From: Greg Kroah-Hartman Date: Mon, 19 Mar 2018 09:12:48 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.15.12~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1e9e2874a327c47cd7b96dad7594a7d39dd4b62c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: apparmor-make-path_max-parameter-readonly.patch arm-dra7-hwmod_data-prevent-wait_target_disable-error-for-usb_otg_ss.patch arm-dts-adjust-moxart-irq-controller-and-flags.patch arm-dts-am335x-pepper-fix-the-audio-codec-s-reset-pin.patch arm-dts-omap3-n900-fix-the-audio-codec-s-reset-pin.patch arm-dts-r8a7790-correct-parent-of-ssi-clocks.patch arm-dts-r8a7791-correct-parent-of-ssi-clocks.patch asoc-nuc900-fix-a-loop-timeout-test.patch ath10k-disallow-dfs-simulation-if-dfs-channel-is-not-enabled.patch batman-adv-handle-race-condition-for-claims-between-gateways.patch blk-throttle-make-sure-expire-time-isn-t-too-big.patch braille-console-fix-value-returned-by-_braille_console_setup.patch drivers-net-xgene-fix-hardware-checksum-setting.patch drm-defer-disabling-the-vblank-irq-until-the-next-interrupt-for-instant-off.patch drm-radeon-fail-fb-creation-from-imported-dma-bufs.patch fm10k-correctly-check-if-interface-is-removed.patch hid-clamp-input-to-logical-range-if-no-null-state.patch hid-elo-clear-btn_left-mapping.patch hid-reject-input-outside-logical-range-only-if-null-state-is-set.patch ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch input-tsc2007-check-for-presence-and-power-down-tsc2007-during-probe.patch iommu-iova-fix-underflow-bug-in-__alloc_and_insert_iova_range.patch kprobes-x86-fix-kprobe-booster-not-to-boost-far-call-instructions.patch kprobes-x86-set-kprobes-pages-read-only.patch mac80211-remove-bug-when-interface-type-is-invalid.patch media-cpia2-fix-a-couple-off-by-one-bugs.patch media-i2c-soc_camera-fix-ov6650-sensor-getting-wrong-clock.patch mips-bpf-quit-clobbering-callee-saved-registers-in-jit-code.patch mm-fix-false-positive-vm_bug_on-in-page_cache_-get-add-_speculative.patch mtd-nand-fix-interpretation-of-nand_cmd_none-in-nand_command.patch mtd-nand-ifc-update-bufnum-mask-for-ver-2.0.0.patch net-faraday-add-missing-include-of-of.h.patch net-mvpp2-set-dma-mask-and-coherent-dma-mask-on-ppv2.2.patch net-xfrm-allow-clearing-socket-xfrm-policies.patch of-fix-of_device_get_modalias-returned-length-when-truncating-buffers.patch pci-msi-stop-disabling-msi-msi-x-in-pci_device_shutdown.patch perf-inject-copy-events-when-reordering-events-in-pipe-mode.patch perf-session-don-t-rely-on-evlist-in-pipe-mode.patch perf-tools-make-perf_event__synthesize_mmap_events-scale.patch powerpc-avoid-taking-a-data-miss-on-every-userspace-instruction-miss.patch rcutorture-configinit-fix-build-directory-error-message.patch regulator-isl9305-fix-array-size.patch reiserfs-make-cancel_old_flush-reliable.patch sched-act_csum-don-t-mangle-tcp-and-udp-gso-packets.patch sched-stop-resched_cpu-from-sending-ipis-to-offline-cpus.patch scsi-devinfo-apply-to-hp-xp-the-same-flags-as-hitachi-vsp.patch scsi-ipr-fix-missed-eh-wakeup.patch scsi-sg-check-for-valid-direction-before-starting-the-request.patch scsi-sg-close-race-condition-in-sg_remove_sfp_usercontext.patch selinux-check-for-address-length-in-selinux_socket_bind.patch spi-omap2-mcspi-poll-omap2_mcspi_chstat_rxs-for-pio-transfer.patch spi-sun6i-disable-unprepare-clocks-on-remove.patch tcp-sysctl-fix-a-race-to-avoid-unexpected-0-window-from-space.patch timers-sched_clock-update-timeout-for-clock-wrap.patch tools-usbip-fixes-build-with-musl-libc-toolchain.patch usb-gadget-dummy_hcd-fix-wrong-power-status-bit-clear-reset-in-dummy_hub_control.patch veth-set-peer-gso-values.patch video-arm-clcd-fix-dma-allocation-size.patch wil6210-fix-memory-access-violation-in-wil_memcpy_from-toio_32.patch --- diff --git a/queue-3.18/apparmor-make-path_max-parameter-readonly.patch b/queue-3.18/apparmor-make-path_max-parameter-readonly.patch new file mode 100644 index 00000000000..3fa2fa1b933 --- /dev/null +++ b/queue-3.18/apparmor-make-path_max-parameter-readonly.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: John Johansen +Date: Thu, 6 Apr 2017 06:55:24 -0700 +Subject: apparmor: Make path_max parameter readonly + +From: John Johansen + + +[ Upstream commit 622f6e3265707ebf02ba776ac6e68003bcc31213 ] + +The path_max parameter determines the max size of buffers allocated +but it should not be setable at run time. If can be used to cause an +oops + +root@ubuntu:~# echo 16777216 > /sys/module/apparmor/parameters/path_max +root@ubuntu:~# cat /sys/module/apparmor/parameters/path_max +Killed + +[ 122.141911] BUG: unable to handle kernel paging request at ffff880080945fff +[ 122.143497] IP: [] d_absolute_path+0x44/0xa0 +[ 122.144742] PGD 220c067 PUD 0 +[ 122.145453] Oops: 0002 [#1] SMP +[ 122.146204] Modules linked in: vmw_vsock_vmci_transport vsock ppdev vmw_balloon snd_ens1371 btusb snd_ac97_codec gameport snd_rawmidi btrtl snd_seq_device ac97_bus btbcm btintel snd_pcm input_leds bluetooth snd_timer snd joydev soundcore serio_raw coretemp shpchp nfit parport_pc i2c_piix4 8250_fintek vmw_vmci parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd vmwgfx psmouse mptspi ttm mptscsih drm_kms_helper mptbase syscopyarea scsi_transport_spi sysfillrect +[ 122.163365] ahci sysimgblt e1000 fb_sys_fops libahci drm pata_acpi fjes +[ 122.164747] CPU: 3 PID: 1501 Comm: bash Not tainted 4.4.0-59-generic #80-Ubuntu +[ 122.166250] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 +[ 122.168611] task: ffff88003496aa00 ti: ffff880076474000 task.ti: ffff880076474000 +[ 122.170018] RIP: 0010:[] [] d_absolute_path+0x44/0xa0 +[ 122.171525] RSP: 0018:ffff880076477b90 EFLAGS: 00010206 +[ 122.172462] RAX: ffff880080945fff RBX: 0000000000000000 RCX: 0000000001000000 +[ 122.173709] RDX: 0000000000ffffff RSI: ffff880080946000 RDI: ffff8800348a1010 +[ 122.174978] RBP: ffff880076477bb8 R08: ffff880076477c80 R09: 0000000000000000 +[ 122.176227] R10: 00007ffffffff000 R11: ffff88007f946000 R12: ffff88007f946000 +[ 122.177496] R13: ffff880076477c80 R14: ffff8800348a1010 R15: ffff8800348a2400 +[ 122.178745] FS: 00007fd459eb4700(0000) GS:ffff88007b6c0000(0000) knlGS:0000000000000000 +[ 122.180176] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 122.181186] CR2: ffff880080945fff CR3: 0000000073422000 CR4: 00000000001406e0 +[ 122.182469] Stack: +[ 122.182843] 00ffffff00000001 ffff880080946000 0000000000000000 0000000000000000 +[ 122.184409] 00000000570f789c ffff880076477c30 ffffffff81385671 ffff88007a2e7a58 +[ 122.185810] 0000000000000000 ffff880076477c88 01000000008a1000 0000000000000000 +[ 122.187231] Call Trace: +[ 122.187680] [] aa_path_name+0x81/0x370 +[ 122.188637] [] profile_transition+0xbd/0xb80 +[ 122.190181] [] ? zone_statistics+0x7c/0xa0 +[ 122.191674] [] apparmor_bprm_set_creds+0x9b0/0xac0 +[ 122.193288] [] ? ext4_xattr_get+0x81/0x220 +[ 122.194793] [] ? ext4_xattr_security_get+0x1c/0x30 +[ 122.196392] [] ? get_vfs_caps_from_disk+0x69/0x110 +[ 122.198004] [] ? mnt_may_suid+0x3f/0x50 +[ 122.199737] [] ? cap_bprm_set_creds+0xa3/0x600 +[ 122.201377] [] security_bprm_set_creds+0x33/0x50 +[ 122.203024] [] prepare_binprm+0x85/0x190 +[ 122.204515] [] do_execveat_common.isra.33+0x485/0x710 +[ 122.206200] [] SyS_execve+0x3a/0x50 +[ 122.207615] [] stub_execve+0x5/0x5 +[ 122.208978] [] ? entry_SYSCALL_64_fastpath+0x16/0x71 +[ 122.210615] Code: f8 31 c0 48 63 c2 83 ea 01 48 c7 45 e8 00 00 00 00 48 01 c6 85 d2 48 c7 45 f0 00 00 00 00 48 89 75 e0 89 55 dc 78 0c 48 8d 46 ff 46 ff 00 48 89 45 e0 48 8d 55 e0 48 8d 4d dc 48 8d 75 e8 e8 +[ 122.217320] RIP [] d_absolute_path+0x44/0xa0 +[ 122.218860] RSP +[ 122.219919] CR2: ffff880080945fff +[ 122.220936] ---[ end trace 506cdbd85eb6c55e ]--- + +Reported-by: Tetsuo Handa +Signed-off-by: John Johansen +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/apparmor/lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/apparmor/lsm.c ++++ b/security/apparmor/lsm.c +@@ -735,7 +735,7 @@ module_param_named(logsyscall, aa_g_logs + + /* Maximum pathname length before accesses will start getting rejected */ + unsigned int aa_g_path_max = 2 * PATH_MAX; +-module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); ++module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); + + /* Determines how paranoid loading of policy is and how much verification + * on the loaded policy is done. diff --git a/queue-3.18/arm-dra7-hwmod_data-prevent-wait_target_disable-error-for-usb_otg_ss.patch b/queue-3.18/arm-dra7-hwmod_data-prevent-wait_target_disable-error-for-usb_otg_ss.patch new file mode 100644 index 00000000000..3d8f243b249 --- /dev/null +++ b/queue-3.18/arm-dra7-hwmod_data-prevent-wait_target_disable-error-for-usb_otg_ss.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Roger Quadros +Date: Mon, 13 Mar 2017 13:53:16 +0200 +Subject: ARM: DRA7: hwmod_data: Prevent wait_target_disable error for usb_otg_ss + +From: Roger Quadros + + +[ Upstream commit e2d54fe76997301b49311bde7ba8ef52b47896f9 ] + +It seems that if L3_INIT clkdomain is kept in HW_AUTO while usb_otg_ss +is in use then there are random chances that the usb_otg_ss module +will fail to completely idle. i.e. IDLEST = 0x2 instead of 0x3. + +Preventing L3_INIT from HW_AUTO while usb_otg_ss module is in use +fixes this issue. + +We don't know yet if usb_otg_ss instances 3 and 4 are affected by this +issue or not so don't add this flag for those instances. + +Cc: Tero Kristo +Signed-off-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap_hwmod_7xx_data.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-omap2/omap_hwmod_7xx_data.c ++++ b/arch/arm/mach-omap2/omap_hwmod_7xx_data.c +@@ -2106,6 +2106,7 @@ static struct omap_hwmod dra7xx_usb_otg_ + .class = &dra7xx_usb_otg_ss_hwmod_class, + .clkdm_name = "l3init_clkdm", + .main_clk = "dpll_core_h13x2_ck", ++ .flags = HWMOD_CLKDM_NOAUTO, + .prcm = { + .omap4 = { + .clkctrl_offs = DRA7XX_CM_L3INIT_USB_OTG_SS1_CLKCTRL_OFFSET, +@@ -2127,6 +2128,7 @@ static struct omap_hwmod dra7xx_usb_otg_ + .class = &dra7xx_usb_otg_ss_hwmod_class, + .clkdm_name = "l3init_clkdm", + .main_clk = "dpll_core_h13x2_ck", ++ .flags = HWMOD_CLKDM_NOAUTO, + .prcm = { + .omap4 = { + .clkctrl_offs = DRA7XX_CM_L3INIT_USB_OTG_SS2_CLKCTRL_OFFSET, diff --git a/queue-3.18/arm-dts-adjust-moxart-irq-controller-and-flags.patch b/queue-3.18/arm-dts-adjust-moxart-irq-controller-and-flags.patch new file mode 100644 index 00000000000..507dd543172 --- /dev/null +++ b/queue-3.18/arm-dts-adjust-moxart-irq-controller-and-flags.patch @@ -0,0 +1,119 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Linus Walleij +Date: Sat, 18 Mar 2017 17:40:01 +0100 +Subject: ARM: dts: Adjust moxart IRQ controller and flags + +From: Linus Walleij + + +[ Upstream commit c2a736b698008d296c5010ec39077eeb5796109f ] + +The moxart interrupt line flags were not respected in previous +driver: instead of assigning them per-consumer, a fixes mask +was set in the controller. + +With the migration to a standard Faraday driver we need to +set up and handle the consumer flags correctly. Also remove +the Moxart-specific flags when switching to using real consumer +flags. + +Extend the register window to 0x100 bytes as we may have a few +more registers in there and it doesn't hurt. + +Tested-by: Jonas Jensen +Signed-off-by: Jonas Jensen +Signed-off-by: Linus Walleij +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/moxart-uc7112lx.dts | 2 +- + arch/arm/boot/dts/moxart.dtsi | 17 +++++++++-------- + 2 files changed, 10 insertions(+), 9 deletions(-) + +--- a/arch/arm/boot/dts/moxart-uc7112lx.dts ++++ b/arch/arm/boot/dts/moxart-uc7112lx.dts +@@ -6,7 +6,7 @@ + */ + + /dts-v1/; +-/include/ "moxart.dtsi" ++#include "moxart.dtsi" + + / { + model = "MOXA UC-7112-LX"; +--- a/arch/arm/boot/dts/moxart.dtsi ++++ b/arch/arm/boot/dts/moxart.dtsi +@@ -6,6 +6,7 @@ + */ + + /include/ "skeleton.dtsi" ++#include + + / { + compatible = "moxa,moxart"; +@@ -36,8 +37,8 @@ + ranges; + + intc: interrupt-controller@98800000 { +- compatible = "moxa,moxart-ic"; +- reg = <0x98800000 0x38>; ++ compatible = "moxa,moxart-ic", "faraday,ftintc010"; ++ reg = <0x98800000 0x100>; + interrupt-controller; + #interrupt-cells = <2>; + interrupt-mask = <0x00080000>; +@@ -59,7 +60,7 @@ + timer: timer@98400000 { + compatible = "moxa,moxart-timer"; + reg = <0x98400000 0x42>; +- interrupts = <19 1>; ++ interrupts = <19 IRQ_TYPE_EDGE_FALLING>; + clocks = <&clk_apb>; + }; + +@@ -80,7 +81,7 @@ + dma: dma@90500000 { + compatible = "moxa,moxart-dma"; + reg = <0x90500080 0x40>; +- interrupts = <24 0>; ++ interrupts = <24 IRQ_TYPE_LEVEL_HIGH>; + #dma-cells = <1>; + }; + +@@ -93,7 +94,7 @@ + sdhci: sdhci@98e00000 { + compatible = "moxa,moxart-sdhci"; + reg = <0x98e00000 0x5C>; +- interrupts = <5 0>; ++ interrupts = <5 IRQ_TYPE_LEVEL_HIGH>; + clocks = <&clk_apb>; + dmas = <&dma 5>, + <&dma 5>; +@@ -120,7 +121,7 @@ + mac0: mac@90900000 { + compatible = "moxa,moxart-mac"; + reg = <0x90900000 0x90>; +- interrupts = <25 0>; ++ interrupts = <25 IRQ_TYPE_LEVEL_HIGH>; + phy-handle = <ðphy0>; + phy-mode = "mii"; + status = "disabled"; +@@ -129,7 +130,7 @@ + mac1: mac@92000000 { + compatible = "moxa,moxart-mac"; + reg = <0x92000000 0x90>; +- interrupts = <27 0>; ++ interrupts = <27 IRQ_TYPE_LEVEL_HIGH>; + phy-handle = <ðphy1>; + phy-mode = "mii"; + status = "disabled"; +@@ -138,7 +139,7 @@ + uart0: uart@98200000 { + compatible = "ns16550a"; + reg = <0x98200000 0x20>; +- interrupts = <31 8>; ++ interrupts = <31 IRQ_TYPE_LEVEL_HIGH>; + reg-shift = <2>; + reg-io-width = <4>; + clock-frequency = <14745600>; diff --git a/queue-3.18/arm-dts-am335x-pepper-fix-the-audio-codec-s-reset-pin.patch b/queue-3.18/arm-dts-am335x-pepper-fix-the-audio-codec-s-reset-pin.patch new file mode 100644 index 00000000000..880b25f9c38 --- /dev/null +++ b/queue-3.18/arm-dts-am335x-pepper-fix-the-audio-codec-s-reset-pin.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Andrew F. Davis" +Date: Wed, 29 Nov 2017 11:13:56 -0600 +Subject: ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin + +From: "Andrew F. Davis" + + +[ Upstream commit e153db03c6b7a035c797bcdf35262586f003ee93 ] + +The correct DT property for specifying a GPIO used for reset +is "reset-gpios", fix this here. + +Fixes: 4341881d0562 ("ARM: dts: Add devicetree for Gumstix Pepper board") + +Signed-off-by: Andrew F. Davis +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/am335x-pepper.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/am335x-pepper.dts ++++ b/arch/arm/boot/dts/am335x-pepper.dts +@@ -138,7 +138,7 @@ + &audio_codec { + status = "okay"; + +- gpio-reset = <&gpio1 16 GPIO_ACTIVE_LOW>; ++ reset-gpios = <&gpio1 16 GPIO_ACTIVE_LOW>; + AVDD-supply = <&ldo3_reg>; + IOVDD-supply = <&ldo3_reg>; + DRVDD-supply = <&ldo3_reg>; diff --git a/queue-3.18/arm-dts-omap3-n900-fix-the-audio-codec-s-reset-pin.patch b/queue-3.18/arm-dts-omap3-n900-fix-the-audio-codec-s-reset-pin.patch new file mode 100644 index 00000000000..2af279ebb7c --- /dev/null +++ b/queue-3.18/arm-dts-omap3-n900-fix-the-audio-codec-s-reset-pin.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Andrew F. Davis" +Date: Wed, 29 Nov 2017 11:13:59 -0600 +Subject: ARM: dts: omap3-n900: Fix the audio CODEC's reset pin + +From: "Andrew F. Davis" + + +[ Upstream commit 7be4b5dc7ffa9499ac6ef33a5ffa9ff43f9b7057 ] + +The correct DT property for specifying a GPIO used for reset +is "reset-gpios", fix this here. + +Fixes: 14e3e295b2b9 ("ARM: dts: omap3-n900: Add TLV320AIC3X support") + +Signed-off-by: Andrew F. Davis +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/omap3-n900.dts | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/omap3-n900.dts ++++ b/arch/arm/boot/dts/omap3-n900.dts +@@ -435,7 +435,7 @@ + tlv320aic3x: tlv320aic3x@18 { + compatible = "ti,tlv320aic3x"; + reg = <0x18>; +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ + ai3x-gpio-func = < + 0 /* AIC3X_GPIO1_FUNC_DISABLED */ + 5 /* AIC3X_GPIO2_FUNC_DIGITAL_MIC_INPUT */ +@@ -452,7 +452,7 @@ + tlv320aic3x_aux: tlv320aic3x@19 { + compatible = "ti,tlv320aic3x"; + reg = <0x19>; +- gpio-reset = <&gpio2 28 GPIO_ACTIVE_HIGH>; /* 60 */ ++ reset-gpios = <&gpio2 28 GPIO_ACTIVE_LOW>; /* 60 */ + + AVDD-supply = <&vmmc2>; + DRVDD-supply = <&vmmc2>; diff --git a/queue-3.18/arm-dts-r8a7790-correct-parent-of-ssi-clocks.patch b/queue-3.18/arm-dts-r8a7790-correct-parent-of-ssi-clocks.patch new file mode 100644 index 00000000000..0c2728ccfed --- /dev/null +++ b/queue-3.18/arm-dts-r8a7790-correct-parent-of-ssi-clocks.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Geert Uytterhoeven +Date: Mon, 3 Apr 2017 11:45:41 +0200 +Subject: ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks + +From: Geert Uytterhoeven + + +[ Upstream commit d13d4e063d4a08eb1686e890e9183dde709871bf ] + +The SSI-ALL gate clock is located in between the P clock and the +individual SSI[0-9] clocks, hence the former should be listed as their +parent. + +Fixes: bcde372254386872 ("ARM: shmobile: r8a7790: add MSTP10 support on DTSI") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7790.dtsi | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/r8a7790.dtsi ++++ b/arch/arm/boot/dts/r8a7790.dtsi +@@ -978,8 +978,11 @@ + compatible = "renesas,r8a7790-mstp-clocks", "renesas,cpg-mstp-clocks"; + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>; + clocks = <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7790_CLK_SSI_ALL>, <&mstp10_clks R8A7790_CLK_SSI_ALL>, + <&p_clk>, + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>, + <&mstp10_clks R8A7790_CLK_SCU_ALL>, <&mstp10_clks R8A7790_CLK_SCU_ALL>, diff --git a/queue-3.18/arm-dts-r8a7791-correct-parent-of-ssi-clocks.patch b/queue-3.18/arm-dts-r8a7791-correct-parent-of-ssi-clocks.patch new file mode 100644 index 00000000000..f959fae1c16 --- /dev/null +++ b/queue-3.18/arm-dts-r8a7791-correct-parent-of-ssi-clocks.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Geert Uytterhoeven +Date: Mon, 3 Apr 2017 11:45:42 +0200 +Subject: ARM: dts: r8a7791: Correct parent of SSI[0-9] clocks + +From: Geert Uytterhoeven + + +[ Upstream commit 16fe68dcab5702a024d85229ff7e98979cb701a5 ] + +The SSI-ALL gate clock is located in between the P clock and the +individual SSI[0-9] clocks, hence the former should be listed as their +parent. + +Fixes: ee9141522dcf13f8 ("ARM: shmobile: r8a7791: add MSTP10 support on DTSI") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7791.dtsi | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/r8a7791.dtsi ++++ b/arch/arm/boot/dts/r8a7791.dtsi +@@ -1001,8 +1001,11 @@ + compatible = "renesas,r8a7791-mstp-clocks", "renesas,cpg-mstp-clocks"; + reg = <0 0xe6150998 0 4>, <0 0xe61509a8 0 4>; + clocks = <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, +- <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, <&p_clk>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, ++ <&mstp10_clks R8A7791_CLK_SSI_ALL>, <&mstp10_clks R8A7791_CLK_SSI_ALL>, + <&p_clk>, + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>, + <&mstp10_clks R8A7791_CLK_SCU_ALL>, <&mstp10_clks R8A7791_CLK_SCU_ALL>, diff --git a/queue-3.18/asoc-nuc900-fix-a-loop-timeout-test.patch b/queue-3.18/asoc-nuc900-fix-a-loop-timeout-test.patch new file mode 100644 index 00000000000..630630cb07c --- /dev/null +++ b/queue-3.18/asoc-nuc900-fix-a-loop-timeout-test.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Dan Carpenter +Date: Sat, 9 Dec 2017 14:52:28 +0300 +Subject: ASoC: nuc900: Fix a loop timeout test + +From: Dan Carpenter + + +[ Upstream commit 65a12b3aafed5fc59f4ce41b22b752b1729e6701 ] + +We should be finishing the loop with timeout set to zero but because +this is a post-op we finish with timeout == -1. + +Fixes: 1082e2703a2d ("ASoC: NUC900/audio: add nuc900 audio driver support") +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/nuc900/nuc900-ac97.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/nuc900/nuc900-ac97.c ++++ b/sound/soc/nuc900/nuc900-ac97.c +@@ -67,7 +67,7 @@ static unsigned short nuc900_ac97_read(s + + /* polling the AC_R_FINISH */ + while (!(AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_R_FINISH) +- && timeout--) ++ && --timeout) + mdelay(1); + + if (!timeout) { +@@ -121,7 +121,7 @@ static void nuc900_ac97_write(struct snd + + /* polling the AC_W_FINISH */ + while ((AUDIO_READ(nuc900_audio->mmio + ACTL_ACCON) & AC_W_FINISH) +- && timeout--) ++ && --timeout) + mdelay(1); + + if (!timeout) diff --git a/queue-3.18/ath10k-disallow-dfs-simulation-if-dfs-channel-is-not-enabled.patch b/queue-3.18/ath10k-disallow-dfs-simulation-if-dfs-channel-is-not-enabled.patch new file mode 100644 index 00000000000..4953e6cf78b --- /dev/null +++ b/queue-3.18/ath10k-disallow-dfs-simulation-if-dfs-channel-is-not-enabled.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Mohammed Shafi Shajakhan +Date: Wed, 22 Feb 2017 21:03:11 +0530 +Subject: ath10k: disallow DFS simulation if DFS channel is not enabled + +From: Mohammed Shafi Shajakhan + + +[ Upstream commit ca07baab0b1e627ae1d4a55d190fb1c9d32a3445 ] + +If DFS is not enabled in hostapd (ieee80211h=0) DFS channels shall +not be available for use even though the hardware may have the capability +to support DFS. With this configuration (DFS disabled in hostapd) trying to +bring up ath10k device in DFS channel for AP mode fails and trying to +simulate DFS in ath10k debugfs results in a warning in cfg80211 complaining +invalid channel and this should be avoided in the driver itself rather than +false propogating RADAR detection to mac80211/cfg80211. Fix this by +checking for the first vif 'is_started' state(should work for client mode +as well) as all the vifs shall be configured for the same channel + +sys/kernel/debug/ieee80211/phy1/ath10k# echo 1 > dfs_simulate_radar + +WARNING: at net/wireless/chan.c:265 cfg80211_radar_event+0x24/0x60 +Workqueue: phy0 ieee80211_dfs_radar_detected_work [mac80211] +[] (warn_slowpath_null) from +[] (cfg80211_radar_event+0x24/0x60 [cfg80211]) +[] (cfg80211_radar_event [cfg80211]) from +[] (ieee80211_dfs_radar_detected_work+0x94/0xa0 [mac80211]) +[] (ieee80211_dfs_radar_detected_work [mac80211]) from +[] (process_one_work+0x20c/0x32c) + +WARNING: at net/wireless/nl80211.c:2488 nl80211_get_mpath+0x13c/0x4cc + Workqueue: phy0 ieee80211_dfs_radar_detected_work [mac80211] +[] (warn_slowpath_null) from +[] (cfg80211_radar_event+0x24/0x60 [cfg80211]) +[] (cfg80211_radar_event [cfg80211]) from +[] (ieee80211_dfs_radar_detected_work+0x94/0xa0 [mac80211]) +[] (ieee80211_dfs_radar_detected_work [mac80211]) from +[] (process_one_work+0x20c/0x32c) + +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/debug.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/debug.c ++++ b/drivers/net/wireless/ath/ath10k/debug.c +@@ -1079,6 +1079,15 @@ static ssize_t ath10k_write_simulate_rad + size_t count, loff_t *ppos) + { + struct ath10k *ar = file->private_data; ++ struct ath10k_vif *arvif; ++ ++ /* Just check for for the first vif alone, as all the vifs will be ++ * sharing the same channel and if the channel is disabled, all the ++ * vifs will share the same 'is_started' state. ++ */ ++ arvif = list_first_entry(&ar->arvifs, typeof(*arvif), list); ++ if (!arvif->is_started) ++ return -EINVAL; + + ieee80211_radar_detected(ar->hw); + diff --git a/queue-3.18/batman-adv-handle-race-condition-for-claims-between-gateways.patch b/queue-3.18/batman-adv-handle-race-condition-for-claims-between-gateways.patch new file mode 100644 index 00000000000..4a00c2cfcd6 --- /dev/null +++ b/queue-3.18/batman-adv-handle-race-condition-for-claims-between-gateways.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Andreas Pape +Date: Mon, 5 Sep 2016 13:20:29 +0200 +Subject: batman-adv: handle race condition for claims between gateways + +From: Andreas Pape + + +[ Upstream commit a3a5129e122709306cfa6409781716c2933df99b ] + +Consider the following situation which has been found in a test setup: +Gateway B has claimed client C and gateway A has the same backbone +network as B. C sends a broad- or multicast to B and directly after +this packet decides to send another packet to A due to a better TQ +value. B will forward the broad-/multicast into the backbone as it is +the responsible gw and after that A will claim C as it has been +chosen by C as the best gateway. If it now happens that A claims C +before it has received the broad-/multicast forwarded by B (due to +backbone topology or due to some delay in B when forwarding the +packet) we get a critical situation: in the current code A will +immediately unclaim C when receiving the multicast due to the +roaming client scenario although the position of C has not changed +in the mesh. If this happens the multi-/broadcast forwarded by B +will be sent back into the mesh by A and we have looping packets +until one of the gateways claims C again. +In order to prevent this, unclaiming of a client due to the roaming +client scenario is only done after a certain time is expired after +the last claim of the client. 100 ms are used here, which should be +slow enough for big backbones and slow gateways but fast enough not +to break the roaming client use case. + +Acked-by: Simon Wunderlich +Signed-off-by: Andreas Pape +[sven@narfation.org: fix conflicts with current version] +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/batman-adv/bridge_loop_avoidance.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/net/batman-adv/bridge_loop_avoidance.c ++++ b/net/batman-adv/bridge_loop_avoidance.c +@@ -1596,10 +1596,22 @@ int batadv_bla_tx(struct batadv_priv *ba + /* if yes, the client has roamed and we have + * to unclaim it. + */ +- batadv_handle_unclaim(bat_priv, primary_if, +- primary_if->net_dev->dev_addr, +- ethhdr->h_source, vid); +- goto allow; ++ if (batadv_has_timed_out(claim->lasttime, 100)) { ++ /* only unclaim if the last claim entry is ++ * older than 100 ms to make sure we really ++ * have a roaming client here. ++ */ ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Roaming client %pM detected. Unclaim it.\n", ++ ethhdr->h_source); ++ batadv_handle_unclaim(bat_priv, primary_if, ++ primary_if->net_dev->dev_addr, ++ ethhdr->h_source, vid); ++ goto allow; ++ } else { ++ batadv_dbg(BATADV_DBG_BLA, bat_priv, "bla_tx(): Race for claim %pM detected. Drop packet.\n", ++ ethhdr->h_source); ++ goto handled; ++ } + } + + /* check if it is a multicast/broadcast frame */ diff --git a/queue-3.18/blk-throttle-make-sure-expire-time-isn-t-too-big.patch b/queue-3.18/blk-throttle-make-sure-expire-time-isn-t-too-big.patch new file mode 100644 index 00000000000..cdc40c055da --- /dev/null +++ b/queue-3.18/blk-throttle-make-sure-expire-time-isn-t-too-big.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Shaohua Li +Date: Mon, 27 Mar 2017 10:51:36 -0700 +Subject: blk-throttle: make sure expire time isn't too big + +From: Shaohua Li + + +[ Upstream commit 06cceedcca67a93ac7f7aa93bbd9980c7496d14e ] + +cgroup could be throttled to a limit but when all cgroups cross high +limit, queue enters a higher state and so the group should be throttled +to a higher limit. It's possible the cgroup is sleeping because of +throttle and other cgroups don't dispatch IO any more. In this case, +nobody can trigger current downgrade/upgrade logic. To fix this issue, +we could either set up a timer to wakeup the cgroup if other cgroups are +idle or make sure this cgroup doesn't sleep too long. Setting up a timer +means we must change the timer very frequently. This patch chooses the +latter. Making cgroup sleep time not too big wouldn't change cgroup +bps/iops, but could make it wakeup more frequently, which isn't a big +issue because throtl_slice * 8 is already quite big. + +Signed-off-by: Shaohua Li +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-throttle.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -648,6 +648,17 @@ static void throtl_dequeue_tg(struct thr + static void throtl_schedule_pending_timer(struct throtl_service_queue *sq, + unsigned long expires) + { ++ unsigned long max_expire = jiffies + 8 * throtl_slice; ++ ++ /* ++ * Since we are adjusting the throttle limit dynamically, the sleep ++ * time calculated according to previous limit might be invalid. It's ++ * possible the cgroup sleep time is very long and no other cgroups ++ * have IO running so notify the limit changes. Make sure the cgroup ++ * doesn't sleep too long to avoid the missed notification. ++ */ ++ if (time_after(expires, max_expire)) ++ expires = max_expire; + mod_timer(&sq->pending_timer, expires); + throtl_log(sq, "schedule timer. delay=%lu jiffies=%lu", + expires - jiffies, jiffies); diff --git a/queue-3.18/braille-console-fix-value-returned-by-_braille_console_setup.patch b/queue-3.18/braille-console-fix-value-returned-by-_braille_console_setup.patch new file mode 100644 index 00000000000..b70f5fbfcf9 --- /dev/null +++ b/queue-3.18/braille-console-fix-value-returned-by-_braille_console_setup.patch @@ -0,0 +1,104 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Samuel Thibault +Date: Sun, 26 Mar 2017 22:47:36 +0200 +Subject: braille-console: Fix value returned by _braille_console_setup + +From: Samuel Thibault + + +[ Upstream commit 2ed2b8621be2708c0f6d61fe9841e9ad8b9753f0 ] + +commit bbeddf52adc1 ("printk: move braille console support into +separate braille.[ch] files") introduced _braille_console_setup() +to outline the braille initialization code. There was however some +confusion over the value it was supposed to return. commit 2cfe6c4ac7ee +("printk: Fix return of braille_register_console()") tried to fix it +but failed to. + +This fixes and documents the returned value according to the use +in printk.c: non-zero return means a parsing error, and thus this +console configuration should be ignored. + +Signed-off-by: Samuel Thibault +Cc: Aleksey Makarov +Cc: Joe Perches +Cc: Ming Lei +Cc: Steven Rostedt +Acked-by: Petr Mladek +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/printk/braille.c | 15 ++++++++------- + kernel/printk/braille.h | 13 ++++++++++--- + 2 files changed, 18 insertions(+), 10 deletions(-) + +--- a/kernel/printk/braille.c ++++ b/kernel/printk/braille.c +@@ -2,12 +2,13 @@ + + #include + #include ++#include + #include + + #include "console_cmdline.h" + #include "braille.h" + +-char *_braille_console_setup(char **str, char **brl_options) ++int _braille_console_setup(char **str, char **brl_options) + { + if (!memcmp(*str, "brl,", 4)) { + *brl_options = ""; +@@ -15,14 +16,14 @@ char *_braille_console_setup(char **str, + } else if (!memcmp(str, "brl=", 4)) { + *brl_options = *str + 4; + *str = strchr(*brl_options, ','); +- if (!*str) ++ if (!*str) { + pr_err("need port name after brl=\n"); +- else +- *((*str)++) = 0; +- } else +- return NULL; ++ return -EINVAL; ++ } ++ *((*str)++) = 0; ++ } + +- return *str; ++ return 0; + } + + int +--- a/kernel/printk/braille.h ++++ b/kernel/printk/braille.h +@@ -9,7 +9,14 @@ braille_set_options(struct console_cmdli + c->brl_options = brl_options; + } + +-char * ++/* ++ * Setup console according to braille options. ++ * Return -EINVAL on syntax error, 0 on success (or no braille option was ++ * actually given). ++ * Modifies str to point to the serial options ++ * Sets brl_options to the parsed braille options. ++ */ ++int + _braille_console_setup(char **str, char **brl_options); + + int +@@ -25,10 +32,10 @@ braille_set_options(struct console_cmdli + { + } + +-static inline char * ++static inline int + _braille_console_setup(char **str, char **brl_options) + { +- return NULL; ++ return 0; + } + + static inline int diff --git a/queue-3.18/drivers-net-xgene-fix-hardware-checksum-setting.patch b/queue-3.18/drivers-net-xgene-fix-hardware-checksum-setting.patch new file mode 100644 index 00000000000..4275c244937 --- /dev/null +++ b/queue-3.18/drivers-net-xgene-fix-hardware-checksum-setting.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Quan Nguyen +Date: Wed, 15 Mar 2017 13:27:16 -0700 +Subject: drivers: net: xgene: Fix hardware checksum setting + +From: Quan Nguyen + + +[ Upstream commit e026e700d940a1ea3d3bc84d92ac668b1f015462 ] + +This patch fixes the hardware checksum settings by properly program +the classifier. Otherwise, packet may be received with checksum error +on X-Gene1 SoC. + +Signed-off-by: Quan Nguyen +Signed-off-by: Iyappan Subramanian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/apm/xgene/xgene_enet_hw.c | 1 + + drivers/net/ethernet/apm/xgene/xgene_enet_hw.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.c +@@ -535,6 +535,7 @@ static void xgene_enet_cle_bypass(struct + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG0_0_ADDR, &cb); + cb |= CFG_CLE_BYPASS_EN0; + CFG_CLE_IP_PROTOCOL0_SET(&cb, 3); ++ CFG_CLE_IP_HDR_LEN_SET(&cb, 0); + xgene_enet_wr_csr(pdata, CLE_BYPASS_REG0_0_ADDR, cb); + + xgene_enet_rd_csr(pdata, CLE_BYPASS_REG1_0_ADDR, &cb); +--- a/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h ++++ b/drivers/net/ethernet/apm/xgene/xgene_enet_hw.h +@@ -143,6 +143,7 @@ enum xgene_enet_rm { + #define CFG_TXCLK_MUXSEL0_SET(dst, val) xgene_set_bits(dst, val, 29, 3) + + #define CFG_CLE_IP_PROTOCOL0_SET(dst, val) xgene_set_bits(dst, val, 16, 2) ++#define CFG_CLE_IP_HDR_LEN_SET(dst, val) xgene_set_bits(dst, val, 8, 5) + #define CFG_CLE_DSTQID0_SET(dst, val) xgene_set_bits(dst, val, 0, 12) + #define CFG_CLE_FPSEL0_SET(dst, val) xgene_set_bits(dst, val, 16, 4) + #define CFG_MACMODE_SET(dst, val) xgene_set_bits(dst, val, 18, 2) diff --git a/queue-3.18/drm-defer-disabling-the-vblank-irq-until-the-next-interrupt-for-instant-off.patch b/queue-3.18/drm-defer-disabling-the-vblank-irq-until-the-next-interrupt-for-instant-off.patch new file mode 100644 index 00000000000..fdb6635c0b5 --- /dev/null +++ b/queue-3.18/drm-defer-disabling-the-vblank-irq-until-the-next-interrupt-for-instant-off.patch @@ -0,0 +1,108 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Chris Wilson +Date: Wed, 15 Mar 2017 20:40:25 +0000 +Subject: drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off) + +From: Chris Wilson + + +[ Upstream commit 608b20506941969ea30d8c08dc9ae02bb87dbf7d ] + +On vblank instant-off systems, we can get into a situation where the cost +of enabling and disabling the vblank IRQ around a drmWaitVblank query +dominates. And with the advent of even deeper hardware sleep state, +touching registers becomes ever more expensive. However, we know that if +the user wants the current vblank counter, they are also very likely to +immediately queue a vblank wait and so we can keep the interrupt around +and only turn it off if we have no further vblank requests queued within +the interrupt interval. + +After vblank event delivery, this patch adds a shadow of one vblank where +the interrupt is kept alive for the user to query and queue another vblank +event. Similarly, if the user is using blocking drmWaitVblanks, the +interrupt will be disabled on the IRQ following the wait completion. +However, if the user is simply querying the current vblank counter and +timestamp, the interrupt will be disabled after every IRQ and the user +will enabled it again on the first query following the IRQ. + +v2: Mario Kleiner - +After testing this, one more thing that would make sense is to move +the disable block at the end of drm_handle_vblank() instead of at the +top. + +Turns out that if high precision timestaming is disabled or doesn't +work for some reason (as can be simulated by echo 0 > +/sys/module/drm/parameters/timestamp_precision_usec), then with your +delayed disable code at its current place, the vblank counter won't +increment anymore at all for instant queries, ie. with your other +"instant query" patches. Clients which repeatedly query the counter +and wait for it to progress will simply hang, spinning in an endless +query loop. There's that comment in vblank_disable_and_save: + +"* Skip this step if there isn't any high precision timestamp + * available. In that case we can't account for this and just + * hope for the best. + */ + +With the disable happening after leading edge of vblank (== hw counter +increment already happened) but before the vblank counter/timestamp +handling in drm_handle_vblank, that step is needed to keep the counter +progressing, so skipping it is bad. + +Now without high precision timestamping support, a kms driver must not +set dev->vblank_disable_immediate = true, as this would cause problems +for clients, so this shouldn't matter, but it would be good to still +make this robust against a future kms driver which might have +unreliable high precision timestamping, e.g., high precision +timestamping that intermittently doesn't work. + +v3: Patch before coffee needs extra coffee. + +Testcase: igt/kms_vblank +Signed-off-by: Chris Wilson +Cc: Ville Syrjälä +Cc: Daniel Vetter +Cc: Michel Dänzer +Cc: Laurent Pinchart +Cc: Dave Airlie , +Cc: Mario Kleiner +Reviewed-by: Ville Syrjälä +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/20170315204027.20160-1-chris@chris-wilson.co.uk +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_irq.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_irq.c ++++ b/drivers/gpu/drm/drm_irq.c +@@ -1038,9 +1038,9 @@ void drm_vblank_put(struct drm_device *d + if (atomic_dec_and_test(&vblank->refcount)) { + if (drm_vblank_offdelay == 0) + return; +- else if (dev->vblank_disable_immediate || drm_vblank_offdelay < 0) ++ else if (drm_vblank_offdelay < 0) + vblank_disable_fn((unsigned long)vblank); +- else ++ else if (!dev->vblank_disable_immediate) + mod_timer(&vblank->disable_timer, + jiffies + ((drm_vblank_offdelay * HZ)/1000)); + } +@@ -1664,6 +1664,16 @@ bool drm_handle_vblank(struct drm_device + wake_up(&vblank->queue); + drm_handle_vblank_events(dev, crtc); + ++ /* With instant-off, we defer disabling the interrupt until after ++ * we finish processing the following vblank. The disable has to ++ * be last (after drm_handle_vblank_events) so that the timestamp ++ * is always accurate. ++ */ ++ if (dev->vblank_disable_immediate && ++ drm_vblank_offdelay > 0 && ++ !atomic_read(&vblank->refcount)) ++ vblank_disable_fn((unsigned long)vblank); ++ + spin_unlock_irqrestore(&dev->event_lock, irqflags); + + return true; diff --git a/queue-3.18/drm-radeon-fail-fb-creation-from-imported-dma-bufs.patch b/queue-3.18/drm-radeon-fail-fb-creation-from-imported-dma-bufs.patch new file mode 100644 index 00000000000..4050f5dd045 --- /dev/null +++ b/queue-3.18/drm-radeon-fail-fb-creation-from-imported-dma-bufs.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Christopher James Halse Rogers +Date: Wed, 29 Mar 2017 15:00:54 +1100 +Subject: drm/radeon: Fail fb creation from imported dma-bufs. + +From: Christopher James Halse Rogers + + +[ Upstream commit a294043b2fbd8de69d161457ed0c7a4026bbfa5a ] + +Any use of the framebuffer will migrate it to VRAM, which is not sensible for +an imported dma-buf. + +v2: Use DRM_DEBUG_KMS to prevent userspace accidentally spamming dmesg. + +Reviewed-by: Michel Dänzer +Reviewed-by: Christian König +Signed-off-by: Christopher James Halse Rogers +CC: amd-gfx@lists.freedesktop.org +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_display.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -1320,6 +1320,12 @@ radeon_user_framebuffer_create(struct dr + return ERR_PTR(-ENOENT); + } + ++ /* Handle is imported dma-buf, so cannot be migrated to VRAM for scanout */ ++ if (obj->import_attach) { ++ DRM_DEBUG_KMS("Cannot create framebuffer from imported dma_buf\n"); ++ return ERR_PTR(-EINVAL); ++ } ++ + radeon_fb = kzalloc(sizeof(*radeon_fb), GFP_KERNEL); + if (radeon_fb == NULL) { + drm_gem_object_unreference_unlocked(obj); diff --git a/queue-3.18/fm10k-correctly-check-if-interface-is-removed.patch b/queue-3.18/fm10k-correctly-check-if-interface-is-removed.patch new file mode 100644 index 00000000000..c66fcc3f7ab --- /dev/null +++ b/queue-3.18/fm10k-correctly-check-if-interface-is-removed.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Phil Turnbull +Date: Wed, 23 Nov 2016 13:33:58 -0500 +Subject: fm10k: correctly check if interface is removed + +From: Phil Turnbull + + +[ Upstream commit 540fca35e38d15777b310f450f63f056e63039f5 ] + +FM10K_REMOVED expects a hardware address, not a 'struct fm10k_hw'. + +Fixes: 5cb8db4a4cbc ("fm10k: Add support for VF") +Signed-off-by: Phil Turnbull +Tested-by: Krishneil Singh +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c ++++ b/drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c +@@ -840,7 +840,7 @@ static void fm10k_self_test(struct net_d + + memset(data, 0, sizeof(*data) * FM10K_TEST_LEN); + +- if (FM10K_REMOVED(hw)) { ++ if (FM10K_REMOVED(hw->hw_addr)) { + netif_err(interface, drv, dev, + "Interface removed - test blocked\n"); + eth_test->flags |= ETH_TEST_FL_FAILED; diff --git a/queue-3.18/hid-clamp-input-to-logical-range-if-no-null-state.patch b/queue-3.18/hid-clamp-input-to-logical-range-if-no-null-state.patch new file mode 100644 index 00000000000..dd1d53f3244 --- /dev/null +++ b/queue-3.18/hid-clamp-input-to-logical-range-if-no-null-state.patch @@ -0,0 +1,80 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Tomasz Kramkowski +Date: Tue, 14 Mar 2017 13:29:13 +0000 +Subject: HID: clamp input to logical range if no null state + +From: Tomasz Kramkowski + + +[ Upstream commit c3883fe06488a483658ba5d849b70e49bee15e7c ] + +This patch fixes an issue in drivers/hid/hid-input.c where values +outside of the logical range are not clamped when "null state" bit of +the input control is not set. + +This was discussed on the lists [1] and this change stems from the fact +due to the ambiguity of the HID specification it might be appropriate to +follow Microsoft's own interpretation of the specification. As noted in +Microsoft's documentation [2] in the section titled "Required HID usages +for digitizers" it is noted that values reported outside the logical +range "will be considered as invalid data and the value will be changed +to the nearest boundary value (logical min/max)." + +This patch fixes an issue where the (1292:4745) Innomedia INNEX +GENESIS/ATARI reports out of range values for its X and Y axis of the +DPad which, due to the null state bit being unset, are forwarded to +userspace as is. Now these values will get clamped to the logical range +before being forwarded to userspace. This device was also used to test +this patch. + +This patch expands on commit 3f3752705dbd ("HID: reject input outside +logical range only if null state is set"). + +[1]: http://lkml.kernel.org/r/20170307131036.GA853@gaia.local +[2]: https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp + +Signed-off-by: Tomasz Kramkowski +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-input.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1090,19 +1090,26 @@ void hidinput_hid_event(struct hid_devic + + /* + * Ignore out-of-range values as per HID specification, +- * section 5.10 and 6.2.25. ++ * section 5.10 and 6.2.25, when NULL state bit is present. ++ * When it's not, clamp the value to match Microsoft's input ++ * driver as mentioned in "Required HID usages for digitizers": ++ * https://msdn.microsoft.com/en-us/library/windows/hardware/dn672278(v=vs.85).asp + * + * The logical_minimum < logical_maximum check is done so that we + * don't unintentionally discard values sent by devices which + * don't specify logical min and max. + */ + if ((field->flags & HID_MAIN_ITEM_VARIABLE) && +- (field->flags & HID_MAIN_ITEM_NULL_STATE) && +- (field->logical_minimum < field->logical_maximum) && +- (value < field->logical_minimum || +- value > field->logical_maximum)) { +- dbg_hid("Ignoring out-of-range value %x\n", value); +- return; ++ (field->logical_minimum < field->logical_maximum)) { ++ if (field->flags & HID_MAIN_ITEM_NULL_STATE && ++ (value < field->logical_minimum || ++ value > field->logical_maximum)) { ++ dbg_hid("Ignoring out-of-range value %x\n", value); ++ return; ++ } ++ value = clamp(value, ++ field->logical_minimum, ++ field->logical_maximum); + } + + /* diff --git a/queue-3.18/hid-elo-clear-btn_left-mapping.patch b/queue-3.18/hid-elo-clear-btn_left-mapping.patch new file mode 100644 index 00000000000..d3bdfe451c4 --- /dev/null +++ b/queue-3.18/hid-elo-clear-btn_left-mapping.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Jiri Kosina +Date: Wed, 22 Nov 2017 11:19:51 +0100 +Subject: HID: elo: clear BTN_LEFT mapping + +From: Jiri Kosina + + +[ Upstream commit 9abd04af951e5734c9d5cfee9b49790844b734cf ] + +ELO devices have one Button usage in GenDesk field, which makes hid-input map +it to BTN_LEFT; that confuses userspace, which then considers the device to be +a mouse/touchpad instead of touchscreen. + +Fix that by unmapping BTN_LEFT and keeping only BTN_TOUCH in place. + +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-elo.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/hid/hid-elo.c ++++ b/drivers/hid/hid-elo.c +@@ -42,6 +42,12 @@ static void elo_input_configured(struct + { + struct input_dev *input = hidinput->input; + ++ /* ++ * ELO devices have one Button usage in GenDesk field, which makes ++ * hid-input map it to BTN_LEFT; that confuses userspace, which then ++ * considers the device to be a mouse/touchpad instead of touchscreen. ++ */ ++ clear_bit(BTN_LEFT, input->keybit); + set_bit(BTN_TOUCH, input->keybit); + set_bit(ABS_PRESSURE, input->absbit); + input_set_abs_params(input, ABS_PRESSURE, 0, 256, 0, 0); diff --git a/queue-3.18/hid-reject-input-outside-logical-range-only-if-null-state-is-set.patch b/queue-3.18/hid-reject-input-outside-logical-range-only-if-null-state-is-set.patch new file mode 100644 index 00000000000..e1edf8d6b09 --- /dev/null +++ b/queue-3.18/hid-reject-input-outside-logical-range-only-if-null-state-is-set.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Valtteri Heikkilä" +Date: Tue, 14 Feb 2017 23:14:32 +0000 +Subject: HID: reject input outside logical range only if null state is set + +From: "Valtteri Heikkilä" + + +[ Upstream commit 3f3752705dbd50b66b66ad7b4d54fe33d2f746ed ] + +This patch fixes an issue in drivers/hid/hid-input.c where USB HID +control null state flag is not checked upon rejecting inputs outside +logical minimum-maximum range. The check should be made according to USB +HID specification 1.11, section 6.2.2.5, p.31. The fix will resolve +issues with some game controllers, such as: +https://bugzilla.kernel.org/show_bug.cgi?id=68621 + +[tk@the-tk.com: shortened and fixed spelling in commit message] +Signed-off-by: Valtteri Heikkilä +Signed-off-by: Tomasz Kramkowski +Acked-By: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-input.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -1097,6 +1097,7 @@ void hidinput_hid_event(struct hid_devic + * don't specify logical min and max. + */ + if ((field->flags & HID_MAIN_ITEM_VARIABLE) && ++ (field->flags & HID_MAIN_ITEM_NULL_STATE) && + (field->logical_minimum < field->logical_maximum) && + (value < field->logical_minimum || + value > field->logical_maximum)) { diff --git a/queue-3.18/ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch b/queue-3.18/ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch new file mode 100644 index 00000000000..4e209510d5d --- /dev/null +++ b/queue-3.18/ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Mimi Zohar +Date: Wed, 8 Nov 2017 07:38:28 -0500 +Subject: ima: relax requiring a file signature for new files with zero length + +From: Mimi Zohar + + +[ Upstream commit b7e27bc1d42e8e0cc58b602b529c25cd0071b336 ] + +Custom policies can require file signatures based on LSM labels. These +files are normally created and only afterwards labeled, requiring them +to be signed. + +Instead of requiring file signatures based on LSM labels, entire +filesystems could require file signatures. In this case, we need the +ability of writing new files without requiring file signatures. + +The definition of a "new" file was originally defined as any file with +a length of zero. Subsequent patches redefined a "new" file to be based +on the FILE_CREATE open flag. By combining the open flag with a file +size of zero, this patch relaxes the file signature requirement. + +Fixes: 1ac202e978e1 ima: accept previously set IMA_NEW_FILE +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_appraise.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -206,7 +206,8 @@ int ima_appraise_measurement(int func, s + if (opened & FILE_CREATED) + iint->flags |= IMA_NEW_FILE; + if ((iint->flags & IMA_NEW_FILE) && +- !(iint->flags & IMA_DIGSIG_REQUIRED)) ++ (!(iint->flags & IMA_DIGSIG_REQUIRED) || ++ (inode->i_size == 0))) + status = INTEGRITY_PASS; + goto out; + } diff --git a/queue-3.18/input-tsc2007-check-for-presence-and-power-down-tsc2007-during-probe.patch b/queue-3.18/input-tsc2007-check-for-presence-and-power-down-tsc2007-during-probe.patch new file mode 100644 index 00000000000..d180875b573 --- /dev/null +++ b/queue-3.18/input-tsc2007-check-for-presence-and-power-down-tsc2007-during-probe.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "H. Nikolaus Schaller" +Date: Fri, 17 Feb 2017 12:51:19 -0800 +Subject: Input: tsc2007 - check for presence and power down tsc2007 during probe + +From: "H. Nikolaus Schaller" + + +[ Upstream commit 934df23171e7c5b71d937104d4957891c39748ff ] + +1. check if chip is really present and don't succeed if it isn't. +2. if it succeeds, power down the chip until accessed + +Signed-off-by: H. Nikolaus Schaller +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/tsc2007.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/input/touchscreen/tsc2007.c ++++ b/drivers/input/touchscreen/tsc2007.c +@@ -456,6 +456,14 @@ static int tsc2007_probe(struct i2c_clie + + tsc2007_stop(ts); + ++ /* power down the chip (TSC2007_SETUP does not ACK on I2C) */ ++ err = tsc2007_xfer(ts, PWRDOWN); ++ if (err < 0) { ++ dev_err(&client->dev, ++ "Failed to setup chip: %d\n", err); ++ return err; /* usually, chip does not respond */ ++ } ++ + err = input_register_device(input_dev); + if (err) { + dev_err(&client->dev, diff --git a/queue-3.18/iommu-iova-fix-underflow-bug-in-__alloc_and_insert_iova_range.patch b/queue-3.18/iommu-iova-fix-underflow-bug-in-__alloc_and_insert_iova_range.patch new file mode 100644 index 00000000000..71137fb24ff --- /dev/null +++ b/queue-3.18/iommu-iova-fix-underflow-bug-in-__alloc_and_insert_iova_range.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Nate Watterson +Date: Fri, 7 Apr 2017 01:36:20 -0400 +Subject: iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range + +From: Nate Watterson + + +[ Upstream commit 5016bdb796b3726eec043ca0ce3be981f712c756 ] + +Normally, calling alloc_iova() using an iova_domain with insufficient +pfns remaining between start_pfn and dma_limit will fail and return a +NULL pointer. Unexpectedly, if such a "full" iova_domain contains an +iova with pfn_lo == 0, the alloc_iova() call will instead succeed and +return an iova containing invalid pfns. + +This is caused by an underflow bug in __alloc_and_insert_iova_range() +that occurs after walking the "full" iova tree when the search ends +at the iova with pfn_lo == 0 and limit_pfn is then adjusted to be just +below that (-1). This (now huge) limit_pfn gives the impression that a +vast amount of space is available between it and start_pfn and thus +a new iova is allocated with the invalid pfn_hi value, 0xFFF.... . + +To rememdy this, a check is introduced to ensure that adjustments to +limit_pfn will not underflow. + +This issue has been observed in the wild, and is easily reproduced with +the following sample code. + + struct iova_domain *iovad = kzalloc(sizeof(*iovad), GFP_KERNEL); + struct iova *rsvd_iova, *good_iova, *bad_iova; + unsigned long limit_pfn = 3; + unsigned long start_pfn = 1; + unsigned long va_size = 2; + + init_iova_domain(iovad, SZ_4K, start_pfn, limit_pfn); + rsvd_iova = reserve_iova(iovad, 0, 0); + good_iova = alloc_iova(iovad, va_size, limit_pfn, true); + bad_iova = alloc_iova(iovad, va_size, limit_pfn, true); + +Prior to the patch, this yielded: + *rsvd_iova == {0, 0} /* Expected */ + *good_iova == {2, 3} /* Expected */ + *bad_iova == {-2, -1} /* Oh no... */ + +After the patch, bad_iova is NULL as expected since inadequate +space remains between limit_pfn and start_pfn after allocating +good_iova. + +Signed-off-by: Nate Watterson +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/iova.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/iova.c ++++ b/drivers/iommu/iova.c +@@ -118,7 +118,7 @@ static int __alloc_and_insert_iova_range + break; /* found a free slot */ + } + adjust_limit_pfn: +- limit_pfn = curr_iova->pfn_lo - 1; ++ limit_pfn = curr_iova->pfn_lo ? (curr_iova->pfn_lo - 1) : 0; + move_left: + prev = curr; + curr = rb_prev(curr); diff --git a/queue-3.18/kprobes-x86-fix-kprobe-booster-not-to-boost-far-call-instructions.patch b/queue-3.18/kprobes-x86-fix-kprobe-booster-not-to-boost-far-call-instructions.patch new file mode 100644 index 00000000000..d30aaef7cfb --- /dev/null +++ b/queue-3.18/kprobes-x86-fix-kprobe-booster-not-to-boost-far-call-instructions.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Masami Hiramatsu +Date: Wed, 29 Mar 2017 13:56:56 +0900 +Subject: kprobes/x86: Fix kprobe-booster not to boost far call instructions + +From: Masami Hiramatsu + + +[ Upstream commit bd0b90676c30fe640e7ead919b3e38846ac88ab7 ] + +Fix the kprobe-booster not to boost far call instruction, +because a call may store the address in the single-step +execution buffer to the stack, which should be modified +after single stepping. + +Currently, this instruction will be filtered as not +boostable in resume_execution(), so this is not a +critical issue. + +Signed-off-by: Masami Hiramatsu +Cc: Ananth N Mavinakayanahalli +Cc: Andrey Ryabinin +Cc: Anil S Keshavamurthy +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: David S . Miller +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ye Xiaolong +Link: http://lkml.kernel.org/r/149076340615.22469.14066273186134229909.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kprobes/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -196,6 +196,8 @@ retry: + return (opcode != 0x62 && opcode != 0x67); + case 0x70: + return 0; /* can't boost conditional jump */ ++ case 0x90: ++ return opcode != 0x9a; /* can't boost call far */ + case 0xc0: + /* can't boost software-interruptions */ + return (0xc1 < opcode && opcode < 0xcc) || opcode == 0xcf; diff --git a/queue-3.18/kprobes-x86-set-kprobes-pages-read-only.patch b/queue-3.18/kprobes-x86-set-kprobes-pages-read-only.patch new file mode 100644 index 00000000000..c5c50b59e0a --- /dev/null +++ b/queue-3.18/kprobes-x86-set-kprobes-pages-read-only.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Masami Hiramatsu +Date: Wed, 29 Mar 2017 14:02:46 +0900 +Subject: kprobes/x86: Set kprobes pages read-only + +From: Masami Hiramatsu + + +[ Upstream commit d0381c81c2f782fa2131178d11e0cfb23d50d631 ] + +Set the pages which is used for kprobes' singlestep buffer +and optprobe's trampoline instruction buffer to readonly. +This can prevent unexpected (or unintended) instruction +modification. + +This also passes rodata_test as below. + +Without this patch, rodata_test shows a warning: + + WARNING: CPU: 0 PID: 1 at arch/x86/mm/dump_pagetables.c:235 note_page+0x7a9/0xa20 + x86/mm: Found insecure W+X mapping at address ffffffffa0000000/0xffffffffa0000000 + +With this fix, no W+X pages are found: + + x86/mm: Checked W+X mappings: passed, no W+X pages found. + rodata_test: all tests were successful + +Reported-by: Andrey Ryabinin +Signed-off-by: Masami Hiramatsu +Cc: Ananth N Mavinakayanahalli +Cc: Anil S Keshavamurthy +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: David S . Miller +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Ye Xiaolong +Link: http://lkml.kernel.org/r/149076375592.22469.14174394514338612247.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kprobes/core.c | 4 ++++ + arch/x86/kernel/kprobes/opt.c | 3 +++ + 2 files changed, 7 insertions(+) + +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -378,6 +378,8 @@ static int arch_copy_kprobe(struct kprob + { + int ret; + ++ set_memory_rw((unsigned long)p->ainsn.insn & PAGE_MASK, 1); ++ + /* Copy an instruction with recovering if other optprobe modifies it.*/ + ret = __copy_instruction(p->ainsn.insn, p->addr); + if (!ret) +@@ -392,6 +394,8 @@ static int arch_copy_kprobe(struct kprob + else + p->ainsn.boostable = -1; + ++ set_memory_ro((unsigned long)p->ainsn.insn & PAGE_MASK, 1); ++ + /* Check whether the instruction modifies Interrupt Flag or not */ + p->ainsn.if_modifier = is_IF_modifier(p->ainsn.insn); + +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -344,6 +344,7 @@ int arch_prepare_optimized_kprobe(struct + } + + buf = (u8 *)op->optinsn.insn; ++ set_memory_rw((unsigned long)buf & PAGE_MASK, 1); + + /* Copy instructions into the out-of-line buffer */ + ret = copy_optimized_instructions(buf + TMPL_END_IDX, op->kp.addr); +@@ -366,6 +367,8 @@ int arch_prepare_optimized_kprobe(struct + synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size, + (u8 *)op->kp.addr + op->optinsn.size); + ++ set_memory_ro((unsigned long)buf & PAGE_MASK, 1); ++ + flush_icache_range((unsigned long) buf, + (unsigned long) buf + TMPL_END_IDX + + op->optinsn.size + RELATIVEJUMP_SIZE); diff --git a/queue-3.18/mac80211-remove-bug-when-interface-type-is-invalid.patch b/queue-3.18/mac80211-remove-bug-when-interface-type-is-invalid.patch new file mode 100644 index 00000000000..cc49c598a18 --- /dev/null +++ b/queue-3.18/mac80211-remove-bug-when-interface-type-is-invalid.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Luca Coelho +Date: Sun, 29 Oct 2017 11:51:10 +0200 +Subject: mac80211: remove BUG() when interface type is invalid + +From: Luca Coelho + + +[ Upstream commit c7976f5272486e4ff406014c4b43e2fa3b70b052 ] + +In the ieee80211_setup_sdata() we check if the interface type is valid +and, if not, call BUG(). This should never happen, but if there is +something wrong with the code, it will not be caught until the bug +happens when an interface is being set up. Calling BUG() is too +extreme for this and a WARN_ON() would be better used instead. Change +that. + +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/iface.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -1379,7 +1379,7 @@ static void ieee80211_setup_sdata(struct + break; + case NL80211_IFTYPE_UNSPECIFIED: + case NUM_NL80211_IFTYPES: +- BUG(); ++ WARN_ON(1); + break; + } + diff --git a/queue-3.18/media-cpia2-fix-a-couple-off-by-one-bugs.patch b/queue-3.18/media-cpia2-fix-a-couple-off-by-one-bugs.patch new file mode 100644 index 00000000000..2f3086b26e9 --- /dev/null +++ b/queue-3.18/media-cpia2-fix-a-couple-off-by-one-bugs.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Dan Carpenter +Date: Thu, 9 Nov 2017 16:28:14 -0500 +Subject: media: cpia2: Fix a couple off by one bugs + +From: Dan Carpenter + + +[ Upstream commit d5ac225c7d64c9c3ef821239edc035634e594ec9 ] + +The cam->buffers[] array has cam->num_frames elements so the > needs to +be changed to >= to avoid going beyond the end of the array. The +->buffers[] array is allocated in cpia2_allocate_buffers() if you want +to confirm. + +Fixes: ab33d5071de7 ("V4L/DVB (3376): Add cpia2 camera support") + +Signed-off-by: Dan Carpenter +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/cpia2/cpia2_v4l.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/cpia2/cpia2_v4l.c ++++ b/drivers/media/usb/cpia2/cpia2_v4l.c +@@ -812,7 +812,7 @@ static int cpia2_querybuf(struct file *f + struct camera_data *cam = video_drvdata(file); + + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE || +- buf->index > cam->num_frames) ++ buf->index >= cam->num_frames) + return -EINVAL; + + buf->m.offset = cam->buffers[buf->index].data - cam->frame_buffer; +@@ -863,7 +863,7 @@ static int cpia2_qbuf(struct file *file, + + if(buf->type != V4L2_BUF_TYPE_VIDEO_CAPTURE || + buf->memory != V4L2_MEMORY_MMAP || +- buf->index > cam->num_frames) ++ buf->index >= cam->num_frames) + return -EINVAL; + + DBG("QBUF #%d\n", buf->index); diff --git a/queue-3.18/media-i2c-soc_camera-fix-ov6650-sensor-getting-wrong-clock.patch b/queue-3.18/media-i2c-soc_camera-fix-ov6650-sensor-getting-wrong-clock.patch new file mode 100644 index 00000000000..29bb63fd8f4 --- /dev/null +++ b/queue-3.18/media-i2c-soc_camera-fix-ov6650-sensor-getting-wrong-clock.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Janusz Krzysztofik +Date: Wed, 15 Jun 2016 19:29:50 -0300 +Subject: [media] media: i2c/soc_camera: fix ov6650 sensor getting wrong clock + +From: Janusz Krzysztofik + + +[ Upstream commit 54449af0e0b2ea43a8166611c95b730c850c3184 ] + +After changes to v4l2_clk API introduced in v4.1 by commits a37462b919 +'[media] V4L: remove clock name from v4l2_clk API' and 4f528afcfb +'[media] V4L: add CCF support to the v4l2_clk API', ov6650 sensor +stopped responding because v4l2_clk_get(), still called with +depreciated V4L2 clock name "mclk", started to return respective CCF +clock instead of the V4l2 one registered by soc_camera. Fix it by +calling v4l2_clk_get() with NULL clock name. + +Created and tested on Amstrad Delta against Linux-4.7-rc3 with +omap1_camera fixes. + +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Guennadi Liakhovetski +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/soc_camera/ov6650.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -1016,7 +1016,7 @@ static int ov6650_probe(struct i2c_clien + priv->code = V4L2_MBUS_FMT_YUYV8_2X8; + priv->colorspace = V4L2_COLORSPACE_JPEG; + +- priv->clk = v4l2_clk_get(&client->dev, "mclk"); ++ priv->clk = v4l2_clk_get(&client->dev, NULL); + if (IS_ERR(priv->clk)) { + ret = PTR_ERR(priv->clk); + goto eclkget; diff --git a/queue-3.18/mips-bpf-quit-clobbering-callee-saved-registers-in-jit-code.patch b/queue-3.18/mips-bpf-quit-clobbering-callee-saved-registers-in-jit-code.patch new file mode 100644 index 00000000000..548dbeb7170 --- /dev/null +++ b/queue-3.18/mips-bpf-quit-clobbering-callee-saved-registers-in-jit-code.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: David Daney +Date: Tue, 14 Mar 2017 14:21:43 -0700 +Subject: MIPS: BPF: Quit clobbering callee saved registers in JIT code. + +From: David Daney + + +[ Upstream commit 1ef0910cfd681f0bd0b81f8809935b2006e9cfb9 ] + +If bpf_needs_clear_a() returns true, only actually clear it if it is +ever used. If it is not used, we don't save and restore it, so the +clearing has the nasty side effect of clobbering caller state. + +Also, don't emit stack pointer adjustment instructions if the +adjustment amount is zero. + +Signed-off-by: David Daney +Cc: James Hogan +Cc: Alexei Starovoitov +Cc: Steven J. Hill +Cc: linux-mips@linux-mips.org +Cc: netdev@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/15745/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/net/bpf_jit.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/arch/mips/net/bpf_jit.c ++++ b/arch/mips/net/bpf_jit.c +@@ -562,7 +562,8 @@ static void save_bpf_jit_regs(struct jit + u32 sflags, tmp_flags; + + /* Adjust the stack pointer */ +- emit_stack_offset(-align_sp(offset), ctx); ++ if (offset) ++ emit_stack_offset(-align_sp(offset), ctx); + + if (ctx->flags & SEEN_CALL) { + /* Argument save area */ +@@ -641,7 +642,8 @@ static void restore_bpf_jit_regs(struct + emit_load_stack_reg(r_ra, r_sp, real_off, ctx); + + /* Restore the sp and discard the scrach memory */ +- emit_stack_offset(align_sp(offset), ctx); ++ if (offset) ++ emit_stack_offset(align_sp(offset), ctx); + } + + static unsigned int get_stack_depth(struct jit_ctx *ctx) +@@ -689,8 +691,14 @@ static void build_prologue(struct jit_ct + if (ctx->flags & SEEN_X) + emit_jit_reg_move(r_X, r_zero, ctx); + +- /* Do not leak kernel data to userspace */ +- if (bpf_needs_clear_a(&ctx->skf->insns[0])) ++ /* ++ * Do not leak kernel data to userspace, we only need to clear ++ * r_A if it is ever used. In fact if it is never used, we ++ * will not save/restore it, so clearing it in this case would ++ * corrupt the state of the caller. ++ */ ++ if (bpf_needs_clear_a(&ctx->skf->insns[0]) && ++ (ctx->flags & SEEN_A)) + emit_jit_reg_move(r_A, r_zero, ctx); + } + diff --git a/queue-3.18/mm-fix-false-positive-vm_bug_on-in-page_cache_-get-add-_speculative.patch b/queue-3.18/mm-fix-false-positive-vm_bug_on-in-page_cache_-get-add-_speculative.patch new file mode 100644 index 00000000000..4ef5e979c95 --- /dev/null +++ b/queue-3.18/mm-fix-false-positive-vm_bug_on-in-page_cache_-get-add-_speculative.patch @@ -0,0 +1,74 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Kirill A. Shutemov" +Date: Fri, 24 Mar 2017 14:13:05 +0300 +Subject: mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative() + +From: "Kirill A. Shutemov" + + +[ Upstream commit 591a3d7c09fa08baff48ad86c2347dbd28a52753 ] + +0day testing by Fengguang Wu triggered this crash while running Trinity: + + kernel BUG at include/linux/pagemap.h:151! + ... + CPU: 0 PID: 458 Comm: trinity-c0 Not tainted 4.11.0-rc2-00251-g2947ba0 #1 + ... + Call Trace: + __get_user_pages_fast() + get_user_pages_fast() + get_futex_key() + futex_requeue() + do_futex() + SyS_futex() + do_syscall_64() + entry_SYSCALL64_slow_path() + +It' VM_BUG_ON() due to false-negative in_atomic(). We call +page_cache_get_speculative() with disabled local interrupts. +It should be atomic enough. + +So let's check for disabled interrupts in the VM_BUG_ON() condition +too, to resolve this. + +( This got triggered by the conversion of the x86 GUP code to the + generic GUP code. ) + +Reported-by: Fengguang Wu +Signed-off-by: Kirill A. Shutemov +Cc: Andrew Morton +Cc: Aneesh Kumar K.V +Cc: Kirill A. Shutemov +Cc: LKP +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20170324114709.pcytvyb3d6ajux33@black.fi.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pagemap.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/pagemap.h ++++ b/include/linux/pagemap.h +@@ -146,7 +146,7 @@ static inline int page_cache_get_specula + + #ifdef CONFIG_TINY_RCU + # ifdef CONFIG_PREEMPT_COUNT +- VM_BUG_ON(!in_atomic()); ++ VM_BUG_ON(!in_atomic() && !irqs_disabled()); + # endif + /* + * Preempt must be disabled here - we rely on rcu_read_lock doing +@@ -184,7 +184,7 @@ static inline int page_cache_add_specula + + #if !defined(CONFIG_SMP) && defined(CONFIG_TREE_RCU) + # ifdef CONFIG_PREEMPT_COUNT +- VM_BUG_ON(!in_atomic()); ++ VM_BUG_ON(!in_atomic() && !irqs_disabled()); + # endif + VM_BUG_ON_PAGE(page_count(page) == 0, page); + atomic_add(count, &page->_count); diff --git a/queue-3.18/mtd-nand-fix-interpretation-of-nand_cmd_none-in-nand_command.patch b/queue-3.18/mtd-nand-fix-interpretation-of-nand_cmd_none-in-nand_command.patch new file mode 100644 index 00000000000..daea63f32d3 --- /dev/null +++ b/queue-3.18/mtd-nand-fix-interpretation-of-nand_cmd_none-in-nand_command.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Miquel Raynal +Date: Wed, 8 Nov 2017 17:00:27 +0100 +Subject: mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() + +From: Miquel Raynal + + +[ Upstream commit df467899da0b71465760b4e35127bce837244eee ] + +Some drivers (like nand_hynix.c) call ->cmdfunc() with NAND_CMD_NONE +and a column address and expect the controller to only send address +cycles. Right now, the default ->cmdfunc() implementations provided by +the core do not filter out the command cycle in this case and forwards +the request to the controller driver through the ->cmd_ctrl() method. +The thing is, NAND controller drivers can get this wrong and send a +command cycle with a NAND_CMD_NONE opcode and since NAND_CMD_NONE is +-1, and the command field is usually casted to an u8, we end up sending +the 0xFF command which is actually a RESET operation. + +Add conditions in nand_command[_lp]() functions to sending the initial +command cycle when command == NAND_CMD_NONE. + +Signed-off-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/nand_base.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -600,7 +600,8 @@ static void nand_command(struct mtd_info + chip->cmd_ctrl(mtd, readcmd, ctrl); + ctrl &= ~NAND_CTRL_CHANGE; + } +- chip->cmd_ctrl(mtd, command, ctrl); ++ if (command != NAND_CMD_NONE) ++ chip->cmd_ctrl(mtd, command, ctrl); + + /* Address cycle, when necessary */ + ctrl = NAND_CTRL_ALE | NAND_CTRL_CHANGE; +@@ -629,6 +630,7 @@ static void nand_command(struct mtd_info + */ + switch (command) { + ++ case NAND_CMD_NONE: + case NAND_CMD_PAGEPROG: + case NAND_CMD_ERASE1: + case NAND_CMD_ERASE2: +@@ -691,7 +693,9 @@ static void nand_command_lp(struct mtd_i + } + + /* Command latch cycle */ +- chip->cmd_ctrl(mtd, command, NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE); ++ if (command != NAND_CMD_NONE) ++ chip->cmd_ctrl(mtd, command, ++ NAND_NCE | NAND_CLE | NAND_CTRL_CHANGE); + + if (column != -1 || page_addr != -1) { + int ctrl = NAND_CTRL_CHANGE | NAND_NCE | NAND_ALE; +@@ -724,6 +728,7 @@ static void nand_command_lp(struct mtd_i + */ + switch (command) { + ++ case NAND_CMD_NONE: + case NAND_CMD_CACHEDPROG: + case NAND_CMD_PAGEPROG: + case NAND_CMD_ERASE1: diff --git a/queue-3.18/mtd-nand-ifc-update-bufnum-mask-for-ver-2.0.0.patch b/queue-3.18/mtd-nand-ifc-update-bufnum-mask-for-ver-2.0.0.patch new file mode 100644 index 00000000000..9e768304921 --- /dev/null +++ b/queue-3.18/mtd-nand-ifc-update-bufnum-mask-for-ver-2.0.0.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Jagdish Gediya +Date: Thu, 23 Nov 2017 17:04:31 +0530 +Subject: mtd: nand: ifc: update bufnum mask for ver >= 2.0.0 + +From: Jagdish Gediya + + +[ Upstream commit bccb06c353af3764ca86d9da47652458e6c2eb41 ] + +Bufnum mask is used to calculate page position in the internal SRAM. + +As IFC version 2.0.0 has 16KB of internal SRAM as compared to older +versions which had 8KB. Hence bufnum mask needs to be updated. + +Signed-off-by: Jagdish Gediya +Signed-off-by: Prabhakar Kushwaha +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/fsl_ifc_nand.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/mtd/nand/fsl_ifc_nand.c ++++ b/drivers/mtd/nand/fsl_ifc_nand.c +@@ -988,6 +988,13 @@ static int fsl_ifc_chip_init(struct fsl_ + if (ver == FSL_IFC_V1_1_0) + fsl_ifc_sram_init(priv); + ++ /* ++ * As IFC version 2.0.0 has 16KB of internal SRAM as compared to older ++ * versions which had 8KB. Hence bufnum mask needs to be updated. ++ */ ++ if (ctrl->version >= FSL_IFC_VERSION_2_0_0) ++ priv->bufnum_mask = (priv->bufnum_mask * 2) + 1; ++ + return 0; + } + diff --git a/queue-3.18/net-faraday-add-missing-include-of-of.h.patch b/queue-3.18/net-faraday-add-missing-include-of-of.h.patch new file mode 100644 index 00000000000..eab1da4c848 --- /dev/null +++ b/queue-3.18/net-faraday-add-missing-include-of-of.h.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Andrew Lunn +Date: Sun, 2 Apr 2017 20:20:47 +0200 +Subject: net/faraday: Add missing include of of.h + +From: Andrew Lunn + + +[ Upstream commit d39004ab136ebb6949a7dda9d24376f3d6209295 ] + +Breaking the include loop netdevice.h, dsa.h, devlink.h broke this +driver, it depends on includes brought in by these headers. Adding +linux/of.h fixes it. + +Fixes: ed0e39e97d34 ("net: break include loop netdevice.h, dsa.h, devlink.h") +Signed-off-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/faraday/ftgmac100.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/faraday/ftgmac100.c ++++ b/drivers/net/ethernet/faraday/ftgmac100.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-3.18/net-mvpp2-set-dma-mask-and-coherent-dma-mask-on-ppv2.2.patch b/queue-3.18/net-mvpp2-set-dma-mask-and-coherent-dma-mask-on-ppv2.2.patch new file mode 100644 index 00000000000..05911f97a05 --- /dev/null +++ b/queue-3.18/net-mvpp2-set-dma-mask-and-coherent-dma-mask-on-ppv2.2.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Thomas Petazzoni +Date: Tue, 7 Mar 2017 16:53:19 +0100 +Subject: net: mvpp2: set dma mask and coherent dma mask on PPv2.2 + +From: Thomas Petazzoni + + +[ Upstream commit 2067e0a13cfe0b1bdca7b91bc5e4f2740b07d478 ] + +On PPv2.2, the streaming mappings can be anywhere in the first 40 bits +of the physical address space. However, for the coherent mappings, we +still need them to be in the first 32 bits of the address space, +because all BM pools share a single register to store the high 32 bits +of the BM pool address, which means all BM pools must be allocated in +the same 4GB memory area. + +Signed-off-by: Thomas Petazzoni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/marvell/mvpp2.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/net/ethernet/marvell/mvpp2.c ++++ b/drivers/net/ethernet/marvell/mvpp2.c +@@ -6339,6 +6339,20 @@ static int mvpp2_probe(struct platform_d + /* Get system's tclk rate */ + priv->tclk = clk_get_rate(priv->pp_clk); + ++ if (priv->hw_version == MVPP22) { ++ err = dma_set_mask(&pdev->dev, DMA_BIT_MASK(40)); ++ if (err) ++ goto err_mg_clk; ++ /* Sadly, the BM pools all share the same register to ++ * store the high 32 bits of their address. So they ++ * must all have the same high 32 bits, which forces ++ * us to restrict coherent memory to DMA_BIT_MASK(32). ++ */ ++ err = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32)); ++ if (err) ++ goto err_mg_clk; ++ } ++ + /* Initialize network controller */ + err = mvpp2_init(pdev, priv); + if (err < 0) { diff --git a/queue-3.18/net-xfrm-allow-clearing-socket-xfrm-policies.patch b/queue-3.18/net-xfrm-allow-clearing-socket-xfrm-policies.patch new file mode 100644 index 00000000000..1cfa5fbd8c2 --- /dev/null +++ b/queue-3.18/net-xfrm-allow-clearing-socket-xfrm-policies.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Lorenzo Colitti +Date: Mon, 20 Nov 2017 19:26:02 +0900 +Subject: net: xfrm: allow clearing socket xfrm policies. + +From: Lorenzo Colitti + + +[ Upstream commit be8f8284cd897af2482d4e54fbc2bdfc15557259 ] + +Currently it is possible to add or update socket policies, but +not clear them. Therefore, once a socket policy has been applied, +the socket cannot be used for unencrypted traffic. + +This patch allows (privileged) users to clear socket policies by +passing in a NULL pointer and zero length argument to the +{IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both +the incoming and outgoing policies being cleared. + +The simple approach taken in this patch cannot clear socket +policies in only one direction. If desired this could be added +in the future, for example by continuing to pass in a length of +zero (which currently is guaranteed to return EMSGSIZE) and +making the policy be a pointer to an integer that contains one +of the XFRM_POLICY_{IN,OUT} enum values. + +An alternative would have been to interpret the length as a +signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the +input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output +policy. + +Tested: https://android-review.googlesource.com/539816 +Signed-off-by: Lorenzo Colitti +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_policy.c | 2 +- + net/xfrm/xfrm_state.c | 7 +++++++ + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1292,7 +1292,7 @@ EXPORT_SYMBOL(xfrm_policy_delete); + + int xfrm_sk_policy_insert(struct sock *sk, int dir, struct xfrm_policy *pol) + { +- struct net *net = xp_net(pol); ++ struct net *net = sock_net(sk); + struct xfrm_policy *old_pol; + + #ifdef CONFIG_XFRM_SUB_POLICY +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1845,6 +1845,13 @@ int xfrm_user_policy(struct sock *sk, in + struct xfrm_mgr *km; + struct xfrm_policy *pol = NULL; + ++ if (!optval && !optlen) { ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_IN, NULL); ++ xfrm_sk_policy_insert(sk, XFRM_POLICY_OUT, NULL); ++ __sk_dst_reset(sk); ++ return 0; ++ } ++ + if (optlen <= 0 || optlen > PAGE_SIZE) + return -EMSGSIZE; + diff --git a/queue-3.18/of-fix-of_device_get_modalias-returned-length-when-truncating-buffers.patch b/queue-3.18/of-fix-of_device_get_modalias-returned-length-when-truncating-buffers.patch new file mode 100644 index 00000000000..9f7b345c5da --- /dev/null +++ b/queue-3.18/of-fix-of_device_get_modalias-returned-length-when-truncating-buffers.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Rob Herring +Date: Mon, 16 Jan 2017 14:28:39 -0600 +Subject: of: fix of_device_get_modalias returned length when truncating buffers + +From: Rob Herring + + +[ Upstream commit bcf54d5385abaea9c8026aae6f4eeb348671a52d ] + +If the length of the modalias is greater than the buffer size, then the +modalias is truncated. However the untruncated length is returned which +will cause an error. Fix this to return the truncated length. If an error +in the case was desired, then then we should just return -ENOMEM. + +The reality is no device will ever have 4KB of compatible strings to hit +this case. + +Signed-off-by: Rob Herring +Cc: Frank Rowand +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/of/device.c ++++ b/drivers/of/device.c +@@ -126,7 +126,7 @@ ssize_t of_device_get_modalias(struct de + str[i] = '_'; + } + +- return tsize; ++ return repend; + } + EXPORT_SYMBOL_GPL(of_device_get_modalias); + diff --git a/queue-3.18/pci-msi-stop-disabling-msi-msi-x-in-pci_device_shutdown.patch b/queue-3.18/pci-msi-stop-disabling-msi-msi-x-in-pci_device_shutdown.patch new file mode 100644 index 00000000000..4cbe9fcf63c --- /dev/null +++ b/queue-3.18/pci-msi-stop-disabling-msi-msi-x-in-pci_device_shutdown.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Prarit Bhargava +Date: Thu, 26 Jan 2017 14:07:47 -0500 +Subject: PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown() + +From: Prarit Bhargava + + +[ Upstream commit fda78d7a0ead144f4b2cdb582dcba47911f4952c ] + +The pci_bus_type .shutdown method, pci_device_shutdown(), is called from +device_shutdown() in the kernel restart and shutdown paths. + +Previously, pci_device_shutdown() called pci_msi_shutdown() and +pci_msix_shutdown(). This disables MSI and MSI-X, which causes the device +to fall back to raising interrupts via INTx. But the driver is still bound +to the device, it doesn't know about this change, and it likely doesn't +have an INTx handler, so these INTx interrupts cause "nobody cared" +warnings like this: + + irq 16: nobody cared (try booting with the "irqpoll" option) + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.2-1.el7_UNSUPPORTED.x86_64 #1 + Hardware name: Hewlett-Packard HP Z820 Workstation/158B, BIOS J63 v03.90 06/ + ... + +The MSI disabling code was added by d52877c7b1af ("pci/irq: let +pci_device_shutdown to call pci_msi_shutdown v2") because a driver left MSI +enabled and kdump failed because the kexeced kernel wasn't prepared to +receive the MSI interrupts. + +Subsequent commits 1851617cd2da ("PCI/MSI: Disable MSI at enumeration even +if kernel doesn't support MSI") and e80e7edc55ba ("PCI/MSI: Initialize MSI +capability for all architectures") changed the kexeced kernel to disable +all MSIs itself so it no longer depends on the crashed kernel to clean up +after itself. + +Stop disabling MSI/MSI-X in pci_device_shutdown(). This resolves the +"nobody cared" unhandled IRQ issue above. It also allows PCI serial +devices, which may rely on the MSI interrupts, to continue outputting +messages during reboot/shutdown. + +[bhelgaas: changelog, drop pci_msi_shutdown() and pci_msix_shutdown() calls +altogether] +Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=187351 +Signed-off-by: Prarit Bhargava +Signed-off-by: Bjorn Helgaas +CC: Alex Williamson +CC: David Arcari +CC: Myron Stowe +CC: Lukas Wunner +CC: Keith Busch +CC: Mika Westerberg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-driver.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/pci/pci-driver.c ++++ b/drivers/pci/pci-driver.c +@@ -450,8 +450,6 @@ static void pci_device_shutdown(struct d + + if (drv && drv->shutdown) + drv->shutdown(pci_dev); +- pci_msi_shutdown(pci_dev); +- pci_msix_shutdown(pci_dev); + + #ifdef CONFIG_KEXEC + /* diff --git a/queue-3.18/perf-inject-copy-events-when-reordering-events-in-pipe-mode.patch b/queue-3.18/perf-inject-copy-events-when-reordering-events-in-pipe-mode.patch new file mode 100644 index 00000000000..f001595d215 --- /dev/null +++ b/queue-3.18/perf-inject-copy-events-when-reordering-events-in-pipe-mode.patch @@ -0,0 +1,101 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: David Carrillo-Cisneros +Date: Mon, 10 Apr 2017 13:14:27 -0700 +Subject: perf inject: Copy events when reordering events in pipe mode + +From: David Carrillo-Cisneros + + +[ Upstream commit 1e0d4f0200e4dbdfc38d818f329d8a0955f7c6f5 ] + +__perf_session__process_pipe_events reuses the same memory buffer to +process all events in the pipe. + +When reordering is needed (e.g. -b option), events are not immediately +flushed, but kept around until reordering is possible, causing +memory corruption. + +The problem is usually observed by a "Unknown sample error" output. It +can easily be reproduced by: + + perf record -o - noploop | perf inject -b > output + +Committer testing: + +Before: + + $ perf record -o - stress -t 2 -c 2 | perf inject -b > /dev/null + stress: info: [8297] dispatching hogs: 2 cpu, 0 io, 0 vm, 0 hdd + stress: info: [8297] successful run completed in 2s + [ perf record: Woken up 3 times to write data ] + [ perf record: Captured and wrote 0.000 MB - ] + Warning: + Found 1 unknown events! + + Is this an older tool processing a perf.data file generated by a more recent tool? + + If that is not the case, consider reporting to linux-kernel@vger.kernel.org. + + $ + +After: + + $ perf record -o - stress -t 2 -c 2 | perf inject -b > /dev/null + stress: info: [9027] dispatching hogs: 2 cpu, 0 io, 0 vm, 0 hdd + stress: info: [9027] successful run completed in 2s + [ perf record: Woken up 3 times to write data ] + [ perf record: Captured and wrote 0.000 MB - ] + no symbols found in /usr/bin/stress, maybe install a debug package? + no symbols found in /usr/bin/stress, maybe install a debug package? + $ + +Signed-off-by: David Carrillo-Cisneros +Tested-by: Arnaldo Carvalho de Melo +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: He Kuang +Cc: Masami Hiramatsu +Cc: Paul Turner +Cc: Peter Zijlstra +Cc: Simon Que +Cc: Stephane Eranian +Cc: Wang Nan +Link: http://lkml.kernel.org/r/20170410201432.24807-3-davidcc@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/ordered-events.c | 3 ++- + tools/perf/util/session.c | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/ordered-events.c ++++ b/tools/perf/util/ordered-events.c +@@ -80,7 +80,7 @@ static union perf_event *dup_event(struc + + static void free_dup_event(struct ordered_events *oe, union perf_event *event) + { +- if (oe->copy_on_queue) { ++ if (event && oe->copy_on_queue) { + oe->cur_alloc_size -= event->header.size; + free(event); + } +@@ -151,6 +151,7 @@ void ordered_events__delete(struct order + list_move(&event->list, &oe->cache); + oe->nr_events--; + free_dup_event(oe, event->event); ++ event->event = NULL; + } + + static int __ordered_events__flush(struct perf_session *s, +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -1080,6 +1080,7 @@ static int __perf_session__process_pipe_ + buf = malloc(cur_size); + if (!buf) + return -errno; ++ ordered_events__set_copy_on_queue(oe, true); + more: + event = buf; + err = readn(fd, event, sizeof(struct perf_event_header)); diff --git a/queue-3.18/perf-session-don-t-rely-on-evlist-in-pipe-mode.patch b/queue-3.18/perf-session-don-t-rely-on-evlist-in-pipe-mode.patch new file mode 100644 index 00000000000..bc6e1816090 --- /dev/null +++ b/queue-3.18/perf-session-don-t-rely-on-evlist-in-pipe-mode.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: David Carrillo-Cisneros +Date: Mon, 10 Apr 2017 13:14:30 -0700 +Subject: perf session: Don't rely on evlist in pipe mode + +From: David Carrillo-Cisneros + + +[ Upstream commit 0973ad97c187e06aece61f685b9c3b2d93290a73 ] + +Session sets a number parameters that rely on evlist. These parameters +are not used in pipe-mode and should not be set, since evlist is +unavailable. Fix that. + +Signed-off-by: David Carrillo-Cisneros +Acked-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: He Kuang +Cc: Masami Hiramatsu +Cc: Paul Turner +Cc: Peter Zijlstra +Cc: Simon Que +Cc: Stephane Eranian +Cc: Wang Nan +Link: http://lkml.kernel.org/r/20170410201432.24807-6-davidcc@google.com +[ Check if file != NULL in perf_session__new(), like when used by builtin-top.c ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/session.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/tools/perf/util/session.c ++++ b/tools/perf/util/session.c +@@ -108,8 +108,14 @@ struct perf_session *perf_session__new(s + if (perf_session__open(session) < 0) + goto out_close; + +- perf_session__set_id_hdr_size(session); +- perf_session__set_comm_exec(session); ++ /* ++ * set session attributes that are present in perf.data ++ * but not in pipe-mode. ++ */ ++ if (!file->is_pipe) { ++ perf_session__set_id_hdr_size(session); ++ perf_session__set_comm_exec(session); ++ } + } + } + +@@ -122,7 +128,11 @@ struct perf_session *perf_session__new(s + pr_warning("Cannot read kernel map\n"); + } + +- if (tool && tool->ordering_requires_timestamps && ++ /* ++ * In pipe-mode, evlist is empty until PERF_RECORD_HEADER_ATTR is ++ * processed, so perf_evlist__sample_id_all is not meaningful here. ++ */ ++ if ((!file || !file->is_pipe) && tool && tool->ordering_requires_timestamps && + tool->ordered_events && !perf_evlist__sample_id_all(session->evlist)) { + dump_printf("WARNING: No sample_id_all support, falling back to unordered processing\n"); + tool->ordered_events = false; diff --git a/queue-3.18/perf-tools-make-perf_event__synthesize_mmap_events-scale.patch b/queue-3.18/perf-tools-make-perf_event__synthesize_mmap_events-scale.patch new file mode 100644 index 00000000000..632fb8edc17 --- /dev/null +++ b/queue-3.18/perf-tools-make-perf_event__synthesize_mmap_events-scale.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Stephane Eranian +Date: Wed, 15 Mar 2017 10:17:13 -0700 +Subject: perf tools: Make perf_event__synthesize_mmap_events() scale + +From: Stephane Eranian + + +[ Upstream commit 88b897a30c525c2eee6e7f16e1e8d0f18830845e ] + +This patch significantly improves the execution time of +perf_event__synthesize_mmap_events() when running perf record on systems +where processes have lots of threads. + +It just happens that cat /proc/pid/maps support uses a O(N^2) algorithm to +generate each map line in the maps file. If you have 1000 threads, then you +have necessarily 1000 stacks. For each vma, you need to check if it +corresponds to a thread's stack. With a large number of threads, this can take +a very long time. I have seen latencies >> 10mn. + +As of today, perf does not use the fact that a mapping is a stack, therefore we +can work around the issue by using /proc/pid/tasks/pid/maps. This entry does +not try to map a vma to stack and is thus much faster with no loss of +functonality. + +The proc-map-timeout logic is kept in case users still want some upper limit. + +In V2, we fix the file path from /proc/pid/tasks/pid/maps to actual +/proc/pid/task/pid/maps, tasks -> task. Thanks Arnaldo for catching this. + +Committer note: + +This problem seems to have been elliminated in the kernel since commit : +b18cb64ead40 ("fs/proc: Stop trying to report thread stacks"). + +Signed-off-by: Stephane Eranian +Acked-by: Jiri Olsa +Cc: Andy Lutomirski +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20170315135059.GC2177@redhat.com +Link: http://lkml.kernel.org/r/1489598233-25586-1-git-send-email-eranian@google.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/event.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/event.c ++++ b/tools/perf/util/event.c +@@ -167,8 +167,8 @@ int perf_event__synthesize_mmap_events(s + if (machine__is_default_guest(machine)) + return 0; + +- snprintf(filename, sizeof(filename), "%s/proc/%d/maps", +- machine->root_dir, pid); ++ snprintf(filename, sizeof(filename), "%s/proc/%d/task/%d/maps", ++ machine->root_dir, pid, pid); + + fp = fopen(filename, "r"); + if (fp == NULL) { diff --git a/queue-3.18/powerpc-avoid-taking-a-data-miss-on-every-userspace-instruction-miss.patch b/queue-3.18/powerpc-avoid-taking-a-data-miss-on-every-userspace-instruction-miss.patch new file mode 100644 index 00000000000..15e8898e2ce --- /dev/null +++ b/queue-3.18/powerpc-avoid-taking-a-data-miss-on-every-userspace-instruction-miss.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Anton Blanchard +Date: Mon, 3 Apr 2017 16:41:02 +1000 +Subject: powerpc: Avoid taking a data miss on every userspace instruction miss + +From: Anton Blanchard + + +[ Upstream commit a7a9dcd882a67b68568868b988289fce5ffd8419 ] + +Early on in do_page_fault() we call store_updates_sp(), regardless of +the type of exception. For an instruction miss this doesn't make +sense, because we only use this information to detect if a data miss +is the result of a stack expansion instruction or not. + +Worse still, it results in a data miss within every userspace +instruction miss handler, because we try and load the very instruction +we are about to install a pte for! + +A simple exec microbenchmark runs 6% faster on POWER8 with this fix: + + #include + #include + #include + +int main(int argc, char *argv[]) +{ + unsigned long left = atol(argv[1]); + char leftstr[16]; + + if (left-- == 0) + return 0; + + sprintf(leftstr, "%ld", left); + execlp(argv[0], argv[0], leftstr, NULL); + perror("exec failed\n"); + + return 0; +} + +Pass the number of iterations on the command line (eg 10000) and time +how long it takes to execute. + +Signed-off-by: Anton Blanchard +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/fault.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/mm/fault.c ++++ b/arch/powerpc/mm/fault.c +@@ -294,7 +294,7 @@ int __kprobes do_page_fault(struct pt_re + * can result in fault, which will cause a deadlock when called with + * mmap_sem held + */ +- if (user_mode(regs)) ++ if (!is_exec && user_mode(regs)) + store_update_sp = store_updates_sp(regs); + + if (user_mode(regs)) diff --git a/queue-3.18/rcutorture-configinit-fix-build-directory-error-message.patch b/queue-3.18/rcutorture-configinit-fix-build-directory-error-message.patch new file mode 100644 index 00000000000..fb1eda72ce3 --- /dev/null +++ b/queue-3.18/rcutorture-configinit-fix-build-directory-error-message.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: SeongJae Park +Date: Fri, 3 Nov 2017 19:17:20 +0900 +Subject: rcutorture/configinit: Fix build directory error message + +From: SeongJae Park + + +[ Upstream commit 2adfa4210f8f35cdfb4e08318cc06b99752964c2 ] + +The 'configinit.sh' script checks the format of optional argument for the +build directory, printing an error message if the format is not valid. +However, the error message uses the wrong variable, indicating an empty +string even though the user entered a non-empty (but erroneous) string. +This commit fixes the script to use the correct variable. + +Fixes: c87b9c601ac8 ("rcutorture: Add KVM-based test framework") + +Signed-off-by: SeongJae Park +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/rcutorture/bin/configinit.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/rcutorture/bin/configinit.sh ++++ b/tools/testing/selftests/rcutorture/bin/configinit.sh +@@ -51,7 +51,7 @@ then + mkdir $builddir + fi + else +- echo Bad build directory: \"$builddir\" ++ echo Bad build directory: \"$buildloc\" + exit 2 + fi + fi diff --git a/queue-3.18/regulator-isl9305-fix-array-size.patch b/queue-3.18/regulator-isl9305-fix-array-size.patch new file mode 100644 index 00000000000..0957d6431e1 --- /dev/null +++ b/queue-3.18/regulator-isl9305-fix-array-size.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Vincent Stehlé" +Date: Sun, 9 Apr 2017 22:05:05 +0200 +Subject: regulator: isl9305: fix array size + +From: "Vincent Stehlé" + + +[ Upstream commit 0c08aaf873174c95e674cf21ffcd041c589d2e5b ] + +ISL9305_MAX_REGULATOR is the last index used to access the init_data[] +array, so we need to add one to this last index to obtain the necessary +array size. + +This fixes the following smatch error: + + drivers/regulator/isl9305.c:160 isl9305_i2c_probe() error: buffer overflow 'pdata->init_data' 3 <= 3 + +Fixes: dec38b5ce6a9edb4 ("regulator: isl9305: Add Intersil ISL9305/H driver") +Signed-off-by: Vincent Stehlé +Cc: Mark Brown +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/platform_data/isl9305.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/platform_data/isl9305.h ++++ b/include/linux/platform_data/isl9305.h +@@ -24,7 +24,7 @@ + struct regulator_init_data; + + struct isl9305_pdata { +- struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR]; ++ struct regulator_init_data *init_data[ISL9305_MAX_REGULATOR + 1]; + }; + + #endif diff --git a/queue-3.18/reiserfs-make-cancel_old_flush-reliable.patch b/queue-3.18/reiserfs-make-cancel_old_flush-reliable.patch new file mode 100644 index 00000000000..7adc8d39e33 --- /dev/null +++ b/queue-3.18/reiserfs-make-cancel_old_flush-reliable.patch @@ -0,0 +1,112 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Jan Kara +Date: Wed, 5 Apr 2017 14:09:48 +0200 +Subject: reiserfs: Make cancel_old_flush() reliable + +From: Jan Kara + + +[ Upstream commit 71b0576bdb862e964a82c73327cdd1a249c53e67 ] + +Currently canceling of delayed work that flushes old data using +cancel_old_flush() does not prevent work from being requeued. Thus +in theory new work can be queued after cancel_old_flush() from +reiserfs_freeze() has run. This will become larger problem once +flush_old_commits() can requeue the work itself. + +Fix the problem by recording in sbi->work_queue that flushing work is +canceled and should not be requeued. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/reiserfs/journal.c | 2 +- + fs/reiserfs/reiserfs.h | 1 + + fs/reiserfs/super.c | 21 +++++++++++++++------ + 3 files changed, 17 insertions(+), 7 deletions(-) + +--- a/fs/reiserfs/journal.c ++++ b/fs/reiserfs/journal.c +@@ -1961,7 +1961,7 @@ static int do_journal_release(struct rei + * will be requeued because superblock is being shutdown and doesn't + * have MS_ACTIVE set. + */ +- cancel_delayed_work_sync(&REISERFS_SB(sb)->old_work); ++ reiserfs_cancel_old_flush(sb); + /* wait for all commits to finish */ + cancel_delayed_work_sync(&SB_JOURNAL(sb)->j_work); + +--- a/fs/reiserfs/reiserfs.h ++++ b/fs/reiserfs/reiserfs.h +@@ -2946,6 +2946,7 @@ int reiserfs_allocate_list_bitmaps(struc + struct reiserfs_list_bitmap *, unsigned int); + + void reiserfs_schedule_old_flush(struct super_block *s); ++void reiserfs_cancel_old_flush(struct super_block *s); + void add_save_link(struct reiserfs_transaction_handle *th, + struct inode *inode, int truncate); + int remove_save_link(struct inode *inode, int truncate); +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -89,7 +89,9 @@ static void flush_old_commits(struct wor + s = sbi->s_journal->j_work_sb; + + spin_lock(&sbi->old_work_lock); +- sbi->work_queued = 0; ++ /* Avoid clobbering the cancel state... */ ++ if (sbi->work_queued == 1) ++ sbi->work_queued = 0; + spin_unlock(&sbi->old_work_lock); + + reiserfs_sync_fs(s, 1); +@@ -116,21 +118,22 @@ void reiserfs_schedule_old_flush(struct + spin_unlock(&sbi->old_work_lock); + } + +-static void cancel_old_flush(struct super_block *s) ++void reiserfs_cancel_old_flush(struct super_block *s) + { + struct reiserfs_sb_info *sbi = REISERFS_SB(s); + +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); + spin_lock(&sbi->old_work_lock); +- sbi->work_queued = 0; ++ /* Make sure no new flushes will be queued */ ++ sbi->work_queued = 2; + spin_unlock(&sbi->old_work_lock); ++ cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); + } + + static int reiserfs_freeze(struct super_block *s) + { + struct reiserfs_transaction_handle th; + +- cancel_old_flush(s); ++ reiserfs_cancel_old_flush(s); + + reiserfs_write_lock(s); + if (!(s->s_flags & MS_RDONLY)) { +@@ -151,7 +154,13 @@ static int reiserfs_freeze(struct super_ + + static int reiserfs_unfreeze(struct super_block *s) + { ++ struct reiserfs_sb_info *sbi = REISERFS_SB(s); ++ + reiserfs_allow_writes(s); ++ spin_lock(&sbi->old_work_lock); ++ /* Allow old_work to run again */ ++ sbi->work_queued = 0; ++ spin_unlock(&sbi->old_work_lock); + return 0; + } + +@@ -2164,7 +2173,7 @@ error_unlocked: + if (sbi->commit_wq) + destroy_workqueue(sbi->commit_wq); + +- cancel_delayed_work_sync(&REISERFS_SB(s)->old_work); ++ reiserfs_cancel_old_flush(s); + + reiserfs_free_bitmap_cache(s); + if (SB_BUFFER_WITH_SB(s)) diff --git a/queue-3.18/sched-act_csum-don-t-mangle-tcp-and-udp-gso-packets.patch b/queue-3.18/sched-act_csum-don-t-mangle-tcp-and-udp-gso-packets.patch new file mode 100644 index 00000000000..7d88b5f4f77 --- /dev/null +++ b/queue-3.18/sched-act_csum-don-t-mangle-tcp-and-udp-gso-packets.patch @@ -0,0 +1,80 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Davide Caratti +Date: Thu, 23 Mar 2017 10:39:40 +0100 +Subject: sched: act_csum: don't mangle TCP and UDP GSO packets + +From: Davide Caratti + + +[ Upstream commit add641e7dee31b36aee83412c29e39dd1f5e0c9c ] + +after act_csum computes the checksum on skbs carrying GSO TCP/UDP packets, +subsequent segmentation fails because skb_needs_check(skb, true) returns +true. Because of that, skb_warn_bad_offload() is invoked and the following +message is displayed: + +WARNING: CPU: 3 PID: 28 at net/core/dev.c:2553 skb_warn_bad_offload+0xf0/0xfd +<...> + + [] skb_warn_bad_offload+0xf0/0xfd + [] __skb_gso_segment+0xec/0x110 + [] validate_xmit_skb+0x12d/0x2b0 + [] validate_xmit_skb_list+0x42/0x70 + [] sch_direct_xmit+0xd0/0x1b0 + [] __qdisc_run+0x120/0x270 + [] __dev_queue_xmit+0x23d/0x690 + [] dev_queue_xmit+0x10/0x20 + +Since GSO is able to compute checksum on individual segments of such skbs, +we can simply skip mangling the packet. + +Signed-off-by: Davide Caratti +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_csum.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/net/sched/act_csum.c ++++ b/net/sched/act_csum.c +@@ -176,6 +176,9 @@ static int tcf_csum_ipv4_tcp(struct sk_b + struct tcphdr *tcph; + const struct iphdr *iph; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV4) ++ return 1; ++ + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph)); + if (tcph == NULL) + return 0; +@@ -197,6 +200,9 @@ static int tcf_csum_ipv6_tcp(struct sk_b + struct tcphdr *tcph; + const struct ipv6hdr *ip6h; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) ++ return 1; ++ + tcph = tcf_csum_skb_nextlayer(skb, ihl, ipl, sizeof(*tcph)); + if (tcph == NULL) + return 0; +@@ -220,6 +226,9 @@ static int tcf_csum_ipv4_udp(struct sk_b + const struct iphdr *iph; + u16 ul; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP) ++ return 1; ++ + /* + * Support both UDP and UDPLITE checksum algorithms, Don't use + * udph->len to get the real length without any protocol check, +@@ -273,6 +282,9 @@ static int tcf_csum_ipv6_udp(struct sk_b + const struct ipv6hdr *ip6h; + u16 ul; + ++ if (skb_is_gso(skb) && skb_shinfo(skb)->gso_type & SKB_GSO_UDP) ++ return 1; ++ + /* + * Support both UDP and UDPLITE checksum algorithms, Don't use + * udph->len to get the real length without any protocol check, diff --git a/queue-3.18/sched-stop-resched_cpu-from-sending-ipis-to-offline-cpus.patch b/queue-3.18/sched-stop-resched_cpu-from-sending-ipis-to-offline-cpus.patch new file mode 100644 index 00000000000..5ce32ccb787 --- /dev/null +++ b/queue-3.18/sched-stop-resched_cpu-from-sending-ipis-to-offline-cpus.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: "Paul E. McKenney" +Date: Fri, 13 Oct 2017 16:24:28 -0700 +Subject: sched: Stop resched_cpu() from sending IPIs to offline CPUs + +From: "Paul E. McKenney" + + +[ Upstream commit a0982dfa03efca6c239c52cabebcea4afb93ea6b ] + +The rcutorture test suite occasionally provokes a splat due to invoking +resched_cpu() on an offline CPU: + +WARNING: CPU: 2 PID: 8 at /home/paulmck/public_git/linux-rcu/arch/x86/kernel/smp.c:128 native_smp_send_reschedule+0x37/0x40 +Modules linked in: +CPU: 2 PID: 8 Comm: rcu_preempt Not tainted 4.14.0-rc4+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 +task: ffff902ede9daf00 task.stack: ffff96c50010c000 +RIP: 0010:native_smp_send_reschedule+0x37/0x40 +RSP: 0018:ffff96c50010fdb8 EFLAGS: 00010096 +RAX: 000000000000002e RBX: ffff902edaab4680 RCX: 0000000000000003 +RDX: 0000000080000003 RSI: 0000000000000000 RDI: 00000000ffffffff +RBP: ffff96c50010fdb8 R08: 0000000000000000 R09: 0000000000000001 +R10: 0000000000000000 R11: 00000000299f36ae R12: 0000000000000001 +R13: ffffffff9de64240 R14: 0000000000000001 R15: ffffffff9de64240 +FS: 0000000000000000(0000) GS:ffff902edfc80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000000f7d4c642 CR3: 000000001e0e2000 CR4: 00000000000006e0 +Call Trace: + resched_curr+0x8f/0x1c0 + resched_cpu+0x2c/0x40 + rcu_implicit_dynticks_qs+0x152/0x220 + force_qs_rnp+0x147/0x1d0 + ? sync_rcu_exp_select_cpus+0x450/0x450 + rcu_gp_kthread+0x5a9/0x950 + kthread+0x142/0x180 + ? force_qs_rnp+0x1d0/0x1d0 + ? kthread_create_on_node+0x40/0x40 + ret_from_fork+0x27/0x40 +Code: 14 01 0f 92 c0 84 c0 74 14 48 8b 05 14 4f f4 00 be fd 00 00 00 ff 90 a0 00 00 00 5d c3 89 fe 48 c7 c7 38 89 ca 9d e8 e5 56 08 00 <0f> ff 5d c3 0f 1f 44 00 00 8b 05 52 9e 37 02 85 c0 75 38 55 48 +---[ end trace 26df9e5df4bba4ac ]--- + +This splat cannot be generated by expedited grace periods because they +always invoke resched_cpu() on the current CPU, which is good because +expedited grace periods require that resched_cpu() unconditionally +succeed. However, other parts of RCU can tolerate resched_cpu() acting +as a no-op, at least as long as it doesn't happen too often. + +This commit therefore makes resched_cpu() invoke resched_curr() only if +the CPU is either online or is the current CPU. + +Signed-off-by: Paul E. McKenney +Cc: Ingo Molnar +Cc: Peter Zijlstra + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -633,7 +633,8 @@ void resched_cpu(int cpu) + unsigned long flags; + + raw_spin_lock_irqsave(&rq->lock, flags); +- resched_curr(rq); ++ if (cpu_online(cpu) || cpu == smp_processor_id()) ++ resched_curr(rq); + raw_spin_unlock_irqrestore(&rq->lock, flags); + } + diff --git a/queue-3.18/scsi-devinfo-apply-to-hp-xp-the-same-flags-as-hitachi-vsp.patch b/queue-3.18/scsi-devinfo-apply-to-hp-xp-the-same-flags-as-hitachi-vsp.patch new file mode 100644 index 00000000000..a9765c781e5 --- /dev/null +++ b/queue-3.18/scsi-devinfo-apply-to-hp-xp-the-same-flags-as-hitachi-vsp.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Xose Vazquez Perez +Date: Fri, 17 Nov 2017 21:31:36 +0100 +Subject: scsi: devinfo: apply to HP XP the same flags as Hitachi VSP + +From: Xose Vazquez Perez + + +[ Upstream commit b369a0471503130cfc74f9f62071db97f48948c3 ] + +Commit 56f3d383f37b ("scsi: scsi_devinfo: Add TRY_VPD_PAGES to HITACHI +OPEN-V blacklist entry") modified some Hitachi entries: + + HITACHI is always supporting VPD pages, even though it's claiming to + support SCSI Revision 3 only. + +The same should have been done also for HP-rebranded. + +[mkp: checkpatch and tweaked commit message] + +Cc: Hannes Reinecke +Cc: Takahiro Yasui +Cc: Matthias Rudolph +Cc: Martin K. Petersen +Cc: James E.J. Bottomley +Cc: SCSI ML +Signed-off-by: Xose Vazquez Perez +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_devinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -180,7 +180,7 @@ static struct { + {"HITACHI", "6586-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HITACHI", "6588-", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"HP", "A6189A", NULL, BLIST_SPARSELUN | BLIST_LARGELUN}, /* HP VA7400 */ +- {"HP", "OPEN-", "*", BLIST_REPORTLUN2}, /* HP XP Arrays */ ++ {"HP", "OPEN-", "*", BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES}, /* HP XP Arrays */ + {"HP", "NetRAID-4M", NULL, BLIST_FORCELUN}, + {"HP", "HSV100", NULL, BLIST_REPORTLUN2 | BLIST_NOSTARTONADD}, + {"HP", "C1557A", NULL, BLIST_FORCELUN}, diff --git a/queue-3.18/scsi-ipr-fix-missed-eh-wakeup.patch b/queue-3.18/scsi-ipr-fix-missed-eh-wakeup.patch new file mode 100644 index 00000000000..6cd4f28d3f9 --- /dev/null +++ b/queue-3.18/scsi-ipr-fix-missed-eh-wakeup.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Brian King +Date: Wed, 15 Mar 2017 16:58:36 -0500 +Subject: scsi: ipr: Fix missed EH wakeup + +From: Brian King + + +[ Upstream commit 66a0d59cdd12546ddf01d229de28b07ccf6d637f ] + +Following a command abort or device reset, ipr's EH handlers wait for +the commands getting aborted to get sent back from the adapter prior to +returning from the EH handler. This fixes up some cases where the +completion handler was not getting called, which would have resulted in +the EH thread waiting until it timed out, greatly extending EH time. + +Signed-off-by: Brian King +Reviewed-by: Wendy Xiong +Tested-by: Wendy Xiong +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ipr.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -828,8 +828,10 @@ static void ipr_sata_eh_done(struct ipr_ + + qc->err_mask |= AC_ERR_OTHER; + sata_port->ioasa.status |= ATA_BUSY; +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + ata_qc_complete(qc); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -5830,8 +5832,10 @@ static void ipr_erp_done(struct ipr_cmnd + res->in_erp = 0; + } + scsi_dma_unmap(ipr_cmd->scsi_cmd); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -6214,8 +6218,10 @@ static void ipr_erp_start(struct ipr_ioa + } + + scsi_dma_unmap(ipr_cmd->scsi_cmd); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + } + + /** +@@ -6241,8 +6247,10 @@ static void ipr_scsi_done(struct ipr_cmn + scsi_dma_unmap(scsi_cmd); + + spin_lock_irqsave(ipr_cmd->hrrq->lock, lock_flags); +- list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + scsi_cmd->scsi_done(scsi_cmd); ++ if (ipr_cmd->eh_comp) ++ complete(ipr_cmd->eh_comp); ++ list_add_tail(&ipr_cmd->queue, &ipr_cmd->hrrq->hrrq_free_q); + spin_unlock_irqrestore(ipr_cmd->hrrq->lock, lock_flags); + } else { + spin_lock_irqsave(ioa_cfg->host->host_lock, lock_flags); diff --git a/queue-3.18/scsi-sg-check-for-valid-direction-before-starting-the-request.patch b/queue-3.18/scsi-sg-check-for-valid-direction-before-starting-the-request.patch new file mode 100644 index 00000000000..e5514e13d50 --- /dev/null +++ b/queue-3.18/scsi-sg-check-for-valid-direction-before-starting-the-request.patch @@ -0,0 +1,98 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Johannes Thumshirn +Date: Fri, 7 Apr 2017 09:34:15 +0200 +Subject: scsi: sg: check for valid direction before starting the request + +From: Johannes Thumshirn + + +[ Upstream commit 28676d869bbb5257b5f14c0c95ad3af3a7019dd5 ] + +Check for a valid direction before starting the request, otherwise we +risk running into an assertion in the scsi midlayer checking for valid +requests. + +[mkp: fixed typo] + +Signed-off-by: Johannes Thumshirn +Link: http://www.spinics.net/lists/linux-scsi/msg104400.html +Reported-by: Dmitry Vyukov +Signed-off-by: Hannes Reinecke +Tested-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 46 ++++++++++++++++++++++++++++++++++------------ + 1 file changed, 34 insertions(+), 12 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -674,18 +674,14 @@ sg_write(struct file *filp, const char _ + * is a non-zero input_size, so emit a warning. + */ + if (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV) { +- static char cmd[TASK_COMM_LEN]; +- if (strcmp(current->comm, cmd)) { +- printk_ratelimited(KERN_WARNING +- "sg_write: data in/out %d/%d bytes " +- "for SCSI command 0x%x-- guessing " +- "data in;\n program %s not setting " +- "count and/or reply_len properly\n", +- old_hdr.reply_len - (int)SZ_SG_HEADER, +- input_size, (unsigned int) cmnd[0], +- current->comm); +- strcpy(cmd, current->comm); +- } ++ printk_ratelimited(KERN_WARNING ++ "sg_write: data in/out %d/%d bytes " ++ "for SCSI command 0x%x-- guessing " ++ "data in;\n program %s not setting " ++ "count and/or reply_len properly\n", ++ old_hdr.reply_len - (int)SZ_SG_HEADER, ++ input_size, (unsigned int) cmnd[0], ++ current->comm); + } + k = sg_common_write(sfp, srp, cmnd, sfp->timeout, blocking); + return (k < 0) ? k : count; +@@ -764,6 +760,29 @@ sg_new_write(Sg_fd *sfp, struct file *fi + return count; + } + ++static bool sg_is_valid_dxfer(sg_io_hdr_t *hp) ++{ ++ switch (hp->dxfer_direction) { ++ case SG_DXFER_NONE: ++ if (hp->dxferp || hp->dxfer_len > 0) ++ return false; ++ return true; ++ case SG_DXFER_TO_DEV: ++ case SG_DXFER_FROM_DEV: ++ case SG_DXFER_TO_FROM_DEV: ++ if (!hp->dxferp || hp->dxfer_len == 0) ++ return false; ++ return true; ++ case SG_DXFER_UNKNOWN: ++ if ((!hp->dxferp && hp->dxfer_len) || ++ (hp->dxferp && hp->dxfer_len == 0)) ++ return false; ++ return true; ++ default: ++ return false; ++ } ++} ++ + static int + sg_common_write(Sg_fd * sfp, Sg_request * srp, + unsigned char *cmnd, int timeout, int blocking) +@@ -784,6 +803,9 @@ sg_common_write(Sg_fd * sfp, Sg_request + "sg_common_write: scsi opcode=0x%02x, cmd_size=%d\n", + (int) cmnd[0], (int) hp->cmd_len)); + ++ if (!sg_is_valid_dxfer(hp)) ++ return -EINVAL; ++ + k = sg_start_req(srp, cmnd); + if (k) { + SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp, diff --git a/queue-3.18/scsi-sg-close-race-condition-in-sg_remove_sfp_usercontext.patch b/queue-3.18/scsi-sg-close-race-condition-in-sg_remove_sfp_usercontext.patch new file mode 100644 index 00000000000..136668b6d75 --- /dev/null +++ b/queue-3.18/scsi-sg-close-race-condition-in-sg_remove_sfp_usercontext.patch @@ -0,0 +1,94 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Hannes Reinecke +Date: Fri, 7 Apr 2017 09:34:17 +0200 +Subject: scsi: sg: close race condition in sg_remove_sfp_usercontext() + +From: Hannes Reinecke + + +[ Upstream commit 97d27b0dd015e980ade63fda111fd1353276e28b ] + +sg_remove_sfp_usercontext() is clearing any sg requests, but needs to +take 'rq_list_lock' when modifying the list. + +Reported-by: Christoph Hellwig +Signed-off-by: Hannes Reinecke +Reviewed-by: Johannes Thumshirn +Tested-by: Johannes Thumshirn +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/sg.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -535,6 +535,7 @@ sg_read(struct file *filp, char __user * + } else + count = (old_hdr->result == 0) ? 0 : -EIO; + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + retval = count; + free_old_hdr: + kfree(old_hdr); +@@ -575,6 +576,7 @@ sg_new_read(Sg_fd * sfp, char __user *bu + } + err_out: + err2 = sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return err ? : err2 ? : count; + } + +@@ -811,6 +813,7 @@ sg_common_write(Sg_fd * sfp, Sg_request + SCSI_LOG_TIMEOUT(1, sg_printk(KERN_INFO, sfp->parentdp, + "sg_common_write: start_req err=%d\n", k)); + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return k; /* probably out of space --> ENOMEM */ + } + if (atomic_read(&sdp->detaching)) { +@@ -823,6 +826,7 @@ sg_common_write(Sg_fd * sfp, Sg_request + } + + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + return -ENODEV; + } + +@@ -1353,6 +1357,7 @@ sg_rq_end_io_usercontext(struct work_str + struct sg_fd *sfp = srp->parentfp; + + sg_finish_rem_req(srp); ++ sg_remove_request(sfp, srp); + kref_put(&sfp->f_ref, sg_remove_sfp); + } + +@@ -1902,8 +1907,6 @@ sg_finish_rem_req(Sg_request *srp) + else + sg_remove_scat(sfp, req_schp); + +- sg_remove_request(sfp, srp); +- + return ret; + } + +@@ -2250,12 +2253,17 @@ sg_remove_sfp_usercontext(struct work_st + struct sg_fd *sfp = container_of(work, struct sg_fd, ew.work); + struct sg_device *sdp = sfp->parentdp; + Sg_request *srp; ++ unsigned long iflags; + + /* Cleanup any responses which were never read(). */ ++ write_lock_irqsave(&sfp->rq_list_lock, iflags); + while (!list_empty(&sfp->rq_list)) { + srp = list_first_entry(&sfp->rq_list, Sg_request, entry); + sg_finish_rem_req(srp); ++ list_del(&srp->entry); ++ srp->parentfp = NULL; + } ++ write_unlock_irqrestore(&sfp->rq_list_lock, iflags); + + if (sfp->reserve.bufflen > 0) { + SCSI_LOG_TIMEOUT(6, sg_printk(KERN_INFO, sdp, diff --git a/queue-3.18/selinux-check-for-address-length-in-selinux_socket_bind.patch b/queue-3.18/selinux-check-for-address-length-in-selinux_socket_bind.patch new file mode 100644 index 00000000000..32f60462df2 --- /dev/null +++ b/queue-3.18/selinux-check-for-address-length-in-selinux_socket_bind.patch @@ -0,0 +1,106 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Alexander Potapenko +Date: Mon, 6 Mar 2017 19:46:14 +0100 +Subject: selinux: check for address length in selinux_socket_bind() + +From: Alexander Potapenko + + +[ Upstream commit e2f586bd83177d22072b275edd4b8b872daba924 ] + +KMSAN (KernelMemorySanitizer, a new error detection tool) reports use of +uninitialized memory in selinux_socket_bind(): + +================================================================== +BUG: KMSAN: use of unitialized memory +inter: 0 +CPU: 3 PID: 1074 Comm: packet2 Tainted: G B 4.8.0-rc6+ #1916 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + 0000000000000000 ffff8800882ffb08 ffffffff825759c8 ffff8800882ffa48 + ffffffff818bf551 ffffffff85bab870 0000000000000092 ffffffff85bab550 + 0000000000000000 0000000000000092 00000000bb0009bb 0000000000000002 +Call Trace: + [< inline >] __dump_stack lib/dump_stack.c:15 + [] dump_stack+0x238/0x290 lib/dump_stack.c:51 + [] kmsan_report+0x276/0x2e0 mm/kmsan/kmsan.c:1008 + [] __msan_warning+0x5b/0xb0 mm/kmsan/kmsan_instr.c:424 + [] selinux_socket_bind+0xf41/0x1080 security/selinux/hooks.c:4288 + [] security_socket_bind+0x1ec/0x240 security/security.c:1240 + [] SYSC_bind+0x358/0x5f0 net/socket.c:1366 + [] SyS_bind+0x82/0xa0 net/socket.c:1356 + [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 + [] entry_SYSCALL64_slow_path+0x25/0x25 arch/x86/entry/entry_64.o:? +chained origin: 00000000ba6009bb + [] save_stack_trace+0x27/0x50 arch/x86/kernel/stacktrace.c:67 + [< inline >] kmsan_save_stack_with_flags mm/kmsan/kmsan.c:322 + [< inline >] kmsan_save_stack mm/kmsan/kmsan.c:337 + [] kmsan_internal_chain_origin+0x118/0x1e0 mm/kmsan/kmsan.c:530 + [] __msan_set_alloca_origin4+0xc3/0x130 mm/kmsan/kmsan_instr.c:380 + [] SYSC_bind+0x129/0x5f0 net/socket.c:1356 + [] SyS_bind+0x82/0xa0 net/socket.c:1356 + [] do_syscall_64+0x58/0x70 arch/x86/entry/common.c:292 + [] return_from_SYSCALL_64+0x0/0x6a arch/x86/entry/entry_64.o:? +origin description: ----address@SYSC_bind (origin=00000000b8c00900) +================================================================== + +(the line numbers are relative to 4.8-rc6, but the bug persists upstream) + +, when I run the following program as root: + +======================================================= + #include + #include + #include + + int main(int argc, char *argv[]) { + struct sockaddr addr; + int size = 0; + if (argc > 1) { + size = atoi(argv[1]); + } + memset(&addr, 0, sizeof(addr)); + int fd = socket(PF_INET6, SOCK_DGRAM, IPPROTO_IP); + bind(fd, &addr, size); + return 0; + } +======================================================= + +(for different values of |size| other error reports are printed). + +This happens because bind() unconditionally copies |size| bytes of +|addr| to the kernel, leaving the rest uninitialized. Then +security_socket_bind() reads the IP address bytes, including the +uninitialized ones, to determine the port, or e.g. pass them further to +sel_netnode_find(), which uses them to calculate a hash. + +Signed-off-by: Alexander Potapenko +Acked-by: Eric Dumazet +[PM: fixed some whitespace damage] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4061,10 +4061,18 @@ static int selinux_socket_bind(struct so + u32 sid, node_perm; + + if (family == PF_INET) { ++ if (addrlen < sizeof(struct sockaddr_in)) { ++ err = -EINVAL; ++ goto out; ++ } + addr4 = (struct sockaddr_in *)address; + snum = ntohs(addr4->sin_port); + addrp = (char *)&addr4->sin_addr.s_addr; + } else { ++ if (addrlen < SIN6_LEN_RFC2133) { ++ err = -EINVAL; ++ goto out; ++ } + addr6 = (struct sockaddr_in6 *)address; + snum = ntohs(addr6->sin6_port); + addrp = (char *)&addr6->sin6_addr.s6_addr; diff --git a/queue-3.18/series b/queue-3.18/series new file mode 100644 index 00000000000..9471872be7e --- /dev/null +++ b/queue-3.18/series @@ -0,0 +1,59 @@ +input-tsc2007-check-for-presence-and-power-down-tsc2007-during-probe.patch +hid-reject-input-outside-logical-range-only-if-null-state-is-set.patch +net-mvpp2-set-dma-mask-and-coherent-dma-mask-on-ppv2.2.patch +pci-msi-stop-disabling-msi-msi-x-in-pci_device_shutdown.patch +selinux-check-for-address-length-in-selinux_socket_bind.patch +perf-tools-make-perf_event__synthesize_mmap_events-scale.patch +drivers-net-xgene-fix-hardware-checksum-setting.patch +drm-defer-disabling-the-vblank-irq-until-the-next-interrupt-for-instant-off.patch +ath10k-disallow-dfs-simulation-if-dfs-channel-is-not-enabled.patch +hid-clamp-input-to-logical-range-if-no-null-state.patch +arm-dts-adjust-moxart-irq-controller-and-flags.patch +batman-adv-handle-race-condition-for-claims-between-gateways.patch +of-fix-of_device_get_modalias-returned-length-when-truncating-buffers.patch +scsi-ipr-fix-missed-eh-wakeup.patch +media-i2c-soc_camera-fix-ov6650-sensor-getting-wrong-clock.patch +timers-sched_clock-update-timeout-for-clock-wrap.patch +sched-act_csum-don-t-mangle-tcp-and-udp-gso-packets.patch +spi-omap2-mcspi-poll-omap2_mcspi_chstat_rxs-for-pio-transfer.patch +tcp-sysctl-fix-a-race-to-avoid-unexpected-0-window-from-space.patch +mm-fix-false-positive-vm_bug_on-in-page_cache_-get-add-_speculative.patch +blk-throttle-make-sure-expire-time-isn-t-too-big.patch +arm-dra7-hwmod_data-prevent-wait_target_disable-error-for-usb_otg_ss.patch +braille-console-fix-value-returned-by-_braille_console_setup.patch +arm-dts-r8a7790-correct-parent-of-ssi-clocks.patch +arm-dts-r8a7791-correct-parent-of-ssi-clocks.patch +powerpc-avoid-taking-a-data-miss-on-every-userspace-instruction-miss.patch +net-faraday-add-missing-include-of-of.h.patch +reiserfs-make-cancel_old_flush-reliable.patch +fm10k-correctly-check-if-interface-is-removed.patch +apparmor-make-path_max-parameter-readonly.patch +iommu-iova-fix-underflow-bug-in-__alloc_and_insert_iova_range.patch +video-arm-clcd-fix-dma-allocation-size.patch +drm-radeon-fail-fb-creation-from-imported-dma-bufs.patch +mips-bpf-quit-clobbering-callee-saved-registers-in-jit-code.patch +regulator-isl9305-fix-array-size.patch +usb-gadget-dummy_hcd-fix-wrong-power-status-bit-clear-reset-in-dummy_hub_control.patch +perf-inject-copy-events-when-reordering-events-in-pipe-mode.patch +perf-session-don-t-rely-on-evlist-in-pipe-mode.patch +scsi-sg-check-for-valid-direction-before-starting-the-request.patch +scsi-sg-close-race-condition-in-sg_remove_sfp_usercontext.patch +kprobes-x86-fix-kprobe-booster-not-to-boost-far-call-instructions.patch +kprobes-x86-set-kprobes-pages-read-only.patch +wil6210-fix-memory-access-violation-in-wil_memcpy_from-toio_32.patch +hid-elo-clear-btn_left-mapping.patch +sched-stop-resched_cpu-from-sending-ipis-to-offline-cpus.patch +net-xfrm-allow-clearing-socket-xfrm-policies.patch +mtd-nand-fix-interpretation-of-nand_cmd_none-in-nand_command.patch +arm-dts-am335x-pepper-fix-the-audio-codec-s-reset-pin.patch +arm-dts-omap3-n900-fix-the-audio-codec-s-reset-pin.patch +mtd-nand-ifc-update-bufnum-mask-for-ver-2.0.0.patch +tools-usbip-fixes-build-with-musl-libc-toolchain.patch +spi-sun6i-disable-unprepare-clocks-on-remove.patch +scsi-devinfo-apply-to-hp-xp-the-same-flags-as-hitachi-vsp.patch +media-cpia2-fix-a-couple-off-by-one-bugs.patch +veth-set-peer-gso-values.patch +mac80211-remove-bug-when-interface-type-is-invalid.patch +asoc-nuc900-fix-a-loop-timeout-test.patch +rcutorture-configinit-fix-build-directory-error-message.patch +ima-relax-requiring-a-file-signature-for-new-files-with-zero-length.patch diff --git a/queue-3.18/spi-omap2-mcspi-poll-omap2_mcspi_chstat_rxs-for-pio-transfer.patch b/queue-3.18/spi-omap2-mcspi-poll-omap2_mcspi_chstat_rxs-for-pio-transfer.patch new file mode 100644 index 00000000000..6d48f93b7fb --- /dev/null +++ b/queue-3.18/spi-omap2-mcspi-poll-omap2_mcspi_chstat_rxs-for-pio-transfer.patch @@ -0,0 +1,60 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Akinobu Mita +Date: Wed, 22 Mar 2017 09:18:26 +0900 +Subject: spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer + +From: Akinobu Mita + + +[ Upstream commit 812613591cb652344186c4cd912304ed02138566 ] + +When running the spi-loopback-test with slower clock rate like 10 KHz, +the test for 251 bytes transfer was failed. This failure triggered an +spi-omap2-mcspi's error message "DMA RX last word empty". + +This message means that PIO for reading the remaining bytes due to the +DMA transfer length reduction is failed. This problem can be fixed by +polling OMAP2_MCSPI_CHSTAT_RXS bit in channel status register to wait +until the receive buffer register is filled. + +Cc: Mark Brown +Signed-off-by: Akinobu Mita +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-omap2-mcspi.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -441,6 +441,8 @@ omap2_mcspi_rx_dma(struct spi_device *sp + int elements = 0; + int word_len, element_count; + struct omap2_mcspi_cs *cs = spi->controller_state; ++ void __iomem *chstat_reg = cs->base + OMAP2_MCSPI_CHSTAT0; ++ + mcspi = spi_master_get_devdata(spi->master); + mcspi_dma = &mcspi->dma_channels[spi->chip_select]; + count = xfer->len; +@@ -501,8 +503,8 @@ omap2_mcspi_rx_dma(struct spi_device *sp + if (l & OMAP2_MCSPI_CHCONF_TURBO) { + elements--; + +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0) +- & OMAP2_MCSPI_CHSTAT_RXS)) { ++ if (!mcspi_wait_for_reg_bit(chstat_reg, ++ OMAP2_MCSPI_CHSTAT_RXS)) { + u32 w; + + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0); +@@ -520,8 +522,7 @@ omap2_mcspi_rx_dma(struct spi_device *sp + return count; + } + } +- if (likely(mcspi_read_cs_reg(spi, OMAP2_MCSPI_CHSTAT0) +- & OMAP2_MCSPI_CHSTAT_RXS)) { ++ if (!mcspi_wait_for_reg_bit(chstat_reg, OMAP2_MCSPI_CHSTAT_RXS)) { + u32 w; + + w = mcspi_read_cs_reg(spi, OMAP2_MCSPI_RX0); diff --git a/queue-3.18/spi-sun6i-disable-unprepare-clocks-on-remove.patch b/queue-3.18/spi-sun6i-disable-unprepare-clocks-on-remove.patch new file mode 100644 index 00000000000..9e49b4a8a58 --- /dev/null +++ b/queue-3.18/spi-sun6i-disable-unprepare-clocks-on-remove.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Tobias Jordan +Date: Thu, 7 Dec 2017 15:04:53 +0100 +Subject: spi: sun6i: disable/unprepare clocks on remove + +From: Tobias Jordan + + +[ Upstream commit 2d9bbd02c54094ceffa555143b0d68cd06504d63 ] + +sun6i_spi_probe() uses sun6i_spi_runtime_resume() to prepare/enable +clocks, so sun6i_spi_remove() should use sun6i_spi_runtime_suspend() to +disable/unprepare them if we're not suspended. +Replacing pm_runtime_disable() by pm_runtime_force_suspend() will ensure +that sun6i_spi_runtime_suspend() is called if needed. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) +Signed-off-by: Tobias Jordan +Acked-by: Maxime Ripard +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-sun6i.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -457,7 +457,7 @@ err_free_master: + + static int sun6i_spi_remove(struct platform_device *pdev) + { +- pm_runtime_disable(&pdev->dev); ++ pm_runtime_force_suspend(&pdev->dev); + + return 0; + } diff --git a/queue-3.18/tcp-sysctl-fix-a-race-to-avoid-unexpected-0-window-from-space.patch b/queue-3.18/tcp-sysctl-fix-a-race-to-avoid-unexpected-0-window-from-space.patch new file mode 100644 index 00000000000..9ffa988ae04 --- /dev/null +++ b/queue-3.18/tcp-sysctl-fix-a-race-to-avoid-unexpected-0-window-from-space.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Gao Feng +Date: Fri, 24 Mar 2017 07:05:12 +0800 +Subject: tcp: sysctl: Fix a race to avoid unexpected 0 window from space + +From: Gao Feng + + +[ Upstream commit c48367427a39ea0b85c7cf018fe4256627abfd9e ] + +Because sysctl_tcp_adv_win_scale could be changed any time, so there +is one race in tcp_win_from_space. +For example, +1.sysctl_tcp_adv_win_scale<=0 (sysctl_tcp_adv_win_scale is negative now) +2.space>>(-sysctl_tcp_adv_win_scale) (sysctl_tcp_adv_win_scale is postive now) + +As a result, tcp_win_from_space returns 0. It is unexpected. + +Certainly if the compiler put the sysctl_tcp_adv_win_scale into one +register firstly, then use the register directly, it would be ok. +But we could not depend on the compiler behavior. + +Signed-off-by: Gao Feng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/tcp.h | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1099,9 +1099,11 @@ void tcp_select_initial_window(int __spa + + static inline int tcp_win_from_space(int space) + { +- return sysctl_tcp_adv_win_scale<=0 ? +- (space>>(-sysctl_tcp_adv_win_scale)) : +- space - (space>>sysctl_tcp_adv_win_scale); ++ int tcp_adv_win_scale = sysctl_tcp_adv_win_scale; ++ ++ return tcp_adv_win_scale <= 0 ? ++ (space>>(-tcp_adv_win_scale)) : ++ space - (space>>tcp_adv_win_scale); + } + + /* Note: caller must be prepared to deal with negative returns */ diff --git a/queue-3.18/timers-sched_clock-update-timeout-for-clock-wrap.patch b/queue-3.18/timers-sched_clock-update-timeout-for-clock-wrap.patch new file mode 100644 index 00000000000..299c09c3d61 --- /dev/null +++ b/queue-3.18/timers-sched_clock-update-timeout-for-clock-wrap.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: David Engraf +Date: Fri, 17 Feb 2017 08:51:03 +0100 +Subject: timers, sched_clock: Update timeout for clock wrap + +From: David Engraf + + +[ Upstream commit 1b8955bc5ac575009835e371ae55e7f3af2197a9 ] + +The scheduler clock framework may not use the correct timeout for the clock +wrap. This happens when a new clock driver calls sched_clock_register() +after the kernel called sched_clock_postinit(). In this case the clock wrap +timeout is too long thus sched_clock_poll() is called too late and the clock +already wrapped. + +On my ARM system the scheduler was no longer scheduling any other task than +the idle task because the sched_clock() wrapped. + +Signed-off-by: David Engraf +Signed-off-by: John Stultz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/sched_clock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/time/sched_clock.c ++++ b/kernel/time/sched_clock.c +@@ -146,6 +146,11 @@ void __init sched_clock_register(u64 (*r + cd.epoch_ns = ns; + raw_write_seqcount_end(&cd.seq); + ++ if (sched_clock_timer.function != NULL) { ++ /* update timeout for clock wrap */ ++ hrtimer_start(&sched_clock_timer, cd.wrap_kt, HRTIMER_MODE_REL); ++ } ++ + r = rate; + if (r >= 4000000) { + r /= 1000000; diff --git a/queue-3.18/tools-usbip-fixes-build-with-musl-libc-toolchain.patch b/queue-3.18/tools-usbip-fixes-build-with-musl-libc-toolchain.patch new file mode 100644 index 00000000000..f2cce045081 --- /dev/null +++ b/queue-3.18/tools-usbip-fixes-build-with-musl-libc-toolchain.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Julien BOIBESSOT +Date: Tue, 5 Dec 2017 18:48:14 +0100 +Subject: tools/usbip: fixes build with musl libc toolchain + +From: Julien BOIBESSOT + + +[ Upstream commit 77be4c878c72e411ad22af96b6f81dd45c26450a ] + +Indeed musl doesn't define old SIGCLD signal name but only new one SIGCHLD. +SIGCHLD is the new POSIX name for that signal so it doesn't change +anything on other libcs. + +This fixes this kind of build error: + +usbipd.c: In function ‘set_signal’: +usbipd.c:459:12: error: 'SIGCLD' undeclared (first use in this function) + sigaction(SIGCLD, &act, NULL); + ^~~~~~ +usbipd.c:459:12: note: each undeclared identifier is reported only once + for each function it appears in +Makefile:407: recipe for target 'usbipd.o' failed +make[3]: *** [usbipd.o] Error 1 + +Signed-off-by: Julien BOIBESSOT +Acked-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/usbip/src/usbipd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/usb/usbip/src/usbipd.c ++++ b/tools/usb/usbip/src/usbipd.c +@@ -453,7 +453,7 @@ static void set_signal(void) + sigaction(SIGTERM, &act, NULL); + sigaction(SIGINT, &act, NULL); + act.sa_handler = SIG_IGN; +- sigaction(SIGCLD, &act, NULL); ++ sigaction(SIGCHLD, &act, NULL); + } + + static const char *pid_file; diff --git a/queue-3.18/usb-gadget-dummy_hcd-fix-wrong-power-status-bit-clear-reset-in-dummy_hub_control.patch b/queue-3.18/usb-gadget-dummy_hcd-fix-wrong-power-status-bit-clear-reset-in-dummy_hub_control.patch new file mode 100644 index 00000000000..4a2685f9507 --- /dev/null +++ b/queue-3.18/usb-gadget-dummy_hcd-fix-wrong-power-status-bit-clear-reset-in-dummy_hub_control.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Yuyang Du +Date: Fri, 24 Mar 2017 04:06:11 +0800 +Subject: usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control() + +From: Yuyang Du + + +[ Upstream commit 9f20dfb44d03745d0d3cef2ffb3abf8d8024fa61 ] + +This fixes the commit: 1cd8fd2887e1 ("usb: gadget: dummy_hcd: add +SuperSpeed support"). + +In the case of ClearPortFeature and USB_PORT_FEAT_POWER, simply clear +the right bit regardless of what the wValue is. + +Acked-by: Alan Stern +Signed-off-by: Yuyang Du +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/dummy_hcd.c | 20 ++++++++------------ + 1 file changed, 8 insertions(+), 12 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -2001,16 +2001,13 @@ static int dummy_hub_control( + } + break; + case USB_PORT_FEAT_POWER: +- if (hcd->speed == HCD_USB3) { +- if (dum_hcd->port_status & USB_PORT_STAT_POWER) +- dev_dbg(dummy_dev(dum_hcd), +- "power-off\n"); +- } else +- if (dum_hcd->port_status & +- USB_SS_PORT_STAT_POWER) +- dev_dbg(dummy_dev(dum_hcd), +- "power-off\n"); +- /* FALLS THROUGH */ ++ dev_dbg(dummy_dev(dum_hcd), "power-off\n"); ++ if (hcd->speed == HCD_USB3) ++ dum_hcd->port_status &= ~USB_SS_PORT_STAT_POWER; ++ else ++ dum_hcd->port_status &= ~USB_PORT_STAT_POWER; ++ set_link_state(dum_hcd); ++ break; + default: + dum_hcd->port_status &= ~(1 << wValue); + set_link_state(dum_hcd); +@@ -2181,14 +2178,13 @@ static int dummy_hub_control( + if ((dum_hcd->port_status & + USB_SS_PORT_STAT_POWER) != 0) { + dum_hcd->port_status |= (1 << wValue); +- set_link_state(dum_hcd); + } + } else + if ((dum_hcd->port_status & + USB_PORT_STAT_POWER) != 0) { + dum_hcd->port_status |= (1 << wValue); +- set_link_state(dum_hcd); + } ++ set_link_state(dum_hcd); + } + break; + case GetPortErrorCount: diff --git a/queue-3.18/veth-set-peer-gso-values.patch b/queue-3.18/veth-set-peer-gso-values.patch new file mode 100644 index 00000000000..83f185665e5 --- /dev/null +++ b/queue-3.18/veth-set-peer-gso-values.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Stephen Hemminger +Date: Thu, 7 Dec 2017 15:40:20 -0800 +Subject: veth: set peer GSO values + +From: Stephen Hemminger + + +[ Upstream commit 72d24955b44a4039db54a1c252b5031969eeaac3 ] + +When new veth is created, and GSO values have been configured +on one device, clone those values to the peer. + +For example: + # ip link add dev vm1 gso_max_size 65530 type veth peer name vm2 + +This should create vm1 <--> vm2 with both having GSO maximum +size set to 65530. + +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/veth.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/veth.c ++++ b/drivers/net/veth.c +@@ -382,6 +382,9 @@ static int veth_newlink(struct net *src_ + if (ifmp && (dev->ifindex != 0)) + peer->ifindex = ifmp->ifi_index; + ++ peer->gso_max_size = dev->gso_max_size; ++ peer->gso_max_segs = dev->gso_max_segs; ++ + err = register_netdevice(peer); + put_net(net); + net = NULL; diff --git a/queue-3.18/video-arm-clcd-fix-dma-allocation-size.patch b/queue-3.18/video-arm-clcd-fix-dma-allocation-size.patch new file mode 100644 index 00000000000..ccf4160c3d1 --- /dev/null +++ b/queue-3.18/video-arm-clcd-fix-dma-allocation-size.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Liam Beguin +Date: Fri, 7 Apr 2017 17:03:24 +0200 +Subject: video: ARM CLCD: fix dma allocation size + +From: Liam Beguin + + +[ Upstream commit 9a1c779e6b06855e41099caa6f15b3b584dfa88c ] + +This patch forces the frambuffer size to be aligned on kernel pages. + +During the board startup, the splash screed did appear; +the "ts_test" program or our application were not able to start. + +The following error message was reported: +error: failed to map framebuffer device to memory. +LinuxFB: driver cannot connect + +The issue was discovered, on the LPC32xx platform, during the migration +of the LCD definition from the board file to the device tree. + +Signed-off-by: Liam Beguin +Signed-off-by: Sylvain Lemieux +Cc: Vladimir Zapolskiy +Cc: Russell King +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/amba-clcd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/amba-clcd.c ++++ b/drivers/video/fbdev/amba-clcd.c +@@ -757,8 +757,8 @@ static int clcdfb_of_dma_setup(struct cl + if (err) + return err; + +- framesize = fb->panel->mode.xres * fb->panel->mode.yres * +- fb->panel->bpp / 8; ++ framesize = PAGE_ALIGN(fb->panel->mode.xres * fb->panel->mode.yres * ++ fb->panel->bpp / 8); + fb->fb.screen_base = dma_alloc_coherent(&fb->dev->dev, framesize, + &dma, GFP_KERNEL); + if (!fb->fb.screen_base) diff --git a/queue-3.18/wil6210-fix-memory-access-violation-in-wil_memcpy_from-toio_32.patch b/queue-3.18/wil6210-fix-memory-access-violation-in-wil_memcpy_from-toio_32.patch new file mode 100644 index 00000000000..84a1333fcc2 --- /dev/null +++ b/queue-3.18/wil6210-fix-memory-access-violation-in-wil_memcpy_from-toio_32.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Mar 19 10:11:52 CET 2018 +From: Dedy Lansky +Date: Wed, 5 Apr 2017 14:58:11 +0300 +Subject: wil6210: fix memory access violation in wil_memcpy_from/toio_32 + +From: Dedy Lansky + + +[ Upstream commit 0f6edfe2bbbb59d161580cb4870fcc46f5490f85 ] + +In case count is not multiple of 4, there is a read access in +wil_memcpy_toio_32() from outside src buffer boundary. +In wil_memcpy_fromio_32(), in case count is not multiple of 4, there is +a write access to outside dst io memory boundary. + +Fix these issues with proper handling of the last 1 to 4 copied bytes. + +Signed-off-by: Dedy Lansky +Signed-off-by: Maya Erez +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/wil6210/main.c | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/wil6210/main.c ++++ b/drivers/net/wireless/ath/wil6210/main.c +@@ -59,9 +59,15 @@ void wil_memcpy_fromio_32(void *dst, con + u32 *d = dst; + const volatile u32 __iomem *s = src; + +- /* size_t is unsigned, if (count%4 != 0) it will wrap */ +- for (count += 4; count > 4; count -= 4) ++ for (; count >= 4; count -= 4) + *d++ = __raw_readl(s++); ++ ++ if (unlikely(count)) { ++ /* count can be 1..3 */ ++ u32 tmp = __raw_readl(s); ++ ++ memcpy(d, &tmp, count); ++ } + } + + void wil_memcpy_toio_32(volatile void __iomem *dst, const void *src, +@@ -70,8 +76,16 @@ void wil_memcpy_toio_32(volatile void __ + volatile u32 __iomem *d = dst; + const u32 *s = src; + +- for (count += 4; count > 4; count -= 4) ++ for (; count >= 4; count -= 4) + __raw_writel(*s++, d++); ++ ++ if (unlikely(count)) { ++ /* count can be 1..3 */ ++ u32 tmp = 0; ++ ++ memcpy(&tmp, s, count); ++ __raw_writel(tmp, d); ++ } + } + + static void wil_disconnect_cid(struct wil6210_priv *wil, int cid)