--- /dev/null
+From c2d311553855395764e2e5bf401d987ba65c2056 Mon Sep 17 00:00:00 2001
+From: Thomas Zimmermann <tzimmermann@suse.de>
+Date: Mon, 18 Mar 2019 15:47:58 +0100
+Subject: drm/vmwgfx: Don't double-free the mode stored in par->set_mode
+
+From: Thomas Zimmermann <tzimmermann@suse.de>
+
+commit c2d311553855395764e2e5bf401d987ba65c2056 upstream.
+
+When calling vmw_fb_set_par(), the mode stored in par->set_mode gets free'd
+twice. The first free is in vmw_fb_kms_detach(), the second is near the
+end of vmw_fb_set_par() under the name of 'old_mode'. The mode-setting code
+only works correctly if the mode doesn't actually change. Removing
+'old_mode' in favor of using par->set_mode directly fixes the problem.
+
+Cc: <stable@vger.kernel.org>
+Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2")
+Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
+Reviewed-by: Deepak Rawat <drawat@vmware.com>
+Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 +++---------
+ 1 file changed, 3 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fb.c
+@@ -531,11 +531,9 @@ static int vmw_fb_set_par(struct fb_info
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ DRM_MODE_FLAG_NHSYNC | DRM_MODE_FLAG_PVSYNC)
+ };
+- struct drm_display_mode *old_mode;
+ struct drm_display_mode *mode;
+ int ret;
+
+- old_mode = par->set_mode;
+ mode = drm_mode_duplicate(vmw_priv->dev, &new_mode);
+ if (!mode) {
+ DRM_ERROR("Could not create new fb mode.\n");
+@@ -546,11 +544,7 @@ static int vmw_fb_set_par(struct fb_info
+ mode->vdisplay = var->yres;
+ vmw_guess_mode_timing(mode);
+
+- if (old_mode && drm_mode_equal(old_mode, mode)) {
+- drm_mode_destroy(vmw_priv->dev, mode);
+- mode = old_mode;
+- old_mode = NULL;
+- } else if (!vmw_kms_validate_mode_vram(vmw_priv,
++ if (!vmw_kms_validate_mode_vram(vmw_priv,
+ mode->hdisplay *
+ DIV_ROUND_UP(var->bits_per_pixel, 8),
+ mode->vdisplay)) {
+@@ -613,8 +607,8 @@ static int vmw_fb_set_par(struct fb_info
+ schedule_delayed_work(&par->local_work, 0);
+
+ out_unlock:
+- if (old_mode)
+- drm_mode_destroy(vmw_priv->dev, old_mode);
++ if (par->set_mode)
++ drm_mode_destroy(vmw_priv->dev, par->set_mode);
+ par->set_mode = mode;
+
+ drm_modeset_unlock_all(vmw_priv->dev);
--- /dev/null
+From 47c25036b60f27b86ab44b66a8861bcf81cde39b Mon Sep 17 00:00:00 2001
+From: Archer Yan <ayan@wavecomp.com>
+Date: Fri, 8 Mar 2019 03:29:19 +0000
+Subject: MIPS: Fix kernel crash for R6 in jump label branch function
+
+From: Archer Yan <ayan@wavecomp.com>
+
+commit 47c25036b60f27b86ab44b66a8861bcf81cde39b upstream.
+
+Insert Branch instruction instead of NOP to make sure assembler don't
+patch code in forbidden slot. In jump label function, it might
+be possible to patch Control Transfer Instructions(CTIs) into
+forbidden slot, which will generate Reserved Instruction exception
+in MIPS release 6.
+
+Signed-off-by: Archer Yan <ayan@wavecomp.com>
+Reviewed-by: Paul Burton <paul.burton@mips.com>
+[paul.burton@mips.com:
+ - Add MIPS prefix to subject.
+ - Mark for stable from v4.0, which introduced r6 support, onwards.]
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.0+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/include/asm/jump_label.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/mips/include/asm/jump_label.h
++++ b/arch/mips/include/asm/jump_label.h
+@@ -21,15 +21,15 @@
+ #endif
+
+ #ifdef CONFIG_CPU_MICROMIPS
+-#define NOP_INSN "nop32"
++#define B_INSN "b32"
+ #else
+-#define NOP_INSN "nop"
++#define B_INSN "b"
+ #endif
+
+ static __always_inline bool arch_static_branch(struct static_key *key, bool branch)
+ {
+- asm_volatile_goto("1:\t" NOP_INSN "\n\t"
+- "nop\n\t"
++ asm_volatile_goto("1:\t" B_INSN " 2f\n\t"
++ "2:\tnop\n\t"
+ ".pushsection __jump_table, \"aw\"\n\t"
+ WORD_INSN " 1b, %l[l_yes], %0\n\t"
+ ".popsection\n\t"
--- /dev/null
+From 5f5f67da9781770df0403269bc57d7aae608fecd Mon Sep 17 00:00:00 2001
+From: Yifeng Li <tomli@tomli.me>
+Date: Tue, 5 Mar 2019 06:00:22 +0800
+Subject: mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.
+
+From: Yifeng Li <tomli@tomli.me>
+
+commit 5f5f67da9781770df0403269bc57d7aae608fecd upstream.
+
+Timekeeping IRQs from CS5536 MFGPT are routed to i8259, which then
+triggers the "cascade" IRQ on MIPS CPU. Without IRQF_NO_SUSPEND in
+cascade_irqaction, MFGPT interrupts will be masked in suspend mode,
+and the machine would be unable to resume once suspended.
+
+Previously, MIPS IRQs were not disabled properly, so the original
+code appeared to work. Commit a3e6c1eff5 ("MIPS: IRQ: Fix disable_irq on
+CPU IRQs") uncovers the bug. To fix it, add IRQF_NO_SUSPEND to
+cascade_irqaction.
+
+This commit is functionally identical to 0add9c2f1cff ("MIPS:
+Loongson-3: Add IRQF_NO_SUSPEND to Cascade irqaction"), but it forgot
+to apply the same fix to Loongson2.
+
+Signed-off-by: Yifeng Li <tomli@tomli.me>
+Signed-off-by: Paul Burton <paul.burton@mips.com>
+Cc: linux-mips@vger.kernel.org
+Cc: Jiaxun Yang <jiaxun.yang@flygoat.com>
+Cc: Huacai Chen <chenhc@lemote.com>
+Cc: Ralf Baechle <ralf@linux-mips.org>
+Cc: James Hogan <jhogan@kernel.org>
+Cc: linux-kernel@vger.kernel.org
+Cc: stable@vger.kernel.org # v3.19+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/loongson64/lemote-2f/irq.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/loongson64/lemote-2f/irq.c
++++ b/arch/mips/loongson64/lemote-2f/irq.c
+@@ -102,7 +102,7 @@ static struct irqaction ip6_irqaction =
+ static struct irqaction cascade_irqaction = {
+ .handler = no_action,
+ .name = "cascade",
+- .flags = IRQF_NO_THREAD,
++ .flags = IRQF_NO_THREAD | IRQF_NO_SUSPEND,
+ };
+
+ void __init mach_init_irq(void)
--- /dev/null
+From e60a582bcde01158a64ff948fb799f21f5d31a11 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:09:19 +0100
+Subject: mmc: pxamci: fix enum type confusion
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit e60a582bcde01158a64ff948fb799f21f5d31a11 upstream.
+
+clang points out several instances of mismatched types in this drivers,
+all coming from a single declaration:
+
+drivers/mmc/host/pxamci.c:193:15: error: implicit conversion from enumeration type 'enum dma_transfer_direction' to
+ different enumeration type 'enum dma_data_direction' [-Werror,-Wenum-conversion]
+ direction = DMA_DEV_TO_MEM;
+ ~ ^~~~~~~~~~~~~~
+drivers/mmc/host/pxamci.c:212:62: error: implicit conversion from enumeration type 'enum dma_data_direction' to
+ different enumeration type 'enum dma_transfer_direction' [-Werror,-Wenum-conversion]
+ tx = dmaengine_prep_slave_sg(chan, data->sg, host->dma_len, direction,
+
+The behavior is correct, so this must be a simply typo from
+dma_data_direction and dma_transfer_direction being similarly named
+types with a similar purpose.
+
+Fixes: 6464b7140951 ("mmc: pxamci: switch over to dmaengine use")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/pxamci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/pxamci.c
++++ b/drivers/mmc/host/pxamci.c
+@@ -181,7 +181,7 @@ static void pxamci_dma_irq(void *param);
+ static void pxamci_setup_data(struct pxamci_host *host, struct mmc_data *data)
+ {
+ struct dma_async_tx_descriptor *tx;
+- enum dma_data_direction direction;
++ enum dma_transfer_direction direction;
+ struct dma_slave_config config;
+ struct dma_chan *chan;
+ unsigned int nob = data->blocks;
--- /dev/null
+From d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 11 Mar 2019 15:04:18 +0100
+Subject: udf: Fix crash on IO error during truncate
+
+From: Jan Kara <jack@suse.cz>
+
+commit d3ca4651d05c0ff7259d087d8c949bcf3e14fb46 upstream.
+
+When truncate(2) hits IO error when reading indirect extent block the
+code just bugs with:
+
+kernel BUG at linux-4.15.0/fs/udf/truncate.c:249!
+...
+
+Fix the problem by bailing out cleanly in case of IO error.
+
+CC: stable@vger.kernel.org
+Reported-by: jean-luc malet <jeanluc.malet@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/udf/truncate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/udf/truncate.c
++++ b/fs/udf/truncate.c
+@@ -260,6 +260,9 @@ void udf_truncate_extents(struct inode *
+ epos.block = eloc;
+ epos.bh = udf_tread(sb,
+ udf_get_lb_pblock(sb, &eloc, 0));
++ /* Error reading indirect block? */
++ if (!epos.bh)
++ return;
+ if (elen)
+ indirect_ext_len =
+ (elen + sb->s_blocksize - 1) >>
projects / thirdparty / kernel / stable-queue.git / commitdiff
