From: Greg Kroah-Hartman
Date: Mon, 12 Jun 2017 12:46:55 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.57~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f1709006d3f496bf6c779495e789c5c80ba4490;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches
added patches:
alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch
asoc-fix-use-after-free-at-card-unregistration.patch
drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch
drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch
perf-core-drop-kernel-samples-even-though-u-is-specified.patch
powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch
powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch
serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch
---
diff --git a/queue-3.18/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch b/queue-3.18/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch
new file mode 100644
index 00000000000..6d95c6a295a
--- /dev/null
+++ b/queue-3.18/alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch
@@ -0,0 +1,55 @@
+From ba3021b2c79b2fa9114f92790a99deb27a65b728 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 2 Jun 2017 17:26:56 +0200
+Subject: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
+
+From: Takashi Iwai
+
+commit ba3021b2c79b2fa9114f92790a99deb27a65b728 upstream.
+
+snd_timer_user_tselect() reallocates the queue buffer dynamically, but
+it forgot to reset its indices. Since the read may happen
+concurrently with ioctl and snd_timer_user_tselect() allocates the
+buffer via kmalloc(), this may lead to the leak of uninitialized
+kernel-space data, as spotted via KMSAN:
+
+ BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10
+ CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x143/0x1b0 lib/dump_stack.c:52
+ kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007
+ kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086
+ copy_to_user ./arch/x86/include/asm/uaccess.h:725
+ snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004
+ do_loop_readv_writev fs/read_write.c:716
+ __do_readv_writev+0x94c/0x1380 fs/read_write.c:864
+ do_readv_writev fs/read_write.c:894
+ vfs_readv fs/read_write.c:908
+ do_readv+0x52a/0x5d0 fs/read_write.c:934
+ SYSC_readv+0xb6/0xd0 fs/read_write.c:1021
+ SyS_readv+0x87/0xb0 fs/read_write.c:1018
+
+This patch adds the missing reset of queue indices. Together with the
+previous fix for the ioctl/read race, we cover the whole problem.
+
+Reported-by: Alexander Potapenko
+Tested-by: Alexander Potapenko
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/timer.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -1620,6 +1620,7 @@ static int snd_timer_user_tselect(struct
+ if (err < 0)
+ goto __err;
+
++ tu->qhead = tu->qtail = tu->qused = 0;
+ kfree(tu->queue);
+ tu->queue = NULL;
+ kfree(tu->tqueue);
diff --git a/queue-3.18/asoc-fix-use-after-free-at-card-unregistration.patch b/queue-3.18/asoc-fix-use-after-free-at-card-unregistration.patch
new file mode 100644
index 00000000000..d61da2337d6
--- /dev/null
+++ b/queue-3.18/asoc-fix-use-after-free-at-card-unregistration.patch
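Review bot: The added `tu->qhead = tu->qtail = tu->qused = 0;` in snd_timer_user_tselect() is only safe against a concurrent read if the ioctl/read serialization that the commit message calls "the previous fix" is already part of this 3.18 queue; the visible lines take no lock around the reset. The portion of queue-3.18/series shown on this page does not establish that, so the presence and ordering of that companion backport should be confirmed before this one is applied. A short comment above the reset, such as `/* reset indices together with the buffer; read() must be serialized against this ioctl */`, would record the dependency. The body of snd_timer_user_tselect() continues outside the hunk.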
@@ -0,0 +1,51 @@
+From 4efda5f2130da033aeedc5b3205569893b910de2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 24 May 2017 10:19:45 +0200
+Subject: ASoC: Fix use-after-free at card unregistration
+
+From: Takashi Iwai
+
+commit 4efda5f2130da033aeedc5b3205569893b910de2 upstream.
+
+soc_cleanup_card_resources() call snd_card_free() at the last of its
+procedure. This turned out to lead to a use-after-free.
+PCM runtimes have been already removed via soc_remove_pcm_runtimes(),
+while it's dereferenced later in soc_pcm_free() called via
+snd_card_free().
+
+The fix is simple: just move the snd_card_free() call to the beginning
+of the whole procedure. This also gives another benefit: it
+guarantees that all operations have been shut down before actually
+releasing the resources, which was racy until now.
+
+Reported-and-tested-by: Robert Jarzmik
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/soc-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -1868,6 +1868,9 @@ static int soc_cleanup_card_resources(st
+ for (i = 0; i < card->num_aux_devs; i++)
+ soc_remove_aux_dev(card, i);
+
++ /* free the ALSA card at first; this syncs with pending operations */
++ snd_card_free(card->snd_card);
++
+ /* remove and free each DAI */
+ soc_remove_dai_links(card);
+
+@@ -1879,9 +1882,7 @@ static int soc_cleanup_card_resources(st
+
+ snd_soc_dapm_free(&card->dapm);
+
+- snd_card_free(card->snd_card);
+ return 0;
+-
+ }
+
+ /* removes a socdev */
diff --git a/queue-3.18/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch b/queue-3.18/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
new file mode 100644
index 00000000000..c91f523d74d
--- /dev/null
+++ b/queue-3.18/drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
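Review bot: In this backport `snd_card_free(card->snd_card)` lands after the `soc_remove_aux_dev()` loop shown in the context lines, not at the start of soc_cleanup_card_resources() as the commit message and the new comment ("at first") describe. The aux devices are therefore still torn down before the card is synced and released; whether anything can reach them through a still-open handle at that point cannot be told from the hunk, because the top of the function is outside it. Either move the call above the loop, or make the comment match what the code does, e.g. `/* free the ALSA card before the DAI links; this syncs with pending operations */`.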
@@ -0,0 +1,36 @@
+From 32829da54d9368103a2f03269a5120aa9ee4d5da Mon Sep 17 00:00:00 2001
+From: Julius Werner
+Date: Fri, 2 Jun 2017 15:36:39 -0700
+Subject: drivers: char: mem: Fix wraparound check to allow mappings up to the end
+
+From: Julius Werner
+
+commit 32829da54d9368103a2f03269a5120aa9ee4d5da upstream.
+
+A recent fix to /dev/mem prevents mappings from wrapping around the end
+of physical address space. However, the check was written in a way that
+also prevents a mapping reaching just up to the end of physical address
+space, which may be a valid use case (especially on 32-bit systems).
+This patch fixes it by checking the last mapped address (instead of the
+first address behind that) for overflow.
+
+Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()")
+Reported-by: Nico Huber
+Signed-off-by: Julius Werner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/mem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -332,7 +332,7 @@ static int mmap_mem(struct file *file, s
+ phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT;
+
+ /* It's illegal to wrap around the end of the physical address space. */
+- if (offset + (phys_addr_t)size < offset)
++ if (offset + (phys_addr_t)size - 1 < offset)
+ return -EINVAL;
+
+ if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size))
diff --git a/queue-3.18/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch b/queue-3.18/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch
new file mode 100644
index 00000000000..6d298e614fd
--- /dev/null
+++ b/queue-3.18/drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch
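Review bot: The new test `offset + (phys_addr_t)size - 1 < offset` in mmap_mem() is a correct wraparound check only when `size` is non-zero: with `size == 0` and a non-zero `offset` it rejects the mapping, and with both zero the subtraction wraps and the mapping is accepted. `size` is computed outside the hunk, presumably from the VMA bounds, so a zero value is probably impossible here, but the check now silently depends on that. A comment would make the assumption explicit, e.g. `/* size is at least one page, so offset + size - 1 is the last mapped byte */`.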
@@ -0,0 +1,31 @@
+From f0c62e9878024300319ba2438adc7b06c6b9c448 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 27 Apr 2017 12:12:08 +0300
+Subject: drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
+
+From: Dan Carpenter
+
+commit f0c62e9878024300319ba2438adc7b06c6b9c448 upstream.
+
+If vmalloc() fails then we need to a bit of cleanup before returning.
+
+Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Sinclair Yeh
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
+@@ -384,6 +384,8 @@ void *vmw_fifo_reserve(struct vmw_privat
+ return fifo_state->static_buffer;
+ else {
+ fifo_state->dynamic_buffer = vmalloc(bytes);
++ if (!fifo_state->dynamic_buffer)
++ goto out_err;
+ return fifo_state->dynamic_buffer;
+ }
+ }
diff --git a/queue-3.18/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch b/queue-3.18/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch
new file mode 100644
index 00000000000..8a646115124
--- /dev/null
+++ b/queue-3.18/drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch
@@ -0,0 +1,36 @@
+From ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf Mon Sep 17 00:00:00 2001
+From: Vladis Dronov
+Date: Fri, 2 Jun 2017 07:42:09 +0200
+Subject: drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()
+
+From: Vladis Dronov
+
+commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf upstream.
+
+The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is
+a user-controlled 'uint32_t' value which is used as a loop count limit.
+This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'.
+
+References:
+https://bugzilla.redhat.com/show_bug.cgi?id=1437431
+
+Signed-off-by: Vladis Dronov
+Reviewed-by: Sinclair Yeh
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
+@@ -1243,6 +1243,9 @@ int vmw_gb_surface_define_ioctl(struct d
+ const struct svga3d_surface_desc *desc;
+ uint32_t backup_handle;
+
++ if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
++ return -EINVAL;
++
+ if (unlikely(vmw_user_surface_size == 0))
+ vmw_user_surface_size = ttm_round_pot(sizeof(*user_srf)) +
+ 128;
diff --git a/queue-3.18/perf-core-drop-kernel-samples-even-though-u-is-specified.patch b/queue-3.18/perf-core-drop-kernel-samples-even-though-u-is-specified.patch
new file mode 100644
index 00000000000..62ea330aeba
--- /dev/null
+++ b/queue-3.18/perf-core-drop-kernel-samples-even-though-u-is-specified.patch
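Review bot: The new bound on `req->mip_levels` in vmw_gb_surface_define_ioctl() carries no comment saying why it is there, so the reason survives only in the commit message. A one-line comment such as `/* mip_levels comes from userspace and is used as a loop bound */` would keep the check from being dropped in a later cleanup. `req` is assigned outside the hunk, so whether the other user-supplied fields of the request are bounded before use cannot be seen from here.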
@@ -0,0 +1,127 @@
+From cc1582c231ea041fbc68861dfaf957eaf902b829 Mon Sep 17 00:00:00 2001
+From: Jin Yao
+Date: Thu, 25 May 2017 18:09:07 +0800
+Subject: perf/core: Drop kernel samples even though :u is specified
+
+From: Jin Yao
+
+commit cc1582c231ea041fbc68861dfaf957eaf902b829 upstream.
+
+When doing sampling, for example:
+
+ perf record -e cycles:u ...
+
+On workloads that do a lot of kernel entry/exits we see kernel
+samples, even though :u is specified. This is due to skid existing.
+
+This might be a security issue because it can leak kernel addresses even
+though kernel sampling support is disabled.
+
+The patch drops the kernel samples if exclude_kernel is specified.
+
+For example, test on Haswell desktop:
+
+ perf record -e cycles:u
+ perf report --stdio
+
+Before patch applied:
+
+ 99.77% mgen mgen [.] buf_read
+ 0.20% mgen mgen [.] rand_buf_init
+ 0.01% mgen [kernel.vmlinux] [k] apic_timer_interrupt
+ 0.00% mgen mgen [.] last_free_elem
+ 0.00% mgen libc-2.23.so [.] __random_r
+ 0.00% mgen libc-2.23.so [.] _int_malloc
+ 0.00% mgen mgen [.] rand_array_init
+ 0.00% mgen [kernel.vmlinux] [k] page_fault
+ 0.00% mgen libc-2.23.so [.] __random
+ 0.00% mgen libc-2.23.so [.] __strcasestr
+ 0.00% mgen ld-2.23.so [.] strcmp
+ 0.00% mgen ld-2.23.so [.] _dl_start
+ 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
+ 0.00% mgen ld-2.23.so [.] _start
+
+We can see kernel symbols apic_timer_interrupt and page_fault.
+
+After patch applied:
+
+ 99.79% mgen mgen [.] buf_read
+ 0.19% mgen mgen [.] rand_buf_init
+ 0.00% mgen libc-2.23.so [.] __random_r
+ 0.00% mgen mgen [.] rand_array_init
+ 0.00% mgen mgen [.] last_free_elem
+ 0.00% mgen libc-2.23.so [.] vfprintf
+ 0.00% mgen libc-2.23.so [.] rand
+ 0.00% mgen libc-2.23.so [.] __random
+ 0.00% mgen libc-2.23.so [.] _int_malloc
+ 0.00% mgen libc-2.23.so [.] _IO_doallocbuf
+ 0.00% mgen ld-2.23.so [.] do_lookup_x
+ 0.00% mgen ld-2.23.so [.] open_verify.constprop.7
+ 0.00% mgen ld-2.23.so [.] _dl_important_hwcaps
+ 0.00% mgen libc-2.23.so [.] sched_setaffinity@@GLIBC_2.3.4
+ 0.00% mgen ld-2.23.so [.] _start
+
+There are only userspace symbols.
+
+Signed-off-by: Jin Yao
+Signed-off-by: Peter Zijlstra (Intel)
+Cc: Alexander Shishkin
+Cc: Arnaldo Carvalho de Melo
+Cc: Jiri Olsa
+Cc: Linus Torvalds
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Stephane Eranian
+Cc: Thomas Gleixner
+Cc: Vince Weaver
+Cc: acme@kernel.org
+Cc: jolsa@kernel.org
+Cc: kan.liang@intel.com
+Cc: mark.rutland@arm.com
+Cc: will.deacon@arm.com
+Cc: yao.jin@intel.com
+Link: http://lkml.kernel.org/r/1495706947-3744-1-git-send-email-yao.jin@linux.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/events/core.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/kernel/events/core.c
++++ b/kernel/events/core.c
+@@ -5761,6 +5761,21 @@ static void perf_log_throttle(struct per
+ perf_output_end(&handle);
+ }
+
++static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs)
++{
++ /*
++ * Due to interrupt latency (AKA "skid"), we may enter the
++ * kernel before taking an overflow, even if the PMU is only
++ * counting user events.
++ * To avoid leaking information to userspace, we must always
++ * reject kernel samples when exclude_kernel is set.
++ */
++ if (event->attr.exclude_kernel && !user_mode(regs))
++ return false;
++
++ return true;
++}
++
+ /*
+ * Generic event overflow handling, sampling.
+ */
+@@ -5808,6 +5823,12 @@ static int __perf_event_overflow(struct
+ }
+
+ /*
++ * For security, drop the skid kernel samples if necessary.
++ */
++ if (!sample_is_allowed(event, regs))
++ return ret;
++
++ /*
+ * XXX event_limit might not quite work as expected on inherited
+ * events
+ */
diff --git a/queue-3.18/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch b/queue-3.18/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch
new file mode 100644
index 00000000000..2a016ed2296
--- /dev/null
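Review bot: The early `return ret;` added to __perf_event_overflow() sits above the event_limit handling visible in the trailing context, so a sample rejected by sample_is_allowed() also skips that accounting and whatever overflow delivery follows outside the hunk. A consumer that counts overflow notifications rather than reading sample contents would then silently miss events whenever skid lands in the kernel. If that is intended, the comment should say so, e.g. `* A dropped sample is not counted against event_limit and reaches no overflow handler.`; otherwise only the sample payload should be suppressed and the rest of the overflow path kept. The remainder of the function is outside the hunk.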
+++ b/queue-3.18/powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch 
@@ -0,0 +1,91 @@
+From daeba2956f32f91f3493788ff6ee02fb1b2f02fa Mon Sep 17 00:00:00 2001
+From: Russell Currey
+Date: Wed, 19 Apr 2017 17:39:26 +1000
+Subject: powerpc/eeh: Avoid use after free in eeh_handle_special_event()
+
+From: Russell Currey
+
+commit daeba2956f32f91f3493788ff6ee02fb1b2f02fa upstream.
+
+eeh_handle_special_event() is called when an EEH event is detected but
+can't be narrowed down to a specific PE. This function looks through
+every PE to find one in an erroneous state, then calls the regular event
+handler eeh_handle_normal_event() once it knows which PE has an error.
+
+However, if eeh_handle_normal_event() found that the PE cannot possibly
+be recovered, it will free it, rendering the passed PE stale.
+This leads to a use after free in eeh_handle_special_event() as it attempts to
+clear the "recovering" state on the PE after eeh_handle_normal_event() returns.
+
+Thus, make sure the PE is valid when attempting to clear state in
+eeh_handle_special_event().
+
+Fixes: 8a6b1bc70dbb ("powerpc/eeh: EEH core to handle special event")
+Reported-by: Alexey Kardashevskiy
+Signed-off-by: Russell Currey
+Reviewed-by: Gavin Shan
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/powerpc/kernel/eeh_driver.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kernel/eeh_driver.c
++++ b/arch/powerpc/kernel/eeh_driver.c
+@@ -678,7 +678,7 @@ static int eeh_reset_device(struct eeh_p
+ */
+ #define MAX_WAIT_FOR_RECOVERY 300
+
+-static void eeh_handle_normal_event(struct eeh_pe *pe)
++static bool eeh_handle_normal_event(struct eeh_pe *pe)
+ {
+ struct pci_bus *frozen_bus;
+ int rc = 0;
+@@ -688,7 +688,7 @@ static void eeh_handle_normal_event(stru
+ if (!frozen_bus) {
+ pr_err("%s: Cannot find PCI bus for PHB#%d-PE#%x\n",
+ __func__, pe->phb->global_number, pe->addr);
+- return;
++ return false;
+ }
+
+ eeh_pe_update_time_stamp(pe);
+@@ -805,7 +805,7 @@ static void eeh_handle_normal_event(stru
+ pr_info("EEH: Notify device driver to resume\n");
+ eeh_pe_dev_traverse(pe, eeh_report_resume, NULL);
+
+- return;
++ return false;
+
+ excess_failures:
+ /*
+@@ -845,7 +845,11 @@ perm_error:
+ pci_lock_rescan_remove();
+ pcibios_remove_pci_devices(frozen_bus);
+ pci_unlock_rescan_remove();
++
++ /* The passed PE should no longer be used */
++ return true;
+ }
++ return false;
+ }
+
+ static void eeh_handle_special_event(void)
+@@ -911,7 +915,14 @@ static void eeh_handle_special_event(voi
+ */
+ if (rc == EEH_NEXT_ERR_FROZEN_PE ||
+ rc == EEH_NEXT_ERR_FENCED_PHB) {
+- eeh_handle_normal_event(pe);
++ /*
++ * eeh_handle_normal_event() can make the PE stale if it
++ * determines that the PE cannot possibly be recovered.
++ * Don't modify the PE state if that's the case.
++ */
++ if (eeh_handle_normal_event(pe))
++ continue;
++
+ eeh_pe_state_clear(pe, EEH_PE_RECOVERING);
+ } else {
+ pci_lock_rescan_remove();
diff --git a/queue-3.18/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch b/queue-3.18/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
new file mode 100644
index 00000000000..aa9a09439c6
--- /dev/null
+++ b/queue-3.18/powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
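Review bot: eeh_handle_normal_event() now returns `bool`, but nothing at its definition says what the value means; the contract is explained only in the comment at the one call site in eeh_handle_special_event(). Add a line to the function's header comment, e.g. `Returns true if the PE was removed and must not be dereferenced by the caller, false otherwise.` The new `continue` also depends on the enclosing loop, which starts and ends outside the hunk, so it should be confirmed that skipping the rest of the iteration bypasses no cleanup or termination check there.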
@@ -0,0 +1,105 @@
+From ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b Mon Sep 17 00:00:00 2001
+From: Michael Ellerman
+Date: Tue, 6 Jun 2017 20:23:57 +1000
+Subject: powerpc/numa: Fix percpu allocations to be NUMA aware
+
+From: Michael Ellerman
+
+commit ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b upstream.
+
+In commit 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID"), we
+switched to the generic implementation of cpu_to_node(), which uses a percpu
+variable to hold the NUMA node for each CPU.
+
+Unfortunately we neglected to notice that we use cpu_to_node() in the allocation
+of our percpu areas, leading to a chicken and egg problem. In practice what
+happens is when we are setting up the percpu areas, cpu_to_node() reports that
+all CPUs are on node 0, so we allocate all percpu areas on node 0.
+
+This is visible in the dmesg output, as all pcpu allocs being in group 0:
+
+ pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
+ pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
+ pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
+ pcpu-alloc: [0] 24 25 26 27 [0] 28 29 30 31
+ pcpu-alloc: [0] 32 33 34 35 [0] 36 37 38 39
+ pcpu-alloc: [0] 40 41 42 43 [0] 44 45 46 47
+
+To fix it we need an early_cpu_to_node() which can run prior to percpu being
+setup. We already have the numa_cpu_lookup_table we can use, so just plumb it
+in. With the patch dmesg output shows two groups, 0 and 1:
+
+ pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
+ pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
+ pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
+ pcpu-alloc: [1] 24 25 26 27 [1] 28 29 30 31
+ pcpu-alloc: [1] 32 33 34 35 [1] 36 37 38 39
+ pcpu-alloc: [1] 40 41 42 43 [1] 44 45 46 47
+
+We can also check the data_offset in the paca of various CPUs, with the fix we
+see:
+
+ CPU 0: data_offset = 0x0ffe8b0000
+ CPU 24: data_offset = 0x1ffe5b0000
+
+And we can see from dmesg that CPU 24 has an allocation on node 1:
+
+ node 0: [mem 0x0000000000000000-0x0000000fffffffff]
+ node 1: [mem 0x0000001000000000-0x0000001fffffffff]
+
+Fixes: 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID")
+Signed-off-by: Michael Ellerman
+Reviewed-by: Nicholas Piggin
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/topology.h | 14 ++++++++++++++
+ arch/powerpc/kernel/setup_64.c | 4 ++--
+ 2 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/topology.h
++++ b/arch/powerpc/include/asm/topology.h
+@@ -44,8 +44,22 @@ extern void __init dump_numa_cpu_topolog
+ extern int sysfs_add_device_to_node(struct device *dev, int nid);
+ extern void sysfs_remove_device_from_node(struct device *dev, int nid);
+
++static inline int early_cpu_to_node(int cpu)
++{
++ int nid;
++
++ nid = numa_cpu_lookup_table[cpu];
++
++ /*
++ * Fall back to node 0 if nid is unset (it should be, except bugs).
++ * This allows callers to safely do NODE_DATA(early_cpu_to_node(cpu)).
++ */
++ return (nid < 0) ? 0 : nid;
++}
+ #else
+
++static inline int early_cpu_to_node(int cpu) { return 0; }
++
+ static inline void dump_numa_cpu_topology(void) {}
+
+ static inline int sysfs_add_device_to_node(struct device *dev, int nid)
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -754,7 +754,7 @@ void ppc64_boot_msg(unsigned int src, co
+
+ static void * __init pcpu_fc_alloc(unsigned int cpu, size_t size, size_t align)
+ {
+- return __alloc_bootmem_node(NODE_DATA(cpu_to_node(cpu)), size, align,
++ return __alloc_bootmem_node(NODE_DATA(early_cpu_to_node(cpu)), size, align,
+ __pa(MAX_DMA_ADDRESS));
+ }
+
+@@ -765,7 +765,7 @@ static void __init pcpu_fc_free(void *pt
+
+ static int pcpu_cpu_distance(unsigned int from, unsigned int to)
+ {
+- if (cpu_to_node(from) == cpu_to_node(to))
++ if (early_cpu_to_node(from) == early_cpu_to_node(to))
+ return LOCAL_DISTANCE;
+ else
+ return REMOTE_DISTANCE;
diff --git a/queue-3.18/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch b/queue-3.18/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch
new file mode 100644
index 00000000000..1a2771a96e0
--- /dev/null
+++ b/queue-3.18/scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch
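Review bot: early_cpu_to_node() indexes `numa_cpu_lookup_table[cpu]` with a signed `int cpu` and no range check, while both callers changed in setup_64.c pass an `unsigned int`. Those callers presumably only ever pass valid CPU numbers, but the helper lives in a header and its only guard is the `nid < 0` fallback, so the expected range of `cpu` should at least be stated in the comment. The comment itself is also garbled: `(it should be, except bugs)` reads as if an unset nid were the expected case; suggest `Fall back to node 0 if nid is unset (it should always be set, barring bugs).`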
@@ -0,0 +1,65 @@
+From ddff7ed45edce4a4c92949d3c61cd25d229c4a14 Mon Sep 17 00:00:00 2001
+From: Johannes Thumshirn
+Date: Tue, 23 May 2017 16:50:47 +0200
+Subject: scsi: qla2xxx: don't disable a not previously enabled PCI device
+
+From: Johannes Thumshirn
+
+commit ddff7ed45edce4a4c92949d3c61cd25d229c4a14 upstream.
+
+When pci_enable_device() or pci_enable_device_mem() fail in
+qla2x00_probe_one() we bail out but do a call to
+pci_disable_device(). This causes the dev_WARN_ON() in
+pci_disable_device() to trigger, as the device wasn't enabled
+previously.
+
+So instead of taking the 'probe_out' error path we can directly return
+*iff* one of the pci_enable_device() calls fails.
+
+Additionally rename the 'probe_out' goto label's name to the more
+descriptive 'disable_device'.
+
+Signed-off-by: Johannes Thumshirn
+Fixes: e315cd28b9ef ("[SCSI] qla2xxx: Code changes for qla data structure refactoring")
+Reviewed-by: Bart Van Assche
+Reviewed-by: Giridhar Malavali
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_os.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_os.c
++++ b/drivers/scsi/qla2xxx/qla_os.c
+@@ -2387,10 +2387,10 @@ qla2x00_probe_one(struct pci_dev *pdev,
+
+ if (mem_only) {
+ if (pci_enable_device_mem(pdev))
+- goto probe_out;
++ return ret;
+ } else {
+ if (pci_enable_device(pdev))
+- goto probe_out;
++ return ret;
+ }
+
+ /* This may fail but that's ok */
+@@ -2400,7 +2400,7 @@ qla2x00_probe_one(struct pci_dev *pdev,
+ if (!ha) {
+ ql_log_pci(ql_log_fatal, pdev, 0x0009,
+ "Unable to allocate memory for ha.\n");
+- goto probe_out;
++ goto disable_device;
+ }
+ ql_dbg_pci(ql_dbg_init, pdev, 0x000a,
+ "Memory allocated for ha=%p.\n", ha);
+@@ -2998,7 +2998,7 @@ iospace_config_failed:
+ kfree(ha);
+ ha = NULL;
+
+-probe_out:
++disable_device:
+ pci_disable_device(pdev);
+ return ret;
+ }
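Review bot: Both new `return ret;` statements in qla2x00_probe_one() discard the error code from pci_enable_device_mem() / pci_enable_device() and return whatever `ret` was initialized to outside the hunk. Propagating the real code would make a failed probe diagnosable, using a separate local so that later error paths which rely on `ret`'s initial value are unaffected: `err = pci_enable_device(pdev);` followed by `if (err) return err;`, and likewise in the mem-only branch. The function starts and ends outside these hunks, so the declaration of `ret` and the remaining uses of the renamed label cannot be checked from here.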
diff --git a/queue-3.18/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch b/queue-3.18/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch
new file mode 100644
index 00000000000..aee3b717262
--- /dev/null
+++ b/queue-3.18/serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch
@@ -0,0 +1,61 @@
+From 3c9101766b502a0163d1d437fada5801cf616be2 Mon Sep 17 00:00:00 2001
+From: Takatoshi Akiyama
+Date: Mon, 27 Feb 2017 15:56:31 +0900
+Subject: serial: sh-sci: Fix panic when serial console and DMA are enabled
+
+From: Takatoshi Akiyama
+
+commit 3c9101766b502a0163d1d437fada5801cf616be2 upstream.
+
+This patch fixes an issue that kernel panic happens when DMA is enabled
+and we press enter key while the kernel booting on the serial console.
+
+* An interrupt may occur after sci_request_irq().
+* DMA transfer area is initialized by setup_timer() in sci_request_dma()
+ and used in interrupt.
+
+If an interrupt occurred between sci_request_irq() and setup_timer() in
+sci_request_dma(), DMA transfer area has not been initialized yet.
+So, this patch changes the order of sci_request_irq() and
+sci_request_dma().
+
+Fixes: 73a19e4c0301 ("serial: sh-sci: Add DMA support.")
+Signed-off-by: Takatoshi Akiyama
+[Shimoda changes the commit log]
+Signed-off-by: Yoshihiro Shimoda
+Cc: Jiri Slaby
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/sh-sci.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -1734,11 +1734,13 @@ static int sci_startup(struct uart_port
+
+ dev_dbg(port->dev, "%s(%d)\n", __func__, port->line);
+
++ sci_request_dma(port);
++
+ ret = sci_request_irq(s);
+- if (unlikely(ret < 0))
++ if (unlikely(ret < 0)) {
++ sci_free_dma(port);
+ return ret;
+-
+- sci_request_dma(port);
++ }
+
+ spin_lock_irqsave(&port->lock, flags);
+ sci_start_tx(port);
+@@ -1760,8 +1762,8 @@ static void sci_shutdown(struct uart_por
+ sci_stop_tx(port);
+ spin_unlock_irqrestore(&port->lock, flags);
+
+- sci_free_dma(port);
+ sci_free_irq(s);
++ sci_free_dma(port);
+ }
+
+ static unsigned int sci_scbrr_calc(struct sci_port *s, unsigned int bps,
diff --git a/queue-3.18/series b/queue-3.18/series
index d4195d291b1..a7a1ae251b6 100644
--- a/queue-3.18/series
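Review bot: The ordering this change depends on is not recorded in the code: DMA state must be set up before the IRQ can fire in sci_startup() and released only after the IRQ is freed in sci_shutdown(), so a later cleanup could swap the calls back and reintroduce the crash. A comment at both sites would pin it down, e.g. `/* DMA state must exist before the IRQ is live, and outlive it on shutdown */`. The new error path also calls sci_free_dma() directly after sci_request_dma(), whose outcome is not checked in the visible lines; sci_free_dma() is defined outside the hunk, so it should be confirmed that it is a no-op when no channel was acquired.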
+++ b/queue-3.18/series
@@ -26,3 +26,13 @@ random-properly-align-get_random_int_hash.patch
 stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch
 btrfs-use-correct-types-for-page-indices-in-btrfs_page_exists_in_range.patch
 btrfs-fix-memory-leak-in-update_space_info-failure-path.patch
+scsi-qla2xxx-don-t-disable-a-not-previously-enabled-pci-device.patch
+powerpc-eeh-avoid-use-after-free-in-eeh_handle_special_event.patch
+powerpc-numa-fix-percpu-allocations-to-be-numa-aware.patch
+perf-core-drop-kernel-samples-even-though-u-is-specified.patch
+drm-vmwgfx-handle-vmalloc-failure-in-vmw_local_fifo_reserve.patch
+drm-vmwgfx-limit-the-number-of-mip-levels-in-vmw_gb_surface_define_ioctl.patch
+alsa-timer-fix-missing-queue-indices-reset-at-sndrv_timer_ioctl_select.patch
+asoc-fix-use-after-free-at-card-unregistration.patch
+drivers-char-mem-fix-wraparound-check-to-allow-mappings-up-to-the-end.patch
+serial-sh-sci-fix-panic-when-serial-console-and-dma-are-enabled.patch