--- /dev/null
+From d88c93f090f708c18195553b352b9f205e65418f Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 23 Jan 2019 11:27:02 +0100
+Subject: debugfs: fix debugfs_rename parameter checking
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit d88c93f090f708c18195553b352b9f205e65418f upstream.
+
+debugfs_rename() needs to check that the dentries passed into it really
+are valid, as sometimes they are not (i.e. if the return value of
+another debugfs call is passed into this one.) So fix this up by
+properly checking if the two parent directories are errors (they are
+allowed to be NULL), and if the dentry to rename is not NULL or an
+error.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/debugfs/inode.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/debugfs/inode.c
++++ b/fs/debugfs/inode.c
+@@ -787,6 +787,13 @@ struct dentry *debugfs_rename(struct den
+ struct dentry *dentry = NULL, *trap;
+ struct name_snapshot old_name;
+
++ if (IS_ERR(old_dir))
++ return old_dir;
++ if (IS_ERR(new_dir))
++ return new_dir;
++ if (IS_ERR_OR_NULL(old_dentry))
++ return old_dentry;
++
+ trap = lock_rename(new_dir, old_dir);
+ /* Source or destination directories don't exist? */
+ if (d_really_is_negative(old_dir) || d_really_is_negative(new_dir))
--- /dev/null
+From 9bcf15f75cac3c6a00d8f8083a635de9c8537799 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sat, 5 Jan 2019 19:36:18 +0100
+Subject: iio: adc: axp288: Fix TS-pin handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 9bcf15f75cac3c6a00d8f8083a635de9c8537799 upstream.
+
+Prior to this commit there were 3 issues with our handling of the TS-pin:
+
+1) There are 2 ways how the firmware can disable monitoring of the TS-pin
+for designs which do not have a temperature-sensor for the battery:
+a) Clearing bit 0 of the AXP20X_ADC_EN1 register
+b) Setting bit 2 of the AXP288_ADC_TS_PIN_CTRL monitoring
+
+Prior to this commit we were unconditionally setting both bits to the
+value used on devices with a TS. This causes the temperature protection to
+kick in on devices without a TS, such as the Jumper ezbook v2, causing
+them to not charge under Linux.
+
+This commit fixes this by using regmap_update_bits when updating these 2
+registers, leaving the 2 mentioned bits alone.
+
+The next 2 problems are related to our handling of the current-source
+for the TS-pin. The current-source used for the battery temp-sensor (TS)
+is shared with the GPADC. For proper fuel-gauge and charger operation the
+TS current-source needs to be permanently on. But to read the GPADC we
+need to temporary switch the TS current-source to ondemand, so that the
+GPADC can use it, otherwise we will always read an all 0 value.
+
+2) Problem 2 is we were writing hardcoded values to the ADC TS pin-ctrl
+register, overwriting various other unrelated bits. Specifically we were
+overwriting the current-source setting for the TS and GPIO0 pins, forcing
+it to 80ųA independent of its original setting. On a Chuwi Vi10 tablet
+this was causing us to get a too high adc value (due to a too high
+current-source) resulting in the following errors being logged:
+
+ACPI Error: AE_ERROR, Returned by Handler for [UserDefinedRegion]
+ACPI Error: Method parse/execution failed \_SB.SXP1._TMP, AE_ERROR
+
+This commit fixes this by using regmap_update_bits to change only the
+relevant bits.
+
+3) After reading the GPADC channel we were unconditionally enabling the
+TS current-source even on devices where the TS-pin is not used and the
+current-source thus was off before axp288_adc_read_raw call.
+
+This commit fixes this by making axp288_adc_set_ts a nop on devices where
+the ADC is not enabled for the TS-pin.
+
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1610545
+Fixes: 3091141d7803 ("iio: adc: axp288: Fix the GPADC pin ...")
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/axp288_adc.c | 76 +++++++++++++++++++++++++++++++++----------
+ 1 file changed, 60 insertions(+), 16 deletions(-)
+
+--- a/drivers/iio/adc/axp288_adc.c
++++ b/drivers/iio/adc/axp288_adc.c
+@@ -27,9 +27,18 @@
+ #include <linux/iio/machine.h>
+ #include <linux/iio/driver.h>
+
+-#define AXP288_ADC_EN_MASK 0xF1
+-#define AXP288_ADC_TS_PIN_GPADC 0xF2
+-#define AXP288_ADC_TS_PIN_ON 0xF3
++/*
++ * This mask enables all ADCs except for the battery temp-sensor (TS), that is
++ * left as-is to avoid breaking charging on devices without a temp-sensor.
++ */
++#define AXP288_ADC_EN_MASK 0xF0
++#define AXP288_ADC_TS_ENABLE 0x01
++
++#define AXP288_ADC_TS_CURRENT_ON_OFF_MASK GENMASK(1, 0)
++#define AXP288_ADC_TS_CURRENT_OFF (0 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_WHEN_CHARGING (1 << 0)
++#define AXP288_ADC_TS_CURRENT_ON_ONDEMAND (2 << 0)
++#define AXP288_ADC_TS_CURRENT_ON (3 << 0)
+
+ enum axp288_adc_id {
+ AXP288_ADC_TS,
+@@ -44,6 +53,7 @@ enum axp288_adc_id {
+ struct axp288_adc_info {
+ int irq;
+ struct regmap *regmap;
++ bool ts_enabled;
+ };
+
+ static const struct iio_chan_spec axp288_adc_channels[] = {
+@@ -115,21 +125,33 @@ static int axp288_adc_read_channel(int *
+ return IIO_VAL_INT;
+ }
+
+-static int axp288_adc_set_ts(struct regmap *regmap, unsigned int mode,
+- unsigned long address)
++/*
++ * The current-source used for the battery temp-sensor (TS) is shared
++ * with the GPADC. For proper fuel-gauge and charger operation the TS
++ * current-source needs to be permanently on. But to read the GPADC we
++ * need to temporary switch the TS current-source to ondemand, so that
++ * the GPADC can use it, otherwise we will always read an all 0 value.
++ */
++static int axp288_adc_set_ts(struct axp288_adc_info *info,
++ unsigned int mode, unsigned long address)
+ {
+ int ret;
+
+- /* channels other than GPADC do not need to switch TS pin */
++ /* No need to switch the current-source if the TS pin is disabled */
++ if (!info->ts_enabled)
++ return 0;
++
++ /* Channels other than GPADC do not need the current source */
+ if (address != AXP288_GP_ADC_H)
+ return 0;
+
+- ret = regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, mode);
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK, mode);
+ if (ret)
+ return ret;
+
+ /* When switching to the GPADC pin give things some time to settle */
+- if (mode == AXP288_ADC_TS_PIN_GPADC)
++ if (mode == AXP288_ADC_TS_CURRENT_ON_ONDEMAND)
+ usleep_range(6000, 10000);
+
+ return 0;
+@@ -145,14 +167,14 @@ static int axp288_adc_read_raw(struct ii
+ mutex_lock(&indio_dev->mlock);
+ switch (mask) {
+ case IIO_CHAN_INFO_RAW:
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_GPADC,
++ if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON_ONDEMAND,
+ chan->address)) {
+ dev_err(&indio_dev->dev, "GPADC mode\n");
+ ret = -EINVAL;
+ break;
+ }
+ ret = axp288_adc_read_channel(val, chan->address, info->regmap);
+- if (axp288_adc_set_ts(info->regmap, AXP288_ADC_TS_PIN_ON,
++ if (axp288_adc_set_ts(info, AXP288_ADC_TS_CURRENT_ON,
+ chan->address))
+ dev_err(&indio_dev->dev, "TS pin restore\n");
+ break;
+@@ -164,13 +186,35 @@ static int axp288_adc_read_raw(struct ii
+ return ret;
+ }
+
+-static int axp288_adc_set_state(struct regmap *regmap)
++static int axp288_adc_initialize(struct axp288_adc_info *info)
+ {
+- /* ADC should be always enabled for internal FG to function */
+- if (regmap_write(regmap, AXP288_ADC_TS_PIN_CTRL, AXP288_ADC_TS_PIN_ON))
+- return -EIO;
++ int ret, adc_enable_val;
++
++ /*
++ * Determine if the TS pin is enabled and set the TS current-source
++ * accordingly.
++ */
++ ret = regmap_read(info->regmap, AXP20X_ADC_EN1, &adc_enable_val);
++ if (ret)
++ return ret;
++
++ if (adc_enable_val & AXP288_ADC_TS_ENABLE) {
++ info->ts_enabled = true;
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++ AXP288_ADC_TS_CURRENT_ON);
++ } else {
++ info->ts_enabled = false;
++ ret = regmap_update_bits(info->regmap, AXP288_ADC_TS_PIN_CTRL,
++ AXP288_ADC_TS_CURRENT_ON_OFF_MASK,
++ AXP288_ADC_TS_CURRENT_OFF);
++ }
++ if (ret)
++ return ret;
+
+- return regmap_write(regmap, AXP20X_ADC_EN1, AXP288_ADC_EN_MASK);
++ /* Turn on the ADC for all channels except TS, leave TS as is */
++ return regmap_update_bits(info->regmap, AXP20X_ADC_EN1,
++ AXP288_ADC_EN_MASK, AXP288_ADC_EN_MASK);
+ }
+
+ static const struct iio_info axp288_adc_iio_info = {
+@@ -200,7 +244,7 @@ static int axp288_adc_probe(struct platf
+ * Set ADC to enabled state at all time, including system suspend.
+ * otherwise internal fuel gauge functionality may be affected.
+ */
+- ret = axp288_adc_set_state(axp20x->regmap);
++ ret = axp288_adc_initialize(info);
+ if (ret) {
+ dev_err(&pdev->dev, "unable to enable ADC device\n");
+ return ret;
--- /dev/null
+From 0808831dc62e90023ad14ff8da4804c7846e904b Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Sun, 30 Dec 2018 19:07:01 -0800
+Subject: iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 0808831dc62e90023ad14ff8da4804c7846e904b upstream.
+
+IIO_TEMP scale value for temperature was incorrect and not in millicelsius
+as required by the ABI documentation.
+
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Fixes: 27dec00ecf2d (iio: chemical: add Atlas pH-SM sensor support)
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/chemical/atlas-ph-sensor.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/iio/chemical/atlas-ph-sensor.c
++++ b/drivers/iio/chemical/atlas-ph-sensor.c
+@@ -444,9 +444,8 @@ static int atlas_read_raw(struct iio_dev
+ case IIO_CHAN_INFO_SCALE:
+ switch (chan->type) {
+ case IIO_TEMP:
+- *val = 1; /* 0.01 */
+- *val2 = 100;
+- break;
++ *val = 10;
++ return IIO_VAL_INT;
+ case IIO_PH:
+ *val = 1; /* 0.001 */
+ *val2 = 1000;
+@@ -477,7 +476,7 @@ static int atlas_write_raw(struct iio_de
+ int val, int val2, long mask)
+ {
+ struct atlas_data *data = iio_priv(indio_dev);
+- __be32 reg = cpu_to_be32(val);
++ __be32 reg = cpu_to_be32(val / 10);
+
+ if (val2 != 0 || val < 0 || val > 20000)
+ return -EINVAL;
--- /dev/null
+From f214ff521fb1f861c8d7f7d0af98b06bf61b3369 Mon Sep 17 00:00:00 2001
+From: Dan Murphy <dmurphy@ti.com>
+Date: Fri, 11 Jan 2019 13:57:07 -0600
+Subject: iio: ti-ads8688: Update buffer allocation for timestamps
+
+From: Dan Murphy <dmurphy@ti.com>
+
+commit f214ff521fb1f861c8d7f7d0af98b06bf61b3369 upstream.
+
+Per Jonathan Cameron, the buffer needs to allocate room for a
+64 bit timestamp as well as the channels. Change the buffer
+to allocate this additional space.
+
+Fixes: 2a86487786b5c ("iio: adc: ti-ads8688: add trigger and buffer support")
+Signed-off-by: Dan Murphy <dmurphy@ti.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ti-ads8688.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ti-ads8688.c
++++ b/drivers/iio/adc/ti-ads8688.c
+@@ -41,6 +41,7 @@
+
+ #define ADS8688_VREF_MV 4096
+ #define ADS8688_REALBITS 16
++#define ADS8688_MAX_CHANNELS 8
+
+ /*
+ * enum ads8688_range - ADS8688 reference voltage range
+@@ -385,7 +386,7 @@ static irqreturn_t ads8688_trigger_handl
+ {
+ struct iio_poll_func *pf = p;
+ struct iio_dev *indio_dev = pf->indio_dev;
+- u16 buffer[8];
++ u16 buffer[ADS8688_MAX_CHANNELS + sizeof(s64)/sizeof(u16)];
+ int i, j = 0;
+
+ for (i = 0; i < indio_dev->masklength; i++) {
--- /dev/null
+From dd957493baa586f1431490f97f9c7c45eaf8ab10 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Sun, 3 Feb 2019 10:02:07 +0100
+Subject: libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit dd957493baa586f1431490f97f9c7c45eaf8ab10 upstream.
+
+We've received a bugreport that using LPM with a SAMSUNG
+MZ7TE512HMHP-000L1 SSD leads to system instability, we already have
+a quirk for the MZ7TD256HAFV-000L9, which is also a Samsun EVO 840 /
+PM851 OEM model, so it seems some of these models have a LPM issue.
+
+This commits adds a NOLPM quirk for the model string from the new
+bugeport, to avoid the reported stability issues.
+
+Cc: stable@vger.kernel.org
+BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1571330
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/libata-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -4554,6 +4554,7 @@ static const struct ata_blacklist_entry
+ { "SAMSUNG MZMPC128HBFU-000MV", "CXM14M1Q", ATA_HORKAGE_NOLPM, },
+ { "SAMSUNG SSD PM830 mSATA *", "CXM13D1Q", ATA_HORKAGE_NOLPM, },
+ { "SAMSUNG MZ7TD256HAFV-000L9", NULL, ATA_HORKAGE_NOLPM, },
++ { "SAMSUNG MZ7TE512HMHP-000L1", "EXT06L0Q", ATA_HORKAGE_NOLPM, },
+
+ /* devices that don't properly handle queued TRIM commands */
+ { "Micron_M500IT_*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM |
--- /dev/null
+From efe814e90b98aed6d655b5a4092b9114b8b26e42 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 24 Jan 2019 14:45:02 +0200
+Subject: mei: me: add ice lake point device id.
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit efe814e90b98aed6d655b5a4092b9114b8b26e42 upstream.
+
+Add icelake mei device id.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -139,6 +139,8 @@
+ #define MEI_DEV_ID_CNP_H 0xA360 /* Cannon Point H */
+ #define MEI_DEV_ID_CNP_H_4 0xA364 /* Cannon Point H 4 (iTouch) */
+
++#define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
++
+ /*
+ * MEI HW Section
+ */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -105,6 +105,8 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H, MEI_ME_PCH8_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CNP_H_4, MEI_ME_PCH8_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++
+ /* required last entry */
+ {0, }
+ };
--- /dev/null
+From f8a70d8b889f180e6860cb1f85fed43d37844c5a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 3 Dec 2018 17:52:19 +0300
+Subject: misc: vexpress: Off by one in vexpress_syscfg_exec()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit f8a70d8b889f180e6860cb1f85fed43d37844c5a upstream.
+
+The > comparison should be >= to prevent reading beyond the end of the
+func->template[] array.
+
+(The func->template array is allocated in vexpress_syscfg_regmap_init()
+and it has func->num_templates elements.)
+
+Fixes: 974cc7b93441 ("mfd: vexpress: Define the device as MFD cells")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Sudeep Holla <sudeep.holla@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vexpress-syscfg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vexpress-syscfg.c
++++ b/drivers/misc/vexpress-syscfg.c
+@@ -61,7 +61,7 @@ static int vexpress_syscfg_exec(struct v
+ int tries;
+ long timeout;
+
+- if (WARN_ON(index > func->num_templates))
++ if (WARN_ON(index >= func->num_templates))
+ return -EINVAL;
+
+ command = readl(syscfg->base + SYS_CFGCTRL);
--- /dev/null
+From ad4635153034c20c6f6e211e2ed3fd38b658649a Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <bbrezillon@kernel.org>
+Date: Wed, 30 Jan 2019 12:55:52 +0100
+Subject: mtd: Make sure mtd->erasesize is valid even if the partition is of size 0
+
+From: Boris Brezillon <bbrezillon@kernel.org>
+
+commit ad4635153034c20c6f6e211e2ed3fd38b658649a upstream.
+
+Commit 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent
+erase properties") introduced a check to make sure ->erasesize and
+->_erase values are consistent with the MTD_NO_ERASE flag.
+This patch did not take the 0 bytes partition case into account which
+can happen when the defined partition is outside the flash device memory
+range. Fix that by setting the partition erasesize to the parent
+erasesize.
+
+Fixes: 33f45c44d68b ("mtd: Do not allow MTD devices with inconsistent erase properties")
+Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: <stable@vger.kernel.org>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdpart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mtd/mtdpart.c
++++ b/drivers/mtd/mtdpart.c
+@@ -470,6 +470,10 @@ static struct mtd_part *allocate_partiti
+ /* let's register it anyway to preserve ordering */
+ slave->offset = 0;
+ slave->mtd.size = 0;
++
++ /* Initialize ->erasesize to make add_mtd_device() happy. */
++ slave->mtd.erasesize = parent->erasesize;
++
+ printk(KERN_ERR"mtd: partition \"%s\" is out of reach -- disabled\n",
+ part->name);
+ goto out_register;
--- /dev/null
+From d5d27fd9826b59979b184ec288e4812abac0e988 Mon Sep 17 00:00:00 2001
+From: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Date: Tue, 5 Feb 2019 16:52:51 +0100
+Subject: mtd: rawnand: gpmi: fix MX28 bus master lockup problem
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+
+commit d5d27fd9826b59979b184ec288e4812abac0e988 upstream.
+
+Disable BCH soft reset according to MX23 erratum #2847 ("BCH soft
+reset may cause bus master lock up") for MX28 too. It has the same
+problem.
+
+Observed problem: once per 100,000+ MX28 reboots NAND read failed on
+DMA timeout errors:
+[ 1.770823] UBI: attaching mtd3 to ubi0
+[ 2.768088] gpmi_nand: DMA timeout, last DMA :1
+[ 3.958087] gpmi_nand: BCH timeout, last DMA :1
+[ 4.156033] gpmi_nand: Error in ECC-based read: -110
+[ 4.161136] UBI warning: ubi_io_read: error -110 while reading 64
+bytes from PEB 0:0, read only 0 bytes, retry
+[ 4.171283] step 1 error
+[ 4.173846] gpmi_nand: Chip: 0, Error -1
+
+Without BCH soft reset we successfully executed 1,000,000 MX28 reboots.
+
+I have a quote from NXP regarding this problem, from July 18th 2016:
+
+"As the i.MX23 and i.MX28 are of the same generation, they share many
+characteristics. Unfortunately, also the erratas may be shared.
+In case of the documented erratas and the workarounds, you can also
+apply the workaround solution of one device on the other one. This have
+been reported, but I’m afraid that there are not an estimated date for
+updating the Errata documents.
+Please accept our apologies for any inconveniences this may cause."
+
+Fixes: 6f2a6a52560a ("mtd: nand: gpmi: reset BCH earlier, too, to avoid NAND startup problems")
+Cc: stable@vger.kernel.org
+Signed-off-by: Manfred Schlaegl <manfred.schlaegl@ginzinger.com>
+Signed-off-by: Martin Kepplinger <martin.kepplinger@ginzinger.com>
+Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Acked-by: Han Xu <han.xu@nxp.com>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
++++ b/drivers/mtd/nand/raw/gpmi-nand/gpmi-lib.c
+@@ -155,9 +155,10 @@ int gpmi_init(struct gpmi_nand_data *thi
+
+ /*
+ * Reset BCH here, too. We got failures otherwise :(
+- * See later BCH reset for explanation of MX23 handling
++ * See later BCH reset for explanation of MX23 and MX28 handling
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
+@@ -263,12 +264,10 @@ int bch_set_geometry(struct gpmi_nand_da
+ /*
+ * Due to erratum #2847 of the MX23, the BCH cannot be soft reset on this
+ * chip, otherwise it will lock up. So we skip resetting BCH on the MX23.
+- * On the other hand, the MX28 needs the reset, because one case has been
+- * seen where the BCH produced ECC errors constantly after 10000
+- * consecutive reboots. The latter case has not been seen on the MX23
+- * yet, still we don't know if it could happen there as well.
++ * and MX28.
+ */
+- ret = gpmi_reset_block(r->bch_regs, GPMI_IS_MX23(this));
++ ret = gpmi_reset_block(r->bch_regs,
++ GPMI_IS_MX23(this) || GPMI_IS_MX28(this));
+ if (ret)
+ goto err_out;
+
--- /dev/null
+From c3c7dbf4887ab3ed9d611cd1f6e16937f8700743 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <bbrezillon@kernel.org>
+Date: Thu, 24 Jan 2019 15:46:54 +0100
+Subject: mtd: spinand: Fix the error/cleanup path in spinand_init()
+
+From: Boris Brezillon <bbrezillon@kernel.org>
+
+commit c3c7dbf4887ab3ed9d611cd1f6e16937f8700743 upstream.
+
+The manufacturer specific initialization has already been done when
+block unlocking takes place, and if anything goes wrong during this
+procedure we should call spinand_manufacturer_cleanup().
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -1014,11 +1014,11 @@ static int spinand_init(struct spinand_d
+ for (i = 0; i < nand->memorg.ntargets; i++) {
+ ret = spinand_select_target(spinand, i);
+ if (ret)
+- goto err_free_bufs;
++ goto err_manuf_cleanup;
+
+ ret = spinand_lock_block(spinand, BL_ALL_UNLOCKED);
+ if (ret)
+- goto err_free_bufs;
++ goto err_manuf_cleanup;
+ }
+
+ ret = nanddev_init(nand, &spinand_ops, THIS_MODULE);
--- /dev/null
+From 13c15e07eedf26092054c8c71f2f47edb8388310 Mon Sep 17 00:00:00 2001
+From: Boris Brezillon <bbrezillon@kernel.org>
+Date: Thu, 24 Jan 2019 15:20:07 +0100
+Subject: mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache
+
+From: Boris Brezillon <bbrezillon@kernel.org>
+
+commit 13c15e07eedf26092054c8c71f2f47edb8388310 upstream.
+
+Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
+the cache content to 0xFF (depends on vendor implementation), so we
+must fill the page cache entirely even if we only want to program the
+data portion of the page, otherwise we might corrupt the BBM or user
+data previously programmed in OOB area.
+
+Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs")
+Reported-by: Stefan Roese <sr@denx.de>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
+Tested-by: Stefan Roese <sr@denx.de>
+Reviewed-by: Stefan Roese <sr@denx.de>
+Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/nand/spi/core.c | 42 ++++++++++++++++++++----------------------
+ 1 file changed, 20 insertions(+), 22 deletions(-)
+
+--- a/drivers/mtd/nand/spi/core.c
++++ b/drivers/mtd/nand/spi/core.c
+@@ -304,24 +304,30 @@ static int spinand_write_to_cache_op(str
+ struct nand_device *nand = spinand_to_nand(spinand);
+ struct mtd_info *mtd = nanddev_to_mtd(nand);
+ struct nand_page_io_req adjreq = *req;
+- unsigned int nbytes = 0;
+- void *buf = NULL;
++ void *buf = spinand->databuf;
++ unsigned int nbytes;
+ u16 column = 0;
+ int ret;
+
+- memset(spinand->databuf, 0xff,
+- nanddev_page_size(nand) +
+- nanddev_per_page_oobsize(nand));
++ /*
++ * Looks like PROGRAM LOAD (AKA write cache) does not necessarily reset
++ * the cache content to 0xFF (depends on vendor implementation), so we
++ * must fill the page cache entirely even if we only want to program
++ * the data portion of the page, otherwise we might corrupt the BBM or
++ * user data previously programmed in OOB area.
++ */
++ nbytes = nanddev_page_size(nand) + nanddev_per_page_oobsize(nand);
++ memset(spinand->databuf, 0xff, nbytes);
++ adjreq.dataoffs = 0;
++ adjreq.datalen = nanddev_page_size(nand);
++ adjreq.databuf.out = spinand->databuf;
++ adjreq.ooblen = nanddev_per_page_oobsize(nand);
++ adjreq.ooboffs = 0;
++ adjreq.oobbuf.out = spinand->oobbuf;
+
+- if (req->datalen) {
++ if (req->datalen)
+ memcpy(spinand->databuf + req->dataoffs, req->databuf.out,
+ req->datalen);
+- adjreq.dataoffs = 0;
+- adjreq.datalen = nanddev_page_size(nand);
+- adjreq.databuf.out = spinand->databuf;
+- nbytes = adjreq.datalen;
+- buf = spinand->databuf;
+- }
+
+ if (req->ooblen) {
+ if (req->mode == MTD_OPS_AUTO_OOB)
+@@ -332,14 +338,6 @@ static int spinand_write_to_cache_op(str
+ else
+ memcpy(spinand->oobbuf + req->ooboffs, req->oobbuf.out,
+ req->ooblen);
+-
+- adjreq.ooblen = nanddev_per_page_oobsize(nand);
+- adjreq.ooboffs = 0;
+- nbytes += nanddev_per_page_oobsize(nand);
+- if (!buf) {
+- buf = spinand->oobbuf;
+- column = nanddev_page_size(nand);
+- }
+ }
+
+ spinand_cache_op_adjust_colum(spinand, &adjreq, &column);
+@@ -370,8 +368,8 @@ static int spinand_write_to_cache_op(str
+
+ /*
+ * We need to use the RANDOM LOAD CACHE operation if there's
+- * more than one iteration, because the LOAD operation resets
+- * the cache to 0xff.
++ * more than one iteration, because the LOAD operation might
++ * reset the cache to 0xff.
+ */
+ if (nbytes) {
+ column = op.addr.val;
--- /dev/null
+From c4a46acf1db3ce547d290c29e55b3476c78dd76c Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 24 Jan 2019 14:45:03 +0200
+Subject: samples: mei: use /dev/mei0 instead of /dev/mei
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit c4a46acf1db3ce547d290c29e55b3476c78dd76c upstream.
+
+The device was moved from misc device to character devices
+to support multiple mei devices.
+
+Cc: <stable@vger.kernel.org> #v4.9+
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ samples/mei/mei-amt-version.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/samples/mei/mei-amt-version.c
++++ b/samples/mei/mei-amt-version.c
+@@ -117,7 +117,7 @@ static bool mei_init(struct mei *me, con
+
+ me->verbose = verbose;
+
+- me->fd = open("/dev/mei", O_RDWR);
++ me->fd = open("/dev/mei0", O_RDWR);
+ if (me->fd == -1) {
+ mei_err(me, "Cannot establish a handle to the Intel MEI driver\n");
+ goto err;
--- /dev/null
+mtd-make-sure-mtd-erasesize-is-valid-even-if-the-partition-is-of-size-0.patch
+mtd-spinand-handle-the-case-where-program-load-does-not-reset-the-cache.patch
+mtd-spinand-fix-the-error-cleanup-path-in-spinand_init.patch
+mtd-rawnand-gpmi-fix-mx28-bus-master-lockup-problem.patch
+libata-add-nolpm-quirk-for-samsung-mz7te512hmhp-000l1-ssd.patch
+tools-iio-iio_generic_buffer-make-num_loops-signed.patch
+iio-adc-axp288-fix-ts-pin-handling.patch
+iio-chemical-atlas-ph-sensor-correct-iio_temp-values-to-millicelsius.patch
+iio-ti-ads8688-update-buffer-allocation-for-timestamps.patch
+signal-always-notice-exiting-tasks.patch
+signal-better-detection-of-synchronous-signals.patch
+misc-vexpress-off-by-one-in-vexpress_syscfg_exec.patch
+mei-me-add-ice-lake-point-device-id.patch
+samples-mei-use-dev-mei0-instead-of-dev-mei.patch
+debugfs-fix-debugfs_rename-parameter-checking.patch
--- /dev/null
+From 35634ffa1751b6efd8cf75010b509dcb0263e29b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 6 Feb 2019 18:39:40 -0600
+Subject: signal: Always notice exiting tasks
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 35634ffa1751b6efd8cf75010b509dcb0263e29b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop
+failing to deliver SIGHUP but always trying.
+
+Upon examination it turns out part of the problem is actually most of
+the solution. Since 2.5 signal delivery has found all fatal signals,
+marked the signal group for death, and queued SIGKILL in every threads
+thread queue relying on signal->group_exit_code to preserve the
+information of which was the actual fatal signal.
+
+The conversion of all fatal signals to SIGKILL results in the
+synchronous signal heuristic in next_signal kicking in and preferring
+SIGHUP to SIGKILL. Which is especially problematic as all
+fatal signals have already been transformed into SIGKILL.
+
+Instead of dequeueing signals and depending upon SIGKILL to
+be the first signal dequeued, first test if the signal group
+has already been marked for death. This guarantees that
+nothing in the signal queue can prevent a process that needs
+to exit from exiting.
+
+Cc: stable@vger.kernel.org
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Ref: ebf5ebe31d2c ("[PATCH] signal-fixes-2.5.59-A4")
+History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -2390,6 +2390,11 @@ relock:
+ goto relock;
+ }
+
++ /* Has this task already been marked for death? */
++ ksig->info.si_signo = signr = SIGKILL;
++ if (signal_group_exit(signal))
++ goto fatal;
++
+ for (;;) {
+ struct k_sigaction *ka;
+
+@@ -2485,6 +2490,7 @@ relock:
+ continue;
+ }
+
++ fatal:
+ spin_unlock_irq(&sighand->siglock);
+
+ /*
--- /dev/null
+From 7146db3317c67b517258cb5e1b08af387da0618b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman" <ebiederm@xmission.com>
+Date: Wed, 6 Feb 2019 17:51:47 -0600
+Subject: signal: Better detection of synchronous signals
+
+From: Eric W. Biederman <ebiederm@xmission.com>
+
+commit 7146db3317c67b517258cb5e1b08af387da0618b upstream.
+
+Recently syzkaller was able to create unkillablle processes by
+creating a timer that is delivered as a thread local signal on SIGHUP,
+and receiving SIGHUP SA_NODEFERER. Ultimately causing a loop failing
+to deliver SIGHUP but always trying.
+
+When the stack overflows delivery of SIGHUP fails and force_sigsegv is
+called. Unfortunately because SIGSEGV is numerically higher than
+SIGHUP next_signal tries again to deliver a SIGHUP.
+
+From a quality of implementation standpoint attempting to deliver the
+timer SIGHUP signal is wrong. We should attempt to deliver the
+synchronous SIGSEGV signal we just forced.
+
+We can make that happening in a fairly straight forward manner by
+instead of just looking at the signal number we also look at the
+si_code. In particular for exceptions (aka synchronous signals) the
+si_code is always greater than 0.
+
+That still has the potential to pick up a number of asynchronous
+signals as in a few cases the same si_codes that are used
+for synchronous signals are also used for asynchronous signals,
+and SI_KERNEL is also included in the list of possible si_codes.
+
+Still the heuristic is much better and timer signals are definitely
+excluded. Which is enough to prevent all known ways for someone
+sending a process signals fast enough to cause unexpected and
+arguably incorrect behavior.
+
+Cc: stable@vger.kernel.org
+Fixes: a27341cd5fcb ("Prioritize synchronous signals over 'normal' signals")
+Tested-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/signal.c | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 51 insertions(+), 1 deletion(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -681,6 +681,48 @@ int dequeue_signal(struct task_struct *t
+ return signr;
+ }
+
++static int dequeue_synchronous_signal(siginfo_t *info)
++{
++ struct task_struct *tsk = current;
++ struct sigpending *pending = &tsk->pending;
++ struct sigqueue *q, *sync = NULL;
++
++ /*
++ * Might a synchronous signal be in the queue?
++ */
++ if (!((pending->signal.sig[0] & ~tsk->blocked.sig[0]) & SYNCHRONOUS_MASK))
++ return 0;
++
++ /*
++ * Return the first synchronous signal in the queue.
++ */
++ list_for_each_entry(q, &pending->list, list) {
++ /* Synchronous signals have a postive si_code */
++ if ((q->info.si_code > SI_USER) &&
++ (sigmask(q->info.si_signo) & SYNCHRONOUS_MASK)) {
++ sync = q;
++ goto next;
++ }
++ }
++ return 0;
++next:
++ /*
++ * Check if there is another siginfo for the same signal.
++ */
++ list_for_each_entry_continue(q, &pending->list, list) {
++ if (q->info.si_signo == sync->info.si_signo)
++ goto still_pending;
++ }
++
++ sigdelset(&pending->signal, sync->info.si_signo);
++ recalc_sigpending();
++still_pending:
++ list_del_init(&sync->list);
++ copy_siginfo(info, &sync->info);
++ __sigqueue_free(sync);
++ return info->si_signo;
++}
++
+ /*
+ * Tell a process that it has a new active signal..
+ *
+@@ -2408,7 +2450,15 @@ relock:
+ goto relock;
+ }
+
+- signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
++ /*
++ * Signals generated by the execution of an instruction
++ * need to be delivered before any other pending signals
++ * so that the instruction pointer in the signal stack
++ * frame points to the faulting instruction.
++ */
++ signr = dequeue_synchronous_signal(&ksig->info);
++ if (!signr)
++ signr = dequeue_signal(current, ¤t->blocked, &ksig->info);
+
+ if (!signr)
+ break; /* will return 0 */
--- /dev/null
+From b119d3bc328e7a9574861ebe0c2110e2776c2de1 Mon Sep 17 00:00:00 2001
+From: Martin Kelly <mkelly@xevo.com>
+Date: Fri, 11 Jan 2019 23:13:09 +0000
+Subject: tools: iio: iio_generic_buffer: make num_loops signed
+
+From: Martin Kelly <mkelly@xevo.com>
+
+commit b119d3bc328e7a9574861ebe0c2110e2776c2de1 upstream.
+
+Currently, num_loops is unsigned, but it's set by strtoll, which returns a
+(signed) long long int. This could lead to overflow, and it also makes the
+check "num_loops < 0" always be false, since num_loops is unsigned.
+Setting num_loops to -1 to loop forever is almost working because num_loops
+is getting set to a very high number, but it's technically still incorrect.
+
+Fix this issue by making num_loops signed. This also fixes an error found
+by Smatch.
+
+Signed-off-by: Martin Kelly <mkelly@xevo.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 55dda0abcf9d ("tools: iio: iio_generic_buffer: allow continuous looping")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/iio/iio_generic_buffer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/iio/iio_generic_buffer.c
++++ b/tools/iio/iio_generic_buffer.c
+@@ -330,7 +330,7 @@ static const struct option longopts[] =
+
+ int main(int argc, char **argv)
+ {
+- unsigned long long num_loops = 2;
++ long long num_loops = 2;
+ unsigned long timedelay = 1000000;
+ unsigned long buf_len = 128;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
