From: Greg Kroah-Hartman Date: Wed, 22 Aug 2018 08:06:01 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.18.5~43 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1dd7aceb0536805f90938eb146110c06e422b9aa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-nfit-fix-cmd_rc-for-acpi_nfit_ctl-to-always-return-a-value.patch alsa-seq-fix-ubsan-warning-at-sndrv_seq_ioctl_query_next_client-ioctl.patch arc-enable-machine_desc-init_per_cpu-for-config_smp.patch arc-explicitly-add-mmedium-calls-to-cflags.patch arc-improve-cmpxchg-syscall-implementation.patch arm-8780-1-ftrace-only-set-kernel-memory-back-to-read-only-after-boot.patch arm-dra7-omap5-enable-actlr-enable-invalidates-of-btb-for-secondary-cores.patch arm-dts-am3517.dtsi-disable-reference-to-omap3-otg-controller.patch arm-dts-am437x-make-edt-ft5x06-a-wakeup-source.patch arm-dts-cygnus-fix-i2c-controller-interrupt-type.patch arm-dts-cygnus-fix-pcie-controller-interrupt-type.patch arm-dts-da850-fix-interrups-property-for-gpio.patch arm-dts-nsp-fix-i2c-controller-interrupt-type.patch arm-dts-nsp-fix-pcie-controllers-interrupt-types.patch arm-imx_v4_v5_defconfig-select-ulpi-support.patch arm-imx_v6_v7_defconfig-select-ulpi-support.patch arm-pxa-irq-fix-handling-of-icmr-registers-in-suspend-resume.patch arm64-dts-ns2-fix-i2c-controller-interrupt-type.patch arm64-make-secondary_start_kernel-notrace.patch batman-adv-fix-bat_ogm_iv-best-gw-refcnt-after-netlink-dump.patch batman-adv-fix-bat_v-best-gw-refcnt-after-netlink-dump.patch bnx2x-fix-receiving-tx-timeout-in-error-or-recovery-state.patch bnxt_en-always-set-output-parameters-in-bnxt_get_max_rings.patch bnxt_en-fix-for-system-hang-if-request_irq-fails.patch bpf-s390-fix-potential-memleak-when-later-bpf_jit_prog-fails.patch brcmfmac-stop-watchdog-before-detach-and-free-everything.patch ceph-fix-dentry-leak-in-splice_dentry.patch cxgb4-when-disabling-dcb-set-txq-dcb-priority-to-0.patch dmaengine-k3dma-off-by-one-in-k3_of_dma_simple_xlate.patch dmaengine-pl330-report-burst-residue-granularity.patch drm-armada-fix-colorkey-mode-property.patch drm-exynos-decon5433-fix-per-plane-global-alpha-for-xrgb-modes.patch drm-exynos-decon5433-fix-winconx-reset-value.patch drm-exynos-gsc-fix-support-for-nv16-61-yuv420-yvu420-and-yuv422-modes.patch drm-mali-dp-enable-global-se-interrupts-mask-for-dp500.patch drm-nouveau-gem-off-by-one-bugs-in-nouveau_gem_pushbuf_reloc_apply.patch enic-initialize-enic-rfs_h.lock-in-enic_probe.patch hid-wacom-correct-touch-maximum-xy-of-2nd-gen-intuos.patch ib-rxe-fix-missing-completion-for-mem_reg-work-requests.patch ieee802154-6lowpan-set-ifla_link.patch ieee802154-at86rf230-switch-from-bug_on-to-warn_on-on-problem.patch ieee802154-at86rf230-use-__func__-macro-for-debug-messages.patch ieee802154-fakelb-switch-from-bug_on-to-warn_on-on-problem.patch iio-pressure-bmp280-fix-relative-humidity-unit.patch ipv6-make-ipv6_renew_options-interrupt-kernel-safe.patch ipv6-mcast-fix-unsolicited-report-interval-after-receiving-querys.patch ipvlan-call-dev_change_flags-when-ipvlan-mode-is-reset.patch ixgbe-be-more-careful-when-modifying-mac-filters.patch kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch kvm-arm-arm64-drop-resource-size-check-for-gicv-window.patch libahci-fix-possible-spectre-v1-pmp-indexing-in-ahci_led_store.patch locking-lockdep-do-not-record-irq-state-within-lockdep-code.patch m68k-fix-bad-page-state-oops-on-coldfire-boot.patch md-raid10-fix-that-replacement-cannot-complete-recovery-after-reassemble.patch net-davinci_emac-match-the-mdio-device-against-its-compatible-if-possible.patch net-ethernet-freescale-fman-fix-cross-build-error.patch net-hamradio-use-eth_broadcast_addr.patch net-propagate-dev_get_valid_name-return-code.patch net-qca_spi-avoid-packet-drop-during-initial-sync.patch net-qca_spi-fix-log-level-if-probe-fails.patch net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch net-qrtr-broadcast-messages-only-from-control-port.patch net-sched-act_tunnel_key-fix-null-dereference-when-goto-chain-is-used.patch net-stmmac-socfpga-add-additional-ocp-reset-line-for-stratix10.patch net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch netfilter-ipv6-nf_defrag-reduce-struct-net-memory-waste.patch netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dostring.patch netfilter-x_tables-set-module-owner-for-icmp-6-matches.patch nfc-pn533-fix-wrong-gfp-flag-usage.patch nfit-fix-unchecked-dereference-in-acpi_nfit_ctl.patch nl80211-relax-ht-operation-checks-for-mesh.patch nvmet-reset-keep-alive-timer-in-controller-enable.patch objtool-support-gcc-8-fnoreorder-functions.patch octeon_mgmt-fix-mix-registers-configuration-on-mtu-setup.patch packet-reset-network-header-if-packet-shorter-than-ll-reserved-space.patch pci-versatile-fix-i-o-space-page-leak.patch pci-xilinx-add-missing-of_node_put.patch pci-xilinx-nwl-add-missing-of_node_put.patch perf-bench-fix-numa-report-output-code.patch perf-llvm-utils-remove-bashism-from-kernel-include-fetch-script.patch perf-report-powerpc-fix-crash-if-callchain-is-empty.patch perf-test-session-topology-fix-test-on-s390.patch perf-tests-add-event-parsing-error-handling-to-parse-events-test.patch pinctrl-nsp-fix-potential-null-dereference.patch pinctrl-nsp-off-by-ones-in-nsp_pinmux_enable.patch qed-add-sanity-check-for-simd-fastpath-handler.patch qlogic-check-kstrtoul-for-errors.patch ravb-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch ravb-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch rdma-mlx5-fix-memory-leak-in-mlx5_ib_create_srq-error-path.patch samples-bpf-add-missing-linux-if_vlan.h.patch samples-bpf-check-the-error-of-write-and-read.patch scsi-xen-scsifront-add-error-handling-for-xenbus_printf.patch selftests-pstore-return-kselftest-skip-code-for-skipped-tests.patch selftests-static_keys-return-kselftest-skip-code-for-skipped-tests.patch selftests-sync-add-config-fragment-for-testing-sync-framework.patch selftests-user-return-kselftest-skip-code-for-skipped-tests.patch selftests-x86-sigreturn-64-fix-spurious-failures-on-amd-cpus.patch selftests-x86-sigreturn-do-minor-cleanups.patch selftests-zram-return-kselftest-skip-code-for-skipped-tests.patch sh_eth-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch sh_eth-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch smack-mark-inode-instant-in-smack_task_to_inode.patch smsc75xx-add-workaround-for-gigabit-link-up-hardware-errata.patch tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch tcp-remove-delayed-ack-events-in-dctcp.patch tools-build-use-hostldflags-with-fixdep.patch tracing-use-__printf-markup-to-silence-compiler.patch usb-dwc2-fix-isoc-split-in-transfer-with-no-data.patch usb-dwc3-of-simple-fix-use-after-free-on-remove.patch usb-gadget-composite-fix-delayed_status-race-condition-when-set_interface.patch usb-gadget-dwc2-fix-memory-leak-in-gadget_init.patch usb-xhci-increase-crs-timeout-value.patch usb-xhci-remove-the-code-build-warning.patch xen-add-error-handling-for-xenbus_printf.patch xen-scsiback-add-error-handling-for-xenbus_printf.patch --- diff --git a/queue-4.9/acpi-nfit-fix-cmd_rc-for-acpi_nfit_ctl-to-always-return-a-value.patch b/queue-4.9/acpi-nfit-fix-cmd_rc-for-acpi_nfit_ctl-to-always-return-a-value.patch new file mode 100644 index 00000000000..28deb5741c2 --- /dev/null +++ b/queue-4.9/acpi-nfit-fix-cmd_rc-for-acpi_nfit_ctl-to-always-return-a-value.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dave Jiang +Date: Thu, 28 Jun 2018 09:56:55 -0700 +Subject: acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value + +From: Dave Jiang + +[ Upstream commit c1985cefd844e26bd19673a6df8d8f0b1918c2db ] + +cmd_rc is passed in by reference to the acpi_nfit_ctl() function and the +caller expects a value returned. However, when the package is pass through +via the ND_CMD_CALL command, cmd_rc is not touched. Make sure cmd_rc is +always set. + +Fixes: aef253382266 ("libnvdimm, nfit: centralize command status translation") + +Signed-off-by: Dave Jiang +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/nfit/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -201,6 +201,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + const u8 *uuid; + int rc, i; + ++ *cmd_rc = -EINVAL; + func = cmd; + if (cmd == ND_CMD_CALL) { + call_pkg = buf; +@@ -288,6 +289,7 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + * If we return an error (like elsewhere) then caller wouldn't + * be able to rely upon data returned to make calculation. + */ ++ *cmd_rc = 0; + return 0; + } + diff --git a/queue-4.9/alsa-seq-fix-ubsan-warning-at-sndrv_seq_ioctl_query_next_client-ioctl.patch b/queue-4.9/alsa-seq-fix-ubsan-warning-at-sndrv_seq_ioctl_query_next_client-ioctl.patch new file mode 100644 index 00000000000..e44323e8d95 --- /dev/null +++ b/queue-4.9/alsa-seq-fix-ubsan-warning-at-sndrv_seq_ioctl_query_next_client-ioctl.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Takashi Iwai +Date: Mon, 25 Jun 2018 11:13:59 +0200 +Subject: ALSA: seq: Fix UBSAN warning at SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT ioctl + +From: Takashi Iwai + +[ Upstream commit c9a4c63888dbb79ce4d068ca1dd8b05bc3f156b1 ] + +The kernel may spew a WARNING with UBSAN undefined behavior at +handling ALSA sequencer ioctl SNDRV_SEQ_IOCTL_QUERY_NEXT_CLIENT: + +UBSAN: Undefined behaviour in sound/core/seq/seq_clientmgr.c:2007:14 +signed integer overflow: +2147483647 + 1 cannot be represented in type 'int' +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x122/0x1c8 lib/dump_stack.c:113 + ubsan_epilogue+0x12/0x86 lib/ubsan.c:159 + handle_overflow+0x1c2/0x21f lib/ubsan.c:190 + __ubsan_handle_add_overflow+0x2a/0x31 lib/ubsan.c:198 + snd_seq_ioctl_query_next_client+0x1ac/0x1d0 sound/core/seq/seq_clientmgr.c:2007 + snd_seq_ioctl+0x264/0x3d0 sound/core/seq/seq_clientmgr.c:2144 + .... + +It happens only when INT_MAX is passed there, as we're incrementing it +unconditionally. So the fix is trivial, check the value with +INT_MAX. Although the bug itself is fairly harmless, it's better to +fix it so that fuzzers won't hit this again later. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200211 +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -2002,7 +2002,8 @@ static int snd_seq_ioctl_query_next_clie + struct snd_seq_client *cptr = NULL; + + /* search for next client */ +- info->client++; ++ if (info->client < INT_MAX) ++ info->client++; + if (info->client < 0) + info->client = 0; + for (; info->client < SNDRV_SEQ_MAX_CLIENTS; info->client++) { diff --git a/queue-4.9/arc-enable-machine_desc-init_per_cpu-for-config_smp.patch b/queue-4.9/arc-enable-machine_desc-init_per_cpu-for-config_smp.patch new file mode 100644 index 00000000000..911be768aab --- /dev/null +++ b/queue-4.9/arc-enable-machine_desc-init_per_cpu-for-config_smp.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Alexey Brodkin +Date: Wed, 29 Nov 2017 11:21:45 +0300 +Subject: ARC: Enable machine_desc->init_per_cpu for !CONFIG_SMP + +From: Alexey Brodkin + +[ Upstream commit 2f24ef7413a4d91657ef04e77c27ce0b313e6c95 ] + +machine_desc->init_per_cpu() hook is supposed to be per cpu +initialization and would seem to apply equally to UP and/or SMP. +Infact the comment in header file seems to suggest it works for +UP too, which was not the case and this patch. + +This enables !CONFIG_SMP build for platforms such as hsdk. + +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +[vgupta: trimmeed changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/mach_desc.h | 2 -- + arch/arc/kernel/irq.c | 2 +- + 2 files changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/arc/include/asm/mach_desc.h ++++ b/arch/arc/include/asm/mach_desc.h +@@ -34,9 +34,7 @@ struct machine_desc { + const char *name; + const char **dt_compat; + void (*init_early)(void); +-#ifdef CONFIG_SMP + void (*init_per_cpu)(unsigned int); +-#endif + void (*init_machine)(void); + void (*init_late)(void); + +--- a/arch/arc/kernel/irq.c ++++ b/arch/arc/kernel/irq.c +@@ -31,10 +31,10 @@ void __init init_IRQ(void) + /* a SMP H/w block could do IPI IRQ request here */ + if (plat_smp_ops.init_per_cpu) + plat_smp_ops.init_per_cpu(smp_processor_id()); ++#endif + + if (machine_desc->init_per_cpu) + machine_desc->init_per_cpu(smp_processor_id()); +-#endif + } + + /* diff --git a/queue-4.9/arc-explicitly-add-mmedium-calls-to-cflags.patch b/queue-4.9/arc-explicitly-add-mmedium-calls-to-cflags.patch new file mode 100644 index 00000000000..56f1a6783f8 --- /dev/null +++ b/queue-4.9/arc-explicitly-add-mmedium-calls-to-cflags.patch @@ -0,0 +1,79 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Alexey Brodkin +Date: Fri, 1 Jun 2018 14:34:33 +0300 +Subject: ARC: Explicitly add -mmedium-calls to CFLAGS + +From: Alexey Brodkin + +[ Upstream commit 74c11e300c103af47db5b658fdcf28002421e250 ] + +GCC built for arc*-*-linux has "-mmedium-calls" implicitly enabled by default +thus we don't see any problems during Linux kernel compilation. +----------------------------->8------------------------ +arc-linux-gcc -mcpu=arc700 -Q --help=target | grep calls + -mlong-calls [disabled] + -mmedium-calls [enabled] +----------------------------->8------------------------ + +But if we try to use so-called Elf32 toolchain with GCC configured for +arc*-*-elf* then we'd see the following failure: +----------------------------->8------------------------ +init/do_mounts.o: In function 'init_rootfs': +do_mounts.c:(.init.text+0x108): relocation truncated to fit: R_ARC_S21W_PCREL +against symbol 'unregister_filesystem' defined in .text section in fs/filesystems.o + +arc-elf32-ld: final link failed: Symbol needs debug section which does not exist +make: *** [vmlinux] Error 1 +----------------------------->8------------------------ + +That happens because neither "-mmedium-calls" nor "-mlong-calls" are enabled in +Elf32 GCC: +----------------------------->8------------------------ +arc-elf32-gcc -mcpu=arc700 -Q --help=target | grep calls + -mlong-calls [disabled] + -mmedium-calls [disabled] +----------------------------->8------------------------ + +Now to make it possible to use Elf32 toolchain for building Linux kernel +we're explicitly add "-mmedium-calls" to CFLAGS. + +And since we add "-mmedium-calls" to the global CFLAGS there's no point in +having per-file copies thus removing them. + +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/Makefile | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +--- a/arch/arc/Makefile ++++ b/arch/arc/Makefile +@@ -18,7 +18,7 @@ endif + + KBUILD_DEFCONFIG := nsim_700_defconfig + +-cflags-y += -fno-common -pipe -fno-builtin -D__linux__ ++cflags-y += -fno-common -pipe -fno-builtin -mmedium-calls -D__linux__ + cflags-$(CONFIG_ISA_ARCOMPACT) += -mA7 + cflags-$(CONFIG_ISA_ARCV2) += -mcpu=archs + +@@ -141,16 +141,3 @@ dtbs: scripts + + archclean: + $(Q)$(MAKE) $(clean)=$(boot) +- +-# Hacks to enable final link due to absence of link-time branch relexation +-# and gcc choosing optimal(shorter) branches at -O3 +-# +-# vineetg Feb 2010: -mlong-calls switched off for overall kernel build +-# However lib/decompress_inflate.o (.init.text) calls +-# zlib_inflate_workspacesize (.text) causing relocation errors. +-# Thus forcing all exten calls in this file to be long calls +-export CFLAGS_decompress_inflate.o = -mmedium-calls +-export CFLAGS_initramfs.o = -mmedium-calls +-ifdef CONFIG_SMP +-export CFLAGS_core.o = -mmedium-calls +-endif diff --git a/queue-4.9/arc-improve-cmpxchg-syscall-implementation.patch b/queue-4.9/arc-improve-cmpxchg-syscall-implementation.patch new file mode 100644 index 00000000000..be31dcf4249 --- /dev/null +++ b/queue-4.9/arc-improve-cmpxchg-syscall-implementation.patch @@ -0,0 +1,109 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Peter Zijlstra +Date: Tue, 19 Jun 2018 17:22:05 +0300 +Subject: ARC: Improve cmpxchg syscall implementation + +From: Peter Zijlstra + +[ Upstream commit e8708786d4fe21c043d38d760f768949a3d71185 ] + +This is used in configs lacking hardware atomics to emulate atomic r-m-w +for user space, implemented by disabling preemption in kernel. + +However there are issues in current implementation: + +1. Process not terminated if invalid user pointer passed: + i.e. __get_user() failed. + +2. The reason for this patch was __put_user() failure not being handled + either, specifically for the COW break scenario. + The zero page is initially wired up and read from __get_user() + succeeds. A subsequent write by __put_user() induces a + Protection Violation, but COW can't finish as Linux page fault + handler is disabled due to preempt disable. + And what's worse is we silently return the stale value to user space. + Fix this specific case by re-enabling preemption and explicitly + fixing up the fault and retrying the whole sequence over. + +Cc: Max Filippov +Cc: linux-arch@vger.kernel.org +Signed-off-by: Alexey Brodkin +Signed-off-by: Peter Zijlstra +Signed-off-by: Vineet Gupta +[vgupta: rewrote the changelog] +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/kernel/process.c | 47 +++++++++++++++++++++++++++++++++++----------- + 1 file changed, 36 insertions(+), 11 deletions(-) + +--- a/arch/arc/kernel/process.c ++++ b/arch/arc/kernel/process.c +@@ -44,7 +44,8 @@ SYSCALL_DEFINE0(arc_gettls) + SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, uaddr, int, expected, int, new) + { + struct pt_regs *regs = current_pt_regs(); +- int uval = -EFAULT; ++ u32 uval; ++ int ret; + + /* + * This is only for old cores lacking LLOCK/SCOND, which by defintion +@@ -57,23 +58,47 @@ SYSCALL_DEFINE3(arc_usr_cmpxchg, int *, + /* Z indicates to userspace if operation succeded */ + regs->status32 &= ~STATUS_Z_MASK; + +- if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int))) +- return -EFAULT; ++ ret = access_ok(VERIFY_WRITE, uaddr, sizeof(*uaddr)); ++ if (!ret) ++ goto fail; + ++again: + preempt_disable(); + +- if (__get_user(uval, uaddr)) +- goto done; ++ ret = __get_user(uval, uaddr); ++ if (ret) ++ goto fault; + +- if (uval == expected) { +- if (!__put_user(new, uaddr)) +- regs->status32 |= STATUS_Z_MASK; +- } ++ if (uval != expected) ++ goto out; + +-done: +- preempt_enable(); ++ ret = __put_user(new, uaddr); ++ if (ret) ++ goto fault; ++ ++ regs->status32 |= STATUS_Z_MASK; + ++out: ++ preempt_enable(); + return uval; ++ ++fault: ++ preempt_enable(); ++ ++ if (unlikely(ret != -EFAULT)) ++ goto fail; ++ ++ down_read(¤t->mm->mmap_sem); ++ ret = fixup_user_fault(current, current->mm, (unsigned long) uaddr, ++ FAULT_FLAG_WRITE, NULL); ++ up_read(¤t->mm->mmap_sem); ++ ++ if (likely(!ret)) ++ goto again; ++ ++fail: ++ force_sig(SIGSEGV, current); ++ return ret; + } + + void arch_cpu_idle(void) diff --git a/queue-4.9/arm-8780-1-ftrace-only-set-kernel-memory-back-to-read-only-after-boot.patch b/queue-4.9/arm-8780-1-ftrace-only-set-kernel-memory-back-to-read-only-after-boot.patch new file mode 100644 index 00000000000..015a5f1b36c --- /dev/null +++ b/queue-4.9/arm-8780-1-ftrace-only-set-kernel-memory-back-to-read-only-after-boot.patch @@ -0,0 +1,71 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Tue, 10 Jul 2018 08:22:40 +0100 +Subject: ARM: 8780/1: ftrace: Only set kernel memory back to read-only after boot + +From: "Steven Rostedt (VMware)" + +[ Upstream commit b4c7e2bd2eb4764afe3af9409ff3b1b87116fa30 ] + +Dynamic ftrace requires modifying the code segments that are usually +set to read-only. To do this, a per arch function is called both before +and after the ftrace modifications are performed. The "before" function +will set kernel code text to read-write to allow for ftrace to make the +modifications, and the "after" function will set the kernel code text +back to "read-only" to keep the kernel code text protected. + +The issue happens when dynamic ftrace is tested at boot up. The test is +done before the kernel code text has been set to read-only. But the +"before" and "after" calls are still performed. The "after" call will +change the kernel code text to read-only prematurely, and other boot +code that expects this code to be read-write will fail. + +The solution is to add a variable that is set when the kernel code text +is expected to be converted to read-only, and make the ftrace "before" +and "after" calls do nothing if that variable is not yet set. This is +similar to the x86 solution from commit 162396309745 ("ftrace, x86: +make kernel text writable only for conversions"). + +Link: http://lkml.kernel.org/r/20180620212906.24b7b66e@vmware.local.home + +Reported-by: Stefan Agner +Tested-by: Stefan Agner +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mm/init.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/arm/mm/init.c ++++ b/arch/arm/mm/init.c +@@ -722,19 +722,28 @@ int __mark_rodata_ro(void *unused) + return 0; + } + ++static int kernel_set_to_readonly __read_mostly; ++ + void mark_rodata_ro(void) + { ++ kernel_set_to_readonly = 1; + stop_machine(__mark_rodata_ro, NULL, NULL); + } + + void set_kernel_text_rw(void) + { ++ if (!kernel_set_to_readonly) ++ return; ++ + set_section_perms(ro_perms, ARRAY_SIZE(ro_perms), false, + current->active_mm); + } + + void set_kernel_text_ro(void) + { ++ if (!kernel_set_to_readonly) ++ return; ++ + set_section_perms(ro_perms, ARRAY_SIZE(ro_perms), true, + current->active_mm); + } diff --git a/queue-4.9/arm-dra7-omap5-enable-actlr-enable-invalidates-of-btb-for-secondary-cores.patch b/queue-4.9/arm-dra7-omap5-enable-actlr-enable-invalidates-of-btb-for-secondary-cores.patch new file mode 100644 index 00000000000..498f6d10fbc --- /dev/null +++ b/queue-4.9/arm-dra7-omap5-enable-actlr-enable-invalidates-of-btb-for-secondary-cores.patch @@ -0,0 +1,87 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Nishanth Menon +Date: Tue, 10 Jul 2018 14:47:25 -0500 +Subject: ARM: DRA7/OMAP5: Enable ACTLR[0] (Enable invalidates of BTB) for secondary cores + +From: Nishanth Menon + +[ Upstream commit 2f8b5b21830aea95989a6e67d8a971297272a086 ] + +Call secure services to enable ACTLR[0] (Enable invalidates of BTB with +ICIALLU) when branch hardening is enabled for kernel. + +On GP devices OMAP5/DRA7, there is no possibility to update secure +side since "secure world" is ROM and there are no override mechanisms +possible. On HS devices, appropriate PPA should do the workarounds as +well. + +However, the configuration is only done for secondary core, since it is +expected that firmware/bootloader will have enabled the required +configuration for the primary boot core (note: bootloaders typically +will NOT enable secondary processors, since it has no need to do so). + +Signed-off-by: Nishanth Menon +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap-smp.c | 41 +++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 41 insertions(+) + +--- a/arch/arm/mach-omap2/omap-smp.c ++++ b/arch/arm/mach-omap2/omap-smp.c +@@ -104,6 +104,45 @@ void omap5_erratum_workaround_801819(voi + static inline void omap5_erratum_workaround_801819(void) { } + #endif + ++#ifdef CONFIG_HARDEN_BRANCH_PREDICTOR ++/* ++ * Configure ACR and enable ACTLR[0] (Enable invalidates of BTB with ++ * ICIALLU) to activate the workaround for secondary Core. ++ * NOTE: it is assumed that the primary core's configuration is done ++ * by the boot loader (kernel will detect a misconfiguration and complain ++ * if this is not done). ++ * ++ * In General Purpose(GP) devices, ACR bit settings can only be done ++ * by ROM code in "secure world" using the smc call and there is no ++ * option to update the "firmware" on such devices. This also works for ++ * High security(HS) devices, as a backup option in case the ++ * "update" is not done in the "security firmware". ++ */ ++static void omap5_secondary_harden_predictor(void) ++{ ++ u32 acr, acr_mask; ++ ++ asm volatile ("mrc p15, 0, %0, c1, c0, 1" : "=r" (acr)); ++ ++ /* ++ * ACTLR[0] (Enable invalidates of BTB with ICIALLU) ++ */ ++ acr_mask = BIT(0); ++ ++ /* Do we already have it done.. if yes, skip expensive smc */ ++ if ((acr & acr_mask) == acr_mask) ++ return; ++ ++ acr |= acr_mask; ++ omap_smc1(OMAP5_DRA7_MON_SET_ACR_INDEX, acr); ++ ++ pr_debug("%s: ARM ACR setup for CVE_2017_5715 applied on CPU%d\n", ++ __func__, smp_processor_id()); ++} ++#else ++static inline void omap5_secondary_harden_predictor(void) { } ++#endif ++ + static void omap4_secondary_init(unsigned int cpu) + { + /* +@@ -126,6 +165,8 @@ static void omap4_secondary_init(unsigne + set_cntfreq(); + /* Configure ACR to disable streaming WA for 801819 */ + omap5_erratum_workaround_801819(); ++ /* Enable ACR to allow for ICUALLU workaround */ ++ omap5_secondary_harden_predictor(); + } + + /* diff --git a/queue-4.9/arm-dts-am3517.dtsi-disable-reference-to-omap3-otg-controller.patch b/queue-4.9/arm-dts-am3517.dtsi-disable-reference-to-omap3-otg-controller.patch new file mode 100644 index 00000000000..7043ef2ef16 --- /dev/null +++ b/queue-4.9/arm-dts-am3517.dtsi-disable-reference-to-omap3-otg-controller.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Adam Ford +Date: Wed, 11 Jul 2018 12:54:54 -0500 +Subject: ARM: dts: am3517.dtsi: Disable reference to OMAP3 OTG controller + +From: Adam Ford + +[ Upstream commit 923847413f7316b5ced3491769b3fefa6c56a79a ] + +The AM3517 has a different OTG controller location than the OMAP3, +which is included from omap3.dtsi. This results in a hwmod error. +Since the AM3517 has a different OTG controller address, this patch +disabes one that is isn't available. + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/am3517.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/arm/boot/dts/am3517.dtsi ++++ b/arch/arm/boot/dts/am3517.dtsi +@@ -74,6 +74,11 @@ + }; + }; + ++/* Table Table 5-79 of the TRM shows 480ab000 is reserved */ ++&usb_otg_hs { ++ status = "disabled"; ++}; ++ + &iva { + status = "disabled"; + }; diff --git a/queue-4.9/arm-dts-am437x-make-edt-ft5x06-a-wakeup-source.patch b/queue-4.9/arm-dts-am437x-make-edt-ft5x06-a-wakeup-source.patch new file mode 100644 index 00000000000..63eba307076 --- /dev/null +++ b/queue-4.9/arm-dts-am437x-make-edt-ft5x06-a-wakeup-source.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Daniel Mack +Date: Sun, 17 Jun 2018 13:53:09 +0200 +Subject: ARM: dts: am437x: make edt-ft5x06 a wakeup source + +From: Daniel Mack + +[ Upstream commit 49a6ec5b807ea4ad7ebe1f58080ebb8497cb2d2c ] + +The touchscreen driver no longer configures the device as wakeup source by +default. A "wakeup-source" property is needed. + +Signed-off-by: Daniel Mack +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/am437x-sk-evm.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/am437x-sk-evm.dts ++++ b/arch/arm/boot/dts/am437x-sk-evm.dts +@@ -533,6 +533,8 @@ + + touchscreen-size-x = <480>; + touchscreen-size-y = <272>; ++ ++ wakeup-source; + }; + + tlv320aic3106: tlv320aic3106@1b { diff --git a/queue-4.9/arm-dts-cygnus-fix-i2c-controller-interrupt-type.patch b/queue-4.9/arm-dts-cygnus-fix-i2c-controller-interrupt-type.patch new file mode 100644 index 00000000000..9797d793b10 --- /dev/null +++ b/queue-4.9/arm-dts-cygnus-fix-i2c-controller-interrupt-type.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ray Jui +Date: Tue, 12 Jun 2018 13:21:27 -0700 +Subject: ARM: dts: Cygnus: Fix I2C controller interrupt type + +From: Ray Jui + +[ Upstream commit 71ca3409703b62b6a092d0d9d13f366c121bc5d3 ] + +Fix I2C controller interrupt to use IRQ_TYPE_LEVEL_HIGH for Broadcom +Cygnus SoC. + +Fixes: b51c05a331ff ("ARM: dts: add I2C device nodes for Broadcom Cygnus") +Signed-off-by: Ray Jui +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-cygnus.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/bcm-cygnus.dtsi ++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi +@@ -128,7 +128,7 @@ + reg = <0x18008000 0x100>; + #address-cells = <1>; + #size-cells = <0>; +- interrupts = ; ++ interrupts = ; + clock-frequency = <100000>; + status = "disabled"; + }; +@@ -157,7 +157,7 @@ + reg = <0x1800b000 0x100>; + #address-cells = <1>; + #size-cells = <0>; +- interrupts = ; ++ interrupts = ; + clock-frequency = <100000>; + status = "disabled"; + }; diff --git a/queue-4.9/arm-dts-cygnus-fix-pcie-controller-interrupt-type.patch b/queue-4.9/arm-dts-cygnus-fix-pcie-controller-interrupt-type.patch new file mode 100644 index 00000000000..c22ca459e77 --- /dev/null +++ b/queue-4.9/arm-dts-cygnus-fix-pcie-controller-interrupt-type.patch @@ -0,0 +1,72 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ray Jui +Date: Tue, 12 Jun 2018 13:21:28 -0700 +Subject: ARM: dts: Cygnus: Fix PCIe controller interrupt type + +From: Ray Jui + +[ Upstream commit 6cb1628ad3506b315cdddd7676db0ff2af378d28 ] + +Fix PCIe controller interrupt to use IRQ_TYPE_LEVEL_HIGH for Broadcom +Cygnus SoC + +Fixes: cd590b50a936 ("ARM: dts: enable PCIe support for Cygnus") +Fixes: f6b889358a82 ("ARM: dts: Enable MSI support for Broadcom Cygnus") +Signed-off-by: Ray Jui +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-cygnus.dtsi | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/arch/arm/boot/dts/bcm-cygnus.dtsi ++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi +@@ -168,7 +168,7 @@ + + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; +- interrupt-map = <0 0 0 0 &gic GIC_SPI 100 IRQ_TYPE_NONE>; ++ interrupt-map = <0 0 0 0 &gic GIC_SPI 100 IRQ_TYPE_LEVEL_HIGH>; + + linux,pci-domain = <0>; + +@@ -190,10 +190,10 @@ + compatible = "brcm,iproc-msi"; + msi-controller; + interrupt-parent = <&gic>; +- interrupts = , +- , +- , +- ; ++ interrupts = , ++ , ++ , ++ ; + }; + }; + +@@ -203,7 +203,7 @@ + + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; +- interrupt-map = <0 0 0 0 &gic GIC_SPI 106 IRQ_TYPE_NONE>; ++ interrupt-map = <0 0 0 0 &gic GIC_SPI 106 IRQ_TYPE_LEVEL_HIGH>; + + linux,pci-domain = <1>; + +@@ -225,10 +225,10 @@ + compatible = "brcm,iproc-msi"; + msi-controller; + interrupt-parent = <&gic>; +- interrupts = , +- , +- , +- ; ++ interrupts = , ++ , ++ , ++ ; + }; + }; + diff --git a/queue-4.9/arm-dts-da850-fix-interrups-property-for-gpio.patch b/queue-4.9/arm-dts-da850-fix-interrups-property-for-gpio.patch new file mode 100644 index 00000000000..7a52975f3b8 --- /dev/null +++ b/queue-4.9/arm-dts-da850-fix-interrups-property-for-gpio.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Keerthy +Date: Tue, 5 Jun 2018 15:37:51 +0530 +Subject: ARM: dts: da850: Fix interrups property for gpio + +From: Keerthy + +[ Upstream commit 3eb1b955cd7ed1e621ace856710006c2a8a7f231 ] + +The intc #interrupt-cells is equal to 1. Currently gpio +node has 2 cells per IRQ which is wrong. Remove the additional +cell for each of the interrupts. + +Signed-off-by: Keerthy +Fixes: 2e38b946dc54 ("ARM: davinci: da850: add GPIO DT node") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/da850.dtsi | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/arch/arm/boot/dts/da850.dtsi ++++ b/arch/arm/boot/dts/da850.dtsi +@@ -377,11 +377,7 @@ + gpio-controller; + #gpio-cells = <2>; + reg = <0x226000 0x1000>; +- interrupts = <42 IRQ_TYPE_EDGE_BOTH +- 43 IRQ_TYPE_EDGE_BOTH 44 IRQ_TYPE_EDGE_BOTH +- 45 IRQ_TYPE_EDGE_BOTH 46 IRQ_TYPE_EDGE_BOTH +- 47 IRQ_TYPE_EDGE_BOTH 48 IRQ_TYPE_EDGE_BOTH +- 49 IRQ_TYPE_EDGE_BOTH 50 IRQ_TYPE_EDGE_BOTH>; ++ interrupts = <42 43 44 45 46 47 48 49 50>; + ti,ngpio = <144>; + ti,davinci-gpio-unbanked = <0>; + status = "disabled"; diff --git a/queue-4.9/arm-dts-nsp-fix-i2c-controller-interrupt-type.patch b/queue-4.9/arm-dts-nsp-fix-i2c-controller-interrupt-type.patch new file mode 100644 index 00000000000..4c27e44e7a3 --- /dev/null +++ b/queue-4.9/arm-dts-nsp-fix-i2c-controller-interrupt-type.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Florian Fainelli +Date: Mon, 11 Jun 2018 15:47:12 -0700 +Subject: ARM: dts: NSP: Fix i2c controller interrupt type + +From: Florian Fainelli + +[ Upstream commit a3e32e78a40017756c71ef6dad429ffe3301126a ] + +The i2c controller should use IRQ_TYPE_LEVEL_HIGH instead of +IRQ_TYPE_NONE. + +Fixes: 0f9f27a36d09 ("ARM: dts: NSP: Add I2C support to the DT") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-nsp.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm-nsp.dtsi ++++ b/arch/arm/boot/dts/bcm-nsp.dtsi +@@ -288,7 +288,7 @@ + reg = <0x38000 0x50>; + #address-cells = <1>; + #size-cells = <0>; +- interrupts = ; ++ interrupts = ; + clock-frequency = <100000>; + }; + diff --git a/queue-4.9/arm-dts-nsp-fix-pcie-controllers-interrupt-types.patch b/queue-4.9/arm-dts-nsp-fix-pcie-controllers-interrupt-types.patch new file mode 100644 index 00000000000..58ecacb953b --- /dev/null +++ b/queue-4.9/arm-dts-nsp-fix-pcie-controllers-interrupt-types.patch @@ -0,0 +1,95 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Florian Fainelli +Date: Mon, 11 Jun 2018 15:47:13 -0700 +Subject: ARM: dts: NSP: Fix PCIe controllers interrupt types + +From: Florian Fainelli + +[ Upstream commit 403fde644855bc71318c8db65646383e22653b13 ] + +The interrupts for the PCIe controllers should all be of type +IRQ_TYPE_LEVEL_HIGH instead of IRQ_TYPE_NONE. + +Fixes: d71eb9412088 ("ARM: dts: NSP: Add MSI support on PCI") +Fixes: 522199029fdc ("ARM: dts: NSP: Fix PCIE DT issue") +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-nsp.dtsi | 30 +++++++++++++++--------------- + 1 file changed, 15 insertions(+), 15 deletions(-) + +--- a/arch/arm/boot/dts/bcm-nsp.dtsi ++++ b/arch/arm/boot/dts/bcm-nsp.dtsi +@@ -375,7 +375,7 @@ + + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; +- interrupt-map = <0 0 0 0 &gic GIC_SPI 131 IRQ_TYPE_NONE>; ++ interrupt-map = <0 0 0 0 &gic GIC_SPI 131 IRQ_TYPE_LEVEL_HIGH>; + + linux,pci-domain = <0>; + +@@ -397,10 +397,10 @@ + compatible = "brcm,iproc-msi"; + msi-controller; + interrupt-parent = <&gic>; +- interrupts = , +- , +- , +- ; ++ interrupts = , ++ , ++ , ++ ; + brcm,pcie-msi-inten; + }; + }; +@@ -411,7 +411,7 @@ + + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; +- interrupt-map = <0 0 0 0 &gic GIC_SPI 137 IRQ_TYPE_NONE>; ++ interrupt-map = <0 0 0 0 &gic GIC_SPI 137 IRQ_TYPE_LEVEL_HIGH>; + + linux,pci-domain = <1>; + +@@ -433,10 +433,10 @@ + compatible = "brcm,iproc-msi"; + msi-controller; + interrupt-parent = <&gic>; +- interrupts = , +- , +- , +- ; ++ interrupts = , ++ , ++ , ++ ; + brcm,pcie-msi-inten; + }; + }; +@@ -447,7 +447,7 @@ + + #interrupt-cells = <1>; + interrupt-map-mask = <0 0 0 0>; +- interrupt-map = <0 0 0 0 &gic GIC_SPI 143 IRQ_TYPE_NONE>; ++ interrupt-map = <0 0 0 0 &gic GIC_SPI 143 IRQ_TYPE_LEVEL_HIGH>; + + linux,pci-domain = <2>; + +@@ -469,10 +469,10 @@ + compatible = "brcm,iproc-msi"; + msi-controller; + interrupt-parent = <&gic>; +- interrupts = , +- , +- , +- ; ++ interrupts = , ++ , ++ , ++ ; + brcm,pcie-msi-inten; + }; + }; diff --git a/queue-4.9/arm-imx_v4_v5_defconfig-select-ulpi-support.patch b/queue-4.9/arm-imx_v4_v5_defconfig-select-ulpi-support.patch new file mode 100644 index 00000000000..d58b2d0cfae --- /dev/null +++ b/queue-4.9/arm-imx_v4_v5_defconfig-select-ulpi-support.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Fabio Estevam +Date: Tue, 26 Jun 2018 08:37:09 -0300 +Subject: ARM: imx_v4_v5_defconfig: Select ULPI support + +From: Fabio Estevam + +[ Upstream commit 2ceb2780b790b74bc408a949f6aedbad8afa693e ] + +Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that +USB ULPI can be functional on some boards like that use ULPI +interface. + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/configs/imx_v4_v5_defconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/configs/imx_v4_v5_defconfig ++++ b/arch/arm/configs/imx_v4_v5_defconfig +@@ -145,9 +145,11 @@ CONFIG_USB_STORAGE=y + CONFIG_USB_CHIPIDEA=y + CONFIG_USB_CHIPIDEA_UDC=y + CONFIG_USB_CHIPIDEA_HOST=y ++CONFIG_USB_CHIPIDEA_ULPI=y + CONFIG_NOP_USB_XCEIV=y + CONFIG_USB_GADGET=y + CONFIG_USB_ETH=m ++CONFIG_USB_ULPI_BUS=y + CONFIG_MMC=y + CONFIG_MMC_SDHCI=y + CONFIG_MMC_SDHCI_PLTFM=y diff --git a/queue-4.9/arm-imx_v6_v7_defconfig-select-ulpi-support.patch b/queue-4.9/arm-imx_v6_v7_defconfig-select-ulpi-support.patch new file mode 100644 index 00000000000..bc2518cb078 --- /dev/null +++ b/queue-4.9/arm-imx_v6_v7_defconfig-select-ulpi-support.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Fabio Estevam +Date: Mon, 25 Jun 2018 09:34:03 -0300 +Subject: ARM: imx_v6_v7_defconfig: Select ULPI support + +From: Fabio Estevam + +[ Upstream commit 157bcc06094c3c5800d3f4676527047b79b618e7 ] + +Select CONFIG_USB_CHIPIDEA_ULPI and CONFIG_USB_ULPI_BUS so that +USB ULPI can be functional on some boards like imx51-babbge. + +This fixes a kernel hang in 4.18-rc1 on i.mx51-babbage, caused by commit +03e6275ae381 ("usb: chipidea: Fix ULPI on imx51"). + +Suggested-by: Andrey Smirnov +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/configs/imx_v6_v7_defconfig | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/configs/imx_v6_v7_defconfig ++++ b/arch/arm/configs/imx_v6_v7_defconfig +@@ -271,6 +271,7 @@ CONFIG_USB_STORAGE=y + CONFIG_USB_CHIPIDEA=y + CONFIG_USB_CHIPIDEA_UDC=y + CONFIG_USB_CHIPIDEA_HOST=y ++CONFIG_USB_CHIPIDEA_ULPI=y + CONFIG_USB_SERIAL=m + CONFIG_USB_SERIAL_GENERIC=y + CONFIG_USB_SERIAL_FTDI_SIO=m +@@ -307,6 +308,7 @@ CONFIG_USB_GADGETFS=m + CONFIG_USB_FUNCTIONFS=m + CONFIG_USB_MASS_STORAGE=m + CONFIG_USB_G_SERIAL=m ++CONFIG_USB_ULPI_BUS=y + CONFIG_MMC=y + CONFIG_MMC_SDHCI=y + CONFIG_MMC_SDHCI_PLTFM=y diff --git a/queue-4.9/arm-pxa-irq-fix-handling-of-icmr-registers-in-suspend-resume.patch b/queue-4.9/arm-pxa-irq-fix-handling-of-icmr-registers-in-suspend-resume.patch new file mode 100644 index 00000000000..516e8c56d88 --- /dev/null +++ b/queue-4.9/arm-pxa-irq-fix-handling-of-icmr-registers-in-suspend-resume.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Daniel Mack +Date: Fri, 6 Jul 2018 22:15:00 +0200 +Subject: ARM: pxa: irq: fix handling of ICMR registers in suspend/resume + +From: Daniel Mack + +[ Upstream commit 0c1049dcb4ceec640d8bd797335bcbebdcab44d2 ] + +PXA3xx platforms have 56 interrupts that are stored in two ICMR +registers. The code in pxa_irq_suspend() and pxa_irq_resume() however +does a simple division by 32 which only leads to one register being +saved at suspend and restored at resume time. The NAND interrupt +setting, for instance, is lost. + +Fix this by using DIV_ROUND_UP() instead. + +Signed-off-by: Daniel Mack +Signed-off-by: Robert Jarzmik +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-pxa/irq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-pxa/irq.c ++++ b/arch/arm/mach-pxa/irq.c +@@ -185,7 +185,7 @@ static int pxa_irq_suspend(void) + { + int i; + +- for (i = 0; i < pxa_internal_irq_nr / 32; i++) { ++ for (i = 0; i < DIV_ROUND_UP(pxa_internal_irq_nr, 32); i++) { + void __iomem *base = irq_base(i); + + saved_icmr[i] = __raw_readl(base + ICMR); +@@ -204,7 +204,7 @@ static void pxa_irq_resume(void) + { + int i; + +- for (i = 0; i < pxa_internal_irq_nr / 32; i++) { ++ for (i = 0; i < DIV_ROUND_UP(pxa_internal_irq_nr, 32); i++) { + void __iomem *base = irq_base(i); + + __raw_writel(saved_icmr[i], base + ICMR); diff --git a/queue-4.9/arm64-dts-ns2-fix-i2c-controller-interrupt-type.patch b/queue-4.9/arm64-dts-ns2-fix-i2c-controller-interrupt-type.patch new file mode 100644 index 00000000000..da2ceea5a96 --- /dev/null +++ b/queue-4.9/arm64-dts-ns2-fix-i2c-controller-interrupt-type.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ray Jui +Date: Tue, 12 Jun 2018 13:21:29 -0700 +Subject: arm64: dts: ns2: Fix I2C controller interrupt type + +From: Ray Jui + +[ Upstream commit e605c287deed45624e8d35a15e3f0b4faab1a62d ] + +Fix I2C controller interrupt to use IRQ_TYPE_LEVEL_HIGH for Broadcom NS2 +SoC. + +Fixes: 7ac674e8df7a ("arm64: dts: Add I2C nodes for NS2") +Signed-off-by: Ray Jui +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/broadcom/ns2.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/broadcom/ns2.dtsi ++++ b/arch/arm64/boot/dts/broadcom/ns2.dtsi +@@ -393,7 +393,7 @@ + reg = <0x66080000 0x100>; + #address-cells = <1>; + #size-cells = <0>; +- interrupts = ; ++ interrupts = ; + clock-frequency = <100000>; + status = "disabled"; + }; +@@ -421,7 +421,7 @@ + reg = <0x660b0000 0x100>; + #address-cells = <1>; + #size-cells = <0>; +- interrupts = ; ++ interrupts = ; + clock-frequency = <100000>; + status = "disabled"; + }; diff --git a/queue-4.9/arm64-make-secondary_start_kernel-notrace.patch b/queue-4.9/arm64-make-secondary_start_kernel-notrace.patch new file mode 100644 index 00000000000..723e98635d6 --- /dev/null +++ b/queue-4.9/arm64-make-secondary_start_kernel-notrace.patch @@ -0,0 +1,40 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Zhizhou Zhang +Date: Tue, 12 Jun 2018 17:07:37 +0800 +Subject: arm64: make secondary_start_kernel() notrace + +From: Zhizhou Zhang + +[ Upstream commit b154886f7892499d0d3054026e19dfb9a731df61 ] + +We can't call function trace hook before setup percpu offset. +When entering secondary_start_kernel(), percpu offset has not +been initialized. So this lead hotplug malfunction. +Here is the flow to reproduce this bug: + +echo 0 > /sys/devices/system/cpu/cpu1/online +echo function > /sys/kernel/debug/tracing/current_tracer +echo 1 > /sys/kernel/debug/tracing/tracing_on +echo 1 > /sys/devices/system/cpu/cpu1/online + +Acked-by: Mark Rutland +Tested-by: Suzuki K Poulose +Signed-off-by: Zhizhou Zhang +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -205,7 +205,7 @@ int __cpu_up(unsigned int cpu, struct ta + * This is the secondary CPU boot entry. We're using this CPUs + * idle thread stack, but a set of temporary page tables. + */ +-asmlinkage void secondary_start_kernel(void) ++asmlinkage notrace void secondary_start_kernel(void) + { + struct mm_struct *mm = &init_mm; + unsigned int cpu = smp_processor_id(); diff --git a/queue-4.9/batman-adv-fix-bat_ogm_iv-best-gw-refcnt-after-netlink-dump.patch b/queue-4.9/batman-adv-fix-bat_ogm_iv-best-gw-refcnt-after-netlink-dump.patch new file mode 100644 index 00000000000..70fe1105d91 --- /dev/null +++ b/queue-4.9/batman-adv-fix-bat_ogm_iv-best-gw-refcnt-after-netlink-dump.patch @@ -0,0 +1,51 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sven Eckelmann +Date: Sat, 2 Jun 2018 17:26:34 +0200 +Subject: batman-adv: Fix bat_ogm_iv best gw refcnt after netlink dump + +From: Sven Eckelmann + +[ Upstream commit b5685d2687d6612adf5eac519eb7008f74dfd1ec ] + +A reference for the best gateway is taken when the list of gateways in the +mesh is sent via netlink. This is necessary to check whether the currently +dumped entry is the currently selected gateway or not. This information is +then transferred as flag BATADV_ATTR_FLAG_BEST. + +After the comparison of the current entry is done, +batadv_iv_gw_dump_entry() has to decrease the reference counter again. +Otherwise the reference will be held and thus prevents a proper shutdown of +the batman-adv interfaces (and some of the interfaces enslaved in it). + +Fixes: efb766af06e3 ("batman-adv: add B.A.T.M.A.N. IV bat_gw_dump implementations") +Reported-by: Andreas Ziegler +Tested-by: Andreas Ziegler +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_iv_ogm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/bat_iv_ogm.c ++++ b/net/batman-adv/bat_iv_ogm.c +@@ -2704,7 +2704,7 @@ static int batadv_iv_gw_dump_entry(struc + { + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; +- struct batadv_gw_node *curr_gw; ++ struct batadv_gw_node *curr_gw = NULL; + int ret = 0; + void *hdr; + +@@ -2752,6 +2752,8 @@ static int batadv_iv_gw_dump_entry(struc + ret = 0; + + out: ++ if (curr_gw) ++ batadv_gw_node_put(curr_gw); + if (router_ifinfo) + batadv_neigh_ifinfo_put(router_ifinfo); + if (router) diff --git a/queue-4.9/batman-adv-fix-bat_v-best-gw-refcnt-after-netlink-dump.patch b/queue-4.9/batman-adv-fix-bat_v-best-gw-refcnt-after-netlink-dump.patch new file mode 100644 index 00000000000..4207ae8f19c --- /dev/null +++ b/queue-4.9/batman-adv-fix-bat_v-best-gw-refcnt-after-netlink-dump.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sven Eckelmann +Date: Sat, 2 Jun 2018 17:26:35 +0200 +Subject: batman-adv: Fix bat_v best gw refcnt after netlink dump + +From: Sven Eckelmann + +[ Upstream commit 9713cb0cf19f1cec6c007e3b37be0697042b6720 ] + +A reference for the best gateway is taken when the list of gateways in the +mesh is sent via netlink. This is necessary to check whether the currently +dumped entry is the currently selected gateway or not. This information is +then transferred as flag BATADV_ATTR_FLAG_BEST. + +After the comparison of the current entry is done, +batadv_v_gw_dump_entry() has to decrease the reference counter again. +Otherwise the reference will be held and thus prevents a proper shutdown of +the batman-adv interfaces (and some of the interfaces enslaved in it). + +Fixes: b71bb6f924fe ("batman-adv: add B.A.T.M.A.N. V bat_gw_dump implementations") +Signed-off-by: Sven Eckelmann +Acked-by: Marek Lindner +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bat_v.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/bat_v.c ++++ b/net/batman-adv/bat_v.c +@@ -919,7 +919,7 @@ static int batadv_v_gw_dump_entry(struct + { + struct batadv_neigh_ifinfo *router_ifinfo = NULL; + struct batadv_neigh_node *router; +- struct batadv_gw_node *curr_gw; ++ struct batadv_gw_node *curr_gw = NULL; + int ret = 0; + void *hdr; + +@@ -987,6 +987,8 @@ static int batadv_v_gw_dump_entry(struct + ret = 0; + + out: ++ if (curr_gw) ++ batadv_gw_node_put(curr_gw); + if (router_ifinfo) + batadv_neigh_ifinfo_put(router_ifinfo); + if (router) diff --git a/queue-4.9/bnx2x-fix-receiving-tx-timeout-in-error-or-recovery-state.patch b/queue-4.9/bnx2x-fix-receiving-tx-timeout-in-error-or-recovery-state.patch new file mode 100644 index 00000000000..dde754bbfce --- /dev/null +++ b/queue-4.9/bnx2x-fix-receiving-tx-timeout-in-error-or-recovery-state.patch @@ -0,0 +1,77 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Thu, 28 Jun 2018 04:52:15 -0700 +Subject: bnx2x: Fix receiving tx-timeout in error or recovery state. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 484c016d9392786ce5c74017c206c706f29f823d ] + +Driver performs the internal reload when it receives tx-timeout event from +the OS. Internal reload might fail in some scenarios e.g., fatal HW issues. +In such cases OS still see the link, which would result in undesirable +functionalities such as re-generation of tx-timeouts. +The patch addresses this issue by indicating the link-down to OS when +tx-timeout is detected, and keeping the link in down state till the +internal reload is successful. + +Please consider applying it to 'net' branch. + +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x.h | 1 + + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 6 ++++++ + drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 6 ++++++ + 3 files changed, 13 insertions(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x.h +@@ -1529,6 +1529,7 @@ struct bnx2x { + struct link_vars link_vars; + u32 link_cnt; + struct bnx2x_link_report_data last_reported_link; ++ bool force_link_down; + + struct mdio_if_info mdio; + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -1265,6 +1265,11 @@ void __bnx2x_link_report(struct bnx2x *b + { + struct bnx2x_link_report_data cur_data; + ++ if (bp->force_link_down) { ++ bp->link_vars.link_up = 0; ++ return; ++ } ++ + /* reread mf_cfg */ + if (IS_PF(bp) && !CHIP_IS_E1(bp)) + bnx2x_read_mf_cfg(bp); +@@ -2822,6 +2827,7 @@ int bnx2x_nic_load(struct bnx2x *bp, int + bp->pending_max = 0; + } + ++ bp->force_link_down = false; + if (bp->port.pmf) { + rc = bnx2x_initial_phy_init(bp, load_mode); + if (rc) +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c +@@ -10279,6 +10279,12 @@ static void bnx2x_sp_rtnl_task(struct wo + bp->sp_rtnl_state = 0; + smp_mb(); + ++ /* Immediately indicate link as down */ ++ bp->link_vars.link_up = 0; ++ bp->force_link_down = true; ++ netif_carrier_off(bp->dev); ++ BNX2X_ERR("Indicating link is down due to Tx-timeout\n"); ++ + bnx2x_nic_unload(bp, UNLOAD_NORMAL, true); + bnx2x_nic_load(bp, LOAD_NORMAL); + diff --git a/queue-4.9/bnxt_en-always-set-output-parameters-in-bnxt_get_max_rings.patch b/queue-4.9/bnxt_en-always-set-output-parameters-in-bnxt_get_max_rings.patch new file mode 100644 index 00000000000..6b7ee272e3e --- /dev/null +++ b/queue-4.9/bnxt_en-always-set-output-parameters-in-bnxt_get_max_rings.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Michael Chan +Date: Mon, 9 Jul 2018 02:24:49 -0400 +Subject: bnxt_en: Always set output parameters in bnxt_get_max_rings(). + +From: Michael Chan + +[ Upstream commit 78f058a4aa0f2280dc4d45d2c4a95728398ef857 ] + +The current code returns -ENOMEM and does not bother to set the output +parameters to 0 when no rings are available. Some callers, such as +bnxt_get_channels() will display garbage ring numbers when that happens. +Fix it by always setting the output parameters. + +Fixes: 6e6c5a57fbe1 ("bnxt_en: Modify bnxt_get_max_rings() to support shared or non shared rings.") +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -6862,11 +6862,11 @@ int bnxt_get_max_rings(struct bnxt *bp, + int rx, tx, cp; + + _bnxt_get_max_rings(bp, &rx, &tx, &cp); ++ *max_rx = rx; ++ *max_tx = tx; + if (!rx || !tx || !cp) + return -ENOMEM; + +- *max_rx = rx; +- *max_tx = tx; + return bnxt_trim_rings(bp, max_rx, max_tx, cp, shared); + } + diff --git a/queue-4.9/bnxt_en-fix-for-system-hang-if-request_irq-fails.patch b/queue-4.9/bnxt_en-fix-for-system-hang-if-request_irq-fails.patch new file mode 100644 index 00000000000..4ffa4eaad43 --- /dev/null +++ b/queue-4.9/bnxt_en-fix-for-system-hang-if-request_irq-fails.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vikas Gupta +Date: Mon, 9 Jul 2018 02:24:52 -0400 +Subject: bnxt_en: Fix for system hang if request_irq fails + +From: Vikas Gupta + +[ Upstream commit c58387ab1614f6d7fb9e244f214b61e7631421fc ] + +Fix bug in the error code path when bnxt_request_irq() returns failure. +bnxt_disable_napi() should not be called in this error path because +NAPI has not been enabled yet. + +Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") +Signed-off-by: Vikas Gupta +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c +@@ -5560,7 +5560,7 @@ static int __bnxt_open_nic(struct bnxt * + rc = bnxt_request_irq(bp); + if (rc) { + netdev_err(bp->dev, "bnxt_request_irq err: %x\n", rc); +- goto open_err; ++ goto open_err_irq; + } + } + +@@ -5593,6 +5593,8 @@ static int __bnxt_open_nic(struct bnxt * + + open_err: + bnxt_disable_napi(bp); ++ ++open_err_irq: + bnxt_del_napi(bp); + + open_err_free_mem: diff --git a/queue-4.9/bpf-s390-fix-potential-memleak-when-later-bpf_jit_prog-fails.patch b/queue-4.9/bpf-s390-fix-potential-memleak-when-later-bpf_jit_prog-fails.patch new file mode 100644 index 00000000000..13a244db623 --- /dev/null +++ b/queue-4.9/bpf-s390-fix-potential-memleak-when-later-bpf_jit_prog-fails.patch @@ -0,0 +1,38 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Daniel Borkmann +Date: Thu, 28 Jun 2018 23:34:58 +0200 +Subject: bpf, s390: fix potential memleak when later bpf_jit_prog fails + +From: Daniel Borkmann + +[ Upstream commit f605ce5eb26ac934fb8106d75d46a2c875a2bf23 ] + +If we would ever fail in the bpf_jit_prog() pass that writes the +actual insns to the image after we got header via bpf_jit_binary_alloc() +then we also need to make sure to free it through bpf_jit_binary_free() +again when bailing out. Given we had prior bpf_jit_prog() passes to +initially probe for clobbered registers, program size and to fill in +addrs arrray for jump targets, this is more of a theoretical one, +but at least make sure this doesn't break with future changes. + +Fixes: 054623105728 ("s390/bpf: Add s390x eBPF JIT compiler backend") +Signed-off-by: Daniel Borkmann +Cc: Martin Schwidefsky +Acked-by: Alexei Starovoitov +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/net/bpf_jit_comp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1386,6 +1386,7 @@ struct bpf_prog *bpf_int_jit_compile(str + goto free_addrs; + } + if (bpf_jit_prog(&jit, fp)) { ++ bpf_jit_binary_free(header); + fp = orig_fp; + goto free_addrs; + } diff --git a/queue-4.9/brcmfmac-stop-watchdog-before-detach-and-free-everything.patch b/queue-4.9/brcmfmac-stop-watchdog-before-detach-and-free-everything.patch new file mode 100644 index 00000000000..e94127a22fd --- /dev/null +++ b/queue-4.9/brcmfmac-stop-watchdog-before-detach-and-free-everything.patch @@ -0,0 +1,76 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Michael Trimarchi +Date: Wed, 30 May 2018 11:06:34 +0200 +Subject: brcmfmac: stop watchdog before detach and free everything + +From: Michael Trimarchi + +[ Upstream commit 373c83a801f15b1e3d02d855fad89112bd4ccbe0 ] + +Using built-in in kernel image without a firmware in filesystem +or in the kernel image can lead to a kernel NULL pointer deference. +Watchdog need to be stopped in brcmf_sdio_remove + +The system is going down NOW! +[ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8 +Sent SIGTERM to all processes +[ 1348.121412] Mem abort info: +[ 1348.126962] ESR = 0x96000004 +[ 1348.130023] Exception class = DABT (current EL), IL = 32 bits +[ 1348.135948] SET = 0, FnV = 0 +[ 1348.138997] EA = 0, S1PTW = 0 +[ 1348.142154] Data abort info: +[ 1348.145045] ISV = 0, ISS = 0x00000004 +[ 1348.148884] CM = 0, WnR = 0 +[ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) +[ 1348.158475] [00000000000002f8] pgd=0000000000000000 +[ 1348.163364] Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 1348.168927] Modules linked in: ipv6 +[ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 #18 +[ 1348.180757] Hardware name: Amarula A64-Relic (DT) +[ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO) +[ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20 +[ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290 +[ 1348.200253] sp : ffff00000b85be30 +[ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000 +[ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638 +[ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800 +[ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660 +[ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00 +[ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001 +[ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8 +[ 1348.240711] x15: 0000000000000000 x14: 0000000000000400 +[ 1348.246018] x13: 0000000000000400 x12: 0000000000000001 +[ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10 +[ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870 +[ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55 +[ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000 +[ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100 +[ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000 + +Signed-off-by: Michael Trimarchi +Acked-by: Arend van Spriel +Tested-by: Andy Shevchenko +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -4229,6 +4229,13 @@ void brcmf_sdio_remove(struct brcmf_sdio + brcmf_dbg(TRACE, "Enter\n"); + + if (bus) { ++ /* Stop watchdog task */ ++ if (bus->watchdog_tsk) { ++ send_sig(SIGTERM, bus->watchdog_tsk, 1); ++ kthread_stop(bus->watchdog_tsk); ++ bus->watchdog_tsk = NULL; ++ } ++ + /* De-register interrupt handler */ + brcmf_sdiod_intr_unregister(bus->sdiodev); + diff --git a/queue-4.9/ceph-fix-dentry-leak-in-splice_dentry.patch b/queue-4.9/ceph-fix-dentry-leak-in-splice_dentry.patch new file mode 100644 index 00000000000..bf2725b72e7 --- /dev/null +++ b/queue-4.9/ceph-fix-dentry-leak-in-splice_dentry.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Yan, Zheng" +Date: Tue, 19 Jun 2018 18:20:34 +0800 +Subject: ceph: fix dentry leak in splice_dentry() + +From: "Yan, Zheng" + +[ Upstream commit 8b8f53af1ed9df88a4c0fbfdf3db58f62060edf3 ] + +In any case, d_splice_alias() does not drop reference of original +dentry. + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ceph/inode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1077,6 +1077,7 @@ static struct dentry *splice_dentry(stru + if (IS_ERR(realdn)) { + pr_err("splice_dentry error %ld %p inode %p ino %llx.%llx\n", + PTR_ERR(realdn), dn, in, ceph_vinop(in)); ++ dput(dn); + dn = realdn; /* note realdn contains the error */ + goto out; + } else if (realdn) { diff --git a/queue-4.9/cxgb4-when-disabling-dcb-set-txq-dcb-priority-to-0.patch b/queue-4.9/cxgb4-when-disabling-dcb-set-txq-dcb-priority-to-0.patch new file mode 100644 index 00000000000..20e4c6d0d99 --- /dev/null +++ b/queue-4.9/cxgb4-when-disabling-dcb-set-txq-dcb-priority-to-0.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ganesh Goudar +Date: Sat, 23 Jun 2018 20:28:26 +0530 +Subject: cxgb4: when disabling dcb set txq dcb priority to 0 + +From: Ganesh Goudar + +[ Upstream commit 5ce36338a30f9814fc4824f9fe6c20cd83d872c7 ] + +When we are disabling DCB, store "0" in txq->dcb_prio +since that's used for future TX Work Request "OVLAN_IDX" +values. Setting non zero priority upon disabling DCB +would halt the traffic. + +Reported-by: AMG Zollner Robert +CC: David Ahern +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -274,7 +274,7 @@ static void dcb_tx_queue_prio_enable(str + "Can't %s DCB Priority on port %d, TX Queue %d: err=%d\n", + enable ? "set" : "unset", pi->port_id, i, -err); + else +- txq->dcb_prio = value; ++ txq->dcb_prio = enable ? value : 0; + } + } + diff --git a/queue-4.9/dmaengine-k3dma-off-by-one-in-k3_of_dma_simple_xlate.patch b/queue-4.9/dmaengine-k3dma-off-by-one-in-k3_of_dma_simple_xlate.patch new file mode 100644 index 00000000000..9dfa6ea4df5 --- /dev/null +++ b/queue-4.9/dmaengine-k3dma-off-by-one-in-k3_of_dma_simple_xlate.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dan Carpenter +Date: Fri, 22 Jun 2018 14:15:47 +0300 +Subject: dmaengine: k3dma: Off by one in k3_of_dma_simple_xlate() + +From: Dan Carpenter + +[ Upstream commit c4c2b7644cc9a41f17a8cc8904efe3f66ae4c7ed ] + +The d->chans[] array has d->dma_requests elements so the > should be +>= here. + +Fixes: 8e6152bc660e ("dmaengine: Add hisilicon k3 DMA engine driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/k3dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/k3dma.c ++++ b/drivers/dma/k3dma.c +@@ -792,7 +792,7 @@ static struct dma_chan *k3_of_dma_simple + struct k3_dma_dev *d = ofdma->of_dma_data; + unsigned int request = dma_spec->args[0]; + +- if (request > d->dma_requests) ++ if (request >= d->dma_requests) + return NULL; + + return dma_get_slave_channel(&(d->chans[request].vc.chan)); diff --git a/queue-4.9/dmaengine-pl330-report-burst-residue-granularity.patch b/queue-4.9/dmaengine-pl330-report-burst-residue-granularity.patch new file mode 100644 index 00000000000..551cefde2d8 --- /dev/null +++ b/queue-4.9/dmaengine-pl330-report-burst-residue-granularity.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Marek Szyprowski +Date: Tue, 19 Jun 2018 15:20:50 +0200 +Subject: dmaengine: pl330: report BURST residue granularity + +From: Marek Szyprowski + +[ Upstream commit e3f329c600033f011a978a8bc4ddb1e2e94c4f4d ] + +The reported residue is already calculated in BURST unit granularity, so +advertise this capability properly to other devices in the system. + +Fixes: aee4d1fac887 ("dmaengine: pl330: improve pl330_tx_status() function") +Signed-off-by: Marek Szyprowski +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/pl330.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -2951,7 +2951,7 @@ pl330_probe(struct amba_device *adev, co + pd->src_addr_widths = PL330_DMA_BUSWIDTHS; + pd->dst_addr_widths = PL330_DMA_BUSWIDTHS; + pd->directions = BIT(DMA_DEV_TO_MEM) | BIT(DMA_MEM_TO_DEV); +- pd->residue_granularity = DMA_RESIDUE_GRANULARITY_SEGMENT; ++ pd->residue_granularity = DMA_RESIDUE_GRANULARITY_BURST; + pd->max_burst = ((pl330->quirks & PL330_QUIRK_BROKEN_NO_FLUSHP) ? + 1 : PL330_MAX_BURST); + diff --git a/queue-4.9/drm-armada-fix-colorkey-mode-property.patch b/queue-4.9/drm-armada-fix-colorkey-mode-property.patch new file mode 100644 index 00000000000..b69eabfeae1 --- /dev/null +++ b/queue-4.9/drm-armada-fix-colorkey-mode-property.patch @@ -0,0 +1,91 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Russell King +Date: Sun, 24 Jun 2018 14:35:10 +0100 +Subject: drm/armada: fix colorkey mode property + +From: Russell King + +[ Upstream commit d378859a667edc99e3473704847698cae97ca2b1 ] + +The colorkey mode property was not correctly disabling the colorkeying +when "disabled" mode was selected. Arrange for this to work as one +would expect. + +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/armada/armada_hw.h | 1 + + drivers/gpu/drm/armada/armada_overlay.c | 30 ++++++++++++++++++++++-------- + 2 files changed, 23 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/armada/armada_hw.h ++++ b/drivers/gpu/drm/armada/armada_hw.h +@@ -160,6 +160,7 @@ enum { + CFG_ALPHAM_GRA = 0x1 << 16, + CFG_ALPHAM_CFG = 0x2 << 16, + CFG_ALPHA_MASK = 0xff << 8, ++#define CFG_ALPHA(x) ((x) << 8) + CFG_PIXCMD_MASK = 0xff, + }; + +--- a/drivers/gpu/drm/armada/armada_overlay.c ++++ b/drivers/gpu/drm/armada/armada_overlay.c +@@ -27,6 +27,7 @@ struct armada_ovl_plane_properties { + uint16_t contrast; + uint16_t saturation; + uint32_t colorkey_mode; ++ uint32_t colorkey_enable; + }; + + struct armada_ovl_plane { +@@ -62,11 +63,13 @@ armada_ovl_update_attr(struct armada_ovl + writel_relaxed(0x00002000, dcrtc->base + LCD_SPU_CBSH_HUE); + + spin_lock_irq(&dcrtc->irq_lock); +- armada_updatel(prop->colorkey_mode | CFG_ALPHAM_GRA, +- CFG_CKMODE_MASK | CFG_ALPHAM_MASK | CFG_ALPHA_MASK, +- dcrtc->base + LCD_SPU_DMA_CTRL1); +- +- armada_updatel(ADV_GRACOLORKEY, 0, dcrtc->base + LCD_SPU_ADV_REG); ++ armada_updatel(prop->colorkey_mode, ++ CFG_CKMODE_MASK | CFG_ALPHAM_MASK | CFG_ALPHA_MASK, ++ dcrtc->base + LCD_SPU_DMA_CTRL1); ++ if (dcrtc->variant->has_spu_adv_reg) ++ armada_updatel(prop->colorkey_enable, ++ ADV_GRACOLORKEY | ADV_VIDCOLORKEY, ++ dcrtc->base + LCD_SPU_ADV_REG); + spin_unlock_irq(&dcrtc->irq_lock); + } + +@@ -340,8 +343,17 @@ static int armada_ovl_plane_set_property + dplane->prop.colorkey_vb |= K2B(val); + update_attr = true; + } else if (property == priv->colorkey_mode_prop) { +- dplane->prop.colorkey_mode &= ~CFG_CKMODE_MASK; +- dplane->prop.colorkey_mode |= CFG_CKMODE(val); ++ if (val == CKMODE_DISABLE) { ++ dplane->prop.colorkey_mode = ++ CFG_CKMODE(CKMODE_DISABLE) | ++ CFG_ALPHAM_CFG | CFG_ALPHA(255); ++ dplane->prop.colorkey_enable = 0; ++ } else { ++ dplane->prop.colorkey_mode = ++ CFG_CKMODE(val) | ++ CFG_ALPHAM_GRA | CFG_ALPHA(0); ++ dplane->prop.colorkey_enable = ADV_GRACOLORKEY; ++ } + update_attr = true; + } else if (property == priv->brightness_prop) { + dplane->prop.brightness = val - 256; +@@ -470,7 +482,9 @@ int armada_overlay_plane_create(struct d + dplane->prop.colorkey_yr = 0xfefefe00; + dplane->prop.colorkey_ug = 0x01010100; + dplane->prop.colorkey_vb = 0x01010100; +- dplane->prop.colorkey_mode = CFG_CKMODE(CKMODE_RGB); ++ dplane->prop.colorkey_mode = CFG_CKMODE(CKMODE_RGB) | ++ CFG_ALPHAM_GRA | CFG_ALPHA(0); ++ dplane->prop.colorkey_enable = ADV_GRACOLORKEY; + dplane->prop.brightness = 0; + dplane->prop.contrast = 0x4000; + dplane->prop.saturation = 0x4000; diff --git a/queue-4.9/drm-exynos-decon5433-fix-per-plane-global-alpha-for-xrgb-modes.patch b/queue-4.9/drm-exynos-decon5433-fix-per-plane-global-alpha-for-xrgb-modes.patch new file mode 100644 index 00000000000..9e8d875fc3e --- /dev/null +++ b/queue-4.9/drm-exynos-decon5433-fix-per-plane-global-alpha-for-xrgb-modes.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Marek Szyprowski +Date: Thu, 7 Jun 2018 13:07:40 +0200 +Subject: drm/exynos: decon5433: Fix per-plane global alpha for XRGB modes + +From: Marek Szyprowski + +[ Upstream commit ab337fc274a1957ff0771f19e826c736253f7c39 ] + +Set per-plane global alpha to maximum value to get proper blending of +XRGB and ARGB planes. This fixes the strange order of overlapping planes. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -291,8 +291,8 @@ static void decon_update_plane(struct ex + COORDINATE_Y(state->crtc.y + state->crtc.h - 1); + writel(val, ctx->addr + DECON_VIDOSDxB(win)); + +- val = VIDOSD_Wx_ALPHA_R_F(0x0) | VIDOSD_Wx_ALPHA_G_F(0x0) | +- VIDOSD_Wx_ALPHA_B_F(0x0); ++ val = VIDOSD_Wx_ALPHA_R_F(0xff) | VIDOSD_Wx_ALPHA_G_F(0xff) | ++ VIDOSD_Wx_ALPHA_B_F(0xff); + writel(val, ctx->addr + DECON_VIDOSDxC(win)); + + val = VIDOSD_Wx_ALPHA_R_F(0x0) | VIDOSD_Wx_ALPHA_G_F(0x0) | diff --git a/queue-4.9/drm-exynos-decon5433-fix-winconx-reset-value.patch b/queue-4.9/drm-exynos-decon5433-fix-winconx-reset-value.patch new file mode 100644 index 00000000000..4ba83ce4a2f --- /dev/null +++ b/queue-4.9/drm-exynos-decon5433-fix-winconx-reset-value.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Marek Szyprowski +Date: Thu, 7 Jun 2018 13:07:49 +0200 +Subject: drm/exynos: decon5433: Fix WINCONx reset value + +From: Marek Szyprowski + +[ Upstream commit 7b7aa62c05eac9789c208b946f515983a9255d8d ] + +The only bits that should be preserved in decon_win_set_fmt() is +WINCONx_ENWIN_F. All other bits depends on the selected pixel formats and +are set by the mentioned function. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos5433_drm_decon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/exynos/exynos5433_drm_decon.c ++++ b/drivers/gpu/drm/exynos/exynos5433_drm_decon.c +@@ -199,7 +199,7 @@ static void decon_win_set_pixfmt(struct + unsigned long val; + + val = readl(ctx->addr + DECON_WINCONx(win)); +- val &= ~WINCONx_BPPMODE_MASK; ++ val &= WINCONx_ENWIN_F; + + switch (fb->pixel_format) { + case DRM_FORMAT_XRGB1555: diff --git a/queue-4.9/drm-exynos-gsc-fix-support-for-nv16-61-yuv420-yvu420-and-yuv422-modes.patch b/queue-4.9/drm-exynos-gsc-fix-support-for-nv16-61-yuv420-yvu420-and-yuv422-modes.patch new file mode 100644 index 00000000000..71b5858b9a3 --- /dev/null +++ b/queue-4.9/drm-exynos-gsc-fix-support-for-nv16-61-yuv420-yvu420-and-yuv422-modes.patch @@ -0,0 +1,96 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Marek Szyprowski +Date: Thu, 7 Jun 2018 13:06:13 +0200 +Subject: drm/exynos: gsc: Fix support for NV16/61, YUV420/YVU420 and YUV422 modes + +From: Marek Szyprowski + +[ Upstream commit dd209ef809080ced903e7747ee3ef640c923a1d2 ] + +Fix following issues related to planar YUV pixel format configuration: +- NV16/61 modes were incorrectly programmed as NV12/21, +- YVU420 was programmed as YUV420 on source, +- YVU420 and YUV422 were programmed as YUV420 on output. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Inki Dae +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/exynos/exynos_drm_gsc.c | 29 ++++++++++++++++++++--------- + drivers/gpu/drm/exynos/regs-gsc.h | 1 + + 2 files changed, 21 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/exynos/exynos_drm_gsc.c ++++ b/drivers/gpu/drm/exynos/exynos_drm_gsc.c +@@ -532,21 +532,25 @@ static int gsc_src_set_fmt(struct device + GSC_IN_CHROMA_ORDER_CRCB); + break; + case DRM_FORMAT_NV21: ++ cfg |= (GSC_IN_CHROMA_ORDER_CRCB | GSC_IN_YUV420_2P); ++ break; + case DRM_FORMAT_NV61: +- cfg |= (GSC_IN_CHROMA_ORDER_CRCB | +- GSC_IN_YUV420_2P); ++ cfg |= (GSC_IN_CHROMA_ORDER_CRCB | GSC_IN_YUV422_2P); + break; + case DRM_FORMAT_YUV422: + cfg |= GSC_IN_YUV422_3P; + break; + case DRM_FORMAT_YUV420: ++ cfg |= (GSC_IN_CHROMA_ORDER_CBCR | GSC_IN_YUV420_3P); ++ break; + case DRM_FORMAT_YVU420: +- cfg |= GSC_IN_YUV420_3P; ++ cfg |= (GSC_IN_CHROMA_ORDER_CRCB | GSC_IN_YUV420_3P); + break; + case DRM_FORMAT_NV12: ++ cfg |= (GSC_IN_CHROMA_ORDER_CBCR | GSC_IN_YUV420_2P); ++ break; + case DRM_FORMAT_NV16: +- cfg |= (GSC_IN_CHROMA_ORDER_CBCR | +- GSC_IN_YUV420_2P); ++ cfg |= (GSC_IN_CHROMA_ORDER_CBCR | GSC_IN_YUV422_2P); + break; + default: + dev_err(ippdrv->dev, "invalid target yuv order 0x%x.\n", fmt); +@@ -806,18 +810,25 @@ static int gsc_dst_set_fmt(struct device + GSC_OUT_CHROMA_ORDER_CRCB); + break; + case DRM_FORMAT_NV21: +- case DRM_FORMAT_NV61: + cfg |= (GSC_OUT_CHROMA_ORDER_CRCB | GSC_OUT_YUV420_2P); + break; ++ case DRM_FORMAT_NV61: ++ cfg |= (GSC_OUT_CHROMA_ORDER_CRCB | GSC_OUT_YUV422_2P); ++ break; + case DRM_FORMAT_YUV422: ++ cfg |= GSC_OUT_YUV422_3P; ++ break; + case DRM_FORMAT_YUV420: ++ cfg |= (GSC_OUT_CHROMA_ORDER_CBCR | GSC_OUT_YUV420_3P); ++ break; + case DRM_FORMAT_YVU420: +- cfg |= GSC_OUT_YUV420_3P; ++ cfg |= (GSC_OUT_CHROMA_ORDER_CRCB | GSC_OUT_YUV420_3P); + break; + case DRM_FORMAT_NV12: ++ cfg |= (GSC_OUT_CHROMA_ORDER_CBCR | GSC_OUT_YUV420_2P); ++ break; + case DRM_FORMAT_NV16: +- cfg |= (GSC_OUT_CHROMA_ORDER_CBCR | +- GSC_OUT_YUV420_2P); ++ cfg |= (GSC_OUT_CHROMA_ORDER_CBCR | GSC_OUT_YUV422_2P); + break; + default: + dev_err(ippdrv->dev, "invalid target yuv order 0x%x.\n", fmt); +--- a/drivers/gpu/drm/exynos/regs-gsc.h ++++ b/drivers/gpu/drm/exynos/regs-gsc.h +@@ -138,6 +138,7 @@ + #define GSC_OUT_YUV420_3P (3 << 4) + #define GSC_OUT_YUV422_1P (4 << 4) + #define GSC_OUT_YUV422_2P (5 << 4) ++#define GSC_OUT_YUV422_3P (6 << 4) + #define GSC_OUT_YUV444 (7 << 4) + #define GSC_OUT_TILE_TYPE_MASK (1 << 2) + #define GSC_OUT_TILE_C_16x8 (0 << 2) diff --git a/queue-4.9/drm-mali-dp-enable-global-se-interrupts-mask-for-dp500.patch b/queue-4.9/drm-mali-dp-enable-global-se-interrupts-mask-for-dp500.patch new file mode 100644 index 00000000000..6aaa918edc1 --- /dev/null +++ b/queue-4.9/drm-mali-dp-enable-global-se-interrupts-mask-for-dp500.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Alison Wang +Date: Tue, 24 Apr 2018 10:42:32 +0800 +Subject: drm: mali-dp: Enable Global SE interrupts mask for DP500 + +From: Alison Wang + +[ Upstream commit 89610dc2c235e7b02bb9fba0ce247e12d4dde7cd ] + +In the situation that DE and SE aren’t shared the same interrupt number, +the Global SE interrupts mask bit MASK_IRQ_EN in MASKIRQ must be set, or +else other mask bits will not work and no SE interrupt will occur. This +patch enables MASK_IRQ_EN for SE to fix this problem. + +Signed-off-by: Alison Wang +Acked-by: Liviu Dudau +Signed-off-by: Liviu Dudau +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/arm/malidp_hw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/arm/malidp_hw.c ++++ b/drivers/gpu/drm/arm/malidp_hw.c +@@ -432,7 +432,8 @@ const struct malidp_hw_device malidp_dev + .vsync_irq = MALIDP500_DE_IRQ_VSYNC, + }, + .se_irq_map = { +- .irq_mask = MALIDP500_SE_IRQ_CONF_MODE, ++ .irq_mask = MALIDP500_SE_IRQ_CONF_MODE | ++ MALIDP500_SE_IRQ_GLOBAL, + .vsync_irq = 0, + }, + .dc_irq_map = { diff --git a/queue-4.9/drm-nouveau-gem-off-by-one-bugs-in-nouveau_gem_pushbuf_reloc_apply.patch b/queue-4.9/drm-nouveau-gem-off-by-one-bugs-in-nouveau_gem_pushbuf_reloc_apply.patch new file mode 100644 index 00000000000..4844267d608 --- /dev/null +++ b/queue-4.9/drm-nouveau-gem-off-by-one-bugs-in-nouveau_gem_pushbuf_reloc_apply.patch @@ -0,0 +1,41 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dan Carpenter +Date: Tue, 3 Jul 2018 15:30:56 +0300 +Subject: drm/nouveau/gem: off by one bugs in nouveau_gem_pushbuf_reloc_apply() + +From: Dan Carpenter + +[ Upstream commit 7f073d011f93e92d4d225526b9ab6b8b0bbd6613 ] + +The bo array has req->nr_buffers elements so the > should be >= so we +don't read beyond the end of the array. + +Fixes: a1606a9596e5 ("drm/nouveau: new gem pushbuf interface, bump to 0.0.16") +Signed-off-by: Dan Carpenter +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -601,7 +601,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n + struct nouveau_bo *nvbo; + uint32_t data; + +- if (unlikely(r->bo_index > req->nr_buffers)) { ++ if (unlikely(r->bo_index >= req->nr_buffers)) { + NV_PRINTK(err, cli, "reloc bo index invalid\n"); + ret = -EINVAL; + break; +@@ -611,7 +611,7 @@ nouveau_gem_pushbuf_reloc_apply(struct n + if (b->presumed.valid) + continue; + +- if (unlikely(r->reloc_bo_index > req->nr_buffers)) { ++ if (unlikely(r->reloc_bo_index >= req->nr_buffers)) { + NV_PRINTK(err, cli, "reloc container bo index invalid\n"); + ret = -EINVAL; + break; diff --git a/queue-4.9/enic-initialize-enic-rfs_h.lock-in-enic_probe.patch b/queue-4.9/enic-initialize-enic-rfs_h.lock-in-enic_probe.patch new file mode 100644 index 00000000000..6266e1db13f --- /dev/null +++ b/queue-4.9/enic-initialize-enic-rfs_h.lock-in-enic_probe.patch @@ -0,0 +1,98 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Govindarajulu Varadarajan +Date: Tue, 19 Jun 2018 08:15:24 -0700 +Subject: enic: initialize enic->rfs_h.lock in enic_probe + +From: Govindarajulu Varadarajan + +[ Upstream commit 3256d29fc7aecdf99feb1cb9475ed2252769a8a7 ] + +lockdep spotted that we are using rfs_h.lock in enic_get_rxnfc() without +initializing. rfs_h.lock is initialized in enic_open(). But ethtool_ops +can be called when interface is down. + +Move enic_rfs_flw_tbl_init to enic_probe. + +INFO: trying to register non-static key. +the code is fine but needs lockdep annotation. +turning off the locking correctness validator. +CPU: 18 PID: 1189 Comm: ethtool Not tainted 4.17.0-rc7-devel+ #27 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 +Call Trace: +dump_stack+0x85/0xc0 +register_lock_class+0x550/0x560 +? __handle_mm_fault+0xa8b/0x1100 +__lock_acquire+0x81/0x670 +lock_acquire+0xb9/0x1e0 +? enic_get_rxnfc+0x139/0x2b0 [enic] +_raw_spin_lock_bh+0x38/0x80 +? enic_get_rxnfc+0x139/0x2b0 [enic] +enic_get_rxnfc+0x139/0x2b0 [enic] +ethtool_get_rxnfc+0x8d/0x1c0 +dev_ethtool+0x16c8/0x2400 +? __mutex_lock+0x64d/0xa00 +? dev_load+0x6a/0x150 +dev_ioctl+0x253/0x4b0 +sock_do_ioctl+0x9a/0x130 +sock_ioctl+0x1af/0x350 +do_vfs_ioctl+0x8e/0x670 +? syscall_trace_enter+0x1e2/0x380 +ksys_ioctl+0x60/0x90 +__x64_sys_ioctl+0x16/0x20 +do_syscall_64+0x5a/0x170 +entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_clsf.c | 3 +-- + drivers/net/ethernet/cisco/enic/enic_main.c | 3 ++- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_clsf.c ++++ b/drivers/net/ethernet/cisco/enic/enic_clsf.c +@@ -78,7 +78,6 @@ void enic_rfs_flw_tbl_init(struct enic * + enic->rfs_h.max = enic->config.num_arfs; + enic->rfs_h.free = enic->rfs_h.max; + enic->rfs_h.toclean = 0; +- enic_rfs_timer_start(enic); + } + + void enic_rfs_flw_tbl_free(struct enic *enic) +@@ -87,7 +86,6 @@ void enic_rfs_flw_tbl_free(struct enic * + + enic_rfs_timer_stop(enic); + spin_lock_bh(&enic->rfs_h.lock); +- enic->rfs_h.free = 0; + for (i = 0; i < (1 << ENIC_RFS_FLW_BITSHIFT); i++) { + struct hlist_head *hhead; + struct hlist_node *tmp; +@@ -98,6 +96,7 @@ void enic_rfs_flw_tbl_free(struct enic * + enic_delfltr(enic, n->fltr_id); + hlist_del(&n->node); + kfree(n); ++ enic->rfs_h.free++; + } + } + spin_unlock_bh(&enic->rfs_h.lock); +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1760,7 +1760,7 @@ static int enic_open(struct net_device * + vnic_intr_unmask(&enic->intr[i]); + + enic_notify_timer_start(enic); +- enic_rfs_flw_tbl_init(enic); ++ enic_rfs_timer_start(enic); + + return 0; + +@@ -2692,6 +2692,7 @@ static int enic_probe(struct pci_dev *pd + enic->notify_timer.function = enic_notify_timer; + enic->notify_timer.data = (unsigned long)enic; + ++ enic_rfs_flw_tbl_init(enic); + enic_set_rx_coal_setting(enic); + INIT_WORK(&enic->reset, enic_reset); + INIT_WORK(&enic->tx_hang_reset, enic_tx_hang_reset); diff --git a/queue-4.9/hid-wacom-correct-touch-maximum-xy-of-2nd-gen-intuos.patch b/queue-4.9/hid-wacom-correct-touch-maximum-xy-of-2nd-gen-intuos.patch new file mode 100644 index 00000000000..a573e85f584 --- /dev/null +++ b/queue-4.9/hid-wacom-correct-touch-maximum-xy-of-2nd-gen-intuos.patch @@ -0,0 +1,47 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Jason Gerecke +Date: Tue, 26 Jun 2018 09:58:02 -0700 +Subject: HID: wacom: Correct touch maximum XY of 2nd-gen Intuos + +From: Jason Gerecke + +[ Upstream commit 3b8d573586d1b9dee33edf6cb6f2ca05f4bca568 ] + +The touch sensors on the 2nd-gen Intuos tablets don't use a 4096x4096 +sensor like other similar tablets (3rd-gen Bamboo, Intuos5, etc.). +The incorrect maximum XY values don't normally affect userspace since +touch input from these devices is typically relative rather than +absolute. It does, however, cause problems when absolute distances +need to be measured, e.g. for gesture recognition. Since the resolution +of the touch sensor on these devices is 10 units / mm (versus 100 for +the pen sensor), the proper maximum values can be calculated by simply +dividing by 10. + +Fixes: b5fd2a3e92 ("Input: wacom - add support for three new Intuos devices") +Signed-off-by: Jason Gerecke +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2429,8 +2429,14 @@ void wacom_setup_device_quirks(struct wa + if (features->type >= INTUOSHT && features->type <= BAMBOO_PT) + features->device_type |= WACOM_DEVICETYPE_PAD; + +- features->x_max = 4096; +- features->y_max = 4096; ++ if (features->type == INTUOSHT2) { ++ features->x_max = features->x_max / 10; ++ features->y_max = features->y_max / 10; ++ } ++ else { ++ features->x_max = 4096; ++ features->y_max = 4096; ++ } + } + else if (features->pktlen == WACOM_PKGLEN_BBTOUCH) { + features->device_type |= WACOM_DEVICETYPE_PAD; diff --git a/queue-4.9/ib-rxe-fix-missing-completion-for-mem_reg-work-requests.patch b/queue-4.9/ib-rxe-fix-missing-completion-for-mem_reg-work-requests.patch new file mode 100644 index 00000000000..2419d2c211e --- /dev/null +++ b/queue-4.9/ib-rxe-fix-missing-completion-for-mem_reg-work-requests.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vijay Immanuel +Date: Tue, 12 Jun 2018 18:16:05 -0700 +Subject: IB/rxe: Fix missing completion for mem_reg work requests + +From: Vijay Immanuel + +[ Upstream commit 375dc53d032fc11e98036b5f228ad13f7c5933f5 ] + +Run the completer task to post a work completion after processing +a memory registration or invalidate work request. This covers the +case where the memory registration or invalidate was the last work +request posted to the qp. + +Signed-off-by: Vijay Immanuel +Reviewed-by: Yonatan Cohen +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_req.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/infiniband/sw/rxe/rxe_req.c ++++ b/drivers/infiniband/sw/rxe/rxe_req.c +@@ -648,6 +648,9 @@ next_wqe: + } else { + goto exit; + } ++ if ((wqe->wr.send_flags & IB_SEND_SIGNALED) || ++ qp->sq_sig_type == IB_SIGNAL_ALL_WR) ++ rxe_run_task(&qp->comp.task, 1); + qp->req.wqe_index = next_index(qp->sq.queue, + qp->req.wqe_index); + goto next_wqe; diff --git a/queue-4.9/ieee802154-6lowpan-set-ifla_link.patch b/queue-4.9/ieee802154-6lowpan-set-ifla_link.patch new file mode 100644 index 00000000000..217510ba7ad --- /dev/null +++ b/queue-4.9/ieee802154-6lowpan-set-ifla_link.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Lubomir Rintel +Date: Mon, 2 Jul 2018 11:21:47 +0200 +Subject: ieee802154: 6lowpan: set IFLA_LINK + +From: Lubomir Rintel + +[ Upstream commit b30c122c0bbb0a1dc413085e177ea09467e65fdb ] + +Otherwise NetworkManager (and iproute alike) is not able to identify the +parent IEEE 802.15.4 interface of a 6LoWPAN link. + +Signed-off-by: Lubomir Rintel +Acked-by: Alexander Aring +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/6lowpan/core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/ieee802154/6lowpan/core.c ++++ b/net/ieee802154/6lowpan/core.c +@@ -90,12 +90,18 @@ static int lowpan_neigh_construct(struct + return 0; + } + ++static int lowpan_get_iflink(const struct net_device *dev) ++{ ++ return lowpan_802154_dev(dev)->wdev->ifindex; ++} ++ + static const struct net_device_ops lowpan_netdev_ops = { + .ndo_init = lowpan_dev_init, + .ndo_start_xmit = lowpan_xmit, + .ndo_open = lowpan_open, + .ndo_stop = lowpan_stop, + .ndo_neigh_construct = lowpan_neigh_construct, ++ .ndo_get_iflink = lowpan_get_iflink, + }; + + static void lowpan_setup(struct net_device *ldev) diff --git a/queue-4.9/ieee802154-at86rf230-switch-from-bug_on-to-warn_on-on-problem.patch b/queue-4.9/ieee802154-at86rf230-switch-from-bug_on-to-warn_on-on-problem.patch new file mode 100644 index 00000000000..cc910863fa2 --- /dev/null +++ b/queue-4.9/ieee802154-at86rf230-switch-from-bug_on-to-warn_on-on-problem.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Schmidt +Date: Fri, 22 Sep 2017 14:13:53 +0200 +Subject: ieee802154: at86rf230: switch from BUG_ON() to WARN_ON() on problem + +From: Stefan Schmidt + +[ Upstream commit 20f330452ad8814f2289a589baf65e21270879a7 ] + +The check is valid but it does not warrant to crash the kernel. A +WARN_ON() is good enough here. +Found by checkpatch. + +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/at86rf230.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ieee802154/at86rf230.c ++++ b/drivers/net/ieee802154/at86rf230.c +@@ -941,7 +941,7 @@ at86rf230_xmit(struct ieee802154_hw *hw, + static int + at86rf230_ed(struct ieee802154_hw *hw, u8 *level) + { +- BUG_ON(!level); ++ WARN_ON(!level); + *level = 0xbe; + return 0; + } diff --git a/queue-4.9/ieee802154-at86rf230-use-__func__-macro-for-debug-messages.patch b/queue-4.9/ieee802154-at86rf230-use-__func__-macro-for-debug-messages.patch new file mode 100644 index 00000000000..a18b9d248f8 --- /dev/null +++ b/queue-4.9/ieee802154-at86rf230-use-__func__-macro-for-debug-messages.patch @@ -0,0 +1,70 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Schmidt +Date: Fri, 22 Sep 2017 14:13:54 +0200 +Subject: ieee802154: at86rf230: use __func__ macro for debug messages + +From: Stefan Schmidt + +[ Upstream commit 8a81388ec27c4c0adbdecd20e67bb5f411ab46b2 ] + +Instead of having the function name hard-coded (it might change and we +forgot to update them in the debug output) we can use __func__ instead +and also shorter the line so we do not need to break it. Also fix an +extra blank line while being here. +Found by checkpatch. + +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/at86rf230.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/net/ieee802154/at86rf230.c ++++ b/drivers/net/ieee802154/at86rf230.c +@@ -1117,8 +1117,7 @@ at86rf230_set_hw_addr_filt(struct ieee80 + if (changed & IEEE802154_AFILT_SADDR_CHANGED) { + u16 addr = le16_to_cpu(filt->short_addr); + +- dev_vdbg(&lp->spi->dev, +- "at86rf230_set_hw_addr_filt called for saddr\n"); ++ dev_vdbg(&lp->spi->dev, "%s called for saddr\n", __func__); + __at86rf230_write(lp, RG_SHORT_ADDR_0, addr); + __at86rf230_write(lp, RG_SHORT_ADDR_1, addr >> 8); + } +@@ -1126,8 +1125,7 @@ at86rf230_set_hw_addr_filt(struct ieee80 + if (changed & IEEE802154_AFILT_PANID_CHANGED) { + u16 pan = le16_to_cpu(filt->pan_id); + +- dev_vdbg(&lp->spi->dev, +- "at86rf230_set_hw_addr_filt called for pan id\n"); ++ dev_vdbg(&lp->spi->dev, "%s called for pan id\n", __func__); + __at86rf230_write(lp, RG_PAN_ID_0, pan); + __at86rf230_write(lp, RG_PAN_ID_1, pan >> 8); + } +@@ -1136,15 +1134,13 @@ at86rf230_set_hw_addr_filt(struct ieee80 + u8 i, addr[8]; + + memcpy(addr, &filt->ieee_addr, 8); +- dev_vdbg(&lp->spi->dev, +- "at86rf230_set_hw_addr_filt called for IEEE addr\n"); ++ dev_vdbg(&lp->spi->dev, "%s called for IEEE addr\n", __func__); + for (i = 0; i < 8; i++) + __at86rf230_write(lp, RG_IEEE_ADDR_0 + i, addr[i]); + } + + if (changed & IEEE802154_AFILT_PANC_CHANGED) { +- dev_vdbg(&lp->spi->dev, +- "at86rf230_set_hw_addr_filt called for panc change\n"); ++ dev_vdbg(&lp->spi->dev, "%s called for panc change\n", __func__); + if (filt->pan_coord) + at86rf230_write_subreg(lp, SR_AACK_I_AM_COORD, 1); + else +@@ -1248,7 +1244,6 @@ at86rf230_set_cca_mode(struct ieee802154 + return at86rf230_write_subreg(lp, SR_CCA_MODE, val); + } + +- + static int + at86rf230_set_cca_ed_level(struct ieee802154_hw *hw, s32 mbm) + { diff --git a/queue-4.9/ieee802154-fakelb-switch-from-bug_on-to-warn_on-on-problem.patch b/queue-4.9/ieee802154-fakelb-switch-from-bug_on-to-warn_on-on-problem.patch new file mode 100644 index 00000000000..de05d7ab359 --- /dev/null +++ b/queue-4.9/ieee802154-fakelb-switch-from-bug_on-to-warn_on-on-problem.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Schmidt +Date: Fri, 22 Sep 2017 14:14:05 +0200 +Subject: ieee802154: fakelb: switch from BUG_ON() to WARN_ON() on problem + +From: Stefan Schmidt + +[ Upstream commit 8f2fbc6c60ff213369e06a73610fc882a42fdf20 ] + +The check is valid but it does not warrant to crash the kernel. A +WARN_ON() is good enough here. +Found by checkpatch. + +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ieee802154/fakelb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ieee802154/fakelb.c ++++ b/drivers/net/ieee802154/fakelb.c +@@ -49,7 +49,7 @@ struct fakelb_phy { + + static int fakelb_hw_ed(struct ieee802154_hw *hw, u8 *level) + { +- BUG_ON(!level); ++ WARN_ON(!level); + *level = 0xbe; + + return 0; diff --git a/queue-4.9/iio-pressure-bmp280-fix-relative-humidity-unit.patch b/queue-4.9/iio-pressure-bmp280-fix-relative-humidity-unit.patch new file mode 100644 index 00000000000..3ad2404323d --- /dev/null +++ b/queue-4.9/iio-pressure-bmp280-fix-relative-humidity-unit.patch @@ -0,0 +1,43 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Tomasz Duszynski +Date: Mon, 28 May 2018 17:38:59 +0200 +Subject: iio: pressure: bmp280: fix relative humidity unit + +From: Tomasz Duszynski + +[ Upstream commit 13399ff25f179811ce9c1df1523eb39f9e4a4772 ] + +According to IIO ABI relative humidity reading should be +returned in milli percent. + +This patch addresses that by applying proper scaling and +returning integer instead of fractional format type specifier. + +Note that the fixes tag is before the driver was heavily refactored +to introduce spi support, so the patch won't apply that far back. + +Signed-off-by: Tomasz Duszynski +Fixes: 14beaa8f5ab1 ("iio: pressure: bmp280: add humidity support") +Acked-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/bmp280-core.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/pressure/bmp280-core.c ++++ b/drivers/iio/pressure/bmp280-core.c +@@ -347,10 +347,9 @@ static int bmp280_read_humid(struct bmp2 + adc_humidity = be16_to_cpu(tmp); + comp_humidity = bmp280_compensate_humidity(data, adc_humidity); + +- *val = comp_humidity; +- *val2 = 1024; ++ *val = comp_humidity * 1000 / 1024; + +- return IIO_VAL_FRACTIONAL; ++ return IIO_VAL_INT; + } + + static int bmp280_read_raw(struct iio_dev *indio_dev, diff --git a/queue-4.9/ipv6-make-ipv6_renew_options-interrupt-kernel-safe.patch b/queue-4.9/ipv6-make-ipv6_renew_options-interrupt-kernel-safe.patch new file mode 100644 index 00000000000..8cb3822c654 --- /dev/null +++ b/queue-4.9/ipv6-make-ipv6_renew_options-interrupt-kernel-safe.patch @@ -0,0 +1,334 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Paul Moore +Date: Wed, 4 Jul 2018 09:58:05 -0400 +Subject: ipv6: make ipv6_renew_options() interrupt/kernel safe + +From: Paul Moore + +[ Upstream commit a9ba23d48dbc6ffd08426bb10f05720e0b9f5c14 ] + +At present the ipv6_renew_options_kern() function ends up calling into +access_ok() which is problematic if done from inside an interrupt as +access_ok() calls WARN_ON_IN_IRQ() on some (all?) architectures +(x86-64 is affected). Example warning/backtrace is shown below: + + WARNING: CPU: 1 PID: 3144 at lib/usercopy.c:11 _copy_from_user+0x85/0x90 + ... + Call Trace: + + ipv6_renew_option+0xb2/0xf0 + ipv6_renew_options+0x26a/0x340 + ipv6_renew_options_kern+0x2c/0x40 + calipso_req_setattr+0x72/0xe0 + netlbl_req_setattr+0x126/0x1b0 + selinux_netlbl_inet_conn_request+0x80/0x100 + selinux_inet_conn_request+0x6d/0xb0 + security_inet_conn_request+0x32/0x50 + tcp_conn_request+0x35f/0xe00 + ? __lock_acquire+0x250/0x16c0 + ? selinux_socket_sock_rcv_skb+0x1ae/0x210 + ? tcp_rcv_state_process+0x289/0x106b + tcp_rcv_state_process+0x289/0x106b + ? tcp_v6_do_rcv+0x1a7/0x3c0 + tcp_v6_do_rcv+0x1a7/0x3c0 + tcp_v6_rcv+0xc82/0xcf0 + ip6_input_finish+0x10d/0x690 + ip6_input+0x45/0x1e0 + ? ip6_rcv_finish+0x1d0/0x1d0 + ipv6_rcv+0x32b/0x880 + ? ip6_make_skb+0x1e0/0x1e0 + __netif_receive_skb_core+0x6f2/0xdf0 + ? process_backlog+0x85/0x250 + ? process_backlog+0x85/0x250 + ? process_backlog+0xec/0x250 + process_backlog+0xec/0x250 + net_rx_action+0x153/0x480 + __do_softirq+0xd9/0x4f7 + do_softirq_own_stack+0x2a/0x40 + + ... + +While not present in the backtrace, ipv6_renew_option() ends up calling +access_ok() via the following chain: + + access_ok() + _copy_from_user() + copy_from_user() + ipv6_renew_option() + +The fix presented in this patch is to perform the userspace copy +earlier in the call chain such that it is only called when the option +data is actually coming from userspace; that place is +do_ipv6_setsockopt(). Not only does this solve the problem seen in +the backtrace above, it also allows us to simplify the code quite a +bit by removing ipv6_renew_options_kern() completely. We also take +this opportunity to cleanup ipv6_renew_options()/ipv6_renew_option() +a small amount as well. + +This patch is heavily based on a rough patch by Al Viro. I've taken +his original patch, converted a kmemdup() call in do_ipv6_setsockopt() +to a memdup_user() call, made better use of the e_inval jump target in +the same function, and cleaned up the use ipv6_renew_option() by +ipv6_renew_options(). + +CC: Al Viro +Signed-off-by: Paul Moore +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ipv6.h | 9 --- + net/ipv6/calipso.c | 9 +-- + net/ipv6/exthdrs.c | 111 ++++++++++++----------------------------------- + net/ipv6/ipv6_sockglue.c | 27 ++++++++--- + 4 files changed, 53 insertions(+), 103 deletions(-) + +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -312,14 +312,7 @@ struct ipv6_txoptions *ipv6_dup_options( + struct ipv6_txoptions *ipv6_renew_options(struct sock *sk, + struct ipv6_txoptions *opt, + int newtype, +- struct ipv6_opt_hdr __user *newopt, +- int newoptlen); +-struct ipv6_txoptions * +-ipv6_renew_options_kern(struct sock *sk, +- struct ipv6_txoptions *opt, +- int newtype, +- struct ipv6_opt_hdr *newopt, +- int newoptlen); ++ struct ipv6_opt_hdr *newopt); + struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, + struct ipv6_txoptions *opt); + +--- a/net/ipv6/calipso.c ++++ b/net/ipv6/calipso.c +@@ -799,8 +799,7 @@ static int calipso_opt_update(struct soc + { + struct ipv6_txoptions *old = txopt_get(inet6_sk(sk)), *txopts; + +- txopts = ipv6_renew_options_kern(sk, old, IPV6_HOPOPTS, +- hop, hop ? ipv6_optlen(hop) : 0); ++ txopts = ipv6_renew_options(sk, old, IPV6_HOPOPTS, hop); + txopt_put(old); + if (IS_ERR(txopts)) + return PTR_ERR(txopts); +@@ -1222,8 +1221,7 @@ static int calipso_req_setattr(struct re + if (IS_ERR(new)) + return PTR_ERR(new); + +- txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, +- new, new ? ipv6_optlen(new) : 0); ++ txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new); + + kfree(new); + +@@ -1260,8 +1258,7 @@ static void calipso_req_delattr(struct r + if (calipso_opt_del(req_inet->ipv6_opt->hopopt, &new)) + return; /* Nothing to do */ + +- txopts = ipv6_renew_options_kern(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, +- new, new ? ipv6_optlen(new) : 0); ++ txopts = ipv6_renew_options(sk, req_inet->ipv6_opt, IPV6_HOPOPTS, new); + + if (!IS_ERR(txopts)) { + txopts = xchg(&req_inet->ipv6_opt, txopts); +--- a/net/ipv6/exthdrs.c ++++ b/net/ipv6/exthdrs.c +@@ -760,29 +760,21 @@ ipv6_dup_options(struct sock *sk, struct + } + EXPORT_SYMBOL_GPL(ipv6_dup_options); + +-static int ipv6_renew_option(void *ohdr, +- struct ipv6_opt_hdr __user *newopt, int newoptlen, +- int inherit, +- struct ipv6_opt_hdr **hdr, +- char **p) ++static void ipv6_renew_option(int renewtype, ++ struct ipv6_opt_hdr **dest, ++ struct ipv6_opt_hdr *old, ++ struct ipv6_opt_hdr *new, ++ int newtype, char **p) + { +- if (inherit) { +- if (ohdr) { +- memcpy(*p, ohdr, ipv6_optlen((struct ipv6_opt_hdr *)ohdr)); +- *hdr = (struct ipv6_opt_hdr *)*p; +- *p += CMSG_ALIGN(ipv6_optlen(*hdr)); +- } +- } else { +- if (newopt) { +- if (copy_from_user(*p, newopt, newoptlen)) +- return -EFAULT; +- *hdr = (struct ipv6_opt_hdr *)*p; +- if (ipv6_optlen(*hdr) > newoptlen) +- return -EINVAL; +- *p += CMSG_ALIGN(newoptlen); +- } +- } +- return 0; ++ struct ipv6_opt_hdr *src; ++ ++ src = (renewtype == newtype ? new : old); ++ if (!src) ++ return; ++ ++ memcpy(*p, src, ipv6_optlen(src)); ++ *dest = (struct ipv6_opt_hdr *)*p; ++ *p += CMSG_ALIGN(ipv6_optlen(*dest)); + } + + /** +@@ -808,13 +800,11 @@ static int ipv6_renew_option(void *ohdr, + */ + struct ipv6_txoptions * + ipv6_renew_options(struct sock *sk, struct ipv6_txoptions *opt, +- int newtype, +- struct ipv6_opt_hdr __user *newopt, int newoptlen) ++ int newtype, struct ipv6_opt_hdr *newopt) + { + int tot_len = 0; + char *p; + struct ipv6_txoptions *opt2; +- int err; + + if (opt) { + if (newtype != IPV6_HOPOPTS && opt->hopopt) +@@ -827,8 +817,8 @@ ipv6_renew_options(struct sock *sk, stru + tot_len += CMSG_ALIGN(ipv6_optlen(opt->dst1opt)); + } + +- if (newopt && newoptlen) +- tot_len += CMSG_ALIGN(newoptlen); ++ if (newopt) ++ tot_len += CMSG_ALIGN(ipv6_optlen(newopt)); + + if (!tot_len) + return NULL; +@@ -843,29 +833,19 @@ ipv6_renew_options(struct sock *sk, stru + opt2->tot_len = tot_len; + p = (char *)(opt2 + 1); + +- err = ipv6_renew_option(opt ? opt->hopopt : NULL, newopt, newoptlen, +- newtype != IPV6_HOPOPTS, +- &opt2->hopopt, &p); +- if (err) +- goto out; +- +- err = ipv6_renew_option(opt ? opt->dst0opt : NULL, newopt, newoptlen, +- newtype != IPV6_RTHDRDSTOPTS, +- &opt2->dst0opt, &p); +- if (err) +- goto out; +- +- err = ipv6_renew_option(opt ? opt->srcrt : NULL, newopt, newoptlen, +- newtype != IPV6_RTHDR, +- (struct ipv6_opt_hdr **)&opt2->srcrt, &p); +- if (err) +- goto out; +- +- err = ipv6_renew_option(opt ? opt->dst1opt : NULL, newopt, newoptlen, +- newtype != IPV6_DSTOPTS, +- &opt2->dst1opt, &p); +- if (err) +- goto out; ++ ipv6_renew_option(IPV6_HOPOPTS, &opt2->hopopt, ++ (opt ? opt->hopopt : NULL), ++ newopt, newtype, &p); ++ ipv6_renew_option(IPV6_RTHDRDSTOPTS, &opt2->dst0opt, ++ (opt ? opt->dst0opt : NULL), ++ newopt, newtype, &p); ++ ipv6_renew_option(IPV6_RTHDR, ++ (struct ipv6_opt_hdr **)&opt2->srcrt, ++ (opt ? (struct ipv6_opt_hdr *)opt->srcrt : NULL), ++ newopt, newtype, &p); ++ ipv6_renew_option(IPV6_DSTOPTS, &opt2->dst1opt, ++ (opt ? opt->dst1opt : NULL), ++ newopt, newtype, &p); + + opt2->opt_nflen = (opt2->hopopt ? ipv6_optlen(opt2->hopopt) : 0) + + (opt2->dst0opt ? ipv6_optlen(opt2->dst0opt) : 0) + +@@ -873,37 +853,6 @@ ipv6_renew_options(struct sock *sk, stru + opt2->opt_flen = (opt2->dst1opt ? ipv6_optlen(opt2->dst1opt) : 0); + + return opt2; +-out: +- sock_kfree_s(sk, opt2, opt2->tot_len); +- return ERR_PTR(err); +-} +- +-/** +- * ipv6_renew_options_kern - replace a specific ext hdr with a new one. +- * +- * @sk: sock from which to allocate memory +- * @opt: original options +- * @newtype: option type to replace in @opt +- * @newopt: new option of type @newtype to replace (kernel-mem) +- * @newoptlen: length of @newopt +- * +- * See ipv6_renew_options(). The difference is that @newopt is +- * kernel memory, rather than user memory. +- */ +-struct ipv6_txoptions * +-ipv6_renew_options_kern(struct sock *sk, struct ipv6_txoptions *opt, +- int newtype, struct ipv6_opt_hdr *newopt, +- int newoptlen) +-{ +- struct ipv6_txoptions *ret_val; +- const mm_segment_t old_fs = get_fs(); +- +- set_fs(KERNEL_DS); +- ret_val = ipv6_renew_options(sk, opt, newtype, +- (struct ipv6_opt_hdr __user *)newopt, +- newoptlen); +- set_fs(old_fs); +- return ret_val; + } + + struct ipv6_txoptions *ipv6_fixup_options(struct ipv6_txoptions *opt_space, +--- a/net/ipv6/ipv6_sockglue.c ++++ b/net/ipv6/ipv6_sockglue.c +@@ -390,6 +390,12 @@ static int do_ipv6_setsockopt(struct soc + case IPV6_DSTOPTS: + { + struct ipv6_txoptions *opt; ++ struct ipv6_opt_hdr *new = NULL; ++ ++ /* hop-by-hop / destination options are privileged option */ ++ retv = -EPERM; ++ if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) ++ break; + + /* remove any sticky options header with a zero option + * length, per RFC3542. +@@ -401,17 +407,22 @@ static int do_ipv6_setsockopt(struct soc + else if (optlen < sizeof(struct ipv6_opt_hdr) || + optlen & 0x7 || optlen > 8 * 255) + goto e_inval; +- +- /* hop-by-hop / destination options are privileged option */ +- retv = -EPERM; +- if (optname != IPV6_RTHDR && !ns_capable(net->user_ns, CAP_NET_RAW)) +- break; ++ else { ++ new = memdup_user(optval, optlen); ++ if (IS_ERR(new)) { ++ retv = PTR_ERR(new); ++ break; ++ } ++ if (unlikely(ipv6_optlen(new) > optlen)) { ++ kfree(new); ++ goto e_inval; ++ } ++ } + + opt = rcu_dereference_protected(np->opt, + lockdep_sock_is_held(sk)); +- opt = ipv6_renew_options(sk, opt, optname, +- (struct ipv6_opt_hdr __user *)optval, +- optlen); ++ opt = ipv6_renew_options(sk, opt, optname, new); ++ kfree(new); + if (IS_ERR(opt)) { + retv = PTR_ERR(opt); + break; diff --git a/queue-4.9/ipv6-mcast-fix-unsolicited-report-interval-after-receiving-querys.patch b/queue-4.9/ipv6-mcast-fix-unsolicited-report-interval-after-receiving-querys.patch new file mode 100644 index 00000000000..1b3f1b65031 --- /dev/null +++ b/queue-4.9/ipv6-mcast-fix-unsolicited-report-interval-after-receiving-querys.patch @@ -0,0 +1,58 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Hangbin Liu +Date: Thu, 21 Jun 2018 19:49:36 +0800 +Subject: ipv6: mcast: fix unsolicited report interval after receiving querys + +From: Hangbin Liu + +[ Upstream commit 6c6da92808442908287fae8ebb0ca041a52469f4 ] + +After recieving MLD querys, we update idev->mc_maxdelay with max_delay +from query header. This make the later unsolicited reports have the same +interval with mc_maxdelay, which means we may send unsolicited reports with +long interval time instead of default configured interval time. + +Also as we will not call ipv6_mc_reset() after device up. This issue will +be there even after leave the group and join other groups. + +Fixes: fc4eba58b4c14 ("ipv6: make unsolicited report intervals configurable for mld") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/mcast.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -2084,7 +2084,8 @@ void ipv6_mc_dad_complete(struct inet6_d + mld_send_initial_cr(idev); + idev->mc_dad_count--; + if (idev->mc_dad_count) +- mld_dad_start_timer(idev, idev->mc_maxdelay); ++ mld_dad_start_timer(idev, ++ unsolicited_report_interval(idev)); + } + } + +@@ -2096,7 +2097,8 @@ static void mld_dad_timer_expire(unsigne + if (idev->mc_dad_count) { + idev->mc_dad_count--; + if (idev->mc_dad_count) +- mld_dad_start_timer(idev, idev->mc_maxdelay); ++ mld_dad_start_timer(idev, ++ unsolicited_report_interval(idev)); + } + in6_dev_put(idev); + } +@@ -2454,7 +2456,8 @@ static void mld_ifc_timer_expire(unsigne + if (idev->mc_ifc_count) { + idev->mc_ifc_count--; + if (idev->mc_ifc_count) +- mld_ifc_start_timer(idev, idev->mc_maxdelay); ++ mld_ifc_start_timer(idev, ++ unsolicited_report_interval(idev)); + } + in6_dev_put(idev); + } diff --git a/queue-4.9/ipvlan-call-dev_change_flags-when-ipvlan-mode-is-reset.patch b/queue-4.9/ipvlan-call-dev_change_flags-when-ipvlan-mode-is-reset.patch new file mode 100644 index 00000000000..e142a5f2ef4 --- /dev/null +++ b/queue-4.9/ipvlan-call-dev_change_flags-when-ipvlan-mode-is-reset.patch @@ -0,0 +1,121 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Hangbin Liu +Date: Sun, 1 Jul 2018 16:21:21 +0800 +Subject: ipvlan: call dev_change_flags when ipvlan mode is reset + +From: Hangbin Liu + +[ Upstream commit 5dc2d3996a8b221c20dd0900bdad45031a572530 ] + +After we change the ipvlan mode from l3 to l2, or vice versa, we only +reset IFF_NOARP flag, but don't flush the ARP table cache, which will +cause eth->h_dest to be equal to eth->h_source in ipvlan_xmit_mode_l2(). +Then the message will not come out of host. + +Here is the reproducer on local host: + +ip link set eth1 up +ip addr add 192.168.1.1/24 dev eth1 +ip link add link eth1 ipvlan1 type ipvlan mode l3 + +ip netns add net1 +ip link set ipvlan1 netns net1 +ip netns exec net1 ip link set ipvlan1 up +ip netns exec net1 ip addr add 192.168.2.1/24 dev ipvlan1 + +ip route add 192.168.2.0/24 via 192.168.1.2 +ping 192.168.2.2 -c 2 + +ip netns exec net1 ip link set ipvlan1 type ipvlan mode l2 +ping 192.168.2.2 -c 2 + +Add the same configuration on remote host. After we set the mode to l2, +we could find that the src/dst MAC addresses are the same on eth1: + +21:26:06.648565 00:b7:13:ad:d3:05 > 00:b7:13:ad:d3:05, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58356, offset 0, flags [DF], proto ICMP (1), length 84) + 192.168.2.1 > 192.168.2.2: ICMP echo request, id 22686, seq 1, length 64 + +Fix this by calling dev_change_flags(), which will call netdevice notifier +with flag change info. + +v2: +a) As pointed out by Wang Cong, check return value for dev_change_flags() when +change dev flags. +b) As suggested by Stefano and Sabrina, move flags setting before l3mdev_ops. +So we don't need to redo ipvlan_{, un}register_nf_hook() again in err path. + +Reported-by: Jianlin Shi +Reviewed-by: Stefano Brivio +Reviewed-by: Sabrina Dubroca +Fixes: 2ad7bf3638411 ("ipvlan: Initial check-in of the IPVLAN driver.") +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ipvlan/ipvlan_main.c | 36 ++++++++++++++++++++++++++++-------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +--- a/drivers/net/ipvlan/ipvlan_main.c ++++ b/drivers/net/ipvlan/ipvlan_main.c +@@ -63,10 +63,23 @@ static int ipvlan_set_port_mode(struct i + { + struct ipvl_dev *ipvlan; + struct net_device *mdev = port->dev; +- int err = 0; ++ unsigned int flags; ++ int err; + + ASSERT_RTNL(); + if (port->mode != nval) { ++ list_for_each_entry(ipvlan, &port->ipvlans, pnode) { ++ flags = ipvlan->dev->flags; ++ if (nval == IPVLAN_MODE_L3 || nval == IPVLAN_MODE_L3S) { ++ err = dev_change_flags(ipvlan->dev, ++ flags | IFF_NOARP); ++ } else { ++ err = dev_change_flags(ipvlan->dev, ++ flags & ~IFF_NOARP); ++ } ++ if (unlikely(err)) ++ goto fail; ++ } + if (nval == IPVLAN_MODE_L3S) { + /* New mode is L3S */ + err = ipvlan_register_nf_hook(); +@@ -74,21 +87,28 @@ static int ipvlan_set_port_mode(struct i + mdev->l3mdev_ops = &ipvl_l3mdev_ops; + mdev->priv_flags |= IFF_L3MDEV_MASTER; + } else +- return err; ++ goto fail; + } else if (port->mode == IPVLAN_MODE_L3S) { + /* Old mode was L3S */ + mdev->priv_flags &= ~IFF_L3MDEV_MASTER; + ipvlan_unregister_nf_hook(); + mdev->l3mdev_ops = NULL; + } +- list_for_each_entry(ipvlan, &port->ipvlans, pnode) { +- if (nval == IPVLAN_MODE_L3 || nval == IPVLAN_MODE_L3S) +- ipvlan->dev->flags |= IFF_NOARP; +- else +- ipvlan->dev->flags &= ~IFF_NOARP; +- } + port->mode = nval; + } ++ return 0; ++ ++fail: ++ /* Undo the flags changes that have been done so far. */ ++ list_for_each_entry_continue_reverse(ipvlan, &port->ipvlans, pnode) { ++ flags = ipvlan->dev->flags; ++ if (port->mode == IPVLAN_MODE_L3 || ++ port->mode == IPVLAN_MODE_L3S) ++ dev_change_flags(ipvlan->dev, flags | IFF_NOARP); ++ else ++ dev_change_flags(ipvlan->dev, flags & ~IFF_NOARP); ++ } ++ + return err; + } + diff --git a/queue-4.9/ixgbe-be-more-careful-when-modifying-mac-filters.patch b/queue-4.9/ixgbe-be-more-careful-when-modifying-mac-filters.patch new file mode 100644 index 00000000000..6808fa03589 --- /dev/null +++ b/queue-4.9/ixgbe-be-more-careful-when-modifying-mac-filters.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Alexander Duyck +Date: Mon, 18 Jun 2018 12:02:00 -0400 +Subject: ixgbe: Be more careful when modifying MAC filters + +From: Alexander Duyck + +[ Upstream commit d14c780c11fbc10f66c43e7b64eefe87ca442bd3 ] + +This change makes it so that we are much more explicit about the ordering +of updates to the receive address register (RAR) table. Prior to this patch +I believe we may have been updating the table while entries were still +active, or possibly allowing for reordering of things since we weren't +explicitly flushing writes to either the lower or upper portion of the +register prior to accessing the other half. + +Signed-off-by: Alexander Duyck +Reviewed-by: Shannon Nelson +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_common.c +@@ -1847,7 +1847,12 @@ s32 ixgbe_set_rar_generic(struct ixgbe_h + if (enable_addr != 0) + rar_high |= IXGBE_RAH_AV; + ++ /* Record lower 32 bits of MAC address and then make ++ * sure that write is flushed to hardware before writing ++ * the upper 16 bits and setting the valid bit. ++ */ + IXGBE_WRITE_REG(hw, IXGBE_RAL(index), rar_low); ++ IXGBE_WRITE_FLUSH(hw); + IXGBE_WRITE_REG(hw, IXGBE_RAH(index), rar_high); + + return 0; +@@ -1879,8 +1884,13 @@ s32 ixgbe_clear_rar_generic(struct ixgbe + rar_high = IXGBE_READ_REG(hw, IXGBE_RAH(index)); + rar_high &= ~(0x0000FFFF | IXGBE_RAH_AV); + +- IXGBE_WRITE_REG(hw, IXGBE_RAL(index), 0); ++ /* Clear the address valid bit and upper 16 bits of the address ++ * before clearing the lower bits. This way we aren't updating ++ * a live filter. ++ */ + IXGBE_WRITE_REG(hw, IXGBE_RAH(index), rar_high); ++ IXGBE_WRITE_FLUSH(hw); ++ IXGBE_WRITE_REG(hw, IXGBE_RAL(index), 0); + + /* clear VMDq pool/queue selection for this RAR */ + hw->mac.ops.clear_vmdq(hw, index, IXGBE_CLEAR_VMDQ_ALL); diff --git a/queue-4.9/kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch b/queue-4.9/kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch new file mode 100644 index 00000000000..f26404d568a --- /dev/null +++ b/queue-4.9/kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch @@ -0,0 +1,69 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Zhen Lei +Date: Tue, 3 Jul 2018 17:02:46 -0700 +Subject: kasan: fix shadow_size calculation error in kasan_module_alloc + +From: Zhen Lei + +[ Upstream commit 1e8e18f694a52d703665012ca486826f64bac29d ] + +There is a special case that the size is "(N << KASAN_SHADOW_SCALE_SHIFT) +Pages plus X", the value of X is [1, KASAN_SHADOW_SCALE_SIZE-1]. The +operation "size >> KASAN_SHADOW_SCALE_SHIFT" will drop X, and the +roundup operation can not retrieve the missed one page. For example: +size=0x28006, PAGE_SIZE=0x1000, KASAN_SHADOW_SCALE_SHIFT=3, we will get +shadow_size=0x5000, but actually we need 6 pages. + + shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, PAGE_SIZE); + +This can lead to a kernel crash when kasan is enabled and the value of +mod->core_layout.size or mod->init_layout.size is like above. Because +the shadow memory of X has not been allocated and mapped. + +move_module: + ptr = module_alloc(mod->core_layout.size); + ... + memset(ptr, 0, mod->core_layout.size); //crashed + + Unable to handle kernel paging request at virtual address ffff0fffff97b000 + ...... + Call trace: + __asan_storeN+0x174/0x1a8 + memset+0x24/0x48 + layout_and_allocate+0xcd8/0x1800 + load_module+0x190/0x23e8 + SyS_finit_module+0x148/0x180 + +Link: http://lkml.kernel.org/r/1529659626-12660-1-git-send-email-thunder.leizhen@huawei.com +Signed-off-by: Zhen Lei +Reviewed-by: Dmitriy Vyukov +Acked-by: Andrey Ryabinin +Cc: Alexander Potapenko +Cc: Hanjun Guo +Cc: Libin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/kasan/kasan.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/mm/kasan/kasan.c ++++ b/mm/kasan/kasan.c +@@ -660,12 +660,13 @@ void kasan_kfree_large(const void *ptr) + int kasan_module_alloc(void *addr, size_t size) + { + void *ret; ++ size_t scaled_size; + size_t shadow_size; + unsigned long shadow_start; + + shadow_start = (unsigned long)kasan_mem_to_shadow(addr); +- shadow_size = round_up(size >> KASAN_SHADOW_SCALE_SHIFT, +- PAGE_SIZE); ++ scaled_size = (size + KASAN_SHADOW_MASK) >> KASAN_SHADOW_SCALE_SHIFT; ++ shadow_size = round_up(scaled_size, PAGE_SIZE); + + if (WARN_ON(!PAGE_ALIGNED(shadow_start))) + return -EINVAL; diff --git a/queue-4.9/kvm-arm-arm64-drop-resource-size-check-for-gicv-window.patch b/queue-4.9/kvm-arm-arm64-drop-resource-size-check-for-gicv-window.patch new file mode 100644 index 00000000000..39cd888c890 --- /dev/null +++ b/queue-4.9/kvm-arm-arm64-drop-resource-size-check-for-gicv-window.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ard Biesheuvel +Date: Fri, 1 Jun 2018 17:06:28 +0200 +Subject: KVM: arm/arm64: Drop resource size check for GICV window + +From: Ard Biesheuvel + +[ Upstream commit ba56bc3a0786992755e6804fbcbdc60ef6cfc24c ] + +When booting a 64 KB pages kernel on a ACPI GICv3 system that +implements support for v2 emulation, the following warning is +produced + + GICV size 0x2000 not a multiple of page size 0x10000 + +and support for v2 emulation is disabled, preventing GICv2 VMs +from being able to run on such hosts. + +The reason is that vgic_v3_probe() performs a sanity check on the +size of the window (it should be a multiple of the page size), +while the ACPI MADT parsing code hardcodes the size of the window +to 8 KB. This makes sense, considering that ACPI does not bother +to describe the size in the first place, under the assumption that +platforms implementing ACPI will follow the architecture and not +put anything else in the same 64 KB window. + +So let's just drop the sanity check altogether, and assume that +the window is at least 64 KB in size. + +Fixes: 909777324588 ("KVM: arm/arm64: vgic-new: vgic_init: implement kvm_vgic_hyp_init") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-v3.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/virt/kvm/arm/vgic/vgic-v3.c ++++ b/virt/kvm/arm/vgic/vgic-v3.c +@@ -337,11 +337,6 @@ int vgic_v3_probe(const struct gic_kvm_i + pr_warn("GICV physical address 0x%llx not page aligned\n", + (unsigned long long)info->vcpu.start); + kvm_vgic_global_state.vcpu_base = 0; +- } else if (!PAGE_ALIGNED(resource_size(&info->vcpu))) { +- pr_warn("GICV size 0x%llx not a multiple of page size 0x%lx\n", +- (unsigned long long)resource_size(&info->vcpu), +- PAGE_SIZE); +- kvm_vgic_global_state.vcpu_base = 0; + } else { + kvm_vgic_global_state.vcpu_base = info->vcpu.start; + kvm_vgic_global_state.can_emulate_gicv2 = true; diff --git a/queue-4.9/libahci-fix-possible-spectre-v1-pmp-indexing-in-ahci_led_store.patch b/queue-4.9/libahci-fix-possible-spectre-v1-pmp-indexing-in-ahci_led_store.patch new file mode 100644 index 00000000000..173cadb48a7 --- /dev/null +++ b/queue-4.9/libahci-fix-possible-spectre-v1-pmp-indexing-in-ahci_led_store.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: John Garry +Date: Fri, 8 Jun 2018 18:26:33 +0800 +Subject: libahci: Fix possible Spectre-v1 pmp indexing in ahci_led_store() + +From: John Garry + +[ Upstream commit fae2a63737e5973f1426bc139935a0f42e232844 ] + +Currently smatch warns of possible Spectre-V1 issue in ahci_led_store(): +drivers/ata/libahci.c:1150 ahci_led_store() warn: potential spectre issue 'pp->em_priv' (local cap) + +Userspace controls @pmp from following callchain: +em_message->store() +->ata_scsi_em_message_store() +-->ap->ops->em_store() +--->ahci_led_store() + +After the mask+shift @pmp is effectively an 8b value, which is used to +index into an array of length 8, so sanitize the array index. + +Signed-off-by: John Garry +Signed-off-by: Tejun Heo + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1124,10 +1125,12 @@ static ssize_t ahci_led_store(struct ata + + /* get the slot number from the message */ + pmp = (state & EM_MSG_LED_PMP_SLOT) >> 8; +- if (pmp < EM_MAX_SLOTS) ++ if (pmp < EM_MAX_SLOTS) { ++ pmp = array_index_nospec(pmp, EM_MAX_SLOTS); + emp = &pp->em_priv[pmp]; +- else ++ } else { + return -EINVAL; ++ } + + /* mask off the activity bits if we are in sw_activity + * mode, user should turn off sw_activity before setting diff --git a/queue-4.9/locking-lockdep-do-not-record-irq-state-within-lockdep-code.patch b/queue-4.9/locking-lockdep-do-not-record-irq-state-within-lockdep-code.patch new file mode 100644 index 00000000000..4c588797e63 --- /dev/null +++ b/queue-4.9/locking-lockdep-do-not-record-irq-state-within-lockdep-code.patch @@ -0,0 +1,82 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Steven Rostedt (VMware)" +Date: Wed, 4 Apr 2018 14:06:30 -0400 +Subject: locking/lockdep: Do not record IRQ state within lockdep code + +From: "Steven Rostedt (VMware)" + +[ Upstream commit fcc784be837714a9173b372ff9fb9b514590dad9 ] + +While debugging where things were going wrong with mapping +enabling/disabling interrupts with the lockdep state and actual real +enabling and disabling interrupts, I had to silent the IRQ +disabling/enabling in debug_check_no_locks_freed() because it was +always showing up as it was called before the splat was. + +Use raw_local_irq_save/restore() for not only debug_check_no_locks_freed() +but for all internal lockdep functions, as they hide useful information +about where interrupts were used incorrectly last. + +Signed-off-by: Steven Rostedt (VMware) +Cc: Andrew Morton +Cc: Linus Torvalds +Cc: Paul E. McKenney +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/lkml/20180404140630.3f4f4c7a@gandalf.local.home +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/lockdep.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/locking/lockdep.c ++++ b/kernel/locking/lockdep.c +@@ -1240,11 +1240,11 @@ unsigned long lockdep_count_forward_deps + this.parent = NULL; + this.class = class; + +- local_irq_save(flags); ++ raw_local_irq_save(flags); + arch_spin_lock(&lockdep_lock); + ret = __lockdep_count_forward_deps(&this); + arch_spin_unlock(&lockdep_lock); +- local_irq_restore(flags); ++ raw_local_irq_restore(flags); + + return ret; + } +@@ -1267,11 +1267,11 @@ unsigned long lockdep_count_backward_dep + this.parent = NULL; + this.class = class; + +- local_irq_save(flags); ++ raw_local_irq_save(flags); + arch_spin_lock(&lockdep_lock); + ret = __lockdep_count_backward_deps(&this); + arch_spin_unlock(&lockdep_lock); +- local_irq_restore(flags); ++ raw_local_irq_restore(flags); + + return ret; + } +@@ -4273,7 +4273,7 @@ void debug_check_no_locks_freed(const vo + if (unlikely(!debug_locks)) + return; + +- local_irq_save(flags); ++ raw_local_irq_save(flags); + for (i = 0; i < curr->lockdep_depth; i++) { + hlock = curr->held_locks + i; + +@@ -4284,7 +4284,7 @@ void debug_check_no_locks_freed(const vo + print_freed_lock_bug(curr, mem_from, mem_from + mem_len, hlock); + break; + } +- local_irq_restore(flags); ++ raw_local_irq_restore(flags); + } + EXPORT_SYMBOL_GPL(debug_check_no_locks_freed); + diff --git a/queue-4.9/m68k-fix-bad-page-state-oops-on-coldfire-boot.patch b/queue-4.9/m68k-fix-bad-page-state-oops-on-coldfire-boot.patch new file mode 100644 index 00000000000..30ac3f58840 --- /dev/null +++ b/queue-4.9/m68k-fix-bad-page-state-oops-on-coldfire-boot.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Greg Ungerer +Date: Mon, 18 Jun 2018 15:34:14 +1000 +Subject: m68k: fix "bad page state" oops on ColdFire boot + +From: Greg Ungerer + +[ Upstream commit ecd60532e060e45c63c57ecf1c8549b1d656d34d ] + +Booting a ColdFire m68k core with MMU enabled causes a "bad page state" +oops since commit 1d40a5ea01d5 ("mm: mark pages in use for page tables"): + + BUG: Bad page state in process sh pfn:01ce2 + page:004fefc8 count:0 mapcount:-1024 mapping:00000000 index:0x0 + flags: 0x0() + raw: 00000000 00000000 00000000 fffffbff 00000000 00000100 00000200 00000000 + raw: 039c4000 + page dumped because: nonzero mapcount + Modules linked in: + CPU: 0 PID: 22 Comm: sh Not tainted 4.17.0-07461-g1d40a5ea01d5 #13 + +Fix by calling pgtable_page_dtor() in our __pte_free_tlb() code path, +so that the PG_table flag is cleared before we free the pte page. + +Note that I had to change the type of pte_free() to be static from +extern. Otherwise you get a lot of warnings like this: + +./arch/m68k/include/asm/mcf_pgalloc.h:80:2: warning: ‘pgtable_page_dtor’ is static but used in inline function ‘pte_free’ which is not static + pgtable_page_dtor(page); + ^ + +And making it static is consistent with our use of this in the other +m68k pgalloc definitions of pte_free(). + +Signed-off-by: Greg Ungerer +CC: Matthew Wilcox +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/m68k/include/asm/mcf_pgalloc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/m68k/include/asm/mcf_pgalloc.h ++++ b/arch/m68k/include/asm/mcf_pgalloc.h +@@ -43,6 +43,7 @@ extern inline pmd_t *pmd_alloc_kernel(pg + static inline void __pte_free_tlb(struct mmu_gather *tlb, pgtable_t page, + unsigned long address) + { ++ pgtable_page_dtor(page); + __free_page(page); + } + +@@ -73,8 +74,9 @@ static inline struct page *pte_alloc_one + return page; + } + +-extern inline void pte_free(struct mm_struct *mm, struct page *page) ++static inline void pte_free(struct mm_struct *mm, struct page *page) + { ++ pgtable_page_dtor(page); + __free_page(page); + } + diff --git a/queue-4.9/md-raid10-fix-that-replacement-cannot-complete-recovery-after-reassemble.patch b/queue-4.9/md-raid10-fix-that-replacement-cannot-complete-recovery-after-reassemble.patch new file mode 100644 index 00000000000..35f14d64be2 --- /dev/null +++ b/queue-4.9/md-raid10-fix-that-replacement-cannot-complete-recovery-after-reassemble.patch @@ -0,0 +1,54 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: BingJing Chang +Date: Thu, 28 Jun 2018 18:40:11 +0800 +Subject: md/raid10: fix that replacement cannot complete recovery after reassemble + +From: BingJing Chang + +[ Upstream commit bda3153998f3eb2cafa4a6311971143628eacdbc ] + +During assemble, the spare marked for replacement is not checked. +conf->fullsync cannot be updated to be 1. As a result, recovery will +treat it as a clean array. All recovering sectors are skipped. Original +device is replaced with the not-recovered spare. + +mdadm -C /dev/md0 -l10 -n4 -pn2 /dev/loop[0123] +mdadm /dev/md0 -a /dev/loop4 +mdadm /dev/md0 --replace /dev/loop0 +mdadm -S /dev/md0 # stop array during recovery + +mdadm -A /dev/md0 /dev/loop[01234] + +After reassemble, you can see recovery go on, but it completes +immediately. In fact, recovery is not actually processed. + +To solve this problem, we just add the missing logics for replacment +spares. (In raid1.c or raid5.c, they have already been checked.) + +Reported-by: Alex Chen +Reviewed-by: Alex Wu +Reviewed-by: Chung-Chiang Cheng +Signed-off-by: BingJing Chang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -3734,6 +3734,13 @@ static int raid10_run(struct mddev *mdde + disk->rdev->saved_raid_disk < 0) + conf->fullsync = 1; + } ++ ++ if (disk->replacement && ++ !test_bit(In_sync, &disk->replacement->flags) && ++ disk->replacement->saved_raid_disk < 0) { ++ conf->fullsync = 1; ++ } ++ + disk->recovery_disabled = mddev->recovery_disabled - 1; + } + diff --git a/queue-4.9/net-davinci_emac-match-the-mdio-device-against-its-compatible-if-possible.patch b/queue-4.9/net-davinci_emac-match-the-mdio-device-against-its-compatible-if-possible.patch new file mode 100644 index 00000000000..9478a6da7f8 --- /dev/null +++ b/queue-4.9/net-davinci_emac-match-the-mdio-device-against-its-compatible-if-possible.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Bartosz Golaszewski +Date: Wed, 20 Jun 2018 10:03:56 +0200 +Subject: net: davinci_emac: match the mdio device against its compatible if possible + +From: Bartosz Golaszewski + +[ Upstream commit ea0820bb771175c7d4192fc6f5b5c56b3c6d5239 ] + +Device tree based systems without of_dev_auxdata will have the mdio +device named differently than "davinci_mdio(.0)". In this case use the +device's parent's compatible string for matching + +Signed-off-by: Bartosz Golaszewski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/davinci_emac.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -1387,6 +1387,10 @@ static int emac_devioctl(struct net_devi + + static int match_first_device(struct device *dev, void *data) + { ++ if (dev->parent && dev->parent->of_node) ++ return of_device_is_compatible(dev->parent->of_node, ++ "ti,davinci_mdio"); ++ + return !strncmp(dev_name(dev), "davinci_mdio", 12); + } + diff --git a/queue-4.9/net-ethernet-freescale-fman-fix-cross-build-error.patch b/queue-4.9/net-ethernet-freescale-fman-fix-cross-build-error.patch new file mode 100644 index 00000000000..b8c1137ab4d --- /dev/null +++ b/queue-4.9/net-ethernet-freescale-fman-fix-cross-build-error.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Randy Dunlap +Date: Fri, 13 Jul 2018 21:25:19 -0700 +Subject: net/ethernet/freescale/fman: fix cross-build error + +From: Randy Dunlap + +[ Upstream commit c133459765fae249ba482f62e12f987aec4376f0 ] + + CC [M] drivers/net/ethernet/freescale/fman/fman.o +In file included from ../drivers/net/ethernet/freescale/fman/fman.c:35: +../include/linux/fsl/guts.h: In function 'guts_set_dmacr': +../include/linux/fsl/guts.h:165:2: error: implicit declaration of function 'clrsetbits_be32' [-Werror=implicit-function-declaration] + clrsetbits_be32(&guts->dmacr, 3 << shift, device << shift); + ^~~~~~~~~~~~~~~ + +Signed-off-by: Randy Dunlap +Cc: Madalin Bucur +Cc: netdev@vger.kernel.org +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/fsl/guts.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/fsl/guts.h ++++ b/include/linux/fsl/guts.h +@@ -16,6 +16,7 @@ + #define __FSL_GUTS_H__ + + #include ++#include + + /** + * Global Utility Registers. diff --git a/queue-4.9/net-hamradio-use-eth_broadcast_addr.patch b/queue-4.9/net-hamradio-use-eth_broadcast_addr.patch new file mode 100644 index 00000000000..8fb6b8554ad --- /dev/null +++ b/queue-4.9/net-hamradio-use-eth_broadcast_addr.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Agner +Date: Sun, 17 Jun 2018 23:40:53 +0200 +Subject: net: hamradio: use eth_broadcast_addr + +From: Stefan Agner + +[ Upstream commit 4e8439aa34802deab11cee68b0ecb18f887fb153 ] + +The array bpq_eth_addr is only used to get the size of an +address, whereas the bcast_addr is used to set the broadcast +address. This leads to a warning when using clang: +drivers/net/hamradio/bpqether.c:94:13: warning: variable 'bpq_eth_addr' is not + needed and will not be emitted [-Wunneeded-internal-declaration] +static char bpq_eth_addr[6]; + ^ + +Remove both variables and use the common eth_broadcast_addr +to set the broadcast address. + +Signed-off-by: Stefan Agner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/bpqether.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/net/hamradio/bpqether.c ++++ b/drivers/net/hamradio/bpqether.c +@@ -89,10 +89,6 @@ + static const char banner[] __initconst = KERN_INFO \ + "AX.25: bpqether driver version 004\n"; + +-static char bcast_addr[6]={0xFF,0xFF,0xFF,0xFF,0xFF,0xFF}; +- +-static char bpq_eth_addr[6]; +- + static int bpq_rcv(struct sk_buff *, struct net_device *, struct packet_type *, struct net_device *); + static int bpq_device_event(struct notifier_block *, unsigned long, void *); + +@@ -515,8 +511,8 @@ static int bpq_new_device(struct net_dev + bpq->ethdev = edev; + bpq->axdev = ndev; + +- memcpy(bpq->dest_addr, bcast_addr, sizeof(bpq_eth_addr)); +- memcpy(bpq->acpt_addr, bcast_addr, sizeof(bpq_eth_addr)); ++ eth_broadcast_addr(bpq->dest_addr); ++ eth_broadcast_addr(bpq->acpt_addr); + + err = register_netdevice(ndev); + if (err) diff --git a/queue-4.9/net-propagate-dev_get_valid_name-return-code.patch b/queue-4.9/net-propagate-dev_get_valid_name-return-code.patch new file mode 100644 index 00000000000..4c66eef38cc --- /dev/null +++ b/queue-4.9/net-propagate-dev_get_valid_name-return-code.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Li RongQing +Date: Tue, 19 Jun 2018 17:23:17 +0800 +Subject: net: propagate dev_get_valid_name return code + +From: Li RongQing + +[ Upstream commit 7892bd081045222b9e4027fec279a28d6fe7aa66 ] + +if dev_get_valid_name failed, propagate its return code + +and remove the setting err to ENODEV, it will be set to +0 again before dev_change_net_namespace exits. + +Signed-off-by: Li RongQing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -7945,7 +7945,8 @@ int dev_change_net_namespace(struct net_ + /* We get here if we can't use the current device name */ + if (!pat) + goto out; +- if (dev_get_valid_name(net, dev, pat) < 0) ++ err = dev_get_valid_name(net, dev, pat); ++ if (err < 0) + goto out; + } + +@@ -7957,7 +7958,6 @@ int dev_change_net_namespace(struct net_ + dev_close(dev); + + /* And unlink it from device chain */ +- err = -ENODEV; + unlist_netdevice(dev); + + synchronize_net(); diff --git a/queue-4.9/net-qca_spi-avoid-packet-drop-during-initial-sync.patch b/queue-4.9/net-qca_spi-avoid-packet-drop-during-initial-sync.patch new file mode 100644 index 00000000000..896900b6e79 --- /dev/null +++ b/queue-4.9/net-qca_spi-avoid-packet-drop-during-initial-sync.patch @@ -0,0 +1,33 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Wahren +Date: Wed, 18 Jul 2018 08:31:43 +0200 +Subject: net: qca_spi: Avoid packet drop during initial sync + +From: Stefan Wahren + +[ Upstream commit b2bab426dc715de147f8039a3fccff27d795f4eb ] + +As long as the synchronization with the QCA7000 isn't finished, we +cannot accept packets from the upper layers. So let the SPI thread +enable the TX queue after sync and avoid unwanted packet drop. + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -635,7 +635,7 @@ qcaspi_netdev_open(struct net_device *de + return ret; + } + +- netif_start_queue(qca->net_dev); ++ /* SPI thread takes care of TX queue */ + + return 0; + } diff --git a/queue-4.9/net-qca_spi-fix-log-level-if-probe-fails.patch b/queue-4.9/net-qca_spi-fix-log-level-if-probe-fails.patch new file mode 100644 index 00000000000..f9fe85d8970 --- /dev/null +++ b/queue-4.9/net-qca_spi-fix-log-level-if-probe-fails.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Wahren +Date: Wed, 18 Jul 2018 08:31:45 +0200 +Subject: net: qca_spi: Fix log level if probe fails + +From: Stefan Wahren + +[ Upstream commit 50973993260a6934f0a00da53d9b746cfbea89ab ] + +In cases the probing fails the log level of the messages should +be an error. + +Signed-off-by: Stefan Wahren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -868,22 +868,22 @@ qca_spi_probe(struct spi_device *spi) + + if ((qcaspi_clkspeed < QCASPI_CLK_SPEED_MIN) || + (qcaspi_clkspeed > QCASPI_CLK_SPEED_MAX)) { +- dev_info(&spi->dev, "Invalid clkspeed: %d\n", +- qcaspi_clkspeed); ++ dev_err(&spi->dev, "Invalid clkspeed: %d\n", ++ qcaspi_clkspeed); + return -EINVAL; + } + + if ((qcaspi_burst_len < QCASPI_BURST_LEN_MIN) || + (qcaspi_burst_len > QCASPI_BURST_LEN_MAX)) { +- dev_info(&spi->dev, "Invalid burst len: %d\n", +- qcaspi_burst_len); ++ dev_err(&spi->dev, "Invalid burst len: %d\n", ++ qcaspi_burst_len); + return -EINVAL; + } + + if ((qcaspi_pluggable < QCASPI_PLUGGABLE_MIN) || + (qcaspi_pluggable > QCASPI_PLUGGABLE_MAX)) { +- dev_info(&spi->dev, "Invalid pluggable: %d\n", +- qcaspi_pluggable); ++ dev_err(&spi->dev, "Invalid pluggable: %d\n", ++ qcaspi_pluggable); + return -EINVAL; + } + +@@ -944,8 +944,8 @@ qca_spi_probe(struct spi_device *spi) + } + + if (register_netdev(qcaspi_devs)) { +- dev_info(&spi->dev, "Unable to register net device %s\n", +- qcaspi_devs->name); ++ dev_err(&spi->dev, "Unable to register net device %s\n", ++ qcaspi_devs->name); + free_netdev(qcaspi_devs); + return -EFAULT; + } diff --git a/queue-4.9/net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch b/queue-4.9/net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch new file mode 100644 index 00000000000..9a45137d1ec --- /dev/null +++ b/queue-4.9/net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Stefan Wahren +Date: Wed, 18 Jul 2018 08:31:44 +0200 +Subject: net: qca_spi: Make sure the QCA7000 reset is triggered + +From: Stefan Wahren + +[ Upstream commit 711c62dfa6bdb4326ca6c587f295ea5c4f7269de ] + +In case the SPI thread is not running, a simple reset of sync +state won't fix the transmit timeout. We also need to wake up the kernel +thread. + +Signed-off-by: Stefan Wahren +Fixes: ed7d42e24eff ("net: qca_spi: fix transmit queue timeout handling") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -739,6 +739,9 @@ qcaspi_netdev_tx_timeout(struct net_devi + qca->net_dev->stats.tx_errors++; + /* Trigger tx queue flush and QCA7000 reset */ + qca->sync = QCASPI_SYNC_UNKNOWN; ++ ++ if (qca->spi_thread) ++ wake_up_process(qca->spi_thread); + } + + static int diff --git a/queue-4.9/net-qrtr-broadcast-messages-only-from-control-port.patch b/queue-4.9/net-qrtr-broadcast-messages-only-from-control-port.patch new file mode 100644 index 00000000000..958e3935727 --- /dev/null +++ b/queue-4.9/net-qrtr-broadcast-messages-only-from-control-port.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Arun Kumar Neelakantam +Date: Wed, 4 Jul 2018 19:49:32 +0530 +Subject: net: qrtr: Broadcast messages only from control port + +From: Arun Kumar Neelakantam + +[ Upstream commit fdf5fd3975666804118e62c69de25dc85cc0909c ] + +The broadcast node id should only be sent with the control port id. + +Signed-off-by: Arun Kumar Neelakantam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/qrtr/qrtr.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/qrtr/qrtr.c ++++ b/net/qrtr/qrtr.c +@@ -621,6 +621,10 @@ static int qrtr_sendmsg(struct socket *s + node = NULL; + if (addr->sq_node == QRTR_NODE_BCAST) { + enqueue_fn = qrtr_bcast_enqueue; ++ if (addr->sq_port != QRTR_PORT_CTRL) { ++ release_sock(sk); ++ return -ENOTCONN; ++ } + } else if (addr->sq_node == ipc->us.sq_node) { + enqueue_fn = qrtr_local_enqueue; + } else { diff --git a/queue-4.9/net-sched-act_tunnel_key-fix-null-dereference-when-goto-chain-is-used.patch b/queue-4.9/net-sched-act_tunnel_key-fix-null-dereference-when-goto-chain-is-used.patch new file mode 100644 index 00000000000..aed4706b056 --- /dev/null +++ b/queue-4.9/net-sched-act_tunnel_key-fix-null-dereference-when-goto-chain-is-used.patch @@ -0,0 +1,150 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Davide Caratti +Date: Fri, 6 Jul 2018 21:01:06 +0200 +Subject: net/sched: act_tunnel_key: fix NULL dereference when 'goto chain' is used + +From: Davide Caratti + +[ Upstream commit 38230a3e0e0933bbcf5df6fa469ba0667f667568 ] + +the control action in the common member of struct tcf_tunnel_key must be a +valid value, as it can contain the chain index when 'goto chain' is used. +Ensure that the control action can be read as x->tcfa_action, when x is a +pointer to struct tc_action and x->ops->type is TCA_ACT_TUNNEL_KEY, to +prevent the following command: + + # tc filter add dev $h2 ingress protocol ip pref 1 handle 101 flower \ + > $tcflags dst_mac $h2mac action tunnel_key unset goto chain 1 + +from causing a NULL dereference when a matching packet is received: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + PGD 80000001097ac067 P4D 80000001097ac067 PUD 103b0a067 PMD 0 + Oops: 0000 [#1] SMP PTI + CPU: 0 PID: 3491 Comm: mausezahn Tainted: G E 4.18.0-rc2.auguri+ #421 + Hardware name: Hewlett-Packard HP Z220 CMT Workstation/1790, BIOS K51 v01.58 02/07/2013 + RIP: 0010:tcf_action_exec+0xb8/0x100 + Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 + RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246 + RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001 + RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 + RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c + R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800 + R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40 + FS: 00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0 + Call Trace: + + fl_classify+0x1ad/0x1c0 [cls_flower] + ? __update_load_avg_se.isra.47+0x1ca/0x1d0 + ? __update_load_avg_se.isra.47+0x1ca/0x1d0 + ? update_load_avg+0x665/0x690 + ? update_load_avg+0x665/0x690 + ? kmem_cache_alloc+0x38/0x1c0 + tcf_classify+0x89/0x140 + __netif_receive_skb_core+0x5ea/0xb70 + ? enqueue_entity+0xd0/0x270 + ? process_backlog+0x97/0x150 + process_backlog+0x97/0x150 + net_rx_action+0x14b/0x3e0 + __do_softirq+0xde/0x2b4 + do_softirq_own_stack+0x2a/0x40 + + do_softirq.part.18+0x49/0x50 + __local_bh_enable_ip+0x49/0x50 + __dev_queue_xmit+0x4ab/0x8a0 + ? wait_woken+0x80/0x80 + ? packet_sendmsg+0x38f/0x810 + ? __dev_queue_xmit+0x8a0/0x8a0 + packet_sendmsg+0x38f/0x810 + sock_sendmsg+0x36/0x40 + __sys_sendto+0x10e/0x140 + ? do_vfs_ioctl+0xa4/0x630 + ? syscall_trace_enter+0x1df/0x2e0 + ? __audit_syscall_exit+0x22a/0x290 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x5b/0x180 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + RIP: 0033:0x7fd67e18dc93 + Code: 48 8b 0d 18 83 20 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 59 c7 20 00 00 75 13 49 89 ca b8 2c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 34 c3 48 83 ec 08 e8 2b f7 ff ff 48 89 04 24 + RSP: 002b:00007ffe0189b748 EFLAGS: 00000246 ORIG_RAX: 000000000000002c + RAX: ffffffffffffffda RBX: 00000000020ca010 RCX: 00007fd67e18dc93 + RDX: 0000000000000062 RSI: 00000000020ca322 RDI: 0000000000000003 + RBP: 00007ffe0189b780 R08: 00007ffe0189b760 R09: 0000000000000014 + R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000062 + R13: 00000000020ca322 R14: 00007ffe0189b760 R15: 0000000000000003 + Modules linked in: act_tunnel_key act_gact cls_flower sch_ingress vrf veth act_csum(E) xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter intel_rapl snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic kvm_intel kvm irqbypass snd_hda_intel crct10dif_pclmul crc32_pclmul hp_wmi ghash_clmulni_intel pcbc snd_hda_codec aesni_intel sparse_keymap rfkill snd_hda_core snd_hwdep snd_seq crypto_simd iTCO_wdt gpio_ich iTCO_vendor_support wmi_bmof cryptd mei_wdt glue_helper snd_seq_device snd_pcm pcspkr snd_timer snd i2c_i801 lpc_ich sg soundcore wmi mei_me + mei ie31200_edac nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod sr_mod cdrom i915 video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ahci crc32c_intel libahci serio_raw sfc libata mtd drm ixgbe mdio i2c_core e1000e dca + CR2: 0000000000000000 + ---[ end trace 1ab8b5b5d4639dfc ]--- + RIP: 0010:tcf_action_exec+0xb8/0x100 + Code: 00 00 00 20 74 1d 83 f8 03 75 09 49 83 c4 08 4d 39 ec 75 bc 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 49 8b 97 a8 00 00 00 <48> 8b 12 48 89 55 00 48 83 c4 10 5b 5d 41 5c 41 5d 41 5e 41 5f c3 + RSP: 0018:ffff95145ea03c40 EFLAGS: 00010246 + RAX: 0000000020000001 RBX: ffff9514499e5800 RCX: 0000000000000001 + RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000000 + RBP: ffff95145ea03e60 R08: 0000000000000000 R09: ffff95145ea03c9c + R10: ffff95145ea03c78 R11: 0000000000000008 R12: ffff951456a69800 + R13: ffff951456a69808 R14: 0000000000000001 R15: ffff95144965ee40 + FS: 00007fd67ee11740(0000) GS:ffff95145ea00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000000 CR3: 00000001038a2006 CR4: 00000000001606f0 + Kernel panic - not syncing: Fatal exception in interrupt + Kernel Offset: 0x11400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) + ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- + +Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key") +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tc_act/tc_tunnel_key.h | 1 - + net/sched/act_tunnel_key.c | 6 +++--- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/include/net/tc_act/tc_tunnel_key.h ++++ b/include/net/tc_act/tc_tunnel_key.h +@@ -16,7 +16,6 @@ + struct tcf_tunnel_key_params { + struct rcu_head rcu; + int tcft_action; +- int action; + struct metadata_dst *tcft_enc_metadata; + }; + +--- a/net/sched/act_tunnel_key.c ++++ b/net/sched/act_tunnel_key.c +@@ -39,7 +39,7 @@ static int tunnel_key_act(struct sk_buff + + tcf_lastuse_update(&t->tcf_tm); + bstats_cpu_update(this_cpu_ptr(t->common.cpu_bstats), skb); +- action = params->action; ++ action = READ_ONCE(t->tcf_action); + + switch (params->tcft_action) { + case TCA_TUNNEL_KEY_ACT_RELEASE: +@@ -170,7 +170,7 @@ static int tunnel_key_init(struct net *n + + params_old = rtnl_dereference(t->params); + +- params_new->action = parm->action; ++ t->tcf_action = parm->action; + params_new->tcft_action = parm->t_action; + params_new->tcft_enc_metadata = metadata; + +@@ -242,13 +242,13 @@ static int tunnel_key_dump(struct sk_buf + .index = t->tcf_index, + .refcnt = t->tcf_refcnt - ref, + .bindcnt = t->tcf_bindcnt - bind, ++ .action = t->tcf_action, + }; + struct tcf_t tm; + + params = rtnl_dereference(t->params); + + opt.t_action = params->tcft_action; +- opt.action = params->action; + + if (nla_put(skb, TCA_TUNNEL_KEY_PARMS, sizeof(opt), &opt)) + goto nla_put_failure; diff --git a/queue-4.9/net-stmmac-socfpga-add-additional-ocp-reset-line-for-stratix10.patch b/queue-4.9/net-stmmac-socfpga-add-additional-ocp-reset-line-for-stratix10.patch new file mode 100644 index 00000000000..ebc9f366a8a --- /dev/null +++ b/queue-4.9/net-stmmac-socfpga-add-additional-ocp-reset-line-for-stratix10.patch @@ -0,0 +1,86 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dinh Nguyen +Date: Tue, 19 Jun 2018 10:35:38 -0500 +Subject: net: stmmac: socfpga: add additional ocp reset line for Stratix10 + +From: Dinh Nguyen + +[ Upstream commit bc8a2d9bcbf1ca548b1deb315d14e1da81945bea ] + +The Stratix10 platform has an additional reset line, OCP(Open Core Protocol), +that also needs to get deasserted for the stmmac ethernet controller to work. +Thus we need to update the Kconfig to include ARCH_STRATIX10 in order to build +dwmac-socfpga. + +Also, remove the redundant check for the reset controller pointer. The +reset driver already checks for the pointer and returns 0 if the pointer +is NULL. + +Signed-off-by: Dinh Nguyen +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/Kconfig | 2 +- + drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c | 18 ++++++++++++++---- + 2 files changed, 15 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/Kconfig ++++ b/drivers/net/ethernet/stmicro/stmmac/Kconfig +@@ -83,7 +83,7 @@ config DWMAC_ROCKCHIP + config DWMAC_SOCFPGA + tristate "SOCFPGA dwmac support" + default ARCH_SOCFPGA +- depends on OF && (ARCH_SOCFPGA || COMPILE_TEST) ++ depends on OF && (ARCH_SOCFPGA || ARCH_STRATIX10 || COMPILE_TEST) + select MFD_SYSCON + help + Support for ethernet controller on Altera SOCFPGA +--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c ++++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-socfpga.c +@@ -55,6 +55,7 @@ struct socfpga_dwmac { + struct device *dev; + struct regmap *sys_mgr_base_addr; + struct reset_control *stmmac_rst; ++ struct reset_control *stmmac_ocp_rst; + void __iomem *splitter_base; + bool f2h_ptp_ref_clk; + struct tse_pcs pcs; +@@ -262,8 +263,8 @@ static int socfpga_dwmac_set_phy_mode(st + val = SYSMGR_EMACGRP_CTRL_PHYSEL_ENUM_GMII_MII; + + /* Assert reset to the enet controller before changing the phy mode */ +- if (dwmac->stmmac_rst) +- reset_control_assert(dwmac->stmmac_rst); ++ reset_control_assert(dwmac->stmmac_ocp_rst); ++ reset_control_assert(dwmac->stmmac_rst); + + regmap_read(sys_mgr_base_addr, reg_offset, &ctrl); + ctrl &= ~(SYSMGR_EMACGRP_CTRL_PHYSEL_MASK << reg_shift); +@@ -285,8 +286,8 @@ static int socfpga_dwmac_set_phy_mode(st + /* Deassert reset for the phy configuration to be sampled by + * the enet controller, and operation to start in requested mode + */ +- if (dwmac->stmmac_rst) +- reset_control_deassert(dwmac->stmmac_rst); ++ reset_control_deassert(dwmac->stmmac_ocp_rst); ++ reset_control_deassert(dwmac->stmmac_rst); + if (phymode == PHY_INTERFACE_MODE_SGMII) { + if (tse_pcs_init(dwmac->pcs.tse_pcs_base, &dwmac->pcs) != 0) { + dev_err(dwmac->dev, "Unable to initialize TSE PCS"); +@@ -321,6 +322,15 @@ static int socfpga_dwmac_probe(struct pl + goto err_remove_config_dt; + } + ++ dwmac->stmmac_ocp_rst = devm_reset_control_get_optional(dev, "stmmaceth-ocp"); ++ if (IS_ERR(dwmac->stmmac_ocp_rst)) { ++ ret = PTR_ERR(dwmac->stmmac_ocp_rst); ++ dev_err(dev, "error getting reset control of ocp %d\n", ret); ++ goto err_remove_config_dt; ++ } ++ ++ reset_control_deassert(dwmac->stmmac_ocp_rst); ++ + ret = socfpga_dwmac_parse_data(dwmac, dev); + if (ret) { + dev_err(dev, "Unable to parse OF data\n"); diff --git a/queue-4.9/net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch b/queue-4.9/net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch new file mode 100644 index 00000000000..75e3762885d --- /dev/null +++ b/queue-4.9/net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch @@ -0,0 +1,37 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: David Lechner +Date: Mon, 16 Jul 2018 17:58:10 -0500 +Subject: net: usb: rtl8150: demote allmulti message to dev_dbg() + +From: David Lechner + +[ Upstream commit 3a9b0455062ffb9d2f6cd4473a76e3456f318c9f ] + +This driver can spam the kernel log with multiple messages of: + + net eth0: eth0: allmulti set + +Usually 4 or 8 at a time (probably because of using ConnMan). + +This message doesn't seem useful, so let's demote it from dev_info() +to dev_dbg(). + +Signed-off-by: David Lechner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/rtl8150.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/usb/rtl8150.c ++++ b/drivers/net/usb/rtl8150.c +@@ -681,7 +681,7 @@ static void rtl8150_set_multicast(struct + (netdev->flags & IFF_ALLMULTI)) { + rx_creg &= 0xfffe; + rx_creg |= 0x0002; +- dev_info(&netdev->dev, "%s: allmulti set\n", netdev->name); ++ dev_dbg(&netdev->dev, "%s: allmulti set\n", netdev->name); + } else { + /* ~RX_MULTICAST, ~RX_PROMISCUOUS */ + rx_creg &= 0x00fc; diff --git a/queue-4.9/netfilter-ipv6-nf_defrag-reduce-struct-net-memory-waste.patch b/queue-4.9/netfilter-ipv6-nf_defrag-reduce-struct-net-memory-waste.patch new file mode 100644 index 00000000000..2af05c28f54 --- /dev/null +++ b/queue-4.9/netfilter-ipv6-nf_defrag-reduce-struct-net-memory-waste.patch @@ -0,0 +1,72 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Eric Dumazet +Date: Wed, 13 Jun 2018 10:11:56 -0700 +Subject: netfilter: ipv6: nf_defrag: reduce struct net memory waste + +From: Eric Dumazet + +[ Upstream commit 9ce7bc036ae4cfe3393232c86e9e1fea2153c237 ] + +It is a waste of memory to use a full "struct netns_sysctl_ipv6" +while only one pointer is really used, considering netns_sysctl_ipv6 +keeps growing. + +Also, since "struct netns_frags" has cache line alignment, +it is better to move the frags_hdr pointer outside, otherwise +we spend a full cache line for this pointer. + +This saves 192 bytes of memory per netns. + +Fixes: c038a767cd69 ("ipv6: add a new namespace for nf_conntrack_reasm") +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/net_namespace.h | 1 + + include/net/netns/ipv6.h | 1 - + net/ipv6/netfilter/nf_conntrack_reasm.c | 6 +++--- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/include/net/net_namespace.h ++++ b/include/net/net_namespace.h +@@ -116,6 +116,7 @@ struct net { + #endif + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) + struct netns_nf_frag nf_frag; ++ struct ctl_table_header *nf_frag_frags_hdr; + #endif + struct sock *nfnl; + struct sock *nfnl_stash; +--- a/include/net/netns/ipv6.h ++++ b/include/net/netns/ipv6.h +@@ -89,7 +89,6 @@ struct netns_ipv6 { + + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) + struct netns_nf_frag { +- struct netns_sysctl_ipv6 sysctl; + struct netns_frags frags; + }; + #endif +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -117,7 +117,7 @@ static int nf_ct_frag6_sysctl_register(s + if (hdr == NULL) + goto err_reg; + +- net->nf_frag.sysctl.frags_hdr = hdr; ++ net->nf_frag_frags_hdr = hdr; + return 0; + + err_reg: +@@ -131,8 +131,8 @@ static void __net_exit nf_ct_frags6_sysc + { + struct ctl_table *table; + +- table = net->nf_frag.sysctl.frags_hdr->ctl_table_arg; +- unregister_net_sysctl_table(net->nf_frag.sysctl.frags_hdr); ++ table = net->nf_frag_frags_hdr->ctl_table_arg; ++ unregister_net_sysctl_table(net->nf_frag_frags_hdr); + if (!net_eq(net, &init_net)) + kfree(table); + } diff --git a/queue-4.9/netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch b/queue-4.9/netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch new file mode 100644 index 00000000000..675854eb506 --- /dev/null +++ b/queue-4.9/netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch @@ -0,0 +1,64 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Andrey Ryabinin +Date: Fri, 6 Jul 2018 16:38:53 +0300 +Subject: netfilter: nf_conntrack: Fix possible possible crash on module loading. + +From: Andrey Ryabinin + +[ Upstream commit 2045cdfa1b40d66f126f3fd05604fc7c754f0022 ] + +Loading the nf_conntrack module with doubled hashsize parameter, i.e. + modprobe nf_conntrack hashsize=12345 hashsize=12345 +causes NULL-ptr deref. + +If 'hashsize' specified twice, the nf_conntrack_set_hashsize() function +will be called also twice. +The first nf_conntrack_set_hashsize() call will set the +'nf_conntrack_htable_size' variable: + + nf_conntrack_set_hashsize() + ... + /* On boot, we can set this without any fancy locking. */ + if (!nf_conntrack_htable_size) + return param_set_uint(val, kp); + +But on the second invocation, the nf_conntrack_htable_size is already set, +so the nf_conntrack_set_hashsize() will take a different path and call +the nf_conntrack_hash_resize() function. Which will crash on the attempt +to dereference 'nf_conntrack_hash' pointer: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 + RIP: 0010:nf_conntrack_hash_resize+0x255/0x490 [nf_conntrack] + Call Trace: + nf_conntrack_set_hashsize+0xcd/0x100 [nf_conntrack] + parse_args+0x1f9/0x5a0 + load_module+0x1281/0x1a50 + __se_sys_finit_module+0xbe/0xf0 + do_syscall_64+0x7c/0x390 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Fix this, by checking !nf_conntrack_hash instead of +!nf_conntrack_htable_size. nf_conntrack_hash will be initialized only +after the module loaded, so the second invocation of the +nf_conntrack_set_hashsize() won't crash, it will just reinitialize +nf_conntrack_htable_size again. + +Signed-off-by: Andrey Ryabinin +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1822,7 +1822,7 @@ int nf_conntrack_set_hashsize(const char + return -EOPNOTSUPP; + + /* On boot, we can set this without any fancy locking. */ +- if (!nf_conntrack_htable_size) ++ if (!nf_conntrack_hash) + return param_set_uint(val, kp); + + rc = kstrtouint(val, 0, &hashsize); diff --git a/queue-4.9/netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dostring.patch b/queue-4.9/netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dostring.patch new file mode 100644 index 00000000000..6f120487147 --- /dev/null +++ b/queue-4.9/netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dostring.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Jann Horn +Date: Wed, 20 Jun 2018 18:33:45 +0200 +Subject: netfilter: nf_log: fix uninit read in nf_log_proc_dostring + +From: Jann Horn + +[ Upstream commit dffd22aed2aa1e804bccf19b30a421e89ee2ae61 ] + +When proc_dostring() is called with a non-zero offset in strict mode, it +doesn't just write to the ->data buffer, it also reads. Make sure it +doesn't read uninitialized data. + +Fixes: c6ac37d8d884 ("netfilter: nf_log: fix error on write NONE to [...]") +Signed-off-by: Jann Horn +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_log.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/netfilter/nf_log.c ++++ b/net/netfilter/nf_log.c +@@ -426,6 +426,10 @@ static int nf_log_proc_dostring(struct c + if (write) { + struct ctl_table tmp = *table; + ++ /* proc_dostring() can append to existing strings, so we need to ++ * initialize it as an empty string. ++ */ ++ buf[0] = '\0'; + tmp.data = buf; + r = proc_dostring(&tmp, write, buffer, lenp, ppos); + if (r) diff --git a/queue-4.9/netfilter-x_tables-set-module-owner-for-icmp-6-matches.patch b/queue-4.9/netfilter-x_tables-set-module-owner-for-icmp-6-matches.patch new file mode 100644 index 00000000000..a09788171be --- /dev/null +++ b/queue-4.9/netfilter-x_tables-set-module-owner-for-icmp-6-matches.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Florian Westphal +Date: Wed, 4 Jul 2018 20:25:32 +0200 +Subject: netfilter: x_tables: set module owner for icmp(6) matches + +From: Florian Westphal + +[ Upstream commit d376bef9c29b3c65aeee4e785fffcd97ef0a9a81 ] + +nft_compat relies on xt_request_find_match to increment +refcount of the module that provides the match/target. + +The (builtin) icmp matches did't set the module owner so it +was possible to rmmod ip(6)tables while icmp extensions were still in use. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/netfilter/ip_tables.c | 1 + + net/ipv6/netfilter/ip6_tables.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/ipv4/netfilter/ip_tables.c ++++ b/net/ipv4/netfilter/ip_tables.c +@@ -1913,6 +1913,7 @@ static struct xt_match ipt_builtin_mt[] + .checkentry = icmp_checkentry, + .proto = IPPROTO_ICMP, + .family = NFPROTO_IPV4, ++ .me = THIS_MODULE, + }, + }; + +--- a/net/ipv6/netfilter/ip6_tables.c ++++ b/net/ipv6/netfilter/ip6_tables.c +@@ -1934,6 +1934,7 @@ static struct xt_match ip6t_builtin_mt[] + .checkentry = icmp6_checkentry, + .proto = IPPROTO_ICMPV6, + .family = NFPROTO_IPV6, ++ .me = THIS_MODULE, + }, + }; + diff --git a/queue-4.9/nfc-pn533-fix-wrong-gfp-flag-usage.patch b/queue-4.9/nfc-pn533-fix-wrong-gfp-flag-usage.patch new file mode 100644 index 00000000000..4ef221a2a1c --- /dev/null +++ b/queue-4.9/nfc-pn533-fix-wrong-gfp-flag-usage.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Hans de Goede +Date: Thu, 7 Jun 2018 15:54:48 +0200 +Subject: NFC: pn533: Fix wrong GFP flag usage + +From: Hans de Goede + +[ Upstream commit ecc443c03fb14abfb8a6af5e3b2d43b5257e60f2 ] + +pn533_recv_response() is an urb completion handler, so it must use +GFP_ATOMIC. pn533_usb_send_frame() OTOH runs from a regular sleeping +context, so the pn533_submit_urb_for_response() there (and only there) +can use the regular GFP_KERNEL flags. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514134 +Fixes: 9815c7cf22da ("NFC: pn533: Separate physical layer from ...") +Cc: Michael Thalmeier +Signed-off-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nfc/pn533/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -71,7 +71,7 @@ static void pn533_recv_response(struct u + struct sk_buff *skb = NULL; + + if (!urb->status) { +- skb = alloc_skb(urb->actual_length, GFP_KERNEL); ++ skb = alloc_skb(urb->actual_length, GFP_ATOMIC); + if (!skb) { + nfc_err(&phy->udev->dev, "failed to alloc memory\n"); + } else { +@@ -180,7 +180,7 @@ static int pn533_usb_send_frame(struct p + + if (dev->protocol_type == PN533_PROTO_REQ_RESP) { + /* request for response for sent packet directly */ +- rc = pn533_submit_urb_for_response(phy, GFP_ATOMIC); ++ rc = pn533_submit_urb_for_response(phy, GFP_KERNEL); + if (rc) + goto error; + } else if (dev->protocol_type == PN533_PROTO_REQ_ACK_RESP) { diff --git a/queue-4.9/nfit-fix-unchecked-dereference-in-acpi_nfit_ctl.patch b/queue-4.9/nfit-fix-unchecked-dereference-in-acpi_nfit_ctl.patch new file mode 100644 index 00000000000..fd5a49cb7c7 --- /dev/null +++ b/queue-4.9/nfit-fix-unchecked-dereference-in-acpi_nfit_ctl.patch @@ -0,0 +1,56 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dave Jiang +Date: Wed, 11 Jul 2018 10:10:11 -0700 +Subject: nfit: fix unchecked dereference in acpi_nfit_ctl + +From: Dave Jiang + +[ Upstream commit ee6581ceba7f8314b81b2f2a81f1cf3f67c679e2 ] + +Incremental patch to fix the unchecked dereference in acpi_nfit_ctl. +Reported by Dan Carpenter: + +"acpi/nfit: fix cmd_rc for acpi_nfit_ctl to +always return a value" from Jun 28, 2018, leads to the following +Smatch complaint: + + drivers/acpi/nfit/core.c:578 acpi_nfit_ctl() + warn: variable dereferenced before check 'cmd_rc' (see line 411) + +drivers/acpi/nfit/core.c + 410 + 411 *cmd_rc = -EINVAL; + ^^^^^^^^^^^^^^^^^^ +Patch adds unchecked dereference. + +Fixes: c1985cefd844 ("acpi/nfit: fix cmd_rc for acpi_nfit_ctl to always return a value") + +Signed-off-by: Dave Jiang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/nfit/core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -201,7 +201,8 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + const u8 *uuid; + int rc, i; + +- *cmd_rc = -EINVAL; ++ if (cmd_rc) ++ *cmd_rc = -EINVAL; + func = cmd; + if (cmd == ND_CMD_CALL) { + call_pkg = buf; +@@ -289,7 +290,8 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + * If we return an error (like elsewhere) then caller wouldn't + * be able to rely upon data returned to make calculation. + */ +- *cmd_rc = 0; ++ if (cmd_rc) ++ *cmd_rc = 0; + return 0; + } + diff --git a/queue-4.9/nl80211-relax-ht-operation-checks-for-mesh.patch b/queue-4.9/nl80211-relax-ht-operation-checks-for-mesh.patch new file mode 100644 index 00000000000..0b5426e7c73 --- /dev/null +++ b/queue-4.9/nl80211-relax-ht-operation-checks-for-mesh.patch @@ -0,0 +1,76 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Bob Copeland +Date: Sun, 24 Jun 2018 21:10:49 -0400 +Subject: nl80211: relax ht operation checks for mesh + +From: Bob Copeland + +[ Upstream commit 188f60ab8e787fcbb5ac9d64ede23a0070231f09 ] + +Commit 9757235f451c, "nl80211: correct checks for +NL80211_MESHCONF_HT_OPMODE value") relaxed the range for the HT +operation field in meshconf, while also adding checks requiring +the non-greenfield and non-ht-sta bits to be set in certain +circumstances. The latter bit is actually reserved for mesh BSSes +according to Table 9-168 in 802.11-2016, so in fact it should not +be set. + +wpa_supplicant sets these bits because the mesh and AP code share +the same implementation, but authsae does not. As a result, some +meshconf updates from authsae which set only the NONHT_MIXED +protection bits were being rejected. + +In order to avoid breaking userspace by changing the rules again, +simply accept the values with or without the bits set, and mask +off the reserved bit to match the spec. + +While in here, update the 802.11-2012 reference to 802.11-2016. + +Fixes: 9757235f451c ("nl80211: correct checks for NL80211_MESHCONF_HT_OPMODE value") +Cc: Masashi Honma +Signed-off-by: Bob Copeland +Reviewed-by: Masashi Honma +Reviewed-by: Masashi Honma +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 19 +++---------------- + 1 file changed, 3 insertions(+), 16 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -5847,7 +5847,7 @@ do { \ + nl80211_check_s32); + /* + * Check HT operation mode based on +- * IEEE 802.11 2012 8.4.2.59 HT Operation element. ++ * IEEE 802.11-2016 9.4.2.57 HT Operation element. + */ + if (tb[NL80211_MESHCONF_HT_OPMODE]) { + ht_opmode = nla_get_u16(tb[NL80211_MESHCONF_HT_OPMODE]); +@@ -5857,22 +5857,9 @@ do { \ + IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT)) + return -EINVAL; + +- if ((ht_opmode & IEEE80211_HT_OP_MODE_NON_GF_STA_PRSNT) && +- (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT)) +- return -EINVAL; ++ /* NON_HT_STA bit is reserved, but some programs set it */ ++ ht_opmode &= ~IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT; + +- switch (ht_opmode & IEEE80211_HT_OP_MODE_PROTECTION) { +- case IEEE80211_HT_OP_MODE_PROTECTION_NONE: +- case IEEE80211_HT_OP_MODE_PROTECTION_20MHZ: +- if (ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT) +- return -EINVAL; +- break; +- case IEEE80211_HT_OP_MODE_PROTECTION_NONMEMBER: +- case IEEE80211_HT_OP_MODE_PROTECTION_NONHT_MIXED: +- if (!(ht_opmode & IEEE80211_HT_OP_MODE_NON_HT_STA_PRSNT)) +- return -EINVAL; +- break; +- } + cfg->ht_opmode = ht_opmode; + mask |= (1 << (NL80211_MESHCONF_HT_OPMODE - 1)); + } diff --git a/queue-4.9/nvmet-reset-keep-alive-timer-in-controller-enable.patch b/queue-4.9/nvmet-reset-keep-alive-timer-in-controller-enable.patch new file mode 100644 index 00000000000..fb2e0c83ebb --- /dev/null +++ b/queue-4.9/nvmet-reset-keep-alive-timer-in-controller-enable.patch @@ -0,0 +1,40 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Max Gurtuvoy +Date: Tue, 19 Jun 2018 15:45:33 +0300 +Subject: nvmet: reset keep alive timer in controller enable + +From: Max Gurtuvoy + +[ Upstream commit d68a90e148f5a82aa67654c5012071e31c0e4baa ] + +Controllers that are not yet enabled should not really enforce keep alive +timeouts, but we still want to track a timeout and cleanup in case a host +died before it enabled the controller. Hence, simply reset the keep +alive timer when the controller is enabled. + +Suggested-by: Max Gurtovoy +Signed-off-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/target/core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/nvme/target/core.c ++++ b/drivers/nvme/target/core.c +@@ -578,6 +578,14 @@ static void nvmet_start_ctrl(struct nvme + } + + ctrl->csts = NVME_CSTS_RDY; ++ ++ /* ++ * Controllers that are not yet enabled should not really enforce the ++ * keep alive timeout, but we still want to track a timeout and cleanup ++ * in case a host died before it enabled the controller. Hence, simply ++ * reset the keep alive timer when the controller is enabled. ++ */ ++ mod_delayed_work(system_wq, &ctrl->ka_work, ctrl->kato * HZ); + } + + static void nvmet_clear_ctrl(struct nvmet_ctrl *ctrl) diff --git a/queue-4.9/objtool-support-gcc-8-fnoreorder-functions.patch b/queue-4.9/objtool-support-gcc-8-fnoreorder-functions.patch new file mode 100644 index 00000000000..0b11100687d --- /dev/null +++ b/queue-4.9/objtool-support-gcc-8-fnoreorder-functions.patch @@ -0,0 +1,102 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Josh Poimboeuf +Date: Wed, 27 Jun 2018 17:03:45 -0500 +Subject: objtool: Support GCC 8 '-fnoreorder-functions' + +From: Josh Poimboeuf + +[ Upstream commit 08b393d01c88aff27347ed2b1b354eb4db2f1532 ] + +Since the following commit: + + cd77849a69cf ("objtool: Fix GCC 8 cold subfunction detection for aliased functions") + +... if the kernel is built with EXTRA_CFLAGS='-fno-reorder-functions', +objtool can get stuck in an infinite loop. + +That flag causes the new GCC 8 cold subfunctions to be placed in .text +instead of .text.unlikely. But it also has an unfortunate quirk: in the +symbol table, the subfunction (e.g., nmi_panic.cold.7) is nested inside +the parent (nmi_panic). + +That function overlap confuses objtool, and causes it to get into an +infinite loop in next_insn_same_func(). Here's Allan's description of +the loop: + + "Objtool iterates through the instructions in nmi_panic using + next_insn_same_func. Once it reaches the end of nmi_panic at 0x534 it + jumps to 0x528 as that's the start of nmi_panic.cold.7. However, since + the instructions starting at 0x528 are still associated with nmi_panic + objtool will get stuck in a loop, continually jumping back to 0x528 + after reaching 0x534." + +Fix it by shortening the length of the parent function so that the +functions no longer overlap. + +Reported-and-analyzed-by: Allan Xavier +Signed-off-by: Josh Poimboeuf +Cc: Allan Xavier +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/9e704c52bee651129b036be14feda317ae5606ae.1530136978.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/objtool/elf.c | 37 ++++++++++++++++++++++++++----------- + 1 file changed, 26 insertions(+), 11 deletions(-) + +--- a/tools/objtool/elf.c ++++ b/tools/objtool/elf.c +@@ -302,19 +302,34 @@ static int read_symbols(struct elf *elf) + continue; + sym->pfunc = sym->cfunc = sym; + coldstr = strstr(sym->name, ".cold."); +- if (coldstr) { +- coldstr[0] = '\0'; +- pfunc = find_symbol_by_name(elf, sym->name); +- coldstr[0] = '.'; ++ if (!coldstr) ++ continue; ++ ++ coldstr[0] = '\0'; ++ pfunc = find_symbol_by_name(elf, sym->name); ++ coldstr[0] = '.'; ++ ++ if (!pfunc) { ++ WARN("%s(): can't find parent function", ++ sym->name); ++ goto err; ++ } + +- if (!pfunc) { +- WARN("%s(): can't find parent function", +- sym->name); +- goto err; +- } ++ sym->pfunc = pfunc; ++ pfunc->cfunc = sym; + +- sym->pfunc = pfunc; +- pfunc->cfunc = sym; ++ /* ++ * Unfortunately, -fnoreorder-functions puts the child ++ * inside the parent. Remove the overlap so we can ++ * have sane assumptions. ++ * ++ * Note that pfunc->len now no longer matches ++ * pfunc->sym.st_size. ++ */ ++ if (sym->sec == pfunc->sec && ++ sym->offset >= pfunc->offset && ++ sym->offset + sym->len == pfunc->offset + pfunc->len) { ++ pfunc->len -= sym->len; + } + } + } diff --git a/queue-4.9/octeon_mgmt-fix-mix-registers-configuration-on-mtu-setup.patch b/queue-4.9/octeon_mgmt-fix-mix-registers-configuration-on-mtu-setup.patch new file mode 100644 index 00000000000..a8a18a76aa7 --- /dev/null +++ b/queue-4.9/octeon_mgmt-fix-mix-registers-configuration-on-mtu-setup.patch @@ -0,0 +1,67 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Alexander Sverdlin +Date: Fri, 13 Jul 2018 17:31:50 +0200 +Subject: octeon_mgmt: Fix MIX registers configuration on MTU setup + +From: Alexander Sverdlin + +[ Upstream commit 4aac0b43474d18f6160302a3caa147d77fa3baa1 ] + +octeon_mgmt driver doesn't drop RX frames that are 1-4 bytes bigger than +MTU set for the corresponding interface. The problem is in the +AGL_GMX_RX0/1_FRM_MAX register setting, which should not account for VLAN +tagging. + +According to Octeon HW manual: +"For tagged frames, MAX increases by four bytes for each VLAN found up to a +maximum of two VLANs, or MAX + 8 bytes." + +OCTEON_FRAME_HEADER_LEN "define" is fine for ring buffer management, but +should not be used for AGL_GMX_RX0/1_FRM_MAX. + +The problem could be easily reproduced using "ping" command. If affected +system has default MTU 1500, other host (having MTU >= 1504) can +successfully "ping" the affected system with payload size 1473-1476, +resulting in IP packets of size 1501-1504 accepted by the mgmt driver. +Fixed system still accepts IP packets of 1500 bytes even with VLAN tagging, +because the limits are lifted in HW as expected, for every VLAN tag. + +Signed-off-by: Alexander Sverdlin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cavium/octeon/octeon_mgmt.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c ++++ b/drivers/net/ethernet/cavium/octeon/octeon_mgmt.c +@@ -643,7 +643,7 @@ static int octeon_mgmt_set_mac_address(s + static int octeon_mgmt_change_mtu(struct net_device *netdev, int new_mtu) + { + struct octeon_mgmt *p = netdev_priv(netdev); +- int size_without_fcs = new_mtu + OCTEON_MGMT_RX_HEADROOM; ++ int max_packet = new_mtu + ETH_HLEN + ETH_FCS_LEN; + + /* Limit the MTU to make sure the ethernet packets are between + * 64 bytes and 16383 bytes. +@@ -657,9 +657,17 @@ static int octeon_mgmt_change_mtu(struct + + netdev->mtu = new_mtu; + +- cvmx_write_csr(p->agl + AGL_GMX_RX_FRM_MAX, size_without_fcs); ++ /* HW lifts the limit if the frame is VLAN tagged ++ * (+4 bytes per each tag, up to two tags) ++ */ ++ cvmx_write_csr(p->agl + AGL_GMX_RX_FRM_MAX, max_packet); ++ /* Set the hardware to truncate packets larger than the MTU. The jabber ++ * register must be set to a multiple of 8 bytes, so round up. JABBER is ++ * an unconditional limit, so we need to account for two possible VLAN ++ * tags. ++ */ + cvmx_write_csr(p->agl + AGL_GMX_RX_JABBER, +- (size_without_fcs + 7) & 0xfff8); ++ (max_packet + 7 + VLAN_HLEN * 2) & 0xfff8); + + return 0; + } diff --git a/queue-4.9/packet-reset-network-header-if-packet-shorter-than-ll-reserved-space.patch b/queue-4.9/packet-reset-network-header-if-packet-shorter-than-ll-reserved-space.patch new file mode 100644 index 00000000000..a9702973ba3 --- /dev/null +++ b/queue-4.9/packet-reset-network-header-if-packet-shorter-than-ll-reserved-space.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Willem de Bruijn +Date: Wed, 11 Jul 2018 12:00:45 -0400 +Subject: packet: reset network header if packet shorter than ll reserved space + +From: Willem de Bruijn + +[ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ] + +If variable length link layer headers result in a packet shorter +than dev->hard_header_len, reset the network header offset. Else +skb->mac_len may exceed skb->len after skb_mac_reset_len. + +packet_sendmsg_spkt already has similar logic. + +Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") +Signed-off-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2917,6 +2917,8 @@ static int packet_snd(struct socket *soc + goto out_free; + } else if (reserve) { + skb_reserve(skb, -reserve); ++ if (len < reserve) ++ skb_reset_network_header(skb); + } + + /* Returns -EFAULT on error */ diff --git a/queue-4.9/pci-versatile-fix-i-o-space-page-leak.patch b/queue-4.9/pci-versatile-fix-i-o-space-page-leak.patch new file mode 100644 index 00000000000..4988bcfe440 --- /dev/null +++ b/queue-4.9/pci-versatile-fix-i-o-space-page-leak.patch @@ -0,0 +1,88 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sergei Shtylyov +Date: Wed, 18 Jul 2018 15:40:40 -0500 +Subject: PCI: versatile: Fix I/O space page leak + +From: Sergei Shtylyov + +[ Upstream commit 0018b265adf7e251f90d3ca1c7c0e32e2a0ad262 ] + +When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY +driver was left disabled, the kernel crashed with this BUG: + + kernel BUG at lib/ioremap.c:72! + Internal error: Oops - BUG: 0 [#1] PREEMPT SMP + Modules linked in: + CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092 + Hardware name: Renesas Condor board based on r8a77980 (DT) + Workqueue: events deferred_probe_work_func + pstate: 80000005 (Nzcv daif -PAN -UAO) + pc : ioremap_page_range+0x370/0x3c8 + lr : ioremap_page_range+0x40/0x3c8 + sp : ffff000008da39e0 + x29: ffff000008da39e0 x28: 00e8000000000f07 + x27: ffff7dfffee00000 x26: 0140000000000000 + x25: ffff7dfffef00000 x24: 00000000000fe100 + x23: ffff80007b906000 x22: ffff000008ab8000 + x21: ffff000008bb1d58 x20: ffff7dfffef00000 + x19: ffff800009c30fb8 x18: 0000000000000001 + x17: 00000000000152d0 x16: 00000000014012d0 + x15: 0000000000000000 x14: 0720072007200720 + x13: 0720072007200720 x12: 0720072007200720 + x11: 0720072007300730 x10: 00000000000000ae + x9 : 0000000000000000 x8 : ffff7dffff000000 + x7 : 0000000000000000 x6 : 0000000000000100 + x5 : 0000000000000000 x4 : 000000007b906000 + x3 : ffff80007c61a880 x2 : ffff7dfffeefffff + x1 : 0000000040000000 x0 : 00e80000fe100f07 + Process kworker/0:1 (pid: 39, stack limit = 0x (ptrval)) + Call trace: + ioremap_page_range+0x370/0x3c8 + pci_remap_iospace+0x7c/0xac + pci_parse_request_of_pci_ranges+0x13c/0x190 + rcar_pcie_probe+0x4c/0xb04 + platform_drv_probe+0x50/0xbc + driver_probe_device+0x21c/0x308 + __device_attach_driver+0x98/0xc8 + bus_for_each_drv+0x54/0x94 + __device_attach+0xc4/0x12c + device_initial_probe+0x10/0x18 + bus_probe_device+0x90/0x98 + deferred_probe_work_func+0xb0/0x150 + process_one_work+0x12c/0x29c + worker_thread+0x200/0x3fc + kthread+0x108/0x134 + ret_from_fork+0x10/0x18 + Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000) + +It turned out that pci_remap_iospace() wasn't undone when the driver's +probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER, +the probe was retried, finally causing the BUG due to trying to remap +already remapped pages. + +The Versatile PCI controller driver has the same issue. +Replace pci_remap_iospace() with the devm_ managed version to fix the bug. + +Fixes: b7e78170efd4 ("PCI: versatile: Add DT-based ARM Versatile PB PCIe host driver") +Signed-off-by: Sergei Shtylyov +[lorenzo.pieralisi@arm.com: updated the commit log] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Reviewed-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/host/pci-versatile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/host/pci-versatile.c ++++ b/drivers/pci/host/pci-versatile.c +@@ -89,7 +89,7 @@ static int versatile_pci_parse_request_o + + switch (resource_type(res)) { + case IORESOURCE_IO: +- err = pci_remap_iospace(res, iobase); ++ err = devm_pci_remap_iospace(dev, res, iobase); + if (err) { + dev_warn(dev, "error %d: failed to map resource %pR\n", + err, res); diff --git a/queue-4.9/pci-xilinx-add-missing-of_node_put.patch b/queue-4.9/pci-xilinx-add-missing-of_node_put.patch new file mode 100644 index 00000000000..9c6062c2eb9 --- /dev/null +++ b/queue-4.9/pci-xilinx-add-missing-of_node_put.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Nicholas Mc Guire +Date: Fri, 29 Jun 2018 13:49:54 -0500 +Subject: PCI: xilinx: Add missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit 8c3f9bd851a4d3acf0a0f222d4e9e41c0cd1ea8e ] + +The call to of_get_next_child() returns a node pointer with refcount +incremented thus it must be explicitly decremented here after the last +usage. + +Fixes: 8961def56845 ("PCI: xilinx: Add Xilinx AXI PCIe Host Bridge IP driver") +Signed-off-by: Nicholas Mc Guire +[lorenzo.pieralisi@arm.com: reworked commit log] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/host/pcie-xilinx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/host/pcie-xilinx.c ++++ b/drivers/pci/host/pcie-xilinx.c +@@ -527,6 +527,7 @@ static int xilinx_pcie_init_irq_domain(s + port->leg_domain = irq_domain_add_linear(pcie_intc_node, 4, + &intx_domain_ops, + port); ++ of_node_put(pcie_intc_node); + if (!port->leg_domain) { + dev_err(dev, "Failed to get a INTx IRQ domain\n"); + return -ENODEV; diff --git a/queue-4.9/pci-xilinx-nwl-add-missing-of_node_put.patch b/queue-4.9/pci-xilinx-nwl-add-missing-of_node_put.patch new file mode 100644 index 00000000000..5261f0cf480 --- /dev/null +++ b/queue-4.9/pci-xilinx-nwl-add-missing-of_node_put.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Nicholas Mc Guire +Date: Fri, 29 Jun 2018 13:50:10 -0500 +Subject: PCI: xilinx-nwl: Add missing of_node_put() + +From: Nicholas Mc Guire + +[ Upstream commit 342639d996f18bc0a4db2f42a84230c0a966dc94 ] + +The call to of_get_next_child() returns a node pointer with +refcount incremented thus it must be explicitly decremented +here after the last usage. + +Fixes: ab597d35ef11 ("PCI: xilinx-nwl: Add support for Xilinx NWL PCIe Host Controller") +Signed-off-by: Nicholas Mc Guire +[lorenzo.pieralisi@arm.com: updated commit log] +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/host/pcie-xilinx-nwl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pci/host/pcie-xilinx-nwl.c ++++ b/drivers/pci/host/pcie-xilinx-nwl.c +@@ -532,7 +532,7 @@ static int nwl_pcie_init_irq_domain(stru + INTX_NUM, + &legacy_domain_ops, + pcie); +- ++ of_node_put(legacy_intc_node); + if (!pcie->legacy_irq_domain) { + dev_err(dev, "failed to create IRQ domain\n"); + return -ENOMEM; diff --git a/queue-4.9/perf-bench-fix-numa-report-output-code.patch b/queue-4.9/perf-bench-fix-numa-report-output-code.patch new file mode 100644 index 00000000000..8e9e7b72531 --- /dev/null +++ b/queue-4.9/perf-bench-fix-numa-report-output-code.patch @@ -0,0 +1,60 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Jiri Olsa +Date: Wed, 20 Jun 2018 11:40:36 +0200 +Subject: perf bench: Fix numa report output code + +From: Jiri Olsa + +[ Upstream commit 983107072be1a39cbde67d45cb0059138190e015 ] + +Currently we can hit following assert when running numa bench: + + $ perf bench numa mem -p 3 -t 1 -P 512 -s 100 -zZ0cm --thp 1 + perf: bench/numa.c:1577: __bench_numa: Assertion `!(!(((wait_stat) & 0x7f) == 0))' failed. + +The assertion is correct, because we hit the SIGFPE in following line: + + Thread 2.2 "thread 0/0" received signal SIGFPE, Arithmetic exception. + [Switching to Thread 0x7fffd28c6700 (LWP 11750)] + 0x000.. in worker_thread (__tdata=0x7.. ) at bench/numa.c:1257 + 1257 td->speed_gbs = bytes_done / (td->runtime_ns / NSEC_PER_SEC) / 1e9; + +We don't check if the runtime is actually bigger than 1 second, +and thus this might end up with zero division within FPU. + +Adding the check to prevent this. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20180620094036.17278-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/bench/numa.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/tools/perf/bench/numa.c ++++ b/tools/perf/bench/numa.c +@@ -1093,7 +1093,7 @@ static void *worker_thread(void *__tdata + u8 *global_data; + u8 *process_data; + u8 *thread_data; +- u64 bytes_done; ++ u64 bytes_done, secs; + long work_done; + u32 l; + struct rusage rusage; +@@ -1249,7 +1249,8 @@ static void *worker_thread(void *__tdata + timersub(&stop, &start0, &diff); + td->runtime_ns = diff.tv_sec * NSEC_PER_SEC; + td->runtime_ns += diff.tv_usec * NSEC_PER_USEC; +- td->speed_gbs = bytes_done / (td->runtime_ns / NSEC_PER_SEC) / 1e9; ++ secs = td->runtime_ns / NSEC_PER_SEC; ++ td->speed_gbs = secs ? bytes_done / secs / 1e9 : 0; + + getrusage(RUSAGE_THREAD, &rusage); + td->system_time_ns = rusage.ru_stime.tv_sec * NSEC_PER_SEC; diff --git a/queue-4.9/perf-llvm-utils-remove-bashism-from-kernel-include-fetch-script.patch b/queue-4.9/perf-llvm-utils-remove-bashism-from-kernel-include-fetch-script.patch new file mode 100644 index 00000000000..5b838d95901 --- /dev/null +++ b/queue-4.9/perf-llvm-utils-remove-bashism-from-kernel-include-fetch-script.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Kim Phillips +Date: Fri, 29 Jun 2018 12:46:52 -0500 +Subject: perf llvm-utils: Remove bashism from kernel include fetch script + +From: Kim Phillips + +[ Upstream commit f6432b9f65001651412dbc3589d251534822d4ab ] + +Like system(), popen() calls /bin/sh, which may/may not be bash. + +Script when run on dash and encounters the line, yields: + + exit: Illegal number: -1 + +checkbashisms report on script content: + + possible bashism (exit|return with negative status code): + exit -1 + +Remove the bashism and use the more portable non-zero failure +status code 1. + +Signed-off-by: Kim Phillips +Cc: Alexander Shishkin +Cc: Hendrik Brueckner +Cc: Jiri Olsa +Cc: Michael Petlan +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Sandipan Das +Cc: Thomas Richter +Link: http://lkml.kernel.org/r/20180629124652.8d0af7e2281fd3fd8262cacc@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/llvm-utils.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/llvm-utils.c ++++ b/tools/perf/util/llvm-utils.c +@@ -260,16 +260,16 @@ static const char *kinc_fetch_script = + "#!/usr/bin/env sh\n" + "if ! test -d \"$KBUILD_DIR\"\n" + "then\n" +-" exit -1\n" ++" exit 1\n" + "fi\n" + "if ! test -f \"$KBUILD_DIR/include/generated/autoconf.h\"\n" + "then\n" +-" exit -1\n" ++" exit 1\n" + "fi\n" + "TMPDIR=`mktemp -d`\n" + "if test -z \"$TMPDIR\"\n" + "then\n" +-" exit -1\n" ++" exit 1\n" + "fi\n" + "cat << EOF > $TMPDIR/Makefile\n" + "obj-y := dummy.o\n" diff --git a/queue-4.9/perf-report-powerpc-fix-crash-if-callchain-is-empty.patch b/queue-4.9/perf-report-powerpc-fix-crash-if-callchain-is-empty.patch new file mode 100644 index 00000000000..f8c9e3fd358 --- /dev/null +++ b/queue-4.9/perf-report-powerpc-fix-crash-if-callchain-is-empty.patch @@ -0,0 +1,72 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sandipan Das +Date: Mon, 11 Jun 2018 16:10:49 +0530 +Subject: perf report powerpc: Fix crash if callchain is empty + +From: Sandipan Das + +[ Upstream commit 143c99f6ac6812d23254e80844d6e34be897d3e1 ] + +For some cases, the callchain provided by the kernel may be empty. So, +the callchain ip filtering code will cause a crash if we do not check +whether the struct ip_callchain pointer is NULL before accessing any +members. + +This can be observed on a powerpc64le system running Fedora 27 as shown +below. + + # perf record -b -e cycles:u ls + +Before: + + # perf report --branch-history + + perf: Segmentation fault + -------- backtrace -------- + perf[0x1027615c] + linux-vdso64.so.1(__kernel_sigtramp_rt64+0x0)[0x7fff856304d8] + perf(arch_skip_callchain_idx+0x44)[0x10257c58] + perf[0x1017f2e4] + perf(thread__resolve_callchain+0x124)[0x1017ff5c] + perf(sample__resolve_callchain+0xf0)[0x10172788] + ... + +After: + + # perf report --branch-history + + Samples: 25 of event 'cycles:u', Event count (approx.): 2306870 + Overhead Source:Line Symbol Shared Object + + 11.60% _init+35736 [.] _init ls + + 9.84% strcoll_l.c:137 [.] __strcoll_l libc-2.26.so + + 9.16% memcpy.S:175 [.] __memcpy_power7 libc-2.26.so + + 9.01% gconv_charset.h:54 [.] _nl_find_locale libc-2.26.so + + 8.87% dl-addr.c:52 [.] _dl_addr libc-2.26.so + + 8.83% _init+236 [.] _init ls + ... + +Reported-by: Ravi Bangoria +Signed-off-by: Sandipan Das +Acked-by: Ravi Bangoria +Cc: Jiri Olsa +Cc: Naveen N. Rao +Cc: Sukadev Bhattiprolu +Link: http://lkml.kernel.org/r/20180611104049.11048-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/skip-callchain-idx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c ++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c +@@ -243,7 +243,7 @@ int arch_skip_callchain_idx(struct threa + u64 ip; + u64 skip_slot = -1; + +- if (chain->nr < 3) ++ if (!chain || chain->nr < 3) + return skip_slot; + + ip = chain->ips[2]; diff --git a/queue-4.9/perf-test-session-topology-fix-test-on-s390.patch b/queue-4.9/perf-test-session-topology-fix-test-on-s390.patch new file mode 100644 index 00000000000..c0e2919742b --- /dev/null +++ b/queue-4.9/perf-test-session-topology-fix-test-on-s390.patch @@ -0,0 +1,62 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Thomas Richter +Date: Mon, 11 Jun 2018 09:31:53 +0200 +Subject: perf test session topology: Fix test on s390 + +From: Thomas Richter + +[ Upstream commit b930e62ecd362843002bdf84c2940439822af321 ] + +On s390 this test case fails because the socket identifiction numbers +assigned to the CPU are higher than the CPU identification numbers. + +F/ix this by adding the platform architecture into the perf data header +flag information. This helps identifiing the test platform and handles +s390 specifics in process_cpu_topology(). + +Before: + + [root@p23lp27 perf]# perf test -vvvvv -F 39 + 39: Session topology : + --- start --- + templ file: /tmp/perf-test-iUv755 + socket_id number is too big.You may need to upgrade the perf tool. + ---- end ---- + Session topology: Skip + [root@p23lp27 perf]# + +After: + + [root@p23lp27 perf]# perf test -vvvvv -F 39 + 39: Session topology : + --- start --- + templ file: /tmp/perf-test-8X8VTs + CPU 0, core 0, socket 6 + CPU 1, core 1, socket 3 + ---- end ---- + Session topology: Ok + [root@p23lp27 perf]# + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Cc: Heiko Carstens +Cc: Martin Schwidefsky +Fixes: c84974ed9fb6 ("perf test: Add entry to test cpu topology") +Link: http://lkml.kernel.org/r/20180611073153.15592-2-tmricht@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/topology.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/tools/perf/tests/topology.c ++++ b/tools/perf/tests/topology.c +@@ -42,6 +42,7 @@ static int session_write_header(char *pa + + perf_header__set_feat(&session->header, HEADER_CPU_TOPOLOGY); + perf_header__set_feat(&session->header, HEADER_NRCPUS); ++ perf_header__set_feat(&session->header, HEADER_ARCH); + + session->header.data_size += DATA_SIZE; + diff --git a/queue-4.9/perf-tests-add-event-parsing-error-handling-to-parse-events-test.patch b/queue-4.9/perf-tests-add-event-parsing-error-handling-to-parse-events-test.patch new file mode 100644 index 00000000000..46a77256199 --- /dev/null +++ b/queue-4.9/perf-tests-add-event-parsing-error-handling-to-parse-events-test.patch @@ -0,0 +1,87 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Jiri Olsa +Date: Mon, 11 Jun 2018 11:34:21 +0200 +Subject: perf tests: Add event parsing error handling to parse events test + +From: Jiri Olsa + +[ Upstream commit 933ccf2002aaef1037cb676622a694f5390c3d59 ] + +Add missing error handling for parse_events calls in test_event function +that led to following segfault on s390: + + running test 52 'intel_pt//u' + perf: Segmentation fault + ... + /lib64/libc.so.6(vasprintf+0xe6) [0x3fffca3f106] + /lib64/libc.so.6(asprintf+0x46) [0x3fffca1aa96] + ./perf(parse_events_add_pmu+0xb8) [0x80132088] + ./perf(parse_events_parse+0xc62) [0x8019529a] + ./perf(parse_events+0x98) [0x801341c0] + ./perf(test__parse_events+0x48) [0x800cd140] + ./perf(cmd_test+0x26a) [0x800bd44a] + test child interrupted + +Adding the struct parse_events_error argument to parse_events call. Also +adding parse_events_print_error to get more details on the parsing +failures, like: + + # perf test 6 -v + running test 52 'intel_pt//u'failed to parse event 'intel_pt//u', err 1, str 'Cannot find PMU `intel_pt'. Missing kernel support?' + event syntax error: 'intel_pt//u' + \___ Cannot find PMU `intel_pt'. Missing kernel support? + +Committer note: + +Use named initializers in the struct parse_events_error variable to +avoid breaking the build on centos5, 6 and others with a similar gcc: + + cc1: warnings being treated as errors + tests/parse-events.c: In function 'test_event': + tests/parse-events.c:1696: error: missing initializer + tests/parse-events.c:1696: error: (near initialization for 'err.str') + +Reported-by: Kim Phillips +Signed-off-by: Jiri Olsa +Tested-by: Kim Phillips +Cc: Alexander Shishkin +Cc: David Ahern +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Martin Schwidefsky +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Richter +Link: http://lkml.kernel.org/r/20180611093422.1005-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/parse-events.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/tools/perf/tests/parse-events.c ++++ b/tools/perf/tests/parse-events.c +@@ -1666,6 +1666,7 @@ static struct terms_test test__terms[] = + + static int test_event(struct evlist_test *e) + { ++ struct parse_events_error err = { .idx = 0, }; + struct perf_evlist *evlist; + int ret; + +@@ -1673,10 +1674,11 @@ static int test_event(struct evlist_test + if (evlist == NULL) + return -ENOMEM; + +- ret = parse_events(evlist, e->name, NULL); ++ ret = parse_events(evlist, e->name, &err); + if (ret) { +- pr_debug("failed to parse event '%s', err %d\n", +- e->name, ret); ++ pr_debug("failed to parse event '%s', err %d, str '%s'\n", ++ e->name, ret, err.str); ++ parse_events_print_error(&err, e->name); + } else { + ret = e->check(evlist); + } diff --git a/queue-4.9/pinctrl-nsp-fix-potential-null-dereference.patch b/queue-4.9/pinctrl-nsp-fix-potential-null-dereference.patch new file mode 100644 index 00000000000..b256d5e796a --- /dev/null +++ b/queue-4.9/pinctrl-nsp-fix-potential-null-dereference.patch @@ -0,0 +1,46 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Wei Yongjun +Date: Wed, 11 Jul 2018 12:34:21 +0000 +Subject: pinctrl: nsp: Fix potential NULL dereference + +From: Wei Yongjun + +[ Upstream commit c29e9da56bebb4c2c794e871b0dc0298bbf08142 ] + +platform_get_resource() may fail and return NULL, so we should +better check it's return value to avoid a NULL pointer dereference +a bit later in the code. + +This is detected by Coccinelle semantic patch. + +@@ +expression pdev, res, n, t, e, e1, e2; +@@ + +res = platform_get_resource(pdev, t, n); ++ if (!res) ++ return -EINVAL; +... when != res == NULL +e = devm_ioremap_nocache(e1, res->start, e2); + +Fixes: cc4fa83f66e9 ("pinctrl: nsp: add pinmux driver support for Broadcom NSP SoC") +Signed-off-by: Wei Yongjun +Reviewed-by: Ray Jui +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/bcm/pinctrl-nsp-mux.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pinctrl/bcm/pinctrl-nsp-mux.c ++++ b/drivers/pinctrl/bcm/pinctrl-nsp-mux.c +@@ -577,6 +577,8 @@ static int nsp_pinmux_probe(struct platf + return PTR_ERR(pinctrl->base0); + + res = platform_get_resource(pdev, IORESOURCE_MEM, 1); ++ if (!res) ++ return -EINVAL; + pinctrl->base1 = devm_ioremap_nocache(&pdev->dev, res->start, + resource_size(res)); + if (!pinctrl->base1) { diff --git a/queue-4.9/pinctrl-nsp-off-by-ones-in-nsp_pinmux_enable.patch b/queue-4.9/pinctrl-nsp-off-by-ones-in-nsp_pinmux_enable.patch new file mode 100644 index 00000000000..6e7a4826ec9 --- /dev/null +++ b/queue-4.9/pinctrl-nsp-off-by-ones-in-nsp_pinmux_enable.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dan Carpenter +Date: Tue, 3 Jul 2018 15:04:25 +0300 +Subject: pinctrl: nsp: off by ones in nsp_pinmux_enable() + +From: Dan Carpenter + +[ Upstream commit f90a21c898db58eaea14b8ad7e9af3b9e15e5f8a ] + +The > comparisons should be >= or else we read beyond the end of the +pinctrl->functions[] array. + +Fixes: cc4fa83f66e9 ("pinctrl: nsp: add pinmux driver support for Broadcom NSP SoC") +Signed-off-by: Dan Carpenter +Reviewed-by: Ray Jui +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/bcm/pinctrl-nsp-mux.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/pinctrl/bcm/pinctrl-nsp-mux.c ++++ b/drivers/pinctrl/bcm/pinctrl-nsp-mux.c +@@ -460,8 +460,8 @@ static int nsp_pinmux_enable(struct pinc + const struct nsp_pin_function *func; + const struct nsp_pin_group *grp; + +- if (grp_select > pinctrl->num_groups || +- func_select > pinctrl->num_functions) ++ if (grp_select >= pinctrl->num_groups || ++ func_select >= pinctrl->num_functions) + return -EINVAL; + + func = &pinctrl->functions[func_select]; diff --git a/queue-4.9/qed-add-sanity-check-for-simd-fastpath-handler.patch b/queue-4.9/qed-add-sanity-check-for-simd-fastpath-handler.patch new file mode 100644 index 00000000000..7ec27f50a75 --- /dev/null +++ b/queue-4.9/qed-add-sanity-check-for-simd-fastpath-handler.patch @@ -0,0 +1,45 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Mon, 18 Jun 2018 21:58:01 -0700 +Subject: qed: Add sanity check for SIMD fastpath handler. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit 3935a70968820c3994db4de7e6e1c7e814bff875 ] + +Avoid calling a SIMD fastpath handler if it is NULL. The check is needed +to handle an unlikely scenario where unsolicited interrupt is destined to +a PF in INTa mode. + +Fixes: fe56b9e6a ("qed: Add module with basic common support") +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Ariel Elior +Signed-off-by: Michal Kalderon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_main.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -502,8 +502,16 @@ static irqreturn_t qed_single_int(int ir + /* Fastpath interrupts */ + for (j = 0; j < 64; j++) { + if ((0x2ULL << j) & status) { +- hwfn->simd_proto_handler[j].func( +- hwfn->simd_proto_handler[j].token); ++ struct qed_simd_fp_handler *p_handler = ++ &hwfn->simd_proto_handler[j]; ++ ++ if (p_handler->func) ++ p_handler->func(p_handler->token); ++ else ++ DP_NOTICE(hwfn, ++ "Not calling fastpath handler as it is NULL [handler #%d, status 0x%llx]\n", ++ j, status); ++ + status &= ~(0x2ULL << j); + rc = IRQ_HANDLED; + } diff --git a/queue-4.9/qlogic-check-kstrtoul-for-errors.patch b/queue-4.9/qlogic-check-kstrtoul-for-errors.patch new file mode 100644 index 00000000000..d73c7c83fd4 --- /dev/null +++ b/queue-4.9/qlogic-check-kstrtoul-for-errors.patch @@ -0,0 +1,31 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dan Carpenter +Date: Thu, 12 Jul 2018 15:23:45 +0300 +Subject: qlogic: check kstrtoul() for errors + +From: Dan Carpenter + +[ Upstream commit 5fc853cc01c68f84984ecc2d5fd777ecad78240f ] + +We accidentally left out the error handling for kstrtoul(). + +Fixes: a520030e326a ("qlcnic: Implement flash sysfs callback for 83xx adapter") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sysfs.c +@@ -1128,6 +1128,8 @@ static ssize_t qlcnic_83xx_sysfs_flash_w + struct qlcnic_adapter *adapter = dev_get_drvdata(dev); + + ret = kstrtoul(buf, 16, &data); ++ if (ret) ++ return ret; + + switch (data) { + case QLC_83XX_FLASH_SECTOR_ERASE_CMD: diff --git a/queue-4.9/ravb-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch b/queue-4.9/ravb-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch new file mode 100644 index 00000000000..cef02b1f590 --- /dev/null +++ b/queue-4.9/ravb-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch @@ -0,0 +1,46 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:14:50 +0300 +Subject: ravb: fix invalid context bug while calling auto-negotiation by ethtool + +From: Vladimir Zapolskiy + +[ Upstream commit 0973a4dd79fe56a3beecfcff675ba4c01df0b0c1 ] + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however the helper function is +called in atomic context. + +The bug can be reproduced by running "ethtool -r" command, the bug +is reported if CONFIG_DEBUG_ATOMIC_SLEEP build option is enabled. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -1122,15 +1122,10 @@ error_exit: + + static int ravb_nway_reset(struct net_device *ndev) + { +- struct ravb_private *priv = netdev_priv(ndev); + int error = -ENODEV; +- unsigned long flags; + +- if (ndev->phydev) { +- spin_lock_irqsave(&priv->lock, flags); ++ if (ndev->phydev) + error = phy_start_aneg(ndev->phydev); +- spin_unlock_irqrestore(&priv->lock, flags); +- } + + return error; + } diff --git a/queue-4.9/ravb-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch b/queue-4.9/ravb-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch new file mode 100644 index 00000000000..d09b42a3c71 --- /dev/null +++ b/queue-4.9/ravb-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch @@ -0,0 +1,117 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:14:51 +0300 +Subject: ravb: fix invalid context bug while changing link options by ethtool + +From: Vladimir Zapolskiy + +[ Upstream commit 05925e52a7d379192a5fdff2c33710f573190ead ] + +The change fixes sleep in atomic context bug, which is encountered +every time when link settings are changed by ethtool. + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however that helper function is +called in atomic context under a grabbed spinlock, because +phy_start_aneg() is called by phy_ethtool_ksettings_set() and by +replaced phy_ethtool_sset() helpers from phylib. + +Now duplex mode setting is enforced in ravb_adjust_link() only, also +now RX/TX is disabled when link is put down or modifications to E-MAC +registers ECMR and GECMR are expected for both cases of checked and +ignored link status pin state from E-MAC interrupt handler. + +Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/ravb_main.c | 49 +++++++++---------------------- + 1 file changed, 15 insertions(+), 34 deletions(-) + +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -955,6 +955,13 @@ static void ravb_adjust_link(struct net_ + struct ravb_private *priv = netdev_priv(ndev); + struct phy_device *phydev = ndev->phydev; + bool new_state = false; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&priv->lock, flags); ++ ++ /* Disable TX and RX right over here, if E-MAC change is ignored */ ++ if (priv->no_avb_link) ++ ravb_rcv_snd_disable(ndev); + + if (phydev->link) { + if (phydev->duplex != priv->duplex) { +@@ -972,18 +979,21 @@ static void ravb_adjust_link(struct net_ + ravb_modify(ndev, ECMR, ECMR_TXF, 0); + new_state = true; + priv->link = phydev->link; +- if (priv->no_avb_link) +- ravb_rcv_snd_enable(ndev); + } + } else if (priv->link) { + new_state = true; + priv->link = 0; + priv->speed = 0; + priv->duplex = -1; +- if (priv->no_avb_link) +- ravb_rcv_snd_disable(ndev); + } + ++ /* Enable TX and RX right over here, if E-MAC change is ignored */ ++ if (priv->no_avb_link && phydev->link) ++ ravb_rcv_snd_enable(ndev); ++ ++ mmiowb(); ++ spin_unlock_irqrestore(&priv->lock, flags); ++ + if (new_state && netif_msg_link(priv)) + phy_print_status(phydev); + } +@@ -1085,39 +1095,10 @@ static int ravb_get_link_ksettings(struc + static int ravb_set_link_ksettings(struct net_device *ndev, + const struct ethtool_link_ksettings *cmd) + { +- struct ravb_private *priv = netdev_priv(ndev); +- unsigned long flags; +- int error; +- + if (!ndev->phydev) + return -ENODEV; + +- spin_lock_irqsave(&priv->lock, flags); +- +- /* Disable TX and RX */ +- ravb_rcv_snd_disable(ndev); +- +- error = phy_ethtool_ksettings_set(ndev->phydev, cmd); +- if (error) +- goto error_exit; +- +- if (cmd->base.duplex == DUPLEX_FULL) +- priv->duplex = 1; +- else +- priv->duplex = 0; +- +- ravb_set_duplex(ndev); +- +-error_exit: +- mdelay(1); +- +- /* Enable TX and RX */ +- ravb_rcv_snd_enable(ndev); +- +- mmiowb(); +- spin_unlock_irqrestore(&priv->lock, flags); +- +- return error; ++ return phy_ethtool_ksettings_set(ndev->phydev, cmd); + } + + static int ravb_nway_reset(struct net_device *ndev) diff --git a/queue-4.9/rdma-mlx5-fix-memory-leak-in-mlx5_ib_create_srq-error-path.patch b/queue-4.9/rdma-mlx5-fix-memory-leak-in-mlx5_ib_create_srq-error-path.patch new file mode 100644 index 00000000000..fac5b287f0b --- /dev/null +++ b/queue-4.9/rdma-mlx5-fix-memory-leak-in-mlx5_ib_create_srq-error-path.patch @@ -0,0 +1,55 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Kamal Heib +Date: Tue, 10 Jul 2018 11:56:50 +0300 +Subject: RDMA/mlx5: Fix memory leak in mlx5_ib_create_srq() error path + +From: Kamal Heib + +[ Upstream commit d63c46734c545ad0488761059004a65c46efdde3 ] + +Fix memory leak in the error path of mlx5_ib_create_srq() by making sure +to free the allocated srq. + +Fixes: c2b37f76485f ("IB/mlx5: Fix integer overflows in mlx5_ib_create_srq") +Signed-off-by: Kamal Heib +Acked-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/srq.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/srq.c ++++ b/drivers/infiniband/hw/mlx5/srq.c +@@ -268,18 +268,24 @@ struct ib_srq *mlx5_ib_create_srq(struct + + desc_size = sizeof(struct mlx5_wqe_srq_next_seg) + + srq->msrq.max_gs * sizeof(struct mlx5_wqe_data_seg); +- if (desc_size == 0 || srq->msrq.max_gs > desc_size) +- return ERR_PTR(-EINVAL); ++ if (desc_size == 0 || srq->msrq.max_gs > desc_size) { ++ err = -EINVAL; ++ goto err_srq; ++ } + desc_size = roundup_pow_of_two(desc_size); + desc_size = max_t(size_t, 32, desc_size); +- if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) +- return ERR_PTR(-EINVAL); ++ if (desc_size < sizeof(struct mlx5_wqe_srq_next_seg)) { ++ err = -EINVAL; ++ goto err_srq; ++ } + srq->msrq.max_avail_gather = (desc_size - sizeof(struct mlx5_wqe_srq_next_seg)) / + sizeof(struct mlx5_wqe_data_seg); + srq->msrq.wqe_shift = ilog2(desc_size); + buf_size = srq->msrq.max * desc_size; +- if (buf_size < desc_size) +- return ERR_PTR(-EINVAL); ++ if (buf_size < desc_size) { ++ err = -EINVAL; ++ goto err_srq; ++ } + in.type = init_attr->srq_type; + + if (pd->uobject) diff --git a/queue-4.9/samples-bpf-add-missing-linux-if_vlan.h.patch b/queue-4.9/samples-bpf-add-missing-linux-if_vlan.h.patch new file mode 100644 index 00000000000..8904000f1d0 --- /dev/null +++ b/queue-4.9/samples-bpf-add-missing-linux-if_vlan.h.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Taeung Song +Date: Wed, 4 Jul 2018 22:36:36 +0900 +Subject: samples/bpf: add missing + +From: Taeung Song + +[ Upstream commit 4d5d33a085335ef469c9a87792bcaaaa8e64d8c4 ] + +This fixes build error regarding redefinition: + + CLANG-bpf samples/bpf/parse_varlen.o + samples/bpf/parse_varlen.c:111:8: error: redefinition of 'vlan_hdr' + struct vlan_hdr { + ^ + ./include/linux/if_vlan.h:38:8: note: previous definition is here + +So remove duplicate 'struct vlan_hdr' in sample code and include if_vlan.h + +Signed-off-by: Taeung Song +Acked-by: David S. Miller +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + samples/bpf/parse_varlen.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/samples/bpf/parse_varlen.c ++++ b/samples/bpf/parse_varlen.c +@@ -6,6 +6,7 @@ + */ + #define KBUILD_MODNAME "foo" + #include ++#include + #include + #include + #include +@@ -108,11 +109,6 @@ static int parse_ipv6(void *data, uint64 + return 0; + } + +-struct vlan_hdr { +- uint16_t h_vlan_TCI; +- uint16_t h_vlan_encapsulated_proto; +-}; +- + SEC("varlen") + int handle_ingress(struct __sk_buff *skb) + { diff --git a/queue-4.9/samples-bpf-check-the-error-of-write-and-read.patch b/queue-4.9/samples-bpf-check-the-error-of-write-and-read.patch new file mode 100644 index 00000000000..5e55dc3bbf7 --- /dev/null +++ b/queue-4.9/samples-bpf-check-the-error-of-write-and-read.patch @@ -0,0 +1,65 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Taeung Song +Date: Wed, 4 Jul 2018 22:36:38 +0900 +Subject: samples/bpf: Check the error of write() and read() + +From: Taeung Song + +[ Upstream commit 02a2f000a3629274bfad60bfc4de9edec49e63e7 ] + +test_task_rename() and test_urandom_read() +can be failed during write() and read(), +So check the result of them. + +Reviewed-by: David Laight +Signed-off-by: Taeung Song +Acked-by: David S. Miller +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + samples/bpf/test_overhead_user.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/samples/bpf/test_overhead_user.c ++++ b/samples/bpf/test_overhead_user.c +@@ -6,6 +6,7 @@ + */ + #define _GNU_SOURCE + #include ++#include + #include + #include + #include +@@ -44,8 +45,13 @@ static void test_task_rename(int cpu) + exit(1); + } + start_time = time_get_ns(); +- for (i = 0; i < MAX_CNT; i++) +- write(fd, buf, sizeof(buf)); ++ for (i = 0; i < MAX_CNT; i++) { ++ if (write(fd, buf, sizeof(buf)) < 0) { ++ printf("task rename failed: %s\n", strerror(errno)); ++ close(fd); ++ return; ++ } ++ } + printf("task_rename:%d: %lld events per sec\n", + cpu, MAX_CNT * 1000000000ll / (time_get_ns() - start_time)); + close(fd); +@@ -63,8 +69,13 @@ static void test_urandom_read(int cpu) + exit(1); + } + start_time = time_get_ns(); +- for (i = 0; i < MAX_CNT; i++) +- read(fd, buf, sizeof(buf)); ++ for (i = 0; i < MAX_CNT; i++) { ++ if (read(fd, buf, sizeof(buf)) < 0) { ++ printf("failed to read from /dev/urandom: %s\n", strerror(errno)); ++ close(fd); ++ return; ++ } ++ } + printf("urandom_read:%d: %lld events per sec\n", + cpu, MAX_CNT * 1000000000ll / (time_get_ns() - start_time)); + close(fd); diff --git a/queue-4.9/scsi-xen-scsifront-add-error-handling-for-xenbus_printf.patch b/queue-4.9/scsi-xen-scsifront-add-error-handling-for-xenbus_printf.patch new file mode 100644 index 00000000000..028621d6181 --- /dev/null +++ b/queue-4.9/scsi-xen-scsifront-add-error-handling-for-xenbus_printf.patch @@ -0,0 +1,94 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Zhouyang Jia +Date: Sat, 16 Jun 2018 01:05:01 +0800 +Subject: scsi: xen-scsifront: add error handling for xenbus_printf + +From: Zhouyang Jia + +[ Upstream commit 93efbd39870474cc536b9caf4a6efeb03b0bc56f ] + +When xenbus_printf fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling xenbus_printf. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/xen-scsifront.c | 33 ++++++++++++++++++++++++++------- + 1 file changed, 26 insertions(+), 7 deletions(-) + +--- a/drivers/scsi/xen-scsifront.c ++++ b/drivers/scsi/xen-scsifront.c +@@ -676,10 +676,17 @@ static int scsifront_dev_reset_handler(s + static int scsifront_sdev_configure(struct scsi_device *sdev) + { + struct vscsifrnt_info *info = shost_priv(sdev->host); ++ int err; + +- if (info && current == info->curr) +- xenbus_printf(XBT_NIL, info->dev->nodename, ++ if (info && current == info->curr) { ++ err = xenbus_printf(XBT_NIL, info->dev->nodename, + info->dev_state_path, "%d", XenbusStateConnected); ++ if (err) { ++ xenbus_dev_error(info->dev, err, ++ "%s: writing dev_state_path", __func__); ++ return err; ++ } ++ } + + return 0; + } +@@ -687,10 +694,15 @@ static int scsifront_sdev_configure(stru + static void scsifront_sdev_destroy(struct scsi_device *sdev) + { + struct vscsifrnt_info *info = shost_priv(sdev->host); ++ int err; + +- if (info && current == info->curr) +- xenbus_printf(XBT_NIL, info->dev->nodename, ++ if (info && current == info->curr) { ++ err = xenbus_printf(XBT_NIL, info->dev->nodename, + info->dev_state_path, "%d", XenbusStateClosed); ++ if (err) ++ xenbus_dev_error(info->dev, err, ++ "%s: writing dev_state_path", __func__); ++ } + } + + static struct scsi_host_template scsifront_sht = { +@@ -1025,9 +1037,12 @@ static void scsifront_do_lun_hotplug(str + + if (scsi_add_device(info->host, chn, tgt, lun)) { + dev_err(&dev->dev, "scsi_add_device\n"); +- xenbus_printf(XBT_NIL, dev->nodename, ++ err = xenbus_printf(XBT_NIL, dev->nodename, + info->dev_state_path, + "%d", XenbusStateClosed); ++ if (err) ++ xenbus_dev_error(dev, err, ++ "%s: writing dev_state_path", __func__); + } + break; + case VSCSIFRONT_OP_DEL_LUN: +@@ -1041,10 +1056,14 @@ static void scsifront_do_lun_hotplug(str + } + break; + case VSCSIFRONT_OP_READD_LUN: +- if (device_state == XenbusStateConnected) +- xenbus_printf(XBT_NIL, dev->nodename, ++ if (device_state == XenbusStateConnected) { ++ err = xenbus_printf(XBT_NIL, dev->nodename, + info->dev_state_path, + "%d", XenbusStateConnected); ++ if (err) ++ xenbus_dev_error(dev, err, ++ "%s: writing dev_state_path", __func__); ++ } + break; + default: + break; diff --git a/queue-4.9/selftests-pstore-return-kselftest-skip-code-for-skipped-tests.patch b/queue-4.9/selftests-pstore-return-kselftest-skip-code-for-skipped-tests.patch new file mode 100644 index 00000000000..d3b96f388c5 --- /dev/null +++ b/queue-4.9/selftests-pstore-return-kselftest-skip-code-for-skipped-tests.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Tue, 12 Jun 2018 16:46:03 -0600 +Subject: selftests: pstore: return Kselftest Skip code for skipped tests + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit 856e7c4b619af622d56b3b454f7bec32a170ac99 ] + +When pstore_post_reboot test gets skipped because of unmet dependencies +and/or unsupported configuration, it returns 0 which is treated as a pass +by the Kselftest framework. This leads to false positive result even when +the test could not be run. + +Change it to return kselftest skip code when a test gets skipped to clearly +report that the test could not be run. + +Kselftest framework SKIP code is 4 and the framework prints appropriate +messages to indicate that the test is skipped. + +Signed-off-by: Shuah Khan (Samsung OSG) +Reviewed-by: Kees Cook +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/pstore/pstore_post_reboot_tests | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/pstore/pstore_post_reboot_tests ++++ b/tools/testing/selftests/pstore/pstore_post_reboot_tests +@@ -7,13 +7,16 @@ + # + # Released under the terms of the GPL v2. + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ + . ./common_tests + + if [ -e $REBOOT_FLAG ]; then + rm $REBOOT_FLAG + else + prlog "pstore_crash_test has not been executed yet. we skip further tests." +- exit 0 ++ exit $ksft_skip + fi + + prlog -n "Mounting pstore filesystem ... " diff --git a/queue-4.9/selftests-static_keys-return-kselftest-skip-code-for-skipped-tests.patch b/queue-4.9/selftests-static_keys-return-kselftest-skip-code-for-skipped-tests.patch new file mode 100644 index 00000000000..9d5e6e27907 --- /dev/null +++ b/queue-4.9/selftests-static_keys-return-kselftest-skip-code-for-skipped-tests.patch @@ -0,0 +1,53 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Tue, 12 Jun 2018 17:40:31 -0600 +Subject: selftests: static_keys: return Kselftest Skip code for skipped tests + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit 8781578087b8fb8829558bac96c3c24e5ba26f82 ] + +When static_keys test is skipped because of unmet dependencies and/or +unsupported configuration, it exits with error which is treated as a fail +by the Kselftest framework. This leads to false negative result even when +the test could not be run. + +Change it to return kselftest skip code when a test gets skipped to clearly +report that the test could not be run. + +Added an explicit searches for test_static_key_base and test_static_keys +modules and return skip code if they aren't found to differentiate between +the failure to load the module condition and module not found condition. + +Kselftest framework SKIP code is 4 and the framework prints appropriate +messages to indicate that the test is skipped. + +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/static_keys/test_static_keys.sh | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/tools/testing/selftests/static_keys/test_static_keys.sh ++++ b/tools/testing/selftests/static_keys/test_static_keys.sh +@@ -1,6 +1,19 @@ + #!/bin/sh + # Runs static keys kernel module tests + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ ++if ! /sbin/modprobe -q -n test_static_key_base; then ++ echo "static_key: module test_static_key_base is not found [SKIP]" ++ exit $ksft_skip ++fi ++ ++if ! /sbin/modprobe -q -n test_static_keys; then ++ echo "static_key: module test_static_keys is not found [SKIP]" ++ exit $ksft_skip ++fi ++ + if /sbin/modprobe -q test_static_key_base; then + if /sbin/modprobe -q test_static_keys; then + echo "static_key: ok" diff --git a/queue-4.9/selftests-sync-add-config-fragment-for-testing-sync-framework.patch b/queue-4.9/selftests-sync-add-config-fragment-for-testing-sync-framework.patch new file mode 100644 index 00000000000..1bca36bfc94 --- /dev/null +++ b/queue-4.9/selftests-sync-add-config-fragment-for-testing-sync-framework.patch @@ -0,0 +1,36 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Fathi Boudra +Date: Thu, 14 Jun 2018 11:57:08 +0200 +Subject: selftests: sync: add config fragment for testing sync framework + +From: Fathi Boudra + +[ Upstream commit d6a3e55131fcb1e5ca1753f4b6f297a177b2fc91 ] + +Unless the software synchronization objects (CONFIG_SW_SYNC) is enabled, +the sync test will be skipped: + +TAP version 13 +1..0 # Skipped: Sync framework not supported by kernel + +Add a config fragment file to be able to run "make kselftest-merge" to +enable relevant configuration required in order to run the sync test. + +Signed-off-by: Fathi Boudra +Link: https://lkml.org/lkml/2017/5/5/14 +Signed-off-by: Anders Roxell +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/sync/config | 4 ++++ + 1 file changed, 4 insertions(+) + create mode 100644 tools/testing/selftests/sync/config + +--- /dev/null ++++ b/tools/testing/selftests/sync/config +@@ -0,0 +1,4 @@ ++CONFIG_STAGING=y ++CONFIG_ANDROID=y ++CONFIG_SYNC=y ++CONFIG_SW_SYNC=y diff --git a/queue-4.9/selftests-user-return-kselftest-skip-code-for-skipped-tests.patch b/queue-4.9/selftests-user-return-kselftest-skip-code-for-skipped-tests.patch new file mode 100644 index 00000000000..91bc4eb27da --- /dev/null +++ b/queue-4.9/selftests-user-return-kselftest-skip-code-for-skipped-tests.patch @@ -0,0 +1,44 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Wed, 13 Jun 2018 21:10:48 -0600 +Subject: selftests: user: return Kselftest Skip code for skipped tests + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit d7d5311d4aa9611fe1a5a851e6f75733237a668a ] + +When user test is skipped because of unmet dependencies and/or +unsupported configuration, it exits with error which is treated as +a fail by the Kselftest framework. This leads to false negative result +even when the test could not be run. + +Change it to return kselftest skip code when a test gets skipped to +clearly report that the test could not be run. Add an explicit check +for module presence and return skip code if module isn't present. + +Kselftest framework SKIP code is 4 and the framework prints appropriate +messages to indicate that the test is skipped. + +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/user/test_user_copy.sh | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/tools/testing/selftests/user/test_user_copy.sh ++++ b/tools/testing/selftests/user/test_user_copy.sh +@@ -1,6 +1,13 @@ + #!/bin/sh + # Runs copy_to/from_user infrastructure using test_user_copy kernel module + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ ++if ! /sbin/modprobe -q -n test_user_copy; then ++ echo "user: module test_user_copy is not found [SKIP]" ++ exit $ksft_skip ++fi + if /sbin/modprobe -q test_user_copy; then + /sbin/modprobe -q -r test_user_copy + echo "user_copy: ok" diff --git a/queue-4.9/selftests-x86-sigreturn-64-fix-spurious-failures-on-amd-cpus.patch b/queue-4.9/selftests-x86-sigreturn-64-fix-spurious-failures-on-amd-cpus.patch new file mode 100644 index 00000000000..ce585bd5ce4 --- /dev/null +++ b/queue-4.9/selftests-x86-sigreturn-64-fix-spurious-failures-on-amd-cpus.patch @@ -0,0 +1,94 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Andy Lutomirski +Date: Tue, 26 Jun 2018 22:17:17 -0700 +Subject: selftests/x86/sigreturn/64: Fix spurious failures on AMD CPUs + +From: Andy Lutomirski + +[ Upstream commit ec348020566009d3da9b99f07c05814d13969c78 ] + +When I wrote the sigreturn test, I didn't realize that AMD's busted +IRET behavior was different from Intel's busted IRET behavior: + +On AMD CPUs, the CPU leaks the high 32 bits of the kernel stack pointer +to certain userspace contexts. Gee, thanks. There's very little +the kernel can do about it. Modify the test so it passes. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/86e7fd3564497f657de30a36da4505799eebef01.1530076529.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/sigreturn.c | 46 ++++++++++++++++++++------------ + 1 file changed, 29 insertions(+), 17 deletions(-) + +--- a/tools/testing/selftests/x86/sigreturn.c ++++ b/tools/testing/selftests/x86/sigreturn.c +@@ -612,19 +612,38 @@ static int test_valid_sigreturn(int cs_b + greg_t req = requested_regs[i], res = resulting_regs[i]; + if (i == REG_TRAPNO || i == REG_IP) + continue; /* don't care */ +- if (i == REG_SP) { +- printf("\tSP: %llx -> %llx\n", (unsigned long long)req, +- (unsigned long long)res); + ++ if (i == REG_SP) { + /* +- * In many circumstances, the high 32 bits of rsp +- * are zeroed. For example, we could be a real +- * 32-bit program, or we could hit any of a number +- * of poorly-documented IRET or segmented ESP +- * oddities. If this happens, it's okay. ++ * If we were using a 16-bit stack segment, then ++ * the kernel is a bit stuck: IRET only restores ++ * the low 16 bits of ESP/RSP if SS is 16-bit. ++ * The kernel uses a hack to restore bits 31:16, ++ * but that hack doesn't help with bits 63:32. ++ * On Intel CPUs, bits 63:32 end up zeroed, and, on ++ * AMD CPUs, they leak the high bits of the kernel ++ * espfix64 stack pointer. There's very little that ++ * the kernel can do about it. ++ * ++ * Similarly, if we are returning to a 32-bit context, ++ * the CPU will often lose the high 32 bits of RSP. + */ +- if (res == (req & 0xFFFFFFFF)) +- continue; /* OK; not expected to work */ ++ ++ if (res == req) ++ continue; ++ ++ if (cs_bits != 64 && ((res ^ req) & 0xFFFFFFFF) == 0) { ++ printf("[NOTE]\tSP: %llx -> %llx\n", ++ (unsigned long long)req, ++ (unsigned long long)res); ++ continue; ++ } ++ ++ printf("[FAIL]\tSP mismatch: requested 0x%llx; got 0x%llx\n", ++ (unsigned long long)requested_regs[i], ++ (unsigned long long)resulting_regs[i]); ++ nerrs++; ++ continue; + } + + bool ignore_reg = false; +@@ -663,13 +682,6 @@ static int test_valid_sigreturn(int cs_b + } + + if (requested_regs[i] != resulting_regs[i] && !ignore_reg) { +- /* +- * SP is particularly interesting here. The +- * usual cause of failures is that we hit the +- * nasty IRET case of returning to a 16-bit SS, +- * in which case bits 16:31 of the *kernel* +- * stack pointer persist in ESP. +- */ + printf("[FAIL]\tReg %d mismatch: requested 0x%llx; got 0x%llx\n", + i, (unsigned long long)requested_regs[i], + (unsigned long long)resulting_regs[i]); diff --git a/queue-4.9/selftests-x86-sigreturn-do-minor-cleanups.patch b/queue-4.9/selftests-x86-sigreturn-do-minor-cleanups.patch new file mode 100644 index 00000000000..8c3b934dab8 --- /dev/null +++ b/queue-4.9/selftests-x86-sigreturn-do-minor-cleanups.patch @@ -0,0 +1,61 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Andy Lutomirski +Date: Tue, 26 Jun 2018 22:17:18 -0700 +Subject: selftests/x86/sigreturn: Do minor cleanups + +From: Andy Lutomirski + +[ Upstream commit e8a445dea219c32727016af14f847d2e8f7ebec8 ] + +We have short names for the requested and resulting register values. +Use them instead of spelling out the whole register entry for each +case. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/bb3bc1f923a2f6fe7912d22a1068fe29d6033d38.1530076529.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/sigreturn.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/x86/sigreturn.c ++++ b/tools/testing/selftests/x86/sigreturn.c +@@ -610,6 +610,7 @@ static int test_valid_sigreturn(int cs_b + */ + for (int i = 0; i < NGREG; i++) { + greg_t req = requested_regs[i], res = resulting_regs[i]; ++ + if (i == REG_TRAPNO || i == REG_IP) + continue; /* don't care */ + +@@ -673,18 +674,18 @@ static int test_valid_sigreturn(int cs_b + #endif + + /* Sanity check on the kernel */ +- if (i == REG_CX && requested_regs[i] != resulting_regs[i]) { ++ if (i == REG_CX && req != res) { + printf("[FAIL]\tCX (saved SP) mismatch: requested 0x%llx; got 0x%llx\n", +- (unsigned long long)requested_regs[i], +- (unsigned long long)resulting_regs[i]); ++ (unsigned long long)req, ++ (unsigned long long)res); + nerrs++; + continue; + } + +- if (requested_regs[i] != resulting_regs[i] && !ignore_reg) { ++ if (req != res && !ignore_reg) { + printf("[FAIL]\tReg %d mismatch: requested 0x%llx; got 0x%llx\n", +- i, (unsigned long long)requested_regs[i], +- (unsigned long long)resulting_regs[i]); ++ i, (unsigned long long)req, ++ (unsigned long long)res); + nerrs++; + } + } diff --git a/queue-4.9/selftests-zram-return-kselftest-skip-code-for-skipped-tests.patch b/queue-4.9/selftests-zram-return-kselftest-skip-code-for-skipped-tests.patch new file mode 100644 index 00000000000..935f744697f --- /dev/null +++ b/queue-4.9/selftests-zram-return-kselftest-skip-code-for-skipped-tests.patch @@ -0,0 +1,68 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Thu, 14 Jun 2018 16:56:13 -0600 +Subject: selftests: zram: return Kselftest Skip code for skipped tests + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit 685814466bf8398192cf855415a0bb2cefc1930e ] + +When zram test is skipped because of unmet dependencies and/or +unsupported configuration, it exits with error which is treated as +a fail by the Kselftest framework. This leads to false negative result +even when the test could not be run. + +Change it to return kselftest skip code when a test gets skipped to +clearly report that the test could not be run. + +Kselftest framework SKIP code is 4 and the framework prints appropriate +messages to indicate that the test is skipped. + +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/zram/zram.sh | 5 ++++- + tools/testing/selftests/zram/zram_lib.sh | 5 ++++- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/tools/testing/selftests/zram/zram.sh ++++ b/tools/testing/selftests/zram/zram.sh +@@ -1,6 +1,9 @@ + #!/bin/bash + TCID="zram.sh" + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ + . ./zram_lib.sh + + run_zram () { +@@ -23,5 +26,5 @@ elif [ -b /dev/zram0 ]; then + else + echo "$TCID : No zram.ko module or /dev/zram0 device file not found" + echo "$TCID : CONFIG_ZRAM is not set" +- exit 1 ++ exit $ksft_skip + fi +--- a/tools/testing/selftests/zram/zram_lib.sh ++++ b/tools/testing/selftests/zram/zram_lib.sh +@@ -18,6 +18,9 @@ MODULE=0 + dev_makeswap=-1 + dev_mounted=-1 + ++# Kselftest framework requirement - SKIP code is 4. ++ksft_skip=4 ++ + trap INT + + check_prereqs() +@@ -27,7 +30,7 @@ check_prereqs() + + if [ $uid -ne 0 ]; then + echo $msg must be run as root >&2 +- exit 0 ++ exit $ksft_skip + fi + } + diff --git a/queue-4.9/series b/queue-4.9/series index 44e23c6e8de..03c09d12030 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1 +1,118 @@ x86-entry-64-remove-ebx-handling-from-error_entry-exit.patch +arc-explicitly-add-mmedium-calls-to-cflags.patch +usb-dwc3-of-simple-fix-use-after-free-on-remove.patch +netfilter-ipv6-nf_defrag-reduce-struct-net-memory-waste.patch +selftests-pstore-return-kselftest-skip-code-for-skipped-tests.patch +selftests-static_keys-return-kselftest-skip-code-for-skipped-tests.patch +selftests-user-return-kselftest-skip-code-for-skipped-tests.patch +selftests-zram-return-kselftest-skip-code-for-skipped-tests.patch +selftests-sync-add-config-fragment-for-testing-sync-framework.patch +arm-dts-nsp-fix-i2c-controller-interrupt-type.patch +arm-dts-nsp-fix-pcie-controllers-interrupt-types.patch +arm-dts-cygnus-fix-i2c-controller-interrupt-type.patch +arm-dts-cygnus-fix-pcie-controller-interrupt-type.patch +arm64-dts-ns2-fix-i2c-controller-interrupt-type.patch +drm-mali-dp-enable-global-se-interrupts-mask-for-dp500.patch +ib-rxe-fix-missing-completion-for-mem_reg-work-requests.patch +libahci-fix-possible-spectre-v1-pmp-indexing-in-ahci_led_store.patch +usb-dwc2-fix-isoc-split-in-transfer-with-no-data.patch +usb-gadget-composite-fix-delayed_status-race-condition-when-set_interface.patch +usb-gadget-dwc2-fix-memory-leak-in-gadget_init.patch +xen-add-error-handling-for-xenbus_printf.patch +scsi-xen-scsifront-add-error-handling-for-xenbus_printf.patch +xen-scsiback-add-error-handling-for-xenbus_printf.patch +arm64-make-secondary_start_kernel-notrace.patch +qed-add-sanity-check-for-simd-fastpath-handler.patch +enic-initialize-enic-rfs_h.lock-in-enic_probe.patch +net-hamradio-use-eth_broadcast_addr.patch +net-propagate-dev_get_valid_name-return-code.patch +net-stmmac-socfpga-add-additional-ocp-reset-line-for-stratix10.patch +nvmet-reset-keep-alive-timer-in-controller-enable.patch +arc-enable-machine_desc-init_per_cpu-for-config_smp.patch +net-davinci_emac-match-the-mdio-device-against-its-compatible-if-possible.patch +kvm-arm-arm64-drop-resource-size-check-for-gicv-window.patch +locking-lockdep-do-not-record-irq-state-within-lockdep-code.patch +ipv6-mcast-fix-unsolicited-report-interval-after-receiving-querys.patch +smack-mark-inode-instant-in-smack_task_to_inode.patch +batman-adv-fix-bat_ogm_iv-best-gw-refcnt-after-netlink-dump.patch +batman-adv-fix-bat_v-best-gw-refcnt-after-netlink-dump.patch +cxgb4-when-disabling-dcb-set-txq-dcb-priority-to-0.patch +iio-pressure-bmp280-fix-relative-humidity-unit.patch +brcmfmac-stop-watchdog-before-detach-and-free-everything.patch +arm-dts-am437x-make-edt-ft5x06-a-wakeup-source.patch +alsa-seq-fix-ubsan-warning-at-sndrv_seq_ioctl_query_next_client-ioctl.patch +usb-xhci-remove-the-code-build-warning.patch +usb-xhci-increase-crs-timeout-value.patch +nfc-pn533-fix-wrong-gfp-flag-usage.patch +perf-test-session-topology-fix-test-on-s390.patch +perf-report-powerpc-fix-crash-if-callchain-is-empty.patch +perf-tests-add-event-parsing-error-handling-to-parse-events-test.patch +perf-bench-fix-numa-report-output-code.patch +netfilter-nf_log-fix-uninit-read-in-nf_log_proc_dostring.patch +ceph-fix-dentry-leak-in-splice_dentry.patch +selftests-x86-sigreturn-64-fix-spurious-failures-on-amd-cpus.patch +selftests-x86-sigreturn-do-minor-cleanups.patch +arm-dts-da850-fix-interrups-property-for-gpio.patch +dmaengine-pl330-report-burst-residue-granularity.patch +dmaengine-k3dma-off-by-one-in-k3_of_dma_simple_xlate.patch +md-raid10-fix-that-replacement-cannot-complete-recovery-after-reassemble.patch +nl80211-relax-ht-operation-checks-for-mesh.patch +drm-exynos-gsc-fix-support-for-nv16-61-yuv420-yvu420-and-yuv422-modes.patch +drm-exynos-decon5433-fix-per-plane-global-alpha-for-xrgb-modes.patch +drm-exynos-decon5433-fix-winconx-reset-value.patch +bpf-s390-fix-potential-memleak-when-later-bpf_jit_prog-fails.patch +pci-xilinx-add-missing-of_node_put.patch +pci-xilinx-nwl-add-missing-of_node_put.patch +bnx2x-fix-receiving-tx-timeout-in-error-or-recovery-state.patch +acpi-nfit-fix-cmd_rc-for-acpi_nfit_ctl-to-always-return-a-value.patch +m68k-fix-bad-page-state-oops-on-coldfire-boot.patch +objtool-support-gcc-8-fnoreorder-functions.patch +ipvlan-call-dev_change_flags-when-ipvlan-mode-is-reset.patch +hid-wacom-correct-touch-maximum-xy-of-2nd-gen-intuos.patch +arm-imx_v6_v7_defconfig-select-ulpi-support.patch +arm-imx_v4_v5_defconfig-select-ulpi-support.patch +tracing-use-__printf-markup-to-silence-compiler.patch +kasan-fix-shadow_size-calculation-error-in-kasan_module_alloc.patch +smsc75xx-add-workaround-for-gigabit-link-up-hardware-errata.patch +samples-bpf-add-missing-linux-if_vlan.h.patch +samples-bpf-check-the-error-of-write-and-read.patch +ieee802154-6lowpan-set-ifla_link.patch +netfilter-x_tables-set-module-owner-for-icmp-6-matches.patch +ipv6-make-ipv6_renew_options-interrupt-kernel-safe.patch +net-qrtr-broadcast-messages-only-from-control-port.patch +sh_eth-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch +sh_eth-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch +ravb-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch +ravb-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch +arm-pxa-irq-fix-handling-of-icmr-registers-in-suspend-resume.patch +net-sched-act_tunnel_key-fix-null-dereference-when-goto-chain-is-used.patch +ieee802154-at86rf230-switch-from-bug_on-to-warn_on-on-problem.patch +ieee802154-at86rf230-use-__func__-macro-for-debug-messages.patch +ieee802154-fakelb-switch-from-bug_on-to-warn_on-on-problem.patch +drm-armada-fix-colorkey-mode-property.patch +netfilter-nf_conntrack-fix-possible-possible-crash-on-module-loading.patch +arc-improve-cmpxchg-syscall-implementation.patch +bnxt_en-always-set-output-parameters-in-bnxt_get_max_rings.patch +bnxt_en-fix-for-system-hang-if-request_irq-fails.patch +perf-llvm-utils-remove-bashism-from-kernel-include-fetch-script.patch +nfit-fix-unchecked-dereference-in-acpi_nfit_ctl.patch +rdma-mlx5-fix-memory-leak-in-mlx5_ib_create_srq-error-path.patch +arm-8780-1-ftrace-only-set-kernel-memory-back-to-read-only-after-boot.patch +arm-dra7-omap5-enable-actlr-enable-invalidates-of-btb-for-secondary-cores.patch +arm-dts-am3517.dtsi-disable-reference-to-omap3-otg-controller.patch +ixgbe-be-more-careful-when-modifying-mac-filters.patch +tools-build-use-hostldflags-with-fixdep.patch +packet-reset-network-header-if-packet-shorter-than-ll-reserved-space.patch +qlogic-check-kstrtoul-for-errors.patch +tcp-remove-delayed-ack-events-in-dctcp.patch +pinctrl-nsp-off-by-ones-in-nsp_pinmux_enable.patch +pinctrl-nsp-fix-potential-null-dereference.patch +drm-nouveau-gem-off-by-one-bugs-in-nouveau_gem_pushbuf_reloc_apply.patch +net-ethernet-freescale-fman-fix-cross-build-error.patch +octeon_mgmt-fix-mix-registers-configuration-on-mtu-setup.patch +net-usb-rtl8150-demote-allmulti-message-to-dev_dbg.patch +pci-versatile-fix-i-o-space-page-leak.patch +net-qca_spi-avoid-packet-drop-during-initial-sync.patch +net-qca_spi-make-sure-the-qca7000-reset-is-triggered.patch +net-qca_spi-fix-log-level-if-probe-fails.patch +tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch diff --git a/queue-4.9/sh_eth-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch b/queue-4.9/sh_eth-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch new file mode 100644 index 00000000000..5ac188dead8 --- /dev/null +++ b/queue-4.9/sh_eth-fix-invalid-context-bug-while-calling-auto-negotiation-by-ethtool.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:12:39 +0300 +Subject: sh_eth: fix invalid context bug while calling auto-negotiation by ethtool + +From: Vladimir Zapolskiy + +[ Upstream commit 53a710b5044d8475faa6813000b6dd659400ef7b ] + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however the helper function is +called in atomic context. + +The bug can be reproduced by running "ethtool -r" command, the bug +is reported if CONFIG_DEBUG_ATOMIC_SLEEP build option is enabled. + +Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -2079,18 +2079,10 @@ static void sh_eth_get_regs(struct net_d + + static int sh_eth_nway_reset(struct net_device *ndev) + { +- struct sh_eth_private *mdp = netdev_priv(ndev); +- unsigned long flags; +- int ret; +- + if (!ndev->phydev) + return -ENODEV; + +- spin_lock_irqsave(&mdp->lock, flags); +- ret = phy_start_aneg(ndev->phydev); +- spin_unlock_irqrestore(&mdp->lock, flags); +- +- return ret; ++ return phy_start_aneg(ndev->phydev); + } + + static u32 sh_eth_get_msglevel(struct net_device *ndev) diff --git a/queue-4.9/sh_eth-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch b/queue-4.9/sh_eth-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch new file mode 100644 index 00000000000..40b8e55648c --- /dev/null +++ b/queue-4.9/sh_eth-fix-invalid-context-bug-while-changing-link-options-by-ethtool.patch @@ -0,0 +1,122 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Vladimir Zapolskiy +Date: Wed, 4 Jul 2018 11:12:40 +0300 +Subject: sh_eth: fix invalid context bug while changing link options by ethtool + +From: Vladimir Zapolskiy + +[ Upstream commit 5cb3f52a11e18628fc4bee76dd14b1f0b76349de ] + +The change fixes sleep in atomic context bug, which is encountered +every time when link settings are changed by ethtool. + +Since commit 35b5f6b1a82b ("PHYLIB: Locking fixes for PHY I/O +potentially sleeping") phy_start_aneg() function utilizes a mutex +to serialize changes to phy state, however that helper function is +called in atomic context under a grabbed spinlock, because +phy_start_aneg() is called by phy_ethtool_ksettings_set() and by +replaced phy_ethtool_sset() helpers from phylib. + +Now duplex mode setting is enforced in sh_eth_adjust_link() only, +also now RX/TX is disabled when link is put down or modifications +to E-MAC registers ECMR and GECMR are expected for both cases of +checked and ignored link status pin state from E-MAC interrupt handler. + +For reference the change is a partial rework of commit 1e1b812bbe10 +("sh_eth: fix handling of no LINK signal"). + +Fixes: dc19e4e5e02f ("sh: sh_eth: Add support ethtool") +Signed-off-by: Vladimir Zapolskiy +Reviewed-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 49 ++++++++++------------------------ + 1 file changed, 15 insertions(+), 34 deletions(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -1743,8 +1743,15 @@ static void sh_eth_adjust_link(struct ne + { + struct sh_eth_private *mdp = netdev_priv(ndev); + struct phy_device *phydev = ndev->phydev; ++ unsigned long flags; + int new_state = 0; + ++ spin_lock_irqsave(&mdp->lock, flags); ++ ++ /* Disable TX and RX right over here, if E-MAC change is ignored */ ++ if (mdp->cd->no_psr || mdp->no_ether_link) ++ sh_eth_rcv_snd_disable(ndev); ++ + if (phydev->link) { + if (phydev->duplex != mdp->duplex) { + new_state = 1; +@@ -1763,18 +1770,21 @@ static void sh_eth_adjust_link(struct ne + sh_eth_modify(ndev, ECMR, ECMR_TXF, 0); + new_state = 1; + mdp->link = phydev->link; +- if (mdp->cd->no_psr || mdp->no_ether_link) +- sh_eth_rcv_snd_enable(ndev); + } + } else if (mdp->link) { + new_state = 1; + mdp->link = 0; + mdp->speed = 0; + mdp->duplex = -1; +- if (mdp->cd->no_psr || mdp->no_ether_link) +- sh_eth_rcv_snd_disable(ndev); + } + ++ /* Enable TX and RX right over here, if E-MAC change is ignored */ ++ if ((mdp->cd->no_psr || mdp->no_ether_link) && phydev->link) ++ sh_eth_rcv_snd_enable(ndev); ++ ++ mmiowb(); ++ spin_unlock_irqrestore(&mdp->lock, flags); ++ + if (new_state && netif_msg_link(mdp)) + phy_print_status(phydev); + } +@@ -1856,39 +1866,10 @@ static int sh_eth_get_link_ksettings(str + static int sh_eth_set_link_ksettings(struct net_device *ndev, + const struct ethtool_link_ksettings *cmd) + { +- struct sh_eth_private *mdp = netdev_priv(ndev); +- unsigned long flags; +- int ret; +- + if (!ndev->phydev) + return -ENODEV; + +- spin_lock_irqsave(&mdp->lock, flags); +- +- /* disable tx and rx */ +- sh_eth_rcv_snd_disable(ndev); +- +- ret = phy_ethtool_ksettings_set(ndev->phydev, cmd); +- if (ret) +- goto error_exit; +- +- if (cmd->base.duplex == DUPLEX_FULL) +- mdp->duplex = 1; +- else +- mdp->duplex = 0; +- +- if (mdp->cd->set_duplex) +- mdp->cd->set_duplex(ndev); +- +-error_exit: +- mdelay(1); +- +- /* enable tx and rx */ +- sh_eth_rcv_snd_enable(ndev); +- +- spin_unlock_irqrestore(&mdp->lock, flags); +- +- return ret; ++ return phy_ethtool_ksettings_set(ndev->phydev, cmd); + } + + /* If it is ever necessary to increase SH_ETH_REG_DUMP_MAX_REGS, the diff --git a/queue-4.9/smack-mark-inode-instant-in-smack_task_to_inode.patch b/queue-4.9/smack-mark-inode-instant-in-smack_task_to_inode.patch new file mode 100644 index 00000000000..ad327ee84bc --- /dev/null +++ b/queue-4.9/smack-mark-inode-instant-in-smack_task_to_inode.patch @@ -0,0 +1,34 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Casey Schaufler +Date: Fri, 22 Jun 2018 10:54:45 -0700 +Subject: Smack: Mark inode instant in smack_task_to_inode + +From: Casey Schaufler + +[ Upstream commit 7b4e88434c4e7982fb053c49657e1c8bbb8692d9 ] + +Smack: Mark inode instant in smack_task_to_inode + +/proc clean-up in commit 1bbc55131e59bd099fdc568d3aa0b42634dbd188 +resulted in smack_task_to_inode() being called before smack_d_instantiate. +This resulted in the smk_inode value being ignored, even while present +for files in /proc/self. Marking the inode as instant here fixes that. + +Signed-off-by: Casey Schaufler +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/smack/smack_lsm.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -2307,6 +2307,7 @@ static void smack_task_to_inode(struct t + struct smack_known *skp = smk_of_task_struct(p); + + isp->smk_inode = skp; ++ isp->smk_flags |= SMK_INODE_INSTANT; + } + + /* diff --git a/queue-4.9/smsc75xx-add-workaround-for-gigabit-link-up-hardware-errata.patch b/queue-4.9/smsc75xx-add-workaround-for-gigabit-link-up-hardware-errata.patch new file mode 100644 index 00000000000..94a7eb45cad --- /dev/null +++ b/queue-4.9/smsc75xx-add-workaround-for-gigabit-link-up-hardware-errata.patch @@ -0,0 +1,105 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Yuiko Oshino +Date: Tue, 3 Jul 2018 11:21:46 -0400 +Subject: smsc75xx: Add workaround for gigabit link up hardware errata. + +From: Yuiko Oshino + +[ Upstream commit d461e3da905332189aad546b2ad9adbe6071c7cc ] + +In certain conditions, the device may not be able to link in gigabit mode. This software workaround ensures that the device will not enter the failure state. + +Fixes: d0cad871703b898a442e4049c532ec39168e5b57 ("SMSC75XX USB 2.0 Gigabit Ethernet Devices") +Signed-off-by: Yuiko Oshino +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/smsc75xx.c | 62 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 62 insertions(+) + +--- a/drivers/net/usb/smsc75xx.c ++++ b/drivers/net/usb/smsc75xx.c +@@ -82,6 +82,9 @@ static bool turbo_mode = true; + module_param(turbo_mode, bool, 0644); + MODULE_PARM_DESC(turbo_mode, "Enable multiple frames per Rx transaction"); + ++static int smsc75xx_link_ok_nopm(struct usbnet *dev); ++static int smsc75xx_phy_gig_workaround(struct usbnet *dev); ++ + static int __must_check __smsc75xx_read_reg(struct usbnet *dev, u32 index, + u32 *data, int in_pm) + { +@@ -852,6 +855,9 @@ static int smsc75xx_phy_initialize(struc + return -EIO; + } + ++ /* phy workaround for gig link */ ++ smsc75xx_phy_gig_workaround(dev); ++ + smsc75xx_mdio_write(dev->net, dev->mii.phy_id, MII_ADVERTISE, + ADVERTISE_ALL | ADVERTISE_CSMA | ADVERTISE_PAUSE_CAP | + ADVERTISE_PAUSE_ASYM); +@@ -990,6 +996,62 @@ static int smsc75xx_wait_ready(struct us + return -EIO; + } + ++static int smsc75xx_phy_gig_workaround(struct usbnet *dev) ++{ ++ struct mii_if_info *mii = &dev->mii; ++ int ret = 0, timeout = 0; ++ u32 buf, link_up = 0; ++ ++ /* Set the phy in Gig loopback */ ++ smsc75xx_mdio_write(dev->net, mii->phy_id, MII_BMCR, 0x4040); ++ ++ /* Wait for the link up */ ++ do { ++ link_up = smsc75xx_link_ok_nopm(dev); ++ usleep_range(10000, 20000); ++ timeout++; ++ } while ((!link_up) && (timeout < 1000)); ++ ++ if (timeout >= 1000) { ++ netdev_warn(dev->net, "Timeout waiting for PHY link up\n"); ++ return -EIO; ++ } ++ ++ /* phy reset */ ++ ret = smsc75xx_read_reg(dev, PMT_CTL, &buf); ++ if (ret < 0) { ++ netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n", ret); ++ return ret; ++ } ++ ++ buf |= PMT_CTL_PHY_RST; ++ ++ ret = smsc75xx_write_reg(dev, PMT_CTL, buf); ++ if (ret < 0) { ++ netdev_warn(dev->net, "Failed to write PMT_CTL: %d\n", ret); ++ return ret; ++ } ++ ++ timeout = 0; ++ do { ++ usleep_range(10000, 20000); ++ ret = smsc75xx_read_reg(dev, PMT_CTL, &buf); ++ if (ret < 0) { ++ netdev_warn(dev->net, "Failed to read PMT_CTL: %d\n", ++ ret); ++ return ret; ++ } ++ timeout++; ++ } while ((buf & PMT_CTL_PHY_RST) && (timeout < 100)); ++ ++ if (timeout >= 100) { ++ netdev_warn(dev->net, "timeout waiting for PHY Reset\n"); ++ return -EIO; ++ } ++ ++ return 0; ++} ++ + static int smsc75xx_reset(struct usbnet *dev) + { + struct smsc75xx_priv *pdata = (struct smsc75xx_priv *)(dev->data[0]); diff --git a/queue-4.9/tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch b/queue-4.9/tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch new file mode 100644 index 00000000000..821464b1c73 --- /dev/null +++ b/queue-4.9/tcp-identify-cryptic-messages-as-tcp-seq-bugs.patch @@ -0,0 +1,54 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Randy Dunlap +Date: Tue, 17 Jul 2018 18:27:45 -0700 +Subject: tcp: identify cryptic messages as TCP seq # bugs + +From: Randy Dunlap + +[ Upstream commit e56b8ce363a36fb7b74b80aaa5cc9084f2c908b4 ] + +Attempt to make cryptic TCP seq number error messages clearer by +(1) identifying the source of the message as "TCP", (2) identifying the +errors as "seq # bug", and (3) grouping the field identifiers and values +by separating them with commas. + +E.g., the following message is changed from: + +recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0 +WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90 + +to: + +TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0 +WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0 + +Suggested-by: 積丹尼 Dan Jacobson +Signed-off-by: Randy Dunlap +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -1696,7 +1696,7 @@ int tcp_recvmsg(struct sock *sk, struct + * shouldn't happen. + */ + if (WARN(before(*seq, TCP_SKB_CB(skb)->seq), +- "recvmsg bug: copied %X seq %X rcvnxt %X fl %X\n", ++ "TCP recvmsg seq # bug: copied %X, seq %X, rcvnxt %X, fl %X\n", + *seq, TCP_SKB_CB(skb)->seq, tp->rcv_nxt, + flags)) + break; +@@ -1711,7 +1711,7 @@ int tcp_recvmsg(struct sock *sk, struct + if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) + goto found_fin_ok; + WARN(!(flags & MSG_PEEK), +- "recvmsg bug 2: copied %X seq %X rcvnxt %X fl %X\n", ++ "TCP recvmsg seq # bug 2: copied %X, seq %X, rcvnxt %X, fl %X\n", + *seq, TCP_SKB_CB(skb)->seq, tp->rcv_nxt, flags); + } + diff --git a/queue-4.9/tcp-remove-delayed-ack-events-in-dctcp.patch b/queue-4.9/tcp-remove-delayed-ack-events-in-dctcp.patch new file mode 100644 index 00000000000..2cef1a6daa5 --- /dev/null +++ b/queue-4.9/tcp-remove-delayed-ack-events-in-dctcp.patch @@ -0,0 +1,111 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Yuchung Cheng +Date: Thu, 12 Jul 2018 06:04:53 -0700 +Subject: tcp: remove DELAYED ACK events in DCTCP + +From: Yuchung Cheng + +[ Upstream commit a69258f7aa2623e0930212f09c586fd06674ad79 ] + +After fixing the way DCTCP tracking delayed ACKs, the delayed-ACK +related callbacks are no longer needed + +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Acked-by: Neal Cardwell +Acked-by: Lawrence Brakmo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 2 -- + net/ipv4/tcp_dctcp.c | 25 ------------------------- + net/ipv4/tcp_output.c | 4 ---- + 3 files changed, 31 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -850,8 +850,6 @@ enum tcp_ca_event { + CA_EVENT_LOSS, /* loss timeout */ + CA_EVENT_ECN_NO_CE, /* ECT set, but not CE marked */ + CA_EVENT_ECN_IS_CE, /* received CE marked IP packet */ +- CA_EVENT_DELAYED_ACK, /* Delayed ack is sent */ +- CA_EVENT_NON_DELAYED_ACK, + }; + + /* Information about inbound ACK, passed to cong_ops->in_ack_event() */ +--- a/net/ipv4/tcp_dctcp.c ++++ b/net/ipv4/tcp_dctcp.c +@@ -55,7 +55,6 @@ struct dctcp { + u32 dctcp_alpha; + u32 next_seq; + u32 ce_state; +- u32 delayed_ack_reserved; + u32 loss_cwnd; + }; + +@@ -96,7 +95,6 @@ static void dctcp_init(struct sock *sk) + + ca->dctcp_alpha = min(dctcp_alpha_on_init, DCTCP_MAX_ALPHA); + +- ca->delayed_ack_reserved = 0; + ca->loss_cwnd = 0; + ca->ce_state = 0; + +@@ -230,25 +228,6 @@ static void dctcp_state(struct sock *sk, + } + } + +-static void dctcp_update_ack_reserved(struct sock *sk, enum tcp_ca_event ev) +-{ +- struct dctcp *ca = inet_csk_ca(sk); +- +- switch (ev) { +- case CA_EVENT_DELAYED_ACK: +- if (!ca->delayed_ack_reserved) +- ca->delayed_ack_reserved = 1; +- break; +- case CA_EVENT_NON_DELAYED_ACK: +- if (ca->delayed_ack_reserved) +- ca->delayed_ack_reserved = 0; +- break; +- default: +- /* Don't care for the rest. */ +- break; +- } +-} +- + static void dctcp_cwnd_event(struct sock *sk, enum tcp_ca_event ev) + { + switch (ev) { +@@ -258,10 +237,6 @@ static void dctcp_cwnd_event(struct sock + case CA_EVENT_ECN_NO_CE: + dctcp_ce_state_1_to_0(sk); + break; +- case CA_EVENT_DELAYED_ACK: +- case CA_EVENT_NON_DELAYED_ACK: +- dctcp_update_ack_reserved(sk, ev); +- break; + default: + /* Don't care for the rest. */ + break; +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3444,8 +3444,6 @@ void tcp_send_delayed_ack(struct sock *s + int ato = icsk->icsk_ack.ato; + unsigned long timeout; + +- tcp_ca_event(sk, CA_EVENT_DELAYED_ACK); +- + if (ato > TCP_DELACK_MIN) { + const struct tcp_sock *tp = tcp_sk(sk); + int max_ato = HZ / 2; +@@ -3502,8 +3500,6 @@ void __tcp_send_ack(struct sock *sk, u32 + if (sk->sk_state == TCP_CLOSE) + return; + +- tcp_ca_event(sk, CA_EVENT_NON_DELAYED_ACK); +- + /* We are not putting this on the write queue, so + * tcp_transmit_skb() will set the ownership to this + * sock. diff --git a/queue-4.9/tools-build-use-hostldflags-with-fixdep.patch b/queue-4.9/tools-build-use-hostldflags-with-fixdep.patch new file mode 100644 index 00000000000..ada13d45938 --- /dev/null +++ b/queue-4.9/tools-build-use-hostldflags-with-fixdep.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Laura Abbott +Date: Mon, 9 Jul 2018 17:45:57 -0700 +Subject: tools: build: Use HOSTLDFLAGS with fixdep + +From: Laura Abbott + +[ Upstream commit 8b247a92ebd0cda7dec49a6f771d9c4950f3d3ad ] + +The final link of fixdep uses LDFLAGS but not the existing HOSTLDFLAGS. +Fix this. + +Signed-off-by: Laura Abbott +Acked-by: Jiri Olsa +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/build/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/build/Makefile ++++ b/tools/build/Makefile +@@ -42,7 +42,7 @@ $(OUTPUT)fixdep-in.o: FORCE + $(Q)$(MAKE) $(build)=fixdep + + $(OUTPUT)fixdep: $(OUTPUT)fixdep-in.o +- $(QUIET_LINK)$(HOSTCC) $(LDFLAGS) -o $@ $< ++ $(QUIET_LINK)$(HOSTCC) $(HOSTLDFLAGS) -o $@ $< + + FORCE: + diff --git a/queue-4.9/tracing-use-__printf-markup-to-silence-compiler.patch b/queue-4.9/tracing-use-__printf-markup-to-silence-compiler.patch new file mode 100644 index 00000000000..365239d6497 --- /dev/null +++ b/queue-4.9/tracing-use-__printf-markup-to-silence-compiler.patch @@ -0,0 +1,69 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Mathieu Malaterre +Date: Thu, 8 Mar 2018 21:58:43 +0100 +Subject: tracing: Use __printf markup to silence compiler + +From: Mathieu Malaterre + +[ Upstream commit 26b68dd2f48fe7699a89f0cfbb9f4a650dc1c837 ] + +Silence warnings (triggered at W=1) by adding relevant __printf attributes. + + CC kernel/trace/trace.o +kernel/trace/trace.c: In function ‘__trace_array_vprintk’: +kernel/trace/trace.c:2979:2: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format] + len = vscnprintf(tbuffer, TRACE_BUF_SIZE, fmt, args); + ^~~ + AR kernel/trace/built-in.o + +Link: http://lkml.kernel.org/r/20180308205843.27447-1-malat@debian.org + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2525,6 +2525,7 @@ out_nobuffer: + } + EXPORT_SYMBOL_GPL(trace_vbprintk); + ++__printf(3, 0) + static int + __trace_array_vprintk(struct ring_buffer *buffer, + unsigned long ip, const char *fmt, va_list args) +@@ -2579,12 +2580,14 @@ out_nobuffer: + return len; + } + ++__printf(3, 0) + int trace_array_vprintk(struct trace_array *tr, + unsigned long ip, const char *fmt, va_list args) + { + return __trace_array_vprintk(tr->trace_buffer.buffer, ip, fmt, args); + } + ++__printf(3, 0) + int trace_array_printk(struct trace_array *tr, + unsigned long ip, const char *fmt, ...) + { +@@ -2600,6 +2603,7 @@ int trace_array_printk(struct trace_arra + return ret; + } + ++__printf(3, 4) + int trace_array_printk_buf(struct ring_buffer *buffer, + unsigned long ip, const char *fmt, ...) + { +@@ -2615,6 +2619,7 @@ int trace_array_printk_buf(struct ring_b + return ret; + } + ++__printf(2, 0) + int trace_vprintk(unsigned long ip, const char *fmt, va_list args) + { + return trace_array_vprintk(&global_trace, ip, fmt, args); diff --git a/queue-4.9/usb-dwc2-fix-isoc-split-in-transfer-with-no-data.patch b/queue-4.9/usb-dwc2-fix-isoc-split-in-transfer-with-no-data.patch new file mode 100644 index 00000000000..87c6c00d6ec --- /dev/null +++ b/queue-4.9/usb-dwc2-fix-isoc-split-in-transfer-with-no-data.patch @@ -0,0 +1,59 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: William Wu +Date: Fri, 11 May 2018 17:46:32 +0800 +Subject: usb: dwc2: fix isoc split in transfer with no data + +From: William Wu + +[ Upstream commit 70c3c8cb83856758025c2a211dd022bc0478922a ] + +If isoc split in transfer with no data (the length of DATA0 +packet is zero), we can't simply return immediately. Because +the DATA0 can be the first transaction or the second transaction +for the isoc split in transaction. If the DATA0 packet with no +data is in the first transaction, we can return immediately. +But if the DATA0 packet with no data is in the second transaction +of isoc split in transaction sequence, we need to increase the +qtd->isoc_frame_index and giveback urb to device driver if needed, +otherwise, the MDATA packet will be lost. + +A typical test case is that connect the dwc2 controller with an +usb hs Hub (GL852G-12), and plug an usb fs audio device (Plantronics +headset) into the downstream port of Hub. Then use the usb mic +to record, we can find noise when playback. + +In the case, the isoc split in transaction sequence like this: + +- SSPLIT IN transaction +- CSPLIT IN transaction + - MDATA packet (176 bytes) +- CSPLIT IN transaction + - DATA0 packet (0 byte) + +This patch use both the length of DATA0 and qtd->isoc_split_offset +to check if the DATA0 is in the second transaction. + +Tested-by: Gevorg Sahakyan +Tested-by: Heiko Stuebner +Acked-by: Minas Harutyunyan hminas@synopsys.com> +Signed-off-by: William Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd_intr.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/dwc2/hcd_intr.c ++++ b/drivers/usb/dwc2/hcd_intr.c +@@ -922,9 +922,8 @@ static int dwc2_xfercomp_isoc_split_in(s + frame_desc = &qtd->urb->iso_descs[qtd->isoc_frame_index]; + len = dwc2_get_actual_xfer_length(hsotg, chan, chnum, qtd, + DWC2_HC_XFER_COMPLETE, NULL); +- if (!len) { ++ if (!len && !qtd->isoc_split_offset) { + qtd->complete_split = 0; +- qtd->isoc_split_offset = 0; + return 0; + } + diff --git a/queue-4.9/usb-dwc3-of-simple-fix-use-after-free-on-remove.patch b/queue-4.9/usb-dwc3-of-simple-fix-use-after-free-on-remove.patch new file mode 100644 index 00000000000..2e3c0e76761 --- /dev/null +++ b/queue-4.9/usb-dwc3-of-simple-fix-use-after-free-on-remove.patch @@ -0,0 +1,35 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Johan Hovold +Date: Thu, 31 May 2018 16:45:52 +0200 +Subject: usb: dwc3: of-simple: fix use-after-free on remove + +From: Johan Hovold + +[ Upstream commit 896e518883f18e601335908192e33426c1f599a4 ] + +The clocks have already been explicitly disabled and put as part of +remove() so the runtime suspend callback must not be run when balancing +the runtime PM usage count before returning. + +Fixes: 16adc674d0d6 ("usb: dwc3: add generic OF glue layer") +Signed-off-by: Johan Hovold +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-of-simple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/dwc3-of-simple.c ++++ b/drivers/usb/dwc3/dwc3-of-simple.c +@@ -132,8 +132,9 @@ static int dwc3_of_simple_remove(struct + + of_platform_depopulate(dev); + +- pm_runtime_put_sync(dev); + pm_runtime_disable(dev); ++ pm_runtime_put_noidle(dev); ++ pm_runtime_set_suspended(dev); + + return 0; + } diff --git a/queue-4.9/usb-gadget-composite-fix-delayed_status-race-condition-when-set_interface.patch b/queue-4.9/usb-gadget-composite-fix-delayed_status-race-condition-when-set_interface.patch new file mode 100644 index 00000000000..16ba5ea0827 --- /dev/null +++ b/queue-4.9/usb-gadget-composite-fix-delayed_status-race-condition-when-set_interface.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Chunfeng Yun +Date: Fri, 25 May 2018 17:24:57 +0800 +Subject: usb: gadget: composite: fix delayed_status race condition when set_interface + +From: Chunfeng Yun + +[ Upstream commit 980900d6318066b9f8314bfb87329a20fd0d1ca4 ] + +It happens when enable debug log, if set_alt() returns +USB_GADGET_DELAYED_STATUS and usb_composite_setup_continue() +is called before increasing count of @delayed_status, +so fix it by using spinlock of @cdev->lock. + +Signed-off-by: Chunfeng Yun +Tested-by: Jay Hsu +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1712,6 +1712,8 @@ composite_setup(struct usb_gadget *gadge + */ + if (w_value && !f->get_alt) + break; ++ ++ spin_lock(&cdev->lock); + value = f->set_alt(f, w_index, w_value); + if (value == USB_GADGET_DELAYED_STATUS) { + DBG(cdev, +@@ -1721,6 +1723,7 @@ composite_setup(struct usb_gadget *gadge + DBG(cdev, "delayed_status count %d\n", + cdev->delayed_status); + } ++ spin_unlock(&cdev->lock); + break; + case USB_REQ_GET_INTERFACE: + if (ctrl->bRequestType != (USB_DIR_IN|USB_RECIP_INTERFACE)) diff --git a/queue-4.9/usb-gadget-dwc2-fix-memory-leak-in-gadget_init.patch b/queue-4.9/usb-gadget-dwc2-fix-memory-leak-in-gadget_init.patch new file mode 100644 index 00000000000..870c568f435 --- /dev/null +++ b/queue-4.9/usb-gadget-dwc2-fix-memory-leak-in-gadget_init.patch @@ -0,0 +1,49 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Grigor Tovmasyan +Date: Thu, 24 May 2018 18:22:30 +0400 +Subject: usb: gadget: dwc2: fix memory leak in gadget_init() + +From: Grigor Tovmasyan + +[ Upstream commit 9bb073a053f0464ea74a4d4c331fdb7da58568d6 ] + +Freed allocated request for ep0 to prevent memory leak in case when +dwc2_driver_probe() failed. + +Cc: Stefan Wahren +Cc: Marek Szyprowski +Tested-by: Stefan Wahren +Tested-by: Marek Szyprowski +Acked-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -3948,9 +3948,11 @@ int dwc2_gadget_init(struct dwc2_hsotg * + } + + ret = usb_add_gadget_udc(dev, &hsotg->gadget); +- if (ret) ++ if (ret) { ++ dwc2_hsotg_ep_free_request(&hsotg->eps_out[0]->ep, ++ hsotg->ctrl_req); + return ret; +- ++ } + dwc2_hsotg_dump(hsotg); + + return 0; +@@ -3963,6 +3965,7 @@ int dwc2_gadget_init(struct dwc2_hsotg * + int dwc2_hsotg_remove(struct dwc2_hsotg *hsotg) + { + usb_del_gadget_udc(&hsotg->gadget); ++ dwc2_hsotg_ep_free_request(&hsotg->eps_out[0]->ep, hsotg->ctrl_req); + + return 0; + } diff --git a/queue-4.9/usb-xhci-increase-crs-timeout-value.patch b/queue-4.9/usb-xhci-increase-crs-timeout-value.patch new file mode 100644 index 00000000000..fe69daa5bd2 --- /dev/null +++ b/queue-4.9/usb-xhci-increase-crs-timeout-value.patch @@ -0,0 +1,42 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Ajay Gupta +Date: Thu, 21 Jun 2018 16:19:45 +0300 +Subject: usb: xhci: increase CRS timeout value + +From: Ajay Gupta + +[ Upstream commit 305886ca87be480ae159908c2affd135c04215cf ] + +Some controllers take almost 55ms to complete controller +restore state (CRS). +There is no timeout limit mentioned in xhci specification so +fixing the issue by increasing the timeout limit to 100ms + +[reformat code comment -Mathias] +Signed-off-by: Ajay Gupta +Signed-off-by: Nagaraj Annaiah +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1056,8 +1056,13 @@ int xhci_resume(struct xhci_hcd *xhci, b + command = readl(&xhci->op_regs->command); + command |= CMD_CRS; + writel(command, &xhci->op_regs->command); ++ /* ++ * Some controllers take up to 55+ ms to complete the controller ++ * restore so setting the timeout to 100ms. Xhci specification ++ * doesn't mention any timeout value. ++ */ + if (xhci_handshake(&xhci->op_regs->status, +- STS_RESTORE, 0, 10 * 1000)) { ++ STS_RESTORE, 0, 100 * 1000)) { + xhci_warn(xhci, "WARN: xHC restore state timeout\n"); + spin_unlock_irq(&xhci->lock); + return -ETIMEDOUT; diff --git a/queue-4.9/usb-xhci-remove-the-code-build-warning.patch b/queue-4.9/usb-xhci-remove-the-code-build-warning.patch new file mode 100644 index 00000000000..d55d1e246e9 --- /dev/null +++ b/queue-4.9/usb-xhci-remove-the-code-build-warning.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Dongjiu Geng +Date: Thu, 21 Jun 2018 16:19:43 +0300 +Subject: usb: xhci: remove the code build warning + +From: Dongjiu Geng + +[ Upstream commit 36eb93509c45d0bdbd8d09a01ab9d857972f5963 ] + +Initialize the 'err' variate to remove the build warning, +the warning is shown as below: + +drivers/usb/host/xhci-tegra.c: In function 'tegra_xusb_mbox_thread': +drivers/usb/host/xhci-tegra.c:552:6: warning: 'err' may be used uninitialized in this function [-Wuninitialized] +drivers/usb/host/xhci-tegra.c:482:6: note: 'err' was declared here + +Fixes: e84fce0f8837 ("usb: xhci: Add NVIDIA Tegra XUSB controller driver") +Signed-off-by: Dongjiu Geng +Acked-by: Thierry Reding +Acked-by: Jon Hunter +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -482,7 +482,7 @@ static void tegra_xusb_mbox_handle(struc + unsigned long mask; + unsigned int port; + bool idle, enable; +- int err; ++ int err = 0; + + memset(&rsp, 0, sizeof(rsp)); + diff --git a/queue-4.9/xen-add-error-handling-for-xenbus_printf.patch b/queue-4.9/xen-add-error-handling-for-xenbus_printf.patch new file mode 100644 index 00000000000..caa0841d940 --- /dev/null +++ b/queue-4.9/xen-add-error-handling-for-xenbus_printf.patch @@ -0,0 +1,57 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Zhouyang Jia +Date: Fri, 15 Jun 2018 07:34:52 +0800 +Subject: xen: add error handling for xenbus_printf + +From: Zhouyang Jia + +[ Upstream commit 84c029a73327cef571eaa61c7d6e67e8031b52ec ] + +When xenbus_printf fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling xenbus_printf. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Boris Ostrovsky +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/manage.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/xen/manage.c ++++ b/drivers/xen/manage.c +@@ -291,8 +291,15 @@ static void sysrq_handler(struct xenbus_ + return; + } + +- if (sysrq_key != '\0') +- xenbus_printf(xbt, "control", "sysrq", "%c", '\0'); ++ if (sysrq_key != '\0') { ++ err = xenbus_printf(xbt, "control", "sysrq", "%c", '\0'); ++ if (err) { ++ pr_err("%s: Error %d writing sysrq in control/sysrq\n", ++ __func__, err); ++ xenbus_transaction_end(xbt, 1); ++ return; ++ } ++ } + + err = xenbus_transaction_end(xbt, 0); + if (err == -EAGAIN) +@@ -344,7 +351,12 @@ static int setup_shutdown_watcher(void) + continue; + snprintf(node, FEATURE_PATH_SIZE, "feature-%s", + shutdown_handlers[idx].command); +- xenbus_printf(XBT_NIL, "control", node, "%u", 1); ++ err = xenbus_printf(XBT_NIL, "control", node, "%u", 1); ++ if (err) { ++ pr_err("%s: Error %d writing %s\n", __func__, ++ err, node); ++ return err; ++ } + } + + return 0; diff --git a/queue-4.9/xen-scsiback-add-error-handling-for-xenbus_printf.patch b/queue-4.9/xen-scsiback-add-error-handling-for-xenbus_printf.patch new file mode 100644 index 00000000000..1cac5c1694a --- /dev/null +++ b/queue-4.9/xen-scsiback-add-error-handling-for-xenbus_printf.patch @@ -0,0 +1,72 @@ +From foo@baz Wed Aug 22 09:42:09 CEST 2018 +From: Zhouyang Jia +Date: Sat, 16 Jun 2018 08:14:37 +0800 +Subject: xen/scsiback: add error handling for xenbus_printf + +From: Zhouyang Jia + +[ Upstream commit 7c63ca24c878e0051c91904b72174029320ef4bd ] + +When xenbus_printf fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling xenbus_printf. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xen-scsiback.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/xen/xen-scsiback.c ++++ b/drivers/xen/xen-scsiback.c +@@ -1014,6 +1014,7 @@ static void scsiback_do_add_lun(struct v + { + struct v2p_entry *entry; + unsigned long flags; ++ int err; + + if (try) { + spin_lock_irqsave(&info->v2p_lock, flags); +@@ -1029,8 +1030,11 @@ static void scsiback_do_add_lun(struct v + scsiback_del_translation_entry(info, vir); + } + } else if (!try) { +- xenbus_printf(XBT_NIL, info->dev->nodename, state, ++ err = xenbus_printf(XBT_NIL, info->dev->nodename, state, + "%d", XenbusStateClosed); ++ if (err) ++ xenbus_dev_error(info->dev, err, ++ "%s: writing %s", __func__, state); + } + } + +@@ -1069,8 +1073,11 @@ static void scsiback_do_1lun_hotplug(str + snprintf(str, sizeof(str), "vscsi-devs/%s/p-dev", ent); + val = xenbus_read(XBT_NIL, dev->nodename, str, NULL); + if (IS_ERR(val)) { +- xenbus_printf(XBT_NIL, dev->nodename, state, ++ err = xenbus_printf(XBT_NIL, dev->nodename, state, + "%d", XenbusStateClosed); ++ if (err) ++ xenbus_dev_error(info->dev, err, ++ "%s: writing %s", __func__, state); + return; + } + strlcpy(phy, val, VSCSI_NAMELEN); +@@ -1081,8 +1088,11 @@ static void scsiback_do_1lun_hotplug(str + err = xenbus_scanf(XBT_NIL, dev->nodename, str, "%u:%u:%u:%u", + &vir.hst, &vir.chn, &vir.tgt, &vir.lun); + if (XENBUS_EXIST_ERR(err)) { +- xenbus_printf(XBT_NIL, dev->nodename, state, ++ err = xenbus_printf(XBT_NIL, dev->nodename, state, + "%d", XenbusStateClosed); ++ if (err) ++ xenbus_dev_error(info->dev, err, ++ "%s: writing %s", __func__, state); + return; + } +