From: Greg Kroah-Hartman Date: Sat, 28 Jul 2018 10:49:43 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.17.12~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3e1d17a7e0345289bb10356b62aff7b5f1a1e56d;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch alsa-fm801-add-error-handling-for-snd_ctl_add.patch alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch ath-add-regulatory-mapping-for-apl13_world.patch ath-add-regulatory-mapping-for-apl2_fcca.patch ath-add-regulatory-mapping-for-bahamas.patch ath-add-regulatory-mapping-for-bermuda.patch ath-add-regulatory-mapping-for-etsi8_world.patch ath-add-regulatory-mapping-for-fcc3_etsic.patch ath-add-regulatory-mapping-for-serbia.patch ath-add-regulatory-mapping-for-tanzania.patch ath-add-regulatory-mapping-for-uganda.patch bpf-fix-references-to-free_bpf_prog_info-in-comments.patch crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch drm-radeon-fix-mode_valid-s-return-type.patch fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch hid-i2c-hid-check-if-device-is-there-before-really-probing.patch hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch infiniband-fix-a-possible-use-after-free-bug.patch ipconfig-correctly-initialise-ic_nameservers.patch libata-fix-command-retry-decision.patch md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch media-saa7164-fix-driver-name-in-debug-output.patch media-si470x-fix-__be16-annotations.patch media-siano-get-rid-of-__le32-__le16-cast-warnings.patch 
media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch microblaze-fix-simpleimage-format-generation.patch mm-slub.c-add-__printf-verification-to-slab_err.patch mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch mwifiex-handle-race-during-mwifiex_usb_disconnect.patch pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch perf-fix-invalid-bit-in-diagnostic-entry.patch perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch powerpc-32-add-a-missing-include-header.patch powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch powerpc-powermac-mark-variable-x-as-unused.patch rdma-mad-convert-bug_ons-to-error-flows.patch regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch rsi-fix-invalid-vdd-warning-in-mmc.patch rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch scsi-3w-9xxx-fix-a-missing-check-bug.patch scsi-3w-xxxx-fix-a-missing-check-bug.patch scsi-megaraid-silence-a-static-checker-bug.patch scsi-ufs-fix-exception-event-handling.patch tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch --- 
diff --git a/queue-3.18/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch b/queue-3.18/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch
new file mode 100644
index 00000000000..72f91de89d9
--- /dev/null
+++ b/queue-3.18/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch
@@ -0,0 +1,35 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Zhouyang Jia
+Date: Mon, 11 Jun 2018 16:18:40 +0800
+Subject: ALSA: emu10k1: add error handling for snd_ctl_add
+
+From: Zhouyang Jia
+
+[ Upstream commit 6d531e7b972cb62ded011c2dfcc2d9f72ea6c421 ]
+
+When snd_ctl_add fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling snd_ctl_add.
+
+Signed-off-by: Zhouyang Jia
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/emu10k1/emupcm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/emu10k1/emupcm.c
++++ b/sound/pci/emu10k1/emupcm.c
+@@ -1875,7 +1875,9 @@ int snd_emu10k1_pcm_efx(struct snd_emu10
+ if (!kctl)
+ return -ENOMEM;
+ kctl->id.device = device;
+- snd_ctl_add(emu->card, kctl);
++ err = snd_ctl_add(emu->card, kctl);
++ if (err < 0)
++ return err;
+
+ snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(emu->pci), 64*1024, 64*1024);
+
diff --git a/queue-3.18/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch b/queue-3.18/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch
new file mode 100644
index 00000000000..e1fa24c5df6
--- /dev/null
+++ b/queue-3.18/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch
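Review bot: The new early return in the emupcm.c hunk of alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch has no comment explaining why `kctl` needs no cleanup on the failure path. snd_ctl_add() releases the control itself when it fails, so the bare `return err;` does not leak it, but a reader cannot tell that from these lines; a short comment above the check such as `/* snd_ctl_add() frees kctl on failure */` would make it explicit. The body of snd_emu10k1_pcm_efx starts and ends outside the hunk, so the declaration of `err` and what happens to the already-created PCM on this path are not visible here and are worth confirming against the 3.18 tree.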
@@ -0,0 +1,49 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Takashi Iwai
+Date: Thu, 17 May 2018 20:02:23 +0200
+Subject: ALSA: emu10k1: Rate-limit error messages about page errors
+
+From: Takashi Iwai
+
+[ Upstream commit 11d42c81036324697d367600bfc16f6dd37636fd ]
+
+The error messages at sanity checks of memory pages tend to repeat too
+many times once when it hits, and without the rate limit, it may flood
+and become unreadable. Replace such messages with the *_ratelimited()
+variant.
+
+Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1093027
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/emu10k1/memory.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/emu10k1/memory.c
++++ b/sound/pci/emu10k1/memory.c
+@@ -237,13 +237,13 @@ __found_pages:
+ static int is_valid_page(struct snd_emu10k1 *emu, dma_addr_t addr)
+ {
+ if (addr & ~emu->dma_mask) {
+- dev_err(emu->card->dev,
++ dev_err_ratelimited(emu->card->dev,
+ "max memory size is 0x%lx (addr = 0x%lx)!!\n",
+ emu->dma_mask, (unsigned long)addr);
+ return 0;
+ }
+ if (addr & (EMUPAGESIZE-1)) {
+- dev_err(emu->card->dev, "page is not aligned\n");
++ dev_err_ratelimited(emu->card->dev, "page is not aligned\n");
+ return 0;
+ }
+ return 1;
+@@ -334,7 +334,7 @@ snd_emu10k1_alloc_pages(struct snd_emu10
+ else
+ addr = snd_pcm_sgbuf_get_addr(substream, ofs);
+ if (! is_valid_page(emu, addr)) {
+- dev_err(emu->card->dev,
++ dev_err_ratelimited(emu->card->dev,
+ "emu: failure page = %d\n", idx);
+ mutex_unlock(&hdr->block_mutex);
+ return NULL;
diff --git a/queue-3.18/alsa-fm801-add-error-handling-for-snd_ctl_add.patch b/queue-3.18/alsa-fm801-add-error-handling-for-snd_ctl_add.patch
new file mode 100644
index 00000000000..06b7a132a21
--- /dev/null
+++ b/queue-3.18/alsa-fm801-add-error-handling-for-snd_ctl_add.patch
@@ -0,0 +1,49 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Zhouyang Jia
+Date: Mon, 11 Jun 2018 16:04:06 +0800
+Subject: ALSA: fm801: add error handling for snd_ctl_add
+
+From: Zhouyang Jia
+
+[ Upstream commit ef1ffbe7889e99f5b5cccb41c89e5c94f50f3218 ]
+
+When snd_ctl_add fails, the lack of error-handling code may
+cause unexpected results.
+
+This patch adds error-handling code after calling snd_ctl_add.
+
+Signed-off-by: Zhouyang Jia
+Acked-by: Andy Shevchenko
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/fm801.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/sound/pci/fm801.c
++++ b/sound/pci/fm801.c
+@@ -1070,11 +1070,19 @@ static int snd_fm801_mixer(struct fm801
+ if ((err = snd_ac97_mixer(chip->ac97_bus, &ac97, &chip->ac97_sec)) < 0)
+ return err;
+ }
+- for (i = 0; i < FM801_CONTROLS; i++)
+- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls[i], chip));
++ for (i = 0; i < FM801_CONTROLS; i++) {
++ err = snd_ctl_add(chip->card,
++ snd_ctl_new1(&snd_fm801_controls[i], chip));
++ if (err < 0)
++ return err;
++ }
+ if (chip->multichannel) {
+- for (i = 0; i < FM801_CONTROLS_MULTI; i++)
+- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls_multi[i], chip));
++ for (i = 0; i < FM801_CONTROLS_MULTI; i++) {
++ err = snd_ctl_add(chip->card,
++ snd_ctl_new1(&snd_fm801_controls_multi[i], chip));
++ if (err < 0)
++ return err;
++ }
+ }
+ return 0;
+ }
diff --git a/queue-3.18/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch b/queue-3.18/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch
new file mode 100644
index 00000000000..df77667eff1
--- /dev/null
+++ b/queue-3.18/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch
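Review bot: In the fm801.c hunk of alsa-fm801-add-error-handling-for-snd_ctl_add.patch, the result of `snd_ctl_new1()` is still passed straight into `snd_ctl_add()`, so an allocation failure is only caught indirectly. snd_ctl_add() rejects a NULL control, but as far as I recall it does so with -EINVAL, which would make snd_fm801_mixer report an out-of-memory condition as an invalid argument. Splitting the call, e.g. `kctl = snd_ctl_new1(&snd_fm801_controls[i], chip);` followed by `if (!kctl) return -ENOMEM;`, keeps the error code accurate; the same applies to the FM801_CONTROLS_MULTI loop. The start of snd_fm801_mixer is outside the hunk.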
@@ -0,0 +1,51 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Takashi Sakamoto
+Date: Wed, 2 May 2018 22:48:16 +0900
+Subject: ALSA: hda/ca0132: fix build failure when a local macro is defined
+
+From: Takashi Sakamoto
+
+[ Upstream commit 8e142e9e628975b0dddd05cf1b095331dff6e2de ]
+
+DECLARE_TLV_DB_SCALE (alias of SNDRV_CTL_TLVD_DECLARE_DB_SCALE) is used but
+tlv.h is not included. This causes build failure when local macro is
+defined by comment-out.
+
+This commit fixes the bug. At the same time, the alias macro is replaced
+with a destination macro added at a commit 46e860f76804 ("ALSA: rename
+TLV-related macros so that they're friendly to user applications")
+
+Reported-by: Connor McAdams
+Fixes: 44f0c9782cc6 ('ALSA: hda/ca0132: Add tuning controls')
+Signed-off-by: Takashi Sakamoto
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_ca0132.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -38,6 +38,10 @@
+ /* Enable this to see controls for tuning purpose. */
+ /*#define ENABLE_TUNING_CONTROLS*/
+
++#ifdef ENABLE_TUNING_CONTROLS
++#include
++#endif
++
+ #define FLOAT_ZERO 0x00000000
+ #define FLOAT_ONE 0x3f800000
+ #define FLOAT_TWO 0x40000000
+@@ -3037,8 +3041,8 @@ static int equalizer_ctl_put(struct snd_
+ return 1;
+ }
+
+-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
+-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0);
++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0);
++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0);
+
+ static int add_tuning_control(struct hda_codec *codec,
+ hda_nid_t pnid, hda_nid_t nid,
diff --git a/queue-3.18/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch b/queue-3.18/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch
new file mode 100644
index 00000000000..859a1dc1515
--- /dev/null
+++ b/queue-3.18/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch
@@ -0,0 +1,32 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Takashi Iwai
+Date: Wed, 16 May 2018 20:07:18 +0200
+Subject: ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback
+
+From: Takashi Iwai
+
+[ Upstream commit 377a879d9832f4ba69bd6a1fc996bb4181b1e504 ]
+
+retire_capture_urb() may print warning messages when the given URB
+doesn't align, and this may flood the system log easily.
+Put the rate limit to the message for avoiding it.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1093485
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/pcm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1263,7 +1263,7 @@ static void retire_capture_urb(struct sn
+ if (bytes % (runtime->sample_bits >> 3) != 0) {
+ int oldbytes = bytes;
+ bytes = frames * stride;
+- dev_warn(&subs->dev->dev,
++ dev_warn_ratelimited(&subs->dev->dev,
+ "Corrected urb data len. %d->%d\n",
+ oldbytes, bytes);
+ }
diff --git a/queue-3.18/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch b/queue-3.18/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch
new file mode 100644
index 00000000000..f39e264976e
--- /dev/null
+++ b/queue-3.18/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Kai Chieh Chuang
+Date: Mon, 28 May 2018 10:18:18 +0800
+Subject: ASoC: dpcm: fix BE dai not hw_free and shutdown
+
+From: Kai Chieh Chuang
+
+[ Upstream commit 9c0ac70ad24d76b873c1551e27790c7f6a815d5c ]
+
+In case, one BE is used by two FE1/FE2
+FE1--->BE-->
+ |
+FE2----]
+when FE1/FE2 call dpcm_be_dai_hw_free() together
+the BE users will be 2 (> 1), hence cannot be hw_free
+the be state will leave at, ex. SND_SOC_DPCM_STATE_STOP
+
+later FE1/FE2 call dpcm_be_dai_shutdown(),
+will be skip due to wrong state.
+leaving the BE not being hw_free and shutdown.
+
+The BE dai will be hw_free later when calling
+dpcm_be_dai_shutdown() if still in invalid state.
+
+Signed-off-by: KaiChieh Chuang
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-pcm.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-pcm.c
++++ b/sound/soc/soc-pcm.c
+@@ -1611,8 +1611,10 @@ int dpcm_be_dai_shutdown(struct snd_soc_
+ continue;
+
+ if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) &&
+- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN))
+- continue;
++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) {
++ soc_pcm_hw_free(be_substream);
++ be->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_FREE;
++ }
+
+ dev_dbg(be->dev, "ASoC: close BE %s\n",
+ dpcm->fe->dai_link->name);
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-apl13_world.patch b/queue-3.18/ath-add-regulatory-mapping-for-apl13_world.patch
new file mode 100644
index 00000000000..56f1df27d36
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-apl13_world.patch
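Review bot: The rewritten branch in the soc-pcm.c hunk of asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch calls `soc_pcm_hw_free(be_substream)` for every state other than HW_FREE and OPEN, and it discards the return value. That covers the STOP case described in the commit message, but it would also run for any other state that reaches this point (whether one in which hw_params was never applied can get here is not visible in these lines), and a failing hw_free is followed unconditionally by forcing the state to `SND_SOC_DPCM_STATE_HW_FREE`. I would add a comment above the block naming the states expected here and saying why the result is ignored, for example `/* BE was left un-freed because another FE still held it during hw_free; release it now, best effort */`. The loop body in dpcm_be_dai_shutdown starts and ends outside the hunk.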
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:11:14 +0300
+Subject: ath: Add regulatory mapping for APL13_WORLD
+
+From: Sven Eckelmann
+
+[ Upstream commit 9ba8df0c52b3e6baa436374b429d3d73bd09a320 ]
+
+The regdomain code is used to select the correct the correct conformance
+test limits (CTL) for a country. If the regdomain code isn't available and
+it is still programmed in the EEPROM then it will cause an error and stop
+the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this regdomain code are:
+
+* 2.4GHz: ETSI
+* 5GHz: ETSI
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd_common.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -69,6 +69,7 @@ enum EnumRd {
+ APL1_ETSIC = 0x55,
+ APL2_ETSIC = 0x56,
+ APL5_WORLD = 0x58,
++ APL13_WORLD = 0x5A,
+ APL6_WORLD = 0x5B,
+ APL7_FCCA = 0x5C,
+ APL8_WORLD = 0x5D,
+@@ -195,6 +196,7 @@ static struct reg_dmn_pair_mapping regDo
+ {APL3_WORLD, CTL_FCC, CTL_ETSI},
+ {APL4_WORLD, CTL_FCC, CTL_ETSI},
+ {APL5_WORLD, CTL_FCC, CTL_ETSI},
++ {APL13_WORLD, CTL_ETSI, CTL_ETSI},
+ {APL6_WORLD, CTL_ETSI, CTL_ETSI},
+ {APL8_WORLD, CTL_ETSI, CTL_ETSI},
+ {APL9_WORLD, CTL_ETSI, CTL_ETSI},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-apl2_fcca.patch b/queue-3.18/ath-add-regulatory-mapping-for-apl2_fcca.patch
new file mode 100644
index 00000000000..b0ae95a625b
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-apl2_fcca.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:11:05 +0300
+Subject: ath: Add regulatory mapping for APL2_FCCA
+
+From: Sven Eckelmann
+
+[ Upstream commit 4f183687e3fad3ce0e06e38976cad81bc4541990 ]
+
+The regdomain code is used to select the correct the correct conformance
+test limits (CTL) for a country. If the regdomain code isn't available and
+it is still programmed in the EEPROM then it will cause an error and stop
+the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this regdomain code are:
+
+* 2.4GHz: FCC
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd_common.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -61,6 +61,7 @@ enum EnumRd {
+ MKK1_MKKA1 = 0x4A,
+ MKK1_MKKA2 = 0x4B,
+ MKK1_MKKC = 0x4C,
++ APL2_FCCA = 0x4D,
+
+ APL3_FCCA = 0x50,
+ APL1_WORLD = 0x52,
+@@ -193,6 +194,7 @@ static struct reg_dmn_pair_mapping regDo
+ {FCC1_FCCA, CTL_FCC, CTL_FCC},
+ {APL1_WORLD, CTL_FCC, CTL_ETSI},
+ {APL2_WORLD, CTL_FCC, CTL_ETSI},
++ {APL2_FCCA, CTL_FCC, CTL_FCC},
+ {APL3_WORLD, CTL_FCC, CTL_ETSI},
+ {APL4_WORLD, CTL_FCC, CTL_ETSI},
+ {APL5_WORLD, CTL_FCC, CTL_ETSI},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-bahamas.patch b/queue-3.18/ath-add-regulatory-mapping-for-bahamas.patch
new file mode 100644
index 00000000000..71108804c45
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-bahamas.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:09:53 +0300
+Subject: ath: Add regulatory mapping for Bahamas
+
+From: Sven Eckelmann
+
+[ Upstream commit 699e2302c286a14afe7b7394151ce6c4e1790cc1 ]
+
+The country code is used by the ath to detect the ISO 3166-1 alpha-2 name
+and to select the correct conformance test limits (CTL) for a country. If
+the country isn't available and it is still programmed in the EEPROM then
+it will cause an error and stop the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this country are:
+
+* 2.4GHz: ETSI
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd.h | 1 +
+ drivers/net/wireless/ath/regd_common.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd.h
++++ b/drivers/net/wireless/ath/regd.h
+@@ -68,6 +68,7 @@ enum CountryCode {
+ CTRY_AUSTRALIA = 36,
+ CTRY_AUSTRIA = 40,
+ CTRY_AZERBAIJAN = 31,
++ CTRY_BAHAMAS = 44,
+ CTRY_BAHRAIN = 48,
+ CTRY_BANGLADESH = 50,
+ CTRY_BARBADOS = 52,
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -306,6 +306,7 @@ static struct country_code_to_enum_rd al
+ {CTRY_AUSTRALIA2, FCC6_WORLD, "AU"},
+ {CTRY_AUSTRIA, ETSI1_WORLD, "AT"},
+ {CTRY_AZERBAIJAN, ETSI4_WORLD, "AZ"},
++ {CTRY_BAHAMAS, FCC3_WORLD, "BS"},
+ {CTRY_BAHRAIN, APL6_WORLD, "BH"},
+ {CTRY_BANGLADESH, NULL1_WORLD, "BD"},
+ {CTRY_BARBADOS, FCC2_WORLD, "BB"},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-bermuda.patch b/queue-3.18/ath-add-regulatory-mapping-for-bermuda.patch
new file mode 100644
index 00000000000..68bdd9315ed
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-bermuda.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:09:59 +0300
+Subject: ath: Add regulatory mapping for Bermuda
+
+From: Sven Eckelmann
+
+[ Upstream commit 9c790f2d234f65697e3b0948adbfdf36dbe63dd7 ]
+
+The country code is used by the ath to detect the ISO 3166-1 alpha-2 name
+and to select the correct conformance test limits (CTL) for a country. If
+the country isn't available and it is still programmed in the EEPROM then
+it will cause an error and stop the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this country are:
+
+* 2.4GHz: FCC
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd.h | 1 +
+ drivers/net/wireless/ath/regd_common.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd.h
++++ b/drivers/net/wireless/ath/regd.h
+@@ -74,6 +74,7 @@ enum CountryCode {
+ CTRY_BELARUS = 112,
+ CTRY_BELGIUM = 56,
+ CTRY_BELIZE = 84,
++ CTRY_BERMUDA = 60,
+ CTRY_BOLIVIA = 68,
+ CTRY_BOSNIA_HERZ = 70,
+ CTRY_BRAZIL = 76,
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -313,6 +313,7 @@ static struct country_code_to_enum_rd al
+ {CTRY_BELGIUM, ETSI1_WORLD, "BE"},
+ {CTRY_BELGIUM2, ETSI4_WORLD, "BL"},
+ {CTRY_BELIZE, APL1_ETSIC, "BZ"},
++ {CTRY_BERMUDA, FCC3_FCCA, "BM"},
+ {CTRY_BOLIVIA, APL1_ETSIC, "BO"},
+ {CTRY_BOSNIA_HERZ, ETSI1_WORLD, "BA"},
+ {CTRY_BRAZIL, FCC3_WORLD, "BR"},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-etsi8_world.patch b/queue-3.18/ath-add-regulatory-mapping-for-etsi8_world.patch
new file mode 100644
index 00000000000..ce1cbde66a4
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-etsi8_world.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:11:18 +0300
+Subject: ath: Add regulatory mapping for ETSI8_WORLD
+
+From: Sven Eckelmann
+
+[ Upstream commit 45faf6e096da8bb80e1ddf8c08a26a9601d9469e ]
+
+The regdomain code is used to select the correct the correct conformance
+test limits (CTL) for a country. If the regdomain code isn't available and
+it is still programmed in the EEPROM then it will cause an error and stop
+the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this regdomain code are:
+
+* 2.4GHz: ETSI
+* 5GHz: ETSI
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd_common.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -45,6 +45,7 @@ enum EnumRd {
+ ETSI4_ETSIC = 0x38,
+ ETSI5_WORLD = 0x39,
+ ETSI6_WORLD = 0x34,
++ ETSI8_WORLD = 0x3D,
+ ETSI_RESERVED = 0x33,
+
+ MKK1_MKKA = 0x40,
+@@ -181,6 +182,7 @@ static struct reg_dmn_pair_mapping regDo
+ {ETSI4_WORLD, CTL_ETSI, CTL_ETSI},
+ {ETSI5_WORLD, CTL_ETSI, CTL_ETSI},
+ {ETSI6_WORLD, CTL_ETSI, CTL_ETSI},
++ {ETSI8_WORLD, CTL_ETSI, CTL_ETSI},
+
+ /* XXX: For ETSI3_ETSIA, Was NO_CTL meant for the 2 GHz band ? */
+ {ETSI3_ETSIA, CTL_ETSI, CTL_ETSI},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-fcc3_etsic.patch b/queue-3.18/ath-add-regulatory-mapping-for-fcc3_etsic.patch
new file mode 100644
index 00000000000..199972cc9ad
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-fcc3_etsic.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:11:30 +0300
+Subject: ath: Add regulatory mapping for FCC3_ETSIC
+
+From: Sven Eckelmann
+
+[ Upstream commit 01fb2994a98dc72c8818c274f7b5983d5dd885c7 ]
+
+The regdomain code is used to select the correct the correct conformance
+test limits (CTL) for a country. If the regdomain code isn't available and
+it is still programmed in the EEPROM then it will cause an error and stop
+the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this regdomain code are:
+
+* 2.4GHz: ETSI
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd_common.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -35,6 +35,7 @@ enum EnumRd {
+ FRANCE_RES = 0x31,
+ FCC3_FCCA = 0x3A,
+ FCC3_WORLD = 0x3B,
++ FCC3_ETSIC = 0x3F,
+
+ ETSI1_WORLD = 0x37,
+ ETSI3_ETSIA = 0x32,
+@@ -168,6 +169,7 @@ static struct reg_dmn_pair_mapping regDo
+ {FCC2_ETSIC, CTL_FCC, CTL_ETSI},
+ {FCC3_FCCA, CTL_FCC, CTL_FCC},
+ {FCC3_WORLD, CTL_FCC, CTL_ETSI},
++ {FCC3_ETSIC, CTL_FCC, CTL_ETSI},
+ {FCC4_FCCA, CTL_FCC, CTL_FCC},
+ {FCC5_FCCA, CTL_FCC, CTL_FCC},
+ {FCC6_FCCA, CTL_FCC, CTL_FCC},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-serbia.patch b/queue-3.18/ath-add-regulatory-mapping-for-serbia.patch
new file mode 100644
index 00000000000..f1f3deb3243
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-serbia.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:10:43 +0300
+Subject: ath: Add regulatory mapping for Serbia
+
+From: Sven Eckelmann
+
+[ Upstream commit 2a3169a54bb53717928392a04fb84deb765b51f1 ]
+
+The country code is used by the ath to detect the ISO 3166-1 alpha-2 name
+and to select the correct conformance test limits (CTL) for a country. If
+the country isn't available and it is still programmed in the EEPROM then
+it will cause an error and stop the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this country are:
+
+* 2.4GHz: ETSI
+* 5GHz: ETSI
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd.h | 1 +
+ drivers/net/wireless/ath/regd_common.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd.h
++++ b/drivers/net/wireless/ath/regd.h
+@@ -159,6 +159,7 @@ enum CountryCode {
+ CTRY_ROMANIA = 642,
+ CTRY_RUSSIA = 643,
+ CTRY_SAUDI_ARABIA = 682,
++ CTRY_SERBIA = 688,
+ CTRY_SERBIA_MONTENEGRO = 891,
+ CTRY_SINGAPORE = 702,
+ CTRY_SLOVAKIA = 703,
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -452,6 +452,7 @@ static struct country_code_to_enum_rd al
+ {CTRY_ROMANIA, NULL1_WORLD, "RO"},
+ {CTRY_RUSSIA, NULL1_WORLD, "RU"},
+ {CTRY_SAUDI_ARABIA, NULL1_WORLD, "SA"},
++ {CTRY_SERBIA, ETSI1_WORLD, "RS"},
+ {CTRY_SERBIA_MONTENEGRO, ETSI1_WORLD, "CS"},
+ {CTRY_SINGAPORE, APL6_WORLD, "SG"},
+ {CTRY_SLOVAKIA, ETSI1_WORLD, "SK"},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-tanzania.patch b/queue-3.18/ath-add-regulatory-mapping-for-tanzania.patch
new file mode 100644
index 00000000000..81f72fe1212
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-tanzania.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:10:48 +0300
+Subject: ath: Add regulatory mapping for Tanzania
+
+From: Sven Eckelmann
+
+[ Upstream commit 667ddac5745fb9fddfe8f7fd2523070f50bd4442 ]
+
+The country code is used by the ath to detect the ISO 3166-1 alpha-2 name
+and to select the correct conformance test limits (CTL) for a country. If
+the country isn't available and it is still programmed in the EEPROM then
+it will cause an error and stop the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this country are:
+
+* 2.4GHz: ETSI
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd.h | 1 +
+ drivers/net/wireless/ath/regd_common.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd.h
++++ b/drivers/net/wireless/ath/regd.h
+@@ -170,6 +170,7 @@ enum CountryCode {
+ CTRY_SWITZERLAND = 756,
+ CTRY_SYRIA = 760,
+ CTRY_TAIWAN = 158,
++ CTRY_TANZANIA = 834,
+ CTRY_THAILAND = 764,
+ CTRY_TRINIDAD_Y_TOBAGO = 780,
+ CTRY_TUNISIA = 788,
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -463,6 +463,7 @@ static struct country_code_to_enum_rd al
+ {CTRY_SWITZERLAND, ETSI1_WORLD, "CH"},
+ {CTRY_SYRIA, NULL1_WORLD, "SY"},
+ {CTRY_TAIWAN, APL3_FCCA, "TW"},
++ {CTRY_TANZANIA, APL1_WORLD, "TZ"},
+ {CTRY_THAILAND, FCC3_WORLD, "TH"},
+ {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"},
+ {CTRY_TUNISIA, ETSI3_WORLD, "TN"},
diff --git a/queue-3.18/ath-add-regulatory-mapping-for-uganda.patch b/queue-3.18/ath-add-regulatory-mapping-for-uganda.patch
new file mode 100644
index 00000000000..8e3e424776e
--- /dev/null
+++ b/queue-3.18/ath-add-regulatory-mapping-for-uganda.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Sven Eckelmann
+Date: Wed, 23 May 2018 11:10:54 +0300
+Subject: ath: Add regulatory mapping for Uganda
+
+From: Sven Eckelmann
+
+[ Upstream commit 1ea3986ad2bc72081c69f3fbc1e5e0eeb3c44f17 ]
+
+The country code is used by the ath to detect the ISO 3166-1 alpha-2 name
+and to select the correct conformance test limits (CTL) for a country. If
+the country isn't available and it is still programmed in the EEPROM then
+it will cause an error and stop the initialization with:
+
+ Invalid EEPROM contents
+
+The current CTL mappings for this country are:
+
+* 2.4GHz: ETSI
+* 5GHz: FCC
+
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/regd.h | 1 +
+ drivers/net/wireless/ath/regd_common.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/ath/regd.h
++++ b/drivers/net/wireless/ath/regd.h
+@@ -175,6 +175,7 @@ enum CountryCode {
+ CTRY_TUNISIA = 788,
+ CTRY_TURKEY = 792,
+ CTRY_UAE = 784,
++ CTRY_UGANDA = 800,
+ CTRY_UKRAINE = 804,
+ CTRY_UNITED_KINGDOM = 826,
+ CTRY_UNITED_STATES = 840,
+--- a/drivers/net/wireless/ath/regd_common.h
++++ b/drivers/net/wireless/ath/regd_common.h
+@@ -467,6 +467,7 @@ static struct country_code_to_enum_rd al
+ {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"},
+ {CTRY_TUNISIA, ETSI3_WORLD, "TN"},
+ {CTRY_TURKEY, ETSI3_WORLD, "TR"},
++ {CTRY_UGANDA, FCC3_WORLD, "UG"},
+ {CTRY_UKRAINE, NULL1_WORLD, "UA"},
+ {CTRY_UAE, NULL1_WORLD, "AE"},
+ {CTRY_UNITED_KINGDOM, ETSI1_WORLD, "GB"},
diff --git a/queue-3.18/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch b/queue-3.18/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch
new file mode 100644
index 00000000000..4e87d6ebcae
--- /dev/null
+++ b/queue-3.18/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch
@@ -0,0 +1,42 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Jakub Kicinski
+Date: Thu, 3 May 2018 18:37:17 -0700
+Subject: bpf: fix references to free_bpf_prog_info() in comments
+
+From: Jakub Kicinski
+
+[ Upstream commit ab7f5bf0928be2f148d000a6eaa6c0a36e74750e ]
+
+Comments in the verifier refer to free_bpf_prog_info() which
+seems to have never existed in tree. Replace it with
+free_used_maps().
+
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Quentin Monnet
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/verifier.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1763,7 +1763,7 @@ static int replace_map_fd_with_map_ptr(s
+ /* hold the map. If the program is rejected by verifier,
+ * the map will be released by release_maps() or it
+ * will be used by the valid program until it's unloaded
+- * and all maps are released in free_bpf_prog_info()
++ * and all maps are released in free_used_maps()
+ */
+ atomic_inc(&map->refcnt);
+
+@@ -1929,7 +1929,7 @@ free_log_buf:
+ free_env:
+ if (!prog->aux->used_maps)
+ /* if we didn't copy map pointers into bpf_prog_info, release
+- * them now. Otherwise free_bpf_prog_info() will release them.
++ * them now. Otherwise free_used_maps() will release them.
+ */
+ release_maps(env);
+ kfree(env);
diff --git a/queue-3.18/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch b/queue-3.18/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch
new file mode 100644
index 00000000000..cc2675534c1
--- /dev/null
+++ b/queue-3.18/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch
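Review bot: The second comment in the verifier.c hunk of bpf-fix-references-to-free_bpf_prog_info-in-comments.patch still says the map pointers are copied "into bpf_prog_info", while the condition directly above it tests `prog->aux->used_maps`. Since the patch exists to remove references to a name the commit message says was never in the tree, that wording is worth aligning with the code in the same place, e.g. `/* if we didn't copy map pointers into prog->aux->used_maps, release` as the first comment line. Whether a `bpf_prog_info` type exists in 3.18 cannot be told from these lines, so treat this as a wording check against the target tree.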
@@ -0,0 +1,32 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Tudor-Dan Ambarus
+Date: Tue, 3 Apr 2018 09:39:00 +0300
+Subject: crypto: authenc - don't leak pointers to authenc keys
+
+From: Tudor-Dan Ambarus
+
+[ Upstream commit ad2fdcdf75d169e7a5aec6c7cb421c0bec8ec711 ]
+
+In crypto_authenc_setkey we save pointers to the authenc keys in
+a local variable of type struct crypto_authenc_keys and we don't
+zeroize it after use. Fix this and don't leak pointers to the
+authenc keys.
+
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/authenc.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/authenc.c
++++ b/crypto/authenc.c
+@@ -112,6 +112,7 @@ static int crypto_authenc_setkey(struct
+ CRYPTO_TFM_RES_MASK);
+
+ out:
++ memzero_explicit(&keys, sizeof(keys));
+ return err;
+
+ badkey:
diff --git a/queue-3.18/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch b/queue-3.18/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch
new file mode 100644
index 00000000000..b190c856148
--- /dev/null
+++ b/queue-3.18/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch
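Review bot: The `memzero_explicit(&keys, sizeof(keys));` added at `out:` in crypto_authenc_setkey only wipes the struct on exits that pass through that label, and the `badkey:` branch right after it is cut off by the hunk, so it is not visible whether it ends in `goto out;` or returns on its own. If it returns directly, the key pointers stay on the stack on the bad-key path, which is the case the commit sets out to close. The same applies to the identical hunk for crypto_authenc_esn_setkey in crypto/authencesn.c. A comment at the label such as `/* keys holds pointers to the authenc keys; wipe it on every exit */` would record why the call must stay on the common exit path.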
@@ -0,0 +1,32 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Tudor-Dan Ambarus
+Date: Tue, 3 Apr 2018 09:39:01 +0300
+Subject: crypto: authencesn - don't leak pointers to authenc keys
+
+From: Tudor-Dan Ambarus
+
+[ Upstream commit 31545df391d58a3bb60e29b1192644a6f2b5a8dd ]
+
+In crypto_authenc_esn_setkey we save pointers to the authenc keys
+in a local variable of type struct crypto_authenc_keys and we don't
+zeroize it after use. Fix this and don't leak pointers to the
+authenc keys.
+
+Signed-off-by: Tudor Ambarus
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ crypto/authencesn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/crypto/authencesn.c
++++ b/crypto/authencesn.c
+@@ -86,6 +86,7 @@ static int crypto_authenc_esn_setkey(str
+ CRYPTO_TFM_RES_MASK);
+
+ out:
++ memzero_explicit(&keys, sizeof(keys));
+ return err;
+
+ badkey:
diff --git a/queue-3.18/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch b/queue-3.18/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch
new file mode 100644
index 00000000000..ea2c72cd8cf
--- /dev/null
+++ b/queue-3.18/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Luc Van Oostenryck
+Date: Tue, 24 Apr 2018 15:14:57 +0200
+Subject: drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
+
+From: Luc Van Oostenryck
+
+[ Upstream commit 2ea009095c6e7396915a1d0dd480c41f02985f79 ]
+
+The method struct drm_connector_helper_funcs::mode_valid is defined
+as returning an 'enum drm_mode_status' but the driver implementation
+for this method, psb_intel_lvds_mode_valid(), uses an 'int' for it.
+
+Fix this by using 'enum drm_mode_status' for psb_intel_lvds_mode_valid().
+
+Signed-off-by: Luc Van Oostenryck
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20180424131458.2060-1-luc.vanoostenryck@gmail.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/gma500/psb_intel_drv.h | 2 +-
+ drivers/gpu/drm/gma500/psb_intel_lvds.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/gma500/psb_intel_drv.h
++++ b/drivers/gpu/drm/gma500/psb_intel_drv.h
+@@ -251,7 +251,7 @@ extern int intelfb_remove(struct drm_dev
+ extern bool psb_intel_lvds_mode_fixup(struct drm_encoder *encoder,
+ const struct drm_display_mode *mode,
+ struct drm_display_mode *adjusted_mode);
+-extern int psb_intel_lvds_mode_valid(struct drm_connector *connector,
++extern enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode);
+ extern int psb_intel_lvds_set_property(struct drm_connector *connector,
+ struct drm_property *property,
+--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
++++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
+@@ -343,7 +343,7 @@ static void psb_intel_lvds_restore(struc
+ }
+ }
+
+-int psb_intel_lvds_mode_valid(struct drm_connector *connector,
++enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector,
+ struct drm_display_mode *mode)
+ {
+ struct drm_psb_private *dev_priv = connector->dev->dev_private;
diff --git a/queue-3.18/drm-radeon-fix-mode_valid-s-return-type.patch b/queue-3.18/drm-radeon-fix-mode_valid-s-return-type.patch
new file mode 100644
index 00000000000..405b68d6cac
--- /dev/null
+++ b/queue-3.18/drm-radeon-fix-mode_valid-s-return-type.patch
@@ -0,0 +1,70 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Luc Van Oostenryck +Date: Tue, 24 Apr 2018 15:15:13 +0200 +Subject: drm/radeon: fix mode_valid's return type + +From: Luc Van Oostenryck + +[ Upstream commit 7a47f20eb1fb8fa8d7a8fe3a4fd8c721f04c2174 ] + +The method struct drm_connector_helper_funcs::mode_valid is defined +as returning an 'enum drm_mode_status' but the driver implementation +for this method uses an 'int' for it. + +Fix this by using 'enum drm_mode_status' in the driver too. + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -804,7 +804,7 @@ static int radeon_lvds_get_modes(struct + return ret; + } + +-static int radeon_lvds_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_encoder *encoder = radeon_best_single_encoder(connector); +@@ -947,7 +947,7 @@ static int radeon_vga_get_modes(struct d + return ret; + } + +-static int radeon_vga_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_vga_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1086,7 +1086,7 @@ static int radeon_tv_get_modes(struct dr + return 1; + } + +-static int radeon_tv_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_tv_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + if ((mode->hdisplay > 1024) || (mode->vdisplay > 768)) +@@ -1387,7 +1387,7 @@ static void radeon_dvi_force(struct drm_ + radeon_connector->use_digital = true; + } + +-static int radeon_dvi_mode_valid(struct 
drm_connector *connector, ++static enum drm_mode_status radeon_dvi_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1666,7 +1666,7 @@ out: + return ret; + } + +-static int radeon_dp_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_dp_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; diff --git a/queue-3.18/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch b/queue-3.18/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch new file mode 100644 index 00000000000..8242f62f814 --- /dev/null +++ b/queue-3.18/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch 
@@ -0,0 +1,118 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Kirill Tkhai +Date: Thu, 5 Apr 2018 14:58:06 +0300 +Subject: fasync: Fix deadlock between task-context and interrupt-context kill_fasync() + +From: Kirill Tkhai + +[ Upstream commit 7a107c0f55a3b4c6f84a4323df5610360bde1684 ] + +I observed the following deadlock between them: + +[task 1] [task 2] [task 3] +kill_fasync() mm_update_next_owner() copy_process() + spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock) + send_sigio() ... + read_lock(&fown->lock) kill_fasync() ... + read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ... + +Task 1 can't acquire read locked tasklist_lock, since there is +already task 3 expressed its wish to take the lock exclusive. +Task 2 holds the read locked lock, but it can't take the spin lock. + +Also, there is possible another deadlock (which I haven't observed): + +[task 1] [task 2] +f_getown() kill_fasync() + read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,) + send_sigio() write_lock_irq(&f_own->lock) + kill_fasync() read_lock(&fown->lock) + spin_lock_irqsave(&fa->fa_lock,) + +Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(), +as it guarantees fa->fa_file->f_owner integrity only. It may seem, +that it used to give a task a small possibility to receive two sequential +signals, if there are two parallel kill_fasync() callers, and task +handles the first signal fastly, but the behaviour won't become +different, since there is exclusive sighand lock in do_send_sig_info(). + +The patch converts fa_lock into rwlock_t, and this fixes two above +deadlocks, as rwlock is allowed to be taken from interrupt handler +by qrwlock design. 
+ +Signed-off-by: Kirill Tkhai +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 15 +++++++-------- + include/linux/fs.h | 2 +- + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -587,9 +587,9 @@ int fasync_remove_entry(struct file *fil + if (fa->fa_file != filp) + continue; + +- spin_lock_irq(&fa->fa_lock); ++ write_lock_irq(&fa->fa_lock); + fa->fa_file = NULL; +- spin_unlock_irq(&fa->fa_lock); ++ write_unlock_irq(&fa->fa_lock); + + *fp = fa->fa_next; + call_rcu(&fa->fa_rcu, fasync_free_rcu); +@@ -634,13 +634,13 @@ struct fasync_struct *fasync_insert_entr + if (fa->fa_file != filp) + continue; + +- spin_lock_irq(&fa->fa_lock); ++ write_lock_irq(&fa->fa_lock); + fa->fa_fd = fd; +- spin_unlock_irq(&fa->fa_lock); ++ write_unlock_irq(&fa->fa_lock); + goto out; + } + +- spin_lock_init(&new->fa_lock); ++ rwlock_init(&new->fa_lock); + new->magic = FASYNC_MAGIC; + new->fa_file = filp; + new->fa_fd = fd; +@@ -703,14 +703,13 @@ static void kill_fasync_rcu(struct fasyn + { + while (fa) { + struct fown_struct *fown; +- unsigned long flags; + + if (fa->magic != FASYNC_MAGIC) { + printk(KERN_ERR "kill_fasync: bad magic number in " + "fasync_struct!\n"); + return; + } +- spin_lock_irqsave(&fa->fa_lock, flags); ++ read_lock(&fa->fa_lock); + if (fa->fa_file) { + fown = &fa->fa_file->f_owner; + /* Don't send SIGURG to processes which have not set a +@@ -719,7 +718,7 @@ static void kill_fasync_rcu(struct fasyn + if (!(sig == SIGURG && fown->signum == 0)) + send_sigio(fown, fa->fa_fd, band); + } +- spin_unlock_irqrestore(&fa->fa_lock, flags); ++ read_unlock(&fa->fa_lock); + fa = rcu_dereference(fa->fa_next); + } + } +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1128,7 +1128,7 @@ static inline int lease_modify(struct fi + + + struct fasync_struct { +- spinlock_t fa_lock; ++ rwlock_t fa_lock; + int magic; + int fa_fd; + struct fasync_struct *fa_next; /* singly linked list 
*/ diff --git a/queue-3.18/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch b/queue-3.18/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch new file mode 100644 index 00000000000..d8c84f591b8 --- /dev/null +++ b/queue-3.18/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Dmitry Torokhov +Date: Wed, 9 May 2018 12:12:15 -0700 +Subject: HID: i2c-hid: check if device is there before really probing + +From: Dmitry Torokhov + +[ Upstream commit b3a81b6c4fc6730ac49e20d789a93c0faabafc98 ] + +On many Chromebooks touch devices are multi-sourced; the components are +electrically compatible and one can be freely swapped for another without +changing the OS image or firmware. + +To avoid bunch of scary messages when device is not actually present in the +system let's try testing basic communication with it and if there is no +response terminate probe early with -ENXIO. + +Signed-off-by: Dmitry Torokhov +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -981,6 +981,14 @@ static int i2c_hid_probe(struct i2c_clie + pm_runtime_set_active(&client->dev); + pm_runtime_enable(&client->dev); + ++ /* Make sure there is something at this address */ ++ ret = i2c_smbus_read_byte(client); ++ if (ret < 0) { ++ dev_dbg(&client->dev, "nothing at this address: %d\n", ret); ++ ret = -ENXIO; ++ goto err_pm; ++ } ++ + ret = i2c_hid_fetch_hid_descriptor(ihid); + if (ret < 0) + goto err_pm; diff --git a/queue-3.18/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch b/queue-3.18/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch new file mode 100644 index 00000000000..642a5fa9a3d --- /dev/null 
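Review bot: In the fasync patch, kill_fasync_rcu now takes `read_lock(&fa->fa_lock)` with interrupts left enabled while fasync_remove_entry and fasync_insert_entry use `write_lock_irq`, and nothing in the code says why that asymmetry is safe. The reasoning (the read side may be taken from interrupt context, writers keep interrupts off) exists only in the commit message, which ties it to the qrwlock design; whether every architecture's rwlock in this 3.18 tree gives the same guarantee is not visible from the hunk and is worth confirming for the backport. I would add above the read_lock: `/* read side may nest from IRQ context; writers use write_lock_irq() */`.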
+++ b/queue-3.18/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch @@ -0,0 +1,46 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Stewart Smith +Date: Thu, 29 Mar 2018 17:02:46 +1100 +Subject: hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common() + +From: Stewart Smith + +[ Upstream commit 447808bf500a7cc92173266a59f8a494e132b122 ] + +time_init() will set up tb_ticks_per_usec based on reality. +time_init() is called *after* udbg_init_opal_common() during boot. + +from arch/powerpc/kernel/time.c: + unsigned long tb_ticks_per_usec = 100; /* sane default */ + +Currently, all powernv systems have a timebase frequency of 512mhz +(512000000/1000000 == 0x200) - although there's nothing written +down anywhere that I can find saying that we couldn't make that +different based on the requirements in the ISA. + +So, we've been (accidentally) thwacking the (currently) correct +(for powernv at least) value for tb_ticks_per_usec earlier than +we otherwise would have. + +The "sane default" seems to be adequate for our purposes between +udbg_init_opal_common() and time_init() being called, and if it isn't, +then we should probably be setting it somewhere that isn't hvc_opal.c! + +Signed-off-by: Stewart Smith +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/hvc/hvc_opal.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/hvc/hvc_opal.c ++++ b/drivers/tty/hvc/hvc_opal.c +@@ -337,7 +337,6 @@ static void udbg_init_opal_common(void) + udbg_putc = udbg_opal_putc; + udbg_getc = udbg_opal_getc; + udbg_getc_poll = udbg_opal_getc_poll; +- tb_ticks_per_usec = 0x200; /* Make udelay not suck */ + } + + void __init hvc_opal_init_early(void) diff --git a/queue-3.18/infiniband-fix-a-possible-use-after-free-bug.patch b/queue-3.18/infiniband-fix-a-possible-use-after-free-bug.patch new file mode 100644 index 00000000000..aea467b8df5 --- /dev/null 
+++ b/queue-3.18/infiniband-fix-a-possible-use-after-free-bug.patch
@@ -0,0 +1,55 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Cong Wang
+Date: Fri, 1 Jun 2018 11:31:44 -0700
+Subject: infiniband: fix a possible use-after-free bug
+
+From: Cong Wang
+
+[ Upstream commit cb2595c1393b4a5211534e6f0a0fbad369e21ad8 ]
+
+ucma_process_join() will free the new allocated "mc" struct,
+if there is any error after that, especially the copy_to_user().
+
+But in parallel, ucma_leave_multicast() could find this "mc"
+through idr_find() before ucma_process_join() frees it, since it
+is already published.
+
+So "mc" could be used in ucma_leave_multicast() after it is been
+allocated and freed in ucma_process_join(), since we don't refcnt
+it.
+
+Fix this by separating "publish" from ID allocation, so that we
+can get an ID first and publish it later after copy_to_user().
+
+Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support")
+Reported-by: Noam Rathaus
+Signed-off-by: Cong Wang
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/ucma.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -180,7 +180,7 @@ static struct ucma_multicast* ucma_alloc
+ return NULL;
+
+ mutex_lock(&mut);
+- mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL);
++ mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL);
+ mutex_unlock(&mut);
+ if (mc->id < 0)
+ goto error;
+@@ -1262,6 +1262,10 @@ static ssize_t ucma_process_join(struct
+ goto err3;
+ }
+
++ mutex_lock(&mut);
++ idr_replace(&multicast_idr, mc, mc->id);
++ mutex_unlock(&mut);
++
+ mutex_unlock(&file->mut);
+ ucma_put_ctx(ctx);
+ return 0;
diff --git a/queue-3.18/ipconfig-correctly-initialise-ic_nameservers.patch b/queue-3.18/ipconfig-correctly-initialise-ic_nameservers.patch
new file mode 100644
index 00000000000..5a2acf9f8cb
--- /dev/null
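Review bot: With the id now reserved as NULL in ucma_alloc_multicast, every lookup on multicast_idr has to treat a NULL result as "not found" until `idr_replace(&multicast_idr, mc, mc->id);` runs in ucma_process_join. Those lookups (ucma_leave_multicast, per the commit message) are outside this hunk and should be checked in the 3.18 tree, since a missing NULL test there would turn the use-after-free into a NULL dereference. The return value of idr_replace is also dropped; it should not fail for an id reserved under the same mutex, but a failure would leave the entry unpublished while the function returns 0. Both functions continue beyond their hunks. I would add above the idr_alloc call: `/* reserve the id with NULL; published by idr_replace() once the join cannot fail */`.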
+++ b/queue-3.18/ipconfig-correctly-initialise-ic_nameservers.patch 
@@ -0,0 +1,86 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Chris Novakovic +Date: Tue, 24 Apr 2018 03:56:37 +0100 +Subject: ipconfig: Correctly initialise ic_nameservers + +From: Chris Novakovic + +[ Upstream commit 300eec7c0a2495f771709c7642aa15f7cc148b83 ] + +ic_nameservers, which stores the list of name servers discovered by +ipconfig, is initialised (i.e. has all of its elements set to NONE, or +0xffffffff) by ic_nameservers_predef() in the following scenarios: + + - before the "ip=" and "nfsaddrs=" kernel command line parameters are + parsed (in ip_auto_config_setup()); + - before autoconfiguring via DHCP or BOOTP (in ic_bootp_init()), in + order to clear any values that may have been set after parsing "ip=" + or "nfsaddrs=" and are no longer needed. + +This means that ic_nameservers_predef() is not called when neither "ip=" +nor "nfsaddrs=" is specified on the kernel command line. In this +scenario, every element in ic_nameservers remains set to 0x00000000, +which is indistinguishable from ANY and causes pnp_seq_show() to write +the following (bogus) information to /proc/net/pnp: + + #MANUAL + nameserver 0.0.0.0 + nameserver 0.0.0.0 + nameserver 0.0.0.0 + +This is potentially problematic for systems that blindly link +/etc/resolv.conf to /proc/net/pnp. + +Ensure that ic_nameservers is also initialised when neither "ip=" nor +"nfsaddrs=" are specified by calling ic_nameservers_predef() in +ip_auto_config(), but only when ip_auto_config_setup() was not called +earlier. This causes the following to be written to /proc/net/pnp, and +is consistent with what gets written when ipconfig is configured +manually but no name servers are specified on the kernel command line: + + #MANUAL + +Signed-off-by: Chris Novakovic +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipconfig.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -772,6 +772,11 @@ static void __init ic_bootp_init_ext(u8 + */ + static inline void __init ic_bootp_init(void) + { ++ /* Re-initialise all name servers to NONE, in case any were set via the ++ * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses ++ * specified there will already have been decoded but are no longer ++ * needed ++ */ + ic_nameservers_predef(); + + dev_add_pack(&bootp_packet_type); +@@ -1404,6 +1409,13 @@ static int __init ip_auto_config(void) + int err; + unsigned int i; + ++ /* Initialise all name servers to NONE (but only if the "ip=" or ++ * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise ++ * we'll overwrite the IP addresses specified there) ++ */ ++ if (ic_set_manually == 0) ++ ic_nameservers_predef(); ++ + #ifdef CONFIG_PROC_FS + proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops); + #endif /* CONFIG_PROC_FS */ +@@ -1605,6 +1617,7 @@ static int __init ip_auto_config_setup(c + return 1; + } + ++ /* Initialise all name servers to NONE */ + ic_nameservers_predef(); + + /* Parse string for static IP assignment. */ diff --git a/queue-3.18/libata-fix-command-retry-decision.patch b/queue-3.18/libata-fix-command-retry-decision.patch new file mode 100644 index 00000000000..83616f9b0c2 --- /dev/null +++ b/queue-3.18/libata-fix-command-retry-decision.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Damien Le Moal +Date: Wed, 9 May 2018 09:28:12 +0900 +Subject: libata: Fix command retry decision + +From: Damien Le Moal + +[ Upstream commit 804689ad2d9b66d0d3920b48cf05881049d44589 ] + +For failed commands with valid sense data (e.g. NCQ commands), +scsi_check_sense() is used in ata_analyze_tf() to determine if the +command can be retried. In such case, rely on this decision and ignore +the command error mask based decision done in ata_worth_retry(). + +This fixes useless retries of commands such as unaligned writes on zoned +disks (TYPE_ZAC). + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-eh.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2173,12 +2173,16 @@ static void ata_eh_link_autopsy(struct a + if (qc->err_mask & ~AC_ERR_OTHER) + qc->err_mask &= ~AC_ERR_OTHER; + +- /* SENSE_VALID trumps dev/unknown error and revalidation */ ++ /* ++ * SENSE_VALID trumps dev/unknown error and revalidation. Upper ++ * layers will determine whether the command is worth retrying ++ * based on the sense data and device class/type. Otherwise, ++ * determine directly if the command is worth retrying using its ++ * error mask and flags. ++ */ + if (qc->flags & ATA_QCFLAG_SENSE_VALID) + qc->err_mask &= ~(AC_ERR_DEV | AC_ERR_OTHER); +- +- /* determine whether the command is worth retrying */ +- if (ata_eh_worth_retry(qc)) ++ else if (ata_eh_worth_retry(qc)) + qc->flags |= ATA_QCFLAG_RETRY; + + /* accumulate error info */ diff --git a/queue-3.18/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch b/queue-3.18/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch new file mode 100644 index 00000000000..339235e86e7 --- /dev/null 
+++ b/queue-3.18/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch 
@@ -0,0 +1,72 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Yufen Yu +Date: Fri, 4 May 2018 18:08:10 +0800 +Subject: md: fix NULL dereference of mddev->pers in remove_and_add_spares() + +From: Yufen Yu + +[ Upstream commit c42a0e2675721e1444f56e6132a07b7b1ec169ac ] + +We met NULL pointer BUG as follow: + +[ 151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060 +[ 151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0 +[ 151.762039] Oops: 0000 [#1] SMP PTI +[ 151.762406] Modules linked in: +[ 151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238 +[ 151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 +[ 151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0 +[ 151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246 +[ 151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000 +[ 151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000 +[ 151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051 +[ 151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600 +[ 151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000 +[ 151.769160] FS: 00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000 +[ 151.769971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0 +[ 151.771272] Call Trace: +[ 151.771542] md_ioctl+0x1df2/0x1e10 +[ 151.771906] ? __switch_to+0x129/0x440 +[ 151.772295] ? __schedule+0x244/0x850 +[ 151.772672] blkdev_ioctl+0x4bd/0x970 +[ 151.773048] block_ioctl+0x39/0x40 +[ 151.773402] do_vfs_ioctl+0xa4/0x610 +[ 151.773770] ? 
dput.part.23+0x87/0x100 +[ 151.774151] ksys_ioctl+0x70/0x80 +[ 151.774493] __x64_sys_ioctl+0x16/0x20 +[ 151.774877] do_syscall_64+0x5b/0x180 +[ 151.775258] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +For raid6, when two disk of the array are offline, two spare disks can +be added into the array. Before spare disks recovery completing, +system reboot and mdadm thinks it is ok to restart the degraded +array by md_ioctl(). Since disks in raid6 is not only_parity(), +raid5_run() will abort, when there is no PPL feature or not setting +'start_dirty_degraded' parameter. Therefore, mddev->pers is NULL. + +But, mddev->raid_disks has been set and it will not be cleared when +raid5_run abort. md_ioctl() can execute cmd 'HOT_REMOVE_DISK' to +remove a disk by mdadm, which will cause NULL pointer dereference +in remove_and_add_spares() finally. + +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -5676,6 +5676,9 @@ static int hot_remove_disk(struct mddev + char b[BDEVNAME_SIZE]; + struct md_rdev *rdev; + ++ if (!mddev->pers) ++ return -ENODEV; ++ + rdev = find_rdev(mddev, dev); + if (!rdev) + return -ENXIO; diff --git a/queue-3.18/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch b/queue-3.18/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch new file mode 100644 index 00000000000..84b6ec21be4 --- /dev/null +++ b/queue-3.18/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch 
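Review bot: The new `if (!mddev->pers) return -ENODEV;` guards only hot_remove_disk, while the oops in the description is inside remove_and_add_spares, reached from md_ioctl. Any other caller of remove_and_add_spares that can run while `mddev->pers` is NULL would still hit the same dereference; those callers are outside this hunk, so this is worth confirming against the 3.18 tree. hot_remove_disk continues past the end of the hunk. A one-line comment such as `/* no personality attached (array not running): nothing to hot-remove */` would explain the early return to the next reader.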
@@ -0,0 +1,57 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Suman Anna
+Date: Wed, 14 Mar 2018 11:41:36 -0400
+Subject: media: omap3isp: fix unbalanced dma_iommu_mapping
+
+From: Suman Anna
+
+[ Upstream commit b7e1e6859fbf60519fd82d7120cee106a6019512 ]
+
+The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware
+ARM DMA backend. The current code creates a dma_iommu_mapping and
+attaches this to the ISP device, but never detaches the mapping in
+either the probe failure paths or the driver remove path resulting
+in an unbalanced mapping refcount and a memory leak. Fix this properly.
+
+Reported-by: Pavel Machek
+Signed-off-by: Suman Anna
+Tested-by: Pavel Machek
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/omap3isp/isp.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/omap3isp/isp.c
++++ b/drivers/media/platform/omap3isp/isp.c
+@@ -2117,6 +2117,7 @@ error_csiphy:
+
+ static void isp_detach_iommu(struct isp_device *isp)
+ {
++ arm_iommu_detach_device(isp->dev);
+ arm_iommu_release_mapping(isp->mapping);
+ isp->mapping = NULL;
+ iommu_group_remove_device(isp->dev);
+@@ -2150,8 +2151,7 @@ static int isp_attach_iommu(struct isp_d
+ mapping = arm_iommu_create_mapping(&platform_bus_type, SZ_1G, SZ_2G);
+ if (IS_ERR(mapping)) {
+ dev_err(isp->dev, "failed to create ARM IOMMU mapping\n");
+- ret = PTR_ERR(mapping);
+- goto error;
++ return PTR_ERR(mapping);
+ }
+
+ isp->mapping = mapping;
+@@ -2166,7 +2166,8 @@ static int isp_attach_iommu(struct isp_d
+ return 0;
+
+ error:
+- isp_detach_iommu(isp);
++ arm_iommu_release_mapping(isp->mapping);
++ isp->mapping = NULL;
+ return ret;
+ }
+
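Review bot: Both failure exits of isp_attach_iommu stop calling `iommu_group_remove_device(isp->dev);` after this change, because the create-mapping failure now returns directly and the `error:` label no longer goes through isp_detach_iommu. In this 3.18 tree isp_detach_iommu still does that removal (it is a context line in the first hunk), which suggests isp_attach_iommu adds the device to an IOMMU group earlier, in the part of the function the hunks do not show. If so, a failed attach now leaves the device in the group, trading one unbalanced reference for another. The `error:` path would then need `iommu_group_remove_device(isp->dev);` after the mapping is released, and the `IS_ERR(mapping)` branch would have to reach a label that does the same instead of returning.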
diff --git a/queue-3.18/media-saa7164-fix-driver-name-in-debug-output.patch b/queue-3.18/media-saa7164-fix-driver-name-in-debug-output.patch new file mode 100644 index 00000000000..16498e059ae --- /dev/null +++ b/queue-3.18/media-saa7164-fix-driver-name-in-debug-output.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Brad Love +Date: Fri, 4 May 2018 17:53:35 -0400 +Subject: media: saa7164: Fix driver name in debug output + +From: Brad Love + +[ Upstream commit 0cc4655cb57af0b7e105d075c4f83f8046efafe7 ] + +This issue was reported by a user who downloaded a corrupt saa7164 +firmware, then went looking for a valid xc5000 firmware to fix the +error displayed...but the device in question has no xc5000, thus after +much effort, the wild goose chase eventually led to a support call. + +The xc5000 has nothing to do with saa7164 (as far as I can tell), +so replace the string with saa7164 as well as give a meaningful +hint on the firmware mismatch. + +Signed-off-by: Brad Love +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/saa7164/saa7164-fw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/pci/saa7164/saa7164-fw.c ++++ b/drivers/media/pci/saa7164/saa7164-fw.c +@@ -430,7 +430,8 @@ int saa7164_downloadfirmware(struct saa7 + __func__, fw->size); + + if (fw->size != fwlength) { +- printk(KERN_ERR "xc5000: firmware incorrect size\n"); ++ printk(KERN_ERR "saa7164: firmware incorrect size %zu != %u\n", ++ fw->size, fwlength); + ret = -ENOMEM; + goto out; + } diff --git a/queue-3.18/media-si470x-fix-__be16-annotations.patch b/queue-3.18/media-si470x-fix-__be16-annotations.patch new file mode 100644 index 00000000000..491437f2c5b --- /dev/null +++ b/queue-3.18/media-si470x-fix-__be16-annotations.patch 
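Review bot: The size-mismatch branch in saa7164_downloadfirmware still sets `ret = -ENOMEM;`, so a corrupt or wrong firmware image is reported to the caller as an allocation failure even though the new message names the real cause; `ret = -EINVAL;` would match it. The `%u` conversion assumes fwlength is an unsigned int, and its declaration is outside the hunk, so the type should be confirmed against the format. The function body continues on both sides of the hunk.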
@@ -0,0 +1,58 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Mauro Carvalho Chehab +Date: Fri, 6 Apr 2018 07:54:51 -0400 +Subject: media: si470x: fix __be16 annotations + +From: Mauro Carvalho Chehab + +[ Upstream commit 90db5c829692a0a7845e977e45719b4699216bd4 ] + +The annotations there are wrong as warned: + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: warning: incorrect type in assignment (different base types) + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: expected unsigned short [unsigned] [short] + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: got restricted __be16 [usertype] + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -96,7 +96,7 @@ MODULE_PARM_DESC(max_rds_errors, "RDS ma + */ + int si470x_get_register(struct si470x_device *radio, int regnr) + { +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -121,7 +121,7 @@ int si470x_get_register(struct si470x_de + int 
si470x_set_register(struct si470x_device *radio, int regnr) + { + int i; +- u16 buf[WRITE_REG_NUM]; ++ __be16 buf[WRITE_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -151,7 +151,7 @@ int si470x_set_register(struct si470x_de + static int si470x_get_all_registers(struct si470x_device *radio) + { + int i; +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, diff --git a/queue-3.18/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch b/queue-3.18/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch new file mode 100644 index 00000000000..a29d843b8ce --- /dev/null +++ b/queue-3.18/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch 
@@ -0,0 +1,108 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Mauro Carvalho Chehab +Date: Fri, 20 Apr 2018 08:32:16 -0400 +Subject: media: siano: get rid of __le32/__le16 cast warnings + +From: Mauro Carvalho Chehab + +[ Upstream commit e1b7f11b37def5f3021c06e8c2b4953e099357aa ] + +Those are all false-positives that appear with smatch when building for +arm: + + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: 
warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + +Get rid of them by adding explicit forced casts. 
+ +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/siano/smsendian.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/media/common/siano/smsendian.c ++++ b/drivers/media/common/siano/smsendian.c +@@ -35,7 +35,7 @@ void smsendian_handle_tx_message(void *b + switch (msg->x_msg_header.msg_type) { + case MSG_SMS_DATA_DOWNLOAD_REQ: + { +- msg->msg_data[0] = le32_to_cpu(msg->msg_data[0]); ++ msg->msg_data[0] = le32_to_cpu((__force __le32)(msg->msg_data[0])); + break; + } + +@@ -44,7 +44,7 @@ void smsendian_handle_tx_message(void *b + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -64,7 +64,7 @@ void smsendian_handle_rx_message(void *b + { + struct sms_version_res *ver = + (struct sms_version_res *) msg; +- ver->chip_model = le16_to_cpu(ver->chip_model); ++ ver->chip_model = le16_to_cpu((__force __le16)ver->chip_model); + break; + } + +@@ -81,7 +81,7 @@ void smsendian_handle_rx_message(void *b + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -95,9 +95,9 @@ void smsendian_handle_message_header(voi + #ifdef __BIG_ENDIAN + struct sms_msg_hdr *phdr = (struct sms_msg_hdr *)msg; + +- phdr->msg_type = le16_to_cpu(phdr->msg_type); +- phdr->msg_length = le16_to_cpu(phdr->msg_length); +- phdr->msg_flags = le16_to_cpu(phdr->msg_flags); ++ phdr->msg_type = le16_to_cpu((__force __le16)phdr->msg_type); ++ phdr->msg_length = le16_to_cpu((__force __le16)phdr->msg_length); ++ phdr->msg_flags = le16_to_cpu((__force __le16)phdr->msg_flags); + #endif /* __BIG_ENDIAN */ + } + 
EXPORT_SYMBOL_GPL(smsendian_handle_message_header); diff --git a/queue-3.18/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch b/queue-3.18/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch new file mode 100644 index 00000000000..8983b6ca775 --- /dev/null +++ b/queue-3.18/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch 
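Review bot: The `(__force __le32)` and `(__force __le16)` casts added in smsendian_handle_tx_message, smsendian_handle_rx_message and smsendian_handle_message_header switch off the endianness check at each call site, so a later genuine byte-order mistake on these fields would no longer be reported. In the TX handler the data goes from CPU order to the device, so `cpu_to_le32()` would state the direction correctly even though it performs the same swap, e.g. `msg->msg_data[i] = (__force u32)cpu_to_le32(msg->msg_data[i]);` (assuming msg_data holds plain u32 values, which the hunk does not show). A one-line comment at the first cast, such as `/* field is converted in place, so it holds both byte orders over time; hence __force */`, would tell the next reader why the annotation is bypassed. All three functions start outside their hunks.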
@@ -0,0 +1,58 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Colin Ian King
+Date: Wed, 25 Apr 2018 11:04:21 -0400
+Subject: media: smiapp: fix timeout checking in smiapp_read_nvm
+
+From: Colin Ian King
+
+[ Upstream commit 7a2148dfda8001c983f0effd9afd8a7fa58e99c4 ]
+
+The current code decrements the timeout counter i and the end of
+each loop i is incremented, so the check for timeout will always
+be false and hence the timeout mechanism is just a dead code path.
+Potentially, if the RD_READY bit is not set, we could end up in
+an infinite loop.
+
+Fix this so the timeout starts from 1000 and decrements to zero,
+if at the end of the loop i is zero we have a timeout condition.
+
+Detected by CoverityScan, CID#1324008 ("Logically dead code")
+
+Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver")
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/i2c/smiapp/smiapp-core.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/media/i2c/smiapp/smiapp-core.c
++++ b/drivers/media/i2c/smiapp/smiapp-core.c
+@@ -939,7 +939,7 @@ static int smiapp_read_nvm(struct smiapp
+ if (rval)
+ goto out;
+
+- for (i = 0; i < 1000; i++) {
++ for (i = 1000; i > 0; i--) {
+ rval = smiapp_read(
+ sensor,
+ SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s);
+@@ -950,11 +950,10 @@ static int smiapp_read_nvm(struct smiapp
+ if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY)
+ break;
+
+- if (--i == 0) {
+- rval = -ETIMEDOUT;
+- goto out;
+- }
+-
++ }
++ if (!i) {
++ rval = -ETIMEDOUT;
++ goto out;
+ }
+
+ for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) {
diff --git a/queue-3.18/microblaze-fix-simpleimage-format-generation.patch b/queue-3.18/microblaze-fix-simpleimage-format-generation.patch
new file mode 100644
index 00000000000..f5295077145
--- /dev/null
+++ b/queue-3.18/microblaze-fix-simpleimage-format-generation.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Michal Simek
+Date: Tue, 10 Apr 2018 15:05:42 +0200
+Subject: microblaze: Fix simpleImage format generation
+
+From: Michal Simek
+
+[ Upstream commit ece97f3a5fb50cf5f98886fbc63c9665f2bb199d ]
+
+simpleImage generation was broken for some time. This patch is fixing
+steps how simpleImage.*.ub file is generated. Steps are objdump of
+vmlinux and create .ub.
+Also make sure that there is striped elf version with .strip suffix.
+
+Signed-off-by: Michal Simek
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/microblaze/boot/Makefile | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/arch/microblaze/boot/Makefile
++++ b/arch/microblaze/boot/Makefile
+@@ -21,18 +21,20 @@ $(obj)/linux.bin.gz: $(obj)/linux.bin FO
+ quiet_cmd_cp = CP $< $@$2
+ cmd_cp = cat $< >$@$2 || (rm -f $@ && echo false)
+
+-quiet_cmd_strip = STRIP $@
++quiet_cmd_strip = STRIP $< $@$2
+ cmd_strip = $(STRIP) -K microblaze_start -K _end -K __log_buf \
+- -K _fdt_start vmlinux -o $@
++ -K _fdt_start $< -o $@$2
+
+ UIMAGE_LOADADDR = $(CONFIG_KERNEL_BASE_ADDR)
++UIMAGE_IN = $@
++UIMAGE_OUT = $@.ub
+
+ $(obj)/simpleImage.%: vmlinux FORCE
+ $(call if_changed,cp,.unstrip)
+ $(call if_changed,objcopy)
+ $(call if_changed,uimage)
+- $(call if_changed,strip)
+- @echo 'Kernel: $@ is ready' ' (#'`cat .version`')'
++ $(call if_changed,strip,.strip)
++ @echo 'Kernel: $(UIMAGE_OUT) is ready' ' (#'`cat .version`')'
+
+
+ clean-files += simpleImage.*.unstrip linux.bin.ub
diff --git a/queue-3.18/mm-slub.c-add-__printf-verification-to-slab_err.patch b/queue-3.18/mm-slub.c-add-__printf-verification-to-slab_err.patch
new file mode 100644
index 00000000000..565ba3001b0
--- /dev/null
+++ b/queue-3.18/mm-slub.c-add-__printf-verification-to-slab_err.patch
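Review bot: The `clean-files` line kept as context at the end of the Makefile hunk still lists only `simpleImage.*.unstrip linux.bin.ub`, while the rule for `$(obj)/simpleImage.%` now also writes `$@.strip` (via `$(call if_changed,strip,.strip)`) and `$@.ub` (via `UIMAGE_OUT`). Unless those outputs are cleaned elsewhere, which the hunk does not show, `make clean` would leave them behind. Extending the line to `clean-files += simpleImage.*.unstrip simpleImage.*.strip simpleImage.*.ub linux.bin.ub` would cover them.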
@@ -0,0 +1,40 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mathieu Malaterre
+Date: Thu, 7 Jun 2018 17:05:17 -0700
+Subject: mm/slub.c: add __printf verification to slab_err()
+
+From: Mathieu Malaterre
+
+[ Upstream commit a38965bf941b7c2af50de09c96bc5f03e136caef ]
+
+__printf is useful to verify format and arguments. Remove the following
+warning (with W=1):
+
+ mm/slub.c:721:2: warning: function might be possible candidate for `gnu_printf' format attribute [-Wsuggest-attribute=format]
+
+Link: http://lkml.kernel.org/r/20180505200706.19986-1-malat@debian.org
+Signed-off-by: Mathieu Malaterre
+Reviewed-by: Andrew Morton
+Cc: Christoph Lameter
+Cc: Pekka Enberg
+Cc: David Rientjes
+Cc: Joonsoo Kim
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/slub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -636,7 +636,7 @@ static void object_err(struct kmem_cache
+ print_trailer(s, page, object);
+ }
+
+-static void slab_err(struct kmem_cache *s, struct page *page,
++static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page,
+ const char *fmt, ...)
+ {
+ va_list args;
diff --git a/queue-3.18/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch b/queue-3.18/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch
new file mode 100644
index 00000000000..10d92c89991
--- /dev/null
+++ b/queue-3.18/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch
@@ -0,0 +1,64 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Chintan Pandya
+Date: Thu, 7 Jun 2018 17:06:50 -0700
+Subject: mm: vmalloc: avoid racy handling of debugobjects in vunmap
+
+From: Chintan Pandya
+
+[ Upstream commit f3c01d2f3ade6790db67f80fef60df84424f8964 ]
+
+Currently, __vunmap flow is,
+ 1) Release the VM area
+ 2) Free the debug objects corresponding to that vm area.
+
+This leave some race window open.
+ 1) Release the VM area
+ 1.5) Some other client gets the same vm area
+ 1.6) This client allocates new debug objects on the same
+ vm area
+ 2) Free the debug objects corresponding to this vm area.
+
+Here, we actually free 'other' client's debug objects.
+
+Fix this by freeing the debug objects first and then releasing the VM
+area.
+
+Link: http://lkml.kernel.org/r/1523961828-9485-2-git-send-email-cpandya@codeaurora.org
+Signed-off-by: Chintan Pandya
+Reviewed-by: Andrew Morton
+Cc: Ard Biesheuvel
+Cc: Byungchul Park
+Cc: Catalin Marinas
+Cc: Florian Fainelli
+Cc: Johannes Weiner
+Cc: Laura Abbott
+Cc: Vlastimil Babka
+Cc: Wei Yang
+Cc: Yisheng Xie
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ mm/vmalloc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/vmalloc.c
++++ b/mm/vmalloc.c
+@@ -1440,7 +1440,7 @@ static void __vunmap(const void *addr, i
+ addr))
+ return;
+
+- area = remove_vm_area(addr);
++ area = find_vmap_area((unsigned long)addr)->vm;
+ if (unlikely(!area)) {
+ WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n",
+ addr);
+@@ -1450,6 +1450,7 @@ static void __vunmap(const void *addr, i
+ debug_check_no_locks_freed(addr, area->size);
+ debug_check_no_obj_freed(addr, area->size);
+
++ remove_vm_area(addr);
+ if (deallocate_pages) {
+ int i;
+
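Review bot: In the first mm/vmalloc.c hunk, `find_vmap_area((unsigned long)addr)->vm` reads `->vm` from the lookup result before the `if (unlikely(!area))` check that follows it. If find_vmap_area() returns NULL for an address with no mapping, __vunmap would fault on the dereference instead of reaching the "Trying to vfree() nonexistent vm area" WARN, which turns a diagnosable bad vfree() into a kernel NULL dereference. The lookup result should be checked before it is used, for example `area = find_vm_area(addr);`, which returns NULL when nothing is found. The area is also now looked up and removed in two separate steps; whether anything stops a second caller from releasing the same address between them is not visible here. __vunmap starts and ends outside the hunk.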
diff --git a/queue-3.18/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch b/queue-3.18/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch
new file mode 100644
index 00000000000..0478117d283
--- /dev/null
+++ b/queue-3.18/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Ganapathi Bhat
+Date: Thu, 24 May 2018 19:18:27 +0530
+Subject: mwifiex: handle race during mwifiex_usb_disconnect
+
+From: Ganapathi Bhat
+
+[ Upstream commit b817047ae70c0bd67b677b65d0d69d72cd6e9728 ]
+
+Race condition is observed during rmmod of mwifiex_usb:
+
+1. The rmmod thread will call mwifiex_usb_disconnect(), download
+ SHUTDOWN command and do wait_event_interruptible_timeout(),
+ waiting for response.
+
+2. The main thread will handle the response and will do a
+ wake_up_interruptible(), unblocking rmmod thread.
+
+3. On getting unblocked, rmmod thread will make rx_cmd.urb = NULL in
+ mwifiex_usb_free().
+
+4. The main thread will try to resubmit rx_cmd.urb in
+ mwifiex_usb_submit_rx_urb(), which is NULL.
+
+To fix, wait for main thread to complete before calling
+mwifiex_usb_free().
+
+Signed-off-by: Ganapathi Bhat
+Signed-off-by: Kalle Valo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mwifiex/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mwifiex/usb.c
++++ b/drivers/net/wireless/mwifiex/usb.c
+@@ -556,6 +556,9 @@ static void mwifiex_usb_disconnect(struc
+ MWIFIEX_FUNC_SHUTDOWN);
+ }
+
++ if (adapter->workqueue)
++ flush_workqueue(adapter->workqueue);
++
+ mwifiex_usb_free(card);
+
+ dev_dbg(adapter->dev, "%s: removing card\n", __func__);
diff --git a/queue-3.18/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch b/queue-3.18/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch
new file mode 100644
index 00000000000..8480dc25ae3
--- /dev/null
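Review bot: `flush_workqueue(adapter->workqueue)` in mwifiex_usb_disconnect waits only for work that is already queued, and nothing in this hunk stops the main work from being queued again between the flush and `mwifiex_usb_free(card)`. If a completion can still schedule it in that window, the resubmission of a NULL `rx_cmd.urb` described in the commit message may remain reachable. Whether the surrounding code already blocks re-queuing cannot be seen here, because the function starts and ends outside the hunk. A comment on the new lines, such as `/* main work must be idle before the URBs are freed */`, should state the ordering requirement either way.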
+++ b/queue-3.18/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mika Westerberg
+Date: Wed, 23 May 2018 17:19:22 -0500
+Subject: PCI: pciehp: Request control of native hotplug only if supported
+
+From: Mika Westerberg
+
+[ Upstream commit 408fec36a1ab3d14273c2116b449ef1e9be3cb8b ]
+
+Currently we request control of native PCIe hotplug unconditionally.
+Native PCIe hotplug events are handled by the pciehp driver, and if it is
+not enabled those events will be lost.
+
+Request control of native PCIe hotplug only if the pciehp driver is
+enabled, so we will actually handle native PCIe hotplug events.
+
+Suggested-by: Bjorn Helgaas
+Signed-off-by: Mika Westerberg
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/pci_root.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/pci_root.c
++++ b/drivers/acpi/pci_root.c
+@@ -476,9 +476,11 @@ static void negotiate_os_control(struct
+ }
+
+ control = OSC_PCI_EXPRESS_CAPABILITY_CONTROL
+- | OSC_PCI_EXPRESS_NATIVE_HP_CONTROL
+ | OSC_PCI_EXPRESS_PME_CONTROL;
+
++ if (IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE))
++ control |= OSC_PCI_EXPRESS_NATIVE_HP_CONTROL;
++
+ if (pci_aer_available()) {
+ if (aer_acpi_firmware_first())
+ dev_info(&device->dev,
diff --git a/queue-3.18/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch b/queue-3.18/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch
new file mode 100644
index 00000000000..051b1e90219
--- /dev/null
+++ b/queue-3.18/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch
@@ -0,0 +1,47 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Christoph Hellwig
+Date: Fri, 18 May 2018 18:56:24 +0200
+Subject: PCI: Prevent sysfs disable of device while driver is attached
+
+From: Christoph Hellwig
+
+[ Upstream commit 6f5cdfa802733dcb561bf664cc89d203f2fd958f ]
+
+Manipulating the enable_cnt behind the back of the driver will wreak
+complete havoc with the kernel state, so disallow it.
+
+Signed-off-by: Christoph Hellwig
+Signed-off-by: Bjorn Helgaas
+Reviewed-by: Johannes Thumshirn
+Acked-by: Keith Busch
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/pci-sysfs.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -199,13 +199,16 @@ static ssize_t enable_store(struct devic
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+
+- if (!val) {
+- if (pci_is_enabled(pdev))
+- pci_disable_device(pdev);
+- else
+- result = -EIO;
+- } else
++ device_lock(dev);
++ if (dev->driver)
++ result = -EBUSY;
++ else if (val)
+ result = pci_enable_device(pdev);
++ else if (pci_is_enabled(pdev))
++ pci_disable_device(pdev);
++ else
++ result = -EIO;
++ device_unlock(dev);
+
+ return result < 0 ? result : count;
+ }
diff --git a/queue-3.18/perf-fix-invalid-bit-in-diagnostic-entry.patch b/queue-3.18/perf-fix-invalid-bit-in-diagnostic-entry.patch
new file mode 100644
index 00000000000..22cc40008dd
--- /dev/null
+++ b/queue-3.18/perf-fix-invalid-bit-in-diagnostic-entry.patch
@@ -0,0 +1,39 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Thomas Richter
+Date: Tue, 8 May 2018 07:53:39 +0200
+Subject: perf: fix invalid bit in diagnostic entry
+
+From: Thomas Richter
+
+[ Upstream commit 3c0a83b14ea71fef5ccc93a3bd2de5f892be3194 ]
+
+The s390 CPU measurement facility sampling mode supports basic entries
+and diagnostic entries. Each entry has a valid bit to indicate the
+status of the entry as valid or invalid.
+
+This bit is bit 31 in the diagnostic entry, but the bit mask definition
+refers to bit 30.
+
+Fix this by making the reserved field one bit larger.
+
+Fixes: 7e75fc3ff4cf ("s390/cpum_sf: Add raw data sampling to support the diagnostic-sampling function")
+Signed-off-by: Thomas Richter
+Reviewed-by: Hendrik Brueckner
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/s390/include/asm/cpu_mf.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/s390/include/asm/cpu_mf.h
++++ b/arch/s390/include/asm/cpu_mf.h
+@@ -118,7 +118,7 @@ struct hws_basic_entry {
+
+ struct hws_diag_entry {
+ unsigned int def:16; /* 0-15 Data Entry Format */
+- unsigned int R:14; /* 16-19 and 20-30 reserved */
++ unsigned int R:15; /* 16-19 and 20-30 reserved */
+ unsigned int I:1; /* 31 entry valid or invalid */
+ u8 data[]; /* Machine-dependent sample data */
+ } __packed;
diff --git a/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch b/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch
new file mode 100644
index 00000000000..42bd58197bb
--- /dev/null
+++ b/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Kan Liang
+Date: Thu, 3 May 2018 11:25:07 -0700
+Subject: perf/x86/intel/uncore: Correct fixed counter index check for NHM
+
+From: Kan Liang
+
+[ Upstream commit d71f11c076c420c4e2fceb4faefa144e055e0935 ]
+
+For Nehalem and Westmere, there is only one fixed counter for W-Box.
+There is no index which is bigger than UNCORE_PMC_IDX_FIXED.
+It is not correct to use >= to check fixed counter.
+The code quality issue will bring problem when new counter index is
+introduced.
+
+Signed-off-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Thomas Gleixner
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/1525371913-10597-2-git-send-email-kan.liang@intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c
+@@ -240,7 +240,7 @@ static void nhmex_uncore_msr_enable_even
+ {
+ struct hw_perf_event *hwc = &event->hw;
+
+- if (hwc->idx >= UNCORE_PMC_IDX_FIXED)
++ if (hwc->idx == UNCORE_PMC_IDX_FIXED)
+ wrmsrl(hwc->config_base, NHMEX_PMON_CTL_EN_BIT0);
+ else if (box->pmu->type->event_mask & NHMEX_PMON_CTL_EN_BIT0)
+ wrmsrl(hwc->config_base, hwc->config | NHMEX_PMON_CTL_EN_BIT22);
diff --git a/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch b/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch
new file mode 100644
index 00000000000..38d05d540b0
--- /dev/null
+++ b/queue-3.18/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Kan Liang
+Date: Thu, 3 May 2018 11:25:08 -0700
+Subject: perf/x86/intel/uncore: Correct fixed counter index check in generic code
+
+From: Kan Liang
+
+[ Upstream commit 4749f8196452eeb73cf2086a6a9705bae479d33d ]
+
+There is no index which is bigger than UNCORE_PMC_IDX_FIXED. The only
+exception is client IMC uncore, which has been specially handled.
+For generic code, it is not correct to use >= to check fixed counter.
+The code quality issue will bring problem when a new counter index is
+introduced.
+
+Signed-off-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Thomas Gleixner
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: acme@kernel.org
+Cc: eranian@google.com
+Link: http://lkml.kernel.org/r/1525371913-10597-3-git-send-email-kan.liang@intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
+@@ -175,7 +175,7 @@ void uncore_perf_event_update(struct int
+ u64 prev_count, new_count, delta;
+ int shift;
+
+- if (event->hw.idx >= UNCORE_PMC_IDX_FIXED)
++ if (event->hw.idx == UNCORE_PMC_IDX_FIXED)
+ shift = 64 - uncore_fixed_ctr_bits(box);
+ else
+ shift = 64 - uncore_perf_ctr_bits(box);
diff --git a/queue-3.18/powerpc-32-add-a-missing-include-header.patch b/queue-3.18/powerpc-32-add-a-missing-include-header.patch
new file mode 100644
index 00000000000..f2f17b0b2fc
--- /dev/null
+++ b/queue-3.18/powerpc-32-add-a-missing-include-header.patch
@@ -0,0 +1,32 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mathieu Malaterre
+Date: Thu, 22 Mar 2018 21:20:03 +0100
+Subject: powerpc/32: Add a missing include header
+
+From: Mathieu Malaterre
+
+[ Upstream commit c89ca593220931c150cffda24b4d4ccf82f13fc8 ]
+
+The header file was missing from the includes. Fix the
+following warning, treated as error with W=1:
+
+ arch/powerpc/kernel/pci_32.c:286:6: error: no previous prototype for ‘sys_pciconfig_iobase’ [-Werror=missing-prototypes]
+
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/pci_32.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/pci_32.c
++++ b/arch/powerpc/kernel/pci_32.c
+@@ -11,6 +11,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
diff --git a/queue-3.18/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch b/queue-3.18/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch
new file mode 100644
index 00000000000..1b2a9b4bf23
--- /dev/null
+++ b/queue-3.18/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch
@@ -0,0 +1,36 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Christophe Leroy
+Date: Thu, 24 May 2018 11:02:06 +0000
+Subject: powerpc/8xx: fix invalid register expression in head_8xx.S
+
+From: Christophe Leroy
+
+[ Upstream commit e4ccb1dae6bdef228d729c076c38161ef6e7ca34 ]
+
+New binutils generate the following warning
+
+ AS arch/powerpc/kernel/head_8xx.o
+arch/powerpc/kernel/head_8xx.S: Assembler messages:
+arch/powerpc/kernel/head_8xx.S:916: Warning: invalid register expression
+
+This patch fixes it.
+
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/head_8xx.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/head_8xx.S
++++ b/arch/powerpc/kernel/head_8xx.S
+@@ -722,7 +722,7 @@ start_here:
+ tovirt(r6,r6)
+ lis r5, abatron_pteptrs@h
+ ori r5, r5, abatron_pteptrs@l
+- stw r5, 0xf0(r0) /* Must match your Abatron config file */
++ stw r5, 0xf0(0) /* Must match your Abatron config file */
+ tophys(r5,r5)
+ stw r6, 0(r5)
+
diff --git a/queue-3.18/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch b/queue-3.18/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch
new file mode 100644
index 00000000000..c109f24ab5c
--- /dev/null
+++ b/queue-3.18/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch
@@ -0,0 +1,57 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mathieu Malaterre
+Date: Thu, 22 Mar 2018 21:19:56 +0100
+Subject: powerpc/chrp/time: Make some functions static, add missing header include
+
+From: Mathieu Malaterre
+
+[ Upstream commit b87a358b4a1421abd544c0b554b1b7159b2b36c0 ]
+
+Add a missing include .
+
+These functions can all be static, make it so. Fix warnings treated as
+errors with W=1:
+
+ arch/powerpc/platforms/chrp/time.c:41:13: error: no previous prototype for ‘chrp_time_init’ [-Werror=missing-prototypes]
+ arch/powerpc/platforms/chrp/time.c:66:5: error: no previous prototype for ‘chrp_cmos_clock_read’ [-Werror=missing-prototypes]
+ arch/powerpc/platforms/chrp/time.c:74:6: error: no previous prototype for ‘chrp_cmos_clock_write’ [-Werror=missing-prototypes]
+ arch/powerpc/platforms/chrp/time.c:86:5: error: no previous prototype for ‘chrp_set_rtc_time’ [-Werror=missing-prototypes]
+ arch/powerpc/platforms/chrp/time.c:130:6: error: no previous prototype for ‘chrp_get_rtc_time’ [-Werror=missing-prototypes]
+
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/chrp/time.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/platforms/chrp/time.c
++++ b/arch/powerpc/platforms/chrp/time.c
+@@ -27,6 +27,8 @@
+ #include
+ #include
+
++#include
++
+ extern spinlock_t rtc_lock;
+
+ #define NVRAM_AS0 0x74
+@@ -62,7 +64,7 @@ long __init chrp_time_init(void)
+ return 0;
+ }
+
+-int chrp_cmos_clock_read(int addr)
++static int chrp_cmos_clock_read(int addr)
+ {
+ if (nvram_as1 != 0)
+ outb(addr>>8, nvram_as1);
+@@ -70,7 +72,7 @@ int chrp_cmos_clock_read(int addr)
+ return (inb(nvram_data));
+ }
+
+-void chrp_cmos_clock_write(unsigned long val, int addr)
++static void chrp_cmos_clock_write(unsigned long val, int addr)
+ {
+ if (nvram_as1 != 0)
+ outb(addr>>8, nvram_as1);
diff --git a/queue-3.18/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch b/queue-3.18/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch
new file mode 100644
index 00000000000..82507e3a6e3
--- /dev/null
+++ b/queue-3.18/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch
@@ -0,0 +1,56 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: "Jonathan Neuschäfer"
+Date: Thu, 10 May 2018 23:59:19 +0200
+Subject: powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet
+
+From: "Jonathan Neuschäfer"
+
+[ Upstream commit 9dcb3df4281876731e4e8bff7940514d72375154 ]
+
+The interrupt controller inside the Wii's Hollywood chip is connected to
+two masters, the "Broadway" PowerPC and the "Starlet" ARM926, each with
+their own interrupt status and mask registers.
+
+When booting the Wii with mini[1], interrupts from the SD card
+controller (IRQ 7) are handled by the ARM, because mini provides SD
+access over IPC. Linux however can't currently use or disable this IPC
+service, so both sides try to handle IRQ 7 without coordination.
+
+Let's instead make sure that all interrupts that are unmasked on the PPC
+side are masked on the ARM side; this will also make sure that Linux can
+properly talk to the SD card controller (and potentially other devices).
+
+If access to a device through IPC is desired in the future, interrupts
+from that device should not be handled by Linux directly.
+
+[1]: https://github.com/lewurm/mini
+
+Signed-off-by: Jonathan Neuschäfer
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c
+@@ -35,6 +35,8 @@
+ */
+ #define HW_BROADWAY_ICR 0x00
+ #define HW_BROADWAY_IMR 0x04
++#define HW_STARLET_ICR 0x08
++#define HW_STARLET_IMR 0x0c
+
+
+ /*
+@@ -74,6 +76,9 @@ static void hlwd_pic_unmask(struct irq_d
+ void __iomem *io_base = irq_data_get_irq_chip_data(d);
+
+ setbits32(io_base + HW_BROADWAY_IMR, 1 << irq);
++
++ /* Make sure the ARM (aka. Starlet) doesn't handle this interrupt. */
++ clrbits32(io_base + HW_STARLET_IMR, 1 << irq);
+ }
+
+
diff --git a/queue-3.18/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch b/queue-3.18/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch
new file mode 100644
index 00000000000..165b2c2e594
--- /dev/null
+++ b/queue-3.18/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch
@@ -0,0 +1,33 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mathieu Malaterre
+Date: Wed, 4 Apr 2018 22:13:05 +0200
+Subject: powerpc/powermac: Add missing prototype for note_bootable_part()
+
+From: Mathieu Malaterre
+
+[ Upstream commit f72cf3f1d49f2c35d6cb682af2e8c93550f264e4 ]
+
+Add a missing prototype for function `note_bootable_part` to silence a
+warning treated as error with W=1:
+
+ arch/powerpc/platforms/powermac/setup.c:361:12: error: no previous prototype for ‘note_bootable_part’ [-Werror=missing-prototypes]
+
+Suggested-by: Christophe Leroy
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/powermac/setup.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/platforms/powermac/setup.c
++++ b/arch/powerpc/platforms/powermac/setup.c
+@@ -359,6 +359,7 @@ static int pmac_late_init(void)
+ }
+ machine_late_initcall(powermac, pmac_late_init);
+
++void note_bootable_part(dev_t dev, int part, int goodness);
+ /*
+ * This is __init_refok because we check for "initializing" before
+ * touching any of the __init sensitive things and "initializing"
diff --git a/queue-3.18/powerpc-powermac-mark-variable-x-as-unused.patch b/queue-3.18/powerpc-powermac-mark-variable-x-as-unused.patch
new file mode 100644
index 00000000000..df4ea097732
--- /dev/null
+++ b/queue-3.18/powerpc-powermac-mark-variable-x-as-unused.patch
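Review bot: The prototype `void note_bootable_part(dev_t dev, int part, int goodness);` is declared inside setup.c, just ahead of the function's comment block, which silences -Wmissing-prototypes but gives code in other files no shared declaration to be checked against. If the function is called from outside this file, the declaration belongs in a header that both the definition and the callers include, so a signature mismatch is caught at compile time. If it is not called elsewhere, marking the definition `static` would be the simpler fix. Which case applies cannot be told from the hunk.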
@@ -0,0 +1,43 @@
+From foo@baz Sat Jul 28 12:29:48 CEST 2018
+From: Mathieu Malaterre
+Date: Wed, 4 Apr 2018 22:07:46 +0200
+Subject: powerpc/powermac: Mark variable x as unused
+
+From: Mathieu Malaterre
+
+[ Upstream commit 5a4b475cf8511da721f20ba432c244061db7139f ]
+
+Since the value of x is never intended to be read, declare it with gcc
+attribute as unused. Fix warning treated as error with W=1:
+
+ arch/powerpc/platforms/powermac/bootx_init.c:471:21: error: variable ‘x’ set but not used [-Werror=unused-but-set-variable]
+
+Suggested-by: Christophe Leroy
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/powermac/bootx_init.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/platforms/powermac/bootx_init.c
++++ b/arch/powerpc/platforms/powermac/bootx_init.c
+@@ -467,7 +467,7 @@ void __init bootx_init(unsigned long r3,
+ boot_infos_t *bi = (boot_infos_t *) r4;
+ unsigned long hdr;
+ unsigned long space;
+- unsigned long ptr, x;
++ unsigned long ptr;
+ char *model;
+ unsigned long offset = reloc_offset();
+
+@@ -561,6 +561,8 @@ void __init bootx_init(unsigned long r3,
+ * MMU switched OFF, so this should not be useful anymore.
+ */
+ if (bi->version < 4) {
++ unsigned long x __maybe_unused;
++
+ bootx_printf("Touching pages...\n");
+
+ /*
diff --git a/queue-3.18/rdma-mad-convert-bug_ons-to-error-flows.patch b/queue-3.18/rdma-mad-convert-bug_ons-to-error-flows.patch
new file mode 100644
index 00000000000..dc546d54b80
--- /dev/null
+++ b/queue-3.18/rdma-mad-convert-bug_ons-to-error-flows.patch
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Leon Romanovsky +Date: Tue, 29 May 2018 14:56:19 +0300 +Subject: RDMA/mad: Convert BUG_ONs to error flows + +From: Leon Romanovsky + +[ Upstream commit 2468b82d69e3a53d024f28d79ba0fdb8bf43dfbf ] + +Let's perform checks in-place instead of BUG_ONs. + +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/mad.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -1466,7 +1466,8 @@ static int add_oui_reg_req(struct ib_mad + mad_reg_req->oui, 3)) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(!*method); ++ if (!*method) ++ goto error3; + goto check_in_use; + } + } +@@ -1476,10 +1477,12 @@ static int add_oui_reg_req(struct ib_mad + vclass]->oui[i])) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(*method); + /* Allocate method table for this OUI */ +- if ((ret = allocate_method_table(method))) +- goto error3; ++ if (!*method) { ++ ret = allocate_method_table(method); ++ if (ret) ++ goto error3; ++ } + memcpy((*vendor_table)->vendor_class[vclass]->oui[i], + mad_reg_req->oui, 3); + goto check_in_use; diff --git a/queue-3.18/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch b/queue-3.18/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch new file mode 100644 index 00000000000..e117cdbb034 --- /dev/null +++ b/queue-3.18/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch 
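Review bot: In the second hunk of add_oui_reg_req(), a non-NULL `*method` in the branch that copies `mad_reg_req->oui` into the slot is now reused silently, where the removed `BUG_ON(*method)` treated that state as an inconsistency. Whatever entries that table already holds would then be associated with the newly registered OUI, so I would keep the condition visible and fail, for example `ret = -EINVAL;` followed by `if (WARN_ON_ONCE(*method)) goto error3;`. The first hunk's new `goto error3` has a related gap: `ret` is not assigned anywhere in the visible lines, so the caller may receive whatever value it held earlier. The function starts and ends outside both hunks, so the initial value of `ret` and what `error3` releases need to be confirmed there.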
@@ -0,0 +1,33 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Anson Huang +Date: Thu, 17 May 2018 15:27:22 +0800 +Subject: regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops + +From: Anson Huang + +[ Upstream commit 0b01fd3d40fe6402e5fa3b491ef23109feb1aaa5 ] + +If is_enabled() is not defined, regulator core will assume +this regulator is already enabled, then it can NOT be really +enabled after disabled. + +Based on Li Jun's patch from the NXP kernel tree. + +Signed-off-by: Anson Huang +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/pfuze100-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -142,6 +142,7 @@ static struct regulator_ops pfuze100_sw_ + static struct regulator_ops pfuze100_swb_regulator_ops = { + .enable = regulator_enable_regmap, + .disable = regulator_disable_regmap, ++ .is_enabled = regulator_is_enabled_regmap, + .list_voltage = regulator_list_voltage_table, + .map_voltage = regulator_map_voltage_ascend, + .set_voltage_sel = regulator_set_voltage_sel_regmap, diff --git a/queue-3.18/rsi-fix-invalid-vdd-warning-in-mmc.patch b/queue-3.18/rsi-fix-invalid-vdd-warning-in-mmc.patch new file mode 100644 index 00000000000..156ef914d6b --- /dev/null +++ b/queue-3.18/rsi-fix-invalid-vdd-warning-in-mmc.patch 
@@ -0,0 +1,76 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Siva Rebbagondla +Date: Wed, 11 Apr 2018 12:13:32 +0530 +Subject: rsi: Fix 'invalid vdd' warning in mmc + +From: Siva Rebbagondla + +[ Upstream commit 78e450719c702784e42af6da912d3692fd3da0cb ] + +While performing cleanup, driver is messing with card->ocr +value by not masking rocr against ocr_avail. Below panic +is observed with some of the SDIO host controllers due to +this. Issue is resolved by reverting incorrect modifications +to vdd. + +[ 927.423821] mmc1: Invalid vdd 0x1f +[ 927.423925] Modules linked in: rsi_sdio(+) cmac bnep arc4 rsi_91x + mac80211 cfg80211 btrsi rfcomm bluetooth ecdh_generic +[ 927.424073] CPU: 0 PID: 1624 Comm: insmod Tainted: G W 4.15.0-1000-caracalla #1 +[ 927.424075] Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.06 01/22/2018 +[ 927.424082] RIP: 0010:sdhci_set_power_noreg+0xdd/0x190[sdhci] +[ 927.424085] RSP: 0018:ffffac3fc064b930 EFLAGS: 00010282 +[ 927.424107] Call Trace: +[ 927.424118] sdhci_set_power+0x5a/0x60 [sdhci] +[ 927.424125] sdhci_set_ios+0x360/0x3b0 [sdhci] +[ 927.424133] mmc_set_initial_state+0x92/0x120 +[ 927.424137] mmc_power_up.part.34+0x33/0x1d0 +[ 927.424141] mmc_power_up+0x17/0x20 +[ 927.424147] mmc_sdio_runtime_resume+0x2d/0x50 +[ 927.424151] mmc_runtime_resume+0x17/0x20 +[ 927.424156] __rpm_callback+0xc4/0x200 +[ 927.424161] ? idr_alloc_cyclic+0x57/0xd0 +[ 927.424165] ? mmc_runtime_suspend+0x20/0x20 +[ 927.424169] rpm_callback+0x24/0x80 +[ 927.424172] ? mmc_runtime_suspend+0x20/0x20 +[ 927.424176] rpm_resume+0x4b3/0x6c0 +[ 927.424181] __pm_runtime_resume+0x4e/0x80 +[ 927.424188] driver_probe_device+0x41/0x490 +[ 927.424192] __driver_attach+0xdf/0xf0 +[ 927.424196] ? driver_probe_device+0x490/0x490 +[ 927.424201] bus_for_each_dev+0x6c/0xc0 +[ 927.424205] driver_attach+0x1e/0x20 +[ 927.424209] bus_add_driver+0x1f4/0x270 +[ 927.424217] ? rsi_sdio_ack_intr+0x50/0x50 [rsi_sdio] +[ 927.424221] driver_register+0x60/0xe0 +[ 927.424227] ? 
rsi_sdio_ack_intr+0x50/0x50 [rsi_sdio] +[ 927.424231] sdio_register_driver+0x20/0x30 +[ 927.424237] rsi_module_init+0x16/0x40 [rsi_sdio] + +Signed-off-by: Siva Rebbagondla +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -155,7 +155,6 @@ static void rsi_reset_card(struct sdio_f + int err; + struct mmc_card *card = pfunction->card; + struct mmc_host *host = card->host; +- s32 bit = (fls(host->ocr_avail) - 1); + u8 cmd52_resp; + u32 clock, resp, i; + u16 rca; +@@ -175,7 +174,6 @@ static void rsi_reset_card(struct sdio_f + msleep(20); + + /* Initialize the SDIO card */ +- host->ios.vdd = bit; + host->ios.chip_select = MMC_CS_DONTCARE; + host->ios.bus_mode = MMC_BUSMODE_OPENDRAIN; + host->ios.power_mode = MMC_POWER_UP; diff --git a/queue-3.18/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch b/queue-3.18/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch new file mode 100644 index 00000000000..96ab35e57c9 --- /dev/null +++ b/queue-3.18/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Alexandre Belloni +Date: Tue, 5 Jun 2018 23:09:14 +0200 +Subject: rtc: ensure rtc_set_alarm fails when alarms are not supported + +From: Alexandre Belloni + +[ Upstream commit abfdff44bc38e9e2ef7929f633fb8462632299d4 ] + +When using RTC_ALM_SET or RTC_WKALM_SET with rtc_wkalrm.enabled not set, +rtc_timer_enqueue() is not called and rtc_set_alarm() may succeed but the +subsequent RTC_AIE_ON ioctl will fail. RTC_ALM_READ would also fail in that +case. + +Ensure rtc_set_alarm() fails when alarms are not supported to avoid letting +programs think the alarms are working for a particular RTC when they are +not. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -381,6 +381,11 @@ int rtc_set_alarm(struct rtc_device *rtc + { + int err; + ++ if (!rtc->ops) ++ return -ENODEV; ++ else if (!rtc->ops->set_alarm) ++ return -EINVAL; ++ + err = rtc_valid_tm(&alarm->time); + if (err != 0) + return err; diff --git a/queue-3.18/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch b/queue-3.18/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch new file mode 100644 index 00000000000..c0ecad8c8c4 --- /dev/null +++ b/queue-3.18/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch 
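Review bot: The new guard at the top of rtc_set_alarm() reads `rtc->ops` twice with no lock taken in the visible lines. If `ops` can be cleared concurrently, for instance when the device is unregistered (not visible here, to be confirmed), the second read in `rtc->ops->set_alarm` can dereference NULL. Doing the check after the function takes its ops lock, or at least reading the pointer once into a local (`const struct rtc_class_ops *ops = rtc->ops;`), would close that window. The `else` after `return -ENODEV;` is redundant. The rest of the function is outside the hunk.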
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Thomas Richter +Date: Tue, 8 May 2018 10:18:39 +0200 +Subject: s390/cpum_sf: Add data entry sizes to sampling trailer entry + +From: Thomas Richter + +[ Upstream commit 77715b7ddb446bd39a06f3376e85f4bb95b29bb8 ] + +The CPU Measurement sampling facility creates a trailer entry for each +Sample-Data-Block of stored samples. The trailer entry contains the sizes +(in bytes) of the stored sampling types: + - basic-sampling data entry size + - diagnostic-sampling data entry size +Both sizes are 2 bytes long. + +This patch changes the trailer entry definition to reflect this. + +Fixes: fcc77f507333 ("s390/cpum_sf: Atomically reset trailer entry fields of sample-data-blocks") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cpu_mf.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -134,7 +134,9 @@ struct hws_trailer_entry { + unsigned int f:1; /* 0 - Block Full Indicator */ + unsigned int a:1; /* 1 - Alert request control */ + unsigned int t:1; /* 2 - Timestamp format */ +- unsigned long long:61; /* 3 - 63: Reserved */ ++ unsigned int :29; /* 3 - 31: Reserved */ ++ unsigned int bsdes:16; /* 32-47: size of basic SDE */ ++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ + }; + unsigned long long flags; /* 0 - 63: All indicators */ + }; diff --git a/queue-3.18/scsi-3w-9xxx-fix-a-missing-check-bug.patch b/queue-3.18/scsi-3w-9xxx-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..641ecb86c90 --- /dev/null +++ b/queue-3.18/scsi-3w-9xxx-fix-a-missing-check-bug.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Wenwen Wang +Date: Mon, 7 May 2018 19:46:43 -0500 +Subject: scsi: 3w-9xxx: fix a missing-check bug + +From: Wenwen Wang + +[ Upstream commit c9318a3e0218bc9dacc25be46b9eec363259536f ] + +In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from +the userspace pointer 'argp' and saved to the kernel object +'driver_command'. Then a security check is performed on the data buffer +size indicated by 'driver_command', which is +'driver_command.buffer_length'. If the security check is passed, the +entire ioctl command is copied again from the 'argp' pointer and saved +to the kernel object 'tw_ioctl'. Then, various operations are performed +on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer +resides in userspace, a malicious userspace process can race to change +the buffer size between the two copies. This way, the user can bypass +the security check and inject invalid data buffer size. This can cause +potential security issues in the following execution. + +This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open()t o +avoid the above issues. + +Signed-off-by: Wenwen Wang +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-9xxx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -901,6 +901,11 @@ static int twa_chrdev_open(struct inode + unsigned int minor_number; + int retval = TW_IOCTL_ERROR_OS_ENODEV; + ++ if (!capable(CAP_SYS_ADMIN)) { ++ retval = -EACCES; ++ goto out; ++ } ++ + minor_number = iminor(inode); + if (minor_number >= twa_device_extension_count) + goto out; diff --git a/queue-3.18/scsi-3w-xxxx-fix-a-missing-check-bug.patch b/queue-3.18/scsi-3w-xxxx-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..7beab1c9d2f --- /dev/null +++ b/queue-3.18/scsi-3w-xxxx-fix-a-missing-check-bug.patch 
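Review bot: The `capable(CAP_SYS_ADMIN)` check added to `twa_chrdev_open()` restricts who can reach the ioctl, but the double copy from `argp` in `twa_chrdev_ioctl()` that the description identifies as the defect is left unchanged. The check runs only at open time, so it does not cover a descriptor opened by a privileged process and later inherited or passed on, and a privileged caller can still change the length between the two copies. The ioctl path should re-validate after the second copy, for example by overwriting the re-read length with the already checked one, `tw_ioctl->driver_command.buffer_length = driver_command.buffer_length;` (names as given in the description; the ioctl body is outside this hunk). The same applies to `tw_chrdev_open()` and `tw_chrdev_ioctl()` in the 3w-xxxx patch that follows. `-EPERM` is the more usual return for a failed capability check than `-EACCES`.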
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Wenwen Wang +Date: Mon, 7 May 2018 19:54:01 -0500 +Subject: scsi: 3w-xxxx: fix a missing-check bug + +From: Wenwen Wang + +[ Upstream commit 9899e4d3523faaef17c67141aa80ff2088f17871 ] + +In tw_chrdev_ioctl(), the length of the data buffer is firstly copied +from the userspace pointer 'argp' and saved to the kernel object +'data_buffer_length'. Then a security check is performed on it to make +sure that the length is not more than 'TW_MAX_IOCTL_SECTORS * +512'. Otherwise, an error code -EINVAL is returned. If the security +check is passed, the entire ioctl command is copied again from the +'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various +operations are performed on 'tw_ioctl' according to the 'cmd'. Given +that the 'argp' pointer resides in userspace, a malicious userspace +process can race to change the buffer length between the two +copies. This way, the user can bypass the security check and inject +invalid data buffer length. This can cause potential security issues in +the following execution. + +This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to +avoid the above issues. + +Signed-off-by: Wenwen Wang +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-xxxx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -1047,6 +1047,9 @@ static int tw_chrdev_open(struct inode * + + dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n"); + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++ + minor_number = iminor(inode); + if (minor_number >= tw_device_extension_count) + return -ENODEV; diff --git a/queue-3.18/scsi-megaraid-silence-a-static-checker-bug.patch b/queue-3.18/scsi-megaraid-silence-a-static-checker-bug.patch new file mode 100644 index 00000000000..75b018ac5a5 --- /dev/null 
+++ b/queue-3.18/scsi-megaraid-silence-a-static-checker-bug.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Dan Carpenter +Date: Thu, 3 May 2018 13:54:32 +0300 +Subject: scsi: megaraid: silence a static checker bug + +From: Dan Carpenter + +[ Upstream commit 27e833dabab74ee665e487e291c9afc6d71effba ] + +If we had more than 32 megaraid cards then it would cause memory +corruption. That's not likely, of course, but it's handy to enforce it +and make the static checker happy. + +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/megaraid.c ++++ b/drivers/scsi/megaraid.c +@@ -4200,6 +4200,9 @@ megaraid_probe_one(struct pci_dev *pdev, + int irq, i, j; + int error = -ENODEV; + ++ if (hba_count >= MAX_CONTROLLERS) ++ goto out; ++ + if (pci_enable_device(pdev)) + goto out; + pci_set_master(pdev); diff --git a/queue-3.18/scsi-ufs-fix-exception-event-handling.patch b/queue-3.18/scsi-ufs-fix-exception-event-handling.patch new file mode 100644 index 00000000000..4b4c7dd7ba9 --- /dev/null +++ b/queue-3.18/scsi-ufs-fix-exception-event-handling.patch 
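Review bot: The new `hba_count >= MAX_CONTROLLERS` check in megaraid_probe_one() leaves through `out` with the preset `error = -ENODEV` and prints nothing, so a controller beyond the limit just fails to probe with no hint why. A one-line diagnostic before the `goto`, such as `dev_warn(&pdev->dev, "megaraid: controller limit reached, ignoring device\n");`, would make the refusal visible to the administrator. The function continues outside the hunk.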
@@ -0,0 +1,51 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Maya Erez +Date: Thu, 3 May 2018 16:37:16 +0530 +Subject: scsi: ufs: fix exception event handling + +From: Maya Erez + +[ Upstream commit 2e3611e9546c2ed4def152a51dfd34e8dddae7a5 ] + +The device can set the exception event bit in one of the response UPIU, +for example to notify the need for urgent BKOPs operation. In such a +case, the host driver calls ufshcd_exception_event_handler to handle +this notification. When trying to check the exception event status (for +finding the cause for the exception event), the device may be busy with +additional SCSI commands handling and may not respond within the 100ms +timeout. + +To prevent that, we need to block SCSI commands during handling of +exception events and allow retransmissions of the query requests, in +case of timeout. + +Signed-off-by: Subhash Jadavani +Signed-off-by: Maya Erez +Signed-off-by: Can Guo +Signed-off-by: Asutosh Das +Reviewed-by: Subhash Jadavani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3330,6 +3330,7 @@ static void ufshcd_exception_event_handl + hba = container_of(work, struct ufs_hba, eeh_work); + + pm_runtime_get_sync(hba->dev); ++ scsi_block_requests(hba->host); + err = ufshcd_get_ee_status(hba, &status); + if (err) { + dev_err(hba->dev, "%s: failed to get exception status %d\n", +@@ -3345,6 +3346,7 @@ static void ufshcd_exception_event_handl + __func__, err); + } + out: ++ scsi_unblock_requests(hba->host); + pm_runtime_put_sync(hba->dev); + return; + } diff --git a/queue-3.18/series b/queue-3.18/series index 1d7c9ad17b5..9c2d9f0c774 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
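Review bot: The description promises both blocking SCSI commands and allowing retransmission of the query requests on timeout, but the two added lines in ufshcd_exception_event_handler() only add `scsi_block_requests(hba->host)` and `scsi_unblock_requests(hba->host)`. No retry is visible in this backport, so it should be confirmed that the retry part exists in this tree or is not needed. The unblock is placed at `out:`, which is only balanced if every exit from the unseen middle of the function goes through that label. A comment at the block call, `/* paired with scsi_unblock_requests() at out: */`, would help keep it that way.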
@@ -2,3 +2,64 @@ tracing-fix-double-free-of-event_trigger_data.patch tracing-fix-possible-double-free-in-event_enable_trigger_func.patch tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch +alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch +alsa-fm801-add-error-handling-for-snd_ctl_add.patch +mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch +mm-slub.c-add-__printf-verification-to-slab_err.patch +rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch +infiniband-fix-a-possible-use-after-free-bug.patch +hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch +rdma-mad-convert-bug_ons-to-error-flows.patch +usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch +perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch +perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch +asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch +mwifiex-handle-race-during-mwifiex_usb_disconnect.patch +wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch +pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch +ath-add-regulatory-mapping-for-fcc3_etsic.patch +ath-add-regulatory-mapping-for-etsi8_world.patch +ath-add-regulatory-mapping-for-apl13_world.patch +ath-add-regulatory-mapping-for-apl2_fcca.patch +ath-add-regulatory-mapping-for-uganda.patch +ath-add-regulatory-mapping-for-tanzania.patch +ath-add-regulatory-mapping-for-serbia.patch +ath-add-regulatory-mapping-for-bermuda.patch +ath-add-regulatory-mapping-for-bahamas.patch +powerpc-32-add-a-missing-include-header.patch +powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch +powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch +powerpc-powermac-mark-variable-x-as-unused.patch +powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch 
+pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch +scsi-ufs-fix-exception-event-handling.patch +alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch +regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch +md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch +media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch +alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch +drm-radeon-fix-mode_valid-s-return-type.patch +powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch +hid-i2c-hid-check-if-device-is-there-before-really-probing.patch +tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch +tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch +libata-fix-command-retry-decision.patch +media-saa7164-fix-driver-name-in-debug-output.patch +s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch +perf-fix-invalid-bit-in-diagnostic-entry.patch +scsi-3w-9xxx-fix-a-missing-check-bug.patch +scsi-3w-xxxx-fix-a-missing-check-bug.patch +scsi-megaraid-silence-a-static-checker-bug.patch +bpf-fix-references-to-free_bpf_prog_info-in-comments.patch +media-siano-get-rid-of-__le32-__le16-cast-warnings.patch +alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch +fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch +drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch +ipconfig-correctly-initialise-ic_nameservers.patch +rsi-fix-invalid-vdd-warning-in-mmc.patch +microblaze-fix-simpleimage-format-generation.patch +usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch +crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch +crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch +media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch +media-si470x-fix-__be16-annotations.patch 
diff --git a/queue-3.18/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch b/queue-3.18/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch new file mode 100644 index 00000000000..581e2609ebf --- /dev/null +++ b/queue-3.18/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Sudeep Holla +Date: Wed, 9 May 2018 17:02:08 +0100 +Subject: tick: Prefer a lower rating device only if it's CPU local device + +From: Sudeep Holla + +[ Upstream commit 1332a90558013ae4242e3dd7934bdcdeafb06c0d ] + +Checking the equality of cpumask for both new and old tick device doesn't +ensure that it's CPU local device. This will cause issue if a low rating +clockevent tick device is registered first followed by the registration +of higher rating clockevent tick device. + +In such case, clockevents_released list will never get emptied as both +the devices get selected as preferred one and we will loop forever in +clockevents_notify_released. + +Signed-off-by: Sudeep Holla +Signed-off-by: Thomas Gleixner +Cc: Frederic Weisbecker +Link: https://lkml.kernel.org/r/1525881728-4858-1-git-send-email-sudeep.holla@arm.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -266,7 +266,8 @@ static bool tick_check_preferred(struct + */ + return !curdev || + newdev->rating > curdev->rating || +- !cpumask_equal(curdev->cpumask, newdev->cpumask); ++ (!cpumask_equal(curdev->cpumask, newdev->cpumask) && ++ !tick_check_percpu(curdev, newdev, smp_processor_id())); + } + + /* diff --git a/queue-3.18/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch b/queue-3.18/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch new file mode 100644 index 00000000000..23fa59c689e --- /dev/null 
+++ b/queue-3.18/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch 
@@ -0,0 +1,96 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: DaeRyong Jeong +Date: Tue, 1 May 2018 00:27:04 +0900 +Subject: tty: Fix data race in tty_insert_flip_string_fixed_flag + +From: DaeRyong Jeong + +[ Upstream commit b6da31b2c07c46f2dcad1d86caa835227a16d9ff ] + +Unlike normal serials, in pty layer, there is no guarantee that multiple +threads don't insert input characters at the same time. If it is happened, +tty_insert_flip_string_fixed_flag can be executed concurrently. This can +lead slab out-of-bounds write in tty_insert_flip_string_fixed_flag. + +Call sequences are as follows. +CPU0 CPU1 +n_tty_ioctl_helper n_tty_ioctl_helper +__start_tty tty_send_xchar +tty_wakeup pty_write +n_hdlc_tty_wakeup tty_insert_flip_string +n_hdlc_send_frames tty_insert_flip_string_fixed_flag +pty_write +tty_insert_flip_string +tty_insert_flip_string_fixed_flag + +To fix the race, acquire port->lock in pty_write() before it inserts input +characters to tty buffer. It prevents multiple threads from inserting +input characters concurrently. 
+ +The crash log is as follows: +BUG: KASAN: slab-out-of-bounds in tty_insert_flip_string_fixed_flag+0xb5/ +0x130 drivers/tty/tty_buffer.c:316 at addr ffff880114fcc121 +Write of size 1792 by task syz-executor0/30017 +CPU: 1 PID: 30017 Comm: syz-executor0 Not tainted 4.8.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 + 0000000000000000 ffff88011638f888 ffffffff81694cc3 ffff88007d802140 + ffff880114fcb300 ffff880114fcc300 ffff880114fcb300 ffff88011638f8b0 + ffffffff8130075c ffff88011638f940 ffff88007d802140 ffff880194fcc121 +Call Trace: + __dump_stack lib/dump_stack.c:15 [inline] + dump_stack+0xb3/0x110 lib/dump_stack.c:51 + kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 + print_address_description mm/kasan/report.c:194 [inline] + kasan_report_error+0x1f7/0x4e0 mm/kasan/report.c:283 + kasan_report+0x36/0x40 mm/kasan/report.c:303 + check_memory_region_inline mm/kasan/kasan.c:292 [inline] + check_memory_region+0x13e/0x1a0 mm/kasan/kasan.c:299 + memcpy+0x37/0x50 mm/kasan/kasan.c:335 + tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316 + tty_insert_flip_string include/linux/tty_flip.h:35 [inline] + pty_write+0x7f/0xc0 drivers/tty/pty.c:115 + n_hdlc_send_frames+0x1d4/0x3b0 drivers/tty/n_hdlc.c:419 + n_hdlc_tty_wakeup+0x73/0xa0 drivers/tty/n_hdlc.c:496 + tty_wakeup+0x92/0xb0 drivers/tty/tty_io.c:601 + __start_tty.part.26+0x66/0x70 drivers/tty/tty_io.c:1018 + __start_tty+0x34/0x40 drivers/tty/tty_io.c:1013 + n_tty_ioctl_helper+0x146/0x1e0 drivers/tty/tty_ioctl.c:1138 + n_hdlc_tty_ioctl+0xb3/0x2b0 drivers/tty/n_hdlc.c:794 + tty_ioctl+0xa85/0x16d0 drivers/tty/tty_io.c:2992 + vfs_ioctl fs/ioctl.c:43 [inline] + do_vfs_ioctl+0x13e/0xba0 fs/ioctl.c:679 + SYSC_ioctl fs/ioctl.c:694 [inline] + SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 + entry_SYSCALL_64_fastpath+0x1f/0xbd + +Signed-off-by: DaeRyong Jeong +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg 
Kroah-Hartman +--- + drivers/tty/pty.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -114,16 +114,19 @@ static int pty_space(struct tty_struct * + static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + { + struct tty_struct *to = tty->link; ++ unsigned long flags; + + if (tty->stopped) + return 0; + + if (c > 0) { ++ spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); ++ spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } diff --git a/queue-3.18/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch b/queue-3.18/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch new file mode 100644 index 00000000000..f8dc3c5a751 --- /dev/null +++ b/queue-3.18/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch 
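Review bot: `tty_flip_buffer_push(to->port)` is called inside the new `spin_lock_irqsave(&to->port->lock, flags)` section in pty_write(), although the race described is in the insertion into the flip buffer. Holding the port lock with interrupts disabled across the push lengthens the critical section. If the push path ever takes `port->lock` itself or runs the receiving side directly (not visible in this hunk), it can also deadlock. Move `spin_unlock_irqrestore(&to->port->lock, flags);` to directly after the `tty_insert_flip_string()` call and leave `if (c) tty_flip_buffer_push(to->port);` outside the lock.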
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Dominik Bozek +Date: Fri, 13 Apr 2018 10:42:31 -0700 +Subject: usb: hub: Don't wait for connect state at resume for powered-off ports + +From: Dominik Bozek + +[ Upstream commit 5d111f5190848d6fb1c414dc57797efea3526a2f ] + +wait_for_connected() wait till a port change status to +USB_PORT_STAT_CONNECTION, but this is not possible if +the port is unpowered. The loop will only exit at timeout. + +Such case take place if an over-current incident happen +while system is in S3. Then during resume wait_for_connected() +will wait 2s, which may be noticeable by the user. + +Signed-off-by: Dominik Bozek +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3310,6 +3310,10 @@ static int wait_for_ss_port_enable(struc + while (delay_ms < 2000) { + if (status || *portstatus & USB_PORT_STAT_CONNECTION) + break; ++ if (!port_is_power_on(hub, *portstatus)) { ++ status = -ENODEV; ++ break; ++ } + msleep(20); + delay_ms += 20; + status = hub_port_status(hub, *port1, portstatus, portchange); diff --git a/queue-3.18/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch b/queue-3.18/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch new file mode 100644 index 00000000000..fdf96167a04 --- /dev/null +++ b/queue-3.18/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Tue, 29 May 2018 16:13:03 -0600 +Subject: usbip: usbip_detach: Fix memory, udev context and udev leak + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit d179f99a651685b19333360e6558110da2fe9bd7 ] + +detach_port() fails to call usbip_vhci_driver_close() from its error +path after usbip_vhci_detach_device() returns failure, leaking memory +allocated in usbip_vhci_driver_open() and holding udev_context and udev +references. Fix it to call usbip_vhci_driver_close(). + +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/usbip/src/usbip_detach.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/tools/usb/usbip/src/usbip_detach.c ++++ b/tools/usb/usbip/src/usbip_detach.c +@@ -43,7 +43,7 @@ void usbip_detach_usage(void) + + static int detach_port(char *port) + { +- int ret; ++ int ret = 0; + uint8_t portnum; + char path[PATH_MAX+1]; + +@@ -71,9 +71,12 @@ static int detach_port(char *port) + } + + ret = usbip_vhci_detach_device(portnum); +- if (ret < 0) +- return -1; ++ if (ret < 0) { ++ ret = -1; ++ goto call_driver_close; ++ } + ++call_driver_close: + usbip_vhci_driver_close(); + + return ret; diff --git a/queue-3.18/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch b/queue-3.18/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch new file mode 100644 index 00000000000..106106de9a8 --- /dev/null +++ b/queue-3.18/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch 
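Review bot: The new `goto call_driver_close;` in detach_port() jumps to the label on the very next statement, so the goto and the label add nothing; the actual fix is only that the function no longer returns early. `if (ret < 0) ret = -1;` followed by the existing `usbip_vhci_driver_close();` expresses the same thing. The `}` context line before `ret = usbip_vhci_detach_device(portnum);` closes an earlier error branch that is outside the hunk. If any branch after the driver is opened still returns directly, it leaks the same resources, and that is where a shared cleanup label would be justified.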
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:29:48 CEST 2018 +From: Eyal Reizer +Date: Mon, 28 May 2018 11:36:42 +0300 +Subject: wlcore: sdio: check for valid platform device data before suspend + +From: Eyal Reizer + +[ Upstream commit 6e91d48371e79862ea2c05867aaebe4afe55a865 ] + +the wl pointer can be null In case only wlcore_sdio is probed while +no WiLink module is successfully probed, as in the case of mounting a +wl12xx module while using a device tree file configured with wl18xx +related settings. +In this case the system was crashing in wl1271_suspend() as platform +device data is not set. +Make sure wl the pointer is valid before using it. + +Signed-off-by: Eyal Reizer +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/sdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ti/wlcore/sdio.c ++++ b/drivers/net/wireless/ti/wlcore/sdio.c +@@ -342,6 +342,11 @@ static int wl1271_suspend(struct device + mmc_pm_flag_t sdio_flags; + int ret = 0; + ++ if (!wl) { ++ dev_err(dev, "no wilink module was probed\n"); ++ goto out; ++ } ++ + dev_dbg(dev, "wl1271 suspend. wow_enabled: %d\n", + wl->wow_enabled); +
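Review bot: The new `!wl` branch in wl1271_suspend() logs with `dev_err()` and then jumps to `out` with `ret` still 0, so suspend reports success while the log reports an error. If letting the system suspend is intended, say so in a comment such as `/* no WiLink module bound: nothing to quiesce, allow suspend */` and consider `dev_dbg()`. If it is not intended, set `ret` before the jump. The code at `out` and the matching resume handler are outside the hunk and should be checked for the same NULL `wl` dereference.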