From: Greg Kroah-Hartman Date: Thu, 24 May 2018 09:27:55 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.110~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f7a046d9d08ca2a40cfb3c9c1d738ef35d56f4d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch arm64-insn-allow-add-sub-immediate-with-lsl-12.patch asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch asoc-topology-create-tlv-data-for-dapm-widgets.patch bluetooth-btusb-add-device-id-for-rtl8822be.patch bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch clk-don-t-show-the-incorrect-clock-phase.patch clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch clk-samsung-exynos3250-fix-pll-rates.patch clk-samsung-exynos5250-fix-pll-rates.patch clk-samsung-exynos5260-fix-pll-rates.patch clk-samsung-exynos5433-fix-pll-rates.patch clk-samsung-exynos7-fix-pll-rates.patch clk-samsung-s3c2410-fix-pll-rates.patch clk-tegra-fix-pll_u-rate-configuration.patch crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch media-cx23885-override-888-impactvcbe-crystal-frequency.patch media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch media-cx25821-prevent-out-of-bounds-read-on-array-card.patch media-dmxdev-fix-error-code-for-invalid-ioctls.patch media-em28xx-usb-bulk-packet-size-fix.patch media-s3c-camif-fix-out-of-bounds-array-access.patch media-vb2-fix-videobuf2-to-map-correct-area.patch media-vivid-fix-incorrect-capabilities-for-radio.patch net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch rtc-snvs-fix-usage-of-snvs_rtc_enable.patch rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch 
scsi-aacraid-fix-shutdown-crash-when-init-fails.patch scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch scsi-fas216-fix-sense-buffer-initialization.patch scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch scsi-sd-keep-disk-read-only-when-re-reading-partition.patch scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch staging-lustre-fix-bug-in-osc_enter_cache_try.patch staging-lustre-lmv-correctly-iput-lmo_root.patch staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch usb-dwc2-fix-interval-type-issue.patch usb-dwc2-host-fix-transaction-errors-in-host-mode.patch usb-dwc3-add-softreset-phy-synchonization-delay.patch usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch 
usb-dwc3-undo-phy-init-if-soft-reset-fails.patch usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch usb-gadget-core-fix-use-after-free-of-usb_request.patch usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
---
diff --git a/queue-4.9/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch b/queue-4.9/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
new file mode 100644
index 00000000000..6ca33eacecd
--- /dev/null
+++ b/queue-4.9/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
@@ -0,0 +1,131 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Nobutaka Okabe
+Date: Fri, 23 Mar 2018 19:18:22 +0900
+Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06
+
+From: Nobutaka Okabe
+
+[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ]
+
+Add native DSD support quirk for Luxman DA-06 DAC, by adding the
+PID/VID 1852:5065.
+
+Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()"
+to cover broader device family sharing the same USB audio
+implementation(*).
+For the same reason, rename "is_teac_dsd_dac()" function to
+"is_itf_usb_dsd_3alts_dac()".
+
+(*)
+These devices have the same USB controller "ITF-USB DSD", supplied by
+INTERFACE Co., Ltd.
+"ITF-USB DSD" USB controller has two patterns,
+
+Pattern 1. (2 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S32)
+- Altset 2: for stream (S32, DSD_U32)
+
+Pattern 2. (3 altsets version)
+- Altset 0: for control
+- Altset 1: for stream (S16)
+- Altset 2: for stream (S32)
+- Altset 3: for stream (S32, DSD_U32)
+
+"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1"
+USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if
+"Pattern2".
+
+Signed-off-by: Nobutaka Okabe
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/quirks.c | 29 ++++++++++++++++-------------
+ 1 file changed, 16 insertions(+), 13 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1153,24 +1153,27 @@ bool snd_usb_get_sample_rate_quirk(struc
+ return false;
+ }
+
+-/* Marantz/Denon USB DACs need a vendor cmd to switch
++/* ITF-USB DSD based DACs need a vendor cmd to switch
+ * between PCM and native DSD mode
++ * (2 altsets version)
+ */
+-static bool is_marantz_denon_dac(unsigned int id)
++static bool is_itf_usb_dsd_2alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */
+ case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */
+ case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */
++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */
+ return true;
+ }
+ return false;
+ }
+
+-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch
+- * between PCM/DOP and native DSD mode
++/* ITF-USB DSD based DACs need a vendor cmd to switch
++ * between PCM and native DSD mode
++ * (3 altsets version)
+ */
+-static bool is_teac_dsd_dac(unsigned int id)
++static bool is_itf_usb_dsd_3alts_dac(unsigned int id)
+ {
+ switch (id) {
+ case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */
+@@ -1187,7 +1190,7 @@ int snd_usb_select_mode_quirk(struct snd
+ struct usb_device *dev = subs->dev;
+ int err;
+
+- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) {
++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) {
+ /* First switch to alt set 0, otherwise the mode switch cmd
+ * will not be accepted by the DAC
+ */
+@@ -1208,7 +1211,7 @@ int snd_usb_select_mode_quirk(struct snd
+ break;
+ }
+ mdelay(20);
+- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) {
++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) {
+ /* Vendor mode switch cmd is required.
*/
+ switch (fmt->altsetting) {
+ case 3: /* DSD mode (DSD_U32) requested */
+@@ -1304,10 +1307,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de
+ (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+- /* Marantz/Denon devices with USB DAC functionality need a delay
++ /* ITF-USB DSD based DACs functionality need a delay
+ * after each class compliant request
+ */
+- if (is_marantz_denon_dac(chip->usb_id)
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)
+ && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS)
+ mdelay(20);
+
+@@ -1371,14 +1374,14 @@ u64 snd_usb_interface_dsd_format_quirks(
+ break;
+ }
+
+- /* Denon/Marantz devices with USB DAC functionality */
+- if (is_marantz_denon_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (2 altsets version) */
++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 2)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
+
+- /* TEAC devices with USB DAC functionality */
+- if (is_teac_dsd_dac(chip->usb_id)) {
++ /* ITF-USB DSD based DACs (3 altsets version) */
++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) {
+ if (fp->altsetting == 3)
+ return SNDRV_PCM_FMTBIT_DSD_U32_BE;
+ }
diff --git a/queue-4.9/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch b/queue-4.9/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch
new file mode 100644
index 00000000000..7ef67257b54
--- /dev/null
+++ b/queue-4.9/arm64-insn-allow-add-sub-immediate-with-lsl-12.patch
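Review bot: The rewritten comment in the snd_usb_ctl_msg_quirk() hunk, `ITF-USB DSD based DACs functionality need a delay`, is left ungrammatical by the replacement of the vendor names; `ITF-USB DSD based DACs (2 altsets version) need a delay` would read correctly and match the wording used in snd_usb_interface_dsd_format_quirks(). The comment above is_itf_usb_dsd_3alts_dac() also loses the `PCM/DOP` wording of the TEAC comment it replaces, which the description does not mention. Every function touched by the inner patch starts or ends outside its hunk.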
@@ -0,0 +1,66 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Marc Zyngier
+Date: Sun, 3 Dec 2017 17:50:00 +0000
+Subject: arm64: insn: Allow ADD/SUB (immediate) with LSL #12
+
+From: Marc Zyngier
+
+[ Upstream commit 11d764079c9f25d1da8e10906d54da7fefec5844 ]
+
+The encoder for ADD/SUB (immediate) can only cope with 12bit
+immediates, while there is an encoding for a 12bit immediate shifted
+by 12 bits to the left.
+
+Let's fix this small oversight by allowing the LSL_12 bit to be set.
+
+Reviewed-by: Christoffer Dall
+Acked-by: Catalin Marinas
+Signed-off-by: Marc Zyngier
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/insn.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/insn.c
++++ b/arch/arm64/kernel/insn.c
+@@ -35,6 +35,7 @@
+
+ #define AARCH64_INSN_SF_BIT BIT(31)
+ #define AARCH64_INSN_N_BIT BIT(22)
++#define AARCH64_INSN_LSL_12 BIT(22)
+
+ static int aarch64_insn_encoding_class[] = {
+ AARCH64_INSN_CLS_UNKNOWN,
+@@ -764,9 +765,18 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ return AARCH64_BREAK_FAULT;
+ }
+
++ /* We can't encode more than a 24bit value (12bit + 12bit shift) */
++ if (imm & ~(BIT(24) - 1))
++ goto out;
++
++ /* If we have something in the top 12 bits... */
+ if (imm & ~(SZ_4K - 1)) {
+- pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
+- return AARCH64_BREAK_FAULT;
++ /* ...
and in the low 12 bits -> error */
++ if (imm & (SZ_4K - 1))
++ goto out;
++
++ imm >>= 12;
++ insn |= AARCH64_INSN_LSL_12;
+ }
+
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RD, insn, dst);
+@@ -774,6 +784,10 @@ u32 aarch64_insn_gen_add_sub_imm(enum aa
+ insn = aarch64_insn_encode_register(AARCH64_INSN_REGTYPE_RN, insn, src);
+
+ return aarch64_insn_encode_immediate(AARCH64_INSN_IMM_12, insn, imm);
++
++out:
++ pr_err("%s: invalid immediate encoding %d\n", __func__, imm);
++ return AARCH64_BREAK_FAULT;
+ }
+
+ u32 aarch64_insn_gen_bitfield(enum aarch64_insn_register dst,
diff --git a/queue-4.9/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch b/queue-4.9/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch
new file mode 100644
index 00000000000..1a736173ad5
--- /dev/null
+++ b/queue-4.9/asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch
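Review bot: `#define AARCH64_INSN_LSL_12 BIT(22)` has the same value as `AARCH64_INSN_N_BIT` on the line above it, and nothing says the two belong to different instruction encodings, so the pair reads like a copy-paste slip. A short comment on the new define, for example `/* ADD/SUB (immediate): imm12 is shifted left by 12 */`, would record the intent next to the bit. The body of aarch64_insn_gen_add_sub_imm() starts outside the hunk, so the type of `imm` used by the new mask tests cannot be confirmed from here.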
@@ -0,0 +1,45 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Dan Carpenter
+Date: Mon, 15 Jan 2018 11:08:38 +0300
+Subject: ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
+
+From: Dan Carpenter
+
+[ Upstream commit 123af9043e93cb6f235207d260d50f832cdb5439 ]
+
+The loop timeout doesn't work because it's a post op and ends with "tmo"
+set to -1. I changed it from a post-op to a pre-op and I changed the
+initial the starting value from 5 to 6 so we still iterate 5 times. I
+left the other as it was because it's a large number.
+
+Fixes: b3c70c9ea62a ("ASoC: Alchemy AC97C/I2SC audio support")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/au1x/ac97c.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/soc/au1x/ac97c.c
++++ b/sound/soc/au1x/ac97c.c
+@@ -91,8 +91,8 @@ static unsigned short au1xac97c_ac97_rea
+ do {
+ mutex_lock(&ctx->lock);
+
+- tmo = 5;
+- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
++ tmo = 6;
++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
+ udelay(21); /* wait an ac97 frame time */
+ if (!tmo) {
+ pr_debug("ac97rd timeout #1\n");
+@@ -105,7 +105,7 @@ static unsigned short au1xac97c_ac97_rea
+ * poll, Forrest, poll...
+ */
+ tmo = 0x10000;
+- while ((RD(ctx, AC97_STATUS) & STAT_CP) && tmo--)
++ while ((RD(ctx, AC97_STATUS) & STAT_CP) && --tmo)
+ asm volatile ("nop");
+ data = RD(ctx, AC97_CMDRESP);
+
diff --git a/queue-4.9/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch b/queue-4.9/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch
new file mode 100644
index 00000000000..20c21817f11
--- /dev/null
+++ b/queue-4.9/asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch
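Review bot: `tmo = 6;` gives no hint that the extra count exists only because the loop now pre-decrements, so a later reader is likely to "correct" it back to 5; a trailing comment such as `/* --tmo below: 5 waits, 0 means timeout */` would keep that reasoning in the code. The second loop is switched to `--tmo` with its start value unchanged, so it now polls 0xffff times instead of 0x10000, which the description only hints at. `data = RD(ctx, AC97_CMDRESP);` is read whether or not that loop timed out, and the code that tests `tmo` afterwards is outside the hunk, so it is worth confirming that a timed-out read is not returned as valid data.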
@@ -0,0 +1,53 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Sylwester Nawrocki
+Date: Mon, 5 Feb 2018 16:43:56 +0100
+Subject: ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
+
+From: Sylwester Nawrocki
+
+[ Upstream commit 647d04f8e07afc7c3b7a42b3ee01a8b28db29631 ]
+
+If the RCLK mux clock configuration is specified in DT and no set_sysclk()
+callback is used in the sound card driver the sclk_srcrate field will remain
+set to 0, leading to an incorrect PSR divider setting.
+To fix this the frequency value is retrieved from the CLK_I2S_RCLK_SRC clock,
+so the actual RCLK mux selection is taken into account.
+
+Signed-off-by: Sylwester Nawrocki
+Acked-by: Krzysztof Kozlowski
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/samsung/i2s.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/samsung/i2s.c
++++ b/sound/soc/samsung/i2s.c
+@@ -642,8 +642,12 @@ static int i2s_set_fmt(struct snd_soc_da
+ tmp |= mod_slave;
+ break;
+ case SND_SOC_DAIFMT_CBS_CFS:
+- /* Set default source clock in Master mode */
+- if (i2s->rclk_srcrate == 0)
++ /*
++ * Set default source clock in Master mode, only when the
++ * CLK_I2S_RCLK_SRC clock is not exposed so we ensure any
++ * clock configuration assigned in DT is not overwritten.
++ */
++ if (i2s->rclk_srcrate == 0 && i2s->clk_data.clks == NULL)
+ i2s_set_sysclk(dai, SAMSUNG_I2S_RCLKSRC_0,
+ 0, SND_SOC_CLOCK_IN);
+ break;
+@@ -858,6 +862,11 @@ static int config_setup(struct i2s_dai *
+ return 0;
+
+ if (!(i2s->quirks & QUIRK_NO_MUXPSR)) {
++ struct clk *rclksrc = i2s->clk_table[CLK_I2S_RCLK_SRC];
++
++ if (i2s->rclk_srcrate == 0 && rclksrc && !IS_ERR(rclksrc))
++ i2s->rclk_srcrate = clk_get_rate(rclksrc);
++
+ psr = i2s->rclk_srcrate / i2s->frmclk / rfs;
+ writel(((psr - 1) << 8) | PSR_PSREN, i2s->addr + I2SPSR);
+ dev_dbg(&i2s->pdev->dev,
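Review bot: In the config_setup() hunk the new fallback can still leave `i2s->rclk_srcrate` at 0 (no usable `rclksrc`, or `clk_get_rate()` returning 0), and the next line then computes `psr` as 0, so `(psr - 1) << 8` is written to I2SPSR from a wrapped divider. A guard directly after the lookup, `if (i2s->rclk_srcrate == 0) return -EINVAL;`, would turn that into an error instead of a bad register value. The two hunks also test different fields for "clock is exposed" (`i2s->clk_data.clks == NULL` in i2s_set_fmt(), `i2s->clk_table[CLK_I2S_RCLK_SRC]` here), and whether these always agree cannot be told from the visible lines. Both functions continue outside their hunks.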
diff --git a/queue-4.9/asoc-topology-create-tlv-data-for-dapm-widgets.patch b/queue-4.9/asoc-topology-create-tlv-data-for-dapm-widgets.patch
new file mode 100644
index 00000000000..b460380415d
--- /dev/null
+++ b/queue-4.9/asoc-topology-create-tlv-data-for-dapm-widgets.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Ranjani Sridharan
+Date: Fri, 9 Mar 2018 11:11:17 -0800
+Subject: ASoC: topology: create TLV data for dapm widgets
+
+From: Ranjani Sridharan
+
+[ Upstream commit bde8b3887add8368ecf0ca71117baf2fd56a6fc9 ]
+
+This patch adds the change required to create the TLV data
+for dapm widget kcontrols from topology. This also fixes the following
+TLV read error shown in amixer while showing the card control contents.
+"amixer: Control hw:1 element TLV read error: No such device or address"
+
+Signed-off-by: Ranjani Sridharan
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-topology.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1180,6 +1180,9 @@ static struct snd_kcontrol_new *soc_tplg
+ kfree(sm);
+ continue;
+ }
++
++ /* create any TLV data */
++ soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);
+ }
+ return kc;
+
diff --git a/queue-4.9/bluetooth-btusb-add-device-id-for-rtl8822be.patch b/queue-4.9/bluetooth-btusb-add-device-id-for-rtl8822be.patch
new file mode 100644
index 00000000000..dc316118927
--- /dev/null
+++ b/queue-4.9/bluetooth-btusb-add-device-id-for-rtl8822be.patch
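Review bot: The result of `soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr);` is discarded, so if TLV creation fails the loop carries on and the function still returns `kc`, with the control left without TLV data and no diagnostic. If the helper reports errors, which cannot be seen from this hunk, the call should be tested, e.g. `if (soc_tplg_create_tlv(tplg, &kc[i], &mc->hdr) < 0)` followed by the error handling the function already uses. The loop and that error handling both begin outside the hunk.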
@@ -0,0 +1,33 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Larry Finger
+Date: Sun, 11 Feb 2018 12:24:32 -0600
+Subject: Bluetooth: btusb: Add device ID for RTL8822BE
+
+From: Larry Finger
+
+[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ]
+
+The Asus Z370-I contains a Realtek RTL8822BE device with an associated
+BT chip using a USB ID of 0b05:185c. This device is added to the driver.
+
+Signed-off-by: Hon Weng Chong
+Signed-off-by: Larry Finger
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -355,6 +355,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8822BE Bluetooth devices */
++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK },
++
+ /* Silicon Wave based devices */
+ { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE },
+
diff --git a/queue-4.9/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch b/queue-4.9/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
new file mode 100644
index 00000000000..a93f42582dd
--- /dev/null
+++ b/queue-4.9/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
@@ -0,0 +1,74 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Vicente Bergas
+Date: Tue, 20 Mar 2018 19:41:10 +0100
+Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
+
+From: Vicente Bergas
+
+[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ]
+
+This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it.
+
+Product information:
+https://wikidevi.com/wiki/Edimax_EW-7611ULB
+
+>From /sys/kernel/debug/usb/devices
+T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=7392 ProdID=a611 Rev= 2.00
+S: Manufacturer=Realtek
+S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter
+S: SerialNumber=00e04c000001
+C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA
+A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.)
Sub=ff Prot=ff Driver=rtl8723bu
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us
+E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Tested-by: Vicente Bergas
+Signed-off-by: Vicente Bergas
+Signed-off-by: Marcel Holtmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btusb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -345,6 +345,9 @@ static const struct usb_device_id blackl
+ { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK },
+
++ /* Additional Realtek 8723BU Bluetooth devices */
++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK },
++
+ /* Additional Realtek 8821AE Bluetooth devices */
+ { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK },
+ { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK },
diff --git a/queue-4.9/clk-don-t-show-the-incorrect-clock-phase.patch b/queue-4.9/clk-don-t-show-the-incorrect-clock-phase.patch
new file mode 100644
index 00000000000..ce0ab4043a0
--- /dev/null
+++ b/queue-4.9/clk-don-t-show-the-incorrect-clock-phase.patch
@@ -0,0 +1,54 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Shawn Lin
+Date: Wed, 14 Mar 2018 08:28:31 +0800
+Subject: clk: Don't show the incorrect clock phase
+
+From: Shawn Lin
+
+[ Upstream commit 1f9c63e8de3d7b377c9d74e4a17524cfb60e6384 ]
+
+It's found that the clock phase output from clk_summary is
+wrong compared to the actual phase reading from the register.
+
+cat /sys/kernel/debug/clk/clk_summary | grep sdio_sample
+sdio_sample 0 1 0 50000000 0 -22
+
+It exposes an issue that clk core, clk_core_get_phase, always
+returns the cached core->phase which should be either updated
+by calling clk_set_phase or directly from the first place the
+clk was registered.
+
+When registering the clk, the core->phase geting from ->get_phase()
+may return negative value indicating error. This is quite common
+since the clk's phase may be highly related to its parent chain,
+but it was temporarily orphan when registered, since its parent
+chains hadn't be ready at that time, so the clk drivers decide to
+return error in this case. However, if no clk_set_phase is called or
+maybe the ->set_phase() isn't even implemented, the core->phase would
+never be updated. This is wrong, and we should try to update it when
+all its parent chains are settled down, like the way of updating clock
+rate for that. But it's not deserved to complicate the code now and
+just update it anyway when calling clk_core_get_phase, which would be
+much simple and enough.
+
+Signed-off-by: Shawn Lin
+Acked-by: Jerome Brunet
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/clk.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/clk/clk.c
++++ b/drivers/clk/clk.c
+@@ -1929,6 +1929,9 @@ static int clk_core_get_phase(struct clk
+ int ret;
+
+ clk_prepare_lock();
++ /* Always try to update cached phase if possible */
++ if (core->ops->get_phase)
++ core->phase = core->ops->get_phase(core->hw);
+ ret = core->phase;
+ clk_prepare_unlock();
+
diff --git a/queue-4.9/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch b/queue-4.9/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch
new file mode 100644
index 00000000000..c8dcf326ad7
--- /dev/null
+++ b/queue-4.9/clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch
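Review bot: `core->phase = core->ops->get_phase(core->hw);` stores whatever the callback returns, and the description itself says ->get_phase() may return a negative error for an orphan clock, so a failing callback overwrites the cached phase with an errno and the last good value is lost. Keeping the cache on failure would be `ret = core->ops->get_phase(core->hw);` followed by `if (ret >= 0) core->phase = ret;` inside the new `if`, leaving the existing `ret = core->phase;` after it. The rockchip clk-mmc-phase patch queued on this page adds exactly such a `return -EINVAL;` to a get_phase callback, so the two changes interact. The rest of clk_core_get_phase() lies outside the hunk.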
@@ -0,0 +1,37 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Shawn Lin
+Date: Wed, 21 Mar 2018 10:39:19 +0800
+Subject: clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
+
+From: Shawn Lin
+
+[ Upstream commit 4b0556a441dd37e598887215bc89b49a6ef525b3 ]
+
+commit c420c1e4db22 ("clk: rockchip: Prevent calculating mmc phase
+if clock rate is zero") catches one gremlin again for clk-rk3228.c
+that the parent of SDMMC phase clock should be sclk_sdmmc0, but not
+sclk_sdmmc. However, the naming of the sdmmc clocks varies in the
+manual with the card clock having the 0 while the hclk is named
+without appended 0. So standardize one one format to prevent
+confusion, as there also is only one (non-sdio) mmc controller on
+the soc.
+
+Signed-off-by: Shawn Lin
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/rockchip/clk-rk3228.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/rockchip/clk-rk3228.c
++++ b/drivers/clk/rockchip/clk-rk3228.c
+@@ -369,7 +369,7 @@ static struct rockchip_clk_branch rk3228
+ RK2928_CLKSEL_CON(23), 5, 2, MFLAGS, 0, 6, DFLAGS,
+ RK2928_CLKGATE_CON(2), 15, GFLAGS),
+
+- COMPOSITE(SCLK_SDMMC, "sclk_sdmmc0", mux_mmc_src_p, 0,
++ COMPOSITE(SCLK_SDMMC, "sclk_sdmmc", mux_mmc_src_p, 0,
+ RK2928_CLKSEL_CON(11), 8, 2, MFLAGS, 0, 8, DFLAGS,
+ RK2928_CLKGATE_CON(2), 11, GFLAGS),
+
diff --git a/queue-4.9/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch b/queue-4.9/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch
new file mode 100644
index 00000000000..33b05b2cc2a
--- /dev/null
+++ b/queue-4.9/clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch
@@ -0,0 +1,64 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Shawn Lin
+Date: Mon, 5 Mar 2018 11:25:58 +0800
+Subject: clk: rockchip: Prevent calculating mmc phase if clock rate is zero
+
+From: Shawn Lin
+
+[ Upstream commit 4bf59902b50012b1dddeeaa23b217d9c4956cdda ]
+
+The MMC sample and drv clock for rockchip platforms are derived from
+the bus clock output to the MMC/SDIO card. So it should never happens
+that the clk rate is zero given it should inherits the clock rate from
+its parent. If something goes wrong and makes the clock rate to be zero,
+the calculation would be wrong but may still make the mmc tuning process
+work luckily. However it makes people harder to debug when the following
+data transfer is unstable.
+
+Signed-off-by: Shawn Lin
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/rockchip/clk-mmc-phase.c | 23 +++++++++++++++++++++++
+ 1 file changed, 23 insertions(+)
+
+--- a/drivers/clk/rockchip/clk-mmc-phase.c
++++ b/drivers/clk/rockchip/clk-mmc-phase.c
+@@ -58,6 +58,12 @@ static int rockchip_mmc_get_phase(struct
+ u16 degrees;
+ u32 delay_num = 0;
+
++ /* See the comment for rockchip_mmc_set_phase below */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ raw_value = readl(mmc_clock->reg) >> (mmc_clock->shift);
+
+ degrees = (raw_value & ROCKCHIP_MMC_DEGREE_MASK) * 90;
+@@ -84,6 +90,23 @@ static int rockchip_mmc_set_phase(struct
+ u32 raw_value;
+ u32 delay;
+
++ /*
++ * The below calculation is based on the output clock from
++ * MMC host to the card, which expects the phase clock inherits
++ * the clock rate from its parent, namely the output clock
++ * provider of MMC host. However, things may go wrong if
++ * (1) It is orphan.
++ * (2) It is assigned to the wrong parent.
++ *
++ * This check help debug the case (1), which seems to be the
++ * most likely problem we often face and which makes it difficult
++ * for people to debug unstable mmc tuning results.
++ */
++ if (!rate) {
++ pr_err("%s: invalid clk rate\n", __func__);
++ return -EINVAL;
++ }
++
+ nineties = degrees / 90;
+ remainder = (degrees % 90);
+
diff --git a/queue-4.9/clk-samsung-exynos3250-fix-pll-rates.patch b/queue-4.9/clk-samsung-exynos3250-fix-pll-rates.patch
new file mode 100644
index 00000000000..25c60d9f449
--- /dev/null
+++ b/queue-4.9/clk-samsung-exynos3250-fix-pll-rates.patch
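Review bot: Both new `pr_err("%s: invalid clk rate\n", __func__);` messages name only the function, so on a board with several MMC phase clocks the log does not say which clock is orphaned, although that is the case the added comment says the check is meant to help debug. Including the clock name would fix that, e.g. `pr_err("%s: invalid clk rate for %s\n", __func__, clk_hw_get_name(hw));`, where `hw` stands for the clk_hw parameter whose name is cut off in the hunk headers and needs checking. If the get_phase path is queried repeatedly while the clock stays orphaned, the message will repeat each time, so a rate-limited print may be worth considering. Both functions start and end outside their hunks, including the declaration of `rate`.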
@@ -0,0 +1,55 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:48 +0100
+Subject: clk: samsung: exynos3250: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit a8321e7887410a2b2e80ab89d1ef7b30562658ea ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+In this patch an erroneous P value for 74176002 output frequency is also
+corrected.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Chanwoo Choi
+Acked-by: Tomasz Figa
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-exynos3250.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos3250.c
++++ b/drivers/clk/samsung/clk-exynos3250.c
+@@ -698,7 +698,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(144000000, 96, 2, 3, 0),
+ PLL_36XX_RATE( 96000000, 128, 2, 4, 0),
+ PLL_36XX_RATE( 84000000, 112, 2, 4, 0),
+- PLL_36XX_RATE( 80000004, 106, 2, 4, 43691),
++ PLL_36XX_RATE( 80000003, 106, 2, 4, 43691),
+ PLL_36XX_RATE( 73728000, 98, 2, 4, 19923),
+ PLL_36XX_RATE( 67737598, 270, 3, 5, 62285),
+ PLL_36XX_RATE( 65535999, 174, 2, 5, 49982),
+@@ -734,7 +734,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(148352005, 98, 2, 3, 59070),
+ PLL_36XX_RATE(108000000, 144, 2, 4, 0),
+ PLL_36XX_RATE( 74250000, 99, 2, 4, 0),
+- PLL_36XX_RATE( 74176002, 98, 3, 4, 59070),
++ PLL_36XX_RATE( 74176002, 98, 2, 4, 59070),
+ PLL_36XX_RATE( 54054000, 216, 3, 5, 14156),
+ PLL_36XX_RATE( 54000000, 144, 2, 5, 0),
+ { /* sentinel */ }
diff --git a/queue-4.9/clk-samsung-exynos5250-fix-pll-rates.patch b/queue-4.9/clk-samsung-exynos5250-fix-pll-rates.patch
new file mode 100644
index 00000000000..427da48a371
--- /dev/null
+++ b/queue-4.9/clk-samsung-exynos5250-fix-pll-rates.patch
@@ -0,0 +1,52 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:49 +0100
+Subject: clk: samsung: exynos5250: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit 2ac051eeabaa411ef89ae7cd5bb8e60cb41ad780 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated
+from PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Chanwoo Choi
+Acked-by: Tomasz Figa
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-exynos5250.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5250.c
++++ b/drivers/clk/samsung/clk-exynos5250.c
+@@ -711,13 +711,13 @@ static const struct samsung_pll_rate_tab
+ /* sorted in descending order */
+ /* PLL_36XX_RATE(rate, m, p, s, k) */
+ PLL_36XX_RATE(192000000, 64, 2, 2, 0),
+- PLL_36XX_RATE(180633600, 90, 3, 2, 20762),
++ PLL_36XX_RATE(180633605, 90, 3, 2, 20762),
+ PLL_36XX_RATE(180000000, 90, 3, 2, 0),
+ PLL_36XX_RATE(73728000, 98, 2, 4, 19923),
+- PLL_36XX_RATE(67737600, 90, 2, 4, 20762),
++ PLL_36XX_RATE(67737602, 90, 2, 4, 20762),
+ PLL_36XX_RATE(49152000, 98, 3, 4, 19923),
+- PLL_36XX_RATE(45158400, 90, 3, 4, 20762),
+- PLL_36XX_RATE(32768000, 131, 3, 5, 4719),
++ PLL_36XX_RATE(45158401, 90, 3, 4, 20762),
++ PLL_36XX_RATE(32768001, 131, 3, 5, 4719),
+ { },
+ };
+
diff --git a/queue-4.9/clk-samsung-exynos5260-fix-pll-rates.patch b/queue-4.9/clk-samsung-exynos5260-fix-pll-rates.patch
new file mode 100644
index 00000000000..2be08b1b625
--- /dev/null
+++ b/queue-4.9/clk-samsung-exynos5260-fix-pll-rates.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:50 +0100
+Subject: clk: samsung: exynos5260: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit cdb68fbd4e7962be742c4f29475220c5bf28d8a5 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Tomasz Figa
+Acked-by: Chanwoo Choi
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-exynos5260.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos5260.c
++++ b/drivers/clk/samsung/clk-exynos5260.c
+@@ -65,7 +65,7 @@ static const struct samsung_pll_rate_tab
+ PLL_36XX_RATE(480000000, 160, 2, 2, 0),
+ PLL_36XX_RATE(432000000, 144, 2, 2, 0),
+ PLL_36XX_RATE(400000000, 200, 3, 2, 0),
+- PLL_36XX_RATE(394073130, 459, 7, 2, 49282),
++ PLL_36XX_RATE(394073128, 459, 7, 2, 49282),
+ PLL_36XX_RATE(333000000, 111, 2, 2, 0),
+ PLL_36XX_RATE(300000000, 100, 2, 2, 0),
+ PLL_36XX_RATE(266000000, 266, 3, 3, 0),
diff --git a/queue-4.9/clk-samsung-exynos5433-fix-pll-rates.patch b/queue-4.9/clk-samsung-exynos5433-fix-pll-rates.patch
new file mode 100644
index 00000000000..1df91fd8dc0
--- /dev/null
+++ b/queue-4.9/clk-samsung-exynos5433-fix-pll-rates.patch
@@ -0,0 +1,61 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:51 +0100
+Subject: clk: samsung: exynos5433: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit ab0447845cffc0fd752df2ccd6b4e34006000ce4 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Tomasz Figa
+Acked-by: Chanwoo Choi
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-exynos5433.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/clk/samsung/clk-exynos5433.c
++++ b/drivers/clk/samsung/clk-exynos5433.c
+@@ -725,7 +725,7 @@ static const struct samsung_pll_rate_tab
+ PLL_35XX_RATE(800000000U, 400, 6, 1),
+ PLL_35XX_RATE(733000000U, 733, 12, 1),
+ PLL_35XX_RATE(700000000U, 175, 3, 1),
+- PLL_35XX_RATE(667000000U, 222, 4, 1),
++ PLL_35XX_RATE(666000000U, 222, 4, 1),
+ PLL_35XX_RATE(633000000U, 211, 4, 1),
+ PLL_35XX_RATE(600000000U, 500, 5, 2),
+ PLL_35XX_RATE(552000000U, 460, 5, 2),
+@@ -751,12 +751,12 @@ static const struct samsung_pll_rate_tab
+ /* AUD_PLL */
+ static const struct samsung_pll_rate_table exynos5443_aud_pll_rates[] __initconst = {
+ PLL_36XX_RATE(400000000U, 200, 3, 2, 0),
+- PLL_36XX_RATE(393216000U, 197, 3, 2, -25690),
++ PLL_36XX_RATE(393216003U, 197, 3, 2, -25690),
+ PLL_36XX_RATE(384000000U, 128, 2, 2, 0),
+- PLL_36XX_RATE(368640000U, 246, 4, 2, -15729),
+- PLL_36XX_RATE(361507200U, 181, 3, 2, -16148),
+- PLL_36XX_RATE(338688000U, 113, 2, 2, -6816),
+- PLL_36XX_RATE(294912000U, 98, 1, 3, 19923),
++ PLL_36XX_RATE(368639991U, 246, 4, 2, -15729),
++ PLL_36XX_RATE(361507202U, 181, 3, 2, -16148),
++ PLL_36XX_RATE(338687988U, 113, 2, 2, -6816),
++ PLL_36XX_RATE(294912002U, 98, 1, 3, 19923),
+ PLL_36XX_RATE(288000000U, 96, 1, 3, 0),
+ PLL_36XX_RATE(252000000U, 84, 1, 3, 0),
+ { /* sentinel */ }
diff --git a/queue-4.9/clk-samsung-exynos7-fix-pll-rates.patch b/queue-4.9/clk-samsung-exynos7-fix-pll-rates.patch
new file mode 100644
index 00000000000..8dc69e248f5
--- /dev/null
+++ b/queue-4.9/clk-samsung-exynos7-fix-pll-rates.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:52 +0100
+Subject: clk: samsung: exynos7: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit 7e4db0c2836e892766565965207eee051c8037b9 ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Tomasz Figa
+Acked-by: Chanwoo Choi
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-exynos7.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/samsung/clk-exynos7.c
++++ b/drivers/clk/samsung/clk-exynos7.c
+@@ -140,7 +140,7 @@ static const struct samsung_div_clock to
+ };
+
+ static const struct samsung_pll_rate_table pll1460x_24mhz_tbl[] __initconst = {
+- PLL_36XX_RATE(491520000, 20, 1, 0, 31457),
++ PLL_36XX_RATE(491519897, 20, 1, 0, 31457),
+ {},
+ };
+
diff --git a/queue-4.9/clk-samsung-s3c2410-fix-pll-rates.patch b/queue-4.9/clk-samsung-s3c2410-fix-pll-rates.patch
new file mode 100644
index 00000000000..32458d788a1
--- /dev/null
+++ b/queue-4.9/clk-samsung-s3c2410-fix-pll-rates.patch
@@ -0,0 +1,69 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Andrzej Hajda
+Date: Fri, 16 Feb 2018 15:57:53 +0100
+Subject: clk: samsung: s3c2410: Fix PLL rates
+
+From: Andrzej Hajda
+
+[ Upstream commit 179db533c08431f509a3823077549773d519358b ]
+
+Rates declared in PLL rate tables should match exactly rates calculated from
+the PLL coefficients. If that is not the case, rate of the PLL's child clock
+might be set not as expected. For instance, if in the PLL rates table we have
+a 393216000 Hz entry and the real value as returned by the PLL's recalc_rate
+callback is 393216003, after setting PLL's clk rate to 393216000 clk_get_rate
+will return 393216003. If we now attempt to set rate of a PLL's child divider
+clock to 393216000/2 its rate will be 131072001, rather than 196608000.
+That is, the divider will be set to 3 instead of 2, because 393216003/2 is
+greater than 196608000.
+
+To fix this issue declared rates are changed to exactly match rates generated
+by the PLL, as calculated from the P, M, S, K coefficients.
+
+Signed-off-by: Andrzej Hajda
+Acked-by: Tomasz Figa
+Acked-by: Chanwoo Choi
+Signed-off-by: Sylwester Nawrocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/samsung/clk-s3c2410.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/drivers/clk/samsung/clk-s3c2410.c
++++ b/drivers/clk/samsung/clk-s3c2410.c
+@@ -168,7 +168,7 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(226000000, 105, 1, 1),
+ PLL_35XX_RATE(210000000, 132, 2, 1),
+ /* 2410 common */
+- PLL_35XX_RATE(203000000, 161, 3, 1),
++ PLL_35XX_RATE(202800000, 161, 3, 1),
+ PLL_35XX_RATE(192000000, 88, 1, 1),
+ PLL_35XX_RATE(186000000, 85, 1, 1),
+ PLL_35XX_RATE(180000000, 82, 1, 1),
+@@ -178,18 +178,18 @@ static struct samsung_pll_rate_table pll
+ PLL_35XX_RATE(147000000, 90, 2, 1),
+ PLL_35XX_RATE(135000000, 82, 2, 1),
+ PLL_35XX_RATE(124000000, 116, 1, 2),
+- PLL_35XX_RATE(118000000, 150, 2, 2),
++ PLL_35XX_RATE(118500000, 150, 2, 2),
+ PLL_35XX_RATE(113000000, 105, 1, 2),
+- PLL_35XX_RATE(101000000, 127, 2, 2),
++ PLL_35XX_RATE(101250000, 127, 2, 2),
+ PLL_35XX_RATE(90000000, 112, 2, 2),
+- PLL_35XX_RATE(85000000, 105, 2, 2),
++ PLL_35XX_RATE(84750000, 105, 2, 2),
+ PLL_35XX_RATE(79000000, 71, 1, 2),
+- PLL_35XX_RATE(68000000, 82, 2, 2),
+- PLL_35XX_RATE(56000000, 142, 2, 3),
++ PLL_35XX_RATE(67500000, 82, 2, 2),
++ PLL_35XX_RATE(56250000, 142, 2, 3),
+ PLL_35XX_RATE(48000000, 120, 2, 3),
+- PLL_35XX_RATE(51000000, 161, 3, 3),
++ PLL_35XX_RATE(50700000, 161, 3, 3),
+ PLL_35XX_RATE(45000000, 82, 1, 3),
+- PLL_35XX_RATE(34000000, 82, 2, 3),
++ PLL_35XX_RATE(33750000, 82, 2, 3),
+ { /* sentinel */ },
+ };
+
diff --git a/queue-4.9/clk-tegra-fix-pll_u-rate-configuration.patch b/queue-4.9/clk-tegra-fix-pll_u-rate-configuration.patch
new file mode 100644
index 00000000000..2b963bd619f
--- /dev/null
+++ b/queue-4.9/clk-tegra-fix-pll_u-rate-configuration.patch
@@ -0,0 +1,57 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Marcel Ziswiler
+Date: Fri, 23 Feb 2018 00:04:51 +0100
+Subject: clk: tegra: Fix pll_u rate configuration
+
+From: Marcel Ziswiler
+
+[ Upstream commit c35b518f9ba06c9de79fb3ff62eed7462d804995 ]
+
+Turns out latest upstream U-Boot does not configure/enable pll_u which
+leaves it at some default rate of 500 kHz:
+
+root@apalis-t30:~# cat /sys/kernel/debug/clk/clk_summary | grep pll_u
+ pll_u 3 3 0 500000 0
+
+Of course this won't quite work leading to the following messages:
+
+[ 6.559593] usb 2-1: new full-speed USB device number 2 using tegra-
+ehci
+[ 11.759173] usb 2-1: device descriptor read/64, error -110
+[ 27.119453] usb 2-1: device descriptor read/64, error -110
+[ 27.389217] usb 2-1: new full-speed USB device number 3 using tegra-
+ehci
+[ 32.559454] usb 2-1: device descriptor read/64, error -110
+[ 47.929777] usb 2-1: device descriptor read/64, error -110
+[ 48.049658] usb usb2-port1: attempt power cycle
+[ 48.759475] usb 2-1: new full-speed USB device number 4 using tegra-
+ehci
+[ 59.349457] usb 2-1: device not accepting address 4, error -110
+[ 59.509449] usb 2-1: new full-speed USB device number 5 using tegra-
+ehci
+[ 70.069457] usb 2-1: device not accepting address 5, error -110
+[ 70.079721] usb usb2-port1: unable to enumerate USB device
+
+Fix this by actually allowing the rate also being set from within
+the Linux kernel.
+
+Signed-off-by: Marcel Ziswiler
+Tested-by: Jon Hunter
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clk/tegra/clk-pll.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/clk/tegra/clk-pll.c
++++ b/drivers/clk/tegra/clk-pll.c
+@@ -1145,6 +1145,8 @@ static const struct clk_ops tegra_clk_pl
+ .enable = clk_pllu_enable,
+ .disable = clk_pll_disable,
+ .recalc_rate = clk_pll_recalc_rate,
++ .round_rate = clk_pll_round_rate,
++ .set_rate = clk_pll_set_rate,
+ };
+
+ static int _pll_fixed_mdiv(struct tegra_clk_pll_params *pll_params,
diff --git a/queue-4.9/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch b/queue-4.9/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
new file mode 100644
index 00000000000..0ee1bf27f78
--- /dev/null
+++ b/queue-4.9/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Peter Robinson
+Date: Sun, 11 Feb 2018 23:15:37 +0000
+Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
+
+From: Peter Robinson
+
+[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ]
+
+The MODULE_ALIAS is required to enable the sun4i-ss driver to load
+automatically when built at a module. Tested on a Cubietruck.
+
+Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Signed-off-by: Peter Robinson
+Signed-off-by: Herbert Xu
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c
+@@ -422,6 +422,7 @@ static struct platform_driver sun4i_ss_d
+
+ module_platform_driver(sun4i_ss_driver);
+
++MODULE_ALIAS("platform:sun4i-ss");
+ MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator");
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Corentin LABBE ");
diff --git a/queue-4.9/media-cx23885-override-888-impactvcbe-crystal-frequency.patch b/queue-4.9/media-cx23885-override-888-impactvcbe-crystal-frequency.patch
new file mode 100644
index 00000000000..96bda1d7a3a
--- /dev/null
+++ b/queue-4.9/media-cx23885-override-888-impactvcbe-crystal-frequency.patch
@@ -0,0 +1,43 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Brad Love
+Date: Tue, 6 Mar 2018 14:15:37 -0500
+Subject: media: cx23885: Override 888 ImpactVCBe crystal frequency
+
+From: Brad Love
+
+[ Upstream commit 779c79d4b833ec646b0aed878da38edb45bbe156 ]
+
+Hauppauge produced a revision of ImpactVCBe using an 888,
+with a 25MHz crystal, instead of using the default third
+overtone 50Mhz crystal. This overrides that frequency so
+that the cx25840 is properly configured. Without the proper
+crystal setup the cx25840 cannot load the firmware or
+decode video.
+
+Signed-off-by: Brad Love
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/cx23885/cx23885-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-core.c
++++ b/drivers/media/pci/cx23885/cx23885-core.c
+@@ -872,6 +872,16 @@ static int cx23885_dev_setup(struct cx23
+ if (cx23885_boards[dev->board].clk_freq > 0)
+ dev->clk_freq = cx23885_boards[dev->board].clk_freq;
+
++ if (dev->board == CX23885_BOARD_HAUPPAUGE_IMPACTVCBE &&
++ dev->pci->subsystem_device == 0x7137) {
++ /* Hauppauge ImpactVCBe device ID 0x7137 is populated
++ * with an 888, and a 25Mhz crystal, instead of the
++ * usual third overtone 50Mhz. The default clock rate must
++ * be overridden so the cx25840 is properly configured
++ */
++ dev->clk_freq = 25000000;
++ }
++
+ dev->pci_bus = dev->pci->bus->number;
+ dev->pci_slot = PCI_SLOT(dev->pci->devfn);
+ cx23885_irq_add(dev, 0x001f00);
diff --git a/queue-4.9/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch b/queue-4.9/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
new file mode 100644
index 00000000000..98181201fc2
--- /dev/null
+++ b/queue-4.9/media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Brad Love
+Date: Tue, 6 Mar 2018 14:15:36 -0500
+Subject: media: cx23885: Set subdev host data to clk_freq pointer
+
+From: Brad Love
+
+[ Upstream commit 5ceade1d97fc6687e050c44c257382c192f56276 ]
+
+Currently clk_freq is ignored entirely, because the cx235840 driver
+configures the xtal at the chip defaults. This is an issue if a
+board is produced with a non-default frequency crystal. If clk_freq
+is not zero the cx25840 will attempt to use the setting provided,
+or fall back to defaults otherwise.
+
+Signed-off-by: Brad Love
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/cx23885/cx23885-cards.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/media/pci/cx23885/cx23885-cards.c
++++ b/drivers/media/pci/cx23885/cx23885-cards.c
+@@ -2282,6 +2282,10 @@ void cx23885_card_setup(struct cx23885_d
+ &dev->i2c_bus[2].i2c_adap,
+ "cx25840", 0x88 >> 1, NULL);
+ if (dev->sd_cx25840) {
++ /* set host data for clk_freq configuration */
++ v4l2_set_subdev_hostdata(dev->sd_cx25840,
++ &dev->clk_freq);
++
+ dev->sd_cx25840->grp_id = CX23885_HW_AV_CORE;
+ v4l2_subdev_call(dev->sd_cx25840, core, load_fw);
+ }
diff --git a/queue-4.9/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch b/queue-4.9/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
new file mode 100644
index 00000000000..e6ab5dce0f7
--- /dev/null
+++ b/queue-4.9/media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
@@ -0,0 +1,53 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Colin Ian King
+Date: Wed, 31 Jan 2018 12:33:09 -0500
+Subject: media: cx25821: prevent out-of-bounds read on array card
+
+From: Colin Ian King
+
+[ Upstream commit 67300abdbe9f1717532aaf4e037222762716d0f6 ]
+
+Currently an out of range dev->nr is detected by just reporting the
+issue and later on an out-of-bounds read on array card occurs because
+of this. Fix this by checking the upper range of dev->nr with the size
+of array card (removes the hard coded size), move this check earlier
+and also exit with the error -ENOSYS to avoid the later out-of-bounds
+array read.
+
+Detected by CoverityScan, CID#711191 ("Out-of-bounds-read")
+
+Fixes: commit 02b20b0b4cde ("V4L/DVB (12730): Add conexant cx25821 driver")
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Hans Verkuil
+[hans.verkuil@cisco.com: %ld -> %zd]
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/pci/cx25821/cx25821-core.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/pci/cx25821/cx25821-core.c
++++ b/drivers/media/pci/cx25821/cx25821-core.c
+@@ -871,6 +871,10 @@ static int cx25821_dev_setup(struct cx25
+ dev->nr = ++cx25821_devcount;
+ sprintf(dev->name, "cx25821[%d]", dev->nr);
+
++ if (dev->nr >= ARRAY_SIZE(card)) {
++ CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));
++ return -ENODEV;
++ }
+ if (dev->pci->device != 0x8210) {
+ pr_info("%s(): Exiting. Incorrect Hardware device = 0x%02x\n",
+ __func__, dev->pci->device);
+@@ -886,9 +890,6 @@ static int cx25821_dev_setup(struct cx25
+ dev->channels[i].sram_channels = &cx25821_sram_channels[i];
+ }
+
+- if (dev->nr > 1)
+- CX25821_INFO("dev->nr > 1!");
+-
+ /* board config */
+ dev->board = 1; /* card[dev->nr]; */
+ dev->_max_num_decoders = MAX_DECODERS;
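Review bot: The added `CX25821_INFO("dev->nr >= %zd", ARRAY_SIZE(card));` prints a `size_t` with the signed `%zd` conversion; `ARRAY_SIZE()` yields an unsigned value, so the matching form is `CX25821_INFO("dev->nr >= %zu", ARRAY_SIZE(card));`. The description says the function exits with -ENOSYS while the new code returns `-ENODEV`, so one of the two should be corrected. The early return also sits after `dev->nr = ++cx25821_devcount;`, so the counter stays incremented on this path. Whether a caller or a later error path undoes that is not visible here, because cx25821_dev_setup() starts and continues outside the hunk.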
diff --git a/queue-4.9/media-dmxdev-fix-error-code-for-invalid-ioctls.patch b/queue-4.9/media-dmxdev-fix-error-code-for-invalid-ioctls.patch
new file mode 100644
index 00000000000..d3cdc8718de
--- /dev/null
+++ b/queue-4.9/media-dmxdev-fix-error-code-for-invalid-ioctls.patch
@@ -0,0 +1,32 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Mauro Carvalho Chehab
+Date: Sun, 11 Feb 2018 05:44:21 -0500
+Subject: media: dmxdev: fix error code for invalid ioctls
+
+From: Mauro Carvalho Chehab
+
+[ Upstream commit a145f64c6107d3aa5a7cec9f8977d04ac2a896c9 ]
+
+Returning -EINVAL when an ioctl is not implemented is a very
+bad idea, as it is hard to distinguish from other error
+contitions that an ioctl could lead. Replace it by its
+right error code: -ENOTTY.
+
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/dvb-core/dmxdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dmxdev.c
++++ b/drivers/media/dvb-core/dmxdev.c
+@@ -1071,7 +1071,7 @@ static int dvb_demux_do_ioctl(struct fil
+ break;
+
+ default:
+- ret = -EINVAL;
++ ret = -ENOTTY;
+ break;
+ }
+ mutex_unlock(&dmxdev->mutex);
diff --git a/queue-4.9/media-em28xx-usb-bulk-packet-size-fix.patch b/queue-4.9/media-em28xx-usb-bulk-packet-size-fix.patch
new file mode 100644
index 00000000000..bacf1831669
--- /dev/null
+++ b/queue-4.9/media-em28xx-usb-bulk-packet-size-fix.patch
@@ -0,0 +1,46 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Brad Love
+Date: Thu, 4 Jan 2018 19:04:13 -0500
+Subject: media: em28xx: USB bulk packet size fix
+
+From: Brad Love
+
+[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ]
+
+Hauppauge em28xx bulk devices exhibit continuity errors and corrupted
+packets, when run in VMWare virtual machines. Unknown if other
+manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected.
+
+According to documentation the maximum packet multiplier for em28xx in bulk
+transfer mode is 256 * 188 bytes. This changes the size of bulk transfers
+to maximum supported value and have a bonus beneficial alignment.
+
+Before:
+
+After:
+
+This sets up USB to expect just as many bytes as the em28xx is set to emit.
+
+Successful usage under load afterwards natively and in both VMWare
+and KVM/Qemu virtual machines.
+
+Signed-off-by: Brad Love
+Reviewed-by: Michael Ira Krufky
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/usb/em28xx/em28xx.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/em28xx/em28xx.h
++++ b/drivers/media/usb/em28xx/em28xx.h
+@@ -189,7 +189,7 @@
+ USB 2.0 spec says bulk packet size is always 512 bytes
+ */
+ #define EM28XX_BULK_PACKET_MULTIPLIER 384
+-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384
++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94
+
+ #define EM28XX_INTERLACED_DEFAULT 1
+
diff --git a/queue-4.9/media-s3c-camif-fix-out-of-bounds-array-access.patch b/queue-4.9/media-s3c-camif-fix-out-of-bounds-array-access.patch
new file mode 100644
index 00000000000..e0be652e3f4
--- /dev/null
+++ b/queue-4.9/media-s3c-camif-fix-out-of-bounds-array-access.patch
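Review bot: The new `EM28XX_DVB_BULK_PACKET_MULTIPLIER` value 94 is unexplained at the definition, and the neighbouring `EM28XX_BULK_PACKET_MULTIPLIER` keeps 384, so a reader cannot tell why the two now differ. Going by the description and the 512-byte packet size stated in the comment above, 94 * 512 = 48128 = 256 * 188 bytes. A one-line comment such as `/* DVB: 94 * 512 == 256 * 188 bytes, the em28xx maximum in bulk mode */` would record that. The comment block above the defines starts outside the hunk.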
@@ -0,0 +1,63 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Arnd Bergmann
+Date: Tue, 16 Jan 2018 16:52:15 -0500
+Subject: media: s3c-camif: fix out-of-bounds array access
+
+From: Arnd Bergmann
+
+[ Upstream commit a398e043637a4819a0e96467bfecaabf3224dd62 ]
+
+While experimenting with older compiler versions, I ran
+into a warning that no longer shows up on gcc-4.8 or newer:
+
+drivers/media/platform/s3c-camif/camif-capture.c: In function '__camif_subdev_try_format':
+drivers/media/platform/s3c-camif/camif-capture.c:1265:25: error: array subscript is below array bounds
+
+This is an off-by-one bug, leading to an access before the start of the
+array, while newer compilers silently assume this undefined behavior
+cannot happen and leave the loop at index 0 if no other entry matches.
+
+As Sylvester explains, we actually need to ensure that the
+value is within the range, so this reworks the loop to be
+easier to parse correctly, and an additional check to fall
+back on the first format value for any unexpected input.
+
+I found an existing gcc bug for it and added a reduced version
+of the function there.
+
+Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69249#c3
+Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface")
+
+Signed-off-by: Arnd Bergmann
+Reviewed-by: Laurent Pinchart
+Acked-by: Sakari Ailus
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/s3c-camif/camif-capture.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/media/platform/s3c-camif/camif-capture.c
++++ b/drivers/media/platform/s3c-camif/camif-capture.c
+@@ -1256,16 +1256,17 @@ static void __camif_subdev_try_format(st
+ {
+ const struct s3c_camif_variant *variant = camif->variant;
+ const struct vp_pix_limits *pix_lim;
+- int i = ARRAY_SIZE(camif_mbus_formats);
++ unsigned int i;
+
+ /* FIXME: constraints against codec or preview path ? */
+ pix_lim = &variant->vp_pix_limits[VP_CODEC];
+
+- while (i-- >= 0)
++ for (i = 0; i < ARRAY_SIZE(camif_mbus_formats); i++)
+ if (camif_mbus_formats[i] == mf->code)
+ break;
+
+- mf->code = camif_mbus_formats[i];
++ if (i == ARRAY_SIZE(camif_mbus_formats))
++ mf->code = camif_mbus_formats[0];
+
+ if (pad == CAMIF_SD_PAD_SINK) {
+ v4l_bound_align_image(&mf->width, 8, CAMIF_MAX_PIX_WIDTH,
diff --git a/queue-4.9/media-vb2-fix-videobuf2-to-map-correct-area.patch b/queue-4.9/media-vb2-fix-videobuf2-to-map-correct-area.patch
new file mode 100644
index 00000000000..a17f2c5107c
--- /dev/null
+++ b/queue-4.9/media-vb2-fix-videobuf2-to-map-correct-area.patch
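Review bot: The fallback `mf->code = camif_mbus_formats[0];` is the only thing that replaces an unmatched `mf->code` with a supported value, yet nothing in the code says so, and the brace-less `for`/`if`/`break` nest makes the post-loop test on `i` easy to miss. A short comment above `if (i == ARRAY_SIZE(camif_mbus_formats))`, for example `/* unsupported media bus code: fall back to the first format */`, would document the intent. Braces around the loop body would make the nesting clearer as well. The body of __camif_subdev_try_format() continues past the end of the hunk.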
@@ -0,0 +1,40 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Masami Hiramatsu
+Date: Tue, 6 Feb 2018 03:02:23 -0500
+Subject: media: vb2: Fix videobuf2 to map correct area
+
+From: Masami Hiramatsu
+
+[ Upstream commit d13a0139d7874a0577b5955d6eed895517d23b72 ]
+
+Fixes vb2_vmalloc_get_userptr() to ioremap correct area.
+Since the current code does ioremap the page address, if the offset > 0,
+it does not do ioremap the last page and results in kernel panic.
+
+This fixes to pass the size + offset to ioremap so that ioremap
+can map correct area. Also, this uses __pfn_to_phys() to get the physical
+address of given PFN.
+
+Signed-off-by: Masami Hiramatsu
+Reported-by: Takao Orito
+Reported-by: Fumihiro ATSUMI
+Reviewed-by: Marek Szyprowski
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/v4l2-core/videobuf2-vmalloc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/v4l2-core/videobuf2-vmalloc.c
++++ b/drivers/media/v4l2-core/videobuf2-vmalloc.c
+@@ -104,7 +104,7 @@ static void *vb2_vmalloc_get_userptr(str
+ if (nums[i-1] + 1 != nums[i])
+ goto fail_map;
+ buf->vaddr = (__force void *)
+- ioremap_nocache(nums[0] << PAGE_SHIFT, size);
++ ioremap_nocache(__pfn_to_phys(nums[0]), size + offset);
+ } else {
+ buf->vaddr = vm_map_ram(frame_vector_pages(vec), n_pages, -1,
+ PAGE_KERNEL);
diff --git a/queue-4.9/media-vivid-fix-incorrect-capabilities-for-radio.patch b/queue-4.9/media-vivid-fix-incorrect-capabilities-for-radio.patch
new file mode 100644
index 00000000000..170e04bb2fb
--- /dev/null
+++ b/queue-4.9/media-vivid-fix-incorrect-capabilities-for-radio.patch
@@ -0,0 +1,42 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Hans Verkuil
+Date: Thu, 1 Feb 2018 02:36:33 -0500
+Subject: media: vivid: fix incorrect capabilities for radio
+
+From: Hans Verkuil
+
+[ Upstream commit 65243386f41d38460bfd4375d231a7c0346d0401 ]
+
+The vivid driver has two custom controls that change the behavior of RDS.
+Depending on the control setting the V4L2_CAP_READWRITE capability is toggled.
+However, after an earlier commit the capability was no longer set correctly.
+This is now fixed.
+
+Fixes: 9765a32cd8 ("vivid: set device_caps in video_device")
+
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/platform/vivid/vivid-ctrls.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/vivid/vivid-ctrls.c
++++ b/drivers/media/platform/vivid/vivid-ctrls.c
+@@ -1167,6 +1167,7 @@ static int vivid_radio_rx_s_ctrl(struct
+ v4l2_ctrl_activate(dev->radio_rx_rds_ta, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_tp, dev->radio_rx_rds_controls);
+ v4l2_ctrl_activate(dev->radio_rx_rds_ms, dev->radio_rx_rds_controls);
++ dev->radio_rx_dev.device_caps = dev->radio_rx_caps;
+ break;
+ case V4L2_CID_RDS_RECEPTION:
+ dev->radio_rx_rds_enabled = ctrl->val;
+@@ -1241,6 +1242,7 @@ static int vivid_radio_tx_s_ctrl(struct
+ dev->radio_tx_caps &= ~V4L2_CAP_READWRITE;
+ if (!dev->radio_tx_rds_controls)
+ dev->radio_tx_caps |= V4L2_CAP_READWRITE;
++ dev->radio_tx_dev.device_caps = dev->radio_tx_caps;
+ break;
+ case V4L2_CID_RDS_TX_PTY:
+ if (dev->radio_rx_rds_controls)
diff --git a/queue-4.9/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch b/queue-4.9/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch
new file mode 100644
index 00000000000..0cfbfe86743
--- /dev/null
+++ b/queue-4.9/net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch
@@ -0,0 +1,67 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Giuseppe Lippolis +Date: Mon, 26 Mar 2018 16:34:39 +0200 +Subject: net-usb: add qmi_wwan if on lte modem wistron neweb d18q1 + +From: Giuseppe Lippolis + +[ Upstream commit d4c4bc11353f3bea6754f7d21e3612c9f32d1d64 ] + +This modem is embedded on dlink dwr-921 router. + The oem configuration states: + + T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 + D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 + P: Vendor=1435 ProdID=0918 Rev= 2.32 + S: Manufacturer=Android + S: Product=Android + S: SerialNumber=0123456789ABCDEF + C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA + I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option + E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) + E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + E: Ad=84(I) Atr=03(Int.) MxPS= 64 Ivl=32ms + E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan + E: Ad=86(I) Atr=03(Int.) MxPS= 64 Ivl=32ms + E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan + E: Ad=88(I) Atr=03(Int.) MxPS= 64 Ivl=32ms + E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan + E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=32ms + E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + I:* If#= 6 Alt= 0 #EPs= 2 Cls=08(stor.) 
Sub=06 Prot=50 Driver=(none) + E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms + E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=125us + +Tested on openwrt distribution + +Signed-off-by: Giuseppe Lippolis +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -810,6 +810,9 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x0846, 0x68a2, 8)}, + {QMI_FIXED_INTF(0x12d1, 0x140c, 1)}, /* Huawei E173 */ + {QMI_FIXED_INTF(0x12d1, 0x14ac, 1)}, /* Huawei E1820 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 3)}, /* Wistron NeWeb D18Q1 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 4)}, /* Wistron NeWeb D18Q1 */ ++ {QMI_FIXED_INTF(0x1435, 0xd181, 5)}, /* Wistron NeWeb D18Q1 */ + {QMI_FIXED_INTF(0x16d8, 0x6003, 0)}, /* CMOTech 6003 */ + {QMI_FIXED_INTF(0x16d8, 0x6007, 0)}, /* CMOTech CHE-628S */ + {QMI_FIXED_INTF(0x16d8, 0x6008, 0)}, /* CMOTech CMU-301 */ diff --git a/queue-4.9/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch b/queue-4.9/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch new file mode 100644 index 00000000000..76d67a41265 --- /dev/null +++ b/queue-4.9/net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch 
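Review bot: The three added `QMI_FIXED_INTF(0x1435, 0xd181, …)` entries match product ID 0xd181, but the device dump quoted in the description shows `Vendor=1435 ProdID=0918`. Either the dump was taken from a different device or mode than the one being added, or the table carries the wrong ID; this should be confirmed against the hardware, because a wrong ID leaves the intended modem unbound and binds the driver to whatever does report 0xd181. The interface numbers 3, 4 and 5 do agree with the interfaces the dump lists under `Driver=qmi_wwan`.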
@@ -0,0 +1,29 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Torsten Hilbrich +Date: Mon, 26 Mar 2018 07:19:57 +0200 +Subject: net/usb/qmi_wwan.c: Add USB id for lt4120 modem + +From: Torsten Hilbrich + +[ Upstream commit f3d801baf118c9d452ee7c278df16880c892e669 ] + +This is needed to support the modem found in HP EliteBook 820 G3. + +Signed-off-by: Torsten Hilbrich +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -942,6 +942,7 @@ static const struct usb_device_id produc + {QMI_FIXED_INTF(0x413c, 0x81b6, 8)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x413c, 0x81b6, 10)}, /* Dell Wireless 5811e */ + {QMI_FIXED_INTF(0x03f0, 0x4e1d, 8)}, /* HP lt4111 LTE/EV-DO/HSPA+ Gobi 4G Module */ ++ {QMI_FIXED_INTF(0x03f0, 0x9d1d, 1)}, /* HP lt4120 Snapdragon X5 LTE */ + {QMI_FIXED_INTF(0x22de, 0x9061, 3)}, /* WeTelecom WPD-600N */ + {QMI_FIXED_INTF(0x1e0e, 0x9001, 5)}, /* SIMCom 7230E */ + {QMI_QUIRK_SET_DTR(0x2c7c, 0x0125, 4)}, /* Quectel EC25, EC20 R2.0 Mini PCIe */ diff --git a/queue-4.9/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch b/queue-4.9/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch new file mode 100644 index 00000000000..b3054a5e8a3 --- /dev/null +++ b/queue-4.9/rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch 
@@ -0,0 +1,45 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Alexandre Belloni +Date: Thu, 8 Mar 2018 23:27:31 +0100 +Subject: rtc: hctosys: Ensure system time doesn't overflow time_t + +From: Alexandre Belloni + +[ Upstream commit b3a5ac42ab18b7d1a8f2f072ca0ee76a3b754a43 ] + +On 32bit platforms, time_t is still a signed 32bit long. If it is +overflowed, userspace and the kernel cant agree on the current system time. +This causes multiple issues, in particular with systemd: +https://github.com/systemd/systemd/issues/1143 + +A good workaround is to simply avoid using hctosys which is something I +greatly encourage as the time is better set by userspace. + +However, many distribution enable it and use systemd which is rendering the +system unusable in case the RTC holds a date after 2038 (and more so after +2106). Many drivers have workaround for this case and they should be +eliminated so there is only one place left to fix when userspace is able to +cope with dates after the 31bit overflow. + +Acked-by: Arnd Bergmann +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/hctosys.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/rtc/hctosys.c ++++ b/drivers/rtc/hctosys.c +@@ -49,6 +49,11 @@ static int __init rtc_hctosys(void) + + tv64.tv_sec = rtc_tm_to_time64(&tm); + ++#if BITS_PER_LONG == 32 ++ if (tv64.tv_sec > INT_MAX) ++ goto err_read; ++#endif ++ + err = do_settimeofday64(&tv64); + + dev_info(rtc->dev.parent, diff --git a/queue-4.9/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch b/queue-4.9/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch new file mode 100644 index 00000000000..60a897e9d7d --- /dev/null +++ b/queue-4.9/rtc-snvs-fix-usage-of-snvs_rtc_enable.patch 
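Review bot: The new `goto err_read` in the 32-bit branch leaves `err` untouched, so if `err` is still 0 from the preceding RTC read (that code is outside the hunk) rtc_hctosys() reports success without having set the clock. Setting an error first makes the skip visible to callers: `if (tv64.tv_sec > INT_MAX) { err = -ERANGE; goto err_read; }`. The jump presumably also bypasses the `dev_info()` that follows `do_settimeofday64()`, so nothing is logged when an out-of-range RTC date is ignored; a `dev_warn()` on this path would help whoever has to diagnose a wrong system time.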
@@ -0,0 +1,91 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Bryan O'Donoghue +Date: Wed, 28 Mar 2018 20:14:05 +0100 +Subject: rtc: snvs: Fix usage of snvs_rtc_enable + +From: Bryan O'Donoghue + +[ Upstream commit 1485991c024603b2fb4ae77beb7a0d741128a48e ] + +commit 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") introduces +the SNVS RTC driver with a function snvs_rtc_enable(). + +snvs_rtc_enable() can return an error on the enable path however this +driver does not currently trap that failure on the probe() path and +consequently if enabling the RTC fails we encounter a later error spinning +forever in rtc_write_sync_lp(). + +[ 36.093481] [] (__irq_svc) from [] (_raw_spin_unlock_irqrestore+0x34/0x44) +[ 36.102122] [] (_raw_spin_unlock_irqrestore) from [] (regmap_read+0x4c/0x5c) +[ 36.110938] [] (regmap_read) from [] (rtc_write_sync_lp+0x6c/0x98) +[ 36.118881] [] (rtc_write_sync_lp) from [] (snvs_rtc_alarm_irq_enable+0x40/0x4c) +[ 36.128041] [] (snvs_rtc_alarm_irq_enable) from [] (rtc_timer_do_work+0xd8/0x1a8) +[ 36.137291] [] (rtc_timer_do_work) from [] (process_one_work+0x28c/0x76c) +[ 36.145840] [] (process_one_work) from [] (worker_thread+0x34/0x58c) +[ 36.153961] [] (worker_thread) from [] (kthread+0x138/0x150) +[ 36.161388] [] (kthread) from [] (ret_from_fork+0x14/0x20) +[ 36.168635] rcu_sched kthread starved for 2602 jiffies! g496 c495 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=0 +[ 36.178564] rcu_sched R running task 0 8 2 0x00000000 +[ 36.185664] [] (__schedule) from [] (schedule+0x3c/0xa0) +[ 36.192739] [] (schedule) from [] (schedule_timeout+0x78/0x4e0) +[ 36.200422] [] (schedule_timeout) from [] (rcu_gp_kthread+0x648/0x1864) +[ 36.208800] [] (rcu_gp_kthread) from [] (kthread+0x138/0x150) +[ 36.216309] [] (kthread) from [] (ret_from_fork+0x14/0x20) + +This patch fixes by parsing the result of rtc_write_sync_lp() and +propagating both in the probe and elsewhere. 
If the RTC doesn't start we +don't proceed loading the driver and don't get into this loop mess later +on. + +Fixes: 179a502f8c46 ("rtc: snvs: add Freescale rtc-snvs driver") +Signed-off-by: Bryan O'Donoghue +Acked-by: Shawn Guo +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-snvs.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -132,20 +132,23 @@ static int snvs_rtc_set_time(struct devi + { + struct snvs_rtc_data *data = dev_get_drvdata(dev); + unsigned long time; ++ int ret; + + rtc_tm_to_time(tm, &time); + + /* Disable RTC first */ +- snvs_rtc_enable(data, false); ++ ret = snvs_rtc_enable(data, false); ++ if (ret) ++ return ret; + + /* Write 32-bit time to 47-bit timer, leaving 15 LSBs blank */ + regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH); + regmap_write(data->regmap, data->offset + SNVS_LPSRTCMR, time >> (32 - CNTR_TO_SECS_SH)); + + /* Enable RTC again */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); + +- return 0; ++ return ret; + } + + static int snvs_rtc_read_alarm(struct device *dev, struct rtc_wkalrm *alrm) +@@ -287,7 +290,11 @@ static int snvs_rtc_probe(struct platfor + regmap_write(data->regmap, data->offset + SNVS_LPSR, 0xffffffff); + + /* Enable RTC */ +- snvs_rtc_enable(data, true); ++ ret = snvs_rtc_enable(data, true); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to enable rtc %d\n", ret); ++ goto error_rtc_device_register; ++ } + + device_init_wakeup(&pdev->dev, true); + diff --git a/queue-4.9/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch b/queue-4.9/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch new file mode 100644 index 00000000000..c74d31e5afd --- /dev/null +++ b/queue-4.9/rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch 
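Review bot: In snvs_rtc_set_time() the two `regmap_write()` calls between the disable and the re-enable still discard their return values, so a failed counter write followed by a successful `snvs_rtc_enable(data, true)` returns 0 with a stale or half-written time. Capturing the result, e.g. `ret = regmap_write(data->regmap, data->offset + SNVS_LPSRTCLR, time << CNTR_TO_SECS_SH);` and the same for SNVS_LPSRTCMR, while still attempting the final enable so the RTC is not left stopped, would make the return value mean what the commit intends. In snvs_rtc_probe() the new error path jumps to `error_rtc_device_register`, whose cleanup is outside the hunk and should be checked to be valid at that point in probe.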
@@ -0,0 +1,48 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Colin Ian King +Date: Thu, 15 Feb 2018 19:36:14 +0000 +Subject: rtc: tx4939: avoid unintended sign extension on a 24 bit shift + +From: Colin Ian King + +[ Upstream commit 347876ad47b9923ce26e686173bbf46581802ffa ] + +The shifting of buf[5] by 24 bits to the left will be promoted to +a 32 bit signed int and then sign-extended to an unsigned long. If +the top bit of buf[5] is set then all then all the upper bits sec +end up as also being set because of the sign-extension. Fix this by +casting buf[5] to an unsigned long before the shift. + +Detected by CoverityScan, CID#1465292 ("Unintended sign extension") + +Fixes: 0e1492330cd2 ("rtc: add rtc-tx4939 driver") +Signed-off-by: Colin Ian King +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-tx4939.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-tx4939.c ++++ b/drivers/rtc/rtc-tx4939.c +@@ -86,7 +86,8 @@ static int tx4939_rtc_read_time(struct d + for (i = 2; i < 6; i++) + buf[i] = __raw_readl(&rtcreg->dat); + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, tm); + return rtc_valid_tm(tm); + } +@@ -147,7 +148,8 @@ static int tx4939_rtc_read_alarm(struct + alrm->enabled = (ctl & TX4939_RTCCTL_ALME) ? 1 : 0; + alrm->pending = (ctl & TX4939_RTCCTL_ALMD) ? 1 : 0; + spin_unlock_irq(&pdata->lock); +- sec = (buf[5] << 24) | (buf[4] << 16) | (buf[3] << 8) | buf[2]; ++ sec = ((unsigned long)buf[5] << 24) | (buf[4] << 16) | ++ (buf[3] << 8) | buf[2]; + rtc_time_to_tm(sec, &alrm->time); + return rtc_valid_tm(&alrm->time); + } 
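Review bot: The widened byte-assembly expression is now duplicated verbatim in tx4939_rtc_read_time() and tx4939_rtc_read_alarm(); a small static helper would keep the cast in one place so the two copies cannot drift apart again. Only `buf[5]` is cast, which is sufficient if `buf` holds 8-bit values (its declaration is outside the hunk), but the asymmetry is not explained in the code. A one-line comment such as `/* cast before << 24: int promotion would sign-extend into the upper bits of sec */` would record why.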
diff --git a/queue-4.9/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch b/queue-4.9/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch new file mode 100644 index 00000000000..8e72510587c --- /dev/null +++ b/queue-4.9/scsi-aacraid-fix-shutdown-crash-when-init-fails.patch 
@@ -0,0 +1,70 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Meelis Roos +Date: Fri, 9 Feb 2018 08:57:44 +0200 +Subject: scsi: aacraid: fix shutdown crash when init fails + +From: Meelis Roos + +[ Upstream commit 00c20cdc79259c6c5bf978b21af96c2d3edb646d ] + +When aacraid init fails with "AAC0: adapter self-test failed.", shutdown +leads to UBSAN warning and then oops: + +[154316.118423] ================================================================================ +[154316.118508] UBSAN: Undefined behaviour in drivers/scsi/scsi_lib.c:2328:27 +[154316.118566] member access within null pointer of type 'struct Scsi_Host' +[154316.118631] CPU: 2 PID: 14530 Comm: reboot Tainted: G W 4.15.0-dirty #89 +[154316.118701] Hardware name: Hewlett Packard HP NetServer/HP System Board, BIOS 4.06.46 PW 06/25/2003 +[154316.118774] Call Trace: +[154316.118848] dump_stack+0x48/0x65 +[154316.118916] ubsan_epilogue+0xe/0x40 +[154316.118976] __ubsan_handle_type_mismatch+0xfb/0x180 +[154316.119043] scsi_block_requests+0x20/0x30 +[154316.119135] aac_shutdown+0x18/0x40 [aacraid] +[154316.119196] pci_device_shutdown+0x33/0x50 +[154316.119269] device_shutdown+0x18a/0x390 +[...] +[154316.123435] BUG: unable to handle kernel NULL pointer dereference at 000000f4 +[154316.123515] IP: scsi_block_requests+0xa/0x30 + +This is because aac_shutdown() does + + struct Scsi_Host *shost = pci_get_drvdata(dev); + scsi_block_requests(shost); + +and that assumes shost has been assigned with pci_set_drvdata(). + +However, pci_set_drvdata(pdev, shost) is done in aac_probe_one() far +after bailing out with error from calling the init function +((*aac_drivers[index].init)(aac)), and when the init function fails, no +error is returned from aac_probe_one() so PCI layer assumes there is +driver attached, and tries to shut it down later. + +Fix it by returning error from aac_probe_one() when card-specific init +function fails. + +This fixes reboot on my HP NetRAID-4M with dead battery. 
+ +Signed-off-by: Meelis Roos +Reviewed-by: Dave Carroll +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aacraid/linit.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1203,8 +1203,10 @@ static int aac_probe_one(struct pci_dev + * Map in the registers from the adapter. + */ + aac->base_size = AAC_MIN_FOOTPRINT_SIZE; +- if ((*aac_drivers[index].init)(aac)) ++ if ((*aac_drivers[index].init)(aac)) { ++ error = -ENODEV; + goto out_unmap; ++ } + + if (aac->sync_mode) { + if (aac_sync_mode) diff --git a/queue-4.9/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch b/queue-4.9/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch new file mode 100644 index 00000000000..fab2820c30d --- /dev/null +++ b/queue-4.9/scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch 
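Review bot: Only this one `goto out_unmap` gains an explicit `error = -ENODEV`; any other early exit in aac_probe_one() that reaches the cleanup labels with `error` still 0 would leave the PCI core believing a driver is bound, with the same NULL drvdata at shutdown. aac_probe_one() extends well beyond the hunk, so the remaining `goto` sites should be audited for the same pattern. As quoted in the description, aac_shutdown() passes the result of `pci_get_drvdata(dev)` straight to `scsi_block_requests()`; a guard there, `if (!shost) return;`, would keep shutdown safe regardless of how probe exited.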
@@ -0,0 +1,89 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Dave Carroll +Date: Tue, 3 Apr 2018 15:50:42 -0600 +Subject: scsi: aacraid: Insure command thread is not recursively stopped + +From: Dave Carroll + +[ Upstream commit 1c6b41fb92936fa5facea464d5d7cbf855966d04 ] + +If a recursive IOP_RESET is invoked, usually due to the eh_thread +handling errors after the first reset, be sure we flag that the command +thread has been stopped to avoid an Oops of the form; + + [ 336.620256] CPU: 28 PID: 1193 Comm: scsi_eh_0 Kdump: loaded Not tainted 4.14.0-49.el7a.ppc64le #1 + [ 336.620297] task: c000003fd630b800 task.stack: c000003fd61a4000 + [ 336.620326] NIP: c000000000176794 LR: c00000000013038c CTR: c00000000024bc10 + [ 336.620361] REGS: c000003fd61a7720 TRAP: 0300 Not tainted (4.14.0-49.el7a.ppc64le) + [ 336.620395] MSR: 9000000000009033 CR: 22084022 XER: 20040000 + [ 336.620435] CFAR: c000000000130388 DAR: 0000000000000000 DSISR: 40000000 SOFTE: 1 + [ 336.620435] GPR00: c00000000013038c c000003fd61a79a0 c0000000014c7e00 0000000000000000 + [ 336.620435] GPR04: 000000000000000c 000000000000000c 9000000000009033 0000000000000477 + [ 336.620435] GPR08: 0000000000000477 0000000000000000 0000000000000000 c008000010f7d940 + [ 336.620435] GPR12: c00000000024bc10 c000000007a33400 c0000000001708a8 c000003fe3b881d8 + [ 336.620435] GPR16: c000003fe3b88060 c000003fd61a7d10 fffffffffffff000 000000000000001e + [ 336.620435] GPR20: 0000000000000001 c000000000ebf1a0 0000000000000001 c000003fe3b88000 + [ 336.620435] GPR24: 0000000000000003 0000000000000002 c000003fe3b88840 c000003fe3b887e8 + [ 336.620435] GPR28: c000003fe3b88000 c000003fc8181788 0000000000000000 c000003fc8181700 + [ 336.620750] NIP [c000000000176794] exit_creds+0x34/0x160 + [ 336.620775] LR [c00000000013038c] __put_task_struct+0x8c/0x1f0 + [ 336.620804] Call Trace: + [ 336.620817] [c000003fd61a79a0] [c000003fe3b88000] 0xc000003fe3b88000 (unreliable) + [ 336.620853] [c000003fd61a79d0] [c00000000013038c] 
__put_task_struct+0x8c/0x1f0 + [ 336.620889] [c000003fd61a7a00] [c000000000171418] kthread_stop+0x1e8/0x1f0 + [ 336.620922] [c000003fd61a7a40] [c008000010f7448c] aac_reset_adapter+0x14c/0x8d0 [aacraid] + [ 336.620959] [c000003fd61a7b00] [c008000010f60174] aac_eh_host_reset+0x84/0x100 [aacraid] + [ 336.621010] [c000003fd61a7b30] [c000000000864f24] scsi_try_host_reset+0x74/0x180 + [ 336.621046] [c000003fd61a7bb0] [c000000000867ac0] scsi_eh_ready_devs+0xc00/0x14d0 + [ 336.625165] [c000003fd61a7ca0] [c0000000008699e0] scsi_error_handler+0x550/0x730 + [ 336.632101] [c000003fd61a7dc0] [c000000000170a08] kthread+0x168/0x1b0 + [ 336.639031] [c000003fd61a7e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4 + [ 336.645971] Instruction dump: + [ 336.648743] 384216a0 7c0802a6 fbe1fff8 f8010010 f821ffd1 7c7f1b78 60000000 60000000 + [ 336.657056] 39400000 e87f0838 f95f0838 7c0004ac <7d401828> 314affff 7d40192d 40c2fff4 + [ 336.663997] -[ end trace 4640cf8d4945ad95 ]- + +So flag when the thread is stopped by setting the thread pointer to NULL. + +Signed-off-by: Dave Carroll +Reviewed-by: Raghava Aditya Renukunta +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/aacraid/commsup.c | 4 +++- + drivers/scsi/aacraid/linit.c | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1374,9 +1374,10 @@ static int _aac_reset_adapter(struct aac + host = aac->scsi_host_ptr; + scsi_block_requests(host); + aac_adapter_disable_int(aac); +- if (aac->thread->pid != current->pid) { ++ if (aac->thread && aac->thread->pid != current->pid) { + spin_unlock_irq(host->host_lock); + kthread_stop(aac->thread); ++ aac->thread = NULL; + jafo = 1; + } + +@@ -1445,6 +1446,7 @@ static int _aac_reset_adapter(struct aac + aac->name); + if (IS_ERR(aac->thread)) { + retval = PTR_ERR(aac->thread); ++ aac->thread = NULL; + goto out; + } + } +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -1083,6 +1083,7 @@ static void __aac_shutdown(struct aac_de + up(&fib->event_wait); + } + kthread_stop(aac->thread); ++ aac->thread = NULL; + } + aac_adapter_disable_int(aac); + cpu = cpumask_first(cpu_online_mask); diff --git a/queue-4.9/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch b/queue-4.9/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch new file mode 100644 index 00000000000..b20379c2fdc --- /dev/null +++ b/queue-4.9/scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch 
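Review bot: `aac->thread` now doubles as the "command thread stopped" flag, but the stores that clear it are not visibly serialized. In _aac_reset_adapter() `aac->thread = NULL` runs after `spin_unlock_irq(host->host_lock)` and `kthread_stop()`, and __aac_shutdown() clears it after its own `kthread_stop()`. If a reset can overlap a shutdown or another reset, both could pass the non-NULL test and stop the same task; whether an outer lock rules that out is not visible in these hunks. At minimum the invariant should be written down where the field is declared, e.g. `/* NULL while the command thread is stopped; see _aac_reset_adapter() and __aac_shutdown() */`, and the guard around the `kthread_stop()` in __aac_shutdown() (outside the hunk) should be confirmed to test for NULL.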
@@ -0,0 +1,40 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Chad Dupuis +Date: Wed, 24 Jan 2018 08:07:06 -0800 +Subject: scsi: bnx2fc: Fix check in SCSI completion handler for timed out request + +From: Chad Dupuis + +[ Upstream commit ecf7ff49945f5741fa1da112f994939f942031d3 ] + +When a request times out we set the io_req flag BNX2FC_FLAG_IO_COMPL so +that if a subsequent completion comes in on that task ID we will ignore +it. The issue is that in the check for this flag there is a missing +return so we will continue to process a request which may have already +been returned to the ownership of the SCSI layer. This can cause +unpredictable results. + +Solution is to add in the missing return. + +[mkp: typo plus title shortening] + +Signed-off-by: Chad Dupuis +Reviewed-by: Laurence Oberman +Tested-by: Laurence Oberman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2fc/bnx2fc_io.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/bnx2fc/bnx2fc_io.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_io.c +@@ -1869,6 +1869,7 @@ void bnx2fc_process_scsi_cmd_compl(struc + /* we will not receive ABTS response for this IO */ + BNX2FC_IO_DBG(io_req, "Timer context finished processing " + "this scsi cmd\n"); ++ return; + } + + /* Cancel the timeout_work, as we received IO completion */ diff --git a/queue-4.9/scsi-fas216-fix-sense-buffer-initialization.patch b/queue-4.9/scsi-fas216-fix-sense-buffer-initialization.patch new file mode 100644 index 00000000000..51c1e2a8df7 --- /dev/null +++ b/queue-4.9/scsi-fas216-fix-sense-buffer-initialization.patch 
@@ -0,0 +1,41 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Arnd Bergmann +Date: Thu, 18 Jan 2018 14:16:38 +0100 +Subject: scsi: fas216: fix sense buffer initialization + +From: Arnd Bergmann + +[ Upstream commit 96d5eaa9bb74d299508d811d865c2c41b38b0301 ] + +While testing with the ARM specific memset() macro removed, I ran into a +compiler warning that shows an old bug: + +drivers/scsi/arm/fas216.c: In function 'fas216_rq_sns_done': +drivers/scsi/arm/fas216.c:2014:40: error: argument to 'sizeof' in 'memset' call is the same expression as the destination; did you mean to provide an explicit length? [-Werror=sizeof-pointer-memaccess] + +It turns out that the definition of the scsi_cmd structure changed back +in linux-2.6.25, so now we clear only four bytes (sizeof(pointer)) +instead of 96 (SCSI_SENSE_BUFFERSIZE). I did not check whether we +actually need to initialize the buffer here, but it's clear that if we +do it, we should use the correct size. + +Fixes: de25deb18016 ("[SCSI] use dynamically allocated sense buffer") +Signed-off-by: Arnd Bergmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/arm/fas216.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/arm/fas216.c ++++ b/drivers/scsi/arm/fas216.c +@@ -2011,7 +2011,7 @@ static void fas216_rq_sns_done(FAS216_In + * have valid data in the sense buffer that could + * confuse the higher levels. + */ +- memset(SCpnt->sense_buffer, 0, sizeof(SCpnt->sense_buffer)); ++ memset(SCpnt->sense_buffer, 0, SCSI_SENSE_BUFFERSIZE); + //printk("scsi%d.%c: sense buffer: ", info->host->host_no, '0' + SCpnt->device->id); + //{ int i; for (i = 0; i < 32; i++) printk("%02x ", SCpnt->sense_buffer[i]); printk("\n"); } + /* diff --git a/queue-4.9/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch b/queue-4.9/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch new file mode 100644 index 00000000000..d05cf14e714 --- /dev/null 
+++ b/queue-4.9/scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch @@ -0,0 +1,41 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:45 -0800 +Subject: scsi: lpfc: Fix frequency of Release WQE CQEs + +From: James Smart + +[ Upstream commit 04673e38f56b30cd39b1fa0f386137d818b17781 ] + +The driver controls when the hardware sends completions that communicate +consumption of elements from the WQ. This is done by setting a WQEC bit +on a WQE. + +The current driver sets it on every Nth WQE posting. However, the driver +isn't clearing the bit if the WQE is reused. Thus, if the queue depth +isn't evenly divisible by N, with enough time, it can be set on every +element, creating a lot of overhead and risking CQ full conditions. + +Correct by clearing the bit when not setting it on an Nth element. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_sli.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -116,6 +116,8 @@ lpfc_sli4_wq_put(struct lpfc_queue *q, u + /* set consumption flag every once in a while */ + if (!((q->host_index + 1) % q->entry_repost)) + bf_set(wqe_wqec, &wqe->generic.wqe_com, 1); ++ else ++ bf_set(wqe_wqec, &wqe->generic.wqe_com, 0); + if (q->phba->sli3_options & LPFC_SLI4_PHWQ_ENABLED) + bf_set(wqe_wqid, &wqe->generic.wqe_com, q->queue_id); + lpfc_sli_pcimem_bcopy(wqe, temp_wqe, q->entry_size); diff --git a/queue-4.9/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch b/queue-4.9/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch new file mode 100644 index 00000000000..11e3c83f32d --- /dev/null +++ b/queue-4.9/scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch 
@@ -0,0 +1,37 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:55 -0800 +Subject: scsi: lpfc: Fix issue_lip if link is disabled + +From: James Smart + +[ Upstream commit 2289e9598dde9705400559ca2606fb8c145c34f0 ] + +The driver ignored checks on whether the link should be kept +administratively down after a link bounce. Correct the checks. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_attr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_attr.c ++++ b/drivers/scsi/lpfc/lpfc_attr.c +@@ -635,7 +635,12 @@ lpfc_issue_lip(struct Scsi_Host *shost) + LPFC_MBOXQ_t *pmboxq; + int mbxstatus = MBXERR_ERROR; + ++ /* ++ * If the link is offline, disabled or BLOCK_MGMT_IO ++ * it doesn't make any sense to allow issue_lip ++ */ + if ((vport->fc_flag & FC_OFFLINE_MODE) || ++ (phba->hba_flag & LINK_DISABLED) || + (phba->sli.sli_flag & LPFC_BLOCK_MGMT_IO)) + return -EPERM; + diff --git a/queue-4.9/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch b/queue-4.9/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch new file mode 100644 index 00000000000..5b57b630620 --- /dev/null +++ b/queue-4.9/scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch 
@@ -0,0 +1,50 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: James Smart +Date: Tue, 30 Jan 2018 15:58:54 -0800 +Subject: scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing + +From: James Smart + +[ Upstream commit 161df4f09987ae2e9f0f97f0b38eee298b4a39ff ] + +During link bounce testing in a point-to-point topology, the host may +enter a soft lockup on the lpfc_worker thread: + + Call Trace: + lpfc_work_done+0x1f3/0x1390 [lpfc] + lpfc_do_work+0x16f/0x180 [lpfc] + kthread+0xc7/0xe0 + ret_from_fork+0x3f/0x70 + +The driver was simultaneously setting a combination of flags that caused +lpfc_do_work()to effectively spin between slow path work and new event +data, causing the lockup. + +Ensure in the typical wq completions, that new event data flags are set +if the slow path flag is running. The slow path will eventually +reschedule the wq handling. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/lpfc/lpfc_hbadisc.c ++++ b/drivers/scsi/lpfc/lpfc_hbadisc.c +@@ -690,8 +690,9 @@ lpfc_work_done(struct lpfc_hba *phba) + (phba->hba_flag & HBA_SP_QUEUE_EVT)) { + if (pring->flag & LPFC_STOP_IOCB_EVENT) { + pring->flag |= LPFC_DEFERRED_RING_EVENT; +- /* Set the lpfc data pending flag */ +- set_bit(LPFC_DATA_READY, &phba->data_flags); ++ /* Preserve legacy behavior. */ ++ if (!(phba->hba_flag & HBA_SP_QUEUE_EVT)) ++ set_bit(LPFC_DATA_READY, &phba->data_flags); + } else { + if (phba->link_state >= LPFC_LINK_UP) { + pring->flag &= ~LPFC_DEFERRED_RING_EVENT; diff --git a/queue-4.9/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch b/queue-4.9/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch new file mode 100644 index 00000000000..d873132c6b6 --- /dev/null 
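Review bot: The replacement comment `/* Preserve legacy behavior. */` does not say what the new `!(phba->hba_flag & HBA_SP_QUEUE_EVT)` condition protects against, and the description's wording ("flags are set if the slow path flag is running") reads the opposite way to the negation in the code. As far as the two can be reconciled, LPFC_DATA_READY is withheld while a slow-path event is queued so that lpfc_do_work() does not spin. A comment along the lines of `/* Do not re-arm LPFC_DATA_READY while HBA_SP_QUEUE_EVT is pending: the worker would spin (soft lockup); the slow path reschedules it. */` would carry that reasoning into the source. lpfc_work_done() starts and ends outside the hunk.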
+++ b/queue-4.9/scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch @@ -0,0 +1,36 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Hannes Reinecke +Date: Mon, 26 Feb 2018 15:26:01 +0100 +Subject: scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM + +From: Hannes Reinecke + +[ Upstream commit 864449eea7c600596e305ffdc4a6a846414b222c ] + +The firmware event workqueue should not be marked as WQ_MEM_RECLAIM +as it's doesn't need to make forward progress under memory pressure. +In the current state it will result in a deadlock if the device had been +forcefully removed. + +Cc: Sreekanth Reddy +Cc: Suganath Prabu Subramani +Acked-by: Sreekanth Reddy +Signed-off-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -8853,7 +8853,7 @@ _scsih_probe(struct pci_dev *pdev, const + snprintf(ioc->firmware_event_name, sizeof(ioc->firmware_event_name), + "fw_event_%s%d", ioc->driver_name, ioc->id); + ioc->firmware_event_thread = alloc_ordered_workqueue( +- ioc->firmware_event_name, WQ_MEM_RECLAIM); ++ ioc->firmware_event_name, 0); + if (!ioc->firmware_event_thread) { + pr_err(MPT3SAS_FMT "failure at %s:%d/%s()!\n", + ioc->name, __FILE__, __LINE__, __func__); diff --git a/queue-4.9/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch b/queue-4.9/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch new file mode 100644 index 00000000000..435afb739c1 --- /dev/null +++ b/queue-4.9/scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch 
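Review bot: `ioc->firmware_event_name` is passed as the format argument of `alloc_ordered_workqueue()`, so any `%` in the assembled name would be interpreted a second time. The name is built one line earlier from `ioc->driver_name` and `ioc->id`, which are presumably driver-controlled, so the practical risk is low. Since the flags argument is being changed anyway, the call could become `alloc_ordered_workqueue("%s", 0, ioc->firmware_event_name);` to keep a non-literal out of the format position. _scsih_probe() starts and ends outside the hunk.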
@@ -0,0 +1,36 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Dan Carpenter +Date: Thu, 25 Jan 2018 17:27:27 +0300 +Subject: scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo() + +From: Dan Carpenter + +[ Upstream commit a7043e9529f3c367cc4d82997e00be034cbe57ca ] + +My static checker complains about an out of bounds read: + + drivers/message/fusion/mptctl.c:2786 mptctl_hp_targetinfo() + error: buffer overflow 'hd->sel_timeout' 255 <= u32max. + +It's true that we probably should have a bounds check here. + +Signed-off-by: Dan Carpenter +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/message/fusion/mptctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/message/fusion/mptctl.c ++++ b/drivers/message/fusion/mptctl.c +@@ -2698,6 +2698,8 @@ mptctl_hp_targetinfo(unsigned long arg) + __FILE__, __LINE__, iocnum); + return -ENODEV; + } ++ if (karg.hdr.id >= MPT_MAX_FC_DEVICES) ++ return -EINVAL; + dctlprintk(ioc, printk(MYIOC_s_DEBUG_FMT "mptctl_hp_targetinfo called.\n", + ioc->name)); + diff --git a/queue-4.9/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch b/queue-4.9/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch new file mode 100644 index 00000000000..40e60b2a013 --- /dev/null +++ b/queue-4.9/scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch 
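Review bot: The new `karg.hdr.id >= MPT_MAX_FC_DEVICES` test is tied to the size of `hd->sel_timeout` only by convention, and per the checker report the indexed read is at line 2786 while the check lands at 2698. A short comment on the check, e.g. `/* id indexes hd->sel_timeout[] below */`, keeps the two from drifting apart if the array is ever resized. Assuming `karg` is filled from the ioctl caller (the copy is outside the hunk), clamping the index at the point of use with `array_index_nospec()`, where the tree provides it, would also cover a speculative out-of-bounds read. mptctl_hp_targetinfo() starts and ends outside the hunk, so anything acquired before this early return should be checked for release.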
@@ -0,0 +1,88 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Wilfried Weissmann +Date: Fri, 23 Feb 2018 20:52:34 +0100 +Subject: scsi: mvsas: fix wrong endianness of sgpio api + +From: Wilfried Weissmann + +[ Upstream commit e75fba9c0668b3767f608ea07485f48d33c270cf ] + +This patch fixes the byte order of the SGPIO api and brings it back in +sync with ledmon v0.80 and above. + +[mkp: added missing SoB and fixed whitespace] + +Signed-off-by: Wilfried Weissmann +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mvsas/mv_94xx.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/mvsas/mv_94xx.c ++++ b/drivers/scsi/mvsas/mv_94xx.c +@@ -1080,16 +1080,16 @@ static int mvs_94xx_gpio_write(struct mv + void __iomem *regs = mvi->regs_ex - 0x10200; + + int drive = (i/3) & (4-1); /* drive number on host */ +- u32 block = mr32(MVS_SGPIO_DCTRL + ++ int driveshift = drive * 8; /* bit offset of drive */ ++ u32 block = ioread32be(regs + MVS_SGPIO_DCTRL + + MVS_SGPIO_HOST_OFFSET * mvi->id); + +- + /* + * if bit is set then create a mask with the first + * bit of the drive set in the mask ... + */ +- u32 bit = (write_data[i/8] & (1 << (i&(8-1)))) ? +- 1<<(24-drive*8) : 0; ++ u32 bit = get_unaligned_be32(write_data) & (1 << i) ? ++ 1 << driveshift : 0; + + /* + * ... 
and then shift it to the right position based +@@ -1098,26 +1098,27 @@ static int mvs_94xx_gpio_write(struct mv + switch (i%3) { + case 0: /* activity */ + block &= ~((0x7 << MVS_SGPIO_DCTRL_ACT_SHIFT) +- << (24-drive*8)); ++ << driveshift); + /* hardwire activity bit to SOF */ + block |= LED_BLINKA_SOF << ( + MVS_SGPIO_DCTRL_ACT_SHIFT + +- (24-drive*8)); ++ driveshift); + break; + case 1: /* id */ + block &= ~((0x3 << MVS_SGPIO_DCTRL_LOC_SHIFT) +- << (24-drive*8)); ++ << driveshift); + block |= bit << MVS_SGPIO_DCTRL_LOC_SHIFT; + break; + case 2: /* fail */ + block &= ~((0x7 << MVS_SGPIO_DCTRL_ERR_SHIFT) +- << (24-drive*8)); ++ << driveshift); + block |= bit << MVS_SGPIO_DCTRL_ERR_SHIFT; + break; + } + +- mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id, +- block); ++ iowrite32be(block, ++ regs + MVS_SGPIO_DCTRL + ++ MVS_SGPIO_HOST_OFFSET * mvi->id); + + } + +@@ -1132,7 +1133,7 @@ static int mvs_94xx_gpio_write(struct mv + void __iomem *regs = mvi->regs_ex - 0x10200; + + mw32(MVS_SGPIO_DCTRL + MVS_SGPIO_HOST_OFFSET * mvi->id, +- be32_to_cpu(((u32 *) write_data)[i])); ++ ((u32 *) write_data)[i]); + } + return reg_count; + } diff --git a/queue-4.9/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch b/queue-4.9/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch new file mode 100644 index 00000000000..f43ac9d0b25 --- /dev/null +++ b/queue-4.9/scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch 
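Review bot: The last hunk of mv_94xx.c still reads the buffer with `((u32 *) write_data)[i]`, while the first hunk moves the same buffer to `get_unaligned_be32(write_data)`. If `write_data` is a byte pointer (its declaration is outside the hunks), the cast can perform a misaligned 32-bit load, and with `be32_to_cpu()` removed the value handed to `mw32()` now depends on host byte order. An unaligned accessor with an explicit byte order would keep the two paths consistent, e.g. `get_unaligned_le32(write_data + 4 * i)` if little-endian is what the register expects; that choice needs confirming against the SGPIO register layout.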
@@ -0,0 +1,78 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Bart Van Assche
+Date: Thu, 25 Jan 2018 08:24:29 -0800
+Subject: scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
+
+From: Bart Van Assche
+
+[ Upstream commit c02189e12ce3bf3808cb880569d3b10249f50bd9 ]
+
+A left shift must shift less than the bit width of the left argument.
+Avoid triggering undefined behavior if ha->mbx_count == 32.
+
+This patch avoids that UBSAN reports the following complaint:
+
+UBSAN: Undefined behaviour in drivers/scsi/qla2xxx/qla_isr.c:275:14
+shift exponent 32 is too large for 32-bit type 'int'
+Call Trace:
+ dump_stack+0x4e/0x6c
+ ubsan_epilogue+0xd/0x3b
+ __ubsan_handle_shift_out_of_bounds+0x112/0x14c
+ qla2x00_mbx_completion+0x1c5/0x25d [qla2xxx]
+ qla2300_intr_handler+0x1ea/0x3bb [qla2xxx]
+ qla2x00_mailbox_command+0x77b/0x139a [qla2xxx]
+ qla2x00_mbx_reg_test+0x83/0x114 [qla2xxx]
+ qla2x00_chip_diag+0x354/0x45f [qla2xxx]
+ qla2x00_initialize_adapter+0x2c2/0xa4e [qla2xxx]
+ qla2x00_probe_one+0x1681/0x392e [qla2xxx]
+ pci_device_probe+0x10b/0x1f1
+ driver_probe_device+0x21f/0x3a4
+ __driver_attach+0xa9/0xe1
+ bus_for_each_dev+0x6e/0xb5
+ driver_attach+0x22/0x3c
+ bus_add_driver+0x1d1/0x2ae
+ driver_register+0x78/0x130
+ __pci_register_driver+0x75/0xa8
+ qla2x00_module_init+0x21b/0x267 [qla2xxx]
+ do_one_initcall+0x5a/0x1e2
+ do_init_module+0x9d/0x285
+ load_module+0x20db/0x38e3
+ SYSC_finit_module+0xa8/0xbc
+ SyS_finit_module+0x9/0xb
+ do_syscall_64+0x77/0x271
+ entry_SYSCALL64_slow_path+0x25/0x25
+
+Reported-by: Meelis Roos
+Signed-off-by: Bart Van Assche
+Cc: Himanshu Madhani
+Reviewed-by: Laurence Oberman
+Acked-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla2xxx/qla_isr.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_isr.c
++++ b/drivers/scsi/qla2xxx/qla_isr.c
+@@ -272,7 +272,8 @@ qla2x00_mbx_completion(scsi_qla_host_t *
+ struct device_reg_2xxx __iomem *reg = &ha->iobase->isp;
+
+ /* Read all mbox registers? */
+- mboxes = (1 << ha->mbx_count) - 1;
++ WARN_ON_ONCE(ha->mbx_count > 32);
++ mboxes = (1ULL << ha->mbx_count) - 1;
+ if (!ha->mcp)
+ ql_dbg(ql_dbg_async, vha, 0x5001, "MBX pointer ERROR.\n");
+ else
+@@ -2516,7 +2517,8 @@ qla24xx_mbx_completion(scsi_qla_host_t *
+ struct device_reg_24xx __iomem *reg = &ha->iobase->isp24;
+
+ /* Read all mbox registers? */
+- mboxes = (1 << ha->mbx_count) - 1;
++ WARN_ON_ONCE(ha->mbx_count > 32);
++ mboxes = (1ULL << ha->mbx_count) - 1;
+ if (!ha->mcp)
+ ql_dbg(ql_dbg_async, vha, 0x504e, "MBX pointer ERROR.\n");
+ else
diff --git a/queue-4.9/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch b/queue-4.9/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch
new file mode 100644
index 00000000000..840ba53fcbc
--- /dev/null
+++ b/queue-4.9/scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch
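Review bot: `WARN_ON_ONCE(ha->mbx_count > 32)` only reports a bad count; the following `1ULL << ha->mbx_count` still executes, so a count of 64 or more remains undefined behaviour and nothing bounds the resulting mask. The same two lines are added in qla24xx_mbx_completion(). Bounding the value before the shift would close this, e.g. `mboxes = ha->mbx_count >= 32 ? ~0U : (1U << ha->mbx_count) - 1;`, assuming `mboxes` is a 32-bit variable (its declaration is outside the hunks). Both function bodies continue beyond the hunks.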
@@ -0,0 +1,138 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Manish Rangankar
+Date: Sun, 11 Feb 2018 22:48:41 -0800
+Subject: scsi: qla4xxx: skip error recovery in case of register disconnect.
+
+From: Manish Rangankar
+
+[ Upstream commit 1bc5ad3a6acdcf56f83272f2de1cd2389ea9e9e2 ]
+
+A system crashes when continuously removing/re-adding the storage
+controller.
+
+Signed-off-by: Manish Rangankar
+Reviewed-by: Ewan D. Milne
+Reviewed-by: Tomas Henzl
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/qla4xxx/ql4_def.h | 2 +
+ drivers/scsi/qla4xxx/ql4_os.c | 46 +++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 48 insertions(+)
+
+--- a/drivers/scsi/qla4xxx/ql4_def.h
++++ b/drivers/scsi/qla4xxx/ql4_def.h
+@@ -168,6 +168,8 @@
+ #define DEV_DB_NON_PERSISTENT 0
+ #define DEV_DB_PERSISTENT 1
+
++#define QL4_ISP_REG_DISCONNECT 0xffffffffU
++
+ #define COPY_ISID(dst_isid, src_isid) { \
+ int i, j; \
+ for (i = 0, j = ISID_SIZE - 1; i < ISID_SIZE;) \
+--- a/drivers/scsi/qla4xxx/ql4_os.c
++++ b/drivers/scsi/qla4xxx/ql4_os.c
+@@ -262,6 +262,24 @@ static struct iscsi_transport qla4xxx_is
+
+ static struct scsi_transport_template *qla4xxx_scsi_transport;
+
++static int qla4xxx_isp_check_reg(struct scsi_qla_host *ha)
++{
++ u32 reg_val = 0;
++ int rval = QLA_SUCCESS;
++
++ if (is_qla8022(ha))
++ reg_val = readl(&ha->qla4_82xx_reg->host_status);
++ else if (is_qla8032(ha) || is_qla8042(ha))
++ reg_val = qla4_8xxx_rd_direct(ha, QLA8XXX_PEG_ALIVE_COUNTER);
++ else
++ reg_val = readw(&ha->reg->ctrl_status);
++
++ if (reg_val == QL4_ISP_REG_DISCONNECT)
++ rval = QLA_ERROR;
++
++ return rval;
++}
++
+ static int qla4xxx_send_ping(struct Scsi_Host *shost, uint32_t iface_num,
+ uint32_t iface_type, uint32_t payload_size,
+ uint32_t pid, struct sockaddr *dst_addr)
+@@ -9196,10 +9214,17 @@ static int qla4xxx_eh_abort(struct scsi_
+ struct srb *srb = NULL;
+ int ret = SUCCESS;
+ int wait = 0;
++ int rval;
+
+ ql4_printk(KERN_INFO, ha, "scsi%ld:%d:%llu: Abort command issued cmd=%p, cdb=0x%x\n",
+ ha->host_no, id, lun, cmd, cmd->cmnd[0]);
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ spin_lock_irqsave(&ha->hardware_lock, flags);
+ srb = (struct srb *) CMD_SP(cmd);
+ if (!srb) {
+@@ -9251,6 +9276,7 @@ static int qla4xxx_eh_device_reset(struc
+ struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
+ struct ddb_entry *ddb_entry = cmd->device->hostdata;
+ int ret = FAILED, stat;
++ int rval;
+
+ if (!ddb_entry)
+ return ret;
+@@ -9270,6 +9296,12 @@ static int qla4xxx_eh_device_reset(struc
+ cmd, jiffies, cmd->request->timeout / HZ,
+ ha->dpc_flags, cmd->result, cmd->allowed));
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ /* FIXME: wait for hba to go online */
+ stat = qla4xxx_reset_lun(ha, ddb_entry, cmd->device->lun);
+ if (stat != QLA_SUCCESS) {
+@@ -9313,6 +9345,7 @@ static int qla4xxx_eh_target_reset(struc
+ struct scsi_qla_host *ha = to_qla_host(cmd->device->host);
+ struct ddb_entry *ddb_entry = cmd->device->hostdata;
+ int stat, ret;
++ int rval;
+
+ if (!ddb_entry)
+ return FAILED;
+@@ -9330,6 +9363,12 @@ static int qla4xxx_eh_target_reset(struc
+ ha->host_no, cmd, jiffies, cmd->request->timeout / HZ,
+ ha->dpc_flags, cmd->result, cmd->allowed));
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ stat = qla4xxx_reset_target(ha, ddb_entry);
+ if (stat != QLA_SUCCESS) {
+ starget_printk(KERN_INFO, scsi_target(cmd->device),
+@@ -9384,9 +9423,16 @@ static int qla4xxx_eh_host_reset(struct
+ {
+ int return_status = FAILED;
+ struct scsi_qla_host *ha;
++ int rval;
+
+ ha = to_qla_host(cmd->device->host);
+
++ rval = qla4xxx_isp_check_reg(ha);
++ if (rval != QLA_SUCCESS) {
++ ql4_printk(KERN_INFO, ha, "PCI/Register disconnect, exiting.\n");
++ return FAILED;
++ }
++
+ if ((is_qla8032(ha) || is_qla8042(ha)) && ql4xdontresethba)
+ qla4_83xx_set_idc_dontreset(ha);
+
diff --git a/queue-4.9/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch b/queue-4.9/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch
new file mode 100644
index 00000000000..fe26b94548b
--- /dev/null
+++ b/queue-4.9/scsi-sd-keep-disk-read-only-when-re-reading-partition.patch
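Review bot: In qla4xxx_isp_check_reg() the final `else` branch fills `reg_val` from `readw(&ha->reg->ctrl_status)`, which yields at most 16 bits, so the comparison with `QL4_ISP_REG_DISCONNECT` (`0xffffffffU`) can never be true on that path and a removed adapter of that type goes undetected. Either read the register with `readl()` if it is 32 bits wide, or compare that branch against `0xffff`. The helper also lacks a comment saying that an all-ones read is taken as the sign of a removed PCI device; `/* an all-ones MMIO read means the device is gone */` above the comparison would do. The identical four-line check is pasted into four error handlers and could be folded into one helper that logs and returns `FAILED`.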
@@ -0,0 +1,49 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Jeremy Cline
+Date: Tue, 6 Mar 2018 21:47:32 +0000
+Subject: scsi: sd: Keep disk read-only when re-reading partition
+
+From: Jeremy Cline
+
+[ Upstream commit 20bd1d026aacc5399464f8328f305985c493cde3 ]
+
+If the read-only flag is true on a SCSI disk, re-reading the partition
+table sets the flag back to false.
+
+To observe this bug, you can run:
+
+1. blockdev --setro /dev/sda
+2. blockdev --rereadpt /dev/sda
+3. blockdev --getro /dev/sda
+
+This commit reads the disk's old state and combines it with the device
+disk-reported state rather than unconditionally marking it as RW.
+
+Reported-by: Li Ning
+Signed-off-by: Jeremy Cline
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2401,6 +2401,7 @@ sd_read_write_protect_flag(struct scsi_d
+ int res;
+ struct scsi_device *sdp = sdkp->device;
+ struct scsi_mode_data data;
++ int disk_ro = get_disk_ro(sdkp->disk);
+ int old_wp = sdkp->write_prot;
+
+ set_disk_ro(sdkp->disk, 0);
+@@ -2441,7 +2442,7 @@ sd_read_write_protect_flag(struct scsi_d
+ "Test WP failed, assume Write Enabled\n");
+ } else {
+ sdkp->write_prot = ((data.device_specific & 0x80) != 0);
+- set_disk_ro(sdkp->disk, sdkp->write_prot);
++ set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro);
+ if (sdkp->first_scan || old_wp != sdkp->write_prot) {
+ sd_printk(KERN_NOTICE, sdkp, "Write Protect is %s\n",
+ sdkp->write_prot ? "on" : "off");
diff --git a/queue-4.9/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch b/queue-4.9/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch
new file mode 100644
index 00000000000..f4508e2eebd
--- /dev/null
+++ b/queue-4.9/scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch
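Review bot: `disk_ro` is sampled with `get_disk_ro()` from the same flag that this function itself sets from `sdkp->write_prot`, so it cannot tell a user's `blockdev --setro` apart from an earlier device-reported write protect. With `set_disk_ro(sdkp->disk, sdkp->write_prot || disk_ro)`, a disk that was once reported write-protected stays read-only on later rescans even after the device reports it writable. Separately, the context line `set_disk_ro(sdkp->disk, 0)` still clears the flag up front, and branches that never reach the changed line (for instance the "Test WP failed" one) appear to leave it cleared; the code between the two hunks is not shown, so that needs checking. Keeping the user-requested read-only state in its own field would address both.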
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: "Michael Kelley (EOSG)"
+Date: Wed, 24 Jan 2018 22:49:57 +0000
+Subject: scsi: storvsc: Increase cmd_per_lun for higher speed devices
+
+From: "Michael Kelley (EOSG)"
+
+[ Upstream commit cabe92a55e3a12005a4ac4d3954c9a174b0efe2a ]
+
+Increase cmd_per_lun to allow more I/Os in progress per device,
+particularly for NVMe's. The Hyper-V host side can handle the higher
+count with no issues.
+
+Signed-off-by: Michael Kelley
+Reviewed-by: K. Y. Srinivasan
+Acked-by: K. Y. Srinivasan
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/storvsc_drv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1580,7 +1580,7 @@ static struct scsi_host_template scsi_dr
+ .eh_timed_out = storvsc_eh_timed_out,
+ .slave_alloc = storvsc_device_alloc,
+ .slave_configure = storvsc_device_configure,
+- .cmd_per_lun = 255,
++ .cmd_per_lun = 2048,
+ .this_id = -1,
+ .use_clustering = ENABLE_CLUSTERING,
+ /* Make sure we dont get a sg segment crosses a page boundary */
diff --git a/queue-4.9/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch b/queue-4.9/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch
new file mode 100644
index 00000000000..97994101464
--- /dev/null
+++ b/queue-4.9/scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Dan Carpenter
+Date: Thu, 25 Jan 2018 17:13:40 +0300
+Subject: scsi: sym53c8xx_2: iterator underflow in sym_getsync()
+
+From: Dan Carpenter
+
+[ Upstream commit e6f791d95313c85f3dd4a26141e28e50ae9aa0ae ]
+
+We wanted to exit the loop with "div" set to zero, but instead, if we
+don't hit the break then "div" is -1 when we finish the loop. It leads
+to an array underflow a few lines later.
+
+Signed-off-by: Dan Carpenter
+Reviewed-by: Johannes Thumshirn
+Acked-by: Matthew Wilcox
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/sym53c8xx_2/sym_hipd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/sym53c8xx_2/sym_hipd.c
++++ b/drivers/scsi/sym53c8xx_2/sym_hipd.c
+@@ -536,7 +536,7 @@ sym_getsync(struct sym_hcb *np, u_char d
+ * Look for the greatest clock divisor that allows an
+ * input speed faster than the period.
+ */
+- while (div-- > 0)
++ while (--div > 0)
+ if (kpc >= (div_10M[div] << 2)) break;
+
+ /*
diff --git a/queue-4.9/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch b/queue-4.9/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch
new file mode 100644
index 00000000000..ae5ca4aad30
--- /dev/null
+++ b/queue-4.9/scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch
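Review bot: `while (--div > 0)` leaves `div` at 0 only when it enters the loop at 1 or more; if it can arrive as 0 it is decremented to -1 and the `div_10M[div]` access the description mentions still underflows. The initialisation of `div` is outside the hunk, so this may be impossible in practice, but then the precondition deserves a comment, e.g. `/* div >= 1 on entry; the loop leaves it in 0..div-1 */`. The unbraced `if (...) break;` on one line as the loop body is also easy to misread.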
@@ -0,0 +1,35 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Sujit Reddy Thumma
+Date: Wed, 24 Jan 2018 09:52:35 +0530
+Subject: scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
+
+From: Sujit Reddy Thumma
+
+[ Upstream commit 84af7e8b895088d89f246d6b0f82717fafdebf61 ]
+
+WRITE_SAME command is not supported by UFS. Enable a quirk for the upper
+level drivers to not send WRITE SAME command.
+
+[mkp: botched patch, applied by hand]
+
+Signed-off-by: Sujit Reddy Thumma
+Signed-off-by: Subhash Jadavani
+Signed-off-by: Asutosh Das
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/ufs/ufshcd.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -3338,6 +3338,8 @@ static int ufshcd_slave_alloc(struct scs
+ /* REPORT SUPPORTED OPERATION CODES is not supported */
+ sdev->no_report_opcodes = 1;
+
++ /* WRITE_SAME command is not supported */
++ sdev->no_write_same = 1;
+
+ ufshcd_set_queue_depth(sdev);
+
diff --git a/queue-4.9/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch b/queue-4.9/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
new file mode 100644
index 00000000000..0671b1262b3
--- /dev/null
+++ b/queue-4.9/serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
@@ -0,0 +1,39 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Vignesh R
+Date: Thu, 8 Feb 2018 18:25:41 +0530
+Subject: serial: 8250: Don't service RX FIFO if interrupts are disabled
+
+From: Vignesh R
+
+[ Upstream commit 2e9fe539108320820016f78ca7704a7342788380 ]
+
+Currently, data in RX FIFO is read based on UART_LSR register state even
+if RDI and RLSI interrupts are disabled in UART_IER register.
+This is because when IRQ handler is called due to TX FIFO empty event,
+RX FIFO is serviced based on UART_LSR register status instead of
+UART_IIR status. This defeats the purpose of disabling UART RX
+FIFO interrupts during throttling(see, omap_8250_throttle()) as IRQ
+handler continues to drain UART RX FIFO resulting in overflow of buffer
+at tty layer.
+Fix this by making sure that driver drains UART RX FIFO only when
+UART_IIR_RDI is set along with UART_LSR_BI or UART_LSR_DR bits.
+
+Signed-off-by: Vignesh R
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/8250/8250_port.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1815,7 +1815,8 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI)) {
++ if (status & (UART_LSR_DR | UART_LSR_BI) &&
++ iir & UART_IIR_RDI) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
diff --git a/queue-4.9/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.9/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
new file mode 100644
index 00000000000..18a19602121
--- /dev/null
+++ b/queue-4.9/serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
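Review bot: The new condition `status & (UART_LSR_DR | UART_LSR_BI) && iir & UART_IIR_RDI` relies on `&` binding tighter than `&&`; it evaluates as intended, but readers have to stop and check, so `(status & (UART_LSR_DR | UART_LSR_BI)) && (iir & UART_IIR_RDI)` is preferable. `iir & UART_IIR_RDI` is a bit test rather than a comparison of the interrupt-ID field, so it is also true for any other IIR code that has that bit set; a short comment saying whether that is intended would help. Callers that poll and pass their own `iir` value (not visible here) would need checking, since RX servicing is now skipped unless that bit is present.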
@@ -0,0 +1,40 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:29 +0100
+Subject: serial: arc_uart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven
+
+[ Upstream commit f9f5786987e81d166c60833edcb7d1836aa16944 ]
+
+The arc_uart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_ARC_NR_PORTS), so this can even be triggered using a
+legitimate DTB.
+
+Fixes: ea28fd56fcde69af ("serial/arc-uart: switch to devicetree based probing")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/arc_uart.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/tty/serial/arc_uart.c
++++ b/drivers/tty/serial/arc_uart.c
+@@ -596,6 +596,11 @@ static int arc_serial_probe(struct platf
+ if (dev_id < 0)
+ dev_id = 0;
+
++ if (dev_id >= ARRAY_SIZE(arc_uart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", dev_id);
++ return -EINVAL;
++ }
++
+ uart = &arc_uart_ports[dev_id];
+ port = &uart->port;
+
diff --git a/queue-4.9/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.9/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
new file mode 100644
index 00000000000..87ce5dae536
--- /dev/null
+++ b/queue-4.9/serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
@@ -0,0 +1,35 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:30 +0100
+Subject: serial: fsl_lpuart: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven
+
+[ Upstream commit ffab87fdecc655cc676f8be8dd1a2c5e22bd6d47 ]
+
+The lpuart_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: c9e2e946fb0ba5d2 ("tty: serial: add Freescale lpuart driver support")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/fsl_lpuart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1902,6 +1902,10 @@ static int lpuart_probe(struct platform_
+ dev_err(&pdev->dev, "failed to get alias id, errno %d\n", ret);
+ return ret;
+ }
++ if (ret >= ARRAY_SIZE(lpuart_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", ret);
++ return -EINVAL;
++ }
+ sport->port.line = ret;
+ sport->lpuart32 = of_device_is_compatible(np, "fsl,ls1021a-lpuart");
+
diff --git a/queue-4.9/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.9/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
new file mode 100644
index 00000000000..ecc515d9ab0
--- /dev/null
+++ b/queue-4.9/serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
@@ -0,0 +1,39 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:31 +0100
+Subject: serial: imx: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 5673444821406dda5fc25e4b52aca419f8065a19 ]
+
+The imx_ports[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: ff05967a07225ab6 ("serial/imx: add of_alias_get_id() reference back")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Uwe Kleine-König
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/imx.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2080,6 +2080,12 @@ static int serial_imx_probe(struct platf
+ else if (ret < 0)
+ return ret;
+
++ if (sport->port.line >= ARRAY_SIZE(imx_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n",
++ sport->port.line);
++ return -EINVAL;
++ }
++
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(base))
diff --git a/queue-4.9/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.9/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
new file mode 100644
index 00000000000..37238cc50ee
--- /dev/null
+++ b/queue-4.9/serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:32 +0100
+Subject: serial: mxs-auart: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven
+
+[ Upstream commit dd345a31bfdec350d2593e6de5964e55c7f19c76 ]
+
+The auart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, or from platform data, which may lead to an
+out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 1ea6607d4cdc9179 ("serial: mxs-auart: Allow device tree probing")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/mxs-auart.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/mxs-auart.c
++++ b/drivers/tty/serial/mxs-auart.c
+@@ -1664,6 +1664,10 @@ static int mxs_auart_probe(struct platfo
+ s->port.line = pdev->id < 0 ? 0 : pdev->id;
+ else if (ret < 0)
+ return ret;
++ if (s->port.line >= ARRAY_SIZE(auart_port)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", s->port.line);
++ return -EINVAL;
++ }
+
+ if (of_id) {
+ pdev->id_entry = of_id->data;
diff --git a/queue-4.9/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch b/queue-4.9/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
new file mode 100644
index 00000000000..51e6c43ac8d
--- /dev/null
+++ b/queue-4.9/serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
@@ -0,0 +1,40 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:34 +0100
+Subject: serial: samsung: Fix out-of-bounds access through serial port index
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 49ee23b71877831ac087d6083f6f397dc19c9664 ]
+
+The s3c24xx_serial_ports[] array is indexed using a value derived from
+the "serialN" alias in DT, or from an incrementing probe index, which
+may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Note that the array size is defined by a Kconfig symbol
+(CONFIG_SERIAL_SAMSUNG_UARTS), so this can even be triggered using
+a legitimate DTB or legitimate board code.
+
+Fixes: 13a9f6c64fdc55eb ("serial: samsung: Consider DT alias when probing ports")
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/samsung.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -1813,6 +1813,10 @@ static int s3c24xx_serial_probe(struct p
+
+ dbg("s3c24xx_serial_probe(%p) %d\n", pdev, index);
+
++ if (index >= ARRAY_SIZE(s3c24xx_serial_ports)) {
++ dev_err(&pdev->dev, "serial%d out of range\n", index);
++ return -EINVAL;
++ }
+ ourport = &s3c24xx_serial_ports[index];
+
+ ourport->drv_data = s3c24xx_get_driver_data(pdev);
diff --git a/queue-4.9/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch b/queue-4.9/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
new file mode 100644
index 00000000000..bdd4133790a
--- /dev/null
+++ b/queue-4.9/serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Geert Uytterhoeven
+Date: Fri, 23 Feb 2018 14:38:37 +0100
+Subject: serial: xuartps: Fix out-of-bounds access through DT alias
+
+From: Geert Uytterhoeven
+
+[ Upstream commit e7d75e18d0fc3f7193b65282b651f980c778d935 ]
+
+The cdns_uart_port[] array is indexed using a value derived from the
+"serialN" alias in DT, which may lead to an out-of-bounds access.
+
+Fix this by adding a range check.
+
+Fixes: 928e9263492069ee ("tty: xuartps: Initialize ports according to aliases")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Michal Simek
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -1106,7 +1106,7 @@ static struct uart_port *cdns_uart_get_p
+ struct uart_port *port;
+
+ /* Try the given port id if failed use default method */
+- if (cdns_uart_port[id].mapbase != 0) {
++ if (id < CDNS_UART_NR_PORTS && cdns_uart_port[id].mapbase != 0) {
+ /* Find the next unused port */
+ for (id = 0; id < CDNS_UART_NR_PORTS; id++)
+ if (cdns_uart_port[id].mapbase == 0)
diff --git a/queue-4.9/series b/queue-4.9/series
index d7ca5156d06..dabcf4d8a06 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
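Review bot: The added guard `id < CDNS_UART_NR_PORTS` covers only the upper bound; if `id` is a signed int that can arrive negative (its declaration and the caller are outside the hunk), `cdns_uart_port[id]` is still indexed before the start of the array. When the guard fails, the search loop is skipped and `id` keeps its out-of-range value, so the code after the hunk has to reject it; it is worth confirming that an `id >= CDNS_UART_NR_PORTS` check follows. A comment on the condition would make the intent clear, e.g. `/* id comes from the DT alias and may exceed the port table */`, and an explicit `id < 0 ||` term or an unsigned `id` would close the lower bound.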
@@ -21,3 +21,77 @@ scsi-zfcp-fix-infinite-iteration-on-erp-ready-list.patch
 cfg80211-limit-wiphy-names-to-128-bytes.patch
 hfsplus-stop-workqueue-when-fill_super-failed.patch
 x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch
+usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch
+usb-dwc3-undo-phy-init-if-soft-reset-fails.patch
+usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch
+usb-gadget-core-fix-use-after-free-of-usb_request.patch
+usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch
+usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch
+usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch
+usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch
+net-usb-qmi_wwan.c-add-usb-id-for-lt4120-modem.patch
+net-usb-add-qmi_wwan-if-on-lte-modem-wistron-neweb-d18q1.patch
+bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch
+alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch
+usb-dwc3-add-softreset-phy-synchonization-delay.patch
+usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
+xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
+usb-dwc2-fix-interval-type-issue.patch
+usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
+usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch
+usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
+usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
+usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch
+media-em28xx-usb-bulk-packet-size-fix.patch
+bluetooth-btusb-add-device-id-for-rtl8822be.patch
+staging-lustre-fix-bug-in-osc_enter_cache_try.patch
+staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
+staging-lustre-lmv-correctly-iput-lmo_root.patch
+crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch
+scsi-fas216-fix-sense-buffer-initialization.patch
+scsi-ufs-enable-quirk-to-ignore-sending-write_same-command.patch
+scsi-bnx2fc-fix-check-in-scsi-completion-handler-for-timed-out-request.patch
+scsi-sym53c8xx_2-iterator-underflow-in-sym_getsync.patch
+scsi-mptfusion-add-bounds-check-in-mptctl_hp_targetinfo.patch
+scsi-qla2xxx-avoid-triggering-undefined-behavior-in-qla2x00_mbx_completion.patch
+scsi-storvsc-increase-cmd_per_lun-for-higher-speed-devices.patch
+scsi-aacraid-fix-shutdown-crash-when-init-fails.patch
+scsi-qla4xxx-skip-error-recovery-in-case-of-register-disconnect.patch
+scsi-mpt3sas-do-not-mark-fw_event-workqueue-as-wq_mem_reclaim.patch
+scsi-sd-keep-disk-read-only-when-re-reading-partition.patch
+scsi-aacraid-insure-command-thread-is-not-recursively-stopped.patch
+scsi-mvsas-fix-wrong-endianness-of-sgpio-api.patch
+scsi-lpfc-fix-issue_lip-if-link-is-disabled.patch
+scsi-lpfc-fix-soft-lockup-in-lpfc-worker-thread-during-lip-testing.patch
+scsi-lpfc-fix-frequency-of-release-wqe-cqes.patch
+asoc-au1x-fix-timeout-tests-in-au1xac97c_ac97_read.patch
+asoc-topology-create-tlv-data-for-dapm-widgets.patch
+asoc-samsung-i2s-ensure-the-rclk-rate-is-properly-determined.patch
+clk-rockchip-fix-wrong-parent-for-sdmmc-phase-clock-for-rk3228.patch
+clk-don-t-show-the-incorrect-clock-phase.patch
+clk-tegra-fix-pll_u-rate-configuration.patch
+media-cx23885-set-subdev-host-data-to-clk_freq-pointer.patch
+clk-rockchip-prevent-calculating-mmc-phase-if-clock-rate-is-zero.patch
+clk-samsung-s3c2410-fix-pll-rates.patch
+clk-samsung-exynos7-fix-pll-rates.patch
+clk-samsung-exynos5260-fix-pll-rates.patch
+clk-samsung-exynos5433-fix-pll-rates.patch
+clk-samsung-exynos5250-fix-pll-rates.patch
+clk-samsung-exynos3250-fix-pll-rates.patch
+media-dmxdev-fix-error-code-for-invalid-ioctls.patch
+arm64-insn-allow-add-sub-immediate-with-lsl-12.patch
+media-cx23885-override-888-impactvcbe-crystal-frequency.patch
+media-s3c-camif-fix-out-of-bounds-array-access.patch
+media-vb2-fix-videobuf2-to-map-correct-area.patch
+media-vivid-fix-incorrect-capabilities-for-radio.patch
+media-cx25821-prevent-out-of-bounds-read-on-array-card.patch
+serial-xuartps-fix-out-of-bounds-access-through-dt-alias.patch
+serial-samsung-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-mxs-auart-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-imx-fix-out-of-bounds-access-through-serial-port-index.patch
+serial-fsl_lpuart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-arc_uart-fix-out-of-bounds-access-through-dt-alias.patch
+serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+rtc-snvs-fix-usage-of-snvs_rtc_enable.patch
+rtc-hctosys-ensure-system-time-doesn-t-overflow-time_t.patch
+rtc-tx4939-avoid-unintended-sign-extension-on-a-24-bit-shift.patch
diff --git a/queue-4.9/staging-lustre-fix-bug-in-osc_enter_cache_try.patch b/queue-4.9/staging-lustre-fix-bug-in-osc_enter_cache_try.patch
new file mode 100644
index 00000000000..f633c71d85d
--- /dev/null
+++ b/queue-4.9/staging-lustre-fix-bug-in-osc_enter_cache_try.patch
@@ -0,0 +1,55 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: NeilBrown +Date: Fri, 2 Mar 2018 10:31:25 +1100 +Subject: staging: lustre: fix bug in osc_enter_cache_try + +From: NeilBrown + +[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ] + +The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc: +Automatically increase the max_dirty_mb") changed + +- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + +When this patch landed in Linux a couple of years later, it landed as + +- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages && + +which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to +increase beyond cl_dirty_max_pages - which causes a latter assertion +to fails. + +Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb") +Signed-off-by: NeilBrown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/lustre/lustre/include/obd.h ++++ b/drivers/staging/lustre/lustre/include/obd.h +@@ -253,7 +253,7 @@ struct client_obd { + struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */ + + /* the grant values are protected by loi_list_lock below */ +- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */ ++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */ + unsigned long cl_dirty_max_pages; /* allowed w/o rpc */ + unsigned long cl_dirty_transit; /* dirty synchronous */ + unsigned long cl_avail_grant; /* bytes of credit for ost */ +--- a/drivers/staging/lustre/lustre/osc/osc_cache.c ++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c +@@ -1542,7 +1542,7 @@ static int osc_enter_cache_try(struct cl + if (rc < 0) + return 0; + +- if (cli->cl_dirty_pages <= 
cli->cl_dirty_max_pages && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) { + osc_consume_write_grant(cli, &oap->oap_brw_page); + if (transient) { diff --git a/queue-4.9/staging-lustre-lmv-correctly-iput-lmo_root.patch b/queue-4.9/staging-lustre-lmv-correctly-iput-lmo_root.patch new file mode 100644 index 00000000000..0ef310bfa19 --- /dev/null +++ b/queue-4.9/staging-lustre-lmv-correctly-iput-lmo_root.patch 
@@ -0,0 +1,45 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: NeilBrown
+Date: Fri, 23 Feb 2018 09:09:33 +1100
+Subject: staging: lustre: lmv: correctly iput lmo_root
+
+From: NeilBrown
+
+[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ]
+
+Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object
+with master stripe") changed how lmo_root inodes were managed,
+particularly when LMV_HASH_FLAG_MIGRATION is not set.
+Previously lsm_md_oinfo[0].lmo_root was always a borrowed
+inode reference and didn't need to by iput().
+Since the change, that special case only applies when
+LMV_HASH_FLAG_MIGRATION is set
+
+In the upstream (lustre-release) version of this patch [Commit
+60e07b972114 ("LU-4690 lod: separate master object with master
+stripe")] the for loop in the lmv_unpack_md() was changed to count
+from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set.
+In the patch that got applied to Linux, that change was missing,
+so lsm_md_oinfo[0].lmo_root is never iput().
+This results in a "VFS: Busy inodes" warning at unmount.
+
+Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe")
+Signed-off-by: NeilBrown
+Reviewed-by: James Simmons
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c
++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c
+@@ -2928,7 +2928,7 @@ int lmv_unpack_md(struct obd_export *exp
+ if (lsm && !lmm) {
+ int i;
+
+- for (i = 1; i < lsm->lsm_md_stripe_count; i++) {
++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) {
+ /*
+ * For migrating inode, the master stripe and master
+ * object will be the same, so do not need iput, see
diff --git a/queue-4.9/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch b/queue-4.9/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
new file mode 100644
index 00000000000..7d56a4b2ca6
--- /dev/null
+++ b/queue-4.9/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Colin Ian King
+Date: Wed, 28 Feb 2018 11:28:49 +0000
+Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
+
+From: Colin Ian King
+
+[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ]
+
+Currently the allocation of priv->oldaddr is not null checked which will
+lead to subsequent errors when accessing priv->oldaddr. Fix this with
+a null pointer check and a return of -ENOMEM on allocation failure.
+
+Detected with Coccinelle:
+drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test,
+possible model on line 1723
+
+Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging")
+Signed-off-by: Colin Ian King
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192u/r8192U_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/rtl8192u/r8192U_core.c
++++ b/drivers/staging/rtl8192u/r8192U_core.c
+@@ -1705,6 +1705,8 @@ static short rtl8192_usb_initendpoints(s
+
+ priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL);
+ priv->oldaddr = kmalloc(16, GFP_KERNEL);
++ if (!priv->oldaddr)
++ return -ENOMEM;
+ oldaddr = priv->oldaddr;
+ align = ((long)oldaddr) & 3;
+ if (align) {
diff --git a/queue-4.9/usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch b/queue-4.9/usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch
new file mode 100644
index 00000000000..201432b0402
--- /dev/null
+++ b/queue-4.9/usb-cdc_acm-prevent-race-at-write-to-acm-while-system-resumes.patch
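Review bot: The `usb_alloc_urb()` result stored in `priv->rx_urb[16]` on the context line directly above the new check is not tested in the visible lines, so the hunk guards only one of two adjacent allocations. I would add `if (!priv->rx_urb[16]) return -ENOMEM;` right after that call. The new `return -ENOMEM` for `priv->oldaddr` also leaves that URB allocated at the point of return; rtl8192_usb_initendpoints() starts and ends outside the hunk, so whether its caller releases the URB on failure needs to be confirmed.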
@@ -0,0 +1,92 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Dominik Bozek +Date: Thu, 15 Feb 2018 21:27:48 -0800 +Subject: usb: cdc_acm: prevent race at write to acm while system resumes + +From: Dominik Bozek + +[ Upstream commit b86b8eb6fecb5a4bac1ed0ca925c4082a61ea6e9 ] + +ACM driver may accept data to transmit while system is not fully +resumed. In this case ACM driver buffers data and prepare URBs +on usb anchor list. +There is a little chance that two tasks put a char and initiate +acm_tty_flush_chars(). In such a case, driver will put one URB +twice on usb anchor list. +This patch also reset length of data before resue of a buffer. +This not only prevent sending rubbish, but also lower risc of race. + +Without this patch we hit following kernel panic in one of our +stabilty/stress tests. + +[ 46.884442] *list_add double add*: new=ffff9b2ab7289330, prev=ffff9b2ab7289330, next=ffff9b2ab81e28e0. +[ 46.884476] Modules linked in: hci_uart btbcm bluetooth rfkill_gpio igb_avb(O) cfg80211 snd_soc_sst_bxt_tdf8532 snd_soc_skl snd_soc_skl_ipc snd_soc_sst_ipc snd_soc_sst_dsp snd_soc_sst_acpi snd_soc_sst_match snd_hda_ext_core snd_hda_core trusty_timer trusty_wall trusty_log trusty_virtio trusty_ipc trusty_mem trusty_irq trusty virtio_ring virtio intel_ipu4_mmu_bxtB0 lib2600_mod_bxtB0 intel_ipu4_isys_mod_bxtB0 lib2600psys_mod_bxtB0 intel_ipu4_psys_mod_bxtB0 intel_ipu4_mod_bxtB0 intel_ipu4_wrapper_bxtB0 intel_ipu4_acpi videobuf2_dma_contig as3638 dw9714 lm3643 crlmodule smiapp smiapp_pll +[ 46.884480] CPU: 1 PID: 33 Comm: kworker/u8:1 Tainted: G U W O 4.9.56-quilt-2e5dc0ac-g618ed69ced6e-dirty #4 +[ 46.884489] Workqueue: events_unbound flush_to_ldisc +[ 46.884494] ffffb98ac012bb08 ffffffffad3e82e5 ffffb98ac012bb58 0000000000000000 +[ 46.884497] ffffb98ac012bb48 ffffffffad0a23d1 00000024ad6374dd ffff9b2ab7289330 +[ 46.884500] ffff9b2ab81e28e0 ffff9b2ab7289330 0000000000000002 0000000000000000 +[ 46.884501] Call Trace: +[ 46.884507] [] dump_stack+0x67/0x92 +[ 
46.884511] [] __warn+0xd1/0xf0 +[ 46.884513] [] warn_slowpath_fmt+0x5f/0x80 +[ 46.884516] [] __list_add+0xb3/0xc0 +[ 46.884521] [] *usb_anchor_urb*+0x4c/0xa0 +[ 46.884524] [] *acm_tty_flush_chars*+0x8f/0xb0 +[ 46.884527] [] *acm_tty_put_char*+0x41/0x100 +[ 46.884530] [] tty_put_char+0x24/0x40 +[ 46.884533] [] do_output_char+0xa5/0x200 +[ 46.884535] [] __process_echoes+0x148/0x290 +[ 46.884538] [] n_tty_receive_buf_common+0x57c/0xb00 +[ 46.884541] [] n_tty_receive_buf2+0x14/0x20 +[ 46.884543] [] tty_ldisc_receive_buf+0x22/0x50 +[ 46.884545] [] flush_to_ldisc+0xc5/0xe0 +[ 46.884549] [] process_one_work+0x148/0x440 +[ 46.884551] [] worker_thread+0x69/0x4a0 +[ 46.884554] [] ? max_active_store+0x80/0x80 +[ 46.884556] [] kthread+0x110/0x130 +[ 46.884559] [] ? kthread_park+0x60/0x60 +[ 46.884563] [] ret_from_fork+0x27/0x40 +[ 46.884566] ---[ end trace 3bd599058b8a9eb3 ]--- + +Signed-off-by: Dominik Bozek +Signed-off-by: Kuppuswamy Sathyanarayanan +Acked-by: Oliver Neukum +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -174,6 +174,7 @@ static int acm_wb_alloc(struct acm *acm) + wb = &acm->wb[wbn]; + if (!wb->use) { + wb->use = 1; ++ wb->len = 0; + return wbn; + } + wbn = (wbn + 1) % ACM_NW; +@@ -731,16 +732,18 @@ static int acm_tty_write(struct tty_stru + static void acm_tty_flush_chars(struct tty_struct *tty) + { + struct acm *acm = tty->driver_data; +- struct acm_wb *cur = acm->putbuffer; ++ struct acm_wb *cur; + int err; + unsigned long flags; + ++ spin_lock_irqsave(&acm->write_lock, flags); ++ ++ cur = acm->putbuffer; + if (!cur) /* nothing to do */ +- return; ++ goto out; + + acm->putbuffer = NULL; + err = usb_autopm_get_interface_async(acm->control); +- spin_lock_irqsave(&acm->write_lock, flags); + if (err < 0) { + cur->use = 0; + acm->putbuffer = cur; 
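Review bot: Taking `acm->write_lock` before reading `acm->putbuffer` in acm_tty_flush_chars() closes the race only if every other reader and writer of `putbuffer` holds the same lock. The trace in the description enters through acm_tty_put_char(), which this patch does not touch; if it still tests or assigns `acm->putbuffer` without the lock, two tasks can pick up the same write buffer before either reaches the locked section, so that path is worth confirming. A comment stating the new rule would also keep it from regressing, for example `/* acm->putbuffer is protected by acm->write_lock */` above `cur = acm->putbuffer;`. The function continues past the end of the hunk, including the `out` label.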
diff --git a/queue-4.9/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch b/queue-4.9/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch
new file mode 100644
index 00000000000..fc2ee2ebdd2
--- /dev/null
+++ b/queue-4.9/usb-dwc2-fix-dwc2_hsotg_core_init_disconnected.patch
@@ -0,0 +1,55 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Vardan Mikayelyan +Date: Tue, 16 Jan 2018 16:04:24 +0400 +Subject: usb: dwc2: Fix dwc2_hsotg_core_init_disconnected() + +From: Vardan Mikayelyan + +[ Upstream commit 755d739534f998d92e348fba8ffb0478416576e7 ] + +We should call dwc2_hsotg_enqueue_setup() after properly +setting lx_state. Because it may cause error-out from +dwc2_hsotg_enqueue_setup() due to wrong value in lx_state. + +Issue can be reproduced by loading driver while connected +A-Connector (start in A-HOST mode) then disconnect A-Connector +to switch to B-DEVICE. + +Acked-by: John Youn +Signed-off-by: Vardan Mikayelyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/gadget.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/usb/dwc2/gadget.c ++++ b/drivers/usb/dwc2/gadget.c +@@ -2642,12 +2642,6 @@ void dwc2_hsotg_core_init_disconnected(s + dwc2_writel(dwc2_hsotg_ep0_mps(hsotg->eps_out[0]->ep.maxpacket) | + DXEPCTL_USBACTEP, hsotg->regs + DIEPCTL0); + +- dwc2_hsotg_enqueue_setup(hsotg); +- +- dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", +- dwc2_readl(hsotg->regs + DIEPCTL0), +- dwc2_readl(hsotg->regs + DOEPCTL0)); +- + /* clear global NAKs */ + val = DCTL_CGOUTNAK | DCTL_CGNPINNAK; + if (!is_usb_reset) +@@ -2658,6 +2652,12 @@ void dwc2_hsotg_core_init_disconnected(s + mdelay(3); + + hsotg->lx_state = DWC2_L0; ++ ++ dwc2_hsotg_enqueue_setup(hsotg); ++ ++ dev_dbg(hsotg->dev, "EP0: DIEPCTL0=0x%08x, DOEPCTL0=0x%08x\n", ++ dwc2_readl(hsotg->regs + DIEPCTL0), ++ dwc2_readl(hsotg->regs + DOEPCTL0)); + } + + static void dwc2_hsotg_core_disconnect(struct dwc2_hsotg *hsotg) diff --git a/queue-4.9/usb-dwc2-fix-interval-type-issue.patch b/queue-4.9/usb-dwc2-fix-interval-type-issue.patch new file mode 100644 index 00000000000..c6341243f09 --- /dev/null 
+++ b/queue-4.9/usb-dwc2-fix-interval-type-issue.patch
@@ -0,0 +1,31 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Grigor Tovmasyan
+Date: Tue, 6 Feb 2018 19:07:38 +0400
+Subject: usb: dwc2: Fix interval type issue
+
+From: Grigor Tovmasyan
+
+[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ]
+
+The maximum value that unsigned char can hold is 255, meanwhile
+the maximum value of interval is 2^(bIntervalMax-1)=2^15.
+
+Signed-off-by: Grigor Tovmasyan
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc2/core.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.h
++++ b/drivers/usb/dwc2/core.h
+@@ -209,7 +209,7 @@ struct dwc2_hsotg_ep {
+ unsigned char dir_in;
+ unsigned char index;
+ unsigned char mc;
+- unsigned char interval;
++ u16 interval;
+
+ unsigned int halted:1;
+ unsigned int periodic:1;
diff --git a/queue-4.9/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch b/queue-4.9/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
new file mode 100644
index 00000000000..81099841b3c
--- /dev/null
+++ b/queue-4.9/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch
@@ -0,0 +1,54 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Minas Harutyunyan +Date: Fri, 19 Jan 2018 14:44:20 +0400 +Subject: usb: dwc2: host: Fix transaction errors in host mode + +From: Minas Harutyunyan + +[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ] + +Added missing GUSBCFG programming in host mode, which fixes +transaction errors issue on HiKey and Altera Cyclone V boards. + +These field even if was programmed in device mode (in function +dwc2_hsotg_core_init_disconnected()) will be resetting to POR values +after core soft reset applied. +So, each time when switching to host mode required to set this field +to correct value. + +Acked-by: John Youn +Signed-off-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -2268,10 +2268,22 @@ static int dwc2_core_init(struct dwc2_hs + */ + static void dwc2_core_host_init(struct dwc2_hsotg *hsotg) + { +- u32 hcfg, hfir, otgctl; ++ u32 hcfg, hfir, otgctl, usbcfg; + + dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg); + ++ /* Set HS/FS Timeout Calibration to 7 (max available value). ++ * The number of PHY clocks that the application programs in ++ * this field is added to the high/full speed interpacket timeout ++ * duration in the core to account for any additional delays ++ * introduced by the PHY. This can be required, because the delay ++ * introduced by the PHY in generating the linestate condition ++ * can vary from one PHY to another. ++ */ ++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG); ++ usbcfg |= GUSBCFG_TOUTCAL(7); ++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG); ++ + /* Restart the Phy Clock */ + dwc2_writel(0, hsotg->regs + PCGCTL); + 
diff --git a/queue-4.9/usb-dwc3-add-softreset-phy-synchonization-delay.patch b/queue-4.9/usb-dwc3-add-softreset-phy-synchonization-delay.patch new file mode 100644 index 00000000000..e3cbd2b8cb3 --- /dev/null +++ b/queue-4.9/usb-dwc3-add-softreset-phy-synchonization-delay.patch @@ -0,0 +1,50 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:48 -0700 +Subject: usb: dwc3: Add SoftReset PHY synchonization delay + +From: Thinh Nguyen + +[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ] + +>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST +bit is cleared, we must wait at least 50ms before accessing the PHY +domain (synchronization delay). + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -161,7 +161,7 @@ static int dwc3_core_soft_reset(struct d + do { + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (!(reg & DWC3_DCTL_CSFTRST)) +- return 0; ++ goto done; + + udelay(1); + } while (--retries); +@@ -170,6 +170,17 @@ static int dwc3_core_soft_reset(struct d + phy_exit(dwc->usb2_generic_phy); + + return -ETIMEDOUT; ++ ++done: ++ /* ++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared, ++ * we must wait at least 50ms before accessing the PHY domain ++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2. ++ */ ++ if (dwc3_is_usb31(dwc)) ++ msleep(50); ++ ++ return 0; + } + + /** diff --git a/queue-4.9/usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch b/queue-4.9/usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch new file mode 100644 index 00000000000..4714ee94ecd --- /dev/null +++ b/queue-4.9/usb-dwc3-omap-don-t-miss-events-during-suspend-resume.patch 
@@ -0,0 +1,48 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Roger Quadros +Date: Mon, 22 Jan 2018 15:01:42 +0200 +Subject: usb: dwc3: omap: don't miss events during suspend/resume + +From: Roger Quadros + +[ Upstream commit c49f63055e252810e5d6c83a4943b18db16b3cd8 ] + +The USB cable state can change during suspend/resume +so be sure to check and update the extcon state. + +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-omap.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-omap.c ++++ b/drivers/usb/dwc3/dwc3-omap.c +@@ -598,9 +598,25 @@ static int dwc3_omap_resume(struct devic + return 0; + } + ++static void dwc3_omap_complete(struct device *dev) ++{ ++ struct dwc3_omap *omap = dev_get_drvdata(dev); ++ ++ if (extcon_get_state(omap->edev, EXTCON_USB)) ++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_VALID); ++ else ++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_OFF); ++ ++ if (extcon_get_state(omap->edev, EXTCON_USB_HOST)) ++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_GROUND); ++ else ++ dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_FLOAT); ++} ++ + static const struct dev_pm_ops dwc3_omap_dev_pm_ops = { + + SET_SYSTEM_SLEEP_PM_OPS(dwc3_omap_suspend, dwc3_omap_resume) ++ .complete = dwc3_omap_complete, + }; + + #define DEV_PM_OPS (&dwc3_omap_dev_pm_ops) diff --git a/queue-4.9/usb-dwc3-undo-phy-init-if-soft-reset-fails.patch b/queue-4.9/usb-dwc3-undo-phy-init-if-soft-reset-fails.patch new file mode 100644 index 00000000000..1e19ae8efac --- /dev/null +++ b/queue-4.9/usb-dwc3-undo-phy-init-if-soft-reset-fails.patch 
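Review bot: In dwc3_omap_complete() the tests `if (extcon_get_state(omap->edev, EXTCON_USB))` and its EXTCON_USB_HOST twin treat any non-zero return as "cable attached", but extcon_get_state() reports failure as a negative errno. If `omap->edev` can be NULL or lack the cable type (the probe path is not in the hunk, so this is an assumption to confirm), every resume would program OMAP_DWC3_VBUS_VALID and OMAP_DWC3_ID_GROUND into the mailbox with nothing connected. Comparing against zero avoids that: `if (extcon_get_state(omap->edev, EXTCON_USB) > 0)`, and the same for EXTCON_USB_HOST.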
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Brian Norris
+Date: Wed, 17 Jan 2018 13:22:49 -0800
+Subject: usb: dwc3: Undo PHY init if soft reset fails
+
+From: Brian Norris
+
+[ Upstream commit 00b42170c86f90ac9dea83a7dfcd3f0c38098fe2 ]
+
+In this function, we init the USB2 and USB3 PHYs, but if soft reset
+times out, we don't unwind this.
+
+Noticed by inspection.
+
+Signed-off-by: Brian Norris
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/dwc3/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -166,6 +166,9 @@ static int dwc3_core_soft_reset(struct d
+ udelay(1);
+ } while (--retries);
+
++ phy_exit(dwc->usb3_generic_phy);
++ phy_exit(dwc->usb2_generic_phy);
++
+ return -ETIMEDOUT;
+ }
+
diff --git a/queue-4.9/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch b/queue-4.9/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
new file mode 100644
index 00000000000..d7707bad865
--- /dev/null
+++ b/queue-4.9/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch
@@ -0,0 +1,40 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:54 -0700 +Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields + +From: Thinh Nguyen + +[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ] + +Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP +is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM. + +The GTXFIFOSIZ register for DWC_usb31 is as follows: + +-------+-----------+----------------------------------+ + | BITS | Name | Description | + +=======+===========+==================================+ + | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address | + | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO | + | 14:0 | TXFDEP | TXFIFO Depth | + +-------+-----------+----------------------------------+ + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -238,6 +238,8 @@ + #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1) + + /* Global TX Fifo Size Register */ ++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */ ++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */ + #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff) + #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000) + diff --git a/queue-4.9/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch b/queue-4.9/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch new file mode 100644 index 00000000000..c7478d49e16 --- /dev/null +++ b/queue-4.9/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch 
@@ -0,0 +1,158 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Chris Dickens +Date: Sun, 31 Dec 2017 18:59:42 -0800 +Subject: usb: gadget: composite: fix incorrect handling of OS desc requests + +From: Chris Dickens + +[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ] + +When handling an OS descriptor request, one of the first operations is +to zero out the request buffer using the wLength from the setup packet. +There is no bounds checking, so a wLength > 4096 would clobber memory +adjacent to the request buffer. Fix this by taking the min of wLength +and the request buffer length prior to the memset. While at it, define +the buffer length in a header file so that magic numbers don't appear +throughout the code. + +When returning data to the host, the data length should be the min of +the wLength and the valid data we have to return. Currently we are +returning wLength, thus requests for a wLength greater than the amount +of data in the OS descriptor buffer would return invalid (albeit zero'd) +data following the valid descriptor data. Fix this by counting the +number of bytes when constructing the data and using this when +determining the length of the request. 
+ +Signed-off-by: Chris Dickens +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 40 +++++++++++++++++++--------------------- + include/linux/usb/composite.h | 3 +++ + 2 files changed, 22 insertions(+), 21 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1421,7 +1421,7 @@ static int count_ext_compat(struct usb_c + return res; + } + +-static void fill_ext_compat(struct usb_configuration *c, u8 *buf) ++static int fill_ext_compat(struct usb_configuration *c, u8 *buf) + { + int i, count; + +@@ -1448,10 +1448,12 @@ static void fill_ext_compat(struct usb_c + buf += 23; + } + count += 24; +- if (count >= 4096) +- return; ++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; + } + } ++ ++ return count; + } + + static int count_ext_prop(struct usb_configuration *c, int interface) +@@ -1496,25 +1498,20 @@ static int fill_ext_prop(struct usb_conf + struct usb_os_desc *d; + struct usb_os_desc_ext_prop *ext_prop; + int j, count, n, ret; +- u8 *start = buf; + + f = c->interface[interface]; ++ count = 10; /* header length */ + for (j = 0; j < f->os_desc_n; ++j) { + if (interface != f->os_desc_table[j].if_id) + continue; + d = f->os_desc_table[j].os_desc; + if (d) + list_for_each_entry(ext_prop, &d->ext_prop, entry) { +- /* 4kB minus header length */ +- n = buf - start; +- if (n >= 4086) +- return 0; +- +- count = ext_prop->data_len + ++ n = ext_prop->data_len + + ext_prop->name_len + 14; +- if (count > 4086 - n) +- return -EINVAL; +- usb_ext_prop_put_size(buf, count); ++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; ++ usb_ext_prop_put_size(buf, n); + usb_ext_prop_put_type(buf, ext_prop->type); + ret = usb_ext_prop_put_name(buf, ext_prop->name, + ext_prop->name_len); +@@ -1540,11 +1537,12 @@ static int fill_ext_prop(struct usb_conf + default: + return -EINVAL; + } +- buf += count; ++ buf += n; ++ count += n; + } + } + +- 
return 0; ++ return count; + } + + /* +@@ -1822,6 +1820,7 @@ unknown: + req->complete = composite_setup_complete; + buf = req->buf; + os_desc_cfg = cdev->os_desc_config; ++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ); + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { +@@ -1845,8 +1844,8 @@ unknown: + count += 16; /* header */ + put_unaligned_le32(count, buf); + buf += 16; +- fill_ext_compat(os_desc_cfg, buf); +- value = w_length; ++ value = fill_ext_compat(os_desc_cfg, buf); ++ value = min_t(u16, w_length, value); + } + break; + case USB_RECIP_INTERFACE: +@@ -1875,8 +1874,7 @@ unknown: + interface, buf); + if (value < 0) + return value; +- +- value = w_length; ++ value = min_t(u16, w_length, value); + } + break; + } +@@ -2151,8 +2149,8 @@ int composite_os_desc_req_prepare(struct + goto end; + } + +- /* OS feature descriptor length <= 4kB */ +- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); ++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ, ++ GFP_KERNEL); + if (!cdev->os_desc_req->buf) { + ret = -ENOMEM; + usb_ep_free_request(ep0, cdev->os_desc_req); +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -53,6 +53,9 @@ + /* big enough to hold our biggest descriptor */ + #define USB_COMP_EP0_BUFSIZ 1024 + ++/* OS feature descriptor length <= 4kB */ ++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 ++ + #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) + struct usb_configuration; + diff --git a/queue-4.9/usb-gadget-core-fix-use-after-free-of-usb_request.patch b/queue-4.9/usb-gadget-core-fix-use-after-free-of-usb_request.patch new file mode 100644 index 00000000000..eda571dd8c9 --- /dev/null +++ b/queue-4.9/usb-gadget-core-fix-use-after-free-of-usb_request.patch 
@@ -0,0 +1,32 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Manu Gautam
+Date: Thu, 21 Dec 2017 09:54:25 +0530
+Subject: usb: gadget: core: Fix use-after-free of usb_request
+
+From: Manu Gautam
+
+[ Upstream commit e74bd4d358e5455233f1dcc3975425905b270b91 ]
+
+Driver is tracing usb_request after freeing it.
+Fix it by changing the order.
+
+Signed-off-by: Manu Gautam
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/core.c
++++ b/drivers/usb/gadget/udc/core.c
+@@ -190,8 +190,8 @@ EXPORT_SYMBOL_GPL(usb_ep_alloc_request);
+ void usb_ep_free_request(struct usb_ep *ep,
+ struct usb_request *req)
+ {
+- ep->ops->free_request(ep, req);
+ trace_usb_ep_free_request(ep, req, 0);
++ ep->ops->free_request(ep, req);
+ }
+ EXPORT_SYMBOL_GPL(usb_ep_free_request);
+
diff --git a/queue-4.9/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch b/queue-4.9/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch
new file mode 100644
index 00000000000..130f8475a39
--- /dev/null
+++ b/queue-4.9/usb-gadget-f_uac2-fix-bfirstinterface-in-composite-gadget.patch
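Review bot: Nothing in usb_ep_free_request() records why the tracepoint has to run before the free, so a later cleanup could swap the two calls back and reintroduce the use-after-free. A one-line comment above the trace call would pin the ordering, for example `/* trace first: req must not be touched after ->free_request() */`.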
@@ -0,0 +1,34 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: John Keeping
+Date: Fri, 12 Jan 2018 18:43:32 +0000
+Subject: usb: gadget: f_uac2: fix bFirstInterface in composite gadget
+
+From: John Keeping
+
+[ Upstream commit 8813a59ed892305b5ac1b5b901740b1ad4b5fefa ]
+
+If there are multiple functions associated with a configuration, then
+the UAC2 interfaces may not start at zero. Set the correct first
+interface number in the association descriptor so that the audio
+interfaces are enumerated correctly in this case.
+
+Reviewed-by: Krzysztof Opasiak
+Signed-off-by: John Keeping
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_uac2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1040,6 +1040,8 @@ afunc_bind(struct usb_configuration *cfg
+ dev_err(dev, "%s:%d Error!\n", __func__, __LINE__);
+ return ret;
+ }
++ iad_desc.bFirstInterface = ret;
++
+ std_ac_if_desc.bInterfaceNumber = ret;
+ agdev->ac_intf = ret;
+ agdev->ac_alt = 0;
diff --git a/queue-4.9/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch b/queue-4.9/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
new file mode 100644
index 00000000000..f412e8fc3df
--- /dev/null
+++ b/queue-4.9/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch
@@ -0,0 +1,68 @@ +From foo@baz Thu May 24 11:23:00 CEST 2018 +From: Lars-Peter Clausen +Date: Fri, 12 Jan 2018 11:05:02 +0100 +Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set + +From: Lars-Peter Clausen + +[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ] + +When using a AIO read() operation on the function FS gadget driver a URB is +submitted asynchronously and on URB completion the received data is copied +to the userspace buffer associated with the read operation. + +This is done from a kernel worker thread invoking copy_to_user() (through +copy_to_iter()). And while the user space process memory is made available +to the kernel thread using use_mm(), some architecture require in addition +to this that the operation runs with USER_DS set. Otherwise the userspace +memory access will fail. + +For example on ARM64 with Privileged Access Never (PAN) and User Access +Override (UAO) enabled the following crash occurs. + + Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP + Modules linked in: + CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487 + Hardware name: ZynqMP ZCU102 Rev1.0 (DT) + Workqueue: events ffs_user_copy_worker + task: ffffffc87afc8080 task.stack: ffffffc87a00c000 + PC is at __arch_copy_to_user+0x190/0x220 + LR is at copy_to_iter+0x78/0x3c8 + [...] + [] __arch_copy_to_user+0x190/0x220 + [] ffs_user_copy_worker+0x70/0x130 + [] process_one_work+0x1dc/0x460 + [] worker_thread+0x50/0x4b0 + [] kthread+0xd8/0xf0 + [] ret_from_fork+0x10/0x50 + +Address this by placing a set_fs(USER_DS) before of the copy operation +and revert it again once the copy operation has finished. + +This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in +vhost_worker thread") which addresses the same underlying issue. 
+ +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -759,9 +759,13 @@ static void ffs_user_copy_worker(struct + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { ++ mm_segment_t oldfs = get_fs(); ++ ++ set_fs(USER_DS); + use_mm(io_data->mm); + ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); + unuse_mm(io_data->mm); ++ set_fs(oldfs); + } + + io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); diff --git a/queue-4.9/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch b/queue-4.9/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch new file mode 100644 index 00000000000..ff6502f2f3c --- /dev/null +++ b/queue-4.9/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch 
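Review bot: The `set_fs(USER_DS)` / `set_fs(oldfs)` pair added to ffs_user_copy_worker() changes the address limit of a workqueue thread, and the code carries no explanation of why. Address-limit changes are the kind of line reviewers look at twice, so the reason given in the description belongs next to it, for example `/* kworker context: user copies need USER_DS, see PAN/UAO on arm64 */` above `set_fs(USER_DS);`. The restore is correct only while nothing between the two calls can leave the block early, which holds for the lines shown; a note to that effect would help whoever extends the block. The function body continues outside the hunk.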
@@ -0,0 +1,53 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Lars-Peter Clausen
+Date: Fri, 12 Jan 2018 11:26:16 +0100
+Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
+
+From: Lars-Peter Clausen
+
+[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ]
+
+Some UDC drivers (like the DWC3) expect that the response to a setup()
+request is queued from within the setup function itself so that it is
+available as soon as setup() has completed.
+
+Upon receiving a setup request the function fs driver creates an event that
+is made available to userspace. And only once userspace has acknowledged
+that event the response to the setup request is queued.
+
+So it violates the requirement of those UDC drivers and random failures can
+be observed. This is basically a race condition and if userspace is able to
+read the event and queue the response fast enough all is good. But if it is
+not, for example because other processes are currently scheduled to run,
+the USB host that sent the setup request will observe an error.
+
+To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS
+return code. If a setup() callback returns this value the UDC driver is
+aware that response is not yet available and can uses the appropriate
+methods to handle this case.
+
+Since in the case of function fs the response will never be available when
+the setup() function returns make sure that this status code is used.
+
+This fixed random occasional failures that were previously observed on a
+DWC3 based system under high system load.
+
+Signed-off-by: Lars-Peter Clausen
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_fs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3239,7 +3239,7 @@ static int ffs_func_setup(struct usb_fun
+ __ffs_event_add(ffs, FUNCTIONFS_SETUP);
+ spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags);
+
+- return 0;
++ return USB_GADGET_DELAYED_STATUS;
+ }
+
+ static bool ffs_func_req_match(struct usb_function *f,
diff --git a/queue-4.9/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch b/queue-4.9/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch
new file mode 100644
index 00000000000..4523ce33663
--- /dev/null
+++ b/queue-4.9/usb-gadget-fsl_udc_core-fix-ep-valid-checks.patch
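Review bot: The new `return USB_GADGET_DELAYED_STATUS;` at the end of ffs_func_setup is unconditional, so it is also returned for setup requests that carry a data stage. As far as I know the composite layer supports a delayed status only for requests whose wLength is zero and warns otherwise, so I would return it only in that case: `return creq->wLength == 0 ? USB_GADGET_DELAYED_STATUS : 0;`. That assumes the control-request parameter is named `creq`; the signature is cut off in the hunk header and the function starts outside the hunk.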
@@ -0,0 +1,47 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Stefan Agner
+Date: Mon, 12 Feb 2018 00:14:42 +0100
+Subject: usb: gadget: fsl_udc_core: fix ep valid checks
+
+From: Stefan Agner
+
+[ Upstream commit 20c63f4089cceab803438c383631963e34c4d8e5 ]
+
+Clang reports the following warning:
+ drivers/usb/gadget/udc/fsl_udc_core.c:1312:10: warning: address of array
+ 'ep->name' will always evaluate to 'true' [-Wpointer-bool-conversion]
+ if (ep->name)
+ ~~ ~~~~^~~~
+
+It seems that the authors intention was to check if the ep has been
+configured through struct_ep_setup. Check whether struct usb_ep name
+pointer has been set instead.
+
+Signed-off-by: Stefan Agner
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/fsl_udc_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/udc/fsl_udc_core.c
++++ b/drivers/usb/gadget/udc/fsl_udc_core.c
+@@ -1310,7 +1310,7 @@ static void udc_reset_ep_queue(struct fs
+ {
+ struct fsl_ep *ep = get_ep_by_pipe(udc, pipe);
+
+- if (ep->name)
++ if (ep->ep.name)
+ nuke(ep, -ESHUTDOWN);
+ }
+
+@@ -1698,7 +1698,7 @@ static void dtd_complete_irq(struct fsl_
+ curr_ep = get_ep_by_pipe(udc, i);
+
+ /* If the ep is configured */
+- if (curr_ep->name == NULL) {
++ if (!curr_ep->ep.name) {
+ WARNING("Invalid EP?");
+ continue;
+ }
diff --git a/queue-4.9/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.9/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
new file mode 100644
index 00000000000..dfe7909594b
--- /dev/null
+++ b/queue-4.9/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch
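Review bot: In the dtd_complete_irq hunk the comment `/* If the ep is configured */` sits above the branch that handles the opposite case, and it does not say what `ep.name` stands for now that the test is meaningful. I would reword it to `/* Skip endpoints that were never set up: ep.name is only assigned during endpoint setup */`, which follows the commit message's reading of struct_ep_setup. The test in udc_reset_ep_queue deserves the same one-line comment, since both checks presumably rely on the fsl_ep storage being zero-initialised, which the hunks do not show. Both function bodies extend outside the hunks.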
@@ -0,0 +1,32 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Wolfram Sang
+Date: Tue, 6 Feb 2018 09:50:40 +0100
+Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask
+
+From: Wolfram Sang
+
+[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ]
+
+Due to a typo, the mask was destroyed by a comparison instead of a bit
+shift.
+
+Reported-by: Geert Uytterhoeven
+Signed-off-by: Wolfram Sang
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/goku_udc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/goku_udc.h
++++ b/drivers/usb/gadget/udc/goku_udc.h
+@@ -28,7 +28,7 @@ struct goku_udc_regs {
+ # define INT_EP1DATASET 0x00040
+ # define INT_EP2DATASET 0x00080
+ # define INT_EP3DATASET 0x00100
+-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */
++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */
+ # define INT_EP1NAK 0x00200
+ # define INT_EP2NAK 0x00400
+ # define INT_EP3NAK 0x00800
diff --git a/queue-4.9/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch b/queue-4.9/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch
new file mode 100644
index 00000000000..d3c3cc169a4
--- /dev/null
+++ b/queue-4.9/usb-ohci-fix-null-dereference-in-hcds-using-hcd_local_mem.patch
@@ -0,0 +1,65 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Fredrik Noring
+Date: Fri, 9 Mar 2018 18:34:34 +0100
+Subject: USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
+
+From: Fredrik Noring
+
+[ Upstream commit d6c931ea32dc08ac2665bb5f009f9c40ad1bbdb3 ]
+
+Scatter-gather needs to be disabled when using dma_declare_coherent_memory
+and HCD_LOCAL_MEM. Andrea Righi made the equivalent fix for EHCI drivers
+in commit 4307a28eb01284 "USB: EHCI: fix NULL pointer dererence in HCDs
+that use HCD_LOCAL_MEM".
+
+The following NULL pointer WARN_ON_ONCE triggered with OHCI drivers:
+
+------------[ cut here ]------------
+WARNING: CPU: 0 PID: 49 at drivers/usb/core/hcd.c:1379 hcd_alloc_coherent+0x4c/0xc8
+Modules linked in:
+CPU: 0 PID: 49 Comm: usb-storage Not tainted 4.15.0+ #1014
+Stack : 00000000 00000000 805a78d2 0000003a 81f5c2cc 8053d367 804d77fc 00000031
+ 805a3a08 00000563 81ee9400 805a0000 00000000 10058c00 81f61b10 805c0000
+ 00000000 00000000 805a0000 00d9038e 00000004 803ee818 00000006 312e3420
+ 805c0000 00000000 00000073 81f61958 00000000 00000000 802eb380 804fd538
+ 00000009 00000563 81ee9400 805a0000 00000002 80056148 00000000 805a0000
+ ...
+Call Trace:
+[<578af360>] show_stack+0x74/0x104
+[<2f3702c6>] __warn+0x118/0x120
+[] warn_slowpath_null+0x44/0x58
+[] hcd_alloc_coherent+0x4c/0xc8
+[<3578fa36>] usb_hcd_map_urb_for_dma+0x4d8/0x534
+[<110bc94c>] usb_hcd_submit_urb+0x82c/0x834
+[<02eb5baf>] usb_sg_wait+0x14c/0x1a0
+[] usb_stor_bulk_transfer_sglist.part.1+0xac/0x124
+[<87a5c34c>] usb_stor_bulk_srb+0x40/0x60
+[] usb_stor_Bulk_transport+0x160/0x37c
+[] usb_stor_invoke_transport+0x3c/0x500
+[<004754f4>] usb_stor_control_thread+0x258/0x28c
+[<22edf42e>] kthread+0x134/0x13c
+[] ret_from_kernel_thread+0x14/0x1c
+---[ end trace bcdb825805eefdcc ]---
+
+Signed-off-by: Fredrik Noring
+Acked-by: Alan Stern
+
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/ohci-hcd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -446,7 +446,8 @@ static int ohci_init (struct ohci_hcd *o
+ struct usb_hcd *hcd = ohci_to_hcd(ohci);
+
+ /* Accept arbitrarily long scatter-gather lists */
+- hcd->self.sg_tablesize = ~0;
++ if (!(hcd->driver->flags & HCD_LOCAL_MEM))
++ hcd->self.sg_tablesize = ~0;
+
+ if (distrust_firmware)
+ ohci->flags |= OHCI_QUIRK_HUB_POWER;
diff --git a/queue-4.9/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch b/queue-4.9/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
new file mode 100644
index 00000000000..441666b5a07
--- /dev/null
+++ b/queue-4.9/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch
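Review bot: The comment `/* Accept arbitrarily long scatter-gather lists */` in ohci_init now describes only one of the two outcomes, because the assignment below it became conditional on HCD_LOCAL_MEM. I would extend it to `/* Accept arbitrarily long scatter-gather lists, except with HCD_LOCAL_MEM, where scatter-gather must stay disabled */`, so the reason for the guard is in the code and not only in the commit message. ohci_init continues outside the hunk.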
@@ -0,0 +1,37 @@
+From foo@baz Thu May 24 11:23:00 CEST 2018
+From: Mathias Nyman
+Date: Fri, 16 Mar 2018 16:33:01 +0200
+Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot
+
+From: Mathias Nyman
+
+[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ]
+
+set udev->slot_id to zero when disabling and freeing the xhci slot.
+Prevents usb core from calling xhci with a stale slot id.
+
+xHC controller may be reset during resume to recover from some error.
+All slots are unusable as they are disabled and freed.
+xhci driver starts slot enumeration again from 1 in the order they are
+enabled. In the worst case a stale udev->slot_id for one device matches
+a newly enabled slot_id for a different device, causing us to
+perform a action on the wrong device.
+
+Signed-off-by: Mathias Nyman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/host/xhci-mem.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -975,6 +975,8 @@ void xhci_free_virt_device(struct xhci_h
+ if (dev->out_ctx)
+ xhci_free_container_ctx(xhci, dev->out_ctx);
+
++ if (dev->udev && dev->udev->slot_id)
++ dev->udev->slot_id = 0;
+ kfree(xhci->devs[slot_id]);
+ xhci->devs[slot_id] = NULL;
+ }
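Review bot: The added `if (dev->udev && dev->udev->slot_id)` in xhci_free_virt_device writes through `dev->udev`, and a non-NULL test does not show that the usb_device is still allocated at that point. Nothing in the hunk clears `dev->udev` when the usb_device is released, so if the virt device can be freed after it, this store would be a use-after-free write. Please confirm the lifetime, or clear `slot_id` in the callers that are known to hold a valid udev. Separately, the second half of the condition is redundant: `if (dev->udev) dev->udev->slot_id = 0;` is equivalent. The function starts outside the hunk.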