--- /dev/null
+From 5ae51d67aec95f6f9386aa8dd5db424964895575 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Mon, 11 Feb 2019 14:59:07 -0800
+Subject: clk: clk-twl6040: Fix imprecise external abort for pdmclk
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 5ae51d67aec95f6f9386aa8dd5db424964895575 upstream.
+
+I noticed that modprobe clk-twl6040 can fail after a cold boot with:
+abe_cm:clk:0010:0: failed to enable
+...
+Unhandled fault: imprecise external abort (0x1406) at 0xbe896b20
+
+WARNING: CPU: 1 PID: 29 at drivers/clk/clk.c:828 clk_core_disable_lock+0x18/0x24
+...
+(clk_core_disable_lock) from [<c0123534>] (_disable_clocks+0x18/0x90)
+(_disable_clocks) from [<c0124040>] (_idle+0x17c/0x244)
+(_idle) from [<c0125ad4>] (omap_hwmod_idle+0x24/0x44)
+(omap_hwmod_idle) from [<c053a038>] (sysc_runtime_suspend+0x48/0x108)
+(sysc_runtime_suspend) from [<c06084c4>] (__rpm_callback+0x144/0x1d8)
+(__rpm_callback) from [<c0608578>] (rpm_callback+0x20/0x80)
+(rpm_callback) from [<c0607034>] (rpm_suspend+0x120/0x694)
+(rpm_suspend) from [<c0607a78>] (__pm_runtime_idle+0x60/0x84)
+(__pm_runtime_idle) from [<c053aaf0>] (sysc_probe+0x874/0xf2c)
+(sysc_probe) from [<c05fecd4>] (platform_drv_probe+0x48/0x98)
+
+After searching around for a similar issue, I came across an earlier fix
+that never got merged upstream in the Android tree for glass-omap-xrr02.
+There is patch "MFD: twl6040-codec: Implement PDMCLK cold temp errata"
+by Misael Lopez Cruz <misael.lopez@ti.com>.
+
+Based on my observations, this fix is also needed when cold booting
+devices, and not just for deeper idle modes. Since we now have a clock
+driver for pdmclk, let's fix the issue in twl6040_pdmclk_prepare().
+
+Cc: Misael Lopez Cruz <misael.lopez@ti.com>
+Cc: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/clk-twl6040.c | 53 ++++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 51 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/clk-twl6040.c
++++ b/drivers/clk/clk-twl6040.c
+@@ -41,6 +41,43 @@ static int twl6040_pdmclk_is_prepared(st
+ return pdmclk->enabled;
+ }
+
++static int twl6040_pdmclk_reset_one_clock(struct twl6040_pdmclk *pdmclk,
++ unsigned int reg)
++{
++ const u8 reset_mask = TWL6040_HPLLRST; /* Same for HPPLL and LPPLL */
++ int ret;
++
++ ret = twl6040_set_bits(pdmclk->twl6040, reg, reset_mask);
++ if (ret < 0)
++ return ret;
++
++ ret = twl6040_clear_bits(pdmclk->twl6040, reg, reset_mask);
++ if (ret < 0)
++ return ret;
++
++ return 0;
++}
++
++/*
++ * TWL6040A2 Phoenix Audio IC erratum #6: "PDM Clock Generation Issue At
++ * Cold Temperature". This affects cold boot and deeper idle states it
++ * seems. The workaround consists of resetting HPPLL and LPPLL.
++ */
++static int twl6040_pdmclk_quirk_reset_clocks(struct twl6040_pdmclk *pdmclk)
++{
++ int ret;
++
++ ret = twl6040_pdmclk_reset_one_clock(pdmclk, TWL6040_REG_HPPLLCTL);
++ if (ret)
++ return ret;
++
++ ret = twl6040_pdmclk_reset_one_clock(pdmclk, TWL6040_REG_LPPLLCTL);
++ if (ret)
++ return ret;
++
++ return 0;
++}
++
+ static int twl6040_pdmclk_prepare(struct clk_hw *hw)
+ {
+ struct twl6040_pdmclk *pdmclk = container_of(hw, struct twl6040_pdmclk,
+@@ -48,8 +85,20 @@ static int twl6040_pdmclk_prepare(struct
+ int ret;
+
+ ret = twl6040_power(pdmclk->twl6040, 1);
+- if (!ret)
+- pdmclk->enabled = 1;
++ if (ret)
++ return ret;
++
++ ret = twl6040_pdmclk_quirk_reset_clocks(pdmclk);
++ if (ret)
++ goto out_err;
++
++ pdmclk->enabled = 1;
++
++ return 0;
++
++out_err:
++ dev_err(pdmclk->dev, "%s: error %i\n", __func__, ret);
++ twl6040_power(pdmclk->twl6040, 0);
+
+ return ret;
+ }
--- /dev/null
+From 7ca4c922aad2e3c46767a12f80d01c6b25337b59 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sun, 27 Jan 2019 23:09:21 -0300
+Subject: clk: ingenic: Fix doc of ingenic_cgu_div_info
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 7ca4c922aad2e3c46767a12f80d01c6b25337b59 upstream.
+
+The 'div' field does not represent a number of bits used to divide
+(understand: right-shift) the divider, but a number itself used to
+divide the divider.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Maarten ter Huurne <maarten@treewalker.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/ingenic/cgu.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/ingenic/cgu.h
++++ b/drivers/clk/ingenic/cgu.h
+@@ -78,7 +78,7 @@ struct ingenic_cgu_mux_info {
+ * @reg: offset of the divider control register within the CGU
+ * @shift: number of bits to left shift the divide value by (ie. the index of
+ * the lowest bit of the divide value within its control register)
+- * @div: number of bits to divide the divider value by (i.e. if the
++ * @div: number to divide the divider value by (i.e. if the
+ * effective divider value is the value written to the register
+ * multiplied by some constant)
+ * @bits: the size of the divide value in bits
--- /dev/null
+From bc5d922c93491878c44c9216e9d227c7eeb81d7f Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sun, 27 Jan 2019 23:09:20 -0300
+Subject: clk: ingenic: Fix round_rate misbehaving with non-integer dividers
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit bc5d922c93491878c44c9216e9d227c7eeb81d7f upstream.
+
+Take a parent rate of 180 MHz, and a requested rate of 4.285715 MHz.
+This results in a theorical divider of 41.999993 which is then rounded
+up to 42. The .round_rate function would then return (180 MHz / 42) as
+the clock, rounded down, so 4.285714 MHz.
+
+Calling clk_set_rate on 4.285714 MHz would round the rate again, and
+give a theorical divider of 42,0000028, now rounded up to 43, and the
+rate returned would be (180 MHz / 43) which is 4.186046 MHz, aka. not
+what we requested.
+
+Fix this by rounding up the divisions.
+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Tested-by: Maarten ter Huurne <maarten@treewalker.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/ingenic/cgu.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/clk/ingenic/cgu.c
++++ b/drivers/clk/ingenic/cgu.c
+@@ -364,16 +364,16 @@ ingenic_clk_round_rate(struct clk_hw *hw
+ struct ingenic_clk *ingenic_clk = to_ingenic_clk(hw);
+ struct ingenic_cgu *cgu = ingenic_clk->cgu;
+ const struct ingenic_cgu_clk_info *clk_info;
+- long rate = *parent_rate;
++ unsigned int div = 1;
+
+ clk_info = &cgu->clock_info[ingenic_clk->idx];
+
+ if (clk_info->type & CGU_CLK_DIV)
+- rate /= ingenic_clk_calc_div(clk_info, *parent_rate, req_rate);
++ div = ingenic_clk_calc_div(clk_info, *parent_rate, req_rate);
+ else if (clk_info->type & CGU_CLK_FIXDIV)
+- rate /= clk_info->fixdiv.div;
++ div = clk_info->fixdiv.div;
+
+- return rate;
++ return DIV_ROUND_UP(*parent_rate, div);
+ }
+
+ static int
+@@ -393,7 +393,7 @@ ingenic_clk_set_rate(struct clk_hw *hw,
+
+ if (clk_info->type & CGU_CLK_DIV) {
+ div = ingenic_clk_calc_div(clk_info, parent_rate, req_rate);
+- rate = parent_rate / div;
++ rate = DIV_ROUND_UP(parent_rate, div);
+
+ if (rate != req_rate)
+ return -EINVAL;
--- /dev/null
+From 521282237b9d78b9bff423ec818becd4c95841c2 Mon Sep 17 00:00:00 2001
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Date: Fri, 8 Feb 2019 11:25:23 +0900
+Subject: clk: uniphier: Fix update register for CPU-gear
+
+From: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+
+commit 521282237b9d78b9bff423ec818becd4c95841c2 upstream.
+
+Need to set the update bit in UNIPHIER_CLK_CPUGEAR_UPD to update
+the CPU-gear value.
+
+Fixes: d08f1f0d596c ("clk: uniphier: add CPU-gear change (cpufreq) support")
+Cc: linux-stable@vger.kernel.org
+Signed-off-by: Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
+Acked-by: Masahiro Yamada <yamada.masahiro@socionext.com>
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clk/uniphier/clk-uniphier-cpugear.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/uniphier/clk-uniphier-cpugear.c
++++ b/drivers/clk/uniphier/clk-uniphier-cpugear.c
+@@ -47,7 +47,7 @@ static int uniphier_clk_cpugear_set_pare
+ return ret;
+
+ ret = regmap_write_bits(gear->regmap,
+- gear->regbase + UNIPHIER_CLK_CPUGEAR_SET,
++ gear->regbase + UNIPHIER_CLK_CPUGEAR_UPD,
+ UNIPHIER_CLK_CPUGEAR_UPD_BIT,
+ UNIPHIER_CLK_CPUGEAR_UPD_BIT);
+ if (ret)
--- /dev/null
+From 9505b98ccddc454008ca7efff90044e3e857c827 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Thu, 7 Mar 2019 11:22:41 +0100
+Subject: cpufreq: pxa2xx: remove incorrect __init annotation
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream.
+
+pxa_cpufreq_init_voltages() is marked __init but usually inlined into
+the non-__init pxa_cpufreq_init() function. When building with clang,
+it can stay as a standalone function in a discarded section, and produce
+this warning:
+
+WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages()
+The function pxa_cpufreq_init() references
+the function __init pxa_cpufreq_init_voltages().
+This is often because pxa_cpufreq_init lacks a __init
+annotation or the annotation of pxa_cpufreq_init_voltages is wrong.
+
+Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Acked-by: Robert Jarzmik <robert.jarzmik@free.fr>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/cpufreq/pxa2xx-cpufreq.c
++++ b/drivers/cpufreq/pxa2xx-cpufreq.c
+@@ -192,7 +192,7 @@ static int pxa_cpufreq_change_voltage(co
+ return ret;
+ }
+
+-static void __init pxa_cpufreq_init_voltages(void)
++static void pxa_cpufreq_init_voltages(void)
+ {
+ vcc_core = regulator_get(NULL, "vcc_core");
+ if (IS_ERR(vcc_core)) {
+@@ -208,7 +208,7 @@ static int pxa_cpufreq_change_voltage(co
+ return 0;
+ }
+
+-static void __init pxa_cpufreq_init_voltages(void) { }
++static void pxa_cpufreq_init_voltages(void) { }
+ #endif
+
+ static void find_freq_tables(struct cpufreq_frequency_table **freq_table,
--- /dev/null
+From 446fae2bb5395f3028d8e3aae1508737e5a72ea1 Mon Sep 17 00:00:00 2001
+From: Yangtao Li <tiny.windzz@gmail.com>
+Date: Mon, 4 Feb 2019 02:48:54 -0500
+Subject: cpufreq: tegra124: add missing of_node_put()
+
+From: Yangtao Li <tiny.windzz@gmail.com>
+
+commit 446fae2bb5395f3028d8e3aae1508737e5a72ea1 upstream.
+
+of_cpu_device_node_get() will increase the refcount of device_node,
+it is necessary to call of_node_put() at the end to release the
+refcount.
+
+Fixes: 9eb15dbbfa1a2 ("cpufreq: Add cpufreq driver for Tegra124")
+Cc: <stable@vger.kernel.org> # 4.4+
+Signed-off-by: Yangtao Li <tiny.windzz@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/cpufreq/tegra124-cpufreq.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/cpufreq/tegra124-cpufreq.c
++++ b/drivers/cpufreq/tegra124-cpufreq.c
+@@ -134,6 +134,8 @@ static int tegra124_cpufreq_probe(struct
+
+ platform_set_drvdata(pdev, priv);
+
++ of_node_put(np);
++
+ return 0;
+
+ out_switch_to_pllx:
--- /dev/null
+From edeb304f659792fb5bab90d7d6f3408b4c7301fb Mon Sep 17 00:00:00 2001
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+Date: Tue, 29 Jan 2019 16:36:18 +0530
+Subject: cxl: Wrap iterations over afu slices inside 'afu_list_lock'
+
+From: Vaibhav Jain <vaibhav@linux.ibm.com>
+
+commit edeb304f659792fb5bab90d7d6f3408b4c7301fb upstream.
+
+Within cxl module, iteration over array 'adapter->afu' may be racy
+at few points as it might be simultaneously read during an EEH and its
+contents being set to NULL while driver is being unloaded or unbound
+from the adapter. This might result in a NULL pointer to 'struct afu'
+being de-referenced during an EEH thereby causing a kernel oops.
+
+This patch fixes this by making sure that all access to the array
+'adapter->afu' is wrapped within the context of spin-lock
+'adapter->afu_list_lock'.
+
+Fixes: 9e8df8a21963 ("cxl: EEH support")
+Cc: stable@vger.kernel.org # v4.3+
+Acked-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
+Acked-by: Frederic Barrat <fbarrat@linux.ibm.com>
+Acked-by: Christophe Lombard <clombard@linux.vnet.ibm.com>
+Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/cxl/guest.c | 2 ++
+ drivers/misc/cxl/pci.c | 39 ++++++++++++++++++++++++++++++---------
+ 2 files changed, 32 insertions(+), 9 deletions(-)
+
+--- a/drivers/misc/cxl/guest.c
++++ b/drivers/misc/cxl/guest.c
+@@ -267,6 +267,7 @@ static int guest_reset(struct cxl *adapt
+ int i, rc;
+
+ pr_devel("Adapter reset request\n");
++ spin_lock(&adapter->afu_list_lock);
+ for (i = 0; i < adapter->slices; i++) {
+ if ((afu = adapter->afu[i])) {
+ pci_error_handlers(afu, CXL_ERROR_DETECTED_EVENT,
+@@ -283,6 +284,7 @@ static int guest_reset(struct cxl *adapt
+ pci_error_handlers(afu, CXL_RESUME_EVENT, 0);
+ }
+ }
++ spin_unlock(&adapter->afu_list_lock);
+ return rc;
+ }
+
+--- a/drivers/misc/cxl/pci.c
++++ b/drivers/misc/cxl/pci.c
+@@ -2050,7 +2050,7 @@ static pci_ers_result_t cxl_vphb_error_d
+ /* There should only be one entry, but go through the list
+ * anyway
+ */
+- if (afu->phb == NULL)
++ if (afu == NULL || afu->phb == NULL)
+ return result;
+
+ list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) {
+@@ -2077,7 +2077,8 @@ static pci_ers_result_t cxl_pci_error_de
+ {
+ struct cxl *adapter = pci_get_drvdata(pdev);
+ struct cxl_afu *afu;
+- pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET, afu_result;
++ pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET;
++ pci_ers_result_t afu_result = PCI_ERS_RESULT_NEED_RESET;
+ int i;
+
+ /* At this point, we could still have an interrupt pending.
+@@ -2088,6 +2089,7 @@ static pci_ers_result_t cxl_pci_error_de
+
+ /* If we're permanently dead, give up. */
+ if (state == pci_channel_io_perm_failure) {
++ spin_lock(&adapter->afu_list_lock);
+ for (i = 0; i < adapter->slices; i++) {
+ afu = adapter->afu[i];
+ /*
+@@ -2096,6 +2098,7 @@ static pci_ers_result_t cxl_pci_error_de
+ */
+ cxl_vphb_error_detected(afu, state);
+ }
++ spin_unlock(&adapter->afu_list_lock);
+ return PCI_ERS_RESULT_DISCONNECT;
+ }
+
+@@ -2177,11 +2180,17 @@ static pci_ers_result_t cxl_pci_error_de
+ * * In slot_reset, free the old resources and allocate new ones.
+ * * In resume, clear the flag to allow things to start.
+ */
++
++ /* Make sure no one else changes the afu list */
++ spin_lock(&adapter->afu_list_lock);
++
+ for (i = 0; i < adapter->slices; i++) {
+ afu = adapter->afu[i];
+
+- afu_result = cxl_vphb_error_detected(afu, state);
++ if (afu == NULL)
++ continue;
+
++ afu_result = cxl_vphb_error_detected(afu, state);
+ cxl_context_detach_all(afu);
+ cxl_ops->afu_deactivate_mode(afu, afu->current_mode);
+ pci_deconfigure_afu(afu);
+@@ -2193,6 +2202,7 @@ static pci_ers_result_t cxl_pci_error_de
+ (result == PCI_ERS_RESULT_NEED_RESET))
+ result = PCI_ERS_RESULT_NONE;
+ }
++ spin_unlock(&adapter->afu_list_lock);
+
+ /* should take the context lock here */
+ if (cxl_adapter_context_lock(adapter) != 0)
+@@ -2225,14 +2235,18 @@ static pci_ers_result_t cxl_pci_slot_res
+ */
+ cxl_adapter_context_unlock(adapter);
+
++ spin_lock(&adapter->afu_list_lock);
+ for (i = 0; i < adapter->slices; i++) {
+ afu = adapter->afu[i];
+
++ if (afu == NULL)
++ continue;
++
+ if (pci_configure_afu(afu, adapter, pdev))
+- goto err;
++ goto err_unlock;
+
+ if (cxl_afu_select_best_mode(afu))
+- goto err;
++ goto err_unlock;
+
+ if (afu->phb == NULL)
+ continue;
+@@ -2244,16 +2258,16 @@ static pci_ers_result_t cxl_pci_slot_res
+ ctx = cxl_get_context(afu_dev);
+
+ if (ctx && cxl_release_context(ctx))
+- goto err;
++ goto err_unlock;
+
+ ctx = cxl_dev_context_init(afu_dev);
+ if (IS_ERR(ctx))
+- goto err;
++ goto err_unlock;
+
+ afu_dev->dev.archdata.cxl_ctx = ctx;
+
+ if (cxl_ops->afu_check_and_enable(afu))
+- goto err;
++ goto err_unlock;
+
+ afu_dev->error_state = pci_channel_io_normal;
+
+@@ -2274,8 +2288,13 @@ static pci_ers_result_t cxl_pci_slot_res
+ result = PCI_ERS_RESULT_DISCONNECT;
+ }
+ }
++
++ spin_unlock(&adapter->afu_list_lock);
+ return result;
+
++err_unlock:
++ spin_unlock(&adapter->afu_list_lock);
++
+ err:
+ /* All the bits that happen in both error_detected and cxl_remove
+ * should be idempotent, so we don't need to worry about leaving a mix
+@@ -2296,10 +2315,11 @@ static void cxl_pci_resume(struct pci_de
+ * This is not the place to be checking if everything came back up
+ * properly, because there's no return value: do that in slot_reset.
+ */
++ spin_lock(&adapter->afu_list_lock);
+ for (i = 0; i < adapter->slices; i++) {
+ afu = adapter->afu[i];
+
+- if (afu->phb == NULL)
++ if (afu == NULL || afu->phb == NULL)
+ continue;
+
+ list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) {
+@@ -2308,6 +2328,7 @@ static void cxl_pci_resume(struct pci_de
+ afu_dev->driver->err_handler->resume(afu_dev);
+ }
+ }
++ spin_unlock(&adapter->afu_list_lock);
+ }
+
+ static const struct pci_error_handlers cxl_err_handler = {
--- /dev/null
+From 2b6e492467c78183bb629bb0a100ea3509b615a5 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 23 Jan 2019 17:44:16 +0300
+Subject: device property: Fix the length used in PROPERTY_ENTRY_STRING()
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit 2b6e492467c78183bb629bb0a100ea3509b615a5 upstream.
+
+With string type property entries we need to use
+sizeof(const char *) instead of the number of characters as
+the length of the entry.
+
+If the string was shorter then sizeof(const char *),
+attempts to read it would have failed with -EOVERFLOW. The
+problem has been hidden because all build-in string
+properties have had a string longer then 8 characters until
+now.
+
+Fixes: a85f42047533 ("device property: helper macros for property entry creation")
+Cc: 4.5+ <stable@vger.kernel.org> # 4.5+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ include/linux/property.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/property.h
++++ b/include/linux/property.h
+@@ -252,7 +252,7 @@ struct property_entry {
+ #define PROPERTY_ENTRY_STRING(_name_, _val_) \
+ (struct property_entry) { \
+ .name = _name_, \
+- .length = sizeof(_val_), \
++ .length = sizeof(const char *), \
+ .is_string = true, \
+ { .value = { .str = _val_ } }, \
+ }
--- /dev/null
+From 1c2d14212b15a60300a2d4f6364753e87394c521 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Tue, 29 Jan 2019 17:17:24 +0100
+Subject: ext2: Fix underflow in ext2_max_size()
+
+From: Jan Kara <jack@suse.cz>
+
+commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream.
+
+When ext2 filesystem is created with 64k block size, ext2_max_size()
+will return value less than 0. Also, we cannot write any file in this fs
+since the sb->maxbytes is less than 0. The core of the problem is that
+the size of block index tree for such large block size is more than
+i_blocks can carry. So fix the computation to count with this
+possibility.
+
+File size limits computed with the new function for the full range of
+possible block sizes look like:
+
+bits file_size
+10 17247252480
+11 275415851008
+12 2196873666560
+13 2197948973056
+14 2198486220800
+15 2198754754560
+16 2198888906752
+
+CC: stable@vger.kernel.org
+Reported-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext2/super.c | 41 ++++++++++++++++++++++++++---------------
+ 1 file changed, 26 insertions(+), 15 deletions(-)
+
+--- a/fs/ext2/super.c
++++ b/fs/ext2/super.c
+@@ -754,7 +754,8 @@ static loff_t ext2_max_size(int bits)
+ {
+ loff_t res = EXT2_NDIR_BLOCKS;
+ int meta_blocks;
+- loff_t upper_limit;
++ unsigned int upper_limit;
++ unsigned int ppb = 1 << (bits-2);
+
+ /* This is calculated to be the largest file size for a
+ * dense, file such that the total number of
+@@ -768,24 +769,34 @@ static loff_t ext2_max_size(int bits)
+ /* total blocks in file system block size */
+ upper_limit >>= (bits - 9);
+
+-
+- /* indirect blocks */
+- meta_blocks = 1;
+- /* double indirect blocks */
+- meta_blocks += 1 + (1LL << (bits-2));
+- /* tripple indirect blocks */
+- meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2)));
+-
+- upper_limit -= meta_blocks;
+- upper_limit <<= bits;
+-
++ /* Compute how many blocks we can address by block tree */
+ res += 1LL << (bits-2);
+ res += 1LL << (2*(bits-2));
+ res += 1LL << (3*(bits-2));
++ /* Does block tree limit file size? */
++ if (res < upper_limit)
++ goto check_lfs;
++
++ res = upper_limit;
++ /* How many metadata blocks are needed for addressing upper_limit? */
++ upper_limit -= EXT2_NDIR_BLOCKS;
++ /* indirect blocks */
++ meta_blocks = 1;
++ upper_limit -= ppb;
++ /* double indirect blocks */
++ if (upper_limit < ppb * ppb) {
++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb);
++ res -= meta_blocks;
++ goto check_lfs;
++ }
++ meta_blocks += 1 + ppb;
++ upper_limit -= ppb * ppb;
++ /* tripple indirect blocks for the rest */
++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) +
++ DIV_ROUND_UP(upper_limit, ppb*ppb);
++ res -= meta_blocks;
++check_lfs:
+ res <<= bits;
+- if (res > upper_limit)
+- res = upper_limit;
+-
+ if (res > MAX_LFS_FILESIZE)
+ res = MAX_LFS_FILESIZE;
+
--- /dev/null
+From abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Mon, 11 Feb 2019 00:35:06 -0500
+Subject: ext4: add mask of ext4 flags to swap
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 upstream.
+
+The reason is that while swapping two inode, we swap the flags too.
+Some flags such as EXT4_JOURNAL_DATA_FL can really confuse the things
+since we're not resetting the address operations structure. The
+simplest way to keep things sane is to restrict the flags that can be
+swapped.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/ext4.h | 3 +++
+ fs/ext4/ioctl.c | 6 +++++-
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -426,6 +426,9 @@ struct flex_groups {
+ /* Flags that are appropriate for non-directories/regular files. */
+ #define EXT4_OTHER_FLMASK (EXT4_NODUMP_FL | EXT4_NOATIME_FL)
+
++/* The only flags that should be swapped */
++#define EXT4_FL_SHOULD_SWAP (EXT4_HUGE_FILE_FL | EXT4_EXTENTS_FL)
++
+ /* Mask out flags that are inappropriate for the given type of inode. */
+ static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags)
+ {
+--- a/fs/ext4/ioctl.c
++++ b/fs/ext4/ioctl.c
+@@ -61,6 +61,7 @@ static void swap_inode_data(struct inode
+ loff_t isize;
+ struct ext4_inode_info *ei1;
+ struct ext4_inode_info *ei2;
++ unsigned long tmp;
+
+ ei1 = EXT4_I(inode1);
+ ei2 = EXT4_I(inode2);
+@@ -73,7 +74,10 @@ static void swap_inode_data(struct inode
+ swap(inode1->i_mtime, inode2->i_mtime);
+
+ memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data));
+- swap(ei1->i_flags, ei2->i_flags);
++ tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP;
++ ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) |
++ (ei1->i_flags & ~EXT4_FL_SHOULD_SWAP);
++ ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP);
+ swap(ei1->i_disksize, ei2->i_disksize);
+ ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS);
+ ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS);
--- /dev/null
+From f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 Mon Sep 17 00:00:00 2001
+From: Jan Kara <jack@suse.cz>
+Date: Mon, 11 Feb 2019 13:30:32 -0500
+Subject: ext4: fix crash during online resizing
+
+From: Jan Kara <jack@suse.cz>
+
+commit f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 upstream.
+
+When computing maximum size of filesystem possible with given number of
+group descriptor blocks, we forget to include s_first_data_block into
+the number of blocks. Thus for filesystems with non-zero
+s_first_data_block it can happen that computed maximum filesystem size
+is actually lower than current filesystem size which confuses the code
+and eventually leads to a BUG_ON in ext4_alloc_group_tables() hitting on
+flex_gd->count == 0. The problem can be reproduced like:
+
+truncate -s 100g /tmp/image
+mkfs.ext4 -b 1024 -E resize=262144 /tmp/image 32768
+mount -t ext4 -o loop /tmp/image /mnt
+resize2fs /dev/loop0 262145
+resize2fs /dev/loop0 300000
+
+Fix the problem by properly including s_first_data_block into the
+computed number of filesystem blocks.
+
+Fixes: 1c6bd7173d66 "ext4: convert file system to meta_bg if needed..."
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ext4/resize.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ext4/resize.c
++++ b/fs/ext4/resize.c
+@@ -1930,7 +1930,8 @@ retry:
+ le16_to_cpu(es->s_reserved_gdt_blocks);
+ n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb);
+ n_blocks_count = (ext4_fsblk_t)n_group *
+- EXT4_BLOCKS_PER_GROUP(sb);
++ EXT4_BLOCKS_PER_GROUP(sb) +
++ le32_to_cpu(es->s_first_data_block);
+ n_group--; /* set to last group number */
+ }
+
--- /dev/null
+From f4e3f4ae1d9c9330de355f432b69952e8cef650c Mon Sep 17 00:00:00 2001
+From: Sowjanya Komatineni <skomatineni@nvidia.com>
+Date: Tue, 12 Feb 2019 11:06:44 -0800
+Subject: i2c: tegra: fix maximum transfer size
+
+From: Sowjanya Komatineni <skomatineni@nvidia.com>
+
+commit f4e3f4ae1d9c9330de355f432b69952e8cef650c upstream.
+
+Tegra186 and prior supports maximum 4K bytes per packet transfer
+including 12 bytes of packet header.
+
+This patch fixes max write length limit to account packet header
+size for transfers.
+
+Cc: stable@vger.kernel.org # 4.4+
+
+Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
+Signed-off-by: Sowjanya Komatineni <skomatineni@nvidia.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-tegra.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-tegra.c
++++ b/drivers/i2c/busses/i2c-tegra.c
+@@ -794,7 +794,7 @@ static const struct i2c_algorithm tegra_
+ /* payload size is only 12 bit */
+ static const struct i2c_adapter_quirks tegra_i2c_quirks = {
+ .max_read_len = 4096,
+- .max_write_len = 4096,
++ .max_write_len = 4096 - 12,
+ };
+
+ static const struct tegra_i2c_hw_feature tegra20_i2c_hw = {
--- /dev/null
+From bc5add09764c123f58942a37c8335247e683d234 Mon Sep 17 00:00:00 2001
+From: "Michael J. Ruhl" <michael.j.ruhl@intel.com>
+Date: Tue, 26 Feb 2019 08:45:35 -0800
+Subject: IB/hfi1: Close race condition on user context disable and close
+
+From: Michael J. Ruhl <michael.j.ruhl@intel.com>
+
+commit bc5add09764c123f58942a37c8335247e683d234 upstream.
+
+When disabling and removing a receive context, it is possible for an
+asynchronous event (i.e IRQ) to occur. Because of this, there is a race
+between cleaning up the context, and the context being used by the
+asynchronous event.
+
+cpu 0 (context cleanup)
+ rc->ref_count-- (ref_count == 0)
+ hfi1_rcd_free()
+cpu 1 (IRQ (with rcd index))
+ rcd_get_by_index()
+ lock
+ ref_count+++ <-- reference count race (WARNING)
+ return rcd
+ unlock
+cpu 0
+ hfi1_free_ctxtdata() <-- incorrect free location
+ lock
+ remove rcd from array
+ unlock
+ free rcd
+
+This race will cause the following WARNING trace:
+
+WARNING: CPU: 0 PID: 175027 at include/linux/kref.h:52 hfi1_rcd_get_by_index+0x84/0xa0 [hfi1]
+CPU: 0 PID: 175027 Comm: IMB-MPI1 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.el7.x86_64 #1
+Hardware name: Intel Corporation S2600KP/S2600KP, BIOS SE5C610.86B.11.01.0076.C4.111920150602 11/19/2015
+Call Trace:
+ dump_stack+0x19/0x1b
+ __warn+0xd8/0x100
+ warn_slowpath_null+0x1d/0x20
+ hfi1_rcd_get_by_index+0x84/0xa0 [hfi1]
+ is_rcv_urgent_int+0x24/0x90 [hfi1]
+ general_interrupt+0x1b6/0x210 [hfi1]
+ __handle_irq_event_percpu+0x44/0x1c0
+ handle_irq_event_percpu+0x32/0x80
+ handle_irq_event+0x3c/0x60
+ handle_edge_irq+0x7f/0x150
+ handle_irq+0xe4/0x1a0
+ do_IRQ+0x4d/0xf0
+ common_interrupt+0x162/0x162
+
+The race can also lead to a use after free which could be similar to:
+
+general protection fault: 0000 1 SMP
+CPU: 71 PID: 177147 Comm: IMB-MPI1 Kdump: loaded Tainted: G W OE ------------ 3.10.0-957.el7.x86_64 #1
+Hardware name: Intel Corporation S2600KP/S2600KP, BIOS SE5C610.86B.11.01.0076.C4.111920150602 11/19/2015
+task: ffff9962a8098000 ti: ffff99717a508000 task.ti: ffff99717a508000 __kmalloc+0x94/0x230
+Call Trace:
+ ? hfi1_user_sdma_process_request+0x9c8/0x1250 [hfi1]
+ hfi1_user_sdma_process_request+0x9c8/0x1250 [hfi1]
+ hfi1_aio_write+0xba/0x110 [hfi1]
+ do_sync_readv_writev+0x7b/0xd0
+ do_readv_writev+0xce/0x260
+ ? handle_mm_fault+0x39d/0x9b0
+ ? pick_next_task_fair+0x5f/0x1b0
+ ? sched_clock_cpu+0x85/0xc0
+ ? __schedule+0x13a/0x890
+ vfs_writev+0x35/0x60
+ SyS_writev+0x7f/0x110
+ system_call_fastpath+0x22/0x27
+
+Use the appropriate kref API to verify access.
+
+Reorder context cleanup to ensure context removal before cleanup occurs
+correctly.
+
+Cc: stable@vger.kernel.org # v4.14.0+
+Fixes: f683c80ca68e ("IB/hfi1: Resolve kernel panics by reference counting receive contexts")
+Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
+Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
+Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
+Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/hfi1/hfi.h | 2 +-
+ drivers/infiniband/hw/hfi1/init.c | 14 +++++++++-----
+ 2 files changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/hfi.h
++++ b/drivers/infiniband/hw/hfi1/hfi.h
+@@ -1398,7 +1398,7 @@ void hfi1_init_pportdata(struct pci_dev
+ struct hfi1_devdata *dd, u8 hw_pidx, u8 port);
+ void hfi1_free_ctxtdata(struct hfi1_devdata *dd, struct hfi1_ctxtdata *rcd);
+ int hfi1_rcd_put(struct hfi1_ctxtdata *rcd);
+-void hfi1_rcd_get(struct hfi1_ctxtdata *rcd);
++int hfi1_rcd_get(struct hfi1_ctxtdata *rcd);
+ struct hfi1_ctxtdata *hfi1_rcd_get_by_index(struct hfi1_devdata *dd, u16 ctxt);
+ int handle_receive_interrupt(struct hfi1_ctxtdata *rcd, int thread);
+ int handle_receive_interrupt_nodma_rtail(struct hfi1_ctxtdata *rcd, int thread);
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -215,12 +215,12 @@ static void hfi1_rcd_free(struct kref *k
+ struct hfi1_ctxtdata *rcd =
+ container_of(kref, struct hfi1_ctxtdata, kref);
+
+- hfi1_free_ctxtdata(rcd->dd, rcd);
+-
+ spin_lock_irqsave(&rcd->dd->uctxt_lock, flags);
+ rcd->dd->rcd[rcd->ctxt] = NULL;
+ spin_unlock_irqrestore(&rcd->dd->uctxt_lock, flags);
+
++ hfi1_free_ctxtdata(rcd->dd, rcd);
++
+ kfree(rcd);
+ }
+
+@@ -243,10 +243,13 @@ int hfi1_rcd_put(struct hfi1_ctxtdata *r
+ * @rcd: pointer to an initialized rcd data structure
+ *
+ * Use this to get a reference after the init.
++ *
++ * Return : reflect kref_get_unless_zero(), which returns non-zero on
++ * increment, otherwise 0.
+ */
+-void hfi1_rcd_get(struct hfi1_ctxtdata *rcd)
++int hfi1_rcd_get(struct hfi1_ctxtdata *rcd)
+ {
+- kref_get(&rcd->kref);
++ return kref_get_unless_zero(&rcd->kref);
+ }
+
+ /**
+@@ -305,7 +308,8 @@ struct hfi1_ctxtdata *hfi1_rcd_get_by_in
+ spin_lock_irqsave(&dd->uctxt_lock, flags);
+ if (dd->rcd[ctxt]) {
+ rcd = dd->rcd[ctxt];
+- hfi1_rcd_get(rcd);
++ if (!hfi1_rcd_get(rcd))
++ rcd = NULL;
+ }
+ spin_unlock_irqrestore(&dd->uctxt_lock, flags);
+
--- /dev/null
+From 9ed3f22223c33347ed963e7c7019cf2956dd4e37 Mon Sep 17 00:00:00 2001
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Date: Thu, 24 Jan 2019 15:11:53 +0200
+Subject: intel_th: Don't reference unassigned outputs
+
+From: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+
+commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream.
+
+When an output port driver is removed, also remove references to it from
+any masters. Failing to do this causes a NULL ptr dereference when
+configuring another output port:
+
+> BUG: unable to handle kernel NULL pointer dereference at 000000000000000d
+> RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth]
+> Call Trace:
+> dev_attr_store+0x1b/0x30
+> sysfs_kf_write+0x3c/0x50
+> kernfs_fop_write+0x125/0x1a0
+> __vfs_write+0x3a/0x190
+> ? __vfs_write+0x5/0x190
+> ? _cond_resched+0x1a/0x50
+> ? rcu_all_qs+0x5/0xb0
+> ? __vfs_write+0x5/0x190
+> vfs_write+0xb8/0x1b0
+> ksys_write+0x55/0xc0
+> __x64_sys_write+0x1a/0x20
+> do_syscall_64+0x5a/0x140
+> entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Fixes: b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver")
+CC: stable@vger.kernel.org # v4.4+
+Reported-by: Ammy Yi <ammy.yi@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwtracing/intel_th/gth.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hwtracing/intel_th/gth.c
++++ b/drivers/hwtracing/intel_th/gth.c
+@@ -615,6 +615,7 @@ static void intel_th_gth_unassign(struct
+ {
+ struct gth_device *gth = dev_get_drvdata(&thdev->dev);
+ int port = othdev->output.port;
++ int master;
+
+ if (thdev->host_mode)
+ return;
+@@ -623,6 +624,9 @@ static void intel_th_gth_unassign(struct
+ othdev->output.port = -1;
+ othdev->output.active = false;
+ gth->output[port].output = NULL;
++ for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++)
++ if (gth->master[master] == port)
++ gth->master[master] = -1;
+ spin_unlock(>h->gth_lock);
+ }
+
--- /dev/null
+From 8d565748b6035eeda18895c213396a4c9fac6a4c Mon Sep 17 00:00:00 2001
+From: Zenghui Yu <yuzenghui@huawei.com>
+Date: Sun, 10 Feb 2019 05:24:10 +0000
+Subject: irqchip/gic-v3-its: Avoid parsing _indirect_ twice for Device table
+
+From: Zenghui Yu <yuzenghui@huawei.com>
+
+commit 8d565748b6035eeda18895c213396a4c9fac6a4c upstream.
+
+In current logic, its_parse_indirect_baser() will be invoked twice
+when allocating Device tables. Add a *break* to omit the unnecessary
+and annoying (might be ...) invoking.
+
+Fixes: 32bd44dc19de ("irqchip/gic-v3-its: Fix the incorrect parsing of VCPU table size")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/irqchip/irq-gic-v3-its.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3-its.c
++++ b/drivers/irqchip/irq-gic-v3-its.c
+@@ -1708,6 +1708,8 @@ static int its_alloc_tables(struct its_n
+ indirect = its_parse_indirect_baser(its, baser,
+ psz, &order,
+ its->device_ids);
++ break;
++
+ case GITS_BASER_TYPE_VCPU:
+ indirect = its_parse_indirect_baser(its, baser,
+ psz, &order,
--- /dev/null
+From 8cf7630b29701d364f8df4a50e4f1f5e752b2778 Mon Sep 17 00:00:00 2001
+From: Zev Weiss <zev@bewilderbeest.net>
+Date: Mon, 11 Mar 2019 23:28:02 -0700
+Subject: kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
+
+From: Zev Weiss <zev@bewilderbeest.net>
+
+commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream.
+
+This bug has apparently existed since the introduction of this function
+in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git,
+"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of
+neighbour sysctls.").
+
+As a minimal fix we can simply duplicate the corresponding check in
+do_proc_dointvec_conv().
+
+Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net
+Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
+Cc: Brendan Higgins <brendanhiggins@google.com>
+Cc: Iurii Zaikin <yzaikin@google.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Luis Chamberlain <mcgrof@kernel.org>
+Cc: <stable@vger.kernel.org> [2.6.2+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/sysctl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -2530,7 +2530,16 @@ static int do_proc_dointvec_minmax_conv(
+ {
+ struct do_proc_dointvec_minmax_conv_param *param = data;
+ if (write) {
+- int val = *negp ? -*lvalp : *lvalp;
++ int val;
++ if (*negp) {
++ if (*lvalp > (unsigned long) INT_MAX + 1)
++ return -EINVAL;
++ val = -*lvalp;
++ } else {
++ if (*lvalp > (unsigned long) INT_MAX)
++ return -EINVAL;
++ val = *lvalp;
++ }
+ if ((param->min && *param->min > val) ||
+ (param->max && *param->max < val))
+ return -EINVAL;
--- /dev/null
+From 607076a904c435f2677fadaadd4af546279db68b Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Sun, 10 Feb 2019 20:47:49 +0100
+Subject: libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit 607076a904c435f2677fadaadd4af546279db68b upstream.
+
+It doesn't make sense and the USB core warns on each submit of such
+URB, easily flooding the message buffer with tracebacks.
+
+Analogous issue was fixed in regular libertas driver in commit 6528d8804780
+("libertas: don't set URB_ZERO_PACKET on IN USB transfer").
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Reviewed-by: Steve deRosier <derosier@cal-sierra.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+@@ -433,8 +433,6 @@ static int __if_usb_submit_rx_urb(struct
+ skb_tail_pointer(skb),
+ MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp);
+
+- cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET;
+-
+ lbtf_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n",
+ cardp->rx_urb);
+ ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC);
--- /dev/null
+From 46612b751c4941c5c0472ddf04027e877ae5990f Mon Sep 17 00:00:00 2001
+From: zhongjiang <zhongjiang@huawei.com>
+Date: Tue, 5 Mar 2019 15:41:16 -0800
+Subject: mm: hwpoison: fix thp split handing in soft_offline_in_use_page()
+
+From: zhongjiang <zhongjiang@huawei.com>
+
+commit 46612b751c4941c5c0472ddf04027e877ae5990f upstream.
+
+When soft_offline_in_use_page() runs on a thp tail page after pmd is
+split, we trigger the following VM_BUG_ON_PAGE():
+
+ Memory failure: 0x3755ff: non anonymous thp
+ __get_any_page: 0x3755ff: unknown zero refcount page type 2fffff80000000
+ Soft offlining pfn 0x34d805 at process virtual address 0x20fff000
+ page:ffffea000d360140 count:0 mapcount:0 mapping:0000000000000000 index:0x1
+ flags: 0x2fffff80000000()
+ raw: 002fffff80000000 ffffea000d360108 ffffea000d360188 0000000000000000
+ raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
+ page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0)
+ ------------[ cut here ]------------
+ kernel BUG at ./include/linux/mm.h:519!
+
+soft_offline_in_use_page() passed refcount and page lock from tail page
+to head page, which is not needed because we can pass any subpage to
+split_huge_page().
+
+Naoya had fixed a similar issue in c3901e722b29 ("mm: hwpoison: fix thp
+split handling in memory_failure()"). But he missed fixing soft
+offline.
+
+Link: http://lkml.kernel.org/r/1551452476-24000-1-git-send-email-zhongjiang@huawei.com
+Fixes: 61f5d698cc97 ("mm: re-enable THP")
+Signed-off-by: zhongjiang <zhongjiang@huawei.com>
+Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Hugh Dickins <hughd@google.com>
+Cc: Kirill A. Shutemov <kirill@shutemov.name>
+Cc: Andrea Arcangeli <aarcange@redhat.com>
+Cc: <stable@vger.kernel.org> [4.5+]
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/memory-failure.c | 14 ++++++--------
+ 1 file changed, 6 insertions(+), 8 deletions(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1701,19 +1701,17 @@ static int soft_offline_in_use_page(stru
+ struct page *hpage = compound_head(page);
+
+ if (!PageHuge(page) && PageTransHuge(hpage)) {
+- lock_page(hpage);
+- if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) {
+- unlock_page(hpage);
+- if (!PageAnon(hpage))
++ lock_page(page);
++ if (!PageAnon(page) || unlikely(split_huge_page(page))) {
++ unlock_page(page);
++ if (!PageAnon(page))
+ pr_info("soft offline: %#lx: non anonymous thp\n", page_to_pfn(page));
+ else
+ pr_info("soft offline: %#lx: thp split failed\n", page_to_pfn(page));
+- put_hwpoison_page(hpage);
++ put_hwpoison_page(page);
+ return -EBUSY;
+ }
+- unlock_page(hpage);
+- get_hwpoison_page(page);
+- put_hwpoison_page(hpage);
++ unlock_page(page);
+ }
+
+ if (PageHuge(page))
--- /dev/null
+From 401592d2e095947344e10ec0623adbcd58934dd4 Mon Sep 17 00:00:00 2001
+From: Roman Penyaev <rpenyaev@suse.de>
+Date: Tue, 5 Mar 2019 15:43:20 -0800
+Subject: mm/vmalloc: fix size check for remap_vmalloc_range_partial()
+
+From: Roman Penyaev <rpenyaev@suse.de>
+
+commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream.
+
+When VM_NO_GUARD is not set area->size includes adjacent guard page,
+thus for correct size checking get_vm_area_size() should be used, but
+not area->size.
+
+This fixes possible kernel oops when userspace tries to mmap an area on
+1 page bigger than was allocated by vmalloc_user() call: the size check
+inside remap_vmalloc_range_partial() accounts non-existing guard page
+also, so check successfully passes but vmalloc_to_page() returns NULL
+(guard page does not physically exist).
+
+The following code pattern example should trigger an oops:
+
+ static int oops_mmap(struct file *file, struct vm_area_struct *vma)
+ {
+ void *mem;
+
+ mem = vmalloc_user(4096);
+ BUG_ON(!mem);
+ /* Do not care about mem leak */
+
+ return remap_vmalloc_range(vma, mem, 0);
+ }
+
+And userspace simply mmaps size + PAGE_SIZE:
+
+ mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0);
+
+Possible candidates for oops which do not have any explicit size
+checks:
+
+ *** drivers/media/usb/stkwebcam/stk-webcam.c:
+ v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0);
+
+Or the following one:
+
+ *** drivers/video/fbdev/core/fbmem.c
+ static int
+ fb_mmap(struct file *file, struct vm_area_struct * vma)
+ ...
+ res = fb->fb_mmap(info, vma);
+
+Where fb_mmap callback calls remap_vmalloc_range() directly without any
+explicit checks:
+
+ *** drivers/video/fbdev/vfb.c
+ static int vfb_mmap(struct fb_info *info,
+ struct vm_area_struct *vma)
+ {
+ return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff);
+ }
+
+Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de
+Signed-off-by: Roman Penyaev <rpenyaev@suse.de>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
+Cc: Joe Perches <joe@perches.com>
+Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -2262,7 +2262,7 @@ int remap_vmalloc_range_partial(struct v
+ if (!(area->flags & VM_USERMAP))
+ return -EINVAL;
+
+- if (kaddr + size > area->addr + area->size)
++ if (kaddr + size > area->addr + get_vm_area_size(area))
+ return -EINVAL;
+
+ do {
--- /dev/null
+From 43f89877f26671c6309cd87d7364b1a3e66e71cf Mon Sep 17 00:00:00 2001
+From: Dexuan Cui <decui@microsoft.com>
+Date: Wed, 30 Jan 2019 01:23:01 +0000
+Subject: nfit: acpi_nfit_ctl(): Check out_obj->type in the right place
+
+From: Dexuan Cui <decui@microsoft.com>
+
+commit 43f89877f26671c6309cd87d7364b1a3e66e71cf upstream.
+
+In the case of ND_CMD_CALL, we should also check out_obj->type.
+
+The patch uses out_obj->type, which is a short alias to
+out_obj->package.type.
+
+Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command marshaling mechanism")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Signed-off-by: Dan Williams <dan.j.williams@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ drivers/acpi/nfit/core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/drivers/acpi/nfit/core.c
++++ b/drivers/acpi/nfit/core.c
+@@ -329,6 +329,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ return -EINVAL;
+ }
+
++ if (out_obj->type != ACPI_TYPE_BUFFER) {
++ dev_dbg(dev, "%s unexpected output object type cmd: %s type: %d\n",
++ dimm_name, cmd_name, out_obj->type);
++ rc = -EINVAL;
++ goto out;
++ }
++
+ if (call_pkg) {
+ call_pkg->nd_fw_size = out_obj->buffer.length;
+ memcpy(call_pkg->nd_payload + call_pkg->nd_size_in,
+@@ -347,13 +354,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc
+ return 0;
+ }
+
+- if (out_obj->package.type != ACPI_TYPE_BUFFER) {
+- dev_dbg(dev, "%s:%s unexpected output object type cmd: %s type: %d\n",
+- __func__, dimm_name, cmd_name, out_obj->type);
+- rc = -EINVAL;
+- goto out;
+- }
+-
+ dev_dbg(dev, "%s:%s cmd: %s output length: %d\n", __func__, dimm_name,
+ cmd_name, out_obj->buffer.length);
+ print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4,
--- /dev/null
+From 21698fd57984cd28207d841dbdaa026d6061bceb Mon Sep 17 00:00:00 2001
+From: QiaoChong <qiaochong@loongson.cn>
+Date: Sat, 9 Feb 2019 20:59:07 +0000
+Subject: parport_pc: fix find_superio io compare code, should use equal test.
+
+From: QiaoChong <qiaochong@loongson.cn>
+
+commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream.
+
+In the original code before 181bf1e815a2 the loop was continuing until
+it finds the first matching superios[i].io and p->base.
+But after 181bf1e815a2 the logic changed and the loop now returns the
+pointer to the first mismatched array element which is then used in
+get_superio_dma() and get_superio_irq() and thus returning the wrong
+value.
+Fix the condition so that it now returns the correct pointer.
+
+Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for")
+Cc: Alan Cox <alan@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: QiaoChong <qiaochong@loongson.cn>
+[rewrite the commit message]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super
+ {
+ int i;
+ for (i = 0; i < NR_SUPERIOS; i++)
+- if (superios[i].io != p->base)
++ if (superios[i].io == p->base)
+ return &superios[i];
+ return NULL;
+ }
btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch
btrfs-fix-corruption-reading-shared-and-compressed-extents-after-hole-punching.patch
crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch
+libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch
+irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch
+x86-kprobes-prohibit-probing-on-optprobe-template-code.patch
+cpufreq-tegra124-add-missing-of_node_put.patch
+cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch
+ext4-add-mask-of-ext4-flags-to-swap.patch
+ext4-fix-crash-during-online-resizing.patch
+ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch
+cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch
+ext2-fix-underflow-in-ext2_max_size.patch
+clk-uniphier-fix-update-register-for-cpu-gear.patch
+clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch
+clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch
+clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch
+usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch
+nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch
+mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch
+mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch
+kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch
+device-property-fix-the-length-used-in-property_entry_string.patch
+intel_th-don-t-reference-unassigned-outputs.patch
+parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch
+i2c-tegra-fix-maximum-transfer-size.patch
--- /dev/null
+From 563b9372f7ec57e44e8f9a8600c5107d7ffdd166 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Sun, 24 Feb 2019 18:36:22 +0300
+Subject: usb: chipidea: tegra: Fix missed ci_hdrc_remove_device()
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 563b9372f7ec57e44e8f9a8600c5107d7ffdd166 upstream.
+
+The ChipIdea's platform device need to be unregistered on Tegra's driver
+module removal.
+
+Fixes: dfebb5f43a78827a ("usb: chipidea: Add support for Tegra20/30/114/124")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Peter Chen <peter.chen@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/ci_hdrc_tegra.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/chipidea/ci_hdrc_tegra.c
++++ b/drivers/usb/chipidea/ci_hdrc_tegra.c
+@@ -133,6 +133,7 @@ static int tegra_udc_remove(struct platf
+ {
+ struct tegra_udc *udc = platform_get_drvdata(pdev);
+
++ ci_hdrc_remove_device(udc->dev);
+ usb_phy_set_suspend(udc->phy, 1);
+ clk_disable_unprepare(udc->clk);
+
--- /dev/null
+From 0192e6535ebe9af68614198ced4fd6d37b778ebf Mon Sep 17 00:00:00 2001
+From: Masami Hiramatsu <mhiramat@kernel.org>
+Date: Wed, 13 Feb 2019 01:11:19 +0900
+Subject: x86/kprobes: Prohibit probing on optprobe template code
+
+From: Masami Hiramatsu <mhiramat@kernel.org>
+
+commit 0192e6535ebe9af68614198ced4fd6d37b778ebf upstream.
+
+Prohibit probing on optprobe template code, since it is not
+a code but a template instruction sequence. If we modify
+this template, copied template must be broken.
+
+Signed-off-by: Masami Hiramatsu <mhiramat@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Andrea Righi <righi.andrea@gmail.com>
+Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Fixes: 9326638cbee2 ("kprobes, x86: Use NOKPROBE_SYMBOL() instead of __kprobes annotation")
+Link: http://lkml.kernel.org/r/154998787911.31052.15274376330136234452.stgit@devbox
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/kprobes/opt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/kernel/kprobes/opt.c
++++ b/arch/x86/kernel/kprobes/opt.c
+@@ -141,6 +141,11 @@ asm (
+
+ void optprobe_template_func(void);
+ STACK_FRAME_NON_STANDARD(optprobe_template_func);
++NOKPROBE_SYMBOL(optprobe_template_func);
++NOKPROBE_SYMBOL(optprobe_template_entry);
++NOKPROBE_SYMBOL(optprobe_template_val);
++NOKPROBE_SYMBOL(optprobe_template_call);
++NOKPROBE_SYMBOL(optprobe_template_end);
+
+ #define TMPL_MOVE_IDX \
+ ((long)&optprobe_template_val - (long)&optprobe_template_entry)
projects / thirdparty / kernel / stable-queue.git / commitdiff
