From f93ee91bbdc5aa8fc9f17b925a1aa0f34359efc6 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 18 Jul 2017 17:15:42 +0200 Subject: [PATCH] 4.12-stable patches added patches: cfg80211-check-if-nan-service-id-is-of-expected-size.patch cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch kernel-extable.c-mark-core_kernel_text-notrace.patch kvm-arm64-fix-phy-counter-access-failure-in-guest.patch kvm-avoid-unused-variable-warning-for-up-builds.patch kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch kvm-vfio-decouple-only-when-we-match-a-group.patch mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch parisc-mm-ensure-irqs-are-off-in-switch_mm.patch parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch parisc-use-compat_sys_keyctl.patch thp-mm-fix-crash-due-race-in-madv_free-handling.patch tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch --- ...f-nan-service-id-is-of-expected-size.patch | 41 ++++ ...-pmkid-attribute-is-of-expected-size.patch | 42 ++++ ...r-nl80211_attr_local_mesh_power_mode.patch | 36 ++++ ...ted-in-nl80211_attr_scan_frequencies.patch | 41 ++++ ...config_optimize_inlining-is-disabled.patch | 95 ++++++++ ...pu-gfx6-properly-cache-mc_arb_ramcfg.patch | 31 +++ ...-table-only-if-efi_memmap-is-enabled.patch | 45 ++++ ...c-fix-spin-lockup-issue-on-nlru-lock.patch | 80 +++++++ ...-of-bound-access-in-gic_set_affinity.patch | 72 +++++++ 
...able.c-mark-core_kernel_text-notrace.patch | 62 ++++++ ...-phy-counter-access-failure-in-guest.patch | 49 +++++ ...nused-variable-warning-for-up-builds.patch | 71 ++++++ ...po-in-xics-on-xive-state-saving-code.patch | 77 +++++++ ...-decouple-only-when-we-match-a-group.patch | 54 +++++ ...-list_lru_count_node-to-be-race-free.patch | 87 ++++++++ ...f-bug_on-for-dma-ops-on-non-dma-devs.patch | 204 ++++++++++++++++++ ...-mm-ensure-irqs-are-off-in-switch_mm.patch | 56 +++++ ...-of-sigbus-when-running-out-of-stack.patch | 40 ++++ queue-4.12/parisc-use-compat_sys_keyctl.patch | 33 +++ queue-4.12/series | 22 ++ ...crash-due-race-in-madv_free-handling.patch | 77 +++++++ ...o-avoid-overflowing-lock_chain-depth.patch | 53 +++++ ...y-the-efi-struct-members-used-by-xen.patch | 101 +++++++++ 23 files changed, 1469 insertions(+) create mode 100644 queue-4.12/cfg80211-check-if-nan-service-id-is-of-expected-size.patch create mode 100644 queue-4.12/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch create mode 100644 queue-4.12/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch create mode 100644 queue-4.12/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch create mode 100644 queue-4.12/compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch create mode 100644 queue-4.12/drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch create mode 100644 queue-4.12/efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch create mode 100644 queue-4.12/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch create mode 100644 queue-4.12/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch create mode 100644 queue-4.12/kernel-extable.c-mark-core_kernel_text-notrace.patch create mode 100644 queue-4.12/kvm-arm64-fix-phy-counter-access-failure-in-guest.patch create mode 100644 queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch create mode 100644 
queue-4.12/kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch
create mode 100644 queue-4.12/kvm-vfio-decouple-only-when-we-match-a-group.patch
create mode 100644 queue-4.12/mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch
create mode 100644 queue-4.12/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
create mode 100644 queue-4.12/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
create mode 100644 queue-4.12/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
create mode 100644 queue-4.12/parisc-use-compat_sys_keyctl.patch
create mode 100644 queue-4.12/thp-mm-fix-crash-due-race-in-madv_free-handling.patch
create mode 100644 queue-4.12/tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
create mode 100644 queue-4.12/x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch
diff --git a/queue-4.12/cfg80211-check-if-nan-service-id-is-of-expected-size.patch b/queue-4.12/cfg80211-check-if-nan-service-id-is-of-expected-size.patch
new file mode 100644
index 00000000000..c41337ce594
--- /dev/null
+++ b/queue-4.12/cfg80211-check-if-nan-service-id-is-of-expected-size.patch
@@ -0,0 +1,41 @@
+From 0a27844ce86d039d74221dd56cd8c0349b146b63 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:40 +0300
+Subject: cfg80211: Check if NAN service ID is of expected size
+
+From: Srinivas Dasari
+
+commit 0a27844ce86d039d74221dd56cd8c0349b146b63 upstream.
+
+nla policy checks for only maximum length of the attribute data when the
+attribute type is NLA_BINARY. If userspace sends less data than
+specified, cfg80211 may access illegal memory. When type is NLA_UNSPEC,
+nla policy check ensures that userspace sends minimum specified length
+number of bytes.
+
+Remove type assignment to NLA_BINARY from nla_policy of
+NL80211_NAN_FUNC_SERVICE_ID to make these NLA_UNSPEC and to make sure
+minimum NL80211_NAN_FUNC_SERVICE_ID_LEN bytes are received from
+userspace with NL80211_NAN_FUNC_SERVICE_ID.
+
+Fixes: a442b761b24 ("cfg80211: add add_nan_func / del_nan_func")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -520,7 +520,7 @@ nl80211_bss_select_policy[NL80211_BSS_SE
+ static const struct nla_policy
+ nl80211_nan_func_policy[NL80211_NAN_FUNC_ATTR_MAX + 1] = {
+ [NL80211_NAN_FUNC_TYPE] = { .type = NLA_U8 },
+- [NL80211_NAN_FUNC_SERVICE_ID] = { .type = NLA_BINARY,
++ [NL80211_NAN_FUNC_SERVICE_ID] = {
+ .len = NL80211_NAN_FUNC_SERVICE_ID_LEN },
+ [NL80211_NAN_FUNC_PUBLISH_TYPE] = { .type = NLA_U8 },
+ [NL80211_NAN_FUNC_PUBLISH_BCAST] = { .type = NLA_FLAG },
diff --git a/queue-4.12/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch b/queue-4.12/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch
new file mode 100644
index 00000000000..0dc2afd06ed
--- /dev/null
+++ b/queue-4.12/cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch
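Review bot: Dropping `.type` makes this policy entry NLA_UNSPEC, for which `.len` is a minimum length enforced by nla_parse() rather than an exact size, so a service ID longer than NL80211_NAN_FUNC_SERVICE_ID_LEN still passes validation and the consumer presumably uses only its first NL80211_NAN_FUNC_SERVICE_ID_LEN bytes; that closes the overread but is weaker than the "expected size" wording of the subject suggests. Because the NLA_UNSPEC type is now implicit (the entry relies on the zero-initialised `.type`), the intent should be written next to the entry, e.g. `/* NLA_UNSPEC + .len: nla_parse() rejects anything shorter than NL80211_NAN_FUNC_SERVICE_ID_LEN; longer payloads are accepted */`. Anyone adding entries to this table should know that NLA_BINARY with `.len` bounds only the maximum.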
@@ -0,0 +1,42 @@
+From 9361df14d1cbf966409d5d6f48bb334384fbe138 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:39 +0300
+Subject: cfg80211: Check if PMKID attribute is of expected size
+
+From: Srinivas Dasari
+
+commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.
+
+nla policy checks for only maximum length of the attribute data
+when the attribute type is NLA_BINARY. If userspace sends less
+data than specified, the wireless drivers may access illegal
+memory. When type is NLA_UNSPEC, nla policy check ensures that
+userspace sends minimum specified length number of bytes.
+
+Remove type assignment to NLA_BINARY from nla_policy of
+NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
+WLAN_PMKID_LEN bytes are received from userspace with
+NL80211_ATTR_PMKID.
+
+Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -291,8 +291,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_WPA_VERSIONS] = { .type = NLA_U32 },
+ [NL80211_ATTR_PID] = { .type = NLA_U32 },
+ [NL80211_ATTR_4ADDR] = { .type = NLA_U8 },
+- [NL80211_ATTR_PMKID] = { .type = NLA_BINARY,
+- .len = WLAN_PMKID_LEN },
++ [NL80211_ATTR_PMKID] = { .len = WLAN_PMKID_LEN },
+ [NL80211_ATTR_DURATION] = { .type = NLA_U32 },
+ [NL80211_ATTR_COOKIE] = { .type = NLA_U64 },
+ [NL80211_ATTR_TX_RATES] = { .type = NLA_NESTED },
diff --git a/queue-4.12/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch b/queue-4.12/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
new file mode 100644
index 00000000000..74e5eaa4021
--- /dev/null
+++ b/queue-4.12/cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
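Review bot: The PMKID pointer handed to drivers now carries a guaranteed minimum of WLAN_PMKID_LEN bytes, but an NLA_UNSPEC `.len` is a lower bound only, so an oversized attribute still passes policy validation and only its first WLAN_PMKID_LEN bytes are presumably meaningful to the driver. If an exact length is what the consumers of NL80211_ATTR_PMKID expect (they are outside this hunk), that caller should compare `nla_len()` against WLAN_PMKID_LEN itself; otherwise a comment on the entry, `/* minimum length only; consumers read exactly WLAN_PMKID_LEN bytes from nla_data() */`, stops the next reader from assuming the policy enforces equality. The same NLA_BINARY-versus-NLA_UNSPEC pitfall applies to any other `.len` entry in this table whose consumer reads a fixed number of bytes, which is worth a sweep in a follow-up.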
@@ -0,0 +1,36 @@
+From 8feb69c7bd89513be80eb19198d48f154b254021 Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:41 +0300
+Subject: cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
+
+From: Srinivas Dasari
+
+commit 8feb69c7bd89513be80eb19198d48f154b254021 upstream.
+
+Buffer overread may happen as nl80211_set_station() reads 4 bytes
+from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
+validating the size of data received when userspace sends less
+than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
+Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
+the buffer overread.
+
+Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -348,6 +348,7 @@ static const struct nla_policy nl80211_p
+ [NL80211_ATTR_SCAN_FLAGS] = { .type = NLA_U32 },
+ [NL80211_ATTR_P2P_CTWINDOW] = { .type = NLA_U8 },
+ [NL80211_ATTR_P2P_OPPPS] = { .type = NLA_U8 },
++ [NL80211_ATTR_LOCAL_MESH_POWER_MODE] = {. type = NLA_U32 },
+ [NL80211_ATTR_ACL_POLICY] = {. type = NLA_U32 },
+ [NL80211_ATTR_MAC_ADDRS] = { .type = NLA_NESTED },
+ [NL80211_ATTR_STA_CAPABILITY] = { .type = NLA_U16 },
diff --git a/queue-4.12/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch b/queue-4.12/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
new file mode 100644
index 00000000000..af0b6ffd752
--- /dev/null
+++ b/queue-4.12/cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
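Review bot: The new entry is written `{. type = NLA_U32 }`, with the space after the dot copied from the neighbouring NL80211_ATTR_ACL_POLICY line, while every other entry in this table uses `{ .type = ... }`; the added line should read `[NL80211_ATTR_LOCAL_MESH_POWER_MODE] = { .type = NLA_U32 },` rather than propagate the odd spacing. Note also that, as far as I recall, validate_nla() treats NLA_U32 as a minimum-length check (at least 4 bytes), which is exactly what the `nla_get_u32()` read in the commit message needs but does not reject longer payloads; the value range is presumably checked in nl80211_set_station(), which is outside this hunk and worth confirming.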
@@ -0,0 +1,41 @@
+From d7f13f7450369281a5d0ea463cc69890a15923ae Mon Sep 17 00:00:00 2001
+From: Srinivas Dasari
+Date: Fri, 7 Jul 2017 01:43:42 +0300
+Subject: cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
+
+From: Srinivas Dasari
+
+commit d7f13f7450369281a5d0ea463cc69890a15923ae upstream.
+
+validate_scan_freqs() retrieves frequencies from attributes
+nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
+nla_get_u32(), which reads 4 bytes from each attribute
+without validating the size of data received. Attributes
+nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
+
+Validate size of each attribute before parsing to avoid potential buffer
+overread.
+
+Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
+Signed-off-by: Srinivas Dasari
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -6470,6 +6470,10 @@ static int validate_scan_freqs(struct nl
+ struct nlattr *attr1, *attr2;
+ int n_channels = 0, tmp1, tmp2;
+
++ nla_for_each_nested(attr1, freqs, tmp1)
++ if (nla_len(attr1) != sizeof(u32))
++ return 0;
++
+ nla_for_each_nested(attr1, freqs, tmp1) {
+ n_channels++;
+ /*
diff --git a/queue-4.12/compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch b/queue-4.12/compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch
new file mode 100644
index 00000000000..71b012252ab
--- /dev/null
+++ b/queue-4.12/compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch
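Review bot: The separate validation pass is needed because the loop that follows (its body is outside this hunk) presumably reads every nested entry with `nla_get_u32()`, including entries the outer loop has not reached yet, so lengths cannot be checked lazily inside that loop; nothing in the code says so, and a later cleanup that merges the two loops would silently reintroduce the overread. I would add `/* every entry is read with nla_get_u32() below, also ahead of the outer loop, so validate all lengths before touching any */` above the new loop. Returning 0 also makes a malformed entry indistinguishable from an invalid frequency list to the caller, which is acceptable but worth a word; validate_scan_freqs() continues past the end of this hunk.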
@@ -0,0 +1,95 @@ +From 9a04dbcfb33b4012d0ce8c0282f1e3ca694675b1 Mon Sep 17 00:00:00 2001 +From: David Rientjes +Date: Thu, 6 Jul 2017 15:35:24 -0700 +Subject: compiler, clang: always inline when CONFIG_OPTIMIZE_INLINING is disabled + +From: David Rientjes + +commit 9a04dbcfb33b4012d0ce8c0282f1e3ca694675b1 upstream. + +The motivation for commit abb2ea7dfd82 ("compiler, clang: suppress +warning for unused static inline functions") was to suppress clang's +warnings about unused static inline functions. + +For configs without CONFIG_OPTIMIZE_INLINING enabled, such as any non-x86 +architecture, `inline' in the kernel implies that +__attribute__((always_inline)) is used. + +Some code depends on that behavior, see + https://lkml.org/lkml/2017/6/13/918: + + net/built-in.o: In function `__xchg_mb': + arch/arm64/include/asm/cmpxchg.h:99: undefined reference to `__compiletime_assert_99' + arch/arm64/include/asm/cmpxchg.h:99: undefined reference to `__compiletime_assert_99 + +The full fix would be to identify these breakages and annotate the +functions with __always_inline instead of `inline'. But since we are +late in the 4.12-rc cycle, simply carry forward the forced inlining +behavior and work toward moving arm64, and other architectures, toward +CONFIG_OPTIMIZE_INLINING behavior. 
+ +Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1706261552200.1075@chino.kir.corp.google.com +Signed-off-by: David Rientjes +Reported-by: Sodagudi Prasad +Tested-by: Sodagudi Prasad +Tested-by: Matthias Kaehlcke +Cc: Mark Rutland +Cc: Will Deacon +Cc: Catalin Marinas +Cc: Ingo Molnar +Cc: Peter Zijlstra +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/compiler-clang.h | 8 -------- + include/linux/compiler-gcc.h | 18 +++++++++++------- + 2 files changed, 11 insertions(+), 15 deletions(-) + +--- a/include/linux/compiler-clang.h ++++ b/include/linux/compiler-clang.h +@@ -15,11 +15,3 @@ + * with any version that can compile the kernel + */ + #define __UNIQUE_ID(prefix) __PASTE(__PASTE(__UNIQUE_ID_, prefix), __COUNTER__) +- +-/* +- * GCC does not warn about unused static inline functions for +- * -Wunused-function. This turns out to avoid the need for complex #ifdef +- * directives. Suppress the warning in clang as well. +- */ +-#undef inline +-#define inline inline __attribute__((unused)) notrace +--- a/include/linux/compiler-gcc.h ++++ b/include/linux/compiler-gcc.h +@@ -66,18 +66,22 @@ + + /* + * Force always-inline if the user requests it so via the .config, +- * or if gcc is too old: ++ * or if gcc is too old. ++ * GCC does not warn about unused static inline functions for ++ * -Wunused-function. This turns out to avoid the need for complex #ifdef ++ * directives. Suppress the warning in clang as well by using "unused" ++ * function attribute, which is redundant but not harmful for gcc. 
+ */ + #if !defined(CONFIG_ARCH_SUPPORTS_OPTIMIZED_INLINING) || \ + !defined(CONFIG_OPTIMIZE_INLINING) || (__GNUC__ < 4) +-#define inline inline __attribute__((always_inline)) notrace +-#define __inline__ __inline__ __attribute__((always_inline)) notrace +-#define __inline __inline __attribute__((always_inline)) notrace ++#define inline inline __attribute__((always_inline,unused)) notrace ++#define __inline__ __inline__ __attribute__((always_inline,unused)) notrace ++#define __inline __inline __attribute__((always_inline,unused)) notrace + #else + /* A lot of inline functions can cause havoc with function tracing */ +-#define inline inline notrace +-#define __inline__ __inline__ notrace +-#define __inline __inline notrace ++#define inline inline __attribute__((unused)) notrace ++#define __inline__ __inline__ __attribute__((unused)) notrace ++#define __inline __inline __attribute__((unused)) notrace + #endif + + #define __always_inline inline __attribute__((always_inline)) diff --git a/queue-4.12/drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch b/queue-4.12/drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch new file mode 100644 index 00000000000..c9ae2fce48d --- /dev/null +++ b/queue-4.12/drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch 
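Review bot: The reason forced inlining must be kept when CONFIG_OPTIMIZE_INLINING is off — the commit message cites arm64's cmpxchg.h relying on `inline` implying always_inline so the `__compiletime_assert_*` references disappear — lives only in the log, while the comment above the `#if` still says just "if the user requests it ... or if gcc is too old". Since compiler-clang.h no longer redefines `inline`, clang now takes this path as well (presumably through its __GNUC__ compatibility defines), so I would extend the comment with `* clang also lands here now that compiler-clang.h no longer redefines inline; some code (e.g. arm64 cmpxchg.h's compiletime_assert) depends on inline meaning always_inline when CONFIG_OPTIMIZE_INLINING is off.` The three parallel `inline`/`__inline__`/`__inline` defines in each branch could also share one helper macro so their attribute lists cannot drift apart again.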
@@ -0,0 +1,31 @@
+From 6653ebd48f493efe3f3598ff3fe7b3d5451665df Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Fri, 2 Jun 2017 16:30:46 -0400
+Subject: drm/amdgpu/gfx6: properly cache mc_arb_ramcfg
+
+From: Alex Deucher
+
+commit 6653ebd48f493efe3f3598ff3fe7b3d5451665df upstream.
+
+This was missing for gfx6.
+
+Acked-by: Huang Rui
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v6_0.c
+@@ -1688,7 +1688,8 @@ static void gfx_v6_0_gpu_init(struct amd
+ WREG32(mmBIF_FB_EN, BIF_FB_EN__FB_READ_EN_MASK | BIF_FB_EN__FB_WRITE_EN_MASK);
+
+ mc_shared_chmap = RREG32(mmMC_SHARED_CHMAP);
+- mc_arb_ramcfg = RREG32(mmMC_ARB_RAMCFG);
++ adev->gfx.config.mc_arb_ramcfg = RREG32(mmMC_ARB_RAMCFG);
++ mc_arb_ramcfg = adev->gfx.config.mc_arb_ramcfg;
+
+ adev->gfx.config.num_tile_pipes = adev->gfx.config.max_tile_pipes;
+ adev->gfx.config.mem_max_burst_length_bytes = 256;
diff --git a/queue-4.12/efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch b/queue-4.12/efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch
new file mode 100644
index 00000000000..cd42d354084
--- /dev/null
+++ b/queue-4.12/efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch
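Review bot: After this change the local `mc_arb_ramcfg` and `adev->gfx.config.mc_arb_ramcfg` hold the same register value for the rest of gfx_v6_0_gpu_init(), so any later write to one of them leaves the other stale; either read the cached field at the remaining use sites or say why the local is kept, e.g. `/* cached in adev->gfx.config for use after gpu_init; the local is a read-only copy */`. `mc_shared_chmap` on the line above remains a bare local, so if the aim is parity with the other gfx generations (not visible in this patch) it is worth checking whether that value needs caching too. The function continues outside this hunk.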
@@ -0,0 +1,45 @@
+From 457ea3f7e97881f937136ce0ba1f29f82b9abdb0 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper
+Date: Thu, 22 Jun 2017 12:51:36 +0200
+Subject: efi: Process the MEMATTR table only if EFI_MEMMAP is enabled
+
+From: Daniel Kiper
+
+commit 457ea3f7e97881f937136ce0ba1f29f82b9abdb0 upstream.
+
+Otherwise e.g. Xen dom0 on x86_64 EFI platforms crashes.
+
+In theory we can check EFI_PARAVIRT too, however,
+EFI_MEMMAP looks more targeted and covers more cases.
+
+Signed-off-by: Daniel Kiper
+Reviewed-by: Ard Biesheuvel
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: andrew.cooper3@citrix.com
+Cc: boris.ostrovsky@oracle.com
+Cc: jgross@suse.com
+Cc: linux-efi@vger.kernel.org
+Cc: matt@codeblueprint.co.uk
+Cc: xen-devel@lists.xenproject.org
+Link: http://lkml.kernel.org/r/1498128697-12943-2-git-send-email-daniel.kiper@oracle.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/efi/efi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/efi.c
++++ b/drivers/firmware/efi/efi.c
+@@ -528,7 +528,8 @@ int __init efi_config_parse_tables(void
+ }
+ }
+
+- efi_memattr_init();
++ if (efi_enabled(EFI_MEMMAP))
++ efi_memattr_init();
+
+ /* Parse the EFI Properties table if it exists */
+ if (efi.properties_table != EFI_INVALID_TABLE_ADDR) {
diff --git a/queue-4.12/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch b/queue-4.12/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
new file mode 100644
index 00000000000..6160303b432
--- /dev/null
+++ b/queue-4.12/fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
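Review bot: Skipping `efi_memattr_init()` when EFI_MEMMAP is unset trades, as far as I recall, the RO/NX permissions the memory attributes table lets the kernel apply to EFI runtime services regions for not crashing on Xen dom0; that trade-off and its reason (the table walk needs a memory map the paravirt boot path does not provide, inferred from the commit message) belong in the code, not only in the log. A one-line comment above the new `if`, `/* memattr processing walks the EFI memory map; without one (e.g. Xen dom0) skip it rather than crash */`, would do. The commit message's remark that EFI_PARAVIRT was considered as the gate is also worth keeping next to the check for whoever revisits this, since EFI_MEMMAP is the broader condition.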
@@ -0,0 +1,80 @@ +From b17c070fb624cf10162cf92ea5e1ec25cd8ac176 Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Mon, 10 Jul 2017 15:50:00 -0700 +Subject: fs/dcache.c: fix spin lockup issue on nlru->lock + +From: Sahitya Tummala + +commit b17c070fb624cf10162cf92ea5e1ec25cd8ac176 upstream. + +__list_lru_walk_one() acquires nlru spin lock (nlru->lock) for longer +duration if there are more number of items in the lru list. As per the +current code, it can hold the spin lock for upto maximum UINT_MAX +entries at a time. So if there are more number of items in the lru +list, then "BUG: spinlock lockup suspected" is observed in the below +path: + + spin_bug+0x90 + do_raw_spin_lock+0xfc + _raw_spin_lock+0x28 + list_lru_add+0x28 + dput+0x1c8 + path_put+0x20 + terminate_walk+0x3c + path_lookupat+0x100 + filename_lookup+0x6c + user_path_at_empty+0x54 + SyS_faccessat+0xd0 + el0_svc_naked+0x24 + +This nlru->lock is acquired by another CPU in this path - + + d_lru_shrink_move+0x34 + dentry_lru_isolate_shrink+0x48 + __list_lru_walk_one.isra.10+0x94 + list_lru_walk_node+0x40 + shrink_dcache_sb+0x60 + do_remount_sb+0xbc + do_emergency_remount+0xb0 + process_one_work+0x228 + worker_thread+0x2e0 + kthread+0xf4 + ret_from_fork+0x10 + +Fix this lockup by reducing the number of entries to be shrinked from +the lru list to 1024 at once. Also, add cond_resched() before +processing the lru list again. 
+ +Link: http://marc.info/?t=149722864900001&r=1&w=2 +Link: http://lkml.kernel.org/r/1498707575-2472-1-git-send-email-stummala@codeaurora.org +Signed-off-by: Sahitya Tummala +Suggested-by: Jan Kara +Suggested-by: Vladimir Davydov +Acked-by: Vladimir Davydov +Cc: Alexander Polakov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1133,11 +1133,12 @@ void shrink_dcache_sb(struct super_block + LIST_HEAD(dispose); + + freed = list_lru_walk(&sb->s_dentry_lru, +- dentry_lru_isolate_shrink, &dispose, UINT_MAX); ++ dentry_lru_isolate_shrink, &dispose, 1024); + + this_cpu_sub(nr_dentry_unused, freed); + shrink_dentry_list(&dispose); +- } while (freed > 0); ++ cond_resched(); ++ } while (list_lru_count(&sb->s_dentry_lru) > 0); + } + EXPORT_SYMBOL(shrink_dcache_sb); + diff --git a/queue-4.12/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch b/queue-4.12/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch new file mode 100644 index 00000000000..574b593e5c6 --- /dev/null +++ b/queue-4.12/irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch 
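Review bot: The loop condition now re-checks `list_lru_count()` instead of `freed > 0`, so a pass that isolates nothing no longer ends the loop; that is the intended batching, but if `dentry_lru_isolate_shrink` can skip entries (for instance on a contended d_lock, not visible here) the loop keeps retrying, rescheduling each time, until they become isolatable, and on a superblock where `dput()` keeps re-adding dentries it only terminates once shrinking outpaces the additions. Both properties deserve a comment above the `do`, which starts outside this hunk. The batch size should also be a named constant rather than a bare `1024`, e.g. `#define DCACHE_SHRINK_BATCH 1024` and `dentry_lru_isolate_shrink, &dispose, DCACHE_SHRINK_BATCH);`, with a note that it bounds how long nlru->lock is held per walk.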
@@ -0,0 +1,72 @@ +From 866d7c1b0a3c70387646c4e455e727a58c5d465a Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Fri, 30 Jun 2017 10:58:28 +0100 +Subject: irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity + +From: Suzuki K Poulose + +commit 866d7c1b0a3c70387646c4e455e727a58c5d465a upstream. + +The GICv3 driver doesn't check if the target CPU for gic_set_affinity +is valid before going ahead and making the changes. This triggers the +following splat with KASAN: + +[ 141.189434] BUG: KASAN: global-out-of-bounds in gic_set_affinity+0x8c/0x140 +[ 141.189704] Read of size 8 at addr ffff200009741d20 by task swapper/1/0 +[ 141.189958] +[ 141.190158] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.12.0-rc7 +[ 141.190458] Hardware name: Foundation-v8A (DT) +[ 141.190658] Call trace: +[ 141.190908] [] dump_backtrace+0x0/0x328 +[ 141.191224] [] show_stack+0x14/0x20 +[ 141.191507] [] dump_stack+0xa4/0xc8 +[ 141.191858] [] print_address_description+0x13c/0x250 +[ 141.192219] [] kasan_report+0x210/0x300 +[ 141.192547] [] __asan_load8+0x84/0x98 +[ 141.192874] [] gic_set_affinity+0x8c/0x140 +[ 141.193158] [] irq_do_set_affinity+0x54/0xb8 +[ 141.193473] [] irq_set_affinity_locked+0x64/0xf0 +[ 141.193828] [] __irq_set_affinity+0x48/0x78 +[ 141.194158] [] arm_perf_starting_cpu+0x104/0x150 +[ 141.194513] [] cpuhp_invoke_callback+0x17c/0x1f8 +[ 141.194783] [] notify_cpu_starting+0x8c/0xb8 +[ 141.195130] [] secondary_start_kernel+0x15c/0x200 +[ 141.195390] [<0000000080db81b4>] 0x80db81b4 +[ 141.195603] +[ 141.195685] The buggy address belongs to the variable: +[ 141.196012] __cpu_logical_map+0x200/0x220 +[ 141.196176] +[ 141.196315] Memory state around the buggy address: +[ 141.196586] ffff200009741c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.196913] ffff200009741c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.197158] >ffff200009741d00: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00 +[ 141.197487] ^ +[ 141.197758] ffff200009741d80: 00 00 00 00 00 
00 00 00 fa fa fa fa 00 00 00 00 +[ 141.198060] ffff200009741e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 141.198358] ================================================================== +[ 141.198609] Disabling lock debugging due to kernel taint +[ 141.198961] CPU1: Booted secondary processor [410fd051] + +This patch adds the check to make sure the cpu is valid. + +Fixes: commit 021f653791ad17e03f98 ("irqchip: gic-v3: Initial support for GICv3") +Signed-off-by: Suzuki K Poulose +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -645,6 +645,9 @@ static int gic_set_affinity(struct irq_d + int enabled; + u64 val; + ++ if (cpu >= nr_cpu_ids) ++ return -EINVAL; ++ + if (gic_irq_in_rdist(d)) + return -EINVAL; + diff --git a/queue-4.12/kernel-extable.c-mark-core_kernel_text-notrace.patch b/queue-4.12/kernel-extable.c-mark-core_kernel_text-notrace.patch new file mode 100644 index 00000000000..47086d6d9bf --- /dev/null +++ b/queue-4.12/kernel-extable.c-mark-core_kernel_text-notrace.patch 
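Review bot: The new check rejects an out-of-range `cpu`, but where that value comes from is not visible in the hunk — `cpu` is initialised at the top of gic_set_affinity(), outside this hunk, presumably via `cpumask_any_and(mask_val, cpu_online_mask)`, which yields `nr_cpu_ids` when the requested mask contains no online CPU. A comment on the check, `/* cpumask_any_and() returns nr_cpu_ids when mask_val has no online CPU */`, would tie the -EINVAL to its cause and to the KASAN report quoted in the message. Placing the test before `gic_irq_in_rdist()` also means a bad mask on a per-CPU interrupt now reports the mask problem rather than the rdist one, which is harmless but is a visible ordering choice worth a word.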
@@ -0,0 +1,62 @@ +From c0d80ddab89916273cb97114889d3f337bc370ae Mon Sep 17 00:00:00 2001 +From: Marcin Nowakowski +Date: Thu, 6 Jul 2017 15:35:31 -0700 +Subject: kernel/extable.c: mark core_kernel_text notrace + +From: Marcin Nowakowski + +commit c0d80ddab89916273cb97114889d3f337bc370ae upstream. + +core_kernel_text is used by MIPS in its function graph trace processing, +so having this method traced leads to an infinite set of recursive calls +such as: + + Call Trace: + ftrace_return_to_handler+0x50/0x128 + core_kernel_text+0x10/0x1b8 + prepare_ftrace_return+0x6c/0x114 + ftrace_graph_caller+0x20/0x44 + return_to_handler+0x10/0x30 + return_to_handler+0x0/0x30 + return_to_handler+0x0/0x30 + ftrace_ops_no_ops+0x114/0x1bc + core_kernel_text+0x10/0x1b8 + core_kernel_text+0x10/0x1b8 + core_kernel_text+0x10/0x1b8 + ftrace_ops_no_ops+0x114/0x1bc + core_kernel_text+0x10/0x1b8 + prepare_ftrace_return+0x6c/0x114 + ftrace_graph_caller+0x20/0x44 + (...) + +Mark the function notrace to avoid it being traced. + +Link: http://lkml.kernel.org/r/1498028607-6765-1-git-send-email-marcin.nowakowski@imgtec.com +Signed-off-by: Marcin Nowakowski +Reviewed-by: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Thomas Meyer +Cc: Ingo Molnar +Cc: Steven Rostedt +Cc: Daniel Borkmann +Cc: Paul Gortmaker +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/extable.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/extable.c ++++ b/kernel/extable.c +@@ -69,7 +69,7 @@ static inline int init_kernel_text(unsig + return 0; + } + +-int core_kernel_text(unsigned long addr) ++int notrace core_kernel_text(unsigned long addr) + { + if (addr >= (unsigned long)_stext && + addr < (unsigned long)_etext) diff --git a/queue-4.12/kvm-arm64-fix-phy-counter-access-failure-in-guest.patch b/queue-4.12/kvm-arm64-fix-phy-counter-access-failure-in-guest.patch new file mode 100644 index 00000000000..e0eedec5846 --- /dev/null 
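Review bot: The `notrace` on `core_kernel_text()` carries no explanation in the code, and the reason from the commit message — it is called from the function-graph return path on MIPS, so tracing it recurses — should sit above the definition so nobody strips the attribute as a cleanup, e.g. `/* notrace: called from ftrace's return-handler path on MIPS; tracing it recurses forever */`. The same constraint applies to anything this function calls: `init_kernel_text()` just above is `static inline`, which in this tree expands to include notrace through the inline macro in compiler-gcc.h, but a non-inlined helper added later would reintroduce the recursion, and the comment should say so. The body of core_kernel_text() continues outside this hunk.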
+++ b/queue-4.12/kvm-arm64-fix-phy-counter-access-failure-in-guest.patch @@ -0,0 +1,49 @@ +From 02d50cdaff36c135d222015cffdca3ff11d168ea Mon Sep 17 00:00:00 2001 +From: Hu Huajun +Date: Mon, 12 Jun 2017 22:37:48 +0800 +Subject: KVM: ARM64: fix phy counter access failure in guest. + +From: Hu Huajun + +commit 02d50cdaff36c135d222015cffdca3ff11d168ea upstream. + +When reading the cntpct_el0 in guest with VHE (Virtual Host Extension) +enabled in host, the "Unsupported guest sys_reg access" error reported. +The reason is cnthctl_el2.EL1PCTEN is not enabled, which is expected +to be done in kvm_timer_init_vhe(). The problem is kvm_timer_init_vhe +is called by cpu_init_hyp_mode, and which is called when VHE is disabled. +This patch remove the incorrect call to kvm_timer_init_vhe() from +cpu_init_hyp_mode(), and calls kvm_timer_init_vhe() to enable +cnthctl_el2.EL1PCTEN in cpu_hyp_reinit(). + +Fixes: 488f94d7212b ("KVM: arm64: Access CNTHCTL_EL2 bit fields correctly on VHE systems") +Signed-off-by: Hu Huajun +Reviewed-by: Christoffer Dall +Acked-by: Marc Zyngier +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/arm/arm.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/virt/kvm/arm/arm.c ++++ b/virt/kvm/arm/arm.c +@@ -1115,9 +1115,6 @@ static void cpu_init_hyp_mode(void *dumm + __cpu_init_hyp_mode(pgd_ptr, hyp_stack_ptr, vector_ptr); + __cpu_init_stage2(); + +- if (is_kernel_in_hyp_mode()) +- kvm_timer_init_vhe(); +- + kvm_arm_init_debug(); + } + +@@ -1137,6 +1134,7 @@ static void cpu_hyp_reinit(void) + * event was cancelled before the CPU was reset. + */ + __cpu_init_stage2(); ++ kvm_timer_init_vhe(); + } else { + cpu_init_hyp_mode(NULL); + } diff --git a/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch b/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch new file mode 100644 index 00000000000..4190e80e926 --- /dev/null 
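Review bot: The new `kvm_timer_init_vhe()` call sits in a branch whose condition is outside this hunk (the `is_kernel_in_hyp_mode()` arm of cpu_hyp_reinit(), going by the commit message), whereas the removed call site carried that guard explicitly, so a reader of the new code cannot see that the call is VHE-only. I would annotate it: `/* VHE: cpu_init_hyp_mode() never runs here, so this is the only place to enable CNTHCTL_EL2.EL1PCTEN on each CPU bring-up */`. Whether cpu_hyp_reinit() is reached on every CPU during the initial hardware enable, and not only after CPU PM or hotplug, is the correctness condition of this fix and should be stated in the message or in that comment.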
+++ b/queue-4.12/kvm-avoid-unused-variable-warning-for-up-builds.patch 
@@ -0,0 +1,71 @@ +From b49defe83659cefbb1763d541e779da32594ab10 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Fri, 30 Jun 2017 13:25:45 +0200 +Subject: kvm: avoid unused variable warning for UP builds + +From: Paolo Bonzini + +commit b49defe83659cefbb1763d541e779da32594ab10 upstream. + +The uniprocessor version of smp_call_function_many does not evaluate +all of its argument, and the compiler emits a warning about "wait" +being unused. This breaks the build on architectures for which +"-Werror" is enabled by default. + +Work around it by moving the invocation of smp_call_function_many to +its own inline function. + +Reported-by: Paul Mackerras +Fixes: 7a97cec26b94c909f4cbad2dc3186af3e457a522 +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -187,12 +187,23 @@ static void ack_flush(void *_completed) + { + } + ++static inline bool kvm_kick_many_cpus(const struct cpumask *cpus, bool wait) ++{ ++ if (unlikely(!cpus)) ++ cpus = cpu_online_mask; ++ ++ if (cpumask_empty(cpus)) ++ return false; ++ ++ smp_call_function_many(cpus, ack_flush, NULL, wait); ++ return true; ++} ++ + bool kvm_make_all_cpus_request(struct kvm *kvm, unsigned int req) + { + int i, cpu, me; + cpumask_var_t cpus; +- bool called = true; +- bool wait = req & KVM_REQUEST_WAIT; ++ bool called; + struct kvm_vcpu *vcpu; + + zalloc_cpumask_var(&cpus, GFP_ATOMIC); +@@ -207,14 +218,9 @@ bool kvm_make_all_cpus_request(struct kv + + if (cpus != NULL && cpu != -1 && cpu != me && + kvm_request_needs_ipi(vcpu, req)) +- cpumask_set_cpu(cpu, cpus); ++ __cpumask_set_cpu(cpu, cpus); + } +- if (unlikely(cpus == NULL)) +- smp_call_function_many(cpu_online_mask, ack_flush, NULL, wait); +- else if (!cpumask_empty(cpus)) +- smp_call_function_many(cpus, ack_flush, NULL, wait); +- else +- called = false; ++ called = 
kvm_kick_many_cpus(cpus, !!(req & KVM_REQUEST_WAIT)); + put_cpu(); + free_cpumask_var(cpus); + return called; diff --git a/queue-4.12/kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch b/queue-4.12/kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch new file mode 100644 index 00000000000..f98b74ce351 --- /dev/null +++ b/queue-4.12/kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch 
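Review bot: Besides moving the `smp_call_function_many()` call into a helper, the hunk also switches `cpumask_set_cpu()` to the non-atomic `__cpumask_set_cpu()`, which is unrelated to the unused-variable warning in the subject; it is safe because `cpus` is private to this function (allocated by the `zalloc_cpumask_var()` in the hunk context and freed by `free_cpumask_var()` before return), but that deserves a mention in the message or a comment on the line. `kvm_kick_many_cpus()` also lacks a header comment stating its contract: that a NULL `@cpus` (the allocation having failed) falls back to kicking every online CPU, that it returns false when there was nobody to kick, and that `wait` is a parameter precisely so UP builds, where `smp_call_function_many()` ignores it, do not warn about an unused local. kvm_make_all_cpus_request() ends just past this hunk.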
@@ -0,0 +1,77 @@ +From 00c14757f6abacd78cad9b2690a0e1f42e4b76c8 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Fri, 30 Jun 2017 16:39:55 +1000 +Subject: KVM: PPC: Book3S: Fix typo in XICS-on-XIVE state saving code + +From: Paul Mackerras + +commit 00c14757f6abacd78cad9b2690a0e1f42e4b76c8 upstream. + +This fixes a typo where the wrong loop index was used to index +the kvmppc_xive_vcpu.queues[] array in xive_pre_save_scan(). +The variable i contains the vcpu number; we need to index queues[] +using j, which iterates from 0 to KVMPPC_XIVE_Q_COUNT-1. + +The effect of this bug is that things that save the interrupt +controller state, such as "virsh dump", on a VM with more than +8 vCPUs, result in xive_pre_save_queue() getting called on a +bogus queue structure, usually resulting in a crash like this: + +[ 501.821107] Unable to handle kernel paging request for data at address 0x00000084 +[ 501.821212] Faulting instruction address: 0xc008000004c7c6f8 +[ 501.821234] Oops: Kernel access of bad area, sig: 11 [#1] +[ 501.821305] SMP NR_CPUS=1024 +[ 501.821307] NUMA +[ 501.821376] PowerNV +[ 501.821470] Modules linked in: vhost_net vhost tap xt_CHECKSUM ipt_MASQUERADE nf_nat_masquerade_ipv4 ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_mangle ip6table_security ip6table_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_mangle iptable_security iptable_raw ebtable_filter ebtables ip6table_filter ip6_tables ses enclosure scsi_transport_sas ipmi_powernv ipmi_devintf ipmi_msghandler powernv_op_panel kvm_hv nfsd auth_rpcgss oid_registry nfs_acl lockd grace sunrpc kvm tg3 ptp pps_core +[ 501.822477] CPU: 3 PID: 3934 Comm: live_migration Not tainted 4.11.0-4.git8caa70f.el7.centos.ppc64le #1 +[ 501.822633] task: c0000003f9e3ae80 task.stack: c0000003f9ed4000 +[ 501.822745] NIP: c008000004c7c6f8 LR: c008000004c7c628 CTR: 
0000000030058018 +[ 501.822877] REGS: c0000003f9ed7980 TRAP: 0300 Not tainted (4.11.0-4.git8caa70f.el7.centos.ppc64le) +[ 501.823030] MSR: 9000000000009033 +[ 501.823047] CR: 28022244 XER: 00000000 +[ 501.823203] CFAR: c008000004c7c77c DAR: 0000000000000084 DSISR: 40000000 SOFTE: 1 +[ 501.823203] GPR00: c008000004c7c628 c0000003f9ed7c00 c008000004c91450 00000000000000ff +[ 501.823203] GPR04: c0000003f5580000 c0000003f559bf98 9000000000009033 0000000000000000 +[ 501.823203] GPR08: 0000000000000084 0000000000000000 00000000000001e0 9000000000001003 +[ 501.823203] GPR12: c00000000008a7d0 c00000000fdc1b00 000000000a9a0000 0000000000000000 +[ 501.823203] GPR16: 00000000402954e8 000000000a9a0000 0000000000000004 0000000000000000 +[ 501.823203] GPR20: 0000000000000008 c000000002e8f180 c000000002e8f1e0 0000000000000001 +[ 501.823203] GPR24: 0000000000000008 c0000003f5580008 c0000003f4564018 c000000002e8f1e8 +[ 501.823203] GPR28: 00003ff6e58bdc28 c0000003f4564000 0000000000000000 0000000000000000 +[ 501.825441] NIP [c008000004c7c6f8] xive_get_attr+0x3b8/0x5b0 [kvm] +[ 501.825671] LR [c008000004c7c628] xive_get_attr+0x2e8/0x5b0 [kvm] +[ 501.825887] Call Trace: +[ 501.825991] [c0000003f9ed7c00] [c008000004c7c628] xive_get_attr+0x2e8/0x5b0 [kvm] (unreliable) +[ 501.826312] [c0000003f9ed7cd0] [c008000004c62ec4] kvm_device_ioctl_attr+0x64/0xa0 [kvm] +[ 501.826581] [c0000003f9ed7d20] [c008000004c62fcc] kvm_device_ioctl+0xcc/0xf0 [kvm] +[ 501.826843] [c0000003f9ed7d40] [c000000000350c70] do_vfs_ioctl+0xd0/0x8c0 +[ 501.827060] [c0000003f9ed7de0] [c000000000351534] SyS_ioctl+0xd4/0xf0 +[ 501.827282] [c0000003f9ed7e30] [c00000000000b8e0] system_call+0x38/0xfc +[ 501.827496] Instruction dump: +[ 501.827632] 419e0078 3b760008 e9160008 83fb000c 83db0010 80fb0008 2f280000 60000000 +[ 501.827901] 60000000 60420000 419a0050 7be91764 <7d284c2c> 552a0ffe 7f8af040 419e003c +[ 501.828176] ---[ end trace 2d0529a5bbbbafed ]--- + +Fixes: 5af50993850a ("KVM: PPC: Book3S HV: Native usage of the 
XIVE interrupt controller")
+Acked-by: Benjamin Herrenschmidt
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kvm/book3s_xive.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_xive.c
++++ b/arch/powerpc/kvm/book3s_xive.c
+@@ -1257,8 +1257,8 @@ static void xive_pre_save_scan(struct kv
+ if (!xc)
+ continue;
+ for (j = 0; j < KVMPPC_XIVE_Q_COUNT; j++) {
+- if (xc->queues[i].qpage)
+- xive_pre_save_queue(xive, &xc->queues[i]);
++ if (xc->queues[j].qpage)
++ xive_pre_save_queue(xive, &xc->queues[j]);
+ }
+ }
+
diff --git a/queue-4.12/kvm-vfio-decouple-only-when-we-match-a-group.patch b/queue-4.12/kvm-vfio-decouple-only-when-we-match-a-group.patch
new file mode 100644
index 00000000000..13fc8aebfcd
--- /dev/null
+++ b/queue-4.12/kvm-vfio-decouple-only-when-we-match-a-group.patch
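Review bot: The index being corrected is reachable from userspace: the trace in the description shows kvm_device_ioctl() -> xive_get_attr() leading into xive_pre_save_scan(), and with `i` (the vcpu number) used as the subscript, any VM with more vCPUs than KVMPPC_XIVE_Q_COUNT read past the end of `xc->queues[]` from a KVM device ioctl, so this is an out-of-bounds read fix and not only a crash fix, which is worth stating explicitly when the backport is tracked. The loop would be less prone to the same slip with a comment naming the two indices, e.g. `/* i is the vcpu number, j walks that vcpu's KVMPPC_XIVE_Q_COUNT queues */` above the `for (j = 0; ...)` line. xive_pre_save_scan() starts before this hunk, so the outer loop over `i` is not visible here.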
@@ -0,0 +1,54 @@
+From e323369b2e204da4dc771bbddceef986f4bf85d5 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Wed, 28 Jun 2017 13:49:52 -0600
+Subject: kvm-vfio: Decouple only when we match a group
+
+From: Alex Williamson
+
+commit e323369b2e204da4dc771bbddceef986f4bf85d5 upstream.
+
+Unset-KVM and decrement-assignment only when we find the group in our
+list. Otherwise we can get out of sync if the user triggers this for
+groups that aren't currently on our list.
+
+Signed-off-by: Alex Williamson
+Reviewed-by: Alexey Kardashevskiy
+Reviewed-by: Eric Auger
+Tested-by: Eric Auger
+Acked-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ virt/kvm/vfio.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/virt/kvm/vfio.c
++++ b/virt/kvm/vfio.c
+@@ -246,21 +246,20 @@ static int kvm_vfio_set_group(struct kvm
+ continue;
+
+ list_del(&kvg->node);
++ kvm_arch_end_assignment(dev->kvm);
++#ifdef CONFIG_SPAPR_TCE_IOMMU
++ kvm_spapr_tce_release_vfio_group(dev->kvm,
++ kvg->vfio_group);
++#endif
++ kvm_vfio_group_set_kvm(kvg->vfio_group, NULL);
+ kvm_vfio_group_put_external_user(kvg->vfio_group);
+ kfree(kvg);
+ ret = 0;
+ break;
+ }
+
+- kvm_arch_end_assignment(dev->kvm);
+-
+ mutex_unlock(&kv->lock);
+
+-#ifdef CONFIG_SPAPR_TCE_IOMMU
+- kvm_spapr_tce_release_vfio_group(dev->kvm, vfio_group);
+-#endif
+- kvm_vfio_group_set_kvm(vfio_group, NULL);
+-
+ kvm_vfio_group_put_external_user(vfio_group);
+
+ kvm_vfio_update_coherency(dev);
diff --git a/queue-4.12/mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch b/queue-4.12/mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch
new file mode 100644
index 00000000000..3ac68f1e9d9
--- /dev/null
+++ b/queue-4.12/mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch
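Review bot: Besides restricting the teardown to a matched entry, the hunk moves `kvm_vfio_group_set_kvm()` and `kvm_spapr_tce_release_vfio_group()` inside the `kv->lock` critical section, where they previously ran after `mutex_unlock()`; the description does not mention this widening, and whether those callees can sleep or take locks ordered before `kv->lock` cannot be verified from the hunk, so it should be stated in the changelog or a comment such as `/* teardown runs under kv->lock so a concurrent add/del of the same group cannot interleave with it */`. The unconditional `kvm_vfio_group_put_external_user(vfio_group)` after the loop now pairs only with the lookup reference taken before the hunk, which is correct but reads like a duplicate of the put inside the loop; `/* drop the lookup reference, not the list entry's */` would make that clear. kvm_vfio_set_group() starts before the hunk and ends after it, so the value of `ret` on the no-match path is not visible here.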
@@ -0,0 +1,87 @@
+From 2c80cd57c74339889a8752b20862a16c28929c3a Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala
+Date: Mon, 10 Jul 2017 15:49:57 -0700
+Subject: mm/list_lru.c: fix list_lru_count_node() to be race free
+
+From: Sahitya Tummala
+
+commit 2c80cd57c74339889a8752b20862a16c28929c3a upstream.
+
+list_lru_count_node() iterates over all memcgs to get the total number of
+entries on the node but it can race with memcg_drain_all_list_lrus(),
+which migrates the entries from a dead cgroup to another. This can return
+incorrect number of entries from list_lru_count_node().
+
+Fix this by keeping track of entries per node and simply return it in
+list_lru_count_node().
+
+Link: http://lkml.kernel.org/r/1498707555-30525-1-git-send-email-stummala@codeaurora.org
+Signed-off-by: Sahitya Tummala
+Acked-by: Vladimir Davydov
+Cc: Jan Kara
+Cc: Alexander Polakov
+Cc: Al Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/list_lru.h | 1 +
+ mm/list_lru.c | 14 ++++++--------
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/include/linux/list_lru.h
++++ b/include/linux/list_lru.h
+@@ -44,6 +44,7 @@ struct list_lru_node {
+ /* for cgroup aware lrus points to per cgroup lists, otherwise NULL */
+ struct list_lru_memcg *memcg_lrus;
+ #endif
++ long nr_items;
+ } ____cacheline_aligned_in_smp;
+
+ struct list_lru {
+--- a/mm/list_lru.c
++++ b/mm/list_lru.c
+@@ -117,6 +117,7 @@ bool list_lru_add(struct list_lru *lru,
+ l = list_lru_from_kmem(nlru, item);
+ list_add_tail(item, &l->list);
+ l->nr_items++;
++ nlru->nr_items++;
+ spin_unlock(&nlru->lock);
+ return true;
+ }
+@@ -136,6 +137,7 @@ bool list_lru_del(struct list_lru *lru,
+ l = list_lru_from_kmem(nlru, item);
+ list_del_init(item);
+ l->nr_items--;
++ nlru->nr_items--;
+ spin_unlock(&nlru->lock);
+ return true;
+ }
+@@ -183,15 +185,10 @@ EXPORT_SYMBOL_GPL(list_lru_count_one);
+
+ unsigned long list_lru_count_node(struct list_lru *lru, int 
nid)
+ {
+- long count = 0;
+- int memcg_idx;
++ struct list_lru_node *nlru;
+
+- count += __list_lru_count_one(lru, nid, -1);
+- if (list_lru_memcg_aware(lru)) {
+- for_each_memcg_cache_index(memcg_idx)
+- count += __list_lru_count_one(lru, nid, memcg_idx);
+- }
+- return count;
++ nlru = &lru->node[nid];
++ return nlru->nr_items;
+ }
+ EXPORT_SYMBOL_GPL(list_lru_count_node);
+
+@@ -226,6 +223,7 @@ restart:
+ assert_spin_locked(&nlru->lock);
+ case LRU_REMOVED:
+ isolated++;
++ nlru->nr_items--;
+ /*
+ * If the lru lock has been dropped, our list
+ * traversal is now invalid and so we have to
diff --git a/queue-4.12/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch b/queue-4.12/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
new file mode 100644
index 00000000000..97c9a952444
--- /dev/null
+++ b/queue-4.12/parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
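Review bot: `list_lru_count_node()` now returns `nlru->nr_items` with a plain read taken outside `nlru->lock`, and the field is a signed `long` returned through an `unsigned long`, so any accounting slip below zero comes back as an enormous count; `return READ_ONCE(nlru->nr_items);` documents the deliberately lockless read and a `WARN_ON_ONCE(nlru->nr_items < 0)` beside it would surface such a bug early. The new member has no comment in list_lru.h although its neighbour does; `/* total items on this node across all memcg lists, protected by lock */` states the invariant that code moving items between per-memcg lists on one node (memcg_drain_all_list_lrus(), per the changelog) must keep intact. The decrement under `case LRU_REMOVED:` also covers whatever case falls through into it above the hunk (presumably the retry variant), but any other walker that unlinks items directly must now adjust nlru->nr_items too.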
@@ -0,0 +1,204 @@ +From 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Mon, 3 Jul 2017 10:38:05 +0200 +Subject: parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs + +From: Thomas Bogendoerfer + +commit 33f9e02495d15a061f0c94ef46f5103a2d0c20f3 upstream. + +Enabling parport pc driver on a B2600 (and probably other 64bit PARISC +systems) produced following BUG: + +CPU: 0 PID: 1 Comm: swapper Not tainted 4.12.0-rc5-30198-g1132d5e #156 +task: 000000009e050000 task.stack: 000000009e04c000 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI +PSW: 00001000000001101111111100001111 Not tainted +r00-03 000000ff0806ff0f 000000009e04c990 0000000040871b78 000000009e04cac0 +r04-07 0000000040c14de0 ffffffffffffffff 000000009e07f098 000000009d82d200 +r08-11 000000009d82d210 0000000000000378 0000000000000000 0000000040c345e0 +r12-15 0000000000000005 0000000040c345e0 0000000000000000 0000000040c9d5e0 +r16-19 0000000040c345e0 00000000f00001c4 00000000f00001bc 0000000000000061 +r20-23 000000009e04ce28 0000000000000010 0000000000000010 0000000040b89e40 +r24-27 0000000000000003 0000000000ffffff 000000009d82d210 0000000040c14de0 +r28-31 0000000000000000 000000009e04ca90 000000009e04cb40 0000000000000000 +sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + +IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000404aece0 00000000404aece4 + IIR: 03ffe01f ISR: 0000000010340000 IOR: 000001781304cac8 + CPU: 0 CR30: 000000009e04c000 CR31: 00000000e2976de2 + ORIG_R28: 0000000000000200 + IAOQ[0]: sba_dma_supported+0x80/0xd0 + IAOQ[1]: sba_dma_supported+0x84/0xd0 + RP(r2): parport_pc_probe_port+0x178/0x1200 + +Cause is a call to dma_coerce_mask_and_coherenet in parport_pc_probe_port, +which PARISC DMA API doesn't handle very nicely. This commit gives back +DMA_ERROR_CODE for DMA API calls, if device isn't capable of DMA +transaction. 
+
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/dma-mapping.h | 11 +++++++----
+ drivers/parisc/ccio-dma.c | 12 ++++++++++++
+ drivers/parisc/dino.c | 5 ++++-
+ drivers/parisc/lba_pci.c | 6 ++++--
+ drivers/parisc/sba_iommu.c | 14 ++++++++++++++
+ 5 files changed, 41 insertions(+), 7 deletions(-)
+
+--- a/arch/parisc/include/asm/dma-mapping.h
++++ b/arch/parisc/include/asm/dma-mapping.h
+@@ -20,6 +20,8 @@
+ ** flush/purge and allocate "regular" cacheable pages for everything.
+ */
+
++#define DMA_ERROR_CODE (~(dma_addr_t)0)
++
+ #ifdef CONFIG_PA11
+ extern const struct dma_map_ops pcxl_dma_ops;
+ extern const struct dma_map_ops pcx_dma_ops;
+@@ -54,12 +56,13 @@ parisc_walk_tree(struct device *dev)
+ break;
+ }
+ }
+- BUG_ON(!dev->platform_data);
+ return dev->platform_data;
+ }
+-
+-#define GET_IOC(dev) (HBA_DATA(parisc_walk_tree(dev))->iommu)
+-
++
++#define GET_IOC(dev) ({ \
++ void *__pdata = parisc_walk_tree(dev); \
++ __pdata ? 
HBA_DATA(__pdata)->iommu : NULL; \
++})
+
+ #ifdef CONFIG_IOMMU_CCIO
+ struct parisc_device;
+--- a/drivers/parisc/ccio-dma.c
++++ b/drivers/parisc/ccio-dma.c
+@@ -741,6 +741,8 @@ ccio_map_single(struct device *dev, void
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return DMA_ERROR_CODE;
+
+ BUG_ON(size <= 0);
+
+@@ -814,6 +816,10 @@ ccio_unmap_page(struct device *dev, dma_
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ DBG_RUN("%s() iovp 0x%lx/%x\n",
+ __func__, (long)iova, size);
+@@ -918,6 +924,8 @@ ccio_map_sg(struct device *dev, struct s
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
+
+@@ -990,6 +998,10 @@ ccio_unmap_sg(struct device *dev, struct
+
+ BUG_ON(!dev);
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ DBG_RUN_SG("%s() START %d entries, %p,%x\n",
+ __func__, nents, sg_virt(sglist), sglist->length);
+--- a/drivers/parisc/dino.c
++++ b/drivers/parisc/dino.c
+@@ -154,7 +154,10 @@ struct dino_device
+ };
+
+ /* Looks nice and keeps the compiler happy */
+-#define DINO_DEV(d) ((struct dino_device *) d)
++#define DINO_DEV(d) ({ \
++ void *__pdata = d; \
++ BUG_ON(!__pdata); \
++ (struct dino_device *)__pdata; })
+
+
+ /*
+--- a/drivers/parisc/lba_pci.c
++++ b/drivers/parisc/lba_pci.c
+@@ -111,8 +111,10 @@ static u32 lba_t32;
+
+
+ /* Looks nice and keeps the compiler happy */
+-#define LBA_DEV(d) ((struct lba_device *) (d))
+-
++#define LBA_DEV(d) ({ \
++ void *__pdata = d; \
++ BUG_ON(!__pdata); \
++ (struct lba_device *)__pdata; })
+
+ /*
+ ** Only allow 8 subsidiary busses per LBA
+--- a/drivers/parisc/sba_iommu.c
++++ b/drivers/parisc/sba_iommu.c
+@@ -691,6 +691,8 @@ static int sba_dma_supported( struct dev
+ return 0;
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ /*
+ * check if mask is >= than the current max IO Virt Address
+@@ -722,6 +724,8 @@ sba_map_single(struct device *dev, 
void
+ int pide;
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return DMA_ERROR_CODE;
+
+ /* save offset bits */
+ offset = ((dma_addr_t) (long) addr) & ~IOVP_MASK;
+@@ -813,6 +817,10 @@ sba_unmap_page(struct device *dev, dma_a
+ DBG_RUN("%s() iovp 0x%lx/%x\n", __func__, (long) iova, size);
+
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+ offset = iova & ~IOVP_MASK;
+ iova ^= offset; /* clear offset bits */
+ size += offset;
+@@ -952,6 +960,8 @@ sba_map_sg(struct device *dev, struct sc
+ DBG_RUN_SG("%s() START %d entries\n", __func__, nents);
+
+ ioc = GET_IOC(dev);
++ if (!ioc)
++ return 0;
+
+ /* Fast path single entry scatterlists. */
+ if (nents == 1) {
+@@ -1037,6 +1047,10 @@ sba_unmap_sg(struct device *dev, struct
+ __func__, nents, sg_virt(sglist), sglist->length);
+
+ ioc = GET_IOC(dev);
++ if (!ioc) {
++ WARN_ON(!ioc);
++ return;
++ }
+
+ #ifdef SBA_COLLECT_STATS
+ ioc->usg_calls++;
diff --git a/queue-4.12/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch b/queue-4.12/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
new file mode 100644
index 00000000000..a3401373d88
--- /dev/null
+++ b/queue-4.12/parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
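Review bot: The new `DMA_ERROR_CODE` only helps drivers if `dma_mapping_error()` recognises it, and no `.mapping_error` callback is visible anywhere in this hunk, so the error return presumably relies on the generic fallback that compares against an arch-defined DMA_ERROR_CODE — that should be confirmed against the 4.12 linux/dma-mapping.h and recorded beside the define, e.g. `/* returned by map_single/map_page for a device with no IOMMU; dma_mapping_error() must recognise it */`. The four `if (!ioc) { WARN_ON(!ioc); return; }` blocks in the unmap paths warn on a condition already known to be true; `WARN_ONCE(1, "%s: device has no IOC\n", __func__)` says the same thing without a splat per unmapped buffer. `DINO_DEV()`/`LBA_DEV()` also change from plain casts into macros that BUG_ON a NULL argument, which the changelog does not mention. Every function touched here begins before the hunk.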
@@ -0,0 +1,56 @@
+From 649aa24254e85bf6bd7807dd372d083707852b1f Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Mon, 29 May 2017 17:14:16 +0200
+Subject: parisc/mm: Ensure IRQs are off in switch_mm()
+
+From: Helge Deller
+
+commit 649aa24254e85bf6bd7807dd372d083707852b1f upstream.
+
+This is because of commit f98db6013c55 ("sched/core: Add switch_mm_irqs_off()
+and use it in the scheduler") in which switch_mm_irqs_off() is called by the
+scheduler, vs switch_mm() which is used by use_mm().
+
+This patch lets the parisc code mirror the x86 and powerpc code, ie. it
+disables interrupts in switch_mm(), and optimises the scheduler case by
+defining switch_mm_irqs_off().
+
+Signed-off-by: Helge Deller
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/mmu_context.h | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/parisc/include/asm/mmu_context.h
++++ b/arch/parisc/include/asm/mmu_context.h
+@@ -49,15 +49,26 @@ static inline void load_context(mm_conte
+ mtctl(__space_to_prot(context), 8);
+ }
+
+-static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next, struct task_struct *tsk)
++static inline void switch_mm_irqs_off(struct mm_struct *prev,
++ struct mm_struct *next, struct task_struct *tsk)
+ {
+-
+ if (prev != next) {
+ mtctl(__pa(next->pgd), 25);
+ load_context(next->context);
+ }
+ }
+
++static inline void switch_mm(struct mm_struct *prev,
++ struct mm_struct *next, struct task_struct *tsk)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ switch_mm_irqs_off(prev, next, tsk);
++ local_irq_restore(flags);
++}
++#define switch_mm_irqs_off switch_mm_irqs_off
++
+ #define deactivate_mm(tsk,mm) do { } while (0)
+
+ static inline void activate_mm(struct mm_struct *prev, struct mm_struct *next)
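Review bot: `switch_mm_irqs_off()` now carries a precondition that nothing in the hunk states — it is the raw two-step `mtctl(__pa(next->pgd), 25)` / `load_context()` update, presumably the sequence that must not be interrupted, which only the new `switch_mm()` wrapper guarantees via `local_irq_save()`. A comment on the helper would make the contract explicit for any other caller: `/* Caller must have interrupts disabled (the scheduler does); use switch_mm() otherwise. */`. The `#define switch_mm_irqs_off switch_mm_irqs_off` line is presumably the opt-out from the generic fallback and deserves a short note saying so, since a function defining a macro of its own name is not self-explanatory.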
diff --git a/queue-4.12/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch b/queue-4.12/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
new file mode 100644
index 00000000000..c5a4b329ab6
--- /dev/null
+++ b/queue-4.12/parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
@@ -0,0 +1,40 @@
+From 247462316f85a9e0479445c1a4223950b68ffac1 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Sun, 2 Jul 2017 22:00:41 +0200
+Subject: parisc: Report SIGSEGV instead of SIGBUS when running out of stack
+
+From: Helge Deller
+
+commit 247462316f85a9e0479445c1a4223950b68ffac1 upstream.
+
+When a process runs out of stack the parisc kernel wrongly faults with SIGBUS
+instead of the expected SIGSEGV signal.
+
+This example shows how the kernel faults:
+do_page_fault() command='a.out' type=15 address=0xfaac2000 in libc-2.24.so[f8308000+16c000]
+trap #15: Data TLB miss fault, vm_start = 0xfa2c2000, vm_end = 0xfaac2000
+
+The vma->vm_end value is the first address which does not belong to the vma, so
+adjust the check to include vma->vm_end to the range for which to send the
+SIGSEGV signal.
+
+This patch unbreaks building the debian libsigsegv package.
+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/mm/fault.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/mm/fault.c
++++ b/arch/parisc/mm/fault.c
+@@ -367,7 +367,7 @@ bad_area:
+ case 15: /* Data TLB miss fault/Data page fault */
+ /* send SIGSEGV when outside of vma */
+ if (!vma ||
+- address < vma->vm_start || address > vma->vm_end) {
++ address < vma->vm_start || address >= vma->vm_end) {
+ si.si_signo = SIGSEGV;
+ si.si_code = SEGV_MAPERR;
+ break;
diff --git a/queue-4.12/parisc-use-compat_sys_keyctl.patch b/queue-4.12/parisc-use-compat_sys_keyctl.patch
new file mode 100644
index 00000000000..f29432c2873
--- /dev/null
+++ b/queue-4.12/parisc-use-compat_sys_keyctl.patch
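Review bot: The corrected test depends on `vm_end` being exclusive, but the only nearby comment, `/* send SIGSEGV when outside of vma */`, is exactly the wording that let `>` survive until now; spelling the interval out guards against the same slip being reintroduced: `/* send SIGSEGV when outside of vma: the mapping is [vm_start, vm_end), so vm_end itself is already past it */`. The `bad_area:` handler and the enclosing fault function both start before this hunk, so the other trap-type cases around `case 15:` are not visible here.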
@@ -0,0 +1,33 @@
+From b0f94efd5aa8daa8a07d7601714c2573266cd4c9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Mon, 12 Jun 2017 23:18:30 -0700
+Subject: parisc: use compat_sys_keyctl()
+
+From: Eric Biggers
+
+commit b0f94efd5aa8daa8a07d7601714c2573266cd4c9 upstream.
+
+Architectures with a compat syscall table must put compat_sys_keyctl()
+in it, not sys_keyctl(). The parisc architecture was not doing this;
+fix it.
+
+Signed-off-by: Eric Biggers
+Acked-by: Helge Deller
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/syscall_table.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscall_table.S
++++ b/arch/parisc/kernel/syscall_table.S
+@@ -361,7 +361,7 @@
+ ENTRY_SAME(ni_syscall) /* 263: reserved for vserver */
+ ENTRY_SAME(add_key)
+ ENTRY_SAME(request_key) /* 265 */
+- ENTRY_SAME(keyctl)
++ ENTRY_COMP(keyctl)
+ ENTRY_SAME(ioprio_set)
+ ENTRY_SAME(ioprio_get)
+ ENTRY_SAME(inotify_init)
diff --git a/queue-4.12/series b/queue-4.12/series
index 0bf293eca31..9a16a8b5a65 100644
--- a/queue-4.12/series
+++ b/queue-4.12/series
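Review bot: The one-word change is security relevant in a way the description leaves implicit: until now a 32-bit process on a 64-bit parisc kernel was routed to the native `sys_keyctl()`, so every keyctl operation whose user-space arguments have a 32-bit-specific layout (the reason `compat_sys_keyctl()` exists at all) was interpreted with 64-bit expectations. A comment in the table would stop the same regression on the next reshuffle: `ENTRY_COMP(keyctl) /* 266: 32-bit callers need the compat argument translation */` — confirm the affected operations against the 4.12 compat_sys_keyctl() before wording it more specifically. The neighbouring `add_key`/`request_key` entries stay ENTRY_SAME; whether that is right cannot be decided from this hunk.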
@@ -23,3 +23,25 @@ adding-the-type-of-exported-symbols.patch
 sparc64-fix-gup_huge_pmd.patch
 brcmfmac-fix-a-memory-leak-in-error-handling-path-in-brcmf_cfg80211_attach.patch
 brcmfmac-fix-glom_skb-leak-in-brcmf_sdiod_recv_chain.patch
+x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch
+efi-process-the-memattr-table-only-if-efi_memmap-is-enabled.patch
+cfg80211-define-nla_policy-for-nl80211_attr_local_mesh_power_mode.patch
+cfg80211-validate-frequencies-nested-in-nl80211_attr_scan_frequencies.patch
+cfg80211-check-if-pmkid-attribute-is-of-expected-size.patch
+cfg80211-check-if-nan-service-id-is-of-expected-size.patch
+drm-amdgpu-gfx6-properly-cache-mc_arb_ramcfg.patch
+kvm-arm64-fix-phy-counter-access-failure-in-guest.patch
+kvm-ppc-book3s-fix-typo-in-xics-on-xive-state-saving-code.patch
+kvm-vfio-decouple-only-when-we-match-a-group.patch
+kvm-avoid-unused-variable-warning-for-up-builds.patch
+irqchip-gic-v3-fix-out-of-bound-access-in-gic_set_affinity.patch
+parisc-report-sigsegv-instead-of-sigbus-when-running-out-of-stack.patch
+parisc-use-compat_sys_keyctl.patch
+parisc-dma-api-return-error-instead-of-bug_on-for-dma-ops-on-non-dma-devs.patch
+parisc-mm-ensure-irqs-are-off-in-switch_mm.patch
+tools-lib-lockdep-reduce-max_lock_depth-to-avoid-overflowing-lock_chain-depth.patch
+compiler-clang-always-inline-when-config_optimize_inlining-is-disabled.patch
+thp-mm-fix-crash-due-race-in-madv_free-handling.patch
+kernel-extable.c-mark-core_kernel_text-notrace.patch
+mm-list_lru.c-fix-list_lru_count_node-to-be-race-free.patch
+fs-dcache.c-fix-spin-lockup-issue-on-nlru-lock.patch
diff --git a/queue-4.12/thp-mm-fix-crash-due-race-in-madv_free-handling.patch b/queue-4.12/thp-mm-fix-crash-due-race-in-madv_free-handling.patch
new file mode 100644
index 00000000000..54b0b75ecbd
--- /dev/null
+++ b/queue-4.12/thp-mm-fix-crash-due-race-in-madv_free-handling.patch
@@ -0,0 +1,77 @@ +From bbf29ffc7f963bb894f84f0580c70cfea01c3892 Mon Sep 17 00:00:00 2001 +From: "Kirill A. Shutemov" +Date: Thu, 6 Jul 2017 15:35:28 -0700 +Subject: thp, mm: fix crash due race in MADV_FREE handling + +From: Kirill A. Shutemov + +commit bbf29ffc7f963bb894f84f0580c70cfea01c3892 upstream. + +Reinette reported the following crash: + + BUG: Bad page state in process log2exe pfn:57600 + page:ffffea00015d8000 count:0 mapcount:0 mapping: (null) index:0x20200 + flags: 0x4000000000040019(locked|uptodate|dirty|swapbacked) + raw: 4000000000040019 0000000000000000 0000000000020200 00000000ffffffff + raw: ffffea00015d8020 ffffea00015d8020 0000000000000000 0000000000000000 + page dumped because: PAGE_FLAGS_CHECK_AT_FREE flag(s) set + bad because of flags: 0x1(locked) + Modules linked in: rfcomm 8021q bnep intel_rapl x86_pkg_temp_thermal coretemp efivars btusb btrtl btbcm pwm_lpss_pci snd_hda_codec_hdmi btintel pwm_lpss snd_hda_codec_realtek snd_soc_skl snd_hda_codec_generic snd_soc_skl_ipc spi_pxa2xx_platform snd_soc_sst_ipc snd_soc_sst_dsp i2c_designware_platform i2c_designware_core snd_hda_ext_core snd_soc_sst_match snd_hda_intel snd_hda_codec mei_me snd_hda_core mei snd_soc_rt286 snd_soc_rl6347a snd_soc_core efivarfs + CPU: 1 PID: 354 Comm: log2exe Not tainted 4.12.0-rc7-test-test #19 + Hardware name: Intel corporation NUC6CAYS/NUC6CAYB, BIOS AYAPLCEL.86A.0027.2016.1108.1529 11/08/2016 + Call Trace: + bad_page+0x16a/0x1f0 + free_pages_check_bad+0x117/0x190 + free_hot_cold_page+0x7b1/0xad0 + __put_page+0x70/0xa0 + madvise_free_huge_pmd+0x627/0x7b0 + madvise_free_pte_range+0x6f8/0x1150 + __walk_page_range+0x6b5/0xe30 + walk_page_range+0x13b/0x310 + madvise_free_page_range.isra.16+0xad/0xd0 + madvise_free_single_vma+0x2e4/0x470 + SyS_madvise+0x8ce/0x1450 + +If somebody frees the page under us and we hold the last reference to +it, put_page() would attempt to free the page before unlocking it. + +The fix is trivial reorder of operations. 
+
+Dave said:
+ "I came up with the exact same patch. For posterity, here's the test
+ case, generated by syzkaller and trimmed down by Reinette:
+
+ https://www.sr71.net/~dave/intel/log2.c
+
+ And the config that helps detect this:
+
+ https://www.sr71.net/~dave/intel/config-log2"
+
+Fixes: b8d3c4c3009d ("mm/huge_memory.c: don't split THP page when MADV_FREE syscall is called")
+Link: http://lkml.kernel.org/r/20170628101249.17879-1-kirill.shutemov@linux.intel.com
+Signed-off-by: Kirill A. Shutemov
+Reported-by: Reinette Chatre
+Acked-by: Dave H
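Review bot: The reordering is right, but nothing in the code says why the order matters and the old order looked perfectly natural, so a later cleanup could swap it back; a comment above the new position of `unlock_page(page);` should carry the reason from the changelog, e.g. `/* Drop the lock before the last reference: put_page() may free the page, and a locked page must not be freed. */`. madvise_free_huge_pmd() starts before and continues after this hunk, so whether its other exit paths keep the same unlock-then-put order cannot be checked here.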
@@ -0,0 +1,53 @@
+From 98dcea0cfd04e083ac74137ceb9a632604740e2d Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Thu, 25 May 2017 12:58:33 +0000
+Subject: tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
+
+From: Ben Hutchings
+
+commit 98dcea0cfd04e083ac74137ceb9a632604740e2d upstream.
+
+liblockdep has been broken since commit 75dd602a5198 ("lockdep: Fix
+lock_chain::base size"), as that adds a check that MAX_LOCK_DEPTH is
+within the range of lock_chain::depth and in liblockdep it is much
+too large.
+
+That should have resulted in a compiler error, but didn't because:
+
+- the check uses ARRAY_SIZE(), which isn't yet defined in liblockdep
+ so is assumed to be an (undeclared) function
+- putting a function call inside a BUILD_BUG_ON() expression quietly
+ turns it into some nonsense involving a variable-length array
+
+It did produce a compiler warning, but I didn't notice because
+liblockdep already produces too many warnings if -Wall is enabled
+(which I'll fix shortly).
+
+Even before that commit, which reduced lock_chain::depth from 8 bits
+to 6, MAX_LOCK_DEPTH was too large.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Sasha Levin
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: a.p.zijlstra@chello.nl
+Link: http://lkml.kernel.org/r/20170525130005.5947-3-alexander.levin@verizon.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/lib/lockdep/uinclude/linux/lockdep.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/lib/lockdep/uinclude/linux/lockdep.h
++++ b/tools/lib/lockdep/uinclude/linux/lockdep.h
+@@ -8,7 +8,7 @@
+ #include
+ #include
+
+-#define MAX_LOCK_DEPTH 2000UL
++#define MAX_LOCK_DEPTH 63UL
+
+ #define asmlinkage
+ #define __visible
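Review bot: `63UL` is a magic number whose only justification — `lock_chain::depth` being a 6-bit field — lives in the changelog, so the define should say so itself: `#define MAX_LOCK_DEPTH 63UL /* must fit lock_chain::depth (6 bits) */`. Once ARRAY_SIZE() exists in liblockdep, the range check the changelog describes would catch a future mismatch at build time rather than letting it overflow silently again, which is worth a TODO next to the define.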
diff --git a/queue-4.12/x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch b/queue-4.12/x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch
new file mode 100644
index 00000000000..3e003d34533
--- /dev/null
+++ b/queue-4.12/x86-xen-efi-initialize-only-the-efi-struct-members-used-by-xen.patch
@@ -0,0 +1,101 @@
+From 6c64447ec58b0bac612732303f7ab04562124587 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper
+Date: Thu, 22 Jun 2017 12:51:37 +0200
+Subject: x86/xen/efi: Initialize only the EFI struct members used by Xen
+
+From: Daniel Kiper
+
+commit 6c64447ec58b0bac612732303f7ab04562124587 upstream.
+
+The current approach, which is the wholesale efi struct initialization from
+a 'efi_xen' local template is not robust. Usually if new member is defined
+then it is properly initialized in drivers/firmware/efi/efi.c, but not in
+arch/x86/xen/efi.c.
+
+The effect is that the Xen initialization clears any fields the generic code
+might have set and the Xen code does not know about yet.
+
+I saw this happen a few times, so let's initialize only the EFI struct members
+used by Xen and maintain no local duplicate, to avoid such issues in the future.
+
+Signed-off-by: Daniel Kiper
+Reviewed-by: Boris Ostrovsky
+Acked-by: Ard Biesheuvel
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: andrew.cooper3@citrix.com
+Cc: jgross@suse.com
+Cc: linux-efi@vger.kernel.org
+Cc: matt@codeblueprint.co.uk
+Cc: xen-devel@lists.xenproject.org
+Link: http://lkml.kernel.org/r/1498128697-12943-3-git-send-email-daniel.kiper@oracle.com
+[ Clarified the changelog. ]
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/efi.c | 45 ++++++++++++---------------------------------
+ 1 file changed, 12 insertions(+), 33 deletions(-)
+
+--- a/arch/x86/xen/efi.c
++++ b/arch/x86/xen/efi.c
+@@ -54,38 +54,6 @@ static efi_system_table_t efi_systab_xen
+ .tables = EFI_INVALID_TABLE_ADDR /* Initialized later. */
+ };
+
+-static const struct efi efi_xen __initconst = {
+- .systab = NULL, /* Initialized later. */
+- .runtime_version = 0, /* Initialized later. 
*/
+- .mps = EFI_INVALID_TABLE_ADDR,
+- .acpi = EFI_INVALID_TABLE_ADDR,
+- .acpi20 = EFI_INVALID_TABLE_ADDR,
+- .smbios = EFI_INVALID_TABLE_ADDR,
+- .smbios3 = EFI_INVALID_TABLE_ADDR,
+- .sal_systab = EFI_INVALID_TABLE_ADDR,
+- .boot_info = EFI_INVALID_TABLE_ADDR,
+- .hcdp = EFI_INVALID_TABLE_ADDR,
+- .uga = EFI_INVALID_TABLE_ADDR,
+- .uv_systab = EFI_INVALID_TABLE_ADDR,
+- .fw_vendor = EFI_INVALID_TABLE_ADDR,
+- .runtime = EFI_INVALID_TABLE_ADDR,
+- .config_table = EFI_INVALID_TABLE_ADDR,
+- .get_time = xen_efi_get_time,
+- .set_time = xen_efi_set_time,
+- .get_wakeup_time = xen_efi_get_wakeup_time,
+- .set_wakeup_time = xen_efi_set_wakeup_time,
+- .get_variable = xen_efi_get_variable,
+- .get_next_variable = xen_efi_get_next_variable,
+- .set_variable = xen_efi_set_variable,
+- .query_variable_info = xen_efi_query_variable_info,
+- .update_capsule = xen_efi_update_capsule,
+- .query_capsule_caps = xen_efi_query_capsule_caps,
+- .get_next_high_mono_count = xen_efi_get_next_high_mono_count,
+- .reset_system = xen_efi_reset_system,
+- .set_virtual_address_map = NULL, /* Not used under Xen. */
+- .flags = 0 /* Initialized later. */
+-};
+-
+ static efi_system_table_t __init *xen_efi_probe(void)
+ {
+ struct xen_platform_op op = {
+@@ -102,7 +70,18 @@ static efi_system_table_t __init *xen_ef
+
+ /* Here we know that Xen runs on EFI platform. 
*/
+
+- efi = efi_xen;
++ efi.get_time = xen_efi_get_time;
++ efi.set_time = xen_efi_set_time;
++ efi.get_wakeup_time = xen_efi_get_wakeup_time;
++ efi.set_wakeup_time = xen_efi_set_wakeup_time;
++ efi.get_variable = xen_efi_get_variable;
++ efi.get_next_variable = xen_efi_get_next_variable;
++ efi.set_variable = xen_efi_set_variable;
++ efi.query_variable_info = xen_efi_query_variable_info;
++ efi.update_capsule = xen_efi_update_capsule;
++ efi.query_capsule_caps = xen_efi_query_capsule_caps;
++ efi.get_next_high_mono_count = xen_efi_get_next_high_mono_count;
++ efi.reset_system = xen_efi_reset_system;
+
+ efi_systab_xen.tables = info->cfg.addr;
+ efi_systab_xen.nr_tables = info->cfg.nent;
-- 
2.47.3
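Review bot: After this change every `efi` member other than the twelve runtime-service pointers keeps whatever the generic code initialised, including `set_virtual_address_map`, which the removed template forced to NULL with the note "Not used under Xen"; that intent is now unstated, so a comment at the top of the assignment block should record it: `/* Only the runtime services are overridden here; every other member, including set_virtual_address_map, keeps the generic default from drivers/firmware/efi/efi.c. */`. This also assumes the generic initialisation runs before xen_efi_probe() and that its default for set_virtual_address_map is the NULL that Xen relied on — worth confirming against 4.12's efi.c before taking the backport. xen_efi_probe() starts before and continues after the hunk.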