From: Greg Kroah-Hartman
Date: Mon, 17 Sep 2018 10:23:42 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.18.9~17
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=13e8e92f80efd411b6411b1dd52a847c43d4a4f1;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
  arc-enable-swap.patch
  ata-libahci-correct-setting-of-devslp-register.patch
  ath10k-disable-bundle-mgmt-tx-completion-event-support.patch
  ath10k-prevent-active-scans-on-potential-unusable-channels.patch
  ath9k-report-tx-status-on-eosp.patch
  ath9k_hw-fix-channel-maximum-power-level-test.patch
  bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch
  bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch
  ethtool-remove-trailing-semicolon-for-static-inline.patch
  f2fs-do-not-set-free-of-current-section.patch
  f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch
  f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch
  f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch
  f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch
  f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch
  gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch
  gpio-tegra-move-driver-registration-to-subsys_init-level.patch
  input-atmel_mxt_ts-only-use-first-t9-instance.patch
  iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch
  macintosh-via-pmu-add-missing-mmio-accessors.patch
  md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch
  media-helene-fix-xtal-frequency-setting-at-power-on.patch
  media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch
  mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch
  mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch
  mips-generic-fix-missing-of_node_put.patch
  mips-octeon-add-missing-of_node_put.patch
  mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch
  misc-mic-scif-fix-scif_get_new_port-error-handling.patch
  misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch
  net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch
  net-mvneta-fix-mtu-change-on-port-without-link.patch
  net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch
  nfsv4.0-fix-client-reference-leak-in-callback.patch
  nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch
  partitions-aix-append-null-character-to-print-data-from-disk.patch
  partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch
  perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch
  rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch
  scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch
  scsi-target-fix-__transport_register_session-locking.patch
  timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch
  tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch
  tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch
  tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch
  uio-potential-double-frees-if-__uio_register_device-fails.patch
  wlcore-set-rx_status-boottime_ns-field-on-rx.patch
  x86-kexec-allocate-8k-pgds-for-pti.patch
  x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch
---
diff --git a/queue-4.9/arc-enable-swap.patch b/queue-4.9/arc-enable-swap.patch new file mode 100644 index 00000000000..6b1e77281a5 --- /dev/null +++ b/queue-4.9/arc-enable-swap.patch 
@@ -0,0 +1,51 @@ +From c83532fb0fe053d2e43e9387354cb1b52ba26427 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 2 Aug 2018 11:50:16 +0300 +Subject: ARC: [plat-axs*]: Enable SWAP + +From: Alexey Brodkin + +commit c83532fb0fe053d2e43e9387354cb1b52ba26427 upstream. + +SWAP support on ARC was fixed earlier by +commit 6e3761145a9b ("ARC: Fix CONFIG_SWAP") +so now we may safely enable it on platforms that +have external media like USB and SD-card. + +Note: it was already allowed for HSDK + +Signed-off-by: Alexey Brodkin +Cc: stable@vger.kernel.org # 6e3761145a9b: ARC: Fix CONFIG_SWAP +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/configs/axs101_defconfig | 1 - + arch/arc/configs/axs103_defconfig | 1 - + arch/arc/configs/axs103_smp_defconfig | 1 - + 3 files changed, 3 deletions(-) + +--- a/arch/arc/configs/axs101_defconfig ++++ b/arch/arc/configs/axs101_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set +--- a/arch/arc/configs/axs103_defconfig ++++ b/arch/arc/configs/axs103_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set +--- a/arch/arc/configs/axs103_smp_defconfig ++++ b/arch/arc/configs/axs103_smp_defconfig +@@ -1,5 +1,4 @@ + CONFIG_DEFAULT_HOSTNAME="ARCLinux" +-# CONFIG_SWAP is not set + CONFIG_SYSVIPC=y + CONFIG_POSIX_MQUEUE=y + # CONFIG_CROSS_MEMORY_ATTACH is not set diff --git a/queue-4.9/ata-libahci-correct-setting-of-devslp-register.patch b/queue-4.9/ata-libahci-correct-setting-of-devslp-register.patch new file mode 100644 index 00000000000..5d6a1226c8b --- /dev/null +++ b/queue-4.9/ata-libahci-correct-setting-of-devslp-register.patch 
@@ -0,0 +1,43 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Srinivas Pandruvada +Date: Mon, 2 Jul 2018 12:01:53 -0700 +Subject: ata: libahci: Correct setting of DEVSLP register + +From: Srinivas Pandruvada + +[ Upstream commit 2dbb3ec29a6c069035857a2fc4c24e80e5dfe3cc ] + +We have seen that on some platforms, SATA device never show any DEVSLP +residency. This prevent power gating of SATA IP, which prevent system +to transition to low power mode in systems with SLP_S0 aka modern +standby systems. The PHY logic is off only in DEVSLP not in slumber. +Reference: +https://www.intel.com/content/dam/www/public/us/en/documents/datasheets +/332995-skylake-i-o-platform-datasheet-volume-1.pdf +Section 28.7.6.1 + +Here driver is trying to do read-modify-write the devslp register. But +not resetting the bits for which this driver will modify values (DITO, +MDAT and DETO). So simply reset those bits before updating to new values. + +Signed-off-by: Srinivas Pandruvada +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -2132,6 +2132,8 @@ static void ahci_set_aggressive_devslp(s + deto = 20; + } + ++ /* Make dito, mdat, deto bits to 0s */ ++ devslp &= ~GENMASK_ULL(24, 2); + devslp |= ((dito << PORT_DEVSLP_DITO_OFFSET) | + (mdat << PORT_DEVSLP_MDAT_OFFSET) | + (deto << PORT_DEVSLP_DETO_OFFSET) | diff --git a/queue-4.9/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch b/queue-4.9/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch new file mode 100644 index 00000000000..45944b98602 --- /dev/null +++ b/queue-4.9/ath10k-disable-bundle-mgmt-tx-completion-event-support.patch 
@@ -0,0 +1,66 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Surabhi Vishnoi +Date: Wed, 25 Jul 2018 10:59:41 +0300 +Subject: ath10k: disable bundle mgmt tx completion event support + +From: Surabhi Vishnoi + +[ Upstream commit 673bc519c55843c68c3aecff71a4101e79d28d2b ] + +The tx completion of multiple mgmt frames can be bundled +in a single event and sent by the firmware to host, if this +capability is not disabled explicitly by the host. If the host +cannot handle the bundled mgmt tx completion, this capability +support needs to be disabled in the wmi init cmd, sent to the firmware. + +Add the host capability indication flag in the wmi ready command, +to let firmware know the features supported by the host driver. +This field is ignored if it is not supported by firmware. + +Set the host capability indication flag(i.e. host_capab) to zero, +for disabling the support of bundle mgmt tx completion. This will +indicate the firmware to send completion event for every mgmt tx +completion, instead of bundling them together and sending in a single +event. 
+ +Tested HW: WCN3990 +Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1 + +Signed-off-by: Surabhi Vishnoi +Signed-off-by: Rakesh Pillai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi-tlv.c | 5 +++++ + drivers/net/wireless/ath/ath10k/wmi-tlv.h | 5 +++++ + 2 files changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c +@@ -1451,6 +1451,11 @@ static struct sk_buff *ath10k_wmi_tlv_op + cfg->keep_alive_pattern_size = __cpu_to_le32(0); + cfg->max_tdls_concurrent_sleep_sta = __cpu_to_le32(1); + cfg->max_tdls_concurrent_buffer_sta = __cpu_to_le32(1); ++ cfg->wmi_send_separate = __cpu_to_le32(0); ++ cfg->num_ocb_vdevs = __cpu_to_le32(0); ++ cfg->num_ocb_channels = __cpu_to_le32(0); ++ cfg->num_ocb_schedules = __cpu_to_le32(0); ++ cfg->host_capab = __cpu_to_le32(0); + + ath10k_wmi_put_host_mem_chunks(ar, chunks); + +--- a/drivers/net/wireless/ath/ath10k/wmi-tlv.h ++++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.h +@@ -1227,6 +1227,11 @@ struct wmi_tlv_resource_config { + __le32 keep_alive_pattern_size; + __le32 max_tdls_concurrent_sleep_sta; + __le32 max_tdls_concurrent_buffer_sta; ++ __le32 wmi_send_separate; ++ __le32 num_ocb_vdevs; ++ __le32 num_ocb_channels; ++ __le32 num_ocb_schedules; ++ __le32 host_capab; + } __packed; + + struct wmi_tlv_init_cmd { diff --git a/queue-4.9/ath10k-prevent-active-scans-on-potential-unusable-channels.patch b/queue-4.9/ath10k-prevent-active-scans-on-potential-unusable-channels.patch new file mode 100644 index 00000000000..1615fdc3a4f --- /dev/null +++ b/queue-4.9/ath10k-prevent-active-scans-on-potential-unusable-channels.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Sven Eckelmann +Date: Thu, 26 Jul 2018 15:59:48 +0200 +Subject: ath10k: prevent active scans on potential unusable channels + +From: Sven Eckelmann + +[ Upstream commit 3f259111583801013cb605bb4414aa529adccf1c ] + +The QCA4019 hw1.0 firmware 10.4-3.2.1-00050 and 10.4-3.5.3-00053 (and most +likely all other) seem to ignore the WMI_CHAN_FLAG_DFS flag during the +scan. This results in transmission (probe requests) on channels which are +not "available" for transmissions. + +Since the firmware is closed source and nothing can be done from our side +to fix the problem in it, the driver has to work around this problem. The +WMI_CHAN_FLAG_PASSIVE seems to be interpreted by the firmware to not +scan actively on a channel unless an AP was detected on it. Simple probe +requests will then be transmitted by the STA on the channel. + +ath10k must therefore also use this flag when it queues a radar channel for +scanning. This should reduce the chance of an active scan when the channel +might be "unusable" for transmissions. + +Fixes: e8a50f8ba44b ("ath10k: introduce DFS implementation") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -3003,6 +3003,13 @@ static int ath10k_update_channel_list(st + passive = channel->flags & IEEE80211_CHAN_NO_IR; + ch->passive = passive; + ++ /* the firmware is ignoring the "radar" flag of the ++ * channel and is scanning actively using Probe Requests ++ * on "Radar detection"/DFS channels which are not ++ * marked as "available" ++ */ ++ ch->passive |= ch->chan_radar; ++ + ch->freq = channel->center_freq; + ch->band_center_freq1 = channel->center_freq; + ch->min_power = 0; 
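Review bot: in drivers/ata/libahci.c, ahci_set_aggressive_devslp(), the clearing mask GENMASK_ULL(24, 2) hard-codes the bit range, while the very next statement writes the same fields through PORT_DEVSLP_DITO_OFFSET, PORT_DEVSLP_MDAT_OFFSET and PORT_DEVSLP_DETO_OFFSET. If any of those offsets changes, the cleared range and the written range silently diverge and stale bits get OR-ed into the register again. Suggest building the mask from the named offsets (or adding named field masks next to them) so the read-modify-write clears exactly what it sets, and wording the comment accordingly ("clear the DITO, MDAT and DETO fields before setting them").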
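Review bot: in drivers/net/wireless/ath/ath10k/mac.c, ath10k_update_channel_list(), the new comment talks about radar channels "which are not marked as available", but the line it documents, "ch->passive |= ch->chan_radar;", forces passive scanning on every channel that has chan_radar set, whatever its DFS state. Suggest either stating in the comment that all radar channels are made passive as a workaround for the firmware ignoring WMI_CHAN_FLAG_DFS, or keying the condition on the DFS state if only unavailable channels are meant, so the comment and the code describe the same behaviour.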
diff --git a/queue-4.9/ath9k-report-tx-status-on-eosp.patch b/queue-4.9/ath9k-report-tx-status-on-eosp.patch new file mode 100644 index 00000000000..6dd3ecc0c31 --- /dev/null +++ b/queue-4.9/ath9k-report-tx-status-on-eosp.patch @@ -0,0 +1,31 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Felix Fietkau +Date: Mon, 30 Jul 2018 21:31:23 +0300 +Subject: ath9k: report tx status on EOSP + +From: Felix Fietkau + +[ Upstream commit 36e14a787dd0b459760de3622e9709edb745a6af ] + +Fixes missed indications of end of U-APSD service period to mac80211 + +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/xmit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -84,7 +84,8 @@ static void ath_tx_status(struct ieee802 + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_sta *sta = info->status.status_driver_data[0]; + +- if (info->flags & IEEE80211_TX_CTL_REQ_TX_STATUS) { ++ if (info->flags & (IEEE80211_TX_CTL_REQ_TX_STATUS | ++ IEEE80211_TX_STATUS_EOSP)) { + ieee80211_tx_status(hw, skb); + return; + } diff --git a/queue-4.9/ath9k_hw-fix-channel-maximum-power-level-test.patch b/queue-4.9/ath9k_hw-fix-channel-maximum-power-level-test.patch new file mode 100644 index 00000000000..2a7bc216aea --- /dev/null +++ b/queue-4.9/ath9k_hw-fix-channel-maximum-power-level-test.patch 
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Felix Fietkau +Date: Mon, 30 Jul 2018 21:31:28 +0300 +Subject: ath9k_hw: fix channel maximum power level test + +From: Felix Fietkau + +[ Upstream commit 461d8a6bb9879b0e619752d040292e67aa06f1d2 ] + +The tx power applied by set_txpower is limited by the CTL (conformance +test limit) entries in the EEPROM. These can change based on the user +configured regulatory domain. +Depending on the EEPROM data this can cause the tx power to become too +limited, if the original regdomain CTLs impose lower limits than the CTLs +of the user configured regdomain. + +To fix this issue, set the initial channel limits without any CTL +restrictions and only apply the CTL at run time when setting the channel +and the real tx power. + +Signed-off-by: Felix Fietkau +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath9k/hw.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -2915,16 +2915,19 @@ void ath9k_hw_apply_txpower(struct ath_h + struct ath_regulatory *reg = ath9k_hw_regulatory(ah); + struct ieee80211_channel *channel; + int chan_pwr, new_pwr; ++ u16 ctl = NO_CTL; + + if (!chan) + return; + ++ if (!test) ++ ctl = ath9k_regd_get_ctl(reg, chan); ++ + channel = chan->chan; + chan_pwr = min_t(int, channel->max_power * 2, MAX_RATE_POWER); + new_pwr = min_t(int, chan_pwr, reg->power_limit); + +- ah->eep_ops->set_txpower(ah, chan, +- ath9k_regd_get_ctl(reg, chan), ++ ah->eep_ops->set_txpower(ah, chan, ctl, + get_antenna_gain(ah, chan), new_pwr, test); + } + diff --git a/queue-4.9/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch b/queue-4.9/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch new file mode 100644 index 00000000000..8f50fe4ed0e --- /dev/null 
+++ b/queue-4.9/bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Johan Hedberg +Date: Sat, 4 Aug 2018 23:40:26 +0300 +Subject: Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV + +From: Johan Hedberg + +[ Upstream commit 6c3711ec64fd23a9abc8aaf59a9429569a6282df ] + +This driver was recently updated to use serdev, so add the appropriate +dependency. Without this one can get compiler warnings like this if +CONFIG_SERIAL_DEV_BUS is not enabled: + + CC [M] drivers/bluetooth/hci_h5.o +drivers/bluetooth/hci_h5.c:934:36: warning: ‘h5_serdev_driver’ defined but not used [-Wunused-variable] + static struct serdev_device_driver h5_serdev_driver = { + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Johan Hedberg +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/Kconfig ++++ b/drivers/bluetooth/Kconfig +@@ -125,6 +125,7 @@ config BT_HCIUART_LL + config BT_HCIUART_3WIRE + bool "Three-wire UART (H5) protocol support" + depends on BT_HCIUART ++ depends on BT_HCIUART_SERDEV + help + The HCI Three-wire UART Transport Layer makes it possible to + user the Bluetooth HCI over a serial port interface. The HCI diff --git a/queue-4.9/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch b/queue-4.9/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch new file mode 100644 index 00000000000..f8ab6d01612 --- /dev/null +++ b/queue-4.9/bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Marcel Holtmann +Date: Mon, 30 Jul 2018 13:57:41 +0200 +Subject: Bluetooth: hidp: Fix handling of strncpy for hid->name information + +From: Marcel Holtmann + +[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ] + +This fixes two issues with setting hid->name information. + + CC net/bluetooth/hidp/core.o +In function ‘hidp_setup_hid’, + inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9, + inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8, + inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8: +net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation] + strncpy(hid->name, req->name, sizeof(req->name) - 1); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + CC net/bluetooth/hidp/core.o +net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’: +net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess] + strncpy(hid->name, req->name, sizeof(req->name)); + ^ + +Signed-off-by: Marcel Holtmann +Signed-off-by: Johan Hedberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hidp/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hidp/core.c ++++ b/net/bluetooth/hidp/core.c +@@ -774,7 +774,7 @@ static int hidp_setup_hid(struct hidp_se + hid->version = req->version; + hid->country = req->country; + +- strncpy(hid->name, req->name, sizeof(req->name) - 1); ++ strncpy(hid->name, req->name, sizeof(hid->name)); + + snprintf(hid->phys, sizeof(hid->phys), "%pMR", + &l2cap_pi(session->ctrl_sock->sk)->chan->src); 
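Review bot: in net/bluetooth/hidp/core.c, hidp_setup_hid(), the new bound sizeof(hid->name) silences the -Wsizeof-pointer-memaccess warning but drops the "- 1" the removed call had, so strncpy() may now fill hid->name completely and leave it without a terminating NUL when req->name has no NUL within that length. The later users of hid->name then depend on the caller having terminated req->name, which nothing in this hunk guarantees. Suggest a copy that always terminates the destination, for example strscpy(hid->name, req->name, sizeof(hid->name)), or keep strncpy() with sizeof(hid->name) - 1 and write the final '\0' explicitly.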
diff --git a/queue-4.9/ethtool-remove-trailing-semicolon-for-static-inline.patch b/queue-4.9/ethtool-remove-trailing-semicolon-for-static-inline.patch new file mode 100644 index 00000000000..35bf72886d6 --- /dev/null +++ b/queue-4.9/ethtool-remove-trailing-semicolon-for-static-inline.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Florian Fainelli +Date: Sat, 4 Aug 2018 14:20:40 -0700 +Subject: ethtool: Remove trailing semicolon for static inline + +From: Florian Fainelli + +[ Upstream commit d89d41556141a527030a15233135ba622ba3350d ] + +Android's header sanitization tool chokes on static inline functions having a +trailing semicolon, leading to an incorrectly parsed header file. While the +tool should obviously be fixed, also fix the header files for the two affected +functions: ethtool_get_flow_spec_ring() and ethtool_get_flow_spec_ring_vf(). + +Fixes: 8cf6f497de40 ("ethtool: Add helper routines to pass vf to rx_flow_spec") +Reporetd-by: Blair Prescott +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/uapi/linux/ethtool.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/uapi/linux/ethtool.h ++++ b/include/uapi/linux/ethtool.h +@@ -882,13 +882,13 @@ struct ethtool_rx_flow_spec { + static inline __u64 ethtool_get_flow_spec_ring(__u64 ring_cookie) + { + return ETHTOOL_RX_FLOW_SPEC_RING & ring_cookie; +-}; ++} + + static inline __u64 ethtool_get_flow_spec_ring_vf(__u64 ring_cookie) + { + return (ETHTOOL_RX_FLOW_SPEC_RING_VF & ring_cookie) >> + ETHTOOL_RX_FLOW_SPEC_RING_VF_OFF; +-}; ++} + + /** + * struct ethtool_rxnfc - command to get or set RX flow classification rules diff --git a/queue-4.9/f2fs-do-not-set-free-of-current-section.patch b/queue-4.9/f2fs-do-not-set-free-of-current-section.patch new file mode 100644 index 00000000000..54c24ebf296 --- /dev/null +++ b/queue-4.9/f2fs-do-not-set-free-of-current-section.patch 
@@ -0,0 +1,43 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Yunlong Song +Date: Thu, 12 Jul 2018 23:09:26 +0800 +Subject: f2fs: do not set free of current section + +From: Yunlong Song + +[ Upstream commit 3611ce9911267cb93d364bd71ddea6821278d11f ] + +For the case when sbi->segs_per_sec > 1, take section:segment = 5 for +example, if segment 1 is just used and allocate new segment 2, and the +blocks of segment 1 is invalidated, at this time, the previous code will +use __set_test_and_free to free the free_secmap and free_sections++, +this is not correct since it is still a current section, so fix it. + +Signed-off-by: Yunlong Song +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/segment.h ++++ b/fs/f2fs/segment.h +@@ -386,6 +386,8 @@ static inline void __set_test_and_free(s + if (test_and_clear_bit(segno, free_i->free_segmap)) { + free_i->free_segments++; + ++ if (IS_CURSEC(sbi, secno)) ++ goto skip_free; + next = find_next_bit(free_i->free_segmap, + start_segno + sbi->segs_per_sec, start_segno); + if (next >= start_segno + sbi->segs_per_sec) { +@@ -393,6 +395,7 @@ static inline void __set_test_and_free(s + free_i->free_sections++; + } + } ++skip_free: + spin_unlock(&free_i->segmap_lock); + } + diff --git a/queue-4.9/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch b/queue-4.9/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch new file mode 100644 index 00000000000..d488bc9420a --- /dev/null +++ b/queue-4.9/f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch 
@@ -0,0 +1,155 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Chao Yu +Date: Sat, 30 Jun 2018 18:13:40 +0800 +Subject: f2fs: fix to do sanity check with reserved blkaddr of inline inode + +From: Chao Yu + +[ Upstream commit 4dbe38dc386910c668c75ae616b99b823b59f3eb ] + +As Wen Xu reported in bugzilla, after image was injected with random data +by fuzzing, inline inode would contain invalid reserved blkaddr, then +during inline conversion, we will encounter illegal memory accessing +reported by KASAN, the root cause of this is when writing out converted +inline page, we will use invalid reserved blkaddr to update sit bitmap, +result in accessing memory beyond sit bitmap boundary. + +In order to fix this issue, let's do sanity check with reserved block +address of inline inode to avoid above condition. + +https://bugzilla.kernel.org/show_bug.cgi?id=200179 + +[ 1428.846352] BUG: KASAN: use-after-free in update_sit_entry+0x80/0x7f0 +[ 1428.846618] Read of size 4 at addr ffff880194483540 by task a.out/2741 + +[ 1428.846855] CPU: 0 PID: 2741 Comm: a.out Tainted: G W 4.17.0+ #1 +[ 1428.846858] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 1428.846860] Call Trace: +[ 1428.846868] dump_stack+0x71/0xab +[ 1428.846875] print_address_description+0x6b/0x290 +[ 1428.846881] kasan_report+0x28e/0x390 +[ 1428.846888] ? update_sit_entry+0x80/0x7f0 +[ 1428.846898] update_sit_entry+0x80/0x7f0 +[ 1428.846906] f2fs_allocate_data_block+0x6db/0xc70 +[ 1428.846914] ? f2fs_get_node_info+0x14f/0x590 +[ 1428.846920] do_write_page+0xc8/0x150 +[ 1428.846928] f2fs_outplace_write_data+0xfe/0x210 +[ 1428.846935] ? f2fs_do_write_node_page+0x170/0x170 +[ 1428.846941] ? radix_tree_tag_clear+0xff/0x130 +[ 1428.846946] ? __mod_node_page_state+0x22/0xa0 +[ 1428.846951] ? inc_zone_page_state+0x54/0x100 +[ 1428.846956] ? __test_set_page_writeback+0x336/0x5d0 +[ 1428.846964] f2fs_convert_inline_page+0x407/0x6d0 +[ 1428.846971] ? 
f2fs_read_inline_data+0x3b0/0x3b0 +[ 1428.846978] ? __get_node_page+0x335/0x6b0 +[ 1428.846987] f2fs_convert_inline_inode+0x41b/0x500 +[ 1428.846994] ? f2fs_convert_inline_page+0x6d0/0x6d0 +[ 1428.847000] ? kasan_unpoison_shadow+0x31/0x40 +[ 1428.847005] ? kasan_kmalloc+0xa6/0xd0 +[ 1428.847024] f2fs_file_mmap+0x79/0xc0 +[ 1428.847029] mmap_region+0x58b/0x880 +[ 1428.847037] ? arch_get_unmapped_area+0x370/0x370 +[ 1428.847042] do_mmap+0x55b/0x7a0 +[ 1428.847048] vm_mmap_pgoff+0x16f/0x1c0 +[ 1428.847055] ? vma_is_stack_for_current+0x50/0x50 +[ 1428.847062] ? __fsnotify_update_child_dentry_flags.part.1+0x160/0x160 +[ 1428.847068] ? do_sys_open+0x206/0x2a0 +[ 1428.847073] ? __fget+0xb4/0x100 +[ 1428.847079] ksys_mmap_pgoff+0x278/0x360 +[ 1428.847085] ? find_mergeable_anon_vma+0x50/0x50 +[ 1428.847091] do_syscall_64+0x73/0x160 +[ 1428.847098] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 1428.847102] RIP: 0033:0x7fb1430766ba +[ 1428.847103] Code: 89 f5 41 54 49 89 fc 55 53 74 35 49 63 e8 48 63 da 4d 89 f9 49 89 e8 4d 63 d6 48 89 da 4c 89 ee 4c 89 e7 b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 56 5b 5d 41 5c 41 5d 41 5e 41 5f c3 0f 1f 00 +[ 1428.847162] RSP: 002b:00007ffc651d9388 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 +[ 1428.847167] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fb1430766ba +[ 1428.847170] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000 +[ 1428.847173] RBP: 0000000000000003 R08: 0000000000000003 R09: 0000000000000000 +[ 1428.847176] R10: 0000000000008002 R11: 0000000000000246 R12: 0000000000000000 +[ 1428.847179] R13: 0000000000001000 R14: 0000000000008002 R15: 0000000000000000 + +[ 1428.847252] Allocated by task 2683: +[ 1428.847372] kasan_kmalloc+0xa6/0xd0 +[ 1428.847380] kmem_cache_alloc+0xc8/0x1e0 +[ 1428.847385] getname_flags+0x73/0x2b0 +[ 1428.847390] user_path_at_empty+0x1d/0x40 +[ 1428.847395] vfs_statx+0xc1/0x150 +[ 1428.847401] __do_sys_newlstat+0x7e/0xd0 +[ 1428.847405] do_syscall_64+0x73/0x160 +[ 1428.847411] 
entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 1428.847466] Freed by task 2683: +[ 1428.847566] __kasan_slab_free+0x137/0x190 +[ 1428.847571] kmem_cache_free+0x85/0x1e0 +[ 1428.847575] filename_lookup+0x191/0x280 +[ 1428.847580] vfs_statx+0xc1/0x150 +[ 1428.847585] __do_sys_newlstat+0x7e/0xd0 +[ 1428.847590] do_syscall_64+0x73/0x160 +[ 1428.847596] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 1428.847648] The buggy address belongs to the object at ffff880194483300 + which belongs to the cache names_cache of size 4096 +[ 1428.847946] The buggy address is located 576 bytes inside of + 4096-byte region [ffff880194483300, ffff880194484300) +[ 1428.848234] The buggy address belongs to the page: +[ 1428.848366] page:ffffea0006512000 count:1 mapcount:0 mapping:ffff8801f3586380 index:0x0 compound_mapcount: 0 +[ 1428.848606] flags: 0x17fff8000008100(slab|head) +[ 1428.848737] raw: 017fff8000008100 dead000000000100 dead000000000200 ffff8801f3586380 +[ 1428.848931] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000 +[ 1428.849122] page dumped because: kasan: bad access detected + +[ 1428.849305] Memory state around the buggy address: +[ 1428.849436] ffff880194483400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849620] ffff880194483480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849804] >ffff880194483500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.849985] ^ +[ 1428.850120] ffff880194483580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.850303] ffff880194483600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 1428.850498] ================================================================== + +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/inline.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/fs/f2fs/inline.c ++++ b/fs/f2fs/inline.c +@@ -124,6 +124,16 @@ int 
f2fs_convert_inline_page(struct dnod + if (err) + return err; + ++ if (unlikely(dn->data_blkaddr != NEW_ADDR)) { ++ f2fs_put_dnode(dn); ++ set_sbi_flag(fio.sbi, SBI_NEED_FSCK); ++ f2fs_msg(fio.sbi->sb, KERN_WARNING, ++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " ++ "run fsck to fix.", ++ __func__, dn->inode->i_ino, dn->data_blkaddr); ++ return -EINVAL; ++ } ++ + f2fs_bug_on(F2FS_P_SB(page), PageWriteback(page)); + + read_inline_data(page, dn->inode_page); +@@ -351,6 +361,17 @@ static int f2fs_move_inline_dirents(stru + if (err) + goto out; + ++ if (unlikely(dn.data_blkaddr != NEW_ADDR)) { ++ f2fs_put_dnode(&dn); ++ set_sbi_flag(F2FS_P_SB(page), SBI_NEED_FSCK); ++ f2fs_msg(F2FS_P_SB(page)->sb, KERN_WARNING, ++ "%s: corrupted inline inode ino=%lx, i_addr[0]:0x%x, " ++ "run fsck to fix.", ++ __func__, dir->i_ino, dn.data_blkaddr); ++ err = -EINVAL; ++ goto out; ++ } ++ + f2fs_wait_on_page_writeback(page, DATA, true); + zero_user_segment(page, MAX_INLINE_DATA, PAGE_SIZE); + diff --git a/queue-4.9/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch b/queue-4.9/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch new file mode 100644 index 00000000000..3da3fcfbd5e --- /dev/null +++ b/queue-4.9/f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch 
@@ -0,0 +1,223 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Chao Yu +Date: Sat, 23 Jun 2018 11:25:19 +0800 +Subject: f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize + +From: Chao Yu + +[ Upstream commit c77ec61ca0a49544ca81881cc5d5529858f7e196 ] + +This patch adds to do sanity check with {sit,nat}_ver_bitmap_bytesize +during mount, in order to avoid accessing across cache boundary with +this abnormal bitmap size. + +- Overview +buffer overrun in build_sit_info() when mounting a crafted f2fs image + +- Reproduce + +- Kernel message +[ 548.580867] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.580877] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.584979] ================================================================== +[ 548.586568] BUG: KASAN: use-after-free in kmemdup+0x36/0x50 +[ 548.587715] Read of size 64 at addr ffff8801e9c265ff by task mount/1295 + +[ 548.589428] CPU: 1 PID: 1295 Comm: mount Not tainted 4.18.0-rc1+ #4 +[ 548.589432] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.589438] Call Trace: +[ 548.589474] dump_stack+0x7b/0xb5 +[ 548.589487] print_address_description+0x70/0x290 +[ 548.589492] kasan_report+0x291/0x390 +[ 548.589496] ? kmemdup+0x36/0x50 +[ 548.589509] check_memory_region+0x139/0x190 +[ 548.589514] memcpy+0x23/0x50 +[ 548.589518] kmemdup+0x36/0x50 +[ 548.589545] f2fs_build_segment_manager+0x8fa/0x3410 +[ 548.589551] ? __asan_loadN+0xf/0x20 +[ 548.589560] ? f2fs_sanity_check_ckpt+0x1be/0x240 +[ 548.589566] ? f2fs_flush_sit_entries+0x10c0/0x10c0 +[ 548.589587] ? __put_user_ns+0x40/0x40 +[ 548.589604] ? find_next_bit+0x57/0x90 +[ 548.589610] f2fs_fill_super+0x194b/0x2b40 +[ 548.589617] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.589637] ? set_blocksize+0x90/0x140 +[ 548.589651] mount_bdev+0x1c5/0x210 +[ 548.589655] ? 
f2fs_commit_super+0x1b0/0x1b0 +[ 548.589667] f2fs_mount+0x15/0x20 +[ 548.589672] mount_fs+0x60/0x1a0 +[ 548.589683] ? alloc_vfsmnt+0x309/0x360 +[ 548.589688] vfs_kern_mount+0x6b/0x1a0 +[ 548.589699] do_mount+0x34a/0x18c0 +[ 548.589710] ? lockref_put_or_lock+0xcf/0x160 +[ 548.589716] ? copy_mount_string+0x20/0x20 +[ 548.589728] ? memcg_kmem_put_cache+0x1b/0xa0 +[ 548.589734] ? kasan_check_write+0x14/0x20 +[ 548.589740] ? _copy_from_user+0x6a/0x90 +[ 548.589744] ? memdup_user+0x42/0x60 +[ 548.589750] ksys_mount+0x83/0xd0 +[ 548.589755] __x64_sys_mount+0x67/0x80 +[ 548.589781] do_syscall_64+0x78/0x170 +[ 548.589797] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.589820] RIP: 0033:0x7f76fc331b9a +[ 548.589821] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.589880] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.589890] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.589892] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.589895] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.589897] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.589900] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 + +[ 548.590242] The buggy address belongs to the page: +[ 548.591243] page:ffffea0007a70980 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +[ 548.592886] flags: 0x2ffff0000000000() +[ 548.593665] raw: 02ffff0000000000 dead000000000100 dead000000000200 0000000000000000 +[ 548.595258] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +[ 548.603713] page dumped because: kasan: bad access detected + +[ 548.605203] Memory state around the buggy address: +[ 548.606198] ffff8801e9c26480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.607676] 
ffff8801e9c26500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.609157] >ffff8801e9c26580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.610629] ^ +[ 548.612088] ffff8801e9c26600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.613674] ffff8801e9c26680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff +[ 548.615141] ================================================================== +[ 548.616613] Disabling lock debugging due to kernel taint +[ 548.622871] WARNING: CPU: 1 PID: 1295 at mm/page_alloc.c:4065 __alloc_pages_slowpath+0xe4a/0x1420 +[ 548.622878] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mac_hid i2c_piix4 soundcore ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl drm_kms_helper syscopyarea aesni_intel sysfillrect sysimgblt fb_sys_fops ttm drm aes_x86_64 crypto_simd cryptd 8139cp glue_helper mii pata_acpi floppy +[ 548.623217] CPU: 1 PID: 1295 Comm: mount Tainted: G B 4.18.0-rc1+ #4 +[ 548.623219] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +[ 548.623226] RIP: 0010:__alloc_pages_slowpath+0xe4a/0x1420 +[ 548.623227] Code: ff ff 01 89 85 c8 fe ff ff e9 91 fc ff ff 41 89 c5 e9 5c fc ff ff 0f 0b 89 f8 25 ff ff f7 ff 89 85 8c fe ff ff e9 d5 f2 ff ff <0f> 0b e9 65 f2 ff ff 65 8b 05 38 81 d2 47 f6 c4 01 74 1c 65 48 8b +[ 548.623281] RSP: 0018:ffff8801f28c7678 EFLAGS: 00010246 +[ 548.623284] RAX: 0000000000000000 RBX: 00000000006040c0 RCX: ffffffffb82f73b7 +[ 548.623287] RDX: 1ffff1003e518eeb RSI: 000000000000000c RDI: 0000000000000000 +[ 548.623290] RBP: ffff8801f28c7880 R08: 0000000000000000 R09: ffffed0047fff2c5 +[ 548.623292] R10: 0000000000000001 R11: ffffed0047fff2c4 R12: ffff8801e88de040 +[ 548.623295] R13: 00000000006040c0 R14: 
000000000000000c R15: ffff8801f28c7938 +[ 548.623299] FS: 00007f76fca51840(0000) GS:ffff8801f6f00000(0000) knlGS:0000000000000000 +[ 548.623302] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 548.623304] CR2: 00007f19b9171760 CR3: 00000001ed952000 CR4: 00000000000006e0 +[ 548.623317] Call Trace: +[ 548.623325] ? kasan_check_read+0x11/0x20 +[ 548.623330] ? __zone_watermark_ok+0x92/0x240 +[ 548.623336] ? get_page_from_freelist+0x1c3/0x1d90 +[ 548.623347] ? _raw_spin_lock_irqsave+0x2a/0x60 +[ 548.623353] ? warn_alloc+0x250/0x250 +[ 548.623358] ? save_stack+0x46/0xd0 +[ 548.623361] ? kasan_kmalloc+0xad/0xe0 +[ 548.623366] ? __isolate_free_page+0x2a0/0x2a0 +[ 548.623370] ? mount_fs+0x60/0x1a0 +[ 548.623374] ? vfs_kern_mount+0x6b/0x1a0 +[ 548.623378] ? do_mount+0x34a/0x18c0 +[ 548.623383] ? ksys_mount+0x83/0xd0 +[ 548.623387] ? __x64_sys_mount+0x67/0x80 +[ 548.623391] ? do_syscall_64+0x78/0x170 +[ 548.623396] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623401] __alloc_pages_nodemask+0x3c5/0x400 +[ 548.623407] ? __alloc_pages_slowpath+0x1420/0x1420 +[ 548.623412] ? __mutex_lock_slowpath+0x20/0x20 +[ 548.623417] ? kvmalloc_node+0x31/0x80 +[ 548.623424] alloc_pages_current+0x75/0x110 +[ 548.623436] kmalloc_order+0x24/0x60 +[ 548.623442] kmalloc_order_trace+0x24/0xb0 +[ 548.623448] __kmalloc_track_caller+0x207/0x220 +[ 548.623455] ? f2fs_build_node_manager+0x399/0xbb0 +[ 548.623460] kmemdup+0x20/0x50 +[ 548.623465] f2fs_build_node_manager+0x399/0xbb0 +[ 548.623470] f2fs_fill_super+0x195e/0x2b40 +[ 548.623477] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623481] ? set_blocksize+0x90/0x140 +[ 548.623486] mount_bdev+0x1c5/0x210 +[ 548.623489] ? f2fs_commit_super+0x1b0/0x1b0 +[ 548.623495] f2fs_mount+0x15/0x20 +[ 548.623498] mount_fs+0x60/0x1a0 +[ 548.623503] ? alloc_vfsmnt+0x309/0x360 +[ 548.623508] vfs_kern_mount+0x6b/0x1a0 +[ 548.623513] do_mount+0x34a/0x18c0 +[ 548.623518] ? lockref_put_or_lock+0xcf/0x160 +[ 548.623523] ? copy_mount_string+0x20/0x20 +[ 548.623528] ? 
memcg_kmem_put_cache+0x1b/0xa0 +[ 548.623533] ? kasan_check_write+0x14/0x20 +[ 548.623537] ? _copy_from_user+0x6a/0x90 +[ 548.623542] ? memdup_user+0x42/0x60 +[ 548.623547] ksys_mount+0x83/0xd0 +[ 548.623552] __x64_sys_mount+0x67/0x80 +[ 548.623557] do_syscall_64+0x78/0x170 +[ 548.623562] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 548.623566] RIP: 0033:0x7f76fc331b9a +[ 548.623567] Code: 48 8b 0d 01 c3 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d ce c2 2b 00 f7 d8 64 89 01 48 +[ 548.623632] RSP: 002b:00007ffd4f0a0e48 EFLAGS: 00000206 ORIG_RAX: 00000000000000a5 +[ 548.623636] RAX: ffffffffffffffda RBX: 000000000146c030 RCX: 00007f76fc331b9a +[ 548.623639] RDX: 000000000146c210 RSI: 000000000146df30 RDI: 0000000001474ec0 +[ 548.623641] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000013 +[ 548.623643] R10: 00000000c0ed0000 R11: 0000000000000206 R12: 0000000001474ec0 +[ 548.623646] R13: 000000000146c210 R14: 0000000000000000 R15: 0000000000000003 +[ 548.623650] ---[ end trace 4ce02f25ff7d3df5 ]--- +[ 548.623656] F2FS-fs (loop0): Failed to initialize F2FS node manager +[ 548.627936] F2FS-fs (loop0): Invalid log blocks per segment (8201) + +[ 548.627940] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock +[ 548.635835] F2FS-fs (loop0): Failed to initialize F2FS node manager + +- Location +https://elixir.bootlin.com/linux/v4.18-rc1/source/fs/f2fs/segment.c#L3578 + + sit_i->sit_bitmap = kmemdup(src_bitmap, bitmap_size, GFP_KERNEL); + +Buffer overrun happens when doing memcpy. I suspect there is missing (inconsistent) checks on bitmap_size. + +Reported by Wen Xu (wen.xu@gatech.edu) from SSLab, Gatech. 
+ +Reported-by: Wen Xu +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1425,12 +1425,17 @@ int sanity_check_ckpt(struct f2fs_sb_inf + struct f2fs_super_block *raw_super = F2FS_RAW_SUPER(sbi); + struct f2fs_checkpoint *ckpt = F2FS_CKPT(sbi); + unsigned int main_segs, blocks_per_seg; ++ unsigned int sit_segs, nat_segs; ++ unsigned int sit_bitmap_size, nat_bitmap_size; ++ unsigned int log_blocks_per_seg; + int i; + + total = le32_to_cpu(raw_super->segment_count); + fsmeta = le32_to_cpu(raw_super->segment_count_ckpt); +- fsmeta += le32_to_cpu(raw_super->segment_count_sit); +- fsmeta += le32_to_cpu(raw_super->segment_count_nat); ++ sit_segs = le32_to_cpu(raw_super->segment_count_sit); ++ fsmeta += sit_segs; ++ nat_segs = le32_to_cpu(raw_super->segment_count_nat); ++ fsmeta += nat_segs; + fsmeta += le32_to_cpu(ckpt->rsvd_segment_count); + fsmeta += le32_to_cpu(raw_super->segment_count_ssa); + +@@ -1451,6 +1456,18 @@ int sanity_check_ckpt(struct f2fs_sb_inf + return 1; + } + ++ sit_bitmap_size = le32_to_cpu(ckpt->sit_ver_bitmap_bytesize); ++ nat_bitmap_size = le32_to_cpu(ckpt->nat_ver_bitmap_bytesize); ++ log_blocks_per_seg = le32_to_cpu(raw_super->log_blocks_per_seg); ++ ++ if (sit_bitmap_size != ((sit_segs / 2) << log_blocks_per_seg) / 8 || ++ nat_bitmap_size != ((nat_segs / 2) << log_blocks_per_seg) / 8) { ++ f2fs_msg(sbi->sb, KERN_ERR, ++ "Wrong bitmap size: sit: %u, nat:%u", ++ sit_bitmap_size, nat_bitmap_size); ++ return 1; ++ } ++ + if (unlikely(f2fs_cp_error(sbi))) { + f2fs_msg(sbi->sb, KERN_ERR, "A bug case: need to run fsck"); + return 1; 
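Review bot: in the second fs/f2fs/super.c hunk, the new comparison evaluates ((sit_segs / 2) << log_blocks_per_seg) / 8 in unsigned int, so it is only sound if log_blocks_per_seg has already been range-checked and the shifted value cannot wrap. The kernel log quoted in the commit message shows a superblock with "Invalid log blocks per segment (8201)", so the dependency is real. Add a comment naming the earlier check that bounds log_blocks_per_seg, or do the arithmetic in a 64-bit type. Minor: the format string "sit: %u, nat:%u" is inconsistently spaced.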
diff --git a/queue-4.9/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch b/queue-4.9/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch new file mode 100644 index 00000000000..7b297112eff --- /dev/null +++ b/queue-4.9/f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch 
@@ -0,0 +1,74 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Chao Yu +Date: Wed, 4 Jul 2018 21:20:05 +0800 +Subject: f2fs: fix to skip GC if type in SSA and SIT is inconsistent + +From: Chao Yu + +[ Upstream commit 10d255c3540239c7920f52d2eb223756e186af56 ] + +If segment type in SSA and SIT is inconsistent, we will encounter below +BUG_ON during GC, to avoid this panic, let's just skip doing GC on such +segment. + +The bug is triggered with image reported in below link: + +https://bugzilla.kernel.org/show_bug.cgi?id=200223 + +[ 388.060262] ------------[ cut here ]------------ +[ 388.060268] kernel BUG at /home/y00370721/git/devf2fs/gc.c:989! +[ 388.061172] invalid opcode: 0000 [#1] SMP +[ 388.061773] Modules linked in: f2fs(O) bluetooth ecdh_generic xt_tcpudp iptable_filter ip_tables x_tables lp ttm drm_kms_helper drm intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel fb_sys_fops ppdev aes_x86_64 syscopyarea crypto_simd sysfillrect parport_pc joydev sysimgblt glue_helper parport cryptd i2c_piix4 serio_raw mac_hid btrfs hid_generic usbhid hid raid6_pq psmouse pata_acpi floppy +[ 388.064247] CPU: 7 PID: 4151 Comm: f2fs_gc-7:0 Tainted: G O 4.13.0-rc1+ #26 +[ 388.065306] Hardware name: Xen HVM domU, BIOS 4.1.2_115-900.260_ 11/06/2015 +[ 388.066058] task: ffff880201583b80 task.stack: ffffc90004d7c000 +[ 388.069948] RIP: 0010:do_garbage_collect+0xcc8/0xcd0 [f2fs] +[ 388.070766] RSP: 0018:ffffc90004d7fc68 EFLAGS: 00010202 +[ 388.071783] RAX: ffff8801ed227000 RBX: 0000000000000001 RCX: ffffea0007b489c0 +[ 388.072700] RDX: ffff880000000000 RSI: 0000000000000001 RDI: ffffea0007b489c0 +[ 388.073607] RBP: ffffc90004d7fd58 R08: 0000000000000003 R09: ffffea0007b489dc +[ 388.074619] R10: 0000000000000000 R11: 0052782ab317138d R12: 0000000000000018 +[ 388.075625] R13: 0000000000000018 R14: ffff880211ceb000 R15: ffff880211ceb000 +[ 388.076687] FS: 0000000000000000(0000) GS:ffff880214fc0000(0000) knlGS:0000000000000000 +[ 388.083277] CS: 
0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 388.084536] CR2: 0000000000e18c60 CR3: 00000001ecf2e000 CR4: 00000000001406e0 +[ 388.085748] Call Trace: +[ 388.086690] ? find_next_bit+0xb/0x10 +[ 388.088091] f2fs_gc+0x1a8/0x9d0 [f2fs] +[ 388.088888] ? lock_timer_base+0x7d/0xa0 +[ 388.090213] ? try_to_del_timer_sync+0x44/0x60 +[ 388.091698] gc_thread_func+0x342/0x4b0 [f2fs] +[ 388.092892] ? wait_woken+0x80/0x80 +[ 388.094098] kthread+0x109/0x140 +[ 388.095010] ? f2fs_gc+0x9d0/0x9d0 [f2fs] +[ 388.096043] ? kthread_park+0x60/0x60 +[ 388.097281] ret_from_fork+0x25/0x30 +[ 388.098401] Code: ff ff 48 83 e8 01 48 89 44 24 58 e9 27 f8 ff ff 48 83 e8 01 e9 78 fc ff ff 48 8d 78 ff e9 17 fb ff ff 48 83 ef 01 e9 4d f4 ff ff <0f> 0b 66 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 56 41 55 +[ 388.100864] RIP: do_garbage_collect+0xcc8/0xcd0 [f2fs] RSP: ffffc90004d7fc68 +[ 388.101810] ---[ end trace 81c73d6e6b7da61d ]--- + +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -877,7 +877,13 @@ static int do_garbage_collect(struct f2f + goto next; + + sum = page_address(sum_page); +- f2fs_bug_on(sbi, type != GET_SUM_TYPE((&sum->footer))); ++ if (type != GET_SUM_TYPE((&sum->footer))) { ++ f2fs_msg(sbi->sb, KERN_ERR, "Inconsistent segment (%u) " ++ "type [%d, %d] in SSA and SIT", ++ segno, type, GET_SUM_TYPE((&sum->footer))); ++ set_sbi_flag(sbi, SBI_NEED_FSCK); ++ goto next; ++ } + + /* + * this is to avoid deadlock: diff --git a/queue-4.9/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch b/queue-4.9/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch new file mode 100644 index 00000000000..6375dd37677 --- /dev/null +++ b/queue-4.9/f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch 
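Review bot: in the fs/f2fs/gc.c hunk of the preceding patch, the new branch logs at KERN_ERR and then only skips the segment with goto next, and nothing in the hunk prevents the same segment from being selected again, so the message can repeat on every GC pass; consider logging once or rate-limiting it. GET_SUM_TYPE((&sum->footer)) is also evaluated twice, once for the comparison and once for the message; a local variable would guarantee that the printed value is the one that was compared.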
@@ -0,0 +1,33 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Dan Carpenter +Date: Wed, 20 Jun 2018 13:39:53 +0300 +Subject: f2fs: Fix uninitialized return in f2fs_ioc_shutdown() + +From: Dan Carpenter + +[ Upstream commit 2a96d8ad94ce57cb0072f7a660b1039720c47716 ] + +"ret" can be uninitialized on the success path when "in == +F2FS_GOING_DOWN_FULLSYNC". + +Fixes: 60b2b4ee2bc0 ("f2fs: Fix deadlock in shutdown ioctl") +Signed-off-by: Dan Carpenter +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -1665,7 +1665,7 @@ static int f2fs_ioc_shutdown(struct file + struct f2fs_sb_info *sbi = F2FS_I_SB(inode); + struct super_block *sb = sbi->sb; + __u32 in; +- int ret; ++ int ret = 0; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; diff --git a/queue-4.9/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch b/queue-4.9/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch new file mode 100644 index 00000000000..4016ac8619a --- /dev/null +++ b/queue-4.9/f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch 
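Review bot: in the fs/f2fs/file.c hunk of the preceding patch, initialising ret at its declaration also silences the compiler for any path added later that forgets to set it. Assigning ret = 0 in the F2FS_GOING_DOWN_FULLSYNC case named in the commit message would fix the same bug and keep the uninitialized-variable warning useful.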
@@ -0,0 +1,38 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Chao Yu +Date: Wed, 4 Jul 2018 18:04:10 +0800 +Subject: f2fs: try grabbing node page lock aggressively in sync scenario + +From: Chao Yu + +[ Upstream commit 4b270a8cc5047682f0a3f3f9af3b498408dbd2bc ] + +In synchronous scenario, like in checkpoint(), we are going to flush +dirty node pages to device synchronously, we can easily failed +writebacking node page due to trylock_page() failure, especially in +condition of intensive lock competition, which can cause long latency +of checkpoint(). So let's use lock_page() in synchronous scenario to +avoid this issue. + +Signed-off-by: Yunlei He +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/node.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/node.c ++++ b/fs/f2fs/node.c +@@ -1463,7 +1463,9 @@ next_step: + !is_cold_node(page))) + continue; + lock_node: +- if (!trylock_page(page)) ++ if (wbc->sync_mode == WB_SYNC_ALL) ++ lock_page(page); ++ else if (!trylock_page(page)) + continue; + + if (unlikely(page->mapping != NODE_MAPPING(sbi))) { diff --git a/queue-4.9/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch b/queue-4.9/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch new file mode 100644 index 00000000000..8dcdd3928d0 --- /dev/null +++ b/queue-4.9/gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch 
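Review bot: in the fs/f2fs/node.c hunk of the preceding patch, the WB_SYNC_ALL branch now sleeps in lock_page() where the old code skipped the page, so a WB_SYNC_ALL caller that reaches this loop while already holding a node page lock would block instead of moving on; the commit message should say why that cannot happen. Because the change sits under the lock_node: label, any jump back to that label takes the blocking path as well.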
@@ -0,0 +1,41 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Anton Vasilyev +Date: Mon, 23 Jul 2018 19:53:30 +0300 +Subject: gpio: ml-ioh: Fix buffer underwrite on probe error path + +From: Anton Vasilyev + +[ Upstream commit 4bf4eed44bfe288f459496eaf38089502ef91a79 ] + +If ioh_gpio_probe() fails on devm_irq_alloc_descs() then chip may point +to any element of chip_save array, so reverse iteration from pointer chip +may become chip_save[-1] and gpiochip_remove() will operate with wrong +memory. + +The patch fix the error path of ioh_gpio_probe() to correctly bypass +chip_save array. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-ml-ioh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-ml-ioh.c ++++ b/drivers/gpio/gpio-ml-ioh.c +@@ -495,9 +495,10 @@ err_irq_alloc_descs: + + chip = chip_save; + err_gpiochip_add: ++ chip = chip_save; + while (--i >= 0) { +- chip--; + gpiochip_remove(&chip->gpio); ++ chip++; + } + kfree(chip_save); + diff --git a/queue-4.9/gpio-tegra-move-driver-registration-to-subsys_init-level.patch b/queue-4.9/gpio-tegra-move-driver-registration-to-subsys_init-level.patch new file mode 100644 index 00000000000..ea978796750 --- /dev/null +++ b/queue-4.9/gpio-tegra-move-driver-registration-to-subsys_init-level.patch 
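Review bot: in the drivers/gpio/gpio-ml-ioh.c hunk of the preceding patch, the chip = chip_save; added after err_gpiochip_add: makes the identical assignment in the context line just above the label redundant; drop the earlier one so the reset happens in one place. The loop now removes chip_save[0] through chip_save[i-1] in ascending order instead of walking backwards from chip, which deserves a short comment.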
@@ -0,0 +1,37 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Dmitry Osipenko +Date: Thu, 2 Aug 2018 14:11:44 +0300 +Subject: gpio: tegra: Move driver registration to subsys_init level + +From: Dmitry Osipenko + +[ Upstream commit 40b25bce0adbe641a744d1291bc0e51fb7f3c3d8 ] + +There is a bug in regards to deferred probing within the drivers core +that causes GPIO-driver to suspend after its users. The bug appears if +GPIO-driver probe is getting deferred, which happens after introducing +dependency on PINCTRL-driver for the GPIO-driver by defining "gpio-ranges" +property in device-tree. The bug in the drivers core is old (more than 4 +years now) and is well known, unfortunately there is no easy fix for it. +The good news is that we can workaround the deferred probe issue by +changing GPIO / PINCTRL drivers registration order and hence by moving +PINCTRL driver registration to the arch_init level and GPIO to the +subsys_init. + +Signed-off-by: Dmitry Osipenko +Acked-by: Stefan Agner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -723,4 +723,4 @@ static int __init tegra_gpio_init(void) + { + return platform_driver_register(&tegra_gpio_driver); + } +-postcore_initcall(tegra_gpio_init); ++subsys_initcall(tegra_gpio_init); diff --git a/queue-4.9/input-atmel_mxt_ts-only-use-first-t9-instance.patch b/queue-4.9/input-atmel_mxt_ts-only-use-first-t9-instance.patch new file mode 100644 index 00000000000..e4093a64b32 --- /dev/null +++ b/queue-4.9/input-atmel_mxt_ts-only-use-first-t9-instance.patch 
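Review bot: the drivers/gpio/gpio-tegra.c hunk of the preceding patch only changes postcore_initcall to subsys_initcall, while the commit message says the workaround also relies on moving PINCTRL driver registration to the arch_init level. That half is not in this patch, so check that the 4.9 queue carries the matching pinctrl change before applying this one on its own.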
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Nick Dyer +Date: Fri, 27 Jul 2018 11:44:20 -0700 +Subject: Input: atmel_mxt_ts - only use first T9 instance + +From: Nick Dyer + +[ Upstream commit 36f5d9ef26e52edff046b4b097855db89bf0cd4a ] + +The driver only registers one input device, which uses the screen +parameters from the first T9 instance. The first T63 instance also uses +those parameters. + +It is incorrect to send input reports from the second instances of these +objects if they are enabled: the input scaling will be wrong and the +positions will be mashed together. + +This also causes problems on Android if the number of slots exceeds 32. + +In the future, this could be handled by looking for enabled touch object +instances and creating an input device for each one. + +Signed-off-by: Nick Dyer +Acked-by: Benson Leung +Acked-by: Yufeng Shen +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -1671,10 +1671,11 @@ static int mxt_get_object_table(struct m + break; + case MXT_TOUCH_MULTI_T9: + data->multitouch = MXT_TOUCH_MULTI_T9; ++ /* Only handle messages from first T9 instance */ + data->T9_reportid_min = min_id; +- data->T9_reportid_max = max_id; +- data->num_touchids = object->num_report_ids +- * mxt_obj_instances(object); ++ data->T9_reportid_max = min_id + ++ object->num_report_ids - 1; ++ data->num_touchids = object->num_report_ids; + break; + case MXT_SPT_MESSAGECOUNT_T44: + data->T44_address = object->start_address; diff --git a/queue-4.9/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch b/queue-4.9/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch new file mode 100644 index 00000000000..1c2f46fad83 --- /dev/null 
+++ b/queue-4.9/iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch 
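Review bot: the drivers/input/touchscreen/atmel_mxt_ts.c hunk of the preceding patch restricts only the MXT_TOUCH_MULTI_T9 case, although the commit message says second instances of both T9 and T63 must not send input reports. If this tree handles T63 messages, that case needs the same restriction; if it does not, the backport description should say so.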
@@ -0,0 +1,87 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Geert Uytterhoeven +Date: Fri, 20 Jul 2018 18:16:59 +0200 +Subject: iommu/ipmmu-vmsa: Fix allocation in atomic context + +From: Geert Uytterhoeven + +[ Upstream commit 46583e8c48c5a094ba28060615b3a7c8c576690f ] + +When attaching a device to an IOMMU group with +CONFIG_DEBUG_ATOMIC_SLEEP=y: + + BUG: sleeping function called from invalid context at mm/slab.h:421 + in_atomic(): 1, irqs_disabled(): 128, pid: 61, name: kworker/1:1 + ... + Call trace: + ... + arm_lpae_alloc_pgtable+0x114/0x184 + arm_64_lpae_alloc_pgtable_s1+0x2c/0x128 + arm_32_lpae_alloc_pgtable_s1+0x40/0x6c + alloc_io_pgtable_ops+0x60/0x88 + ipmmu_attach_device+0x140/0x334 + +ipmmu_attach_device() takes a spinlock, while arm_lpae_alloc_pgtable() +allocates memory using GFP_KERNEL. Originally, the ipmmu-vmsa driver +had its own custom page table allocation implementation using +GFP_ATOMIC, hence the spinlock was fine. + +Fix this by replacing the spinlock by a mutex, like the arm-smmu driver +does. 
+ +Fixes: f20ed39f53145e45 ("iommu/ipmmu-vmsa: Use the ARM LPAE page table allocator") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/ipmmu-vmsa.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/iommu/ipmmu-vmsa.c ++++ b/drivers/iommu/ipmmu-vmsa.c +@@ -44,7 +44,7 @@ struct ipmmu_vmsa_domain { + struct io_pgtable_ops *iop; + + unsigned int context_id; +- spinlock_t lock; /* Protects mappings */ ++ struct mutex mutex; /* Protects mappings */ + }; + + struct ipmmu_vmsa_archdata { +@@ -464,7 +464,7 @@ static struct iommu_domain *ipmmu_domain + if (!domain) + return NULL; + +- spin_lock_init(&domain->lock); ++ mutex_init(&domain->mutex); + + return &domain->io_domain; + } +@@ -488,7 +488,6 @@ static int ipmmu_attach_device(struct io + struct ipmmu_vmsa_archdata *archdata = dev->archdata.iommu; + struct ipmmu_vmsa_device *mmu = archdata->mmu; + struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain); +- unsigned long flags; + unsigned int i; + int ret = 0; + +@@ -497,7 +496,7 @@ static int ipmmu_attach_device(struct io + return -ENXIO; + } + +- spin_lock_irqsave(&domain->lock, flags); ++ mutex_lock(&domain->mutex); + + if (!domain->mmu) { + /* The domain hasn't been used yet, initialize it. */ +@@ -513,7 +512,7 @@ static int ipmmu_attach_device(struct io + ret = -EINVAL; + } + +- spin_unlock_irqrestore(&domain->lock, flags); ++ mutex_unlock(&domain->mutex); + + if (ret < 0) + return ret; diff --git a/queue-4.9/macintosh-via-pmu-add-missing-mmio-accessors.patch b/queue-4.9/macintosh-via-pmu-add-missing-mmio-accessors.patch new file mode 100644 index 00000000000..e94fc7f98c1 --- /dev/null +++ b/queue-4.9/macintosh-via-pmu-add-missing-mmio-accessors.patch 
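Review bot: in the first drivers/iommu/ipmmu-vmsa.c hunk of the preceding patch, the renamed field keeps the comment "Protects mappings", but the only lock/unlock pair in the patch is in ipmmu_attach_device(), and the rename would not compile if any other user existed. Update the comment to say what the mutex actually serialises (domain initialisation on attach). Since mutex_lock() sleeps, also note in the commit message that attach is never called from atomic context.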
@@ -0,0 +1,52 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Finn Thain +Date: Mon, 2 Jul 2018 04:21:18 -0400 +Subject: macintosh/via-pmu: Add missing mmio accessors + +From: Finn Thain + +[ Upstream commit 576d5290d678a651b9f36050fc1717e0573aca13 ] + +Add missing in_8() accessors to init_pmu() and pmu_sr_intr(). + +This fixes several sparse warnings: +drivers/macintosh/via-pmu.c:536:29: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:537:33: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1455:17: warning: dereference of noderef expression +drivers/macintosh/via-pmu.c:1456:69: warning: dereference of noderef expression + +Tested-by: Stan Johnson +Signed-off-by: Finn Thain +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/macintosh/via-pmu.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/macintosh/via-pmu.c ++++ b/drivers/macintosh/via-pmu.c +@@ -531,8 +531,9 @@ init_pmu(void) + int timeout; + struct adb_request req; + +- out_8(&via[B], via[B] | TREQ); /* negate TREQ */ +- out_8(&via[DIRB], (via[DIRB] | TREQ) & ~TACK); /* TACK in, TREQ out */ ++ /* Negate TREQ. Set TACK to input and TREQ to output. */ ++ out_8(&via[B], in_8(&via[B]) | TREQ); ++ out_8(&via[DIRB], (in_8(&via[DIRB]) | TREQ) & ~TACK); + + pmu_request(&req, NULL, 2, PMU_SET_INTR_MASK, pmu_intr_mask); + timeout = 100000; +@@ -1454,8 +1455,8 @@ pmu_sr_intr(void) + struct adb_request *req; + int bite = 0; + +- if (via[B] & TREQ) { +- printk(KERN_ERR "PMU: spurious SR intr (%x)\n", via[B]); ++ if (in_8(&via[B]) & TREQ) { ++ printk(KERN_ERR "PMU: spurious SR intr (%x)\n", in_8(&via[B])); + out_8(&via[IFR], SR_INT); + return NULL; + } 
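Review bot: in the pmu_sr_intr() hunk of drivers/macintosh/via-pmu.c, in_8(&via[B]) is now called twice, once for the TREQ test and once for the printk argument, so the logged value can differ from the one that triggered the branch. Read the register once into a local and use it for both.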
diff --git a/queue-4.9/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch b/queue-4.9/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch new file mode 100644 index 00000000000..43475aa96dd --- /dev/null +++ b/queue-4.9/md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch 
@@ -0,0 +1,76 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: BingJing Chang +Date: Wed, 1 Aug 2018 17:08:36 +0800 +Subject: md/raid5: fix data corruption of replacements after originals dropped + +From: BingJing Chang + +[ Upstream commit d63e2fc804c46e50eee825c5d3a7228e07048b47 ] + +During raid5 replacement, the stripes can be marked with R5_NeedReplace +flag. Data can be read from being-replaced devices and written to +replacing spares without reading all other devices. (It's 'replace' +mode. s.replacing = 1) If a being-replaced device is dropped, the +replacement progress will be interrupted and resumed with pure recovery +mode. However, existing stripes before being interrupted cannot read +from the dropped device anymore. It prints lots of WARN_ON messages. +And it results in data corruption because existing stripes write +problematic data into its replacement device and update the progress. + +\# Erase disks (1MB + 2GB) +dd if=/dev/zero of=/dev/sda bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdb bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdc bs=1MB count=2049 +dd if=/dev/zero of=/dev/sdd bs=1MB count=2049 +mdadm -C /dev/md0 -amd -R -l5 -n3 -x0 /dev/sd[abc] -z 2097152 +\# Ensure array stores non-zero data +dd if=/root/data_4GB.iso of=/dev/md0 bs=1MB +\# Start replacement +mdadm /dev/md0 -a /dev/sdd +mdadm /dev/md0 --replace /dev/sda + +Then, Hot-plug out /dev/sda during recovery, and wait for recovery done. +echo check > /sys/block/md0/md/sync_action +cat /sys/block/md0/md/mismatch_cnt # it will be greater than 0. + +Soon after you hot-plug out /dev/sda, you will see many WARN_ON +messages. The replacement recovery will be interrupted shortly. After +the recovery finishes, it will result in data corruption. + +Actually, it's just an unhandled case of replacement. 
In commit + (md/raid5: fix interaction of 'replace' and 'recovery'.), +if a NeedReplace device is not UPTODATE then that is an error, the +commit just simply print WARN_ON but also mark these corrupted stripes +with R5_WantReplace. (it means it's ready for writes.) + +To fix this case, we can leverage 'sync and replace' mode mentioned in +commit <9a3e1101b827> (md/raid5: detect and handle replacements during +recovery.). We can add logics to detect and use 'sync and replace' mode +for these stripes. + +Reported-by: Alex Chen +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -4207,6 +4207,12 @@ static void analyse_stripe(struct stripe + s->failed++; + if (rdev && !test_bit(Faulty, &rdev->flags)) + do_recovery = 1; ++ else if (!rdev) { ++ rdev = rcu_dereference( ++ conf->disks[i].replacement); ++ if (rdev && !test_bit(Faulty, &rdev->flags)) ++ do_recovery = 1; ++ } + } + } + if (test_bit(STRIPE_SYNCING, &sh->state)) { diff --git a/queue-4.9/media-helene-fix-xtal-frequency-setting-at-power-on.patch b/queue-4.9/media-helene-fix-xtal-frequency-setting-at-power-on.patch new file mode 100644 index 00000000000..98dea8597b8 --- /dev/null +++ b/queue-4.9/media-helene-fix-xtal-frequency-setting-at-power-on.patch 
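Review bot: in the drivers/md/raid5.c hunk of the preceding patch, the added else if (!rdev) branch reads conf->disks[i].replacement with rcu_dereference(), which is only valid inside an RCU read-side critical section; the hunk context does not show one, so confirm this point in analyse_stripe() is still under rcu_read_lock(). Style: the if arm has no braces while the else-if arm does; kernel style puts braces on both when either needs them.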
@@ -0,0 +1,34 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Katsuhiro Suzuki +Date: Mon, 28 May 2018 21:09:20 -0400 +Subject: media: helene: fix xtal frequency setting at power on + +From: Katsuhiro Suzuki + +[ Upstream commit a00e5f074b3f3cd39d1ccdc53d4d805b014df3f3 ] + +This patch fixes crystal frequency setting when power on this device. + +Signed-off-by: Katsuhiro Suzuki +Acked-by: Abylay Ospan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/helene.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/helene.c ++++ b/drivers/media/dvb-frontends/helene.c +@@ -898,7 +898,10 @@ static int helene_x_pon(struct helene_pr + helene_write_regs(priv, 0x99, cdata, sizeof(cdata)); + + /* 0x81 - 0x94 */ +- data[0] = 0x18; /* xtal 24 MHz */ ++ if (priv->xtal == SONY_HELENE_XTAL_16000) ++ data[0] = 0x10; /* xtal 16 MHz */ ++ else ++ data[0] = 0x18; /* xtal 24 MHz */ + data[1] = (uint8_t)(0x80 | (0x04 & 0x1F)); /* 4 x 25 = 100uA */ + data[2] = (uint8_t)(0x80 | (0x26 & 0x7F)); /* 38 x 0.25 = 9.5pF */ + data[3] = 0x80; /* REFOUT signal output 500mVpp */ diff --git a/queue-4.9/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch b/queue-4.9/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch new file mode 100644 index 00000000000..fe778078f15 --- /dev/null +++ b/queue-4.9/media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch 
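Review bot: in the drivers/media/dvb-frontends/helene.c hunk of the preceding patch, the else arm silently programs 0x18 (24 MHz) for every priv->xtal value other than SONY_HELENE_XTAL_16000. A switch with explicit cases and an error return for unknown values would stop a misconfigured crystal setting from being treated as 24 MHz.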
@@ -0,0 +1,98 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Sylwester Nawrocki +Date: Tue, 5 Jun 2018 09:33:59 -0400 +Subject: media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions + +From: Sylwester Nawrocki + +[ Upstream commit 4faeaf9c0f4581667ce5826f9c90c4fd463ef086 ] + +Look up of buffers in s5p_mfc_handle_frame_new, s5p_mfc_handle_frame_copy_time +functions is not working properly for DMA addresses above 2 GiB. As a result +flags and timestamp of returned buffers are not set correctly and it breaks +operation of GStreamer/OMX plugins which rely on the CAPTURE buffer queue +flags. + +Due to improper return type of the get_dec_y_adr, get_dspl_y_adr callbacks +and sign bit extension these callbacks return incorrect address values, +e.g. 0xfffffffffefc0000 instead of 0x00000000fefc0000. Then the statement: + +"if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) == dec_y_addr)" + +is always false, which breaks looking up capture queue buffers. + +To ensure proper matching by address u32 type is used for the DMA +addresses. This should work on all related SoCs, since the MFC DMA +address width is not larger than 32-bit. + +Changes done in this patch are minimal as there is a larger patch series +pending refactoring the whole driver. 
+ +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -249,24 +249,24 @@ static void s5p_mfc_handle_frame_all_ext + static void s5p_mfc_handle_frame_copy_time(struct s5p_mfc_ctx *ctx) + { + struct s5p_mfc_dev *dev = ctx->dev; +- struct s5p_mfc_buf *dst_buf, *src_buf; +- size_t dec_y_addr; ++ struct s5p_mfc_buf *dst_buf, *src_buf; ++ u32 dec_y_addr; + unsigned int frame_type; + + /* Make sure we actually have a new frame before continuing. */ + frame_type = s5p_mfc_hw_call(dev->mfc_ops, get_dec_frame_type, dev); + if (frame_type == S5P_FIMV_DECODE_FRAME_SKIPPED) + return; +- dec_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev); ++ dec_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dec_y_adr, dev); + + /* Copy timestamp / timecode from decoded src to dst and set + appropriate flags. 
*/ + src_buf = list_entry(ctx->src_queue.next, struct s5p_mfc_buf, list); + list_for_each_entry(dst_buf, &ctx->dst_queue, list) { +- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) +- == dec_y_addr) { +- dst_buf->b->timecode = +- src_buf->b->timecode; ++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0); ++ ++ if (addr == dec_y_addr) { ++ dst_buf->b->timecode = src_buf->b->timecode; + dst_buf->b->vb2_buf.timestamp = + src_buf->b->vb2_buf.timestamp; + dst_buf->b->flags &= +@@ -302,10 +302,10 @@ static void s5p_mfc_handle_frame_new(str + { + struct s5p_mfc_dev *dev = ctx->dev; + struct s5p_mfc_buf *dst_buf; +- size_t dspl_y_addr; ++ u32 dspl_y_addr; + unsigned int frame_type; + +- dspl_y_addr = s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev); ++ dspl_y_addr = (u32)s5p_mfc_hw_call(dev->mfc_ops, get_dspl_y_adr, dev); + if (IS_MFCV6_PLUS(dev)) + frame_type = s5p_mfc_hw_call(dev->mfc_ops, + get_disp_frame_type, ctx); +@@ -324,9 +324,10 @@ static void s5p_mfc_handle_frame_new(str + /* The MFC returns address of the buffer, now we have to + * check which videobuf does it correspond to */ + list_for_each_entry(dst_buf, &ctx->dst_queue, list) { ++ u32 addr = (u32)vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0); ++ + /* Check if this is the buffer we're looking for */ +- if (vb2_dma_contig_plane_dma_addr(&dst_buf->b->vb2_buf, 0) +- == dspl_y_addr) { ++ if (addr == dspl_y_addr) { + list_del(&dst_buf->list); + ctx->dst_queue_cnt--; + dst_buf->b->sequence = ctx->sequence; diff --git a/queue-4.9/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch b/queue-4.9/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch new file mode 100644 index 00000000000..9c3016225c4 --- /dev/null +++ b/queue-4.9/mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch 
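Review bot: in the drivers/media/platform/s5p-mfc/s5p_mfc.c hunks of the preceding patch, the fix is applied as four separate (u32) casts at the call sites, while the commit message locates the bug in the return type of the get_dec_y_adr and get_dspl_y_adr callbacks. Correcting the callback return type would fix every caller at once; if the casts stay as the minimal stable fix, add a comment at each one stating the assumption that MFC DMA addresses fit in 32 bits. The first changed line of the copy_time hunk, the dst_buf/src_buf declaration, looks like a whitespace-only change and should be dropped from the fix.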
@@ -0,0 +1,61 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Zumeng Chen +Date: Wed, 4 Jul 2018 12:35:29 +0800 +Subject: mfd: ti_am335x_tscadc: Fix struct clk memory leak + +From: Zumeng Chen + +[ Upstream commit c2b1509c77a99a0dcea0a9051ca743cb88385f50 ] + +Use devm_elk_get() to let Linux manage struct clk memory to avoid the following +memory leakage report: + +unreferenced object 0xdd75efc0 (size 64): + comm "systemd-udevd", pid 186, jiffies 4294945126 (age 1195.750s) + hex dump (first 32 bytes): + 61 64 63 5f 74 73 63 5f 66 63 6b 00 00 00 00 00 adc_tsc_fck..... + 00 00 00 00 92 03 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x40/0x74 + [] __kmalloc_track_caller+0x198/0x388 + [] kstrdup+0x40/0x5c + [] kstrdup_const+0x30/0x3c + [] __clk_create_clk+0x60/0xac + [] clk_get_sys+0x74/0x144 + [] clk_get+0x5c/0x68 + [] ti_tscadc_probe+0x260/0x468 [ti_am335x_tscadc] + [] platform_drv_probe+0x60/0xac + [] driver_probe_device+0x214/0x2dc + [] __driver_attach+0x94/0xc0 + [] bus_for_each_dev+0x90/0xa0 + [] driver_attach+0x28/0x30 + [] bus_add_driver+0x184/0x1ec + [] driver_register+0xb0/0xf0 + [] __platform_driver_register+0x40/0x54 + +Signed-off-by: Zumeng Chen +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/ti_am335x_tscadc.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -209,14 +209,13 @@ static int ti_tscadc_probe(struct platfo + * The TSC_ADC_SS controller design assumes the OCP clock is + * at least 6x faster than the ADC clock. 
+ */ +- clk = clk_get(&pdev->dev, "adc_tsc_fck"); ++ clk = devm_clk_get(&pdev->dev, "adc_tsc_fck"); + if (IS_ERR(clk)) { + dev_err(&pdev->dev, "failed to get TSC fck\n"); + err = PTR_ERR(clk); + goto err_disable_clk; + } + clock_rate = clk_get_rate(clk); +- clk_put(clk); + tscadc->clk_div = clock_rate / ADC_CLK; + + /* TSCADC_CLKDIV needs to be configured to the value minus 1 */ diff --git a/queue-4.9/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch b/queue-4.9/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch new file mode 100644 index 00000000000..d105f6aece6 --- /dev/null +++ b/queue-4.9/mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch 
@@ -0,0 +1,50 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Paul Burton +Date: Fri, 27 Jul 2018 18:23:19 -0700 +Subject: MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET + +From: Paul Burton + +[ Upstream commit 0494d7ffdcebc6935410ea0719b24ab626675351 ] + +isa_virt_to_bus() & isa_bus_to_virt() claim to treat ISA bus addresses +as being identical to physical addresses, but they fail to do so in the +presence of a non-zero PHYS_OFFSET. + +Correct this by having them use virt_to_phys() & phys_to_virt(), which +consolidates the calculations to one place & ensures that ISA bus +addresses do indeed match physical addresses. + +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20047/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: Vladimir Kondratiev +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -141,14 +141,14 @@ static inline void * phys_to_virt(unsign + /* + * ISA I/O bus memory addresses are 1:1 with the physical address. + */ +-static inline unsigned long isa_virt_to_bus(volatile void * address) ++static inline unsigned long isa_virt_to_bus(volatile void *address) + { +- return (unsigned long)address - PAGE_OFFSET; ++ return virt_to_phys(address); + } + +-static inline void * isa_bus_to_virt(unsigned long address) ++static inline void *isa_bus_to_virt(unsigned long address) + { +- return (void *)(address + PAGE_OFFSET); ++ return phys_to_virt(address); + } + + #define isa_page_to_bus page_to_phys diff --git a/queue-4.9/mips-generic-fix-missing-of_node_put.patch b/queue-4.9/mips-generic-fix-missing-of_node_put.patch new file mode 100644 index 00000000000..b83d6a1199f --- /dev/null +++ b/queue-4.9/mips-generic-fix-missing-of_node_put.patch 
@@ -0,0 +1,38 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Nicholas Mc Guire +Date: Wed, 11 Jul 2018 20:32:45 +0200 +Subject: MIPS: generic: fix missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit 28ec2238f37e72a3a40a7eb46893e7651bcc40a6 ] + +of_find_compatible_node() returns a device_node pointer with refcount +incremented and must be decremented explicitly. + As this code is using the result only to check presence of the interrupt +controller (!NULL) but not actually using the result otherwise the +refcount can be decremented here immediately again. + +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19820/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/generic/init.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/generic/init.c ++++ b/arch/mips/generic/init.c +@@ -159,6 +159,7 @@ void __init arch_init_irq(void) + "mti,cpu-interrupt-controller"); + if (!cpu_has_veic && !intc_node) + mips_cpu_irq_init(); ++ of_node_put(intc_node); + + irqchip_init(); + } diff --git a/queue-4.9/mips-octeon-add-missing-of_node_put.patch b/queue-4.9/mips-octeon-add-missing-of_node_put.patch new file mode 100644 index 00000000000..34863885df9 --- /dev/null +++ b/queue-4.9/mips-octeon-add-missing-of_node_put.patch 
@@ -0,0 +1,44 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Nicholas Mc Guire +Date: Sat, 16 Jun 2018 09:06:33 +0200 +Subject: MIPS: Octeon: add missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit b1259519e618d479ede8a0db5474b3aff99f5056 ] + +The call to of_find_node_by_name returns a node pointer with refcount +incremented thus it must be explicitly decremented here after the last +usage. + +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19558/ +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/cavium-octeon/octeon-platform.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/cavium-octeon/octeon-platform.c ++++ b/arch/mips/cavium-octeon/octeon-platform.c +@@ -366,6 +366,7 @@ static int __init octeon_ehci_device_ini + return 0; + + pd = of_find_device_by_node(ehci_node); ++ of_node_put(ehci_node); + if (!pd) + return 0; + +@@ -428,6 +429,7 @@ static int __init octeon_ohci_device_ini + return 0; + + pd = of_find_device_by_node(ohci_node); ++ of_node_put(ohci_node); + if (!pd) + return 0; + diff --git a/queue-4.9/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch b/queue-4.9/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch new file mode 100644 index 00000000000..9359278b81f --- /dev/null +++ b/queue-4.9/mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch 
@@ -0,0 +1,46 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Paul Burton +Date: Fri, 25 Nov 2016 18:46:09 +0000 +Subject: MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON + +From: Paul Burton + +[ Upstream commit d4da0e97baea8768b3d66ccef3967bebd50dfc3b ] + +If a driver causes DMA cache maintenance with a zero length then we +currently BUG and kill the kernel. As this is a scenario that we may +well be able to recover from, WARN & return in the condition instead. + +Signed-off-by: Paul Burton +Acked-by: Florian Fainelli +Patchwork: https://patchwork.linux-mips.org/patch/14623/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/c-r4k.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/mips/mm/c-r4k.c ++++ b/arch/mips/mm/c-r4k.c +@@ -835,7 +835,8 @@ static void r4k_flush_icache_user_range( + static void r4k_dma_cache_wback_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { +@@ -871,7 +872,8 @@ static void r4k_dma_cache_wback_inv(unsi + static void r4k_dma_cache_inv(unsigned long addr, unsigned long size) + { + /* Catch bad driver code */ +- BUG_ON(size == 0); ++ if (WARN_ON(size == 0)) ++ return; + + preempt_disable(); + if (cpu_has_inclusive_pcaches) { diff --git a/queue-4.9/misc-mic-scif-fix-scif_get_new_port-error-handling.patch b/queue-4.9/misc-mic-scif-fix-scif_get_new_port-error-handling.patch new file mode 100644 index 00000000000..a0f6c897cf8 --- /dev/null +++ b/queue-4.9/misc-mic-scif-fix-scif_get_new_port-error-handling.patch 
@@ -0,0 +1,59 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Dan Carpenter +Date: Thu, 2 Aug 2018 11:42:22 +0300 +Subject: misc: mic: SCIF Fix scif_get_new_port() error handling + +From: Dan Carpenter + +[ Upstream commit a39284ae9d2ad09975c8ae33f1bd0f05fbfbf6ee ] + +There are only 2 callers of scif_get_new_port() and both appear to get +the error handling wrong. Both treat zero returns as error, but it +actually returns negative error codes and >= 0 on success. + +Fixes: e9089f43c9a7 ("misc: mic: SCIF open close bind and listen APIs") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mic/scif/scif_api.c | 20 +++++++++----------- + 1 file changed, 9 insertions(+), 11 deletions(-) + +--- a/drivers/misc/mic/scif/scif_api.c ++++ b/drivers/misc/mic/scif/scif_api.c +@@ -370,11 +370,10 @@ int scif_bind(scif_epd_t epd, u16 pn) + goto scif_bind_exit; + } + } else { +- pn = scif_get_new_port(); +- if (!pn) { +- ret = -ENOSPC; ++ ret = scif_get_new_port(); ++ if (ret < 0) + goto scif_bind_exit; +- } ++ pn = ret; + } + + ep->state = SCIFEP_BOUND; +@@ -648,13 +647,12 @@ int __scif_connect(scif_epd_t epd, struc + err = -EISCONN; + break; + case SCIFEP_UNBOUND: +- ep->port.port = scif_get_new_port(); +- if (!ep->port.port) { +- err = -ENOSPC; +- } else { +- ep->port.node = scif_info.nodeid; +- ep->conn_async_state = ASYNC_CONN_IDLE; +- } ++ err = scif_get_new_port(); ++ if (err < 0) ++ break; ++ ep->port.port = err; ++ ep->port.node = scif_info.nodeid; ++ ep->conn_async_state = ASYNC_CONN_IDLE; + /* Fall through */ + case SCIFEP_BOUND: + /* diff --git a/queue-4.9/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch b/queue-4.9/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch new file mode 100644 index 00000000000..dee59765f1c --- /dev/null +++ b/queue-4.9/misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch 
@@ -0,0 +1,41 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 18:45:36 +0300 +Subject: misc: ti-st: Fix memory leak in the error path of probe() + +From: Anton Vasilyev + +[ Upstream commit 81ae962d7f180c0092859440c82996cccb254976 ] + +Free resources instead of direct return of the error code if kim_probe +fails. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/ti-st/st_kim.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/ti-st/st_kim.c ++++ b/drivers/misc/ti-st/st_kim.c +@@ -756,14 +756,14 @@ static int kim_probe(struct platform_dev + err = gpio_request(kim_gdata->nshutdown, "kim"); + if (unlikely(err)) { + pr_err(" gpio %d request failed ", kim_gdata->nshutdown); +- return err; ++ goto err_sysfs_group; + } + + /* Configure nShutdown GPIO as output=0 */ + err = gpio_direction_output(kim_gdata->nshutdown, 0); + if (unlikely(err)) { + pr_err(" unable to configure gpio %d", kim_gdata->nshutdown); +- return err; ++ goto err_sysfs_group; + } + /* get reference of pdev for request_firmware + */ diff --git a/queue-4.9/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch b/queue-4.9/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch new file mode 100644 index 00000000000..a863edb9742 --- /dev/null +++ b/queue-4.9/net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch 
@@ -0,0 +1,72 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Petr Machata +Date: Fri, 27 Jul 2018 15:26:55 +0300 +Subject: net: dcb: For wild-card lookups, use priority -1, not 0 + +From: Petr Machata + +[ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ] + +The function dcb_app_lookup walks the list of specified DCB APP entries, +looking for one that matches a given criteria: ifindex, selector, +protocol ID and optionally also priority. The "don't care" value for +priority is set to 0, because that priority has not been allowed under +CEE regime, which predates the IEEE standardization. + +Under IEEE, 0 is a valid priority number. But because dcb_app_lookup +considers zero a wild card, attempts to add an APP entry with priority 0 +fail when other entries exist for a given ifindex / selector / PID +triplet. + +Fix by changing the wild-card value to -1. + +Signed-off-by: Petr Machata +Signed-off-by: Ido Schimmel +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/dcb/dcbnl.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/dcb/dcbnl.c ++++ b/net/dcb/dcbnl.c +@@ -1764,7 +1764,7 @@ static struct dcb_app_type *dcb_app_look + if (itr->app.selector == app->selector && + itr->app.protocol == app->protocol && + itr->ifindex == ifindex && +- (!prio || itr->app.priority == prio)) ++ ((prio == -1) || itr->app.priority == prio)) + return itr; + } + +@@ -1799,7 +1799,8 @@ u8 dcb_getapp(struct net_device *dev, st + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio = itr->app.priority; + spin_unlock_bh(&dcb_lock); + +@@ -1827,7 +1828,8 @@ int dcb_setapp(struct net_device *dev, s + + spin_lock_bh(&dcb_lock); + /* Search for existing match and replace */ +- if ((itr = dcb_app_lookup(new, dev->ifindex, 0))) { ++ itr = dcb_app_lookup(new, dev->ifindex, -1); ++ if (itr) { + 
if (new->priority) + itr->app.priority = new->priority; + else { +@@ -1860,7 +1862,8 @@ u8 dcb_ieee_getapp_mask(struct net_devic + u8 prio = 0; + + spin_lock_bh(&dcb_lock); +- if ((itr = dcb_app_lookup(app, dev->ifindex, 0))) ++ itr = dcb_app_lookup(app, dev->ifindex, -1); ++ if (itr) + prio |= 1 << itr->app.priority; + spin_unlock_bh(&dcb_lock); + diff --git a/queue-4.9/net-mvneta-fix-mtu-change-on-port-without-link.patch b/queue-4.9/net-mvneta-fix-mtu-change-on-port-without-link.patch new file mode 100644 index 00000000000..84907d22c48 --- /dev/null +++ b/queue-4.9/net-mvneta-fix-mtu-change-on-port-without-link.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Yelena Krivosheev +Date: Wed, 18 Jul 2018 18:10:51 +0200 +Subject: net: mvneta: fix mtu change on port without link + +From: Yelena Krivosheev + +[ Upstream commit 8466baf788ec3e18836bd9c91ba0b1a07af25878 ] + +It is incorrect to enable TX/RX queues (call by mvneta_port_up()) for +port without link. Indeed MTU change for interface without link causes TX +queues to stuck. + +Fixes: c5aff18204da ("net: mvneta: driver for Marvell Armada 370/XP +network unit") +Signed-off-by: Yelena Krivosheev +[gregory.clement: adding Fixes tags and rewording commit log] +Signed-off-by: Gregory CLEMENT +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvneta.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/ethernet/marvell/mvneta.c ++++ b/drivers/net/ethernet/marvell/mvneta.c +@@ -3117,7 +3117,6 @@ static int mvneta_change_mtu(struct net_ + + on_each_cpu(mvneta_percpu_enable, pp, true); + mvneta_start_dev(pp); +- mvneta_port_up(pp); + + netdev_update_features(dev); + diff --git a/queue-4.9/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch b/queue-4.9/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch new file mode 100644 index 00000000000..54c833a5440 --- /dev/null 
+++ b/queue-4.9/net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch 
@@ -0,0 +1,79 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Arun Parameswaran +Date: Wed, 1 Aug 2018 17:53:47 -0700 +Subject: net: phy: Fix the register offsets in Broadcom iProc mdio mux driver + +From: Arun Parameswaran + +[ Upstream commit 77fefa93bfebe4df44f154f2aa5938e32630d0bf ] + +Modify the register offsets in the Broadcom iProc mdio mux to start +from the top of the register address space. + +Earlier, the base address pointed to the end of the block's register +space. The base address will now point to the start of the mdio's +address space. The offsets have been fixed to match this. + +Signed-off-by: Arun Parameswaran +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-mux-bcm-iproc.c | 20 +++++++++++++++----- + 1 file changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/phy/mdio-mux-bcm-iproc.c ++++ b/drivers/net/phy/mdio-mux-bcm-iproc.c +@@ -22,7 +22,7 @@ + #include + #include + +-#define MDIO_PARAM_OFFSET 0x00 ++#define MDIO_PARAM_OFFSET 0x23c + #define MDIO_PARAM_MIIM_CYCLE 29 + #define MDIO_PARAM_INTERNAL_SEL 25 + #define MDIO_PARAM_BUS_ID 22 +@@ -30,20 +30,22 @@ + #define MDIO_PARAM_PHY_ID 16 + #define MDIO_PARAM_PHY_DATA 0 + +-#define MDIO_READ_OFFSET 0x04 ++#define MDIO_READ_OFFSET 0x240 + #define MDIO_READ_DATA_MASK 0xffff +-#define MDIO_ADDR_OFFSET 0x08 ++#define MDIO_ADDR_OFFSET 0x244 + +-#define MDIO_CTRL_OFFSET 0x0C ++#define MDIO_CTRL_OFFSET 0x248 + #define MDIO_CTRL_WRITE_OP 0x1 + #define MDIO_CTRL_READ_OP 0x2 + +-#define MDIO_STAT_OFFSET 0x10 ++#define MDIO_STAT_OFFSET 0x24c + #define MDIO_STAT_DONE 1 + + #define BUS_MAX_ADDR 32 + #define EXT_BUS_START_ADDR 16 + ++#define MDIO_REG_ADDR_SPACE_SIZE 0x250 ++ + struct iproc_mdiomux_desc { + void *mux_handle; + void __iomem *base; +@@ -169,6 +171,14 @@ static int mdio_mux_iproc_probe(struct p + md->dev = &pdev->dev; + + res = 
platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (res->start & 0xfff) { ++ /* For backward compatibility in case the ++ * base address is specified with an offset. ++ */ ++ dev_info(&pdev->dev, "fix base address in dt-blob\n"); ++ res->start &= ~0xfff; ++ res->end = res->start + MDIO_REG_ADDR_SPACE_SIZE - 1; ++ } + md->base = devm_ioremap_resource(&pdev->dev, res); + if (IS_ERR(md->base)) { + dev_err(&pdev->dev, "failed to ioremap register\n"); diff --git a/queue-4.9/nfsv4.0-fix-client-reference-leak-in-callback.patch b/queue-4.9/nfsv4.0-fix-client-reference-leak-in-callback.patch new file mode 100644 index 00000000000..385a8cf5808 --- /dev/null +++ b/queue-4.9/nfsv4.0-fix-client-reference-leak-in-callback.patch 
@@ -0,0 +1,48 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Olga Kornievskaia +Date: Thu, 26 Jul 2018 16:04:47 -0400 +Subject: NFSv4.0 fix client reference leak in callback + +From: Olga Kornievskaia + +[ Upstream commit 32cd3ee511f4e07ca25d71163b50e704808d22f4 ] + +If there is an error during processing of a callback message, it leads +to refrence leak on the client structure and eventually an unclean +superblock. + +Signed-off-by: Olga Kornievskaia +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/callback_xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/nfs/callback_xdr.c ++++ b/fs/nfs/callback_xdr.c +@@ -968,16 +968,21 @@ static __be32 nfs4_callback_compound(str + + if (hdr_arg.minorversion == 0) { + cps.clp = nfs4_find_client_ident(SVC_NET(rqstp), hdr_arg.cb_ident); +- if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) ++ if (!cps.clp || !check_gss_callback_principal(cps.clp, rqstp)) { ++ if (cps.clp) ++ nfs_put_client(cps.clp); + goto out_invalidcred; ++ } + } + + cps.minorversion = hdr_arg.minorversion; + hdr_res.taglen = hdr_arg.taglen; + hdr_res.tag = hdr_arg.tag; +- if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0) ++ if (encode_compound_hdr_res(&xdr_out, &hdr_res) != 0) { ++ if (cps.clp) ++ nfs_put_client(cps.clp); + return rpc_system_err; +- ++ } + while (status == 0 && nops != hdr_arg.nops) { + status = process_op(nops, rqstp, &xdr_in, + argp, &xdr_out, resp, &cps); diff --git a/queue-4.9/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch b/queue-4.9/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch new file mode 100644 index 00000000000..69f5c2535a2 --- /dev/null +++ b/queue-4.9/nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch 
@@ -0,0 +1,36 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Trond Myklebust +Date: Thu, 12 Jul 2018 14:19:03 -0400 +Subject: NFSv4.1: Fix a potential layoutget/layoutrecall deadlock + +From: Trond Myklebust + +[ Upstream commit bd3d16a887b0c19a2a20d35ffed499e3a3637feb ] + +If the client is sending a layoutget, but the server issues a callback +to recall what it thinks may be an outstanding layout, then we may find +an uninitialised layout attached to the inode due to the layoutget. +In that case, it is appropriate to return NFS4ERR_NOMATCHING_LAYOUT +rather than NFS4ERR_DELAY, as the latter can end up deadlocking. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/callback_proc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -175,9 +175,9 @@ static u32 pnfs_check_callback_stateid(s + { + u32 oldseq, newseq; + +- /* Is the stateid still not initialised? */ ++ /* Is the stateid not initialised? */ + if (!pnfs_layout_is_valid(lo)) +- return NFS4ERR_DELAY; ++ return NFS4ERR_NOMATCHING_LAYOUT; + + /* Mismatched stateid? */ + if (!nfs4_stateid_match_other(&lo->plh_stateid, new)) diff --git a/queue-4.9/partitions-aix-append-null-character-to-print-data-from-disk.patch b/queue-4.9/partitions-aix-append-null-character-to-print-data-from-disk.patch new file mode 100644 index 00000000000..a374d6220e0 --- /dev/null +++ b/queue-4.9/partitions-aix-append-null-character-to-print-data-from-disk.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:29 -0300 +Subject: partitions/aix: append null character to print data from disk + +From: Mauricio Faria de Oliveira + +[ Upstream commit d43fdae7bac2def8c4314b5a49822cb7f08a45f1 ] + +Even if properly initialized, the lvname array (i.e., strings) +is read from disk, and might contain corrupt data (e.g., lack +the null terminating character for strings). + +So, make sure the partition name string used in pr_warn() has +the null terminating character. + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Suggested-by: Daniel J. Axtens +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -281,10 +281,14 @@ int aix_partition(struct parsed_partitio + next_lp_ix += 1; + } + for (i = 0; i < state->limit; i += 1) +- if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) ++ if (lvip[i].pps_found && !lvip[i].lv_is_contiguous) { ++ char tmp[sizeof(n[i].name) + 1]; // null char ++ ++ snprintf(tmp, sizeof(tmp), "%s", n[i].name); + pr_warn("partition %s (%u pp's found) is " + "not contiguous\n", +- n[i].name, lvip[i].pps_found); ++ tmp, lvip[i].pps_found); ++ } + kfree(pvd); + } + kfree(n); diff --git a/queue-4.9/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch b/queue-4.9/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch new file mode 100644 index 00000000000..4bdefa1fcb8 --- /dev/null +++ b/queue-4.9/partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch 
@@ -0,0 +1,58 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Mauricio Faria de Oliveira +Date: Wed, 25 Jul 2018 22:46:28 -0300 +Subject: partitions/aix: fix usage of uninitialized lv_info and lvname structures + +From: Mauricio Faria de Oliveira + +[ Upstream commit 14cb2c8a6c5dae57ee3e2da10fa3db2b9087e39e ] + +The if-block that sets a successful return value in aix_partition() +uses 'lvip[].pps_per_lv' and 'n[].name' potentially uninitialized. + +For example, if 'numlvs' is zero or alloc_lvn() fails, neither is +initialized, but are used anyway if alloc_pvd() succeeds after it. + +So, make the alloc_pvd() call conditional on their initialization. + +This has been hit when attaching an apparently corrupted/stressed +AIX LUN, misleading the kernel to pr_warn() invalid data and hang. + + [...] partition (null) (11 pp's found) is not contiguous + [...] partition (null) (2 pp's found) is not contiguous + [...] partition (null) (3 pp's found) is not contiguous + [...] partition (null) (64 pp's found) is not contiguous + +Fixes: 6ceea22bbbc8 ("partitions: add aix lvm partition support files") +Signed-off-by: Mauricio Faria de Oliveira +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partitions/aix.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/block/partitions/aix.c ++++ b/block/partitions/aix.c +@@ -177,7 +177,7 @@ int aix_partition(struct parsed_partitio + u32 vgda_sector = 0; + u32 vgda_len = 0; + int numlvs = 0; +- struct pvd *pvd; ++ struct pvd *pvd = NULL; + struct lv_info { + unsigned short pps_per_lv; + unsigned short pps_found; +@@ -231,10 +231,11 @@ int aix_partition(struct parsed_partitio + if (lvip[i].pps_per_lv) + foundlvs += 1; + } ++ /* pvd loops depend on n[].name and lvip[].pps_per_lv */ ++ pvd = alloc_pvd(state, vgda_sector + 17); + } + put_dev_sector(sect); + } +- pvd = alloc_pvd(state, vgda_sector + 17); + if (pvd) { + int numpps = be16_to_cpu(pvd->pp_count); + int 
psn_part1 = be32_to_cpu(pvd->psn_part1); diff --git a/queue-4.9/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch b/queue-4.9/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch new file mode 100644 index 00000000000..279fc0609fc --- /dev/null +++ b/queue-4.9/perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch 
@@ -0,0 +1,74 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Christophe Leroy +Date: Fri, 22 Sep 2017 13:20:43 +0200 +Subject: perf tools: Allow overriding MAX_NR_CPUS at compile time + +From: Christophe Leroy + +[ Upstream commit 21b8732eb4479b579bda9ee38e62b2c312c2a0e5 ] + +After update of kernel, the perf tool doesn't run anymore on my 32MB RAM +powerpc board, but still runs on a 128MB RAM board: + + ~# strace perf + execve("/usr/sbin/perf", ["perf"], [/* 12 vars */]) = -1 ENOMEM (Cannot allocate memory) + --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} --- + +++ killed by SIGSEGV +++ + Segmentation fault + +objdump -x shows that .bss section has a huge size of 24Mbytes: + + 27 .bss 016baca8 101cebb8 101cebb8 001cd988 2**3 + +With especially the following objects having quite big size: + + 10205f80 l O .bss 00140000 runtime_cycles_stats + 10345f80 l O .bss 00140000 runtime_stalled_cycles_front_stats + 10485f80 l O .bss 00140000 runtime_stalled_cycles_back_stats + 105c5f80 l O .bss 00140000 runtime_branches_stats + 10705f80 l O .bss 00140000 runtime_cacherefs_stats + 10845f80 l O .bss 00140000 runtime_l1_dcache_stats + 10985f80 l O .bss 00140000 runtime_l1_icache_stats + 10ac5f80 l O .bss 00140000 runtime_ll_cache_stats + 10c05f80 l O .bss 00140000 runtime_itlb_cache_stats + 10d45f80 l O .bss 00140000 runtime_dtlb_cache_stats + 10e85f80 l O .bss 00140000 runtime_cycles_in_tx_stats + 10fc5f80 l O .bss 00140000 runtime_transaction_stats + 11105f80 l O .bss 00140000 runtime_elision_stats + 11245f80 l O .bss 00140000 runtime_topdown_total_slots + 11385f80 l O .bss 00140000 runtime_topdown_slots_retired + 114c5f80 l O .bss 00140000 runtime_topdown_slots_issued + 11605f80 l O .bss 00140000 runtime_topdown_fetch_bubbles + 11745f80 l O .bss 00140000 runtime_topdown_recovery_bubbles + +This is due to commit 4d255766d28b1 ("perf: Bump max number of cpus +to 1024"), because many tables are sized with MAX_NR_CPUS + +This patch gives the opportunity to 
redefine MAX_NR_CPUS via + + $ make EXTRA_CFLAGS=-DMAX_NR_CPUS=1 + +Signed-off-by: Christophe Leroy +Cc: Alexander Shishkin +Cc: Peter Zijlstra +Cc: linuxppc-dev@lists.ozlabs.org +Link: http://lkml.kernel.org/r/20170922112043.8349468C57@po15668-vm-win7.idsi0.si.c-s.fr +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/perf.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/perf.h ++++ b/tools/perf/perf.h +@@ -22,7 +22,9 @@ static inline unsigned long long rdclock + return ts.tv_sec * 1000000000ULL + ts.tv_nsec; + } + ++#ifndef MAX_NR_CPUS + #define MAX_NR_CPUS 1024 ++#endif + + extern const char *input_name; + extern bool perf_host, perf_guest; diff --git a/queue-4.9/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch b/queue-4.9/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch new file mode 100644 index 00000000000..49a0f2aa00a --- /dev/null +++ b/queue-4.9/rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch 
@@ -0,0 +1,49 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Parav Pandit +Date: Mon, 16 Jul 2018 11:50:13 +0300 +Subject: RDMA/cma: Do not ignore net namespace for unbound cm_id + +From: Parav Pandit + +[ Upstream commit 643d213a9a034fa04f5575a40dfc8548e33ce04f ] + +Currently if the cm_id is not bound to any netdevice, than for such cm_id, +net namespace is ignored; which is incorrect. + +Regardless of cm_id bound to a netdevice or not, net namespace must +match. When a cm_id is bound to a netdevice, in such case net namespace +and netdevice both must match. + +Fixes: 4c21b5bcef73 ("IB/cma: Add net_dev and private data checks to RDMA CM") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -1409,9 +1409,16 @@ static bool cma_match_net_dev(const stru + (addr->src_addr.ss_family == AF_IB || + cma_protocol_roce_dev_port(id->device, port_num)); + +- return !addr->dev_addr.bound_dev_if || +- (net_eq(dev_net(net_dev), addr->dev_addr.net) && +- addr->dev_addr.bound_dev_if == net_dev->ifindex); ++ /* ++ * Net namespaces must match, and if the listner is listening ++ * on a specific netdevice than netdevice must match as well. ++ */ ++ if (net_eq(dev_net(net_dev), addr->dev_addr.net) && ++ (!!addr->dev_addr.bound_dev_if == ++ (addr->dev_addr.bound_dev_if == net_dev->ifindex))) ++ return true; ++ else ++ return false; + } + + static struct rdma_id_private *cma_find_listener( diff --git a/queue-4.9/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch b/queue-4.9/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch new file mode 100644 index 00000000000..395730e69fa --- /dev/null 
+++ b/queue-4.9/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch 
@@ -0,0 +1,105 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:51:57 +0300 +Subject: scsi: 3ware: fix return 0 on the error path of probe + +From: Anton Vasilyev + +[ Upstream commit 4dc98c1995482262e70e83ef029135247fafe0f2 ] + +tw_probe() returns 0 in case of fail of tw_initialize_device_extension(), +pci_resource_start() or tw_reset_sequence() and releases resources. +twl_probe() returns 0 in case of fail of twl_initialize_device_extension(), +pci_iomap() and twl_reset_sequence(). twa_probe() returns 0 in case of +fail of tw_initialize_device_extension(), ioremap() and +twa_reset_sequence(). + +The patch adds retval initialization for these cases. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-9xxx.c | 6 +++++- + drivers/scsi/3w-sas.c | 3 +++ + drivers/scsi/3w-xxxx.c | 2 ++ + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -2045,6 +2045,7 @@ static int twa_probe(struct pci_dev *pde + + if (twa_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x25, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2067,6 +2068,7 @@ static int twa_probe(struct pci_dev *pde + tw_dev->base_addr = ioremap(mem_addr, mem_len); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x35, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -2074,8 +2076,10 @@ static int twa_probe(struct pci_dev *pde + TW_DISABLE_INTERRUPTS(tw_dev); + + /* Initialize the card */ +- if (twa_reset_sequence(tw_dev, 0)) ++ if (twa_reset_sequence(tw_dev, 0)) { ++ retval = -ENOMEM; + goto out_iounmap; ++ } + + /* Set host specific parameters */ + if ((pdev->device == 
PCI_DEVICE_ID_3WARE_9650SE) || +--- a/drivers/scsi/3w-sas.c ++++ b/drivers/scsi/3w-sas.c +@@ -1600,6 +1600,7 @@ static int twl_probe(struct pci_dev *pde + + if (twl_initialize_device_extension(tw_dev)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1a, "Failed to initialize device extension"); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -1614,6 +1615,7 @@ static int twl_probe(struct pci_dev *pde + tw_dev->base_addr = pci_iomap(pdev, 1, 0); + if (!tw_dev->base_addr) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1c, "Failed to ioremap"); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + +@@ -1623,6 +1625,7 @@ static int twl_probe(struct pci_dev *pde + /* Initialize the card */ + if (twl_reset_sequence(tw_dev, 0)) { + TW_PRINTK(tw_dev->host, TW_DRIVER, 0x1d, "Controller reset failed during probe"); ++ retval = -ENOMEM; + goto out_iounmap; + } + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -2281,6 +2281,7 @@ static int tw_probe(struct pci_dev *pdev + + if (tw_initialize_device_extension(tw_dev)) { + printk(KERN_WARNING "3w-xxxx: Failed to initialize device extension."); ++ retval = -ENOMEM; + goto out_free_device_extension; + } + +@@ -2295,6 +2296,7 @@ static int tw_probe(struct pci_dev *pdev + tw_dev->base_addr = pci_resource_start(pdev, 0); + if (!tw_dev->base_addr) { + printk(KERN_WARNING "3w-xxxx: Failed to get io address."); ++ retval = -ENOMEM; + goto out_release_mem_region; + } + diff --git a/queue-4.9/scsi-target-fix-__transport_register_session-locking.patch b/queue-4.9/scsi-target-fix-__transport_register_session-locking.patch new file mode 100644 index 00000000000..920e7d2d4cf --- /dev/null +++ b/queue-4.9/scsi-target-fix-__transport_register_session-locking.patch 
@@ -0,0 +1,54 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Mike Christie +Date: Thu, 2 Aug 2018 12:12:20 -0500 +Subject: scsi: target: fix __transport_register_session locking + +From: Mike Christie + +[ Upstream commit 6a64f6e1591322beb8ce16e952a53582caf2a15c ] + +When __transport_register_session is called from transport_register_session +irqs will already have been disabled, so we do not want the unlock irq call +to enable them until the higher level has done the final +spin_unlock_irqrestore/ spin_unlock_irq. + +This has __transport_register_session use the save/restore call. + +Signed-off-by: Mike Christie +Reviewed-by: Bart Van Assche +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_transport.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -316,6 +316,7 @@ void __transport_register_session( + { + const struct target_core_fabric_ops *tfo = se_tpg->se_tpg_tfo; + unsigned char buf[PR_REG_ISID_LEN]; ++ unsigned long flags; + + se_sess->se_tpg = se_tpg; + se_sess->fabric_sess_ptr = fabric_sess_ptr; +@@ -352,7 +353,7 @@ void __transport_register_session( + se_sess->sess_bin_isid = get_unaligned_be64(&buf[0]); + } + +- spin_lock_irq(&se_nacl->nacl_sess_lock); ++ spin_lock_irqsave(&se_nacl->nacl_sess_lock, flags); + /* + * The se_nacl->nacl_sess pointer will be set to the + * last active I_T Nexus for each struct se_node_acl. +@@ -361,7 +362,7 @@ void __transport_register_session( + + list_add_tail(&se_sess->sess_acl_list, + &se_nacl->acl_sess_list); +- spin_unlock_irq(&se_nacl->nacl_sess_lock); ++ spin_unlock_irqrestore(&se_nacl->nacl_sess_lock, flags); + } + list_add_tail(&se_sess->sess_list, &se_tpg->tpg_sess_list); + diff --git a/queue-4.9/series b/queue-4.9/series index be9f14fa771..82497579165 100644 --- a/queue-4.9/series 
+++ b/queue-4.9/series 
@@ -15,3 +15,52 @@ selinux-use-gfp_nowait-in-the-avc-kmem_caches.patch locking-osq_lock-fix-osq_lock-queue-corruption.patch mm-vmscan-clear-pgdat_writeback-when-zone-is-balanced.patch mm-remove-seemingly-spurious-reclaimability-check-from-laptop_mode-gating.patch +arc-enable-swap.patch +misc-mic-scif-fix-scif_get_new_port-error-handling.patch +ethtool-remove-trailing-semicolon-for-static-inline.patch +bluetooth-h5-fix-missing-dependency-on-bt_hciuart_serdev.patch +gpio-tegra-move-driver-registration-to-subsys_init-level.patch +net-phy-fix-the-register-offsets-in-broadcom-iproc-mdio-mux-driver.patch +scsi-target-fix-__transport_register_session-locking.patch +md-raid5-fix-data-corruption-of-replacements-after-originals-dropped.patch +timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch +misc-ti-st-fix-memory-leak-in-the-error-path-of-probe.patch +uio-potential-double-frees-if-__uio_register_device-fails.patch +tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch +f2fs-do-not-set-free-of-current-section.patch +perf-tools-allow-overriding-max_nr_cpus-at-compile-time.patch +nfsv4.0-fix-client-reference-leak-in-callback.patch +macintosh-via-pmu-add-missing-mmio-accessors.patch +ath9k-report-tx-status-on-eosp.patch +ath9k_hw-fix-channel-maximum-power-level-test.patch +ath10k-prevent-active-scans-on-potential-unusable-channels.patch +wlcore-set-rx_status-boottime_ns-field-on-rx.patch +mips-fix-isa-virt-bus-conversion-for-non-zero-phys_offset.patch +ata-libahci-correct-setting-of-devslp-register.patch +scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch +ath10k-disable-bundle-mgmt-tx-completion-event-support.patch +bluetooth-hidp-fix-handling-of-strncpy-for-hid-name-information.patch +x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch +x86-kexec-allocate-8k-pgds-for-pti.patch +gpio-ml-ioh-fix-buffer-underwrite-on-probe-error-path.patch +net-mvneta-fix-mtu-change-on-port-without-link.patch 
+f2fs-try-grabbing-node-page-lock-aggressively-in-sync-scenario.patch +f2fs-fix-to-skip-gc-if-type-in-ssa-and-sit-is-inconsistent.patch +tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch +tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch +f2fs-fix-to-do-sanity-check-with-reserved-blkaddr-of-inline-inode.patch +mips-octeon-add-missing-of_node_put.patch +mips-generic-fix-missing-of_node_put.patch +net-dcb-for-wild-card-lookups-use-priority-1-not-0.patch +input-atmel_mxt_ts-only-use-first-t9-instance.patch +media-s5p-mfc-fix-buffer-look-up-in-s5p_mfc_handle_frame_-new-copy_time-functions.patch +partitions-aix-append-null-character-to-print-data-from-disk.patch +partitions-aix-fix-usage-of-uninitialized-lv_info-and-lvname-structures.patch +media-helene-fix-xtal-frequency-setting-at-power-on.patch +f2fs-fix-uninitialized-return-in-f2fs_ioc_shutdown.patch +iommu-ipmmu-vmsa-fix-allocation-in-atomic-context.patch +mfd-ti_am335x_tscadc-fix-struct-clk-memory-leak.patch +f2fs-fix-to-do-sanity-check-with-sit-nat-_ver_bitmap_bytesize.patch +nfsv4.1-fix-a-potential-layoutget-layoutrecall-deadlock.patch +mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch +rdma-cma-do-not-ignore-net-namespace-for-unbound-cm_id.patch diff --git a/queue-4.9/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch b/queue-4.9/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch new file mode 100644 index 00000000000..7d56669a8d1 --- /dev/null +++ b/queue-4.9/timers-clear-timer_base-must_forward_clk-with-timer_base-lock-held.patch 
@@ -0,0 +1,98 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Gaurav Kohli +Date: Thu, 2 Aug 2018 14:21:03 +0530 +Subject: timers: Clear timer_base::must_forward_clk with timer_base::lock held + +From: Gaurav Kohli + +[ Upstream commit 363e934d8811d799c88faffc5bfca782fd728334 ] + +timer_base::must_forward_clock is indicating that the base clock might be +stale due to a long idle sleep. + +The forwarding of the base clock takes place in the timer softirq or when a +timer is enqueued to a base which is idle. If the enqueue of timer to an +idle base happens from a remote CPU, then the following race can happen: + + CPU0 CPU1 + run_timer_softirq mod_timer + + base = lock_timer_base(timer); + base->must_forward_clk = false + if (base->must_forward_clk) + forward(base); -> skipped + + enqueue_timer(base, timer, idx); + -> idx is calculated high due to + stale base + unlock_timer_base(timer); + base = lock_timer_base(timer); + forward(base); + +The root cause is that timer_base::must_forward_clk is cleared outside the +timer_base::lock held region, so the remote queuing CPU observes it as +cleared, but the base clock is still stale. This can cause large +granularity values for timers, i.e. the accuracy of the expiry time +suffers. + +Prevent this by clearing the flag with timer_base::lock held, so that the +forwarding takes place before the cleared flag is observable by a remote +CPU. 
+ +Signed-off-by: Gaurav Kohli +Signed-off-by: Thomas Gleixner +Cc: john.stultz@linaro.org +Cc: sboyd@kernel.org +Cc: linux-arm-msm@vger.kernel.org +Link: https://lkml.kernel.org/r/1533199863-22748-1-git-send-email-gkohli@codeaurora.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/timer.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +--- a/kernel/time/timer.c ++++ b/kernel/time/timer.c +@@ -1649,6 +1649,22 @@ static inline void __run_timers(struct t + + spin_lock_irq(&base->lock); + ++ /* ++ * timer_base::must_forward_clk must be cleared before running ++ * timers so that any timer functions that call mod_timer() will ++ * not try to forward the base. Idle tracking / clock forwarding ++ * logic is only used with BASE_STD timers. ++ * ++ * The must_forward_clk flag is cleared unconditionally also for ++ * the deferrable base. The deferrable base is not affected by idle ++ * tracking and never forwarded, so clearing the flag is a NOOP. ++ * ++ * The fact that the deferrable base is never forwarded can cause ++ * large variations in granularity for deferrable timers, but they ++ * can be deferred for long periods due to idle anyway. ++ */ ++ base->must_forward_clk = false; ++ + while (time_after_eq(jiffies, base->clk)) { + + levels = collect_expired_timers(base, heads); +@@ -1668,19 +1684,6 @@ static __latent_entropy void run_timer_s + { + struct timer_base *base = this_cpu_ptr(&timer_bases[BASE_STD]); + +- /* +- * must_forward_clk must be cleared before running timers so that any +- * timer functions that call mod_timer will not try to forward the +- * base. idle trcking / clock forwarding logic is only used with +- * BASE_STD timers. +- * +- * The deferrable base does not do idle tracking at all, so we do +- * not forward it. This can result in very large variations in +- * granularity for deferrable timers, but they can be deferred for +- * long periods due to idle. 
+- */ +- base->must_forward_clk = false; +- + __run_timers(base); + if (IS_ENABLED(CONFIG_NO_HZ_COMMON)) + __run_timers(this_cpu_ptr(&timer_bases[BASE_DEF])); diff --git a/queue-4.9/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch b/queue-4.9/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch new file mode 100644 index 00000000000..53dbde83abf --- /dev/null +++ b/queue-4.9/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch 
@@ -0,0 +1,62 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Peter Rosin +Date: Wed, 20 Jun 2018 07:17:54 +0200 +Subject: tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT) + +From: Peter Rosin + +[ Upstream commit bb853aac2c478ce78116128263801189408ad2a8 ] + +Locking the root adapter for __i2c_transfer will deadlock if the +device sits behind a mux-locked I2C mux. Switch to the finer-grained +i2c_lock_bus with the I2C_LOCK_SEGMENT flag. If the device does not +sit behind a mux-locked mux, the two locking variants are equivalent. + +Signed-off-by: Peter Rosin +Reviewed-by: Jarkko Sakkinen +Tested-by: Alexander Steffen +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_i2c_infineon.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/tpm/tpm_i2c_infineon.c ++++ b/drivers/char/tpm/tpm_i2c_infineon.c +@@ -115,7 +115,7 @@ static int iic_tpm_read(u8 addr, u8 *buf + /* Lock the adapter for the duration of the whole sequence. 
*/ + if (!tpm_dev.client->adapter->algo->master_xfer) + return -EOPNOTSUPP; +- i2c_lock_adapter(tpm_dev.client->adapter); ++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + + if (tpm_dev.chip_type == SLB9645) { + /* use a combined read for newer chips +@@ -156,7 +156,7 @@ static int iic_tpm_read(u8 addr, u8 *buf + } + + out: +- i2c_unlock_adapter(tpm_dev.client->adapter); ++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + /* take care of 'guard time' */ + usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); + +@@ -188,7 +188,7 @@ static int iic_tpm_write_generic(u8 addr + + if (!tpm_dev.client->adapter->algo->master_xfer) + return -EOPNOTSUPP; +- i2c_lock_adapter(tpm_dev.client->adapter); ++ i2c_lock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + + /* prepend the 'register address' to the buffer */ + tpm_dev.buf[0] = addr; +@@ -207,7 +207,7 @@ static int iic_tpm_write_generic(u8 addr + usleep_range(sleep_low, sleep_hi); + } + +- i2c_unlock_adapter(tpm_dev.client->adapter); ++ i2c_unlock_bus(tpm_dev.client->adapter, I2C_LOCK_SEGMENT); + /* take care of 'guard time' */ + usleep_range(SLEEP_DURATION_LOW, SLEEP_DURATION_HI); + diff --git a/queue-4.9/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch b/queue-4.9/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch new file mode 100644 index 00000000000..a0c0ecf1f73 --- /dev/null +++ b/queue-4.9/tpm_tis_spi-pass-the-spi-irq-down-to-the-driver.patch 
@@ -0,0 +1,55 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Linus Walleij +Date: Fri, 8 Jun 2018 09:09:07 +0200 +Subject: tpm_tis_spi: Pass the SPI IRQ down to the driver + +From: Linus Walleij + +[ Upstream commit 1a339b658d9dbe1471f67b78237cf8fa08bbbeb5 ] + +An SPI TPM device managed directly on an embedded board using +the SPI bus and some GPIO or similar line as IRQ handler will +pass the IRQn from the TPM device associated with the SPI +device. This is already handled by the SPI core, so make sure +to pass this down to the core as well. + +(The TPM core habit of using -1 to signal no IRQ is dubious +(as IRQ 0 is NO_IRQ) but I do not want to mess with that +semantic in this patch.) + +Cc: Mark Brown +Signed-off-by: Linus Walleij +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_spi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_tis_spi.c ++++ b/drivers/char/tpm/tpm_tis_spi.c +@@ -189,6 +189,7 @@ static const struct tpm_tis_phy_ops tpm_ + static int tpm_tis_spi_probe(struct spi_device *dev) + { + struct tpm_tis_spi_phy *phy; ++ int irq; + + phy = devm_kzalloc(&dev->dev, sizeof(struct tpm_tis_spi_phy), + GFP_KERNEL); +@@ -201,7 +202,13 @@ static int tpm_tis_spi_probe(struct spi_ + if (!phy->iobuf) + return -ENOMEM; + +- return tpm_tis_core_init(&dev->dev, &phy->priv, -1, &tpm_spi_phy_ops, ++ /* If the SPI device has an IRQ then use that */ ++ if (dev->irq > 0) ++ irq = dev->irq; ++ else ++ irq = -1; ++ ++ return tpm_tis_core_init(&dev->dev, &phy->priv, irq, &tpm_spi_phy_ops, + NULL); + } + diff --git a/queue-4.9/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch b/queue-4.9/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch new file mode 100644 index 00000000000..b4b00c8211c --- /dev/null 
+++ b/queue-4.9/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Anton Vasilyev +Date: Fri, 27 Jul 2018 16:39:31 +0300 +Subject: tty: rocket: Fix possible buffer overwrite on register_PCI + +From: Anton Vasilyev + +[ Upstream commit 0419056ec8fd01ddf5460d2dba0491aad22657dd ] + +If number of isa and pci boards exceed NUM_BOARDS on the path +rp_init()->init_PCI()->register_PCI() then buffer overwrite occurs +in register_PCI() on assign rcktpt_io_addr[i]. + +The patch adds check on upper bound for index of registered +board in register_PCI. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/rocket.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/rocket.c ++++ b/drivers/tty/rocket.c +@@ -1913,7 +1913,7 @@ static __init int register_PCI(int i, st + ByteIO_t UPCIRingInd = 0; + + if (!dev || !pci_match_id(rocket_pci_ids, dev) || +- pci_enable_device(dev)) ++ pci_enable_device(dev) || i >= NUM_BOARDS) + return 0; + + rcktpt_io_addr[i] = pci_resource_start(dev, 0); diff --git a/queue-4.9/uio-potential-double-frees-if-__uio_register_device-fails.patch b/queue-4.9/uio-potential-double-frees-if-__uio_register_device-fails.patch new file mode 100644 index 00000000000..df29d28297f --- /dev/null +++ b/queue-4.9/uio-potential-double-frees-if-__uio_register_device-fails.patch 
@@ -0,0 +1,45 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Dan Carpenter +Date: Thu, 2 Aug 2018 11:24:47 +0300 +Subject: uio: potential double frees if __uio_register_device() fails + +From: Dan Carpenter + +[ Upstream commit f019f07ecf6a6b8bd6d7853bce70925d90af02d1 ] + +The uio_unregister_device() function assumes that if "info->uio_dev" is +non-NULL that means "info" is fully allocated. Setting info->uio_de +has to be the last thing in the function. + +In the current code, if request_threaded_irq() fails then we return with +info->uio_dev set to non-NULL but info is not fully allocated and it can +lead to double frees. + +Fixes: beafc54c4e2f ("UIO: Add the User IO core code") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -841,8 +841,6 @@ int __uio_register_device(struct module + if (ret) + goto err_uio_dev_add_attributes; + +- info->uio_dev = idev; +- + if (info->irq && (info->irq != UIO_IRQ_CUSTOM)) { + /* + * Note that we deliberately don't use devm_request_irq +@@ -858,6 +856,7 @@ int __uio_register_device(struct module + goto err_request_irq; + } + ++ info->uio_dev = idev; + return 0; + + err_request_irq: diff --git a/queue-4.9/wlcore-set-rx_status-boottime_ns-field-on-rx.patch b/queue-4.9/wlcore-set-rx_status-boottime_ns-field-on-rx.patch new file mode 100644 index 00000000000..fe767e7a07e --- /dev/null +++ b/queue-4.9/wlcore-set-rx_status-boottime_ns-field-on-rx.patch 
@@ -0,0 +1,56 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Loic Poulain +Date: Fri, 27 Jul 2018 18:30:23 +0200 +Subject: wlcore: Set rx_status boottime_ns field on rx + +From: Loic Poulain + +[ Upstream commit 37a634f60fd6dfbda2c312657eec7ef0750546e7 ] + +When receiving a beacon or probe response, we should update the +boottime_ns field which is the timestamp the frame was received at. +(cf mac80211.h) + +This fixes a scanning issue with Android since it relies on this +timestamp to determine when the AP has been seen for the last time +(via the nl80211 BSS_LAST_SEEN_BOOTTIME parameter). + +Signed-off-by: Loic Poulain +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/rx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ti/wlcore/rx.c ++++ b/drivers/net/wireless/ti/wlcore/rx.c +@@ -59,7 +59,7 @@ static u32 wlcore_rx_get_align_buf_size( + static void wl1271_rx_status(struct wl1271 *wl, + struct wl1271_rx_descriptor *desc, + struct ieee80211_rx_status *status, +- u8 beacon) ++ u8 beacon, u8 probe_rsp) + { + memset(status, 0, sizeof(struct ieee80211_rx_status)); + +@@ -106,6 +106,9 @@ static void wl1271_rx_status(struct wl12 + } + } + ++ if (beacon || probe_rsp) ++ status->boottime_ns = ktime_get_boot_ns(); ++ + if (beacon) + wlcore_set_pending_regdomain_ch(wl, (u16)desc->channel, + status->band); +@@ -194,7 +197,8 @@ static int wl1271_rx_handle_data(struct + if (ieee80211_is_data_present(hdr->frame_control)) + is_data = 1; + +- wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon); ++ wl1271_rx_status(wl, desc, IEEE80211_SKB_RXCB(skb), beacon, ++ ieee80211_is_probe_resp(hdr->frame_control)); + wlcore_hw_set_rx_csum(wl, desc, skb); + + seq_num = (le16_to_cpu(hdr->seq_ctrl) & IEEE80211_SCTL_SEQ) >> 4; 
diff --git a/queue-4.9/x86-kexec-allocate-8k-pgds-for-pti.patch b/queue-4.9/x86-kexec-allocate-8k-pgds-for-pti.patch new file mode 100644 index 00000000000..546f513f366 --- /dev/null +++ b/queue-4.9/x86-kexec-allocate-8k-pgds-for-pti.patch 
@@ -0,0 +1,82 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Joerg Roedel +Date: Wed, 25 Jul 2018 17:48:03 +0200 +Subject: x86/kexec: Allocate 8k PGDs for PTI + +From: Joerg Roedel + +[ Upstream commit ca38dc8f2724d101038b1205122c93a1c7f38f11 ] + +Fuzzing the PTI-x86-32 code with trinity showed unhandled +kernel paging request oops-messages that looked a lot like +silent data corruption. + +Lot's of debugging and testing lead to the kexec-32bit code, +which is still allocating 4k PGDs when PTI is enabled. But +since it uses native_set_pud() to build the page-table, it +will unevitably call into __pti_set_user_pgtbl(), which +writes beyond the allocated 4k page. + +Use PGD_ALLOCATION_ORDER to allocate PGDs in the kexec code +to fix the issue. + +Signed-off-by: Joerg Roedel +Signed-off-by: Thomas Gleixner +Tested-by: David H. Gutteridge +Cc: "H . Peter Anvin" +Cc: linux-mm@kvack.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Jiri Kosina +Cc: Boris Ostrovsky +Cc: Brian Gerst +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: Andrea Arcangeli +Cc: Waiman Long +Cc: Pavel Machek +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: joro@8bytes.org +Link: https://lkml.kernel.org/r/1532533683-5988-4-git-send-email-joro@8bytes.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/machine_kexec_32.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -70,7 +70,7 @@ static void load_segments(void) + + static void machine_kexec_free_page_tables(struct kimage *image) + { +- free_page((unsigned long)image->arch.pgd); ++ free_pages((unsigned 
long)image->arch.pgd, PGD_ALLOCATION_ORDER); + image->arch.pgd = NULL; + #ifdef CONFIG_X86_PAE + free_page((unsigned long)image->arch.pmd0); +@@ -86,7 +86,8 @@ static void machine_kexec_free_page_tabl + + static int machine_kexec_alloc_page_tables(struct kimage *image) + { +- image->arch.pgd = (pgd_t *)get_zeroed_page(GFP_KERNEL); ++ image->arch.pgd = (pgd_t *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, ++ PGD_ALLOCATION_ORDER); + #ifdef CONFIG_X86_PAE + image->arch.pmd0 = (pmd_t *)get_zeroed_page(GFP_KERNEL); + image->arch.pmd1 = (pmd_t *)get_zeroed_page(GFP_KERNEL); diff --git a/queue-4.9/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch b/queue-4.9/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch new file mode 100644 index 00000000000..14fdd5fdc7d --- /dev/null +++ b/queue-4.9/x86-mm-remove-in_nmi-warning-from-vmalloc_fault.patch 
@@ -0,0 +1,63 @@ +From foo@baz Mon Sep 17 12:22:41 CEST 2018 +From: Joerg Roedel +Date: Wed, 25 Jul 2018 17:48:01 +0200 +Subject: x86/mm: Remove in_nmi() warning from vmalloc_fault() + +From: Joerg Roedel + +[ Upstream commit 6863ea0cda8725072522cd78bda332d9a0b73150 ] + +It is perfectly okay to take page-faults, especially on the +vmalloc area while executing an NMI handler. Remove the +warning. + +Signed-off-by: Joerg Roedel +Signed-off-by: Thomas Gleixner +Tested-by: David H. Gutteridge +Cc: "H . Peter Anvin" +Cc: linux-mm@kvack.org +Cc: Linus Torvalds +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Josh Poimboeuf +Cc: Juergen Gross +Cc: Peter Zijlstra +Cc: Borislav Petkov +Cc: Jiri Kosina +Cc: Boris Ostrovsky +Cc: Brian Gerst +Cc: David Laight +Cc: Denys Vlasenko +Cc: Eduardo Valentin +Cc: Greg KH +Cc: Will Deacon +Cc: aliguori@amazon.com +Cc: daniel.gruss@iaik.tugraz.at +Cc: hughd@google.com +Cc: keescook@google.com +Cc: Andrea Arcangeli +Cc: Waiman Long +Cc: Pavel Machek +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: joro@8bytes.org +Link: https://lkml.kernel.org/r/1532533683-5988-2-git-send-email-joro@8bytes.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/fault.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/x86/mm/fault.c ++++ b/arch/x86/mm/fault.c +@@ -330,8 +330,6 @@ static noinline int vmalloc_fault(unsign + if (!(address >= VMALLOC_START && address < VMALLOC_END)) + return -1; + +- WARN_ON_ONCE(in_nmi()); +- + /* + * Synchronize this task's top level page-table + * with the 'reference' page table.
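Review bot: in queue-4.9/scsi-3ware-fix-return-0-on-the-error-path-of-probe.patch, the twa_reset_sequence() and twl_reset_sequence() failure branches in 3w-9xxx.c and 3w-sas.c set `retval = -ENOMEM`, which reports a failed controller reset as memory exhaustion; -ENODEV or -EIO would tell the caller what actually went wrong. The same applies to the pci_resource_start() failure branch in 3w-xxxx.c. Separately, the commit message lists tw_reset_sequence() among the tw_probe() paths that return 0, but the two 3w-xxxx.c hunks only touch the tw_initialize_device_extension() and pci_resource_start() branches, so either that path is already handled and the message overstates the problem, or the patch misses it. As this is a stable backport, any correction would need to land upstream first.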
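Review bot: in queue-4.9/tpm-tpm_i2c_infineon-switch-to-i2c_lock_bus-...-i2c_lock_segment.patch, the first iic_tpm_read() hunk leaves the context comment "Lock the adapter for the duration of the whole sequence." directly above a call that now takes only the I2C_LOCK_SEGMENT lock, so the comment no longer matches the code. Reword it to say the bus segment is locked, otherwise a later reader may assume the root adapter is held across the __i2c_transfer sequence. The four lock/unlock replacements are otherwise paired correctly, with each i2c_lock_bus() matched by an i2c_unlock_bus() using the same flag.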
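Review bot: in queue-4.9/tty-rocket-fix-possible-buffer-overwrite-on-register_pci.patch, the new `i >= NUM_BOARDS` test in register_PCI() is the last operand of the `||` chain, after `pci_enable_device(dev)`, so when the index is out of range the device has already been enabled by the time the function returns 0, and nothing in the hunk disables it again. Moving the bound check to the front of the condition (before `!dev`) rejects the board without touching the hardware. The check also only covers the upper bound; since `i` is a signed int used to index rcktpt_io_addr[], it is worth confirming that callers can never pass a negative value.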
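Review bot: in queue-4.9/x86-kexec-allocate-8k-pgds-for-pti.patch, the new `__get_free_pages(GFP_KERNEL | __GFP_ZERO, PGD_ALLOCATION_ORDER)` call in machine_kexec_alloc_page_tables() has no comment saying why the PGD needs more than one page, and the only explanation (native_set_pud() reaching __pti_set_user_pgtbl(), which writes past a 4k PGD) lives in the commit message. A one-line comment at the allocation would keep someone from simplifying it back to get_zeroed_page() and reintroducing the out-of-bounds write. The allocation and the free_pages() call in machine_kexec_free_page_tables() now have to use the same order, which a short note at either site would also make explicit.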