linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.4 00/46] 4.4.73-stable review
@ 2017-06-15 17:52 Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 01/46] s390/vmem: fix identity mapping Greg Kroah-Hartman
                   ` (44 more replies)
  0 siblings, 45 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuahkh, patches,
	ben.hutchings, stable

This is the start of the stable review cycle for the 4.4.73 release.
There are 46 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Sat Jun 17 17:51:59 UTC 2017.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.73-rc1.gz
or in the git tree and branch at:
  git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.73-rc1

Dan Carpenter <dan.carpenter@oracle.com>
    sparc64: make string buffers large enough

Christian Borntraeger <borntraeger@de.ibm.com>
    s390/kvm: do not rely on the ILC on kvm host protection fauls

Max Filippov <jcmvbkbc@gmail.com>
    xtensa: don't use linux IRQ #0

Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
    tipc: ignore requests when the connection state is not CONNECTED

Eric Dumazet <edumazet@google.com>
    proc: add a schedule point in proc_pid_readdir()

Coly Li <colyli@suse.de>
    romfs: use different way to generate fsid for BLOCK or MTD

Xin Long <lucien.xin@gmail.com>
    sctp: sctp_addr_id2transport should verify the addr before looking up assoc

hayeswang <hayeswang@realtek.com>
    r8152: avoid start_xmit to schedule napi when napi is disabled

hayeswang <hayeswang@realtek.com>
    r8152: fix rtl8152_post_reset function

hayeswang <hayeswang@realtek.com>
    r8152: re-schedule napi for tx

Chuck Lever <chuck.lever@oracle.com>
    nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"

Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
    ravb: unmap descriptors when freeing rings

Y.C. Chen <yc_chen@aspeedtech.com>
    drm/ast: Fixed system hanged if disable P2A

Lyude Paul <lyude@redhat.com>
    drm/nouveau: Don't enabling polling twice on runtime resume

Helge Deller <deller@gmx.de>
    parisc, parport_gsc: Fixes for printk continuation lines

Alexey Khoroshilov <khoroshilov@ispras.ru>
    net: adaptec: starfire: add checks for dma mapping errors

Jisheng Zhang <jszhang@marvell.com>
    pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES

Arseny Solokha <asolokha@kb.kras.ru>
    gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page

Jack Morgenstein <jackm@dev.mellanox.co.il>
    net/mlx4_core: Avoid command timeouts during VF driver device shutdown

Ben Skeggs <bskeggs@redhat.com>
    drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers

Ben Skeggs <bskeggs@redhat.com>
    drm/nouveau: prevent userspace from deleting client object

Dimitris Michailidis <dmichail@google.com>
    ipv6: fix flow labels when the traffic class is non-0

David Howells <dhowells@redhat.com>
    FS-Cache: Initialise stores_lock in netfs cookie

David Howells <dhowells@redhat.com>
    fscache: Clear outstanding writes when disabling a cookie

David Howells <dhowells@redhat.com>
    fscache: Fix dead object requeue

Stanislaw Gruszka <sgruszka@redhat.com>
    ethtool: do not vzalloc(0) on registers dump

Ard Biesheuvel <ard.biesheuvel@linaro.org>
    log2: make order_base_2() behave correctly on const input value zero

Peter Zijlstra <peterz@infradead.org>
    kasan: respect /proc/sys/kernel/traceoff_on_warning

David Lin <dtwlin@google.com>
    jump label: pass kbuild_cflags when checking for asm goto support

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    PM / runtime: Avoid false-positive warnings from might_sleep_if()

Linus Lüssing <linus.luessing@c0d3.blue>
    ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches

Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
    i2c: piix4: Fix request_region size

Stefan Brüns <stefan.bruens@rwth-aachen.de>
    sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications

Stefan Brüns <stefan.bruens@rwth-aachen.de>
    sierra_net: Skip validating irrelevant fields for IDLE LSIs

Kejian Yan <yankejian@huawei.com>
    net: hns: Fix the device being used for dma mapping during TX

Ralf Baechle <ralf@linux-mips.org>
    NET: mkiss: Fix panic

Ralf Baechle <ralf@linux-mips.org>
    NET: Fix /proc/net/arp for AX.25

Jonathan T. Leighton <jtleight@udel.edu>
    ipv6: Inhibit IPv4-mapped src address on the wire.

Jonathan T. Leighton <jtleight@udel.edu>
    ipv6: Handle IPv4-mapped src to in6addr_any dst.

Anssi Hannula <anssi.hannula@bitwise.fi>
    net: xilinx_emaclite: fix receive buffer overflow

Anssi Hannula <anssi.hannula@bitwise.fi>
    net: xilinx_emaclite: fix freezes due to unordered I/O

Sachin Prabhu <sprabhu@redhat.com>
    Call echo service immediately after socket reconnect

Malcolm Priestley <tvboxspy@gmail.com>
    staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.

Fabio Estevam <fabio.estevam@nxp.com>
    ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation

Richard <richard@aaazen.com>
    partitions/msdos: FreeBSD UFS2 file systems are not recognized

Heiko Carstens <heiko.carstens@de.ibm.com>
    s390/vmem: fix identity mapping


-------------

Diffstat:

 Makefile                                           |   6 +-
 arch/arm/boot/dts/imx6dl.dtsi                      |   2 +-
 arch/s390/kernel/entry.S                           |  19 ++-
 arch/s390/mm/vmem.c                                |   2 +-
 arch/sparc/kernel/traps_64.c                       |   4 +-
 arch/xtensa/include/asm/irq.h                      |   3 +-
 arch/xtensa/kernel/irq.c                           |   5 -
 .../platforms/xtfpga/include/platform/hardware.h   |   6 +-
 arch/xtensa/platforms/xtfpga/setup.c               |  10 +-
 block/partitions/msdos.c                           |   2 +
 drivers/base/power/runtime.c                       |  11 +-
 drivers/gpu/drm/ast/ast_drv.h                      |   1 +
 drivers/gpu/drm/ast/ast_main.c                     | 157 +++++++++++----------
 drivers/gpu/drm/ast/ast_post.c                     |  18 ++-
 drivers/gpu/drm/nouveau/nouveau_display.c          |   3 +-
 drivers/gpu/drm/nouveau/nouveau_drm.c              |   5 +-
 drivers/gpu/drm/nouveau/nouveau_fence.h            |   1 +
 drivers/gpu/drm/nouveau/nouveau_usif.c             |   3 +-
 drivers/gpu/drm/nouveau/nv84_fence.c               |   6 +
 drivers/i2c/busses/i2c-piix4.c                     |   2 +-
 drivers/irqchip/irq-xtensa-mx.c                    |   2 +-
 drivers/irqchip/irq-xtensa-pic.c                   |   2 +-
 drivers/net/ethernet/adaptec/starfire.c            |  45 +++++-
 drivers/net/ethernet/freescale/gianfar.c           |   4 +-
 drivers/net/ethernet/hisilicon/hns/hns_enet.c      |   2 +-
 drivers/net/ethernet/mellanox/mlx4/catas.c         |   2 +-
 drivers/net/ethernet/mellanox/mlx4/intf.c          |  12 ++
 drivers/net/ethernet/mellanox/mlx4/mlx4.h          |   1 +
 drivers/net/ethernet/renesas/ravb_main.c           | 112 ++++++++-------
 drivers/net/ethernet/xilinx/xilinx_emaclite.c      | 126 +++++++++--------
 drivers/net/hamradio/mkiss.c                       |   4 +-
 drivers/net/usb/r8152.c                            |  13 +-
 drivers/net/usb/sierra_net.c                       | 111 +++++++++------
 drivers/parport/parport_gsc.c                      |   8 +-
 drivers/pinctrl/berlin/berlin-bg4ct.c              |   2 +-
 drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c     |  13 +-
 fs/cifs/connect.c                                  |  24 +++-
 fs/fscache/cookie.c                                |   5 +
 fs/fscache/netfs.c                                 |   1 +
 fs/fscache/object.c                                |  32 ++++-
 fs/nfs/nfs4state.c                                 |   1 +
 fs/proc/base.c                                     |   2 +
 fs/romfs/super.c                                   |  23 ++-
 include/linux/fscache-cache.h                      |   1 +
 include/linux/log2.h                               |  13 +-
 include/net/ipv6.h                                 |   5 +
 mm/kasan/report.c                                  |   3 +
 net/core/ethtool.c                                 |   9 +-
 net/ipv4/arp.c                                     |  12 +-
 net/ipv6/addrconf.c                                |  10 +-
 net/ipv6/datagram.c                                |  14 +-
 net/ipv6/ip6_output.c                              |   3 +
 net/ipv6/tcp_ipv6.c                                |  11 +-
 net/ipv6/udp.c                                     |   4 +
 net/sctp/socket.c                                  |   6 +-
 net/tipc/server.c                                  |  13 +-
 56 files changed, 601 insertions(+), 316 deletions(-)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 01/46] s390/vmem: fix identity mapping
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 02/46] partitions/msdos: FreeBSD UFS2 file systems are not recognized Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiko Carstens, Martin Schwidefsky,
	Jean Delvare

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Heiko Carstens <heiko.carstens@de.ibm.com>

commit c34a69059d7876e0793eb410deedfb08ccb22b02 upstream.

The identity mapping is suboptimal for the last 2GB frame. The mapping
will be established with a mix of 4KB and 1MB mappings instead of a
single 2GB mapping.

This happens because of a off-by-one bug introduced with
commit 50be63450728 ("s390/mm: Convert bootmem to memblock").

Currently the identity mapping looks like this:

0x0000000080000000-0x0000000180000000        4G PUD RW
0x0000000180000000-0x00000001fff00000     2047M PMD RW
0x00000001fff00000-0x0000000200000000        1M PTE RW

With the bug fixed it looks like this:

0x0000000080000000-0x0000000200000000        6G PUD RW

Fixes: 50be63450728 ("s390/mm: Convert bootmem to memblock")
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/mm/vmem.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/s390/mm/vmem.c
+++ b/arch/s390/mm/vmem.c
@@ -372,7 +372,7 @@ void __init vmem_map_init(void)
 	ro_end = (unsigned long)&_eshared & PAGE_MASK;
 	for_each_memblock(memory, reg) {
 		start = reg->base;
-		end = reg->base + reg->size - 1;
+		end = reg->base + reg->size;
 		if (start >= ro_end || end <= ro_start)
 			vmem_add_mem(start, end - start, 0);
 		else if (start >= ro_start && end <= ro_end)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 02/46] partitions/msdos: FreeBSD UFS2 file systems are not recognized
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 01/46] s390/vmem: fix identity mapping Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 03/46] ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Richard Narron, Christoph Hellwig,
	Jens Axboe

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Richard <richard@aaazen.com>

commit 223220356d5ebc05ead9a8d697abb0c0a906fc81 upstream.

The code in block/partitions/msdos.c recognizes FreeBSD, OpenBSD
and NetBSD partitions and does a reasonable job picking out OpenBSD
and NetBSD UFS subpartitions.

But for FreeBSD the subpartitions are always "bad".

    Kernel: <bsd:bad subpartition - ignored

Though all 3 of these BSD systems use UFS as a file system, only
FreeBSD uses relative start addresses in the subpartition
declarations.

The following patch fixes this for FreeBSD partitions and leaves
the code for OpenBSD and NetBSD intact:

Signed-off-by: Richard Narron <comet.berkeley@gmail.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 block/partitions/msdos.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/block/partitions/msdos.c
+++ b/block/partitions/msdos.c
@@ -300,6 +300,8 @@ static void parse_bsd(struct parsed_part
 			continue;
 		bsd_start = le32_to_cpu(p->p_offset);
 		bsd_size = le32_to_cpu(p->p_size);
+		if (memcmp(flavour, "bsd\0", 4) == 0)
+			bsd_start += offset;
 		if (offset == bsd_start && size == bsd_size)
 			/* full parent partition, we have it already */
 			continue;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 03/46] ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 01/46] s390/vmem: fix identity mapping Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 02/46] partitions/msdos: FreeBSD UFS2 file systems are not recognized Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 04/46] staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Shawn Guo, Stephane Fillod

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Fabio Estevam <fabio.estevam@nxp.com>

commit 46350b71a09ccf3573649e03db55d4b61d5da231 upstream.

Table 8 from MX6DL datasheet (IMX6SDLCEC Rev. 5, 06/2015):
http://cache.nxp.com/files/32bit/doc/data_sheet/IMX6SDLCEC.pdf

states the following:

"LDO Output Set Point (VDD_ARM_CAP) = 1.125 V minimum for operation
up to 396 MHz."

So fix the entry by adding the 25mV margin value as done in the other
entries of the table, which results in 1.15V for 396MHz operation.

Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Cc: Stephane Fillod <f8cfe@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/imx6dl.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6dl.dtsi
+++ b/arch/arm/boot/dts/imx6dl.dtsi
@@ -30,7 +30,7 @@
 				/* kHz    uV */
 				996000  1250000
 				792000  1175000
-				396000  1075000
+				396000  1150000
 			>;
 			fsl,soc-operating-points = <
 				/* ARM kHz  SOC-PU uV */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 04/46] staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 03/46] ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 05/46] Call echo service immediately after socket reconnect Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Malcolm Priestley

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Malcolm Priestley <tvboxspy@gmail.com>

commit baabd567f87be05330faa5140f72a91960e7405a upstream.

The driver attempts to alter memory that is mapped to PCI device.

This is because tx_fwinfo_8190pci points to skb->data

Move the pci_map_single to when completed buffer is ready to be mapped with
psdec is empty to drop on mapping error.

Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
+++ b/drivers/staging/rtl8192e/rtl8192e/r8192E_dev.c
@@ -1185,8 +1185,7 @@ void  rtl92e_fill_tx_desc(struct net_dev
 			  struct cb_desc *cb_desc, struct sk_buff *skb)
 {
 	struct r8192_priv *priv = rtllib_priv(dev);
-	dma_addr_t mapping = pci_map_single(priv->pdev, skb->data, skb->len,
-			 PCI_DMA_TODEVICE);
+	dma_addr_t mapping;
 	struct tx_fwinfo_8190pci *pTxFwInfo = NULL;
 
 	pTxFwInfo = (struct tx_fwinfo_8190pci *)skb->data;
@@ -1197,8 +1196,6 @@ void  rtl92e_fill_tx_desc(struct net_dev
 	pTxFwInfo->Short = _rtl92e_query_is_short(pTxFwInfo->TxHT,
 						  pTxFwInfo->TxRate, cb_desc);
 
-	if (pci_dma_mapping_error(priv->pdev, mapping))
-		netdev_err(dev, "%s(): DMA Mapping error\n", __func__);
 	if (cb_desc->bAMPDUEnable) {
 		pTxFwInfo->AllowAggregation = 1;
 		pTxFwInfo->RxMF = cb_desc->ampdu_factor;
@@ -1233,6 +1230,14 @@ void  rtl92e_fill_tx_desc(struct net_dev
 	}
 
 	memset((u8 *)pdesc, 0, 12);
+
+	mapping = pci_map_single(priv->pdev, skb->data, skb->len,
+				 PCI_DMA_TODEVICE);
+	if (pci_dma_mapping_error(priv->pdev, mapping)) {
+		netdev_err(dev, "%s(): DMA Mapping error\n", __func__);
+		return;
+	}
+
 	pdesc->LINIP = 0;
 	pdesc->CmdInit = 1;
 	pdesc->Offset = sizeof(struct tx_fwinfo_8190pci) + 8;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 05/46] Call echo service immediately after socket reconnect
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 04/46] staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 06/46] net: xilinx_emaclite: fix freezes due to unordered I/O Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sachin Prabhu, Pavel Shilovsky, Steve French

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Sachin Prabhu <sprabhu@redhat.com>

commit b8c600120fc87d53642476f48c8055b38d6e14c7 upstream.

Commit 4fcd1813e640 ("Fix reconnect to not defer smb3 session reconnect
long after socket reconnect") changes the behaviour of the SMB2 echo
service and causes it to renegotiate after a socket reconnect. However
under default settings, the echo service could take up to 120 seconds to
be scheduled.

The patch forces the echo service to be called immediately resulting a
negotiate call being made immediately on reconnect.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/connect.c |   24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -412,6 +412,9 @@ cifs_reconnect(struct TCP_Server_Info *s
 		}
 	} while (server->tcpStatus == CifsNeedReconnect);
 
+	if (server->tcpStatus == CifsNeedNegotiate)
+		mod_delayed_work(cifsiod_wq, &server->echo, 0);
+
 	return rc;
 }
 
@@ -421,18 +424,27 @@ cifs_echo_request(struct work_struct *wo
 	int rc;
 	struct TCP_Server_Info *server = container_of(work,
 					struct TCP_Server_Info, echo.work);
+	unsigned long echo_interval;
+
+	/*
+	 * If we need to renegotiate, set echo interval to zero to
+	 * immediately call echo service where we can renegotiate.
+	 */
+	if (server->tcpStatus == CifsNeedNegotiate)
+		echo_interval = 0;
+	else
+		echo_interval = SMB_ECHO_INTERVAL;
 
 	/*
-	 * We cannot send an echo if it is disabled or until the
-	 * NEGOTIATE_PROTOCOL request is done, which is indicated by
-	 * server->ops->need_neg() == true. Also, no need to ping if
-	 * we got a response recently.
+	 * We cannot send an echo if it is disabled.
+	 * Also, no need to ping if we got a response recently.
 	 */
 
 	if (server->tcpStatus == CifsNeedReconnect ||
-	    server->tcpStatus == CifsExiting || server->tcpStatus == CifsNew ||
+	    server->tcpStatus == CifsExiting ||
+	    server->tcpStatus == CifsNew ||
 	    (server->ops->can_echo && !server->ops->can_echo(server)) ||
-	    time_before(jiffies, server->lstrp + SMB_ECHO_INTERVAL - HZ))
+	    time_before(jiffies, server->lstrp + echo_interval - HZ))
 		goto requeue_echo;
 
 	rc = server->ops->echo ? server->ops->echo(server) : -ENOSYS;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 06/46] net: xilinx_emaclite: fix freezes due to unordered I/O
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 05/46] Call echo service immediately after socket reconnect Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 07/46] net: xilinx_emaclite: fix receive buffer overflow Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anssi Hannula, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>


[ Upstream commit acf138f1b00bdd1b7cd9894562ed0c2a1670888e ]

The xilinx_emaclite uses __raw_writel and __raw_readl for register
accesses. Those functions do not imply any kind of memory barriers and
they may be reordered.

The driver does not seem to take that into account, though, and the
driver does not satisfy the ordering requirements of the hardware.
For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
which try to set MDIO address before initiating the transaction.

I'm seeing system freezes with the driver with GCC 5.4 and current
Linux kernels on Zynq-7000 SoC immediately when trying to use the
interface.

In commit 123c1407af87 ("net: emaclite: Do not use microblaze and ppc
IO functions") the driver was switched from non-generic
in_be32/out_be32 (memory barriers, big endian) to
__raw_readl/__raw_writel (no memory barriers, native endian), so
apparently the device follows system endianness and the driver was
originally written with the assumption of memory barriers.

Rather than try to hunt for each case of missing barrier, just switch
the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
on endianness instead.

Tested on little-endian Zynq-7000 ARM SoC FPGA.

Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: 123c1407af87 ("net: emaclite: Do not use microblaze and ppc IO
functions")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/xilinx/xilinx_emaclite.c |  116 +++++++++++++-------------
 1 file changed, 62 insertions(+), 54 deletions(-)

--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -100,6 +100,14 @@
 /* BUFFER_ALIGN(adr) calculates the number of bytes to the next alignment. */
 #define BUFFER_ALIGN(adr) ((ALIGNMENT - ((u32) adr)) % ALIGNMENT)
 
+#ifdef __BIG_ENDIAN
+#define xemaclite_readl		ioread32be
+#define xemaclite_writel	iowrite32be
+#else
+#define xemaclite_readl		ioread32
+#define xemaclite_writel	iowrite32
+#endif
+
 /**
  * struct net_local - Our private per device data
  * @ndev:		instance of the network device
@@ -158,15 +166,15 @@ static void xemaclite_enable_interrupts(
 	u32 reg_data;
 
 	/* Enable the Tx interrupts for the first Buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_XMIT_IE_MASK,
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Enable the Rx interrupts for the first buffer */
-	__raw_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(XEL_RSR_RECV_IE_MASK, drvdata->base_addr + XEL_RSR_OFFSET);
 
 	/* Enable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 }
 
 /**
@@ -181,17 +189,17 @@ static void xemaclite_disable_interrupts
 	u32 reg_data;
 
 	/* Disable the Global Interrupt Enable */
-	__raw_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
+	xemaclite_writel(XEL_GIER_GIE_MASK, drvdata->base_addr + XEL_GIER_OFFSET);
 
 	/* Disable the Tx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
-		     drvdata->base_addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_TSR_XMIT_IE_MASK),
+			 drvdata->base_addr + XEL_TSR_OFFSET);
 
 	/* Disable the Rx interrupts for the first buffer */
-	reg_data = __raw_readl(drvdata->base_addr + XEL_RSR_OFFSET);
-	__raw_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
-		     drvdata->base_addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(drvdata->base_addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data & (~XEL_RSR_RECV_IE_MASK),
+			 drvdata->base_addr + XEL_RSR_OFFSET);
 }
 
 /**
@@ -323,7 +331,7 @@ static int xemaclite_send_data(struct ne
 		byte_count = ETH_FRAME_LEN;
 
 	/* Check if the expected buffer is available */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 	     XEL_TSR_XMIT_ACTIVE_MASK)) == 0) {
 
@@ -336,7 +344,7 @@ static int xemaclite_send_data(struct ne
 
 		addr = (void __iomem __force *)((u32 __force)addr ^
 						 XEL_BUFFER_OFFSET);
-		reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 
 		if ((reg_data & (XEL_TSR_XMIT_BUSY_MASK |
 		     XEL_TSR_XMIT_ACTIVE_MASK)) != 0)
@@ -347,16 +355,16 @@ static int xemaclite_send_data(struct ne
 	/* Write the frame to the buffer */
 	xemaclite_aligned_write(data, (u32 __force *) addr, byte_count);
 
-	__raw_writel((byte_count & XEL_TPLR_LENGTH_MASK),
-		     addr + XEL_TPLR_OFFSET);
+	xemaclite_writel((byte_count & XEL_TPLR_LENGTH_MASK),
+			 addr + XEL_TPLR_OFFSET);
 
 	/* Update the Tx Status Register to indicate that there is a
 	 * frame to send. Set the XEL_TSR_XMIT_ACTIVE_MASK flag which
 	 * is used by the interrupt handler to check whether a frame
 	 * has been transmitted */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
 	reg_data |= (XEL_TSR_XMIT_BUSY_MASK | XEL_TSR_XMIT_ACTIVE_MASK);
-	__raw_writel(reg_data, addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_TSR_OFFSET);
 
 	return 0;
 }
@@ -381,7 +389,7 @@ static u16 xemaclite_recv_data(struct ne
 	addr = (drvdata->base_addr + drvdata->next_rx_buf_to_use);
 
 	/* Verify which buffer has valid data */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 
 	if ((reg_data & XEL_RSR_RECV_DONE_MASK) == XEL_RSR_RECV_DONE_MASK) {
 		if (drvdata->rx_ping_pong != 0)
@@ -398,14 +406,14 @@ static u16 xemaclite_recv_data(struct ne
 			return 0;	/* No data was available */
 
 		/* Verify that buffer has valid data */
-		reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+		reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 		if ((reg_data & XEL_RSR_RECV_DONE_MASK) !=
 		     XEL_RSR_RECV_DONE_MASK)
 			return 0;	/* No data was available */
 	}
 
 	/* Get the protocol type of the ethernet frame that arrived */
-	proto_type = ((ntohl(__raw_readl(addr + XEL_HEADER_OFFSET +
+	proto_type = ((ntohl(xemaclite_readl(addr + XEL_HEADER_OFFSET +
 			XEL_RXBUFF_OFFSET)) >> XEL_HEADER_SHIFT) &
 			XEL_RPLR_LENGTH_MASK);
 
@@ -414,7 +422,7 @@ static u16 xemaclite_recv_data(struct ne
 	if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) {
 
 		if (proto_type == ETH_P_IP) {
-			length = ((ntohl(__raw_readl(addr +
+			length = ((ntohl(xemaclite_readl(addr +
 					XEL_HEADER_IP_LENGTH_OFFSET +
 					XEL_RXBUFF_OFFSET)) >>
 					XEL_HEADER_SHIFT) &
@@ -436,9 +444,9 @@ static u16 xemaclite_recv_data(struct ne
 				data, length);
 
 	/* Acknowledge the frame */
-	reg_data = __raw_readl(addr + XEL_RSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_RSR_OFFSET);
 	reg_data &= ~XEL_RSR_RECV_DONE_MASK;
-	__raw_writel(reg_data, addr + XEL_RSR_OFFSET);
+	xemaclite_writel(reg_data, addr + XEL_RSR_OFFSET);
 
 	return length;
 }
@@ -465,14 +473,14 @@ static void xemaclite_update_address(str
 
 	xemaclite_aligned_write(address_ptr, (u32 __force *) addr, ETH_ALEN);
 
-	__raw_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
+	xemaclite_writel(ETH_ALEN, addr + XEL_TPLR_OFFSET);
 
 	/* Update the MAC address in the EmacLite */
-	reg_data = __raw_readl(addr + XEL_TSR_OFFSET);
-	__raw_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
+	reg_data = xemaclite_readl(addr + XEL_TSR_OFFSET);
+	xemaclite_writel(reg_data | XEL_TSR_PROG_MAC_ADDR, addr + XEL_TSR_OFFSET);
 
 	/* Wait for EmacLite to finish with the MAC address update */
-	while ((__raw_readl(addr + XEL_TSR_OFFSET) &
+	while ((xemaclite_readl(addr + XEL_TSR_OFFSET) &
 		XEL_TSR_PROG_MAC_ADDR) != 0)
 		;
 }
@@ -642,32 +650,32 @@ static irqreturn_t xemaclite_interrupt(i
 	u32 tx_status;
 
 	/* Check if there is Rx Data available */
-	if ((__raw_readl(base_addr + XEL_RSR_OFFSET) &
+	if ((xemaclite_readl(base_addr + XEL_RSR_OFFSET) &
 			 XEL_RSR_RECV_DONE_MASK) ||
-	    (__raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
+	    (xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_RSR_OFFSET)
 			 & XEL_RSR_RECV_DONE_MASK))
 
 		xemaclite_rx_handler(dev);
 
 	/* Check if the Transmission for the first buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
 
 	/* Check if the Transmission for the second buffer is completed */
-	tx_status = __raw_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	tx_status = xemaclite_readl(base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 	if (((tx_status & XEL_TSR_XMIT_BUSY_MASK) == 0) &&
 		(tx_status & XEL_TSR_XMIT_ACTIVE_MASK) != 0) {
 
 		tx_status &= ~XEL_TSR_XMIT_ACTIVE_MASK;
-		__raw_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
-			     XEL_TSR_OFFSET);
+		xemaclite_writel(tx_status, base_addr + XEL_BUFFER_OFFSET +
+				 XEL_TSR_OFFSET);
 
 		tx_complete = true;
 	}
@@ -700,7 +708,7 @@ static int xemaclite_mdio_wait(struct ne
 	/* wait for the MDIO interface to not be busy or timeout
 	   after some time.
 	*/
-	while (__raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
+	while (xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET) &
 			XEL_MDIOCTRL_MDIOSTS_MASK) {
 		if (time_before_eq(end, jiffies)) {
 			WARN_ON(1);
@@ -736,17 +744,17 @@ static int xemaclite_mdio_read(struct mi
 	 * MDIO Address register. Set the Status bit in the MDIO Control
 	 * register to start a MDIO read transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(XEL_MDIOADDR_OP_MASK |
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOADDR_OP_MASK |
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	if (xemaclite_mdio_wait(lp))
 		return -ETIMEDOUT;
 
-	rc = __raw_readl(lp->base_addr + XEL_MDIORD_OFFSET);
+	rc = xemaclite_readl(lp->base_addr + XEL_MDIORD_OFFSET);
 
 	dev_dbg(&lp->ndev->dev,
 		"xemaclite_mdio_read(phy_id=%i, reg=%x) == %x\n",
@@ -783,13 +791,13 @@ static int xemaclite_mdio_write(struct m
 	 * Data register. Finally, set the Status bit in the MDIO Control
 	 * register to start a MDIO write transaction.
 	 */
-	ctrl_reg = __raw_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
-	__raw_writel(~XEL_MDIOADDR_OP_MASK &
-		     ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
-		     lp->base_addr + XEL_MDIOADDR_OFFSET);
-	__raw_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
-	__raw_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	ctrl_reg = xemaclite_readl(lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(~XEL_MDIOADDR_OP_MASK &
+			 ((phy_id << XEL_MDIOADDR_PHYADR_SHIFT) | reg),
+			 lp->base_addr + XEL_MDIOADDR_OFFSET);
+	xemaclite_writel(val, lp->base_addr + XEL_MDIOWR_OFFSET);
+	xemaclite_writel(ctrl_reg | XEL_MDIOCTRL_MDIOSTS_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	return 0;
 }
@@ -836,8 +844,8 @@ static int xemaclite_mdio_setup(struct n
 	/* Enable the MDIO bus by asserting the enable bit in MDIO Control
 	 * register.
 	 */
-	__raw_writel(XEL_MDIOCTRL_MDIOEN_MASK,
-		     lp->base_addr + XEL_MDIOCTRL_OFFSET);
+	xemaclite_writel(XEL_MDIOCTRL_MDIOEN_MASK,
+			 lp->base_addr + XEL_MDIOCTRL_OFFSET);
 
 	bus = mdiobus_alloc();
 	if (!bus) {
@@ -1141,8 +1149,8 @@ static int xemaclite_of_probe(struct pla
 		dev_warn(dev, "No MAC address found\n");
 
 	/* Clear the Tx CSR's in case this is a restart */
-	__raw_writel(0, lp->base_addr + XEL_TSR_OFFSET);
-	__raw_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_TSR_OFFSET);
+	xemaclite_writel(0, lp->base_addr + XEL_BUFFER_OFFSET + XEL_TSR_OFFSET);
 
 	/* Set the MAC address in the EmacLite device */
 	xemaclite_update_address(lp, ndev->dev_addr);

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 07/46] net: xilinx_emaclite: fix receive buffer overflow
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 06/46] net: xilinx_emaclite: fix freezes due to unordered I/O Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 08/46] ipv6: Handle IPv4-mapped src to in6addr_any dst Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anssi Hannula, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Anssi Hannula <anssi.hannula@bitwise.fi>


[ Upstream commit cd224553641848dd17800fe559e4ff5d208553e8 ]

xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.

Fix those cases.

Also add an additional unconditional check with WARN_ON() at the end.

Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/xilinx/xilinx_emaclite.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c
+++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c
@@ -379,7 +379,7 @@ static int xemaclite_send_data(struct ne
  *
  * Return:	Total number of bytes received
  */
-static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data)
+static u16 xemaclite_recv_data(struct net_local *drvdata, u8 *data, int maxlen)
 {
 	void __iomem *addr;
 	u16 length, proto_type;
@@ -419,7 +419,7 @@ static u16 xemaclite_recv_data(struct ne
 
 	/* Check if received ethernet frame is a raw ethernet frame
 	 * or an IP packet or an ARP packet */
-	if (proto_type > (ETH_FRAME_LEN + ETH_FCS_LEN)) {
+	if (proto_type > ETH_DATA_LEN) {
 
 		if (proto_type == ETH_P_IP) {
 			length = ((ntohl(xemaclite_readl(addr +
@@ -427,6 +427,7 @@ static u16 xemaclite_recv_data(struct ne
 					XEL_RXBUFF_OFFSET)) >>
 					XEL_HEADER_SHIFT) &
 					XEL_RPLR_LENGTH_MASK);
+			length = min_t(u16, length, ETH_DATA_LEN);
 			length += ETH_HLEN + ETH_FCS_LEN;
 
 		} else if (proto_type == ETH_P_ARP)
@@ -439,6 +440,9 @@ static u16 xemaclite_recv_data(struct ne
 		/* Use the length in the frame, plus the header and trailer */
 		length = proto_type + ETH_HLEN + ETH_FCS_LEN;
 
+	if (WARN_ON(length > maxlen))
+		length = maxlen;
+
 	/* Read from the EmacLite device */
 	xemaclite_aligned_read((u32 __force *) (addr + XEL_RXBUFF_OFFSET),
 				data, length);
@@ -613,7 +617,7 @@ static void xemaclite_rx_handler(struct
 
 	skb_reserve(skb, 2);
 
-	len = xemaclite_recv_data(lp, (u8 *) skb->data);
+	len = xemaclite_recv_data(lp, (u8 *) skb->data, len);
 
 	if (!len) {
 		dev->stats.rx_errors++;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 08/46] ipv6: Handle IPv4-mapped src to in6addr_any dst.
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 07/46] net: xilinx_emaclite: fix receive buffer overflow Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan T. Leighton,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Jonathan T. Leighton" <jtleight@udel.edu>


[ Upstream commit 052d2369d1b479cdbbe020fdd6d057d3c342db74 ]

This patch adds a check on the type of the source address for the case
where the destination address is in6addr_any. If the source is an
IPv4-mapped IPv6 source address, the destination is changed to
::ffff:127.0.0.1, and otherwise the destination is changed to ::1. This
is done in three locations to handle UDP calls to either connect() or
sendmsg() and TCP calls to connect(). Note that udpv6_sendmsg() delays
handling an in6addr_any destination until very late, so the patch only
needs to handle the case where the source is an IPv4-mapped IPv6
address.

Signed-off-by: Jonathan T. Leighton <jtleight@udel.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/datagram.c |   14 +++++++++-----
 net/ipv6/tcp_ipv6.c |   11 ++++++++---
 net/ipv6/udp.c      |    4 ++++
 3 files changed, 21 insertions(+), 8 deletions(-)

--- a/net/ipv6/datagram.c
+++ b/net/ipv6/datagram.c
@@ -76,18 +76,22 @@ static int __ip6_datagram_connect(struct
 		}
 	}
 
-	addr_type = ipv6_addr_type(&usin->sin6_addr);
-
-	if (addr_type == IPV6_ADDR_ANY) {
+	if (ipv6_addr_any(&usin->sin6_addr)) {
 		/*
 		 *	connect to self
 		 */
-		usin->sin6_addr.s6_addr[15] = 0x01;
+		if (ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
+			ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
+					       &usin->sin6_addr);
+		else
+			usin->sin6_addr = in6addr_loopback;
 	}
 
+	addr_type = ipv6_addr_type(&usin->sin6_addr);
+
 	daddr = &usin->sin6_addr;
 
-	if (addr_type == IPV6_ADDR_MAPPED) {
+	if (addr_type & IPV6_ADDR_MAPPED) {
 		struct sockaddr_in sin;
 
 		if (__ipv6_only_sock(sk)) {
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -149,8 +149,13 @@ static int tcp_v6_connect(struct sock *s
 	 *	connect() to INADDR_ANY means loopback (BSD'ism).
 	 */
 
-	if (ipv6_addr_any(&usin->sin6_addr))
-		usin->sin6_addr.s6_addr[15] = 0x1;
+	if (ipv6_addr_any(&usin->sin6_addr)) {
+		if (ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr))
+			ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
+					       &usin->sin6_addr);
+		else
+			usin->sin6_addr = in6addr_loopback;
+	}
 
 	addr_type = ipv6_addr_type(&usin->sin6_addr);
 
@@ -189,7 +194,7 @@ static int tcp_v6_connect(struct sock *s
 	 *	TCP over IPv4
 	 */
 
-	if (addr_type == IPV6_ADDR_MAPPED) {
+	if (addr_type & IPV6_ADDR_MAPPED) {
 		u32 exthdrlen = icsk->icsk_ext_hdr_len;
 		struct sockaddr_in sin;
 
--- a/net/ipv6/udp.c
+++ b/net/ipv6/udp.c
@@ -1136,6 +1136,10 @@ int udpv6_sendmsg(struct sock *sk, struc
 			if (addr_len < SIN6_LEN_RFC2133)
 				return -EINVAL;
 			daddr = &sin6->sin6_addr;
+			if (ipv6_addr_any(daddr) &&
+			    ipv6_addr_v4mapped(&np->saddr))
+				ipv6_addr_set_v4mapped(htonl(INADDR_LOOPBACK),
+						       daddr);
 			break;
 		case AF_INET:
 			goto do_udp_sendmsg;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire.
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 08/46] ipv6: Handle IPv4-mapped src to in6addr_any dst Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-29 12:13   ` Ben Hutchings
  2017-06-15 17:52 ` [PATCH 4.4 10/46] NET: Fix /proc/net/arp for AX.25 Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  44 siblings, 1 reply; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan T. Leighton,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Jonathan T. Leighton" <jtleight@udel.edu>


[ Upstream commit ec5e3b0a1d41fbda0cc33a45bc9e54e91d9d12c7 ]

This patch adds a check for the problematic case of an IPv4-mapped IPv6
source address and a destination address that is neither an IPv4-mapped
IPv6 address nor in6addr_any, and returns an appropriate error. The
check in done before returning from looking up the route.

Signed-off-by: Jonathan T. Leighton <jtleight@udel.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_output.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -1004,6 +1004,9 @@ static int ip6_dst_lookup_tail(struct ne
 		}
 	}
 #endif
+	if (ipv6_addr_v4mapped(&fl6->saddr) &&
+	    !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr)))
+		return -EAFNOSUPPORT;
 
 	return 0;
 

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 10/46] NET: Fix /proc/net/arp for AX.25
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 11/46] NET: mkiss: Fix panic Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ralf Baechle, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>


[ Upstream commit 4872e57c812dd312bf8193b5933fa60585cda42f ]

When sending ARP requests over AX.25 links the hwaddress in the neighbour
cache are not getting initialized.  For such an incomplete arp entry
ax2asc2 will generate an empty string resulting in /proc/net/arp output
like the following:

$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
192.168.122.1    0x1         0x2         52:54:00:00:5d:5f     *        ens3
172.20.1.99      0x3         0x0              *        bpq0

The missing field will confuse the procfs parsing of arp(8) resulting in
incorrect output for the device such as the following:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
gateway                  ether   52:54:00:00:5d:5f   C                     ens3
172.20.1.99                      (incomplete)                              ens3

This changes the content of /proc/net/arp to:

$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device
172.20.1.99      0x3         0x0         *                     *        bpq0
192.168.122.1    0x1         0x2         52:54:00:00:5d:5f     *        ens3

To do so it change ax2asc to put the string "*" in buf for a NULL address
argument.  Finally the HW address field is left aligned in a 17 character
field (the length of an ethernet HW address in the usual hex notation) for
readability.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/arp.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/ipv4/arp.c
+++ b/net/ipv4/arp.c
@@ -1250,7 +1250,7 @@ void __init arp_init(void)
 /*
  *	ax25 -> ASCII conversion
  */
-static char *ax2asc2(ax25_address *a, char *buf)
+static void ax2asc2(ax25_address *a, char *buf)
 {
 	char c, *s;
 	int n;
@@ -1272,10 +1272,10 @@ static char *ax2asc2(ax25_address *a, ch
 	*s++ = n + '0';
 	*s++ = '\0';
 
-	if (*buf == '\0' || *buf == '-')
-		return "*";
-
-	return buf;
+	if (*buf == '\0' || *buf == '-') {
+		buf[0] = '*';
+		buf[1] = '\0';
+	}
 }
 #endif /* CONFIG_AX25 */
 
@@ -1309,7 +1309,7 @@ static void arp_format_neigh_entry(struc
 	}
 #endif
 	sprintf(tbuf, "%pI4", n->primary_key);
-	seq_printf(seq, "%-16s 0x%-10x0x%-10x%s     *        %s\n",
+	seq_printf(seq, "%-16s 0x%-10x0x%-10x%-17s     *        %s\n",
 		   tbuf, hatype, arp_state_to_flags(n), hbuffer, dev->name);
 	read_unlock(&n->lock);
 }

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 11/46] NET: mkiss: Fix panic
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 10/46] NET: Fix /proc/net/arp for AX.25 Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 12/46] net: hns: Fix the device being used for dma mapping during TX Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Thomas Osterried, Ralf Baechle,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ralf Baechle <ralf@linux-mips.org>


[ Upstream commit 7ba1b689038726d34e3244c1ac9e2e18c2ea4787 ]

If a USB-to-serial adapter is unplugged, the driver re-initializes, with
dev->hard_header_len and dev->addr_len set to zero, instead of the correct
values.  If then a packet is sent through the half-dead interface, the
kernel will panic due to running out of headroom in the skb when pushing
for the AX.25 headers resulting in this panic:

[<c0595468>] (skb_panic) from [<c0401f70>] (skb_push+0x4c/0x50)
[<c0401f70>] (skb_push) from [<bf0bdad4>] (ax25_hard_header+0x34/0xf4 [ax25])
[<bf0bdad4>] (ax25_hard_header [ax25]) from [<bf0d05d4>] (ax_header+0x38/0x40 [mkiss])
[<bf0d05d4>] (ax_header [mkiss]) from [<c041b584>] (neigh_compat_output+0x8c/0xd8)
[<c041b584>] (neigh_compat_output) from [<c043e7a8>] (ip_finish_output+0x2a0/0x914)
[<c043e7a8>] (ip_finish_output) from [<c043f948>] (ip_output+0xd8/0xf0)
[<c043f948>] (ip_output) from [<c043f04c>] (ip_local_out_sk+0x44/0x48)

This patch makes mkiss behave like the 6pack driver. 6pack does not
panic.  In 6pack.c sp_setup() (same function name here) the values for
dev->hard_header_len and dev->addr_len are set to the same values as in
my mkiss patch.

[ralf@linux-mips.org: Massages original submission to conform to the usual
standards for patch submissions.]

Signed-off-by: Thomas Osterried <thomas@osterried.de>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/hamradio/mkiss.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/hamradio/mkiss.c
+++ b/drivers/net/hamradio/mkiss.c
@@ -648,8 +648,8 @@ static void ax_setup(struct net_device *
 {
 	/* Finish setting up the DEVICE info. */
 	dev->mtu             = AX_MTU;
-	dev->hard_header_len = 0;
-	dev->addr_len        = 0;
+	dev->hard_header_len = AX25_MAX_HEADER_LEN;
+	dev->addr_len        = AX25_ADDR_LEN;
 	dev->type            = ARPHRD_AX25;
 	dev->tx_queue_len    = 10;
 	dev->header_ops      = &ax25_header_ops;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 12/46] net: hns: Fix the device being used for dma mapping during TX
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 11/46] NET: mkiss: Fix panic Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 15/46] i2c: piix4: Fix request_region size Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kejian Yan, Yisen Zhuang,
	Salil Mehta, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kejian Yan <yankejian@huawei.com>


[ Upstream commit b85ea006b6bebb692628f11882af41c3e12e1e09 ]

This patch fixes the device being used to DMA map skb->data.
Erroneous device assignment causes the crash when SMMU is enabled.
This happens during TX since buffer gets DMA mapped with device
correspondign to net_device and gets unmapped using the device
related to DSAF.

Signed-off-by: Kejian Yan <yankejian@huawei.com>
Reviewed-by: Yisen Zhuang <yisen.zhuang@huawei.com>
Signed-off-by: Salil Mehta <salil.mehta@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/hisilicon/hns/hns_enet.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
@@ -105,8 +105,8 @@ int hns_nic_net_xmit_hw(struct net_devic
 			struct hns_nic_ring_data *ring_data)
 {
 	struct hns_nic_priv *priv = netdev_priv(ndev);
-	struct device *dev = priv->dev;
 	struct hnae_ring *ring = ring_data->ring;
+	struct device *dev = ring_to_dev(ring);
 	struct netdev_queue *dev_queue;
 	struct skb_frag_struct *frag;
 	int buf_num;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 15/46] i2c: piix4: Fix request_region size
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 12/46] net: hns: Fix the device being used for dma mapping during TX Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 17/46] PM / runtime: Avoid false-positive warnings from might_sleep_if() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ricardo Ribalda Delgado,
	Jean Delvare, Wolfram Sang, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ricardo Ribalda <ricardo.ribalda@gmail.com>


[ Upstream commit f43128c75202f29ee71aa83e6c320a911137c189 ]

Since '701dc207bf55 ("i2c: piix4: Avoid race conditions with IMC")' we
are using the SMBSLVCNT register at offset 0x8. We need to request it.

Fixes: 701dc207bf55 ("i2c: piix4: Avoid race conditions with IMC")
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-piix4.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-piix4.c
+++ b/drivers/i2c/busses/i2c-piix4.c
@@ -54,7 +54,7 @@
 #define SMBSLVDAT	(0xC + piix4_smba)
 
 /* count for request_region */
-#define SMBIOSIZE	8
+#define SMBIOSIZE	9
 
 /* PCI Address Constants */
 #define SMBBA		0x090

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 17/46] PM / runtime: Avoid false-positive warnings from might_sleep_if()
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 15/46] i2c: piix4: Fix request_region size Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 18/46] jump label: pass kbuild_cflags when checking for asm goto support Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>


[ Upstream commit a9306a63631493afc75893a4ac405d4e1cbae6aa ]

The might_sleep_if() assertions in __pm_runtime_idle(),
__pm_runtime_suspend() and __pm_runtime_resume() may generate
false-positive warnings in some situations.  For example, that
happens if a nested pm_runtime_get_sync()/pm_runtime_put() pair
is executed with disabled interrupts within an outer
pm_runtime_get_sync()/pm_runtime_put() section for the same device.
[Generally, pm_runtime_get_sync() may sleep, so it should not be
called with disabled interrupts, but in this particular case the
previous pm_runtime_get_sync() guarantees that the device will not
be suspended, so the inner pm_runtime_get_sync() will return
immediately after incrementing the device's usage counter.]

That started to happen in the i915 driver in 4.10-rc, leading to
the following splat:

 BUG: sleeping function called from invalid context at drivers/base/power/runtime.c:1032
 in_atomic(): 1, irqs_disabled(): 0, pid: 1500, name: Xorg
 1 lock held by Xorg/1500:
  #0:  (&dev->struct_mutex){+.+.+.}, at:
  [<ffffffffa0680c13>] i915_mutex_lock_interruptible+0x43/0x140 [i915]
 CPU: 0 PID: 1500 Comm: Xorg Not tainted
 Call Trace:
  dump_stack+0x85/0xc2
  ___might_sleep+0x196/0x260
  __might_sleep+0x53/0xb0
  __pm_runtime_resume+0x7a/0x90
  intel_runtime_pm_get+0x25/0x90 [i915]
  aliasing_gtt_bind_vma+0xaa/0xf0 [i915]
  i915_vma_bind+0xaf/0x1e0 [i915]
  i915_gem_execbuffer_relocate_entry+0x513/0x6f0 [i915]
  i915_gem_execbuffer_relocate_vma.isra.34+0x188/0x250 [i915]
  ? trace_hardirqs_on+0xd/0x10
  ? i915_gem_execbuffer_reserve_vma.isra.31+0x152/0x1f0 [i915]
  ? i915_gem_execbuffer_reserve.isra.32+0x372/0x3a0 [i915]
  i915_gem_do_execbuffer.isra.38+0xa70/0x1a40 [i915]
  ? __might_fault+0x4e/0xb0
  i915_gem_execbuffer2+0xc5/0x260 [i915]
  ? __might_fault+0x4e/0xb0
  drm_ioctl+0x206/0x450 [drm]
  ? i915_gem_execbuffer+0x340/0x340 [i915]
  ? __fget+0x5/0x200
  do_vfs_ioctl+0x91/0x6f0
  ? __fget+0x111/0x200
  ? __fget+0x5/0x200
  SyS_ioctl+0x79/0x90
  entry_SYSCALL_64_fastpath+0x23/0xc6

even though the code triggering it is correct.

Unfortunately, the might_sleep_if() assertions in question are
too coarse-grained to cover such cases correctly, so make them
a bit less sensitive in order to avoid the false-positives.

Reported-and-tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/power/runtime.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -889,13 +889,13 @@ int __pm_runtime_idle(struct device *dev
 	unsigned long flags;
 	int retval;
 
-	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe);
-
 	if (rpmflags & RPM_GET_PUT) {
 		if (!atomic_dec_and_test(&dev->power.usage_count))
 			return 0;
 	}
 
+	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe);
+
 	spin_lock_irqsave(&dev->power.lock, flags);
 	retval = rpm_idle(dev, rpmflags);
 	spin_unlock_irqrestore(&dev->power.lock, flags);
@@ -921,13 +921,13 @@ int __pm_runtime_suspend(struct device *
 	unsigned long flags;
 	int retval;
 
-	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe);
-
 	if (rpmflags & RPM_GET_PUT) {
 		if (!atomic_dec_and_test(&dev->power.usage_count))
 			return 0;
 	}
 
+	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe);
+
 	spin_lock_irqsave(&dev->power.lock, flags);
 	retval = rpm_suspend(dev, rpmflags);
 	spin_unlock_irqrestore(&dev->power.lock, flags);
@@ -952,7 +952,8 @@ int __pm_runtime_resume(struct device *d
 	unsigned long flags;
 	int retval;
 
-	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe);
+	might_sleep_if(!(rpmflags & RPM_ASYNC) && !dev->power.irq_safe &&
+			dev->power.runtime_status != RPM_ACTIVE);
 
 	if (rpmflags & RPM_GET_PUT)
 		atomic_inc(&dev->power.usage_count);

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 18/46] jump label: pass kbuild_cflags when checking for asm goto support
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 17/46] PM / runtime: Avoid false-positive warnings from might_sleep_if() Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 19/46] kasan: respect /proc/sys/kernel/traceoff_on_warning Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Lin, Steven Rostedt,
	Michal Marek, Andrew Morton, Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Lin <dtwlin@google.com>


[ Upstream commit 35f860f9ba6aac56cc38e8b18916d833a83f1157 ]

Some versions of ARM GCC compiler such as Android toolchain throws in a
'-fpic' flag by default.  This causes the gcc-goto check script to fail
although some config would have '-fno-pic' flag in the KBUILD_CFLAGS.

This patch passes the KBUILD_CFLAGS to the check script so that the
script does not rely on the default config from different compilers.

Link: http://lkml.kernel.org/r/20170120234329.78868-1-dtwlin@google.com
Signed-off-by: David Lin <dtwlin@google.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Michal Marek <mmarek@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Makefile |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Makefile
+++ b/Makefile
@@ -789,7 +789,7 @@ KBUILD_CFLAGS   += $(call cc-option,-Wer
 KBUILD_ARFLAGS := $(call ar-option,D)
 
 # check for 'asm goto'
-ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC)), y)
+ifeq ($(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-goto.sh $(CC) $(KBUILD_CFLAGS)), y)
 	KBUILD_CFLAGS += -DCC_HAVE_ASM_GOTO
 	KBUILD_AFLAGS += -DCC_HAVE_ASM_GOTO
 endif

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 19/46] kasan: respect /proc/sys/kernel/traceoff_on_warning
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 18/46] jump label: pass kbuild_cflags when checking for asm goto support Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 20/46] log2: make order_base_2() behave correctly on const input value zero Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Zijlstra (Intel),
	Andrey Ryabinin, Alexander Potapenko, Dmitry Vyukov,
	Steven Rostedt, Andrew Morton, Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <peterz@infradead.org>


[ Upstream commit 4f40c6e5627ea73b4e7c615c59631f38cc880885 ]

After much waiting I finally reproduced a KASAN issue, only to find my
trace-buffer empty of useful information because it got spooled out :/

Make kasan_report honour the /proc/sys/kernel/traceoff_on_warning
interface.

Link: http://lkml.kernel.org/r/20170125164106.3514-1-aryabinin@virtuozzo.com
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/kasan/report.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/mm/kasan/report.c
+++ b/mm/kasan/report.c
@@ -13,6 +13,7 @@
  *
  */
 
+#include <linux/ftrace.h>
 #include <linux/kernel.h>
 #include <linux/mm.h>
 #include <linux/printk.h>
@@ -251,6 +252,8 @@ void kasan_report(unsigned long addr, si
 	if (likely(!kasan_report_enabled()))
 		return;
 
+	disable_trace_on_warning();
+
 	info.access_addr = (void *)addr;
 	info.access_size = size;
 	info.is_write = is_write;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 20/46] log2: make order_base_2() behave correctly on const input value zero
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 19/46] kasan: respect /proc/sys/kernel/traceoff_on_warning Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 21/46] ethtool: do not vzalloc(0) on registers dump Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ard Biesheuvel <ard.biesheuvel@linaro.org>

commit 29905b52fad0854351f57bab867647e4982285bf upstream.

The function order_base_2() is defined (according to the comment block)
as returning zero on input zero, but subsequently passes the input into
roundup_pow_of_two(), which is explicitly undefined for input zero.

This has gone unnoticed until now, but optimization passes in GCC 7 may
produce constant folded function instances where a constant value of
zero is passed into order_base_2(), resulting in link errors against the
deliberately undefined '____ilog2_NaN'.

So update order_base_2() to adhere to its own documented interface.

[ See

     http://marc.info/?l=linux-kernel&m=147672952517795&w=2

  and follow-up discussion for more background. The gcc "optimization
  pass" is really just broken, but now the GCC trunk problem seems to
  have escaped out of just specially built daily images, so we need to
  work around it in mainline.    - Linus ]

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/log2.h |   13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/include/linux/log2.h
+++ b/include/linux/log2.h
@@ -194,6 +194,17 @@ unsigned long __rounddown_pow_of_two(uns
  *  ... and so on.
  */
 
-#define order_base_2(n) ilog2(roundup_pow_of_two(n))
+static inline __attribute_const__
+int __order_base_2(unsigned long n)
+{
+	return n > 1 ? ilog2(n - 1) + 1 : 0;
+}
 
+#define order_base_2(n)				\
+(						\
+	__builtin_constant_p(n) ? (		\
+		((n) == 0 || (n) == 1) ? 0 :	\
+		ilog2((n) - 1) + 1) :		\
+	__order_base_2(n)			\
+)
 #endif /* _LINUX_LOG2_H */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 21/46] ethtool: do not vzalloc(0) on registers dump
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 20/46] log2: make order_base_2() behave correctly on const input value zero Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 22/46] fscache: Fix dead object requeue Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislaw Gruszka, David S. Miller,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Stanislaw Gruszka <sgruszka@redhat.com>


[ Upstream commit 3808d34838184fd29088d6b3a364ba2f1c018fb6 ]

If ->get_regs_len() callback return 0, we allocate 0 bytes of memory,
what print ugly warning in dmesg, which can be found further below.

This happen on mac80211 devices where ieee80211_get_regs_len() just
return 0 and driver only fills ethtool_regs structure and actually
do not provide any dump. However I assume this can happen on other
drivers i.e. when for some devices driver provide regs dump and for
others do not. Hence preventing to to print warning in ethtool code
seems to be reasonable.

ethtool: vmalloc: allocation failure: 0 bytes, mode:0x24080c2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_ZERO)
<snip>
Call Trace:
[<ffffffff813bde47>] dump_stack+0x63/0x8c
[<ffffffff811b0a1f>] warn_alloc+0x13f/0x170
[<ffffffff811f0476>] __vmalloc_node_range+0x1e6/0x2c0
[<ffffffff811f0874>] vzalloc+0x54/0x60
[<ffffffff8169986c>] dev_ethtool+0xb4c/0x1b30
[<ffffffff816adbb1>] dev_ioctl+0x181/0x520
[<ffffffff816714d2>] sock_do_ioctl+0x42/0x50
<snip>
Mem-Info:
active_anon:435809 inactive_anon:173951 isolated_anon:0
 active_file:835822 inactive_file:196932 isolated_file:0
 unevictable:0 dirty:8 writeback:0 unstable:0
 slab_reclaimable:157732 slab_unreclaimable:10022
 mapped:83042 shmem:306356 pagetables:9507 bounce:0
 free:130041 free_pcp:1080 free_cma:0
Node 0 active_anon:1743236kB inactive_anon:695804kB active_file:3343288kB inactive_file:787728kB unevictable:0kB isolated(anon):0kB isolated(file):0kB mapped:332168kB dirty:32kB writeback:0kB shmem:0kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 1225424kB writeback_tmp:0kB unstable:0kB pages_scanned:0 all_unreclaimable? no
Node 0 DMA free:15900kB min:136kB low:168kB high:200kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15984kB managed:15900kB mlocked:0kB slab_reclaimable:0kB slab_unreclaimable:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
lowmem_reserve[]: 0 3187 7643 7643
Node 0 DMA32 free:419732kB min:28124kB low:35152kB high:42180kB active_anon:541180kB inactive_anon:248988kB active_file:1466388kB inactive_file:389632kB unevictable:0kB writepending:0kB present:3370280kB managed:3290932kB mlocked:0kB slab_reclaimable:217184kB slab_unreclaimable:4180kB kernel_stack:160kB pagetables:984kB bounce:0kB free_pcp:2236kB local_pcp:660kB free_cma:0kB
lowmem_reserve[]: 0 0 4456 4456

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/ethtool.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -886,9 +886,12 @@ static int ethtool_get_regs(struct net_d
 	if (regs.len > reglen)
 		regs.len = reglen;
 
-	regbuf = vzalloc(reglen);
-	if (reglen && !regbuf)
-		return -ENOMEM;
+	regbuf = NULL;
+	if (reglen) {
+		regbuf = vzalloc(reglen);
+		if (!regbuf)
+			return -ENOMEM;
+	}
 
 	ops->get_regs(dev, &regs, regbuf);
 

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 22/46] fscache: Fix dead object requeue
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 21/46] ethtool: do not vzalloc(0) on registers dump Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 23/46] fscache: Clear outstanding writes when disabling a cookie Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Howells, Jeremy McNicoll,
	Frank Sorenson, Benjamin Coddington, Al Viro, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit e26bfebdfc0d212d366de9990a096665d5c0209a ]

Under some circumstances, an fscache object can become queued such that it
fscache_object_work_func() can be called once the object is in the
OBJECT_DEAD state.  This results in the kernel oopsing when it tries to
invoke the handler for the state (which is hard coded to 0x2).

The way this comes about is something like the following:

 (1) The object dispatcher is processing a work state for an object.  This
     is done in workqueue context.

 (2) An out-of-band event comes in that isn't masked, causing the object to
     be queued, say EV_KILL.

 (3) The object dispatcher finishes processing the current work state on
     that object and then sees there's another event to process, so,
     without returning to the workqueue core, it processes that event too.
     It then follows the chain of events that initiates until we reach
     OBJECT_DEAD without going through a wait state (such as
     WAIT_FOR_CLEARANCE).

     At this point, object->events may be 0, object->event_mask will be 0
     and oob_event_mask will be 0.

 (4) The object dispatcher returns to the workqueue processor, and in due
     course, this sees that the object's work item is still queued and
     invokes it again.

 (5) The current state is a work state (OBJECT_DEAD), so the dispatcher
     jumps to it - resulting in an OOPS.

When I'm seeing this, the work state in (1) appears to have been either
LOOK_UP_OBJECT or CREATE_OBJECT (object->oob_table is
fscache_osm_lookup_oob).

The window for (2) is very small:

 (A) object->event_mask is cleared whilst the event dispatch process is
     underway - though there's no memory barrier to force this to the top
     of the function.

     The window, therefore is from the time the object was selected by the
     workqueue processor and made requeueable to the time the mask was
     cleared.

 (B) fscache_raise_event() will only queue the object if it manages to set
     the event bit and the corresponding event_mask bit was set.

     The enqueuement is then deferred slightly whilst we get a ref on the
     object and get the per-CPU variable for workqueue congestion.  This
     slight deferral slightly increases the probability by allowing extra
     time for the workqueue to make the item requeueable.

Handle this by giving the dead state a processor function and checking the
for the dead state address rather than seeing if the processor function is
address 0x2.  The dead state processor function can then set a flag to
indicate that it's occurred and give a warning if it occurs more than once
per object.

If this race occurs, an oops similar to the following is seen (note the RIP
value):

BUG: unable to handle kernel NULL pointer dereference at 0000000000000002
IP: [<0000000000000002>] 0x1
PGD 0
Oops: 0010 [#1] SMP
Modules linked in: ...
CPU: 17 PID: 16077 Comm: kworker/u48:9 Not tainted 3.10.0-327.18.2.el7.x86_64 #1
Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 12/27/2015
Workqueue: fscache_object fscache_object_work_func [fscache]
task: ffff880302b63980 ti: ffff880717544000 task.ti: ffff880717544000
RIP: 0010:[<0000000000000002>]  [<0000000000000002>] 0x1
RSP: 0018:ffff880717547df8  EFLAGS: 00010202
RAX: ffffffffa0368640 RBX: ffff880edf7a4480 RCX: dead000000200200
RDX: 0000000000000002 RSI: 00000000ffffffff RDI: ffff880edf7a4480
RBP: ffff880717547e18 R08: 0000000000000000 R09: dfc40a25cb3a4510
R10: dfc40a25cb3a4510 R11: 0000000000000400 R12: 0000000000000000
R13: ffff880edf7a4510 R14: ffff8817f6153400 R15: 0000000000000600
FS:  0000000000000000(0000) GS:ffff88181f420000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000002 CR3: 000000000194a000 CR4: 00000000001407e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
 ffffffffa0363695 ffff880edf7a4510 ffff88093f16f900 ffff8817faa4ec00
 ffff880717547e60 ffffffff8109d5db 00000000faa4ec18 0000000000000000
 ffff8817faa4ec18 ffff88093f16f930 ffff880302b63980 ffff88093f16f900
Call Trace:
 [<ffffffffa0363695>] ? fscache_object_work_func+0xa5/0x200 [fscache]
 [<ffffffff8109d5db>] process_one_work+0x17b/0x470
 [<ffffffff8109e4ac>] worker_thread+0x21c/0x400
 [<ffffffff8109e290>] ? rescuer_thread+0x400/0x400
 [<ffffffff810a5acf>] kthread+0xcf/0xe0
 [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140
 [<ffffffff816460d8>] ret_from_fork+0x58/0x90
 [<ffffffff810a5a00>] ? kthread_create_on_node+0x140/0x140

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeremy McNicoll <jeremymc@redhat.com>
Tested-by: Frank Sorenson <sorenson@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fscache/object.c           |   26 ++++++++++++++++++++++++--
 include/linux/fscache-cache.h |    1 +
 2 files changed, 25 insertions(+), 2 deletions(-)

--- a/fs/fscache/object.c
+++ b/fs/fscache/object.c
@@ -30,6 +30,7 @@ static const struct fscache_state *fscac
 static const struct fscache_state *fscache_object_available(struct fscache_object *, int);
 static const struct fscache_state *fscache_parent_ready(struct fscache_object *, int);
 static const struct fscache_state *fscache_update_object(struct fscache_object *, int);
+static const struct fscache_state *fscache_object_dead(struct fscache_object *, int);
 
 #define __STATE_NAME(n) fscache_osm_##n
 #define STATE(n) (&__STATE_NAME(n))
@@ -91,7 +92,7 @@ static WORK_STATE(LOOKUP_FAILURE,	"LCFL"
 static WORK_STATE(KILL_OBJECT,		"KILL", fscache_kill_object);
 static WORK_STATE(KILL_DEPENDENTS,	"KDEP", fscache_kill_dependents);
 static WORK_STATE(DROP_OBJECT,		"DROP", fscache_drop_object);
-static WORK_STATE(OBJECT_DEAD,		"DEAD", (void*)2UL);
+static WORK_STATE(OBJECT_DEAD,		"DEAD", fscache_object_dead);
 
 static WAIT_STATE(WAIT_FOR_INIT,	"?INI",
 		  TRANSIT_TO(INIT_OBJECT,	1 << FSCACHE_OBJECT_EV_NEW_CHILD));
@@ -229,6 +230,10 @@ execute_work_state:
 	event = -1;
 	if (new_state == NO_TRANSIT) {
 		_debug("{OBJ%x} %s notrans", object->debug_id, state->name);
+		if (unlikely(state == STATE(OBJECT_DEAD))) {
+			_leave(" [dead]");
+			return;
+		}
 		fscache_enqueue_object(object);
 		event_mask = object->oob_event_mask;
 		goto unmask_events;
@@ -239,7 +244,7 @@ execute_work_state:
 	object->state = state = new_state;
 
 	if (state->work) {
-		if (unlikely(state->work == ((void *)2UL))) {
+		if (unlikely(state == STATE(OBJECT_DEAD))) {
 			_leave(" [dead]");
 			return;
 		}
@@ -1077,3 +1082,20 @@ void fscache_object_mark_killed(struct f
 	}
 }
 EXPORT_SYMBOL(fscache_object_mark_killed);
+
+/*
+ * The object is dead.  We can get here if an object gets queued by an event
+ * that would lead to its death (such as EV_KILL) when the dispatcher is
+ * already running (and so can be requeued) but hasn't yet cleared the event
+ * mask.
+ */
+static const struct fscache_state *fscache_object_dead(struct fscache_object *object,
+						       int event)
+{
+	if (!test_and_set_bit(FSCACHE_OBJECT_RUN_AFTER_DEAD,
+			      &object->flags))
+		return NO_TRANSIT;
+
+	WARN(true, "FS-Cache object redispatched after death");
+	return NO_TRANSIT;
+}
--- a/include/linux/fscache-cache.h
+++ b/include/linux/fscache-cache.h
@@ -360,6 +360,7 @@ struct fscache_object {
 #define FSCACHE_OBJECT_IS_AVAILABLE	5	/* T if object has become active */
 #define FSCACHE_OBJECT_RETIRED		6	/* T if object was retired on relinquishment */
 #define FSCACHE_OBJECT_KILLED_BY_CACHE	7	/* T if object was killed by the cache */
+#define FSCACHE_OBJECT_RUN_AFTER_DEAD	8	/* T if object has been dispatched after death */
 
 	struct list_head	cache_link;	/* link in cache->object_list */
 	struct hlist_node	cookie_link;	/* link in cookie->backing_objects */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 23/46] fscache: Clear outstanding writes when disabling a cookie
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 22/46] fscache: Fix dead object requeue Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 24/46] FS-Cache: Initialise stores_lock in netfs cookie Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jianhong Yin, David Howells,
	Jeff Layton, Steve Dickson, Al Viro, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit 6bdded59c8933940ac7e5b416448276ac89d1144 ]

fscache_disable_cookie() needs to clear the outstanding writes on the
cookie it's disabling because they cannot be completed after.

Without this, fscache_nfs_open_file() gets stuck because it disables the
cookie when the file is opened for writing but can't uncache the pages till
afterwards - otherwise there's a race between the open routine and anyone
who already has it open R/O and is still reading from it.

Looking in /proc/pid/stack of the offending process shows:

[<ffffffffa0142883>] __fscache_wait_on_page_write+0x82/0x9b [fscache]
[<ffffffffa014336e>] __fscache_uncache_all_inode_pages+0x91/0xe1 [fscache]
[<ffffffffa01740fa>] nfs_fscache_open_file+0x59/0x9e [nfs]
[<ffffffffa01ccf41>] nfs4_file_open+0x17f/0x1b8 [nfsv4]
[<ffffffff8117350e>] do_dentry_open+0x16d/0x2b7
[<ffffffff811743ac>] vfs_open+0x5c/0x65
[<ffffffff81184185>] path_openat+0x785/0x8fb
[<ffffffff81184343>] do_filp_open+0x48/0x9e
[<ffffffff81174710>] do_sys_open+0x13b/0x1cb
[<ffffffff811747b9>] SyS_open+0x19/0x1b
[<ffffffff81001c44>] do_syscall_64+0x80/0x17a
[<ffffffff8165c2da>] return_from_SYSCALL_64+0x0/0x7a
[<ffffffffffffffff>] 0xffffffffffffffff

Reported-by: Jianhong Yin <jiyin@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fscache/cookie.c |    5 +++++
 fs/fscache/object.c |    6 ++++++
 2 files changed, 11 insertions(+)

--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -542,6 +542,7 @@ void __fscache_disable_cookie(struct fsc
 		hlist_for_each_entry(object, &cookie->backing_objects, cookie_link) {
 			if (invalidate)
 				set_bit(FSCACHE_OBJECT_RETIRED, &object->flags);
+			clear_bit(FSCACHE_OBJECT_PENDING_WRITE, &object->flags);
 			fscache_raise_event(object, FSCACHE_OBJECT_EV_KILL);
 		}
 	} else {
@@ -560,6 +561,10 @@ void __fscache_disable_cookie(struct fsc
 		wait_on_atomic_t(&cookie->n_active, fscache_wait_atomic_t,
 				 TASK_UNINTERRUPTIBLE);
 
+	/* Make sure any pending writes are cancelled. */
+	if (cookie->def->type != FSCACHE_COOKIE_TYPE_INDEX)
+		fscache_invalidate_writes(cookie);
+
 	/* Reset the cookie state if it wasn't relinquished */
 	if (!test_bit(FSCACHE_COOKIE_RELINQUISHED, &cookie->flags)) {
 		atomic_inc(&cookie->n_active);
--- a/fs/fscache/object.c
+++ b/fs/fscache/object.c
@@ -650,6 +650,12 @@ static const struct fscache_state *fscac
 	fscache_mark_object_dead(object);
 	object->oob_event_mask = 0;
 
+	if (test_bit(FSCACHE_OBJECT_RETIRED, &object->flags)) {
+		/* Reject any new read/write ops and abort any that are pending. */
+		clear_bit(FSCACHE_OBJECT_PENDING_WRITE, &object->flags);
+		fscache_cancel_all_ops(object);
+	}
+
 	if (list_empty(&object->dependents) &&
 	    object->n_ops == 0 &&
 	    object->n_children == 0)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 24/46] FS-Cache: Initialise stores_lock in netfs cookie
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 23/46] fscache: Clear outstanding writes when disabling a cookie Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 25/46] ipv6: fix flow labels when the traffic class is non-0 Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Howells, Jeff Layton,
	Steve Dickson, Al Viro, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: David Howells <dhowells@redhat.com>


[ Upstream commit 62deb8187d116581c88c69a2dd9b5c16588545d4 ]

Initialise the stores_lock in fscache netfs cookies.  Technically, it
shouldn't be necessary, since the netfs cookie is an index and stores no
data, but initialising it anyway adds insignificant overhead.

Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fscache/netfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/fscache/netfs.c
+++ b/fs/fscache/netfs.c
@@ -48,6 +48,7 @@ int __fscache_register_netfs(struct fsca
 	cookie->flags		= 1 << FSCACHE_COOKIE_ENABLED;
 
 	spin_lock_init(&cookie->lock);
+	spin_lock_init(&cookie->stores_lock);
 	INIT_HLIST_HEAD(&cookie->backing_objects);
 
 	/* check the netfs type is not already present */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 25/46] ipv6: fix flow labels when the traffic class is non-0
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 24/46] FS-Cache: Initialise stores_lock in netfs cookie Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 26/46] drm/nouveau: prevent userspace from deleting client object Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dimitris Michailidis, Eric Dumazet,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dimitris Michailidis <dmichail@google.com>


[ Upstream commit 90427ef5d2a4b9a24079889bf16afdcdaebc4240 ]

ip6_make_flowlabel() determines the flow label for IPv6 packets. It's
supposed to be passed a flow label, which it returns as is if non-0 and
in some other cases, otherwise it calculates a new value.

The problem is callers often pass a flowi6.flowlabel, which may also
contain traffic class bits. If the traffic class is non-0
ip6_make_flowlabel() mistakes the non-0 it gets as a flow label and
returns the whole thing. Thus it can return a 'flow label' longer than
20b and the low 20b of that is typically 0 resulting in packets with 0
label. Moreover, different packets of a flow may be labeled differently.
For a TCP flow with ECN non-payload and payload packets get different
labels as exemplified by this pair of consecutive packets:

(pure ACK)
Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 0001 1100 1110 0100 1001 = Flow Label: 0x1ce49
    Payload Length: 32
    Next Header: TCP (6)

(payload)
Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
    0110 .... = Version: 6
    .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0))
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2)
    .... .... .... 0000 0000 0000 0000 0000 = Flow Label: 0x00000
    Payload Length: 688
    Next Header: TCP (6)

This patch allows ip6_make_flowlabel() to be passed more than just a
flow label and has it extract the part it really wants. This was simpler
than modifying the callers. With this patch packets like the above become

Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic Class: 0x00 (DSCP: CS0, ECN: Not-ECT)
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..00 .... .... .... .... .... = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e
    Payload Length: 32
    Next Header: TCP (6)

Internet Protocol Version 6, Src: 2002:af5:11a3::, Dst: 2002:af5:11a2::
    0110 .... = Version: 6
    .... 0000 0010 .... .... .... .... .... = Traffic Class: 0x02 (DSCP: CS0, ECN: ECT(0))
        .... 0000 00.. .... .... .... .... .... = Differentiated Services Codepoint: Default (0)
        .... .... ..10 .... .... .... .... .... = Explicit Congestion Notification: ECN-Capable Transport codepoint '10' (2)
    .... .... .... 1010 1111 1010 0101 1110 = Flow Label: 0xafa5e
    Payload Length: 688
    Next Header: TCP (6)

Signed-off-by: Dimitris Michailidis <dmichail@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/ipv6.h |    5 +++++
 1 file changed, 5 insertions(+)

--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -744,6 +744,11 @@ static inline __be32 ip6_make_flowlabel(
 {
 	u32 hash;
 
+	/* @flowlabel may include more than a flow label, eg, the traffic class.
+	 * Here we want only the flow label value.
+	 */
+	flowlabel &= IPV6_FLOWLABEL_MASK;
+
 	if (flowlabel ||
 	    net->ipv6.sysctl.auto_flowlabels == IP6_AUTO_FLOW_LABEL_OFF ||
 	    (!autolabel &&

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 26/46] drm/nouveau: prevent userspace from deleting client object
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 25/46] ipv6: fix flow labels when the traffic class is non-0 Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 27/46] drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Skeggs, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bskeggs@redhat.com>


[ Upstream commit c966b6279f610a24ac1d42dcbe30e10fa61220b2 ]

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_usif.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/gpu/drm/nouveau/nouveau_usif.c
+++ b/drivers/gpu/drm/nouveau/nouveau_usif.c
@@ -313,7 +313,8 @@ usif_ioctl(struct drm_file *filp, void _
 	if (nvif_unpack(argv->v0, 0, 0, true)) {
 		/* block access to objects not created via this interface */
 		owner = argv->v0.owner;
-		if (argv->v0.object == 0ULL)
+		if (argv->v0.object == 0ULL &&
+		    argv->v0.type != NVIF_IOCTL_V0_DEL)
 			argv->v0.owner = NVDRM_OBJECT_ANY; /* except client */
 		else
 			argv->v0.owner = NVDRM_OBJECT_USIF;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 27/46] drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 26/46] drm/nouveau: prevent userspace from deleting client object Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 28/46] net/mlx4_core: Avoid command timeouts during VF driver device shutdown Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ben Skeggs, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ben Skeggs <bskeggs@redhat.com>


[ Upstream commit 96692b097ba76d0c637ae8af47b29c73da33c9d0 ]

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_fence.h |    1 +
 drivers/gpu/drm/nouveau/nv84_fence.c    |    6 ++++++
 2 files changed, 7 insertions(+)

--- a/drivers/gpu/drm/nouveau/nouveau_fence.h
+++ b/drivers/gpu/drm/nouveau/nouveau_fence.h
@@ -99,6 +99,7 @@ struct nv84_fence_priv {
 	struct nouveau_bo *bo;
 	struct nouveau_bo *bo_gart;
 	u32 *suspend;
+	struct mutex mutex;
 };
 
 u64  nv84_fence_crtc(struct nouveau_channel *, int);
--- a/drivers/gpu/drm/nouveau/nv84_fence.c
+++ b/drivers/gpu/drm/nouveau/nv84_fence.c
@@ -121,8 +121,10 @@ nv84_fence_context_del(struct nouveau_ch
 	}
 
 	nouveau_bo_wr32(priv->bo, chan->chid * 16 / 4, fctx->base.sequence);
+	mutex_lock(&priv->mutex);
 	nouveau_bo_vma_del(priv->bo, &fctx->vma_gart);
 	nouveau_bo_vma_del(priv->bo, &fctx->vma);
+	mutex_unlock(&priv->mutex);
 	nouveau_fence_context_del(&fctx->base);
 	chan->fence = NULL;
 	nouveau_fence_context_free(&fctx->base);
@@ -148,11 +150,13 @@ nv84_fence_context_new(struct nouveau_ch
 	fctx->base.sync32 = nv84_fence_sync32;
 	fctx->base.sequence = nv84_fence_read(chan);
 
+	mutex_lock(&priv->mutex);
 	ret = nouveau_bo_vma_add(priv->bo, cli->vm, &fctx->vma);
 	if (ret == 0) {
 		ret = nouveau_bo_vma_add(priv->bo_gart, cli->vm,
 					&fctx->vma_gart);
 	}
+	mutex_unlock(&priv->mutex);
 
 	/* map display semaphore buffers into channel's vm */
 	for (i = 0; !ret && i < chan->drm->dev->mode_config.num_crtc; i++) {
@@ -232,6 +236,8 @@ nv84_fence_create(struct nouveau_drm *dr
 	priv->base.context_base = fence_context_alloc(priv->base.contexts);
 	priv->base.uevent = true;
 
+	mutex_init(&priv->mutex);
+
 	/* Use VRAM if there is any ; otherwise fallback to system memory */
 	domain = drm->device.info.ram_size != 0 ? TTM_PL_FLAG_VRAM :
 			 /*

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 28/46] net/mlx4_core: Avoid command timeouts during VF driver device shutdown
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 27/46] drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 29/46] gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Morgenstein, Tariq Toukan,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jack Morgenstein <jackm@dev.mellanox.co.il>


[ Upstream commit d585df1c5ccf995fcee910705ad7a9cdd11d4152 ]

Some Hypervisors detach VFs from VMs by instantly causing an FLR event
to be generated for a VF.

In the mlx4 case, this will cause that VF's comm channel to be disabled
before the VM has an opportunity to invoke the VF device's "shutdown"
method.

The result is that the VF driver on the VM will experience a command
timeout during the shutdown process when the Hypervisor does not deliver
a command-completion event to the VM.

To avoid FW command timeouts on the VM when the driver's shutdown method
is invoked, we detect the absence of the VF's comm channel at the very
start of the shutdown process. If the comm-channel has already been
disabled, we cause all FW commands during the device shutdown process to
immediately return success (and thus avoid all command timeouts).

Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/catas.c |    2 +-
 drivers/net/ethernet/mellanox/mlx4/intf.c  |   12 ++++++++++++
 drivers/net/ethernet/mellanox/mlx4/mlx4.h  |    1 +
 3 files changed, 14 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx4/catas.c
+++ b/drivers/net/ethernet/mellanox/mlx4/catas.c
@@ -158,7 +158,7 @@ static int mlx4_reset_slave(struct mlx4_
 	return -ETIMEDOUT;
 }
 
-static int mlx4_comm_internal_err(u32 slave_read)
+int mlx4_comm_internal_err(u32 slave_read)
 {
 	return (u32)COMM_CHAN_EVENT_INTERNAL_ERR ==
 		(slave_read & (u32)COMM_CHAN_EVENT_INTERNAL_ERR) ? 1 : 0;
--- a/drivers/net/ethernet/mellanox/mlx4/intf.c
+++ b/drivers/net/ethernet/mellanox/mlx4/intf.c
@@ -218,6 +218,18 @@ void mlx4_unregister_device(struct mlx4_
 	struct mlx4_interface *intf;
 
 	mlx4_stop_catas_poll(dev);
+	if (dev->persist->interface_state & MLX4_INTERFACE_STATE_DELETION &&
+	    mlx4_is_slave(dev)) {
+		/* In mlx4_remove_one on a VF */
+		u32 slave_read =
+			swab32(readl(&mlx4_priv(dev)->mfunc.comm->slave_read));
+
+		if (mlx4_comm_internal_err(slave_read)) {
+			mlx4_dbg(dev, "%s: comm channel is down, entering error state.\n",
+				 __func__);
+			mlx4_enter_error_state(dev->persist);
+		}
+	}
 	mutex_lock(&intf_mutex);
 
 	list_for_each_entry(intf, &intf_list, list)
--- a/drivers/net/ethernet/mellanox/mlx4/mlx4.h
+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4.h
@@ -1205,6 +1205,7 @@ void mlx4_qp_event(struct mlx4_dev *dev,
 void mlx4_srq_event(struct mlx4_dev *dev, u32 srqn, int event_type);
 
 void mlx4_enter_error_state(struct mlx4_dev_persistent *persist);
+int mlx4_comm_internal_err(u32 slave_read);
 
 int mlx4_SENSE_PORT(struct mlx4_dev *dev, int port,
 		    enum mlx4_port_type *type);

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 29/46] gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 28/46] net/mlx4_core: Avoid command timeouts during VF driver device shutdown Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 30/46] pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arseny Solokha, Claudiu Manoil,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Arseny Solokha <asolokha@kb.kras.ru>


[ Upstream commit 4af0e5bb95ee3ba5ea4bd7dbb94e1648a5279cc9 ]

In spite of switching to paged allocation of Rx buffers, the driver still
called dma_unmap_single() in the Rx queues tear-down path.

The DMA region unmapping code in free_skb_rx_queue() basically predates
the introduction of paged allocation to the driver. While being refactored,
it apparently hasn't reflected the change in the DMA API usage by its
counterpart gfar_new_page().

As a result, setting an interface to the DOWN state now yields the following:

  # ip link set eth2 down
  fsl-gianfar ffe24000.ethernet: DMA-API: device driver frees DMA memory with wrong function [device address=0x000000001ecd0000] [size=40]
  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 189 at lib/dma-debug.c:1123 check_unmap+0x8e0/0xa28
  CPU: 1 PID: 189 Comm: ip Tainted: G           O    4.9.5 #1
  task: dee73400 task.stack: dede2000
  NIP: c02101e8 LR: c02101e8 CTR: c0260d74
  REGS: dede3bb0 TRAP: 0700   Tainted: G           O     (4.9.5)
  MSR: 00021000 <CE,ME>  CR: 28002222  XER: 00000000

  GPR00: c02101e8 dede3c60 dee73400 000000b6 dfbd033c dfbd36c4 1f622000 dede2000
  GPR08: 00000007 c05b1634 1f622000 00000000 22002484 100a9904 00000000 00000000
  GPR16: 00000000 db4c849c 00000002 db4c8480 00000001 df142240 db4c84bc 00000000
  GPR24: c0706148 c0700000 00029000 c07552e8 c07323b4 dede3cb8 c07605e0 db535540
  NIP [c02101e8] check_unmap+0x8e0/0xa28
  LR [c02101e8] check_unmap+0x8e0/0xa28
  Call Trace:
  [dede3c60] [c02101e8] check_unmap+0x8e0/0xa28 (unreliable)
  [dede3cb0] [c02103b8] debug_dma_unmap_page+0x88/0x9c
  [dede3d30] [c02dffbc] free_skb_resources+0x2c4/0x404
  [dede3d80] [c02e39b4] gfar_close+0x24/0xc8
  [dede3da0] [c0361550] __dev_close_many+0xa0/0xf8
  [dede3dd0] [c03616f0] __dev_close+0x2c/0x4c
  [dede3df0] [c036b1b8] __dev_change_flags+0xa0/0x174
  [dede3e10] [c036b2ac] dev_change_flags+0x20/0x60
  [dede3e30] [c03e130c] devinet_ioctl+0x540/0x824
  [dede3e90] [c0347dcc] sock_ioctl+0x134/0x298
  [dede3eb0] [c0111814] do_vfs_ioctl+0xac/0x854
  [dede3f20] [c0111ffc] SyS_ioctl+0x40/0x74
  [dede3f40] [c000f290] ret_from_syscall+0x0/0x3c
  --- interrupt: c01 at 0xff45da0
      LR = 0xff45cd0
  Instruction dump:
  811d001c 7c66482e 813d0020 9061000c 807f000c 5463103a 7cc6182e 3c60c052
  386309ac 90c10008 4cc63182 4826b845 <0fe00000> 4bfffa60 3c80c052 388402c4
  ---[ end trace 695ae6d7ac1d0c47 ]---
  Mapped at:
   [<c02e22a8>] gfar_alloc_rx_buffs+0x178/0x248
   [<c02e3ef0>] startup_gfar+0x368/0x570
   [<c036aeb4>] __dev_open+0xdc/0x150
   [<c036b1b8>] __dev_change_flags+0xa0/0x174
   [<c036b2ac>] dev_change_flags+0x20/0x60

Even though the issue was discovered in 4.9 kernel, the code in question
is identical in the current net and net-next trees.

Fixes: 75354148ce69 ("gianfar: Add paged allocation and Rx S/G")
Signed-off-by: Arseny Solokha <asolokha@kb.kras.ru>
Acked-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/freescale/gianfar.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/freescale/gianfar.c
+++ b/drivers/net/ethernet/freescale/gianfar.c
@@ -1999,8 +1999,8 @@ static void free_skb_rx_queue(struct gfa
 		if (!rxb->page)
 			continue;
 
-		dma_unmap_single(rx_queue->dev, rxb->dma,
-				 PAGE_SIZE, DMA_FROM_DEVICE);
+		dma_unmap_page(rx_queue->dev, rxb->dma,
+			       PAGE_SIZE, DMA_FROM_DEVICE);
 		__free_page(rxb->page);
 
 		rxb->page = NULL;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 30/46] pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 29/46] gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 31/46] net: adaptec: starfire: add checks for dma mapping errors Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, Linus Walleij, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Jisheng Zhang <jszhang@marvell.com>


[ Upstream commit e82d02580af45663fad6d3596e4344c606e81e10 ]

This should be a typo.

Signed-off-by: Jisheng Zhang <jszhang@marvell.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/berlin/berlin-bg4ct.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pinctrl/berlin/berlin-bg4ct.c
+++ b/drivers/pinctrl/berlin/berlin-bg4ct.c
@@ -217,7 +217,7 @@ static const struct berlin_desc_group be
 	BERLIN_PINCTRL_GROUP("SCRD0_CRD_PRES", 0xc, 0x3, 0x15,
 			BERLIN_PINCTRL_FUNCTION(0x0, "gpio"), /* GPIO20 */
 			BERLIN_PINCTRL_FUNCTION(0x1, "scrd0"), /* crd pres */
-			BERLIN_PINCTRL_FUNCTION(0x1, "sd1a")), /* DAT3 */
+			BERLIN_PINCTRL_FUNCTION(0x3, "sd1a")), /* DAT3 */
 	BERLIN_PINCTRL_GROUP("SPI1_SS0n", 0xc, 0x3, 0x18,
 			BERLIN_PINCTRL_FUNCTION(0x0, "spi1"), /* SS0n */
 			BERLIN_PINCTRL_FUNCTION(0x1, "gpio"), /* GPIO37 */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 31/46] net: adaptec: starfire: add checks for dma mapping errors
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 30/46] pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 32/46] parisc, parport_gsc: Fixes for printk continuation lines Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Khoroshilov, David S. Miller,
	Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexey Khoroshilov <khoroshilov@ispras.ru>


[ Upstream commit d1156b489fa734d1af763d6a07b1637c01bb0aed ]

init_ring(), refill_rx_ring() and start_tx() don't check
if mapping dma memory succeed.
The patch adds the checks and failure handling.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/adaptec/starfire.c |   45 ++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/adaptec/starfire.c
+++ b/drivers/net/ethernet/adaptec/starfire.c
@@ -1153,6 +1153,12 @@ static void init_ring(struct net_device
 		if (skb == NULL)
 			break;
 		np->rx_info[i].mapping = pci_map_single(np->pci_dev, skb->data, np->rx_buf_sz, PCI_DMA_FROMDEVICE);
+		if (pci_dma_mapping_error(np->pci_dev,
+					  np->rx_info[i].mapping)) {
+			dev_kfree_skb(skb);
+			np->rx_info[i].skb = NULL;
+			break;
+		}
 		/* Grrr, we cannot offset to correctly align the IP header. */
 		np->rx_ring[i].rxaddr = cpu_to_dma(np->rx_info[i].mapping | RxDescValid);
 	}
@@ -1183,8 +1189,9 @@ static netdev_tx_t start_tx(struct sk_bu
 {
 	struct netdev_private *np = netdev_priv(dev);
 	unsigned int entry;
+	unsigned int prev_tx;
 	u32 status;
-	int i;
+	int i, j;
 
 	/*
 	 * be cautious here, wrapping the queue has weird semantics
@@ -1202,6 +1209,7 @@ static netdev_tx_t start_tx(struct sk_bu
 	}
 #endif /* ZEROCOPY && HAS_BROKEN_FIRMWARE */
 
+	prev_tx = np->cur_tx;
 	entry = np->cur_tx % TX_RING_SIZE;
 	for (i = 0; i < skb_num_frags(skb); i++) {
 		int wrap_ring = 0;
@@ -1235,6 +1243,11 @@ static netdev_tx_t start_tx(struct sk_bu
 					       skb_frag_size(this_frag),
 					       PCI_DMA_TODEVICE);
 		}
+		if (pci_dma_mapping_error(np->pci_dev,
+					  np->tx_info[entry].mapping)) {
+			dev->stats.tx_dropped++;
+			goto err_out;
+		}
 
 		np->tx_ring[entry].addr = cpu_to_dma(np->tx_info[entry].mapping);
 		np->tx_ring[entry].status = cpu_to_le32(status);
@@ -1269,8 +1282,30 @@ static netdev_tx_t start_tx(struct sk_bu
 		netif_stop_queue(dev);
 
 	return NETDEV_TX_OK;
-}
 
+err_out:
+	entry = prev_tx % TX_RING_SIZE;
+	np->tx_info[entry].skb = NULL;
+	if (i > 0) {
+		pci_unmap_single(np->pci_dev,
+				 np->tx_info[entry].mapping,
+				 skb_first_frag_len(skb),
+				 PCI_DMA_TODEVICE);
+		np->tx_info[entry].mapping = 0;
+		entry = (entry + np->tx_info[entry].used_slots) % TX_RING_SIZE;
+		for (j = 1; j < i; j++) {
+			pci_unmap_single(np->pci_dev,
+					 np->tx_info[entry].mapping,
+					 skb_frag_size(
+						&skb_shinfo(skb)->frags[j-1]),
+					 PCI_DMA_TODEVICE);
+			entry++;
+		}
+	}
+	dev_kfree_skb_any(skb);
+	np->cur_tx = prev_tx;
+	return NETDEV_TX_OK;
+}
 
 /* The interrupt handler does all of the Rx thread work and cleans up
    after the Tx thread. */
@@ -1570,6 +1605,12 @@ static void refill_rx_ring(struct net_de
 				break;	/* Better luck next round. */
 			np->rx_info[entry].mapping =
 				pci_map_single(np->pci_dev, skb->data, np->rx_buf_sz, PCI_DMA_FROMDEVICE);
+			if (pci_dma_mapping_error(np->pci_dev,
+						np->rx_info[entry].mapping)) {
+				dev_kfree_skb(skb);
+				np->rx_info[entry].skb = NULL;
+				break;
+			}
 			np->rx_ring[entry].rxaddr =
 				cpu_to_dma(np->rx_info[entry].mapping | RxDescValid);
 		}

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 32/46] parisc, parport_gsc: Fixes for printk continuation lines
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 31/46] net: adaptec: starfire: add checks for dma mapping errors Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 33/46] drm/nouveau: Dont enabling polling twice on runtime resume Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Helge Deller <deller@gmx.de>


[ Upstream commit 83b5d1e3d3013dbf90645a5d07179d018c8243fa ]

Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/parport/parport_gsc.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/parport/parport_gsc.c
+++ b/drivers/parport/parport_gsc.c
@@ -293,7 +293,7 @@ struct parport *parport_gsc_probe_port(u
 		p->irq = PARPORT_IRQ_NONE;
 	}
 	if (p->irq != PARPORT_IRQ_NONE) {
-		printk(", irq %d", p->irq);
+		pr_cont(", irq %d", p->irq);
 
 		if (p->dma == PARPORT_DMA_AUTO) {
 			p->dma = PARPORT_DMA_NONE;
@@ -303,8 +303,8 @@ struct parport *parport_gsc_probe_port(u
                                            is mandatory (see above) */
 		p->dma = PARPORT_DMA_NONE;
 
-	printk(" [");
-#define printmode(x) {if(p->modes&PARPORT_MODE_##x){printk("%s%s",f?",":"",#x);f++;}}
+	pr_cont(" [");
+#define printmode(x) {if(p->modes&PARPORT_MODE_##x){pr_cont("%s%s",f?",":"",#x);f++;}}
 	{
 		int f = 0;
 		printmode(PCSPP);
@@ -315,7 +315,7 @@ struct parport *parport_gsc_probe_port(u
 //		printmode(DMA);
 	}
 #undef printmode
-	printk("]\n");
+	pr_cont("]\n");
 
 	if (p->irq != PARPORT_IRQ_NONE) {
 		if (request_irq (p->irq, parport_irq_handler,

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 33/46] drm/nouveau: Dont enabling polling twice on runtime resume
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 32/46] parisc, parport_gsc: Fixes for printk continuation lines Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lyude, Hans de Goede, Kilian Singer,
	Lukas Wunner, David Airlie, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Lyude Paul <lyude@redhat.com>


[ Upstream commit cae9ff036eea577856d5b12860b4c79c5e71db4a ]

As it turns out, on cards that actually have CRTCs on them we're already
calling drm_kms_helper_poll_enable(drm_dev) from
nouveau_display_resume() before we call it in
nouveau_pmops_runtime_resume(). This leads us to accidentally trying to
enable polling twice, which results in a potential deadlock between the
RPM locks and drm_dev->mode_config.mutex if we end up trying to enable
polling the second time while output_poll_execute is running and holding
the mode_config lock. As such, make sure we only enable polling in
nouveau_pmops_runtime_resume() if we need to.

This fixes hangs observed on the ThinkPad W541

Signed-off-by: Lyude <lyude@redhat.com>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: Kilian Singer <kilian.singer@quantumtechnology.info>
Cc: Lukas Wunner <lukas@wunner.de>
Cc: David Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/nouveau/nouveau_display.c |    3 ++-
 drivers/gpu/drm/nouveau/nouveau_drm.c     |    5 ++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/nouveau/nouveau_display.c
+++ b/drivers/gpu/drm/nouveau/nouveau_display.c
@@ -370,7 +370,8 @@ nouveau_display_init(struct drm_device *
 		return ret;
 
 	/* enable polling for external displays */
-	drm_kms_helper_poll_enable(dev);
+	if (!dev->mode_config.poll_enabled)
+		drm_kms_helper_poll_enable(dev);
 
 	/* enable hotplug interrupts */
 	list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
@@ -743,7 +743,10 @@ nouveau_pmops_runtime_resume(struct devi
 	pci_set_master(pdev);
 
 	ret = nouveau_do_resume(drm_dev, true);
-	drm_kms_helper_poll_enable(drm_dev);
+
+	if (!drm_dev->mode_config.poll_enabled)
+		drm_kms_helper_poll_enable(drm_dev);
+
 	/* do magic */
 	nvif_mask(&device->object, 0x088488, (1 << 25), (1 << 25));
 	vga_switcheroo_set_dynamic_switch(pdev, VGA_SWITCHEROO_ON);

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 33/46] drm/nouveau: Dont enabling polling twice on runtime resume Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-29 13:45   ` Ben Hutchings
  2017-06-15 17:52 ` [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  44 siblings, 1 reply; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Y.C. Chen, Dave Airlie, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: "Y.C. Chen" <yc_chen@aspeedtech.com>


[ Upstream commit 6c971c09f38704513c426ba6515f22fb3d6c87d5 ]

The original ast driver will access some BMC configuration through P2A bridge
that can be disabled since AST2300 and after.
It will cause system hanged if P2A bridge is disabled.
Here is the update to fix it.

Signed-off-by: Y.C. Chen <yc_chen@aspeedtech.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/ast/ast_drv.h  |    1 
 drivers/gpu/drm/ast/ast_main.c |  157 +++++++++++++++++++++--------------------
 drivers/gpu/drm/ast/ast_post.c |   18 +++-
 3 files changed, 97 insertions(+), 79 deletions(-)

--- a/drivers/gpu/drm/ast/ast_drv.h
+++ b/drivers/gpu/drm/ast/ast_drv.h
@@ -113,6 +113,7 @@ struct ast_private {
 	struct ttm_bo_kmap_obj cache_kmap;
 	int next_cursor;
 	bool support_wide_screen;
+	bool DisableP2A;
 
 	enum ast_tx_chip tx_chip_type;
 	u8 dp501_maxclk;
--- a/drivers/gpu/drm/ast/ast_main.c
+++ b/drivers/gpu/drm/ast/ast_main.c
@@ -124,6 +124,12 @@ static int ast_detect_chip(struct drm_de
 	} else
 		*need_post = false;
 
+	/* Check P2A Access */
+	ast->DisableP2A = true;
+	data = ast_read32(ast, 0xf004);
+	if (data != 0xFFFFFFFF)
+		ast->DisableP2A = false;
+
 	/* Check if we support wide screen */
 	switch (ast->chip) {
 	case AST1180:
@@ -140,15 +146,17 @@ static int ast_detect_chip(struct drm_de
 			ast->support_wide_screen = true;
 		else {
 			ast->support_wide_screen = false;
-			/* Read SCU7c (silicon revision register) */
-			ast_write32(ast, 0xf004, 0x1e6e0000);
-			ast_write32(ast, 0xf000, 0x1);
-			data = ast_read32(ast, 0x1207c);
-			data &= 0x300;
-			if (ast->chip == AST2300 && data == 0x0) /* ast1300 */
-				ast->support_wide_screen = true;
-			if (ast->chip == AST2400 && data == 0x100) /* ast1400 */
-				ast->support_wide_screen = true;
+			if (ast->DisableP2A == false) {
+				/* Read SCU7c (silicon revision register) */
+				ast_write32(ast, 0xf004, 0x1e6e0000);
+				ast_write32(ast, 0xf000, 0x1);
+				data = ast_read32(ast, 0x1207c);
+				data &= 0x300;
+				if (ast->chip == AST2300 && data == 0x0) /* ast1300 */
+					ast->support_wide_screen = true;
+				if (ast->chip == AST2400 && data == 0x100) /* ast1400 */
+					ast->support_wide_screen = true;
+			}
 		}
 		break;
 	}
@@ -216,80 +224,81 @@ static int ast_get_dram_info(struct drm_
 	uint32_t data, data2;
 	uint32_t denum, num, div, ref_pll;
 
-	ast_write32(ast, 0xf004, 0x1e6e0000);
-	ast_write32(ast, 0xf000, 0x1);
-
-
-	ast_write32(ast, 0x10000, 0xfc600309);
-
-	do {
-		if (pci_channel_offline(dev->pdev))
-			return -EIO;
-	} while (ast_read32(ast, 0x10000) != 0x01);
-	data = ast_read32(ast, 0x10004);
-
-	if (data & 0x40)
+	if (ast->DisableP2A)
+	{
 		ast->dram_bus_width = 16;
+		ast->dram_type = AST_DRAM_1Gx16;
+		ast->mclk = 396;
+	}
 	else
-		ast->dram_bus_width = 32;
+	{
+		ast_write32(ast, 0xf004, 0x1e6e0000);
+		ast_write32(ast, 0xf000, 0x1);
+		data = ast_read32(ast, 0x10004);
+
+		if (data & 0x40)
+			ast->dram_bus_width = 16;
+		else
+			ast->dram_bus_width = 32;
+
+		if (ast->chip == AST2300 || ast->chip == AST2400) {
+			switch (data & 0x03) {
+			case 0:
+				ast->dram_type = AST_DRAM_512Mx16;
+				break;
+			default:
+			case 1:
+				ast->dram_type = AST_DRAM_1Gx16;
+				break;
+			case 2:
+				ast->dram_type = AST_DRAM_2Gx16;
+				break;
+			case 3:
+				ast->dram_type = AST_DRAM_4Gx16;
+				break;
+			}
+		} else {
+			switch (data & 0x0c) {
+			case 0:
+			case 4:
+				ast->dram_type = AST_DRAM_512Mx16;
+				break;
+			case 8:
+				if (data & 0x40)
+					ast->dram_type = AST_DRAM_1Gx16;
+				else
+					ast->dram_type = AST_DRAM_512Mx32;
+				break;
+			case 0xc:
+				ast->dram_type = AST_DRAM_1Gx32;
+				break;
+			}
+		}
 
-	if (ast->chip == AST2300 || ast->chip == AST2400) {
-		switch (data & 0x03) {
-		case 0:
-			ast->dram_type = AST_DRAM_512Mx16;
-			break;
-		default:
-		case 1:
-			ast->dram_type = AST_DRAM_1Gx16;
-			break;
-		case 2:
-			ast->dram_type = AST_DRAM_2Gx16;
-			break;
+		data = ast_read32(ast, 0x10120);
+		data2 = ast_read32(ast, 0x10170);
+		if (data2 & 0x2000)
+			ref_pll = 14318;
+		else
+			ref_pll = 12000;
+
+		denum = data & 0x1f;
+		num = (data & 0x3fe0) >> 5;
+		data = (data & 0xc000) >> 14;
+		switch (data) {
 		case 3:
-			ast->dram_type = AST_DRAM_4Gx16;
-			break;
-		}
-	} else {
-		switch (data & 0x0c) {
-		case 0:
-		case 4:
-			ast->dram_type = AST_DRAM_512Mx16;
+			div = 0x4;
 			break;
-		case 8:
-			if (data & 0x40)
-				ast->dram_type = AST_DRAM_1Gx16;
-			else
-				ast->dram_type = AST_DRAM_512Mx32;
+		case 2:
+		case 1:
+			div = 0x2;
 			break;
-		case 0xc:
-			ast->dram_type = AST_DRAM_1Gx32;
+		default:
+			div = 0x1;
 			break;
 		}
+		ast->mclk = ref_pll * (num + 2) / (denum + 2) * (div * 1000);
 	}
-
-	data = ast_read32(ast, 0x10120);
-	data2 = ast_read32(ast, 0x10170);
-	if (data2 & 0x2000)
-		ref_pll = 14318;
-	else
-		ref_pll = 12000;
-
-	denum = data & 0x1f;
-	num = (data & 0x3fe0) >> 5;
-	data = (data & 0xc000) >> 14;
-	switch (data) {
-	case 3:
-		div = 0x4;
-		break;
-	case 2:
-	case 1:
-		div = 0x2;
-		break;
-	default:
-		div = 0x1;
-		break;
-	}
-	ast->mclk = ref_pll * (num + 2) / (denum + 2) * (div * 1000);
 	return 0;
 }
 
--- a/drivers/gpu/drm/ast/ast_post.c
+++ b/drivers/gpu/drm/ast/ast_post.c
@@ -375,12 +375,20 @@ void ast_post_gpu(struct drm_device *dev
 	ast_enable_mmio(dev);
 	ast_set_def_ext_reg(dev);
 
-	if (ast->chip == AST2300 || ast->chip == AST2400)
-		ast_init_dram_2300(dev);
-	else
-		ast_init_dram_reg(dev);
+	if (ast->DisableP2A == false)
+	{
+		if (ast->chip == AST2300 || ast->chip == AST2400)
+			ast_init_dram_2300(dev);
+		else
+			ast_init_dram_reg(dev);
 
-	ast_init_3rdtx(dev);
+		ast_init_3rdtx(dev);
+	}
+	else
+	{
+		if (ast->tx_chip_type != AST_TX_NONE)
+			ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xa3, 0xcf, 0x80);	/* Enable DVO */
+	}
 }
 
 /* AST 2300 DRAM settings */

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-29 13:58   ` Ben Hutchings
  2017-06-15 17:52 ` [PATCH 4.4 36/46] nfs: Fix "Dont increment lock sequence ID after NFS4ERR_MOVED" Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  44 siblings, 1 reply; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kazuya Mizuguchi, Simon Horman,
	Sergei Shtylyov, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>


[ Upstream commit a47b70ea86bdeb3091341f5ae3ef580f1a1ad822 ]

"swiotlb buffer is full" errors occur after repeated initialisation of a
device - f.e. suspend/resume or ip link set up/down. This is because memory
mapped using dma_map_single() in ravb_ring_format() and ravb_start_xmit()
is not released.  Resolve this problem by unmapping descriptors when
freeing rings.

Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper")
Signed-off-by: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
[simon: reworked]
Signed-off-by: Simon Horman <horms+renesas@verge.net.au>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/renesas/ravb_main.c |  112 +++++++++++++++++--------------
 1 file changed, 64 insertions(+), 48 deletions(-)

--- a/drivers/net/ethernet/renesas/ravb_main.c
+++ b/drivers/net/ethernet/renesas/ravb_main.c
@@ -171,6 +171,49 @@ static struct mdiobb_ops bb_ops = {
 	.get_mdio_data = ravb_get_mdio_data,
 };
 
+/* Free TX skb function for AVB-IP */
+static int ravb_tx_free(struct net_device *ndev, int q, bool free_txed_only)
+{
+	struct ravb_private *priv = netdev_priv(ndev);
+	struct net_device_stats *stats = &priv->stats[q];
+	struct ravb_tx_desc *desc;
+	int free_num = 0;
+	int entry;
+	u32 size;
+
+	for (; priv->cur_tx[q] - priv->dirty_tx[q] > 0; priv->dirty_tx[q]++) {
+		bool txed;
+
+		entry = priv->dirty_tx[q] % (priv->num_tx_ring[q] *
+					     NUM_TX_DESC);
+		desc = &priv->tx_ring[q][entry];
+		txed = desc->die_dt == DT_FEMPTY;
+		if (free_txed_only && !txed)
+			break;
+		/* Descriptor type must be checked before all other reads */
+		dma_rmb();
+		size = le16_to_cpu(desc->ds_tagl) & TX_DS;
+		/* Free the original skb. */
+		if (priv->tx_skb[q][entry / NUM_TX_DESC]) {
+			dma_unmap_single(ndev->dev.parent, le32_to_cpu(desc->dptr),
+					 size, DMA_TO_DEVICE);
+			/* Last packet descriptor? */
+			if (entry % NUM_TX_DESC == NUM_TX_DESC - 1) {
+				entry /= NUM_TX_DESC;
+				dev_kfree_skb_any(priv->tx_skb[q][entry]);
+				priv->tx_skb[q][entry] = NULL;
+				if (txed)
+					stats->tx_packets++;
+			}
+			free_num++;
+		}
+		if (txed)
+			stats->tx_bytes += size;
+		desc->die_dt = DT_EEMPTY;
+	}
+	return free_num;
+}
+
 /* Free skb's and DMA buffers for Ethernet AVB */
 static void ravb_ring_free(struct net_device *ndev, int q)
 {
@@ -186,19 +229,21 @@ static void ravb_ring_free(struct net_de
 	kfree(priv->rx_skb[q]);
 	priv->rx_skb[q] = NULL;
 
-	/* Free TX skb ringbuffer */
-	if (priv->tx_skb[q]) {
-		for (i = 0; i < priv->num_tx_ring[q]; i++)
-			dev_kfree_skb(priv->tx_skb[q][i]);
-	}
-	kfree(priv->tx_skb[q]);
-	priv->tx_skb[q] = NULL;
-
 	/* Free aligned TX buffers */
 	kfree(priv->tx_align[q]);
 	priv->tx_align[q] = NULL;
 
 	if (priv->rx_ring[q]) {
+		for (i = 0; i < priv->num_rx_ring[q]; i++) {
+			struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i];
+
+			if (!dma_mapping_error(ndev->dev.parent,
+					       le32_to_cpu(desc->dptr)))
+				dma_unmap_single(ndev->dev.parent,
+						 le32_to_cpu(desc->dptr),
+						 PKT_BUF_SZ,
+						 DMA_FROM_DEVICE);
+		}
 		ring_size = sizeof(struct ravb_ex_rx_desc) *
 			    (priv->num_rx_ring[q] + 1);
 		dma_free_coherent(ndev->dev.parent, ring_size, priv->rx_ring[q],
@@ -207,12 +252,20 @@ static void ravb_ring_free(struct net_de
 	}
 
 	if (priv->tx_ring[q]) {
+		ravb_tx_free(ndev, q, false);
+
 		ring_size = sizeof(struct ravb_tx_desc) *
 			    (priv->num_tx_ring[q] * NUM_TX_DESC + 1);
 		dma_free_coherent(ndev->dev.parent, ring_size, priv->tx_ring[q],
 				  priv->tx_desc_dma[q]);
 		priv->tx_ring[q] = NULL;
 	}
+
+	/* Free TX skb ringbuffer.
+	 * SKBs are freed by ravb_tx_free() call above.
+	 */
+	kfree(priv->tx_skb[q]);
+	priv->tx_skb[q] = NULL;
 }
 
 /* Format skb and descriptor buffer for Ethernet AVB */
@@ -420,44 +473,6 @@ static int ravb_dmac_init(struct net_dev
 	return 0;
 }
 
-/* Free TX skb function for AVB-IP */
-static int ravb_tx_free(struct net_device *ndev, int q)
-{
-	struct ravb_private *priv = netdev_priv(ndev);
-	struct net_device_stats *stats = &priv->stats[q];
-	struct ravb_tx_desc *desc;
-	int free_num = 0;
-	int entry;
-	u32 size;
-
-	for (; priv->cur_tx[q] - priv->dirty_tx[q] > 0; priv->dirty_tx[q]++) {
-		entry = priv->dirty_tx[q] % (priv->num_tx_ring[q] *
-					     NUM_TX_DESC);
-		desc = &priv->tx_ring[q][entry];
-		if (desc->die_dt != DT_FEMPTY)
-			break;
-		/* Descriptor type must be checked before all other reads */
-		dma_rmb();
-		size = le16_to_cpu(desc->ds_tagl) & TX_DS;
-		/* Free the original skb. */
-		if (priv->tx_skb[q][entry / NUM_TX_DESC]) {
-			dma_unmap_single(ndev->dev.parent, le32_to_cpu(desc->dptr),
-					 size, DMA_TO_DEVICE);
-			/* Last packet descriptor? */
-			if (entry % NUM_TX_DESC == NUM_TX_DESC - 1) {
-				entry /= NUM_TX_DESC;
-				dev_kfree_skb_any(priv->tx_skb[q][entry]);
-				priv->tx_skb[q][entry] = NULL;
-				stats->tx_packets++;
-			}
-			free_num++;
-		}
-		stats->tx_bytes += size;
-		desc->die_dt = DT_EEMPTY;
-	}
-	return free_num;
-}
-
 static void ravb_get_tx_tstamp(struct net_device *ndev)
 {
 	struct ravb_private *priv = netdev_priv(ndev);
@@ -797,7 +812,7 @@ static int ravb_poll(struct napi_struct
 			spin_lock_irqsave(&priv->lock, flags);
 			/* Clear TX interrupt */
 			ravb_write(ndev, ~mask, TIS);
-			ravb_tx_free(ndev, q);
+			ravb_tx_free(ndev, q, true);
 			netif_wake_subqueue(ndev, q);
 			mmiowb();
 			spin_unlock_irqrestore(&priv->lock, flags);
@@ -1393,7 +1408,8 @@ static netdev_tx_t ravb_start_xmit(struc
 
 	priv->cur_tx[q] += NUM_TX_DESC;
 	if (priv->cur_tx[q] - priv->dirty_tx[q] >
-	    (priv->num_tx_ring[q] - 1) * NUM_TX_DESC && !ravb_tx_free(ndev, q))
+	    (priv->num_tx_ring[q] - 1) * NUM_TX_DESC &&
+	    !ravb_tx_free(ndev, q, true))
 		netif_stop_subqueue(ndev, q);
 
 exit:

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 36/46] nfs: Fix "Dont increment lock sequence ID after NFS4ERR_MOVED"
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 37/46] r8152: re-schedule napi for tx Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chuck Lever, Xuan Qi,
	Trond Myklebust, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Chuck Lever <chuck.lever@oracle.com>


[ Upstream commit 406dab8450ec76eca88a1af2fc15d18a2b36ca49 ]

Lock sequence IDs are bumped in decode_lock by calling
nfs_increment_seqid(). nfs_increment_sequid() does not use the
seqid_mutating_err() function fixed in commit 059aa7348241 ("Don't
increment lock sequence ID after NFS4ERR_MOVED").

Fixes: 059aa7348241 ("Don't increment lock sequence ID after ...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: Xuan Qi <xuan.qi@oracle.com>
Cc: stable@vger.kernel.org # v3.7+
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nfs/nfs4state.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -1072,6 +1072,7 @@ static void nfs_increment_seqid(int stat
 		case -NFS4ERR_BADXDR:
 		case -NFS4ERR_RESOURCE:
 		case -NFS4ERR_NOFILEHANDLE:
+		case -NFS4ERR_MOVED:
 			/* Non-seqid mutating errors */
 			return;
 	};

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 37/46] r8152: re-schedule napi for tx
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 36/46] nfs: Fix "Dont increment lock sequence ID after NFS4ERR_MOVED" Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-29 14:23   ` Ben Hutchings
  2017-06-15 17:52 ` [PATCH 4.4 38/46] r8152: fix rtl8152_post_reset function Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  44 siblings, 1 reply; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hayes Wang, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hayeswang <hayeswang@realtek.com>


[ Upstream commit 248b213ad908b88db15941202ef7cb7eb137c1a0 ]

Re-schedule napi after napi_complete() for tx, if it is necessay.

In r8152_poll(), if the tx is completed after tx_bottom() and before
napi_complete(), the scheduling of napi would be lost. Then, no
one handles the next tx until the next napi_schedule() is called.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/r8152.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -1851,6 +1851,9 @@ static int r8152_poll(struct napi_struct
 		napi_complete(napi);
 		if (!list_empty(&tp->rx_done))
 			napi_schedule(napi);
+		else if (!skb_queue_empty(&tp->tx_queue) &&
+			 !list_empty(&tp->tx_free))
+			napi_schedule(napi);
 	}
 
 	return work_done;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 38/46] r8152: fix rtl8152_post_reset function
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 37/46] r8152: re-schedule napi for tx Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:52 ` [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hayes Wang, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hayeswang <hayeswang@realtek.com>


[ Upstream commit 2c561b2b728ca4013e76d6439bde2c137503745e ]

The rtl8152_post_reset() should sumbit rx urb and interrupt transfer,
otherwise the rx wouldn't work and the linking change couldn't be
detected.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/r8152.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -3418,12 +3418,14 @@ static int rtl8152_post_reset(struct usb
 	if (netif_carrier_ok(netdev)) {
 		mutex_lock(&tp->control);
 		tp->rtl_ops.enable(tp);
+		rtl_start_rx(tp);
 		rtl8152_set_rx_mode(netdev);
 		mutex_unlock(&tp->control);
 		netif_wake_queue(netdev);
 	}
 
 	napi_enable(&tp->napi);
+	usb_submit_urb(tp->intr_urb, GFP_KERNEL);
 
 	return 0;
 }

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 38/46] r8152: fix rtl8152_post_reset function Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-29 14:35   ` Ben Hutchings
  2017-06-15 17:52 ` [PATCH 4.4 40/46] sctp: sctp_addr_id2transport should verify the addr before looking up assoc Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  44 siblings, 1 reply; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hayes Wang, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: hayeswang <hayeswang@realtek.com>


[ Upstream commit de9bf29dd6e4a8a874cb92f8901aed50a9d0b1d3 ]

Stop the tx when the napi is disabled to prevent napi_schedule() is
called.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/r8152.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -2993,10 +2993,13 @@ static void set_carrier(struct r8152 *tp
 		if (!netif_carrier_ok(netdev)) {
 			tp->rtl_ops.enable(tp);
 			set_bit(RTL8152_SET_RX_MODE, &tp->flags);
+			netif_stop_queue(netdev);
 			napi_disable(&tp->napi);
 			netif_carrier_on(netdev);
 			rtl_start_rx(tp);
 			napi_enable(&tp->napi);
+			netif_wake_queue(netdev);
+			netif_info(tp, link, netdev, "carrier on\n");
 		}
 	} else {
 		if (netif_carrier_ok(netdev)) {
@@ -3004,6 +3007,7 @@ static void set_carrier(struct r8152 *tp
 			napi_disable(&tp->napi);
 			tp->rtl_ops.disable(tp);
 			napi_enable(&tp->napi);
+			netif_info(tp, link, netdev, "carrier off\n");
 		}
 	}
 }
@@ -3388,12 +3392,12 @@ static int rtl8152_pre_reset(struct usb_
 	if (!netif_running(netdev))
 		return 0;
 
+	netif_stop_queue(netdev);
 	napi_disable(&tp->napi);
 	clear_bit(WORK_ENABLE, &tp->flags);
 	usb_kill_urb(tp->intr_urb);
 	cancel_delayed_work_sync(&tp->schedule);
 	if (netif_carrier_ok(netdev)) {
-		netif_stop_queue(netdev);
 		mutex_lock(&tp->control);
 		tp->rtl_ops.disable(tp);
 		mutex_unlock(&tp->control);
@@ -3421,10 +3425,10 @@ static int rtl8152_post_reset(struct usb
 		rtl_start_rx(tp);
 		rtl8152_set_rx_mode(netdev);
 		mutex_unlock(&tp->control);
-		netif_wake_queue(netdev);
 	}
 
 	napi_enable(&tp->napi);
+	netif_wake_queue(netdev);
 	usb_submit_urb(tp->intr_urb, GFP_KERNEL);
 
 	return 0;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 40/46] sctp: sctp_addr_id2transport should verify the addr before looking up assoc
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled Greg Kroah-Hartman
@ 2017-06-15 17:52 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 41/46] romfs: use different way to generate fsid for BLOCK or MTD Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Neil Horman,
	David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>


[ Upstream commit 6f29a130613191d3c6335169febe002cba00edf5 ]

sctp_addr_id2transport is a function for sockopt to look up assoc by
address. As the address is from userspace, it can be a v4-mapped v6
address. But in sctp protocol stack, it always handles a v4-mapped
v6 address as a v4 address. So it's necessary to convert it to a v4
address before looking up assoc by address.

This patch is to fix it by calling sctp_verify_addr in which it can do
this conversion before calling sctp_endpoint_lookup_assoc, just like
what sctp_sendmsg and __sctp_connect do for the address from users.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sctp/socket.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -235,8 +235,12 @@ static struct sctp_transport *sctp_addr_
 					      sctp_assoc_t id)
 {
 	struct sctp_association *addr_asoc = NULL, *id_asoc = NULL;
-	struct sctp_transport *transport;
+	struct sctp_af *af = sctp_get_af_specific(addr->ss_family);
 	union sctp_addr *laddr = (union sctp_addr *)addr;
+	struct sctp_transport *transport;
+
+	if (sctp_verify_addr(sk, laddr, af->sockaddr_len))
+		return NULL;
 
 	addr_asoc = sctp_endpoint_lookup_assoc(sctp_sk(sk)->ep,
 					       laddr,

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 41/46] romfs: use different way to generate fsid for BLOCK or MTD
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2017-06-15 17:52 ` [PATCH 4.4 40/46] sctp: sctp_addr_id2transport should verify the addr before looking up assoc Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 42/46] proc: add a schedule point in proc_pid_readdir() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Coly Li, Nong Li, Richard Weinberger,
	Andrew Morton, Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Coly Li <colyli@suse.de>


[ Upstream commit f598f82e204ec0b17797caaf1b0311c52d43fb9a ]

Commit 8a59f5d25265 ("fs/romfs: return f_fsid for statfs(2)") generates
a 64bit id from sb->s_bdev->bd_dev.  This is only correct when romfs is
defined with CONFIG_ROMFS_ON_BLOCK.  If romfs is only defined with
CONFIG_ROMFS_ON_MTD, sb->s_bdev is NULL, referencing sb->s_bdev->bd_dev
will triger an oops.

Richard Weinberger points out that when CONFIG_ROMFS_BACKED_BY_BOTH=y,
both CONFIG_ROMFS_ON_BLOCK and CONFIG_ROMFS_ON_MTD are defined.
Therefore when calling huge_encode_dev() to generate a 64bit id, I use
the follow order to choose parameter,

- CONFIG_ROMFS_ON_BLOCK defined
  use sb->s_bdev->bd_dev
- CONFIG_ROMFS_ON_BLOCK undefined and CONFIG_ROMFS_ON_MTD defined
  use sb->s_dev when,
- both CONFIG_ROMFS_ON_BLOCK and CONFIG_ROMFS_ON_MTD undefined
  leave id as 0

When CONFIG_ROMFS_ON_MTD is defined and sb->s_mtd is not NULL, sb->s_dev
is set to a device ID generated by MTD_BLOCK_MAJOR and mtd index,
otherwise sb->s_dev is 0.

This is a try-best effort to generate a uniq file system ID, if all the
above conditions are not meet, f_fsid of this romfs instance will be 0.
Generally only one romfs can be built on single MTD block device, this
method is enough to identify multiple romfs instances in a computer.

Link: http://lkml.kernel.org/r/1482928596-115155-1-git-send-email-colyli@suse.de
Signed-off-by: Coly Li <colyli@suse.de>
Reported-by: Nong Li <nongli1031@gmail.com>
Tested-by: Nong Li <nongli1031@gmail.com>
Cc: Richard Weinberger <richard.weinberger@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/romfs/super.c |   23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

--- a/fs/romfs/super.c
+++ b/fs/romfs/super.c
@@ -74,6 +74,7 @@
 #include <linux/highmem.h>
 #include <linux/pagemap.h>
 #include <linux/uaccess.h>
+#include <linux/major.h>
 #include "internal.h"
 
 static struct kmem_cache *romfs_inode_cachep;
@@ -415,7 +416,22 @@ static void romfs_destroy_inode(struct i
 static int romfs_statfs(struct dentry *dentry, struct kstatfs *buf)
 {
 	struct super_block *sb = dentry->d_sb;
-	u64 id = huge_encode_dev(sb->s_bdev->bd_dev);
+	u64 id = 0;
+
+	/* When calling huge_encode_dev(),
+	 * use sb->s_bdev->bd_dev when,
+	 *   - CONFIG_ROMFS_ON_BLOCK defined
+	 * use sb->s_dev when,
+	 *   - CONFIG_ROMFS_ON_BLOCK undefined and
+	 *   - CONFIG_ROMFS_ON_MTD defined
+	 * leave id as 0 when,
+	 *   - CONFIG_ROMFS_ON_BLOCK undefined and
+	 *   - CONFIG_ROMFS_ON_MTD undefined
+	 */
+	if (sb->s_bdev)
+		id = huge_encode_dev(sb->s_bdev->bd_dev);
+	else if (sb->s_dev)
+		id = huge_encode_dev(sb->s_dev);
 
 	buf->f_type = ROMFS_MAGIC;
 	buf->f_namelen = ROMFS_MAXFN;
@@ -488,6 +504,11 @@ static int romfs_fill_super(struct super
 	sb->s_flags |= MS_RDONLY | MS_NOATIME;
 	sb->s_op = &romfs_super_ops;
 
+#ifdef CONFIG_ROMFS_ON_MTD
+	/* Use same dev ID from the underlying mtdblock device */
+	if (sb->s_mtd)
+		sb->s_dev = MKDEV(MTD_BLOCK_MAJOR, sb->s_mtd->index);
+#endif
 	/* read the image superblock and check it */
 	rsb = kmalloc(512, GFP_KERNEL);
 	if (!rsb)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 42/46] proc: add a schedule point in proc_pid_readdir()
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 41/46] romfs: use different way to generate fsid for BLOCK or MTD Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 43/46] tipc: ignore requests when the connection state is not CONNECTED Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Andrew Morton,
	Linus Torvalds, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Eric Dumazet <edumazet@google.com>


[ Upstream commit 3ba4bceef23206349d4130ddf140819b365de7c8 ]

We have seen proc_pid_readdir() invocations holding cpu for more than 50
ms.  Add a cond_resched() to be gentle with other tasks.

[akpm@linux-foundation.org: coding style fix]
Link: http://lkml.kernel.org/r/1484238380.15816.42.camel@edumazet-glaptop3.roam.corp.google.com
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/proc/base.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -3058,6 +3058,8 @@ int proc_pid_readdir(struct file *file,
 	     iter.tgid += 1, iter = next_tgid(ns, iter)) {
 		char name[PROC_NUMBUF];
 		int len;
+
+		cond_resched();
 		if (!has_pid_permissions(ns, iter.task, 2))
 			continue;
 

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 43/46] tipc: ignore requests when the connection state is not CONNECTED
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 42/46] proc: add a schedule point in proc_pid_readdir() Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 44/46] xtensa: dont use linux IRQ #0 Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ying Xue, Jon Maloy, John Thompson,
	Parthasarathy Bhuvaragan, David S. Miller, Sasha Levin

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>


[ Upstream commit 4c887aa65d38633885010277f3482400681be719 ]

In tipc_conn_sendmsg(), we first queue the request to the outqueue
followed by the connection state check. If the connection is not
connected, we should not queue this message.

In this commit, we reject the messages if the connection state is
not CF_CONNECTED.

Acked-by: Ying Xue <ying.xue@windriver.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Tested-by: John Thompson <thompa.atl@gmail.com>
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/server.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/net/tipc/server.c
+++ b/net/tipc/server.c
@@ -452,6 +452,11 @@ int tipc_conn_sendmsg(struct tipc_server
 	if (!con)
 		return -EINVAL;
 
+	if (!test_bit(CF_CONNECTED, &con->flags)) {
+		conn_put(con);
+		return 0;
+	}
+
 	e = tipc_alloc_entry(data, len);
 	if (!e) {
 		conn_put(con);
@@ -465,12 +470,8 @@ int tipc_conn_sendmsg(struct tipc_server
 	list_add_tail(&e->list, &con->outqueue);
 	spin_unlock_bh(&con->outqueue_lock);
 
-	if (test_bit(CF_CONNECTED, &con->flags)) {
-		if (!queue_work(s->send_wq, &con->swork))
-			conn_put(con);
-	} else {
+	if (!queue_work(s->send_wq, &con->swork))
 		conn_put(con);
-	}
 	return 0;
 }
 
@@ -494,7 +495,7 @@ static void tipc_send_to_sock(struct tip
 	int ret;
 
 	spin_lock_bh(&con->outqueue_lock);
-	while (1) {
+	while (test_bit(CF_CONNECTED, &con->flags)) {
 		e = list_entry(con->outqueue.next, struct outqueue_entry,
 			       list);
 		if ((struct list_head *) e == &con->outqueue)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 44/46] xtensa: dont use linux IRQ #0
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 43/46] tipc: ignore requests when the connection state is not CONNECTED Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 45/46] s390/kvm: do not rely on the ILC on kvm host protection fauls Greg Kroah-Hartman
                   ` (3 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Max Filippov

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Max Filippov <jcmvbkbc@gmail.com>

commit e5c86679d5e864947a52fb31e45a425dea3e7fa9 upstream.

Linux IRQ #0 is reserved for error reporting and may not be used.
Increase NR_IRQS for one additional slot and increase
irq_domain_add_legacy parameter first_irq value to 1, so that linux
IRQ #0 is not associated with hardware IRQ #0 in legacy IRQ domains.
Introduce macro XTENSA_PIC_LINUX_IRQ for static translation of xtensa
PIC hardware IRQ # to linux IRQ #. Use this macro in XTFPGA platform
data definitions.

This fixes inability to use hardware IRQ #0 in configurations that don't
use device tree and allows for non-identity mapping between linux IRQ #
and hardware IRQ #.

Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/xtensa/include/asm/irq.h                            |    3 ++-
 arch/xtensa/kernel/irq.c                                 |    5 -----
 arch/xtensa/platforms/xtfpga/include/platform/hardware.h |    6 ++++--
 arch/xtensa/platforms/xtfpga/setup.c                     |   10 +++++-----
 drivers/irqchip/irq-xtensa-mx.c                          |    2 +-
 drivers/irqchip/irq-xtensa-pic.c                         |    2 +-
 6 files changed, 13 insertions(+), 15 deletions(-)

--- a/arch/xtensa/include/asm/irq.h
+++ b/arch/xtensa/include/asm/irq.h
@@ -29,7 +29,8 @@ static inline void variant_irq_disable(u
 # define PLATFORM_NR_IRQS 0
 #endif
 #define XTENSA_NR_IRQS XCHAL_NUM_INTERRUPTS
-#define NR_IRQS (XTENSA_NR_IRQS + VARIANT_NR_IRQS + PLATFORM_NR_IRQS)
+#define NR_IRQS (XTENSA_NR_IRQS + VARIANT_NR_IRQS + PLATFORM_NR_IRQS + 1)
+#define XTENSA_PIC_LINUX_IRQ(hwirq) ((hwirq) + 1)
 
 #if VARIANT_NR_IRQS == 0
 static inline void variant_init_irq(void) { }
--- a/arch/xtensa/kernel/irq.c
+++ b/arch/xtensa/kernel/irq.c
@@ -34,11 +34,6 @@ asmlinkage void do_IRQ(int hwirq, struct
 {
 	int irq = irq_find_mapping(NULL, hwirq);
 
-	if (hwirq >= NR_IRQS) {
-		printk(KERN_EMERG "%s: cannot handle IRQ %d\n",
-				__func__, hwirq);
-	}
-
 #ifdef CONFIG_DEBUG_STACKOVERFLOW
 	/* Debugging check for stack overflow: is there less than 1KB free? */
 	{
--- a/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
+++ b/arch/xtensa/platforms/xtfpga/include/platform/hardware.h
@@ -24,16 +24,18 @@
 
 /* Interrupt configuration. */
 
-#define PLATFORM_NR_IRQS	10
+#define PLATFORM_NR_IRQS	0
 
 /* Default assignment of LX60 devices to external interrupts. */
 
 #ifdef CONFIG_XTENSA_MX
 #define DUART16552_INTNUM	XCHAL_EXTINT3_NUM
 #define OETH_IRQ		XCHAL_EXTINT4_NUM
+#define C67X00_IRQ		XCHAL_EXTINT8_NUM
 #else
 #define DUART16552_INTNUM	XCHAL_EXTINT0_NUM
 #define OETH_IRQ		XCHAL_EXTINT1_NUM
+#define C67X00_IRQ		XCHAL_EXTINT5_NUM
 #endif
 
 /*
@@ -63,5 +65,5 @@
 
 #define C67X00_PADDR		(XCHAL_KIO_PADDR + 0x0D0D0000)
 #define C67X00_SIZE		0x10
-#define C67X00_IRQ		5
+
 #endif /* __XTENSA_XTAVNET_HARDWARE_H */
--- a/arch/xtensa/platforms/xtfpga/setup.c
+++ b/arch/xtensa/platforms/xtfpga/setup.c
@@ -209,8 +209,8 @@ static struct resource ethoc_res[] = {
 		.flags = IORESOURCE_MEM,
 	},
 	[2] = { /* IRQ number */
-		.start = OETH_IRQ,
-		.end   = OETH_IRQ,
+		.start = XTENSA_PIC_LINUX_IRQ(OETH_IRQ),
+		.end   = XTENSA_PIC_LINUX_IRQ(OETH_IRQ),
 		.flags = IORESOURCE_IRQ,
 	},
 };
@@ -246,8 +246,8 @@ static struct resource c67x00_res[] = {
 		.flags = IORESOURCE_MEM,
 	},
 	[1] = { /* IRQ number */
-		.start = C67X00_IRQ,
-		.end   = C67X00_IRQ,
+		.start = XTENSA_PIC_LINUX_IRQ(C67X00_IRQ),
+		.end   = XTENSA_PIC_LINUX_IRQ(C67X00_IRQ),
 		.flags = IORESOURCE_IRQ,
 	},
 };
@@ -280,7 +280,7 @@ static struct resource serial_resource =
 static struct plat_serial8250_port serial_platform_data[] = {
 	[0] = {
 		.mapbase	= DUART16552_PADDR,
-		.irq		= DUART16552_INTNUM,
+		.irq		= XTENSA_PIC_LINUX_IRQ(DUART16552_INTNUM),
 		.flags		= UPF_BOOT_AUTOCONF | UPF_SKIP_TEST |
 				  UPF_IOREMAP,
 		.iotype		= UPIO_MEM32,
--- a/drivers/irqchip/irq-xtensa-mx.c
+++ b/drivers/irqchip/irq-xtensa-mx.c
@@ -142,7 +142,7 @@ static struct irq_chip xtensa_mx_irq_chi
 int __init xtensa_mx_init_legacy(struct device_node *interrupt_parent)
 {
 	struct irq_domain *root_domain =
-		irq_domain_add_legacy(NULL, NR_IRQS, 0, 0,
+		irq_domain_add_legacy(NULL, NR_IRQS - 1, 1, 0,
 				&xtensa_mx_irq_domain_ops,
 				&xtensa_mx_irq_chip);
 	irq_set_default_host(root_domain);
--- a/drivers/irqchip/irq-xtensa-pic.c
+++ b/drivers/irqchip/irq-xtensa-pic.c
@@ -89,7 +89,7 @@ static struct irq_chip xtensa_irq_chip =
 int __init xtensa_pic_init_legacy(struct device_node *interrupt_parent)
 {
 	struct irq_domain *root_domain =
-		irq_domain_add_legacy(NULL, NR_IRQS, 0, 0,
+		irq_domain_add_legacy(NULL, NR_IRQS - 1, 1, 0,
 				&xtensa_irq_domain_ops, &xtensa_irq_chip);
 	irq_set_default_host(root_domain);
 	return 0;

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 45/46] s390/kvm: do not rely on the ILC on kvm host protection fauls
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 44/46] xtensa: dont use linux IRQ #0 Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 17:53 ` [PATCH 4.4 46/46] sparc64: make string buffers large enough Greg Kroah-Hartman
                   ` (2 subsequent siblings)
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Borntraeger, Martin Schwidefsky

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Christian Borntraeger <borntraeger@de.ibm.com>

commit c0e7bb38c07cbd8269549ee0a0566021a3c729de upstream.

For most cases a protection exception in the host (e.g. copy
on write or dirty tracking) on the sie instruction will indicate
an instruction length of 4. Turns out that there are some corner
cases (e.g. runtime instrumentation) where this is not necessarily
true and the ILC is unpredictable.

Let's replace our 4 byte rewind_pad with 3 byte nops to prepare for
all possible ILCs.

Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/s390/kernel/entry.S |   19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)

--- a/arch/s390/kernel/entry.S
+++ b/arch/s390/kernel/entry.S
@@ -229,12 +229,17 @@ ENTRY(sie64a)
 	lctlg	%c1,%c1,__LC_USER_ASCE		# load primary asce
 .Lsie_done:
 # some program checks are suppressing. C code (e.g. do_protection_exception)
-# will rewind the PSW by the ILC, which is 4 bytes in case of SIE. Other
-# instructions between sie64a and .Lsie_done should not cause program
-# interrupts. So lets use a nop (47 00 00 00) as a landing pad.
+# will rewind the PSW by the ILC, which is often 4 bytes in case of SIE. There
+# are some corner cases (e.g. runtime instrumentation) where ILC is unpredictable.
+# Other instructions between sie64a and .Lsie_done should not cause program
+# interrupts. So lets use 3 nops as a landing pad for all possible rewinds.
 # See also .Lcleanup_sie
-.Lrewind_pad:
-	nop	0
+.Lrewind_pad6:
+	nopr	7
+.Lrewind_pad4:
+	nopr	7
+.Lrewind_pad2:
+	nopr	7
 	.globl sie_exit
 sie_exit:
 	lg	%r14,__SF_EMPTY+8(%r15)		# load guest register save area
@@ -247,7 +252,9 @@ sie_exit:
 	stg	%r14,__SF_EMPTY+16(%r15)	# set exit reason code
 	j	sie_exit
 
-	EX_TABLE(.Lrewind_pad,.Lsie_fault)
+	EX_TABLE(.Lrewind_pad6,.Lsie_fault)
+	EX_TABLE(.Lrewind_pad4,.Lsie_fault)
+	EX_TABLE(.Lrewind_pad2,.Lsie_fault)
 	EX_TABLE(sie_exit,.Lsie_fault)
 #endif
 

^ permalink raw reply	[flat|nested] 54+ messages in thread

* [PATCH 4.4 46/46] sparc64: make string buffers large enough
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 45/46] s390/kvm: do not rely on the ILC on kvm host protection fauls Greg Kroah-Hartman
@ 2017-06-15 17:53 ` Greg Kroah-Hartman
  2017-06-15 22:24 ` [PATCH 4.4 00/46] 4.4.73-stable review Shuah Khan
  2017-06-16  0:39 ` Guenter Roeck
  44 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-15 17:53 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, David S. Miller,
	Waldemar Brodkorb

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Dan Carpenter <dan.carpenter@oracle.com>

commit b5c3206190f1fddd100b3060eb15f0d775ffeab8 upstream.

My static checker complains that if "lvl" is ULONG_MAX (this is 64 bit)
then some of the strings will overflow.  I don't know if that's possible
but it seems simple enough to make the buffers slightly larger.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Waldemar Brodkorb <wbx@openadk.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/sparc/kernel/traps_64.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/sparc/kernel/traps_64.c
+++ b/arch/sparc/kernel/traps_64.c
@@ -85,7 +85,7 @@ static void dump_tl1_traplog(struct tl1_
 
 void bad_trap(struct pt_regs *regs, long lvl)
 {
-	char buffer[32];
+	char buffer[36];
 	siginfo_t info;
 
 	if (notify_die(DIE_TRAP, "bad trap", regs,
@@ -116,7 +116,7 @@ void bad_trap(struct pt_regs *regs, long
 
 void bad_trap_tl1(struct pt_regs *regs, long lvl)
 {
-	char buffer[32];
+	char buffer[36];
 	
 	if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
 		       0, lvl, SIGTRAP) == NOTIFY_STOP)

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 00/46] 4.4.73-stable review
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2017-06-15 17:53 ` [PATCH 4.4 46/46] sparc64: make string buffers large enough Greg Kroah-Hartman
@ 2017-06-15 22:24 ` Shuah Khan
  2017-06-16  0:39 ` Guenter Roeck
  44 siblings, 0 replies; 54+ messages in thread
From: Shuah Khan @ 2017-06-15 22:24 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, stable, Shuah Khan

On 06/15/2017 11:52 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.73 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat Jun 17 17:51:59 UTC 2017.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.73-rc1.gz
> or in the git tree and branch at:
>   git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 00/46] 4.4.73-stable review
  2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2017-06-15 22:24 ` [PATCH 4.4 00/46] 4.4.73-stable review Shuah Khan
@ 2017-06-16  0:39 ` Guenter Roeck
  44 siblings, 0 replies; 54+ messages in thread
From: Guenter Roeck @ 2017-06-16  0:39 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuahkh, patches, ben.hutchings, stable

On 06/15/2017 10:52 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.73 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Sat Jun 17 17:51:59 UTC 2017.
> Anything received after that time might be too late.
> 

Build results:
	total: 145 pass: 145 fail: 0
Qemu test results:
	total: 115 pass: 115 fail: 0

Details are available at http://kerneltests.org/builders.

Guenter

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire.
  2017-06-15 17:52 ` [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
@ 2017-06-29 12:13   ` Ben Hutchings
  2017-06-29 12:35     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 54+ messages in thread
From: Ben Hutchings @ 2017-06-29 12:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, David S. Miller
  Cc: linux-kernel, stable, Jonathan T. Leighton, Sasha Levin

On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: "Jonathan T. Leighton" <jtleight@udel.edu>
> 
> 
> [ Upstream commit ec5e3b0a1d41fbda0cc33a45bc9e54e91d9d12c7 ]
> 
> This patch adds a check for the problematic case of an IPv4-mapped IPv6
> source address and a destination address that is neither an IPv4-mapped
> IPv6 address nor in6addr_any, and returns an appropriate error. The
> check in done before returning from looking up the route.

I think this needs to be followed by:

commit 00ea1ceebe0d9f2dc1cc2b7bd575a00100c27869
Author: Willem de Bruijn <willemb@google.com>
Date:   Sat Feb 18 19:00:45 2017 -0500

    ipv6: release dst on error in ip6_dst_lookup_tail

Ben.

> Signed-off-by: Jonathan T. Leighton <jtleight@udel.edu>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  net/ipv6/ip6_output.c |    3 +++
>  1 file changed, 3 insertions(+)
> 
> --- a/net/ipv6/ip6_output.c
> +++ b/net/ipv6/ip6_output.c
> @@ -1004,6 +1004,9 @@ static int ip6_dst_lookup_tail(struct ne
>  		}
>  	}
>  #endif
> +	if (ipv6_addr_v4mapped(&fl6->saddr) &&
> +	    !(ipv6_addr_v4mapped(&fl6->daddr) || ipv6_addr_any(&fl6->daddr)))
> +		return -EAFNOSUPPORT;
>  
>  	return 0;
>  
> 
> 
> 

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire.
  2017-06-29 12:13   ` Ben Hutchings
@ 2017-06-29 12:35     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-06-29 12:35 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: David S. Miller, linux-kernel, stable, Jonathan T. Leighton, Sasha Levin

On Thu, Jun 29, 2017 at 01:13:35PM +0100, Ben Hutchings wrote:
> On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: "Jonathan T. Leighton" <jtleight@udel.edu>
> > 
> > 
> > [ Upstream commit ec5e3b0a1d41fbda0cc33a45bc9e54e91d9d12c7 ]
> > 
> > This patch adds a check for the problematic case of an IPv4-mapped IPv6
> > source address and a destination address that is neither an IPv4-mapped
> > IPv6 address nor in6addr_any, and returns an appropriate error. The
> > check in done before returning from looking up the route.
> 
> I think this needs to be followed by:
> 
> commit 00ea1ceebe0d9f2dc1cc2b7bd575a00100c27869
> Author: Willem de Bruijn <willemb@google.com>
> Date:   Sat Feb 18 19:00:45 2017 -0500
> 
>     ipv6: release dst on error in ip6_dst_lookup_tail
> 
> Ben.

Ah, nice catch.  Same thing goes for 4.9-stable, I'll go queue these up
there, thanks!

greg k-h

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A
  2017-06-15 17:52 ` [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A Greg Kroah-Hartman
@ 2017-06-29 13:45   ` Ben Hutchings
  2017-07-03  7:27     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 54+ messages in thread
From: Ben Hutchings @ 2017-06-29 13:45 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Y.C. Chen, Dave Airlie, Russell Currey
  Cc: linux-kernel, stable, Sasha Levin

On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: "Y.C. Chen" <yc_chen@aspeedtech.com>
> 
> 
> [ Upstream commit 6c971c09f38704513c426ba6515f22fb3d6c87d5 ]
> 
> The original ast driver will access some BMC configuration through P2A bridge
> that can be disabled since AST2300 and after.
> It will cause system hanged if P2A bridge is disabled.
> Here is the update to fix it.
[...]

Shouldn't this be followed by:

commit 71f677a91046599ece96ebab21df956ce909c456
Author: Russell Currey <ruscur@russell.cc>
Date:   Fri Feb 17 14:33:01 2017 +1100

    drm/ast: Handle configuration without P2A bridge

?

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings
  2017-06-15 17:52 ` [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings Greg Kroah-Hartman
@ 2017-06-29 13:58   ` Ben Hutchings
  2017-07-03 12:52     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 54+ messages in thread
From: Ben Hutchings @ 2017-06-29 13:58 UTC (permalink / raw)
  To: Greg Kroah-Hartman, Kazuya Mizuguchi, Simon Horman
  Cc: linux-kernel, stable, Sergei Shtylyov, David S. Miller, Sasha Levin

On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> 
> 
> [ Upstream commit a47b70ea86bdeb3091341f5ae3ef580f1a1ad822 ]
> 
> "swiotlb buffer is full" errors occur after repeated initialisation of a
> device - f.e. suspend/resume or ip link set up/down. This is because memory
> mapped using dma_map_single() in ravb_ring_format() and ravb_start_xmit()
> is not released.  Resolve this problem by unmapping descriptors when
> freeing rings.

This should be followed by:

commit 79514ef670e9e575a1fe36922268c439d0f0ca8a
Author: Eugeniu Rosca <erosca@de.adit-jv.com>
Date:   Tue Jun 6 00:08:10 2017 +0200

    ravb: Fix use-after-free on `ifconfig eth0 down`

But also, this loop looks wrong:

[...]
>  	if (priv->rx_ring[q]) {
> +		for (i = 0; i < priv->num_rx_ring[q]; i++) {
> +			struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i];
> +
> +			if (!dma_mapping_error(ndev->dev.parent,
> +					       le32_to_cpu(desc->dptr)))
> +				dma_unmap_single(ndev->dev.parent,
> +						 le32_to_cpu(desc->dptr),
> +						 PKT_BUF_SZ,
> +						 DMA_FROM_DEVICE);
> +		}
[...]

It's possible that the driver hasn't filled (or attempted to fill or
refill) every RX descriptor, so this could result in a double-unmap.  I
think this needs to use cur_rx and dirty_rx to determine which
descriptors to process.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 37/46] r8152: re-schedule napi for tx
  2017-06-15 17:52 ` [PATCH 4.4 37/46] r8152: re-schedule napi for tx Greg Kroah-Hartman
@ 2017-06-29 14:23   ` Ben Hutchings
  0 siblings, 0 replies; 54+ messages in thread
From: Ben Hutchings @ 2017-06-29 14:23 UTC (permalink / raw)
  To: Hayes Wang
  Cc: linux-kernel, stable, David S. Miller, Sasha Levin, Greg Kroah-Hartman

On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: hayeswang <hayeswang@realtek.com>
> 
> 
> [ Upstream commit 248b213ad908b88db15941202ef7cb7eb137c1a0 ]
> 
> Re-schedule napi after napi_complete() for tx, if it is necessay.
> 
> In r8152_poll(), if the tx is completed after tx_bottom() and before
> napi_complete(), the scheduling of napi would be lost. Then, no
> one handles the next tx until the next napi_schedule() is called.
[...]

This (and other) tests of list_empty() aren't going to be reliable
unless you take the same spinlock used when enqueueing packets.
Alternately you could count packets added and removed from the driver
internal queues and then you should only need memory barriers for
synchronisation when comparing counters.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled
  2017-06-15 17:52 ` [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled Greg Kroah-Hartman
@ 2017-06-29 14:35   ` Ben Hutchings
  0 siblings, 0 replies; 54+ messages in thread
From: Ben Hutchings @ 2017-06-29 14:35 UTC (permalink / raw)
  To: Hayes Wang
  Cc: linux-kernel, stable, David S. Miller, Sasha Levin, Greg Kroah-Hartman

On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> 4.4-stable review patch.  If anyone has any objections, please let me know.
> 
> ------------------
> 
> From: hayeswang <hayeswang@realtek.com>
> 
> 
> [ Upstream commit de9bf29dd6e4a8a874cb92f8901aed50a9d0b1d3 ]
> 
> Stop the tx when the napi is disabled to prevent napi_schedule() is
> called.
[...]
> +	netif_stop_queue(netdev);
>  	napi_disable(&tp->napi);
[...]

netif_stop_queue() is not synchronous, so you probably need
netif_tx_disable() instead.

Ben.

-- 
Ben Hutchings
Software Developer, Codethink Ltd.

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A
  2017-06-29 13:45   ` Ben Hutchings
@ 2017-07-03  7:27     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-07-03  7:27 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Y.C. Chen, Dave Airlie, Russell Currey, linux-kernel, stable,
	Sasha Levin

On Thu, Jun 29, 2017 at 02:45:45PM +0100, Ben Hutchings wrote:
> On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: "Y.C. Chen" <yc_chen@aspeedtech.com>
> > 
> > 
> > [ Upstream commit 6c971c09f38704513c426ba6515f22fb3d6c87d5 ]
> > 
> > The original ast driver will access some BMC configuration through P2A bridge
> > that can be disabled since AST2300 and after.
> > It will cause system hanged if P2A bridge is disabled.
> > Here is the update to fix it.
> [...]
> 
> Shouldn't this be followed by:
> 
> commit 71f677a91046599ece96ebab21df956ce909c456
> Author: Russell Currey <ruscur@russell.cc>
> Date:   Fri Feb 17 14:33:01 2017 +1100
> 
>     drm/ast: Handle configuration without P2A bridge
> 
> ?

Looks like it to me, now queued up, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 54+ messages in thread

* Re: [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings
  2017-06-29 13:58   ` Ben Hutchings
@ 2017-07-03 12:52     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 54+ messages in thread
From: Greg Kroah-Hartman @ 2017-07-03 12:52 UTC (permalink / raw)
  To: Ben Hutchings
  Cc: Kazuya Mizuguchi, Simon Horman, linux-kernel, stable,
	Sergei Shtylyov, David S. Miller, Sasha Levin

On Thu, Jun 29, 2017 at 02:58:09PM +0100, Ben Hutchings wrote:
> On Thu, 2017-06-15 at 19:52 +0200, Greg Kroah-Hartman wrote:
> > 4.4-stable review patch.  If anyone has any objections, please let me know.
> > 
> > ------------------
> > 
> > From: Kazuya Mizuguchi <kazuya.mizuguchi.ks@renesas.com>
> > 
> > 
> > [ Upstream commit a47b70ea86bdeb3091341f5ae3ef580f1a1ad822 ]
> > 
> > "swiotlb buffer is full" errors occur after repeated initialisation of a
> > device - f.e. suspend/resume or ip link set up/down. This is because memory
> > mapped using dma_map_single() in ravb_ring_format() and ravb_start_xmit()
> > is not released.  Resolve this problem by unmapping descriptors when
> > freeing rings.
> 
> This should be followed by:
> 
> commit 79514ef670e9e575a1fe36922268c439d0f0ca8a
> Author: Eugeniu Rosca <erosca@de.adit-jv.com>
> Date:   Tue Jun 6 00:08:10 2017 +0200
> 
>     ravb: Fix use-after-free on `ifconfig eth0 down`

Thanks, now queued up.

> But also, this loop looks wrong:
> 
> [...]
> >  	if (priv->rx_ring[q]) {
> > +		for (i = 0; i < priv->num_rx_ring[q]; i++) {
> > +			struct ravb_ex_rx_desc *desc = &priv->rx_ring[q][i];
> > +
> > +			if (!dma_mapping_error(ndev->dev.parent,
> > +					       le32_to_cpu(desc->dptr)))
> > +				dma_unmap_single(ndev->dev.parent,
> > +						 le32_to_cpu(desc->dptr),
> > +						 PKT_BUF_SZ,
> > +						 DMA_FROM_DEVICE);
> > +		}
> [...]
> 
> It's possible that the driver hasn't filled (or attempted to fill or
> refill) every RX descriptor, so this could result in a double-unmap.  I
> think this needs to use cur_rx and dirty_rx to determine which
> descriptors to process.

I'll let Kazuya fix that :)

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 54+ messages in thread

end of thread, other threads:[~2017-07-03 12:52 UTC | newest]

Thread overview: 54+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-06-15 17:52 [PATCH 4.4 00/46] 4.4.73-stable review Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 01/46] s390/vmem: fix identity mapping Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 02/46] partitions/msdos: FreeBSD UFS2 file systems are not recognized Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 03/46] ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 04/46] staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 05/46] Call echo service immediately after socket reconnect Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 06/46] net: xilinx_emaclite: fix freezes due to unordered I/O Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 07/46] net: xilinx_emaclite: fix receive buffer overflow Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 08/46] ipv6: Handle IPv4-mapped src to in6addr_any dst Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 09/46] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
2017-06-29 12:13   ` Ben Hutchings
2017-06-29 12:35     ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 10/46] NET: Fix /proc/net/arp for AX.25 Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 11/46] NET: mkiss: Fix panic Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 12/46] net: hns: Fix the device being used for dma mapping during TX Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 15/46] i2c: piix4: Fix request_region size Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 17/46] PM / runtime: Avoid false-positive warnings from might_sleep_if() Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 18/46] jump label: pass kbuild_cflags when checking for asm goto support Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 19/46] kasan: respect /proc/sys/kernel/traceoff_on_warning Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 20/46] log2: make order_base_2() behave correctly on const input value zero Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 21/46] ethtool: do not vzalloc(0) on registers dump Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 22/46] fscache: Fix dead object requeue Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 23/46] fscache: Clear outstanding writes when disabling a cookie Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 24/46] FS-Cache: Initialise stores_lock in netfs cookie Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 25/46] ipv6: fix flow labels when the traffic class is non-0 Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 26/46] drm/nouveau: prevent userspace from deleting client object Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 27/46] drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 28/46] net/mlx4_core: Avoid command timeouts during VF driver device shutdown Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 29/46] gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 30/46] pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 31/46] net: adaptec: starfire: add checks for dma mapping errors Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 32/46] parisc, parport_gsc: Fixes for printk continuation lines Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 33/46] drm/nouveau: Dont enabling polling twice on runtime resume Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 34/46] drm/ast: Fixed system hanged if disable P2A Greg Kroah-Hartman
2017-06-29 13:45   ` Ben Hutchings
2017-07-03  7:27     ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 35/46] ravb: unmap descriptors when freeing rings Greg Kroah-Hartman
2017-06-29 13:58   ` Ben Hutchings
2017-07-03 12:52     ` Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 36/46] nfs: Fix "Dont increment lock sequence ID after NFS4ERR_MOVED" Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 37/46] r8152: re-schedule napi for tx Greg Kroah-Hartman
2017-06-29 14:23   ` Ben Hutchings
2017-06-15 17:52 ` [PATCH 4.4 38/46] r8152: fix rtl8152_post_reset function Greg Kroah-Hartman
2017-06-15 17:52 ` [PATCH 4.4 39/46] r8152: avoid start_xmit to schedule napi when napi is disabled Greg Kroah-Hartman
2017-06-29 14:35   ` Ben Hutchings
2017-06-15 17:52 ` [PATCH 4.4 40/46] sctp: sctp_addr_id2transport should verify the addr before looking up assoc Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 41/46] romfs: use different way to generate fsid for BLOCK or MTD Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 42/46] proc: add a schedule point in proc_pid_readdir() Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 43/46] tipc: ignore requests when the connection state is not CONNECTED Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 44/46] xtensa: dont use linux IRQ #0 Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 45/46] s390/kvm: do not rely on the ILC on kvm host protection fauls Greg Kroah-Hartman
2017-06-15 17:53 ` [PATCH 4.4 46/46] sparc64: make string buffers large enough Greg Kroah-Hartman
2017-06-15 22:24 ` [PATCH 4.4 00/46] 4.4.73-stable review Shuah Khan
2017-06-16  0:39 ` Guenter Roeck

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).