From: Greg Kroah-Hartman
Date: Fri, 8 Mar 2019 11:19:12 +0000 (+0100)
Subject: 5.0-stable patches
X-Git-Tag: v5.0.1~6
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=119168f18838c98414eee7535de727eed48ffabe;p=thirdparty%2Fkernel%2Fstable-queue.git

5.0-stable patches

added patches:
aio-fix-locking-in-aio_poll.patch
alpha-wire-up-io_pgetevents-system-call.patch
applicom-fix-potential-spectre-v1-vulnerabilities.patch
bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
selftests-firmware-fix-verify_reqs-return-value.patch
tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
usb-serial-cp210x-fix-gpio-in-autosuspend.patch
usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
xhci-tegra-prevent-error-pointer-dereference.patch
xtensa-fix-get_wchan.patch
---

diff --git a/queue-5.0/aio-fix-locking-in-aio_poll.patch b/queue-5.0/aio-fix-locking-in-aio_poll.patch
new file mode 100644
index 00000000000..56d475fb7bf
--- /dev/null
+++ b/queue-5.0/aio-fix-locking-in-aio_poll.patch
@@ -0,0 +1,314 @@
+From d3d6a18d7d351cbcc9b33dbedf710e65f8ce1595 Mon Sep 17 00:00:00 2001
+From: Bart Van Assche
+Date: Fri, 8 Feb 2019 16:59:49 -0800
+Subject: aio: Fix locking in aio_poll()
+
+From: Bart Van Assche
+
+commit d3d6a18d7d351cbcc9b33dbedf710e65f8ce1595 upstream.
+
+wake_up_locked() may but does not have to be called with interrupts
+disabled. Since the fuse filesystem calls wake_up_locked() without
+disabling interrupts aio_poll_wake() may be called with interrupts
+enabled. Since the kioctx.ctx_lock may be acquired from IRQ context,
+all code that acquires that lock from thread context must disable
+interrupts. Hence change the spin_trylock() call in aio_poll_wake()
+into a spin_trylock_irqsave() call. This patch fixes the following
+lockdep complaint:
+
+=====================================================
+WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
+5.0.0-rc4-next-20190131 #23 Not tainted
+-----------------------------------------------------
+syz-executor2/13779 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
+0000000098ac1230 (&fiq->waitq){+.+.}, at: spin_lock include/linux/spinlock.h:329 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: aio_poll fs/aio.c:1772 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: __io_submit_one fs/aio.c:1875 [inline]
+0000000098ac1230 (&fiq->waitq){+.+.}, at: io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+
+and this task is already holding:
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1771 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1875 [inline]
+000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb6/0x1cf0 fs/aio.c:1908
+which would create a new lock dependency:
+ (&(&ctx->ctx_lock)->rlock){..-.} -> (&fiq->waitq){+.+.}
+
+but this new dependency connects a SOFTIRQ-irq-safe lock:
+ (&(&ctx->ctx_lock)->rlock){..-.}
+
+... which became SOFTIRQ-irq-safe at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+ _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+ spin_lock_irq include/linux/spinlock.h:354 [inline]
+ free_ioctx_users+0x2d/0x4a0 fs/aio.c:610
+ percpu_ref_put_many include/linux/percpu-refcount.h:285 [inline]
+ percpu_ref_put include/linux/percpu-refcount.h:301 [inline]
+ percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
+ percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 lib/percpu-refcount.c:158
+ __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2486 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2799 [inline]
+ rcu_core+0x928/0x1390 kernel/rcu/tree.c:2780
+ __do_softirq+0x266/0x95a kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:247
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+
+to a SOFTIRQ-irq-unsafe lock:
+ (&fiq->waitq){+.+.}
+
+... which became SOFTIRQ-irq-unsafe at:
+...
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+ fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+ fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+ fuse_send_init fs/fuse/inode.c:989 [inline]
+ fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+ mount_nodev+0x68/0x110 fs/super.c:1392
+ fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+ legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+ vfs_get_tree+0x123/0x450 fs/super.c:1481
+ do_new_mount fs/namespace.c:2610 [inline]
+ do_mount+0x1436/0x2c40 fs/namespace.c:2932
+ ksys_mount+0xdb/0x150 fs/namespace.c:3148
+ __do_sys_mount fs/namespace.c:3162 [inline]
+ __se_sys_mount fs/namespace.c:3159 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+other info that might help us debug this:
+
+ Possible interrupt unsafe locking scenario:
+
+ CPU0 CPU1
+ ---- ----
+ lock(&fiq->waitq);
+ local_irq_disable();
+ lock(&(&ctx->ctx_lock)->rlock);
+ lock(&fiq->waitq);
+
+ lock(&(&ctx->ctx_lock)->rlock);
+
+ *** DEADLOCK ***
+
+1 lock held by syz-executor2/13779:
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: spin_lock_irq include/linux/spinlock.h:354 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: aio_poll fs/aio.c:1771 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: __io_submit_one fs/aio.c:1875 [inline]
+ #0: 000000003c46111c (&(&ctx->ctx_lock)->rlock){..-.}, at: io_submit_one+0xeb6/0x1cf0 fs/aio.c:1908
+
+the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
+-> (&(&ctx->ctx_lock)->rlock){..-.} {
+ IN-SOFTIRQ-W at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+ _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+ spin_lock_irq include/linux/spinlock.h:354 [inline]
+ free_ioctx_users+0x2d/0x4a0 fs/aio.c:610
+ percpu_ref_put_many include/linux/percpu-refcount.h:285 [inline]
+ percpu_ref_put include/linux/percpu-refcount.h:301 [inline]
+ percpu_ref_call_confirm_rcu lib/percpu-refcount.c:123 [inline]
+ percpu_ref_switch_to_atomic_rcu+0x3e7/0x520 lib/percpu-refcount.c:158
+ __rcu_reclaim kernel/rcu/rcu.h:240 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2486 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2799 [inline]
+ rcu_core+0x928/0x1390 kernel/rcu/tree.c:2780
+ __do_softirq+0x266/0x95a kernel/softirq.c:292
+ run_ksoftirqd kernel/softirq.c:654 [inline]
+ run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
+ smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
+ kthread+0x357/0x430 kernel/kthread.c:247
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+ INITIAL USE at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock_irq include/linux/spinlock_api_smp.h:128 [inline]
+ _raw_spin_lock_irq+0x60/0x80 kernel/locking/spinlock.c:160
+ spin_lock_irq include/linux/spinlock.h:354 [inline]
+ __do_sys_io_cancel fs/aio.c:2052 [inline]
+ __se_sys_io_cancel fs/aio.c:2035 [inline]
+ __x64_sys_io_cancel+0xd5/0x5a0 fs/aio.c:2035
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ }
+ ... key at: [] __key.52370+0x0/0x40
+ ... acquired at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ aio_poll fs/aio.c:1772 [inline]
+ __io_submit_one fs/aio.c:1875 [inline]
+ io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+ __do_sys_io_submit fs/aio.c:1953 [inline]
+ __se_sys_io_submit fs/aio.c:1923 [inline]
+ __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+the dependencies between the lock to be acquired
+ and SOFTIRQ-irq-unsafe lock:
+-> (&fiq->waitq){+.+.} {
+ HARDIRQ-ON-W at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+ fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+ fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+ fuse_send_init fs/fuse/inode.c:989 [inline]
+ fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+ mount_nodev+0x68/0x110 fs/super.c:1392
+ fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+ legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+ vfs_get_tree+0x123/0x450 fs/super.c:1481
+ do_new_mount fs/namespace.c:2610 [inline]
+ do_mount+0x1436/0x2c40 fs/namespace.c:2932
+ ksys_mount+0xdb/0x150 fs/namespace.c:3148
+ __do_sys_mount fs/namespace.c:3162 [inline]
+ __se_sys_mount fs/namespace.c:3159 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ SOFTIRQ-ON-W at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+ fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+ fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+ fuse_send_init fs/fuse/inode.c:989 [inline]
+ fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+ mount_nodev+0x68/0x110 fs/super.c:1392
+ fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+ legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+ vfs_get_tree+0x123/0x450 fs/super.c:1481
+ do_new_mount fs/namespace.c:2610 [inline]
+ do_mount+0x1436/0x2c40 fs/namespace.c:2932
+ ksys_mount+0xdb/0x150 fs/namespace.c:3148
+ __do_sys_mount fs/namespace.c:3162 [inline]
+ __se_sys_mount fs/namespace.c:3159 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ INITIAL USE at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ flush_bg_queue+0x1f3/0x3c0 fs/fuse/dev.c:415
+ fuse_request_queue_background+0x2d1/0x580 fs/fuse/dev.c:676
+ fuse_request_send_background+0x58/0x120 fs/fuse/dev.c:687
+ fuse_send_init fs/fuse/inode.c:989 [inline]
+ fuse_fill_super+0x13bb/0x1730 fs/fuse/inode.c:1214
+ mount_nodev+0x68/0x110 fs/super.c:1392
+ fuse_mount+0x2d/0x40 fs/fuse/inode.c:1239
+ legacy_get_tree+0xf2/0x200 fs/fs_context.c:590
+ vfs_get_tree+0x123/0x450 fs/super.c:1481
+ do_new_mount fs/namespace.c:2610 [inline]
+ do_mount+0x1436/0x2c40 fs/namespace.c:2932
+ ksys_mount+0xdb/0x150 fs/namespace.c:3148
+ __do_sys_mount fs/namespace.c:3162 [inline]
+ __se_sys_mount fs/namespace.c:3159 [inline]
+ __x64_sys_mount+0xbe/0x150 fs/namespace.c:3159
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ }
+ ... key at: [] __key.43450+0x0/0x40
+ ... acquired at:
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ aio_poll fs/aio.c:1772 [inline]
+ __io_submit_one fs/aio.c:1875 [inline]
+ io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+ __do_sys_io_submit fs/aio.c:1953 [inline]
+ __se_sys_io_submit fs/aio.c:1923 [inline]
+ __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+stack backtrace:
+CPU: 0 PID: 13779 Comm: syz-executor2 Not tainted 5.0.0-rc4-next-20190131 #23
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x172/0x1f0 lib/dump_stack.c:113
+ print_bad_irq_dependency kernel/locking/lockdep.c:1573 [inline]
+ check_usage.cold+0x60f/0x940 kernel/locking/lockdep.c:1605
+ check_irq_usage kernel/locking/lockdep.c:1650 [inline]
+ check_prev_add_irq kernel/locking/lockdep_states.h:8 [inline]
+ check_prev_add kernel/locking/lockdep.c:1860 [inline]
+ check_prevs_add kernel/locking/lockdep.c:1968 [inline]
+ validate_chain kernel/locking/lockdep.c:2339 [inline]
+ __lock_acquire+0x1f12/0x4790 kernel/locking/lockdep.c:3320
+ lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3826
+ __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
+ _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:144
+ spin_lock include/linux/spinlock.h:329 [inline]
+ aio_poll fs/aio.c:1772 [inline]
+ __io_submit_one fs/aio.c:1875 [inline]
+ io_submit_one+0xedf/0x1cf0 fs/aio.c:1908
+ __do_sys_io_submit fs/aio.c:1953 [inline]
+ __se_sys_io_submit fs/aio.c:1923 [inline]
+ __x64_sys_io_submit+0x1bd/0x580 fs/aio.c:1923
+ do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+Reported-by: syzbot
+Cc: Christoph Hellwig
+Cc: Avi Kivity
+Cc: Miklos Szeredi
+Cc:
+Fixes: e8693bcfa0b4 ("aio: allow direct aio poll comletions for keyed wakeups") # v4.19
+Signed-off-by: Miklos Szeredi
+[ bvanassche: added a comment ]
+Reluctantly-Acked-by: Christoph Hellwig
+Signed-off-by: Bart Van Assche
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/aio.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -1680,6 +1680,7 @@ static int aio_poll_wake(struct wait_que
+ struct poll_iocb *req = container_of(wait, struct poll_iocb, wait);
+ struct aio_kiocb *iocb = container_of(req, struct aio_kiocb, poll);
+ __poll_t mask = key_to_poll(key);
++ unsigned long flags;
+
+ req->woken = true;
+
+@@ -1688,10 +1689,15 @@ static int aio_poll_wake(struct wait_que
+ if (!(mask & req->events))
+ return 0;
+
+- /* try to complete the iocb inline if we can: */
+- if (spin_trylock(&iocb->ki_ctx->ctx_lock)) {
++ /*
++ * Try to complete the iocb inline if we can. Use
++ * irqsave/irqrestore because not all filesystems (e.g. fuse)
++ * call this function with IRQs disabled and because IRQs
++ * have to be disabled before ctx_lock is obtained.
++ */
++ if (spin_trylock_irqsave(&iocb->ki_ctx->ctx_lock, flags)) {
+ list_del(&iocb->ki_list);
+- spin_unlock(&iocb->ki_ctx->ctx_lock);
++ spin_unlock_irqrestore(&iocb->ki_ctx->ctx_lock, flags);
+
+ list_del_init(&req->wait.entry);
+ aio_poll_complete(iocb, mask);
diff --git a/queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch b/queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch
new file mode 100644
index 00000000000..a717aa6f4a8
--- /dev/null
+++ b/queue-5.0/alpha-wire-up-io_pgetevents-system-call.patch
@@ -0,0 +1,31 @@
+From d012d1325ba523b8ef3e55ba79c943e220154fdc Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Thu, 3 Jan 2019 22:10:26 +0100
+Subject: alpha: wire up io_pgetevents system call
+
+From: Arnd Bergmann
+
+commit d012d1325ba523b8ef3e55ba79c943e220154fdc upstream.
+
+The io_pgetevents system call was added in linux-4.18 but has
+no entry for alpha:
+
+warning: #warning syscall io_pgetevents not implemented [-Wcpp]
+
+Assign a the next system call number here.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/alpha/kernel/syscalls/syscall.tbl | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/alpha/kernel/syscalls/syscall.tbl
++++ b/arch/alpha/kernel/syscalls/syscall.tbl
+@@ -451,3 +451,4 @@
+ 520 common preadv2 sys_preadv2
+ 521 common pwritev2 sys_pwritev2
+ 522 common statx sys_statx
++523 common io_pgetevents sys_io_pgetevents
diff --git a/queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch b/queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch
new file mode 100644
index 00000000000..6da30761c71
--- /dev/null
+++ b/queue-5.0/applicom-fix-potential-spectre-v1-vulnerabilities.patch
@@ -0,0 +1,104 @@
+From d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 9 Jan 2019 16:05:10 -0600
+Subject: applicom: Fix potential Spectre v1 vulnerabilities
+
+From: Gustavo A. R. Silva
+
+commit d7ac3c6ef5d8ce14b6381d52eb7adafdd6c8bb3c upstream.
+
+IndexCard is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
+drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)
+
+Fix this by sanitizing IndexCard before using it to index apbs.
+
+Notice that given that speculation windows are large, the policy is
+to kill the speculation on the first load and not worry if it can be
+completed with a dependent load/store [1].
+
+[1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/applicom.c | 35 ++++++++++++++++++++++++-----------
+ 1 file changed, 24 insertions(+), 11 deletions(-)
+
+--- a/drivers/char/applicom.c
++++ b/drivers/char/applicom.c
+@@ -32,6 +32,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -386,7 +387,11 @@ static ssize_t ac_write(struct file *fil
+ TicCard = st_loc.tic_des_from_pc; /* tic number to send */
+ IndexCard = NumCard - 1;
+
+- if((NumCard < 1) || (NumCard > MAX_BOARD) || !apbs[IndexCard].RamIO)
++ if (IndexCard >= MAX_BOARD)
++ return -EINVAL;
++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
++
++ if (!apbs[IndexCard].RamIO)
+ return -EINVAL;
+
+ #ifdef DEBUG
+@@ -697,6 +702,7 @@ static long ac_ioctl(struct file *file,
+ unsigned char IndexCard;
+ void __iomem *pmem;
+ int ret = 0;
++ static int warncount = 10;
+ volatile unsigned char byte_reset_it;
+ struct st_ram_io *adgl;
+ void __user *argp = (void __user *)arg;
+@@ -711,16 +717,12 @@ static long ac_ioctl(struct file *file,
+ mutex_lock(&ac_mutex);
+ IndexCard = adgl->num_card-1;
+
+- if(cmd != 6 && ((IndexCard >= MAX_BOARD) || !apbs[IndexCard].RamIO)) {
+- static int warncount = 10;
+- if (warncount) {
+- printk( KERN_WARNING "APPLICOM driver IOCTL, bad board number %d\n",(int)IndexCard+1);
+- warncount--;
+- }
+- kfree(adgl);
+- mutex_unlock(&ac_mutex);
+- return -EINVAL;
+- }
++ if (cmd != 6 && IndexCard >= MAX_BOARD)
++ goto err;
++ IndexCard = array_index_nospec(IndexCard, MAX_BOARD);
++
++ if (cmd != 6 && !apbs[IndexCard].RamIO)
++ goto err;
+
+ switch (cmd) {
+
+@@ -838,5 +840,16 @@ static long ac_ioctl(struct file *file,
+ kfree(adgl);
+ mutex_unlock(&ac_mutex);
+ return 0;
++
++err:
++ if (warncount) {
++ pr_warn("APPLICOM driver IOCTL, bad board number %d\n",
++ (int)IndexCard + 1);
++ warncount--;
++ }
++ kfree(adgl);
++ mutex_unlock(&ac_mutex);
++ return -EINVAL;
++
+ }
+
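Review bot: In the ac_write() hunk of the queued applicom patch, the explicit `NumCard < 1` test is dropped and `if (IndexCard >= MAX_BOARD)` only rejects NumCard == 0 if IndexCard is an unsigned type that wraps after `IndexCard = NumCard - 1`. ac_ioctl() visibly declares `unsigned char IndexCard`, but the declaration used by ac_write() is outside the hunk, so this should be confirmed before relying on it as the only bounds check ahead of `apbs[IndexCard]`. A short comment above the check would make the dependency explicit, for example `/* IndexCard is unsigned: NumCard == 0 wraps and is rejected here */`. In ac_ioctl(), `array_index_nospec()` also runs when `cmd == 6` bypasses the range check, which clamps an out-of-range index to 0; that looks intentional but deserves a one-line comment, since whether the `cmd == 6` path touches `apbs[]` is not visible here.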
diff --git a/queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch b/queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
new file mode 100644
index 00000000000..1e5af8d442a
--- /dev/null
+++ b/queue-5.0/bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
@@ -0,0 +1,58 @@
+From 00df214b1faae520880cc5c57e206f21239ef741 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Sun, 27 Jan 2019 16:33:59 +0800
+Subject: Bluetooth: btrtl: Restore old logic to assume firmware is already loaded
+
+From: Kai-Heng Feng
+
+commit 00df214b1faae520880cc5c57e206f21239ef741 upstream.
+
+Realtek bluetooth may not work after reboot:
+[ 12.446130] Bluetooth: hci0: RTL: rtl: unknown IC info, lmp subver a99e, hci rev 826c, hci ver 0008
+
+This is a regression introduced by commit 26503ad25de8 ("Bluetooth:
+btrtl: split the device initialization into smaller parts"). The new
+logic errors out early when no matching IC info can be found, in this
+case it means the firmware is already loaded.
+
+So let's assume the firmware is already loaded when we can't find
+matching IC info, like the old logic did.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201921
+Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bluetooth/btrtl.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -552,10 +552,9 @@ struct btrtl_device_info *btrtl_initiali
+ hdev->bus);
+
+ if (!btrtl_dev->ic_info) {
+- rtl_dev_err(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
++ rtl_dev_info(hdev, "rtl: unknown IC info, lmp subver %04x, hci rev %04x, hci ver %04x",
+ lmp_subver, hci_rev, hci_ver);
+- ret = -EINVAL;
+- goto err_free;
++ return btrtl_dev;
+ }
+
+ if (btrtl_dev->ic_info->has_rom_version) {
+@@ -610,6 +609,11 @@ int btrtl_download_firmware(struct hci_d
+ * standard btusb. Once that firmware is uploaded, the subver changes
+ * to a different value.
+ */
++ if (!btrtl_dev->ic_info) {
++ rtl_dev_info(hdev, "rtl: assuming no firmware upload needed\n");
++ return 0;
++ }
++
+ switch (btrtl_dev->ic_info->lmp_subver) {
+ case RTL_ROM_LMP_8723A:
+ case RTL_ROM_LMP_3499:
diff --git a/queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch b/queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
new file mode 100644
index 00000000000..624a111861f
--- /dev/null
+++ b/queue-5.0/bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
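Review bot: btrtl_initialize() now returns a btrtl_dev whose `ic_info` is NULL, but the only NULL guard added in this patch is the one in btrtl_download_firmware(); any other reader of `btrtl_dev->ic_info` outside these two hunks would dereference NULL on exactly the devices this change is meant to rescue, so those call sites should be checked. A comment at the early `return btrtl_dev;` would record the contract, for example `/* ic_info stays NULL: firmware assumed loaded, callers must check */`. As a style point, the new `rtl_dev_info(hdev, "rtl: assuming no firmware upload needed\n");` ends its format string with `\n` while the other rtl_dev_info() call in the patch does not; the two should agree. Both functions continue outside the hunks.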
@@ -0,0 +1,131 @@
+From c4f5627f7eeecde1bb6b646d8c0907b96dc2b2a6 Mon Sep 17 00:00:00 2001
+From: Matthias Kaehlcke
+Date: Wed, 2 Jan 2019 16:11:20 -0800
+Subject: Bluetooth: Fix locking in bt_accept_enqueue() for BH context
+
+From: Matthias Kaehlcke
+
+commit c4f5627f7eeecde1bb6b646d8c0907b96dc2b2a6 upstream.
+
+With commit e16337622016 ("Bluetooth: Handle bt_accept_enqueue() socket
+atomically") lock_sock[_nested]() is used to acquire the socket lock
+before manipulating the socket. lock_sock[_nested]() may block, which
+is problematic since bt_accept_enqueue() can be called in bottom half
+context (e.g. from rfcomm_connect_ind()):
+
+[] __might_sleep+0x4c/0x80
+[] lock_sock_nested+0x24/0x58
+[] bt_accept_enqueue+0x48/0xd4 [bluetooth]
+[] rfcomm_connect_ind+0x190/0x218 [rfcomm]
+
+Add a parameter to bt_accept_enqueue() to indicate whether the
+function is called from BH context, and acquire the socket lock
+with bh_lock_sock_nested() if that's the case.
+
+Also adapt all callers of bt_accept_enqueue() to pass the new
+parameter:
+
+- l2cap_sock_new_connection_cb()
+ - uses lock_sock() to lock the parent socket => process context
+
+- rfcomm_connect_ind()
+ - acquires the parent socket lock with bh_lock_sock() => BH
+ context
+
+- __sco_chan_add()
+ - called from sco_chan_add(), which is called from sco_connect().
+ parent is NULL, hence bt_accept_enqueue() isn't called in this
+ code path and we can ignore it
+ - also called from sco_conn_ready(). uses bh_lock_sock() to acquire
+ the parent lock => BH context
+
+Fixes: e16337622016 ("Bluetooth: Handle bt_accept_enqueue() socket atomically")
+Signed-off-by: Matthias Kaehlcke
+Reviewed-by: Douglas Anderson
+Signed-off-by: Marcel Holtmann
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/bluetooth/bluetooth.h | 2 +-
+ net/bluetooth/af_bluetooth.c | 16 +++++++++++++---
+ net/bluetooth/l2cap_sock.c | 2 +-
+ net/bluetooth/rfcomm/sock.c | 2 +-
+ net/bluetooth/sco.c | 2 +-
+ 5 files changed, 17 insertions(+), 7 deletions(-)
+
+--- a/include/net/bluetooth/bluetooth.h
++++ b/include/net/bluetooth/bluetooth.h
+@@ -276,7 +276,7 @@ int bt_sock_ioctl(struct socket *sock,
+ int bt_sock_wait_state(struct sock *sk, int state, unsigned long timeo);
+ int bt_sock_wait_ready(struct sock *sk, unsigned long flags);
+
+-void bt_accept_enqueue(struct sock *parent, struct sock *sk);
++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh);
+ void bt_accept_unlink(struct sock *sk);
+ struct sock *bt_accept_dequeue(struct sock *parent, struct socket *newsock);
+
+--- a/net/bluetooth/af_bluetooth.c
++++ b/net/bluetooth/af_bluetooth.c
+@@ -154,15 +154,25 @@ void bt_sock_unlink(struct bt_sock_list
+ }
+ EXPORT_SYMBOL(bt_sock_unlink);
+
+-void bt_accept_enqueue(struct sock *parent, struct sock *sk)
++void bt_accept_enqueue(struct sock *parent, struct sock *sk, bool bh)
+ {
+ BT_DBG("parent %p, sk %p", parent, sk);
+
+ sock_hold(sk);
+- lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
++
++ if (bh)
++ bh_lock_sock_nested(sk);
++ else
++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING);
++
+ list_add_tail(&bt_sk(sk)->accept_q, &bt_sk(parent)->accept_q);
+ bt_sk(sk)->parent = parent;
+- release_sock(sk);
++
++ if (bh)
++ bh_unlock_sock(sk);
++ else
++ release_sock(sk);
++
+ parent->sk_ack_backlog++;
+ }
+ EXPORT_SYMBOL(bt_accept_enqueue);
+--- a/net/bluetooth/l2cap_sock.c
++++ b/net/bluetooth/l2cap_sock.c
+@@ -1252,7 +1252,7 @@ static struct l2cap_chan *l2cap_sock_new
+
+ l2cap_sock_init(sk, parent);
+
+- bt_accept_enqueue(parent, sk);
++ bt_accept_enqueue(parent, sk, false);
+
+ release_sock(parent);
+
+--- a/net/bluetooth/rfcomm/sock.c
++++ b/net/bluetooth/rfcomm/sock.c
+@@ -988,7 +988,7 @@ int rfcomm_connect_ind(struct rfcomm_ses
+ rfcomm_pi(sk)->channel = channel;
+
+ sk->sk_state = BT_CONFIG;
+- bt_accept_enqueue(parent, sk);
++ bt_accept_enqueue(parent, sk, true);
+
+ /* Accept connection and return socket DLC */
+ *d = rfcomm_pi(sk)->dlc;
+--- a/net/bluetooth/sco.c
++++ b/net/bluetooth/sco.c
+@@ -193,7 +193,7 @@ static void __sco_chan_add(struct sco_co
+ conn->sk = sk;
+
+ if (parent)
+- bt_accept_enqueue(parent, sk);
++ bt_accept_enqueue(parent, sk, true);
+ }
+
+ static int sco_chan_add(struct sco_conn *conn, struct sock *sk,
diff --git a/queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch b/queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
new file mode 100644
index 00000000000..1cbbb9b2572
--- /dev/null
+++ b/queue-5.0/gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
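Review bot: The new `bool bh` parameter of bt_accept_enqueue() is undocumented at its definition in net/bluetooth/af_bluetooth.c, and the rule for choosing it lives only in the commit message; a wrong value either sleeps in bottom-half context or takes the wrong lock flavour on `sk`. A comment above the function would keep future callers honest, for example `/* @bh: true when the caller runs in BH context (parent locked with bh_lock_sock()), false in process context (parent locked with lock_sock()) */`. The same comment could state that `parent->sk_ack_backlog++` and the `accept_q` list update rely on the caller already holding the parent lock, which is what the three call sites in this patch appear to do but is not enforced here.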
@@ -0,0 +1,96 @@
+From 82f844c22588bf47132c82faeda50b6db473162c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 22 Jan 2019 18:22:53 +0100
+Subject: gnss: sirf: fix premature wakeup interrupt enable
+
+From: Johan Hovold
+
+commit 82f844c22588bf47132c82faeda50b6db473162c upstream.
+
+Make sure the receiver is powered (and booted) before enabling the
+wakeup interrupt to avoid spurious interrupts due to a floating input.
+
+Similarly, disable the interrupt before powering off on probe errors and
+on unbind.
+
+Fixes: d2efbbd18b1e ("gnss: add driver for sirfstar-based receivers")
+Cc: stable # 4.19
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gnss/sirf.c | 32 +++++++++++++++++---------------
+ 1 file changed, 17 insertions(+), 15 deletions(-)
+
+--- a/drivers/gnss/sirf.c
++++ b/drivers/gnss/sirf.c
+@@ -310,30 +310,26 @@ static int sirf_probe(struct serdev_devi
+ ret = -ENODEV;
+ goto err_put_device;
+ }
++
++ ret = regulator_enable(data->vcc);
++ if (ret)
++ goto err_put_device;
++
++ /* Wait for chip to boot into hibernate mode. */
++ msleep(SIRF_BOOT_DELAY);
+ }
+
+ if (data->wakeup) {
+ ret = gpiod_to_irq(data->wakeup);
+ if (ret < 0)
+- goto err_put_device;
+-
++ goto err_disable_vcc;
+ data->irq = ret;
+
+- ret = devm_request_threaded_irq(dev, data->irq, NULL,
+- sirf_wakeup_handler,
++ ret = request_threaded_irq(data->irq, NULL, sirf_wakeup_handler,
+ IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | IRQF_ONESHOT,
+ "wakeup", data);
+ if (ret)
+- goto err_put_device;
+- }
+-
+- if (data->on_off) {
+- ret = regulator_enable(data->vcc);
+- if (ret)
+- goto err_put_device;
+-
+- /* Wait for chip to boot into hibernate mode */
+- msleep(SIRF_BOOT_DELAY);
++ goto err_disable_vcc;
+ }
+
+ if (IS_ENABLED(CONFIG_PM)) {
+@@ -342,7 +338,7 @@ static int sirf_probe(struct serdev_devi
+ } else {
+ ret = sirf_runtime_resume(dev);
+ if (ret < 0)
+- goto err_disable_vcc;
++ goto err_free_irq;
+ }
+
+ ret = gnss_register_device(gdev);
+@@ -356,6 +352,9 @@ err_disable_rpm:
+ pm_runtime_disable(dev);
+ else
+ sirf_runtime_suspend(dev);
++err_free_irq:
++ if (data->wakeup)
++ free_irq(data->irq, data);
+ err_disable_vcc:
+ if (data->on_off)
+ regulator_disable(data->vcc);
+@@ -376,6 +375,9 @@ static void sirf_remove(struct serdev_de
+ else
+ sirf_runtime_suspend(&serdev->dev);
+
++ if (data->wakeup)
++ free_irq(data->irq, data);
++
+ if (data->on_off)
+ regulator_disable(data->vcc);
+
diff --git a/queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch b/queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
new file mode 100644
index 00000000000..5a9e90a0b23
--- /dev/null
+++ b/queue-5.0/mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
@@ -0,0 +1,44 @@
+From 72faa7a773ca59336f3c889e878de81445c5a85c Mon Sep 17 00:00:00 2001
+From: Liu Xiang
+Date: Sat, 16 Feb 2019 17:12:24 +0800
+Subject: MIPS: irq: Allocate accurate order pages for irq stack
+
+From: Liu Xiang
+
+commit 72faa7a773ca59336f3c889e878de81445c5a85c upstream.
+
+The irq_pages is the number of pages for irq stack, but not the
+order which is needed by __get_free_pages().
+We can use get_order() to calculate the accurate order.
+
+Signed-off-by: Liu Xiang
+Signed-off-by: Paul Burton
+Fixes: fe8bd18ffea5 ("MIPS: Introduce irq_stack")
+Cc: linux-mips@vger.kernel.org
+Cc: stable@vger.kernel.org # v4.11+
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/irq.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/irq.c
++++ b/arch/mips/kernel/irq.c
+@@ -52,6 +52,7 @@ asmlinkage void spurious_interrupt(void)
+ void __init init_IRQ(void)
+ {
+ int i;
++ unsigned int order = get_order(IRQ_STACK_SIZE);
+
+ for (i = 0; i < NR_IRQS; i++)
+ irq_set_noprobe(i);
+@@ -62,8 +63,7 @@ void __init init_IRQ(void)
+ arch_init_irq();
+
+ for_each_possible_cpu(i) {
+- int irq_pages = IRQ_STACK_SIZE / PAGE_SIZE;
+- void *s = (void *)__get_free_pages(GFP_KERNEL, irq_pages);
++ void *s = (void *)__get_free_pages(GFP_KERNEL, order);
+
+ irq_stack[i] = s;
+ pr_debug("CPU%d IRQ stack at 0x%p - 0x%p\n", i,
diff --git a/queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch b/queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
new file mode 100644
index 00000000000..82e6d5b3f3c
--- /dev/null
+++ b/queue-5.0/revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
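Review bot: The result of `__get_free_pages(GFP_KERNEL, order)` in the `for_each_possible_cpu` loop of init_IRQ() is stored into `irq_stack[i]` with no NULL check in the lines shown, so a failed allocation would leave that CPU with a null IRQ stack base that presumably surfaces only when the stack is first used. Unless the part of the loop outside this hunk already handles it, a guard right after the allocation such as `if (!s) panic("Unable to allocate IRQ stack for CPU%d\n", i);` would fail loudly at boot instead. The loop body continues past the end of the hunk.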
@@ -0,0 +1,41 @@
+From d2b284d356e9758d2bafd505d482e3c9433ef424 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain
+Date: Thu, 7 Feb 2019 11:06:00 -0800
+Subject: Revert "selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config"
+
+From: Luis Chamberlain
+
+commit d2b284d356e9758d2bafd505d482e3c9433ef424 upstream.
+
+This reverts commit 7492902e8d22b568463897fa967c0886764cf034.
+
+The commit tried to address an issue discovered by Dan where he got
+a message saying:
+
+'usermode helper disabled so ignoring test'.
+
+Dans's commit is forcing CONFIG_FW_LOADER_USER_HELPER_FALLBACK but just
+having CONFIG_FW_LOADER_USER_HELPER suffices to emulate the_FALLBACK
+functionality.
+
+Dan's commit is trying to fix an issue which is hidden from a previous
+commit. That issue will be addressed properly next.
+
+Fixes: 7492902e8d22 ("selftests: firmware: add CONFIG_FW_LOADER_USER_HELPER_FALLBACK to config")
+Cc: stable
+Signed-off-by: Luis Chamberlain
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/testing/selftests/firmware/config | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/tools/testing/selftests/firmware/config
++++ b/tools/testing/selftests/firmware/config
+@@ -1,6 +1,5 @@
+ CONFIG_TEST_FIRMWARE=y
+ CONFIG_FW_LOADER=y
+ CONFIG_FW_LOADER_USER_HELPER=y
+-CONFIG_FW_LOADER_USER_HELPER_FALLBACK=y
+ CONFIG_IKCONFIG=y
+ CONFIG_IKCONFIG_PROC=y
diff --git a/queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch b/queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
new file mode 100644
index 00000000000..d001b94a1ce
--- /dev/null
+++ b/queue-5.0/revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
@@ -0,0 +1,49 @@
+From 13ac7db09c914e4991a08b7ad578267d5cdd9856 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain
+Date: Thu, 7 Feb 2019 11:06:01 -0800
+Subject: Revert "selftests: firmware: remove use of non-standard diff -Z option"
+
+From: Luis Chamberlain
+
+commit 13ac7db09c914e4991a08b7ad578267d5cdd9856 upstream.
+
+This reverts commit f70b472e937bb659a7b7a14e64f07308e230888c.
+
+This breaks testing on Debian, and this patch was NACKed anyway.
+The proper way to address this is a quirk for busybox as that is
+where the issue is present.
+
+Signed-off-by: Luis Chamberlain
+Fixes: f70b472e937b ("selftests: firmware: remove use of non-standard diff -Z option")
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/testing/selftests/firmware/fw_filesystem.sh | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/tools/testing/selftests/firmware/fw_filesystem.sh
++++ b/tools/testing/selftests/firmware/fw_filesystem.sh
+@@ -155,8 +155,11 @@ read_firmwares()
+ {
+ for i in $(seq 0 3); do
+ config_set_read_fw_idx $i
+- # Verify the contents match
+- if ! diff -q "$FW" $DIR/read_firmware 2>/dev/null ; then
++ # Verify the contents are what we expect.
++ # -Z required for now -- check for yourself, md5sum
++ # on $FW and DIR/read_firmware will yield the same. Even
++ # cmp agrees, so something is off.
++ if ! diff -q -Z "$FW" $DIR/read_firmware 2>/dev/null ; then
+ echo "request #$i: firmware was not loaded" >&2
+ exit 1
+ fi
+@@ -168,7 +171,7 @@ read_firmwares_expect_nofile()
+ for i in $(seq 0 3); do
+ config_set_read_fw_idx $i
+ # Ensures contents differ
+- if diff -q "$FW" $DIR/read_firmware 2>/dev/null ; then
++ if diff -q -Z "$FW" $DIR/read_firmware 2>/dev/null ; then
+ echo "request $i: file was not expected to match" >&2
+ exit 1
+ fi
diff --git a/queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch b/queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch
new file mode 100644
index 00000000000..e84e356b18f
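Review bot: Both `diff -q -Z "$FW" $DIR/read_firmware 2>/dev/null` tests treat every non-zero exit status as "files differ", so a diff that fails outright (status 2, for example where `-Z` is not supported, which the commit message associates with busybox) cannot be told apart from a real mismatch, and stderr is discarded. In `read_firmwares_expect_nofile()` that lets the check pass without any comparison having happened, and in `read_firmwares()` it reports "firmware was not loaded" for what is a tooling problem. Capturing the status after the call (`rc=$?`) and failing explicitly when it is greater than 1 would separate the two cases, and `"$DIR/read_firmware"` should be quoted the way `"$FW"` already is. Both loops start or end outside the hunks shown.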
--- /dev/null
+++ b/queue-5.0/selftests-firmware-fix-verify_reqs-return-value.patch
@@ -0,0 +1,34 @@
+From 344c0152d878922365464b7140c74c2a5e073d99 Mon Sep 17 00:00:00 2001
+From: Luis Chamberlain
+Date: Thu, 7 Feb 2019 11:06:02 -0800
+Subject: selftests: firmware: fix verify_reqs() return value
+
+From: Luis Chamberlain
+
+commit 344c0152d878922365464b7140c74c2a5e073d99 upstream.
+
+commit a6a9be9270c87 ("selftests: firmware: return Kselftest Skip code
+for skipped tests") by Shuah modified failures to return the special
+error code of $ksft_skip (4). We have a corner case issue where we
+*do* want to verify_reqs().
+
+Cc: # >= 4.18
+Fixes: a6a9be9270c87 ("selftests: firmware: return Kselftest Skip code for for skipped tests")
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/testing/selftests/firmware/fw_lib.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/testing/selftests/firmware/fw_lib.sh
++++ b/tools/testing/selftests/firmware/fw_lib.sh
+@@ -91,7 +91,7 @@ verify_reqs()
+ if [ "$TEST_REQS_FW_SYSFS_FALLBACK" = "yes" ]; then
+ if [ ! "$HAS_FW_LOADER_USER_HELPER" = "yes" ]; then
+ echo "usermode helper disabled so ignoring test"
+- exit $ksft_skip
++ exit 0
+ fi
+ fi
+ }
diff --git a/queue-5.0/series b/queue-5.0/series
index deb8d1cd7b0..b84103a6bb1 100644
--- a/queue-5.0/series
+++ b/queue-5.0/series
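Review bot: `exit 0` in `verify_reqs()` ends the calling script with a success status right after printing "usermode helper disabled so ignoring test", so a run in which the test was not exercised is reported the same way as one that passed. The commit message only hints at why 0 is preferred over `$ksft_skip` here, and nothing in the script records it. A comment above the line, e.g. `# exit 0, not $ksft_skip, on purpose: see commit 344c0152d878`, would keep a later cleanup from restoring the skip code. The function starts outside the hunk.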
@@ -28,3 +28,18 @@ team-free-bpf-filter-when-unregistering-netdev.patch
 tipc-fix-rdm-dgram-connect-regression.patch
 x86-cpu-amd-set-the-cpb-bit-unconditionally-on-f17h.patch
 x86-boot-compressed-64-do-not-read-legacy-rom-on-efi-system.patch
+tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
+xhci-tegra-prevent-error-pointer-dereference.patch
+usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
+applicom-fix-potential-spectre-v1-vulnerabilities.patch
+alpha-wire-up-io_pgetevents-system-call.patch
+mips-irq-allocate-accurate-order-pages-for-irq-stack.patch
+aio-fix-locking-in-aio_poll.patch
+xtensa-fix-get_wchan.patch
+gnss-sirf-fix-premature-wakeup-interrupt-enable.patch
+usb-serial-cp210x-fix-gpio-in-autosuspend.patch
+revert-selftests-firmware-add-config_fw_loader_user_helper_fallback-to-config.patch
+revert-selftests-firmware-remove-use-of-non-standard-diff-z-option.patch
+selftests-firmware-fix-verify_reqs-return-value.patch
+bluetooth-btrtl-restore-old-logic-to-assume-firmware-is-already-loaded.patch
+bluetooth-fix-locking-in-bt_accept_enqueue-for-bh-context.patch
diff --git a/queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch b/queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
new file mode 100644
index 00000000000..1e0a5752c5d
--- /dev/null
+++ b/queue-5.0/tracing-fix-event-filters-and-triggers-to-handle-negative-numbers.patch
@@ -0,0 +1,58 @@
+From 6a072128d262d2b98d31626906a96700d1fc11eb Mon Sep 17 00:00:00 2001
+From: Pavel Tikhomirov
+Date: Thu, 23 Aug 2018 13:25:34 +0300
+Subject: tracing: Fix event filters and triggers to handle negative numbers
+
+From: Pavel Tikhomirov
+
+commit 6a072128d262d2b98d31626906a96700d1fc11eb upstream.
+
+Then tracing syscall exit event it is extremely useful to filter exit
+codes equal to some negative value, to react only to required errors.
+But negative numbers does not work:
+
+[root@snorch sys_exit_read]# echo "ret == -1" > filter
+bash: echo: write error: Invalid argument
+[root@snorch sys_exit_read]# cat filter
+ret == -1
+ ^
+parse_error: Invalid value (did you forget quotes)?
+
+Similar thing happens when setting triggers.
+
+These is a regression in v4.17 introduced by the commit mentioned below,
+testing without these commit shows no problem with negative numbers.
+
+Link: http://lkml.kernel.org/r/20180823102534.7642-1-ptikhomirov@virtuozzo.com
+
+Cc: stable@vger.kernel.org
+Fixes: 80765597bc58 ("tracing: Rewrite filter logic to be simpler and faster")
+Signed-off-by: Pavel Tikhomirov
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace_events_filter.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -1301,7 +1301,7 @@ static int parse_pred(const char *str, v
+ /* go past the last quote */
+ i++;
+
+- } else if (isdigit(str[i])) {
++ } else if (isdigit(str[i]) || str[i] == '-') {
+
+ /* Make sure the field is not a string */
+ if (is_string_field(field)) {
+@@ -1314,6 +1314,9 @@ static int parse_pred(const char *str, v
+ goto err_free;
+ }
+
++ if (str[i] == '-')
++ i++;
++
+ /* We allow 0xDEADBEEF */
+ while (isalnum(str[i]))
+ i++;
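Review bot: The widened test `isdigit(str[i]) || str[i] == '-'` in `parse_pred()` also admits a `-` that is not followed by a digit, and the added `if (str[i] == '-') i++;` then hands the `isalnum()` loop either nothing or only letters to consume. Whether such a filter string is rejected depends on the conversion code after the loop, which is outside the hunk. Tightening the branch to `} else if (isdigit(str[i]) || (str[i] == '-' && isdigit(str[i + 1]))) {` would reject it where the operand is classified; reading `str[i + 1]` is safe there because `str[i]` is known to be `-` and not the terminator.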
diff --git a/queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch b/queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch
new file mode 100644
index 00000000000..f2947726858
--- /dev/null
+++ b/queue-5.0/usb-serial-cp210x-fix-gpio-in-autosuspend.patch
@@ -0,0 +1,60 @@
+From 7b0b644b9aa2de5032db0f468fddca091d0b7b90 Mon Sep 17 00:00:00 2001
+From: Karoly Pados
+Date: Sun, 17 Feb 2019 18:59:01 +0100
+Subject: USB: serial: cp210x: fix GPIO in autosuspend
+
+From: Karoly Pados
+
+commit 7b0b644b9aa2de5032db0f468fddca091d0b7b90 upstream.
+
+Current GPIO code in cp210x fails to take USB autosuspend into account,
+making it practically impossible to use GPIOs with autosuspend enabled
+without user configuration. Fix this like for ftdi_sio in a previous patch.
+Tested on a CP2102N.
+
+Signed-off-by: Karoly Pados
+Fixes: cf5276ce7867 ("USB: serial: cp210x: Adding GPIO support for CP2105")
+Cc: stable
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -1354,8 +1354,13 @@ static int cp210x_gpio_get(struct gpio_c
+ if (priv->partnum == CP210X_PARTNUM_CP2105)
+ req_type = REQTYPE_INTERFACE_TO_HOST;
+
++ result = usb_autopm_get_interface(serial->interface);
++ if (result)
++ return result;
++
+ result = cp210x_read_vendor_block(serial, req_type,
+ CP210X_READ_LATCH, &buf, sizeof(buf));
++ usb_autopm_put_interface(serial->interface);
+ if (result < 0)
+ return result;
+
+@@ -1376,6 +1381,10 @@ static void cp210x_gpio_set(struct gpio_
+
+ buf.mask = BIT(gpio);
+
++ result = usb_autopm_get_interface(serial->interface);
++ if (result)
++ goto out;
++
+ if (priv->partnum == CP210X_PARTNUM_CP2105) {
+ result = cp210x_write_vendor_block(serial,
+ REQTYPE_HOST_TO_INTERFACE,
+@@ -1393,6 +1402,8 @@ static void cp210x_gpio_set(struct gpio_
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+ }
+
++ usb_autopm_put_interface(serial->interface);
++out:
+ if (result < 0) {
+ dev_err(&serial->interface->dev, "failed to set GPIO value: %d\n",
+ result);
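Review bot: The two new `usb_autopm_get_interface()` checks test `if (result)`, while every other check of `result` visible in these hunks, including the one reached through the new `out:` label in `cp210x_gpio_set()`, tests `if (result < 0)`. Using `if (result < 0)` in both added checks would keep one error convention per function and make it obvious that the `goto out` path always lands in the `dev_err()` branch. Both functions start and end outside the hunks, so the declaration of `result` is not visible here.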
diff --git a/queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch b/queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
new file mode 100644
index 00000000000..84cf9a5e76f
--- /dev/null
+++ b/queue-5.0/usb-xhci-fix-for-enabling-usb-role-switch-quirk-on-intel_sunrisepoint_lp_xhci.patch
@@ -0,0 +1,33 @@
+From 8fde481ef3674ae5ad0dbfef4df18ff507c5675a Mon Sep 17 00:00:00 2001
+From: Balaji Manoharan
+Date: Wed, 20 Feb 2019 19:50:53 +0200
+Subject: usb: xhci: Fix for Enabling USB ROLE SWITCH QUIRK on INTEL_SUNRISEPOINT_LP_XHCI
+
+From: Balaji Manoharan
+
+commit 8fde481ef3674ae5ad0dbfef4df18ff507c5675a upstream.
+
+This fix enables USB role feature on intel commercial nuc
+platform which is based on Kabylake chipset.
+
+Signed-off-by: Balaji Manoharan
+Reviewed-by: Hans de Goede
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -194,6 +194,7 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_SSIC_PORT_UNUSED;
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ (pdev->device == PCI_DEVICE_ID_INTEL_CHERRYVIEW_XHCI ||
++ pdev->device == PCI_DEVICE_ID_INTEL_SUNRISEPOINT_LP_XHCI ||
+ pdev->device == PCI_DEVICE_ID_INTEL_APL_XHCI))
+ xhci->quirks |= XHCI_INTEL_USB_ROLE_SW;
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
diff --git a/queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch b/queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch
new file mode 100644
index 00000000000..4ec9513051d
--- /dev/null
+++ b/queue-5.0/xhci-tegra-prevent-error-pointer-dereference.patch
@@ -0,0 +1,38 @@
+From 0326ccb5feac6eac35ba6254260e2774277cd976 Mon Sep 17 00:00:00 2001
+From: Thierry Reding
+Date: Wed, 20 Feb 2019 14:48:41 +0100
+Subject: xhci: tegra: Prevent error pointer dereference
+
+From: Thierry Reding
+
+commit 0326ccb5feac6eac35ba6254260e2774277cd976 upstream.
+
+During initialization, the host and super-speed power domains will
+contain an ERR_PTR() encoded error code rather than being NULL. To
+avoid a crash, use a !IS_ERR_OR_NULL() condition during cleanup.
+
+Signed-off-by: Thierry Reding
+Fixes: 6494a9ad86de ("usb: xhci: tegra: Add genpd support")
+Cc: stable
+Reviewed-by: Jon Hunter
+Acked-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-tegra.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -941,9 +941,9 @@ static void tegra_xusb_powerdomain_remov
+ device_link_del(tegra->genpd_dl_ss);
+ if (tegra->genpd_dl_host)
+ device_link_del(tegra->genpd_dl_host);
+- if (tegra->genpd_dev_ss)
++ if (!IS_ERR_OR_NULL(tegra->genpd_dev_ss))
+ dev_pm_domain_detach(tegra->genpd_dev_ss, true);
+- if (tegra->genpd_dev_host)
++ if (!IS_ERR_OR_NULL(tegra->genpd_dev_host))
+ dev_pm_domain_detach(tegra->genpd_dev_host, true);
+ }
+
diff --git a/queue-5.0/xtensa-fix-get_wchan.patch b/queue-5.0/xtensa-fix-get_wchan.patch
new file mode 100644
index 00000000000..6b06f00f9ac
--- /dev/null
+++ b/queue-5.0/xtensa-fix-get_wchan.patch
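Review bot: Nothing in `tegra_xusb_powerdomain_remove()` says why `genpd_dev_ss` and `genpd_dev_host` are now tested with `!IS_ERR_OR_NULL()` while `genpd_dl_host` two lines above keeps a plain NULL test. A comment above the two checks, e.g. `/* genpd_dev_* may still hold an ERR_PTR() from a failed attach */`, would keep a later cleanup from simplifying them back to the form that crashed. Any other code that reads these two fields would need the same test, or the attach path could store NULL on failure instead; neither can be checked from this hunk, which starts inside the function.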
@@ -0,0 +1,35 @@
+From d90b88fd3653f1fb66ecc6571b860d5a5749fa56 Mon Sep 17 00:00:00 2001
+From: Max Filippov
+Date: Wed, 2 Jan 2019 01:08:32 -0800
+Subject: xtensa: fix get_wchan
+
+From: Max Filippov
+
+commit d90b88fd3653f1fb66ecc6571b860d5a5749fa56 upstream.
+
+Stack unwinding is implemented incorrectly in xtensa get_wchan: instead
+of extracting a0 and a1 registers from the spill location under the
+stack pointer it extracts a word pointed to by the stack pointer and
+subtracts 4 or 3 from it.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Max Filippov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/kernel/process.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/xtensa/kernel/process.c
++++ b/arch/xtensa/kernel/process.c
+@@ -321,8 +321,8 @@ unsigned long get_wchan(struct task_stru
+
+ /* Stack layout: sp-4: ra, sp-3: sp' */
+
+- pc = MAKE_PC_FROM_RA(*(unsigned long*)sp - 4, sp);
+- sp = *(unsigned long *)sp - 3;
++ pc = MAKE_PC_FROM_RA(SPILL_SLOT(sp, 0), sp);
++ sp = SPILL_SLOT(sp, 1);
+ } while (count++ < 16);
+ return 0;
+ }
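Review bot: The retained comment `/* Stack layout: sp-4: ra, sp-3: sp' */` in `get_wchan()` does not say that the offsets are word slots below `sp`, and per the commit message that is the misreading the removed lines made when they subtracted 4 and 3 from the loaded value. Rewording it to something like `/* Spill area below sp, in words: sp[-4] = a0 (ra), sp[-3] = a1 (caller's sp) */` would match the new `SPILL_SLOT(sp, 0)` and `SPILL_SLOT(sp, 1)` reads, assuming the macro indexes the four-word area under `sp`; its definition is not on this page. The loop starts outside the hunk, so the bounds check on `sp` that should precede these reads cannot be confirmed here.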