Hello community, here is the log from the commit of package kernel-source for openSUSE:Factory checked in at 2017-10-24 22:20:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kernel-source (Old) and /work/SRC/openSUSE:Factory/.kernel-source.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kernel-source" Tue Oct 24 22:20:44 2017 rev:385 rq:535943 version:4.13.9 Changes: -------- --- /work/SRC/openSUSE:Factory/kernel-source/dtb-aarch64.changes 2017-10-20 14:40:37.062985255 +0200 +++ /work/SRC/openSUSE:Factory/.kernel-source.new/dtb-aarch64.changes 2017-10-24 22:20:47.767655014 +0200 @@ -1,0 +2,41 @@ +Mon Oct 23 11:38:06 CEST 2017 - [email protected] + +- futex: do not fail on invalid op (bnc#1064590). +- commit e7d7106 + +------------------------------------------------------------------- +Sun Oct 22 09:24:14 CEST 2017 - [email protected] + +- Linux 4.13.9 (bnc#1012628). +- vmbus: more host signalling avoidance (bnc#1012628). +- vmbus: eliminate duplicate cached index (bnc#1012628). +- vmbus: refactor hv_signal_on_read (bnc#1012628). +- vmbus: simplify hv_ringbuffer_read (bnc#1012628). +- Drivers: hv: vmbus: Fix bugs in rescind handling (bnc#1012628). +- Drivers: hv: vmbus: Fix rescind handling issues (bnc#1012628). +- HID: hid-elecom: extend to fix descriptor for HUGE trackball + (bnc#1012628). +- mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE + outside of lock (bnc#1012628). +- perf pmu: Unbreak perf record for arm/arm64 with events with + explicit PMU (bnc#1012628). +- x86/apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" + on hypervisors (bnc#1012628). +- x86/apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" + on CPUs without the feature (bnc#1012628). +- commit abdc07c + +------------------------------------------------------------------- +Wed Oct 18 19:36:39 CEST 2017 - [email protected] + +- mac80211: accept key reinstall without changing anything (CVE-2017-13080 bsc#1063667). +- commit 7aed50c + +------------------------------------------------------------------- +Wed Oct 18 12:43:48 CEST 2017 - [email protected] + +- ALSA: hda: Abort capability probe at invalid register read + (bsc#1064017). +- commit d1f5e26 + +------------------------------------------------------------------- dtb-armv6l.changes: same change dtb-armv7l.changes: same change kernel-64kb.changes: same change kernel-debug.changes: same change kernel-default.changes: same change kernel-docs.changes: same change kernel-lpae.changes: same change kernel-obs-build.changes: same change kernel-obs-qa.changes: same change kernel-pae.changes: same change kernel-source.changes: same change kernel-syms.changes: same change kernel-syzkaller.changes: same change kernel-vanilla.changes: same change kernel-zfcpdump.changes: same change ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ dtb-aarch64.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.359346892 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.363346705 +0200 @@ -17,7 +17,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -29,9 +29,9 @@ %(chmod +x %_sourcedir/{guards,apply-patches,check-for-config-changes,group-source-files.pl,split-modules,modversions,kabi.pl,mkspec,compute-PATCHVERSION.sh,arch-symbols,log.sh,try-disable-staging-driver,compress-vmlinux.sh,mkspec-dtb}) Name: dtb-aarch64 -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif dtb-armv6l.spec: same change dtb-armv7l.spec: same change ++++++ kernel-64kb.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.527339039 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.535338665 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with 64kb PAGE_SIZE License: GPL-2.0 Group: System/Kernel -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif kernel-debug.spec: same change kernel-default.spec: same change ++++++ kernel-docs.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.635333991 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.643333617 +0200 @@ -17,7 +17,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -31,9 +31,9 @@ Summary: Kernel Documentation License: GPL-2.0 Group: Documentation/Man -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-lpae.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.691331374 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.695331187 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel for LPAE enabled systems License: GPL-2.0 Group: System/Kernel -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-obs-build.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.727329691 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.731329504 +0200 @@ -19,7 +19,7 @@ #!BuildIgnore: post-build-checks -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -57,9 +57,9 @@ Summary: package kernel and initrd for OBS VM builds License: GPL-2.0 Group: SLES -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-obs-qa.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.755328382 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.759328195 +0200 @@ -17,7 +17,7 @@ # needsrootforbuild -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %include %_sourcedir/kernel-spec-macros @@ -36,9 +36,9 @@ Summary: Basic QA tests for the kernel License: GPL-2.0 Group: SLES -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-pae.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.791326699 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.791326699 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel with PAE Support License: GPL-2.0 Group: System/Kernel -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-source.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.831324830 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.847324082 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -30,9 +30,9 @@ Summary: The Linux Kernel Sources License: GPL-2.0 Group: Development/Sources -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-syms.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.899321651 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.903321465 +0200 @@ -24,10 +24,10 @@ Summary: Kernel Symbol Versions (modversions) License: GPL-2.0 Group: Development/Sources -Version: 4.13.8 +Version: 4.13.9 %if %using_buildservice %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif ++++++ kernel-syzkaller.spec ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:54.935319969 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:54.955319034 +0200 @@ -18,7 +18,7 @@ %define srcversion 4.13 -%define patchversion 4.13.8 +%define patchversion 4.13.9 %define variant %{nil} %define vanilla_only 0 @@ -58,9 +58,9 @@ Summary: Kernel used for fuzzing by syzkaller License: GPL-2.0 Group: System/Kernel -Version: 4.13.8 +Version: 4.13.9 %if 0%{?is_kotd} -Release: <RELEASE>.g569e26e +Release: <RELEASE>.ge7d7106 %else Release: 0 %endif kernel-vanilla.spec: same change kernel-zfcpdump.spec: same change ++++++ patches.drivers.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.drivers/ALSA-hda-Abort-capability-probe-at-invalid-register- new/patches.drivers/ALSA-hda-Abort-capability-probe-at-invalid-register- --- old/patches.drivers/ALSA-hda-Abort-capability-probe-at-invalid-register- 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.drivers/ALSA-hda-Abort-capability-probe-at-invalid-register- 2017-10-18 12:43:48.000000000 +0200 @@ -0,0 +1,49 @@ +From 098a0a62c1554f5a3813ef1b8539563214ada8f6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <[email protected]> +Date: Tue, 17 Oct 2017 16:38:55 +0200 +Subject: [PATCH] ALSA: hda: Abort capability probe at invalid register read +Patch-mainline: Queued in subsystem maintainer repository +Git-commit: 098a0a62c1554f5a3813ef1b8539563214ada8f6 +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound.git +References: bsc#1064017 + +The loop in snd_hdac_bus_parse_capabilities() may go to nirvana when +it hits an invalid register value read: + + BUG: unable to handle kernel paging request at ffffad5dc41f3fff + IP: pci_azx_readl+0x5/0x10 [snd_hda_intel] + Call Trace: + snd_hdac_bus_parse_capabilities+0x3c/0x1f0 [snd_hda_core] + azx_probe_continue+0x7d5/0x940 [snd_hda_intel] + ..... + +This happened on a new Intel machine, and we need to check the value +and abort the loop accordingly. + +[note: the fixes tag below indicates only the commit where this patch + can be applied; the original problem was introduced even before that + commit] + +Fixes: 6720b38420a0 ("ALSA: hda - move bus_parse_capabilities to core") +Cc: <[email protected]> +Acked-by: Vinod Koul <[email protected]> +Signed-off-by: Takashi Iwai <[email protected]> + +--- + sound/hda/hdac_controller.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/hda/hdac_controller.c ++++ b/sound/hda/hdac_controller.c +@@ -284,6 +284,11 @@ int snd_hdac_bus_parse_capabilities(stru + dev_dbg(bus->dev, "HDA capability ID: 0x%x\n", + (cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF); + ++ if (cur_cap == -1) { ++ dev_dbg(bus->dev, "Invalid capability reg read\n"); ++ break; ++ } ++ + switch ((cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF) { + case AZX_ML_CAP_ID: + dev_dbg(bus->dev, "Found ML capability\n"); ++++++ patches.fixes.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch new/patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch --- old/patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch 2017-10-18 22:21:40.000000000 +0200 @@ -0,0 +1,76 @@ +From: Johannes Berg <[email protected]> +Date: Tue, 5 Sep 2017 14:54:54 +0200 +Subject: [PATCH] mac80211: accept key reinstall without changing anything +Git-commit: fdf7cb4185b60c68e1a75e61691c4afdc15dea0e +Patch-mainline: Queued +Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git +References: CVE-2017-13080 bsc#1063667 + +When a key is reinstalled we can reset the replay counters +etc. which can lead to nonce reuse and/or replay detection +being impossible, breaking security properties, as described +in the "KRACK attacks". + +In particular, CVE-2017-13080 applies to GTK rekeying that +happened in firmware while the host is in D3, with the second +part of the attack being done after the host wakes up. In +this case, the wpa_supplicant mitigation isn't sufficient +since wpa_supplicant doesn't know the GTK material. + +In case this happens, simply silently accept the new key +coming from userspace but don't take any action on it since +it's the same key; this keeps the PN replay counters intact. + +Signed-off-by: Johannes Berg <[email protected]> +Signed-off-by: Luis R. Rodriguez <[email protected]> +--- + net/mac80211/key.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +diff --git a/net/mac80211/key.c b/net/mac80211/key.c +index 44388d6a1d8e..14f9e2211995 100644 +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -617,9 +617,6 @@ int ieee80211_key_link(struct ieee80211_key *key, + + pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; + idx = key->conf.keyidx; +- key->local = sdata->local; +- key->sdata = sdata; +- key->sta = sta; + + mutex_lock(&sdata->local->key_mtx); + +@@ -630,6 +627,21 @@ int ieee80211_key_link(struct ieee80211_key *key, + else + old_key = key_mtx_dereference(sdata->local, sdata->keys[idx]); + ++ /* ++ * Silently accept key re-installation without really installing the ++ * new version of the key to avoid nonce reuse or replay issues. ++ */ ++ if (old_key && key->conf.keylen == old_key->conf.keylen && ++ !memcmp(key->conf.key, old_key->conf.key, key->conf.keylen)) { ++ ieee80211_key_free_unused(key); ++ ret = 0; ++ goto out; ++ } ++ ++ key->local = sdata->local; ++ key->sdata = sdata; ++ key->sta = sta; ++ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +@@ -645,6 +657,7 @@ int ieee80211_key_link(struct ieee80211_key *key, + ret = 0; + } + ++ out: + mutex_unlock(&sdata->local->key_mtx); + + return ret; +-- +2.14.2 + ++++++ patches.kernel.org.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-001-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch new/patches.kernel.org/4.13.9-001-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch --- old/patches.kernel.org/4.13.9-001-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-001-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,63 @@ +From: Hans de Goede <[email protected]> +Date: Wed, 30 Aug 2017 12:58:11 +0200 +Subject: [PATCH] x86/apic: Silence "FW_BUG TSC_DEADLINE disabled due to + Errata" on CPUs without the feature +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 594a30fb12424717a41c62323d2a8bf167dbccad + +commit 594a30fb12424717a41c62323d2a8bf167dbccad upstream. + +When booting 4.13 on a VirtualBox VM on a Skylake host the following +error shows up in the logs: + + [ 0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; + please update microcode to version: 0xb2 (or later) + +This is caused by apic_check_deadline_errata() only checking CPU model +and not the X86_FEATURE_TSC_DEADLINE_TIMER flag (which VirtualBox does +NOT export to the guest), combined with VirtualBox not exporting the +micro-code version to the guest. + +This commit adds a check for X86_FEATURE_TSC_DEADLINE_TIMER to +apic_check_deadline_errata(), silencing this error on VirtualBox VMs. + +Signed-off-by: Hans de Goede <[email protected]> +Acked-by: Thomas Gleixner <[email protected]> +Cc: Frank Mehnert <[email protected]> +Cc: Linus Torvalds <[email protected]> +Cc: Michael Thayer <[email protected]> +Cc: Michal Necasek <[email protected]> +Cc: Peter Zijlstra <[email protected]> +Fixes: bd9240a18e ("x86/apic: Add TSC_DEADLINE quirk due to errata") +Link: http://lkml.kernel.org/r/[email protected] +Signed-off-by: Ingo Molnar <[email protected]> +Signed-off-by: Paolo Bonzini <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + arch/x86/kernel/apic/apic.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index 98b3dd8cf2bf..b3273c842850 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -599,9 +599,13 @@ static const struct x86_cpu_id deadline_match[] = { + + static void apic_check_deadline_errata(void) + { +- const struct x86_cpu_id *m = x86_match_cpu(deadline_match); ++ const struct x86_cpu_id *m; + u32 rev; + ++ if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER)) ++ return; ++ ++ m = x86_match_cpu(deadline_match); + if (!m) + return; + +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-002-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch new/patches.kernel.org/4.13.9-002-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch --- old/patches.kernel.org/4.13.9-002-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-002-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,58 @@ +From: Paolo Bonzini <[email protected]> +Date: Tue, 10 Oct 2017 12:12:57 +0200 +Subject: [PATCH] x86/apic: Silence "FW_BUG TSC_DEADLINE disabled due to + Errata" on hypervisors +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: cc6afe2240298049585e86b1ade85efc8a7f225d + +commit cc6afe2240298049585e86b1ade85efc8a7f225d upstream. + +Commit 594a30fb1242 ("x86/apic: Silence "FW_BUG TSC_DEADLINE disabled +due to Errata" on CPUs without the feature", 2017-08-30) was also about +silencing the warning on VirtualBox; however, KVM does expose the TSC +deadline timer, and it's virtualized so that it is immune from CPU errata. + +Therefore, booting 4.13 with "-cpu Haswell" shows this in the logs: + + [ 0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata; + please update microcode to version: 0xb2 (or later) + +Even if you had a hypervisor that does _not_ virtualize the TSC deadline +and rather exposes the hardware one, it should be the hypervisors task +to update microcode and possibly hide the flag from CPUID. So just +hide the message when running on _any_ hypervisor, not just those that +do not support the TSC deadline timer. + +The older check still makes sense, so keep it. + +Fixes: bd9240a18e ("x86/apic: Add TSC_DEADLINE quirk due to errata") +Signed-off-by: Paolo Bonzini <[email protected]> +Signed-off-by: Thomas Gleixner <[email protected]> +Cc: Peter Zijlstra <[email protected]> +Cc: Hans de Goede <[email protected]> +Cc: [email protected] +Link: https://lkml.kernel.org/r/[email protected] +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + arch/x86/kernel/apic/apic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c +index b3273c842850..a7be1b4283a0 100644 +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -602,7 +602,8 @@ static void apic_check_deadline_errata(void) + const struct x86_cpu_id *m; + u32 rev; + +- if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER)) ++ if (!boot_cpu_has(X86_FEATURE_TSC_DEADLINE_TIMER) || ++ boot_cpu_has(X86_FEATURE_HYPERVISOR)) + return; + + m = x86_match_cpu(deadline_match); +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-003-perf-pmu-Unbreak-perf-record-for-arm-arm64-wit.patch new/patches.kernel.org/4.13.9-003-perf-pmu-Unbreak-perf-record-for-arm-arm64-wit.patch --- old/patches.kernel.org/4.13.9-003-perf-pmu-Unbreak-perf-record-for-arm-arm64-wit.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-003-perf-pmu-Unbreak-perf-record-for-arm-arm64-wit.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,210 @@ +From: Mark Rutland <[email protected]> +Date: Fri, 6 Oct 2017 19:38:22 +0100 +Subject: [PATCH] perf pmu: Unbreak perf record for arm/arm64 with events with + explicit PMU +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 66ec11919a0f96e936bb731fdbc2851316077d26 + +commit 66ec11919a0f96e936bb731fdbc2851316077d26 upstream. + +Currently, perf record is broken on arm/arm64 systems when the PMU is +specified explicitly as part of the event, e.g. + +$ ./perf record -e armv8_cortex_a53/cpu_cycles/u true + +In such cases, perf record fails to open events unless +perf_event_paranoid is set to -1, even if the PMU in question supports +mode exclusion. Further, even when perf_event_paranoid is toggled, no +samples are recorded. + +This is an unintended side effect of commit: + + e3ba76deef23064f ("perf tools: Force uncore events to system wide monitoring) + +... which assumes that if a PMU has an associated cpu_map, it is an +uncore PMU, and forces events for such PMUs to be system-wide. + +This is not true for arm/arm64 systems, which can have heterogeneous +CPUs. To account for this, multiple CPU PMUs are exposed, each with a +"cpus" field under sysfs, which the perf tool parses into a cpu_map. ARM +PMUs do not have a "cpumask" file, and only have a "cpus" file. For the +gory details as to why, see commit: + + 7e3fcffe95544010 ("perf pmu: Support alternative sysfs cpumask") + +Given all of this, we can instead identify uncore PMUs by explicitly +checking for a "cpumask" file, and restore arm/arm64 PMU support back to +a working state. This patch does so, adding a new perf_pmu::is_uncore +field, and splitting the existing cpumask parsing so that it can be +reused. + +Signed-off-by: Mark Rutland <[email protected]> +Tested-by Will Deacon <[email protected]> +Acked-by: Jiri Olsa <[email protected]> +Cc: Adrian Hunter <[email protected]> +Cc: Borislav Petkov <[email protected]> +Cc: David Ahern <[email protected]> +Cc: Namhyung Kim <[email protected]> +Cc: Peter Zijlstra <[email protected]> +Fixes: e3ba76deef23064f ("perf tools: Force uncore events to system wide monitoring) +Link: http://lkml.kernel.org/r/[email protected] +Signed-off-by: Arnaldo Carvalho de Melo <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + tools/perf/util/parse-events.c | 9 ++++--- + tools/perf/util/pmu.c | 56 +++++++++++++++++++++++++++++++----------- + tools/perf/util/pmu.h | 1 + + 3 files changed, 47 insertions(+), 19 deletions(-) + +diff --git a/tools/perf/util/parse-events.c b/tools/perf/util/parse-events.c +index 01e779b91c8e..2e3ffc3bc483 100644 +--- a/tools/perf/util/parse-events.c ++++ b/tools/perf/util/parse-events.c +@@ -309,10 +309,11 @@ static char *get_config_name(struct list_head *head_terms) + static struct perf_evsel * + __add_event(struct list_head *list, int *idx, + struct perf_event_attr *attr, +- char *name, struct cpu_map *cpus, ++ char *name, struct perf_pmu *pmu, + struct list_head *config_terms) + { + struct perf_evsel *evsel; ++ struct cpu_map *cpus = pmu ? pmu->cpus : NULL; + + event_attr_init(attr); + +@@ -323,7 +324,7 @@ __add_event(struct list_head *list, int *idx, + (*idx)++; + evsel->cpus = cpu_map__get(cpus); + evsel->own_cpus = cpu_map__get(cpus); +- evsel->system_wide = !!cpus; ++ evsel->system_wide = pmu ? pmu->is_uncore : false; + + if (name) + evsel->name = strdup(name); +@@ -1232,7 +1233,7 @@ int parse_events_add_pmu(struct parse_events_evlist *data, + + if (!head_config) { + attr.type = pmu->type; +- evsel = __add_event(list, &data->idx, &attr, NULL, pmu->cpus, NULL); ++ evsel = __add_event(list, &data->idx, &attr, NULL, pmu, NULL); + return evsel ? 0 : -ENOMEM; + } + +@@ -1253,7 +1254,7 @@ int parse_events_add_pmu(struct parse_events_evlist *data, + return -EINVAL; + + evsel = __add_event(list, &data->idx, &attr, +- get_config_name(head_config), pmu->cpus, ++ get_config_name(head_config), pmu, + &config_terms); + if (evsel) { + evsel->unit = info.unit; +diff --git a/tools/perf/util/pmu.c b/tools/perf/util/pmu.c +index ac16a9db1fb5..1c4d7b4e4fb5 100644 +--- a/tools/perf/util/pmu.c ++++ b/tools/perf/util/pmu.c +@@ -470,17 +470,36 @@ static void pmu_read_sysfs(void) + closedir(dir); + } + ++static struct cpu_map *__pmu_cpumask(const char *path) ++{ ++ FILE *file; ++ struct cpu_map *cpus; ++ ++ file = fopen(path, "r"); ++ if (!file) ++ return NULL; ++ ++ cpus = cpu_map__read(file); ++ fclose(file); ++ return cpus; ++} ++ ++/* ++ * Uncore PMUs have a "cpumask" file under sysfs. CPU PMUs (e.g. on arm/arm64) ++ * may have a "cpus" file. ++ */ ++#define CPUS_TEMPLATE_UNCORE "%s/bus/event_source/devices/%s/cpumask" ++#define CPUS_TEMPLATE_CPU "%s/bus/event_source/devices/%s/cpus" ++ + static struct cpu_map *pmu_cpumask(const char *name) + { +- struct stat st; + char path[PATH_MAX]; +- FILE *file; + struct cpu_map *cpus; + const char *sysfs = sysfs__mountpoint(); + const char *templates[] = { +- "%s/bus/event_source/devices/%s/cpumask", +- "%s/bus/event_source/devices/%s/cpus", +- NULL ++ CPUS_TEMPLATE_UNCORE, ++ CPUS_TEMPLATE_CPU, ++ NULL + }; + const char **template; + +@@ -489,20 +508,25 @@ static struct cpu_map *pmu_cpumask(const char *name) + + for (template = templates; *template; template++) { + snprintf(path, PATH_MAX, *template, sysfs, name); +- if (stat(path, &st) == 0) +- break; ++ cpus = __pmu_cpumask(path); ++ if (cpus) ++ return cpus; + } + +- if (!*template) +- return NULL; ++ return NULL; ++} + +- file = fopen(path, "r"); +- if (!file) +- return NULL; ++static bool pmu_is_uncore(const char *name) ++{ ++ char path[PATH_MAX]; ++ struct cpu_map *cpus; ++ const char *sysfs = sysfs__mountpoint(); + +- cpus = cpu_map__read(file); +- fclose(file); +- return cpus; ++ snprintf(path, PATH_MAX, CPUS_TEMPLATE_UNCORE, sysfs, name); ++ cpus = __pmu_cpumask(path); ++ cpu_map__put(cpus); ++ ++ return !!cpus; + } + + /* +@@ -617,6 +641,8 @@ static struct perf_pmu *pmu_lookup(const char *name) + + pmu->cpus = pmu_cpumask(name); + ++ pmu->is_uncore = pmu_is_uncore(name); ++ + INIT_LIST_HEAD(&pmu->format); + INIT_LIST_HEAD(&pmu->aliases); + list_splice(&format, &pmu->format); +diff --git a/tools/perf/util/pmu.h b/tools/perf/util/pmu.h +index 389e9729331f..fe0de0502ce2 100644 +--- a/tools/perf/util/pmu.h ++++ b/tools/perf/util/pmu.h +@@ -22,6 +22,7 @@ struct perf_pmu { + char *name; + __u32 type; + bool selectable; ++ bool is_uncore; + struct perf_event_attr *default_config; + struct cpu_map *cpus; + struct list_head format; /* HEAD struct perf_pmu_format -> list */ +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-004-mm-page_vma_mapped-ensure-pmd-is-loaded-with-R.patch new/patches.kernel.org/4.13.9-004-mm-page_vma_mapped-ensure-pmd-is-loaded-with-R.patch --- old/patches.kernel.org/4.13.9-004-mm-page_vma_mapped-ensure-pmd-is-loaded-with-R.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-004-mm-page_vma_mapped-ensure-pmd-is-loaded-with-R.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,129 @@ +From: Will Deacon <[email protected]> +Date: Fri, 13 Oct 2017 15:58:25 -0700 +Subject: [PATCH] mm: page_vma_mapped: ensure pmd is loaded with READ_ONCE + outside of lock +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: a7b100953aa33a5bbdc3e5e7f2241b9c0704606e + +commit a7b100953aa33a5bbdc3e5e7f2241b9c0704606e upstream. + +Loading the pmd without holding the pmd_lock exposes us to races with +concurrent updaters of the page tables but, worse still, it also allows +the compiler to cache the pmd value in a register and reuse it later on, +even if we've performed a READ_ONCE in between and seen a more recent +value. + +In the case of page_vma_mapped_walk, this leads to the following crash +when the pmd loaded for the initial pmd_trans_huge check is all zeroes +and a subsequent valid table entry is loaded by check_pmd. We then +proceed into map_pte, but the compiler re-uses the zero entry inside +pte_offset_map, resulting in a junk pointer being installed in +pvmw->pte: + + PC is at check_pte+0x20/0x170 + LR is at page_vma_mapped_walk+0x2e0/0x540 + [...] + Process doio (pid: 2463, stack limit = 0xffff00000f2e8000) + Call trace: + check_pte+0x20/0x170 + page_vma_mapped_walk+0x2e0/0x540 + page_mkclean_one+0xac/0x278 + rmap_walk_file+0xf0/0x238 + rmap_walk+0x64/0xa0 + page_mkclean+0x90/0xa8 + clear_page_dirty_for_io+0x84/0x2a8 + mpage_submit_page+0x34/0x98 + mpage_process_page_bufs+0x164/0x170 + mpage_prepare_extent_to_map+0x134/0x2b8 + ext4_writepages+0x484/0xe30 + do_writepages+0x44/0xe8 + __filemap_fdatawrite_range+0xbc/0x110 + file_write_and_wait_range+0x48/0xd8 + ext4_sync_file+0x80/0x4b8 + vfs_fsync_range+0x64/0xc0 + SyS_msync+0x194/0x1e8 + +This patch fixes the problem by ensuring that READ_ONCE is used before +the initial checks on the pmd, and this value is subsequently used when +checking whether or not the pmd is present. pmd_check is removed and +the pmd_present check is inlined directly. + +Link: http://lkml.kernel.org/r/[email protected] +Fixes: f27176cfc363 ("mm: convert page_mkclean_one() to use page_vma_mapped_walk()") +Signed-off-by: Will Deacon <[email protected]> +Tested-by: Yury Norov <[email protected]> +Tested-by: Richard Ruigrok <[email protected]> +Acked-by: Kirill A. Shutemov <[email protected]> +Cc: "Paul E. McKenney" <[email protected]> +Cc: Peter Zijlstra <[email protected]> +Signed-off-by: Andrew Morton <[email protected]> +Signed-off-by: Linus Torvalds <[email protected]> +[will: backport to 4.13.y] +Signed-off-by: Will Deacon <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + mm/page_vma_mapped.c | 25 ++++++++++--------------- + 1 file changed, 10 insertions(+), 15 deletions(-) + +diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c +index 8ec6ba230bb9..6b9311631aa1 100644 +--- a/mm/page_vma_mapped.c ++++ b/mm/page_vma_mapped.c +@@ -6,17 +6,6 @@ + + #include "internal.h" + +-static inline bool check_pmd(struct page_vma_mapped_walk *pvmw) +-{ +- pmd_t pmde; +- /* +- * Make sure we don't re-load pmd between present and !trans_huge check. +- * We need a consistent view. +- */ +- pmde = READ_ONCE(*pvmw->pmd); +- return pmd_present(pmde) && !pmd_trans_huge(pmde); +-} +- + static inline bool not_found(struct page_vma_mapped_walk *pvmw) + { + page_vma_mapped_walk_done(pvmw); +@@ -106,6 +95,7 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + pgd_t *pgd; + p4d_t *p4d; + pud_t *pud; ++ pmd_t pmde; + + /* The only possible pmd mapping has been handled on last iteration */ + if (pvmw->pmd && !pvmw->pte) +@@ -138,7 +128,13 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + if (!pud_present(*pud)) + return false; + pvmw->pmd = pmd_offset(pud, pvmw->address); +- if (pmd_trans_huge(*pvmw->pmd)) { ++ /* ++ * Make sure the pmd value isn't cached in a register by the ++ * compiler and used as a stale value after we've observed a ++ * subsequent update. ++ */ ++ pmde = READ_ONCE(*pvmw->pmd); ++ if (pmd_trans_huge(pmde)) { + pvmw->ptl = pmd_lock(mm, pvmw->pmd); + if (!pmd_present(*pvmw->pmd)) + return not_found(pvmw); +@@ -153,9 +149,8 @@ bool page_vma_mapped_walk(struct page_vma_mapped_walk *pvmw) + spin_unlock(pvmw->ptl); + pvmw->ptl = NULL; + } +- } else { +- if (!check_pmd(pvmw)) +- return false; ++ } else if (!pmd_present(pmde)) { ++ return false; + } + if (!map_pte(pvmw)) + goto next_pte; +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-005-HID-hid-elecom-extend-to-fix-descriptor-for-HU.patch new/patches.kernel.org/4.13.9-005-HID-hid-elecom-extend-to-fix-descriptor-for-HU.patch --- old/patches.kernel.org/4.13.9-005-HID-hid-elecom-extend-to-fix-descriptor-for-HU.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-005-HID-hid-elecom-extend-to-fix-descriptor-for-HU.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,112 @@ +From: Alex Manoussakis <[email protected]> +Date: Thu, 5 Oct 2017 13:41:20 -0400 +Subject: [PATCH] HID: hid-elecom: extend to fix descriptor for HUGE trackball +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: a0933a456ff83a3b5ffa3a1903e0b8de4a56adf5 + +commit a0933a456ff83a3b5ffa3a1903e0b8de4a56adf5 upstream. + +In addition to DEFT, Elecom introduced a larger trackball called HUGE, in +both wired (M-HT1URBK) and wireless (M-HT1DRBK) versions. It has the same +buttons and behavior as the DEFT. This patch adds the two relevant USB IDs +to enable operation of the three Fn buttons on the top of the device. + +Cc: Diego Elio Petteno <[email protected]> +Signed-off-by: Alex Manoussakis <[email protected]> +Signed-off-by: Jiri Kosina <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hid/Kconfig | 1 + + drivers/hid/hid-core.c | 2 ++ + drivers/hid/hid-elecom.c | 13 +++++++++---- + drivers/hid/hid-ids.h | 2 ++ + 4 files changed, 14 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig +index 3cd60f460b61..8b27211f6c50 100644 +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -281,6 +281,7 @@ config HID_ELECOM + Support for ELECOM devices: + - BM084 Bluetooth Mouse + - DEFT Trackball (Wired and wireless) ++ - HUGE Trackball (Wired and wireless) + + config HID_ELO + tristate "ELO USB 4000/4500 touchscreen" +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 9017dcc14502..efb3501b4123 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -2031,6 +2031,8 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRED) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRELESS) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRED) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRELESS) }, + #endif + #if IS_ENABLED(CONFIG_HID_ELO) + { HID_USB_DEVICE(USB_VENDOR_ID_ELO, 0x0009) }, +diff --git a/drivers/hid/hid-elecom.c b/drivers/hid/hid-elecom.c +index e2c7465df69f..54aeea57d209 100644 +--- a/drivers/hid/hid-elecom.c ++++ b/drivers/hid/hid-elecom.c +@@ -3,6 +3,7 @@ + * Copyright (c) 2010 Richard Nauber <[email protected]> + * Copyright (c) 2016 Yuxuan Shui <[email protected]> + * Copyright (c) 2017 Diego Elio Pettenò <[email protected]> ++ * Copyright (c) 2017 Alex Manoussakis <[email protected]> + */ + + /* +@@ -32,9 +33,11 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc, + break; + case USB_DEVICE_ID_ELECOM_DEFT_WIRED: + case USB_DEVICE_ID_ELECOM_DEFT_WIRELESS: +- /* The DEFT trackball has eight buttons, but its descriptor only +- * reports five, disabling the three Fn buttons on the top of +- * the mouse. ++ case USB_DEVICE_ID_ELECOM_HUGE_WIRED: ++ case USB_DEVICE_ID_ELECOM_HUGE_WIRELESS: ++ /* The DEFT/HUGE trackball has eight buttons, but its descriptor ++ * only reports five, disabling the three Fn buttons on the top ++ * of the mouse. + * + * Apply the following diff to the descriptor: + * +@@ -62,7 +65,7 @@ static __u8 *elecom_report_fixup(struct hid_device *hdev, __u8 *rdesc, + * End Collection, End Collection, + */ + if (*rsize == 213 && rdesc[13] == 5 && rdesc[21] == 5) { +- hid_info(hdev, "Fixing up Elecom DEFT Fn buttons\n"); ++ hid_info(hdev, "Fixing up Elecom DEFT/HUGE Fn buttons\n"); + rdesc[13] = 8; /* Button/Variable Report Count */ + rdesc[21] = 8; /* Button/Variable Usage Maximum */ + rdesc[29] = 0; /* Button/Constant Report Count */ +@@ -76,6 +79,8 @@ static const struct hid_device_id elecom_devices[] = { + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_BM084) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRED) }, + { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_DEFT_WIRELESS) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRED) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_ELECOM, USB_DEVICE_ID_ELECOM_HUGE_WIRELESS) }, + { } + }; + MODULE_DEVICE_TABLE(hid, elecom_devices); +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c9ba4c6db74c..1333ac5c6597 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -366,6 +366,8 @@ + #define USB_DEVICE_ID_ELECOM_BM084 0x0061 + #define USB_DEVICE_ID_ELECOM_DEFT_WIRED 0x00fe + #define USB_DEVICE_ID_ELECOM_DEFT_WIRELESS 0x00ff ++#define USB_DEVICE_ID_ELECOM_HUGE_WIRED 0x010c ++#define USB_DEVICE_ID_ELECOM_HUGE_WIRELESS 0x010d + + #define USB_VENDOR_ID_DREAM_CHEEKY 0x1d34 + #define USB_DEVICE_ID_DREAM_CHEEKY_WN 0x0004 +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-006-Drivers-hv-vmbus-Fix-rescind-handling-issues.patch new/patches.kernel.org/4.13.9-006-Drivers-hv-vmbus-Fix-rescind-handling-issues.patch --- old/patches.kernel.org/4.13.9-006-Drivers-hv-vmbus-Fix-rescind-handling-issues.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-006-Drivers-hv-vmbus-Fix-rescind-handling-issues.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,170 @@ +From: "K. Y. Srinivasan" <[email protected]> +Date: Fri, 11 Aug 2017 10:03:59 -0700 +Subject: [PATCH] Drivers: hv: vmbus: Fix rescind handling issues +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 6f3d791f300618caf82a2be0c27456edd76d5164 + +commit 6f3d791f300618caf82a2be0c27456edd76d5164 upstream. + +This patch handles the following issues that were observed when we are +handling racing channel offer message and rescind message for the same +offer: + +1. Since the host does not respond to messages on a rescinded channel, +in the current code, we could be indefinitely blocked on the vmbus_open() call. + +2. When a rescinded channel is being closed, if there is a pending interrupt on the +channel, we could end up freeing the channel that the interrupt handler would run on. + +Signed-off-by: K. Y. Srinivasan <[email protected]> +Reviewed-by: Dexuan Cui <[email protected]> +Tested-by: Dexuan Cui <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/channel.c | 14 ++++++++++++++ + drivers/hv/channel_mgmt.c | 29 ++++++++++++++++++++++++++--- + drivers/hv/vmbus_drv.c | 3 +++ + include/linux/hyperv.h | 2 ++ + 4 files changed, 45 insertions(+), 3 deletions(-) + +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index e57cc40cb768..63ac1c6a825f 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -177,6 +177,11 @@ int vmbus_open(struct vmbus_channel *newchannel, u32 send_ringbuffer_size, + &vmbus_connection.chn_msg_list); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); + ++ if (newchannel->rescind) { ++ err = -ENODEV; ++ goto error_free_gpadl; ++ } ++ + ret = vmbus_post_msg(open_msg, + sizeof(struct vmbus_channel_open_channel), true); + +@@ -421,6 +426,11 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer, + + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); + ++ if (channel->rescind) { ++ ret = -ENODEV; ++ goto cleanup; ++ } ++ + ret = vmbus_post_msg(gpadlmsg, msginfo->msgsize - + sizeof(*msginfo), true); + if (ret != 0) +@@ -494,6 +504,10 @@ int vmbus_teardown_gpadl(struct vmbus_channel *channel, u32 gpadl_handle) + list_add_tail(&info->msglistentry, + &vmbus_connection.chn_msg_list); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); ++ ++ if (channel->rescind) ++ goto post_msg_err; ++ + ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_gpadl_teardown), + true); + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 037361158074..624d815745e4 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -451,6 +451,12 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) + /* Make sure this is a new offer */ + mutex_lock(&vmbus_connection.channel_mutex); + ++ /* ++ * Now that we have acquired the channel_mutex, ++ * we can release the potentially racing rescind thread. ++ */ ++ atomic_dec(&vmbus_connection.offer_in_progress); ++ + list_for_each_entry(channel, &vmbus_connection.chn_list, listentry) { + if (!uuid_le_cmp(channel->offermsg.offer.if_type, + newchannel->offermsg.offer.if_type) && +@@ -481,7 +487,6 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) + channel->num_sc++; + spin_unlock_irqrestore(&channel->lock, flags); + } else { +- atomic_dec(&vmbus_connection.offer_in_progress); + goto err_free_chan; + } + } +@@ -510,7 +515,6 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) + if (!fnew) { + if (channel->sc_creation_callback != NULL) + channel->sc_creation_callback(newchannel); +- atomic_dec(&vmbus_connection.offer_in_progress); + return; + } + +@@ -541,7 +545,7 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) + goto err_deq_chan; + } + +- atomic_dec(&vmbus_connection.offer_in_progress); ++ newchannel->probe_done = true; + return; + + err_deq_chan: +@@ -882,8 +886,27 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + channel->rescind = true; + spin_unlock_irqrestore(&channel->lock, flags); + ++ /* ++ * Now that we have posted the rescind state, perform ++ * rescind related cleanup. ++ */ + vmbus_rescind_cleanup(channel); + ++ /* ++ * Now wait for offer handling to complete. ++ */ ++ while (READ_ONCE(channel->probe_done) == false) { ++ /* ++ * We wait here until any channel offer is currently ++ * being processed. ++ */ ++ msleep(1); ++ } ++ ++ /* ++ * At this point, the rescind handling can proceed safely. ++ */ ++ + if (channel->device_obj) { + if (channel->chn_rescind_callback) { + channel->chn_rescind_callback(channel); +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index ed84e96715a0..43160a2eafe0 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -940,6 +940,9 @@ static void vmbus_chan_sched(struct hv_per_cpu_context *hv_cpu) + if (channel->offermsg.child_relid != relid) + continue; + ++ if (channel->rescind) ++ continue; ++ + switch (channel->callback_mode) { + case HV_CALL_ISR: + vmbus_channel_isr(channel); +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index b7d7bbec74e0..fa9fea5765a7 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -895,6 +895,8 @@ struct vmbus_channel { + */ + enum hv_numa_policy affinity_policy; + ++ bool probe_done; ++ + }; + + static inline bool is_hvsock_channel(const struct vmbus_channel *c) +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-007-Drivers-hv-vmbus-Fix-bugs-in-rescind-handling.patch new/patches.kernel.org/4.13.9-007-Drivers-hv-vmbus-Fix-bugs-in-rescind-handling.patch --- old/patches.kernel.org/4.13.9-007-Drivers-hv-vmbus-Fix-bugs-in-rescind-handling.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-007-Drivers-hv-vmbus-Fix-bugs-in-rescind-handling.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,204 @@ +From: "K. Y. Srinivasan" <[email protected]> +Date: Fri, 29 Sep 2017 21:09:36 -0700 +Subject: [PATCH] Drivers: hv: vmbus: Fix bugs in rescind handling +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 192b2d78722ffea188e5ec6ae5d55010dce05a4b + +commit 192b2d78722ffea188e5ec6ae5d55010dce05a4b upstream. + +This patch addresses the following bugs in the current rescind handling code: + +1. Fixes a race condition where we may be invoking hv_process_channel_removal() +on an already freed channel. + +2. Prevents indefinite wait when rescinding sub-channels by correctly setting +the probe_complete state. + +I would like to thank Dexuan for patiently reviewing earlier versions of this +patch and identifying many of the issues fixed here. + +Greg, please apply this to 4.14-final. + +Fixes: '54a66265d675 ("Drivers: hv: vmbus: Fix rescind handling")' + +Signed-off-by: K. Y. Srinivasan <[email protected]> +Reviewed-by: Dexuan Cui <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/channel.c | 6 +++--- + drivers/hv/channel_mgmt.c | 37 ++++++++++++++++++------------------- + drivers/hv/vmbus_drv.c | 3 +-- + include/linux/hyperv.h | 2 +- + 4 files changed, 23 insertions(+), 25 deletions(-) + +diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c +index 63ac1c6a825f..be3fccab07fe 100644 +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -640,6 +640,7 @@ void vmbus_close(struct vmbus_channel *channel) + */ + return; + } ++ mutex_lock(&vmbus_connection.channel_mutex); + /* + * Close all the sub-channels first and then close the + * primary channel. +@@ -648,16 +649,15 @@ void vmbus_close(struct vmbus_channel *channel) + cur_channel = list_entry(cur, struct vmbus_channel, sc_list); + vmbus_close_internal(cur_channel); + if (cur_channel->rescind) { +- mutex_lock(&vmbus_connection.channel_mutex); +- hv_process_channel_removal(cur_channel, ++ hv_process_channel_removal( + cur_channel->offermsg.child_relid); +- mutex_unlock(&vmbus_connection.channel_mutex); + } + } + /* + * Now close the primary. + */ + vmbus_close_internal(channel); ++ mutex_unlock(&vmbus_connection.channel_mutex); + } + EXPORT_SYMBOL_GPL(vmbus_close); + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 624d815745e4..18c94ed02562 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -159,7 +159,7 @@ static void vmbus_rescind_cleanup(struct vmbus_channel *channel) + + + spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags); +- ++ channel->rescind = true; + list_for_each_entry(msginfo, &vmbus_connection.chn_msg_list, + msglistentry) { + +@@ -381,14 +381,21 @@ static void vmbus_release_relid(u32 relid) + true); + } + +-void hv_process_channel_removal(struct vmbus_channel *channel, u32 relid) ++void hv_process_channel_removal(u32 relid) + { + unsigned long flags; +- struct vmbus_channel *primary_channel; ++ struct vmbus_channel *primary_channel, *channel; + +- BUG_ON(!channel->rescind); + BUG_ON(!mutex_is_locked(&vmbus_connection.channel_mutex)); + ++ /* ++ * Make sure channel is valid as we may have raced. ++ */ ++ channel = relid2channel(relid); ++ if (!channel) ++ return; ++ ++ BUG_ON(!channel->rescind); + if (channel->target_cpu != get_cpu()) { + put_cpu(); + smp_call_function_single(channel->target_cpu, +@@ -515,6 +522,7 @@ static void vmbus_process_offer(struct vmbus_channel *newchannel) + if (!fnew) { + if (channel->sc_creation_callback != NULL) + channel->sc_creation_callback(newchannel); ++ newchannel->probe_done = true; + return; + } + +@@ -843,7 +851,6 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + { + struct vmbus_channel_rescind_offer *rescind; + struct vmbus_channel *channel; +- unsigned long flags; + struct device *dev; + + rescind = (struct vmbus_channel_rescind_offer *)hdr; +@@ -882,16 +889,6 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + return; + } + +- spin_lock_irqsave(&channel->lock, flags); +- channel->rescind = true; +- spin_unlock_irqrestore(&channel->lock, flags); +- +- /* +- * Now that we have posted the rescind state, perform +- * rescind related cleanup. +- */ +- vmbus_rescind_cleanup(channel); +- + /* + * Now wait for offer handling to complete. + */ +@@ -910,6 +907,7 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + if (channel->device_obj) { + if (channel->chn_rescind_callback) { + channel->chn_rescind_callback(channel); ++ vmbus_rescind_cleanup(channel); + return; + } + /* +@@ -918,6 +916,7 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + */ + dev = get_device(&channel->device_obj->device); + if (dev) { ++ vmbus_rescind_cleanup(channel); + vmbus_device_unregister(channel->device_obj); + put_device(dev); + } +@@ -930,16 +929,16 @@ static void vmbus_onoffer_rescind(struct vmbus_channel_message_header *hdr) + * 1. Close all sub-channels first + * 2. Then close the primary channel. + */ ++ mutex_lock(&vmbus_connection.channel_mutex); ++ vmbus_rescind_cleanup(channel); + if (channel->state == CHANNEL_OPEN_STATE) { + /* + * The channel is currently not open; + * it is safe for us to cleanup the channel. + */ +- mutex_lock(&vmbus_connection.channel_mutex); +- hv_process_channel_removal(channel, +- channel->offermsg.child_relid); +- mutex_unlock(&vmbus_connection.channel_mutex); ++ hv_process_channel_removal(rescind->child_relid); + } ++ mutex_unlock(&vmbus_connection.channel_mutex); + } + } + +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index 43160a2eafe0..5ad627044dd1 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -768,8 +768,7 @@ static void vmbus_device_release(struct device *device) + struct vmbus_channel *channel = hv_dev->channel; + + mutex_lock(&vmbus_connection.channel_mutex); +- hv_process_channel_removal(channel, +- channel->offermsg.child_relid); ++ hv_process_channel_removal(channel->offermsg.child_relid); + mutex_unlock(&vmbus_connection.channel_mutex); + kfree(hv_dev); + +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index fa9fea5765a7..c7162eaa9476 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1455,7 +1455,7 @@ extern bool vmbus_prep_negotiate_resp(struct icmsg_hdr *icmsghdrp, u8 *buf, + const int *srv_version, int srv_vercnt, + int *nego_fw_version, int *nego_srv_version); + +-void hv_process_channel_removal(struct vmbus_channel *channel, u32 relid); ++void hv_process_channel_removal(u32 relid); + + void vmbus_setevent(struct vmbus_channel *channel); + /* +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-008-vmbus-simplify-hv_ringbuffer_read.patch new/patches.kernel.org/4.13.9-008-vmbus-simplify-hv_ringbuffer_read.patch --- old/patches.kernel.org/4.13.9-008-vmbus-simplify-hv_ringbuffer_read.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-008-vmbus-simplify-hv_ringbuffer_read.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,196 @@ +From: Stephen Hemminger <[email protected]> +Date: Sun, 25 Jun 2017 12:30:24 -0700 +Subject: [PATCH] vmbus: simplify hv_ringbuffer_read +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 4226ff69a3dff78bead7d9a270423cd21f8d40b8 + +commit 4226ff69a3dff78bead7d9a270423cd21f8d40b8 upstream. + +With new iterator functions (and the double mapping) the ring buffer +read function can be greatly simplified. + +Signed-off-by: Stephen Hemminger <[email protected]> +Signed-off-by: K. Y. Srinivasan <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/ring_buffer.c | 118 +++++++---------------------------------------- + 1 file changed, 17 insertions(+), 101 deletions(-) + +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index 1f450c39a9b0..f29981764653 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -94,30 +94,6 @@ hv_set_next_write_location(struct hv_ring_buffer_info *ring_info, + ring_info->ring_buffer->write_index = next_write_location; + } + +-/* Get the next read location for the specified ring buffer. */ +-static inline u32 +-hv_get_next_read_location(const struct hv_ring_buffer_info *ring_info) +-{ +- return ring_info->ring_buffer->read_index; +-} +- +-/* +- * Get the next read location + offset for the specified ring buffer. +- * This allows the caller to skip. +- */ +-static inline u32 +-hv_get_next_readlocation_withoffset(const struct hv_ring_buffer_info *ring_info, +- u32 offset) +-{ +- u32 next = ring_info->ring_buffer->read_index; +- +- next += offset; +- if (next >= ring_info->ring_datasize) +- next -= ring_info->ring_datasize; +- +- return next; +-} +- + /* Set the next read location for the specified ring buffer. */ + static inline void + hv_set_next_read_location(struct hv_ring_buffer_info *ring_info, +@@ -141,29 +117,6 @@ hv_get_ring_bufferindices(struct hv_ring_buffer_info *ring_info) + return (u64)ring_info->ring_buffer->write_index << 32; + } + +-/* +- * Helper routine to copy to source from ring buffer. +- * Assume there is enough room. Handles wrap-around in src case only!! +- */ +-static u32 hv_copyfrom_ringbuffer( +- const struct hv_ring_buffer_info *ring_info, +- void *dest, +- u32 destlen, +- u32 start_read_offset) +-{ +- void *ring_buffer = hv_get_ring_buffer(ring_info); +- u32 ring_buffer_size = hv_get_ring_buffersize(ring_info); +- +- memcpy(dest, ring_buffer + start_read_offset, destlen); +- +- start_read_offset += destlen; +- if (start_read_offset >= ring_buffer_size) +- start_read_offset -= ring_buffer_size; +- +- return start_read_offset; +-} +- +- + /* + * Helper routine to copy from source to ring buffer. + * Assume there is enough room. Handles wrap-around in dest case only!! +@@ -334,33 +287,22 @@ int hv_ringbuffer_write(struct vmbus_channel *channel, + return 0; + } + +-static inline void +-init_cached_read_index(struct hv_ring_buffer_info *rbi) +-{ +- rbi->cached_read_index = rbi->ring_buffer->read_index; +-} +- + int hv_ringbuffer_read(struct vmbus_channel *channel, + void *buffer, u32 buflen, u32 *buffer_actual_len, + u64 *requestid, bool raw) + { +- u32 bytes_avail_toread; +- u32 next_read_location; +- u64 prev_indices = 0; +- struct vmpacket_descriptor desc; +- u32 offset; +- u32 packetlen; +- struct hv_ring_buffer_info *inring_info = &channel->inbound; +- +- if (buflen <= 0) ++ struct vmpacket_descriptor *desc; ++ u32 packetlen, offset; ++ ++ if (unlikely(buflen == 0)) + return -EINVAL; + + *buffer_actual_len = 0; + *requestid = 0; + +- bytes_avail_toread = hv_get_bytes_to_read(inring_info); + /* Make sure there is something to read */ +- if (bytes_avail_toread < sizeof(desc)) { ++ desc = hv_pkt_iter_first(channel); ++ if (desc == NULL) { + /* + * No error is set when there is even no header, drivers are + * supposed to analyze buffer_actual_len. +@@ -368,48 +310,22 @@ int hv_ringbuffer_read(struct vmbus_channel *channel, + return 0; + } + +- init_cached_read_index(inring_info); +- +- next_read_location = hv_get_next_read_location(inring_info); +- next_read_location = hv_copyfrom_ringbuffer(inring_info, &desc, +- sizeof(desc), +- next_read_location); +- +- offset = raw ? 0 : (desc.offset8 << 3); +- packetlen = (desc.len8 << 3) - offset; ++ offset = raw ? 0 : (desc->offset8 << 3); ++ packetlen = (desc->len8 << 3) - offset; + *buffer_actual_len = packetlen; +- *requestid = desc.trans_id; +- +- if (bytes_avail_toread < packetlen + offset) +- return -EAGAIN; ++ *requestid = desc->trans_id; + +- if (packetlen > buflen) ++ if (unlikely(packetlen > buflen)) + return -ENOBUFS; + +- next_read_location = +- hv_get_next_readlocation_withoffset(inring_info, offset); ++ /* since ring is double mapped, only one copy is necessary */ ++ memcpy(buffer, (const char *)desc + offset, packetlen); + +- next_read_location = hv_copyfrom_ringbuffer(inring_info, +- buffer, +- packetlen, +- next_read_location); ++ /* Advance ring index to next packet descriptor */ ++ __hv_pkt_iter_next(channel, desc); + +- next_read_location = hv_copyfrom_ringbuffer(inring_info, +- &prev_indices, +- sizeof(u64), +- next_read_location); +- +- /* +- * Make sure all reads are done before we update the read index since +- * the writer may start writing to the read area once the read index +- * is updated. +- */ +- virt_mb(); +- +- /* Update the read index */ +- hv_set_next_read_location(inring_info, next_read_location); +- +- hv_signal_on_read(channel); ++ /* Notify host of update */ ++ hv_pkt_iter_close(channel); + + return 0; + } +@@ -442,7 +358,7 @@ struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel *channel) + struct hv_ring_buffer_info *rbi = &channel->inbound; + + /* set state for later hv_signal_on_read() */ +- init_cached_read_index(rbi); ++ rbi->cached_read_index = rbi->ring_buffer->read_index; + + if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor)) + return NULL; +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-009-vmbus-refactor-hv_signal_on_read.patch new/patches.kernel.org/4.13.9-009-vmbus-refactor-hv_signal_on_read.patch --- old/patches.kernel.org/4.13.9-009-vmbus-refactor-hv_signal_on_read.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-009-vmbus-refactor-hv_signal_on_read.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,148 @@ +From: Stephen Hemminger <[email protected]> +Date: Sun, 25 Jun 2017 12:30:26 -0700 +Subject: [PATCH] vmbus: refactor hv_signal_on_read +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 8dd45f2ab005a1f3301296059b23b03ec3dbf79b + +commit 8dd45f2ab005a1f3301296059b23b03ec3dbf79b upstream. + +The function hv_signal_on_read was defined in hyperv.h and +only used in one place in ring_buffer code. Clearer to just +move it inline there. + +Signed-off-by: Stephen Hemminger <[email protected]> +Signed-off-by: K. Y. Srinivasan <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/ring_buffer.c | 32 +++++++++++++++++++++++++++++-- + include/linux/hyperv.h | 49 ------------------------------------------------ + 2 files changed, 30 insertions(+), 51 deletions(-) + +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index f29981764653..a9021f13379f 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -29,6 +29,7 @@ + #include <linux/uio.h> + #include <linux/vmalloc.h> + #include <linux/slab.h> ++#include <linux/prefetch.h> + + #include "hyperv_vmbus.h" + +@@ -357,7 +358,7 @@ struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel *channel) + { + struct hv_ring_buffer_info *rbi = &channel->inbound; + +- /* set state for later hv_signal_on_read() */ ++ /* set state for later hv_pkt_iter_close */ + rbi->cached_read_index = rbi->ring_buffer->read_index; + + if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor)) +@@ -400,6 +401,8 @@ EXPORT_SYMBOL_GPL(__hv_pkt_iter_next); + void hv_pkt_iter_close(struct vmbus_channel *channel) + { + struct hv_ring_buffer_info *rbi = &channel->inbound; ++ u32 cur_write_sz, cached_write_sz; ++ u32 pending_sz; + + /* + * Make sure all reads are done before we update the read index since +@@ -409,6 +412,31 @@ void hv_pkt_iter_close(struct vmbus_channel *channel) + virt_rmb(); + rbi->ring_buffer->read_index = rbi->priv_read_index; + +- hv_signal_on_read(channel); ++ /* ++ * Issue a full memory barrier before making the signaling decision. ++ * Here is the reason for having this barrier: ++ * If the reading of the pend_sz (in this function) ++ * were to be reordered and read before we commit the new read ++ * index (in the calling function) we could ++ * have a problem. If the host were to set the pending_sz after we ++ * have sampled pending_sz and go to sleep before we commit the ++ * read index, we could miss sending the interrupt. Issue a full ++ * memory barrier to address this. ++ */ ++ virt_mb(); ++ ++ pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz); ++ /* If the other end is not blocked on write don't bother. */ ++ if (pending_sz == 0) ++ return; ++ ++ cur_write_sz = hv_get_bytes_to_write(rbi); ++ ++ if (cur_write_sz < pending_sz) ++ return; ++ ++ cached_write_sz = hv_get_cached_bytes_to_write(rbi); ++ if (cached_write_sz < pending_sz) ++ vmbus_setevent(channel); + } + EXPORT_SYMBOL_GPL(hv_pkt_iter_close); +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index c7162eaa9476..8a1d29c431fa 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -1475,55 +1475,6 @@ hv_get_ring_buffer(const struct hv_ring_buffer_info *ring_info) + return ring_info->ring_buffer->buffer; + } + +-/* +- * To optimize the flow management on the send-side, +- * when the sender is blocked because of lack of +- * sufficient space in the ring buffer, potential the +- * consumer of the ring buffer can signal the producer. +- * This is controlled by the following parameters: +- * +- * 1. pending_send_sz: This is the size in bytes that the +- * producer is trying to send. +- * 2. The feature bit feat_pending_send_sz set to indicate if +- * the consumer of the ring will signal when the ring +- * state transitions from being full to a state where +- * there is room for the producer to send the pending packet. +- */ +- +-static inline void hv_signal_on_read(struct vmbus_channel *channel) +-{ +- u32 cur_write_sz, cached_write_sz; +- u32 pending_sz; +- struct hv_ring_buffer_info *rbi = &channel->inbound; +- +- /* +- * Issue a full memory barrier before making the signaling decision. +- * Here is the reason for having this barrier: +- * If the reading of the pend_sz (in this function) +- * were to be reordered and read before we commit the new read +- * index (in the calling function) we could +- * have a problem. If the host were to set the pending_sz after we +- * have sampled pending_sz and go to sleep before we commit the +- * read index, we could miss sending the interrupt. Issue a full +- * memory barrier to address this. +- */ +- virt_mb(); +- +- pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz); +- /* If the other end is not blocked on write don't bother. */ +- if (pending_sz == 0) +- return; +- +- cur_write_sz = hv_get_bytes_to_write(rbi); +- +- if (cur_write_sz < pending_sz) +- return; +- +- cached_write_sz = hv_get_cached_bytes_to_write(rbi); +- if (cached_write_sz < pending_sz) +- vmbus_setevent(channel); +-} +- + /* + * Mask off host interrupt callback notifications + */ +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-010-vmbus-eliminate-duplicate-cached-index.patch new/patches.kernel.org/4.13.9-010-vmbus-eliminate-duplicate-cached-index.patch --- old/patches.kernel.org/4.13.9-010-vmbus-eliminate-duplicate-cached-index.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-010-vmbus-eliminate-duplicate-cached-index.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,108 @@ +From: Stephen Hemminger <[email protected]> +Date: Sun, 25 Jun 2017 12:30:27 -0700 +Subject: [PATCH] vmbus: eliminate duplicate cached index +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 05d00bc94ac27d220d8a78e365d7fa3a26dcca17 + +commit 05d00bc94ac27d220d8a78e365d7fa3a26dcca17 upstream. + +Don't need cached read index anymore now that packet iterator +is used. The iterator has the original read index until the +visible read_index is updated. + +Signed-off-by: Stephen Hemminger <[email protected]> +Signed-off-by: K. Y. Srinivasan <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/ring_buffer.c | 17 ++++------------- + include/linux/hyperv.h | 14 -------------- + 2 files changed, 4 insertions(+), 27 deletions(-) + +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index a9021f13379f..b0f79526b86a 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -358,9 +358,6 @@ struct vmpacket_descriptor *hv_pkt_iter_first(struct vmbus_channel *channel) + { + struct hv_ring_buffer_info *rbi = &channel->inbound; + +- /* set state for later hv_pkt_iter_close */ +- rbi->cached_read_index = rbi->ring_buffer->read_index; +- + if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor)) + return NULL; + +@@ -388,10 +385,7 @@ __hv_pkt_iter_next(struct vmbus_channel *channel, + rbi->priv_read_index -= dsize; + + /* more data? */ +- if (hv_pkt_iter_avail(rbi) < sizeof(struct vmpacket_descriptor)) +- return NULL; +- else +- return hv_get_ring_buffer(rbi) + rbi->priv_read_index; ++ return hv_pkt_iter_first(channel); + } + EXPORT_SYMBOL_GPL(__hv_pkt_iter_next); + +@@ -401,7 +395,7 @@ EXPORT_SYMBOL_GPL(__hv_pkt_iter_next); + void hv_pkt_iter_close(struct vmbus_channel *channel) + { + struct hv_ring_buffer_info *rbi = &channel->inbound; +- u32 cur_write_sz, cached_write_sz; ++ u32 orig_write_sz = hv_get_bytes_to_write(rbi); + u32 pending_sz; + + /* +@@ -430,13 +424,10 @@ void hv_pkt_iter_close(struct vmbus_channel *channel) + if (pending_sz == 0) + return; + +- cur_write_sz = hv_get_bytes_to_write(rbi); +- +- if (cur_write_sz < pending_sz) ++ if (hv_get_bytes_to_write(rbi) < pending_sz) + return; + +- cached_write_sz = hv_get_cached_bytes_to_write(rbi); +- if (cached_write_sz < pending_sz) ++ if (orig_write_sz < pending_sz) + vmbus_setevent(channel); + } + EXPORT_SYMBOL_GPL(hv_pkt_iter_close); +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index 8a1d29c431fa..3647085dab0a 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -127,7 +127,6 @@ struct hv_ring_buffer_info { + u32 ring_data_startoffset; + u32 priv_write_index; + u32 priv_read_index; +- u32 cached_read_index; + }; + + /* +@@ -180,19 +179,6 @@ static inline u32 hv_get_bytes_to_write(const struct hv_ring_buffer_info *rbi) + return write; + } + +-static inline u32 hv_get_cached_bytes_to_write( +- const struct hv_ring_buffer_info *rbi) +-{ +- u32 read_loc, write_loc, dsize, write; +- +- dsize = rbi->ring_datasize; +- read_loc = rbi->cached_read_index; +- write_loc = rbi->ring_buffer->write_index; +- +- write = write_loc >= read_loc ? dsize - (write_loc - read_loc) : +- read_loc - write_loc; +- return write; +-} + /* + * VMBUS version is 32 bit entity broken up into + * two 16 bit quantities: major_number. minor_number. +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-011-vmbus-more-host-signalling-avoidance.patch new/patches.kernel.org/4.13.9-011-vmbus-more-host-signalling-avoidance.patch --- old/patches.kernel.org/4.13.9-011-vmbus-more-host-signalling-avoidance.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-011-vmbus-more-host-signalling-avoidance.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,71 @@ +From: Stephen Hemminger <[email protected]> +Date: Sun, 25 Jun 2017 12:30:28 -0700 +Subject: [PATCH] vmbus: more host signalling avoidance +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 03bad714a1619c0074eb44d6f217c505fe27030f + +commit 03bad714a1619c0074eb44d6f217c505fe27030f upstream. + +Don't signal host if it has disabled interrupts for that +ring buffer. Check the feature bit to see if host supports +pending send size flag. + +Signed-off-by: Stephen Hemminger <[email protected]> +Signed-off-by: K. Y. Srinivasan <[email protected]> +Signed-off-by: Greg Kroah-Hartman <[email protected]> +Signed-off-by: Jiri Slaby <[email protected]> +--- + drivers/hv/ring_buffer.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/hv/ring_buffer.c b/drivers/hv/ring_buffer.c +index b0f79526b86a..741daa6e2fc7 100644 +--- a/drivers/hv/ring_buffer.c ++++ b/drivers/hv/ring_buffer.c +@@ -396,7 +396,6 @@ void hv_pkt_iter_close(struct vmbus_channel *channel) + { + struct hv_ring_buffer_info *rbi = &channel->inbound; + u32 orig_write_sz = hv_get_bytes_to_write(rbi); +- u32 pending_sz; + + /* + * Make sure all reads are done before we update the read index since +@@ -419,15 +418,27 @@ void hv_pkt_iter_close(struct vmbus_channel *channel) + */ + virt_mb(); + +- pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz); +- /* If the other end is not blocked on write don't bother. */ +- if (pending_sz == 0) ++ /* If host has disabled notifications then skip */ ++ if (rbi->ring_buffer->interrupt_mask) + return; + +- if (hv_get_bytes_to_write(rbi) < pending_sz) +- return; ++ if (rbi->ring_buffer->feature_bits.feat_pending_send_sz) { ++ u32 pending_sz = READ_ONCE(rbi->ring_buffer->pending_send_sz); + +- if (orig_write_sz < pending_sz) +- vmbus_setevent(channel); ++ /* ++ * If there was space before we began iteration, ++ * then host was not blocked. Also handles case where ++ * pending_sz is zero then host has nothing pending ++ * and does not need to be signaled. ++ */ ++ if (orig_write_sz > pending_sz) ++ return; ++ ++ /* If pending write will not fit, don't give false hope. */ ++ if (hv_get_bytes_to_write(rbi) < pending_sz) ++ return; ++ } ++ ++ vmbus_setevent(channel); + } + EXPORT_SYMBOL_GPL(hv_pkt_iter_close); +-- +2.14.2 + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.kernel.org/4.13.9-012-Linux-4.13.9.patch new/patches.kernel.org/4.13.9-012-Linux-4.13.9.patch --- old/patches.kernel.org/4.13.9-012-Linux-4.13.9.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.kernel.org/4.13.9-012-Linux-4.13.9.patch 2017-10-22 09:24:39.000000000 +0200 @@ -0,0 +1,27 @@ +From: Greg Kroah-Hartman <[email protected]> +Date: Sat, 21 Oct 2017 17:55:07 +0200 +Subject: [PATCH] Linux 4.13.9 +References: bnc#1012628 +Patch-mainline: 4.13.9 +Git-commit: 5b61412afb6674b51f83ee0de2df0a455643d5be + +Signed-off-by: Jiri Slaby <[email protected]> +--- + Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 66ec023da822..aa0267950444 100644 +--- a/Makefile ++++ b/Makefile +@@ -1,6 +1,6 @@ + VERSION = 4 + PATCHLEVEL = 13 +-SUBLEVEL = 8 ++SUBLEVEL = 9 + EXTRAVERSION = + NAME = Fearless Coyote + +-- +2.14.2 + ++++++ patches.suse.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/patches.suse/futex-do-not-fail-on-invalid-op.patch new/patches.suse/futex-do-not-fail-on-invalid-op.patch --- old/patches.suse/futex-do-not-fail-on-invalid-op.patch 1970-01-01 01:00:00.000000000 +0100 +++ new/patches.suse/futex-do-not-fail-on-invalid-op.patch 2017-10-23 11:44:25.000000000 +0200 @@ -0,0 +1,77 @@ +From: Jiri Slaby <[email protected]> +Date: Mon, 23 Oct 2017 09:53:49 +0200 +Subject: futex: do not fail on invalid op +Patch-mainline: submitted on 2017/10/23 +References: bnc#1064590 + +In 30d6e0a4190d ("futex: Remove duplicated code and fix undefined +behaviour"), I let FUTEX_WAKE_OP to fail on invalid op. Namely when +op should be considered as shift and the shift is out of range (< 0 or +> 31). + +But strace's test suite does this madness: +futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee); +futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xbadfaced); +futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xffffffff); + +When I pick the first 0xa0caffee, it decodes as: +0x80000000 & 0xa0caffee: oparg is shift +0x70000000 & 0xa0caffee: op is FUTEX_OP_OR +0x0f000000 & 0xa0caffee: cmp is FUTEX_OP_CMP_EQ +0x00fff000 & 0xa0caffee: oparg is sign-extended 0xcaf = -849 +0x00000fff & 0xa0caffee: cmparg is sign-extended 0xfee = -18 + +That means the op tries to do this: + (futex |= (1 << (-849))) == -18 +which is completely bogus. The new check of op in the code is: + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { + if (oparg < 0 || oparg > 31) + return -EINVAL; + oparg = 1 << oparg; + } + +which results obviously in the "Invalid argument" errno: +----8<--------8<--------8<--------8<--------8<---- +FAIL: futex +=========== + +futex(0x7fabd78bcffc, 0x5, 0xfacefeed, 0xb, 0x7fabd78bcffc, 0xa0caffee) = -1: Invalid argument +futex.test: failed test: ../futex failed with code 1 +----8<--------8<--------8<--------8<--------8<---- + +So let us soften the failure to print only a (ratelimited) message and +return 0 silently in these cases until userspace keeps up. + +Fixes: 30d6e0a4190d ("futex: Remove duplicated code and fix undefined behaviour") +Signed-off-by: Jiri Slaby <[email protected]> +Cc: Ingo Molnar <[email protected]> +Cc: Peter Zijlstra <[email protected]> +Cc: Darren Hart <[email protected]> +Cc: Linus Torvalds <[email protected]> + +Signed-off-by: Jiri Slaby <[email protected]> +--- + kernel/futex.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1570,8 +1570,16 @@ static int futex_atomic_op_inuser(unsign + int oldval, ret; + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { +- if (oparg < 0 || oparg > 31) +- return -EINVAL; ++ if (oparg < 0 || oparg > 31) { ++ char comm[sizeof(current->comm)]; ++ /* ++ * kill this print and return -EINVAL when userspace ++ * is sane again ++ */ ++ pr_info_ratelimited("futex_wake_op: %s tries to shift op by %d, ignoring this request; fix this program\n", ++ get_task_comm(comm, current), oparg); ++ return 0; ++ } + oparg = 1 << oparg; + } + ++++++ series.conf ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:56.723236394 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:56.727236207 +0200 @@ -590,6 +590,18 @@ patches.kernel.org/4.13.8-052-x86-alternatives-Fix-alt_max_short-macro-to-re.patch patches.kernel.org/4.13.8-053-KVM-nVMX-update-last_nonleaf_level-when-initia.patch patches.kernel.org/4.13.8-054-Linux-4.13.8.patch + patches.kernel.org/4.13.9-001-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch + patches.kernel.org/4.13.9-002-x86-apic-Silence-FW_BUG-TSC_DEADLINE-disabled-.patch + patches.kernel.org/4.13.9-003-perf-pmu-Unbreak-perf-record-for-arm-arm64-wit.patch + patches.kernel.org/4.13.9-004-mm-page_vma_mapped-ensure-pmd-is-loaded-with-R.patch + patches.kernel.org/4.13.9-005-HID-hid-elecom-extend-to-fix-descriptor-for-HU.patch + patches.kernel.org/4.13.9-006-Drivers-hv-vmbus-Fix-rescind-handling-issues.patch + patches.kernel.org/4.13.9-007-Drivers-hv-vmbus-Fix-bugs-in-rescind-handling.patch + patches.kernel.org/4.13.9-008-vmbus-simplify-hv_ringbuffer_read.patch + patches.kernel.org/4.13.9-009-vmbus-refactor-hv_signal_on_read.patch + patches.kernel.org/4.13.9-010-vmbus-eliminate-duplicate-cached-index.patch + patches.kernel.org/4.13.9-011-vmbus-more-host-signalling-avoidance.patch + patches.kernel.org/4.13.9-012-Linux-4.13.9.patch ######################################################## # Build fixes that apply to the vanilla kernel too. @@ -639,6 +651,7 @@ ######################################################## patches.suse/setuid-dumpable-wrongdir patches.fixes/futex-Remove-duplicated-code-and-fix-undefined-behav.patch + patches.suse/futex-do-not-fail-on-invalid-op.patch ######################################################## # Architecture-specific patches. These used to be all @@ -892,6 +905,7 @@ ######################################################## patches.suse/b43-missing-firmware-info.patch patches.suse/iwlwifi-expose-default-fallback-ucode-api + patches.fixes/mac80211-accept-key-reinstall-without-changing-anyth.patch ######################################################## # ISDN @@ -929,6 +943,7 @@ ########################################################## patches.drivers/ALSA-hda-Implement-mic-mute-LED-mode-enum patches.drivers/ALSA-ice1712-Add-support-for-STAudio-ADCIII + patches.drivers/ALSA-hda-Abort-capability-probe-at-invalid-register- ######################################################## # Char / serial ++++++ source-timestamp ++++++ --- /var/tmp/diff_new_pack.E0bTc5/_old 2017-10-24 22:20:56.787233402 +0200 +++ /var/tmp/diff_new_pack.E0bTc5/_new 2017-10-24 22:20:56.787233402 +0200 @@ -1,3 +1,3 @@ -2017-10-18 11:53:30 +0200 -GIT Revision: 569e26e37cba0ef2809a58ea4f1ca0c558202f17 +2017-10-23 11:44:25 +0200 +GIT Revision: e7d71063ecf68f95aca8efd745790e08a8f93e30 GIT Branch: stable
