From fd58f34543f62e2d26b2b287aa39f125f52a924e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 7 Aug 2017 13:38:53 -0700 Subject: [PATCH] 4.9-stable patches added patches: alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch asoc-do-not-close-shared-backend-dailink.patch brcmfmac-fix-memleak-due-to-calling-brcmf_sdiod_sgtable_alloc-twice.patch cgroup-create-dfl_root-files-on-subsys-registration.patch cgroup-fix-error-return-value-from-cgroup_subtree_control.patch cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch device-property-make-dev_fwnode-public.patch drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch iwlwifi-dvm-prevent-an-out-of-bounds-access.patch kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch libata-array-underflow-in-ata_find_dev.patch mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch mmc-core-fix-access-to-hs400-es-devices.patch mmc-core-use-device_property_read-instead-of-of_property_read.patch mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch mmc-sdhci-of-at91-force-card-detect-value-for-non-removable-devices.patch nfsv4-fix-exchange_id-corrupt-verifier-issue.patch parisc-handle-vma-s-whose-context-is-not-current-in-flush_cache_range.patch workqueue-restore-wq_unbound-max_active-1-to-be-ordered.patch --- ...x-speaker-output-from-vaio-vpcl14m1r.patch | 30 +++ ...-do-not-close-shared-backend-dailink.patch | 39 ++++ ...ling-brcmf_sdiod_sgtable_alloc-twice.patch | 40 ++++ ...fl_root-files-on-subsys-registration.patch | 45 ++++ ...rn-value-from-cgroup_subtree_control.patch | 39 ++++ ...complete-patching-of-cpusets_enabled.patch | 174 +++++++++++++++ ...vice-property-make-dev_fwnode-public.patch | 51 +++++ ...s-in-golden-registers-initialization.patch | 52 +++++ ...-dvm-prevent-an-out-of-bounds-access.patch | 48 ++++ ...exit-if-not-triggered-from-idle-task.patch | 75 +++++++ ...bata-array-underflow-in-ata_find_dev.patch | 44 ++++ ...el-reclaim-leaving-stale-tlb-entries.patch | 207 ++++++++++++++++++ ...-core-fix-access-to-hs400-es-devices.patch | 46 ++++ ...rty_read-instead-of-of_property_read.patch | 169 ++++++++++++++ ...rty_read-instead-of-of_property_read.patch | 83 +++++++ ...tect-value-for-non-removable-devices.patch | 92 ++++++++ ...x-exchange_id-corrupt-verifier-issue.patch | 88 ++++++++ ...-is-not-current-in-flush_cache_range.patch | 75 +++++++ queue-4.9/series | 5 + ...q_unbound-max_active-1-to-be-ordered.patch | 53 +++++ 20 files changed, 1455 insertions(+) create mode 100644 queue-4.9/alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch create mode 100644 queue-4.9/asoc-do-not-close-shared-backend-dailink.patch create mode 100644 queue-4.9/brcmfmac-fix-memleak-due-to-calling-brcmf_sdiod_sgtable_alloc-twice.patch create mode 100644 queue-4.9/cgroup-create-dfl_root-files-on-subsys-registration.patch create mode 100644 queue-4.9/cgroup-fix-error-return-value-from-cgroup_subtree_control.patch create mode 100644 queue-4.9/cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch create mode 100644 queue-4.9/device-property-make-dev_fwnode-public.patch create mode 100644 queue-4.9/drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch create mode 100644 queue-4.9/iwlwifi-dvm-prevent-an-out-of-bounds-access.patch create mode 100644 queue-4.9/kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch create mode 100644 queue-4.9/libata-array-underflow-in-ata_find_dev.patch create mode 100644 queue-4.9/mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch create mode 100644 queue-4.9/mmc-core-fix-access-to-hs400-es-devices.patch create mode 100644 queue-4.9/mmc-core-use-device_property_read-instead-of-of_property_read.patch create mode 100644 queue-4.9/mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch create mode 100644 queue-4.9/mmc-sdhci-of-at91-force-card-detect-value-for-non-removable-devices.patch create mode 100644 queue-4.9/nfsv4-fix-exchange_id-corrupt-verifier-issue.patch create mode 100644 queue-4.9/parisc-handle-vma-s-whose-context-is-not-current-in-flush_cache_range.patch create mode 100644 queue-4.9/workqueue-restore-wq_unbound-max_active-1-to-be-ordered.patch diff --git a/queue-4.9/alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch b/queue-4.9/alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch new file mode 100644 index 00000000000..09544c5e053 --- /dev/null +++ b/queue-4.9/alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch @@ -0,0 +1,30 @@ +From 3f3c371421e601fa93b6cb7fb52da9ad59ec90b4 Mon Sep 17 00:00:00 2001 +From: "Sergei A. Trusov" +Date: Wed, 2 Aug 2017 20:23:48 +1000 +Subject: ALSA: hda - Fix speaker output from VAIO VPCL14M1R + +From: Sergei A. Trusov + +commit 3f3c371421e601fa93b6cb7fb52da9ad59ec90b4 upstream. + +Sony VAIO VPCL14M1R needs the quirk to make the speaker working properly. + +Tested-by: Dmitriy +Signed-off-by: Sergei A. Trusov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -2233,6 +2233,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x1043, 0x8691, "ASUS ROG Ranger VIII", ALC882_FIXUP_GPIO3), + SND_PCI_QUIRK(0x104d, 0x9047, "Sony Vaio TT", ALC889_FIXUP_VAIO_TT), + SND_PCI_QUIRK(0x104d, 0x905a, "Sony Vaio Z", ALC882_FIXUP_NO_PRIMARY_HP), ++ SND_PCI_QUIRK(0x104d, 0x9060, "Sony Vaio VPCL14M1R", ALC882_FIXUP_NO_PRIMARY_HP), + SND_PCI_QUIRK(0x104d, 0x9043, "Sony Vaio VGC-LN51JGB", ALC882_FIXUP_NO_PRIMARY_HP), + SND_PCI_QUIRK(0x104d, 0x9044, "Sony VAIO AiO", ALC882_FIXUP_NO_PRIMARY_HP), + diff --git a/queue-4.9/asoc-do-not-close-shared-backend-dailink.patch b/queue-4.9/asoc-do-not-close-shared-backend-dailink.patch new file mode 100644 index 00000000000..6805d5eb118 --- /dev/null +++ b/queue-4.9/asoc-do-not-close-shared-backend-dailink.patch @@ -0,0 +1,39 @@ +From b1cd2e34c69a2f3988786af451b6e17967c293a0 Mon Sep 17 00:00:00 2001 +From: Banajit Goswami +Date: Fri, 14 Jul 2017 23:15:05 -0700 +Subject: ASoC: do not close shared backend dailink + +From: Banajit Goswami + +commit b1cd2e34c69a2f3988786af451b6e17967c293a0 upstream. + +Multiple frontend dailinks may be connected to a backend +dailink at the same time. When one of frontend dailinks is +closed, the associated backend dailink should not be closed +if it is connected to other active frontend dailinks. Change +ensures that backend dailink is closed only after all +connected frontend dailinks are closed. + +Signed-off-by: Gopikrishnaiah Anandan +Signed-off-by: Banajit Goswami +Signed-off-by: Patrick Lai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-pcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -181,6 +181,10 @@ int dpcm_dapm_stream_event(struct snd_so + dev_dbg(be->dev, "ASoC: BE %s event %d dir %d\n", + be->dai_link->name, event, dir); + ++ if ((event == SND_SOC_DAPM_STREAM_STOP) && ++ (be->dpcm[dir].users >= 1)) ++ continue; ++ + snd_soc_dapm_stream_event(be, dir, event); + } + diff --git a/queue-4.9/brcmfmac-fix-memleak-due-to-calling-brcmf_sdiod_sgtable_alloc-twice.patch b/queue-4.9/brcmfmac-fix-memleak-due-to-calling-brcmf_sdiod_sgtable_alloc-twice.patch new file mode 100644 index 00000000000..cf02ed3a48f --- /dev/null +++ b/queue-4.9/brcmfmac-fix-memleak-due-to-calling-brcmf_sdiod_sgtable_alloc-twice.patch @@ -0,0 +1,40 @@ +From 5f5d03143de5e0c593da4ab18fc6393c2815e108 Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel +Date: Wed, 26 Jul 2017 13:09:24 +0100 +Subject: brcmfmac: fix memleak due to calling brcmf_sdiod_sgtable_alloc() twice + +From: Arend Van Spriel + +commit 5f5d03143de5e0c593da4ab18fc6393c2815e108 upstream. + +Due to a bugfix in wireless tree and the commit mentioned below a merge +was needed which went haywire. So the submitted change resulted in the +function brcmf_sdiod_sgtable_alloc() being called twice during the probe +thus leaking the memory of the first call. + +Fixes: 4d7928959832 ("brcmfmac: switch to new platform data") +Reported-by: Stefan Wahren +Tested-by: Stefan Wahren +Reviewed-by: Hante Meuleman +Signed-off-by: Arend van Spriel +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -4161,11 +4161,6 @@ struct brcmf_sdio *brcmf_sdio_probe(stru + goto fail; + } + +- /* allocate scatter-gather table. sg support +- * will be disabled upon allocation failure. +- */ +- brcmf_sdiod_sgtable_alloc(bus->sdiodev); +- + /* Query the F2 block size, set roundup accordingly */ + bus->blocksize = bus->sdiodev->func[2]->cur_blksize; + bus->roundup = min(max_roundup, bus->blocksize); diff --git a/queue-4.9/cgroup-create-dfl_root-files-on-subsys-registration.patch b/queue-4.9/cgroup-create-dfl_root-files-on-subsys-registration.patch new file mode 100644 index 00000000000..6a319bb7478 --- /dev/null +++ b/queue-4.9/cgroup-create-dfl_root-files-on-subsys-registration.patch @@ -0,0 +1,45 @@ +From 7af608e4f9530372aec6e940552bf76595f2e265 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 18 Jul 2017 17:57:46 -0400 +Subject: cgroup: create dfl_root files on subsys registration + +From: Tejun Heo + +commit 7af608e4f9530372aec6e940552bf76595f2e265 upstream. + +On subsystem registration, css_populate_dir() is not called on the new +root css, so the interface files for the subsystem on cgrp_dfl_root +aren't created on registration. This is a residue from the days when +cgrp_dfl_root was used only as the parking spot for unused subsystems, +which no longer is true as it's used as the root for cgroup2. + +This is often fine as later operations tend to create them as a part +of mount (cgroup1) or subtree_control operations (cgroup2); however, +it's not difficult to mount cgroup2 with the controller interface +files missing as Waiman found out. + +Fix it by invoking css_populate_dir() on the root css on subsys +registration. + +Signed-off-by: Tejun Heo +Reported-and-tested-by: Waiman Long +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -5718,6 +5718,10 @@ int __init cgroup_init(void) + + if (ss->bind) + ss->bind(init_css_set.subsys[ssid]); ++ ++ mutex_lock(&cgroup_mutex); ++ css_populate_dir(init_css_set.subsys[ssid]); ++ mutex_unlock(&cgroup_mutex); + } + + /* init_css_set.subsys[] has been updated, re-hash */ diff --git a/queue-4.9/cgroup-fix-error-return-value-from-cgroup_subtree_control.patch b/queue-4.9/cgroup-fix-error-return-value-from-cgroup_subtree_control.patch new file mode 100644 index 00000000000..9527ba805fd --- /dev/null +++ b/queue-4.9/cgroup-fix-error-return-value-from-cgroup_subtree_control.patch @@ -0,0 +1,39 @@ +From 3c74541777302eec43a0d1327c4d58b8659a776b Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sun, 23 Jul 2017 08:14:15 -0400 +Subject: cgroup: fix error return value from cgroup_subtree_control() + +From: Tejun Heo + +commit 3c74541777302eec43a0d1327c4d58b8659a776b upstream. + +While refactoring, f7b2814bb9b6 ("cgroup: factor out +cgroup_{apply|finalize}_control() from +cgroup_subtree_control_write()") broke error return value from the +function. The return value from the last operation is always +overridden to zero. Fix it. + +Signed-off-by: Tejun Heo +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -3487,11 +3487,11 @@ static ssize_t cgroup_subtree_control_wr + cgrp->subtree_control &= ~disable; + + ret = cgroup_apply_control(cgrp); +- + cgroup_finalize_control(cgrp, ret); ++ if (ret) ++ goto out_unlock; + + kernfs_activate(cgrp->kn); +- ret = 0; + out_unlock: + cgroup_kn_unlock(of->kn); + return ret ?: nbytes; diff --git a/queue-4.9/cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch b/queue-4.9/cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch new file mode 100644 index 00000000000..92fdc2ff0e5 --- /dev/null +++ b/queue-4.9/cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch @@ -0,0 +1,174 @@ +From 89affbf5d9ebb15c6460596822e8857ea2f9e735 Mon Sep 17 00:00:00 2001 +From: Dima Zavin +Date: Wed, 2 Aug 2017 13:32:18 -0700 +Subject: cpuset: fix a deadlock due to incomplete patching of cpusets_enabled() + +From: Dima Zavin + +commit 89affbf5d9ebb15c6460596822e8857ea2f9e735 upstream. + +In codepaths that use the begin/retry interface for reading +mems_allowed_seq with irqs disabled, there exists a race condition that +stalls the patch process after only modifying a subset of the +static_branch call sites. + +This problem manifested itself as a deadlock in the slub allocator, +inside get_any_partial. The loop reads mems_allowed_seq value (via +read_mems_allowed_begin), performs the defrag operation, and then +verifies the consistency of mem_allowed via the read_mems_allowed_retry +and the cookie returned by xxx_begin. + +The issue here is that both begin and retry first check if cpusets are +enabled via cpusets_enabled() static branch. This branch can be +rewritted dynamically (via cpuset_inc) if a new cpuset is created. The +x86 jump label code fully synchronizes across all CPUs for every entry +it rewrites. If it rewrites only one of the callsites (specifically the +one in read_mems_allowed_retry) and then waits for the +smp_call_function(do_sync_core) to complete while a CPU is inside the +begin/retry section with IRQs off and the mems_allowed value is changed, +we can hang. + +This is because begin() will always return 0 (since it wasn't patched +yet) while retry() will test the 0 against the actual value of the seq +counter. + +The fix is to use two different static keys: one for begin +(pre_enable_key) and one for retry (enable_key). In cpuset_inc(), we +first bump the pre_enable key to ensure that cpuset_mems_allowed_begin() +always return a valid seqcount if are enabling cpusets. Similarly, when +disabling cpusets via cpuset_dec(), we first ensure that callers of +cpuset_mems_allowed_retry() will start ignoring the seqcount value +before we let cpuset_mems_allowed_begin() return 0. + +The relevant stack traces of the two stuck threads: + + CPU: 1 PID: 1415 Comm: mkdir Tainted: G L 4.9.36-00104-g540c51286237 #4 + Hardware name: Default string Default string/Hardware, BIOS 4.29.1-20170526215256 05/26/2017 + task: ffff8817f9c28000 task.stack: ffffc9000ffa4000 + RIP: smp_call_function_many+0x1f9/0x260 + Call Trace: + smp_call_function+0x3b/0x70 + on_each_cpu+0x2f/0x90 + text_poke_bp+0x87/0xd0 + arch_jump_label_transform+0x93/0x100 + __jump_label_update+0x77/0x90 + jump_label_update+0xaa/0xc0 + static_key_slow_inc+0x9e/0xb0 + cpuset_css_online+0x70/0x2e0 + online_css+0x2c/0xa0 + cgroup_apply_control_enable+0x27f/0x3d0 + cgroup_mkdir+0x2b7/0x420 + kernfs_iop_mkdir+0x5a/0x80 + vfs_mkdir+0xf6/0x1a0 + SyS_mkdir+0xb7/0xe0 + entry_SYSCALL_64_fastpath+0x18/0xad + + ... + + CPU: 2 PID: 1 Comm: init Tainted: G L 4.9.36-00104-g540c51286237 #4 + Hardware name: Default string Default string/Hardware, BIOS 4.29.1-20170526215256 05/26/2017 + task: ffff8818087c0000 task.stack: ffffc90000030000 + RIP: int3+0x39/0x70 + Call Trace: + <#DB> ? ___slab_alloc+0x28b/0x5a0 + ? copy_process.part.40+0xf7/0x1de0 + __slab_alloc.isra.80+0x54/0x90 + copy_process.part.40+0xf7/0x1de0 + copy_process.part.40+0xf7/0x1de0 + kmem_cache_alloc_node+0x8a/0x280 + copy_process.part.40+0xf7/0x1de0 + _do_fork+0xe7/0x6c0 + _raw_spin_unlock_irq+0x2d/0x60 + trace_hardirqs_on_caller+0x136/0x1d0 + entry_SYSCALL_64_fastpath+0x5/0xad + do_syscall_64+0x27/0x350 + SyS_clone+0x19/0x20 + do_syscall_64+0x60/0x350 + entry_SYSCALL64_slow_path+0x25/0x25 + +Link: http://lkml.kernel.org/r/20170731040113.14197-1-dmitriyz@waymo.com +Fixes: 46e700abc44c ("mm, page_alloc: remove unnecessary taking of a seqlock when cpusets are disabled") +Signed-off-by: Dima Zavin +Reported-by: Cliff Spradlin +Acked-by: Vlastimil Babka +Cc: Peter Zijlstra +Cc: Christopher Lameter +Cc: Li Zefan +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/cpuset.h | 19 +++++++++++++++++-- + kernel/cpuset.c | 1 + + 2 files changed, 18 insertions(+), 2 deletions(-) + +--- a/include/linux/cpuset.h ++++ b/include/linux/cpuset.h +@@ -16,6 +16,19 @@ + + #ifdef CONFIG_CPUSETS + ++/* ++ * Static branch rewrites can happen in an arbitrary order for a given ++ * key. In code paths where we need to loop with read_mems_allowed_begin() and ++ * read_mems_allowed_retry() to get a consistent view of mems_allowed, we need ++ * to ensure that begin() always gets rewritten before retry() in the ++ * disabled -> enabled transition. If not, then if local irqs are disabled ++ * around the loop, we can deadlock since retry() would always be ++ * comparing the latest value of the mems_allowed seqcount against 0 as ++ * begin() still would see cpusets_enabled() as false. The enabled -> disabled ++ * transition should happen in reverse order for the same reasons (want to stop ++ * looking at real value of mems_allowed.sequence in retry() first). ++ */ ++extern struct static_key_false cpusets_pre_enable_key; + extern struct static_key_false cpusets_enabled_key; + static inline bool cpusets_enabled(void) + { +@@ -30,12 +43,14 @@ static inline int nr_cpusets(void) + + static inline void cpuset_inc(void) + { ++ static_branch_inc(&cpusets_pre_enable_key); + static_branch_inc(&cpusets_enabled_key); + } + + static inline void cpuset_dec(void) + { + static_branch_dec(&cpusets_enabled_key); ++ static_branch_dec(&cpusets_pre_enable_key); + } + + extern int cpuset_init(void); +@@ -113,7 +128,7 @@ extern void cpuset_print_current_mems_al + */ + static inline unsigned int read_mems_allowed_begin(void) + { +- if (!cpusets_enabled()) ++ if (!static_branch_unlikely(&cpusets_pre_enable_key)) + return 0; + + return read_seqcount_begin(¤t->mems_allowed_seq); +@@ -127,7 +142,7 @@ static inline unsigned int read_mems_all + */ + static inline bool read_mems_allowed_retry(unsigned int seq) + { +- if (!cpusets_enabled()) ++ if (!static_branch_unlikely(&cpusets_enabled_key)) + return false; + + return read_seqcount_retry(¤t->mems_allowed_seq, seq); +--- a/kernel/cpuset.c ++++ b/kernel/cpuset.c +@@ -61,6 +61,7 @@ + #include + #include + ++DEFINE_STATIC_KEY_FALSE(cpusets_pre_enable_key); + DEFINE_STATIC_KEY_FALSE(cpusets_enabled_key); + + /* See "Frequency meter" comments, below. */ diff --git a/queue-4.9/device-property-make-dev_fwnode-public.patch b/queue-4.9/device-property-make-dev_fwnode-public.patch new file mode 100644 index 00000000000..ab337178818 --- /dev/null +++ b/queue-4.9/device-property-make-dev_fwnode-public.patch @@ -0,0 +1,51 @@ +From e44bb0cbdc88686c21e2175a990b40bf6db5d005 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Tue, 28 Mar 2017 10:52:24 +0300 +Subject: device property: Make dev_fwnode() public + +From: Sakari Ailus + +commit e44bb0cbdc88686c21e2175a990b40bf6db5d005 upstream. + +The function to obtain a fwnode related to a struct device is useful for +drivers that use the fwnode property API: it allows not being aware of the +underlying firmware implementation. + +Signed-off-by: Sakari Ailus +Reviewed-by: Mika Westerberg +Signed-off-by: Rafael J. Wysocki +Cc: Chris Metcalf +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/property.c | 3 ++- + include/linux/property.h | 2 ++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -182,11 +182,12 @@ static int pset_prop_read_string(struct + return 0; + } + +-static inline struct fwnode_handle *dev_fwnode(struct device *dev) ++struct fwnode_handle *dev_fwnode(struct device *dev) + { + return IS_ENABLED(CONFIG_OF) && dev->of_node ? + &dev->of_node->fwnode : dev->fwnode; + } ++EXPORT_SYMBOL_GPL(dev_fwnode); + + /** + * device_property_present - check if a property of a device is present +--- a/include/linux/property.h ++++ b/include/linux/property.h +@@ -33,6 +33,8 @@ enum dev_dma_attr { + DEV_DMA_COHERENT, + }; + ++struct fwnode_handle *dev_fwnode(struct device *dev); ++ + bool device_property_present(struct device *dev, const char *propname); + int device_property_read_u8_array(struct device *dev, const char *propname, + u8 *val, size_t nval); diff --git a/queue-4.9/drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch b/queue-4.9/drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch new file mode 100644 index 00000000000..d26457b6ade --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch @@ -0,0 +1,52 @@ +From 5694785cf09bf0e7bd8e5f62361ea34fa162a4a0 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Sun, 30 Jul 2017 10:18:25 +0200 +Subject: drm/amdgpu: Fix undue fallthroughs in golden registers initialization +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jean Delvare + +commit 5694785cf09bf0e7bd8e5f62361ea34fa162a4a0 upstream. + +As I was staring at the si_init_golden_registers code, I noticed that +the Pitcairn initialization silently falls through the Cape Verde +initialization, and the Oland initialization falls through the Hainan +initialization. However there is no comment stating that this is +intentional, and the radeon driver doesn't have any such fallthrough, +so I suspect this is not supposed to happen. + +Signed-off-by: Jean Delvare +Fixes: 62a37553414a ("drm/amdgpu: add si implementation v10") +Cc: Ken Wang +Cc: Alex Deucher +Cc: "Marek Olšák" +Cc: "Christian König" +Cc: Flora Cui +Reviewed-by: Marek Olšák +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/si.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/amdgpu/si.c ++++ b/drivers/gpu/drm/amd/amdgpu/si.c +@@ -1301,6 +1301,7 @@ static void si_init_golden_registers(str + amdgpu_program_register_sequence(adev, + pitcairn_mgcg_cgcg_init, + (const u32)ARRAY_SIZE(pitcairn_mgcg_cgcg_init)); ++ break; + case CHIP_VERDE: + amdgpu_program_register_sequence(adev, + verde_golden_registers, +@@ -1325,6 +1326,7 @@ static void si_init_golden_registers(str + amdgpu_program_register_sequence(adev, + oland_mgcg_cgcg_init, + (const u32)ARRAY_SIZE(oland_mgcg_cgcg_init)); ++ break; + case CHIP_HAINAN: + amdgpu_program_register_sequence(adev, + hainan_golden_registers, diff --git a/queue-4.9/iwlwifi-dvm-prevent-an-out-of-bounds-access.patch b/queue-4.9/iwlwifi-dvm-prevent-an-out-of-bounds-access.patch new file mode 100644 index 00000000000..397699db5d0 --- /dev/null +++ b/queue-4.9/iwlwifi-dvm-prevent-an-out-of-bounds-access.patch @@ -0,0 +1,48 @@ +From 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Thu, 8 Jun 2017 10:55:26 +0300 +Subject: iwlwifi: dvm: prevent an out of bounds access + +From: Emmanuel Grumbach + +commit 0b0f934e92a8eaed2e6c48a50eae6f84661f74f3 upstream. + +iwlagn_check_ratid_empty takes the tid as a parameter, but +it doesn't check that it is not IWL_TID_NON_QOS. +Since IWL_TID_NON_QOS = 8 and iwl_priv::tid_data is an array +with 8 entries, accessing iwl_priv::tid_data[IWL_TID_NON_QOS] +is a bad idea. +This happened in iwlagn_rx_reply_tx. Since +iwlagn_check_ratid_empty is relevant only to check whether +we can open A-MPDU, this flow is irrelevant if tid is +IWL_TID_NON_QOS. Call iwlagn_check_ratid_empty only inside +the + if (tid != IWL_TID_NON_QOS) + +a few lines earlier in the function. + +Reported-by: Seraphime Kirkovski +Tested-by: Seraphime Kirkovski +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intel/iwlwifi/dvm/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c ++++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c +@@ -1190,11 +1190,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv + next_reclaimed; + IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n", + next_reclaimed); ++ iwlagn_check_ratid_empty(priv, sta_id, tid); + } + + iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs); + +- iwlagn_check_ratid_empty(priv, sta_id, tid); + freed = 0; + + /* process frames */ diff --git a/queue-4.9/kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch b/queue-4.9/kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch new file mode 100644 index 00000000000..10987115ede --- /dev/null +++ b/queue-4.9/kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch @@ -0,0 +1,75 @@ +From 337c017ccdf2653d0040099433fc1a2b1beb5926 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Tue, 1 Aug 2017 05:20:03 -0700 +Subject: KVM: async_pf: make rcu irq exit if not triggered from idle task +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit 337c017ccdf2653d0040099433fc1a2b1beb5926 upstream. + + WARNING: CPU: 5 PID: 1242 at kernel/rcu/tree_plugin.h:323 rcu_note_context_switch+0x207/0x6b0 + CPU: 5 PID: 1242 Comm: unity-settings- Not tainted 4.13.0-rc2+ #1 + RIP: 0010:rcu_note_context_switch+0x207/0x6b0 + Call Trace: + __schedule+0xda/0xba0 + ? kvm_async_pf_task_wait+0x1b2/0x270 + schedule+0x40/0x90 + kvm_async_pf_task_wait+0x1cc/0x270 + ? prepare_to_swait+0x22/0x70 + do_async_page_fault+0x77/0xb0 + ? do_async_page_fault+0x77/0xb0 + async_page_fault+0x28/0x30 + RIP: 0010:__d_lookup_rcu+0x90/0x1e0 + +I encounter this when trying to stress the async page fault in L1 guest w/ +L2 guests running. + +Commit 9b132fbe5419 (Add rcu user eqs exception hooks for async page +fault) adds rcu_irq_enter/exit() to kvm_async_pf_task_wait() to exit cpu +idle eqs when needed, to protect the code that needs use rcu. However, +we need to call the pair even if the function calls schedule(), as seen +from the above backtrace. + +This patch fixes it by informing the RCU subsystem exit/enter the irq +towards/away from idle for both n.halted and !n.halted. + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Paul E. McKenney +Signed-off-by: Wanpeng Li +Reviewed-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kvm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/kvm.c ++++ b/arch/x86/kernel/kvm.c +@@ -152,6 +152,8 @@ void kvm_async_pf_task_wait(u32 token) + if (hlist_unhashed(&n.link)) + break; + ++ rcu_irq_exit(); ++ + if (!n.halted) { + local_irq_enable(); + schedule(); +@@ -160,11 +162,11 @@ void kvm_async_pf_task_wait(u32 token) + /* + * We cannot reschedule. So halt. + */ +- rcu_irq_exit(); + native_safe_halt(); + local_irq_disable(); +- rcu_irq_enter(); + } ++ ++ rcu_irq_enter(); + } + if (!n.halted) + finish_swait(&n.wq, &wait); diff --git a/queue-4.9/libata-array-underflow-in-ata_find_dev.patch b/queue-4.9/libata-array-underflow-in-ata_find_dev.patch new file mode 100644 index 00000000000..19daf433420 --- /dev/null +++ b/queue-4.9/libata-array-underflow-in-ata_find_dev.patch @@ -0,0 +1,44 @@ +From 59a5e266c3f5c1567508888dd61a45b86daed0fa Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 19 Jul 2017 13:06:41 +0300 +Subject: libata: array underflow in ata_find_dev() + +From: Dan Carpenter + +commit 59a5e266c3f5c1567508888dd61a45b86daed0fa upstream. + +My static checker complains that "devno" can be negative, meaning that +we read before the start of the loop. I've looked at the code, and I +think the warning is right. This come from /proc so it's root only or +it would be quite a quite a serious bug. The call tree looks like this: + +proc_scsi_write() <- gets id and channel from simple_strtoul() +-> scsi_add_single_device() <- calls shost->transportt->user_scan() + -> ata_scsi_user_scan() + -> ata_find_dev() + +Signed-off-by: Dan Carpenter +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -2971,10 +2971,12 @@ static unsigned int atapi_xlat(struct at + static struct ata_device *ata_find_dev(struct ata_port *ap, int devno) + { + if (!sata_pmp_attached(ap)) { +- if (likely(devno < ata_link_max_devices(&ap->link))) ++ if (likely(devno >= 0 && ++ devno < ata_link_max_devices(&ap->link))) + return &ap->link.device[devno]; + } else { +- if (likely(devno < ap->nr_pmp_links)) ++ if (likely(devno >= 0 && ++ devno < ap->nr_pmp_links)) + return &ap->pmp_link[devno].device[0]; + } + diff --git a/queue-4.9/mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch b/queue-4.9/mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch new file mode 100644 index 00000000000..4ba21cdb4ab --- /dev/null +++ b/queue-4.9/mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch @@ -0,0 +1,207 @@ +From 3ea277194daaeaa84ce75180ec7c7a2075027a68 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Wed, 2 Aug 2017 13:31:52 -0700 +Subject: mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries + +From: Mel Gorman + +commit 3ea277194daaeaa84ce75180ec7c7a2075027a68 upstream. + +Nadav Amit identified a theoritical race between page reclaim and +mprotect due to TLB flushes being batched outside of the PTL being held. + +He described the race as follows: + + CPU0 CPU1 + ---- ---- + user accesses memory using RW PTE + [PTE now cached in TLB] + try_to_unmap_one() + ==> ptep_get_and_clear() + ==> set_tlb_ubc_flush_pending() + mprotect(addr, PROT_READ) + ==> change_pte_range() + ==> [ PTE non-present - no flush ] + + user writes using cached RW PTE + ... + + try_to_unmap_flush() + +The same type of race exists for reads when protecting for PROT_NONE and +also exists for operations that can leave an old TLB entry behind such +as munmap, mremap and madvise. + +For some operations like mprotect, it's not necessarily a data integrity +issue but it is a correctness issue as there is a window where an +mprotect that limits access still allows access. For munmap, it's +potentially a data integrity issue although the race is massive as an +munmap, mmap and return to userspace must all complete between the +window when reclaim drops the PTL and flushes the TLB. However, it's +theoritically possible so handle this issue by flushing the mm if +reclaim is potentially currently batching TLB flushes. + +Other instances where a flush is required for a present pte should be ok +as either the page lock is held preventing parallel reclaim or a page +reference count is elevated preventing a parallel free leading to +corruption. In the case of page_mkclean there isn't an obvious path +that userspace could take advantage of without using the operations that +are guarded by this patch. Other users such as gup as a race with +reclaim looks just at PTEs. huge page variants should be ok as they +don't race with reclaim. mincore only looks at PTEs. userfault also +should be ok as if a parallel reclaim takes place, it will either fault +the page back in or read some of the data before the flush occurs +triggering a fault. + +Note that a variant of this patch was acked by Andy Lutomirski but this +was for the x86 parts on top of his PCID work which didn't make the 4.13 +merge window as expected. His ack is dropped from this version and +there will be a follow-on patch on top of PCID that will include his +ack. + +[akpm@linux-foundation.org: tweak comments] +[akpm@linux-foundation.org: fix spello] +Link: http://lkml.kernel.org/r/20170717155523.emckq2esjro6hf3z@suse.de +Reported-by: Nadav Amit +Signed-off-by: Mel Gorman +Cc: Andy Lutomirski +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mm_types.h | 4 ++++ + mm/internal.h | 5 ++++- + mm/madvise.c | 1 + + mm/memory.c | 1 + + mm/mprotect.c | 1 + + mm/mremap.c | 1 + + mm/rmap.c | 36 ++++++++++++++++++++++++++++++++++++ + 7 files changed, 48 insertions(+), 1 deletion(-) + +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -508,6 +508,10 @@ struct mm_struct { + */ + bool tlb_flush_pending; + #endif ++#ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH ++ /* See flush_tlb_batched_pending() */ ++ bool tlb_flush_batched; ++#endif + struct uprobes_state uprobes_state; + #ifdef CONFIG_X86_INTEL_MPX + /* address of the bounds directory */ +--- a/mm/internal.h ++++ b/mm/internal.h +@@ -472,6 +472,7 @@ struct tlbflush_unmap_batch; + #ifdef CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH + void try_to_unmap_flush(void); + void try_to_unmap_flush_dirty(void); ++void flush_tlb_batched_pending(struct mm_struct *mm); + #else + static inline void try_to_unmap_flush(void) + { +@@ -479,7 +480,9 @@ static inline void try_to_unmap_flush(vo + static inline void try_to_unmap_flush_dirty(void) + { + } +- ++static inline void flush_tlb_batched_pending(struct mm_struct *mm) ++{ ++} + #endif /* CONFIG_ARCH_WANT_BATCHED_UNMAP_TLB_FLUSH */ + + extern const struct trace_print_flags pageflag_names[]; +--- a/mm/madvise.c ++++ b/mm/madvise.c +@@ -282,6 +282,7 @@ static int madvise_free_pte_range(pmd_t + return 0; + + orig_pte = pte = pte_offset_map_lock(mm, pmd, addr, &ptl); ++ flush_tlb_batched_pending(mm); + arch_enter_lazy_mmu_mode(); + for (; addr != end; pte++, addr += PAGE_SIZE) { + ptent = *pte; +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1124,6 +1124,7 @@ again: + init_rss_vec(rss); + start_pte = pte_offset_map_lock(mm, pmd, addr, &ptl); + pte = start_pte; ++ flush_tlb_batched_pending(mm); + arch_enter_lazy_mmu_mode(); + do { + pte_t ptent = *pte; +--- a/mm/mprotect.c ++++ b/mm/mprotect.c +@@ -74,6 +74,7 @@ static unsigned long change_pte_range(st + if (!pte) + return 0; + ++ flush_tlb_batched_pending(vma->vm_mm); + arch_enter_lazy_mmu_mode(); + do { + oldpte = *pte; +--- a/mm/mremap.c ++++ b/mm/mremap.c +@@ -142,6 +142,7 @@ static void move_ptes(struct vm_area_str + new_ptl = pte_lockptr(mm, new_pmd); + if (new_ptl != old_ptl) + spin_lock_nested(new_ptl, SINGLE_DEPTH_NESTING); ++ flush_tlb_batched_pending(vma->vm_mm); + arch_enter_lazy_mmu_mode(); + + for (; old_addr < old_end; old_pte++, old_addr += PAGE_SIZE, +--- a/mm/rmap.c ++++ b/mm/rmap.c +@@ -617,6 +617,13 @@ static void set_tlb_ubc_flush_pending(st + tlb_ubc->flush_required = true; + + /* ++ * Ensure compiler does not re-order the setting of tlb_flush_batched ++ * before the PTE is cleared. ++ */ ++ barrier(); ++ mm->tlb_flush_batched = true; ++ ++ /* + * If the PTE was dirty then it's best to assume it's writable. The + * caller must use try_to_unmap_flush_dirty() or try_to_unmap_flush() + * before the page is queued for IO. +@@ -643,6 +650,35 @@ static bool should_defer_flush(struct mm + + return should_defer; + } ++ ++/* ++ * Reclaim unmaps pages under the PTL but do not flush the TLB prior to ++ * releasing the PTL if TLB flushes are batched. It's possible for a parallel ++ * operation such as mprotect or munmap to race between reclaim unmapping ++ * the page and flushing the page. If this race occurs, it potentially allows ++ * access to data via a stale TLB entry. Tracking all mm's that have TLB ++ * batching in flight would be expensive during reclaim so instead track ++ * whether TLB batching occurred in the past and if so then do a flush here ++ * if required. This will cost one additional flush per reclaim cycle paid ++ * by the first operation at risk such as mprotect and mumap. ++ * ++ * This must be called under the PTL so that an access to tlb_flush_batched ++ * that is potentially a "reclaim vs mprotect/munmap/etc" race will synchronise ++ * via the PTL. ++ */ ++void flush_tlb_batched_pending(struct mm_struct *mm) ++{ ++ if (mm->tlb_flush_batched) { ++ flush_tlb_mm(mm); ++ ++ /* ++ * Do not allow the compiler to re-order the clearing of ++ * tlb_flush_batched before the tlb is flushed. ++ */ ++ barrier(); ++ mm->tlb_flush_batched = false; ++ } ++} + #else + static void set_tlb_ubc_flush_pending(struct mm_struct *mm, + struct page *page, bool writable) diff --git a/queue-4.9/mmc-core-fix-access-to-hs400-es-devices.patch b/queue-4.9/mmc-core-fix-access-to-hs400-es-devices.patch new file mode 100644 index 00000000000..97bc9e9ee2b --- /dev/null +++ b/queue-4.9/mmc-core-fix-access-to-hs400-es-devices.patch @@ -0,0 +1,46 @@ +From 773dc118756b1f38766063e90e582016be868f09 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 1 Mar 2017 14:11:47 -0800 +Subject: mmc: core: Fix access to HS400-ES devices + +From: Guenter Roeck + +commit 773dc118756b1f38766063e90e582016be868f09 upstream. + +HS400-ES devices fail to initialize with the following error messages. + +mmc1: power class selection to bus width 8 ddr 0 failed +mmc1: error -110 whilst initialising MMC card + +This was seen on Samsung Chromebook Plus. Code analysis points to +commit 3d4ef329757c ("mmc: core: fix multi-bit bus width without +high-speed mode"), which attempts to set the bus width for all but +HS200 devices unconditionally. However, for HS400-ES, the bus width +is already selected. + +Cc: Anssi Hannula +Cc: Douglas Anderson +Cc: Brian Norris +Fixes: 3d4ef329757c ("mmc: core: fix multi-bit bus width ...") +Signed-off-by: Guenter Roeck +Reviewed-by: Douglas Anderson +Reviewed-by: Shawn Lin +Tested-by: Heiko Stuebner +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1690,7 +1690,7 @@ static int mmc_init_card(struct mmc_host + err = mmc_select_hs400(card); + if (err) + goto free_card; +- } else { ++ } else if (!mmc_card_hs400es(card)) { + /* Select the desired bus width optionally */ + err = mmc_select_bus_width(card); + if (err > 0 && mmc_card_hs(card)) { diff --git a/queue-4.9/mmc-core-use-device_property_read-instead-of-of_property_read.patch b/queue-4.9/mmc-core-use-device_property_read-instead-of-of_property_read.patch new file mode 100644 index 00000000000..0e7e9a5a8e1 --- /dev/null +++ b/queue-4.9/mmc-core-use-device_property_read-instead-of-of_property_read.patch @@ -0,0 +1,169 @@ +From 73a47a9bb3e2c4a9c553c72456e63ab991b1a4d9 Mon Sep 17 00:00:00 2001 +From: David Woods +Date: Fri, 26 May 2017 17:53:21 -0400 +Subject: mmc: core: Use device_property_read instead of of_property_read + +From: David Woods + +commit 73a47a9bb3e2c4a9c553c72456e63ab991b1a4d9 upstream. + +Using the device_property interfaces allows mmc drivers to work +on platforms which run on either device tree or ACPI. + +Signed-off-by: David Woods +Reviewed-by: Chris Metcalf +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/host.c | 70 +++++++++++++++++++++++------------------------- + 1 file changed, 34 insertions(+), 36 deletions(-) + +--- a/drivers/mmc/core/host.c ++++ b/drivers/mmc/core/host.c +@@ -179,19 +179,17 @@ static void mmc_retune_timer(unsigned lo + */ + int mmc_of_parse(struct mmc_host *host) + { +- struct device_node *np; ++ struct device *dev = host->parent; + u32 bus_width; + int ret; + bool cd_cap_invert, cd_gpio_invert = false; + bool ro_cap_invert, ro_gpio_invert = false; + +- if (!host->parent || !host->parent->of_node) ++ if (!dev || !dev_fwnode(dev)) + return 0; + +- np = host->parent->of_node; +- + /* "bus-width" is translated to MMC_CAP_*_BIT_DATA flags */ +- if (of_property_read_u32(np, "bus-width", &bus_width) < 0) { ++ if (device_property_read_u32(dev, "bus-width", &bus_width) < 0) { + dev_dbg(host->parent, + "\"bus-width\" property is missing, assuming 1 bit.\n"); + bus_width = 1; +@@ -213,7 +211,7 @@ int mmc_of_parse(struct mmc_host *host) + } + + /* f_max is obtained from the optional "max-frequency" property */ +- of_property_read_u32(np, "max-frequency", &host->f_max); ++ device_property_read_u32(dev, "max-frequency", &host->f_max); + + /* + * Configure CD and WP pins. They are both by default active low to +@@ -228,12 +226,12 @@ int mmc_of_parse(struct mmc_host *host) + */ + + /* Parse Card Detection */ +- if (of_property_read_bool(np, "non-removable")) { ++ if (device_property_read_bool(dev, "non-removable")) { + host->caps |= MMC_CAP_NONREMOVABLE; + } else { +- cd_cap_invert = of_property_read_bool(np, "cd-inverted"); ++ cd_cap_invert = device_property_read_bool(dev, "cd-inverted"); + +- if (of_property_read_bool(np, "broken-cd")) ++ if (device_property_read_bool(dev, "broken-cd")) + host->caps |= MMC_CAP_NEEDS_POLL; + + ret = mmc_gpiod_request_cd(host, "cd", 0, true, +@@ -259,7 +257,7 @@ int mmc_of_parse(struct mmc_host *host) + } + + /* Parse Write Protection */ +- ro_cap_invert = of_property_read_bool(np, "wp-inverted"); ++ ro_cap_invert = device_property_read_bool(dev, "wp-inverted"); + + ret = mmc_gpiod_request_ro(host, "wp", 0, false, 0, &ro_gpio_invert); + if (!ret) +@@ -267,62 +265,62 @@ int mmc_of_parse(struct mmc_host *host) + else if (ret != -ENOENT && ret != -ENOSYS) + return ret; + +- if (of_property_read_bool(np, "disable-wp")) ++ if (device_property_read_bool(dev, "disable-wp")) + host->caps2 |= MMC_CAP2_NO_WRITE_PROTECT; + + /* See the comment on CD inversion above */ + if (ro_cap_invert ^ ro_gpio_invert) + host->caps2 |= MMC_CAP2_RO_ACTIVE_HIGH; + +- if (of_property_read_bool(np, "cap-sd-highspeed")) ++ if (device_property_read_bool(dev, "cap-sd-highspeed")) + host->caps |= MMC_CAP_SD_HIGHSPEED; +- if (of_property_read_bool(np, "cap-mmc-highspeed")) ++ if (device_property_read_bool(dev, "cap-mmc-highspeed")) + host->caps |= MMC_CAP_MMC_HIGHSPEED; +- if (of_property_read_bool(np, "sd-uhs-sdr12")) ++ if (device_property_read_bool(dev, "sd-uhs-sdr12")) + host->caps |= MMC_CAP_UHS_SDR12; +- if (of_property_read_bool(np, "sd-uhs-sdr25")) ++ if (device_property_read_bool(dev, "sd-uhs-sdr25")) + host->caps |= MMC_CAP_UHS_SDR25; +- if (of_property_read_bool(np, "sd-uhs-sdr50")) ++ if (device_property_read_bool(dev, "sd-uhs-sdr50")) + host->caps |= MMC_CAP_UHS_SDR50; +- if (of_property_read_bool(np, "sd-uhs-sdr104")) ++ if (device_property_read_bool(dev, "sd-uhs-sdr104")) + host->caps |= MMC_CAP_UHS_SDR104; +- if (of_property_read_bool(np, "sd-uhs-ddr50")) ++ if (device_property_read_bool(dev, "sd-uhs-ddr50")) + host->caps |= MMC_CAP_UHS_DDR50; +- if (of_property_read_bool(np, "cap-power-off-card")) ++ if (device_property_read_bool(dev, "cap-power-off-card")) + host->caps |= MMC_CAP_POWER_OFF_CARD; +- if (of_property_read_bool(np, "cap-mmc-hw-reset")) ++ if (device_property_read_bool(dev, "cap-mmc-hw-reset")) + host->caps |= MMC_CAP_HW_RESET; +- if (of_property_read_bool(np, "cap-sdio-irq")) ++ if (device_property_read_bool(np, "cap-sdio-irq")) + host->caps |= MMC_CAP_SDIO_IRQ; +- if (of_property_read_bool(np, "full-pwr-cycle")) ++ if (device_property_read_bool(np, "full-pwr-cycle")) + host->caps2 |= MMC_CAP2_FULL_PWR_CYCLE; +- if (of_property_read_bool(np, "keep-power-in-suspend")) ++ if (device_property_read_bool(np, "keep-power-in-suspend")) + host->pm_caps |= MMC_PM_KEEP_POWER; +- if (of_property_read_bool(np, "wakeup-source") || +- of_property_read_bool(np, "enable-sdio-wakeup")) /* legacy */ ++ if (device_property_read_bool(np, "wakeup-source") || ++ device_property_read_bool(np, "enable-sdio-wakeup")) /* legacy */ + host->pm_caps |= MMC_PM_WAKE_SDIO_IRQ; +- if (of_property_read_bool(np, "mmc-ddr-1_8v")) ++ if (device_property_read_bool(np, "mmc-ddr-1_8v")) + host->caps |= MMC_CAP_1_8V_DDR; +- if (of_property_read_bool(np, "mmc-ddr-1_2v")) ++ if (device_property_read_bool(np, "mmc-ddr-1_2v")) + host->caps |= MMC_CAP_1_2V_DDR; +- if (of_property_read_bool(np, "mmc-hs200-1_8v")) ++ if (device_property_read_bool(np, "mmc-hs200-1_8v")) + host->caps2 |= MMC_CAP2_HS200_1_8V_SDR; +- if (of_property_read_bool(np, "mmc-hs200-1_2v")) ++ if (device_property_read_bool(np, "mmc-hs200-1_2v")) + host->caps2 |= MMC_CAP2_HS200_1_2V_SDR; +- if (of_property_read_bool(np, "mmc-hs400-1_8v")) ++ if (device_property_read_bool(np, "mmc-hs400-1_8v")) + host->caps2 |= MMC_CAP2_HS400_1_8V | MMC_CAP2_HS200_1_8V_SDR; +- if (of_property_read_bool(np, "mmc-hs400-1_2v")) ++ if (device_property_read_bool(np, "mmc-hs400-1_2v")) + host->caps2 |= MMC_CAP2_HS400_1_2V | MMC_CAP2_HS200_1_2V_SDR; +- if (of_property_read_bool(np, "mmc-hs400-enhanced-strobe")) ++ if (device_property_read_bool(np, "mmc-hs400-enhanced-strobe")) + host->caps2 |= MMC_CAP2_HS400_ES; +- if (of_property_read_bool(np, "no-sdio")) ++ if (device_property_read_bool(np, "no-sdio")) + host->caps2 |= MMC_CAP2_NO_SDIO; +- if (of_property_read_bool(np, "no-sd")) ++ if (device_property_read_bool(np, "no-sd")) + host->caps2 |= MMC_CAP2_NO_SD; +- if (of_property_read_bool(np, "no-mmc")) ++ if (device_property_read_bool(np, "no-mmc")) + host->caps2 |= MMC_CAP2_NO_MMC; + +- host->dsr_req = !of_property_read_u32(np, "dsr", &host->dsr); ++ host->dsr_req = !device_property_read_u32(dev, "dsr", &host->dsr); + if (host->dsr_req && (host->dsr & ~0xffff)) { + dev_err(host->parent, + "device tree specified broken value for DSR: 0x%x, ignoring\n", diff --git a/queue-4.9/mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch b/queue-4.9/mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch new file mode 100644 index 00000000000..c9a61c4d47b --- /dev/null +++ b/queue-4.9/mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch @@ -0,0 +1,83 @@ +From 852ff5fea9eb6a9799f1881d6df2cd69a9e6eed5 Mon Sep 17 00:00:00 2001 +From: David Woods +Date: Fri, 26 May 2017 17:53:20 -0400 +Subject: mmc: dw_mmc: Use device_property_read instead of of_property_read + +From: David Woods + +commit 852ff5fea9eb6a9799f1881d6df2cd69a9e6eed5 upstream. + +Using the device_property interfaces allows the dw_mmc driver to work +on platforms which run on either device tree or ACPI. + +Signed-off-by: David Woods +Reviewed-by: Chris Metcalf +Acked-by: Jaehoon Chung +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/dw_mmc.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -2610,8 +2610,8 @@ static int dw_mci_init_slot(struct dw_mc + host->slot[id] = slot; + + mmc->ops = &dw_mci_ops; +- if (of_property_read_u32_array(host->dev->of_node, +- "clock-freq-min-max", freq, 2)) { ++ if (device_property_read_u32_array(host->dev, "clock-freq-min-max", ++ freq, 2)) { + mmc->f_min = DW_MCI_FREQ_MIN; + mmc->f_max = DW_MCI_FREQ_MAX; + } else { +@@ -2709,7 +2709,6 @@ static void dw_mci_init_dma(struct dw_mc + { + int addr_config; + struct device *dev = host->dev; +- struct device_node *np = dev->of_node; + + /* + * Check tansfer mode from HCON[17:16] +@@ -2770,8 +2769,9 @@ static void dw_mci_init_dma(struct dw_mc + dev_info(host->dev, "Using internal DMA controller.\n"); + } else { + /* TRANS_MODE_EDMAC: check dma bindings again */ +- if ((of_property_count_strings(np, "dma-names") < 0) || +- (!of_find_property(np, "dmas", NULL))) { ++ if ((device_property_read_string_array(dev, "dma-names", ++ NULL, 0) < 0) || ++ !device_property_present(dev, "dmas")) { + goto no_dma; + } + host->dma_ops = &dw_mci_edmac_ops; +@@ -2931,7 +2931,6 @@ static struct dw_mci_board *dw_mci_parse + { + struct dw_mci_board *pdata; + struct device *dev = host->dev; +- struct device_node *np = dev->of_node; + const struct dw_mci_drv_data *drv_data = host->drv_data; + int ret; + u32 clock_frequency; +@@ -2948,15 +2947,15 @@ static struct dw_mci_board *dw_mci_parse + } + + /* find out number of slots supported */ +- of_property_read_u32(np, "num-slots", &pdata->num_slots); ++ device_property_read_u32(np, "num-slots", &pdata->num_slots); + +- if (of_property_read_u32(np, "fifo-depth", &pdata->fifo_depth)) ++ if (device_property_read_u32(np, "fifo-depth", &pdata->fifo_depth)) + dev_info(dev, + "fifo-depth property not found, using value of FIFOTH register as default\n"); + +- of_property_read_u32(np, "card-detect-delay", &pdata->detect_delay_ms); ++ device_property_read_u32(np, "card-detect-delay", &pdata->detect_delay_ms); + +- if (!of_property_read_u32(np, "clock-frequency", &clock_frequency)) ++ if (!device_property_read_u32(np, "clock-frequency", &clock_frequency)) + pdata->bus_hz = clock_frequency; + + if (drv_data && drv_data->parse_dt) { diff --git a/queue-4.9/mmc-sdhci-of-at91-force-card-detect-value-for-non-removable-devices.patch b/queue-4.9/mmc-sdhci-of-at91-force-card-detect-value-for-non-removable-devices.patch new file mode 100644 index 00000000000..f96a70af424 --- /dev/null +++ b/queue-4.9/mmc-sdhci-of-at91-force-card-detect-value-for-non-removable-devices.patch @@ -0,0 +1,92 @@ +From 7a1e3f143176e8ebdb2f5a9b3b47abc18b879d90 Mon Sep 17 00:00:00 2001 +From: Ludovic Desroches +Date: Wed, 26 Jul 2017 16:02:46 +0200 +Subject: mmc: sdhci-of-at91: force card detect value for non removable devices + +From: Ludovic Desroches + +commit 7a1e3f143176e8ebdb2f5a9b3b47abc18b879d90 upstream. + +When the device is non removable, the card detect signal is often used +for another purpose i.e. muxed to another SoC peripheral or used as a +GPIO. It could lead to wrong behaviors depending the default value of +this signal if not muxed to the SDHCI controller. + +Fixes: bb5f8ea4d514 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC") +Signed-off-by: Ludovic Desroches +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-of-at91.c | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-of-at91.c ++++ b/drivers/mmc/host/sdhci-of-at91.c +@@ -31,6 +31,7 @@ + + #define SDMMC_MC1R 0x204 + #define SDMMC_MC1R_DDR BIT(3) ++#define SDMMC_MC1R_FCD BIT(7) + #define SDMMC_CACR 0x230 + #define SDMMC_CACR_CAPWREN BIT(0) + #define SDMMC_CACR_KEY (0x46 << 8) +@@ -43,6 +44,15 @@ struct sdhci_at91_priv { + struct clk *mainck; + }; + ++static void sdhci_at91_set_force_card_detect(struct sdhci_host *host) ++{ ++ u8 mc1r; ++ ++ mc1r = readb(host->ioaddr + SDMMC_MC1R); ++ mc1r |= SDMMC_MC1R_FCD; ++ writeb(mc1r, host->ioaddr + SDMMC_MC1R); ++} ++ + static void sdhci_at91_set_clock(struct sdhci_host *host, unsigned int clock) + { + u16 clk; +@@ -112,10 +122,18 @@ void sdhci_at91_set_uhs_signaling(struct + sdhci_set_uhs_signaling(host, timing); + } + ++static void sdhci_at91_reset(struct sdhci_host *host, u8 mask) ++{ ++ sdhci_reset(host, mask); ++ ++ if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ sdhci_at91_set_force_card_detect(host); ++} ++ + static const struct sdhci_ops sdhci_at91_sama5d2_ops = { + .set_clock = sdhci_at91_set_clock, + .set_bus_width = sdhci_set_bus_width, +- .reset = sdhci_reset, ++ .reset = sdhci_at91_reset, + .set_uhs_signaling = sdhci_at91_set_uhs_signaling, + .set_power = sdhci_at91_set_power, + }; +@@ -322,6 +340,21 @@ static int sdhci_at91_probe(struct platf + host->quirks &= ~SDHCI_QUIRK_BROKEN_CARD_DETECTION; + } + ++ /* ++ * If the device attached to the MMC bus is not removable, it is safer ++ * to set the Force Card Detect bit. People often don't connect the ++ * card detect signal and use this pin for another purpose. If the card ++ * detect pin is not muxed to SDHCI controller, a default value is ++ * used. This value can be different from a SoC revision to another ++ * one. Problems come when this default value is not card present. To ++ * avoid this case, if the device is non removable then the card ++ * detection procedure using the SDMCC_CD signal is bypassed. ++ * This bit is reset when a software reset for all command is performed ++ * so we need to implement our own reset function to set back this bit. ++ */ ++ if (host->mmc->caps & MMC_CAP_NONREMOVABLE) ++ sdhci_at91_set_force_card_detect(host); ++ + pm_runtime_put_autosuspend(&pdev->dev); + + return 0; diff --git a/queue-4.9/nfsv4-fix-exchange_id-corrupt-verifier-issue.patch b/queue-4.9/nfsv4-fix-exchange_id-corrupt-verifier-issue.patch new file mode 100644 index 00000000000..0e3db298378 --- /dev/null +++ b/queue-4.9/nfsv4-fix-exchange_id-corrupt-verifier-issue.patch @@ -0,0 +1,88 @@ +From fd40559c8657418385e42f797e0b04bfc0add748 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 1 Aug 2017 16:02:47 -0400 +Subject: NFSv4: Fix EXCHANGE_ID corrupt verifier issue + +From: Trond Myklebust + +commit fd40559c8657418385e42f797e0b04bfc0add748 upstream. + +The verifier is allocated on the stack, but the EXCHANGE_ID RPC call was +changed to be asynchronous by commit 8d89bd70bc939. If we interrrupt +the call to rpc_wait_for_completion_task(), we can therefore end up +transmitting random stack contents in lieu of the verifier. + +Fixes: 8d89bd70bc939 ("NFS setup async exchange_id") +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4proc.c | 11 ++++------- + fs/nfs/nfs4xdr.c | 2 +- + include/linux/nfs_xdr.h | 2 +- + 3 files changed, 6 insertions(+), 9 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -7410,7 +7410,7 @@ static void nfs4_exchange_id_done(struct + cdata->res.server_scope = NULL; + } + /* Save the EXCHANGE_ID verifier session trunk tests */ +- memcpy(clp->cl_confirm.data, cdata->args.verifier->data, ++ memcpy(clp->cl_confirm.data, cdata->args.verifier.data, + sizeof(clp->cl_confirm.data)); + } + out: +@@ -7447,7 +7447,6 @@ static const struct rpc_call_ops nfs4_ex + static int _nfs4_proc_exchange_id(struct nfs_client *clp, struct rpc_cred *cred, + u32 sp4_how, struct rpc_xprt *xprt) + { +- nfs4_verifier verifier; + struct rpc_message msg = { + .rpc_proc = &nfs4_procedures[NFSPROC4_CLNT_EXCHANGE_ID], + .rpc_cred = cred, +@@ -7470,8 +7469,7 @@ static int _nfs4_proc_exchange_id(struct + if (!calldata) + goto out; + +- if (!xprt) +- nfs4_init_boot_verifier(clp, &verifier); ++ nfs4_init_boot_verifier(clp, &calldata->args.verifier); + + status = nfs4_init_uniform_client_string(clp); + if (status) +@@ -7516,9 +7514,8 @@ static int _nfs4_proc_exchange_id(struct + task_setup_data.rpc_xprt = xprt; + task_setup_data.flags = + RPC_TASK_SOFT|RPC_TASK_SOFTCONN|RPC_TASK_ASYNC; +- calldata->args.verifier = &clp->cl_confirm; +- } else { +- calldata->args.verifier = &verifier; ++ memcpy(calldata->args.verifier.data, clp->cl_confirm.data, ++ sizeof(calldata->args.verifier.data)); + } + calldata->args.client = clp; + #ifdef CONFIG_NFS_V4_1_MIGRATION +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -1761,7 +1761,7 @@ static void encode_exchange_id(struct xd + int len = 0; + + encode_op_hdr(xdr, OP_EXCHANGE_ID, decode_exchange_id_maxsz, hdr); +- encode_nfs4_verifier(xdr, args->verifier); ++ encode_nfs4_verifier(xdr, &args->verifier); + + encode_string(xdr, strlen(args->client->cl_owner_id), + args->client->cl_owner_id); +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -1199,7 +1199,7 @@ struct nfs41_state_protection { + + struct nfs41_exchange_id_args { + struct nfs_client *client; +- nfs4_verifier *verifier; ++ nfs4_verifier verifier; + u32 flags; + struct nfs41_state_protection state_protect; + }; diff --git a/queue-4.9/parisc-handle-vma-s-whose-context-is-not-current-in-flush_cache_range.patch b/queue-4.9/parisc-handle-vma-s-whose-context-is-not-current-in-flush_cache_range.patch new file mode 100644 index 00000000000..a71c490de44 --- /dev/null +++ b/queue-4.9/parisc-handle-vma-s-whose-context-is-not-current-in-flush_cache_range.patch @@ -0,0 +1,75 @@ +From 13d57093c141db2036364d6be35e394fc5b64728 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Sun, 30 Jul 2017 16:20:19 -0400 +Subject: parisc: Handle vma's whose context is not current in flush_cache_range + +From: John David Anglin + +commit 13d57093c141db2036364d6be35e394fc5b64728 upstream. + +In testing James' patch to drivers/parisc/pdc_stable.c, I hit the BUG +statement in flush_cache_range() during a system shutdown: + +kernel BUG at arch/parisc/kernel/cache.c:595! +CPU: 2 PID: 6532 Comm: kworker/2:0 Not tainted 4.13.0-rc2+ #1 +Workqueue: events free_ioctx + + IAOQ[0]: flush_cache_range+0x144/0x148 + IAOQ[1]: flush_cache_page+0x0/0x1a8 + RP(r2): flush_cache_range+0xec/0x148 +Backtrace: + [<00000000402910ac>] unmap_page_range+0x84/0x880 + [<00000000402918f4>] unmap_single_vma+0x4c/0x60 + [<0000000040291a18>] zap_page_range_single+0x110/0x160 + [<0000000040291c34>] unmap_mapping_range+0x174/0x1a8 + [<000000004026ccd8>] truncate_pagecache+0x50/0xa8 + [<000000004026cd84>] truncate_setsize+0x54/0x70 + [<000000004033d534>] put_aio_ring_file+0x44/0xb0 + [<000000004033d5d8>] aio_free_ring+0x38/0x140 + [<000000004033d714>] free_ioctx+0x34/0xa8 + [<00000000401b0028>] process_one_work+0x1b8/0x4d0 + [<00000000401b04f4>] worker_thread+0x1b4/0x648 + [<00000000401b9128>] kthread+0x1b0/0x208 + [<0000000040150020>] end_fault_vector+0x20/0x28 + [<0000000040639518>] nf_ip_reroute+0x50/0xa8 + [<0000000040638ed0>] nf_ip_route+0x10/0x78 + [<0000000040638c90>] xfrm4_mode_tunnel_input+0x180/0x1f8 + +CPU: 2 PID: 6532 Comm: kworker/2:0 Not tainted 4.13.0-rc2+ #1 +Workqueue: events free_ioctx +Backtrace: + [<0000000040163bf0>] show_stack+0x20/0x38 + [<0000000040688480>] dump_stack+0xa8/0x120 + [<0000000040163dc4>] die_if_kernel+0x19c/0x2b0 + [<0000000040164d0c>] handle_interruption+0xa24/0xa48 + +This patch modifies flush_cache_range() to handle non current contexts. +In as much as this occurs infrequently, the simplest approach is to +flush the entire cache when this happens. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/cache.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/parisc/kernel/cache.c ++++ b/arch/parisc/kernel/cache.c +@@ -604,13 +604,12 @@ void flush_cache_range(struct vm_area_st + if (parisc_requires_coherency()) + flush_tlb_range(vma, start, end); + +- if ((end - start) >= parisc_cache_flush_threshold) { ++ if ((end - start) >= parisc_cache_flush_threshold ++ || vma->vm_mm->context != mfsp(3)) { + flush_cache_all(); + return; + } + +- BUG_ON(vma->vm_mm->context != mfsp(3)); +- + flush_user_dcache_range_asm(start, end); + if (vma->vm_flags & VM_EXEC) + flush_user_icache_range_asm(start, end); diff --git a/queue-4.9/series b/queue-4.9/series index 350f1f21e30..5b7c32b405d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -12,3 +12,8 @@ mmc-core-use-device_property_read-instead-of-of_property_read.patch mmc-dw_mmc-use-device_property_read-instead-of-of_property_read.patch mmc-core-fix-access-to-hs400-es-devices.patch mm-mprotect-flush-tlb-if-potentially-racing-with-a-parallel-reclaim-leaving-stale-tlb-entries.patch +cpuset-fix-a-deadlock-due-to-incomplete-patching-of-cpusets_enabled.patch +alsa-hda-fix-speaker-output-from-vaio-vpcl14m1r.patch +drm-amdgpu-fix-undue-fallthroughs-in-golden-registers-initialization.patch +asoc-do-not-close-shared-backend-dailink.patch +kvm-async_pf-make-rcu-irq-exit-if-not-triggered-from-idle-task.patch diff --git a/queue-4.9/workqueue-restore-wq_unbound-max_active-1-to-be-ordered.patch b/queue-4.9/workqueue-restore-wq_unbound-max_active-1-to-be-ordered.patch new file mode 100644 index 00000000000..b60c8779e78 --- /dev/null +++ b/queue-4.9/workqueue-restore-wq_unbound-max_active-1-to-be-ordered.patch @@ -0,0 +1,53 @@ +From 5c0338c68706be53b3dc472e4308961c36e4ece1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 18 Jul 2017 18:41:52 -0400 +Subject: workqueue: restore WQ_UNBOUND/max_active==1 to be ordered + +From: Tejun Heo + +commit 5c0338c68706be53b3dc472e4308961c36e4ece1 upstream. + +The combination of WQ_UNBOUND and max_active == 1 used to imply +ordered execution. After NUMA affinity 4c16bd327c74 ("workqueue: +implement NUMA affinity for unbound workqueues"), this is no longer +true due to per-node worker pools. + +While the right way to create an ordered workqueue is +alloc_ordered_workqueue(), the documentation has been misleading for a +long time and people do use WQ_UNBOUND and max_active == 1 for ordered +workqueues which can lead to subtle bugs which are very difficult to +trigger. + +It's unlikely that we'd see noticeable performance impact by enforcing +ordering on WQ_UNBOUND / max_active == 1 workqueues. Let's +automatically set __WQ_ORDERED for those workqueues. + +Signed-off-by: Tejun Heo +Reported-by: Christoph Hellwig +Reported-by: Alexei Potashnik +Fixes: 4c16bd327c74 ("workqueue: implement NUMA affinity for unbound workqueues") +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/workqueue.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -3915,6 +3915,16 @@ struct workqueue_struct *__alloc_workque + struct workqueue_struct *wq; + struct pool_workqueue *pwq; + ++ /* ++ * Unbound && max_active == 1 used to imply ordered, which is no ++ * longer the case on NUMA machines due to per-node pools. While ++ * alloc_ordered_workqueue() is the right way to create an ordered ++ * workqueue, keep the previous behavior to avoid subtle breakages ++ * on NUMA. ++ */ ++ if ((flags & WQ_UNBOUND) && max_active == 1) ++ flags |= __WQ_ORDERED; ++ + /* see the comment above the definition of WQ_POWER_EFFICIENT */ + if ((flags & WQ_POWER_EFFICIENT) && wq_power_efficient) + flags |= WQ_UNBOUND; -- 2.47.3