Home Home > GIT Browse > openSUSE-15.0
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJiri Kosina <jkosina@suse.cz>2015-05-03 20:57:52 +0200
committerJiri Kosina <jkosina@suse.cz>2015-05-03 21:01:51 +0200
commitc63b25154e13e36f2229b982d4b5eb71e4a3624f (patch)
treef3648eef4cd39c0d9c30091a319564db073e6a6c
parentc86eb37868b984771fb99ee68d52af103c8539eb (diff)
parent7f44e69e3e2fd5abad477c121d0e3f7a1f4c7535 (diff)
Merge branch 'SLE11-SP3' into SLE11-SP4rpm-3.0.101-59
Conflicts: series.conf
-rw-r--r--patches.arch/powerpc-perf-Cap-64bit-userspace-backtraces-to-PERF_.patch32
-rw-r--r--patches.arch/pseries-Correct-cpu-affinity-for-dlpar-added-cpus.patch49
-rw-r--r--patches.arch/pseries-suppress-Trying-to-free-nonexistent-resource-warning.patch70
-rw-r--r--patches.arch/revert-ppc-ddw-extend-dynamic-DMA-Window-functionality201
-rw-r--r--patches.arch/revert-ppc-remove-ddw-on-kexec121
-rw-r--r--patches.fixes/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id.patch110
-rw-r--r--patches.fixes/ib-ipoib-add-missing-locking-when-cm-object-is-delet.patch47
-rw-r--r--patches.fixes/ib-ipoib-fix-rcu-pointer-dereference-of-wrong-object.patch35
-rw-r--r--patches.fixes/ipoib-fix-ab-ba-deadlock-when-deleting-neighbours.patch292
-rw-r--r--patches.fixes/ipoib-fix-ipoib_neigh-hashing-to-use-the-correct-dad.patch58
-rw-r--r--patches.fixes/ipoib-fix-memory-leak-in-the-neigh-table-deletion-fl.patch137
-rw-r--r--patches.fixes/ipoib-fix-race-in-deleting-ipoib_neigh-entries.patch133
-rw-r--r--patches.fixes/rtc-cmos-add-more-quirks-for-TGCS.patch43
-rw-r--r--series.conf26
14 files changed, 1348 insertions, 6 deletions
diff --git a/patches.arch/powerpc-perf-Cap-64bit-userspace-backtraces-to-PERF_.patch b/patches.arch/powerpc-perf-Cap-64bit-userspace-backtraces-to-PERF_.patch
new file mode 100644
index 0000000000..f7a008153a
--- /dev/null
+++ b/patches.arch/powerpc-perf-Cap-64bit-userspace-backtraces-to-PERF_.patch
@@ -0,0 +1,32 @@
+Git-commit: 9a5cbce421a283e6aea3c4007f141735bf9da8c3
+Patch-mainline: v4.0-rc4
+Reference: bsc#928142
+From: Anton Blanchard <anton@samba.org>
+Date: Tue, 14 Apr 2015 07:51:03 +1000
+Subject: [PATCH] powerpc/perf: Cap 64bit userspace backtraces to
+ PERF_MAX_STACK_DEPTH
+
+We cap 32bit userspace backtraces to PERF_MAX_STACK_DEPTH
+(currently 127), but we forgot to do the same for 64bit backtraces.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Anton Blanchard <anton@samba.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Acked-by: Dinar Valeev <dvaleev@suse.com>
+---
+ arch/powerpc/perf/callchain.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: linux-3.0-SLE11-SP3/arch/powerpc/kernel/perf_callchain.c
+===================================================================
+--- linux-3.0-SLE11-SP3.orig/arch/powerpc/kernel/perf_callchain.c
++++ linux-3.0-SLE11-SP3/arch/powerpc/kernel/perf_callchain.c
+@@ -235,7 +235,7 @@ static void perf_callchain_user_64(struc
+ sp = regs->gpr[1];
+ perf_callchain_store(entry, next_ip);
+
+- for (;;) {
++ while (entry->nr < PERF_MAX_STACK_DEPTH) {
+ fp = (unsigned long __user *) sp;
+ if (!valid_user_sp(sp, 1) || read_user_stack_64(fp, &next_sp))
+ return;
diff --git a/patches.arch/pseries-Correct-cpu-affinity-for-dlpar-added-cpus.patch b/patches.arch/pseries-Correct-cpu-affinity-for-dlpar-added-cpus.patch
new file mode 100644
index 0000000000..622baac49b
--- /dev/null
+++ b/patches.arch/pseries-Correct-cpu-affinity-for-dlpar-added-cpus.patch
@@ -0,0 +1,49 @@
+Subject: Correct cpu affinity for dlpar added cpus
+From: nfont@linux.vnet.ibm.com
+Patch-mainline: Submitted on Apr 29 2015
+References: bsc#928970
+
+The incorrect ordering of operations during cpu dlpar causes the affinity
+of cpus being added to be invalid. Phyp does not assign affinity information
+for a cpu until the rtas set-indicator calls are made to set the isolation
+and allocation state. In the current code we call rtas configure-connector
+before making the set-indicator calls which results in invalid data in the
+ibm,associativity property for the cpu we're adding.
+
+This patch corrects the order of operations to make the set-indicator
+calls (done in acquire_drc) before calling configure-connector.
+
+Signed-off-by: Nathan Fontenot <nfont at linux.vnet.ibm.com>
+Acked-by: Dinar Valeev <dvaleev@suse.com>
+
+Index: linux-3.0-SLE11-SP3/arch/powerpc/platforms/pseries/dlpar.c
+===================================================================
+--- linux-3.0-SLE11-SP3.orig/arch/powerpc/platforms/pseries/dlpar.c
++++ linux-3.0-SLE11-SP3/arch/powerpc/platforms/pseries/dlpar.c
+@@ -421,6 +421,12 @@ static ssize_t dlpar_cpu_probe(const cha
+ goto out;
+ }
+
++ rc = dlpar_acquire_drc(drc_index);
++ if (rc) {
++ rc = -EINVAL;
++ goto out;
++ }
++
+ dn = dlpar_configure_connector(drc_index);
+ if (!dn) {
+ rc = -EINVAL;
+@@ -441,13 +447,6 @@ static ssize_t dlpar_cpu_probe(const cha
+ kfree(dn->full_name);
+ dn->full_name = cpu_name;
+
+- rc = dlpar_acquire_drc(drc_index);
+- if (rc) {
+- dlpar_free_cc_nodes(dn);
+- rc = -EINVAL;
+- goto out;
+- }
+-
+ rc = dlpar_attach_node(dn);
+ if (rc) {
+ dlpar_release_drc(drc_index);
diff --git a/patches.arch/pseries-suppress-Trying-to-free-nonexistent-resource-warning.patch b/patches.arch/pseries-suppress-Trying-to-free-nonexistent-resource-warning.patch
new file mode 100644
index 0000000000..ed469e2861
--- /dev/null
+++ b/patches.arch/pseries-suppress-Trying-to-free-nonexistent-resource-warning.patch
@@ -0,0 +1,70 @@
+Git-commit d760afd4d2570653891f94e13b848e97150dc5a6
+Patch-mainline: v3.7-rc1
+Reference: bsc#927190
+From: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
+Date: Mon Oct 8 16:34:14 2012 -0700
+Subject:memory-hotplug: suppress "Trying to free nonexistent resource <XXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYY>" warning
+
+When our x86 box calls __remove_pages(), release_mem_region() shows many
+warnings. And x86 box cannot unregister iomem_resource.
+
+ "Trying to free nonexistent resource <XXXXXXXXXXXXXXXX-YYYYYYYYYYYYYYYY>"
+
+release_mem_region() has been changed to be called in each
+PAGES_PER_SECTION by commit de7f0cba9678 ("memory hotplug: release
+memory regions in PAGES_PER_SECTION chunks"). Because powerpc registers
+iomem_resource in each PAGES_PER_SECTION chunk. But when I hot add
+memory on x86 box, iomem_resource is register in each _CRS not
+PAGES_PER_SECTION chunk. So x86 box unregisters iomem_resource.
+
+The patch fixes the problem.
+
+Signed-off-by: Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Jiang Liu <liuj97@gmail.com>
+Cc: Len Brown <len.brown@intel.com>
+Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Cc: Paul Mackerras <paulus@samba.org>
+Cc: Christoph Lameter <cl@linux.com>
+Cc: Minchan Kim <minchan.kim@gmail.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: Wen Congyang <wency@cn.fujitsu.com>
+Cc: Dave Hansen <dave@linux.vnet.ibm.com>
+Cc: Nathan Fontenot <nfont@austin.ibm.com>
+Cc: Badari Pulavarty <pbadari@us.ibm.com>
+Cc: Yasunori Goto <y-goto@jp.fujitsu.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Dinar Valeev <dvaleev@suse.com>
+
+Index: linux-3.0-SLE11-SP3/arch/powerpc/platforms/pseries/hotplug-memory.c
+===================================================================
+--- linux-3.0-SLE11-SP3.orig/arch/powerpc/platforms/pseries/hotplug-memory.c
++++ linux-3.0-SLE11-SP3/arch/powerpc/platforms/pseries/hotplug-memory.c
+@@ -78,6 +78,8 @@ static int pseries_remove_memblock(unsig
+ unsigned long start, start_pfn;
+ struct zone *zone;
+ int ret;
++ unsigned long section;
++ unsigned long sections_to_remove;
+
+ start_pfn = base >> PAGE_SHIFT;
+
+@@ -97,9 +99,13 @@ static int pseries_remove_memblock(unsig
+ * to sysfs "state" file and we can't remove sysfs entries
+ * while writing to it. So we have to defer it to here.
+ */
+- ret = __remove_pages(zone, start_pfn, memblock_size >> PAGE_SHIFT);
+- if (ret)
+- return ret;
++ sections_to_remove = (memblock_size >> PAGE_SHIFT) / PAGES_PER_SECTION;
++ for (section = 0; section < sections_to_remove; section++) {
++ unsigned long pfn = start_pfn + section * PAGES_PER_SECTION;
++ ret = __remove_pages(zone, pfn, PAGES_PER_SECTION);
++ if (ret)
++ return ret;
++ }
+
+ /*
+ * Update memory regions for memory remove
diff --git a/patches.arch/revert-ppc-ddw-extend-dynamic-DMA-Window-functionality b/patches.arch/revert-ppc-ddw-extend-dynamic-DMA-Window-functionality
new file mode 100644
index 0000000000..985c6336d8
--- /dev/null
+++ b/patches.arch/revert-ppc-ddw-extend-dynamic-DMA-Window-functionality
@@ -0,0 +1,201 @@
+Git-commit: ae69e1eddc646ff8dc1d5439005d1f82c33f9ae7
+Reference: bsc#926016
+Patch-mainline: v3.14-rc1
+From: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Date: Fri, 10 Jan 2014 15:09:38 -0800
+Subject: [PATCH] Revert "powerpc/pseries/iommu: remove default window before
+ attempting DDW manipulation"
+
+Ben rightfully pointed out that there is a race in the "newer" DDW code.
+Presuming we are running on recent enough firmware that supports the
+"reset" DDW manipulation call, we currently always remove the base
+32-bit DMA window in order to maximize the resources for Phyp when
+creating the 64-bit window. However, this can be problematic for the
+case where multiple functions are in the same PE (partitionable
+endpoint), where some funtions might be 32-bit DMA only. All of a
+sudden, the only functional DMA window for such functions is gone. We
+will have serious errors in such situations. The best solution is simply
+to revert the extension to the DDW code where we ever remove the base
+DMA window.
+
+This reverts commit 25ebc45b93452d0bc60271f178237123c4b26808.
+
+Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Dinar Valeev <dvaleev@suse.com>
+---
+ arch/powerpc/platforms/pseries/iommu.c | 86 +++++++---------------------------
+ 1 file changed, 17 insertions(+), 69 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
+index e029918..bb2e16c 100644
+--- a/arch/powerpc/platforms/pseries/iommu.c
++++ b/arch/powerpc/platforms/pseries/iommu.c
+@@ -662,21 +662,6 @@ static int __init disable_ddw_setup(char
+
+ early_param("disable_ddw", disable_ddw_setup);
+
+-static inline void __remove_ddw(struct device_node *np, const u32 *ddw_avail, u64 liobn)
+-{
+- int ret;
+-
+- ret = rtas_call(ddw_avail[2], 1, 1, NULL, liobn);
+- if (ret)
+- pr_warning("%s: failed to remove DMA window: rtas returned "
+- "%d to ibm,remove-pe-dma-window(%x) %llx\n",
+- np->full_name, ret, ddw_avail[2], liobn);
+- else
+- pr_debug("%s: successfully removed DMA window: rtas returned "
+- "%d to ibm,remove-pe-dma-window(%x) %llx\n",
+- np->full_name, ret, ddw_avail[2], liobn);
+-}
+-
+ static void remove_ddw(struct device_node *np)
+ {
+ struct dynamic_dma_window_prop *dwp;
+@@ -706,7 +691,15 @@ static void remove_ddw(struct device_nod
+ pr_debug("%s successfully cleared tces in window.\n",
+ np->full_name);
+
+- __remove_ddw(np, ddw_avail, liobn);
++ ret = rtas_call(ddw_avail[2], 1, 1, NULL, liobn);
++ if (ret)
++ pr_warning("%s: failed to remove direct window: rtas returned "
++ "%d to ibm,remove-pe-dma-window(%x) %llx\n",
++ np->full_name, ret, ddw_avail[2], liobn);
++ else
++ pr_debug("%s: successfully removed direct window: rtas returned "
++ "%d to ibm,remove-pe-dma-window(%x) %llx\n",
++ np->full_name, ret, ddw_avail[2], liobn);
+
+ delprop:
+ ret = prom_remove_property(np, win64);
+@@ -870,12 +863,6 @@ static int create_ddw(struct pci_dev *de
+ return ret;
+ }
+
+-static void restore_default_window(struct pci_dev *dev,
+- u32 ddw_restore_token)
+-{
+- __restore_default_window(pci_device_to_OF_node(dev), ddw_restore_token);
+-}
+-
+ struct failed_ddw_pdn {
+ struct device_node *pdn;
+ struct list_head list;
+@@ -903,13 +890,9 @@ static u64 enable_ddw(struct pci_dev *de
+ u64 dma_addr, max_addr;
+ struct device_node *dn;
+ const u32 *uninitialized_var(ddw_avail);
+- const u32 *uninitialized_var(ddw_extensions);
+- u32 ddw_restore_token = 0;
+ struct direct_window *window;
+ struct property *win64;
+ struct dynamic_dma_window_prop *ddwprop;
+- const void *dma_window = NULL;
+- unsigned long liobn, offset, size;
+ struct failed_ddw_pdn *fpdn;
+
+ mutex_lock(&direct_window_init_mutex);
+@@ -939,42 +922,9 @@ static u64 enable_ddw(struct pci_dev *de
+ */
+ ddw_avail = of_get_property(pdn, "ibm,ddw-applicable", &len);
+ if (!ddw_avail || len < 3 * sizeof(u32))
+- goto out_unlock;
++ goto out_failed;
+
+- /*
+- * the extensions property is only required to exist in certain
+- * levels of firmware and later
+- * the ibm,ddw-extensions property is a list with the first
+- * element containing the number of extensions and each
+- * subsequent entry is a value corresponding to that extension
+- */
+- ddw_extensions = of_get_property(pdn, "ibm,ddw-extensions", &len);
+- if (ddw_extensions) {
+- /*
+- * each new defined extension length should be added to
+- * the top of the switch so the "earlier" entries also
+- * get picked up
+- */
+- switch (ddw_extensions[0]) {
+- /* ibm,reset-pe-dma-windows */
+- case 1:
+- ddw_restore_token = ddw_extensions[1];
+- break;
+- }
+- }
+-
+- /*
+- * Only remove the existing DMA window if we can restore back to
+- * the default state. Removing the existing window maximizes the
+- * resources available to firmware for dynamic window creation.
+- */
+- if (ddw_restore_token) {
+- dma_window = of_get_property(pdn, "ibm,dma-window", NULL);
+- of_parse_dma_window(pdn, dma_window, &liobn, &offset, &size);
+- __remove_ddw(pdn, ddw_avail, liobn);
+- }
+-
+- /*
++ /*
+ * Query if there is a second window of size to map the
+ * whole partition. Query returns number of windows, largest
+ * block assigned to PE (partition endpoint), and two bitmasks
+@@ -983,7 +933,7 @@ static u64 enable_ddw(struct pci_dev *de
+ dn = pci_device_to_OF_node(dev);
+ ret = query_ddw(dev, ddw_avail, &query);
+ if (ret != 0)
+- goto out_restore_window;
++ goto out_failed;
+
+ if (query.windows_available == 0) {
+ /*
+@@ -992,7 +942,7 @@ static u64 enable_ddw(struct pci_dev *de
+ * trading in for a larger page size.
+ */
+ dev_dbg(&dev->dev, "no free dynamic windows");
+- goto out_restore_window;
++ goto out_failed;
+ }
+ if (query.page_size & 4) {
+ page_shift = 24; /* 16MB */
+@@ -1003,7 +953,7 @@ static u64 enable_ddw(struct pci_dev *de
+ } else {
+ dev_dbg(&dev->dev, "no supported direct page size in mask %x",
+ query.page_size);
+- goto out_restore_window;
++ goto out_failed;
+ }
+ /* verify the window * number of ptes will map the partition */
+ /* check largest block * page size > max memory hotplug addr */
+@@ -1012,14 +962,14 @@ static u64 enable_ddw(struct pci_dev *de
+ dev_dbg(&dev->dev, "can't map partiton max 0x%llx with %u "
+ "%llu-sized pages\n", max_addr, query.largest_available_block,
+ 1ULL << page_shift);
+- goto out_restore_window;
++ goto out_failed;
+ }
+ len = order_base_2(max_addr);
+ win64 = kzalloc(sizeof(struct property), GFP_KERNEL);
+ if (!win64) {
+ dev_info(&dev->dev,
+ "couldn't allocate property for 64bit dma window\n");
+- goto out_restore_window;
++ goto out_failed;
+ }
+ win64->name = kstrdup(DIRECT64_PROPNAME, GFP_KERNEL);
+ win64->value = ddwprop = kmalloc(sizeof(*ddwprop), GFP_KERNEL);
+@@ -1078,9 +1028,7 @@ out_free_prop:
+ kfree(win64->value);
+ kfree(win64);
+
+-out_restore_window:
+- if (ddw_restore_token)
+- restore_default_window(dev, ddw_restore_token);
++out_failed:
+
+ fpdn = kzalloc(sizeof(*fpdn), GFP_KERNEL);
+ if (!fpdn)
+--
+2.1.4
diff --git a/patches.arch/revert-ppc-remove-ddw-on-kexec b/patches.arch/revert-ppc-remove-ddw-on-kexec
new file mode 100644
index 0000000000..02a7654cf0
--- /dev/null
+++ b/patches.arch/revert-ppc-remove-ddw-on-kexec
@@ -0,0 +1,121 @@
+Git-commit: 97e7dc523acaa335d44517b06ef5609b3ee65c6a
+Reference: bsc#926016
+Patch-mainline: v3.14-rc1
+From: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Date: Fri, 10 Jan 2014 15:10:41 -0800
+Subject: [PATCH] Revert "pseries/iommu: Remove DDW on kexec"
+
+After reverting 25ebc45b93452d0bc60271f178237123c4b26808
+("powerpc/pseries/iommu: remove default window before attempting DDW
+manipulation"), we no longer remove the base window in enable_ddw.
+Therefore, we no longer need to reset the DMA window state in
+find_existing_ddw_windows(). We can instead go back to what was done
+before, which simply reuses the previous configuration, if any. Further,
+this removes the final caller of the reset-pe-dma-windows call, so
+remove those functions.
+
+This fixes an EEH on kdump with the ipr driver. The EEH occurs, because
+the initcall removes the DDW configuration (64-bit DMA window), but
+doesn't ensure the ops are via the IOMMU -- a DMA operation occurs
+during probe (still investigating this) and we EEH.
+
+This reverts commit 14b6f00f8a4fdec5ccd45a0710284de301a61628.
+
+Signed-off-by: Nishanth Aravamudan <nacc@linux.vnet.ibm.com>
+Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
+Acked-by: Dinar Valeev <dvaleev@suse.com>
+---
+ arch/powerpc/platforms/pseries/iommu.c | 63 ++++++++--------------------------
+ 1 file changed, 14 insertions(+), 49 deletions(-)
+
+diff --git a/arch/powerpc/platforms/pseries/iommu.c b/arch/powerpc/platforms/pseries/iommu.c
+index bb2e16c..33b552f 100644
+--- a/arch/powerpc/platforms/pseries/iommu.c
++++ b/arch/powerpc/platforms/pseries/iommu.c
+@@ -728,69 +728,33 @@ static u64 find_existing_ddw(struct devi
+ return dma_addr;
+ }
+
+-static void __restore_default_window(struct device_node *dn,
+- u32 ddw_restore_token)
+-{
+- struct pci_dn *pcidn;
+- u32 cfg_addr;
+- u64 buid;
+- int ret;
+-
+- /*
+- * Get the config address and phb buid of the PE window.
+- * Rely on eeh to retrieve this for us.
+- * Retrieve them from the pci device, not the node with the
+- * dma-window property
+- */
+- pcidn = PCI_DN(dn);
+- cfg_addr = pcidn->eeh_config_addr;
+- if (pcidn->eeh_pe_config_addr)
+- cfg_addr = pcidn->eeh_pe_config_addr;
+- buid = pcidn->phb->buid;
+-
+- do {
+- ret = rtas_call(ddw_restore_token, 3, 1, NULL, cfg_addr,
+- BUID_HI(buid), BUID_LO(buid));
+- } while (rtas_busy_delay(ret));
+- pr_info("ibm,reset-pe-dma-windows(%x) %x %x %x returned %d\n",
+- ddw_restore_token, cfg_addr, BUID_HI(buid), BUID_LO(buid), ret);
+-}
+-
+ static int find_existing_ddw_windows(void)
+ {
++ int len;
+ struct device_node *pdn;
++ struct direct_window *window;
+ const struct dynamic_dma_window_prop *direct64;
+- const u32 *ddw_extensions;
+
+ if (!firmware_has_feature(FW_FEATURE_LPAR))
+ return 0;
+
+ for_each_node_with_property(pdn, DIRECT64_PROPNAME) {
+- direct64 = of_get_property(pdn, DIRECT64_PROPNAME, NULL);
++ direct64 = of_get_property(pdn, DIRECT64_PROPNAME, &len);
+ if (!direct64)
+ continue;
+
+- /*
+- * We need to ensure the IOMMU table is active when we
+- * return from the IOMMU setup so that the common code
+- * can clear the table or find the holes. To that end,
+- * first, remove any existing DDW configuration.
+- */
+- remove_ddw(pdn);
+-
+- /*
+- * Second, if we are running on a new enough level of
+- * firmware where the restore API is present, use it to
+- * restore the 32-bit window, which was removed in
+- * create_ddw.
+- * If the API is not present, then create_ddw couldn't
+- * have removed the 32-bit window in the first place, so
+- * removing the DDW configuration should be sufficient.
+- */
+- ddw_extensions = of_get_property(pdn, "ibm,ddw-extensions",
+- NULL);
+- if (ddw_extensions && ddw_extensions[0] > 0)
+- __restore_default_window(pdn, ddw_extensions[1]);
++ window = kzalloc(sizeof(*window), GFP_KERNEL);
++ if (!window || len < sizeof(struct dynamic_dma_window_prop)) {
++ kfree(window);
++ remove_ddw(pdn);
++ continue;
++ }
++
++ window->device = pdn;
++ window->prop = direct64;
++ spin_lock(&direct_window_list_lock);
++ list_add(&window->list, &direct_window_list);
++ spin_unlock(&direct_window_list_lock);
+ }
+
+ return 0;
+--
+2.1.4
diff --git a/patches.fixes/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id.patch b/patches.fixes/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id.patch
new file mode 100644
index 0000000000..21d8c8b4a9
--- /dev/null
+++ b/patches.fixes/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id.patch
@@ -0,0 +1,110 @@
+From: Jann Horn <jann@thejh.net>
+Date: Sun, 19 Apr 2015 02:48:39 +0200
+Subject: fs: take i_mutex during prepare_binprm for set[ug]id executables
+Git-commit: 8b01fc86b9f425899f8a3a8fc1c47d73c2c20543
+Patch-mainline: v4.1-rc1
+References: CVE-2015-3339 bnc#928130
+
+This prevents a race between chown() and execve(), where chowning a
+setuid-user binary to root would momentarily make the binary setuid
+root.
+
+This patch was mostly written by Linus Torvalds.
+
+Signed-off-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Acked-by: Miklos Szeredi <mszeredi@suse.cz>
+---
+ fs/exec.c | 69 ++++++++++++++++++++++++++++++++++++++------------------------
+ 1 file changed, 43 insertions(+), 26 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -1291,6 +1291,48 @@ int check_unsafe_exec(struct linux_binpr
+ return res;
+ }
+
++static void bprm_fill_uid(struct linux_binprm *bprm)
++{
++ struct inode *inode;
++ unsigned int mode;
++ uid_t uid;
++ gid_t gid;
++
++ /* clear any previous set[ug]id data from a previous binary */
++ bprm->cred->euid = current_euid();
++ bprm->cred->egid = current_egid();
++
++ if (bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID)
++ return;
++
++ if (current->no_new_privs)
++ return;
++
++ inode = bprm->file->f_path.dentry->d_inode;
++ mode = ACCESS_ONCE(inode->i_mode);
++ if (!(mode & (S_ISUID|S_ISGID)))
++ return;
++
++ /* Be careful if suid/sgid is set */
++ mutex_lock(&inode->i_mutex);
++
++ /* reload atomically mode/uid/gid now that lock held */
++ mode = inode->i_mode;
++ uid = inode->i_uid;
++ gid = inode->i_gid;
++ mutex_unlock(&inode->i_mutex);
++
++ if (mode & S_ISUID) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->euid = uid;
++ }
++
++ if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
++ bprm->per_clear |= PER_CLEAR_ON_SETID;
++ bprm->cred->egid = gid;
++ }
++}
++
+ /*
+ * Fill the binprm structure from the inode.
+ * Check permissions, then read the first 128 (BINPRM_BUF_SIZE) bytes
+@@ -1299,37 +1341,12 @@ int check_unsafe_exec(struct linux_binpr
+ */
+ int prepare_binprm(struct linux_binprm *bprm)
+ {
+- umode_t mode;
+- struct inode * inode = bprm->file->f_path.dentry->d_inode;
+ int retval;
+
+- mode = inode->i_mode;
+ if (bprm->file->f_op == NULL)
+ return -EACCES;
+
+- /* clear any previous set[ug]id data from a previous binary */
+- bprm->cred->euid = current_euid();
+- bprm->cred->egid = current_egid();
+-
+- if (!(bprm->file->f_path.mnt->mnt_flags & MNT_NOSUID) &&
+- !current->no_new_privs) {
+- /* Set-uid? */
+- if (mode & S_ISUID) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->euid = inode->i_uid;
+- }
+-
+- /* Set-gid? */
+- /*
+- * If setgid is set but no group execute bit then this
+- * is a candidate for mandatory locking, not a setgid
+- * executable.
+- */
+- if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
+- bprm->per_clear |= PER_CLEAR_ON_SETID;
+- bprm->cred->egid = inode->i_gid;
+- }
+- }
++ bprm_fill_uid(bprm);
+
+ /* fill in binprm security blob */
+ retval = security_bprm_set_creds(bprm);
diff --git a/patches.fixes/ib-ipoib-add-missing-locking-when-cm-object-is-delet.patch b/patches.fixes/ib-ipoib-add-missing-locking-when-cm-object-is-delet.patch
new file mode 100644
index 0000000000..d70717a21c
--- /dev/null
+++ b/patches.fixes/ib-ipoib-add-missing-locking-when-cm-object-is-delet.patch
@@ -0,0 +1,47 @@
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Subject: IB/ipoib: Add missing locking when CM object is deleted
+Git-commit: fa16ebed31f336e41970f3f0ea9e8279f6be2d27
+Patch-mainline: v3.6
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+Commit b63b70d87741 ("IPoIB: Use a private hash table for path lookup
+in xmit path") introduced a bug where in ipoib_cm_destroy_tx() a CM
+object is moved between lists without any supported locking. Under a
+stress test, this eventually leads to list corruption and a crash.
+
+Previously when this routine was called, callers were taking the
+device priv lock. Currently this function is called from the RCU
+callback associated with neighbour deletion. Fix the race by taking
+the same lock we used to before.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+index f9559fb..b2f2220c 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+@@ -1282,12 +1282,15 @@ struct ipoib_cm_tx *ipoib_cm_create_tx(struct net_device *dev, struct ipoib_path
+ void ipoib_cm_destroy_tx(struct ipoib_cm_tx *tx)
+ {
+ struct ipoib_dev_priv *priv = netdev_priv(tx->dev);
++ unsigned long flags;
+ if (test_and_clear_bit(IPOIB_FLAG_INITIALIZED, &tx->flags)) {
++ spin_lock_irqsave(&priv->lock, flags);
+ list_move(&tx->list, &priv->cm.reap_list);
+ queue_work(ipoib_workqueue, &priv->cm.reap_task);
+ ipoib_dbg(priv, "Reap connection for gid %pI6\n",
+ tx->neigh->daddr + 4);
+ tx->neigh = NULL;
++ spin_unlock_irqrestore(&priv->lock, flags);
+ }
+ }
+
+--
+1.8.4.5
+
diff --git a/patches.fixes/ib-ipoib-fix-rcu-pointer-dereference-of-wrong-object.patch b/patches.fixes/ib-ipoib-fix-rcu-pointer-dereference-of-wrong-object.patch
new file mode 100644
index 0000000000..abb748e323
--- /dev/null
+++ b/patches.fixes/ib-ipoib-fix-rcu-pointer-dereference-of-wrong-object.patch
@@ -0,0 +1,35 @@
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Subject: IB/ipoib: Fix RCU pointer dereference of wrong object
+Git-commit: 6c723a68c661008adf415ee90efe5f737e928ce0
+Patch-mainline: v3.6
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+Commit b63b70d87741 ("IPoIB: Use a private hash table for path lookup
+in xmit path") introduced a bug where in ipoib_neigh_free() (which is
+called from a few errors flows in the driver), rcu_dereference() is
+invoked with the wrong pointer object, which results in a crash.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 8af59b2..d9e4856 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1063,7 +1063,7 @@ void ipoib_neigh_free(struct ipoib_neigh *neigh)
+ for (n = rcu_dereference_protected(*np,
+ lockdep_is_held(&ntbl->rwlock));
+ n != NULL;
+- n = rcu_dereference_protected(neigh->hnext,
++ n = rcu_dereference_protected(*np,
+ lockdep_is_held(&ntbl->rwlock))) {
+ if (n == neigh) {
+ /* found */
+--
+1.8.4.5
+
diff --git a/patches.fixes/ipoib-fix-ab-ba-deadlock-when-deleting-neighbours.patch b/patches.fixes/ipoib-fix-ab-ba-deadlock-when-deleting-neighbours.patch
new file mode 100644
index 0000000000..80b66e051e
--- /dev/null
+++ b/patches.fixes/ipoib-fix-ab-ba-deadlock-when-deleting-neighbours.patch
@@ -0,0 +1,292 @@
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Subject: IPoIB: Fix AB-BA deadlock when deleting neighbours
+Git-commit: b5120a6e11e90d98d8a752545ac60bfa1ea95f1a
+Patch-mainline: v3.6
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+Lockdep points out a circular locking dependency betwwen the ipoib
+device priv spinlock (priv->lock) and the neighbour table rwlock
+(ntbl->rwlock).
+
+In the normal path, ie neigbour garbage collection task, the neigh
+table rwlock is taken first and then if the neighbour needs to be
+deleted, priv->lock is taken.
+
+However in some error paths, such as in ipoib_cm_handle_tx_wc(),
+priv->lock is taken first and then ipoib_neigh_free routine is called
+which in turn takes the neighbour table ntbl->rwlock.
+
+The solution is to get rid the neigh table rwlock completely and use
+only priv->lock.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib.h | 1 -
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 70 ++++++++++----------------
+ drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 2 -
+ 3 files changed, 27 insertions(+), 46 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
+index 02b646b..724673f 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib.h
++++ b/drivers/infiniband/ulp/ipoib/ipoib.h
+@@ -274,7 +274,6 @@ struct ipoib_neigh_hash {
+
+ struct ipoib_neigh_table {
+ struct ipoib_neigh_hash __rcu *htbl;
+- rwlock_t rwlock;
+ atomic_t entries;
+ struct completion flushed;
+ struct completion deleted;
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index ccf8864..e4984d9 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -557,15 +557,15 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+ struct ipoib_neigh *neigh;
+ unsigned long flags;
+
++ spin_lock_irqsave(&priv->lock, flags);
+ neigh = ipoib_neigh_alloc(daddr, dev);
+ if (!neigh) {
++ spin_unlock_irqrestore(&priv->lock, flags);
+ ++dev->stats.tx_dropped;
+ dev_kfree_skb_any(skb);
+ return;
+ }
+
+- spin_lock_irqsave(&priv->lock, flags);
+-
+ path = __path_find(dev, daddr + 4);
+ if (!path) {
+ path = path_rec_create(dev, daddr + 4);
+@@ -874,10 +874,10 @@ static void __ipoib_reap_neigh(struct ipoib_dev_priv *priv)
+ if (test_bit(IPOIB_STOP_NEIGH_GC, &priv->flags))
+ return;
+
+- write_lock_bh(&ntbl->rwlock);
++ spin_lock_irqsave(&priv->lock, flags);
+
+ htbl = rcu_dereference_protected(ntbl->htbl,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+
+ if (!htbl)
+ goto out_unlock;
+@@ -894,16 +894,14 @@ static void __ipoib_reap_neigh(struct ipoib_dev_priv *priv)
+ struct ipoib_neigh __rcu **np = &htbl->buckets[i];
+
+ while ((neigh = rcu_dereference_protected(*np,
+- lockdep_is_held(&ntbl->rwlock))) != NULL) {
++ lockdep_is_held(&priv->lock))) != NULL) {
+ /* was the neigh idle for two GC periods */
+ if (time_after(neigh_obsolete, neigh->alive)) {
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(neigh->hnext,
+- lockdep_is_held(&ntbl->rwlock)));
++ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- spin_lock_irqsave(&priv->lock, flags);
+ list_del(&neigh->list);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -913,7 +911,7 @@ static void __ipoib_reap_neigh(struct ipoib_dev_priv *priv)
+ }
+
+ out_unlock:
+- write_unlock_bh(&ntbl->rwlock);
++ spin_unlock_irqrestore(&priv->lock, flags);
+ }
+
+ static void ipoib_reap_neigh(struct work_struct *work)
+@@ -958,10 +956,8 @@ struct ipoib_neigh *ipoib_neigh_alloc(u8 *daddr,
+ struct ipoib_neigh *neigh;
+ u32 hash_val;
+
+- write_lock_bh(&ntbl->rwlock);
+-
+ htbl = rcu_dereference_protected(ntbl->htbl,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+ if (!htbl) {
+ neigh = NULL;
+ goto out_unlock;
+@@ -972,10 +968,10 @@ struct ipoib_neigh *ipoib_neigh_alloc(u8 *daddr,
+ */
+ hash_val = ipoib_addr_hash(htbl, daddr);
+ for (neigh = rcu_dereference_protected(htbl->buckets[hash_val],
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+ neigh != NULL;
+ neigh = rcu_dereference_protected(neigh->hnext,
+- lockdep_is_held(&ntbl->rwlock))) {
++ lockdep_is_held(&priv->lock))) {
+ if (memcmp(daddr, neigh->daddr, INFINIBAND_ALEN) == 0) {
+ /* found, take one ref on behalf of the caller */
+ if (!atomic_inc_not_zero(&neigh->refcnt)) {
+@@ -998,12 +994,11 @@ struct ipoib_neigh *ipoib_neigh_alloc(u8 *daddr,
+ /* put in hash */
+ rcu_assign_pointer(neigh->hnext,
+ rcu_dereference_protected(htbl->buckets[hash_val],
+- lockdep_is_held(&ntbl->rwlock)));
++ lockdep_is_held(&priv->lock)));
+ rcu_assign_pointer(htbl->buckets[hash_val], neigh);
+ atomic_inc(&ntbl->entries);
+
+ out_unlock:
+- write_unlock_bh(&ntbl->rwlock);
+
+ return neigh;
+ }
+@@ -1051,35 +1046,29 @@ void ipoib_neigh_free(struct ipoib_neigh *neigh)
+ struct ipoib_neigh *n;
+ u32 hash_val;
+
+- write_lock_bh(&ntbl->rwlock);
+-
+ htbl = rcu_dereference_protected(ntbl->htbl,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+ if (!htbl)
+- goto out_unlock;
++ return;
+
+ hash_val = ipoib_addr_hash(htbl, neigh->daddr);
+ np = &htbl->buckets[hash_val];
+ for (n = rcu_dereference_protected(*np,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+ n != NULL;
+ n = rcu_dereference_protected(*np,
+- lockdep_is_held(&ntbl->rwlock))) {
++ lockdep_is_held(&priv->lock))) {
+ if (n == neigh) {
+ /* found */
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(neigh->hnext,
+- lockdep_is_held(&ntbl->rwlock)));
++ lockdep_is_held(&priv->lock)));
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+- goto out_unlock;
++ return;
+ } else {
+ np = &n->hnext;
+ }
+ }
+-
+-out_unlock:
+- write_unlock_bh(&ntbl->rwlock);
+-
+ }
+
+ static int ipoib_neigh_hash_init(struct ipoib_dev_priv *priv)
+@@ -1091,7 +1080,6 @@ static int ipoib_neigh_hash_init(struct ipoib_dev_priv *priv)
+
+ clear_bit(IPOIB_NEIGH_TBL_FLUSH, &priv->flags);
+ ntbl->htbl = NULL;
+- rwlock_init(&ntbl->rwlock);
+ htbl = kzalloc(sizeof(*htbl), GFP_KERNEL);
+ if (!htbl)
+ return -ENOMEM;
+@@ -1139,10 +1127,10 @@ void ipoib_del_neighs_by_gid(struct net_device *dev, u8 *gid)
+ int i;
+
+ /* remove all neigh connected to a given path or mcast */
+- write_lock_bh(&ntbl->rwlock);
++ spin_lock_irqsave(&priv->lock, flags);
+
+ htbl = rcu_dereference_protected(ntbl->htbl,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+
+ if (!htbl)
+ goto out_unlock;
+@@ -1152,16 +1140,14 @@ void ipoib_del_neighs_by_gid(struct net_device *dev, u8 *gid)
+ struct ipoib_neigh __rcu **np = &htbl->buckets[i];
+
+ while ((neigh = rcu_dereference_protected(*np,
+- lockdep_is_held(&ntbl->rwlock))) != NULL) {
++ lockdep_is_held(&priv->lock))) != NULL) {
+ /* delete neighs belong to this parent */
+ if (!memcmp(gid, neigh->daddr + 4, sizeof (union ib_gid))) {
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(neigh->hnext,
+- lockdep_is_held(&ntbl->rwlock)));
++ lockdep_is_held(&priv->lock)));
+ /* remove from parent list */
+- spin_lock_irqsave(&priv->lock, flags);
+ list_del(&neigh->list);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ } else {
+ np = &neigh->hnext;
+@@ -1170,7 +1156,7 @@ void ipoib_del_neighs_by_gid(struct net_device *dev, u8 *gid)
+ }
+ }
+ out_unlock:
+- write_unlock_bh(&ntbl->rwlock);
++ spin_unlock_irqrestore(&priv->lock, flags);
+ }
+
+ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+@@ -1182,10 +1168,10 @@ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+
+ init_completion(&priv->ntbl.flushed);
+
+- write_lock_bh(&ntbl->rwlock);
++ spin_lock_irqsave(&priv->lock, flags);
+
+ htbl = rcu_dereference_protected(ntbl->htbl,
+- lockdep_is_held(&ntbl->rwlock));
++ lockdep_is_held(&priv->lock));
+ if (!htbl)
+ goto out_unlock;
+
+@@ -1198,14 +1184,12 @@ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+ struct ipoib_neigh __rcu **np = &htbl->buckets[i];
+
+ while ((neigh = rcu_dereference_protected(*np,
+- lockdep_is_held(&ntbl->rwlock))) != NULL) {
++ lockdep_is_held(&priv->lock))) != NULL) {
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(neigh->hnext,
+- lockdep_is_held(&ntbl->rwlock)));
++ lockdep_is_held(&priv->lock)));
+ /* remove from path/mc list */
+- spin_lock_irqsave(&priv->lock, flags);
+ list_del(&neigh->list);
+- spin_unlock_irqrestore(&priv->lock, flags);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ }
+ }
+@@ -1215,7 +1199,7 @@ free_htbl:
+ call_rcu(&htbl->rcu, neigh_hash_free_rcu);
+
+ out_unlock:
+- write_unlock_bh(&ntbl->rwlock);
++ spin_unlock_irqrestore(&priv->lock, flags);
+ if (wait_flushed)
+ wait_for_completion(&priv->ntbl.flushed);
+ }
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+index eeffe95..80e3de5 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c
+@@ -705,9 +705,7 @@ out:
+ neigh = ipoib_neigh_get(dev, daddr);
+ spin_lock_irqsave(&priv->lock, flags);
+ if (!neigh) {
+- spin_unlock_irqrestore(&priv->lock, flags);
+ neigh = ipoib_neigh_alloc(daddr, dev);
+- spin_lock_irqsave(&priv->lock, flags);
+ if (neigh) {
+ kref_get(&mcast->ah->ref);
+ neigh->ah = mcast->ah;
+--
+1.8.4.5
+
diff --git a/patches.fixes/ipoib-fix-ipoib_neigh-hashing-to-use-the-correct-dad.patch b/patches.fixes/ipoib-fix-ipoib_neigh-hashing-to-use-the-correct-dad.patch
new file mode 100644
index 0000000000..edad293af2
--- /dev/null
+++ b/patches.fixes/ipoib-fix-ipoib_neigh-hashing-to-use-the-correct-dad.patch
@@ -0,0 +1,58 @@
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Subject: IPoIB: Fix ipoib_neigh hashing to use the correct daddr octets
+Git-commit: 9d1ad66e3eae0faf3f19a618da74b4c377474845
+Patch-mainline: v3.9
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+The hash function introduced in commit b63b70d877 ("IPoIB: Use a
+private hash table for path lookup in xmit path") was designd to use
+the 3 octets of the IPoIB HW address that holds the remote QPN.
+However, this currently isn't the case on little-endian machines,
+because the the code there uses the flags part (octet[0]) and not the
+last octet of the QPN (octet[3]). Fix this.
+
+The fix caused a checkpatch warning on line over 80 characters, to
+solve that changed the name of the temp variable that holds the daddr.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib.h | 2 ++
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 4 ++--
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
+index 724673f..0d93c55 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib.h
++++ b/drivers/infiniband/ulp/ipoib/ipoib.h
+@@ -113,6 +113,8 @@ enum {
+ #define IPOIB_OP_CM (0)
+ #endif
+
++#define IPOIB_QPN_MASK ((__force u32) cpu_to_be32(0xFFFFFF))
++
+ /* structs */
+
+ struct ipoib_header {
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index e4984d9..3cb0c18 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -819,10 +819,10 @@ static u32 ipoib_addr_hash(struct ipoib_neigh_hash *htbl, u8 *daddr)
+ * different subnets.
+ */
+ /* qpn octets[1:4) & port GUID octets[12:20) */
+- u32 *daddr_32 = (u32 *) daddr;
++ u32 *d32 = (u32 *) daddr;
+ u32 hv;
+
+- hv = jhash_3words(daddr_32[3], daddr_32[4], 0xFFFFFF & daddr_32[0], 0);
++ hv = jhash_3words(d32[3], d32[4], IPOIB_QPN_MASK & d32[0], 0);
+ return hv & htbl->mask;
+ }
+
+--
+1.8.4.5
+
diff --git a/patches.fixes/ipoib-fix-memory-leak-in-the-neigh-table-deletion-fl.patch b/patches.fixes/ipoib-fix-memory-leak-in-the-neigh-table-deletion-fl.patch
new file mode 100644
index 0000000000..e1f0b3c265
--- /dev/null
+++ b/patches.fixes/ipoib-fix-memory-leak-in-the-neigh-table-deletion-fl.patch
@@ -0,0 +1,137 @@
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Subject: IPoIB: Fix memory leak in the neigh table deletion flow
+Git-commit: 66172c09938bfc4efdcf9b5e0246a85b9b76dd54
+Patch-mainline: v3.6
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+If the neighbours hash table is empty when unloading the module, then
+ipoib_flush_neighs(), the cleanup routine, isn't called and the
+memory used for the hash table itself leaked.
+
+To fix this, ipoib_flush_neighs() is allways called, and another
+completion object is added to signal when the table is freed.
+
+Once invoked, ipoib_flush_neighs() flushes all the neighbours (if
+there are any), calls the the hash table RCU free routine, which now
+signals completion of the deletion process, and waits for the last
+neighbour to be freed.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib.h | 4 ++++
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 23 +++++++++++++++++------
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib.h b/drivers/infiniband/ulp/ipoib/ipoib.h
+index 9e67894..02b646b 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib.h
++++ b/drivers/infiniband/ulp/ipoib/ipoib.h
+@@ -262,7 +262,10 @@ struct ipoib_ethtool_st {
+ u16 max_coalesced_frames;
+ };
+
++struct ipoib_neigh_table;
++
+ struct ipoib_neigh_hash {
++ struct ipoib_neigh_table *ntbl;
+ struct ipoib_neigh __rcu **buckets;
+ struct rcu_head rcu;
+ u32 mask;
+@@ -274,6 +277,7 @@ struct ipoib_neigh_table {
+ rwlock_t rwlock;
+ atomic_t entries;
+ struct completion flushed;
++ struct completion deleted;
+ };
+
+ /*
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index d9e4856..ccf8864 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -1106,6 +1106,7 @@ static int ipoib_neigh_hash_init(struct ipoib_dev_priv *priv)
+ htbl->mask = (size - 1);
+ htbl->buckets = buckets;
+ ntbl->htbl = htbl;
++ htbl->ntbl = ntbl;
+ atomic_set(&ntbl->entries, 0);
+
+ /* start garbage collection */
+@@ -1122,9 +1123,11 @@ static void neigh_hash_free_rcu(struct rcu_head *head)
+ struct ipoib_neigh_hash,
+ rcu);
+ struct ipoib_neigh __rcu **buckets = htbl->buckets;
++ struct ipoib_neigh_table *ntbl = htbl->ntbl;
+
+ kfree(buckets);
+ kfree(htbl);
++ complete(&ntbl->deleted);
+ }
+
+ void ipoib_del_neighs_by_gid(struct net_device *dev, u8 *gid)
+@@ -1175,7 +1178,9 @@ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+ struct ipoib_neigh_table *ntbl = &priv->ntbl;
+ struct ipoib_neigh_hash *htbl;
+ unsigned long flags;
+- int i;
++ int i, wait_flushed = 0;
++
++ init_completion(&priv->ntbl.flushed);
+
+ write_lock_bh(&ntbl->rwlock);
+
+@@ -1184,6 +1189,10 @@ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+ if (!htbl)
+ goto out_unlock;
+
++ wait_flushed = atomic_read(&priv->ntbl.entries);
++ if (!wait_flushed)
++ goto free_htbl;
++
+ for (i = 0; i < htbl->size; i++) {
+ struct ipoib_neigh *neigh;
+ struct ipoib_neigh __rcu **np = &htbl->buckets[i];
+@@ -1201,11 +1210,14 @@ static void ipoib_flush_neighs(struct ipoib_dev_priv *priv)
+ }
+ }
+
++free_htbl:
+ rcu_assign_pointer(ntbl->htbl, NULL);
+ call_rcu(&htbl->rcu, neigh_hash_free_rcu);
+
+ out_unlock:
+ write_unlock_bh(&ntbl->rwlock);
++ if (wait_flushed)
++ wait_for_completion(&priv->ntbl.flushed);
+ }
+
+ static void ipoib_neigh_hash_uninit(struct net_device *dev)
+@@ -1214,7 +1226,7 @@ static void ipoib_neigh_hash_uninit(struct net_device *dev)
+ int stopped;
+
+ ipoib_dbg(priv, "ipoib_neigh_hash_uninit\n");
+- init_completion(&priv->ntbl.flushed);
++ init_completion(&priv->ntbl.deleted);
+ set_bit(IPOIB_NEIGH_TBL_FLUSH, &priv->flags);
+
+ /* Stop GC if called at init fail need to cancel work */
+@@ -1222,10 +1234,9 @@ static void ipoib_neigh_hash_uninit(struct net_device *dev)
+ if (!stopped)
+ cancel_delayed_work(&priv->neigh_reap_task);
+
+- if (atomic_read(&priv->ntbl.entries)) {
+- ipoib_flush_neighs(priv);
+- wait_for_completion(&priv->ntbl.flushed);
+- }
++ ipoib_flush_neighs(priv);
++
++ wait_for_completion(&priv->ntbl.deleted);
+ }
+
+
+--
+1.8.4.5
+
diff --git a/patches.fixes/ipoib-fix-race-in-deleting-ipoib_neigh-entries.patch b/patches.fixes/ipoib-fix-race-in-deleting-ipoib_neigh-entries.patch
new file mode 100644
index 0000000000..18a1cc2abd
--- /dev/null
+++ b/patches.fixes/ipoib-fix-race-in-deleting-ipoib_neigh-entries.patch
@@ -0,0 +1,133 @@
+From: Jim Foraker <foraker1@llnl.gov>
+Subject: IPoIB: Fix race in deleting ipoib_neigh entries
+Git-commit: 49b8e74438062aba379ce5d3f91b9e6e2e9c6745
+Patch-mainline: v3.12
+References: bsc#924340
+Acked-by: Jiri Bohac <jbohac@suse.cz>
+
+In several places, this snippet is used when removing neigh entries:
+
+ list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+
+The list_del() removes neigh from the associated struct ipoib_path, while
+ipoib_neigh_free() removes neigh from the device's neigh entry lookup
+table. Both of these operations are protected by the priv->lock
+spinlock. The table however is also protected via RCU, and so naturally
+the lock is not held when doing reads.
+
+This leads to a race condition, in which a thread may successfully look
+up a neigh entry that has already been deleted from neigh->list. Since
+the previous deletion will have marked the entry with poison, a second
+list_del() on the object will cause a panic:
+
+ #5 [ffff8802338c3c70] general_protection at ffffffff815108c5
+ [exception RIP: list_del+16]
+ RIP: ffffffff81289020 RSP: ffff8802338c3d20 RFLAGS: 00010082
+ RAX: dead000000200200 RBX: ffff880433e60c88 RCX: 0000000000009e6c
+ RDX: 0000000000000246 RSI: ffff8806012ca298 RDI: ffff880433e60c88
+ RBP: ffff8802338c3d30 R8: ffff8806012ca2e8 R9: 00000000ffffffff
+ R10: 0000000000000001 R11: 0000000000000000 R12: ffff8804346b2020
+ R13: ffff88032a3e7540 R14: ffff8804346b26e0 R15: 0000000000000246
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0000
+ #6 [ffff8802338c3d38] ipoib_cm_tx_handler at ffffffffa066fe0a [ib_ipoib]
+ #7 [ffff8802338c3d98] cm_process_work at ffffffffa05149a7 [ib_cm]
+ #8 [ffff8802338c3de8] cm_work_handler at ffffffffa05161aa [ib_cm]
+ #9 [ffff8802338c3e38] worker_thread at ffffffff81090e10
+ #10 [ffff8802338c3ee8] kthread at ffffffff81096c66
+ #11 [ffff8802338c3f48] kernel_thread at ffffffff8100c0ca
+
+We move the list_del() into ipoib_neigh_free(), so that deletion happens
+only once, after the entry has been successfully removed from the lookup
+table. This same behavior is already used in ipoib_del_neighs_by_gid()
+and __ipoib_reap_neigh().
+
+Signed-off-by: Jim Foraker <foraker1@llnl.gov>
+Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
+Reviewed-by: Jack Wang <jinpu.wang@profitbricks.com>
+Reviewed-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+---
+ drivers/infiniband/ulp/ipoib/ipoib_cm.c | 3 ---
+ drivers/infiniband/ulp/ipoib/ipoib_main.c | 9 +++------
+ 2 files changed, 3 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_cm.c b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+index e4213bf..f9559fb 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_cm.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_cm.c
+@@ -819,7 +819,6 @@ void ipoib_cm_handle_tx_wc(struct net_device *dev, struct ib_wc *wc)
+
+ if (neigh) {
+ neigh->cm = NULL;
+- list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+
+ tx->neigh = NULL;
+@@ -1240,7 +1239,6 @@ static int ipoib_cm_tx_handler(struct ib_cm_id *cm_id,
+
+ if (neigh) {
+ neigh->cm = NULL;
+- list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+
+ tx->neigh = NULL;
+@@ -1328,7 +1326,6 @@ static void ipoib_cm_tx_start(struct work_struct *work)
+ neigh = p->neigh;
+ if (neigh) {
+ neigh->cm = NULL;
+- list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+ }
+ list_del(&p->list);
+diff --git a/drivers/infiniband/ulp/ipoib/ipoib_main.c b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+index 3cb0c18..1986a40 100644
+--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c
++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c
+@@ -463,7 +463,6 @@ static void path_rec_completion(int status,
+ path,
+ neigh));
+ if (!ipoib_cm_get(neigh)) {
+- list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+ continue;
+ }
+@@ -585,7 +584,6 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+ if (!ipoib_cm_get(neigh))
+ ipoib_cm_set(neigh, ipoib_cm_create_tx(dev, path, neigh));
+ if (!ipoib_cm_get(neigh)) {
+- list_del(&neigh->list);
+ ipoib_neigh_free(neigh);
+ goto err_drop;
+ }
+@@ -606,7 +604,7 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+ neigh->ah = NULL;
+
+ if (!path->query && path_rec_start(dev, path))
+- goto err_list;
++ goto err_path;
+
+ __skb_queue_tail(&neigh->queue, skb);
+ }
+@@ -615,9 +613,6 @@ static void neigh_add_path(struct sk_buff *skb, u8 *daddr,
+ ipoib_neigh_put(neigh);
+ return;
+
+-err_list:
+- list_del(&neigh->list);
+-
+ err_path:
+ ipoib_neigh_free(neigh);
+ err_drop:
+@@ -1063,6 +1058,8 @@ void ipoib_neigh_free(struct ipoib_neigh *neigh)
+ rcu_assign_pointer(*np,
+ rcu_dereference_protected(neigh->hnext,
+ lockdep_is_held(&priv->lock)));
++ /* remove from parent list */
++ list_del(&neigh->list);
+ call_rcu(&neigh->rcu, ipoib_neigh_reclaim);
+ return;
+ } else {
+--
+1.8.4.5
+
diff --git a/patches.fixes/rtc-cmos-add-more-quirks-for-TGCS.patch b/patches.fixes/rtc-cmos-add-more-quirks-for-TGCS.patch
index dc7e2996b2..9f5697cd5d 100644
--- a/patches.fixes/rtc-cmos-add-more-quirks-for-TGCS.patch
+++ b/patches.fixes/rtc-cmos-add-more-quirks-for-TGCS.patch
@@ -6,19 +6,25 @@ References: bnc#927262
The recent TGCS POS machines with Baytrail need the same workaround
like Truman model for avoiding spurious reboot at shtudown.
The model numbers are:
+ With vendor ID 'TOSHIBA':
6140 # for Darth, Ichigan
4900 # for Jade, Pearl
4810 # for Jaspar, Opal
+ 4852E7
+ 485257
+ With vendor ID 'IBM CORPORATION':
+ 4900
Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Egbert Eich <eich@suse.de>
---
- drivers/rtc/rtc-cmos.c | 27 +++++++++++++++++++++++++++
- 1 file changed, 27 insertions(+)
+ drivers/rtc/rtc-cmos.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
---- a/drivers/rtc/rtc-cmos.c
-+++ b/drivers/rtc/rtc-cmos.c
-@@ -402,6 +402,33 @@ static const struct dmi_system_id rtc_qu
+--- linux-3.0-SLE11-SP3.orig/drivers/rtc/rtc-cmos.c
++++ linux-3.0-SLE11-SP3/drivers/rtc/rtc-cmos.c
+@@ -402,6 +402,60 @@ static const struct dmi_system_id rtc_qu
DMI_MATCH(DMI_PRODUCT_NAME, "4852570"),
},
},
@@ -45,10 +51,37 @@ Signed-off-by: Takashi Iwai <tiwai@suse.de>
+ .callback = set_alarm_disable_quirk,
+ .ident = "TGCS POS",
+ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "IBM CORPORATION"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "4900"),
++ },
++ },
++ /* https://bugzilla.novell.com/show_bug.cgi?id=927262 */
++ {
++ .callback = set_alarm_disable_quirk,
++ .ident = "TGCS POS",
++ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "4810"),
+ },
+ },
++ /* https://bugzilla.novell.com/show_bug.cgi?id=927262 */
++ {
++ .callback = set_alarm_disable_quirk,
++ .ident = "TGCS POS",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "485257"),
++ },
++ },
++ /* https://bugzilla.novell.com/show_bug.cgi?id=927262 */
++ {
++ .callback = set_alarm_disable_quirk,
++ .ident = "TGCS POS",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "4852E7"),
++ },
++ },
/* https://bugzilla.novell.com/show_bug.cgi?id=812592 */
{
.callback = set_alarm_disable_quirk,
diff --git a/series.conf b/series.conf
index 46e1392a30..916f0ab6f8 100644
--- a/series.conf
+++ b/series.conf
@@ -777,6 +777,8 @@
patches.arch/ppc-restore_default_window-no-liobn
patches.arch/ppc-remove-ddw-on-kexec
+
+
patches.arch/ppc-pseries-disable-interrupts-around-IOMMU-percpu-data-accesses
patches.arch/ppc-pseries-iommu-disable-interrupts-around-percpu-data-accesses
patches.arch/ppc-iommu-reduce-spinlocking-in-iommu_free
@@ -912,6 +914,17 @@
#bsc#917839
patches.fixes/powerpc-bsc917839.patch
+
+ #bsc#928142
+ patches.arch/powerpc-perf-Cap-64bit-userspace-backtraces-to-PERF_.patch
+
+ #bsc#926016
+ patches.arch/revert-ppc-ddw-extend-dynamic-DMA-Window-functionality
+ patches.arch/revert-ppc-remove-ddw-on-kexec
+
+ #bsc#928970
+ patches.arch/pseries-Correct-cpu-affinity-for-dlpar-added-cpus.patch
+
########################################################
# S/390
########################################################
@@ -1779,6 +1792,9 @@
patches.fixes/mm-fix-BUG-in-__split_huge_page_pmd.patch
+ #bsc 927190
+ patches.arch/pseries-suppress-Trying-to-free-nonexistent-resource-warning.patch
+
# Boot time optimisations
patches.suse/x86-ioremap-Speed-up-check-for-RAM-pages.patch
patches.suse/x86-optimize-resource-lookups-for-ioremap.patch
@@ -13887,7 +13903,12 @@
patches.fixes/ipoib-convert-over-to-dev_lookup_neigh_skb.patch
patches.fixes/ipoib-need-to-do-dst_neigh_lookup_skb-outside-of-pri.patch
patches.fixes/ipoib-use-a-private-hash-table-for-path-lookup-in-xm.patch
-
+ patches.fixes/ib-ipoib-fix-rcu-pointer-dereference-of-wrong-object.patch
+ patches.fixes/ipoib-fix-memory-leak-in-the-neigh-table-deletion-fl.patch
+ patches.fixes/ipoib-fix-ab-ba-deadlock-when-deleting-neighbours.patch
+ patches.fixes/ipoib-fix-ipoib_neigh-hashing-to-use-the-correct-dad.patch
+ patches.fixes/ipoib-fix-race-in-deleting-ipoib_neigh-entries.patch
+ patches.fixes/ib-ipoib-add-missing-locking-when-cm-object-is-delet.patch
patches.fixes/net-relax-rcvbuf-limits.patch
patches.fixes/net-fix-neighbours-after-mac-change.patch
@@ -22647,6 +22668,9 @@
patches.drivers/0001-driver-core-add-bus_notify_removed_device-event
patches.drivers/0002-iommu-vt-d-only-remove-domain-when-device-is-removed
patches.drivers/iommu-vt-d-fix-dmar_domain-leak-in-iommu_attach_device
+ # CVE-2015-3339 bnc#928130
+ # This depends on SECCOMP MODE 2 patches (current->no_new_privs)
+ patches.fixes/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id.patch
########################################################
# You'd better have a good reason for adding a patch