4.4-stable patches

added patches:
	alsa-hda-remove-superfluous-added-by-printk-conversion.patch
	alsa-seq-enable-use-locking-in-all-configurations.patch
	brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch
	bus-mbus-fix-window-size-calculation-for-4gb-windows.patch
	clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch
	drm-nouveau-bsp-g92-disable-by-default.patch
	drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch
	i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch
	keys-don-t-let-add_key-update-an-uninstantiated-key.patch
	keys-encrypted-fix-dereference-of-null-user_key_payload.patch
	lib-digsig-fix-dereference-of-null-user_key_payload.patch
	pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch
	rtlwifi-rtl8821ae-fix-connection-lost-problem.patch

diff --git a/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch b/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch
new file mode 100644 (file)
index 0000000..4acb6fb
--- /dev/null
+++ b/queue-4.4/alsa-hda-remove-superfluous-added-by-printk-conversion.patch
@@ -0,0 +1,35 @@
+From 6bf88a343db2b3c160edf9b82a74966b31cc80bd Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 17 Oct 2017 11:58:17 +0200
+Subject: ALSA: hda: Remove superfluous '-' added by printk conversion
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream.
+
+While converting the error messages to the standard macros in the
+commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a
+superfluous '-' slipped in the code mistakenly.  Its influence is
+almost negligible, merely shows a dB value as negative integer instead
+of positive integer (or vice versa) in the rare error message.
+So let's kill this embarrassing byte to show more correct value.
+
+Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_codec.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -1755,7 +1755,7 @@ static int get_kctl_0dB_offset(struct hd
+                       return -1;
+               if (*step_to_check && *step_to_check != step) {
+                       codec_err(codec, "Mismatching dB step for vmaster slave (%d!=%d)\n",
+--                                *step_to_check, step);
++                                 *step_to_check, step);
+                       return -1;
+               }
+               *step_to_check = step;

diff --git a/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch b/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch
new file mode 100644 (file)
index 0000000..6d59fb7
--- /dev/null
+++ b/queue-4.4/alsa-seq-enable-use-locking-in-all-configurations.patch
@@ -0,0 +1,66 @@
+From 8009d506a1dd00cf436b0c4cca0dcec130580a21 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Date: Wed, 18 Oct 2017 00:45:49 +0100
+Subject: ALSA: seq: Enable 'use' locking in all configurations
+
+From: Ben Hutchings <ben.hutchings@codethink.co.uk>
+
+commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream.
+
+The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is
+enabled.  This might once have been OK in non-preemptible
+configurations, but even in that case snd_seq_read() may sleep while
+relying on a 'use' lock.  So always use the proper implementations.
+
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_lock.c |    4 ----
+ sound/core/seq/seq_lock.h |   12 ------------
+ 2 files changed, 16 deletions(-)
+
+--- a/sound/core/seq/seq_lock.c
++++ b/sound/core/seq/seq_lock.c
+@@ -23,8 +23,6 @@
+ #include <sound/core.h>
+ #include "seq_lock.h"
+ 
+-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
+-
+ /* wait until all locks are released */
+ void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line)
+ {
+@@ -42,5 +40,3 @@ void snd_use_lock_sync_helper(snd_use_lo
+ }
+ 
+ EXPORT_SYMBOL(snd_use_lock_sync_helper);
+-
+-#endif
+--- a/sound/core/seq/seq_lock.h
++++ b/sound/core/seq/seq_lock.h
+@@ -3,8 +3,6 @@
+ 
+ #include <linux/sched.h>
+ 
+-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG)
+-
+ typedef atomic_t snd_use_lock_t;
+ 
+ /* initialize lock */
+@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t;
+ void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line);
+ #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__)
+ 
+-#else /* SMP || CONFIG_SND_DEBUG */
+-
+-typedef spinlock_t snd_use_lock_t;    /* dummy */
+-#define snd_use_lock_init(lockp) /**/
+-#define snd_use_lock_use(lockp) /**/
+-#define snd_use_lock_free(lockp) /**/
+-#define snd_use_lock_sync(lockp) /**/
+-
+-#endif /* SMP || CONFIG_SND_DEBUG */
+-
+ #endif /* __SND_SEQ_LOCK_H */

diff --git a/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch b/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch
new file mode 100644 (file)
index 0000000..5d1a24f
--- /dev/null
+++ b/queue-4.4/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch
@@ -0,0 +1,431 @@
+From c503dd38f850be28867ef7a42d9abe5ade81a9bd Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Fri, 22 Sep 2017 23:29:12 +0200
+Subject: brcmsmac: make some local variables 'static const' to reduce stack size
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit c503dd38f850be28867ef7a42d9abe5ade81a9bd upstream.
+
+With KASAN and a couple of other patches applied, this driver is one
+of the few remaining ones that actually use more than 2048 bytes of
+kernel stack:
+
+broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl':
+broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy':
+broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=]
+
+Here, I'm reducing the stack size by marking as many local variables as
+'static const' as I can without changing the actual code.
+
+This is the first of three patches to improve the stack usage in this
+driver. It would be good to have this backported to stabl kernels
+to get all drivers in 'allmodconfig' below the 2048 byte limit so
+we can turn on the frame warning again globally, but I realize that
+the patch is larger than the normal limit for stable backports.
+
+The other two patches do not need to be backported.
+
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c |  197 +++++++++-----------
+ 1 file changed, 97 insertions(+), 100 deletions(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_n.c
+@@ -14764,8 +14764,8 @@ static void wlc_phy_ipa_restore_tx_digi_
+ }
+ 
+ static void
+-wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, u8 *events, u8 *dlys,
+-                     u8 len)
++wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, const u8 *events,
++                     const u8 *dlys, u8 len)
+ {
+       u32 t1_offset, t2_offset;
+       u8 ctr;
+@@ -15240,16 +15240,16 @@ static void wlc_phy_workarounds_nphy_gai
+ static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi)
+ {
+       u16 currband;
+-      s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 };
+-      s8 *lna1_gain_db = NULL;
+-      s8 *lna1_gain_db_2 = NULL;
+-      s8 *lna2_gain_db = NULL;
+-      s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 };
+-      s8 *tia_gain_db;
+-      s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 };
+-      s8 *tia_gainbits;
+-      u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f };
+-      u16 *rfseq_init_gain;
++      static const s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 };
++      const s8 *lna1_gain_db = NULL;
++      const s8 *lna1_gain_db_2 = NULL;
++      const s8 *lna2_gain_db = NULL;
++      static const s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 };
++      const s8 *tia_gain_db;
++      static const s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 };
++      const s8 *tia_gainbits;
++      static const u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f };
++      const u16 *rfseq_init_gain;
+       u16 init_gaincode;
+       u16 clip1hi_gaincode;
+       u16 clip1md_gaincode = 0;
+@@ -15310,10 +15310,9 @@ static void wlc_phy_workarounds_nphy_gai
+ 
+                       if ((freq <= 5080) || (freq == 5825)) {
+ 
+-                              s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 };
+-                              s8 lna1A_gain_db_2_rev7[] = {
+-                                      11, 17, 22, 25};
+-                              s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
++                              static const s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 };
++                              static const s8 lna1A_gain_db_2_rev7[] = { 11, 17, 22, 25};
++                              static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
+ 
+                               crsminu_th = 0x3e;
+                               lna1_gain_db = lna1A_gain_db_rev7;
+@@ -15321,10 +15320,9 @@ static void wlc_phy_workarounds_nphy_gai
+                               lna2_gain_db = lna2A_gain_db_rev7;
+                       } else if ((freq >= 5500) && (freq <= 5700)) {
+ 
+-                              s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 };
+-                              s8 lna1A_gain_db_2_rev7[] = {
+-                                      12, 18, 22, 26};
+-                              s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 };
++                              static const s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 };
++                              static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26};
++                              static const s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 };
+ 
+                               crsminu_th = 0x45;
+                               clip1md_gaincode_B = 0x14;
+@@ -15335,10 +15333,9 @@ static void wlc_phy_workarounds_nphy_gai
+                               lna2_gain_db = lna2A_gain_db_rev7;
+                       } else {
+ 
+-                              s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 };
+-                              s8 lna1A_gain_db_2_rev7[] = {
+-                                      12, 18, 22, 26};
+-                              s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
++                              static const s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 };
++                              static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26};
++                              static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 };
+ 
+                               crsminu_th = 0x41;
+                               lna1_gain_db = lna1A_gain_db_rev7;
+@@ -15450,65 +15447,65 @@ static void wlc_phy_workarounds_nphy_gai
+               NPHY_RFSEQ_CMD_CLR_HIQ_DIS,
+               NPHY_RFSEQ_CMD_SET_HPF_BW
+       };
+-      u8 rfseq_updategainu_dlys[] = { 10, 30, 1 };
+-      s8 lna1G_gain_db[] = { 7, 11, 16, 23 };
+-      s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 };
+-      s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 };
+-      s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 };
+-      s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 };
+-      s8 lna1A_gain_db[] = { 7, 11, 17, 23 };
+-      s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 };
+-      s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 };
+-      s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 };
+-      s8 *lna1_gain_db = NULL;
+-      s8 lna2G_gain_db[] = { -5, 6, 10, 14 };
+-      s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 };
+-      s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 };
+-      s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 };
+-      s8 lna2A_gain_db[] = { -6, 2, 6, 10 };
+-      s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 };
+-      s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 };
+-      s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 };
+-      s8 *lna2_gain_db = NULL;
+-      s8 tiaG_gain_db[] = {
++      static const u8 rfseq_updategainu_dlys[] = { 10, 30, 1 };
++      static const s8 lna1G_gain_db[] = { 7, 11, 16, 23 };
++      static const s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 };
++      static const s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 };
++      static const s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 };
++      static const s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 };
++      static const s8 lna1A_gain_db[] = { 7, 11, 17, 23 };
++      static const s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 };
++      static const s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 };
++      static const s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 };
++      const s8 *lna1_gain_db = NULL;
++      static const s8 lna2G_gain_db[] = { -5, 6, 10, 14 };
++      static const s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 };
++      static const s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 };
++      static const s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 };
++      static const s8 lna2A_gain_db[] = { -6, 2, 6, 10 };
++      static const s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 };
++      static const s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 };
++      static const s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 };
++      const s8 *lna2_gain_db = NULL;
++      static const s8 tiaG_gain_db[] = {
+               0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A };
+-      s8 tiaA_gain_db[] = {
++      static const s8 tiaA_gain_db[] = {
+               0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13 };
+-      s8 tiaA_gain_db_rev4[] = {
++      static const s8 tiaA_gain_db_rev4[] = {
+               0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+-      s8 tiaA_gain_db_rev5[] = {
++      static const s8 tiaA_gain_db_rev5[] = {
+               0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+-      s8 tiaA_gain_db_rev6[] = {
++      static const s8 tiaA_gain_db_rev6[] = {
+               0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d };
+-      s8 *tia_gain_db;
+-      s8 tiaG_gainbits[] = {
++      const s8 *tia_gain_db;
++      static const s8 tiaG_gainbits[] = {
+               0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 };
+-      s8 tiaA_gainbits[] = {
++      static const s8 tiaA_gainbits[] = {
+               0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06 };
+-      s8 tiaA_gainbits_rev4[] = {
++      static const s8 tiaA_gainbits_rev4[] = {
+               0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+-      s8 tiaA_gainbits_rev5[] = {
++      static const s8 tiaA_gainbits_rev5[] = {
+               0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+-      s8 tiaA_gainbits_rev6[] = {
++      static const s8 tiaA_gainbits_rev6[] = {
+               0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 };
+-      s8 *tia_gainbits;
+-      s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 };
+-      s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 };
+-      u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f };
+-      u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f };
+-      u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f };
+-      u16 rfseqG_init_gain_rev5_elna[] = {
++      const s8 *tia_gainbits;
++      static const s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 };
++      static const s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 };
++      static const u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f };
++      static const u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f };
++      static const u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f };
++      static const u16 rfseqG_init_gain_rev5_elna[] = {
+               0x013f, 0x013f, 0x013f, 0x013f };
+-      u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f };
+-      u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f };
+-      u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f };
+-      u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f };
+-      u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f };
+-      u16 rfseqA_init_gain_rev4_elna[] = {
++      static const u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f };
++      static const u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f };
++      static const u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f };
++      static const u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f };
++      static const u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f };
++      static const u16 rfseqA_init_gain_rev4_elna[] = {
+               0x314f, 0x314f, 0x314f, 0x314f };
+-      u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f };
+-      u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f };
+-      u16 *rfseq_init_gain;
++      static const u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f };
++      static const u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f };
++      const u16 *rfseq_init_gain;
+       u16 initG_gaincode = 0x627e;
+       u16 initG_gaincode_rev4 = 0x527e;
+       u16 initG_gaincode_rev5 = 0x427e;
+@@ -15538,10 +15535,10 @@ static void wlc_phy_workarounds_nphy_gai
+       u16 clip1mdA_gaincode_rev6 = 0x2084;
+       u16 clip1md_gaincode = 0;
+       u16 clip1loG_gaincode = 0x0074;
+-      u16 clip1loG_gaincode_rev5[] = {
++      static const u16 clip1loG_gaincode_rev5[] = {
+               0x0062, 0x0064, 0x006a, 0x106a, 0x106c, 0x1074, 0x107c, 0x207c
+       };
+-      u16 clip1loG_gaincode_rev6[] = {
++      static const u16 clip1loG_gaincode_rev6[] = {
+               0x106a, 0x106c, 0x1074, 0x107c, 0x007e, 0x107e, 0x207e, 0x307e
+       };
+       u16 clip1loG_gaincode_rev6_224B0 = 0x1074;
+@@ -16066,7 +16063,7 @@ static void wlc_phy_workarounds_nphy_gai
+ 
+ static void wlc_phy_workarounds_nphy(struct brcms_phy *pi)
+ {
+-      u8 rfseq_rx2tx_events[] = {
++      static const u8 rfseq_rx2tx_events[] = {
+               NPHY_RFSEQ_CMD_NOP,
+               NPHY_RFSEQ_CMD_RXG_FBW,
+               NPHY_RFSEQ_CMD_TR_SWITCH,
+@@ -16076,7 +16073,7 @@ static void wlc_phy_workarounds_nphy(str
+               NPHY_RFSEQ_CMD_EXT_PA
+       };
+       u8 rfseq_rx2tx_dlys[] = { 8, 6, 6, 2, 4, 60, 1 };
+-      u8 rfseq_tx2rx_events[] = {
++      static const u8 rfseq_tx2rx_events[] = {
+               NPHY_RFSEQ_CMD_NOP,
+               NPHY_RFSEQ_CMD_EXT_PA,
+               NPHY_RFSEQ_CMD_TX_GAIN,
+@@ -16085,8 +16082,8 @@ static void wlc_phy_workarounds_nphy(str
+               NPHY_RFSEQ_CMD_RXG_FBW,
+               NPHY_RFSEQ_CMD_CLR_HIQ_DIS
+       };
+-      u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 };
+-      u8 rfseq_tx2rx_events_rev3[] = {
++      static const u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 };
++      static const u8 rfseq_tx2rx_events_rev3[] = {
+               NPHY_REV3_RFSEQ_CMD_EXT_PA,
+               NPHY_REV3_RFSEQ_CMD_INT_PA_PU,
+               NPHY_REV3_RFSEQ_CMD_TX_GAIN,
+@@ -16096,7 +16093,7 @@ static void wlc_phy_workarounds_nphy(str
+               NPHY_REV3_RFSEQ_CMD_CLR_HIQ_DIS,
+               NPHY_REV3_RFSEQ_CMD_END
+       };
+-      u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 };
++      static const u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 };
+       u8 rfseq_rx2tx_events_rev3[] = {
+               NPHY_REV3_RFSEQ_CMD_NOP,
+               NPHY_REV3_RFSEQ_CMD_RXG_FBW,
+@@ -16110,7 +16107,7 @@ static void wlc_phy_workarounds_nphy(str
+       };
+       u8 rfseq_rx2tx_dlys_rev3[] = { 8, 6, 6, 4, 4, 18, 42, 1, 1 };
+ 
+-      u8 rfseq_rx2tx_events_rev3_ipa[] = {
++      static const u8 rfseq_rx2tx_events_rev3_ipa[] = {
+               NPHY_REV3_RFSEQ_CMD_NOP,
+               NPHY_REV3_RFSEQ_CMD_RXG_FBW,
+               NPHY_REV3_RFSEQ_CMD_TR_SWITCH,
+@@ -16121,15 +16118,15 @@ static void wlc_phy_workarounds_nphy(str
+               NPHY_REV3_RFSEQ_CMD_INT_PA_PU,
+               NPHY_REV3_RFSEQ_CMD_END
+       };
+-      u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 };
+-      u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f };
++      static const u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 };
++      static const u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f };
+ 
+       s16 alpha0, alpha1, alpha2;
+       s16 beta0, beta1, beta2;
+       u32 leg_data_weights, ht_data_weights, nss1_data_weights,
+           stbc_data_weights;
+       u8 chan_freq_range = 0;
+-      u16 dac_control = 0x0002;
++      static const u16 dac_control = 0x0002;
+       u16 aux_adc_vmid_rev7_core0[] = { 0x8e, 0x96, 0x96, 0x96 };
+       u16 aux_adc_vmid_rev7_core1[] = { 0x8f, 0x9f, 0x9f, 0x96 };
+       u16 aux_adc_vmid_rev4[] = { 0xa2, 0xb4, 0xb4, 0x89 };
+@@ -16139,8 +16136,8 @@ static void wlc_phy_workarounds_nphy(str
+       u16 aux_adc_gain_rev4[] = { 0x02, 0x02, 0x02, 0x00 };
+       u16 aux_adc_gain_rev3[] = { 0x02, 0x02, 0x02, 0x00 };
+       u16 *aux_adc_gain;
+-      u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 };
+-      u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 };
++      static const u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 };
++      static const u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 };
+       s32 min_nvar_val = 0x18d;
+       s32 min_nvar_offset_6mbps = 20;
+       u8 pdetrange;
+@@ -16151,9 +16148,9 @@ static void wlc_phy_workarounds_nphy(str
+       u16 rfseq_rx2tx_lpf_h_hpc_rev7 = 0x77;
+       u16 rfseq_tx2rx_lpf_h_hpc_rev7 = 0x77;
+       u16 rfseq_pktgn_lpf_h_hpc_rev7 = 0x77;
+-      u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 };
+-      u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
+-      u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
++      static const u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 };
++      static const u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
++      static const u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 };
+       u16 ipalvlshift_3p3_war_en = 0;
+       u16 rccal_bcap_val, rccal_scap_val;
+       u16 rccal_tx20_11b_bcap = 0;
+@@ -24291,13 +24288,13 @@ static void wlc_phy_update_txcal_ladder_
+       u16 bbmult;
+       u16 tblentry;
+ 
+-      struct nphy_txiqcal_ladder ladder_lo[] = {
++      static const struct nphy_txiqcal_ladder ladder_lo[] = {
+               {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0},
+               {25, 0}, {25, 1}, {25, 2}, {25, 3}, {25, 4}, {25, 5},
+               {25, 6}, {25, 7}, {35, 7}, {50, 7}, {71, 7}, {100, 7}
+       };
+ 
+-      struct nphy_txiqcal_ladder ladder_iq[] = {
++      static const struct nphy_txiqcal_ladder ladder_iq[] = {
+               {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0},
+               {25, 0}, {35, 0}, {50, 0}, {71, 0}, {100, 0}, {100, 1},
+               {100, 2}, {100, 3}, {100, 4}, {100, 5}, {100, 6}, {100, 7}
+@@ -25773,67 +25770,67 @@ wlc_phy_cal_txiqlo_nphy(struct brcms_phy
+       u16 cal_gain[2];
+       struct nphy_iqcal_params cal_params[2];
+       u32 tbl_len;
+-      void *tbl_ptr;
++      const void *tbl_ptr;
+       bool ladder_updated[2];
+       u8 mphase_cal_lastphase = 0;
+       int bcmerror = 0;
+       bool phyhang_avoid_state = false;
+ 
+-      u16 tbl_tx_iqlo_cal_loft_ladder_20[] = {
++      static const u16 tbl_tx_iqlo_cal_loft_ladder_20[] = {
+               0x0300, 0x0500, 0x0700, 0x0900, 0x0d00, 0x1100, 0x1900, 0x1901,
+               0x1902,
+               0x1903, 0x1904, 0x1905, 0x1906, 0x1907, 0x2407, 0x3207, 0x4607,
+               0x6407
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = {
++      static const u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = {
+               0x0200, 0x0300, 0x0600, 0x0900, 0x0d00, 0x1100, 0x1900, 0x2400,
+               0x3200,
+               0x4600, 0x6400, 0x6401, 0x6402, 0x6403, 0x6404, 0x6405, 0x6406,
+               0x6407
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_loft_ladder_40[] = {
++      static const u16 tbl_tx_iqlo_cal_loft_ladder_40[] = {
+               0x0200, 0x0300, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1201,
+               0x1202,
+               0x1203, 0x1204, 0x1205, 0x1206, 0x1207, 0x1907, 0x2307, 0x3207,
+               0x4707
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = {
++      static const u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = {
+               0x0100, 0x0200, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1900,
+               0x2300,
+               0x3200, 0x4700, 0x4701, 0x4702, 0x4703, 0x4704, 0x4705, 0x4706,
+               0x4707
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_startcoefs[] = {
++      static const u16 tbl_tx_iqlo_cal_startcoefs[] = {
+               0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+               0x0000
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_cmds_fullcal[] = {
++      static const u16 tbl_tx_iqlo_cal_cmds_fullcal[] = {
+               0x8123, 0x8264, 0x8086, 0x8245, 0x8056,
+               0x9123, 0x9264, 0x9086, 0x9245, 0x9056
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_cmds_recal[] = {
++      static const u16 tbl_tx_iqlo_cal_cmds_recal[] = {
+               0x8101, 0x8253, 0x8053, 0x8234, 0x8034,
+               0x9101, 0x9253, 0x9053, 0x9234, 0x9034
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = {
++      static const u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = {
+               0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+               0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
+               0x0000
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = {
++      static const u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = {
+               0x8434, 0x8334, 0x8084, 0x8267, 0x8056, 0x8234,
+               0x9434, 0x9334, 0x9084, 0x9267, 0x9056, 0x9234
+       };
+ 
+-      u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = {
++      static const u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = {
+               0x8423, 0x8323, 0x8073, 0x8256, 0x8045, 0x8223,
+               0x9423, 0x9323, 0x9073, 0x9256, 0x9045, 0x9223
+       };

diff --git a/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch b/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch
new file mode 100644 (file)
index 0000000..3fd04e9
--- /dev/null
+++ b/queue-4.4/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch
@@ -0,0 +1,58 @@
+From 2bbbd96357ce76cc45ec722c00f654aa7b189112 Mon Sep 17 00:00:00 2001
+From: Jan Luebbe <jlu@pengutronix.de>
+Date: Mon, 28 Aug 2017 17:25:16 +0200
+Subject: bus: mbus: fix window size calculation for 4GB windows
+
+From: Jan Luebbe <jlu@pengutronix.de>
+
+commit 2bbbd96357ce76cc45ec722c00f654aa7b189112 upstream.
+
+At least the Armada XP SoC supports 4GB on a single DRAM window. Because
+the size register values contain the actual size - 1, the MSB is set in
+that case. For example, the SDRAM window's control register's value is
+0xffffffe1 for 4GB (bits 31 to 24 contain the size).
+
+The MBUS driver reads back each window's size from registers and
+calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which
+overflows for 32 bit values, resulting in other miscalculations further
+on (a bad RAM window for the CESA crypto engine calculated by
+mvebu_mbus_setup_cpu_target_nooverlap() in my case).
+
+This patch changes the type in 'struct mbus_dram_window' from u32 to
+u64, which allows us to keep using the same register calculation code in
+most MBUS-using drivers (which calculate ->size - 1 again).
+
+Fixes: fddddb52a6c4 ("bus: introduce an Marvell EBU MBus driver")
+Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
+Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bus/mvebu-mbus.c |    2 +-
+ include/linux/mbus.h     |    4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/bus/mvebu-mbus.c
++++ b/drivers/bus/mvebu-mbus.c
+@@ -720,7 +720,7 @@ mvebu_mbus_default_setup_cpu_target(stru
+                       if (mbus->hw_io_coherency)
+                               w->mbus_attr |= ATTR_HW_COHERENCY;
+                       w->base = base & DDR_BASE_CS_LOW_MASK;
+-                      w->size = (size | ~DDR_SIZE_MASK) + 1;
++                      w->size = (u64)(size | ~DDR_SIZE_MASK) + 1;
+               }
+       }
+       mvebu_mbus_dram_info.num_cs = cs;
+--- a/include/linux/mbus.h
++++ b/include/linux/mbus.h
+@@ -29,8 +29,8 @@ struct mbus_dram_target_info
+       struct mbus_dram_window {
+               u8      cs_index;
+               u8      mbus_attr;
+-              u32     base;
+-              u32     size;
++              u64     base;
++              u64     size;
+       } cs[4];
+ };
+ 

diff --git a/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch b/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch
new file mode 100644 (file)
index 0000000..7293eb2
--- /dev/null
+++ b/queue-4.4/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch
@@ -0,0 +1,45 @@
+From eb39a7c0355393c5a8d930f342ad7a6231b552c4 Mon Sep 17 00:00:00 2001
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+Date: Thu, 19 Oct 2017 22:57:02 +0200
+Subject: clockevents/drivers/cs5535: Improve resilience to spurious interrupts
+
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+
+commit eb39a7c0355393c5a8d930f342ad7a6231b552c4 upstream.
+
+The interrupt handler mfgpt_tick() is not robust versus spurious interrupts
+which happen before the clock event device is registered and fully
+initialized.
+
+The reason is that the safe guard against spurious interrupts solely checks
+for the clockevents shutdown state, but lacks a check for detached
+state. If the interrupt hits while the device is in detached state it
+passes the safe guard and dereferences the event handler call back which is
+NULL.
+
+Add the missing state check.
+
+Fixes: 8f9327cbb6e8 ("clockevents/drivers/cs5535: Migrate to new 'set-state' interface")
+Suggested-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lkml.kernel.org/r/20171020093103.3317F6004D@linux.fjfi.cvut.cz
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/clocksource/cs5535-clockevt.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/clocksource/cs5535-clockevt.c
++++ b/drivers/clocksource/cs5535-clockevt.c
+@@ -117,7 +117,8 @@ static irqreturn_t mfgpt_tick(int irq, v
+       /* Turn off the clock (and clear the event) */
+       disable_timer(cs5535_event_clock);
+ 
+-      if (clockevent_state_shutdown(&cs5535_clockevent))
++      if (clockevent_state_detached(&cs5535_clockevent) ||
++          clockevent_state_shutdown(&cs5535_clockevent))
+               return IRQ_HANDLED;
+ 
+       /* Clear the counter */

diff --git a/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch b/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch
new file mode 100644 (file)
index 0000000..98a3c09
--- /dev/null
+++ b/queue-4.4/drm-nouveau-bsp-g92-disable-by-default.patch
@@ -0,0 +1,35 @@
+From 194d68dd051c2dd5ac2b522ae16100e774e8d869 Mon Sep 17 00:00:00 2001
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+Date: Sun, 1 Oct 2017 13:52:43 -0400
+Subject: drm/nouveau/bsp/g92: disable by default
+
+From: Ilia Mirkin <imirkin@alum.mit.edu>
+
+commit 194d68dd051c2dd5ac2b522ae16100e774e8d869 upstream.
+
+G92's seem to require some additional bit of initialization before the
+BSP engine can work. It feels like clocks are not set up for the
+underlying VLD engine, which means that all commands submitted to the
+xtensa chip end up hanging. VP seems to work fine though.
+
+This still allows people to force-enable the bsp engine if they want to
+play around with it, but makes it harder for the card to hang by
+default.
+
+Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c
++++ b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c
+@@ -40,5 +40,5 @@ int
+ g84_bsp_new(struct nvkm_device *device, int index, struct nvkm_engine **pengine)
+ {
+       return nvkm_xtensa_new_(&g84_bsp, device, index,
+-                              true, 0x103000, pengine);
++                              device->chipset != 0x92, 0x103000, pengine);
+ }

diff --git a/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch b/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch
new file mode 100644 (file)
index 0000000..98b03f9
--- /dev/null
+++ b/queue-4.4/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch
@@ -0,0 +1,33 @@
+From 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs <bskeggs@redhat.com>
+Date: Mon, 25 Sep 2017 15:05:38 +1000
+Subject: drm/nouveau/mmu: flush tlbs before deleting page tables
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+commit 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 upstream.
+
+Even though we've zeroed the PDE, the GPU may have cached the PD, so we
+need to flush when deleting them.
+
+Noticed while working on replacement MMU code, but a backport might be a
+good idea, so let's fix it in the current code too.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c
++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c
+@@ -240,6 +240,8 @@ nvkm_vm_unmap_pgt(struct nvkm_vm *vm, in
+                       mmu->func->map_pgt(vpgd->obj, pde, vpgt->mem);
+               }
+ 
++              mmu->func->flush(vm);
++
+               nvkm_memory_del(&pgt);
+       }
+ }

diff --git a/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch b/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch
new file mode 100644 (file)
index 0000000..69c4df3
--- /dev/null
+++ b/queue-4.4/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch
@@ -0,0 +1,58 @@
+From c6ebcedbab7ca78984959386012a17b21183e1a3 Mon Sep 17 00:00:00 2001
+From: Pontus Andersson <epontan@gmail.com>
+Date: Mon, 2 Oct 2017 14:45:19 +0200
+Subject: i2c: ismt: Separate I2C block read from SMBus block read
+
+From: Pontus Andersson <epontan@gmail.com>
+
+commit c6ebcedbab7ca78984959386012a17b21183e1a3 upstream.
+
+Commit b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for
+block reads") broke I2C block reads. It aimed to fix normal SMBus block
+read, but changed the correct behavior of I2C block read in the process.
+
+According to Documentation/i2c/smbus-protocol, one vital difference
+between normal SMBus block read and I2C block read is that there is no
+byte count prefixed in the data sent on the wire:
+
+ SMBus Block Read:  i2c_smbus_read_block_data()
+ S Addr Wr [A] Comm [A]
+            S Addr Rd [A] [Count] A [Data] A [Data] A ... A [Data] NA P
+
+ I2C Block Read:  i2c_smbus_read_i2c_block_data()
+ S Addr Wr [A] Comm [A]
+            S Addr Rd [A] [Data] A [Data] A ... A [Data] NA P
+
+Therefore the two transaction types need to be processed differently in
+the driver by copying of the dma_buffer as done previously for the
+I2C_SMBUS_I2C_BLOCK_DATA case.
+
+Fixes: b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads")
+Signed-off-by: Pontus Andersson <epontan@gmail.com>
+Tested-by: Stephen Douthit <stephend@adiengineering.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-ismt.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-ismt.c
++++ b/drivers/i2c/busses/i2c-ismt.c
+@@ -338,12 +338,15 @@ static int ismt_process_desc(const struc
+                       data->word = dma_buffer[0] | (dma_buffer[1] << 8);
+                       break;
+               case I2C_SMBUS_BLOCK_DATA:
+-              case I2C_SMBUS_I2C_BLOCK_DATA:
+                       if (desc->rxbytes != dma_buffer[0] + 1)
+                               return -EMSGSIZE;
+ 
+                       memcpy(data->block, dma_buffer, desc->rxbytes);
+                       break;
++              case I2C_SMBUS_I2C_BLOCK_DATA:
++                      memcpy(&data->block[1], dma_buffer, desc->rxbytes);
++                      data->block[0] = desc->rxbytes;
++                      break;
+               }
+               return 0;
+       }

diff --git a/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch b/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch
new file mode 100644 (file)
index 0000000..fded2f7
--- /dev/null
+++ b/queue-4.4/keys-don-t-let-add_key-update-an-uninstantiated-key.patch
@@ -0,0 +1,120 @@
+From 60ff5b2f547af3828aebafd54daded44cfb0807a Mon Sep 17 00:00:00 2001
+From: David Howells <dhowells@redhat.com>
+Date: Thu, 12 Oct 2017 16:00:41 +0100
+Subject: KEYS: don't let add_key() update an uninstantiated key
+
+From: David Howells <dhowells@redhat.com>
+
+commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream.
+
+Currently, when passed a key that already exists, add_key() will call the
+key's ->update() method if such exists.  But this is heavily broken in the
+case where the key is uninstantiated because it doesn't call
+__key_instantiate_and_link().  Consequently, it doesn't do most of the
+things that are supposed to happen when the key is instantiated, such as
+setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and
+awakening tasks waiting on it, and incrementing key->user->nikeys.
+
+It also never takes key_construction_mutex, which means that
+->instantiate() can run concurrently with ->update() on the same key.  In
+the case of the "user" and "logon" key types this causes a memory leak, at
+best.  Maybe even worse, the ->update() methods of the "encrypted" and
+"trusted" key types actually just dereference a NULL pointer when passed an
+uninstantiated key.
+
+Change key_create_or_update() to wait interruptibly for the key to finish
+construction before continuing.
+
+This patch only affects *uninstantiated* keys.  For now we still allow a
+negatively instantiated key to be updated (thereby positively
+instantiating it), although that's broken too (the next patch fixes it)
+and I'm not sure that anyone actually uses that functionality either.
+
+Here is a simple reproducer for the bug using the "encrypted" key type
+(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug
+pertained to more than just the "encrypted" key type:
+
+    #include <stdlib.h>
+    #include <unistd.h>
+    #include <keyutils.h>
+
+    int main(void)
+    {
+        int ringid = keyctl_join_session_keyring(NULL);
+
+        if (fork()) {
+            for (;;) {
+                const char payload[] = "update user:foo 32";
+
+                usleep(rand() % 10000);
+                add_key("encrypted", "desc", payload, sizeof(payload), ringid);
+                keyctl_clear(ringid);
+            }
+        } else {
+            for (;;)
+                request_key("encrypted", "desc", "callout_info", ringid);
+        }
+    }
+
+It causes:
+
+    BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
+    IP: encrypted_update+0xb0/0x170
+    PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0
+    PREEMPT SMP
+    CPU: 0 PID: 340 Comm: reproduce Tainted: G      D         4.14.0-rc1-00025-g428490e38b2e #796
+    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+    task: ffff8a467a39a340 task.stack: ffffb15c40770000
+    RIP: 0010:encrypted_update+0xb0/0x170
+    RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246
+    RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000
+    RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303
+    RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17
+    R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000
+    R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f
+    FS:  00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000
+    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+    CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0
+    Call Trace:
+     key_create_or_update+0x2bc/0x460
+     SyS_add_key+0x10c/0x1d0
+     entry_SYSCALL_64_fastpath+0x1f/0xbe
+    RIP: 0033:0x7f5d7f211259
+    RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8
+    RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259
+    RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04
+    RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004
+    R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868
+    R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000
+    Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b
+    RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8
+    CR2: 0000000000000018
+
+Reported-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+cc: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/keys/key.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/security/keys/key.c
++++ b/security/keys/key.c
+@@ -907,6 +907,16 @@ error:
+        */
+       __key_link_end(keyring, &index_key, edit);
+ 
++      key = key_ref_to_ptr(key_ref);
++      if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) {
++              ret = wait_for_key_construction(key, true);
++              if (ret < 0) {
++                      key_ref_put(key_ref);
++                      key_ref = ERR_PTR(ret);
++                      goto error_free_prep;
++              }
++      }
++
+       key_ref = __key_update(key_ref, &prep);
+       goto error_free_prep;
+ }

diff --git a/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch b/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch
new file mode 100644 (file)
index 0000000..4932d08
--- /dev/null
+++ b/queue-4.4/keys-encrypted-fix-dereference-of-null-user_key_payload.patch
@@ -0,0 +1,51 @@
+From 13923d0865ca96312197962522e88bc0aedccd74 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:37:49 -0700
+Subject: KEYS: encrypted: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 13923d0865ca96312197962522e88bc0aedccd74 upstream.
+
+A key of type "encrypted" references a "master key" which is used to
+encrypt and decrypt the encrypted key's payload.  However, when we
+accessed the master key's payload, we failed to handle the case where
+the master key has been revoked, which sets the payload pointer to NULL.
+Note that request_key() *does* skip revoked keys, but there is still a
+window where the key can be revoked before we acquire its semaphore.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+This was an issue for master keys of type "user" only.  Master keys can
+also be of type "trusted", but those cannot be revoked.
+
+Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Cc: David Safford <safford@us.ibm.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+
+---
+ security/keys/encrypted-keys/encrypted.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/security/keys/encrypted-keys/encrypted.c
++++ b/security/keys/encrypted-keys/encrypted.c
+@@ -315,6 +315,13 @@ static struct key *request_user_key(cons
+ 
+       down_read(&ukey->sem);
+       upayload = user_key_payload(ukey);
++      if (!upayload) {
++              /* key was revoked before we acquired its semaphore */
++              up_read(&ukey->sem);
++              key_put(ukey);
++              ukey = ERR_PTR(-EKEYREVOKED);
++              goto error;
++      }
+       *master_key = upayload->data;
+       *master_keylen = upayload->datalen;
+ error:

diff --git a/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch b/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch
new file mode 100644 (file)
index 0000000..ebbb13d
--- /dev/null
+++ b/queue-4.4/lib-digsig-fix-dereference-of-null-user_key_payload.patch
@@ -0,0 +1,43 @@
+From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:43:20 -0700
+Subject: lib/digsig: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream.
+
+digsig_verify() requests a user key, then accesses its payload.
+However, a revoked key has a NULL payload, and we failed to check for
+this.  request_key() *does* skip revoked keys, but there is still a
+window where the key can be revoked before we acquire its semaphore.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+Fixes: 051dbb918c7f ("crypto: digital signature verification support")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/digsig.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/lib/digsig.c
++++ b/lib/digsig.c
+@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key
+       down_read(&key->sem);
+       ukp = user_key_payload(key);
+ 
++      if (!ukp) {
++              /* key was revoked before we acquired its semaphore */
++              err = -EKEYREVOKED;
++              goto err1;
++      }
++
+       if (ukp->datalen < sizeof(*pkh))
+               goto err1;
+ 

diff --git a/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch b/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch
new file mode 100644 (file)
index 0000000..d53e3d3
--- /dev/null
+++ b/queue-4.4/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch
@@ -0,0 +1,34 @@
+From 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a Mon Sep 17 00:00:00 2001
+From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Date: Sun, 8 Oct 2017 20:02:32 +0200
+Subject: pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
+
+From: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+
+commit 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a upstream.
+
+The ASN.1 parser does not necessarily set the sinfo field,
+this patch prevents a NULL pointer dereference on broken
+input.
+
+Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes and content type")
+Signed-off-by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/pkcs7_parser.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/crypto/asymmetric_keys/pkcs7_parser.c
++++ b/crypto/asymmetric_keys/pkcs7_parser.c
+@@ -90,6 +90,9 @@ static int pkcs7_check_authattrs(struct
+       bool want;
+ 
+       sinfo = msg->signed_infos;
++      if (!sinfo)
++              goto inconsistent;
++
+       if (sinfo->authattrs) {
+               want = true;
+               msg->have_authattrs = true;

diff --git a/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch b/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch
new file mode 100644 (file)
index 0000000..6fc03d4
--- /dev/null
+++ b/queue-4.4/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch
@@ -0,0 +1,36 @@
+From b8b8b16352cd90c6083033fd4487f04fae935c18 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Wed, 20 Sep 2017 16:15:05 -0500
+Subject: rtlwifi: rtl8821ae: Fix connection lost problem
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit b8b8b16352cd90c6083033fd4487f04fae935c18 upstream.
+
+In commit 40b368af4b75 ("rtlwifi: Fix alignment issues"), the read
+of REG_DBI_READ was changed from 16 to 8 bits. For unknown reasonsi
+this change results in reduced stability for the wireless connection.
+This regression was located using bisection.
+
+Fixes: 40b368af4b75 ("rtlwifi: Fix alignment issues")
+Reported-and-tested-by: James Cameron <quozl@laptop.org>
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ping-Ke Shih <pkshih@realtek.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c
+@@ -1127,7 +1127,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl
+       }
+       if (0 == tmp) {
+               read_addr = REG_DBI_RDATA + addr % 4;
+-              ret = rtl_read_byte(rtlpriv, read_addr);
++              ret = rtl_read_word(rtlpriv, read_addr);
+       }
+       return ret;
+ }

diff --git a/queue-4.4/series b/queue-4.4/series
index b7641e7da585c096e90627b7dcc457db6dee79da..379c01578a11e4d0a8802748465318c7d2b9fcd8 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -9,3 +9,16 @@ can-gs_usb-fix-busy-loop-if-no-more-tx-context-is-available.patch
 usb-musb-sunxi-explicitly-release-usb-phy-on-exit.patch
 usb-musb-check-for-host-mode-using-is_host_active-on-reset-interrupt.patch
 can-esd_usb2-fix-can_dlc-value-for-received-rtr-frames.patch
+drm-nouveau-bsp-g92-disable-by-default.patch
+drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch
+alsa-seq-enable-use-locking-in-all-configurations.patch
+alsa-hda-remove-superfluous-added-by-printk-conversion.patch
+i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch
+brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch
+bus-mbus-fix-window-size-calculation-for-4gb-windows.patch
+clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch
+rtlwifi-rtl8821ae-fix-connection-lost-problem.patch
+keys-encrypted-fix-dereference-of-null-user_key_payload.patch
+lib-digsig-fix-dereference-of-null-user_key_payload.patch
+keys-don-t-let-add_key-update-an-uninstantiated-key.patch
+pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch