From: Greg Kroah-Hartman Date: Tue, 24 Oct 2017 08:04:06 +0000 (+0200) Subject: 4.13-stable patches X-Git-Tag: v3.18.78~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=709927c10d17eba0c52f1021542ee1226bc8bba1;p=thirdparty%2Fkernel%2Fstable-queue.git 4.13-stable patches added patches: alsa-hda-abort-capability-probe-at-invalid-register-read.patch alsa-hda-remove-superfluous-added-by-printk-conversion.patch alsa-seq-enable-use-locking-in-all-configurations.patch arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch brcmfmac-add-check-for-short-event-packets.patch brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch bus-mbus-fix-window-size-calculation-for-4gb-windows.patch clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch drm-nouveau-bsp-g92-disable-by-default.patch drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch ecryptfs-fix-dereference-of-null-user_key_payload.patch fs-cache-fix-dereference-of-null-user_key_payload.patch fscrypt-fix-dereference-of-null-user_key_payload.patch i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch keys-don-t-let-add_key-update-an-uninstantiated-key.patch keys-fix-race-between-updating-and-finding-a-negative-key.patch lib-digsig-fix-dereference-of-null-user_key_payload.patch media-cec-respond-to-unregistered-initiators-when-applicable.patch media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch media-s5p-cec-add-nack-detection-support.patch mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch revert-tools-power-turbostat-stop-migrating-unless-m.patch rtlwifi-rtl8821ae-fix-connection-lost-problem.patch tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch x86-microcode-intel-disable-late-loading-on-model-79.patch --- diff --git a/queue-4.13/alsa-hda-abort-capability-probe-at-invalid-register-read.patch b/queue-4.13/alsa-hda-abort-capability-probe-at-invalid-register-read.patch new file mode 100644 index 00000000000..aa9c0f179cd --- /dev/null +++ b/queue-4.13/alsa-hda-abort-capability-probe-at-invalid-register-read.patch @@ -0,0 +1,49 @@ +From 098a0a62c1554f5a3813ef1b8539563214ada8f6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 17 Oct 2017 16:38:55 +0200 +Subject: ALSA: hda: Abort capability probe at invalid register read + +From: Takashi Iwai + +commit 098a0a62c1554f5a3813ef1b8539563214ada8f6 upstream. + +The loop in snd_hdac_bus_parse_capabilities() may go to nirvana when +it hits an invalid register value read: + + BUG: unable to handle kernel paging request at ffffad5dc41f3fff + IP: pci_azx_readl+0x5/0x10 [snd_hda_intel] + Call Trace: + snd_hdac_bus_parse_capabilities+0x3c/0x1f0 [snd_hda_core] + azx_probe_continue+0x7d5/0x940 [snd_hda_intel] + ..... + +This happened on a new Intel machine, and we need to check the value +and abort the loop accordingly. + +[Note: the fixes tag below indicates only the commit where this patch + can be applied; the original problem was introduced even before that + commit] + +Fixes: 6720b38420a0 ("ALSA: hda - move bus_parse_capabilities to core") +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/hda/hdac_controller.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/hda/hdac_controller.c ++++ b/sound/hda/hdac_controller.c +@@ -284,6 +284,11 @@ int snd_hdac_bus_parse_capabilities(stru + dev_dbg(bus->dev, "HDA capability ID: 0x%x\n", + (cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF); + ++ if (cur_cap == -1) { ++ dev_dbg(bus->dev, "Invalid capability reg read\n"); ++ break; ++ } ++ + switch ((cur_cap & AZX_CAP_HDR_ID_MASK) >> AZX_CAP_HDR_ID_OFF) { + case AZX_ML_CAP_ID: + dev_dbg(bus->dev, "Found ML capability\n"); diff --git a/queue-4.13/alsa-hda-remove-superfluous-added-by-printk-conversion.patch b/queue-4.13/alsa-hda-remove-superfluous-added-by-printk-conversion.patch new file mode 100644 index 00000000000..202f587b5b5 --- /dev/null +++ b/queue-4.13/alsa-hda-remove-superfluous-added-by-printk-conversion.patch @@ -0,0 +1,35 @@ +From 6bf88a343db2b3c160edf9b82a74966b31cc80bd Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 17 Oct 2017 11:58:17 +0200 +Subject: ALSA: hda: Remove superfluous '-' added by printk conversion + +From: Takashi Iwai + +commit 6bf88a343db2b3c160edf9b82a74966b31cc80bd upstream. + +While converting the error messages to the standard macros in the +commit 4e76a8833fac ("ALSA: hda - Replace with standard printk"), a +superfluous '-' slipped in the code mistakenly. Its influence is +almost negligible, merely shows a dB value as negative integer instead +of positive integer (or vice versa) in the rare error message. +So let's kill this embarrassing byte to show more correct value. + +Fixes: 4e76a8833fac ("ALSA: hda - Replace with standard printk") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1824,7 +1824,7 @@ static int get_kctl_0dB_offset(struct hd + return -1; + if (*step_to_check && *step_to_check != step) { + codec_err(codec, "Mismatching dB step for vmaster slave (%d!=%d)\n", +-- *step_to_check, step); ++ *step_to_check, step); + return -1; + } + *step_to_check = step; diff --git a/queue-4.13/alsa-seq-enable-use-locking-in-all-configurations.patch b/queue-4.13/alsa-seq-enable-use-locking-in-all-configurations.patch new file mode 100644 index 00000000000..545f71fafb4 --- /dev/null +++ b/queue-4.13/alsa-seq-enable-use-locking-in-all-configurations.patch @@ -0,0 +1,66 @@ +From 8009d506a1dd00cf436b0c4cca0dcec130580a21 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Wed, 18 Oct 2017 00:45:49 +0100 +Subject: ALSA: seq: Enable 'use' locking in all configurations + +From: Ben Hutchings + +commit 8009d506a1dd00cf436b0c4cca0dcec130580a21 upstream. + +The 'use' locking macros are no-ops if neither SMP or SND_DEBUG is +enabled. This might once have been OK in non-preemptible +configurations, but even in that case snd_seq_read() may sleep while +relying on a 'use' lock. So always use the proper implementations. + +Signed-off-by: Ben Hutchings +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_lock.c | 4 ---- + sound/core/seq/seq_lock.h | 12 ------------ + 2 files changed, 16 deletions(-) + +--- a/sound/core/seq/seq_lock.c ++++ b/sound/core/seq/seq_lock.c +@@ -23,8 +23,6 @@ + #include + #include "seq_lock.h" + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + /* wait until all locks are released */ + void snd_use_lock_sync_helper(snd_use_lock_t *lockp, const char *file, int line) + { +@@ -41,5 +39,3 @@ void snd_use_lock_sync_helper(snd_use_lo + } + } + EXPORT_SYMBOL(snd_use_lock_sync_helper); +- +-#endif +--- a/sound/core/seq/seq_lock.h ++++ b/sound/core/seq/seq_lock.h +@@ -3,8 +3,6 @@ + + #include + +-#if defined(CONFIG_SMP) || defined(CONFIG_SND_DEBUG) +- + typedef atomic_t snd_use_lock_t; + + /* initialize lock */ +@@ -20,14 +18,4 @@ typedef atomic_t snd_use_lock_t; + void snd_use_lock_sync_helper(snd_use_lock_t *lock, const char *file, int line); + #define snd_use_lock_sync(lockp) snd_use_lock_sync_helper(lockp, __BASE_FILE__, __LINE__) + +-#else /* SMP || CONFIG_SND_DEBUG */ +- +-typedef spinlock_t snd_use_lock_t; /* dummy */ +-#define snd_use_lock_init(lockp) /**/ +-#define snd_use_lock_use(lockp) /**/ +-#define snd_use_lock_free(lockp) /**/ +-#define snd_use_lock_sync(lockp) /**/ +- +-#endif /* SMP || CONFIG_SND_DEBUG */ +- + #endif /* __SND_SEQ_LOCK_H */ diff --git a/queue-4.13/arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch b/queue-4.13/arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch new file mode 100644 index 00000000000..87176af5dae --- /dev/null +++ b/queue-4.13/arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch @@ -0,0 +1,71 @@ +From a231d2783c332ef3e3ba238e82dbe599ff41ba14 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Fri, 8 Sep 2017 15:50:09 +0800 +Subject: ARM: dts: sun6i: Fix endpoint IDs in second display pipeline + +From: Chen-Yu Tsai + +commit a231d2783c332ef3e3ba238e82dbe599ff41ba14 upstream. + +When the second display pipeline device nodes for the A31/A31s were +added, it was not known that the TCONs could (through either DRCs) +select either backend as their input. Thus in the endpoints connecting +these components together, the endpoint IDs were set to 0, while in +fact they should have been set to 1. + +Fixes: 9a26882a7378 ("ARM: dts: sun6i: Add second display pipeline device + nodes") +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun6i-a31.dtsi | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/arch/arm/boot/dts/sun6i-a31.dtsi ++++ b/arch/arm/boot/dts/sun6i-a31.dtsi +@@ -311,8 +311,8 @@ + #size-cells = <0>; + reg = <0>; + +- tcon1_in_drc1: endpoint@0 { +- reg = <0>; ++ tcon1_in_drc1: endpoint@1 { ++ reg = <1>; + remote-endpoint = <&drc1_out_tcon1>; + }; + }; +@@ -1012,8 +1012,8 @@ + #size-cells = <0>; + reg = <1>; + +- be1_out_drc1: endpoint@0 { +- reg = <0>; ++ be1_out_drc1: endpoint@1 { ++ reg = <1>; + remote-endpoint = <&drc1_in_be1>; + }; + }; +@@ -1042,8 +1042,8 @@ + #size-cells = <0>; + reg = <0>; + +- drc1_in_be1: endpoint@0 { +- reg = <0>; ++ drc1_in_be1: endpoint@1 { ++ reg = <1>; + remote-endpoint = <&be1_out_drc1>; + }; + }; +@@ -1053,8 +1053,8 @@ + #size-cells = <0>; + reg = <1>; + +- drc1_out_tcon1: endpoint@0 { +- reg = <0>; ++ drc1_out_tcon1: endpoint@1 { ++ reg = <1>; + remote-endpoint = <&tcon1_in_drc1>; + }; + }; diff --git a/queue-4.13/brcmfmac-add-check-for-short-event-packets.patch b/queue-4.13/brcmfmac-add-check-for-short-event-packets.patch new file mode 100644 index 00000000000..03deca4b7b9 --- /dev/null +++ b/queue-4.13/brcmfmac-add-check-for-short-event-packets.patch @@ -0,0 +1,37 @@ +From dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca Mon Sep 17 00:00:00 2001 +From: Kevin Cernekee +Date: Sat, 16 Sep 2017 21:08:24 -0700 +Subject: brcmfmac: Add check for short event packets + +From: Kevin Cernekee + +commit dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca upstream. + +The length of the data in the received skb is currently passed into +brcmf_fweh_process_event() as packet_len, but this value is not checked. +event_packet should be followed by DATALEN bytes of additional event +data. Ensure that the received packet actually contains at least +DATALEN bytes of additional data, to avoid copying uninitialized memory +into event->data. + +Suggested-by: Mattias Nissler +Signed-off-by: Kevin Cernekee +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c +@@ -429,7 +429,8 @@ void brcmf_fweh_process_event(struct brc + if (code != BRCMF_E_IF && !fweh->evt_handler[code]) + return; + +- if (datalen > BRCMF_DCMD_MAXLEN) ++ if (datalen > BRCMF_DCMD_MAXLEN || ++ datalen + sizeof(*event_packet) > packet_len) + return; + + if (in_interrupt()) diff --git a/queue-4.13/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch b/queue-4.13/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch new file mode 100644 index 00000000000..4753a0ae3a5 --- /dev/null +++ b/queue-4.13/brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch @@ -0,0 +1,431 @@ +From c503dd38f850be28867ef7a42d9abe5ade81a9bd Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 22 Sep 2017 23:29:12 +0200 +Subject: brcmsmac: make some local variables 'static const' to reduce stack size + +From: Arnd Bergmann + +commit c503dd38f850be28867ef7a42d9abe5ade81a9bd upstream. + +With KASAN and a couple of other patches applied, this driver is one +of the few remaining ones that actually use more than 2048 bytes of +kernel stack: + +broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl': +broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=] +broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy': +broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=] + +Here, I'm reducing the stack size by marking as many local variables as +'static const' as I can without changing the actual code. + +This is the first of three patches to improve the stack usage in this +driver. It would be good to have this backported to stabl kernels +to get all drivers in 'allmodconfig' below the 2048 byte limit so +we can turn on the frame warning again globally, but I realize that +the patch is larger than the normal limit for stable backports. + +The other two patches do not need to be backported. + +Acked-by: Arend van Spriel +Signed-off-by: Arnd Bergmann +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c | 197 +++++------ + 1 file changed, 97 insertions(+), 100 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_n.c +@@ -14764,8 +14764,8 @@ static void wlc_phy_ipa_restore_tx_digi_ + } + + static void +-wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, u8 *events, u8 *dlys, +- u8 len) ++wlc_phy_set_rfseq_nphy(struct brcms_phy *pi, u8 cmd, const u8 *events, ++ const u8 *dlys, u8 len) + { + u32 t1_offset, t2_offset; + u8 ctr; +@@ -15240,16 +15240,16 @@ static void wlc_phy_workarounds_nphy_gai + static void wlc_phy_workarounds_nphy_gainctrl_2057_rev6(struct brcms_phy *pi) + { + u16 currband; +- s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; +- s8 *lna1_gain_db = NULL; +- s8 *lna1_gain_db_2 = NULL; +- s8 *lna2_gain_db = NULL; +- s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; +- s8 *tia_gain_db; +- s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; +- s8 *tia_gainbits; +- u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; +- u16 *rfseq_init_gain; ++ static const s8 lna1G_gain_db_rev7[] = { 9, 14, 19, 24 }; ++ const s8 *lna1_gain_db = NULL; ++ const s8 *lna1_gain_db_2 = NULL; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaA_gain_db_rev7[] = { -9, -6, -3, 0, 3, 3, 3, 3, 3, 3 }; ++ const s8 *tia_gain_db; ++ static const s8 tiaA_gainbits_rev7[] = { 0, 1, 2, 3, 4, 4, 4, 4, 4, 4 }; ++ const s8 *tia_gainbits; ++ static const u16 rfseqA_init_gain_rev7[] = { 0x624f, 0x624f }; ++ const u16 *rfseq_init_gain; + u16 init_gaincode; + u16 clip1hi_gaincode; + u16 clip1md_gaincode = 0; +@@ -15310,10 +15310,9 @@ static void wlc_phy_workarounds_nphy_gai + + if ((freq <= 5080) || (freq == 5825)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 11, 17, 22, 25}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 16, 20, 24 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 11, 17, 22, 25}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x3e; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15321,10 +15320,9 @@ static void wlc_phy_workarounds_nphy_gai + lna2_gain_db = lna2A_gain_db_rev7; + } else if ((freq >= 5500) && (freq <= 5700)) { + +- s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; ++ static const s8 lna1A_gain_db_rev7[] = { 11, 17, 21, 25 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { 1, 8, 12, 16 }; + + crsminu_th = 0x45; + clip1md_gaincode_B = 0x14; +@@ -15335,10 +15333,9 @@ static void wlc_phy_workarounds_nphy_gai + lna2_gain_db = lna2A_gain_db_rev7; + } else { + +- s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; +- s8 lna1A_gain_db_2_rev7[] = { +- 12, 18, 22, 26}; +- s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; ++ static const s8 lna1A_gain_db_rev7[] = { 12, 18, 22, 26 }; ++ static const s8 lna1A_gain_db_2_rev7[] = { 12, 18, 22, 26}; ++ static const s8 lna2A_gain_db_rev7[] = { -1, 6, 10, 14 }; + + crsminu_th = 0x41; + lna1_gain_db = lna1A_gain_db_rev7; +@@ -15450,65 +15447,65 @@ static void wlc_phy_workarounds_nphy_gai + NPHY_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_RFSEQ_CMD_SET_HPF_BW + }; +- u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; +- s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; +- s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; +- s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; +- s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; +- s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; +- s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; +- s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; +- s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; +- s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; +- s8 *lna1_gain_db = NULL; +- s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; +- s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; +- s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; +- s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; +- s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; +- s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; +- s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; +- s8 *lna2_gain_db = NULL; +- s8 tiaG_gain_db[] = { ++ static const u8 rfseq_updategainu_dlys[] = { 10, 30, 1 }; ++ static const s8 lna1G_gain_db[] = { 7, 11, 16, 23 }; ++ static const s8 lna1G_gain_db_rev4[] = { 8, 12, 17, 25 }; ++ static const s8 lna1G_gain_db_rev5[] = { 9, 13, 18, 26 }; ++ static const s8 lna1G_gain_db_rev6[] = { 8, 13, 18, 25 }; ++ static const s8 lna1G_gain_db_rev6_224B0[] = { 10, 14, 19, 27 }; ++ static const s8 lna1A_gain_db[] = { 7, 11, 17, 23 }; ++ static const s8 lna1A_gain_db_rev4[] = { 8, 12, 18, 23 }; ++ static const s8 lna1A_gain_db_rev5[] = { 6, 10, 16, 21 }; ++ static const s8 lna1A_gain_db_rev6[] = { 6, 10, 16, 21 }; ++ const s8 *lna1_gain_db = NULL; ++ static const s8 lna2G_gain_db[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev5[] = { -3, 7, 11, 16 }; ++ static const s8 lna2G_gain_db_rev6[] = { -5, 6, 10, 14 }; ++ static const s8 lna2G_gain_db_rev6_224B0[] = { -5, 6, 10, 15 }; ++ static const s8 lna2A_gain_db[] = { -6, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev4[] = { -5, 2, 6, 10 }; ++ static const s8 lna2A_gain_db_rev5[] = { -7, 0, 4, 8 }; ++ static const s8 lna2A_gain_db_rev6[] = { -7, 0, 4, 8 }; ++ const s8 *lna2_gain_db = NULL; ++ static const s8 tiaG_gain_db[] = { + 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A, 0x0A }; +- s8 tiaA_gain_db[] = { ++ static const s8 tiaA_gain_db[] = { + 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13, 0x13 }; +- s8 tiaA_gain_db_rev4[] = { ++ static const s8 tiaA_gain_db_rev4[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev5[] = { ++ static const s8 tiaA_gain_db_rev5[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 tiaA_gain_db_rev6[] = { ++ static const s8 tiaA_gain_db_rev6[] = { + 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d, 0x0d }; +- s8 *tia_gain_db; +- s8 tiaG_gainbits[] = { ++ const s8 *tia_gain_db; ++ static const s8 tiaG_gainbits[] = { + 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03 }; +- s8 tiaA_gainbits[] = { ++ static const s8 tiaA_gainbits[] = { + 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06, 0x06 }; +- s8 tiaA_gainbits_rev4[] = { ++ static const s8 tiaA_gainbits_rev4[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev5[] = { ++ static const s8 tiaA_gainbits_rev5[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 tiaA_gainbits_rev6[] = { ++ static const s8 tiaA_gainbits_rev6[] = { + 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04 }; +- s8 *tia_gainbits; +- s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; +- s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; +- u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; +- u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev5_elna[] = { ++ const s8 *tia_gainbits; ++ static const s8 lpf_gain_db[] = { 0x00, 0x06, 0x0c, 0x12, 0x12, 0x12 }; ++ static const s8 lpf_gainbits[] = { 0x00, 0x01, 0x02, 0x03, 0x03, 0x03 }; ++ static const u16 rfseqG_init_gain[] = { 0x613f, 0x613f, 0x613f, 0x613f }; ++ static const u16 rfseqG_init_gain_rev4[] = { 0x513f, 0x513f, 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev5[] = { 0x413f, 0x413f, 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev5_elna[] = { + 0x013f, 0x013f, 0x013f, 0x013f }; +- u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; +- u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; +- u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; +- u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; +- u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; +- u16 rfseqA_init_gain_rev4_elna[] = { ++ static const u16 rfseqG_init_gain_rev6[] = { 0x513f, 0x513f }; ++ static const u16 rfseqG_init_gain_rev6_224B0[] = { 0x413f, 0x413f }; ++ static const u16 rfseqG_init_gain_rev6_elna[] = { 0x113f, 0x113f }; ++ static const u16 rfseqA_init_gain[] = { 0x516f, 0x516f, 0x516f, 0x516f }; ++ static const u16 rfseqA_init_gain_rev4[] = { 0x614f, 0x614f, 0x614f, 0x614f }; ++ static const u16 rfseqA_init_gain_rev4_elna[] = { + 0x314f, 0x314f, 0x314f, 0x314f }; +- u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; +- u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; +- u16 *rfseq_init_gain; ++ static const u16 rfseqA_init_gain_rev5[] = { 0x714f, 0x714f, 0x714f, 0x714f }; ++ static const u16 rfseqA_init_gain_rev6[] = { 0x714f, 0x714f }; ++ const u16 *rfseq_init_gain; + u16 initG_gaincode = 0x627e; + u16 initG_gaincode_rev4 = 0x527e; + u16 initG_gaincode_rev5 = 0x427e; +@@ -15538,10 +15535,10 @@ static void wlc_phy_workarounds_nphy_gai + u16 clip1mdA_gaincode_rev6 = 0x2084; + u16 clip1md_gaincode = 0; + u16 clip1loG_gaincode = 0x0074; +- u16 clip1loG_gaincode_rev5[] = { ++ static const u16 clip1loG_gaincode_rev5[] = { + 0x0062, 0x0064, 0x006a, 0x106a, 0x106c, 0x1074, 0x107c, 0x207c + }; +- u16 clip1loG_gaincode_rev6[] = { ++ static const u16 clip1loG_gaincode_rev6[] = { + 0x106a, 0x106c, 0x1074, 0x107c, 0x007e, 0x107e, 0x207e, 0x307e + }; + u16 clip1loG_gaincode_rev6_224B0 = 0x1074; +@@ -16066,7 +16063,7 @@ static void wlc_phy_workarounds_nphy_gai + + static void wlc_phy_workarounds_nphy(struct brcms_phy *pi) + { +- u8 rfseq_rx2tx_events[] = { ++ static const u8 rfseq_rx2tx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_TR_SWITCH, +@@ -16076,7 +16073,7 @@ static void wlc_phy_workarounds_nphy(str + NPHY_RFSEQ_CMD_EXT_PA + }; + u8 rfseq_rx2tx_dlys[] = { 8, 6, 6, 2, 4, 60, 1 }; +- u8 rfseq_tx2rx_events[] = { ++ static const u8 rfseq_tx2rx_events[] = { + NPHY_RFSEQ_CMD_NOP, + NPHY_RFSEQ_CMD_EXT_PA, + NPHY_RFSEQ_CMD_TX_GAIN, +@@ -16085,8 +16082,8 @@ static void wlc_phy_workarounds_nphy(str + NPHY_RFSEQ_CMD_RXG_FBW, + NPHY_RFSEQ_CMD_CLR_HIQ_DIS + }; +- u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; +- u8 rfseq_tx2rx_events_rev3[] = { ++ static const u8 rfseq_tx2rx_dlys[] = { 8, 6, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_EXT_PA, + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_TX_GAIN, +@@ -16096,7 +16093,7 @@ static void wlc_phy_workarounds_nphy(str + NPHY_REV3_RFSEQ_CMD_CLR_HIQ_DIS, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; ++ static const u8 rfseq_tx2rx_dlys_rev3[] = { 8, 4, 2, 2, 4, 4, 6, 1 }; + u8 rfseq_rx2tx_events_rev3[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, +@@ -16110,7 +16107,7 @@ static void wlc_phy_workarounds_nphy(str + }; + u8 rfseq_rx2tx_dlys_rev3[] = { 8, 6, 6, 4, 4, 18, 42, 1, 1 }; + +- u8 rfseq_rx2tx_events_rev3_ipa[] = { ++ static const u8 rfseq_rx2tx_events_rev3_ipa[] = { + NPHY_REV3_RFSEQ_CMD_NOP, + NPHY_REV3_RFSEQ_CMD_RXG_FBW, + NPHY_REV3_RFSEQ_CMD_TR_SWITCH, +@@ -16121,15 +16118,15 @@ static void wlc_phy_workarounds_nphy(str + NPHY_REV3_RFSEQ_CMD_INT_PA_PU, + NPHY_REV3_RFSEQ_CMD_END + }; +- u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; +- u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; ++ static const u8 rfseq_rx2tx_dlys_rev3_ipa[] = { 8, 6, 6, 4, 4, 16, 43, 1, 1 }; ++ static const u16 rfseq_rx2tx_dacbufpu_rev7[] = { 0x10f, 0x10f }; + + s16 alpha0, alpha1, alpha2; + s16 beta0, beta1, beta2; + u32 leg_data_weights, ht_data_weights, nss1_data_weights, + stbc_data_weights; + u8 chan_freq_range = 0; +- u16 dac_control = 0x0002; ++ static const u16 dac_control = 0x0002; + u16 aux_adc_vmid_rev7_core0[] = { 0x8e, 0x96, 0x96, 0x96 }; + u16 aux_adc_vmid_rev7_core1[] = { 0x8f, 0x9f, 0x9f, 0x96 }; + u16 aux_adc_vmid_rev4[] = { 0xa2, 0xb4, 0xb4, 0x89 }; +@@ -16139,8 +16136,8 @@ static void wlc_phy_workarounds_nphy(str + u16 aux_adc_gain_rev4[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 aux_adc_gain_rev3[] = { 0x02, 0x02, 0x02, 0x00 }; + u16 *aux_adc_gain; +- u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; +- u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; ++ static const u16 sk_adc_vmid[] = { 0xb4, 0xb4, 0xb4, 0x24 }; ++ static const u16 sk_adc_gain[] = { 0x02, 0x02, 0x02, 0x02 }; + s32 min_nvar_val = 0x18d; + s32 min_nvar_offset_6mbps = 20; + u8 pdetrange; +@@ -16151,9 +16148,9 @@ static void wlc_phy_workarounds_nphy(str + u16 rfseq_rx2tx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_tx2rx_lpf_h_hpc_rev7 = 0x77; + u16 rfseq_pktgn_lpf_h_hpc_rev7 = 0x77; +- u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; +- u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; +- u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_htpktgn_lpf_hpc_rev7[] = { 0x77, 0x11, 0x11 }; ++ static const u16 rfseq_pktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; ++ static const u16 rfseq_cckpktgn_lpf_hpc_rev7[] = { 0x11, 0x11 }; + u16 ipalvlshift_3p3_war_en = 0; + u16 rccal_bcap_val, rccal_scap_val; + u16 rccal_tx20_11b_bcap = 0; +@@ -24291,13 +24288,13 @@ static void wlc_phy_update_txcal_ladder_ + u16 bbmult; + u16 tblentry; + +- struct nphy_txiqcal_ladder ladder_lo[] = { ++ static const struct nphy_txiqcal_ladder ladder_lo[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {25, 1}, {25, 2}, {25, 3}, {25, 4}, {25, 5}, + {25, 6}, {25, 7}, {35, 7}, {50, 7}, {71, 7}, {100, 7} + }; + +- struct nphy_txiqcal_ladder ladder_iq[] = { ++ static const struct nphy_txiqcal_ladder ladder_iq[] = { + {3, 0}, {4, 0}, {6, 0}, {9, 0}, {13, 0}, {18, 0}, + {25, 0}, {35, 0}, {50, 0}, {71, 0}, {100, 0}, {100, 1}, + {100, 2}, {100, 3}, {100, 4}, {100, 5}, {100, 6}, {100, 7} +@@ -25773,67 +25770,67 @@ wlc_phy_cal_txiqlo_nphy(struct brcms_phy + u16 cal_gain[2]; + struct nphy_iqcal_params cal_params[2]; + u32 tbl_len; +- void *tbl_ptr; ++ const void *tbl_ptr; + bool ladder_updated[2]; + u8 mphase_cal_lastphase = 0; + int bcmerror = 0; + bool phyhang_avoid_state = false; + +- u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_20[] = { + 0x0300, 0x0500, 0x0700, 0x0900, 0x0d00, 0x1100, 0x1900, 0x1901, + 0x1902, + 0x1903, 0x1904, 0x1905, 0x1906, 0x1907, 0x2407, 0x3207, 0x4607, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_20[] = { + 0x0200, 0x0300, 0x0600, 0x0900, 0x0d00, 0x1100, 0x1900, 0x2400, + 0x3200, + 0x4600, 0x6400, 0x6401, 0x6402, 0x6403, 0x6404, 0x6405, 0x6406, + 0x6407 + }; + +- u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_loft_ladder_40[] = { + 0x0200, 0x0300, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1201, + 0x1202, + 0x1203, 0x1204, 0x1205, 0x1206, 0x1207, 0x1907, 0x2307, 0x3207, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { ++ static const u16 tbl_tx_iqlo_cal_iqimb_ladder_40[] = { + 0x0100, 0x0200, 0x0400, 0x0700, 0x0900, 0x0c00, 0x1200, 0x1900, + 0x2300, + 0x3200, 0x4700, 0x4701, 0x4702, 0x4703, 0x4704, 0x4705, 0x4706, + 0x4707 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal[] = { + 0x8123, 0x8264, 0x8086, 0x8245, 0x8056, + 0x9123, 0x9264, 0x9086, 0x9245, 0x9056 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal[] = { + 0x8101, 0x8253, 0x8053, 0x8234, 0x8034, + 0x9101, 0x9253, 0x9053, 0x9234, 0x9034 + }; + +- u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_startcoefs_nphyrev3[] = { + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, + 0x0000 + }; + +- u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_fullcal_nphyrev3[] = { + 0x8434, 0x8334, 0x8084, 0x8267, 0x8056, 0x8234, + 0x9434, 0x9334, 0x9084, 0x9267, 0x9056, 0x9234 + }; + +- u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { ++ static const u16 tbl_tx_iqlo_cal_cmds_recal_nphyrev3[] = { + 0x8423, 0x8323, 0x8073, 0x8256, 0x8045, 0x8223, + 0x9423, 0x9323, 0x9073, 0x9256, 0x9045, 0x9223 + }; diff --git a/queue-4.13/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch b/queue-4.13/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch new file mode 100644 index 00000000000..db5fde5dc4b --- /dev/null +++ b/queue-4.13/bus-mbus-fix-window-size-calculation-for-4gb-windows.patch @@ -0,0 +1,58 @@ +From 2bbbd96357ce76cc45ec722c00f654aa7b189112 Mon Sep 17 00:00:00 2001 +From: Jan Luebbe +Date: Mon, 28 Aug 2017 17:25:16 +0200 +Subject: bus: mbus: fix window size calculation for 4GB windows + +From: Jan Luebbe + +commit 2bbbd96357ce76cc45ec722c00f654aa7b189112 upstream. + +At least the Armada XP SoC supports 4GB on a single DRAM window. Because +the size register values contain the actual size - 1, the MSB is set in +that case. For example, the SDRAM window's control register's value is +0xffffffe1 for 4GB (bits 31 to 24 contain the size). + +The MBUS driver reads back each window's size from registers and +calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which +overflows for 32 bit values, resulting in other miscalculations further +on (a bad RAM window for the CESA crypto engine calculated by +mvebu_mbus_setup_cpu_target_nooverlap() in my case). + +This patch changes the type in 'struct mbus_dram_window' from u32 to +u64, which allows us to keep using the same register calculation code in +most MBUS-using drivers (which calculate ->size - 1 again). + +Fixes: fddddb52a6c4 ("bus: introduce an Marvell EBU MBus driver") +Signed-off-by: Jan Luebbe +Signed-off-by: Gregory CLEMENT +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bus/mvebu-mbus.c | 2 +- + include/linux/mbus.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/bus/mvebu-mbus.c ++++ b/drivers/bus/mvebu-mbus.c +@@ -720,7 +720,7 @@ mvebu_mbus_default_setup_cpu_target(stru + if (mbus->hw_io_coherency) + w->mbus_attr |= ATTR_HW_COHERENCY; + w->base = base & DDR_BASE_CS_LOW_MASK; +- w->size = (size | ~DDR_SIZE_MASK) + 1; ++ w->size = (u64)(size | ~DDR_SIZE_MASK) + 1; + } + } + mvebu_mbus_dram_info.num_cs = cs; +--- a/include/linux/mbus.h ++++ b/include/linux/mbus.h +@@ -31,8 +31,8 @@ struct mbus_dram_target_info + struct mbus_dram_window { + u8 cs_index; + u8 mbus_attr; +- u32 base; +- u32 size; ++ u64 base; ++ u64 size; + } cs[4]; + }; + diff --git a/queue-4.13/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch b/queue-4.13/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch new file mode 100644 index 00000000000..7293eb2631a --- /dev/null +++ b/queue-4.13/clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch @@ -0,0 +1,45 @@ +From eb39a7c0355393c5a8d930f342ad7a6231b552c4 Mon Sep 17 00:00:00 2001 +From: David Kozub +Date: Thu, 19 Oct 2017 22:57:02 +0200 +Subject: clockevents/drivers/cs5535: Improve resilience to spurious interrupts + +From: David Kozub + +commit eb39a7c0355393c5a8d930f342ad7a6231b552c4 upstream. + +The interrupt handler mfgpt_tick() is not robust versus spurious interrupts +which happen before the clock event device is registered and fully +initialized. + +The reason is that the safe guard against spurious interrupts solely checks +for the clockevents shutdown state, but lacks a check for detached +state. If the interrupt hits while the device is in detached state it +passes the safe guard and dereferences the event handler call back which is +NULL. + +Add the missing state check. + +Fixes: 8f9327cbb6e8 ("clockevents/drivers/cs5535: Migrate to new 'set-state' interface") +Suggested-by: Thomas Gleixner +Signed-off-by: David Kozub +Signed-off-by: Thomas Gleixner +Cc: Daniel Lezcano +Link: https://lkml.kernel.org/r/20171020093103.3317F6004D@linux.fjfi.cvut.cz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clocksource/cs5535-clockevt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/clocksource/cs5535-clockevt.c ++++ b/drivers/clocksource/cs5535-clockevt.c +@@ -117,7 +117,8 @@ static irqreturn_t mfgpt_tick(int irq, v + /* Turn off the clock (and clear the event) */ + disable_timer(cs5535_event_clock); + +- if (clockevent_state_shutdown(&cs5535_clockevent)) ++ if (clockevent_state_detached(&cs5535_clockevent) || ++ clockevent_state_shutdown(&cs5535_clockevent)) + return IRQ_HANDLED; + + /* Clear the counter */ diff --git a/queue-4.13/drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch b/queue-4.13/drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch new file mode 100644 index 00000000000..7d5517b1b97 --- /dev/null +++ b/queue-4.13/drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch @@ -0,0 +1,48 @@ +From fbe776cc3a753618877f7ce87a28ae3480743348 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 13 Oct 2017 16:47:35 +0100 +Subject: drm/i915: Use bdw_ddi_translations_fdi for Broadwell +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Chris Wilson + +commit fbe776cc3a753618877f7ce87a28ae3480743348 upstream. + +The compiler warns: + + drivers/gpu/drm/i915/intel_ddi.c:118:35: warning: ‘bdw_ddi_translations_fdi’ defined but not used + +Lo and behold, if we look at intel_ddi_get_buf_trans_fdi(), it uses +hsw_ddi_translations_fdi[] for both Haswell and *Broadwell* + +Fixes: 7d1c42e679f9 ("drm/i915: Refactor code to select the DDI buf translation table") +Signed-off-by: Chris Wilson +Cc: Ville Syrjälä +Cc: David Weinehall +Cc: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/20171013154735.27163-1-chris@chris-wilson.co.uk +Reviewed-by: Jani Nikula +Reviewed-by: Ville Syrjälä +(cherry picked from commit 1210d3889077653b90b0bfd2cc54e19f4766e4e6) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_ddi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -664,8 +664,8 @@ intel_ddi_get_buf_trans_fdi(struct drm_i + int *n_entries) + { + if (IS_BROADWELL(dev_priv)) { +- *n_entries = ARRAY_SIZE(hsw_ddi_translations_fdi); +- return hsw_ddi_translations_fdi; ++ *n_entries = ARRAY_SIZE(bdw_ddi_translations_fdi); ++ return bdw_ddi_translations_fdi; + } else if (IS_HASWELL(dev_priv)) { + *n_entries = ARRAY_SIZE(hsw_ddi_translations_fdi); + return hsw_ddi_translations_fdi; diff --git a/queue-4.13/drm-nouveau-bsp-g92-disable-by-default.patch b/queue-4.13/drm-nouveau-bsp-g92-disable-by-default.patch new file mode 100644 index 00000000000..bc6dea2079a --- /dev/null +++ b/queue-4.13/drm-nouveau-bsp-g92-disable-by-default.patch @@ -0,0 +1,35 @@ +From 194d68dd051c2dd5ac2b522ae16100e774e8d869 Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Sun, 1 Oct 2017 13:52:43 -0400 +Subject: drm/nouveau/bsp/g92: disable by default + +From: Ilia Mirkin + +commit 194d68dd051c2dd5ac2b522ae16100e774e8d869 upstream. + +G92's seem to require some additional bit of initialization before the +BSP engine can work. It feels like clocks are not set up for the +underlying VLD engine, which means that all commands submitted to the +xtensa chip end up hanging. VP seems to work fine though. + +This still allows people to force-enable the bsp engine if they want to +play around with it, but makes it harder for the card to hang by +default. + +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c ++++ b/drivers/gpu/drm/nouveau/nvkm/engine/bsp/g84.c +@@ -39,5 +39,5 @@ int + g84_bsp_new(struct nvkm_device *device, int index, struct nvkm_engine **pengine) + { + return nvkm_xtensa_new_(&g84_bsp, device, index, +- true, 0x103000, pengine); ++ device->chipset != 0x92, 0x103000, pengine); + } diff --git a/queue-4.13/drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch b/queue-4.13/drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch new file mode 100644 index 00000000000..d5c83147e9f --- /dev/null +++ b/queue-4.13/drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch @@ -0,0 +1,35 @@ +From 227f66d2f9954f68375736af62ebcd73c6754d69 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Tue, 3 Oct 2017 16:24:28 +1000 +Subject: drm/nouveau/kms/nv50: fix oops during DP IRQ handling on non-MST boards + +From: Ben Skeggs + +commit 227f66d2f9954f68375736af62ebcd73c6754d69 upstream. + +Reported-by: Woody Suwalski +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nv50_display.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/nouveau/nv50_display.c ++++ b/drivers/gpu/drm/nouveau/nv50_display.c +@@ -3281,11 +3281,14 @@ nv50_mstm = { + void + nv50_mstm_service(struct nv50_mstm *mstm) + { +- struct drm_dp_aux *aux = mstm->mgr.aux; ++ struct drm_dp_aux *aux = mstm ? mstm->mgr.aux : NULL; + bool handled = true; + int ret; + u8 esi[8] = {}; + ++ if (!aux) ++ return; ++ + while (handled) { + ret = drm_dp_dpcd_read(aux, DP_SINK_COUNT_ESI, esi, 8); + if (ret != 8) { diff --git a/queue-4.13/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch b/queue-4.13/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch new file mode 100644 index 00000000000..a3187dbfeac --- /dev/null +++ b/queue-4.13/drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch @@ -0,0 +1,33 @@ +From 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 Mon Sep 17 00:00:00 2001 +From: Ben Skeggs +Date: Mon, 25 Sep 2017 15:05:38 +1000 +Subject: drm/nouveau/mmu: flush tlbs before deleting page tables + +From: Ben Skeggs + +commit 77913bbcb43ac9a07a6fe849c2fd3bf85fc8bdd8 upstream. + +Even though we've zeroed the PDE, the GPU may have cached the PD, so we +need to flush when deleting them. + +Noticed while working on replacement MMU code, but a backport might be a +good idea, so let's fix it in the current code too. + +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c ++++ b/drivers/gpu/drm/nouveau/nvkm/subdev/mmu/base.c +@@ -241,6 +241,8 @@ nvkm_vm_unmap_pgt(struct nvkm_vm *vm, in + mmu->func->map_pgt(vpgd->obj, pde, vpgt->mem); + } + ++ mmu->func->flush(vm); ++ + nvkm_memory_del(&pgt); + } + } diff --git a/queue-4.13/ecryptfs-fix-dereference-of-null-user_key_payload.patch b/queue-4.13/ecryptfs-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..78795f29a41 --- /dev/null +++ b/queue-4.13/ecryptfs-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,105 @@ +From f66665c09ab489a11ca490d6a82df57cfc1bea3e Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:51:27 -0700 +Subject: ecryptfs: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit f66665c09ab489a11ca490d6a82df57cfc1bea3e upstream. + +In eCryptfs, we failed to verify that the authentication token keys are +not revoked before dereferencing their payloads, which is problematic +because the payload of a revoked key is NULL. request_key() *does* skip +revoked keys, but there is still a window where the key can be revoked +before we acquire the key semaphore. + +Fix it by updating ecryptfs_get_key_payload_data() to return +-EKEYREVOKED if the key payload is NULL. For completeness we check this +for "encrypted" keys as well as "user" keys, although encrypted keys +cannot be revoked currently. + +Alternatively we could use key_validate(), but since we'll also need to +fix ecryptfs_get_key_payload_data() to validate the payload length, it +seems appropriate to just check the payload pointer. + +Fixes: 237fead61998 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig") +Reviewed-by: James Morris +Cc: Michael Halcrow +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/ecryptfs_kernel.h | 24 +++++++++++++++++------- + fs/ecryptfs/keystore.c | 9 ++++++++- + 2 files changed, 25 insertions(+), 8 deletions(-) + +--- a/fs/ecryptfs/ecryptfs_kernel.h ++++ b/fs/ecryptfs/ecryptfs_kernel.h +@@ -84,11 +84,16 @@ struct ecryptfs_page_crypt_context { + static inline struct ecryptfs_auth_tok * + ecryptfs_get_encrypted_key_payload_data(struct key *key) + { +- if (key->type == &key_type_encrypted) +- return (struct ecryptfs_auth_tok *) +- (&((struct encrypted_key_payload *)key->payload.data[0])->payload_data); +- else ++ struct encrypted_key_payload *payload; ++ ++ if (key->type != &key_type_encrypted) + return NULL; ++ ++ payload = key->payload.data[0]; ++ if (!payload) ++ return ERR_PTR(-EKEYREVOKED); ++ ++ return (struct ecryptfs_auth_tok *)payload->payload_data; + } + + static inline struct key *ecryptfs_get_encrypted_key(char *sig) +@@ -114,12 +119,17 @@ static inline struct ecryptfs_auth_tok * + ecryptfs_get_key_payload_data(struct key *key) + { + struct ecryptfs_auth_tok *auth_tok; ++ struct user_key_payload *ukp; + + auth_tok = ecryptfs_get_encrypted_key_payload_data(key); +- if (!auth_tok) +- return (struct ecryptfs_auth_tok *)user_key_payload_locked(key)->data; +- else ++ if (auth_tok) + return auth_tok; ++ ++ ukp = user_key_payload_locked(key); ++ if (!ukp) ++ return ERR_PTR(-EKEYREVOKED); ++ ++ return (struct ecryptfs_auth_tok *)ukp->data; + } + + #define ECRYPTFS_MAX_KEYSET_SIZE 1024 +--- a/fs/ecryptfs/keystore.c ++++ b/fs/ecryptfs/keystore.c +@@ -459,7 +459,8 @@ out: + * @auth_tok_key: key containing the authentication token + * @auth_tok: authentication token + * +- * Returns zero on valid auth tok; -EINVAL otherwise ++ * Returns zero on valid auth tok; -EINVAL if the payload is invalid; or ++ * -EKEYREVOKED if the key was revoked before we acquired its semaphore. + */ + static int + ecryptfs_verify_auth_tok_from_key(struct key *auth_tok_key, +@@ -468,6 +469,12 @@ ecryptfs_verify_auth_tok_from_key(struct + int rc = 0; + + (*auth_tok) = ecryptfs_get_key_payload_data(auth_tok_key); ++ if (IS_ERR(*auth_tok)) { ++ rc = PTR_ERR(*auth_tok); ++ *auth_tok = NULL; ++ goto out; ++ } ++ + if (ecryptfs_verify_version((*auth_tok)->version)) { + printk(KERN_ERR "Data structure version mismatch. Userspace " + "tools must match eCryptfs kernel module with major " diff --git a/queue-4.13/fs-cache-fix-dereference-of-null-user_key_payload.patch b/queue-4.13/fs-cache-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..5d44c8631ae --- /dev/null +++ b/queue-4.13/fs-cache-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,45 @@ +From d124b2c53c7bee6569d2a2d0b18b4a1afde00134 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:40:00 -0700 +Subject: FS-Cache: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream. + +When the file /proc/fs/fscache/objects (available with +CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with +description "fscache:objlist", then access its payload. However, a +revoked key has a NULL payload, and we failed to check for this. +request_key() *does* skip revoked keys, but there is still a window +where the key can be revoked before we access its payload. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped") +Reviewed-by: James Morris +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fscache/object-list.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/fscache/object-list.c ++++ b/fs/fscache/object-list.c +@@ -330,6 +330,13 @@ static void fscache_objlist_config(struc + rcu_read_lock(); + + confkey = user_key_payload_rcu(key); ++ if (!confkey) { ++ /* key was revoked */ ++ rcu_read_unlock(); ++ key_put(key); ++ goto no_config; ++ } ++ + buf = confkey->data; + + for (len = confkey->datalen - 1; len >= 0; len--) { diff --git a/queue-4.13/fscrypt-fix-dereference-of-null-user_key_payload.patch b/queue-4.13/fscrypt-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..23938e23b5a --- /dev/null +++ b/queue-4.13/fscrypt-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,42 @@ +From d60b5b7854c3d135b869f74fb93eaf63cbb1991a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:46:18 -0700 +Subject: fscrypt: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit d60b5b7854c3d135b869f74fb93eaf63cbb1991a upstream. + +When an fscrypt-encrypted file is opened, we request the file's master +key from the keyrings service as a logon key, then access its payload. +However, a revoked key has a NULL payload, and we failed to check for +this. request_key() *does* skip revoked keys, but there is still a +window where the key can be revoked before we acquire its semaphore. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +Fixes: 88bd6ccdcdd6 ("ext4 crypto: add encryption key management facilities") +Reviewed-by: James Morris +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + fs/crypto/keyinfo.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/crypto/keyinfo.c ++++ b/fs/crypto/keyinfo.c +@@ -109,6 +109,11 @@ static int validate_user_key(struct fscr + goto out; + } + ukp = user_key_payload_locked(keyring_key); ++ if (!ukp) { ++ /* key was revoked before we acquired its semaphore */ ++ res = -EKEYREVOKED; ++ goto out; ++ } + if (ukp->datalen != sizeof(struct fscrypt_key)) { + res = -EINVAL; + goto out; diff --git a/queue-4.13/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch b/queue-4.13/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch new file mode 100644 index 00000000000..6858db53596 --- /dev/null +++ b/queue-4.13/i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch @@ -0,0 +1,58 @@ +From c6ebcedbab7ca78984959386012a17b21183e1a3 Mon Sep 17 00:00:00 2001 +From: Pontus Andersson +Date: Mon, 2 Oct 2017 14:45:19 +0200 +Subject: i2c: ismt: Separate I2C block read from SMBus block read + +From: Pontus Andersson + +commit c6ebcedbab7ca78984959386012a17b21183e1a3 upstream. + +Commit b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for +block reads") broke I2C block reads. It aimed to fix normal SMBus block +read, but changed the correct behavior of I2C block read in the process. + +According to Documentation/i2c/smbus-protocol, one vital difference +between normal SMBus block read and I2C block read is that there is no +byte count prefixed in the data sent on the wire: + + SMBus Block Read: i2c_smbus_read_block_data() + S Addr Wr [A] Comm [A] + S Addr Rd [A] [Count] A [Data] A [Data] A ... A [Data] NA P + + I2C Block Read: i2c_smbus_read_i2c_block_data() + S Addr Wr [A] Comm [A] + S Addr Rd [A] [Data] A [Data] A ... A [Data] NA P + +Therefore the two transaction types need to be processed differently in +the driver by copying of the dma_buffer as done previously for the +I2C_SMBUS_I2C_BLOCK_DATA case. + +Fixes: b6c159a9cb69 ("i2c: ismt: Don't duplicate the receive length for block reads") +Signed-off-by: Pontus Andersson +Tested-by: Stephen Douthit +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-ismt.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -340,12 +340,15 @@ static int ismt_process_desc(const struc + data->word = dma_buffer[0] | (dma_buffer[1] << 8); + break; + case I2C_SMBUS_BLOCK_DATA: +- case I2C_SMBUS_I2C_BLOCK_DATA: + if (desc->rxbytes != dma_buffer[0] + 1) + return -EMSGSIZE; + + memcpy(data->block, dma_buffer, desc->rxbytes); + break; ++ case I2C_SMBUS_I2C_BLOCK_DATA: ++ memcpy(&data->block[1], dma_buffer, desc->rxbytes); ++ data->block[0] = desc->rxbytes; ++ break; + } + return 0; + } diff --git a/queue-4.13/i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch b/queue-4.13/i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch new file mode 100644 index 00000000000..43a84034d97 --- /dev/null +++ b/queue-4.13/i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch @@ -0,0 +1,105 @@ +From 0fe16195f89173652cf111d7b384941b00c5aabd Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Sat, 15 Jul 2017 16:51:26 -0700 +Subject: i2c: piix4: Fix SMBus port selection for AMD Family 17h chips +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Guenter Roeck + +commit 0fe16195f89173652cf111d7b384941b00c5aabd upstream. + +AMD Family 17h uses the KERNCZ SMBus controller. While its documentation +is not publicly available, it is documented in the BIOS and Kernel +Developer’s Guide for AMD Family 15h Models 60h-6Fh Processors. + +On this SMBus controller, the port select register is at PMx register +0x02, bit 4:3 (PMx00 register bit 20:19). + +Without this patch, the 4 SMBus channels on AMD Family 17h chips are +mirrored and report the same chips on all channels. + +Signed-off-by: Guenter Roeck +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-piix4.c | 30 ++++++++++++++++++++++++++---- + 1 file changed, 26 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-piix4.c ++++ b/drivers/i2c/busses/i2c-piix4.c +@@ -94,6 +94,12 @@ + #define SB800_PIIX4_PORT_IDX_ALT 0x2e + #define SB800_PIIX4_PORT_IDX_SEL 0x2f + #define SB800_PIIX4_PORT_IDX_MASK 0x06 ++#define SB800_PIIX4_PORT_IDX_SHIFT 1 ++ ++/* On kerncz, SmBus0Sel is at bit 20:19 of PMx00 DecodeEn */ ++#define SB800_PIIX4_PORT_IDX_KERNCZ 0x02 ++#define SB800_PIIX4_PORT_IDX_MASK_KERNCZ 0x18 ++#define SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ 3 + + /* insmod parameters */ + +@@ -149,6 +155,8 @@ static const struct dmi_system_id piix4_ + */ + static DEFINE_MUTEX(piix4_mutex_sb800); + static u8 piix4_port_sel_sb800; ++static u8 piix4_port_mask_sb800; ++static u8 piix4_port_shift_sb800; + static const char *piix4_main_port_names_sb800[PIIX4_MAX_ADAPTERS] = { + " port 0", " port 2", " port 3", " port 4" + }; +@@ -347,7 +355,19 @@ static int piix4_setup_sb800(struct pci_ + + /* Find which register is used for port selection */ + if (PIIX4_dev->vendor == PCI_VENDOR_ID_AMD) { +- piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT; ++ switch (PIIX4_dev->device) { ++ case PCI_DEVICE_ID_AMD_KERNCZ_SMBUS: ++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_KERNCZ; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK_KERNCZ; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT_KERNCZ; ++ break; ++ case PCI_DEVICE_ID_AMD_HUDSON2_SMBUS: ++ default: ++ piix4_port_sel_sb800 = SB800_PIIX4_PORT_IDX_ALT; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT; ++ break; ++ } + } else { + mutex_lock(&piix4_mutex_sb800); + outb_p(SB800_PIIX4_PORT_IDX_SEL, SB800_PIIX4_SMB_IDX); +@@ -355,6 +375,8 @@ static int piix4_setup_sb800(struct pci_ + piix4_port_sel_sb800 = (port_sel & 0x01) ? + SB800_PIIX4_PORT_IDX_ALT : + SB800_PIIX4_PORT_IDX; ++ piix4_port_mask_sb800 = SB800_PIIX4_PORT_IDX_MASK; ++ piix4_port_shift_sb800 = SB800_PIIX4_PORT_IDX_SHIFT; + mutex_unlock(&piix4_mutex_sb800); + } + +@@ -616,8 +638,8 @@ static s32 piix4_access_sb800(struct i2c + smba_en_lo = inb_p(SB800_PIIX4_SMB_IDX + 1); + + port = adapdata->port; +- if ((smba_en_lo & SB800_PIIX4_PORT_IDX_MASK) != port) +- outb_p((smba_en_lo & ~SB800_PIIX4_PORT_IDX_MASK) | port, ++ if ((smba_en_lo & piix4_port_mask_sb800) != port) ++ outb_p((smba_en_lo & ~piix4_port_mask_sb800) | port, + SB800_PIIX4_SMB_IDX + 1); + + retval = piix4_access(adap, addr, flags, read_write, +@@ -706,7 +728,7 @@ static int piix4_add_adapter(struct pci_ + + adapdata->smba = smba; + adapdata->sb800_main = sb800_main; +- adapdata->port = port << 1; ++ adapdata->port = port << piix4_port_shift_sb800; + + /* set up the sysfs linkage to our parent device */ + adap->dev.parent = &dev->dev; diff --git a/queue-4.13/input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch b/queue-4.13/input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch new file mode 100644 index 00000000000..e5a3f345400 --- /dev/null +++ b/queue-4.13/input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch @@ -0,0 +1,43 @@ +From c9bfb2f0031a2de664147ebbfb90f95bb12fdf79 Mon Sep 17 00:00:00 2001 +From: Chanwoo Choi +Date: Wed, 18 Oct 2017 17:28:36 -0700 +Subject: Input: stmfts - fix setting ABS_MT_POSITION_* maximum size + +From: Chanwoo Choi + +commit c9bfb2f0031a2de664147ebbfb90f95bb12fdf79 upstream. + +The commit 78bcac7b2ae1e ("Input: add support for the STMicroelectronics +FingerTip touchscreen) used the 'touchscreen_parse_properties()' helper +function in order to get the value of common properties. + +But, commit 78bcac7b2ae1e didn't set the capability of ABS_MT_POSITION_* +before calling touchscreen_parse_properties(). In result, the max_x and +max_y of 'struct touchscreen_properties' were not set. + +Fixes: 78bcac7b2ae1e ("Input: add support for the STMicroelectronics FingerTip touchscreen") +Signed-off-by: Chanwoo Choi +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/stmfts.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/input/touchscreen/stmfts.c ++++ b/drivers/input/touchscreen/stmfts.c +@@ -663,12 +663,10 @@ static int stmfts_probe(struct i2c_clien + sdata->input->open = stmfts_input_open; + sdata->input->close = stmfts_input_close; + ++ input_set_capability(sdata->input, EV_ABS, ABS_MT_POSITION_X); ++ input_set_capability(sdata->input, EV_ABS, ABS_MT_POSITION_Y); + touchscreen_parse_properties(sdata->input, true, &sdata->prop); + +- input_set_abs_params(sdata->input, ABS_MT_POSITION_X, 0, +- sdata->prop.max_x, 0, 0); +- input_set_abs_params(sdata->input, ABS_MT_POSITION_Y, 0, +- sdata->prop.max_y, 0, 0); + input_set_abs_params(sdata->input, ABS_MT_TOUCH_MAJOR, 0, 255, 0, 0); + input_set_abs_params(sdata->input, ABS_MT_TOUCH_MINOR, 0, 255, 0, 0); + input_set_abs_params(sdata->input, ABS_MT_ORIENTATION, 0, 255, 0, 0); diff --git a/queue-4.13/keys-don-t-let-add_key-update-an-uninstantiated-key.patch b/queue-4.13/keys-don-t-let-add_key-update-an-uninstantiated-key.patch new file mode 100644 index 00000000000..d64e219d462 --- /dev/null +++ b/queue-4.13/keys-don-t-let-add_key-update-an-uninstantiated-key.patch @@ -0,0 +1,120 @@ +From 60ff5b2f547af3828aebafd54daded44cfb0807a Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 12 Oct 2017 16:00:41 +0100 +Subject: KEYS: don't let add_key() update an uninstantiated key + +From: David Howells + +commit 60ff5b2f547af3828aebafd54daded44cfb0807a upstream. + +Currently, when passed a key that already exists, add_key() will call the +key's ->update() method if such exists. But this is heavily broken in the +case where the key is uninstantiated because it doesn't call +__key_instantiate_and_link(). Consequently, it doesn't do most of the +things that are supposed to happen when the key is instantiated, such as +setting the instantiation state, clearing KEY_FLAG_USER_CONSTRUCT and +awakening tasks waiting on it, and incrementing key->user->nikeys. + +It also never takes key_construction_mutex, which means that +->instantiate() can run concurrently with ->update() on the same key. In +the case of the "user" and "logon" key types this causes a memory leak, at +best. Maybe even worse, the ->update() methods of the "encrypted" and +"trusted" key types actually just dereference a NULL pointer when passed an +uninstantiated key. + +Change key_create_or_update() to wait interruptibly for the key to finish +construction before continuing. + +This patch only affects *uninstantiated* keys. For now we still allow a +negatively instantiated key to be updated (thereby positively +instantiating it), although that's broken too (the next patch fixes it) +and I'm not sure that anyone actually uses that functionality either. + +Here is a simple reproducer for the bug using the "encrypted" key type +(requires CONFIG_ENCRYPTED_KEYS=y), though as noted above the bug +pertained to more than just the "encrypted" key type: + + #include + #include + #include + + int main(void) + { + int ringid = keyctl_join_session_keyring(NULL); + + if (fork()) { + for (;;) { + const char payload[] = "update user:foo 32"; + + usleep(rand() % 10000); + add_key("encrypted", "desc", payload, sizeof(payload), ringid); + keyctl_clear(ringid); + } + } else { + for (;;) + request_key("encrypted", "desc", "callout_info", ringid); + } + } + +It causes: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 + IP: encrypted_update+0xb0/0x170 + PGD 7a178067 P4D 7a178067 PUD 77269067 PMD 0 + PREEMPT SMP + CPU: 0 PID: 340 Comm: reproduce Tainted: G D 4.14.0-rc1-00025-g428490e38b2e #796 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + task: ffff8a467a39a340 task.stack: ffffb15c40770000 + RIP: 0010:encrypted_update+0xb0/0x170 + RSP: 0018:ffffb15c40773de8 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: ffff8a467a275b00 RCX: 0000000000000000 + RDX: 0000000000000005 RSI: ffff8a467a275b14 RDI: ffffffffb742f303 + RBP: ffffb15c40773e20 R08: 0000000000000000 R09: ffff8a467a275b17 + R10: 0000000000000020 R11: 0000000000000000 R12: 0000000000000000 + R13: 0000000000000000 R14: ffff8a4677057180 R15: ffff8a467a275b0f + FS: 00007f5d7fb08700(0000) GS:ffff8a467f200000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000018 CR3: 0000000077262005 CR4: 00000000001606f0 + Call Trace: + key_create_or_update+0x2bc/0x460 + SyS_add_key+0x10c/0x1d0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + RIP: 0033:0x7f5d7f211259 + RSP: 002b:00007ffed03904c8 EFLAGS: 00000246 ORIG_RAX: 00000000000000f8 + RAX: ffffffffffffffda RBX: 000000003b2a7955 RCX: 00007f5d7f211259 + RDX: 00000000004009e4 RSI: 00000000004009ff RDI: 0000000000400a04 + RBP: 0000000068db8bad R08: 000000003b2a7955 R09: 0000000000000004 + R10: 000000000000001a R11: 0000000000000246 R12: 0000000000400868 + R13: 00007ffed03905d0 R14: 0000000000000000 R15: 0000000000000000 + Code: 77 28 e8 64 34 1f 00 45 31 c0 31 c9 48 8d 55 c8 48 89 df 48 8d 75 d0 e8 ff f9 ff ff 85 c0 41 89 c4 0f 88 84 00 00 00 4c 8b 7d c8 <49> 8b 75 18 4c 89 ff e8 24 f8 ff ff 85 c0 41 89 c4 78 6d 49 8b + RIP: encrypted_update+0xb0/0x170 RSP: ffffb15c40773de8 + CR2: 0000000000000018 + +Reported-by: Eric Biggers +Signed-off-by: David Howells +cc: Eric Biggers +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/key.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -945,6 +945,16 @@ error: + */ + __key_link_end(keyring, &index_key, edit); + ++ key = key_ref_to_ptr(key_ref); ++ if (test_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) { ++ ret = wait_for_key_construction(key, true); ++ if (ret < 0) { ++ key_ref_put(key_ref); ++ key_ref = ERR_PTR(ret); ++ goto error_free_prep; ++ } ++ } ++ + key_ref = __key_update(key_ref, &prep); + goto error_free_prep; + } diff --git a/queue-4.13/keys-fix-race-between-updating-and-finding-a-negative-key.patch b/queue-4.13/keys-fix-race-between-updating-and-finding-a-negative-key.patch new file mode 100644 index 00000000000..157672b79f9 --- /dev/null +++ b/queue-4.13/keys-fix-race-between-updating-and-finding-a-negative-key.patch @@ -0,0 +1,467 @@ +From 363b02dab09b3226f3bd1420dad9c72b79a42a76 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Wed, 4 Oct 2017 16:43:25 +0100 +Subject: KEYS: Fix race between updating and finding a negative key + +From: David Howells + +commit 363b02dab09b3226f3bd1420dad9c72b79a42a76 upstream. + +Consolidate KEY_FLAG_INSTANTIATED, KEY_FLAG_NEGATIVE and the rejection +error into one field such that: + + (1) The instantiation state can be modified/read atomically. + + (2) The error can be accessed atomically with the state. + + (3) The error isn't stored unioned with the payload pointers. + +This deals with the problem that the state is spread over three different +objects (two bits and a separate variable) and reading or updating them +atomically isn't practical, given that not only can uninstantiated keys +change into instantiated or rejected keys, but rejected keys can also turn +into instantiated keys - and someone accessing the key might not be using +any locking. + +The main side effect of this problem is that what was held in the payload +may change, depending on the state. For instance, you might observe the +key to be in the rejected state. You then read the cached error, but if +the key semaphore wasn't locked, the key might've become instantiated +between the two reads - and you might now have something in hand that isn't +actually an error code. + +The state is now KEY_IS_UNINSTANTIATED, KEY_IS_POSITIVE or a negative error +code if the key is negatively instantiated. The key_is_instantiated() +function is replaced with key_is_positive() to avoid confusion as negative +keys are also 'instantiated'. + +Additionally, barriering is included: + + (1) Order payload-set before state-set during instantiation. + + (2) Order state-read before payload-read when using the key. + +Further separate barriering is necessary if RCU is being used to access the +payload content after reading the payload pointers. + +Fixes: 146aa8b1453b ("KEYS: Merge the type-specific data with the payload data") +Reported-by: Eric Biggers +Signed-off-by: David Howells +Reviewed-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/key.h | 47 +++++++++++++++++++------------ + net/dns_resolver/dns_key.c | 2 - + security/keys/big_key.c | 4 +- + security/keys/encrypted-keys/encrypted.c | 2 - + security/keys/gc.c | 8 ++--- + security/keys/key.c | 31 +++++++++++++------- + security/keys/keyctl.c | 9 ++--- + security/keys/keyring.c | 10 +++--- + security/keys/proc.c | 7 +++- + security/keys/process_keys.c | 2 - + security/keys/request_key.c | 7 +--- + security/keys/request_key_auth.c | 2 - + security/keys/trusted.c | 2 - + security/keys/user_defined.c | 4 +- + 14 files changed, 80 insertions(+), 57 deletions(-) + +--- a/include/linux/key.h ++++ b/include/linux/key.h +@@ -138,6 +138,11 @@ struct key_restriction { + struct key_type *keytype; + }; + ++enum key_state { ++ KEY_IS_UNINSTANTIATED, ++ KEY_IS_POSITIVE, /* Positively instantiated */ ++}; ++ + /*****************************************************************************/ + /* + * authentication token / access credential / keyring +@@ -169,6 +174,7 @@ struct key { + * - may not match RCU dereferenced payload + * - payload should contain own length + */ ++ short state; /* Key state (+) or rejection error (-) */ + + #ifdef KEY_DEBUGGING + unsigned magic; +@@ -176,18 +182,16 @@ struct key { + #endif + + unsigned long flags; /* status flags (change with bitops) */ +-#define KEY_FLAG_INSTANTIATED 0 /* set if key has been instantiated */ +-#define KEY_FLAG_DEAD 1 /* set if key type has been deleted */ +-#define KEY_FLAG_REVOKED 2 /* set if key had been revoked */ +-#define KEY_FLAG_IN_QUOTA 3 /* set if key consumes quota */ +-#define KEY_FLAG_USER_CONSTRUCT 4 /* set if key is being constructed in userspace */ +-#define KEY_FLAG_NEGATIVE 5 /* set if key is negative */ +-#define KEY_FLAG_ROOT_CAN_CLEAR 6 /* set if key can be cleared by root without permission */ +-#define KEY_FLAG_INVALIDATED 7 /* set if key has been invalidated */ +-#define KEY_FLAG_BUILTIN 8 /* set if key is built in to the kernel */ +-#define KEY_FLAG_ROOT_CAN_INVAL 9 /* set if key can be invalidated by root without permission */ +-#define KEY_FLAG_KEEP 10 /* set if key should not be removed */ +-#define KEY_FLAG_UID_KEYRING 11 /* set if key is a user or user session keyring */ ++#define KEY_FLAG_DEAD 0 /* set if key type has been deleted */ ++#define KEY_FLAG_REVOKED 1 /* set if key had been revoked */ ++#define KEY_FLAG_IN_QUOTA 2 /* set if key consumes quota */ ++#define KEY_FLAG_USER_CONSTRUCT 3 /* set if key is being constructed in userspace */ ++#define KEY_FLAG_ROOT_CAN_CLEAR 4 /* set if key can be cleared by root without permission */ ++#define KEY_FLAG_INVALIDATED 5 /* set if key has been invalidated */ ++#define KEY_FLAG_BUILTIN 6 /* set if key is built in to the kernel */ ++#define KEY_FLAG_ROOT_CAN_INVAL 7 /* set if key can be invalidated by root without permission */ ++#define KEY_FLAG_KEEP 8 /* set if key should not be removed */ ++#define KEY_FLAG_UID_KEYRING 9 /* set if key is a user or user session keyring */ + + /* the key type and key description string + * - the desc is used to match a key against search criteria +@@ -213,7 +217,6 @@ struct key { + struct list_head name_link; + struct assoc_array keys; + }; +- int reject_error; + }; + + /* This is set on a keyring to restrict the addition of a link to a key +@@ -353,17 +356,27 @@ extern void key_set_timeout(struct key * + #define KEY_NEED_SETATTR 0x20 /* Require permission to change attributes */ + #define KEY_NEED_ALL 0x3f /* All the above permissions */ + ++static inline short key_read_state(const struct key *key) ++{ ++ /* Barrier versus mark_key_instantiated(). */ ++ return smp_load_acquire(&key->state); ++} ++ + /** +- * key_is_instantiated - Determine if a key has been positively instantiated ++ * key_is_positive - Determine if a key has been positively instantiated + * @key: The key to check. + * + * Return true if the specified key has been positively instantiated, false + * otherwise. + */ +-static inline bool key_is_instantiated(const struct key *key) ++static inline bool key_is_positive(const struct key *key) ++{ ++ return key_read_state(key) == KEY_IS_POSITIVE; ++} ++ ++static inline bool key_is_negative(const struct key *key) + { +- return test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && +- !test_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ return key_read_state(key) < 0; + } + + #define dereference_key_rcu(KEY) \ +--- a/net/dns_resolver/dns_key.c ++++ b/net/dns_resolver/dns_key.c +@@ -224,7 +224,7 @@ static int dns_resolver_match_preparse(s + static void dns_resolver_describe(const struct key *key, struct seq_file *m) + { + seq_puts(m, key->description); +- if (key_is_instantiated(key)) { ++ if (key_is_positive(key)) { + int err = PTR_ERR(key->payload.data[dns_key_error]); + + if (err) +--- a/security/keys/big_key.c ++++ b/security/keys/big_key.c +@@ -247,7 +247,7 @@ void big_key_revoke(struct key *key) + + /* clear the quota */ + key_payload_reserve(key, 0); +- if (key_is_instantiated(key) && ++ if (key_is_positive(key) && + (size_t)key->payload.data[big_key_len] > BIG_KEY_FILE_THRESHOLD) + vfs_truncate(path, 0); + } +@@ -279,7 +279,7 @@ void big_key_describe(const struct key * + + seq_puts(m, key->description); + +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, ": %zu [%s]", + datalen, + datalen > BIG_KEY_FILE_THRESHOLD ? "file" : "buff"); +--- a/security/keys/encrypted-keys/encrypted.c ++++ b/security/keys/encrypted-keys/encrypted.c +@@ -854,7 +854,7 @@ static int encrypted_update(struct key * + size_t datalen = prep->datalen; + int ret = 0; + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_negative(key)) + return -ENOKEY; + if (datalen <= 0 || datalen > 32767 || !prep->data) + return -EINVAL; +--- a/security/keys/gc.c ++++ b/security/keys/gc.c +@@ -129,15 +129,15 @@ static noinline void key_gc_unused_keys( + while (!list_empty(keys)) { + struct key *key = + list_entry(keys->next, struct key, graveyard_link); ++ short state = key->state; ++ + list_del(&key->graveyard_link); + + kdebug("- %u", key->serial); + key_check(key); + + /* Throw away the key data if the key is instantiated */ +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags) && +- !test_bit(KEY_FLAG_NEGATIVE, &key->flags) && +- key->type->destroy) ++ if (state == KEY_IS_POSITIVE && key->type->destroy) + key->type->destroy(key); + + security_key_free(key); +@@ -151,7 +151,7 @@ static noinline void key_gc_unused_keys( + } + + atomic_dec(&key->user->nkeys); +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) ++ if (state != KEY_IS_UNINSTANTIATED) + atomic_dec(&key->user->nikeys); + + key_user_put(key->user); +--- a/security/keys/key.c ++++ b/security/keys/key.c +@@ -402,6 +402,18 @@ int key_payload_reserve(struct key *key, + EXPORT_SYMBOL(key_payload_reserve); + + /* ++ * Change the key state to being instantiated. ++ */ ++static void mark_key_instantiated(struct key *key, int reject_error) ++{ ++ /* Commit the payload before setting the state; barrier versus ++ * key_read_state(). ++ */ ++ smp_store_release(&key->state, ++ (reject_error < 0) ? reject_error : KEY_IS_POSITIVE); ++} ++ ++/* + * Instantiate a key and link it into the target keyring atomically. Must be + * called with the target keyring's semaphore writelocked. The target key's + * semaphore need not be locked as instantiation is serialised by +@@ -424,14 +436,14 @@ static int __key_instantiate_and_link(st + mutex_lock(&key_construction_mutex); + + /* can't instantiate twice */ +- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state == KEY_IS_UNINSTANTIATED) { + /* instantiate the key */ + ret = key->type->instantiate(key, prep); + + if (ret == 0) { + /* mark the key as being instantiated */ + atomic_inc(&key->user->nikeys); +- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); ++ mark_key_instantiated(key, 0); + + if (test_and_clear_bit(KEY_FLAG_USER_CONSTRUCT, &key->flags)) + awaken = 1; +@@ -577,13 +589,10 @@ int key_reject_and_link(struct key *key, + mutex_lock(&key_construction_mutex); + + /* can't instantiate twice */ +- if (!test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state == KEY_IS_UNINSTANTIATED) { + /* mark the key as being negatively instantiated */ + atomic_inc(&key->user->nikeys); +- key->reject_error = -error; +- smp_wmb(); +- set_bit(KEY_FLAG_NEGATIVE, &key->flags); +- set_bit(KEY_FLAG_INSTANTIATED, &key->flags); ++ mark_key_instantiated(key, -error); + now = current_kernel_time(); + key->expiry = now.tv_sec + timeout; + key_schedule_gc(key->expiry + key_gc_delay); +@@ -752,8 +761,8 @@ static inline key_ref_t __key_update(key + + ret = key->type->update(key, prep); + if (ret == 0) +- /* updating a negative key instantiates it */ +- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ /* Updating a negative key positively instantiates it */ ++ mark_key_instantiated(key, 0); + + up_write(&key->sem); + +@@ -986,8 +995,8 @@ int key_update(key_ref_t key_ref, const + + ret = key->type->update(key, &prep); + if (ret == 0) +- /* updating a negative key instantiates it */ +- clear_bit(KEY_FLAG_NEGATIVE, &key->flags); ++ /* Updating a negative key positively instantiates it */ ++ mark_key_instantiated(key, 0); + + up_write(&key->sem); + +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -766,10 +766,9 @@ long keyctl_read_key(key_serial_t keyid, + + key = key_ref_to_ptr(key_ref); + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { +- ret = -ENOKEY; +- goto error2; +- } ++ ret = key_read_state(key); ++ if (ret < 0) ++ goto error2; /* Negatively instantiated */ + + /* see if we can read it directly */ + ret = key_permission(key_ref, KEY_NEED_READ); +@@ -901,7 +900,7 @@ long keyctl_chown_key(key_serial_t id, u + atomic_dec(&key->user->nkeys); + atomic_inc(&newowner->nkeys); + +- if (test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) { ++ if (key->state != KEY_IS_UNINSTANTIATED) { + atomic_dec(&key->user->nikeys); + atomic_inc(&newowner->nikeys); + } +--- a/security/keys/keyring.c ++++ b/security/keys/keyring.c +@@ -414,7 +414,7 @@ static void keyring_describe(const struc + else + seq_puts(m, "[anon]"); + +- if (key_is_instantiated(keyring)) { ++ if (key_is_positive(keyring)) { + if (keyring->keys.nr_leaves_on_tree != 0) + seq_printf(m, ": %lu", keyring->keys.nr_leaves_on_tree); + else +@@ -553,7 +553,8 @@ static int keyring_search_iterator(const + { + struct keyring_search_context *ctx = iterator_data; + const struct key *key = keyring_ptr_to_key(object); +- unsigned long kflags = key->flags; ++ unsigned long kflags = READ_ONCE(key->flags); ++ short state = READ_ONCE(key->state); + + kenter("{%d}", key->serial); + +@@ -597,9 +598,8 @@ static int keyring_search_iterator(const + + if (ctx->flags & KEYRING_SEARCH_DO_STATE_CHECK) { + /* we set a different error code if we pass a negative key */ +- if (kflags & (1 << KEY_FLAG_NEGATIVE)) { +- smp_rmb(); +- ctx->result = ERR_PTR(key->reject_error); ++ if (state < 0) { ++ ctx->result = ERR_PTR(state); + kleave(" = %d [neg]", ctx->skipped_ret); + goto skipped; + } +--- a/security/keys/proc.c ++++ b/security/keys/proc.c +@@ -182,6 +182,7 @@ static int proc_keys_show(struct seq_fil + unsigned long timo; + key_ref_t key_ref, skey_ref; + char xbuf[16]; ++ short state; + int rc; + + struct keyring_search_context ctx = { +@@ -240,17 +241,19 @@ static int proc_keys_show(struct seq_fil + sprintf(xbuf, "%luw", timo / (60*60*24*7)); + } + ++ state = key_read_state(key); ++ + #define showflag(KEY, LETTER, FLAG) \ + (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') + + seq_printf(m, "%08x %c%c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", + key->serial, +- showflag(key, 'I', KEY_FLAG_INSTANTIATED), ++ state != KEY_IS_UNINSTANTIATED ? 'I' : '-', + showflag(key, 'R', KEY_FLAG_REVOKED), + showflag(key, 'D', KEY_FLAG_DEAD), + showflag(key, 'Q', KEY_FLAG_IN_QUOTA), + showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), +- showflag(key, 'N', KEY_FLAG_NEGATIVE), ++ state < 0 ? 'N' : '-', + showflag(key, 'i', KEY_FLAG_INVALIDATED), + refcount_read(&key->usage), + xbuf, +--- a/security/keys/process_keys.c ++++ b/security/keys/process_keys.c +@@ -730,7 +730,7 @@ try_again: + + ret = -EIO; + if (!(lflags & KEY_LOOKUP_PARTIAL) && +- !test_bit(KEY_FLAG_INSTANTIATED, &key->flags)) ++ key_read_state(key) == KEY_IS_UNINSTANTIATED) + goto invalid_key; + + /* check the permissions */ +--- a/security/keys/request_key.c ++++ b/security/keys/request_key.c +@@ -595,10 +595,9 @@ int wait_for_key_construction(struct key + intr ? TASK_INTERRUPTIBLE : TASK_UNINTERRUPTIBLE); + if (ret) + return -ERESTARTSYS; +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) { +- smp_rmb(); +- return key->reject_error; +- } ++ ret = key_read_state(key); ++ if (ret < 0) ++ return ret; + return key_validate(key); + } + EXPORT_SYMBOL(wait_for_key_construction); +--- a/security/keys/request_key_auth.c ++++ b/security/keys/request_key_auth.c +@@ -73,7 +73,7 @@ static void request_key_auth_describe(co + + seq_puts(m, "key:"); + seq_puts(m, key->description); +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, " pid:%d ci:%zu", rka->pid, rka->callout_len); + } + +--- a/security/keys/trusted.c ++++ b/security/keys/trusted.c +@@ -1066,7 +1066,7 @@ static int trusted_update(struct key *ke + char *datablob; + int ret = 0; + +- if (test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_negative(key)) + return -ENOKEY; + p = key->payload.data[0]; + if (!p->migratable) +--- a/security/keys/user_defined.c ++++ b/security/keys/user_defined.c +@@ -114,7 +114,7 @@ int user_update(struct key *key, struct + + /* attach the new data, displacing the old */ + key->expiry = prep->expiry; +- if (!test_bit(KEY_FLAG_NEGATIVE, &key->flags)) ++ if (key_is_positive(key)) + zap = dereference_key_locked(key); + rcu_assign_keypointer(key, prep->payload.data[0]); + prep->payload.data[0] = NULL; +@@ -162,7 +162,7 @@ EXPORT_SYMBOL_GPL(user_destroy); + void user_describe(const struct key *key, struct seq_file *m) + { + seq_puts(m, key->description); +- if (key_is_instantiated(key)) ++ if (key_is_positive(key)) + seq_printf(m, ": %u", key->datalen); + } + diff --git a/queue-4.13/lib-digsig-fix-dereference-of-null-user_key_payload.patch b/queue-4.13/lib-digsig-fix-dereference-of-null-user_key_payload.patch new file mode 100644 index 00000000000..8a4de787f7a --- /dev/null +++ b/queue-4.13/lib-digsig-fix-dereference-of-null-user_key_payload.patch @@ -0,0 +1,43 @@ +From 192cabd6a296cbc57b3d8c05c4c89d87fc102506 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 9 Oct 2017 12:43:20 -0700 +Subject: lib/digsig: fix dereference of NULL user_key_payload + +From: Eric Biggers + +commit 192cabd6a296cbc57b3d8c05c4c89d87fc102506 upstream. + +digsig_verify() requests a user key, then accesses its payload. +However, a revoked key has a NULL payload, and we failed to check for +this. request_key() *does* skip revoked keys, but there is still a +window where the key can be revoked before we acquire its semaphore. + +Fix it by checking for a NULL payload, treating it like a key which was +already revoked at the time it was requested. + +Fixes: 051dbb918c7f ("crypto: digital signature verification support") +Reviewed-by: James Morris +Cc: Dmitry Kasatkin +Signed-off-by: Eric Biggers +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + lib/digsig.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/lib/digsig.c ++++ b/lib/digsig.c +@@ -87,6 +87,12 @@ static int digsig_verify_rsa(struct key + down_read(&key->sem); + ukp = user_key_payload_locked(key); + ++ if (!ukp) { ++ /* key was revoked before we acquired its semaphore */ ++ err = -EKEYREVOKED; ++ goto err1; ++ } ++ + if (ukp->datalen < sizeof(*pkh)) + goto err1; + diff --git a/queue-4.13/media-cec-respond-to-unregistered-initiators-when-applicable.patch b/queue-4.13/media-cec-respond-to-unregistered-initiators-when-applicable.patch new file mode 100644 index 00000000000..58a11d9660f --- /dev/null +++ b/queue-4.13/media-cec-respond-to-unregistered-initiators-when-applicable.patch @@ -0,0 +1,62 @@ +From 845d6524d69b40bd6abd61dc1264a8657159aa55 Mon Sep 17 00:00:00 2001 +From: Jose Abreu +Date: Thu, 14 Sep 2017 11:23:38 -0400 +Subject: media: cec: Respond to unregistered initiators, when applicable + +From: Jose Abreu + +commit 845d6524d69b40bd6abd61dc1264a8657159aa55 upstream. + +Running CEC 1.4 compliance test we get the following error on test +11.1.6.2: "ERROR: The DUT did not broadcast a + message to the unregistered device." + +Fix this by letting GIVE_PHYSICAL_ADDR message respond to unregistered +device. Also, GIVE_DEVICE_VENDOR_ID and GIVE_FEATURES fall in the +same category so, respond also to these messages. + +With this fix we pass CEC 1.4 official compliance. + +Signed-off-by: Jose Abreu +Cc: Joao Pinto +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/cec/cec-adap.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/media/cec/cec-adap.c ++++ b/drivers/media/cec/cec-adap.c +@@ -1726,12 +1726,19 @@ static int cec_receive_notify(struct cec + */ + switch (msg->msg[1]) { + case CEC_MSG_GET_CEC_VERSION: +- case CEC_MSG_GIVE_DEVICE_VENDOR_ID: + case CEC_MSG_ABORT: + case CEC_MSG_GIVE_DEVICE_POWER_STATUS: +- case CEC_MSG_GIVE_PHYSICAL_ADDR: + case CEC_MSG_GIVE_OSD_NAME: ++ /* ++ * These messages reply with a directed message, so ignore if ++ * the initiator is Unregistered. ++ */ ++ if (!adap->passthrough && from_unregistered) ++ return 0; ++ /* Fall through */ ++ case CEC_MSG_GIVE_DEVICE_VENDOR_ID: + case CEC_MSG_GIVE_FEATURES: ++ case CEC_MSG_GIVE_PHYSICAL_ADDR: + /* + * Skip processing these messages if the passthrough mode + * is on. +@@ -1739,7 +1746,7 @@ static int cec_receive_notify(struct cec + if (adap->passthrough) + goto skip_processing; + /* Ignore if addressing is wrong */ +- if (is_broadcast || from_unregistered) ++ if (is_broadcast) + return 0; + break; + diff --git a/queue-4.13/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch b/queue-4.13/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch new file mode 100644 index 00000000000..8584ff7108e --- /dev/null +++ b/queue-4.13/media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch @@ -0,0 +1,253 @@ +From b4756707152700c96acdfe149cb1ca4cec306c7a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sat, 2 Sep 2017 07:42:42 -0400 +Subject: media: dvb: i2c transfers over usb cannot be done from stack + +From: Sean Young + +commit b4756707152700c96acdfe149cb1ca4cec306c7a upstream. + +Since commit 29d2fef8be11 ("usb: catch attempts to submit urbs +with a vmalloc'd transfer buffer"), the AverMedia AverTV DVB-T +USB 2.0 (a800) fails to probe. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/dib3000mc.c | 50 +++++++++++++++++++++------ + drivers/media/dvb-frontends/dvb-pll.c | 22 +++++++++-- + drivers/media/tuners/mt2060.c | 59 +++++++++++++++++++++++++------- + 3 files changed, 103 insertions(+), 28 deletions(-) + +--- a/drivers/media/dvb-frontends/dib3000mc.c ++++ b/drivers/media/dvb-frontends/dib3000mc.c +@@ -55,29 +55,57 @@ struct dib3000mc_state { + + static u16 dib3000mc_read_word(struct dib3000mc_state *state, u16 reg) + { +- u8 wb[2] = { (reg >> 8) | 0x80, reg & 0xff }; +- u8 rb[2]; + struct i2c_msg msg[2] = { +- { .addr = state->i2c_addr >> 1, .flags = 0, .buf = wb, .len = 2 }, +- { .addr = state->i2c_addr >> 1, .flags = I2C_M_RD, .buf = rb, .len = 2 }, ++ { .addr = state->i2c_addr >> 1, .flags = 0, .len = 2 }, ++ { .addr = state->i2c_addr >> 1, .flags = I2C_M_RD, .len = 2 }, + }; ++ u16 word; ++ u8 *b; ++ ++ b = kmalloc(4, GFP_KERNEL); ++ if (!b) ++ return 0; ++ ++ b[0] = (reg >> 8) | 0x80; ++ b[1] = reg; ++ b[2] = 0; ++ b[3] = 0; ++ ++ msg[0].buf = b; ++ msg[1].buf = b + 2; + + if (i2c_transfer(state->i2c_adap, msg, 2) != 2) + dprintk("i2c read error on %d\n",reg); + +- return (rb[0] << 8) | rb[1]; ++ word = (b[2] << 8) | b[3]; ++ kfree(b); ++ ++ return word; + } + + static int dib3000mc_write_word(struct dib3000mc_state *state, u16 reg, u16 val) + { +- u8 b[4] = { +- (reg >> 8) & 0xff, reg & 0xff, +- (val >> 8) & 0xff, val & 0xff, +- }; + struct i2c_msg msg = { +- .addr = state->i2c_addr >> 1, .flags = 0, .buf = b, .len = 4 ++ .addr = state->i2c_addr >> 1, .flags = 0, .len = 4 + }; +- return i2c_transfer(state->i2c_adap, &msg, 1) != 1 ? -EREMOTEIO : 0; ++ int rc; ++ u8 *b; ++ ++ b = kmalloc(4, GFP_KERNEL); ++ if (!b) ++ return -ENOMEM; ++ ++ b[0] = reg >> 8; ++ b[1] = reg; ++ b[2] = val >> 8; ++ b[3] = val; ++ ++ msg.buf = b; ++ ++ rc = i2c_transfer(state->i2c_adap, &msg, 1) != 1 ? -EREMOTEIO : 0; ++ kfree(b); ++ ++ return rc; + } + + static int dib3000mc_identify(struct dib3000mc_state *state) +--- a/drivers/media/dvb-frontends/dvb-pll.c ++++ b/drivers/media/dvb-frontends/dvb-pll.c +@@ -753,13 +753,19 @@ struct dvb_frontend *dvb_pll_attach(stru + struct i2c_adapter *i2c, + unsigned int pll_desc_id) + { +- u8 b1 [] = { 0 }; +- struct i2c_msg msg = { .addr = pll_addr, .flags = I2C_M_RD, +- .buf = b1, .len = 1 }; ++ u8 *b1; ++ struct i2c_msg msg = { .addr = pll_addr, .flags = I2C_M_RD, .len = 1 }; + struct dvb_pll_priv *priv = NULL; + int ret; + const struct dvb_pll_desc *desc; + ++ b1 = kmalloc(1, GFP_KERNEL); ++ if (!b1) ++ return NULL; ++ ++ b1[0] = 0; ++ msg.buf = b1; ++ + if ((id[dvb_pll_devcount] > DVB_PLL_UNDEFINED) && + (id[dvb_pll_devcount] < ARRAY_SIZE(pll_list))) + pll_desc_id = id[dvb_pll_devcount]; +@@ -773,15 +779,19 @@ struct dvb_frontend *dvb_pll_attach(stru + fe->ops.i2c_gate_ctrl(fe, 1); + + ret = i2c_transfer (i2c, &msg, 1); +- if (ret != 1) ++ if (ret != 1) { ++ kfree(b1); + return NULL; ++ } + if (fe->ops.i2c_gate_ctrl) + fe->ops.i2c_gate_ctrl(fe, 0); + } + + priv = kzalloc(sizeof(struct dvb_pll_priv), GFP_KERNEL); +- if (priv == NULL) ++ if (!priv) { ++ kfree(b1); + return NULL; ++ } + + priv->pll_i2c_address = pll_addr; + priv->i2c = i2c; +@@ -811,6 +821,8 @@ struct dvb_frontend *dvb_pll_attach(stru + "insmod option" : "autodetected"); + } + ++ kfree(b1); ++ + return fe; + } + EXPORT_SYMBOL(dvb_pll_attach); +--- a/drivers/media/tuners/mt2060.c ++++ b/drivers/media/tuners/mt2060.c +@@ -38,41 +38,74 @@ MODULE_PARM_DESC(debug, "Turn on/off deb + static int mt2060_readreg(struct mt2060_priv *priv, u8 reg, u8 *val) + { + struct i2c_msg msg[2] = { +- { .addr = priv->cfg->i2c_address, .flags = 0, .buf = ®, .len = 1 }, +- { .addr = priv->cfg->i2c_address, .flags = I2C_M_RD, .buf = val, .len = 1 }, ++ { .addr = priv->cfg->i2c_address, .flags = 0, .len = 1 }, ++ { .addr = priv->cfg->i2c_address, .flags = I2C_M_RD, .len = 1 }, + }; ++ int rc = 0; ++ u8 *b; ++ ++ b = kmalloc(2, GFP_KERNEL); ++ if (!b) ++ return -ENOMEM; ++ ++ b[0] = reg; ++ b[1] = 0; ++ ++ msg[0].buf = b; ++ msg[1].buf = b + 1; + + if (i2c_transfer(priv->i2c, msg, 2) != 2) { + printk(KERN_WARNING "mt2060 I2C read failed\n"); +- return -EREMOTEIO; ++ rc = -EREMOTEIO; + } +- return 0; ++ *val = b[1]; ++ kfree(b); ++ ++ return rc; + } + + // Writes a single register + static int mt2060_writereg(struct mt2060_priv *priv, u8 reg, u8 val) + { +- u8 buf[2] = { reg, val }; + struct i2c_msg msg = { +- .addr = priv->cfg->i2c_address, .flags = 0, .buf = buf, .len = 2 ++ .addr = priv->cfg->i2c_address, .flags = 0, .len = 2 + }; ++ u8 *buf; ++ int rc = 0; ++ ++ buf = kmalloc(2, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ buf[0] = reg; ++ buf[1] = val; ++ ++ msg.buf = buf; + + if (i2c_transfer(priv->i2c, &msg, 1) != 1) { + printk(KERN_WARNING "mt2060 I2C write failed\n"); +- return -EREMOTEIO; ++ rc = -EREMOTEIO; + } +- return 0; ++ kfree(buf); ++ return rc; + } + + // Writes a set of consecutive registers + static int mt2060_writeregs(struct mt2060_priv *priv,u8 *buf, u8 len) + { + int rem, val_len; +- u8 xfer_buf[16]; ++ u8 *xfer_buf; ++ int rc = 0; + struct i2c_msg msg = { +- .addr = priv->cfg->i2c_address, .flags = 0, .buf = xfer_buf ++ .addr = priv->cfg->i2c_address, .flags = 0 + }; + ++ xfer_buf = kmalloc(16, GFP_KERNEL); ++ if (!xfer_buf) ++ return -ENOMEM; ++ ++ msg.buf = xfer_buf; ++ + for (rem = len - 1; rem > 0; rem -= priv->i2c_max_regs) { + val_len = min_t(int, rem, priv->i2c_max_regs); + msg.len = 1 + val_len; +@@ -81,11 +114,13 @@ static int mt2060_writeregs(struct mt206 + + if (i2c_transfer(priv->i2c, &msg, 1) != 1) { + printk(KERN_WARNING "mt2060 I2C write failed (len=%i)\n", val_len); +- return -EREMOTEIO; ++ rc = -EREMOTEIO; ++ break; + } + } + +- return 0; ++ kfree(xfer_buf); ++ return rc; + } + + // Initialisation sequences diff --git a/queue-4.13/media-s5p-cec-add-nack-detection-support.patch b/queue-4.13/media-s5p-cec-add-nack-detection-support.patch new file mode 100644 index 00000000000..b61e1bdcd2a --- /dev/null +++ b/queue-4.13/media-s5p-cec-add-nack-detection-support.patch @@ -0,0 +1,89 @@ +From e949f61461ab83b094cad564c89a8d2b078b4508 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 31 Aug 2017 12:56:10 -0400 +Subject: media: s5p-cec: add NACK detection support + +From: Hans Verkuil + +commit e949f61461ab83b094cad564c89a8d2b078b4508 upstream. + +The s5p-cec driver returned CEC_TX_STATUS_ERROR for the NACK condition. + +Some digging into the datasheet uncovered the S5P_CEC_TX_STAT1 register where +bit 0 indicates if the transmit was nacked or not. + +Use this to return the correct CEC_TX_STATUS_NACK status to userspace. + +This was the only driver that couldn't tell a NACK from another error, and +that was very unusual. And a potential problem for applications as well. + +Tested with my Odroid-U3. + +Signed-off-by: Hans Verkuil +Acked-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c | 3 ++- + drivers/media/platform/s5p-cec/s5p_cec.c | 11 ++++++++++- + drivers/media/platform/s5p-cec/s5p_cec.h | 2 ++ + 3 files changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c ++++ b/drivers/media/platform/s5p-cec/exynos_hdmi_cecctrl.c +@@ -172,7 +172,8 @@ u32 s5p_cec_get_status(struct s5p_cec_de + { + u32 status = 0; + +- status = readb(cec->reg + S5P_CEC_STATUS_0); ++ status = readb(cec->reg + S5P_CEC_STATUS_0) & 0xf; ++ status |= (readb(cec->reg + S5P_CEC_TX_STAT1) & 0xf) << 4; + status |= readb(cec->reg + S5P_CEC_STATUS_1) << 8; + status |= readb(cec->reg + S5P_CEC_STATUS_2) << 16; + status |= readb(cec->reg + S5P_CEC_STATUS_3) << 24; +--- a/drivers/media/platform/s5p-cec/s5p_cec.c ++++ b/drivers/media/platform/s5p-cec/s5p_cec.c +@@ -92,7 +92,10 @@ static irqreturn_t s5p_cec_irq_handler(i + dev_dbg(cec->dev, "irq received\n"); + + if (status & CEC_STATUS_TX_DONE) { +- if (status & CEC_STATUS_TX_ERROR) { ++ if (status & CEC_STATUS_TX_NACK) { ++ dev_dbg(cec->dev, "CEC_STATUS_TX_NACK set\n"); ++ cec->tx = STATE_NACK; ++ } else if (status & CEC_STATUS_TX_ERROR) { + dev_dbg(cec->dev, "CEC_STATUS_TX_ERROR set\n"); + cec->tx = STATE_ERROR; + } else { +@@ -135,6 +138,12 @@ static irqreturn_t s5p_cec_irq_handler_t + cec_transmit_done(cec->adap, CEC_TX_STATUS_OK, 0, 0, 0, 0); + cec->tx = STATE_IDLE; + break; ++ case STATE_NACK: ++ cec_transmit_done(cec->adap, ++ CEC_TX_STATUS_MAX_RETRIES | CEC_TX_STATUS_NACK, ++ 0, 1, 0, 0); ++ cec->tx = STATE_IDLE; ++ break; + case STATE_ERROR: + cec_transmit_done(cec->adap, + CEC_TX_STATUS_MAX_RETRIES | CEC_TX_STATUS_ERROR, +--- a/drivers/media/platform/s5p-cec/s5p_cec.h ++++ b/drivers/media/platform/s5p-cec/s5p_cec.h +@@ -35,6 +35,7 @@ + #define CEC_STATUS_TX_TRANSFERRING (1 << 1) + #define CEC_STATUS_TX_DONE (1 << 2) + #define CEC_STATUS_TX_ERROR (1 << 3) ++#define CEC_STATUS_TX_NACK (1 << 4) + #define CEC_STATUS_TX_BYTES (0xFF << 8) + #define CEC_STATUS_RX_RUNNING (1 << 16) + #define CEC_STATUS_RX_RECEIVING (1 << 17) +@@ -55,6 +56,7 @@ enum cec_state { + STATE_IDLE, + STATE_BUSY, + STATE_DONE, ++ STATE_NACK, + STATE_ERROR + }; + diff --git a/queue-4.13/mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch b/queue-4.13/mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch new file mode 100644 index 00000000000..4c015467e7f --- /dev/null +++ b/queue-4.13/mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch @@ -0,0 +1,34 @@ +From eb701ce16a45ed9880897c48f05ee608d77c72e3 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 9 Oct 2017 10:24:01 +0300 +Subject: mmc: sdhci-pci: Fix default d3_retune for Intel host controllers + +From: Adrian Hunter + +commit eb701ce16a45ed9880897c48f05ee608d77c72e3 upstream. + +The default for d3_retune is true, but that was not being set in all cases, +which results in eMMC errors because re-tuning has not been done. +Fix by initializing d3_retune to true. + +Signed-off-by: Adrian Hunter +Fixes: c959a6b00ff5 ("mmc: sdhci-pci: Don't re-tune with runtime pm for some Intel devices") +Reported-and-tested-by: ojab +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-pci-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -449,6 +449,8 @@ static void intel_dsm_init(struct intel_ + int err; + u32 val; + ++ intel_host->d3_retune = true; ++ + err = __intel_dsm(intel_host, dev, INTEL_DSM_FNS, &intel_host->dsm_fns); + if (err) { + pr_debug("%s: DSM not supported, error %d\n", diff --git a/queue-4.13/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch b/queue-4.13/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch new file mode 100644 index 00000000000..b8092e95469 --- /dev/null +++ b/queue-4.13/pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch @@ -0,0 +1,34 @@ +From 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a Mon Sep 17 00:00:00 2001 +From: Eric Sesterhenn +Date: Sun, 8 Oct 2017 20:02:32 +0200 +Subject: pkcs7: Prevent NULL pointer dereference, since sinfo is not always set. + +From: Eric Sesterhenn + +commit 68a1fdbbf8bd3378325e45c19e167a165f9ffc3a upstream. + +The ASN.1 parser does not necessarily set the sinfo field, +this patch prevents a NULL pointer dereference on broken +input. + +Fixes: 99db44350672 ("PKCS#7: Appropriately restrict authenticated attributes and content type") +Signed-off-by: Eric Sesterhenn +Signed-off-by: David Howells +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/asymmetric_keys/pkcs7_parser.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/crypto/asymmetric_keys/pkcs7_parser.c ++++ b/crypto/asymmetric_keys/pkcs7_parser.c +@@ -88,6 +88,9 @@ static int pkcs7_check_authattrs(struct + bool want = false; + + sinfo = msg->signed_infos; ++ if (!sinfo) ++ goto inconsistent; ++ + if (sinfo->authattrs) { + want = true; + msg->have_authattrs = true; diff --git a/queue-4.13/revert-tools-power-turbostat-stop-migrating-unless-m.patch b/queue-4.13/revert-tools-power-turbostat-stop-migrating-unless-m.patch new file mode 100644 index 00000000000..c9fc9d19b37 --- /dev/null +++ b/queue-4.13/revert-tools-power-turbostat-stop-migrating-unless-m.patch @@ -0,0 +1,72 @@ +From c97cc7dbce2fe6f46e137f4b040f915a0181ee85 Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Tue, 17 Oct 2017 16:00:02 -0400 +Subject: Revert "tools/power turbostat: stop migrating, unless '-m'" + +From: Len Brown + +commit c97cc7dbce2fe6f46e137f4b040f915a0181ee85 upstream. + +This reverts commit c91fc8519d87715a3a173475ea3778794c139996. + +That change caused a C6 and PC6 residency regression on large idle systems. + +Users also complained about new output indicating jitter: + +turbostat: cpu6 jitter 3794 9142 + +Signed-off-by: Len Brown +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/x86/turbostat/turbostat.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -92,7 +92,6 @@ unsigned int do_ring_perf_limit_reasons; + unsigned int crystal_hz; + unsigned long long tsc_hz; + int base_cpu; +-int do_migrate; + double discover_bclk(unsigned int family, unsigned int model); + unsigned int has_hwp; /* IA32_PM_ENABLE, IA32_HWP_CAPABILITIES */ + /* IA32_HWP_REQUEST, IA32_HWP_STATUS */ +@@ -303,9 +302,6 @@ int for_all_cpus(int (func)(struct threa + + int cpu_migrate(int cpu) + { +- if (!do_migrate) +- return 0; +- + CPU_ZERO_S(cpu_affinity_setsize, cpu_affinity_set); + CPU_SET_S(cpu, cpu_affinity_setsize, cpu_affinity_set); + if (sched_setaffinity(0, cpu_affinity_setsize, cpu_affinity_set) == -1) +@@ -5007,7 +5003,6 @@ void cmdline(int argc, char **argv) + {"hide", required_argument, 0, 'H'}, // meh, -h taken by --help + {"Joules", no_argument, 0, 'J'}, + {"list", no_argument, 0, 'l'}, +- {"migrate", no_argument, 0, 'm'}, + {"out", required_argument, 0, 'o'}, + {"quiet", no_argument, 0, 'q'}, + {"show", required_argument, 0, 's'}, +@@ -5019,7 +5014,7 @@ void cmdline(int argc, char **argv) + + progname = argv[0]; + +- while ((opt = getopt_long_only(argc, argv, "+C:c:Ddhi:Jmo:qST:v", ++ while ((opt = getopt_long_only(argc, argv, "+C:c:Ddhi:JM:m:o:qST:v", + long_options, &option_index)) != -1) { + switch (opt) { + case 'a': +@@ -5062,9 +5057,6 @@ void cmdline(int argc, char **argv) + list_header_only++; + quiet++; + break; +- case 'm': +- do_migrate = 1; +- break; + case 'o': + outf = fopen_or_die(optarg, "w"); + break; diff --git a/queue-4.13/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch b/queue-4.13/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch new file mode 100644 index 00000000000..8bce34212de --- /dev/null +++ b/queue-4.13/rtlwifi-rtl8821ae-fix-connection-lost-problem.patch @@ -0,0 +1,36 @@ +From b8b8b16352cd90c6083033fd4487f04fae935c18 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 20 Sep 2017 16:15:05 -0500 +Subject: rtlwifi: rtl8821ae: Fix connection lost problem + +From: Larry Finger + +commit b8b8b16352cd90c6083033fd4487f04fae935c18 upstream. + +In commit 40b368af4b75 ("rtlwifi: Fix alignment issues"), the read +of REG_DBI_READ was changed from 16 to 8 bits. For unknown reasonsi +this change results in reduced stability for the wireless connection. +This regression was located using bisection. + +Fixes: 40b368af4b75 ("rtlwifi: Fix alignment issues") +Reported-and-tested-by: James Cameron +Signed-off-by: Larry Finger +Cc: Ping-Ke Shih +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8821ae/hw.c +@@ -1122,7 +1122,7 @@ static u8 _rtl8821ae_dbi_read(struct rtl + } + if (0 == tmp) { + read_addr = REG_DBI_RDATA + addr % 4; +- ret = rtl_read_byte(rtlpriv, read_addr); ++ ret = rtl_read_word(rtlpriv, read_addr); + } + return ret; + } diff --git a/queue-4.13/series b/queue-4.13/series index 3d90bd7e87c..f1ed61320a5 100644 --- a/queue-4.13/series +++ b/queue-4.13/series @@ -33,3 +33,33 @@ can-flexcan-fix-i.mx6-state-transition-issue.patch can-flexcan-fix-i.mx28-state-transition-issue.patch can-flexcan-fix-p1010-state-transition-issue.patch keys-encrypted-fix-dereference-of-null-user_key_payload.patch +mmc-sdhci-pci-fix-default-d3_retune-for-intel-host-controllers.patch +drm-i915-use-bdw_ddi_translations_fdi-for-broadwell.patch +drm-nouveau-kms-nv50-fix-oops-during-dp-irq-handling-on-non-mst-boards.patch +drm-nouveau-bsp-g92-disable-by-default.patch +drm-nouveau-mmu-flush-tlbs-before-deleting-page-tables.patch +media-s5p-cec-add-nack-detection-support.patch +media-cec-respond-to-unregistered-initiators-when-applicable.patch +media-dvb-i2c-transfers-over-usb-cannot-be-done-from-stack.patch +tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch +alsa-seq-enable-use-locking-in-all-configurations.patch +alsa-hda-remove-superfluous-added-by-printk-conversion.patch +alsa-hda-abort-capability-probe-at-invalid-register-read.patch +i2c-ismt-separate-i2c-block-read-from-smbus-block-read.patch +i2c-piix4-fix-smbus-port-selection-for-amd-family-17h-chips.patch +revert-tools-power-turbostat-stop-migrating-unless-m.patch +input-stmfts-fix-setting-abs_mt_position_-maximum-size.patch +brcmfmac-add-check-for-short-event-packets.patch +brcmsmac-make-some-local-variables-static-const-to-reduce-stack-size.patch +arm-dts-sun6i-fix-endpoint-ids-in-second-display-pipeline.patch +bus-mbus-fix-window-size-calculation-for-4gb-windows.patch +clockevents-drivers-cs5535-improve-resilience-to-spurious-interrupts.patch +rtlwifi-rtl8821ae-fix-connection-lost-problem.patch +x86-microcode-intel-disable-late-loading-on-model-79.patch +lib-digsig-fix-dereference-of-null-user_key_payload.patch +fscrypt-fix-dereference-of-null-user_key_payload.patch +ecryptfs-fix-dereference-of-null-user_key_payload.patch +keys-fix-race-between-updating-and-finding-a-negative-key.patch +fs-cache-fix-dereference-of-null-user_key_payload.patch +keys-don-t-let-add_key-update-an-uninstantiated-key.patch +pkcs7-prevent-null-pointer-dereference-since-sinfo-is-not-always-set.patch diff --git a/queue-4.13/tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch b/queue-4.13/tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch new file mode 100644 index 00000000000..bcdd490f642 --- /dev/null +++ b/queue-4.13/tracing-samples-fix-creation-and-deletion-of-simple_thread_fn-creation.patch @@ -0,0 +1,74 @@ +From 6575257c60e1a26a5319ccf2b5ce5b6449001017 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (VMware)" +Date: Tue, 17 Oct 2017 14:55:24 -0400 +Subject: tracing/samples: Fix creation and deletion of simple_thread_fn creation + +From: Steven Rostedt (VMware) + +commit 6575257c60e1a26a5319ccf2b5ce5b6449001017 upstream. + +Commit 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and +DEFINE_EVENT()") added template examples for all the events. It created a +DEFINE_EVENT_FN() example which reused the foo_bar_reg and foo_bar_unreg +functions. + +Enabling both the TRACE_EVENT_FN() and DEFINE_EVENT_FN() example trace +events caused the foo_bar_reg to be called twice, creating the test thread +twice. The foo_bar_unreg would remove it only once, even if it was called +multiple times, leaving a thread existing when the module is unloaded, +causing an oops. + +Add a ref count and allow foo_bar_reg() and foo_bar_unreg() be called by +multiple trace events. + +Fixes: 7496946a8 ("tracing: Add samples of DECLARE_EVENT_CLASS() and DEFINE_EVENT()") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + samples/trace_events/trace-events-sample.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/samples/trace_events/trace-events-sample.c ++++ b/samples/trace_events/trace-events-sample.c +@@ -78,29 +78,37 @@ static int simple_thread_fn(void *arg) + } + + static DEFINE_MUTEX(thread_mutex); ++static bool simple_thread_cnt; + + int foo_bar_reg(void) + { ++ mutex_lock(&thread_mutex); ++ if (simple_thread_cnt++) ++ goto out; ++ + pr_info("Starting thread for foo_bar_fn\n"); + /* + * We shouldn't be able to start a trace when the module is + * unloading (there's other locks to prevent that). But + * for consistency sake, we still take the thread_mutex. + */ +- mutex_lock(&thread_mutex); + simple_tsk_fn = kthread_run(simple_thread_fn, NULL, "event-sample-fn"); ++ out: + mutex_unlock(&thread_mutex); + return 0; + } + + void foo_bar_unreg(void) + { +- pr_info("Killing thread for foo_bar_fn\n"); +- /* protect against module unloading */ + mutex_lock(&thread_mutex); ++ if (--simple_thread_cnt) ++ goto out; ++ ++ pr_info("Killing thread for foo_bar_fn\n"); + if (simple_tsk_fn) + kthread_stop(simple_tsk_fn); + simple_tsk_fn = NULL; ++ out: + mutex_unlock(&thread_mutex); + } + diff --git a/queue-4.13/x86-microcode-intel-disable-late-loading-on-model-79.patch b/queue-4.13/x86-microcode-intel-disable-late-loading-on-model-79.patch new file mode 100644 index 00000000000..f81d7ae8ee2 --- /dev/null +++ b/queue-4.13/x86-microcode-intel-disable-late-loading-on-model-79.patch @@ -0,0 +1,73 @@ +From 723f2828a98c8ca19842042f418fb30dd8cfc0f7 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Wed, 18 Oct 2017 13:12:25 +0200 +Subject: x86/microcode/intel: Disable late loading on model 79 + +From: Borislav Petkov + +commit 723f2828a98c8ca19842042f418fb30dd8cfc0f7 upstream. + +Blacklist Broadwell X model 79 for late loading due to an erratum. + +Signed-off-by: Borislav Petkov +Acked-by: Tony Luck +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20171018111225.25635-1-bp@alien8.de +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/microcode/intel.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/arch/x86/kernel/cpu/microcode/intel.c ++++ b/arch/x86/kernel/cpu/microcode/intel.c +@@ -34,6 +34,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -917,6 +918,18 @@ static int get_ucode_fw(void *to, const + return 0; + } + ++static bool is_blacklisted(unsigned int cpu) ++{ ++ struct cpuinfo_x86 *c = &cpu_data(cpu); ++ ++ if (c->x86 == 6 && c->x86_model == INTEL_FAM6_BROADWELL_X) { ++ pr_err_once("late loading on model 79 is disabled.\n"); ++ return true; ++ } ++ ++ return false; ++} ++ + static enum ucode_state request_microcode_fw(int cpu, struct device *device, + bool refresh_fw) + { +@@ -925,6 +938,9 @@ static enum ucode_state request_microcod + const struct firmware *firmware; + enum ucode_state ret; + ++ if (is_blacklisted(cpu)) ++ return UCODE_NFOUND; ++ + sprintf(name, "intel-ucode/%02x-%02x-%02x", + c->x86, c->x86_model, c->x86_mask); + +@@ -949,6 +965,9 @@ static int get_ucode_user(void *to, cons + static enum ucode_state + request_microcode_user(int cpu, const void __user *buf, size_t size) + { ++ if (is_blacklisted(cpu)) ++ return UCODE_NFOUND; ++ + return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user); + } +