From: Greg Kroah-Hartman Date: Thu, 22 Mar 2018 13:45:30 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.102~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e7207ef79d5c8cb15b3e100f0ac29a85cc22a20;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-pmic-xpower-fix-power_table-addresses.patch acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch acpi-processor-fix-error-handling-in-__acpi_processor_start.patch acpi-processor-replace-racy-task-affinity-logic.patch acpica-iasl-fix-iort-smmu-gsi-disassembling.patch alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch asoc-intel-atom-update-thinkpad-10-quirk.patch asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch ath-fix-updating-radar-flags-for-coutry-code-india.patch ath10k-fix-out-of-bounds-access-to-local-buffer.patch ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch block-mq-cure-cpu-hotplug-lock-inversion.patch bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch bnx2x-align-rx-buffers.patch bonding-handle-link-transition-from-fail-to-up-correctly.patch btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch btrfs-fix-extent-map-leak-during-fallocate-error-path.patch btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch cifs-small-underflow-in-cnvrtdosunixtm.patch clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch clk-don-t-touch-hardware-when-reparenting-during-registration.patch clk-ns2-correct-sdio-bits.patch clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch coresight-fix-disabling-of-coresight-tpiu.patch cpufreq-sh-replace-racy-task-affinity-logic.patch cros_ec-fix-nul-termination-for-firmware-build-info.patch dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch drm-amdgpu-fix-gpu-reset-crash.patch drm-msm-fix-leak-in-failed-get_pages.patch drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch fix-express-lane-queue-creation.patch genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch gpio-gpio-wcove-fix-gpio-irq-status-mask.patch gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch i2c-i2c-scmi-add-a-ms-hid.patch ia64-fix-module-loading-for-gcc-5.4.patch ib-hfi1-fix-softlockup-issue.patch ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch ib-mlx4-change-vma-from-shared-to-private.patch ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch ib-mlx5-change-vma-from-shared-to-private.patch ib-mlx5-set-correct-sl-in-completion-for-roce.patch ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch ib-rxe-don-t-clamp-residual-length-to-mtu.patch ib-umem-fix-use-of-npages-nmap-fields.patch ibmvnic-disable-irq-prior-to-close.patch iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch infiniband-uverbs-fix-integer-overflows.patch input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch iommu-omap-register-driver-before-setting-iommu-ops.patch iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch iwlwifi-a000-fix-memory-offsets-and-lengths.patch iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch ixgbevf-fix-size-of-queue-stats-length.patch jbd2-fix-lockdep-splat-with-generic-270-test.patch kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch libertas-check-return-value-of-alloc_workqueue.patch mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch mac80211-fix-possible-sband-related-null-pointer-de-reference.patch md-raid10-skip-spare-disk-as-first-disk.patch md-raid10-wait-up-frozen-array-in-handle_write_completed.patch media-bt8xx-fix-err-bt878_probe.patch media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch media-dvb-core-race-condition-when-writing-to-cam.patch media-media-dvb-frontends-add-delay-to-si2168-restart.patch mfd-palmas-reset-the-powerhold-mux-during-power-off.patch mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch mmc-avoid-removing-non-removable-hosts-during-suspend.patch mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch mt7601u-check-return-value-of-alloc_skb.patch mtip32xx-use-runtime-tag-to-initialize-command-header.patch mwifiex-don-t-leak-chan_stats-on-reset.patch net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch net-ipv6-send-unsolicited-na-on-admin-up.patch netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch netvsc-deal-with-rescinded-channels-correctly.patch nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch nfsd4-permit-layoutget-of-executable-only-files.patch omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch oom-improve-oom-disable-handling.patch openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch orangefs-do-not-wait-for-timeout-if-umounting.patch perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch pinctrl-really-force-states-during-suspend-resume.patch pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch platform-chrome-use-proper-protocol-transfer-function.patch platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch platform-x86-asus-wmi-try-to-set-als-by-default.patch platform-x86-intel-vbtn-add-volume-up-and-down.patch pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch power-supply-bq24190_charger-add-disable-reset-device-property.patch power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch power-supply-pda_power-move-from-timer-to-delayed_work.patch powerpc-64s-remove-sao-feature-from-power9-dd1.patch pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch qed-unlock-on-error-in-qed_vf_pf_acquire.patch qlcnic-fix-unchecked-return-value.patch qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch rdma-cma-use-correct-size-when-writing-netlink-stats.patch rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch regulator-anatop-set-default-voltage-selector-for-pcie.patch rndis_wlan-add-return-value-validation.patch rtc-ac100-fix-multiple-race-conditions.patch rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch scsi-virtio_scsi-always-try-to-read-vpd-pages.patch serial-8250_dw-disable-clock-on-error.patch sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch spi-dw-disable-clock-after-unregistering-the-host.patch staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch staging-wilc1000-fix-unchecked-return-value.patch tcm_fileio-prevent-information-leak-for-short-reads.patch tcp-remove-poll-flakes-with-fastopen.patch time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch tipc-check-return-value-of-nlmsg_new.patch tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch vgacon-set-vga-struct-resource-types.patch video-fbdev-udlfb-fix-buffer-on-stack.patch vxlan-correctly-handle-ipv6.disable-module-parameter.patch wan-pc300too-abort-path-on-failure.patch watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch x86-i8259-export-legacy_pic-symbol.patch x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch x86-reboot-turn-off-kvm-when-halting-a-cpu.patch x86-xen-split-xen_smp_prepare_boot_cpu.patch xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch --- diff --git a/queue-4.9/acpi-pmic-xpower-fix-power_table-addresses.patch b/queue-4.9/acpi-pmic-xpower-fix-power_table-addresses.patch new file mode 100644 index 00000000000..c994c6ca020 --- /dev/null +++ b/queue-4.9/acpi-pmic-xpower-fix-power_table-addresses.patch @@ -0,0 +1,159 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Fri, 21 Apr 2017 13:48:08 +0200 +Subject: ACPI / PMIC: xpower: Fix power_table addresses + +From: Hans de Goede + + +[ Upstream commit 2bde7c32b1db162692f05c6be066b5bcd3d9fdbe ] + +The power table addresses should be contiguous, but there was a hole +where 0x34 was missing. On most devices this is not a problem as +addresses above 0x34 are used for the BUC# convertors which are not +used in the DSDTs I've access to but after the BUC# convertors +there is a field named GPI1 in the DSTDs, which does get used in some +cases and ended up turning BUC6 on and off due to the wrong addresses, +resulting in turning the entire device off (or causing it to reboot). + +Removing the hole in the addresses fixes this, fixing one of my +Bay Trail tablets turning off while booting the mainline kernel. + +While at it add comments with the field names used in the DSDTs to +make it easier to compare the register and bits used at each address +with the datasheet. + +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/pmic/intel_pmic_xpower.c | 50 +++++++++++++++++----------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +--- a/drivers/acpi/pmic/intel_pmic_xpower.c ++++ b/drivers/acpi/pmic/intel_pmic_xpower.c +@@ -28,97 +28,97 @@ static struct pmic_table power_table[] = + .address = 0x00, + .reg = 0x13, + .bit = 0x05, +- }, ++ }, /* ALD1 */ + { + .address = 0x04, + .reg = 0x13, + .bit = 0x06, +- }, ++ }, /* ALD2 */ + { + .address = 0x08, + .reg = 0x13, + .bit = 0x07, +- }, ++ }, /* ALD3 */ + { + .address = 0x0c, + .reg = 0x12, + .bit = 0x03, +- }, ++ }, /* DLD1 */ + { + .address = 0x10, + .reg = 0x12, + .bit = 0x04, +- }, ++ }, /* DLD2 */ + { + .address = 0x14, + .reg = 0x12, + .bit = 0x05, +- }, ++ }, /* DLD3 */ + { + .address = 0x18, + .reg = 0x12, + .bit = 0x06, +- }, ++ }, /* DLD4 */ + { + .address = 0x1c, + .reg = 0x12, + .bit = 0x00, +- }, ++ }, /* ELD1 */ + { + .address = 0x20, + .reg = 0x12, + .bit = 0x01, +- }, ++ }, /* ELD2 */ + { + .address = 0x24, + .reg = 0x12, + .bit = 0x02, +- }, ++ }, /* ELD3 */ + { + .address = 0x28, + .reg = 0x13, + .bit = 0x02, +- }, ++ }, /* FLD1 */ + { + .address = 0x2c, + .reg = 0x13, + .bit = 0x03, +- }, ++ }, /* FLD2 */ + { + .address = 0x30, + .reg = 0x13, + .bit = 0x04, +- }, ++ }, /* FLD3 */ + { +- .address = 0x38, ++ .address = 0x34, + .reg = 0x10, + .bit = 0x03, +- }, ++ }, /* BUC1 */ + { +- .address = 0x3c, ++ .address = 0x38, + .reg = 0x10, + .bit = 0x06, +- }, ++ }, /* BUC2 */ + { +- .address = 0x40, ++ .address = 0x3c, + .reg = 0x10, + .bit = 0x05, +- }, ++ }, /* BUC3 */ + { +- .address = 0x44, ++ .address = 0x40, + .reg = 0x10, + .bit = 0x04, +- }, ++ }, /* BUC4 */ + { +- .address = 0x48, ++ .address = 0x44, + .reg = 0x10, + .bit = 0x01, +- }, ++ }, /* BUC5 */ + { +- .address = 0x4c, ++ .address = 0x48, + .reg = 0x10, + .bit = 0x00 +- }, ++ }, /* BUC6 */ + }; + + /* TMP0 - TMP5 are the same, all from GPADC */ diff --git a/queue-4.9/acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch b/queue-4.9/acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch new file mode 100644 index 00000000000..f9e468b367a --- /dev/null +++ b/queue-4.9/acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch @@ -0,0 +1,93 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Sun, 30 Apr 2017 22:54:16 +0200 +Subject: ACPI / power: Delay turning off unused power resources after suspend + +From: Hans de Goede + + +[ Upstream commit 8ece1d83346bcc431090d59a2184276192189cdd ] + +Commit 660b1113e0f3 (ACPI / PM: Fix consistency check for power resources +during resume) introduced a check for ACPI power resources which have +been turned on by the BIOS during suspend and turns these back off again. + +This is causing problems on a Dell Venue Pro 11 7130 (i5-4300Y) it causes +the following messages to show up in dmesg: + +[ 131.014605] ACPI: Waking up from system sleep state S3 +[ 131.150271] acpi LNXPOWER:07: Turning OFF +[ 131.150323] acpi LNXPOWER:06: Turning OFF +[ 131.150911] acpi LNXPOWER:00: Turning OFF +[ 131.169014] ACPI : EC: interrupt unblocked +[ 131.181811] xhci_hcd 0000:00:14.0: System wakeup disabled by ACPI +[ 133.535728] pci_raw_set_power_state: 76 callbacks suppressed +[ 133.535735] iwlwifi 0000:01:00.0: Refused to change power state, + currently in D3 +[ 133.597672] PM: noirq resume of devices complete after 2428.891 msecs + +Followed by a bunch of iwlwifi errors later on and the pcie device +dropping from the bus (acpiphp thinks it has been unplugged). + +Disabling the turning off of unused power resources fixes this. Instead +of adding a quirk for this system, this commit fixes this by moving the +disabling of unused power resources to later in the resume sequence +when the iwlwifi card has been moved out of D3 so the ref_count for +its power resource no longer is 0. + +This new behavior seems to match the intend of the original commit which +commit-msg says: "(... which means that no devices are going to need them +any time soon) and we should turn them off". + +This also avoids power resources which we need when bringing devices out +of D3 from getting bounced off and then back on again. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/power.c | 10 ++++++++++ + drivers/acpi/sleep.c | 1 + + drivers/acpi/sleep.h | 1 + + 3 files changed, 12 insertions(+) + +--- a/drivers/acpi/power.c ++++ b/drivers/acpi/power.c +@@ -864,6 +864,16 @@ void acpi_resume_power_resources(void) + + mutex_unlock(&resource->resource_lock); + } ++ ++ mutex_unlock(&power_resource_list_lock); ++} ++ ++void acpi_turn_off_unused_power_resources(void) ++{ ++ struct acpi_power_resource *resource; ++ ++ mutex_lock(&power_resource_list_lock); ++ + list_for_each_entry_reverse(resource, &acpi_power_resource_list, list_node) { + int result, state; + +--- a/drivers/acpi/sleep.c ++++ b/drivers/acpi/sleep.c +@@ -474,6 +474,7 @@ static void acpi_pm_start(u32 acpi_state + */ + static void acpi_pm_end(void) + { ++ acpi_turn_off_unused_power_resources(); + acpi_scan_lock_release(); + /* + * This is necessary in case acpi_pm_finish() is not called during a +--- a/drivers/acpi/sleep.h ++++ b/drivers/acpi/sleep.h +@@ -6,6 +6,7 @@ extern struct list_head acpi_wakeup_devi + extern struct mutex acpi_device_lock; + + extern void acpi_resume_power_resources(void); ++extern void acpi_turn_off_unused_power_resources(void); + + static inline acpi_status acpi_set_waking_vector(u32 wakeup_address) + { diff --git a/queue-4.9/acpi-processor-fix-error-handling-in-__acpi_processor_start.patch b/queue-4.9/acpi-processor-fix-error-handling-in-__acpi_processor_start.patch new file mode 100644 index 00000000000..729e83cff81 --- /dev/null +++ b/queue-4.9/acpi-processor-fix-error-handling-in-__acpi_processor_start.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Thomas Gleixner +Date: Wed, 12 Apr 2017 22:07:33 +0200 +Subject: ACPI/processor: Fix error handling in __acpi_processor_start() + +From: Thomas Gleixner + + +[ Upstream commit a5cbdf693a60d5b86d4d21dfedd90f17754eb273 ] + +When acpi_install_notify_handler() fails the cooling device stays +registered and the sysfs files created via acpi_pss_perf_init() are +leaked and the function returns success. + +Undo acpi_pss_perf_init() and return a proper error code. + +Signed-off-by: Thomas Gleixner +Cc: Fenghua Yu +Cc: Tony Luck +Cc: Herbert Xu +Cc: "Rafael J. Wysocki" +Cc: Peter Zijlstra +Cc: Benjamin Herrenschmidt +Cc: Sebastian Siewior +Cc: Lai Jiangshan +Cc: linux-acpi@vger.kernel.org +Cc: Viresh Kumar +Cc: Michael Ellerman +Cc: Tejun Heo +Cc: "David S. Miller" +Cc: Len Brown +Link: http://lkml.kernel.org/r/20170412201042.695499645@linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_driver.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/processor_driver.c ++++ b/drivers/acpi/processor_driver.c +@@ -251,6 +251,9 @@ static int __acpi_processor_start(struct + if (ACPI_SUCCESS(status)) + return 0; + ++ result = -ENODEV; ++ acpi_pss_perf_exit(pr, device); ++ + err_power_exit: + acpi_processor_power_exit(pr); + return result; diff --git a/queue-4.9/acpi-processor-replace-racy-task-affinity-logic.patch b/queue-4.9/acpi-processor-replace-racy-task-affinity-logic.patch new file mode 100644 index 00000000000..71d47baf2aa --- /dev/null +++ b/queue-4.9/acpi-processor-replace-racy-task-affinity-logic.patch @@ -0,0 +1,200 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Thomas Gleixner +Date: Wed, 12 Apr 2017 22:07:34 +0200 +Subject: ACPI/processor: Replace racy task affinity logic + +From: Thomas Gleixner + + +[ Upstream commit 8153f9ac43897f9f4786b30badc134fcc1a4fb11 ] + +acpi_processor_get_throttling() requires to invoke the getter function on +the target CPU. This is achieved by temporarily setting the affinity of the +calling user space thread to the requested CPU and reset it to the original +affinity afterwards. + +That's racy vs. CPU hotplug and concurrent affinity settings for that +thread resulting in code executing on the wrong CPU and overwriting the +new affinity setting. + +acpi_processor_get_throttling() is invoked in two ways: + +1) The CPU online callback, which is already running on the target CPU and + obviously protected against hotplug and not affected by affinity + settings. + +2) The ACPI driver probe function, which is not protected against hotplug + during modprobe. + +Switch it over to work_on_cpu() and protect the probe function against CPU +hotplug. + +Signed-off-by: Thomas Gleixner +Cc: Fenghua Yu +Cc: Tony Luck +Cc: Herbert Xu +Cc: "Rafael J. Wysocki" +Cc: Peter Zijlstra +Cc: Benjamin Herrenschmidt +Cc: Sebastian Siewior +Cc: Lai Jiangshan +Cc: linux-acpi@vger.kernel.org +Cc: Viresh Kumar +Cc: Michael Ellerman +Cc: Tejun Heo +Cc: "David S. Miller" +Cc: Len Brown +Link: http://lkml.kernel.org/r/20170412201042.785920903@linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_driver.c | 7 +++- + drivers/acpi/processor_throttling.c | 62 ++++++++++++++++++++---------------- + 2 files changed, 42 insertions(+), 27 deletions(-) + +--- a/drivers/acpi/processor_driver.c ++++ b/drivers/acpi/processor_driver.c +@@ -262,11 +262,16 @@ err_power_exit: + static int acpi_processor_start(struct device *dev) + { + struct acpi_device *device = ACPI_COMPANION(dev); ++ int ret; + + if (!device) + return -ENODEV; + +- return __acpi_processor_start(device); ++ /* Protect against concurrent CPU hotplug operations */ ++ get_online_cpus(); ++ ret = __acpi_processor_start(device); ++ put_online_cpus(); ++ return ret; + } + + static int acpi_processor_stop(struct device *dev) +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -62,8 +62,8 @@ struct acpi_processor_throttling_arg { + #define THROTTLING_POSTCHANGE (2) + + static int acpi_processor_get_throttling(struct acpi_processor *pr); +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force); ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct); + + static int acpi_processor_update_tsd_coord(void) + { +@@ -891,7 +891,8 @@ static int acpi_processor_get_throttling + ACPI_DEBUG_PRINT((ACPI_DB_INFO, + "Invalid throttling state, reset\n")); + state = 0; +- ret = acpi_processor_set_throttling(pr, state, true); ++ ret = __acpi_processor_set_throttling(pr, state, true, ++ true); + if (ret) + return ret; + } +@@ -901,36 +902,31 @@ static int acpi_processor_get_throttling + return 0; + } + +-static int acpi_processor_get_throttling(struct acpi_processor *pr) ++static long __acpi_processor_get_throttling(void *data) + { +- cpumask_var_t saved_mask; +- int ret; ++ struct acpi_processor *pr = data; ++ ++ return pr->throttling.acpi_processor_get_throttling(pr); ++} + ++static int acpi_processor_get_throttling(struct acpi_processor *pr) ++{ + if (!pr) + return -EINVAL; + + if (!pr->flags.throttling) + return -ENODEV; + +- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL)) +- return -ENOMEM; +- + /* +- * Migrate task to the cpu pointed by pr. ++ * This is either called from the CPU hotplug callback of ++ * processor_driver or via the ACPI probe function. In the latter ++ * case the CPU is not guaranteed to be online. Both call sites are ++ * protected against CPU hotplug. + */ +- cpumask_copy(saved_mask, ¤t->cpus_allowed); +- /* FIXME: use work_on_cpu() */ +- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) { +- /* Can't migrate to the target pr->id CPU. Exit */ +- free_cpumask_var(saved_mask); ++ if (!cpu_online(pr->id)) + return -ENODEV; +- } +- ret = pr->throttling.acpi_processor_get_throttling(pr); +- /* restore the previous state */ +- set_cpus_allowed_ptr(current, saved_mask); +- free_cpumask_var(saved_mask); + +- return ret; ++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr); + } + + static int acpi_processor_get_fadt_info(struct acpi_processor *pr) +@@ -1080,8 +1076,15 @@ static long acpi_processor_throttling_fn + arg->target_state, arg->force); + } + +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force) ++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct) ++{ ++ if (direct) ++ return fn(arg); ++ return work_on_cpu(cpu, fn, arg); ++} ++ ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct) + { + int ret = 0; + unsigned int i; +@@ -1130,7 +1133,8 @@ int acpi_processor_set_throttling(struct + arg.pr = pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg, ++ direct); + } else { + /* + * When the T-state coordination is SW_ALL or HW_ALL, +@@ -1163,8 +1167,8 @@ int acpi_processor_set_throttling(struct + arg.pr = match_pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, +- &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, ++ &arg, direct); + } + } + /* +@@ -1182,6 +1186,12 @@ int acpi_processor_set_throttling(struct + return ret; + } + ++int acpi_processor_set_throttling(struct acpi_processor *pr, int state, ++ bool force) ++{ ++ return __acpi_processor_set_throttling(pr, state, force, false); ++} ++ + int acpi_processor_get_throttling_info(struct acpi_processor *pr) + { + int result = 0; diff --git a/queue-4.9/acpica-iasl-fix-iort-smmu-gsi-disassembling.patch b/queue-4.9/acpica-iasl-fix-iort-smmu-gsi-disassembling.patch new file mode 100644 index 00000000000..71f7b335d6e --- /dev/null +++ b/queue-4.9/acpica-iasl-fix-iort-smmu-gsi-disassembling.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Lv Zheng +Date: Wed, 26 Apr 2017 16:18:49 +0800 +Subject: ACPICA: iasl: Fix IORT SMMU GSI disassembling + +From: Lv Zheng + + +[ Upstream commit bb1e23e66e6237ff7a1824b37366540a89149c33 ] + +ACPICA commit 637b88de24a78c20478728d9d66632b06fcaa5bf + +If the IORT template is compiled and then iort.aml binary disassembled to +iort.dsl, SMMUv1 node lists incorrect offset for SMMU_Nsg_cfg_irpt Interrupt: +[0ECh 0236 8] SMMU_Nsg_irpt Interrupt : 0000000000000000 +[0ECh 0236 8] SMMU_Nsg_cfg_irpt Interrupt : 0000000000000000 +This is because iasl hasn't implemented SMMU GSI decoding yet. + +This patch fixes this issue by preparing structures for decoding IORT SMMU +GSI. ACPICA BZ 1340, reported by Alexei Fedorov, fixed by Lv Zheng. + +Link: https://github.com/acpica/acpica/commit/637b88de +Link: https://bugs.acpica.org/show_bug.cgi?id=1340 +Reported-by: Alexei Fedorov +Signed-off-by: Lv Zheng +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/acpi/actbl2.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/include/acpi/actbl2.h ++++ b/include/acpi/actbl2.h +@@ -783,6 +783,15 @@ struct acpi_iort_smmu { + #define ACPI_IORT_SMMU_DVM_SUPPORTED (1) + #define ACPI_IORT_SMMU_COHERENT_WALK (1<<1) + ++/* Global interrupt format */ ++ ++struct acpi_iort_smmu_gsi { ++ u32 nsg_irpt; ++ u32 nsg_irpt_flags; ++ u32 nsg_cfg_irpt; ++ u32 nsg_cfg_irpt_flags; ++}; ++ + struct acpi_iort_smmu_v3 { + u64 base_address; /* SMMUv3 base address */ + u32 flags; diff --git a/queue-4.9/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch b/queue-4.9/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch new file mode 100644 index 00000000000..417b0159173 --- /dev/null +++ b/queue-4.9/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch @@ -0,0 +1,61 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Mikhail Paulyshka +Date: Fri, 21 Apr 2017 08:52:42 +0200 +Subject: ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 + +From: Mikhail Paulyshka + + +[ Upstream commit fc7438b1eb12b6c93d7b7a62423779eb5dfc673c ] + +Headset microphone does not work out of the box on ASUS Nx51 +laptops. This patch fixes it. + +Patch tested on Asus N551 laptop. Asus N751 part is not tested, but +according to [1] this laptop uses the same audiosystem. + +1. https://bugzilla.kernel.org/show_bug.cgi?id=117781 + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195437 +Signed-off-by: Mikhail Paulyshka +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6780,6 +6780,7 @@ enum { + ALC668_FIXUP_DELL_DISABLE_AAMIX, + ALC668_FIXUP_DELL_XPS13, + ALC662_FIXUP_ASUS_Nx50, ++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + ALC668_FIXUP_ASUS_Nx51, + ALC891_FIXUP_HEADSET_MODE, + ALC891_FIXUP_DELL_MIC_NO_PRESENCE, +@@ -7031,14 +7032,21 @@ static const struct hda_fixup alc662_fix + .chained = true, + .chain_id = ALC662_FIXUP_BASS_1A + }, ++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_mode_alc668, ++ .chain_id = ALC662_FIXUP_BASS_CHMAP ++ }, + [ALC668_FIXUP_ASUS_Nx51] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +- {0x1a, 0x90170151}, /* bass speaker */ ++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */ ++ { 0x1a, 0x90170151 }, /* bass speaker */ ++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */ + {} + }, + .chained = true, +- .chain_id = ALC662_FIXUP_BASS_CHMAP, ++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + }, + [ALC891_FIXUP_HEADSET_MODE] = { + .type = HDA_FIXUP_FUNC, diff --git a/queue-4.9/arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch b/queue-4.9/arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch new file mode 100644 index 00000000000..e0236763540 --- /dev/null +++ b/queue-4.9/arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch @@ -0,0 +1,63 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Abel Vesa +Date: Mon, 3 Apr 2017 23:58:54 +0100 +Subject: ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER + +From: Abel Vesa + + +[ Upstream commit 6f05d0761af612e04572ba4d65b4c0274a88444f ] + +The support for dynamic ftrace with CONFIG_DEBUG_RODATA involves +overriding the weak arch_ftrace_update_code() with a variant which makes +the kernel text writable around the patching. + +This override was however added under the CONFIG_OLD_MCOUNT ifdef, and +CONFIG_OLD_MCOUNT is only enabled if frame pointers are enabled. + +This leads to non-functional dynamic ftrace (ftrace triggers a +WARN_ON()) when CONFIG_DEBUG_RODATA is enabled and CONFIG_FRAME_POINTER +is not. + +Move the override out of that ifdef and into the CONFIG_DYNAMIC_FTRACE +ifdef where it belongs. + +Fixes: 80d6b0c2eed2a ("ARM: mm: allow text and rodata sections to be read-only") +Suggested-by: Nicolai Stange +Suggested-by: Rabin Vincent +Signed-off-by: Abel Vesa +Acked-by: Rabin Vincent +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/ftrace.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/arm/kernel/ftrace.c ++++ b/arch/arm/kernel/ftrace.c +@@ -29,11 +29,6 @@ + #endif + + #ifdef CONFIG_DYNAMIC_FTRACE +-#ifdef CONFIG_OLD_MCOUNT +-#define OLD_MCOUNT_ADDR ((unsigned long) mcount) +-#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old) +- +-#define OLD_NOP 0xe1a00000 /* mov r0, r0 */ + + static int __ftrace_modify_code(void *data) + { +@@ -51,6 +46,12 @@ void arch_ftrace_update_code(int command + stop_machine(__ftrace_modify_code, &command, NULL); + } + ++#ifdef CONFIG_OLD_MCOUNT ++#define OLD_MCOUNT_ADDR ((unsigned long) mcount) ++#define OLD_FTRACE_ADDR ((unsigned long) ftrace_caller_old) ++ ++#define OLD_NOP 0xe1a00000 /* mov r0, r0 */ ++ + static unsigned long ftrace_nop_replace(struct dyn_ftrace *rec) + { + return rec->arch.old_mcount ? OLD_NOP : NOP; diff --git a/queue-4.9/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch b/queue-4.9/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch new file mode 100644 index 00000000000..10338b5c9a4 --- /dev/null +++ b/queue-4.9/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Kishon Vijay Abraham I +Date: Mon, 27 Mar 2017 15:15:20 +0530 +Subject: ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP + +From: Kishon Vijay Abraham I + + +[ Upstream commit 2c949ce38f4e81d7487f165fa3b8f77d74a2a6c4 ] + +The PCIe programming sequence in TRM suggests CLKSTCTRL of PCIe should be +set to SW_WKUP. There are no issues when CLKSTCTRL is set to HW_AUTO in RC +mode. However in EP mode, the host system is not able to access the +MEMSPACE and setting the CLKSTCTRL to SW_WKUP fixes it. + +Acked-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/clockdomains7xx_data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/clockdomains7xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c +@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm + .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT, + .wkdep_srcs = pcie_wkup_sleep_deps, + .sleepdep_srcs = pcie_wkup_sleep_deps, +- .flags = CLKDM_CAN_HWSUP_SWSUP, ++ .flags = CLKDM_CAN_SWSUP, + }; + + static struct clockdomain atl_7xx_clkdm = { diff --git a/queue-4.9/arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch b/queue-4.9/arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch new file mode 100644 index 00000000000..56d226ef1f6 --- /dev/null +++ b/queue-4.9/arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch @@ -0,0 +1,32 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Joel Stanley +Date: Mon, 18 Dec 2017 23:27:03 +1030 +Subject: ARM: dts: aspeed-evb: Add unit name to memory node + +From: Joel Stanley + + +[ Upstream commit e40ed274489a5f516da120186578eb379b452ac6 ] + +Fixes a warning when building with W=1. + +All of the ASPEED device trees build without warnings now. + +Signed-off-by: Joel Stanley +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/aspeed-ast2500-evb.dts ++++ b/arch/arm/boot/dts/aspeed-ast2500-evb.dts +@@ -15,7 +15,7 @@ + bootargs = "console=ttyS4,115200 earlyprintk"; + }; + +- memory { ++ memory@80000000 { + reg = <0x80000000 0x20000000>; + }; + }; diff --git a/queue-4.9/asoc-intel-atom-update-thinkpad-10-quirk.patch b/queue-4.9/asoc-intel-atom-update-thinkpad-10-quirk.patch new file mode 100644 index 00000000000..df87c90d20a --- /dev/null +++ b/queue-4.9/asoc-intel-atom-update-thinkpad-10-quirk.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pierre-Louis Bossart +Date: Mon, 17 Apr 2017 10:04:07 -0500 +Subject: ASoC: Intel: Atom: update Thinkpad 10 quirk + +From: Pierre-Louis Bossart + + +[ Upstream commit beb5989a8c6c6867b4e873cca2a66d31f977368f ] + +There are multiple skews of the same Lenovo audio hardware +based on the Realtek RT5670 codec. + +Manufacturer: LENOVO + Product Name: 20C1CTO1WW + Version: ThinkPad 10 + +Manufacturer: LENOVO + Product Name: 20C3001VHH + Version: ThinkPad 10 + +Manufacturer: LENOVO + Product Name: 20C10024GE + Version: ThinkPad Tablet B + +Manufacturer: LENOVO + Product Name: 20359 + Version: Lenovo Miix 2 10 + +For all these devices, the same quirk is used to force +the machine driver to be based on RT5670 instead of RT5640 +as indicated by the BIOS. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=96691 +Tested-by: Nicole Faerber +Tested-by: Viacheslav Ostroukh +Signed-off-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/atom/sst/sst_acpi.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/sound/soc/intel/atom/sst/sst_acpi.c ++++ b/sound/soc/intel/atom/sst/sst_acpi.c +@@ -420,7 +420,21 @@ static const struct dmi_system_id byt_ta + .callback = byt_thinkpad10_quirk_cb, + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "20C3001VHH"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad 10"), ++ }, ++ }, ++ { ++ .callback = byt_thinkpad10_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad Tablet B"), ++ }, ++ }, ++ { ++ .callback = byt_thinkpad10_quirk_cb, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"), + }, + }, + { } diff --git a/queue-4.9/asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch b/queue-4.9/asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch new file mode 100644 index 00000000000..ff7a000d08a --- /dev/null +++ b/queue-4.9/asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Thu, 20 Apr 2017 13:17:02 +0300 +Subject: ASoC: Intel: Skylake: Uninitialized variable in probe_codec() + +From: Dan Carpenter + + +[ Upstream commit e6a33532affd14c12688c0e9b2e773e8b2550f3b ] + +My static checker complains that if snd_hdac_bus_get_response() returns +-EIO then "res" is uninitialized. Fix this by initializing it to -1 so +that the error is handled correctly. + +Fixes: d8c2dab8381d ("ASoC: Intel: Add Skylake HDA audio driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/skylake/skl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/skylake/skl.c ++++ b/sound/soc/intel/skylake/skl.c +@@ -457,7 +457,7 @@ static int probe_codec(struct hdac_ext_b + struct hdac_bus *bus = ebus_to_hbus(ebus); + unsigned int cmd = (addr << 28) | (AC_NODE_ROOT << 20) | + (AC_VERB_PARAMETERS << 8) | AC_PAR_VENDOR_ID; +- unsigned int res; ++ unsigned int res = -1; + + mutex_lock(&bus->cmd_mutex); + snd_hdac_bus_send_cmd(bus, cmd); diff --git a/queue-4.9/ath-fix-updating-radar-flags-for-coutry-code-india.patch b/queue-4.9/ath-fix-updating-radar-flags-for-coutry-code-india.patch new file mode 100644 index 00000000000..27597fb6b88 --- /dev/null +++ b/queue-4.9/ath-fix-updating-radar-flags-for-coutry-code-india.patch @@ -0,0 +1,92 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Mohammed Shafi Shajakhan +Date: Wed, 12 Apr 2017 23:19:37 +0530 +Subject: ath: Fix updating radar flags for coutry code India + +From: Mohammed Shafi Shajakhan + + +[ Upstream commit c0c345d4cacc6a1f39d4856f37dcf6e34f51a5e4 ] + +As per latest regulatory update for India, channel 52, 56, 60, 64 +is no longer restricted to DFS. Enabling DFS/no infra flags in driver +results in applying all DFS related restrictions (like doing CAC etc +before this channel moves to 'available state') for these channels +even though the country code is programmed as 'India' in he hardware, +fix this by relaxing the frequency range while applying RADAR flags +only if the country code is programmed to India. If the frequency range +needs to modified based on different country code, ath_is_radar_freq +can be extended/modified dynamically. + +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/ath/regd.c ++++ b/drivers/net/wireless/ath/regd.c +@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain) + EXPORT_SYMBOL(ath_is_49ghz_allowed); + + /* Frequency is one where radar detection is required */ +-static bool ath_is_radar_freq(u16 center_freq) ++static bool ath_is_radar_freq(u16 center_freq, ++ struct ath_regulatory *reg) ++ + { ++ if (reg->country_code == CTRY_INDIA) ++ return (center_freq >= 5500 && center_freq <= 5700); + return (center_freq >= 5260 && center_freq <= 5700); + } + +@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct w + enum nl80211_reg_initiator initiator, + struct ieee80211_channel *ch) + { +- if (ath_is_radar_freq(ch->center_freq) || ++ if (ath_is_radar_freq(ch->center_freq, reg) || + (ch->flags & IEEE80211_CHAN_RADAR)) + return; + +@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wip + } + } + +-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */ +-static void ath_reg_apply_radar_flags(struct wiphy *wiphy) ++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */ ++static void ath_reg_apply_radar_flags(struct wiphy *wiphy, ++ struct ath_regulatory *reg) + { + struct ieee80211_supported_band *sband; + struct ieee80211_channel *ch; +@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(st + + for (i = 0; i < sband->n_channels; i++) { + ch = &sband->channels[i]; +- if (!ath_is_radar_freq(ch->center_freq)) ++ if (!ath_is_radar_freq(ch->center_freq, reg)) + continue; + /* We always enable radar detection/DFS on this + * frequency range. Additionally we also apply on +@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy + struct ath_common *common = container_of(reg, struct ath_common, + regulatory); + /* We always apply this */ +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + + /* + * This would happen when we have sent a custom regulatory request +@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulator + } + + wiphy_apply_custom_regulatory(wiphy, regd); +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg); + return 0; + } diff --git a/queue-4.9/ath10k-fix-out-of-bounds-access-to-local-buffer.patch b/queue-4.9/ath10k-fix-out-of-bounds-access-to-local-buffer.patch new file mode 100644 index 00000000000..d7a35f57626 --- /dev/null +++ b/queue-4.9/ath10k-fix-out-of-bounds-access-to-local-buffer.patch @@ -0,0 +1,53 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Michael Mera +Date: Mon, 24 Apr 2017 16:11:57 +0900 +Subject: ath10k: fix out of bounds access to local buffer + +From: Michael Mera + + +[ Upstream commit a16703aaeaedec7a8bee5be5522c7c3e75478951 ] + +During write to debugfs file simulate_fw_crash, fixed-size local buffer +'buf' is accessed and modified at index 'count-1', where 'count' is the +size of the write (so potentially out of bounds). +This patch fixes this problem. + +Signed-off-by: Michael Mera +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/debug.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/debug.c ++++ b/drivers/net/wireless/ath/ath10k/debug.c +@@ -624,17 +624,21 @@ static ssize_t ath10k_write_simulate_fw_ + size_t count, loff_t *ppos) + { + struct ath10k *ar = file->private_data; +- char buf[32]; ++ char buf[32] = {0}; ++ ssize_t rc; + int ret; + +- simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); ++ /* filter partial writes and invalid commands */ ++ if (*ppos != 0 || count >= sizeof(buf) || count == 0) ++ return -EINVAL; + +- /* make sure that buf is null terminated */ +- buf[sizeof(buf) - 1] = 0; ++ rc = simple_write_to_buffer(buf, sizeof(buf) - 1, ppos, user_buf, count); ++ if (rc < 0) ++ return rc; + + /* drop the possible '\n' from the end */ +- if (buf[count - 1] == '\n') +- buf[count - 1] = 0; ++ if (buf[*ppos - 1] == '\n') ++ buf[*ppos - 1] = '\0'; + + mutex_lock(&ar->conf_mutex); + diff --git a/queue-4.9/ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch b/queue-4.9/ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch new file mode 100644 index 00000000000..d77f03c3dae --- /dev/null +++ b/queue-4.9/ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Balaji Pothunoori +Date: Thu, 7 Dec 2017 16:58:04 +0200 +Subject: ath10k: handling qos at STA side based on AP WMM enable/disable + +From: Balaji Pothunoori + + +[ Upstream commit 07ffb4497360ae8789f05555fec8171ee952304d ] + +Data packets are not sent by STA in case of STA joined to +non QOS AP (WMM disabled AP). This is happening because of STA +is sending data packets to firmware from host with qos enabled +along with non qos queue value(TID = 16). +Due to qos enabled, firmware is discarding the packet. + +This patch fixes this issue by updating the qos based on station +WME capability field if WMM is disabled in AP. + +This patch is required by 10.4 family chipsets like +QCA4019/QCA9888/QCA9884/QCA99X0. +Firmware Versoin : 10.4-3.5.1-00018. + +For 10.2.4 family chipsets QCA988X/QCA9887 and QCA6174 this patch +has no effect. + +Signed-off-by: Balaji Pothunoori +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -2505,7 +2505,7 @@ static void ath10k_peer_assoc_h_qos(stru + } + break; + case WMI_VDEV_TYPE_STA: +- if (vif->bss_conf.qos) ++ if (sta->wme) + arg->peer_flags |= arvif->ar->wmi.peer_flags->qos; + break; + case WMI_VDEV_TYPE_IBSS: diff --git a/queue-4.9/block-mq-cure-cpu-hotplug-lock-inversion.patch b/queue-4.9/block-mq-cure-cpu-hotplug-lock-inversion.patch new file mode 100644 index 00000000000..c70bb0219c9 --- /dev/null +++ b/queue-4.9/block-mq-cure-cpu-hotplug-lock-inversion.patch @@ -0,0 +1,112 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Peter Zijlstra +Date: Thu, 4 May 2017 15:05:26 +0200 +Subject: block/mq: Cure cpu hotplug lock inversion + +From: Peter Zijlstra + + +[ Upstream commit eabe06595d62cfa9278e2cd012df614bc68a7042 ] + +By poking at /debug/sched_features I triggered the following splat: + + [] ====================================================== + [] WARNING: possible circular locking dependency detected + [] 4.11.0-00873-g964c8b7-dirty #694 Not tainted + [] ------------------------------------------------------ + [] bash/2109 is trying to acquire lock: + [] (cpu_hotplug_lock.rw_sem){++++++}, at: [] static_key_slow_dec+0x1b/0x50 + [] + [] but task is already holding lock: + [] (&sb->s_type->i_mutex_key#4){+++++.}, at: [] sched_feat_write+0x86/0x170 + [] + [] which lock already depends on the new lock. + [] + [] + [] the existing dependency chain (in reverse order) is: + [] + [] -> #2 (&sb->s_type->i_mutex_key#4){+++++.}: + [] lock_acquire+0x100/0x210 + [] down_write+0x28/0x60 + [] start_creating+0x5e/0xf0 + [] debugfs_create_dir+0x13/0x110 + [] blk_mq_debugfs_register+0x21/0x70 + [] blk_mq_register_dev+0x64/0xd0 + [] blk_register_queue+0x6a/0x170 + [] device_add_disk+0x22d/0x440 + [] loop_add+0x1f3/0x280 + [] loop_init+0x104/0x142 + [] do_one_initcall+0x43/0x180 + [] kernel_init_freeable+0x1de/0x266 + [] kernel_init+0xe/0x100 + [] ret_from_fork+0x31/0x40 + [] + [] -> #1 (all_q_mutex){+.+.+.}: + [] lock_acquire+0x100/0x210 + [] __mutex_lock+0x6c/0x960 + [] mutex_lock_nested+0x1b/0x20 + [] blk_mq_init_allocated_queue+0x37c/0x4e0 + [] blk_mq_init_queue+0x3a/0x60 + [] loop_add+0xe5/0x280 + [] loop_init+0x104/0x142 + [] do_one_initcall+0x43/0x180 + [] kernel_init_freeable+0x1de/0x266 + [] kernel_init+0xe/0x100 + [] ret_from_fork+0x31/0x40 + + [] *** DEADLOCK *** + [] + [] 3 locks held by bash/2109: + [] #0: (sb_writers#11){.+.+.+}, at: [] vfs_write+0x17d/0x1a0 + [] #1: (debugfs_srcu){......}, at: [] full_proxy_write+0x5d/0xd0 + [] #2: (&sb->s_type->i_mutex_key#4){+++++.}, at: [] sched_feat_write+0x86/0x170 + [] + [] stack backtrace: + [] CPU: 9 PID: 2109 Comm: bash Not tainted 4.11.0-00873-g964c8b7-dirty #694 + [] Hardware name: Intel Corporation S2600GZ/S2600GZ, BIOS SE5C600.86B.02.02.0002.122320131210 12/23/2013 + [] Call Trace: + + [] lock_acquire+0x100/0x210 + [] get_online_cpus+0x2a/0x90 + [] static_key_slow_dec+0x1b/0x50 + [] static_key_disable+0x20/0x30 + [] sched_feat_write+0x131/0x170 + [] full_proxy_write+0x97/0xd0 + [] __vfs_write+0x28/0x120 + [] vfs_write+0xb5/0x1a0 + [] SyS_write+0x49/0xa0 + [] entry_SYSCALL_64_fastpath+0x23/0xc2 + +This is because of the cpu hotplug lock rework. Break the chain at #1 +by reversing the lock acquisition order. This way i_mutex_key#4 no +longer depends on cpu_hotplug_lock and things are good. + +Cc: Jens Axboe +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -2014,15 +2014,15 @@ struct request_queue *blk_mq_init_alloca + + blk_mq_init_cpu_queues(q, set->nr_hw_queues); + +- get_online_cpus(); + mutex_lock(&all_q_mutex); ++ get_online_cpus(); + + list_add_tail(&q->all_q_node, &all_q_list); + blk_mq_add_queue_tag_set(set, q); + blk_mq_map_swqueue(q, cpu_online_mask); + +- mutex_unlock(&all_q_mutex); + put_online_cpus(); ++ mutex_unlock(&all_q_mutex); + + return q; + diff --git a/queue-4.9/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch b/queue-4.9/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch new file mode 100644 index 00000000000..ec69238463e --- /dev/null +++ b/queue-4.9/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Loic Poulain +Date: Wed, 22 Nov 2017 15:03:17 +0100 +Subject: Bluetooth: btqcomsmd: Fix skb double free corruption + +From: Loic Poulain + + +[ Upstream commit 67b8fbead4685b36d290a0ef91c6ddffc4920ec9 ] + +In case of hci send frame failure, skb is still owned +by the caller (hci_core) and then should not be freed. + +This fixes crash on dragonboard-410c when sending SCO +packet. skb is freed by both btqcomsmd and hci_core. + +Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver") +Signed-off-by: Loic Poulain +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btqcomsmd.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/bluetooth/btqcomsmd.c ++++ b/drivers/bluetooth/btqcomsmd.c +@@ -85,7 +85,8 @@ static int btqcomsmd_send(struct hci_dev + break; + } + +- kfree_skb(skb); ++ if (!ret) ++ kfree_skb(skb); + + return ret; + } diff --git a/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch b/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch new file mode 100644 index 00000000000..08e34c5c034 --- /dev/null +++ b/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dean Jenkins +Date: Fri, 28 Apr 2017 13:57:25 +0100 +Subject: Bluetooth: hci_ldisc: Add protocol check to hci_uart_dequeue() + +From: Dean Jenkins + + +[ Upstream commit 048e1bd3a27fbeb84ccdff52e165370c1339a193 ] + +Before attempting to dequeue a Data Link protocol encapsulated message, +check that the Data Link protocol is still bound to the HCI UART driver. +This makes the code consistent with the usage of the other proto +function pointers. + +Therefore, add a check for HCI_UART_PROTO_READY into hci_uart_dequeue() +and return NULL if the Data Link protocol is not bound. + +This is needed for robustness as there is a scheduling race condition. +hci_uart_write_work() is scheduled to run via work queue hu->write_work +from hci_uart_tx_wakeup(). Therefore, there is a delay between +scheduling hci_uart_write_work() to run and hci_uart_dequeue() running +whereby the Data Link protocol layer could become unbound during the +scheduling delay. In this case, without the check, the call to the +unbound Data Link protocol layer dequeue function can crash. + +It is noted that hci_uart_tty_close() has a +"cancel_work_sync(&hu->write_work)" statement but this only reduces +the window of the race condition because it is possible for a new +work-item to be added to work queue hu->write_work after the call to +cancel_work_sync(). For example, Data Link layer retransmissions can +be added to the work queue after the cancel_work_sync() has finished. + +Signed-off-by: Dean Jenkins +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_ldisc.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -113,10 +113,12 @@ static inline struct sk_buff *hci_uart_d + { + struct sk_buff *skb = hu->tx_skb; + +- if (!skb) +- skb = hu->proto->dequeue(hu); +- else ++ if (!skb) { ++ if (test_bit(HCI_UART_PROTO_READY, &hu->flags)) ++ skb = hu->proto->dequeue(hu); ++ } else { + hu->tx_skb = NULL; ++ } + + return skb; + } diff --git a/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch b/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch new file mode 100644 index 00000000000..c85455bf284 --- /dev/null +++ b/queue-4.9/bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dean Jenkins +Date: Fri, 28 Apr 2017 13:57:26 +0100 +Subject: Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() + +From: Dean Jenkins + + +[ Upstream commit 2d6f1da168e1d62c47f7d50135ac4cbd8411dcb1 ] + +Before attempting to schedule a work-item onto hu->write_work in +hci_uart_tx_wakeup(), check that the Data Link protocol layer is +still bound to the HCI UART driver. + +Failure to perform this protocol check causes a race condition between +the work queue hu->write_work running hci_uart_write_work() and the +Data Link protocol layer being unbound (closed) in hci_uart_tty_close(). + +Note hci_uart_tty_close() does have a "cancel_work_sync(&hu->write_work)" +but it is ineffective because it cannot prevent work-items being added +to hu->write_work after cancel_work_sync() has run. + +Therefore, add a check for HCI_UART_PROTO_READY into hci_uart_tx_wakeup() +which prevents scheduling of the work queue when HCI_UART_PROTO_READY +is in the clear state. However, note a small race condition remains +because the hci_uart_tx_wakeup() thread can run in parallel with the +hci_uart_tty_close() thread so it is possible that a schedule of +hu->write_work can occur when HCI_UART_PROTO_READY is cleared. A complete +solution needs locking of the threads which is implemented in a future +commit. + +Signed-off-by: Dean Jenkins +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_ldisc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -125,6 +125,9 @@ static inline struct sk_buff *hci_uart_d + + int hci_uart_tx_wakeup(struct hci_uart *hu) + { ++ if (!test_bit(HCI_UART_PROTO_READY, &hu->flags)) ++ return 0; ++ + if (test_and_set_bit(HCI_UART_SENDING, &hu->tx_state)) { + set_bit(HCI_UART_TX_WAKEUP, &hu->tx_state); + return 0; diff --git a/queue-4.9/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch b/queue-4.9/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch new file mode 100644 index 00000000000..d963221759f --- /dev/null +++ b/queue-4.9/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Loic Poulain +Date: Mon, 6 Nov 2017 12:16:56 +0100 +Subject: Bluetooth: hci_qca: Avoid setup failure on missing rampatch + +From: Loic Poulain + + +[ Upstream commit ba8f3597900291a93604643017fff66a14546015 ] + +Assuming that the original code idea was to enable in-band sleeping +only if the setup_rome method returns succes and run in 'standard' +mode otherwise, we should not return setup_rome return value which +makes qca_setup fail if no rampatch/nvm file found. + +This fixes BT issue on the dragonboard-820C p4 which includes the +following QCA controller: +hci0: Product:0x00000008 +hci0: Patch :0x00000111 +hci0: ROM :0x00000302 +hci0: SOC :0x00000044 + +Since there is no rampatch for this controller revision, just make +it work as is. + +Signed-off-by: Loic Poulain +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_qca.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -936,6 +936,9 @@ static int qca_setup(struct hci_uart *hu + if (!ret) { + set_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags); + qca_debugfs_init(hdev); ++ } else if (ret == -ENOENT) { ++ /* No patch/nvm-config found, run with original fw/config */ ++ ret = 0; + } + + /* Setup bdaddr */ diff --git a/queue-4.9/bnx2x-align-rx-buffers.patch b/queue-4.9/bnx2x-align-rx-buffers.patch new file mode 100644 index 00000000000..756a0e7ed71 --- /dev/null +++ b/queue-4.9/bnx2x-align-rx-buffers.patch @@ -0,0 +1,78 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Scott Wood +Date: Fri, 28 Apr 2017 19:17:41 -0500 +Subject: bnx2x: Align RX buffers + +From: Scott Wood + + +[ Upstream commit 9b70de6d0266888b3743f03802502e43131043c8 ] + +The bnx2x driver is not providing proper alignment on the receive buffers it +passes to build_skb(), causing skb_shared_info to be misaligned. +skb_shared_info contains an atomic, and while PPC normally supports +unaligned accesses, it does not support unaligned atomics. + +Aligning the size of rx buffers will ensure that page_frag_alloc() returns +aligned addresses. + +This can be reproduced on PPC by setting the network MTU to 1450 (or other +non-multiple-of-4) and then generating sufficient inbound network traffic +(one or two large "wget"s usually does it), producing the following oops: + +Unable to handle kernel paging request for unaligned access at address 0xc00000ffc43af656 +Faulting instruction address: 0xc00000000080ef8c +Oops: Kernel access of bad area, sig: 7 [#1] +SMP NR_CPUS=2048 +NUMA +PowerNV +Modules linked in: vmx_crypto powernv_rng rng_core powernv_op_panel leds_powernv led_class nfsd ip_tables x_tables autofs4 xfs lpfc bnx2x mdio libcrc32c crc_t10dif crct10dif_generic crct10dif_common +CPU: 104 PID: 0 Comm: swapper/104 Not tainted 4.11.0-rc8-00088-g4c761da #2 +task: c00000ffd4892400 task.stack: c00000ffd4920000 +NIP: c00000000080ef8c LR: c00000000080eee8 CTR: c0000000001f8320 +REGS: c00000ffffc33710 TRAP: 0600 Not tainted (4.11.0-rc8-00088-g4c761da) +MSR: 9000000000009033 + CR: 24082042 XER: 00000000 +CFAR: c00000000080eea0 DAR: c00000ffc43af656 DSISR: 00000000 SOFTE: 1 +GPR00: c000000000907f64 c00000ffffc33990 c000000000dd3b00 c00000ffcaf22100 +GPR04: c00000ffcaf22e00 0000000000000000 0000000000000000 0000000000000000 +GPR08: 0000000000b80008 c00000ffc43af636 c00000ffc43af656 0000000000000000 +GPR12: c0000000001f6f00 c00000000fe1a000 000000000000049f 000000000000c51f +GPR16: 00000000ffffef33 0000000000000000 0000000000008a43 0000000000000001 +GPR20: c00000ffc58a90c0 0000000000000000 000000000000dd86 0000000000000000 +GPR24: c000007fd0ed10c0 00000000ffffffff 0000000000000158 000000000000014a +GPR28: c00000ffc43af010 c00000ffc9144000 c00000ffcaf22e00 c00000ffcaf22100 +NIP [c00000000080ef8c] __skb_clone+0xdc/0x140 +LR [c00000000080eee8] __skb_clone+0x38/0x140 +Call Trace: +[c00000ffffc33990] [c00000000080fb74] skb_clone+0x74/0x110 (unreliable) +[c00000ffffc339c0] [c000000000907f64] packet_rcv+0x144/0x510 +[c00000ffffc33a40] [c000000000827b64] __netif_receive_skb_core+0x5b4/0xd80 +[c00000ffffc33b00] [c00000000082b2bc] netif_receive_skb_internal+0x2c/0xc0 +[c00000ffffc33b40] [c00000000082c49c] napi_gro_receive+0x11c/0x260 +[c00000ffffc33b80] [d000000066483d68] bnx2x_poll+0xcf8/0x17b0 [bnx2x] +[c00000ffffc33d00] [c00000000082babc] net_rx_action+0x31c/0x480 +[c00000ffffc33e10] [c0000000000d5a44] __do_softirq+0x164/0x3d0 +[c00000ffffc33f00] [c0000000000d60a8] irq_exit+0x108/0x120 +[c00000ffffc33f20] [c000000000015b98] __do_irq+0x98/0x200 +[c00000ffffc33f90] [c000000000027f14] call_do_irq+0x14/0x24 +[c00000ffd4923a90] [c000000000015d94] do_IRQ+0x94/0x110 +[c00000ffd4923ae0] [c000000000008d90] hardware_interrupt_common+0x150/0x160 + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -2026,6 +2026,7 @@ static void bnx2x_set_rx_buf_size(struct + ETH_OVREHEAD + + mtu + + BNX2X_FW_RX_ALIGN_END; ++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size); + /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */ + if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE) + fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD; diff --git a/queue-4.9/bonding-handle-link-transition-from-fail-to-up-correctly.patch b/queue-4.9/bonding-handle-link-transition-from-fail-to-up-correctly.patch new file mode 100644 index 00000000000..88309b9687f --- /dev/null +++ b/queue-4.9/bonding-handle-link-transition-from-fail-to-up-correctly.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Mahesh Bandewar +Date: Tue, 11 Apr 2017 22:36:00 -0700 +Subject: bonding: handle link transition from FAIL to UP correctly + +From: Mahesh Bandewar + + +[ Upstream commit fb9eb899a6dc663e4a2deed9af2ac28f507d0ffb ] + +When link transitions from LINK_FAIL to LINK_UP, the commit phase is +not called. This leads to an erroneous state causing slave-link state to +get stuck in "going down" state while its speed and duplex are perfectly +fine. This issue is a side-effect of splitting link-set into propose and +commit phases introduced by de77ecd4ef02 ("bonding: improve link-status +update in mii-monitoring") + +This patch fixes these issues by calling commit phase whenever link +state change is proposed. + +Fixes: de77ecd4ef02 ("bonding: improve link-status update in mii-monitoring") +Signed-off-by: Mahesh Bandewar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2067,6 +2067,7 @@ static int bond_miimon_inspect(struct bo + (bond->params.downdelay - slave->delay) * + bond->params.miimon, + slave->dev->name); ++ commit++; + continue; + } + +@@ -2104,7 +2105,7 @@ static int bond_miimon_inspect(struct bo + (bond->params.updelay - slave->delay) * + bond->params.miimon, + slave->dev->name); +- ++ commit++; + continue; + } + diff --git a/queue-4.9/btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch b/queue-4.9/btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch new file mode 100644 index 00000000000..11d81445942 --- /dev/null +++ b/queue-4.9/btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch @@ -0,0 +1,57 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Adam Borowski +Date: Tue, 7 Mar 2017 23:34:44 +0100 +Subject: btrfs: fix a bogus warning when converting only data or metadata + +From: Adam Borowski + + +[ Upstream commit 14506127979a5a3d0c5d9b4cc76ce9d4ec23b717 ] + +If your filesystem has, eg, data:raid0 metadata:raid1, and you run "btrfs +balance -dconvert=raid1", the meta.target field will be uninitialized. +That's otherwise ok, as it's unused except for this warning. + +Thus, let's use the existing set of raid levels for the comparison. + +As a side effect, non-convert balances will now nag about data>metadata. + +Signed-off-by: Adam Borowski +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/volumes.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/fs/btrfs/volumes.c ++++ b/fs/btrfs/volumes.c +@@ -3765,6 +3765,7 @@ int btrfs_balance(struct btrfs_balance_c + struct btrfs_ioctl_balance_args *bargs) + { + struct btrfs_fs_info *fs_info = bctl->fs_info; ++ u64 meta_target, data_target; + u64 allowed; + int mixed = 0; + int ret; +@@ -3861,11 +3862,16 @@ int btrfs_balance(struct btrfs_balance_c + } + } while (read_seqretry(&fs_info->profiles_lock, seq)); + +- if (btrfs_get_num_tolerated_disk_barrier_failures(bctl->meta.target) < +- btrfs_get_num_tolerated_disk_barrier_failures(bctl->data.target)) { ++ /* if we're not converting, the target field is uninitialized */ ++ meta_target = (bctl->meta.flags & BTRFS_BALANCE_ARGS_CONVERT) ? ++ bctl->meta.target : fs_info->avail_metadata_alloc_bits; ++ data_target = (bctl->data.flags & BTRFS_BALANCE_ARGS_CONVERT) ? ++ bctl->data.target : fs_info->avail_data_alloc_bits; ++ if (btrfs_get_num_tolerated_disk_barrier_failures(meta_target) < ++ btrfs_get_num_tolerated_disk_barrier_failures(data_target)) { + btrfs_warn(fs_info, + "metadata profile 0x%llx has lower redundancy than data profile 0x%llx", +- bctl->meta.target, bctl->data.target); ++ meta_target, data_target); + } + + if (bctl->sys.flags & BTRFS_BALANCE_ARGS_CONVERT) { diff --git a/queue-4.9/btrfs-fix-extent-map-leak-during-fallocate-error-path.patch b/queue-4.9/btrfs-fix-extent-map-leak-during-fallocate-error-path.patch new file mode 100644 index 00000000000..3c82ad39588 --- /dev/null +++ b/queue-4.9/btrfs-fix-extent-map-leak-during-fallocate-error-path.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Filipe Manana +Date: Mon, 3 Apr 2017 15:57:17 +0100 +Subject: Btrfs: fix extent map leak during fallocate error path + +From: Filipe Manana + + +[ Upstream commit be2d253cc98244765323a7c94cc1ac5cd5a17072 ] + +If the call to btrfs_qgroup_reserve_data() failed, we were leaking an +extent map structure. The failure can happen either due to an -ENOMEM +condition or, when quotas are enabled, due to -EDQUOT for example. + +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -2817,8 +2817,10 @@ static long btrfs_fallocate(struct file + } + ret = btrfs_qgroup_reserve_data(inode, cur_offset, + last_byte - cur_offset); +- if (ret < 0) ++ if (ret < 0) { ++ free_extent_map(em); + break; ++ } + } else { + /* + * Do not need to reserve unwritten extent for this diff --git a/queue-4.9/btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch b/queue-4.9/btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch new file mode 100644 index 00000000000..639d555a62e --- /dev/null +++ b/queue-4.9/btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Filipe Manana +Date: Wed, 8 Mar 2017 16:43:49 +0000 +Subject: Btrfs: fix incorrect space accounting after failure to insert inline extent + +From: Filipe Manana + + +[ Upstream commit 1c81ba237bcecad9bc885a1ddcf02d725ea38482 ] + +When using compression, if we fail to insert an inline extent we +incorrectly end up attempting to free the reserved data space twice, +once through extent_clear_unlock_delalloc(), because we pass it the +flag EXTENT_DO_ACCOUNTING, and once through a direct call to +btrfs_free_reserved_data_space_noquota(). This results in a trace +like the following: + +[ 834.576240] ------------[ cut here ]------------ +[ 834.576825] WARNING: CPU: 2 PID: 486 at fs/btrfs/extent-tree.c:4316 btrfs_free_reserved_data_space_noquota+0x60/0x9f [btrfs] +[ 834.579501] Modules linked in: btrfs crc32c_generic xor raid6_pq ppdev i2c_piix4 acpi_cpufreq psmouse tpm_tis parport_pc pcspkr serio_raw tpm_tis_core sg parport evdev i2c_core tpm button loop autofs4 ext4 crc16 jbd2 mbcache sr_mod cdrom sd_mod ata_generic virtio_scsi ata_piix virtio_pci libata virtio_ring virtio scsi_mod e1000 floppy [last unloaded: btrfs] +[ 834.592116] CPU: 2 PID: 486 Comm: kworker/u32:4 Not tainted 4.10.0-rc8-btrfs-next-37+ #2 +[ 834.593316] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014 +[ 834.595273] Workqueue: btrfs-delalloc btrfs_delalloc_helper [btrfs] +[ 834.596103] Call Trace: +[ 834.596103] dump_stack+0x67/0x90 +[ 834.596103] __warn+0xc2/0xdd +[ 834.596103] warn_slowpath_null+0x1d/0x1f +[ 834.596103] btrfs_free_reserved_data_space_noquota+0x60/0x9f [btrfs] +[ 834.596103] compress_file_range.constprop.42+0x2fa/0x3fc [btrfs] +[ 834.596103] ? submit_compressed_extents+0x3a7/0x3a7 [btrfs] +[ 834.596103] async_cow_start+0x32/0x4d [btrfs] +[ 834.596103] btrfs_scrubparity_helper+0x187/0x3e7 [btrfs] +[ 834.596103] btrfs_delalloc_helper+0xe/0x10 [btrfs] +[ 834.596103] process_one_work+0x273/0x4e4 +[ 834.596103] worker_thread+0x1eb/0x2ca +[ 834.596103] ? rescuer_thread+0x2b6/0x2b6 +[ 834.596103] kthread+0x100/0x108 +[ 834.596103] ? __list_del_entry+0x22/0x22 +[ 834.596103] ret_from_fork+0x2e/0x40 +[ 834.611656] ---[ end trace 719902fe6bdef08f ]--- + +So fix this by not calling directly btrfs_free_reserved_data_space_noquota() +if an error happened. + +Signed-off-by: Filipe Manana +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/inode.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -567,8 +567,10 @@ cont: + PAGE_SET_WRITEBACK | + page_error_op | + PAGE_END_WRITEBACK); +- btrfs_free_reserved_data_space_noquota(inode, start, +- end - start + 1); ++ if (ret == 0) ++ btrfs_free_reserved_data_space_noquota(inode, ++ start, ++ end - start + 1); + goto free_pages_out; + } + } diff --git a/queue-4.9/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch b/queue-4.9/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch new file mode 100644 index 00000000000..79fed8d4cd2 --- /dev/null +++ b/queue-4.9/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch @@ -0,0 +1,87 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Filipe Manana +Date: Tue, 4 Apr 2017 20:31:00 +0100 +Subject: Btrfs: send, fix file hole not being preserved due to inline extent + +From: Filipe Manana + + +[ Upstream commit e1cbfd7bf6dabdac561c75d08357571f44040a45 ] + +Normally we don't have inline extents followed by regular extents, but +there's currently at least one harmless case where this happens. For +example, when the page size is 4Kb and compression is enabled: + + $ mkfs.btrfs -f /dev/sdb + $ mount -o compress /dev/sdb /mnt + $ xfs_io -f -c "pwrite -S 0xaa 0 4K" -c "fsync" /mnt/foobar + $ xfs_io -c "pwrite -S 0xbb 8K 4K" -c "fsync" /mnt/foobar + +In this case we get a compressed inline extent, representing 4Kb of +data, followed by a hole extent and then a regular data extent. The +inline extent was not expanded/converted to a regular extent exactly +because it represents 4Kb of data. This does not cause any apparent +problem (such as the issue solved by commit e1699d2d7bf6 +("btrfs: add missing memset while reading compressed inline extents")) +except trigger an unexpected case in the incremental send code path +that makes us issue an operation to write a hole when it's not needed, +resulting in more writes at the receiver and wasting space at the +receiver. + +So teach the incremental send code to deal with this particular case. + +The issue can be currently triggered by running fstests btrfs/137 with +compression enabled (MOUNT_OPTIONS="-o compress" ./check btrfs/137). + +Signed-off-by: Filipe Manana +Reviewed-by: Liu Bo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -5156,13 +5156,19 @@ static int is_extent_unchanged(struct se + while (key.offset < ekey->offset + left_len) { + ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item); + right_type = btrfs_file_extent_type(eb, ei); +- if (right_type != BTRFS_FILE_EXTENT_REG) { ++ if (right_type != BTRFS_FILE_EXTENT_REG && ++ right_type != BTRFS_FILE_EXTENT_INLINE) { + ret = 0; + goto out; + } + + right_disknr = btrfs_file_extent_disk_bytenr(eb, ei); +- right_len = btrfs_file_extent_num_bytes(eb, ei); ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ right_len = btrfs_file_extent_inline_len(eb, slot, ei); ++ right_len = PAGE_ALIGN(right_len); ++ } else { ++ right_len = btrfs_file_extent_num_bytes(eb, ei); ++ } + right_offset = btrfs_file_extent_offset(eb, ei); + right_gen = btrfs_file_extent_generation(eb, ei); + +@@ -5176,6 +5182,19 @@ static int is_extent_unchanged(struct se + goto out; + } + ++ /* ++ * We just wanted to see if when we have an inline extent, what ++ * follows it is a regular extent (wanted to check the above ++ * condition for inline extents too). This should normally not ++ * happen but it's possible for example when we have an inline ++ * compressed extent representing data with a size matching ++ * the page size (currently the same as sector size). ++ */ ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ ret = 0; ++ goto out; ++ } ++ + left_offset_fixed = left_offset; + if (key.offset < ekey->offset) { + /* Fix the right offset for 2a and 7. */ diff --git a/queue-4.9/cifs-small-underflow-in-cnvrtdosunixtm.patch b/queue-4.9/cifs-small-underflow-in-cnvrtdosunixtm.patch new file mode 100644 index 00000000000..d7155b1c7bc --- /dev/null +++ b/queue-4.9/cifs-small-underflow-in-cnvrtdosunixtm.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Dan Carpenter +Date: Mon, 1 May 2017 21:43:43 +0300 +Subject: cifs: small underflow in cnvrtDosUnixTm() + +From: Dan Carpenter + + +[ Upstream commit 564277eceeca01e02b1ef3e141cfb939184601b4 ] + +January is month 1. There is no zero-th month. If someone passes a +zero month then it means we read from one space before the start of the +total_days_of_prev_months[] array. + +We may as well also be strict about days as well. + +Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/netmisc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/cifs/netmisc.c ++++ b/fs/cifs/netmisc.c +@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le + cifs_dbg(VFS, "illegal hours %d\n", st->Hours); + days = sd->Day; + month = sd->Month; +- if ((days > 31) || (month > 12)) { ++ if (days < 1 || days > 31 || month < 1 || month > 12) { + cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days); +- if (month > 12) +- month = 12; ++ days = clamp(days, 1, 31); ++ month = clamp(month, 1, 12); + } + month -= 1; + days += total_days_of_prev_months[month]; diff --git a/queue-4.9/clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch b/queue-4.9/clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch new file mode 100644 index 00000000000..c571101209a --- /dev/null +++ b/queue-4.9/clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch @@ -0,0 +1,73 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Lars-Peter Clausen +Date: Tue, 5 Sep 2017 11:32:40 +0200 +Subject: clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() + +From: Lars-Peter Clausen + + +[ Upstream commit 063578dc5f407f67d149133818efabe457daafda ] + +If the nocount bit is set the divider is bypassed and the settings for the +divider count should be ignored and a divider value of 1 should be assumed. +Handle this correctly in the driver recalc_rate() callback. + +While the driver sets up the part so that the read back dividers values +yield the correct result the power-on reset settings of the part might not +reflect this and hence calling e.g. clk_get_rate() without prior calls to +clk_set_rate() will yield the wrong result. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-axi-clkgen.c | 29 ++++++++++++++++++++++++----- + 1 file changed, 24 insertions(+), 5 deletions(-) + +--- a/drivers/clk/clk-axi-clkgen.c ++++ b/drivers/clk/clk-axi-clkgen.c +@@ -40,6 +40,10 @@ + #define MMCM_REG_FILTER1 0x4e + #define MMCM_REG_FILTER2 0x4f + ++#define MMCM_CLKOUT_NOCOUNT BIT(6) ++ ++#define MMCM_CLK_DIV_NOCOUNT BIT(12) ++ + struct axi_clkgen { + void __iomem *base; + struct clk_hw clk_hw; +@@ -315,12 +319,27 @@ static unsigned long axi_clkgen_recalc_r + unsigned int reg; + unsigned long long tmp; + +- axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, ®); +- dout = (reg & 0x3f) + ((reg >> 6) & 0x3f); ++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_2, ®); ++ if (reg & MMCM_CLKOUT_NOCOUNT) { ++ dout = 1; ++ } else { ++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, ®); ++ dout = (reg & 0x3f) + ((reg >> 6) & 0x3f); ++ } ++ + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_DIV, ®); +- d = (reg & 0x3f) + ((reg >> 6) & 0x3f); +- axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, ®); +- m = (reg & 0x3f) + ((reg >> 6) & 0x3f); ++ if (reg & MMCM_CLK_DIV_NOCOUNT) ++ d = 1; ++ else ++ d = (reg & 0x3f) + ((reg >> 6) & 0x3f); ++ ++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB2, ®); ++ if (reg & MMCM_CLKOUT_NOCOUNT) { ++ m = 1; ++ } else { ++ axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, ®); ++ m = (reg & 0x3f) + ((reg >> 6) & 0x3f); ++ } + + if (d == 0 || dout == 0) + return 0; diff --git a/queue-4.9/clk-don-t-touch-hardware-when-reparenting-during-registration.patch b/queue-4.9/clk-don-t-touch-hardware-when-reparenting-during-registration.patch new file mode 100644 index 00000000000..9e7e86fb578 --- /dev/null +++ b/queue-4.9/clk-don-t-touch-hardware-when-reparenting-during-registration.patch @@ -0,0 +1,107 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Stephen Boyd +Date: Thu, 2 Nov 2017 00:36:09 -0700 +Subject: clk: Don't touch hardware when reparenting during registration + +From: Stephen Boyd + + +[ Upstream commit f8f8f1d04494d3a6546bee3f0618c4dba31d7b72 ] + +The orphan clocks reparent operation shouldn't touch the hardware +if clocks are enabled, otherwise it may get a chance to disable a +newly registered critical clock which triggers the warning below. + +Assuming we have two clocks: A and B, B is the parent of A. +Clock A has flag: CLK_OPS_PARENT_ENABLE +Clock B has flag: CLK_IS_CRITICAL + +Step 1: +Clock A is registered, then it becomes orphan. + +Step 2: +Clock B is registered. Before clock B reach the critical clock enable +operation, orphan A will find the newly registered parent B and do +reparent operation, then parent B will be finally disabled in +__clk_set_parent_after() due to CLK_OPS_PARENT_ENABLE flag as there's +still no users of B which will then trigger the following warning. + +WARNING: CPU: 0 PID: 0 at drivers/clk/clk.c:597 clk_core_disable+0xb4/0xe0 +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-00056-gdff1f66-dirty #1373 +Hardware name: Generic DT based system +Backtrace: +[] (dump_backtrace) from [] (show_stack+0x18/0x1c) + r6:600000d3 r5:00000000 r4:c0e26358 r3:00000000 +[] (show_stack) from [] (dump_stack+0xb4/0xe8) +[] (dump_stack) from [] (__warn+0xd8/0x104) + r10:c0c21cd0 r9:c048aa78 r8:00000255 r7:00000009 r6:c0c1cd90 r5:00000000 + r4:00000000 r3:c0e01d34 +[] (__warn) from [] (warn_slowpath_null+0x28/0x30) + r9:00000000 r8:ef00bf80 r7:c165ac4c r6:ef00bf80 r5:ef00bf80 r4:ef00bf80 +[] (warn_slowpath_null) from [] (clk_core_disable+0xb4/0xe0) +[] (clk_core_disable) from [] (clk_core_disable_lock+0x20/0x2c) + r4:000000d3 r3:c0e0af00 +[] (clk_core_disable_lock) from [] (clk_core_disable_unprepare+0x14/0x28) + r5:00000000 r4:ef00bf80 +[] (clk_core_disable_unprepare) from [] (__clk_set_parent_after+0x38/0x54) + r4:ef00bd80 r3:000010a0 +[] (__clk_set_parent_after) from [] (clk_register+0x4d0/0x648) + r6:ef00d500 r5:ef00bf80 r4:ef00bd80 r3:ef00bfd4 +[] (clk_register) from [] (clk_hw_register+0x10/0x1c) + r9:00000000 r8:00000003 r7:00000000 r6:00000824 r5:00000001 r4:ef00d500 +[] (clk_hw_register) from [] (_register_divider+0xcc/0x120) +[] (_register_divider) from [] (clk_register_divider+0x44/0x54) + r10:00000004 r9:00000003 r8:00000001 r7:00000000 r6:00000003 r5:00000001 + r4:f0810030 +[] (clk_register_divider) from [] (imx7ulp_clocks_init+0x558/0xe98) + r7:c0e296f8 r6:c165c808 r5:00000000 r4:c165c808 +[] (imx7ulp_clocks_init) from [] (of_clk_init+0x118/0x1e0) + r10:00000001 r9:c0e01f68 r8:00000000 r7:c0e01f60 r6:ef7f8974 r5:ef0035c0 + r4:00000006 +[] (of_clk_init) from [] (time_init+0x2c/0x38) + r10:efffed40 r9:c0d61a48 r8:c0e78000 r7:c0e07900 r6:ffffffff r5:c0e78000 + r4:00000000 +[] (time_init) from [] (start_kernel+0x218/0x394) +[] (start_kernel) from [<6000807c>] (0x6000807c) + r10:00000000 r9:410fc075 r8:6000406a r7:c0e0c930 r6:c0d61a44 r5:c0e07918 + r4:c0e78294 + +We know that the clk isn't enabled with any sort of prepare_count +here so we don't need to enable anything to prevent a race. And +we're holding the prepare mutex so set_rate/set_parent can't race +here either. Based on an earlier patch by Dong Aisheng. + +Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)") +Cc: Michael Turquette +Cc: Shawn Guo +Reported-by: Dong Aisheng +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -2443,14 +2443,17 @@ static int __clk_core_init(struct clk_co + */ + hlist_for_each_entry_safe(orphan, tmp2, &clk_orphan_list, child_node) { + struct clk_core *parent = __clk_init_parent(orphan); ++ unsigned long flags; + + /* + * we could call __clk_set_parent, but that would result in a + * redundant call to the .set_rate op, if it exists + */ + if (parent) { +- __clk_set_parent_before(orphan, parent); +- __clk_set_parent_after(orphan, parent, NULL); ++ /* update the clk tree topology */ ++ flags = clk_enable_lock(); ++ clk_reparent(orphan, parent); ++ clk_enable_unlock(flags); + __clk_recalc_accuracies(orphan); + __clk_recalc_rates(orphan, 0); + } diff --git a/queue-4.9/clk-ns2-correct-sdio-bits.patch b/queue-4.9/clk-ns2-correct-sdio-bits.patch new file mode 100644 index 00000000000..683a606d4d8 --- /dev/null +++ b/queue-4.9/clk-ns2-correct-sdio-bits.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Bharat Kumar Reddy Gooty +Date: Mon, 20 Mar 2017 18:12:14 -0400 +Subject: clk: ns2: Correct SDIO bits + +From: Bharat Kumar Reddy Gooty + + +[ Upstream commit 8973aa4aecac223548366ca81818309a0f0efa6d ] + +Corrected the bits for power and iso. + +Signed-off-by: Bharat Kumar Reddy Gooty +Signed-off-by: Jon Mason +Fixes: f7225a83 ("clk: ns2: add clock support for Broadcom Northstar 2 SoC") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/bcm/clk-ns2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/bcm/clk-ns2.c ++++ b/drivers/clk/bcm/clk-ns2.c +@@ -103,7 +103,7 @@ CLK_OF_DECLARE(ns2_genpll_src_clk, "brcm + + static const struct iproc_pll_ctrl genpll_sw = { + .flags = IPROC_CLK_AON | IPROC_CLK_PLL_SPLIT_STAT_CTRL, +- .aon = AON_VAL(0x0, 2, 9, 8), ++ .aon = AON_VAL(0x0, 1, 11, 10), + .reset = RESET_VAL(0x4, 2, 1), + .dig_filter = DF_VAL(0x0, 9, 3, 5, 4, 2, 3), + .ndiv_int = REG_VAL(0x8, 4, 10), diff --git a/queue-4.9/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch b/queue-4.9/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch new file mode 100644 index 00000000000..d349fb9fb8f --- /dev/null +++ b/queue-4.9/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Sergej Sawazki +Date: Tue, 25 Jul 2017 23:21:02 +0200 +Subject: clk: si5351: Rename internal plls to avoid name collisions + +From: Sergej Sawazki + + +[ Upstream commit cdba9a4fb0b53703959ac861e415816cb61aded4 ] + +This drivers probe fails due to a clock name collision if a clock named +'plla' or 'pllb' is already registered when registering this drivers +internal plls. + +Fix it by renaming internal plls to avoid name collisions. + +Cc: Sebastian Hesselbarth +Cc: Rabeeh Khoury +Signed-off-by: Sergej Sawazki +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-si5351.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/clk-si5351.c ++++ b/drivers/clk/clk-si5351.c +@@ -72,7 +72,7 @@ static const char * const si5351_input_n + "xtal", "clkin" + }; + static const char * const si5351_pll_names[] = { +- "plla", "pllb", "vxco" ++ "si5351_plla", "si5351_pllb", "si5351_vxco" + }; + static const char * const si5351_msynth_names[] = { + "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7" diff --git a/queue-4.9/coresight-fix-disabling-of-coresight-tpiu.patch b/queue-4.9/coresight-fix-disabling-of-coresight-tpiu.patch new file mode 100644 index 00000000000..356ad40e339 --- /dev/null +++ b/queue-4.9/coresight-fix-disabling-of-coresight-tpiu.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Robert Walker +Date: Mon, 18 Dec 2017 11:05:44 -0700 +Subject: coresight: Fix disabling of CoreSight TPIU + +From: Robert Walker + + +[ Upstream commit 11595db8e17faaa05fadc25746c870e31276962f ] + +The CoreSight TPIU should be disabled when tracing to other sinks to allow +them to operate at full bandwidth. + +This patch fixes tpiu_disable_hw() to correctly disable the TPIU by +configuring the TPIU to stop on flush, initiating a manual flush, waiting +for the flush to complete and then waits for the TPIU to indicate it has +stopped. + +Signed-off-by: Robert Walker +Tested-by: Mike Leach +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-tpiu.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-tpiu.c ++++ b/drivers/hwtracing/coresight/coresight-tpiu.c +@@ -46,8 +46,11 @@ + #define TPIU_ITATBCTR0 0xef8 + + /** register definition **/ ++/* FFSR - 0x300 */ ++#define FFSR_FT_STOPPED BIT(1) + /* FFCR - 0x304 */ + #define FFCR_FON_MAN BIT(6) ++#define FFCR_STOP_FI BIT(12) + + /** + * @base: memory mapped base address for this component. +@@ -85,10 +88,14 @@ static void tpiu_disable_hw(struct tpiu_ + { + CS_UNLOCK(drvdata->base); + +- /* Clear formatter controle reg. */ +- writel_relaxed(0x0, drvdata->base + TPIU_FFCR); ++ /* Clear formatter and stop on flush */ ++ writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR); + /* Generate manual flush */ +- writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR); ++ writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR); ++ /* Wait for flush to complete */ ++ coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0); ++ /* Wait for formatter to stop */ ++ coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1); + + CS_LOCK(drvdata->base); + } diff --git a/queue-4.9/cpufreq-sh-replace-racy-task-affinity-logic.patch b/queue-4.9/cpufreq-sh-replace-racy-task-affinity-logic.patch new file mode 100644 index 00000000000..cca16db8f2f --- /dev/null +++ b/queue-4.9/cpufreq-sh-replace-racy-task-affinity-logic.patch @@ -0,0 +1,127 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Thomas Gleixner +Date: Wed, 12 Apr 2017 22:07:36 +0200 +Subject: cpufreq/sh: Replace racy task affinity logic + +From: Thomas Gleixner + + +[ Upstream commit 205dcc1ecbc566cbc20acf246e68de3b080b3ecf ] + +The target() callback must run on the affected cpu. This is achieved by +temporarily setting the affinity of the calling thread to the requested CPU +and reset it to the original affinity afterwards. + +That's racy vs. concurrent affinity settings for that thread resulting in +code executing on the wrong CPU. + +Replace it by work_on_cpu(). All call pathes which invoke the callbacks are +already protected against CPU hotplug. + +Signed-off-by: Thomas Gleixner +Acked-by: Viresh Kumar +Cc: Fenghua Yu +Cc: Tony Luck +Cc: Herbert Xu +Cc: "Rafael J. Wysocki" +Cc: Peter Zijlstra +Cc: Benjamin Herrenschmidt +Cc: Sebastian Siewior +Cc: linux-pm@vger.kernel.org +Cc: Lai Jiangshan +Cc: Michael Ellerman +Cc: Tejun Heo +Cc: "David S. Miller" +Cc: Len Brown +Link: http://lkml.kernel.org/r/20170412201042.958216363@linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/sh-cpufreq.c | 45 +++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 18 deletions(-) + +--- a/drivers/cpufreq/sh-cpufreq.c ++++ b/drivers/cpufreq/sh-cpufreq.c +@@ -30,54 +30,63 @@ + + static DEFINE_PER_CPU(struct clk, sh_cpuclk); + ++struct cpufreq_target { ++ struct cpufreq_policy *policy; ++ unsigned int freq; ++}; ++ + static unsigned int sh_cpufreq_get(unsigned int cpu) + { + return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000; + } + +-/* +- * Here we notify other drivers of the proposed change and the final change. +- */ +-static int sh_cpufreq_target(struct cpufreq_policy *policy, +- unsigned int target_freq, +- unsigned int relation) ++static long __sh_cpufreq_target(void *arg) + { +- unsigned int cpu = policy->cpu; ++ struct cpufreq_target *target = arg; ++ struct cpufreq_policy *policy = target->policy; ++ int cpu = policy->cpu; + struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu); +- cpumask_t cpus_allowed; + struct cpufreq_freqs freqs; + struct device *dev; + long freq; + +- cpus_allowed = current->cpus_allowed; +- set_cpus_allowed_ptr(current, cpumask_of(cpu)); +- +- BUG_ON(smp_processor_id() != cpu); ++ if (smp_processor_id() != cpu) ++ return -ENODEV; + + dev = get_cpu_device(cpu); + + /* Convert target_freq from kHz to Hz */ +- freq = clk_round_rate(cpuclk, target_freq * 1000); ++ freq = clk_round_rate(cpuclk, target->freq * 1000); + + if (freq < (policy->min * 1000) || freq > (policy->max * 1000)) + return -EINVAL; + +- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000); ++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000); + + freqs.old = sh_cpufreq_get(cpu); + freqs.new = (freq + 500) / 1000; + freqs.flags = 0; + +- cpufreq_freq_transition_begin(policy, &freqs); +- set_cpus_allowed_ptr(current, &cpus_allowed); ++ cpufreq_freq_transition_begin(target->policy, &freqs); + clk_set_rate(cpuclk, freq); +- cpufreq_freq_transition_end(policy, &freqs, 0); ++ cpufreq_freq_transition_end(target->policy, &freqs, 0); + + dev_dbg(dev, "set frequency %lu Hz\n", freq); +- + return 0; + } + ++/* ++ * Here we notify other drivers of the proposed change and the final change. ++ */ ++static int sh_cpufreq_target(struct cpufreq_policy *policy, ++ unsigned int target_freq, ++ unsigned int relation) ++{ ++ struct cpufreq_target data = { .policy = policy, .freq = target_freq }; ++ ++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data); ++} ++ + static int sh_cpufreq_verify(struct cpufreq_policy *policy) + { + struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu); diff --git a/queue-4.9/cros_ec-fix-nul-termination-for-firmware-build-info.patch b/queue-4.9/cros_ec-fix-nul-termination-for-firmware-build-info.patch new file mode 100644 index 00000000000..f0c24856e91 --- /dev/null +++ b/queue-4.9/cros_ec-fix-nul-termination-for-firmware-build-info.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Arnd Bergmann +Date: Mon, 4 Dec 2017 15:49:48 +0100 +Subject: cros_ec: fix nul-termination for firmware build info + +From: Arnd Bergmann + + +[ Upstream commit 50a0d71a5d20e1d3eff1d974fdc8559ad6d74892 ] + +As gcc-8 reports, we zero out the wrong byte: + +drivers/platform/chrome/cros_ec_sysfs.c: In function 'show_ec_version': +drivers/platform/chrome/cros_ec_sysfs.c:190:12: error: array subscript 4294967295 is above array bounds of 'uint8_t[]' [-Werror=array-bounds] + +This changes the code back to what it did before changing to a +zero-length array structure. + +Fixes: a841178445bb ("mfd: cros_ec: Use a zero-length array for command data") +Signed-off-by: Arnd Bergmann +Signed-off-by: Benson Leung +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/platform/chrome/cros_ec_sysfs.c ++++ b/drivers/platform/chrome/cros_ec_sysfs.c +@@ -187,7 +187,7 @@ static ssize_t show_ec_version(struct de + count += scnprintf(buf + count, PAGE_SIZE - count, + "Build info: EC error %d\n", msg->result); + else { +- msg->data[sizeof(msg->data) - 1] = '\0'; ++ msg->data[EC_HOST_PARAM_SIZE - 1] = '\0'; + count += scnprintf(buf + count, PAGE_SIZE - count, + "Build info: %s\n", msg->data); + } diff --git a/queue-4.9/dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch b/queue-4.9/dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch new file mode 100644 index 00000000000..4dce67db09e --- /dev/null +++ b/queue-4.9/dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch @@ -0,0 +1,137 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: NeilBrown +Date: Wed, 6 Sep 2017 09:43:28 +1000 +Subject: dm: ensure bio submission follows a depth-first tree walk + +From: NeilBrown + + +[ Upstream commit 18a25da84354c6bb655320de6072c00eda6eb602 ] + +A dm device can, in general, represent a tree of targets, each of which +handles a sub-range of the range of blocks handled by the parent. + +The bio sequencing managed by generic_make_request() requires that bios +are generated and handled in a depth-first manner. Each call to a +make_request_fn() may submit bios to a single member device, and may +submit bios for a reduced region of the same device as the +make_request_fn. + +In particular, any bios submitted to member devices must be expected to +be processed in order, so a later one must never wait for an earlier +one. + +This ordering is usually achieved by using bio_split() to reduce a bio +to a size that can be completely handled by one target, and resubmitting +the remainder to the originating device. bio_queue_split() shows the +canonical approach. + +dm doesn't follow this approach, largely because it has needed to split +bios since long before bio_split() was available. It currently can +submit bios to separate targets within the one dm_make_request() call. +Dependencies between these targets, as can happen with dm-snap, can +cause deadlocks if either bios gets stuck behind the other in the queues +managed by generic_make_request(). This requires the 'rescue' +functionality provided by dm_offload_{start,end}. + +Some of this requirement can be removed by changing the order of bio +submission to follow the canonical approach. That is, if dm finds that +it needs to split a bio, the remainder should be sent to +generic_make_request() rather than being handled immediately. This +delays the handling until the first part is completely processed, so the +deadlock problems do not occur. + +__split_and_process_bio() can be called both from dm_make_request() and +from dm_wq_work(). When called from dm_wq_work() the current approach +is perfectly satisfactory as each bio will be processed immediately. +When called from dm_make_request(), current->bio_list will be non-NULL, +and in this case it is best to create a separate "clone" bio for the +remainder. + +When we use bio_clone_bioset() to split off the front part of a bio +and chain the two together and submit the remainder to +generic_make_request(), it is important that the newly allocated +bio is used as the head to be processed immediately, and the original +bio gets "bio_advance()"d and sent to generic_make_request() as the +remainder. Otherwise, if the newly allocated bio is used as the +remainder, and if it then needs to be split again, then the next +bio_clone_bioset() call will be made while holding a reference a bio +(result of the first clone) from the same bioset. This can potentially +exhaust the bioset mempool and result in a memory allocation deadlock. + +Note that there is no race caused by reassigning cio.io->bio after already +calling __map_bio(). This bio will only be dereferenced again after +dec_pending() has found io->io_count to be zero, and this cannot happen +before the dec_pending() call at the end of __split_and_process_bio(). + +To provide the clone bio when splitting, we use q->bio_split. This +was previously being freed by bio-based dm to avoid having excess +rescuer threads. As bio_split bio sets no longer create rescuer +threads, there is little cost and much gain from restoring the +q->bio_split bio set. + +Signed-off-by: NeilBrown +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm.c | 33 ++++++++++++++++++++++++--------- + 1 file changed, 24 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -1320,8 +1320,29 @@ static void __split_and_process_bio(stru + } else { + ci.bio = bio; + ci.sector_count = bio_sectors(bio); +- while (ci.sector_count && !error) ++ while (ci.sector_count && !error) { + error = __split_and_process_non_flush(&ci); ++ if (current->bio_list && ci.sector_count && !error) { ++ /* ++ * Remainder must be passed to generic_make_request() ++ * so that it gets handled *after* bios already submitted ++ * have been completely processed. ++ * We take a clone of the original to store in ++ * ci.io->bio to be used by end_io_acct() and ++ * for dec_pending to use for completion handling. ++ * As this path is not used for REQ_OP_ZONE_REPORT, ++ * the usage of io->bio in dm_remap_zone_report() ++ * won't be affected by this reassignment. ++ */ ++ struct bio *b = bio_clone_bioset(bio, GFP_NOIO, ++ md->queue->bio_split); ++ ci.io->bio = b; ++ bio_advance(bio, (bio_sectors(bio) - ci.sector_count) << 9); ++ bio_chain(b, bio); ++ generic_make_request(bio); ++ break; ++ } ++ } + } + + /* drop the extra reference count */ +@@ -1332,8 +1353,8 @@ static void __split_and_process_bio(stru + *---------------------------------------------------------------*/ + + /* +- * The request function that just remaps the bio built up by +- * dm_merge_bvec. ++ * The request function that remaps the bio to one target and ++ * splits off any remainder. + */ + static blk_qc_t dm_make_request(struct request_queue *q, struct bio *bio) + { +@@ -1854,12 +1875,6 @@ int dm_setup_md_queue(struct mapped_devi + case DM_TYPE_DAX_BIO_BASED: + dm_init_normal_md_queue(md); + blk_queue_make_request(md->queue, dm_make_request); +- /* +- * DM handles splitting bios as needed. Free the bio_split bioset +- * since it won't be used (saves 1 process per bio-based DM device). +- */ +- bioset_free(md->queue->bio_split); +- md->queue->bio_split = NULL; + + if (type == DM_TYPE_DAX_BIO_BASED) + queue_flag_set_unlocked(QUEUE_FLAG_DAX, md->queue); diff --git a/queue-4.9/dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch b/queue-4.9/dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch new file mode 100644 index 00000000000..1656da3f946 --- /dev/null +++ b/queue-4.9/dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Vignesh R +Date: Tue, 19 Dec 2017 12:51:16 +0200 +Subject: dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 + +From: Vignesh R + + +[ Upstream commit d087f15786021a9605b20f4c678312510be4cac1 ] + +Register layout of a typical TPCC_EVT_MUX_M_N register is such that the +lowest numbered event is at the lowest byte address and highest numbered +event at highest byte address. But TPCC_EVT_MUX_60_63 register layout is +different, in that the lowest numbered event is at the highest address +and highest numbered event is at the lowest address. Therefore, modify +ti_am335x_xbar_write() to handle TPCC_EVT_MUX_60_63 register +accordingly. + +Signed-off-by: Vignesh R +Signed-off-by: Peter Ujfalusi +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/ti-dma-crossbar.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/dma/ti-dma-crossbar.c ++++ b/drivers/dma/ti-dma-crossbar.c +@@ -54,7 +54,15 @@ struct ti_am335x_xbar_map { + + static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val) + { +- writeb_relaxed(val, iomem + event); ++ /* ++ * TPCC_EVT_MUX_60_63 register layout is different than the ++ * rest, in the sense, that event 63 is mapped to lowest byte ++ * and event 60 is mapped to highest, handle it separately. ++ */ ++ if (event >= 60 && event <= 63) ++ writeb_relaxed(val, iomem + (63 - event % 4)); ++ else ++ writeb_relaxed(val, iomem + event); + } + + static void ti_am335x_xbar_free(struct device *dev, void *route_data) diff --git a/queue-4.9/dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch b/queue-4.9/dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch new file mode 100644 index 00000000000..67febffec01 --- /dev/null +++ b/queue-4.9/dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Kedareswara rao Appana +Date: Thu, 7 Dec 2017 10:54:28 +0530 +Subject: dmaengine: zynqmp_dma: Fix race condition in the probe + +From: Kedareswara rao Appana + + +[ Upstream commit 5ba080aada5e739165e0f38d5cc3b04c82b323c8 ] + +Incase of interrupt property is not present, +Driver is trying to free an invalid irq, +This patch fixes it by adding a check before freeing the irq. + +Signed-off-by: Kedareswara rao Appana +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/xilinx/zynqmp_dma.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -933,7 +933,8 @@ static void zynqmp_dma_chan_remove(struc + if (!chan) + return; + +- devm_free_irq(chan->zdev->dev, chan->irq, chan); ++ if (chan->irq) ++ devm_free_irq(chan->zdev->dev, chan->irq, chan); + tasklet_kill(&chan->tasklet); + list_del(&chan->common.device_node); + clk_disable_unprepare(chan->clk_apb); diff --git a/queue-4.9/drm-amdgpu-fix-gpu-reset-crash.patch b/queue-4.9/drm-amdgpu-fix-gpu-reset-crash.patch new file mode 100644 index 00000000000..1317fcf2633 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-gpu-reset-crash.patch @@ -0,0 +1,98 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Chunming Zhou +Date: Mon, 24 Apr 2017 17:09:15 +0800 +Subject: drm/amdgpu: fix gpu reset crash + +From: Chunming Zhou + + +[ Upstream commit 51687759be93fbc553f2727e86be25c38126ba93 ] + +[ 413.687439] BUG: unable to handle kernel NULL pointer dereference at 0000000000000548 +[ 413.687479] IP: [] to_live_kthread+0x5/0x60 +[ 413.687507] PGD 1efd12067 +[ 413.687519] PUD 1efd11067 +[ 413.687531] PMD 0 + +[ 413.687543] Oops: 0000 [#1] SMP +[ 413.687557] Modules linked in: amdgpu(OE) ttm(OE) drm_kms_helper(E) drm(E) i2c_algo_bit(E) fb_sys_fops(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) rpcsec_gss_krb5(E) nfsv4(E) nfs(E) fscache(E) snd_hda_codec_realtek(E) snd_hda_codec_generic(E) snd_hda_codec_hdmi(E) snd_hda_intel(E) eeepc_wmi(E) snd_hda_codec(E) asus_wmi(E) snd_hda_core(E) sparse_keymap(E) snd_hwdep(E) video(E) snd_pcm(E) snd_seq_midi(E) joydev(E) snd_seq_midi_event(E) snd_rawmidi(E) snd_seq(E) snd_seq_device(E) snd_timer(E) kvm(E) irqbypass(E) crct10dif_pclmul(E) snd(E) crc32_pclmul(E) ghash_clmulni_intel(E) soundcore(E) aesni_intel(E) aes_x86_64(E) lrw(E) gf128mul(E) glue_helper(E) ablk_helper(E) cryptd(E) shpchp(E) serio_raw(E) i2c_piix4(E) 8250_dw(E) i2c_designware_platform(E) i2c_designware_core(E) mac_hid(E) binfmt_misc(E) +[ 413.687894] parport_pc(E) ppdev(E) lp(E) parport(E) nfsd(E) auth_rpcgss(E) nfs_acl(E) lockd(E) grace(E) sunrpc(E) autofs4(E) hid_generic(E) usbhid(E) hid(E) psmouse(E) ahci(E) r8169(E) mii(E) libahci(E) wmi(E) +[ 413.687989] CPU: 13 PID: 1134 Comm: kworker/13:2 Tainted: G OE 4.9.0-custom #4 +[ 413.688019] Hardware name: System manufacturer System Product Name/PRIME B350-PLUS, BIOS 0606 04/06/2017 +[ 413.688089] Workqueue: events amd_sched_job_timedout [amdgpu] +[ 413.688116] task: ffff88020f9657c0 task.stack: ffffc90001a88000 +[ 413.688139] RIP: 0010:[] [] to_live_kthread+0x5/0x60 +[ 413.688171] RSP: 0018:ffffc90001a8bd60 EFLAGS: 00010282 +[ 413.688191] RAX: ffff88020f0073f8 RBX: ffff88020f000000 RCX: 0000000000000000 +[ 413.688217] RDX: 0000000000000001 RSI: ffff88020f9670c0 RDI: 0000000000000000 +[ 413.688243] RBP: ffffc90001a8bd78 R08: 0000000000000000 R09: 0000000000001000 +[ 413.688269] R10: 0000006051b11a82 R11: 0000000000000001 R12: 0000000000000000 +[ 413.688295] R13: ffff88020f002770 R14: ffff88020f004838 R15: ffff8801b23c2c60 +[ 413.688321] FS: 0000000000000000(0000) GS:ffff88021ef40000(0000) knlGS:0000000000000000 +[ 413.688352] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 413.688373] CR2: 0000000000000548 CR3: 00000001efd0f000 CR4: 00000000003406e0 +[ 413.688399] Stack: +[ 413.688407] ffffffff8109b304 ffff88020f000000 0000000000000070 ffffc90001a8bdf0 +[ 413.688439] ffffffffa05ce29d ffffffffa052feb7 ffffffffa07b5820 ffffc90001a8bda0 +[ 413.688470] ffffffff00000018 ffff8801bb88f060 0000000001a8bdb8 ffff88021ef59280 +[ 413.688502] Call Trace: +[ 413.688514] [] ? kthread_park+0x14/0x60 +[ 413.688555] [] amdgpu_gpu_reset+0x7d/0x670 [amdgpu] +[ 413.688589] [] ? drm_printk+0x97/0xa0 [drm] +[ 413.688643] [] amdgpu_job_timedout+0x46/0x50 [amdgpu] +[ 413.688700] [] amd_sched_job_timedout+0x17/0x20 [amdgpu] +[ 413.688727] [] process_one_work+0x153/0x3f0 +[ 413.688751] [] worker_thread+0x12b/0x4b0 +[ 413.688773] [] ? do_syscall_64+0x6e/0x180 +[ 413.688795] [] ? rescuer_thread+0x350/0x350 +[ 413.688818] [] ? do_syscall_64+0x6e/0x180 +[ 413.688839] [] kthread+0xd3/0xf0 +[ 413.688858] [] ? kthread_park+0x60/0x60 +[ 413.688881] [] ret_from_fork+0x25/0x30 +[ 413.688901] Code: 25 40 d3 00 00 48 8b 80 48 05 00 00 48 89 e5 5d 48 8b 40 c8 48 c1 e8 02 83 e0 01 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <48> 8b b7 48 05 00 00 55 48 89 e5 48 85 f6 74 31 8b 97 f8 18 00 +[ 413.689045] RIP [] to_live_kthread+0x5/0x60 +[ 413.689064] RSP +[ 413.689076] CR2: 0000000000000548 +[ 413.697985] ---[ end trace 0a314a64821f84e9 ]--- + +The root cause is some ring doesn't have scheduler, like KIQ ring + +Reviewed-by: Christian König +Signed-off-by: Chunming Zhou +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c +@@ -2237,7 +2237,7 @@ int amdgpu_gpu_reset(struct amdgpu_devic + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; + +- if (!ring) ++ if (!ring || !ring->sched.thread) + continue; + kthread_park(ring->sched.thread); + amd_sched_hw_job_reset(&ring->sched); +@@ -2326,7 +2326,8 @@ retry: + } + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { + struct amdgpu_ring *ring = adev->rings[i]; +- if (!ring) ++ ++ if (!ring || !ring->sched.thread) + continue; + + amd_sched_job_recovery(&ring->sched); +@@ -2335,7 +2336,7 @@ retry: + } else { + dev_err(adev->dev, "asic resume failed (%d).\n", r); + for (i = 0; i < AMDGPU_MAX_RINGS; ++i) { +- if (adev->rings[i]) { ++ if (adev->rings[i] && adev->rings[i]->sched.thread) { + kthread_unpark(adev->rings[i]->sched.thread); + } + } diff --git a/queue-4.9/drm-msm-fix-leak-in-failed-get_pages.patch b/queue-4.9/drm-msm-fix-leak-in-failed-get_pages.patch new file mode 100644 index 00000000000..300ccf8e5ae --- /dev/null +++ b/queue-4.9/drm-msm-fix-leak-in-failed-get_pages.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Prakash Kamliya +Date: Mon, 4 Dec 2017 19:10:15 +0530 +Subject: drm/msm: fix leak in failed get_pages + +From: Prakash Kamliya + + +[ Upstream commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb ] + +get_pages doesn't keep a reference of the pages allocated +when it fails later in the code path. This can lead to +a memory leak. Keep reference of the allocated pages so +that it can be freed when msm_gem_free_object gets called +later during cleanup. + +Signed-off-by: Prakash Kamliya +Signed-off-by: Sharat Masetty +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -91,14 +91,17 @@ static struct page **get_pages(struct dr + return p; + } + ++ msm_obj->pages = p; ++ + msm_obj->sgt = drm_prime_pages_to_sg(p, npages); + if (IS_ERR(msm_obj->sgt)) { ++ void *ptr = ERR_CAST(msm_obj->sgt); ++ + dev_err(dev->dev, "failed to allocate sgt\n"); +- return ERR_CAST(msm_obj->sgt); ++ msm_obj->sgt = NULL; ++ return ptr; + } + +- msm_obj->pages = p; +- + /* For non-cached buffers, ensure the new pages are clean + * because display controller, GPU, etc. are not coherent: + */ +@@ -121,7 +124,10 @@ static void put_pages(struct drm_gem_obj + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, + msm_obj->sgt->nents, DMA_BIDIRECTIONAL); +- sg_free_table(msm_obj->sgt); ++ ++ if (msm_obj->sgt) ++ sg_free_table(msm_obj->sgt); ++ + kfree(msm_obj->sgt); + + if (use_pages(obj)) diff --git a/queue-4.9/drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch b/queue-4.9/drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch new file mode 100644 index 00000000000..0a1154e58be --- /dev/null +++ b/queue-4.9/drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Mario Kleiner +Date: Mon, 24 Apr 2017 01:59:34 +0200 +Subject: drm/nouveau/kms: Increase max retries in scanout position queries. + +From: Mario Kleiner + + +[ Upstream commit 60b95d709525e3ce1c51e1fc93175dcd1755d345 ] + +So far we only allowed for 1 retry and just failed the query +- and thereby high precision vblank timestamping - if we did +not get a reasonable result, as such a failure wasn't considered +all too horrible. There are a few NVidia gpu models out there which +may need a bit more than 1 retry to get a successful query result +under some conditions. + +Since Linux 4.4 the update code for vblank counter and timestamp +in drm_update_vblank_count() changed so that the implementation +assumes that high precision vblank timestamping of a kms driver +either consistently succeeds or consistently fails for a given +video mode and encoder/connector combo. Iow. switching from success +to fail or vice versa on a modeset or connector change is ok, but +spurious temporary failure for a given setup can confuse the core +code and potentially cause bad miscounting of vblanks and confusion +or hangs in userspace clients which rely on vblank stuff, e.g., +desktop compositors. + +Therefore change the max retry count to a larger number - more than +any gpu so far is known to need to succeed, but still low enough +so that these queries which do also happen in vblank interrupt are +still fast enough to be not disastrously long if something would +go badly wrong with them. + +As such sporadic retries only happen seldom even on affected gpu's, +this could mean a vblank irq could take a few dozen microseconds +longer every few hours of uptime -- better than a desktop compositor +randomly hanging every couple of hours or days of uptime in a hard +to reproduce manner. + +Signed-off-by: Mario Kleiner +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/nouveau/nouveau_display.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_display.c ++++ b/drivers/gpu/drm/nouveau/nouveau_display.c +@@ -106,7 +106,7 @@ nouveau_display_scanoutpos_head(struct d + }; + struct nouveau_display *disp = nouveau_display(crtc->dev); + struct drm_vblank_crtc *vblank = &crtc->dev->vblank[drm_crtc_index(crtc)]; +- int ret, retry = 1; ++ int ret, retry = 20; + + do { + ret = nvif_mthd(&disp->disp, 0, &args, sizeof(args)); diff --git a/queue-4.9/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch b/queue-4.9/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch new file mode 100644 index 00000000000..309fbe8d9a8 --- /dev/null +++ b/queue-4.9/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Peter Ujfalusi +Date: Fri, 29 Sep 2017 14:49:49 +0300 +Subject: drm/omap: DMM: Check for DMM readiness after successful transaction commit + +From: Peter Ujfalusi + + +[ Upstream commit b7ea6b286c4051e043f691781785e3c4672f014a ] + +Check the status of the DMM engine after it is reported that the +transaction was completed as in rare cases the engine might not reached a +working state. + +The wait_status() will print information in case the DMM is not reached the +expected state and the dmm_txn_commit() will return with an error code to +make sure that we are not continuing with a broken setup. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -298,7 +298,12 @@ static int dmm_txn_commit(struct dmm_txn + msecs_to_jiffies(100))) { + dev_err(dmm->dev, "timed out waiting for done\n"); + ret = -ETIMEDOUT; ++ goto cleanup; + } ++ ++ /* Check the engine status before continue */ ++ ret = wait_status(engine, DMM_PATSTATUS_READY | ++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE); + } + + cleanup: diff --git a/queue-4.9/drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch b/queue-4.9/drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch new file mode 100644 index 00000000000..801fa9916a8 --- /dev/null +++ b/queue-4.9/drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch @@ -0,0 +1,52 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Logan Gunthorpe +Date: Tue, 5 Dec 2017 16:30:51 -0700 +Subject: drm/tilcdc: ensure nonatomic iowrite64 is not used + +From: Logan Gunthorpe + + +[ Upstream commit 4e5ca2d930aa8714400aedf4bf1dc959cb04280f ] + +Add a check to ensure iowrite64 is only used if it is atomic. + +It was decided in [1] that the tilcdc driver should not be using an +atomic operation (so it was left out of this patchset). However, it turns +out that through the drm code, a nonatomic header is actually included: + +include/linux/io-64-nonatomic-lo-hi.h +is included from include/drm/drm_os_linux.h:9:0, + from include/drm/drmP.h:74, + from include/drm/drm_modeset_helper.h:26, + from include/drm/drm_atomic_helper.h:33, + from drivers/gpu/drm/tilcdc/tilcdc_crtc.c:19: + +And thus, without this change, this patchset would inadvertantly +change the behaviour of the tilcdc driver. + +[1] lkml.kernel.org/r/CAK8P3a2HhO_zCnsTzq7hmWSz5La5Thu19FWZpun16iMnyyNreQ@mail.gmail.com + +Signed-off-by: Logan Gunthorpe +Reviewed-by: Andy Shevchenko +Cc: Jyri Sarha +Cc: Arnd Bergmann +Cc: Tomi Valkeinen +Cc: David Airlie +Signed-off-by: Jyri Sarha +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/tilcdc/tilcdc_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/tilcdc/tilcdc_regs.h ++++ b/drivers/gpu/drm/tilcdc/tilcdc_regs.h +@@ -124,7 +124,7 @@ static inline void tilcdc_write64(struct + struct tilcdc_drm_private *priv = dev->dev_private; + volatile void __iomem *addr = priv->mmio + reg; + +-#ifdef iowrite64 ++#if defined(iowrite64) && !defined(iowrite64_is_nonatomic) + iowrite64(data, addr); + #else + __iowmb(); diff --git a/queue-4.9/dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch b/queue-4.9/dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch new file mode 100644 index 00000000000..975b3cb3610 --- /dev/null +++ b/queue-4.9/dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch @@ -0,0 +1,39 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Rask Ingemann Lambertsen +Date: Wed, 22 Feb 2017 20:41:02 +0100 +Subject: dt-bindings: mfd: axp20x: Add "xpowers,master-mode" property for AXP806 PMICs + +From: Rask Ingemann Lambertsen + + +[ Upstream commit 8461cf20d17e0090e9236b73d25b31be4f7fadc5 ] + +commit b101829a029a ("mfd: axp20x: Fix AXP806 access errors on cold boot") +was intended to fix the case where a board uses an AXP806 in slave mode, +but the boot loader leaves it in master mode for lack of AXP806 support. +But now the driver breaks on boards where the PMIC is operating in master +mode. To let the device tree describe which mode of operation is needed, +this patch introduces a new property "xpowers,master-mode". + +Fixes: 204ae2963e10 ("mfd: axp20x: Add bindings for AXP806 PMIC") +Signed-off-by: Rask Ingemann Lambertsen +Acked-by: Chen-Yu Tsai +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/mfd/axp20x.txt | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/Documentation/devicetree/bindings/mfd/axp20x.txt ++++ b/Documentation/devicetree/bindings/mfd/axp20x.txt +@@ -28,6 +28,9 @@ Optional properties: + regulator to drive the OTG VBus, rather then as an input pin + which signals whether the board is driving OTG VBus or not. + ++- x-powers,master-mode: Boolean (axp806 only). Set this when the PMIC is ++ wired for master mode. The default is slave mode. ++ + - -supply: a phandle to the regulator supply node. May be omitted if + inputs are unregulated, such as using the IPSOUT output + from the PMIC. diff --git a/queue-4.9/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch b/queue-4.9/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch new file mode 100644 index 00000000000..1ae4bc9c774 --- /dev/null +++ b/queue-4.9/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Bernd Faust +Date: Thu, 16 Feb 2017 19:42:07 +0100 +Subject: e1000e: fix timing for 82579 Gigabit Ethernet controller + +From: Bernd Faust + + +[ Upstream commit 5313eeccd2d7f486be4e5c7560e3e2be239ec8f7 ] + +After an upgrade to Linux kernel v4.x the hardware timestamps of the +82579 Gigabit Ethernet Controller are different than expected. +The values that are being read are almost four times as big as before +the kernel upgrade. + +The difference is that after the upgrade the driver sets the clock +frequency to 25MHz, where before the upgrade it was set to 96MHz. Intel +confirmed that the correct frequency for this network adapter is 96MHz. + +Signed-off-by: Bernd Faust +Acked-by: Sasha Neftin +Acked-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -3528,6 +3528,12 @@ s32 e1000e_get_base_timinca(struct e1000 + + switch (hw->mac.type) { + case e1000_pch2lan: ++ /* Stable 96MHz frequency */ ++ incperiod = INCPERIOD_96MHz; ++ incvalue = INCVALUE_96MHz; ++ shift = INCVALUE_SHIFT_96MHz; ++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz; ++ break; + case e1000_pch_lpt: + if (er32(TSYNCRXCTL) & E1000_TSYNCRXCTL_SYSCFI) { + /* Stable 96MHz frequency */ diff --git a/queue-4.9/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch b/queue-4.9/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch new file mode 100644 index 00000000000..cb1e57bd3fe --- /dev/null +++ b/queue-4.9/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: James Smart +Date: Fri, 21 Apr 2017 16:04:56 -0700 +Subject: Fix driver usage of 128B WQEs when WQ_CREATE is V1. + +From: James Smart + + +[ Upstream commit 3f247de750b8dd8f50a2c1390e2a1238790a9dff ] + +There are two versions of a structure for queue creation and setup that the +driver shares with FW. The driver was only treating as version 0. + +Verify WQ_CREATE with 128B WQEs in V0 and V1. + +Code review of another bug showed the driver passing +128B WQEs and 8 pages in WQ CREATE and V0. +Code inspection/instrumentation showed that the driver +uses V0 in WQ_CREATE and if the caller passes queue->entry_size +128B, the driver sets the hdr_version to V1 so all is good. +When I tested the V1 WQ_CREATE, the mailbox failed causing +the driver to unload. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_sli.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -13696,6 +13696,9 @@ lpfc_wq_create(struct lpfc_hba *phba, st + case LPFC_Q_CREATE_VERSION_1: + bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1, + wq->entry_count); ++ bf_set(lpfc_mbox_hdr_version, &shdr->request, ++ LPFC_Q_CREATE_VERSION_1); ++ + switch (wq->entry_size) { + default: + case 64: diff --git a/queue-4.9/fix-express-lane-queue-creation.patch b/queue-4.9/fix-express-lane-queue-creation.patch new file mode 100644 index 00000000000..1f060fb88a8 --- /dev/null +++ b/queue-4.9/fix-express-lane-queue-creation.patch @@ -0,0 +1,53 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: James Smart +Date: Fri, 21 Apr 2017 16:05:05 -0700 +Subject: Fix Express lane queue creation. + +From: James Smart + + +[ Upstream commit 7e04e21afa82ef024416f5413b5bdb66e0505bcd ] + +The older sli4 adapters only supported the 64 byte WQE entry size. +The new adapter (fw) support both 64 and 128 byte WQE entry sizies. +The Express lane WQ was not being created with the 128 byte WQE sizes +when it was supported. + +Not having the right WQE size created for the express lane work queue +caused the the firmware to overwrite the lun indentifier in the FCP header. + +This patch correctly creates the express lane work queue with the +supported size. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_init.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -11312,6 +11312,7 @@ int + lpfc_fof_queue_create(struct lpfc_hba *phba) + { + struct lpfc_queue *qdesc; ++ uint32_t wqesize; + + /* Create FOF EQ */ + qdesc = lpfc_sli4_queue_alloc(phba, phba->sli4_hba.eq_esize, +@@ -11332,8 +11333,11 @@ lpfc_fof_queue_create(struct lpfc_hba *p + phba->sli4_hba.oas_cq = qdesc; + + /* Create OAS WQ */ +- qdesc = lpfc_sli4_queue_alloc(phba, phba->sli4_hba.wq_esize, ++ wqesize = (phba->fcp_embed_io) ? ++ LPFC_WQE128_SIZE : phba->sli4_hba.wq_esize; ++ qdesc = lpfc_sli4_queue_alloc(phba, wqesize, + phba->sli4_hba.wq_ecount); ++ + if (!qdesc) + goto out_error; + diff --git a/queue-4.9/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch b/queue-4.9/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch new file mode 100644 index 00000000000..75b9df10d38 --- /dev/null +++ b/queue-4.9/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Sat, 15 Apr 2017 12:08:31 +0200 +Subject: genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs + +From: Hans de Goede + + +[ Upstream commit 382bd4de61827dbaaf5fb4fb7b1f4be4a86505e7 ] + +When requesting a shared irq with IRQF_TRIGGER_NONE then the irqaction +flags get filled with the trigger type from the irq_data: + + if (!(new->flags & IRQF_TRIGGER_MASK)) + new->flags |= irqd_get_trigger_type(&desc->irq_data); + +On the first setup_irq() the trigger type in irq_data is NONE when the +above code executes, then the irq is started up for the first time and +then the actual trigger type gets established, but that's too late to fix +up new->flags. + +When then a second user of the irq requests the irq with IRQF_TRIGGER_NONE +its irqaction's triggertype gets set to the actual trigger type and the +following check fails: + + if (!((old->flags ^ new->flags) & IRQF_TRIGGER_MASK)) + +Resulting in the request_irq failing with -EBUSY even though both +users requested the irq with IRQF_SHARED | IRQF_TRIGGER_NONE + +Fix this by comparing the new irqaction's trigger type to the trigger type +stored in the irq_data which correctly reflects the actual trigger type +being used for the irq. + +Suggested-by: Thomas Gleixner +Signed-off-by: Hans de Goede +Acked-by: Marc Zyngier +Link: http://lkml.kernel.org/r/20170415100831.17073-1-hdegoede@redhat.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1210,8 +1210,10 @@ __setup_irq(unsigned int irq, struct irq + * set the trigger type must match. Also all must + * agree on ONESHOT. + */ ++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data); ++ + if (!((old->flags & new->flags) & IRQF_SHARED) || +- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) || ++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) || + ((old->flags ^ new->flags) & IRQF_ONESHOT)) + goto mismatch; + diff --git a/queue-4.9/gpio-gpio-wcove-fix-gpio-irq-status-mask.patch b/queue-4.9/gpio-gpio-wcove-fix-gpio-irq-status-mask.patch new file mode 100644 index 00000000000..f8f34f427e8 --- /dev/null +++ b/queue-4.9/gpio-gpio-wcove-fix-gpio-irq-status-mask.patch @@ -0,0 +1,54 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Kuppuswamy Sathyanarayanan +Date: Mon, 24 Apr 2017 12:15:04 -0700 +Subject: gpio: gpio-wcove: fix GPIO IRQ status mask + +From: Kuppuswamy Sathyanarayanan + + +[ Upstream commit 881ebd229f4a5ea88f269c1225245e50db9ba303 ] + +According to Whiskey Cove PMIC spec, bit 7 of GPIOIRQ0_REG belongs to +battery IO. So we should skip this bit when checking for GPIO IRQ pending +status. Otherwise, wcove_gpio_irq_handler() might go into the infinite +loop until IRQ "pending" status becomes 0. This patch fixes this issue. + +Signed-off-by: Kuppuswamy Sathyanarayanan +Acked-by: Mika Westerberg +Acked-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-wcove.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-wcove.c ++++ b/drivers/gpio/gpio-wcove.c +@@ -51,6 +51,8 @@ + #define GROUP1_NR_IRQS 6 + #define IRQ_MASK_BASE 0x4e19 + #define IRQ_STATUS_BASE 0x4e0b ++#define GPIO_IRQ0_MASK GENMASK(6, 0) ++#define GPIO_IRQ1_MASK GENMASK(5, 0) + #define UPDATE_IRQ_TYPE BIT(0) + #define UPDATE_IRQ_MASK BIT(1) + +@@ -310,7 +312,7 @@ static irqreturn_t wcove_gpio_irq_handle + return IRQ_NONE; + } + +- pending = p[0] | (p[1] << 8); ++ pending = (p[0] & GPIO_IRQ0_MASK) | ((p[1] & GPIO_IRQ1_MASK) << 7); + if (!pending) + return IRQ_NONE; + +@@ -334,7 +336,7 @@ static irqreturn_t wcove_gpio_irq_handle + break; + } + +- pending = p[0] | (p[1] << 8); ++ pending = (p[0] & GPIO_IRQ0_MASK) | ((p[1] & GPIO_IRQ1_MASK) << 7); + } + + return IRQ_HANDLED; diff --git a/queue-4.9/gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch b/queue-4.9/gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch new file mode 100644 index 00000000000..0ead978695c --- /dev/null +++ b/queue-4.9/gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Kuppuswamy Sathyanarayanan +Date: Fri, 14 Apr 2017 10:29:25 -0700 +Subject: gpio: gpio-wcove: fix irq pending status bit width + +From: Kuppuswamy Sathyanarayanan + + +[ Upstream commit 7c2d176fe3f8dce632b948f79c7e89916ffe2c70 ] + +Whiskey cove PMIC has three GPIO banks with total number of 13 GPIO +pins. But when checking for the pending status, for_each_set_bit() uses +bit width of 7 and hence it only checks the status for first 7 GPIO pins +missing to check/clear the status of rest of the GPIO pins. This patch +fixes this issue. + +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-wcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpio/gpio-wcove.c ++++ b/drivers/gpio/gpio-wcove.c +@@ -318,7 +318,7 @@ static irqreturn_t wcove_gpio_irq_handle + while (pending) { + /* One iteration is for all pending bits */ + for_each_set_bit(gpio, (const unsigned long *)&pending, +- GROUP0_NR_IRQS) { ++ WCOVE_GPIO_NUM) { + offset = (gpio > GROUP0_NR_IRQS) ? 1 : 0; + mask = (offset == 1) ? BIT(gpio - GROUP0_NR_IRQS) : + BIT(gpio); diff --git a/queue-4.9/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch b/queue-4.9/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch new file mode 100644 index 00000000000..57d6f099b03 --- /dev/null +++ b/queue-4.9/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Fri, 21 Apr 2017 13:39:09 +0300 +Subject: HSI: ssi_protocol: double free in ssip_pn_xmit() + +From: Dan Carpenter + + +[ Upstream commit 3026050179a3a9a6f5c892c414b5e36ecf092081 ] + +If skb_pad() fails then it frees skb and we don't need to free it again +at the end of the function. + +Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol") +Signed-off-by: Dan Carpenter +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hsi/clients/ssi_protocol.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -989,7 +989,7 @@ static int ssip_pn_xmit(struct sk_buff * + goto drop; + /* Pad to 32-bits - FIXME: Revisit*/ + if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3))) +- goto drop; ++ goto inc_dropped; + + /* + * Modem sends Phonet messages over SSI with its own endianess... +@@ -1041,8 +1041,9 @@ static int ssip_pn_xmit(struct sk_buff * + drop2: + hsi_free_msg(msg); + drop: +- dev->stats.tx_dropped++; + dev_kfree_skb(skb); ++inc_dropped: ++ dev->stats.tx_dropped++; + + return 0; + } diff --git a/queue-4.9/i2c-i2c-scmi-add-a-ms-hid.patch b/queue-4.9/i2c-i2c-scmi-add-a-ms-hid.patch new file mode 100644 index 00000000000..5dd420fe287 --- /dev/null +++ b/queue-4.9/i2c-i2c-scmi-add-a-ms-hid.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Edgar Cherkasov +Date: Tue, 4 Apr 2017 19:18:27 +0300 +Subject: i2c: i2c-scmi: add a MS HID + +From: Edgar Cherkasov + + +[ Upstream commit e058e7a4bc89104540a8a303682248614b5df6f1 ] + +Description of the problem: + - i2c-scmi driver contains only two identifiers "SMBUS01" and "SMBUSIBM"; + - the fist HID (SMBUS01) is clearly defined in "SMBus Control Method + Interface Specification, version 1.0": "Each device must specify + 'SMBUS01' as its _HID and use a unique _UID value"; + - unfortunately, BIOS vendors (like AMI) seem to ignore this requirement + and implement "SMB0001" HID instead of "SMBUS01"; + - I speculate that they do this because only "SMB0001" is hard coded in + Windows SMBus driver produced by Microsoft. + +This leads to following situation: + - SMBus works out of box in Windows but not in Linux; + - board vendors are forced to add correct "SMBUS01" HID to BIOS to make + SMBus work in Linux. Moreover the same board vendors complain that + tools (3-rd party ASL compiler) do not like the "SMBUS01" identifier + and produce errors. So they need to constantly patch the compiler for + each new version of BIOS. + +As it is very unlikely that BIOS vendors implement a correct HID in +future, I would propose to consider whether it is possible to work around +the problem by adding MS HID to the Linux i2c-scmi driver. + +v2: move the definition of the new HID to the driver itself. + +Signed-off-by: Edgar Cherkasov +Signed-off-by: Michael Brunner +Acked-by: Viktor Krasnov +Reviewed-by: Jean Delvare +Reviewed-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-scmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -18,6 +18,9 @@ + #define ACPI_SMBUS_HC_CLASS "smbus" + #define ACPI_SMBUS_HC_DEVICE_NAME "cmi" + ++/* SMBUS HID definition as supported by Microsoft Windows */ ++#define ACPI_SMBUS_MS_HID "SMB0001" ++ + ACPI_MODULE_NAME("smbus_cmi"); + + struct smbus_methods_t { +@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_ + static const struct acpi_device_id acpi_smbus_cmi_ids[] = { + {"SMBUS01", (kernel_ulong_t)&smbus_methods}, + {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods}, ++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods}, + {"", 0} + }; + MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids); diff --git a/queue-4.9/ia64-fix-module-loading-for-gcc-5.4.patch b/queue-4.9/ia64-fix-module-loading-for-gcc-5.4.patch new file mode 100644 index 00000000000..721bf52d73e --- /dev/null +++ b/queue-4.9/ia64-fix-module-loading-for-gcc-5.4.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Sergei Trofimovich +Date: Mon, 1 May 2017 11:51:55 -0700 +Subject: ia64: fix module loading for gcc-5.4 + +From: Sergei Trofimovich + + +[ Upstream commit a25fb8508c1b80dce742dbeaa4d75a1e9f2c5617 ] + +Starting from gcc-5.4+ gcc generates MLX instructions in more cases to +refer local symbols: + + https://gcc.gnu.org/PR60465 + +That caused ia64 module loader to choke on such instructions: + + fuse: invalid slot number 1 for IMM64 + +The Linux kernel used to handle only case where relocation pointed to +slot=2 instruction in the bundle. That limitation was fixed in linux by +commit 9c184a073bfd ("[IA64] Fix 2.6 kernel for the new ia64 assembler") +See + + http://sources.redhat.com/bugzilla/show_bug.cgi?id=1433 + +This change lifts the slot=2 restriction from the kernel module loader. + +Tested on 'fuse' and 'btrfs' kernel modules. + +Cc: Markus Elfring +Cc: H J Lu +Cc: Fenghua Yu +Cc: Andrew Morton +Bug: https://bugs.gentoo.org/601014 +Tested-by: Émeric MASCHINO +Signed-off-by: Sergei Trofimovich +Signed-off-by: Tony Luck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/kernel/module.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -153,7 +153,7 @@ slot (const struct insn *insn) + static int + apply_imm64 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM64\n", + mod->name, slot(insn)); + return 0; +@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct + static int + apply_imm60 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM60\n", + mod->name, slot(insn)); + return 0; diff --git a/queue-4.9/ib-hfi1-fix-softlockup-issue.patch b/queue-4.9/ib-hfi1-fix-softlockup-issue.patch new file mode 100644 index 00000000000..41215286b0c --- /dev/null +++ b/queue-4.9/ib-hfi1-fix-softlockup-issue.patch @@ -0,0 +1,270 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Tadeusz Struk +Date: Fri, 28 Apr 2017 10:40:02 -0700 +Subject: IB/hfi1: Fix softlockup issue + +From: Tadeusz Struk + + +[ Upstream commit 22546b741af8355cd2e16739b6af4a8f17081839 ] + +Soft lockups can occur because the mad processing on different CPUs acquire +the spin lock dc8051_lock: + +[534552.835870] [] ? read_dev_port_cntr.isra.37+0x23/0x160 [hfi1] +[534552.835880] [] read_dev_cntr+0x4f/0x60 [hfi1] +[534552.835893] [] pma_get_opa_portstatus+0x64d/0x8c0 [hfi1] +[534552.835904] [] hfi1_process_mad+0x48d/0x18c0 [hfi1] +[534552.835908] [] ? __slab_free+0x81/0x2f0 +[534552.835936] [] ? ib_mad_recv_done+0x21e/0xa30 [ib_core] +[534552.835939] [] ? __kmalloc+0x1f3/0x240 +[534552.835947] [] ib_mad_recv_done+0x2cb/0xa30 [ib_core] +[534552.835955] [] __ib_process_cq+0x55/0xd0 [ib_core] +[534552.835962] [] ib_cq_poll_work+0x20/0x60 [ib_core] +[534552.835964] [] process_one_work+0x17b/0x470 +[534552.835966] [] worker_thread+0x126/0x410 +[534552.835969] [] ? rescuer_thread+0x460/0x460 +[534552.835971] [] kthread+0xcf/0xe0 +[534552.835974] [] ? kthread_create_on_node+0x140/0x140 +[534552.835977] [] ret_from_fork+0x58/0x90 +[534552.835980] [] ? kthread_create_on_node+0x140/0x140 + +This issue is made worse when the 8051 is busy and the reads take longer. +Fix by using a non-spinning lock procure. + +Reviewed-by: Michael J. Ruhl +Reviewed-by: Mike Marciszyn +Signed-off-by: Tadeusz Struk +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/chip.c | 86 ++++++++++++++++++++++---------------- + drivers/infiniband/hw/hfi1/hfi.h | 7 +-- + drivers/infiniband/hw/hfi1/init.c | 2 + 3 files changed, 57 insertions(+), 38 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/chip.c ++++ b/drivers/infiniband/hw/hfi1/chip.c +@@ -6379,18 +6379,17 @@ static void lcb_shutdown(struct hfi1_dev + * + * The expectation is that the caller of this routine would have taken + * care of properly transitioning the link into the correct state. ++ * NOTE: the caller needs to acquire the dd->dc8051_lock lock ++ * before calling this function. + */ +-static void dc_shutdown(struct hfi1_devdata *dd) ++static void _dc_shutdown(struct hfi1_devdata *dd) + { +- unsigned long flags; ++ lockdep_assert_held(&dd->dc8051_lock); + +- spin_lock_irqsave(&dd->dc8051_lock, flags); +- if (dd->dc_shutdown) { +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); ++ if (dd->dc_shutdown) + return; +- } ++ + dd->dc_shutdown = 1; +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); + /* Shutdown the LCB */ + lcb_shutdown(dd, 1); + /* +@@ -6401,35 +6400,45 @@ static void dc_shutdown(struct hfi1_devd + write_csr(dd, DC_DC8051_CFG_RST, 0x1); + } + ++static void dc_shutdown(struct hfi1_devdata *dd) ++{ ++ mutex_lock(&dd->dc8051_lock); ++ _dc_shutdown(dd); ++ mutex_unlock(&dd->dc8051_lock); ++} ++ + /* + * Calling this after the DC has been brought out of reset should not + * do any damage. ++ * NOTE: the caller needs to acquire the dd->dc8051_lock lock ++ * before calling this function. + */ +-static void dc_start(struct hfi1_devdata *dd) ++static void _dc_start(struct hfi1_devdata *dd) + { +- unsigned long flags; +- int ret; ++ lockdep_assert_held(&dd->dc8051_lock); + +- spin_lock_irqsave(&dd->dc8051_lock, flags); + if (!dd->dc_shutdown) +- goto done; +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); ++ return; ++ + /* Take the 8051 out of reset */ + write_csr(dd, DC_DC8051_CFG_RST, 0ull); + /* Wait until 8051 is ready */ +- ret = wait_fm_ready(dd, TIMEOUT_8051_START); +- if (ret) { ++ if (wait_fm_ready(dd, TIMEOUT_8051_START)) + dd_dev_err(dd, "%s: timeout starting 8051 firmware\n", + __func__); +- } ++ + /* Take away reset for LCB and RX FPE (set in lcb_shutdown). */ + write_csr(dd, DCC_CFG_RESET, 0x10); + /* lcb_shutdown() with abort=1 does not restore these */ + write_csr(dd, DC_LCB_ERR_EN, dd->lcb_err_en); +- spin_lock_irqsave(&dd->dc8051_lock, flags); + dd->dc_shutdown = 0; +-done: +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); ++} ++ ++static void dc_start(struct hfi1_devdata *dd) ++{ ++ mutex_lock(&dd->dc8051_lock); ++ _dc_start(dd); ++ mutex_unlock(&dd->dc8051_lock); + } + + /* +@@ -8418,16 +8427,11 @@ static int do_8051_command( + { + u64 reg, completed; + int return_code; +- unsigned long flags; + unsigned long timeout; + + hfi1_cdbg(DC8051, "type %d, data 0x%012llx", type, in_data); + +- /* +- * Alternative to holding the lock for a long time: +- * - keep busy wait - have other users bounce off +- */ +- spin_lock_irqsave(&dd->dc8051_lock, flags); ++ mutex_lock(&dd->dc8051_lock); + + /* We can't send any commands to the 8051 if it's in reset */ + if (dd->dc_shutdown) { +@@ -8453,10 +8457,8 @@ static int do_8051_command( + return_code = -ENXIO; + goto fail; + } +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); +- dc_shutdown(dd); +- dc_start(dd); +- spin_lock_irqsave(&dd->dc8051_lock, flags); ++ _dc_shutdown(dd); ++ _dc_start(dd); + } + + /* +@@ -8534,8 +8536,7 @@ static int do_8051_command( + write_csr(dd, DC_DC8051_CFG_HOST_CMD_0, 0); + + fail: +- spin_unlock_irqrestore(&dd->dc8051_lock, flags); +- ++ mutex_unlock(&dd->dc8051_lock); + return return_code; + } + +@@ -11849,6 +11850,10 @@ static void free_cntrs(struct hfi1_devda + dd->scntrs = NULL; + kfree(dd->cntrnames); + dd->cntrnames = NULL; ++ if (dd->update_cntr_wq) { ++ destroy_workqueue(dd->update_cntr_wq); ++ dd->update_cntr_wq = NULL; ++ } + } + + static u64 read_dev_port_cntr(struct hfi1_devdata *dd, struct cntr_entry *entry, +@@ -12004,7 +12009,7 @@ u64 write_port_cntr(struct hfi1_pportdat + return write_dev_port_cntr(ppd->dd, entry, sval, ppd, vl, data); + } + +-static void update_synth_timer(unsigned long opaque) ++static void do_update_synth_timer(struct work_struct *work) + { + u64 cur_tx; + u64 cur_rx; +@@ -12013,8 +12018,8 @@ static void update_synth_timer(unsigned + int i, j, vl; + struct hfi1_pportdata *ppd; + struct cntr_entry *entry; +- +- struct hfi1_devdata *dd = (struct hfi1_devdata *)opaque; ++ struct hfi1_devdata *dd = container_of(work, struct hfi1_devdata, ++ update_cntr_work); + + /* + * Rather than keep beating on the CSRs pick a minimal set that we can +@@ -12097,7 +12102,13 @@ static void update_synth_timer(unsigned + } else { + hfi1_cdbg(CNTR, "[%d] No update necessary", dd->unit); + } ++} ++ ++static void update_synth_timer(unsigned long opaque) ++{ ++ struct hfi1_devdata *dd = (struct hfi1_devdata *)opaque; + ++ queue_work(dd->update_cntr_wq, &dd->update_cntr_work); + mod_timer(&dd->synth_stats_timer, jiffies + HZ * SYNTH_CNT_TIME); + } + +@@ -12333,6 +12344,13 @@ static int init_cntrs(struct hfi1_devdat + if (init_cpu_counters(dd)) + goto bail; + ++ dd->update_cntr_wq = alloc_ordered_workqueue("hfi1_update_cntr_%d", ++ WQ_MEM_RECLAIM, dd->unit); ++ if (!dd->update_cntr_wq) ++ goto bail; ++ ++ INIT_WORK(&dd->update_cntr_work, do_update_synth_timer); ++ + mod_timer(&dd->synth_stats_timer, jiffies + HZ * SYNTH_CNT_TIME); + return 0; + bail: +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -475,7 +475,7 @@ struct rvt_sge_state; + #define HFI1_PART_ENFORCE_OUT 0x2 + + /* how often we check for synthetic counter wrap around */ +-#define SYNTH_CNT_TIME 2 ++#define SYNTH_CNT_TIME 3 + + /* Counter flags */ + #define CNTR_NORMAL 0x0 /* Normal counters, just read register */ +@@ -929,8 +929,9 @@ struct hfi1_devdata { + spinlock_t rcvctrl_lock; /* protect changes to RcvCtrl */ + /* around rcd and (user ctxts) ctxt_cnt use (intr vs free) */ + spinlock_t uctxt_lock; /* rcd and user context changes */ +- /* exclusive access to 8051 */ +- spinlock_t dc8051_lock; ++ struct mutex dc8051_lock; /* exclusive access to 8051 */ ++ struct workqueue_struct *update_cntr_wq; ++ struct work_struct update_cntr_work; + /* exclusive access to 8051 memory */ + spinlock_t dc8051_memlock; + int dc8051_timed_out; /* remember if the 8051 timed out */ +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -1078,11 +1078,11 @@ struct hfi1_devdata *hfi1_alloc_devdata( + spin_lock_init(&dd->uctxt_lock); + spin_lock_init(&dd->hfi1_diag_trans_lock); + spin_lock_init(&dd->sc_init_lock); +- spin_lock_init(&dd->dc8051_lock); + spin_lock_init(&dd->dc8051_memlock); + seqlock_init(&dd->sc2vl_lock); + spin_lock_init(&dd->sde_map_lock); + spin_lock_init(&dd->pio_map_lock); ++ mutex_init(&dd->dc8051_lock); + init_waitqueue_head(&dd->event_queue); + + dd->int_counter = alloc_percpu(u64); diff --git a/queue-4.9/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch b/queue-4.9/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch new file mode 100644 index 00000000000..72e3e6305aa --- /dev/null +++ b/queue-4.9/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Erez Shitrit +Date: Tue, 14 Nov 2017 14:51:53 +0200 +Subject: IB/ipoib: Avoid memory leak if the SA returns a different DGID + +From: Erez Shitrit + + +[ Upstream commit 439000892ee17a9c92f1e4297818790ef8bb4ced ] + +The ipoib path database is organized around DGIDs from the LLADDR, but the +SA is free to return a different GID when asked for path. This causes a +bug because the SA's modified DGID is copied into the database key, even +though it is no longer the correct lookup key, causing a memory leak and +other malfunctions. + +Ensure the database key does not change after the SA query completes. + +Demonstration of the bug is as follows +ipoib wants to send to GID fe80:0000:0000:0000:0002:c903:00ef:5ee2, it +creates new record in the DB with that gid as a key, and issues a new +request to the SM. +Now, the SM from some reason returns path-record with other SGID (for +example, 2001:0000:0000:0000:0002:c903:00ef:5ee2 that contains the local +subnet prefix) now ipoib will overwrite the current entry with the new +one, and if new request to the original GID arrives ipoib will not find +it in the DB (was overwritten) and will create new record that in its +turn will also be overwritten by the response from the SM, and so on +till the driver eats all the device memory. + +Signed-off-by: Erez Shitrit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -799,6 +799,22 @@ static void path_rec_completion(int stat + spin_lock_irqsave(&priv->lock, flags); + + if (!IS_ERR_OR_NULL(ah)) { ++ /* ++ * pathrec.dgid is used as the database key from the LLADDR, ++ * it must remain unchanged even if the SA returns a different ++ * GID to use in the AH. ++ */ ++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid))) { ++ ipoib_dbg( ++ priv, ++ "%s got PathRec for gid %pI6 while asked for %pI6\n", ++ dev->name, pathrec->dgid.raw, ++ path->pathrec.dgid.raw); ++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid)); ++ } ++ + path->pathrec = *pathrec; + + old_ah = path->ah; diff --git a/queue-4.9/ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch b/queue-4.9/ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch new file mode 100644 index 00000000000..3621f41b6fb --- /dev/null +++ b/queue-4.9/ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch @@ -0,0 +1,111 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Feras Daoud +Date: Sun, 19 Mar 2017 11:18:55 +0200 +Subject: IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow + +From: Feras Daoud + + +[ Upstream commit 3e31a490e01a6e67cbe9f6e1df2f3ff0fbf48972 ] + +Before calling ipoib_stop, rtnl_lock should be taken, then +the flow clears the IPOIB_FLAG_ADMIN_UP and IPOIB_FLAG_OPER_UP +flags, and waits for mcast completion if IPOIB_MCAST_FLAG_BUSY +is set. + +On the other hand, the flow of multicast join task initializes +a mcast completion, sets the IPOIB_MCAST_FLAG_BUSY and calls +ipoib_mcast_join. If IPOIB_FLAG_OPER_UP flag is not set, this +call returns EINVAL without setting the mcast completion and +leads to a deadlock. + + ipoib_stop | + | | + clear_bit(IPOIB_FLAG_ADMIN_UP) | + | | + Context Switch | + | ipoib_mcast_join_task + | | + | spin_lock_irq(lock) + | | + | init_completion(mcast) + | | + | set_bit(IPOIB_MCAST_FLAG_BUSY) + | | + | Context Switch + | | + clear_bit(IPOIB_FLAG_OPER_UP) | + | | + spin_lock_irqsave(lock) | + | | + Context Switch | + | ipoib_mcast_join + | return (-EINVAL) + | | + | spin_unlock_irq(lock) + | | + | Context Switch + | | + ipoib_mcast_dev_flush | + wait_for_completion(mcast) | + +ipoib_stop will wait for mcast completion for ever, and will +not release the rtnl_lock. As a result panic occurs with the +following trace: + + [13441.639268] Call Trace: + [13441.640150] [] schedule+0x29/0x70 + [13441.641038] [] schedule_timeout+0x239/0x2d0 + [13441.641914] [] ? complete+0x47/0x50 + [13441.642765] [] ? flush_workqueue_prep_pwqs+0x16d/0x200 + [13441.643580] [] wait_for_completion+0x116/0x170 + [13441.644434] [] ? wake_up_state+0x20/0x20 + [13441.645293] [] ipoib_mcast_dev_flush+0x150/0x190 [ib_ipoib] + [13441.646159] [] ipoib_ib_dev_down+0x37/0x60 [ib_ipoib] + [13441.647013] [] ipoib_stop+0x75/0x150 [ib_ipoib] + +Fixes: 08bc327629cb ("IB/ipoib: fix for rare multicast join race condition") +Signed-off-by: Feras Daoud +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -487,6 +487,9 @@ static int ipoib_mcast_join(struct net_d + !test_bit(IPOIB_FLAG_OPER_UP, &priv->flags)) + return -EINVAL; + ++ init_completion(&mcast->done); ++ set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); ++ + ipoib_dbg_mcast(priv, "joining MGID %pI6\n", mcast->mcmember.mgid.raw); + + rec.mgid = mcast->mcmember.mgid; +@@ -645,8 +648,6 @@ void ipoib_mcast_join_task(struct work_s + if (mcast->backoff == 1 || + time_after_eq(jiffies, mcast->delay_until)) { + /* Found the next unjoined group */ +- init_completion(&mcast->done); +- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); + if (ipoib_mcast_join(dev, mcast)) { + spin_unlock_irq(&priv->lock); + return; +@@ -666,11 +667,9 @@ out: + queue_delayed_work(priv->wq, &priv->mcast_task, + delay_until - jiffies); + } +- if (mcast) { +- init_completion(&mcast->done); +- set_bit(IPOIB_MCAST_FLAG_BUSY, &mcast->flags); ++ if (mcast) + ipoib_mcast_join(dev, mcast); +- } ++ + spin_unlock_irq(&priv->lock); + } + diff --git a/queue-4.9/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch b/queue-4.9/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch new file mode 100644 index 00000000000..d5787789465 --- /dev/null +++ b/queue-4.9/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Feras Daoud +Date: Sun, 19 Mar 2017 11:18:54 +0200 +Subject: IB/ipoib: Update broadcast object if PKey value was changed in index 0 + +From: Feras Daoud + + +[ Upstream commit 9a9b8112699d78e7f317019b37f377e90023f3ed ] + +Update the broadcast address in the priv->broadcast object when the +Pkey value changes in index 0, otherwise the multicast GID value will +keep the previous value of the PKey, and will not be updated. +This leads to interface state down because the interface will keep the +old PKey value. + +For example, in SR-IOV environment, if the PF changes the value of PKey +index 0 for one of the VFs, then the VF receives PKey change event that +triggers heavy flush. This flush calls update_parent_pkey that update the +broadcast object and its relevant members. If in this case the multicast +GID will not be updated, the interface state will be down. + +Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization environments") +Signed-off-by: Feras Daoud +Signed-off-by: Erez Shitrit +Reviewed-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -974,6 +974,19 @@ static inline int update_parent_pkey(str + */ + priv->dev->broadcast[8] = priv->pkey >> 8; + priv->dev->broadcast[9] = priv->pkey & 0xff; ++ ++ /* ++ * Update the broadcast address in the priv->broadcast object, ++ * in case it already exists, otherwise no one will do that. ++ */ ++ if (priv->broadcast) { ++ spin_lock_irq(&priv->lock); ++ memcpy(priv->broadcast->mcmember.mgid.raw, ++ priv->dev->broadcast + 4, ++ sizeof(union ib_gid)); ++ spin_unlock_irq(&priv->lock); ++ } ++ + return 0; + } + diff --git a/queue-4.9/ib-mlx4-change-vma-from-shared-to-private.patch b/queue-4.9/ib-mlx4-change-vma-from-shared-to-private.patch new file mode 100644 index 00000000000..a0f84d309a7 --- /dev/null +++ b/queue-4.9/ib-mlx4-change-vma-from-shared-to-private.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Maor Gottlieb +Date: Wed, 29 Mar 2017 06:03:01 +0300 +Subject: IB/mlx4: Change vma from shared to private + +From: Maor Gottlieb + + +[ Upstream commit ca37a664a8e4e9988b220988ceb4d79e3316f195 ] + +Anonymous VMA (->vm_ops == NULL) cannot be shared, otherwise +it would lead to SIGBUS. + +Remove the shared flags from the vma after we change it to be +anonymous. + +This is easily reproduced by doing modprobe -r while running a +user-space application such as raw_ethernet_bw. + +Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support') +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1182,6 +1182,8 @@ static void mlx4_ib_disassociate_ucontex + BUG_ON(1); + } + ++ context->hw_bar_info[i].vma->vm_flags &= ++ ~(VM_SHARED | VM_MAYSHARE); + /* context going to be destroyed, should not access ops any more */ + context->hw_bar_info[i].vma->vm_ops = NULL; + } diff --git a/queue-4.9/ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch b/queue-4.9/ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch new file mode 100644 index 00000000000..377b33cc956 --- /dev/null +++ b/queue-4.9/ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Maor Gottlieb +Date: Wed, 29 Mar 2017 06:03:00 +0300 +Subject: IB/mlx4: Take write semaphore when changing the vma struct + +From: Maor Gottlieb + + +[ Upstream commit 22c3653d04bd0c67b75e99d85e0c0bdf83947df5 ] + +When the driver disassociate user context, it changes the vma to +anonymous by setting the vm_ops to null and zap the vma ptes. + +In order to avoid race in the kernel, we need to take write lock +before we change the vma entries. + +Fixes: ae184ddeca5db ('IB/mlx4_ib: Disassociate support') +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/main.c ++++ b/drivers/infiniband/hw/mlx4/main.c +@@ -1168,7 +1168,7 @@ static void mlx4_ib_disassociate_ucontex + /* need to protect from a race on closing the vma as part of + * mlx4_ib_vma_close(). + */ +- down_read(&owning_mm->mmap_sem); ++ down_write(&owning_mm->mmap_sem); + for (i = 0; i < HW_BAR_COUNT; i++) { + vma = context->hw_bar_info[i].vma; + if (!vma) +@@ -1186,7 +1186,7 @@ static void mlx4_ib_disassociate_ucontex + context->hw_bar_info[i].vma->vm_ops = NULL; + } + +- up_read(&owning_mm->mmap_sem); ++ up_write(&owning_mm->mmap_sem); + mmput(owning_mm); + put_task_struct(owning_process); + } diff --git a/queue-4.9/ib-mlx5-change-vma-from-shared-to-private.patch b/queue-4.9/ib-mlx5-change-vma-from-shared-to-private.patch new file mode 100644 index 00000000000..d9f46388fb7 --- /dev/null +++ b/queue-4.9/ib-mlx5-change-vma-from-shared-to-private.patch @@ -0,0 +1,39 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Maor Gottlieb +Date: Wed, 29 Mar 2017 06:03:03 +0300 +Subject: IB/mlx5: Change vma from shared to private + +From: Maor Gottlieb + + +[ Upstream commit 1377661298d2820d675553d186c31b6f46c140d0 ] + +Anonymous VMA (->vm_ops == NULL) cannot be shared, otherwise +it would lead to SIGBUS. + +Remove the shared flags from the vma after we change it to be +anonymous. + +This is easily reproduced by doing modprobe -r while running a +user-space application such as raw_ethernet_bw. + +Fixes: 7c2344c3bbf97 ('IB/mlx5: Implements disassociate_ucontext API') +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1323,6 +1323,7 @@ static void mlx5_ib_disassociate_ucontex + /* context going to be destroyed, should + * not access ops any more. + */ ++ vma->vm_flags &= ~(VM_SHARED | VM_MAYSHARE); + vma->vm_ops = NULL; + list_del(&vma_private->list); + kfree(vma_private); diff --git a/queue-4.9/ib-mlx5-set-correct-sl-in-completion-for-roce.patch b/queue-4.9/ib-mlx5-set-correct-sl-in-completion-for-roce.patch new file mode 100644 index 00000000000..73200348a7e --- /dev/null +++ b/queue-4.9/ib-mlx5-set-correct-sl-in-completion-for-roce.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Moni Shoua +Date: Thu, 20 Apr 2017 13:26:54 +0300 +Subject: IB/mlx5: Set correct SL in completion for RoCE + +From: Moni Shoua + + +[ Upstream commit 12f8fedef2ec94c783f929126b20440a01512c14 ] + +There is a difference when parsing a completion entry between Ethernet +and IB ports. When link layer is Ethernet the bits describe the type of +L3 header in the packet. In the case when link layer is Ethernet and VLAN +header is present the value of SL is equal to the 3 UP bits in the VLAN +header. If VLAN header is not present then the SL is undefined and consumer +of the completion should check if IB_WC_WITH_VLAN is set. + +While that, this patch also fills the vlan_id field in the completion if +present. + +Signed-off-by: Moni Shoua +Reviewed-by: Majd Dibbiny +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/cq.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/cq.c ++++ b/drivers/infiniband/hw/mlx5/cq.c +@@ -172,6 +172,8 @@ static void handle_responder(struct ib_w + struct mlx5_ib_srq *srq; + struct mlx5_ib_wq *wq; + u16 wqe_ctr; ++ u8 roce_packet_type; ++ bool vlan_present; + u8 g; + + if (qp->ibqp.srq || qp->ibqp.xrcd) { +@@ -223,7 +225,6 @@ static void handle_responder(struct ib_w + break; + } + wc->slid = be16_to_cpu(cqe->slid); +- wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf; + wc->src_qp = be32_to_cpu(cqe->flags_rqpn) & 0xffffff; + wc->dlid_path_bits = cqe->ml_path; + g = (be32_to_cpu(cqe->flags_rqpn) >> 28) & 3; +@@ -237,10 +238,22 @@ static void handle_responder(struct ib_w + wc->pkey_index = 0; + } + +- if (ll != IB_LINK_LAYER_ETHERNET) ++ if (ll != IB_LINK_LAYER_ETHERNET) { ++ wc->sl = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0xf; + return; ++ } ++ ++ vlan_present = cqe->l4_l3_hdr_type & 0x1; ++ roce_packet_type = (be32_to_cpu(cqe->flags_rqpn) >> 24) & 0x3; ++ if (vlan_present) { ++ wc->vlan_id = (be16_to_cpu(cqe->vlan_info)) & 0xfff; ++ wc->sl = (be16_to_cpu(cqe->vlan_info) >> 13) & 0x7; ++ wc->wc_flags |= IB_WC_WITH_VLAN; ++ } else { ++ wc->sl = 0; ++ } + +- switch (wc->sl & 0x3) { ++ switch (roce_packet_type) { + case MLX5_CQE_ROCE_L3_HEADER_TYPE_GRH: + wc->network_hdr_type = RDMA_NETWORK_IB; + break; diff --git a/queue-4.9/ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch b/queue-4.9/ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch new file mode 100644 index 00000000000..f9975cfa28b --- /dev/null +++ b/queue-4.9/ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Maor Gottlieb +Date: Wed, 29 Mar 2017 06:03:02 +0300 +Subject: IB/mlx5: Take write semaphore when changing the vma struct + +From: Maor Gottlieb + + +[ Upstream commit ecc7d83be3243835c9396a1a2fb8ce95f205207b ] + +When the driver disassociate user context, it changes the vma to +anonymous by setting the vm_ops to null and zap the vma ptes. + +In order to avoid race in the kernel, we need to take write lock +before we change the vma entries. + +Fixes: 7c2344c3bbf97 ('IB/mlx5: Implements disassociate_ucontext API') +Signed-off-by: Maor Gottlieb +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -1313,7 +1313,7 @@ static void mlx5_ib_disassociate_ucontex + /* need to protect from a race on closing the vma as part of + * mlx5_ib_vma_close. + */ +- down_read(&owning_mm->mmap_sem); ++ down_write(&owning_mm->mmap_sem); + list_for_each_entry_safe(vma_private, n, &context->vma_private_list, + list) { + vma = vma_private->vma; +@@ -1327,7 +1327,7 @@ static void mlx5_ib_disassociate_ucontex + list_del(&vma_private->list); + kfree(vma_private); + } +- up_read(&owning_mm->mmap_sem); ++ up_write(&owning_mm->mmap_sem); + mmput(owning_mm); + put_task_struct(owning_process); + } diff --git a/queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch b/queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch new file mode 100644 index 00000000000..8f3f763ae73 --- /dev/null +++ b/queue-4.9/ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Thu, 27 Apr 2017 12:14:20 +0300 +Subject: IB/rdmavt: restore IRQs on error path in rvt_create_ah() + +From: Dan Carpenter + + +[ Upstream commit f0bb2d44ca26b7090dc7bade8877b77005f07dfc ] + +We need to call spin_unlock_irqrestore() instead of vanilla +spin_unlock() on this error path. + +Fixes: 119a8e708d16 ("IB/rdmavt: Add AH to rdmavt") +Signed-off-by: Dan Carpenter +Reviewed-by: Leon Romanovsky +Acked-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rdmavt/ah.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/sw/rdmavt/ah.c ++++ b/drivers/infiniband/sw/rdmavt/ah.c +@@ -119,7 +119,7 @@ struct ib_ah *rvt_create_ah(struct ib_pd + + spin_lock_irqsave(&dev->n_ahs_lock, flags); + if (dev->n_ahs_allocated == dev->dparms.props.max_ah) { +- spin_unlock(&dev->n_ahs_lock); ++ spin_unlock_irqrestore(&dev->n_ahs_lock, flags); + kfree(ah); + return ERR_PTR(-ENOMEM); + } diff --git a/queue-4.9/ib-rxe-don-t-clamp-residual-length-to-mtu.patch b/queue-4.9/ib-rxe-don-t-clamp-residual-length-to-mtu.patch new file mode 100644 index 00000000000..303f60acf4d --- /dev/null +++ b/queue-4.9/ib-rxe-don-t-clamp-residual-length-to-mtu.patch @@ -0,0 +1,72 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Johannes Thumshirn +Date: Thu, 6 Apr 2017 14:49:44 +0200 +Subject: IB/rxe: Don't clamp residual length to mtu + +From: Johannes Thumshirn + + +[ Upstream commit d52418502e288b5c7e9e2e6cf1de5f1d3d79d2e1 ] + +When reading a RDMA WRITE FIRST packet we copy the DMA length from the RDMA +header into the qp->resp.resid variable for later use. Later in check_rkey() +we clamp it to the MTU if the packet is an RDMA WRITE packet and has a +residual length bigger than the MTU. Later in write_data_in() we subtract the +payload of the packet from the residual length. If the packet happens to have a +payload of exactly the MTU size we end up with a residual length of 0 despite +the packet not being the last in the conversation. When the next packet in the +conversation arrives, we don't have any residual length left and thus set the QP +into an error state. + +This broke NVMe over Fabrics functionality over rdma_rxe.ko + +The patch was verified using the following test. + + # echo eth0 > /sys/module/rdma_rxe/parameters/add + # nvme connect -t rdma -a 192.168.155.101 -s 1023 -n nvmf-test + # mkfs.xfs -fK /dev/nvme0n1 + meta-data=/dev/nvme0n1 isize=256 agcount=4, agsize=65536 blks + = sectsz=4096 attr=2, projid32bit=1 + = crc=0 finobt=0, sparse=0 + data = bsize=4096 blocks=262144, imaxpct=25 + = sunit=0 swidth=0 blks + naming =version 2 bsize=4096 ascii-ci=0 ftype=1 + log =internal log bsize=4096 blocks=2560, version=2 + = sectsz=4096 sunit=1 blks, lazy-count=1 + realtime =none extsz=4096 blocks=0, rtextents=0 + # mount /dev/nvme0n1 /tmp/ + [ 148.923263] XFS (nvme0n1): Mounting V4 Filesystem + [ 148.961196] XFS (nvme0n1): Ending clean mount + # dd if=/dev/urandom of=test.bin bs=1M count=128 + 128+0 records in + 128+0 records out + 134217728 bytes (134 MB, 128 MiB) copied, 0.437991 s, 306 MB/s + # sha256sum test.bin + cde42941f045efa8c4f0f157ab6f29741753cdd8d1cff93a6b03649d83c4129a test.bin + # cp test.bin /tmp/ + sha256sum /tmp/test.bin + cde42941f045efa8c4f0f157ab6f29741753cdd8d1cff93a6b03649d83c4129a /tmp/test.bin + +Signed-off-by: Johannes Thumshirn +Cc: Hannes Reinecke +Cc: Sagi Grimberg +Cc: Max Gurtovoy +Acked-by: Moni Shoua +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rxe/rxe_resp.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/infiniband/sw/rxe/rxe_resp.c ++++ b/drivers/infiniband/sw/rxe/rxe_resp.c +@@ -471,8 +471,6 @@ static enum resp_states check_rkey(struc + state = RESPST_ERR_LENGTH; + goto err; + } +- +- qp->resp.resid = mtu; + } else { + if (pktlen != resid) { + state = RESPST_ERR_LENGTH; diff --git a/queue-4.9/ib-umem-fix-use-of-npages-nmap-fields.patch b/queue-4.9/ib-umem-fix-use-of-npages-nmap-fields.patch new file mode 100644 index 00000000000..c33e95c7b52 --- /dev/null +++ b/queue-4.9/ib-umem-fix-use-of-npages-nmap-fields.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Artemy Kovalyov +Date: Tue, 14 Nov 2017 14:51:59 +0200 +Subject: IB/umem: Fix use of npages/nmap fields + +From: Artemy Kovalyov + + +[ Upstream commit edf1a84fe37c51290e2c88154ecaf48dadff3d27 ] + +In ib_umem structure npages holds original number of sg entries, while +nmap is number of DMA blocks returned by dma_map_sg. + +Fixes: c5d76f130b28 ('IB/core: Add umem function to read data from user-space') +Signed-off-by: Artemy Kovalyov +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/umem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/umem.c ++++ b/drivers/infiniband/core/umem.c +@@ -357,7 +357,7 @@ int ib_umem_copy_from(void *dst, struct + return -EINVAL; + } + +- ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->nmap, dst, length, ++ ret = sg_pcopy_to_buffer(umem->sg_head.sgl, umem->npages, dst, length, + offset + ib_umem_offset(umem)); + + if (ret < 0) diff --git a/queue-4.9/ibmvnic-disable-irq-prior-to-close.patch b/queue-4.9/ibmvnic-disable-irq-prior-to-close.patch new file mode 100644 index 00000000000..4fef808a1b4 --- /dev/null +++ b/queue-4.9/ibmvnic-disable-irq-prior-to-close.patch @@ -0,0 +1,92 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Brian King +Date: Wed, 19 Apr 2017 13:45:10 -0400 +Subject: ibmvnic: Disable irq prior to close + +From: Brian King + + +[ Upstream commit dd9c20fa07ba5cfb5a0ab3181d68530506610605 ] + + Add some code to call disable_irq on all the vnic interface's irqs. + This fixes a crash observed when closing an active interface, as + seen in the oops below when we try to access a buffer in the interrupt + handler which we've already freed. + + Unable to handle kernel paging request for data at address 0x00000001 + Faulting instruction address: 0xd000000003886824 + Oops: Kernel access of bad area, sig: 11 [#1] + SMP NR_CPUS=2048 NUMA pSeries + Modules linked in: ibmvnic(OEN) rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag rpcsec_ + Supported: No, Unsupported modules are loaded + CPU: 8 PID: 0 Comm: swapper/8 Tainted: G OE NX 4.4.49-92.11-default #1 + task: c00000007f990110 ti: c0000000fffa0000 task.ti: c00000007f9b8000 + NIP: d000000003886824 LR: d000000003886824 CTR: c0000000007eff60 + REGS: c0000000fffa3a70 TRAP: 0300 Tainted: G OE NX (4.4.49-92.11-default) + MSR: 8000000000009033 CR: 22008042 XER: 20000008 + CFAR: c000000000008468 DAR: 0000000000000001 DSISR: 40000000 SOFTE: 0 + GPR00: d000000003886824 c0000000fffa3cf0 d000000003894118 0000000000000000 + GPR04: 0000000000000000 0000000000000000 c000000001249da0 0000000000000000 + GPR08: 000000000000000e 0000000000000000 c0000000ccb00000 d000000003889180 + GPR12: c0000000007eff60 c000000007af4c00 0000000000000001 c0000000010def30 + GPR16: c00000007f9b8000 c000000000b98c30 c00000007f9b8080 c000000000bab858 + GPR20: 0000000000000005 0000000000000000 c0000000ff5d7e80 c0000000f809f648 + GPR24: c0000000ff5d7ec8 0000000000000000 0000000000000000 c0000000ccb001a0 + GPR28: 000000000000000a c0000000f809f600 c0000000fd4cd900 c0000000f9cd5b00 + NIP [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic] + LR [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic] + Call Trace: + [c0000000fffa3cf0] [d000000003886824] ibmvnic_interrupt_tx+0x114/0x380 [ibmvnic] (unreliable) + [c0000000fffa3dd0] [c000000000132940] __handle_irq_event_percpu+0x90/0x2e0 + [c0000000fffa3e90] [c000000000132bcc] handle_irq_event_percpu+0x3c/0x90 + [c0000000fffa3ed0] [c000000000132c88] handle_irq_event+0x68/0xc0 + [c0000000fffa3f00] [c000000000137edc] handle_fasteoi_irq+0xec/0x250 + [c0000000fffa3f30] [c000000000131b04] generic_handle_irq+0x54/0x80 + [c0000000fffa3f60] [c000000000011190] __do_irq+0x80/0x1d0 + [c0000000fffa3f90] [c0000000000248d8] call_do_irq+0x14/0x24 + [c00000007f9bb9e0] [c000000000011380] do_IRQ+0xa0/0x120 + [c00000007f9bba40] [c000000000002594] hardware_interrupt_common+0x114/0x180 + +Signed-off-by: Brian King +Signed-off-by: Nathan Fontenot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/ibmvnic.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/net/ethernet/ibm/ibmvnic.c ++++ b/drivers/net/ethernet/ibm/ibmvnic.c +@@ -511,6 +511,23 @@ alloc_napi_failed: + return -ENOMEM; + } + ++static void disable_sub_crqs(struct ibmvnic_adapter *adapter) ++{ ++ int i; ++ ++ if (adapter->tx_scrq) { ++ for (i = 0; i < adapter->req_tx_queues; i++) ++ if (adapter->tx_scrq[i]) ++ disable_irq(adapter->tx_scrq[i]->irq); ++ } ++ ++ if (adapter->rx_scrq) { ++ for (i = 0; i < adapter->req_rx_queues; i++) ++ if (adapter->rx_scrq[i]) ++ disable_irq(adapter->rx_scrq[i]->irq); ++ } ++} ++ + static int ibmvnic_close(struct net_device *netdev) + { + struct ibmvnic_adapter *adapter = netdev_priv(netdev); +@@ -519,6 +536,7 @@ static int ibmvnic_close(struct net_devi + int i; + + adapter->closing = true; ++ disable_sub_crqs(adapter); + + for (i = 0; i < adapter->req_rx_queues; i++) + napi_disable(&adapter->napi[i]); diff --git a/queue-4.9/iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch b/queue-4.9/iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch new file mode 100644 index 00000000000..c51ad5c667e --- /dev/null +++ b/queue-4.9/iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Colin Ian King +Date: Wed, 19 Apr 2017 15:35:48 +0100 +Subject: iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value + +From: Colin Ian King + + +[ Upstream commit c894acc7bf400d039bf740420b22f0b71b7fb504 ] + +Ensure that when an invalid value in ret or value is found -EINVAL +is returned. A previous commit broke the way the return error is +being returned and instead caused the return code in ret to be +re-assigned rather than be returned. + +Fixes: 5d9854eaea776 ("iio: hid-sensor: Store restore poll and hysteresis on S3") +Signed-off-by: Colin Ian King +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c +@@ -215,7 +215,7 @@ int hid_sensor_write_samp_freq_value(str + ret = sensor_hub_set_feature(st->hsdev, st->poll.report_id, + st->poll.index, sizeof(value), &value); + if (ret < 0 || value < 0) +- ret = -EINVAL; ++ return -EINVAL; + + ret = sensor_hub_get_feature(st->hsdev, + st->poll.report_id, +@@ -265,7 +265,7 @@ int hid_sensor_write_raw_hyst_value(stru + st->sensitivity.index, sizeof(value), + &value); + if (ret < 0 || value < 0) +- ret = -EINVAL; ++ return -EINVAL; + + ret = sensor_hub_get_feature(st->hsdev, + st->sensitivity.report_id, diff --git a/queue-4.9/iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch b/queue-4.9/iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch new file mode 100644 index 00000000000..960796fdbf0 --- /dev/null +++ b/queue-4.9/iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch @@ -0,0 +1,78 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Shrirang Bagul +Date: Wed, 19 Apr 2017 22:05:00 +0800 +Subject: iio: st_pressure: st_accel: Initialise sensor platform data properly + +From: Shrirang Bagul + + +[ Upstream commit 7383d44b84c94aaca4bf695a6bd8a69f2295ef1a ] + +This patch fixes the sensor platform data initialisation for st_pressure +and st_accel device drivers. Without this patch, the driver fails to +register the sensors when the user removes and re-loads the driver. + +1. Unload the kernel modules for st_pressure +$ sudo rmmod st_pressure_i2c +$ sudo rmmod st_pressure + +2. Re-load the driver +$ sudo insmod st_pressure +$ sudo insmod st_pressure_i2c + +Signed-off-by: Jonathan Cameron +Acked-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/st_accel_core.c | 7 ++++--- + drivers/iio/pressure/st_pressure_core.c | 8 ++++---- + 2 files changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/iio/accel/st_accel_core.c ++++ b/drivers/iio/accel/st_accel_core.c +@@ -827,6 +827,8 @@ static const struct iio_trigger_ops st_a + int st_accel_common_probe(struct iio_dev *indio_dev) + { + struct st_sensor_data *adata = iio_priv(indio_dev); ++ struct st_sensors_platform_data *pdata = ++ (struct st_sensors_platform_data *)adata->dev->platform_data; + int irq = adata->get_irq_data_ready(indio_dev); + int err; + +@@ -853,9 +855,8 @@ int st_accel_common_probe(struct iio_dev + &adata->sensor_settings->fs.fs_avl[0]; + adata->odr = adata->sensor_settings->odr.odr_avl[0].hz; + +- if (!adata->dev->platform_data) +- adata->dev->platform_data = +- (struct st_sensors_platform_data *)&default_accel_pdata; ++ if (!pdata) ++ pdata = (struct st_sensors_platform_data *)&default_accel_pdata; + + err = st_sensors_init_sensor(indio_dev, adata->dev->platform_data); + if (err < 0) +--- a/drivers/iio/pressure/st_pressure_core.c ++++ b/drivers/iio/pressure/st_pressure_core.c +@@ -638,6 +638,8 @@ static const struct iio_trigger_ops st_p + int st_press_common_probe(struct iio_dev *indio_dev) + { + struct st_sensor_data *press_data = iio_priv(indio_dev); ++ struct st_sensors_platform_data *pdata = ++ (struct st_sensors_platform_data *)press_data->dev->platform_data; + int irq = press_data->get_irq_data_ready(indio_dev); + int err; + +@@ -673,10 +675,8 @@ int st_press_common_probe(struct iio_dev + press_data->odr = press_data->sensor_settings->odr.odr_avl[0].hz; + + /* Some devices don't support a data ready pin. */ +- if (!press_data->dev->platform_data && +- press_data->sensor_settings->drdy_irq.addr) +- press_data->dev->platform_data = +- (struct st_sensors_platform_data *)&default_press_pdata; ++ if (!pdata && press_data->sensor_settings->drdy_irq.addr) ++ pdata = (struct st_sensors_platform_data *)&default_press_pdata; + + err = st_sensors_init_sensor(indio_dev, press_data->dev->platform_data); + if (err < 0) diff --git a/queue-4.9/infiniband-uverbs-fix-integer-overflows.patch b/queue-4.9/infiniband-uverbs-fix-integer-overflows.patch new file mode 100644 index 00000000000..9180e9bab0f --- /dev/null +++ b/queue-4.9/infiniband-uverbs-fix-integer-overflows.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Vlad Tsyrklevich +Date: Fri, 24 Mar 2017 15:55:17 -0400 +Subject: infiniband/uverbs: Fix integer overflows + +From: Vlad Tsyrklevich + + +[ Upstream commit 4f7f4dcfff2c19debbcdbcc861c325610a15e0c5 ] + +The 'num_sge' variable is verfied to be smaller than the 'sge_count' +variable; however, since both are user-controlled it's possible to cause +an integer overflow for the kmalloc multiply on 32-bit platforms +(num_sge and sge_count are both defined u32). By crafting an input that +causes a smaller-than-expected allocation it's possible to write +controlled data out-of-bounds. + +Signed-off-by: Vlad Tsyrklevich +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_cmd.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2491,9 +2491,13 @@ ssize_t ib_uverbs_destroy_qp(struct ib_u + + static void *alloc_wr(size_t wr_size, __u32 num_sge) + { ++ if (num_sge >= (U32_MAX - ALIGN(wr_size, sizeof (struct ib_sge))) / ++ sizeof (struct ib_sge)) ++ return NULL; ++ + return kmalloc(ALIGN(wr_size, sizeof (struct ib_sge)) + + num_sge * sizeof (struct ib_sge), GFP_KERNEL); +-}; ++} + + ssize_t ib_uverbs_post_send(struct ib_uverbs_file *file, + struct ib_device *ib_dev, +@@ -2719,6 +2723,13 @@ static struct ib_recv_wr *ib_uverbs_unma + ret = -EINVAL; + goto err; + } ++ ++ if (user_wr->num_sge >= ++ (U32_MAX - ALIGN(sizeof *next, sizeof (struct ib_sge))) / ++ sizeof (struct ib_sge)) { ++ ret = -EINVAL; ++ goto err; ++ } + + next = kmalloc(ALIGN(sizeof *next, sizeof (struct ib_sge)) + + user_wr->num_sge * sizeof (struct ib_sge), diff --git a/queue-4.9/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch b/queue-4.9/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch new file mode 100644 index 00000000000..b40447bd7fb --- /dev/null +++ b/queue-4.9/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dmitry Torokhov +Date: Mon, 12 Dec 2016 15:32:57 -0800 +Subject: Input: ar1021_i2c - fix too long name in driver's device table + +From: Dmitry Torokhov + + +[ Upstream commit 95123fc43560d6f4a60e74f72836e63cd8848f76 ] + +The name field in structure i2c_device_id is 20 characters, and we expect +it to be NULL-terminated, however we are trying to stuff it with 21 bytes +and thus NULL-terminator is lost. This causes issues when one creates +device with name "MICROCHIP_AR1021_I2C" as i2c core cuts off the last "C", +and automatic module loading by alias does not work as result. + +The -I2C suffix in the device name is superfluous, we know what bus we are +dealing with, so let's drop it. Also, no other driver uses capitals, and +the manufacturer name is normally not included, except in very rare cases +of incompatible name collisions. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116211 +Fixes: dd4cae8bf166 ("Input: Add Microchip AR1021 i2c touchscreen") +Reviewed-By: Christian Gmeiner +Tested-by: Martin Kepplinger +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/ar1021_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/ar1021_i2c.c ++++ b/drivers/input/touchscreen/ar1021_i2c.c +@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_res + static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume); + + static const struct i2c_device_id ar1021_i2c_id[] = { +- { "MICROCHIP_AR1021_I2C", 0 }, ++ { "ar1021", 0 }, + { }, + }; + MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id); diff --git a/queue-4.9/input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch b/queue-4.9/input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch new file mode 100644 index 00000000000..d3119cf3a68 --- /dev/null +++ b/queue-4.9/input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Sebastian Reichel +Date: Fri, 28 Apr 2017 10:25:51 -0700 +Subject: Input: twl4030-pwrbutton - use correct device for irq request + +From: Sebastian Reichel + + +[ Upstream commit 3071e9dd6cd3f2290d770117330f2c8b2e9a97e4 ] + +The interrupt should be requested for the platform device +and not for the input device. + +Fixes: 7f9ce649d267 ("Input: twl4030-pwrbutton - simplify driver using devm_*") +Signed-off-by: Sebastian Reichel +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/twl4030-pwrbutton.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/misc/twl4030-pwrbutton.c ++++ b/drivers/input/misc/twl4030-pwrbutton.c +@@ -70,7 +70,7 @@ static int twl4030_pwrbutton_probe(struc + pwr->phys = "twl4030_pwrbutton/input0"; + pwr->dev.parent = &pdev->dev; + +- err = devm_request_threaded_irq(&pwr->dev, irq, NULL, powerbutton_irq, ++ err = devm_request_threaded_irq(&pdev->dev, irq, NULL, powerbutton_irq, + IRQF_TRIGGER_FALLING | IRQF_TRIGGER_RISING | + IRQF_ONESHOT, + "twl4030_pwrbutton", pwr); diff --git a/queue-4.9/iommu-omap-register-driver-before-setting-iommu-ops.patch b/queue-4.9/iommu-omap-register-driver-before-setting-iommu-ops.patch new file mode 100644 index 00000000000..2b3e129a785 --- /dev/null +++ b/queue-4.9/iommu-omap-register-driver-before-setting-iommu-ops.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Suman Anna +Date: Wed, 12 Apr 2017 00:21:26 -0500 +Subject: iommu/omap: Register driver before setting IOMMU ops + +From: Suman Anna + + +[ Upstream commit abaa7e5b054aae567861628b74dbc7fbf8ed79e8 ] + +Move the registration of the OMAP IOMMU platform driver before +setting the IOMMU callbacks on the platform bus. This causes +the IOMMU devices to be probed first before the .add_device() +callback is invoked for all registered devices, and allows +the iommu_group support to be added to the OMAP IOMMU driver. + +While at this, also check for the return status from bus_set_iommu. + +Signed-off-by: Suman Anna +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/omap-iommu.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/omap-iommu.c ++++ b/drivers/iommu/omap-iommu.c +@@ -1299,6 +1299,7 @@ static int __init omap_iommu_init(void) + const unsigned long flags = SLAB_HWCACHE_ALIGN; + size_t align = 1 << 10; /* L2 pagetable alignement */ + struct device_node *np; ++ int ret; + + np = of_find_matching_node(NULL, omap_iommu_of_match); + if (!np) +@@ -1312,11 +1313,25 @@ static int __init omap_iommu_init(void) + return -ENOMEM; + iopte_cachep = p; + +- bus_set_iommu(&platform_bus_type, &omap_iommu_ops); +- + omap_iommu_debugfs_init(); + +- return platform_driver_register(&omap_iommu_driver); ++ ret = platform_driver_register(&omap_iommu_driver); ++ if (ret) { ++ pr_err("%s: failed to register driver\n", __func__); ++ goto fail_driver; ++ } ++ ++ ret = bus_set_iommu(&platform_bus_type, &omap_iommu_ops); ++ if (ret) ++ goto fail_bus; ++ ++ return 0; ++ ++fail_bus: ++ platform_driver_unregister(&omap_iommu_driver); ++fail_driver: ++ kmem_cache_destroy(iopte_cachep); ++ return ret; + } + subsys_initcall(omap_iommu_init); + /* must be ready before omap3isp is probed */ diff --git a/queue-4.9/iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch b/queue-4.9/iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch new file mode 100644 index 00000000000..1b47b535b4f --- /dev/null +++ b/queue-4.9/iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch @@ -0,0 +1,130 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Jerry Snitselaar +Date: Wed, 20 Dec 2017 09:48:56 -0700 +Subject: iommu/vt-d: clean up pr_irq if request_threaded_irq fails + +From: Jerry Snitselaar + + +[ Upstream commit 72d548113881dd32bf7f0b221d031e6586468437 ] + +It is unlikely request_threaded_irq will fail, but if it does for some +reason we should clear iommu->pr_irq in the error path. Also +intel_svm_finish_prq shouldn't try to clean up the page request +interrupt if pr_irq is 0. Without these, if request_threaded_irq were +to fail the following occurs: + +fail with no fixes: + +[ 0.683147] ------------[ cut here ]------------ +[ 0.683148] NULL pointer, cannot free irq +[ 0.683158] WARNING: CPU: 1 PID: 1 at kernel/irq/irqdomain.c:1632 irq_domain_free_irqs+0x126/0x140 +[ 0.683160] Modules linked in: +[ 0.683163] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #3 +[ 0.683165] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017 +[ 0.683168] RIP: 0010:irq_domain_free_irqs+0x126/0x140 +[ 0.683169] RSP: 0000:ffffc90000037ce8 EFLAGS: 00010292 +[ 0.683171] RAX: 000000000000001d RBX: ffff880276283c00 RCX: ffffffff81c5e5e8 +[ 0.683172] RDX: 0000000000000001 RSI: 0000000000000096 RDI: 0000000000000246 +[ 0.683174] RBP: ffff880276283c00 R08: 0000000000000000 R09: 000000000000023c +[ 0.683175] R10: 0000000000000007 R11: 0000000000000000 R12: 000000000000007a +[ 0.683176] R13: 0000000000000001 R14: 0000000000000000 R15: 0000010010000000 +[ 0.683178] FS: 0000000000000000(0000) GS:ffff88027ec80000(0000) knlGS:0000000000000000 +[ 0.683180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.683181] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0 +[ 0.683182] Call Trace: +[ 0.683189] intel_svm_finish_prq+0x3c/0x60 +[ 0.683191] free_dmar_iommu+0x1ac/0x1b0 +[ 0.683195] init_dmars+0xaaa/0xaea +[ 0.683200] ? klist_next+0x19/0xc0 +[ 0.683203] ? pci_do_find_bus+0x50/0x50 +[ 0.683205] ? pci_get_dev_by_id+0x52/0x70 +[ 0.683208] intel_iommu_init+0x498/0x5c7 +[ 0.683211] pci_iommu_init+0x13/0x3c +[ 0.683214] ? e820__memblock_setup+0x61/0x61 +[ 0.683217] do_one_initcall+0x4d/0x1a0 +[ 0.683220] kernel_init_freeable+0x186/0x20e +[ 0.683222] ? set_debug_rodata+0x11/0x11 +[ 0.683225] ? rest_init+0xb0/0xb0 +[ 0.683226] kernel_init+0xa/0xff +[ 0.683229] ret_from_fork+0x1f/0x30 +[ 0.683259] Code: 89 ee 44 89 e7 e8 3b e8 ff ff 5b 5d 44 89 e7 44 89 ee 41 5c 41 5d 41 5e e9 a8 84 ff ff 48 c7 c7 a8 71 a7 81 31 c0 e8 6a d3 f9 ff <0f> ff 5b 5d 41 5c 41 5d 41 5 +e c3 0f 1f 44 00 00 66 2e 0f 1f 84 +[ 0.683285] ---[ end trace f7650e42792627ca ]--- + +with iommu->pr_irq = 0, but no check in intel_svm_finish_prq: + +[ 0.669561] ------------[ cut here ]------------ +[ 0.669563] Trying to free already-free IRQ 0 +[ 0.669573] WARNING: CPU: 3 PID: 1 at kernel/irq/manage.c:1546 __free_irq+0xa4/0x2c0 +[ 0.669574] Modules linked in: +[ 0.669577] CPU: 3 PID: 1 Comm: swapper/0 Not tainted 4.15.0-rc2 #4 +[ 0.669579] Hardware name: /NUC7i3BNB, BIOS BNKBL357.86A.0036.2017.0105.1112 01/05/2017 +[ 0.669581] RIP: 0010:__free_irq+0xa4/0x2c0 +[ 0.669582] RSP: 0000:ffffc90000037cc0 EFLAGS: 00010082 +[ 0.669584] RAX: 0000000000000021 RBX: 0000000000000000 RCX: ffffffff81c5e5e8 +[ 0.669585] RDX: 0000000000000001 RSI: 0000000000000086 RDI: 0000000000000046 +[ 0.669587] RBP: 0000000000000000 R08: 0000000000000000 R09: 000000000000023c +[ 0.669588] R10: 0000000000000007 R11: 0000000000000000 R12: ffff880276253960 +[ 0.669589] R13: ffff8802762538a4 R14: ffff880276253800 R15: ffff880276283600 +[ 0.669593] FS: 0000000000000000(0000) GS:ffff88027ed80000(0000) knlGS:0000000000000000 +[ 0.669594] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 0.669596] CR2: 0000000000000000 CR3: 0000000001c09001 CR4: 00000000003606e0 +[ 0.669602] Call Trace: +[ 0.669616] free_irq+0x30/0x60 +[ 0.669620] intel_svm_finish_prq+0x34/0x60 +[ 0.669623] free_dmar_iommu+0x1ac/0x1b0 +[ 0.669627] init_dmars+0xaaa/0xaea +[ 0.669631] ? klist_next+0x19/0xc0 +[ 0.669634] ? pci_do_find_bus+0x50/0x50 +[ 0.669637] ? pci_get_dev_by_id+0x52/0x70 +[ 0.669639] intel_iommu_init+0x498/0x5c7 +[ 0.669642] pci_iommu_init+0x13/0x3c +[ 0.669645] ? e820__memblock_setup+0x61/0x61 +[ 0.669648] do_one_initcall+0x4d/0x1a0 +[ 0.669651] kernel_init_freeable+0x186/0x20e +[ 0.669653] ? set_debug_rodata+0x11/0x11 +[ 0.669656] ? rest_init+0xb0/0xb0 +[ 0.669658] kernel_init+0xa/0xff +[ 0.669661] ret_from_fork+0x1f/0x30 +[ 0.669662] Code: 7a 08 75 0e e9 c3 01 00 00 4c 39 7b 08 74 57 48 89 da 48 8b 5a 18 48 85 db 75 ee 89 ee 48 c7 c7 78 67 a7 81 31 c0 e8 4c 37 fa ff <0f> ff 48 8b 34 24 4c 89 ef e +8 0e 4c 68 00 49 8b 46 40 48 8b 80 +[ 0.669688] ---[ end trace 58a470248700f2fc ]--- + +Cc: Alex Williamson +Cc: Joerg Roedel +Cc: Ashok Raj +Signed-off-by: Jerry Snitselaar +Reviewed-by: Ashok Raj +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/intel-svm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/iommu/intel-svm.c ++++ b/drivers/iommu/intel-svm.c +@@ -127,6 +127,7 @@ int intel_svm_enable_prq(struct intel_io + pr_err("IOMMU: %s: Failed to request IRQ for page request queue\n", + iommu->name); + dmar_free_hwirq(irq); ++ iommu->pr_irq = 0; + goto err; + } + dmar_writeq(iommu->reg + DMAR_PQH_REG, 0ULL); +@@ -142,9 +143,11 @@ int intel_svm_finish_prq(struct intel_io + dmar_writeq(iommu->reg + DMAR_PQT_REG, 0ULL); + dmar_writeq(iommu->reg + DMAR_PQA_REG, 0ULL); + +- free_irq(iommu->pr_irq, iommu); +- dmar_free_hwirq(iommu->pr_irq); +- iommu->pr_irq = 0; ++ if (iommu->pr_irq) { ++ free_irq(iommu->pr_irq, iommu); ++ dmar_free_hwirq(iommu->pr_irq); ++ iommu->pr_irq = 0; ++ } + + free_pages((unsigned long)iommu->prq, PRQ_ORDER); + iommu->prq = NULL; diff --git a/queue-4.9/ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch b/queue-4.9/ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch new file mode 100644 index 00000000000..d999e8a0322 --- /dev/null +++ b/queue-4.9/ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch @@ -0,0 +1,87 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Alexey Kodanev +Date: Tue, 19 Dec 2017 16:59:21 +0300 +Subject: ip6_vti: adjust vti mtu according to mtu of lower device + +From: Alexey Kodanev + + +[ Upstream commit 53c81e95df1793933f87748d36070a721f6cb287 ] + +LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over +ip6_vti that require fragmentation and the underlying device has an +MTU smaller than 1500 plus some extra space for headers. This happens +because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating +it depending on a destination address or link parameter. Further +attempts to send UDP packets may succeed because pmtu gets updated on +ICMPV6_PKT_TOOBIG in vti6_err(). + +In case the lower device has larger MTU size, e.g. 9000, ip6_vti works +but not using the possible maximum size, output packets have 1500 limit. + +The above cases require manual MTU setup after ip6_vti creation. However +ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev(). + +Here is the example when the lower device MTU is set to 9000: + + # ip a sh ltp_ns_veth2 + ltp_ns_veth2@if7: mtu 9000 ... + inet 10.0.0.2/24 scope global ltp_ns_veth2 + inet6 fd00::2/64 scope global + + # ip li add vti6 type vti6 local fd00::2 remote fd00::1 + # ip li show vti6 + vti6@NONE: mtu 1500 ... + link/tunnel6 fd00::2 peer fd00::1 + +After the patch: + # ip li add vti6 type vti6 local fd00::2 remote fd00::1 + # ip li show vti6 + vti6@NONE: mtu 8832 ... + link/tunnel6 fd00::2 peer fd00::1 + +Reported-by: Petr Vorel +Signed-off-by: Alexey Kodanev +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_vti.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/net/ipv6/ip6_vti.c ++++ b/net/ipv6/ip6_vti.c +@@ -625,6 +625,7 @@ static void vti6_link_config(struct ip6_ + { + struct net_device *dev = t->dev; + struct __ip6_tnl_parm *p = &t->parms; ++ struct net_device *tdev = NULL; + + memcpy(dev->dev_addr, &p->laddr, sizeof(struct in6_addr)); + memcpy(dev->broadcast, &p->raddr, sizeof(struct in6_addr)); +@@ -637,6 +638,25 @@ static void vti6_link_config(struct ip6_ + dev->flags |= IFF_POINTOPOINT; + else + dev->flags &= ~IFF_POINTOPOINT; ++ ++ if (p->flags & IP6_TNL_F_CAP_XMIT) { ++ int strict = (ipv6_addr_type(&p->raddr) & ++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL)); ++ struct rt6_info *rt = rt6_lookup(t->net, ++ &p->raddr, &p->laddr, ++ p->link, strict); ++ ++ if (rt) ++ tdev = rt->dst.dev; ++ ip6_rt_put(rt); ++ } ++ ++ if (!tdev && p->link) ++ tdev = __dev_get_by_index(t->net, p->link); ++ ++ if (tdev) ++ dev->mtu = max_t(int, tdev->mtu - dev->hard_header_len, ++ IPV6_MIN_MTU); + } + + /** diff --git a/queue-4.9/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch b/queue-4.9/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch new file mode 100644 index 00000000000..cc9dbfd216d --- /dev/null +++ b/queue-4.9/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Robert Lippert +Date: Thu, 20 Apr 2017 16:49:47 -0700 +Subject: ipmi/watchdog: fix wdog hang on panic waiting for ipmi response + +From: Robert Lippert + + +[ Upstream commit 2c1175c2e8e5487233cabde358a19577562ac83e ] + +Commit c49c097610fe ("ipmi: Don't call receive handler in the +panic context") means that the panic_recv_free is not called during a +panic and the atomic count does not drop to 0. + +Fix this by only expecting one decrement of the atomic variable +which comes from panic_smi_free. + +Signed-off-by: Robert Lippert +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_watchdog.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -515,7 +515,7 @@ static void panic_halt_ipmi_heartbeat(vo + msg.cmd = IPMI_WDOG_RESET_TIMER; + msg.data = NULL; + msg.data_len = 0; +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = ipmi_request_supply_msgs(watchdog_user, + (struct ipmi_addr *) &addr, + 0, +@@ -525,7 +525,7 @@ static void panic_halt_ipmi_heartbeat(vo + &panic_halt_heartbeat_recv_msg, + 1); + if (rv) +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + } + + static struct ipmi_smi_msg panic_halt_smi_msg = { +@@ -549,12 +549,12 @@ static void panic_halt_ipmi_set_timeout( + /* Wait for the messages to be free. */ + while (atomic_read(&panic_done_count) != 0) + ipmi_poll_interface(watchdog_user); +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = i_ipmi_set_timeout(&panic_halt_smi_msg, + &panic_halt_recv_msg, + &send_heartbeat_now); + if (rv) { +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + printk(KERN_WARNING PFX + "Unable to extend the watchdog timeout."); + } else { diff --git a/queue-4.9/ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch b/queue-4.9/ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch new file mode 100644 index 00000000000..4f2bd196332 --- /dev/null +++ b/queue-4.9/ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch @@ -0,0 +1,83 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Paolo Abeni +Date: Thu, 20 Apr 2017 11:44:16 +0200 +Subject: ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled + +From: Paolo Abeni + + +[ Upstream commit 1442f6f7c1b77de1c508318164a527e240c24a4d ] + +When creating a new ipvs service, ipv6 addresses are always accepted +if CONFIG_IP_VS_IPV6 is enabled. On dest creation the address family +is not explicitly checked. + +This allows the user-space to configure ipvs services even if the +system is booted with ipv6.disable=1. On specific configuration, ipvs +can try to call ipv6 routing code at setup time, causing the kernel to +oops due to fib6_rules_ops being NULL. + +This change addresses the issue adding a check for the ipv6 +module being enabled while validating ipv6 service operations and +adding the same validation for dest operations. + +According to git history, this issue is apparently present since +the introduction of ipv6 support, and the oops can be triggered +since commit 09571c7ae30865ad ("IPVS: Add function to determine +if IPv6 address is local") + +Fixes: 09571c7ae30865ad ("IPVS: Add function to determine if IPv6 address is local") +Signed-off-by: Paolo Abeni +Acked-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/ipvs/ip_vs_ctl.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -3092,6 +3092,17 @@ nla_put_failure: + return skb->len; + } + ++static bool ip_vs_is_af_valid(int af) ++{ ++ if (af == AF_INET) ++ return true; ++#ifdef CONFIG_IP_VS_IPV6 ++ if (af == AF_INET6 && ipv6_mod_enabled()) ++ return true; ++#endif ++ return false; ++} ++ + static int ip_vs_genl_parse_service(struct netns_ipvs *ipvs, + struct ip_vs_service_user_kern *usvc, + struct nlattr *nla, int full_entry, +@@ -3118,11 +3129,7 @@ static int ip_vs_genl_parse_service(stru + memset(usvc, 0, sizeof(*usvc)); + + usvc->af = nla_get_u16(nla_af); +-#ifdef CONFIG_IP_VS_IPV6 +- if (usvc->af != AF_INET && usvc->af != AF_INET6) +-#else +- if (usvc->af != AF_INET) +-#endif ++ if (!ip_vs_is_af_valid(usvc->af)) + return -EAFNOSUPPORT; + + if (nla_fwmark) { +@@ -3624,6 +3631,11 @@ static int ip_vs_genl_set_cmd(struct sk_ + if (udest.af == 0) + udest.af = svc->af; + ++ if (!ip_vs_is_af_valid(udest.af)) { ++ ret = -EAFNOSUPPORT; ++ goto out; ++ } ++ + if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) { + /* The synchronization protocol is incompatible + * with mixed family services diff --git a/queue-4.9/irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch b/queue-4.9/irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch new file mode 100644 index 00000000000..fbe85e4ad12 --- /dev/null +++ b/queue-4.9/irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch @@ -0,0 +1,102 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Paul Burton +Date: Thu, 20 Apr 2017 10:07:34 +0100 +Subject: irqchip/mips-gic: Separate IPI reservation & usage tracking + +From: Paul Burton + + +[ Upstream commit f8dcd9e81797ae24acc44c84f0eb3b9e6cee9791 ] + +Since commit 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy +domain") introduced the GIC IPI IRQ domain we have tracked both +reservation of interrupts & their use with a single bitmap - ipi_resrv. +If an interrupt is reserved for use as an IPI but not actually in use +then the appropriate bit is set in ipi_resrv. If an interrupt is either +not reserved for use as an IPI or has been allocated as one then the +appropriate bit is clear in ipi_resrv. + +Unfortunately this means that checking whether a bit is set in ipi_resrv +to prevent IPI interrupts being allocated for use with a device is +broken, because if the interrupt has been allocated as an IPI first then +its bit will be clear. + +Fix this by separating the tracking of IPI reservation & usage, +introducing a separate ipi_available bitmap for the latter. This means +that ipi_resrv will now always have bits set corresponding to all +interrupts reserved for use as IPIs, whether or not they have been +allocated yet, and therefore that checking it when allocating device +interrupts works as expected. + +Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain") +Signed-off-by: Paul Burton +Signed-off-by: Matt Redfearn +Cc: linux-mips@linux-mips.org +Cc: Jason Cooper +Cc: Marc Zyngier +Cc: Ralf Baechle +Link: http://lkml.kernel.org/r/1492679256-14513-2-git-send-email-matt.redfearn@imgtec.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-mips-gic.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/irqchip/irq-mips-gic.c ++++ b/drivers/irqchip/irq-mips-gic.c +@@ -55,6 +55,7 @@ static unsigned int gic_cpu_pin; + static unsigned int timer_cpu_pin; + static struct irq_chip gic_level_irq_controller, gic_edge_irq_controller; + DECLARE_BITMAP(ipi_resrv, GIC_MAX_INTRS); ++DECLARE_BITMAP(ipi_available, GIC_MAX_INTRS); + + static void __gic_irq_dispatch(void); + +@@ -746,17 +747,17 @@ static int gic_irq_domain_alloc(struct i + + return gic_setup_dev_chip(d, virq, spec->hwirq); + } else { +- base_hwirq = find_first_bit(ipi_resrv, gic_shared_intrs); ++ base_hwirq = find_first_bit(ipi_available, gic_shared_intrs); + if (base_hwirq == gic_shared_intrs) { + return -ENOMEM; + } + + /* check that we have enough space */ + for (i = base_hwirq; i < nr_irqs; i++) { +- if (!test_bit(i, ipi_resrv)) ++ if (!test_bit(i, ipi_available)) + return -EBUSY; + } +- bitmap_clear(ipi_resrv, base_hwirq, nr_irqs); ++ bitmap_clear(ipi_available, base_hwirq, nr_irqs); + + /* map the hwirq for each cpu consecutively */ + i = 0; +@@ -787,7 +788,7 @@ static int gic_irq_domain_alloc(struct i + + return 0; + error: +- bitmap_set(ipi_resrv, base_hwirq, nr_irqs); ++ bitmap_set(ipi_available, base_hwirq, nr_irqs); + return ret; + } + +@@ -802,7 +803,7 @@ void gic_irq_domain_free(struct irq_doma + return; + + base_hwirq = GIC_HWIRQ_TO_SHARED(irqd_to_hwirq(data)); +- bitmap_set(ipi_resrv, base_hwirq, nr_irqs); ++ bitmap_set(ipi_available, base_hwirq, nr_irqs); + } + + int gic_irq_domain_match(struct irq_domain *d, struct device_node *node, +@@ -1066,6 +1067,7 @@ static void __init __gic_init(unsigned l + 2 * gic_vpes); + } + ++ bitmap_copy(ipi_available, ipi_resrv, GIC_MAX_INTRS); + gic_basic_init(); + } + diff --git a/queue-4.9/iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch b/queue-4.9/iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch new file mode 100644 index 00000000000..2957d187c44 --- /dev/null +++ b/queue-4.9/iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch @@ -0,0 +1,85 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Bharat Potnuri +Date: Tue, 28 Nov 2017 23:58:07 +0530 +Subject: iser-target: avoid reinitializing rdma contexts for isert commands + +From: Bharat Potnuri + + +[ Upstream commit 66f53e6f5400578bae58db0c06d85a8820831f40 ] + +isert commands that failed during isert_rdma_rw_ctx_post() are queued to +Queue-Full(QF) queue and are scheduled to be reposted during queue-full +queue processing. During this reposting, the rdma contexts are initialised +again in isert_rdma_rw_ctx_post(), which is leaking significant memory. + +unreferenced object 0xffff8830201d9640 (size 64): + comm "kworker/0:2", pid 195, jiffies 4295374851 (age 4528.436s) + hex dump (first 32 bytes): + 00 60 8b cb 2e 00 00 00 00 10 00 00 00 00 00 00 .`.............. + 00 90 e3 cb 2e 00 00 00 00 10 00 00 00 00 00 00 ................ + backtrace: + [] kmemleak_alloc+0x4e/0xb0 + [] __kmalloc+0x125/0x2b0 + [] rdma_rw_ctx_init+0x15f/0x6f0 [ib_core] + [] isert_rdma_rw_ctx_post+0xc4/0x3c0 [ib_isert] + [] isert_put_datain+0x112/0x1c0 [ib_isert] + [] lio_queue_data_in+0x2e/0x30 [iscsi_target_mod] + [] target_qf_do_work+0x2b2/0x4b0 [target_core_mod] + [] process_one_work+0x1db/0x5d0 + [] worker_thread+0x4d/0x3e0 + [] kthread+0x117/0x150 + [] ret_from_fork+0x27/0x40 + [] 0xffffffffffffffff + +Here is patch to use the older rdma contexts while reposting +the isert commands intead of reinitialising them. + +Signed-off-by: Potnuri Bharat Teja +Reviewed-by: Sagi Grimberg +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/isert/ib_isert.c | 7 +++++++ + drivers/infiniband/ulp/isert/ib_isert.h | 1 + + 2 files changed, 8 insertions(+) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2098,6 +2098,9 @@ isert_rdma_rw_ctx_post(struct isert_cmd + u32 rkey, offset; + int ret; + ++ if (cmd->ctx_init_done) ++ goto rdma_ctx_post; ++ + if (dir == DMA_FROM_DEVICE) { + addr = cmd->write_va; + rkey = cmd->write_stag; +@@ -2125,11 +2128,15 @@ isert_rdma_rw_ctx_post(struct isert_cmd + se_cmd->t_data_sg, se_cmd->t_data_nents, + offset, addr, rkey, dir); + } ++ + if (ret < 0) { + isert_err("Cmd: %p failed to prepare RDMA res\n", cmd); + return ret; + } + ++ cmd->ctx_init_done = true; ++ ++rdma_ctx_post: + ret = rdma_rw_ctx_post(&cmd->rw, conn->qp, port_num, cqe, chain_wr); + if (ret < 0) + isert_err("Cmd: %p failed to post RDMA res\n", cmd); +--- a/drivers/infiniband/ulp/isert/ib_isert.h ++++ b/drivers/infiniband/ulp/isert/ib_isert.h +@@ -124,6 +124,7 @@ struct isert_cmd { + struct rdma_rw_ctx rw; + struct work_struct comp_work; + struct scatterlist sg; ++ bool ctx_init_done; + }; + + static inline struct isert_cmd *tx_desc_to_cmd(struct iser_tx_desc *desc) diff --git a/queue-4.9/iwlwifi-a000-fix-memory-offsets-and-lengths.patch b/queue-4.9/iwlwifi-a000-fix-memory-offsets-and-lengths.patch new file mode 100644 index 00000000000..9fd1eef43f8 --- /dev/null +++ b/queue-4.9/iwlwifi-a000-fix-memory-offsets-and-lengths.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Liad Kaufman +Date: Sun, 19 Feb 2017 10:42:40 +0200 +Subject: iwlwifi: a000: fix memory offsets and lengths + +From: Liad Kaufman + + +[ Upstream commit f4d1047914ea05e0f8393944da18f6ee5dad24c4 ] + +Memory offsets and lengths for A000 HW is different +than currently specified. + +Fixes: e34d975e40ff ("iwlwifi: Add a000 HW family support") +Signed-off-by: Liad Kaufman +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-a000.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-a000.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-a000.c +@@ -65,12 +65,12 @@ + #define IWL_A000_TX_POWER_VERSION 0xffff /* meaningless */ + + /* Memory offsets and lengths */ +-#define IWL_A000_DCCM_OFFSET 0x800000 +-#define IWL_A000_DCCM_LEN 0x18000 ++#define IWL_A000_DCCM_OFFSET 0x800000 /* LMAC1 */ ++#define IWL_A000_DCCM_LEN 0x10000 /* LMAC1 */ + #define IWL_A000_DCCM2_OFFSET 0x880000 + #define IWL_A000_DCCM2_LEN 0x8000 + #define IWL_A000_SMEM_OFFSET 0x400000 +-#define IWL_A000_SMEM_LEN 0x68000 ++#define IWL_A000_SMEM_LEN 0xD0000 + + #define IWL_A000_FW_PRE "iwlwifi-Qu-a0-jf-b0-" + #define IWL_A000_MODULE_FIRMWARE(api) \ diff --git a/queue-4.9/iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch b/queue-4.9/iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch new file mode 100644 index 00000000000..e39a9faebf8 --- /dev/null +++ b/queue-4.9/iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch @@ -0,0 +1,167 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Emmanuel Grumbach +Date: Mon, 13 Feb 2017 11:29:16 +0200 +Subject: iwlwifi: split the handler and the wake parts of the notification infra + +From: Emmanuel Grumbach + + +[ Upstream commit 2220fb2960b72915e7fd9da640a4695dceff238c ] + +The notification infrastructure (iwl_notification_wait_* +functions) allows to wait until a list of notifications +will come up from the firmware and to run a special handler +(notif_wait handler) when those are received. + +The operation mode notifies the notification infrastructure +about any Rx being received by the mean of +iwl_notification_wait_notify() which will do two things: +1) call the notif_wait handler +2) wakeup the thread that was waiting for the notification + +Typically, only after those two steps happened, the +operation mode will run its own handler for the notification +that was received from the firmware. This means that the +thread that was waiting for that notification can be +running before the operation mode's handler was called. + +When the operation mode's handler is ASYNC, things get even +worse since the thread that was waiting for the +notification isn't even guaranteed that the ASYNC callback +was added to async_handlers_list before it starts to run. +This means that even calling +iwl_mvm_wait_for_async_handlers() can't guarantee that +absolutely everything related to that notification has run. +The following can happen: + +Thread sending the command Operation mode's Rx path +-------------------------- ------------------------ +iwl_init_notification_wait() +iwl_mvm_send_cmd() + iwl_mvm_rx_common() + iwl_notification_wait_notify() +iwl_mvm_wait_for_async_handlers() +// Possibly free some data +// structure + list_add_tail(async_handlers_list); + schedule_work(async_handlers_wk); + // Access the freed structure + +Split the 'run notif_wait's handler' and the 'wake up the +thread' parts to fix this. This allows the operation mode +to do the following: + +Thread sending the command Operation mode's Rx path +-------------------------- ------------------------ +iwl_init_notification_wait() +iwl_mvm_send_cmd() + iwl_mvm_rx_common() + iwl_notification_wait() + // Will run the notif_wait's handler + list_add_tail(async_handlers_list); + schedule_work(async_handlers_wk); + iwl_notification_notify() +iwl_mvm_wait_for_async_handlers() + +This way, the waiter is guaranteed that all the handlers +have been run (if SYNC), or at least enqueued (if ASYNC) +by the time it wakes up. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c | 10 +++----- + drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h | 25 ++++++++++++++++---- + 2 files changed, 24 insertions(+), 11 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.c +@@ -76,8 +76,8 @@ void iwl_notification_wait_init(struct i + } + IWL_EXPORT_SYMBOL(iwl_notification_wait_init); + +-void iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_wait, +- struct iwl_rx_packet *pkt) ++bool iwl_notification_wait(struct iwl_notif_wait_data *notif_wait, ++ struct iwl_rx_packet *pkt) + { + bool triggered = false; + +@@ -118,13 +118,11 @@ void iwl_notification_wait_notify(struct + } + } + spin_unlock(¬if_wait->notif_wait_lock); +- + } + +- if (triggered) +- wake_up_all(¬if_wait->notif_waitq); ++ return triggered; + } +-IWL_EXPORT_SYMBOL(iwl_notification_wait_notify); ++IWL_EXPORT_SYMBOL(iwl_notification_wait); + + void iwl_abort_notification_waits(struct iwl_notif_wait_data *notif_wait) + { +--- a/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-notif-wait.h +@@ -6,7 +6,7 @@ + * GPL LICENSE SUMMARY + * + * Copyright(c) 2007 - 2014 Intel Corporation. All rights reserved. +- * Copyright(c) 2015 Intel Deutschland GmbH ++ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of version 2 of the GNU General Public License as +@@ -32,6 +32,7 @@ + * BSD LICENSE + * + * Copyright(c) 2005 - 2014 Intel Corporation. All rights reserved. ++ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without +@@ -89,10 +90,10 @@ struct iwl_notif_wait_data { + * + * This structure is not used directly, to wait for a + * notification declare it on the stack, and call +- * iwlagn_init_notification_wait() with appropriate ++ * iwl_init_notification_wait() with appropriate + * parameters. Then do whatever will cause the ucode + * to notify the driver, and to wait for that then +- * call iwlagn_wait_notification(). ++ * call iwl_wait_notification(). + * + * Each notification is one-shot. If at some point we + * need to support multi-shot notifications (which +@@ -114,10 +115,24 @@ struct iwl_notification_wait { + + /* caller functions */ + void iwl_notification_wait_init(struct iwl_notif_wait_data *notif_data); +-void iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_data, +- struct iwl_rx_packet *pkt); ++bool iwl_notification_wait(struct iwl_notif_wait_data *notif_data, ++ struct iwl_rx_packet *pkt); + void iwl_abort_notification_waits(struct iwl_notif_wait_data *notif_data); + ++static inline void ++iwl_notification_notify(struct iwl_notif_wait_data *notif_data) ++{ ++ wake_up_all(¬if_data->notif_waitq); ++} ++ ++static inline void ++iwl_notification_wait_notify(struct iwl_notif_wait_data *notif_data, ++ struct iwl_rx_packet *pkt) ++{ ++ if (iwl_notification_wait(notif_data, pkt)) ++ iwl_notification_notify(notif_data); ++} ++ + /* user functions */ + void __acquires(wait_entry) + iwl_init_notification_wait(struct iwl_notif_wait_data *notif_data, diff --git a/queue-4.9/ixgbevf-fix-size-of-queue-stats-length.patch b/queue-4.9/ixgbevf-fix-size-of-queue-stats-length.patch new file mode 100644 index 00000000000..48fb0848085 --- /dev/null +++ b/queue-4.9/ixgbevf-fix-size-of-queue-stats-length.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Emil Tantilov +Date: Thu, 30 Mar 2017 20:49:02 -0700 +Subject: ixgbevf: fix size of queue stats length + +From: Emil Tantilov + + +[ Upstream commit f87fc44770f54ff1b54d44ae9cec11f10efeca02 ] + +IXGBEVF_QUEUE_STATS_LEN is based on ixgebvf_stats, not ixgbe_stats. + +This change fixes a bug where ethtool -S displayed some empty fields. + +Signed-off-by: Emil Tantilov +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbevf/ethtool.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/ixgbevf/ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ethtool.c +@@ -80,7 +80,7 @@ static struct ixgbe_stats ixgbevf_gstrin + #define IXGBEVF_QUEUE_STATS_LEN ( \ + (((struct ixgbevf_adapter *)netdev_priv(netdev))->num_tx_queues + \ + ((struct ixgbevf_adapter *)netdev_priv(netdev))->num_rx_queues) * \ +- (sizeof(struct ixgbe_stats) / sizeof(u64))) ++ (sizeof(struct ixgbevf_stats) / sizeof(u64))) + #define IXGBEVF_GLOBAL_STATS_LEN ARRAY_SIZE(ixgbevf_gstrings_stats) + + #define IXGBEVF_STATS_LEN (IXGBEVF_GLOBAL_STATS_LEN + IXGBEVF_QUEUE_STATS_LEN) diff --git a/queue-4.9/jbd2-fix-lockdep-splat-with-generic-270-test.patch b/queue-4.9/jbd2-fix-lockdep-splat-with-generic-270-test.patch new file mode 100644 index 00000000000..394b76dbf67 --- /dev/null +++ b/queue-4.9/jbd2-fix-lockdep-splat-with-generic-270-test.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Jan Kara +Date: Sat, 29 Apr 2017 20:12:16 -0400 +Subject: jbd2: Fix lockdep splat with generic/270 test + +From: Jan Kara + + +[ Upstream commit c52c47e4b4fbe4284602fc2ccbfc4a4d8dc05b49 ] + +I've hit a lockdep splat with generic/270 test complaining that: + +3216.fsstress.b/3533 is trying to acquire lock: + (jbd2_handle){++++..}, at: [] jbd2_log_wait_commit+0x0/0x150 + +but task is already holding lock: + (jbd2_handle){++++..}, at: [] start_this_handle+0x35b/0x850 + +The underlying problem is that jbd2_journal_force_commit_nested() +(called from ext4_should_retry_alloc()) may get called while a +transaction handle is started. In such case it takes care to not wait +for commit of the running transaction (which would deadlock) but only +for a commit of a transaction that is already committing (which is safe +as that doesn't wait for any filesystem locks). + +In fact there are also other callers of jbd2_log_wait_commit() that take +care to pass tid of a transaction that is already committing and for +those cases, the lockdep instrumentation is too restrictive and leading +to false positive reports. Fix the problem by calling +jbd2_might_wait_for_commit() from jbd2_log_wait_commit() only if the +transaction isn't already committing. + +Fixes: 1eaa566d368b214d99cbb973647c1b0b8102a9ae +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/jbd2/journal.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -691,8 +691,21 @@ int jbd2_log_wait_commit(journal_t *jour + { + int err = 0; + +- jbd2_might_wait_for_commit(journal); + read_lock(&journal->j_state_lock); ++#ifdef CONFIG_PROVE_LOCKING ++ /* ++ * Some callers make sure transaction is already committing and in that ++ * case we cannot block on open handles anymore. So don't warn in that ++ * case. ++ */ ++ if (tid_gt(tid, journal->j_commit_sequence) && ++ (!journal->j_committing_transaction || ++ journal->j_committing_transaction->t_tid != tid)) { ++ read_unlock(&journal->j_state_lock); ++ jbd2_might_wait_for_commit(journal); ++ read_lock(&journal->j_state_lock); ++ } ++#endif + #ifdef CONFIG_JBD2_DEBUG + if (!tid_geq(journal->j_commit_request, tid)) { + printk(KERN_ERR diff --git a/queue-4.9/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch b/queue-4.9/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch new file mode 100644 index 00000000000..d2e66b4899e --- /dev/null +++ b/queue-4.9/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Alexey Kardashevskiy +Date: Fri, 24 Mar 2017 17:48:10 +1100 +Subject: KVM: PPC: Book3S PR: Exit KVM on failed mapping + +From: Alexey Kardashevskiy + + +[ Upstream commit bd9166ffe624000140fc6b606b256df01fc0d060 ] + +At the moment kvmppc_mmu_map_page() returns -1 if +mmu_hash_ops.hpte_insert() fails for any reason so the page fault handler +resumes the guest and it faults on the same address again. + +This adds distinction to kvmppc_mmu_map_page() to return -EIO if +mmu_hash_ops.hpte_insert() failed for a reason other than full pteg. +At the moment only pSeries_lpar_hpte_insert() returns -2 if +plpar_pte_enter() failed with a code other than H_PTEG_FULL. +Other mmu_hash_ops.hpte_insert() instances can only fail with +-1 "full pteg". + +With this change, if PR KVM fails to update HPT, it can signal +the userspace about this instead of returning to guest and having +the very same page fault over and over again. + +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_host.c | 5 ++++- + arch/powerpc/kvm/book3s_pr.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_host.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c +@@ -177,12 +177,15 @@ map_again: + ret = mmu_hash_ops.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags, + hpsize, hpsize, MMU_SEGSIZE_256M); + +- if (ret < 0) { ++ if (ret == -1) { + /* If we couldn't map a primary PTE, try a secondary */ + hash = ~hash; + vflags ^= HPTE_V_SECONDARY; + attempt++; + goto map_again; ++ } else if (ret < 0) { ++ r = -EIO; ++ goto out_unlock; + } else { + trace_kvm_book3s_64_mmu_map(rflags, hpteg, + vpn, hpaddr, orig_pte); +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -627,7 +627,11 @@ int kvmppc_handle_pagefault(struct kvm_r + kvmppc_mmu_unmap_page(vcpu, &pte); + } + /* The guest's PTE is not mapped yet. Map on the host */ +- kvmppc_mmu_map_page(vcpu, &pte, iswrite); ++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) { ++ /* Exit KVM if mapping failed */ ++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ return RESUME_HOST; ++ } + if (data) + vcpu->stat.sp_storage++; + else if (vcpu->arch.mmu.is_dcbz32(vcpu) && diff --git a/queue-4.9/libertas-check-return-value-of-alloc_workqueue.patch b/queue-4.9/libertas-check-return-value-of-alloc_workqueue.patch new file mode 100644 index 00000000000..6f0782ce53b --- /dev/null +++ b/queue-4.9/libertas-check-return-value-of-alloc_workqueue.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 21:19:38 +0800 +Subject: libertas: check return value of alloc_workqueue + +From: Pan Bian + + +[ Upstream commit dc3f89c38a8406554ffeffa370aad086a9c5e9de ] + +Function alloc_workqueue() will return a NULL pointer if there is no +enough memory, and its return value should be validated before using. +However, in function if_spi_probe(), its return value is not checked. +This may result in a NULL dereference bug. This patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/libertas/if_spi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/marvell/libertas/if_spi.c ++++ b/drivers/net/wireless/marvell/libertas/if_spi.c +@@ -1181,6 +1181,10 @@ static int if_spi_probe(struct spi_devic + + /* Initialize interrupt handling stuff. */ + card->workqueue = alloc_workqueue("libertas_spi", WQ_MEM_RECLAIM, 0); ++ if (!card->workqueue) { ++ err = -ENOMEM; ++ goto remove_card; ++ } + INIT_WORK(&card->packet_work, if_spi_host_to_card_worker); + INIT_WORK(&card->resume_work, if_spi_resume_worker); + +@@ -1209,6 +1213,7 @@ release_irq: + free_irq(spi->irq, card); + terminate_workqueue: + destroy_workqueue(card->workqueue); ++remove_card: + lbs_remove_card(priv); /* will call free_netdev */ + free_card: + free_if_spi_card(card); diff --git a/queue-4.9/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch b/queue-4.9/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch new file mode 100644 index 00000000000..a1c3ef100e7 --- /dev/null +++ b/queue-4.9/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Emmanuel Grumbach +Date: Wed, 26 Apr 2017 10:58:51 +0300 +Subject: mac80211: don't parse encrypted management frames in ieee80211_frame_acked + +From: Emmanuel Grumbach + + +[ Upstream commit cf147085fdda044622973a12e4e06f1c753ab677 ] + +ieee80211_frame_acked is called when a frame is acked by +the peer. In case this is a management frame, we check +if this an SMPS frame, in which case we can update our +antenna configuration. + +When we parse the management frame we look at the category +in case it is an action frame. That byte sits after the IV +in case the frame was encrypted. This means that if the +frame was encrypted, we basically look at the IV instead +of looking at the category. It is then theorically +possible that we think that an SMPS action frame was acked +where really we had another frame that was encrypted. + +Since the only management frame whose ack needs to be +tracked is the SMPS action frame, and that frame is not +a robust management frame, it will never be encrypted. +The easiest way to fix this problem is then to not look +at frames that were encrypted. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/status.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -200,6 +200,7 @@ static void ieee80211_frame_acked(struct + } + + if (ieee80211_is_action(mgmt->frame_control) && ++ !ieee80211_has_protected(mgmt->frame_control) && + mgmt->u.action.category == WLAN_CATEGORY_HT && + mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS && + ieee80211_sdata_running(sdata)) { diff --git a/queue-4.9/mac80211-fix-possible-sband-related-null-pointer-de-reference.patch b/queue-4.9/mac80211-fix-possible-sband-related-null-pointer-de-reference.patch new file mode 100644 index 00000000000..ae645d05e07 --- /dev/null +++ b/queue-4.9/mac80211-fix-possible-sband-related-null-pointer-de-reference.patch @@ -0,0 +1,602 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Mohammed Shafi Shajakhan +Date: Thu, 27 Apr 2017 12:45:38 +0530 +Subject: mac80211: Fix possible sband related NULL pointer de-reference + +From: Mohammed Shafi Shajakhan + + +[ Upstream commit 21a8e9dd52b64f0170bad208293ef8c30c3c1403 ] + +Existing API 'ieee80211_get_sdata_band' returns default 2 GHz band even +if the channel context configuration is NULL. This crashes for chipsets +which support 5 Ghz alone when it tries to access members of 'sband'. +Channel context configuration can be NULL in multivif case and when +channel switch is in progress (or) when it fails. Fix this by replacing +the API 'ieee80211_get_sdata_band' with 'ieee80211_get_sband' which +returns a NULL pointer for sband when the channel configuration is NULL. + +An example scenario is as below: + +In multivif mode (AP + STA) with drivers like ath10k, when we do a +channel switch in the AP vif (which has a number of clients connected) +and a STA vif which is connected to some other AP, when the channel +switch in AP vif fails, while the STA vifs tries to connect to the +other AP, there is a window where the channel context is NULL/invalid +and this results in a crash while the clients connected to the AP vif +tries to reconnect and this race is very similar to the one investigated +by Michal in https://patchwork.kernel.org/patch/3788161/ and this does +happens with hardware that supports 5Ghz alone after long hours of +testing with continuous channel switch on the AP vif + +ieee80211 phy0: channel context reservation cannot be finalized because +some interfaces aren't switching +wlan0: failed to finalize CSA, disconnecting +wlan0-1: deauthenticating from 8c:fd:f0:01:54:9c by local choice + (Reason: 3=DEAUTH_LEAVING) + + WARNING: CPU: 1 PID: 19032 at net/mac80211/ieee80211_i.h:1013 sta_info_alloc+0x374/0x3fc [mac80211] + [] (sta_info_alloc [mac80211]) + [] (ieee80211_add_station [mac80211])) + [] (nl80211_new_station [cfg80211]) + + Unable to handle kernel NULL pointer dereference at virtual + address 00000014 + pgd = d5f4c000 + Internal error: Oops: 17 [#1] PREEMPT SMP ARM + PC is at sta_info_alloc+0x380/0x3fc [mac80211] + LR is at sta_info_alloc+0x37c/0x3fc [mac80211] + [] (sta_info_alloc [mac80211]) + [] (ieee80211_add_station [mac80211]) + [] (nl80211_new_station [cfg80211])) + +Cc: Michal Kazior +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 30 +++++++++++++++++------------- + net/mac80211/ibss.c | 6 +++++- + net/mac80211/ieee80211_i.h | 36 +++++++++++++++++++++--------------- + net/mac80211/mesh.c | 29 ++++++++++++++++++++--------- + net/mac80211/mesh_plink.c | 37 ++++++++++++++++++++++++++----------- + net/mac80211/mlme.c | 14 ++++++++++++-- + net/mac80211/rate.c | 4 +++- + net/mac80211/sta_info.c | 13 +++++++++---- + net/mac80211/tdls.c | 29 +++++++++++++++++++---------- + net/mac80211/tx.c | 5 ++++- + net/mac80211/util.c | 6 +++--- + 11 files changed, 139 insertions(+), 70 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -620,10 +620,11 @@ void sta_set_rate_info_tx(struct sta_inf + int shift = ieee80211_vif_get_shift(&sta->sdata->vif); + u16 brate; + +- sband = sta->local->hw.wiphy->bands[ +- ieee80211_get_sdata_band(sta->sdata)]; +- brate = sband->bitrates[rate->idx].bitrate; +- rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift); ++ sband = ieee80211_get_sband(sta->sdata); ++ if (sband) { ++ brate = sband->bitrates[rate->idx].bitrate; ++ rinfo->legacy = DIV_ROUND_UP(brate, 1 << shift); ++ } + } + if (rate->flags & IEEE80211_TX_RC_40_MHZ_WIDTH) + rinfo->bw = RATE_INFO_BW_40; +@@ -1218,10 +1219,11 @@ static int sta_apply_parameters(struct i + int ret = 0; + struct ieee80211_supported_band *sband; + struct ieee80211_sub_if_data *sdata = sta->sdata; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); + u32 mask, set; + +- sband = local->hw.wiphy->bands[band]; ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return -EINVAL; + + mask = params->sta_flags_mask; + set = params->sta_flags_set; +@@ -1354,7 +1356,7 @@ static int sta_apply_parameters(struct i + ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, + sband, params->supported_rates, + params->supported_rates_len, +- &sta->sta.supp_rates[band]); ++ &sta->sta.supp_rates[sband->band]); + } + + if (params->ht_capa) +@@ -1370,8 +1372,8 @@ static int sta_apply_parameters(struct i + /* returned value is only needed for rc update, but the + * rc isn't initialized here yet, so ignore it + */ +- __ieee80211_vht_handle_opmode(sdata, sta, +- params->opmode_notif, band); ++ __ieee80211_vht_handle_opmode(sdata, sta, params->opmode_notif, ++ sband->band); + } + + if (params->support_p2p_ps >= 0) +@@ -2017,13 +2019,15 @@ static int ieee80211_change_bss(struct w + struct bss_parameters *params) + { + struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev); +- enum nl80211_band band; ++ struct ieee80211_supported_band *sband; + u32 changed = 0; + + if (!sdata_dereference(sdata->u.ap.beacon, sdata)) + return -ENOENT; + +- band = ieee80211_get_sdata_band(sdata); ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return -EINVAL; + + if (params->use_cts_prot >= 0) { + sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot; +@@ -2036,7 +2040,7 @@ static int ieee80211_change_bss(struct w + } + + if (!sdata->vif.bss_conf.use_short_slot && +- band == NL80211_BAND_5GHZ) { ++ sband->band == NL80211_BAND_5GHZ) { + sdata->vif.bss_conf.use_short_slot = true; + changed |= BSS_CHANGED_ERP_SLOT; + } +@@ -2049,7 +2053,7 @@ static int ieee80211_change_bss(struct w + + if (params->basic_rates) { + ieee80211_parse_bitrates(&sdata->vif.bss_conf.chandef, +- wiphy->bands[band], ++ wiphy->bands[sband->band], + params->basic_rates, + params->basic_rates_len, + &sdata->vif.bss_conf.basic_rates); +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -994,7 +994,7 @@ static void ieee80211_update_sta_info(st + enum nl80211_band band = rx_status->band; + enum nl80211_bss_scan_width scan_width; + struct ieee80211_local *local = sdata->local; +- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band]; ++ struct ieee80211_supported_band *sband; + bool rates_updated = false; + u32 supp_rates = 0; + +@@ -1004,6 +1004,10 @@ static void ieee80211_update_sta_info(st + if (!ether_addr_equal(mgmt->bssid, sdata->u.ibss.bssid)) + return; + ++ sband = local->hw.wiphy->bands[band]; ++ if (WARN_ON(!sband)) ++ return; ++ + rcu_read_lock(); + sta = sta_info_get(sdata, mgmt->sa); + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -991,21 +991,6 @@ sdata_assert_lock(struct ieee80211_sub_i + lockdep_assert_held(&sdata->wdev.mtx); + } + +-static inline enum nl80211_band +-ieee80211_get_sdata_band(struct ieee80211_sub_if_data *sdata) +-{ +- enum nl80211_band band = NL80211_BAND_2GHZ; +- struct ieee80211_chanctx_conf *chanctx_conf; +- +- rcu_read_lock(); +- chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); +- if (!WARN_ON(!chanctx_conf)) +- band = chanctx_conf->def.chan->band; +- rcu_read_unlock(); +- +- return band; +-} +- + static inline int + ieee80211_chandef_get_shift(struct cfg80211_chan_def *chandef) + { +@@ -1410,6 +1395,27 @@ IEEE80211_WDEV_TO_SUB_IF(struct wireless + return container_of(wdev, struct ieee80211_sub_if_data, wdev); + } + ++static inline struct ieee80211_supported_band * ++ieee80211_get_sband(struct ieee80211_sub_if_data *sdata) ++{ ++ struct ieee80211_local *local = sdata->local; ++ struct ieee80211_chanctx_conf *chanctx_conf; ++ enum nl80211_band band; ++ ++ rcu_read_lock(); ++ chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); ++ ++ if (WARN_ON(!chanctx_conf)) { ++ rcu_read_unlock(); ++ return NULL; ++ } ++ ++ band = chanctx_conf->def.chan->band; ++ rcu_read_unlock(); ++ ++ return local->hw.wiphy->bands[band]; ++} ++ + /* this struct represents 802.11n's RA/TID combination */ + struct ieee80211_ra_tid { + u8 ra[ETH_ALEN]; +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -63,6 +63,7 @@ bool mesh_matches_local(struct ieee80211 + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; + u32 basic_rates = 0; + struct cfg80211_chan_def sta_chan_def; ++ struct ieee80211_supported_band *sband; + + /* + * As support for each feature is added, check for matching +@@ -83,7 +84,11 @@ bool mesh_matches_local(struct ieee80211 + (ifmsh->mesh_auth_id == ie->mesh_config->meshconf_auth))) + return false; + +- ieee80211_sta_get_rates(sdata, ie, ieee80211_get_sdata_band(sdata), ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return false; ++ ++ ieee80211_sta_get_rates(sdata, ie, sband->band, + &basic_rates); + + if (sdata->vif.bss_conf.basic_rates != basic_rates) +@@ -399,12 +404,13 @@ static int mesh_add_ds_params_ie(struct + int mesh_add_ht_cap_ie(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb) + { +- struct ieee80211_local *local = sdata->local; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); + struct ieee80211_supported_band *sband; + u8 *pos; + +- sband = local->hw.wiphy->bands[band]; ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return -EINVAL; ++ + if (!sband->ht_cap.ht_supported || + sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_20_NOHT || + sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_5 || +@@ -462,12 +468,13 @@ int mesh_add_ht_oper_ie(struct ieee80211 + int mesh_add_vht_cap_ie(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb) + { +- struct ieee80211_local *local = sdata->local; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); + struct ieee80211_supported_band *sband; + u8 *pos; + +- sband = local->hw.wiphy->bands[band]; ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return -EINVAL; ++ + if (!sband->vht_cap.vht_supported || + sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_20_NOHT || + sdata->vif.bss_conf.chandef.width == NL80211_CHAN_WIDTH_5 || +@@ -916,12 +923,16 @@ ieee80211_mesh_process_chnswitch(struct + struct cfg80211_csa_settings params; + struct ieee80211_csa_ie csa_ie; + struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); ++ struct ieee80211_supported_band *sband; + int err; + u32 sta_flags; + + sdata_assert_lock(sdata); + ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return false; ++ + sta_flags = IEEE80211_STA_DISABLE_VHT; + switch (sdata->vif.bss_conf.chandef.width) { + case NL80211_CHAN_WIDTH_20_NOHT: +@@ -935,7 +946,7 @@ ieee80211_mesh_process_chnswitch(struct + + memset(¶ms, 0, sizeof(params)); + memset(&csa_ie, 0, sizeof(csa_ie)); +- err = ieee80211_parse_ch_switch_ie(sdata, elems, band, ++ err = ieee80211_parse_ch_switch_ie(sdata, elems, sband->band, + sta_flags, sdata->vif.addr, + &csa_ie); + if (err < 0) +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -93,19 +93,23 @@ static inline void mesh_plink_fsm_restar + static u32 mesh_set_short_slot_time(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_local *local = sdata->local; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); +- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band]; ++ struct ieee80211_supported_band *sband; + struct sta_info *sta; + u32 erp_rates = 0, changed = 0; + int i; + bool short_slot = false; + +- if (band == NL80211_BAND_5GHZ) { ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return changed; ++ ++ if (sband->band == NL80211_BAND_5GHZ) { + /* (IEEE 802.11-2012 19.4.5) */ + short_slot = true; + goto out; +- } else if (band != NL80211_BAND_2GHZ) ++ } else if (sband->band != NL80211_BAND_2GHZ) { + goto out; ++ } + + for (i = 0; i < sband->n_bitrates; i++) + if (sband->bitrates[i].flags & IEEE80211_RATE_ERP_G) +@@ -121,7 +125,7 @@ static u32 mesh_set_short_slot_time(stru + continue; + + short_slot = false; +- if (erp_rates & sta->sta.supp_rates[band]) ++ if (erp_rates & sta->sta.supp_rates[sband->band]) + short_slot = true; + else + break; +@@ -247,7 +251,15 @@ static int mesh_plink_frame_tx(struct ie + mgmt->u.action.u.self_prot.action_code = action; + + if (action != WLAN_SP_MESH_PEERING_CLOSE) { +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); ++ struct ieee80211_supported_band *sband; ++ enum nl80211_band band; ++ ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) { ++ err = -EINVAL; ++ goto free; ++ } ++ band = sband->band; + + /* capability info */ + pos = skb_put(skb, 2); +@@ -393,13 +405,16 @@ static void mesh_sta_info_init(struct ie + struct ieee802_11_elems *elems, bool insert) + { + struct ieee80211_local *local = sdata->local; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); + struct ieee80211_supported_band *sband; + u32 rates, basic_rates = 0, changed = 0; + enum ieee80211_sta_rx_bandwidth bw = sta->sta.bandwidth; + +- sband = local->hw.wiphy->bands[band]; +- rates = ieee80211_sta_get_rates(sdata, elems, band, &basic_rates); ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return; ++ ++ rates = ieee80211_sta_get_rates(sdata, elems, sband->band, ++ &basic_rates); + + spin_lock_bh(&sta->mesh->plink_lock); + sta->rx_stats.last_rx = jiffies; +@@ -410,9 +425,9 @@ static void mesh_sta_info_init(struct ie + goto out; + sta->mesh->processed_beacon = true; + +- if (sta->sta.supp_rates[band] != rates) ++ if (sta->sta.supp_rates[sband->band] != rates) + changed |= IEEE80211_RC_SUPP_RATES_CHANGED; +- sta->sta.supp_rates[band] = rates; ++ sta->sta.supp_rates[sband->band] = rates; + + if (ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband, + elems->ht_cap_elem, sta)) +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1851,11 +1851,16 @@ static u32 ieee80211_handle_bss_capabili + u16 capab, bool erp_valid, u8 erp) + { + struct ieee80211_bss_conf *bss_conf = &sdata->vif.bss_conf; ++ struct ieee80211_supported_band *sband; + u32 changed = 0; + bool use_protection; + bool use_short_preamble; + bool use_short_slot; + ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return changed; ++ + if (erp_valid) { + use_protection = (erp & WLAN_ERP_USE_PROTECTION) != 0; + use_short_preamble = (erp & WLAN_ERP_BARKER_PREAMBLE) == 0; +@@ -1865,7 +1870,7 @@ static u32 ieee80211_handle_bss_capabili + } + + use_short_slot = !!(capab & WLAN_CAPABILITY_SHORT_SLOT_TIME); +- if (ieee80211_get_sdata_band(sdata) == NL80211_BAND_5GHZ) ++ if (sband->band == NL80211_BAND_5GHZ) + use_short_slot = true; + + if (use_protection != bss_conf->use_cts_prot) { +@@ -2994,7 +2999,12 @@ static bool ieee80211_assoc_success(stru + goto out; + } + +- sband = local->hw.wiphy->bands[ieee80211_get_sdata_band(sdata)]; ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) { ++ mutex_unlock(&sdata->local->sta_mtx); ++ ret = false; ++ goto out; ++ } + + /* Set up internal HT/VHT capabilities */ + if (elems.ht_cap_elem && !(ifmgd->flags & IEEE80211_STA_DISABLE_HT)) +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -875,7 +875,9 @@ int rate_control_set_rates(struct ieee80 + struct ieee80211_sta_rates *old; + struct ieee80211_supported_band *sband; + +- sband = hw->wiphy->bands[ieee80211_get_sdata_band(sta->sdata)]; ++ sband = ieee80211_get_sband(sta->sdata); ++ if (!sband) ++ return -EINVAL; + rate_control_apply_mask_ratetbl(sta, sband, rates); + /* + * mac80211 guarantees that this function will not be called +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -395,10 +395,15 @@ struct sta_info *sta_info_alloc(struct i + sta->sta.smps_mode = IEEE80211_SMPS_OFF; + if (sdata->vif.type == NL80211_IFTYPE_AP || + sdata->vif.type == NL80211_IFTYPE_AP_VLAN) { +- struct ieee80211_supported_band *sband = +- hw->wiphy->bands[ieee80211_get_sdata_band(sdata)]; +- u8 smps = (sband->ht_cap.cap & IEEE80211_HT_CAP_SM_PS) >> +- IEEE80211_HT_CAP_SM_PS_SHIFT; ++ struct ieee80211_supported_band *sband; ++ u8 smps; ++ ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ goto free_txq; ++ ++ smps = (sband->ht_cap.cap & IEEE80211_HT_CAP_SM_PS) >> ++ IEEE80211_HT_CAP_SM_PS_SHIFT; + /* + * Assume that hostapd advertises our caps in the beacon and + * this is the known_smps_mode for a station that just assciated +--- a/net/mac80211/tdls.c ++++ b/net/mac80211/tdls.c +@@ -47,8 +47,7 @@ static void ieee80211_tdls_add_ext_capab + NL80211_FEATURE_TDLS_CHANNEL_SWITCH; + bool wider_band = ieee80211_hw_check(&local->hw, TDLS_WIDER_BW) && + !ifmgd->tdls_wider_bw_prohibited; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); +- struct ieee80211_supported_band *sband = local->hw.wiphy->bands[band]; ++ struct ieee80211_supported_band *sband = ieee80211_get_sband(sdata); + bool vht = sband && sband->vht_cap.vht_supported; + u8 *pos = (void *)skb_put(skb, 10); + +@@ -180,11 +179,14 @@ static void ieee80211_tdls_add_bss_coex_ + static u16 ieee80211_get_tdls_sta_capab(struct ieee80211_sub_if_data *sdata, + u16 status_code) + { ++ struct ieee80211_supported_band *sband; ++ + /* The capability will be 0 when sending a failure code */ + if (status_code != 0) + return 0; + +- if (ieee80211_get_sdata_band(sdata) == NL80211_BAND_2GHZ) { ++ sband = ieee80211_get_sband(sdata); ++ if (sband && sband->band == NL80211_BAND_2GHZ) { + return WLAN_CAPABILITY_SHORT_SLOT_TIME | + WLAN_CAPABILITY_SHORT_PREAMBLE; + } +@@ -358,17 +360,20 @@ ieee80211_tdls_add_setup_start_ies(struc + u8 action_code, bool initiator, + const u8 *extra_ies, size_t extra_ies_len) + { +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); +- struct ieee80211_local *local = sdata->local; + struct ieee80211_supported_band *sband; ++ struct ieee80211_local *local = sdata->local; + struct ieee80211_sta_ht_cap ht_cap; + struct ieee80211_sta_vht_cap vht_cap; + struct sta_info *sta = NULL; + size_t offset = 0, noffset; + u8 *pos; + +- ieee80211_add_srates_ie(sdata, skb, false, band); +- ieee80211_add_ext_srates_ie(sdata, skb, false, band); ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return; ++ ++ ieee80211_add_srates_ie(sdata, skb, false, sband->band); ++ ieee80211_add_ext_srates_ie(sdata, skb, false, sband->band); + ieee80211_tdls_add_supp_channels(sdata, skb); + + /* add any custom IEs that go before Extended Capabilities */ +@@ -439,7 +444,6 @@ ieee80211_tdls_add_setup_start_ies(struc + * the same on all bands. The specification limits the setup to a + * single HT-cap, so use the current band for now. + */ +- sband = local->hw.wiphy->bands[band]; + memcpy(&ht_cap, &sband->ht_cap, sizeof(ht_cap)); + + if ((action_code == WLAN_TDLS_SETUP_REQUEST || +@@ -545,9 +549,13 @@ ieee80211_tdls_add_setup_cfm_ies(struct + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + size_t offset = 0, noffset; + struct sta_info *sta, *ap_sta; +- enum nl80211_band band = ieee80211_get_sdata_band(sdata); ++ struct ieee80211_supported_band *sband; + u8 *pos; + ++ sband = ieee80211_get_sband(sdata); ++ if (!sband) ++ return; ++ + mutex_lock(&local->sta_mtx); + + sta = sta_info_get(sdata, peer); +@@ -612,7 +620,8 @@ ieee80211_tdls_add_setup_cfm_ies(struct + ieee80211_tdls_add_link_ie(sdata, skb, peer, initiator); + + /* only include VHT-operation if not on the 2.4GHz band */ +- if (band != NL80211_BAND_2GHZ && sta->sta.vht_cap.vht_supported) { ++ if (sband->band != NL80211_BAND_2GHZ && ++ sta->sta.vht_cap.vht_supported) { + /* + * if both peers support WIDER_BW, we can expand the chandef to + * a wider compatible one, up to 80MHz +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4182,7 +4182,10 @@ struct sk_buff *ieee80211_beacon_get_tim + return bcn; + + shift = ieee80211_vif_get_shift(vif); +- sband = hw->wiphy->bands[ieee80211_get_sdata_band(vif_to_sdata(vif))]; ++ sband = ieee80211_get_sband(vif_to_sdata(vif)); ++ if (!sband) ++ return bcn; ++ + ieee80211_tx_monitor(hw_to_local(hw), copy, sband, 1, shift, false); + + return bcn; +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1590,14 +1590,14 @@ u32 ieee80211_sta_get_rates(struct ieee8 + size_t num_rates; + u32 supp_rates, rate_flags; + int i, j, shift; ++ + sband = sdata->local->hw.wiphy->bands[band]; ++ if (WARN_ON(!sband)) ++ return 1; + + rate_flags = ieee80211_chandef_rate_flags(&sdata->vif.bss_conf.chandef); + shift = ieee80211_vif_get_shift(&sdata->vif); + +- if (WARN_ON(!sband)) +- return 1; +- + num_rates = sband->n_bitrates; + supp_rates = 0; + for (i = 0; i < elems->supp_rates_len + diff --git a/queue-4.9/md-raid10-skip-spare-disk-as-first-disk.patch b/queue-4.9/md-raid10-skip-spare-disk-as-first-disk.patch new file mode 100644 index 00000000000..c5332713a7a --- /dev/null +++ b/queue-4.9/md-raid10-skip-spare-disk-as-first-disk.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Shaohua Li +Date: Mon, 1 May 2017 12:15:07 -0700 +Subject: md/raid10: skip spare disk as 'first' disk + +From: Shaohua Li + + +[ Upstream commit b506335e5d2b4ec687dde392a3bdbf7601778f1d ] + +Commit 6f287ca(md/raid10: reset the 'first' at the end of loop) ignores +a case in reshape, the first rdev could be a spare disk, which shouldn't +be accounted as the first disk since it doesn't include the offset info. + +Fix: 6f287ca(md/raid10: reset the 'first' at the end of loop) +Cc: Guoqing Jiang +Cc: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4089,6 +4089,7 @@ static int raid10_start_reshape(struct m + diff = 0; + if (first || diff < min_offset_diff) + min_offset_diff = diff; ++ first = 0; + } + } + diff --git a/queue-4.9/md-raid10-wait-up-frozen-array-in-handle_write_completed.patch b/queue-4.9/md-raid10-wait-up-frozen-array-in-handle_write_completed.patch new file mode 100644 index 00000000000..2660e3c0f38 --- /dev/null +++ b/queue-4.9/md-raid10-wait-up-frozen-array-in-handle_write_completed.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Guoqing Jiang +Date: Mon, 17 Apr 2017 17:11:05 +0800 +Subject: md/raid10: wait up frozen array in handle_write_completed + +From: Guoqing Jiang + + +[ Upstream commit cf25ae78fc50010f66b9be945017796da34c434d ] + +Since nr_queued is changed, we need to call wake_up here +if the array is already frozen and waiting for condition +"nr_pending == nr_queued + extra" to be true. + +And commit 824e47daddbf ("RAID1: avoid unnecessary spin +locks in I/O barrier code") which has already added the +wake_up for raid1. + +Signed-off-by: Guoqing Jiang +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2704,6 +2704,11 @@ static void handle_write_completed(struc + list_add(&r10_bio->retry_list, &conf->bio_end_io_list); + conf->nr_queued++; + spin_unlock_irq(&conf->device_lock); ++ /* ++ * In case freeze_array() is waiting for condition ++ * nr_pending == nr_queued + extra to be true. ++ */ ++ wake_up(&conf->wait_barrier); + md_wakeup_thread(conf->mddev->thread); + } else { + if (test_bit(R10BIO_WriteError, diff --git a/queue-4.9/media-bt8xx-fix-err-bt878_probe.patch b/queue-4.9/media-bt8xx-fix-err-bt878_probe.patch new file mode 100644 index 00000000000..14713bc937d --- /dev/null +++ b/queue-4.9/media-bt8xx-fix-err-bt878_probe.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Christophe JAILLET +Date: Thu, 21 Sep 2017 19:23:56 -0400 +Subject: media: bt8xx: Fix err 'bt878_probe()' + +From: Christophe JAILLET + + +[ Upstream commit 45392ff6881dbe56d41ef0b17c2e576065f8ffa1 ] + +This is odd to call 'pci_disable_device()' in an error path before a +coresponding successful 'pci_enable_device()'. + +Return directly instead. + +Fixes: 77e0be12100a ("V4L/DVB (4176): Bug-fix: Fix memory overflow") + +Signed-off-by: Christophe JAILLET +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/bt8xx/bt878.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -422,8 +422,7 @@ static int bt878_probe(struct pci_dev *d + bt878_num); + if (bt878_num >= BT878_MAX) { + printk(KERN_ERR "bt878: Too many devices inserted\n"); +- result = -ENOMEM; +- goto fail0; ++ return -ENOMEM; + } + if (pci_enable_device(dev)) + return -EIO; diff --git a/queue-4.9/media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch b/queue-4.9/media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch new file mode 100644 index 00000000000..7b35590898c --- /dev/null +++ b/queue-4.9/media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: "Gustavo A. R. Silva" +Date: Mon, 20 Nov 2017 09:00:55 -0500 +Subject: media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt + +From: "Gustavo A. R. Silva" + + +[ Upstream commit baed3c4bc4c13de93e0dba0a26d601411ebcb389 ] + +_channel_ is being dereferenced before it is null checked, hence there is a +potential null pointer dereference. Fix this by moving the pointer dereference +after _channel_ has been null checked. + +This issue was detected with the help of Coccinelle. + +Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") + +Signed-off-by: Gustavo A. R. Silva +Acked-by: Patrice Chotard +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c ++++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +@@ -83,7 +83,7 @@ static void c8sectpfe_timer_interrupt(un + static void channel_swdemux_tsklet(unsigned long data) + { + struct channel_info *channel = (struct channel_info *)data; +- struct c8sectpfei *fei = channel->fei; ++ struct c8sectpfei *fei; + unsigned long wp, rp; + int pos, num_packets, n, size; + u8 *buf; +@@ -91,6 +91,8 @@ static void channel_swdemux_tsklet(unsig + if (unlikely(!channel || !channel->irec)) + return; + ++ fei = channel->fei; ++ + wp = readl(channel->irec + DMA_PRDS_BUSWP_TP(0)); + rp = readl(channel->irec + DMA_PRDS_BUSRP_TP(0)); + diff --git a/queue-4.9/media-dvb-core-race-condition-when-writing-to-cam.patch b/queue-4.9/media-dvb-core-race-condition-when-writing-to-cam.patch new file mode 100644 index 00000000000..42b50156f0a --- /dev/null +++ b/queue-4.9/media-dvb-core-race-condition-when-writing-to-cam.patch @@ -0,0 +1,71 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Jasmin J +Date: Fri, 17 Mar 2017 23:04:20 -0300 +Subject: [media] media/dvb-core: Race condition when writing to CAM + +From: Jasmin J + + +[ Upstream commit e7080d4471d805d921a9ea21b32f911a91e248cb ] + +It started with a sporadic message in syslog: "CAM tried to send a +buffer larger than the ecount size" This message is not the fault +itself, but a consecutive fault, after a read error from the CAM. This +happens only on several CAMs, several hardware, and of course sporadic. + +It is a consecutive fault, if the last read from the CAM did fail. I +guess this will not happen on all CAMs, but at least it did on mine. +There was a write error to the CAM and during the re-initialization +procedure, the CAM finished the last read, although it got a RS. + +The write error to the CAM happened because a race condition between HC +write, checking DA and FR. + +This patch added an additional check for DA(RE), just after checking FR. +It is important to read the CAMs status register again, to give the CAM +the necessary time for a proper reaction to HC. Please note the +description within the source code (patch below). + +[mchehab@s-opensource.com: make checkpatch happy] + +Signed-off-by: Jasmin jessich +Tested-by: Ralph Metzler +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -779,6 +779,29 @@ static int dvb_ca_en50221_write_data(str + goto exit; + } + ++ /* ++ * It may need some time for the CAM to settle down, or there might ++ * be a race condition between the CAM, writing HC and our last ++ * check for DA. This happens, if the CAM asserts DA, just after ++ * checking DA before we are setting HC. In this case it might be ++ * a bug in the CAM to keep the FR bit, the lower layer/HW ++ * communication requires a longer timeout or the CAM needs more ++ * time internally. But this happens in reality! ++ * We need to read the status from the HW again and do the same ++ * we did for the previous check for DA ++ */ ++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS); ++ if (status < 0) ++ goto exit; ++ ++ if (status & (STATUSREG_DA | STATUSREG_RE)) { ++ if (status & STATUSREG_DA) ++ dvb_ca_en50221_thread_wakeup(ca); ++ ++ status = -EAGAIN; ++ goto exit; ++ } ++ + /* send the amount of data */ + if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0) + goto exit; diff --git a/queue-4.9/media-media-dvb-frontends-add-delay-to-si2168-restart.patch b/queue-4.9/media-media-dvb-frontends-add-delay-to-si2168-restart.patch new file mode 100644 index 00000000000..0c972461501 --- /dev/null +++ b/queue-4.9/media-media-dvb-frontends-add-delay-to-si2168-restart.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Ron Economos +Date: Mon, 11 Dec 2017 19:51:53 -0500 +Subject: media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart + +From: Ron Economos + + +[ Upstream commit 380a6c86457573aa42d27ae11e025eb25941a0b7 ] + +On faster CPUs a delay is required after the resume command and the restart command. Without the delay, the restart command often returns -EREMOTEIO and the Si2168 does not restart. + +Note that this patch fixes the same issue as https://patchwork.linuxtv.org/patch/44304/, but I believe my udelay() fix addresses the actual problem. + +Signed-off-by: Ron Economos +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/si2168.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-frontends/si2168.c ++++ b/drivers/media/dvb-frontends/si2168.c +@@ -14,6 +14,8 @@ + * GNU General Public License for more details. + */ + ++#include ++ + #include "si2168_priv.h" + + static const struct dvb_frontend_ops si2168_ops; +@@ -378,6 +380,7 @@ static int si2168_init(struct dvb_fronte + if (ret) + goto err; + ++ udelay(100); + memcpy(cmd.args, "\x85", 1); + cmd.wlen = 1; + cmd.rlen = 1; diff --git a/queue-4.9/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch b/queue-4.9/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch new file mode 100644 index 00000000000..d12aaf52595 --- /dev/null +++ b/queue-4.9/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Keerthy +Date: Thu, 10 Nov 2016 10:39:18 +0530 +Subject: mfd: palmas: Reset the POWERHOLD mux during power off + +From: Keerthy + + +[ Upstream commit 85fdaf8eb9bbec1f0f8a52fd5d85659d60738816 ] + +POWERHOLD signal has higher priority over the DEV_ON bit. +So power off will not happen if the POWERHOLD is held high. +Hence reset the MUX to GPIO_7 mode to release the POWERHOLD +and the DEV_ON bit to take effect to power off the PMIC. + +PMIC Power off happens in dire situations like thermal shutdown +so irrespective of the POWERHOLD setting go ahead and turn off +the powerhold. Currently poweroff is broken on boards that have +powerhold enabled. This fixes poweroff on those boards. + +Signed-off-by: Keerthy +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/palmas.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mfd/palmas.c ++++ b/drivers/mfd/palmas.c +@@ -430,6 +430,20 @@ static void palmas_power_off(void) + { + unsigned int addr; + int ret, slave; ++ struct device_node *np = palmas_dev->dev->of_node; ++ ++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) { ++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE, ++ PALMAS_PRIMARY_SECONDARY_PAD2); ++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE); ++ ++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr, ++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0); ++ if (ret) ++ dev_err(palmas_dev->dev, ++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n", ++ ret); ++ } + + if (!palmas_dev) + return; diff --git a/queue-4.9/mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch b/queue-4.9/mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch new file mode 100644 index 00000000000..44941794516 --- /dev/null +++ b/queue-4.9/mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Johannes Weiner +Date: Wed, 3 May 2017 14:51:54 -0700 +Subject: mm: fix check for reclaimable pages in PF_MEMALLOC reclaim throttling + +From: Johannes Weiner + + +[ Upstream commit d450abd81b081d45adb12f303a07dd44b15eb1bc ] + +PF_MEMALLOC direct reclaimers get throttled on a node when the sum of +all free pages in each zone fall below half the min watermark. During +the summation, we want to exclude zones that don't have reclaimables. +Checking the same pgdat over and over again doesn't make sense. + +Fixes: 599d0c954f91 ("mm, vmscan: move LRU lists to node") +Link: http://lkml.kernel.org/r/20170228214007.5621-3-hannes@cmpxchg.org +Signed-off-by: Johannes Weiner +Acked-by: Hillf Danton +Acked-by: Michal Hocko +Cc: Jia He +Cc: Mel Gorman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmscan.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/vmscan.c ++++ b/mm/vmscan.c +@@ -2841,8 +2841,10 @@ static bool allow_direct_reclaim(pg_data + + for (i = 0; i <= ZONE_NORMAL; i++) { + zone = &pgdat->node_zones[i]; +- if (!managed_zone(zone) || +- pgdat_reclaimable_pages(pgdat) == 0) ++ if (!managed_zone(zone)) ++ continue; ++ ++ if (!zone_reclaimable_pages(zone)) + continue; + + pfmemalloc_reserve += min_wmark_pages(zone); diff --git a/queue-4.9/mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch b/queue-4.9/mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch new file mode 100644 index 00000000000..d57a7ebd652 --- /dev/null +++ b/queue-4.9/mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Naoya Horiguchi +Date: Wed, 3 May 2017 14:56:22 -0700 +Subject: mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page + +From: Naoya Horiguchi + + +[ Upstream commit 286c469a988fbaf68e3a97ddf1e6c245c1446968 ] + +Memory error handler calls try_to_unmap() for error pages in various +states. If the error page is a mlocked page, error handling could fail +with "still referenced by 1 users" message. This is because the page is +linked to and stays in lru cache after the following call chain. + + try_to_unmap_one + page_remove_rmap + clear_page_mlock + putback_lru_page + lru_cache_add + +memory_failure() calls shake_page() to hanlde the similar issue, but +current code doesn't cover because shake_page() is called only before +try_to_unmap(). So this patches adds shake_page(). + +Fixes: 23a003bfd23ea9ea0b7756b920e51f64b284b468 ("mm/madvise: pass return code of memory_failure() to userspace") +Link: http://lkml.kernel.org/r/20170417055948.GM31394@yexl-desktop +Link: http://lkml.kernel.org/r/1493197841-23986-3-git-send-email-n-horiguchi@ah.jp.nec.com +Signed-off-by: Naoya Horiguchi +Reported-by: kernel test robot +Cc: Xiaolong Ye +Cc: Chen Gong +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory-failure.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -921,6 +921,7 @@ static int hwpoison_user_mappings(struct + int ret; + int kill = 1, forcekill; + struct page *hpage = *hpagep; ++ bool mlocked = PageMlocked(hpage); + + /* + * Here we are interested only in user-mapped pages, so skip any +@@ -985,6 +986,13 @@ static int hwpoison_user_mappings(struct + pfn, page_mapcount(hpage)); + + /* ++ * try_to_unmap() might put mlocked page in lru cache, so call ++ * shake_page() again to ensure that it's flushed. ++ */ ++ if (mlocked) ++ shake_page(hpage, 0); ++ ++ /* + * Now that the dirty bit has been propagated to the + * struct page and all unmaps done we can decide if + * killing is needed or not. Only kill when the page diff --git a/queue-4.9/mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch b/queue-4.9/mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch new file mode 100644 index 00000000000..ba8684b4a89 --- /dev/null +++ b/queue-4.9/mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: David Rientjes +Date: Wed, 3 May 2017 14:53:02 -0700 +Subject: mm, vmstat: suppress pcp stats for unpopulated zones in zoneinfo + +From: David Rientjes + + +[ Upstream commit 7dfb8bf3b9caef4049bee51d2c22e1c3a311d483 ] + +After "mm, vmstat: print non-populated zones in zoneinfo", +/proc/zoneinfo will show unpopulated zones. + +The per-cpu pageset statistics are not relevant for unpopulated zones +and can be potentially lengthy, so supress them when they are not +interesting. + +Also moves lowmem reserve protection information above pcp stats since +it is relevant for all zones per vm.lowmem_reserve_ratio. + +Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1703061400500.46428@chino.kir.corp.google.com +Signed-off-by: David Rientjes +Cc: Anshuman Khandual +Cc: Vlastimil Babka +Cc: Mel Gorman +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmstat.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1387,18 +1387,24 @@ static void zoneinfo_show_print(struct s + zone->present_pages, + zone->managed_pages); + +- for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++) +- seq_printf(m, "\n %-12s %lu", vmstat_text[i], +- zone_page_state(zone, i)); +- + seq_printf(m, + "\n protection: (%ld", + zone->lowmem_reserve[0]); + for (i = 1; i < ARRAY_SIZE(zone->lowmem_reserve); i++) + seq_printf(m, ", %ld", zone->lowmem_reserve[i]); +- seq_printf(m, +- ")" +- "\n pagesets"); ++ seq_putc(m, ')'); ++ ++ /* If unpopulated, no other information is useful */ ++ if (!populated_zone(zone)) { ++ seq_putc(m, '\n'); ++ return; ++ } ++ ++ for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++) ++ seq_printf(m, "\n %-12s %lu", vmstat_text[i], ++ zone_page_state(zone, i)); ++ ++ seq_printf(m, "\n pagesets"); + for_each_online_cpu(i) { + struct per_cpu_pageset *pageset; + diff --git a/queue-4.9/mmc-avoid-removing-non-removable-hosts-during-suspend.patch b/queue-4.9/mmc-avoid-removing-non-removable-hosts-during-suspend.patch new file mode 100644 index 00000000000..51b20f729d8 --- /dev/null +++ b/queue-4.9/mmc-avoid-removing-non-removable-hosts-during-suspend.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Daniel Drake +Date: Tue, 12 Dec 2017 10:49:02 +0000 +Subject: mmc: avoid removing non-removable hosts during suspend + +From: Daniel Drake + + +[ Upstream commit de8dcc3d2c0e08e5068ee1e26fc46415c15e3637 ] + +The Weibu F3C MiniPC has an onboard AP6255 module, presenting +two SDIO functions on a single MMC host (Bluetooth/btsdio and +WiFi/brcmfmac), and the mmc layer correctly detects this as +non-removable. + +After suspend/resume, the wifi and bluetooth interfaces disappear +and do not get probed again. + +The conditions here are: + + 1. During suspend, we reach mmc_pm_notify() + + 2. mmc_pm_notify() calls mmc_sdio_pre_suspend() to see if we can + suspend the SDIO host. However, mmc_sdio_pre_suspend() returns + -ENOSYS because btsdio_driver does not have a suspend method. + + 3. mmc_pm_notify() proceeds to remove the card + + 4. Upon resume, mmc_rescan() does nothing with this host, because of + the rescan_entered check which aims to only scan a non-removable + device a single time (i.e. during boot). + +Fix the loss of functionality by detecting that we are unable to +suspend a non-removable host, so avoid the forced removal in that +case. The comment above this function already indicates that this +code was only intended for removable devices. + +Signed-off-by: Daniel Drake +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -2974,6 +2974,14 @@ static int mmc_pm_notify(struct notifier + if (!err) + break; + ++ if (!mmc_card_is_removable(host)) { ++ dev_warn(mmc_dev(host), ++ "pre_suspend failed for non-removable host: " ++ "%d\n", err); ++ /* Avoid removing non-removable hosts */ ++ break; ++ } ++ + /* Calling bus_ops->remove() with a claimed host can deadlock */ + host->bus_ops->remove(host); + mmc_claim_host(host); diff --git a/queue-4.9/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch b/queue-4.9/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch new file mode 100644 index 00000000000..2002db3e7a5 --- /dev/null +++ b/queue-4.9/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Mon, 10 Apr 2017 16:54:17 +0300 +Subject: mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() + +From: Dan Carpenter + + +[ Upstream commit ec5ab8933772c87f24ad62a4a602fe8949f423c2 ] + +devm_pinctrl_get() returns error pointers, it never returns NULL. + +Fixes: 455e5cd6f736 ("mmc: omap_hsmmc: Pin remux workaround to support SDIO interrupt on AM335x") +Signed-off-by: Dan Carpenter +Reviewed-by: Kishon Vijay Abraham I +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/omap_hsmmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1762,8 +1762,8 @@ static int omap_hsmmc_configure_wake_irq + */ + if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) { + struct pinctrl *p = devm_pinctrl_get(host->dev); +- if (!p) { +- ret = -ENODEV; ++ if (IS_ERR(p)) { ++ ret = PTR_ERR(p); + goto err_free_irq; + } + if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) { diff --git a/queue-4.9/mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch b/queue-4.9/mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch new file mode 100644 index 00000000000..fb7150210d0 --- /dev/null +++ b/queue-4.9/mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: yangbo lu +Date: Thu, 20 Apr 2017 14:58:29 +0800 +Subject: mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a + +From: yangbo lu + + +[ Upstream commit a627f025eb0534052ff451427c16750b3530634c ] + +The ls1046a datasheet specified that the max SD clock frequency +for eSDHC SDR104/HS200 was 167MHz, and the ls1012a datasheet +specified it's 125MHz for ls1012a. So this patch is to add the +limitation. + +Signed-off-by: Yangbo Lu +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-of-esdhc.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mmc/host/sdhci-of-esdhc.c ++++ b/drivers/mmc/host/sdhci-of-esdhc.c +@@ -432,6 +432,20 @@ static void esdhc_of_set_clock(struct sd + if (esdhc->vendor_ver < VENDOR_V_23) + pre_div = 2; + ++ /* ++ * Limit SD clock to 167MHz for ls1046a according to its datasheet ++ */ ++ if (clock > 167000000 && ++ of_find_compatible_node(NULL, NULL, "fsl,ls1046a-esdhc")) ++ clock = 167000000; ++ ++ /* ++ * Limit SD clock to 125MHz for ls1012a according to its datasheet ++ */ ++ if (clock > 125000000 && ++ of_find_compatible_node(NULL, NULL, "fsl,ls1012a-esdhc")) ++ clock = 125000000; ++ + /* Workaround to reduce the clock frequency for p1010 esdhc */ + if (of_find_compatible_node(NULL, NULL, "fsl,p1010-esdhc")) { + if (clock > 20000000) diff --git a/queue-4.9/mt7601u-check-return-value-of-alloc_skb.patch b/queue-4.9/mt7601u-check-return-value-of-alloc_skb.patch new file mode 100644 index 00000000000..41b31ad81dd --- /dev/null +++ b/queue-4.9/mt7601u-check-return-value-of-alloc_skb.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 15:00:23 +0800 +Subject: mt7601u: check return value of alloc_skb + +From: Pan Bian + + +[ Upstream commit 5fb01e91daf84ad1e50edfcf63116ecbe31e7ba7 ] + +Function alloc_skb() will return a NULL pointer if there is no enough +memory. However, in function mt7601u_mcu_msg_alloc(), its return value +is not validated before it is used. This patch fixes it. + +Signed-off-by: Pan Bian +Acked-by: Jakub Kicinski +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt7601u/mcu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt7601u/mcu.c ++++ b/drivers/net/wireless/mediatek/mt7601u/mcu.c +@@ -66,8 +66,10 @@ mt7601u_mcu_msg_alloc(struct mt7601u_dev + WARN_ON(len % 4); /* if length is not divisible by 4 we need to pad */ + + skb = alloc_skb(len + MT_DMA_HDR_LEN + 4, GFP_KERNEL); +- skb_reserve(skb, MT_DMA_HDR_LEN); +- memcpy(skb_put(skb, len), data, len); ++ if (skb) { ++ skb_reserve(skb, MT_DMA_HDR_LEN); ++ memcpy(skb_put(skb, len), data, len); ++ } + + return skb; + } +@@ -170,6 +172,8 @@ static int mt7601u_mcu_function_select(s + }; + + skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg)); ++ if (!skb) ++ return -ENOMEM; + return mt7601u_mcu_msg_send(dev, skb, CMD_FUN_SET_OP, func == 5); + } + +@@ -205,6 +209,8 @@ mt7601u_mcu_calibrate(struct mt7601u_dev + }; + + skb = mt7601u_mcu_msg_alloc(dev, &msg, sizeof(msg)); ++ if (!skb) ++ return -ENOMEM; + return mt7601u_mcu_msg_send(dev, skb, CMD_CALIBRATION_OP, true); + } + diff --git a/queue-4.9/mtip32xx-use-runtime-tag-to-initialize-command-header.patch b/queue-4.9/mtip32xx-use-runtime-tag-to-initialize-command-header.patch new file mode 100644 index 00000000000..d11520c6422 --- /dev/null +++ b/queue-4.9/mtip32xx-use-runtime-tag-to-initialize-command-header.patch @@ -0,0 +1,102 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Ming Lei +Date: Thu, 27 Apr 2017 07:45:18 -0600 +Subject: mtip32xx: use runtime tag to initialize command header + +From: Ming Lei + + +[ Upstream commit a4e84aae8139aca9fbfbced1f45c51ca81b57488 ] + +mtip32xx supposes that 'request_idx' passed to .init_request() +is tag of the request, and use that as request's tag to initialize +command header. + +After MQ IO scheduler is in, request tag assigned isn't same with +the request index anymore, so cause strange hardware failure on +mtip32xx, even whole system panic is triggered. + +This patch fixes the issue by initializing command header via +request's real tag. + +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/mtip32xx/mtip32xx.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +--- a/drivers/block/mtip32xx/mtip32xx.c ++++ b/drivers/block/mtip32xx/mtip32xx.c +@@ -169,6 +169,25 @@ static bool mtip_check_surprise_removal( + return false; /* device present */ + } + ++/* we have to use runtime tag to setup command header */ ++static void mtip_init_cmd_header(struct request *rq) ++{ ++ struct driver_data *dd = rq->q->queuedata; ++ struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq); ++ u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64; ++ ++ /* Point the command headers at the command tables. */ ++ cmd->command_header = dd->port->command_list + ++ (sizeof(struct mtip_cmd_hdr) * rq->tag); ++ cmd->command_header_dma = dd->port->command_list_dma + ++ (sizeof(struct mtip_cmd_hdr) * rq->tag); ++ ++ if (host_cap_64) ++ cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16); ++ ++ cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF); ++} ++ + static struct mtip_cmd *mtip_get_int_command(struct driver_data *dd) + { + struct request *rq; +@@ -180,6 +199,9 @@ static struct mtip_cmd *mtip_get_int_com + if (IS_ERR(rq)) + return NULL; + ++ /* Internal cmd isn't submitted via .queue_rq */ ++ mtip_init_cmd_header(rq); ++ + return blk_mq_rq_to_pdu(rq); + } + +@@ -3811,6 +3833,8 @@ static int mtip_queue_rq(struct blk_mq_h + struct request *rq = bd->rq; + int ret; + ++ mtip_init_cmd_header(rq); ++ + if (unlikely(mtip_check_unal_depth(hctx, rq))) + return BLK_MQ_RQ_QUEUE_BUSY; + +@@ -3842,7 +3866,6 @@ static int mtip_init_cmd(void *data, str + { + struct driver_data *dd = data; + struct mtip_cmd *cmd = blk_mq_rq_to_pdu(rq); +- u32 host_cap_64 = readl(dd->mmio + HOST_CAP) & HOST_CAP_64; + + /* + * For flush requests, request_idx starts at the end of the +@@ -3859,17 +3882,6 @@ static int mtip_init_cmd(void *data, str + + memset(cmd->command, 0, CMD_DMA_ALLOC_SZ); + +- /* Point the command headers at the command tables. */ +- cmd->command_header = dd->port->command_list + +- (sizeof(struct mtip_cmd_hdr) * request_idx); +- cmd->command_header_dma = dd->port->command_list_dma + +- (sizeof(struct mtip_cmd_hdr) * request_idx); +- +- if (host_cap_64) +- cmd->command_header->ctbau = __force_bit2int cpu_to_le32((cmd->command_dma >> 16) >> 16); +- +- cmd->command_header->ctba = __force_bit2int cpu_to_le32(cmd->command_dma & 0xFFFFFFFF); +- + sg_init_table(cmd->sg, MTIP_MAX_SG); + return 0; + } diff --git a/queue-4.9/mwifiex-don-t-leak-chan_stats-on-reset.patch b/queue-4.9/mwifiex-don-t-leak-chan_stats-on-reset.patch new file mode 100644 index 00000000000..f4c468541b3 --- /dev/null +++ b/queue-4.9/mwifiex-don-t-leak-chan_stats-on-reset.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Brian Norris +Date: Fri, 14 Apr 2017 14:51:20 -0700 +Subject: mwifiex: don't leak 'chan_stats' on reset + +From: Brian Norris + + +[ Upstream commit fb9e67bee3ab7111513130c516ffe378d885c0d0 ] + +'chan_stats' is (re)allocated in _mwifiex_fw_dpc() -> +mwifiex_init_channel_scan_gap(), which is called whenever the device is +initialized -- at probe or at reset. + +But we only free it in we completely unregister the adapter, meaning we +leak a copy of it during every reset. + +Let's free it in the shutdown / removal paths instead (and in the +error-handling path), to avoid the leak. + +Ideally, we can eventually unify much of mwifiex_shutdown_sw() and +mwifiex_remove_card() (way too much copy-and-paste) to reduce the burden +on bugfixes like this. But that's work for tomorrow. + +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/marvell/mwifiex/main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/marvell/mwifiex/main.c ++++ b/drivers/net/wireless/marvell/mwifiex/main.c +@@ -146,7 +146,6 @@ static int mwifiex_unregister(struct mwi + + kfree(adapter->regd); + +- vfree(adapter->chan_stats); + kfree(adapter); + return 0; + } +@@ -636,6 +635,7 @@ static void mwifiex_fw_dpc(const struct + goto done; + + err_add_intf: ++ vfree(adapter->chan_stats); + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); + err_init_fw: +@@ -1429,6 +1429,7 @@ mwifiex_shutdown_sw(struct mwifiex_adapt + mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev); + rtnl_unlock(); + } ++ vfree(adapter->chan_stats); + + up(sem); + exit_sem_err: +@@ -1729,6 +1730,7 @@ int mwifiex_remove_card(struct mwifiex_a + mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev); + rtnl_unlock(); + } ++ vfree(adapter->chan_stats); + + wiphy_unregister(adapter->wiphy); + wiphy_free(adapter->wiphy); diff --git a/queue-4.9/net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch b/queue-4.9/net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch new file mode 100644 index 00000000000..a4325a70135 --- /dev/null +++ b/queue-4.9/net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Christophe Leroy +Date: Tue, 7 Feb 2017 10:05:09 +0100 +Subject: net: ethernet: ucc_geth: fix MEM_PART_MURAM mode + +From: Christophe Leroy + + +[ Upstream commit 8b8642af15ed14b9a7a34d3401afbcc274533e13 ] + +Since commit 5093bb965a163 ("powerpc/QE: switch to the cpm_muram +implementation"), muram area is not part of immrbar mapping anymore +so immrbar_virt_to_phys() is not usable anymore. + +Fixes: 5093bb965a163 ("powerpc/QE: switch to the cpm_muram implementation") +Signed-off-by: Christophe Leroy +Acked-by: David S. Miller +Acked-by: Li Yang +Signed-off-by: Scott Wood +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/ucc_geth.c | 8 +++----- + include/soc/fsl/qe/qe.h | 1 + + 2 files changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/freescale/ucc_geth.c ++++ b/drivers/net/ethernet/freescale/ucc_geth.c +@@ -2594,11 +2594,10 @@ static int ucc_geth_startup(struct ucc_g + } else if (ugeth->ug_info->uf_info.bd_mem_part == + MEM_PART_MURAM) { + out_be32(&ugeth->p_send_q_mem_reg->sqqd[i].bd_ring_base, +- (u32) immrbar_virt_to_phys(ugeth-> +- p_tx_bd_ring[i])); ++ (u32)qe_muram_dma(ugeth->p_tx_bd_ring[i])); + out_be32(&ugeth->p_send_q_mem_reg->sqqd[i]. + last_bd_completed_address, +- (u32) immrbar_virt_to_phys(endOfRing)); ++ (u32)qe_muram_dma(endOfRing)); + } + } + +@@ -2844,8 +2843,7 @@ static int ucc_geth_startup(struct ucc_g + } else if (ugeth->ug_info->uf_info.bd_mem_part == + MEM_PART_MURAM) { + out_be32(&ugeth->p_rx_bd_qs_tbl[i].externalbdbaseptr, +- (u32) immrbar_virt_to_phys(ugeth-> +- p_rx_bd_ring[i])); ++ (u32)qe_muram_dma(ugeth->p_rx_bd_ring[i])); + } + /* rest of fields handled by QE */ + } +--- a/include/soc/fsl/qe/qe.h ++++ b/include/soc/fsl/qe/qe.h +@@ -243,6 +243,7 @@ static inline int qe_alive_during_sleep( + #define qe_muram_free cpm_muram_free + #define qe_muram_addr cpm_muram_addr + #define qe_muram_offset cpm_muram_offset ++#define qe_muram_dma cpm_muram_dma + + #define qe_setbits32(_addr, _v) iowrite32be(ioread32be(_addr) | (_v), (_addr)) + #define qe_clrbits32(_addr, _v) iowrite32be(ioread32be(_addr) & ~(_v), (_addr)) diff --git a/queue-4.9/net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch b/queue-4.9/net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch new file mode 100644 index 00000000000..5fc4d2395c6 --- /dev/null +++ b/queue-4.9/net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch @@ -0,0 +1,82 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Timmy Li +Date: Tue, 2 May 2017 10:46:52 +0800 +Subject: net: hns: fix ethtool_get_strings overflow in hns driver + +From: Timmy Li + + +[ Upstream commit 412b65d15a7f8a93794653968308fc100f2aa87c ] + +hns_get_sset_count() returns HNS_NET_STATS_CNT and the data space allocated +is not enough for ethtool_get_strings(), which will cause random memory +corruption. + +When SLAB and DEBUG_SLAB are both enabled, memory corruptions like the +the following can be observed without this patch: +[ 43.115200] Slab corruption (Not tainted): Acpi-ParseExt start=ffff801fb0b69030, len=80 +[ 43.115206] Redzone: 0x9f911029d006462/0x5f78745f31657070. +[ 43.115208] Last user: [<5f7272655f746b70>](0x5f7272655f746b70) +[ 43.115214] 010: 70 70 65 31 5f 74 78 5f 70 6b 74 00 6b 6b 6b 6b ppe1_tx_pkt.kkkk +[ 43.115217] 030: 70 70 65 31 5f 74 78 5f 70 6b 74 5f 6f 6b 00 6b ppe1_tx_pkt_ok.k +[ 43.115218] Next obj: start=ffff801fb0b69098, len=80 +[ 43.115220] Redzone: 0x706d655f6f666966/0x9f911029d74e35b. +[ 43.115229] Last user: [](acpi_os_release_object+0x28/0x38) +[ 43.115231] 000: 74 79 00 6b 6b 6b 6b 6b 70 70 65 31 5f 74 78 5f ty.kkkkkppe1_tx_ +[ 43.115232] 010: 70 6b 74 5f 65 72 72 5f 63 73 75 6d 5f 66 61 69 pkt_err_csum_fai + +Signed-off-by: Timmy Li +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 2 +- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 2 +- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 2 +- + drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c +@@ -671,7 +671,7 @@ static void hns_gmac_get_strings(u32 str + + static int hns_gmac_get_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS) ++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) + return ARRAY_SIZE(g_gmac_stats_string); + + return 0; +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c +@@ -422,7 +422,7 @@ void hns_ppe_update_stats(struct hns_ppe + + int hns_ppe_get_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS) ++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) + return ETH_PPE_STATIC_NUM; + return 0; + } +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c +@@ -798,7 +798,7 @@ void hns_rcb_get_stats(struct hnae_queue + */ + int hns_rcb_get_ring_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS) ++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) + return HNS_RING_STATIC_REG_NUM; + + return 0; +--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_xgmac.c +@@ -776,7 +776,7 @@ static void hns_xgmac_get_strings(u32 st + */ + static int hns_xgmac_get_sset_count(int stringset) + { +- if (stringset == ETH_SS_STATS) ++ if (stringset == ETH_SS_STATS || stringset == ETH_SS_PRIV_FLAGS) + return ARRAY_SIZE(g_xgmac_stats_string); + + return 0; diff --git a/queue-4.9/net-ipv6-send-unsolicited-na-on-admin-up.patch b/queue-4.9/net-ipv6-send-unsolicited-na-on-admin-up.patch new file mode 100644 index 00000000000..a293f3c2932 --- /dev/null +++ b/queue-4.9/net-ipv6-send-unsolicited-na-on-admin-up.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: David Ahern +Date: Wed, 12 Apr 2017 11:49:04 -0700 +Subject: net: ipv6: send unsolicited NA on admin up + +From: David Ahern + + +[ Upstream commit 4a6e3c5def13c91adf2acc613837001f09af3baa ] + +ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is +set to 1, gratuitous arp requests are sent when the device is brought up. +The same is expected when ndisc_notify is set to 1 (per ndisc_notify in +Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP +event; add it. + +Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer address change") +Signed-off-by: David Ahern +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1723,6 +1723,8 @@ static int ndisc_netdev_event(struct not + case NETDEV_CHANGEADDR: + neigh_changeaddr(&nd_tbl, dev); + fib6_run_gc(0, net, false); ++ /* fallthrough */ ++ case NETDEV_UP: + idev = in6_dev_get(dev); + if (!idev) + break; diff --git a/queue-4.9/netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch b/queue-4.9/netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch new file mode 100644 index 00000000000..7a968fff0a0 --- /dev/null +++ b/queue-4.9/netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch @@ -0,0 +1,78 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Liping Zhang +Date: Sat, 15 Apr 2017 19:27:42 +0800 +Subject: netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink + +From: Liping Zhang + + +[ Upstream commit 66e5a6b18bd09d0431e97cd3c162e76c5c2aebba ] + +cthelpers added via nfnetlink may have the same tuple, i.e. except for +the l3proto and l4proto, other fields are all zero. So even with the +different names, we will also fail to add them: + # nfct helper add ssdp inet udp + # nfct helper add tftp inet udp + nfct v1.4.3: netlink error: File exists + +So in order to avoid unpredictable behaviour, we should: +1. cthelpers can be selected by nft ct helper obj or xt_CT target, so +report error if duplicated { name, l3proto, l4proto } tuple exist. +2. cthelpers can be selected by nf_ct_tuple_src_mask_cmp when +nf_ct_auto_assign_helper is enabled, so also report error if duplicated +{ l3proto, l4proto, src-port } tuple exist. + +Also note, if the cthelper is added from userspace, then the src-port will +always be zero, it's invalid for nf_ct_auto_assign_helper, so there's no +need to check the second point listed above. + +Fixes: 893e093c786c ("netfilter: nf_ct_helper: bail out on duplicated helpers") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_helper.c | 26 +++++++++++++++++++++----- + 1 file changed, 21 insertions(+), 5 deletions(-) + +--- a/net/netfilter/nf_conntrack_helper.c ++++ b/net/netfilter/nf_conntrack_helper.c +@@ -379,17 +379,33 @@ int nf_conntrack_helper_register(struct + struct nf_conntrack_tuple_mask mask = { .src.u.all = htons(0xFFFF) }; + unsigned int h = helper_hash(&me->tuple); + struct nf_conntrack_helper *cur; +- int ret = 0; ++ int ret = 0, i; + + BUG_ON(me->expect_policy == NULL); + BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); + BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); + + mutex_lock(&nf_ct_helper_mutex); +- hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { +- if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, &mask)) { +- ret = -EEXIST; +- goto out; ++ for (i = 0; i < nf_ct_helper_hsize; i++) { ++ hlist_for_each_entry(cur, &nf_ct_helper_hash[i], hnode) { ++ if (!strcmp(cur->name, me->name) && ++ (cur->tuple.src.l3num == NFPROTO_UNSPEC || ++ cur->tuple.src.l3num == me->tuple.src.l3num) && ++ cur->tuple.dst.protonum == me->tuple.dst.protonum) { ++ ret = -EEXIST; ++ goto out; ++ } ++ } ++ } ++ ++ /* avoid unpredictable behaviour for auto_assign_helper */ ++ if (!(me->flags & NF_CT_HELPER_F_USERSPACE)) { ++ hlist_for_each_entry(cur, &nf_ct_helper_hash[h], hnode) { ++ if (nf_ct_tuple_src_mask_cmp(&cur->tuple, &me->tuple, ++ &mask)) { ++ ret = -EEXIST; ++ goto out; ++ } + } + } + hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]); diff --git a/queue-4.9/netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch b/queue-4.9/netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch new file mode 100644 index 00000000000..d06f0460413 --- /dev/null +++ b/queue-4.9/netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch @@ -0,0 +1,68 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Liping Zhang +Date: Sun, 23 Apr 2017 18:29:30 +0800 +Subject: netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded + +From: Liping Zhang + + +[ Upstream commit 277a292835c196894ef895d5e1fd6170bb916f55 ] + +Currently, after adding the following nft rules: + # nft add set x target1 { type ipv4_addr \; flags timeout \;} + # nft add rule x y set add ip daddr timeout 1d @target1 counter + +the counters will always be zero despite of the elements are added +to the dynamic set "target1" or not, as we will break the nft expr +traversal unconditionally: + # nft list ruleset + ... + set target1 { + ... + elements = { 8.8.8.8 expires 23h59m53s} + } + chain output { + ... + set add ip daddr timeout 1d @target1 counter packets 0 bytes 0 + ^ ^ + ... + } + +Since we add the elements to the set successfully, we should continue +to the next expression. + +Additionally, if elements are added to "flow table" successfully, we +will _always_ continue to the next expr, even if the operation is +_OP_ADD. So it's better to keep them to be consistent. + +Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") +Reported-by: Robert White +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_dynset.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -82,8 +82,7 @@ static void nft_dynset_eval(const struct + nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) { + timeout = priv->timeout ? : set->timeout; + *nft_set_ext_expiration(ext) = jiffies + timeout; +- } else if (sexpr == NULL) +- goto out; ++ } + + if (sexpr != NULL) + sexpr->ops->eval(sexpr, regs, pkt); +@@ -92,7 +91,7 @@ static void nft_dynset_eval(const struct + regs->verdict.code = NFT_BREAK; + return; + } +-out: ++ + if (!priv->invert) + regs->verdict.code = NFT_BREAK; + } diff --git a/queue-4.9/netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch b/queue-4.9/netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch new file mode 100644 index 00000000000..e71caf22ced --- /dev/null +++ b/queue-4.9/netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Fri, 28 Apr 2017 15:57:56 +0300 +Subject: netfilter: x_tables: unlock on error in xt_find_table_lock() + +From: Dan Carpenter + + +[ Upstream commit 7dde07e9c53617549d67dd3e1d791496d0d3868e ] + +According to my static checker we should unlock here before the return. +That seems reasonable to me as well. + +Fixes" b9e69e127397 ("netfilter: xtables: don't hook tables by default") +Signed-off-by: Dan Carpenter +Acked-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/x_tables.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -1006,8 +1006,10 @@ struct xt_table *xt_find_table_lock(stru + list_for_each_entry(t, &init_net.xt.tables[af], list) { + if (strcmp(t->name, name)) + continue; +- if (!try_module_get(t->me)) ++ if (!try_module_get(t->me)) { ++ mutex_unlock(&xt[af].mutex); + return NULL; ++ } + + mutex_unlock(&xt[af].mutex); + if (t->table_init(net) != 0) { diff --git a/queue-4.9/netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch b/queue-4.9/netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch new file mode 100644 index 00000000000..c15edf801fd --- /dev/null +++ b/queue-4.9/netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch @@ -0,0 +1,72 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Gao Feng +Date: Fri, 14 Apr 2017 10:00:08 +0800 +Subject: netfilter: xt_CT: fix refcnt leak on error path + +From: Gao Feng + + +[ Upstream commit 470acf55a021713869b9bcc967268ac90c8a0fac ] + +There are two cases which causes refcnt leak. + +1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should +free the timeout refcnt. +Now goto the err_put_timeout error handler instead of going ahead. + +2. When the time policy is not found, we should call module_put. +Otherwise, the related cthelper module cannot be removed anymore. +It is easy to reproduce by typing the following command: + # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx + +Signed-off-by: Gao Feng +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/xt_CT.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -168,8 +168,10 @@ xt_ct_set_timeout(struct nf_conn *ct, co + goto err_put_timeout; + } + timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC); +- if (timeout_ext == NULL) ++ if (!timeout_ext) { + ret = -ENOMEM; ++ goto err_put_timeout; ++ } + + rcu_read_unlock(); + return ret; +@@ -201,6 +203,7 @@ static int xt_ct_tg_check(const struct x + struct xt_ct_target_info_v1 *info) + { + struct nf_conntrack_zone zone; ++ struct nf_conn_help *help; + struct nf_conn *ct; + int ret = -EOPNOTSUPP; + +@@ -249,7 +252,7 @@ static int xt_ct_tg_check(const struct x + if (info->timeout[0]) { + ret = xt_ct_set_timeout(ct, par, info->timeout); + if (ret < 0) +- goto err3; ++ goto err4; + } + __set_bit(IPS_CONFIRMED_BIT, &ct->status); + nf_conntrack_get(&ct->ct_general); +@@ -257,6 +260,10 @@ out: + info->ct = ct; + return 0; + ++err4: ++ help = nfct_help(ct); ++ if (help) ++ module_put(help->helper->me); + err3: + nf_ct_tmpl_free(ct); + err2: diff --git a/queue-4.9/netvsc-deal-with-rescinded-channels-correctly.patch b/queue-4.9/netvsc-deal-with-rescinded-channels-correctly.patch new file mode 100644 index 00000000000..2c9971447c5 --- /dev/null +++ b/queue-4.9/netvsc-deal-with-rescinded-channels-correctly.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: "K. Y. Srinivasan" +Date: Wed, 19 Apr 2017 13:53:49 -0700 +Subject: netvsc: Deal with rescinded channels correctly + +From: "K. Y. Srinivasan" + + +[ Upstream commit 73e64fa4f417b22d8d5521999a631ced8e2d442e ] + +We will not be able to send packets over a channel that has been +rescinded. Make necessary adjustments so we can properly cleanup +even when the channel is rescinded. This issue can be trigerred +in the NIC hot-remove path. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hyperv/netvsc.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/hyperv/netvsc.c ++++ b/drivers/net/hyperv/netvsc.c +@@ -151,6 +151,13 @@ static void netvsc_destroy_buf(struct hv + sizeof(struct nvsp_message), + (unsigned long)revoke_packet, + VM_PKT_DATA_INBAND, 0); ++ /* If the failure is because the channel is rescinded; ++ * ignore the failure since we cannot send on a rescinded ++ * channel. This would allow us to properly cleanup ++ * even when the channel is rescinded. ++ */ ++ if (device->channel->rescind) ++ ret = 0; + /* + * If we failed here, we might as well return and + * have a leak rather than continue and a bugchk +@@ -211,6 +218,15 @@ static void netvsc_destroy_buf(struct hv + sizeof(struct nvsp_message), + (unsigned long)revoke_packet, + VM_PKT_DATA_INBAND, 0); ++ ++ /* If the failure is because the channel is rescinded; ++ * ignore the failure since we cannot send on a rescinded ++ * channel. This would allow us to properly cleanup ++ * even when the channel is rescinded. ++ */ ++ if (device->channel->rescind) ++ ret = 0; ++ + /* If we failed here, we might as well return and + * have a leak rather than continue and a bugchk + */ diff --git a/queue-4.9/nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch b/queue-4.9/nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch new file mode 100644 index 00000000000..25fee7478ac --- /dev/null +++ b/queue-4.9/nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch @@ -0,0 +1,105 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: NeilBrown +Date: Wed, 15 Mar 2017 12:40:44 +1100 +Subject: NFS: don't try to cross a mountpount when there isn't one there. + +From: NeilBrown + + +[ Upstream commit 99bbf6ecc694dfe0b026e15359c5aa2a60b97a93 ] + +consider the sequence of commands: + mkdir -p /import/nfs /import/bind /import/etc + mount --bind / /import/bind + mount --make-private /import/bind + mount --bind /import/etc /import/bind/etc + + exportfs -o rw,no_root_squash,crossmnt,async,no_subtree_check localhost:/ + mount -o vers=4 localhost:/ /import/nfs + ls -l /import/nfs/etc + +You would not expect this to report a stale file handle. +Yet it does. + +The manipulations under /import/bind cause the dentry for +/etc to get the DCACHE_MOUNTED flag set, even though nothing +is mounted on /etc. This causes nfsd to call +nfsd_cross_mnt() even though there is no mountpoint. So an +upcall to mountd for "/etc" is performed. + +The 'crossmnt' flag on the export of / causes mountd to +report that /etc is exported as it is a descendant of /. It +assumes the kernel wouldn't ask about something that wasn't +a mountpoint. The filehandle returned identifies the +filesystem and the inode number of /etc. + +When this filehandle is presented to rpc.mountd, via +"nfsd.fh", the inode cannot be found associated with any +name in /etc/exports, or with any mountpoint listed by +getmntent(). So rpc.mountd says the filehandle doesn't +exist. Hence ESTALE. + +This is fixed by teaching nfsd not to trust DCACHE_MOUNTED +too much. It is just a hint, not a guarantee. +Change nfsd_mountpoint() to return '1' for a certain mountpoint, +'2' for a possible mountpoint, and 0 otherwise. + +Then change nfsd_crossmnt() to check if follow_down() +actually found a mountpount and, if not, to avoid performing +a lookup if the location is not known to certainly require +an export-point. + +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/vfs.c | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -94,6 +94,12 @@ nfsd_cross_mnt(struct svc_rqst *rqstp, s + err = follow_down(&path); + if (err < 0) + goto out; ++ if (path.mnt == exp->ex_path.mnt && path.dentry == dentry && ++ nfsd_mountpoint(dentry, exp) == 2) { ++ /* This is only a mountpoint in some other namespace */ ++ path_put(&path); ++ goto out; ++ } + + exp2 = rqst_exp_get_by_name(rqstp, &path); + if (IS_ERR(exp2)) { +@@ -167,16 +173,26 @@ static int nfsd_lookup_parent(struct svc + /* + * For nfsd purposes, we treat V4ROOT exports as though there was an + * export at *every* directory. ++ * We return: ++ * '1' if this dentry *must* be an export point, ++ * '2' if it might be, if there is really a mount here, and ++ * '0' if there is no chance of an export point here. + */ + int nfsd_mountpoint(struct dentry *dentry, struct svc_export *exp) + { +- if (d_mountpoint(dentry)) ++ if (!d_inode(dentry)) ++ return 0; ++ if (exp->ex_flags & NFSEXP_V4ROOT) + return 1; + if (nfsd4_is_junction(dentry)) + return 1; +- if (!(exp->ex_flags & NFSEXP_V4ROOT)) +- return 0; +- return d_inode(dentry) != NULL; ++ if (d_mountpoint(dentry)) ++ /* ++ * Might only be a mountpoint in a different namespace, ++ * but we need to check. ++ */ ++ return 2; ++ return 0; + } + + __be32 diff --git a/queue-4.9/nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch b/queue-4.9/nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch new file mode 100644 index 00000000000..0b397625840 --- /dev/null +++ b/queue-4.9/nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Benjamin Coddington +Date: Fri, 14 Apr 2017 12:29:54 -0400 +Subject: NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete() + +From: Benjamin Coddington + + +[ Upstream commit 43b7d964ed30dbca5c83c90cb010985b429ec4f9 ] + +Commit a7d42ddb3099727f58366fa006f850a219cce6c8 ("nfs: add mirroring +support to pgio layer") moved pg_cleanup out of the path when there was +non-sequental I/O that needed to be flushed. The result is that for +layouts that have more than one layout segment per file, the pg_lseg is not +cleared, so we can end up hitting the WARN_ON_ONCE(req_start >= seg_end) in +pnfs_generic_pg_test since the pg_lseg will be pointing to that +previously-flushed layout segment. + +Signed-off-by: Benjamin Coddington +Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pagelist.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -1262,8 +1262,10 @@ void nfs_pageio_cond_complete(struct nfs + mirror = &desc->pg_mirrors[midx]; + if (!list_empty(&mirror->pg_list)) { + prev = nfs_list_entry(mirror->pg_list.prev); +- if (index != prev->wb_index + 1) +- nfs_pageio_complete_mirror(desc, midx); ++ if (index != prev->wb_index + 1) { ++ nfs_pageio_complete(desc); ++ break; ++ } + } + } + } diff --git a/queue-4.9/nfsd4-permit-layoutget-of-executable-only-files.patch b/queue-4.9/nfsd4-permit-layoutget-of-executable-only-files.patch new file mode 100644 index 00000000000..e999bec4895 --- /dev/null +++ b/queue-4.9/nfsd4-permit-layoutget-of-executable-only-files.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Benjamin Coddington +Date: Tue, 19 Dec 2017 09:35:25 -0500 +Subject: nfsd4: permit layoutget of executable-only files + +From: Benjamin Coddington + + +[ Upstream commit 66282ec1cf004c09083c29cb5e49019037937bbd ] + +Clients must be able to read a file in order to execute it, and for pNFS +that means the client needs to be able to perform a LAYOUTGET on the file. + +This behavior for executable-only files was added for OPEN in commit +a043226bc140 "nfsd4: permit read opens of executable-only files". + +This fixes up xfstests generic/126 on block/scsi layouts. + +Signed-off-by: Benjamin Coddington +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1338,14 +1338,14 @@ nfsd4_layoutget(struct svc_rqst *rqstp, + const struct nfsd4_layout_ops *ops; + struct nfs4_layout_stateid *ls; + __be32 nfserr; +- int accmode; ++ int accmode = NFSD_MAY_READ_IF_EXEC; + + switch (lgp->lg_seg.iomode) { + case IOMODE_READ: +- accmode = NFSD_MAY_READ; ++ accmode |= NFSD_MAY_READ; + break; + case IOMODE_RW: +- accmode = NFSD_MAY_READ | NFSD_MAY_WRITE; ++ accmode |= NFSD_MAY_READ | NFSD_MAY_WRITE; + break; + default: + dprintk("%s: invalid iomode %d\n", diff --git a/queue-4.9/omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch b/queue-4.9/omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch new file mode 100644 index 00000000000..32c3d892a3d --- /dev/null +++ b/queue-4.9/omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch @@ -0,0 +1,132 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: "H. Nikolaus Schaller" +Date: Tue, 28 Nov 2017 16:48:54 +0100 +Subject: omapdrm: panel: fix compatible vendor string for td028ttec1 + +From: "H. Nikolaus Schaller" + + +[ Upstream commit c1b9d4c75cd549e08bd0596d7f9dcc20f7f6e8fa ] + +The vendor name was "toppoly" but other panels and the vendor list +have defined it as "tpo". So let's fix it in driver and bindings. + +We keep the old definition in parallel to stay compatible with +potential older DTB setup. + +Signed-off-by: H. Nikolaus Schaller +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/panel/toppoly,td028ttec1.txt | 30 ---------- + Documentation/devicetree/bindings/display/panel/tpo,td028ttec1.txt | 30 ++++++++++ + drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c | 3 + + drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c | 3 + + 4 files changed, 36 insertions(+), 30 deletions(-) + rename Documentation/devicetree/bindings/display/panel/{toppoly,td028ttec1.txt => tpo,td028ttec1.txt} (84%) + +--- a/Documentation/devicetree/bindings/display/panel/toppoly,td028ttec1.txt ++++ /dev/null +@@ -1,30 +0,0 @@ +-Toppoly TD028TTEC1 Panel +-======================== +- +-Required properties: +-- compatible: "toppoly,td028ttec1" +- +-Optional properties: +-- label: a symbolic name for the panel +- +-Required nodes: +-- Video port for DPI input +- +-Example +-------- +- +-lcd-panel: td028ttec1@0 { +- compatible = "toppoly,td028ttec1"; +- reg = <0>; +- spi-max-frequency = <100000>; +- spi-cpol; +- spi-cpha; +- +- label = "lcd"; +- port { +- lcd_in: endpoint { +- remote-endpoint = <&dpi_out>; +- }; +- }; +-}; +- +--- /dev/null ++++ b/Documentation/devicetree/bindings/display/panel/tpo,td028ttec1.txt +@@ -0,0 +1,30 @@ ++Toppoly TD028TTEC1 Panel ++======================== ++ ++Required properties: ++- compatible: "tpo,td028ttec1" ++ ++Optional properties: ++- label: a symbolic name for the panel ++ ++Required nodes: ++- Video port for DPI input ++ ++Example ++------- ++ ++lcd-panel: td028ttec1@0 { ++ compatible = "tpo,td028ttec1"; ++ reg = <0>; ++ spi-max-frequency = <100000>; ++ spi-cpol; ++ spi-cpha; ++ ++ label = "lcd"; ++ port { ++ lcd_in: endpoint { ++ remote-endpoint = <&dpi_out>; ++ }; ++ }; ++}; ++ +--- a/drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c ++++ b/drivers/gpu/drm/omapdrm/displays/panel-tpo-td028ttec1.c +@@ -456,6 +456,8 @@ static int td028ttec1_panel_remove(struc + } + + static const struct of_device_id td028ttec1_of_match[] = { ++ { .compatible = "omapdss,tpo,td028ttec1", }, ++ /* keep to not break older DTB */ + { .compatible = "omapdss,toppoly,td028ttec1", }, + {}, + }; +@@ -475,6 +477,7 @@ static struct spi_driver td028ttec1_spi_ + + module_spi_driver(td028ttec1_spi_driver); + ++MODULE_ALIAS("spi:tpo,td028ttec1"); + MODULE_ALIAS("spi:toppoly,td028ttec1"); + MODULE_AUTHOR("H. Nikolaus Schaller "); + MODULE_DESCRIPTION("Toppoly TD028TTEC1 panel driver"); +--- a/drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c ++++ b/drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c +@@ -455,6 +455,8 @@ static int td028ttec1_panel_remove(struc + } + + static const struct of_device_id td028ttec1_of_match[] = { ++ { .compatible = "omapdss,tpo,td028ttec1", }, ++ /* keep to not break older DTB */ + { .compatible = "omapdss,toppoly,td028ttec1", }, + {}, + }; +@@ -474,6 +476,7 @@ static struct spi_driver td028ttec1_spi_ + + module_spi_driver(td028ttec1_spi_driver); + ++MODULE_ALIAS("spi:tpo,td028ttec1"); + MODULE_ALIAS("spi:toppoly,td028ttec1"); + MODULE_AUTHOR("H. Nikolaus Schaller "); + MODULE_DESCRIPTION("Toppoly TD028TTEC1 panel driver"); diff --git a/queue-4.9/oom-improve-oom-disable-handling.patch b/queue-4.9/oom-improve-oom-disable-handling.patch new file mode 100644 index 00000000000..b381eed8636 --- /dev/null +++ b/queue-4.9/oom-improve-oom-disable-handling.patch @@ -0,0 +1,79 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Michal Hocko +Date: Wed, 3 May 2017 14:54:57 -0700 +Subject: oom: improve oom disable handling + +From: Michal Hocko + + +[ Upstream commit d75da004c708c9fca7b53f7da293a295522414d9 ] + +Tetsuo has reported that sysrq triggered OOM killer will print a +misleading information when no tasks are selected: + + sysrq: SysRq : Manual OOM execution + Out of memory: Kill process 4468 ((agetty)) score 0 or sacrifice child + Killed process 4468 ((agetty)) total-vm:43704kB, anon-rss:1760kB, file-rss:0kB, shmem-rss:0kB + sysrq: SysRq : Manual OOM execution + Out of memory: Kill process 4469 (systemd-cgroups) score 0 or sacrifice child + Killed process 4469 (systemd-cgroups) total-vm:10704kB, anon-rss:120kB, file-rss:0kB, shmem-rss:0kB + sysrq: SysRq : Manual OOM execution + sysrq: OOM request ignored because killer is disabled + sysrq: SysRq : Manual OOM execution + sysrq: OOM request ignored because killer is disabled + sysrq: SysRq : Manual OOM execution + sysrq: OOM request ignored because killer is disabled + +The real reason is that there are no eligible tasks for the OOM killer +to select but since commit 7c5f64f84483 ("mm: oom: deduplicate victim +selection code for memcg and global oom") the semantic of out_of_memory +has changed without updating moom_callback. + +This patch updates moom_callback to tell that no task was eligible which +is the case for both oom killer disabled and no eligible tasks. In +order to help distinguish first case from the second add printk to both +oom_killer_{enable,disable}. This information is useful on its own +because it might help debugging potential memory allocation failures. + +Fixes: 7c5f64f84483 ("mm: oom: deduplicate victim selection code for memcg and global oom") +Link: http://lkml.kernel.org/r/20170404134705.6361-1-mhocko@kernel.org +Signed-off-by: Michal Hocko +Reported-by: Tetsuo Handa +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/sysrq.c | 2 +- + mm/oom_kill.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/sysrq.c ++++ b/drivers/tty/sysrq.c +@@ -375,7 +375,7 @@ static void moom_callback(struct work_st + + mutex_lock(&oom_lock); + if (!out_of_memory(&oc)) +- pr_info("OOM request ignored because killer is disabled\n"); ++ pr_info("OOM request ignored. No task eligible\n"); + mutex_unlock(&oom_lock); + } + +--- a/mm/oom_kill.c ++++ b/mm/oom_kill.c +@@ -706,6 +706,7 @@ void exit_oom_victim(void) + void oom_killer_enable(void) + { + oom_killer_disabled = false; ++ pr_info("OOM killer enabled.\n"); + } + + /** +@@ -742,6 +743,7 @@ bool oom_killer_disable(signed long time + oom_killer_enable(); + return false; + } ++ pr_info("OOM killer disabled.\n"); + + return true; + } diff --git a/queue-4.9/openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch b/queue-4.9/openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch new file mode 100644 index 00000000000..4b5fb32a84b --- /dev/null +++ b/queue-4.9/openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch @@ -0,0 +1,85 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Jarno Rajahalme +Date: Fri, 14 Apr 2017 14:26:38 -0700 +Subject: openvswitch: Delete conntrack entry clashing with an expectation. + +From: Jarno Rajahalme + + +[ Upstream commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd ] + +Conntrack helpers do not check for a potentially clashing conntrack +entry when creating a new expectation. Also, nf_conntrack_in() will +check expectations (via init_conntrack()) only if a conntrack entry +can not be found. The expectation for a packet which also matches an +existing conntrack entry will not be removed by conntrack, and is +currently handled inconsistently by OVS, as OVS expects the +expectation to be removed when the connection tracking entry matching +that expectation is confirmed. + +It should be noted that normally an IP stack would not allow reuse of +a 5-tuple of an old (possibly lingering) connection for a new data +connection, so this is somewhat unlikely corner case. However, it is +possible that a misbehaving source could cause conntrack entries be +created that could then interfere with new related connections. + +Fix this in the OVS module by deleting the clashing conntrack entry +after an expectation has been matched. This causes the following +nf_conntrack_in() call also find the expectation and remove it when +creating the new conntrack entry, as well as the forthcoming reply +direction packets to match the new related connection instead of the +old clashing conntrack entry. + +Fixes: 7f8a436eaa2c ("openvswitch: Add conntrack action") +Reported-by: Yang Song +Signed-off-by: Jarno Rajahalme +Acked-by: Joe Stringer +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/openvswitch/conntrack.c | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +--- a/net/openvswitch/conntrack.c ++++ b/net/openvswitch/conntrack.c +@@ -396,10 +396,38 @@ ovs_ct_expect_find(struct net *net, cons + u16 proto, const struct sk_buff *skb) + { + struct nf_conntrack_tuple tuple; ++ struct nf_conntrack_expect *exp; + + if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple)) + return NULL; +- return __nf_ct_expect_find(net, zone, &tuple); ++ ++ exp = __nf_ct_expect_find(net, zone, &tuple); ++ if (exp) { ++ struct nf_conntrack_tuple_hash *h; ++ ++ /* Delete existing conntrack entry, if it clashes with the ++ * expectation. This can happen since conntrack ALGs do not ++ * check for clashes between (new) expectations and existing ++ * conntrack entries. nf_conntrack_in() will check the ++ * expectations only if a conntrack entry can not be found, ++ * which can lead to OVS finding the expectation (here) in the ++ * init direction, but which will not be removed by the ++ * nf_conntrack_in() call, if a matching conntrack entry is ++ * found instead. In this case all init direction packets ++ * would be reported as new related packets, while reply ++ * direction packets would be reported as un-related ++ * established packets. ++ */ ++ h = nf_conntrack_find_get(net, zone, &tuple); ++ if (h) { ++ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); ++ ++ nf_ct_delete(ct, 0, 0); ++ nf_conntrack_put(&ct->ct_general); ++ } ++ } ++ ++ return exp; + } + + /* This replicates logic from nf_conntrack_core.c that is not exported. */ diff --git a/queue-4.9/orangefs-do-not-wait-for-timeout-if-umounting.patch b/queue-4.9/orangefs-do-not-wait-for-timeout-if-umounting.patch new file mode 100644 index 00000000000..ac8a956bb40 --- /dev/null +++ b/queue-4.9/orangefs-do-not-wait-for-timeout-if-umounting.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Martin Brandenburg +Date: Tue, 25 Apr 2017 15:38:07 -0400 +Subject: orangefs: do not wait for timeout if umounting + +From: Martin Brandenburg + + +[ Upstream commit b5a9d61eebdd0016ccb383b25a5c3d04977a6549 ] + +When the computer is turned off, all the processes are killed and then +all the filesystems are umounted. OrangeFS should not wait for the +userspace daemon to come back in that case. + +This only works for plain umount(2). To actually take advantage of this +interactively, `umount -f' is needed; otherwise umount will issue a +statfs first, which will wait for the userspace daemon to come back. + +Signed-off-by: Martin Brandenburg +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/orangefs/waitqueue.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/orangefs/waitqueue.c ++++ b/fs/orangefs/waitqueue.c +@@ -124,7 +124,14 @@ retry_servicing: + gossip_debug(GOSSIP_WAIT_DEBUG, + "%s:client core is NOT in service.\n", + __func__); +- timeout = op_timeout_secs * HZ; ++ /* ++ * Don't wait for the userspace component to return if ++ * the filesystem is being umounted anyway. ++ */ ++ if (op->upcall.type == ORANGEFS_VFS_OP_FS_UMOUNT) ++ timeout = 0; ++ else ++ timeout = op_timeout_secs * HZ; + } + spin_unlock(&orangefs_request_list_lock); + diff --git a/queue-4.9/perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch b/queue-4.9/perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch new file mode 100644 index 00000000000..0dc3a551cd1 --- /dev/null +++ b/queue-4.9/perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Kim Phillips +Date: Wed, 3 May 2017 13:14:02 +0100 +Subject: perf tests kmod-path: Don't fail if compressed modules aren't supported + +From: Kim Phillips + + +[ Upstream commit 805b151a1afd24414706a7f6ae275fbb9649be74 ] + +__kmod_path__parse() uses is_supported_compression() to determine and +parse out compressed module file extensions. On systems without zlib, +this test fails and __kmod_path__parse() continues to strcmp "ko" with +"gz". Don't do this on those systems. + +Signed-off-by: Kim Phillips +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Peter Zijlstra +Fixes: 3c8a67f50a1e ("perf tools: Add kmod_path__parse function") +Link: http://lkml.kernel.org/r/20170503131402.c66e314460026c80cd787b34@arm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/kmod-path.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/tools/perf/tests/kmod-path.c ++++ b/tools/perf/tests/kmod-path.c +@@ -61,6 +61,7 @@ int test__kmod_path__parse(int subtest _ + M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_KERNEL, true); + M("/xxxx/xxxx/x-x.ko", PERF_RECORD_MISC_USER, false); + ++#ifdef HAVE_ZLIB_SUPPORT + /* path alloc_name alloc_ext kmod comp name ext */ + T("/xxxx/xxxx/x.ko.gz", true , true , true, true, "[x]", "gz"); + T("/xxxx/xxxx/x.ko.gz", false , true , true, true, NULL , "gz"); +@@ -96,6 +97,7 @@ int test__kmod_path__parse(int subtest _ + M("x.ko.gz", PERF_RECORD_MISC_CPUMODE_UNKNOWN, true); + M("x.ko.gz", PERF_RECORD_MISC_KERNEL, true); + M("x.ko.gz", PERF_RECORD_MISC_USER, false); ++#endif + + /* path alloc_name alloc_ext kmod comp name ext */ + T("[test_module]", true , true , true, false, "[test_module]", NULL); diff --git a/queue-4.9/pinctrl-really-force-states-during-suspend-resume.patch b/queue-4.9/pinctrl-really-force-states-during-suspend-resume.patch new file mode 100644 index 00000000000..289540a6c57 --- /dev/null +++ b/queue-4.9/pinctrl-really-force-states-during-suspend-resume.patch @@ -0,0 +1,107 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Florian Fainelli +Date: Wed, 1 Mar 2017 10:32:57 -0800 +Subject: pinctrl: Really force states during suspend/resume + +From: Florian Fainelli + + +[ Upstream commit 981ed1bfbc6c4660b2ddaa8392893e20a6255048 ] + +In case a platform only defaults a "default" set of pins, but not a +"sleep" set of pins, and this particular platform suspends and resumes +in a way that the pin states are not preserved by the hardware, when we +resume, we would call pinctrl_single_resume() -> pinctrl_force_default() +-> pinctrl_select_state() and the first thing we do is check that the +pins state is the same as before, and do nothing. + +In order to fix this, decouple the actual state change from +pinctrl_select_state() and move it pinctrl_commit_state(), while keeping +the p->state == state check in pinctrl_select_state() not to change the +caller assumptions. pinctrl_force_sleep() and pinctrl_force_default() +are updated to bypass the state check by calling pinctrl_commit_state(). + +[Linus Walleij] +The forced pin control states are currently only used in some pin +controller drivers that grab their own reference to their own pins. +This is equal to the pin control hogs: pins taken by pin control +devices since there are no corresponding device in the Linux device +hierarchy, such as memory controller lines or unused GPIO lines, +or GPIO lines that are used orthogonally from the GPIO subsystem +but pincontrol-wise managed as hogs (non-strict mode, allowing +simultaneous use by GPIO and pin control). For this case forcing +the state from the drivers' suspend()/resume() callbacks makes +sense and should semantically match the name of the function. + +Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device") +Signed-off-by: Florian Fainelli +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -992,19 +992,16 @@ struct pinctrl_state *pinctrl_lookup_sta + EXPORT_SYMBOL_GPL(pinctrl_lookup_state); + + /** +- * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW + * @p: the pinctrl handle for the device that requests configuration + * @state: the state handle to select/activate/program + */ +-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state) + { + struct pinctrl_setting *setting, *setting2; + struct pinctrl_state *old_state = p->state; + int ret; + +- if (p->state == state) +- return 0; +- + if (p->state) { + /* + * For each pinmux setting in the old state, forget SW's record +@@ -1068,6 +1065,19 @@ unapply_new_state: + + return ret; + } ++ ++/** ++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * @p: the pinctrl handle for the device that requests configuration ++ * @state: the state handle to select/activate/program ++ */ ++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++{ ++ if (p->state == state) ++ return 0; ++ ++ return pinctrl_commit_state(p, state); ++} + EXPORT_SYMBOL_GPL(pinctrl_select_state); + + static void devm_pinctrl_release(struct device *dev, void *res) +@@ -1236,7 +1246,7 @@ void pinctrl_unregister_map(struct pinct + int pinctrl_force_sleep(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_sleep); +@@ -1248,7 +1258,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep); + int pinctrl_force_default(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_default); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_default); diff --git a/queue-4.9/pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch b/queue-4.9/pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch new file mode 100644 index 00000000000..1593d3c709d --- /dev/null +++ b/queue-4.9/pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Brian Norris +Date: Tue, 12 Dec 2017 09:43:43 -0800 +Subject: pinctrl: rockchip: enable clock when reading pin direction register + +From: Brian Norris + + +[ Upstream commit 5c9d8c4f6b8168738a26bcf288516cc3a0886810 ] + +We generally leave the GPIO clock disabled, unless an interrupt is +requested or we're accessing IO registers. We forgot to do this for the +->get_direction() callback, which means we can sometimes [1] get +incorrect results [2] from, e.g., /sys/kernel/debug/gpio. + +Enable the clock, so we get the right results! + +[1] Sometimes, because many systems have 1 or mor interrupt requested on +each GPIO bank, so they always leave their clock on. + +[2] Incorrect, meaning the register returns 0, and so we interpret that +as "input". + +Signed-off-by: Brian Norris +Reviewed-by: Heiko Stuebner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-rockchip.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -1278,8 +1278,16 @@ static int rockchip_gpio_get_direction(s + { + struct rockchip_pin_bank *bank = gpiochip_get_data(chip); + u32 data; ++ int ret; + ++ ret = clk_enable(bank->clk); ++ if (ret < 0) { ++ dev_err(bank->drvdata->dev, ++ "failed to enable clock for bank %s\n", bank->name); ++ return ret; ++ } + data = readl_relaxed(bank->reg_base + GPIO_SWPORT_DDR); ++ clk_disable(bank->clk); + + return !(data & BIT(offset)); + } diff --git a/queue-4.9/platform-chrome-use-proper-protocol-transfer-function.patch b/queue-4.9/platform-chrome-use-proper-protocol-transfer-function.patch new file mode 100644 index 00000000000..1993d5653a0 --- /dev/null +++ b/queue-4.9/platform-chrome-use-proper-protocol-transfer-function.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Shawn Nematbakhsh +Date: Fri, 8 Sep 2017 13:50:11 -0700 +Subject: platform/chrome: Use proper protocol transfer function + +From: Shawn Nematbakhsh + + +[ Upstream commit d48b8c58c57f6edbe2965f0a5f62c5cf9593ca96 ] + +pkt_xfer should be used for protocol v3, and cmd_xfer otherwise. We had +one instance of these functions correct, but not the second, fall-back +case. We use the fall-back only when the first command returns an +IN_PROGRESS status, which is only used on some EC firmwares where we +don't want to constantly poll the bus, but instead back off and +sleep/retry for a little while. + +Fixes: 2c7589af3c4d ("mfd: cros_ec: add proto v3 skeleton") +Signed-off-by: Shawn Nematbakhsh +Signed-off-by: Brian Norris +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Benson Leung +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/chrome/cros_ec_proto.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/platform/chrome/cros_ec_proto.c ++++ b/drivers/platform/chrome/cros_ec_proto.c +@@ -60,12 +60,14 @@ static int send_command(struct cros_ec_d + struct cros_ec_command *msg) + { + int ret; ++ int (*xfer_fxn)(struct cros_ec_device *ec, struct cros_ec_command *msg); + + if (ec_dev->proto_version > 2) +- ret = ec_dev->pkt_xfer(ec_dev, msg); ++ xfer_fxn = ec_dev->pkt_xfer; + else +- ret = ec_dev->cmd_xfer(ec_dev, msg); ++ xfer_fxn = ec_dev->cmd_xfer; + ++ ret = (*xfer_fxn)(ec_dev, msg); + if (msg->result == EC_RES_IN_PROGRESS) { + int i; + struct cros_ec_command *status_msg; +@@ -88,7 +90,7 @@ static int send_command(struct cros_ec_d + for (i = 0; i < EC_COMMAND_RETRIES; i++) { + usleep_range(10000, 11000); + +- ret = ec_dev->cmd_xfer(ec_dev, status_msg); ++ ret = (*xfer_fxn)(ec_dev, status_msg); + if (ret < 0) + break; + diff --git a/queue-4.9/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch b/queue-4.9/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch new file mode 100644 index 00000000000..5bf516d2405 --- /dev/null +++ b/queue-4.9/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch @@ -0,0 +1,39 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Santeri Toivonen +Date: Tue, 4 Apr 2017 21:09:00 +0300 +Subject: platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA + +From: Santeri Toivonen + + +[ Upstream commit f35823619db8bbaa2afea8705f239c3cecb9d22f ] + +Asus laptop X302UA starts up with Wi-Fi disabled, +without a way to enable it. Set wapf=4 to fix the problem. + +Signed-off-by: Santeri Toivonen +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-nb-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -152,6 +152,15 @@ static const struct dmi_system_id asus_q + }, + { + .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. X302UA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"), ++ }, ++ .driver_data = &quirk_asus_wapf4, ++ }, ++ { ++ .callback = dmi_matched, + .ident = "ASUSTeK COMPUTER INC. X401U", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), diff --git a/queue-4.9/platform-x86-asus-wmi-try-to-set-als-by-default.patch b/queue-4.9/platform-x86-asus-wmi-try-to-set-als-by-default.patch new file mode 100644 index 00000000000..8f56034c540 --- /dev/null +++ b/queue-4.9/platform-x86-asus-wmi-try-to-set-als-by-default.patch @@ -0,0 +1,145 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Oleksij Rempel +Date: Fri, 28 Apr 2017 16:19:49 +0200 +Subject: platform/x86: asus-wmi: try to set als by default + +From: Oleksij Rempel + + +[ Upstream commit e9b615186805e2c18a0ac76aca62c1543ecfdbb8 ] + +some laptops, for example ASUS UX330UAK, have brocken als_get function +but working als_set funktion. In this case, ALS will stay turned off. + + Method (WMNB, 3, Serialized) + { + ... + If (Local0 == 0x53545344) + { + ... + If (IIA0 == 0x00050001) + { + If (!ALSP) + { + Return (0x02) + } + + Local0 = (GALS & 0x10) <<<---- bug, + should be: (GALS () & 0x10) + If (Local0) + { + Return (0x00050001) + } + Else + { + Return (0x00050000) + } + } + + ..... + If (Local0 == 0x53564544) + { + ... + If (IIA0 == 0x00050001) + { + Return (ALSC (IIA1)) + } + + ...... + Method (GALS, 0, NotSerialized) + { + Local0 = Zero + Local0 |= 0x20 + If (ALAE) + { + Local0 |= 0x10 + } + + Local1 = 0x0A + Local1 <<= 0x08 + Local0 |= Local1 + Return (Local0) + } + +Since it works without problems on Windows I assume ASUS WMI driver for Win +never trying to get ALS state, and instead it is setting it by default to ON. + +This patch will do the same. Turn ALS on by default. + +Signed-off-by: Oleksij Rempel +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-nb-wmi.c | 13 +++++++++++++ + drivers/platform/x86/asus-wmi.c | 12 ++++++++++++ + drivers/platform/x86/asus-wmi.h | 1 + + 3 files changed, 26 insertions(+) + +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -120,6 +120,10 @@ static struct quirk_entry quirk_asus_x55 + .xusb2pr = 0x01D9, + }; + ++static struct quirk_entry quirk_asus_ux330uak = { ++ .wmi_force_als_set = true, ++}; ++ + static int dmi_matched(const struct dmi_system_id *dmi) + { + quirks = dmi->driver_data; +@@ -422,6 +426,15 @@ static const struct dmi_system_id asus_q + }, + { + .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. UX330UAK", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "UX330UAK"), ++ }, ++ .driver_data = &quirk_asus_ux330uak, ++ }, ++ { ++ .callback = dmi_matched, + .ident = "ASUSTeK COMPUTER INC. X550LB", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1109,6 +1109,15 @@ static void asus_wmi_set_xusb2pr(struct + } + + /* ++ * Some devices dont support or have borcken get_als method ++ * but still support set method. ++ */ ++static void asus_wmi_set_als(void) ++{ ++ asus_wmi_set_devstate(ASUS_WMI_DEVID_ALS_ENABLE, 1, NULL); ++} ++ ++/* + * Hwmon device + */ + static int asus_hwmon_agfn_fan_speed_read(struct asus_wmi *asus, int fan, +@@ -2120,6 +2129,9 @@ static int asus_wmi_add(struct platform_ + goto fail_rfkill; + } + ++ if (asus->driver->quirks->wmi_force_als_set) ++ asus_wmi_set_als(); ++ + /* Some Asus desktop boards export an acpi-video backlight interface, + stop this from showing up */ + chassis_type = dmi_get_system_info(DMI_CHASSIS_TYPE); +--- a/drivers/platform/x86/asus-wmi.h ++++ b/drivers/platform/x86/asus-wmi.h +@@ -45,6 +45,7 @@ struct quirk_entry { + bool store_backlight_power; + bool wmi_backlight_power; + bool wmi_backlight_native; ++ bool wmi_force_als_set; + int wapf; + /* + * For machines with AMD graphic chips, it will send out WMI event diff --git a/queue-4.9/platform-x86-intel-vbtn-add-volume-up-and-down.patch b/queue-4.9/platform-x86-intel-vbtn-add-volume-up-and-down.patch new file mode 100644 index 00000000000..9015b46dc72 --- /dev/null +++ b/queue-4.9/platform-x86-intel-vbtn-add-volume-up-and-down.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Maarten Maathuis +Date: Mon, 24 Apr 2017 23:35:21 +0200 +Subject: platform/x86: intel-vbtn: add volume up and down + +From: Maarten Maathuis + + +[ Upstream commit 8d9e29972836b75eb74f533594999500a4c7cc19 ] + +Tested on HP Elite X2 1012 G1. +Matches event report of Lenovo Helix 2 +(https://www.spinics.net/lists/ibm-acpi-devel/msg03982.html). + +Signed-off-by: Maarten Maathuis +[andy: fixed indentation of comments and massaged title of the change] +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/intel-vbtn.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/platform/x86/intel-vbtn.c ++++ b/drivers/platform/x86/intel-vbtn.c +@@ -37,6 +37,10 @@ static const struct acpi_device_id intel + static const struct key_entry intel_vbtn_keymap[] = { + { KE_IGNORE, 0xC0, { KEY_POWER } }, /* power key press */ + { KE_KEY, 0xC1, { KEY_POWER } }, /* power key release */ ++ { KE_KEY, 0xC4, { KEY_VOLUMEUP } }, /* volume-up key press */ ++ { KE_IGNORE, 0xC5, { KEY_VOLUMEUP } }, /* volume-up key release */ ++ { KE_KEY, 0xC6, { KEY_VOLUMEDOWN } }, /* volume-down key press */ ++ { KE_IGNORE, 0xC7, { KEY_VOLUMEDOWN } }, /* volume-down key release */ + { KE_END }, + }; + diff --git a/queue-4.9/pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch b/queue-4.9/pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch new file mode 100644 index 00000000000..8c24e3b2a06 --- /dev/null +++ b/queue-4.9/pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch @@ -0,0 +1,55 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Trond Myklebust +Date: Mon, 1 May 2017 17:06:56 -0400 +Subject: pNFS: Fix a deadlock when coalescing writes and returning the layout + +From: Trond Myklebust + + +[ Upstream commit 61f454e30c18a28924e96be12592c0d5e24bcc81 ] + +Consider the following deadlock: + +Process P1 Process P2 Process P3 +========== ========== ========== + lock_page(page) + + lseg = pnfs_update_layout(inode) + +lo = NFS_I(inode)->layout +pnfs_error_mark_layout_for_return(lo) + + lock_page(page) + + lseg = pnfs_update_layout(inode) + +In this scenario, +- P1 has declared the layout to be in error, but P2 holds a reference to + a layout segment on that inode, so the layoutreturn is deferred. +- P2 is waiting for a page lock held by P3. +- P3 is asking for a new layout segment, but is blocked waiting + for the layoutreturn. + +The fix is to ensure that pnfs_error_mark_layout_for_return() does +not set the NFS_LAYOUT_RETURN flag, which blocks P3. Instead, we allow +the latter to call LAYOUTGET so that it can make progress and unblock +P2. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -1953,8 +1953,6 @@ void pnfs_error_mark_layout_for_return(s + + spin_lock(&inode->i_lock); + pnfs_set_plh_return_info(lo, range.iomode, 0); +- /* Block LAYOUTGET */ +- set_bit(NFS_LAYOUT_RETURN, &lo->plh_flags); + /* + * mark all matching lsegs so that we are sure to have no live + * segments at hand when sending layoutreturn. See pnfs_put_lseg() diff --git a/queue-4.9/pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch b/queue-4.9/pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch new file mode 100644 index 00000000000..f9a82fdb707 --- /dev/null +++ b/queue-4.9/pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Trond Myklebust +Date: Tue, 25 Apr 2017 11:26:53 -0400 +Subject: pNFS: Fix use after free issues in pnfs_do_read() + +From: Trond Myklebust + + +[ Upstream commit 6aeafd05eca9bc8ab6b03d7e56d09ffd18190f44 ] + +The assumption should be that if the caller returns PNFS_ATTEMPTED, then hdr +has been consumed, and so we should not be testing hdr->task.tk_status. +If the caller returns PNFS_TRY_AGAIN, then we need to recoalesce and +free hdr. + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/pnfs.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/fs/nfs/pnfs.c ++++ b/fs/nfs/pnfs.c +@@ -2308,10 +2308,20 @@ pnfs_do_read(struct nfs_pageio_descripto + enum pnfs_try_status trypnfs; + + trypnfs = pnfs_try_to_read_data(hdr, call_ops, lseg); +- if (trypnfs == PNFS_TRY_AGAIN) +- pnfs_read_resend_pnfs(hdr); +- if (trypnfs == PNFS_NOT_ATTEMPTED || hdr->task.tk_status) ++ switch (trypnfs) { ++ case PNFS_NOT_ATTEMPTED: + pnfs_read_through_mds(desc, hdr); ++ case PNFS_ATTEMPTED: ++ break; ++ case PNFS_TRY_AGAIN: ++ /* cleanup hdr and prepare to redo pnfs */ ++ if (!test_and_set_bit(NFS_IOHDR_REDO, &hdr->flags)) { ++ struct nfs_pgio_mirror *mirror = nfs_pgio_current_mirror(desc); ++ list_splice_init(&hdr->pages, &mirror->pg_list); ++ mirror->pg_recoalesce = 1; ++ } ++ hdr->mds_ops->rpc_release(hdr); ++ } + } + + static void pnfs_readhdr_free(struct nfs_pgio_header *hdr) diff --git a/queue-4.9/power-supply-bq24190_charger-add-disable-reset-device-property.patch b/queue-4.9/power-supply-bq24190_charger-add-disable-reset-device-property.patch new file mode 100644 index 00000000000..b0d69b463a5 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-add-disable-reset-device-property.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Fri, 14 Apr 2017 18:52:33 +0200 +Subject: power: supply: bq24190_charger: Add disable-reset device-property + +From: Hans de Goede + + +[ Upstream commit 6cf62a3b97e78ba41d31390e59a1ddc98a9e3622 ] + +Allow platform-code to disable the reset on probe and suspend/resume +by setting a "disable-reset" boolean device property on the device. + +There are several reasons why the platform-code may want to disable +the reset on probe and suspend/resume: + +1) Resetting the charger should never be necessary it should always have +sane values programmed. If it is running with invalid values while we +are not running (system turned off or suspended) there is a big problem +as that may lead to overcharging the battery. + +2) The reset in suspend() is meant to put the charger back into default +mode, but this is not necessary and not a good idea. If the charger has +been programmed with a higher max charge_current / charge_voltage then +putting it back in default-mode will reset those to the safe power-on +defaults, leading to slower charging, or charging to a lower voltage +(and thus not using the full capacity) while suspended which is +undesirable. Reprogramming the max charge_current / charge_voltage +after the reset will not help here as that will put the charger back +in host mode and start the i2c watchdog if the host then does not do +anything for 40s (iow if we're suspended for more then 40s) the watchdog +expires resetting the device to default-mode, including resetting all +the registers to there safe power-on defaults. So the only way to keep +using custom charge settings while suspending is to keep the charger in +its normal running state with the i2c watchdog disabled. This is fine +as the charger will still automatically switch from constant current +to constant voltage and stop charging when the battery is full. + +3) Besides never being necessary resetting the charger also causes +problems on systems where the charge voltage limit is set higher then the +reset value, if this is the case and the charger is reset while charging +and the battery voltage is between the 2 voltages, then about half the +time the charger gets confused and claims to be charging (REG08 contains +0x64) but in reality the charger has decoupled itself from VBUS (Q1 off) +and is drawing 0A from VBUS, leaving the system running from the battery. + +This last problem is happening on a GPD-win mini PC with a bq24292i +charger chip combined with a max17047 fuel-gauge and a LiHV battery. +I've checked and TI does not list any errata for the bq24292i which +could explain this (there are no errata at all). + +Cc: Liam Breck +Cc: Tony Lindgren +Signed-off-by: Hans de Goede +Acked-by: Liam Breck +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq24190_charger.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -506,6 +506,9 @@ static int bq24190_register_reset(struct + int ret, limit = 100; + u8 v; + ++ if (device_property_read_bool(bdi->dev, "disable-reset")) ++ return 0; ++ + /* Reset the registers */ + ret = bq24190_write_mask(bdi, BQ24190_REG_POC, + BQ24190_REG_POC_RESET_MASK, diff --git a/queue-4.9/power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch b/queue-4.9/power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch new file mode 100644 index 00000000000..968e53e9786 --- /dev/null +++ b/queue-4.9/power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Liam Breck +Date: Tue, 11 Apr 2017 04:59:54 -0700 +Subject: power: supply: bq24190_charger: Limit over/under voltage fault logging + +From: Liam Breck + + +[ Upstream commit d63d07c6fc25182af6d3ab5b3b8737b0c1025ebd ] + +If the charger is unplugged before the battery is full we may +see an over/under voltage fault. Ignore this rather then emitting +a message or uevent. + +This fixes messages like these getting logged on charger unplug + replug: +bq24190-charger 15-006b: Fault: boost 0, charge 1, battery 0, ntc 0 +bq24190-charger 15-006b: Fault: boost 0, charge 0, battery 0, ntc 0 + +Cc: Tony Lindgren +Cc: Hans de Goede +Signed-off-by: Liam Breck +Acked-by: Tony Lindgren +Reviewed-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq24190_charger.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/bq24190_charger.c ++++ b/drivers/power/supply/bq24190_charger.c +@@ -1184,8 +1184,13 @@ static irqreturn_t bq24190_irq_handler_t + } + } while (f_reg && ++i < 2); + ++ /* ignore over/under voltage fault after disconnect */ ++ if (f_reg == (1 << BQ24190_REG_F_CHRG_FAULT_SHIFT) && ++ !(ss_reg & BQ24190_REG_SS_PG_STAT_MASK)) ++ f_reg = 0; ++ + if (f_reg != bdi->f_reg) { +- dev_info(bdi->dev, ++ dev_warn(bdi->dev, + "Fault: boost %d, charge %d, battery %d, ntc %d\n", + !!(f_reg & BQ24190_REG_F_BOOST_FAULT_MASK), + !!(f_reg & BQ24190_REG_F_CHRG_FAULT_MASK), diff --git a/queue-4.9/power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch b/queue-4.9/power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch new file mode 100644 index 00000000000..b8a0aa6277b --- /dev/null +++ b/queue-4.9/power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Mon, 24 Apr 2017 16:22:08 +0800 +Subject: power: supply: isp1704: Fix unchecked return value of devm_kzalloc + +From: Pan Bian + + +[ Upstream commit 8b20839988f1ed5e534b270f3776709b640dc7e0 ] + +Function devm_kzalloc() will return a NULL pointer. However, in function +isp1704_charger_probe(), the return value of devm_kzalloc() is directly +used without validation. This may result in a bad memory access bug. + +Fixes: 34a109610e2a ("isp1704_charger: Add DT support") +Signed-off-by: Pan Bian +Reviewed-by: Pali Rohár +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/isp1704_charger.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/power/supply/isp1704_charger.c ++++ b/drivers/power/supply/isp1704_charger.c +@@ -418,6 +418,10 @@ static int isp1704_charger_probe(struct + + pdata = devm_kzalloc(&pdev->dev, + sizeof(struct isp1704_charger_data), GFP_KERNEL); ++ if (!pdata) { ++ ret = -ENOMEM; ++ goto fail0; ++ } + pdata->enable_gpio = gpio; + + dev_info(&pdev->dev, "init gpio %d\n", pdata->enable_gpio); diff --git a/queue-4.9/power-supply-pda_power-move-from-timer-to-delayed_work.patch b/queue-4.9/power-supply-pda_power-move-from-timer-to-delayed_work.patch new file mode 100644 index 00000000000..bba470eeeb7 --- /dev/null +++ b/queue-4.9/power-supply-pda_power-move-from-timer-to-delayed_work.patch @@ -0,0 +1,179 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Michael Trimarchi +Date: Tue, 25 Apr 2017 15:18:05 +0200 +Subject: power: supply: pda_power: move from timer to delayed_work + +From: Michael Trimarchi + + +[ Upstream commit 633e8799ddc09431be2744c4a1efdbda13af2b0b ] + +This changed is needed to avoid locking problem during +boot as shown: + +<5>[ 8.824096] Registering SWP/SWPB emulation handler +<6>[ 8.977294] clock: disabling unused clocks to save power +<3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269 +<3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0 +<4>[ 9.130249] 3 locks held by swapper/0/1: +<4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [] __driver_attach+0x58/0xa8 +<4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [] __driver_attach+0x68/0xa8 +<4>[ 9.154357] #2: (&polling_timer){......}, at: [] run_timer_softirq+0x108/0x3ec +<4>[ 9.163726] Backtrace: +<4>[ 9.166473] [] (dump_backtrace+0x0/0x114) from [] (dump_stack+0x20/0x24) +<4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113 +<4>[ 9.182250] [] (dump_stack+0x0/0x24) from [] (__might_sleep+0x10c/0x128) +<4>[ 9.191650] [] (__might_sleep+0x0/0x128) from [] (mutex_lock_nested+0x34/0x36c) +<4>[ 9.201660] r5:c02d5350 r4:d79a0c64 +<4>[ 9.205688] [] (mutex_lock_nested+0x0/0x36c) from [] (regulator_set_current_limit+0x30/0x118) +<4>[ 9.217071] [] (regulator_set_current_limit+0x0/0x118) from [] (update_charger+0x84/0xc4) +<4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000 +<4>[ 9.234436] [] (update_charger+0x0/0xc4) from [] (psy_changed+0x20/0x48) +<4>[ 9.243804] r5:d782e000 r4:c1767e94 +<4>[ 9.247802] [] (psy_changed+0x0/0x48) from [] (polling_timer_func+0x84/0xb8) +<4>[ 9.257537] r4:c1767e94 r3:00000002 +<4>[ 9.261566] [] (polling_timer_func+0x0/0xb8) from [] (run_timer_softirq+0x17c/0x3ec) +<4>[ 9.272033] r4:c1767eb0 r3:00000000 +<4>[ 9.276062] [] (run_timer_softirq+0x0/0x3ec) from [] (__do_softirq+0xf0/0x298) +<4>[ 9.286010] [] (__do_softirq+0x0/0x298) from [] (irq_exit+0x98/0xa0) +<4>[ 9.295013] [] (irq_exit+0x0/0xa0) from [] (handle_IRQ+0x60/0xc0) +<4>[ 9.303680] r4:c1194e98 r3:c00bc778 +<4>[ 9.307708] [] (handle_IRQ+0x0/0xc0) from [] (gic_handle_irq+0x34/0x68) +<4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100 +<4>[ 9.324310] r3:c026ba48 +<4>[ 9.327301] [] (gic_handle_irq+0x0/0x68) from [] (__irq_svc+0x40/0x74) +<4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50) +<4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000 +<4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50 +<4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff + +Fixes: b2998049cfae ("[BATTERY] pda_power platform driver") +Signed-off-by: Michael Trimarchi +Signed-off-by: Anthony Brandon +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/pda_power.c | 49 +++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 22 deletions(-) + +--- a/drivers/power/supply/pda_power.c ++++ b/drivers/power/supply/pda_power.c +@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags + static struct device *dev; + static struct pda_power_pdata *pdata; + static struct resource *ac_irq, *usb_irq; +-static struct timer_list charger_timer; +-static struct timer_list supply_timer; +-static struct timer_list polling_timer; ++static struct delayed_work charger_work; ++static struct delayed_work polling_work; ++static struct delayed_work supply_work; + static int polling; + static struct power_supply *pda_psy_ac, *pda_psy_usb; + +@@ -140,7 +140,7 @@ static void update_charger(void) + } + } + +-static void supply_timer_func(unsigned long unused) ++static void supply_work_func(struct work_struct *work) + { + if (ac_status == PDA_PSY_TO_CHANGE) { + ac_status = new_ac_status; +@@ -161,11 +161,12 @@ static void psy_changed(void) + * Okay, charger set. Now wait a bit before notifying supplicants, + * charge power should stabilize. + */ +- mod_timer(&supply_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_charger)); ++ cancel_delayed_work(&supply_work); ++ schedule_delayed_work(&supply_work, ++ msecs_to_jiffies(pdata->wait_for_charger)); + } + +-static void charger_timer_func(unsigned long unused) ++static void charger_work_func(struct work_struct *work) + { + update_status(); + psy_changed(); +@@ -184,13 +185,14 @@ static irqreturn_t power_changed_isr(int + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return IRQ_HANDLED; + } + +-static void polling_timer_func(unsigned long unused) ++static void polling_work_func(struct work_struct *work) + { + int changed = 0; + +@@ -211,8 +213,9 @@ static void polling_timer_func(unsigned + if (changed) + psy_changed(); + +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + #if IS_ENABLED(CONFIG_USB_PHY) +@@ -250,8 +253,9 @@ static int otg_handle_notification(struc + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return NOTIFY_OK; + } +@@ -300,8 +304,8 @@ static int pda_power_probe(struct platfo + if (!pdata->ac_max_uA) + pdata->ac_max_uA = 500000; + +- setup_timer(&charger_timer, charger_timer_func, 0); +- setup_timer(&supply_timer, supply_timer_func, 0); ++ INIT_DELAYED_WORK(&charger_work, charger_work_func); ++ INIT_DELAYED_WORK(&supply_work, supply_work_func); + + ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac"); + usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb"); +@@ -385,9 +389,10 @@ static int pda_power_probe(struct platfo + + if (polling) { + dev_dbg(dev, "will poll for status\n"); +- setup_timer(&polling_timer, polling_timer_func, 0); +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ INIT_DELAYED_WORK(&polling_work, polling_work_func); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + if (ac_irq || usb_irq) +@@ -433,9 +438,9 @@ static int pda_power_remove(struct platf + free_irq(ac_irq->start, pda_psy_ac); + + if (polling) +- del_timer_sync(&polling_timer); +- del_timer_sync(&charger_timer); +- del_timer_sync(&supply_timer); ++ cancel_delayed_work_sync(&polling_work); ++ cancel_delayed_work_sync(&charger_work); ++ cancel_delayed_work_sync(&supply_work); + + if (pdata->is_usb_online) + power_supply_unregister(pda_psy_usb); diff --git a/queue-4.9/powerpc-64s-remove-sao-feature-from-power9-dd1.patch b/queue-4.9/powerpc-64s-remove-sao-feature-from-power9-dd1.patch new file mode 100644 index 00000000000..3a707eb22d5 --- /dev/null +++ b/queue-4.9/powerpc-64s-remove-sao-feature-from-power9-dd1.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Nicholas Piggin +Date: Wed, 19 Apr 2017 12:27:38 +1000 +Subject: powerpc/64s: Remove SAO feature from Power9 DD1 + +From: Nicholas Piggin + + +[ Upstream commit ca80d5d0a8175c9be04cfbce24180b8f5e0a744b ] + +Power9 DD1 does not implement SAO. Although it's not widely used, its presence +or absence is visible to user space via arch_validate_prot() so it's moderately +important that we get the value right. + +Fixes: 7dccfbc325bb ("powerpc/book3s: Add a cpu table entry for different POWER9 revs") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/cputable.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/cputable.h ++++ b/arch/powerpc/include/asm/cputable.h +@@ -474,7 +474,8 @@ enum { + CPU_FTR_ICSWX | CPU_FTR_CFAR | CPU_FTR_HVMODE | CPU_FTR_VMX_COPY | \ + CPU_FTR_DBELL | CPU_FTR_HAS_PPR | CPU_FTR_DAWR | \ + CPU_FTR_ARCH_207S | CPU_FTR_TM_COMP | CPU_FTR_ARCH_300) +-#define CPU_FTRS_POWER9_DD1 (CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD1) ++#define CPU_FTRS_POWER9_DD1 ((CPU_FTRS_POWER9 | CPU_FTR_POWER9_DD1) & \ ++ (~CPU_FTR_SAO)) + #define CPU_FTRS_CELL (CPU_FTR_USE_TB | CPU_FTR_LWSYNC | \ + CPU_FTR_PPCAS_ARCH_V2 | CPU_FTR_CTRL | \ + CPU_FTR_ALTIVEC_COMP | CPU_FTR_MMCRA | CPU_FTR_SMT | \ diff --git a/queue-4.9/pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch b/queue-4.9/pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch new file mode 100644 index 00000000000..c543b19c399 --- /dev/null +++ b/queue-4.9/pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch @@ -0,0 +1,80 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Sahara +Date: Wed, 13 Dec 2017 09:10:48 +0400 +Subject: pty: cancel pty slave port buf's work in tty_release + +From: Sahara + + +[ Upstream commit 2b022ab7542df60021ab57854b3faaaf42552eaf ] + +In case that CONFIG_SLUB_DEBUG is on and pty is used, races between +release_one_tty and flush_to_ldisc work threads may happen and lead +to use-after-free condition on tty->link->port. Because SLUB_DEBUG +is turned on, freed tty->link->port is filled with POISON_FREE value. +So far without SLUB_DEBUG, port was filled with zero and flush_to_ldisc +could return without a problem by checking if tty is NULL. + +CPU 0 CPU 1 +----- ----- +release_tty pty_write + cancel_work_sync(tty) to = tty->link + tty_kref_put(tty->link) tty_schedule_flip(to->port) + << workqueue >> ... + release_one_tty ... + pty_cleanup ... + kfree(tty->link->port) << workqueue >> + flush_to_ldisc + tty = READ_ONCE(port->itty) + tty is 0x6b6b6b6b6b6b6b6b + !!PANIC!! access tty->ldisc + + Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b93 + pgd = ffffffc0eb1c3000 + [6b6b6b6b6b6b6b93] *pgd=0000000000000000, *pud=0000000000000000 + ------------[ cut here ]------------ + Kernel BUG at ffffff800851154c [verbose debug info unavailable] + Internal error: Oops - BUG: 96000004 [#1] PREEMPT SMP + CPU: 3 PID: 265 Comm: kworker/u8:9 Tainted: G W 3.18.31-g0a58eeb #1 + Hardware name: Qualcomm Technologies, Inc. MSM 8996pro v1.1 + PMI8996 Carbide (DT) + Workqueue: events_unbound flush_to_ldisc + task: ffffffc0ed610ec0 ti: ffffffc0ed624000 task.ti: ffffffc0ed624000 + PC is at ldsem_down_read_trylock+0x0/0x4c + LR is at tty_ldisc_ref+0x24/0x4c + pc : [] lr : [] pstate: 80400145 + sp : ffffffc0ed627cd0 + x29: ffffffc0ed627cd0 x28: 0000000000000000 + x27: ffffff8009e05000 x26: ffffffc0d382cfa0 + x25: 0000000000000000 x24: ffffff800a012f08 + x23: 0000000000000000 x22: ffffffc0703fbc88 + x21: 6b6b6b6b6b6b6b6b x20: 6b6b6b6b6b6b6b93 + x19: 0000000000000000 x18: 0000000000000001 + x17: 00e80000f80d6f53 x16: 0000000000000001 + x15: 0000007f7d826fff x14: 00000000000000a0 + x13: 0000000000000000 x12: 0000000000000109 + x11: 0000000000000000 x10: 0000000000000000 + x9 : ffffffc0ed624000 x8 : ffffffc0ed611580 + x7 : 0000000000000000 x6 : ffffff800a42e000 + x5 : 00000000000003fc x4 : 0000000003bd1201 + x3 : 0000000000000001 x2 : 0000000000000001 + x1 : ffffff800851004c x0 : 6b6b6b6b6b6b6b93 + +Signed-off-by: Sahara +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/tty_io.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1702,6 +1702,8 @@ static void release_tty(struct tty_struc + if (tty->link) + tty->link->port->itty = NULL; + tty_buffer_cancel_work(tty->port); ++ if (tty->link) ++ tty_buffer_cancel_work(tty->link->port); + + tty_kref_put(tty->link); + tty_kref_put(tty); diff --git a/queue-4.9/qed-unlock-on-error-in-qed_vf_pf_acquire.patch b/queue-4.9/qed-unlock-on-error-in-qed_vf_pf_acquire.patch new file mode 100644 index 00000000000..2e6fca3f9b5 --- /dev/null +++ b/queue-4.9/qed-unlock-on-error-in-qed_vf_pf_acquire.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Carpenter +Date: Fri, 28 Apr 2017 15:56:09 +0300 +Subject: qed: Unlock on error in qed_vf_pf_acquire() + +From: Dan Carpenter + + +[ Upstream commit 66117a9d9a8ca948680d6554769ef9e88f936954 ] + +My static checker complains that we're holding a mutex on this error +path. Let's goto exit instead of returning directly. + +Fixes: b0bccb69eba3 ("qed: Change locking scheme for VF channel") +Signed-off-by: Dan Carpenter +Acked-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_vf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_vf.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_vf.c +@@ -204,7 +204,7 @@ static int qed_vf_pf_acquire(struct qed_ + /* send acquire request */ + rc = qed_send_msg2pf(p_hwfn, &resp->hdr.status, sizeof(*resp)); + if (rc) +- return rc; ++ goto exit; + + /* copy acquire response from buffer to p_hwfn */ + memcpy(&p_iov->acquire_resp, resp, sizeof(p_iov->acquire_resp)); diff --git a/queue-4.9/qlcnic-fix-unchecked-return-value.patch b/queue-4.9/qlcnic-fix-unchecked-return-value.patch new file mode 100644 index 00000000000..bc14a4e9c50 --- /dev/null +++ b/queue-4.9/qlcnic-fix-unchecked-return-value.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 20:04:04 +0800 +Subject: qlcnic: fix unchecked return value + +From: Pan Bian + + +[ Upstream commit 91ec701a553cb3de470fd471c6fefe3ad1125455 ] + +Function pci_find_ext_capability() may return 0, which is an invalid +address. In function qlcnic_sriov_virtid_fn(), its return value is used +without validation. This may result in invalid memory access bugs. This +patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -128,6 +128,8 @@ static int qlcnic_sriov_virtid_fn(struct + return 0; + + pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV); ++ if (!pos) ++ return 0; + pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset); + pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride); + diff --git a/queue-4.9/qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch b/queue-4.9/qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch new file mode 100644 index 00000000000..34d2b2aaf48 --- /dev/null +++ b/queue-4.9/qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: "Bjørn Mork" +Date: Thu, 14 Dec 2017 19:55:50 +0100 +Subject: qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect + +From: "Bjørn Mork" + + +[ Upstream commit 245d21190aec547c0de64f70c0e6de871c185a24 ] + +It has been reported that the dummy byte we add to avoid +ZLPs can be forwarded by the modem to the PGW/GGSN, and that +some operators will drop the connection if this happens. + +In theory, QMI devices are based on CDC ECM and should as such +both support ZLPs and silently ignore the dummy byte. The latter +assumption failed. Let's test out the first. + +Signed-off-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -531,7 +531,7 @@ err: + + static const struct driver_info qmi_wwan_info = { + .description = "WWAN/QMI device", +- .flags = FLAG_WWAN, ++ .flags = FLAG_WWAN | FLAG_SEND_ZLP, + .bind = qmi_wwan_bind, + .unbind = qmi_wwan_unbind, + .manage_power = qmi_wwan_manage_power, +@@ -540,7 +540,7 @@ static const struct driver_info qmi_wwan + + static const struct driver_info qmi_wwan_info_quirk_dtr = { + .description = "WWAN/QMI device", +- .flags = FLAG_WWAN, ++ .flags = FLAG_WWAN | FLAG_SEND_ZLP, + .bind = qmi_wwan_bind, + .unbind = qmi_wwan_unbind, + .manage_power = qmi_wwan_manage_power, diff --git a/queue-4.9/rdma-cma-use-correct-size-when-writing-netlink-stats.patch b/queue-4.9/rdma-cma-use-correct-size-when-writing-netlink-stats.patch new file mode 100644 index 00000000000..8d4503ddffd --- /dev/null +++ b/queue-4.9/rdma-cma-use-correct-size-when-writing-netlink-stats.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Parav Pandit +Date: Tue, 14 Nov 2017 14:51:55 +0200 +Subject: RDMA/cma: Use correct size when writing netlink stats + +From: Parav Pandit + + +[ Upstream commit 7baaa49af3716fb31877c61f59b74d029ce15b75 ] + +The code was using the src size when formatting the dst. They are almost +certainly the same value but it reads wrong. + +Fixes: ce117ffac2e9 ("RDMA/cma: Export AF_IB statistics") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -4336,7 +4336,7 @@ static int cma_get_id_stats(struct sk_bu + RDMA_NL_RDMA_CM_ATTR_SRC_ADDR)) + goto out; + if (ibnl_put_attr(skb, nlh, +- rdma_addr_size(cma_src_addr(id_priv)), ++ rdma_addr_size(cma_dst_addr(id_priv)), + cma_dst_addr(id_priv), + RDMA_NL_RDMA_CM_ATTR_DST_ADDR)) + goto out; diff --git a/queue-4.9/rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch b/queue-4.9/rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch new file mode 100644 index 00000000000..514cbb9b48b --- /dev/null +++ b/queue-4.9/rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Geert Uytterhoeven +Date: Wed, 29 Nov 2017 09:47:33 +0100 +Subject: RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() + +From: Geert Uytterhoeven + + +[ Upstream commit 302d6424e4a293a5761997e6c9fc3dfb1e4c355f ] + +With gcc-4.1.2: + + drivers/infiniband/core/iwpm_util.c: In function ‘iwpm_send_mapinfo’: + drivers/infiniband/core/iwpm_util.c:647: warning: ‘ret’ may be used uninitialized in this function + +Indeed, if nl_client is not found in any of the scanned has buckets, ret +will be used uninitialized. + +Preinitialize ret to -EINVAL to fix this. + +Fixes: 30dc5e63d6a5ad24 ("RDMA/core: Add support for iWARP Port Mapper user space service") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Tatyana Nikolova +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/iwpm_util.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/core/iwpm_util.c ++++ b/drivers/infiniband/core/iwpm_util.c +@@ -664,6 +664,7 @@ int iwpm_send_mapinfo(u8 nl_client, int + } + skb_num++; + spin_lock_irqsave(&iwpm_mapinfo_lock, flags); ++ ret = -EINVAL; + for (i = 0; i < IWPM_MAPINFO_HASH_SIZE; i++) { + hlist_for_each_entry(map_info, &iwpm_hash_bucket[i], + hlist_node) { diff --git a/queue-4.9/rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch b/queue-4.9/rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch new file mode 100644 index 00000000000..6f4082a7a12 --- /dev/null +++ b/queue-4.9/rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch @@ -0,0 +1,38 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Anton Vasilyev +Date: Tue, 8 Aug 2017 18:56:37 +0300 +Subject: RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS + +From: Anton Vasilyev + + +[ Upstream commit 744820869166c8c78be891240cf5f66e8a333694 ] + +Debugfs file reset_stats is created with S_IRUSR permissions, +but ocrdma_dbgfs_ops_read() doesn't support OCRDMA_RESET_STATS, +whereas ocrdma_dbgfs_ops_write() supports only OCRDMA_RESET_STATS. + +The patch fixes misstype with permissions. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/ocrdma/ocrdma_stats.c ++++ b/drivers/infiniband/hw/ocrdma/ocrdma_stats.c +@@ -836,7 +836,7 @@ void ocrdma_add_port_stats(struct ocrdma + + dev->reset_stats.type = OCRDMA_RESET_STATS; + dev->reset_stats.dev = dev; +- if (!debugfs_create_file("reset_stats", S_IRUSR, dev->dir, ++ if (!debugfs_create_file("reset_stats", 0200, dev->dir, + &dev->reset_stats, &ocrdma_dbg_ops)) + goto err; + diff --git a/queue-4.9/regulator-anatop-set-default-voltage-selector-for-pcie.patch b/queue-4.9/regulator-anatop-set-default-voltage-selector-for-pcie.patch new file mode 100644 index 00000000000..d8cfc09f984 --- /dev/null +++ b/queue-4.9/regulator-anatop-set-default-voltage-selector-for-pcie.patch @@ -0,0 +1,46 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dong Aisheng +Date: Wed, 12 Apr 2017 09:58:47 +0800 +Subject: regulator: anatop: set default voltage selector for pcie + +From: Dong Aisheng + + +[ Upstream commit 9bf944548169f6153c3d3778cf983cb5db251a0e ] + +Set the initial voltage selector for vddpcie in case it's disabled +by default. + +This fixes the below warning: +20c8000.anatop:regulator-vddpcie: Failed to read a valid default voltage selector. +anatop_regulator: probe of 20c8000.anatop:regulator-vddpcie failed with error -22 + +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Robin Gong +Cc: Richard Zhu +Signed-off-by: Richard Zhu +Signed-off-by: Dong Aisheng +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/anatop-regulator.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/regulator/anatop-regulator.c ++++ b/drivers/regulator/anatop-regulator.c +@@ -296,6 +296,11 @@ static int anatop_regulator_probe(struct + if (!sreg->sel && !strcmp(sreg->name, "vddpu")) + sreg->sel = 22; + ++ /* set the default voltage of the pcie phy to be 1.100v */ ++ if (!sreg->sel && rdesc->name && ++ !strcmp(rdesc->name, "vddpcie")) ++ sreg->sel = 0x10; ++ + if (!sreg->bypass && !sreg->sel) { + dev_err(&pdev->dev, "Failed to read a valid default voltage selector.\n"); + return -EINVAL; diff --git a/queue-4.9/rndis_wlan-add-return-value-validation.patch b/queue-4.9/rndis_wlan-add-return-value-validation.patch new file mode 100644 index 00000000000..2056cbc3320 --- /dev/null +++ b/queue-4.9/rndis_wlan-add-return-value-validation.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Mon, 24 Apr 2017 08:40:28 +0800 +Subject: rndis_wlan: add return value validation + +From: Pan Bian + + +[ Upstream commit 9dc7efd3978aa67ae598129d2a3f240b390ce508 ] + +Function create_singlethread_workqueue() will return a NULL pointer if +there is no enough memory, and its return value should be validated +before using. However, in function rndis_wlan_bind(), its return value +is not checked. This may cause NULL dereference bugs. This patch fixes +it. + +Signed-off-by: Pan Bian +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rndis_wlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -3427,6 +3427,10 @@ static int rndis_wlan_bind(struct usbnet + + /* because rndis_command() sleeps we need to use workqueue */ + priv->workqueue = create_singlethread_workqueue("rndis_wlan"); ++ if (!priv->workqueue) { ++ wiphy_free(wiphy); ++ return -ENOMEM; ++ } + INIT_WORK(&priv->work, rndis_wlan_worker); + INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller); + INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results); diff --git a/queue-4.9/rtc-ac100-fix-multiple-race-conditions.patch b/queue-4.9/rtc-ac100-fix-multiple-race-conditions.patch new file mode 100644 index 00000000000..3b064ec3db0 --- /dev/null +++ b/queue-4.9/rtc-ac100-fix-multiple-race-conditions.patch @@ -0,0 +1,121 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Alexandre Belloni +Date: Mon, 4 Dec 2017 14:58:33 +0100 +Subject: rtc: ac100: Fix multiple race conditions + +From: Alexandre Belloni + + +[ Upstream commit 994ec64c0a193940be7a6fd074668b9446d3b6c3 ] + +The probe function is not allowed to fail after registering the RTC because +the following may happen: + +CPU0: CPU1: +sys_load_module() + do_init_module() + do_one_initcall() + cmos_do_probe() + rtc_device_register() + __register_chrdev() + cdev->owner = struct module* + open("/dev/rtc0") + rtc_device_unregister() + module_put() + free_module() + module_free(mod->module_core) + /* struct module *module is now + freed */ + chrdev_open() + spin_lock(cdev_lock) + cdev_get() + try_module_get() + module_is_live() + /* dereferences already + freed struct module* */ + +Also, the interrupt handler: ac100_rtc_irq() is dereferencing chip->rtc but +this may still be NULL when it is called, resulting in: +Unable to handle kernel NULL pointer dereference at virtual address 00000194 +pgd = (ptrval) +[00000194] *pgd=00000000 +Internal error: Oops: 5 [#1] SMP ARM +Modules linked in: +CPU: 0 PID: 72 Comm: irq/71-ac100-rt Not tainted 4.15.0-rc1-next-20171201-dirty #120 +Hardware name: Allwinner sun8i Family +task: (ptrval) task.stack: (ptrval) +PC is at mutex_lock+0x14/0x3c +LR is at ac100_rtc_irq+0x38/0xc8 +pc : [] lr : [] psr: 60000053 +sp : ee9c9f28 ip : 00000000 fp : ee9adfdc +r10: 00000000 r9 : c0a04c48 r8 : c015ed18 +r7 : ee9bd600 r6 : ee9c9f28 r5 : ee9af590 r4 : c0a04c48 +r3 : ef3cb3c0 r2 : 00000000 r1 : ee9af590 r0 : 00000194 +Flags: nZCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none +Control: 10c5387d Table: 4000406a DAC: 00000051 +Process irq/71-ac100-rt (pid: 72, stack limit = 0x(ptrval)) +Stack: (0xee9c9f28 to 0xee9ca000) +9f20: 00000000 7c2fd1be c015ed18 ee9adf40 ee9c0400 ee9c0400 +9f40: ee9adf40 c015ed34 ee9c8000 ee9adf64 ee9c0400 c015f040 ee9adf80 00000000 +9f60: c015ee24 7c2fd1be ee9adfc0 ee9adf80 00000000 ee9c8000 ee9adf40 c015eef4 +9f80: ef1eba34 c0138f14 ee9c8000 ee9adf80 c0138df4 00000000 00000000 00000000 +9fa0: 00000000 00000000 00000000 c01010e8 00000000 00000000 00000000 00000000 +9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff +[] (mutex_lock) from [] (ac100_rtc_irq+0x38/0xc8) +[] (ac100_rtc_irq) from [] (irq_thread_fn+0x1c/0x54) +[] (irq_thread_fn) from [] (irq_thread+0x14c/0x214) +[] (irq_thread) from [] (kthread+0x120/0x150) +[] (kthread) from [] (ret_from_fork+0x14/0x2c) + +Solve both issues by moving to +devm_rtc_allocate_device()/rtc_register_device() + +Reported-by: Quentin Schulz +Tested-by: Quentin Schulz +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-ac100.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-ac100.c ++++ b/drivers/rtc/rtc-ac100.c +@@ -567,6 +567,12 @@ static int ac100_rtc_probe(struct platfo + return chip->irq; + } + ++ chip->rtc = devm_rtc_allocate_device(&pdev->dev); ++ if (IS_ERR(chip->rtc)) ++ return PTR_ERR(chip->rtc); ++ ++ chip->rtc->ops = &ac100_rtc_ops; ++ + ret = devm_request_threaded_irq(&pdev->dev, chip->irq, NULL, + ac100_rtc_irq, + IRQF_SHARED | IRQF_ONESHOT, +@@ -586,17 +592,16 @@ static int ac100_rtc_probe(struct platfo + /* clear counter alarm pending interrupts */ + regmap_write(chip->regmap, AC100_ALM_INT_STA, AC100_ALM_INT_ENABLE); + +- chip->rtc = devm_rtc_device_register(&pdev->dev, "rtc-ac100", +- &ac100_rtc_ops, THIS_MODULE); +- if (IS_ERR(chip->rtc)) { +- dev_err(&pdev->dev, "unable to register device\n"); +- return PTR_ERR(chip->rtc); +- } +- + ret = ac100_rtc_register_clks(chip); + if (ret) + return ret; + ++ ret = rtc_register_device(chip->rtc); ++ if (ret) { ++ dev_err(&pdev->dev, "unable to register device\n"); ++ return ret; ++ } ++ + dev_info(&pdev->dev, "RTC enabled\n"); + + return 0; diff --git a/queue-4.9/rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch b/queue-4.9/rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch new file mode 100644 index 00000000000..ac639feb8ad --- /dev/null +++ b/queue-4.9/rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch @@ -0,0 +1,75 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Sat, 18 Mar 2017 14:45:49 +0100 +Subject: rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs + +From: Hans de Goede + + +[ Upstream commit a1e23a42f1bdc00e32fc4869caef12e4e6272f26 ] + +On some systems (e.g. Intel Bay Trail systems) the legacy PIC is not +used, in this case virq 8 will be a random irq, rather then hw_irq 8 +from the PIC. + +Requesting virq 8 in this case will not help us to get alarm irqs and +may cause problems for other drivers which actually do need virq 8, +for example on an Asus Transformer T100TA this leads to: + +[ 28.745155] genirq: Flags mismatch irq 8. 00000088 (mmc0) vs. 00000080 (rtc0) + +[ 28.753700] mmc0: Failed to request IRQ 8: -16 +[ 28.975934] sdhci-acpi: probe of 80860F14:01 failed with error -16 + +This commit fixes this by making the rtc-cmos driver continue +without using an irq rather then claiming irq 8 when no irq is +specified in the pnp-info and there are no legacy-irqs. + +Signed-off-by: Hans de Goede +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-cmos.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -41,6 +41,9 @@ + #include + #include + #include ++#ifdef CONFIG_X86 ++#include ++#endif + + /* this is for "generic access to PC-style RTC" using CMOS_READ/CMOS_WRITE */ + #include +@@ -1117,17 +1120,23 @@ static int cmos_pnp_probe(struct pnp_dev + { + cmos_wake_setup(&pnp->dev); + +- if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) ++ if (pnp_port_start(pnp, 0) == 0x70 && !pnp_irq_valid(pnp, 0)) { ++ unsigned int irq = 0; ++#ifdef CONFIG_X86 + /* Some machines contain a PNP entry for the RTC, but + * don't define the IRQ. It should always be safe to +- * hardcode it in these cases ++ * hardcode it on systems with a legacy PIC. + */ ++ if (nr_legacy_irqs()) ++ irq = 8; ++#endif + return cmos_do_probe(&pnp->dev, +- pnp_get_resource(pnp, IORESOURCE_IO, 0), 8); +- else ++ pnp_get_resource(pnp, IORESOURCE_IO, 0), irq); ++ } else { + return cmos_do_probe(&pnp->dev, + pnp_get_resource(pnp, IORESOURCE_IO, 0), + pnp_irq(pnp, 0)); ++ } + } + + static void cmos_pnp_remove(struct pnp_dev *pnp) diff --git a/queue-4.9/rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch b/queue-4.9/rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch new file mode 100644 index 00000000000..a2df7e3267a --- /dev/null +++ b/queue-4.9/rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch @@ -0,0 +1,47 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Moritz Fischer +Date: Mon, 24 Apr 2017 15:05:11 -0700 +Subject: rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks + +From: Moritz Fischer + + +[ Upstream commit 453d0744f6c6ca3f9749b8c57c2e85b5b9f52514 ] + +The issue is that the internal counter that triggers the watchdog reset +is actually running at 4096 Hz instead of 1Hz, therefore the value +given by userland (in sec) needs to be multiplied by 4096 to get the +correct behavior. + +Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support") +Signed-off-by: Moritz Fischer +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-ds1374.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-ds1374.c ++++ b/drivers/rtc/rtc-ds1374.c +@@ -527,6 +527,10 @@ static long ds1374_wdt_ioctl(struct file + if (get_user(new_margin, (int __user *)arg)) + return -EFAULT; + ++ /* the hardware's tick rate is 4096 Hz, so ++ * the counter value needs to be scaled accordingly ++ */ ++ new_margin <<= 12; + if (new_margin < 1 || new_margin > 16777216) + return -EINVAL; + +@@ -535,7 +539,8 @@ static long ds1374_wdt_ioctl(struct file + ds1374_wdt_ping(); + /* fallthrough */ + case WDIOC_GETTIMEOUT: +- return put_user(wdt_margin, (int __user *)arg); ++ /* when returning ... inverse is true */ ++ return put_user((wdt_margin >> 12), (int __user *)arg); + case WDIOC_SETOPTIONS: + if (copy_from_user(&options, (int __user *)arg, sizeof(int))) + return -EFAULT; diff --git a/queue-4.9/rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch b/queue-4.9/rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch new file mode 100644 index 00000000000..3ebb44eef90 --- /dev/null +++ b/queue-4.9/rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch @@ -0,0 +1,42 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Moritz Fischer +Date: Mon, 24 Apr 2017 15:05:12 -0700 +Subject: rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL + +From: Moritz Fischer + + +[ Upstream commit 538c08f4c89580fc644e2bc64e0a4b86c925da4e ] + +The WDIOC_SETOPTIONS case in the watchdog ioctl would alwayss falls +through to the -EINVAL case. This is wrong since thew watchdog does +actually get stopped or started correctly. + +Fixes: 920f91e50c5b ("drivers/rtc/rtc-ds1374.c: add watchdog support") +Signed-off-by: Moritz Fischer +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-ds1374.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-ds1374.c ++++ b/drivers/rtc/rtc-ds1374.c +@@ -548,14 +548,15 @@ static long ds1374_wdt_ioctl(struct file + if (options & WDIOS_DISABLECARD) { + pr_info("disable watchdog\n"); + ds1374_wdt_disable(); ++ return 0; + } + + if (options & WDIOS_ENABLECARD) { + pr_info("enable watchdog\n"); + ds1374_wdt_settimeout(wdt_margin); + ds1374_wdt_ping(); ++ return 0; + } +- + return -EINVAL; + } + return -ENOTTY; diff --git a/queue-4.9/rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch b/queue-4.9/rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch new file mode 100644 index 00000000000..a052bd28f0a --- /dev/null +++ b/queue-4.9/rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Tsang-Shian Lin +Date: Sat, 9 Dec 2017 11:37:10 -0600 +Subject: rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. + +From: Tsang-Shian Lin + + +[ Upstream commit b7573a0a27bfa8270dea9b145448f6884b7cacc1 ] + +Reset the driver current tx read/write index to zero when inactiveps +nic out of sync with HW state. Wrong driver tx read/write index will +cause Tx fail. + +Signed-off-by: Tsang-Shian Lin +Signed-off-by: Ping-Ke Shih +Signed-off-by: Larry Finger +Cc: Yan-Hsuan Chuang +Cc: Birming Chiu +Cc: Shaofu +Cc: Steven Ting +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtlwifi/pci.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -1572,7 +1572,14 @@ int rtl_pci_reset_trx_ring(struct ieee80 + dev_kfree_skb_irq(skb); + ring->idx = (ring->idx + 1) % ring->entries; + } ++ ++ if (rtlpriv->use_new_trx_flow) { ++ rtlpci->tx_ring[i].cur_tx_rp = 0; ++ rtlpci->tx_ring[i].cur_tx_wp = 0; ++ } ++ + ring->idx = 0; ++ ring->entries = rtlpci->txringcount[i]; + } + } + spin_unlock_irqrestore(&rtlpriv->locks.irq_th_lock, flags); diff --git a/queue-4.9/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch b/queue-4.9/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch new file mode 100644 index 00000000000..1e3f40996cf --- /dev/null +++ b/queue-4.9/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch @@ -0,0 +1,94 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Finn Thain +Date: Sun, 2 Apr 2017 17:08:05 +1000 +Subject: scsi: mac_esp: Replace bogus memory barrier with spinlock + +From: Finn Thain + + +[ Upstream commit 4da2b1eb230ba4ad19b58984dc52e05b1073df5f ] + +Commit da244654c66e ("[SCSI] mac_esp: fix for quadras with two esp +chips") added mac_scsi_esp_intr() to handle the IRQ lines from a pair of +on-board ESP chips (a normal shared IRQ did not work). + +Proper mutual exclusion was missing from that patch. This patch fixes +race conditions between comparison and assignment of esp_chips[] +pointers. + +Signed-off-by: Finn Thain +Reviewed-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mac_esp.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/drivers/scsi/mac_esp.c ++++ b/drivers/scsi/mac_esp.c +@@ -55,6 +55,7 @@ struct mac_esp_priv { + int error; + }; + static struct esp *esp_chips[2]; ++static DEFINE_SPINLOCK(esp_chips_lock); + + #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \ + platform_get_drvdata((struct platform_device *) \ +@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform + } + + host->irq = IRQ_MAC_SCSI; +- esp_chips[dev->id] = esp; +- mb(); +- if (esp_chips[!dev->id] == NULL) { +- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); +- if (err < 0) { +- esp_chips[dev->id] = NULL; +- goto fail_free_priv; +- } ++ ++ /* The request_irq() call is intended to succeed for the first device ++ * and fail for the second device. ++ */ ++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); ++ spin_lock(&esp_chips_lock); ++ if (err < 0 && esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); ++ goto fail_free_priv; + } ++ esp_chips[dev->id] = esp; ++ spin_unlock(&esp_chips_lock); + + err = scsi_esp_register(esp, &dev->dev); + if (err) +@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform + return 0; + + fail_free_irq: +- if (esp_chips[!dev->id] == NULL) ++ spin_lock(&esp_chips_lock); ++ esp_chips[dev->id] = NULL; ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(host->irq, esp); ++ } else ++ spin_unlock(&esp_chips_lock); + fail_free_priv: + kfree(mep); + fail_free_command_block: +@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platfor + + scsi_esp_unregister(esp); + ++ spin_lock(&esp_chips_lock); + esp_chips[dev->id] = NULL; +- if (!(esp_chips[0] || esp_chips[1])) ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(irq, NULL); ++ } else ++ spin_unlock(&esp_chips_lock); + + kfree(mep); + diff --git a/queue-4.9/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch b/queue-4.9/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch new file mode 100644 index 00000000000..32589779cfc --- /dev/null +++ b/queue-4.9/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch @@ -0,0 +1,86 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: David Gibson +Date: Thu, 13 Apr 2017 12:13:00 +1000 +Subject: scsi: virtio_scsi: Always try to read VPD pages + +From: David Gibson + + +[ Upstream commit 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0 ] + +Passed through SCSI targets may have transfer limits which come from the +host SCSI controller or something on the host side other than the target +itself. + +To make this work properly, the hypervisor can adjust the target's VPD +information to advertise these limits. But for that to work, the guest +has to look at the VPD pages, which we won't do by default if it is an +SPC-2 device, even if it does actually support it. + +This adds a workaround to address this, forcing devices attached to a +virtio-scsi controller to always check the VPD pages. This is modelled +on a similar workaround for the storvsc (Hyper-V) SCSI controller, +although that exists for slightly different reasons. + +A specific case which causes this is a volume from IBM's IPR RAID +controller (which presents as an SPC-2 device, although it does support +VPD) passed through with qemu's 'scsi-block' device. + +[mkp: fixed typo] + +Signed-off-by: David Gibson +Acked-by: Paolo Bonzini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/virtio_scsi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #define VIRTIO_SCSI_MEMPOOL_SZ 64 +@@ -705,6 +706,28 @@ static int virtscsi_device_reset(struct + return virtscsi_tmf(vscsi, cmd); + } + ++static int virtscsi_device_alloc(struct scsi_device *sdevice) ++{ ++ /* ++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block') ++ * may have transfer limits which come from the host SCSI ++ * controller or something on the host side other than the ++ * target itself. ++ * ++ * To make this work properly, the hypervisor can adjust the ++ * target's VPD information to advertise these limits. But ++ * for that to work, the guest has to look at the VPD pages, ++ * which we won't do by default if it is an SPC-2 device, even ++ * if it does actually support it. ++ * ++ * So, set the blist to always try to read the VPD pages. ++ */ ++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES; ++ ++ return 0; ++} ++ ++ + /** + * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth + * @sdev: Virtscsi target whose queue depth to change +@@ -776,6 +799,7 @@ static struct scsi_host_template virtscs + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, diff --git a/queue-4.9/serial-8250_dw-disable-clock-on-error.patch b/queue-4.9/serial-8250_dw-disable-clock-on-error.patch new file mode 100644 index 00000000000..fdf62619bd2 --- /dev/null +++ b/queue-4.9/serial-8250_dw-disable-clock-on-error.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Stefan Potyra +Date: Wed, 6 Dec 2017 16:46:12 +0100 +Subject: serial: 8250_dw: Disable clock on error + +From: Stefan Potyra + + +[ Upstream commit 8af016aa5a27c6a2505460eb4d83f1e70c38dc43 ] + +If there is no clock rate for uartclk defined, disable the previously +enabled clock again. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 23f5b3fdd04e serial: 8250_dw: only get the clock rate in one place +Signed-off-by: Stefan Potyra +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_dw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_dw.c ++++ b/drivers/tty/serial/8250/8250_dw.c +@@ -464,7 +464,8 @@ static int dw8250_probe(struct platform_ + /* If no clock rate is defined, fail. */ + if (!p->uartclk) { + dev_err(dev, "clock rate not defined\n"); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_clk; + } + + data->pclk = devm_clk_get(dev, "apb_pclk"); diff --git a/queue-4.9/series b/queue-4.9/series index 00749c859ae..9b8cc52a2da 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -5,3 +5,169 @@ cifs-enable-encryption-during-session-setup-phase.patch staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch revert-led-core-fix-brightness-setting-when-setting-delay_off-0.patch led-core-clear-led_blink_sw-flag-in-led_blink_set.patch +platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch +bonding-handle-link-transition-from-fail-to-up-correctly.patch +regulator-anatop-set-default-voltage-selector-for-pcie.patch +power-supply-bq24190_charger-limit-over-under-voltage-fault-logging.patch +x86-i8259-export-legacy_pic-symbol.patch +rtc-cmos-do-not-assume-irq-8-for-rtc-when-there-are-no-legacy-irqs.patch +input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch +time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch +acpi-processor-fix-error-handling-in-__acpi_processor_start.patch +acpi-processor-replace-racy-task-affinity-logic.patch +cpufreq-sh-replace-racy-task-affinity-logic.patch +genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch +i2c-i2c-scmi-add-a-ms-hid.patch +net-ipv6-send-unsolicited-na-on-admin-up.patch +media-dvb-core-race-condition-when-writing-to-cam.patch +btrfs-fix-a-bogus-warning-when-converting-only-data-or-metadata.patch +asoc-intel-atom-update-thinkpad-10-quirk.patch +tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch +spi-dw-disable-clock-after-unregistering-the-host.patch +powerpc-64s-remove-sao-feature-from-power9-dd1.patch +ath-fix-updating-radar-flags-for-coutry-code-india.patch +clk-ns2-correct-sdio-bits.patch +iwlwifi-split-the-handler-and-the-wake-parts-of-the-notification-infra.patch +iwlwifi-a000-fix-memory-offsets-and-lengths.patch +scsi-virtio_scsi-always-try-to-read-vpd-pages.patch +kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch +mwifiex-don-t-leak-chan_stats-on-reset.patch +x86-reboot-turn-off-kvm-when-halting-a-cpu.patch +arm-8668-1-ftrace-fix-dynamic-ftrace-with-debug_rodata-and-frame_pointer.patch +irqchip-mips-gic-separate-ipi-reservation-usage-tracking.patch +iommu-omap-register-driver-before-setting-iommu-ops.patch +md-raid10-wait-up-frozen-array-in-handle_write_completed.patch +nfs-fix-missing-pg_cleanup-after-nfs_pageio_cond_complete.patch +tcp-remove-poll-flakes-with-fastopen.patch +e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch +alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch +ib-ipoib-fix-deadlock-between-ipoib_stop-and-mcast-join-flow.patch +ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch +hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch +ib-mlx4-take-write-semaphore-when-changing-the-vma-struct.patch +ib-mlx4-change-vma-from-shared-to-private.patch +ib-mlx5-take-write-semaphore-when-changing-the-vma-struct.patch +ib-mlx5-change-vma-from-shared-to-private.patch +ib-mlx5-set-correct-sl-in-completion-for-roce.patch +asoc-intel-skylake-uninitialized-variable-in-probe_codec.patch +ibmvnic-disable-irq-prior-to-close.patch +netvsc-deal-with-rescinded-channels-correctly.patch +fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch +fix-express-lane-queue-creation.patch +gpio-gpio-wcove-fix-irq-pending-status-bit-width.patch +netfilter-xt_ct-fix-refcnt-leak-on-error-path.patch +openvswitch-delete-conntrack-entry-clashing-with-an-expectation.patch +netfilter-nf_ct_helper-permit-cthelpers-with-different-names-via-nfnetlink.patch +mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch +tipc-check-return-value-of-nlmsg_new.patch +wan-pc300too-abort-path-on-failure.patch +qlcnic-fix-unchecked-return-value.patch +netfilter-nft_dynset-continue-to-next-expr-if-_op_add-succeeded.patch +platform-x86-intel-vbtn-add-volume-up-and-down.patch +scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch +infiniband-uverbs-fix-integer-overflows.patch +pnfs-fix-use-after-free-issues-in-pnfs_do_read.patch +xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch +nfs-don-t-try-to-cross-a-mountpount-when-there-isn-t-one-there.patch +iio-st_pressure-st_accel-initialise-sensor-platform-data-properly.patch +mt7601u-check-return-value-of-alloc_skb.patch +libertas-check-return-value-of-alloc_workqueue.patch +rndis_wlan-add-return-value-validation.patch +btrfs-fix-incorrect-space-accounting-after-failure-to-insert-inline-extent.patch +btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch +btrfs-fix-extent-map-leak-during-fallocate-error-path.patch +orangefs-do-not-wait-for-timeout-if-umounting.patch +mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch +acpica-iasl-fix-iort-smmu-gsi-disassembling.patch +iio-hid-sensor-fix-return-of-einval-on-invalid-values-in-ret-or-value.patch +dt-bindings-mfd-axp20x-add-xpowers-master-mode-property-for-axp806-pmics.patch +mfd-palmas-reset-the-powerhold-mux-during-power-off.patch +mtip32xx-use-runtime-tag-to-initialize-command-header.patch +x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch +gpio-gpio-wcove-fix-gpio-irq-status-mask.patch +staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch +staging-wilc1000-fix-unchecked-return-value.patch +ipvs-explicitly-forbid-ipv6-service-dest-creation-if-ipv6-mod-is-disabled.patch +mac80211-fix-possible-sband-related-null-pointer-de-reference.patch +mmc-sdhci-of-esdhc-limit-sd-clock-for-ls1012a-ls1046a.patch +netfilter-x_tables-unlock-on-error-in-xt_find_table_lock.patch +arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch +ib-rdmavt-restore-irqs-on-error-path-in-rvt_create_ah.patch +ib-hfi1-fix-softlockup-issue.patch +platform-x86-asus-wmi-try-to-set-als-by-default.patch +ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch +acpi-pmic-xpower-fix-power_table-addresses.patch +drm-amdgpu-fix-gpu-reset-crash.patch +drm-nouveau-kms-increase-max-retries-in-scanout-position-queries.patch +jbd2-fix-lockdep-splat-with-generic-270-test.patch +ixgbevf-fix-size-of-queue-stats-length.patch +net-ethernet-ucc_geth-fix-mem_part_muram-mode.patch +soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch +bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_dequeue.patch +bluetooth-hci_ldisc-add-protocol-check-to-hci_uart_tx_wakeup.patch +vxlan-correctly-handle-ipv6.disable-module-parameter.patch +qed-unlock-on-error-in-qed_vf_pf_acquire.patch +bnx2x-align-rx-buffers.patch +power-supply-bq24190_charger-add-disable-reset-device-property.patch +power-supply-isp1704-fix-unchecked-return-value-of-devm_kzalloc.patch +power-supply-pda_power-move-from-timer-to-delayed_work.patch +input-twl4030-pwrbutton-use-correct-device-for-irq-request.patch +ib-rxe-don-t-clamp-residual-length-to-mtu.patch +md-raid10-skip-spare-disk-as-first-disk.patch +acpi-power-delay-turning-off-unused-power-resources-after-suspend.patch +ia64-fix-module-loading-for-gcc-5.4.patch +tcm_fileio-prevent-information-leak-for-short-reads.patch +x86-xen-split-xen_smp_prepare_boot_cpu.patch +video-fbdev-udlfb-fix-buffer-on-stack.patch +sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch +pnfs-fix-a-deadlock-when-coalescing-writes-and-returning-the-layout.patch +net-hns-fix-ethtool_get_strings-overflow-in-hns-driver.patch +cifs-small-underflow-in-cnvrtdosunixtm.patch +mm-fix-check-for-reclaimable-pages-in-pf_memalloc-reclaim-throttling.patch +mm-vmstat-suppress-pcp-stats-for-unpopulated-zones-in-zoneinfo.patch +oom-improve-oom-disable-handling.patch +mm-hwpoison-call-shake_page-after-try_to_unmap-for-mlocked-page.patch +rtc-ds1374-wdt-fix-issue-with-timeout-scaling-from-secs-to-wdt-ticks.patch +rtc-ds1374-wdt-fix-stop-start-ioctl-always-returning-einval.patch +ath10k-fix-out-of-bounds-access-to-local-buffer.patch +perf-tests-kmod-path-don-t-fail-if-compressed-modules-aren-t-supported.patch +block-mq-cure-cpu-hotplug-lock-inversion.patch +bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch +bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch +media-c8sectpfe-fix-potential-null-pointer-dereference-in-c8sectpfe_timer_interrupt.patch +drm-msm-fix-leak-in-failed-get_pages.patch +dm-ensure-bio-submission-follows-a-depth-first-tree-walk.patch +rdma-iwpm-fix-uninitialized-error-code-in-iwpm_send_mapinfo.patch +rtlwifi-rtl_pci-fix-the-bug-when-inactiveps-is-enabled.patch +media-bt8xx-fix-err-bt878_probe.patch +ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch +media-media-dvb-frontends-add-delay-to-si2168-restart.patch +qmi_wwan-set-flag_send_zlp-to-avoid-network-initiated-disconnect.patch +serial-8250_dw-disable-clock-on-error.patch +cros_ec-fix-nul-termination-for-firmware-build-info.patch +watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch +platform-chrome-use-proper-protocol-transfer-function.patch +dmaengine-zynqmp_dma-fix-race-condition-in-the-probe.patch +drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch +mmc-avoid-removing-non-removable-hosts-during-suspend.patch +rtc-ac100-fix-multiple-race-conditions.patch +ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch +rdma-cma-use-correct-size-when-writing-netlink-stats.patch +ib-umem-fix-use-of-npages-nmap-fields.patch +iser-target-avoid-reinitializing-rdma-contexts-for-isert-commands.patch +vgacon-set-vga-struct-resource-types.patch +omapdrm-panel-fix-compatible-vendor-string-for-td028ttec1.patch +drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch +pty-cancel-pty-slave-port-buf-s-work-in-tty_release.patch +coresight-fix-disabling-of-coresight-tpiu.patch +pinctrl-really-force-states-during-suspend-resume.patch +pinctrl-rockchip-enable-clock-when-reading-pin-direction-register.patch +iommu-vt-d-clean-up-pr_irq-if-request_threaded_irq-fails.patch +ip6_vti-adjust-vti-mtu-according-to-mtu-of-lower-device.patch +rdma-ocrdma-fix-permissions-for-ocrdma_reset_stats.patch +arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch +nfsd4-permit-layoutget-of-executable-only-files.patch +clk-don-t-touch-hardware-when-reparenting-during-registration.patch +clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch +clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch +dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch diff --git a/queue-4.9/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch b/queue-4.9/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch new file mode 100644 index 00000000000..a23b9a8d405 --- /dev/null +++ b/queue-4.9/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Alexey Khoroshilov +Date: Tue, 2 May 2017 13:47:53 +0200 +Subject: sm501fb: don't return zero on failure path in sm501fb_start() + +From: Alexey Khoroshilov + + +[ Upstream commit dc85e9a87420613b3129d5cc5ecd79c58351c546 ] + +If fbmem iomemory mapping failed, sm501fb_start() breaks off +initialization, deallocates resources, but returns zero. +As a result, double deallocation can happen in sm501fb_stop(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Cc: Tomi Valkeinen +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/sm501fb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_ + info->fbmem = ioremap(res->start, resource_size(res)); + if (info->fbmem == NULL) { + dev_err(dev, "cannot remap framebuffer\n"); ++ ret = -ENXIO; + goto err_mem_res; + } + diff --git a/queue-4.9/soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch b/queue-4.9/soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch new file mode 100644 index 00000000000..405ab6dc2ab --- /dev/null +++ b/queue-4.9/soc-fsl-qe-round-brg_freq-to-1khz-granularity.patch @@ -0,0 +1,63 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Valentin Longchamp +Date: Fri, 17 Feb 2017 11:29:45 +0100 +Subject: soc/fsl/qe: round brg_freq to 1kHz granularity + +From: Valentin Longchamp + + +[ Upstream commit 2ccf80b7566cc035d903dd0ac5d7ebd25c2c1060 ] + +Because of integer computation rounding in u-boot (that sets the QE +brg-frequency DTS prop), the clk value is 99999999 Hz even though it is +100 MHz. + +When setting brg clks that are exact divisors of 100 MHz, this small +differnce plays a role and can result in lower clks to be output (for +instance 20 MHz - divide by 5 - results in 16.666 MHz - divide by 6). + +This patch fixes that by "forcing" the brg_clk to the nearest kHz when +the difference is below 2 integer rounding errors (i.e. 4). + +Signed-off-by: Valentin Longchamp +Signed-off-by: Scott Wood +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/soc/fsl/qe/qe.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/soc/fsl/qe/qe.c ++++ b/drivers/soc/fsl/qe/qe.c +@@ -163,11 +163,15 @@ EXPORT_SYMBOL(qe_issue_cmd); + */ + static unsigned int brg_clk = 0; + ++#define CLK_GRAN (1000) ++#define CLK_GRAN_LIMIT (5) ++ + unsigned int qe_get_brg_clk(void) + { + struct device_node *qe; + int size; + const u32 *prop; ++ unsigned int mod; + + if (brg_clk) + return brg_clk; +@@ -185,6 +189,15 @@ unsigned int qe_get_brg_clk(void) + + of_node_put(qe); + ++ /* round this if near to a multiple of CLK_GRAN */ ++ mod = brg_clk % CLK_GRAN; ++ if (mod) { ++ if (mod < CLK_GRAN_LIMIT) ++ brg_clk -= mod; ++ else if (mod > (CLK_GRAN - CLK_GRAN_LIMIT)) ++ brg_clk += CLK_GRAN - mod; ++ } ++ + return brg_clk; + } + EXPORT_SYMBOL(qe_get_brg_clk); diff --git a/queue-4.9/spi-dw-disable-clock-after-unregistering-the-host.patch b/queue-4.9/spi-dw-disable-clock-after-unregistering-the-host.patch new file mode 100644 index 00000000000..5013a239d77 --- /dev/null +++ b/queue-4.9/spi-dw-disable-clock-after-unregistering-the-host.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Marek Vasut +Date: Tue, 18 Apr 2017 20:09:06 +0200 +Subject: spi: dw: Disable clock after unregistering the host + +From: Marek Vasut + + +[ Upstream commit 400c18e3dc86e04ef5afec9b86a8586ca629b9e9 ] + +The dw_mmio driver disables the block clock before unregistering +the host. The code unregistering the host may access the SPI block +registers. If register access happens with block clock disabled, +this may lead to a bus hang. Disable the clock after unregistering +the host to prevent such situation. + +This bug was observed on Altera Cyclone V SoC. + +Signed-off-by: Marek Vasut +Cc: Andy Shevchenko +Cc: Mark Brown +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-dw-mmio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-dw-mmio.c ++++ b/drivers/spi/spi-dw-mmio.c +@@ -115,8 +115,8 @@ static int dw_spi_mmio_remove(struct pla + { + struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev); + +- clk_disable_unprepare(dwsmmio->clk); + dw_spi_remove_host(&dwsmmio->dws); ++ clk_disable_unprepare(dwsmmio->clk); + + return 0; + } diff --git a/queue-4.9/staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch b/queue-4.9/staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch new file mode 100644 index 00000000000..50c4d3220d7 --- /dev/null +++ b/queue-4.9/staging-unisys-visorhba-fix-s-par-to-boot-with-option-config_vmap_stack-set-to-y.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Sameer Wadgaonkar +Date: Tue, 18 Apr 2017 16:55:25 -0400 +Subject: staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y + +From: Sameer Wadgaonkar + + +[ Upstream commit 3c2bf0bd08123f3497bd3e84bd9088c937b0cb40 ] + +The root issue is that we are not allowed to have items on the +stack being passed to "DMA" like operations. In this case we have +a vmcall and an inline completion of scsi command. + +This patch fixes the issue by moving the variables on stack in +do_scsi_nolinuxstat() to heap memory. + +Signed-off-by: Sameer Wadgaonkar +Signed-off-by: David Kershner +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/unisys/visorhba/visorhba_main.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/staging/unisys/visorhba/visorhba_main.c ++++ b/drivers/staging/unisys/visorhba/visorhba_main.c +@@ -842,7 +842,7 @@ static void + do_scsi_nolinuxstat(struct uiscmdrsp *cmdrsp, struct scsi_cmnd *scsicmd) + { + struct scsi_device *scsidev; +- unsigned char buf[36]; ++ unsigned char *buf; + struct scatterlist *sg; + unsigned int i; + char *this_page; +@@ -857,6 +857,10 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm + if (cmdrsp->scsi.no_disk_result == 0) + return; + ++ buf = kzalloc(sizeof(char) * 36, GFP_KERNEL); ++ if (!buf) ++ return; ++ + /* Linux scsi code wants a device at Lun 0 + * to issue report luns, but we don't want + * a disk there so we'll present a processor +@@ -868,6 +872,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm + if (scsi_sg_count(scsicmd) == 0) { + memcpy(scsi_sglist(scsicmd), buf, + cmdrsp->scsi.bufflen); ++ kfree(buf); + return; + } + +@@ -879,6 +884,7 @@ do_scsi_nolinuxstat(struct uiscmdrsp *cm + memcpy(this_page, buf + bufind, sg[i].length); + kunmap_atomic(this_page_orig); + } ++ kfree(buf); + } else { + devdata = (struct visorhba_devdata *)scsidev->host->hostdata; + for_each_vdisk_match(vdisk, devdata, scsidev) { diff --git a/queue-4.9/staging-wilc1000-fix-unchecked-return-value.patch b/queue-4.9/staging-wilc1000-fix-unchecked-return-value.patch new file mode 100644 index 00000000000..312d55660fe --- /dev/null +++ b/queue-4.9/staging-wilc1000-fix-unchecked-return-value.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 19:53:58 +0800 +Subject: staging: wilc1000: fix unchecked return value + +From: Pan Bian + + +[ Upstream commit 9e96652756ad647b7bcc03cb99ffc9756d7b5f93 ] + +Function dev_alloc_skb() will return a NULL pointer if there is no +enough memory. However, in function WILC_WFI_mon_xmit(), its return +value is used without validation. This may result in a bad memory access +bug. This patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/wilc1000/linux_mon.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/wilc1000/linux_mon.c ++++ b/drivers/staging/wilc1000/linux_mon.c +@@ -197,6 +197,8 @@ static netdev_tx_t WILC_WFI_mon_xmit(str + + if (skb->data[0] == 0xc0 && (!(memcmp(broadcast, &skb->data[4], 6)))) { + skb2 = dev_alloc_skb(skb->len + sizeof(struct wilc_wfi_radiotap_cb_hdr)); ++ if (!skb2) ++ return -ENOMEM; + + memcpy(skb_put(skb2, skb->len), skb->data, skb->len); + diff --git a/queue-4.9/tcm_fileio-prevent-information-leak-for-short-reads.patch b/queue-4.9/tcm_fileio-prevent-information-leak-for-short-reads.patch new file mode 100644 index 00000000000..5c6f44636e6 --- /dev/null +++ b/queue-4.9/tcm_fileio-prevent-information-leak-for-short-reads.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Dmitry Monakhov +Date: Fri, 31 Mar 2017 19:53:35 +0400 +Subject: tcm_fileio: Prevent information leak for short reads + +From: Dmitry Monakhov + + +[ Upstream commit f11b55d13563e9428c88c873f4f03a6bef11ec0a ] + +If we failed to read data from backing file (probably because some one +truncate file under us), we must zerofill cmd's data, otherwise it will +be returned as is. Most likely cmd's data are unitialized pages from +page cache. This result in information leak. + +(Change BUG_ON into -EINVAL se_cmd failure - nab) + +testcase: https://github.com/dmonakhov/xfstests/commit/e11a1b7b907ca67b1be51a1594025600767366d5 +Signed-off-by: Dmitry Monakhov +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_file.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/target/target_core_file.c ++++ b/drivers/target/target_core_file.c +@@ -276,12 +276,11 @@ static int fd_do_rw(struct se_cmd *cmd, + else + ret = vfs_iter_read(fd, &iter, &pos); + +- kfree(bvec); +- + if (is_write) { + if (ret < 0 || ret != data_length) { + pr_err("%s() write returned %d\n", __func__, ret); +- return (ret < 0 ? ret : -EINVAL); ++ if (ret >= 0) ++ ret = -EINVAL; + } + } else { + /* +@@ -294,17 +293,29 @@ static int fd_do_rw(struct se_cmd *cmd, + pr_err("%s() returned %d, expecting %u for " + "S_ISBLK\n", __func__, ret, + data_length); +- return (ret < 0 ? ret : -EINVAL); ++ if (ret >= 0) ++ ret = -EINVAL; + } + } else { + if (ret < 0) { + pr_err("%s() returned %d for non S_ISBLK\n", + __func__, ret); +- return ret; ++ } else if (ret != data_length) { ++ /* ++ * Short read case: ++ * Probably some one truncate file under us. ++ * We must explicitly zero sg-pages to prevent ++ * expose uninizialized pages to userspace. ++ */ ++ if (ret < data_length) ++ ret += iov_iter_zero(data_length - ret, &iter); ++ else ++ ret = -EINVAL; + } + } + } +- return 1; ++ kfree(bvec); ++ return ret; + } + + static sense_reason_t diff --git a/queue-4.9/tcp-remove-poll-flakes-with-fastopen.patch b/queue-4.9/tcp-remove-poll-flakes-with-fastopen.patch new file mode 100644 index 00000000000..8b508db785e --- /dev/null +++ b/queue-4.9/tcp-remove-poll-flakes-with-fastopen.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Eric Dumazet +Date: Tue, 18 Apr 2017 09:45:52 -0700 +Subject: tcp: remove poll() flakes with FastOpen + +From: Eric Dumazet + + +[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ] + +When using TCP FastOpen for an active session, we send one wakeup event +from tcp_finish_connect(), right before the data eventually contained in +the received SYNACK is queued to sk->sk_receive_queue. + +This means that depending on machine load or luck, poll() users +might receive POLLOUT events instead of POLLIN|POLLOUT + +To fix this, we need to move the call to sk->sk_state_change() +after the (optional) call to tcp_rcv_fastopen_synack() + +Signed-off-by: Eric Dumazet +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5606,10 +5606,6 @@ void tcp_finish_connect(struct sock *sk, + else + tp->pred_flags = 0; + +- if (!sock_flag(sk, SOCK_DEAD)) { +- sk->sk_state_change(sk); +- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); +- } + } + + static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack, +@@ -5678,6 +5674,7 @@ static int tcp_rcv_synsent_state_process + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_cookie foc = { .len = -1 }; + int saved_clamp = tp->rx_opt.mss_clamp; ++ bool fastopen_fail; + + tcp_parse_options(skb, &tp->rx_opt, 0, &foc); + if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) +@@ -5781,10 +5778,15 @@ static int tcp_rcv_synsent_state_process + + tcp_finish_connect(sk, skb); + +- if ((tp->syn_fastopen || tp->syn_data) && +- tcp_rcv_fastopen_synack(sk, skb, &foc)) +- return -1; ++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) && ++ tcp_rcv_fastopen_synack(sk, skb, &foc); + ++ if (!sock_flag(sk, SOCK_DEAD)) { ++ sk->sk_state_change(sk); ++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); ++ } ++ if (fastopen_fail) ++ return -1; + if (sk->sk_write_pending || + icsk->icsk_accept_queue.rskq_defer_accept || + icsk->icsk_ack.pingpong) { diff --git a/queue-4.9/time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch b/queue-4.9/time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch new file mode 100644 index 00000000000..6066b5da340 --- /dev/null +++ b/queue-4.9/time-change-posix-clocks-ops-interfaces-to-use-timespec64.patch @@ -0,0 +1,227 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Deepa Dinamani +Date: Sun, 26 Mar 2017 12:04:13 -0700 +Subject: time: Change posix clocks ops interfaces to use timespec64 + +From: Deepa Dinamani + + +[ Upstream commit d340266e19ddb70dbd608f9deedcfb35fdb9d419 ] + +struct timespec is not y2038 safe on 32 bit machines. + +The posix clocks apis use struct timespec directly and through struct +itimerspec. + +Replace the posix clock interfaces to use struct timespec64 and struct +itimerspec64 instead. Also fix up their implementations accordingly. + +Note that the clock_getres() interface has also been changed to use +timespec64 even though this particular interface is not affected by the +y2038 problem. This helps verification for internal kernel code for y2038 +readiness by getting rid of time_t/ timeval/ timespec. + +Signed-off-by: Deepa Dinamani +Cc: arnd@arndb.de +Cc: y2038@lists.linaro.org +Cc: netdev@vger.kernel.org +Cc: Richard Cochran +Cc: john.stultz@linaro.org +Link: http://lkml.kernel.org/r/1490555058-4603-3-git-send-email-deepa.kernel@gmail.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ptp/ptp_clock.c | 18 +++++++----------- + include/linux/posix-clock.h | 10 +++++----- + kernel/time/posix-clock.c | 34 ++++++++++++++++++++++++---------- + 3 files changed, 36 insertions(+), 26 deletions(-) + +--- a/drivers/ptp/ptp_clock.c ++++ b/drivers/ptp/ptp_clock.c +@@ -97,30 +97,26 @@ static s32 scaled_ppm_to_ppb(long ppm) + + /* posix clock implementation */ + +-static int ptp_clock_getres(struct posix_clock *pc, struct timespec *tp) ++static int ptp_clock_getres(struct posix_clock *pc, struct timespec64 *tp) + { + tp->tv_sec = 0; + tp->tv_nsec = 1; + return 0; + } + +-static int ptp_clock_settime(struct posix_clock *pc, const struct timespec *tp) ++static int ptp_clock_settime(struct posix_clock *pc, const struct timespec64 *tp) + { + struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock); +- struct timespec64 ts = timespec_to_timespec64(*tp); + +- return ptp->info->settime64(ptp->info, &ts); ++ return ptp->info->settime64(ptp->info, tp); + } + +-static int ptp_clock_gettime(struct posix_clock *pc, struct timespec *tp) ++static int ptp_clock_gettime(struct posix_clock *pc, struct timespec64 *tp) + { + struct ptp_clock *ptp = container_of(pc, struct ptp_clock, clock); +- struct timespec64 ts; + int err; + +- err = ptp->info->gettime64(ptp->info, &ts); +- if (!err) +- *tp = timespec64_to_timespec(ts); ++ err = ptp->info->gettime64(ptp->info, tp); + return err; + } + +@@ -133,7 +129,7 @@ static int ptp_clock_adjtime(struct posi + ops = ptp->info; + + if (tx->modes & ADJ_SETOFFSET) { +- struct timespec ts; ++ struct timespec64 ts; + ktime_t kt; + s64 delta; + +@@ -146,7 +142,7 @@ static int ptp_clock_adjtime(struct posi + if ((unsigned long) ts.tv_nsec >= NSEC_PER_SEC) + return -EINVAL; + +- kt = timespec_to_ktime(ts); ++ kt = timespec64_to_ktime(ts); + delta = ktime_to_ns(kt); + err = ops->adjtime(ops, delta); + } else if (tx->modes & ADJ_FREQUENCY) { +--- a/include/linux/posix-clock.h ++++ b/include/linux/posix-clock.h +@@ -59,23 +59,23 @@ struct posix_clock_operations { + + int (*clock_adjtime)(struct posix_clock *pc, struct timex *tx); + +- int (*clock_gettime)(struct posix_clock *pc, struct timespec *ts); ++ int (*clock_gettime)(struct posix_clock *pc, struct timespec64 *ts); + +- int (*clock_getres) (struct posix_clock *pc, struct timespec *ts); ++ int (*clock_getres) (struct posix_clock *pc, struct timespec64 *ts); + + int (*clock_settime)(struct posix_clock *pc, +- const struct timespec *ts); ++ const struct timespec64 *ts); + + int (*timer_create) (struct posix_clock *pc, struct k_itimer *kit); + + int (*timer_delete) (struct posix_clock *pc, struct k_itimer *kit); + + void (*timer_gettime)(struct posix_clock *pc, +- struct k_itimer *kit, struct itimerspec *tsp); ++ struct k_itimer *kit, struct itimerspec64 *tsp); + + int (*timer_settime)(struct posix_clock *pc, + struct k_itimer *kit, int flags, +- struct itimerspec *tsp, struct itimerspec *old); ++ struct itimerspec64 *tsp, struct itimerspec64 *old); + /* + * Optional character device methods: + */ +--- a/kernel/time/posix-clock.c ++++ b/kernel/time/posix-clock.c +@@ -300,14 +300,17 @@ out: + static int pc_clock_gettime(clockid_t id, struct timespec *ts) + { + struct posix_clock_desc cd; ++ struct timespec64 ts64; + int err; + + err = get_clock_desc(id, &cd); + if (err) + return err; + +- if (cd.clk->ops.clock_gettime) +- err = cd.clk->ops.clock_gettime(cd.clk, ts); ++ if (cd.clk->ops.clock_gettime) { ++ err = cd.clk->ops.clock_gettime(cd.clk, &ts64); ++ *ts = timespec64_to_timespec(ts64); ++ } + else + err = -EOPNOTSUPP; + +@@ -319,14 +322,17 @@ static int pc_clock_gettime(clockid_t id + static int pc_clock_getres(clockid_t id, struct timespec *ts) + { + struct posix_clock_desc cd; ++ struct timespec64 ts64; + int err; + + err = get_clock_desc(id, &cd); + if (err) + return err; + +- if (cd.clk->ops.clock_getres) +- err = cd.clk->ops.clock_getres(cd.clk, ts); ++ if (cd.clk->ops.clock_getres) { ++ err = cd.clk->ops.clock_getres(cd.clk, &ts64); ++ *ts = timespec64_to_timespec(ts64); ++ } + else + err = -EOPNOTSUPP; + +@@ -337,6 +343,7 @@ static int pc_clock_getres(clockid_t id, + + static int pc_clock_settime(clockid_t id, const struct timespec *ts) + { ++ struct timespec64 ts64 = timespec_to_timespec64(*ts); + struct posix_clock_desc cd; + int err; + +@@ -350,7 +357,7 @@ static int pc_clock_settime(clockid_t id + } + + if (cd.clk->ops.clock_settime) +- err = cd.clk->ops.clock_settime(cd.clk, ts); ++ err = cd.clk->ops.clock_settime(cd.clk, &ts64); + else + err = -EOPNOTSUPP; + out: +@@ -403,29 +410,36 @@ static void pc_timer_gettime(struct k_it + { + clockid_t id = kit->it_clock; + struct posix_clock_desc cd; ++ struct itimerspec64 ts64; + + if (get_clock_desc(id, &cd)) + return; + +- if (cd.clk->ops.timer_gettime) +- cd.clk->ops.timer_gettime(cd.clk, kit, ts); +- ++ if (cd.clk->ops.timer_gettime) { ++ cd.clk->ops.timer_gettime(cd.clk, kit, &ts64); ++ *ts = itimerspec64_to_itimerspec(&ts64); ++ } + put_clock_desc(&cd); + } + + static int pc_timer_settime(struct k_itimer *kit, int flags, + struct itimerspec *ts, struct itimerspec *old) + { ++ struct itimerspec64 ts64 = itimerspec_to_itimerspec64(ts); + clockid_t id = kit->it_clock; + struct posix_clock_desc cd; ++ struct itimerspec64 old64; + int err; + + err = get_clock_desc(id, &cd); + if (err) + return err; + +- if (cd.clk->ops.timer_settime) +- err = cd.clk->ops.timer_settime(cd.clk, kit, flags, ts, old); ++ if (cd.clk->ops.timer_settime) { ++ err = cd.clk->ops.timer_settime(cd.clk, kit, flags, &ts64, &old64); ++ if (old) ++ *old = itimerspec64_to_itimerspec(&old64); ++ } + else + err = -EOPNOTSUPP; + diff --git a/queue-4.9/tipc-check-return-value-of-nlmsg_new.patch b/queue-4.9/tipc-check-return-value-of-nlmsg_new.patch new file mode 100644 index 00000000000..d5f2701e99a --- /dev/null +++ b/queue-4.9/tipc-check-return-value-of-nlmsg_new.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 15:09:19 +0800 +Subject: tipc: check return value of nlmsg_new + +From: Pan Bian + + +[ Upstream commit 78302fd405769c9a9379e9adda119d533dce2eed ] + +Function nlmsg_new() will return a NULL pointer if there is no enough +memory, and its return value should be checked before it is used. +However, in function tipc_nl_node_get_monitor(), the validation of the +return value of function nlmsg_new() is missed. This patch fixes the +bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/tipc/node.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/tipc/node.c ++++ b/net/tipc/node.c +@@ -2094,6 +2094,8 @@ int tipc_nl_node_get_monitor(struct sk_b + int err; + + msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL); ++ if (!msg.skb) ++ return -ENOMEM; + msg.portid = info->snd_portid; + msg.seq = info->snd_seq; + diff --git a/queue-4.9/tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch b/queue-4.9/tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch new file mode 100644 index 00000000000..b94d05174f0 --- /dev/null +++ b/queue-4.9/tools-testing-nvdimm-fix-nfit_test-shutdown-crash.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Dan Williams +Date: Thu, 13 Apr 2017 23:14:34 -0700 +Subject: tools/testing/nvdimm: fix nfit_test shutdown crash + +From: Dan Williams + + +[ Upstream commit 8b06b884cd98f7ec8b5028680b99fabfb7b3e192 ] + +Keep the nfit_test instances alive until after nfit_test_teardown(), as +we may be doing resource lookups until the final un-registrations have +completed. This fixes crashes of the form. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 + IP: __release_resource+0x12/0x90 + Call Trace: + remove_resource+0x23/0x40 + __wrap_remove_resource+0x29/0x30 [nfit_test_iomap] + acpi_nfit_remove_resource+0xe/0x10 [nfit] + devm_action_release+0xf/0x20 + release_nodes+0x16d/0x2b0 + devres_release_all+0x3c/0x60 + device_release+0x21/0x90 + kobject_release+0x6a/0x170 + kobject_put+0x2f/0x60 + put_device+0x17/0x20 + platform_device_unregister+0x20/0x30 + nfit_test_exit+0x36/0x960 [nfit_test] + +Reported-by: Linda Knippers +Signed-off-by: Dan Williams +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/nvdimm/test/nfit.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/tools/testing/nvdimm/test/nfit.c ++++ b/tools/testing/nvdimm/test/nfit.c +@@ -1908,6 +1908,7 @@ static __init int nfit_test_init(void) + put_device(&pdev->dev); + goto err_register; + } ++ get_device(&pdev->dev); + + rc = dma_coerce_mask_and_coherent(&pdev->dev, DMA_BIT_MASK(64)); + if (rc) +@@ -1926,6 +1927,10 @@ static __init int nfit_test_init(void) + if (instances[i]) + platform_device_unregister(&instances[i]->pdev); + nfit_test_teardown(); ++ for (i = 0; i < NUM_NFITS; i++) ++ if (instances[i]) ++ put_device(&instances[i]->pdev.dev); ++ + return rc; + } + +@@ -1933,10 +1938,13 @@ static __exit void nfit_test_exit(void) + { + int i; + +- platform_driver_unregister(&nfit_test_driver); + for (i = 0; i < NUM_NFITS; i++) + platform_device_unregister(&instances[i]->pdev); ++ platform_driver_unregister(&nfit_test_driver); + nfit_test_teardown(); ++ ++ for (i = 0; i < NUM_NFITS; i++) ++ put_device(&instances[i]->pdev.dev); + class_destroy(nfit_test_dimm); + } + diff --git a/queue-4.9/vgacon-set-vga-struct-resource-types.patch b/queue-4.9/vgacon-set-vga-struct-resource-types.patch new file mode 100644 index 00000000000..25bd03316d2 --- /dev/null +++ b/queue-4.9/vgacon-set-vga-struct-resource-types.patch @@ -0,0 +1,110 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Bjorn Helgaas +Date: Fri, 1 Dec 2017 11:06:39 -0600 +Subject: vgacon: Set VGA struct resource types + +From: Bjorn Helgaas + + +[ Upstream commit c82084117f79bcae085e40da526253736a247120 ] + +Set the resource type when we reserve VGA-related I/O port resources. + +The resource code doesn't actually look at the type, so it inserts +resources without a type in the tree correctly even without this change. +But if we ever print a resource without a type, it looks like this: + + vga+ [??? 0x000003c0-0x000003df flags 0x0] + +Setting the type means it will be printed correctly as: + + vga+ [io 0x000003c0-0x000003df] + +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/console.c | 1 + + drivers/video/console/vgacon.c | 34 ++++++++++++++++++++++++++-------- + 2 files changed, 27 insertions(+), 8 deletions(-) + +--- a/arch/alpha/kernel/console.c ++++ b/arch/alpha/kernel/console.c +@@ -20,6 +20,7 @@ + struct pci_controller *pci_vga_hose; + static struct resource alpha_vga = { + .name = "alpha-vga+", ++ .flags = IORESOURCE_IO, + .start = 0x3C0, + .end = 0x3DF + }; +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -405,7 +405,10 @@ static const char *vgacon_startup(void) + vga_video_port_val = VGA_CRT_DM; + if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) { + static struct resource ega_console_resource = +- { .name = "ega", .start = 0x3B0, .end = 0x3BF }; ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_EGAM; + vga_vram_size = 0x8000; + display_desc = "EGA+"; +@@ -413,9 +416,15 @@ static const char *vgacon_startup(void) + &ega_console_resource); + } else { + static struct resource mda1_console_resource = +- { .name = "mda", .start = 0x3B0, .end = 0x3BB }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BB }; + static struct resource mda2_console_resource = +- { .name = "mda", .start = 0x3BF, .end = 0x3BF }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3BF, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_MDA; + vga_vram_size = 0x2000; + display_desc = "*MDA"; +@@ -437,15 +446,21 @@ static const char *vgacon_startup(void) + vga_vram_size = 0x8000; + + if (!screen_info.orig_video_isVGA) { +- static struct resource ega_console_resource +- = { .name = "ega", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource ega_console_resource = ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_EGAC; + display_desc = "EGA"; + request_resource(&ioport_resource, + &ega_console_resource); + } else { +- static struct resource vga_console_resource +- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource vga_console_resource = ++ { .name = "vga+", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_VGAC; + display_desc = "VGA+"; + request_resource(&ioport_resource, +@@ -489,7 +504,10 @@ static const char *vgacon_startup(void) + } + } else { + static struct resource cga_console_resource = +- { .name = "cga", .start = 0x3D4, .end = 0x3D5 }; ++ { .name = "cga", ++ .flags = IORESOURCE_IO, ++ .start = 0x3D4, ++ .end = 0x3D5 }; + vga_video_type = VIDEO_TYPE_CGA; + vga_vram_size = 0x2000; + display_desc = "*CGA"; diff --git a/queue-4.9/video-fbdev-udlfb-fix-buffer-on-stack.patch b/queue-4.9/video-fbdev-udlfb-fix-buffer-on-stack.patch new file mode 100644 index 00000000000..46ee75a52b9 --- /dev/null +++ b/queue-4.9/video-fbdev-udlfb-fix-buffer-on-stack.patch @@ -0,0 +1,53 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Maksim Salau +Date: Tue, 2 May 2017 13:47:53 +0200 +Subject: video: fbdev: udlfb: Fix buffer on stack + +From: Maksim Salau + + +[ Upstream commit 45f580c42e5c125d55dbd8099750a1998de3d917 ] + +Allocate buffers on HEAP instead of STACK for local array +that is to be sent using usb_control_msg(). + +Signed-off-by: Maksim Salau +Cc: Bernie Thompson +Cc: Geert Uytterhoeven +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1487,15 +1487,25 @@ static struct device_attribute fb_device + static int dlfb_select_std_channel(struct dlfb_data *dev) + { + int ret; +- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7, ++ void *buf; ++ static const u8 set_def_chn[] = { ++ 0x57, 0xCD, 0xDC, 0xA7, + 0x1C, 0x88, 0x5E, 0x15, + 0x60, 0xFE, 0xC6, 0x97, + 0x16, 0x3D, 0x47, 0xF2 }; + ++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL); ++ ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), + NR_USB_REQUEST_CHANNEL, + (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0, +- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ ++ kfree(buf); ++ + return ret; + } + diff --git a/queue-4.9/vxlan-correctly-handle-ipv6.disable-module-parameter.patch b/queue-4.9/vxlan-correctly-handle-ipv6.disable-module-parameter.patch new file mode 100644 index 00000000000..8bd9a783f47 --- /dev/null +++ b/queue-4.9/vxlan-correctly-handle-ipv6.disable-module-parameter.patch @@ -0,0 +1,53 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Jiri Benc +Date: Thu, 27 Apr 2017 21:24:35 +0200 +Subject: vxlan: correctly handle ipv6.disable module parameter + +From: Jiri Benc + + +[ Upstream commit d074bf9600443403aa24fbc12c1f18eadc90f5aa ] + +When IPv6 is compiled but disabled at runtime, __vxlan_sock_add returns +-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole +operation of bringing up the tunnel. + +Ignore failure of IPv6 socket creation for metadata based tunnels caused by +IPv6 not being available. + +Fixes: b1be00a6c39f ("vxlan: support both IPv4 and IPv6 sockets in a single vxlan device") +Signed-off-by: Jiri Benc +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -2816,17 +2816,21 @@ static int __vxlan_sock_add(struct vxlan + + static int vxlan_sock_add(struct vxlan_dev *vxlan) + { +- bool ipv6 = vxlan->flags & VXLAN_F_IPV6; + bool metadata = vxlan->flags & VXLAN_F_COLLECT_METADATA; ++ bool ipv6 = vxlan->flags & VXLAN_F_IPV6 || metadata; ++ bool ipv4 = !ipv6 || metadata; + int ret = 0; + + RCU_INIT_POINTER(vxlan->vn4_sock, NULL); + #if IS_ENABLED(CONFIG_IPV6) + RCU_INIT_POINTER(vxlan->vn6_sock, NULL); +- if (ipv6 || metadata) ++ if (ipv6) { + ret = __vxlan_sock_add(vxlan, true); ++ if (ret < 0 && ret != -EAFNOSUPPORT) ++ ipv4 = false; ++ } + #endif +- if (!ret && (!ipv6 || metadata)) ++ if (ipv4) + ret = __vxlan_sock_add(vxlan, false); + if (ret < 0) + vxlan_sock_release(vxlan); diff --git a/queue-4.9/wan-pc300too-abort-path-on-failure.patch b/queue-4.9/wan-pc300too-abort-path-on-failure.patch new file mode 100644 index 00000000000..c5ac27bcf4e --- /dev/null +++ b/queue-4.9/wan-pc300too-abort-path-on-failure.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 17:38:35 +0800 +Subject: wan: pc300too: abort path on failure + +From: Pan Bian + + +[ Upstream commit 2a39e7aa8a98f777f0732ca7125b6c9668791760 ] + +In function pc300_pci_init_one(), on the ioremap error path, function +pc300_pci_remove_one() is called to free the allocated memory. However, +the path is not terminated, and the freed memory will be used later, +resulting in use-after-free bugs. This path fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/pc300too.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wan/pc300too.c ++++ b/drivers/net/wan/pc300too.c +@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci + card->rambase == NULL) { + pr_err("ioremap() failed\n"); + pc300_pci_remove_one(pdev); ++ return -ENOMEM; + } + + /* PLX PCI 9050 workaround for local configuration register read bug */ diff --git a/queue-4.9/watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch b/queue-4.9/watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch new file mode 100644 index 00000000000..55defda9a7b --- /dev/null +++ b/queue-4.9/watchdog-fix-potential-kref-imbalance-when-opening-watchdog.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Guenter Roeck +Date: Mon, 25 Sep 2017 09:17:01 -0700 +Subject: watchdog: Fix potential kref imbalance when opening watchdog + +From: Guenter Roeck + + +[ Upstream commit 4bcd615fad6adddc68b058d498b30a9e0e0db77a ] + +If a watchdog driver's open function sets WDOG_HW_RUNNING with the +expectation that the watchdog can not be stopped, but then stops the +watchdog anyway in its stop function, kref_get() wil not be called in +watchdog_open(). If the watchdog then stops on close, WDOG_HW_RUNNING +will be cleared and kref_put() will be called, causing a kref imbalance. +As result the character device data structure will be released, which in +turn will cause the system to crash on the next call to watchdog_open(). + +Fixes: ee142889e32f5 ("watchdog: Introduce WDOG_HW_RUNNING flag") +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/watchdog_dev.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/watchdog/watchdog_dev.c ++++ b/drivers/watchdog/watchdog_dev.c +@@ -760,6 +760,7 @@ static int watchdog_open(struct inode *i + { + struct watchdog_core_data *wd_data; + struct watchdog_device *wdd; ++ bool hw_running; + int err; + + /* Get the corresponding watchdog device */ +@@ -779,7 +780,8 @@ static int watchdog_open(struct inode *i + * If the /dev/watchdog device is open, we don't want the module + * to be unloaded. + */ +- if (!watchdog_hw_running(wdd) && !try_module_get(wdd->ops->owner)) { ++ hw_running = watchdog_hw_running(wdd); ++ if (!hw_running && !try_module_get(wdd->ops->owner)) { + err = -EBUSY; + goto out_clear; + } +@@ -790,7 +792,7 @@ static int watchdog_open(struct inode *i + + file->private_data = wd_data; + +- if (!watchdog_hw_running(wdd)) ++ if (!hw_running) + kref_get(&wd_data->kref); + + /* dev/watchdog is a virtual (and thus non-seekable) filesystem */ diff --git a/queue-4.9/x86-i8259-export-legacy_pic-symbol.patch b/queue-4.9/x86-i8259-export-legacy_pic-symbol.patch new file mode 100644 index 00000000000..9396f682154 --- /dev/null +++ b/queue-4.9/x86-i8259-export-legacy_pic-symbol.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Hans de Goede +Date: Sat, 8 Apr 2017 19:54:20 +0200 +Subject: x86: i8259: export legacy_pic symbol + +From: Hans de Goede + + +[ Upstream commit 7ee06cb2f840a96be46233181ed4557901a74385 ] + +The classic PC rtc-coms driver has a workaround for broken ACPI device +nodes for it which lack an irq resource. This workaround used to +unconditionally hardcode the irq to 8 in these cases. + +This was causing irq conflict problems on systems without a legacy-pic +so a recent patch added an if (nr_legacy_irqs()) guard to the +workaround to avoid this irq conflict. + +nr_legacy_irqs() uses the legacy_pic symbol under the hood causing +an undefined symbol error if the rtc-cmos code is build as a module. + +This commit exports the legacy_pic symbol to fix this. + +Cc: rtc-linux@googlegroups.com +Cc: alexandre.belloni@free-electrons.com +Signed-off-by: Hans de Goede +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/i8259.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -418,6 +418,7 @@ struct legacy_pic default_legacy_pic = { + }; + + struct legacy_pic *legacy_pic = &default_legacy_pic; ++EXPORT_SYMBOL(legacy_pic); + + static int __init i8259A_init_ops(void) + { diff --git a/queue-4.9/x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch b/queue-4.9/x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch new file mode 100644 index 00000000000..f732b75dbb5 --- /dev/null +++ b/queue-4.9/x86-kaslr-fix-kexec-kernel-boot-crash-when-kaslr-randomization-fails.patch @@ -0,0 +1,76 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Baoquan He +Date: Thu, 27 Apr 2017 15:42:20 +0800 +Subject: x86/KASLR: Fix kexec kernel boot crash when KASLR randomization fails + +From: Baoquan He + + +[ Upstream commit da63b6b20077469bd6bd96e07991ce145fc4fbc4 ] + +Dave found that a kdump kernel with KASLR enabled will reset to the BIOS +immediately if physical randomization failed to find a new position for +the kernel. A kernel with the 'nokaslr' option works in this case. + +The reason is that KASLR will install a new page table for the identity +mapping, while it missed building it for the original kernel location +if KASLR physical randomization fails. + +This only happens in the kexec/kdump kernel, because the identity mapping +has been built for kexec/kdump in the 1st kernel for the whole memory by +calling init_pgtable(). Here if physical randomizaiton fails, it won't build +the identity mapping for the original area of the kernel but change to a +new page table '_pgtable'. Then the kernel will triple fault immediately +caused by no identity mappings. + +The normal kernel won't see this bug, because it comes here via startup_32() +and CR3 will be set to _pgtable already. In startup_32() the identity +mapping is built for the 0~4G area. In KASLR we just append to the existing +area instead of entirely overwriting it for on-demand identity mapping +building. So the identity mapping for the original area of kernel is still +there. + +To fix it we just switch to the new identity mapping page table when physical +KASLR succeeds. Otherwise we keep the old page table unchanged just like +"nokaslr" does. + +Signed-off-by: Baoquan He +Signed-off-by: Dave Young +Acked-by: Kees Cook +Cc: Borislav Petkov +Cc: Dave Jiang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Garnier +Cc: Thomas Gleixner +Cc: Yinghai Lu +Link: http://lkml.kernel.org/r/1493278940-5885-1-git-send-email-bhe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/kaslr.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/boot/compressed/kaslr.c ++++ b/arch/x86/boot/compressed/kaslr.c +@@ -460,10 +460,17 @@ void choose_random_location(unsigned lon + add_identity_map(random_addr, output_size); + *output = random_addr; + } ++ ++ /* ++ * This loads the identity mapping page table. ++ * This should only be done if a new physical address ++ * is found for the kernel, otherwise we should keep ++ * the old page table to make it be like the "nokaslr" ++ * case. ++ */ ++ finalize_identity_maps(); + } + +- /* This actually loads the identity pagetable on x86_64. */ +- finalize_identity_maps(); + + /* Pick random virtual address starting from LOAD_PHYSICAL_ADDR. */ + if (IS_ENABLED(CONFIG_X86_64)) diff --git a/queue-4.9/x86-reboot-turn-off-kvm-when-halting-a-cpu.patch b/queue-4.9/x86-reboot-turn-off-kvm-when-halting-a-cpu.patch new file mode 100644 index 00000000000..1445f74723d --- /dev/null +++ b/queue-4.9/x86-reboot-turn-off-kvm-when-halting-a-cpu.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Tiantian Feng +Date: Wed, 19 Apr 2017 18:18:39 +0200 +Subject: x86/reboot: Turn off KVM when halting a CPU + +From: Tiantian Feng + + +[ Upstream commit fba4f472b33aa81ca1836f57d005455261e9126f ] + +A CPU in VMX root mode will ignore INIT signals and will fail to bring +up the APs after reboot. Therefore, on a panic we disable VMX on all +CPUs before rebooting or triggering kdump. + +Do this when halting the machine as well, in case a firmware-level reboot +does not perform a cold reset for all processors. Without doing this, +rebooting the host may hang. + +Signed-off-by: Tiantian Feng +Signed-off-by: Xishi Qiu +[ Rewritten commit message. ] +Signed-off-by: Paolo Bonzini +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: kvm@vger.kernel.org +Link: http://lkml.kernel.org/r/20170419161839.30550-1-pbonzini@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/smp.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/smp.c ++++ b/arch/x86/kernel/smp.c +@@ -33,6 +33,7 @@ + #include + #include + #include ++#include + + /* + * Some notes on x86 processor bugs affecting SMP operation: +@@ -162,6 +163,7 @@ static int smp_stop_nmi_callback(unsigne + if (raw_smp_processor_id() == atomic_read(&stopping_cpu)) + return NMI_HANDLED; + ++ cpu_emergency_vmxoff(); + stop_this_cpu(NULL); + + return NMI_HANDLED; +@@ -174,6 +176,7 @@ static int smp_stop_nmi_callback(unsigne + asmlinkage __visible void smp_reboot_interrupt(void) + { + ipi_entering_ack_irq(); ++ cpu_emergency_vmxoff(); + stop_this_cpu(NULL); + irq_exit(); + } diff --git a/queue-4.9/x86-xen-split-xen_smp_prepare_boot_cpu.patch b/queue-4.9/x86-xen-split-xen_smp_prepare_boot_cpu.patch new file mode 100644 index 00000000000..b5bdacf7973 --- /dev/null +++ b/queue-4.9/x86-xen-split-xen_smp_prepare_boot_cpu.patch @@ -0,0 +1,104 @@ +From foo@baz Thu Mar 22 14:40:24 CET 2018 +From: Vitaly Kuznetsov +Date: Tue, 14 Mar 2017 18:35:43 +0100 +Subject: x86/xen: split xen_smp_prepare_boot_cpu() + +From: Vitaly Kuznetsov + + +[ Upstream commit a2d1078a35f9a38ae888aa6147e4ca32666154a1 ] + +Split xen_smp_prepare_boot_cpu() into xen_pv_smp_prepare_boot_cpu() and +xen_hvm_smp_prepare_boot_cpu() to support further splitting of smp.c. + +Signed-off-by: Vitaly Kuznetsov +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/xen/smp.c | 49 ++++++++++++++++++++++++++++++------------------- + 1 file changed, 30 insertions(+), 19 deletions(-) + +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -299,35 +299,46 @@ static void __init xen_filter_cpu_maps(v + + } + +-static void __init xen_smp_prepare_boot_cpu(void) ++static void __init xen_pv_smp_prepare_boot_cpu(void) + { + BUG_ON(smp_processor_id() != 0); + native_smp_prepare_boot_cpu(); + +- if (xen_pv_domain()) { +- if (!xen_feature(XENFEAT_writable_page_tables)) +- /* We've switched to the "real" per-cpu gdt, so make +- * sure the old memory can be recycled. */ +- make_lowmem_page_readwrite(xen_initial_gdt); ++ if (!xen_feature(XENFEAT_writable_page_tables)) ++ /* We've switched to the "real" per-cpu gdt, so make ++ * sure the old memory can be recycled. */ ++ make_lowmem_page_readwrite(xen_initial_gdt); + + #ifdef CONFIG_X86_32 +- /* +- * Xen starts us with XEN_FLAT_RING1_DS, but linux code +- * expects __USER_DS +- */ +- loadsegment(ds, __USER_DS); +- loadsegment(es, __USER_DS); ++ /* ++ * Xen starts us with XEN_FLAT_RING1_DS, but linux code ++ * expects __USER_DS ++ */ ++ loadsegment(ds, __USER_DS); ++ loadsegment(es, __USER_DS); + #endif + +- xen_filter_cpu_maps(); +- xen_setup_vcpu_info_placement(); +- } ++ xen_filter_cpu_maps(); ++ xen_setup_vcpu_info_placement(); ++ ++ /* ++ * The alternative logic (which patches the unlock/lock) runs before ++ * the smp bootup up code is activated. Hence we need to set this up ++ * the core kernel is being patched. Otherwise we will have only ++ * modules patched but not core code. ++ */ ++ xen_init_spinlocks(); ++} ++ ++static void __init xen_hvm_smp_prepare_boot_cpu(void) ++{ ++ BUG_ON(smp_processor_id() != 0); ++ native_smp_prepare_boot_cpu(); + + /* + * Setup vcpu_info for boot CPU. + */ +- if (xen_hvm_domain()) +- xen_vcpu_setup(0); ++ xen_vcpu_setup(0); + + /* + * The alternative logic (which patches the unlock/lock) runs before +@@ -733,7 +744,7 @@ static irqreturn_t xen_irq_work_interrup + } + + static const struct smp_ops xen_smp_ops __initconst = { +- .smp_prepare_boot_cpu = xen_smp_prepare_boot_cpu, ++ .smp_prepare_boot_cpu = xen_pv_smp_prepare_boot_cpu, + .smp_prepare_cpus = xen_smp_prepare_cpus, + .smp_cpus_done = xen_smp_cpus_done, + +@@ -772,5 +783,5 @@ void __init xen_hvm_smp_init(void) + smp_ops.cpu_die = xen_cpu_die; + smp_ops.send_call_func_ipi = xen_smp_send_call_function_ipi; + smp_ops.send_call_func_single_ipi = xen_smp_send_call_function_single_ipi; +- smp_ops.smp_prepare_boot_cpu = xen_smp_prepare_boot_cpu; ++ smp_ops.smp_prepare_boot_cpu = xen_hvm_smp_prepare_boot_cpu; + } diff --git a/queue-4.9/xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch b/queue-4.9/xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch new file mode 100644 index 00000000000..8ee40532db2 --- /dev/null +++ b/queue-4.9/xprtrdma-cancel-refresh-worker-during-buffer-shutdown.patch @@ -0,0 +1,32 @@ +From foo@baz Thu Mar 22 14:40:23 CET 2018 +From: Chuck Lever +Date: Tue, 11 Apr 2017 13:22:29 -0400 +Subject: xprtrdma: Cancel refresh worker during buffer shutdown + +From: Chuck Lever + + +[ Upstream commit 9378b274e1eb6925db315e345f48850d2d5d9789 ] + +Trying to create MRs while the transport is being torn down can +cause a crash. + +Fixes: e2ac236c0b65 ("xprtrdma: Allocate MRs on demand") +Signed-off-by: Chuck Lever +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtrdma/verbs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sunrpc/xprtrdma/verbs.c ++++ b/net/sunrpc/xprtrdma/verbs.c +@@ -1054,6 +1054,7 @@ void + rpcrdma_buffer_destroy(struct rpcrdma_buffer *buf) + { + cancel_delayed_work_sync(&buf->rb_recovery_worker); ++ cancel_delayed_work_sync(&buf->rb_refresh_worker); + + while (!list_empty(&buf->rb_recv_bufs)) { + struct rpcrdma_rep *rep;