->subsysnqn, + NVME_DISC_SUBSYS_NAME)); +- if (opts->discovery_nqn) ++ if (opts->discovery_nqn) { ++ opts->kato = 0; + opts->nr_io_queues = 0; ++ } + break; + case NVMF_OPT_TRADDR: + p = match_strdup(args); diff --git a/queue-4.14/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch b/queue-4.14/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch new file mode 100644 index 00000000000..8efc19a795d --- /dev/null +++ b/queue-4.14/nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Jarosław Janik" +Date: Sun, 11 Mar 2018 19:51:56 +0100 +Subject: nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A + +From: "Jarosław Janik" + +[ Upstream commit 467c77d4cbefaaf65e2f44fe102d543a52fcae5b ] + +Yet another "incompatible" Samsung NVMe SSD 960 EVO and Asus motherboard +combination. 960 EVO device disappears from PCIe bus within few minutes +after boot-up when APST is in use and never gets back. Forcing +NVME_QUIRK_NO_APST is the only way to make this drive work with this +particular motherboard. NVME_QUIRK_NO_DEEPEST_PS doesn't work, upgrading +motherboard's BIOS didn't help either. +Since this is a desktop motherboard, the only drawback of not using APST +is increased device temperature. + +Signed-off-by: Jarosław Janik +Signed-off-by: Keith Busch +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -2314,10 +2314,13 @@ static unsigned long check_vendor_combin + } else if (pdev->vendor == 0x144d && pdev->device == 0xa804) { + /* + * Samsung SSD 960 EVO drops off the PCIe bus after system +- * suspend on a Ryzen board, ASUS PRIME B350M-A. ++ * suspend on a Ryzen board, ASUS PRIME B350M-A, as well as ++ * within few minutes after bootup on a Coffee Lake board - ++ * ASUS PRIME Z370-A + */ + if (dmi_match(DMI_BOARD_VENDOR, "ASUSTeK COMPUTER INC.") && +- dmi_match(DMI_BOARD_NAME, "PRIME B350M-A")) ++ (dmi_match(DMI_BOARD_NAME, "PRIME B350M-A") || ++ dmi_match(DMI_BOARD_NAME, "PRIME Z370-A"))) + return NVME_QUIRK_NO_APST; + } + diff --git a/queue-4.14/nvme-pci-fix-eeh-failure-on-ppc.patch b/queue-4.14/nvme-pci-fix-eeh-failure-on-ppc.patch new file mode 100644 index 00000000000..cf3137645ab --- /dev/null +++ b/queue-4.14/nvme-pci-fix-eeh-failure-on-ppc.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Wen Xiong +Date: Thu, 15 Feb 2018 14:05:10 -0600 +Subject: nvme-pci: Fix EEH failure on ppc + +From: Wen Xiong + +[ Upstream commit 651438bb0af5213f1f70d66e75bf11d08cb5537a ] + +Triggering PPC EEH detection and handling requires a memory mapped read +failure. The NVMe driver removed the periodic health check MMIO, so +there's no early detection mechanism to trigger the recovery. Instead, +the detection now happens when the nvme driver handles an IO timeout +event. This takes the pci channel offline, so we do not want the driver +to proceed with escalating its own recovery efforts that may conflict +with the EEH handler. + +This patch ensures the driver will observe the channel was set to offline +after a failed MMIO read and resets the IO timer so the EEH handler has +a chance to recover the device. + +Signed-off-by: Wen Xiong +[updated change log] +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1013,12 +1013,6 @@ static bool nvme_should_reset(struct nvm + if (!(csts & NVME_CSTS_CFS) && !nssro) + return false; + +- /* If PCI error recovery process is happening, we cannot reset or +- * the recovery mechanism will surely fail. +- */ +- if (pci_channel_offline(to_pci_dev(dev->dev))) +- return false; +- + return true; + } + +@@ -1049,6 +1043,13 @@ static enum blk_eh_timer_return nvme_tim + struct nvme_command cmd; + u32 csts = readl(dev->bar + NVME_REG_CSTS); + ++ /* If PCI error recovery process is happening, we cannot reset or ++ * the recovery mechanism will surely fail. ++ */ ++ mb(); ++ if (pci_channel_offline(to_pci_dev(dev->dev))) ++ return BLK_EH_RESET_TIMER; ++ + /* + * Reset immediately if the controller is failed + */ diff --git a/queue-4.14/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch b/queue-4.14/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch new file mode 100644 index 00000000000..474d37be2bf --- /dev/null +++ b/queue-4.14/nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jianchao Wang +Date: Thu, 15 Feb 2018 19:13:41 +0800 +Subject: nvme-pci: Fix nvme queue cleanup if IRQ setup fails + +From: Jianchao Wang + +[ Upstream commit f25a2dfc20e3a3ed8fe6618c331799dd7bd01190 ] + +This patch fixes nvme queue cleanup if requesting an IRQ handler for +the queue's vector fails. It does this by resetting the cq_vector to +the uninitialized value of -1 so it is ignored for a controller reset. + +Signed-off-by: Jianchao Wang +[changelog updates, removed misc whitespace changes] +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1322,7 +1322,7 @@ static int nvme_create_queue(struct nvme + nvmeq->cq_vector = qid - 1; + result = adapter_alloc_cq(dev, qid, nvmeq); + if (result < 0) +- return result; ++ goto release_vector; + + result = adapter_alloc_sq(dev, qid, nvmeq); + if (result < 0) +@@ -1336,9 +1336,12 @@ static int nvme_create_queue(struct nvme + return result; + + release_sq: ++ dev->online_queues--; + adapter_delete_sq(dev, qid); + release_cq: + adapter_delete_cq(dev, qid); ++ release_vector: ++ nvmeq->cq_vector = -1; + return result; + } + diff --git a/queue-4.14/nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch b/queue-4.14/nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch new file mode 100644 index 00000000000..fcc2e993d88 --- /dev/null +++ b/queue-4.14/nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ming Lei +Date: Tue, 6 Feb 2018 20:17:42 +0800 +Subject: nvme: pci: pass max vectors as num_possible_cpus() to pci_alloc_irq_vectors + +From: Ming Lei + +[ Upstream commit 16ccfff2897613007b5eda9e29d65303c6280026 ] + +84676c1f21 ("genirq/affinity: assign vectors to all possible CPUs") +has switched to do irq vectors spread among all possible CPUs, so +pass num_possible_cpus() as max vecotrs to be assigned. + +For example, in a 8 cores system, 0~3 online, 4~8 offline/not present, +see 'lscpu': + + [ming@box]$lscpu + Architecture: x86_64 + CPU op-mode(s): 32-bit, 64-bit + Byte Order: Little Endian + CPU(s): 4 + On-line CPU(s) list: 0-3 + Thread(s) per core: 1 + Core(s) per socket: 2 + Socket(s): 2 + NUMA node(s): 2 + ... + NUMA node0 CPU(s): 0-3 + NUMA node1 CPU(s): + ... + +1) before this patch, follows the allocated vectors and their affinity: + irq 47, cpu list 0,4 + irq 48, cpu list 1,6 + irq 49, cpu list 2,5 + irq 50, cpu list 3,7 + +2) after this patch, follows the allocated vectors and their affinity: + irq 43, cpu list 0 + irq 44, cpu list 1 + irq 45, cpu list 2 + irq 46, cpu list 3 + irq 47, cpu list 4 + irq 48, cpu list 6 + irq 49, cpu list 5 + irq 50, cpu list 7 + +Cc: Keith Busch +Cc: Sagi Grimberg +Cc: Thomas Gleixner +Cc: Christoph Hellwig +Signed-off-by: Ming Lei +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1770,7 +1770,7 @@ static int nvme_setup_io_queues(struct n + int result, nr_io_queues; + unsigned long size; + +- nr_io_queues = num_present_cpus(); ++ nr_io_queues = num_possible_cpus(); + result = nvme_set_queue_count(&dev->ctrl, &nr_io_queues); + if (result < 0) + return result; diff --git a/queue-4.14/nvmet-fix-psdt-field-check-in-command-format.patch b/queue-4.14/nvmet-fix-psdt-field-check-in-command-format.patch new file mode 100644 index 00000000000..3a17fc50e93 --- /dev/null +++ b/queue-4.14/nvmet-fix-psdt-field-check-in-command-format.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Max Gurtovoy +Date: Wed, 24 Jan 2018 17:31:45 +0200 +Subject: nvmet: fix PSDT field check in command format + +From: Max Gurtovoy + +[ Upstream commit bffd2b61670feef18d2535e9b53364d270a1c991 ] + +PSDT field section according to NVM_Express-1.3: +"This field specifies whether PRPs or SGLs are used for any data +transfer associated with the command. PRPs shall be used for all +Admin commands for NVMe over PCIe. SGLs shall be used for all Admin +and I/O commands for NVMe over Fabrics. This field shall be set to +01b for NVMe over Fabrics 1.0 implementations. + +Suggested-by: Idan Burstein +Signed-off-by: Max Gurtovoy +Reviewed-by: Christoph Hellwig +Signed-off-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -505,9 +505,12 @@ bool nvmet_req_init(struct nvmet_req *re + goto fail; + } + +- /* either variant of SGLs is fine, as we don't support metadata */ +- if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF && +- (flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METASEG)) { ++ /* ++ * For fabrics, PSDT field shall describe metadata pointer (MPTR) that ++ * contains an address of a single contiguous physical buffer that is ++ * byte aligned. ++ */ ++ if (unlikely((flags & NVME_CMD_SGL_ALL) != NVME_CMD_SGL_METABUF)) { + status = NVME_SC_INVALID_FIELD | NVME_SC_DNR; + goto fail; + } diff --git a/queue-4.14/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch b/queue-4.14/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch new file mode 100644 index 00000000000..8817b20afbf --- /dev/null +++ b/queue-4.14/ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch @@ -0,0 +1,133 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jun Piao +Date: Thu, 5 Apr 2018 16:18:48 -0700 +Subject: ocfs2/dlm: don't handle migrate lockres if already in shutdown + +From: Jun Piao + +[ Upstream commit bb34f24c7d2c98d0c81838a7700e6068325b17a0 ] + +We should not handle migrate lockres if we are already in +'DLM_CTXT_IN_SHUTDOWN', as that will cause lockres remains after leaving +dlm domain. At last other nodes will get stuck into infinite loop when +requsting lock from us. + +The problem is caused by concurrency umount between nodes. Before +receiveing N1's DLM_BEGIN_EXIT_DOMAIN_MSG, N2 has picked up N1 as the +migrate target. So N2 will continue sending lockres to N1 even though +N1 has left domain. + + N1 N2 (owner) + touch file + + access the file, + and get pr lock + + begin leave domain and + pick up N1 as new owner + + begin leave domain and + migrate all lockres done + + begin migrate lockres to N1 + + end leave domain, but + the lockres left + unexpectedly, because + migrate task has passed + +[piaojun@huawei.com: v3] + Link: http://lkml.kernel.org/r/5A9CBD19.5020107@huawei.com +Link: http://lkml.kernel.org/r/5A99F028.2090902@huawei.com +Signed-off-by: Jun Piao +Reviewed-by: Yiwen Jiang +Reviewed-by: Joseph Qi +Reviewed-by: Changwei Ge +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ocfs2/dlm/dlmdomain.c | 14 -------------- + fs/ocfs2/dlm/dlmdomain.h | 25 ++++++++++++++++++++++++- + fs/ocfs2/dlm/dlmrecovery.c | 9 +++++++++ + 3 files changed, 33 insertions(+), 15 deletions(-) + +--- a/fs/ocfs2/dlm/dlmdomain.c ++++ b/fs/ocfs2/dlm/dlmdomain.c +@@ -676,20 +676,6 @@ static void dlm_leave_domain(struct dlm_ + spin_unlock(&dlm->spinlock); + } + +-int dlm_shutting_down(struct dlm_ctxt *dlm) +-{ +- int ret = 0; +- +- spin_lock(&dlm_domain_lock); +- +- if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) +- ret = 1; +- +- spin_unlock(&dlm_domain_lock); +- +- return ret; +-} +- + void dlm_unregister_domain(struct dlm_ctxt *dlm) + { + int leave = 0; +--- a/fs/ocfs2/dlm/dlmdomain.h ++++ b/fs/ocfs2/dlm/dlmdomain.h +@@ -28,7 +28,30 @@ + extern spinlock_t dlm_domain_lock; + extern struct list_head dlm_domains; + +-int dlm_shutting_down(struct dlm_ctxt *dlm); ++static inline int dlm_joined(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_JOINED) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ ++static inline int dlm_shutting_down(struct dlm_ctxt *dlm) ++{ ++ int ret = 0; ++ ++ spin_lock(&dlm_domain_lock); ++ if (dlm->dlm_state == DLM_CTXT_IN_SHUTDOWN) ++ ret = 1; ++ spin_unlock(&dlm_domain_lock); ++ ++ return ret; ++} ++ + void dlm_fire_domain_eviction_callbacks(struct dlm_ctxt *dlm, + int node_num); + +--- a/fs/ocfs2/dlm/dlmrecovery.c ++++ b/fs/ocfs2/dlm/dlmrecovery.c +@@ -1378,6 +1378,15 @@ int dlm_mig_lockres_handler(struct o2net + if (!dlm_grab(dlm)) + return -EINVAL; + ++ if (!dlm_joined(dlm)) { ++ mlog(ML_ERROR, "Domain %s not joined! " ++ "lockres %.*s, master %u\n", ++ dlm->name, mres->lockname_len, ++ mres->lockname, mres->master); ++ dlm_put(dlm); ++ return -EINVAL; ++ } ++ + BUG_ON(!(mres->flags & (DLM_MRES_RECOVERY|DLM_MRES_MIGRATION))); + + real_master = mres->master; diff --git a/queue-4.14/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch b/queue-4.14/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch new file mode 100644 index 00000000000..5c0edca6ba5 --- /dev/null +++ b/queue-4.14/parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Helge Deller +Date: Sun, 25 Mar 2018 14:04:22 +0200 +Subject: parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode + +From: Helge Deller + +[ Upstream commit b845f66f78bf42a4ce98e5cfe0e94fab41dd0742 ] + +Carlo Pisani noticed that his C3600 workstation behaved unstable during heavy +I/O on the PCI bus with a VIA VT6421 IDE/SATA PCI card. + +To avoid such instability, this patch switches the LBA PCI bus from Hard Fail +mode into Soft Fail mode. In this mode the bus will return -1UL for timed out +MMIO transactions, which is exactly how the x86 (and most other architectures) +PCI busses behave. + +This patch is based on a proposal by Grant Grundler and Kyle McMartin 10 +years ago: +https://www.spinics.net/lists/linux-parisc/msg01027.html + +Cc: Carlo Pisani +Cc: Kyle McMartin +Reviewed-by: Grant Grundler +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/lba_pci.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/parisc/lba_pci.c ++++ b/drivers/parisc/lba_pci.c +@@ -1403,9 +1403,27 @@ lba_hw_init(struct lba_device *d) + WRITE_REG32(stat, d->hba.base_addr + LBA_ERROR_CONFIG); + } + +- /* Set HF mode as the default (vs. -1 mode). */ ++ ++ /* ++ * Hard Fail vs. Soft Fail on PCI "Master Abort". ++ * ++ * "Master Abort" means the MMIO transaction timed out - usually due to ++ * the device not responding to an MMIO read. We would like HF to be ++ * enabled to find driver problems, though it means the system will ++ * crash with a HPMC. ++ * ++ * In SoftFail mode "~0L" is returned as a result of a timeout on the ++ * pci bus. This is like how PCI busses on x86 and most other ++ * architectures behave. In order to increase compatibility with ++ * existing (x86) PCI hardware and existing Linux drivers we enable ++ * Soft Faul mode on PA-RISC now too. ++ */ + stat = READ_REG32(d->hba.base_addr + LBA_STAT_CTL); ++#if defined(ENABLE_HARDFAIL) + WRITE_REG32(stat | HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#else ++ WRITE_REG32(stat & ~HF_ENABLE, d->hba.base_addr + LBA_STAT_CTL); ++#endif + + /* + ** Writing a zero to STAT_CTL.rf (bit 0) will clear reset signal diff --git a/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch new file mode 100644 index 00000000000..f28dd173d82 --- /dev/null +++ b/queue-4.14/pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Vincent-Cross +Date: Tue, 27 Feb 2018 20:20:36 +1100 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 + +From: Thomas Vincent-Cross + +[ Upstream commit 832e4e1f76b8a84991e9db56fdcef1ebce839b8b ] + +Add Marvell 88SE9220 DMA quirk as found and tested on bug 42679. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679 +Signed-off-by: Thomas Vincent-Cross +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3896,6 +3896,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, ++ quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c49 */ + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, + quirk_dma_func1_alias); diff --git a/queue-4.14/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch b/queue-4.14/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch new file mode 100644 index 00000000000..e1c6b9e205d --- /dev/null +++ b/queue-4.14/pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch @@ -0,0 +1,87 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Rafael J. Wysocki" +Date: Sat, 3 Mar 2018 10:53:24 +0100 +Subject: PCI: Restore config space on runtime resume despite being unbound + +From: "Rafael J. Wysocki" + +[ Upstream commit 5775b843a619b3c93f946e2b55a208d9f0f48b59 ] + +We leave PCI devices not bound to a driver in D0 during runtime suspend. +But they may have a parent which is bound and can be transitioned to +D3cold at runtime. Once the parent goes to D3cold, the unbound child +may go to D3cold as well. When the child goes to D3cold, its internal +state, including configuration of BARs, MSI, ASPM, MPS, etc., is lost. + +One example are recent hybrid graphics laptops which cut power to the +discrete GPU when the root port above it goes to ACPI power state D3. +Users may provoke this by unbinding the GPU driver and allowing runtime +PM on the GPU via sysfs: The PM core will then treat the GPU as +"suspended", which in turn allows the root port to runtime suspend, +causing the power resources listed in its _PR3 object to be powered off. +The GPU's BARs will be uninitialized when a driver later probes it. + +Another example are hybrid graphics laptops where the GPU itself (rather +than the root port) is capable of runtime suspending to D3cold. If the +GPU's integrated HDA controller is not bound and the GPU's driver +decides to runtime suspend to D3cold, the HDA controller's BARs will be +uninitialized when a driver later probes it. + +Fix by saving and restoring config space over a runtime suspend cycle +even if the device is not bound. + +Acked-by: Bjorn Helgaas +Tested-by: Peter Wu # Nvidia Optimus +Tested-by: Lukas Wunner # MacBook Pro +Signed-off-by: Rafael J. Wysocki +[lukas: add commit message, bikeshed code comments for clarity] +Signed-off-by: Lukas Wunner +Link: https://patchwork.freedesktop.org/patch/msgid/92fb6e6ae2730915eb733c08e2f76c6a313e3860.1520068884.git.lukas@wunner.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -1164,11 +1164,14 @@ static int pci_pm_runtime_suspend(struct + int error; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * If pci_dev->driver is not set (unbound), we leave the device in D0, ++ * but it may go to D3cold when the bridge above it runtime suspends. ++ * Save its config space in case that happens. + */ +- if (!pci_dev->driver) ++ if (!pci_dev->driver) { ++ pci_save_state(pci_dev); + return 0; ++ } + + if (!pm || !pm->runtime_suspend) + return -ENOSYS; +@@ -1216,16 +1219,18 @@ static int pci_pm_runtime_resume(struct + const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL; + + /* +- * If pci_dev->driver is not set (unbound), the device should +- * always remain in D0 regardless of the runtime PM status ++ * Restoring config space is necessary even if the device is not bound ++ * to a driver because although we left it in D0, it may have gone to ++ * D3cold when the bridge above it runtime suspended. + */ ++ pci_restore_standard_config(pci_dev); ++ + if (!pci_dev->driver) + return 0; + + if (!pm || !pm->runtime_resume) + return -ENOSYS; + +- pci_restore_standard_config(pci_dev); + pci_fixup_device(pci_fixup_resume_early, pci_dev); + pci_enable_wake(pci_dev, PCI_D0, false); + pci_fixup_device(pci_fixup_resume, pci_dev); diff --git a/queue-4.14/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch b/queue-4.14/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch new file mode 100644 index 00000000000..a092fb338a8 --- /dev/null +++ b/queue-4.14/pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Rafael J. Wysocki" +Date: Wed, 21 Feb 2018 13:24:16 +0100 +Subject: PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle + +From: "Rafael J. Wysocki" + +[ Upstream commit dbdd0f58fd2cdde5cf945c9da67a2d52d32ba550 ] + +There is a problem with PCMCIA system resume callbacks with respect +to suspend-to-idle in which the ->suspend_noirq() callback may be +invoked after the ->resume_noirq() one without resuming the system +entirely in some cases. This doesn't work for PCMCIA because of +the lack of symmetry between its system suspend and system resume +"noirq" callbacks. + +The system resume handling in PCMCIA is split between +socket_early_resume() and socket_late_resume() which are called in +different phases of system resume and both need to run for +socket_suspend() (invoked by the system suspend "noirq" callback) +to work. Specifically, socket_suspend() returns an error when +called after socket_early_resume() without socket_late_resume(), +so if the suspend-to-idle core detects a spurious wakeup event and +attempts to put the system back to sleep, that is aborted by the +error coming from socket_suspend(). + +Avoid that by using a new socket state flag, SOCKET_IN_RESUME, +to indicate that socket_early_resume() has already run for the +socket in which case socket_suspend() will do minimum handling +and return 0. + +This change has been tested on my venerable Toshiba Portege R500 +(which is where the problem has been discovered in the first place), +but admittedly I have no PCMCIA cards to test along with the socket +itself. + +Fixes: 33e4f80ee69b (ACPI / PM: Ignore spurious SCI wakeups from suspend-to-idle) +Signed-off-by: Rafael J. Wysocki +[linux@dominikbrodowski.net: follow same codepaths for both suspend variants; call ->suspend()] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pcmcia/cs.c | 10 +++++++--- + drivers/pcmcia/cs_internal.h | 1 + + 2 files changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -452,17 +452,20 @@ static int socket_insert(struct pcmcia_s + + static int socket_suspend(struct pcmcia_socket *skt) + { +- if (skt->state & SOCKET_SUSPEND) ++ if ((skt->state & SOCKET_SUSPEND) && !(skt->state & SOCKET_IN_RESUME)) + return -EBUSY; + + mutex_lock(&skt->ops_mutex); +- skt->suspended_state = skt->state; ++ /* store state on first suspend, but not after spurious wakeups */ ++ if (!(skt->state & SOCKET_IN_RESUME)) ++ skt->suspended_state = skt->state; + + skt->socket = dead_socket; + skt->ops->set_socket(skt, &skt->socket); + if (skt->ops->suspend) + skt->ops->suspend(skt); + skt->state |= SOCKET_SUSPEND; ++ skt->state &= ~SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -475,6 +478,7 @@ static int socket_early_resume(struct pc + skt->ops->set_socket(skt, &skt->socket); + if (skt->state & SOCKET_PRESENT) + skt->resume_status = socket_setup(skt, resume_delay); ++ skt->state |= SOCKET_IN_RESUME; + mutex_unlock(&skt->ops_mutex); + return 0; + } +@@ -484,7 +488,7 @@ static int socket_late_resume(struct pcm + int ret = 0; + + mutex_lock(&skt->ops_mutex); +- skt->state &= ~SOCKET_SUSPEND; ++ skt->state &= ~(SOCKET_SUSPEND | SOCKET_IN_RESUME); + mutex_unlock(&skt->ops_mutex); + + if (!(skt->state & SOCKET_PRESENT)) { +--- a/drivers/pcmcia/cs_internal.h ++++ b/drivers/pcmcia/cs_internal.h +@@ -70,6 +70,7 @@ struct pccard_resource_ops { + /* Flags in socket state */ + #define SOCKET_PRESENT 0x0008 + #define SOCKET_INUSE 0x0010 ++#define SOCKET_IN_RESUME 0x0040 + #define SOCKET_SUSPEND 0x0080 + #define SOCKET_WIN_REQ(i) (0x0100<<(i)) + #define SOCKET_CARDBUS 0x8000 diff --git a/queue-4.14/perf-cgroup-fix-child-event-counting-bug.patch b/queue-4.14/perf-cgroup-fix-child-event-counting-bug.patch new file mode 100644 index 00000000000..8c0c19d145b --- /dev/null +++ b/queue-4.14/perf-cgroup-fix-child-event-counting-bug.patch @@ -0,0 +1,105 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Song Liu +Date: Mon, 12 Mar 2018 09:59:43 -0700 +Subject: perf/cgroup: Fix child event counting bug + +From: Song Liu + +[ Upstream commit c917e0f259908e75bd2a65877e25f9d90c22c848 ] + +When a perf_event is attached to parent cgroup, it should count events +for all children cgroups: + + parent_group <---- perf_event + \ + - child_group <---- process(es) + +However, in our tests, we found this perf_event cannot report reliable +results. Here is an example case: + + # create cgroups + mkdir -p /sys/fs/cgroup/p/c + # start perf for parent group + perf stat -e instructions -G "p" + + # on another console, run test process in child cgroup: + stressapptest -s 2 -M 1000 & echo $! > /sys/fs/cgroup/p/c/cgroup.procs + + # after the test process is done, stop perf in the first console shows + + instructions p + +The instruction should not be "not counted" as the process runs in the +child cgroup. + +We found this is because perf_event->cgrp and cpuctx->cgrp are not +identical, thus perf_event->cgrp are not updated properly. + +This patch fixes this by updating perf_cgroup properly for ancestor +cgroup(s). + +Reported-by: Ephraim Park +Signed-off-by: Song Liu +Signed-off-by: Peter Zijlstra (Intel) +Cc: +Cc: +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Link: http://lkml.kernel.org/r/20180312165943.1057894-1-songliubraving@fb.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -642,9 +642,15 @@ static inline void __update_cgrp_time(st + + static inline void update_cgrp_time_from_cpuctx(struct perf_cpu_context *cpuctx) + { +- struct perf_cgroup *cgrp_out = cpuctx->cgrp; +- if (cgrp_out) +- __update_cgrp_time(cgrp_out); ++ struct perf_cgroup *cgrp = cpuctx->cgrp; ++ struct cgroup_subsys_state *css; ++ ++ if (cgrp) { ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ __update_cgrp_time(cgrp); ++ } ++ } + } + + static inline void update_cgrp_time_from_event(struct perf_event *event) +@@ -672,6 +678,7 @@ perf_cgroup_set_timestamp(struct task_st + { + struct perf_cgroup *cgrp; + struct perf_cgroup_info *info; ++ struct cgroup_subsys_state *css; + + /* + * ctx->lock held by caller +@@ -682,8 +689,12 @@ perf_cgroup_set_timestamp(struct task_st + return; + + cgrp = perf_cgroup_from_task(task, ctx); +- info = this_cpu_ptr(cgrp->info); +- info->timestamp = ctx->timestamp; ++ ++ for (css = &cgrp->css; css; css = css->parent) { ++ cgrp = container_of(css, struct perf_cgroup, css); ++ info = this_cpu_ptr(cgrp->info); ++ info->timestamp = ctx->timestamp; ++ } + } + + static DEFINE_PER_CPU(struct list_head, cgrp_cpuctx_list); diff --git a/queue-4.14/perf-clang-add-support-for-recent-clang-versions.patch b/queue-4.14/perf-clang-add-support-for-recent-clang-versions.patch new file mode 100644 index 00000000000..252ce838d1b --- /dev/null +++ b/queue-4.14/perf-clang-add-support-for-recent-clang-versions.patch @@ -0,0 +1,122 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:18 +0530 +Subject: perf clang: Add support for recent clang versions + +From: Sandipan Das + +[ Upstream commit 7854e499f33fd9c7e63288692ffb754d9b1d02fd ] + +The clang API calls used by perf have changed in recent releases and +builds succeed with libclang-3.9 only. This introduces compatibility +with libclang-4.0 and above. + +Without this patch, we will see the following compilation errors with +libclang-4.0+: + + util/c++/clang.cpp: In function ‘clang::CompilerInvocation* perf::createCompilerInvocation(llvm::opt::ArgStringList, llvm::StringRef&, clang::DiagnosticsEngine&)’: + util/c++/clang.cpp:62:33: error: ‘IK_C’ was not declared in this scope + Opts.Inputs.emplace_back(Path, IK_C); + ^~~~ + util/c++/clang.cpp: In function ‘std::unique_ptr perf::getModuleFromSource(llvm::opt::ArgStringList, llvm::StringRef, llvm::IntrusiveRefCntPtr)’: + util/c++/clang.cpp:75:26: error: no matching function for call to ‘clang::CompilerInstance::setInvocation(clang::CompilerInvocation*)’ + Clang.setInvocation(&*CI); + ^ + In file included from util/c++/clang.cpp:14:0: + /usr/include/clang/Frontend/CompilerInstance.h:231:8: note: candidate: void clang::CompilerInstance::setInvocation(std::shared_ptr) + void setInvocation(std::shared_ptr Value); + ^~~~~~~~~~~~~ + +Committer testing: + +Tested on Fedora 27 after installing the clang-devel and llvm-devel +packages, versions: + + # rpm -qa | egrep llvm\|clang + llvm-5.0.1-6.fc27.x86_64 + clang-libs-5.0.1-5.fc27.x86_64 + clang-5.0.1-5.fc27.x86_64 + clang-tools-extra-5.0.1-5.fc27.x86_64 + llvm-libs-5.0.1-6.fc27.x86_64 + llvm-devel-5.0.1-6.fc27.x86_64 + clang-devel-5.0.1-5.fc27.x86_64 + # + +Make sure you don't have some older version lying around in /usr/local, +etc, then: + + $ make LIBCLANGLLVM=1 -C tools/perf install-bin + +And in the end perf will be linked agains these libraries: + + # ldd ~/bin/perf | egrep -i llvm\|clang + libclangAST.so.5 => /lib64/libclangAST.so.5 (0x00007f8bb2eb4000) + libclangBasic.so.5 => /lib64/libclangBasic.so.5 (0x00007f8bb29e3000) + libclangCodeGen.so.5 => /lib64/libclangCodeGen.so.5 (0x00007f8bb23f7000) + libclangDriver.so.5 => /lib64/libclangDriver.so.5 (0x00007f8bb2060000) + libclangFrontend.so.5 => /lib64/libclangFrontend.so.5 (0x00007f8bb1d06000) + libclangLex.so.5 => /lib64/libclangLex.so.5 (0x00007f8bb1a3e000) + libclangTooling.so.5 => /lib64/libclangTooling.so.5 (0x00007f8bb17d4000) + libclangEdit.so.5 => /lib64/libclangEdit.so.5 (0x00007f8bb15c5000) + libclangSema.so.5 => /lib64/libclangSema.so.5 (0x00007f8bb0cc9000) + libclangAnalysis.so.5 => /lib64/libclangAnalysis.so.5 (0x00007f8bb0a23000) + libclangParse.so.5 => /lib64/libclangParse.so.5 (0x00007f8bb0725000) + libclangSerialization.so.5 => /lib64/libclangSerialization.so.5 (0x00007f8bb039a000) + libLLVM-5.0.so => /lib64/libLLVM-5.0.so (0x00007f8bace98000) + libclangASTMatchers.so.5 => /lib64/../lib64/libclangASTMatchers.so.5 (0x00007f8bab735000) + libclangFormat.so.5 => /lib64/../lib64/libclangFormat.so.5 (0x00007f8bab4b2000) + libclangRewrite.so.5 => /lib64/../lib64/libclangRewrite.so.5 (0x00007f8bab2a1000) + libclangToolingCore.so.5 => /lib64/../lib64/libclangToolingCore.so.5 (0x00007f8bab08e000) + # + +Signed-off-by: Sandipan Das +Tested-by: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: 00b86691c77c ("perf clang: Add builtin clang support ant test case") +Link: http://lkml.kernel.org/r/20180404180419.19056-2-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/c++/clang.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/c++/clang.cpp ++++ b/tools/perf/util/c++/clang.cpp +@@ -9,6 +9,7 @@ + * Copyright (C) 2016 Huawei Inc. + */ + ++#include "clang/Basic/Version.h" + #include "clang/CodeGen/CodeGenAction.h" + #include "clang/Frontend/CompilerInvocation.h" + #include "clang/Frontend/CompilerInstance.h" +@@ -58,7 +59,8 @@ createCompilerInvocation(llvm::opt::ArgS + + FrontendOptions& Opts = CI->getFrontendOpts(); + Opts.Inputs.clear(); +- Opts.Inputs.emplace_back(Path, IK_C); ++ Opts.Inputs.emplace_back(Path, ++ FrontendOptions::getInputKindForExtension("c")); + return CI; + } + +@@ -71,10 +73,17 @@ getModuleFromSource(llvm::opt::ArgString + + Clang.setVirtualFileSystem(&*VFS); + ++#if CLANG_VERSION_MAJOR < 4 + IntrusiveRefCntPtr CI = + createCompilerInvocation(std::move(CFlags), Path, + Clang.getDiagnostics()); + Clang.setInvocation(&*CI); ++#else ++ std::shared_ptr CI( ++ createCompilerInvocation(std::move(CFlags), Path, ++ Clang.getDiagnostics())); ++ Clang.setInvocation(CI); ++#endif + + std::unique_ptr Act(new EmitLLVMOnlyAction(&*LLVMCtx)); + if (!Clang.ExecuteAction(*Act)) diff --git a/queue-4.14/perf-core-fix-installing-cgroup-events-on-cpu.patch b/queue-4.14/perf-core-fix-installing-cgroup-events-on-cpu.patch new file mode 100644 index 00000000000..6ee7b6f2a97 --- /dev/null +++ b/queue-4.14/perf-core-fix-installing-cgroup-events-on-cpu.patch @@ -0,0 +1,112 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "leilei.lin" +Date: Tue, 6 Mar 2018 17:36:37 +0800 +Subject: perf/core: Fix installing cgroup events on CPU + +From: "leilei.lin" + +[ Upstream commit 33801b94741d6c3be9713c10aa627477216c21e2 ] + +There's two problems when installing cgroup events on CPUs: firstly +list_update_cgroup_event() only tries to set cpuctx->cgrp for the +first event, if that mismatches on @cgrp we'll not try again for later +additions. + +Secondly, when we install a cgroup event into an active context, only +issue an event reprogram when the event matches the current cgroup +context. This avoids a pointless event reprogramming. + +Signed-off-by: leilei.lin +[ Improved the changelog and comments. ] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: brendan.d.gregg@gmail.com +Cc: eranian@gmail.com +Cc: linux-kernel@vger.kernel.org +Cc: yang_oliver@hotmail.com +Link: http://lkml.kernel.org/r/20180306093637.28247-1-linxiulei@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 46 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 35 insertions(+), 11 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -900,27 +900,39 @@ list_update_cgroup_event(struct perf_eve + if (!is_cgroup_event(event)) + return; + +- if (add && ctx->nr_cgroups++) +- return; +- else if (!add && --ctx->nr_cgroups) +- return; + /* + * Because cgroup events are always per-cpu events, + * this will always be called from the right CPU. + */ + cpuctx = __get_cpu_context(ctx); +- cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; +- /* cpuctx->cgrp is NULL unless a cgroup event is active in this CPU .*/ +- if (add) { ++ ++ /* ++ * Since setting cpuctx->cgrp is conditional on the current @cgrp ++ * matching the event's cgroup, we must do this for every new event, ++ * because if the first would mismatch, the second would not try again ++ * and we would leave cpuctx->cgrp unset. ++ */ ++ if (add && !cpuctx->cgrp) { + struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); + +- list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); + if (cgroup_is_descendant(cgrp->css.cgroup, event->cgrp->css.cgroup)) + cpuctx->cgrp = cgrp; +- } else { +- list_del(cpuctx_entry); +- cpuctx->cgrp = NULL; + } ++ ++ if (add && ctx->nr_cgroups++) ++ return; ++ else if (!add && --ctx->nr_cgroups) ++ return; ++ ++ /* no cgroup running */ ++ if (!add) ++ cpuctx->cgrp = NULL; ++ ++ cpuctx_entry = &cpuctx->cgrp_cpuctx_entry; ++ if (add) ++ list_add(cpuctx_entry, this_cpu_ptr(&cgrp_cpuctx_list)); ++ else ++ list_del(cpuctx_entry); + } + + #else /* !CONFIG_CGROUP_PERF */ +@@ -2404,6 +2416,18 @@ static int __perf_install_in_context(vo + raw_spin_lock(&task_ctx->lock); + } + ++#ifdef CONFIG_CGROUP_PERF ++ if (is_cgroup_event(event)) { ++ /* ++ * If the current cgroup doesn't match the event's ++ * cgroup, we should not try to schedule it. ++ */ ++ struct perf_cgroup *cgrp = perf_cgroup_from_task(current, ctx); ++ reprogram = cgroup_is_descendant(cgrp->css.cgroup, ++ event->cgrp->css.cgroup); ++ } ++#endif ++ + if (reprogram) { + ctx_sched_out(ctx, cpuctx, EVENT_TIME); + add_event_to_ctx(event, ctx); diff --git a/queue-4.14/perf-core-fix-perf_output_read_group.patch b/queue-4.14/perf-core-fix-perf_output_read_group.patch new file mode 100644 index 00000000000..99dd216e9a5 --- /dev/null +++ b/queue-4.14/perf-core-fix-perf_output_read_group.patch @@ -0,0 +1,78 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Peter Zijlstra +Date: Fri, 9 Mar 2018 12:52:04 +0100 +Subject: perf/core: Fix perf_output_read_group() + +From: Peter Zijlstra + +[ Upstream commit 9e5b127d6f33468143d90c8a45ca12410e4c3fa7 ] + +Mark reported his arm64 perf fuzzer runs sometimes splat like: + + armv8pmu_read_counter+0x1e8/0x2d8 + armpmu_event_update+0x8c/0x188 + armpmu_read+0xc/0x18 + perf_output_read+0x550/0x11e8 + perf_event_read_event+0x1d0/0x248 + perf_event_exit_task+0x468/0xbb8 + do_exit+0x690/0x1310 + do_group_exit+0xd0/0x2b0 + get_signal+0x2e8/0x17a8 + do_signal+0x144/0x4f8 + do_notify_resume+0x148/0x1e8 + work_pending+0x8/0x14 + +which asserts that we only call pmu::read() on ACTIVE events. + +The above callchain does: + + perf_event_exit_task() + perf_event_exit_task_context() + task_ctx_sched_out() // INACTIVE + perf_event_exit_event() + perf_event_set_state(EXIT) // EXIT + sync_child_event() + perf_event_read_event() + perf_output_read() + perf_output_read_group() + leader->pmu->read() + +Which results in doing a pmu::read() on an !ACTIVE event. + +I _think_ this is 'new' since we added attr.inherit_stat, which added +the perf_event_read_event() to the exit path, without that +perf_event_read_output() would only trigger from samples and for +@event to trigger a sample, it's leader _must_ be ACTIVE too. + +Still, adding this check makes it consistent with the @sub case for +the siblings. + +Reported-and-Tested-by: Mark Rutland +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5837,7 +5837,8 @@ static void perf_output_read_group(struc + if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) + values[n++] = running; + +- if (leader != event) ++ if ((leader != event) && ++ (leader->state == PERF_EVENT_STATE_ACTIVE)) + leader->pmu->read(leader); + + values[n++] = perf_event_count(leader); diff --git a/queue-4.14/perf-record-fix-crash-in-pipe-mode.patch b/queue-4.14/perf-record-fix-crash-in-pipe-mode.patch new file mode 100644 index 00000000000..c0f31c82c73 --- /dev/null +++ b/queue-4.14/perf-record-fix-crash-in-pipe-mode.patch @@ -0,0 +1,117 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiri Olsa +Date: Fri, 2 Mar 2018 17:13:54 +0100 +Subject: perf record: Fix crash in pipe mode + +From: Jiri Olsa + +[ Upstream commit ad46e48c65fa1f204fa29eaff1b91174d314a94b ] + +Currently we can crash perf record when running in pipe mode, like: + + $ perf record ls | perf report + # To display the perf.data header info, please use --header/--header-only options. + # + perf: Segmentation fault + Error: + The - file has no samples! + +The callstack of the crash is: + + 0x0000000000515242 in perf_event__synthesize_event_update_name + 3513 ev = event_update_event__new(len + 1, PERF_EVENT_UPDATE__NAME, evsel->id[0]); + (gdb) bt + #0 0x0000000000515242 in perf_event__synthesize_event_update_name + #1 0x00000000005158a4 in perf_event__synthesize_extra_attr + #2 0x0000000000443347 in record__synthesize + #3 0x00000000004438e3 in __cmd_record + #4 0x000000000044514e in cmd_record + #5 0x00000000004cbc95 in run_builtin + #6 0x00000000004cbf02 in handle_internal_command + #7 0x00000000004cc054 in run_argv + #8 0x00000000004cc422 in main + +The reason of the crash is that the evsel does not have ids array +allocated and the pipe's synthesize code tries to access it. + +We don't force evsel ids allocation when we have single event, because +it's not needed. However we need it when we are in pipe mode even for +single event as a key for evsel update event. + +Fixing this by forcing evsel ids allocation event for single event, when +we are in pipe mode. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180302161354.30192-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-record.c | 9 +++++++++ + tools/perf/perf.h | 1 + + tools/perf/util/record.c | 8 ++++++-- + 3 files changed, 16 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-record.c ++++ b/tools/perf/builtin-record.c +@@ -926,6 +926,15 @@ static int __cmd_record(struct record *r + } + } + ++ /* ++ * If we have just single event and are sending data ++ * through pipe, we need to force the ids allocation, ++ * because we synthesize event name through the pipe ++ * and need the id for that. ++ */ ++ if (data->is_pipe && rec->evlist->nr_entries == 1) ++ rec->opts.sample_id = true; ++ + if (record__open(rec) != 0) { + err = -1; + goto out_child; +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -61,6 +61,7 @@ struct record_opts { + bool tail_synthesize; + bool overwrite; + bool ignore_missing_thread; ++ bool sample_id; + unsigned int freq; + unsigned int mmap_pages; + unsigned int auxtrace_mmap_pages; +--- a/tools/perf/util/record.c ++++ b/tools/perf/util/record.c +@@ -137,6 +137,7 @@ void perf_evlist__config(struct perf_evl + struct perf_evsel *evsel; + bool use_sample_identifier = false; + bool use_comm_exec; ++ bool sample_id = opts->sample_id; + + /* + * Set the evsel leader links before we configure attributes, +@@ -163,8 +164,7 @@ void perf_evlist__config(struct perf_evl + * match the id. + */ + use_sample_identifier = perf_can_sample_identifier(); +- evlist__for_each_entry(evlist, evsel) +- perf_evsel__set_sample_id(evsel, use_sample_identifier); ++ sample_id = true; + } else if (evlist->nr_entries > 1) { + struct perf_evsel *first = perf_evlist__first(evlist); + +@@ -174,6 +174,10 @@ void perf_evlist__config(struct perf_evl + use_sample_identifier = perf_can_sample_identifier(); + break; + } ++ sample_id = true; ++ } ++ ++ if (sample_id) { + evlist__for_each_entry(evlist, evsel) + perf_evsel__set_sample_id(evsel, use_sample_identifier); + } diff --git a/queue-4.14/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch b/queue-4.14/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch new file mode 100644 index 00000000000..70c2ca67f51 --- /dev/null +++ b/queue-4.14/perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch @@ -0,0 +1,101 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiri Olsa +Date: Fri, 16 Feb 2018 13:36:19 +0100 +Subject: perf report: Fix memory corruption in --branch-history mode --branch-history + +From: Jiri Olsa + +[ Upstream commit e3ebaa465136ecfedf9c6f4671df02bf625f8125 ] + +Jin Yao reported memory corrupton in perf report with +branch info used for stack trace: + + > Following command lines will cause perf crash. + + > perf record -j call -g -a + > perf report --branch-history + > + > *** Error in `perf': double free or corruption (!prev): 0x00000000104aa040 *** + > ======= Backtrace: ========= + > /lib/x86_64-linux-gnu/libc.so.6(+0x77725)[0x7f6b37254725] + > /lib/x86_64-linux-gnu/libc.so.6(+0x7ff4a)[0x7f6b3725cf4a] + > /lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f6b37260abc] + > perf[0x51b914] + > perf(hist_entry_iter__add+0x1e5)[0x51f305] + > perf[0x43cf01] + > perf[0x4fa3bf] + > perf[0x4fa923] + > perf[0x4fd396] + > perf[0x4f9614] + > perf(perf_session__process_events+0x89e)[0x4fc38e] + > perf(cmd_report+0x15d2)[0x43f202] + > perf[0x4a059f] + > perf(main+0x631)[0x427b71] + > /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f6b371fd830] + > perf(_start+0x29)[0x427d89] + +For the cumulative output, we allocate the he_cache array based on the +--max-stack option value and populate it with data from 'callchain_cursor'. + +The --max-stack option value does not ensure now the limit for number of +callchain_cursor nodes, so the cumulative iter code will allocate smaller array +than it's actually needed and cause above corruption. + +I think the --max-stack limit does not apply here anyway, because we add +callchain data as normal hist entries, while the --max-stack control the limit +of single entry callchain depth. + +Using the callchain_cursor.nr as he_cache array count to fix this. Also +removing struct hist_entry_iter::max_stack, because there's no longer any use +for it. + +We need more fixes to ensure that the branch stack code follows properly the +logic of --max-stack, which is not the case at the moment. + +Original-patch-by: Jin Yao +Signed-off-by: Jiri Olsa +Reported-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180216123619.GA9945@krava +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/hist.c | 4 +--- + tools/perf/util/hist.h | 1 - + 2 files changed, 1 insertion(+), 4 deletions(-) + +--- a/tools/perf/util/hist.c ++++ b/tools/perf/util/hist.c +@@ -878,7 +878,7 @@ iter_prepare_cumulative_entry(struct his + * cumulated only one time to prevent entries more than 100% + * overhead. + */ +- he_cache = malloc(sizeof(*he_cache) * (iter->max_stack + 1)); ++ he_cache = malloc(sizeof(*he_cache) * (callchain_cursor.nr + 1)); + if (he_cache == NULL) + return -ENOMEM; + +@@ -1043,8 +1043,6 @@ int hist_entry_iter__add(struct hist_ent + if (err) + return err; + +- iter->max_stack = max_stack_depth; +- + err = iter->ops->prepare_entry(iter, al); + if (err) + goto out; +--- a/tools/perf/util/hist.h ++++ b/tools/perf/util/hist.h +@@ -107,7 +107,6 @@ struct hist_entry_iter { + int curr; + + bool hide_unresolved; +- int max_stack; + + struct perf_evsel *evsel; + struct perf_sample *sample; diff --git a/queue-4.14/perf-report-fix-wrong-jump-arrow.patch b/queue-4.14/perf-report-fix-wrong-jump-arrow.patch new file mode 100644 index 00000000000..bd913c9558b --- /dev/null +++ b/queue-4.14/perf-report-fix-wrong-jump-arrow.patch @@ -0,0 +1,124 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jin Yao +Date: Mon, 29 Jan 2018 18:57:53 +0800 +Subject: perf report: Fix wrong jump arrow + +From: Jin Yao + +[ Upstream commit b40982e8468b46b8f7f5bba5a7e541ec04a29d7d ] + +When we use perf report interactive annotate view, we can see +the position of jump arrow is not correct. For example, + +1. perf record -b ... +2. perf report +3. In interactive mode, select Annotate 'function' + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.4┌── 1 ↓ je 82 + │ │ x += x / y + y / x; + 0.00 │0.4│ 1310 movsd (%rsp),%xmm0 + 0.00 │0.4│ 565 movsd 0x8(%rsp),%xmm4 + │0.4│ movsd 0x8(%rsp),%xmm1 + │0.4│ movsd (%rsp),%xmm3 + │0.4│ divsd %xmm4,%xmm0 + 0.00 │0.4│ 579 divsd %xmm3,%xmm1 + │0.4│ movsd (%rsp),%xmm2 + │0.4│ addsd %xmm1,%xmm0 + │0.4│ addsd %xmm2,%xmm0 + 0.00 │0.4│ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.4└─→ 82: sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +The jump arrow in above example is not correct. It should add the +width of IPC and Cycle. + +With this patch, the result is: + +Percent│ IPC Cycle + │ if (flag) + 1.37 │0.48 1 ┌──je 82 + │ │ x += x / y + y / x; + 0.00 │0.48 1310 │ movsd (%rsp),%xmm0 + 0.00 │0.48 565 │ movsd 0x8(%rsp),%xmm4 + │0.48 │ movsd 0x8(%rsp),%xmm1 + │0.48 │ movsd (%rsp),%xmm3 + │0.48 │ divsd %xmm4,%xmm0 + 0.00 │0.48 579 │ divsd %xmm3,%xmm1 + │0.48 │ movsd (%rsp),%xmm2 + │0.48 │ addsd %xmm1,%xmm0 + │0.48 │ addsd %xmm2,%xmm0 + 0.00 │0.48 │ movsd %xmm0,(%rsp) + │ │ volatile double x = 1212121212, y = 121212; + │ │ + │ │ s_randseed = time(0); + │ │ srand(s_randseed); + │ │ + │ │ for (i = 0; i < 2000000000; i++) { + 1.37 │0.48 82:└─→sub $0x1,%ebx + 28.21 │0.48 17 ↑ jne 38 + +Committer notes: + +Please note that only from LBRv5 (according to Jiri) onwards, i.e. >= +Skylake is that we'll have the cycles counts in each branch record +entry, so to see the Cycles and IPC columns, and be able to test this +patch, one need a capable hardware. + +While applying this I first tested it on a Broadwell class machine and +couldn't get those columns, will add code to the annotate browser to +warn the user about that, i.e. you have branch records, but no cycles, +use a more recent hardware to get the cycles and IPC columns. + +Signed-off-by: Jin Yao +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jin Yao +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1517223473-14750-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/ui/browsers/annotate.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/ui/browsers/annotate.c ++++ b/tools/perf/ui/browsers/annotate.c +@@ -312,6 +312,7 @@ static void annotate_browser__draw_curre + struct map_symbol *ms = ab->b.priv; + struct symbol *sym = ms->sym; + u8 pcnt_width = annotate_browser__pcnt_width(ab); ++ int width = 0; + + /* PLT symbols contain external offsets */ + if (strstr(sym->name, "@plt")) +@@ -335,13 +336,17 @@ static void annotate_browser__draw_curre + to = (u64)btarget->idx; + } + ++ if (ab->have_cycles) ++ width = IPC_WIDTH + CYCLES_WIDTH; ++ + ui_browser__set_color(browser, HE_COLORSET_JUMP_ARROWS); +- __ui_browser__line_arrow(browser, pcnt_width + 2 + ab->addr_width, ++ __ui_browser__line_arrow(browser, ++ pcnt_width + 2 + ab->addr_width + width, + from, to); + + if (is_fused(ab, cursor)) { + ui_browser__mark_fused(browser, +- pcnt_width + 3 + ab->addr_width, ++ pcnt_width + 3 + ab->addr_width + width, + from - 1, + to > from ? true : false); + } diff --git a/queue-4.14/perf-stat-fix-core-dump-when-flag-t-is-used.patch b/queue-4.14/perf-stat-fix-core-dump-when-flag-t-is-used.patch new file mode 100644 index 00000000000..c3e260a751f --- /dev/null +++ b/queue-4.14/perf-stat-fix-core-dump-when-flag-t-is-used.patch @@ -0,0 +1,116 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Richter +Date: Thu, 8 Mar 2018 15:57:35 +0100 +Subject: perf stat: Fix core dump when flag T is used + +From: Thomas Richter + +[ Upstream commit fca32340a5e8b896f57d41fd94b8b1701df25eb1 ] + +Executing command 'perf stat -T -- ls' dumps core on x86 and s390. + +Here is the call back chain (done on x86): + + # gdb ./perf + .... + (gdb) r stat -T -- ls +... +Program received signal SIGSEGV, Segmentation fault. +0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 +(gdb) where + #0 0x00007ffff56d1963 in vasprintf () from /lib64/libc.so.6 + #1 0x00007ffff56ae484 in asprintf () from /lib64/libc.so.6 + #2 0x00000000004f1982 in __parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930, auto_merge_stats=false) at util/parse-events.c:1233 + #3 0x00000000004f1c8e in parse_events_add_pmu (parse_state=0x7fffffffd580, + list=0xbfb970, name=0xbf3ef0 "cpu", + head_config=0xbfb930) at util/parse-events.c:1288 + #4 0x0000000000537ce3 in parse_events_parse (_parse_state=0x7fffffffd580, + scanner=0xbf4210) at util/parse-events.y:234 + #5 0x00000000004f2c7a in parse_events__scanner (str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", + parse_state=0x7fffffffd580, start_token=258) at util/parse-events.c:1673 + #6 0x00000000004f2e23 in parse_events (evlist=0xbe9990, str=0x6b66c0 + "task-clock,{instructions,cycles,cpu/cycles-t/,cpu/tx-start/}", err=0x0) + at util/parse-events.c:1713 + #7 0x000000000044e137 in add_default_attributes () at builtin-stat.c:2281 + #8 0x000000000044f7b5 in cmd_stat (argc=1, argv=0x7fffffffe3b0) at + builtin-stat.c:2828 + #9 0x00000000004c8b0f in run_builtin (p=0xab01a0 , argc=4, + argv=0x7fffffffe3b0) at perf.c:297 + #10 0x00000000004c8d7c in handle_internal_command (argc=4, + argv=0x7fffffffe3b0) at perf.c:349 + #11 0x00000000004c8ece in run_argv (argcp=0x7fffffffe20c, + argv=0x7fffffffe200) at perf.c:393 + #12 0x00000000004c929c in main (argc=4, argv=0x7fffffffe3b0) at perf.c:537 +(gdb) + +It turns out that a NULL pointer is referenced. Here are the +function calls: + + ... + cmd_stat() + +---> add_default_attributes() + +---> parse_events(evsel_list, transaction_attrs, NULL); + 3rd parameter set to NULL + +Function parse_events(xx, xx, struct parse_events_error *err) dives +into a bison generated scanner and creates +parser state information for it first: + + struct parse_events_state parse_state = { + .list = LIST_HEAD_INIT(parse_state.list), + .idx = evlist->nr_entries, + .error = err, <--- NULL POINTER !!! + .evlist = evlist, + }; + +Now various functions inside the bison scanner are called to end up in +__parse_events_add_pmu(struct parse_events_state *parse_state, ..) with +first parameter being a pointer to above structure definition. + +Now the PMU event name is not found (because being executed in a VM) and +this function tries to create an error message with + + asprintf(&parse_state->error.str, ....) + +which references a NULL pointer and dumps core. + +Fix this by providing a pointer to the necessary error information +instead of NULL. Technically only the else part is needed to avoid the +core dump, just lets be safe... + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180308145735.64717-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-stat.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-stat.c ++++ b/tools/perf/builtin-stat.c +@@ -2185,11 +2185,16 @@ static int add_default_attributes(void) + return 0; + + if (transaction_run) { ++ struct parse_events_error errinfo; ++ + if (pmu_have_event("cpu", "cycles-ct") && + pmu_have_event("cpu", "el-start")) +- err = parse_events(evsel_list, transaction_attrs, NULL); ++ err = parse_events(evsel_list, transaction_attrs, ++ &errinfo); + else +- err = parse_events(evsel_list, transaction_limited_attrs, NULL); ++ err = parse_events(evsel_list, ++ transaction_limited_attrs, ++ &errinfo); + if (err) { + fprintf(stderr, "Cannot set up transaction events\n"); + return -1; diff --git a/queue-4.14/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch b/queue-4.14/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch new file mode 100644 index 00000000000..50d7b81ab37 --- /dev/null +++ b/queue-4.14/perf-test-fix-test-case-inet_pton-to-accept-inlines.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Thomas Richter +Date: Wed, 14 Feb 2018 08:03:03 +0100 +Subject: perf test: Fix test case inet_pton to accept inlines. + +From: Thomas Richter + +[ Upstream commit 0f19a038afdc592176c9a302f0d08be6a68ad74a ] + +Using Fedora 27 and latest Linux kernel the test case +trace+probe_libc_inet_pton.sh fails again on s390. This time is the +inlining of functions which does not match. After an update of the +glibc (from 2.26-16 to 2.26-24) the output is different + +The expected output is: + + __inet_pton (/usr/lib64/libc-2.26.so) + gaih_inet (inlined) + .... + +The actual output is: + + 1 packets transmitted, 1 received, 0% packet loss, time 0ms + rtt min/avg/max/mdev = 0.061/0.061/0.061/0.000 ms + 0.000 probe_libc:inet_pton:(3ffb2140448)) + __inet_pton (inlined) + gaih_inet.constprop.7 (/usr/lib64/libc-2.26.so) + ... + +Fix this by being less strict on 'inlined' verses library name and +accept both + +Signed-off-by: Thomas Richter +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Link: http://lkml.kernel.org/r/20180214070303.55757-1-tmricht@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh ++++ b/tools/perf/tests/shell/trace+probe_libc_inet_pton.sh +@@ -21,12 +21,12 @@ trace_libc_inet_pton_backtrace() { + expected[3]=".*packets transmitted.*" + expected[4]="rtt min.*" + expected[5]="[0-9]+\.[0-9]+[[:space:]]+probe_libc:inet_pton:\([[:xdigit:]]+\)" +- expected[6]=".*inet_pton[[:space:]]\($libc\)$" ++ expected[6]=".*inet_pton[[:space:]]\($libc|inlined\)$" + case "$(uname -m)" in + s390x) + eventattr='call-graph=dwarf' +- expected[7]="gaih_inet[[:space:]]\(inlined\)$" +- expected[8]="__GI_getaddrinfo[[:space:]]\(inlined\)$" ++ expected[7]="gaih_inet.*[[:space:]]\($libc|inlined\)$" ++ expected[8]="__GI_getaddrinfo[[:space:]]\($libc|inlined\)$" + expected[9]="main[[:space:]]\(.*/bin/ping.*\)$" + expected[10]="__libc_start_main[[:space:]]\($libc\)$" + expected[11]="_start[[:space:]]\(.*/bin/ping.*\)$" diff --git a/queue-4.14/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch b/queue-4.14/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch new file mode 100644 index 00000000000..aeeb67fd4ff --- /dev/null +++ b/queue-4.14/perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch @@ -0,0 +1,209 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiri Olsa +Date: Tue, 6 Feb 2018 19:18:12 +0100 +Subject: perf tests: Fix dwarf unwind for stripped binaries + +From: Jiri Olsa + +[ Upstream commit fdf7c49c200d1b9909e2204cec5bd68b48605c71 ] + +When we strip the perf binary, dwarf unwind test stop +to work. The reason is that strip will remove static +function symbols, which we need to check for unwind. + +This change will keep this test working in cases where +the global symbols are put into dynamic symbol table, +which is the case on x86. It still won't work on powerpc. + +Making those 5 local functions global, and adding +'test_dwarf_unwind__' to their names. + +Committer testing: + +Before: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : FAILED! + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 6590 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7ffce6c48098 val 48563f, offset 1144 + unwind: test__dwarf_unwind:ip = 0x4a54e5 (0xa54e5) + got: test__dwarf_unwind 0xa54e5, expecting test__dwarf_unwind + unwind: '':ip = 0x4a50bb (0xa50bb) + failed: got unresolved address 0xa50bb + unwind failed + test child finished with -1 + ---- end ---- + DWARF unwind: FAILED! + # + +After: + + # perf test dwarf + 58: DWARF unwind : Ok + # strip ~/bin/perf + # perf test dwarf + 58: DWARF unwind : Ok + # + # perf test -v dwarf + 58: DWARF unwind : + --- start --- + test child forked, pid 7219 + unwind: thread map already set, dso=/home/acme/bin/perf + + unwind: access_mem addr 0x7fff007da2c8 val 48575f, offset 1144 + unwind: test__arch_unwind_sample:ip = 0x589044 (0x189044) + got: test__arch_unwind_sample 0x189044, expecting test__arch_unwind_sample + unwind: test_dwarf_unwind__thread:ip = 0x4a52f7 (0xa52f7) + got: test_dwarf_unwind__thread 0xa52f7, expecting test_dwarf_unwind__thread + unwind: test_dwarf_unwind__compare:ip = 0x4a5468 (0xa5468) + got: test_dwarf_unwind__compare 0xa5468, expecting test_dwarf_unwind__compare + unwind: bsearch:ip = 0x7f6608ae94d8 (0x394d8) + got: bsearch 0x394d8, expecting bsearch + unwind: test_dwarf_unwind__krava_3:ip = 0x4a54d1 (0xa54d1) + got: test_dwarf_unwind__krava_3 0xa54d1, expecting test_dwarf_unwind__krava_3 + unwind: test_dwarf_unwind__krava_2:ip = 0x4a550b (0xa550b) + got: test_dwarf_unwind__krava_2 0xa550b, expecting test_dwarf_unwind__krava_2 + unwind: test_dwarf_unwind__krava_1:ip = 0x4a554b (0xa554b) + got: test_dwarf_unwind__krava_1 0xa554b, expecting test_dwarf_unwind__krava_1 + unwind: test__dwarf_unwind:ip = 0x4a5605 (0xa5605) + got: test__dwarf_unwind 0xa5605, expecting test__dwarf_unwind + test child finished with 0 + ---- end ---- + DWARF unwind: Ok + # + +Signed-off-by: Jiri Olsa +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180206181813.10943-17-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/dwarf-unwind.c | 46 ++++++++++++++++++++++++++-------------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +--- a/tools/perf/tests/dwarf-unwind.c ++++ b/tools/perf/tests/dwarf-unwind.c +@@ -37,6 +37,19 @@ static int init_live_machine(struct mach + mmap_handler, machine, true, 500); + } + ++/* ++ * We need to keep these functions global, despite the ++ * fact that they are used only locally in this object, ++ * in order to keep them around even if the binary is ++ * stripped. If they are gone, the unwind check for ++ * symbol fails. ++ */ ++int test_dwarf_unwind__thread(struct thread *thread); ++int test_dwarf_unwind__compare(void *p1, void *p2); ++int test_dwarf_unwind__krava_3(struct thread *thread); ++int test_dwarf_unwind__krava_2(struct thread *thread); ++int test_dwarf_unwind__krava_1(struct thread *thread); ++ + #define MAX_STACK 8 + + static int unwind_entry(struct unwind_entry *entry, void *arg) +@@ -45,12 +58,12 @@ static int unwind_entry(struct unwind_en + char *symbol = entry->sym ? entry->sym->name : NULL; + static const char *funcs[MAX_STACK] = { + "test__arch_unwind_sample", +- "unwind_thread", +- "compare", ++ "test_dwarf_unwind__thread", ++ "test_dwarf_unwind__compare", + "bsearch", +- "krava_3", +- "krava_2", +- "krava_1", ++ "test_dwarf_unwind__krava_3", ++ "test_dwarf_unwind__krava_2", ++ "test_dwarf_unwind__krava_1", + "test__dwarf_unwind" + }; + /* +@@ -77,7 +90,7 @@ static int unwind_entry(struct unwind_en + return strcmp((const char *) symbol, funcs[idx]); + } + +-static noinline int unwind_thread(struct thread *thread) ++noinline int test_dwarf_unwind__thread(struct thread *thread) + { + struct perf_sample sample; + unsigned long cnt = 0; +@@ -108,7 +121,7 @@ static noinline int unwind_thread(struct + + static int global_unwind_retval = -INT_MAX; + +-static noinline int compare(void *p1, void *p2) ++noinline int test_dwarf_unwind__compare(void *p1, void *p2) + { + /* Any possible value should be 'thread' */ + struct thread *thread = *(struct thread **)p1; +@@ -117,17 +130,17 @@ static noinline int compare(void *p1, vo + /* Call unwinder twice for both callchain orders. */ + callchain_param.order = ORDER_CALLER; + +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + if (!global_unwind_retval) { + callchain_param.order = ORDER_CALLEE; +- global_unwind_retval = unwind_thread(thread); ++ global_unwind_retval = test_dwarf_unwind__thread(thread); + } + } + + return p1 - p2; + } + +-static noinline int krava_3(struct thread *thread) ++noinline int test_dwarf_unwind__krava_3(struct thread *thread) + { + struct thread *array[2] = {thread, thread}; + void *fp = &bsearch; +@@ -141,18 +154,19 @@ static noinline int krava_3(struct threa + size_t, int (*)(void *, void *)); + + _bsearch = fp; +- _bsearch(array, &thread, 2, sizeof(struct thread **), compare); ++ _bsearch(array, &thread, 2, sizeof(struct thread **), ++ test_dwarf_unwind__compare); + return global_unwind_retval; + } + +-static noinline int krava_2(struct thread *thread) ++noinline int test_dwarf_unwind__krava_2(struct thread *thread) + { +- return krava_3(thread); ++ return test_dwarf_unwind__krava_3(thread); + } + +-static noinline int krava_1(struct thread *thread) ++noinline int test_dwarf_unwind__krava_1(struct thread *thread) + { +- return krava_2(thread); ++ return test_dwarf_unwind__krava_2(thread); + } + + int test__dwarf_unwind(struct test *test __maybe_unused, int subtest __maybe_unused) +@@ -189,7 +203,7 @@ int test__dwarf_unwind(struct test *test + goto out; + } + +- err = krava_1(thread); ++ err = test_dwarf_unwind__krava_1(thread); + thread__put(thread); + + out: diff --git a/queue-4.14/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch b/queue-4.14/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch new file mode 100644 index 00000000000..488c3682a34 --- /dev/null +++ b/queue-4.14/perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch @@ -0,0 +1,57 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jiri Olsa +Date: Thu, 15 Feb 2018 13:26:35 +0100 +Subject: perf tests: Use arch__compare_symbol_names to compare symbols + +From: Jiri Olsa + +[ Upstream commit ab6e9a99345131cd8e54268d1d0dc04a33f7ed11 ] + +The symbol search called by machine__find_kernel_symbol_by_name is using +internally arch__compare_symbol_names function to compare 2 symbol +names, because different archs have different ways of comparing symbols. +Mostly for skipping '.' prefixes and similar. + +In test 1 when we try to find matching symbols in kallsyms and vmlinux, +by address and by symbol name. When either is found we compare the pair +symbol names by simple strcmp, which is not good enough for reasons +explained in previous paragraph. + +On powerpc this can cause lockup, because even thought we found the +pair, the compared names are different and don't match simple strcmp. +Following code path is executed, that leads to lockup: + + - we find the pair in kallsyms by sym->start +next_pair: + - we compare the names and it fails + - we find the pair by sym->name + - the pair addresses match so we call goto next_pair + because we assume the names match in this case + +Signed-off-by: Jiri Olsa +Tested-by: Naveen N. Rao +Acked-by: Naveen N. Rao +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 031b84c407c3 ("perf probe ppc: Enable matching against dot symbols automatically") +Link: http://lkml.kernel.org/r/20180215122635.24029-10-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/vmlinux-kallsyms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/vmlinux-kallsyms.c ++++ b/tools/perf/tests/vmlinux-kallsyms.c +@@ -125,7 +125,7 @@ int test__vmlinux_matches_kallsyms(struc + + if (pair && UM(pair->start) == mem_start) { + next_pair: +- if (strcmp(sym->name, pair->name) == 0) { ++ if (arch__compare_symbol_names(sym->name, pair->name) == 0) { + /* + * kallsyms don't have the symbol end, so we + * set that by using the next symbol start - 1, diff --git a/queue-4.14/perf-tools-fix-perf-builds-with-clang-support.patch b/queue-4.14/perf-tools-fix-perf-builds-with-clang-support.patch new file mode 100644 index 00000000000..b7899947229 --- /dev/null +++ b/queue-4.14/perf-tools-fix-perf-builds-with-clang-support.patch @@ -0,0 +1,38 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sandipan Das +Date: Wed, 4 Apr 2018 23:34:17 +0530 +Subject: perf tools: Fix perf builds with clang support + +From: Sandipan Das + +[ Upstream commit c2fb54a183cfe77c6fdc9d71e2d5299c1c302a6e ] + +For libclang, some distro packages provide static libraries (.a) while +some provide shared libraries (.so). Currently, perf code can only be +linked with static libraries. This makes perf build possible for both +cases. + +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Naveen N. Rao +Fixes: d58ac0bf8d1e ("perf build: Add clang and llvm compile and linking support") +Link: http://lkml.kernel.org/r/20180404180419.19056-1-sandipan@linux.vnet.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/Makefile.perf | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/perf/Makefile.perf ++++ b/tools/perf/Makefile.perf +@@ -368,7 +368,8 @@ LIBS = -Wl,--whole-archive $(PERFLIBS) $ + + ifeq ($(USE_CLANG), 1) + CLANGLIBS_LIST = AST Basic CodeGen Driver Frontend Lex Tooling Edit Sema Analysis Parse Serialization +- LIBCLANG = $(foreach l,$(CLANGLIBS_LIST),$(wildcard $(shell $(LLVM_CONFIG) --libdir)/libclang$(l).a)) ++ CLANGLIBS_NOEXT_LIST = $(foreach l,$(CLANGLIBS_LIST),$(shell $(LLVM_CONFIG) --libdir)/libclang$(l)) ++ LIBCLANG = $(foreach l,$(CLANGLIBS_NOEXT_LIST),$(wildcard $(l).a $(l).so)) + LIBS += -Wl,--start-group $(LIBCLANG) -Wl,--end-group + endif + diff --git a/queue-4.14/perf-top-fix-top.call-graph-config-option-reading.patch b/queue-4.14/perf-top-fix-top.call-graph-config-option-reading.patch new file mode 100644 index 00000000000..625bbe6bfd0 --- /dev/null +++ b/queue-4.14/perf-top-fix-top.call-graph-config-option-reading.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Yisheng Xie +Date: Mon, 12 Mar 2018 19:25:56 +0800 +Subject: perf top: Fix top.call-graph config option reading + +From: Yisheng Xie + +[ Upstream commit a3a4a3b37c9b911af4c375b2475cea0fd2b84d38 ] + +When trying to add the "call-graph" variable for top into the +.perfconfig file, like: + + [top] + call-graph = fp + +I that perf_top_config() do not parse this variable. + +Fix it by calling perf_default_config() when the top.call-graph variable +is set. + +Signed-off-by: Yisheng Xie +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Wang Nan +Fixes: b8cbb349061e ("perf config: Bring perf_default_config to the very beginning at main()") +Link: http://lkml.kernel.org/r/1520853957-36106-1-git-send-email-xieyisheng1@huawei.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-top.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-top.c ++++ b/tools/perf/builtin-top.c +@@ -1080,8 +1080,10 @@ parse_callchain_opt(const struct option + + static int perf_top_config(const char *var, const char *value, void *cb __maybe_unused) + { +- if (!strcmp(var, "top.call-graph")) +- var = "call-graph.record-mode"; /* fall-through */ ++ if (!strcmp(var, "top.call-graph")) { ++ var = "call-graph.record-mode"; ++ return perf_default_config(var, value, cb); ++ } + if (!strcmp(var, "top.children")) { + symbol_conf.cumulate_callchain = perf_config_bool(var, value); + return 0; diff --git a/queue-4.14/perf-x86-intel-fix-event-update-for-auto-reload.patch b/queue-4.14/perf-x86-intel-fix-event-update-for-auto-reload.patch new file mode 100644 index 00000000000..5b115211b66 --- /dev/null +++ b/queue-4.14/perf-x86-intel-fix-event-update-for-auto-reload.patch @@ -0,0 +1,238 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Kan Liang +Date: Mon, 12 Feb 2018 14:20:31 -0800 +Subject: perf/x86/intel: Fix event update for auto-reload + +From: Kan Liang + +[ Upstream commit d31fc13fdcb20e1c317f9a7dd6273c18fbd58308 ] + +There is a bug when reading event->count with large PEBS enabled. + +Here is an example: + + # ./read_count + 0x71f0 + 0x122c0 + 0x1000000001c54 + 0x100000001257d + 0x200000000bdc5 + +In fixed period mode, the auto-reload mechanism could be enabled for +PEBS events, but the calculation of event->count does not take the +auto-reload values into account. + +Anyone who reads event->count will get the wrong result, e.g x86_pmu_read(). + +This bug was introduced with the auto-reload mechanism enabled since +commit: + + 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") + +Introduce intel_pmu_save_and_restart_reload() to calculate the +event->count only for auto-reload. + +Since the counter increments a negative counter value and overflows on +the sign switch, giving the interval: + + [-period, 0] + +the difference between two consequtive reads is: + + A) value2 - value1; + when no overflows have happened in between, + B) (0 - value1) + (value2 - (-period)); + when one overflow happened in between, + C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); + when @n overflows happened in between. + +Here A) is the obvious difference, B) is the extension to the discrete +interval, where the first term is to the top of the interval and the +second term is from the bottom of the next interval and C) the extension +to multiple intervals, where the middle term is the whole intervals +covered. + +The equation for all cases is: + + value2 - value1 + n * period + +Previously the event->count is updated right before the sample output. +But for case A, there is no PEBS record ready. It needs to be specially +handled. + +Remove the auto-reload code from x86_perf_event_set_period() since +we'll not longer call that function in this case. + +Based-on-code-from: Peter Zijlstra (Intel) +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Fixes: 851559e35fd5 ("perf/x86/intel: Use the PEBS auto reload mechanism when possible") +Link: http://lkml.kernel.org/r/1518474035-21006-2-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/core.c | 15 ++----- + arch/x86/events/intel/ds.c | 92 +++++++++++++++++++++++++++++++++++++++++++-- + 2 files changed, 94 insertions(+), 13 deletions(-) + +--- a/arch/x86/events/core.c ++++ b/arch/x86/events/core.c +@@ -1162,16 +1162,13 @@ int x86_perf_event_set_period(struct per + + per_cpu(pmc_prev_left[idx], smp_processor_id()) = left; + +- if (!(hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) || +- local64_read(&hwc->prev_count) != (u64)-left) { +- /* +- * The hw event starts counting from this event offset, +- * mark it to be able to extra future deltas: +- */ +- local64_set(&hwc->prev_count, (u64)-left); ++ /* ++ * The hw event starts counting from this event offset, ++ * mark it to be able to extra future deltas: ++ */ ++ local64_set(&hwc->prev_count, (u64)-left); + +- wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); +- } ++ wrmsrl(hwc->event_base, (u64)(-left) & x86_pmu.cntval_mask); + + /* + * Due to erratum on certan cpu we need +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1312,17 +1312,84 @@ get_next_pebs_record_by_bit(void *base, + return NULL; + } + ++/* ++ * Special variant of intel_pmu_save_and_restart() for auto-reload. ++ */ ++static int ++intel_pmu_save_and_restart_reload(struct perf_event *event, int count) ++{ ++ struct hw_perf_event *hwc = &event->hw; ++ int shift = 64 - x86_pmu.cntval_bits; ++ u64 period = hwc->sample_period; ++ u64 prev_raw_count, new_raw_count; ++ s64 new, old; ++ ++ WARN_ON(!period); ++ ++ /* ++ * drain_pebs() only happens when the PMU is disabled. ++ */ ++ WARN_ON(this_cpu_read(cpu_hw_events.enabled)); ++ ++ prev_raw_count = local64_read(&hwc->prev_count); ++ rdpmcl(hwc->event_base_rdpmc, new_raw_count); ++ local64_set(&hwc->prev_count, new_raw_count); ++ ++ /* ++ * Since the counter increments a negative counter value and ++ * overflows on the sign switch, giving the interval: ++ * ++ * [-period, 0] ++ * ++ * the difference between two consequtive reads is: ++ * ++ * A) value2 - value1; ++ * when no overflows have happened in between, ++ * ++ * B) (0 - value1) + (value2 - (-period)); ++ * when one overflow happened in between, ++ * ++ * C) (0 - value1) + (n - 1) * (period) + (value2 - (-period)); ++ * when @n overflows happened in between. ++ * ++ * Here A) is the obvious difference, B) is the extension to the ++ * discrete interval, where the first term is to the top of the ++ * interval and the second term is from the bottom of the next ++ * interval and C) the extension to multiple intervals, where the ++ * middle term is the whole intervals covered. ++ * ++ * An equivalent of C, by reduction, is: ++ * ++ * value2 - value1 + n * period ++ */ ++ new = ((s64)(new_raw_count << shift) >> shift); ++ old = ((s64)(prev_raw_count << shift) >> shift); ++ local64_add(new - old + count * period, &event->count); ++ ++ perf_event_update_userpage(event); ++ ++ return 0; ++} ++ + static void __intel_pmu_pebs_event(struct perf_event *event, + struct pt_regs *iregs, + void *base, void *top, + int bit, int count) + { ++ struct hw_perf_event *hwc = &event->hw; + struct perf_sample_data data; + struct pt_regs regs; + void *at = get_next_pebs_record_by_bit(base, top, bit); + +- if (!intel_pmu_save_and_restart(event) && +- !(event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD)) ++ if (hwc->flags & PERF_X86_EVENT_AUTO_RELOAD) { ++ /* ++ * Now, auto-reload is only enabled in fixed period mode. ++ * The reload value is always hwc->sample_period. ++ * May need to change it, if auto-reload is enabled in ++ * freq mode later. ++ */ ++ intel_pmu_save_and_restart_reload(event, count); ++ } else if (!intel_pmu_save_and_restart(event)) + return; + + while (count > 1) { +@@ -1374,8 +1441,11 @@ static void intel_pmu_drain_pebs_core(st + return; + + n = top - at; +- if (n <= 0) ++ if (n <= 0) { ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); + return; ++ } + + __intel_pmu_pebs_event(event, iregs, at, top, 0, n); + } +@@ -1398,8 +1468,22 @@ static void intel_pmu_drain_pebs_nhm(str + + ds->pebs_index = ds->pebs_buffer_base; + +- if (unlikely(base >= top)) ++ if (unlikely(base >= top)) { ++ /* ++ * The drain_pebs() could be called twice in a short period ++ * for auto-reload event in pmu::read(). There are no ++ * overflows have happened in between. ++ * It needs to call intel_pmu_save_and_restart_reload() to ++ * update the event->count for this case. ++ */ ++ for_each_set_bit(bit, (unsigned long *)&cpuc->pebs_enabled, ++ x86_pmu.max_pebs_events) { ++ event = cpuc->events[bit]; ++ if (event->hw.flags & PERF_X86_EVENT_AUTO_RELOAD) ++ intel_pmu_save_and_restart_reload(event, 0); ++ } + return; ++ } + + for (at = base; at < top; at += x86_pmu.pebs_record_size) { + struct pebs_record_nhm *p = at; diff --git a/queue-4.14/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch b/queue-4.14/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch new file mode 100644 index 00000000000..610938f3472 --- /dev/null +++ b/queue-4.14/perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Kan Liang +Date: Thu, 1 Mar 2018 12:54:54 -0500 +Subject: perf/x86/intel: Fix large period handling on Broadwell CPUs + +From: Kan Liang + +[ Upstream commit f605cfca8c39ffa2b98c06d2b9f30ba64f1e54e3 ] + +Large fixed period values could be truncated on Broadwell, for example: + + perf record -e cycles -c 10000000000 + +Here the fixed period is 0x2540BE400, but the period which finally applied is +0x540BE400 - which is wrong. + +The reason is that x86_pmu::limit_period() uses an u32 parameter, so the +high 32 bits of 'period' get truncated. + +This bug was introduced in: + + commit 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") + +It's safe to use u64 instead of u32: + + - Although the 'left' is s64, the value of 'left' must be positive when + calling limit_period(). + + - bdw_limit_period() only modifies the lowest 6 bits, it doesn't touch + the higher 32 bits. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 294fe0f52a44 ("perf/x86/intel: Add INST_RETIRED.ALL workarounds") +Link: http://lkml.kernel.org/r/1519926894-3520-1-git-send-email-kan.liang@linux.intel.com +[ Rewrote unacceptably bad changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 2 +- + arch/x86/events/perf_event.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -3196,7 +3196,7 @@ glp_get_event_constraints(struct cpu_hw_ + * Therefore the effective (average) period matches the requested period, + * despite coarser hardware granularity. + */ +-static unsigned bdw_limit_period(struct perf_event *event, unsigned left) ++static u64 bdw_limit_period(struct perf_event *event, u64 left) + { + if ((event->hw.config & INTEL_ARCH_EVENT_MASK) == + X86_CONFIG(.event=0xc0, .umask=0x01)) { +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -556,7 +556,7 @@ struct x86_pmu { + struct x86_pmu_quirk *quirks; + int perfctr_second_write; + bool late_ack; +- unsigned (*limit_period)(struct perf_event *event, unsigned l); ++ u64 (*limit_period)(struct perf_event *event, u64 l); + + /* + * sysfs attrs diff --git a/queue-4.14/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch b/queue-4.14/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch new file mode 100644 index 00000000000..7da9bf5a8b9 --- /dev/null +++ b/queue-4.14/perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch @@ -0,0 +1,123 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stephane Eranian +Date: Fri, 23 Mar 2018 00:01:47 -0700 +Subject: perf/x86/intel: Fix linear IP of PEBS real_ip on Haswell and later CPUs + +From: Stephane Eranian + +[ Upstream commit 71eb9ee9596d8df3d5723c3cfc18774c6235e8b1 ] + +this patch fix a bug in how the pebs->real_ip is handled in the PEBS +handler. real_ip only exists in Haswell and later processor. It is +actually the eventing IP, i.e., where the event occurred. As opposed +to the pebs->ip which is the PEBS interrupt IP which is always off +by one. + +The problem is that the real_ip just like the IP needs to be fixed up +because PEBS does not record all the machine state registers, and +in particular the code segement (cs). This is why we have the set_linear_ip() +function. The problem was that set_linear_ip() was only used on the pebs->ip +and not the pebs->real_ip. + +We have profiles which ran into invalid callstacks because of this. +Here is an example: + + ..... 0: ffffffffffffff80 recent entry, marker kernel v + ..... 1: 000000000040044d <= user address in kernel space! + ..... 2: fffffffffffffe00 marker enter user v + ..... 3: 000000000040044d + ..... 4: 00000000004004b6 oldest entry + +Debugging output in get_perf_callchain(): + + [ 857.769909] CALLCHAIN: CPU8 ip=40044d regs->cs=10 user_mode(regs)=0 + +The problem is that the kernel entry in 1: points to a user level +address. How can that be? + +The reason is that with PEBS sampling the instruction that caused the event +to occur and the instruction where the CPU was when the interrupt was posted +may be far apart. And sometime during that time window, the privilege level may +change. This happens, for instance, when the PEBS sample is taken close to a +kernel entry point. Here PEBS, eventing IP (real_ip) captured a user level +instruction. But by the time the PMU interrupt fired, the processor had already +entered kernel space. This is why the debug output shows a user address with +user_mode() false. + +The problem comes from PEBS not recording the code segment (cs) register. +The register is used in x86_64 to determine if executing in kernel vs user +space. This is okay because the kernel has a software workaround called +set_linear_ip(). But the issue in setup_pebs_sample_data() is that +set_linear_ip() is never called on the real_ip value when it is available +(Haswell and later) and precise_ip > 1. + +This patch fixes this problem and eliminates the callchain discrepancy. + +The patch restructures the code around set_linear_ip() to minimize the number +of times the IP has to be set. + +Signed-off-by: Stephane Eranian +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: kan.liang@intel.com +Link: http://lkml.kernel.org/r/1521788507-10231-1-git-send-email-eranian@google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/ds.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/arch/x86/events/intel/ds.c ++++ b/arch/x86/events/intel/ds.c +@@ -1150,6 +1150,7 @@ static void setup_pebs_sample_data(struc + if (pebs == NULL) + return; + ++ regs->flags &= ~PERF_EFLAGS_EXACT; + sample_type = event->attr.sample_type; + dsrc = sample_type & PERF_SAMPLE_DATA_SRC; + +@@ -1194,7 +1195,6 @@ static void setup_pebs_sample_data(struc + */ + *regs = *iregs; + regs->flags = pebs->flags; +- set_linear_ip(regs, pebs->ip); + + if (sample_type & PERF_SAMPLE_REGS_INTR) { + regs->ax = pebs->ax; +@@ -1230,13 +1230,22 @@ static void setup_pebs_sample_data(struc + #endif + } + +- if (event->attr.precise_ip > 1 && x86_pmu.intel_cap.pebs_format >= 2) { +- regs->ip = pebs->real_ip; +- regs->flags |= PERF_EFLAGS_EXACT; +- } else if (event->attr.precise_ip > 1 && intel_pmu_pebs_fixup_ip(regs)) +- regs->flags |= PERF_EFLAGS_EXACT; +- else +- regs->flags &= ~PERF_EFLAGS_EXACT; ++ if (event->attr.precise_ip > 1) { ++ /* Haswell and later have the eventing IP, so use it: */ ++ if (x86_pmu.intel_cap.pebs_format >= 2) { ++ set_linear_ip(regs, pebs->real_ip); ++ regs->flags |= PERF_EFLAGS_EXACT; ++ } else { ++ /* Otherwise use PEBS off-by-1 IP: */ ++ set_linear_ip(regs, pebs->ip); ++ ++ /* ... and try to fix it up using the LBR entries: */ ++ if (intel_pmu_pebs_fixup_ip(regs)) ++ regs->flags |= PERF_EFLAGS_EXACT; ++ } ++ } else ++ set_linear_ip(regs, pebs->ip); ++ + + if ((sample_type & (PERF_SAMPLE_ADDR | PERF_SAMPLE_PHYS_ADDR)) && + x86_pmu.intel_cap.pebs_format >= 1) diff --git a/queue-4.14/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch b/queue-4.14/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch new file mode 100644 index 00000000000..1dbce1fa0b8 --- /dev/null +++ b/queue-4.14/perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Kan Liang +Date: Tue, 20 Feb 2018 02:11:50 -0800 +Subject: perf/x86/intel: Properly save/restore the PMU state in the NMI handler + +From: Kan Liang + +[ Upstream commit 82d71ed0277efc45360828af8c4e4d40e1b45352 ] + +The PMU is disabled in intel_pmu_handle_irq(), but cpuc->enabled is not updated +accordingly. + +This is fine in current usage because no-one checks it - but fix it +for future code: for example, the drain_pebs() will be modified to +fix an auto-reload bug. + +Properly save/restore the old PMU state. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: kernel test robot +Link: http://lkml.kernel.org/r/6f44ee84-56f8-79f1-559b-08e371eaeb78@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/core.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/x86/events/intel/core.c ++++ b/arch/x86/events/intel/core.c +@@ -2201,16 +2201,23 @@ static int intel_pmu_handle_irq(struct p + int bit, loops; + u64 status; + int handled; ++ int pmu_enabled; + + cpuc = this_cpu_ptr(&cpu_hw_events); + + /* ++ * Save the PMU state. ++ * It needs to be restored when leaving the handler. ++ */ ++ pmu_enabled = cpuc->enabled; ++ /* + * No known reason to not always do late ACK, + * but just in case do it opt-in. + */ + if (!x86_pmu.late_ack) + apic_write(APIC_LVTPC, APIC_DM_NMI); + intel_bts_disable_local(); ++ cpuc->enabled = 0; + __intel_pmu_disable_all(); + handled = intel_pmu_drain_bts_buffer(); + handled += intel_bts_interrupt(); +@@ -2320,7 +2327,8 @@ again: + + done: + /* Only restore PMU state when it's active. See x86_pmu_disable(). */ +- if (cpuc->enabled) ++ cpuc->enabled = pmu_enabled; ++ if (pmu_enabled) + __intel_pmu_enable_all(0, true); + intel_bts_enable_local(); + diff --git a/queue-4.14/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch b/queue-4.14/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch new file mode 100644 index 00000000000..e0b10d254c1 --- /dev/null +++ b/queue-4.14/phy-qcom-qmp-fix-phy-pipe-clock-gating.patch @@ -0,0 +1,72 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Vivek Gautam +Date: Tue, 16 Jan 2018 16:26:56 +0530 +Subject: phy: qcom-qmp: Fix phy pipe clock gating + +From: Vivek Gautam + +[ Upstream commit f8ba22a39e985c93e278709b1d5f20857a26b49b ] + +Pipe clock comes out of the phy and is available as long as +the phy is turned on. Clock controller fails to gate this +clock after the phy is turned off and generates a warning. + +/ # [ 33.048561] gcc_usb3_phy_pipe_clk status stuck at 'on' +[ 33.048585] ------------[ cut here ]------------ +[ 33.052621] WARNING: CPU: 1 PID: 18 at ../drivers/clk/qcom/clk-branch.c:97 clk_branch_wait+0xf0/0x108 +[ 33.057384] Modules linked in: +[ 33.066497] CPU: 1 PID: 18 Comm: kworker/1:0 Tainted: G W 4.12.0-rc7-00024-gfe926e34c36d-dirty #96 +[ 33.069451] Hardware name: Qualcomm Technologies, Inc. DB820c (DT) +... +[ 33.278565] [] clk_branch_wait+0xf0/0x108 +[ 33.286375] [] clk_branch2_disable+0x28/0x34 +[ 33.291761] [] clk_core_disable+0x5c/0x88 +[ 33.297660] [] clk_core_disable_lock+0x20/0x34 +[ 33.303129] [] clk_disable+0x1c/0x24 +[ 33.309384] [] qcom_qmp_phy_poweroff+0x20/0x48 +[ 33.314328] [] phy_power_off+0x80/0xdc +[ 33.320492] [] dwc3_core_exit+0x94/0xa0 +[ 33.325784] [] dwc3_suspend_common+0x50/0x60 +[ 33.331080] [] dwc3_runtime_suspend+0x48/0x6c +[ 33.336810] [] pm_generic_runtime_suspend+0x28/0x38 +[ 33.342627] [] __rpm_callback+0x150/0x254 +[ 33.349222] [] rpm_callback+0x24/0x78 +[ 33.354604] [] rpm_suspend+0xe0/0x4e4 +[ 33.359813] [] pm_runtime_work+0xdc/0xf0 +[ 33.365028] [] process_one_work+0x12c/0x28c +[ 33.370576] [] worker_thread+0x58/0x3b8 +[ 33.376393] [] kthread+0x100/0x12c +[ 33.381776] [] ret_from_fork+0x10/0x50 + +Fix this by disabling it as the first thing in phy_exit(). + +Fixes: e78f3d15e115 ("phy: qcom-qmp: new qmp phy driver for qcom-chipsets") +Signed-off-by: Vivek Gautam +Signed-off-by: Manu Gautam +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/qualcomm/phy-qcom-qmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/phy/qualcomm/phy-qcom-qmp.c ++++ b/drivers/phy/qualcomm/phy-qcom-qmp.c +@@ -751,8 +751,6 @@ static int qcom_qmp_phy_poweroff(struct + struct qmp_phy *qphy = phy_get_drvdata(phy); + struct qcom_qmp *qmp = qphy->qmp; + +- clk_disable_unprepare(qphy->pipe_clk); +- + regulator_bulk_disable(qmp->cfg->num_vregs, qmp->vregs); + + return 0; +@@ -936,6 +934,8 @@ static int qcom_qmp_phy_exit(struct phy + const struct qmp_phy_cfg *cfg = qmp->cfg; + int i = cfg->num_clks; + ++ clk_disable_unprepare(qphy->pipe_clk); ++ + /* PHY reset */ + qphy_setbits(qphy->pcs, cfg->regs[QPHY_SW_RESET], SW_RESET); + diff --git a/queue-4.14/phy-rockchip-emmc-retry-calpad-busy-trimming.patch b/queue-4.14/phy-rockchip-emmc-retry-calpad-busy-trimming.patch new file mode 100644 index 00000000000..2f33a97b4b8 --- /dev/null +++ b/queue-4.14/phy-rockchip-emmc-retry-calpad-busy-trimming.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Shawn Lin +Date: Thu, 11 Jan 2018 10:40:26 +0800 +Subject: phy: rockchip-emmc: retry calpad busy trimming + +From: Shawn Lin + +[ Upstream commit a4781c2a74b249cad814ceea7272997bbd20051e ] + +It turns out that 5us isn't enough for all cases, so let's +retry some more times to wait for caldone. + +Signed-off-by: Shawn Lin +Tested-by: Ziyuan Xu +Signed-off-by: Caesar Wang +Reviewed-by: Douglas Anderson +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/phy/rockchip/phy-rockchip-emmc.c ++++ b/drivers/phy/rockchip/phy-rockchip-emmc.c +@@ -76,6 +76,10 @@ + #define PHYCTRL_OTAPDLYSEL_MASK 0xf + #define PHYCTRL_OTAPDLYSEL_SHIFT 0x7 + ++#define PHYCTRL_IS_CALDONE(x) \ ++ ((((x) >> PHYCTRL_CALDONE_SHIFT) & \ ++ PHYCTRL_CALDONE_MASK) == PHYCTRL_CALDONE_DONE) ++ + struct rockchip_emmc_phy { + unsigned int reg_offset; + struct regmap *reg_base; +@@ -90,6 +94,7 @@ static int rockchip_emmc_phy_power(struc + unsigned int freqsel = PHYCTRL_FREQSEL_200M; + unsigned long rate; + unsigned long timeout; ++ int ret; + + /* + * Keep phyctrl_pdb and phyctrl_endll low to allow +@@ -160,17 +165,19 @@ static int rockchip_emmc_phy_power(struc + PHYCTRL_PDB_SHIFT)); + + /* +- * According to the user manual, it asks driver to +- * wait 5us for calpad busy trimming ++ * According to the user manual, it asks driver to wait 5us for ++ * calpad busy trimming. However it is documented that this value is ++ * PVT(A.K.A process,voltage and temperature) relevant, so some ++ * failure cases are found which indicates we should be more tolerant ++ * to calpad busy trimming. + */ +- udelay(5); +- regmap_read(rk_phy->reg_base, +- rk_phy->reg_offset + GRF_EMMCPHY_STATUS, +- &caldone); +- caldone = (caldone >> PHYCTRL_CALDONE_SHIFT) & PHYCTRL_CALDONE_MASK; +- if (caldone != PHYCTRL_CALDONE_DONE) { +- pr_err("rockchip_emmc_phy_power: caldone timeout.\n"); +- return -ETIMEDOUT; ++ ret = regmap_read_poll_timeout(rk_phy->reg_base, ++ rk_phy->reg_offset + GRF_EMMCPHY_STATUS, ++ caldone, PHYCTRL_IS_CALDONE(caldone), ++ 0, 50); ++ if (ret) { ++ pr_err("%s: caldone failed, ret=%d\n", __func__, ret); ++ return ret; + } + + /* Set the frequency of the DLL operation */ diff --git a/queue-4.14/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch b/queue-4.14/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch new file mode 100644 index 00000000000..74447121591 --- /dev/null +++ b/queue-4.14/pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Niklas Cassel +Date: Thu, 22 Feb 2018 16:22:46 +0100 +Subject: pinctrl: artpec6: dt: add missing pin group uart5nocts + +From: Niklas Cassel + +[ Upstream commit 7e065fb9ccce89fe667fdbd9a177eaec59a359fc ] + +Add missing pin group uart5nocts (all pins except cts), which has been +supported by the artpec6 pinctrl driver since its initial submission. + +Fixes: 00df0582eab1 ("pinctrl: Add pincontrol driver for ARTPEC-6 SoC") +Signed-off-by: Niklas Cassel +Reviewed-by: Rob Herring +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt ++++ b/Documentation/devicetree/bindings/pinctrl/axis,artpec6-pinctrl.txt +@@ -20,7 +20,8 @@ Required subnode-properties: + gpio: cpuclkoutgrp0, udlclkoutgrp0, i2c1grp0, i2c2grp0, + i2c3grp0, i2s0grp0, i2s1grp0, i2srefclkgrp0, spi0grp0, + spi1grp0, pciedebuggrp0, uart0grp0, uart0grp1, uart1grp0, +- uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0 ++ uart2grp0, uart2grp1, uart3grp0, uart4grp0, uart5grp0, ++ uart5nocts + cpuclkout: cpuclkoutgrp0 + udlclkout: udlclkoutgrp0 + i2c1: i2c1grp0 +@@ -37,7 +38,7 @@ Required subnode-properties: + uart2: uart2grp0, uart2grp1 + uart3: uart3grp0 + uart4: uart4grp0 +- uart5: uart5grp0 ++ uart5: uart5grp0, uart5nocts + nand: nandgrp0 + sdio0: sdio0grp0 + sdio1: sdio1grp0 diff --git a/queue-4.14/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch b/queue-4.14/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch new file mode 100644 index 00000000000..56d5b02d2b1 --- /dev/null +++ b/queue-4.14/pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Richard Fitzgerald +Date: Wed, 28 Feb 2018 15:53:06 +0000 +Subject: pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs + +From: Richard Fitzgerald + +[ Upstream commit b89405b6102fcc3746f43697b826028caa94c823 ] + +When dt_to_map_one_config() is called with a pinctrl_dev passed +in, it should only be using this if the node being looked up +is a hog. The code was always using the passed pinctrl_dev +without checking whether the dt node referred to it. + +A pin controller can have pinctrl-n dependencies on other pin +controllers in these cases: + +- the pin controller hardware is external, for example I2C, so + needs other pin controller(s) to be setup to communicate with + the hardware device. + +- it is a child of a composite MFD so its of_node is shared with + the parent MFD and other children of that MFD. Any part of that + MFD could have dependencies on other pin controllers. + +Because of this, dt_to_map_one_config() can't assume that if it +has a pinctrl_dev passed in then the node it looks up must be +a hog. It could be a reference to some other pin controller. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/devicetree.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/devicetree.c ++++ b/drivers/pinctrl/devicetree.c +@@ -122,8 +122,10 @@ static int dt_to_map_one_config(struct p + /* OK let's just assume this will appear later then */ + return -EPROBE_DEFER; + } +- if (!pctldev) +- pctldev = get_pinctrl_dev_from_of_node(np_pctldev); ++ /* If we're creating a hog we can use the passed pctldev */ ++ if (pctldev && (np_pctldev == p->dev->of_node)) ++ break; ++ pctldev = get_pinctrl_dev_from_of_node(np_pctldev); + if (pctldev) + break; + /* Do not defer probing of hogs (circular loop) */ diff --git a/queue-4.14/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch b/queue-4.14/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch new file mode 100644 index 00000000000..6dc02fe3a47 --- /dev/null +++ b/queue-4.14/pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch @@ -0,0 +1,92 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Jan Kundrát" +Date: Thu, 25 Jan 2018 18:29:15 +0100 +Subject: pinctrl: mcp23s08: spi: Fix regmap debugfs entries + +From: "Jan Kundrát" + +[ Upstream commit 9b3e4207661e67f04c72af15e29f74cd944f5964 ] + +The SPI version of this chip allows several devices to be present on the +same SPI bus via a local address. If this is in action and if the kernel +has debugfs, however, the code attempts to create duplicate entries for +the regmap's debugfs: + + mcp23s08 spi1.1: Failed to create debugfs directory + +This patch simply assigns a local name matching the device logical +address to the `struct regmap_config`. + +No changes are needed for MCP23S18 because that device does not support +any logical addressing. Similarly, I2C devices do not need any action, +either, because they are already different in their I2C address. + +A similar problem is present for the pinctrl debugfs instance, but that +one is not addressed by this patch. + +Signed-off-by: Jan Kundrát +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-mcp23s08.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/pinctrl/pinctrl-mcp23s08.c ++++ b/drivers/pinctrl/pinctrl-mcp23s08.c +@@ -779,6 +779,7 @@ static int mcp23s08_probe_one(struct mcp + { + int status, ret; + bool mirror = false; ++ struct regmap_config *one_regmap_config = NULL; + + mutex_init(&mcp->lock); + +@@ -799,22 +800,36 @@ static int mcp23s08_probe_one(struct mcp + switch (type) { + #ifdef CONFIG_SPI_MASTER + case MCP_TYPE_S08: +- mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x08_regmap); +- mcp->reg_shift = 0; +- mcp->chip.ngpio = 8; +- mcp->chip.label = "mcp23s08"; +- break; +- + case MCP_TYPE_S17: ++ switch (type) { ++ case MCP_TYPE_S08: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x08_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 0; ++ mcp->chip.ngpio = 8; ++ mcp->chip.label = "mcp23s08"; ++ break; ++ case MCP_TYPE_S17: ++ one_regmap_config = ++ devm_kmemdup(dev, &mcp23x17_regmap, ++ sizeof(struct regmap_config), GFP_KERNEL); ++ mcp->reg_shift = 1; ++ mcp->chip.ngpio = 16; ++ mcp->chip.label = "mcp23s17"; ++ break; ++ } ++ if (!one_regmap_config) ++ return -ENOMEM; ++ ++ one_regmap_config->name = devm_kasprintf(dev, GFP_KERNEL, "%d", (addr & ~0x40) >> 1); + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, +- &mcp23x17_regmap); +- mcp->reg_shift = 1; +- mcp->chip.ngpio = 16; +- mcp->chip.label = "mcp23s17"; ++ one_regmap_config); + break; + + case MCP_TYPE_S18: ++ if (!one_regmap_config) ++ return -ENOMEM; + mcp->regmap = devm_regmap_init(dev, &mcp23sxx_spi_regmap, mcp, + &mcp23x17_regmap); + mcp->reg_shift = 1; diff --git a/queue-4.14/pinctrl-msm-use-dynamic-gpio-numbering.patch b/queue-4.14/pinctrl-msm-use-dynamic-gpio-numbering.patch new file mode 100644 index 00000000000..355e0ef5528 --- /dev/null +++ b/queue-4.14/pinctrl-msm-use-dynamic-gpio-numbering.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bjorn Andersson +Date: Sun, 28 Jan 2018 16:59:48 -0800 +Subject: pinctrl: msm: Use dynamic GPIO numbering + +From: Bjorn Andersson + +[ Upstream commit a7aa75a2a7dba32594291a71c3704000a2fd7089 ] + +The base of the TLMM gpiochip should not be statically defined as 0, fix +this to not artificially restrict the existence of multiple pinctrl-msm +devices. + +Fixes: f365be092572 ("pinctrl: Add Qualcomm TLMM driver") +Reported-by: Timur Tabi +Signed-off-by: Bjorn Andersson +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pinctrl/qcom/pinctrl-msm.c ++++ b/drivers/pinctrl/qcom/pinctrl-msm.c +@@ -818,7 +818,7 @@ static int msm_gpio_init(struct msm_pinc + return -EINVAL; + + chip = &pctrl->chip; +- chip->base = 0; ++ chip->base = -1; + chip->ngpio = ngpio; + chip->label = dev_name(pctrl->dev); + chip->parent = pctrl->dev; diff --git a/queue-4.14/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch b/queue-4.14/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch new file mode 100644 index 00000000000..08ba1f5ec7f --- /dev/null +++ b/queue-4.14/pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch @@ -0,0 +1,191 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Takeshi Kihara +Date: Fri, 16 Feb 2018 15:25:03 +0100 +Subject: pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group + +From: Takeshi Kihara + +[ Upstream commit b418c4609d5052d174668ad6d13efe023c45c595 ] + +This patch fixes MOD_SEL1 bit20 and MOD_SEL2 bit20, bit21 pin assignment +for SSI pins group. + +This is a correction to the incorrect implementation of MOD_SEL register +pin assignment for R8A7796 SoC specification of R-Car Gen3 Hardware +User's Manual Rev.0.51E or later. + +Fixes: f9aece7344bd ("pinctrl: sh-pfc: Initial R8A7796 PFC support") +Signed-off-by: Takeshi Kihara +Signed-off-by: Ulrich Hecht +Reviewed-by: Simon Horman +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +++++++++++++++++------------------ + 1 file changed, 20 insertions(+), 20 deletions(-) + +--- a/drivers/pinctrl/sh-pfc/pfc-r8a7796.c ++++ b/drivers/pinctrl/sh-pfc/pfc-r8a7796.c +@@ -1,7 +1,7 @@ + /* + * R8A7796 processor support - PFC hardware block. + * +- * Copyright (C) 2016 Renesas Electronics Corp. ++ * Copyright (C) 2016-2017 Renesas Electronics Corp. + * + * This file is based on the drivers/pinctrl/sh-pfc/pfc-r8a7795.c + * +@@ -477,7 +477,7 @@ FM(IP16_31_28) IP16_31_28 FM(IP17_31_28) + #define MOD_SEL1_26 FM(SEL_TIMER_TMU_0) FM(SEL_TIMER_TMU_1) + #define MOD_SEL1_25_24 FM(SEL_SSP1_1_0) FM(SEL_SSP1_1_1) FM(SEL_SSP1_1_2) FM(SEL_SSP1_1_3) + #define MOD_SEL1_23_22_21 FM(SEL_SSP1_0_0) FM(SEL_SSP1_0_1) FM(SEL_SSP1_0_2) FM(SEL_SSP1_0_3) FM(SEL_SSP1_0_4) F_(0, 0) F_(0, 0) F_(0, 0) +-#define MOD_SEL1_20 FM(SEL_SSI_0) FM(SEL_SSI_1) ++#define MOD_SEL1_20 FM(SEL_SSI1_0) FM(SEL_SSI1_1) + #define MOD_SEL1_19 FM(SEL_SPEED_PULSE_0) FM(SEL_SPEED_PULSE_1) + #define MOD_SEL1_18_17 FM(SEL_SIMCARD_0) FM(SEL_SIMCARD_1) FM(SEL_SIMCARD_2) FM(SEL_SIMCARD_3) + #define MOD_SEL1_16 FM(SEL_SDHI2_0) FM(SEL_SDHI2_1) +@@ -1224,7 +1224,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_11_8, HSCK0), + PINMUX_IPSR_MSEL(IP13_11_8, MSIOF1_SCK_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP13_11_8, AUDIO_CLKB_A, SEL_ADG_B_0), +- PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_11_8, SSI_SDATA1_B, SEL_SSI1_1), + PINMUX_IPSR_MSEL(IP13_11_8, TS_SCK0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_11_8, STP_ISCLK_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_11_8, RIF0_CLK_C, SEL_DRIF0_2), +@@ -1232,14 +1232,14 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP13_15_12, HRX0), + PINMUX_IPSR_MSEL(IP13_15_12, MSIOF1_RXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_15_12, SSI_SDATA2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP13_15_12, TS_SDEN0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_15_12, STP_ISEN_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_15_12, RIF0_D0_C, SEL_DRIF0_2), + + PINMUX_IPSR_GPSR(IP13_19_16, HTX0), + PINMUX_IPSR_MSEL(IP13_19_16, MSIOF1_TXD_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP13_19_16, SSI_SDATA9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP13_19_16, TS_SDAT0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_19_16, STP_ISD_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_19_16, RIF0_D1_C, SEL_DRIF0_2), +@@ -1247,7 +1247,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_23_20, HCTS0_N), + PINMUX_IPSR_MSEL(IP13_23_20, RX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_23_20, MSIOF1_SYNC_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_23_20, SSI_SCK9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_23_20, TS_SPSYNC0_D, SEL_TSIF0_3), + PINMUX_IPSR_MSEL(IP13_23_20, STP_ISSYNC_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_23_20, RIF0_SYNC_C, SEL_DRIF0_2), +@@ -1256,7 +1256,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_GPSR(IP13_27_24, HRTS0_N), + PINMUX_IPSR_MSEL(IP13_27_24, TX2_B, SEL_SCIF2_1), + PINMUX_IPSR_MSEL(IP13_27_24, MSIOF1_SS1_D, SEL_MSIOF1_3), +- PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP13_27_24, SSI_WS9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP13_27_24, STP_IVCXO27_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_MSEL(IP13_27_24, BPFCLK_A, SEL_FM_0), + PINMUX_IPSR_GPSR(IP13_27_24, AUDIO_CLKOUT2_A), +@@ -1271,7 +1271,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_3_0, RX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_3_0, NFWP_N_A, SEL_NDF_0), + PINMUX_IPSR_MSEL(IP14_3_0, AUDIO_CLKA_C, SEL_ADG_A_2), +- PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_3_0, SSI_SCK2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_3_0, STP_IVCXO27_0_C, SEL_SSP1_0_2), + PINMUX_IPSR_GPSR(IP14_3_0, AUDIO_CLKOUT3_A), + PINMUX_IPSR_MSEL(IP14_3_0, TCLK1_B, SEL_TIMER_TMU_1), +@@ -1280,7 +1280,7 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_7_4, TX5_A, SEL_SCIF5_0), + PINMUX_IPSR_MSEL(IP14_7_4, MSIOF1_SS2_D, SEL_MSIOF1_3), + PINMUX_IPSR_MSEL(IP14_7_4, AUDIO_CLKC_A, SEL_ADG_C_0), +- PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP14_7_4, SSI_WS2_A, SEL_SSI2_0), + PINMUX_IPSR_MSEL(IP14_7_4, STP_OPWM_0_D, SEL_SSP1_0_3), + PINMUX_IPSR_GPSR(IP14_7_4, AUDIO_CLKOUT_D), + PINMUX_IPSR_MSEL(IP14_7_4, SPEEDIN_B, SEL_SPEED_PULSE_1), +@@ -1308,10 +1308,10 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP14_31_28, MSIOF1_SS2_F, SEL_MSIOF1_5), + + /* IPSR15 */ +- PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP15_3_0, SSI_SDATA1_A, SEL_SSI1_0), + +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI_0), +- PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SDATA2_A, SEL_SSI2_0), ++ PINMUX_IPSR_MSEL(IP15_7_4, SSI_SCK1_B, SEL_SSI1_1), + + PINMUX_IPSR_GPSR(IP15_11_8, SSI_SCK349), + PINMUX_IPSR_MSEL(IP15_11_8, MSIOF1_SS1_A, SEL_MSIOF1_0), +@@ -1397,11 +1397,11 @@ static const u16 pinmux_data[] = { + PINMUX_IPSR_MSEL(IP16_27_24, RIF1_D1_A, SEL_DRIF1_0), + PINMUX_IPSR_MSEL(IP16_27_24, RIF3_D1_A, SEL_DRIF3_0), + +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_SDATA9_A, SEL_SSI9_0), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK2_B, SEL_HSCIF2_1), + PINMUX_IPSR_MSEL(IP16_31_28, MSIOF1_SS1_C, SEL_MSIOF1_2), + PINMUX_IPSR_MSEL(IP16_31_28, HSCK1_A, SEL_HSCIF1_0), +- PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP16_31_28, SSI_WS1_B, SEL_SSI1_1), + PINMUX_IPSR_GPSR(IP16_31_28, SCK1), + PINMUX_IPSR_MSEL(IP16_31_28, STP_IVCXO27_1_A, SEL_SSP1_1_0), + PINMUX_IPSR_MSEL(IP16_31_28, SCK5_A, SEL_SCIF5_0), +@@ -1433,7 +1433,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_19_16, USB1_PWEN), + PINMUX_IPSR_MSEL(IP17_19_16, SIM0_CLK_C, SEL_SIMCARD_2), +- PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_19_16, SSI_SCK1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_19_16, TS_SCK0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_19_16, STP_ISCLK_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_19_16, FMCLK_B, SEL_FM_1), +@@ -1443,7 +1443,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_23_20, USB1_OVC), + PINMUX_IPSR_MSEL(IP17_23_20, MSIOF1_SS2_C, SEL_MSIOF1_2), +- PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI_0), ++ PINMUX_IPSR_MSEL(IP17_23_20, SSI_WS1_A, SEL_SSI1_0), + PINMUX_IPSR_MSEL(IP17_23_20, TS_SDAT0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP17_23_20, STP_ISD_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP17_23_20, FMIN_B, SEL_FM_1), +@@ -1453,7 +1453,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_27_24, USB30_PWEN), + PINMUX_IPSR_GPSR(IP17_27_24, AUDIO_CLKOUT_B), +- PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_27_24, SSI_SCK2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_27_24, TS_SDEN1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_ISEN_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_27_24, STP_OPWM_0_E, SEL_SSP1_0_4), +@@ -1465,7 +1465,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP17_31_28, USB30_OVC), + PINMUX_IPSR_GPSR(IP17_31_28, AUDIO_CLKOUT1_B), +- PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP17_31_28, SSI_WS2_B, SEL_SSI2_1), + PINMUX_IPSR_MSEL(IP17_31_28, TS_SPSYNC1_D, SEL_TSIF1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_ISSYNC_1_D, SEL_SSP1_1_3), + PINMUX_IPSR_MSEL(IP17_31_28, STP_IVCXO27_0_E, SEL_SSP1_0_4), +@@ -1476,7 +1476,7 @@ static const u16 pinmux_data[] = { + /* IPSR18 */ + PINMUX_IPSR_GPSR(IP18_3_0, GP6_30), + PINMUX_IPSR_GPSR(IP18_3_0, AUDIO_CLKOUT2_B), +- PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_3_0, SSI_SCK9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_3_0, TS_SDEN0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_3_0, STP_ISEN_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_3_0, RIF2_D0_B, SEL_DRIF2_1), +@@ -1486,7 +1486,7 @@ static const u16 pinmux_data[] = { + + PINMUX_IPSR_GPSR(IP18_7_4, GP6_31), + PINMUX_IPSR_GPSR(IP18_7_4, AUDIO_CLKOUT3_B), +- PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI_1), ++ PINMUX_IPSR_MSEL(IP18_7_4, SSI_WS9_B, SEL_SSI9_1), + PINMUX_IPSR_MSEL(IP18_7_4, TS_SPSYNC0_E, SEL_TSIF0_4), + PINMUX_IPSR_MSEL(IP18_7_4, STP_ISSYNC_0_E, SEL_SSP1_0_4), + PINMUX_IPSR_MSEL(IP18_7_4, RIF2_D1_B, SEL_DRIF2_1), diff --git a/queue-4.14/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch b/queue-4.14/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch new file mode 100644 index 00000000000..dce04c93e79 --- /dev/null +++ b/queue-4.14/pkcs-7-fix-direct-verification-of-signerinfo-signature.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eric Biggers +Date: Thu, 22 Feb 2018 14:38:33 +0000 +Subject: PKCS#7: fix direct verification of SignerInfo signature + +From: Eric Biggers + +[ Upstream commit 6459ae386699a5fe0dc52cf30255f75274fa43a4 ] + +If none of the certificates in a SignerInfo's certificate chain match a +trusted key, nor is the last certificate signed by a trusted key, then +pkcs7_validate_trust_one() tries to check whether the SignerInfo's +signature was made directly by a trusted key. But, it actually fails to +set the 'sig' variable correctly, so it actually verifies the last +signature seen. That will only be the SignerInfo's signature if the +certificate chain is empty; otherwise it will actually be the last +certificate's signature. + +This is not by itself a security problem, since verifying any of the +certificates in the chain should be sufficient to verify the SignerInfo. +Still, it's not working as intended so it should be fixed. + +Fix it by setting 'sig' correctly for the direct verification case. + +Fixes: 757932e6da6d ("PKCS#7: Handle PKCS#7 messages that contain no X.509 certs") +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/pkcs7_trust.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/asymmetric_keys/pkcs7_trust.c ++++ b/crypto/asymmetric_keys/pkcs7_trust.c +@@ -106,6 +106,7 @@ static int pkcs7_validate_trust_one(stru + pr_devel("sinfo %u: Direct signer is key %x\n", + sinfo->index, key_serial(key)); + x509 = NULL; ++ sig = sinfo->sig; + goto matched; + } + if (PTR_ERR(key) != -ENOKEY) diff --git a/queue-4.14/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch b/queue-4.14/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch new file mode 100644 index 00000000000..cb2eba363b8 --- /dev/null +++ b/queue-4.14/power-supply-ltc2941-battery-gauge-fix-temperature-units.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ladislav Michl +Date: Thu, 22 Feb 2018 18:21:36 +0100 +Subject: power: supply: ltc2941-battery-gauge: Fix temperature units + +From: Ladislav Michl + +[ Upstream commit dde5953f05a89eb63a0d666ffe51d447b2ac3e05 ] + +Temperature is measured in tenths of degree Celsius. + +Fixes: 085bc24d1553 ("Add LTC2941/LTC2943 Battery Gauge Driver") +Signed-off-by: Ladislav Michl +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/ltc2941-battery-gauge.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/power/supply/ltc2941-battery-gauge.c ++++ b/drivers/power/supply/ltc2941-battery-gauge.c +@@ -316,15 +316,15 @@ static int ltc294x_get_temperature(const + + if (info->id == LTC2942_ID) { + reg = LTC2942_REG_TEMPERATURE_MSB; +- value = 60000; /* Full-scale is 600 Kelvin */ ++ value = 6000; /* Full-scale is 600 Kelvin */ + } else { + reg = LTC2943_REG_TEMPERATURE_MSB; +- value = 51000; /* Full-scale is 510 Kelvin */ ++ value = 5100; /* Full-scale is 510 Kelvin */ + } + ret = ltc294x_read_regs(info->client, reg, &datar[0], 2); + value *= (datar[0] << 8) | datar[1]; +- /* Convert to centidegrees */ +- *val = value / 0xFFFF - 27215; ++ /* Convert to tenths of degree Celsius */ ++ *val = value / 0xFFFF - 2722; + return ret; + } + diff --git a/queue-4.14/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch b/queue-4.14/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch new file mode 100644 index 00000000000..be384a829d1 --- /dev/null +++ b/queue-4.14/powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Nicholas Piggin +Date: Thu, 5 Apr 2018 16:10:00 +1000 +Subject: powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep + +From: Nicholas Piggin + +[ Upstream commit c1b25a17d24925b0961c319cfc3fd7e1dc778914 ] + +POWER8 restores AMOR when waking from deep sleep, but POWER9 does not, +because it does not go through the subcore restore. + +Have POWER9 restore it in core restore. + +Fixes: ee97b6b99f42 ("powerpc/mm/radix: Setup AMOR in HV mode to allow key 0") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/idle_book3s.S | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/idle_book3s.S ++++ b/arch/powerpc/kernel/idle_book3s.S +@@ -838,6 +838,8 @@ BEGIN_FTR_SECTION + mtspr SPRN_PTCR,r4 + ld r4,_RPR(r1) + mtspr SPRN_RPR,r4 ++ ld r4,_AMOR(r1) ++ mtspr SPRN_AMOR,r4 + END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + + ld r4,_TSCR(r1) diff --git a/queue-4.14/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch b/queue-4.14/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch new file mode 100644 index 00000000000..2a035b5b147 --- /dev/null +++ b/queue-4.14/powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch @@ -0,0 +1,67 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Nicholas Piggin +Date: Tue, 27 Mar 2018 01:01:16 +1000 +Subject: powerpc/64s: sreset panic if there is no debugger or crash dump handlers + +From: Nicholas Piggin + +[ Upstream commit d40b6768e45bd9213139b2d91d30c7692b6007b1 ] + +system_reset_exception does most of its own crash handling now, +invoking the debugger or crash dumps if they are registered. If not, +then it goes through to die() to print stack traces, and then is +supposed to panic (according to comments). + +However after die() prints oopses, it does its own handling which +doesn't allow system_reset_exception to panic (e.g., it may just +kill the current process). This patch causes sreset exceptions to +return from die after it prints messages but before acting. + +This also stops die from invoking the debugger on 0x100 crashes. +system_reset_exception similarly calls the debugger. It had been +thought this was harmless (because if the debugger was disabled, +neither call would fire, and if it was enabled the first call +would return). However in some cases like xmon 'X' command, the +debugger returns 0, which currently causes it to be entered +again (first in system_reset_exception, then in die), which is +confusing. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -182,6 +182,12 @@ static void oops_end(unsigned long flags + } + raw_local_irq_restore(flags); + ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) == 0x100) ++ return; ++ + crash_fadump(regs, "die oops"); + + if (kexec_should_crash(current)) +@@ -246,8 +252,13 @@ void die(const char *str, struct pt_regs + { + unsigned long flags; + +- if (debugger(regs)) +- return; ++ /* ++ * system_reset_excption handles debugger, crash dump, panic, for 0x100 ++ */ ++ if (TRAP(regs) != 0x100) { ++ if (debugger(regs)) ++ return; ++ } + + flags = oops_begin(regs); + if (__die(str, regs, err)) diff --git a/queue-4.14/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch b/queue-4.14/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch new file mode 100644 index 00000000000..c0c76f32824 --- /dev/null +++ b/queue-4.14/powerpc-add-missing-prototype-for-arch_irq_work_raise.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mathieu Malaterre +Date: Sun, 25 Feb 2018 18:22:29 +0100 +Subject: powerpc: Add missing prototype for arch_irq_work_raise() + +From: Mathieu Malaterre + +[ Upstream commit f5246862f82f1e16bbf84cda4cddf287672b30fe ] + +In commit 4f8b50bbbe63 ("irq_work, ppc: Fix up arch hooks") a new +function arch_irq_work_raise() was added without a prototype in header +irq_work.h. + +Fix the following warning (treated as error in W=1): + arch/powerpc/kernel/time.c:523:6: error: no previous prototype for ‘arch_irq_work_raise’ + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/irq_work.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/include/asm/irq_work.h ++++ b/arch/powerpc/include/asm/irq_work.h +@@ -6,5 +6,6 @@ static inline bool arch_irq_work_has_int + { + return true; + } ++extern void arch_irq_work_raise(void); + + #endif /* _ASM_POWERPC_IRQ_WORK_H */ diff --git a/queue-4.14/powerpc-boot-fix-random-libfdt-related-build-errors.patch b/queue-4.14/powerpc-boot-fix-random-libfdt-related-build-errors.patch new file mode 100644 index 00000000000..08d00e0e63f --- /dev/null +++ b/queue-4.14/powerpc-boot-fix-random-libfdt-related-build-errors.patch @@ -0,0 +1,52 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Guenter Roeck +Date: Fri, 23 Feb 2018 12:55:59 -0800 +Subject: powerpc/boot: Fix random libfdt related build errors + +From: Guenter Roeck + +[ Upstream commit 64c3f648c25d108f346fdc96c15180c6b7d250e9 ] + +Once in a while I see build errors similar to the following +when building images from a clean tree. + + Building powerpc:virtex-ml507:44x/virtex5_defconfig ... failed + ------------ + Error log: + arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error: + libfdt.h: No such file or directory + + Building powerpc:bamboo:smpdev:44x/bamboo_defconfig ... failed + ------------ + Error log: + arch/powerpc/boot/treeboot-akebono.c:37:20: fatal error: + libfdt.h: No such file or directory + + arch/powerpc/boot/treeboot-currituck.c:35:20: fatal error: + libfdt.h: No such file or directory + +Rebuilds will succeed. + +Turns out that several source files in arch/powerpc/boot/ include +libfdt.h, but Makefile dependencies are incomplete. Let's fix that. + +Signed-off-by: Guenter Roeck +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/boot/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/boot/Makefile ++++ b/arch/powerpc/boot/Makefile +@@ -101,7 +101,8 @@ $(addprefix $(obj)/,$(zlib-y)): \ + libfdt := fdt.c fdt_ro.c fdt_wip.c fdt_sw.c fdt_rw.c fdt_strerror.c + libfdtheader := fdt.h libfdt.h libfdt_internal.h + +-$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o): \ ++$(addprefix $(obj)/,$(libfdt) libfdt-wrapper.o simpleboot.o epapr.o opal.o \ ++ treeboot-akebono.o treeboot-currituck.o treeboot-iss4xx.o): \ + $(addprefix $(obj)/,$(libfdtheader)) + + src-wlib-y := string.S crt0.S stdio.c decompress.c main.c \ diff --git a/queue-4.14/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch b/queue-4.14/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch new file mode 100644 index 00000000000..a70e30f7c74 --- /dev/null +++ b/queue-4.14/powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Mark Lord +Date: Tue, 20 Feb 2018 14:49:20 -0500 +Subject: powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access + +From: Mark Lord + +[ Upstream commit 083b20907185b076f21c265b30fe5b5f24c03d8c ] + +I am using SECCOMP to filter syscalls on a ppc32 platform, and noticed +that the JIT compiler was failing on the BPF even though the +interpreter was working fine. + +The issue was that the compiler was missing one of the instructions +used by SECCOMP, so here is a patch to enable JIT for that +instruction. + +Fixes: eb84bab0fb38 ("ppc: Kconfig: Enable BPF JIT on ppc32") +Signed-off-by: Mark Lord +Acked-by: Naveen N. Rao +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/net/bpf_jit_comp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/net/bpf_jit_comp.c ++++ b/arch/powerpc/net/bpf_jit_comp.c +@@ -329,6 +329,9 @@ static int bpf_jit_build_body(struct bpf + BUILD_BUG_ON(FIELD_SIZEOF(struct sk_buff, len) != 4); + PPC_LWZ_OFFS(r_A, r_skb, offsetof(struct sk_buff, len)); + break; ++ case BPF_LDX | BPF_W | BPF_ABS: /* A = *((u32 *)(seccomp_data + K)); */ ++ PPC_LWZ_OFFS(r_A, r_skb, K); ++ break; + case BPF_LDX | BPF_W | BPF_LEN: /* X = skb->len; */ + PPC_LWZ_OFFS(r_X, r_skb, offsetof(struct sk_buff, len)); + break; diff --git a/queue-4.14/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch b/queue-4.14/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch new file mode 100644 index 00000000000..71dc47731bf --- /dev/null +++ b/queue-4.14/powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Anshuman Khandual +Date: Thu, 29 Mar 2018 11:53:37 +0530 +Subject: powerpc/fscr: Enable interrupts earlier before calling get_user() + +From: Anshuman Khandual + +[ Upstream commit 709b973c844c0b4d115ac3a227a2e5a68722c912 ] + +The function get_user() can sleep while trying to fetch instruction +from user address space and causes the following warning from the +scheduler. + +BUG: sleeping function called from invalid context + +Though interrupts get enabled back but it happens bit later after +get_user() is called. This change moves enabling these interrupts +earlier covering the function get_user(). While at this, lets check +for kernel mode and crash as this interrupt should not have been +triggered from the kernel context. + +Signed-off-by: Anshuman Khandual +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/traps.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1379,6 +1379,22 @@ void facility_unavailable_exception(stru + value = mfspr(SPRN_FSCR); + + status = value >> 56; ++ if ((hv || status >= 2) && ++ (status < ARRAY_SIZE(facility_strings)) && ++ facility_strings[status]) ++ facility = facility_strings[status]; ++ ++ /* We should not have taken this interrupt in kernel */ ++ if (!user_mode(regs)) { ++ pr_emerg("Facility '%s' unavailable (%d) exception in kernel mode at %lx\n", ++ facility, status, regs->nip); ++ die("Unexpected facility unavailable exception", regs, SIGABRT); ++ } ++ ++ /* We restore the interrupt state now */ ++ if (!arch_irq_disabled_regs(regs)) ++ local_irq_enable(); ++ + if (status == FSCR_DSCR_LG) { + /* + * User is accessing the DSCR register using the problem +@@ -1445,25 +1461,11 @@ void facility_unavailable_exception(stru + return; + } + +- if ((hv || status >= 2) && +- (status < ARRAY_SIZE(facility_strings)) && +- facility_strings[status]) +- facility = facility_strings[status]; +- +- /* We restore the interrupt state now */ +- if (!arch_irq_disabled_regs(regs)) +- local_irq_enable(); +- + pr_err_ratelimited("%sFacility '%s' unavailable (%d), exception at 0x%lx, MSR=%lx\n", + hv ? "Hypervisor " : "", facility, status, regs->nip, regs->msr); + + out: +- if (user_mode(regs)) { +- _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); +- return; +- } +- +- die("Unexpected facility unavailable exception", regs, SIGABRT); ++ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip); + } + #endif + diff --git a/queue-4.14/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch b/queue-4.14/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch new file mode 100644 index 00000000000..aa82e5a0f8e --- /dev/null +++ b/queue-4.14/powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Ellerman +Date: Fri, 30 Mar 2018 23:27:25 +1100 +Subject: powerpc/mpic: Check if cpu_possible() in mpic_physmask() + +From: Michael Ellerman + +[ Upstream commit 0834d627fbea00c1444075eb3e448e1974da452d ] + +In mpic_physmask() we loop over all CPUs up to 32, then get the hard +SMP processor id of that CPU. + +Currently that's possibly walking off the end of the paca array, but +in a future patch we will change the paca array to be an array of +pointers, and in that case we will get a NULL for missing CPUs and +oops. eg: + + Unable to handle kernel paging request for data at address 0x88888888888888b8 + Faulting instruction address: 0xc00000000004e380 + Oops: Kernel access of bad area, sig: 11 [#1] + ... + NIP .mpic_set_affinity+0x60/0x1a0 + LR .irq_do_set_affinity+0x48/0x100 + +Fix it by checking the CPU is possible, this also fixes the code if +there are gaps in the CPU numbering which probably never happens on +mpic systems but who knows. + +Debugged-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpic.c ++++ b/arch/powerpc/sysdev/mpic.c +@@ -626,7 +626,7 @@ static inline u32 mpic_physmask(u32 cpum + int i; + u32 mask = 0; + +- for (i = 0; i < min(32, NR_CPUS); ++i, cpumask >>= 1) ++ for (i = 0; i < min(32, NR_CPUS) && cpu_possible(i); ++i, cpumask >>= 1) + mask |= (cpumask & 1) << get_hard_smp_processor_id(i); + return mask; + } diff --git a/queue-4.14/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch b/queue-4.14/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch new file mode 100644 index 00000000000..cb51ac056b7 --- /dev/null +++ b/queue-4.14/powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch @@ -0,0 +1,72 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Ellerman +Date: Wed, 21 Mar 2018 17:10:24 +0530 +Subject: powerpc/perf: Fix kernel address leak via sampling registers + +From: Michael Ellerman + +[ Upstream commit e1ebd0e5b9d0a10ba65e63a3514b6da8c6a5a819 ] + +Current code in power_pmu_disable() does not clear the sampling +registers like Sampling Instruction Address Register (SIAR) and +Sampling Data Address Register (SDAR) after disabling the PMU. Since +these are userspace readable and could contain kernel addresses, add +code to explicitly clear the content of these registers. + +Also add a "context synchronizing instruction" to enforce no further +updates to these registers as suggested by Power ISA v3.0B. From +section 9.4, on page 1108: + + "If an mtspr instruction is executed that changes the value of a + Performance Monitor register other than SIAR, SDAR, and SIER, the + change is not guaranteed to have taken effect until after a + subsequent context synchronizing instruction has been executed (see + Chapter 11. "Synchronization Requirements for Context Alterations" + on page 1133)." + +Signed-off-by: Madhavan Srinivasan +[mpe: Massage change log and add ISA reference] +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -1236,6 +1236,7 @@ static void power_pmu_disable(struct pmu + */ + write_mmcr0(cpuhw, val); + mb(); ++ isync(); + + /* + * Disable instruction sampling if it was enabled +@@ -1244,12 +1245,26 @@ static void power_pmu_disable(struct pmu + mtspr(SPRN_MMCRA, + cpuhw->mmcr[2] & ~MMCRA_SAMPLE_ENABLE); + mb(); ++ isync(); + } + + cpuhw->disabled = 1; + cpuhw->n_added = 0; + + ebb_switch_out(mmcr0); ++ ++#ifdef CONFIG_PPC64 ++ /* ++ * These are readable by userspace, may contain kernel ++ * addresses and are not switched by context switch, so clear ++ * them now to avoid leaking anything to userspace in general ++ * including to another process. ++ */ ++ if (ppmu->flags & PPMU_ARCH_207S) { ++ mtspr(SPRN_SDAR, 0); ++ mtspr(SPRN_SIAR, 0); ++ } ++#endif + } + + local_irq_restore(flags); diff --git a/queue-4.14/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch b/queue-4.14/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch new file mode 100644 index 00000000000..638fa816b04 --- /dev/null +++ b/queue-4.14/powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Madhavan Srinivasan +Date: Wed, 21 Mar 2018 17:10:25 +0530 +Subject: powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer + +From: Madhavan Srinivasan + +[ Upstream commit bb19af816025d495376bd76bf6fbcf4244f9a06d ] + +The current Branch History Rolling Buffer (BHRB) code does not check +for any privilege levels before updating the data from BHRB. This +could leak kernel addresses to userspace even when profiling only with +userspace privileges. Add proper checks to prevent it. + +Acked-by: Balbir Singh +Signed-off-by: Madhavan Srinivasan +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/perf/core-book3s.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/powerpc/perf/core-book3s.c ++++ b/arch/powerpc/perf/core-book3s.c +@@ -457,6 +457,16 @@ static void power_pmu_bhrb_read(struct c + /* invalid entry */ + continue; + ++ /* ++ * BHRB rolling buffer could very much contain the kernel ++ * addresses at this point. Check the privileges before ++ * exporting it to userspace (avoid exposure of regions ++ * where we could have speculative execution) ++ */ ++ if (perf_paranoid_kernel() && !capable(CAP_SYS_ADMIN) && ++ is_kernel_addr(addr)) ++ continue; ++ + /* Branches are read most recent first (ie. mfbhrb 0 is + * the most recent branch). + * There are two types of valid entries: diff --git a/queue-4.14/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch b/queue-4.14/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch new file mode 100644 index 00000000000..e7df800e5ba --- /dev/null +++ b/queue-4.14/powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch @@ -0,0 +1,370 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alistair Popple +Date: Fri, 2 Mar 2018 16:18:45 +1100 +Subject: powerpc/powernv/npu: Fix deadlock in mmio_invalidate() + +From: Alistair Popple + +[ Upstream commit 2b74e2a9b39df40a2b489af2d24079617c61ee0e ] + +When sending TLB invalidates to the NPU we need to send extra flushes due +to a hardware issue. The original implementation would lock the all the +ATSD MMIO registers sequentially before unlocking and relocking each of +them sequentially to do the extra flush. + +This introduced a deadlock as it is possible for one thread to hold one +ATSD register whilst waiting for another register to be freed while the +other thread is holding that register waiting for the one in the first +thread to be freed. + +For example if there are two threads and two ATSD registers: + + Thread A Thread B + ---------------------- + Acquire 1 + Acquire 2 + Release 1 Acquire 1 + Wait 1 Wait 2 + +Both threads will be stuck waiting to acquire a register resulting in an +RCU stall warning or soft lockup. + +This patch solves the deadlock by refactoring the code to ensure registers +are not released between flushes and to ensure all registers are either +acquired or released together and in order. + +Fixes: bbd5ff50afff ("powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD") +Signed-off-by: Alistair Popple +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/npu-dma.c | 227 +++++++++++++++++++------------ + 1 file changed, 140 insertions(+), 87 deletions(-) + +--- a/arch/powerpc/platforms/powernv/npu-dma.c ++++ b/arch/powerpc/platforms/powernv/npu-dma.c +@@ -413,6 +413,11 @@ struct npu_context { + void *priv; + }; + ++struct mmio_atsd_reg { ++ struct npu *npu; ++ int reg; ++}; ++ + /* + * Find a free MMIO ATSD register and mark it in use. Return -ENOSPC + * if none are available. +@@ -422,7 +427,7 @@ static int get_mmio_atsd_reg(struct npu + int i; + + for (i = 0; i < npu->mmio_atsd_count; i++) { +- if (!test_and_set_bit(i, &npu->mmio_atsd_usage)) ++ if (!test_and_set_bit_lock(i, &npu->mmio_atsd_usage)) + return i; + } + +@@ -431,86 +436,90 @@ static int get_mmio_atsd_reg(struct npu + + static void put_mmio_atsd_reg(struct npu *npu, int reg) + { +- clear_bit(reg, &npu->mmio_atsd_usage); ++ clear_bit_unlock(reg, &npu->mmio_atsd_usage); + } + + /* MMIO ATSD register offsets */ + #define XTS_ATSD_AVA 1 + #define XTS_ATSD_STAT 2 + +-static int mmio_launch_invalidate(struct npu *npu, unsigned long launch, +- unsigned long va) ++static void mmio_launch_invalidate(struct mmio_atsd_reg *mmio_atsd_reg, ++ unsigned long launch, unsigned long va) + { +- int mmio_atsd_reg; +- +- do { +- mmio_atsd_reg = get_mmio_atsd_reg(npu); +- cpu_relax(); +- } while (mmio_atsd_reg < 0); ++ struct npu *npu = mmio_atsd_reg->npu; ++ int reg = mmio_atsd_reg->reg; + + __raw_writeq(cpu_to_be64(va), +- npu->mmio_atsd_regs[mmio_atsd_reg] + XTS_ATSD_AVA); ++ npu->mmio_atsd_regs[reg] + XTS_ATSD_AVA); + eieio(); +- __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[mmio_atsd_reg]); +- +- return mmio_atsd_reg; ++ __raw_writeq(cpu_to_be64(launch), npu->mmio_atsd_regs[reg]); + } + +-static int mmio_invalidate_pid(struct npu *npu, unsigned long pid, bool flush) ++static void mmio_invalidate_pid(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate matching PID */ +- launch = PPC_BIT(12); ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ /* IS set to invalidate matching PID */ ++ launch = PPC_BIT(12); + +- /* PRS set to process-scoped */ +- launch |= PPC_BIT(13); ++ /* PRS set to process-scoped */ ++ launch |= PPC_BIT(13); + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); + +- /* Invalidating the entire process doesn't use a va */ +- return mmio_launch_invalidate(npu, launch, 0); ++ /* Invalidating the entire process doesn't use a va */ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, 0); ++ } + } + +-static int mmio_invalidate_va(struct npu *npu, unsigned long va, +- unsigned long pid, bool flush) ++static void mmio_invalidate_va(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], ++ unsigned long va, unsigned long pid, bool flush) + { ++ int i; + unsigned long launch; + +- /* IS set to invalidate target VA */ +- launch = 0; ++ for (i = 0; i <= max_npu2_index; i++) { ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; + +- /* PRS set to process scoped */ +- launch |= PPC_BIT(13); ++ /* IS set to invalidate target VA */ ++ launch = 0; + +- /* AP */ +- launch |= (u64) mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); ++ /* PRS set to process scoped */ ++ launch |= PPC_BIT(13); + +- /* PID */ +- launch |= pid << PPC_BITLSHIFT(38); ++ /* AP */ ++ launch |= (u64) ++ mmu_get_ap(mmu_virtual_psize) << PPC_BITLSHIFT(17); + +- /* No flush */ +- launch |= !flush << PPC_BITLSHIFT(39); ++ /* PID */ ++ launch |= pid << PPC_BITLSHIFT(38); + +- return mmio_launch_invalidate(npu, launch, va); ++ /* No flush */ ++ launch |= !flush << PPC_BITLSHIFT(39); ++ ++ mmio_launch_invalidate(&mmio_atsd_reg[i], launch, va); ++ } + } + + #define mn_to_npu_context(x) container_of(x, struct npu_context, mn) + +-struct mmio_atsd_reg { +- struct npu *npu; +- int reg; +-}; +- + static void mmio_invalidate_wait( +- struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS], bool flush) ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) + { + struct npu *npu; + int i, reg; +@@ -525,16 +534,67 @@ static void mmio_invalidate_wait( + reg = mmio_atsd_reg[i].reg; + while (__raw_readq(npu->mmio_atsd_regs[reg] + XTS_ATSD_STAT)) + cpu_relax(); ++ } ++} ++ ++/* ++ * Acquires all the address translation shootdown (ATSD) registers required to ++ * launch an ATSD on all links this npu_context is active on. ++ */ ++static void acquire_atsd_reg(struct npu_context *npu_context, ++ struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i, j; ++ struct npu *npu; ++ struct pci_dev *npdev; ++ struct pnv_phb *nphb; ++ ++ for (i = 0; i <= max_npu2_index; i++) { ++ mmio_atsd_reg[i].reg = -1; ++ for (j = 0; j < NV_MAX_LINKS; j++) { ++ /* ++ * There are no ordering requirements with respect to ++ * the setup of struct npu_context, but to ensure ++ * consistent behaviour we need to ensure npdev[][] is ++ * only read once. ++ */ ++ npdev = READ_ONCE(npu_context->npdev[i][j]); ++ if (!npdev) ++ continue; ++ ++ nphb = pci_bus_to_host(npdev->bus)->private_data; ++ npu = &nphb->npu; ++ mmio_atsd_reg[i].npu = npu; ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ while (mmio_atsd_reg[i].reg < 0) { ++ mmio_atsd_reg[i].reg = get_mmio_atsd_reg(npu); ++ cpu_relax(); ++ } ++ break; ++ } ++ } ++} + +- put_mmio_atsd_reg(npu, reg); ++/* ++ * Release previously acquired ATSD registers. To avoid deadlocks the registers ++ * must be released in the same order they were acquired above in ++ * acquire_atsd_reg. ++ */ ++static void release_atsd_reg(struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]) ++{ ++ int i; + ++ for (i = 0; i <= max_npu2_index; i++) { + /* +- * The GPU requires two flush ATSDs to ensure all entries have +- * been flushed. We use PID 0 as it will never be used for a +- * process on the GPU. ++ * We can't rely on npu_context->npdev[][] being the same here ++ * as when acquire_atsd_reg() was called, hence we use the ++ * values stored in mmio_atsd_reg during the acquire phase ++ * rather than re-reading npdev[][]. + */ +- if (flush) +- mmio_invalidate_pid(npu, 0, true); ++ if (mmio_atsd_reg[i].reg < 0) ++ continue; ++ ++ put_mmio_atsd_reg(mmio_atsd_reg[i].npu, mmio_atsd_reg[i].reg); + } + } + +@@ -545,10 +605,6 @@ static void mmio_invalidate_wait( + static void mmio_invalidate(struct npu_context *npu_context, int va, + unsigned long address, bool flush) + { +- int i, j; +- struct npu *npu; +- struct pnv_phb *nphb; +- struct pci_dev *npdev; + struct mmio_atsd_reg mmio_atsd_reg[NV_MAX_NPUS]; + unsigned long pid = npu_context->mm->context.id; + +@@ -562,37 +618,25 @@ static void mmio_invalidate(struct npu_c + * Loop over all the NPUs this process is active on and launch + * an invalidate. + */ +- for (i = 0; i <= max_npu2_index; i++) { +- mmio_atsd_reg[i].reg = -1; +- for (j = 0; j < NV_MAX_LINKS; j++) { +- npdev = npu_context->npdev[i][j]; +- if (!npdev) +- continue; ++ acquire_atsd_reg(npu_context, mmio_atsd_reg); ++ if (va) ++ mmio_invalidate_va(mmio_atsd_reg, address, pid, flush); ++ else ++ mmio_invalidate_pid(mmio_atsd_reg, pid, flush); + +- nphb = pci_bus_to_host(npdev->bus)->private_data; +- npu = &nphb->npu; +- mmio_atsd_reg[i].npu = npu; +- +- if (va) +- mmio_atsd_reg[i].reg = +- mmio_invalidate_va(npu, address, pid, +- flush); +- else +- mmio_atsd_reg[i].reg = +- mmio_invalidate_pid(npu, pid, flush); +- +- /* +- * The NPU hardware forwards the shootdown to all GPUs +- * so we only have to launch one shootdown per NPU. +- */ +- break; +- } ++ mmio_invalidate_wait(mmio_atsd_reg); ++ if (flush) { ++ /* ++ * The GPU requires two flush ATSDs to ensure all entries have ++ * been flushed. We use PID 0 as it will never be used for a ++ * process on the GPU. ++ */ ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); ++ mmio_invalidate_pid(mmio_atsd_reg, 0, true); ++ mmio_invalidate_wait(mmio_atsd_reg); + } +- +- mmio_invalidate_wait(mmio_atsd_reg, flush); +- if (flush) +- /* Wait for the flush to complete */ +- mmio_invalidate_wait(mmio_atsd_reg, false); ++ release_atsd_reg(mmio_atsd_reg); + } + + static void pnv_npu2_mn_release(struct mmu_notifier *mn, +@@ -735,7 +779,16 @@ struct npu_context *pnv_npu2_init_contex + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return ERR_PTR(-ENODEV); +- npu_context->npdev[npu->index][nvlink_index] = npdev; ++ ++ /* ++ * npdev is a pci_dev pointer setup by the PCI code. We assign it to ++ * npdev[][] to indicate to the mmu notifiers that an invalidation ++ * should also be sent over this nvlink. The notifiers don't use any ++ * other fields in npu_context, so we just need to ensure that when they ++ * deference npu_context->npdev[][] it is either a valid pointer or ++ * NULL. ++ */ ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], npdev); + + return npu_context; + } +@@ -774,7 +827,7 @@ void pnv_npu2_destroy_context(struct npu + if (WARN_ON(of_property_read_u32(nvlink_dn, "ibm,npu-link-index", + &nvlink_index))) + return; +- npu_context->npdev[npu->index][nvlink_index] = NULL; ++ WRITE_ONCE(npu_context->npdev[npu->index][nvlink_index], NULL); + opal_npu_destroy_context(nphb->opal_id, npu_context->mm->context.id, + PCI_DEVID(gpdev->bus->number, gpdev->devfn)); + kref_put(&npu_context->kref, pnv_npu2_release_context); diff --git a/queue-4.14/ptr_ring-prevent-integer-overflow-when-calculating-size.patch b/queue-4.14/ptr_ring-prevent-integer-overflow-when-calculating-size.patch new file mode 100644 index 00000000000..8252ccf6114 --- /dev/null +++ b/queue-4.14/ptr_ring-prevent-integer-overflow-when-calculating-size.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jason Wang +Date: Sun, 11 Feb 2018 11:28:12 +0800 +Subject: ptr_ring: prevent integer overflow when calculating size + +From: Jason Wang + +[ Upstream commit 54e02162d4454a99227f520948bf4494c3d972d0 ] + +Switch to use dividing to prevent integer overflow when size is too +big to calculate allocation size properly. + +Reported-by: Eric Biggers +Fixes: 6e6e41c31122 ("ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE") +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ptr_ring.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/ptr_ring.h ++++ b/include/linux/ptr_ring.h +@@ -450,7 +450,7 @@ static inline int ptr_ring_consume_batch + */ + static inline void **__ptr_ring_init_queue_alloc(unsigned int size, gfp_t gfp) + { +- if (size * sizeof(void *) > KMALLOC_MAX_SIZE) ++ if (size > KMALLOC_MAX_SIZE / sizeof(void *)) + return NULL; + return kvmalloc_array(size, sizeof(void *), gfp | __GFP_ZERO); + } diff --git a/queue-4.14/qed-free-roce-ilt-memory-on-rmmod-qedr.patch b/queue-4.14/qed-free-roce-ilt-memory-on-rmmod-qedr.patch new file mode 100644 index 00000000000..afd5af3bb55 --- /dev/null +++ b/queue-4.14/qed-free-roce-ilt-memory-on-rmmod-qedr.patch @@ -0,0 +1,65 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michal Kalderon +Date: Mon, 5 Mar 2018 23:50:46 +0200 +Subject: qed: Free RoCE ILT Memory on rmmod qedr + +From: Michal Kalderon + +[ Upstream commit 9de506a547c0d172d13a91d69b1a399e6a2c0efa ] + +Rdma requires ILT Memory to be allocated for it's QPs. +Each ILT entry points to a page used by several Rdma QPs. +To avoid allocating all the memory in advance, the rdma +implementation dynamically allocates memory as more QPs are +added, however it does not dynamically free the memory. +The memory should have been freed on rmmod qedr, but isn't. +This patch adds the memory freeing on rmmod qedr (currently +it will be freed with qed is removed). + +An outcome of this bug, is that if qedr is unloaded and loaded +without unloaded qed, there will be no more RoCE traffic. + +The reason these are related, is that the logic of detecting the +first QP ever opened is by asking whether ILT memory for RoCE has +been allocated. + +In addition, this patch modifies freeing of the Task context to +always use the PROTOCOLID_ROCE and not the protocol passed, +this is because task context for iWARP and ROCE both use the +ROCE protocol id, as opposed to the connection context. + +Fixes: dbb799c39717 ("qed: Initialize hardware for new protocols") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_cxt.c | 5 ++++- + drivers/net/ethernet/qlogic/qed/qed_rdma.c | 1 + + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c +@@ -2471,7 +2471,10 @@ int qed_cxt_free_proto_ilt(struct qed_hw + if (rc) + return rc; + +- /* Free Task CXT */ ++ /* Free Task CXT ( Intentionally RoCE as task-id is shared between ++ * RoCE and iWARP ) ++ */ ++ proto = PROTOCOLID_ROCE; + rc = qed_cxt_free_ilt_range(p_hwfn, QED_ELEM_TASK, 0, + qed_cxt_get_proto_tid_count(p_hwfn, proto)); + if (rc) +--- a/drivers/net/ethernet/qlogic/qed/qed_rdma.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_rdma.c +@@ -360,6 +360,7 @@ static void qed_rdma_free(struct qed_hwf + DP_VERBOSE(p_hwfn, QED_MSG_RDMA, "Freeing RDMA\n"); + + qed_rdma_resc_free(p_hwfn); ++ qed_cxt_free_proto_ilt(p_hwfn, p_hwfn->p_rdma_info->proto); + } + + static void qed_rdma_get_guid(struct qed_hwfn *p_hwfn, u8 *guid) diff --git a/queue-4.14/qede-do-not-drop-rx-checksum-invalidated-packets.patch b/queue-4.14/qede-do-not-drop-rx-checksum-invalidated-packets.patch new file mode 100644 index 00000000000..d97f8be54dd --- /dev/null +++ b/queue-4.14/qede-do-not-drop-rx-checksum-invalidated-packets.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Manish Chopra +Date: Wed, 28 Mar 2018 03:35:52 -0700 +Subject: qede: Do not drop rx-checksum invalidated packets. + +From: Manish Chopra + +[ Upstream commit 58f101bf87e32753342a6924772c6ebb0fbde24a ] + +Today, driver drops received packets which are indicated as +invalid checksum by the device. Instead of dropping such packets, +pass them to the stack with CHECKSUM_NONE indication in skb. + +Signed-off-by: Ariel Elior +Signed-off-by: Manish Chopra +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -1245,16 +1245,10 @@ static int qede_rx_process_cqe(struct qe + + csum_flag = qede_check_csum(parse_flag); + if (unlikely(csum_flag == QEDE_CSUM_ERROR)) { +- if (qede_pkt_is_ip_fragmented(fp_cqe, parse_flag)) { ++ if (qede_pkt_is_ip_fragmented(fp_cqe, parse_flag)) + rxq->rx_ip_frags++; +- } else { +- DP_NOTICE(edev, +- "CQE has error, flags = %x, dropping incoming packet\n", +- parse_flag); ++ else + rxq->rx_hw_errors++; +- qede_recycle_rx_bd_ring(rxq, fp_cqe->bd_num); +- return 0; +- } + } + + /* Basic validation passed; Need to prepare an SKB. This would also diff --git a/queue-4.14/qede-fix-barrier-usage-after-tx-doorbell-write.patch b/queue-4.14/qede-fix-barrier-usage-after-tx-doorbell-write.patch new file mode 100644 index 00000000000..a06452c3073 --- /dev/null +++ b/queue-4.14/qede-fix-barrier-usage-after-tx-doorbell-write.patch @@ -0,0 +1,56 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Manish Chopra +Date: Tue, 27 Mar 2018 06:34:41 -0700 +Subject: qede: Fix barrier usage after tx doorbell write. + +From: Manish Chopra + +[ Upstream commit b9fc828debc8ac2bb21b5819a44d2aea456f1c95 ] + +Since commit c5ad119fb6c09b0297446be05bd66602fa564758 +("net: sched: pfifo_fast use skb_array") driver is exposed +to an issue where it is hitting NULL skbs while handling TX +completions. Driver uses mmiowb() to flush the writes to the +doorbell bar which is a write-combined bar, however on x86 +mmiowb() does not flush the write combined buffer. + +This patch fixes this problem by replacing mmiowb() with wmb() +after the write combined doorbell write so that writes are +flushed and synchronized from more than one processor. + +V1->V2: +------- +This patch was marked as "superseded" in patchwork. +(Not really sure for what reason).Resending it as v2. + +Signed-off-by: Ariel Elior +Signed-off-by: Manish Chopra + +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qede/qede_fp.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qede/qede_fp.c ++++ b/drivers/net/ethernet/qlogic/qede/qede_fp.c +@@ -320,13 +320,11 @@ static inline void qede_update_tx_produc + barrier(); + writel(txq->tx_db.raw, txq->doorbell_addr); + +- /* mmiowb is needed to synchronize doorbell writes from more than one +- * processor. It guarantees that the write arrives to the device before +- * the queue lock is released and another start_xmit is called (possibly +- * on another CPU). Without this barrier, the next doorbell can bypass +- * this doorbell. This is applicable to IA64/Altix systems. ++ /* Fence required to flush the write combined buffer, since another ++ * CPU may write to the same doorbell address and data may be lost ++ * due to relaxed order nature of write combined bar. + */ +- mmiowb(); ++ wmb(); + } + + static int qede_xdp_xmit(struct qede_dev *edev, struct qede_fastpath *fp, diff --git a/queue-4.14/qrtr-add-module_alias-macro-to-smd.patch b/queue-4.14/qrtr-add-module_alias-macro-to-smd.patch new file mode 100644 index 00000000000..2adc427b65a --- /dev/null +++ b/queue-4.14/qrtr-add-module_alias-macro-to-smd.patch @@ -0,0 +1,29 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ramon Fried +Date: Sun, 25 Feb 2018 09:49:37 +0200 +Subject: qrtr: add MODULE_ALIAS macro to smd + +From: Ramon Fried + +[ Upstream commit c77f5fbbefc04612755117775e8555c2a7006cac ] + +Added MODULE_ALIAS("rpmsg:IPCRTR") to ensure qrtr-smd and qrtr will load +when IPCRTR channel is detected. + +Signed-off-by: Ramon Fried +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/smd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/qrtr/smd.c ++++ b/net/qrtr/smd.c +@@ -114,5 +114,6 @@ static struct rpmsg_driver qcom_smd_qrtr + + module_rpmsg_driver(qcom_smd_qrtr_driver); + ++MODULE_ALIAS("rpmsg:IPCRTR"); + MODULE_DESCRIPTION("Qualcomm IPC-Router SMD interface driver"); + MODULE_LICENSE("GPL v2"); diff --git a/queue-4.14/r8152-fix-tx-packets-accounting.patch b/queue-4.14/r8152-fix-tx-packets-accounting.patch new file mode 100644 index 00000000000..f288cff33b7 --- /dev/null +++ b/queue-4.14/r8152-fix-tx-packets-accounting.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eric Dumazet +Date: Sun, 25 Feb 2018 19:12:10 -0800 +Subject: r8152: fix tx packets accounting + +From: Eric Dumazet + +[ Upstream commit 4c27bf3c5b7434ccb9ab962301da661c26b467a4 ] + +r8152 driver handles TSO packets (limited to ~16KB) quite well, +but pretends each TSO logical packet is a single packet on the wire. + +There is also some error since headers are accounted once, but +error rate is small enough that we do not care. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/r8152.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/r8152.c ++++ b/drivers/net/usb/r8152.c +@@ -1793,7 +1793,7 @@ static int r8152_tx_agg_fill(struct r815 + + tx_data += len; + agg->skb_len += len; +- agg->skb_num++; ++ agg->skb_num += skb_shinfo(skb)->gso_segs ?: 1; + + dev_kfree_skb_any(skb); + diff --git a/queue-4.14/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch b/queue-4.14/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch new file mode 100644 index 00000000000..a633dceea1b --- /dev/null +++ b/queue-4.14/rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch @@ -0,0 +1,49 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tejun Heo +Date: Tue, 9 Jan 2018 10:38:17 -0800 +Subject: rcu: Call touch_nmi_watchdog() while printing stall warnings + +From: Tejun Heo + +[ Upstream commit 3caa973b7a260e7a2a69edc94c300ab9c65148c3 ] + +When RCU stall warning triggers, it can print out a lot of messages +while holding spinlocks. If the console device is slow (e.g. an +actual or IPMI serial console), it may end up triggering NMI hard +lockup watchdog like the following. + +--- + kernel/rcu/tree_plugin.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/kernel/rcu/tree_plugin.h ++++ b/kernel/rcu/tree_plugin.h +@@ -559,8 +559,14 @@ static void rcu_print_detail_task_stall_ + } + t = list_entry(rnp->gp_tasks->prev, + struct task_struct, rcu_node_entry); +- list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) ++ list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) { ++ /* ++ * We could be printing a lot while holding a spinlock. ++ * Avoid triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); + sched_show_task(t); ++ } + raw_spin_unlock_irqrestore_rcu_node(rnp, flags); + } + +@@ -1677,6 +1683,12 @@ static void print_cpu_stall_info(struct + char *ticks_title; + unsigned long ticks_value; + ++ /* ++ * We could be printing a lot while holding a spinlock. Avoid ++ * triggering hard lockup. ++ */ ++ touch_nmi_watchdog(); ++ + if (rsp->gpnum == rdp->gpnum) { + ticks_title = "ticks this GP"; + ticks_value = rdp->ticks_this_gp; diff --git a/queue-4.14/rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch b/queue-4.14/rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch new file mode 100644 index 00000000000..15314b818da --- /dev/null +++ b/queue-4.14/rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch @@ -0,0 +1,96 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Devesh Sharma +Date: Mon, 26 Feb 2018 01:51:38 -0800 +Subject: RDMA/bnxt_re: Fix incorrect DB offset calculation + +From: Devesh Sharma + +[ Upstream commit c354dff00db8df80f271418d8392065e10ffffb6 ] + +To support host systems with non 4K page size, l2_db_size shall be +calculated with 4096 instead of PAGE_SIZE. Also, supply the host page size +to FW during initialization. + +Signed-off-by: Devesh Sharma +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 6 +++++- + drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 1 + + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 3 ++- + drivers/infiniband/hw/bnxt_re/roce_hsi.h | 25 ++++++++++++++++++++++++- + 4 files changed, 32 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.c +@@ -457,7 +457,11 @@ int bnxt_qplib_init_rcfw(struct bnxt_qpl + int rc; + + RCFW_CMD_PREP(req, INITIALIZE_FW, cmd_flags); +- ++ /* Supply (log-base-2-of-host-page-size - base-page-shift) ++ * to bono to adjust the doorbell page sizes. ++ */ ++ req.log2_dbr_pg_size = cpu_to_le16(PAGE_SHIFT - ++ RCFW_DBR_BASE_PAGE_SHIFT); + /* + * VFs need not setup the HW context area, PF + * shall setup this area for VF. Skipping the +--- a/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h ++++ b/drivers/infiniband/hw/bnxt_re/qplib_rcfw.h +@@ -49,6 +49,7 @@ + #define RCFW_COMM_SIZE 0x104 + + #define RCFW_DBR_PCI_BAR_REGION 2 ++#define RCFW_DBR_BASE_PAGE_SHIFT 12 + + #define RCFW_CMD_PREP(req, CMD, cmd_flags) \ + do { \ +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -130,7 +130,8 @@ int bnxt_qplib_get_dev_attr(struct bnxt_ + attr->max_pkey = le32_to_cpu(sb->max_pkeys); + + attr->max_inline_data = le32_to_cpu(sb->max_inline_data); +- attr->l2_db_size = (sb->l2_db_space_size + 1) * PAGE_SIZE; ++ attr->l2_db_size = (sb->l2_db_space_size + 1) * ++ (0x01 << RCFW_DBR_BASE_PAGE_SHIFT); + attr->max_sgid = le32_to_cpu(sb->max_gid); + + strlcpy(attr->fw_ver, "20.6.28.0", sizeof(attr->fw_ver)); +--- a/drivers/infiniband/hw/bnxt_re/roce_hsi.h ++++ b/drivers/infiniband/hw/bnxt_re/roce_hsi.h +@@ -1734,7 +1734,30 @@ struct cmdq_initialize_fw { + #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_2M (0x3UL << 4) + #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_8M (0x4UL << 4) + #define CMDQ_INITIALIZE_FW_TIM_PG_SIZE_PG_1G (0x5UL << 4) +- __le16 reserved16; ++ /* This value is (log-base-2-of-DBR-page-size - 12). ++ * 0 for 4KB. HW supported values are enumerated below. ++ */ ++ __le16 log2_dbr_pg_size; ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_MASK 0xfUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_SFT 0 ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_4K 0x0UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_8K 0x1UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_16K 0x2UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_32K 0x3UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_64K 0x4UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128K 0x5UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_256K 0x6UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_512K 0x7UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_1M 0x8UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_2M 0x9UL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_4M 0xaUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_8M 0xbUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_16M 0xcUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_32M 0xdUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_64M 0xeUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128M 0xfUL ++ #define CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_LAST \ ++ CMDQ_INITIALIZE_FW_LOG2_DBR_PG_SIZE_PG_128M + __le64 qpc_page_dir; + __le64 mrw_page_dir; + __le64 srq_page_dir; diff --git a/queue-4.14/rdma-bnxt_re-fix-system-crash-during-load-unload.patch b/queue-4.14/rdma-bnxt_re-fix-system-crash-during-load-unload.patch new file mode 100644 index 00000000000..369557e6b28 --- /dev/null +++ b/queue-4.14/rdma-bnxt_re-fix-system-crash-during-load-unload.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Selvin Xavier +Date: Thu, 15 Feb 2018 21:20:12 -0800 +Subject: RDMA/bnxt_re: Fix system crash during load/unload + +From: Selvin Xavier + +[ Upstream commit dcdaba08062b4726500b9456f8664bfda896c664 ] + +During driver unload, the driver proceeds with cleanup +without waiting for the scheduled events. So the device +pointers get freed up and driver crashes when the events +are scheduled later. + +Flush the bnxt_re_task work queue before starting +device removal. + +Signed-off-by: Selvin Xavier +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1398,6 +1398,11 @@ static void __exit bnxt_re_mod_exit(void + + list_for_each_entry(rdev, &to_be_deleted, list) { + dev_info(rdev_to_dev(rdev), "Unregistering Device"); ++ /* ++ * Flush out any scheduled tasks before destroying the ++ * resources ++ */ ++ flush_workqueue(bnxt_re_wq); + bnxt_re_dev_stop(rdev); + bnxt_re_ib_unreg(rdev, true); + bnxt_re_remove_one(rdev); diff --git a/queue-4.14/rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch b/queue-4.14/rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch new file mode 100644 index 00000000000..48d369845a2 --- /dev/null +++ b/queue-4.14/rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Selvin Xavier +Date: Mon, 26 Feb 2018 01:51:39 -0800 +Subject: RDMA/bnxt_re: Fix the ib_reg failure cleanup + +From: Selvin Xavier + +[ Upstream commit 497158aa5f520db50452ef928c0f955cb42f2e77 ] + +Release the netdev references in the cleanup path. Invokes the cleanup +routines if bnxt_re_ib_reg fails. + +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/main.c ++++ b/drivers/infiniband/hw/bnxt_re/main.c +@@ -1240,9 +1240,12 @@ static void bnxt_re_task(struct work_str + switch (re_work->event) { + case NETDEV_REGISTER: + rc = bnxt_re_ib_reg(rdev); +- if (rc) ++ if (rc) { + dev_err(rdev_to_dev(rdev), + "Failed to register with IB: %#x", rc); ++ bnxt_re_remove_one(rdev); ++ bnxt_re_dev_unreg(rdev); ++ } + break; + case NETDEV_UP: + bnxt_re_dispatch_event(&rdev->ibdev, NULL, 1, diff --git a/queue-4.14/rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch b/queue-4.14/rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch new file mode 100644 index 00000000000..8ab287c7c7b --- /dev/null +++ b/queue-4.14/rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Devesh Sharma +Date: Mon, 26 Feb 2018 01:51:37 -0800 +Subject: RDMA/bnxt_re: Unconditionly fence non wire memory operations + +From: Devesh Sharma + +[ Upstream commit a45bc17b360d75fac9ced85e99fda14bf38b4dc3 ] + +HW requires an unconditonal fence for all non-wire memory operations +through SQ. This guarantees the completions of these memory operations. + +Signed-off-by: Devesh Sharma +Signed-off-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1963,10 +1963,13 @@ static int bnxt_re_build_inv_wqe(struct + wqe->type = BNXT_QPLIB_SWQE_TYPE_LOCAL_INV; + wqe->local_inv.inv_l_key = wr->ex.invalidate_rkey; + ++ /* Need unconditional fence for local invalidate ++ * opcode to work as expected. ++ */ ++ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE; ++ + if (wr->send_flags & IB_SEND_SIGNALED) + wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SIGNAL_COMP; +- if (wr->send_flags & IB_SEND_FENCE) +- wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE; + if (wr->send_flags & IB_SEND_SOLICITED) + wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SOLICIT_EVENT; + +@@ -1987,8 +1990,12 @@ static int bnxt_re_build_reg_wqe(struct + wqe->frmr.levels = qplib_frpl->hwq.level + 1; + wqe->type = BNXT_QPLIB_SWQE_TYPE_REG_MR; + +- if (wr->wr.send_flags & IB_SEND_FENCE) +- wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE; ++ /* Need unconditional fence for reg_mr ++ * opcode to function as expected. ++ */ ++ ++ wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_UC_FENCE; ++ + if (wr->wr.send_flags & IB_SEND_SIGNALED) + wqe->flags |= BNXT_QPLIB_SWQE_FLAGS_SIGNAL_COMP; + diff --git a/queue-4.14/rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch b/queue-4.14/rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch new file mode 100644 index 00000000000..67bdeb91e60 --- /dev/null +++ b/queue-4.14/rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch @@ -0,0 +1,47 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Devesh Sharma +Date: Thu, 15 Feb 2018 21:20:10 -0800 +Subject: RDMA/bnxt_re: Unpin SQ and RQ memory if QP create fails + +From: Devesh Sharma + +[ Upstream commit 6b4521f5174c26020ae0deb3ef7f2c28557cf445 ] + +Driver leaves the QP memory pinned if QP create command +fails from the FW. Avoids this scenario by adding a proper +exit path if the FW command fails. + +Signed-off-by: Devesh Sharma +Signed-off-by: Selvin Xavier +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/ib_verbs.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/bnxt_re/ib_verbs.c ++++ b/drivers/infiniband/hw/bnxt_re/ib_verbs.c +@@ -1180,7 +1180,7 @@ struct ib_qp *bnxt_re_create_qp(struct i + rc = bnxt_qplib_create_qp(&rdev->qplib_res, &qp->qplib_qp); + if (rc) { + dev_err(rdev_to_dev(rdev), "Failed to create HW QP"); +- goto fail; ++ goto free_umem; + } + } + +@@ -1208,6 +1208,13 @@ struct ib_qp *bnxt_re_create_qp(struct i + return &qp->ib_qp; + qp_destroy: + bnxt_qplib_destroy_qp(&rdev->qplib_res, &qp->qplib_qp); ++free_umem: ++ if (udata) { ++ if (qp->rumem) ++ ib_umem_release(qp->rumem); ++ if (qp->sumem) ++ ib_umem_release(qp->sumem); ++ } + fail: + kfree(qp); + return ERR_PTR(rc); diff --git a/queue-4.14/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch b/queue-4.14/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch new file mode 100644 index 00000000000..dd27bb14b44 --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch @@ -0,0 +1,48 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kalderon, Michal" +Date: Mon, 5 Mar 2018 10:50:11 +0200 +Subject: RDMA/qedr: Fix iWARP write and send with immediate + +From: "Kalderon, Michal" + +[ Upstream commit 551e1c67b4207455375a2e7a285dea1c7e8fc361 ] + +iWARP does not support RDMA WRITE or SEND with immediate data. +Driver should check this before submitting to FW and return an +immediate error + +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -2832,6 +2832,11 @@ static int __qedr_post_send(struct ib_qp + + switch (wr->opcode) { + case IB_WR_SEND_WITH_IMM: ++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) { ++ rc = -EINVAL; ++ *bad_wr = wr; ++ break; ++ } + wqe->req_type = RDMA_SQ_REQ_TYPE_SEND_WITH_IMM; + swqe = (struct rdma_sq_send_wqe_1st *)wqe; + swqe->wqe_size = 2; +@@ -2873,6 +2878,11 @@ static int __qedr_post_send(struct ib_qp + break; + + case IB_WR_RDMA_WRITE_WITH_IMM: ++ if (unlikely(rdma_protocol_iwarp(&dev->ibdev, 1))) { ++ rc = -EINVAL; ++ *bad_wr = wr; ++ break; ++ } + wqe->req_type = RDMA_SQ_REQ_TYPE_RDMA_WR_WITH_IMM; + rwqe = (struct rdma_sq_rdma_wqe_1st *)wqe; + diff --git a/queue-4.14/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch b/queue-4.14/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch new file mode 100644 index 00000000000..4d266cc8da0 --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kalderon, Michal" +Date: Mon, 5 Mar 2018 10:50:10 +0200 +Subject: RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA + +From: "Kalderon, Michal" + +[ Upstream commit e3fd112cbf21d049faf64ba1471d72b93c22109a ] + +Race in qedr_poll_cq, lastest_cqe wasn't protected by lock, +leading to a case where two context's accessing poll_cq at +the same time lead to one of them having a pointer to an old +latest_cqe and reading an invalid cqe element + +Signed-off-by: Amit Radzi +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -3518,7 +3518,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int + { + struct qedr_dev *dev = get_qedr_dev(ibcq->device); + struct qedr_cq *cq = get_qedr_cq(ibcq); +- union rdma_cqe *cqe = cq->latest_cqe; ++ union rdma_cqe *cqe; + u32 old_cons, new_cons; + unsigned long flags; + int update = 0; +@@ -3535,6 +3535,7 @@ int qedr_poll_cq(struct ib_cq *ibcq, int + return qedr_gsi_poll_cq(ibcq, num_entries, wc); + + spin_lock_irqsave(&cq->cq_lock, flags); ++ cqe = cq->latest_cqe; + old_cons = qed_chain_get_cons_idx_u32(&cq->pbl); + while (num_entries && is_valid_cqe(cq, cqe)) { + struct qedr_qp *qp; diff --git a/queue-4.14/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch b/queue-4.14/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch new file mode 100644 index 00000000000..2daacd46672 --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-qp-s-ack-timeout-configuration.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kalderon, Michal" +Date: Wed, 21 Mar 2018 14:51:50 +0200 +Subject: RDMA/qedr: fix QP's ack timeout configuration + +From: "Kalderon, Michal" + +[ Upstream commit c3594f22302cca5e924e47ec1cc8edd265708f41 ] + +QPs that were configured with ack timeout value lower than 1 +msec will not implement re-transmission timeout. +This means that if a packet / ACK were dropped, the QP +will not retransmit this packet. + +This can lead to an application hang. + +Fixes: cecbcddf6 ("qedr: Add support for QP verbs") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1903,18 +1903,23 @@ int qedr_modify_qp(struct ib_qp *ibqp, s + SET_FIELD(qp_params.modify_flags, + QED_ROCE_MODIFY_QP_VALID_ACK_TIMEOUT, 1); + +- qp_params.ack_timeout = attr->timeout; +- if (attr->timeout) { +- u32 temp; +- +- temp = 4096 * (1UL << attr->timeout) / 1000 / 1000; +- /* FW requires [msec] */ +- qp_params.ack_timeout = temp; +- } else { +- /* Infinite */ ++ /* The received timeout value is an exponent used like this: ++ * "12.7.34 LOCAL ACK TIMEOUT ++ * Value representing the transport (ACK) timeout for use by ++ * the remote, expressed as: 4.096 * 2^timeout [usec]" ++ * The FW expects timeout in msec so we need to divide the usec ++ * result by 1000. We'll approximate 1000~2^10, and 4.096 ~ 2^2, ++ * so we get: 2^2 * 2^timeout / 2^10 = 2^(timeout - 8). ++ * The value of zero means infinite so we use a 'max_t' to make ++ * sure that sub 1 msec values will be configured as 1 msec. ++ */ ++ if (attr->timeout) ++ qp_params.ack_timeout = ++ 1 << max_t(int, attr->timeout - 8, 0); ++ else + qp_params.ack_timeout = 0; +- } + } ++ + if (attr_mask & IB_QP_RETRY_CNT) { + SET_FIELD(qp_params.modify_flags, + QED_ROCE_MODIFY_QP_VALID_RETRY_CNT, 1); diff --git a/queue-4.14/rdma-qedr-fix-qp-state-initialization-race.patch b/queue-4.14/rdma-qedr-fix-qp-state-initialization-race.patch new file mode 100644 index 00000000000..f6a8308f2f5 --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-qp-state-initialization-race.patch @@ -0,0 +1,80 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kalderon, Michal" +Date: Wed, 21 Mar 2018 14:51:52 +0200 +Subject: RDMA/qedr: Fix QP state initialization race + +From: "Kalderon, Michal" + +[ Upstream commit caf61b1b8b88ccf1451f7321a176393797e8d292 ] + +Once the FW is transitioned to error, FLUSH cqes can be received. +We want the driver to be aware of the fact that QP is already in error. + +Without this fix, a user may see false error messages in the dmesg log, +mentioning that a FLUSH cqe was received while QP is not in error state. + +Fixes: cecbcddf ("qedr: Add support for QP verbs") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/verbs.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/qedr/verbs.c ++++ b/drivers/infiniband/hw/qedr/verbs.c +@@ -1663,14 +1663,15 @@ static void qedr_reset_qp_hwq_info(struc + + static int qedr_update_qp_state(struct qedr_dev *dev, + struct qedr_qp *qp, ++ enum qed_roce_qp_state cur_state, + enum qed_roce_qp_state new_state) + { + int status = 0; + +- if (new_state == qp->state) ++ if (new_state == cur_state) + return 0; + +- switch (qp->state) { ++ switch (cur_state) { + case QED_ROCE_QP_STATE_RESET: + switch (new_state) { + case QED_ROCE_QP_STATE_INIT: +@@ -1774,6 +1775,7 @@ int qedr_modify_qp(struct ib_qp *ibqp, s + struct qedr_dev *dev = get_qedr_dev(&qp->dev->ibdev); + const struct ib_global_route *grh = rdma_ah_read_grh(&attr->ah_attr); + enum ib_qp_state old_qp_state, new_qp_state; ++ enum qed_roce_qp_state cur_state; + int rc = 0; + + DP_DEBUG(dev, QEDR_MSG_QP, +@@ -1992,13 +1994,25 @@ int qedr_modify_qp(struct ib_qp *ibqp, s + qp->dest_qp_num = attr->dest_qp_num; + } + ++ cur_state = qp->state; ++ ++ /* Update the QP state before the actual ramrod to prevent a race with ++ * fast path. Modifying the QP state to error will cause the device to ++ * flush the CQEs and while polling the flushed CQEs will considered as ++ * a potential issue if the QP isn't in error state. ++ */ ++ if ((attr_mask & IB_QP_STATE) && qp->qp_type != IB_QPT_GSI && ++ !udata && qp_params.new_state == QED_ROCE_QP_STATE_ERR) ++ qp->state = QED_ROCE_QP_STATE_ERR; ++ + if (qp->qp_type != IB_QPT_GSI) + rc = dev->ops->rdma_modify_qp(dev->rdma_ctx, + qp->qed_qp, &qp_params); + + if (attr_mask & IB_QP_STATE) { + if ((qp->qp_type != IB_QPT_GSI) && (!udata)) +- rc = qedr_update_qp_state(dev, qp, qp_params.new_state); ++ rc = qedr_update_qp_state(dev, qp, cur_state, ++ qp_params.new_state); + qp->state = qp_params.new_state; + } + diff --git a/queue-4.14/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch b/queue-4.14/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch new file mode 100644 index 00000000000..91f0515677e --- /dev/null +++ b/queue-4.14/rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Kalderon, Michal" +Date: Wed, 21 Mar 2018 14:51:51 +0200 +Subject: RDMA/qedr: Fix rc initialization on CNQ allocation failure + +From: "Kalderon, Michal" + +[ Upstream commit b15606f47b89b0b09936d7f45b59ba6275527041 ] + +Return code wasn't set properly when CNQ allocation failed. +This only affect error message logging, currently user will +receive an error message that says the qedr driver load failed +with rc '0', instead of ENOMEM + +Fixes: ec72fce4 ("qedr: Add support for RoCE HW init") +Signed-off-by: Michal Kalderon +Signed-off-by: Ariel Elior +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/qedr/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/qedr/main.c ++++ b/drivers/infiniband/hw/qedr/main.c +@@ -782,7 +782,8 @@ static struct qedr_dev *qedr_add(struct + + dev->num_cnq = dev->ops->rdma_get_min_cnq_msix(cdev); + if (!dev->num_cnq) { +- DP_ERR(dev, "not enough CNQ resources.\n"); ++ DP_ERR(dev, "Failed. At least one CNQ is required.\n"); ++ rc = -ENOMEM; + goto init_err; + } + diff --git a/queue-4.14/rdma-ucma-correct-option-size-check-using-optlen.patch b/queue-4.14/rdma-ucma-correct-option-size-check-using-optlen.patch new file mode 100644 index 00000000000..71bcc4bd9ca --- /dev/null +++ b/queue-4.14/rdma-ucma-correct-option-size-check-using-optlen.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Chien Tin Tung +Date: Wed, 21 Mar 2018 13:09:25 -0500 +Subject: RDMA/ucma: Correct option size check using optlen + +From: Chien Tin Tung + +[ Upstream commit 5f3e3b85cc0a5eae1c46d72e47d3de7bf208d9e2 ] + +The option size check is using optval instead of optlen +causing the set option call to fail. Use the correct +field, optlen, for size check. + +Fixes: 6a21dfc0d0db ("RDMA/ucma: Limit possible option size") +Signed-off-by: Chien Tin Tung +Signed-off-by: Shiraz Saleem +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -1315,7 +1315,7 @@ static ssize_t ucma_set_option(struct uc + if (IS_ERR(ctx)) + return PTR_ERR(ctx); + +- if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) ++ if (unlikely(cmd.optlen > KMALLOC_MAX_SIZE)) + return -EINVAL; + + optval = memdup_user((void __user *) (unsigned long) cmd.optval, diff --git a/queue-4.14/rds-incorrect-reference-counting-in-tcp-socket-creation.patch b/queue-4.14/rds-incorrect-reference-counting-in-tcp-socket-creation.patch new file mode 100644 index 00000000000..0ed7a1b3e5a --- /dev/null +++ b/queue-4.14/rds-incorrect-reference-counting-in-tcp-socket-creation.patch @@ -0,0 +1,63 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ka-Cheong Poon +Date: Thu, 1 Mar 2018 21:07:18 -0800 +Subject: rds: Incorrect reference counting in TCP socket creation + +From: Ka-Cheong Poon + +[ Upstream commit 84eef2b2187ed73c0e4520cbfeb874e964a0b56a ] + +Commit 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the +accept socket") has a reference counting issue in TCP socket creation +when accepting a new connection. The code uses sock_create_lite() to +create a kernel socket. But it does not do __module_get() on the +socket owner. When the connection is shutdown and sock_release() is +called to free the socket, the owner's reference count is decremented +and becomes incorrect. Note that this bug only shows up when the socket +owner is configured as a kernel module. + +v2: Update comments + +Fixes: 0933a578cd55 ("rds: tcp: use sock_create_lite() to create the accept socket") +Signed-off-by: Ka-Cheong Poon +Acked-by: Santosh Shilimkar +Acked-by: Sowmini Varadhan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/tcp_listen.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/net/rds/tcp_listen.c ++++ b/net/rds/tcp_listen.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2006 Oracle. All rights reserved. ++ * Copyright (c) 2006, 2018 Oracle. All rights reserved. + * + * This software is available to you under a choice of one of two + * licenses. You may choose to be licensed under the terms of the GNU +@@ -142,12 +142,20 @@ int rds_tcp_accept_one(struct socket *so + if (ret) + goto out; + +- new_sock->type = sock->type; +- new_sock->ops = sock->ops; + ret = sock->ops->accept(sock, new_sock, O_NONBLOCK, true); + if (ret < 0) + goto out; + ++ /* sock_create_lite() does not get a hold on the owner module so we ++ * need to do it here. Note that sock_release() uses sock->ops to ++ * determine if it needs to decrement the reference count. So set ++ * sock->ops after calling accept() in case that fails. And there's ++ * no need to do try_module_get() as the listener should have a hold ++ * already. ++ */ ++ new_sock->ops = sock->ops; ++ __module_get(new_sock->ops->owner); ++ + ret = rds_tcp_keepalive(new_sock); + if (ret < 0) + goto out; diff --git a/queue-4.14/regmap-correct-comparison-in-regmap_cached.patch b/queue-4.14/regmap-correct-comparison-in-regmap_cached.patch new file mode 100644 index 00000000000..ade1ae3b090 --- /dev/null +++ b/queue-4.14/regmap-correct-comparison-in-regmap_cached.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Charles Keepax +Date: Mon, 12 Feb 2018 18:15:44 +0000 +Subject: regmap: Correct comparison in regmap_cached + +From: Charles Keepax + +[ Upstream commit 71df179363a5a733a8932e9afb869760d7559383 ] + +The cache pointer points to the actual memory used by the cache, as the +comparison here is looking for the type of the cache it should check +against cache_type. + +Fixes: 1ea975cf1ef5 ("regmap: Add a function to check if a regmap register is cached") +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -98,7 +98,7 @@ bool regmap_cached(struct regmap *map, u + int ret; + unsigned int val; + +- if (map->cache == REGCACHE_NONE) ++ if (map->cache_type == REGCACHE_NONE) + return false; + + if (!map->cache_ops) diff --git a/queue-4.14/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch b/queue-4.14/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch new file mode 100644 index 00000000000..54c5ca29c18 --- /dev/null +++ b/queue-4.14/regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 21:33:11 +0100 +Subject: regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' + +From: Christophe Jaillet + +[ Upstream commit ed8cffda27dea6fd3dafb3ee881c5a786edac9ca ] + +Re-order error handling code and gotos to avoid leaks in error handling +paths. + +Fixes: 9f946099fe19 ("regulator: gpio: fix parsing of gpio list") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/gpio-regulator.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/regulator/gpio-regulator.c ++++ b/drivers/regulator/gpio-regulator.c +@@ -271,8 +271,7 @@ static int gpio_regulator_probe(struct p + drvdata->desc.name = kstrdup(config->supply_name, GFP_KERNEL); + if (drvdata->desc.name == NULL) { + dev_err(&pdev->dev, "Failed to allocate supply name\n"); +- ret = -ENOMEM; +- goto err; ++ return -ENOMEM; + } + + if (config->nr_gpios != 0) { +@@ -292,7 +291,7 @@ static int gpio_regulator_probe(struct p + dev_err(&pdev->dev, + "Could not obtain regulator setting GPIOs: %d\n", + ret); +- goto err_memstate; ++ goto err_memgpio; + } + } + +@@ -303,7 +302,7 @@ static int gpio_regulator_probe(struct p + if (drvdata->states == NULL) { + dev_err(&pdev->dev, "Failed to allocate state data\n"); + ret = -ENOMEM; +- goto err_memgpio; ++ goto err_stategpio; + } + drvdata->nr_states = config->nr_states; + +@@ -324,7 +323,7 @@ static int gpio_regulator_probe(struct p + default: + dev_err(&pdev->dev, "No regulator type set\n"); + ret = -EINVAL; +- goto err_memgpio; ++ goto err_memstate; + } + + /* build initial state from gpio init data. */ +@@ -361,22 +360,21 @@ static int gpio_regulator_probe(struct p + if (IS_ERR(drvdata->dev)) { + ret = PTR_ERR(drvdata->dev); + dev_err(&pdev->dev, "Failed to register regulator: %d\n", ret); +- goto err_stategpio; ++ goto err_memstate; + } + + platform_set_drvdata(pdev, drvdata); + + return 0; + +-err_stategpio: +- gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memstate: + kfree(drvdata->states); ++err_stategpio: ++ gpio_free_array(drvdata->gpios, drvdata->nr_gpios); + err_memgpio: + kfree(drvdata->gpios); + err_name: + kfree(drvdata->desc.name); +-err: + return ret; + } + diff --git a/queue-4.14/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch b/queue-4.14/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch new file mode 100644 index 00000000000..517f5a9eb05 --- /dev/null +++ b/queue-4.14/regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch @@ -0,0 +1,30 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe JAILLET +Date: Fri, 26 Jan 2018 23:13:44 +0100 +Subject: regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' + +From: Christophe JAILLET + +[ Upstream commit 30966861a7a2051457be8c49466887d78cc47e97 ] + +If an unlikely failure in 'of_get_regulator_init_data()' occurs, we must +release the reference on the current 'child' node before returning. + +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/of_regulator.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -305,6 +305,7 @@ int of_regulator_match(struct device *de + dev_err(dev, + "failed to parse DT for regulator %s\n", + child->name); ++ of_node_put(child); + return -EINVAL; + } + match->of_node = of_node_get(child); diff --git a/queue-4.14/regulatory-add-nul-to-request-alpha2.patch b/queue-4.14/regulatory-add-nul-to-request-alpha2.patch new file mode 100644 index 00000000000..affb43a25d9 --- /dev/null +++ b/queue-4.14/regulatory-add-nul-to-request-alpha2.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Johannes Berg +Date: Thu, 22 Feb 2018 20:55:28 +0100 +Subject: regulatory: add NUL to request alpha2 + +From: Johannes Berg + +[ Upstream commit 657308f73e674e86b60509a430a46e569bf02846 ] + +Similar to the ancient commit a5fe8e7695dc ("regulatory: add NUL +to alpha2"), add another byte to alpha2 in the request struct so +that when we use nla_put_string(), we don't overrun anything. + +Fixes: 73d54c9e74c4 ("cfg80211: add regulatory netlink multicast group") +Reported-by: Kees Cook +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/regulatory.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/regulatory.h ++++ b/include/net/regulatory.h +@@ -78,7 +78,7 @@ struct regulatory_request { + int wiphy_idx; + enum nl80211_reg_initiator initiator; + enum nl80211_user_reg_hint_type user_reg_hint_type; +- char alpha2[2]; ++ char alpha2[3]; + enum nl80211_dfs_regions dfs_region; + bool intersect; + bool processed; diff --git a/queue-4.14/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch b/queue-4.14/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch new file mode 100644 index 00000000000..e0cc2d0ddd6 --- /dev/null +++ b/queue-4.14/remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe JAILLET +Date: Wed, 14 Mar 2018 20:56:37 +0100 +Subject: remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()' + +From: Christophe JAILLET + +[ Upstream commit de6f83f85be94e0b7d0d324c29ccc9d78a6bb4e7 ] + +If 'of_device_get_match_data()' fails, we must undo the previous +'rproc_alloc()' call. + +Fixes: a0ff4aa6f010 ("remoteproc: imx_rproc: add a NXP/Freescale imx_rproc driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/imx_rproc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/remoteproc/imx_rproc.c ++++ b/drivers/remoteproc/imx_rproc.c +@@ -339,8 +339,10 @@ static int imx_rproc_probe(struct platfo + } + + dcfg = of_device_get_match_data(dev); +- if (!dcfg) +- return -EINVAL; ++ if (!dcfg) { ++ ret = -EINVAL; ++ goto err_put_rproc; ++ } + + priv = rproc->priv; + priv->rproc = rproc; diff --git a/queue-4.14/rsi-fix-kernel-panic-observed-on-64bit-machine.patch b/queue-4.14/rsi-fix-kernel-panic-observed-on-64bit-machine.patch new file mode 100644 index 00000000000..749ec0bf103 --- /dev/null +++ b/queue-4.14/rsi-fix-kernel-panic-observed-on-64bit-machine.patch @@ -0,0 +1,154 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Amitkumar Karwar +Date: Tue, 20 Mar 2018 19:10:41 +0530 +Subject: rsi: fix kernel panic observed on 64bit machine + +From: Amitkumar Karwar + +[ Upstream commit 864db4d5085349fcfa1f260b5bcd2adde3d7f2ed ] + +Following kernel panic is observed on 64bit machine while loading +the driver. It is fixed if we pass dynamically allocated memory to +SDIO for DMA. + +BUG: unable to handle kernel paging request at ffffeb04000172e0 +IP: sg_miter_stop+0x56/0x70 +PGD 0 P4D 0 +Oops: 0000 [#1] SMP PTI +Modules linked in: rsi_sdio(OE+) rsi_91x(OE) btrsi(OE) rfcomm bluetooth +ecdh_generic mac80211 mmc_block fuse xt_CHECKSUM iptable_mangle +drm_kms_helper mmc_core serio_raw drm firewire_ohci tg3 +CPU: 0 PID: 4003 Comm: insmod Tainted: G OE 4.16.0-rc1+ #27 +Hardware name: Dell Inc. Latitude E5500 /0DW634, BIOS +A19 06/13/2013 +RIP: 0010:sg_miter_stop+0x56/0x70 +RSP: 0018:ffff88007d003e78 EFLAGS: 00010002 +RAX: 0000000000000003 RBX: 0000000000000004 RCX: 0000000000000000 +RDX: ffffeb04000172c0 RSI: ffff88002f58002c RDI: ffff88007d003e80 +RBP: 0000000000000004 R08: ffff88007d003e80 R09: 0000000000000008 +R10: 0000000000000003 R11: 0000000000000001 R12: 0000000000000004 +R13: ffff88002f580028 R14: 0000000000000000 R15: 0000000000000004 +FS: 00007f35c29db700(0000) GS:ffff88007d000000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffeb04000172e0 CR3: 000000007038e000 CR4: 00000000000406f0 +Call Trace: + +sg_copy_buffer+0xc6/0xf0 +sdhci_tasklet_finish+0x170/0x260 [sdhci] +tasklet_action+0xf4/0x100 +__do_softirq+0xef/0x26e +irq_exit+0xbe/0xd0 +do_IRQ+0x4a/0xc0 +common_interrupt+0xa2/0xa2 + + +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +++++++++++++++++++++----------- + drivers/net/wireless/rsi/rsi_sdio.h | 2 ++ + 2 files changed, 23 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -636,11 +636,14 @@ static int rsi_sdio_master_reg_read(stru + u32 *read_buf, u16 size) + { + u32 addr_on_bus, *data; +- u32 align[2] = {}; + u16 ms_addr; + int status; + +- data = PTR_ALIGN(&align[0], 8); ++ data = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data) ++ return -ENOMEM; ++ ++ data = PTR_ALIGN(data, 8); + + ms_addr = (addr >> 16); + status = rsi_sdio_master_access_msword(adapter, ms_addr); +@@ -648,7 +651,7 @@ static int rsi_sdio_master_reg_read(stru + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); +- return status; ++ goto err; + } + addr &= 0xFFFF; + +@@ -666,7 +669,7 @@ static int rsi_sdio_master_reg_read(stru + (u8 *)data, 4); + if (status < 0) { + rsi_dbg(ERR_ZONE, "%s: AHB register read failed\n", __func__); +- return status; ++ goto err; + } + if (size == 2) { + if ((addr & 0x3) == 0) +@@ -688,17 +691,23 @@ static int rsi_sdio_master_reg_read(stru + *read_buf = *data; + } + +- return 0; ++err: ++ kfree(data); ++ return status; + } + + static int rsi_sdio_master_reg_write(struct rsi_hw *adapter, + unsigned long addr, + unsigned long data, u16 size) + { +- unsigned long data1[2], *data_aligned; ++ unsigned long *data_aligned; + int status; + +- data_aligned = PTR_ALIGN(&data1[0], 8); ++ data_aligned = kzalloc(RSI_MASTER_REG_BUF_SIZE, GFP_KERNEL); ++ if (!data_aligned) ++ return -ENOMEM; ++ ++ data_aligned = PTR_ALIGN(data_aligned, 8); + + if (size == 2) { + *data_aligned = ((data << 16) | (data & 0xFFFF)); +@@ -717,6 +726,7 @@ static int rsi_sdio_master_reg_write(str + rsi_dbg(ERR_ZONE, + "%s: Unable to set ms word to common reg\n", + __func__); ++ kfree(data_aligned); + return -EIO; + } + addr = addr & 0xFFFF; +@@ -726,12 +736,12 @@ static int rsi_sdio_master_reg_write(str + (adapter, + (addr | RSI_SD_REQUEST_MASTER), + (u8 *)data_aligned, size); +- if (status < 0) { ++ if (status < 0) + rsi_dbg(ERR_ZONE, + "%s: Unable to do AHB reg write\n", __func__); +- return status; +- } +- return 0; ++ ++ kfree(data_aligned); ++ return status; + } + + /** +--- a/drivers/net/wireless/rsi/rsi_sdio.h ++++ b/drivers/net/wireless/rsi/rsi_sdio.h +@@ -46,6 +46,8 @@ enum sdio_interrupt_type { + #define PKT_BUFF_AVAILABLE 1 + #define FW_ASSERT_IND 2 + ++#define RSI_MASTER_REG_BUF_SIZE 12 ++ + #define RSI_DEVICE_BUFFER_STATUS_REGISTER 0xf3 + #define RSI_FN1_INT_REGISTER 0xf9 + #define RSI_SD_REQUEST_MASTER 0x10000 diff --git a/queue-4.14/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch b/queue-4.14/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch new file mode 100644 index 00000000000..986937f4063 --- /dev/null +++ b/queue-4.14/rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch @@ -0,0 +1,59 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:44 +0100 +Subject: rxrpc: Don't treat call aborts as conn aborts + +From: David Howells + +[ Upstream commit 57b0c9d49b94bbeb53649b7fbd264603c1ebd585 ] + +If a call-level abort is received for the previous call to complete on a +connection channel, then that abort is queued for the connection processor +to handle. Unfortunately, the connection processor then assumes without +checking that the abort is connection-level (ie. callNumber is 0) and +distributes it over all active calls on that connection, thereby +incorrectly aborting them. + +Fix this by discarding aborts aimed at a completed call. + +Further, discard all packets aimed at a call that's complete if there's +currently an active call on a channel, since the DATA packets associated +with the new call automatically terminate the old call. + +Fixes: 18bfeba50dfd ("rxrpc: Perform terminal call ACK/ABORT retransmission from conn processor") +Reported-by: Marc Dionne +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/input.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/net/rxrpc/input.c ++++ b/net/rxrpc/input.c +@@ -1175,16 +1175,19 @@ void rxrpc_data_ready(struct sock *udp_s + goto discard_unlock; + + if (sp->hdr.callNumber == chan->last_call) { +- /* For the previous service call, if completed successfully, we +- * discard all further packets. ++ if (chan->call || ++ sp->hdr.type == RXRPC_PACKET_TYPE_ABORT) ++ goto discard_unlock; ++ ++ /* For the previous service call, if completed ++ * successfully, we discard all further packets. + */ + if (rxrpc_conn_is_service(conn) && +- (chan->last_type == RXRPC_PACKET_TYPE_ACK || +- sp->hdr.type == RXRPC_PACKET_TYPE_ABORT)) ++ chan->last_type == RXRPC_PACKET_TYPE_ACK) + goto discard_unlock; + +- /* But otherwise we need to retransmit the final packet from +- * data cached in the connection record. ++ /* But otherwise we need to retransmit the final packet ++ * from data cached in the connection record. + */ + rxrpc_post_packet_to_conn(conn, skb); + goto out_unlock; diff --git a/queue-4.14/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch b/queue-4.14/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch new file mode 100644 index 00000000000..69e0c3c5ca9 --- /dev/null +++ b/queue-4.14/rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Howells +Date: Fri, 30 Mar 2018 21:04:43 +0100 +Subject: rxrpc: Fix Tx ring annotation after initial Tx failure + +From: David Howells + +[ Upstream commit 03877bf6a30cca7d4bc3ffabd3c3e9464a7a1a19 ] + +rxrpc calls have a ring of packets that are awaiting ACK or retransmission +and a parallel ring of annotations that tracks the state of those packets. +If the initial transmission of a packet on the underlying UDP socket fails +then the packet annotation is marked for resend - but the setting of this +mark accidentally erases the last-packet mark also stored in the same +annotation slot. If this happens, a call won't switch out of the Tx phase +when all the packets have been transmitted. + +Fix this by retaining the last-packet mark and only altering the packet +state. + +Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code") +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/sendmsg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/rxrpc/sendmsg.c ++++ b/net/rxrpc/sendmsg.c +@@ -92,7 +92,9 @@ static inline void rxrpc_instant_resend( + spin_lock_bh(&call->lock); + + if (call->state < RXRPC_CALL_COMPLETE) { +- call->rxtx_annotations[ix] = RXRPC_TX_ANNO_RETRANS; ++ call->rxtx_annotations[ix] = ++ (call->rxtx_annotations[ix] & RXRPC_TX_ANNO_LAST) | ++ RXRPC_TX_ANNO_RETRANS; + if (!test_and_set_bit(RXRPC_CALL_EV_RESEND, &call->events)) + rxrpc_queue_call(call); + } diff --git a/queue-4.14/rxrpc-work-around-usercopy-check.patch b/queue-4.14/rxrpc-work-around-usercopy-check.patch new file mode 100644 index 00000000000..703bbc11ae9 --- /dev/null +++ b/queue-4.14/rxrpc-work-around-usercopy-check.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: David Howells +Date: Thu, 15 Feb 2018 22:59:00 +0000 +Subject: rxrpc: Work around usercopy check + +From: David Howells + +[ Upstream commit a16b8d0cf2ec1e626d24bc2a7b9e64ace6f7501d ] + +Due to a check recently added to copy_to_user(), it's now not permitted to +copy from slab-held data to userspace unless the slab is whitelisted. This +affects rxrpc_recvmsg() when it attempts to place an RXRPC_USER_CALL_ID +control message in the userspace control message buffer. A warning is +generated by usercopy_warn() because the source is the copy of the +user_call_ID retained in the rxrpc_call struct. + +Work around the issue by copying the user_call_ID to a variable on the +stack and passing that to put_cmsg(). + +The warning generated looks like: + + Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'dmaengine-unmap-128' (offset 680, size 8)! + WARNING: CPU: 0 PID: 1401 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0 + ... + RIP: 0010:usercopy_warn+0x7e/0xa0 + ... + Call Trace: + __check_object_size+0x9c/0x1a0 + put_cmsg+0x98/0x120 + rxrpc_recvmsg+0x6fc/0x1010 [rxrpc] + ? finish_wait+0x80/0x80 + ___sys_recvmsg+0xf8/0x240 + ? __clear_rsb+0x25/0x3d + ? __clear_rsb+0x15/0x3d + ? __clear_rsb+0x25/0x3d + ? __clear_rsb+0x15/0x3d + ? __clear_rsb+0x25/0x3d + ? __clear_rsb+0x15/0x3d + ? __clear_rsb+0x25/0x3d + ? __clear_rsb+0x15/0x3d + ? finish_task_switch+0xa6/0x2b0 + ? trace_hardirqs_on_caller+0xed/0x180 + ? _raw_spin_unlock_irq+0x29/0x40 + ? __sys_recvmsg+0x4e/0x90 + __sys_recvmsg+0x4e/0x90 + do_syscall_64+0x7a/0x220 + entry_SYSCALL_64_after_hwframe+0x26/0x9b + +Reported-by: Jonathan Billings +Signed-off-by: David Howells +Acked-by: Kees Cook +Tested-by: Jonathan Billings +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rxrpc/recvmsg.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/rxrpc/recvmsg.c ++++ b/net/rxrpc/recvmsg.c +@@ -513,9 +513,10 @@ try_again: + ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, + sizeof(unsigned int), &id32); + } else { ++ unsigned long idl = call->user_call_ID; ++ + ret = put_cmsg(msg, SOL_RXRPC, RXRPC_USER_CALL_ID, +- sizeof(unsigned long), +- &call->user_call_ID); ++ sizeof(unsigned long), &idl); + } + if (ret < 0) + goto error_unlock_call; diff --git a/queue-4.14/s390-cio-clear-timer-when-terminating-driver-i-o.patch b/queue-4.14/s390-cio-clear-timer-when-terminating-driver-i-o.patch new file mode 100644 index 00000000000..45f7269559b --- /dev/null +++ b/queue-4.14/s390-cio-clear-timer-when-terminating-driver-i-o.patch @@ -0,0 +1,31 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Ott +Date: Mon, 12 Feb 2018 12:01:03 +0100 +Subject: s390/cio: clear timer when terminating driver I/O + +From: Sebastian Ott + +[ Upstream commit 410d5e13e7638bc146321671e223d56495fbf3c7 ] + +When we terminate driver I/O (because we need to stop using a certain +channel path) we also need to ensure that a timer (which may have been +set up using ccw_device_start_timeout) is cleared. + +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/device_fsm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/cio/device_fsm.c ++++ b/drivers/s390/cio/device_fsm.c +@@ -897,6 +897,7 @@ void ccw_device_kill_io(struct ccw_devic + { + int ret; + ++ ccw_device_set_timeout(cdev, 0); + cdev->private->iretry = 255; + cdev->private->async_kill_io_rc = -EIO; + ret = ccw_device_cancel_halt_clear(cdev); diff --git a/queue-4.14/s390-cio-fix-ccw_device_start_timeout-api.patch b/queue-4.14/s390-cio-fix-ccw_device_start_timeout-api.patch new file mode 100644 index 00000000000..6ef1ec4cd33 --- /dev/null +++ b/queue-4.14/s390-cio-fix-ccw_device_start_timeout-api.patch @@ -0,0 +1,198 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Ott +Date: Tue, 6 Feb 2018 14:59:43 +0100 +Subject: s390/cio: fix ccw_device_start_timeout API + +From: Sebastian Ott + +[ Upstream commit f97a6b6c47d2f329a24f92cc0ca3c6df5727ba73 ] + +There are cases a device driver can't start IO because the device is +currently in use by cio. In this case the device driver is notified +when the device is usable again. + +Using ccw_device_start_timeout we would set the timeout (and change +an existing timeout) before we test for internal usage. Worst case +this could lead to an unexpected timer deletion. + +Fix this by setting the timeout after we test for internal usage. + +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/device_ops.c | 72 ++++++++++++++++++------------------------ + 1 file changed, 32 insertions(+), 40 deletions(-) + +--- a/drivers/s390/cio/device_ops.c ++++ b/drivers/s390/cio/device_ops.c +@@ -160,7 +160,7 @@ int ccw_device_clear(struct ccw_device * + } + + /** +- * ccw_device_start_key() - start a s390 channel program with key ++ * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key + * @cdev: target ccw device + * @cpa: logical start address of channel program + * @intparm: user specific interruption parameter; will be presented back to +@@ -171,10 +171,15 @@ int ccw_device_clear(struct ccw_device * + * @key: storage key to be used for the I/O + * @flags: additional flags; defines the action to be performed for I/O + * processing. ++ * @expires: timeout value in jiffies + * + * Start a S/390 channel program. When the interrupt arrives, the + * IRQ handler is called, either immediately, delayed (dev-end missing, + * or sense required) or never (no IRQ handler registered). ++ * This function notifies the device driver if the channel program has not ++ * completed during the time specified by @expires. If a timeout occurs, the ++ * channel program is terminated via xsch, hsch or csch, and the device's ++ * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT). + * Returns: + * %0, if the operation was successful; + * -%EBUSY, if the device is busy, or status pending; +@@ -183,9 +188,9 @@ int ccw_device_clear(struct ccw_device * + * Context: + * Interrupts disabled, ccw device lock held + */ +-int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa, +- unsigned long intparm, __u8 lpm, __u8 key, +- unsigned long flags) ++int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa, ++ unsigned long intparm, __u8 lpm, __u8 key, ++ unsigned long flags, int expires) + { + struct subchannel *sch; + int ret; +@@ -225,6 +230,8 @@ int ccw_device_start_key(struct ccw_devi + switch (ret) { + case 0: + cdev->private->intparm = intparm; ++ if (expires) ++ ccw_device_set_timeout(cdev, expires); + break; + case -EACCES: + case -ENODEV: +@@ -235,7 +242,7 @@ int ccw_device_start_key(struct ccw_devi + } + + /** +- * ccw_device_start_timeout_key() - start a s390 channel program with timeout and key ++ * ccw_device_start_key() - start a s390 channel program with key + * @cdev: target ccw device + * @cpa: logical start address of channel program + * @intparm: user specific interruption parameter; will be presented back to +@@ -246,15 +253,10 @@ int ccw_device_start_key(struct ccw_devi + * @key: storage key to be used for the I/O + * @flags: additional flags; defines the action to be performed for I/O + * processing. +- * @expires: timeout value in jiffies + * + * Start a S/390 channel program. When the interrupt arrives, the + * IRQ handler is called, either immediately, delayed (dev-end missing, + * or sense required) or never (no IRQ handler registered). +- * This function notifies the device driver if the channel program has not +- * completed during the time specified by @expires. If a timeout occurs, the +- * channel program is terminated via xsch, hsch or csch, and the device's +- * interrupt handler will be called with an irb containing ERR_PTR(-%ETIMEDOUT). + * Returns: + * %0, if the operation was successful; + * -%EBUSY, if the device is busy, or status pending; +@@ -263,19 +265,12 @@ int ccw_device_start_key(struct ccw_devi + * Context: + * Interrupts disabled, ccw device lock held + */ +-int ccw_device_start_timeout_key(struct ccw_device *cdev, struct ccw1 *cpa, +- unsigned long intparm, __u8 lpm, __u8 key, +- unsigned long flags, int expires) ++int ccw_device_start_key(struct ccw_device *cdev, struct ccw1 *cpa, ++ unsigned long intparm, __u8 lpm, __u8 key, ++ unsigned long flags) + { +- int ret; +- +- if (!cdev) +- return -ENODEV; +- ccw_device_set_timeout(cdev, expires); +- ret = ccw_device_start_key(cdev, cpa, intparm, lpm, key, flags); +- if (ret != 0) +- ccw_device_set_timeout(cdev, 0); +- return ret; ++ return ccw_device_start_timeout_key(cdev, cpa, intparm, lpm, key, ++ flags, 0); + } + + /** +@@ -490,18 +485,20 @@ void ccw_device_get_id(struct ccw_device + EXPORT_SYMBOL(ccw_device_get_id); + + /** +- * ccw_device_tm_start_key() - perform start function ++ * ccw_device_tm_start_timeout_key() - perform start function + * @cdev: ccw device on which to perform the start function + * @tcw: transport-command word to be started + * @intparm: user defined parameter to be passed to the interrupt handler + * @lpm: mask of paths to use + * @key: storage key to use for storage access ++ * @expires: time span in jiffies after which to abort request + * + * Start the tcw on the given ccw device. Return zero on success, non-zero + * otherwise. + */ +-int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw, +- unsigned long intparm, u8 lpm, u8 key) ++int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw, ++ unsigned long intparm, u8 lpm, u8 key, ++ int expires) + { + struct subchannel *sch; + int rc; +@@ -528,37 +525,32 @@ int ccw_device_tm_start_key(struct ccw_d + return -EACCES; + } + rc = cio_tm_start_key(sch, tcw, lpm, key); +- if (rc == 0) ++ if (rc == 0) { + cdev->private->intparm = intparm; ++ if (expires) ++ ccw_device_set_timeout(cdev, expires); ++ } + return rc; + } +-EXPORT_SYMBOL(ccw_device_tm_start_key); ++EXPORT_SYMBOL(ccw_device_tm_start_timeout_key); + + /** +- * ccw_device_tm_start_timeout_key() - perform start function ++ * ccw_device_tm_start_key() - perform start function + * @cdev: ccw device on which to perform the start function + * @tcw: transport-command word to be started + * @intparm: user defined parameter to be passed to the interrupt handler + * @lpm: mask of paths to use + * @key: storage key to use for storage access +- * @expires: time span in jiffies after which to abort request + * + * Start the tcw on the given ccw device. Return zero on success, non-zero + * otherwise. + */ +-int ccw_device_tm_start_timeout_key(struct ccw_device *cdev, struct tcw *tcw, +- unsigned long intparm, u8 lpm, u8 key, +- int expires) ++int ccw_device_tm_start_key(struct ccw_device *cdev, struct tcw *tcw, ++ unsigned long intparm, u8 lpm, u8 key) + { +- int ret; +- +- ccw_device_set_timeout(cdev, expires); +- ret = ccw_device_tm_start_key(cdev, tcw, intparm, lpm, key); +- if (ret != 0) +- ccw_device_set_timeout(cdev, 0); +- return ret; ++ return ccw_device_tm_start_timeout_key(cdev, tcw, intparm, lpm, key, 0); + } +-EXPORT_SYMBOL(ccw_device_tm_start_timeout_key); ++EXPORT_SYMBOL(ccw_device_tm_start_key); + + /** + * ccw_device_tm_start() - perform start function diff --git a/queue-4.14/s390-cio-fix-return-code-after-missing-interrupt.patch b/queue-4.14/s390-cio-fix-return-code-after-missing-interrupt.patch new file mode 100644 index 00000000000..cacd86eb876 --- /dev/null +++ b/queue-4.14/s390-cio-fix-return-code-after-missing-interrupt.patch @@ -0,0 +1,71 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sebastian Ott +Date: Wed, 7 Feb 2018 13:18:19 +0100 +Subject: s390/cio: fix return code after missing interrupt + +From: Sebastian Ott + +[ Upstream commit 770b55c995d171f026a9efb85e71e3b1ea47b93d ] + +When a timeout occurs for users of ccw_device_start_timeout +we will stop the IO and call the drivers int handler with +the irb pointer set to ERR_PTR(-ETIMEDOUT). Sometimes +however we'd set the irb pointer to ERR_PTR(-EIO) which is +not intended. Just set the correct value in all codepaths. + +Reported-by: Julian Wiedmann +Signed-off-by: Sebastian Ott +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/device_fsm.c | 6 ++++-- + drivers/s390/cio/io_sch.h | 1 + + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/s390/cio/device_fsm.c ++++ b/drivers/s390/cio/device_fsm.c +@@ -796,6 +796,7 @@ ccw_device_online_timeout(struct ccw_dev + + ccw_device_set_timeout(cdev, 0); + cdev->private->iretry = 255; ++ cdev->private->async_kill_io_rc = -ETIMEDOUT; + ret = ccw_device_cancel_halt_clear(cdev); + if (ret == -EBUSY) { + ccw_device_set_timeout(cdev, 3*HZ); +@@ -872,7 +873,7 @@ ccw_device_killing_irq(struct ccw_device + /* OK, i/o is dead now. Call interrupt handler. */ + if (cdev->handler) + cdev->handler(cdev, cdev->private->intparm, +- ERR_PTR(-EIO)); ++ ERR_PTR(cdev->private->async_kill_io_rc)); + } + + static void +@@ -889,7 +890,7 @@ ccw_device_killing_timeout(struct ccw_de + ccw_device_online_verify(cdev, 0); + if (cdev->handler) + cdev->handler(cdev, cdev->private->intparm, +- ERR_PTR(-EIO)); ++ ERR_PTR(cdev->private->async_kill_io_rc)); + } + + void ccw_device_kill_io(struct ccw_device *cdev) +@@ -897,6 +898,7 @@ void ccw_device_kill_io(struct ccw_devic + int ret; + + cdev->private->iretry = 255; ++ cdev->private->async_kill_io_rc = -EIO; + ret = ccw_device_cancel_halt_clear(cdev); + if (ret == -EBUSY) { + ccw_device_set_timeout(cdev, 3*HZ); +--- a/drivers/s390/cio/io_sch.h ++++ b/drivers/s390/cio/io_sch.h +@@ -157,6 +157,7 @@ struct ccw_device_private { + unsigned long intparm; /* user interruption parameter */ + struct qdio_irq *qdio_data; + struct irb irb; /* device status */ ++ int async_kill_io_rc; + struct senseid senseid; /* SenseID info */ + struct pgid pgid[8]; /* path group IDs per chpid*/ + struct ccw1 iccws[2]; /* ccws for SNID/SID/SPGID commands */ diff --git a/queue-4.14/s390-dasd-fix-handling-of-internal-requests.patch b/queue-4.14/s390-dasd-fix-handling-of-internal-requests.patch new file mode 100644 index 00000000000..4523349185c --- /dev/null +++ b/queue-4.14/s390-dasd-fix-handling-of-internal-requests.patch @@ -0,0 +1,88 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefan Haberland +Date: Wed, 7 Feb 2018 17:39:14 +0100 +Subject: s390/dasd: fix handling of internal requests + +From: Stefan Haberland + +[ Upstream commit 9487cfd3430d07366801886bdf185799a2b6f066 ] + +Internal DASD device driver I/O such as query host access count or +path verification is started using the _sleep_on() function. +To mark a request as started or ended the callback_data is set to either +DASD_SLEEPON_START_TAG or DASD_SLEEPON_END_TAG. + +In cases where the request has to be stopped unconditionally the status is +set to DASD_SLEEPON_END_TAG as well which leads to immediate clearing of +the request. +But the request might still be on a device request queue for normal +operation which might lead to a panic because of a BUG() statement in +__dasd_device_process_final_queue() or a list corruption of the device +request queue. + +Fix by removing the setting of DASD_SLEEPON_END_TAG in the +dasd_cancel_req() and dasd_generic_requeue_all_requests() functions and +ensure that the request is not deleted in the requeue function. +Trigger the device tasklet in the requeue function and let the normal +processing cleanup the request. + +Signed-off-by: Stefan Haberland +Reviewed-by: Jan Hoeppner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 21 +++++++-------------- + 1 file changed, 7 insertions(+), 14 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -2596,8 +2596,6 @@ int dasd_cancel_req(struct dasd_ccw_req + case DASD_CQR_QUEUED: + /* request was not started - just set to cleared */ + cqr->status = DASD_CQR_CLEARED; +- if (cqr->callback_data == DASD_SLEEPON_START_TAG) +- cqr->callback_data = DASD_SLEEPON_END_TAG; + break; + case DASD_CQR_IN_IO: + /* request in IO - terminate IO and release again */ +@@ -3917,9 +3915,12 @@ static int dasd_generic_requeue_all_requ + wait_event(dasd_flush_wq, + (cqr->status != DASD_CQR_CLEAR_PENDING)); + +- /* mark sleepon requests as ended */ +- if (cqr->callback_data == DASD_SLEEPON_START_TAG) +- cqr->callback_data = DASD_SLEEPON_END_TAG; ++ /* ++ * requeue requests to blocklayer will only work ++ * for block device requests ++ */ ++ if (_dasd_requeue_request(cqr)) ++ continue; + + /* remove requests from device and block queue */ + list_del_init(&cqr->devlist); +@@ -3932,13 +3933,6 @@ static int dasd_generic_requeue_all_requ + cqr = refers; + } + +- /* +- * requeue requests to blocklayer will only work +- * for block device requests +- */ +- if (_dasd_requeue_request(cqr)) +- continue; +- + if (cqr->block) + list_del_init(&cqr->blocklist); + cqr->block->base->discipline->free_cp( +@@ -3955,8 +3949,7 @@ static int dasd_generic_requeue_all_requ + list_splice_tail(&requeue_queue, &device->ccw_queue); + spin_unlock_irq(get_ccwdev_lock(device->cdev)); + } +- /* wake up generic waitqueue for eventually ended sleepon requests */ +- wake_up(&generic_waitq); ++ dasd_schedule_device_bh(device); + return rc; + } + diff --git a/queue-4.14/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch b/queue-4.14/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch new file mode 100644 index 00000000000..b7329d0cd23 --- /dev/null +++ b/queue-4.14/sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch @@ -0,0 +1,74 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Davidlohr Bueso +Date: Mon, 2 Apr 2018 09:49:54 -0700 +Subject: sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning + +From: Davidlohr Bueso + +[ Upstream commit d29a20645d5e929aa7e8616f28e5d8e1c49263ec ] + +While running rt-tests' pi_stress program I got the following splat: + + rq->clock_update_flags < RQCF_ACT_SKIP + WARNING: CPU: 27 PID: 0 at kernel/sched/sched.h:960 assert_clock_updated.isra.38.part.39+0x13/0x20 + + [...] + + + enqueue_top_rt_rq+0xf4/0x150 + ? cpufreq_dbs_governor_start+0x170/0x170 + sched_rt_rq_enqueue+0x65/0x80 + sched_rt_period_timer+0x156/0x360 + ? sched_rt_rq_enqueue+0x80/0x80 + __hrtimer_run_queues+0xfa/0x260 + hrtimer_interrupt+0xcb/0x220 + smp_apic_timer_interrupt+0x62/0x120 + apic_timer_interrupt+0xf/0x20 + + + [...] + + do_idle+0x183/0x1e0 + cpu_startup_entry+0x5f/0x70 + start_secondary+0x192/0x1d0 + secondary_startup_64+0xa5/0xb0 + +We can get rid of it be the "traditional" means of adding an +update_rq_clock() call after acquiring the rq->lock in +do_sched_rt_period_timer(). + +The case for the RT task throttling (which this workload also hits) +can be ignored in that the skip_update call is actually bogus and +quite the contrary (the request bits are removed/reverted). + +By setting RQCF_UPDATED we really don't care if the skip is happening +or not and will therefore make the assert_clock_updated() check happy. + +Signed-off-by: Davidlohr Bueso +Reviewed-by: Matt Fleming +Acked-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Thomas Gleixner +Cc: dave@stgolabs.net +Cc: linux-kernel@vger.kernel.org +Cc: rostedt@goodmis.org +Link: http://lkml.kernel.org/r/20180402164954.16255-1-dave@stgolabs.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/rt.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched/rt.c ++++ b/kernel/sched/rt.c +@@ -843,6 +843,8 @@ static int do_sched_rt_period_timer(stru + continue; + + raw_spin_lock(&rq->lock); ++ update_rq_clock(rq); ++ + if (rt_rq->rt_time) { + u64 runtime; + diff --git a/queue-4.14/scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch b/queue-4.14/scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch new file mode 100644 index 00000000000..f9120a03cdc --- /dev/null +++ b/queue-4.14/scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Hannes Reinecke +Date: Mon, 26 Feb 2018 08:39:59 +0100 +Subject: scsi: core: return BLK_STS_OK for DID_OK in __scsi_error_from_host_byte() + +From: Hannes Reinecke + +[ Upstream commit e39a97353e5378eb46bf01679799c5704d397f32 ] + +When converting __scsi_error_from_host_byte() to BLK_STS error codes the +case DID_OK was forgotten, resulting in it always returning an error. + +Fixes: 2a842acab109 ("block: introduce new block status code type") +Cc: Doug Gilbert +Signed-off-by: Hannes Reinecke +Reviewed-by: Douglas Gilbert +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_lib.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/scsi_lib.c ++++ b/drivers/scsi/scsi_lib.c +@@ -720,6 +720,8 @@ static blk_status_t __scsi_error_from_ho + int result) + { + switch (host_byte(result)) { ++ case DID_OK: ++ return BLK_STS_OK; + case DID_TRANSPORT_FAILFAST: + return BLK_STS_TRANSPORT; + case DID_TARGET_FAILURE: diff --git a/queue-4.14/seccomp-add-a-selftest-for-get_metadata.patch b/queue-4.14/seccomp-add-a-selftest-for-get_metadata.patch new file mode 100644 index 00000000000..a29d58253f0 --- /dev/null +++ b/queue-4.14/seccomp-add-a-selftest-for-get_metadata.patch @@ -0,0 +1,98 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tycho Andersen +Date: Tue, 20 Feb 2018 19:47:47 -0700 +Subject: seccomp: add a selftest for get_metadata + +From: Tycho Andersen + +[ Upstream commit d057dc4e35e16050befa3dda943876dab39cbf80 ] + +Let's test that we get the flags correctly, and that we preserve the filter +index across the ptrace(PTRACE_SECCOMP_GET_METADATA) correctly. + +Signed-off-by: Tycho Andersen +CC: Kees Cook +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 61 ++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -145,6 +145,15 @@ struct seccomp_data { + #define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) + #endif + ++#ifndef PTRACE_SECCOMP_GET_METADATA ++#define PTRACE_SECCOMP_GET_METADATA 0x420d ++ ++struct seccomp_metadata { ++ __u64 filter_off; /* Input: which filter */ ++ __u64 flags; /* Output: filter's flags */ ++}; ++#endif ++ + #ifndef seccomp + int seccomp(unsigned int op, unsigned int flags, void *args) + { +@@ -2861,6 +2870,58 @@ TEST(get_action_avail) + EXPECT_EQ(errno, EOPNOTSUPP); + } + ++TEST(get_metadata) ++{ ++ pid_t pid; ++ int pipefd[2]; ++ char buf; ++ struct seccomp_metadata md; ++ ++ ASSERT_EQ(0, pipe(pipefd)); ++ ++ pid = fork(); ++ ASSERT_GE(pid, 0); ++ if (pid == 0) { ++ struct sock_filter filter[] = { ++ BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), ++ }; ++ struct sock_fprog prog = { ++ .len = (unsigned short)ARRAY_SIZE(filter), ++ .filter = filter, ++ }; ++ ++ /* one with log, one without */ ++ ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, ++ SECCOMP_FILTER_FLAG_LOG, &prog)); ++ ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)); ++ ++ ASSERT_EQ(0, close(pipefd[0])); ++ ASSERT_EQ(1, write(pipefd[1], "1", 1)); ++ ASSERT_EQ(0, close(pipefd[1])); ++ ++ while (1) ++ sleep(100); ++ } ++ ++ ASSERT_EQ(0, close(pipefd[1])); ++ ASSERT_EQ(1, read(pipefd[0], &buf, 1)); ++ ++ ASSERT_EQ(0, ptrace(PTRACE_ATTACH, pid)); ++ ASSERT_EQ(pid, waitpid(pid, NULL, 0)); ++ ++ md.filter_off = 0; ++ ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md)); ++ EXPECT_EQ(md.flags, SECCOMP_FILTER_FLAG_LOG); ++ EXPECT_EQ(md.filter_off, 0); ++ ++ md.filter_off = 1; ++ ASSERT_EQ(sizeof(md), ptrace(PTRACE_SECCOMP_GET_METADATA, pid, sizeof(md), &md)); ++ EXPECT_EQ(md.flags, 0); ++ EXPECT_EQ(md.filter_off, 1); ++ ++ ASSERT_EQ(0, kill(pid, SIGKILL)); ++} ++ + /* + * TODO: + * - add microbenchmarks diff --git a/queue-4.14/selftest-vdso-fix-o.patch b/queue-4.14/selftest-vdso-fix-o.patch new file mode 100644 index 00000000000..3b94d8393f3 --- /dev/null +++ b/queue-4.14/selftest-vdso-fix-o.patch @@ -0,0 +1,50 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dominik Brodowski +Date: Sun, 11 Feb 2018 11:59:50 +0100 +Subject: selftest/vDSO: fix O= + +From: Dominik Brodowski + +[ Upstream commit 70b574e7d719bdf96d26528cb289f3e782e83979 ] + +The vDSO selftests ignored the O= or KBUILD_OUTPUT= parameters. Fix it. + +Signed-off-by: Dominik Brodowski +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/vDSO/Makefile | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/vDSO/Makefile ++++ b/tools/testing/selftests/vDSO/Makefile +@@ -1,4 +1,6 @@ + # SPDX-License-Identifier: GPL-2.0 ++include ../lib.mk ++ + ifndef CROSS_COMPILE + CFLAGS := -std=gnu99 + CFLAGS_vdso_standalone_test_x86 := -nostdlib -fno-asynchronous-unwind-tables -fno-stack-protector +@@ -6,16 +8,14 @@ ifeq ($(CONFIG_X86_32),y) + LDLIBS += -lgcc_s + endif + +-TEST_PROGS := vdso_test vdso_standalone_test_x86 ++TEST_PROGS := $(OUTPUT)/vdso_test $(OUTPUT)/vdso_standalone_test_x86 + + all: $(TEST_PROGS) +-vdso_test: parse_vdso.c vdso_test.c +-vdso_standalone_test_x86: vdso_standalone_test_x86.c parse_vdso.c ++$(OUTPUT)/vdso_test: parse_vdso.c vdso_test.c ++$(OUTPUT)/vdso_standalone_test_x86: vdso_standalone_test_x86.c parse_vdso.c + $(CC) $(CFLAGS) $(CFLAGS_vdso_standalone_test_x86) \ + vdso_standalone_test_x86.c parse_vdso.c \ +- -o vdso_standalone_test_x86 ++ -o $@ + +-include ../lib.mk +-clean: +- rm -fr $(TEST_PROGS) ++EXTRA_CLEAN := $(TEST_PROGS) + endif diff --git a/queue-4.14/selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch b/queue-4.14/selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch new file mode 100644 index 00000000000..18654df6267 --- /dev/null +++ b/queue-4.14/selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch @@ -0,0 +1,45 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Li Zhijian +Date: Thu, 22 Feb 2018 10:34:02 +0800 +Subject: selftests/bpf/test_maps: exit child process without error in ENOMEM case + +From: Li Zhijian + +[ Upstream commit 80475c48c6a8a65171e035e0915dc7996b5a0a65 ] + +test_maps contains a series of stress tests, and previously it will break the +rest tests when it failed to alloc memory. +----------------------- +Failed to create hashmap key=8 value=262144 'Cannot allocate memory' +Failed to create hashmap key=16 value=262144 'Cannot allocate memory' +Failed to create hashmap key=8 value=262144 'Cannot allocate memory' +Failed to create hashmap key=8 value=262144 'Cannot allocate memory' +test_maps: test_maps.c:955: run_parallel: Assertion `status == 0' failed. +Aborted +not ok 1..3 selftests: test_maps [FAIL] +----------------------- +after this patch, the rest tests will be continue when it occurs an ENOMEM failure + +CC: Alexei Starovoitov +CC: Philip Li +Suggested-by: Daniel Borkmann +Signed-off-by: Li Zhijian +Signed-off-by: Daniel Borkmann + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_maps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/testing/selftests/bpf/test_maps.c ++++ b/tools/testing/selftests/bpf/test_maps.c +@@ -126,6 +126,8 @@ static void test_hashmap_sizes(int task, + fd = bpf_create_map(BPF_MAP_TYPE_HASH, i, j, + 2, map_flags); + if (fd < 0) { ++ if (errno == ENOMEM) ++ return; + printf("Failed to create hashmap key=%d value=%d '%s'\n", + i, j, strerror(errno)); + exit(1); diff --git a/queue-4.14/selftests-ftrace-add-a-testcase-for-probepoint.patch b/queue-4.14/selftests-ftrace-add-a-testcase-for-probepoint.patch new file mode 100644 index 00000000000..3a018bb0389 --- /dev/null +++ b/queue-4.14/selftests-ftrace-add-a-testcase-for-probepoint.patch @@ -0,0 +1,70 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 17 Mar 2018 21:40:31 +0900 +Subject: selftests: ftrace: Add a testcase for probepoint + +From: Masami Hiramatsu + +[ Upstream commit dfa453bc90eca0febff33c8d292a656e53702158 ] + +Add a testcase for probe point definition. This tests +symbol, address and symbol+offset syntax. The offset +must be positive and smaller than UINT_MAX. + +Link: http://lkml.kernel.org/r/152129043097.31874.14273580606301767394.stgit@devbox + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc | 43 +++++++++++++ + 1 file changed, 43 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/probepoint.tc +@@ -0,0 +1,43 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe events - probe points ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++TARGET_FUNC=create_trace_kprobe ++ ++dec_addr() { # hexaddr ++ printf "%d" "0x"`echo $1 | tail -c 8` ++} ++ ++set_offs() { # prev target next ++ A1=`dec_addr $1` ++ A2=`dec_addr $2` ++ A3=`dec_addr $3` ++ TARGET="0x$2" # an address ++ PREV=`expr $A1 - $A2` # offset to previous symbol ++ NEXT=+`expr $A3 - $A2` # offset to next symbol ++ OVERFLOW=+`printf "0x%x" ${PREV}` # overflow offset to previous symbol ++} ++ ++# We have to decode symbol addresses to get correct offsets. ++# If the offset is not an instruction boundary, it cause -EILSEQ. ++set_offs `grep -A1 -B1 ${TARGET_FUNC} /proc/kallsyms | cut -f 1 -d " " | xargs` ++ ++UINT_TEST=no ++# printf "%x" -1 returns (unsigned long)-1. ++if [ `printf "%x" -1 | wc -c` != 9 ]; then ++ UINT_TEST=yes ++fi ++ ++echo 0 > events/enable ++echo > kprobe_events ++echo "p:testprobe ${TARGET_FUNC}" > kprobe_events ++echo "p:testprobe ${TARGET}" > kprobe_events ++echo "p:testprobe ${TARGET_FUNC}${NEXT}" > kprobe_events ++! echo "p:testprobe ${TARGET_FUNC}${PREV}" > kprobe_events ++if [ "${UINT_TEST}" = yes ]; then ++! echo "p:testprobe ${TARGET_FUNC}${OVERFLOW}" > kprobe_events ++fi ++echo > kprobe_events ++clear_trace diff --git a/queue-4.14/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch b/queue-4.14/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch new file mode 100644 index 00000000000..26107470163 --- /dev/null +++ b/queue-4.14/selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch @@ -0,0 +1,73 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 17 Mar 2018 21:39:44 +0900 +Subject: selftests: ftrace: Add a testcase for string type with kprobe_event + +From: Masami Hiramatsu + +[ Upstream commit 5fbdbed797b6d12d043a5121fdbc8d8b49d10e80 ] + +Add a testcase for string type with kprobe event. +This tests good/bad syntax combinations and also +the traced data is correct in several way. + +Link: http://lkml.kernel.org/r/152129038381.31874.9201387794548737554.stgit@devbox + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc | 46 ++++++++++ + 1 file changed, 46 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_string.tc +@@ -0,0 +1,46 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe event string type argument ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++echo 0 > events/enable ++echo > kprobe_events ++ ++case `uname -m` in ++x86_64) ++ ARG2=%si ++ OFFS=8 ++;; ++i[3456]86) ++ ARG2=%cx ++ OFFS=4 ++;; ++aarch64) ++ ARG2=%x1 ++ OFFS=8 ++;; ++arm*) ++ ARG2=%r1 ++ OFFS=4 ++;; ++*) ++ echo "Please implement other architecture here" ++ exit_untested ++esac ++ ++: "Test get argument (1)" ++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string" > kprobe_events ++echo 1 > events/kprobes/testprobe/enable ++! echo test >> kprobe_events ++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test\"" ++ ++echo 0 > events/kprobes/testprobe/enable ++: "Test get argument (2)" ++echo "p:testprobe create_trace_kprobe arg1=+0(+0(${ARG2})):string arg2=+0(+${OFFS}(${ARG2})):string" > kprobe_events ++echo 1 > events/kprobes/testprobe/enable ++! echo test1 test2 >> kprobe_events ++tail -n 1 trace | grep -qe "testprobe.* arg1=\"test1\" arg2=\"test2\"" ++ ++echo 0 > events/enable ++echo > kprobe_events diff --git a/queue-4.14/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch b/queue-4.14/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch new file mode 100644 index 00000000000..bf3e576baf1 --- /dev/null +++ b/queue-4.14/selftests-ftrace-add-probe-event-argument-syntax-testcase.patch @@ -0,0 +1,124 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 17 Mar 2018 21:38:56 +0900 +Subject: selftests: ftrace: Add probe event argument syntax testcase + +From: Masami Hiramatsu + +[ Upstream commit 871bef2000968c312a4000b2f56d370dcedbc93c ] + +Add a testcase for probe event argument syntax which +ensures the kprobe_events interface correctly parses +given event arguments. + +Link: http://lkml.kernel.org/r/152129033679.31874.12705519603869152799.stgit@devbox + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 97 ++++++++++ + 1 file changed, 97 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc +@@ -0,0 +1,97 @@ ++#!/bin/sh ++# SPDX-License-Identifier: GPL-2.0 ++# description: Kprobe event argument syntax ++ ++[ -f kprobe_events ] || exit_unsupported # this is configurable ++ ++grep "x8/16/32/64" README > /dev/null || exit_unsupported # version issue ++ ++echo 0 > events/enable ++echo > kprobe_events ++ ++PROBEFUNC="vfs_read" ++GOODREG= ++BADREG= ++GOODSYM="_sdata" ++if ! grep -qw ${GOODSYM} /proc/kallsyms ; then ++ GOODSYM=$PROBEFUNC ++fi ++BADSYM="deaqswdefr" ++SYMADDR=0x`grep -w ${GOODSYM} /proc/kallsyms | cut -f 1 -d " "` ++GOODTYPE="x16" ++BADTYPE="y16" ++ ++case `uname -m` in ++x86_64|i[3456]86) ++ GOODREG=%ax ++ BADREG=%ex ++;; ++aarch64) ++ GOODREG=%x0 ++ BADREG=%ax ++;; ++arm*) ++ GOODREG=%r0 ++ BADREG=%ax ++;; ++esac ++ ++test_goodarg() # Good-args ++{ ++ while [ "$1" ]; do ++ echo "p ${PROBEFUNC} $1" > kprobe_events ++ shift 1 ++ done; ++} ++ ++test_badarg() # Bad-args ++{ ++ while [ "$1" ]; do ++ ! echo "p ${PROBEFUNC} $1" > kprobe_events ++ shift 1 ++ done; ++} ++ ++echo > kprobe_events ++ ++: "Register access" ++test_goodarg ${GOODREG} ++test_badarg ${BADREG} ++ ++: "Symbol access" ++test_goodarg "@${GOODSYM}" "@${SYMADDR}" "@${GOODSYM}+10" "@${GOODSYM}-10" ++test_badarg "@" "@${BADSYM}" "@${GOODSYM}*10" "@${GOODSYM}/10" \ ++ "@${GOODSYM}%10" "@${GOODSYM}&10" "@${GOODSYM}|10" ++ ++: "Stack access" ++test_goodarg "\$stack" "\$stack0" "\$stack1" ++test_badarg "\$stackp" "\$stack0+10" "\$stack1-10" ++ ++: "Retval access" ++echo "r ${PROBEFUNC} \$retval" > kprobe_events ++! echo "p ${PROBEFUNC} \$retval" > kprobe_events ++ ++: "Comm access" ++test_goodarg "\$comm" ++ ++: "Indirect memory access" ++test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \ ++ "+0(\$stack1)" "+10(@${GOODSYM}-10)" "+0(+10(+20(\$stack)))" ++test_badarg "+(${GOODREG})" "(${GOODREG}+10)" "-(${GOODREG})" "(${GOODREG})" \ ++ "+10(\$comm)" "+0(${GOODREG})+10" ++ ++: "Name assignment" ++test_goodarg "varname=${GOODREG}" ++test_badarg "varname=varname2=${GOODREG}" ++ ++: "Type syntax" ++test_goodarg "${GOODREG}:${GOODTYPE}" ++test_badarg "${GOODREG}::${GOODTYPE}" "${GOODREG}:${BADTYPE}" \ ++ "${GOODTYPE}:${GOODREG}" ++ ++: "Combination check" ++ ++test_goodarg "\$comm:string" "+0(\$stack):string" ++test_badarg "\$comm:x64" "\$stack:string" "${GOODREG}:string" ++ ++echo > kprobe_events diff --git a/queue-4.14/selftests-futex-fix-line-continuation-in-makefile.patch b/queue-4.14/selftests-futex-fix-line-continuation-in-makefile.patch new file mode 100644 index 00000000000..511c064c4ce --- /dev/null +++ b/queue-4.14/selftests-futex-fix-line-continuation-in-makefile.patch @@ -0,0 +1,43 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "Daniel Díaz" +Date: Wed, 7 Feb 2018 11:24:31 -0600 +Subject: selftests/futex: Fix line continuation in Makefile + +From: "Daniel Díaz" + +[ Upstream commit 067b25a5639b10dfdd41ce6b4d4140fe84d0a8e7 ] + +The Makefile lacks a couple of line continuation backslashes +in an `if' clause, which produces an error when make versions +prior to 4.x are used for building the tests. + + $ make + make[1]: Entering directory `/[...]/linux/tools/testing/selftests/futex' + /bin/sh: -c: line 5: syntax error: unexpected end of file + make[1]: *** [all] Error 1 + make[1]: Leaving directory `/[...]/linux/tools/testing/selftests/futex' + make: *** [all] Error 2 + +Signed-off-by: Daniel Díaz +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/futex/Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/testing/selftests/futex/Makefile ++++ b/tools/testing/selftests/futex/Makefile +@@ -12,9 +12,9 @@ all: + BUILD_TARGET=$(OUTPUT)/$$DIR; \ + mkdir $$BUILD_TARGET -p; \ + make OUTPUT=$$BUILD_TARGET -C $$DIR $@;\ +- if [ -e $$DIR/$(TEST_PROGS) ]; then +- rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; +- fi ++ if [ -e $$DIR/$(TEST_PROGS) ]; then \ ++ rsync -a $$DIR/$(TEST_PROGS) $$BUILD_TARGET/; \ ++ fi \ + done + + override define RUN_TESTS diff --git a/queue-4.14/selftests-memfd-add-config-fragment-for-fuse.patch b/queue-4.14/selftests-memfd-add-config-fragment-for-fuse.patch new file mode 100644 index 00000000000..a6f2a6cdff9 --- /dev/null +++ b/queue-4.14/selftests-memfd-add-config-fragment-for-fuse.patch @@ -0,0 +1,25 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Anders Roxell +Date: Tue, 6 Feb 2018 16:20:44 -0600 +Subject: selftests: memfd: add config fragment for fuse + +From: Anders Roxell + +[ Upstream commit 9a606f8d55cfc932ec02172aaed4124fdc150047 ] + +The memfd test requires to insert the fuse module (CONFIG_FUSE_FS). + +Signed-off-by: Anders Roxell +Signed-off-by: Daniel Díaz +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/memfd/config | 1 + + 1 file changed, 1 insertion(+) + create mode 100644 tools/testing/selftests/memfd/config + +--- /dev/null ++++ b/tools/testing/selftests/memfd/config +@@ -0,0 +1 @@ ++CONFIG_FUSE_FS=m diff --git a/queue-4.14/selftests-memfd-add-run_fuse_test.sh-to-test_files.patch b/queue-4.14/selftests-memfd-add-run_fuse_test.sh-to-test_files.patch new file mode 100644 index 00000000000..f95d717a685 --- /dev/null +++ b/queue-4.14/selftests-memfd-add-run_fuse_test.sh-to-test_files.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Anders Roxell +Date: Wed, 21 Feb 2018 14:45:58 -0800 +Subject: selftests/memfd: add run_fuse_test.sh to TEST_FILES + +From: Anders Roxell + +[ Upstream commit bdefe01a6b14bde268741435ac854fda4ef7e847 ] + +While testing memfd tests, there is a missing script, as reported by +kselftest: + + ./run_tests.sh: line 7: ./run_fuse_test.sh: No such file or directory + +Link: http://lkml.kernel.org/r/1517955779-11386-1-git-send-email-daniel.diaz@linaro.org +Signed-off-by: Anders Roxell +Signed-off-by: Daniel Díaz +Cc: Shuah Khan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/memfd/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/memfd/Makefile ++++ b/tools/testing/selftests/memfd/Makefile +@@ -5,6 +5,7 @@ CFLAGS += -I../../../../include/ + CFLAGS += -I../../../../usr/include/ + + TEST_PROGS := run_tests.sh ++TEST_FILES := run_fuse_test.sh + TEST_GEN_FILES := memfd_test fuse_mnt fuse_test + + fuse_mnt.o: CFLAGS += $(shell pkg-config fuse --cflags) diff --git a/queue-4.14/selftests-net-fixes-psock_fanout-ebpf-test-case.patch b/queue-4.14/selftests-net-fixes-psock_fanout-ebpf-test-case.patch new file mode 100644 index 00000000000..cad7161fbc4 --- /dev/null +++ b/queue-4.14/selftests-net-fixes-psock_fanout-ebpf-test-case.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Prashant Bhole +Date: Thu, 15 Feb 2018 09:19:26 +0900 +Subject: selftests/net: fixes psock_fanout eBPF test case + +From: Prashant Bhole + +[ Upstream commit ddd0010392d9cbcb95b53d11b7cafc67b373ab56 ] + +eBPF test fails due to verifier failure because log_buf is too small. +Fixed by increasing log_buf size + +Signed-off-by: Prashant Bhole +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/psock_fanout.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/net/psock_fanout.c ++++ b/tools/testing/selftests/net/psock_fanout.c +@@ -128,6 +128,8 @@ static void sock_fanout_getopts(int fd, + + static void sock_fanout_set_ebpf(int fd) + { ++ static char log_buf[65536]; ++ + const int len_off = __builtin_offsetof(struct __sk_buff, len); + struct bpf_insn prog[] = { + { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 }, +@@ -140,7 +142,6 @@ static void sock_fanout_set_ebpf(int fd) + { BPF_ALU | BPF_MOV | BPF_K, 0, 0, 0, 0 }, + { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } + }; +- char log_buf[512]; + union bpf_attr attr; + int pfd; + diff --git a/queue-4.14/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch b/queue-4.14/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch new file mode 100644 index 00000000000..fd728483535 --- /dev/null +++ b/queue-4.14/selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch @@ -0,0 +1,65 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Ellerman +Date: Mon, 26 Feb 2018 15:22:22 +1100 +Subject: selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable + +From: Michael Ellerman + +[ Upstream commit cd4a6f3ab4d80cb919d15897eb3cbc85c2009d4b ] + +The subpage_prot syscall is only functional when the system is using +the Hash MMU. Since commit 5b2b80714796 ("powerpc/mm: Invalidate +subpage_prot() system call on radix platforms") it returns ENOENT when +the Radix MMU is active. Currently this just makes the test fail. + +Additionally the syscall is not available if the kernel is built with +4K pages, or if CONFIG_PPC_SUBPAGE_PROT=n, in which case it returns +ENOSYS because the syscall is missing entirely. + +So check explicitly for ENOENT and ENOSYS and skip if we see either of +those. + +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/mm/subpage_prot.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/tools/testing/selftests/powerpc/mm/subpage_prot.c ++++ b/tools/testing/selftests/powerpc/mm/subpage_prot.c +@@ -135,6 +135,16 @@ static int run_test(void *addr, unsigned + return 0; + } + ++static int syscall_available(void) ++{ ++ int rc; ++ ++ errno = 0; ++ rc = syscall(__NR_subpage_prot, 0, 0, 0); ++ ++ return rc == 0 || (errno != ENOENT && errno != ENOSYS); ++} ++ + int test_anon(void) + { + unsigned long align; +@@ -145,6 +155,8 @@ int test_anon(void) + void *mallocblock; + unsigned long mallocsize; + ++ SKIP_IF(!syscall_available()); ++ + if (getpagesize() != 0x10000) { + fprintf(stderr, "Kernel page size must be 64K!\n"); + return 1; +@@ -180,6 +192,8 @@ int test_file(void) + off_t filesize; + int fd; + ++ SKIP_IF(!syscall_available()); ++ + fd = open(file_name, O_RDWR); + if (fd == -1) { + perror("failed to open file"); diff --git a/queue-4.14/selftests-print-the-test-we-re-running-to-dev-kmsg.patch b/queue-4.14/selftests-print-the-test-we-re-running-to-dev-kmsg.patch new file mode 100644 index 00000000000..8b9df77a3c3 --- /dev/null +++ b/queue-4.14/selftests-print-the-test-we-re-running-to-dev-kmsg.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Ellerman +Date: Fri, 23 Mar 2018 20:44:27 +1100 +Subject: selftests: Print the test we're running to /dev/kmsg + +From: Michael Ellerman + +[ Upstream commit 88893cf787d3062c631cc20b875068eb11756e03 ] + +Some tests cause the kernel to print things to the kernel log +buffer (ie. printk), in particular oops and warnings etc. However when +running all the tests in succession it's not always obvious which +test(s) caused the kernel to print something. + +We can narrow it down by printing which test directory we're running +in to /dev/kmsg, if it's writable. + +Example output: + + [ 170.149149] kselftest: Running tests in powerpc + [ 305.300132] kworker/dying (71) used greatest stack depth: 7776 bytes + left + [ 808.915456] kselftest: Running tests in pstore + +Signed-off-by: Michael Ellerman +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/Makefile | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/Makefile ++++ b/tools/testing/selftests/Makefile +@@ -122,6 +122,7 @@ ifdef INSTALL_PATH + BUILD_TARGET=$$BUILD/$$TARGET; \ + echo "echo ; echo Running tests in $$TARGET" >> $(ALL_SCRIPT); \ + echo "echo ========================================" >> $(ALL_SCRIPT); \ ++ echo "[ -w /dev/kmsg ] && echo \"kselftest: Running tests in $$TARGET\" >> /dev/kmsg" >> $(ALL_SCRIPT); \ + echo "cd $$TARGET" >> $(ALL_SCRIPT); \ + make -s --no-print-directory OUTPUT=$$BUILD_TARGET -C $$TARGET emit_tests >> $(ALL_SCRIPT); \ + echo "cd \$$ROOT" >> $(ALL_SCRIPT); \ diff --git a/queue-4.14/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch b/queue-4.14/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch new file mode 100644 index 00000000000..2415d6d2302 --- /dev/null +++ b/queue-4.14/selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch @@ -0,0 +1,27 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Naresh Kamboju +Date: Wed, 7 Feb 2018 14:47:20 +0530 +Subject: selftests: pstore: Adding config fragment CONFIG_PSTORE_RAM=m + +From: Naresh Kamboju + +[ Upstream commit 9a379e77033f02c4a071891afdf0f0a01eff8ccb ] + +pstore_tests and pstore_post_reboot_tests need CONFIG_PSTORE_RAM=m + +Signed-off-by: Naresh Kamboju +Acked-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/pstore/config | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/testing/selftests/pstore/config ++++ b/tools/testing/selftests/pstore/config +@@ -2,3 +2,4 @@ CONFIG_MISC_FILESYSTEMS=y + CONFIG_PSTORE=y + CONFIG_PSTORE_PMSG=y + CONFIG_PSTORE_CONSOLE=y ++CONFIG_PSTORE_RAM=m diff --git a/queue-4.14/selftests-sync-missing-cflags-while-compiling.patch b/queue-4.14/selftests-sync-missing-cflags-while-compiling.patch new file mode 100644 index 00000000000..12559e67704 --- /dev/null +++ b/queue-4.14/selftests-sync-missing-cflags-while-compiling.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Anders Roxell +Date: Tue, 6 Feb 2018 16:23:39 -0600 +Subject: selftests: sync: missing CFLAGS while compiling + +From: Anders Roxell + +[ Upstream commit b2c93e300a11b419b4c67ce08e16fa1436d8118c ] + +Based on patch: https://patchwork.kernel.org/patch/10042045/ + +arch64-linux-gnu-gcc -c sync.c -o sync/sync.o +sync.c:42:29: fatal error: linux/sync_file.h: No such file or directory + #include + ^ +CFLAGS is not used during the compile step, so the system instead of +kernel headers are used. Fix this by adding CFLAGS to the OBJS compile +rule. + +Reported-by: Lei Yang +Signed-off-by: Anders Roxell +Signed-off-by: Daniel Díaz +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/sync/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/sync/Makefile ++++ b/tools/testing/selftests/sync/Makefile +@@ -30,7 +30,7 @@ $(TEST_CUSTOM_PROGS): $(TESTS) $(OBJS) + $(CC) -o $(TEST_CUSTOM_PROGS) $(OBJS) $(TESTS) $(CFLAGS) $(LDFLAGS) + + $(OBJS): $(OUTPUT)/%.o: %.c +- $(CC) -c $^ -o $@ ++ $(CC) -c $^ -o $@ $(CFLAGS) + + $(TESTS): $(OUTPUT)/%.o: %.c + $(CC) -c $^ -o $@ diff --git a/queue-4.14/selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch b/queue-4.14/selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch new file mode 100644 index 00000000000..4f2d7c43a4a --- /dev/null +++ b/queue-4.14/selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch @@ -0,0 +1,94 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Li Zhijian +Date: Fri, 9 Mar 2018 15:51:16 -0800 +Subject: selftests/vm/run_vmtests: adjust hugetlb size according to nr_cpus + +From: Li Zhijian + +[ Upstream commit 0627be7d3c871035364923559543c9b2ff5357f2 ] + +Fix userfaultfd_hugetlb on hosts which have more than 64 cpus. + + --------------------------- + running userfaultfd_hugetlb + --------------------------- + invalid MiB + Usage: + [FAIL] + +Via userfaultfd.c we can know, hugetlb_size needs to meet hugetlb_size +>= nr_cpus * hugepage_size. hugepage_size is often 2M, so when host +cpus > 64, it requires more than 128M. + +[zhijianx.li@intel.com: update changelog/comments and variable name] + Link: http://lkml.kernel.org/r/20180302024356.83359-1-zhijianx.li@intel.com + Link: http://lkml.kernel.org/r/20180303125027.81638-1-zhijianx.li@intel.com +Link: http://lkml.kernel.org/r/20180302024356.83359-1-zhijianx.li@intel.com +Signed-off-by: Li Zhijian +Cc: Shuah Khan +Cc: SeongJae Park +Cc: Philippe Ombredanne +Cc: Aneesh Kumar K.V +Cc: Mike Kravetz +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/vm/run_vmtests | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/tools/testing/selftests/vm/run_vmtests ++++ b/tools/testing/selftests/vm/run_vmtests +@@ -2,25 +2,33 @@ + # SPDX-License-Identifier: GPL-2.0 + #please run as root + +-#we need 256M, below is the size in kB +-needmem=262144 + mnt=./huge + exitcode=0 + +-#get pagesize and freepages from /proc/meminfo ++#get huge pagesize and freepages from /proc/meminfo + while read name size unit; do + if [ "$name" = "HugePages_Free:" ]; then + freepgs=$size + fi + if [ "$name" = "Hugepagesize:" ]; then +- pgsize=$size ++ hpgsize_KB=$size + fi + done < /proc/meminfo + ++# Simple hugetlbfs tests have a hardcoded minimum requirement of ++# huge pages totaling 256MB (262144KB) in size. The userfaultfd ++# hugetlb test requires a minimum of 2 * nr_cpus huge pages. Take ++# both of these requirements into account and attempt to increase ++# number of huge pages available. ++nr_cpus=$(nproc) ++hpgsize_MB=$((hpgsize_KB / 1024)) ++half_ufd_size_MB=$((((nr_cpus * hpgsize_MB + 127) / 128) * 128)) ++needmem_KB=$((half_ufd_size_MB * 2 * 1024)) ++ + #set proper nr_hugepages +-if [ -n "$freepgs" ] && [ -n "$pgsize" ]; then ++if [ -n "$freepgs" ] && [ -n "$hpgsize_KB" ]; then + nr_hugepgs=`cat /proc/sys/vm/nr_hugepages` +- needpgs=`expr $needmem / $pgsize` ++ needpgs=$((needmem_KB / hpgsize_KB)) + tries=2 + while [ $tries -gt 0 ] && [ $freepgs -lt $needpgs ]; do + lackpgs=$(( $needpgs - $freepgs )) +@@ -107,8 +115,9 @@ fi + echo "---------------------------" + echo "running userfaultfd_hugetlb" + echo "---------------------------" +-# 256MB total huge pages == 128MB src and 128MB dst +-./userfaultfd hugetlb 128 32 $mnt/ufd_test_file ++# Test requires source and destination huge pages. Size of source ++# (half_ufd_size_MB) is passed as argument to test. ++./userfaultfd hugetlb $half_ufd_size_MB 32 $mnt/ufd_test_file + if [ $? -ne 0 ]; then + echo "[FAIL]" + exitcode=1 diff --git a/queue-4.14/series b/queue-4.14/series index 83b41ce3665..d7fac82f211 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -54,3 +54,445 @@ powerpc-move-default-security-feature-flags.patch powerpc-pseries-restore-default-security-feature-flags-on-setup.patch powerpc-64s-fix-section-mismatch-warnings-from-setup_rfi_flush.patch powerpc-64s-add-support-for-a-store-forwarding-barrier-at-kernel-entry-exit.patch +mips-generic-fix-machine-compatible-matching.patch +mac80211-mesh-fix-wrong-mesh-ttl-offset-calculation.patch +arc-fix-malformed-arc_emul_unaligned-default.patch +ptr_ring-prevent-integer-overflow-when-calculating-size.patch +arm64-dts-rockchip-fix-rock64-gmac2io-stability-issues.patch +arm64-dts-rockchip-correct-ep-gpios-for-rk3399-sapphire.patch +libata-fix-compile-warning-with-ata_debug-enabled.patch +selftests-sync-missing-cflags-while-compiling.patch +selftest-vdso-fix-o.patch +selftests-pstore-adding-config-fragment-config_pstore_ram-m.patch +selftests-memfd-add-config-fragment-for-fuse.patch +arm-omap2-timer-fix-a-kmemleak-caused-in-omap_get_timer_dt.patch +arm-omap3-fix-prm-wake-interrupt-for-resume.patch +arm-omap2-fix-sar_base-inititalization-for-hs-omaps.patch +arm-omap1-clock-fix-debugfs_create_-usage.patch +ibmvnic-wait-until-reset-is-complete-to-set-carrier-on.patch +ibmvnic-free-rx-socket-buffer-in-case-of-adapter-error.patch +ibmvnic-clean-rx-pool-buffers-during-device-close.patch +tls-retrun-the-correct-iv-in-getsockopt.patch +xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch +ib-uverbs-fix-method-merging-in-uverbs_ioctl_merge.patch +ib-uverbs-fix-possible-oops-with-duplicate-ioctl-attributes.patch +ib-uverbs-fix-unbalanced-unlock-on-error-path-for-rdma_explicit_destroy.patch +arm64-dts-rockchip-fix-dwmmc-clocks.patch +arm-dts-rockchip-fix-dwmmc-clocks.patch +iwlwifi-mvm-fix-security-bug-in-pn-checking.patch +iwlwifi-mvm-fix-ibss-for-devices-that-support-station-type-api.patch +iwlwifi-mvm-always-init-rs-with-20mhz-bandwidth-rates.patch +nfc-llcp-limit-size-of-sdp-uri.patch +rxrpc-work-around-usercopy-check.patch +md-free-bioset-when-md_run-fails.patch +md-fix-md_write_start-deadlock-w-o-metadata-devices.patch +s390-dasd-fix-handling-of-internal-requests.patch +xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch +mac80211-round-ieee80211_tx_status_headroom-up-to-multiple-of-4.patch +mac80211-fix-a-possible-leak-of-station-stats.patch +mac80211-fix-calling-sleeping-function-in-atomic-context.patch +cfg80211-clear-wep-keys-after-disconnection.patch +mac80211-do-not-disconnect-on-invalid-operating-class.patch +mac80211-fix-sending-addba-response-for-an-ongoing-session.patch +gpu-ipu-v3-pre-fix-device-node-leak-in-ipu_pre_lookup_by_phandle.patch +gpu-ipu-v3-prg-fix-device-node-leak-in-ipu_prg_lookup_by_phandle.patch +md-raid10-fix-null-deference-in-handle_write_completed.patch +drm-exynos-g2d-use-monotonic-timestamps.patch +drm-exynos-fix-comparison-to-bitshift-when-dealing-with-a-mask.patch +drm-exynos-g2d-delete-an-error-message-for-a-failed-memory-allocation-in-two-functions.patch +drm-meson-fix-vsync-buffer-update.patch +arm64-perf-correct-pmuver-probing.patch +rdma-bnxt_re-unpin-sq-and-rq-memory-if-qp-create-fails.patch +rdma-bnxt_re-fix-system-crash-during-load-unload.patch +ibmvnic-check-for-null-skb-s-in-napi-poll-routine.patch +net-mlx5e-return-error-if-prio-is-specified-when-offloading-eswitch-vlan-push.patch +locking-xchg-alpha-add-unconditional-memory-barrier-to-cmpxchg.patch +md-raid5-avoid-string-overflow-warning.patch +virtio_net-fix-xdp-code-path-in-receive_small.patch +kernel-relay.c-limit-kmalloc-size-to-kmalloc_max_size.patch +bug.h-work-around-gcc-pr82365-in-bug.patch +selftests-memfd-add-run_fuse_test.sh-to-test_files.patch +seccomp-add-a-selftest-for-get_metadata.patch +soc-imx-gpc-de-register-power-domains-only-if-initialized.patch +powerpc-bpf-jit-fix-32-bit-jit-for-seccomp_data-access.patch +s390-cio-fix-ccw_device_start_timeout-api.patch +s390-cio-fix-return-code-after-missing-interrupt.patch +s390-cio-clear-timer-when-terminating-driver-i-o.patch +selftests-bpf-test_maps-exit-child-process-without-error-in-enomem-case.patch +pkcs-7-fix-direct-verification-of-signerinfo-signature.patch +arm64-dts-cavium-fix-pci-bus-dtc-warnings.patch +nfs-system-crashes-after-nfs4err_moved-recovery.patch +arm-omap-fix-dmtimer-init-for-omap1.patch +smsc75xx-fix-smsc75xx_set_features.patch +regulatory-add-nul-to-request-alpha2.patch +integrity-security-fix-digsig.c-build-error-with-header-file.patch +x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch +locking-xchg-alpha-fix-xchg-and-cmpxchg-memory-ordering-bugs.patch +x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch +mac80211-drop-frames-with-unexpected-ds-bits-from-fast-rx-to-slow-path.patch +arm64-fix-unwind_frame-for-filtered-out-fn-for-function-graph-tracing.patch +macvlan-fix-use-after-free-in-macvlan_common_newlink.patch +kvm-nvmx-don-t-halt-vcpu-when-l1-is-injecting-events-to-l2.patch +kvm-fix-warning-for-config_have_kvm_eventfd-builds.patch +arm-dts-imx6dl-include-correct-dtsi-file-for-engicam-i.corem6-duallite-solo-rqs.patch +fs-dcache-avoid-livelock-between-d_alloc_parallel-and-__d_add.patch +fs-dcache-use-read_once-when-accessing-i_dir_seq.patch +md-fix-a-potential-deadlock-of-raid5-raid10-reshape.patch +md-raid1-fix-null-pointer-dereference.patch +batman-adv-fix-packet-checksum-in-receive-path.patch +batman-adv-invalidate-checksum-on-fragment-reassembly.patch +netfilter-ipt_clusterip-put-config-struct-if-we-can-t-increment-ct-refcount.patch +netfilter-ipt_clusterip-put-config-instead-of-freeing-it.patch +netfilter-ebtables-convert-bug_ons-to-warn_ons.patch +batman-adv-ignore-invalid-batadv_iv_gw-during-netlink-send.patch +batman-adv-ignore-invalid-batadv_v_gw-during-netlink-send.patch +batman-adv-fix-netlink-dumping-of-bla-claims.patch +batman-adv-fix-netlink-dumping-of-bla-backbones.patch +netfilter-don-t-set-f_iface-on-ipv6-fib-lookups.patch +nvme-pci-fix-nvme-queue-cleanup-if-irq-setup-fails.patch +clocksource-drivers-fsl_ftm_timer-fix-error-return-checking.patch +libceph-ceph-avoid-memory-leak-when-specifying-same-option-several-times.patch +ceph-fix-dentry-leak-when-failing-to-init-debugfs.patch +xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch +arm-orion5x-revert-commit-4904dbda41c8.patch +qrtr-add-module_alias-macro-to-smd.patch +selftests-futex-fix-line-continuation-in-makefile.patch +r8152-fix-tx-packets-accounting.patch +virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch +dmaengine-rcar-dmac-fix-max_chunk_size-for-r-car-gen3.patch +bcache-fix-kcrashes-with-fio-in-raid5-backend-dev.patch +ip_gre-fix-ifla_mtu-ignored-on-newlink.patch +ip6_tunnel-fix-ifla_mtu-ignored-on-newlink.patch +sit-fix-ifla_mtu-ignored-on-newlink.patch +nbd-fix-return-value-in-error-handling-path.patch +arm-dts-nsp-fix-amount-of-ram-on-bcm958625hr.patch +arm-dts-bcm283x-fix-unit-address-of-local_intc.patch +powerpc-boot-fix-random-libfdt-related-build-errors.patch +clocksource-drivers-mips-gic-timer-use-correct-shift-count-to-extract-data.patch +gianfar-fix-rx-byte-accounting-for-ndev-stats.patch +net-tcp-illinois-replace-broken-algorithm-reference-link.patch +nvmet-fix-psdt-field-check-in-command-format.patch +net-smc-use-link_id-of-server-in-confirm-link-reply.patch +mlxsw-core-fix-flex-keys-scratchpad-offset-conflict.patch +mlxsw-spectrum-treat-ipv6-unregistered-multicast-as-broadcast.patch +spectrum-reference-count-vlan-entries.patch +arc-mcip-halt-gfrc-counter-when-arc-cores-halt.patch +arc-mcip-update-mcip-debug-mask-when-the-new-cpu-came-online.patch +arc-setup-cpu-possible-mask-according-to-possible-cpus-dts-property.patch +ipvs-remove-ips_nat_mask-check-to-fix-passive-ftp.patch +ib-mlx-set-slid-to-zero-in-ethernet-completion-struct.patch +rdma-bnxt_re-unconditionly-fence-non-wire-memory-operations.patch +rdma-bnxt_re-fix-incorrect-db-offset-calculation.patch +rdma-bnxt_re-fix-the-ib_reg-failure-cleanup.patch +xen-pirq-fix-error-path-cleanup-when-binding-msis.patch +drm-amd-amdgpu-correct-vram-width-for-apus-with-gmc9.patch +xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch +arm64-dts-rockchip-fix-rk3399-gru-s2r-pinctrl-hogs-wifi-reset.patch +drm-sun4i-fix-dclk_set_phase.patch +btrfs-use-kvzalloc-to-allocate-btrfs_fs_info.patch +btrfs-send-fix-issuing-write-op-when-processing-hole-in-no-data-mode.patch +btrfs-fix-log-replay-failure-after-linking-special-file-and-fsync.patch +ceph-fix-potential-memory-leak-in-init_caches.patch +block-display-the-correct-diskname-for-bio.patch +nvme-pci-fix-eeh-failure-on-ppc.patch +nvme-pci-pass-max-vectors-as-num_possible_cpus-to-pci_alloc_irq_vectors.patch +selftests-powerpc-skip-the-subpage_prot-tests-if-the-syscall-is-unavailable.patch +scsi-core-return-blk_sts_ok-for-did_ok-in-__scsi_error_from_host_byte.patch +net-ethtool-don-t-ignore-return-from-driver-get_fecparam-method.patch +iwlwifi-mvm-fix-tx-of-ccmp-256.patch +iwlwifi-mvm-fix-channel-switch-for-count-0-and-1.patch +iwlwifi-mvm-fix-assert-0x2b00-on-older-fws.patch +iwlwifi-avoid-collecting-firmware-dump-if-not-loaded.patch +iwlwifi-mvm-fix-failed-to-remove-key-message.patch +iwlwifi-mvm-direct-multicast-frames-to-the-correct-station.patch +iwlwifi-mvm-correctly-set-the-tid-for-mcast-queue.patch +rds-incorrect-reference-counting-in-tcp-socket-creation.patch +watchdog-f71808e_wdt-fix-magic-close-handling.patch +watchdog-sbsa-use-32-bit-read-for-wcv.patch +batman-adv-fix-multicast-packet-loss-with-a-single-want_all_ipv4-6-flag.patch +hv_netvsc-use-napi_schedule_irqoff.patch +hv_netvsc-filter-multicast-broadcast.patch +hv_netvsc-propagate-rx-filters-to-vf.patch +arm-dts-rockchip-add-missing-sound-dai-cells-on-rk3288.patch +perf-record-fix-crash-in-pipe-mode.patch +e1000e-fix-check_for_link-return-value-with-autoneg-off.patch +e1000e-allocate-ring-descriptors-with-dma_zalloc_coherent.patch +ia64-err-inject-use-get_user_pages_fast.patch +rdma-qedr-fix-kernel-panic-when-running-fio-over-nfsordma.patch +rdma-qedr-fix-iwarp-write-and-send-with-immediate.patch +ib-mlx4-fix-corruption-of-rocev2-ipv4-gids.patch +ib-mlx4-include-gid-type-when-deleting-gids-from-hw-table-under-roce.patch +ib-mlx5-fix-an-error-code-in-__mlx5_ib_modify_qp.patch +fbdev-fixing-arbitrary-kernel-leak-in-case-fbiogetcmap_sparc-in-sbusfb_ioctl_helper.patch +fsl-fman-avoid-sleeping-in-atomic-context-while-adding-an-address.patch +qed-free-roce-ilt-memory-on-rmmod-qedr.patch +net-qcom-emac-use-proper-free-methods-during-tx.patch +net-smsc911x-fix-unload-crash-when-link-is-up.patch +ib-core-fix-possible-crash-to-access-null-netdev.patch +cxgb4-do-not-set-needs_free_netdev-for-mgmt-dev-s.patch +xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch +xen-xenbus-use-put_device-instead-of-kfree.patch +hv_netvsc-fix-filter-flags.patch +hv_netvsc-fix-locking-for-rx_mode.patch +hv_netvsc-fix-locking-during-vf-setup.patch +arm-davinci-fix-the-gpio-lookup-for-omapl138-hawk.patch +arm64-relax-arm_smccc_arch_workaround_1-discovery.patch +selftests-vm-run_vmtests-adjust-hugetlb-size-according-to-nr_cpus.patch +lib-test_kmod.c-fix-limit-check-on-number-of-test-devices-created.patch +dmaengine-mv_xor_v2-fix-clock-resource-by-adding-a-register-clock.patch +netfilter-ebtables-fix-erroneous-reject-of-last-rule.patch +can-m_can-change-comparison-to-bitshift-when-dealing-with-a-mask.patch +can-m_can-select-pinctrl-state-in-each-suspend-resume-function.patch +bnxt_en-check-valid-vnic-id-in-bnxt_hwrm_vnic_set_tpa.patch +workqueue-use-put_device-instead-of-kfree.patch +ipv4-lock-mtu-in-fnhe-when-received-pmtu-net.ipv4.route.min_pmtu.patch +sunvnet-does-not-support-gso-for-sctp.patch +kvm-arm-arm64-vgic-add-missing-irq_lock-to-vgic_mmio_read_pending.patch +gpu-ipu-v3-prg-avoid-possible-array-underflow.patch +drm-imx-move-arming-of-the-vblank-event-to-atomic_flush.patch +drm-nouveau-bl-fix-backlight-regression.patch +xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch +iwlwifi-mvm-set-the-correct-tid-when-we-flush-the-mcast-sta.patch +iwlwifi-mvm-correctly-set-igtk-for-ap.patch +iwlwifi-mvm-fix-error-checking-for-multi-broadcast-sta.patch +microblaze-switch-to-no_bootmem.patch +net-fix-vlan-untag-for-bridge-and-vlan_dev-with-reorder_hdr-off.patch +vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch +batman-adv-fix-header-size-check-in-batadv_dbg_arp.patch +net-sched-fix-null-dereference-in-the-error-path-of-tcf_sample_init.patch +batman-adv-fix-skbuff-rcsum-on-packet-reroute.patch +vti4-don-t-count-header-length-twice-on-tunnel-setup.patch +ip_tunnel-clamp-mtu-to-bounds-on-new-link.patch +vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch +vti6-fix-dev-max_mtu-setting.patch +iwlwifi-mvm-increase-session-protection-time-after-cs.patch +iwlwifi-mvm-clear-tx-queue-id-when-unreserving-aggregation-queue.patch +iwlwifi-mvm-make-sure-internal-station-has-a-valid-id.patch +iwlwifi-mvm-fix-array-out-of-bounds-reference.patch +drm-tegra-shutdown-on-driver-unbind.patch +perf-cgroup-fix-child-event-counting-bug.patch +brcmfmac-fix-check-for-iso3166-code.patch +kbuild-make-scripts-adjust_autoksyms.sh-robust-against-timestamp-races.patch +rdma-ucma-correct-option-size-check-using-optlen.patch +rdma-qedr-fix-qp-s-ack-timeout-configuration.patch +rdma-qedr-fix-rc-initialization-on-cnq-allocation-failure.patch +rdma-qedr-fix-qp-state-initialization-race.patch +net-sched-fix-idr-leak-on-the-error-path-of-tcf_bpf_init.patch +net-sched-fix-idr-leak-in-the-error-path-of-tcf_simp_init.patch +net-sched-fix-idr-leak-in-the-error-path-of-tcf_act_police_init.patch +net-sched-fix-idr-leak-in-the-error-path-of-tcp_pedit_init.patch +net-sched-fix-idr-leak-in-the-error-path-of-__tcf_ipt_init.patch +net-sched-fix-idr-leak-in-the-error-path-of-tcf_skbmod_init.patch +net-dsa-fix-functional-dsa-loop-dependency-on-fixed_phy.patch +macsec-missing-dev_put-on-error-in-macsec_newlink.patch +drm-ast-fixed-1280x800-display-issue.patch +mm-mempolicy.c-avoid-use-uninitialized-preferred_node.patch +mm-thp-do-not-cause-memcg-oom-for-thp.patch +xfrm-fix-transport-mode-skb-control-buffer-usage.patch +selftests-ftrace-add-probe-event-argument-syntax-testcase.patch +selftests-ftrace-add-a-testcase-for-string-type-with-kprobe_event.patch +selftests-ftrace-add-a-testcase-for-probepoint.patch +drm-amdkfd-fix-scratch-memory-with-hws-enabled.patch +batman-adv-fix-multicast-via-unicast-transmission-with-ap-isolation.patch +batman-adv-fix-packet-loss-for-broadcasted-dhcp-packets-to-a-server.patch +arm-8748-1-mm-define-vdso_start-vdso_end-as-array.patch +lan78xx-set-asd-in-mac_cr-when-eee-is-enabled.patch +net-qmi_wwan-add-broadmobi-bm806u-2020-2033.patch +bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch +net-dsa-mt7530-fix-module-autoloading-for-of-platform-drivers.patch +net-mlx5-make-eswitch-support-to-depend-on-switchdev.patch +perf-x86-intel-fix-linear-ip-of-pebs-real_ip-on-haswell-and-later-cpus.patch +x86-alternatives-fixup-alternative_call_2.patch +llc-properly-handle-dev_queue_xmit-return-value.patch +builddeb-fix-header-package-regarding-dtc-source-links.patch +qede-fix-barrier-usage-after-tx-doorbell-write.patch +mm-slab-memcg_link-the-slab-s-kmem_cache.patch +mm-page_owner-fix-recursion-bug-after-changing-skip-entries.patch +mm-vmstat.c-fix-vmstat_update-preemption-bug.patch +mm-kmemleak.c-wait-for-scan-completion-before-disabling-free.patch +hv_netvsc-enable-multicast-if-necessary.patch +qede-do-not-drop-rx-checksum-invalidated-packets.patch +net-fix-untag-for-vlan-packets-without-ethernet-header.patch +vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch +net-mvneta-fix-enable-of-all-initialized-rxqs.patch +sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch +firmware-dmi_scan-fix-uuid-length-safety-check.patch +nvme-don-t-send-keep-alives-to-the-discovery-controller.patch +btrfs-clean-up-resources-during-umount-after-trans-is-aborted.patch +btrfs-fix-loss-of-prealloc-extents-past-i_size-after-fsync-log-replay.patch +x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch +x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch +fs-proc-proc_sysctl.c-fix-potential-page-fault-while-unregistering-sysctl-table.patch +swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch +z3fold-fix-memory-leak.patch +sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch +force-log-to-disk-before-reading-the-agf-during-a-fstrim.patch +cpufreq-cppc-initialize-shared-perf-capabilities-of-cpus.patch +powerpc-fscr-enable-interrupts-earlier-before-calling-get_user.patch +perf-tools-fix-perf-builds-with-clang-support.patch +perf-clang-add-support-for-recent-clang-versions.patch +dp83640-ensure-against-premature-access-to-phy-registers-after-reset.patch +arm-dts-ls1021a-specify-tbipa-register-address.patch +ibmvnic-zero-used-tx-descriptor-counter-on-reset.patch +mm-ksm-fix-interaction-with-thp.patch +mm-fix-races-between-address_space-dereference-and-free-in-page_evicatable.patch +mm-thp-fix-potential-clearing-to-referenced-flag-in-page_idle_clear_pte_refs_one.patch +btrfs-bail-out-on-error-during-replay_dir_deletes.patch +btrfs-fix-null-pointer-dereference-in-log_dir_items.patch +btrfs-fix-possible-softlock-on-single-core-machines.patch +ib-rxe-fix-for-oops-in-rxe_register_device-on-ppc64le-arch.patch +ocfs2-dlm-don-t-handle-migrate-lockres-if-already-in-shutdown.patch +powerpc-64s-idle-fix-restore-of-amor-on-power9-after-deep-sleep.patch +sched-rt-fix-rq-clock_update_flags-rqcf_act_skip-warning.patch +x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch +kvm-vmx-raise-internal-error-for-exception-during-invalid-protected-mode-state.patch +lan78xx-connect-phy-early.patch +fscache-fix-hanging-wait-on-page-discarded-by-writeback.patch +sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch +net-bgmac-fix-endian-access-in-bgmac_dma_tx_ring_free.patch +net-bgmac-correctly-annotate-register-space.patch +powerpc-64s-sreset-panic-if-there-is-no-debugger-or-crash-dump-handlers.patch +btrfs-tests-qgroup-fix-wrong-tree-backref-level.patch +btrfs-fix-copy_items-return-value-when-logging-an-inode.patch +btrfs-fix-lockdep-splat-in-btrfs_alloc_subvolume_writers.patch +btrfs-qgroup-fix-root-item-corruption-when-multiple-same-source-snapshots-are-created-with-quota-enabled.patch +rxrpc-fix-tx-ring-annotation-after-initial-tx-failure.patch +rxrpc-don-t-treat-call-aborts-as-conn-aborts.patch +xen-acpi-off-by-one-in-read_acpi_id.patch +drivers-macintosh-rack-meter-really-fix-bogus-memsets.patch +acpi-acpi_pad-fix-memory-leak-in-power-saving-threads.patch +powerpc-mpic-check-if-cpu_possible-in-mpic_physmask.patch +ieee802154-ca8210-fix-uninitialised-data-read.patch +ath10k-advertize-beacon_int_min_gcd.patch +iommu-amd-take-into-account-that-alloc_dev_data-may-return-null.patch +intel_th-use-correct-method-of-finding-hub.patch +m68k-set-dma-and-coherent-masks-for-platform-fec-ethernets.patch +iwlwifi-mvm-check-if-mac80211_queue-is-valid-in-iwl_mvm_disable_txq.patch +parisc-pci-switch-lba-pci-bus-from-hard-fail-to-soft-fail-mode.patch +hwmon-nct6775-fix-writing-pwmx_mode.patch +powerpc-perf-prevent-kernel-address-leak-to-userspace-via-bhrb-buffer.patch +powerpc-perf-fix-kernel-address-leak-via-sampling-registers.patch +rsi-fix-kernel-panic-observed-on-64bit-machine.patch +tools-thermal-tmon-fix-for-segfault.patch +selftests-print-the-test-we-re-running-to-dev-kmsg.patch +net-mlx5-protect-from-command-bit-overflow.patch +watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch +ath10k-fix-kernel-panic-while-using-worker-ath10k_sta_rc_update_wk.patch +nvme-pci-disable-apst-for-samsung-nvme-ssd-960-evo-asus-prime-z370-a.patch +ath9k-fix-crash-in-spectral-scan.patch +cxgb4-setup-fw-queues-before-registering-netdev.patch +ima-fix-kconfig-to-select-tpm-2.0-crb-interface.patch +ima-fallback-to-the-builtin-hash-algorithm.patch +watchdog-aspeed-allow-configuring-for-alternate-boot.patch +virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch +arm-dts-socfpga-fix-gic-ppi-warning.patch +ext4-don-t-complain-about-incorrect-features-when-probing.patch +drm-vmwgfx-unpin-the-screen-object-backup-buffer-when-not-used.patch +iommu-mediatek-fix-protect-memory-setting.patch +cpufreq-cppc_cpufreq-fix-cppc_cpufreq_init-failure-path.patch +ib-mlx5-set-the-default-active-rate-and-width-to-qdr-and-4x.patch +zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch +bcache-quit-dc-writeback_thread-when-bcache_dev_detaching-is-set.patch +remoteproc-imx_rproc-fix-an-error-handling-path-in-imx_rproc_probe.patch +dt-bindings-add-device-tree-binding-for-allwinner-h6-main-ccu.patch +acpica-events-add-a-return-on-failure-from-acpi_hw_register_read.patch +acpica-fix-memory-leak-on-unusual-memory-leak.patch +acpica-acpi-acpica-fix-acpi-operand-cache-leak-in-nseval.c.patch +cxgb4-fix-queue-free-path-of-uld-drivers.patch +i2c-mv64xxx-apply-errata-delay-only-in-standard-mode.patch +kvm-lapic-stop-advertising-directed_eoi-when-in-kernel-ioapic-is-in-use.patch +perf-top-fix-top.call-graph-config-option-reading.patch +perf-stat-fix-core-dump-when-flag-t-is-used.patch +ib-core-honor-port_num-while-resolving-gid-for-ib-link-layer.patch +drm-amdkfd-add-missing-include-of-mm.h.patch +coresight-use-px-to-print-pcsr-instead-of-p.patch +regulator-gpio-fix-some-error-handling-paths-in-gpio_regulator_probe.patch +spi-bcm-qspi-fix-some-error-handling-paths.patch +net-smc-pay-attention-to-max_order-for-cq-entries.patch +mips-ath79-fix-ar724x_pll_reg_pcie_config-offset.patch +pci-restore-config-space-on-runtime-resume-despite-being-unbound.patch +watchdog-dw-rmw-the-control-register.patch +watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch +ipmi_ssif-fix-kernel-panic-at-msg_done_handler.patch +drm-meson-fix-some-error-handling-paths-in-meson_drv_bind_master.patch +drm-meson-fix-an-un-handled-error-path-in-meson_drv_bind_master.patch +powerpc-add-missing-prototype-for-arch_irq_work_raise.patch +powerpc-powernv-npu-fix-deadlock-in-mmio_invalidate.patch +cxl-check-if-psl-data-cache-is-available-before-issue-flush-request.patch +f2fs-fix-to-set-keep_size-bit-in-f2fs_zero_range.patch +f2fs-fix-to-clear-cp_trimmed_flag.patch +f2fs-fix-to-check-extent-cache-in-f2fs_drop_extent_tree.patch +perf-core-fix-installing-cgroup-events-on-cpu.patch +max17042-propagate-of_node-to-power-supply-device.patch +perf-core-fix-perf_output_read_group.patch +drm-panel-simple-fix-the-bus-format-for-the-ontat-panel.patch +hwmon-pmbus-max8688-accept-negative-page-register-values.patch +hwmon-pmbus-adm1275-accept-negative-page-register-values.patch +perf-x86-intel-properly-save-restore-the-pmu-state-in-the-nmi-handler.patch +cdrom-do-not-call-check_disk_change-inside-cdrom_open.patch +efi-arm-only-register-page-tables-when-they-exist.patch +perf-x86-intel-fix-large-period-handling-on-broadwell-cpus.patch +perf-x86-intel-fix-event-update-for-auto-reload.patch +arm64-dts-qcom-fix-spi5-config-on-msm8996.patch +soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch +gfs2-fix-fallocate-chunk-size.patch +x86-devicetree-initialize-device-tree-before-using-it.patch +x86-devicetree-fix-device-irq-settings-in-dt.patch +phy-rockchip-emmc-retry-calpad-busy-trimming.patch +alsa-vmaster-propagate-slave-error.patch +phy-qcom-qmp-fix-phy-pipe-clock-gating.patch +drm-bridge-sii902x-retry-status-read-after-ddi-i2c.patch +tools-hv-fix-compiler-warnings-about-major-target_fname.patch +block-null_blk-fix-invalid-parameters-when-loading-module.patch +dmaengine-pl330-fix-a-race-condition-in-case-of-threaded-irqs.patch +i2c-core-report-of-style-module-alias-for-devices-registered-via-of.patch +dmaengine-rcar-dmac-check-the-done-lists-in-rcar_dmac_chan_get_residue.patch +enic-enable-rq-before-updating-rq-descriptors.patch +watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch +hwrng-stm32-add-reset-during-probe.patch +pinctrl-devicetree-fix-dt_to_map_one_config-handling-of-hogs.patch +pinctrl-artpec6-dt-add-missing-pin-group-uart5nocts.patch +vfio-ccw-fence-off-transport-mode.patch +dmaengine-qcom-bam_dma-get-num-channels-and-num-ees-from-dt.patch +drm-omapdrm-dss-move-initialization-code-from-component-bind-to-probe.patch +arm-dts-dra71-evm-correct-evm_sd-regulator-max-voltage.patch +drm-amdgpu-disable-gfx-ring-and-disable-pq-wptr-in-hw_fini.patch +drm-amdgpu-adjust-timeout-for-ib_ring_tests-v2.patch +net-stmmac-ensure-that-the-device-has-released-ownership-before-reading-data.patch +net-stmmac-ensure-that-the-mss-desc-is-the-last-desc-to-set-the-own-bit.patch +cpufreq-reorder-cpufreq_online-error-code-path.patch +dpaa_eth-fix-sg-mapping.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9220.patch +udf-provide-saner-default-for-invalid-uid-gid.patch +ixgbe-prevent-ptp_rx_hang-from-running-when-in-filter_all-mode.patch +sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch +power-supply-ltc2941-battery-gauge-fix-temperature-units.patch +arm-dts-bcm283x-fix-probing-of-bcm2835-i2s.patch +arm-dts-bcm283x-fix-pin-function-of-jtag-pins.patch +pcmcia-pm-avoid-noirq-suspend-aborts-during-suspend-to-idle.patch +audit-return-on-memory-error-to-avoid-null-pointer-dereference.patch +net-stmmac-call-correct-function-in-stmmac_mac_config_rx_queues_routing.patch +rcu-call-touch_nmi_watchdog-while-printing-stall-warnings.patch +pinctrl-sh-pfc-r8a7796-fix-mod_sel-register-pin-assignment-for-ssi-pins-group.patch +dpaa_eth-fix-pause-capability-advertisement-logic.patch +mips-octeon-fix-logging-messages-with-spurious-periods-after-newlines.patch +drm-rockchip-respect-page-offset-for-prime-mmap-calls.patch +x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch +perf-test-fix-test-case-inet_pton-to-accept-inlines.patch +perf-report-fix-wrong-jump-arrow.patch +perf-tests-use-arch__compare_symbol_names-to-compare-symbols.patch +perf-report-fix-memory-corruption-in-branch-history-mode-branch-history.patch +perf-tests-fix-dwarf-unwind-for-stripped-binaries.patch +selftests-net-fixes-psock_fanout-ebpf-test-case.patch +netlabel-if-pf_inet6-check-sk_buff-ip-header-version.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen3.patch +drm-rcar-du-lvds-fix-lvds-startup-on-r-car-gen2.patch +arm-dts-at91-tse850-use-the-correct-compatible-for-the-eeprom.patch +regmap-correct-comparison-in-regmap_cached.patch +i40e-add-delay-after-emp-reset-for-firmware-to-recover.patch +arm-dts-imx7d-cl-som-imx7-fix-pinctrl_enet.patch +arm-dts-porter-fix-hdmi-output-routing.patch +regulator-of-add-a-missing-of_node_put-in-an-error-handling-path-of-of_regulator_match.patch +pinctrl-msm-use-dynamic-gpio-numbering.patch +pinctrl-mcp23s08-spi-fix-regmap-debugfs-entries.patch +kdb-make-mdr-command-repeat.patch diff --git a/queue-4.14/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch b/queue-4.14/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch new file mode 100644 index 00000000000..a01d450341d --- /dev/null +++ b/queue-4.14/sh-fix-debug-trap-failure-to-process-signals-before-return-to-user.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Rich Felker +Date: Thu, 15 Mar 2018 20:01:36 -0400 +Subject: sh: fix debug trap failure to process signals before return to user + +From: Rich Felker + +[ Upstream commit 96a598996f6ac518ac79839ecbb17c91af91f4f7 ] + +When responding to a debug trap (breakpoint) in userspace, the +kernel's trap handler raised SIGTRAP but returned from the trap via a +code path that ignored pending signals, resulting in an infinite loop +re-executing the trapping instruction. + +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sh/kernel/entry-common.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/kernel/entry-common.S ++++ b/arch/sh/kernel/entry-common.S +@@ -255,7 +255,7 @@ debug_trap: + mov.l @r8, r8 + jsr @r8 + nop +- bra __restore_all ++ bra ret_from_exception + nop + CFI_ENDPROC + diff --git a/queue-4.14/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch b/queue-4.14/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch new file mode 100644 index 00000000000..8bb123c57e3 --- /dev/null +++ b/queue-4.14/sh_eth-fix-tsu-init-on-sh7734-r8a7740.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sergei Shtylyov +Date: Sat, 24 Feb 2018 22:41:45 +0300 +Subject: sh_eth: fix TSU init on SH7734/R8A7740 + +From: Sergei Shtylyov + +[ Upstream commit a94cf2a614f8bc5b2b33c708626ce695bf71e424 ] + +It appears that the single port Ether controllers having TSU (like SH7734/ +R8A7740) need the same kind of treating in sh_eth_tsu_init() as R7S72100 +currently has -- they also don't have the TSU registers related e.g. to +passing the frames between ports. Add the 'sh_eth_cpu_data::dual_port' +flag and use it as a new criterion for taking a "short path" in the TSU +init sequence in order to avoid writing to the non-existent registers... + +Fixes: f0e81fecd4f8 ("net: sh_eth: Add support SH7734") +Fixes: 73a0d907301e ("net: sh_eth: add support R8A7740") +Signed-off-by: Sergei Shtylyov +Tested-by: Geert Uytterhoeven +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 6 +++++- + drivers/net/ethernet/renesas/sh_eth.h | 1 + + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -753,6 +753,7 @@ static struct sh_eth_cpu_data sh7757_dat + .rpadir = 1, + .rpadir_value = 2 << 16, + .rtrate = 1, ++ .dual_port = 1, + }; + + #define SH_GIGA_ETH_BASE 0xfee00000UL +@@ -831,6 +832,7 @@ static struct sh_eth_cpu_data sh7757_dat + .no_trimd = 1, + .no_ade = 1, + .tsu = 1, ++ .dual_port = 1, + }; + + /* SH7734 */ +@@ -901,6 +903,7 @@ static struct sh_eth_cpu_data sh7763_dat + .tsu = 1, + .irq_flags = IRQF_SHARED, + .magic = 1, ++ .dual_port = 1, + }; + + static struct sh_eth_cpu_data sh7619_data = { +@@ -933,6 +936,7 @@ static struct sh_eth_cpu_data sh771x_dat + EESIPR_RRFIP | EESIPR_RTLFIP | EESIPR_RTSFIP | + EESIPR_PREIP | EESIPR_CERFIP, + .tsu = 1, ++ .dual_port = 1, + }; + + static void sh_eth_set_default_cpu_data(struct sh_eth_cpu_data *cd) +@@ -2911,7 +2915,7 @@ static int sh_eth_vlan_rx_kill_vid(struc + /* SuperH's TSU register init function */ + static void sh_eth_tsu_init(struct sh_eth_private *mdp) + { +- if (sh_eth_is_rz_fast_ether(mdp)) { ++ if (!mdp->cd->dual_port) { + sh_eth_tsu_write(mdp, 0, TSU_TEN); /* Disable all CAM entry */ + sh_eth_tsu_write(mdp, TSU_FWSLC_POSTENU | TSU_FWSLC_POSTENL, + TSU_FWSLC); /* Enable POST registers */ +--- a/drivers/net/ethernet/renesas/sh_eth.h ++++ b/drivers/net/ethernet/renesas/sh_eth.h +@@ -509,6 +509,7 @@ struct sh_eth_cpu_data { + unsigned rmiimode:1; /* EtherC has RMIIMODE register */ + unsigned rtrate:1; /* EtherC has RTRATE register */ + unsigned magic:1; /* EtherC has ECMR.MPDE and ECSR.MPD */ ++ unsigned dual_port:1; /* Dual EtherC/E-DMAC */ + }; + + struct sh_eth_private { diff --git a/queue-4.14/sit-fix-ifla_mtu-ignored-on-newlink.patch b/queue-4.14/sit-fix-ifla_mtu-ignored-on-newlink.patch new file mode 100644 index 00000000000..5616cd715e8 --- /dev/null +++ b/queue-4.14/sit-fix-ifla_mtu-ignored-on-newlink.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xin Long +Date: Tue, 27 Feb 2018 19:19:41 +0800 +Subject: sit: fix IFLA_MTU ignored on NEWLINK + +From: Xin Long + +[ Upstream commit 2b3957c34b6d7f03544b12ebbf875eee430745db ] + +Commit 128bb975dc3c ("ip6_gre: init dev->mtu and dev->hard_header_len +correctly") fixed IFLA_MTU ignored on NEWLINK for ip6_gre. The same +mtu fix is also needed for sit. + +Note that dev->hard_header_len setting for sit works fine, no need to +fix it. sit is actually ipv4 tunnel, it can't call ip6_tnl_change_mtu +to set mtu. + +Reported-by: Jianlin Shi +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1569,6 +1569,13 @@ static int ipip6_newlink(struct net *src + if (err < 0) + return err; + ++ if (tb[IFLA_MTU]) { ++ u32 mtu = nla_get_u32(tb[IFLA_MTU]); ++ ++ if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len) ++ dev->mtu = mtu; ++ } ++ + #ifdef CONFIG_IPV6_SIT_6RD + if (ipip6_netlink_6rd_parms(data, &ip6rd)) + err = ipip6_tunnel_update_6rd(nt, &ip6rd); diff --git a/queue-4.14/smsc75xx-fix-smsc75xx_set_features.patch b/queue-4.14/smsc75xx-fix-smsc75xx_set_features.patch new file mode 100644 index 00000000000..97087007b2e --- /dev/null +++ b/queue-4.14/smsc75xx-fix-smsc75xx_set_features.patch @@ -0,0 +1,42 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Eric Dumazet +Date: Tue, 20 Feb 2018 21:42:26 -0800 +Subject: smsc75xx: fix smsc75xx_set_features() + +From: Eric Dumazet + +[ Upstream commit 88e80c62671ceecdbb77c902731ec95a4bfa62f9 ] + +If an attempt is made to disable RX checksums, USB adapter is changed +but netdev->features is not, because smsc75xx_set_features() returns a +non zero value. + +This throws errors from netdev_rx_csum_fault() : +: hw csum failure + +Signed-off-by: Eric Dumazet +Cc: Steve Glendinning +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/smsc75xx.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -954,10 +954,11 @@ static int smsc75xx_set_features(struct + /* it's racing here! */ + + ret = smsc75xx_write_reg(dev, RFE_CTL, pdata->rfe_ctl); +- if (ret < 0) ++ if (ret < 0) { + netdev_warn(dev->net, "Error writing RFE_CTL\n"); +- +- return ret; ++ return ret; ++ } ++ return 0; + } + + static int smsc75xx_wait_ready(struct usbnet *dev, int in_pm) diff --git a/queue-4.14/soc-imx-gpc-de-register-power-domains-only-if-initialized.patch b/queue-4.14/soc-imx-gpc-de-register-power-domains-only-if-initialized.patch new file mode 100644 index 00000000000..3a6375a7a4e --- /dev/null +++ b/queue-4.14/soc-imx-gpc-de-register-power-domains-only-if-initialized.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefan Agner +Date: Sun, 7 Jan 2018 14:49:05 +0100 +Subject: soc: imx: gpc: de-register power domains only if initialized + +From: Stefan Agner + +[ Upstream commit 7801c545e706674aeed40256eb806ad37b18ad71 ] + +If power domain information are missing in the device tree, no +power domains get initialized. However, imx_gpc_remove tries to +remove power domains always in the old DT binding case. Only +remove power domains when imx_gpc_probe initialized them in +first place. + +Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") +Signed-off-by: Stefan Agner +Reviewed-by: Lucas Stach +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/imx/gpc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/soc/imx/gpc.c ++++ b/drivers/soc/imx/gpc.c +@@ -456,13 +456,21 @@ static int imx_gpc_probe(struct platform + + static int imx_gpc_remove(struct platform_device *pdev) + { ++ struct device_node *pgc_node; + int ret; + ++ pgc_node = of_get_child_by_name(pdev->dev.of_node, "pgc"); ++ ++ /* bail out if DT too old and doesn't provide the necessary info */ ++ if (!of_property_read_bool(pdev->dev.of_node, "#power-domain-cells") && ++ !pgc_node) ++ return 0; ++ + /* + * If the old DT binding is used the toplevel driver needs to + * de-register the power domains + */ +- if (!of_get_child_by_name(pdev->dev.of_node, "pgc")) { ++ if (!pgc_node) { + of_genpd_del_provider(pdev->dev.of_node); + + ret = pm_genpd_remove(&imx_gpc_domains[GPC_PGC_DOMAIN_PU].base); diff --git a/queue-4.14/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch b/queue-4.14/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch new file mode 100644 index 00000000000..93899d56f6b --- /dev/null +++ b/queue-4.14/soc-qcom-wcnss_ctrl-fix-increment-in-nv-upload.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bjorn Andersson +Date: Tue, 27 Feb 2018 16:45:25 -0800 +Subject: soc: qcom: wcnss_ctrl: Fix increment in NV upload + +From: Bjorn Andersson + +[ Upstream commit 90c29ed7627b6b4aeb603ee197650173c8434512 ] + +hdr.len includes both the size of the header and the fragment, so using +this when stepping through the firmware causes us to skip 16 bytes every +chunk of 3072 bytes; causing only the first fragment to actually be +valid data. + +Instead use fragment size steps through the firmware blob. + +Fixes: ea7a1f275cf0 ("soc: qcom: Introduce WCNSS_CTRL SMD client") +Reported-by: Will Newton +Signed-off-by: Bjorn Andersson +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/qcom/wcnss_ctrl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/soc/qcom/wcnss_ctrl.c ++++ b/drivers/soc/qcom/wcnss_ctrl.c +@@ -249,7 +249,7 @@ static int wcnss_download_nv(struct wcns + /* Increment for next fragment */ + req->seq++; + +- data += req->hdr.len; ++ data += NV_FRAGMENT_SIZE; + left -= NV_FRAGMENT_SIZE; + } while (left > 0); + diff --git a/queue-4.14/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch b/queue-4.14/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch new file mode 100644 index 00000000000..12bc2c3fb37 --- /dev/null +++ b/queue-4.14/sparc64-make-atomic_xchg-an-inline-function-rather-than-a-macro.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: "David S. Miller" +Date: Tue, 3 Apr 2018 08:24:35 -0700 +Subject: sparc64: Make atomic_xchg() an inline function rather than a macro. + +From: "David S. Miller" + +[ Upstream commit d13864b68e41c11e4231de90cf358658f6ecea45 ] + +This avoids a lot of -Wunused warnings such as: + +==================== +kernel/debug/debug_core.c: In function ‘kgdb_cpu_enter’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +./arch/sparc/include/asm/atomic_64.h:86:30: note: in expansion of macro ‘xchg’ + #define atomic_xchg(v, new) (xchg(&((v)->counter), new)) + ^~~~ +kernel/debug/debug_core.c:508:4: note: in expansion of macro ‘atomic_xchg’ + atomic_xchg(&kgdb_active, cpu); + ^~~~~~~~~~~ +==================== + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/include/asm/atomic_64.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/sparc/include/asm/atomic_64.h ++++ b/arch/sparc/include/asm/atomic_64.h +@@ -83,7 +83,11 @@ ATOMIC_OPS(xor) + #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0) + + #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n))) +-#define atomic_xchg(v, new) (xchg(&((v)->counter), new)) ++ ++static inline int atomic_xchg(atomic_t *v, int new) ++{ ++ return xchg(&v->counter, new); ++} + + static inline int __atomic_add_unless(atomic_t *v, int a, int u) + { diff --git a/queue-4.14/spectrum-reference-count-vlan-entries.patch b/queue-4.14/spectrum-reference-count-vlan-entries.patch new file mode 100644 index 00000000000..ae56afc1447 --- /dev/null +++ b/queue-4.14/spectrum-reference-count-vlan-entries.patch @@ -0,0 +1,91 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ido Schimmel +Date: Wed, 28 Feb 2018 13:12:11 +0100 +Subject: spectrum: Reference count VLAN entries + +From: Ido Schimmel + +[ Upstream commit b3529af6bb0d4fe72defdd539712ceffaa054fb3 ] + +One of the basic construct in the device is a port-VLAN pair, which can +be bound to a FID or a RIF in order to direct packets to the bridge or +the router, respectively. + +Since not all the netdevs are configured with a VLAN (e.g., sw1p1 vs. +sw1p1.10), VID 1 is used to represent these and thus this VID can be +used by both upper devices of mlxsw ports and by the driver itself. + +However, this VID is not reference counted and therefore might be freed +prematurely, which can result in various WARNINGs. For example: + +$ ip link add name br0 type bridge vlan_filtering 1 +$ teamd -t team0 -d -c '{"runner": {"name": "lacp"}}' +$ ip link set dev team0 master br0 +$ ip link set dev enp1s0np1 master team0 +$ ip address add 192.0.2.1/24 dev enp1s0np1 + +The enslavement to team0 will fail because team0 already has an upper +and thus vlan_vids_del_by_dev() will be executed as part of team's error +path which will delete VID 1 from enp1s0np1 (added by br0 as PVID). The +WARNING will be generated when the driver will realize it can't find VID +1 on the port and bind it to a RIF. + +Fix this by adding a reference count to the VLAN entries on the port, in +a similar fashion to the reference counting used by the corresponding +'vlan_vid_info' structure in the 8021q driver. + +Fixes: c57529e1d5d8 ("mlxsw: spectrum: Replace vPorts with Port-VLAN") +Reported-by: Tal Bar +Signed-off-by: Ido Schimmel +Tested-by: Tal Bar +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 8 +++++++- + drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +@@ -1417,6 +1417,7 @@ mlxsw_sp_port_vlan_create(struct mlxsw_s + } + + mlxsw_sp_port_vlan->mlxsw_sp_port = mlxsw_sp_port; ++ mlxsw_sp_port_vlan->ref_count = 1; + mlxsw_sp_port_vlan->vid = vid; + list_add(&mlxsw_sp_port_vlan->list, &mlxsw_sp_port->vlans_list); + +@@ -1444,8 +1445,10 @@ mlxsw_sp_port_vlan_get(struct mlxsw_sp_p + struct mlxsw_sp_port_vlan *mlxsw_sp_port_vlan; + + mlxsw_sp_port_vlan = mlxsw_sp_port_vlan_find_by_vid(mlxsw_sp_port, vid); +- if (mlxsw_sp_port_vlan) ++ if (mlxsw_sp_port_vlan) { ++ mlxsw_sp_port_vlan->ref_count++; + return mlxsw_sp_port_vlan; ++ } + + return mlxsw_sp_port_vlan_create(mlxsw_sp_port, vid); + } +@@ -1454,6 +1457,9 @@ void mlxsw_sp_port_vlan_put(struct mlxsw + { + struct mlxsw_sp_fid *fid = mlxsw_sp_port_vlan->fid; + ++ if (--mlxsw_sp_port_vlan->ref_count != 0) ++ return; ++ + if (mlxsw_sp_port_vlan->bridge_port) + mlxsw_sp_port_vlan_bridge_leave(mlxsw_sp_port_vlan); + else if (fid) +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h +@@ -194,6 +194,7 @@ struct mlxsw_sp_port_vlan { + struct list_head list; + struct mlxsw_sp_port *mlxsw_sp_port; + struct mlxsw_sp_fid *fid; ++ unsigned int ref_count; + u16 vid; + struct mlxsw_sp_bridge_port *bridge_port; + struct list_head bridge_vlan_node; diff --git a/queue-4.14/spi-bcm-qspi-fix-some-error-handling-paths.patch b/queue-4.14/spi-bcm-qspi-fix-some-error-handling-paths.patch new file mode 100644 index 00000000000..c0c76d8994e --- /dev/null +++ b/queue-4.14/spi-bcm-qspi-fix-some-error-handling-paths.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Christophe Jaillet +Date: Tue, 13 Mar 2018 19:36:58 +0100 +Subject: spi: bcm-qspi: fIX some error handling paths + +From: Christophe Jaillet + +[ Upstream commit bc3cc75281b3c2b1c5355d88d147b66a753bb9a5 ] + +For some reason, commit c0368e4db4a3 ("spi: bcm-qspi: Fix use after free +in bcm_qspi_probe() in error path") has updated some gotos, but not all of +them. + +This looks spurious, so fix it. + +Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm-qspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-bcm-qspi.c ++++ b/drivers/spi/spi-bcm-qspi.c +@@ -1255,7 +1255,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[MSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[MSPI])) { + ret = PTR_ERR(qspi->base[MSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + } else { + goto qspi_resource_err; +@@ -1266,7 +1266,7 @@ int bcm_qspi_probe(struct platform_devic + qspi->base[BSPI] = devm_ioremap_resource(dev, res); + if (IS_ERR(qspi->base[BSPI])) { + ret = PTR_ERR(qspi->base[BSPI]); +- goto qspi_probe_err; ++ goto qspi_resource_err; + } + qspi->bspi_mode = true; + } else { diff --git a/queue-4.14/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch b/queue-4.14/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch new file mode 100644 index 00000000000..bc43de95fb7 --- /dev/null +++ b/queue-4.14/sr-get-drop-reference-to-device-in-revalidate-and-check_events.patch @@ -0,0 +1,119 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jens Axboe +Date: Wed, 11 Apr 2018 11:26:09 -0600 +Subject: sr: get/drop reference to device in revalidate and check_events + +From: Jens Axboe + +[ Upstream commit 2d097c50212e137e7b53ffe3b37561153eeba87d ] + +We can't just use scsi_cd() to get the scsi_cd structure, we have +to grab a live reference to the device. For both callbacks, we're +not inside an open where we already hold a reference to the device. + +This fixes device removal/addition under concurrent device access, +which otherwise could result in the below oops. + +NULL pointer dereference at 0000000000000010 +PGD 0 P4D 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: +sr 12:0:0:0: [sr2] scsi-1 drive + scsi_debug crc_t10dif crct10dif_generic crct10dif_common nvme nvme_core sb_edac xl +sr 12:0:0:0: Attached scsi CD-ROM sr2 + sr_mod cdrom btrfs xor zstd_decompress zstd_compress xxhash lzo_compress zlib_defc +sr 12:0:0:0: Attached scsi generic sg7 type 5 + igb ahci libahci i2c_algo_bit libata dca [last unloaded: crc_t10dif] +CPU: 43 PID: 4629 Comm: systemd-udevd Not tainted 4.16.0+ #650 +Hardware name: Dell Inc. PowerEdge T630/0NT78X, BIOS 2.3.4 11/09/2016 +RIP: 0010:sr_block_revalidate_disk+0x23/0x190 [sr_mod] +RSP: 0018:ffff883ff357bb58 EFLAGS: 00010292 +RAX: ffffffffa00b07d0 RBX: ffff883ff3058000 RCX: ffff883ff357bb66 +RDX: 0000000000000003 RSI: 0000000000007530 RDI: ffff881fea631000 +RBP: 0000000000000000 R08: ffff881fe4d38400 R09: 0000000000000000 +R10: 0000000000000000 R11: 00000000000001b6 R12: 000000000800005d +R13: 000000000800005d R14: ffff883ffd9b3790 R15: 0000000000000000 +FS: 00007f7dc8e6d8c0(0000) GS:ffff883fff340000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000000000010 CR3: 0000003ffda98005 CR4: 00000000003606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? __invalidate_device+0x48/0x60 + check_disk_change+0x4c/0x60 + sr_block_open+0x16/0xd0 [sr_mod] + __blkdev_get+0xb9/0x450 + ? iget5_locked+0x1c0/0x1e0 + blkdev_get+0x11e/0x320 + ? bdget+0x11d/0x150 + ? _raw_spin_unlock+0xa/0x20 + ? bd_acquire+0xc0/0xc0 + do_dentry_open+0x1b0/0x320 + ? inode_permission+0x24/0xc0 + path_openat+0x4e6/0x1420 + ? cpumask_any_but+0x1f/0x40 + ? flush_tlb_mm_range+0xa0/0x120 + do_filp_open+0x8c/0xf0 + ? __seccomp_filter+0x28/0x230 + ? _raw_spin_unlock+0xa/0x20 + ? __handle_mm_fault+0x7d6/0x9b0 + ? list_lru_add+0xa8/0xc0 + ? _raw_spin_unlock+0xa/0x20 + ? __alloc_fd+0xaf/0x160 + ? do_sys_open+0x1a6/0x230 + do_sys_open+0x1a6/0x230 + do_syscall_64+0x5a/0x100 + entry_SYSCALL_64_after_hwframe+0x3d/0xa2 + +Reviewed-by: Lee Duncan +Reviewed-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sr.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -585,18 +585,28 @@ out: + static unsigned int sr_block_check_events(struct gendisk *disk, + unsigned int clearing) + { +- struct scsi_cd *cd = scsi_cd(disk); ++ unsigned int ret = 0; ++ struct scsi_cd *cd; + +- if (atomic_read(&cd->device->disk_events_disable_depth)) ++ cd = scsi_cd_get(disk); ++ if (!cd) + return 0; + +- return cdrom_check_events(&cd->cdi, clearing); ++ if (!atomic_read(&cd->device->disk_events_disable_depth)) ++ ret = cdrom_check_events(&cd->cdi, clearing); ++ ++ scsi_cd_put(cd); ++ return ret; + } + + static int sr_block_revalidate_disk(struct gendisk *disk) + { +- struct scsi_cd *cd = scsi_cd(disk); + struct scsi_sense_hdr sshdr; ++ struct scsi_cd *cd; ++ ++ cd = scsi_cd_get(disk); ++ if (!cd) ++ return -ENXIO; + + /* if the unit is not ready, nothing more to do */ + if (scsi_test_unit_ready(cd->device, SR_TIMEOUT, MAX_RETRIES, &sshdr)) +@@ -605,6 +615,7 @@ static int sr_block_revalidate_disk(stru + sr_cd_check(&cd->cdi); + get_sectorsize(cd); + out: ++ scsi_cd_put(cd); + return 0; + } + diff --git a/queue-4.14/sunvnet-does-not-support-gso-for-sctp.patch b/queue-4.14/sunvnet-does-not-support-gso-for-sctp.patch new file mode 100644 index 00000000000..54029799e0c --- /dev/null +++ b/queue-4.14/sunvnet-does-not-support-gso-for-sctp.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Cathy Zhou +Date: Wed, 14 Mar 2018 10:56:07 -0700 +Subject: sunvnet: does not support GSO for sctp + +From: Cathy Zhou + +[ Upstream commit cf55612a945039476abfd73e39064b2e721c3272 ] + +The NETIF_F_GSO_SOFTWARE implies support for GSO on SCTP, but the +sunvnet driver does not support GSO for sctp. Here we remove the +NETIF_F_GSO_SOFTWARE feature flag and only report NETIF_F_ALL_TSO +instead. + +Signed-off-by: Cathy Zhou +Signed-off-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/sun/sunvnet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -311,7 +311,7 @@ static struct vnet *vnet_new(const u64 * + dev->ethtool_ops = &vnet_ethtool_ops; + dev->watchdog_timeo = VNET_TX_TIMEOUT; + +- dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_GSO_SOFTWARE | ++ dev->hw_features = NETIF_F_TSO | NETIF_F_GSO | NETIF_F_ALL_TSO | + NETIF_F_HW_CSUM | NETIF_F_SG; + dev->features = dev->hw_features; + diff --git a/queue-4.14/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch b/queue-4.14/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch new file mode 100644 index 00000000000..f7ffa3b90e9 --- /dev/null +++ b/queue-4.14/swap-divide-by-zero-when-zero-length-swap-file-on-ssd.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Tom Abraham +Date: Tue, 10 Apr 2018 16:29:48 -0700 +Subject: swap: divide-by-zero when zero length swap file on ssd + +From: Tom Abraham + +[ Upstream commit a06ad633a37c64a0cd4c229fc605cee8725d376e ] + +Calling swapon() on a zero length swap file on SSD can lead to a +divide-by-zero. + +Although creating such files isn't possible with mkswap and they woud be +considered invalid, it would be better for the swapon code to be more +robust and handle this condition gracefully (return -EINVAL). +Especially since the fix is small and straightforward. + +To help with wear leveling on SSD, the swapon syscall calculates a +random position in the swap file using modulo p->highest_bit, which is +set to maxpages - 1 in read_swap_header. + +If the swap file is zero length, read_swap_header sets maxpages=1 and +last_page=0, resulting in p->highest_bit=0 and we divide-by-zero when we +modulo p->highest_bit in swapon syscall. + +This can be prevented by having read_swap_header return zero if +last_page is zero. + +Link: http://lkml.kernel.org/r/5AC747C1020000A7001FA82C@prv-mh.provo.novell.com +Signed-off-by: Thomas Abraham +Reported-by: +Reviewed-by: Andrew Morton +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/swapfile.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -2954,6 +2954,10 @@ static unsigned long read_swap_header(st + maxpages = swp_offset(pte_to_swp_entry( + swp_entry_to_pte(swp_entry(0, ~0UL)))) + 1; + last_page = swap_header->info.last_page; ++ if (!last_page) { ++ pr_warn("Empty swap-file\n"); ++ return 0; ++ } + if (last_page > maxpages) { + pr_warn("Truncating oversized swap area, only using %luk out of %luk\n", + maxpages << (PAGE_SHIFT - 10), diff --git a/queue-4.14/tls-retrun-the-correct-iv-in-getsockopt.patch b/queue-4.14/tls-retrun-the-correct-iv-in-getsockopt.patch new file mode 100644 index 00000000000..6a37eb915f0 --- /dev/null +++ b/queue-4.14/tls-retrun-the-correct-iv-in-getsockopt.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Boris Pismenny +Date: Wed, 14 Feb 2018 10:46:06 +0200 +Subject: tls: retrun the correct IV in getsockopt + +From: Boris Pismenny + +[ Upstream commit a1dfa6812b682eef750412dd5a90e7d38d7af068 ] + +Current code returns four bytes of salt followed by four bytes of IV. +This patch returns all eight bytes of IV. + +fixes: 3c4d7559159b ("tls: kernel TLS support") +Signed-off-by: Boris Pismenny +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tls/tls_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/tls/tls_main.c ++++ b/net/tls/tls_main.c +@@ -299,7 +299,8 @@ static int do_tls_getsockopt_tx(struct s + goto out; + } + lock_sock(sk); +- memcpy(crypto_info_aes_gcm_128->iv, ctx->iv, ++ memcpy(crypto_info_aes_gcm_128->iv, ++ ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE, + TLS_CIPHER_AES_GCM_128_IV_SIZE); + release_sock(sk); + if (copy_to_user(optval, diff --git a/queue-4.14/tools-hv-fix-compiler-warnings-about-major-target_fname.patch b/queue-4.14/tools-hv-fix-compiler-warnings-about-major-target_fname.patch new file mode 100644 index 00000000000..c888b93a277 --- /dev/null +++ b/queue-4.14/tools-hv-fix-compiler-warnings-about-major-target_fname.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dexuan Cui +Date: Sun, 4 Mar 2018 22:17:14 -0700 +Subject: tools: hv: fix compiler warnings about major/target_fname + +From: Dexuan Cui + +[ Upstream commit 1330fc35327f3ecdfa1aa645e7321ced7349b2cd ] + +This patch fixes the below warnings with new glibc and gcc: + +hv_vss_daemon.c:100:13: warning: In the GNU C Library, "major" is defined + by . For historical compatibility, it is currently +defined by as well, but we plan to remove this soon. +To use "major", include directly. + +hv_fcopy_daemon.c:42:2: note: 'snprintf' output between 2 and 1040 +bytes into a destination of size 260 + +Signed-off-by: Dexuan Cui +Cc: Stephen Hemminger +Cc: K. Y. Srinivasan +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/hv/hv_fcopy_daemon.c | 3 ++- + tools/hv/hv_vss_daemon.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/hv/hv_fcopy_daemon.c ++++ b/tools/hv/hv_fcopy_daemon.c +@@ -23,13 +23,14 @@ + #include + #include + #include ++#include + #include + #include + #include + #include + + static int target_fd; +-static char target_fname[W_MAX_PATH]; ++static char target_fname[PATH_MAX]; + static unsigned long long filesize; + + static int hv_start_fcopy(struct hv_start_fcopy *smsg) +--- a/tools/hv/hv_vss_daemon.c ++++ b/tools/hv/hv_vss_daemon.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-4.14/tools-thermal-tmon-fix-for-segfault.patch b/queue-4.14/tools-thermal-tmon-fix-for-segfault.patch new file mode 100644 index 00000000000..4f4352646c3 --- /dev/null +++ b/queue-4.14/tools-thermal-tmon-fix-for-segfault.patch @@ -0,0 +1,81 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Frank Asseg +Date: Mon, 12 Mar 2018 19:57:06 +0100 +Subject: tools/thermal: tmon: fix for segfault + +From: Frank Asseg + +[ Upstream commit 6c59f64b7ecf2bccbe73931d7d573d66ed13b537 ] + +Fixes a segfault occurring when e.g. is pressed multiple times in the +ncurses tmon application. The segfault is caused by incrementing +cur_thermal_record in the main function without checking if it's value reached +NR_THERMAL_RECORD immediately. Since the boundary check only occurred in +update_thermal_data a race condition existed, which lead to an attempted read +beyond the last element of the trec array. + +The fix was implemented by moving the cur_thermal_record incrementation to the +update_thermal_data function using a temporary variable on which the boundary +condition is checked before updating cur_thread_record, so that the variable is +never incremented beyond the trec array's boundary. + +It seems the segfault does not occur on every machine: On a HP EliteBook G4 the +segfault happens, while it does not happen on a Thinkpad T540p. + +Signed-off-by: Frank Asseg +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/thermal/tmon/sysfs.c | 12 +++++++----- + tools/thermal/tmon/tmon.c | 1 - + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/thermal/tmon/sysfs.c ++++ b/tools/thermal/tmon/sysfs.c +@@ -486,6 +486,7 @@ int zone_instance_to_index(int zone_inst + int update_thermal_data() + { + int i; ++ int next_thermal_record = cur_thermal_record + 1; + char tz_name[256]; + static unsigned long samples; + +@@ -495,9 +496,9 @@ int update_thermal_data() + } + + /* circular buffer for keeping historic data */ +- if (cur_thermal_record >= NR_THERMAL_RECORDS) +- cur_thermal_record = 0; +- gettimeofday(&trec[cur_thermal_record].tv, NULL); ++ if (next_thermal_record >= NR_THERMAL_RECORDS) ++ next_thermal_record = 0; ++ gettimeofday(&trec[next_thermal_record].tv, NULL); + if (tmon_log) { + fprintf(tmon_log, "%lu ", ++samples); + fprintf(tmon_log, "%3.1f ", p_param.t_target); +@@ -507,11 +508,12 @@ int update_thermal_data() + snprintf(tz_name, 256, "%s/%s%d", THERMAL_SYSFS, TZONE, + ptdata.tzi[i].instance); + sysfs_get_ulong(tz_name, "temp", +- &trec[cur_thermal_record].temp[i]); ++ &trec[next_thermal_record].temp[i]); + if (tmon_log) + fprintf(tmon_log, "%lu ", +- trec[cur_thermal_record].temp[i]/1000); ++ trec[next_thermal_record].temp[i] / 1000); + } ++ cur_thermal_record = next_thermal_record; + for (i = 0; i < ptdata.nr_cooling_dev; i++) { + char cdev_name[256]; + unsigned long val; +--- a/tools/thermal/tmon/tmon.c ++++ b/tools/thermal/tmon/tmon.c +@@ -336,7 +336,6 @@ int main(int argc, char **argv) + show_data_w(); + show_cooling_device(); + } +- cur_thermal_record++; + time_elapsed += ticktime; + controller_handler(trec[0].temp[target_tz_index] / 1000, + &yk); diff --git a/queue-4.14/udf-provide-saner-default-for-invalid-uid-gid.patch b/queue-4.14/udf-provide-saner-default-for-invalid-uid-gid.patch new file mode 100644 index 00000000000..a70df2b95d1 --- /dev/null +++ b/queue-4.14/udf-provide-saner-default-for-invalid-uid-gid.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jan Kara +Date: Thu, 22 Feb 2018 10:39:52 +0100 +Subject: udf: Provide saner default for invalid uid / gid + +From: Jan Kara + +[ Upstream commit 116e5258e4115aca0c64ac0bf40ded3b353ed626 ] + +Currently when UDF filesystem is recorded without uid / gid (ids are set +to -1), we will assign INVALID_[UG]ID to vfs inode unless user uses uid= +and gid= mount options. In such case filesystem could not be modified in +any way as VFS refuses to modify files with invalid ids (even by root). +This is confusing to users and not very useful default since such media +mode is generally used for removable media. Use overflow[ug]id instead +so that at least root can modify the filesystem. + +Reported-by: Steve Kenton +Reviewed-by: Pali Rohár +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/udf/super.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -2091,8 +2091,9 @@ static int udf_fill_super(struct super_b + bool lvid_open = false; + + uopt.flags = (1 << UDF_FLAG_USE_AD_IN_ICB) | (1 << UDF_FLAG_STRICT); +- uopt.uid = INVALID_UID; +- uopt.gid = INVALID_GID; ++ /* By default we'll use overflow[ug]id when UDF inode [ug]id == -1 */ ++ uopt.uid = make_kuid(current_user_ns(), overflowuid); ++ uopt.gid = make_kgid(current_user_ns(), overflowgid); + uopt.umask = 0; + uopt.fmode = UDF_INVALID_MODE; + uopt.dmode = UDF_INVALID_MODE; diff --git a/queue-4.14/vfio-ccw-fence-off-transport-mode.patch b/queue-4.14/vfio-ccw-fence-off-transport-mode.patch new file mode 100644 index 00000000000..43d507e54b5 --- /dev/null +++ b/queue-4.14/vfio-ccw-fence-off-transport-mode.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Cornelia Huck +Date: Thu, 22 Feb 2018 15:35:43 +0100 +Subject: vfio-ccw: fence off transport mode + +From: Cornelia Huck + +[ Upstream commit 9851bc77e62499957567e7c39a5beba7d6de6296 ] + +vfio-ccw only supports command mode for channel programs, not transport +mode. User space is supposed to already take care of that and pass us +command-mode ORBs only, but better make sure and return an error to +the caller instead of trying to process tcws as ccws. + +Reviewed-by: Dong Jia Shi +Acked-by: Halil Pasic +Signed-off-by: Cornelia Huck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/cio/vfio_ccw_fsm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/s390/cio/vfio_ccw_fsm.c ++++ b/drivers/s390/cio/vfio_ccw_fsm.c +@@ -129,6 +129,11 @@ static void fsm_io_request(struct vfio_c + if (scsw->cmd.fctl & SCSW_FCTL_START_FUNC) { + orb = (union orb *)io_region->orb_area; + ++ /* Don't try to build a cp if transport mode is specified. */ ++ if (orb->tm.b) { ++ io_region->ret_code = -EOPNOTSUPP; ++ goto err_out; ++ } + io_region->ret_code = cp_init(&private->cp, mdev_dev(mdev), + orb); + if (io_region->ret_code) diff --git a/queue-4.14/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch b/queue-4.14/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch new file mode 100644 index 00000000000..c9e54058b74 --- /dev/null +++ b/queue-4.14/virtio-gpu-fix-ioctl-and-expose-the-fixed-status-to-userspace.patch @@ -0,0 +1,79 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dave Airlie +Date: Wed, 21 Feb 2018 11:50:03 +1000 +Subject: virtio-gpu: fix ioctl and expose the fixed status to userspace. + +From: Dave Airlie + +[ Upstream commit 9a191b114906457c4b2494c474f58ae4142d4e67 ] + +This exposes to mesa that it can use the fixed ioctl for querying +later cap sets, cap set 1 is forever frozen in time. + +Signed-off-by: Dave Airlie +Link: http://patchwork.freedesktop.org/patch/msgid/20180221015003.22884-1-airlied@gmail.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/virtio/virtgpu_ioctl.c | 17 +++++++++++------ + include/uapi/drm/virtgpu_drm.h | 1 + + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_ioctl.c ++++ b/drivers/gpu/drm/virtio/virtgpu_ioctl.c +@@ -196,6 +196,9 @@ static int virtio_gpu_getparam_ioctl(str + case VIRTGPU_PARAM_3D_FEATURES: + value = vgdev->has_virgl_3d == true ? 1 : 0; + break; ++ case VIRTGPU_PARAM_CAPSET_QUERY_FIX: ++ value = 1; ++ break; + default: + return -EINVAL; + } +@@ -471,7 +474,7 @@ static int virtio_gpu_get_caps_ioctl(str + { + struct virtio_gpu_device *vgdev = dev->dev_private; + struct drm_virtgpu_get_caps *args = data; +- int size; ++ unsigned size, host_caps_size; + int i; + int found_valid = -1; + int ret; +@@ -480,6 +483,10 @@ static int virtio_gpu_get_caps_ioctl(str + if (vgdev->num_capsets == 0) + return -ENOSYS; + ++ /* don't allow userspace to pass 0 */ ++ if (args->size == 0) ++ return -EINVAL; ++ + spin_lock(&vgdev->display_info_lock); + for (i = 0; i < vgdev->num_capsets; i++) { + if (vgdev->capsets[i].id == args->cap_set_id) { +@@ -495,11 +502,9 @@ static int virtio_gpu_get_caps_ioctl(str + return -EINVAL; + } + +- size = vgdev->capsets[found_valid].max_size; +- if (args->size > size) { +- spin_unlock(&vgdev->display_info_lock); +- return -EINVAL; +- } ++ host_caps_size = vgdev->capsets[found_valid].max_size; ++ /* only copy to user the minimum of the host caps size or the guest caps size */ ++ size = min(args->size, host_caps_size); + + list_for_each_entry(cache_ent, &vgdev->cap_cache, head) { + if (cache_ent->id == args->cap_set_id && +--- a/include/uapi/drm/virtgpu_drm.h ++++ b/include/uapi/drm/virtgpu_drm.h +@@ -63,6 +63,7 @@ struct drm_virtgpu_execbuffer { + }; + + #define VIRTGPU_PARAM_3D_FEATURES 1 /* do we have 3D features in the hw */ ++#define VIRTGPU_PARAM_CAPSET_QUERY_FIX 2 /* do we have the capset fix */ + + struct drm_virtgpu_getparam { + __u64 param; diff --git a/queue-4.14/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch b/queue-4.14/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch new file mode 100644 index 00000000000..44b6587caad --- /dev/null +++ b/queue-4.14/virtio-net-fix-operstate-for-virtio-when-no-virtio_net_f_status.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jay Vosburgh +Date: Thu, 22 Mar 2018 14:42:41 +0000 +Subject: virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS + +From: Jay Vosburgh + +[ Upstream commit bda7fab54828bbef2164bb23c0f6b1a7d05cc718 ] + +The operstate update logic will leave an interface in the +default UNKNOWN operstate if the interface carrier state never changes +from the default carrier up state set at creation. This includes the +case of an explicit call to netif_carrier_on, as the carrier on to on +transition has no effect on operstate. + + This affects virtio-net for the case that the virtio peer does +not support VIRTIO_NET_F_STATUS (the feature that provides carrier state +updates). Without this feature, the virtio specification states that +"the link should be assumed active," so, logically, the operstate should +be UP instead of UNKNOWN. This has impact on user space applications +that use the operstate to make availability decisions for the interface. + + Resolve this by changing the virtio probe logic slightly to call +netif_carrier_off for both the "with" and "without" VIRTIO_NET_F_STATUS +cases, and then the existing call to netif_carrier_on for the "without" +case will cause an operstate transition. + +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Cc: Ben Hutchings +Signed-off-by: Jay Vosburgh +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -2655,8 +2655,8 @@ static int virtnet_probe(struct virtio_d + + /* Assume link up if device can't report link status, + otherwise get link status from config. */ ++ netif_carrier_off(dev); + if (virtio_has_feature(vi->vdev, VIRTIO_NET_F_STATUS)) { +- netif_carrier_off(dev); + schedule_work(&vi->config_work); + } else { + vi->status = VIRTIO_NET_S_LINK_UP; diff --git a/queue-4.14/virtio_net-fix-xdp-code-path-in-receive_small.patch b/queue-4.14/virtio_net-fix-xdp-code-path-in-receive_small.patch new file mode 100644 index 00000000000..b6ad912181f --- /dev/null +++ b/queue-4.14/virtio_net-fix-xdp-code-path-in-receive_small.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jesper Dangaard Brouer +Date: Tue, 20 Feb 2018 14:32:10 +0100 +Subject: virtio_net: fix XDP code path in receive_small() + +From: Jesper Dangaard Brouer + +[ Upstream commit 95dbe9e7b3720efa5cf83d21f44f6d953f7cf4a2 ] + +When configuring virtio_net to use the code path 'receive_small()', +in-order to get correct XDP_REDIRECT support, I discovered TCP packets +would get silently dropped when loading an XDP program action XDP_PASS. + +The bug seems to be that receive_small() when XDP is loaded check that +hdr->hdr.flags is zero, which seems wrong as hdr.flags contains the +flags VIRTIO_NET_HDR_F_* : + #define VIRTIO_NET_HDR_F_NEEDS_CSUM 1 /* Use csum_start, csum_offset */ + #define VIRTIO_NET_HDR_F_DATA_VALID 2 /* Csum is valid */ + +TCP got dropped as it had the VIRTIO_NET_HDR_F_DATA_VALID flag set. + +The flags that are relevant here are the VIRTIO_NET_HDR_GSO_* flags +stored in hdr->hdr.gso_type. Thus, the fix is just check that none of +the gso_type flags have been set. + +Fixes: bb91accf2733 ("virtio-net: XDP support for small buffers") +Signed-off-by: Jesper Dangaard Brouer +Acked-by: John Fastabend +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -513,7 +513,7 @@ static struct sk_buff *receive_small(str + void *orig_data; + u32 act; + +- if (unlikely(hdr->hdr.gso_type || hdr->hdr.flags)) ++ if (unlikely(hdr->hdr.gso_type)) + goto err_xdp; + + if (unlikely(xdp_headroom < virtnet_get_headroom(vi))) { diff --git a/queue-4.14/vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch b/queue-4.14/vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch new file mode 100644 index 00000000000..431480674bc --- /dev/null +++ b/queue-4.14/vlan-fix-out-of-order-vlan-headers-with-reorder-header-off.patch @@ -0,0 +1,165 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Toshiaki Makita +Date: Tue, 13 Mar 2018 14:51:28 +0900 +Subject: vlan: Fix out of order vlan headers with reorder header off + +From: Toshiaki Makita + +[ Upstream commit cbe7128c4b92e2004984f477fd38dfa81662f02e ] + +With reorder header off, received packets are untagged in skb_vlan_untag() +called from within __netif_receive_skb_core(), and later the tag will be +inserted back in vlan_do_receive(). + +This caused out of order vlan headers when we create a vlan device on top +of another vlan device, because vlan_do_receive() inserts a tag as the +outermost vlan tag. E.g. the outer tag is first removed in skb_vlan_untag() +and inserted back in vlan_do_receive(), then the inner tag is next removed +and inserted back as the outermost tag. + +This patch fixes the behaviour by inserting the inner tag at the right +position. + +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_vlan.h | 66 ++++++++++++++++++++++++++++++++++++++++-------- + net/8021q/vlan_core.c | 4 +- + 2 files changed, 57 insertions(+), 13 deletions(-) + +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -300,30 +300,34 @@ static inline bool vlan_hw_offload_capab + } + + /** +- * __vlan_insert_tag - regular VLAN tag inserting ++ * __vlan_insert_inner_tag - inner VLAN tag inserting + * @skb: skbuff to tag + * @vlan_proto: VLAN encapsulation protocol + * @vlan_tci: VLAN TCI to insert ++ * @mac_len: MAC header length including outer vlan headers + * +- * Inserts the VLAN tag into @skb as part of the payload ++ * Inserts the VLAN tag into @skb as part of the payload at offset mac_len + * Returns error if skb_cow_head failes. + * + * Does not change skb->protocol so this function can be used during receive. + */ +-static inline int __vlan_insert_tag(struct sk_buff *skb, +- __be16 vlan_proto, u16 vlan_tci) ++static inline int __vlan_insert_inner_tag(struct sk_buff *skb, ++ __be16 vlan_proto, u16 vlan_tci, ++ unsigned int mac_len) + { + struct vlan_ethhdr *veth; + + if (skb_cow_head(skb, VLAN_HLEN) < 0) + return -ENOMEM; + +- veth = skb_push(skb, VLAN_HLEN); ++ skb_push(skb, VLAN_HLEN); + +- /* Move the mac addresses to the beginning of the new header. */ +- memmove(skb->data, skb->data + VLAN_HLEN, 2 * ETH_ALEN); ++ /* Move the mac header sans proto to the beginning of the new header. */ ++ memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN); + skb->mac_header -= VLAN_HLEN; + ++ veth = (struct vlan_ethhdr *)(skb->data + mac_len - ETH_HLEN); ++ + /* first, the ethernet type */ + veth->h_vlan_proto = vlan_proto; + +@@ -334,12 +338,30 @@ static inline int __vlan_insert_tag(stru + } + + /** +- * vlan_insert_tag - regular VLAN tag inserting ++ * __vlan_insert_tag - regular VLAN tag inserting + * @skb: skbuff to tag + * @vlan_proto: VLAN encapsulation protocol + * @vlan_tci: VLAN TCI to insert + * + * Inserts the VLAN tag into @skb as part of the payload ++ * Returns error if skb_cow_head failes. ++ * ++ * Does not change skb->protocol so this function can be used during receive. ++ */ ++static inline int __vlan_insert_tag(struct sk_buff *skb, ++ __be16 vlan_proto, u16 vlan_tci) ++{ ++ return __vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, ETH_HLEN); ++} ++ ++/** ++ * vlan_insert_inner_tag - inner VLAN tag inserting ++ * @skb: skbuff to tag ++ * @vlan_proto: VLAN encapsulation protocol ++ * @vlan_tci: VLAN TCI to insert ++ * @mac_len: MAC header length including outer vlan headers ++ * ++ * Inserts the VLAN tag into @skb as part of the payload at offset mac_len + * Returns a VLAN tagged skb. If a new skb is created, @skb is freed. + * + * Following the skb_unshare() example, in case of error, the calling function +@@ -347,12 +369,14 @@ static inline int __vlan_insert_tag(stru + * + * Does not change skb->protocol so this function can be used during receive. + */ +-static inline struct sk_buff *vlan_insert_tag(struct sk_buff *skb, +- __be16 vlan_proto, u16 vlan_tci) ++static inline struct sk_buff *vlan_insert_inner_tag(struct sk_buff *skb, ++ __be16 vlan_proto, ++ u16 vlan_tci, ++ unsigned int mac_len) + { + int err; + +- err = __vlan_insert_tag(skb, vlan_proto, vlan_tci); ++ err = __vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, mac_len); + if (err) { + dev_kfree_skb_any(skb); + return NULL; +@@ -361,6 +385,26 @@ static inline struct sk_buff *vlan_inser + } + + /** ++ * vlan_insert_tag - regular VLAN tag inserting ++ * @skb: skbuff to tag ++ * @vlan_proto: VLAN encapsulation protocol ++ * @vlan_tci: VLAN TCI to insert ++ * ++ * Inserts the VLAN tag into @skb as part of the payload ++ * Returns a VLAN tagged skb. If a new skb is created, @skb is freed. ++ * ++ * Following the skb_unshare() example, in case of error, the calling function ++ * doesn't have to worry about freeing the original skb. ++ * ++ * Does not change skb->protocol so this function can be used during receive. ++ */ ++static inline struct sk_buff *vlan_insert_tag(struct sk_buff *skb, ++ __be16 vlan_proto, u16 vlan_tci) ++{ ++ return vlan_insert_inner_tag(skb, vlan_proto, vlan_tci, ETH_HLEN); ++} ++ ++/** + * vlan_insert_tag_set_proto - regular VLAN tag inserting + * @skb: skbuff to tag + * @vlan_proto: VLAN encapsulation protocol +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -48,8 +48,8 @@ bool vlan_do_receive(struct sk_buff **sk + * original position later + */ + skb_push(skb, offset); +- skb = *skbp = vlan_insert_tag(skb, skb->vlan_proto, +- skb->vlan_tci); ++ skb = *skbp = vlan_insert_inner_tag(skb, skb->vlan_proto, ++ skb->vlan_tci, skb->mac_len); + if (!skb) + return false; + skb_pull(skb, offset + VLAN_HLEN); diff --git a/queue-4.14/vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch b/queue-4.14/vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch new file mode 100644 index 00000000000..f1807b9861e --- /dev/null +++ b/queue-4.14/vlan-fix-vlan-insertion-for-packets-without-ethernet-header.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Toshiaki Makita +Date: Thu, 29 Mar 2018 19:05:30 +0900 +Subject: vlan: Fix vlan insertion for packets without ethernet header + +From: Toshiaki Makita + +[ Upstream commit c769accdf3d8a103940bea2979b65556718567e9 ] + +In some situation vlan packets do not have ethernet headers. One example +is packets from tun devices. Users can specify vlan protocol in tun_pi +field instead of IP protocol. When we have a vlan device with reorder_hdr +disabled on top of the tun device, such packets from tun devices are +untagged in skb_vlan_untag() and vlan headers will be inserted back in +vlan_insert_inner_tag(). + +vlan_insert_inner_tag() however did not expect packets without ethernet +headers, so in such a case size argument for memmove() underflowed. + +We don't need to copy headers for packets which do not have preceding +headers of vlan headers, so skip memmove() in that case. +Also don't write vlan protocol in skb->data when it does not have enough +room for it. + +Fixes: cbe7128c4b92 ("vlan: Fix out of order vlan headers with reorder header off") +Signed-off-by: Toshiaki Makita +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/if_vlan.h | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -323,13 +323,24 @@ static inline int __vlan_insert_inner_ta + skb_push(skb, VLAN_HLEN); + + /* Move the mac header sans proto to the beginning of the new header. */ +- memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN); ++ if (likely(mac_len > ETH_TLEN)) ++ memmove(skb->data, skb->data + VLAN_HLEN, mac_len - ETH_TLEN); + skb->mac_header -= VLAN_HLEN; + + veth = (struct vlan_ethhdr *)(skb->data + mac_len - ETH_HLEN); + + /* first, the ethernet type */ +- veth->h_vlan_proto = vlan_proto; ++ if (likely(mac_len >= ETH_TLEN)) { ++ /* h_vlan_encapsulated_proto should already be populated, and ++ * skb->data has space for h_vlan_proto ++ */ ++ veth->h_vlan_proto = vlan_proto; ++ } else { ++ /* h_vlan_encapsulated_proto should not be populated, and ++ * skb->data has no space for h_vlan_proto ++ */ ++ veth->h_vlan_encapsulated_proto = skb->protocol; ++ } + + /* now, the TCI */ + veth->h_vlan_TCI = htons(vlan_tci); diff --git a/queue-4.14/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch b/queue-4.14/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch new file mode 100644 index 00000000000..0163ebaf707 --- /dev/null +++ b/queue-4.14/vti4-don-t-count-header-length-twice-on-tunnel-setup.patch @@ -0,0 +1,66 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefano Brivio +Date: Thu, 15 Mar 2018 17:16:27 +0100 +Subject: vti4: Don't count header length twice on tunnel setup + +From: Stefano Brivio + +[ Upstream commit dd1df24737727e119c263acf1be2a92763938297 ] + +This re-introduces the effect of commit a32452366b72 ("vti4: +Don't count header length twice.") which was accidentally +reverted by merge commit f895f0cfbb77 ("Merge branch 'master' of +git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec"). + +The commit message from Steffen Klassert said: + + We currently count the size of LL_MAX_HEADER and struct iphdr + twice for vti4 devices, this leads to a wrong device mtu. + The size of LL_MAX_HEADER and struct iphdr is already counted in + ip_tunnel_bind_dev(), so don't do it again in vti_tunnel_init(). + +And this is still the case now: ip_tunnel_bind_dev() already +accounts for the header length of the link layer (not +necessarily LL_MAX_HEADER, if the output device is found), plus +one IP header. + +For example, with a vti device on top of veth, with MTU of 1500, +the existing implementation would set the initial vti MTU to +1332, accounting once for LL_MAX_HEADER (128, included in +hard_header_len by vti) and twice for the same IP header (once +from hard_header_len, once from ip_tunnel_bind_dev()). + +It should instead be 1480, because ip_tunnel_bind_dev() is able +to figure out that the output device is veth, so no additional +link layer header is attached, and will properly count one +single IP header. + +The existing issue had the side effect of avoiding PMTUD for +most xfrm policies, by arbitrarily lowering the initial MTU. +However, the only way to get a consistent PMTU value is to let +the xfrm PMTU discovery do its course, and commit d6af1a31cc72 +("vti: Add pmtu handling to vti_xmit.") now takes care of local +delivery cases where the application ignores local socket +notifications. + +Fixes: b9959fd3b0fa ("vti: switch to new ip tunnel code") +Fixes: f895f0cfbb77 ("Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec") +Signed-off-by: Stefano Brivio +Acked-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_vti.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de + memcpy(dev->dev_addr, &iph->saddr, 4); + memcpy(dev->broadcast, &iph->daddr, 4); + +- dev->hard_header_len = LL_MAX_HEADER + sizeof(struct iphdr); + dev->mtu = ETH_DATA_LEN; + dev->flags = IFF_NOARP; + dev->addr_len = 4; diff --git a/queue-4.14/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch b/queue-4.14/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch new file mode 100644 index 00000000000..7f2c2b79d92 --- /dev/null +++ b/queue-4.14/vti4-don-t-override-mtu-passed-on-link-creation-via-ifla_mtu.patch @@ -0,0 +1,33 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefano Brivio +Date: Thu, 15 Mar 2018 17:16:29 +0100 +Subject: vti4: Don't override MTU passed on link creation via IFLA_MTU + +From: Stefano Brivio + +[ Upstream commit 03080e5ec72740c1a62e6730f2a5f3f114f11b19 ] + +Don't hardcode a MTU value on vti tunnel initialization, +ip_tunnel_newlink() is able to deal with this already. See also +commit ffc2b6ee4174 ("ip_gre: fix IFLA_MTU ignored on NEWLINK"). + +Fixes: 1181412c1a67 ("net/ipv4: VTI support new module for ip_vti.") +Signed-off-by: Stefano Brivio +Acked-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_vti.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -396,7 +396,6 @@ static int vti_tunnel_init(struct net_de + memcpy(dev->dev_addr, &iph->saddr, 4); + memcpy(dev->broadcast, &iph->daddr, 4); + +- dev->mtu = ETH_DATA_LEN; + dev->flags = IFF_NOARP; + dev->addr_len = 4; + dev->features |= NETIF_F_LLTX; diff --git a/queue-4.14/vti6-fix-dev-max_mtu-setting.patch b/queue-4.14/vti6-fix-dev-max_mtu-setting.patch new file mode 100644 index 00000000000..a9723129ddf --- /dev/null +++ b/queue-4.14/vti6-fix-dev-max_mtu-setting.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Stefano Brivio +Date: Thu, 15 Mar 2018 17:17:13 +0100 +Subject: vti6: Fix dev->max_mtu setting + +From: Stefano Brivio + +[ Upstream commit f8a554b4aa9686bb2c12f6bae516e58783289a03 ] + +We shouldn't allow a tunnel to have IP_MAX_MTU as MTU, because +another IPv6 header is going on top of our packets. Without this +patch, we might end up building packets bigger than IP_MAX_MTU. + +Fixes: b96f9afee4eb ("ipv4/6: use core net MTU range checking") +Signed-off-by: Stefano Brivio +Acked-by: Sabrina Dubroca +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -852,7 +852,7 @@ static void vti6_dev_setup(struct net_de + dev->hard_header_len = LL_MAX_HEADER + sizeof(struct ipv6hdr); + dev->mtu = ETH_DATA_LEN; + dev->min_mtu = IPV6_MIN_MTU; +- dev->max_mtu = IP_MAX_MTU; ++ dev->max_mtu = IP_MAX_MTU - sizeof(struct ipv6hdr); + dev->flags |= IFF_NOARP; + dev->addr_len = sizeof(struct in6_addr); + netif_keep_dst(dev); diff --git a/queue-4.14/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch b/queue-4.14/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch new file mode 100644 index 00000000000..711709eeed8 --- /dev/null +++ b/queue-4.14/watchdog-asm9260_wdt-fix-error-handling-in-asm9260_wdt_probe.patch @@ -0,0 +1,46 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexey Khoroshilov +Date: Sat, 10 Feb 2018 13:17:27 +0300 +Subject: watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 3c829f47e33eb0398a9a14e357a05199a7be0277 ] + +If devm_reset_control_get_exclusive() fails, asm9260_wdt_probe() +returns immediately. But clks has been already enabled at that point, +so it is required to disable them or to move the code around. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/asm9260_wdt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/asm9260_wdt.c ++++ b/drivers/watchdog/asm9260_wdt.c +@@ -292,14 +292,14 @@ static int asm9260_wdt_probe(struct plat + if (IS_ERR(priv->iobase)) + return PTR_ERR(priv->iobase); + +- ret = asm9260_wdt_get_dt_clks(priv); +- if (ret) +- return ret; +- + priv->rst = devm_reset_control_get_exclusive(&pdev->dev, "wdt_rst"); + if (IS_ERR(priv->rst)) + return PTR_ERR(priv->rst); + ++ ret = asm9260_wdt_get_dt_clks(priv); ++ if (ret) ++ return ret; ++ + wdd = &priv->wdd; + wdd->info = &asm9260_wdt_ident; + wdd->ops = &asm9260_wdt_ops; diff --git a/queue-4.14/watchdog-aspeed-allow-configuring-for-alternate-boot.patch b/queue-4.14/watchdog-aspeed-allow-configuring-for-alternate-boot.patch new file mode 100644 index 00000000000..2575f7e59c9 --- /dev/null +++ b/queue-4.14/watchdog-aspeed-allow-configuring-for-alternate-boot.patch @@ -0,0 +1,60 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Milton Miller +Date: Thu, 15 Mar 2018 11:02:06 -0500 +Subject: watchdog: aspeed: Allow configuring for alternate boot + +From: Milton Miller + +[ Upstream commit 6ffa3402211acc30e47e691e14d62f3fd065a54e ] + +Allow the device tree to specify a watchdog to fallover to +the alternate boot source. + +The aspeeed watchdog can set a latch directing flash chip select 0 to +chip select 1, allowing boot from an alternate media if the watchdog +is not reset in time. On the ast2400 bank 1 also goes to flash bank 1, +while on the ast2500 the chip selects are swapped. + +Also clear the secondary boot bit during the machine restart operation. +Otherwise, the system will switch to the alternate boot after every +reboot, which is not desired. + +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Joel Stanley +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -46,6 +46,7 @@ MODULE_DEVICE_TABLE(of, aspeed_wdt_of_ta + #define WDT_RELOAD_VALUE 0x04 + #define WDT_RESTART 0x08 + #define WDT_CTRL 0x0C ++#define WDT_CTRL_BOOT_SECONDARY BIT(7) + #define WDT_CTRL_RESET_MODE_SOC (0x00 << 5) + #define WDT_CTRL_RESET_MODE_FULL_CHIP (0x01 << 5) + #define WDT_CTRL_RESET_MODE_ARM_CPU (0x10 << 5) +@@ -158,6 +159,7 @@ static int aspeed_wdt_restart(struct wat + { + struct aspeed_wdt *wdt = to_aspeed_wdt(wdd); + ++ wdt->ctrl &= ~WDT_CTRL_BOOT_SECONDARY; + aspeed_wdt_enable(wdt, 128 * WDT_RATE_1MHZ / 1000); + + mdelay(1000); +@@ -242,6 +244,8 @@ static int aspeed_wdt_probe(struct platf + } + if (of_property_read_bool(np, "aspeed,external-signal")) + wdt->ctrl |= WDT_CTRL_WDT_EXT; ++ if (of_property_read_bool(np, "aspeed,alt-boot")) ++ wdt->ctrl |= WDT_CTRL_BOOT_SECONDARY; + + writel(wdt->ctrl, wdt->base + WDT_CTRL); + diff --git a/queue-4.14/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch b/queue-4.14/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch new file mode 100644 index 00000000000..9eb77efeee2 --- /dev/null +++ b/queue-4.14/watchdog-aspeed-fix-translation-of-reset-mode-to-ctrl-register.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Milton Miller +Date: Fri, 9 Mar 2018 15:58:19 -0600 +Subject: watchdog: aspeed: Fix translation of reset mode to ctrl register + +From: Milton Miller + +[ Upstream commit d2fc8db691bf3197d43b2afb553311a9bf257bff ] + +Assert RESET_SYSTEM bit for any reset and set MODE field from reset +type. + +The watchdog control register has a RESET_SYSTEM bit that is really +closer to activate a reset, and RESET_SYSTEM_MODE field that chooses +how much to reset. + +Before this patch, a node without these optional property would do a +SOC reset, but a node with properties requesting a cpu or SOC reset +would do nothing and a node requesting a system reset would do a +SOC reset. + +Fixes: b7f0b8ad25f3 ("drivers/watchdog: ASPEED reference dev tree properties for config") +Signed-off-by: Milton Miller +Signed-off-by: Eddie James +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/aspeed_wdt.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/watchdog/aspeed_wdt.c ++++ b/drivers/watchdog/aspeed_wdt.c +@@ -234,11 +234,14 @@ static int aspeed_wdt_probe(struct platf + wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | WDT_CTRL_RESET_SYSTEM; + } else { + if (!strcmp(reset_type, "cpu")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_ARM_CPU | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "soc")) +- wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_SOC | ++ WDT_CTRL_RESET_SYSTEM; + else if (!strcmp(reset_type, "system")) +- wdt->ctrl |= WDT_CTRL_RESET_SYSTEM; ++ wdt->ctrl |= WDT_CTRL_RESET_MODE_FULL_CHIP | ++ WDT_CTRL_RESET_SYSTEM; + else if (strcmp(reset_type, "none")) + return -EINVAL; + } diff --git a/queue-4.14/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch b/queue-4.14/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch new file mode 100644 index 00000000000..1e2112943db --- /dev/null +++ b/queue-4.14/watchdog-davinci_wdt-fix-error-handling-in-davinci_wdt_probe.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexey Khoroshilov +Date: Sat, 24 Mar 2018 00:36:46 +0300 +Subject: watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() + +From: Alexey Khoroshilov + +[ Upstream commit d66e53649c18377edc08d48901e658e4fd491d46 ] + +clk_disable_unprepare() was added to one error path, +but there is another one. The patch makes sure clk is +disabled at the both of them. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/davinci_wdt.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/watchdog/davinci_wdt.c ++++ b/drivers/watchdog/davinci_wdt.c +@@ -198,15 +198,22 @@ static int davinci_wdt_probe(struct plat + + wdt_mem = platform_get_resource(pdev, IORESOURCE_MEM, 0); + davinci_wdt->base = devm_ioremap_resource(dev, wdt_mem); +- if (IS_ERR(davinci_wdt->base)) +- return PTR_ERR(davinci_wdt->base); ++ if (IS_ERR(davinci_wdt->base)) { ++ ret = PTR_ERR(davinci_wdt->base); ++ goto err_clk_disable; ++ } + + ret = watchdog_register_device(wdd); +- if (ret < 0) { +- clk_disable_unprepare(davinci_wdt->clk); ++ if (ret) { + dev_err(dev, "cannot register watchdog device\n"); ++ goto err_clk_disable; + } + ++ return 0; ++ ++err_clk_disable: ++ clk_disable_unprepare(davinci_wdt->clk); ++ + return ret; + } + diff --git a/queue-4.14/watchdog-dw-rmw-the-control-register.patch b/queue-4.14/watchdog-dw-rmw-the-control-register.patch new file mode 100644 index 00000000000..5a10aa6513d --- /dev/null +++ b/queue-4.14/watchdog-dw-rmw-the-control-register.patch @@ -0,0 +1,90 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Brian Norris +Date: Fri, 9 Mar 2018 19:46:06 -0800 +Subject: watchdog: dw: RMW the control register + +From: Brian Norris + +[ Upstream commit a81abbb412341e9e3b2d42ed7d310cf71fbb84a8 ] + +RK3399 has rst_pulse_length in CONTROL_REG[4:2], determining the length +of pulse to issue for system reset. We shouldn't clobber this value, +because that might make the system reset ineffective. On RK3399, we're +seeing that a value of 000b (meaning 2 cycles) yields an unreliable +(partial?) reset, and so we only fully reset after the watchdog fires a +second time. If we retain the system default (010b, or 8 clock cycles), +then the watchdog reset is much more reliable. + +Read-modify-write retains the system value and improves reset +reliability. + +It seems we were intentionally clobbering the response mode previously, +to ensure we performed a system reset (we don't support an interrupt +notification), so retain that explicitly. + +Signed-off-by: Brian Norris +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/dw_wdt.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/watchdog/dw_wdt.c ++++ b/drivers/watchdog/dw_wdt.c +@@ -34,6 +34,7 @@ + + #define WDOG_CONTROL_REG_OFFSET 0x00 + #define WDOG_CONTROL_REG_WDT_EN_MASK 0x01 ++#define WDOG_CONTROL_REG_RESP_MODE_MASK 0x02 + #define WDOG_TIMEOUT_RANGE_REG_OFFSET 0x04 + #define WDOG_TIMEOUT_RANGE_TOPINIT_SHIFT 4 + #define WDOG_CURRENT_COUNT_REG_OFFSET 0x08 +@@ -121,14 +122,23 @@ static int dw_wdt_set_timeout(struct wat + return 0; + } + ++static void dw_wdt_arm_system_reset(struct dw_wdt *dw_wdt) ++{ ++ u32 val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ ++ /* Disable interrupt mode; always perform system reset. */ ++ val &= ~WDOG_CONTROL_REG_RESP_MODE_MASK; ++ /* Enable watchdog. */ ++ val |= WDOG_CONTROL_REG_WDT_EN_MASK; ++ writel(val, dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++} ++ + static int dw_wdt_start(struct watchdog_device *wdd) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); + + dw_wdt_set_timeout(wdd, wdd->timeout); +- +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + return 0; + } +@@ -152,16 +162,13 @@ static int dw_wdt_restart(struct watchdo + unsigned long action, void *data) + { + struct dw_wdt *dw_wdt = to_dw_wdt(wdd); +- u32 val; + + writel(0, dw_wdt->regs + WDOG_TIMEOUT_RANGE_REG_OFFSET); +- val = readl(dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); +- if (val & WDOG_CONTROL_REG_WDT_EN_MASK) ++ if (dw_wdt_is_enabled(dw_wdt)) + writel(WDOG_COUNTER_RESTART_KICK_VALUE, + dw_wdt->regs + WDOG_COUNTER_RESTART_REG_OFFSET); + else +- writel(WDOG_CONTROL_REG_WDT_EN_MASK, +- dw_wdt->regs + WDOG_CONTROL_REG_OFFSET); ++ dw_wdt_arm_system_reset(dw_wdt); + + /* wait for reset to assert... */ + mdelay(500); diff --git a/queue-4.14/watchdog-f71808e_wdt-fix-magic-close-handling.patch b/queue-4.14/watchdog-f71808e_wdt-fix-magic-close-handling.patch new file mode 100644 index 00000000000..8b9d2960245 --- /dev/null +++ b/queue-4.14/watchdog-f71808e_wdt-fix-magic-close-handling.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Igor Pylypiv +Date: Wed, 28 Feb 2018 00:59:12 -0800 +Subject: watchdog: f71808e_wdt: Fix magic close handling + +From: Igor Pylypiv + +[ Upstream commit 7bd3e7b743956afbec30fb525bc3c5e22e3d475c ] + +Watchdog close is "expected" when any byte is 'V' not just the last one. +Writing "V" to the device fails because the last byte is the end of string. + +$ echo V > /dev/watchdog +f71808e_wdt: Unexpected close, not stopping watchdog! + +Signed-off-by: Igor Pylypiv +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/f71808e_wdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -566,7 +566,8 @@ static ssize_t watchdog_write(struct fil + char c; + if (get_user(c, buf + i)) + return -EFAULT; +- expect_close = (c == 'V'); ++ if (c == 'V') ++ expect_close = true; + } + + /* Properly order writes across fork()ed processes */ diff --git a/queue-4.14/watchdog-sbsa-use-32-bit-read-for-wcv.patch b/queue-4.14/watchdog-sbsa-use-32-bit-read-for-wcv.patch new file mode 100644 index 00000000000..95304bcef3f --- /dev/null +++ b/queue-4.14/watchdog-sbsa-use-32-bit-read-for-wcv.patch @@ -0,0 +1,51 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Jayachandran C +Date: Wed, 28 Feb 2018 02:52:20 -0800 +Subject: watchdog: sbsa: use 32-bit read for WCV + +From: Jayachandran C + +[ Upstream commit 93ac3deb7c220cbcec032a967220a1f109d58431 ] + +According to SBSA spec v3.1 section 5.3: + All registers are 32 bits in size and should be accessed using + 32-bit reads and writes. If an access size other than 32 bits + is used then the results are IMPLEMENTATION DEFINED. + [...] + The Generic Watchdog is little-endian + +The current code uses readq to read the watchdog compare register +which does a 64-bit access. This fails on ThunderX2 which does not +implement 64-bit access to this register. + +Fix this by using lo_hi_readq() that does two 32-bit reads. + +Signed-off-by: Jayachandran C +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/sbsa_gwdt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/watchdog/sbsa_gwdt.c ++++ b/drivers/watchdog/sbsa_gwdt.c +@@ -50,6 +50,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -159,7 +160,7 @@ static unsigned int sbsa_gwdt_get_timele + !(readl(gwdt->control_base + SBSA_GWDT_WCS) & SBSA_GWDT_WCS_WS0)) + timeleft += readl(gwdt->control_base + SBSA_GWDT_WOR); + +- timeleft += readq(gwdt->control_base + SBSA_GWDT_WCV) - ++ timeleft += lo_hi_readq(gwdt->control_base + SBSA_GWDT_WCV) - + arch_counter_get_cntvct(); + + do_div(timeleft, gwdt->clk); diff --git a/queue-4.14/workqueue-use-put_device-instead-of-kfree.patch b/queue-4.14/workqueue-use-put_device-instead-of-kfree.patch new file mode 100644 index 00000000000..28084cda0a1 --- /dev/null +++ b/queue-4.14/workqueue-use-put_device-instead-of-kfree.patch @@ -0,0 +1,32 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arvind Yadav +Date: Tue, 6 Mar 2018 15:35:43 +0530 +Subject: workqueue: use put_device() instead of kfree() + +From: Arvind Yadav + +[ Upstream commit 537f4146c53c95aac977852b371bafb9c6755ee1 ] + +Never directly free @dev after calling device_register(), even +if it returned an error! Always use put_device() to give up the +reference initialized in this function instead. + +Signed-off-by: Arvind Yadav +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/workqueue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -5350,7 +5350,7 @@ int workqueue_sysfs_register(struct work + + ret = device_register(&wq_dev->dev); + if (ret) { +- kfree(wq_dev); ++ put_device(&wq_dev->dev); + wq->wq_dev = NULL; + return ret; + } diff --git a/queue-4.14/x86-alternatives-fixup-alternative_call_2.patch b/queue-4.14/x86-alternatives-fixup-alternative_call_2.patch new file mode 100644 index 00000000000..9a1cf585c53 --- /dev/null +++ b/queue-4.14/x86-alternatives-fixup-alternative_call_2.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Alexey Dobriyan +Date: Sun, 14 Jan 2018 15:05:04 +0300 +Subject: x86/alternatives: Fixup alternative_call_2 + +From: Alexey Dobriyan + +[ Upstream commit bd6271039ee6f0c9b468148fc2d73e0584af6b4f ] + +The following pattern fails to compile while the same pattern +with alternative_call() does: + + if (...) + alternative_call_2(...); + else + alternative_call_2(...); + +as it expands into + + if (...) + { + }; <=== + else + { + }; + +Signed-off-by: Alexey Dobriyan +Signed-off-by: Thomas Gleixner +Acked-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20180114120504.GA11368@avx2 +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/alternative.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/x86/include/asm/alternative.h ++++ b/arch/x86/include/asm/alternative.h +@@ -218,13 +218,11 @@ static inline int alternatives_text_rese + */ + #define alternative_call_2(oldfunc, newfunc1, feature1, newfunc2, feature2, \ + output, input...) \ +-{ \ + asm volatile (ALTERNATIVE_2("call %P[old]", "call %P[new1]", feature1,\ + "call %P[new2]", feature2) \ + : output, ASM_CALL_CONSTRAINT \ + : [old] "i" (oldfunc), [new1] "i" (newfunc1), \ +- [new2] "i" (newfunc2), ## input); \ +-} ++ [new2] "i" (newfunc2), ## input) + + /* + * use this macro(s) if you need more than one output parameter diff --git a/queue-4.14/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch b/queue-4.14/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch new file mode 100644 index 00000000000..8ef69689b45 --- /dev/null +++ b/queue-4.14/x86-apic-set-up-through-local-apic-mode-on-the-boot-cpu-if-noapic-specified.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Baoquan He +Date: Wed, 14 Feb 2018 13:46:56 +0800 +Subject: x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified + +From: Baoquan He + +[ Upstream commit bee3204ec3c49f6f53add9c3962c9012a5c036fa ] + +Currently the kdump kernel becomes very slow if 'noapic' is specified. +Normal kernel doesn't have this bug. + +Kernel parameter 'noapic' is used to disable IO-APIC in system for +testing or special purpose. Here the root cause is that in kdump +kernel LAPIC is disabled since commit: + + 522e664644 ("x86/apic: Disable I/O APIC before shutdown of the local APIC") + +In this case we need set up through-local-APIC on boot CPU in +setup_local_APIC(). + +In normal kernel the legacy irq mode is enabled by the BIOS. If +it is virtual wire mode, the local-APIC has been enabled and set as +through-local-APIC. + +Though we fixed the regression introduced by commit 522e664644, +to further improve robustness set up the through-local-APIC mode +explicitly, do not rely on the default boot IRQ mode. + +Signed-off-by: Baoquan He +Reviewed-by: Eric W. Biederman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: douly.fnst@cn.fujitsu.com +Cc: joro@8bytes.org +Cc: prarit@redhat.com +Cc: uobergfe@redhat.com +Link: http://lkml.kernel.org/r/20180214054656.3780-7-bhe@redhat.com +[ Rewrote the changelog. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -1481,7 +1481,7 @@ void setup_local_APIC(void) + * TODO: set up through-local-APIC from through-I/O-APIC? --macro + */ + value = apic_read(APIC_LVT0) & APIC_LVT_MASKED; +- if (!cpu && (pic_mode || !value)) { ++ if (!cpu && (pic_mode || !value || skip_ioapic_setup)) { + value = APIC_DM_EXTINT; + apic_printk(APIC_VERBOSE, "enabled ExtINT on CPU#%d\n", cpu); + } else { diff --git a/queue-4.14/x86-devicetree-fix-device-irq-settings-in-dt.patch b/queue-4.14/x86-devicetree-fix-device-irq-settings-in-dt.patch new file mode 100644 index 00000000000..3c267d0cdc5 --- /dev/null +++ b/queue-4.14/x86-devicetree-fix-device-irq-settings-in-dt.patch @@ -0,0 +1,62 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:53 -0800 +Subject: x86/devicetree: Fix device IRQ settings in DT + +From: Ivan Gorinov + +[ Upstream commit 0a5169add90e43ab45ab1ba34223b8583fcaf675 ] + +IRQ parameters for the SoC devices connected directly to I/O APIC lines +(without PCI IRQ routing) may be specified in the Device Tree. + +Called from DT IRQ parser, irq_create_fwspec_mapping() calls +irq_domain_alloc_irqs() with a pointer to irq_fwspec structure as @arg. + +But x86-specific DT IRQ allocation code casts @arg to of_phandle_args +structure pointer and crashes trying to read the IRQ parameters. The +function was not converted when the mapping descriptor was changed to +irq_fwspec in the generic irqdomain code. + +Fixes: 11e4438ee330 ("irqdomain: Introduce a firmware-specific IRQ specifier structure") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/a234dee27ea60ce76141872da0d6bdb378b2a9ee.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -201,19 +201,22 @@ static struct of_ioapic_type of_ioapic_t + static int dt_irqdomain_alloc(struct irq_domain *domain, unsigned int virq, + unsigned int nr_irqs, void *arg) + { +- struct of_phandle_args *irq_data = (void *)arg; ++ struct irq_fwspec *fwspec = (struct irq_fwspec *)arg; + struct of_ioapic_type *it; + struct irq_alloc_info tmp; ++ int type_index; + +- if (WARN_ON(irq_data->args_count < 2)) ++ if (WARN_ON(fwspec->param_count < 2)) + return -EINVAL; +- if (irq_data->args[1] >= ARRAY_SIZE(of_ioapic_type)) ++ ++ type_index = fwspec->param[1]; ++ if (type_index >= ARRAY_SIZE(of_ioapic_type)) + return -EINVAL; + +- it = &of_ioapic_type[irq_data->args[1]]; ++ it = &of_ioapic_type[type_index]; + ioapic_set_alloc_attr(&tmp, NUMA_NO_NODE, it->trigger, it->polarity); + tmp.ioapic_id = mpc_ioapic_id(mp_irqdomain_ioapic_idx(domain)); +- tmp.ioapic_pin = irq_data->args[0]; ++ tmp.ioapic_pin = fwspec->param[0]; + + return mp_irqdomain_alloc(domain, virq, nr_irqs, &tmp); + } diff --git a/queue-4.14/x86-devicetree-initialize-device-tree-before-using-it.patch b/queue-4.14/x86-devicetree-initialize-device-tree-before-using-it.patch new file mode 100644 index 00000000000..fd0f3011a74 --- /dev/null +++ b/queue-4.14/x86-devicetree-initialize-device-tree-before-using-it.patch @@ -0,0 +1,58 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Ivan Gorinov +Date: Wed, 7 Mar 2018 11:46:29 -0800 +Subject: x86/devicetree: Initialize device tree before using it + +From: Ivan Gorinov + +[ Upstream commit 628df9dc5ad886b0a9b33c75a7b09710eb859ca1 ] + +Commit 08d53aa58cb1 added CRC32 calculation in early_init_dt_verify() and +checking in late initcall of_fdt_raw_init(), making early_init_dt_verify() +mandatory. + +The required call to early_init_dt_verify() was not added to the +x86-specific implementation, causing failure to create the sysfs entry in +of_fdt_raw_init(). + +Fixes: 08d53aa58cb1 ("of/fdt: export fdt blob as /sys/firmware/fdt") +Signed-off-by: Ivan Gorinov +Signed-off-by: Thomas Gleixner +Cc: Mark Rutland +Cc: Rob Herring +Link: https://lkml.kernel.org/r/c8c7e941efc63b5d25ebf9b6350b0f3df38f6098.1520450752.git.ivan.gorinov@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/devicetree.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/devicetree.c ++++ b/arch/x86/kernel/devicetree.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -276,14 +277,15 @@ static void __init x86_flattree_get_conf + + map_len = max(PAGE_SIZE - (initial_dtb & ~PAGE_MASK), (u64)128); + +- initial_boot_params = dt = early_memremap(initial_dtb, map_len); +- size = of_get_flat_dt_size(); ++ dt = early_memremap(initial_dtb, map_len); ++ size = fdt_totalsize(dt); + if (map_len < size) { + early_memunmap(dt, map_len); +- initial_boot_params = dt = early_memremap(initial_dtb, size); ++ dt = early_memremap(initial_dtb, size); + map_len = size; + } + ++ early_init_dt_verify(dt); + unflatten_and_copy_device_tree(); + early_memunmap(dt, map_len); + } diff --git a/queue-4.14/x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch b/queue-4.14/x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch new file mode 100644 index 00000000000..73cd3ad88af --- /dev/null +++ b/queue-4.14/x86-intel_rdt-fix-incorrect-returned-value-when-creating-rdgroup-sub-directory-in-resctrl-file-system.patch @@ -0,0 +1,54 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Wang Hui +Date: Thu, 22 Feb 2018 19:26:03 -0800 +Subject: x86/intel_rdt: Fix incorrect returned value when creating rdgroup sub-directory in resctrl file system + +From: Wang Hui + +[ Upstream commit 36e74d355297dde6e69a39c838d24710e442babe ] + +If no monitoring feature is detected because all monitoring features are +disabled during boot time or there is no monitoring feature in hardware, +creating rdtgroup sub-directory by "mkdir" command reports error: + + mkdir: cannot create directory ‘/sys/fs/resctrl/p1’: No such file or directory + +But the sub-directory actually is generated and content is correct: + + cpus cpus_list schemata tasks + +The error is because rdtgroup_mkdir_ctrl_mon() returns non zero value after +the sub-directory is created and the returned value is reported as an error +to user. + +Clear the returned value to report to user that the sub-directory is +actually created successfully. + +Signed-off-by: Wang Hui +Signed-off-by: Zhang Yanfei +Signed-off-by: Fenghua Yu +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Ravi V Shankar +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: Vikas +Cc: Xiaochen Shen +Link: http://lkml.kernel.org/r/1519356363-133085-1-git-send-email-fenghua.yu@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c ++++ b/arch/x86/kernel/cpu/intel_rdt_rdtgroup.c +@@ -1657,6 +1657,7 @@ static int rdtgroup_mkdir_ctrl_mon(struc + if (ret < 0) + goto out_common_fail; + closid = ret; ++ ret = 0; + + rdtgrp->closid = closid; + list_add(&rdtgrp->rdtgroup_list, &rdt_all_groups); diff --git a/queue-4.14/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch b/queue-4.14/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch new file mode 100644 index 00000000000..7654b00c608 --- /dev/null +++ b/queue-4.14/x86-mm-do-not-forbid-_page_rw-before-init-for-__ro_after_init.patch @@ -0,0 +1,64 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dave Hansen +Date: Fri, 6 Apr 2018 13:55:14 -0700 +Subject: x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init + +From: Dave Hansen + +[ Upstream commit 639d6aafe437a7464399d2a77d006049053df06f ] + +__ro_after_init data gets stuck in the .rodata section. That's normally +fine because the kernel itself manages the R/W properties. + +But, if we run __change_page_attr() on an area which is __ro_after_init, +the .rodata checks will trigger and force the area to be immediately +read-only, even if it is early-ish in boot. This caused problems when +trying to clear the _PAGE_GLOBAL bit for these area in the PTI code: +it cleared _PAGE_GLOBAL like I asked, but also took it up on itself +to clear _PAGE_RW. The kernel then oopses the next time it wrote to +a __ro_after_init data structure. + +To fix this, add the kernel_set_to_readonly check, just like we have +for kernel text, just a few lines below in this function. + +Signed-off-by: Dave Hansen +Acked-by: Kees Cook +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Arjan van de Ven +Cc: Borislav Petkov +Cc: Dan Williams +Cc: David Woodhouse +Cc: Greg Kroah-Hartman +Cc: Hugh Dickins +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Nadav Amit +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180406205514.8D898241@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pageattr.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -298,9 +298,11 @@ static inline pgprot_t static_protection + + /* + * The .rodata section needs to be read-only. Using the pfn +- * catches all aliases. ++ * catches all aliases. This also includes __ro_after_init, ++ * so do not enforce until kernel_set_to_readonly is true. + */ +- if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, ++ if (kernel_set_to_readonly && ++ within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT, + __pa_symbol(__end_rodata) >> PAGE_SHIFT)) + pgprot_val(forbidden) |= _PAGE_RW; + diff --git a/queue-4.14/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch b/queue-4.14/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch new file mode 100644 index 00000000000..6ee0ec0b5c7 --- /dev/null +++ b/queue-4.14/x86-mm-fix-bogus-warning-during-efi-bootup-use-boot_cpu_has-instead-of-this_cpu_has-in-build_cr3_noflush.patch @@ -0,0 +1,86 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Sai Praneeth +Date: Wed, 4 Apr 2018 12:34:19 -0700 +Subject: x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush() + +From: Sai Praneeth + +[ Upstream commit 162ee5a8ab49be40d253f90e94aef712470a3a24 ] + +Linus reported the following boot warning: + + WARNING: CPU: 0 PID: 0 at arch/x86/include/asm/tlbflush.h:134 load_new_mm_cr3+0x114/0x170 + [...] + Call Trace: + switch_mm_irqs_off+0x267/0x590 + switch_mm+0xe/0x20 + efi_switch_mm+0x3e/0x50 + efi_enter_virtual_mode+0x43f/0x4da + start_kernel+0x3bf/0x458 + secondary_startup_64+0xa5/0xb0 + +... after merging: + + 03781e40890c: x86/efi: Use efi_switch_mm() rather than manually twiddling with %cr3 + +When the platform supports PCID and if CONFIG_DEBUG_VM=y is enabled, +build_cr3_noflush() (called via switch_mm()) does a sanity check to see +if X86_FEATURE_PCID is set. + +Presently, build_cr3_noflush() uses "this_cpu_has(X86_FEATURE_PCID)" to +perform the check but this_cpu_has() works only after SMP is initialized +(i.e. per cpu cpu_info's should be populated) and this happens to be very +late in the boot process (during rest_init()). + +As efi_runtime_services() are called during (early) kernel boot time +and run time, modify build_cr3_noflush() to use boot_cpu_has() all the +time. As suggested by Dave Hansen, this should be OK because all CPU's have +same capabilities on x86. + +With this change the warning is fixed. + +( Dave also suggested that we put a warning in this_cpu_has() if it's used + early in the boot process. This is still work in progress as it affects + MCE. ) + +Reported-by: Linus Torvalds +Signed-off-by: Sai Praneeth Prakhya +Cc: Andrew Morton +Cc: Andy Lutomirski +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Lee Chun-Yi +Cc: Matt Fleming +Cc: Michael S. Tsirkin +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Ravi Shankar +Cc: Ricardo Neri +Cc: Thomas Gleixner +Cc: Tony Luck +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/1522870459-7432-1-git-send-email-sai.praneeth.prakhya@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/tlbflush.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/tlbflush.h ++++ b/arch/x86/include/asm/tlbflush.h +@@ -131,7 +131,12 @@ static inline unsigned long build_cr3(pg + static inline unsigned long build_cr3_noflush(pgd_t *pgd, u16 asid) + { + VM_WARN_ON_ONCE(asid > MAX_ASID_AVAILABLE); +- VM_WARN_ON_ONCE(!this_cpu_has(X86_FEATURE_PCID)); ++ /* ++ * Use boot_cpu_has() instead of this_cpu_has() as this function ++ * might be called during early boot. This should work even after ++ * boot because all CPU's the have same capabilities: ++ */ ++ VM_WARN_ON_ONCE(!boot_cpu_has(X86_FEATURE_PCID)); + return __sme_pa(pgd) | kern_pcid(asid) | CR3_NOFLUSH; + } + diff --git a/queue-4.14/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch b/queue-4.14/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch new file mode 100644 index 00000000000..0192d664fc4 --- /dev/null +++ b/queue-4.14/x86-pgtable-don-t-set-huge-pud-pmd-on-non-leaf-entries.patch @@ -0,0 +1,99 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Joerg Roedel +Date: Wed, 11 Apr 2018 17:24:38 +0200 +Subject: x86/pgtable: Don't set huge PUD/PMD on non-leaf entries + +From: Joerg Roedel + +[ Upstream commit e3e288121408c3abeed5af60b87b95c847143845 ] + +The pmd_set_huge() and pud_set_huge() functions are used from +the generic ioremap() code to establish large mappings where this +is possible. + +But the generic ioremap() code does not check whether the +PMD/PUD entries are already populated with a non-leaf entry, +so that any page-table pages these entries point to will be +lost. + +Further, on x86-32 with SHARED_KERNEL_PMD=0, this causes a +BUG_ON() in vmalloc_sync_one() when PMD entries are synced +from swapper_pg_dir to the current page-table. This happens +because the PMD entry from swapper_pg_dir was promoted to a +huge-page entry while the current PGD still contains the +non-leaf entry. Because both entries are present and point +to a different page, the BUG_ON() triggers. + +This was actually triggered with pti-x32 enabled in a KVM +virtual machine by the graphics driver. + +A real and better fix for that would be to improve the +page-table handling in the generic ioremap() code. But that is +out-of-scope for this patch-set and left for later work. + +Reported-by: David H. Gutteridge +Signed-off-by: Joerg Roedel +Reviewed-by: Thomas Gleixner +Cc: Andrea Arcangeli +Cc: Andy Lutomirski +Cc: Boris Ostrovsky +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Dave Hansen +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Jiri Kosina +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Linus Torvalds +Cc: Pavel Machek +Cc: Peter Zijlstra +Cc: Waiman Long +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180411152437.GC15462@8bytes.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/pgtable.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -1,6 +1,7 @@ + // SPDX-License-Identifier: GPL-2.0 + #include + #include ++#include + #include + #include + #include +@@ -636,6 +637,10 @@ int pud_set_huge(pud_t *pud, phys_addr_t + (mtrr != MTRR_TYPE_WRBACK)) + return 0; + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pud_present(*pud) && !pud_huge(*pud)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pud, pfn_pte( +@@ -664,6 +669,10 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t + return 0; + } + ++ /* Bail out if we are we on a populated non-leaf entry: */ ++ if (pmd_present(*pmd) && !pmd_huge(*pmd)) ++ return 0; ++ + prot = pgprot_4k_2_large(prot); + + set_pte((pte_t *)pmd, pfn_pte( diff --git a/queue-4.14/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch b/queue-4.14/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch new file mode 100644 index 00000000000..e1250e902dc --- /dev/null +++ b/queue-4.14/x86-topology-update-the-cpu-cores-field-in-proc-cpuinfo-correctly-across-cpu-hotplug-operations.patch @@ -0,0 +1,53 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Samuel Neves +Date: Wed, 21 Feb 2018 20:50:36 +0000 +Subject: x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations + +From: Samuel Neves + +[ Upstream commit 4596749339e06dc7a424fc08a15eded850ed78b7 ] + +Without this fix, /proc/cpuinfo will display an incorrect amount +of CPU cores, after bringing them offline and online again, as +exemplified below: + + $ cat /proc/cpuinfo | grep cores + cpu cores : 4 + cpu cores : 8 + cpu cores : 8 + cpu cores : 20 + cpu cores : 4 + cpu cores : 3 + cpu cores : 2 + cpu cores : 2 + +This patch fixes this by always zeroing the booted_cores variable +upon turning off a logical CPU. + +Tested-by: Dou Liyang +Signed-off-by: Samuel Neves +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: jgross@suse.com +Cc: luto@kernel.org +Cc: prarit@redhat.com +Cc: vkuznets@redhat.com +Link: http://lkml.kernel.org/r/20180221205036.5244-1-sneves@dei.uc.pt +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/smpboot.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1521,6 +1521,7 @@ static void remove_siblinginfo(int cpu) + cpumask_clear(topology_core_cpumask(cpu)); + c->phys_proc_id = 0; + c->cpu_core_id = 0; ++ c->booted_cores = 0; + cpumask_clear_cpu(cpu, cpu_sibling_setup_mask); + recompute_smt_state(); + } diff --git a/queue-4.14/xen-acpi-off-by-one-in-read_acpi_id.patch b/queue-4.14/xen-acpi-off-by-one-in-read_acpi_id.patch new file mode 100644 index 00000000000..109f9e119fd --- /dev/null +++ b/queue-4.14/xen-acpi-off-by-one-in-read_acpi_id.patch @@ -0,0 +1,39 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Dan Carpenter +Date: Thu, 29 Mar 2018 12:01:53 +0300 +Subject: xen/acpi: off by one in read_acpi_id() + +From: Dan Carpenter + +[ Upstream commit c37a3c94775855567b90f91775b9691e10bd2806 ] + +If acpi_id is == nr_acpi_bits, then we access one element beyond the end +of the acpi_psd[] array or we set one bit beyond the end of the bit map +when we do __set_bit(acpi_id, acpi_id_present); + +Fixes: 59a568029181 ("xen/acpi-processor: C and P-state driver that uploads said data to hypervisor.") +Signed-off-by: Dan Carpenter +Reviewed-by: Joao Martins +Reviewed-by: Juergen Gross +Signed-off-by: Boris Ostrovsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xen-acpi-processor.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/xen/xen-acpi-processor.c ++++ b/drivers/xen/xen-acpi-processor.c +@@ -362,9 +362,9 @@ read_acpi_id(acpi_handle handle, u32 lvl + } + /* There are more ACPI Processor objects than in x2APIC or MADT. + * This can happen with incorrect ACPI SSDT declerations. */ +- if (acpi_id > nr_acpi_bits) { +- pr_debug("We only have %u, trying to set %u\n", +- nr_acpi_bits, acpi_id); ++ if (acpi_id >= nr_acpi_bits) { ++ pr_debug("max acpi id %u, trying to set %u\n", ++ nr_acpi_bits - 1, acpi_id); + return AE_OK; + } + /* OK, There is a ACPI Processor object */ diff --git a/queue-4.14/xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch b/queue-4.14/xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch new file mode 100644 index 00000000000..ead7ea17bf3 --- /dev/null +++ b/queue-4.14/xen-blkfront-move-negotiate_mq-to-cover-all-cases-of-new-vbds.patch @@ -0,0 +1,75 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Bhavesh Davda +Date: Fri, 22 Dec 2017 14:17:13 -0800 +Subject: xen-blkfront: move negotiate_mq to cover all cases of new VBDs + +From: Bhavesh Davda + +[ Upstream commit 7ed8ce1c5fc7cf25b3602c73bef897a3466a6645 ] + +negotiate_mq should happen in all cases of a new VBD being discovered by +xen-blkfront, whether called through _probe() or a hot-attached new VBD +from dom-0 via xenstore. Otherwise, hot-attached new VBDs are left +configured without multi-queue. + +Signed-off-by: Bhavesh Davda +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/xen-blkfront.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -262,6 +262,7 @@ static DEFINE_SPINLOCK(minor_lock); + + static int blkfront_setup_indirect(struct blkfront_ring_info *rinfo); + static void blkfront_gather_backend_features(struct blkfront_info *info); ++static int negotiate_mq(struct blkfront_info *info); + + static int get_id_from_freelist(struct blkfront_ring_info *rinfo) + { +@@ -1774,11 +1775,18 @@ static int talk_to_blkback(struct xenbus + unsigned int i, max_page_order; + unsigned int ring_page_order; + ++ if (!info) ++ return -ENODEV; ++ + max_page_order = xenbus_read_unsigned(info->xbdev->otherend, + "max-ring-page-order", 0); + ring_page_order = min(xen_blkif_max_ring_order, max_page_order); + info->nr_ring_pages = 1 << ring_page_order; + ++ err = negotiate_mq(info); ++ if (err) ++ goto destroy_blkring; ++ + for (i = 0; i < info->nr_rings; i++) { + struct blkfront_ring_info *rinfo = &info->rinfo[i]; + +@@ -1978,11 +1986,6 @@ static int blkfront_probe(struct xenbus_ + } + + info->xbdev = dev; +- err = negotiate_mq(info); +- if (err) { +- kfree(info); +- return err; +- } + + mutex_init(&info->mutex); + info->vdevice = vdevice; +@@ -2099,10 +2102,6 @@ static int blkfront_resume(struct xenbus + + blkif_free(info, info->connected == BLKIF_STATE_CONNECTED); + +- err = negotiate_mq(info); +- if (err) +- return err; +- + err = talk_to_blkback(dev, info); + if (!err) + blk_mq_update_nr_hw_queues(&info->tag_set, info->nr_rings); diff --git a/queue-4.14/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch b/queue-4.14/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch new file mode 100644 index 00000000000..c9774245e97 --- /dev/null +++ b/queue-4.14/xen-pirq-fix-error-path-cleanup-when-binding-msis.patch @@ -0,0 +1,44 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Roger Pau Monne +Date: Wed, 28 Feb 2018 09:19:03 +0000 +Subject: xen/pirq: fix error path cleanup when binding MSIs + +From: Roger Pau Monne + +[ Upstream commit 910f8befdf5bccf25287d9f1743e3e546bcb7ce0 ] + +Current cleanup in the error path of xen_bind_pirq_msi_to_irq is +wrong. First of all there's an off-by-one in the cleanup loop, which +can lead to unbinding wrong IRQs. + +Secondly IRQs not bound won't be freed, thus leaking IRQ numbers. + +Note that there's no need to differentiate between bound and unbound +IRQs when freeing them, __unbind_from_irq will deal with both of them +correctly. + +Fixes: 4892c9b4ada9f9 ("xen: add support for MSI message groups") +Reported-by: Hooman Mirhadi +Signed-off-by: Roger Pau Monné +Reviewed-by: Amit Shah +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/events/events_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -755,8 +755,8 @@ out: + mutex_unlock(&irq_mapping_update_lock); + return irq; + error_irq: +- for (; i >= 0; i--) +- __unbind_from_irq(irq + i); ++ while (nvec--) ++ __unbind_from_irq(irq + nvec); + mutex_unlock(&irq_mapping_update_lock); + return ret; + } diff --git a/queue-4.14/xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch b/queue-4.14/xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch new file mode 100644 index 00000000000..2ba2c45d0bd --- /dev/null +++ b/queue-4.14/xen-pvcalls-fix-null-pointer-dereference-on-map-sock.patch @@ -0,0 +1,35 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Colin Ian King +Date: Thu, 22 Feb 2018 17:22:59 +0000 +Subject: xen/pvcalls: fix null pointer dereference on map->sock + +From: Colin Ian King + +[ Upstream commit 68d2059be660944152ba667e43c3b4ec225974bc ] + +Currently if map is null then a potential null pointer deference +occurs when calling sock_release on map->sock. I believe the +actual intention was to call sock_release on sock instead. Fix +this. + +Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command") +Signed-off-by: Colin Ian King +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/pvcalls-back.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -424,7 +424,7 @@ static int pvcalls_back_connect(struct x + sock); + if (!map) { + ret = -EFAULT; +- sock_release(map->sock); ++ sock_release(sock); + } + + out: diff --git a/queue-4.14/xen-xenbus-use-put_device-instead-of-kfree.patch b/queue-4.14/xen-xenbus-use-put_device-instead-of-kfree.patch new file mode 100644 index 00000000000..56010572b87 --- /dev/null +++ b/queue-4.14/xen-xenbus-use-put_device-instead-of-kfree.patch @@ -0,0 +1,37 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Arvind Yadav +Date: Tue, 6 Mar 2018 15:40:37 +0530 +Subject: xen: xenbus: use put_device() instead of kfree() + +From: Arvind Yadav + +[ Upstream commit 351b2bccede1cb673ec7957b35ea997ea24c8884 ] + +Never directly free @dev after calling device_register(), even +if it returned an error! Always use put_device() to give up the +reference initialized. + +Signed-off-by: Arvind Yadav +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenbus/xenbus_probe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -466,8 +466,11 @@ int xenbus_probe_node(struct xen_bus_typ + + /* Register with generic device framework. */ + err = device_register(&xendev->dev); +- if (err) ++ if (err) { ++ put_device(&xendev->dev); ++ xendev = NULL; + goto fail; ++ } + + return 0; + fail: diff --git a/queue-4.14/xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch b/queue-4.14/xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch new file mode 100644 index 00000000000..1c42f8eaeb8 --- /dev/null +++ b/queue-4.14/xfrm-do-not-call-rcu_read_unlock-when-afinfo-is-null-in-xfrm_get_tos.patch @@ -0,0 +1,41 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xin Long +Date: Sat, 17 Feb 2018 15:16:22 +0800 +Subject: xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos + +From: Xin Long + +[ Upstream commit 143a4454daaf0e80a2b9f37159a0d6d2b61e64ed ] + +When xfrm_policy_get_afinfo returns NULL, it will not hold rcu +read lock. In this case, rcu_read_unlock should not be called +in xfrm_get_tos, just like other places where it's calling +xfrm_policy_get_afinfo. + +Fixes: f5e2bb4f5b22 ("xfrm: policy: xfrm_get_tos cannot fail") +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_policy.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1459,10 +1459,13 @@ xfrm_tmpl_resolve(struct xfrm_policy **p + static int xfrm_get_tos(const struct flowi *fl, int family) + { + const struct xfrm_policy_afinfo *afinfo; +- int tos = 0; ++ int tos; + + afinfo = xfrm_policy_get_afinfo(family); +- tos = afinfo ? afinfo->get_tos(fl) : 0; ++ if (!afinfo) ++ return 0; ++ ++ tos = afinfo->get_tos(fl); + + rcu_read_unlock(); + diff --git a/queue-4.14/xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch b/queue-4.14/xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch new file mode 100644 index 00000000000..4c1175f3b68 --- /dev/null +++ b/queue-4.14/xfrm-fix-esn-sequence-number-handling-for-ipsec-gso-packets.patch @@ -0,0 +1,34 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Steffen Klassert +Date: Wed, 28 Feb 2018 09:23:19 +0100 +Subject: xfrm: Fix ESN sequence number handling for IPsec GSO packets. + +From: Steffen Klassert + +[ Upstream commit b8b549eec8187ac1b12075d69a2d84d89b5e811a ] + +When IPsec offloading was introduced, we accidentally incremented +the sequence number counter on the xfrm_state by one packet +too much in the ESN case. This leads to a sequence number gap of +one packet after each GSO packet. Fix this by setting the sequence +number to the correct value. + +Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading") +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_replay.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_replay.c ++++ b/net/xfrm/xfrm_replay.c +@@ -658,7 +658,7 @@ static int xfrm_replay_overflow_offload_ + } else { + XFRM_SKB_CB(skb)->seq.output.low = oseq + 1; + XFRM_SKB_CB(skb)->seq.output.hi = oseq_hi; +- xo->seq.low = oseq = oseq + 1; ++ xo->seq.low = oseq + 1; + xo->seq.hi = oseq_hi; + oseq += skb_shinfo(skb)->gso_segs; + } diff --git a/queue-4.14/xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch b/queue-4.14/xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch new file mode 100644 index 00000000000..431e5d526fd --- /dev/null +++ b/queue-4.14/xfrm-fix-rcu_read_unlock-usage-in-xfrm_local_error.patch @@ -0,0 +1,36 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Taehee Yoo +Date: Fri, 16 Mar 2018 11:35:51 +0900 +Subject: xfrm: fix rcu_read_unlock usage in xfrm_local_error + +From: Taehee Yoo + +[ Upstream commit 46c0ef6e1eb95f619d9f62da4332749153db92f7 ] + +In the xfrm_local_error, rcu_read_unlock should be called when afinfo +is not NULL. because xfrm_state_get_afinfo calls rcu_read_unlock +if afinfo is NULL. + +Fixes: af5d27c4e12b ("xfrm: remove xfrm_state_put_afinfo") +Signed-off-by: Taehee Yoo +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_output.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -285,8 +285,9 @@ void xfrm_local_error(struct sk_buff *sk + return; + + afinfo = xfrm_state_get_afinfo(proto); +- if (afinfo) ++ if (afinfo) { + afinfo->local_error(skb, mtu); +- rcu_read_unlock(); ++ rcu_read_unlock(); ++ } + } + EXPORT_SYMBOL_GPL(xfrm_local_error); diff --git a/queue-4.14/xfrm-fix-transport-mode-skb-control-buffer-usage.patch b/queue-4.14/xfrm-fix-transport-mode-skb-control-buffer-usage.patch new file mode 100644 index 00000000000..b230e080a68 --- /dev/null +++ b/queue-4.14/xfrm-fix-transport-mode-skb-control-buffer-usage.patch @@ -0,0 +1,40 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Steffen Klassert +Date: Mon, 19 Mar 2018 07:15:39 +0100 +Subject: xfrm: Fix transport mode skb control buffer usage. + +From: Steffen Klassert + +[ Upstream commit 9a3fb9fb84cc30577c1b012a6a3efda944684291 ] + +A recent commit introduced a new struct xfrm_trans_cb +that is used with the sk_buff control buffer. Unfortunately +it placed the structure in front of the control buffer and +overlooked that the IPv4/IPv6 control buffer is still needed +for some layer 4 protocols. As a result the IPv4/IPv6 control +buffer is overwritten with this structure. Fix this by setting +a apropriate header in front of the structure. + +Fixes acf568ee859f ("xfrm: Reinject transport-mode packets ...") +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_input.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -26,6 +26,12 @@ struct xfrm_trans_tasklet { + }; + + struct xfrm_trans_cb { ++ union { ++ struct inet_skb_parm h4; ++#if IS_ENABLED(CONFIG_IPV6) ++ struct inet6_skb_parm h6; ++#endif ++ } header; + int (*finish)(struct net *net, struct sock *sk, struct sk_buff *skb); + }; + diff --git a/queue-4.14/xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch b/queue-4.14/xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch new file mode 100644 index 00000000000..2ffac76734d --- /dev/null +++ b/queue-4.14/xhci-workaround-for-amd-promontory-disabled-ports-wakeup.patch @@ -0,0 +1,227 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Joe Lee +Date: Mon, 12 Feb 2018 14:24:46 +0200 +Subject: xhci: workaround for AMD Promontory disabled ports wakeup + +From: Joe Lee + +[ Upstream commit bde0716d1f076e4c913c7946bcc858f71243c7a0 ] + +For AMD Promontory xHCI host, although you can disable USB ports in +BIOS settings, those ports will be enabled anyway after you remove a +device on that port and re-plug it in again. It's a known limitation of +the chip. As a workaround we can clear the PORT_WAKE_BITS. + +[commit and code comment rephrasing -Mathias] +Signed-off-by: Joe Lee +Signed-off-by: Mathias Nyman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/pci-quirks.c | 109 ++++++++++++++++++++++++++++++++++++++++++ + drivers/usb/host/pci-quirks.h | 5 + + drivers/usb/host/xhci-hub.c | 7 ++ + drivers/usb/host/xhci-pci.c | 11 ++++ + drivers/usb/host/xhci.h | 2 + 5 files changed, 133 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -65,6 +65,23 @@ + #define AX_INDXC 0x30 + #define AX_DATAC 0x34 + ++#define PT_ADDR_INDX 0xE8 ++#define PT_READ_INDX 0xE4 ++#define PT_SIG_1_ADDR 0xA520 ++#define PT_SIG_2_ADDR 0xA521 ++#define PT_SIG_3_ADDR 0xA522 ++#define PT_SIG_4_ADDR 0xA523 ++#define PT_SIG_1_DATA 0x78 ++#define PT_SIG_2_DATA 0x56 ++#define PT_SIG_3_DATA 0x34 ++#define PT_SIG_4_DATA 0x12 ++#define PT4_P1_REG 0xB521 ++#define PT4_P2_REG 0xB522 ++#define PT2_P1_REG 0xD520 ++#define PT2_P2_REG 0xD521 ++#define PT1_P1_REG 0xD522 ++#define PT1_P2_REG 0xD523 ++ + #define NB_PCIE_INDX_ADDR 0xe0 + #define NB_PCIE_INDX_DATA 0xe4 + #define PCIE_P_CNTL 0x10040 +@@ -512,6 +529,98 @@ void usb_amd_dev_put(void) + EXPORT_SYMBOL_GPL(usb_amd_dev_put); + + /* ++ * Check if port is disabled in BIOS on AMD Promontory host. ++ * BIOS Disabled ports may wake on connect/disconnect and need ++ * driver workaround to keep them disabled. ++ * Returns true if port is marked disabled. ++ */ ++bool usb_amd_pt_check_port(struct device *device, int port) ++{ ++ unsigned char value, port_shift; ++ struct pci_dev *pdev; ++ u16 reg; ++ ++ pdev = to_pci_dev(device); ++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_1_ADDR); ++ ++ pci_read_config_byte(pdev, PT_READ_INDX, &value); ++ if (value != PT_SIG_1_DATA) ++ return false; ++ ++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_2_ADDR); ++ ++ pci_read_config_byte(pdev, PT_READ_INDX, &value); ++ if (value != PT_SIG_2_DATA) ++ return false; ++ ++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_3_ADDR); ++ ++ pci_read_config_byte(pdev, PT_READ_INDX, &value); ++ if (value != PT_SIG_3_DATA) ++ return false; ++ ++ pci_write_config_word(pdev, PT_ADDR_INDX, PT_SIG_4_ADDR); ++ ++ pci_read_config_byte(pdev, PT_READ_INDX, &value); ++ if (value != PT_SIG_4_DATA) ++ return false; ++ ++ /* Check disabled port setting, if bit is set port is enabled */ ++ switch (pdev->device) { ++ case 0x43b9: ++ case 0x43ba: ++ /* ++ * device is AMD_PROMONTORYA_4(0x43b9) or PROMONTORYA_3(0x43ba) ++ * PT4_P1_REG bits[7..1] represents USB2.0 ports 6 to 0 ++ * PT4_P2_REG bits[6..0] represents ports 13 to 7 ++ */ ++ if (port > 6) { ++ reg = PT4_P2_REG; ++ port_shift = port - 7; ++ } else { ++ reg = PT4_P1_REG; ++ port_shift = port + 1; ++ } ++ break; ++ case 0x43bb: ++ /* ++ * device is AMD_PROMONTORYA_2(0x43bb) ++ * PT2_P1_REG bits[7..5] represents USB2.0 ports 2 to 0 ++ * PT2_P2_REG bits[5..0] represents ports 9 to 3 ++ */ ++ if (port > 2) { ++ reg = PT2_P2_REG; ++ port_shift = port - 3; ++ } else { ++ reg = PT2_P1_REG; ++ port_shift = port + 5; ++ } ++ break; ++ case 0x43bc: ++ /* ++ * device is AMD_PROMONTORYA_1(0x43bc) ++ * PT1_P1_REG[7..4] represents USB2.0 ports 3 to 0 ++ * PT1_P2_REG[5..0] represents ports 9 to 4 ++ */ ++ if (port > 3) { ++ reg = PT1_P2_REG; ++ port_shift = port - 4; ++ } else { ++ reg = PT1_P1_REG; ++ port_shift = port + 4; ++ } ++ break; ++ default: ++ return false; ++ } ++ pci_write_config_word(pdev, PT_ADDR_INDX, reg); ++ pci_read_config_byte(pdev, PT_READ_INDX, &value); ++ ++ return !(value & BIT(port_shift)); ++} ++EXPORT_SYMBOL_GPL(usb_amd_pt_check_port); ++ ++/* + * Make sure the controller is completely inactive, unable to + * generate interrupts or do DMA. + */ +--- a/drivers/usb/host/pci-quirks.h ++++ b/drivers/usb/host/pci-quirks.h +@@ -17,6 +17,7 @@ void usb_enable_intel_xhci_ports(struct + void usb_disable_xhci_ports(struct pci_dev *xhci_pdev); + void sb800_prefetch(struct device *dev, int on); + bool usb_xhci_needs_pci_reset(struct pci_dev *pdev); ++bool usb_amd_pt_check_port(struct device *device, int port); + #else + struct pci_dev; + static inline void usb_amd_quirk_pll_disable(void) {} +@@ -25,6 +26,10 @@ static inline void usb_asmedia_modifyflo + static inline void usb_amd_dev_put(void) {} + static inline void usb_disable_xhci_ports(struct pci_dev *xhci_pdev) {} + static inline void sb800_prefetch(struct device *dev, int on) {} ++static inline bool usb_amd_pt_check_port(struct device *device, int port) ++{ ++ return false; ++} + #endif /* CONFIG_USB_PCI */ + + #endif /* __LINUX_USB_PCI_QUIRKS_H */ +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -1531,6 +1531,13 @@ int xhci_bus_suspend(struct usb_hcd *hcd + t2 |= PORT_WKOC_E | PORT_WKCONN_E; + t2 &= ~PORT_WKDISC_E; + } ++ ++ if ((xhci->quirks & XHCI_U2_DISABLE_WAKE) && ++ (hcd->speed < HCD_USB3)) { ++ if (usb_amd_pt_check_port(hcd->self.controller, ++ port_index)) ++ t2 &= ~PORT_WAKE_BITS; ++ } + } else + t2 &= ~PORT_WAKE_BITS; + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -54,6 +54,10 @@ + #define PCI_DEVICE_ID_INTEL_APL_XHCI 0x5aa8 + #define PCI_DEVICE_ID_INTEL_DNV_XHCI 0x19d0 + ++#define PCI_DEVICE_ID_AMD_PROMONTORYA_4 0x43b9 ++#define PCI_DEVICE_ID_AMD_PROMONTORYA_3 0x43ba ++#define PCI_DEVICE_ID_AMD_PROMONTORYA_2 0x43bb ++#define PCI_DEVICE_ID_AMD_PROMONTORYA_1 0x43bc + #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI 0x1142 + + static const char hcd_name[] = "xhci_hcd"; +@@ -143,6 +147,13 @@ static void xhci_pci_quirks(struct devic + if (pdev->vendor == PCI_VENDOR_ID_AMD) + xhci->quirks |= XHCI_TRUST_TX_LENGTH; + ++ if ((pdev->vendor == PCI_VENDOR_ID_AMD) && ++ ((pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_4) || ++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_3) || ++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_2) || ++ (pdev->device == PCI_DEVICE_ID_AMD_PROMONTORYA_1))) ++ xhci->quirks |= XHCI_U2_DISABLE_WAKE; ++ + if (pdev->vendor == PCI_VENDOR_ID_INTEL) { + xhci->quirks |= XHCI_LPM_SUPPORT; + xhci->quirks |= XHCI_INTEL_HOST; +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1829,7 +1829,7 @@ struct xhci_hcd { + /* For controller with a broken Port Disable implementation */ + #define XHCI_BROKEN_PORT_PED (1 << 25) + #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26) +-/* Reserved. It was XHCI_U2_DISABLE_WAKE */ ++#define XHCI_U2_DISABLE_WAKE (1 << 27) + #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL (1 << 28) + #define XHCI_SUSPEND_DELAY (1 << 30) + diff --git a/queue-4.14/z3fold-fix-memory-leak.patch b/queue-4.14/z3fold-fix-memory-leak.patch new file mode 100644 index 00000000000..d3f643978bd --- /dev/null +++ b/queue-4.14/z3fold-fix-memory-leak.patch @@ -0,0 +1,61 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Xidong Wang +Date: Tue, 10 Apr 2018 16:29:34 -0700 +Subject: z3fold: fix memory leak + +From: Xidong Wang + +[ Upstream commit 1ec6995d1290bfb87cc3a51f0836c889e857cef9 ] + +In z3fold_create_pool(), the memory allocated by __alloc_percpu() is not +released on the error path that pool->compact_wq , which holds the +return value of create_singlethread_workqueue(), is NULL. This will +result in a memory leak bug. + +[akpm@linux-foundation.org: fix oops on kzalloc() failure, check __alloc_percpu() retval] +Link: http://lkml.kernel.org/r/1522803111-29209-1-git-send-email-wangxidong_97@163.com +Signed-off-by: Xidong Wang +Reviewed-by: Andrew Morton +Cc: Vitaly Wool +Cc: Mike Rapoport +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/z3fold.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/mm/z3fold.c ++++ b/mm/z3fold.c +@@ -469,6 +469,8 @@ static struct z3fold_pool *z3fold_create + spin_lock_init(&pool->lock); + spin_lock_init(&pool->stale_lock); + pool->unbuddied = __alloc_percpu(sizeof(struct list_head)*NCHUNKS, 2); ++ if (!pool->unbuddied) ++ goto out_pool; + for_each_possible_cpu(cpu) { + struct list_head *unbuddied = + per_cpu_ptr(pool->unbuddied, cpu); +@@ -481,7 +483,7 @@ static struct z3fold_pool *z3fold_create + pool->name = name; + pool->compact_wq = create_singlethread_workqueue(pool->name); + if (!pool->compact_wq) +- goto out; ++ goto out_unbuddied; + pool->release_wq = create_singlethread_workqueue(pool->name); + if (!pool->release_wq) + goto out_wq; +@@ -491,8 +493,11 @@ static struct z3fold_pool *z3fold_create + + out_wq: + destroy_workqueue(pool->compact_wq); +-out: ++out_unbuddied: ++ free_percpu(pool->unbuddied); ++out_pool: + kfree(pool); ++out: + return NULL; + } + diff --git a/queue-4.14/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch b/queue-4.14/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch new file mode 100644 index 00000000000..2b2e6ba21e6 --- /dev/null +++ b/queue-4.14/zorro-set-up-z-dev.dma_mask-for-the-dma-api.patch @@ -0,0 +1,55 @@ +From foo@baz Sun May 27 16:52:54 CEST 2018 +From: Michael Schmitz +Date: Sat, 3 Mar 2018 12:04:13 +1300 +Subject: zorro: Set up z->dev.dma_mask for the DMA API + +From: Michael Schmitz + +[ Upstream commit 55496d3fe2acd1a365c43cbd613a20ecd4d74395 ] + +The generic DMA API uses dev->dma_mask to check the DMA addressable +memory bitmask, and warns if no mask is set or even allocated. + +Set z->dev.dma_coherent_mask on Zorro bus scan, and make z->dev.dma_mask +to point to z->dev.dma_coherent_mask so device drivers that need DMA have +everything set up to avoid warnings from dma_alloc_coherent(). Drivers can +still use dma_set_mask_and_coherent() to explicitly set their DMA bit mask. + +Signed-off-by: Michael Schmitz +[geert: Handle Zorro II with 24-bit address space] +Acked-by: Christoph Hellwig +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/zorro/zorro.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/zorro/zorro.c ++++ b/drivers/zorro/zorro.c +@@ -16,6 +16,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -185,6 +186,17 @@ static int __init amiga_zorro_probe(stru + z->dev.parent = &bus->dev; + z->dev.bus = &zorro_bus_type; + z->dev.id = i; ++ switch (z->rom.er_Type & ERT_TYPEMASK) { ++ case ERT_ZORROIII: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(32); ++ break; ++ ++ case ERT_ZORROII: ++ default: ++ z->dev.coherent_dma_mask = DMA_BIT_MASK(24); ++ break; ++ } ++ z->dev.dma_mask = &z->dev.coherent_dma_mask; + } + + /* ... then register them */ -- 2.47.2