From: Greg Kroah-Hartman Date: Mon, 12 Jun 2017 12:47:36 +0000 (+0200) Subject: 4.11-stable patches X-Git-Tag: v3.18.57~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3facdbf26189722e24fba68f551c4f7ff2dfc169;p=thirdparty%2Fkernel%2Fstable-queue.git 4.11-stable patches added patches: alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch alsa-timer-fix-race-between-read-and-ioctl.patch asoc-fix-use-after-free-at-card-unregistration.patch cgroup-mark-cgroup_get-with-__maybe_unused.patch cpu-hotplug-drop-the-device-lock-on-error.patch drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch drm-i915-fix-runtime-pm-for-lpe-audio.patch drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch drm-i915-skl-add-missing-skl-id.patch drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch perf-core-drop-kernel-samples-even-though-u-is-specified.patch pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch powerpc-kernel-fix-fp-and-vector-register-restoration.patch powerpc-kernel-initialize-load_tm-on-task-creation.patch powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch --- diff --git a/queue-4.11/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch b/queue-4.11/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch new file mode 100644 index 00000000000..f6aae5cc4f2 --- /dev/null +++ b/queue-4.11/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch @@ -0,0 +1,55 @@ +From ba3021b2c79b2fa9114f92790a99deb27a65b728 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 2 Jun 2017 17:26:56 +0200 +Subject: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT + +From: Takashi Iwai + +commit ba3021b2c79b2fa9114f92790a99deb27a65b728 upstream. + +snd_timer_user_tselect() reallocates the queue buffer dynamically, but +it forgot to reset its indices. Since the read may happen +concurrently with ioctl and snd_timer_user_tselect() allocates the +buffer via kmalloc(), this may lead to the leak of uninitialized +kernel-space data, as spotted via KMSAN: + + BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10 + CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x143/0x1b0 lib/dump_stack.c:52 + kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007 + kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086 + copy_to_user ./arch/x86/include/asm/uaccess.h:725 + snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004 + do_loop_readv_writev fs/read_write.c:716 + __do_readv_writev+0x94c/0x1380 fs/read_write.c:864 + do_readv_writev fs/read_write.c:894 + vfs_readv fs/read_write.c:908 + do_readv+0x52a/0x5d0 fs/read_write.c:934 + SYSC_readv+0xb6/0xd0 fs/read_write.c:1021 + SyS_readv+0x87/0xb0 fs/read_write.c:1018 + +This patch adds the missing reset of queue indices. Together with the +previous fix for the ioctl/read race, we cover the whole problem. + +Reported-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1623,6 +1623,7 @@ static int snd_timer_user_tselect(struct + if (err < 0) + goto __err; + ++ tu->qhead = tu->qtail = tu->qused = 0; + kfree(tu->queue); + tu->queue = NULL; + kfree(tu->tqueue); diff --git a/queue-4.11/alsa-timer-fix-race-between-read-and-ioctl.patch b/queue-4.11/alsa-timer-fix-race-between-read-and-ioctl.patch new file mode 100644 index 00000000000..5c15c4f1cee --- /dev/null +++ b/queue-4.11/alsa-timer-fix-race-between-read-and-ioctl.patch @@ -0,0 +1,73 @@ +From d11662f4f798b50d8c8743f433842c3e40fe3378 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 2 Jun 2017 15:03:38 +0200 +Subject: ALSA: timer: Fix race between read and ioctl + +From: Takashi Iwai + +commit d11662f4f798b50d8c8743f433842c3e40fe3378 upstream. + +The read from ALSA timer device, the function snd_timer_user_tread(), +may access to an uninitialized struct snd_timer_user fields when the +read is concurrently performed while the ioctl like +snd_timer_user_tselect() is invoked. We have already fixed the races +among ioctls via a mutex, but we seem to have forgotten the race +between read vs ioctl. + +This patch simply applies (more exactly extends the already applied +range of) tu->ioctl_lock in snd_timer_user_tread() for closing the +race window. + +Reported-by: Alexander Potapenko +Tested-by: Alexander Potapenko +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/timer.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -1964,6 +1964,7 @@ static ssize_t snd_timer_user_read(struc + + tu = file->private_data; + unit = tu->tread ? sizeof(struct snd_timer_tread) : sizeof(struct snd_timer_read); ++ mutex_lock(&tu->ioctl_lock); + spin_lock_irq(&tu->qlock); + while ((long)count - result >= unit) { + while (!tu->qused) { +@@ -1979,7 +1980,9 @@ static ssize_t snd_timer_user_read(struc + add_wait_queue(&tu->qchange_sleep, &wait); + + spin_unlock_irq(&tu->qlock); ++ mutex_unlock(&tu->ioctl_lock); + schedule(); ++ mutex_lock(&tu->ioctl_lock); + spin_lock_irq(&tu->qlock); + + remove_wait_queue(&tu->qchange_sleep, &wait); +@@ -1999,7 +2002,6 @@ static ssize_t snd_timer_user_read(struc + tu->qused--; + spin_unlock_irq(&tu->qlock); + +- mutex_lock(&tu->ioctl_lock); + if (tu->tread) { + if (copy_to_user(buffer, &tu->tqueue[qhead], + sizeof(struct snd_timer_tread))) +@@ -2009,7 +2011,6 @@ static ssize_t snd_timer_user_read(struc + sizeof(struct snd_timer_read))) + err = -EFAULT; + } +- mutex_unlock(&tu->ioctl_lock); + + spin_lock_irq(&tu->qlock); + if (err < 0) +@@ -2019,6 +2020,7 @@ static ssize_t snd_timer_user_read(struc + } + _error: + spin_unlock_irq(&tu->qlock); ++ mutex_unlock(&tu->ioctl_lock); + return result > 0 ? result : err; + } + diff --git a/queue-4.11/asoc-fix-use-after-free-at-card-unregistration.patch b/queue-4.11/asoc-fix-use-after-free-at-card-unregistration.patch new file mode 100644 index 00000000000..03289bb61e7 --- /dev/null +++ b/queue-4.11/asoc-fix-use-after-free-at-card-unregistration.patch @@ -0,0 +1,51 @@ +From 4efda5f2130da033aeedc5b3205569893b910de2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 24 May 2017 10:19:45 +0200 +Subject: ASoC: Fix use-after-free at card unregistration + +From: Takashi Iwai + +commit 4efda5f2130da033aeedc5b3205569893b910de2 upstream. + +soc_cleanup_card_resources() call snd_card_free() at the last of its +procedure. This turned out to lead to a use-after-free. +PCM runtimes have been already removed via soc_remove_pcm_runtimes(), +while it's dereferenced later in soc_pcm_free() called via +snd_card_free(). + +The fix is simple: just move the snd_card_free() call to the beginning +of the whole procedure. This also gives another benefit: it +guarantees that all operations have been shut down before actually +releasing the resources, which was racy until now. + +Reported-and-tested-by: Robert Jarzmik +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-core.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-core.c ++++ b/sound/soc/soc-core.c +@@ -2286,6 +2286,9 @@ static int soc_cleanup_card_resources(st + list_for_each_entry(rtd, &card->rtd_list, list) + flush_delayed_work(&rtd->delayed_work); + ++ /* free the ALSA card at first; this syncs with pending operations */ ++ snd_card_free(card->snd_card); ++ + /* remove and free each DAI */ + soc_remove_dai_links(card); + soc_remove_pcm_runtimes(card); +@@ -2300,9 +2303,7 @@ static int soc_cleanup_card_resources(st + if (card->remove) + card->remove(card); + +- snd_card_free(card->snd_card); + return 0; +- + } + + /* removes a socdev */ diff --git a/queue-4.11/cgroup-mark-cgroup_get-with-__maybe_unused.patch b/queue-4.11/cgroup-mark-cgroup_get-with-__maybe_unused.patch new file mode 100644 index 00000000000..5ccab80df4e --- /dev/null +++ b/queue-4.11/cgroup-mark-cgroup_get-with-__maybe_unused.patch @@ -0,0 +1,38 @@ +From 310b4816a5d8082416b4ab83e5a7b3cb92883a4d Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 1 May 2017 15:24:14 -0400 +Subject: cgroup: mark cgroup_get() with __maybe_unused + +From: Tejun Heo + +commit 310b4816a5d8082416b4ab83e5a7b3cb92883a4d upstream. + +a590b90d472f ("cgroup: fix spurious warnings on cgroup_is_dead() from +cgroup_sk_alloc()") converted most cgroup_get() usages to +cgroup_get_live() leaving cgroup_sk_alloc() the sole user of +cgroup_get(). When !CONFIG_SOCK_CGROUP_DATA, this ends up triggering +unused warning for cgroup_get(). + +Silence the warning by adding __maybe_unused to cgroup_get(). + +Reported-by: Stephen Rothwell +Link: http://lkml.kernel.org/r/20170501145340.17e8ef86@canb.auug.org.au +Signed-off-by: Tejun Heo +Cc: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -436,7 +436,7 @@ out_unlock: + return css; + } + +-static void cgroup_get(struct cgroup *cgrp) ++static void __maybe_unused cgroup_get(struct cgroup *cgrp) + { + css_get(&cgrp->self); + } diff --git a/queue-4.11/cpu-hotplug-drop-the-device-lock-on-error.patch b/queue-4.11/cpu-hotplug-drop-the-device-lock-on-error.patch new file mode 100644 index 00000000000..01972f96f79 --- /dev/null +++ b/queue-4.11/cpu-hotplug-drop-the-device-lock-on-error.patch @@ -0,0 +1,51 @@ +From 40da1b11f01e43aad1aa6cea64681b6125e8a2a7 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Fri, 2 Jun 2017 16:27:14 +0200 +Subject: cpu/hotplug: Drop the device lock on error + +From: Sebastian Andrzej Siewior + +commit 40da1b11f01e43aad1aa6cea64681b6125e8a2a7 upstream. + +If a custom CPU target is specified and that one is not available _or_ +can't be interrupted then the code returns to userland without dropping a +lock as notices by lockdep: + +|echo 133 > /sys/devices/system/cpu/cpu7/hotplug/target +| ================================================ +| [ BUG: lock held when returning to user space! ] +| ------------------------------------------------ +| bash/503 is leaving the kernel with locks still held! +| 1 lock held by bash/503: +| #0: (device_hotplug_lock){+.+...}, at: [] lock_device_hotplug_sysfs+0x10/0x40 + +So release the lock then. + +Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable") +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170602142714.3ogo25f2wbq6fjpj@linutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cpu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -1656,13 +1656,13 @@ static ssize_t write_cpuhp_target(struct + ret = !sp->name || sp->cant_stop ? -EINVAL : 0; + mutex_unlock(&cpuhp_state_mutex); + if (ret) +- return ret; ++ goto out; + + if (st->state < target) + ret = do_cpu_up(dev->id, target); + else + ret = do_cpu_down(dev->id, target); +- ++out: + unlock_device_hotplug(); + return ret ? ret : count; + } diff --git a/queue-4.11/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch b/queue-4.11/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch new file mode 100644 index 00000000000..4b1a49344bb --- /dev/null +++ b/queue-4.11/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch @@ -0,0 +1,36 @@ +From 32829da54d9368103a2f03269a5120aa9ee4d5da Mon Sep 17 00:00:00 2001 +From: Julius Werner +Date: Fri, 2 Jun 2017 15:36:39 -0700 +Subject: drivers: char: mem: Fix wraparound check to allow mappings up to the end + +From: Julius Werner + +commit 32829da54d9368103a2f03269a5120aa9ee4d5da upstream. + +A recent fix to /dev/mem prevents mappings from wrapping around the end +of physical address space. However, the check was written in a way that +also prevents a mapping reaching just up to the end of physical address +space, which may be a valid use case (especially on 32-bit systems). +This patch fixes it by checking the last mapped address (instead of the +first address behind that) for overflow. + +Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()") +Reported-by: Nico Huber +Signed-off-by: Julius Werner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/mem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -343,7 +343,7 @@ static int mmap_mem(struct file *file, s + phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT; + + /* It's illegal to wrap around the end of the physical address space. */ +- if (offset + (phys_addr_t)size < offset) ++ if (offset + (phys_addr_t)size - 1 < offset) + return -EINVAL; + + if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size)) diff --git a/queue-4.11/drm-i915-fix-runtime-pm-for-lpe-audio.patch b/queue-4.11/drm-i915-fix-runtime-pm-for-lpe-audio.patch new file mode 100644 index 00000000000..a95444b8954 --- /dev/null +++ b/queue-4.11/drm-i915-fix-runtime-pm-for-lpe-audio.patch @@ -0,0 +1,93 @@ +From 668e3b014afb66ab29e134bca7c258527273ac75 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Thu, 27 Apr 2017 19:02:20 +0300 +Subject: drm/i915: Fix runtime PM for LPE audio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 668e3b014afb66ab29e134bca7c258527273ac75 upstream. + +Not calling pm_runtime_enable() means that runtime PM can't be +enabled at all via sysfs. So we definitely need to call it +from somewhere. + +Calling it from the driver seems like a bad idea because it +would have to be paired with a pm_runtime_disable() at driver +unload time, otherwise the core gets upset. Also if there's +no LPE audio driver loaded then we couldn't runtime suspend +i915 either. + +So it looks like a better plan is to call it from i915 when +we register the platform device. That seems to match how +pci generally does things. I cargo culted the +pm_runtime_forbid() and pm_runtime_set_active() calls from +pci as well. + +The exposed runtime PM API is massive an thorougly misleading, so +I don't actually know if this is how you're supposed to use the API +or not. But it seems to work. I can now runtime suspend i915 again +with or without the LPE audio driver loaded, and reloading the +LPE audio driver also seems to work. + +Note that powertop won't auto-tune runtime PM for platform devices, +which is a little annoying. So I'm not sure that leaving runtime +PM in "on" mode by default is the best choice here. But I've left +it like that for now at least. + +Also remove the comment about there not being much benefit from +LPE audio runtime PM. Not allowing runtime PM blocks i915 runtime +PM, which will also block s0ix, and that could have a measurable +impact on power consumption. + +Cc: Takashi Iwai +Cc: Pierre-Louis Bossart +Fixes: 0b6b524f3915 ("ALSA: x86: Don't enable runtime PM as default") +Signed-off-by: Ville Syrjälä +Link: http://patchwork.freedesktop.org/patch/msgid/20170427160231.13337-2-ville.syrjala@linux.intel.com +Reviewed-by: Takashi Iwai +(cherry picked from commit 183c00350ccda86781f6695840e6c5f5b22efbd1) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_lpe_audio.c | 5 +++++ + sound/x86/intel_hdmi_audio.c | 4 ---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_lpe_audio.c ++++ b/drivers/gpu/drm/i915/intel_lpe_audio.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + + #include "i915_drv.h" + #include +@@ -121,6 +122,10 @@ lpe_audio_platdev_create(struct drm_i915 + + kfree(rsc); + ++ pm_runtime_forbid(&platdev->dev); ++ pm_runtime_set_active(&platdev->dev); ++ pm_runtime_enable(&platdev->dev); ++ + return platdev; + + err: +--- a/sound/x86/intel_hdmi_audio.c ++++ b/sound/x86/intel_hdmi_audio.c +@@ -1809,10 +1809,6 @@ static int hdmi_lpe_audio_probe(struct p + pdata->notify_pending = false; + spin_unlock_irq(&pdata->lpe_audio_slock); + +- /* runtime PM isn't enabled as default, since it won't save much on +- * BYT/CHT devices; user who want the runtime PM should adjust the +- * power/ontrol and power/autosuspend_delay_ms sysfs entries instead +- */ + pm_runtime_use_autosuspend(&pdev->dev); + pm_runtime_mark_last_busy(&pdev->dev); + pm_runtime_set_active(&pdev->dev); diff --git a/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch b/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch new file mode 100644 index 00000000000..0e757a98f25 --- /dev/null +++ b/queue-4.11/drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch @@ -0,0 +1,201 @@ +From d86b18a06cf361e12ccdf61ae240d432182d8d6b Mon Sep 17 00:00:00 2001 +From: Jon Bloomfield +Date: Wed, 24 May 2017 08:54:11 -0700 +Subject: drm/i915: Serialize GTT/Aperture accesses on BXT + +From: Jon Bloomfield + +commit d86b18a06cf361e12ccdf61ae240d432182d8d6b upstream. + +BXT has a H/W issue with IOMMU which can lead to system hangs when +Aperture accesses are queued within the GAM behind GTT Accesses. + +This patch avoids the condition by wrapping all GTT updates in stop_machine +and using a flushing read prior to restarting the machine. + +The stop_machine guarantees no new Aperture accesses can begin while +the PTE writes are being emmitted. The flushing read ensures that +any following Aperture accesses cannot begin until the PTE writes +have been cleared out of the GAM's fifo. + +Only FOLLOWING Aperture accesses need to be separated from in flight +PTE updates. PTE Writes may follow tightly behind already in flight +Aperture accesses, so no flushing read is required at the start of +a PTE update sequence. + +This issue was reproduced by running + igt/gem_readwrite and + igt/gem_render_copy +simultaneously from different processes, each in a tight loop, +with INTEL_IOMMU enabled. + +This patch was originally published as: + drm/i915: Serialize GTT Updates on BXT + +[Note: This will cause a performance penalty for some use cases, but +avoiding hangs trumps performance hits. This may need to be worked +around in Mesa to recover the lost performance.] + +v2: Move bxt/iommu detection into static function + Remove #ifdef CONFIG_INTEL_IOMMU protection + Make function names more reflective of purpose + Move flushing read into static function + +v3: Tidy up for checkpatch.pl + +Testcase: igt/gem_concurrent_blit +Signed-off-by: Jon Bloomfield +Cc: John Harrison +Cc: Chris Wilson +Cc: Daniel Vetter +Cc: Tvrtko Ursulin +Link: http://patchwork.freedesktop.org/patch/msgid/1495641251-30022-1-git-send-email-jon.bloomfield@intel.com +Reviewed-by: Tvrtko Ursulin +Signed-off-by: Chris Wilson +(cherry picked from commit 0ef34ad6222abfa513117515fec720c33a58f105) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.h | 10 +++ + drivers/gpu/drm/i915/i915_gem_gtt.c | 103 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 113 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -2916,6 +2916,16 @@ static inline bool intel_scanout_needs_v + return false; + } + ++static inline bool ++intel_ggtt_update_needs_vtd_wa(struct drm_i915_private *dev_priv) ++{ ++#ifdef CONFIG_INTEL_IOMMU ++ if (IS_BROXTON(dev_priv) && intel_iommu_gfx_mapped) ++ return true; ++#endif ++ return false; ++} ++ + int intel_sanitize_enable_ppgtt(struct drm_i915_private *dev_priv, + int enable_ppgtt); + +--- a/drivers/gpu/drm/i915/i915_gem_gtt.c ++++ b/drivers/gpu/drm/i915/i915_gem_gtt.c +@@ -2554,6 +2554,101 @@ static void gen8_ggtt_clear_range(struct + readl(gtt_base); + } + ++static void bxt_vtd_ggtt_wa(struct i915_address_space *vm) ++{ ++ struct drm_i915_private *dev_priv = vm->i915; ++ ++ /* ++ * Make sure the internal GAM fifo has been cleared of all GTT ++ * writes before exiting stop_machine(). This guarantees that ++ * any aperture accesses waiting to start in another process ++ * cannot back up behind the GTT writes causing a hang. ++ * The register can be any arbitrary GAM register. ++ */ ++ POSTING_READ(GFX_FLSH_CNTL_GEN6); ++} ++ ++struct insert_page { ++ struct i915_address_space *vm; ++ dma_addr_t addr; ++ u64 offset; ++ enum i915_cache_level level; ++}; ++ ++static int bxt_vtd_ggtt_insert_page__cb(void *_arg) ++{ ++ struct insert_page *arg = _arg; ++ ++ gen8_ggtt_insert_page(arg->vm, arg->addr, arg->offset, arg->level, 0); ++ bxt_vtd_ggtt_wa(arg->vm); ++ ++ return 0; ++} ++ ++static void bxt_vtd_ggtt_insert_page__BKL(struct i915_address_space *vm, ++ dma_addr_t addr, ++ u64 offset, ++ enum i915_cache_level level, ++ u32 unused) ++{ ++ struct insert_page arg = { vm, addr, offset, level }; ++ ++ stop_machine(bxt_vtd_ggtt_insert_page__cb, &arg, NULL); ++} ++ ++struct insert_entries { ++ struct i915_address_space *vm; ++ struct sg_table *st; ++ u64 start; ++ enum i915_cache_level level; ++}; ++ ++static int bxt_vtd_ggtt_insert_entries__cb(void *_arg) ++{ ++ struct insert_entries *arg = _arg; ++ ++ gen8_ggtt_insert_entries(arg->vm, arg->st, arg->start, arg->level, 0); ++ bxt_vtd_ggtt_wa(arg->vm); ++ ++ return 0; ++} ++ ++static void bxt_vtd_ggtt_insert_entries__BKL(struct i915_address_space *vm, ++ struct sg_table *st, ++ u64 start, ++ enum i915_cache_level level, ++ u32 unused) ++{ ++ struct insert_entries arg = { vm, st, start, level }; ++ ++ stop_machine(bxt_vtd_ggtt_insert_entries__cb, &arg, NULL); ++} ++ ++struct clear_range { ++ struct i915_address_space *vm; ++ u64 start; ++ u64 length; ++}; ++ ++static int bxt_vtd_ggtt_clear_range__cb(void *_arg) ++{ ++ struct clear_range *arg = _arg; ++ ++ gen8_ggtt_clear_range(arg->vm, arg->start, arg->length); ++ bxt_vtd_ggtt_wa(arg->vm); ++ ++ return 0; ++} ++ ++static void bxt_vtd_ggtt_clear_range__BKL(struct i915_address_space *vm, ++ u64 start, ++ u64 length) ++{ ++ struct clear_range arg = { vm, start, length }; ++ ++ stop_machine(bxt_vtd_ggtt_clear_range__cb, &arg, NULL); ++} ++ + static void gen6_ggtt_clear_range(struct i915_address_space *vm, + uint64_t start, + uint64_t length) +@@ -3120,6 +3215,14 @@ static int gen6_gmch_probe(struct i915_g + ggtt->base.unbind_vma = ggtt_unbind_vma; + ggtt->base.cleanup = gen6_gmch_remove; + ++ /* Serialize GTT updates with aperture access on BXT if VT-d is on. */ ++ if (intel_ggtt_update_needs_vtd_wa(dev_priv)) { ++ ggtt->base.insert_entries = bxt_vtd_ggtt_insert_entries__BKL; ++ ggtt->base.insert_page = bxt_vtd_ggtt_insert_page__BKL; ++ if (ggtt->base.clear_range != nop_clear_range) ++ ggtt->base.clear_range = bxt_vtd_ggtt_clear_range__BKL; ++ } ++ + ggtt->invalidate = gen6_ggtt_invalidate; + + if (HAS_EDRAM(dev_priv)) diff --git a/queue-4.11/drm-i915-skl-add-missing-skl-id.patch b/queue-4.11/drm-i915-skl-add-missing-skl-id.patch new file mode 100644 index 00000000000..382a372cc62 --- /dev/null +++ b/queue-4.11/drm-i915-skl-add-missing-skl-id.patch @@ -0,0 +1,40 @@ +From ca7a45ba6fb9e7ceca56d10b91db29c2f3451a2e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Winiarski?= +Date: Mon, 27 Feb 2017 12:22:56 +0100 +Subject: drm/i915/skl: Add missing SKL ID +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michał Winiarski + +commit ca7a45ba6fb9e7ceca56d10b91db29c2f3451a2e upstream. + +Used by production device: + Intel(R) Iris(TM) Graphics P555 + +Cc: Mika Kuoppala +Cc: Rodrigo Vivi +Signed-off-by: Michał Winiarski +Reviewed-by: Rodrigo Vivi +Reviewed-by: Mika Kuoppala +Signed-off-by: Mika Kuoppala +Link: http://patchwork.freedesktop.org/patch/msgid/20170227112256.20060-1-michal.winiarski@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + include/drm/i915_pciids.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/include/drm/i915_pciids.h ++++ b/include/drm/i915_pciids.h +@@ -265,7 +265,8 @@ + INTEL_VGA_DEVICE(0x1923, info), /* ULT GT3 */ \ + INTEL_VGA_DEVICE(0x1926, info), /* ULT GT3 */ \ + INTEL_VGA_DEVICE(0x1927, info), /* ULT GT3 */ \ +- INTEL_VGA_DEVICE(0x192B, info) /* Halo GT3 */ \ ++ INTEL_VGA_DEVICE(0x192B, info), /* Halo GT3 */ \ ++ INTEL_VGA_DEVICE(0x192D, info) /* SRV GT3 */ + + #define INTEL_SKL_GT4_IDS(info) \ + INTEL_VGA_DEVICE(0x1932, info), /* DT GT4 */ \ diff --git a/queue-4.11/drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch b/queue-4.11/drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch new file mode 100644 index 00000000000..59ad28e773d --- /dev/null +++ b/queue-4.11/drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch @@ -0,0 +1,57 @@ +From b4e382ca7586a63b6c1e5221ce0863ff867c2df6 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Mon, 5 Jun 2017 17:23:32 +1000 +Subject: drm/nouveau/tmr: fully separate alarm execution/pending lists + +From: Ben Skeggs + +commit b4e382ca7586a63b6c1e5221ce0863ff867c2df6 upstream. + +Reusing the list_head for both is a bad idea. Callback execution is done +with the lock dropped so that alarms can be rescheduled from the callback, +which means that with some unfortunate timing, lists can get corrupted. + +The execution list should not require its own locking, the single function +that uses it can only be called from a single context. + +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h | 1 + + drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 7 ++++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h ++++ b/drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h +@@ -4,6 +4,7 @@ + + struct nvkm_alarm { + struct list_head head; ++ struct list_head exec; + u64 timestamp; + void (*func)(struct nvkm_alarm *); + }; +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c +@@ -50,7 +50,8 @@ nvkm_timer_alarm_trigger(struct nvkm_tim + /* Move to completed list. We'll drop the lock before + * executing the callback so it can reschedule itself. + */ +- list_move_tail(&alarm->head, &exec); ++ list_del_init(&alarm->head); ++ list_add(&alarm->exec, &exec); + } + + /* Shut down interrupt if no more pending alarms. */ +@@ -59,8 +60,8 @@ nvkm_timer_alarm_trigger(struct nvkm_tim + spin_unlock_irqrestore(&tmr->lock, flags); + + /* Execute completed callbacks. */ +- list_for_each_entry_safe(alarm, atemp, &exec, head) { +- list_del_init(&alarm->head); ++ list_for_each_entry_safe(alarm, atemp, &exec, exec) { ++ list_del(&alarm->exec); + alarm->func(alarm); + } + } diff --git a/queue-4.11/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch b/queue-4.11/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch new file mode 100644 index 00000000000..7f85a501474 --- /dev/null +++ b/queue-4.11/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch @@ -0,0 +1,31 @@ +From f0c62e9878024300319ba2438adc7b06c6b9c448 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 27 Apr 2017 12:12:08 +0300 +Subject: drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() + +From: Dan Carpenter + +commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream. + +If vmalloc() fails then we need to a bit of cleanup before returning. + +Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU") +Signed-off-by: Dan Carpenter +Reviewed-by: Sinclair Yeh +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c +@@ -368,6 +368,8 @@ static void *vmw_local_fifo_reserve(stru + return fifo_state->static_buffer; + else { + fifo_state->dynamic_buffer = vmalloc(bytes); ++ if (!fifo_state->dynamic_buffer) ++ goto out_err; + return fifo_state->dynamic_buffer; + } + } diff --git a/queue-4.11/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch b/queue-4.11/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch new file mode 100644 index 00000000000..2fa321c4350 --- /dev/null +++ b/queue-4.11/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch @@ -0,0 +1,36 @@ +From ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Fri, 2 Jun 2017 07:42:09 +0200 +Subject: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() + +From: Vladis Dronov + +commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream. + +The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is +a user-controlled 'uint32_t' value which is used as a loop count limit. +This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'. + +References: +https://bugzilla.redhat.com/show_bug.cgi?id=1437431 + +Signed-off-by: Vladis Dronov +Reviewed-by: Sinclair Yeh +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -1280,6 +1280,9 @@ int vmw_gb_surface_define_ioctl(struct d + if (req->multisample_count != 0) + return -EINVAL; + ++ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS) ++ return -EINVAL; ++ + if (unlikely(vmw_user_surface_size == 0)) + vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) + + 128; diff --git a/queue-4.11/drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch b/queue-4.11/drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch new file mode 100644 index 00000000000..79998f4b721 --- /dev/null +++ b/queue-4.11/drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch @@ -0,0 +1,59 @@ +From 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c Mon Sep 17 00:00:00 2001 +From: Sinclair Yeh +Date: Fri, 2 Jun 2017 07:50:57 +0200 +Subject: drm/vmwgfx: Make sure backup_handle is always valid + +From: Sinclair Yeh + +commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c upstream. + +When vmw_gb_surface_define_ioctl() is called with an existing buffer, +we end up returning an uninitialized variable in the backup_handle. + +The fix is to first initialize backup_handle to 0 just to be sure, and +second, when a user-provided buffer is found, we will use the +req->buffer_handle as the backup_handle. + +Reported-by: Murray McAllister +Signed-off-by: Sinclair Yeh +Reviewed-by: Deepak Rawat +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c +@@ -1275,7 +1275,7 @@ int vmw_gb_surface_define_ioctl(struct d + struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile; + int ret; + uint32_t size; +- uint32_t backup_handle; ++ uint32_t backup_handle = 0; + + if (req->multisample_count != 0) + return -EINVAL; +@@ -1318,12 +1318,16 @@ int vmw_gb_surface_define_ioctl(struct d + ret = vmw_user_dmabuf_lookup(tfile, req->buffer_handle, + &res->backup, + &user_srf->backup_base); +- if (ret == 0 && res->backup->base.num_pages * PAGE_SIZE < +- res->backup_size) { +- DRM_ERROR("Surface backup buffer is too small.\n"); +- vmw_dmabuf_unreference(&res->backup); +- ret = -EINVAL; +- goto out_unlock; ++ if (ret == 0) { ++ if (res->backup->base.num_pages * PAGE_SIZE < ++ res->backup_size) { ++ DRM_ERROR("Surface backup buffer is too small.\n"); ++ vmw_dmabuf_unreference(&res->backup); ++ ret = -EINVAL; ++ goto out_unlock; ++ } else { ++ backup_handle = req->buffer_handle; ++ } + } + } else if (req->drm_surface_flags & drm_vmw_surface_flag_create_buffer) + ret = vmw_user_dmabuf_alloc(dev_priv, tfile, diff --git a/queue-4.11/kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch b/queue-4.11/kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch new file mode 100644 index 00000000000..055801c54e5 --- /dev/null +++ b/queue-4.11/kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch @@ -0,0 +1,85 @@ +From d6dbdd3c8558cad3b6d74cc357b408622d122331 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Mon, 5 Jun 2017 19:17:18 +0100 +Subject: KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages + +From: Marc Zyngier + +commit d6dbdd3c8558cad3b6d74cc357b408622d122331 upstream. + +Under memory pressure, we start ageing pages, which amounts to parsing +the page tables. Since we don't want to allocate any extra level, +we pass NULL for our private allocation cache. Which means that +stage2_get_pud() is allowed to fail. This results in the following +splat: + +[ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008 +[ 1520.417741] pgd = ffff810f52fef000 +[ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000 +[ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 1520.435156] Modules linked in: +[ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G W 4.12.0-rc4-00027-g1885c397eaec #7205 +[ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016 +[ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000 +[ 1520.469666] PC is at stage2_get_pmd+0x34/0x110 +[ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0 +[ 1520.478917] pc : [] lr : [] pstate: 40000145 +[ 1520.486325] sp : ffff800ce04e33d0 +[ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064 +[ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000 +[ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000 +[ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000 +[ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000 +[ 1520.516274] x19: 0000000058264000 x18: 0000000000000000 +[ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70 +[ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008 +[ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002 +[ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940 +[ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200 +[ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000 +[ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000 +[ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008 +[ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c +[ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000) +[...] +[ 1521.510735] [] stage2_get_pmd+0x34/0x110 +[ 1521.516221] [] kvm_age_hva_handler+0x44/0xf0 +[ 1521.522054] [] handle_hva_to_gpa+0xb8/0xe8 +[ 1521.527716] [] kvm_age_hva+0x44/0xf0 +[ 1521.532854] [] kvm_mmu_notifier_clear_flush_young+0x70/0xc0 +[ 1521.539992] [] __mmu_notifier_clear_flush_young+0x88/0xd0 +[ 1521.546958] [] page_referenced_one+0xf0/0x188 +[ 1521.552881] [] rmap_walk_anon+0xec/0x250 +[ 1521.558370] [] rmap_walk+0x78/0xa0 +[ 1521.563337] [] page_referenced+0x164/0x180 +[ 1521.569002] [] shrink_active_list+0x178/0x3b8 +[ 1521.574922] [] shrink_node_memcg+0x328/0x600 +[ 1521.580758] [] shrink_node+0xc4/0x328 +[ 1521.585986] [] do_try_to_free_pages+0xc0/0x340 +[ 1521.592000] [] try_to_free_pages+0xcc/0x240 +[...] + +The trivial fix is to handle this NULL pud value early, rather than +dereferencing it blindly. + +Signed-off-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kvm/mmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/kvm/mmu.c ++++ b/arch/arm/kvm/mmu.c +@@ -879,6 +879,9 @@ static pmd_t *stage2_get_pmd(struct kvm + pmd_t *pmd; + + pud = stage2_get_pud(kvm, cache, addr); ++ if (!pud) ++ return NULL; ++ + if (stage2_pud_none(*pud)) { + if (!cache) + return NULL; diff --git a/queue-4.11/net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch b/queue-4.11/net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch new file mode 100644 index 00000000000..f1bbd549638 --- /dev/null +++ b/queue-4.11/net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch @@ -0,0 +1,230 @@ +From 246096690be0742d9bb5f3456d2cb95b68f7b46d Mon Sep 17 00:00:00 2001 +From: Timur Tabi +Date: Thu, 1 Jun 2017 16:08:13 -0500 +Subject: net: qcom/emac: do not use hardware mdio automatic polling + +From: Timur Tabi + +commit 246096690be0742d9bb5f3456d2cb95b68f7b46d upstream. + +Use software polling (PHY_POLL) to check for link state changes instead +of relying on the EMAC's hardware polling feature. Some PHY drivers +are unable to get a functioning link because the HW polling is not +robust enough. + +The EMAC is able to poll the PHY on the MDIO bus looking for link state +changes (via the Link Status bit in the Status Register at address 0x1). +When the link state changes, the EMAC triggers an interrupt and tells the +driver what the new state is. The feature eliminates the need for +software to poll the MDIO bus. + +Unfortunately, this feature is incompatible with phylib, because it +ignores everything that the PHY core and PHY drivers are trying to do. +In particular: + +1. It assumes a compatible register set, so PHYs with different registers + may not work. + +2. It doesn't allow for hardware errata that have work-arounds implemented + in the PHY driver. + +3. It doesn't support multiple register pages. If the PHY core switches + the register set to another page, the EMAC won't know the page has + changed and will still attempt to read the same PHY register. + +4. It only checks the copper side of the link, not the SGMII side. Some + PHY drivers (e.g. at803x) may also check the SGMII side, and + report the link as not ready during autonegotiation if the SGMII link + is still down. Phylib then waits for another interrupt to query + the PHY again, but the EMAC won't send another interrupt because it + thinks the link is up. + +Tested-by: Manoj Iyer +Signed-off-by: Timur Tabi +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/qualcomm/emac/emac-mac.c | 2 + drivers/net/ethernet/qualcomm/emac/emac-phy.c | 75 +------------------------- + drivers/net/ethernet/qualcomm/emac/emac.c | 22 ------- + 3 files changed, 6 insertions(+), 93 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/emac/emac-mac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac-mac.c +@@ -931,7 +931,7 @@ int emac_mac_up(struct emac_adapter *adp + emac_mac_config(adpt); + emac_mac_rx_descs_refill(adpt, &adpt->rx_q); + +- adpt->phydev->irq = PHY_IGNORE_INTERRUPT; ++ adpt->phydev->irq = PHY_POLL; + ret = phy_connect_direct(netdev, adpt->phydev, emac_adjust_link, + PHY_INTERFACE_MODE_SGMII); + if (ret) { +--- a/drivers/net/ethernet/qualcomm/emac/emac-phy.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac-phy.c +@@ -13,15 +13,11 @@ + /* Qualcomm Technologies, Inc. EMAC PHY Controller driver. + */ + +-#include +-#include +-#include + #include + #include + #include + #include + #include "emac.h" +-#include "emac-mac.h" + + /* EMAC base register offsets */ + #define EMAC_MDIO_CTRL 0x001414 +@@ -52,62 +48,10 @@ + + #define MDIO_WAIT_TIMES 1000 + +-#define EMAC_LINK_SPEED_DEFAULT (\ +- EMAC_LINK_SPEED_10_HALF |\ +- EMAC_LINK_SPEED_10_FULL |\ +- EMAC_LINK_SPEED_100_HALF |\ +- EMAC_LINK_SPEED_100_FULL |\ +- EMAC_LINK_SPEED_1GB_FULL) +- +-/** +- * emac_phy_mdio_autopoll_disable() - disable mdio autopoll +- * @adpt: the emac adapter +- * +- * The autopoll feature takes over the MDIO bus. In order for +- * the PHY driver to be able to talk to the PHY over the MDIO +- * bus, we need to temporarily disable the autopoll feature. +- */ +-static int emac_phy_mdio_autopoll_disable(struct emac_adapter *adpt) +-{ +- u32 val; +- +- /* disable autopoll */ +- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, MDIO_AP_EN, 0); +- +- /* wait for any mdio polling to complete */ +- if (!readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, val, +- !(val & MDIO_BUSY), 100, MDIO_WAIT_TIMES * 100)) +- return 0; +- +- /* failed to disable; ensure it is enabled before returning */ +- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, 0, MDIO_AP_EN); +- +- return -EBUSY; +-} +- +-/** +- * emac_phy_mdio_autopoll_disable() - disable mdio autopoll +- * @adpt: the emac adapter +- * +- * The EMAC has the ability to poll the external PHY on the MDIO +- * bus for link state changes. This eliminates the need for the +- * driver to poll the phy. If if the link state does change, +- * the EMAC issues an interrupt on behalf of the PHY. +- */ +-static void emac_phy_mdio_autopoll_enable(struct emac_adapter *adpt) +-{ +- emac_reg_update32(adpt->base + EMAC_MDIO_CTRL, 0, MDIO_AP_EN); +-} +- + static int emac_mdio_read(struct mii_bus *bus, int addr, int regnum) + { + struct emac_adapter *adpt = bus->priv; + u32 reg; +- int ret; +- +- ret = emac_phy_mdio_autopoll_disable(adpt); +- if (ret) +- return ret; + + emac_reg_update32(adpt->base + EMAC_PHY_STS, PHY_ADDR_BMSK, + (addr << PHY_ADDR_SHFT)); +@@ -122,24 +66,15 @@ static int emac_mdio_read(struct mii_bus + if (readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, reg, + !(reg & (MDIO_START | MDIO_BUSY)), + 100, MDIO_WAIT_TIMES * 100)) +- ret = -EIO; +- else +- ret = (reg >> MDIO_DATA_SHFT) & MDIO_DATA_BMSK; +- +- emac_phy_mdio_autopoll_enable(adpt); ++ return -EIO; + +- return ret; ++ return (reg >> MDIO_DATA_SHFT) & MDIO_DATA_BMSK; + } + + static int emac_mdio_write(struct mii_bus *bus, int addr, int regnum, u16 val) + { + struct emac_adapter *adpt = bus->priv; + u32 reg; +- int ret; +- +- ret = emac_phy_mdio_autopoll_disable(adpt); +- if (ret) +- return ret; + + emac_reg_update32(adpt->base + EMAC_PHY_STS, PHY_ADDR_BMSK, + (addr << PHY_ADDR_SHFT)); +@@ -155,11 +90,9 @@ static int emac_mdio_write(struct mii_bu + if (readl_poll_timeout(adpt->base + EMAC_MDIO_CTRL, reg, + !(reg & (MDIO_START | MDIO_BUSY)), 100, + MDIO_WAIT_TIMES * 100)) +- ret = -EIO; +- +- emac_phy_mdio_autopoll_enable(adpt); ++ return -EIO; + +- return ret; ++ return 0; + } + + /* Configure the MDIO bus and connect the external PHY */ +--- a/drivers/net/ethernet/qualcomm/emac/emac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac.c +@@ -50,19 +50,7 @@ + #define DMAR_DLY_CNT_DEF 15 + #define DMAW_DLY_CNT_DEF 4 + +-#define IMR_NORMAL_MASK (\ +- ISR_ERROR |\ +- ISR_GPHY_LINK |\ +- ISR_TX_PKT |\ +- GPHY_WAKEUP_INT) +- +-#define IMR_EXTENDED_MASK (\ +- SW_MAN_INT |\ +- ISR_OVER |\ +- ISR_ERROR |\ +- ISR_GPHY_LINK |\ +- ISR_TX_PKT |\ +- GPHY_WAKEUP_INT) ++#define IMR_NORMAL_MASK (ISR_ERROR | ISR_OVER | ISR_TX_PKT) + + #define ISR_TX_PKT (\ + TX_PKT_INT |\ +@@ -70,10 +58,6 @@ + TX_PKT_INT2 |\ + TX_PKT_INT3) + +-#define ISR_GPHY_LINK (\ +- GPHY_LINK_UP_INT |\ +- GPHY_LINK_DOWN_INT) +- + #define ISR_OVER (\ + RFD0_UR_INT |\ + RFD1_UR_INT |\ +@@ -187,10 +171,6 @@ irqreturn_t emac_isr(int _irq, void *dat + if (status & ISR_OVER) + net_warn_ratelimited("warning: TX/RX overflow\n"); + +- /* link event */ +- if (status & ISR_GPHY_LINK) +- phy_mac_interrupt(adpt->phydev, !!(status & GPHY_LINK_UP_INT)); +- + exit: + /* enable the interrupt */ + writel(irq->mask, adpt->base + EMAC_INT_MASK); diff --git a/queue-4.11/perf-core-drop-kernel-samples-even-though-u-is-specified.patch b/queue-4.11/perf-core-drop-kernel-samples-even-though-u-is-specified.patch new file mode 100644 index 00000000000..21ffef430c4 --- /dev/null +++ b/queue-4.11/perf-core-drop-kernel-samples-even-though-u-is-specified.patch @@ -0,0 +1,127 @@ +From cc1582c231ea041fbc68861dfaf957eaf902b829 Mon Sep 17 00:00:00 2001 +From: Jin Yao +Date: Thu, 25 May 2017 18:09:07 +0800 +Subject: perf/core: Drop kernel samples even though :u is specified + +From: Jin Yao + +commit cc1582c231ea041fbc68861dfaf957eaf902b829 upstream. + +When doing sampling, for example: + + perf record -e cycles:u ... + +On workloads that do a lot of kernel entry/exits we see kernel +samples, even though :u is specified. This is due to skid existing. + +This might be a security issue because it can leak kernel addresses even +though kernel sampling support is disabled. + +The patch drops the kernel samples if exclude_kernel is specified. + +For example, test on Haswell desktop: + + perf record -e cycles:u + perf report --stdio + +Before patch applied: + + 99.77% mgen mgen [.] buf_read + 0.20% mgen mgen [.] rand_buf_init + 0.01% mgen [kernel.vmlinux] [k] apic_timer_interrupt + 0.00% mgen mgen [.] last_free_elem + 0.00% mgen libc-2.23.so [.] __random_r + 0.00% mgen libc-2.23.so [.] _int_malloc + 0.00% mgen mgen [.] rand_array_init + 0.00% mgen [kernel.vmlinux] [k] page_fault + 0.00% mgen libc-2.23.so [.] __random + 0.00% mgen libc-2.23.so [.] __strcasestr + 0.00% mgen ld-2.23.so [.] strcmp + 0.00% mgen ld-2.23.so [.] _dl_start + 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4 + 0.00% mgen ld-2.23.so [.] _start + +We can see kernel symbols apic_timer_interrupt and page_fault. + +After patch applied: + + 99.79% mgen mgen [.] buf_read + 0.19% mgen mgen [.] rand_buf_init + 0.00% mgen libc-2.23.so [.] __random_r + 0.00% mgen mgen [.] rand_array_init + 0.00% mgen mgen [.] last_free_elem + 0.00% mgen libc-2.23.so [.] vfprintf + 0.00% mgen libc-2.23.so [.] rand + 0.00% mgen libc-2.23.so [.] __random + 0.00% mgen libc-2.23.so [.] _int_malloc + 0.00% mgen libc-2.23.so [.] _IO_doallocbuf + 0.00% mgen ld-2.23.so [.] do_lookup_x + 0.00% mgen ld-2.23.so [.] open_verify.constprop.7 + 0.00% mgen ld-2.23.so [.] _dl_important_hwcaps + 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4 + 0.00% mgen ld-2.23.so [.] _start + +There are only userspace symbols. + +Signed-off-by: Jin Yao +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Cc: acme@kernel.org +Cc: jolsa@kernel.org +Cc: kan.liang@intel.com +Cc: mark.rutland@arm.com +Cc: will.deacon@arm.com +Cc: yao.jin@intel.com +Link: http://lkml.kernel.org/r/1495706947-3744-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -7184,6 +7184,21 @@ int perf_event_account_interrupt(struct + return __perf_event_account_interrupt(event, 1); + } + ++static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs) ++{ ++ /* ++ * Due to interrupt latency (AKA "skid"), we may enter the ++ * kernel before taking an overflow, even if the PMU is only ++ * counting user events. ++ * To avoid leaking information to userspace, we must always ++ * reject kernel samples when exclude_kernel is set. ++ */ ++ if (event->attr.exclude_kernel && !user_mode(regs)) ++ return false; ++ ++ return true; ++} ++ + /* + * Generic event overflow handling, sampling. + */ +@@ -7205,6 +7220,12 @@ static int __perf_event_overflow(struct + ret = __perf_event_account_interrupt(event, throttle); + + /* ++ * For security, drop the skid kernel samples if necessary. ++ */ ++ if (!sample_is_allowed(event, regs)) ++ return ret; ++ ++ /* + * XXX event_limit might not quite work as expected on inherited + * events + */ diff --git a/queue-4.11/pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch b/queue-4.11/pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch new file mode 100644 index 00000000000..fa0d8de83f9 --- /dev/null +++ b/queue-4.11/pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch @@ -0,0 +1,35 @@ +From a9de080bbcd5c4e213a3d7bbb1e314d60980e943 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 25 Apr 2017 06:22:05 +0000 +Subject: pinctrl: cherryview: Add terminate entry for dmi_system_id tables + +From: Wei Yongjun + +commit a9de080bbcd5c4e213a3d7bbb1e314d60980e943 upstream. + +Make sure dmi_system_id tables are NULL terminated. + +Fixes: 703650278372 ("pinctrl: cherryview: Add a quirk to make Acer +Chromebook keyboard work again") +Signed-off-by: Wei Yongjun +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Cc: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/intel/pinctrl-cherryview.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/intel/pinctrl-cherryview.c ++++ b/drivers/pinctrl/intel/pinctrl-cherryview.c +@@ -1542,7 +1542,8 @@ static const struct dmi_system_id chv_no + DMI_MATCH(DMI_PRODUCT_NAME, "Edgar"), + DMI_MATCH(DMI_BIOS_DATE, "05/21/2016"), + }, +- } ++ }, ++ {} + }; + + static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq) diff --git a/queue-4.11/powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch b/queue-4.11/powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch new file mode 100644 index 00000000000..f3bbb321ffc --- /dev/null +++ b/queue-4.11/powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch @@ -0,0 +1,42 @@ +From dc421b200f91930c9c6a9586810ff8c232cf10fc Mon Sep 17 00:00:00 2001 +From: Michael Bringmann +Date: Mon, 22 May 2017 15:44:37 -0500 +Subject: powerpc/hotplug-mem: Fix missing endian conversion of aa_index + +From: Michael Bringmann + +commit dc421b200f91930c9c6a9586810ff8c232cf10fc upstream. + +When adding or removing memory, the aa_index (affinity value) for the +memblock must also be converted to match the endianness of the rest +of the 'ibm,dynamic-memory' property. Otherwise, subsequent retrieval +of the attribute will likely lead to non-existent nodes, followed by +using the default node in the code inappropriately. + +Fixes: 5f97b2a0d176 ("powerpc/pseries: Implement memory hotplug add in the kernel") +Signed-off-by: Michael Bringmann +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/hotplug-memory.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -124,6 +124,7 @@ static struct property *dlpar_clone_drco + for (i = 0; i < num_lmbs; i++) { + lmbs[i].base_addr = be64_to_cpu(lmbs[i].base_addr); + lmbs[i].drc_index = be32_to_cpu(lmbs[i].drc_index); ++ lmbs[i].aa_index = be32_to_cpu(lmbs[i].aa_index); + lmbs[i].flags = be32_to_cpu(lmbs[i].flags); + } + +@@ -147,6 +148,7 @@ static void dlpar_update_drconf_property + for (i = 0; i < num_lmbs; i++) { + lmbs[i].base_addr = cpu_to_be64(lmbs[i].base_addr); + lmbs[i].drc_index = cpu_to_be32(lmbs[i].drc_index); ++ lmbs[i].aa_index = cpu_to_be32(lmbs[i].aa_index); + lmbs[i].flags = cpu_to_be32(lmbs[i].flags); + } + diff --git a/queue-4.11/powerpc-kernel-fix-fp-and-vector-register-restoration.patch b/queue-4.11/powerpc-kernel-fix-fp-and-vector-register-restoration.patch new file mode 100644 index 00000000000..57d9b867a4f --- /dev/null +++ b/queue-4.11/powerpc-kernel-fix-fp-and-vector-register-restoration.patch @@ -0,0 +1,51 @@ +From 1195892c091a15cc862f4e202482a36adc924e12 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Fri, 2 Jun 2017 18:43:30 -0300 +Subject: powerpc/kernel: Fix FP and vector register restoration + +From: Breno Leitao + +commit 1195892c091a15cc862f4e202482a36adc924e12 upstream. + +Currently tsk->thread->load_vec and load_fp are not initialized during +task creation, which can lead to garbage values in these variables (non-zero +values). + +These variables will be checked later in restore_math() to validate if the +FP and vector registers are being utilized. Since these values might be +non-zero, the restore_math() will continue to save the FP and vectors even if +they were never utilized by the userspace application. load_fp and load_vec +counters will then overflow (they wrap at 255) and the FP and Altivec will be +finally disabled, but before that condition is reached (counter overflow) +several context switches will have restored FP and vector registers without +need, causing a performance degradation. + +Fixes: 70fe3d980f5f ("powerpc: Restore FPU/VEC/VSX if previously used") +Signed-off-by: Breno Leitao +Signed-off-by: Gustavo Romero +Acked-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/process.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1666,6 +1666,7 @@ void start_thread(struct pt_regs *regs, + #ifdef CONFIG_VSX + current->thread.used_vsr = 0; + #endif ++ current->thread.load_fp = 0; + memset(¤t->thread.fp_state, 0, sizeof(current->thread.fp_state)); + current->thread.fp_save_area = NULL; + #ifdef CONFIG_ALTIVEC +@@ -1674,6 +1675,7 @@ void start_thread(struct pt_regs *regs, + current->thread.vr_save_area = NULL; + current->thread.vrsave = 0; + current->thread.used_vr = 0; ++ current->thread.load_vec = 0; + #endif /* CONFIG_ALTIVEC */ + #ifdef CONFIG_SPE + memset(current->thread.evr, 0, sizeof(current->thread.evr)); diff --git a/queue-4.11/powerpc-kernel-initialize-load_tm-on-task-creation.patch b/queue-4.11/powerpc-kernel-initialize-load_tm-on-task-creation.patch new file mode 100644 index 00000000000..9a53dd28446 --- /dev/null +++ b/queue-4.11/powerpc-kernel-initialize-load_tm-on-task-creation.patch @@ -0,0 +1,36 @@ +From 7f22ced4377628074e2ac25f41a88f98eb3b03f1 Mon Sep 17 00:00:00 2001 +From: Breno Leitao +Date: Mon, 5 Jun 2017 11:40:59 -0300 +Subject: powerpc/kernel: Initialize load_tm on task creation + +From: Breno Leitao + +commit 7f22ced4377628074e2ac25f41a88f98eb3b03f1 upstream. + +Currently tsk->thread.load_tm is not initialized in the task creation +and can contain garbage on a new task. + +This is an undesired behaviour, since it affects the timing to enable +and disable the transactional memory laziness (disabling and enabling +the MSR TM bit, which affects TM reclaim and recheckpoint in the +scheduling process). + +Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace") +Signed-off-by: Breno Leitao +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/process.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -1687,6 +1687,7 @@ void start_thread(struct pt_regs *regs, + current->thread.tm_tfhar = 0; + current->thread.tm_texasr = 0; + current->thread.tm_tfiar = 0; ++ current->thread.load_tm = 0; + #endif /* CONFIG_PPC_TRANSACTIONAL_MEM */ + } + EXPORT_SYMBOL(start_thread); diff --git a/queue-4.11/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch b/queue-4.11/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch new file mode 100644 index 00000000000..43432091349 --- /dev/null +++ b/queue-4.11/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch @@ -0,0 +1,105 @@ +From ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 6 Jun 2017 20:23:57 +1000 +Subject: powerpc/numa: Fix percpu allocations to be NUMA aware + +From: Michael Ellerman + +commit ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b upstream. + +In commit 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID"), we +switched to the generic implementation of cpu_to_node(), which uses a percpu +variable to hold the NUMA node for each CPU. + +Unfortunately we neglected to notice that we use cpu_to_node() in the allocation +of our percpu areas, leading to a chicken and egg problem. In practice what +happens is when we are setting up the percpu areas, cpu_to_node() reports that +all CPUs are on node 0, so we allocate all percpu areas on node 0. + +This is visible in the dmesg output, as all pcpu allocs being in group 0: + + pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07 + pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15 + pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23 + pcpu-alloc: [0] 24 25 26 27 [0] 28 29 30 31 + pcpu-alloc: [0] 32 33 34 35 [0] 36 37 38 39 + pcpu-alloc: [0] 40 41 42 43 [0] 44 45 46 47 + +To fix it we need an early_cpu_to_node() which can run prior to percpu being +setup. We already have the numa_cpu_lookup_table we can use, so just plumb it +in. With the patch dmesg output shows two groups, 0 and 1: + + pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07 + pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15 + pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23 + pcpu-alloc: [1] 24 25 26 27 [1] 28 29 30 31 + pcpu-alloc: [1] 32 33 34 35 [1] 36 37 38 39 + pcpu-alloc: [1] 40 41 42 43 [1] 44 45 46 47 + +We can also check the data_offset in the paca of various CPUs, with the fix we +see: + + CPU 0: data_offset = 0x0ffe8b0000 + CPU 24: data_offset = 0x1ffe5b0000 + +And we can see from dmesg that CPU 24 has an allocation on node 1: + + node 0: [mem 0x0000000000000000-0x0000000fffffffff] + node 1: [mem 0x0000001000000000-0x0000001fffffffff] + +Fixes: 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID") +Signed-off-by: Michael Ellerman +Reviewed-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/topology.h | 14 ++++++++++++++ + arch/powerpc/kernel/setup_64.c | 4 ++-- + 2 files changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/topology.h ++++ b/arch/powerpc/include/asm/topology.h +@@ -44,8 +44,22 @@ extern void __init dump_numa_cpu_topolog + extern int sysfs_add_device_to_node(struct device *dev, int nid); + extern void sysfs_remove_device_from_node(struct device *dev, int nid); + ++static inline int early_cpu_to_node(int cpu) ++{ ++ int nid; ++ ++ nid = numa_cpu_lookup_table[cpu]; ++ ++ /* ++ * Fall back to node 0 if nid is unset (it should be, except bugs). ++ * This allows callers to safely do NODE_DATA(early_cpu_to_node(cpu)). ++ */ ++ return (nid < 0) ? 0 : nid; ++} + #else + ++static inline int early_cpu_to_node(int cpu) { return 0; } ++ + static inline void dump_numa_cpu_topology(void) {} + + static inline int sysfs_add_device_to_node(struct device *dev, int nid) +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -650,7 +650,7 @@ void __init emergency_stack_init(void) + + static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align) + { +- return __alloc_bootmem_node(NODE_DATA(cpu_to_node(cpu)), size, align, ++ return __alloc_bootmem_node(NODE_DATA(early_cpu_to_node(cpu)), size, align, + __pa(MAX_DMA_ADDRESS)); + } + +@@ -661,7 +661,7 @@ static void __init pcpu_fc_free(void *pt + + static int pcpu_cpu_distance(unsigned int from, unsigned int to) + { +- if (cpu_to_node(from) == cpu_to_node(to)) ++ if (early_cpu_to_node(from) == early_cpu_to_node(to)) + return LOCAL_DISTANCE; + else + return REMOTE_DISTANCE; diff --git a/queue-4.11/powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch b/queue-4.11/powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch new file mode 100644 index 00000000000..5a7fb1540f1 --- /dev/null +++ b/queue-4.11/powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch @@ -0,0 +1,36 @@ +From 6f553912eedafae13ff20b322a65e471fe7f5236 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Wed, 24 May 2017 10:01:55 +0200 +Subject: powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function + +From: Christophe Leroy + +commit 6f553912eedafae13ff20b322a65e471fe7f5236 upstream. + +of_mm_gpiochip_add_data() generates an oops for NULL pointer dereference. + +of_mm_gpiochip_add_data() calls mm_gc->save_regs() before +setting the data, therefore ->save_regs() cannot use gpiochip_get_data() + +Fixes: 937daafca774 ("powerpc: simple-gpio: use gpiochip data pointer") +Signed-off-by: Christophe Leroy +Reviewed-by: Linus Walleij +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/simple_gpio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/simple_gpio.c ++++ b/arch/powerpc/sysdev/simple_gpio.c +@@ -75,7 +75,8 @@ static int u8_gpio_dir_out(struct gpio_c + + static void u8_gpio_save_regs(struct of_mm_gpio_chip *mm_gc) + { +- struct u8_gpio_chip *u8_gc = gpiochip_get_data(&mm_gc->gc); ++ struct u8_gpio_chip *u8_gc = ++ container_of(mm_gc, struct u8_gpio_chip, mm_gc); + + u8_gc->data = in_8(mm_gc->regs); + } diff --git a/queue-4.11/revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch b/queue-4.11/revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch new file mode 100644 index 00000000000..bb253244ab9 --- /dev/null +++ b/queue-4.11/revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch @@ -0,0 +1,62 @@ +From 3e4240da0e3673637c1c995bdd14cfdbc8f4dc4c Mon Sep 17 00:00:00 2001 +From: Andrew Lunn +Date: Wed, 24 May 2017 01:39:35 +0200 +Subject: Revert "ata: sata_mv: Convert to devm_ioremap_resource()" + +From: Andrew Lunn + +commit 3e4240da0e3673637c1c995bdd14cfdbc8f4dc4c upstream. + +This reverts commit 368e5fbdfc60732643f34f538823ed4bc8829827. + +devm_ioremap_resource() enforces that there are no overlapping +resources, where as devm_ioremap() does not. The sata phy driver needs +a subset of the sata IO address space, so maps some of the sata +address space. As a result, sata_mv now fails to probe, reporting it +cannot get its resources, and so we don't have any SATA disks. + +Signed-off-by: Andrew Lunn +Acked-by: Gregory CLEMENT +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/sata_mv.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -4067,7 +4067,6 @@ static int mv_platform_probe(struct plat + struct ata_host *host; + struct mv_host_priv *hpriv; + struct resource *res; +- void __iomem *mmio; + int n_ports = 0, irq = 0; + int rc; + int port; +@@ -4086,9 +4085,8 @@ static int mv_platform_probe(struct plat + * Get the register base first + */ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +- mmio = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mmio)) +- return PTR_ERR(mmio); ++ if (res == NULL) ++ return -EINVAL; + + /* allocate host */ + if (pdev->dev.of_node) { +@@ -4132,7 +4130,12 @@ static int mv_platform_probe(struct plat + hpriv->board_idx = chip_soc; + + host->iomap = NULL; +- hpriv->base = mmio - SATAHC0_REG_BASE; ++ hpriv->base = devm_ioremap(&pdev->dev, res->start, ++ resource_size(res)); ++ if (!hpriv->base) ++ return -ENOMEM; ++ ++ hpriv->base -= SATAHC0_REG_BASE; + + hpriv->clk = clk_get(&pdev->dev, NULL); + if (IS_ERR(hpriv->clk)) diff --git a/queue-4.11/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch b/queue-4.11/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch new file mode 100644 index 00000000000..e1815b525ea --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch @@ -0,0 +1,65 @@ +From ddff7ed45edce4a4c92949d3c61cd25d229c4a14 Mon Sep 17 00:00:00 2001 +From: Johannes Thumshirn +Date: Tue, 23 May 2017 16:50:47 +0200 +Subject: scsi: qla2xxx: don't disable a not previously enabled PCI device + +From: Johannes Thumshirn + +commit ddff7ed45edce4a4c92949d3c61cd25d229c4a14 upstream. + +When pci_enable_device() or pci_enable_device_mem() fail in +qla2x00_probe_one() we bail out but do a call to +pci_disable_device(). This causes the dev_WARN_ON() in +pci_disable_device() to trigger, as the device wasn't enabled +previously. + +So instead of taking the 'probe_out' error path we can directly return +*iff* one of the pci_enable_device() calls fails. + +Additionally rename the 'probe_out' goto label's name to the more +descriptive 'disable_device'. + +Signed-off-by: Johannes Thumshirn +Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring") +Reviewed-by: Bart Van Assche +Reviewed-by: Giridhar Malavali +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -2626,10 +2626,10 @@ qla2x00_probe_one(struct pci_dev *pdev, + + if (mem_only) { + if (pci_enable_device_mem(pdev)) +- goto probe_out; ++ return ret; + } else { + if (pci_enable_device(pdev)) +- goto probe_out; ++ return ret; + } + + /* This may fail but that's ok */ +@@ -2639,7 +2639,7 @@ qla2x00_probe_one(struct pci_dev *pdev, + if (!ha) { + ql_log_pci(ql_log_fatal, pdev, 0x0009, + "Unable to allocate memory for ha.\n"); +- goto probe_out; ++ goto disable_device; + } + ql_dbg_pci(ql_dbg_init, pdev, 0x000a, + "Memory allocated for ha=%p.\n", ha); +@@ -3258,7 +3258,7 @@ iospace_config_failed: + kfree(ha); + ha = NULL; + +-probe_out: ++disable_device: + pci_disable_device(pdev); + return ret; + } diff --git a/queue-4.11/scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch b/queue-4.11/scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch new file mode 100644 index 00000000000..7e983aa59f0 --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch @@ -0,0 +1,97 @@ +From b95b9452aacf80659ea67bf0948cbfa7e28e5e0b Mon Sep 17 00:00:00 2001 +From: Sawan Chandak +Date: Wed, 24 May 2017 18:06:20 -0700 +Subject: scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue + +From: Sawan Chandak + +commit b95b9452aacf80659ea67bf0948cbfa7e28e5e0b upstream. + +when driver is loaded with Multi Queue enabled, it was noticed that +there was one less queue pair created. + +Following message would indicate this: + +"No resources to create additional q pair." + +The result of one less queue pair means that system can crash, if the +block mq layer thinks there is an extra hardware queue available, and +the driver will use a NULL ptr qpair in that instance. + +Following stack trace is seen in one of the crash: + +irq_create_affinity_masks+0x98/0x530 +irq_create_affinity_masks+0x98/0x530 +__pci_enable_msix+0x321/0x4e0 +mutex_lock+0x12/0x40 +pci_alloc_irq_vectors_affinity+0xb5/0x140 +qla24xx_enable_msix+0x79/0x530 [qla2xxx] +qla2x00_request_irqs+0x61/0x2d0 [qla2xxx] +qla2x00_probe_one+0xc73/0x2390 [qla2xxx] +ida_simple_get+0x98/0x100 +kernfs_next_descendant_post+0x40/0x50 +local_pci_probe+0x45/0xa0 +pci_device_probe+0xfc/0x140 +driver_probe_device+0x2c5/0x470 +__driver_attach+0xdd/0xe0 +driver_probe_device+0x470/0x470 +bus_for_each_dev+0x6c/0xc0 +driver_attach+0x1e/0x20 +bus_add_driver+0x45/0x270 +driver_register+0x60/0xe0 +__pci_register_driver+0x4c/0x50 +qla2x00_module_init+0x1ce/0x21e [qla2xxx] + +Signed-off-by: Sawan Chandak +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_def.h | 1 + + drivers/scsi/qla2xxx/qla_init.c | 5 ++++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_def.h ++++ b/drivers/scsi/qla2xxx/qla_def.h +@@ -3425,6 +3425,7 @@ struct qla_hw_data { + uint8_t max_req_queues; + uint8_t max_rsp_queues; + uint8_t max_qpairs; ++ uint8_t num_qpairs; + struct qla_qpair *base_qpair; + struct qla_npiv_entry *npiv_info; + uint16_t nvram_npiv_size; +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -7543,12 +7543,13 @@ struct qla_qpair *qla2xxx_create_qpair(s + /* Assign available que pair id */ + mutex_lock(&ha->mq_lock); + qpair_id = find_first_zero_bit(ha->qpair_qid_map, ha->max_qpairs); +- if (qpair_id >= ha->max_qpairs) { ++ if (ha->num_qpairs >= ha->max_qpairs) { + mutex_unlock(&ha->mq_lock); + ql_log(ql_log_warn, vha, 0x0183, + "No resources to create additional q pair.\n"); + goto fail_qid_map; + } ++ ha->num_qpairs++; + set_bit(qpair_id, ha->qpair_qid_map); + ha->queue_pair_map[qpair_id] = qpair; + qpair->id = qpair_id; +@@ -7635,6 +7636,7 @@ fail_rsp: + fail_msix: + ha->queue_pair_map[qpair_id] = NULL; + clear_bit(qpair_id, ha->qpair_qid_map); ++ ha->num_qpairs--; + mutex_unlock(&ha->mq_lock); + fail_qid_map: + kfree(qpair); +@@ -7660,6 +7662,7 @@ int qla2xxx_delete_qpair(struct scsi_qla + mutex_lock(&ha->mq_lock); + ha->queue_pair_map[qpair->id] = NULL; + clear_bit(qpair->id, ha->qpair_qid_map); ++ ha->num_qpairs--; + list_del(&qpair->qp_list_elem); + if (list_empty(&vha->qp_list)) + vha->flags.qpairs_available = 0; diff --git a/queue-4.11/scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch b/queue-4.11/scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch new file mode 100644 index 00000000000..42559808641 --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch @@ -0,0 +1,38 @@ +From 74939a0bc772d642b1c12827966c4c3a3c90ea2c Mon Sep 17 00:00:00 2001 +From: Joe Carnuccio +Date: Wed, 24 May 2017 18:06:23 -0700 +Subject: scsi: qla2xxx: Fix mailbox pointer error in fwdump capture + +From: Joe Carnuccio + +commit 74939a0bc772d642b1c12827966c4c3a3c90ea2c upstream. + +Signed-off-by: Joe Carnuccio +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_dbg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_dbg.c ++++ b/drivers/scsi/qla2xxx/qla_dbg.c +@@ -1131,7 +1131,7 @@ qla24xx_fw_dump(scsi_qla_host_t *vha, in + + /* Mailbox registers. */ + mbx_reg = ®->mailbox0; +- for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, dmp_reg++) ++ for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, mbx_reg++) + fw->mailbox_reg[cnt] = htons(RD_REG_WORD(mbx_reg)); + + /* Transfer sequence registers. */ +@@ -2090,7 +2090,7 @@ qla83xx_fw_dump(scsi_qla_host_t *vha, in + + /* Mailbox registers. */ + mbx_reg = ®->mailbox0; +- for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, dmp_reg++) ++ for (cnt = 0; cnt < sizeof(fw->mailbox_reg) / 2; cnt++, mbx_reg++) + fw->mailbox_reg[cnt] = htons(RD_REG_WORD(mbx_reg)); + + /* Transfer sequence registers. */ diff --git a/queue-4.11/scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch b/queue-4.11/scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch new file mode 100644 index 00000000000..6467c916c5a --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch @@ -0,0 +1,44 @@ +From 0ea88662b5c6404a8f7af6b040b3cf1f0e8c3a66 Mon Sep 17 00:00:00 2001 +From: Quinn Tran +Date: Wed, 24 May 2017 18:06:19 -0700 +Subject: scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call + +From: Quinn Tran + +commit 0ea88662b5c6404a8f7af6b040b3cf1f0e8c3a66 upstream. + +Remove redundant fc_host_port_name calls to prevent early access of +scsi_host->shost_data buffer. This prevent null pointer access. + +Following stack trace is seen: + +BUG: unable to handle kernel NULL pointer dereference at 00000000000008 +IP: qla24xx_report_id_acquisition+0x22d/0x3a0 [qla2xxx] + +Signed-off-by: Quinn Tran +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_mbx.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -3676,15 +3676,6 @@ qla24xx_report_id_acquisition(scsi_qla_h + qlt_update_host_map(vha, id); + } + +- fc_host_port_name(vha->host) = +- wwn_to_u64(vha->port_name); +- +- if (qla_ini_mode_enabled(vha)) +- ql_dbg(ql_dbg_mbx, vha, 0x1018, +- "FA-WWN portname %016llx (%x)\n", +- fc_host_port_name(vha->host), +- rptid_entry->vp_status); +- + set_bit(REGISTER_FC4_NEEDED, &vha->dpc_flags); + set_bit(REGISTER_FDMI_NEEDED, &vha->dpc_flags); + } else { diff --git a/queue-4.11/scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch b/queue-4.11/scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch new file mode 100644 index 00000000000..6be80859203 --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch @@ -0,0 +1,44 @@ +From cb590700e04d4f59179c44f360217f5ad04ae262 Mon Sep 17 00:00:00 2001 +From: "himanshu.madhani@cavium.com" +Date: Wed, 24 May 2017 18:06:18 -0700 +Subject: scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive + +From: himanshu.madhani@cavium.com + +commit cb590700e04d4f59179c44f360217f5ad04ae262 upstream. + +Following messages are seen into system logs + +qla2xxx [0000:09:00.0]-00af:9: Performing ISP error recovery - ha=ffff98315ee30000. +qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware. +qla2xxx [0000:09:00.0]-d009:9: Firmware has been previously dumped (ffffba488c001000) -- ignoring request. +qla2xxx [0000:09:00.0]-504b:9: RISC paused -- HCCR=40, Dumping firmware. + +See Bugzilla for details +https://bugzilla.kernel.org/show_bug.cgi?id=195285 + +Fixes: d74595278f4ab ("scsi: qla2xxx: Add multiple queue pair functionality.") +Reported-by: Laurence Oberman +Reported-by: Anthony Bloodoff +Tested-by: Laurence Oberman +Tested-by: Anthony Bloodoff +Signed-off-by: Himanshu Madhani +Signed-off-by: Giridhar Malavali +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_isr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -3282,7 +3282,7 @@ msix_register_fail: + } + + /* Enable MSI-X vector for response queue update for queue 0 */ +- if (IS_QLA83XX(ha) || IS_QLA27XX(ha)) { ++ if (IS_QLA25XX(ha) || IS_QLA83XX(ha) || IS_QLA27XX(ha)) { + if (ha->msixbase && ha->mqiobase && + (ha->max_rsp_queues > 1 || ha->max_req_queues > 1 || + ql2xmqsupport)) diff --git a/queue-4.11/scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch b/queue-4.11/scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch new file mode 100644 index 00000000000..80336162928 --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch @@ -0,0 +1,33 @@ +From ce6c668b146cc4f4442111e2bcee4c3af94e1ddf Mon Sep 17 00:00:00 2001 +From: Joe Carnuccio +Date: Wed, 24 May 2017 18:06:21 -0700 +Subject: scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues + +From: Joe Carnuccio + +commit ce6c668b146cc4f4442111e2bcee4c3af94e1ddf upstream. + +Firmware dump allows for debugging customer issues. This patch fixes +start/end pointer calculation to capture T262 template entry for dump +tool. + +Signed-off-by: Joe Carnuccio +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_tmpl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/qla2xxx/qla_tmpl.c ++++ b/drivers/scsi/qla2xxx/qla_tmpl.c +@@ -371,7 +371,7 @@ qla27xx_fwdt_entry_t262(struct scsi_qla_ + goto done; + } + +- if (end <= start || start == 0 || end == 0) { ++ if (end < start || start == 0 || end == 0) { + ql_dbg(ql_dbg_misc, vha, 0xd023, + "%s: unusable range (start=%x end=%x)\n", __func__, + ent->t262.end_addr, ent->t262.start_addr); diff --git a/queue-4.11/scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch b/queue-4.11/scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch new file mode 100644 index 00000000000..2212ea43d43 --- /dev/null +++ b/queue-4.11/scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch @@ -0,0 +1,61 @@ +From 1d63496516c61e2e1351f10e6becbfc9ee511395 Mon Sep 17 00:00:00 2001 +From: Joe Carnuccio +Date: Wed, 24 May 2017 18:06:22 -0700 +Subject: scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC + +From: Joe Carnuccio + +commit 1d63496516c61e2e1351f10e6becbfc9ee511395 upstream. + +Set bit (BIT_15) to send right ECHO payload information for Diagnostic +Echo Test command. + +Signed-off-by: Joe Carnuccio +Signed-off-by: Himanshu Madhani +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_bsg.c | 9 +++++---- + drivers/scsi/qla2xxx/qla_mbx.c | 4 ++-- + 2 files changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_bsg.c ++++ b/drivers/scsi/qla2xxx/qla_bsg.c +@@ -730,6 +730,8 @@ qla2x00_process_loopback(struct bsg_job + return -EIO; + } + ++ memset(&elreq, 0, sizeof(elreq)); ++ + elreq.req_sg_cnt = dma_map_sg(&ha->pdev->dev, + bsg_job->request_payload.sg_list, bsg_job->request_payload.sg_cnt, + DMA_TO_DEVICE); +@@ -795,10 +797,9 @@ qla2x00_process_loopback(struct bsg_job + + if (atomic_read(&vha->loop_state) == LOOP_READY && + (ha->current_topology == ISP_CFG_F || +- ((IS_QLA81XX(ha) || IS_QLA8031(ha) || IS_QLA8044(ha)) && +- le32_to_cpu(*(uint32_t *)req_data) == ELS_OPCODE_BYTE +- && req_data_len == MAX_ELS_FRAME_PAYLOAD)) && +- elreq.options == EXTERNAL_LOOPBACK) { ++ (le32_to_cpu(*(uint32_t *)req_data) == ELS_OPCODE_BYTE && ++ req_data_len == MAX_ELS_FRAME_PAYLOAD)) && ++ elreq.options == EXTERNAL_LOOPBACK) { + type = "FC_BSG_HST_VENDOR_ECHO_DIAG"; + ql_dbg(ql_dbg_user, vha, 0x701e, + "BSG request type: %s.\n", type); +--- a/drivers/scsi/qla2xxx/qla_mbx.c ++++ b/drivers/scsi/qla2xxx/qla_mbx.c +@@ -4812,9 +4812,9 @@ qla2x00_echo_test(scsi_qla_host_t *vha, + + memset(mcp->mb, 0 , sizeof(mcp->mb)); + mcp->mb[0] = MBC_DIAGNOSTIC_ECHO; +- mcp->mb[1] = mreq->options | BIT_6; /* BIT_6 specifies 64bit address */ ++ /* BIT_6 specifies 64bit address */ ++ mcp->mb[1] = mreq->options | BIT_15 | BIT_6; + if (IS_CNA_CAPABLE(ha)) { +- mcp->mb[1] |= BIT_15; + mcp->mb[2] = vha->fcoe_fcf_idx; + } + mcp->mb[16] = LSW(mreq->rcv_dma); diff --git a/queue-4.11/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch b/queue-4.11/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch new file mode 100644 index 00000000000..89eaa83b1f2 --- /dev/null +++ b/queue-4.11/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch @@ -0,0 +1,61 @@ +From 3c9101766b502a0163d1d437fada5801cf616be2 Mon Sep 17 00:00:00 2001 +From: Takatoshi Akiyama +Date: Mon, 27 Feb 2017 15:56:31 +0900 +Subject: serial: sh-sci: Fix panic when serial console and DMA are enabled + +From: Takatoshi Akiyama + +commit 3c9101766b502a0163d1d437fada5801cf616be2 upstream. + +This patch fixes an issue that kernel panic happens when DMA is enabled +and we press enter key while the kernel booting on the serial console. + +* An interrupt may occur after sci_request_irq(). +* DMA transfer area is initialized by setup_timer() in sci_request_dma() + and used in interrupt. + +If an interrupt occurred between sci_request_irq() and setup_timer() in +sci_request_dma(), DMA transfer area has not been initialized yet. +So, this patch changes the order of sci_request_irq() and +sci_request_dma(). + +Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.") +Signed-off-by: Takatoshi Akiyama +[Shimoda changes the commit log] +Signed-off-by: Yoshihiro Shimoda +Cc: Jiri Slaby +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/sh-sci.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1985,11 +1985,13 @@ static int sci_startup(struct uart_port + + dev_dbg(port->dev, "%s(%d)\n", __func__, port->line); + ++ sci_request_dma(port); ++ + ret = sci_request_irq(s); +- if (unlikely(ret < 0)) ++ if (unlikely(ret < 0)) { ++ sci_free_dma(port); + return ret; +- +- sci_request_dma(port); ++ } + + return 0; + } +@@ -2021,8 +2023,8 @@ static void sci_shutdown(struct uart_por + } + #endif + +- sci_free_dma(port); + sci_free_irq(s); ++ sci_free_dma(port); + } + + static int sci_sck_calc(struct sci_port *s, unsigned int bps, diff --git a/queue-4.11/series b/queue-4.11/series index fff82425cff..00f670a2dbb 100644 --- a/queue-4.11/series +++ b/queue-4.11/series @@ -109,3 +109,36 @@ btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch btrfs-fix-memory-leak-in-update_space_info-failure-path.patch btrfs-fix-race-with-relocation-recovery-and-fs_root-setup.patch btrfs-fix-delalloc-accounting-leak-caused-by-u32-overflow.patch +kvm-arm-arm64-handle-possible-null-stage2-pud-when-ageing-pages.patch +scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch +scsi-qla2xxx-fix-recursive-loop-during-target-mode-configuration-for-isp25xx-leaving-system-unresponsive.patch +scsi-qla2xxx-fix-crash-due-to-mismatch-mumber-of-q-pair-creation-for-multi-queue.patch +scsi-qla2xxx-fix-null-pointer-access-due-to-redundant-fc_host_port_name-call.patch +scsi-qla2xxx-modify-t262-fw-dump-template-to-specify-same-start-end-to-debug-customer-issues.patch +scsi-qla2xxx-set-bit-15-for-diag_echo_test-mbc.patch +scsi-qla2xxx-fix-mailbox-pointer-error-in-fwdump-capture.patch +powerpc-sysdev-simple_gpio-fix-oops-in-gpio-save_regs-function.patch +powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch +powerpc-hotplug-mem-fix-missing-endian-conversion-of-aa_index.patch +powerpc-kernel-fix-fp-and-vector-register-restoration.patch +powerpc-kernel-initialize-load_tm-on-task-creation.patch +revert-ata-sata_mv-convert-to-devm_ioremap_resource.patch +perf-core-drop-kernel-samples-even-though-u-is-specified.patch +srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch +net-qcom-emac-do-not-use-hardware-mdio-automatic-polling.patch +drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch +drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch +drm-vmwgfx-make-sure-backup_handle-is-always-valid.patch +x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch +drm-nouveau-tmr-fully-separate-alarm-execution-pending-lists.patch +alsa-timer-fix-race-between-read-and-ioctl.patch +alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch +asoc-fix-use-after-free-at-card-unregistration.patch +cpu-hotplug-drop-the-device-lock-on-error.patch +drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch +drm-i915-serialize-gtt-aperture-accesses-on-bxt.patch +drm-i915-fix-runtime-pm-for-lpe-audio.patch +drm-i915-skl-add-missing-skl-id.patch +serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch +pinctrl-cherryview-add-terminate-entry-for-dmi_system_id-tables.patch +cgroup-mark-cgroup_get-with-__maybe_unused.patch diff --git a/queue-4.11/srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch b/queue-4.11/srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch new file mode 100644 index 00000000000..995250a9899 --- /dev/null +++ b/queue-4.11/srcu-allow-use-of-classic-srcu-from-both-process-and-interrupt-context.patch @@ -0,0 +1,96 @@ +From 1123a6041654e8f889014659593bad4168e542c2 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 31 May 2017 14:03:11 +0200 +Subject: srcu: Allow use of Classic SRCU from both process and interrupt context + +From: Paolo Bonzini + +commit 1123a6041654e8f889014659593bad4168e542c2 upstream. + +Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting +down a guest running iperf on a VFIO assigned device. This happens +because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt +context, while a worker thread does the same inside kvm_set_irq(). If the +interrupt happens while the worker thread is executing __srcu_read_lock(), +updates to the Classic SRCU ->lock_count[] field or the Tree SRCU +->srcu_lock_count[] field can be lost. + +The docs say you are not supposed to call srcu_read_lock() and +srcu_read_unlock() from irq context, but KVM interrupt injection happens +from (host) interrupt context and it would be nice if SRCU supported the +use case. KVM is using SRCU here not really for the "sleepable" part, +but rather due to its IPI-free fast detection of grace periods. It is +therefore not desirable to switch back to RCU, which would effectively +revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING", +2014-01-16). + +However, the docs are overly conservative. You can have an SRCU instance +only has users in irq context, and you can mix process and irq context +as long as process context users disable interrupts. In addition, +__srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and +Classic SRCU. For those two implementations, only srcu_read_lock() +is unsafe. + +When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(), +in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via +this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments. +Therefore it kept __this_cpu_inc(), with preempt_disable/enable in +the caller. Tree SRCU however only does one increment, so on most +architectures it is more efficient for __srcu_read_lock() to use +this_cpu_inc(), and any performance differences appear to be down in +the noise. + +Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING") +Reported-by: Linu Cherian +Suggested-by: Linu Cherian +Cc: kvm@vger.kernel.org +Signed-off-by: Paolo Bonzini +Cc: Linus Torvalds +Signed-off-by: Paul E. McKenney +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/srcu.h | 2 -- + kernel/rcu/srcu.c | 5 ++--- + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/include/linux/srcu.h ++++ b/include/linux/srcu.h +@@ -232,9 +232,7 @@ static inline int srcu_read_lock(struct + { + int retval; + +- preempt_disable(); + retval = __srcu_read_lock(sp); +- preempt_enable(); + rcu_lock_acquire(&(sp)->dep_map); + return retval; + } +--- a/kernel/rcu/srcu.c ++++ b/kernel/rcu/srcu.c +@@ -257,7 +257,7 @@ EXPORT_SYMBOL_GPL(cleanup_srcu_struct); + + /* + * Counts the new reader in the appropriate per-CPU element of the +- * srcu_struct. Must be called from process context. ++ * srcu_struct. + * Returns an index that must be passed to the matching srcu_read_unlock(). + */ + int __srcu_read_lock(struct srcu_struct *sp) +@@ -265,7 +265,7 @@ int __srcu_read_lock(struct srcu_struct + int idx; + + idx = READ_ONCE(sp->completed) & 0x1; +- __this_cpu_inc(sp->per_cpu_ref->lock_count[idx]); ++ this_cpu_inc(sp->per_cpu_ref->lock_count[idx]); + smp_mb(); /* B */ /* Avoid leaking the critical section. */ + return idx; + } +@@ -275,7 +275,6 @@ EXPORT_SYMBOL_GPL(__srcu_read_lock); + * Removes the count for the old reader from the appropriate per-CPU + * element of the srcu_struct. Note that this may well be a different + * CPU than that which was incremented by the corresponding srcu_read_lock(). +- * Must be called from process context. + */ + void __srcu_read_unlock(struct srcu_struct *sp, int idx) + { diff --git a/queue-4.11/x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch b/queue-4.11/x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch new file mode 100644 index 00000000000..4557881fe02 --- /dev/null +++ b/queue-4.11/x86-microcode-intel-clear-patch-pointer-before-jettisoning-the-initrd.patch @@ -0,0 +1,48 @@ +From 5b0bc9ac2ce4881ee318a21f31140584ce4dbdad Mon Sep 17 00:00:00 2001 +From: Dominik Brodowski +Date: Wed, 7 Jun 2017 11:58:19 +0200 +Subject: x86/microcode/intel: Clear patch pointer before jettisoning the initrd + +From: Dominik Brodowski + +commit 5b0bc9ac2ce4881ee318a21f31140584ce4dbdad upstream. + +During early boot, load_ucode_intel_ap() uses __load_ucode_intel() +to obtain a pointer to the relevant microcode patch (embedded in the +initrd), and stores this value in 'intel_ucode_patch' to speed up the +microcode patch application for subsequent CPUs. + +On resuming from suspend-to-RAM, however, load_ucode_ap() calls +load_ucode_intel_ap() for each non-boot-CPU. By then the initramfs is +long gone so the pointer stored in 'intel_ucode_patch' no longer points to +a valid microcode patch. + +Clear that pointer so that we effectively fall back to the CPU hotplug +notifier callbacks to update the microcode. + +Signed-off-by: Dominik Brodowski +[ Edit and massage commit message. ] +Signed-off-by: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170607095819.9754-1-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/microcode/intel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -619,6 +619,9 @@ int __init save_microcode_in_initrd_inte + + show_saved_mc(); + ++ /* initrd is going away, clear patch ptr. */ ++ intel_ucode_patch = NULL; ++ + return 0; + } +