From: Sasha Levin Date: Tue, 26 Nov 2019 02:27:55 +0000 (-0500) Subject: fixes for 4.9 X-Git-Tag: v4.4.204~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3d68d7c829dd338f9affb8bf9c8a2b3f5c394c13;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acpica-use-d-for-signed-int-print-formatting-instead.patch b/queue-4.9/acpica-use-d-for-signed-int-print-formatting-instead.patch new file mode 100644 index 00000000000..f76709ee545 --- /dev/null +++ b/queue-4.9/acpica-use-d-for-signed-int-print-formatting-instead.patch @@ -0,0 +1,36 @@ +From e2ca3163b40c1741c8e6334708e31c0066a15f20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Nov 2018 09:43:52 -0800 +Subject: ACPICA: Use %d for signed int print formatting instead of %u + +From: Colin Ian King + +[ Upstream commit f8ddf49b420112e28bdd23d7ad52d7991a0ccbe3 ] + +Fix warnings found using static analysis with cppcheck, use %d printf +format specifier for signed ints rather than %u + +Signed-off-by: Colin Ian King +Signed-off-by: Erik Schmauss +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + tools/power/acpi/tools/acpidump/apmain.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/power/acpi/tools/acpidump/apmain.c b/tools/power/acpi/tools/acpidump/apmain.c +index 7ff46be908f0b..d426fec3b1d34 100644 +--- a/tools/power/acpi/tools/acpidump/apmain.c ++++ b/tools/power/acpi/tools/acpidump/apmain.c +@@ -139,7 +139,7 @@ static int ap_insert_action(char *argument, u32 to_be_done) + + current_action++; + if (current_action > AP_MAX_ACTIONS) { +- fprintf(stderr, "Too many table options (max %u)\n", ++ fprintf(stderr, "Too many table options (max %d)\n", + AP_MAX_ACTIONS); + return (-1); + } +-- +2.20.1 + diff --git a/queue-4.9/alsa-i2c-cs8427-fix-int-to-char-conversion.patch b/queue-4.9/alsa-i2c-cs8427-fix-int-to-char-conversion.patch new file mode 100644 index 00000000000..dc642b9639c --- /dev/null +++ b/queue-4.9/alsa-i2c-cs8427-fix-int-to-char-conversion.patch @@ -0,0 +1,45 @@ +From 7652edc6b434fc65c872e08ec3e815f3ee24648b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Oct 2018 12:33:02 +0200 +Subject: ALSA: i2c/cs8427: Fix int to char conversion + +From: Philipp Klocke + +[ Upstream commit eb7ebfa3c1989aa8e59d5e68ab3cddd7df1bfb27 ] + +Compiling with clang yields the following warning: + +sound/i2c/cs8427.c:140:31: warning: implicit conversion from 'int' +to 'char' changes value from 160 to -96 [-Wconstant-conversion] + data[0] = CS8427_REG_AUTOINC | CS8427_REG_CORU_DATABUF; + ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~ + +Because CS8427_REG_AUTOINC is defined as 128, it is too big for a +char field. +So change data from char to unsigned char, that it can hold the value. + +This patch does not change the generated code. + +Signed-off-by: Philipp Klocke +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/i2c/cs8427.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/i2c/cs8427.c b/sound/i2c/cs8427.c +index 7e21621e492a4..7fd1b40008838 100644 +--- a/sound/i2c/cs8427.c ++++ b/sound/i2c/cs8427.c +@@ -118,7 +118,7 @@ static int snd_cs8427_send_corudata(struct snd_i2c_device *device, + struct cs8427 *chip = device->private_data; + char *hw_data = udata ? + chip->playback.hw_udata : chip->playback.hw_status; +- char data[32]; ++ unsigned char data[32]; + int err, idx; + + if (!memcmp(hw_data, ndata, count)) +-- +2.20.1 + diff --git a/queue-4.9/alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch b/queue-4.9/alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch new file mode 100644 index 00000000000..02c90189fc5 --- /dev/null +++ b/queue-4.9/alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch @@ -0,0 +1,54 @@ +From 6c6ca20437cfdecdf8ed794ea85bda81cb9f7156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Oct 2018 14:25:22 +0900 +Subject: ALSA: isight: fix leak of reference to firewire unit in error path of + .probe callback + +From: Takashi Sakamoto + +[ Upstream commit 51e68fb0929c29e47e9074ca3e99ffd6021a1c5a ] + +In some error paths, reference count of firewire unit is not decreased. +This commit fixes the bug. + +Fixes: 5b14ec25a79b('ALSA: firewire: release reference count of firewire unit in .remove callback of bus driver') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/firewire/isight.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/firewire/isight.c b/sound/firewire/isight.c +index 48d6dca471c6b..6c8daf5b391ff 100644 +--- a/sound/firewire/isight.c ++++ b/sound/firewire/isight.c +@@ -639,7 +639,7 @@ static int isight_probe(struct fw_unit *unit, + if (!isight->audio_base) { + dev_err(&unit->device, "audio unit base not found\n"); + err = -ENXIO; +- goto err_unit; ++ goto error; + } + fw_iso_resources_init(&isight->resources, unit); + +@@ -668,12 +668,12 @@ static int isight_probe(struct fw_unit *unit, + dev_set_drvdata(&unit->device, isight); + + return 0; +- +-err_unit: +- fw_unit_put(isight->unit); +- mutex_destroy(&isight->mutex); + error: + snd_card_free(card); ++ ++ mutex_destroy(&isight->mutex); ++ fw_unit_put(isight->unit); ++ + return err; + } + +-- +2.20.1 + diff --git a/queue-4.9/amiflop-clean-up-on-errors-during-setup.patch b/queue-4.9/amiflop-clean-up-on-errors-during-setup.patch new file mode 100644 index 00000000000..03e4e43d1be --- /dev/null +++ b/queue-4.9/amiflop-clean-up-on-errors-during-setup.patch @@ -0,0 +1,150 @@ +From ff0f6a9fc017fa2172069bc4154c5cf4b0a5b8c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 12:20:46 -0700 +Subject: amiflop: clean up on errors during setup + +From: Omar Sandoval + +[ Upstream commit 53d0f8dbde89cf6c862c7a62e00c6123e02cba41 ] + +The error handling in fd_probe_drives() doesn't clean up at all. Fix it +up in preparation for converting to blk-mq. While we're here, get rid of +the commented out amiga_floppy_remove(). + +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/amiflop.c | 84 ++++++++++++++++++++--------------------- + 1 file changed, 40 insertions(+), 44 deletions(-) + +diff --git a/drivers/block/amiflop.c b/drivers/block/amiflop.c +index 5fd50a2841682..db4354fb2a0d3 100644 +--- a/drivers/block/amiflop.c ++++ b/drivers/block/amiflop.c +@@ -1699,11 +1699,41 @@ static const struct block_device_operations floppy_fops = { + .check_events = amiga_check_events, + }; + ++static struct gendisk *fd_alloc_disk(int drive) ++{ ++ struct gendisk *disk; ++ ++ disk = alloc_disk(1); ++ if (!disk) ++ goto out; ++ ++ disk->queue = blk_init_queue(do_fd_request, &amiflop_lock); ++ if (IS_ERR(disk->queue)) { ++ disk->queue = NULL; ++ goto out_put_disk; ++ } ++ ++ unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL); ++ if (!unit[drive].trackbuf) ++ goto out_cleanup_queue; ++ ++ return disk; ++ ++out_cleanup_queue: ++ blk_cleanup_queue(disk->queue); ++ disk->queue = NULL; ++out_put_disk: ++ put_disk(disk); ++out: ++ unit[drive].type->code = FD_NODRIVE; ++ return NULL; ++} ++ + static int __init fd_probe_drives(void) + { + int drive,drives,nomem; + +- printk(KERN_INFO "FD: probing units\nfound "); ++ pr_info("FD: probing units\nfound"); + drives=0; + nomem=0; + for(drive=0;drivecode == FD_NODRIVE) + continue; +- disk = alloc_disk(1); ++ ++ disk = fd_alloc_disk(drive); + if (!disk) { +- unit[drive].type->code = FD_NODRIVE; ++ pr_cont(" no mem for fd%d", drive); ++ nomem = 1; + continue; + } + unit[drive].gendisk = disk; +- +- disk->queue = blk_init_queue(do_fd_request, &amiflop_lock); +- if (!disk->queue) { +- unit[drive].type->code = FD_NODRIVE; +- continue; +- } +- + drives++; +- if ((unit[drive].trackbuf = kmalloc(FLOPPY_MAX_SECTORS * 512, GFP_KERNEL)) == NULL) { +- printk("no mem for "); +- unit[drive].type = &drive_types[num_dr_types - 1]; /* FD_NODRIVE */ +- drives--; +- nomem = 1; +- } +- printk("fd%d ",drive); ++ ++ pr_cont(" fd%d",drive); + disk->major = FLOPPY_MAJOR; + disk->first_minor = drive; + disk->fops = &floppy_fops; +@@ -1742,11 +1762,11 @@ static int __init fd_probe_drives(void) + } + if ((drives > 0) || (nomem == 0)) { + if (drives == 0) +- printk("no drives"); +- printk("\n"); ++ pr_cont(" no drives"); ++ pr_cont("\n"); + return drives; + } +- printk("\n"); ++ pr_cont("\n"); + return -ENOMEM; + } + +@@ -1837,30 +1857,6 @@ static int __init amiga_floppy_probe(struct platform_device *pdev) + return ret; + } + +-#if 0 /* not safe to unload */ +-static int __exit amiga_floppy_remove(struct platform_device *pdev) +-{ +- int i; +- +- for( i = 0; i < FD_MAX_UNITS; i++) { +- if (unit[i].type->code != FD_NODRIVE) { +- struct request_queue *q = unit[i].gendisk->queue; +- del_gendisk(unit[i].gendisk); +- put_disk(unit[i].gendisk); +- kfree(unit[i].trackbuf); +- if (q) +- blk_cleanup_queue(q); +- } +- } +- blk_unregister_region(MKDEV(FLOPPY_MAJOR, 0), 256); +- free_irq(IRQ_AMIGA_CIAA_TB, NULL); +- free_irq(IRQ_AMIGA_DSKBLK, NULL); +- custom.dmacon = DMAF_DISK; /* disable DMA */ +- amiga_chip_free(raw_buf); +- unregister_blkdev(FLOPPY_MAJOR, "fd"); +-} +-#endif +- + static struct platform_driver amiga_floppy_driver = { + .driver = { + .name = "amiga-floppy", +-- +2.20.1 + diff --git a/queue-4.9/arm64-makefile-fix-build-of-.i-file-in-external-modu.patch b/queue-4.9/arm64-makefile-fix-build-of-.i-file-in-external-modu.patch new file mode 100644 index 00000000000..4a9afa17bb1 --- /dev/null +++ b/queue-4.9/arm64-makefile-fix-build-of-.i-file-in-external-modu.patch @@ -0,0 +1,57 @@ +From 2b5a38d40b0e56016add6d77a2aa0d0986df852d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 16:37:10 -0700 +Subject: arm64: makefile fix build of .i file in external module case + +From: Victor Kamensky + +[ Upstream commit 98356eb0ae499c63e78073ccedd9a5fc5c563288 ] + +After 'a66649dab350 arm64: fix vdso-offsets.h dependency' if +one will try to build .i file in case of external kernel module, +build fails complaining that prepare0 target is missing. This +issue came up with SystemTap when it tries to build variety +of .i files for its own generated kernel modules trying to +figure given kernel features/capabilities. + +The issue is that prepare0 is defined in top level Makefile +only if KBUILD_EXTMOD is not defined. .i file rule depends +on prepare and in case KBUILD_EXTMOD defined top level Makefile +contains empty rule for prepare. But after mentioned commit +arch/arm64/Makefile would introduce dependency on prepare0 +through its own prepare target. + +Fix it to put proper ifdef KBUILD_EXTMOD around code introduced +by mentioned commit. It matches what top level Makefile does. + +Acked-by: Kevin Brodsky +Signed-off-by: Victor Kamensky +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + arch/arm64/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm64/Makefile b/arch/arm64/Makefile +index ee94597773fab..8d469aa5fc987 100644 +--- a/arch/arm64/Makefile ++++ b/arch/arm64/Makefile +@@ -134,6 +134,7 @@ archclean: + $(Q)$(MAKE) $(clean)=$(boot) + $(Q)$(MAKE) $(clean)=$(boot)/dts + ++ifeq ($(KBUILD_EXTMOD),) + # We need to generate vdso-offsets.h before compiling certain files in kernel/. + # In order to do that, we should use the archprepare target, but we can't since + # asm-offsets.h is included in some files used to generate vdso-offsets.h, and +@@ -143,6 +144,7 @@ archclean: + prepare: vdso_prepare + vdso_prepare: prepare0 + $(Q)$(MAKE) $(build)=arch/arm64/kernel/vdso include/generated/vdso-offsets.h ++endif + + define archhelp + echo '* Image.gz - Compressed kernel image (arch/$(ARCH)/boot/Image.gz)' +-- +2.20.1 + diff --git a/queue-4.9/asoc-tegra_sgtl5000-fix-device_node-refcounting.patch b/queue-4.9/asoc-tegra_sgtl5000-fix-device_node-refcounting.patch new file mode 100644 index 00000000000..20e09cc169b --- /dev/null +++ b/queue-4.9/asoc-tegra_sgtl5000-fix-device_node-refcounting.patch @@ -0,0 +1,74 @@ +From 29f6aebeb619e9fad5cef118f8732c2bf10b5c02 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 12:47:29 +0200 +Subject: ASoC: tegra_sgtl5000: fix device_node refcounting + +From: Marcel Ziswiler + +[ Upstream commit a85227da2dcc291b762c8482a505bc7d0d2d4b07 ] + +Similar to the following: + +commit 4321723648b0 ("ASoC: tegra_alc5632: fix device_node refcounting") + +commit 7c5dfd549617 ("ASoC: tegra: fix device_node refcounting") + +Signed-off-by: Marcel Ziswiler +Acked-by: Jon Hunter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/tegra/tegra_sgtl5000.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/tegra/tegra_sgtl5000.c b/sound/soc/tegra/tegra_sgtl5000.c +index 1e76869dd4880..863e04809a6b8 100644 +--- a/sound/soc/tegra/tegra_sgtl5000.c ++++ b/sound/soc/tegra/tegra_sgtl5000.c +@@ -152,14 +152,14 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev) + dev_err(&pdev->dev, + "Property 'nvidia,i2s-controller' missing/invalid\n"); + ret = -EINVAL; +- goto err; ++ goto err_put_codec_of_node; + } + + tegra_sgtl5000_dai.platform_of_node = tegra_sgtl5000_dai.cpu_of_node; + + ret = tegra_asoc_utils_init(&machine->util_data, &pdev->dev); + if (ret) +- goto err; ++ goto err_put_cpu_of_node; + + ret = snd_soc_register_card(card); + if (ret) { +@@ -172,6 +172,13 @@ static int tegra_sgtl5000_driver_probe(struct platform_device *pdev) + + err_fini_utils: + tegra_asoc_utils_fini(&machine->util_data); ++err_put_cpu_of_node: ++ of_node_put(tegra_sgtl5000_dai.cpu_of_node); ++ tegra_sgtl5000_dai.cpu_of_node = NULL; ++ tegra_sgtl5000_dai.platform_of_node = NULL; ++err_put_codec_of_node: ++ of_node_put(tegra_sgtl5000_dai.codec_of_node); ++ tegra_sgtl5000_dai.codec_of_node = NULL; + err: + return ret; + } +@@ -186,6 +193,12 @@ static int tegra_sgtl5000_driver_remove(struct platform_device *pdev) + + tegra_asoc_utils_fini(&machine->util_data); + ++ of_node_put(tegra_sgtl5000_dai.cpu_of_node); ++ tegra_sgtl5000_dai.cpu_of_node = NULL; ++ tegra_sgtl5000_dai.platform_of_node = NULL; ++ of_node_put(tegra_sgtl5000_dai.codec_of_node); ++ tegra_sgtl5000_dai.codec_of_node = NULL; ++ + return ret; + } + +-- +2.20.1 + diff --git a/queue-4.9/ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch b/queue-4.9/ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch new file mode 100644 index 00000000000..eeda7f15d0d --- /dev/null +++ b/queue-4.9/ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch @@ -0,0 +1,114 @@ +From e390a4630b75a30915c6e97895f09861b6d141a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 15:55:26 +0800 +Subject: ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem + +From: Carl Huang + +[ Upstream commit 0738b4998c6d1caf9ca2447b946709a7278c70f1 ] + +ath10k_pci_diag_write_mem may allocate big size of the dma memory +based on the parameter nbytes. Take firmware diag download as +example, the biggest size is about 500K. In some systems, the +allocation is likely to fail because it can't acquire such a large +contiguous dma memory. + +The fix is to allocate a small size dma memory. In the loop, +driver copies the data to the allocated dma memory and writes to +the destination until all the data is written. + +Tested with QCA6174 PCI with +firmware-6.bin_WLAN.RM.4.4.1-00119-QCARMSWP-1, this also affects +QCA9377 PCI. + +Signed-off-by: Carl Huang +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 23 +++++++++++------------ + 1 file changed, 11 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index b7bac14d1487b..d84a362a084ac 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -1039,10 +1039,9 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + struct ath10k_pci *ar_pci = ath10k_pci_priv(ar); + int ret = 0; + u32 *buf; +- unsigned int completed_nbytes, orig_nbytes, remaining_bytes; ++ unsigned int completed_nbytes, alloc_nbytes, remaining_bytes; + struct ath10k_ce_pipe *ce_diag; + void *data_buf = NULL; +- u32 ce_data; /* Host buffer address in CE space */ + dma_addr_t ce_data_base = 0; + int i; + +@@ -1056,9 +1055,10 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + * 1) 4-byte alignment + * 2) Buffer in DMA-able space + */ +- orig_nbytes = nbytes; ++ alloc_nbytes = min_t(unsigned int, nbytes, DIAG_TRANSFER_LIMIT); ++ + data_buf = (unsigned char *)dma_alloc_coherent(ar->dev, +- orig_nbytes, ++ alloc_nbytes, + &ce_data_base, + GFP_ATOMIC); + if (!data_buf) { +@@ -1066,9 +1066,6 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + goto done; + } + +- /* Copy caller's data to allocated DMA buf */ +- memcpy(data_buf, data, orig_nbytes); +- + /* + * The address supplied by the caller is in the + * Target CPU virtual address space. +@@ -1081,12 +1078,14 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + */ + address = ath10k_pci_targ_cpu_to_ce_addr(ar, address); + +- remaining_bytes = orig_nbytes; +- ce_data = ce_data_base; ++ remaining_bytes = nbytes; + while (remaining_bytes) { + /* FIXME: check cast */ + nbytes = min_t(int, remaining_bytes, DIAG_TRANSFER_LIMIT); + ++ /* Copy caller's data to allocated DMA buf */ ++ memcpy(data_buf, data, nbytes); ++ + /* Set up to receive directly into Target(!) address */ + ret = __ath10k_ce_rx_post_buf(ce_diag, &address, address); + if (ret != 0) +@@ -1096,7 +1095,7 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + * Request CE to send caller-supplied data that + * was copied to bounce buffer to Target(!) address. + */ +- ret = ath10k_ce_send_nolock(ce_diag, NULL, (u32)ce_data, ++ ret = ath10k_ce_send_nolock(ce_diag, NULL, ce_data_base, + nbytes, 0, 0); + if (ret != 0) + goto done; +@@ -1137,12 +1136,12 @@ int ath10k_pci_diag_write_mem(struct ath10k *ar, u32 address, + + remaining_bytes -= nbytes; + address += nbytes; +- ce_data += nbytes; ++ data += nbytes; + } + + done: + if (data_buf) { +- dma_free_coherent(ar->dev, orig_nbytes, data_buf, ++ dma_free_coherent(ar->dev, alloc_nbytes, data_buf, + ce_data_base); + } + +-- +2.20.1 + diff --git a/queue-4.9/atm-zatm-fix-empty-body-clang-warnings.patch b/queue-4.9/atm-zatm-fix-empty-body-clang-warnings.patch new file mode 100644 index 00000000000..91be5414fe7 --- /dev/null +++ b/queue-4.9/atm-zatm-fix-empty-body-clang-warnings.patch @@ -0,0 +1,175 @@ +From 7946aa41fe9b76f805b7071cd3c38a5ea65dae47 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Oct 2018 11:04:19 -0700 +Subject: atm: zatm: Fix empty body Clang warnings + +From: Nathan Chancellor + +[ Upstream commit 64b9d16e2d02ca6e5dc8fcd30cfd52b0ecaaa8f4 ] + +Clang warns: + +drivers/atm/zatm.c:513:7: error: while loop has empty body +[-Werror,-Wempty-body] + zwait; + ^ +drivers/atm/zatm.c:513:7: note: put the semicolon on a separate line to +silence this warning + +Get rid of this warning by using an empty do-while loop. While we're at +it, add parentheses to make it clear that this is a function-like macro. + +Link: https://github.com/ClangBuiltLinux/linux/issues/42 +Suggested-by: Masahiro Yamada +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/zatm.c | 42 +++++++++++++++++++++--------------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c +index a0b88f1489905..e23e2672a1d6b 100644 +--- a/drivers/atm/zatm.c ++++ b/drivers/atm/zatm.c +@@ -126,7 +126,7 @@ static unsigned long dummy[2] = {0,0}; + #define zin_n(r) inl(zatm_dev->base+r*4) + #define zin(r) inl(zatm_dev->base+uPD98401_##r*4) + #define zout(v,r) outl(v,zatm_dev->base+uPD98401_##r*4) +-#define zwait while (zin(CMR) & uPD98401_BUSY) ++#define zwait() do {} while (zin(CMR) & uPD98401_BUSY) + + /* RX0, RX1, TX0, TX1 */ + static const int mbx_entries[NR_MBX] = { 1024,1024,1024,1024 }; +@@ -140,7 +140,7 @@ static const int mbx_esize[NR_MBX] = { 16,16,4,4 }; /* entry size in bytes */ + + static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr) + { +- zwait; ++ zwait(); + zout(value,CER); + zout(uPD98401_IND_ACC | uPD98401_IA_BALL | + (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR); +@@ -149,10 +149,10 @@ static void zpokel(struct zatm_dev *zatm_dev,u32 value,u32 addr) + + static u32 zpeekl(struct zatm_dev *zatm_dev,u32 addr) + { +- zwait; ++ zwait(); + zout(uPD98401_IND_ACC | uPD98401_IA_BALL | uPD98401_IA_RW | + (uPD98401_IA_TGT_CM << uPD98401_IA_TGT_SHIFT) | addr,CMR); +- zwait; ++ zwait(); + return zin(CER); + } + +@@ -241,7 +241,7 @@ static void refill_pool(struct atm_dev *dev,int pool) + } + if (first) { + spin_lock_irqsave(&zatm_dev->lock, flags); +- zwait; ++ zwait(); + zout(virt_to_bus(first),CER); + zout(uPD98401_ADD_BAT | (pool << uPD98401_POOL_SHIFT) | count, + CMR); +@@ -508,9 +508,9 @@ static int open_rx_first(struct atm_vcc *vcc) + } + if (zatm_vcc->pool < 0) return -EMSGSIZE; + spin_lock_irqsave(&zatm_dev->lock, flags); +- zwait; ++ zwait(); + zout(uPD98401_OPEN_CHAN,CMR); +- zwait; ++ zwait(); + DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER)); + chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT; + spin_unlock_irqrestore(&zatm_dev->lock, flags); +@@ -571,21 +571,21 @@ static void close_rx(struct atm_vcc *vcc) + pos = vcc->vci >> 1; + shift = (1-(vcc->vci & 1)) << 4; + zpokel(zatm_dev,zpeekl(zatm_dev,pos) & ~(0xffff << shift),pos); +- zwait; ++ zwait(); + zout(uPD98401_NOP,CMR); +- zwait; ++ zwait(); + zout(uPD98401_NOP,CMR); + spin_unlock_irqrestore(&zatm_dev->lock, flags); + } + spin_lock_irqsave(&zatm_dev->lock, flags); +- zwait; ++ zwait(); + zout(uPD98401_DEACT_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan << + uPD98401_CHAN_ADDR_SHIFT),CMR); +- zwait; ++ zwait(); + udelay(10); /* why oh why ... ? */ + zout(uPD98401_CLOSE_CHAN | uPD98401_CHAN_RT | (zatm_vcc->rx_chan << + uPD98401_CHAN_ADDR_SHIFT),CMR); +- zwait; ++ zwait(); + if (!(zin(CMR) & uPD98401_CHAN_ADDR)) + printk(KERN_CRIT DEV_LABEL "(itf %d): can't close RX channel " + "%d\n",vcc->dev->number,zatm_vcc->rx_chan); +@@ -699,7 +699,7 @@ printk("NONONONOO!!!!\n"); + skb_queue_tail(&zatm_vcc->tx_queue,skb); + DPRINTK("QRP=0x%08lx\n",zpeekl(zatm_dev,zatm_vcc->tx_chan*VC_SIZE/4+ + uPD98401_TXVC_QRP)); +- zwait; ++ zwait(); + zout(uPD98401_TX_READY | (zatm_vcc->tx_chan << + uPD98401_CHAN_ADDR_SHIFT),CMR); + spin_unlock_irqrestore(&zatm_dev->lock, flags); +@@ -891,12 +891,12 @@ static void close_tx(struct atm_vcc *vcc) + } + spin_lock_irqsave(&zatm_dev->lock, flags); + #if 0 +- zwait; ++ zwait(); + zout(uPD98401_DEACT_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR); + #endif +- zwait; ++ zwait(); + zout(uPD98401_CLOSE_CHAN | (chan << uPD98401_CHAN_ADDR_SHIFT),CMR); +- zwait; ++ zwait(); + if (!(zin(CMR) & uPD98401_CHAN_ADDR)) + printk(KERN_CRIT DEV_LABEL "(itf %d): can't close TX channel " + "%d\n",vcc->dev->number,chan); +@@ -926,9 +926,9 @@ static int open_tx_first(struct atm_vcc *vcc) + zatm_vcc->tx_chan = 0; + if (vcc->qos.txtp.traffic_class == ATM_NONE) return 0; + spin_lock_irqsave(&zatm_dev->lock, flags); +- zwait; ++ zwait(); + zout(uPD98401_OPEN_CHAN,CMR); +- zwait; ++ zwait(); + DPRINTK("0x%x 0x%x\n",zin(CMR),zin(CER)); + chan = (zin(CMR) & uPD98401_CHAN_ADDR) >> uPD98401_CHAN_ADDR_SHIFT; + spin_unlock_irqrestore(&zatm_dev->lock, flags); +@@ -1559,7 +1559,7 @@ static void zatm_phy_put(struct atm_dev *dev,unsigned char value, + struct zatm_dev *zatm_dev; + + zatm_dev = ZATM_DEV(dev); +- zwait; ++ zwait(); + zout(value,CER); + zout(uPD98401_IND_ACC | uPD98401_IA_B0 | + (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR); +@@ -1571,10 +1571,10 @@ static unsigned char zatm_phy_get(struct atm_dev *dev,unsigned long addr) + struct zatm_dev *zatm_dev; + + zatm_dev = ZATM_DEV(dev); +- zwait; ++ zwait(); + zout(uPD98401_IND_ACC | uPD98401_IA_B0 | uPD98401_IA_RW | + (uPD98401_IA_TGT_PHY << uPD98401_IA_TGT_SHIFT) | addr,CMR); +- zwait; ++ zwait(); + return zin(CER) & 0xff; + } + +-- +2.20.1 + diff --git a/queue-4.9/audit-print-empty-execve-args.patch b/queue-4.9/audit-print-empty-execve-args.patch new file mode 100644 index 00000000000..991c1d183c6 --- /dev/null +++ b/queue-4.9/audit-print-empty-execve-args.patch @@ -0,0 +1,49 @@ +From c8ef44a825d2f8d4e02d1d9f16082ff1defeaf15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Oct 2018 16:22:57 -0400 +Subject: audit: print empty EXECVE args + +From: Richard Guy Briggs + +[ Upstream commit ea956d8be91edc702a98b7fe1f9463e7ca8c42ab ] + +Empty executable arguments were being skipped when printing out the list +of arguments in an EXECVE record, making it appear they were somehow +lost. Include empty arguments as an itemized empty string. + +Reproducer: + autrace /bin/ls "" "/etc" + ausearch --start recent -m execve -i | grep EXECVE + type=EXECVE msg=audit(10/03/2018 13:04:03.208:1391) : argc=3 a0=/bin/ls a2=/etc + +With fix: + type=EXECVE msg=audit(10/03/2018 21:51:38.290:194) : argc=3 a0=/bin/ls a1= a2=/etc + type=EXECVE msg=audit(1538617898.290:194): argc=3 a0="/bin/ls" a1="" a2="/etc" + +Passes audit-testsuite. GH issue tracker at +https://github.com/linux-audit/audit-kernel/issues/99 + +Signed-off-by: Richard Guy Briggs +[PM: cleaned up the commit metadata] +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +--- + kernel/auditsc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/auditsc.c b/kernel/auditsc.c +index c2aaf539728fb..854e90be1a023 100644 +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1096,7 +1096,7 @@ static void audit_log_execve_info(struct audit_context *context, + } + + /* write as much as we can to the audit log */ +- if (len_buf > 0) { ++ if (len_buf >= 0) { + /* NOTE: some magic numbers here - basically if we + * can't fit a reasonable amount of data into the + * existing audit buffer, flush it and start with +-- +2.20.1 + diff --git a/queue-4.9/brcmsmac-ap-mode-update-beacon-when-tim-changes.patch b/queue-4.9/brcmsmac-ap-mode-update-beacon-when-tim-changes.patch new file mode 100644 index 00000000000..0ec305d4396 --- /dev/null +++ b/queue-4.9/brcmsmac-ap-mode-update-beacon-when-tim-changes.patch @@ -0,0 +1,99 @@ +From d07534613ef6da56263db1b36f624127c8f0731c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Oct 2018 19:21:39 +0300 +Subject: brcmsmac: AP mode: update beacon when TIM changes + +From: Ali MJ Al-Nasrawy + +[ Upstream commit 2258ee58baa554609a3cc3996276e4276f537b6d ] + +Beacons are not updated to reflect TIM changes. This is not compliant with +power-saving client stations as the beacons do not have valid TIM and can +cause the network to stall at random occasions and to have highly variable +latencies. +Fix it by updating beacon templates on mac80211 set_tim callback. + +Addresses an issue described in: +https://marc.info/?i=20180911163534.21312d08%20()%20manjaro + +Signed-off-by: Ali MJ Al-Nasrawy +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../broadcom/brcm80211/brcmsmac/mac80211_if.c | 26 +++++++++++++++++++ + .../broadcom/brcm80211/brcmsmac/main.h | 1 + + 2 files changed, 27 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +index 7c2a9a9bc372c..a620b2f6c7c4c 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +@@ -502,6 +502,7 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + } + + spin_lock_bh(&wl->lock); ++ wl->wlc->vif = vif; + wl->mute_tx = false; + brcms_c_mute(wl->wlc, false); + if (vif->type == NL80211_IFTYPE_STATION) +@@ -519,6 +520,11 @@ brcms_ops_add_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + static void + brcms_ops_remove_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif) + { ++ struct brcms_info *wl = hw->priv; ++ ++ spin_lock_bh(&wl->lock); ++ wl->wlc->vif = NULL; ++ spin_unlock_bh(&wl->lock); + } + + static int brcms_ops_config(struct ieee80211_hw *hw, u32 changed) +@@ -937,6 +943,25 @@ static void brcms_ops_set_tsf(struct ieee80211_hw *hw, + spin_unlock_bh(&wl->lock); + } + ++static int brcms_ops_beacon_set_tim(struct ieee80211_hw *hw, ++ struct ieee80211_sta *sta, bool set) ++{ ++ struct brcms_info *wl = hw->priv; ++ struct sk_buff *beacon = NULL; ++ u16 tim_offset = 0; ++ ++ spin_lock_bh(&wl->lock); ++ if (wl->wlc->vif) ++ beacon = ieee80211_beacon_get_tim(hw, wl->wlc->vif, ++ &tim_offset, NULL); ++ if (beacon) ++ brcms_c_set_new_beacon(wl->wlc, beacon, tim_offset, ++ wl->wlc->vif->bss_conf.dtim_period); ++ spin_unlock_bh(&wl->lock); ++ ++ return 0; ++} ++ + static const struct ieee80211_ops brcms_ops = { + .tx = brcms_ops_tx, + .start = brcms_ops_start, +@@ -955,6 +980,7 @@ static const struct ieee80211_ops brcms_ops = { + .flush = brcms_ops_flush, + .get_tsf = brcms_ops_get_tsf, + .set_tsf = brcms_ops_set_tsf, ++ .set_tim = brcms_ops_beacon_set_tim, + }; + + void brcms_dpc(unsigned long data) +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h +index c4d135cff04ad..9f76b880814e8 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/main.h +@@ -563,6 +563,7 @@ struct brcms_c_info { + + struct wiphy *wiphy; + struct scb pri_scb; ++ struct ieee80211_vif *vif; + + struct sk_buff *beacon; + u16 beacon_tim_offset; +-- +2.20.1 + diff --git a/queue-4.9/brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch b/queue-4.9/brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch new file mode 100644 index 00000000000..3866fba1394 --- /dev/null +++ b/queue-4.9/brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch @@ -0,0 +1,39 @@ +From a5c81924dc8ac3d95261c70cb2c67a39acd43bd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Oct 2018 19:12:35 +0300 +Subject: brcmsmac: never log "tid x is not agg'able" by default + +From: Ali MJ Al-Nasrawy + +[ Upstream commit 96fca788e5788b7ea3b0050eb35a343637e0a465 ] + +This message greatly spams the log under heavy Tx of frames with BK access +class which is especially true when operating as AP. It is also not informative +as the "agg'ablity" of TIDs are set once and never change. +Fix this by logging only in debug mode. + +Signed-off-by: Ali MJ Al-Nasrawy +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + .../net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +index a620b2f6c7c4c..b820e80d4b4c2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/mac80211_if.c +@@ -846,8 +846,8 @@ brcms_ops_ampdu_action(struct ieee80211_hw *hw, + status = brcms_c_aggregatable(wl->wlc, tid); + spin_unlock_bh(&wl->lock); + if (!status) { +- brcms_err(wl->wlc->hw->d11core, +- "START: tid %d is not agg\'able\n", tid); ++ brcms_dbg_ht(wl->wlc->hw->d11core, ++ "START: tid %d is not agg\'able\n", tid); + return -EINVAL; + } + ieee80211_start_tx_ba_cb_irqsafe(vif, sta->addr, tid); +-- +2.20.1 + diff --git a/queue-4.9/btrfs-handle-error-of-get_old_root.patch b/queue-4.9/btrfs-handle-error-of-get_old_root.patch new file mode 100644 index 00000000000..df2ac8c8e30 --- /dev/null +++ b/queue-4.9/btrfs-handle-error-of-get_old_root.patch @@ -0,0 +1,43 @@ +From df37243bc0d7ac6e907e233e76e74c04e33a8e95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Sep 2018 11:35:10 +0300 +Subject: btrfs: handle error of get_old_root + +From: Nikolay Borisov + +[ Upstream commit 315bed43fea532650933e7bba316a7601d439edf ] + +In btrfs_search_old_slot get_old_root is always used with the assumption +it cannot fail. However, this is not true in rare circumstance it can +fail and return null. This will lead to null point dereference when the +header is read. Fix this by checking the return value and properly +handling NULL by setting ret to -EIO and returning gracefully. + +Coverity-id: 1087503 +Signed-off-by: Nikolay Borisov +Reviewed-by: Lu Fengqi +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/ctree.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c +index 3df434eb14743..3faccbf35e9f4 100644 +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -2973,6 +2973,10 @@ int btrfs_search_old_slot(struct btrfs_root *root, struct btrfs_key *key, + + again: + b = get_old_root(root, time_seq); ++ if (!b) { ++ ret = -EIO; ++ goto done; ++ } + level = btrfs_header_level(b); + p->locks[level] = BTRFS_READ_LOCK; + +-- +2.20.1 + diff --git a/queue-4.9/ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch b/queue-4.9/ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch new file mode 100644 index 00000000000..fb21a7daee1 --- /dev/null +++ b/queue-4.9/ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch @@ -0,0 +1,32 @@ +From ef03fc3baae696318d18f457fa40cb7840b06743 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Sep 2018 09:10:29 +0800 +Subject: ceph: fix dentry leak in ceph_readdir_prepopulate + +From: Yan, Zheng + +[ Upstream commit c58f450bd61511d897efc2ea472c69630635b557 ] + +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +--- + fs/ceph/inode.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fs/ceph/inode.c b/fs/ceph/inode.c +index 7fcddaaca8a5d..049cff197d2a1 100644 +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1630,7 +1630,6 @@ int ceph_readdir_prepopulate(struct ceph_mds_request *req, + if (IS_ERR(realdn)) { + err = PTR_ERR(realdn); + d_drop(dn); +- dn = NULL; + goto next_item; + } + dn = realdn; +-- +2.20.1 + diff --git a/queue-4.9/clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch b/queue-4.9/clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch new file mode 100644 index 00000000000..0350c738155 --- /dev/null +++ b/queue-4.9/clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch @@ -0,0 +1,38 @@ +From cb6c9ef62f3dc548292f501b4b739c5af27d9b3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Sep 2018 14:01:44 +0200 +Subject: clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk + +From: Lubomir Rintel + +[ Upstream commit 4917fb90eec7c26dac1497ada3bd4a325f670fcc ] + +A typo that makes it impossible to get the correct clocks for +MMP2_CLK_SDH2 and MMP2_CLK_SDH3. + +Signed-off-by: Lubomir Rintel +Fixes: 1ec770d92a62 ("clk: mmp: add mmp2 DT support for clock driver") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mmp/clk-of-mmp2.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/mmp/clk-of-mmp2.c b/drivers/clk/mmp/clk-of-mmp2.c +index 9adaf48aea231..061a9f10218b3 100644 +--- a/drivers/clk/mmp/clk-of-mmp2.c ++++ b/drivers/clk/mmp/clk-of-mmp2.c +@@ -227,8 +227,8 @@ static struct mmp_param_gate_clk apmu_gate_clks[] = { + /* The gate clocks has mux parent. */ + {MMP2_CLK_SDH0, "sdh0_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH0, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, + {MMP2_CLK_SDH1, "sdh1_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH1, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, +- {MMP2_CLK_SDH1, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, +- {MMP2_CLK_SDH1, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, ++ {MMP2_CLK_SDH2, "sdh2_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH2, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, ++ {MMP2_CLK_SDH3, "sdh3_clk", "sdh_mix_clk", CLK_SET_RATE_PARENT, APMU_SDH3, 0x1b, 0x1b, 0x0, 0, &sdh_lock}, + {MMP2_CLK_DISP0, "disp0_clk", "disp0_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1b, 0x1b, 0x0, 0, &disp0_lock}, + {MMP2_CLK_DISP0_SPHY, "disp0_sphy_clk", "disp0_sphy_div", CLK_SET_RATE_PARENT, APMU_DISP0, 0x1024, 0x1024, 0x0, 0, &disp0_lock}, + {MMP2_CLK_DISP1, "disp1_clk", "disp1_div", CLK_SET_RATE_PARENT, APMU_DISP1, 0x1b, 0x1b, 0x0, 0, &disp1_lock}, +-- +2.20.1 + diff --git a/queue-4.9/dlm-don-t-leak-kernel-pointer-to-userspace.patch b/queue-4.9/dlm-don-t-leak-kernel-pointer-to-userspace.patch new file mode 100644 index 00000000000..852d5af9b2f --- /dev/null +++ b/queue-4.9/dlm-don-t-leak-kernel-pointer-to-userspace.patch @@ -0,0 +1,44 @@ +From 4a72f03dbc2ca6d8a85c6b54709b05dcd09df97f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Nov 2018 14:18:22 -0600 +Subject: dlm: don't leak kernel pointer to userspace + +From: Tycho Andersen + +[ Upstream commit 9de30f3f7f4d31037cfbb7c787e1089c1944b3a7 ] + +In copy_result_to_user(), we first create a struct dlm_lock_result, which +contains a struct dlm_lksb, the last member of which is a pointer to the +lvb. Unfortunately, we copy the entire struct dlm_lksb to the result +struct, which is then copied to userspace at the end of the function, +leaking the contents of sb_lvbptr, which is a valid kernel pointer in some +cases (indeed, later in the same function the data it points to is copied +to userspace). + +It is an error to leak kernel pointers to userspace, as it undermines KASLR +protections (see e.g. 65eea8edc31 ("floppy: Do not copy a kernel pointer to +user memory in FDGETPRM ioctl") for another example of this). + +Signed-off-by: Tycho Andersen +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/user.c b/fs/dlm/user.c +index 9ac65914ab5b0..57f2aacec97f5 100644 +--- a/fs/dlm/user.c ++++ b/fs/dlm/user.c +@@ -700,7 +700,7 @@ static int copy_result_to_user(struct dlm_user_args *ua, int compat, + result.version[0] = DLM_DEVICE_VERSION_MAJOR; + result.version[1] = DLM_DEVICE_VERSION_MINOR; + result.version[2] = DLM_DEVICE_VERSION_PATCH; +- memcpy(&result.lksb, &ua->lksb, sizeof(struct dlm_lksb)); ++ memcpy(&result.lksb, &ua->lksb, offsetof(struct dlm_lksb, sb_lvbptr)); + result.user_lksb = ua->user_lksb; + + /* FIXME: dlm1 provides for the user's bastparam/addr to not be updated +-- +2.20.1 + diff --git a/queue-4.9/dlm-fix-invalid-free.patch b/queue-4.9/dlm-fix-invalid-free.patch new file mode 100644 index 00000000000..c6d583316c3 --- /dev/null +++ b/queue-4.9/dlm-fix-invalid-free.patch @@ -0,0 +1,46 @@ +From 985604531597ab9837b804c06887dc3704a65892 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Nov 2018 14:18:20 -0600 +Subject: dlm: fix invalid free + +From: Tycho Andersen + +[ Upstream commit d968b4e240cfe39d39d80483bac8bca8716fd93c ] + +dlm_config_nodes() does not allocate nodes on failure, so we should not +free() nodes when it fails. + +Signed-off-by: Tycho Andersen +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/member.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/dlm/member.c b/fs/dlm/member.c +index 9c47f1c14a8ba..a47ae99f7bcbc 100644 +--- a/fs/dlm/member.c ++++ b/fs/dlm/member.c +@@ -683,7 +683,7 @@ int dlm_ls_start(struct dlm_ls *ls) + + error = dlm_config_nodes(ls->ls_name, &nodes, &count); + if (error < 0) +- goto fail; ++ goto fail_rv; + + spin_lock(&ls->ls_recover_lock); + +@@ -715,8 +715,9 @@ int dlm_ls_start(struct dlm_ls *ls) + return 0; + + fail: +- kfree(rv); + kfree(nodes); ++ fail_rv: ++ kfree(rv); + return error; + } + +-- +2.20.1 + diff --git a/queue-4.9/f2fs-fix-to-spread-clear_cold_data.patch b/queue-4.9/f2fs-fix-to-spread-clear_cold_data.patch new file mode 100644 index 00000000000..bb9ef5369e4 --- /dev/null +++ b/queue-4.9/f2fs-fix-to-spread-clear_cold_data.patch @@ -0,0 +1,94 @@ +From e57e5961a8ee5ef4a2e010df933474a8d0e920aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jul 2018 18:15:16 +0800 +Subject: f2fs: fix to spread clear_cold_data() + +From: Chao Yu + +[ Upstream commit 2baf07818549c8bb8d7b3437e889b86eab56d38e ] + +We need to drop PG_checked flag on page as well when we clear PG_uptodate +flag, in order to avoid treating the page as GCing one later. + +Signed-off-by: Weichao Guo +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/data.c | 8 +++++++- + fs/f2fs/dir.c | 1 + + fs/f2fs/segment.c | 4 +++- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c +index 9041805096e0c..0206c8c20784c 100644 +--- a/fs/f2fs/data.c ++++ b/fs/f2fs/data.c +@@ -1201,6 +1201,7 @@ int do_write_data_page(struct f2fs_io_info *fio) + /* This page is already truncated */ + if (fio->old_blkaddr == NULL_ADDR) { + ClearPageUptodate(page); ++ clear_cold_data(page); + goto out_writepage; + } + +@@ -1337,8 +1338,10 @@ static int f2fs_write_data_page(struct page *page, + clear_cold_data(page); + out: + inode_dec_dirty_pages(inode); +- if (err) ++ if (err) { + ClearPageUptodate(page); ++ clear_cold_data(page); ++ } + + if (wbc->for_reclaim) { + f2fs_submit_merged_bio_cond(sbi, NULL, page, 0, DATA, WRITE); +@@ -1821,6 +1824,8 @@ void f2fs_invalidate_page(struct page *page, unsigned int offset, + inode_dec_dirty_pages(inode); + } + ++ clear_cold_data(page); ++ + /* This is atomic written page, keep Private */ + if (IS_ATOMIC_WRITTEN_PAGE(page)) + return; +@@ -1839,6 +1844,7 @@ int f2fs_release_page(struct page *page, gfp_t wait) + if (IS_ATOMIC_WRITTEN_PAGE(page)) + return 0; + ++ clear_cold_data(page); + set_page_private(page, 0); + ClearPagePrivate(page); + return 1; +diff --git a/fs/f2fs/dir.c b/fs/f2fs/dir.c +index af719d93507e8..b414892be08b7 100644 +--- a/fs/f2fs/dir.c ++++ b/fs/f2fs/dir.c +@@ -772,6 +772,7 @@ void f2fs_delete_entry(struct f2fs_dir_entry *dentry, struct page *page, + clear_page_dirty_for_io(page); + ClearPagePrivate(page); + ClearPageUptodate(page); ++ clear_cold_data(page); + inode_dec_dirty_pages(dir); + } + f2fs_put_page(page, 1); +diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c +index 1d5a352138109..c4c84af1ec17a 100644 +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -227,8 +227,10 @@ static int __revoke_inmem_pages(struct inode *inode, + } + next: + /* we don't need to invalidate this in the sccessful status */ +- if (drop || recover) ++ if (drop || recover) { + ClearPageUptodate(page); ++ clear_cold_data(page); ++ } + set_page_private(page, 0); + ClearPagePrivate(page); + f2fs_put_page(page, 1); +-- +2.20.1 + diff --git a/queue-4.9/fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch b/queue-4.9/fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch new file mode 100644 index 00000000000..e2c6410dd9d --- /dev/null +++ b/queue-4.9/fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch @@ -0,0 +1,58 @@ +From a964c5c0201e8b2b32e171c15b39ef3eed020abc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:35 -0700 +Subject: fs/hfs/extent.c: fix array out of bounds read of array extent + +From: Colin Ian King + +[ Upstream commit 6c9a3f843a29d6894dfc40df338b91dbd78f0ae3 ] + +Currently extent and index i are both being incremented causing an array +out of bounds read on extent[i]. Fix this by removing the extraneous +increment of extent. + +Ernesto said: + +: This is only triggered when deleting a file with a resource fork. I +: may be wrong because the documentation isn't clear, but I don't think +: you can create those under linux. So I guess nobody was testing them. +: +: > A disk space leak, perhaps? +: +: That's what it looks like in general. hfs_free_extents() won't do +: anything if the block count doesn't add up, and the error will be +: ignored. Now, if the block count randomly does add up, we could see +: some corruption. + +Detected by CoverityScan, CID#711541 ("Out of bounds read") + +Link: http://lkml.kernel.org/r/20180831140538.31566-1-colin.king@canonical.com +Signed-off-by: Colin Ian King +Reviewed-by: Ernesto A. Fernndez +Cc: David Howells +Cc: Al Viro +Cc: Hin-Tak Leung +Cc: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/extent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c +index 16819d2a978b4..cbe4fca96378a 100644 +--- a/fs/hfs/extent.c ++++ b/fs/hfs/extent.c +@@ -304,7 +304,7 @@ int hfs_free_fork(struct super_block *sb, struct hfs_cat_file *file, int type) + return 0; + + blocks = 0; +- for (i = 0; i < 3; extent++, i++) ++ for (i = 0; i < 3; i++) + blocks += be16_to_cpu(extent[i].count); + + res = hfs_free_extents(sb, extent, blocks, blocks); +-- +2.20.1 + diff --git a/queue-4.9/fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch b/queue-4.9/fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch new file mode 100644 index 00000000000..595f7510762 --- /dev/null +++ b/queue-4.9/fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch @@ -0,0 +1,61 @@ +From 8d4342e6348471b9bb8f82b6d21b4ac894b8e880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Oct 2018 15:02:52 -0700 +Subject: fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in + dlm_print_one_mle() + +From: Jia-Ju Bai + +[ Upstream commit 999865764f5f128896402572b439269acb471022 ] + +The kernel module may sleep with holding a spinlock. + +The function call paths (from bottom to top) in Linux-4.16 are: + +[FUNC] get_zeroed_page(GFP_NOFS) +fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle +fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle +fs/ocfs2/dlm/dlmmaster.c, 255: __dlm_put_mle in dlm_put_mle +fs/ocfs2/dlm/dlmmaster.c, 254: spin_lock in dlm_put_ml + +[FUNC] get_zeroed_page(GFP_NOFS) +fs/ocfs2/dlm/dlmdebug.c, 332: get_zeroed_page in dlm_print_one_mle +fs/ocfs2/dlm/dlmmaster.c, 240: dlm_print_one_mle in __dlm_put_mle +fs/ocfs2/dlm/dlmmaster.c, 222: __dlm_put_mle in dlm_put_mle_inuse +fs/ocfs2/dlm/dlmmaster.c, 219: spin_lock in dlm_put_mle_inuse + +To fix this bug, GFP_NOFS is replaced with GFP_ATOMIC. + +This bug is found by my static analysis tool DSAC. + +Link: http://lkml.kernel.org/r/20180901112528.27025-1-baijiaju1990@gmail.com +Signed-off-by: Jia-Ju Bai +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/dlm/dlmdebug.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ocfs2/dlm/dlmdebug.c b/fs/ocfs2/dlm/dlmdebug.c +index e7b760deefaee..32d60f69db24c 100644 +--- a/fs/ocfs2/dlm/dlmdebug.c ++++ b/fs/ocfs2/dlm/dlmdebug.c +@@ -329,7 +329,7 @@ void dlm_print_one_mle(struct dlm_master_list_entry *mle) + { + char *buf; + +- buf = (char *) get_zeroed_page(GFP_NOFS); ++ buf = (char *) get_zeroed_page(GFP_ATOMIC); + if (buf) { + dump_mle(mle, buf, PAGE_SIZE - 1); + free_page((unsigned long)buf); +-- +2.20.1 + diff --git a/queue-4.9/gfs2-fix-marking-bitmaps-non-full.patch b/queue-4.9/gfs2-fix-marking-bitmaps-non-full.patch new file mode 100644 index 00000000000..d5f44c30935 --- /dev/null +++ b/queue-4.9/gfs2-fix-marking-bitmaps-non-full.patch @@ -0,0 +1,56 @@ +From 861ac6f2be4ad446b542c9f174a406a930f1b7bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Sep 2018 15:30:25 +0100 +Subject: gfs2: Fix marking bitmaps non-full + +From: Andreas Gruenbacher + +[ Upstream commit ec23df2b0cf3e1620f5db77972b7fb735f267eff ] + +Reservations in gfs can span multiple gfs2_bitmaps (but they won't span +multiple resource groups). When removing a reservation, we want to +clear the GBF_FULL flags of all involved gfs2_bitmaps, not just that of +the first bitmap. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Bob Peterson +Reviewed-by: Steven Whitehouse +Signed-off-by: Sasha Levin +--- + fs/gfs2/rgrp.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c +index f77a38755aea6..0a80f66365492 100644 +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -630,7 +630,10 @@ static void __rs_deltree(struct gfs2_blkreserv *rs) + RB_CLEAR_NODE(&rs->rs_node); + + if (rs->rs_free) { +- struct gfs2_bitmap *bi = rbm_bi(&rs->rs_rbm); ++ u64 last_block = gfs2_rbm_to_block(&rs->rs_rbm) + ++ rs->rs_free - 1; ++ struct gfs2_rbm last_rbm = { .rgd = rs->rs_rbm.rgd, }; ++ struct gfs2_bitmap *start, *last; + + /* return reserved blocks to the rgrp */ + BUG_ON(rs->rs_rbm.rgd->rd_reserved < rs->rs_free); +@@ -641,7 +644,13 @@ static void __rs_deltree(struct gfs2_blkreserv *rs) + it will force the number to be recalculated later. */ + rgd->rd_extfail_pt += rs->rs_free; + rs->rs_free = 0; +- clear_bit(GBF_FULL, &bi->bi_flags); ++ if (gfs2_rbm_from_block(&last_rbm, last_block)) ++ return; ++ start = rbm_bi(&rs->rs_rbm); ++ last = rbm_bi(&last_rbm); ++ do ++ clear_bit(GBF_FULL, &start->bi_flags); ++ while (start++ != last); + } + } + +-- +2.20.1 + diff --git a/queue-4.9/gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch b/queue-4.9/gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch new file mode 100644 index 00000000000..690a6bf0171 --- /dev/null +++ b/queue-4.9/gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch @@ -0,0 +1,78 @@ +From d93da0a71756aefcb31c8072b586c713ed2397fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Oct 2018 10:04:45 -0600 +Subject: gsmi: Fix bug in append_to_eventlog sysfs handler + +From: Duncan Laurie + +[ Upstream commit 655603de68469adaff16842ac17a5aec9c9ce89b ] + +The sysfs handler should return the number of bytes consumed, which in the +case of a successful write is the entire buffer. Also fix a bug where +param.data_len was being set to (count - (2 * sizeof(u32))) instead of just +(count - sizeof(u32)). The latter is correct because we skip over the +leading u32 which is our param.type, but we were also incorrectly +subtracting sizeof(u32) on the line where we were actually setting +param.data_len: + + param.data_len = count - sizeof(u32); + +This meant that for our example event.kernel_software_watchdog with total +length 10 bytes, param.data_len was just 2 prior to this change. + +To test, successfully append an event to the log with gsmi sysfs. +This sample event is for a "Kernel Software Watchdog" + +> xxd -g 1 event.kernel_software_watchdog +0000000: 01 00 00 00 ad de 06 00 00 00 + +> cat event.kernel_software_watchdog > /sys/firmware/gsmi/append_to_eventlog + +> mosys eventlog list | tail -1 +14 | 2012-06-25 10:14:14 | Kernl Event | Software Watchdog + +Signed-off-by: Duncan Laurie +Reviewed-by: Vadim Bendebury +Reviewed-by: Stefan Reinauer +Signed-off-by: Furquan Shaikh +Tested-by: Furquan Shaikh +Reviewed-by: Aaron Durbin +Reviewed-by: Justin TerAvest +[zwisler: updated changelog for 2nd bug fix and upstream] +Signed-off-by: Ross Zwisler +Reviewed-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/firmware/google/gsmi.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c +index c463871609764..98cdfc2ee0dff 100644 +--- a/drivers/firmware/google/gsmi.c ++++ b/drivers/firmware/google/gsmi.c +@@ -480,11 +480,10 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj, + if (count < sizeof(u32)) + return -EINVAL; + param.type = *(u32 *)buf; +- count -= sizeof(u32); + buf += sizeof(u32); + + /* The remaining buffer is the data payload */ +- if (count > gsmi_dev.data_buf->length) ++ if ((count - sizeof(u32)) > gsmi_dev.data_buf->length) + return -EINVAL; + param.data_len = count - sizeof(u32); + +@@ -504,7 +503,7 @@ static ssize_t eventlog_write(struct file *filp, struct kobject *kobj, + + spin_unlock_irqrestore(&gsmi_dev.lock, flags); + +- return rc; ++ return (rc == 0) ? count : rc; + + } + +-- +2.20.1 + diff --git a/queue-4.9/hfs-fix-bug-on-bnode-parent-update.patch b/queue-4.9/hfs-fix-bug-on-bnode-parent-update.patch new file mode 100644 index 00000000000..247dcf196d6 --- /dev/null +++ b/queue-4.9/hfs-fix-bug-on-bnode-parent-update.patch @@ -0,0 +1,48 @@ +From 92574cac0ea464ffbf00b9ffa882805434496efd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:11 -0700 +Subject: hfs: fix BUG on bnode parent update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit ef75bcc5763d130451a99825f247d301088b790b ] + +hfs_brec_update_parent() may hit BUG_ON() if the first record of both a +leaf node and its parent are changed, and if this forces the parent to +be split. It is not possible for this to happen on a valid hfs +filesystem because the index nodes have fixed length keys. + +For reasons I ignore, the hfs module does have support for a number of +hfsplus features. A corrupt btree header may report variable length +keys and trigger this BUG, so it's better to fix it. + +Link: http://lkml.kernel.org/r/cf9b02d57f806217a2b1bf5db8c3e39730d8f603.1535682463.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Reviewed-by: Andrew Morton +Cc: Christoph Hellwig +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/brec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfs/brec.c b/fs/hfs/brec.c +index 2e713673df42f..85dab71bee74f 100644 +--- a/fs/hfs/brec.c ++++ b/fs/hfs/brec.c +@@ -444,6 +444,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd) + /* restore search_key */ + hfs_bnode_read_key(node, fd->search_key, 14); + } ++ new_node = NULL; + } + + if (!rec && node->parent) +-- +2.20.1 + diff --git a/queue-4.9/hfs-fix-return-value-of-hfs_get_block.patch b/queue-4.9/hfs-fix-return-value-of-hfs_get_block.patch new file mode 100644 index 00000000000..2822ad4c6e3 --- /dev/null +++ b/queue-4.9/hfs-fix-return-value-of-hfs_get_block.patch @@ -0,0 +1,48 @@ +From 36621185f26b8184dfd33c0a1f6049b5f1c6e02b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:24 -0700 +Subject: hfs: fix return value of hfs_get_block() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit 1267a07be5ebbff2d2739290f3d043ae137c15b4 ] + +Direct writes to empty inodes fail with EIO. The generic direct-io code +is in part to blame (a patch has been submitted as "direct-io: allow +direct writes to empty inodes"), but hfs is worse affected than the other +filesystems because the fallback to buffered I/O doesn't happen. + +The problem is the return value of hfs_get_block() when called with +!create. Change it to be more consistent with the other modules. + +Link: http://lkml.kernel.org/r/4538ab8c35ea37338490525f0f24cbc37227528c.1539195310.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Reviewed-by: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/extent.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c +index 1bd1afefe2538..16819d2a978b4 100644 +--- a/fs/hfs/extent.c ++++ b/fs/hfs/extent.c +@@ -345,7 +345,9 @@ int hfs_get_block(struct inode *inode, sector_t block, + ablock = (u32)block / HFS_SB(sb)->fs_div; + + if (block >= HFS_I(inode)->fs_blocks) { +- if (block > HFS_I(inode)->fs_blocks || !create) ++ if (!create) ++ return 0; ++ if (block > HFS_I(inode)->fs_blocks) + return -EIO; + if (ablock >= HFS_I(inode)->alloc_blocks) { + res = hfs_extend_file(inode); +-- +2.20.1 + diff --git a/queue-4.9/hfs-prevent-btree-data-loss-on-enospc.patch b/queue-4.9/hfs-prevent-btree-data-loss-on-enospc.patch new file mode 100644 index 00000000000..0fdc27c9099 --- /dev/null +++ b/queue-4.9/hfs-prevent-btree-data-loss-on-enospc.patch @@ -0,0 +1,166 @@ +From 740923c7596692ef2369ee73ac1d416d4030e8bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:17 -0700 +Subject: hfs: prevent btree data loss on ENOSPC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit 54640c7502e5ed41fbf4eedd499e85f9acc9698f ] + +Inserting a new record in a btree may require splitting several of its +nodes. If we hit ENOSPC halfway through, the new nodes will be left +orphaned and their records will be lost. This could mean lost inodes or +extents. + +Henceforth, check the available disk space before making any changes. +This still leaves the potential problem of corruption on ENOMEM. + +There is no need to reserve space before deleting a catalog record, as we +do for hfsplus. This difference is because hfs index nodes have fixed +length keys. + +Link: http://lkml.kernel.org/r/ab5fc8a7d5ffccfd5f27b1cf2cb4ceb6c110da74.1536269131.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/btree.c | 41 +++++++++++++++++++++++++---------------- + fs/hfs/btree.h | 1 + + fs/hfs/catalog.c | 16 ++++++++++++++++ + fs/hfs/extent.c | 4 ++++ + 4 files changed, 46 insertions(+), 16 deletions(-) + +diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c +index 320f4372f1720..77eff447d3014 100644 +--- a/fs/hfs/btree.c ++++ b/fs/hfs/btree.c +@@ -219,25 +219,17 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx) + return node; + } + +-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) ++/* Make sure @tree has enough space for the @rsvd_nodes */ ++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes) + { +- struct hfs_bnode *node, *next_node; +- struct page **pagep; +- u32 nidx, idx; +- unsigned off; +- u16 off16; +- u16 len; +- u8 *data, byte, m; +- int i; +- +- while (!tree->free_nodes) { +- struct inode *inode = tree->inode; +- u32 count; +- int res; ++ struct inode *inode = tree->inode; ++ u32 count; ++ int res; + ++ while (tree->free_nodes < rsvd_nodes) { + res = hfs_extend_file(inode); + if (res) +- return ERR_PTR(res); ++ return res; + HFS_I(inode)->phys_size = inode->i_size = + (loff_t)HFS_I(inode)->alloc_blocks * + HFS_SB(tree->sb)->alloc_blksz; +@@ -245,9 +237,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + tree->sb->s_blocksize_bits; + inode_set_bytes(inode, inode->i_size); + count = inode->i_size >> tree->node_size_shift; +- tree->free_nodes = count - tree->node_count; ++ tree->free_nodes += count - tree->node_count; + tree->node_count = count; + } ++ return 0; ++} ++ ++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) ++{ ++ struct hfs_bnode *node, *next_node; ++ struct page **pagep; ++ u32 nidx, idx; ++ unsigned off; ++ u16 off16; ++ u16 len; ++ u8 *data, byte, m; ++ int i, res; ++ ++ res = hfs_bmap_reserve(tree, 1); ++ if (res) ++ return ERR_PTR(res); + + nidx = 0; + node = hfs_bnode_find(tree, nidx); +diff --git a/fs/hfs/btree.h b/fs/hfs/btree.h +index f6bd266d70b55..2715f416b5a80 100644 +--- a/fs/hfs/btree.h ++++ b/fs/hfs/btree.h +@@ -81,6 +81,7 @@ struct hfs_find_data { + extern struct hfs_btree *hfs_btree_open(struct super_block *, u32, btree_keycmp); + extern void hfs_btree_close(struct hfs_btree *); + extern void hfs_btree_write(struct hfs_btree *); ++extern int hfs_bmap_reserve(struct hfs_btree *, int); + extern struct hfs_bnode * hfs_bmap_alloc(struct hfs_btree *); + extern void hfs_bmap_free(struct hfs_bnode *node); + +diff --git a/fs/hfs/catalog.c b/fs/hfs/catalog.c +index 8a66405b0f8b5..d365bf0b8c77d 100644 +--- a/fs/hfs/catalog.c ++++ b/fs/hfs/catalog.c +@@ -97,6 +97,14 @@ int hfs_cat_create(u32 cnid, struct inode *dir, const struct qstr *str, struct i + if (err) + return err; + ++ /* ++ * Fail early and avoid ENOSPC during the btree operations. We may ++ * have to split the root node at most once. ++ */ ++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth); ++ if (err) ++ goto err2; ++ + hfs_cat_build_key(sb, fd.search_key, cnid, NULL); + entry_size = hfs_cat_build_thread(sb, &entry, S_ISDIR(inode->i_mode) ? + HFS_CDR_THD : HFS_CDR_FTH, +@@ -295,6 +303,14 @@ int hfs_cat_move(u32 cnid, struct inode *src_dir, const struct qstr *src_name, + return err; + dst_fd = src_fd; + ++ /* ++ * Fail early and avoid ENOSPC during the btree operations. We may ++ * have to split the root node at most once. ++ */ ++ err = hfs_bmap_reserve(src_fd.tree, 2 * src_fd.tree->depth); ++ if (err) ++ goto out; ++ + /* find the old dir entry and read the data */ + hfs_cat_build_key(sb, src_fd.search_key, src_dir->i_ino, src_name); + err = hfs_brec_find(&src_fd); +diff --git a/fs/hfs/extent.c b/fs/hfs/extent.c +index e33a0d36a93eb..1bd1afefe2538 100644 +--- a/fs/hfs/extent.c ++++ b/fs/hfs/extent.c +@@ -117,6 +117,10 @@ static int __hfs_ext_write_extent(struct inode *inode, struct hfs_find_data *fd) + if (HFS_I(inode)->flags & HFS_FLG_EXT_NEW) { + if (res != -ENOENT) + return res; ++ /* Fail early and avoid ENOSPC during the btree operation */ ++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1); ++ if (res) ++ return res; + hfs_brec_insert(fd, HFS_I(inode)->cached_extents, sizeof(hfs_extent_rec)); + HFS_I(inode)->flags &= ~(HFS_FLG_EXT_DIRTY|HFS_FLG_EXT_NEW); + } else { +-- +2.20.1 + diff --git a/queue-4.9/hfs-update-timestamp-on-truncate.patch b/queue-4.9/hfs-update-timestamp-on-truncate.patch new file mode 100644 index 00000000000..69770c07f02 --- /dev/null +++ b/queue-4.9/hfs-update-timestamp-on-truncate.patch @@ -0,0 +1,41 @@ +From 696f9bd11d11e7134a2a49adf9cb9f47947d42ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:31 -0700 +Subject: hfs: update timestamp on truncate() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit 8cd3cb5061730af085a3f9890a3352f162b4e20c ] + +The vfs takes care of updating mtime on ftruncate(), but on truncate() it +must be done by the module. + +Link: http://lkml.kernel.org/r/e1611eda2985b672ed2d8677350b4ad8c2d07e8a.1539316825.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Reviewed-by: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c +index f776acf2378a1..de0d6d4c46b68 100644 +--- a/fs/hfs/inode.c ++++ b/fs/hfs/inode.c +@@ -641,6 +641,8 @@ int hfs_inode_setattr(struct dentry *dentry, struct iattr * attr) + + truncate_setsize(inode, attr->ia_size); + hfs_file_truncate(inode); ++ inode->i_atime = inode->i_mtime = inode->i_ctime = ++ current_time(inode); + } + + setattr_copy(inode, attr); +-- +2.20.1 + diff --git a/queue-4.9/hfsplus-fix-bug-on-bnode-parent-update.patch b/queue-4.9/hfsplus-fix-bug-on-bnode-parent-update.patch new file mode 100644 index 00000000000..6d9a2f164f2 --- /dev/null +++ b/queue-4.9/hfsplus-fix-bug-on-bnode-parent-update.patch @@ -0,0 +1,59 @@ +From 072242322dc2850c00a4653b25eaa8c7ac82bd0c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:04 -0700 +Subject: hfsplus: fix BUG on bnode parent update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit 19a9d0f1acf75e8be8cfba19c1a34e941846fa2b ] + +Creating, renaming or deleting a file may hit BUG_ON() if the first +record of both a leaf node and its parent are changed, and if this +forces the parent to be split. This bug is triggered by xfstests +generic/027, somewhat rarely; here is a more reliable reproducer: + + truncate -s 50M fs.iso + mkfs.hfsplus fs.iso + mount fs.iso /mnt + i=1000 + while [ $i -le 2400 ]; do + touch /mnt/$i &>/dev/null + ((++i)) + done + i=2400 + while [ $i -ge 1000 ]; do + mv /mnt/$i /mnt/$(perl -e "print $i x61") &>/dev/null + ((--i)) + done + +The issue is that a newly created bnode is being put twice. Reset +new_node to NULL in hfs_brec_update_parent() before reaching goto again. + +Link: http://lkml.kernel.org/r/5ee1db09b60373a15890f6a7c835d00e76bf601d.1535682461.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/brec.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfsplus/brec.c b/fs/hfsplus/brec.c +index 1002a0c08319b..20ce698251ad1 100644 +--- a/fs/hfsplus/brec.c ++++ b/fs/hfsplus/brec.c +@@ -447,6 +447,7 @@ static int hfs_brec_update_parent(struct hfs_find_data *fd) + /* restore search_key */ + hfs_bnode_read_key(node, fd->search_key, 14); + } ++ new_node = NULL; + } + + if (!rec && node->parent) +-- +2.20.1 + diff --git a/queue-4.9/hfsplus-fix-return-value-of-hfsplus_get_block.patch b/queue-4.9/hfsplus-fix-return-value-of-hfsplus_get_block.patch new file mode 100644 index 00000000000..fb272611245 --- /dev/null +++ b/queue-4.9/hfsplus-fix-return-value-of-hfsplus_get_block.patch @@ -0,0 +1,48 @@ +From a3f75f5e4096ac86e4b2e2eb91e9b8a15078b408 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:21 -0700 +Subject: hfsplus: fix return value of hfsplus_get_block() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit 839c3a6a5e1fbc8542d581911b35b2cb5cd29304 ] + +Direct writes to empty inodes fail with EIO. The generic direct-io code +is in part to blame (a patch has been submitted as "direct-io: allow +direct writes to empty inodes"), but hfsplus is worse affected than the +other filesystems because the fallback to buffered I/O doesn't happen. + +The problem is the return value of hfsplus_get_block() when called with +!create. Change it to be more consistent with the other modules. + +Link: http://lkml.kernel.org/r/2cd1301404ec7cf1e39c8f11a01a4302f1460ad6.1539195310.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Reviewed-by: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/extents.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c +index ce0b8f8374081..d93c051559cb8 100644 +--- a/fs/hfsplus/extents.c ++++ b/fs/hfsplus/extents.c +@@ -236,7 +236,9 @@ int hfsplus_get_block(struct inode *inode, sector_t iblock, + ablock = iblock >> sbi->fs_shift; + + if (iblock >= hip->fs_blocks) { +- if (iblock > hip->fs_blocks || !create) ++ if (!create) ++ return 0; ++ if (iblock > hip->fs_blocks) + return -EIO; + if (ablock >= hip->alloc_blocks) { + res = hfsplus_file_extend(inode, false); +-- +2.20.1 + diff --git a/queue-4.9/hfsplus-prevent-btree-data-loss-on-enospc.patch b/queue-4.9/hfsplus-prevent-btree-data-loss-on-enospc.patch new file mode 100644 index 00000000000..08ca0069e7f --- /dev/null +++ b/queue-4.9/hfsplus-prevent-btree-data-loss-on-enospc.patch @@ -0,0 +1,220 @@ +From 17d319d4836ac0d161a923366ef2674c2e7c34b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:14 -0700 +Subject: hfsplus: prevent btree data loss on ENOSPC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit d92915c35bfaf763d78bf1d5ac7f183420e3bd99 ] + +Inserting or deleting a record in a btree may require splitting several of +its nodes. If we hit ENOSPC halfway through, the new nodes will be left +orphaned and their records will be lost. This could mean lost inodes, +extents or xattrs. + +Henceforth, check the available disk space before making any changes. +This still leaves the potential problem of corruption on ENOMEM. + +The patch can be tested with xfstests generic/027. + +Link: http://lkml.kernel.org/r/4596eef22fbda137b4ffa0272d92f0da15364421.1536269129.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Cc: Christoph Hellwig +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/attributes.c | 10 ++++++++++ + fs/hfsplus/btree.c | 44 ++++++++++++++++++++++++++--------------- + fs/hfsplus/catalog.c | 24 ++++++++++++++++++++++ + fs/hfsplus/extents.c | 4 ++++ + fs/hfsplus/hfsplus_fs.h | 2 ++ + 5 files changed, 68 insertions(+), 16 deletions(-) + +diff --git a/fs/hfsplus/attributes.c b/fs/hfsplus/attributes.c +index e5b221de7de63..d7455ea702878 100644 +--- a/fs/hfsplus/attributes.c ++++ b/fs/hfsplus/attributes.c +@@ -216,6 +216,11 @@ int hfsplus_create_attr(struct inode *inode, + if (err) + goto failed_init_create_attr; + ++ /* Fail early and avoid ENOSPC during the btree operation */ ++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth + 1); ++ if (err) ++ goto failed_create_attr; ++ + if (name) { + err = hfsplus_attr_build_key(sb, fd.search_key, + inode->i_ino, name); +@@ -312,6 +317,11 @@ int hfsplus_delete_attr(struct inode *inode, const char *name) + if (err) + return err; + ++ /* Fail early and avoid ENOSPC during the btree operation */ ++ err = hfs_bmap_reserve(fd.tree, fd.tree->depth); ++ if (err) ++ goto out; ++ + if (name) { + err = hfsplus_attr_build_key(sb, fd.search_key, + inode->i_ino, name); +diff --git a/fs/hfsplus/btree.c b/fs/hfsplus/btree.c +index 8d2256454efe6..7e96b4c294f7a 100644 +--- a/fs/hfsplus/btree.c ++++ b/fs/hfsplus/btree.c +@@ -341,26 +341,21 @@ static struct hfs_bnode *hfs_bmap_new_bmap(struct hfs_bnode *prev, u32 idx) + return node; + } + +-struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) ++/* Make sure @tree has enough space for the @rsvd_nodes */ ++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes) + { +- struct hfs_bnode *node, *next_node; +- struct page **pagep; +- u32 nidx, idx; +- unsigned off; +- u16 off16; +- u16 len; +- u8 *data, byte, m; +- int i; ++ struct inode *inode = tree->inode; ++ struct hfsplus_inode_info *hip = HFSPLUS_I(inode); ++ u32 count; ++ int res; + +- while (!tree->free_nodes) { +- struct inode *inode = tree->inode; +- struct hfsplus_inode_info *hip = HFSPLUS_I(inode); +- u32 count; +- int res; ++ if (rsvd_nodes <= 0) ++ return 0; + ++ while (tree->free_nodes < rsvd_nodes) { + res = hfsplus_file_extend(inode, hfs_bnode_need_zeroout(tree)); + if (res) +- return ERR_PTR(res); ++ return res; + hip->phys_size = inode->i_size = + (loff_t)hip->alloc_blocks << + HFSPLUS_SB(tree->sb)->alloc_blksz_shift; +@@ -368,9 +363,26 @@ struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) + hip->alloc_blocks << HFSPLUS_SB(tree->sb)->fs_shift; + inode_set_bytes(inode, inode->i_size); + count = inode->i_size >> tree->node_size_shift; +- tree->free_nodes = count - tree->node_count; ++ tree->free_nodes += count - tree->node_count; + tree->node_count = count; + } ++ return 0; ++} ++ ++struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree) ++{ ++ struct hfs_bnode *node, *next_node; ++ struct page **pagep; ++ u32 nidx, idx; ++ unsigned off; ++ u16 off16; ++ u16 len; ++ u8 *data, byte, m; ++ int i, res; ++ ++ res = hfs_bmap_reserve(tree, 1); ++ if (res) ++ return ERR_PTR(res); + + nidx = 0; + node = hfs_bnode_find(tree, nidx); +diff --git a/fs/hfsplus/catalog.c b/fs/hfsplus/catalog.c +index a5e00f7a4c143..947da72e72a30 100644 +--- a/fs/hfsplus/catalog.c ++++ b/fs/hfsplus/catalog.c +@@ -264,6 +264,14 @@ int hfsplus_create_cat(u32 cnid, struct inode *dir, + if (err) + return err; + ++ /* ++ * Fail early and avoid ENOSPC during the btree operations. We may ++ * have to split the root node at most once. ++ */ ++ err = hfs_bmap_reserve(fd.tree, 2 * fd.tree->depth); ++ if (err) ++ goto err2; ++ + hfsplus_cat_build_key_with_cnid(sb, fd.search_key, cnid); + entry_size = hfsplus_fill_cat_thread(sb, &entry, + S_ISDIR(inode->i_mode) ? +@@ -332,6 +340,14 @@ int hfsplus_delete_cat(u32 cnid, struct inode *dir, const struct qstr *str) + if (err) + return err; + ++ /* ++ * Fail early and avoid ENOSPC during the btree operations. We may ++ * have to split the root node at most once. ++ */ ++ err = hfs_bmap_reserve(fd.tree, 2 * (int)fd.tree->depth - 2); ++ if (err) ++ goto out; ++ + if (!str) { + int len; + +@@ -432,6 +448,14 @@ int hfsplus_rename_cat(u32 cnid, + return err; + dst_fd = src_fd; + ++ /* ++ * Fail early and avoid ENOSPC during the btree operations. We may ++ * have to split the root node at most twice. ++ */ ++ err = hfs_bmap_reserve(src_fd.tree, 4 * (int)src_fd.tree->depth - 1); ++ if (err) ++ goto out; ++ + /* find the old dir entry and read the data */ + err = hfsplus_cat_build_key(sb, src_fd.search_key, + src_dir->i_ino, src_name); +diff --git a/fs/hfsplus/extents.c b/fs/hfsplus/extents.c +index feca524ce2a5c..ce0b8f8374081 100644 +--- a/fs/hfsplus/extents.c ++++ b/fs/hfsplus/extents.c +@@ -99,6 +99,10 @@ static int __hfsplus_ext_write_extent(struct inode *inode, + if (hip->extent_state & HFSPLUS_EXT_NEW) { + if (res != -ENOENT) + return res; ++ /* Fail early and avoid ENOSPC during the btree operation */ ++ res = hfs_bmap_reserve(fd->tree, fd->tree->depth + 1); ++ if (res) ++ return res; + hfs_brec_insert(fd, hip->cached_extents, + sizeof(hfsplus_extent_rec)); + hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW); +diff --git a/fs/hfsplus/hfsplus_fs.h b/fs/hfsplus/hfsplus_fs.h +index a3f03b2474637..35cd703c66045 100644 +--- a/fs/hfsplus/hfsplus_fs.h ++++ b/fs/hfsplus/hfsplus_fs.h +@@ -311,6 +311,7 @@ static inline unsigned short hfsplus_min_io_size(struct super_block *sb) + #define hfs_btree_open hfsplus_btree_open + #define hfs_btree_close hfsplus_btree_close + #define hfs_btree_write hfsplus_btree_write ++#define hfs_bmap_reserve hfsplus_bmap_reserve + #define hfs_bmap_alloc hfsplus_bmap_alloc + #define hfs_bmap_free hfsplus_bmap_free + #define hfs_bnode_read hfsplus_bnode_read +@@ -395,6 +396,7 @@ u32 hfsplus_calc_btree_clump_size(u32 block_size, u32 node_size, u64 sectors, + struct hfs_btree *hfs_btree_open(struct super_block *sb, u32 id); + void hfs_btree_close(struct hfs_btree *tree); + int hfs_btree_write(struct hfs_btree *tree); ++int hfs_bmap_reserve(struct hfs_btree *tree, int rsvd_nodes); + struct hfs_bnode *hfs_bmap_alloc(struct hfs_btree *tree); + void hfs_bmap_free(struct hfs_bnode *node); + +-- +2.20.1 + diff --git a/queue-4.9/hfsplus-update-timestamps-on-truncate.patch b/queue-4.9/hfsplus-update-timestamps-on-truncate.patch new file mode 100644 index 00000000000..4f87ff37b14 --- /dev/null +++ b/queue-4.9/hfsplus-update-timestamps-on-truncate.patch @@ -0,0 +1,42 @@ +From 0422dd32c4d90ba87f5e282cbef6d7c4e9cc1e70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:06:27 -0700 +Subject: hfsplus: update timestamps on truncate() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ernesto A. Fernández + +[ Upstream commit dc8844aada735890a6de109bef327f5df36a982e ] + +The vfs takes care of updating ctime and mtime on ftruncate(), but on +truncate() it must be done by the module. + +This patch can be tested with xfstests generic/313. + +Link: http://lkml.kernel.org/r/9beb0913eea37288599e8e1b7cec8768fb52d1b8.1539316825.git.ernesto.mnd.fernandez@gmail.com +Signed-off-by: Ernesto A. Fernández +Reviewed-by: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/hfsplus/inode.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c +index 2e796f8302ffa..cfd380e2743d1 100644 +--- a/fs/hfsplus/inode.c ++++ b/fs/hfsplus/inode.c +@@ -260,6 +260,7 @@ static int hfsplus_setattr(struct dentry *dentry, struct iattr *attr) + } + truncate_setsize(inode, attr->ia_size); + hfsplus_file_truncate(inode); ++ inode->i_mtime = inode->i_ctime = current_time(inode); + } + + setattr_copy(inode, attr); +-- +2.20.1 + diff --git a/queue-4.9/igb-shorten-maximum-phc-timecounter-update-interval.patch b/queue-4.9/igb-shorten-maximum-phc-timecounter-update-interval.patch new file mode 100644 index 00000000000..ecbc91fcb6a --- /dev/null +++ b/queue-4.9/igb-shorten-maximum-phc-timecounter-update-interval.patch @@ -0,0 +1,56 @@ +From 1cb0007ae0f0e87df7a561d60088cb0ad0d71d88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Oct 2018 13:13:39 +0200 +Subject: igb: shorten maximum PHC timecounter update interval + +From: Miroslav Lichvar + +[ Upstream commit 094bf4d0e9657f6ea1ee3d7e07ce3970796949ce ] + +The timecounter needs to be updated at least once per ~550 seconds in +order to avoid a 40-bit SYSTIM timestamp to be misinterpreted as an old +timestamp. + +Since commit 500462a9d ("timers: Switch to a non-cascading wheel"), +scheduling of delayed work seems to be less accurate and a requested +delay of 540 seconds may actually be longer than 550 seconds. Shorten +the delay to 480 seconds to be sure the timecounter is updated in time. + +This fixes an issue with HW timestamps on 82580/I350/I354 being off by +~1100 seconds for few seconds every ~9 minutes. + +Cc: Jacob Keller +Cc: Richard Cochran +Cc: Thomas Gleixner +Signed-off-by: Miroslav Lichvar +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_ptp.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_ptp.c b/drivers/net/ethernet/intel/igb/igb_ptp.c +index 9eb9b68f8935e..ae1f963b60923 100644 +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -65,9 +65,15 @@ + * + * The 40 bit 82580 SYSTIM overflows every + * 2^40 * 10^-9 / 60 = 18.3 minutes. ++ * ++ * SYSTIM is converted to real time using a timecounter. As ++ * timecounter_cyc2time() allows old timestamps, the timecounter ++ * needs to be updated at least once per half of the SYSTIM interval. ++ * Scheduling of delayed work is not very accurate, so we aim for 8 ++ * minutes to be sure the actual interval is shorter than 9.16 minutes. + */ + +-#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 9) ++#define IGB_SYSTIM_OVERFLOW_PERIOD (HZ * 60 * 8) + #define IGB_PTP_TX_TIMEOUT (HZ * 15) + #define INCPERIOD_82576 BIT(E1000_TIMINCA_16NS_SHIFT) + #define INCVALUE_82576_MASK GENMASK(E1000_TIMINCA_16NS_SHIFT - 1, 0) +-- +2.20.1 + diff --git a/queue-4.9/kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch b/queue-4.9/kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch new file mode 100644 index 00000000000..d5b9b52614d --- /dev/null +++ b/queue-4.9/kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch @@ -0,0 +1,103 @@ +From ae5f561b447cbd94594eb41bf53431614cd7e496 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Oct 2018 16:59:51 -0400 +Subject: kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on + bad stack + +From: Steven Rostedt (VMware) + +[ Upstream commit c2712b858187f5bcd7b042fe4daa3ba3a12635c0 ] + +Andy had some concerns about using regs_get_kernel_stack_nth() in a new +function regs_get_kernel_argument() as if there's any error in the stack +code, it could cause a bad memory access. To be on the safe side, call +probe_kernel_read() on the stack address to be extra careful in accessing +the memory. A helper function, regs_get_kernel_stack_nth_addr(), was added +to just return the stack address (or NULL if not on the stack), that will be +used to find the address (and could be used by other functions) and read the +address with kernel_probe_read(). + +Requested-by: Andy Lutomirski +Signed-off-by: Steven Rostedt (VMware) +Reviewed-by: Joel Fernandes (Google) +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20181017165951.09119177@gandalf.local.home +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/ptrace.h | 42 +++++++++++++++++++++++++++++------ + 1 file changed, 35 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h +index ea78a8438a8af..fb489cd848faa 100644 +--- a/arch/x86/include/asm/ptrace.h ++++ b/arch/x86/include/asm/ptrace.h +@@ -199,24 +199,52 @@ static inline int regs_within_kernel_stack(struct pt_regs *regs, + (kernel_stack_pointer(regs) & ~(THREAD_SIZE - 1))); + } + ++/** ++ * regs_get_kernel_stack_nth_addr() - get the address of the Nth entry on stack ++ * @regs: pt_regs which contains kernel stack pointer. ++ * @n: stack entry number. ++ * ++ * regs_get_kernel_stack_nth() returns the address of the @n th entry of the ++ * kernel stack which is specified by @regs. If the @n th entry is NOT in ++ * the kernel stack, this returns NULL. ++ */ ++static inline unsigned long *regs_get_kernel_stack_nth_addr(struct pt_regs *regs, unsigned int n) ++{ ++ unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs); ++ ++ addr += n; ++ if (regs_within_kernel_stack(regs, (unsigned long)addr)) ++ return addr; ++ else ++ return NULL; ++} ++ ++/* To avoid include hell, we can't include uaccess.h */ ++extern long probe_kernel_read(void *dst, const void *src, size_t size); ++ + /** + * regs_get_kernel_stack_nth() - get Nth entry of the stack + * @regs: pt_regs which contains kernel stack pointer. + * @n: stack entry number. + * + * regs_get_kernel_stack_nth() returns @n th entry of the kernel stack which +- * is specified by @regs. If the @n th entry is NOT in the kernel stack, ++ * is specified by @regs. If the @n th entry is NOT in the kernel stack + * this returns 0. + */ + static inline unsigned long regs_get_kernel_stack_nth(struct pt_regs *regs, + unsigned int n) + { +- unsigned long *addr = (unsigned long *)kernel_stack_pointer(regs); +- addr += n; +- if (regs_within_kernel_stack(regs, (unsigned long)addr)) +- return *addr; +- else +- return 0; ++ unsigned long *addr; ++ unsigned long val; ++ long ret; ++ ++ addr = regs_get_kernel_stack_nth_addr(regs, n); ++ if (addr) { ++ ret = probe_kernel_read(&val, addr, sizeof(val)); ++ if (!ret) ++ return val; ++ } ++ return 0; + } + + #define arch_has_single_step() (1) +-- +2.20.1 + diff --git a/queue-4.9/kvm-x86-fix-invvpid-and-invept-register-operand-size.patch b/queue-4.9/kvm-x86-fix-invvpid-and-invept-register-operand-size.patch new file mode 100644 index 00000000000..10e96eedf56 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-invvpid-and-invept-register-operand-size.patch @@ -0,0 +1,45 @@ +From 566c97233809f67e717e141463a255f5315cbeb8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 19:40:43 +0200 +Subject: KVM/x86: Fix invvpid and invept register operand size in 64-bit mode + +From: Uros Bizjak + +[ Upstream commit 5ebb272b2ea7e02911a03a893f8d922d49f9bb4a ] + +Register operand size of invvpid and invept instruction in 64-bit mode +has always 64 bits. Adjust inline function argument type to reflect +correct size. + +Signed-off-by: Uros Bizjak +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index 4c0d6d0d6337f..f76caa03f4f80 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -1547,7 +1547,7 @@ static int __find_msr_index(struct vcpu_vmx *vmx, u32 msr) + return -1; + } + +-static inline void __invvpid(int ext, u16 vpid, gva_t gva) ++static inline void __invvpid(unsigned long ext, u16 vpid, gva_t gva) + { + struct { + u64 vpid : 16; +@@ -1561,7 +1561,7 @@ static inline void __invvpid(int ext, u16 vpid, gva_t gva) + : : "a"(&operand), "c"(ext) : "cc", "memory"); + } + +-static inline void __invept(int ext, u64 eptp, gpa_t gpa) ++static inline void __invept(unsigned long ext, u64 eptp, gpa_t gpa) + { + struct { + u64 eptp, gpa; +-- +2.20.1 + diff --git a/queue-4.9/linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch b/queue-4.9/linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch new file mode 100644 index 00000000000..e217978cad6 --- /dev/null +++ b/queue-4.9/linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch @@ -0,0 +1,42 @@ +From 8a38f10b6a37677bb46ce95efddf9d3bd59ca92a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:05:07 -0700 +Subject: linux/bitmap.h: fix type of nbits in bitmap_shift_right() + +From: Rasmus Villemoes + +[ Upstream commit d9873969fa8725dc6a5a21ab788c057fd8719751 ] + +Most other bitmap API, including the OOL version __bitmap_shift_right, +take unsigned nbits. This was accidentally left out from 2fbad29917c98. + +Link: http://lkml.kernel.org/r/20180818131623.8755-5-linux@rasmusvillemoes.dk +Fixes: 2fbad29917c98 ("lib: bitmap: change bitmap_shift_right to take unsigned parameters") +Signed-off-by: Rasmus Villemoes +Reported-by: Yury Norov +Reviewed-by: Andy Shevchenko +Cc: Rasmus Villemoes +Cc: Sudeep Holla +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/bitmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h +index dc56304ac829f..dec03c0dbc214 100644 +--- a/include/linux/bitmap.h ++++ b/include/linux/bitmap.h +@@ -321,7 +321,7 @@ static __always_inline int bitmap_weight(const unsigned long *src, unsigned int + } + + static inline void bitmap_shift_right(unsigned long *dst, const unsigned long *src, +- unsigned int shift, int nbits) ++ unsigned int shift, unsigned int nbits) + { + if (small_const_nbits(nbits)) + *dst = (*src & BITMAP_LAST_WORD_MASK(nbits)) >> shift; +-- +2.20.1 + diff --git a/queue-4.9/linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch b/queue-4.9/linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch new file mode 100644 index 00000000000..51d76843a7a --- /dev/null +++ b/queue-4.9/linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch @@ -0,0 +1,60 @@ +From 94646d697b833330f67bfdcdc1ba525c49f72e6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:04:59 -0700 +Subject: linux/bitmap.h: handle constant zero-size bitmaps correctly + +From: Rasmus Villemoes + +[ Upstream commit 7275b097851a5e2e0dd4da039c7e96b59ac5314e ] + +The static inlines in bitmap.h do not handle a compile-time constant +nbits==0 correctly (they dereference the passed src or dst pointers, +despite only 0 words being valid to access). I had the 0-day buildbot +chew on a patch [1] that would cause build failures for such cases without +complaining, suggesting that we don't have any such users currently, at +least for the 70 .config/arch combinations that was built. Should any +turn up, make sure they use the out-of-line versions, which do handle +nbits==0 correctly. + +This is of course not the most efficient, but it's much less churn than +teaching all the static inlines an "if (zero_const_nbits())", and since we +don't have any current instances, this doesn't affect existing code at +all. + +[1] lkml.kernel.org/r/20180815085539.27485-1-linux@rasmusvillemoes.dk + +Link: http://lkml.kernel.org/r/20180818131623.8755-3-linux@rasmusvillemoes.dk +Signed-off-by: Rasmus Villemoes +Reviewed-by: Andy Shevchenko +Cc: Yury Norov +Cc: Rasmus Villemoes +Cc: Sudeep Holla +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + include/linux/bitmap.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h +index 3b77588a93602..dc56304ac829f 100644 +--- a/include/linux/bitmap.h ++++ b/include/linux/bitmap.h +@@ -185,8 +185,13 @@ extern int bitmap_print_to_pagebuf(bool list, char *buf, + #define BITMAP_FIRST_WORD_MASK(start) (~0UL << ((start) & (BITS_PER_LONG - 1))) + #define BITMAP_LAST_WORD_MASK(nbits) (~0UL >> (-(nbits) & (BITS_PER_LONG - 1))) + ++/* ++ * The static inlines below do not handle constant nbits==0 correctly, ++ * so make such users (should any ever turn up) call the out-of-line ++ * versions. ++ */ + #define small_const_nbits(nbits) \ +- (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG) ++ (__builtin_constant_p(nbits) && (nbits) <= BITS_PER_LONG && (nbits) > 0) + + static inline void bitmap_zero(unsigned long *dst, unsigned int nbits) + { +-- +2.20.1 + diff --git a/queue-4.9/m68k-fix-command-line-parsing-when-passed-from-u-boo.patch b/queue-4.9/m68k-fix-command-line-parsing-when-passed-from-u-boo.patch new file mode 100644 index 00000000000..d4aecb9d56a --- /dev/null +++ b/queue-4.9/m68k-fix-command-line-parsing-when-passed-from-u-boo.patch @@ -0,0 +1,33 @@ +From 67fabc780e1c98b1b7381b578c51c4d1da70d735 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Sep 2018 14:44:25 +0200 +Subject: m68k: fix command-line parsing when passed from u-boot + +From: Angelo Dureghello + +[ Upstream commit 381fdd62c38344a771aed06adaf14aae65c47454 ] + +This patch fixes command_line array zero-terminated +one byte over the end of the array, causing boot to hang. + +Signed-off-by: Angelo Dureghello +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/kernel/uboot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/m68k/kernel/uboot.c b/arch/m68k/kernel/uboot.c +index b3536a82a2620..e002084af1012 100644 +--- a/arch/m68k/kernel/uboot.c ++++ b/arch/m68k/kernel/uboot.c +@@ -103,5 +103,5 @@ __init void process_uboot_commandline(char *commandp, int size) + } + + parse_uboot_commandline(commandp, len); +- commandp[size - 1] = 0; ++ commandp[len - 1] = 0; + } +-- +2.20.1 + diff --git a/queue-4.9/macintosh-windfarm_smu_sat-fix-debug-output.patch b/queue-4.9/macintosh-windfarm_smu_sat-fix-debug-output.patch new file mode 100644 index 00000000000..76fe915ad5c --- /dev/null +++ b/queue-4.9/macintosh-windfarm_smu_sat-fix-debug-output.patch @@ -0,0 +1,79 @@ +From f8809c622b9ae17458f5d86c06d58290ae00bf4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Oct 2018 11:18:49 +1100 +Subject: macintosh/windfarm_smu_sat: Fix debug output + +From: Benjamin Herrenschmidt + +[ Upstream commit fc0c8b36d379a046525eacb9c3323ca635283757 ] + +There's some antiquated debug output that's trying +to do a hand-made hexdump and turning into horrible +1-byte-per-line output these days. + +Use print_hex_dump() instead + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + drivers/macintosh/windfarm_smu_sat.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +diff --git a/drivers/macintosh/windfarm_smu_sat.c b/drivers/macintosh/windfarm_smu_sat.c +index ad6223e883404..3d310dd60a0be 100644 +--- a/drivers/macintosh/windfarm_smu_sat.c ++++ b/drivers/macintosh/windfarm_smu_sat.c +@@ -22,14 +22,6 @@ + + #define VERSION "1.0" + +-#define DEBUG +- +-#ifdef DEBUG +-#define DBG(args...) printk(args) +-#else +-#define DBG(args...) do { } while(0) +-#endif +- + /* If the cache is older than 800ms we'll refetch it */ + #define MAX_AGE msecs_to_jiffies(800) + +@@ -106,13 +98,10 @@ struct smu_sdbp_header *smu_sat_get_sdb_partition(unsigned int sat_id, int id, + buf[i+2] = data[3]; + buf[i+3] = data[2]; + } +-#ifdef DEBUG +- DBG(KERN_DEBUG "sat %d partition %x:", sat_id, id); +- for (i = 0; i < len; ++i) +- DBG(" %x", buf[i]); +- DBG("\n"); +-#endif + ++ printk(KERN_DEBUG "sat %d partition %x:", sat_id, id); ++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET, ++ 16, 1, buf, len, false); + if (size) + *size = len; + return (struct smu_sdbp_header *) buf; +@@ -132,13 +121,13 @@ static int wf_sat_read_cache(struct wf_sat *sat) + if (err < 0) + return err; + sat->last_read = jiffies; ++ + #ifdef LOTSA_DEBUG + { + int i; +- DBG(KERN_DEBUG "wf_sat_get: data is"); +- for (i = 0; i < 16; ++i) +- DBG(" %.2x", sat->cache[i]); +- DBG("\n"); ++ printk(KERN_DEBUG "wf_sat_get: data is"); ++ print_hex_dump(KERN_DEBUG, " ", DUMP_PREFIX_OFFSET, ++ 16, 1, sat->cache, 16, false); + } + #endif + return 0; +-- +2.20.1 + diff --git a/queue-4.9/macsec-let-the-administrator-set-up-state-even-if-lo.patch b/queue-4.9/macsec-let-the-administrator-set-up-state-even-if-lo.patch new file mode 100644 index 00000000000..e5159c87973 --- /dev/null +++ b/queue-4.9/macsec-let-the-administrator-set-up-state-even-if-lo.patch @@ -0,0 +1,43 @@ +From 57302dd2ff63b5dfe58a4efafccd4d078738181b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Oct 2018 09:33:10 +0100 +Subject: macsec: let the administrator set UP state even if lowerdev is down + +From: Sabrina Dubroca + +[ Upstream commit 07bddef9839378bd6f95b393cf24c420529b4ef1 ] + +Currently, the kernel doesn't let the administrator set a macsec device +up unless its lower device is currently up. This is inconsistent, as a +macsec device that is up won't automatically go down when its lower +device goes down. + +Now that linkstate propagation works, there's really no reason for this +limitation, so let's remove it. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Reported-by: Radu Rendec +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index d2a3825376be5..a48ed0873cc72 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -2798,9 +2798,6 @@ static int macsec_dev_open(struct net_device *dev) + struct net_device *real_dev = macsec->real_dev; + int err; + +- if (!(real_dev->flags & IFF_UP)) +- return -ENETDOWN; +- + err = dev_uc_add(real_dev, dev->dev_addr); + if (err < 0) + return err; +-- +2.20.1 + diff --git a/queue-4.9/macsec-update-operstate-when-lower-device-changes.patch b/queue-4.9/macsec-update-operstate-when-lower-device-changes.patch new file mode 100644 index 00000000000..322f603dc10 --- /dev/null +++ b/queue-4.9/macsec-update-operstate-when-lower-device-changes.patch @@ -0,0 +1,70 @@ +From 91d100e38c91965e6750c2ccfcba9cc40a1e60c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Oct 2018 09:33:09 +0100 +Subject: macsec: update operstate when lower device changes + +From: Sabrina Dubroca + +[ Upstream commit e6ac075882b2afcdf2d5ab328ce4ab42a1eb9593 ] + +Like all other virtual devices (macvlan, vlan), the operstate of a +macsec device should match the state of its lower device. This is done +by calling netif_stacked_transfer_operstate from its netdevice notifier. + +We also need to call netif_stacked_transfer_operstate when a new macsec +device is created, so that its operstate is set properly. This is only +relevant when we try to bring the device up directly when we create it. + +Radu Rendec proposed a similar patch, inspired from the 802.1q driver, +that included changing the administrative state of the macsec device, +instead of just the operstate. This version is similar to what the +macvlan driver does, and updates only the operstate. + +Fixes: c09440f7dcb3 ("macsec: introduce IEEE 802.1AE driver") +Reported-by: Radu Rendec +Reported-by: Patrick Talbert +Signed-off-by: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/macsec.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c +index da10104be16cf..d2a3825376be5 100644 +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -3275,6 +3275,9 @@ static int macsec_newlink(struct net *net, struct net_device *dev, + if (err < 0) + goto del_dev; + ++ netif_stacked_transfer_operstate(real_dev, dev); ++ linkwatch_fire_event(dev); ++ + macsec_generation++; + + return 0; +@@ -3446,6 +3449,20 @@ static int macsec_notify(struct notifier_block *this, unsigned long event, + return NOTIFY_DONE; + + switch (event) { ++ case NETDEV_DOWN: ++ case NETDEV_UP: ++ case NETDEV_CHANGE: { ++ struct macsec_dev *m, *n; ++ struct macsec_rxh_data *rxd; ++ ++ rxd = macsec_data_rtnl(real_dev); ++ list_for_each_entry_safe(m, n, &rxd->secys, secys) { ++ struct net_device *dev = m->secy.netdev; ++ ++ netif_stacked_transfer_operstate(real_dev, dev); ++ } ++ break; ++ } + case NETDEV_UNREGISTER: { + struct macsec_dev *m, *n; + struct macsec_rxh_data *rxd; +-- +2.20.1 + diff --git a/queue-4.9/mfd-arizona-correct-calling-of-runtime_put_sync.patch b/queue-4.9/mfd-arizona-correct-calling-of-runtime_put_sync.patch new file mode 100644 index 00000000000..219e9552790 --- /dev/null +++ b/queue-4.9/mfd-arizona-correct-calling-of-runtime_put_sync.patch @@ -0,0 +1,54 @@ +From 8a816f3ea7b3455ebad48bd02f6ae91877c72cd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 21 Aug 2018 19:52:44 +0530 +Subject: mfd: arizona: Correct calling of runtime_put_sync + +From: Sapthagiri Baratam + +[ Upstream commit 6b269a41a4520f7eb639e61a45ebbb9c9267d5e0 ] + +Don't call runtime_put_sync when clk32k_ref is ARIZONA_32KZ_MCLK2 +as there is no corresponding runtime_get_sync call. + +MCLK1 is not in the AoD power domain so if it is used as 32kHz clock +source we need to hold a runtime PM reference to keep the device from +going into low power mode. + +Fixes: cdd8da8cc66b ("mfd: arizona: Add gating of external MCLKn clocks") +Signed-off-by: Sapthagiri Baratam +Acked-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/arizona-core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/mfd/arizona-core.c b/drivers/mfd/arizona-core.c +index 0556a9749dbe0..1f0c2b594654e 100644 +--- a/drivers/mfd/arizona-core.c ++++ b/drivers/mfd/arizona-core.c +@@ -52,8 +52,10 @@ int arizona_clk32k_enable(struct arizona *arizona) + if (ret != 0) + goto err_ref; + ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK1]); +- if (ret != 0) +- goto err_pm; ++ if (ret != 0) { ++ pm_runtime_put_sync(arizona->dev); ++ goto err_ref; ++ } + break; + case ARIZONA_32KZ_MCLK2: + ret = clk_prepare_enable(arizona->mclk[ARIZONA_MCLK2]); +@@ -67,8 +69,6 @@ int arizona_clk32k_enable(struct arizona *arizona) + ARIZONA_CLK_32K_ENA); + } + +-err_pm: +- pm_runtime_put_sync(arizona->dev); + err_ref: + if (ret != 0) + arizona->clk32k_ref--; +-- +2.20.1 + diff --git a/queue-4.9/mfd-max8997-enale-irq-wakeup-unconditionally.patch b/queue-4.9/mfd-max8997-enale-irq-wakeup-unconditionally.patch new file mode 100644 index 00000000000..5dd22483cda --- /dev/null +++ b/queue-4.9/mfd-max8997-enale-irq-wakeup-unconditionally.patch @@ -0,0 +1,66 @@ +From ee72bd7891200888d77e6b98f518ddac833b65bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Sep 2018 13:54:07 +0200 +Subject: mfd: max8997: Enale irq-wakeup unconditionally + +From: Marek Szyprowski + +[ Upstream commit efddff27c886e729a7f84a7205bd84d7d4af7336 ] + +IRQ wake up support for MAX8997 driver was initially configured by +respective property in pdata. However, after the driver conversion to +device-tree, setting it was left as 'todo'. Nowadays most of other PMIC MFD +drivers initialized from device-tree assume that they can be an irq wakeup +source, so enable it also for MAX8997. This fixes support for wakeup from +MAX8997 RTC alarm. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/max8997.c | 8 +------- + include/linux/mfd/max8997.h | 1 - + 2 files changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/mfd/max8997.c b/drivers/mfd/max8997.c +index 2d6e2c3927862..4a2fc59d59016 100644 +--- a/drivers/mfd/max8997.c ++++ b/drivers/mfd/max8997.c +@@ -155,12 +155,6 @@ static struct max8997_platform_data *max8997_i2c_parse_dt_pdata( + + pd->ono = irq_of_parse_and_map(dev->of_node, 1); + +- /* +- * ToDo: the 'wakeup' member in the platform data is more of a linux +- * specfic information. Hence, there is no binding for that yet and +- * not parsed here. +- */ +- + return pd; + } + +@@ -248,7 +242,7 @@ static int max8997_i2c_probe(struct i2c_client *i2c, + */ + + /* MAX8997 has a power button input. */ +- device_init_wakeup(max8997->dev, pdata->wakeup); ++ device_init_wakeup(max8997->dev, true); + + return ret; + +diff --git a/include/linux/mfd/max8997.h b/include/linux/mfd/max8997.h +index cf815577bd686..3ae1fe743bc34 100644 +--- a/include/linux/mfd/max8997.h ++++ b/include/linux/mfd/max8997.h +@@ -178,7 +178,6 @@ struct max8997_led_platform_data { + struct max8997_platform_data { + /* IRQ */ + int ono; +- int wakeup; + + /* ---- PMIC ---- */ + struct max8997_regulator_data *regulators; +-- +2.20.1 + diff --git a/queue-4.9/mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch b/queue-4.9/mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch new file mode 100644 index 00000000000..45174ef7383 --- /dev/null +++ b/queue-4.9/mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch @@ -0,0 +1,60 @@ +From 63fcd757b1b5d05a4fb9347a5ada859a3bc322fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Aug 2018 17:02:40 -0300 +Subject: mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values + +From: Fabio Estevam + +[ Upstream commit 55143439b7b501882bea9d95a54adfe00ffc79a3 ] + +When trying to read any MC13892 ADC channel on a imx51-babbage board: + +The MC13892 PMIC shutdowns completely. + +After debugging this issue and comparing the MC13892 and MC13783 +initializations done in the vendor kernel, it was noticed that the +CHRGRAWDIV bit of the ADC0 register was not being set. + +This bit is set by default after power on, but the driver was +clearing it. + +After setting this bit it is possible to read the ADC values correctly. + +Signed-off-by: Fabio Estevam +Tested-by: Chris Healy +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mc13xxx-core.c | 3 ++- + include/linux/mfd/mc13xxx.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c +index 6c16f170529f5..75d52034f89da 100644 +--- a/drivers/mfd/mc13xxx-core.c ++++ b/drivers/mfd/mc13xxx-core.c +@@ -278,7 +278,8 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode, + if (ret) + goto out; + +- adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2; ++ adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2 | ++ MC13XXX_ADC0_CHRGRAWDIV; + adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC; + + if (channel > 7) +diff --git a/include/linux/mfd/mc13xxx.h b/include/linux/mfd/mc13xxx.h +index 638222e43e489..93011c61aafd2 100644 +--- a/include/linux/mfd/mc13xxx.h ++++ b/include/linux/mfd/mc13xxx.h +@@ -247,6 +247,7 @@ struct mc13xxx_platform_data { + #define MC13XXX_ADC0_TSMOD0 (1 << 12) + #define MC13XXX_ADC0_TSMOD1 (1 << 13) + #define MC13XXX_ADC0_TSMOD2 (1 << 14) ++#define MC13XXX_ADC0_CHRGRAWDIV (1 << 15) + #define MC13XXX_ADC0_ADINC1 (1 << 16) + #define MC13XXX_ADC0_ADINC2 (1 << 17) + +-- +2.20.1 + diff --git a/queue-4.9/misc-mic-fix-a-dma-pool-free-failure.patch b/queue-4.9/misc-mic-fix-a-dma-pool-free-failure.patch new file mode 100644 index 00000000000..4de77c5b9a6 --- /dev/null +++ b/queue-4.9/misc-mic-fix-a-dma-pool-free-failure.patch @@ -0,0 +1,54 @@ +From ee49698b283de968622355c24aaae7940e95779a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Oct 2018 18:38:28 -0500 +Subject: misc: mic: fix a DMA pool free failure + +From: Wenwen Wang + +[ Upstream commit 6b995f4eec34745f6cb20d66d5277611f0b3c3fa ] + +In _scif_prog_signal(), the boolean variable 'x100' is used to indicate +whether the MIC Coprocessor is X100. If 'x100' is true, the status +descriptor will be used to write the value to the destination. Otherwise, a +DMA pool will be allocated for this purpose. Specifically, if the DMA pool +is allocated successfully, two memory addresses will be returned. One is +for the CPU and the other is for the device to access the DMA pool. The +former is stored to the variable 'status' and the latter is stored to the +variable 'src'. After the allocation, the address in 'src' is saved to +'status->src_dma_addr', which is actually in the DMA pool, and 'src' is +then modified. + +Later on, if an error occurs, the execution flow will transfer to the label +'dma_fail', which will check 'x100' and free up the allocated DMA pool if +'x100' is false. The point here is that 'status->src_dma_addr' is used for +freeing up the DMA pool. As mentioned before, 'status->src_dma_addr' is in +the DMA pool. And thus, the device is able to modify this data. This can +potentially cause failures when freeing up the DMA pool because of the +modified device address. + +This patch avoids the above issue by using the variable 'src' (with +necessary calculation) to free up the DMA pool. + +Signed-off-by: Wenwen Wang +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/scif/scif_fence.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/mic/scif/scif_fence.c b/drivers/misc/mic/scif/scif_fence.c +index cac3bcc308a7e..7bb929f05d852 100644 +--- a/drivers/misc/mic/scif/scif_fence.c ++++ b/drivers/misc/mic/scif/scif_fence.c +@@ -272,7 +272,7 @@ static int _scif_prog_signal(scif_epd_t epd, dma_addr_t dst, u64 val) + dma_fail: + if (!x100) + dma_pool_free(ep->remote_dev->signal_pool, status, +- status->src_dma_addr); ++ src - offsetof(struct scif_status, val)); + alloc_fail: + return err; + } +-- +2.20.1 + diff --git a/queue-4.9/misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch b/queue-4.9/misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch new file mode 100644 index 00000000000..abda1340214 --- /dev/null +++ b/queue-4.9/misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch @@ -0,0 +1,70 @@ +From 10035449294e8f7834c1d2bf86cb00e16e988592 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Oct 2018 11:00:30 -0700 +Subject: mISDN: Fix type of switch control variable in ctrl_teimanager + +From: Nathan Chancellor + +[ Upstream commit aeb5e02aca91522733eb1db595ac607d30c87767 ] + +Clang warns (trimmed for brevity): + +drivers/isdn/mISDN/tei.c:1193:7: warning: overflow converting case value +to switch condition type (2147764552 to 18446744071562348872) [-Wswitch] + case IMHOLD_L1: + ^ +drivers/isdn/mISDN/tei.c:1187:7: warning: overflow converting case value +to switch condition type (2147764550 to 18446744071562348870) [-Wswitch] + case IMCLEAR_L2: + ^ +2 warnings generated. + +The root cause is that the _IOC macro can generate really large numbers, +which don't find into type int. My research into how GCC and Clang are +handling this at a low level didn't prove fruitful and surveying the +kernel tree shows that aside from here and a few places in the scsi +subsystem, everything that uses _IOC is at least of type 'unsigned int'. +Make that change here because as nothing in this function cares about +the signedness of the variable and it removes ambiguity, which is never +good when dealing with compilers. + +While we're here, remove the unnecessary local variable ret (just return +-EINVAL and 0 directly). + +Link: https://github.com/ClangBuiltLinux/linux/issues/67 +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/tei.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/isdn/mISDN/tei.c b/drivers/isdn/mISDN/tei.c +index 592f597d89518..8261afbbafb05 100644 +--- a/drivers/isdn/mISDN/tei.c ++++ b/drivers/isdn/mISDN/tei.c +@@ -1180,8 +1180,7 @@ static int + ctrl_teimanager(struct manager *mgr, void *arg) + { + /* currently we only have one option */ +- int *val = (int *)arg; +- int ret = 0; ++ unsigned int *val = (unsigned int *)arg; + + switch (val[0]) { + case IMCLEAR_L2: +@@ -1197,9 +1196,9 @@ ctrl_teimanager(struct manager *mgr, void *arg) + test_and_clear_bit(OPTION_L1_HOLD, &mgr->options); + break; + default: +- ret = -EINVAL; ++ return -EINVAL; + } +- return ret; ++ return 0; + } + + /* This function does create a L2 for fixed TEI in NT Mode */ +-- +2.20.1 + diff --git a/queue-4.9/mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch b/queue-4.9/mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch new file mode 100644 index 00000000000..1715935f15d --- /dev/null +++ b/queue-4.9/mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch @@ -0,0 +1,47 @@ +From f6835ab9034e37be557587b78ec6d7dc53406123 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 8 Apr 2019 12:07:17 +0800 +Subject: mm/memory_hotplug: Do not unlock when fails to take the + device_hotplug_lock + +From: zhong jiang + +[ Upstream commit d2ab99403ee00d8014e651728a4702ea1ae5e52c ] + +When adding the memory by probing memory block in sysfs interface, there is an +obvious issue that we will unlock the device_hotplug_lock when fails to takes it. + +That issue was introduced in Commit 8df1d0e4a265 +("mm/memory_hotplug: make add_memory() take the device_hotplug_lock") + +We should drop out in time when fails to take the device_hotplug_lock. + +Fixes: 8df1d0e4a265 ("mm/memory_hotplug: make add_memory() take the device_hotplug_lock") +Reported-by: Yang yingliang +Signed-off-by: zhong jiang +Reviewed-by: Oscar Salvador +Reviewed-by: David Hildenbrand +Acked-by: Michal Hocko +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/base/memory.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index 9f96f1b43c15f..6a3694a4843f8 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -502,7 +502,7 @@ memory_probe_store(struct device *dev, struct device_attribute *attr, + + ret = lock_device_hotplug_sysfs(); + if (ret) +- goto out; ++ return ret; + + nid = memory_add_physaddr_to_nid(phys_addr); + ret = __add_memory(nid, phys_addr, +-- +2.20.1 + diff --git a/queue-4.9/mm-memory_hotplug-make-add_memory-take-the-device_ho.patch b/queue-4.9/mm-memory_hotplug-make-add_memory-take-the-device_ho.patch new file mode 100644 index 00000000000..b3f462b7166 --- /dev/null +++ b/queue-4.9/mm-memory_hotplug-make-add_memory-take-the-device_ho.patch @@ -0,0 +1,215 @@ +From 9c196251d942b0555d572d60eb79b4a90fa980aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Oct 2018 15:10:24 -0700 +Subject: mm/memory_hotplug: make add_memory() take the device_hotplug_lock + +From: David Hildenbrand + +[ Upstream commit 8df1d0e4a265f25dc1e7e7624ccdbcb4a6630c89 ] + +add_memory() currently does not take the device_hotplug_lock, however +is aleady called under the lock from + arch/powerpc/platforms/pseries/hotplug-memory.c + drivers/acpi/acpi_memhotplug.c +to synchronize against CPU hot-remove and similar. + +In general, we should hold the device_hotplug_lock when adding memory to +synchronize against online/offline request (e.g. from user space) - which +already resulted in lock inversions due to device_lock() and +mem_hotplug_lock - see 30467e0b3be ("mm, hotplug: fix concurrent memory +hot-add deadlock"). add_memory()/add_memory_resource() will create memory +block devices, so this really feels like the right thing to do. + +Holding the device_hotplug_lock makes sure that a memory block device +can really only be accessed (e.g. via .online/.state) from user space, +once the memory has been fully added to the system. + +The lock is not held yet in + drivers/xen/balloon.c + arch/powerpc/platforms/powernv/memtrace.c + drivers/s390/char/sclp_cmd.c + drivers/hv/hv_balloon.c +So, let's either use the locked variants or take the lock. + +Don't export add_memory_resource(), as it once was exported to be used by +XEN, which is never built as a module. If somebody requires it, we also +have to export a locked variant (as device_hotplug_lock is never +exported). + +Link: http://lkml.kernel.org/r/20180925091457.28651-3-david@redhat.com +Signed-off-by: David Hildenbrand +Reviewed-by: Pavel Tatashin +Reviewed-by: Rafael J. Wysocki +Reviewed-by: Rashmica Gupta +Reviewed-by: Oscar Salvador +Cc: Benjamin Herrenschmidt +Cc: Paul Mackerras +Cc: Michael Ellerman +Cc: "Rafael J. Wysocki" +Cc: Len Brown +Cc: Greg Kroah-Hartman +Cc: Boris Ostrovsky +Cc: Juergen Gross +Cc: Nathan Fontenot +Cc: John Allen +Cc: Michal Hocko +Cc: Dan Williams +Cc: Joonsoo Kim +Cc: Vlastimil Babka +Cc: Mathieu Malaterre +Cc: Pavel Tatashin +Cc: YASUAKI ISHIMATSU +Cc: Balbir Singh +Cc: Haiyang Zhang +Cc: Heiko Carstens +Cc: Jonathan Corbet +Cc: Kate Stewart +Cc: "K. Y. Srinivasan" +Cc: Martin Schwidefsky +Cc: Michael Neuling +Cc: Philippe Ombredanne +Cc: Stephen Hemminger +Cc: Thomas Gleixner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + .../platforms/pseries/hotplug-memory.c | 2 +- + drivers/acpi/acpi_memhotplug.c | 2 +- + drivers/base/memory.c | 9 ++++++-- + drivers/xen/balloon.c | 3 +++ + include/linux/memory_hotplug.h | 1 + + mm/memory_hotplug.c | 22 ++++++++++++++++--- + 6 files changed, 32 insertions(+), 7 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c +index c0a0947f43bbb..656bbbd731d03 100644 +--- a/arch/powerpc/platforms/pseries/hotplug-memory.c ++++ b/arch/powerpc/platforms/pseries/hotplug-memory.c +@@ -616,7 +616,7 @@ static int dlpar_add_lmb(struct of_drconf_cell *lmb) + nid = memory_add_physaddr_to_nid(lmb->base_addr); + + /* Add the memory */ +- rc = add_memory(nid, lmb->base_addr, block_sz); ++ rc = __add_memory(nid, lmb->base_addr, block_sz); + if (rc) { + dlpar_remove_device_tree_lmb(lmb); + dlpar_release_drc(lmb->drc_index); +diff --git a/drivers/acpi/acpi_memhotplug.c b/drivers/acpi/acpi_memhotplug.c +index 6b0d3ef7309cb..2ccfbb61ca899 100644 +--- a/drivers/acpi/acpi_memhotplug.c ++++ b/drivers/acpi/acpi_memhotplug.c +@@ -228,7 +228,7 @@ static int acpi_memory_enable_device(struct acpi_memory_device *mem_device) + if (node < 0) + node = memory_add_physaddr_to_nid(info->start_addr); + +- result = add_memory(node, info->start_addr, info->length); ++ result = __add_memory(node, info->start_addr, info->length); + + /* + * If the memory block has been used by the kernel, add_memory() +diff --git a/drivers/base/memory.c b/drivers/base/memory.c +index c5cdd190b7816..9f96f1b43c15f 100644 +--- a/drivers/base/memory.c ++++ b/drivers/base/memory.c +@@ -500,15 +500,20 @@ memory_probe_store(struct device *dev, struct device_attribute *attr, + if (phys_addr & ((pages_per_block << PAGE_SHIFT) - 1)) + return -EINVAL; + ++ ret = lock_device_hotplug_sysfs(); ++ if (ret) ++ goto out; ++ + nid = memory_add_physaddr_to_nid(phys_addr); +- ret = add_memory(nid, phys_addr, +- MIN_MEMORY_BLOCK_SIZE * sections_per_block); ++ ret = __add_memory(nid, phys_addr, ++ MIN_MEMORY_BLOCK_SIZE * sections_per_block); + + if (ret) + goto out; + + ret = count; + out: ++ unlock_device_hotplug(); + return ret; + } + +diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c +index 6af117af97804..731cf54f75c65 100644 +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -358,7 +358,10 @@ static enum bp_state reserve_additional_memory(void) + * callers drop the mutex before trying again. + */ + mutex_unlock(&balloon_mutex); ++ /* add_memory_resource() requires the device_hotplug lock */ ++ lock_device_hotplug(); + rc = add_memory_resource(nid, resource, memhp_auto_online); ++ unlock_device_hotplug(); + mutex_lock(&balloon_mutex); + + if (rc) { +diff --git a/include/linux/memory_hotplug.h b/include/linux/memory_hotplug.h +index 134a2f69c21ab..9469eef300952 100644 +--- a/include/linux/memory_hotplug.h ++++ b/include/linux/memory_hotplug.h +@@ -272,6 +272,7 @@ static inline void remove_memory(int nid, u64 start, u64 size) {} + + extern int walk_memory_range(unsigned long start_pfn, unsigned long end_pfn, + void *arg, int (*func)(struct memory_block *, void *)); ++extern int __add_memory(int nid, u64 start, u64 size); + extern int add_memory(int nid, u64 start, u64 size); + extern int add_memory_resource(int nid, struct resource *resource, bool online); + extern int zone_for_memory(int nid, u64 start, u64 size, int zone_default, +diff --git a/mm/memory_hotplug.c b/mm/memory_hotplug.c +index b4c8d7b9ab820..449999657c0bb 100644 +--- a/mm/memory_hotplug.c ++++ b/mm/memory_hotplug.c +@@ -1340,7 +1340,12 @@ static int online_memory_block(struct memory_block *mem, void *arg) + return memory_block_change_state(mem, MEM_ONLINE, MEM_OFFLINE); + } + +-/* we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG */ ++/* ++ * NOTE: The caller must call lock_device_hotplug() to serialize hotplug ++ * and online/offline operations (triggered e.g. by sysfs). ++ * ++ * we are OK calling __meminit stuff here - we have CONFIG_MEMORY_HOTPLUG ++ */ + int __ref add_memory_resource(int nid, struct resource *res, bool online) + { + u64 start, size; +@@ -1418,9 +1423,9 @@ int __ref add_memory_resource(int nid, struct resource *res, bool online) + mem_hotplug_done(); + return ret; + } +-EXPORT_SYMBOL_GPL(add_memory_resource); + +-int __ref add_memory(int nid, u64 start, u64 size) ++/* requires device_hotplug_lock, see add_memory_resource() */ ++int __ref __add_memory(int nid, u64 start, u64 size) + { + struct resource *res; + int ret; +@@ -1434,6 +1439,17 @@ int __ref add_memory(int nid, u64 start, u64 size) + release_memory_resource(res); + return ret; + } ++ ++int add_memory(int nid, u64 start, u64 size) ++{ ++ int rc; ++ ++ lock_device_hotplug(); ++ rc = __add_memory(nid, start, size); ++ unlock_device_hotplug(); ++ ++ return rc; ++} + EXPORT_SYMBOL_GPL(add_memory); + + #ifdef CONFIG_MEMORY_HOTREMOVE +-- +2.20.1 + diff --git a/queue-4.9/mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch b/queue-4.9/mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch new file mode 100644 index 00000000000..38276468c3b --- /dev/null +++ b/queue-4.9/mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch @@ -0,0 +1,248 @@ +From e08dbf2302939c517b97f5c5c0e282e8df94a5b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Oct 2018 15:09:45 -0700 +Subject: mm/page-writeback.c: fix range_cyclic writeback vs writepages + deadlock + +From: Dave Chinner + +[ Upstream commit 64081362e8ff4587b4554087f3cfc73d3e0a4cd7 ] + +We've recently seen a workload on XFS filesystems with a repeatable +deadlock between background writeback and a multi-process application +doing concurrent writes and fsyncs to a small range of a file. + +range_cyclic +writeback Process 1 Process 2 + +xfs_vm_writepages + write_cache_pages + writeback_index = 2 + cycled = 0 + .... + find page 2 dirty + lock Page 2 + ->writepage + page 2 writeback + page 2 clean + page 2 added to bio + no more pages + write() + locks page 1 + dirties page 1 + locks page 2 + dirties page 1 + fsync() + .... + xfs_vm_writepages + write_cache_pages + start index 0 + find page 1 towrite + lock Page 1 + ->writepage + page 1 writeback + page 1 clean + page 1 added to bio + find page 2 towrite + lock Page 2 + page 2 is writeback + + write() + locks page 1 + dirties page 1 + fsync() + .... + xfs_vm_writepages + write_cache_pages + start index 0 + + !done && !cycled + sets index to 0, restarts lookup + find page 1 dirty + find page 1 towrite + lock Page 1 + page 1 is writeback + + + lock Page 1 + + +DEADLOCK because: + + - process 1 needs page 2 writeback to complete to make + enough progress to issue IO pending for page 1 + - writeback needs page 1 writeback to complete so process 2 + can progress and unlock the page it is blocked on, then it + can issue the IO pending for page 2 + - process 2 can't make progress until process 1 issues IO + for page 1 + +The underlying cause of the problem here is that range_cyclic writeback is +processing pages in descending index order as we hold higher index pages +in a structure controlled from above write_cache_pages(). The +write_cache_pages() caller needs to be able to submit these pages for IO +before write_cache_pages restarts writeback at mapping index 0 to avoid +wcp inverting the page lock/writeback wait order. + +generic_writepages() is not susceptible to this bug as it has no private +context held across write_cache_pages() - filesystems using this +infrastructure always submit pages in ->writepage immediately and so there +is no problem with range_cyclic going back to mapping index 0. + +However: + mpage_writepages() has a private bio context, + exofs_writepages() has page_collect + fuse_writepages() has fuse_fill_wb_data + nfs_writepages() has nfs_pageio_descriptor + xfs_vm_writepages() has xfs_writepage_ctx + +All of these ->writepages implementations can hold pages under writeback +in their private structures until write_cache_pages() returns, and hence +they are all susceptible to this deadlock. + +Also worth noting is that ext4 has it's own bastardised version of +write_cache_pages() and so it /may/ have an equivalent deadlock. I looked +at the code long enough to understand that it has a similar retry loop for +range_cyclic writeback reaching the end of the file and then promptly ran +away before my eyes bled too much. I'll leave it for the ext4 developers +to determine if their code is actually has this deadlock and how to fix it +if it has. + +There's a few ways I can see avoid this deadlock. There's probably more, +but these are the first I've though of: + +1. get rid of range_cyclic altogether + +2. range_cyclic always stops at EOF, and we start again from +writeback index 0 on the next call into write_cache_pages() + +2a. wcp also returns EAGAIN to ->writepages implementations to +indicate range cyclic has hit EOF. writepages implementations can +then flush the current context and call wpc again to continue. i.e. +lift the retry into the ->writepages implementation + +3. range_cyclic uses trylock_page() rather than lock_page(), and it +skips pages it can't lock without blocking. It will already do this +for pages under writeback, so this seems like a no-brainer + +3a. all non-WB_SYNC_ALL writeback uses trylock_page() to avoid +blocking as per pages under writeback. + +I don't think #1 is an option - range_cyclic prevents frequently +dirtied lower file offset from starving background writeback of +rarely touched higher file offsets. + +#2 is simple, and I don't think it will have any impact on +performance as going back to the start of the file implies an +immediate seek. We'll have exactly the same number of seeks if we +switch writeback to another inode, and then come back to this one +later and restart from index 0. + +#2a is pretty much "status quo without the deadlock". Moving the +retry loop up into the wcp caller means we can issue IO on the +pending pages before calling wcp again, and so avoid locking or +waiting on pages in the wrong order. I'm not convinced we need to do +this given that we get the same thing from #2 on the next writeback +call from the writeback infrastructure. + +#3 is really just a band-aid - it doesn't fix the access/wait +inversion problem, just prevents it from becoming a deadlock +situation. I'd prefer we fix the inversion, not sweep it under the +carpet like this. + +#3a is really an optimisation that just so happens to include the +band-aid fix of #3. + +So it seems that the simplest way to fix this issue is to implement +solution #2 + +Link: http://lkml.kernel.org/r/20181005054526.21507-1-david@fromorbit.com +Signed-off-by: Dave Chinner +Reviewed-by: Jan Kara +Cc: Nicholas Piggin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + mm/page-writeback.c | 33 +++++++++++++++------------------ + 1 file changed, 15 insertions(+), 18 deletions(-) + +diff --git a/mm/page-writeback.c b/mm/page-writeback.c +index 281a46aeae61d..f6a376a510995 100644 +--- a/mm/page-writeback.c ++++ b/mm/page-writeback.c +@@ -2141,6 +2141,13 @@ EXPORT_SYMBOL(tag_pages_for_writeback); + * not miss some pages (e.g., because some other process has cleared TOWRITE + * tag we set). The rule we follow is that TOWRITE tag can be cleared only + * by the process clearing the DIRTY tag (and submitting the page for IO). ++ * ++ * To avoid deadlocks between range_cyclic writeback and callers that hold ++ * pages in PageWriteback to aggregate IO until write_cache_pages() returns, ++ * we do not loop back to the start of the file. Doing so causes a page ++ * lock/page writeback access order inversion - we should only ever lock ++ * multiple pages in ascending page->index order, and looping back to the start ++ * of the file violates that rule and causes deadlocks. + */ + int write_cache_pages(struct address_space *mapping, + struct writeback_control *wbc, writepage_t writepage, +@@ -2155,7 +2162,6 @@ int write_cache_pages(struct address_space *mapping, + pgoff_t index; + pgoff_t end; /* Inclusive */ + pgoff_t done_index; +- int cycled; + int range_whole = 0; + int tag; + +@@ -2163,23 +2169,17 @@ int write_cache_pages(struct address_space *mapping, + if (wbc->range_cyclic) { + writeback_index = mapping->writeback_index; /* prev offset */ + index = writeback_index; +- if (index == 0) +- cycled = 1; +- else +- cycled = 0; + end = -1; + } else { + index = wbc->range_start >> PAGE_SHIFT; + end = wbc->range_end >> PAGE_SHIFT; + if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) + range_whole = 1; +- cycled = 1; /* ignore range_cyclic tests */ + } + if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages) + tag = PAGECACHE_TAG_TOWRITE; + else + tag = PAGECACHE_TAG_DIRTY; +-retry: + if (wbc->sync_mode == WB_SYNC_ALL || wbc->tagged_writepages) + tag_pages_for_writeback(mapping, index, end); + done_index = index; +@@ -2287,17 +2287,14 @@ int write_cache_pages(struct address_space *mapping, + pagevec_release(&pvec); + cond_resched(); + } +- if (!cycled && !done) { +- /* +- * range_cyclic: +- * We hit the last page and there is more work to be done: wrap +- * back to the start of the file +- */ +- cycled = 1; +- index = 0; +- end = writeback_index - 1; +- goto retry; +- } ++ ++ /* ++ * If we hit the last page and there is more work to be done: wrap ++ * back the index back to the start of the file for the next ++ * time we are called. ++ */ ++ if (wbc->range_cyclic && !done) ++ done_index = 0; + if (wbc->range_cyclic || (range_whole && wbc->nr_to_write > 0)) + mapping->writeback_index = done_index; + +-- +2.20.1 + diff --git a/queue-4.9/mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch b/queue-4.9/mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch new file mode 100644 index 00000000000..eed1ffcb469 --- /dev/null +++ b/queue-4.9/mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch @@ -0,0 +1,46 @@ +From 328078f72e1f9cd36365e970c37f1de7145cf7a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Oct 2018 15:20:47 +0800 +Subject: mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready + fail + +From: Chaotian Jing + +[ Upstream commit f38a9774ddde9d79b3487dd888edd8b8623552af ] + +when msdc_cmd_is_ready return fail, the req_timeout work has not been +inited and cancel_delayed_work() will return false, then, the request +return directly and never call mmc_request_done(). + +so need call mod_delayed_work() before msdc_cmd_is_ready() + +Signed-off-by: Chaotian Jing +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mtk-sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mtk-sd.c b/drivers/mmc/host/mtk-sd.c +index 6f9535e5e584b..7fc6ce3811421 100644 +--- a/drivers/mmc/host/mtk-sd.c ++++ b/drivers/mmc/host/mtk-sd.c +@@ -870,6 +870,7 @@ static void msdc_start_command(struct msdc_host *host, + WARN_ON(host->cmd); + host->cmd = cmd; + ++ mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT); + if (!msdc_cmd_is_ready(host, mrq, cmd)) + return; + +@@ -881,7 +882,6 @@ static void msdc_start_command(struct msdc_host *host, + + cmd->error = 0; + rawcmd = msdc_cmd_prepare_raw_cmd(host, mrq, cmd); +- mod_delayed_work(system_wq, &host->req_timeout, DAT_TIMEOUT); + + sdr_set_bits(host->base + MSDC_INTEN, cmd_ints_mask); + writel(cmd->arg, host->base + SDC_ARG); +-- +2.20.1 + diff --git a/queue-4.9/mwifiex-fix-nl80211_tx_power_limited.patch b/queue-4.9/mwifiex-fix-nl80211_tx_power_limited.patch new file mode 100644 index 00000000000..dd46b779b85 --- /dev/null +++ b/queue-4.9/mwifiex-fix-nl80211_tx_power_limited.patch @@ -0,0 +1,117 @@ +From 52d8eab10243e3c2e54db6f8aabe15cbab23192d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Feb 2019 15:59:38 +0200 +Subject: mwifiex: Fix NL80211_TX_POWER_LIMITED + +From: Adrian Bunk + +[ Upstream commit 65a576e27309120e0621f54d5c81eb9128bd56be ] + +NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC, +which is the opposite of what should happen and can cause nasty +regulatory problems. + +if/else converted to a switch without default to make gcc warn +on unhandled enum values. + +Signed-off-by: Adrian Bunk +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/cfg80211.c | 13 +++++++++++-- + drivers/net/wireless/marvell/mwifiex/ioctl.h | 1 + + drivers/net/wireless/marvell/mwifiex/sta_ioctl.c | 11 +++++++---- + 3 files changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +index 46d0099fd6e82..94901b0041cec 100644 +--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c +@@ -364,11 +364,20 @@ mwifiex_cfg80211_set_tx_power(struct wiphy *wiphy, + struct mwifiex_power_cfg power_cfg; + int dbm = MBM_TO_DBM(mbm); + +- if (type == NL80211_TX_POWER_FIXED) { ++ switch (type) { ++ case NL80211_TX_POWER_FIXED: + power_cfg.is_power_auto = 0; ++ power_cfg.is_power_fixed = 1; + power_cfg.power_level = dbm; +- } else { ++ break; ++ case NL80211_TX_POWER_LIMITED: ++ power_cfg.is_power_auto = 0; ++ power_cfg.is_power_fixed = 0; ++ power_cfg.power_level = dbm; ++ break; ++ case NL80211_TX_POWER_AUTOMATIC: + power_cfg.is_power_auto = 1; ++ break; + } + + priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY); +diff --git a/drivers/net/wireless/marvell/mwifiex/ioctl.h b/drivers/net/wireless/marvell/mwifiex/ioctl.h +index 536ab834b1262..729a69f88a481 100644 +--- a/drivers/net/wireless/marvell/mwifiex/ioctl.h ++++ b/drivers/net/wireless/marvell/mwifiex/ioctl.h +@@ -265,6 +265,7 @@ struct mwifiex_ds_encrypt_key { + + struct mwifiex_power_cfg { + u32 is_power_auto; ++ u32 is_power_fixed; + u32 power_level; + }; + +diff --git a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +index 7f9645703d968..478885afb6c6b 100644 +--- a/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c ++++ b/drivers/net/wireless/marvell/mwifiex/sta_ioctl.c +@@ -728,6 +728,9 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, + txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; + txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET); + if (!power_cfg->is_power_auto) { ++ u16 dbm_min = power_cfg->is_power_fixed ? ++ dbm : priv->min_tx_power_level; ++ + txp_cfg->mode = cpu_to_le32(1); + pg_tlv = (struct mwifiex_types_power_group *) + (buf + sizeof(struct host_cmd_ds_txpwr_cfg)); +@@ -742,7 +745,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, + pg->last_rate_code = 0x03; + pg->modulation_class = MOD_CLASS_HR_DSSS; + pg->power_step = 0; +- pg->power_min = (s8) dbm; ++ pg->power_min = (s8) dbm_min; + pg->power_max = (s8) dbm; + pg++; + /* Power group for modulation class OFDM */ +@@ -750,7 +753,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, + pg->last_rate_code = 0x07; + pg->modulation_class = MOD_CLASS_OFDM; + pg->power_step = 0; +- pg->power_min = (s8) dbm; ++ pg->power_min = (s8) dbm_min; + pg->power_max = (s8) dbm; + pg++; + /* Power group for modulation class HTBW20 */ +@@ -758,7 +761,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, + pg->last_rate_code = 0x20; + pg->modulation_class = MOD_CLASS_HT; + pg->power_step = 0; +- pg->power_min = (s8) dbm; ++ pg->power_min = (s8) dbm_min; + pg->power_max = (s8) dbm; + pg->ht_bandwidth = HT_BW_20; + pg++; +@@ -767,7 +770,7 @@ int mwifiex_set_tx_power(struct mwifiex_private *priv, + pg->last_rate_code = 0x20; + pg->modulation_class = MOD_CLASS_HT; + pg->power_step = 0; +- pg->power_min = (s8) dbm; ++ pg->power_min = (s8) dbm_min; + pg->power_max = (s8) dbm; + pg->ht_bandwidth = HT_BW_40; + } +-- +2.20.1 + diff --git a/queue-4.9/net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch b/queue-4.9/net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch new file mode 100644 index 00000000000..1f0f5284a5a --- /dev/null +++ b/queue-4.9/net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch @@ -0,0 +1,41 @@ +From ad3b995fba69b720a646a76d24a1261cb6923373 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Nov 2018 02:08:43 +0000 +Subject: net: bcmgenet: return correct value 'ret' from bcmgenet_power_down + +From: YueHaibing + +[ Upstream commit 0db55093b56618088b9a1d445eb6e43b311bea33 ] + +Fixes gcc '-Wunused-but-set-variable' warning: + +drivers/net/ethernet/broadcom/genet/bcmgenet.c: In function 'bcmgenet_power_down': +drivers/net/ethernet/broadcom/genet/bcmgenet.c:1136:6: warning: + variable 'ret' set but not used [-Wunused-but-set-variable] + +bcmgenet_power_down should return 'ret' instead of 0. + +Fixes: ca8cf341903f ("net: bcmgenet: propagate errors from bcmgenet_power_down") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 4a4782b3cc1b1..a234044805977 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1078,7 +1078,7 @@ static int bcmgenet_power_down(struct bcmgenet_priv *priv, + break; + } + +- return 0; ++ return ret; + } + + static void bcmgenet_power_up(struct bcmgenet_priv *priv, +-- +2.20.1 + diff --git a/queue-4.9/net-do-not-abort-bulk-send-on-bql-status.patch b/queue-4.9/net-do-not-abort-bulk-send-on-bql-status.patch new file mode 100644 index 00000000000..0c45f49ac68 --- /dev/null +++ b/queue-4.9/net-do-not-abort-bulk-send-on-bql-status.patch @@ -0,0 +1,51 @@ +From 99eed3c5aba0f22a9a71be0d60862bbd5e95d3f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 08:39:13 -0700 +Subject: net: do not abort bulk send on BQL status + +From: Eric Dumazet + +[ Upstream commit fe60faa5063822f2d555f4f326c7dd72a60929bf ] + +Before calling dev_hard_start_xmit(), upper layers tried +to cook optimal skb list based on BQL budget. + +Problem is that GSO packets can end up comsuming more than +the BQL budget. + +Breaking the loop is not useful, since requeued packets +are ahead of any packets still in the qdisc. + +It is also more expensive, since next TX completion will +push these packets later, while skbs are not in cpu caches. + +It is also a behavior difference with TSO packets, that can +break the BQL limit by a large amount. + +Note that drivers should use __netdev_tx_sent_queue() +in order to have optimal xmit_more support, and avoid +useless atomic operations as shown in the following patch. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/dev.c b/net/core/dev.c +index 547b4daae5cad..c6fb7e61cb405 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2997,7 +2997,7 @@ struct sk_buff *dev_hard_start_xmit(struct sk_buff *first, struct net_device *de + } + + skb = next; +- if (netif_xmit_stopped(txq) && skb) { ++ if (netif_tx_queue_stopped(txq) && skb) { + rc = NETDEV_TX_BUSY; + break; + } +-- +2.20.1 + diff --git a/queue-4.9/net-ena-fix-kconfig-dependency-on-x86.patch b/queue-4.9/net-ena-fix-kconfig-dependency-on-x86.patch new file mode 100644 index 00000000000..4bc7e9eaac5 --- /dev/null +++ b/queue-4.9/net-ena-fix-kconfig-dependency-on-x86.patch @@ -0,0 +1,37 @@ +From b28c51d3164cd6305767ce56177e7f1f0f9fae40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Oct 2018 10:04:21 +0000 +Subject: net: ena: Fix Kconfig dependency on X86 + +From: Netanel Belgazal + +[ Upstream commit 8c590f9776386b8f697fd0b7ed6142ae6e3de79e ] + +The Kconfig limitation of X86 is to too wide. +The ENA driver only requires a little endian dependency. + +Change the dependency to be on little endian CPU. + +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amazon/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/amazon/Kconfig b/drivers/net/ethernet/amazon/Kconfig +index 99b30353541ab..9e87d7b8360f5 100644 +--- a/drivers/net/ethernet/amazon/Kconfig ++++ b/drivers/net/ethernet/amazon/Kconfig +@@ -17,7 +17,7 @@ if NET_VENDOR_AMAZON + + config ENA_ETHERNET + tristate "Elastic Network Adapter (ENA) support" +- depends on (PCI_MSI && X86) ++ depends on PCI_MSI && !CPU_BIG_ENDIAN + ---help--- + This driver supports Elastic Network Adapter (ENA)" + +-- +2.20.1 + diff --git a/queue-4.9/net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch b/queue-4.9/net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch new file mode 100644 index 00000000000..c846ca2412c --- /dev/null +++ b/queue-4.9/net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch @@ -0,0 +1,43 @@ +From a352005dd0d3ae7488f846f4db1c9ddc5130ea72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Oct 2018 21:51:36 +0300 +Subject: net: ethernet: ti: cpsw: unsync mcast entries while switch promisc + mode + +From: Ivan Khoronzhuk + +[ Upstream commit 9737cc99dd14b5b8b9d267618a6061feade8ea68 ] + +After flushing all mcast entries from the table, the ones contained in +mc list of ndev are not restored when promisc mode is toggled off, +because they are considered as synched with ALE, thus, in order to +restore them after promisc mode - reset syncing info. This fix +touches only switch mode devices, including single port boards +like Beagle Bone. + +Fixes: commit 5da1948969bc +("net: ethernet: ti: cpsw: fix lost of mcast packets while rx_mode update") + +Signed-off-by: Ivan Khoronzhuk +Reviewed-by: Grygorii Strashko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/cpsw.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/ti/cpsw.c b/drivers/net/ethernet/ti/cpsw.c +index d7cb205fe7e26..892b06852e150 100644 +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -590,6 +590,7 @@ static void cpsw_set_promiscious(struct net_device *ndev, bool enable) + + /* Clear all mcast from ALE */ + cpsw_ale_flush_multicast(ale, ALE_ALL_PORTS, -1); ++ __dev_mc_unsync(ndev, NULL); + + /* Flood All Unicast Packets to Host port */ + cpsw_ale_control_set(ale, 0, ALE_P0_UNI_FLOOD, 1); +-- +2.20.1 + diff --git a/queue-4.9/net-fix-warning-in-af_unix.patch b/queue-4.9/net-fix-warning-in-af_unix.patch new file mode 100644 index 00000000000..4e23d4535fe --- /dev/null +++ b/queue-4.9/net-fix-warning-in-af_unix.patch @@ -0,0 +1,37 @@ +From c90cd3c7ef7d69fe04d38c263e8adf3163961e8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 14:57:26 +0900 +Subject: net: fix warning in af_unix + +From: Kyeongdon Kim + +[ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ] + +This fixes the "'hash' may be used uninitialized in this function" + +net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized] + addr->hash = hash ^ sk->sk_type; + +Signed-off-by: Kyeongdon Kim +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/unix/af_unix.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index cecf51a5aec4f..32ae82a5596d9 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -224,6 +224,8 @@ static inline void unix_release_addr(struct unix_address *addr) + + static int unix_mkname(struct sockaddr_un *sunaddr, int len, unsigned int *hashp) + { ++ *hashp = 0; ++ + if (len <= sizeof(short) || len > sizeof(*sunaddr)) + return -EINVAL; + if (!sunaddr || sunaddr->sun_family != AF_UNIX) +-- +2.20.1 + diff --git a/queue-4.9/ntb-intel-fix-return-value-for-ndev_vec_mask.patch b/queue-4.9/ntb-intel-fix-return-value-for-ndev_vec_mask.patch new file mode 100644 index 00000000000..6b2fa6f1293 --- /dev/null +++ b/queue-4.9/ntb-intel-fix-return-value-for-ndev_vec_mask.patch @@ -0,0 +1,39 @@ +From 371b94ae3eafef4ff4361718e2d39ac9b5e3f163 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Aug 2018 17:13:59 -0700 +Subject: ntb: intel: fix return value for ndev_vec_mask() + +From: Dave Jiang + +[ Upstream commit 7756e2b5d68c36e170a111dceea22f7365f83256 ] + +ndev_vec_mask() should be returning u64 mask value instead of int. +Otherwise the mask value returned can be incorrect for larger +vectors. + +Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") + +Signed-off-by: Dave Jiang +Tested-by: Lucas Van +Signed-off-by: Jon Mason +Signed-off-by: Sasha Levin +--- + drivers/ntb/hw/intel/ntb_hw_intel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ntb/hw/intel/ntb_hw_intel.c b/drivers/ntb/hw/intel/ntb_hw_intel.c +index 7310a261c858b..e175cbeba266f 100644 +--- a/drivers/ntb/hw/intel/ntb_hw_intel.c ++++ b/drivers/ntb/hw/intel/ntb_hw_intel.c +@@ -330,7 +330,7 @@ static inline int ndev_db_clear_mask(struct intel_ntb_dev *ndev, u64 db_bits, + return 0; + } + +-static inline int ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector) ++static inline u64 ndev_vec_mask(struct intel_ntb_dev *ndev, int db_vector) + { + u64 shift, mask; + +-- +2.20.1 + diff --git a/queue-4.9/ntb_netdev-fix-sleep-time-mismatch.patch b/queue-4.9/ntb_netdev-fix-sleep-time-mismatch.patch new file mode 100644 index 00000000000..54184dffad4 --- /dev/null +++ b/queue-4.9/ntb_netdev-fix-sleep-time-mismatch.patch @@ -0,0 +1,38 @@ +From c30b4abdf56e3476c4a53a64d46aca69aecc5f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jun 2018 16:13:12 -0400 +Subject: ntb_netdev: fix sleep time mismatch + +From: Jon Mason + +[ Upstream commit a861594b1b7ffd630f335b351c4e9f938feadb8e ] + +The tx_time should be in usecs (according to the comment above the +variable), but the setting of the timer during the rearming is done in +msecs. Change it to match the expected units. + +Fixes: e74bfeedad08 ("NTB: Add flow control to the ntb_netdev") +Suggested-by: Gerd W. Haeussler +Signed-off-by: Jon Mason +Acked-by: Dave Jiang +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index a9acf71568555..03009f1becddc 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -236,7 +236,7 @@ static void ntb_netdev_tx_timer(unsigned long data) + struct ntb_netdev *dev = netdev_priv(ndev); + + if (ntb_transport_tx_free_entry(dev->qp) < tx_stop) { +- mod_timer(&dev->tx_timer, jiffies + msecs_to_jiffies(tx_time)); ++ mod_timer(&dev->tx_timer, jiffies + usecs_to_jiffies(tx_time)); + } else { + /* Make sure anybody stopping the queue after this sees the new + * value of ntb_transport_tx_free_entry() +-- +2.20.1 + diff --git a/queue-4.9/ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch b/queue-4.9/ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch new file mode 100644 index 00000000000..c82ae1135d5 --- /dev/null +++ b/queue-4.9/ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch @@ -0,0 +1,216 @@ +From a4a4e4a1e02dc02383268b8254d057d2563a12cd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Nov 2018 15:48:19 -0700 +Subject: ocfs2: don't put and assigning null to bh allocated outside + +From: Changwei Ge + +[ Upstream commit cf76c78595ca87548ca5e45c862ac9e0949c4687 ] + +ocfs2_read_blocks() and ocfs2_read_blocks_sync() are both used to read +several blocks from disk. Currently, the input argument *bhs* can be +NULL or NOT. It depends on the caller's behavior. If the function +fails in reading blocks from disk, the corresponding bh will be assigned +to NULL and put. + +Obviously, above process for non-NULL input bh is not appropriate. +Because the caller doesn't even know its bhs are put and re-assigned. + +If buffer head is managed by caller, ocfs2_read_blocks and +ocfs2_read_blocks_sync() should not evaluate it to NULL. It will cause +caller accessing illegal memory, thus crash. + +Link: http://lkml.kernel.org/r/HK2PR06MB045285E0F4FBB561F9F2F9B3D5680@HK2PR06MB0452.apcprd06.prod.outlook.com +Signed-off-by: Changwei Ge +Reviewed-by: Guozhonghua +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/buffer_head_io.c | 77 ++++++++++++++++++++++++++++++--------- + 1 file changed, 59 insertions(+), 18 deletions(-) + +diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c +index 935bac253991b..1403c88f2b053 100644 +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -98,25 +98,34 @@ int ocfs2_write_block(struct ocfs2_super *osb, struct buffer_head *bh, + return ret; + } + ++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it ++ * will be easier to handle read failure. ++ */ + int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + unsigned int nr, struct buffer_head *bhs[]) + { + int status = 0; + unsigned int i; + struct buffer_head *bh; ++ int new_bh = 0; + + trace_ocfs2_read_blocks_sync((unsigned long long)block, nr); + + if (!nr) + goto bail; + ++ /* Don't put buffer head and re-assign it to NULL if it is allocated ++ * outside since the caller can't be aware of this alternation! ++ */ ++ new_bh = (bhs[0] == NULL); ++ + for (i = 0 ; i < nr ; i++) { + if (bhs[i] == NULL) { + bhs[i] = sb_getblk(osb->sb, block++); + if (bhs[i] == NULL) { + status = -ENOMEM; + mlog_errno(status); +- goto bail; ++ break; + } + } + bh = bhs[i]; +@@ -156,9 +165,26 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + submit_bh(REQ_OP_READ, 0, bh); + } + ++read_failure: + for (i = nr; i > 0; i--) { + bh = bhs[i - 1]; + ++ if (unlikely(status)) { ++ if (new_bh && bh) { ++ /* If middle bh fails, let previous bh ++ * finish its read and then put it to ++ * aovoid bh leak ++ */ ++ if (!buffer_jbd(bh)) ++ wait_on_buffer(bh); ++ put_bh(bh); ++ bhs[i - 1] = NULL; ++ } else if (bh && buffer_uptodate(bh)) { ++ clear_buffer_uptodate(bh); ++ } ++ continue; ++ } ++ + /* No need to wait on the buffer if it's managed by JBD. */ + if (!buffer_jbd(bh)) + wait_on_buffer(bh); +@@ -168,8 +194,7 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + * so we can safely record this and loop back + * to cleanup the other buffers. */ + status = -EIO; +- put_bh(bh); +- bhs[i - 1] = NULL; ++ goto read_failure; + } + } + +@@ -177,6 +202,9 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + return status; + } + ++/* Caller must provide a bhs[] with all NULL or non-NULL entries, so it ++ * will be easier to handle read failure. ++ */ + int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + struct buffer_head *bhs[], int flags, + int (*validate)(struct super_block *sb, +@@ -186,6 +214,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + int i, ignore_cache = 0; + struct buffer_head *bh; + struct super_block *sb = ocfs2_metadata_cache_get_super(ci); ++ int new_bh = 0; + + trace_ocfs2_read_blocks_begin(ci, (unsigned long long)block, nr, flags); + +@@ -211,6 +240,11 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + goto bail; + } + ++ /* Don't put buffer head and re-assign it to NULL if it is allocated ++ * outside since the caller can't be aware of this alternation! ++ */ ++ new_bh = (bhs[0] == NULL); ++ + ocfs2_metadata_cache_io_lock(ci); + for (i = 0 ; i < nr ; i++) { + if (bhs[i] == NULL) { +@@ -219,7 +253,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + ocfs2_metadata_cache_io_unlock(ci); + status = -ENOMEM; + mlog_errno(status); +- goto bail; ++ /* Don't forget to put previous bh! */ ++ break; + } + } + bh = bhs[i]; +@@ -313,16 +348,27 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + } + } + +- status = 0; +- ++read_failure: + for (i = (nr - 1); i >= 0; i--) { + bh = bhs[i]; + + if (!(flags & OCFS2_BH_READAHEAD)) { +- if (status) { +- /* Clear the rest of the buffers on error */ +- put_bh(bh); +- bhs[i] = NULL; ++ if (unlikely(status)) { ++ /* Clear the buffers on error including those ++ * ever succeeded in reading ++ */ ++ if (new_bh && bh) { ++ /* If middle bh fails, let previous bh ++ * finish its read and then put it to ++ * aovoid bh leak ++ */ ++ if (!buffer_jbd(bh)) ++ wait_on_buffer(bh); ++ put_bh(bh); ++ bhs[i] = NULL; ++ } else if (bh && buffer_uptodate(bh)) { ++ clear_buffer_uptodate(bh); ++ } + continue; + } + /* We know this can't have changed as we hold the +@@ -340,9 +386,7 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + * uptodate. */ + status = -EIO; + clear_buffer_needs_validate(bh); +- put_bh(bh); +- bhs[i] = NULL; +- continue; ++ goto read_failure; + } + + if (buffer_needs_validate(bh)) { +@@ -352,11 +396,8 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + BUG_ON(buffer_jbd(bh)); + clear_buffer_needs_validate(bh); + status = validate(sb, bh); +- if (status) { +- put_bh(bh); +- bhs[i] = NULL; +- continue; +- } ++ if (status) ++ goto read_failure; + } + } + +-- +2.20.1 + diff --git a/queue-4.9/ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch b/queue-4.9/ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch new file mode 100644 index 00000000000..4c5b1f02b82 --- /dev/null +++ b/queue-4.9/ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch @@ -0,0 +1,84 @@ +From 401b6345c34bb7bd83a391213e072f9a4cdbce2b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Nov 2018 15:48:27 -0700 +Subject: ocfs2: fix clusters leak in ocfs2_defrag_extent() + +From: Larry Chen + +[ Upstream commit 6194ae4242dec0c9d604bc05df83aa9260a899e4 ] + +ocfs2_defrag_extent() might leak allocated clusters. When the file +system has insufficient space, the number of claimed clusters might be +less than the caller wants. If that happens, the original code might +directly commit the transaction without returning clusters. + +This patch is based on code in ocfs2_add_clusters_in_btree(). + +[akpm@linux-foundation.org: include localalloc.h, reduce scope of data_ac] +Link: http://lkml.kernel.org/r/20180904041621.16874-3-lchen@suse.com +Signed-off-by: Larry Chen +Reviewed-by: Andrew Morton +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Joseph Qi +Cc: Changwei Ge +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/move_extents.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c +index c179afd0051a0..afaa044f5f6bd 100644 +--- a/fs/ocfs2/move_extents.c ++++ b/fs/ocfs2/move_extents.c +@@ -25,6 +25,7 @@ + #include "ocfs2_ioctl.h" + + #include "alloc.h" ++#include "localalloc.h" + #include "aops.h" + #include "dlmglue.h" + #include "extent_map.h" +@@ -222,6 +223,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + struct ocfs2_refcount_tree *ref_tree = NULL; + u32 new_phys_cpos, new_len; + u64 phys_blkno = ocfs2_clusters_to_blocks(inode->i_sb, phys_cpos); ++ int need_free = 0; + + if ((ext_flags & OCFS2_EXT_REFCOUNTED) && *len) { + +@@ -315,6 +317,7 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + if (!partial) { + context->range->me_flags &= ~OCFS2_MOVE_EXT_FL_COMPLETE; + ret = -ENOSPC; ++ need_free = 1; + goto out_commit; + } + } +@@ -339,6 +342,20 @@ static int ocfs2_defrag_extent(struct ocfs2_move_extents_context *context, + mlog_errno(ret); + + out_commit: ++ if (need_free && context->data_ac) { ++ struct ocfs2_alloc_context *data_ac = context->data_ac; ++ ++ if (context->data_ac->ac_which == OCFS2_AC_USE_LOCAL) ++ ocfs2_free_local_alloc_bits(osb, handle, data_ac, ++ new_phys_cpos, new_len); ++ else ++ ocfs2_free_clusters(handle, ++ data_ac->ac_inode, ++ data_ac->ac_bh, ++ ocfs2_clusters_to_blocks(osb->sb, new_phys_cpos), ++ new_len); ++ } ++ + ocfs2_commit_trans(osb, handle); + + out_unlock_mutex: +-- +2.20.1 + diff --git a/queue-4.9/pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch b/queue-4.9/pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch new file mode 100644 index 00000000000..3c0e06398be --- /dev/null +++ b/queue-4.9/pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch @@ -0,0 +1,44 @@ +From 675fd729032126be1c25af2ca1e8ac11e7db8ff2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 17 Oct 2018 13:10:54 +0530 +Subject: PCI: keystone: Use quirk to limit MRRS for K2G + +From: Kishon Vijay Abraham I + +[ Upstream commit 148e340c0696369fadbbddc8f4bef801ed247d71 ] + +PCI controller in K2G also has a limitation that memory read request +size (MRRS) must not exceed 256 bytes. Use the quirk to limit MRRS +(added for K2HK, K2L and K2E) for K2G as well. + +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Lorenzo Pieralisi +Signed-off-by: Sasha Levin +--- + drivers/pci/host/pci-keystone.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pci/host/pci-keystone.c b/drivers/pci/host/pci-keystone.c +index eac0a1238e9d0..c690299d5c4a8 100644 +--- a/drivers/pci/host/pci-keystone.c ++++ b/drivers/pci/host/pci-keystone.c +@@ -43,6 +43,7 @@ + #define PCIE_RC_K2HK 0xb008 + #define PCIE_RC_K2E 0xb009 + #define PCIE_RC_K2L 0xb00a ++#define PCIE_RC_K2G 0xb00b + + #define to_keystone_pcie(x) container_of(x, struct keystone_pcie, pp) + +@@ -57,6 +58,8 @@ static void quirk_limit_mrrs(struct pci_dev *dev) + .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, }, + { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2L), + .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, }, ++ { PCI_DEVICE(PCI_VENDOR_ID_TI, PCIE_RC_K2G), ++ .class = PCI_CLASS_BRIDGE_PCI << 8, .class_mask = ~0, }, + { 0, }, + }; + +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch b/queue-4.9/pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch new file mode 100644 index 00000000000..2031b0ccdc5 --- /dev/null +++ b/queue-4.9/pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch @@ -0,0 +1,65 @@ +From 60734f17bf0f62070752eb3c611ac501aa7e85a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Nov 2018 08:00:08 -0700 +Subject: pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT + +From: Nathan Chancellor + +[ Upstream commit f24bfb39975c241374cadebbd037c17960cf1412 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/pinctrl/pinctrl-lpc18xx.c:643:29: warning: implicit conversion +from enumeration type 'enum lpc18xx_pin_config_param' to different +enumeration type 'enum pin_config_param' [-Wenum-conversion] + {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0}, + ~ ^~~~~~~~~~~~~~~~~~~~~~~ +drivers/pinctrl/pinctrl-lpc18xx.c:648:12: warning: implicit conversion +from enumeration type 'enum lpc18xx_pin_config_param' to different +enumeration type 'enum pin_config_param' [-Wenum-conversion] + PCONFDUMP(PIN_CONFIG_GPIO_PIN_INT, "gpio pin int", NULL, true), + ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from +macro 'PCONFDUMP' + .param = a, .display = b, .format = c, .has_arg = d \ + ^ +2 warnings generated. + +It is expected that pinctrl drivers can extend pin_config_param because +of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion +isn't an issue. Most drivers that take advantage of this define the +PIN_CONFIG variables as constants, rather than enumerated values. Do the +same thing here so that Clang no longer warns. + +Link: https://github.com/ClangBuiltLinux/linux/issues/140 +Signed-off-by: Nathan Chancellor +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-lpc18xx.c | 10 ++-------- + 1 file changed, 2 insertions(+), 8 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-lpc18xx.c b/drivers/pinctrl/pinctrl-lpc18xx.c +index e053f1fa55120..ab2a451f31562 100644 +--- a/drivers/pinctrl/pinctrl-lpc18xx.c ++++ b/drivers/pinctrl/pinctrl-lpc18xx.c +@@ -630,14 +630,8 @@ static const struct pinctrl_pin_desc lpc18xx_pins[] = { + LPC18XX_PIN(i2c0_sda, PIN_I2C0_SDA), + }; + +-/** +- * enum lpc18xx_pin_config_param - possible pin configuration parameters +- * @PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt +- * controller. +- */ +-enum lpc18xx_pin_config_param { +- PIN_CONFIG_GPIO_PIN_INT = PIN_CONFIG_END + 1, +-}; ++/* PIN_CONFIG_GPIO_PIN_INT: route gpio to the gpio pin interrupt controller */ ++#define PIN_CONFIG_GPIO_PIN_INT (PIN_CONFIG_END + 1) + + static const struct pinconf_generic_params lpc18xx_params[] = { + {"nxp,gpio-pin-interrupt", PIN_CONFIG_GPIO_PIN_INT, 0}, +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch b/queue-4.9/pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch new file mode 100644 index 00000000000..002d0d0acb4 --- /dev/null +++ b/queue-4.9/pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch @@ -0,0 +1,62 @@ +From 351e5b47342121facb3a716b30bdde84a3cf9be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 20:11:47 -0400 +Subject: pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues + +From: Brian Masney + +[ Upstream commit 149a96047237574b756d872007c006acd0cc6687 ] + +When attempting to setup up a gpio hog, device probing would repeatedly +fail with -EPROBE_DEFERED errors. It was caused by a circular dependency +between the gpio and pinctrl frameworks. If the gpio-ranges property is +present in device tree, then the gpio framework will handle the gpio pin +registration and eliminate the circular dependency. + +See Christian Lamparter's commit a86caa9ba5d7 ("pinctrl: msm: fix +gpio-hog related boot issues") for a detailed commit message that +explains the issue in much more detail. The code comment in this commit +came from Christian's commit. + +Signed-off-by: Brian Masney +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/qcom/pinctrl-spmi-gpio.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +index 8093afd17aa4f..69641c9e7d179 100644 +--- a/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c ++++ b/drivers/pinctrl/qcom/pinctrl-spmi-gpio.c +@@ -790,10 +790,23 @@ static int pmic_gpio_probe(struct platform_device *pdev) + return ret; + } + +- ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0, npins); +- if (ret) { +- dev_err(dev, "failed to add pin range\n"); +- goto err_range; ++ /* ++ * For DeviceTree-supported systems, the gpio core checks the ++ * pinctrl's device node for the "gpio-ranges" property. ++ * If it is present, it takes care of adding the pin ranges ++ * for the driver. In this case the driver can skip ahead. ++ * ++ * In order to remain compatible with older, existing DeviceTree ++ * files which don't set the "gpio-ranges" property or systems that ++ * utilize ACPI the driver has to call gpiochip_add_pin_range(). ++ */ ++ if (!of_property_read_bool(dev->of_node, "gpio-ranges")) { ++ ret = gpiochip_add_pin_range(&state->chip, dev_name(dev), 0, 0, ++ npins); ++ if (ret) { ++ dev_err(dev, "failed to add pin range\n"); ++ goto err_range; ++ } + } + + return 0; +-- +2.20.1 + diff --git a/queue-4.9/pinctrl-zynq-use-define-directive-for-pin_config_io_.patch b/queue-4.9/pinctrl-zynq-use-define-directive-for-pin_config_io_.patch new file mode 100644 index 00000000000..3608a9ad7a5 --- /dev/null +++ b/queue-4.9/pinctrl-zynq-use-define-directive-for-pin_config_io_.patch @@ -0,0 +1,67 @@ +From 7d8b92c20e3828efbd6a3ce926b1363cfd8a510f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Nov 2018 01:56:40 -0700 +Subject: pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD + +From: Nathan Chancellor + +[ Upstream commit cd8a145a066a1a3beb0ae615c7cb2ee4217418d7 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/pinctrl/pinctrl-zynq.c:985:18: warning: implicit conversion from +enumeration type 'enum zynq_pin_config_param' to different enumeration +type 'enum pin_config_param' [-Wenum-conversion] + {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18}, + ~ ^~~~~~~~~~~~~~~~~~~~~ +drivers/pinctrl/pinctrl-zynq.c:990:16: warning: implicit conversion from +enumeration type 'enum zynq_pin_config_param' to different enumeration +type 'enum pin_config_param' [-Wenum-conversion] + = { PCONFDUMP(PIN_CONFIG_IOSTANDARD, "IO-standard", NULL, true), + ~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/pinctrl/pinconf-generic.h:163:11: note: expanded from +macro 'PCONFDUMP' + .param = a, .display = b, .format = c, .has_arg = d \ + ^ +2 warnings generated. + +It is expected that pinctrl drivers can extend pin_config_param because +of the gap between PIN_CONFIG_END and PIN_CONFIG_MAX so this conversion +isn't an issue. Most drivers that take advantage of this define the +PIN_CONFIG variables as constants, rather than enumerated values. Do the +same thing here so that Clang no longer warns. + +Signed-off-by: Nathan Chancellor +Acked-by: Michal Simek +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-zynq.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-zynq.c b/drivers/pinctrl/pinctrl-zynq.c +index e0ecffcbe11f6..f8b54cfc90c7d 100644 +--- a/drivers/pinctrl/pinctrl-zynq.c ++++ b/drivers/pinctrl/pinctrl-zynq.c +@@ -967,15 +967,12 @@ enum zynq_io_standards { + zynq_iostd_max + }; + +-/** +- * enum zynq_pin_config_param - possible pin configuration parameters +- * @PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to ++/* ++ * PIN_CONFIG_IOSTANDARD: if the pin can select an IO standard, the argument to + * this parameter (on a custom format) tells the driver which alternative + * IO standard to use. + */ +-enum zynq_pin_config_param { +- PIN_CONFIG_IOSTANDARD = PIN_CONFIG_END + 1, +-}; ++#define PIN_CONFIG_IOSTANDARD (PIN_CONFIG_END + 1) + + static const struct pinconf_generic_params zynq_dt_params[] = { + {"io-standard", PIN_CONFIG_IOSTANDARD, zynq_iostd_lvcmos18}, +-- +2.20.1 + diff --git a/queue-4.9/platform-x86-asus-nb-wmi-support-als-on-the-zenbook-.patch b/queue-4.9/platform-x86-asus-nb-wmi-support-als-on-the-zenbook-.patch new file mode 100644 index 00000000000..a2a18ddbdf6 --- /dev/null +++ b/queue-4.9/platform-x86-asus-nb-wmi-support-als-on-the-zenbook-.patch @@ -0,0 +1,63 @@ +From 6446a82022f948e2bf3398aee3d0ae58cb1ac7e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Nov 2017 14:18:44 -0700 +Subject: platform/x86: asus-nb-wmi: Support ALS on the Zenbook UX430UQ + +From: Kiernan Hager + +[ Upstream commit db2582afa7444a0ce6bb1ebf1431715969a10b06 ] + +This patch adds support for ALS on the Zenbook UX430UQ to the asus_nb_wmi +driver. It also renames "quirk_asus_ux330uak" to "quirk_asus_forceals" +because it is now used for more than one model of computer, and should +thus have a more general name. + +Signed-off-by: Kiernan Hager +[andy: massaged commit message, fixed indentation and commas in the code] +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 69ffbd7b76f74..4c35419608f7c 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -120,7 +120,7 @@ static struct quirk_entry quirk_asus_x550lb = { + .xusb2pr = 0x01D9, + }; + +-static struct quirk_entry quirk_asus_ux330uak = { ++static struct quirk_entry quirk_asus_forceals = { + .wmi_force_als_set = true, + }; + +@@ -431,7 +431,7 @@ static const struct dmi_system_id asus_quirks[] = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_PRODUCT_NAME, "UX330UAK"), + }, +- .driver_data = &quirk_asus_ux330uak, ++ .driver_data = &quirk_asus_forceals, + }, + { + .callback = dmi_matched, +@@ -442,6 +442,15 @@ static const struct dmi_system_id asus_quirks[] = { + }, + .driver_data = &quirk_asus_x550lb, + }, ++ { ++ .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. UX430UQ", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "UX430UQ"), ++ }, ++ .driver_data = &quirk_asus_forceals, ++ }, + {}, + }; + +-- +2.20.1 + diff --git a/queue-4.9/platform-x86-asus-wmi-only-tell-ec-the-os-will-handl.patch b/queue-4.9/platform-x86-asus-wmi-only-tell-ec-the-os-will-handl.patch new file mode 100644 index 00000000000..4cb8d129194 --- /dev/null +++ b/queue-4.9/platform-x86-asus-wmi-only-tell-ec-the-os-will-handl.patch @@ -0,0 +1,115 @@ +From 60aa7f3187a22d0957e751eb3ad6e10d212b2e33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Jun 2019 09:02:02 +0200 +Subject: platform/x86: asus-wmi: Only Tell EC the OS will handle display + hotkeys from asus_nb_wmi +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hans de Goede + +[ Upstream commit 401fee8195d401b2b94dee57383f627050724d5b ] + +Commit 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will +handle the display off hotkey") causes the backlight to be permanently off +on various EeePC laptop models using the eeepc-wmi driver (Asus EeePC +1015BX, Asus EeePC 1025C). + +The asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL) call added +by that commit is made conditional in this commit and only enabled in +the quirk_entry structs in the asus-nb-wmi driver fixing the broken +display / backlight on various EeePC laptop models. + +Cc: João Paulo Rechi Vita +Fixes: 78f3ac76d9e5 ("platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey") +Signed-off-by: Hans de Goede +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/asus-nb-wmi.c | 8 ++++++++ + drivers/platform/x86/asus-wmi.c | 2 +- + drivers/platform/x86/asus-wmi.h | 1 + + 3 files changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/asus-nb-wmi.c b/drivers/platform/x86/asus-nb-wmi.c +index 4c35419608f7c..0fd7e40b86a0d 100644 +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -78,10 +78,12 @@ static bool asus_q500a_i8042_filter(unsigned char data, unsigned char str, + + static struct quirk_entry quirk_asus_unknown = { + .wapf = 0, ++ .wmi_backlight_set_devstate = true, + }; + + static struct quirk_entry quirk_asus_q500a = { + .i8042_filter = asus_q500a_i8042_filter, ++ .wmi_backlight_set_devstate = true, + }; + + /* +@@ -92,15 +94,18 @@ static struct quirk_entry quirk_asus_q500a = { + static struct quirk_entry quirk_asus_x55u = { + .wapf = 4, + .wmi_backlight_power = true, ++ .wmi_backlight_set_devstate = true, + .no_display_toggle = true, + }; + + static struct quirk_entry quirk_asus_wapf4 = { + .wapf = 4, ++ .wmi_backlight_set_devstate = true, + }; + + static struct quirk_entry quirk_asus_x200ca = { + .wapf = 2, ++ .wmi_backlight_set_devstate = true, + }; + + static struct quirk_entry quirk_no_rfkill = { +@@ -114,13 +119,16 @@ static struct quirk_entry quirk_no_rfkill_wapf4 = { + + static struct quirk_entry quirk_asus_ux303ub = { + .wmi_backlight_native = true, ++ .wmi_backlight_set_devstate = true, + }; + + static struct quirk_entry quirk_asus_x550lb = { ++ .wmi_backlight_set_devstate = true, + .xusb2pr = 0x01D9, + }; + + static struct quirk_entry quirk_asus_forceals = { ++ .wmi_backlight_set_devstate = true, + .wmi_force_als_set = true, + }; + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 10bd13b301784..aede41a92cacb 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -2154,7 +2154,7 @@ static int asus_wmi_add(struct platform_device *pdev) + err = asus_wmi_backlight_init(asus); + if (err && err != -ENODEV) + goto fail_backlight; +- } else ++ } else if (asus->driver->quirks->wmi_backlight_set_devstate) + err = asus_wmi_set_devstate(ASUS_WMI_DEVID_BACKLIGHT, 2, NULL); + + status = wmi_install_notify_handler(asus->driver->event_guid, +diff --git a/drivers/platform/x86/asus-wmi.h b/drivers/platform/x86/asus-wmi.h +index 5db052d1de1e1..53bab79780e22 100644 +--- a/drivers/platform/x86/asus-wmi.h ++++ b/drivers/platform/x86/asus-wmi.h +@@ -45,6 +45,7 @@ struct quirk_entry { + bool store_backlight_power; + bool wmi_backlight_power; + bool wmi_backlight_native; ++ bool wmi_backlight_set_devstate; + bool wmi_force_als_set; + int wapf; + /* +-- +2.20.1 + diff --git a/queue-4.9/powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch b/queue-4.9/powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch new file mode 100644 index 00000000000..d42622f81f5 --- /dev/null +++ b/queue-4.9/powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch @@ -0,0 +1,44 @@ +From 8cc48beef8d8129e0f518b57a5a7d241c87f68f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Sep 2018 11:23:22 +1000 +Subject: powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field + +From: Sam Bobroff + +[ Upstream commit 473af09b56dc4be68e4af33220ceca6be67aa60d ] + +eeh_add_to_parent_pe() sometimes removes the EEH_PE_KEEP flag, but it +incorrectly removes it from pe->type, instead of pe->state. + +However, rather than clearing it from the correct field, remove it. +Inspection of the code shows that it can't ever have had any effect +(even if it had been cleared from the correct field), because the +field is never tested after it is cleared by the statement in +question. + +The clear statement was added by commit 807a827d4e74 ("powerpc/eeh: +Keep PE during hotplug"), but it didn't explain why it was necessary. + +Signed-off-by: Sam Bobroff +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/eeh_pe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/eeh_pe.c b/arch/powerpc/kernel/eeh_pe.c +index 1abd8dd77ec13..eee2131a97e61 100644 +--- a/arch/powerpc/kernel/eeh_pe.c ++++ b/arch/powerpc/kernel/eeh_pe.c +@@ -370,7 +370,7 @@ int eeh_add_to_parent_pe(struct eeh_dev *edev) + while (parent) { + if (!(parent->type & EEH_PE_INVALID)) + break; +- parent->type &= ~(EEH_PE_INVALID | EEH_PE_KEEP); ++ parent->type &= ~EEH_PE_INVALID; + parent = parent->parent; + } + +-- +2.20.1 + diff --git a/queue-4.9/powerpc-fix-signedness-bug-in-update_flash_db.patch b/queue-4.9/powerpc-fix-signedness-bug-in-update_flash_db.patch new file mode 100644 index 00000000000..a9b8af40374 --- /dev/null +++ b/queue-4.9/powerpc-fix-signedness-bug-in-update_flash_db.patch @@ -0,0 +1,40 @@ +From a8cade1738cdf5f6b8d855fd68c6e9d30eff62be Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Oct 2018 19:44:58 +0300 +Subject: powerpc: Fix signedness bug in update_flash_db() + +From: Dan Carpenter + +[ Upstream commit 014704e6f54189a203cc14c7c0bb411b940241bc ] + +The "count < sizeof(struct os_area_db)" comparison is type promoted to +size_t so negative values of "count" are treated as very high values +and we accidentally return success instead of a negative error code. + +This doesn't really change runtime much but it fixes a static checker +warning. + +Signed-off-by: Dan Carpenter +Acked-by: Geoff Levand +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/ps3/os-area.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/ps3/os-area.c b/arch/powerpc/platforms/ps3/os-area.c +index 3db53e8aff927..9b2ef76578f06 100644 +--- a/arch/powerpc/platforms/ps3/os-area.c ++++ b/arch/powerpc/platforms/ps3/os-area.c +@@ -664,7 +664,7 @@ static int update_flash_db(void) + db_set_64(db, &os_area_db_id_rtc_diff, saved_params.rtc_diff); + + count = os_area_flash_write(db, sizeof(struct os_area_db), pos); +- if (count < sizeof(struct os_area_db)) { ++ if (count < 0 || count < sizeof(struct os_area_db)) { + pr_debug("%s: os_area_flash_write failed %zd\n", __func__, + count); + error = count < 0 ? count : -EIO; +-- +2.20.1 + diff --git a/queue-4.9/powerpc-process-fix-flush_all_to_thread-for-spe.patch b/queue-4.9/powerpc-process-fix-flush_all_to_thread-for-spe.patch new file mode 100644 index 00000000000..268fd1cc9b0 --- /dev/null +++ b/queue-4.9/powerpc-process-fix-flush_all_to_thread-for-spe.patch @@ -0,0 +1,63 @@ +From bb41489629d9c385e95b5e533aa58677fd393539 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Oct 2018 10:57:22 -0300 +Subject: powerpc/process: Fix flush_all_to_thread for SPE + +From: Felipe Rechia + +[ Upstream commit e901378578c62202594cba0f6c076f3df365ec91 ] + +Fix a bug introduced by the creation of flush_all_to_thread() for +processors that have SPE (Signal Processing Engine) and use it to +compute floating-point operations. + +>From userspace perspective, the problem was seen in attempts of +computing floating-point operations which should generate exceptions. +For example: + + fork(); + float x = 0.0 / 0.0; + isnan(x); // forked process returns False (should be True) + +The operation above also should always cause the SPEFSCR FINV bit to +be set. However, the SPE floating-point exceptions were turned off +after a fork(). + +Kernel versions prior to the bug used flush_spe_to_thread(), which +first saves SPEFSCR register values in tsk->thread and then calls +giveup_spe(tsk). + +After commit 579e633e764e, the save_all() function was called first +to giveup_spe(), and then the SPEFSCR register values were saved in +tsk->thread. This would save the SPEFSCR register values after +disabling SPE for that thread, causing the bug described above. + +Fixes 579e633e764e ("powerpc: create flush_all_to_thread()") +Signed-off-by: Felipe Rechia +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/process.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index 47c6c0401b3a2..54c95e7c74cce 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -576,12 +576,11 @@ void flush_all_to_thread(struct task_struct *tsk) + if (tsk->thread.regs) { + preempt_disable(); + BUG_ON(tsk != current); +- save_all(tsk); +- + #ifdef CONFIG_SPE + if (tsk->thread.regs->msr & MSR_SPE) + tsk->thread.spefscr = mfspr(SPRN_SPEFSCR); + #endif ++ save_all(tsk); + + preempt_enable(); + } +-- +2.20.1 + diff --git a/queue-4.9/printk-fix-integer-overflow-in-setup_log_buf.patch b/queue-4.9/printk-fix-integer-overflow-in-setup_log_buf.patch new file mode 100644 index 00000000000..f498c294a1e --- /dev/null +++ b/queue-4.9/printk-fix-integer-overflow-in-setup_log_buf.patch @@ -0,0 +1,61 @@ +From f56649903c9d6f2d1ef9fe6f2281ff3f0f2900f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Oct 2018 20:33:08 +0900 +Subject: printk: fix integer overflow in setup_log_buf() + +From: Sergey Senozhatsky + +[ Upstream commit d2130e82e9454304e9b91ba9da551b5989af8c27 ] + +The way we calculate logbuf free space percentage overflows signed +integer: + + int free; + + free = __LOG_BUF_LEN - log_next_idx; + pr_info("early log buf free: %u(%u%%)\n", + free, (free * 100) / __LOG_BUF_LEN); + +We support LOG_BUF_LEN of up to 1<<25 bytes. Since setup_log_buf() is +called during early init, logbuf is mostly empty, so + + __LOG_BUF_LEN - log_next_idx + +is close to 1<<25. Thus when we multiply it by 100, we overflow signed +integer value range: 100 is 2^6 + 2^5 + 2^2. + +Example, booting with LOG_BUF_LEN 1<<25 and log_buf_len=2G +boot param: + +[ 0.075317] log_buf_len: -2147483648 bytes +[ 0.075319] early log buf free: 33549896(-28%) + +Make "free" unsigned integer and use appropriate printk() specifier. + +Link: http://lkml.kernel.org/r/20181010113308.9337-1-sergey.senozhatsky@gmail.com +To: Steven Rostedt +Cc: linux-kernel@vger.kernel.org +Cc: Sergey Senozhatsky +Signed-off-by: Sergey Senozhatsky +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + kernel/printk/printk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c +index a0339c458c140..c1873d325ebda 100644 +--- a/kernel/printk/printk.c ++++ b/kernel/printk/printk.c +@@ -1050,7 +1050,7 @@ void __init setup_log_buf(int early) + { + unsigned long flags; + char *new_log_buf; +- int free; ++ unsigned int free; + + if (log_buf != __log_buf) + return; +-- +2.20.1 + diff --git a/queue-4.9/qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch b/queue-4.9/qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch new file mode 100644 index 00000000000..736d358cb52 --- /dev/null +++ b/queue-4.9/qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch @@ -0,0 +1,40 @@ +From 8a8d865f33d95f8acfefc0dd7e2f7bc712236663 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Oct 2018 23:11:11 +0300 +Subject: qlcnic: fix a return in qlcnic_dcb_get_capability() + +From: Dan Carpenter + +[ Upstream commit c94f026fb742b2d3199422751dbc4f6fc0e753d8 ] + +These functions are supposed to return one on failure and zero on +success. Returning a zero here could cause uninitialized variable +bugs in several of the callers. For example: + + drivers/scsi/cxgbi/cxgb4i/cxgb4i.c:1660 get_iscsi_dcb_priority() + error: uninitialized symbol 'caps'. + +Fixes: 48365e485275 ("qlcnic: dcb: Add support for CEE Netlink interface.") +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c +index 4b76c69fe86d2..834208e55f7b8 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_dcb.c +@@ -883,7 +883,7 @@ static u8 qlcnic_dcb_get_capability(struct net_device *netdev, int capid, + struct qlcnic_adapter *adapter = netdev_priv(netdev); + + if (!test_bit(QLCNIC_DCB_STATE, &adapter->dcb->state)) +- return 0; ++ return 1; + + switch (capid) { + case DCB_CAP_ATTR_PG: +-- +2.20.1 + diff --git a/queue-4.9/rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch b/queue-4.9/rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch new file mode 100644 index 00000000000..2fee3f5b0b2 --- /dev/null +++ b/queue-4.9/rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch @@ -0,0 +1,44 @@ +From 719b58ae688f3f53e1e7a5acb4fe380507e75a41 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Oct 2018 13:43:45 -0700 +Subject: rtc: s35390a: Change buf's type to u8 in s35390a_init + +From: Nathan Chancellor + +[ Upstream commit ef0f02fd69a02b50e468a4ddbe33e3d81671e248 ] + +Clang warns: + +drivers/rtc/rtc-s35390a.c:124:27: warning: implicit conversion from +'int' to 'char' changes value from 192 to -64 [-Wconstant-conversion] + buf = S35390A_FLAG_RESET | S35390A_FLAG_24H; + ~ ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~ +1 warning generated. + +Update buf to be an unsigned 8-bit integer, which matches the buf member +in struct i2c_msg. + +https://github.com/ClangBuiltLinux/linux/issues/145 +Signed-off-by: Nathan Chancellor +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-s35390a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c +index 5dab4665ca3bd..3e0eea3aa876d 100644 +--- a/drivers/rtc/rtc-s35390a.c ++++ b/drivers/rtc/rtc-s35390a.c +@@ -106,7 +106,7 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len) + */ + static int s35390a_reset(struct s35390a *s35390a, char *status1) + { +- char buf; ++ u8 buf; + int ret; + unsigned initcount = 0; + +-- +2.20.1 + diff --git a/queue-4.9/rtl8xxxu-fix-missing-break-in-switch.patch b/queue-4.9/rtl8xxxu-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..8c3bc13135c --- /dev/null +++ b/queue-4.9/rtl8xxxu-fix-missing-break-in-switch.patch @@ -0,0 +1,35 @@ +From 1336102cb802af2a05688edff327b28cef7a42b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Oct 2018 13:51:03 +0200 +Subject: rtl8xxxu: Fix missing break in switch + +From: Gustavo A. R. Silva + +[ Upstream commit 307b00c5e695857ca92fc6a4b8ab6c48f988a1b1 ] + +Add missing break statement in order to prevent the code from falling +through to the default case. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index 4e725d165aa60..e78545d4add3c 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5660,6 +5660,7 @@ static int rtl8xxxu_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + break; + case WLAN_CIPHER_SUITE_TKIP: + key->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC; ++ break; + default: + return -EOPNOTSUPP; + } +-- +2.20.1 + diff --git a/queue-4.9/rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch b/queue-4.9/rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch new file mode 100644 index 00000000000..10aa2011bef --- /dev/null +++ b/queue-4.9/rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch @@ -0,0 +1,40 @@ +From e914c1a9114e3b43785cf733b0ef9860945d70e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Nov 2018 19:25:30 +0800 +Subject: rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information + +From: Shaokun Zhang + +[ Upstream commit 7d129adff3afbd3a449bc3593f2064ac546d58d3 ] + +RT_TRACE shows REG_MCUFWDL value as a decimal value with a '0x' +prefix, which is somewhat misleading. + +Fix it to print hexadecimal, as was intended. + +Cc: Ping-Ke Shih +Cc: Kalle Valo +Signed-off-by: Shaokun Zhang +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c +index 8de29cc3ced07..a24644f34e650 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/fw.c +@@ -234,7 +234,7 @@ static int _rtl92d_fw_init(struct ieee80211_hw *hw) + rtl_read_byte(rtlpriv, FW_MAC1_READY)); + } + RT_TRACE(rtlpriv, COMP_FW, DBG_DMESG, +- "Polling FW ready fail!! REG_MCUFWDL:0x%08ul\n", ++ "Polling FW ready fail!! REG_MCUFWDL:0x%08x\n", + rtl_read_dword(rtlpriv, REG_MCUFWDL)); + return -1; + } +-- +2.20.1 + diff --git a/queue-4.9/s390-perf-return-error-when-debug_register-fails.patch b/queue-4.9/s390-perf-return-error-when-debug_register-fails.patch new file mode 100644 index 00000000000..422bd30928a --- /dev/null +++ b/queue-4.9/s390-perf-return-error-when-debug_register-fails.patch @@ -0,0 +1,56 @@ +From ba8a71b8a1cc6cda565f24dc94421c3ecd30c6a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Oct 2018 14:39:29 +0100 +Subject: s390/perf: Return error when debug_register fails + +From: Thomas Richter + +[ Upstream commit ec0c0bb489727de0d4dca6a00be6970ab8a3b30a ] + +Return an error when the function debug_register() fails allocating +the debug handle. +Also remove the registered debug handle when the initialization fails +later on. + +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +--- + arch/s390/kernel/perf_cpum_sf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/arch/s390/kernel/perf_cpum_sf.c b/arch/s390/kernel/perf_cpum_sf.c +index 96e4fcad57bf7..f46e5c0cb6d95 100644 +--- a/arch/s390/kernel/perf_cpum_sf.c ++++ b/arch/s390/kernel/perf_cpum_sf.c +@@ -1611,14 +1611,17 @@ static int __init init_cpum_sampling_pmu(void) + } + + sfdbg = debug_register(KMSG_COMPONENT, 2, 1, 80); +- if (!sfdbg) ++ if (!sfdbg) { + pr_err("Registering for s390dbf failed\n"); ++ return -ENOMEM; ++ } + debug_register_view(sfdbg, &debug_sprintf_view); + + err = register_external_irq(EXT_IRQ_MEASURE_ALERT, + cpumf_measurement_alert); + if (err) { + pr_cpumsf_err(RS_INIT_FAILURE_ALRT); ++ debug_unregister(sfdbg); + goto out; + } + +@@ -1627,6 +1630,7 @@ static int __init init_cpum_sampling_pmu(void) + pr_cpumsf_err(RS_INIT_FAILURE_PERF); + unregister_external_irq(EXT_IRQ_MEASURE_ALERT, + cpumf_measurement_alert); ++ debug_unregister(sfdbg); + goto out; + } + +-- +2.20.1 + diff --git a/queue-4.9/sched-fair-don-t-increase-sd-balance_interval-on-new.patch b/queue-4.9/sched-fair-don-t-increase-sd-balance_interval-on-new.patch new file mode 100644 index 00000000000..e49749e9ae6 --- /dev/null +++ b/queue-4.9/sched-fair-don-t-increase-sd-balance_interval-on-new.patch @@ -0,0 +1,77 @@ +From 3ed7f097460ef146b38f1404341fa5fc47c14e9b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Sep 2018 16:12:07 +0100 +Subject: sched/fair: Don't increase sd->balance_interval on newidle balance + +From: Valentin Schneider + +[ Upstream commit 3f130a37c442d5c4d66531b240ebe9abfef426b5 ] + +When load_balance() fails to move some load because of task affinity, +we end up increasing sd->balance_interval to delay the next periodic +balance in the hopes that next time we look, that annoying pinned +task(s) will be gone. + +However, idle_balance() pays no attention to sd->balance_interval, yet +it will still lead to an increase in balance_interval in case of +pinned tasks. + +If we're going through several newidle balances (e.g. we have a +periodic task), this can lead to a huge increase of the +balance_interval in a very small amount of time. + +To prevent that, don't increase the balance interval when going +through a newidle balance. + +This is a similar approach to what is done in commit 58b26c4c0257 +("sched: Increment cache_nice_tries only on periodic lb"), where we +disregard newidle balance and rely on periodic balance for more stable +results. + +Signed-off-by: Valentin Schneider +Signed-off-by: Peter Zijlstra (Intel) +Cc: Dietmar.Eggemann@arm.com +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: patrick.bellasi@arm.com +Cc: vincent.guittot@linaro.org +Link: http://lkml.kernel.org/r/1537974727-30788-2-git-send-email-valentin.schneider@arm.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index d8afae1bd5c5e..b765a58cf20f1 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -7950,13 +7950,22 @@ static int load_balance(int this_cpu, struct rq *this_rq, + sd->nr_balance_failed = 0; + + out_one_pinned: ++ ld_moved = 0; ++ ++ /* ++ * idle_balance() disregards balance intervals, so we could repeatedly ++ * reach this code, which would lead to balance_interval skyrocketting ++ * in a short amount of time. Skip the balance_interval increase logic ++ * to avoid that. ++ */ ++ if (env.idle == CPU_NEWLY_IDLE) ++ goto out; ++ + /* tune up the balancing interval */ + if (((env.flags & LBF_ALL_PINNED) && + sd->balance_interval < MAX_PINNED_INTERVAL) || + (sd->balance_interval < sd->max_interval)) + sd->balance_interval *= 2; +- +- ld_moved = 0; + out: + return ld_moved; + } +-- +2.20.1 + diff --git a/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch b/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch new file mode 100644 index 00000000000..385b4fa209b --- /dev/null +++ b/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch @@ -0,0 +1,38 @@ +From 2c1d7b361dbdce1438858bb6741327baa59438da Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 16:17:15 +0200 +Subject: scsi: dc395x: fix DMA API usage in sg_update_list + +From: Christoph Hellwig + +[ Upstream commit 6c404a68bf83b4135a8a9aa1c388ebdf98e8ba7f ] + +We need to transfer device ownership to the CPU before we can manipulate +the mapped data. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/dc395x.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 9da0ac360848f..830b2d2dcf206 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -1972,6 +1972,11 @@ static void sg_update_list(struct ScsiReqBlk *srb, u32 left) + xferred -= psge->length; + } else { + /* Partial SG entry done */ ++ pci_dma_sync_single_for_cpu(srb->dcb-> ++ acb->dev, ++ srb->sg_bus_addr, ++ SEGMENTX_LEN, ++ PCI_DMA_TODEVICE); + psge->length -= xferred; + psge->address += xferred; + srb->sg_index = idx; +-- +2.20.1 + diff --git a/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-srb_done.patch b/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-srb_done.patch new file mode 100644 index 00000000000..fb7b15980ec --- /dev/null +++ b/queue-4.9/scsi-dc395x-fix-dma-api-usage-in-srb_done.patch @@ -0,0 +1,55 @@ +From 11465a06f519df297430f6128c5ba068b7d34b92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Oct 2018 16:17:14 +0200 +Subject: scsi: dc395x: fix dma API usage in srb_done + +From: Christoph Hellwig + +[ Upstream commit 3a5bd7021184dec2946f2a4d7a8943f8a5713e52 ] + +We can't just transfer ownership to the CPU and then unmap, as this will +break with swiotlb. + +Instead unmap the command and sense buffer a little earlier in the I/O +completion handler and get rid of the pci_dma_sync_sg_for_cpu call +entirely. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/dc395x.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 5ee7f44cf869b..9da0ac360848f 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -3450,14 +3450,12 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb, + } + } + +- if (dir != PCI_DMA_NONE && scsi_sg_count(cmd)) +- pci_dma_sync_sg_for_cpu(acb->dev, scsi_sglist(cmd), +- scsi_sg_count(cmd), dir); +- + ckc_only = 0; + /* Check Error Conditions */ + ckc_e: + ++ pci_unmap_srb(acb, srb); ++ + if (cmd->cmnd[0] == INQUIRY) { + unsigned char *base = NULL; + struct ScsiInqData *ptr; +@@ -3511,7 +3509,6 @@ static void srb_done(struct AdapterCtlBlk *acb, struct DeviceCtlBlk *dcb, + cmd, cmd->result); + srb_free_insert(acb, srb); + } +- pci_unmap_srb(acb, srb); + + cmd->scsi_done(cmd); + waiting_process_next(acb); +-- +2.20.1 + diff --git a/queue-4.9/scsi-ips-fix-missing-break-in-switch.patch b/queue-4.9/scsi-ips-fix-missing-break-in-switch.patch new file mode 100644 index 00000000000..955d59ab4ed --- /dev/null +++ b/queue-4.9/scsi-ips-fix-missing-break-in-switch.patch @@ -0,0 +1,36 @@ +From ed1e0da33f437a04a25a44d94c38ed7f550ddbf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 11:12:23 +0200 +Subject: scsi: ips: fix missing break in switch + +From: Gustavo A. R. Silva + +[ Upstream commit 5d25ff7a544889bc4b749fda31778d6a18dddbcb ] + +Add missing break statement in order to prevent the code from falling +through to case TEST_UNIT_READY. + +Addresses-Coverity-ID: 1357338 ("Missing break in switch") +Suggested-by: Martin K. Petersen +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ips.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ips.c b/drivers/scsi/ips.c +index 02cb76fd44208..6bbf2945a3e00 100644 +--- a/drivers/scsi/ips.c ++++ b/drivers/scsi/ips.c +@@ -3500,6 +3500,7 @@ ips_send_cmd(ips_ha_t * ha, ips_scb_t * scb) + + case START_STOP: + scb->scsi_cmd->result = DID_OK << 16; ++ break; + + case TEST_UNIT_READY: + case INQUIRY: +-- +2.20.1 + diff --git a/queue-4.9/scsi-isci-change-sci_controller_start_task-s-return-.patch b/queue-4.9/scsi-isci-change-sci_controller_start_task-s-return-.patch new file mode 100644 index 00000000000..aad064f1615 --- /dev/null +++ b/queue-4.9/scsi-isci-change-sci_controller_start_task-s-return-.patch @@ -0,0 +1,107 @@ +From e633318fd0122332c177282883df3e717443bce3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Sep 2018 17:12:00 -0700 +Subject: scsi: isci: Change sci_controller_start_task's return type to + sci_status + +From: Nathan Chancellor + +[ Upstream commit 362b5da3dfceada6e74ecdd7af3991bbe42c0c0f ] + +Clang warns when an enumerated type is implicitly converted to another. + +drivers/scsi/isci/request.c:3476:13: warning: implicit conversion from +enumeration type 'enum sci_task_status' to different enumeration type +'enum sci_status' [-Wenum-conversion] + status = sci_controller_start_task(ihost, + ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/isci/host.c:2744:10: warning: implicit conversion from +enumeration type 'enum sci_status' to different enumeration type 'enum +sci_task_status' [-Wenum-conversion] + return SCI_SUCCESS; + ~~~~~~ ^~~~~~~~~~~ +drivers/scsi/isci/host.c:2753:9: warning: implicit conversion from +enumeration type 'enum sci_status' to different enumeration type 'enum +sci_task_status' [-Wenum-conversion] + return status; + ~~~~~~ ^~~~~~ + +Avoid all of these implicit conversion by just making +sci_controller_start_task use sci_status. This silences +Clang and has no functional change since sci_task_status +has all of its values mapped to something in sci_status. + +Link: https://github.com/ClangBuiltLinux/linux/issues/153 +Signed-off-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/isci/host.c | 8 ++++---- + drivers/scsi/isci/host.h | 2 +- + drivers/scsi/isci/task.c | 4 ++-- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/isci/host.c b/drivers/scsi/isci/host.c +index 609dafd661d14..da4583a2fa23e 100644 +--- a/drivers/scsi/isci/host.c ++++ b/drivers/scsi/isci/host.c +@@ -2717,9 +2717,9 @@ enum sci_status sci_controller_continue_io(struct isci_request *ireq) + * the task management request. + * @task_request: the handle to the task request object to start. + */ +-enum sci_task_status sci_controller_start_task(struct isci_host *ihost, +- struct isci_remote_device *idev, +- struct isci_request *ireq) ++enum sci_status sci_controller_start_task(struct isci_host *ihost, ++ struct isci_remote_device *idev, ++ struct isci_request *ireq) + { + enum sci_status status; + +@@ -2728,7 +2728,7 @@ enum sci_task_status sci_controller_start_task(struct isci_host *ihost, + "%s: SCIC Controller starting task from invalid " + "state\n", + __func__); +- return SCI_TASK_FAILURE_INVALID_STATE; ++ return SCI_FAILURE_INVALID_STATE; + } + + status = sci_remote_device_start_task(ihost, idev, ireq); +diff --git a/drivers/scsi/isci/host.h b/drivers/scsi/isci/host.h +index 22a9bb1abae14..15dc6e0d8deb0 100644 +--- a/drivers/scsi/isci/host.h ++++ b/drivers/scsi/isci/host.h +@@ -490,7 +490,7 @@ enum sci_status sci_controller_start_io( + struct isci_remote_device *idev, + struct isci_request *ireq); + +-enum sci_task_status sci_controller_start_task( ++enum sci_status sci_controller_start_task( + struct isci_host *ihost, + struct isci_remote_device *idev, + struct isci_request *ireq); +diff --git a/drivers/scsi/isci/task.c b/drivers/scsi/isci/task.c +index 6dcaed0c1fc8c..fb6eba331ac6e 100644 +--- a/drivers/scsi/isci/task.c ++++ b/drivers/scsi/isci/task.c +@@ -258,7 +258,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost, + struct isci_tmf *tmf, unsigned long timeout_ms) + { + DECLARE_COMPLETION_ONSTACK(completion); +- enum sci_task_status status = SCI_TASK_FAILURE; ++ enum sci_status status = SCI_FAILURE; + struct isci_request *ireq; + int ret = TMF_RESP_FUNC_FAILED; + unsigned long flags; +@@ -301,7 +301,7 @@ static int isci_task_execute_tmf(struct isci_host *ihost, + /* start the TMF io. */ + status = sci_controller_start_task(ihost, idev, ireq); + +- if (status != SCI_TASK_SUCCESS) { ++ if (status != SCI_SUCCESS) { + dev_dbg(&ihost->pdev->dev, + "%s: start_io failed - status = 0x%x, request = %p\n", + __func__, +-- +2.20.1 + diff --git a/queue-4.9/scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch b/queue-4.9/scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch new file mode 100644 index 00000000000..8ce630ee6d1 --- /dev/null +++ b/queue-4.9/scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch @@ -0,0 +1,55 @@ +From b0ba4d407dd601295c5022e93856cff4cf61c43d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Sep 2018 17:11:50 -0700 +Subject: scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler + +From: Nathan Chancellor + +[ Upstream commit e9e9a103528c7e199ead6e5374c9c52cf16b5802 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/scsi/isci/request.c:1629:13: warning: implicit conversion from +enumeration type 'enum sci_io_status' to different enumeration type +'enum sci_status' [-Wenum-conversion] + status = SCI_IO_FAILURE_RESPONSE_VALID; + ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/scsi/isci/request.c:1631:12: warning: implicit conversion from +enumeration type 'enum sci_io_status' to different enumeration type +'enum sci_status' [-Wenum-conversion] + status = SCI_IO_FAILURE_RESPONSE_VALID; + ~ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +status is of type sci_status but SCI_IO_FAILURE_RESPONSE_VALID is of +type sci_io_status. Use SCI_FAILURE_IO_RESPONSE_VALID, which is from +sci_status and has SCI_IO_FAILURE_RESPONSE_VALID's exact value since +that is what SCI_IO_FAILURE_RESPONSE_VALID is mapped to in the isci.h +file. + +Link: https://github.com/ClangBuiltLinux/linux/issues/153 +Signed-off-by: Nathan Chancellor +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/isci/request.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/isci/request.c b/drivers/scsi/isci/request.c +index b709d2b208809..7d71ca421751d 100644 +--- a/drivers/scsi/isci/request.c ++++ b/drivers/scsi/isci/request.c +@@ -1626,9 +1626,9 @@ static enum sci_status atapi_d2h_reg_frame_handler(struct isci_request *ireq, + + if (status == SCI_SUCCESS) { + if (ireq->stp.rsp.status & ATA_ERR) +- status = SCI_IO_FAILURE_RESPONSE_VALID; ++ status = SCI_FAILURE_IO_RESPONSE_VALID; + } else { +- status = SCI_IO_FAILURE_RESPONSE_VALID; ++ status = SCI_FAILURE_IO_RESPONSE_VALID; + } + + if (status != SCI_SUCCESS) { +-- +2.20.1 + diff --git a/queue-4.9/scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch b/queue-4.9/scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch new file mode 100644 index 00000000000..34c3a069bf9 --- /dev/null +++ b/queue-4.9/scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch @@ -0,0 +1,48 @@ +From 2107c6452e6d2ca1d962aa0ec3cc8c4474ea8542 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 3 Oct 2018 18:06:15 -0700 +Subject: scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param + +From: Nathan Chancellor + +[ Upstream commit 20054597f169090109fc3f0dfa1a48583f4178a4 ] + +Clang warns when one enumerated type is implicitly converted to another. + +drivers/scsi/iscsi_tcp.c:803:15: warning: implicit conversion from +enumeration type 'enum iscsi_host_param' to different enumeration type +'enum iscsi_param' [-Wenum-conversion] + &addr, param, buf); + ^~~~~ +1 warning generated. + +iscsi_conn_get_addr_param handles ISCSI_HOST_PARAM_IPADDRESS just fine +so add an explicit cast to iscsi_param to make it clear to Clang that +this is expected behavior. + +Link: https://github.com/ClangBuiltLinux/linux/issues/153 +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/iscsi_tcp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c +index ace4f1f41b8e0..d60564397be54 100644 +--- a/drivers/scsi/iscsi_tcp.c ++++ b/drivers/scsi/iscsi_tcp.c +@@ -798,7 +798,8 @@ static int iscsi_sw_tcp_host_get_param(struct Scsi_Host *shost, + return rc; + + return iscsi_conn_get_addr_param((struct sockaddr_storage *) +- &addr, param, buf); ++ &addr, ++ (enum iscsi_param)param, buf); + default: + return iscsi_host_get_param(shost, param, buf); + } +-- +2.20.1 + diff --git a/queue-4.9/scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch b/queue-4.9/scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch new file mode 100644 index 00000000000..436c251f093 --- /dev/null +++ b/queue-4.9/scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch @@ -0,0 +1,132 @@ +From 1a670a58a8786a35e6c6b4cf5923a552b39b824d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Oct 2018 13:41:06 -0700 +Subject: scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces + +From: James Smart + +[ Upstream commit 036cad1f1ac9ce03e2db94b8460f98eaf1e1ee4c ] + +On FCoE adapters, when running link bounce test in a loop, initiator +failed to login with switch switch and required driver reload to +recover. Switch reached a point where all subsequent FLOGIs would be +LS_RJT'd. Further testing showed the condition to be related to not +performing FCF discovery between FLOGI's. + +Fix by monitoring FLOGI failures and once a repeated error is seen +repeat FCF discovery. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 2 ++ + drivers/scsi/lpfc/lpfc_hbadisc.c | 20 ++++++++++++++++++++ + drivers/scsi/lpfc/lpfc_init.c | 2 +- + drivers/scsi/lpfc/lpfc_sli.c | 11 ++--------- + drivers/scsi/lpfc/lpfc_sli4.h | 1 + + 5 files changed, 26 insertions(+), 10 deletions(-) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index b5be4df05733f..3702497b5b169 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -1141,6 +1141,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + phba->fcf.fcf_flag &= ~FCF_DISCOVERY; + phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO); + spin_unlock_irq(&phba->hbalock); ++ phba->fcf.fcf_redisc_attempted = 0; /* reset */ + goto out; + } + if (!rc) { +@@ -1155,6 +1156,7 @@ lpfc_cmpl_els_flogi(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb, + phba->fcf.fcf_flag &= ~FCF_DISCOVERY; + phba->hba_flag &= ~(FCF_RR_INPROG | HBA_DEVLOSS_TMO); + spin_unlock_irq(&phba->hbalock); ++ phba->fcf.fcf_redisc_attempted = 0; /* reset */ + goto out; + } + } +diff --git a/drivers/scsi/lpfc/lpfc_hbadisc.c b/drivers/scsi/lpfc/lpfc_hbadisc.c +index 9cca5ddbc50cc..6eaba16768461 100644 +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -1969,6 +1969,26 @@ int lpfc_sli4_fcf_rr_next_proc(struct lpfc_vport *vport, uint16_t fcf_index) + "failover and change port state:x%x/x%x\n", + phba->pport->port_state, LPFC_VPORT_UNKNOWN); + phba->pport->port_state = LPFC_VPORT_UNKNOWN; ++ ++ if (!phba->fcf.fcf_redisc_attempted) { ++ lpfc_unregister_fcf(phba); ++ ++ rc = lpfc_sli4_redisc_fcf_table(phba); ++ if (!rc) { ++ lpfc_printf_log(phba, KERN_INFO, LOG_FIP, ++ "3195 Rediscover FCF table\n"); ++ phba->fcf.fcf_redisc_attempted = 1; ++ lpfc_sli4_clear_fcf_rr_bmask(phba); ++ } else { ++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP, ++ "3196 Rediscover FCF table " ++ "failed. Status:x%x\n", rc); ++ } ++ } else { ++ lpfc_printf_log(phba, KERN_WARNING, LOG_FIP, ++ "3197 Already rediscover FCF table " ++ "attempted. No more retry\n"); ++ } + goto stop_flogi_current_fcf; + } else { + lpfc_printf_log(phba, KERN_INFO, LOG_FIP | LOG_ELS, +diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c +index e9ea8f4ea2c92..2f80b2c0409e0 100644 +--- a/drivers/scsi/lpfc/lpfc_init.c ++++ b/drivers/scsi/lpfc/lpfc_init.c +@@ -4444,7 +4444,7 @@ lpfc_sli4_async_fip_evt(struct lpfc_hba *phba, + break; + } + /* If fast FCF failover rescan event is pending, do nothing */ +- if (phba->fcf.fcf_flag & FCF_REDISC_EVT) { ++ if (phba->fcf.fcf_flag & (FCF_REDISC_EVT | FCF_REDISC_PEND)) { + spin_unlock_irq(&phba->hbalock); + break; + } +diff --git a/drivers/scsi/lpfc/lpfc_sli.c b/drivers/scsi/lpfc/lpfc_sli.c +index c05fc61a383b2..e1e0feb250031 100644 +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -16553,15 +16553,8 @@ lpfc_sli4_fcf_rr_next_index_get(struct lpfc_hba *phba) + goto initial_priority; + lpfc_printf_log(phba, KERN_WARNING, LOG_FIP, + "2844 No roundrobin failover FCF available\n"); +- if (next_fcf_index >= LPFC_SLI4_FCF_TBL_INDX_MAX) +- return LPFC_FCOE_FCF_NEXT_NONE; +- else { +- lpfc_printf_log(phba, KERN_WARNING, LOG_FIP, +- "3063 Only FCF available idx %d, flag %x\n", +- next_fcf_index, +- phba->fcf.fcf_pri[next_fcf_index].fcf_rec.flag); +- return next_fcf_index; +- } ++ ++ return LPFC_FCOE_FCF_NEXT_NONE; + } + + if (next_fcf_index < LPFC_SLI4_FCF_TBL_INDX_MAX && +diff --git a/drivers/scsi/lpfc/lpfc_sli4.h b/drivers/scsi/lpfc/lpfc_sli4.h +index 0b88b5703e0f1..9c69c4215de30 100644 +--- a/drivers/scsi/lpfc/lpfc_sli4.h ++++ b/drivers/scsi/lpfc/lpfc_sli4.h +@@ -237,6 +237,7 @@ struct lpfc_fcf { + #define FCF_REDISC_EVT 0x100 /* FCF rediscovery event to worker thread */ + #define FCF_REDISC_FOV 0x200 /* Post FCF rediscovery fast failover */ + #define FCF_REDISC_PROG (FCF_REDISC_PEND | FCF_REDISC_EVT) ++ uint16_t fcf_redisc_attempted; + uint32_t addr_mode; + uint32_t eligible_fcf_cnt; + struct lpfc_fcf_rec current_rec; +-- +2.20.1 + diff --git a/queue-4.9/scsi-megaraid_sas-fix-msleep-granularity.patch b/queue-4.9/scsi-megaraid_sas-fix-msleep-granularity.patch new file mode 100644 index 00000000000..39d63bdbef8 --- /dev/null +++ b/queue-4.9/scsi-megaraid_sas-fix-msleep-granularity.patch @@ -0,0 +1,46 @@ +From bb10bdced2bf450dc6b2ba7b278978b5bbdcc60e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 23:37:41 -0700 +Subject: scsi: megaraid_sas: Fix msleep granularity + +From: Shivasharan S + +[ Upstream commit 9155cf30a3c4ef97e225d6daddf9bd4b173267e8 ] + +In megasas_transition_to_ready() driver waits 180seconds for controller to +change FW state. Here we are calling msleep(1) in a loop for this. As +explained in timers-howto.txt, msleep(1) will actually sleep longer than +1ms. If a faulty controller is connected, we will end up waiting for much +more than 180 seconds causing unnecessary delays during load. + +Change the granularity of msleep() call from 1ms to 1000ms. + +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index d90693b2767fd..c5cc002dfdd5c 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -3694,12 +3694,12 @@ megasas_transition_to_ready(struct megasas_instance *instance, int ocr) + /* + * The cur_state should not last for more than max_wait secs + */ +- for (i = 0; i < (max_wait * 1000); i++) { ++ for (i = 0; i < max_wait; i++) { + curr_abs_state = instance->instancet-> + read_fw_status_reg(instance->reg_set); + + if (abs_state == curr_abs_state) { +- msleep(1); ++ msleep(1000); + } else + break; + } +-- +2.20.1 + diff --git a/queue-4.9/scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch b/queue-4.9/scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch new file mode 100644 index 00000000000..eb53ab7c5d9 --- /dev/null +++ b/queue-4.9/scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch @@ -0,0 +1,44 @@ +From ec3f45b1b5aef95f2947f7778d81495a490e18b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 18:53:38 +0530 +Subject: scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing + page11 + +From: Suganath Prabu + +[ Upstream commit 97f35194093362a63b33caba2485521ddabe2c95 ] + +Currently driver is modifying both current & NVRAM/persistent data in +Manufacturing page11. Driver should change only current copy of +Manufacturing page11. It should not modify the persistent data. + +So removed the section of code where driver is modifying the persistent +data of Manufacturing page11. + +Signed-off-by: Suganath Prabu +Reviewed-by: Bjorn Helgaas +Reviewed-by: Andy Shevchenko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_config.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_config.c b/drivers/scsi/mpt3sas/mpt3sas_config.c +index cebfd734fd769..a9fef0cd382bd 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_config.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_config.c +@@ -674,10 +674,6 @@ mpt3sas_config_set_manufacturing_pg11(struct MPT3SAS_ADAPTER *ioc, + r = _config_request(ioc, &mpi_request, mpi_reply, + MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page, + sizeof(*config_page)); +- mpi_request.Action = MPI2_CONFIG_ACTION_PAGE_WRITE_NVRAM; +- r = _config_request(ioc, &mpi_request, mpi_reply, +- MPT3_CONFIG_PAGE_DEFAULT_TIMEOUT, config_page, +- sizeof(*config_page)); + out: + return r; + } +-- +2.20.1 + diff --git a/queue-4.9/scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch b/queue-4.9/scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch new file mode 100644 index 00000000000..1eebf389e05 --- /dev/null +++ b/queue-4.9/scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch @@ -0,0 +1,87 @@ +From 45eb16fecc63c166d44e7de47835bfc7354cfc34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 31 Oct 2018 18:53:36 +0530 +Subject: scsi: mpt3sas: Fix Sync cache command failure during driver unload + +From: Suganath Prabu + +[ Upstream commit 9029a72500b95578a35877a43473b82cb0386c53 ] + +This is to fix SYNC CACHE and START STOP command failures with +DID_NO_CONNECT during driver unload. + +In driver's IO submission patch (i.e. in driver's .queuecommand()) driver +won't allow any SCSI commands to the IOC when ioc->remove_host flag is set +and hence SYNC CACHE commands which are issued to the target drives (where +write cache is enabled) during driver unload time is failed with +DID_NO_CONNECT status. + +Now modified the driver to allow SYNC CACHE and START STOP commands to IOC, +even when remove_host flag is set. + +Signed-off-by: Suganath Prabu +Reviewed-by: Bjorn Helgaas +Reviewed-by: Andy Shevchenko +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 36 +++++++++++++++++++++++++++- + 1 file changed, 35 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index ec48c010a3bab..aa2078d7e23e2 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -3297,6 +3297,40 @@ _scsih_tm_tr_complete(struct MPT3SAS_ADAPTER *ioc, u16 smid, u8 msix_index, + return _scsih_check_for_pending_tm(ioc, smid); + } + ++/** _scsih_allow_scmd_to_device - check whether scmd needs to ++ * issue to IOC or not. ++ * @ioc: per adapter object ++ * @scmd: pointer to scsi command object ++ * ++ * Returns true if scmd can be issued to IOC otherwise returns false. ++ */ ++inline bool _scsih_allow_scmd_to_device(struct MPT3SAS_ADAPTER *ioc, ++ struct scsi_cmnd *scmd) ++{ ++ ++ if (ioc->pci_error_recovery) ++ return false; ++ ++ if (ioc->hba_mpi_version_belonged == MPI2_VERSION) { ++ if (ioc->remove_host) ++ return false; ++ ++ return true; ++ } ++ ++ if (ioc->remove_host) { ++ ++ switch (scmd->cmnd[0]) { ++ case SYNCHRONIZE_CACHE: ++ case START_STOP: ++ return true; ++ default: ++ return false; ++ } ++ } ++ ++ return true; ++} + + /** + * _scsih_sas_control_complete - completion routine +@@ -4059,7 +4093,7 @@ scsih_qcmd(struct Scsi_Host *shost, struct scsi_cmnd *scmd) + return 0; + } + +- if (ioc->pci_error_recovery || ioc->remove_host) { ++ if (!(_scsih_allow_scmd_to_device(ioc, scmd))) { + scmd->result = DID_NO_CONNECT << 16; + scmd->scsi_done(scmd); + return 0; +-- +2.20.1 + diff --git a/queue-4.9/selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch b/queue-4.9/selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch new file mode 100644 index 00000000000..fe8596caeac --- /dev/null +++ b/queue-4.9/selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch @@ -0,0 +1,40 @@ +From 6ac56213280539ee30108a087a65ec5a68bd6ac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Aug 2018 23:16:13 +0900 +Subject: selftests/ftrace: Fix to test kprobe $comm arg only if available + +From: Masami Hiramatsu + +[ Upstream commit 2452c96e617a0ff6fb2692e55217a3fa57a7322c ] + +Test $comm in kprobe-event argument syntax testcase +only if it is supported on the kernel because +$comm has been introduced 4.8 kernel. +So on older stable kernel, it should be skipped. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Sasha Levin +--- + .../selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc +index 231bcd2c4eb59..1e7ac6f3362ff 100644 +--- a/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc ++++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_args_syntax.tc +@@ -71,8 +71,11 @@ test_badarg "\$stackp" "\$stack0+10" "\$stack1-10" + echo "r ${PROBEFUNC} \$retval" > kprobe_events + ! echo "p ${PROBEFUNC} \$retval" > kprobe_events + ++# $comm was introduced in 4.8, older kernels reject it. ++if grep -A1 "fetcharg:" README | grep -q '\$comm' ; then + : "Comm access" + test_goodarg "\$comm" ++fi + + : "Indirect memory access" + test_goodarg "+0(${GOODREG})" "-0(${GOODREG})" "+10(\$stack)" \ +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 64dba651e97..d531c449ae7 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -7,3 +7,103 @@ gpio-max77620-fixup-debounce-delays.patch tools-gpio-correctly-add-make-dependencies-for-gpio_utils.patch revert-fs-ocfs2-fix-possible-null-pointer-dereferences-in-ocfs2_xa_prepare_entry.patch mm-ksm.c-don-t-warn-if-page-is-still-mapped-in-remove_stable_node.patch +platform-x86-asus-nb-wmi-support-als-on-the-zenbook-.patch +platform-x86-asus-wmi-only-tell-ec-the-os-will-handl.patch +mwifiex-fix-nl80211_tx_power_limited.patch +alsa-isight-fix-leak-of-reference-to-firewire-unit-i.patch +printk-fix-integer-overflow-in-setup_log_buf.patch +gfs2-fix-marking-bitmaps-non-full.patch +synclink_gt-fix-compat_ioctl.patch +powerpc-fix-signedness-bug-in-update_flash_db.patch +powerpc-eeh-fix-use-of-eeh_pe_keep-on-wrong-field.patch +brcmsmac-ap-mode-update-beacon-when-tim-changes.patch +ath10k-allocate-small-size-dma-memory-in-ath10k_pci_.patch +spi-sh-msiof-fix-deferred-probing.patch +mmc-mediatek-fix-cannot-receive-new-request-when-msd.patch +btrfs-handle-error-of-get_old_root.patch +gsmi-fix-bug-in-append_to_eventlog-sysfs-handler.patch +misc-mic-fix-a-dma-pool-free-failure.patch +m68k-fix-command-line-parsing-when-passed-from-u-boo.patch +amiflop-clean-up-on-errors-during-setup.patch +scsi-ips-fix-missing-break-in-switch.patch +kvm-x86-fix-invvpid-and-invept-register-operand-size.patch +scsi-isci-use-proper-enumerated-type-in-atapi_d2h_re.patch +scsi-isci-change-sci_controller_start_task-s-return-.patch +scsi-iscsi_tcp-explicitly-cast-param-in-iscsi_sw_tcp.patch +clk-mmp2-fix-the-clock-id-for-sdh2_clk-and-sdh3_clk.patch +asoc-tegra_sgtl5000-fix-device_node-refcounting.patch +scsi-dc395x-fix-dma-api-usage-in-srb_done.patch +scsi-dc395x-fix-dma-api-usage-in-sg_update_list.patch +net-fix-warning-in-af_unix.patch +net-ena-fix-kconfig-dependency-on-x86.patch +xfs-fix-use-after-free-race-in-xfs_buf_rele.patch +kprobes-x86-ptrace.h-make-regs_get_kernel_stack_nth-.patch +alsa-i2c-cs8427-fix-int-to-char-conversion.patch +macintosh-windfarm_smu_sat-fix-debug-output.patch +usb-misc-appledisplay-fix-backlight-update_status-re.patch +usbip-tools-fix-atoi-on-non-null-terminated-string.patch +sunrpc-fix-a-compile-warning-for-cmpxchg64.patch +sunrpc-safely-reallow-resvport-min-max-inversion.patch +atm-zatm-fix-empty-body-clang-warnings.patch +s390-perf-return-error-when-debug_register-fails.patch +spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch +sparc-fix-parport-build-warnings.patch +ceph-fix-dentry-leak-in-ceph_readdir_prepopulate.patch +rtc-s35390a-change-buf-s-type-to-u8-in-s35390a_init.patch +f2fs-fix-to-spread-clear_cold_data.patch +misdn-fix-type-of-switch-control-variable-in-ctrl_te.patch +qlcnic-fix-a-return-in-qlcnic_dcb_get_capability.patch +net-ethernet-ti-cpsw-unsync-mcast-entries-while-swit.patch +mfd-arizona-correct-calling-of-runtime_put_sync.patch +mfd-mc13xxx-core-fix-pmic-shutdown-when-reading-adc-.patch +mfd-max8997-enale-irq-wakeup-unconditionally.patch +selftests-ftrace-fix-to-test-kprobe-comm-arg-only-if.patch +thermal-rcar_thermal-prevent-hardware-access-during-.patch +powerpc-process-fix-flush_all_to_thread-for-spe.patch +sparc64-rework-xchg-definition-to-avoid-warnings.patch +fs-ocfs2-dlm-dlmdebug.c-fix-a-sleep-in-atomic-contex.patch +mm-page-writeback.c-fix-range_cyclic-writeback-vs-wr.patch +macsec-update-operstate-when-lower-device-changes.patch +macsec-let-the-administrator-set-up-state-even-if-lo.patch +um-make-line-tty-semantics-use-true-write-irq.patch +linux-bitmap.h-handle-constant-zero-size-bitmaps-cor.patch +linux-bitmap.h-fix-type-of-nbits-in-bitmap_shift_rig.patch +hfsplus-fix-bug-on-bnode-parent-update.patch +hfs-fix-bug-on-bnode-parent-update.patch +hfsplus-prevent-btree-data-loss-on-enospc.patch +hfs-prevent-btree-data-loss-on-enospc.patch +hfsplus-fix-return-value-of-hfsplus_get_block.patch +hfs-fix-return-value-of-hfs_get_block.patch +hfsplus-update-timestamps-on-truncate.patch +hfs-update-timestamp-on-truncate.patch +fs-hfs-extent.c-fix-array-out-of-bounds-read-of-arra.patch +mm-memory_hotplug-make-add_memory-take-the-device_ho.patch +igb-shorten-maximum-phc-timecounter-update-interval.patch +ntb_netdev-fix-sleep-time-mismatch.patch +ntb-intel-fix-return-value-for-ndev_vec_mask.patch +arm64-makefile-fix-build-of-.i-file-in-external-modu.patch +ocfs2-don-t-put-and-assigning-null-to-bh-allocated-o.patch +ocfs2-fix-clusters-leak-in-ocfs2_defrag_extent.patch +net-do-not-abort-bulk-send-on-bql-status.patch +sched-fair-don-t-increase-sd-balance_interval-on-new.patch +audit-print-empty-execve-args.patch +wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch +rtl8xxxu-fix-missing-break-in-switch.patch +brcmsmac-never-log-tid-x-is-not-agg-able-by-default.patch +wireless-airo-potential-buffer-overflow-in-sprintf.patch +rtlwifi-rtl8192de-fix-misleading-reg_mcufwdl-informa.patch +scsi-mpt3sas-fix-sync-cache-command-failure-during-d.patch +scsi-mpt3sas-fix-driver-modifying-persistent-data-in.patch +scsi-megaraid_sas-fix-msleep-granularity.patch +scsi-lpfc-fcoe-fix-link-down-issue-after-1000-link-b.patch +dlm-fix-invalid-free.patch +dlm-don-t-leak-kernel-pointer-to-userspace.patch +acpica-use-d-for-signed-int-print-formatting-instead.patch +net-bcmgenet-return-correct-value-ret-from-bcmgenet_.patch +sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch +pinctrl-qcom-spmi-gpio-fix-gpio-hog-related-boot-iss.patch +pinctrl-lpc18xx-use-define-directive-for-pin_config_.patch +pinctrl-zynq-use-define-directive-for-pin_config_io_.patch +pci-keystone-use-quirk-to-limit-mrrs-for-k2g.patch +spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch +mm-memory_hotplug-do-not-unlock-when-fails-to-take-t.patch diff --git a/queue-4.9/sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch b/queue-4.9/sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch new file mode 100644 index 00000000000..61ce097d6d2 --- /dev/null +++ b/queue-4.9/sock-reset-dst-when-changing-sk_mark-via-setsockopt.patch @@ -0,0 +1,46 @@ +From 94b9ee1b9fac02ce9920644686f28830a177e9b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Nov 2018 08:13:35 -0600 +Subject: sock: Reset dst when changing sk_mark via setsockopt + +From: David Barmann + +[ Upstream commit 50254256f382c56bde87d970f3d0d02fdb76ec70 ] + +When setting the SO_MARK socket option, if the mark changes, the dst +needs to be reset so that a new route lookup is performed. + +This fixes the case where an application wants to change routing by +setting a new sk_mark. If this is done after some packets have already +been sent, the dst is cached and has no effect. + +Signed-off-by: David Barmann +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/sock.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/core/sock.c b/net/core/sock.c +index d224933514074..9178c16543758 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -945,10 +945,12 @@ int sock_setsockopt(struct socket *sock, int level, int optname, + clear_bit(SOCK_PASSSEC, &sock->flags); + break; + case SO_MARK: +- if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) ++ if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) { + ret = -EPERM; +- else ++ } else if (val != sk->sk_mark) { + sk->sk_mark = val; ++ sk_dst_reset(sk); ++ } + break; + + case SO_RXQ_OVFL: +-- +2.20.1 + diff --git a/queue-4.9/sparc-fix-parport-build-warnings.patch b/queue-4.9/sparc-fix-parport-build-warnings.patch new file mode 100644 index 00000000000..57c671fe64f --- /dev/null +++ b/queue-4.9/sparc-fix-parport-build-warnings.patch @@ -0,0 +1,50 @@ +From 4ce88b409b277387707dfefc235513f07497fd6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Oct 2018 10:52:52 -0700 +Subject: sparc: Fix parport build warnings. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David S. Miller + +[ Upstream commit 46b8306480fb424abd525acc1763da1c63a27d8a ] + +If PARPORT_PC_FIFO is not enabled, do not provide the dma lock +macros and lock definition. Otherwise: + +./arch/sparc/include/asm/parport.h:24:24: warning: ‘dma_spin_lock’ defined but not used [-Wunused-variable] + static DEFINE_SPINLOCK(dma_spin_lock); + ^~~~~~~~~~~~~ +./include/linux/spinlock_types.h:81:39: note: in definition of macro ‘DEFINE_SPINLOCK’ + #define DEFINE_SPINLOCK(x) spinlock_t x = __SPIN_LOCK_UNLOCKED(x) + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/include/asm/parport.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/sparc/include/asm/parport.h b/arch/sparc/include/asm/parport.h +index f005ccac91cc9..e87c0f81b700e 100644 +--- a/arch/sparc/include/asm/parport.h ++++ b/arch/sparc/include/asm/parport.h +@@ -20,6 +20,7 @@ + */ + #define HAS_DMA + ++#ifdef CONFIG_PARPORT_PC_FIFO + static DEFINE_SPINLOCK(dma_spin_lock); + + #define claim_dma_lock() \ +@@ -30,6 +31,7 @@ static DEFINE_SPINLOCK(dma_spin_lock); + + #define release_dma_lock(__flags) \ + spin_unlock_irqrestore(&dma_spin_lock, __flags); ++#endif + + static struct sparc_ebus_info { + struct ebus_dma_info info; +-- +2.20.1 + diff --git a/queue-4.9/sparc64-rework-xchg-definition-to-avoid-warnings.patch b/queue-4.9/sparc64-rework-xchg-definition-to-avoid-warnings.patch new file mode 100644 index 00000000000..91cd6905def --- /dev/null +++ b/queue-4.9/sparc64-rework-xchg-definition-to-avoid-warnings.patch @@ -0,0 +1,51 @@ +From c51d2e8298f7d498593ac83158bfbe77762e3a23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Oct 2018 15:39:49 -0700 +Subject: sparc64: Rework xchg() definition to avoid warnings. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: David S. Miller + +[ Upstream commit 6c2fc9cddc1ffdef8ada1dc8404e5affae849953 ] + +Such as: + +fs/ocfs2/file.c: In function ‘ocfs2_file_write_iter’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +and + +drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c: In function ‘ixgbevf_xdp_setup’: +./arch/sparc/include/asm/cmpxchg_64.h:55:22: warning: value computed is not used [-Wunused-value] + #define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/sparc/include/asm/cmpxchg_64.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/arch/sparc/include/asm/cmpxchg_64.h b/arch/sparc/include/asm/cmpxchg_64.h +index faa2f61058c27..92f0a46ace78e 100644 +--- a/arch/sparc/include/asm/cmpxchg_64.h ++++ b/arch/sparc/include/asm/cmpxchg_64.h +@@ -40,7 +40,12 @@ static inline unsigned long xchg64(__volatile__ unsigned long *m, unsigned long + return val; + } + +-#define xchg(ptr,x) ((__typeof__(*(ptr)))__xchg((unsigned long)(x),(ptr),sizeof(*(ptr)))) ++#define xchg(ptr,x) \ ++({ __typeof__(*(ptr)) __ret; \ ++ __ret = (__typeof__(*(ptr))) \ ++ __xchg((unsigned long)(x), (ptr), sizeof(*(ptr))); \ ++ __ret; \ ++}) + + void __xchg_called_with_bad_pointer(void); + +-- +2.20.1 + diff --git a/queue-4.9/spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch b/queue-4.9/spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch new file mode 100644 index 00000000000..54e6a611971 --- /dev/null +++ b/queue-4.9/spi-omap2-mcspi-fix-dma-and-fifo-event-trigger-size-.patch @@ -0,0 +1,49 @@ +From 44a4d7a0e3edd60e2ee5264b6fced58a6e8198c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jan 2019 12:28:32 +0530 +Subject: spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch + +From: Vignesh R + +[ Upstream commit baf8b9f8d260c55a86405f70a384c29cda888476 ] + +Commit b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length") +broke SPI transfers where bits_per_word != 8. This is because of +mimsatch between McSPI FIFO level event trigger size (SPI word length) and +DMA request size(word length * maxburst). This leads to data +corruption, lockup and errors like: + + spi1.0: EOW timed out + +Fix this by setting DMA maxburst size to 1 so that +McSPI FIFO level event trigger size matches DMA request size. + +Fixes: b682cffa3ac6 ("spi: omap2-mcspi: Set FIFO DMA trigger level to word length") +Cc: stable@vger.kernel.org +Reported-by: David Lechner +Tested-by: David Lechner +Signed-off-by: Vignesh R +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap2-mcspi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c +index bc136fe3a2829..ccb6f98550da4 100644 +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -625,8 +625,8 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer) + cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0; + cfg.src_addr_width = width; + cfg.dst_addr_width = width; +- cfg.src_maxburst = es; +- cfg.dst_maxburst = es; ++ cfg.src_maxburst = 1; ++ cfg.dst_maxburst = 1; + + rx = xfer->rx_buf; + tx = xfer->tx_buf; +-- +2.20.1 + diff --git a/queue-4.9/spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch b/queue-4.9/spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch new file mode 100644 index 00000000000..3af05a210ac --- /dev/null +++ b/queue-4.9/spi-omap2-mcspi-set-fifo-dma-trigger-level-to-word-l.patch @@ -0,0 +1,112 @@ +From 238ccabf43d2c13a5c373aa07773b980c7b61e88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Oct 2018 12:08:28 +0530 +Subject: spi: omap2-mcspi: Set FIFO DMA trigger level to word length + +From: Vignesh R + +[ Upstream commit b682cffa3ac6d9d9e16e9b413c45caee3b391fab ] + +McSPI has 32 byte FIFO in Transmit-Receive mode. Current code tries to +configuration FIFO watermark level for DMA trigger to be GCD of transfer +length and max FIFO size which would mean trigger level may be set to 32 +for transmit-receive mode if length is aligned. This does not work in +case of SPI slave mode where FIFO always needs to have data ready +whenever master starts the clock. With DMA trigger size of 32 there will +be a small window during slave TX where DMA is still putting data into +FIFO but master would have started clock for next byte, resulting in +shifting out of stale data. Similarly, on Slave RX side there may be RX +FIFO overflow +Fix this by setting FIFO watermark for DMA trigger to word +length. This means DMA is triggered as soon as FIFO has space for word +length bytes and DMA would make sure FIFO is almost always full +therefore improving FIFO occupancy in both master and slave mode. + +Signed-off-by: Vignesh R +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap2-mcspi.c | 26 +++++++------------------- + 1 file changed, 7 insertions(+), 19 deletions(-) + +diff --git a/drivers/spi/spi-omap2-mcspi.c b/drivers/spi/spi-omap2-mcspi.c +index a47cf638460a6..bc136fe3a2829 100644 +--- a/drivers/spi/spi-omap2-mcspi.c ++++ b/drivers/spi/spi-omap2-mcspi.c +@@ -298,7 +298,7 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi, + struct omap2_mcspi_cs *cs = spi->controller_state; + struct omap2_mcspi *mcspi; + unsigned int wcnt; +- int max_fifo_depth, fifo_depth, bytes_per_word; ++ int max_fifo_depth, bytes_per_word; + u32 chconf, xferlevel; + + mcspi = spi_master_get_devdata(master); +@@ -314,10 +314,6 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi, + else + max_fifo_depth = OMAP2_MCSPI_MAX_FIFODEPTH; + +- fifo_depth = gcd(t->len, max_fifo_depth); +- if (fifo_depth < 2 || fifo_depth % bytes_per_word != 0) +- goto disable_fifo; +- + wcnt = t->len / bytes_per_word; + if (wcnt > OMAP2_MCSPI_MAX_FIFOWCNT) + goto disable_fifo; +@@ -325,16 +321,17 @@ static void omap2_mcspi_set_fifo(const struct spi_device *spi, + xferlevel = wcnt << 16; + if (t->rx_buf != NULL) { + chconf |= OMAP2_MCSPI_CHCONF_FFER; +- xferlevel |= (fifo_depth - 1) << 8; ++ xferlevel |= (bytes_per_word - 1) << 8; + } ++ + if (t->tx_buf != NULL) { + chconf |= OMAP2_MCSPI_CHCONF_FFET; +- xferlevel |= fifo_depth - 1; ++ xferlevel |= bytes_per_word - 1; + } + + mcspi_write_reg(master, OMAP2_MCSPI_XFERLEVEL, xferlevel); + mcspi_write_chconf0(spi, chconf); +- mcspi->fifo_depth = fifo_depth; ++ mcspi->fifo_depth = max_fifo_depth; + + return; + } +@@ -601,7 +598,6 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer) + struct dma_slave_config cfg; + enum dma_slave_buswidth width; + unsigned es; +- u32 burst; + void __iomem *chstat_reg; + void __iomem *irqstat_reg; + int wait_res; +@@ -623,22 +619,14 @@ omap2_mcspi_txrx_dma(struct spi_device *spi, struct spi_transfer *xfer) + } + + count = xfer->len; +- burst = 1; +- +- if (mcspi->fifo_depth > 0) { +- if (count > mcspi->fifo_depth) +- burst = mcspi->fifo_depth / es; +- else +- burst = count / es; +- } + + memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr = cs->phys + OMAP2_MCSPI_RX0; + cfg.dst_addr = cs->phys + OMAP2_MCSPI_TX0; + cfg.src_addr_width = width; + cfg.dst_addr_width = width; +- cfg.src_maxburst = burst; +- cfg.dst_maxburst = burst; ++ cfg.src_maxburst = es; ++ cfg.dst_maxburst = es; + + rx = xfer->rx_buf; + tx = xfer->tx_buf; +-- +2.20.1 + diff --git a/queue-4.9/spi-sh-msiof-fix-deferred-probing.patch b/queue-4.9/spi-sh-msiof-fix-deferred-probing.patch new file mode 100644 index 00000000000..797530b8c69 --- /dev/null +++ b/queue-4.9/spi-sh-msiof-fix-deferred-probing.patch @@ -0,0 +1,41 @@ +From fa0cfee1080bd4b1885a2c4c97df505fb43523aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Oct 2018 22:48:22 +0300 +Subject: spi: sh-msiof: fix deferred probing + +From: Sergei Shtylyov + +[ Upstream commit f34c6e6257aa477cdfe7e9bbbecd3c5648ecda69 ] + +Since commit 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +platform_get_irq() can return -EPROBE_DEFER. However, the driver overrides +an error returned by that function with -ENOENT which breaks the deferred +probing. Propagate upstream an error code returned by platform_get_irq() +and remove the bogus "platform" from the error message, while at it... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergei Shtylyov +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sh-msiof.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/spi/spi-sh-msiof.c b/drivers/spi/spi-sh-msiof.c +index 711ea523b3251..8a69148a962a8 100644 +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -1198,8 +1198,8 @@ static int sh_msiof_spi_probe(struct platform_device *pdev) + + i = platform_get_irq(pdev, 0); + if (i < 0) { +- dev_err(&pdev->dev, "cannot get platform IRQ\n"); +- ret = -ENOENT; ++ dev_err(&pdev->dev, "cannot get IRQ\n"); ++ ret = i; + goto err1; + } + +-- +2.20.1 + diff --git a/queue-4.9/sunrpc-fix-a-compile-warning-for-cmpxchg64.patch b/queue-4.9/sunrpc-fix-a-compile-warning-for-cmpxchg64.patch new file mode 100644 index 00000000000..422cc8ff449 --- /dev/null +++ b/queue-4.9/sunrpc-fix-a-compile-warning-for-cmpxchg64.patch @@ -0,0 +1,30 @@ +From 9d44217f88f37016090552b4f1f56c9ee1bb0b60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Oct 2018 17:03:56 -0400 +Subject: SUNRPC: Fix a compile warning for cmpxchg64() + +From: Trond Myklebust + +[ Upstream commit e732f4485a150492b286f3efc06f9b34dd6b9995 ] + +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/auth_gss/gss_krb5_seal.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sunrpc/auth_gss/gss_krb5_seal.c b/net/sunrpc/auth_gss/gss_krb5_seal.c +index 1d74d653e6c05..ad0dcb69395d7 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_seal.c ++++ b/net/sunrpc/auth_gss/gss_krb5_seal.c +@@ -63,6 +63,7 @@ + #include + #include + #include ++#include + + #if IS_ENABLED(CONFIG_SUNRPC_DEBUG) + # define RPCDBG_FACILITY RPCDBG_AUTH +-- +2.20.1 + diff --git a/queue-4.9/sunrpc-safely-reallow-resvport-min-max-inversion.patch b/queue-4.9/sunrpc-safely-reallow-resvport-min-max-inversion.patch new file mode 100644 index 00000000000..060e3b9e630 --- /dev/null +++ b/queue-4.9/sunrpc-safely-reallow-resvport-min-max-inversion.patch @@ -0,0 +1,124 @@ +From c93872757b46befffe8d673d6dc36eb99b2e180e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Oct 2018 15:27:02 -0400 +Subject: sunrpc: safely reallow resvport min/max inversion + +From: J. Bruce Fields + +[ Upstream commit 826799e66e8683e5698e140bb9ef69afc8c0014e ] + +Commits ffb6ca33b04b and e08ea3a96fc7 prevent setting xprt_min_resvport +greater than xprt_max_resvport, but may also break simple code that sets +one parameter then the other, if the new range does not overlap the old. + +Also it looks racy to me, unless there's some serialization I'm not +seeing. Granted it would probably require malicious privileged processes +(unless there's a chance these might eventually be settable in unprivileged +containers), but still it seems better not to let userspace panic the +kernel. + +Simpler seems to be to allow setting the parameters to whatever you want +but interpret xprt_min_resvport > xprt_max_resvport as the empty range. + +Fixes: ffb6ca33b04b "sunrpc: Prevent resvport min/max inversion..." +Fixes: e08ea3a96fc7 "sunrpc: Prevent rexvport min/max inversion..." +Signed-off-by: J. Bruce Fields +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/xprtsock.c | 34 ++++++++++++++++++---------------- + 1 file changed, 18 insertions(+), 16 deletions(-) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 280fb31787084..f3f05148922a1 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -124,7 +124,7 @@ static struct ctl_table xs_tunables_table[] = { + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = &xprt_min_resvport_limit, +- .extra2 = &xprt_max_resvport ++ .extra2 = &xprt_max_resvport_limit + }, + { + .procname = "max_resvport", +@@ -132,7 +132,7 @@ static struct ctl_table xs_tunables_table[] = { + .maxlen = sizeof(unsigned int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, +- .extra1 = &xprt_min_resvport, ++ .extra1 = &xprt_min_resvport_limit, + .extra2 = &xprt_max_resvport_limit + }, + { +@@ -1737,11 +1737,17 @@ static void xs_udp_timer(struct rpc_xprt *xprt, struct rpc_task *task) + xprt_adjust_cwnd(xprt, task, -ETIMEDOUT); + } + +-static unsigned short xs_get_random_port(void) ++static int xs_get_random_port(void) + { +- unsigned short range = xprt_max_resvport - xprt_min_resvport + 1; +- unsigned short rand = (unsigned short) prandom_u32() % range; +- return rand + xprt_min_resvport; ++ unsigned short min = xprt_min_resvport, max = xprt_max_resvport; ++ unsigned short range; ++ unsigned short rand; ++ ++ if (max < min) ++ return -EADDRINUSE; ++ range = max - min + 1; ++ rand = (unsigned short) prandom_u32() % range; ++ return rand + min; + } + + /** +@@ -1798,9 +1804,9 @@ static void xs_set_srcport(struct sock_xprt *transport, struct socket *sock) + transport->srcport = xs_sock_getport(sock); + } + +-static unsigned short xs_get_srcport(struct sock_xprt *transport) ++static int xs_get_srcport(struct sock_xprt *transport) + { +- unsigned short port = transport->srcport; ++ int port = transport->srcport; + + if (port == 0 && transport->xprt.resvport) + port = xs_get_random_port(); +@@ -1821,7 +1827,7 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock) + { + struct sockaddr_storage myaddr; + int err, nloop = 0; +- unsigned short port = xs_get_srcport(transport); ++ int port = xs_get_srcport(transport); + unsigned short last; + + /* +@@ -1839,8 +1845,8 @@ static int xs_bind(struct sock_xprt *transport, struct socket *sock) + * transport->xprt.resvport == 1) xs_get_srcport above will + * ensure that port is non-zero and we will bind as needed. + */ +- if (port == 0) +- return 0; ++ if (port <= 0) ++ return port; + + memcpy(&myaddr, &transport->srcaddr, transport->xprt.addrlen); + do { +@@ -3223,12 +3229,8 @@ static int param_set_uint_minmax(const char *val, + + static int param_set_portnr(const char *val, const struct kernel_param *kp) + { +- if (kp->arg == &xprt_min_resvport) +- return param_set_uint_minmax(val, kp, +- RPC_MIN_RESVPORT, +- xprt_max_resvport); + return param_set_uint_minmax(val, kp, +- xprt_min_resvport, ++ RPC_MIN_RESVPORT, + RPC_MAX_RESVPORT); + } + +-- +2.20.1 + diff --git a/queue-4.9/synclink_gt-fix-compat_ioctl.patch b/queue-4.9/synclink_gt-fix-compat_ioctl.patch new file mode 100644 index 00000000000..2a444ac6676 --- /dev/null +++ b/queue-4.9/synclink_gt-fix-compat_ioctl.patch @@ -0,0 +1,62 @@ +From 5c4857d3cb127f036a2ce4d7852d20407f3edba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 Sep 2018 20:57:18 -0400 +Subject: synclink_gt(): fix compat_ioctl() + +From: Al Viro + +[ Upstream commit 27230e51349fde075598c1b59d15e1ff802f3f6e ] + +compat_ptr() for pointer-taking ones... + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/tty/synclink_gt.c | 16 ++++------------ + 1 file changed, 4 insertions(+), 12 deletions(-) + +diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c +index 7aca2d4670e4a..e645ee1cfd989 100644 +--- a/drivers/tty/synclink_gt.c ++++ b/drivers/tty/synclink_gt.c +@@ -1187,14 +1187,13 @@ static long slgt_compat_ioctl(struct tty_struct *tty, + unsigned int cmd, unsigned long arg) + { + struct slgt_info *info = tty->driver_data; +- int rc = -ENOIOCTLCMD; ++ int rc; + + if (sanity_check(info, tty->name, "compat_ioctl")) + return -ENODEV; + DBGINFO(("%s compat_ioctl() cmd=%08X\n", info->device_name, cmd)); + + switch (cmd) { +- + case MGSL_IOCSPARAMS32: + rc = set_params32(info, compat_ptr(arg)); + break; +@@ -1214,18 +1213,11 @@ static long slgt_compat_ioctl(struct tty_struct *tty, + case MGSL_IOCWAITGPIO: + case MGSL_IOCGXSYNC: + case MGSL_IOCGXCTRL: +- case MGSL_IOCSTXIDLE: +- case MGSL_IOCTXENABLE: +- case MGSL_IOCRXENABLE: +- case MGSL_IOCTXABORT: +- case TIOCMIWAIT: +- case MGSL_IOCSIF: +- case MGSL_IOCSXSYNC: +- case MGSL_IOCSXCTRL: +- rc = ioctl(tty, cmd, arg); ++ rc = ioctl(tty, cmd, (unsigned long)compat_ptr(arg)); + break; ++ default: ++ rc = ioctl(tty, cmd, arg); + } +- + DBGINFO(("%s compat_ioctl() cmd=%08X rc=%d\n", info->device_name, cmd, rc)); + return rc; + } +-- +2.20.1 + diff --git a/queue-4.9/thermal-rcar_thermal-prevent-hardware-access-during-.patch b/queue-4.9/thermal-rcar_thermal-prevent-hardware-access-during-.patch new file mode 100644 index 00000000000..bcdbc8f72d2 --- /dev/null +++ b/queue-4.9/thermal-rcar_thermal-prevent-hardware-access-during-.patch @@ -0,0 +1,49 @@ +From 31f331cbbd981dac15f1084cde4a8db218c571bf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Oct 2018 09:20:15 +0200 +Subject: thermal: rcar_thermal: Prevent hardware access during system suspend +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Geert Uytterhoeven + +[ Upstream commit 3a31386217628ffe2491695be2db933c25dde785 ] + +On r8a7791/koelsch, sometimes the following message is printed during +system suspend: + + rcar_thermal e61f0000.thermal: thermal sensor was broken + +This happens if the workqueue runs while the device is already +suspended. Fix this by using the freezable system workqueue instead, +cfr. commit 51e20d0e3a60cf46 ("thermal: Prevent polling from happening +during system suspend"). + +Fixes: e0a5172e9eec7f0d ("thermal: rcar: add interrupt support") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Niklas Söderlund +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +--- + drivers/thermal/rcar_thermal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/rcar_thermal.c b/drivers/thermal/rcar_thermal.c +index 73e5fee6cf1d5..83126e2dce36d 100644 +--- a/drivers/thermal/rcar_thermal.c ++++ b/drivers/thermal/rcar_thermal.c +@@ -401,8 +401,8 @@ static irqreturn_t rcar_thermal_irq(int irq, void *data) + rcar_thermal_for_each_priv(priv, common) { + if (rcar_thermal_had_changed(priv, status)) { + rcar_thermal_irq_disable(priv); +- schedule_delayed_work(&priv->work, +- msecs_to_jiffies(300)); ++ queue_delayed_work(system_freezable_wq, &priv->work, ++ msecs_to_jiffies(300)); + } + } + +-- +2.20.1 + diff --git a/queue-4.9/um-make-line-tty-semantics-use-true-write-irq.patch b/queue-4.9/um-make-line-tty-semantics-use-true-write-irq.patch new file mode 100644 index 00000000000..3bf3a2db672 --- /dev/null +++ b/queue-4.9/um-make-line-tty-semantics-use-true-write-irq.patch @@ -0,0 +1,41 @@ +From 0b463edf28f52af6cb1409275fa3155d3b8ee1e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Sep 2018 08:47:13 +0100 +Subject: um: Make line/tty semantics use true write IRQ + +From: Anton Ivanov + +[ Upstream commit 917e2fd2c53eb3c4162f5397555cbd394390d4bc ] + +This fixes a long standing bug where large amounts of output +could freeze the tty (most commonly seen on stdio console). +While the bug has always been there it became more pronounced +after moving to the new interrupt controller. + +The line semantics are now changed to have true IRQ write +semantics which should further improve the tty/line subsystem +stability and performance + +Signed-off-by: Anton Ivanov +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/drivers/line.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/um/drivers/line.c b/arch/um/drivers/line.c +index 62087028a9ce1..d2ad45c101137 100644 +--- a/arch/um/drivers/line.c ++++ b/arch/um/drivers/line.c +@@ -260,7 +260,7 @@ static irqreturn_t line_write_interrupt(int irq, void *data) + if (err == 0) { + spin_unlock(&line->lock); + return IRQ_NONE; +- } else if (err < 0) { ++ } else if ((err < 0) && (err != -EAGAIN)) { + line->head = line->buffer; + line->tail = line->buffer; + } +-- +2.20.1 + diff --git a/queue-4.9/usb-misc-appledisplay-fix-backlight-update_status-re.patch b/queue-4.9/usb-misc-appledisplay-fix-backlight-update_status-re.patch new file mode 100644 index 00000000000..eaa03af870c --- /dev/null +++ b/queue-4.9/usb-misc-appledisplay-fix-backlight-update_status-re.patch @@ -0,0 +1,50 @@ +From 3eb6dcfa8887c82cabafb0142ac38a0e7ff32f3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 14:20:08 +0200 +Subject: USB: misc: appledisplay: fix backlight update_status return code + +From: Mattias Jacobsson <2pi@mok.nu> + +[ Upstream commit 090158555ff8d194a98616034100b16697dd80d0 ] + +Upon success the update_status handler returns a positive number +corresponding to the number of bytes transferred by usb_control_msg. +However the return code of the update_status handler should indicate if +an error occurred(negative) or how many bytes of the user's input to sysfs +that was consumed. Return code zero indicates all bytes were consumed. + +The bug can for example result in the update_status handler being called +twice, the second time with only the "unconsumed" part of the user's input +to sysfs. Effectively setting an incorrect brightness. + +Change the update_status handler to return zero for all successful +transactions and forward usb_control_msg's error code upon failure. + +Signed-off-by: Mattias Jacobsson <2pi@mok.nu> +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/misc/appledisplay.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c +index b8092bcf89a29..140af7754c1e6 100644 +--- a/drivers/usb/misc/appledisplay.c ++++ b/drivers/usb/misc/appledisplay.c +@@ -160,8 +160,11 @@ static int appledisplay_bl_update_status(struct backlight_device *bd) + pdata->msgdata, 2, + ACD_USB_TIMEOUT); + mutex_unlock(&pdata->sysfslock); +- +- return retval; ++ ++ if (retval < 0) ++ return retval; ++ else ++ return 0; + } + + static int appledisplay_bl_get_brightness(struct backlight_device *bd) +-- +2.20.1 + diff --git a/queue-4.9/usbip-tools-fix-atoi-on-non-null-terminated-string.patch b/queue-4.9/usbip-tools-fix-atoi-on-non-null-terminated-string.patch new file mode 100644 index 00000000000..a7f3e546d77 --- /dev/null +++ b/queue-4.9/usbip-tools-fix-atoi-on-non-null-terminated-string.patch @@ -0,0 +1,60 @@ +From faf287416ee584650a2e4556828560872ee1e581 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 19:03:43 +0100 +Subject: usbip: tools: fix atoi() on non-null terminated string + +From: Colin Ian King + +[ Upstream commit e325808c0051b16729ffd472ff887c6cae5c6317 ] + +Currently the call to atoi is being passed a single char string +that is not null terminated, so there is a potential read overrun +along the stack when parsing for an integer value. Fix this by +instead using a 2 char string that is initialized to all zeros +to ensure that a 1 char read into the string is always terminated +with a \0. + +Detected by cppcheck: +"Invalid atoi() argument nr 1. A nul-terminated string is required." + +Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + tools/usb/usbip/libsrc/usbip_host_common.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/usb/usbip/libsrc/usbip_host_common.c b/tools/usb/usbip/libsrc/usbip_host_common.c +index 6ff7b601f8545..f5ad219a324e8 100644 +--- a/tools/usb/usbip/libsrc/usbip_host_common.c ++++ b/tools/usb/usbip/libsrc/usbip_host_common.c +@@ -43,7 +43,7 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) + int size; + int fd; + int length; +- char status; ++ char status[2] = { 0 }; + int value = 0; + + size = snprintf(status_attr_path, sizeof(status_attr_path), +@@ -61,14 +61,14 @@ static int32_t read_attr_usbip_status(struct usbip_usb_device *udev) + return -1; + } + +- length = read(fd, &status, 1); ++ length = read(fd, status, 1); + if (length < 0) { + err("error reading attribute %s", status_attr_path); + close(fd); + return -1; + } + +- value = atoi(&status); ++ value = atoi(status); + + return value; + } +-- +2.20.1 + diff --git a/queue-4.9/wireless-airo-potential-buffer-overflow-in-sprintf.patch b/queue-4.9/wireless-airo-potential-buffer-overflow-in-sprintf.patch new file mode 100644 index 00000000000..7976dd9b0ff --- /dev/null +++ b/queue-4.9/wireless-airo-potential-buffer-overflow-in-sprintf.patch @@ -0,0 +1,40 @@ +From dbb6e66cc1dd6daa8b94999cccf516876dbfa50d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Oct 2018 11:33:34 +0300 +Subject: wireless: airo: potential buffer overflow in sprintf() + +From: Dan Carpenter + +[ Upstream commit 3d39e1bb1c88f32820c5f9271f2c8c2fb9a52bac ] + +It looks like we wanted to print a maximum of BSSList_rid.ssidLen bytes +of the ssid, but we accidentally use "%*s" (width) instead of "%.*s" +(precision) so if the ssid doesn't have a NUL terminator this could lead +to an overflow. + +Static analysis. Not tested. + +Fixes: e174961ca1a0 ("net: convert print_mac to %pM") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/cisco/airo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/cisco/airo.c b/drivers/net/wireless/cisco/airo.c +index 69b826d229c5b..04939e576ee02 100644 +--- a/drivers/net/wireless/cisco/airo.c ++++ b/drivers/net/wireless/cisco/airo.c +@@ -5472,7 +5472,7 @@ static int proc_BSSList_open( struct inode *inode, struct file *file ) { + we have to add a spin lock... */ + rc = readBSSListRid(ai, doLoseSync, &BSSList_rid); + while(rc == 0 && BSSList_rid.index != cpu_to_le16(0xffff)) { +- ptr += sprintf(ptr, "%pM %*s rssi = %d", ++ ptr += sprintf(ptr, "%pM %.*s rssi = %d", + BSSList_rid.bssid, + (int)BSSList_rid.ssidLen, + BSSList_rid.ssid, +-- +2.20.1 + diff --git a/queue-4.9/wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch b/queue-4.9/wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch new file mode 100644 index 00000000000..258ddf05666 --- /dev/null +++ b/queue-4.9/wlcore-fix-the-return-value-in-case-of-error-in-wlco.patch @@ -0,0 +1,41 @@ +From 3e1a3979e34657fedfa19644c7b3dcd52b574751 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Oct 2018 09:39:40 +0200 +Subject: wlcore: Fix the return value in case of error in + 'wlcore_vendor_cmd_smart_config_start()' + +From: Christophe JAILLET + +[ Upstream commit 3419348a97bcc256238101129d69b600ceb5cc70 ] + +We return 0 unconditionally at the end of +'wlcore_vendor_cmd_smart_config_start()'. +However, 'ret' is set to some error codes in several error handling paths +and we already return some error codes at the beginning of the function. + +Return 'ret' instead to propagate the error code. + +Fixes: 80ff8063e87c ("wlcore: handle smart config vendor commands") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ti/wlcore/vendor_cmd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ti/wlcore/vendor_cmd.c b/drivers/net/wireless/ti/wlcore/vendor_cmd.c +index fd4e9ba176c9b..332a3a5c1c900 100644 +--- a/drivers/net/wireless/ti/wlcore/vendor_cmd.c ++++ b/drivers/net/wireless/ti/wlcore/vendor_cmd.c +@@ -66,7 +66,7 @@ wlcore_vendor_cmd_smart_config_start(struct wiphy *wiphy, + out: + mutex_unlock(&wl->mutex); + +- return 0; ++ return ret; + } + + static int +-- +2.20.1 + diff --git a/queue-4.9/xfs-fix-use-after-free-race-in-xfs_buf_rele.patch b/queue-4.9/xfs-fix-use-after-free-race-in-xfs_buf_rele.patch new file mode 100644 index 00000000000..4bc469adae1 --- /dev/null +++ b/queue-4.9/xfs-fix-use-after-free-race-in-xfs_buf_rele.patch @@ -0,0 +1,123 @@ +From 5627b1716e4cd9658bd61e306607ff7fc33126ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Oct 2018 17:21:29 +1100 +Subject: xfs: fix use-after-free race in xfs_buf_rele + +From: Dave Chinner + +[ Upstream commit 37fd1678245f7a5898c1b05128bc481fb403c290 ] + +When looking at a 4.18 based KASAN use after free report, I noticed +that racing xfs_buf_rele() may race on dropping the last reference +to the buffer and taking the buffer lock. This was the symptom +displayed by the KASAN report, but the actual issue that was +reported had already been fixed in 4.19-rc1 by commit e339dd8d8b04 +("xfs: use sync buffer I/O for sync delwri queue submission"). + +Despite this, I think there is still an issue with xfs_buf_rele() +in this code: + + release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock); + spin_lock(&bp->b_lock); + if (!release) { +..... + +If two threads race on the b_lock after both dropping a reference +and one getting dropping the last reference so release = true, we +end up with: + +CPU 0 CPU 1 +atomic_dec_and_lock() + atomic_dec_and_lock() + spin_lock(&bp->b_lock) +spin_lock(&bp->b_lock) + + b_lru_ref = 0> + + freebuf = true + spin_unlock(&bp->b_lock) + xfs_buf_free(bp) + + +spin_unlock(&bp->b_lock) + +IOWs, we can't safely take bp->b_lock after dropping the hold +reference because the buffer may go away at any time after we +drop that reference. However, this can be fixed simply by taking the +bp->b_lock before we drop the reference. + +It is safe to nest the pag_buf_lock inside bp->b_lock as the +pag_buf_lock is only used to serialise against lookup in +xfs_buf_find() and no other locks are held over or under the +pag_buf_lock there. Make this clear by documenting the buffer lock +orders at the top of the file. + +Signed-off-by: Dave Chinner +Reviewed-by: Brian Foster +Reviewed-by: Carlos Maiolino +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_buf.c | 38 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 37 insertions(+), 1 deletion(-) + +diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c +index 651755353374d..0b58b9d419e84 100644 +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -57,6 +57,32 @@ static kmem_zone_t *xfs_buf_zone; + #define xb_to_gfp(flags) \ + ((((flags) & XBF_READ_AHEAD) ? __GFP_NORETRY : GFP_NOFS) | __GFP_NOWARN) + ++/* ++ * Locking orders ++ * ++ * xfs_buf_ioacct_inc: ++ * xfs_buf_ioacct_dec: ++ * b_sema (caller holds) ++ * b_lock ++ * ++ * xfs_buf_stale: ++ * b_sema (caller holds) ++ * b_lock ++ * lru_lock ++ * ++ * xfs_buf_rele: ++ * b_lock ++ * pag_buf_lock ++ * lru_lock ++ * ++ * xfs_buftarg_wait_rele ++ * lru_lock ++ * b_lock (trylock due to inversion) ++ * ++ * xfs_buftarg_isolate ++ * lru_lock ++ * b_lock (trylock due to inversion) ++ */ + + static inline int + xfs_buf_is_vmapped( +@@ -957,8 +983,18 @@ xfs_buf_rele( + + ASSERT(atomic_read(&bp->b_hold) > 0); + +- release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock); ++ /* ++ * We grab the b_lock here first to serialise racing xfs_buf_rele() ++ * calls. The pag_buf_lock being taken on the last reference only ++ * serialises against racing lookups in xfs_buf_find(). IOWs, the second ++ * to last reference we drop here is not serialised against the last ++ * reference until we take bp->b_lock. Hence if we don't grab b_lock ++ * first, the last "release" reference can win the race to the lock and ++ * free the buffer before the second-to-last reference is processed, ++ * leading to a use-after-free scenario. ++ */ + spin_lock(&bp->b_lock); ++ release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock); + if (!release) { + /* + * Drop the in-flight state if the buffer is already on the LRU +-- +2.20.1 +