From becb9d7acf68d4c37fe275a88e3ac649f7973be2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 20 Feb 2018 12:09:42 +0100 Subject: [PATCH] 4.15-stable patches added patches: arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch console-dummy-leave-.con_font_get-set-to-null.patch drm-amd-powerplay-fix-smu_table_entry.handle-type.patch drm-ast-load-lut-in-crtc_commit.patch drm-check-for-lessee-in-drop_master-ioctl.patch drm-qxl-reapply-cursor-after-resetting-primary.patch drm-qxl-unref-cursor-bo-when-finished-with-it.patch drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch drm-radeon-adjust-tested-variable.patch drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch ext4-correct-documentation-for-grpid-mount-option.patch ext4-fix-a-race-in-the-ext4-shutdown-path.patch ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch jbd2-fix-sphinx-kernel-doc-build-warnings.patch mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch mips-cps-fix-mips_isa_level_raw-fallout.patch mips-fix-incorrect-mem-x-y-handling.patch mips-fix-typo-big_endian-to-cpu_big_endian.patch mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch mm-hide-a-warning-for-compile_test.patch mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch pci-iproc-fix-null-pointer-dereference-for-bcma.patch pci-keystone-fix-interrupt-controller-node-lookup.patch pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch rbd-whitelist-rbd_feature_operations-feature-bit.patch revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch xenbus-track-caller-request-id.patch --- ...umber-for-branch-predictor-hardening.patch | 56 ++ ...ummy-leave-.con_font_get-set-to-null.patch | 32 + ...play-fix-smu_table_entry.handle-type.patch | 35 + .../drm-ast-load-lut-in-crtc_commit.patch | 46 ++ ...heck-for-lessee-in-drop_master-ioctl.patch | 42 ++ ...apply-cursor-after-resetting-primary.patch | 153 ++++ ...nref-cursor-bo-when-finished-with-it.patch | 43 ++ ...-radeon-add-dpm-quirk-for-jet-pro-v2.patch | 40 + .../drm-radeon-adjust-tested-variable.patch | 57 ++ ...n-t-add-swapped-bos-to-swap-lru-list.patch | 43 ++ ...r-update-in-ttm_bo_vm_access_kmap-v2.patch | 48 ++ ...documentation-for-grpid-mount-option.patch | 35 + ...fix-a-race-in-the-ext4-shutdown-path.patch | 56 ++ ...r-to-disk-in-__ext4_grp_locked_error.patch | 37 + ...fix-sphinx-kernel-doc-build-warnings.patch | 708 ++++++++++++++++++ ..._referenced-in-mb_cache_entry_create.patch | 93 +++ ...s-cps-fix-mips_isa_level_raw-fallout.patch | 86 +++ .../mips-fix-incorrect-mem-x-y-handling.patch | 94 +++ ...ix-typo-big_endian-to-cpu_big_endian.patch | 52 ++ ...ty-to-start-from-completion-vector-0.patch | 41 + ...nment-in-devm_memremap_pages_release.patch | 41 + .../mm-hide-a-warning-for-compile_test.patch | 39 + ...rwrite-max-frequency-unconditionally.patch | 35 + ...ment-an-sdhci-specific-bounce-buffer.patch | 307 ++++++++ ...anitize-array-index-in-mpls_label_ok.patch | 107 +++ ...n-hip06-hip07-only-in-root-port-mode.patch | 40 + ...ix-null-pointer-dereference-for-bcma.patch | 86 +++ ...fix-interrupt-controller-node-lookup.patch | 57 ++ ...assume-nocompl-for-thunderbolt-ports.patch | 80 ++ ...t-rbd_feature_operations-feature-bit.patch | 39 + ...gp-io-to-protect-from-vgaarb-changes.patch | 192 +++++ ...clude-tx-phase-in-the-tuning-process.patch | 74 ++ ...mware-error-codes-prevent-busy-loops.patch | 82 ++ ...plete-reset-on-read-from-zero-offset.patch | 41 + queue-4.15/series | 39 + ...obs-with-a-wildcard-at-the-beginning.patch | 82 ++ ...mel_lcdfb-fix-display-timings-lookup.patch | 57 ++ ...bug-when-hot-removing-a-physical-cpu.patch | 113 +++ ...2m_mapping-on-autotranslating-guests.patch | 46 ++ .../xenbus-track-caller-request-id.patch | 95 +++ 40 files changed, 3449 insertions(+) create mode 100644 queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch create mode 100644 queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch create mode 100644 queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch create mode 100644 queue-4.15/drm-ast-load-lut-in-crtc_commit.patch create mode 100644 queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch create mode 100644 queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch create mode 100644 queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch create mode 100644 queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch create mode 100644 queue-4.15/drm-radeon-adjust-tested-variable.patch create mode 100644 queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch create mode 100644 queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch create mode 100644 queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch create mode 100644 queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch create mode 100644 queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch create mode 100644 queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch create mode 100644 queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch create mode 100644 queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch create mode 100644 queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch create mode 100644 queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch create mode 100644 queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch create mode 100644 queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch create mode 100644 queue-4.15/mm-hide-a-warning-for-compile_test.patch create mode 100644 queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch create mode 100644 queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch create mode 100644 queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch create mode 100644 queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch create mode 100644 queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch create mode 100644 queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch create mode 100644 queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch create mode 100644 queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch create mode 100644 queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch create mode 100644 queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch create mode 100644 queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch create mode 100644 queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch create mode 100644 queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch create mode 100644 queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch create mode 100644 queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch create mode 100644 queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch create mode 100644 queue-4.15/xenbus-track-caller-request-id.patch diff --git a/queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch b/queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch new file mode 100644 index 00000000000..019f72b326d --- /dev/null +++ b/queue-4.15/arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch @@ -0,0 +1,56 @@ +From 16e574d762ac5512eb922ac0ac5eed360b7db9d8 Mon Sep 17 00:00:00 2001 +From: Shanker Donthineni +Date: Sun, 11 Feb 2018 19:16:15 -0600 +Subject: arm64: Add missing Falkor part number for branch predictor hardening + +From: Shanker Donthineni + +commit 16e574d762ac5512eb922ac0ac5eed360b7db9d8 upstream. + +References to CPU part number MIDR_QCOM_FALKOR were dropped from the +mailing list patch due to mainline/arm64 branch dependency. So this +patch adds the missing part number. + +Fixes: ec82b567a74f ("arm64: Implement branch predictor hardening for Falkor") +Acked-by: Marc Zyngier +Signed-off-by: Shanker Donthineni +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/cpu_errata.c | 9 +++++++++ + arch/arm64/kvm/hyp/switch.c | 4 +++- + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/cpu_errata.c ++++ b/arch/arm64/kernel/cpu_errata.c +@@ -408,6 +408,15 @@ const struct arm64_cpu_capabilities arm6 + }, + { + .capability = ARM64_HARDEN_BRANCH_PREDICTOR, ++ MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR), ++ .enable = qcom_enable_link_stack_sanitization, ++ }, ++ { ++ .capability = ARM64_HARDEN_BP_POST_GUEST_EXIT, ++ MIDR_ALL_VERSIONS(MIDR_QCOM_FALKOR), ++ }, ++ { ++ .capability = ARM64_HARDEN_BRANCH_PREDICTOR, + MIDR_ALL_VERSIONS(MIDR_BRCM_VULCAN), + .enable = enable_smccc_arch_workaround_1, + }, +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -400,8 +400,10 @@ again: + u32 midr = read_cpuid_id(); + + /* Apply BTAC predictors mitigation to all Falkor chips */ +- if ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1) ++ if (((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR) || ++ ((midr & MIDR_CPU_MODEL_MASK) == MIDR_QCOM_FALKOR_V1)) { + __qcom_hyp_sanitize_btac_predictors(); ++ } + } + + fp_enabled = __fpsimd_enabled(); diff --git a/queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch b/queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch new file mode 100644 index 00000000000..e5ed405e6b7 --- /dev/null +++ b/queue-4.15/console-dummy-leave-.con_font_get-set-to-null.patch @@ -0,0 +1,32 @@ +From 724ba8b30b044aa0d94b1cd374fc15806cdd6f18 Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Mon, 15 Jan 2018 17:04:22 +0100 +Subject: console/dummy: leave .con_font_get set to NULL + +From: Nicolas Pitre + +commit 724ba8b30b044aa0d94b1cd374fc15806cdd6f18 upstream. + +When this method is set, the caller expects struct console_font fields +to be properly initialized when it returns. Leave it unset otherwise +nonsensical (leaked kernel stack) values are returned to user space. + +Signed-off-by: Nicolas Pitre +Cc: stable@vger.kernel.org +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/console/dummycon.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/video/console/dummycon.c ++++ b/drivers/video/console/dummycon.c +@@ -67,7 +67,6 @@ const struct consw dummy_con = { + .con_switch = DUMMY, + .con_blank = DUMMY, + .con_font_set = DUMMY, +- .con_font_get = DUMMY, + .con_font_default = DUMMY, + .con_font_copy = DUMMY, + }; diff --git a/queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch b/queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch new file mode 100644 index 00000000000..a13725193f1 --- /dev/null +++ b/queue-4.15/drm-amd-powerplay-fix-smu_table_entry.handle-type.patch @@ -0,0 +1,35 @@ +From adab595d16abe48e9c097f000bf8921d35b28fb7 Mon Sep 17 00:00:00 2001 +From: Andrey Grodzovsky +Date: Wed, 17 Jan 2018 17:24:13 -0500 +Subject: drm/amd/powerplay: Fix smu_table_entry.handle type + +From: Andrey Grodzovsky + +commit adab595d16abe48e9c097f000bf8921d35b28fb7 upstream. + +The handle describes kernel logical address, should be +unsigned long and not uint32_t. +Fixes KASAN error and GFP on driver unload. + +Reviewed-by: Rex Zhu +Reviewed-by: Alex Deucher +Signed-off-by: Andrey Grodzovsky +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h ++++ b/drivers/gpu/drm/amd/powerplay/smumgr/rv_smumgr.h +@@ -40,7 +40,7 @@ struct smu_table_entry { + uint32_t table_addr_high; + uint32_t table_addr_low; + uint8_t *table; +- uint32_t handle; ++ unsigned long handle; + }; + + struct smu_table_array { diff --git a/queue-4.15/drm-ast-load-lut-in-crtc_commit.patch b/queue-4.15/drm-ast-load-lut-in-crtc_commit.patch new file mode 100644 index 00000000000..3cc35206c22 --- /dev/null +++ b/queue-4.15/drm-ast-load-lut-in-crtc_commit.patch @@ -0,0 +1,46 @@ +From 24b8ef699e8221d2b7f813adaab13eec053e1507 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Thu, 18 Jan 2018 16:40:16 +0100 +Subject: drm/ast: Load lut in crtc_commit + +From: Daniel Vetter + +commit 24b8ef699e8221d2b7f813adaab13eec053e1507 upstream. + +In the past the ast driver relied upon the fbdev emulation helpers to +call ->load_lut at boot-up. But since + +commit b8e2b0199cc377617dc238f5106352c06dcd3fa2 +Author: Peter Rosin +Date: Tue Jul 4 12:36:57 2017 +0200 + + drm/fb-helper: factor out pseudo-palette + +that's cleaned up and drivers are expected to boot into a consistent +lut state. This patch fixes that. + +Fixes: b8e2b0199cc3 ("drm/fb-helper: factor out pseudo-palette") +Cc: Peter Rosin +Cc: Daniel Vetter +Cc: # v4.14+ +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=198123 +Cc: Bill Fraser +Reported-and-Tested-by: Bill Fraser +Signed-off-by: Daniel Vetter +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -644,6 +644,7 @@ static void ast_crtc_commit(struct drm_c + { + struct ast_private *ast = crtc->dev->dev_private; + ast_set_index_reg_mask(ast, AST_IO_SEQ_PORT, 0x1, 0xdf, 0); ++ ast_crtc_load_lut(crtc); + } + + diff --git a/queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch b/queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch new file mode 100644 index 00000000000..14d2b504314 --- /dev/null +++ b/queue-4.15/drm-check-for-lessee-in-drop_master-ioctl.patch @@ -0,0 +1,42 @@ +From 761e05a702f5d537ffcca1ba933f9f0a968aa022 Mon Sep 17 00:00:00 2001 +From: Keith Packard +Date: Thu, 18 Jan 2018 17:51:59 -0800 +Subject: drm: Check for lessee in DROP_MASTER ioctl + +From: Keith Packard + +commit 761e05a702f5d537ffcca1ba933f9f0a968aa022 upstream. + +Don't let a lessee control what the current DRM master is set to; +that's the job of the "real" master. Otherwise, the lessee would +disable all access to master operations for the owner and all lessees +under it. + +This matches the same check made in the SET_MASTER ioctl. + +Signed-off-by: Keith Packard +Fixes: 2ed077e467ee ("drm: Add drm_object lease infrastructure [v5]") +Cc: # v4.15+ +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180119015159.1606-1-keithp@keithp.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_auth.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/drm_auth.c ++++ b/drivers/gpu/drm/drm_auth.c +@@ -230,6 +230,12 @@ int drm_dropmaster_ioctl(struct drm_devi + if (!dev->master) + goto out_unlock; + ++ if (file_priv->master->lessor != NULL) { ++ DRM_DEBUG_LEASE("Attempt to drop lessee %d as master\n", file_priv->master->lessee_id); ++ ret = -EINVAL; ++ goto out_unlock; ++ } ++ + ret = 0; + drm_drop_master(dev, file_priv); + out_unlock: diff --git a/queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch b/queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch new file mode 100644 index 00000000000..ad4c475bf82 --- /dev/null +++ b/queue-4.15/drm-qxl-reapply-cursor-after-resetting-primary.patch @@ -0,0 +1,153 @@ +From 9428088c90b6f7d5edd2a1b0d742c75339b36f6e Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 27 Nov 2017 16:50:10 -0500 +Subject: drm/qxl: reapply cursor after resetting primary + +From: Ray Strode + +commit 9428088c90b6f7d5edd2a1b0d742c75339b36f6e upstream. + +QXL associates mouse state with its primary plane. + +Destroying a primary plane and putting a new one in place has the side +effect of destroying the cursor as well. + +This commit changes the driver to reapply the cursor any time a new +primary is created. It achieves this by keeping a reference to the +cursor bo on the qxl_crtc struct. + +This fix is very similar to + +commit 4532b241a4b7 ("drm/qxl: reapply cursor after SetCrtc calls") + +which got implicitly reverted as part of implementing the atomic +modeset feature. + +Cc: Gerd Hoffmann +Cc: Dave Airlie +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1512097 +Fixes: 1277eed5fecb ("drm: qxl: Atomic phase 1: convert cursor to universal plane") +Cc: stable@vger.kernel.org +Signed-off-by: Ray Strode +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_display.c | 59 ++++++++++++++++++++++++++++++++++++++ + drivers/gpu/drm/qxl/qxl_drv.h | 2 + + 2 files changed, 61 insertions(+) + +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -289,6 +289,7 @@ static void qxl_crtc_destroy(struct drm_ + { + struct qxl_crtc *qxl_crtc = to_qxl_crtc(crtc); + ++ qxl_bo_unref(&qxl_crtc->cursor_bo); + drm_crtc_cleanup(crtc); + kfree(qxl_crtc); + } +@@ -495,6 +496,53 @@ static int qxl_primary_atomic_check(stru + return 0; + } + ++static int qxl_primary_apply_cursor(struct drm_plane *plane) ++{ ++ struct drm_device *dev = plane->dev; ++ struct qxl_device *qdev = dev->dev_private; ++ struct drm_framebuffer *fb = plane->state->fb; ++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc); ++ struct qxl_cursor_cmd *cmd; ++ struct qxl_release *release; ++ int ret = 0; ++ ++ if (!qcrtc->cursor_bo) ++ return 0; ++ ++ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd), ++ QXL_RELEASE_CURSOR_CMD, ++ &release, NULL); ++ if (ret) ++ return ret; ++ ++ ret = qxl_release_list_add(release, qcrtc->cursor_bo); ++ if (ret) ++ goto out_free_release; ++ ++ ret = qxl_release_reserve_list(release, false); ++ if (ret) ++ goto out_free_release; ++ ++ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); ++ cmd->type = QXL_CURSOR_SET; ++ cmd->u.set.position.x = plane->state->crtc_x + fb->hot_x; ++ cmd->u.set.position.y = plane->state->crtc_y + fb->hot_y; ++ ++ cmd->u.set.shape = qxl_bo_physical_address(qdev, qcrtc->cursor_bo, 0); ++ ++ cmd->u.set.visible = 1; ++ qxl_release_unmap(qdev, release, &cmd->release_info); ++ ++ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); ++ qxl_release_fence_buffer_objects(release); ++ ++ return ret; ++ ++out_free_release: ++ qxl_release_free(qdev, release); ++ return ret; ++} ++ + static void qxl_primary_atomic_update(struct drm_plane *plane, + struct drm_plane_state *old_state) + { +@@ -510,6 +558,7 @@ static void qxl_primary_atomic_update(st + .x2 = qfb->base.width, + .y2 = qfb->base.height + }; ++ int ret; + bool same_shadow = false; + + if (old_state->fb) { +@@ -531,6 +580,11 @@ static void qxl_primary_atomic_update(st + if (!same_shadow) + qxl_io_destroy_primary(qdev); + bo_old->is_primary = false; ++ ++ ret = qxl_primary_apply_cursor(plane); ++ if (ret) ++ DRM_ERROR( ++ "could not set cursor after creating primary"); + } + + if (!bo->is_primary) { +@@ -571,6 +625,7 @@ static void qxl_cursor_atomic_update(str + struct drm_device *dev = plane->dev; + struct qxl_device *qdev = dev->dev_private; + struct drm_framebuffer *fb = plane->state->fb; ++ struct qxl_crtc *qcrtc = to_qxl_crtc(plane->state->crtc); + struct qxl_release *release; + struct qxl_cursor_cmd *cmd; + struct qxl_cursor *cursor; +@@ -628,6 +683,10 @@ static void qxl_cursor_atomic_update(str + cmd->u.set.shape = qxl_bo_physical_address(qdev, + cursor_bo, 0); + cmd->type = QXL_CURSOR_SET; ++ ++ qxl_bo_unref(&qcrtc->cursor_bo); ++ qcrtc->cursor_bo = cursor_bo; ++ cursor_bo = NULL; + } else { + + ret = qxl_release_reserve_list(release, true); +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -111,6 +111,8 @@ struct qxl_bo_list { + struct qxl_crtc { + struct drm_crtc base; + int index; ++ ++ struct qxl_bo *cursor_bo; + }; + + struct qxl_output { diff --git a/queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch b/queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch new file mode 100644 index 00000000000..f01912cafdf --- /dev/null +++ b/queue-4.15/drm-qxl-unref-cursor-bo-when-finished-with-it.patch @@ -0,0 +1,43 @@ +From 16c6db3688734b27487a42d0c2a1062d0b2bad03 Mon Sep 17 00:00:00 2001 +From: Ray Strode +Date: Mon, 27 Nov 2017 16:50:09 -0500 +Subject: drm/qxl: unref cursor bo when finished with it + +From: Ray Strode + +commit 16c6db3688734b27487a42d0c2a1062d0b2bad03 upstream. + +qxl_cursor_atomic_update allocs a bo for the cursor that +it never frees up at the end of the function. + +This commit fixes that. + +Signed-off-by: Ray Strode +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_display.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -575,7 +575,7 @@ static void qxl_cursor_atomic_update(str + struct qxl_cursor_cmd *cmd; + struct qxl_cursor *cursor; + struct drm_gem_object *obj; +- struct qxl_bo *cursor_bo, *user_bo = NULL; ++ struct qxl_bo *cursor_bo = NULL, *user_bo = NULL; + int ret; + void *user_ptr; + int size = 64*64*4; +@@ -645,6 +645,8 @@ static void qxl_cursor_atomic_update(str + qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); + qxl_release_fence_buffer_objects(release); + ++ qxl_bo_unref(&cursor_bo); ++ + return; + + out_backoff: diff --git a/queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch b/queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch new file mode 100644 index 00000000000..e6c42b98e6c --- /dev/null +++ b/queue-4.15/drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch @@ -0,0 +1,40 @@ +From 239b5f64e12b1f09f506c164dff0374924782979 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 21 Nov 2017 12:09:38 -0500 +Subject: drm/radeon: Add dpm quirk for Jet PRO (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Alex Deucher + +commit 239b5f64e12b1f09f506c164dff0374924782979 upstream. + +Fixes stability issues. + +v2: clamp sclk to 600 Mhz + +Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103370 +Acked-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/si_dpm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/radeon/si_dpm.c ++++ b/drivers/gpu/drm/radeon/si_dpm.c +@@ -2984,6 +2984,11 @@ static void si_apply_state_adjust_rules( + (rdev->pdev->device == 0x6667)) { + max_sclk = 75000; + } ++ if ((rdev->pdev->revision == 0xC3) || ++ (rdev->pdev->device == 0x6665)) { ++ max_sclk = 60000; ++ max_mclk = 80000; ++ } + } else if (rdev->family == CHIP_OLAND) { + if ((rdev->pdev->revision == 0xC7) || + (rdev->pdev->revision == 0x80) || diff --git a/queue-4.15/drm-radeon-adjust-tested-variable.patch b/queue-4.15/drm-radeon-adjust-tested-variable.patch new file mode 100644 index 00000000000..16371044bee --- /dev/null +++ b/queue-4.15/drm-radeon-adjust-tested-variable.patch @@ -0,0 +1,57 @@ +From 3a61b527b4e1f285d21b6e9e623dc45cf8bb391f Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sat, 27 Jan 2018 15:28:15 +0100 +Subject: drm/radeon: adjust tested variable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Julia Lawall + +commit 3a61b527b4e1f285d21b6e9e623dc45cf8bb391f upstream. + +Check the variable that was most recently initialized. + +The semantic match that finds this problem is as follows: +(http://coccinelle.lip6.fr/) + +// +@@ +expression x, y, f, g, e, m; +statement S1,S2,S3,S4; +@@ + +x = f(...); +if (\(<+...x...+>\&e\)) S1 else S2 +( +x = g(...); +| +m = g(...,&x,...); +| +y = g(...); +*if (e) + S3 else S4 +) +// + +Signed-off-by: Julia Lawall +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_uvd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_uvd.c ++++ b/drivers/gpu/drm/radeon/radeon_uvd.c +@@ -995,7 +995,7 @@ int radeon_uvd_calc_upll_dividers(struct + /* calc dclk divider with current vco freq */ + dclk_div = radeon_uvd_calc_upll_post_div(vco_freq, dclk, + pd_min, pd_even); +- if (vclk_div > pd_max) ++ if (dclk_div > pd_max) + break; /* vco is too big, it has to stop */ + + /* calc score with current vco freq */ diff --git a/queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch b/queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch new file mode 100644 index 00000000000..079362e799a --- /dev/null +++ b/queue-4.15/drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch @@ -0,0 +1,43 @@ +From fd5002d6a3c602664b07668a24df4ef7a43bf078 Mon Sep 17 00:00:00 2001 +From: Felix Kuehling +Date: Wed, 17 Jan 2018 23:52:03 -0500 +Subject: drm/ttm: Don't add swapped BOs to swap-LRU list +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Felix Kuehling + +commit fd5002d6a3c602664b07668a24df4ef7a43bf078 upstream. + +A BO that's already swapped would be added back to the swap-LRU list +for example if its validation failed under high memory pressure. This +could later lead to swapping it out again and leaking previous swap +storage. + +This commit adds a condition to prevent that from happening. + +v2: Check page_flags instead of swap_storage + +Signed-off-by: Felix Kuehling +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_bo.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo.c ++++ b/drivers/gpu/drm/ttm/ttm_bo.c +@@ -175,7 +175,8 @@ void ttm_bo_add_to_lru(struct ttm_buffer + list_add_tail(&bo->lru, &man->lru[bo->priority]); + kref_get(&bo->list_kref); + +- if (bo->ttm && !(bo->ttm->page_flags & TTM_PAGE_FLAG_SG)) { ++ if (bo->ttm && !(bo->ttm->page_flags & ++ (TTM_PAGE_FLAG_SG | TTM_PAGE_FLAG_SWAPPED))) { + list_add_tail(&bo->swap, + &bo->glob->swap_lru[bo->priority]); + kref_get(&bo->list_kref); diff --git a/queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch b/queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch new file mode 100644 index 00000000000..37a11a443f3 --- /dev/null +++ b/queue-4.15/drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch @@ -0,0 +1,48 @@ +From 95244db2d3f743f37e69446a2807dd1a42750542 Mon Sep 17 00:00:00 2001 +From: Tom St Denis +Date: Fri, 26 Jan 2018 09:32:29 -0500 +Subject: drm/ttm: Fix 'buf' pointer update in ttm_bo_vm_access_kmap() (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tom St Denis + +commit 95244db2d3f743f37e69446a2807dd1a42750542 upstream. + +The buf pointer was not being incremented inside the loop +meaning the same block of data would be read or written +repeatedly. +(v2) Change 'buf' pointer to uint8_t* type + +Cc: stable@vger.kernel.org +Fixes: 09ac4fcb3f25 ("drm/ttm: Implement vm_operations_struct.access v2") + +Signed-off-by: Tom St Denis +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ttm/ttm_bo_vm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ttm/ttm_bo_vm.c ++++ b/drivers/gpu/drm/ttm/ttm_bo_vm.c +@@ -299,7 +299,7 @@ static void ttm_bo_vm_close(struct vm_ar + + static int ttm_bo_vm_access_kmap(struct ttm_buffer_object *bo, + unsigned long offset, +- void *buf, int len, int write) ++ uint8_t *buf, int len, int write) + { + unsigned long page = offset >> PAGE_SHIFT; + unsigned long bytes_left = len; +@@ -328,6 +328,7 @@ static int ttm_bo_vm_access_kmap(struct + ttm_bo_kunmap(&map); + + page++; ++ buf += bytes; + bytes_left -= bytes; + offset = 0; + } while (bytes_left); diff --git a/queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch b/queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch new file mode 100644 index 00000000000..7611c58df4d --- /dev/null +++ b/queue-4.15/ext4-correct-documentation-for-grpid-mount-option.patch @@ -0,0 +1,35 @@ +From 9f0372488cc9243018a812e8cfbf27de650b187b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= + +Date: Thu, 11 Jan 2018 13:43:33 -0500 +Subject: ext4: correct documentation for grpid mount option +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +commit 9f0372488cc9243018a812e8cfbf27de650b187b upstream. + +The grpid option is currently described as being the same as nogrpid. + +Signed-off-by: Ernesto A. Fernández +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/filesystems/ext4.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/filesystems/ext4.txt ++++ b/Documentation/filesystems/ext4.txt +@@ -233,7 +233,7 @@ data_err=ignore(*) Just print an error m + data_err=abort Abort the journal if an error occurs in a file + data buffer in ordered mode. + +-grpid Give objects the same group ID as their creator. ++grpid New objects have the group ID of their parent. + bsdgroups + + nogrpid (*) New objects have the group ID of their creator. diff --git a/queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch b/queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch new file mode 100644 index 00000000000..0acc4922b0e --- /dev/null +++ b/queue-4.15/ext4-fix-a-race-in-the-ext4-shutdown-path.patch @@ -0,0 +1,56 @@ +From abbc3f9395c76d554a9ed27d4b1ebfb5d9b0e4ca Mon Sep 17 00:00:00 2001 +From: Harshad Shirwadkar +Date: Wed, 10 Jan 2018 00:13:13 -0500 +Subject: ext4: fix a race in the ext4 shutdown path + +From: Harshad Shirwadkar + +commit abbc3f9395c76d554a9ed27d4b1ebfb5d9b0e4ca upstream. + +This patch fixes a race between the shutdown path and bio completion +handling. In the ext4 direct io path with async io, after submitting a +bio to the block layer, if journal starting fails, +ext4_direct_IO_write() would bail out pretending that the IO +failed. The caller would have had no way of knowing whether or not the +IO was successfully submitted. So instead, we return -EIOCBQUEUED in +this case. Now, the caller knows that the IO was submitted. The bio +completion handler takes care of the error. + +Tested: Ran the shutdown xfstest test 461 in loop for over 2 hours across +4 machines resulting in over 400 runs. Verified that the race didn't +occur. Usually the race was seen in about 20-30 iterations. + +Signed-off-by: Harshad Shirwadkar +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/inode.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -3767,10 +3767,18 @@ static ssize_t ext4_direct_IO_write(stru + /* Credits for sb + inode write */ + handle = ext4_journal_start(inode, EXT4_HT_INODE, 2); + if (IS_ERR(handle)) { +- /* This is really bad luck. We've written the data +- * but cannot extend i_size. Bail out and pretend +- * the write failed... */ +- ret = PTR_ERR(handle); ++ /* ++ * We wrote the data but cannot extend ++ * i_size. Bail out. In async io case, we do ++ * not return error here because we have ++ * already submmitted the corresponding ++ * bio. Returning error here makes the caller ++ * think that this IO is done and failed ++ * resulting in race with bio's completion ++ * handler. ++ */ ++ if (!ret) ++ ret = PTR_ERR(handle); + if (inode->i_nlink) + ext4_orphan_del(NULL, inode); + diff --git a/queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch b/queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch new file mode 100644 index 00000000000..d919efde468 --- /dev/null +++ b/queue-4.15/ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch @@ -0,0 +1,37 @@ +From 06f29cc81f0350261f59643a505010531130eea0 Mon Sep 17 00:00:00 2001 +From: Zhouyi Zhou +Date: Wed, 10 Jan 2018 00:34:19 -0500 +Subject: ext4: save error to disk in __ext4_grp_locked_error() + +From: Zhouyi Zhou + +commit 06f29cc81f0350261f59643a505010531130eea0 upstream. + +In the function __ext4_grp_locked_error(), __save_error_info() +is called to save error info in super block block, but does not sync +that information to disk to info the subsequence fsck after reboot. + +This patch writes the error information to disk. After this patch, +I think there is no obvious EXT4 error handle branches which leads to +"Remounting filesystem read-only" will leave the disk partition miss +the subsequence fsck. + +Signed-off-by: Zhouyi Zhou +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -742,6 +742,7 @@ __acquires(bitlock) + } + + ext4_unlock_group(sb, grp); ++ ext4_commit_super(sb, 1); + ext4_handle_error(sb); + /* + * We only get here in the ERRORS_RO case; relocking the group diff --git a/queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch b/queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch new file mode 100644 index 00000000000..8d01bb69804 --- /dev/null +++ b/queue-4.15/jbd2-fix-sphinx-kernel-doc-build-warnings.patch @@ -0,0 +1,708 @@ +From f69120ce6c024aa634a8fc25787205e42f0ccbe6 Mon Sep 17 00:00:00 2001 +From: "Tobin C. Harding" +Date: Wed, 10 Jan 2018 00:27:29 -0500 +Subject: jbd2: fix sphinx kernel-doc build warnings + +From: Tobin C. Harding + +commit f69120ce6c024aa634a8fc25787205e42f0ccbe6 upstream. + +Sphinx emits various (26) warnings when building make target 'htmldocs'. +Currently struct definitions contain duplicate documentation, some as +kernel-docs and some as standard c89 comments. We can reduce +duplication while cleaning up the kernel docs. + +Move all kernel-docs to right above each struct member. Use the set of +all existing comments (kernel-doc and c89). Add documentation for +missing struct members and function arguments. + +Signed-off-by: Tobin C. Harding +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/transaction.c | 5 + include/linux/jbd2.h | 431 +++++++++++++++++++++++++++++++------------------- + 2 files changed, 272 insertions(+), 164 deletions(-) + +--- a/fs/jbd2/transaction.c ++++ b/fs/jbd2/transaction.c +@@ -495,8 +495,10 @@ void jbd2_journal_free_reserved(handle_t + EXPORT_SYMBOL(jbd2_journal_free_reserved); + + /** +- * int jbd2_journal_start_reserved(handle_t *handle) - start reserved handle ++ * int jbd2_journal_start_reserved() - start reserved handle + * @handle: handle to start ++ * @type: for handle statistics ++ * @line_no: for handle statistics + * + * Start handle that has been previously reserved with jbd2_journal_reserve(). + * This attaches @handle to the running transaction (or creates one if there's +@@ -626,6 +628,7 @@ error_out: + * int jbd2_journal_restart() - restart a handle . + * @handle: handle to restart + * @nblocks: nr credits requested ++ * @gfp_mask: memory allocation flags (for start_this_handle) + * + * Restart a handle for a multi-transaction filesystem + * operation. +--- a/include/linux/jbd2.h ++++ b/include/linux/jbd2.h +@@ -418,26 +418,41 @@ static inline void jbd_unlock_bh_journal + #define JI_WAIT_DATA (1 << __JI_WAIT_DATA) + + /** +- * struct jbd_inode is the structure linking inodes in ordered mode +- * present in a transaction so that we can sync them during commit. ++ * struct jbd_inode - The jbd_inode type is the structure linking inodes in ++ * ordered mode present in a transaction so that we can sync them during commit. + */ + struct jbd2_inode { +- /* Which transaction does this inode belong to? Either the running +- * transaction or the committing one. [j_list_lock] */ ++ /** ++ * @i_transaction: ++ * ++ * Which transaction does this inode belong to? Either the running ++ * transaction or the committing one. [j_list_lock] ++ */ + transaction_t *i_transaction; + +- /* Pointer to the running transaction modifying inode's data in case +- * there is already a committing transaction touching it. [j_list_lock] */ ++ /** ++ * @i_next_transaction: ++ * ++ * Pointer to the running transaction modifying inode's data in case ++ * there is already a committing transaction touching it. [j_list_lock] ++ */ + transaction_t *i_next_transaction; + +- /* List of inodes in the i_transaction [j_list_lock] */ ++ /** ++ * @i_list: List of inodes in the i_transaction [j_list_lock] ++ */ + struct list_head i_list; + +- /* VFS inode this inode belongs to [constant during the lifetime +- * of the structure] */ ++ /** ++ * @i_vfs_inode: ++ * ++ * VFS inode this inode belongs to [constant for lifetime of structure] ++ */ + struct inode *i_vfs_inode; + +- /* Flags of inode [j_list_lock] */ ++ /** ++ * @i_flags: Flags of inode [j_list_lock] ++ */ + unsigned long i_flags; + }; + +@@ -447,12 +462,20 @@ struct jbd2_revoke_table_s; + * struct handle_s - The handle_s type is the concrete type associated with + * handle_t. + * @h_transaction: Which compound transaction is this update a part of? ++ * @h_journal: Which journal handle belongs to - used iff h_reserved set. ++ * @h_rsv_handle: Handle reserved for finishing the logical operation. + * @h_buffer_credits: Number of remaining buffers we are allowed to dirty. +- * @h_ref: Reference count on this handle +- * @h_err: Field for caller's use to track errors through large fs operations +- * @h_sync: flag for sync-on-close +- * @h_jdata: flag to force data journaling +- * @h_aborted: flag indicating fatal error on handle ++ * @h_ref: Reference count on this handle. ++ * @h_err: Field for caller's use to track errors through large fs operations. ++ * @h_sync: Flag for sync-on-close. ++ * @h_jdata: Flag to force data journaling. ++ * @h_reserved: Flag for handle for reserved credits. ++ * @h_aborted: Flag indicating fatal error on handle. ++ * @h_type: For handle statistics. ++ * @h_line_no: For handle statistics. ++ * @h_start_jiffies: Handle Start time. ++ * @h_requested_credits: Holds @h_buffer_credits after handle is started. ++ * @saved_alloc_context: Saved context while transaction is open. + **/ + + /* Docbook can't yet cope with the bit fields, but will leave the documentation +@@ -462,32 +485,23 @@ struct jbd2_revoke_table_s; + struct jbd2_journal_handle + { + union { +- /* Which compound transaction is this update a part of? */ + transaction_t *h_transaction; + /* Which journal handle belongs to - used iff h_reserved set */ + journal_t *h_journal; + }; + +- /* Handle reserved for finishing the logical operation */ + handle_t *h_rsv_handle; +- +- /* Number of remaining buffers we are allowed to dirty: */ + int h_buffer_credits; +- +- /* Reference count on this handle */ + int h_ref; +- +- /* Field for caller's use to track errors through large fs */ +- /* operations */ + int h_err; + + /* Flags [no locking] */ +- unsigned int h_sync: 1; /* sync-on-close */ +- unsigned int h_jdata: 1; /* force data journaling */ +- unsigned int h_reserved: 1; /* handle with reserved credits */ +- unsigned int h_aborted: 1; /* fatal error on handle */ +- unsigned int h_type: 8; /* for handle statistics */ +- unsigned int h_line_no: 16; /* for handle statistics */ ++ unsigned int h_sync: 1; ++ unsigned int h_jdata: 1; ++ unsigned int h_reserved: 1; ++ unsigned int h_aborted: 1; ++ unsigned int h_type: 8; ++ unsigned int h_line_no: 16; + + unsigned long h_start_jiffies; + unsigned int h_requested_credits; +@@ -729,228 +743,253 @@ jbd2_time_diff(unsigned long start, unsi + /** + * struct journal_s - The journal_s type is the concrete type associated with + * journal_t. +- * @j_flags: General journaling state flags +- * @j_errno: Is there an outstanding uncleared error on the journal (from a +- * prior abort)? +- * @j_sb_buffer: First part of superblock buffer +- * @j_superblock: Second part of superblock buffer +- * @j_format_version: Version of the superblock format +- * @j_state_lock: Protect the various scalars in the journal +- * @j_barrier_count: Number of processes waiting to create a barrier lock +- * @j_barrier: The barrier lock itself +- * @j_running_transaction: The current running transaction.. +- * @j_committing_transaction: the transaction we are pushing to disk +- * @j_checkpoint_transactions: a linked circular list of all transactions +- * waiting for checkpointing +- * @j_wait_transaction_locked: Wait queue for waiting for a locked transaction +- * to start committing, or for a barrier lock to be released +- * @j_wait_done_commit: Wait queue for waiting for commit to complete +- * @j_wait_commit: Wait queue to trigger commit +- * @j_wait_updates: Wait queue to wait for updates to complete +- * @j_wait_reserved: Wait queue to wait for reserved buffer credits to drop +- * @j_checkpoint_mutex: Mutex for locking against concurrent checkpoints +- * @j_head: Journal head - identifies the first unused block in the journal +- * @j_tail: Journal tail - identifies the oldest still-used block in the +- * journal. +- * @j_free: Journal free - how many free blocks are there in the journal? +- * @j_first: The block number of the first usable block +- * @j_last: The block number one beyond the last usable block +- * @j_dev: Device where we store the journal +- * @j_blocksize: blocksize for the location where we store the journal. +- * @j_blk_offset: starting block offset for into the device where we store the +- * journal +- * @j_fs_dev: Device which holds the client fs. For internal journal this will +- * be equal to j_dev +- * @j_reserved_credits: Number of buffers reserved from the running transaction +- * @j_maxlen: Total maximum capacity of the journal region on disk. +- * @j_list_lock: Protects the buffer lists and internal buffer state. +- * @j_inode: Optional inode where we store the journal. If present, all journal +- * block numbers are mapped into this inode via bmap(). +- * @j_tail_sequence: Sequence number of the oldest transaction in the log +- * @j_transaction_sequence: Sequence number of the next transaction to grant +- * @j_commit_sequence: Sequence number of the most recently committed +- * transaction +- * @j_commit_request: Sequence number of the most recent transaction wanting +- * commit +- * @j_uuid: Uuid of client object. +- * @j_task: Pointer to the current commit thread for this journal +- * @j_max_transaction_buffers: Maximum number of metadata buffers to allow in a +- * single compound commit transaction +- * @j_commit_interval: What is the maximum transaction lifetime before we begin +- * a commit? +- * @j_commit_timer: The timer used to wakeup the commit thread +- * @j_revoke_lock: Protect the revoke table +- * @j_revoke: The revoke table - maintains the list of revoked blocks in the +- * current transaction. +- * @j_revoke_table: alternate revoke tables for j_revoke +- * @j_wbuf: array of buffer_heads for jbd2_journal_commit_transaction +- * @j_wbufsize: maximum number of buffer_heads allowed in j_wbuf, the +- * number that will fit in j_blocksize +- * @j_last_sync_writer: most recent pid which did a synchronous write +- * @j_history_lock: Protect the transactions statistics history +- * @j_proc_entry: procfs entry for the jbd statistics directory +- * @j_stats: Overall statistics +- * @j_private: An opaque pointer to fs-private information. +- * @j_trans_commit_map: Lockdep entity to track transaction commit dependencies + */ +- + struct journal_s + { +- /* General journaling state flags [j_state_lock] */ ++ /** ++ * @j_flags: General journaling state flags [j_state_lock] ++ */ + unsigned long j_flags; + +- /* ++ /** ++ * @j_errno: ++ * + * Is there an outstanding uncleared error on the journal (from a prior + * abort)? [j_state_lock] + */ + int j_errno; + +- /* The superblock buffer */ ++ /** ++ * @j_sb_buffer: The first part of the superblock buffer. ++ */ + struct buffer_head *j_sb_buffer; ++ ++ /** ++ * @j_superblock: The second part of the superblock buffer. ++ */ + journal_superblock_t *j_superblock; + +- /* Version of the superblock format */ ++ /** ++ * @j_format_version: Version of the superblock format. ++ */ + int j_format_version; + +- /* +- * Protect the various scalars in the journal ++ /** ++ * @j_state_lock: Protect the various scalars in the journal. + */ + rwlock_t j_state_lock; + +- /* ++ /** ++ * @j_barrier_count: ++ * + * Number of processes waiting to create a barrier lock [j_state_lock] + */ + int j_barrier_count; + +- /* The barrier lock itself */ ++ /** ++ * @j_barrier: The barrier lock itself. ++ */ + struct mutex j_barrier; + +- /* ++ /** ++ * @j_running_transaction: ++ * + * Transactions: The current running transaction... + * [j_state_lock] [caller holding open handle] + */ + transaction_t *j_running_transaction; + +- /* ++ /** ++ * @j_committing_transaction: ++ * + * the transaction we are pushing to disk + * [j_state_lock] [caller holding open handle] + */ + transaction_t *j_committing_transaction; + +- /* ++ /** ++ * @j_checkpoint_transactions: ++ * + * ... and a linked circular list of all transactions waiting for + * checkpointing. [j_list_lock] + */ + transaction_t *j_checkpoint_transactions; + +- /* ++ /** ++ * @j_wait_transaction_locked: ++ * + * Wait queue for waiting for a locked transaction to start committing, +- * or for a barrier lock to be released ++ * or for a barrier lock to be released. + */ + wait_queue_head_t j_wait_transaction_locked; + +- /* Wait queue for waiting for commit to complete */ ++ /** ++ * @j_wait_done_commit: Wait queue for waiting for commit to complete. ++ */ + wait_queue_head_t j_wait_done_commit; + +- /* Wait queue to trigger commit */ ++ /** ++ * @j_wait_commit: Wait queue to trigger commit. ++ */ + wait_queue_head_t j_wait_commit; + +- /* Wait queue to wait for updates to complete */ ++ /** ++ * @j_wait_updates: Wait queue to wait for updates to complete. ++ */ + wait_queue_head_t j_wait_updates; + +- /* Wait queue to wait for reserved buffer credits to drop */ ++ /** ++ * @j_wait_reserved: ++ * ++ * Wait queue to wait for reserved buffer credits to drop. ++ */ + wait_queue_head_t j_wait_reserved; + +- /* Semaphore for locking against concurrent checkpoints */ ++ /** ++ * @j_checkpoint_mutex: ++ * ++ * Semaphore for locking against concurrent checkpoints. ++ */ + struct mutex j_checkpoint_mutex; + +- /* ++ /** ++ * @j_chkpt_bhs: ++ * + * List of buffer heads used by the checkpoint routine. This + * was moved from jbd2_log_do_checkpoint() to reduce stack + * usage. Access to this array is controlled by the +- * j_checkpoint_mutex. [j_checkpoint_mutex] ++ * @j_checkpoint_mutex. [j_checkpoint_mutex] + */ + struct buffer_head *j_chkpt_bhs[JBD2_NR_BATCH]; +- +- /* ++ ++ /** ++ * @j_head: ++ * + * Journal head: identifies the first unused block in the journal. + * [j_state_lock] + */ + unsigned long j_head; + +- /* ++ /** ++ * @j_tail: ++ * + * Journal tail: identifies the oldest still-used block in the journal. + * [j_state_lock] + */ + unsigned long j_tail; + +- /* ++ /** ++ * @j_free: ++ * + * Journal free: how many free blocks are there in the journal? + * [j_state_lock] + */ + unsigned long j_free; + +- /* +- * Journal start and end: the block numbers of the first usable block +- * and one beyond the last usable block in the journal. [j_state_lock] ++ /** ++ * @j_first: ++ * ++ * The block number of the first usable block in the journal ++ * [j_state_lock]. + */ + unsigned long j_first; ++ ++ /** ++ * @j_last: ++ * ++ * The block number one beyond the last usable block in the journal ++ * [j_state_lock]. ++ */ + unsigned long j_last; + +- /* +- * Device, blocksize and starting block offset for the location where we +- * store the journal. ++ /** ++ * @j_dev: Device where we store the journal. + */ + struct block_device *j_dev; ++ ++ /** ++ * @j_blocksize: Block size for the location where we store the journal. ++ */ + int j_blocksize; ++ ++ /** ++ * @j_blk_offset: ++ * ++ * Starting block offset into the device where we store the journal. ++ */ + unsigned long long j_blk_offset; ++ ++ /** ++ * @j_devname: Journal device name. ++ */ + char j_devname[BDEVNAME_SIZE+24]; + +- /* ++ /** ++ * @j_fs_dev: ++ * + * Device which holds the client fs. For internal journal this will be + * equal to j_dev. + */ + struct block_device *j_fs_dev; + +- /* Total maximum capacity of the journal region on disk. */ ++ /** ++ * @j_maxlen: Total maximum capacity of the journal region on disk. ++ */ + unsigned int j_maxlen; + +- /* Number of buffers reserved from the running transaction */ ++ /** ++ * @j_reserved_credits: ++ * ++ * Number of buffers reserved from the running transaction. ++ */ + atomic_t j_reserved_credits; + +- /* +- * Protects the buffer lists and internal buffer state. ++ /** ++ * @j_list_lock: Protects the buffer lists and internal buffer state. + */ + spinlock_t j_list_lock; + +- /* Optional inode where we store the journal. If present, all */ +- /* journal block numbers are mapped into this inode via */ +- /* bmap(). */ ++ /** ++ * @j_inode: ++ * ++ * Optional inode where we store the journal. If present, all ++ * journal block numbers are mapped into this inode via bmap(). ++ */ + struct inode *j_inode; + +- /* ++ /** ++ * @j_tail_sequence: ++ * + * Sequence number of the oldest transaction in the log [j_state_lock] + */ + tid_t j_tail_sequence; + +- /* ++ /** ++ * @j_transaction_sequence: ++ * + * Sequence number of the next transaction to grant [j_state_lock] + */ + tid_t j_transaction_sequence; + +- /* ++ /** ++ * @j_commit_sequence: ++ * + * Sequence number of the most recently committed transaction + * [j_state_lock]. + */ + tid_t j_commit_sequence; + +- /* ++ /** ++ * @j_commit_request: ++ * + * Sequence number of the most recent transaction wanting commit + * [j_state_lock] + */ + tid_t j_commit_request; + +- /* ++ /** ++ * @j_uuid: ++ * + * Journal uuid: identifies the object (filesystem, LVM volume etc) + * backed by this journal. This will eventually be replaced by an array + * of uuids, allowing us to index multiple devices within a single +@@ -958,85 +997,151 @@ struct journal_s + */ + __u8 j_uuid[16]; + +- /* Pointer to the current commit thread for this journal */ ++ /** ++ * @j_task: Pointer to the current commit thread for this journal. ++ */ + struct task_struct *j_task; + +- /* ++ /** ++ * @j_max_transaction_buffers: ++ * + * Maximum number of metadata buffers to allow in a single compound +- * commit transaction ++ * commit transaction. + */ + int j_max_transaction_buffers; + +- /* ++ /** ++ * @j_commit_interval: ++ * + * What is the maximum transaction lifetime before we begin a commit? + */ + unsigned long j_commit_interval; + +- /* The timer used to wakeup the commit thread: */ ++ /** ++ * @j_commit_timer: The timer used to wakeup the commit thread. ++ */ + struct timer_list j_commit_timer; + +- /* +- * The revoke table: maintains the list of revoked blocks in the +- * current transaction. [j_revoke_lock] ++ /** ++ * @j_revoke_lock: Protect the revoke table. + */ + spinlock_t j_revoke_lock; ++ ++ /** ++ * @j_revoke: ++ * ++ * The revoke table - maintains the list of revoked blocks in the ++ * current transaction. ++ */ + struct jbd2_revoke_table_s *j_revoke; ++ ++ /** ++ * @j_revoke_table: Alternate revoke tables for j_revoke. ++ */ + struct jbd2_revoke_table_s *j_revoke_table[2]; + +- /* +- * array of bhs for jbd2_journal_commit_transaction ++ /** ++ * @j_wbuf: Array of bhs for jbd2_journal_commit_transaction. + */ + struct buffer_head **j_wbuf; ++ ++ /** ++ * @j_wbufsize: ++ * ++ * Size of @j_wbuf array. ++ */ + int j_wbufsize; + +- /* +- * this is the pid of hte last person to run a synchronous operation +- * through the journal ++ /** ++ * @j_last_sync_writer: ++ * ++ * The pid of the last person to run a synchronous operation ++ * through the journal. + */ + pid_t j_last_sync_writer; + +- /* +- * the average amount of time in nanoseconds it takes to commit a ++ /** ++ * @j_average_commit_time: ++ * ++ * The average amount of time in nanoseconds it takes to commit a + * transaction to disk. [j_state_lock] + */ + u64 j_average_commit_time; + +- /* +- * minimum and maximum times that we should wait for +- * additional filesystem operations to get batched into a +- * synchronous handle in microseconds ++ /** ++ * @j_min_batch_time: ++ * ++ * Minimum time that we should wait for additional filesystem operations ++ * to get batched into a synchronous handle in microseconds. + */ + u32 j_min_batch_time; ++ ++ /** ++ * @j_max_batch_time: ++ * ++ * Maximum time that we should wait for additional filesystem operations ++ * to get batched into a synchronous handle in microseconds. ++ */ + u32 j_max_batch_time; + +- /* This function is called when a transaction is closed */ ++ /** ++ * @j_commit_callback: ++ * ++ * This function is called when a transaction is closed. ++ */ + void (*j_commit_callback)(journal_t *, + transaction_t *); + + /* + * Journal statistics + */ ++ ++ /** ++ * @j_history_lock: Protect the transactions statistics history. ++ */ + spinlock_t j_history_lock; ++ ++ /** ++ * @j_proc_entry: procfs entry for the jbd statistics directory. ++ */ + struct proc_dir_entry *j_proc_entry; ++ ++ /** ++ * @j_stats: Overall statistics. ++ */ + struct transaction_stats_s j_stats; + +- /* Failed journal commit ID */ ++ /** ++ * @j_failed_commit: Failed journal commit ID. ++ */ + unsigned int j_failed_commit; + +- /* ++ /** ++ * @j_private: ++ * + * An opaque pointer to fs-private information. ext3 puts its +- * superblock pointer here ++ * superblock pointer here. + */ + void *j_private; + +- /* Reference to checksum algorithm driver via cryptoapi */ ++ /** ++ * @j_chksum_driver: ++ * ++ * Reference to checksum algorithm driver via cryptoapi. ++ */ + struct crypto_shash *j_chksum_driver; + +- /* Precomputed journal UUID checksum for seeding other checksums */ ++ /** ++ * @j_csum_seed: ++ * ++ * Precomputed journal UUID checksum for seeding other checksums. ++ */ + __u32 j_csum_seed; + + #ifdef CONFIG_DEBUG_LOCK_ALLOC +- /* ++ /** ++ * @j_trans_commit_map: ++ * + * Lockdep entity to track transaction commit dependencies. Handles + * hold this "lock" for read, when we wait for commit, we acquire the + * "lock" for writing. This matches the properties of jbd2 journalling diff --git a/queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch b/queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch new file mode 100644 index 00000000000..ca3b55d9525 --- /dev/null +++ b/queue-4.15/mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch @@ -0,0 +1,93 @@ +From 3876bbe27d04b848750d5310a37d6b76b593f648 Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko +Date: Sun, 7 Jan 2018 16:22:35 -0500 +Subject: mbcache: initialize entry->e_referenced in mb_cache_entry_create() + +From: Alexander Potapenko + +commit 3876bbe27d04b848750d5310a37d6b76b593f648 upstream. + +KMSAN reported use of uninitialized |entry->e_referenced| in a condition +in mb_cache_shrink(): + +================================================================== +BUG: KMSAN: use of uninitialized memory in mb_cache_shrink+0x3b4/0xc50 fs/mbcache.c:287 +CPU: 2 PID: 816 Comm: kswapd1 Not tainted 4.11.0-rc5+ #2877 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs +01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:16 [inline] + dump_stack+0x172/0x1c0 lib/dump_stack.c:52 + kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:927 + __msan_warning_32+0x61/0xb0 mm/kmsan/kmsan_instr.c:469 + mb_cache_shrink+0x3b4/0xc50 fs/mbcache.c:287 + mb_cache_scan+0x67/0x80 fs/mbcache.c:321 + do_shrink_slab mm/vmscan.c:397 [inline] + shrink_slab+0xc3d/0x12d0 mm/vmscan.c:500 + shrink_node+0x208f/0x2fd0 mm/vmscan.c:2603 + kswapd_shrink_node mm/vmscan.c:3172 [inline] + balance_pgdat mm/vmscan.c:3289 [inline] + kswapd+0x160f/0x2850 mm/vmscan.c:3478 + kthread+0x46c/0x5f0 kernel/kthread.c:230 + ret_from_fork+0x29/0x40 arch/x86/entry/entry_64.S:430 +chained origin: + save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59 + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 [inline] + kmsan_save_stack mm/kmsan/kmsan.c:317 [inline] + kmsan_internal_chain_origin+0x12a/0x1f0 mm/kmsan/kmsan.c:547 + __msan_store_shadow_origin_1+0xac/0x110 mm/kmsan/kmsan_instr.c:257 + mb_cache_entry_create+0x3b3/0xc60 fs/mbcache.c:95 + ext4_xattr_cache_insert fs/ext4/xattr.c:1647 [inline] + ext4_xattr_block_set+0x4c82/0x5530 fs/ext4/xattr.c:1022 + ext4_xattr_set_handle+0x1332/0x20a0 fs/ext4/xattr.c:1252 + ext4_xattr_set+0x4d2/0x680 fs/ext4/xattr.c:1306 + ext4_xattr_trusted_set+0x8d/0xa0 fs/ext4/xattr_trusted.c:36 + __vfs_setxattr+0x703/0x790 fs/xattr.c:149 + __vfs_setxattr_noperm+0x27a/0x6f0 fs/xattr.c:180 + vfs_setxattr fs/xattr.c:223 [inline] + setxattr+0x6ae/0x790 fs/xattr.c:449 + path_setxattr+0x1eb/0x380 fs/xattr.c:468 + SYSC_lsetxattr+0x8d/0xb0 fs/xattr.c:490 + SyS_lsetxattr+0x77/0xa0 fs/xattr.c:486 + entry_SYSCALL_64_fastpath+0x13/0x94 +origin: + save_stack_trace+0x37/0x40 arch/x86/kernel/stacktrace.c:59 + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:302 [inline] + kmsan_internal_poison_shadow+0xb1/0x1a0 mm/kmsan/kmsan.c:198 + kmsan_kmalloc+0x7f/0xe0 mm/kmsan/kmsan.c:337 + kmem_cache_alloc+0x1c2/0x1e0 mm/slub.c:2766 + mb_cache_entry_create+0x283/0xc60 fs/mbcache.c:86 + ext4_xattr_cache_insert fs/ext4/xattr.c:1647 [inline] + ext4_xattr_block_set+0x4c82/0x5530 fs/ext4/xattr.c:1022 + ext4_xattr_set_handle+0x1332/0x20a0 fs/ext4/xattr.c:1252 + ext4_xattr_set+0x4d2/0x680 fs/ext4/xattr.c:1306 + ext4_xattr_trusted_set+0x8d/0xa0 fs/ext4/xattr_trusted.c:36 + __vfs_setxattr+0x703/0x790 fs/xattr.c:149 + __vfs_setxattr_noperm+0x27a/0x6f0 fs/xattr.c:180 + vfs_setxattr fs/xattr.c:223 [inline] + setxattr+0x6ae/0x790 fs/xattr.c:449 + path_setxattr+0x1eb/0x380 fs/xattr.c:468 + SYSC_lsetxattr+0x8d/0xb0 fs/xattr.c:490 + SyS_lsetxattr+0x77/0xa0 fs/xattr.c:486 + entry_SYSCALL_64_fastpath+0x13/0x94 +================================================================== + +Signed-off-by: Alexander Potapenko +Signed-off-by: Eric Biggers +Cc: stable@vger.kernel.org # v4.6 +Signed-off-by: Greg Kroah-Hartman + +--- + fs/mbcache.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/mbcache.c ++++ b/fs/mbcache.c +@@ -94,6 +94,7 @@ int mb_cache_entry_create(struct mb_cach + entry->e_key = key; + entry->e_value = value; + entry->e_reusable = reusable; ++ entry->e_referenced = 0; + head = mb_cache_entry_head(cache, key); + hlist_bl_lock(head); + hlist_bl_for_each_entry(dup, dup_node, head, e_hash_list) { diff --git a/queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch b/queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch new file mode 100644 index 00000000000..f6b5bad16a5 --- /dev/null +++ b/queue-4.15/mips-cps-fix-mips_isa_level_raw-fallout.patch @@ -0,0 +1,86 @@ +From 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Fri, 2 Feb 2018 14:36:40 +0000 +Subject: MIPS: CPS: Fix MIPS_ISA_LEVEL_RAW fallout + +From: James Hogan + +commit 8dbc1864b74f5dea5a3f7c30ca8fd358a675132f upstream. + +Commit 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning") +added .set MIPS_ISA_LEVEL_RAW to silence warnings about .set mt on r1, +however this can result in a MOVE being encoded as a 64-bit DADDU +instruction on certain version of binutils (e.g. 2.22), and reserved +instruction exceptions at runtime on 32-bit hardware. + +Reduce the sizes of the push/pop sections to include only instructions +that are part of the MT ASE or which won't convert to 64-bit +instructions after .set mips64r2/mips64r6. + +Reported-by: Greg Ungerer +Fixes: 17278a91e04f ("MIPS: CPS: Fix r1 .set mt assembler warning") +Signed-off-by: James Hogan +Cc: Ralf Baechle +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Cc: # 4.15 +Tested-by: Greg Ungerer +Patchwork: https://patchwork.linux-mips.org/patch/18578/ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/cps-vec.S | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/arch/mips/kernel/cps-vec.S ++++ b/arch/mips/kernel/cps-vec.S +@@ -388,15 +388,16 @@ LEAF(mips_cps_boot_vpes) + + #elif defined(CONFIG_MIPS_MT) + +- .set push +- .set MIPS_ISA_LEVEL_RAW +- .set mt +- + /* If the core doesn't support MT then return */ + has_mt t0, 5f + + /* Enter VPE configuration state */ ++ .set push ++ .set MIPS_ISA_LEVEL_RAW ++ .set mt + dvpe ++ .set pop ++ + PTR_LA t1, 1f + jr.hb t1 + nop +@@ -422,6 +423,10 @@ LEAF(mips_cps_boot_vpes) + mtc0 t0, CP0_VPECONTROL + ehb + ++ .set push ++ .set MIPS_ISA_LEVEL_RAW ++ .set mt ++ + /* Skip the VPE if its TC is not halted */ + mftc0 t0, CP0_TCHALT + beqz t0, 2f +@@ -495,6 +500,8 @@ LEAF(mips_cps_boot_vpes) + ehb + evpe + ++ .set pop ++ + /* Check whether this VPE is meant to be running */ + li t0, 1 + sll t0, t0, a1 +@@ -509,7 +516,7 @@ LEAF(mips_cps_boot_vpes) + 1: jr.hb t0 + nop + +-2: .set pop ++2: + + #endif /* CONFIG_MIPS_MT_SMP */ + diff --git a/queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch b/queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch new file mode 100644 index 00000000000..1895e116aa3 --- /dev/null +++ b/queue-4.15/mips-fix-incorrect-mem-x-y-handling.patch @@ -0,0 +1,94 @@ +From 67a3ba25aa955198196f40b76b329b3ab9ad415a Mon Sep 17 00:00:00 2001 +From: Marcin Nowakowski +Date: Thu, 1 Feb 2018 12:37:21 +0100 +Subject: MIPS: Fix incorrect mem=X@Y handling + +From: Marcin Nowakowski + +commit 67a3ba25aa955198196f40b76b329b3ab9ad415a upstream. + +Commit 73fbc1eba7ff ("MIPS: fix mem=X@Y commandline processing") added a +fix to ensure that the memory range between PHYS_OFFSET and low memory +address specified by mem= cmdline argument is not later processed by +free_all_bootmem. This change was incorrect for systems where the +commandline specifies more than 1 mem argument, as it will cause all +memory between PHYS_OFFSET and each of the memory offsets to be marked +as reserved, which results in parts of the RAM marked as reserved +(Creator CI20's u-boot has a default commandline argument 'mem=256M@0x0 +mem=768M@0x30000000'). + +Change the behaviour to ensure that only the range between PHYS_OFFSET +and the lowest start address of the memories is marked as protected. + +This change also ensures that the range is marked protected even if it's +only defined through the devicetree and not only via commandline +arguments. + +Reported-by: Mathieu Malaterre +Signed-off-by: Marcin Nowakowski +Fixes: 73fbc1eba7ff ("MIPS: fix mem=X@Y commandline processing") +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # v4.11+ +Tested-by: Mathieu Malaterre +Patchwork: https://patchwork.linux-mips.org/patch/18562/ +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/setup.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/mips/kernel/setup.c ++++ b/arch/mips/kernel/setup.c +@@ -375,6 +375,7 @@ static void __init bootmem_init(void) + unsigned long reserved_end; + unsigned long mapstart = ~0UL; + unsigned long bootmap_size; ++ phys_addr_t ramstart = (phys_addr_t)ULLONG_MAX; + bool bootmap_valid = false; + int i; + +@@ -395,7 +396,8 @@ static void __init bootmem_init(void) + max_low_pfn = 0; + + /* +- * Find the highest page frame number we have available. ++ * Find the highest page frame number we have available ++ * and the lowest used RAM address + */ + for (i = 0; i < boot_mem_map.nr_map; i++) { + unsigned long start, end; +@@ -407,6 +409,8 @@ static void __init bootmem_init(void) + end = PFN_DOWN(boot_mem_map.map[i].addr + + boot_mem_map.map[i].size); + ++ ramstart = min(ramstart, boot_mem_map.map[i].addr); ++ + #ifndef CONFIG_HIGHMEM + /* + * Skip highmem here so we get an accurate max_low_pfn if low +@@ -436,6 +440,13 @@ static void __init bootmem_init(void) + mapstart = max(reserved_end, start); + } + ++ /* ++ * Reserve any memory between the start of RAM and PHYS_OFFSET ++ */ ++ if (ramstart > PHYS_OFFSET) ++ add_memory_region(PHYS_OFFSET, ramstart - PHYS_OFFSET, ++ BOOT_MEM_RESERVED); ++ + if (min_low_pfn >= max_low_pfn) + panic("Incorrect memory mapping !!!"); + if (min_low_pfn > ARCH_PFN_OFFSET) { +@@ -664,9 +675,6 @@ static int __init early_parse_mem(char * + + add_memory_region(start, size, BOOT_MEM_RAM); + +- if (start && start > PHYS_OFFSET) +- add_memory_region(PHYS_OFFSET, start - PHYS_OFFSET, +- BOOT_MEM_RESERVED); + return 0; + } + early_param("mem", early_parse_mem); diff --git a/queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch b/queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch new file mode 100644 index 00000000000..217dcbdd928 --- /dev/null +++ b/queue-4.15/mips-fix-typo-big_endian-to-cpu_big_endian.patch @@ -0,0 +1,52 @@ +From 2e6522c565522a2e18409c315c49d78c8b74807b Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Wed, 17 Jan 2018 19:56:38 +0100 +Subject: MIPS: Fix typo BIG_ENDIAN to CPU_BIG_ENDIAN + +From: Corentin Labbe + +commit 2e6522c565522a2e18409c315c49d78c8b74807b upstream. + +MIPS_GENERIC selects some options conditional on BIG_ENDIAN which does +not exist. + +Replace BIG_ENDIAN with CPU_BIG_ENDIAN which is the correct kconfig +name. Note that BMIPS_GENERIC does the same which confirms that this +patch is needed. + +Fixes: eed0eabd12ef0 ("MIPS: generic: Introduce generic DT-based board support") +Signed-off-by: Corentin Labbe +Reviewed-by: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: # 4.9+ +Patchwork: https://patchwork.linux-mips.org/patch/18495/ +[jhogan@kernel.org: Clean up commit message] +Signed-off-by: James Hogan +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/Kconfig | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/mips/Kconfig ++++ b/arch/mips/Kconfig +@@ -119,12 +119,12 @@ config MIPS_GENERIC + select SYS_SUPPORTS_MULTITHREADING + select SYS_SUPPORTS_RELOCATABLE + select SYS_SUPPORTS_SMARTMIPS +- select USB_EHCI_BIG_ENDIAN_DESC if BIG_ENDIAN +- select USB_EHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN +- select USB_OHCI_BIG_ENDIAN_DESC if BIG_ENDIAN +- select USB_OHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN +- select USB_UHCI_BIG_ENDIAN_DESC if BIG_ENDIAN +- select USB_UHCI_BIG_ENDIAN_MMIO if BIG_ENDIAN ++ select USB_EHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN ++ select USB_EHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN ++ select USB_OHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN ++ select USB_OHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN ++ select USB_UHCI_BIG_ENDIAN_DESC if CPU_BIG_ENDIAN ++ select USB_UHCI_BIG_ENDIAN_MMIO if CPU_BIG_ENDIAN + select USE_OF + help + Select this to build a kernel which aims to support multiple boards, diff --git a/queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch b/queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch new file mode 100644 index 00000000000..166829480b4 --- /dev/null +++ b/queue-4.15/mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch @@ -0,0 +1,41 @@ +From 2572cf57d75a7f91835d9a38771e9e76d575d122 Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Mon, 5 Feb 2018 16:24:52 +0200 +Subject: mlx5: fix mlx5_get_vector_affinity to start from completion vector 0 + +From: Sagi Grimberg + +commit 2572cf57d75a7f91835d9a38771e9e76d575d122 upstream. + +The consumers of this routine expects the affinity map of of vector +index relative to the first completion vector. The upper layers are +not aware of internal/private completion vectors that mlx5 allocates +for its own usage. + +Hence, return the affinity map of vector index relative to the first +completion vector. + +Fixes: 05e0cc84e00c ("net/mlx5: Fix get vector affinity helper function") +Reported-by: Logan Gunthorpe +Tested-by: Max Gurtovoy +Reviewed-by: Max Gurtovoy +Cc: # v4.15 +Signed-off-by: Sagi Grimberg +Signed-off-by: Doug Ledford +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mlx5/driver.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mlx5/driver.h ++++ b/include/linux/mlx5/driver.h +@@ -1238,7 +1238,7 @@ mlx5_get_vector_affinity(struct mlx5_cor + int eqn; + int err; + +- err = mlx5_vector2eqn(dev, vector, &eqn, &irq); ++ err = mlx5_vector2eqn(dev, MLX5_EQ_VEC_COMP_BASE + vector, &eqn, &irq); + if (err) + return NULL; + diff --git a/queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch b/queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch new file mode 100644 index 00000000000..eb17dad6d81 --- /dev/null +++ b/queue-4.15/mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch @@ -0,0 +1,41 @@ +From 10a0cd6e4932b5078215b1ec2c896597eec0eff9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20H=2E=20Sch=C3=B6nherr?= +Date: Fri, 19 Jan 2018 16:27:54 -0800 +Subject: mm: Fix memory size alignment in devm_memremap_pages_release() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jan H. Schönherr + +commit 10a0cd6e4932b5078215b1ec2c896597eec0eff9 upstream. + +The functions devm_memremap_pages() and devm_memremap_pages_release() use +different ways to calculate the section-aligned amount of memory. The +latter function may use an incorrect size if the memory region is small +but straddles a section border. + +Use the same code for both. + +Cc: +Fixes: 5f29a77cd957 ("mm: fix mixed zone detection in devm_memremap_pages") +Signed-off-by: Jan H. Schönherr +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/memremap.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/memremap.c ++++ b/kernel/memremap.c +@@ -301,7 +301,8 @@ static void devm_memremap_pages_release( + + /* pages are dead and unused, undo the arch mapping */ + align_start = res->start & ~(SECTION_SIZE - 1); +- align_size = ALIGN(resource_size(res), SECTION_SIZE); ++ align_size = ALIGN(res->start + resource_size(res), SECTION_SIZE) ++ - align_start; + + mem_hotplug_begin(); + arch_remove_memory(align_start, align_size); diff --git a/queue-4.15/mm-hide-a-warning-for-compile_test.patch b/queue-4.15/mm-hide-a-warning-for-compile_test.patch new file mode 100644 index 00000000000..71d15449785 --- /dev/null +++ b/queue-4.15/mm-hide-a-warning-for-compile_test.patch @@ -0,0 +1,39 @@ +From af27d9403f5b80685b79c88425086edccecaf711 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 16 Feb 2018 16:25:53 +0100 +Subject: mm: hide a #warning for COMPILE_TEST + +From: Arnd Bergmann + +commit af27d9403f5b80685b79c88425086edccecaf711 upstream. + +We get a warning about some slow configurations in randconfig kernels: + + mm/memory.c:83:2: error: #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. [-Werror=cpp] + +The warning is reasonable by itself, but gets in the way of randconfig +build testing, so I'm hiding it whenever CONFIG_COMPILE_TEST is set. + +The warning was added in 2013 in commit 75980e97dacc ("mm: fold +page->_last_nid into page->flags where possible"). + +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -81,7 +81,7 @@ + + #include "internal.h" + +-#ifdef LAST_CPUPID_NOT_IN_PAGE_FLAGS ++#if defined(LAST_CPUPID_NOT_IN_PAGE_FLAGS) && !defined(CONFIG_COMPILE_TEST) + #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. + #endif + diff --git a/queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch b/queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch new file mode 100644 index 00000000000..f6bdcbecf85 --- /dev/null +++ b/queue-4.15/mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch @@ -0,0 +1,35 @@ +From 118032be389009b07ecb5a03ffe219a89d421def Mon Sep 17 00:00:00 2001 +From: Phil Elwell +Date: Mon, 12 Feb 2018 21:13:44 +0100 +Subject: mmc: bcm2835: Don't overwrite max frequency unconditionally + +From: Phil Elwell + +commit 118032be389009b07ecb5a03ffe219a89d421def upstream. + +The optional DT parameter max-frequency could init the max bus frequency. +So take care of this, before setting the max bus frequency. + +Fixes: 660fc733bd74 ("mmc: bcm2835: Add new driver for the sdhost controller.") +Signed-off-by: Phil Elwell +Signed-off-by: Stefan Wahren +Cc: # 4.12+ +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/bcm2835.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/bcm2835.c ++++ b/drivers/mmc/host/bcm2835.c +@@ -1265,7 +1265,8 @@ static int bcm2835_add_host(struct bcm28 + char pio_limit_string[20]; + int ret; + +- mmc->f_max = host->max_clk; ++ if (!mmc->f_max || mmc->f_max > host->max_clk) ++ mmc->f_max = host->max_clk; + mmc->f_min = host->max_clk / SDCDIV_MAX_CDIV; + + mmc->max_busy_timeout = ~0 / (mmc->f_max / 1000); diff --git a/queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch b/queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch new file mode 100644 index 00000000000..99135bcc97d --- /dev/null +++ b/queue-4.15/mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch @@ -0,0 +1,307 @@ +From bd9b902798ab14d19ca116b10bde581ddff8f905 Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Mon, 29 Jan 2018 00:44:53 +0100 +Subject: mmc: sdhci: Implement an SDHCI-specific bounce buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Walleij + +commit bd9b902798ab14d19ca116b10bde581ddff8f905 upstream. + +The bounce buffer is gone from the MMC core, and now we found out +that there are some (crippled) i.MX boards out there that have broken +ADMA (cannot do scatter-gather), and also broken PIO so they must +use SDMA. Closer examination shows a less significant slowdown +also on SDMA-only capable Laptop hosts. + +SDMA sets down the number of segments to one, so that each segment +gets turned into a singular request that ping-pongs to the block +layer before the next request/segment is issued. + +Apparently it happens a lot that the block layer send requests +that include a lot of physically discontiguous segments. My guess +is that this phenomenon is coming from the file system. + +These devices that cannot handle scatterlists in hardware can see +major benefits from a DMA-contiguous bounce buffer. + +This patch accumulates those fragmented scatterlists in a physically +contiguous bounce buffer so that we can issue bigger DMA data chunks +to/from the card. + +When tested with a PCI-integrated host (1217:8221) that +only supports SDMA: +0b:00.0 SD Host controller: O2 Micro, Inc. OZ600FJ0/OZ900FJ0/OZ600FJS + SD/MMC Card Reader Controller (rev 05) +This patch gave ~1Mbyte/s improved throughput on large reads and +writes when testing using iozone than without the patch. + +dmesg: +sdhci-pci 0000:0b:00.0: SDHCI controller found [1217:8221] (rev 5) +mmc0 bounce up to 128 segments into one, max segment size 65536 bytes +mmc0: SDHCI controller on PCI [0000:0b:00.0] using DMA + +On the i.MX SDHCI controllers on the crippled i.MX 25 and i.MX 35 +the patch restores the performance to what it was before we removed +the bounce buffers. + +Cc: Pierre Ossman +Cc: Benoît Thébaudeau +Cc: Fabio Estevam +Cc: Benjamin Beckmeyer +Cc: stable@vger.kernel.org # v4.14+ +Fixes: de3ee99b097d ("mmc: Delete bounce buffer handling") +Tested-by: Benjamin Beckmeyer +Acked-by: Adrian Hunter +Signed-off-by: Linus Walleij +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 164 ++++++++++++++++++++++++++++++++++++++++++++--- + drivers/mmc/host/sdhci.h | 3 + 2 files changed, 159 insertions(+), 8 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -502,8 +503,35 @@ static int sdhci_pre_dma_transfer(struct + if (data->host_cookie == COOKIE_PRE_MAPPED) + return data->sg_count; + +- sg_count = dma_map_sg(mmc_dev(host->mmc), data->sg, data->sg_len, +- mmc_get_dma_dir(data)); ++ /* Bounce write requests to the bounce buffer */ ++ if (host->bounce_buffer) { ++ unsigned int length = data->blksz * data->blocks; ++ ++ if (length > host->bounce_buffer_size) { ++ pr_err("%s: asked for transfer of %u bytes exceeds bounce buffer %u bytes\n", ++ mmc_hostname(host->mmc), length, ++ host->bounce_buffer_size); ++ return -EIO; ++ } ++ if (mmc_get_dma_dir(data) == DMA_TO_DEVICE) { ++ /* Copy the data to the bounce buffer */ ++ sg_copy_to_buffer(data->sg, data->sg_len, ++ host->bounce_buffer, ++ length); ++ } ++ /* Switch ownership to the DMA */ ++ dma_sync_single_for_device(host->mmc->parent, ++ host->bounce_addr, ++ host->bounce_buffer_size, ++ mmc_get_dma_dir(data)); ++ /* Just a dummy value */ ++ sg_count = 1; ++ } else { ++ /* Just access the data directly from memory */ ++ sg_count = dma_map_sg(mmc_dev(host->mmc), ++ data->sg, data->sg_len, ++ mmc_get_dma_dir(data)); ++ } + + if (sg_count == 0) + return -ENOSPC; +@@ -673,6 +701,14 @@ static void sdhci_adma_table_post(struct + } + } + ++static u32 sdhci_sdma_address(struct sdhci_host *host) ++{ ++ if (host->bounce_buffer) ++ return host->bounce_addr; ++ else ++ return sg_dma_address(host->data->sg); ++} ++ + static u8 sdhci_calc_timeout(struct sdhci_host *host, struct mmc_command *cmd) + { + u8 count; +@@ -858,8 +894,8 @@ static void sdhci_prepare_data(struct sd + SDHCI_ADMA_ADDRESS_HI); + } else { + WARN_ON(sg_cnt != 1); +- sdhci_writel(host, sg_dma_address(data->sg), +- SDHCI_DMA_ADDRESS); ++ sdhci_writel(host, sdhci_sdma_address(host), ++ SDHCI_DMA_ADDRESS); + } + } + +@@ -2248,7 +2284,12 @@ static void sdhci_pre_req(struct mmc_hos + + mrq->data->host_cookie = COOKIE_UNMAPPED; + +- if (host->flags & SDHCI_REQ_USE_DMA) ++ /* ++ * No pre-mapping in the pre hook if we're using the bounce buffer, ++ * for that we would need two bounce buffers since one buffer is ++ * in flight when this is getting called. ++ */ ++ if (host->flags & SDHCI_REQ_USE_DMA && !host->bounce_buffer) + sdhci_pre_dma_transfer(host, mrq->data, COOKIE_PRE_MAPPED); + } + +@@ -2352,8 +2393,45 @@ static bool sdhci_request_done(struct sd + struct mmc_data *data = mrq->data; + + if (data && data->host_cookie == COOKIE_MAPPED) { +- dma_unmap_sg(mmc_dev(host->mmc), data->sg, data->sg_len, +- mmc_get_dma_dir(data)); ++ if (host->bounce_buffer) { ++ /* ++ * On reads, copy the bounced data into the ++ * sglist ++ */ ++ if (mmc_get_dma_dir(data) == DMA_FROM_DEVICE) { ++ unsigned int length = data->bytes_xfered; ++ ++ if (length > host->bounce_buffer_size) { ++ pr_err("%s: bounce buffer is %u bytes but DMA claims to have transferred %u bytes\n", ++ mmc_hostname(host->mmc), ++ host->bounce_buffer_size, ++ data->bytes_xfered); ++ /* Cap it down and continue */ ++ length = host->bounce_buffer_size; ++ } ++ dma_sync_single_for_cpu( ++ host->mmc->parent, ++ host->bounce_addr, ++ host->bounce_buffer_size, ++ DMA_FROM_DEVICE); ++ sg_copy_from_buffer(data->sg, ++ data->sg_len, ++ host->bounce_buffer, ++ length); ++ } else { ++ /* No copying, just switch ownership */ ++ dma_sync_single_for_cpu( ++ host->mmc->parent, ++ host->bounce_addr, ++ host->bounce_buffer_size, ++ mmc_get_dma_dir(data)); ++ } ++ } else { ++ /* Unmap the raw data */ ++ dma_unmap_sg(mmc_dev(host->mmc), data->sg, ++ data->sg_len, ++ mmc_get_dma_dir(data)); ++ } + data->host_cookie = COOKIE_UNMAPPED; + } + } +@@ -2636,7 +2714,8 @@ static void sdhci_data_irq(struct sdhci_ + */ + if (intmask & SDHCI_INT_DMA_END) { + u32 dmastart, dmanow; +- dmastart = sg_dma_address(host->data->sg); ++ ++ dmastart = sdhci_sdma_address(host); + dmanow = dmastart + host->data->bytes_xfered; + /* + * Force update to the next DMA block boundary. +@@ -3217,6 +3296,68 @@ void __sdhci_read_caps(struct sdhci_host + } + EXPORT_SYMBOL_GPL(__sdhci_read_caps); + ++static int sdhci_allocate_bounce_buffer(struct sdhci_host *host) ++{ ++ struct mmc_host *mmc = host->mmc; ++ unsigned int max_blocks; ++ unsigned int bounce_size; ++ int ret; ++ ++ /* ++ * Cap the bounce buffer at 64KB. Using a bigger bounce buffer ++ * has diminishing returns, this is probably because SD/MMC ++ * cards are usually optimized to handle this size of requests. ++ */ ++ bounce_size = SZ_64K; ++ /* ++ * Adjust downwards to maximum request size if this is less ++ * than our segment size, else hammer down the maximum ++ * request size to the maximum buffer size. ++ */ ++ if (mmc->max_req_size < bounce_size) ++ bounce_size = mmc->max_req_size; ++ max_blocks = bounce_size / 512; ++ ++ /* ++ * When we just support one segment, we can get significant ++ * speedups by the help of a bounce buffer to group scattered ++ * reads/writes together. ++ */ ++ host->bounce_buffer = devm_kmalloc(mmc->parent, ++ bounce_size, ++ GFP_KERNEL); ++ if (!host->bounce_buffer) { ++ pr_err("%s: failed to allocate %u bytes for bounce buffer, falling back to single segments\n", ++ mmc_hostname(mmc), ++ bounce_size); ++ /* ++ * Exiting with zero here makes sure we proceed with ++ * mmc->max_segs == 1. ++ */ ++ return 0; ++ } ++ ++ host->bounce_addr = dma_map_single(mmc->parent, ++ host->bounce_buffer, ++ bounce_size, ++ DMA_BIDIRECTIONAL); ++ ret = dma_mapping_error(mmc->parent, host->bounce_addr); ++ if (ret) ++ /* Again fall back to max_segs == 1 */ ++ return 0; ++ host->bounce_buffer_size = bounce_size; ++ ++ /* Lie about this since we're bouncing */ ++ mmc->max_segs = max_blocks; ++ mmc->max_seg_size = bounce_size; ++ mmc->max_req_size = bounce_size; ++ ++ pr_info("%s bounce up to %u segments into one, max segment size %u bytes\n", ++ mmc_hostname(mmc), max_blocks, bounce_size); ++ ++ return 0; ++} ++ + int sdhci_setup_host(struct sdhci_host *host) + { + struct mmc_host *mmc; +@@ -3713,6 +3854,13 @@ int sdhci_setup_host(struct sdhci_host * + */ + mmc->max_blk_count = (host->quirks & SDHCI_QUIRK_NO_MULTIBLOCK) ? 1 : 65535; + ++ if (mmc->max_segs == 1) { ++ /* This may alter mmc->*_blk_* parameters */ ++ ret = sdhci_allocate_bounce_buffer(host); ++ if (ret) ++ return ret; ++ } ++ + return 0; + + unreg: +--- a/drivers/mmc/host/sdhci.h ++++ b/drivers/mmc/host/sdhci.h +@@ -440,6 +440,9 @@ struct sdhci_host { + + int irq; /* Device IRQ */ + void __iomem *ioaddr; /* Mapped address */ ++ char *bounce_buffer; /* For packing SDMA reads/writes */ ++ dma_addr_t bounce_addr; ++ unsigned int bounce_buffer_size; + + const struct sdhci_ops *ops; /* Low level hw interface */ + diff --git a/queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch b/queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch new file mode 100644 index 00000000000..9b71fb23a43 --- /dev/null +++ b/queue-4.15/mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch @@ -0,0 +1,107 @@ +From 3968523f855050b8195134da951b87c20bd66130 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Wed, 7 Feb 2018 22:34:24 -0800 +Subject: mpls, nospec: Sanitize array index in mpls_label_ok() + +From: Dan Williams + +commit 3968523f855050b8195134da951b87c20bd66130 upstream. + +mpls_label_ok() validates that the 'platform_label' array index from a +userspace netlink message payload is valid. Under speculation the +mpls_label_ok() result may not resolve in the CPU pipeline until after +the index is used to access an array element. Sanitize the index to zero +to prevent userspace-controlled arbitrary out-of-bounds speculation, a +precursor for a speculative execution side channel vulnerability. + +Cc: +Cc: "David S. Miller" +Cc: Eric W. Biederman +Signed-off-by: Dan Williams +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/mpls/af_mpls.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +--- a/net/mpls/af_mpls.c ++++ b/net/mpls/af_mpls.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -935,24 +936,27 @@ errout: + return err; + } + +-static bool mpls_label_ok(struct net *net, unsigned int index, ++static bool mpls_label_ok(struct net *net, unsigned int *index, + struct netlink_ext_ack *extack) + { ++ bool is_ok = true; ++ + /* Reserved labels may not be set */ +- if (index < MPLS_LABEL_FIRST_UNRESERVED) { ++ if (*index < MPLS_LABEL_FIRST_UNRESERVED) { + NL_SET_ERR_MSG(extack, + "Invalid label - must be MPLS_LABEL_FIRST_UNRESERVED or higher"); +- return false; ++ is_ok = false; + } + + /* The full 20 bit range may not be supported. */ +- if (index >= net->mpls.platform_labels) { ++ if (is_ok && *index >= net->mpls.platform_labels) { + NL_SET_ERR_MSG(extack, + "Label >= configured maximum in platform_labels"); +- return false; ++ is_ok = false; + } + +- return true; ++ *index = array_index_nospec(*index, net->mpls.platform_labels); ++ return is_ok; + } + + static int mpls_route_add(struct mpls_route_config *cfg, +@@ -975,7 +979,7 @@ static int mpls_route_add(struct mpls_ro + index = find_free_label(net); + } + +- if (!mpls_label_ok(net, index, extack)) ++ if (!mpls_label_ok(net, &index, extack)) + goto errout; + + /* Append makes no sense with mpls */ +@@ -1052,7 +1056,7 @@ static int mpls_route_del(struct mpls_ro + + index = cfg->rc_label; + +- if (!mpls_label_ok(net, index, extack)) ++ if (!mpls_label_ok(net, &index, extack)) + goto errout; + + mpls_route_update(net, index, NULL, &cfg->rc_nlinfo); +@@ -1810,7 +1814,7 @@ static int rtm_to_route_config(struct sk + goto errout; + + if (!mpls_label_ok(cfg->rc_nlinfo.nl_net, +- cfg->rc_label, extack)) ++ &cfg->rc_label, extack)) + goto errout; + break; + } +@@ -2137,7 +2141,7 @@ static int mpls_getroute(struct sk_buff + goto errout; + } + +- if (!mpls_label_ok(net, in_label, extack)) { ++ if (!mpls_label_ok(net, &in_label, extack)) { + err = -EINVAL; + goto errout; + } diff --git a/queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch b/queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch new file mode 100644 index 00000000000..ddc4494a909 --- /dev/null +++ b/queue-4.15/pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch @@ -0,0 +1,40 @@ +From deb86999323661c019ef2740eb9d479d1e526b5c Mon Sep 17 00:00:00 2001 +From: Dongdong Liu +Date: Thu, 28 Dec 2017 17:53:32 +0800 +Subject: PCI: Disable MSI for HiSilicon Hip06/Hip07 only in Root Port mode + +From: Dongdong Liu + +commit deb86999323661c019ef2740eb9d479d1e526b5c upstream. + +HiSilicon Hip06/Hip07 can operate as either a Root Port or an Endpoint. It +always advertises an MSI capability, but it can only generate MSIs when in +Endpoint mode. + +The device has the same Vendor and Device IDs in both modes, so check the +Class Code and disable MSI only when operating as a Root Port. + +[bhelgaas: changelog] +Fixes: 72f2ff0deb87 ("PCI: Disable MSI for HiSilicon Hip06/Hip07 Root Ports") +Signed-off-by: Dongdong Liu +Signed-off-by: Bjorn Helgaas +Reviewed-by: Zhou Wang +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1636,8 +1636,8 @@ static void quirk_pcie_mch(struct pci_de + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7520_MCH, quirk_pcie_mch); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7320_MCH, quirk_pcie_mch); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_E7525_MCH, quirk_pcie_mch); +-DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, quirk_pcie_mch); + ++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_VENDOR_ID_HUAWEI, 0x1610, PCI_CLASS_BRIDGE_PCI, 8, quirk_pcie_mch); + + /* + * It's possible for the MSI to get corrupted if shpc and acpi diff --git a/queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch b/queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch new file mode 100644 index 00000000000..d0353d5dadc --- /dev/null +++ b/queue-4.15/pci-iproc-fix-null-pointer-dereference-for-bcma.patch @@ -0,0 +1,86 @@ +From 3b65ca50d24ce33cb92d88840e289135c92b40ed Mon Sep 17 00:00:00 2001 +From: Ray Jui +Date: Thu, 11 Jan 2018 12:36:16 -0800 +Subject: PCI: iproc: Fix NULL pointer dereference for BCMA +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ray Jui + +commit 3b65ca50d24ce33cb92d88840e289135c92b40ed upstream. + +With the inbound DMA mapping supported added, the iProc PCIe driver +parses DT property "dma-ranges" through call to +"of_pci_dma_range_parser_init()". In the case of BCMA, this results in a +NULL pointer deference due to a missing of_node. + +Fix this by adding a guard in pcie-iproc-platform.c to only enable the +inbound DMA mapping logic when DT property "dma-ranges" is present. + +Fixes: dd9d4e7498de3 ("PCI: iproc: Add inbound DMA mapping support") +Reported-by: Rafał Miłecki +Signed-off-by: Ray Jui +[lorenzo.pieralisi@arm.com: updated commit log] +Signed-off-by: Lorenzo Pieralisi +Tested-by: Rafał Miłecki +cc: # 4.10+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pcie-iproc-platform.c | 7 +++++++ + drivers/pci/host/pcie-iproc.c | 8 +++++--- + drivers/pci/host/pcie-iproc.h | 2 ++ + 3 files changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/pci/host/pcie-iproc-platform.c ++++ b/drivers/pci/host/pcie-iproc-platform.c +@@ -92,6 +92,13 @@ static int iproc_pcie_pltfm_probe(struct + pcie->need_ob_cfg = true; + } + ++ /* ++ * DT nodes are not used by all platforms that use the iProc PCIe ++ * core driver. For platforms that require explict inbound mapping ++ * configuration, "dma-ranges" would have been present in DT ++ */ ++ pcie->need_ib_cfg = of_property_read_bool(np, "dma-ranges"); ++ + /* PHY use is optional */ + pcie->phy = devm_phy_get(dev, "pcie-phy"); + if (IS_ERR(pcie->phy)) { +--- a/drivers/pci/host/pcie-iproc.c ++++ b/drivers/pci/host/pcie-iproc.c +@@ -1378,9 +1378,11 @@ int iproc_pcie_setup(struct iproc_pcie * + } + } + +- ret = iproc_pcie_map_dma_ranges(pcie); +- if (ret && ret != -ENOENT) +- goto err_power_off_phy; ++ if (pcie->need_ib_cfg) { ++ ret = iproc_pcie_map_dma_ranges(pcie); ++ if (ret && ret != -ENOENT) ++ goto err_power_off_phy; ++ } + + #ifdef CONFIG_ARM + pcie->sysdata.private_data = pcie; +--- a/drivers/pci/host/pcie-iproc.h ++++ b/drivers/pci/host/pcie-iproc.h +@@ -74,6 +74,7 @@ struct iproc_msi; + * @ob: outbound mapping related parameters + * @ob_map: outbound mapping related parameters specific to the controller + * ++ * @need_ib_cfg: indicates SW needs to configure the inbound mapping window + * @ib: inbound mapping related parameters + * @ib_map: outbound mapping region related parameters + * +@@ -101,6 +102,7 @@ struct iproc_pcie { + struct iproc_pcie_ob ob; + const struct iproc_pcie_ob_map *ob_map; + ++ bool need_ib_cfg; + struct iproc_pcie_ib ib; + const struct iproc_pcie_ib_map *ib_map; + diff --git a/queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch b/queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch new file mode 100644 index 00000000000..f17994266eb --- /dev/null +++ b/queue-4.15/pci-keystone-fix-interrupt-controller-node-lookup.patch @@ -0,0 +1,57 @@ +From eac56aa3bc8af3d9b9850345d0f2da9d83529134 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 17 Nov 2017 14:38:31 +0100 +Subject: PCI: keystone: Fix interrupt-controller-node lookup + +From: Johan Hovold + +commit eac56aa3bc8af3d9b9850345d0f2da9d83529134 upstream. + +Fix child-node lookup during initialisation which was using the wrong +OF-helper and ended up searching the whole device tree depth-first +starting at the parent rather than just matching on its children. + +To make things worse, the parent pci node could end up being prematurely +freed as of_find_node_by_name() drops a reference to its first argument. +Any matching child interrupt-controller node was also leaked. + +Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver") +Cc: stable # 3.18 +Acked-by: Murali Karicheri +Signed-off-by: Johan Hovold +[lorenzo.pieralisi@arm.com: updated commit subject] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/dwc/pci-keystone.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/dwc/pci-keystone.c ++++ b/drivers/pci/dwc/pci-keystone.c +@@ -178,7 +178,7 @@ static int ks_pcie_get_irq_controller_in + } + + /* interrupt controller is in a child node */ +- *np_temp = of_find_node_by_name(np_pcie, controller); ++ *np_temp = of_get_child_by_name(np_pcie, controller); + if (!(*np_temp)) { + dev_err(dev, "Node for %s is absent\n", controller); + return -EINVAL; +@@ -187,6 +187,7 @@ static int ks_pcie_get_irq_controller_in + temp = of_irq_count(*np_temp); + if (!temp) { + dev_err(dev, "No IRQ entries in %s\n", controller); ++ of_node_put(*np_temp); + return -EINVAL; + } + +@@ -204,6 +205,8 @@ static int ks_pcie_get_irq_controller_in + break; + } + ++ of_node_put(*np_temp); ++ + if (temp) { + *num_irqs = temp; + return 0; diff --git a/queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch b/queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch new file mode 100644 index 00000000000..e8ba7e30c58 --- /dev/null +++ b/queue-4.15/pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch @@ -0,0 +1,80 @@ +From 493fb50e958c1c6deef7feff0b8c3855def78d75 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 17 Jan 2018 16:48:39 +0100 +Subject: PCI: pciehp: Assume NoCompl+ for Thunderbolt ports + +From: Lukas Wunner + +commit 493fb50e958c1c6deef7feff0b8c3855def78d75 upstream. + +Certain Thunderbolt 1 controllers claim to support Command Completed events +(value of 0b in the No Command Completed Support field of the Slot +Capabilities register) but in reality they neither set the Command +Completed bit in the Slot Status register nor signal a Command Completed +interrupt: + + 8086:1513 CV82524 [Light Ridge 4C 2010] + 8086:151a DSL2310 [Eagle Ridge 2C 2011] + 8086:151b CVL2510 [Light Peak 2C 2010] + 8086:1547 DSL3510 [Cactus Ridge 4C 2012] + 8086:1548 DSL3310 [Cactus Ridge 2C 2012] + 8086:1549 DSL2210 [Port Ridge 1C 2011] + +All known newer chips (Redwood Ridge and onwards) set No Command Completed +Support, indicating that they do not support Command Completed events. + +The user-visible impact is that after unplugging such a device, 2 seconds +elapse until pciehp is unbound. That's because on ->remove, +pcie_write_cmd() is called via pcie_disable_notification() and every call +to pcie_write_cmd() takes 2 seconds (1 second for each invocation of +pcie_wait_cmd()): + + [ 337.942727] pciehp 0000:0a:00.0:pcie204: Timeout on hotplug command 0x1038 (issued 21176 msec ago) + [ 340.014735] pciehp 0000:0a:00.0:pcie204: Timeout on hotplug command 0x0000 (issued 2072 msec ago) + +That by itself has always been unpleasant, but the situation has become +worse with commit cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during +shutdown"): Now pciehp is unbound on ->shutdown. Because Thunderbolt +controllers typically have 4 hotplug ports, every reboot and shutdown is +now delayed by 8 seconds, plus another 2 seconds for every attached +Thunderbolt 1 device. + +Thunderbolt hotplug slots are not physical slots that one inserts cards +into, but rather logical hotplug slots implemented in silicon. Devices +appear beyond those logical slots once a PCI tunnel is established on top +of the Thunderbolt Converged I/O switch. One would expect commands written +to the Slot Control register to be executed immediately by the silicon, so +for simplicity we always assume NoCompl+ for Thunderbolt ports. + +Fixes: cc27b735ad3a ("PCI/portdrv: Turn off PCIe services during shutdown") +Tested-by: Mika Westerberg +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Mika Westerberg +Cc: stable@vger.kernel.org # v4.12+ +Cc: Sinan Kaya +Cc: Yehezkel Bernat +Cc: Michael Jamet +Cc: Andreas Noever +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/pciehp_hpc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/pci/hotplug/pciehp_hpc.c ++++ b/drivers/pci/hotplug/pciehp_hpc.c +@@ -848,6 +848,13 @@ struct controller *pcie_init(struct pcie + if (pdev->hotplug_user_indicators) + slot_cap &= ~(PCI_EXP_SLTCAP_AIP | PCI_EXP_SLTCAP_PIP); + ++ /* ++ * We assume no Thunderbolt controllers support Command Complete events, ++ * but some controllers falsely claim they do. ++ */ ++ if (pdev->is_thunderbolt) ++ slot_cap |= PCI_EXP_SLTCAP_NCCS; ++ + ctrl->slot_cap = slot_cap; + mutex_init(&ctrl->ctrl_lock); + init_waitqueue_head(&ctrl->queue); diff --git a/queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch b/queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch new file mode 100644 index 00000000000..a179ab8804d --- /dev/null +++ b/queue-4.15/rbd-whitelist-rbd_feature_operations-feature-bit.patch @@ -0,0 +1,39 @@ +From e573427a440fd67d3f522357d7ac901d59281948 Mon Sep 17 00:00:00 2001 +From: Ilya Dryomov +Date: Tue, 16 Jan 2018 15:41:54 +0100 +Subject: rbd: whitelist RBD_FEATURE_OPERATIONS feature bit + +From: Ilya Dryomov + +commit e573427a440fd67d3f522357d7ac901d59281948 upstream. + +This feature bit restricts older clients from performing certain +maintenance operations against an image (e.g. clone, snap create). +krbd does not perform maintenance operations. + +Cc: stable@vger.kernel.org +Signed-off-by: Ilya Dryomov +Reviewed-by: Jason Dillaman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/rbd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/rbd.c ++++ b/drivers/block/rbd.c +@@ -124,11 +124,13 @@ static int atomic_dec_return_safe(atomic + #define RBD_FEATURE_STRIPINGV2 (1ULL<<1) + #define RBD_FEATURE_EXCLUSIVE_LOCK (1ULL<<2) + #define RBD_FEATURE_DATA_POOL (1ULL<<7) ++#define RBD_FEATURE_OPERATIONS (1ULL<<8) + + #define RBD_FEATURES_ALL (RBD_FEATURE_LAYERING | \ + RBD_FEATURE_STRIPINGV2 | \ + RBD_FEATURE_EXCLUSIVE_LOCK | \ +- RBD_FEATURE_DATA_POOL) ++ RBD_FEATURE_DATA_POOL | \ ++ RBD_FEATURE_OPERATIONS) + + /* Features supported by this (client software) implementation. */ + diff --git a/queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch b/queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch new file mode 100644 index 00000000000..2732dea7596 --- /dev/null +++ b/queue-4.15/revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch @@ -0,0 +1,192 @@ +From d6fa7588fd7a8def4c747c0c574ce85d453e3788 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Wed, 24 Jan 2018 19:35:45 +0100 +Subject: Revert "apple-gmux: lock iGP IO to protect from vgaarb changes" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Wunner + +commit d6fa7588fd7a8def4c747c0c574ce85d453e3788 upstream. + +Commit 4eebd5a4e726 ("apple-gmux: lock iGP IO to protect from vgaarb +changes") amended this driver's ->probe hook to lock decoding of normal +(non-legacy) I/O space accesses to the integrated GPU on dual-GPU +MacBook Pros. The lock stays in place until the driver is unbound. + +The change was made to work around an issue with the out-of-tree nvidia +graphics driver (available at http://www.nvidia.com/object/unix.html). +It contains the following sequence in nvidia/nv.c: + + #if defined(CONFIG_VGA_ARB) && !defined(NVCPU_PPC64LE) + #if defined(VGA_DEFAULT_DEVICE) + vga_tryget(VGA_DEFAULT_DEVICE, VGA_RSRC_LEGACY_MASK); + #endif + vga_set_legacy_decoding(dev, VGA_RSRC_NONE); + #endif + +This code was reported to cause deadlocks with VFIO already in 2013: +https://devtalk.nvidia.com/default/topic/545560 + +I've reported the issue to Nvidia developers once more in 2017: +https://www.spinics.net/lists/dri-devel/msg138754.html + +On the MacBookPro10,1, this code apparently breaks backlight control +(which is handled by apple-gmux via an I/O region starting at 0x700), +as reported by Petri Hodju: +https://bugzilla.kernel.org/show_bug.cgi?id=86121 + +I tried to replicate Petri's observations on my MacBook9,1, which uses +the same Intel Ivy Bridge + Nvidia GeForce GT 650M architecture, to no +avail. On my machine apple-gmux' I/O region remains accessible even +with the nvidia driver loaded and commit 4eebd5a4e726 reverted. +Petri reported that apple-gmux becomes accessible again after a +suspend/resume cycle because the BIOS changed the VGA routing on the +root port to the Nvidia GPU. Perhaps this is a BIOS issue after all +that can be fixed with an update? + +In any case, the change made by commit 4eebd5a4e726 has turned out to +cause two new issues: + +* Wilfried Klaebe reports a deadlock when launching Xorg because it + opens /dev/vga_arbiter and calls vga_get(), but apple-gmux is holding + a lock on I/O space indefinitely. It looks like apple-gmux' current + behavior is an abuse of the vgaarb API as locks are not meant to be + held for longer periods: + https://bugzilla.kernel.org/show_bug.cgi?id=88861#c11 + https://bugzilla.kernel.org/attachment.cgi?id=217541 + +* On dual GPU MacBook Pros introduced since 2013, the integrated GPU is + powergated on boot und thus becomes invisible to Linux unless a custom + EFI protocol is used to leave it powered on. (A patch exists but is + not in mainline yet due to several negative side effects.) On these + machines, locking I/O to the integrated GPU (as done by 4eebd5a4e726) + fails and backlight control is therefore broken: + https://bugzilla.kernel.org/show_bug.cgi?id=105051 + +So let's revert commit 4eebd5a4e726 please. Users experiencing the +issue with the proprietary nvidia driver can comment out the above- +quoted problematic code as a workaround (or try updating the BIOS). + +Cc: Petri Hodju +Cc: Bjorn Helgaas +Cc: Bruno Prémont +Cc: Andy Ritger +Cc: Ronald Tschalär +Tested-by: Wilfried Klaebe +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/platform/x86/apple-gmux.c | 48 -------------------------------------- + 1 file changed, 1 insertion(+), 47 deletions(-) + +--- a/drivers/platform/x86/apple-gmux.c ++++ b/drivers/platform/x86/apple-gmux.c +@@ -24,7 +24,6 @@ + #include + #include + #include +-#include + #include + #include + +@@ -54,7 +53,6 @@ struct apple_gmux_data { + bool indexed; + struct mutex index_lock; + +- struct pci_dev *pdev; + struct backlight_device *bdev; + + /* switcheroo data */ +@@ -599,23 +597,6 @@ static int gmux_resume(struct device *de + return 0; + } + +-static struct pci_dev *gmux_get_io_pdev(void) +-{ +- struct pci_dev *pdev = NULL; +- +- while ((pdev = pci_get_class(PCI_CLASS_DISPLAY_VGA << 8, pdev))) { +- u16 cmd; +- +- pci_read_config_word(pdev, PCI_COMMAND, &cmd); +- if (!(cmd & PCI_COMMAND_IO)) +- continue; +- +- return pdev; +- } +- +- return NULL; +-} +- + static int is_thunderbolt(struct device *dev, void *data) + { + return to_pci_dev(dev)->is_thunderbolt; +@@ -631,7 +612,6 @@ static int gmux_probe(struct pnp_dev *pn + int ret = -ENXIO; + acpi_status status; + unsigned long long gpe; +- struct pci_dev *pdev = NULL; + + if (apple_gmux_data) + return -EBUSY; +@@ -682,7 +662,7 @@ static int gmux_probe(struct pnp_dev *pn + ver_minor = (version >> 16) & 0xff; + ver_release = (version >> 8) & 0xff; + } else { +- pr_info("gmux device not present or IO disabled\n"); ++ pr_info("gmux device not present\n"); + ret = -ENODEV; + goto err_release; + } +@@ -690,23 +670,6 @@ static int gmux_probe(struct pnp_dev *pn + pr_info("Found gmux version %d.%d.%d [%s]\n", ver_major, ver_minor, + ver_release, (gmux_data->indexed ? "indexed" : "classic")); + +- /* +- * Apple systems with gmux are EFI based and normally don't use +- * VGA. In addition changing IO+MEM ownership between IGP and dGPU +- * disables IO/MEM used for backlight control on some systems. +- * Lock IO+MEM to GPU with active IO to prevent switch. +- */ +- pdev = gmux_get_io_pdev(); +- if (pdev && vga_tryget(pdev, +- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM)) { +- pr_err("IO+MEM vgaarb-locking for PCI:%s failed\n", +- pci_name(pdev)); +- ret = -EBUSY; +- goto err_release; +- } else if (pdev) +- pr_info("locked IO for PCI:%s\n", pci_name(pdev)); +- gmux_data->pdev = pdev; +- + memset(&props, 0, sizeof(props)); + props.type = BACKLIGHT_PLATFORM; + props.max_brightness = gmux_read32(gmux_data, GMUX_PORT_MAX_BRIGHTNESS); +@@ -822,10 +785,6 @@ err_enable_gpe: + err_notify: + backlight_device_unregister(bdev); + err_release: +- if (gmux_data->pdev) +- vga_put(gmux_data->pdev, +- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM); +- pci_dev_put(pdev); + release_region(gmux_data->iostart, gmux_data->iolen); + err_free: + kfree(gmux_data); +@@ -845,11 +804,6 @@ static void gmux_remove(struct pnp_dev * + &gmux_notify_handler); + } + +- if (gmux_data->pdev) { +- vga_put(gmux_data->pdev, +- VGA_RSRC_NORMAL_IO | VGA_RSRC_NORMAL_MEM); +- pci_dev_put(gmux_data->pdev); +- } + backlight_device_unregister(gmux_data->bdev); + + release_region(gmux_data->iostart, gmux_data->iolen); diff --git a/queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch b/queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch new file mode 100644 index 00000000000..8a9e744d510 --- /dev/null +++ b/queue-4.15/revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch @@ -0,0 +1,74 @@ +From fe0e58048f005fdce315eb4d185e5c160be4ac01 Mon Sep 17 00:00:00 2001 +From: Jerome Brunet +Date: Mon, 12 Feb 2018 14:13:59 +0100 +Subject: Revert "mmc: meson-gx: include tx phase in the tuning process" + +From: Jerome Brunet + +commit fe0e58048f005fdce315eb4d185e5c160be4ac01 upstream. + +This reverts commit 0a44697627d17a66d7dc98f17aeca07ca79c5c20. + +This commit was initially intended to fix problems with hs200 and hs400 +on some boards, mainly the odroid-c2. The OC2 (Rev 0.2) I have performs +well in this modes, so I could not confirm these issues. + +We've had several reports about the issues being still present on (some) +OC2, so apparently, this change does not do what it was supposed to do. +Maybe the eMMC signal quality is on the edge on the board. This may +explain the variability we see in term of stability, but this is just a +guess. Lowering the max_frequency to 100Mhz seems to do trick for those +affected by the issue + +Worse, the commit created new issues (CRC errors and hangs) on other +boards, such as the kvim 1 and 2, the p200 or the libretech-cc. + +According to amlogic, the Tx phase should not be tuned and left in its +default configuration, so it is best to just revert the commit. + +Fixes: 0a44697627d1 ("mmc: meson-gx: include tx phase in the tuning process") +Cc: # 4.14+ +Signed-off-by: Jerome Brunet +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/meson-gx-mmc.c | 19 +------------------ + 1 file changed, 1 insertion(+), 18 deletions(-) + +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -716,22 +716,6 @@ static int meson_mmc_clk_phase_tuning(st + static int meson_mmc_execute_tuning(struct mmc_host *mmc, u32 opcode) + { + struct meson_host *host = mmc_priv(mmc); +- int ret; +- +- /* +- * If this is the initial tuning, try to get a sane Rx starting +- * phase before doing the actual tuning. +- */ +- if (!mmc->doing_retune) { +- ret = meson_mmc_clk_phase_tuning(mmc, opcode, host->rx_clk); +- +- if (ret) +- return ret; +- } +- +- ret = meson_mmc_clk_phase_tuning(mmc, opcode, host->tx_clk); +- if (ret) +- return ret; + + return meson_mmc_clk_phase_tuning(mmc, opcode, host->rx_clk); + } +@@ -762,9 +746,8 @@ static void meson_mmc_set_ios(struct mmc + if (!IS_ERR(mmc->supply.vmmc)) + mmc_regulator_set_ocr(mmc, mmc->supply.vmmc, ios->vdd); + +- /* Reset phases */ ++ /* Reset rx phase */ + clk_set_phase(host->rx_clk, 0); +- clk_set_phase(host->tx_clk, 270); + + break; + diff --git a/queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch b/queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch new file mode 100644 index 00000000000..5ef0b926964 --- /dev/null +++ b/queue-4.15/rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch @@ -0,0 +1,82 @@ +From 5b8b58063029f02da573120ef4dc9079822e3cda Mon Sep 17 00:00:00 2001 +From: Stewart Smith +Date: Tue, 2 Aug 2016 11:50:16 +1000 +Subject: rtc-opal: Fix handling of firmware error codes, prevent busy loops + +From: Stewart Smith + +commit 5b8b58063029f02da573120ef4dc9079822e3cda upstream. + +According to the OPAL docs: + skiboot-5.2.5/doc/opal-api/opal-rtc-read-3.txt + skiboot-5.2.5/doc/opal-api/opal-rtc-write-4.txt + +OPAL_HARDWARE may be returned from OPAL_RTC_READ or OPAL_RTC_WRITE and +this indicates either a transient or permanent error. + +Prior to this patch, Linux was not dealing with OPAL_HARDWARE being a +permanent error particularly well, in that you could end up in a busy +loop. + +This was not too hard to trigger on an AMI BMC based OpenPOWER machine +doing a continuous "ipmitool mc reset cold" to the BMC, the result of +that being that we'd get stuck in an infinite loop in +opal_get_rtc_time(). + +We now retry a few times before returning the error higher up the +stack. + +Fixes: 16b1d26e77b1 ("rtc/tpo: Driver to support rtc and wakeup on PowerNV platform") +Cc: stable@vger.kernel.org # v3.19+ +Signed-off-by: Stewart Smith +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-opal.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -58,6 +58,7 @@ static void tm_to_opal(struct rtc_time * + static int opal_get_rtc_time(struct device *dev, struct rtc_time *tm) + { + long rc = OPAL_BUSY; ++ int retries = 10; + u32 y_m_d; + u64 h_m_s_ms; + __be32 __y_m_d; +@@ -67,8 +68,11 @@ static int opal_get_rtc_time(struct devi + rc = opal_rtc_read(&__y_m_d, &__h_m_s_ms); + if (rc == OPAL_BUSY_EVENT) + opal_poll_events(NULL); +- else ++ else if (retries-- && (rc == OPAL_HARDWARE ++ || rc == OPAL_INTERNAL_ERROR)) + msleep(10); ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) ++ break; + } + + if (rc != OPAL_SUCCESS) +@@ -84,6 +88,7 @@ static int opal_get_rtc_time(struct devi + static int opal_set_rtc_time(struct device *dev, struct rtc_time *tm) + { + long rc = OPAL_BUSY; ++ int retries = 10; + u32 y_m_d = 0; + u64 h_m_s_ms = 0; + +@@ -92,8 +97,11 @@ static int opal_set_rtc_time(struct devi + rc = opal_rtc_write(y_m_d, h_m_s_ms); + if (rc == OPAL_BUSY_EVENT) + opal_poll_events(NULL); +- else ++ else if (retries-- && (rc == OPAL_HARDWARE ++ || rc == OPAL_INTERNAL_ERROR)) + msleep(10); ++ else if (rc != OPAL_BUSY && rc != OPAL_BUSY_EVENT) ++ break; + } + + return rc == OPAL_SUCCESS ? 0 : -EIO; diff --git a/queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch b/queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch new file mode 100644 index 00000000000..32156357a17 --- /dev/null +++ b/queue-4.15/seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch @@ -0,0 +1,41 @@ +From cf5eebae2cd28d37581507668605f4d23cd7218d Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 15 Nov 2017 11:34:58 +0100 +Subject: seq_file: fix incomplete reset on read from zero offset + +From: Miklos Szeredi + +commit cf5eebae2cd28d37581507668605f4d23cd7218d upstream. + +When resetting iterator on a zero offset we need to discard any data +already in the buffer (count), and private state of the iterator (version). + +For example this bug results in first line being repeated in /proc/mounts +if doing a zero size read before a non-zero size read. + +Reported-by: Rich Felker +Signed-off-by: Miklos Szeredi +Fixes: e522751d605d ("seq_file: reset iterator to first record for zero offset") +Cc: # v4.10 +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/seq_file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/fs/seq_file.c ++++ b/fs/seq_file.c +@@ -181,8 +181,11 @@ ssize_t seq_read(struct file *file, char + * if request is to read from zero offset, reset iterator to first + * record as it might have been already advanced by previous requests + */ +- if (*ppos == 0) ++ if (*ppos == 0) { + m->index = 0; ++ m->version = 0; ++ m->count = 0; ++ } + + /* Don't assume *ppos is where we left it */ + if (unlikely(*ppos != m->read_pos)) { diff --git a/queue-4.15/series b/queue-4.15/series index 979d937d27e..daebd32556b 100644 --- a/queue-4.15/series +++ b/queue-4.15/series @@ -85,3 +85,42 @@ x86-cpu-rename-cpu_data.x86_mask-to-cpu_data.x86_stepping.patch x86-spectre-fix-an-error-message.patch x86-cpu-change-type-of-x86_cache_size-variable-to-unsigned-int.patch x86-entry-64-fix-cr3-restore-in-paranoid_exit.patch +drm-ttm-don-t-add-swapped-bos-to-swap-lru-list.patch +drm-ttm-fix-buf-pointer-update-in-ttm_bo_vm_access_kmap-v2.patch +drm-qxl-unref-cursor-bo-when-finished-with-it.patch +drm-qxl-reapply-cursor-after-resetting-primary.patch +drm-amd-powerplay-fix-smu_table_entry.handle-type.patch +drm-ast-load-lut-in-crtc_commit.patch +drm-check-for-lessee-in-drop_master-ioctl.patch +arm64-add-missing-falkor-part-number-for-branch-predictor-hardening.patch +drm-radeon-add-dpm-quirk-for-jet-pro-v2.patch +drm-radeon-adjust-tested-variable.patch +x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch +rtc-opal-fix-handling-of-firmware-error-codes-prevent-busy-loops.patch +mbcache-initialize-entry-e_referenced-in-mb_cache_entry_create.patch +mmc-sdhci-implement-an-sdhci-specific-bounce-buffer.patch +mmc-bcm2835-don-t-overwrite-max-frequency-unconditionally.patch +revert-mmc-meson-gx-include-tx-phase-in-the-tuning-process.patch +mlx5-fix-mlx5_get_vector_affinity-to-start-from-completion-vector-0.patch +revert-apple-gmux-lock-igp-io-to-protect-from-vgaarb-changes.patch +jbd2-fix-sphinx-kernel-doc-build-warnings.patch +ext4-fix-a-race-in-the-ext4-shutdown-path.patch +ext4-save-error-to-disk-in-__ext4_grp_locked_error.patch +ext4-correct-documentation-for-grpid-mount-option.patch +mm-hide-a-warning-for-compile_test.patch +mm-fix-memory-size-alignment-in-devm_memremap_pages_release.patch +mips-fix-typo-big_endian-to-cpu_big_endian.patch +mips-cps-fix-mips_isa_level_raw-fallout.patch +mips-fix-incorrect-mem-x-y-handling.patch +pci-disable-msi-for-hisilicon-hip06-hip07-only-in-root-port-mode.patch +pci-iproc-fix-null-pointer-dereference-for-bcma.patch +pci-pciehp-assume-nocompl-for-thunderbolt-ports.patch +pci-keystone-fix-interrupt-controller-node-lookup.patch +video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch +console-dummy-leave-.con_font_get-set-to-null.patch +rbd-whitelist-rbd_feature_operations-feature-bit.patch +xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch +xenbus-track-caller-request-id.patch +seq_file-fix-incomplete-reset-on-read-from-zero-offset.patch +tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch +mpls-nospec-sanitize-array-index-in-mpls_label_ok.patch diff --git a/queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch b/queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch new file mode 100644 index 00000000000..138f53e316b --- /dev/null +++ b/queue-4.15/tracing-fix-parsing-of-globs-with-a-wildcard-at-the-beginning.patch @@ -0,0 +1,82 @@ +From 07234021410bbc27b7c86c18de98616c29fbe667 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Mon, 5 Feb 2018 22:18:11 -0500 +Subject: tracing: Fix parsing of globs with a wildcard at the beginning + +From: Steven Rostedt (VMware) + +commit 07234021410bbc27b7c86c18de98616c29fbe667 upstream. + +Al Viro reported: + + For substring - sure, but what about something like "*a*b" and "a*b"? + AFAICS, filter_parse_regex() ends up with identical results in both + cases - MATCH_GLOB and *search = "a*b". And no way for the caller + to tell one from another. + +Testing this with the following: + + # cd /sys/kernel/tracing + # echo '*raw*lock' > set_ftrace_filter + bash: echo: write error: Invalid argument + +With this patch: + + # echo '*raw*lock' > set_ftrace_filter + # cat set_ftrace_filter +_raw_read_trylock +_raw_write_trylock +_raw_read_unlock +_raw_spin_unlock +_raw_write_unlock +_raw_spin_trylock +_raw_spin_lock +_raw_write_lock +_raw_read_lock + +Al recommended not setting the search buffer to skip the first '*' unless we +know we are not using MATCH_GLOB. This implements his suggested logic. + +Link: http://lkml.kernel.org/r/20180127170748.GF13338@ZenIV.linux.org.uk + +Cc: stable@vger.kernel.org +Fixes: 60f1d5e3bac44 ("ftrace: Support full glob matching") +Reviewed-by: Masami Hiramatsu +Reported-by: Al Viro +Suggsted-by: Al Viro +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_filter.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -400,7 +400,6 @@ enum regex_type filter_parse_regex(char + for (i = 0; i < len; i++) { + if (buff[i] == '*') { + if (!i) { +- *search = buff + 1; + type = MATCH_END_ONLY; + } else if (i == len - 1) { + if (type == MATCH_END_ONLY) +@@ -410,14 +409,14 @@ enum regex_type filter_parse_regex(char + buff[i] = 0; + break; + } else { /* pattern continues, use full glob */ +- type = MATCH_GLOB; +- break; ++ return MATCH_GLOB; + } + } else if (strchr("[?\\", buff[i])) { +- type = MATCH_GLOB; +- break; ++ return MATCH_GLOB; + } + } ++ if (buff[0] == '*') ++ *search = buff + 1; + + return type; + } diff --git a/queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch b/queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch new file mode 100644 index 00000000000..37fcae1854b --- /dev/null +++ b/queue-4.15/video-fbdev-atmel_lcdfb-fix-display-timings-lookup.patch @@ -0,0 +1,57 @@ +From 9cb18db0701f6b74f0c45c23ad767b3ebebe37f6 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 29 Dec 2017 19:48:43 +0100 +Subject: video: fbdev: atmel_lcdfb: fix display-timings lookup + +From: Johan Hovold + +commit 9cb18db0701f6b74f0c45c23ad767b3ebebe37f6 upstream. + +Fix child-node lookup during probe, which ended up searching the whole +device tree depth-first starting at the parent rather than just matching +on its children. + +To make things worse, the parent display node was also prematurely +freed. + +Note that the display and timings node references are never put after a +successful dt-initialisation so the nodes would leak on later probe +deferrals and on driver unbind. + +Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") +Cc: stable # 3.13 +Cc: Jean-Christophe PLAGNIOL-VILLARD +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Signed-off-by: Johan Hovold +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/atmel_lcdfb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/atmel_lcdfb.c ++++ b/drivers/video/fbdev/atmel_lcdfb.c +@@ -1119,7 +1119,7 @@ static int atmel_lcdfb_of_init(struct at + goto put_display_node; + } + +- timings_np = of_find_node_by_name(display_np, "display-timings"); ++ timings_np = of_get_child_by_name(display_np, "display-timings"); + if (!timings_np) { + dev_err(dev, "failed to find display-timings node\n"); + ret = -ENODEV; +@@ -1140,6 +1140,12 @@ static int atmel_lcdfb_of_init(struct at + fb_add_videomode(&fb_vm, &info->modelist); + } + ++ /* ++ * FIXME: Make sure we are not referencing any fields in display_np ++ * and timings_np and drop our references to them before returning to ++ * avoid leaking the nodes on probe deferral and driver unbind. ++ */ ++ + return 0; + + put_timings_node: diff --git a/queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch b/queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch new file mode 100644 index 00000000000..f3eae60a854 --- /dev/null +++ b/queue-4.15/x86-smpboot-fix-uncore_pci_remove-indexing-bug-when-hot-removing-a-physical-cpu.patch @@ -0,0 +1,113 @@ +From 295cc7eb314eb3321fb6d67ca6f7305f5c50d10f Mon Sep 17 00:00:00 2001 +From: Masayoshi Mizuma +Date: Thu, 8 Feb 2018 09:19:08 -0500 +Subject: x86/smpboot: Fix uncore_pci_remove() indexing bug when hot-removing a physical CPU + +From: Masayoshi Mizuma + +commit 295cc7eb314eb3321fb6d67ca6f7305f5c50d10f upstream. + +When a physical CPU is hot-removed, the following warning messages +are shown while the uncore device is removed in uncore_pci_remove(): + + WARNING: CPU: 120 PID: 5 at arch/x86/events/intel/uncore.c:988 + uncore_pci_remove+0xf1/0x110 + ... + CPU: 120 PID: 5 Comm: kworker/u1024:0 Not tainted 4.15.0-rc8 #1 + Workqueue: kacpi_hotplug acpi_hotplug_work_fn + ... + Call Trace: + pci_device_remove+0x36/0xb0 + device_release_driver_internal+0x145/0x210 + pci_stop_bus_device+0x76/0xa0 + pci_stop_root_bus+0x44/0x60 + acpi_pci_root_remove+0x1f/0x80 + acpi_bus_trim+0x54/0x90 + acpi_bus_trim+0x2e/0x90 + acpi_device_hotplug+0x2bc/0x4b0 + acpi_hotplug_work_fn+0x1a/0x30 + process_one_work+0x141/0x340 + worker_thread+0x47/0x3e0 + kthread+0xf5/0x130 + +When uncore_pci_remove() runs, it tries to get the package ID to +clear the value of uncore_extra_pci_dev[].dev[] by using +topology_phys_to_logical_pkg(). The warning messesages are +shown because topology_phys_to_logical_pkg() returns -1. + + arch/x86/events/intel/uncore.c: + static void uncore_pci_remove(struct pci_dev *pdev) + { + ... + phys_id = uncore_pcibus_to_physid(pdev->bus); + ... + pkg = topology_phys_to_logical_pkg(phys_id); // returns -1 + for (i = 0; i < UNCORE_EXTRA_PCI_DEV_MAX; i++) { + if (uncore_extra_pci_dev[pkg].dev[i] == pdev) { + uncore_extra_pci_dev[pkg].dev[i] = NULL; + break; + } + } + WARN_ON_ONCE(i >= UNCORE_EXTRA_PCI_DEV_MAX); // <=========== HERE!! + +topology_phys_to_logical_pkg() tries to find +cpuinfo_x86->phys_proc_id that matches the phys_pkg argument. + + arch/x86/kernel/smpboot.c: + int topology_phys_to_logical_pkg(unsigned int phys_pkg) + { + int cpu; + + for_each_possible_cpu(cpu) { + struct cpuinfo_x86 *c = &cpu_data(cpu); + + if (c->initialized && c->phys_proc_id == phys_pkg) + return c->logical_proc_id; + } + return -1; + } + +However, the phys_proc_id was already set to 0 by remove_siblinginfo() +when the CPU was offlined. + +So, topology_phys_to_logical_pkg() cannot find the correct +logical_proc_id and always returns -1. + +As the result, uncore_pci_remove() calls WARN_ON_ONCE() and the warning +messages are shown. + +What is worse is that the bogus 'pkg' index results in two bugs: + + - We dereference uncore_extra_pci_dev[] with a negative index + - We fail to clean up a stale pointer in uncore_extra_pci_dev[][] + +To fix these bugs, remove the clearing of ->phys_proc_id from remove_siblinginfo(). + +This should not cause any problems, because ->phys_proc_id is not +used after it is hot-removed and it is re-set while hot-adding. + +Signed-off-by: Masayoshi Mizuma +Acked-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: yasu.isimatu@gmail.com +Cc: +Fixes: 30bb9811856f ("x86/topology: Avoid wasting 128k for package id array") +Link: http://lkml.kernel.org/r/ed738d54-0f01-b38b-b794-c31dc118c207@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/smpboot.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1431,7 +1431,6 @@ static void remove_siblinginfo(int cpu) + cpumask_clear(cpu_llc_shared_mask(cpu)); + cpumask_clear(topology_sibling_cpumask(cpu)); + cpumask_clear(topology_core_cpumask(cpu)); +- c->phys_proc_id = 0; + c->cpu_core_id = 0; + cpumask_clear_cpu(cpu, cpu_sibling_setup_mask); + recompute_smt_state(); diff --git a/queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch b/queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch new file mode 100644 index 00000000000..ed42b832317 --- /dev/null +++ b/queue-4.15/xen-fix-set-clear-_foreign_p2m_mapping-on-autotranslating-guests.patch @@ -0,0 +1,46 @@ +From 781198f1f373c3e350dbeb3af04a7d4c81c1b8d7 Mon Sep 17 00:00:00 2001 +From: Simon Gaiser +Date: Wed, 7 Feb 2018 21:47:40 +0100 +Subject: xen: Fix {set,clear}_foreign_p2m_mapping on autotranslating guests + +From: Simon Gaiser + +commit 781198f1f373c3e350dbeb3af04a7d4c81c1b8d7 upstream. + +Commit 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths") +removed the check for autotranslation from {set,clear}_foreign_p2m_mapping +but those are called by grant-table.c also on PVH/HVM guests. + +Cc: # 4.14 +Fixes: 82616f9599a7 ("xen: remove tests for pvh mode in pure pv paths") +Signed-off-by: Simon Gaiser +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/p2m.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -694,6 +694,9 @@ int set_foreign_p2m_mapping(struct gntta + int i, ret = 0; + pte_t *pte; + ++ if (xen_feature(XENFEAT_auto_translated_physmap)) ++ return 0; ++ + if (kmap_ops) { + ret = HYPERVISOR_grant_table_op(GNTTABOP_map_grant_ref, + kmap_ops, count); +@@ -736,6 +739,9 @@ int clear_foreign_p2m_mapping(struct gnt + { + int i, ret = 0; + ++ if (xen_feature(XENFEAT_auto_translated_physmap)) ++ return 0; ++ + for (i = 0; i < count; i++) { + unsigned long mfn = __pfn_to_mfn(page_to_pfn(pages[i])); + unsigned long pfn = page_to_pfn(pages[i]); diff --git a/queue-4.15/xenbus-track-caller-request-id.patch b/queue-4.15/xenbus-track-caller-request-id.patch new file mode 100644 index 00000000000..7f55319768e --- /dev/null +++ b/queue-4.15/xenbus-track-caller-request-id.patch @@ -0,0 +1,95 @@ +From 29fee6eed2811ff1089b30fc579a2d19d78016ab Mon Sep 17 00:00:00 2001 +From: Joao Martins +Date: Fri, 2 Feb 2018 17:42:33 +0000 +Subject: xenbus: track caller request id + +From: Joao Martins + +commit 29fee6eed2811ff1089b30fc579a2d19d78016ab upstream. + +Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple concurrent +xenstore accesses") optimized xenbus concurrent accesses but in doing so +broke UABI of /dev/xen/xenbus. Through /dev/xen/xenbus applications are in +charge of xenbus message exchange with the correct header and body. Now, +after the mentioned commit the replies received by application will no +longer have the header req_id echoed back as it was on request (see +specification below for reference), because that particular field is being +overwritten by kernel. + +struct xsd_sockmsg +{ + uint32_t type; /* XS_??? */ + uint32_t req_id;/* Request identifier, echoed in daemon's response. */ + uint32_t tx_id; /* Transaction id (0 if not related to a transaction). */ + uint32_t len; /* Length of data following this. */ + + /* Generally followed by nul-terminated string(s). */ +}; + +Before there was only one request at a time so req_id could simply be +forwarded back and forth. To allow simultaneous requests we need a +different req_id for each message thus kernel keeps a monotonic increasing +counter for this field and is written on every request irrespective of +userspace value. + +Forwarding again the req_id on userspace requests is not a solution because +we would open the possibility of userspace-generated req_id colliding with +kernel ones. So this patch instead takes another route which is to +artificially keep user req_id while keeping the xenbus logic as is. We do +that by saving the original req_id before xs_send(), use the private kernel +counter as req_id and then once reply comes and was validated, we restore +back the original req_id. + +Cc: # 4.11 +Fixes: fd8aa9095a ("xen: optimize xenbus driver for multiple concurrent xenstore accesses") +Reported-by: Bhavesh Davda +Signed-off-by: Joao Martins +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus.h | 1 + + drivers/xen/xenbus/xenbus_comms.c | 1 + + drivers/xen/xenbus/xenbus_xs.c | 3 +++ + 3 files changed, 5 insertions(+) + +--- a/drivers/xen/xenbus/xenbus.h ++++ b/drivers/xen/xenbus/xenbus.h +@@ -76,6 +76,7 @@ struct xb_req_data { + struct list_head list; + wait_queue_head_t wq; + struct xsd_sockmsg msg; ++ uint32_t caller_req_id; + enum xsd_sockmsg_type type; + char *body; + const struct kvec *vec; +--- a/drivers/xen/xenbus/xenbus_comms.c ++++ b/drivers/xen/xenbus/xenbus_comms.c +@@ -309,6 +309,7 @@ static int process_msg(void) + goto out; + + if (req->state == xb_req_state_wait_reply) { ++ req->msg.req_id = req->caller_req_id; + req->msg.type = state.msg.type; + req->msg.len = state.msg.len; + req->body = state.body; +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -227,6 +227,8 @@ static void xs_send(struct xb_req_data * + req->state = xb_req_state_queued; + init_waitqueue_head(&req->wq); + ++ /* Save the caller req_id and restore it later in the reply */ ++ req->caller_req_id = req->msg.req_id; + req->msg.req_id = xs_request_enter(req); + + mutex_lock(&xb_write_mutex); +@@ -310,6 +312,7 @@ static void *xs_talkv(struct xenbus_tran + req->num_vecs = num_vecs; + req->cb = xs_wake_up; + ++ msg.req_id = 0; + msg.tx_id = t.id; + msg.type = type; + msg.len = 0; -- 2.47.3