From: Greg Kroah-Hartman Date: Mon, 12 Jun 2017 13:33:46 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.57~10 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3126d7c2d75229c6e4d5ba9e16d0fcf1e12e6ad3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch --- diff --git a/queue-4.11/audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch b/queue-4.11/audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch new file mode 100644 index 00000000000..3c0ff62bbb9 --- /dev/null +++ b/queue-4.11/audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch @@ -0,0 +1,336 @@ +From 48d0e023af9799cd7220335baf8e3ba61eeafbeb Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 2 May 2017 10:16:05 -0400 +Subject: audit: fix the RCU locking for the auditd_connection structure + +From: Paul Moore + +commit 48d0e023af9799cd7220335baf8e3ba61eeafbeb upstream. + +Cong Wang correctly pointed out that the RCU read locking of the +auditd_connection struct was wrong, this patch correct this by +adopting a more traditional, and correct RCU locking model. + +This patch is heavily based on an earlier prototype by Cong Wang. + +Reported-by: Cong Wang +Signed-off-by: Cong Wang +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + + +--- + kernel/audit.c | 167 +++++++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 115 insertions(+), 52 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -110,18 +110,19 @@ struct audit_net { + * @pid: auditd PID + * @portid: netlink portid + * @net: the associated network namespace +- * @lock: spinlock to protect write access ++ * @rcu: RCU head + * + * Description: + * This struct is RCU protected; you must either hold the RCU lock for reading +- * or the included spinlock for writing. ++ * or the associated spinlock for writing. + */ + static struct auditd_connection { + int pid; + u32 portid; + struct net *net; +- spinlock_t lock; +-} auditd_conn; ++ struct rcu_head rcu; ++} *auditd_conn = NULL; ++static DEFINE_SPINLOCK(auditd_conn_lock); + + /* If audit_rate_limit is non-zero, limit the rate of sending audit records + * to that number per second. This prevents DoS attacks, but results in +@@ -223,15 +224,39 @@ struct audit_reply { + int auditd_test_task(const struct task_struct *task) + { + int rc; ++ struct auditd_connection *ac; + + rcu_read_lock(); +- rc = (auditd_conn.pid && task->tgid == auditd_conn.pid ? 1 : 0); ++ ac = rcu_dereference(auditd_conn); ++ rc = (ac && ac->pid == task->tgid ? 1 : 0); + rcu_read_unlock(); + + return rc; + } + + /** ++ * auditd_pid_vnr - Return the auditd PID relative to the namespace ++ * ++ * Description: ++ * Returns the PID in relation to the namespace, 0 on failure. ++ */ ++static pid_t auditd_pid_vnr(void) ++{ ++ pid_t pid; ++ const struct auditd_connection *ac; ++ ++ rcu_read_lock(); ++ ac = rcu_dereference(auditd_conn); ++ if (!ac) ++ pid = 0; ++ else ++ pid = ac->pid; ++ rcu_read_unlock(); ++ ++ return pid; ++} ++ ++/** + * audit_get_sk - Return the audit socket for the given network namespace + * @net: the destination network namespace + * +@@ -427,6 +452,23 @@ static int audit_set_failure(u32 state) + } + + /** ++ * auditd_conn_free - RCU helper to release an auditd connection struct ++ * @rcu: RCU head ++ * ++ * Description: ++ * Drop any references inside the auditd connection tracking struct and free ++ * the memory. ++ */ ++static void auditd_conn_free(struct rcu_head *rcu) ++{ ++ struct auditd_connection *ac; ++ ++ ac = container_of(rcu, struct auditd_connection, rcu); ++ put_net(ac->net); ++ kfree(ac); ++} ++ ++/** + * auditd_set - Set/Reset the auditd connection state + * @pid: auditd PID + * @portid: auditd netlink portid +@@ -434,22 +476,33 @@ static int audit_set_failure(u32 state) + * + * Description: + * This function will obtain and drop network namespace references as +- * necessary. ++ * necessary. Returns zero on success, negative values on failure. + */ +-static void auditd_set(int pid, u32 portid, struct net *net) ++static int auditd_set(int pid, u32 portid, struct net *net) + { + unsigned long flags; ++ struct auditd_connection *ac_old, *ac_new; + +- spin_lock_irqsave(&auditd_conn.lock, flags); +- auditd_conn.pid = pid; +- auditd_conn.portid = portid; +- if (auditd_conn.net) +- put_net(auditd_conn.net); +- if (net) +- auditd_conn.net = get_net(net); +- else +- auditd_conn.net = NULL; +- spin_unlock_irqrestore(&auditd_conn.lock, flags); ++ if (!pid || !net) ++ return -EINVAL; ++ ++ ac_new = kzalloc(sizeof(*ac_new), GFP_KERNEL); ++ if (!ac_new) ++ return -ENOMEM; ++ ac_new->pid = pid; ++ ac_new->portid = portid; ++ ac_new->net = get_net(net); ++ ++ spin_lock_irqsave(&auditd_conn_lock, flags); ++ ac_old = rcu_dereference_protected(auditd_conn, ++ lockdep_is_held(&auditd_conn_lock)); ++ rcu_assign_pointer(auditd_conn, ac_new); ++ spin_unlock_irqrestore(&auditd_conn_lock, flags); ++ ++ if (ac_old) ++ call_rcu(&ac_old->rcu, auditd_conn_free); ++ ++ return 0; + } + + /** +@@ -544,13 +597,19 @@ static void kauditd_retry_skb(struct sk_ + */ + static void auditd_reset(void) + { ++ unsigned long flags; + struct sk_buff *skb; ++ struct auditd_connection *ac_old; + + /* if it isn't already broken, break the connection */ +- rcu_read_lock(); +- if (auditd_conn.pid) +- auditd_set(0, 0, NULL); +- rcu_read_unlock(); ++ spin_lock_irqsave(&auditd_conn_lock, flags); ++ ac_old = rcu_dereference_protected(auditd_conn, ++ lockdep_is_held(&auditd_conn_lock)); ++ rcu_assign_pointer(auditd_conn, NULL); ++ spin_unlock_irqrestore(&auditd_conn_lock, flags); ++ ++ if (ac_old) ++ call_rcu(&ac_old->rcu, auditd_conn_free); + + /* flush all of the main and retry queues to the hold queue */ + while ((skb = skb_dequeue(&audit_retry_queue))) +@@ -576,6 +635,7 @@ static int auditd_send_unicast_skb(struc + u32 portid; + struct net *net; + struct sock *sk; ++ struct auditd_connection *ac; + + /* NOTE: we can't call netlink_unicast while in the RCU section so + * take a reference to the network namespace and grab local +@@ -585,15 +645,15 @@ static int auditd_send_unicast_skb(struc + * section netlink_unicast() should safely return an error */ + + rcu_read_lock(); +- if (!auditd_conn.pid) { ++ ac = rcu_dereference(auditd_conn); ++ if (!ac) { + rcu_read_unlock(); + rc = -ECONNREFUSED; + goto err; + } +- net = auditd_conn.net; +- get_net(net); ++ net = get_net(ac->net); + sk = audit_get_sk(net); +- portid = auditd_conn.portid; ++ portid = ac->portid; + rcu_read_unlock(); + + rc = netlink_unicast(sk, skb, portid, 0); +@@ -728,6 +788,7 @@ static int kauditd_thread(void *dummy) + u32 portid = 0; + struct net *net = NULL; + struct sock *sk = NULL; ++ struct auditd_connection *ac; + + #define UNICAST_RETRIES 5 + +@@ -735,14 +796,14 @@ static int kauditd_thread(void *dummy) + while (!kthread_should_stop()) { + /* NOTE: see the lock comments in auditd_send_unicast_skb() */ + rcu_read_lock(); +- if (!auditd_conn.pid) { ++ ac = rcu_dereference(auditd_conn); ++ if (!ac) { + rcu_read_unlock(); + goto main_queue; + } +- net = auditd_conn.net; +- get_net(net); ++ net = get_net(ac->net); + sk = audit_get_sk(net); +- portid = auditd_conn.portid; ++ portid = ac->portid; + rcu_read_unlock(); + + /* attempt to flush the hold queue */ +@@ -1102,9 +1163,7 @@ static int audit_receive_msg(struct sk_b + memset(&s, 0, sizeof(s)); + s.enabled = audit_enabled; + s.failure = audit_failure; +- rcu_read_lock(); +- s.pid = auditd_conn.pid; +- rcu_read_unlock(); ++ s.pid = auditd_pid_vnr(); + s.rate_limit = audit_rate_limit; + s.backlog_limit = audit_backlog_limit; + s.lost = atomic_read(&audit_lost); +@@ -1143,38 +1202,44 @@ static int audit_receive_msg(struct sk_b + /* test the auditd connection */ + audit_replace(requesting_pid); + +- rcu_read_lock(); +- auditd_pid = auditd_conn.pid; ++ auditd_pid = auditd_pid_vnr(); + /* only the current auditd can unregister itself */ + if ((!new_pid) && (requesting_pid != auditd_pid)) { +- rcu_read_unlock(); + audit_log_config_change("audit_pid", new_pid, + auditd_pid, 0); + return -EACCES; + } + /* replacing a healthy auditd is not allowed */ + if (auditd_pid && new_pid) { +- rcu_read_unlock(); + audit_log_config_change("audit_pid", new_pid, + auditd_pid, 0); + return -EEXIST; + } +- rcu_read_unlock(); +- +- if (audit_enabled != AUDIT_OFF) +- audit_log_config_change("audit_pid", new_pid, +- auditd_pid, 1); + + if (new_pid) { + /* register a new auditd connection */ +- auditd_set(new_pid, +- NETLINK_CB(skb).portid, +- sock_net(NETLINK_CB(skb).sk)); ++ err = auditd_set(new_pid, ++ NETLINK_CB(skb).portid, ++ sock_net(NETLINK_CB(skb).sk)); ++ if (audit_enabled != AUDIT_OFF) ++ audit_log_config_change("audit_pid", ++ new_pid, ++ auditd_pid, ++ err ? 0 : 1); ++ if (err) ++ return err; ++ + /* try to process any backlog */ + wake_up_interruptible(&kauditd_wait); +- } else ++ } else { ++ if (audit_enabled != AUDIT_OFF) ++ audit_log_config_change("audit_pid", ++ new_pid, ++ auditd_pid, 1); ++ + /* unregister the auditd connection */ + auditd_reset(); ++ } + } + if (s.mask & AUDIT_STATUS_RATE_LIMIT) { + err = audit_set_rate_limit(s.rate_limit); +@@ -1447,10 +1512,11 @@ static void __net_exit audit_net_exit(st + { + struct audit_net *aunet = net_generic(net, audit_net_id); + +- rcu_read_lock(); +- if (net == auditd_conn.net) +- auditd_reset(); +- rcu_read_unlock(); ++ /* NOTE: you would think that we would want to check the auditd ++ * connection and potentially reset it here if it lives in this ++ * namespace, but since the auditd connection tracking struct holds a ++ * reference to this namespace (see auditd_set()) we are only ever ++ * going to get here after that connection has been released */ + + netlink_kernel_release(aunet->sk); + } +@@ -1470,9 +1536,6 @@ static int __init audit_init(void) + if (audit_initialized == AUDIT_DISABLED) + return 0; + +- memset(&auditd_conn, 0, sizeof(auditd_conn)); +- spin_lock_init(&auditd_conn.lock); +- + skb_queue_head_init(&audit_queue); + skb_queue_head_init(&audit_retry_queue); + skb_queue_head_init(&audit_hold_queue); diff --git a/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch b/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch deleted file mode 100644 index 0e757a98f25..00000000000 --- a/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch +++ /dev/null @@ -1,201 +0,0 @@ -From d86b18a06cf361e12ccdf61ae240d432182d8d6b Mon Sep 17 00:00:00 2001 -From: Jon Bloomfield -Date: Wed, 24 May 2017 08:54:11 -0700 -Subject: drm/i915: Serialize GTT/Aperture accesses on BXT - -From: Jon Bloomfield - -commit d86b18a06cf361e12ccdf61ae240d432182d8d6b upstream. - -BXT has a H/W issue with IOMMU which can lead to system hangs when -Aperture accesses are queued within the GAM behind GTT Accesses. - -This patch avoids the condition by wrapping all GTT updates in stop_machine -and using a flushing read prior to restarting the machine. - -The stop_machine guarantees no new Aperture accesses can begin while -the PTE writes are being emmitted. The flushing read ensures that -any following Aperture accesses cannot begin until the PTE writes -have been cleared out of the GAM's fifo. - -Only FOLLOWING Aperture accesses need to be separated from in flight -PTE updates. PTE Writes may follow tightly behind already in flight -Aperture accesses, so no flushing read is required at the start of -a PTE update sequence. - -This issue was reproduced by running - igt/gem_readwrite and - igt/gem_render_copy -simultaneously from different processes, each in a tight loop, -with INTEL_IOMMU enabled. - -This patch was originally published as: - drm/i915: Serialize GTT Updates on BXT - -[Note: This will cause a performance penalty for some use cases, but -avoiding hangs trumps performance hits. This may need to be worked -around in Mesa to recover the lost performance.] - -v2: Move bxt/iommu detection into static function - Remove #ifdef CONFIG_INTEL_IOMMU protection - Make function names more reflective of purpose - Move flushing read into static function - -v3: Tidy up for checkpatch.pl - -Testcase: igt/gem_concurrent_blit -Signed-off-by: Jon Bloomfield -Cc: John Harrison -Cc: Chris Wilson -Cc: Daniel Vetter -Cc: Tvrtko Ursulin -Link: http://patchwork.freedesktop.org/patch/msgid/1495641251-30022-1-git-send-email-jon.bloomfield@intel.com -Reviewed-by: Tvrtko Ursulin -Signed-off-by: Chris Wilson -(cherry picked from commit 0ef34ad6222abfa513117515fec720c33a58f105) -Signed-off-by: Jani Nikula -Signed-off-by: Greg Kroah-Hartman - ---- - drivers/gpu/drm/i915/i915_drv.h | 10 +++ - drivers/gpu/drm/i915/i915_gem_gtt.c | 103 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 113 insertions(+) - ---- a/drivers/gpu/drm/i915/i915_drv.h -+++ b/drivers/gpu/drm/i915/i915_drv.h -@@ -2916,6 +2916,16 @@ static inline bool intel_scanout_needs_v - return false; - } - -+static inline bool -+intel_ggtt_update_needs_vtd_wa(struct drm_i915_private *dev_priv) -+{ -+#ifdef CONFIG_INTEL_IOMMU -+ if (IS_BROXTON(dev_priv) && intel_iommu_gfx_mapped) -+ return true; -+#endif -+ return false; -+} -+ - int intel_sanitize_enable_ppgtt(struct drm_i915_private *dev_priv, - int enable_ppgtt); - ---- a/drivers/gpu/drm/i915/i915_gem_gtt.c -+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c -@@ -2554,6 +2554,101 @@ static void gen8_ggtt_clear_range(struct - readl(gtt_base); - } - -+static void bxt_vtd_ggtt_wa(struct i915_address_space *vm) -+{ -+ struct drm_i915_private *dev_priv = vm->i915; -+ -+ /* -+ * Make sure the internal GAM fifo has been cleared of all GTT -+ * writes before exiting stop_machine(). This guarantees that -+ * any aperture accesses waiting to start in another process -+ * cannot back up behind the GTT writes causing a hang. -+ * The register can be any arbitrary GAM register. -+ */ -+ POSTING_READ(GFX_FLSH_CNTL_GEN6); -+} -+ -+struct insert_page { -+ struct i915_address_space *vm; -+ dma_addr_t addr; -+ u64 offset; -+ enum i915_cache_level level; -+}; -+ -+static int bxt_vtd_ggtt_insert_page__cb(void *_arg) -+{ -+ struct insert_page *arg = _arg; -+ -+ gen8_ggtt_insert_page(arg->vm, arg->addr, arg->offset, arg->level, 0); -+ bxt_vtd_ggtt_wa(arg->vm); -+ -+ return 0; -+} -+ -+static void bxt_vtd_ggtt_insert_page__BKL(struct i915_address_space *vm, -+ dma_addr_t addr, -+ u64 offset, -+ enum i915_cache_level level, -+ u32 unused) -+{ -+ struct insert_page arg = { vm, addr, offset, level }; -+ -+ stop_machine(bxt_vtd_ggtt_insert_page__cb, &arg, NULL); -+} -+ -+struct insert_entries { -+ struct i915_address_space *vm; -+ struct sg_table *st; -+ u64 start; -+ enum i915_cache_level level; -+}; -+ -+static int bxt_vtd_ggtt_insert_entries__cb(void *_arg) -+{ -+ struct insert_entries *arg = _arg; -+ -+ gen8_ggtt_insert_entries(arg->vm, arg->st, arg->start, arg->level, 0); -+ bxt_vtd_ggtt_wa(arg->vm); -+ -+ return 0; -+} -+ -+static void bxt_vtd_ggtt_insert_entries__BKL(struct i915_address_space *vm, -+ struct sg_table *st, -+ u64 start, -+ enum i915_cache_level level, -+ u32 unused) -+{ -+ struct insert_entries arg = { vm, st, start, level }; -+ -+ stop_machine(bxt_vtd_ggtt_insert_entries__cb, &arg, NULL); -+} -+ -+struct clear_range { -+ struct i915_address_space *vm; -+ u64 start; -+ u64 length; -+}; -+ -+static int bxt_vtd_ggtt_clear_range__cb(void *_arg) -+{ -+ struct clear_range *arg = _arg; -+ -+ gen8_ggtt_clear_range(arg->vm, arg->start, arg->length); -+ bxt_vtd_ggtt_wa(arg->vm); -+ -+ return 0; -+} -+ -+static void bxt_vtd_ggtt_clear_range__BKL(struct i915_address_space *vm, -+ u64 start, -+ u64 length) -+{ -+ struct clear_range arg = { vm, start, length }; -+ -+ stop_machine(bxt_vtd_ggtt_clear_range__cb, &arg, NULL); -+} -+ - static void gen6_ggtt_clear_range(struct i915_address_space *vm, - uint64_t start, - uint64_t length) -@@ -3120,6 +3215,14 @@ static int gen6_gmch_probe(struct i915_g - ggtt->base.unbind_vma = ggtt_unbind_vma; - ggtt->base.cleanup = gen6_gmch_remove; - -+ /* Serialize GTT updates with aperture access on BXT if VT-d is on. */ -+ if (intel_ggtt_update_needs_vtd_wa(dev_priv)) { -+ ggtt->base.insert_entries = bxt_vtd_ggtt_insert_entries__BKL; -+ ggtt->base.insert_page = bxt_vtd_ggtt_insert_page__BKL; -+ if (ggtt->base.clear_range != nop_clear_range) -+ ggtt->base.clear_range = bxt_vtd_ggtt_clear_range__BKL; -+ } -+ - ggtt->invalidate = gen6_ggtt_invalidate; - - if (HAS_EDRAM(dev_priv)) diff --git a/queue-4.11/drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch b/queue-4.11/drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch new file mode 100644 index 00000000000..463084adb6b --- /dev/null +++ b/queue-4.11/drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch @@ -0,0 +1,124 @@ +From 665788572c6410b7efadc2e3009c5d830b6d8ef9 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Fri, 10 Mar 2017 15:27:57 +0200 +Subject: drm/i915/vbt: don't propagate errors from intel_bios_init() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit 665788572c6410b7efadc2e3009c5d830b6d8ef9 upstream. + +We don't use the error return for anything other than reporting and +logging that there is no VBT. We can pull the logging in the function, +and remove the error status return. Moreover, if we needed the +information for something later on, we'd probably be better off storing +the bit in dev_priv, and using it where it's needed, instead of using +the error return. + +While at it, improve the comments. + +Cc: Manasi Navare +Cc: Ville Syrjälä +Reviewed-by: Chris Wilson +Signed-off-by: Jani Nikula +Link: http://patchwork.freedesktop.org/patch/msgid/438ebbb0d5f0d321c625065b9cc78532a1dab24f.1489152288.git.jani.nikula@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.c | 4 +--- + drivers/gpu/drm/i915/i915_drv.h | 2 +- + drivers/gpu/drm/i915/intel_bios.c | 31 ++++++++++++++++--------------- + 3 files changed, 18 insertions(+), 19 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -565,9 +565,7 @@ static int i915_load_modeset_init(struct + if (i915_inject_load_failure()) + return -ENODEV; + +- ret = intel_bios_init(dev_priv); +- if (ret) +- DRM_INFO("failed to find VBIOS tables\n"); ++ intel_bios_init(dev_priv); + + /* If we have > 1 VGA cards, then we need to arbitrate access + * to the common VGA resources. +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -3629,7 +3629,7 @@ static inline bool intel_gmbus_is_forced + extern void intel_i2c_reset(struct drm_i915_private *dev_priv); + + /* intel_bios.c */ +-int intel_bios_init(struct drm_i915_private *dev_priv); ++void intel_bios_init(struct drm_i915_private *dev_priv); + bool intel_bios_is_valid_vbt(const void *buf, size_t size); + bool intel_bios_is_tv_present(struct drm_i915_private *dev_priv); + bool intel_bios_is_lvds_present(struct drm_i915_private *dev_priv, u8 *i2c_pin); +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -1462,36 +1462,35 @@ static const struct vbt_header *find_vbt + * intel_bios_init - find VBT and initialize settings from the BIOS + * @dev_priv: i915 device instance + * +- * Loads the Video BIOS and checks that the VBT exists. Sets scratch registers +- * to appropriate values. +- * +- * Returns 0 on success, nonzero on failure. ++ * Parse and initialize settings from the Video BIOS Tables (VBT). If the VBT ++ * was not found in ACPI OpRegion, try to find it in PCI ROM first. Also ++ * initialize some defaults if the VBT is not present at all. + */ +-int +-intel_bios_init(struct drm_i915_private *dev_priv) ++void intel_bios_init(struct drm_i915_private *dev_priv) + { + struct pci_dev *pdev = dev_priv->drm.pdev; + const struct vbt_header *vbt = dev_priv->opregion.vbt; + const struct bdb_header *bdb; + u8 __iomem *bios = NULL; + +- if (HAS_PCH_NOP(dev_priv)) +- return -ENODEV; ++ if (HAS_PCH_NOP(dev_priv)) { ++ DRM_DEBUG_KMS("Skipping VBT init due to disabled display.\n"); ++ return; ++ } + + init_vbt_defaults(dev_priv); + ++ /* If the OpRegion does not have VBT, look in PCI ROM. */ + if (!vbt) { + size_t size; + + bios = pci_map_rom(pdev, &size); + if (!bios) +- return -1; ++ goto out; + + vbt = find_vbt(bios, size); +- if (!vbt) { +- pci_unmap_rom(pdev, bios); +- return -1; +- } ++ if (!vbt) ++ goto out; + + DRM_DEBUG_KMS("Found valid VBT in PCI ROM\n"); + } +@@ -1516,10 +1515,12 @@ intel_bios_init(struct drm_i915_private + parse_mipi_sequence(dev_priv, bdb); + parse_ddi_ports(dev_priv, bdb); + ++out: ++ if (!vbt) ++ DRM_INFO("Failed to find VBIOS tables (VBT)\n"); ++ + if (bios) + pci_unmap_rom(pdev, bios); +- +- return 0; + } + + /** diff --git a/queue-4.11/drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch b/queue-4.11/drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch new file mode 100644 index 00000000000..56c46ecf1d3 --- /dev/null +++ b/queue-4.11/drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch @@ -0,0 +1,70 @@ +From bb1d132935c2f87cd261eb559759fe49d5e5dc43 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Fri, 10 Mar 2017 15:27:58 +0200 +Subject: drm/i915/vbt: split out defaults that are set when there is no VBT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jani Nikula + +commit bb1d132935c2f87cd261eb559759fe49d5e5dc43 upstream. + +The main thing are the DDI ports. If there's a VBT that says there are +no outputs, we should trust that, and not have semi-random +defaults. Unfortunately, the defaults have resulted in some Chromebooks +without VBT to rely on this behaviour, so we split out the defaults for +the missing VBT case. + +Reviewed-by: Manasi Navare +Cc: Manasi Navare +Cc: Ville Syrjälä +Signed-off-by: Jani Nikula +Link: http://patchwork.freedesktop.org/patch/msgid/95c26079ff640d43f53b944f17e9fc356b36daec.1489152288.git.jani.nikula@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_bios.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_bios.c ++++ b/drivers/gpu/drm/i915/intel_bios.c +@@ -1341,6 +1341,7 @@ parse_device_mapping(struct drm_i915_pri + return; + } + ++/* Common defaults which may be overridden by VBT. */ + static void + init_vbt_defaults(struct drm_i915_private *dev_priv) + { +@@ -1377,6 +1378,18 @@ init_vbt_defaults(struct drm_i915_privat + &dev_priv->vbt.ddi_port_info[port]; + + info->hdmi_level_shift = HDMI_LEVEL_SHIFT_UNKNOWN; ++ } ++} ++ ++/* Defaults to initialize only if there is no VBT. */ ++static void ++init_vbt_missing_defaults(struct drm_i915_private *dev_priv) ++{ ++ enum port port; ++ ++ for (port = PORT_A; port < I915_MAX_PORTS; port++) { ++ struct ddi_vbt_port_info *info = ++ &dev_priv->vbt.ddi_port_info[port]; + + info->supports_dvi = (port != PORT_A && port != PORT_E); + info->supports_hdmi = info->supports_dvi; +@@ -1516,8 +1529,10 @@ void intel_bios_init(struct drm_i915_pri + parse_ddi_ports(dev_priv, bdb); + + out: +- if (!vbt) ++ if (!vbt) { + DRM_INFO("Failed to find VBIOS tables (VBT)\n"); ++ init_vbt_missing_defaults(dev_priv); ++ } + + if (bios) + pci_unmap_rom(pdev, bios); diff --git a/queue-4.11/hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch b/queue-4.11/hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch new file mode 100644 index 00000000000..6448beb5a85 --- /dev/null +++ b/queue-4.11/hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch @@ -0,0 +1,65 @@ +From 90b4f30b6d15222a509dacf47f29efef2b22571e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 10 May 2017 16:30:12 +0200 +Subject: hwmon: (coretemp) Handle frozen hotplug state correctly + +From: Thomas Gleixner + +commit 90b4f30b6d15222a509dacf47f29efef2b22571e upstream. + +The recent conversion to the hotplug state machine missed that the original +hotplug notifiers did not execute in the frozen state, which is used on +suspend on resume. + +This does not matter on single socket machines, but on multi socket systems +this breaks when the device for a non-boot socket is removed when the last +CPU of that socket is brought offline. The device removal locks up the +machine hard w/o any debug output. + +Prevent executing the hotplug callbacks when cpuhp_tasks_frozen is true. + +Thanks to Tommi for providing debug information patiently while I failed to +spot the obvious. + +Fixes: e00ca5df37ad ("hwmon: (coretemp) Convert to hotplug state machine") +Reported-by: Tommi Rantala +Tested-by: Tommi Rantala +Signed-off-by: Thomas Gleixner +Signed-off-by: Guenter Roeck +Cc: "Chen, Yu C" +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/coretemp.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -605,6 +605,13 @@ static int coretemp_cpu_online(unsigned + struct platform_data *pdata; + + /* ++ * Don't execute this on resume as the offline callback did ++ * not get executed on suspend. ++ */ ++ if (cpuhp_tasks_frozen) ++ return 0; ++ ++ /* + * CPUID.06H.EAX[0] indicates whether the CPU has thermal + * sensors. We check this bit only, all the early CPUs + * without thermal sensors will be filtered out. +@@ -654,6 +661,13 @@ static int coretemp_cpu_offline(unsigned + struct temp_data *tdata; + int indx, target; + ++ /* ++ * Don't execute this on suspend as the device remove locks ++ * up the machine. ++ */ ++ if (cpuhp_tasks_frozen) ++ return 0; ++ + /* If the physical CPU device does not exist, just return */ + if (!pdev) + return 0; diff --git a/queue-4.11/iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch b/queue-4.11/iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch new file mode 100644 index 00000000000..9b1b7528931 --- /dev/null +++ b/queue-4.11/iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch @@ -0,0 +1,108 @@ +From a008c31c7ef9a4106dbadf21b3bcb7e89826a5d7 Mon Sep 17 00:00:00 2001 +From: Chandan Rajendra +Date: Wed, 12 Apr 2017 11:03:20 -0700 +Subject: iomap_dio_rw: Prevent reading file data beyond iomap_dio->i_size + +From: Chandan Rajendra + +commit a008c31c7ef9a4106dbadf21b3bcb7e89826a5d7 upstream. + +On a ppc64 machine executing overlayfs/019 with xfs as the lower and +upper filesystem causes the following call trace, + +WARNING: CPU: 2 PID: 8034 at /root/repos/linux/fs/iomap.c:765 .iomap_dio_actor+0xcc/0x420 +Modules linked in: +CPU: 2 PID: 8034 Comm: fsstress Tainted: G L 4.11.0-rc5-next-20170405 #100 +task: c000000631314880 task.stack: c0000003915d4000 +NIP: c00000000035a72c LR: c00000000035a6f4 CTR: c00000000035a660 +REGS: c0000003915d7570 TRAP: 0700 Tainted: G L (4.11.0-rc5-next-20170405) +MSR: 800000000282b032 + CR: 24004284 XER: 00000000 +CFAR: c0000000006f7190 SOFTE: 1 +GPR00: c00000000035a6f4 c0000003915d77f0 c0000000015a3f00 000000007c22f600 +GPR04: 000000000022d000 0000000000002600 c0000003b2d56360 c0000003915d7960 +GPR08: c0000003915d7cd0 0000000000000002 0000000000002600 c000000000521cc0 +GPR12: 0000000024004284 c00000000fd80a00 000000004b04ae64 ffffffffffffffff +GPR16: 000000001000ca70 0000000000000000 c0000003b2d56380 c00000000153d2b8 +GPR20: 0000000000000010 c0000003bc87bac8 0000000000223000 000000000022f5ff +GPR24: c0000003b2d56360 000000000000000c 0000000000002600 000000000022d000 +GPR28: 0000000000000000 c0000003915d7960 c0000003b2d56360 00000000000001ff +NIP [c00000000035a72c] .iomap_dio_actor+0xcc/0x420 +LR [c00000000035a6f4] .iomap_dio_actor+0x94/0x420 +Call Trace: +[c0000003915d77f0] [c00000000035a6f4] .iomap_dio_actor+0x94/0x420 (unreliable) +[c0000003915d78f0] [c00000000035b9f4] .iomap_apply+0xf4/0x1f0 +[c0000003915d79d0] [c00000000035c320] .iomap_dio_rw+0x230/0x420 +[c0000003915d7ae0] [c000000000512a14] .xfs_file_dio_aio_read+0x84/0x160 +[c0000003915d7b80] [c000000000512d24] .xfs_file_read_iter+0x104/0x130 +[c0000003915d7c10] [c0000000002d6234] .__vfs_read+0x114/0x1a0 +[c0000003915d7cf0] [c0000000002d7a8c] .vfs_read+0xac/0x1a0 +[c0000003915d7d90] [c0000000002d96b8] .SyS_read+0x58/0x100 +[c0000003915d7e30] [c00000000000b8e0] system_call+0x38/0xfc +Instruction dump: +78630020 7f831b78 7ffc07b4 7c7ce039 40820360 a13d0018 2f890003 419e0288 +2f890004 419e00a0 2f890001 419e02a8 <0fe00000> 3b80fffb 38210100 7f83e378 + +The above problem can also be recreated on a regular xfs filesystem +using the command, + +$ fsstress -d /mnt -l 1000 -n 1000 -p 1000 + +The reason for the call trace is, +1. When 'reserving' blocks for delayed allocation , XFS reserves more + blocks (i.e. past file's current EOF) than required. This is done + because XFS assumes that userspace might write more data and hence + 'reserving' more blocks might lead to the file's new data being + stored contiguously on disk. +2. The in-memory 'struct xfs_bmbt_irec' mapping the file's last extent would + then cover the prealloc-ed EOF blocks in addition to the regular blocks. +3. When flushing the dirty blocks to disk, we only flush data till the + file's EOF. But before writing out the dirty data, we allocate blocks + on the disk for holding the file's new data. This allocation includes + the blocks that are part of the 'prealloc EOF blocks'. +4. Later, when the last reference to the inode is being closed, XFS frees the + unused 'prealloc EOF blocks' in xfs_inactive(). + +In step 3 above, When allocating space on disk for the delayed allocation +range, the space allocator might sometimes allocate less blocks than +required. If such an allocation ends right at the current EOF of the +file, We will not be able to clear the "delayed allocation" flag for the +'prealloc EOF blocks', since we won't have dirty buffer heads associated +with that range of the file. + +In such a situation if a Direct I/O read operation is performed on file +range [X, Y] (where X < EOF and Y > EOF), we flush dirty data in the +range [X, Y] and invalidate page cache for that range (Refer to +iomap_dio_rw()). Later for performing the Direct I/O read, XFS obtains +the extent items (which are still cached in memory) for the file +range. When doing so we are not supposed to get an extent item with +IOMAP_DELALLOC flag set, since the previous "flush" operation should +have converted any delayed allocation data in the range [X, Y]. Hence we +end up hitting a WARN_ON_ONCE(1) statement in iomap_dio_actor(). + +This commit fixes the bug by preventing the read operation from going +beyond iomap_dio->i_size. + +Reported-by: Santhosh G +Signed-off-by: Chandan Rajendra +Reviewed-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Greg Kroah-Hartman + +--- + fs/iomap.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/iomap.c ++++ b/fs/iomap.c +@@ -909,6 +909,9 @@ iomap_dio_rw(struct kiocb *iocb, struct + break; + } + pos += ret; ++ ++ if (iov_iter_rw(iter) == READ && pos >= dio->i_size) ++ break; + } while ((count = iov_iter_count(iter)) > 0); + blk_finish_plug(&plug); + diff --git a/queue-4.11/series b/queue-4.11/series index 00f670a2dbb..0975b4d3f00 100644 --- a/queue-4.11/series +++ b/queue-4.11/series @@ -136,9 +136,14 @@ alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch asoc-fix-use-after-free-at-card-unregistration.patch cpu-hotplug-drop-the-device-lock-on-error.patch drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch -drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch drm-i915-fix-runtime-pm-for-lpe-audio.patch drm-i915-skl-add-missing-skl-id.patch serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch cgroup-mark-cgroup_get-with-__maybe_unused.patch +iomap_dio_rw-prevent-reading-file-data-beyond-iomap_dio-i_size.patch +tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch +hwmon-coretemp-handle-frozen-hotplug-state-correctly.patch +audit-fix-the-rcu-locking-for-the-auditd_connection-structure.patch +drm-i915-vbt-don-t-propagate-errors-from-intel_bios_init.patch +drm-i915-vbt-split-out-defaults-that-are-set-when-there-is-no-vbt.patch diff --git a/queue-4.11/tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch b/queue-4.11/tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch new file mode 100644 index 00000000000..e870626f493 --- /dev/null +++ b/queue-4.11/tracing-use-strlcpy-instead-of-strcpy-in-__trace_find_cmdline.patch @@ -0,0 +1,39 @@ +From e09e28671cda63e6308b31798b997639120e2a21 Mon Sep 17 00:00:00 2001 +From: Amey Telawane +Date: Wed, 3 May 2017 15:41:14 +0530 +Subject: tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline() + +From: Amey Telawane + +commit e09e28671cda63e6308b31798b997639120e2a21 upstream. + +Strcpy is inherently not safe, and strlcpy() should be used instead. +__trace_find_cmdline() uses strcpy() because the comms saved must have a +terminating nul character, but it doesn't hurt to add the extra protection +of using strlcpy() instead of strcpy(). + +Link: http://lkml.kernel.org/r/1493806274-13936-1-git-send-email-amit.pundir@linaro.org + +Signed-off-by: Amey Telawane +[AmitP: Cherry-picked this commit from CodeAurora kernel/msm-3.10 +https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=2161ae9a70b12cf18ac8e5952a20161ffbccb477] +Signed-off-by: Amit Pundir +[ Updated change log and removed the "- 1" from len parameter ] +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1899,7 +1899,7 @@ static void __trace_find_cmdline(int pid + + map = savedcmd->map_pid_to_cmdline[pid]; + if (map != NO_CMDLINE_MAP) +- strcpy(comm, get_saved_cmdlines(map)); ++ strlcpy(comm, get_saved_cmdlines(map), TASK_COMM_LEN); + else + strcpy(comm, "<...>"); + }