From 497c21cbc22b64a5e22144c5a8a8fb48c00a5115 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 6 Mar 2018 10:48:51 -0800 Subject: [PATCH] 4.14-stable patches added patches: alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch alsa-hda-add-a-power_save-blacklist.patch alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch block-fix-the-count-of-pgpgout-for-write_same.patch block-kyber-fix-domain-token-leak-during-requeue.patch btrfs-use-proper-endianness-accessors-for-super_copy.patch cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch dax-fix-vma_is_fsdax-helper.patch direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch parisc-fix-ordering-of-cache-and-tlb-flushes.patch parisc-reduce-irq-overhead-when-run-in-qemu.patch parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch timers-forward-timer-base-before-migrating-timers.patch vfio-disable-filesystem-dax-page-pinning.patch x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch --- ...corruption-risk-in-snd_ctl_elem_read.patch | 52 +++++ .../alsa-hda-add-a-power_save-blacklist.patch | 110 +++++++++ ...pincfg-at-resume-on-lenovo-t470-dock.patch | 48 ++++ ...o-add-a-quirck-for-b-w-px-headphones.patch | 75 ++++++ ...g-spinlock-and-mutex-initializations.patch | 35 +++ ...-the-count-of-pgpgout-for-write_same.patch | 35 +++ ...fix-domain-token-leak-during-requeue.patch | 35 +++ ...-endianness-accessors-for-super_copy.patch | 101 +++++++++ ...-s3c24xx-fix-broken-s3c_cpufreq_init.patch | 47 ++++ 
queue-4.14/dax-fix-vma_is_fsdax-helper.patch | 37 +++ ...-fix-sleep-in-atomic-due-to-sync-aio.patch | 48 ++++ ...registers-in-runtime-suspended-state.patch | 45 ++++ ...mmc-factor-out-dw_mci_init_slot_caps.patch | 120 ++++++++++ ...out-of-bounds-access-for-slot-s-caps.patch | 105 +++++++++ ...ut-of-bounds-access-through-dt-alias.patch | 37 +++ ...s0i3-for-intel-byt-based-controllers.patch | 92 ++++++++ ...ix-ordering-of-cache-and-tlb-flushes.patch | 214 ++++++++++++++++++ ...reduce-irq-overhead-when-run-in-qemu.patch | 60 +++++ ...erval-timers-unconditionally-on-qemu.patch | 43 ++++ queue-4.14/series | 24 ++ ...d-timer-base-before-migrating-timers.patch | 84 +++++++ ...-disable-filesystem-dax-page-pinning.patch | 80 +++++++ ...cpu_entry_area-to-initial_page_table.patch | 163 +++++++++++++ ...handle-intel-edison-reboot-correctly.patch | 45 ++++ ...ro-msr_ia32_spec_ctrl-before-suspend.patch | 79 +++++++ 25 files changed, 1814 insertions(+) create mode 100644 queue-4.14/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch create mode 100644 queue-4.14/alsa-hda-add-a-power_save-blacklist.patch create mode 100644 queue-4.14/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch create mode 100644 queue-4.14/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch create mode 100644 queue-4.14/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch create mode 100644 queue-4.14/block-fix-the-count-of-pgpgout-for-write_same.patch create mode 100644 queue-4.14/block-kyber-fix-domain-token-leak-during-requeue.patch create mode 100644 queue-4.14/btrfs-use-proper-endianness-accessors-for-super_copy.patch create mode 100644 queue-4.14/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch create mode 100644 queue-4.14/dax-fix-vma_is_fsdax-helper.patch create mode 100644 queue-4.14/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch create mode 100644 queue-4.14/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch create mode 100644 
queue-4.14/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch create mode 100644 queue-4.14/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch create mode 100644 queue-4.14/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch create mode 100644 queue-4.14/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch create mode 100644 queue-4.14/parisc-fix-ordering-of-cache-and-tlb-flushes.patch create mode 100644 queue-4.14/parisc-reduce-irq-overhead-when-run-in-qemu.patch create mode 100644 queue-4.14/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch create mode 100644 queue-4.14/timers-forward-timer-base-before-migrating-timers.patch create mode 100644 queue-4.14/vfio-disable-filesystem-dax-page-pinning.patch create mode 100644 queue-4.14/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch create mode 100644 queue-4.14/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch create mode 100644 queue-4.14/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch diff --git a/queue-4.14/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch b/queue-4.14/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch new file mode 100644 index 00000000000..f1fd644ccb2 --- /dev/null +++ b/queue-4.14/alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch 
@@ -0,0 +1,52 @@
+From 5a23699a39abc5328921a81b89383d088f6ba9cc Mon Sep 17 00:00:00 2001
+From: Richard Fitzgerald
+Date: Tue, 27 Feb 2018 17:01:18 +0000
+Subject: ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
+
+From: Richard Fitzgerald
+
+commit 5a23699a39abc5328921a81b89383d088f6ba9cc upstream.
+
+The patch "ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE
+operations" introduced a potential for kernel memory corruption due
+to an incorrect if statement allowing non-readable controls to fall
+through and call the get function. For TLV controls a driver can omit
+SNDRV_CTL_ELEM_ACCESS_READ to ensure that only the TLV get function
+can be called. Instead the normal get() can be invoked unexpectedly
+and as the driver expects that this will only be called for controls
+<= 512 bytes, potentially try to copy >512 bytes into the 512 byte
+return array, so corrupting kernel memory.
+
+The problem is an attempt to refactor the snd_ctl_elem_read function
+to invert the logic so that it conditionally aborted if the control
+is unreadable instead of conditionally executing. But the if statement
+wasn't inverted correctly.
+
+The correct inversion of
+
+ if (a && !b)
+
+is
+ if (!a || b)
+
+Fixes: becf9e5d553c2 ("ALSA: control: code refactoring for ELEM_READ/ELEM_WRITE operations")
+Signed-off-by: Richard Fitzgerald
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/control.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/core/control.c
++++ b/sound/core/control.c
+@@ -888,7 +888,7 @@ static int snd_ctl_elem_read(struct snd_
+
+ index_offset = snd_ctl_get_ioff(kctl, &control->id);
+ vd = &kctl->vd[index_offset];
+- if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) && kctl->get == NULL)
++ if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)
+ return -EPERM;
+
+ snd_ctl_build_ioff(&control->id, kctl, index_offset);
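Review bot: The corrected guard in snd_ctl_elem_read, `if (!(vd->access & SNDRV_CTL_ELEM_ACCESS_READ) || kctl->get == NULL)`, has no comment recording why the access bit must be checked independently of the callback pointer, and the commit message says the earlier refactor got exactly this wrong. A short comment above it would protect the next refactor: `/* TLV-only controls omit ACCESS_READ; get() must never run for them */`. The function body starts and ends outside the hunk, so whether the size of the value buffer is enforced anywhere else cannot be confirmed from here.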
diff --git a/queue-4.14/alsa-hda-add-a-power_save-blacklist.patch b/queue-4.14/alsa-hda-add-a-power_save-blacklist.patch
new file mode 100644
index 00000000000..553445e83c7
--- /dev/null
+++ b/queue-4.14/alsa-hda-add-a-power_save-blacklist.patch
@@ -0,0 +1,110 @@ +From 1ba8f9d308174e647b864c36209b4d7934d99888 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 22 Feb 2018 14:20:35 +0100 +Subject: ALSA: hda: Add a power_save blacklist + +From: Hans de Goede + +commit 1ba8f9d308174e647b864c36209b4d7934d99888 upstream. + +On some boards setting power_save to a non 0 value leads to clicking / +popping sounds when ever we enter/leave powersaving mode. Ideally we would +figure out how to avoid these sounds, but that is not always feasible. + +This commit adds a blacklist for devices where powersaving is known to +cause problems and disables it on these devices. + +Note I tried to put this blacklist in userspace first: +https://github.com/systemd/systemd/pull/8128 + +But the systemd maintainers rightfully pointed out that it would be +impossible to then later remove entries once we actually find a way to +make power-saving work on listed boards without issues. Having this list +in the kernel will allow removal of the blacklist entry in the same commit +which fixes the clicks / plops. + +The blacklist only applies to the default power_save module-option value, +if a user explicitly sets the module-option then the blacklist is not +used. 
+ +[ added an ifdef CONFIG_PM for the build error -- tiwai] + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104 +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=198611 +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 38 ++++++++++++++++++++++++++++++++++++-- + 1 file changed, 36 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -181,7 +181,7 @@ static const struct kernel_param_ops par + }; + #define param_check_xint param_check_int + +-static int power_save = CONFIG_SND_HDA_POWER_SAVE_DEFAULT; ++static int power_save = -1; + module_param(power_save, xint, 0644); + MODULE_PARM_DESC(power_save, "Automatic power-saving timeout " + "(in second, 0 = disable)."); +@@ -2186,6 +2186,24 @@ out_free: + return err; + } + ++#ifdef CONFIG_PM ++/* On some boards setting power_save to a non 0 value leads to clicking / ++ * popping sounds when ever we enter/leave powersaving mode. Ideally we would ++ * figure out how to avoid these sounds, but that is not always feasible. ++ * So we keep a list of devices where we disable powersaving as its known ++ * to causes problems on these devices. ++ */ ++static struct snd_pci_quirk power_save_blacklist[] = { ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ ++ SND_PCI_QUIRK(0x1849, 0x0c0c, "Asrock B85M-ITX", 0), ++ /* https://bugzilla.redhat.com/show_bug.cgi?id=1525104 */ ++ SND_PCI_QUIRK(0x1043, 0x8733, "Asus Prime X370-Pro", 0), ++ /* https://bugzilla.kernel.org/show_bug.cgi?id=198611 */ ++ SND_PCI_QUIRK(0x17aa, 0x2227, "Lenovo X1 Carbon 3rd Gen", 0), ++ {} ++}; ++#endif /* CONFIG_PM */ ++ + /* number of codec slots for each chipset: 0 = default slots (i.e. 
4) */ + static unsigned int azx_max_codecs[AZX_NUM_DRIVERS] = { + [AZX_DRIVER_NVIDIA] = 8, +@@ -2198,6 +2216,7 @@ static int azx_probe_continue(struct azx + struct hdac_bus *bus = azx_bus(chip); + struct pci_dev *pci = chip->pci; + int dev = chip->dev_index; ++ int val; + int err; + + hda->probe_continued = 1; +@@ -2278,7 +2297,22 @@ static int azx_probe_continue(struct azx + + chip->running = 1; + azx_add_card_list(chip); +- snd_hda_set_power_save(&chip->bus, power_save * 1000); ++ ++ val = power_save; ++#ifdef CONFIG_PM ++ if (val == -1) { ++ const struct snd_pci_quirk *q; ++ ++ val = CONFIG_SND_HDA_POWER_SAVE_DEFAULT; ++ q = snd_pci_quirk_lookup(chip->pci, power_save_blacklist); ++ if (q && val) { ++ dev_info(chip->card->dev, "device %04x:%04x is on the power_save blacklist, forcing power_save to 0\n", ++ q->subvendor, q->subdevice); ++ val = 0; ++ } ++ } ++#endif /* CONFIG_PM */ ++ snd_hda_set_power_save(&chip->bus, val * 1000); + if (azx_has_pm_runtime(chip) || hda->use_vga_switcheroo) + pm_runtime_put_autosuspend(&pci->dev); + diff --git a/queue-4.14/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch b/queue-4.14/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch new file mode 100644 index 00000000000..f226c243154 --- /dev/null +++ b/queue-4.14/alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch 
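Review bot: The new default `static int power_save = -1;` is a sentinel that the parameter description does not explain: `MODULE_PARM_DESC` still reads "(in second, 0 = disable)", so a reader of the 0644 parameter sees -1 with no meaning attached; the description could add `-1 = built-in default, subject to the power_save blacklist`. The sentinel is only translated inside azx_probe_continue, and the parameter's set handler is outside this hunk, so it is worth confirming that a -1 written at runtime is not multiplied by 1000 and applied as a timeout. The table is only read here and can be declared `static const struct snd_pci_quirk power_save_blacklist[]`, matching the `const struct snd_pci_quirk *q` that receives the lookup result.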
@@ -0,0 +1,48 @@
+From 71db96ddfa72671bd43cacdcc99ca178d90ba267 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 26 Feb 2018 15:36:38 +0100
+Subject: ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
+
+From: Takashi Iwai
+
+commit 71db96ddfa72671bd43cacdcc99ca178d90ba267 upstream.
+
+We've added a quirk to enable the recent Lenovo dock support, where it
+overwrites the pin configs of NID 0x17 and 19, not only updating the
+pin config cache. It works right after the boot, but the problem is
+that the pin configs are occasionally cleared when the machine goes to
+PM. Meanwhile the quirk writes the pin configs only at the pre-probe,
+so this won't be applied any longer.
+
+For addressing that issue, this patch moves the code to overwrite the
+pin configs into HDA_FIXUP_ACT_INIT section so that it's always
+applied at both probe and resume time.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195161
+Fixes: 61fcf8ece9b6 ("ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform")
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4852,13 +4852,14 @@ static void alc_fixup_tpt470_dock(struct
+
+ if (action == HDA_FIXUP_ACT_PRE_PROBE) {
+ spec->parse_flags = HDA_PINCFG_NO_HP_FIXUP;
++ snd_hda_apply_pincfgs(codec, pincfgs);
++ } else if (action == HDA_FIXUP_ACT_INIT) {
+ /* Enable DOCK device */
+ snd_hda_codec_write(codec, 0x17, 0,
+ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
+ /* Enable DOCK device */
+ snd_hda_codec_write(codec, 0x19, 0,
+ AC_VERB_SET_CONFIG_DEFAULT_BYTES_3, 0);
+- snd_hda_apply_pincfgs(codec, pincfgs);
+ }
+ }
+
diff --git a/queue-4.14/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch b/queue-4.14/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
new file mode 100644
index 00000000000..0f7e424d9f4
--- /dev/null
+++ b/queue-4.14/alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
@@ -0,0 +1,75 @@
+From 240a8af929c7c57dcde28682725b29cf8474e8e5 Mon Sep 17 00:00:00 2001
+From: Erik Veijola
+Date: Fri, 23 Feb 2018 14:06:52 +0200
+Subject: ALSA: usb-audio: Add a quirck for B&W PX headphones
+
+From: Erik Veijola
+
+commit 240a8af929c7c57dcde28682725b29cf8474e8e5 upstream.
+
+The capture interface doesn't work and the playback interface only
+supports 48 kHz sampling rate even though it advertises more rates.
+
+Signed-off-by: Erik Veijola
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/quirks-table.h | 47 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3277,4 +3277,51 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ },
+
++{
++ /*
++ * Bower's & Wilkins PX headphones only support the 48 kHz sample rate
++ * even though it advertises more. The capture interface doesn't work
++ * even on windows.
++ */
++ USB_DEVICE(0x19b5, 0x0021),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = (const struct snd_usb_audio_quirk[]) {
++ {
++ .ifnum = 0,
++ .type = QUIRK_AUDIO_STANDARD_MIXER,
++ },
++ /* Capture */
++ {
++ .ifnum = 1,
++ .type = QUIRK_IGNORE_INTERFACE,
++ },
++ /* Playback */
++ {
++ .ifnum = 2,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S16_LE,
++ .channels = 2,
++ .iface = 2,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .attributes = UAC_EP_CS_ATTR_FILL_MAX |
++ UAC_EP_CS_ATTR_SAMPLE_RATE,
++ .endpoint = 0x03,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC,
++ .rates = SNDRV_PCM_RATE_48000,
++ .rate_min = 48000,
++ .rate_max = 48000,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) {
++ 48000
++ }
++ }
++ },
++ }
++ }
++},
++
+ #undef USB_DEVICE_VENDOR_SPEC
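Review bot: The composite quirk array added for `USB_DEVICE(0x19b5, 0x0021)` closes right after the playback entry (`.ifnum = 2`) with no terminating element. The code that walks composite quirks is outside this hunk, but to my knowledge it iterates until it meets an entry with a negative ifnum, and other QUIRK_COMPOSITE tables in this file end with such an entry; if so, this table is read past its end when the device is probed. Adding `{ .ifnum = -1 },` after the playback entry would make the table self-delimiting. Separately, the new comment spells the vendor "Bower's & Wilkins".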
diff --git a/queue-4.14/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch b/queue-4.14/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
new file mode 100644
index 00000000000..246718a3dd0
--- /dev/null
+++ b/queue-4.14/alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
@@ -0,0 +1,35 @@
+From 350144069abf351c743d766b2fba9cb9b7cd32a1 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 28 Feb 2018 08:36:06 +0100
+Subject: ALSA: x86: Fix missing spinlock and mutex initializations
+
+From: Takashi Iwai
+
+commit 350144069abf351c743d766b2fba9cb9b7cd32a1 upstream.
+
+The commit change for supporting the multiple ports moved involved
+some code shuffling, and there the initializations of spinlock and
+mutex in snd_intelhad object were dropped mistakenly.
+
+This patch adds the missing initializations again for each port.
+
+Fixes: b4eb0d522fcb ("ALSA: x86: Split snd_intelhad into card and PCM specific structures")
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/x86/intel_hdmi_audio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/x86/intel_hdmi_audio.c
++++ b/sound/x86/intel_hdmi_audio.c
+@@ -1827,6 +1827,8 @@ static int hdmi_lpe_audio_probe(struct p
+ ctx->port = port;
+ ctx->pipe = -1;
+
++ spin_lock_init(&ctx->had_spinlock);
++ mutex_init(&ctx->mutex);
+ INIT_WORK(&ctx->hdmi_audio_wq, had_audio_wq);
+
+ ret = snd_pcm_new(card, INTEL_HAD, port, MAX_PB_STREAMS,
diff --git a/queue-4.14/block-fix-the-count-of-pgpgout-for-write_same.patch b/queue-4.14/block-fix-the-count-of-pgpgout-for-write_same.patch
new file mode 100644
index 00000000000..0ba468de60f
--- /dev/null
+++ b/queue-4.14/block-fix-the-count-of-pgpgout-for-write_same.patch
@@ -0,0 +1,35 @@
+From 7c5a0dcf557c6511a61e092ba887de28882fe857 Mon Sep 17 00:00:00 2001
+From: Jiufei Xue
+Date: Tue, 27 Feb 2018 20:10:03 +0800
+Subject: block: fix the count of PGPGOUT for WRITE_SAME
+
+From: Jiufei Xue
+
+commit 7c5a0dcf557c6511a61e092ba887de28882fe857 upstream.
+
+The vm counters is counted in sectors, so we should do the conversation
+in submit_bio.
+
+Fixes: 74d46992e0d9 ("block: replace bi_bdev with a gendisk pointer and partitions index")
+Cc: stable@vger.kernel.org
+Reviewed-by: Omar Sandoval
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Jiufei Xue
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/block/blk-core.c
++++ b/block/blk-core.c
+@@ -2277,7 +2277,7 @@ blk_qc_t submit_bio(struct bio *bio)
+ unsigned int count;
+
+ if (unlikely(bio_op(bio) == REQ_OP_WRITE_SAME))
+- count = queue_logical_block_size(bio->bi_disk->queue);
++ count = queue_logical_block_size(bio->bi_disk->queue) >> 9;
+ else
+ count = bio_sectors(bio);
+
diff --git a/queue-4.14/block-kyber-fix-domain-token-leak-during-requeue.patch b/queue-4.14/block-kyber-fix-domain-token-leak-during-requeue.patch
new file mode 100644
index 00000000000..42f7d51c0b8
--- /dev/null
+++ b/queue-4.14/block-kyber-fix-domain-token-leak-during-requeue.patch
@@ -0,0 +1,35 @@
+From ba989a01469d027861e55c8f1121edadef757797 Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Fri, 23 Feb 2018 23:36:57 +0800
+Subject: block: kyber: fix domain token leak during requeue
+
+From: Ming Lei
+
+commit ba989a01469d027861e55c8f1121edadef757797 upstream.
+
+When requeuing request, the domain token should have been freed
+before re-inserting the request to io scheduler. Otherwise, the
+assigned domain token will be leaked, and IO hang can be caused.
+
+Cc: Paolo Valente
+Cc: Omar Sandoval
+Cc: stable@vger.kernel.org
+Reviewed-by: Bart Van Assche
+Signed-off-by: Ming Lei
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/kyber-iosched.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/block/kyber-iosched.c
++++ b/block/kyber-iosched.c
+@@ -814,6 +814,7 @@ static struct elevator_type kyber_sched
+ .limit_depth = kyber_limit_depth,
+ .prepare_request = kyber_prepare_request,
+ .finish_request = kyber_finish_request,
++ .requeue_request = kyber_finish_request,
+ .completed_request = kyber_completed_request,
+ .dispatch_request = kyber_dispatch_request,
+ .has_work = kyber_has_work,
diff --git a/queue-4.14/btrfs-use-proper-endianness-accessors-for-super_copy.patch b/queue-4.14/btrfs-use-proper-endianness-accessors-for-super_copy.patch
new file mode 100644
index 00000000000..dfe3fd603a7
--- /dev/null
+++ b/queue-4.14/btrfs-use-proper-endianness-accessors-for-super_copy.patch
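Review bot: Registering `kyber_finish_request` as `.requeue_request` means one request can pass through that function on requeue and again on completion, and nothing in this hunk shows that it is safe to run twice. kyber_finish_request is defined outside the hunk; if it releases the domain token without resetting the stored token to its "none" value, a request that is requeued and later completed without being dispatched through kyber again could release the same token twice. Worth confirming, and worth a comment on the new initializer such as `/* requeue drops the domain token; finish must tolerate an already-dropped token */`.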
@@ -0,0 +1,101 @@ +From 3c181c12c431fe33b669410d663beb9cceefcd1b Mon Sep 17 00:00:00 2001 +From: Anand Jain +Date: Thu, 22 Feb 2018 21:58:42 +0800 +Subject: btrfs: use proper endianness accessors for super_copy + +From: Anand Jain + +commit 3c181c12c431fe33b669410d663beb9cceefcd1b upstream. + +The fs_info::super_copy is a byte copy of the on-disk structure and all +members must use the accessor macros/functions to obtain the right +value. This was missing in update_super_roots and in sysfs readers. + +Moving between opposite endianness hosts will report bogus numbers in +sysfs, and mount may fail as the root will not be restored correctly. If +the filesystem is always used on a same endian host, this will not be a +problem. + +Fix this by using the btrfs_set_super...() functions to set +fs_info::super_copy values, and for the sysfs, use the cached +fs_info::nodesize/sectorsize values. + +CC: stable@vger.kernel.org +Fixes: df93589a17378 ("btrfs: export more from FS_INFO to sysfs") +Signed-off-by: Anand Jain +Reviewed-by: Liu Bo +Reviewed-by: David Sterba +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/sysfs.c | 8 +++----- + fs/btrfs/transaction.c | 20 ++++++++++++-------- + 2 files changed, 15 insertions(+), 13 deletions(-) + +--- a/fs/btrfs/sysfs.c ++++ b/fs/btrfs/sysfs.c +@@ -422,7 +422,7 @@ static ssize_t btrfs_nodesize_show(struc + { + struct btrfs_fs_info *fs_info = to_fs_info(kobj); + +- return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->super_copy->nodesize); ++ return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->nodesize); + } + + BTRFS_ATTR(nodesize, btrfs_nodesize_show); +@@ -432,8 +432,7 @@ static ssize_t btrfs_sectorsize_show(str + { + struct btrfs_fs_info *fs_info = to_fs_info(kobj); + +- return snprintf(buf, PAGE_SIZE, "%u\n", +- fs_info->super_copy->sectorsize); ++ return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->sectorsize); + } + + BTRFS_ATTR(sectorsize, btrfs_sectorsize_show); +@@ -443,8 +442,7 @@ 
static ssize_t btrfs_clone_alignment_sho + { + struct btrfs_fs_info *fs_info = to_fs_info(kobj); + +- return snprintf(buf, PAGE_SIZE, "%u\n", +- fs_info->super_copy->sectorsize); ++ return snprintf(buf, PAGE_SIZE, "%u\n", fs_info->sectorsize); + } + + BTRFS_ATTR(clone_alignment, btrfs_clone_alignment_show); +--- a/fs/btrfs/transaction.c ++++ b/fs/btrfs/transaction.c +@@ -1722,19 +1722,23 @@ static void update_super_roots(struct bt + + super = fs_info->super_copy; + ++ /* update latest btrfs_super_block::chunk_root refs */ + root_item = &fs_info->chunk_root->root_item; +- super->chunk_root = root_item->bytenr; +- super->chunk_root_generation = root_item->generation; +- super->chunk_root_level = root_item->level; ++ btrfs_set_super_chunk_root(super, root_item->bytenr); ++ btrfs_set_super_chunk_root_generation(super, root_item->generation); ++ btrfs_set_super_chunk_root_level(super, root_item->level); + ++ /* update latest btrfs_super_block::root refs */ + root_item = &fs_info->tree_root->root_item; +- super->root = root_item->bytenr; +- super->generation = root_item->generation; +- super->root_level = root_item->level; ++ btrfs_set_super_root(super, root_item->bytenr); ++ btrfs_set_super_generation(super, root_item->generation); ++ btrfs_set_super_root_level(super, root_item->level); ++ + if (btrfs_test_opt(fs_info, SPACE_CACHE)) +- super->cache_generation = root_item->generation; ++ btrfs_set_super_cache_generation(super, root_item->generation); + if (test_bit(BTRFS_FS_UPDATE_UUID_TREE_GEN, &fs_info->flags)) +- super->uuid_tree_generation = root_item->generation; ++ btrfs_set_super_uuid_tree_generation(super, ++ root_item->generation); + } + + int btrfs_transaction_in_commit(struct btrfs_fs_info *info) diff --git a/queue-4.14/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch b/queue-4.14/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch new file mode 100644 index 00000000000..e27250825ec --- /dev/null 
+++ b/queue-4.14/cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
@@ -0,0 +1,47 @@
+From 0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar
+Date: Fri, 23 Feb 2018 09:38:28 +0530
+Subject: cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
+
+From: Viresh Kumar
+
+commit 0373ca74831b0f93cd4cdbf7ad3aec3c33a479a5 upstream.
+
+commit a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
+accidentally broke cpufreq on s3c2410 and s3c2412.
+
+These two platforms don't have a CPU frequency table and used to skip
+calling cpufreq_table_validate_and_show() for them. But with the
+above commit, we started calling it unconditionally and that will
+eventually fail as the frequency table pointer is NULL.
+
+Fix this by calling cpufreq_table_validate_and_show() conditionally
+again.
+
+Fixes: a307a1e6bc0d "cpufreq: s3c: use cpufreq_generic_init()"
+Cc: 3.13+ # v3.13+
+Signed-off-by: Viresh Kumar
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/cpufreq/s3c24xx-cpufreq.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/cpufreq/s3c24xx-cpufreq.c
++++ b/drivers/cpufreq/s3c24xx-cpufreq.c
+@@ -351,7 +351,13 @@ struct clk *s3c_cpufreq_clk_get(struct d
+ static int s3c_cpufreq_init(struct cpufreq_policy *policy)
+ {
+ policy->clk = clk_arm;
+- return cpufreq_generic_init(policy, ftab, cpu_cur.info->latency);
++
++ policy->cpuinfo.transition_latency = cpu_cur.info->latency;
++
++ if (ftab)
++ return cpufreq_table_validate_and_show(policy, ftab);
++
++ return 0;
+ }
+
+ static int __init s3c_cpufreq_initclks(void)
diff --git a/queue-4.14/dax-fix-vma_is_fsdax-helper.patch b/queue-4.14/dax-fix-vma_is_fsdax-helper.patch
new file mode 100644
index 00000000000..8cf6a019055
--- /dev/null
+++ b/queue-4.14/dax-fix-vma_is_fsdax-helper.patch
@@ -0,0 +1,37 @@
+From 230f5a8969d8345fc9bbe3683f068246cf1be4b8 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Wed, 21 Feb 2018 17:08:01 -0800
+Subject: dax: fix vma_is_fsdax() helper
+
+From: Dan Williams
+
+commit 230f5a8969d8345fc9bbe3683f068246cf1be4b8 upstream.
+
+Gerd reports that ->i_mode may contain other bits besides S_IFCHR. Use
+S_ISCHR() instead. Otherwise, get_user_pages_longterm() may fail on
+device-dax instances when those are meant to be explicitly allowed.
+
+Fixes: 2bb6d2837083 ("mm: introduce get_user_pages_longterm")
+Cc:
+Reported-by: Gerd Rausch
+Acked-by: Jane Chu
+Reported-by: Haozhong Zhang
+Reviewed-by: Jan Kara
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/fs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -3185,7 +3185,7 @@ static inline bool vma_is_fsdax(struct v
+ if (!vma_is_dax(vma))
+ return false;
+ inode = file_inode(vma->vm_file);
+- if (inode->i_mode == S_IFCHR)
++ if (S_ISCHR(inode->i_mode))
+ return false; /* device-dax */
+ return true;
+ }
diff --git a/queue-4.14/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch b/queue-4.14/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
new file mode 100644
index 00000000000..4dd9ca7efc4
--- /dev/null
+++ b/queue-4.14/direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
@@ -0,0 +1,48 @@
+From d9c10e5b8863cfb6886d1640386455075c6e979d Mon Sep 17 00:00:00 2001
+From: Jan Kara
+Date: Mon, 26 Feb 2018 12:51:43 +0100
+Subject: direct-io: Fix sleep in atomic due to sync AIO
+
+From: Jan Kara
+
+commit d9c10e5b8863cfb6886d1640386455075c6e979d upstream.
+
+Commit e864f39569f4 "fs: add RWF_DSYNC aand RWF_SYNC" added additional
+way for direct IO to become synchronous and thus trigger fsync from the
+IO completion handler. Then commit 9830f4be159b "fs: Use RWF_* flags for
+AIO operations" allowed these flags to be set for AIO as well. However
+that commit forgot to update the condition checking whether the IO
+completion handling should be defered to a workqueue and thus AIO DIO
+with RWF_[D]SYNC set will call fsync() from IRQ context resulting in
+sleep in atomic.
+
+Fix the problem by checking directly iocb flags (the same way as it is
+done in dio_complete()) instead of checking all conditions that could
+lead to IO being synchronous.
+
+CC: Christoph Hellwig
+CC: Goldwyn Rodrigues
+CC: stable@vger.kernel.org
+Reported-by: Mark Rutland
+Tested-by: Mark Rutland
+Fixes: 9830f4be159b29399d107bffb99e0132bc5aedd4
+Signed-off-by: Jan Kara
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/direct-io.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -1252,8 +1252,7 @@ do_blockdev_direct_IO(struct kiocb *iocb
+ */
+ if (dio->is_async && iov_iter_rw(iter) == WRITE) {
+ retval = 0;
+- if ((iocb->ki_filp->f_flags & O_DSYNC) ||
+- IS_SYNC(iocb->ki_filp->f_mapping->host))
++ if (iocb->ki_flags & IOCB_DSYNC)
+ retval = dio_set_defer_completion(dio);
+ else if (!dio->inode->i_sb->s_dio_done_wq) {
+ /*
diff --git a/queue-4.14/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch b/queue-4.14/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
new file mode 100644
index 00000000000..184cc434d91
--- /dev/null
+++ b/queue-4.14/mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
@@ -0,0 +1,45 @@
+From 5b43df8b4c1a7f0c3fbf793c9566068e6b1e570c Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Fri, 23 Feb 2018 16:47:25 +0800
+Subject: mmc: dw_mmc: Avoid accessing registers in runtime suspended state
+
+From: Shawn Lin
+
+commit 5b43df8b4c1a7f0c3fbf793c9566068e6b1e570c upstream.
+
+cat /sys/kernel/debug/mmc0/regs will hang up the system since
+it's in runtime suspended state, so the genpd and biu_clk is
+off. This patch fixes this problem by calling pm_runtime_get_sync
+to wake it up before reading the registers.
+
+Fixes: e9ed8835e990 ("mmc: dw_mmc: add runtime PM callback")
+Cc:
+Signed-off-by: Shawn Lin
+Reviewed-by: Jaehoon Chung
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/dw_mmc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -165,6 +165,8 @@ static int dw_mci_regs_show(struct seq_f
+ {
+ struct dw_mci *host = s->private;
+
++ pm_runtime_get_sync(host->dev);
++
+ seq_printf(s, "STATUS:\t0x%08x\n", mci_readl(host, STATUS));
+ seq_printf(s, "RINTSTS:\t0x%08x\n", mci_readl(host, RINTSTS));
+ seq_printf(s, "CMD:\t0x%08x\n", mci_readl(host, CMD));
+@@ -172,6 +174,8 @@ static int dw_mci_regs_show(struct seq_f
+ seq_printf(s, "INTMASK:\t0x%08x\n", mci_readl(host, INTMASK));
+ seq_printf(s, "CLKENA:\t0x%08x\n", mci_readl(host, CLKENA));
+
++ pm_runtime_put_autosuspend(host->dev);
++
+ return 0;
+ }
+
diff --git a/queue-4.14/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch b/queue-4.14/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
new file mode 100644
index 00000000000..4c9b831578c
--- /dev/null
+++ b/queue-4.14/mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
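Review bot: The return value of `pm_runtime_get_sync(host->dev)` in dw_mci_regs_show is ignored, so if the resume fails the `mci_readl()` calls that follow still touch the controller in the powered-down state that the commit message says hangs the system. With a local `int ret;`, the call could be `ret = pm_runtime_get_sync(host->dev);` followed by `if (ret < 0) { pm_runtime_put_noidle(host->dev); return ret; }`, which also keeps the usage count balanced on the error path. The register dump is reachable by anyone who can read the debugfs file named in the commit message, so a failed resume should return an error instead of repeating the hang.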
@@ -0,0 +1,120 @@
+From a4faa4929ed3be15e2d500d2405f992f6dedc8eb Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Sat, 24 Feb 2018 14:17:22 +0800
+Subject: mmc: dw_mmc: Factor out dw_mci_init_slot_caps
+
+From: Shawn Lin
+
+commit a4faa4929ed3be15e2d500d2405f992f6dedc8eb upstream.
+
+Factor out dw_mci_init_slot_caps to consolidate parsing
+all differents types of capabilities from host contrllers.
+No functional change intended.
+
+Signed-off-by: Shawn Lin
+Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
+Cc:
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/dw_mmc.c | 73 +++++++++++++++++++++++++++-------------------
+ 1 file changed, 43 insertions(+), 30 deletions(-)
+
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2762,12 +2762,50 @@ static irqreturn_t dw_mci_interrupt(int
+ return IRQ_HANDLED;
+ }
+
++static int dw_mci_init_slot_caps(struct dw_mci_slot *slot)
++{
++ struct dw_mci *host = slot->host;
++ const struct dw_mci_drv_data *drv_data = host->drv_data;
++ struct mmc_host *mmc = slot->mmc;
++ int ctrl_id;
++
++ if (host->pdata->caps)
++ mmc->caps = host->pdata->caps;
++
++ /*
++ * Support MMC_CAP_ERASE by default.
++ * It needs to use trim/discard/erase commands.
++ */
++ mmc->caps |= MMC_CAP_ERASE;
++
++ if (host->pdata->pm_caps)
++ mmc->pm_caps = host->pdata->pm_caps;
++
++ if (host->dev->of_node) {
++ ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
++ if (ctrl_id < 0)
++ ctrl_id = 0;
++ } else {
++ ctrl_id = to_platform_device(host->dev)->id;
++ }
++ if (drv_data && drv_data->caps)
++ mmc->caps |= drv_data->caps[ctrl_id];
++
++ if (host->pdata->caps2)
++ mmc->caps2 = host->pdata->caps2;
++
++ /* Process SDIO IRQs through the sdio_irq_work. */
++ if (mmc->caps & MMC_CAP_SDIO_IRQ)
++ mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++
++ return 0;
++}
++
+ static int dw_mci_init_slot(struct dw_mci *host)
+ {
+ struct mmc_host *mmc;
+ struct dw_mci_slot *slot;
+- const struct dw_mci_drv_data *drv_data = host->drv_data;
+- int ctrl_id, ret;
++ int ret;
+ u32 freq[2];
+
+ mmc = mmc_alloc_host(sizeof(struct dw_mci_slot), host->dev);
+@@ -2801,38 +2839,13 @@ static int dw_mci_init_slot(struct dw_mc
+ if (!mmc->ocr_avail)
+ mmc->ocr_avail = MMC_VDD_32_33 | MMC_VDD_33_34;
+
+- if (host->pdata->caps)
+- mmc->caps = host->pdata->caps;
+-
+- /*
+- * Support MMC_CAP_ERASE by default.
+- * It needs to use trim/discard/erase commands.
+- */
+- mmc->caps |= MMC_CAP_ERASE;
+-
+- if (host->pdata->pm_caps)
+- mmc->pm_caps = host->pdata->pm_caps;
+-
+- if (host->dev->of_node) {
+- ctrl_id = of_alias_get_id(host->dev->of_node, "mshc");
+- if (ctrl_id < 0)
+- ctrl_id = 0;
+- } else {
+- ctrl_id = to_platform_device(host->dev)->id;
+- }
+- if (drv_data && drv_data->caps)
+- mmc->caps |= drv_data->caps[ctrl_id];
+-
+- if (host->pdata->caps2)
+- mmc->caps2 = host->pdata->caps2;
+-
+ ret = mmc_of_parse(mmc);
+ if (ret)
+ goto err_host_allocated;
+
+- /* Process SDIO IRQs through the sdio_irq_work. */
+- if (mmc->caps & MMC_CAP_SDIO_IRQ)
+- mmc->caps2 |= MMC_CAP2_SDIO_IRQ_NOTHREAD;
++ ret = dw_mci_init_slot_caps(slot);
++ if (ret)
++ goto err_host_allocated;
+
+ /* Useful defaults if platform data is unset. */
+ if (host->use_dma == TRANS_MODE_IDMAC) {
diff --git a/queue-4.14/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch b/queue-4.14/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
new file mode 100644
index 00000000000..0bd34195c13
--- /dev/null
+++ b/queue-4.14/mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
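Review bot: Moving the capability setup into dw_mci_init_slot_caps() also moves it after `mmc_of_parse(mmc)`, whereas the removed lines in dw_mci_init_slot() ran before that call. The plain assignments `mmc->caps = host->pdata->caps;`, `mmc->pm_caps = host->pdata->pm_caps;` and `mmc->caps2 = host->pdata->caps2;` can therefore now overwrite whatever mmc_of_parse() stored in those fields from the device tree, which does not match "No functional change intended". It only matters when platform data supplies non-zero values, which cannot be seen from here. Either OR the values in, e.g. `mmc->caps |= host->pdata->caps;`, or keep those three assignments ahead of mmc_of_parse(). dw_mci_init_slot() starts and ends outside the hunk.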
@@ -0,0 +1,105 @@
+From 0d84b9e5631d923744767dc6608672df906dd092 Mon Sep 17 00:00:00 2001
+From: Shawn Lin
+Date: Sat, 24 Feb 2018 14:17:23 +0800
+Subject: mmc: dw_mmc: Fix out-of-bounds access for slot's caps
+
+From: Shawn Lin
+
+commit 0d84b9e5631d923744767dc6608672df906dd092 upstream.
+
+Add num_caps field for dw_mci_drv_data to validate the controller
+id from DT alias and non-DT ways.
+
+Reported-by: Geert Uytterhoeven
+Signed-off-by: Shawn Lin
+Fixes: 800d78bfccb3 ("mmc: dw_mmc: add support for implementation specific callbacks")
+Cc:
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/dw_mmc-exynos.c | 1 +
+ drivers/mmc/host/dw_mmc-k3.c | 1 +
+ drivers/mmc/host/dw_mmc-rockchip.c | 1 +
+ drivers/mmc/host/dw_mmc-zx.c | 1 +
+ drivers/mmc/host/dw_mmc.c | 9 ++++++++-
+ drivers/mmc/host/dw_mmc.h | 2 ++
+ 6 files changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/dw_mmc-exynos.c
++++ b/drivers/mmc/host/dw_mmc-exynos.c
+@@ -487,6 +487,7 @@ static unsigned long exynos_dwmmc_caps[4
+
+ static const struct dw_mci_drv_data exynos_drv_data = {
+ .caps = exynos_dwmmc_caps,
++ .num_caps = ARRAY_SIZE(exynos_dwmmc_caps),
+ .init = dw_mci_exynos_priv_init,
+ .set_ios = dw_mci_exynos_set_ios,
+ .parse_dt = dw_mci_exynos_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-k3.c
++++ b/drivers/mmc/host/dw_mmc-k3.c
+@@ -210,6 +210,7 @@ static int dw_mci_hi6220_execute_tuning(
+
+ static const struct dw_mci_drv_data hi6220_data = {
+ .caps = dw_mci_hi6220_caps,
++ .num_caps = ARRAY_SIZE(dw_mci_hi6220_caps),
+ .switch_voltage = dw_mci_hi6220_switch_voltage,
+ .set_ios = dw_mci_hi6220_set_ios,
+ .parse_dt = dw_mci_hi6220_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-rockchip.c
++++ b/drivers/mmc/host/dw_mmc-rockchip.c
+@@ -319,6 +319,7 @@ static const struct dw_mci_drv_data rk29
+
+ static const struct dw_mci_drv_data rk3288_drv_data = {
+ .caps = dw_mci_rk3288_dwmmc_caps,
++ .num_caps = ARRAY_SIZE(dw_mci_rk3288_dwmmc_caps),
+ .set_ios = dw_mci_rk3288_set_ios,
+ .execute_tuning = dw_mci_rk3288_execute_tuning,
+ .parse_dt = dw_mci_rk3288_parse_dt,
+--- a/drivers/mmc/host/dw_mmc-zx.c
++++ b/drivers/mmc/host/dw_mmc-zx.c
+@@ -195,6 +195,7 @@ static unsigned long zx_dwmmc_caps[3] =
+
+ static const struct dw_mci_drv_data zx_drv_data = {
+ .caps = zx_dwmmc_caps,
++ .num_caps = ARRAY_SIZE(zx_dwmmc_caps),
+ .execute_tuning = dw_mci_zx_execute_tuning,
+ .prepare_hs400_tuning = dw_mci_zx_prepare_hs400_tuning,
+ .parse_dt = dw_mci_zx_parse_dt,
+--- a/drivers/mmc/host/dw_mmc.c
++++ b/drivers/mmc/host/dw_mmc.c
+@@ -2788,8 +2788,15 @@ static int dw_mci_init_slot_caps(struct
+ } else {
+ ctrl_id = to_platform_device(host->dev)->id;
+ }
+- if (drv_data && drv_data->caps)
++
++ if (drv_data && drv_data->caps) {
++ if (ctrl_id >= drv_data->num_caps) {
++ dev_err(host->dev, "invalid controller id %d\n",
++ ctrl_id);
++ return -EINVAL;
++ }
+ mmc->caps |= drv_data->caps[ctrl_id];
++ }
+
+ if (host->pdata->caps2)
+ mmc->caps2 = host->pdata->caps2;
+--- a/drivers/mmc/host/dw_mmc.h
++++ b/drivers/mmc/host/dw_mmc.h
+@@ -542,6 +542,7 @@ struct dw_mci_slot {
+ /**
+ * dw_mci driver data - dw-mshc implementation specific driver data.
+ * @caps: mmc subsystem specified capabilities of the controller(s).
++ * @num_caps: number of capabilities specified by @caps.
+ * @init: early implementation specific initialization.
+ * @set_ios: handle bus specific extensions.
+ * @parse_dt: parse implementation specific device tree properties.
+@@ -553,6 +554,7 @@ struct dw_mci_slot {
+ */
+ struct dw_mci_drv_data {
+ unsigned long *caps;
++ u32 num_caps;
+ int (*init)(struct dw_mci *host);
+ void (*set_ios)(struct dw_mci *host, struct mmc_ios *ios);
+ int (*parse_dt)(struct dw_mci *host);
diff --git a/queue-4.14/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.14/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
new file mode 100644
index 00000000000..0af53d87407
--- /dev/null
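Review bot: The bound check `if (ctrl_id >= drv_data->num_caps)` in dw_mci_init_slot_caps() compares an `int` with the `u32` field this patch adds to struct dw_mci_drv_data, so a negative id is rejected only because it is converted to a large unsigned value. The non-DT branch takes `to_platform_device(host->dev)->id` without the `< 0` clamp that the DT branch has, so that path depends on the conversion. Write the lower bound out so the check survives a later change of the field's type: `if (ctrl_id < 0 || ctrl_id >= drv_data->num_caps) {`. The function starts and ends outside the hunk.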
+++ b/queue-4.14/mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
@@ -0,0 +1,37 @@
+From 325501d9360eb42c7c51e6daa0d733844c1e790b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 13:44:19 +0100
+Subject: mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven
+
+commit 325501d9360eb42c7c51e6daa0d733844c1e790b upstream.
+
+The hs_timing_cfg[] array is indexed using a value derived from the
+"mshcN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 361c7fe9b02eee7e ("mmc: dw_mmc-k3: add sd support for hi3660")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Shawn Lin
+Cc:
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/dw_mmc-k3.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/dw_mmc-k3.c
++++ b/drivers/mmc/host/dw_mmc-k3.c
+@@ -135,6 +135,9 @@ static int dw_mci_hi6220_parse_dt(struct
+ if (priv->ctrl_id < 0)
+ priv->ctrl_id = 0;
+
++ if (priv->ctrl_id >= TIMING_MODE)
++ return -EINVAL;
++
+ host->priv = priv;
+ return 0;
+ }
diff --git a/queue-4.14/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch b/queue-4.14/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
new file mode 100644
index 00000000000..5a47046f773
--- /dev/null
+++ b/queue-4.14/mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
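Review bot: The range check added to dw_mci_hi6220_parse_dt() returns `-EINVAL` without logging anything, while the matching check added to dw_mmc.c on this page reports the rejected id with dev_err(). A probe that fails because of a wrong "mshcN" alias is hard to diagnose without a message; consider `dev_err(host->dev, "invalid controller id %d\n", priv->ctrl_id);` before the return. Whether TIMING_MODE is the dimension that ctrl_id indexes cannot be confirmed from the hunk, because the hs_timing_cfg[] declaration is outside it, and the function itself starts above the hunk.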
@@ -0,0 +1,92 @@
+From f8870ae6e2d6be75b1accc2db981169fdfbea7ab Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Wed, 14 Feb 2018 15:57:43 +0200
+Subject: mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
+
+From: Adrian Hunter
+
+commit f8870ae6e2d6be75b1accc2db981169fdfbea7ab upstream.
+
+Tuning can leave the IP in an active state (Buffer Read Enable bit set)
+which prevents the entry to low power states (i.e. S0i3). Data reset will
+clear it.
+
+Generally tuning is followed by a data transfer which will anyway sort out
+the state, so it is rare that S0i3 is actually prevented.
+
+Signed-off-by: Adrian Hunter
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-pci-core.c | 35 +++++++++++++++++++++++++++++++----
+ 1 file changed, 31 insertions(+), 4 deletions(-)
+
+--- a/drivers/mmc/host/sdhci-pci-core.c
++++ b/drivers/mmc/host/sdhci-pci-core.c
+@@ -594,9 +594,36 @@ static void byt_read_dsm(struct sdhci_pc
+ slot->chip->rpm_retune = intel_host->d3_retune;
+ }
+
+-static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
++static int intel_execute_tuning(struct mmc_host *mmc, u32 opcode)
++{
++ int err = sdhci_execute_tuning(mmc, opcode);
++ struct sdhci_host *host = mmc_priv(mmc);
++
++ if (err)
++ return err;
++
++ /*
++ * Tuning can leave the IP in an active state (Buffer Read Enable bit
++ * set) which prevents the entry to low power states (i.e. S0i3). Data
++ * reset will clear it.
++ */
++ sdhci_reset(host, SDHCI_RESET_DATA);
++
++ return 0;
++}
++
++static void byt_probe_slot(struct sdhci_pci_slot *slot)
+ {
++ struct mmc_host_ops *ops = &slot->host->mmc_host_ops;
++
+ byt_read_dsm(slot);
++
++ ops->execute_tuning = intel_execute_tuning;
++}
++
++static int byt_emmc_probe_slot(struct sdhci_pci_slot *slot)
++{
++ byt_probe_slot(slot);
+ slot->host->mmc->caps |= MMC_CAP_8_BIT_DATA | MMC_CAP_NONREMOVABLE |
+ MMC_CAP_HW_RESET | MMC_CAP_1_8V_DDR |
+ MMC_CAP_CMD_DURING_TFR |
+@@ -651,7 +678,7 @@ static int ni_byt_sdio_probe_slot(struct
+ {
+ int err;
+
+- byt_read_dsm(slot);
++ byt_probe_slot(slot);
+
+ err = ni_set_max_freq(slot);
+ if (err)
+@@ -664,7 +691,7 @@ static int ni_byt_sdio_probe_slot(struct
+
+ static int byt_sdio_probe_slot(struct sdhci_pci_slot *slot)
+ {
+- byt_read_dsm(slot);
++ byt_probe_slot(slot);
+ slot->host->mmc->caps |= MMC_CAP_POWER_OFF_CARD | MMC_CAP_NONREMOVABLE |
+ MMC_CAP_WAIT_WHILE_BUSY;
+ return 0;
+@@ -672,7 +699,7 @@ static int byt_sdio_probe_slot(struct sd
+
+ static int byt_sd_probe_slot(struct sdhci_pci_slot *slot)
+ {
+- byt_read_dsm(slot);
++ byt_probe_slot(slot);
+ slot->host->mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY |
+ MMC_CAP_AGGRESSIVE_PM | MMC_CAP_CD_WAKE;
+ slot->cd_idx = 0;
diff --git a/queue-4.14/parisc-fix-ordering-of-cache-and-tlb-flushes.patch b/queue-4.14/parisc-fix-ordering-of-cache-and-tlb-flushes.patch
new file mode 100644
index 00000000000..ac57b2c17f1
--- /dev/null
+++ b/queue-4.14/parisc-fix-ordering-of-cache-and-tlb-flushes.patch
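Review bot: intel_execute_tuning() issues the data reset only when sdhci_execute_tuning() succeeds; on the `if (err) return err;` path the controller stays in whatever state the failed tuning left it. If a failed tuning can also leave Buffer Read Enable set, which the hunk does not show, the low-power entry problem described in the comment would remain on that path. Either do the `sdhci_reset(host, SDHCI_RESET_DATA);` before returning `err` as well, or extend the comment with one line saying why the error path needs no reset.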
@@ -0,0 +1,214 @@
+From 0adb24e03a124b79130c9499731936b11ce2677d Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Tue, 27 Feb 2018 08:16:07 -0500
+Subject: parisc: Fix ordering of cache and TLB flushes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John David Anglin
+
+commit 0adb24e03a124b79130c9499731936b11ce2677d upstream.
+
+The change to flush_kernel_vmap_range() wasn't sufficient to avoid the
+SMP stalls.  The problem is some drivers call these routines with
+interrupts disabled.  Interrupts need to be enabled for flush_tlb_all()
+and flush_cache_all() to work.  This version adds checks to ensure
+interrupts are not disabled before calling routines that need IPI
+interrupts.  When interrupts are disabled, we now drop into slower code.
+
+The attached change fixes the ordering of cache and TLB flushes in
+several cases.  When we flush the cache using the existing PTE/TLB
+entries, we need to flush the TLB after doing the cache flush.  We don't
+need to do this when we flush the entire instruction and data caches as
+these flushes don't use the existing TLB entries.  The same is true for
+tmpalias region flushes.
+
+The flush_kernel_vmap_range() and invalidate_kernel_vmap_range()
+routines have been updated.
+
+Secondly, we added a new purge_kernel_dcache_range_asm() routine to
+pacache.S and use it in invalidate_kernel_vmap_range().  Nominally,
+purges are faster than flushes as the cache lines don't have to be
+written back to memory.
+
+Hopefully, this is sufficient to resolve the remaining problems due to
+cache speculation.  So far, testing indicates that this is the case.  I
+did work up a patch using tmpalias flushes, but there is a performance
+hit because we need the physical address for each page, and we also need
+to sequence access to the tmpalias flush code.  This increases the
+probability of stalls.
+
+Signed-off-by: John David Anglin 
+Cc: stable@vger.kernel.org # 4.9+
+Signed-off-by: Helge Deller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/cacheflush.h | 1
+ arch/parisc/kernel/cache.c | 57 +++++++++++++++++++----------------
+ arch/parisc/kernel/pacache.S | 22 +++++++++++++
+ 3 files changed, 54 insertions(+), 26 deletions(-)
+
+--- a/arch/parisc/include/asm/cacheflush.h
++++ b/arch/parisc/include/asm/cacheflush.h
+@@ -26,6 +26,7 @@ void flush_user_icache_range_asm(unsigne
+ void flush_kernel_icache_range_asm(unsigned long, unsigned long);
+ void flush_user_dcache_range_asm(unsigned long, unsigned long);
+ void flush_kernel_dcache_range_asm(unsigned long, unsigned long);
++void purge_kernel_dcache_range_asm(unsigned long, unsigned long);
+ void flush_kernel_dcache_page_asm(void *);
+ void flush_kernel_icache_page(void *);
+
+--- a/arch/parisc/kernel/cache.c
++++ b/arch/parisc/kernel/cache.c
+@@ -465,10 +465,10 @@ EXPORT_SYMBOL(copy_user_page);
+ int __flush_tlb_range(unsigned long sid, unsigned long start,
+ unsigned long end)
+ {
+- unsigned long flags, size;
++ unsigned long flags;
+
+- size = (end - start);
+- if (size >= parisc_tlb_flush_threshold) {
++ if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++ end - start >= parisc_tlb_flush_threshold) {
+ flush_tlb_all();
+ return 1;
+ }
+@@ -539,13 +539,11 @@ void flush_cache_mm(struct mm_struct *mm
+ struct vm_area_struct *vma;
+ pgd_t *pgd;
+
+- /* Flush the TLB to avoid speculation if coherency is required. */
+- if (parisc_requires_coherency())
+- flush_tlb_all();
+-
+ /* Flushing the whole cache on each cpu takes forever on
+ rp3440, etc. So, avoid it if the mm isn't too big. */
+- if (mm_total_size(mm) >= parisc_cache_flush_threshold) {
++ if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++ mm_total_size(mm) >= parisc_cache_flush_threshold) {
++ flush_tlb_all();
+ flush_cache_all();
+ return;
+ }
+@@ -553,9 +551,9 @@ void flush_cache_mm(struct mm_struct *mm
+ if (mm->context == mfsp(3)) {
+ for (vma = mm->mmap; vma; vma = vma->vm_next) {
+ flush_user_dcache_range_asm(vma->vm_start, vma->vm_end);
+- if ((vma->vm_flags & VM_EXEC) == 0)
+- continue;
+- flush_user_icache_range_asm(vma->vm_start, vma->vm_end);
++ if (vma->vm_flags & VM_EXEC)
++ flush_user_icache_range_asm(vma->vm_start, vma->vm_end);
++ flush_tlb_range(vma, vma->vm_start, vma->vm_end);
+ }
+ return;
+ }
+@@ -581,14 +579,9 @@ void flush_cache_mm(struct mm_struct *mm
+ void flush_cache_range(struct vm_area_struct *vma,
+ unsigned long start, unsigned long end)
+ {
+- BUG_ON(!vma->vm_mm->context);
+-
+- /* Flush the TLB to avoid speculation if coherency is required. */
+- if (parisc_requires_coherency())
++ if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++ end - start >= parisc_cache_flush_threshold) {
+ flush_tlb_range(vma, start, end);
+-
+- if ((end - start) >= parisc_cache_flush_threshold
+- || vma->vm_mm->context != mfsp(3)) {
+ flush_cache_all();
+ return;
+ }
+@@ -596,6 +589,7 @@ void flush_cache_range(struct vm_area_st
+ flush_user_dcache_range_asm(start, end);
+ if (vma->vm_flags & VM_EXEC)
+ flush_user_icache_range_asm(start, end);
++ flush_tlb_range(vma, start, end);
+ }
+
+ void
+@@ -604,8 +598,7 @@ flush_cache_page(struct vm_area_struct *
+ BUG_ON(!vma->vm_mm->context);
+
+ if (pfn_valid(pfn)) {
+- if (parisc_requires_coherency())
+- flush_tlb_page(vma, vmaddr);
++ flush_tlb_page(vma, vmaddr);
+ __flush_cache_page(vma, vmaddr, PFN_PHYS(pfn));
+ }
+ }
+@@ -613,21 +606,33 @@ flush_cache_page(struct vm_area_struct *
+ void flush_kernel_vmap_range(void *vaddr, int size)
+ {
+ unsigned long start = (unsigned long)vaddr;
++ unsigned long end = start + size;
+
+- if ((unsigned long)size > parisc_cache_flush_threshold)
++ if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++ (unsigned long)size >= parisc_cache_flush_threshold) {
++ flush_tlb_kernel_range(start, end);
+ flush_data_cache();
+- else
+- flush_kernel_dcache_range_asm(start, start + size);
++ return;
++ }
++
++ flush_kernel_dcache_range_asm(start, end);
++ flush_tlb_kernel_range(start, end);
+ }
+ EXPORT_SYMBOL(flush_kernel_vmap_range);
+
+ void invalidate_kernel_vmap_range(void *vaddr, int size)
+ {
+ unsigned long start = (unsigned long)vaddr;
++ unsigned long end = start + size;
+
+- if ((unsigned long)size > parisc_cache_flush_threshold)
++ if ((!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled()) &&
++ (unsigned long)size >= parisc_cache_flush_threshold) {
++ flush_tlb_kernel_range(start, end);
+ flush_data_cache();
+- else
+- flush_kernel_dcache_range_asm(start, start + size);
++ return;
++ }
++
++ purge_kernel_dcache_range_asm(start, end);
++ flush_tlb_kernel_range(start, end);
+ }
+ EXPORT_SYMBOL(invalidate_kernel_vmap_range);
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -1110,6 +1110,28 @@ ENTRY_CFI(flush_kernel_dcache_range_asm)
+ .procend
+ ENDPROC_CFI(flush_kernel_dcache_range_asm)
+
++ENTRY_CFI(purge_kernel_dcache_range_asm)
++ .proc
++ .callinfo NO_CALLS
++ .entry
++
++ ldil L%dcache_stride, %r1
++ ldw R%dcache_stride(%r1), %r23
++ ldo -1(%r23), %r21
++ ANDCM %r26, %r21, %r26
++
++1: cmpb,COND(<<),n %r26, %r25,1b
++ pdc,m %r23(%r26)
++
++ sync
++ syncdma
++ bv %r0(%r2)
++ nop
++ .exit
++
++ .procend
++ENDPROC_CFI(purge_kernel_dcache_range_asm)
++
+ ENTRY_CFI(flush_user_icache_range_asm)
+ .proc
+ .callinfo NO_CALLS
diff --git a/queue-4.14/parisc-reduce-irq-overhead-when-run-in-qemu.patch b/queue-4.14/parisc-reduce-irq-overhead-when-run-in-qemu.patch
new file mode 100644
index 00000000000..7786aceaa26
--- /dev/null
+++ b/queue-4.14/parisc-reduce-irq-overhead-when-run-in-qemu.patch
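Review bot: flush_cache_range() loses its `vma->vm_mm->context != mfsp(3)` test: the removed condition sent ranges of another address space to flush_cache_all(), whereas the new code reaches `flush_user_dcache_range_asm(start, end)` for any range below the threshold. flush_cache_mm() in the same file still guards its user-range flushes with `if (mm->context == mfsp(3))`, so the two paths now disagree; if the user-range routines act on the current space, as that guard suggests, a small range in a foreign mm would be flushed at the wrong addresses. Keep the guard on the range path, for example `if (vma->vm_mm->context == mfsp(3)) {` around the three range calls, with a fallback for the other case. As a style point, `(!IS_ENABLED(CONFIG_SMP) || !arch_irqs_disabled())` is repeated in five functions and would be clearer as one static inline helper with a comment saying that the whole-cache and whole-TLB flushes need IPIs.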
@@ -0,0 +1,60 @@
+From 636a415bcc7f4fd020ece8fd5fc648c4cef19c34 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Mon, 12 Feb 2018 21:43:55 +0100
+Subject: parisc: Reduce irq overhead when run in qemu
+
+From: Helge Deller
+
+commit 636a415bcc7f4fd020ece8fd5fc648c4cef19c34 upstream.
+
+When run under QEMU, calling mfctl(16) creates some overhead because the
+qemu timer has to be scaled and moved into the register. This patch
+reduces the number of calls to mfctl(16) by moving the calls out of the
+loops.
+
+Additionally, increase the minimal time interval to 8000 cycles instead
+of 500 to compensate possible QEMU delays when delivering interrupts.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/time.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -76,10 +76,10 @@ irqreturn_t __irq_entry timer_interrupt(
+ next_tick = cpuinfo->it_value;
+
+ /* Calculate how many ticks have elapsed. */
++ now = mfctl(16);
+ do {
+ ++ticks_elapsed;
+ next_tick += cpt;
+- now = mfctl(16);
+ } while (next_tick - now > cpt);
+
+ /* Store (in CR16 cycles) up to when we are accounting right now. */
+@@ -103,16 +103,17 @@ irqreturn_t __irq_entry timer_interrupt(
+ * if one or the other wrapped. If "now" is "bigger" we'll end up
+ * with a very large unsigned number.
+ */
+- while (next_tick - mfctl(16) > cpt)
++ now = mfctl(16);
++ while (next_tick - now > cpt)
+ next_tick += cpt;
+
+ /* Program the IT when to deliver the next interrupt.
+ * Only bottom 32-bits of next_tick are writable in CR16!
+ * Timer interrupt will be delivered at least a few hundred cycles
+- * after the IT fires, so if we are too close (<= 500 cycles) to the
++ * after the IT fires, so if we are too close (<= 8000 cycles) to the
+ * next cycle, simply skip it.
+ */
+- if (next_tick - mfctl(16) <= 500)
++ if (next_tick - now <= 8000)
+ next_tick += cpt;
+ mtctl(next_tick, 16);
+
diff --git a/queue-4.14/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch b/queue-4.14/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
new file mode 100644
index 00000000000..be6236e59d1
--- /dev/null
+++ b/queue-4.14/parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
@@ -0,0 +1,43 @@
+From 5ffa8518851f1401817c15d2a7eecc0373c26ff9 Mon Sep 17 00:00:00 2001
+From: Helge Deller
+Date: Fri, 12 Jan 2018 22:44:00 +0100
+Subject: parisc: Use cr16 interval timers unconditionally on qemu
+
+From: Helge Deller
+
+commit 5ffa8518851f1401817c15d2a7eecc0373c26ff9 upstream.
+
+When running on qemu we know that the (emulated) cr16 cpu-internal
+clocks are syncronized. So let's use them unconditionally on qemu.
+
+Signed-off-by: Helge Deller
+Cc: stable@vger.kernel.org # 4.14+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/processor.h | 2 ++
+ arch/parisc/kernel/time.c | 2 +-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/processor.h
++++ b/arch/parisc/include/asm/processor.h
+@@ -316,6 +316,8 @@ extern int _parisc_requires_coherency;
+ #define parisc_requires_coherency() (0)
+ #endif
+
++extern int running_on_qemu;
++
+ #endif /* __ASSEMBLY__ */
+
+ #endif /* __ASM_PARISC_PROCESSOR_H */
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -248,7 +248,7 @@ static int __init init_cr16_clocksource(
+ * different sockets, so mark them unstable and lower rating on
+ * multi-socket SMP systems.
+ */
+- if (num_online_cpus() > 1) {
++ if (num_online_cpus() > 1 && !running_on_qemu) {
+ int cpu;
+ unsigned long cpu0_loc;
+ cpu0_loc = per_cpu(cpu_data, 0).cpu_loc;
diff --git a/queue-4.14/series b/queue-4.14/series
index 6a19875c2af..0448a6dc58e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
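Review bot: The comment above the skip test in timer_interrupt() still justifies the threshold with "at least a few hundred cycles", which explains the old 500 but not the new 8000 in `if (next_tick - now <= 8000)`. The description gives the reason (interrupt delivery delays under QEMU), and the larger value applies to every machine, so the comment should say so, for example by adding `* (8000 rather than a few hundred cycles to allow for interrupt delivery delays under QEMU)`. A named constant in place of the bare 8000 would keep the comment and the test from drifting apart again. The function starts and ends outside the hunk.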
@@ -7,3 +7,27 @@ tpm_i2c_nuvoton-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.
 tpm_tis-fix-potential-buffer-overruns-caused-by-bit-glitches-on-the-bus.patch
 tpm-constify-transmit-data-pointers.patch
 tpm_tis_spi-use-dma-safe-memory-for-spi-transfers.patch
+alsa-usb-audio-add-a-quirck-for-b-w-px-headphones.patch
+alsa-control-fix-memory-corruption-risk-in-snd_ctl_elem_read.patch
+alsa-x86-fix-missing-spinlock-and-mutex-initializations.patch
+alsa-hda-add-a-power_save-blacklist.patch
+alsa-hda-fix-pincfg-at-resume-on-lenovo-t470-dock.patch
+mmc-sdhci-pci-fix-s0i3-for-intel-byt-based-controllers.patch
+mmc-dw_mmc-k3-fix-out-of-bounds-access-through-dt-alias.patch
+mmc-dw_mmc-avoid-accessing-registers-in-runtime-suspended-state.patch
+mmc-dw_mmc-factor-out-dw_mci_init_slot_caps.patch
+mmc-dw_mmc-fix-out-of-bounds-access-for-slot-s-caps.patch
+timers-forward-timer-base-before-migrating-timers.patch
+parisc-use-cr16-interval-timers-unconditionally-on-qemu.patch
+parisc-reduce-irq-overhead-when-run-in-qemu.patch
+parisc-fix-ordering-of-cache-and-tlb-flushes.patch
+btrfs-use-proper-endianness-accessors-for-super_copy.patch
+block-fix-the-count-of-pgpgout-for-write_same.patch
+block-kyber-fix-domain-token-leak-during-requeue.patch
+vfio-disable-filesystem-dax-page-pinning.patch
+cpufreq-s3c24xx-fix-broken-s3c_cpufreq_init.patch
+dax-fix-vma_is_fsdax-helper.patch
+direct-io-fix-sleep-in-atomic-due-to-sync-aio.patch
+x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
+x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
+x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
diff --git a/queue-4.14/timers-forward-timer-base-before-migrating-timers.patch b/queue-4.14/timers-forward-timer-base-before-migrating-timers.patch
new file mode 100644
index 00000000000..61ac1a1b211
--- /dev/null
+++ b/queue-4.14/timers-forward-timer-base-before-migrating-timers.patch
@@ -0,0 +1,84 @@
+From c52232a49e203a65a6e1a670cd5262f59e9364a0 Mon Sep 17 00:00:00 2001
+From: Lingutla Chandrasekhar
+Date: Thu, 18 Jan 2018 17:20:22 +0530
+Subject: timers: Forward timer base before migrating timers
+
+From: Lingutla Chandrasekhar
+
+commit c52232a49e203a65a6e1a670cd5262f59e9364a0 upstream.
+
+On CPU hotunplug the enqueued timers of the unplugged CPU are migrated to a
+live CPU. This happens from the control thread which initiated the unplug.
+
+If the CPU on which the control thread runs came out from a longer idle
+period then the base clock of that CPU might be stale because the control
+thread runs prior to any event which forwards the clock.
+
+In such a case the timers from the unplugged CPU are queued on the live CPU
+based on the stale clock which can cause large delays due to increased
+granularity of the outer timer wheels which are far away from base:;clock.
+
+But there is a worse problem than that. The following sequence of events
+illustrates it:
+
+ - CPU0 timer1 is queued expires = 59969 and base->clk = 59131.
+
+ The timer is queued at wheel level 2, with resulting expiry time = 60032
+ (due to level granularity).
+
+ - CPU1 enters idle @60007, with next timer expiry @60020.
+
+ - CPU0 is hotplugged at @60009
+
+ - CPU1 exits idle and runs the control thread which migrates the
+ timers from CPU0
+
+ timer1 is now queued in level 0 for immediate handling in the next
+ softirq because the requested expiry time 59969 is before CPU1 base->clk
+ 60007
+
+ - CPU1 runs code which forwards the base clock which succeeds because the
+ next expiring timer. which was collected at idle entry time is still set
+ to 60020.
+
+ So it forwards beyond 60007 and therefore misses to expire the migrated
+ timer1. That timer gets expired when the wheel wraps around again, which
+ takes between 63 and 630ms depending on the HZ setting.
+
+Address both problems by invoking forward_timer_base() for the control CPUs
+timer base. All other places, which might run into a similar problem
+(mod_timer()/add_timer_on()) already invoke forward_timer_base() to avoid
+that.
+
+[ tglx: Massaged comment and changelog ]
+
+Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible")
+Co-developed-by: Neeraj Upadhyay
+Signed-off-by: Neeraj Upadhyay
+Signed-off-by: Lingutla Chandrasekhar
+Signed-off-by: Thomas Gleixner
+Cc: Anna-Maria Gleixner
+Cc: linux-arm-msm@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20180118115022.6368-1-clingutla@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/timer.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/time/timer.c
++++ b/kernel/time/timer.c
+@@ -1834,6 +1834,12 @@ int timers_dead_cpu(unsigned int cpu)
+ raw_spin_lock_irq(&new_base->lock);
+ raw_spin_lock_nested(&old_base->lock, SINGLE_DEPTH_NESTING);
+
++ /*
++ * The current CPUs base clock might be stale. Update it
++ * before moving the timers over.
++ */
++ forward_timer_base(new_base);
++
+ BUG_ON(old_base->running_timer);
+
+ for (i = 0; i < WHEEL_SIZE; i++)
diff --git a/queue-4.14/vfio-disable-filesystem-dax-page-pinning.patch b/queue-4.14/vfio-disable-filesystem-dax-page-pinning.patch
new file mode 100644
index 00000000000..788a29e547c
--- /dev/null
+++ b/queue-4.14/vfio-disable-filesystem-dax-page-pinning.patch
@@ -0,0 +1,80 @@
+From 94db151dc89262bfa82922c44e8320cea2334667 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Sun, 4 Feb 2018 10:34:02 -0800
+Subject: vfio: disable filesystem-dax page pinning
+
+From: Dan Williams
+
+commit 94db151dc89262bfa82922c44e8320cea2334667 upstream.
+
+Filesystem-DAX is incompatible with 'longterm' page pinning. Without
+page cache indirection a DAX mapping maps filesystem blocks directly.
+This means that the filesystem must not modify a file's block map while
+any page in a mapping is pinned. In order to prevent the situation of
+userspace holding of filesystem operations indefinitely, disallow
+'longterm' Filesystem-DAX mappings.
+
+RDMA has the same conflict and the plan there is to add a 'with lease'
+mechanism to allow the kernel to notify userspace that the mapping is
+being torn down for block-map maintenance. Perhaps something similar can
+be put in place for vfio.
+
+Note that xfs and ext4 still report:
+
+ "DAX enabled. Warning: EXPERIMENTAL, use at your own risk"
+
+...at mount time, and resolving the dax-dma-vs-truncate problem is one
+of the last hurdles to remove that designation.
+
+Acked-by: Alex Williamson
+Cc: Michal Hocko
+Cc: kvm@vger.kernel.org
+Cc:
+Reported-by: Haozhong Zhang
+Tested-by: Haozhong Zhang
+Fixes: d475c6346a38 ("dax,ext2: replace XIP read and write with DAX I/O")
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/vfio/vfio_iommu_type1.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/drivers/vfio/vfio_iommu_type1.c
++++ b/drivers/vfio/vfio_iommu_type1.c
+@@ -338,11 +338,12 @@ static int vaddr_get_pfn(struct mm_struc
+ {
+ struct page *page[1];
+ struct vm_area_struct *vma;
++ struct vm_area_struct *vmas[1];
+ int ret;
+
+ if (mm == current->mm) {
+- ret = get_user_pages_fast(vaddr, 1, !!(prot & IOMMU_WRITE),
+- page);
++ ret = get_user_pages_longterm(vaddr, 1, !!(prot & IOMMU_WRITE),
++ page, vmas);
+ } else {
+ unsigned int flags = 0;
+
+@@ -351,7 +352,18 @@ static int vaddr_get_pfn(struct mm_struc
+
+ down_read(&mm->mmap_sem);
+ ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
+- NULL, NULL);
++ vmas, NULL);
++ /*
++ * The lifetime of a vaddr_get_pfn() page pin is
++ * userspace-controlled. In the fs-dax case this could
++ * lead to indefinite stalls in filesystem operations.
++ * Disallow attempts to pin fs-dax pages via this
++ * interface.
++ */
++ if (ret > 0 && vma_is_fsdax(vmas[0])) {
++ ret = -EOPNOTSUPP;
++ put_page(page[0]);
++ }
+ up_read(&mm->mmap_sem);
+ }
+
diff --git a/queue-4.14/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch b/queue-4.14/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
new file mode 100644
index 00000000000..d0367976c5f
--- /dev/null
+++ b/queue-4.14/x86-cpu_entry_area-sync-cpu_entry_area-to-initial_page_table.patch
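Review bot: In vaddr_get_pfn() the `mm == current->mm` branch now calls `get_user_pages_longterm()` where it used to call `get_user_pages_fast()`, but nothing in the hunk takes `mm->mmap_sem` around it, while the remote branch below does `down_read(&mm->mmap_sem)`. get_user_pages_fast() is the lockless variant; the get_user_pages() family that the longterm call belongs to expects the caller to hold mmap_sem, so the VMA array it fills could be read while the address space is changing. The third argument is also a gup_flags bitmask rather than a write boolean, so `!!(prot & IOMMU_WRITE)` is correct only as long as FOLL_WRITE equals 1. Taking the semaphore once around both branches and passing the same `flags` to both addresses each point; the lines that set `flags` fall between the two hunks and are assumed to set FOLL_WRITE.

```c
	struct vm_area_struct *vmas[1];
	unsigned int flags = 0;
	int ret;

	if (prot & IOMMU_WRITE)
		flags |= FOLL_WRITE;

	down_read(&mm->mmap_sem);
	if (mm == current->mm) {
		ret = get_user_pages_longterm(vaddr, 1, flags, page, vmas);
	} else {
		ret = get_user_pages_remote(NULL, mm, vaddr, 1, flags, page,
					    vmas, NULL);
		/* … unchanged: fs-dax check that drops the pin and sets -EOPNOTSUPP … */
	}
	up_read(&mm->mmap_sem);
```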
@@ -0,0 +1,163 @@
+From 945fd17ab6bab8a4d05da6c3170519fbcfe62ddb Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Wed, 28 Feb 2018 21:14:26 +0100
+Subject: x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
+
+From: Thomas Gleixner
+
+commit 945fd17ab6bab8a4d05da6c3170519fbcfe62ddb upstream.
+
+The separation of the cpu_entry_area from the fixmap missed the fact that
+on 32bit non-PAE kernels the cpu_entry_area mapping might not be covered in
+initial_page_table by the previous synchronizations.
+
+This results in suspend/resume failures because 32bit utilizes initial page
+table for resume. The absence of the cpu_entry_area mapping results in a
+triple fault, aka. insta reboot.
+
+With PAE enabled this works by chance because the PGD entry which covers
+the fixmap and other parts incindentally provides the cpu_entry_area
+mapping as well.
+
+Synchronize the initial page table after setting up the cpu entry
+area. Instead of adding yet another copy of the same code, move it to a
+function and invoke it from the various places.
+
+It needs to be investigated if the existing calls in setup_arch() and
+setup_per_cpu_areas() can be replaced by the later invocation from
+setup_cpu_entry_areas(), but that's beyond the scope of this fix.
+
+Fixes: 92a0f81d8957 ("x86/cpu_entry_area: Move it out of the fixmap")
+Reported-by: Woody Suwalski
+Signed-off-by: Thomas Gleixner
+Tested-by: Woody Suwalski
+Cc: William Grant
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1802282137290.1392@nanos.tec.linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/pgtable_32.h | 1 +
+ arch/x86/include/asm/pgtable_64.h | 1 +
+ arch/x86/kernel/setup.c | 17 +++++------------
+ arch/x86/kernel/setup_percpu.c | 17 ++++-------------
+ arch/x86/mm/cpu_entry_area.c | 6 ++++++
+ arch/x86/mm/init_32.c | 15 +++++++++++++++
+ 6 files changed, 32 insertions(+), 25 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable_32.h
++++ b/arch/x86/include/asm/pgtable_32.h
+@@ -32,6 +32,7 @@ extern pmd_t initial_pg_pmd[];
+ static inline void pgtable_cache_init(void) { }
+ static inline void check_pgt_cache(void) { }
+ void paging_init(void);
++void sync_initial_page_table(void);
+
+ /*
+ * Define this if things work differently on an i386 and an i486:
+--- a/arch/x86/include/asm/pgtable_64.h
++++ b/arch/x86/include/asm/pgtable_64.h
+@@ -28,6 +28,7 @@ extern pgd_t init_top_pgt[];
+ #define swapper_pg_dir init_top_pgt
+
+ extern void paging_init(void);
++static inline void sync_initial_page_table(void) { }
+
+ #define pte_ERROR(e) \
+ pr_err("%s:%d: bad pte %p(%016lx)\n", \
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1238,20 +1238,13 @@ void __init setup_arch(char **cmdline_p)
+
+ kasan_init();
+
+-#ifdef CONFIG_X86_32
+- /* sync back kernel address range */
+- clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+- swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- KERNEL_PGD_PTRS);
+-
+ /*
+- * sync back low identity map too. It is used for example
+- * in the 32-bit EFI stub.
++ * Sync back kernel address range.
++ *
++ * FIXME: Can the later sync in setup_cpu_entry_areas() replace
++ * this call?
+ */
+- clone_pgd_range(initial_page_table,
+- swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+-#endif
++ sync_initial_page_table();
+
+ tboot_probe();
+
+--- a/arch/x86/kernel/setup_percpu.c
++++ b/arch/x86/kernel/setup_percpu.c
+@@ -287,24 +287,15 @@ void __init setup_per_cpu_areas(void)
+ /* Setup cpu initialized, callin, callout masks */
+ setup_cpu_local_masks();
+
+-#ifdef CONFIG_X86_32
+ /*
+ * Sync back kernel address range again. We already did this in
+ * setup_arch(), but percpu data also needs to be available in
+ * the smpboot asm. We can't reliably pick up percpu mappings
+ * using vmalloc_fault(), because exception dispatch needs
+ * percpu data.
++ *
++ * FIXME: Can the later sync in setup_cpu_entry_areas() replace
++ * this call?
+ */
+- clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
+- swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- KERNEL_PGD_PTRS);
+-
+- /*
+- * sync back low identity map too. It is used for example
+- * in the 32-bit EFI stub.
+- */
+- clone_pgd_range(initial_page_table,
+- swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+-#endif
++ sync_initial_page_table();
+ }
+--- a/arch/x86/mm/cpu_entry_area.c
++++ b/arch/x86/mm/cpu_entry_area.c
+@@ -163,4 +163,10 @@ void __init setup_cpu_entry_areas(void)
+
+ for_each_possible_cpu(cpu)
+ setup_cpu_entry_area(cpu);
++
++ /*
++ * This is the last essential update to swapper_pgdir which needs
++ * to be synchronized to initial_page_table on 32bit.
++ */
++ sync_initial_page_table();
+ }
+--- a/arch/x86/mm/init_32.c
++++ b/arch/x86/mm/init_32.c
+@@ -453,6 +453,21 @@ static inline void permanent_kmaps_init(
+ }
+ #endif /* CONFIG_HIGHMEM */
+
++void __init sync_initial_page_table(void)
++{
++ clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ KERNEL_PGD_PTRS);
++
++ /*
++ * sync back low identity map too. It is used for example
++ * in the 32-bit EFI stub.
++ */
++ clone_pgd_range(initial_page_table,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min(KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
++}
++
+ void __init native_pagetable_init(void)
+ {
+ unsigned long pfn, va;
diff --git a/queue-4.14/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch b/queue-4.14/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
new file mode 100644
index 00000000000..3fc39fa01c6
--- /dev/null
+++ b/queue-4.14/x86-platform-intel-mid-handle-intel-edison-reboot-correctly.patch
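Review bot: sync_initial_page_table() is added in init_32.c without a header comment, and the comments kept at the call sites in setup_arch() and setup_per_cpu_areas() no longer say that the sync is 32-bit only now that the `#ifdef CONFIG_X86_32` guards are gone. I would document the helper where it is defined, e.g. `/* Copy the kernel PGD entries of swapper_pg_dir into initial_page_table; 64-bit builds get the empty stub from pgtable_64.h. */`, so a reader of the callers does not have to find the stub to see that the call does nothing there. The second `clone_pgd_range()` call takes its source from `swapper_pg_dir + KERNEL_PGD_BOUNDARY` for the low identity map; this is carried over unchanged from the removed code, but a short why-comment on that offset would help the next reader.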
@@ -0,0 +1,45 @@
+From 028091f82eefd5e84f81cef81a7673016ecbe78b Mon Sep 17 00:00:00 2001
+From: Sebastian Panceac
+Date: Wed, 28 Feb 2018 11:40:49 +0200
+Subject: x86/platform/intel-mid: Handle Intel Edison reboot correctly
+
+From: Sebastian Panceac
+
+commit 028091f82eefd5e84f81cef81a7673016ecbe78b upstream.
+
+When the Intel Edison module is powered with 3.3V, the reboot command makes
+the module stuck. If the module is powered at a greater voltage, like 4.4V
+(as the Edison Mini Breakout board does), reboot works OK.
+
+The official Intel Edison BSP sends the IPCMSG_COLD_RESET message to the
+SCU by default. The IPCMSG_COLD_BOOT which is used by the upstream kernel
+is only sent when explicitely selected on the kernel command line.
+
+Use IPCMSG_COLD_RESET unconditionally which makes reboot work independent
+of the power supply voltage.
+
+[ tglx: Massaged changelog ]
+
+Fixes: bda7b072de99 ("x86/platform/intel-mid: Implement power off sequence")
+Signed-off-by: Sebastian Panceac
+Signed-off-by: Thomas Gleixner
+Acked-by: Andy Shevchenko
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/1519810849-15131-1-git-send-email-sebastian@resin.io
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/platform/intel-mid/intel-mid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/platform/intel-mid/intel-mid.c
++++ b/arch/x86/platform/intel-mid/intel-mid.c
+@@ -79,7 +79,7 @@ static void intel_mid_power_off(void)
+
+ static void intel_mid_reboot(void)
+ {
+- intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
++ intel_scu_ipc_simple_command(IPCMSG_COLD_RESET, 0);
+ }
+
+ static unsigned long __init intel_mid_calibrate_tsc(void)
diff --git a/queue-4.14/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch b/queue-4.14/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
new file mode 100644
index 00000000000..04513ddc37c
--- /dev/null
+++ b/queue-4.14/x86-xen-zero-msr_ia32_spec_ctrl-before-suspend.patch
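Review bot: The new `IPCMSG_COLD_RESET` call in intel_mid_reboot() carries no comment, so the reason for preferring it over `IPCMSG_COLD_BOOT` lives only in the changelog. A one-line why-comment would keep the choice from being reverted later, e.g. `/* COLD_RESET: COLD_BOOT leaves an Edison module powered at 3.3V stuck on reboot */`. The result of `intel_scu_ipc_simple_command()` is also discarded on this line, so if the call reports a failure it goes unnoticed; logging it would make a hung reboot easier to diagnose.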
@@ -0,0 +1,79 @@
+From 71c208dd54ab971036d83ff6d9837bae4976e623 Mon Sep 17 00:00:00 2001
+From: Juergen Gross
+Date: Mon, 26 Feb 2018 15:08:18 +0100
+Subject: x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
+
+From: Juergen Gross
+
+commit 71c208dd54ab971036d83ff6d9837bae4976e623 upstream.
+
+Older Xen versions (4.5 and before) might have problems migrating pv
+guests with MSR_IA32_SPEC_CTRL having a non-zero value. So before
+suspending zero that MSR and restore it after being resumed.
+
+Signed-off-by: Juergen Gross
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Jan Beulich
+Cc: stable@vger.kernel.org
+Cc: xen-devel@lists.xenproject.org
+Cc: boris.ostrovsky@oracle.com
+Link: https://lkml.kernel.org/r/20180226140818.4849-1-jgross@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/xen/suspend.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/arch/x86/xen/suspend.c
++++ b/arch/x86/xen/suspend.c
+@@ -1,12 +1,15 @@
+ // SPDX-License-Identifier: GPL-2.0
+ #include
+ #include
++#include
+
+ #include
+ #include
+ #include
+ #include
+
++#include
++#include
+ #include
+ #include
+ #include
+@@ -15,6 +18,8 @@
+ #include "mmu.h"
+ #include "pmu.h"
+
++static DEFINE_PER_CPU(u64, spec_ctrl);
++
+ void xen_arch_pre_suspend(void)
+ {
+ if (xen_pv_domain())
+@@ -31,6 +36,9 @@ void xen_arch_post_suspend(int cancelled
+
+ static void xen_vcpu_notify_restore(void *data)
+ {
++ if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL))
++ wrmsrl(MSR_IA32_SPEC_CTRL, this_cpu_read(spec_ctrl));
++
+ /* Boot processor notified via generic timekeeping_resume() */
+ if (smp_processor_id() == 0)
+ return;
+@@ -40,7 +48,15 @@ static void xen_vcpu_notify_restore(void
+
+ static void xen_vcpu_notify_suspend(void *data)
+ {
++ u64 tmp;
++
+ tick_suspend_local();
++
++ if (xen_pv_domain() && boot_cpu_has(X86_FEATURE_SPEC_CTRL)) {
++ rdmsrl(MSR_IA32_SPEC_CTRL, tmp);
++ this_cpu_write(spec_ctrl, tmp);
++ wrmsrl(MSR_IA32_SPEC_CTRL, 0);
++ }
+ }
+
+ void
xen_arch_resume(void) -- 2.47.3
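Review bot: The per-CPU `spec_ctrl` variable and the zeroing in xen_vcpu_notify_suspend() have no comment, so nothing in the file says that the speculation-control MSR is deliberately cleared from suspend until xen_vcpu_notify_restore() runs. I would add `/* MSR_IA32_SPEC_CTRL is saved here and zeroed across suspend; older Xen cannot migrate PV guests with it set */` above the `DEFINE_PER_CPU` line. The restore is gated on `boot_cpu_has(X86_FEATURE_SPEC_CTRL)`, which presumably reflects the host the guest booted on. Whether the saved value is still valid on the host the guest resumes on, and whether the restore also runs when a suspend is cancelled, is not visible in this hunk and is worth confirming, because a missed restore would leave the mitigation setting at zero.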