From: Greg Kroah-Hartman Date: Sun, 11 Nov 2018 02:08:26 +0000 (-0800) Subject: 4.18-stable patches X-Git-Tag: v4.19.2~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=31b90ffb06972b2ef5775d179249e66baee1500d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch dm-zoned-fix-metadata-block-ref-counting.patch dm-zoned-fix-various-dmz_get_mblock-issues.patch fsnotify-fix-busy-inodes-during-unmount.patch iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch lockd-fix-access-beyond-unterminated-strings-in-prints.patch media-ov7670-make-xclk-clock-optional.patch media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch mips-memset-fix-cpu_daddi_workarounds-small_fixup-regression.patch mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch net-bcmgenet-fix-of-child-node-lookup.patch nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch nfs-fix-a-missed-page-unlock-after-pg_doio.patch nfsd-correctly-decrement-odstate-refcount-in-error-path.patch nfsd-fix-an-oops-in-free_session.patch nfsv4.1-fix-the-r-wsize-checking.patch ocxl-fix-access-to-the-afu-descriptor-data.patch power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch powerpc-64s-hash-do-not-use-ppc_invalidate_erat-on-cpus-before-power9.patch powerpc-msi-fix-compile-error-on-mpc83xx.patch powerpc-tm-fix-hfscr-bit-for-no-suspend-case.patch rtc-cmos-fix-non-acpi-undefined-reference-to-hpet_rtc_interrupt.patch rtc-cmos-remove-the-use_acpi_alarm-module-parameter-for-acpi.patch rtc-ds1307-fix-ds1339-wakealarm-support.patch tc-set-dma-masks-for-devices.patch --- diff --git a/queue-4.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch b/queue-4.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch new file mode 100644 index 00000000000..e1bbf06a610 --- /dev/null +++ b/queue-4.18/dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch @@ -0,0 +1,70 @@ +From 800a7340ab7dd667edf95e74d8e4f23a17e87076 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 3 Oct 2018 11:43:59 -0500 +Subject: dm ioctl: harden copy_params()'s copy_from_user() from malicious users + +From: Wenwen Wang + +commit 800a7340ab7dd667edf95e74d8e4f23a17e87076 upstream. + +In copy_params(), the struct 'dm_ioctl' is first copied from the user +space buffer 'user' to 'param_kernel' and the field 'data_size' is +checked against 'minimum_data_size' (size of 'struct dm_ioctl' payload +up to its 'data' member). If the check fails, an error code EINVAL will be +returned. Otherwise, param_kernel->data_size is used to do a second copy, +which copies from the same user-space buffer to 'dmi'. After the second +copy, only 'dmi->data_size' is checked against 'param_kernel->data_size'. +Given that the buffer 'user' resides in the user space, a malicious +user-space process can race to change the content in the buffer between +the two copies. This way, the attacker can inject inconsistent data +into 'dmi' (versus previously validated 'param_kernel'). + +Fix redundant copying of 'minimum_data_size' from user-space buffer by +using the first copy stored in 'param_kernel'. Also remove the +'data_size' check after the second copy because it is now unnecessary. + +Cc: stable@vger.kernel.org +Signed-off-by: Wenwen Wang +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ioctl.c | 18 ++++++------------ + 1 file changed, 6 insertions(+), 12 deletions(-) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1720,8 +1720,7 @@ static void free_params(struct dm_ioctl + } + + static int copy_params(struct dm_ioctl __user *user, struct dm_ioctl *param_kernel, +- int ioctl_flags, +- struct dm_ioctl **param, int *param_flags) ++ int ioctl_flags, struct dm_ioctl **param, int *param_flags) + { + struct dm_ioctl *dmi; + int secure_data; +@@ -1762,18 +1761,13 @@ static int copy_params(struct dm_ioctl _ + + *param_flags |= DM_PARAMS_MALLOC; + +- if (copy_from_user(dmi, user, param_kernel->data_size)) +- goto bad; ++ /* Copy from param_kernel (which was already copied from user) */ ++ memcpy(dmi, param_kernel, minimum_data_size); + +-data_copied: +- /* +- * Abort if something changed the ioctl data while it was being copied. +- */ +- if (dmi->data_size != param_kernel->data_size) { +- DMERR("rejecting ioctl: data size modified while processing parameters"); ++ if (copy_from_user(&dmi->data, (char __user *)user + minimum_data_size, ++ param_kernel->data_size - minimum_data_size)) + goto bad; +- } +- ++data_copied: + /* Wipe the user buffer so we do not return it to userspace */ + if (secure_data && clear_user(user, param_kernel->data_size)) + goto bad; diff --git a/queue-4.18/dm-zoned-fix-metadata-block-ref-counting.patch b/queue-4.18/dm-zoned-fix-metadata-block-ref-counting.patch new file mode 100644 index 00000000000..1edf489f13e --- /dev/null +++ b/queue-4.18/dm-zoned-fix-metadata-block-ref-counting.patch @@ -0,0 +1,102 @@ +From 33c2865f8d011a2ca9f67124ddab9dc89382e9f1 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 17 Oct 2018 18:05:07 +0900 +Subject: dm zoned: fix metadata block ref counting + +From: Damien Le Moal + +commit 33c2865f8d011a2ca9f67124ddab9dc89382e9f1 upstream. + +Since the ref field of struct dmz_mblock is always used with the +spinlock of struct dmz_metadata locked, there is no need to use an +atomic_t type. Change the type of the ref field to an unsigne +integer. + +Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-zoned-metadata.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/md/dm-zoned-metadata.c ++++ b/drivers/md/dm-zoned-metadata.c +@@ -99,7 +99,7 @@ struct dmz_mblock { + struct rb_node node; + struct list_head link; + sector_t no; +- atomic_t ref; ++ unsigned int ref; + unsigned long state; + struct page *page; + void *data; +@@ -296,7 +296,7 @@ static struct dmz_mblock *dmz_alloc_mblo + + RB_CLEAR_NODE(&mblk->node); + INIT_LIST_HEAD(&mblk->link); +- atomic_set(&mblk->ref, 0); ++ mblk->ref = 0; + mblk->state = 0; + mblk->no = mblk_no; + mblk->data = page_address(mblk->page); +@@ -397,7 +397,7 @@ static struct dmz_mblock *dmz_fetch_mblo + return NULL; + + spin_lock(&zmd->mblk_lock); +- atomic_inc(&mblk->ref); ++ mblk->ref++; + set_bit(DMZ_META_READING, &mblk->state); + dmz_insert_mblock(zmd, mblk); + spin_unlock(&zmd->mblk_lock); +@@ -484,7 +484,8 @@ static void dmz_release_mblock(struct dm + + spin_lock(&zmd->mblk_lock); + +- if (atomic_dec_and_test(&mblk->ref)) { ++ mblk->ref--; ++ if (mblk->ref == 0) { + if (test_bit(DMZ_META_ERROR, &mblk->state)) { + rb_erase(&mblk->node, &zmd->mblk_rbtree); + dmz_free_mblock(zmd, mblk); +@@ -511,7 +512,8 @@ static struct dmz_mblock *dmz_get_mblock + mblk = dmz_lookup_mblock(zmd, mblk_no); + if (mblk) { + /* Cache hit: remove block from LRU list */ +- if (atomic_inc_return(&mblk->ref) == 1 && ++ mblk->ref++; ++ if (mblk->ref == 1 && + !test_bit(DMZ_META_DIRTY, &mblk->state)) + list_del_init(&mblk->link); + } +@@ -753,7 +755,7 @@ int dmz_flush_metadata(struct dmz_metada + + spin_lock(&zmd->mblk_lock); + clear_bit(DMZ_META_DIRTY, &mblk->state); +- if (atomic_read(&mblk->ref) == 0) ++ if (mblk->ref == 0) + list_add_tail(&mblk->link, &zmd->mblk_lru_list); + spin_unlock(&zmd->mblk_lock); + } +@@ -2308,7 +2310,7 @@ static void dmz_cleanup_metadata(struct + mblk = list_first_entry(&zmd->mblk_dirty_list, + struct dmz_mblock, link); + dmz_dev_warn(zmd->dev, "mblock %llu still in dirty list (ref %u)", +- (u64)mblk->no, atomic_read(&mblk->ref)); ++ (u64)mblk->no, mblk->ref); + list_del_init(&mblk->link); + rb_erase(&mblk->node, &zmd->mblk_rbtree); + dmz_free_mblock(zmd, mblk); +@@ -2326,8 +2328,8 @@ static void dmz_cleanup_metadata(struct + root = &zmd->mblk_rbtree; + rbtree_postorder_for_each_entry_safe(mblk, next, root, node) { + dmz_dev_warn(zmd->dev, "mblock %llu ref %u still in rbtree", +- (u64)mblk->no, atomic_read(&mblk->ref)); +- atomic_set(&mblk->ref, 0); ++ (u64)mblk->no, mblk->ref); ++ mblk->ref = 0; + dmz_free_mblock(zmd, mblk); + } + diff --git a/queue-4.18/dm-zoned-fix-various-dmz_get_mblock-issues.patch b/queue-4.18/dm-zoned-fix-various-dmz_get_mblock-issues.patch new file mode 100644 index 00000000000..894f463f42a --- /dev/null +++ b/queue-4.18/dm-zoned-fix-various-dmz_get_mblock-issues.patch @@ -0,0 +1,158 @@ +From 3d4e738311327bc4ba1d55fbe2f1da3de4a475f9 Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Wed, 17 Oct 2018 18:05:08 +0900 +Subject: dm zoned: fix various dmz_get_mblock() issues + +From: Damien Le Moal + +commit 3d4e738311327bc4ba1d55fbe2f1da3de4a475f9 upstream. + +dmz_fetch_mblock() called from dmz_get_mblock() has a race since the +allocation of the new metadata block descriptor and its insertion in +the cache rbtree with the READING state is not atomic. Two different +contexts requesting the same block may end up each adding two different +descriptors of the same block to the cache. + +Another problem for this function is that the BIO for processing the +block read is allocated after the metadata block descriptor is inserted +in the cache rbtree. If the BIO allocation fails, the metadata block +descriptor is freed without first being removed from the rbtree. + +Fix the first problem by checking again if the requested block is not in +the cache right before inserting the newly allocated descriptor, +atomically under the mblk_lock spinlock. The second problem is fixed by +simply allocating the BIO before inserting the new block in the cache. + +Finally, since dmz_fetch_mblock() also increments a block reference +counter, rename the function to dmz_get_mblock_slow(). To be symmetric +and clear, also rename dmz_lookup_mblock() to dmz_get_mblock_fast() and +increment the block reference counter directly in that function rather +than in dmz_get_mblock(). + +Fixes: 3b1a94c88b79 ("dm zoned: drive-managed zoned block device target") +Cc: stable@vger.kernel.org +Signed-off-by: Damien Le Moal +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-zoned-metadata.c | 66 ++++++++++++++++++++++++++--------------- + 1 file changed, 42 insertions(+), 24 deletions(-) + +--- a/drivers/md/dm-zoned-metadata.c ++++ b/drivers/md/dm-zoned-metadata.c +@@ -339,10 +339,11 @@ static void dmz_insert_mblock(struct dmz + } + + /* +- * Lookup a metadata block in the rbtree. ++ * Lookup a metadata block in the rbtree. If the block is found, increment ++ * its reference count. + */ +-static struct dmz_mblock *dmz_lookup_mblock(struct dmz_metadata *zmd, +- sector_t mblk_no) ++static struct dmz_mblock *dmz_get_mblock_fast(struct dmz_metadata *zmd, ++ sector_t mblk_no) + { + struct rb_root *root = &zmd->mblk_rbtree; + struct rb_node *node = root->rb_node; +@@ -350,8 +351,17 @@ static struct dmz_mblock *dmz_lookup_mbl + + while (node) { + mblk = container_of(node, struct dmz_mblock, node); +- if (mblk->no == mblk_no) ++ if (mblk->no == mblk_no) { ++ /* ++ * If this is the first reference to the block, ++ * remove it from the LRU list. ++ */ ++ mblk->ref++; ++ if (mblk->ref == 1 && ++ !test_bit(DMZ_META_DIRTY, &mblk->state)) ++ list_del_init(&mblk->link); + return mblk; ++ } + node = (mblk->no < mblk_no) ? node->rb_left : node->rb_right; + } + +@@ -382,32 +392,47 @@ static void dmz_mblock_bio_end_io(struct + } + + /* +- * Read a metadata block from disk. ++ * Read an uncached metadata block from disk and add it to the cache. + */ +-static struct dmz_mblock *dmz_fetch_mblock(struct dmz_metadata *zmd, +- sector_t mblk_no) ++static struct dmz_mblock *dmz_get_mblock_slow(struct dmz_metadata *zmd, ++ sector_t mblk_no) + { +- struct dmz_mblock *mblk; ++ struct dmz_mblock *mblk, *m; + sector_t block = zmd->sb[zmd->mblk_primary].block + mblk_no; + struct bio *bio; + +- /* Get block and insert it */ ++ /* Get a new block and a BIO to read it */ + mblk = dmz_alloc_mblock(zmd, mblk_no); + if (!mblk) + return NULL; + +- spin_lock(&zmd->mblk_lock); +- mblk->ref++; +- set_bit(DMZ_META_READING, &mblk->state); +- dmz_insert_mblock(zmd, mblk); +- spin_unlock(&zmd->mblk_lock); +- + bio = bio_alloc(GFP_NOIO, 1); + if (!bio) { + dmz_free_mblock(zmd, mblk); + return NULL; + } + ++ spin_lock(&zmd->mblk_lock); ++ ++ /* ++ * Make sure that another context did not start reading ++ * the block already. ++ */ ++ m = dmz_get_mblock_fast(zmd, mblk_no); ++ if (m) { ++ spin_unlock(&zmd->mblk_lock); ++ dmz_free_mblock(zmd, mblk); ++ bio_put(bio); ++ return m; ++ } ++ ++ mblk->ref++; ++ set_bit(DMZ_META_READING, &mblk->state); ++ dmz_insert_mblock(zmd, mblk); ++ ++ spin_unlock(&zmd->mblk_lock); ++ ++ /* Submit read BIO */ + bio->bi_iter.bi_sector = dmz_blk2sect(block); + bio_set_dev(bio, zmd->dev->bdev); + bio->bi_private = mblk; +@@ -509,19 +534,12 @@ static struct dmz_mblock *dmz_get_mblock + + /* Check rbtree */ + spin_lock(&zmd->mblk_lock); +- mblk = dmz_lookup_mblock(zmd, mblk_no); +- if (mblk) { +- /* Cache hit: remove block from LRU list */ +- mblk->ref++; +- if (mblk->ref == 1 && +- !test_bit(DMZ_META_DIRTY, &mblk->state)) +- list_del_init(&mblk->link); +- } ++ mblk = dmz_get_mblock_fast(zmd, mblk_no); + spin_unlock(&zmd->mblk_lock); + + if (!mblk) { + /* Cache miss: read the block from disk */ +- mblk = dmz_fetch_mblock(zmd, mblk_no); ++ mblk = dmz_get_mblock_slow(zmd, mblk_no); + if (!mblk) + return ERR_PTR(-ENOMEM); + } diff --git a/queue-4.18/fsnotify-fix-busy-inodes-during-unmount.patch b/queue-4.18/fsnotify-fix-busy-inodes-during-unmount.patch new file mode 100644 index 00000000000..d939f9413c0 --- /dev/null +++ b/queue-4.18/fsnotify-fix-busy-inodes-during-unmount.patch @@ -0,0 +1,176 @@ +From 721fb6fbfd2132164c2e8777cc837f9b2c1794dc Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 17 Oct 2018 13:07:05 +0200 +Subject: fsnotify: Fix busy inodes during unmount + +From: Jan Kara + +commit 721fb6fbfd2132164c2e8777cc837f9b2c1794dc upstream. + +Detaching of mark connector from fsnotify_put_mark() can race with +unmounting of the filesystem like: + + CPU1 CPU2 +fsnotify_put_mark() + spin_lock(&conn->lock); + ... + inode = fsnotify_detach_connector_from_object(conn) + spin_unlock(&conn->lock); + generic_shutdown_super() + fsnotify_unmount_inodes() + sees connector detached for inode + -> nothing to do + evict_inode() + barfs on pending inode reference + iput(inode); + +Resulting in "Busy inodes after unmount" message and possible kernel +oops. Make fsnotify_unmount_inodes() properly wait for outstanding inode +references from detached connectors. + +Note that the accounting of outstanding inode references in the +superblock can cause some cacheline contention on the counter. OTOH it +happens only during deletion of the last notification mark from an inode +(or during unlinking of watched inode) and that is not too bad. I have +measured time to create & delete inotify watch 100000 times from 64 +processes in parallel (each process having its own inotify group and its +own file on a shared superblock) on a 64 CPU machine. Average and +standard deviation of 15 runs look like: + + Avg Stddev +Vanilla 9.817400 0.276165 +Fixed 9.710467 0.228294 + +So there's no statistically significant difference. + +Fixes: 6b3f05d24d35 ("fsnotify: Detach mark from object list when last reference is dropped") +CC: stable@vger.kernel.org +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/fsnotify.c | 3 +++ + fs/notify/mark.c | 39 +++++++++++++++++++++++++++++++-------- + include/linux/fs.h | 3 +++ + 3 files changed, 37 insertions(+), 8 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -96,6 +96,9 @@ void fsnotify_unmount_inodes(struct supe + + if (iput_inode) + iput(iput_inode); ++ /* Wait for outstanding inode references from connectors */ ++ wait_var_event(&sb->s_fsnotify_inode_refs, ++ !atomic_long_read(&sb->s_fsnotify_inode_refs)); + } + + /* +--- a/fs/notify/mark.c ++++ b/fs/notify/mark.c +@@ -161,15 +161,18 @@ static void fsnotify_connector_destroy_w + } + } + +-static struct inode *fsnotify_detach_connector_from_object( +- struct fsnotify_mark_connector *conn) ++static void *fsnotify_detach_connector_from_object( ++ struct fsnotify_mark_connector *conn, ++ unsigned int *type) + { + struct inode *inode = NULL; + ++ *type = conn->type; + if (conn->type == FSNOTIFY_OBJ_TYPE_INODE) { + inode = conn->inode; + rcu_assign_pointer(inode->i_fsnotify_marks, NULL); + inode->i_fsnotify_mask = 0; ++ atomic_long_inc(&inode->i_sb->s_fsnotify_inode_refs); + conn->inode = NULL; + conn->type = FSNOTIFY_OBJ_TYPE_DETACHED; + } else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT) { +@@ -193,10 +196,29 @@ static void fsnotify_final_mark_destroy( + fsnotify_put_group(group); + } + ++/* Drop object reference originally held by a connector */ ++static void fsnotify_drop_object(unsigned int type, void *objp) ++{ ++ struct inode *inode; ++ struct super_block *sb; ++ ++ if (!objp) ++ return; ++ /* Currently only inode references are passed to be dropped */ ++ if (WARN_ON_ONCE(type != FSNOTIFY_OBJ_TYPE_INODE)) ++ return; ++ inode = objp; ++ sb = inode->i_sb; ++ iput(inode); ++ if (atomic_long_dec_and_test(&sb->s_fsnotify_inode_refs)) ++ wake_up_var(&sb->s_fsnotify_inode_refs); ++} ++ + void fsnotify_put_mark(struct fsnotify_mark *mark) + { + struct fsnotify_mark_connector *conn; +- struct inode *inode = NULL; ++ void *objp = NULL; ++ unsigned int type = FSNOTIFY_OBJ_TYPE_DETACHED; + bool free_conn = false; + + /* Catch marks that were actually never attached to object */ +@@ -216,7 +238,7 @@ void fsnotify_put_mark(struct fsnotify_m + conn = mark->connector; + hlist_del_init_rcu(&mark->obj_list); + if (hlist_empty(&conn->list)) { +- inode = fsnotify_detach_connector_from_object(conn); ++ objp = fsnotify_detach_connector_from_object(conn, &type); + free_conn = true; + } else { + __fsnotify_recalc_mask(conn); +@@ -224,7 +246,7 @@ void fsnotify_put_mark(struct fsnotify_m + mark->connector = NULL; + spin_unlock(&conn->lock); + +- iput(inode); ++ fsnotify_drop_object(type, objp); + + if (free_conn) { + spin_lock(&destroy_lock); +@@ -702,7 +724,8 @@ void fsnotify_destroy_marks(struct fsnot + { + struct fsnotify_mark_connector *conn; + struct fsnotify_mark *mark, *old_mark = NULL; +- struct inode *inode; ++ void *objp; ++ unsigned int type; + + conn = fsnotify_grab_connector(connp); + if (!conn) +@@ -728,11 +751,11 @@ void fsnotify_destroy_marks(struct fsnot + * mark references get dropped. It would lead to strange results such + * as delaying inode deletion or blocking unmount. + */ +- inode = fsnotify_detach_connector_from_object(conn); ++ objp = fsnotify_detach_connector_from_object(conn, &type); + spin_unlock(&conn->lock); + if (old_mark) + fsnotify_put_mark(old_mark); +- iput(inode); ++ fsnotify_drop_object(type, objp); + } + + /* +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1416,6 +1416,9 @@ struct super_block { + /* Number of inodes with nlink == 0 but still referenced */ + atomic_long_t s_remove_count; + ++ /* Pending fsnotify inode refs */ ++ atomic_long_t s_fsnotify_inode_refs; ++ + /* Being remounted read-only */ + int s_readonly_remount; + diff --git a/queue-4.18/iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch b/queue-4.18/iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch new file mode 100644 index 00000000000..2ad77d4b133 --- /dev/null +++ b/queue-4.18/iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch @@ -0,0 +1,50 @@ +From 7d321bd3542500caf125249f44dc37cb4e738013 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 1 Oct 2018 12:42:49 +0100 +Subject: iommu/arm-smmu: Ensure that page-table updates are visible before TLBI + +From: Will Deacon + +commit 7d321bd3542500caf125249f44dc37cb4e738013 upstream. + +The IO-pgtable code relies on the driver TLB invalidation callbacks to +ensure that all page-table updates are visible to the IOMMU page-table +walker. + +In the case that the page-table walker is cache-coherent, we cannot rely +on an implicit DSB from the DMA-mapping code, so we must ensure that we +execute a DSB in our tlb_add_flush() callback prior to triggering the +invalidation. + +Cc: +Cc: Robin Murphy +Fixes: 2df7a25ce4a7 ("iommu/arm-smmu: Clean up DMA API usage") +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/arm-smmu.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/iommu/arm-smmu.c ++++ b/drivers/iommu/arm-smmu.c +@@ -469,6 +469,9 @@ static void arm_smmu_tlb_inv_range_nosyn + bool stage1 = cfg->cbar != CBAR_TYPE_S2_TRANS; + void __iomem *reg = ARM_SMMU_CB(smmu_domain->smmu, cfg->cbndx); + ++ if (smmu_domain->smmu->features & ARM_SMMU_FEAT_COHERENT_WALK) ++ wmb(); ++ + if (stage1) { + reg += leaf ? ARM_SMMU_CB_S1_TLBIVAL : ARM_SMMU_CB_S1_TLBIVA; + +@@ -510,6 +513,9 @@ static void arm_smmu_tlb_inv_vmid_nosync + struct arm_smmu_domain *smmu_domain = cookie; + void __iomem *base = ARM_SMMU_GR0(smmu_domain->smmu); + ++ if (smmu_domain->smmu->features & ARM_SMMU_FEAT_COHERENT_WALK) ++ wmb(); ++ + writel_relaxed(smmu_domain->cfg.vmid, base + ARM_SMMU_GR0_TLBIVMID); + } + diff --git a/queue-4.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch b/queue-4.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch new file mode 100644 index 00000000000..51f7eaf5dd2 --- /dev/null +++ b/queue-4.18/lockd-fix-access-beyond-unterminated-strings-in-prints.patch @@ -0,0 +1,32 @@ +From 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee Mon Sep 17 00:00:00 2001 +From: Amir Goldstein +Date: Fri, 28 Sep 2018 20:41:48 +0300 +Subject: lockd: fix access beyond unterminated strings in prints + +From: Amir Goldstein + +commit 93f38b6fae0ea8987e22d9e6c38f8dfdccd867ee upstream. + +printk format used %*s instead of %.*s, so hostname_len does not limit +the number of bytes accessed from hostname. + +Signed-off-by: Amir Goldstein +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/lockd/host.c ++++ b/fs/lockd/host.c +@@ -341,7 +341,7 @@ struct nlm_host *nlmsvc_lookup_host(cons + }; + struct lockd_net *ln = net_generic(net, lockd_net_id); + +- dprintk("lockd: %s(host='%*s', vers=%u, proto=%s)\n", __func__, ++ dprintk("lockd: %s(host='%.*s', vers=%u, proto=%s)\n", __func__, + (int)hostname_len, hostname, rqstp->rq_vers, + (rqstp->rq_prot == IPPROTO_UDP ? "udp" : "tcp")); + diff --git a/queue-4.18/media-ov7670-make-xclk-clock-optional.patch b/queue-4.18/media-ov7670-make-xclk-clock-optional.patch new file mode 100644 index 00000000000..f1ec4178b47 --- /dev/null +++ b/queue-4.18/media-ov7670-make-xclk-clock-optional.patch @@ -0,0 +1,64 @@ +From 786fa584eda86d6598db3b87c61dc81f68808d11 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Thu, 4 Oct 2018 17:29:03 -0400 +Subject: media: ov7670: make "xclk" clock optional + +From: Lubomir Rintel + +commit 786fa584eda86d6598db3b87c61dc81f68808d11 upstream. + +When the "xclk" clock was added, it was made mandatory. This broke the +driver on an OLPC plaform which doesn't know such clock. Make it +optional. + +Tested on a OLPC XO-1 laptop. + +Fixes: 0a024d634cee ("[media] ov7670: get xclk") + +Cc: stable@vger.kernel.org # 4.11+ +Signed-off-by: Lubomir Rintel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/ov7670.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +--- a/drivers/media/i2c/ov7670.c ++++ b/drivers/media/i2c/ov7670.c +@@ -1810,17 +1810,24 @@ static int ov7670_probe(struct i2c_clien + info->pclk_hb_disable = true; + } + +- info->clk = devm_clk_get(&client->dev, "xclk"); +- if (IS_ERR(info->clk)) +- return PTR_ERR(info->clk); +- ret = clk_prepare_enable(info->clk); +- if (ret) +- return ret; ++ info->clk = devm_clk_get(&client->dev, "xclk"); /* optional */ ++ if (IS_ERR(info->clk)) { ++ ret = PTR_ERR(info->clk); ++ if (ret == -ENOENT) ++ info->clk = NULL; ++ else ++ return ret; ++ } ++ if (info->clk) { ++ ret = clk_prepare_enable(info->clk); ++ if (ret) ++ return ret; + +- info->clock_speed = clk_get_rate(info->clk) / 1000000; +- if (info->clock_speed < 10 || info->clock_speed > 48) { +- ret = -EINVAL; +- goto clk_disable; ++ info->clock_speed = clk_get_rate(info->clk) / 1000000; ++ if (info->clock_speed < 10 || info->clock_speed > 48) { ++ ret = -EINVAL; ++ goto clk_disable; ++ } + } + + ret = ov7670_init_gpio(client, info); diff --git a/queue-4.18/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch b/queue-4.18/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch new file mode 100644 index 00000000000..f2def36e7f1 --- /dev/null +++ b/queue-4.18/media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch @@ -0,0 +1,38 @@ +From 250854eed5d45a73d81e4137dfd85180af6f2ec3 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Mon, 8 Oct 2018 15:08:27 -0400 +Subject: media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD + +From: Hans Verkuil + +commit 250854eed5d45a73d81e4137dfd85180af6f2ec3 upstream. + +When the OSD is on (i.e. vivid displays text on top of the test pattern), and +you enable hflip, then the driver crashes. + +The cause turned out to be a division of a negative number by an unsigned value. +You expect that -8 / 2U would be -4, but in reality it is 2147483644 :-( + +Fixes: 3e14e7a82c1ef ("vivid-tpg: add hor/vert downsampling support to tpg_gen_text") + +Signed-off-by: Hans Verkuil +Reported-by: Mauro Carvalho Chehab +Cc: # for v4.1 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/common/v4l2-tpg/v4l2-tpg-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c ++++ b/drivers/media/common/v4l2-tpg/v4l2-tpg-core.c +@@ -1770,7 +1770,7 @@ typedef struct { u16 __; u8 _; } __packe + pos[7] = (chr & (0x01 << 0) ? fg : bg); \ + } \ + \ +- pos += (tpg->hflip ? -8 : 8) / hdiv; \ ++ pos += (tpg->hflip ? -8 : 8) / (int)hdiv; \ + } \ + } \ + } while (0) diff --git a/queue-4.18/mips-memset-fix-cpu_daddi_workarounds-small_fixup-regression.patch b/queue-4.18/mips-memset-fix-cpu_daddi_workarounds-small_fixup-regression.patch new file mode 100644 index 00000000000..969d481aebf --- /dev/null +++ b/queue-4.18/mips-memset-fix-cpu_daddi_workarounds-small_fixup-regression.patch @@ -0,0 +1,69 @@ +From 2f7619ae90bf78cf576b5e72087aab0435266fdb Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 2 Oct 2018 12:50:11 +0100 +Subject: MIPS: memset: Fix CPU_DADDI_WORKAROUNDS `small_fixup' regression + +From: Maciej W. Rozycki + +commit 2f7619ae90bf78cf576b5e72087aab0435266fdb upstream. + +Fix a commit 8a8158c85e1e ("MIPS: memset.S: EVA & fault support for +small_memset") regression and remove assembly warnings: + +arch/mips/lib/memset.S: Assembler messages: +arch/mips/lib/memset.S:243: Warning: Macro instruction expanded into multiple instructions in a branch delay slot + +triggering with the CPU_DADDI_WORKAROUNDS option set and this code: + + PTR_SUBU a2, t1, a0 + jr ra + PTR_ADDIU a2, 1 + +This is because with that option in place the DADDIU instruction, which +the PTR_ADDIU CPP macro expands to, becomes a GAS macro, which in turn +expands to an LI/DADDU (or actually ADDIU/DADDU) sequence: + + 13c: 01a4302f dsubu a2,t1,a0 + 140: 03e00008 jr ra + 144: 24010001 li at,1 + 148: 00c1302d daddu a2,a2,at + ... + +Correct this by switching off the `noreorder' assembly mode and letting +GAS schedule this jump's delay slot, as there is nothing special about +it that would require manual scheduling. With this change in place +correct code is produced: + + 13c: 01a4302f dsubu a2,t1,a0 + 140: 24010001 li at,1 + 144: 03e00008 jr ra + 148: 00c1302d daddu a2,a2,at + ... + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Fixes: 8a8158c85e1e ("MIPS: memset.S: EVA & fault support for small_memset") +Patchwork: https://patchwork.linux-mips.org/patch/20833/ +Cc: Ralf Baechle +Cc: stable@vger.kernel.org # 4.17+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/lib/memset.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mips/lib/memset.S ++++ b/arch/mips/lib/memset.S +@@ -262,9 +262,11 @@ + nop + + .Lsmall_fixup\@: ++ .set reorder + PTR_SUBU a2, t1, a0 ++ PTR_ADDIU a2, 1 + jr ra +- PTR_ADDIU a2, 1 ++ .set noreorder + + .endm + diff --git a/queue-4.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch b/queue-4.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch new file mode 100644 index 00000000000..57e9b8fd598 --- /dev/null +++ b/queue-4.18/mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch @@ -0,0 +1,39 @@ +From c0fae7e2452b90c31edd2d25eb3baf0c76b400ca Mon Sep 17 00:00:00 2001 +From: Aaro Koskinen +Date: Sat, 27 Oct 2018 01:46:34 +0300 +Subject: MIPS: OCTEON: fix out of bounds array access on CN68XX + +From: Aaro Koskinen + +commit c0fae7e2452b90c31edd2d25eb3baf0c76b400ca upstream. + +The maximum number of interfaces is returned by +cvmx_helper_get_number_of_interfaces(), and the value is used to access +interface_port_count[]. When CN68XX support was added, we forgot +to increase the array size. Fix that. + +Fixes: 2c8c3f0201333 ("MIPS: Octeon: Support additional interfaces on CN68XX") +Signed-off-by: Aaro Koskinen +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20949/ +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Cc: linux-kernel@vger.kernel.org +Cc: stable@vger.kernel.org # v4.3+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/cavium-octeon/executive/cvmx-helper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/cavium-octeon/executive/cvmx-helper.c ++++ b/arch/mips/cavium-octeon/executive/cvmx-helper.c +@@ -67,7 +67,7 @@ void (*cvmx_override_pko_queue_priority) + void (*cvmx_override_ipd_port_setup) (int ipd_port); + + /* Port count per interface */ +-static int interface_port_count[5]; ++static int interface_port_count[9]; + + /** + * Return the number of interfaces the chip has. Each interface diff --git a/queue-4.18/net-bcmgenet-fix-of-child-node-lookup.patch b/queue-4.18/net-bcmgenet-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..77fb60f8e69 --- /dev/null +++ b/queue-4.18/net-bcmgenet-fix-of-child-node-lookup.patch @@ -0,0 +1,41 @@ +From d397dbe606120a1ea1b11b0020c3f7a3852da5ac Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:50 +0200 +Subject: net: bcmgenet: fix OF child-node lookup + +From: Johan Hovold + +commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac upstream. + +Use the new of_get_compatible_child() helper to lookup the mdio child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the node of the device being probed). + +Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") +Cc: stable # 3.15 +Cc: David S. Miller +Reviewed-by: Florian Fainelli +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/genet/bcmmii.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/genet/bcmmii.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmmii.c +@@ -342,7 +342,7 @@ static struct device_node *bcmgenet_mii_ + if (!compat) + return NULL; + +- priv->mdio_dn = of_find_compatible_node(dn, NULL, compat); ++ priv->mdio_dn = of_get_compatible_child(dn, compat); + kfree(compat); + if (!priv->mdio_dn) { + dev_err(kdev, "unable to find MDIO bus node\n"); diff --git a/queue-4.18/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch b/queue-4.18/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch new file mode 100644 index 00000000000..63b412735cd --- /dev/null +++ b/queue-4.18/nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch @@ -0,0 +1,46 @@ +From 5bf59773aaf36dd62117dc83d50e1bbf9ef432da Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:52 +0200 +Subject: NFC: nfcmrvl_uart: fix OF child-node lookup + +From: Johan Hovold + +commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da upstream. + +Use the new of_get_compatible_child() helper to lookup the nfc child +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(i.e. non-child) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the parent node). + +Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver") +Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC") +Cc: stable # 4.2 +Cc: Vincent Cuissard +Cc: Samuel Ortiz +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/nfcmrvl/uart.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/nfc/nfcmrvl/uart.c ++++ b/drivers/nfc/nfcmrvl/uart.c +@@ -73,10 +73,9 @@ static int nfcmrvl_uart_parse_dt(struct + struct device_node *matched_node; + int ret; + +- matched_node = of_find_compatible_node(node, NULL, "marvell,nfc-uart"); ++ matched_node = of_get_compatible_child(node, "marvell,nfc-uart"); + if (!matched_node) { +- matched_node = of_find_compatible_node(node, NULL, +- "mrvl,nfc-uart"); ++ matched_node = of_get_compatible_child(node, "mrvl,nfc-uart"); + if (!matched_node) + return -ENODEV; + } diff --git a/queue-4.18/nfs-fix-a-missed-page-unlock-after-pg_doio.patch b/queue-4.18/nfs-fix-a-missed-page-unlock-after-pg_doio.patch new file mode 100644 index 00000000000..e5481881264 --- /dev/null +++ b/queue-4.18/nfs-fix-a-missed-page-unlock-after-pg_doio.patch @@ -0,0 +1,85 @@ +From fdbd1a2e4a71adcb1ae219fcfd964930d77a7f84 Mon Sep 17 00:00:00 2001 +From: Benjamin Coddington +Date: Thu, 18 Oct 2018 15:01:48 -0400 +Subject: nfs: Fix a missed page unlock after pg_doio() + +From: Benjamin Coddington + +commit fdbd1a2e4a71adcb1ae219fcfd964930d77a7f84 upstream. + +We must check pg_error and call error_cleanup after any call to pg_doio. +Currently, we are skipping the unlock of a page if we encounter an error in +nfs_pageio_complete() before handing off the work to the RPC layer. + +Signed-off-by: Benjamin Coddington +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/pagelist.c | 40 +++++++++++++++++++++------------------- + 1 file changed, 21 insertions(+), 19 deletions(-) + +--- a/fs/nfs/pagelist.c ++++ b/fs/nfs/pagelist.c +@@ -1110,6 +1110,20 @@ static int nfs_pageio_add_request_mirror + return ret; + } + ++static void nfs_pageio_error_cleanup(struct nfs_pageio_descriptor *desc) ++{ ++ u32 midx; ++ struct nfs_pgio_mirror *mirror; ++ ++ if (!desc->pg_error) ++ return; ++ ++ for (midx = 0; midx < desc->pg_mirror_count; midx++) { ++ mirror = &desc->pg_mirrors[midx]; ++ desc->pg_completion_ops->error_cleanup(&mirror->pg_list); ++ } ++} ++ + int nfs_pageio_add_request(struct nfs_pageio_descriptor *desc, + struct nfs_page *req) + { +@@ -1160,25 +1174,11 @@ int nfs_pageio_add_request(struct nfs_pa + return 1; + + out_failed: +- /* +- * We might have failed before sending any reqs over wire. +- * Clean up rest of the reqs in mirror pg_list. +- */ +- if (desc->pg_error) { +- struct nfs_pgio_mirror *mirror; +- void (*func)(struct list_head *); +- +- /* remember fatal errors */ +- if (nfs_error_is_fatal(desc->pg_error)) +- nfs_context_set_write_error(req->wb_context, +- desc->pg_error); +- +- func = desc->pg_completion_ops->error_cleanup; +- for (midx = 0; midx < desc->pg_mirror_count; midx++) { +- mirror = &desc->pg_mirrors[midx]; +- func(&mirror->pg_list); +- } +- } ++ /* remember fatal errors */ ++ if (nfs_error_is_fatal(desc->pg_error)) ++ nfs_context_set_write_error(req->wb_context, ++ desc->pg_error); ++ nfs_pageio_error_cleanup(desc); + return 0; + } + +@@ -1250,6 +1250,8 @@ void nfs_pageio_complete(struct nfs_page + for (midx = 0; midx < desc->pg_mirror_count; midx++) + nfs_pageio_complete_mirror(desc, midx); + ++ if (desc->pg_error < 0) ++ nfs_pageio_error_cleanup(desc); + if (desc->pg_ops->pg_cleanup) + desc->pg_ops->pg_cleanup(desc); + nfs_pageio_cleanup_mirroring(desc); diff --git a/queue-4.18/nfsd-correctly-decrement-odstate-refcount-in-error-path.patch b/queue-4.18/nfsd-correctly-decrement-odstate-refcount-in-error-path.patch new file mode 100644 index 00000000000..ef9d5134521 --- /dev/null +++ b/queue-4.18/nfsd-correctly-decrement-odstate-refcount-in-error-path.patch @@ -0,0 +1,43 @@ +From bd8d725078867cda250fe94b9c5a067b4a64ca74 Mon Sep 17 00:00:00 2001 +From: Andrew Elble +Date: Fri, 5 Oct 2018 09:32:08 -0400 +Subject: nfsd: correctly decrement odstate refcount in error path + +From: Andrew Elble + +commit bd8d725078867cda250fe94b9c5a067b4a64ca74 upstream. + +alloc_init_deleg() both allocates an nfs4_delegation, and +bumps the refcount on odstate. So after this point, we need to +put_clnt_odstate() and nfs4_put_stid() to not leave the odstate +refcount inappropriately bumped. + +Signed-off-by: Andrew Elble +Reviewed-by: Jeff Layton +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -4361,7 +4361,7 @@ nfs4_set_delegation(struct nfs4_client * + + fl = nfs4_alloc_init_lease(dp, NFS4_OPEN_DELEGATE_READ); + if (!fl) +- goto out_stid; ++ goto out_clnt_odstate; + + status = vfs_setlease(fp->fi_deleg_file, fl->fl_type, &fl, NULL); + if (fl) +@@ -4386,7 +4386,6 @@ out_unlock: + vfs_setlease(fp->fi_deleg_file, F_UNLCK, NULL, (void **)&dp); + out_clnt_odstate: + put_clnt_odstate(dp->dl_clnt_odstate); +-out_stid: + nfs4_put_stid(&dp->dl_stid); + out_delegees: + put_deleg_file(fp); diff --git a/queue-4.18/nfsd-fix-an-oops-in-free_session.patch b/queue-4.18/nfsd-fix-an-oops-in-free_session.patch new file mode 100644 index 00000000000..6e513825e76 --- /dev/null +++ b/queue-4.18/nfsd-fix-an-oops-in-free_session.patch @@ -0,0 +1,33 @@ +From bb6ad5572c0022e17e846b382d7413cdcf8055be Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 9 Oct 2018 15:54:15 -0400 +Subject: nfsd: Fix an Oops in free_session() + +From: Trond Myklebust + +commit bb6ad5572c0022e17e846b382d7413cdcf8055be upstream. + +In call_xpt_users(), we delete the entry from the list, but we +do not reinitialise it. This triggers the list poisoning when +we later call unregister_xpt_user() in nfsd4_del_conns(). + +Signed-off-by: Trond Myklebust +Cc: stable@vger.kernel.org +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/svc_xprt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -989,7 +989,7 @@ static void call_xpt_users(struct svc_xp + spin_lock(&xprt->xpt_lock); + while (!list_empty(&xprt->xpt_users)) { + u = list_first_entry(&xprt->xpt_users, struct svc_xpt_user, list); +- list_del(&u->list); ++ list_del_init(&u->list); + u->callback(u); + } + spin_unlock(&xprt->xpt_lock); diff --git a/queue-4.18/nfsv4.1-fix-the-r-wsize-checking.patch b/queue-4.18/nfsv4.1-fix-the-r-wsize-checking.patch new file mode 100644 index 00000000000..c4381c1ff4a --- /dev/null +++ b/queue-4.18/nfsv4.1-fix-the-r-wsize-checking.patch @@ -0,0 +1,76 @@ +From 943cff67b842839f4f35364ba2db5c2d3f025d94 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 18 Sep 2018 10:07:44 -0400 +Subject: NFSv4.1: Fix the r/wsize checking + +From: Trond Myklebust + +commit 943cff67b842839f4f35364ba2db5c2d3f025d94 upstream. + +The intention of nfs4_session_set_rwsize() was to cap the r/wsize to the +buffer sizes negotiated by the CREATE_SESSION. The initial code had a +bug whereby we would not check the values negotiated by nfs_probe_fsinfo() +(the assumption being that CREATE_SESSION will always negotiate buffer values +that are sane w.r.t. the server's preferred r/wsizes) but would only check +values set by the user in the 'mount' command. + +The code was changed in 4.11 to _always_ set the r/wsize, meaning that we +now never use the server preferred r/wsizes. This is the regression that +this patch fixes. +Also rename the function to nfs4_session_limit_rwsize() in order to avoid +future confusion. + +Fixes: 033853325fe3 (NFSv4.1 respect server's max size in CREATE_SESSION") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4client.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/fs/nfs/nfs4client.c ++++ b/fs/nfs/nfs4client.c +@@ -935,10 +935,10 @@ EXPORT_SYMBOL_GPL(nfs4_set_ds_client); + + /* + * Session has been established, and the client marked ready. +- * Set the mount rsize and wsize with negotiated fore channel +- * attributes which will be bound checked in nfs_server_set_fsinfo. ++ * Limit the mount rsize, wsize and dtsize using negotiated fore ++ * channel attributes. + */ +-static void nfs4_session_set_rwsize(struct nfs_server *server) ++static void nfs4_session_limit_rwsize(struct nfs_server *server) + { + #ifdef CONFIG_NFS_V4_1 + struct nfs4_session *sess; +@@ -951,9 +951,11 @@ static void nfs4_session_set_rwsize(stru + server_resp_sz = sess->fc_attrs.max_resp_sz - nfs41_maxread_overhead; + server_rqst_sz = sess->fc_attrs.max_rqst_sz - nfs41_maxwrite_overhead; + +- if (!server->rsize || server->rsize > server_resp_sz) ++ if (server->dtsize > server_resp_sz) ++ server->dtsize = server_resp_sz; ++ if (server->rsize > server_resp_sz) + server->rsize = server_resp_sz; +- if (!server->wsize || server->wsize > server_rqst_sz) ++ if (server->wsize > server_rqst_sz) + server->wsize = server_rqst_sz; + #endif /* CONFIG_NFS_V4_1 */ + } +@@ -1000,12 +1002,12 @@ static int nfs4_server_common_setup(stru + (unsigned long long) server->fsid.minor); + nfs_display_fhandle(mntfh, "Pseudo-fs root FH"); + +- nfs4_session_set_rwsize(server); +- + error = nfs_probe_fsinfo(server, mntfh, fattr); + if (error < 0) + goto out; + ++ nfs4_session_limit_rwsize(server); ++ + if (server->namelen == 0 || server->namelen > NFS4_MAXNAMLEN) + server->namelen = NFS4_MAXNAMLEN; + diff --git a/queue-4.18/ocxl-fix-access-to-the-afu-descriptor-data.patch b/queue-4.18/ocxl-fix-access-to-the-afu-descriptor-data.patch new file mode 100644 index 00000000000..cb19f486fa6 --- /dev/null +++ b/queue-4.18/ocxl-fix-access-to-the-afu-descriptor-data.patch @@ -0,0 +1,50 @@ +From 6f8e45f7eb1bee5efdbe4a9cfe4a45627403c5fb Mon Sep 17 00:00:00 2001 +From: Christophe Lombard +Date: Tue, 14 Aug 2018 14:45:15 +0200 +Subject: ocxl: Fix access to the AFU Descriptor Data + +From: Christophe Lombard + +commit 6f8e45f7eb1bee5efdbe4a9cfe4a45627403c5fb upstream. + +The AFU Information DVSEC capability is a means to extract common, +general information about all of the AFUs associated with a Function +independent of the specific functionality that each AFU provides. +Write in the AFU Index field allows to access to the descriptor data +for each AFU. + +With the current code, we are not able to access to these specific data +when the index >= 1 because we are writing to the wrong location. +All requests to the data of each AFU are pointing to those of the AFU 0, +which could have impacts when using a card with more than one AFU per +function. + +This patch fixes the access to the AFU Descriptor Data indexed by the +AFU Info Index field. + +Fixes: 5ef3166e8a32 ("ocxl: Driver code for 'generic' opencapi devices") +Cc: stable # 4.16 +Signed-off-by: Christophe Lombard +Signed-off-by: Greg Kroah-Hartman + +Acked-by: Frederic Barrat +Acked-by: Andrew Donnellan +Signed-off-by: Michael Ellerman + +--- + drivers/misc/ocxl/config.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/misc/ocxl/config.c ++++ b/drivers/misc/ocxl/config.c +@@ -280,7 +280,9 @@ int ocxl_config_check_afu_index(struct p + u32 val; + int rc, templ_major, templ_minor, len; + +- pci_write_config_word(dev, fn->dvsec_afu_info_pos, afu_idx); ++ pci_write_config_byte(dev, ++ fn->dvsec_afu_info_pos + OCXL_DVSEC_AFU_INFO_AFU_IDX, ++ afu_idx); + rc = read_afu_info(dev, fn, OCXL_DVSEC_TEMPL_VERSION, &val); + if (rc) + return rc; diff --git a/queue-4.18/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch b/queue-4.18/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch new file mode 100644 index 00000000000..5fe8febc700 --- /dev/null +++ b/queue-4.18/power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch @@ -0,0 +1,52 @@ +From 9844fb2e351311210e6660a9a1c62d17424a6145 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 27 Aug 2018 10:21:53 +0200 +Subject: power: supply: twl4030-charger: fix OF sibling-node lookup + +From: Johan Hovold + +commit 9844fb2e351311210e6660a9a1c62d17424a6145 upstream. + +Use the new of_get_compatible_child() helper to lookup the usb sibling +node instead of using of_find_compatible_node(), which searches the +entire tree from a given start node and thus can return an unrelated +(non-sibling) node. + +This also addresses a potential use-after-free (e.g. after probe +deferral) as the tree-wide helper drops a reference to its first +argument (i.e. the parent device node). + +While at it, also fix the related phy-node reference leak. + +Fixes: f5e4edb8c888 ("power: twl4030_charger: find associated phy by more reliable means.") +Cc: stable # 4.2 +Cc: NeilBrown +Cc: Felipe Balbi +Cc: Sebastian Reichel +Reviewed-by: Sebastian Reichel +Signed-off-by: Johan Hovold +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/supply/twl4030_charger.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/twl4030_charger.c ++++ b/drivers/power/supply/twl4030_charger.c +@@ -996,12 +996,13 @@ static int twl4030_bci_probe(struct plat + if (bci->dev->of_node) { + struct device_node *phynode; + +- phynode = of_find_compatible_node(bci->dev->of_node->parent, +- NULL, "ti,twl4030-usb"); ++ phynode = of_get_compatible_child(bci->dev->of_node->parent, ++ "ti,twl4030-usb"); + if (phynode) { + bci->usb_nb.notifier_call = twl4030_bci_usb_ncb; + bci->transceiver = devm_usb_get_phy_by_node( + bci->dev, phynode, &bci->usb_nb); ++ of_node_put(phynode); + if (IS_ERR(bci->transceiver)) { + ret = PTR_ERR(bci->transceiver); + if (ret == -EPROBE_DEFER) diff --git a/queue-4.18/powerpc-64s-hash-do-not-use-ppc_invalidate_erat-on-cpus-before-power9.patch b/queue-4.18/powerpc-64s-hash-do-not-use-ppc_invalidate_erat-on-cpus-before-power9.patch new file mode 100644 index 00000000000..22c784608d8 --- /dev/null +++ b/queue-4.18/powerpc-64s-hash-do-not-use-ppc_invalidate_erat-on-cpus-before-power9.patch @@ -0,0 +1,66 @@ +From bc276ecba132caccb1fda5863a652c15def2b8c6 Mon Sep 17 00:00:00 2001 +From: Nicholas Piggin +Date: Mon, 27 Aug 2018 13:03:01 +1000 +Subject: powerpc/64s/hash: Do not use PPC_INVALIDATE_ERAT on CPUs before POWER9 + +From: Nicholas Piggin + +commit bc276ecba132caccb1fda5863a652c15def2b8c6 upstream. + +PPC_INVALIDATE_ERAT is slbia IH=7 which is a new variant introduced +with POWER9, and the result is undefined on earlier CPUs. + +Commits 7b9f71f974 ("powerpc/64s: POWER9 machine check handler") and +d4748276ae ("powerpc/64s: Improve local TLB flush for boot and MCE on +POWER9") caused POWER7/8 code to use this instruction. Remove it. An +ERAT flush can be made by invalidatig the SLB, but before POWER9 that +requires a flush and rebolt. + +Fixes: 7b9f71f974 ("powerpc/64s: POWER9 machine check handler") +Fixes: d4748276ae ("powerpc/64s: Improve local TLB flush for boot and MCE on POWER9") +Cc: stable@vger.kernel.org # v4.11+ +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/mce_power.c | 7 +++++++ + arch/powerpc/mm/hash_native_64.c | 4 ++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kernel/mce_power.c ++++ b/arch/powerpc/kernel/mce_power.c +@@ -97,6 +97,13 @@ static void flush_and_reload_slb(void) + + static void flush_erat(void) + { ++#ifdef CONFIG_PPC_BOOK3S_64 ++ if (!early_cpu_has_feature(CPU_FTR_ARCH_300)) { ++ flush_and_reload_slb(); ++ return; ++ } ++#endif ++ /* PPC_INVALIDATE_ERAT can only be used on ISA v3 and newer */ + asm volatile(PPC_INVALIDATE_ERAT : : :"memory"); + } + +--- a/arch/powerpc/mm/hash_native_64.c ++++ b/arch/powerpc/mm/hash_native_64.c +@@ -115,6 +115,8 @@ static void tlbiel_all_isa300(unsigned i + tlbiel_hash_set_isa300(0, is, 0, 2, 1); + + asm volatile("ptesync": : :"memory"); ++ ++ asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory"); + } + + void hash__tlbiel_all(unsigned int action) +@@ -140,8 +142,6 @@ void hash__tlbiel_all(unsigned int actio + tlbiel_all_isa206(POWER7_TLB_SETS, is); + else + WARN(1, "%s called on pre-POWER7 CPU\n", __func__); +- +- asm volatile(PPC_INVALIDATE_ERAT "; isync" : : :"memory"); + } + + static inline unsigned long ___tlbie(unsigned long vpn, int psize, diff --git a/queue-4.18/powerpc-msi-fix-compile-error-on-mpc83xx.patch b/queue-4.18/powerpc-msi-fix-compile-error-on-mpc83xx.patch new file mode 100644 index 00000000000..1308d783ee5 --- /dev/null +++ b/queue-4.18/powerpc-msi-fix-compile-error-on-mpc83xx.patch @@ -0,0 +1,45 @@ +From 0f99153def98134403c9149128e59d3e1786cf04 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 19 Oct 2018 06:12:50 +0000 +Subject: powerpc/msi: Fix compile error on mpc83xx + +From: Christophe Leroy + +commit 0f99153def98134403c9149128e59d3e1786cf04 upstream. + +mpic_get_primary_version() is not defined when not using MPIC. +The compile error log like: + +arch/powerpc/sysdev/built-in.o: In function `fsl_of_msi_probe': +fsl_msi.c:(.text+0x150c): undefined reference to `fsl_mpic_primary_get_version' + +Signed-off-by: Jia Hongtao +Signed-off-by: Scott Wood +Reported-by: Radu Rendec +Fixes: 807d38b73b6 ("powerpc/mpic: Add get_version API both for internal and external use") +Cc: stable@vger.kernel.org +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/mpic.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/powerpc/include/asm/mpic.h ++++ b/arch/powerpc/include/asm/mpic.h +@@ -393,7 +393,14 @@ extern struct bus_type mpic_subsys; + #define MPIC_REGSET_TSI108 MPIC_REGSET(1) /* Tsi108/109 PIC */ + + /* Get the version of primary MPIC */ ++#ifdef CONFIG_MPIC + extern u32 fsl_mpic_primary_get_version(void); ++#else ++static inline u32 fsl_mpic_primary_get_version(void) ++{ ++ return 0; ++} ++#endif + + /* Allocate the controller structure and setup the linux irq descs + * for the range if interrupts passed in. No HW initialization is diff --git a/queue-4.18/powerpc-tm-fix-hfscr-bit-for-no-suspend-case.patch b/queue-4.18/powerpc-tm-fix-hfscr-bit-for-no-suspend-case.patch new file mode 100644 index 00000000000..4dd08fdd7b9 --- /dev/null +++ b/queue-4.18/powerpc-tm-fix-hfscr-bit-for-no-suspend-case.patch @@ -0,0 +1,56 @@ +From dd9a8c5a87395b6f05552c3b44e42fdc95760552 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Tue, 11 Sep 2018 13:07:56 +1000 +Subject: powerpc/tm: Fix HFSCR bit for no suspend case + +From: Michael Neuling + +commit dd9a8c5a87395b6f05552c3b44e42fdc95760552 upstream. + +Currently on P9N DD2.1 we end up taking infinite TM facility +unavailable exceptions on the first TM usage by userspace. + +In the special case of TM no suspend (P9N DD2.1), Linux is told TM is +off via CPU dt-ftrs but told to (partially) use it via +OPAL_REINIT_CPUS_TM_SUSPEND_DISABLED. So HFSCR[TM] will be off from +dt-ftrs but we need to turn it on for the no suspend case. + +This patch fixes this by enabling HFSCR TM in this case. + +Cc: stable@vger.kernel.org # 4.15+ +Signed-off-by: Michael Neuling +Signed-off-by: Paul Mackerras +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/setup_64.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/kernel/setup_64.c ++++ b/arch/powerpc/kernel/setup_64.c +@@ -242,13 +242,19 @@ static void cpu_ready_for_interrupts(voi + } + + /* +- * Fixup HFSCR:TM based on CPU features. The bit is set by our +- * early asm init because at that point we haven't updated our +- * CPU features from firmware and device-tree. Here we have, +- * so let's do it. ++ * Set HFSCR:TM based on CPU features: ++ * In the special case of TM no suspend (P9N DD2.1), Linux is ++ * told TM is off via the dt-ftrs but told to (partially) use ++ * it via OPAL_REINIT_CPUS_TM_SUSPEND_DISABLED. So HFSCR[TM] ++ * will be off from dt-ftrs but we need to turn it on for the ++ * no suspend case. + */ +- if (cpu_has_feature(CPU_FTR_HVMODE) && !cpu_has_feature(CPU_FTR_TM_COMP)) +- mtspr(SPRN_HFSCR, mfspr(SPRN_HFSCR) & ~HFSCR_TM); ++ if (cpu_has_feature(CPU_FTR_HVMODE)) { ++ if (cpu_has_feature(CPU_FTR_TM_COMP)) ++ mtspr(SPRN_HFSCR, mfspr(SPRN_HFSCR) | HFSCR_TM); ++ else ++ mtspr(SPRN_HFSCR, mfspr(SPRN_HFSCR) & ~HFSCR_TM); ++ } + + /* Set IR and DR in PACA MSR */ + get_paca()->kernel_msr = MSR_KERNEL; diff --git a/queue-4.18/rtc-cmos-fix-non-acpi-undefined-reference-to-hpet_rtc_interrupt.patch b/queue-4.18/rtc-cmos-fix-non-acpi-undefined-reference-to-hpet_rtc_interrupt.patch new file mode 100644 index 00000000000..0ac5663d2e3 --- /dev/null +++ b/queue-4.18/rtc-cmos-fix-non-acpi-undefined-reference-to-hpet_rtc_interrupt.patch @@ -0,0 +1,57 @@ +From d197a253855d2d8e507a003880aab35c4e2473db Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 2 Oct 2018 02:08:49 +0100 +Subject: rtc: cmos: Fix non-ACPI undefined reference to `hpet_rtc_interrupt' + +From: Maciej W. Rozycki + +commit d197a253855d2d8e507a003880aab35c4e2473db upstream. + +Fix a commit 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm +instead of HPET") `rtc-cmos' regression causing a link error: + +drivers/rtc/rtc-cmos.o: In function `cmos_platform_probe': +rtc-cmos.c:(.init.text+0x33c): undefined reference to `hpet_rtc_interrupt' +rtc-cmos.c:(.init.text+0x3f4): undefined reference to `hpet_rtc_interrupt' + +with non-ACPI platforms using this driver. The cause is the change of +the condition guarding the use of `hpet_rtc_interrupt'. + +Previously it was a call to `is_hpet_enabled'. That function is static +inline and has a hardcoded 0 result for non-ACPI platforms, which imply +!HPET_EMULATE_RTC. Consequently the compiler optimized the whole block +away including the reference to `hpet_rtc_interrupt', which never made +it to the link stage. + +Now the guarding condition is a call to `use_hpet_alarm', which is not +static inline and therefore the compiler may not be able to prove that +it actually always returns 0 for non-ACPI platforms. Consequently the +build breaks with an unsatisfied reference, because `hpet_rtc_interrupt' +is nowhere defined at link time. + +Fix the problem by marking `use_hpet_alarm' inline. As the `inline' +keyword serves as an optimization hint rather than a requirement the +compiler is still free to choose whether inlining will be beneficial or +not for ACPI platforms. + +Signed-off-by: Maciej W. Rozycki +Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET") +Cc: stable@vger.kernel.org # 4.18+ +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-cmos.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -167,7 +167,7 @@ static inline int hpet_unregister_irq_ha + #endif + + /* Don't use HPET for RTC Alarm event if ACPI Fixed event is used */ +-static int use_hpet_alarm(void) ++static inline int use_hpet_alarm(void) + { + return is_hpet_enabled() && !use_acpi_alarm; + } diff --git a/queue-4.18/rtc-cmos-remove-the-use_acpi_alarm-module-parameter-for-acpi.patch b/queue-4.18/rtc-cmos-remove-the-use_acpi_alarm-module-parameter-for-acpi.patch new file mode 100644 index 00000000000..4f9202453d7 --- /dev/null +++ b/queue-4.18/rtc-cmos-remove-the-use_acpi_alarm-module-parameter-for-acpi.patch @@ -0,0 +1,118 @@ +From bc51098cdd9573bfdecfd02fc8ed474419d73ea0 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Tue, 2 Oct 2018 02:09:05 +0100 +Subject: rtc: cmos: Remove the `use_acpi_alarm' module parameter for !ACPI + +From: Maciej W. Rozycki + +commit bc51098cdd9573bfdecfd02fc8ed474419d73ea0 upstream. + +Fix a problem with commit 311ee9c151ad ("rtc: cmos: allow using ACPI for +RTC alarm instead of HPET") defining `use_acpi_alarm' module parameter +even for non-ACPI platforms, which ignore it. Wrap the definition into +#ifdef CONFIG_ACPI and use a static inline wrapper function, hardcoded +to return 0 and consequently optimized away for !ACPI, following the +existing pattern with HPET handling functions. + +Signed-off-by: Maciej W. Rozycki +Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET") +Cc: stable@vger.kernel.org # 4.18+ +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-cmos.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -50,6 +50,7 @@ + /* this is for "generic access to PC-style RTC" using CMOS_READ/CMOS_WRITE */ + #include + ++#ifdef CONFIG_ACPI + /* + * Use ACPI SCI to replace HPET interrupt for RTC Alarm event + * +@@ -61,6 +62,18 @@ + static bool use_acpi_alarm; + module_param(use_acpi_alarm, bool, 0444); + ++static inline int cmos_use_acpi_alarm(void) ++{ ++ return use_acpi_alarm; ++} ++#else /* !CONFIG_ACPI */ ++ ++static inline int cmos_use_acpi_alarm(void) ++{ ++ return 0; ++} ++#endif ++ + struct cmos_rtc { + struct rtc_device *rtc; + struct device *dev; +@@ -169,7 +182,7 @@ static inline int hpet_unregister_irq_ha + /* Don't use HPET for RTC Alarm event if ACPI Fixed event is used */ + static inline int use_hpet_alarm(void) + { +- return is_hpet_enabled() && !use_acpi_alarm; ++ return is_hpet_enabled() && !cmos_use_acpi_alarm(); + } + + /*----------------------------------------------------------------*/ +@@ -340,7 +353,7 @@ static void cmos_irq_enable(struct cmos_ + if (use_hpet_alarm()) + hpet_set_rtc_irq_bit(mask); + +- if ((mask & RTC_AIE) && use_acpi_alarm) { ++ if ((mask & RTC_AIE) && cmos_use_acpi_alarm()) { + if (cmos->wake_on) + cmos->wake_on(cmos->dev); + } +@@ -358,7 +371,7 @@ static void cmos_irq_disable(struct cmos + if (use_hpet_alarm()) + hpet_mask_rtc_irq_bit(mask); + +- if ((mask & RTC_AIE) && use_acpi_alarm) { ++ if ((mask & RTC_AIE) && cmos_use_acpi_alarm()) { + if (cmos->wake_off) + cmos->wake_off(cmos->dev); + } +@@ -980,7 +993,7 @@ static int cmos_suspend(struct device *d + } + spin_unlock_irq(&rtc_lock); + +- if ((tmp & RTC_AIE) && !use_acpi_alarm) { ++ if ((tmp & RTC_AIE) && !cmos_use_acpi_alarm()) { + cmos->enabled_wake = 1; + if (cmos->wake_on) + cmos->wake_on(dev); +@@ -1031,7 +1044,7 @@ static void cmos_check_wkalrm(struct dev + * ACPI RTC wake event is cleared after resume from STR, + * ACK the rtc irq here + */ +- if (t_now >= cmos->alarm_expires && use_acpi_alarm) { ++ if (t_now >= cmos->alarm_expires && cmos_use_acpi_alarm()) { + cmos_interrupt(0, (void *)cmos->rtc); + return; + } +@@ -1053,7 +1066,7 @@ static int __maybe_unused cmos_resume(st + struct cmos_rtc *cmos = dev_get_drvdata(dev); + unsigned char tmp; + +- if (cmos->enabled_wake && !use_acpi_alarm) { ++ if (cmos->enabled_wake && !cmos_use_acpi_alarm()) { + if (cmos->wake_off) + cmos->wake_off(dev); + else +@@ -1132,7 +1145,7 @@ static u32 rtc_handler(void *context) + * Or else, ACPI SCI is enabled during suspend/resume only, + * update rtc irq in that case. + */ +- if (use_acpi_alarm) ++ if (cmos_use_acpi_alarm()) + cmos_interrupt(0, (void *)cmos->rtc); + else { + /* Fix me: can we use cmos_interrupt() here as well? */ diff --git a/queue-4.18/rtc-ds1307-fix-ds1339-wakealarm-support.patch b/queue-4.18/rtc-ds1307-fix-ds1339-wakealarm-support.patch new file mode 100644 index 00000000000..805ad569652 --- /dev/null +++ b/queue-4.18/rtc-ds1307-fix-ds1339-wakealarm-support.patch @@ -0,0 +1,33 @@ +From 7dceef78f310f5351735060d78a1777c69606016 Mon Sep 17 00:00:00 2001 +From: Soeren Moch +Date: Mon, 22 Oct 2018 14:38:12 +0200 +Subject: rtc: ds1307: fix ds1339 wakealarm support + +From: Soeren Moch + +commit 7dceef78f310f5351735060d78a1777c69606016 upstream. + +Commit 51ed73eb998a1c79a2b0e9bed68f75a8a2c93b9b ("rtc: ds1340: Add support +for trickle charger.") breaks ds1339 wakealarm support by limiting +accessible registers. Fix this. + +Fixes: 51ed73eb998a ("rtc: ds1340: Add support for trickle charger.") +Cc: stable@vger.kernel.org +Signed-off-by: Soeren Moch +Signed-off-by: Alexandre Belloni +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-ds1307.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -1372,7 +1372,6 @@ static void ds1307_clks_register(struct + static const struct regmap_config regmap_config = { + .reg_bits = 8, + .val_bits = 8, +- .max_register = 0x9, + }; + + static int ds1307_probe(struct i2c_client *client, diff --git a/queue-4.18/series b/queue-4.18/series index 02372ce8cef..cbb605a57a9 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -260,3 +260,28 @@ smb3-do-not-attempt-cifs-operation-in-smb3-query-info-error-path.patch smb3-on-kerberos-mount-if-server-doesn-t-specify-auth-type-use-krb5.patch printk-fix-panic-caused-by-passing-log_buf_len-to-command-line.patch genirq-fix-race-on-spurious-interrupt-detection.patch +nfc-nfcmrvl_uart-fix-of-child-node-lookup.patch +nfsv4.1-fix-the-r-wsize-checking.patch +nfs-fix-a-missed-page-unlock-after-pg_doio.patch +nfsd-correctly-decrement-odstate-refcount-in-error-path.patch +nfsd-fix-an-oops-in-free_session.patch +lockd-fix-access-beyond-unterminated-strings-in-prints.patch +dm-ioctl-harden-copy_params-s-copy_from_user-from-malicious-users.patch +dm-zoned-fix-metadata-block-ref-counting.patch +dm-zoned-fix-various-dmz_get_mblock-issues.patch +media-ov7670-make-xclk-clock-optional.patch +fsnotify-fix-busy-inodes-during-unmount.patch +powerpc-msi-fix-compile-error-on-mpc83xx.patch +powerpc-tm-fix-hfscr-bit-for-no-suspend-case.patch +powerpc-64s-hash-do-not-use-ppc_invalidate_erat-on-cpus-before-power9.patch +mips-memset-fix-cpu_daddi_workarounds-small_fixup-regression.patch +mips-octeon-fix-out-of-bounds-array-access-on-cn68xx.patch +rtc-ds1307-fix-ds1339-wakealarm-support.patch +rtc-cmos-fix-non-acpi-undefined-reference-to-hpet_rtc_interrupt.patch +rtc-cmos-remove-the-use_acpi_alarm-module-parameter-for-acpi.patch +power-supply-twl4030-charger-fix-of-sibling-node-lookup.patch +ocxl-fix-access-to-the-afu-descriptor-data.patch +iommu-arm-smmu-ensure-that-page-table-updates-are-visible-before-tlbi.patch +tc-set-dma-masks-for-devices.patch +net-bcmgenet-fix-of-child-node-lookup.patch +media-v4l2-tpg-fix-kernel-oops-when-enabling-hflip-and-osd.patch diff --git a/queue-4.18/tc-set-dma-masks-for-devices.patch b/queue-4.18/tc-set-dma-masks-for-devices.patch new file mode 100644 index 00000000000..a327dfd07ed --- /dev/null +++ b/queue-4.18/tc-set-dma-masks-for-devices.patch @@ -0,0 +1,107 @@ +From 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Wed, 3 Oct 2018 13:21:07 +0100 +Subject: TC: Set DMA masks for devices + +From: Maciej W. Rozycki + +commit 3f2aa244ee1a0d17ed5b6c86564d2c1b24d1c96b upstream. + +Fix a TURBOchannel support regression with commit 205e1b7f51e4 +("dma-mapping: warn when there is no coherent_dma_mask") that caused +coherent DMA allocations to produce a warning such as: + +defxx: v1.11 2014/07/01 Lawrence V. Stefani and others +tc1: DEFTA at MMIO addr = 0x1e900000, IRQ = 20, Hardware addr = 08-00-2b-a3-a3-29 +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 dfx_dev_register+0x670/0x678 +Modules linked in: +CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.0-rc6 #2 +Stack : ffffffff8009ffc0 fffffffffffffec0 0000000000000000 ffffffff80647650 + 0000000000000000 0000000000000000 ffffffff806f5f80 ffffffffffffffff + 0000000000000000 0000000000000000 0000000000000001 ffffffff8065d4e8 + 98000000031b6300 ffffffff80563478 ffffffff805685b0 ffffffffffffffff + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + 0000000000000000 0000000000000009 ffffffff8053efd0 ffffffff806657d0 + 0000000000000000 ffffffff803177f8 0000000000000000 ffffffff806d0000 + 9800000003078000 980000000307b9e0 000000001e900000 ffffffff80067940 + 0000000000000000 ffffffff805d6720 0000000000000204 ffffffff80388df8 + ffffffff805176c0 ffffffff8004dc78 0000000000000000 ffffffff80067940 + ... +Call Trace: +[] show_stack+0xa0/0x130 +[] __warn+0x128/0x170 +---[ end trace b1d1e094f67f3bb2 ]--- + +This is because the TURBOchannel bus driver fails to set the coherent +DMA mask for devices enumerated. + +Set the regular and coherent DMA masks for TURBOchannel devices then, +observing that the bus protocol supports a 34-bit (16GiB) DMA address +space, by interpreting the value presented in the address cycle across +the 32 `ad' lines as a 32-bit word rather than byte address[1]. The +architectural size of the TURBOchannel DMA address space exceeds the +maximum amount of RAM any actual TURBOchannel system in existence may +have, hence both masks are the same. + +This removes the warning shown above. + +References: + +[1] "TURBOchannel Hardware Specification", EK-369AA-OD-007B, Digital + Equipment Corporation, January 1993, Section "DMA", pp. 1-15 -- 1-17 + +Signed-off-by: Maciej W. Rozycki +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/20835/ +Fixes: 205e1b7f51e4 ("dma-mapping: warn when there is no coherent_dma_mask") +Cc: stable@vger.kernel.org # 4.16+ +Cc: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tc/tc.c | 8 +++++++- + include/linux/tc.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/tc/tc.c ++++ b/drivers/tc/tc.c +@@ -2,7 +2,7 @@ + * TURBOchannel bus services. + * + * Copyright (c) Harald Koerfgen, 1998 +- * Copyright (c) 2001, 2003, 2005, 2006 Maciej W. Rozycki ++ * Copyright (c) 2001, 2003, 2005, 2006, 2018 Maciej W. Rozycki + * Copyright (c) 2005 James Simmons + * + * This file is subject to the terms and conditions of the GNU +@@ -10,6 +10,7 @@ + * directory of this archive for more details. + */ + #include ++#include + #include + #include + #include +@@ -92,6 +93,11 @@ static void __init tc_bus_add_devices(st + tdev->dev.bus = &tc_bus_type; + tdev->slot = slot; + ++ /* TURBOchannel has 34-bit DMA addressing (16GiB space). */ ++ tdev->dma_mask = DMA_BIT_MASK(34); ++ tdev->dev.dma_mask = &tdev->dma_mask; ++ tdev->dev.coherent_dma_mask = DMA_BIT_MASK(34); ++ + for (i = 0; i < 8; i++) { + tdev->firmware[i] = + readb(module + offset + TC_FIRM_VER + 4 * i); +--- a/include/linux/tc.h ++++ b/include/linux/tc.h +@@ -84,6 +84,7 @@ struct tc_dev { + device. */ + struct device dev; /* Generic device interface. */ + struct resource resource; /* Address space of this device. */ ++ u64 dma_mask; /* DMA addressable range. */ + char vendor[9]; + char name[9]; + char firmware[9];