From: Greg Kroah-Hartman Date: Mon, 9 Apr 2018 19:57:20 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.104~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7aefe6ee363b924c18c65b89b7f8c4c6f5d4b42c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-ec-fix-debugfs_create_-usage.patch acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch acpica-events-add-runtime-stub-support-for-event-apis.patch acpica-osl-add-support-to-exclude-stdarg.h.patch af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch arm-dts-qcom-ipq4019-fix-i2c_0-node.patch arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch arp-honour-gratuitous-arp-_replies_.patch asoc-intel-cht_bsw_rt5645-analog-mic-support.patch asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch asoc-simple-card-fix-mic-jack-initialization.patch async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch backlight-report-error-on-failure.patch backlight-tdo24m-fix-the-spi-cs-between-transfers.patch bcache-segregate-flash-only-volume-write-streams.patch bcache-stop-writeback-thread-after-detaching.patch bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch block-fix-an-error-code-in-add_partition.patch bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch bna-avoid-reading-past-end-of-buffer.patch bnx2x-allow-vfs-to-disable-txvlan-offload.patch bonding-don-t-update-slave-link-until-ready-to-commit.patch btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch cfg80211-make-rate_info_bw_20-the-default.patch cifs-silence-lockdep-splat-in-cifs_relock_file.patch clk-at91-fix-clk-generated-parenting.patch clk-fix-__set_clk_rates-error-print-string.patch clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch coresight-fix-reference-count-for-software-sources.patch coresight-tmc-configure-dma-mask-appropriately.patch cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch cpuidle-dt-add-missing-of_node_put.patch crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch cx25840-fix-unchecked-return-values.patch cxgb4-fix-incorrect-cim_la-output-for-t6.patch cxgb4-fix-netdev_features-flag.patch cxgb4-fw-upgrade-fixes.patch cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch cxl-unlock-on-error-in-probe.patch dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch drm-amdkfd-null-dereference-involving-create_process.patch drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch drm-omap-fix-tiled-buffer-stride-calculations.patch drm-sun4i-ignore-the-generic-connectors-for-components.patch drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch e1000e-fix-race-condition-around-skb_tstamp_tx.patch e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch edac-mv64x60-fix-an-error-handling-path.patch ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch fix-loop-device-flush-before-configure-v3.patch fix-race-in-drivers-char-random.c-get_reg.patch fix-serial-console-on-sni-rm400-machines.patch fsl-qe-add-bit-description-for-synl-register-for-gumr.patch geneve-add-missing-rx-stats-accounting.patch gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch gpio-label-descriptors-using-the-device-name.patch hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch hsr-fix-incorrect-warning.patch hwmon-ina2xx-make-calibration-register-value-fixed.patch i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch i40evf-fix-merge-error-in-older-patch.patch i40iw-correct-q1-xf-object-count-equation.patch i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch ib-srpt-fix-abort-handling.patch igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch iio-hi8435-avoid-garbage-event-at-first-enable.patch iio-hi8435-cleanup-reset-gpio.patch iio-light-rpr0521-poweroff-for-probe-fails.patch iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch iio-pressure-zpa2326-report-interrupted-case-as-failure.patch input-elan_i2c-check-if-device-is-there-before-really-probing.patch input-elan_i2c-clear-int-before-resetting-controller.patch input-elantech-force-relative-mode-on-a-certain-module.patch input-goodix-disable-irqs-while-suspended.patch ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch ipmi_ssif-unlock-on-allocation-failure.patch ipmr-vrf-find-vifs-using-the-actual-device.patch ipsec-check-return-value-of-skb_to_sgvec-always.patch ipv6-avoid-dad-failures-for-addresses-with-nodad.patch irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch irqchip-mbigen-fix-the-clear-register-offset-calculation.patch iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch iwlwifi-mvm-fix-firmware-debug-restart-recording.patch iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch kvm-nvmx-fix-handling-of-lmsw-instruction.patch kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch kvm-x86-fix-preempt-the-preemption-timer-cancel.patch l2tp-fix-missing-print-session-offset-info.patch leds-pca955x-correct-i2c-functionality.patch libceph-null-deref-on-crush_decode-error-path.patch lockd-fix-lockd-shutdown-race.patch mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch mac80211-fix-setting-tx-power-on-monitor-interfaces.patch macsec-check-return-value-of-skb_to_sgvec-always.patch mceusb-sporadic-rx-truncation-corruption-fix.patch md-cluster-fix-potential-lock-issue-in-add_new_disk.patch md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch mdio-mux-correct-mdio_mux_init-error-path-issues.patch mdio-mux-fix-device_node_continue.cocci-warnings.patch media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch mips-mm-adjust-pkmap-location.patch mips-mm-fixed-mappings-correct-initialisation.patch misdn-fix-a-sleep-in-atomic-bug.patch mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch mtd-mtd_oobtest-handle-bitflips-during-reads.patch mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch neighbour-update-neigh-timestamps-iff-update-is-effective.patch net-cdc_ncm-fix-tx-zero-padding.patch net-emac-fix-reset-timeout-with-ar8035-phy.patch net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch net-ena-add-missing-unmap-bars-on-device-removal.patch net-ena-disable-admin-msix-while-working-in-polling-mode.patch net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch net-freescale-fix-potential-null-pointer-dereference.patch net-ieee802154-fix-net_device-reference-release-too-early.patch net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch net-mlx4-fix-the-check-in-attaching-steering-rules.patch net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch net-mlx4_en-change-default-qos-settings.patch net-mlx5-avoid-build-warning-for-uniprocessor.patch net-mlx5-tolerate-irq_set_affinity_hint-failures.patch net-move-somaxconn-init-from-sysctl-code.patch net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch net-qca_spi-fix-alignment-issues-in-rx-path.patch net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch net-x25-fix-one-potential-use-after-free-issue.patch netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch nfsv4.1-work-around-a-linux-server-bug.patch nvme-fix-hang-in-remove-path.patch nvme-pci-fix-multiple-ctrl-removal-scheduling.patch ovl-filter-trusted-xattr-for-non-admin.patch ovl-persistent-inode-numbers-for-upper-hardlinks.patch pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch perf-core-correct-event-creation-with-perf_format_group.patch perf-core-fix-error-handling-in-perf_event_alloc.patch perf-header-set-proper-module-name-when-build-id-event-found.patch perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch perf-report-fix-off-by-one-for-non-activation-frames.patch perf-tests-decompress-kernel-module-before-objdump.patch perf-tools-decompress-kernel-module-when-reading-dso-data.patch perf-tools-fix-copyfile_offset-update-of-output-offset.patch perf-trace-add-mmap-alias-for-s390.patch pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch powercap-fix-an-error-code-in-powercap_register_zone.patch powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch powerpc-don-t-clobber-tcr-when-setting-tcr.patch powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch powerpc-spufs-fix-coredump-of-spu-contexts.patch pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch qed-correct-doorbell-configuration-for-4kb-pages.patch qed-fix-overriding-of-supported-autoneg-value.patch qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch qlge-avoid-reading-past-end-of-buffer.patch ray_cs-avoid-reading-past-end-of-buffer.patch rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch rtc-interface-validate-alarm-time-before-handling-rollover.patch rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch rtc-snvs-fix-an-incorrect-check-of-return-value.patch s390-dasd-fix-hanging-safe-offline.patch s390-move-_text-symbol-to-address-higher-than-zero.patch sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch sched-numa-use-down_read_trylock-for-the-mmap_sem.patch scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch scsi-libsas-fix-error-when-getting-phy-events.patch scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch selftests-kselftest_harness-fix-compile-warning.patch selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch selinux-do-not-check-open-permission-on-sockets.patch serial-8250-omap-disable-dma-for-console-uart.patch serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch sh_eth-use-platform-device-for-printing-before-register_netdev.patch signal-arm-document-conflicts-with-si_user-and-sigfpe.patch signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch sit-reload-iphdr-in-ipip6_rcv.patch skbuff-only-inherit-relevant-tx_flags.patch skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch smb2-fix-share-type-handling.patch sparc64-ldc-abort-during-vds-iso-boot.patch staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch tags-honor-compiled_source-with-apart-output-directory.patch tcp-better-validation-of-received-ack-sequences.patch thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch ubi-fastmap-fix-slab-corruption.patch uio-fix-incorrect-memory-leak-cleanup.patch usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch usb-dwc3-keystone-check-return-value.patch usb-ene_usb6250-fix-first-command-execution.patch usb-ene_usb6250-fix-scsi-residue-overwriting.patch vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch vfs-close-race-between-getcwd-and-d_move.patch vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch watchdog-f71808e_wdt-add-f71868-support.patch wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch x.509-fix-error-code-in-x509_cert_parse.patch x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch x86-boot-declare-error-as-noreturn.patch x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch x86-tsc-provide-tsc-unstable-boot-parameter.patch xen-avoid-type-warning-in-xchg_xen_ulong.patch xfrm-fix-state-migration-copy-replay-sequence-numbers.patch --- diff --git a/queue-4.9/acpi-ec-fix-debugfs_create_-usage.patch b/queue-4.9/acpi-ec-fix-debugfs_create_-usage.patch new file mode 100644 index 00000000000..2094e2cdf23 --- /dev/null +++ b/queue-4.9/acpi-ec-fix-debugfs_create_-usage.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Geert Uytterhoeven +Date: Tue, 2 Jan 2018 16:26:31 +0100 +Subject: ACPI: EC: Fix debugfs_create_*() usage + +From: Geert Uytterhoeven + + +[ Upstream commit 3522f867c13b63cf62acdf1b8ca5664c549a716a ] + +acpi_ec.gpe is "unsigned long", hence treating it as "u32" would expose +the wrong half on big-endian 64-bit systems. Fix this by changing its +type to "u32" and removing the cast, as all other code already uses u32 +or sometimes even only u8. + +Fixes: 1195a098168fcacf (ACPI: Provide /sys/kernel/debug/ec/...) +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/ec.c | 2 +- + drivers/acpi/ec_sys.c | 2 +- + drivers/acpi/internal.h | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/acpi/ec.c ++++ b/drivers/acpi/ec.c +@@ -1518,7 +1518,7 @@ static int acpi_ec_setup(struct acpi_ec + } + + acpi_handle_info(ec->handle, +- "GPE=0x%lx, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n", ++ "GPE=0x%x, EC_CMD/EC_SC=0x%lx, EC_DATA=0x%lx\n", + ec->gpe, ec->command_addr, ec->data_addr); + return ret; + } +--- a/drivers/acpi/ec_sys.c ++++ b/drivers/acpi/ec_sys.c +@@ -128,7 +128,7 @@ static int acpi_ec_add_debugfs(struct ac + return -ENOMEM; + } + +- if (!debugfs_create_x32("gpe", 0444, dev_dir, (u32 *)&first_ec->gpe)) ++ if (!debugfs_create_x32("gpe", 0444, dev_dir, &first_ec->gpe)) + goto error; + if (!debugfs_create_bool("use_global_lock", 0444, dev_dir, + &first_ec->global_lock)) +--- a/drivers/acpi/internal.h ++++ b/drivers/acpi/internal.h +@@ -158,7 +158,7 @@ static inline void acpi_early_processor_ + -------------------------------------------------------------------------- */ + struct acpi_ec { + acpi_handle handle; +- unsigned long gpe; ++ u32 gpe; + unsigned long command_addr; + unsigned long data_addr; + bool global_lock; diff --git a/queue-4.9/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch b/queue-4.9/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch new file mode 100644 index 00000000000..bd58ddef9c2 --- /dev/null +++ b/queue-4.9/acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Sat, 23 Dec 2017 19:41:47 +0100 +Subject: ACPI / video: Default lcd_only to true on Win8-ready and newer machines + +From: Hans de Goede + + +[ Upstream commit 5928c281524fe451114e04f1dfa11246a37e859f ] + +We're seeing a lot of bogus backlight interfaces on newer machines without +a LCD such as desktops, servers and HDMI sticks. This causes userspace to +show a non-functional brightness slider in e.g. the GNOME3 system menu, +which is undesirable. And, in general, we should simply just not register +a non functional backlight interface. + +Checking the LCD flag causes the bogus acpi_video backlight interfaces to +go away (on the machines this was tested on). + +This change sets the lcd_only option by default on any machines which +are Win8-ready, to fix this. + +This is not entirely without a risk of regressions, but video_detect.c +already prefers native-backlight interfaces over the acpi_video one +on Win8-ready machines, calling acpi_video_unregister_backlight() as soon +as a native interface shows up. This is done because the ACPI backlight +interface often is broken on Win8-ready machines, because win8 does not +seem to actually use it. + +So in practice we already end up not registering the ACPI backlight +interface on (most) Win8-ready machines with a LCD panel, thus this +change does not change anything for (most) machines with a LCD panel +and on machines without a LCD panel we actually don't want to register +any backlight interfaces. + +This has been tested on the following machines and fixes a bogus backlight +interface showing up there: + - Desktop with an Asrock B150M Pro4S/D3 m.b. using i5-6500 builtin gfx + - Intel Compute Stick STK1AW32SC + - Meegopad T08 HDMI stick + +Bogus backlight interfaces have also been reported on: + - Desktop with Asus H87I-Plus m.b. + - Desktop with ASRock B75M-ITX m.b. + - Desktop with Gigabyte Z87-D3HP m.b. + - Dell PowerEdge T20 desktop + +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1097436 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133327 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133329 +Link: https://bugzilla.redhat.com/show_bug.cgi?id=1133646 +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_video.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/acpi/acpi_video.c ++++ b/drivers/acpi/acpi_video.c +@@ -87,8 +87,8 @@ MODULE_PARM_DESC(report_key_events, + static bool device_id_scheme = false; + module_param(device_id_scheme, bool, 0444); + +-static bool only_lcd = false; +-module_param(only_lcd, bool, 0444); ++static int only_lcd = -1; ++module_param(only_lcd, int, 0444); + + static int register_count; + static DEFINE_MUTEX(register_count_mutex); +@@ -2082,6 +2082,16 @@ int acpi_video_register(void) + goto leave; + } + ++ /* ++ * We're seeing a lot of bogus backlight interfaces on newer machines ++ * without a LCD such as desktops, servers and HDMI sticks. Checking ++ * the lcd flag fixes this, so enable this on any machines which are ++ * win8 ready (where we also prefer the native backlight driver, so ++ * normally the acpi_video code should not register there anyways). ++ */ ++ if (only_lcd == -1) ++ only_lcd = acpi_osi_is_win8(); ++ + dmi_check_system(video_dmi_table); + + ret = acpi_bus_register_driver(&acpi_video_bus); diff --git a/queue-4.9/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch b/queue-4.9/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch new file mode 100644 index 00000000000..5e482ba82cc --- /dev/null +++ b/queue-4.9/acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Bob Moore +Date: Mon, 5 Jun 2017 16:40:34 +0800 +Subject: ACPICA: Disassembler: Abort on an invalid/unknown AML opcode + +From: Bob Moore + + +[ Upstream commit 6f0527b77d9e0129dd8e50945b0d610ed943d6b2 ] + +ACPICA commit ed0389cb11a61e63c568ac1f67948fc6a7bd1aeb + +An invalid opcode indicates something seriously wrong with the +input AML file. The AML parser is immediately confused and lost, +causing the resulting parse tree to be ill-formed. The actual +disassembly can then cause numerous unrelated errors and faults. + +This change aborts the disassembly upon discovery of such an +opcode during the AML parse phase. + +Link: https://github.com/acpica/acpica/commit/ed0389cb +Signed-off-by: Bob Moore +Signed-off-by: Lv Zheng +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/psobject.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/acpi/acpica/psobject.c ++++ b/drivers/acpi/acpica/psobject.c +@@ -121,6 +121,9 @@ static acpi_status acpi_ps_get_aml_opcod + (u32)(aml_offset + + sizeof(struct acpi_table_header))); + ++ ACPI_ERROR((AE_INFO, ++ "Aborting disassembly, AML byte code is corrupt")); ++ + /* Dump the context surrounding the invalid opcode */ + + acpi_ut_dump_buffer(((u8 *)walk_state->parser_state. +@@ -129,6 +132,14 @@ static acpi_status acpi_ps_get_aml_opcod + sizeof(struct acpi_table_header) - + 16)); + acpi_os_printf(" */\n"); ++ ++ /* ++ * Just abort the disassembly, cannot continue because the ++ * parser is essentially lost. The disassembler can then ++ * randomly fail because an ill-constructed parse tree ++ * can result. ++ */ ++ return_ACPI_STATUS(AE_AML_BAD_OPCODE); + #endif + } + +@@ -293,6 +304,9 @@ acpi_ps_create_op(struct acpi_walk_state + if (status == AE_CTRL_PARSE_CONTINUE) { + return_ACPI_STATUS(AE_CTRL_PARSE_CONTINUE); + } ++ if (ACPI_FAILURE(status)) { ++ return_ACPI_STATUS(status); ++ } + + /* Create Op structure and append to parent's argument list */ + diff --git a/queue-4.9/acpica-events-add-runtime-stub-support-for-event-apis.patch b/queue-4.9/acpica-events-add-runtime-stub-support-for-event-apis.patch new file mode 100644 index 00000000000..0dbafa2dc8d --- /dev/null +++ b/queue-4.9/acpica-events-add-runtime-stub-support-for-event-apis.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Lv Zheng +Date: Mon, 5 Jun 2017 16:40:02 +0800 +Subject: ACPICA: Events: Add runtime stub support for event APIs + +From: Lv Zheng + + +[ Upstream commit 861ba6351c520328e94a78c923b415faa9116287 ] + +ACPICA commit 99bc3beca92c6574ea1d69de42e54f872e6373ce + +It is reported that on Linux, RTC driver complains wrong errors on +hardware reduced platform: + [ 4.085420] ACPI Warning: Could not enable fixed event - real_time_clock (4) (20160422/evxface-654) + +This patch fixes this by correctly adding runtime reduced hardware check. +Reported by Chandan Tagore, fixed by Lv Zheng. + +Link: https://github.com/acpica/acpica/commit/99bc3bec +Tested-by: Chandan Tagore +Signed-off-by: Lv Zheng +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpica/evxfevnt.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/acpi/acpica/evxfevnt.c ++++ b/drivers/acpi/acpica/evxfevnt.c +@@ -180,6 +180,12 @@ acpi_status acpi_enable_event(u32 event, + + ACPI_FUNCTION_TRACE(acpi_enable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -237,6 +243,12 @@ acpi_status acpi_disable_event(u32 event + + ACPI_FUNCTION_TRACE(acpi_disable_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { +@@ -290,6 +302,12 @@ acpi_status acpi_clear_event(u32 event) + + ACPI_FUNCTION_TRACE(acpi_clear_event); + ++ /* If Hardware Reduced flag is set, there are no fixed events */ ++ ++ if (acpi_gbl_reduced_hardware) { ++ return_ACPI_STATUS(AE_OK); ++ } ++ + /* Decode the Fixed Event */ + + if (event > ACPI_EVENT_MAX) { diff --git a/queue-4.9/acpica-osl-add-support-to-exclude-stdarg.h.patch b/queue-4.9/acpica-osl-add-support-to-exclude-stdarg.h.patch new file mode 100644 index 00000000000..892b265f356 --- /dev/null +++ b/queue-4.9/acpica-osl-add-support-to-exclude-stdarg.h.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Lv Zheng +Date: Mon, 5 Jun 2017 16:39:56 +0800 +Subject: ACPICA: OSL: Add support to exclude stdarg.h + +From: Lv Zheng + + +[ Upstream commit 84676b87b27d8aefafb9f712a5b444938f284513 ] + +ACPICA commit e2df7455a9a4301b03668e4c9c02c7a564cc841c + +Some hosts may choose not to include stdarg.h, implementing a +configurability in acgcc.h, allowing OSen like Solaris to exclude stdarg.h. +This patch also fixes acintel.h accordingly without providing builtin +support as Intel compiler is similar as GCC. Reported by Dana Myers, fixed +by Lv Zheng. + +Link: https://github.com/acpica/acpica/commit/e2df7455 +Reported-by: Dana Myers +Signed-off-by: Lv Zheng +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/acpi/platform/acgcc.h | 10 ++++++++++ + include/acpi/platform/acintel.h | 2 ++ + 2 files changed, 12 insertions(+) + +--- a/include/acpi/platform/acgcc.h ++++ b/include/acpi/platform/acgcc.h +@@ -48,7 +48,17 @@ + * Use compiler specific is a good practice for even when + * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined. + */ ++#ifndef va_arg ++#ifdef ACPI_USE_BUILTIN_STDARG ++typedef __builtin_va_list va_list; ++#define va_start(v, l) __builtin_va_start(v, l) ++#define va_end(v) __builtin_va_end(v) ++#define va_arg(v, l) __builtin_va_arg(v, l) ++#define va_copy(d, s) __builtin_va_copy(d, s) ++#else + #include ++#endif ++#endif + + #define ACPI_INLINE __inline__ + +--- a/include/acpi/platform/acintel.h ++++ b/include/acpi/platform/acintel.h +@@ -48,7 +48,9 @@ + * Use compiler specific is a good practice for even when + * -nostdinc is specified (i.e., ACPI_USE_STANDARD_HEADERS undefined. + */ ++#ifndef va_arg + #include ++#endif + + /* Configuration specific to Intel 64-bit C compiler */ + diff --git a/queue-4.9/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch b/queue-4.9/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch new file mode 100644 index 00000000000..144c7d09e57 --- /dev/null +++ b/queue-4.9/af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Steffen Klassert +Date: Fri, 5 May 2017 07:40:42 +0200 +Subject: af_key: Fix slab-out-of-bounds in pfkey_compile_policy. + +From: Steffen Klassert + + +[ Upstream commit d90c902449a7561f1b1d58ba5a0d11728ce8b0b2 ] + +The sadb_x_sec_len is stored in the unit 'byte divided by eight'. +So we have to multiply this value by eight before we can do +size checks. Otherwise we may get a slab-out-of-bounds when +we memcpy the user sec_ctx. + +Fixes: df71837d502 ("[LSM-IPSec]: Security association restriction.") +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/key/af_key.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3305,7 +3305,7 @@ static struct xfrm_policy *pfkey_compile + p += pol->sadb_x_policy_len*8; + sec_ctx = (struct sadb_x_sec_ctx *)p; + if (len < pol->sadb_x_policy_len*8 + +- sec_ctx->sadb_x_sec_len) { ++ sec_ctx->sadb_x_sec_len*8) { + *dir = -EINVAL; + goto out; + } diff --git a/queue-4.9/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch b/queue-4.9/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch new file mode 100644 index 00000000000..e3e5af07ffa --- /dev/null +++ b/queue-4.9/arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch @@ -0,0 +1,60 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Suman Anna +Date: Tue, 16 May 2017 17:13:45 -0500 +Subject: ARM: davinci: da8xx: Create DSP device only when assigned memory + +From: Suman Anna + + +[ Upstream commit f97f03578b997a8ec2b9bc4928f958a865137268 ] + +The DSP device on Davinci platforms does not have an MMU and requires +specific DDR memory to boot. This memory is reserved using the rproc_mem +kernel boot parameter and is assigned to the device on non-DT boots. +The remoteproc core uses the DMA API and so will fall back to assigning +random memory if this memory is not assigned to the device, but the DSP +remote processor boot will not be successful in such cases. So, check +that memory has been reserved and assigned to the device specifically +before even creating the DSP device. + +Signed-off-by: Suman Anna +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/devices-da8xx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/arm/mach-davinci/devices-da8xx.c ++++ b/arch/arm/mach-davinci/devices-da8xx.c +@@ -821,6 +821,8 @@ static struct platform_device da8xx_dsp + .resource = da8xx_rproc_resources, + }; + ++static bool rproc_mem_inited __initdata; ++ + #if IS_ENABLED(CONFIG_DA8XX_REMOTEPROC) + + static phys_addr_t rproc_base __initdata; +@@ -859,6 +861,8 @@ void __init da8xx_rproc_reserve_cma(void + ret = dma_declare_contiguous(&da8xx_dsp.dev, rproc_size, rproc_base, 0); + if (ret) + pr_err("%s: dma_declare_contiguous failed %d\n", __func__, ret); ++ else ++ rproc_mem_inited = true; + } + + #else +@@ -873,6 +877,12 @@ int __init da8xx_register_rproc(void) + { + int ret; + ++ if (!rproc_mem_inited) { ++ pr_warn("%s: memory not reserved for DSP, not registering DSP device\n", ++ __func__); ++ return -ENOMEM; ++ } ++ + ret = platform_device_register(&da8xx_dsp); + if (ret) + pr_err("%s: can't register DSP device: %d\n", __func__, ret); diff --git a/queue-4.9/arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch b/queue-4.9/arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch new file mode 100644 index 00000000000..07c88937d3b --- /dev/null +++ b/queue-4.9/arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Geert Uytterhoeven +Date: Thu, 1 Jun 2017 12:27:00 +0200 +Subject: ARM: dts: armadillo800eva: Split LCD mux and gpio + +From: Geert Uytterhoeven + + +[ Upstream commit 13132b3f44d3600983aceb7e9920b8ebb55a7cf8 ] + +Configuration of the lcd0 pinmux group and GPIO hog for the external +GPIO mux are done using a single device node, causing the "output-high" +property to be applied to both. This will fail for the pinmux group, +but doesn't cause any harm, as the failure is ignored silently. + +However, after "pinctrl: sh-pfc: propagate errors on group config", the +failure will become fatal, leading to a broken display: + + sh-pfc e6050000.pin-controller: pin_config_group_set op failed for group 102 + sh-pfc e6050000.pin-controller: Error applying setting, reverse things back + sh-pfc e6050000.pin-controller: failed to select default state + +Move the GPIO hog to its own node to fix this. + +Fixes: ffd2f9a5afb730b9 ("ARM: shmobile: armadillo800eva dts: Add pinctrl and gpio-hog for lcdc0") +Signed-off-by: Geert Uytterhoeven +Acked-by: Laurent Pinchart +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/r8a7740-armadillo800eva.dts | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/r8a7740-armadillo800eva.dts ++++ b/arch/arm/boot/dts/r8a7740-armadillo800eva.dts +@@ -266,7 +266,9 @@ + lcd0_pins: lcd0 { + groups = "lcd0_data24_0", "lcd0_lclk_1", "lcd0_sync"; + function = "lcd0"; ++ }; + ++ lcd0_mux { + /* DBGMD/LCDC0/FSIA MUX */ + gpio-hog; + gpios = <176 0>; diff --git a/queue-4.9/arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch b/queue-4.9/arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch new file mode 100644 index 00000000000..a033feff9d5 --- /dev/null +++ b/queue-4.9/arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Fabio Estevam +Date: Wed, 12 Apr 2017 18:31:18 -0300 +Subject: ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin + +From: Fabio Estevam + + +[ Upstream commit 2fe4bff3516924a37e083e3211364abe59db1161 ] + +Currently the following errors are seen: + +[ 14.015056] mc13xxx 0-0008: Failed to read IRQ status: -6 +[ 27.321093] mc13xxx 0-0008: Failed to read IRQ status: -6 +[ 27.411681] mc13xxx 0-0008: Failed to read IRQ status: -6 +[ 27.456281] mc13xxx 0-0008: Failed to read IRQ status: -6 +[ 30.527106] mc13xxx 0-0008: Failed to read IRQ status: -6 +[ 36.596900] mc13xxx 0-0008: Failed to read IRQ status: -6 + +Also when reading the interrupts via 'cat /proc/interrupts' the +PMIC GPIO interrupt counter does not stop increasing. + +The reason for the storm of interrupts is that the PUS field of +register IOMUXC_SW_PAD_CTL_PAD_CSI0_DAT5 is currently configured as: +10 : 100k pullup + +and the PMIC interrupt is being registered as IRQ_TYPE_LEVEL_HIGH type, +which is the correct type as per the MC34708 datasheet. + +Use the default power on value for the IOMUX, which sets PUS field as: +00: 360k pull down + +This prevents the spurious PMIC interrupts from happening. + +Commit e1ffceb078c6 ("ARM: imx53: qsrb: fix PMIC interrupt level") +correctly described the irq type as IRQ_TYPE_LEVEL_HIGH, but +missed to update the IOMUX of the PMIC GPIO as pull down. + +Fixes: e1ffceb078c6 ("ARM: imx53: qsrb: fix PMIC interrupt level") +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx53-qsrb.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx53-qsrb.dts ++++ b/arch/arm/boot/dts/imx53-qsrb.dts +@@ -23,7 +23,7 @@ + imx53-qsrb { + pinctrl_pmic: pmicgrp { + fsl,pins = < +- MX53_PAD_CSI0_DAT5__GPIO5_23 0x1e4 /* IRQ */ ++ MX53_PAD_CSI0_DAT5__GPIO5_23 0x1c4 /* IRQ */ + >; + }; + }; diff --git a/queue-4.9/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch b/queue-4.9/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch new file mode 100644 index 00000000000..eb42c7be604 --- /dev/null +++ b/queue-4.9/arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Fabio Estevam +Date: Sun, 14 May 2017 11:50:50 -0300 +Subject: ARM: dts: imx6qdl-wandboard: Fix audio channel swap + +From: Fabio Estevam + + +[ Upstream commit 79935915300c5eb88a0e94fa9148a7505c14a02a ] + +When running a stress playback/stop loop test on a mx6wandboard channel +swaps can be noticed randomly. + +Increasing the SGTL5000 LRCLK pad strength to its maximum value fixes +the issue, so add the 'lrclk-strength' property to avoid the audio +channel swaps. + +Signed-off-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/imx6qdl-wandboard.dtsi ++++ b/arch/arm/boot/dts/imx6qdl-wandboard.dtsi +@@ -88,6 +88,7 @@ + clocks = <&clks IMX6QDL_CLK_CKO>; + VDDA-supply = <®_2p5v>; + VDDIO-supply = <®_3p3v>; ++ lrclk-strength = <3>; + }; + }; + diff --git a/queue-4.9/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch b/queue-4.9/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch new file mode 100644 index 00000000000..eb08f929080 --- /dev/null +++ b/queue-4.9/arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Rasmus Villemoes +Date: Thu, 16 Nov 2017 13:15:26 +0100 +Subject: ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node + +From: Rasmus Villemoes + + +[ Upstream commit d5c7b4d5ac2237a6da7ced3adfe6b8bf769f8cc6 ] + +Commit a22950c888e3 (mmc: sdhci-of-esdhc: add quirk +SDHCI_QUIRK_BROKEN_TIMEOUT_VAL for ls1021a) added logic to the driver to +enable the broken timeout val quirk for ls1021a, but did not add the +corresponding compatible string to the device tree, so it didn't really +have any effect. Fix that. + +Signed-off-by: Rasmus Villemoes +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -146,7 +146,7 @@ + }; + + esdhc: esdhc@1560000 { +- compatible = "fsl,esdhc"; ++ compatible = "fsl,ls1021a-esdhc", "fsl,esdhc"; + reg = <0x0 0x1560000 0x0 0x10000>; + interrupts = ; + clock-frequency = <0>; diff --git a/queue-4.9/arm-dts-qcom-ipq4019-fix-i2c_0-node.patch b/queue-4.9/arm-dts-qcom-ipq4019-fix-i2c_0-node.patch new file mode 100644 index 00000000000..573c36e7612 --- /dev/null +++ b/queue-4.9/arm-dts-qcom-ipq4019-fix-i2c_0-node.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christian Lamparter +Date: Tue, 2 May 2017 21:19:24 +0200 +Subject: ARM: dts: qcom: ipq4019: fix i2c_0 node + +From: Christian Lamparter + + +[ Upstream commit 650df439cfb96c303328935559b2d06127a5a0b0 ] + +This patch fixes two typos in the i2c_0 node for the ipq4019. +The reg property length is just 0x600. The core clock is +GCC_BLSP1_QUP1_I2C_APPS_CLK. GCC_BLSP1_QUP2_I2C_APPS_CLK is +used by the second i2c. + +Fixes: e76b4284b520ba3 ("qcom: ipq4019: add i2c node to ipq4019 SoC and DK01 device tree") +Signed-off-by: Christian Lamparter +Signed-off-by: Andy Gross +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/qcom-ipq4019.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/qcom-ipq4019.dtsi ++++ b/arch/arm/boot/dts/qcom-ipq4019.dtsi +@@ -154,10 +154,10 @@ + + i2c_0: i2c@78b7000 { + compatible = "qcom,i2c-qup-v2.2.1"; +- reg = <0x78b7000 0x6000>; ++ reg = <0x78b7000 0x600>; + interrupts = ; + clocks = <&gcc GCC_BLSP1_AHB_CLK>, +- <&gcc GCC_BLSP1_QUP2_I2C_APPS_CLK>; ++ <&gcc GCC_BLSP1_QUP1_I2C_APPS_CLK>; + clock-names = "iface", "core"; + #address-cells = <1>; + #size-cells = <0>; diff --git a/queue-4.9/arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch b/queue-4.9/arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch new file mode 100644 index 00000000000..b71db6c0f3a --- /dev/null +++ b/queue-4.9/arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Sugar Zhang +Date: Wed, 17 May 2017 17:52:24 +0800 +Subject: ARM: dts: rockchip: fix rk322x i2s1 pinctrl error + +From: Sugar Zhang + + +[ Upstream commit 9d420e9b4140f8938ad6aa0d29e2428a2af6122b ] + +Refer to Chapter 5.3.2 of rk3229 TRM, we can see that GPIO1A[2,4,5] +using RK_FUNC_2 not RK_FUNC_1. This patch fixes it. + +Signed-off-by: Sugar Zhang +Signed-off-by: Frank Wang +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/rk322x.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/boot/dts/rk322x.dtsi ++++ b/arch/arm/boot/dts/rk322x.dtsi +@@ -617,9 +617,9 @@ + <0 12 RK_FUNC_1 &pcfg_pull_none>, + <0 13 RK_FUNC_1 &pcfg_pull_none>, + <0 14 RK_FUNC_1 &pcfg_pull_none>, +- <1 2 RK_FUNC_1 &pcfg_pull_none>, +- <1 4 RK_FUNC_1 &pcfg_pull_none>, +- <1 5 RK_FUNC_1 &pcfg_pull_none>; ++ <1 2 RK_FUNC_2 &pcfg_pull_none>, ++ <1 4 RK_FUNC_2 &pcfg_pull_none>, ++ <1 5 RK_FUNC_2 &pcfg_pull_none>; + }; + }; + diff --git a/queue-4.9/arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch b/queue-4.9/arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch new file mode 100644 index 00000000000..5fdc44263e9 --- /dev/null +++ b/queue-4.9/arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch @@ -0,0 +1,60 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Leonard Crestez +Date: Tue, 6 Jun 2017 20:50:42 +0300 +Subject: ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull + +From: Leonard Crestez + + +[ Upstream commit b3ea575770c7eeb259c77b6861cd14d00eb309df ] + +Support for imx6ull is already present but it's based on +of_machine_is_compatible("fsl,imx6ull") checks. Add it to the MXC_CPU_* +enumeration as well. + +This also fixes /sys/devices/soc0/soc_id reading "Unknown". + +Signed-off-by: Leonard Crestez +Reviewed-by: Fabio Estevam +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-imx/cpu.c | 3 +++ + arch/arm/mach-imx/mxc.h | 6 ++++++ + 2 files changed, 9 insertions(+) + +--- a/arch/arm/mach-imx/cpu.c ++++ b/arch/arm/mach-imx/cpu.c +@@ -131,6 +131,9 @@ struct device * __init imx_soc_device_in + case MXC_CPU_IMX6UL: + soc_id = "i.MX6UL"; + break; ++ case MXC_CPU_IMX6ULL: ++ soc_id = "i.MX6ULL"; ++ break; + case MXC_CPU_IMX7D: + soc_id = "i.MX7D"; + break; +--- a/arch/arm/mach-imx/mxc.h ++++ b/arch/arm/mach-imx/mxc.h +@@ -39,6 +39,7 @@ + #define MXC_CPU_IMX6SX 0x62 + #define MXC_CPU_IMX6Q 0x63 + #define MXC_CPU_IMX6UL 0x64 ++#define MXC_CPU_IMX6ULL 0x65 + #define MXC_CPU_IMX7D 0x72 + + #define IMX_DDR_TYPE_LPDDR2 1 +@@ -73,6 +74,11 @@ static inline bool cpu_is_imx6ul(void) + return __mxc_cpu_type == MXC_CPU_IMX6UL; + } + ++static inline bool cpu_is_imx6ull(void) ++{ ++ return __mxc_cpu_type == MXC_CPU_IMX6ULL; ++} ++ + static inline bool cpu_is_imx6q(void) + { + return __mxc_cpu_type == MXC_CPU_IMX6Q; diff --git a/queue-4.9/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch b/queue-4.9/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch new file mode 100644 index 00000000000..2f106b96678 --- /dev/null +++ b/queue-4.9/arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Will Deacon +Date: Wed, 5 Apr 2017 11:14:05 +0100 +Subject: arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage + +From: Will Deacon + + +[ Upstream commit 5f16a046f8e144c294ef98cd29d9458b5f8273e5 ] + +FUTEX_OP_OPARG_SHIFT instructs the futex code to treat the 12-bit oparg +field as a shift value, potentially leading to a left shift value that +is negative or with an absolute value that is significantly larger then +the size of the type. UBSAN chokes with: + +================================================================================ +UBSAN: Undefined behaviour in ./arch/arm64/include/asm/futex.h:60:13 +shift exponent -1 is negative +CPU: 1 PID: 1449 Comm: syz-executor0 Not tainted 4.11.0-rc4-00005-g977eb52-dirty #11 +Hardware name: linux,dummy-virt (DT) +Call trace: +[] dump_backtrace+0x0/0x538 arch/arm64/kernel/traps.c:73 +[] show_stack+0x20/0x30 arch/arm64/kernel/traps.c:228 +[] __dump_stack lib/dump_stack.c:16 [inline] +[] dump_stack+0x120/0x188 lib/dump_stack.c:52 +[] ubsan_epilogue+0x18/0x98 lib/ubsan.c:164 +[] __ubsan_handle_shift_out_of_bounds+0x250/0x294 lib/ubsan.c:421 +[] futex_atomic_op_inuser arch/arm64/include/asm/futex.h:60 [inline] +[] futex_wake_op kernel/futex.c:1489 [inline] +[] do_futex+0x137c/0x1740 kernel/futex.c:3231 +[] SYSC_futex kernel/futex.c:3281 [inline] +[] SyS_futex+0x114/0x268 kernel/futex.c:3249 +[] el0_svc_naked+0x24/0x28 +================================================================================ +syz-executor1 uses obsolete (PF_INET,SOCK_PACKET) +sock: process `syz-executor0' is using obsolete setsockopt SO_BSDCOMPAT + +This patch attempts to fix some of this by: + + * Making encoded_op an unsigned type, so we can shift it left even if + the top bit is set. + + * Casting to signed prior to shifting right when extracting oparg + and cmparg + + * Consider only the bottom 5 bits of oparg when using it as a left-shift + value. + +Whilst I think this catches all of the issues, I'd much prefer to remove +this stuff, as I think it's unused and the bugs are copy-pasted between +a bunch of architectures. + +Reviewed-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/futex.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/arm64/include/asm/futex.h ++++ b/arch/arm64/include/asm/futex.h +@@ -51,16 +51,16 @@ + : "memory") + + static inline int +-futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr) ++futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) + { + int op = (encoded_op >> 28) & 7; + int cmp = (encoded_op >> 24) & 15; +- int oparg = (encoded_op << 8) >> 20; +- int cmparg = (encoded_op << 20) >> 20; ++ int oparg = (int)(encoded_op << 8) >> 20; ++ int cmparg = (int)(encoded_op << 20) >> 20; + int oldval = 0, ret, tmp; + + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) +- oparg = 1 << oparg; ++ oparg = 1U << (oparg & 0x1f); + + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) + return -EFAULT; diff --git a/queue-4.9/arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch b/queue-4.9/arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch new file mode 100644 index 00000000000..f13db9290e3 --- /dev/null +++ b/queue-4.9/arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch @@ -0,0 +1,77 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ard Biesheuvel +Date: Fri, 19 May 2017 16:42:00 +0100 +Subject: arm64: kernel: restrict /dev/mem read() calls to linear region + +From: Ard Biesheuvel + + +[ Upstream commit 1151f838cb626005f4d69bf675dacaaa5ea909d6 ] + +When running lscpu on an AArch64 system that has SMBIOS version 2.0 +tables, it will segfault in the following way: + + Unable to handle kernel paging request at virtual address ffff8000bfff0000 + pgd = ffff8000f9615000 + [ffff8000bfff0000] *pgd=0000000000000000 + Internal error: Oops: 96000007 [#1] PREEMPT SMP + Modules linked in: + CPU: 0 PID: 1284 Comm: lscpu Not tainted 4.11.0-rc3+ #103 + Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015 + task: ffff8000fa78e800 task.stack: ffff8000f9780000 + PC is at __arch_copy_to_user+0x90/0x220 + LR is at read_mem+0xcc/0x140 + +This is caused by the fact that lspci issues a read() on /dev/mem at the +offset where it expects to find the SMBIOS structure array. However, this +region is classified as EFI_RUNTIME_SERVICE_DATA (as per the UEFI spec), +and so it is omitted from the linear mapping. + +So let's restrict /dev/mem read/write access to those areas that are +covered by the linear region. + +Reported-by: Alexander Graf +Fixes: 4dffbfc48d65 ("arm64/efi: mark UEFI reserved regions as MEMBLOCK_NOMAP") +Signed-off-by: Ard Biesheuvel +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/mm/mmap.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +--- a/arch/arm64/mm/mmap.c ++++ b/arch/arm64/mm/mmap.c +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -102,12 +103,18 @@ void arch_pick_mmap_layout(struct mm_str + */ + int valid_phys_addr_range(phys_addr_t addr, size_t size) + { +- if (addr < PHYS_OFFSET) +- return 0; +- if (addr + size > __pa(high_memory - 1) + 1) +- return 0; +- +- return 1; ++ /* ++ * Check whether addr is covered by a memory region without the ++ * MEMBLOCK_NOMAP attribute, and whether that region covers the ++ * entire range. In theory, this could lead to false negatives ++ * if the range is covered by distinct but adjacent memory regions ++ * that only differ in other attributes. However, few of such ++ * attributes have been defined, and it is debatable whether it ++ * follows that /dev/mem read() calls should be able traverse ++ * such boundaries. ++ */ ++ return memblock_is_region_memory(addr, size) && ++ memblock_is_map_memory(addr); + } + + /* diff --git a/queue-4.9/arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch b/queue-4.9/arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch new file mode 100644 index 00000000000..bb124848fac --- /dev/null +++ b/queue-4.9/arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Timmy Li +Date: Mon, 22 May 2017 16:48:28 +0100 +Subject: ARM64: PCI: Fix struct acpi_pci_root_ops allocation failure path + +From: Timmy Li + + +[ Upstream commit 717902cc93118119a6fce7765da6cf2786987418 ] + +Commit 093d24a20442 ("arm64: PCI: Manage controller-specific data on +per-controller basis") added code to allocate ACPI PCI root_ops +dynamically on a per host bridge basis but failed to update the +corresponding memory allocation failure path in pci_acpi_scan_root() +leading to a potential memory leakage. + +Fix it by adding the required kfree call. + +Fixes: 093d24a20442 ("arm64: PCI: Manage controller-specific data on per-controller basis") +Reviewed-by: Tomasz Nowicki +Signed-off-by: Timmy Li +[lorenzo.pieralisi@arm.com: refactored code, rewrote commit log] +Signed-off-by: Lorenzo Pieralisi +CC: Will Deacon +CC: Bjorn Helgaas +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/pci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/arm64/kernel/pci.c ++++ b/arch/arm64/kernel/pci.c +@@ -175,8 +175,10 @@ struct pci_bus *pci_acpi_scan_root(struc + return NULL; + + root_ops = kzalloc_node(sizeof(*root_ops), GFP_KERNEL, node); +- if (!root_ops) ++ if (!root_ops) { ++ kfree(ri); + return NULL; ++ } + + ri->cfg = pci_acpi_setup_ecam_mapping(root); + if (!ri->cfg) { diff --git a/queue-4.9/arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch b/queue-4.9/arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch new file mode 100644 index 00000000000..14145b75964 --- /dev/null +++ b/queue-4.9/arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ganapatrao Kulkarni +Date: Tue, 2 May 2017 21:59:34 +0530 +Subject: arm64: perf: Ignore exclude_hv when kernel is running in HYP + +From: Ganapatrao Kulkarni + + +[ Upstream commit 78a19cfdf37d19002c83c8790853c1cc10feccdc ] + +commit d98ecdaca296 ("arm64: perf: Count EL2 events if the kernel is +running in HYP") returns -EINVAL when perf system call perf_event_open is +called with exclude_hv != exclude_kernel. This change breaks applications +on VHE enabled ARMv8.1 platforms. The issue was observed with HHVM +application, which calls perf_event_open with exclude_hv = 1 and +exclude_kernel = 0. + +There is no separate hypervisor privilege level when VHE is enabled, the +host kernel runs at EL2. So when VHE is enabled, we should ignore +exclude_hv from the application. This behaviour is consistent with PowerPC +where the exclude_hv is ignored when the hypervisor is not present and with +x86 where this flag is ignored. + +Signed-off-by: Ganapatrao Kulkarni +[will: added comment to justify the behaviour of exclude_hv] +Signed-off-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/perf_event.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/arch/arm64/kernel/perf_event.c ++++ b/arch/arm64/kernel/perf_event.c +@@ -871,15 +871,24 @@ static int armv8pmu_set_event_filter(str + + if (attr->exclude_idle) + return -EPERM; +- if (is_kernel_in_hyp_mode() && +- attr->exclude_kernel != attr->exclude_hv) +- return -EINVAL; ++ ++ /* ++ * If we're running in hyp mode, then we *are* the hypervisor. ++ * Therefore we ignore exclude_hv in this configuration, since ++ * there's no hypervisor to sample anyway. This is consistent ++ * with other architectures (x86 and Power). ++ */ ++ if (is_kernel_in_hyp_mode()) { ++ if (!attr->exclude_kernel) ++ config_base |= ARMV8_PMU_INCLUDE_EL2; ++ } else { ++ if (attr->exclude_kernel) ++ config_base |= ARMV8_PMU_EXCLUDE_EL1; ++ if (!attr->exclude_hv) ++ config_base |= ARMV8_PMU_INCLUDE_EL2; ++ } + if (attr->exclude_user) + config_base |= ARMV8_PMU_EXCLUDE_EL0; +- if (!is_kernel_in_hyp_mode() && attr->exclude_kernel) +- config_base |= ARMV8_PMU_EXCLUDE_EL1; +- if (!attr->exclude_hv) +- config_base |= ARMV8_PMU_INCLUDE_EL2; + + /* + * Install the filter into config_base as this is used to diff --git a/queue-4.9/arp-honour-gratuitous-arp-_replies_.patch b/queue-4.9/arp-honour-gratuitous-arp-_replies_.patch new file mode 100644 index 00000000000..a4491178187 --- /dev/null +++ b/queue-4.9/arp-honour-gratuitous-arp-_replies_.patch @@ -0,0 +1,81 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ihar Hrachyshka +Date: Tue, 16 May 2017 07:53:43 -0700 +Subject: arp: honour gratuitous ARP _replies_ + +From: Ihar Hrachyshka + + +[ Upstream commit 23d268eb240954e6e78f7cfab04f2b1e79f84489 ] + +When arp_accept is 1, gratuitous ARPs are supposed to override matching +entries irrespective of whether they arrive during locktime. This was +implemented in commit 56022a8fdd87 ("ipv4: arp: update neighbour address +when a gratuitous arp is received and arp_accept is set") + +There is a glitch in the patch though. RFC 2002, section 4.6, "ARP, +Proxy ARP, and Gratuitous ARP", defines gratuitous ARPs so that they can +be either of Request or Reply type. Those Reply gratuitous ARPs can be +triggered with standard tooling, for example, arping -A option does just +that. + +This patch fixes the glitch, making both Request and Reply flavours of +gratuitous ARPs to behave identically. + +As per RFC, if gratuitous ARPs are of Reply type, their Target Hardware +Address field should also be set to the link-layer address to which this +cache entry should be updated. The field is present in ARP over Ethernet +but not in IEEE 1394. In this patch, I don't consider any broadcasted +ARP replies as gratuitous if the field is not present, to conform the +standard. It's not clear whether there is such a thing for IEEE 1394 as +a gratuitous ARP reply; until it's cleared up, we will ignore such +broadcasts. Note that they will still update existing ARP cache entries, +assuming they arrive out of locktime time interval. + +Signed-off-by: Ihar Hrachyshka +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/arp.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/net/ipv4/arp.c ++++ b/net/ipv4/arp.c +@@ -658,6 +658,7 @@ static int arp_process(struct net *net, + unsigned char *arp_ptr; + struct rtable *rt; + unsigned char *sha; ++ unsigned char *tha = NULL; + __be32 sip, tip; + u16 dev_type = dev->type; + int addr_type; +@@ -729,6 +730,7 @@ static int arp_process(struct net *net, + break; + #endif + default: ++ tha = arp_ptr; + arp_ptr += dev->addr_len; + } + memcpy(&tip, arp_ptr, 4); +@@ -847,8 +849,18 @@ static int arp_process(struct net *net, + It is possible, that this option should be enabled for some + devices (strip is candidate) + */ +- is_garp = arp->ar_op == htons(ARPOP_REQUEST) && tip == sip && +- addr_type == RTN_UNICAST; ++ is_garp = tip == sip && addr_type == RTN_UNICAST; ++ ++ /* Unsolicited ARP _replies_ also require target hwaddr to be ++ * the same as source. ++ */ ++ if (is_garp && arp->ar_op == htons(ARPOP_REPLY)) ++ is_garp = ++ /* IPv4 over IEEE 1394 doesn't provide target ++ * hardware address field in its ARP payload. ++ */ ++ tha && ++ !memcmp(tha, sha, dev->addr_len); + + if (!n && + ((arp->ar_op == htons(ARPOP_REPLY) && diff --git a/queue-4.9/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch b/queue-4.9/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch new file mode 100644 index 00000000000..775443f34b3 --- /dev/null +++ b/queue-4.9/asoc-intel-cht_bsw_rt5645-analog-mic-support.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Tue, 2 Jan 2018 19:53:14 +0100 +Subject: ASoC: Intel: cht_bsw_rt5645: Analog Mic support + +From: Hans de Goede + + +[ Upstream commit b70b309950418437bbd2a30afd169c4f09dee3e5 ] + +Various Cherry Trail boards with a rt5645 codec have an analog mic +connected to IN2P + IN2N. The mic on this boards also needs micbias to +be enabled, on some boards micbias1 is used and on others micbias2, so +we enable both. + +This commit adds a new "Int Analog Mic" DAPM widget for this, so that we +do not end up enabling micbias on boards with a digital mic which uses +the already present "Int Mic" widget. Some existing UCM files already +refer to "Int Mic" for their "Internal Analog Microphones" SectionDevice, +but these don't work anyways since they enable the RECMIX BST1 Switch +instead of the BST2 switch. + +Signed-off-by: Hans de Goede +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/cht_bsw_rt5645.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/intel/boards/cht_bsw_rt5645.c ++++ b/sound/soc/intel/boards/cht_bsw_rt5645.c +@@ -111,6 +111,7 @@ static const struct snd_soc_dapm_widget + SND_SOC_DAPM_HP("Headphone", NULL), + SND_SOC_DAPM_MIC("Headset Mic", NULL), + SND_SOC_DAPM_MIC("Int Mic", NULL), ++ SND_SOC_DAPM_MIC("Int Analog Mic", NULL), + SND_SOC_DAPM_SPK("Ext Spk", NULL), + SND_SOC_DAPM_SUPPLY("Platform Clock", SND_SOC_NOPM, 0, 0, + platform_clock_control, SND_SOC_DAPM_PRE_PMU | SND_SOC_DAPM_POST_PMD), +@@ -121,6 +122,8 @@ static const struct snd_soc_dapm_route c + {"IN1N", NULL, "Headset Mic"}, + {"DMIC L1", NULL, "Int Mic"}, + {"DMIC R1", NULL, "Int Mic"}, ++ {"IN2P", NULL, "Int Analog Mic"}, ++ {"IN2N", NULL, "Int Analog Mic"}, + {"Headphone", NULL, "HPOL"}, + {"Headphone", NULL, "HPOR"}, + {"Ext Spk", NULL, "SPOL"}, +@@ -134,6 +137,9 @@ static const struct snd_soc_dapm_route c + {"Headphone", NULL, "Platform Clock"}, + {"Headset Mic", NULL, "Platform Clock"}, + {"Int Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "Platform Clock"}, ++ {"Int Analog Mic", NULL, "micbias1"}, ++ {"Int Analog Mic", NULL, "micbias2"}, + {"Ext Spk", NULL, "Platform Clock"}, + }; + +@@ -162,6 +168,7 @@ static const struct snd_kcontrol_new cht + SOC_DAPM_PIN_SWITCH("Headphone"), + SOC_DAPM_PIN_SWITCH("Headset Mic"), + SOC_DAPM_PIN_SWITCH("Int Mic"), ++ SOC_DAPM_PIN_SWITCH("Int Analog Mic"), + SOC_DAPM_PIN_SWITCH("Ext Spk"), + }; + diff --git a/queue-4.9/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch b/queue-4.9/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch new file mode 100644 index 00000000000..93b908f6a39 --- /dev/null +++ b/queue-4.9/asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Pardha Saradhi K +Date: Tue, 2 Jan 2018 14:59:57 +0530 +Subject: ASoC: Intel: Skylake: Disable clock gating during firmware and library download + +From: Pardha Saradhi K + + +[ Upstream commit d5cc0a1fcbb5ddbef9fdd4c4a978da3254ddbf37 ] + +During firmware and library download, sometimes it is observed that +firmware and library download is timed-out resulting into probe failure. + +This patch disables dynamic clock gating while firmware and library +download. + +Signed-off-by: Pardha Saradhi K +Signed-off-by: Sanyog Kale +Signed-off-by: Guneshwor Singh +Acked-By: Vinod Koul +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/skylake/skl-messages.c | 4 ++++ + sound/soc/intel/skylake/skl-pcm.c | 4 ++++ + 2 files changed, 8 insertions(+) + +--- a/sound/soc/intel/skylake/skl-messages.c ++++ b/sound/soc/intel/skylake/skl-messages.c +@@ -331,7 +331,11 @@ int skl_resume_dsp(struct skl *skl) + if (skl->skl_sst->is_first_boot == true) + return 0; + ++ /* disable dynamic clock gating during fw and lib download */ ++ ctx->enable_miscbdcge(ctx->dev, false); ++ + ret = skl_dsp_wake(ctx->dsp); ++ ctx->enable_miscbdcge(ctx->dev, true); + if (ret < 0) + return ret; + +--- a/sound/soc/intel/skylake/skl-pcm.c ++++ b/sound/soc/intel/skylake/skl-pcm.c +@@ -1191,7 +1191,11 @@ static int skl_platform_soc_probe(struct + return -EIO; + } + ++ /* disable dynamic clock gating during fw and lib download */ ++ skl->skl_sst->enable_miscbdcge(platform->dev, false); ++ + ret = ops->init_fw(platform->dev, skl->skl_sst); ++ skl->skl_sst->enable_miscbdcge(platform->dev, true); + if (ret < 0) { + dev_err(platform->dev, "Failed to boot first fw: %d\n", ret); + return ret; diff --git a/queue-4.9/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch b/queue-4.9/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch new file mode 100644 index 00000000000..5e80b7259cc --- /dev/null +++ b/queue-4.9/asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe JAILLET +Date: Sat, 6 Jan 2018 21:18:24 +0100 +Subject: ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' + +From: Christophe JAILLET + + +[ Upstream commit eaadb1caa966a91128297b754e90b7c92b350a00 ] + +In some error handling paths, an error code is assiegned to 'ret'. +However, the function always return 0. + +Fix it and return the error code if such an error paths is taken. + +Fixes: 3d9ff34622ba ("ASoC: Intel: sst: add stream operations") +Signed-off-by: Christophe JAILLET +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/atom/sst/sst_stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/atom/sst/sst_stream.c ++++ b/sound/soc/intel/atom/sst/sst_stream.c +@@ -221,7 +221,7 @@ int sst_send_byte_stream_mrfld(struct in + sst_free_block(sst_drv_ctx, block); + out: + test_and_clear_bit(pvt_id, &sst_drv_ctx->pvt_id); +- return 0; ++ return ret; + } + + /* diff --git a/queue-4.9/asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch b/queue-4.9/asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch new file mode 100644 index 00000000000..dc1c1605d89 --- /dev/null +++ b/queue-4.9/asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kuninori Morimoto +Date: Wed, 24 May 2017 01:17:10 +0000 +Subject: ASoC: rsnd: SSI PIO adjust to 24bit mode + +From: Kuninori Morimoto + + +[ Upstream commit 7819a942de7b993771bd9377babc80485fe7606b ] + +commit 90431eb49bff ("ASoC: rsnd: don't use PDTA bit for 24bit on SSI") +fixups 24bit mode data alignment, but PIO was not cared. +This patch fixes PIO mode 24bit data alignment + +Signed-off-by: Kuninori Morimoto +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sh/rcar/ssi.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -552,6 +552,13 @@ static void __rsnd_ssi_interrupt(struct + struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io); + u32 *buf = (u32 *)(runtime->dma_area + + rsnd_dai_pointer_offset(io, 0)); ++ int shift = 0; ++ ++ switch (runtime->sample_bits) { ++ case 32: ++ shift = 8; ++ break; ++ } + + /* + * 8/16/32 data can be assesse to TDR/RDR register +@@ -559,9 +566,9 @@ static void __rsnd_ssi_interrupt(struct + * see rsnd_ssi_init() + */ + if (rsnd_io_is_play(io)) +- rsnd_mod_write(mod, SSITDR, *buf); ++ rsnd_mod_write(mod, SSITDR, (*buf) << shift); + else +- *buf = rsnd_mod_read(mod, SSIRDR); ++ *buf = (rsnd_mod_read(mod, SSIRDR) >> shift); + + elapsed = rsnd_dai_pointer_update(io, sizeof(*buf)); + } diff --git a/queue-4.9/asoc-simple-card-fix-mic-jack-initialization.patch b/queue-4.9/asoc-simple-card-fix-mic-jack-initialization.patch new file mode 100644 index 00000000000..81da9ef36ea --- /dev/null +++ b/queue-4.9/asoc-simple-card-fix-mic-jack-initialization.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Stefan Agner +Date: Mon, 15 May 2017 14:00:31 -0700 +Subject: ASoC: simple-card: fix mic jack initialization + +From: Stefan Agner + + +[ Upstream commit f746aa5e8636c83e53bbb2d988bb614f732b2b80 ] + +Initialize asoc_simple_card_init_mic with the correct struct +asoc_simple_jack. + +Fixes: 9eac361877b3 ("ASoC: simple-card: add new asoc_simple_jack and use it") +Signed-off-by: Stefan Agner +Acked-by: Kuninori Morimoto +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/generic/simple-card.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/generic/simple-card.c ++++ b/sound/soc/generic/simple-card.c +@@ -201,7 +201,7 @@ static int asoc_simple_card_dai_init(str + if (ret < 0) + return ret; + +- ret = asoc_simple_card_init_mic(rtd->card, &priv->hp_jack, PREFIX); ++ ret = asoc_simple_card_init_mic(rtd->card, &priv->mic_jack, PREFIX); + if (ret < 0) + return ret; + diff --git a/queue-4.9/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch b/queue-4.9/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch new file mode 100644 index 00000000000..7b6382455b0 --- /dev/null +++ b/queue-4.9/async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Anup Patel +Date: Mon, 15 May 2017 10:34:53 +0530 +Subject: async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() + +From: Anup Patel + + +[ Upstream commit baae03a0e2497f49704628fd0aaf993cf98e1b99 ] + +The DMA_PREP_FENCE is to be used when preparing Tx descriptor if output +of Tx descriptor is to be used by next/dependent Tx descriptor. + +The DMA_PREP_FENSE will not be set correctly in do_async_gen_syndrome() +when calling dma->device_prep_dma_pq() under following conditions: +1. ASYNC_TX_FENCE not set in submit->flags +2. DMA_PREP_FENCE not set in dma_flags +3. src_cnt (= (disks - 2)) is greater than dma_maxpq(dma, dma_flags) + +This patch fixes DMA_PREP_FENCE usage in do_async_gen_syndrome() taking +inspiration from do_async_xor() implementation. + +Signed-off-by: Anup Patel +Reviewed-by: Ray Jui +Reviewed-by: Scott Branden +Acked-by: Dan Williams +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/async_tx/async_pq.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/crypto/async_tx/async_pq.c ++++ b/crypto/async_tx/async_pq.c +@@ -62,9 +62,6 @@ do_async_gen_syndrome(struct dma_chan *c + dma_addr_t dma_dest[2]; + int src_off = 0; + +- if (submit->flags & ASYNC_TX_FENCE) +- dma_flags |= DMA_PREP_FENCE; +- + while (src_cnt > 0) { + submit->flags = flags_orig; + pq_src_cnt = min(src_cnt, dma_maxpq(dma, dma_flags)); +@@ -83,6 +80,8 @@ do_async_gen_syndrome(struct dma_chan *c + if (cb_fn_orig) + dma_flags |= DMA_PREP_INTERRUPT; + } ++ if (submit->flags & ASYNC_TX_FENCE) ++ dma_flags |= DMA_PREP_FENCE; + + /* Drivers force forward progress in case they can not provide + * a descriptor diff --git a/queue-4.9/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch b/queue-4.9/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch new file mode 100644 index 00000000000..40b154305a8 --- /dev/null +++ b/queue-4.9/ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Thomas Petazzoni +Date: Tue, 16 May 2017 14:06:12 +0200 +Subject: ata: libahci: properly propagate return value of platform_get_irq() + +From: Thomas Petazzoni + + +[ Upstream commit c034640a32f8456018d9c8c83799ead683046b95 ] + +When platform_get_irq() fails, it returns an error code, which +libahci_platform and replaces it by -EINVAL. This commit fixes that by +propagating the error code. It fixes the situation where +platform_get_irq() returns -EPROBE_DEFER because the interrupt +controller is not available yet, and generally looks like the right +thing to do. + +We pay attention to not show the "no irq" message when we are in an +EPROBE_DEFER situation, because the driver probing will be retried +later on, once the interrupt controller becomes available to provide +the interrupt. + +Signed-off-by: Thomas Petazzoni +Reviewed-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libahci_platform.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libahci_platform.c ++++ b/drivers/ata/libahci_platform.c +@@ -514,8 +514,9 @@ int ahci_platform_init_host(struct platf + + irq = platform_get_irq(pdev, 0); + if (irq <= 0) { +- dev_err(dev, "no irq\n"); +- return -EINVAL; ++ if (irq != -EPROBE_DEFER) ++ dev_err(dev, "no irq\n"); ++ return irq; + } + + hpriv->irq = irq; diff --git a/queue-4.9/ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch b/queue-4.9/ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch new file mode 100644 index 00000000000..9ceb43460b7 --- /dev/null +++ b/queue-4.9/ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch @@ -0,0 +1,90 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Anilkumar Kolli +Date: Wed, 31 May 2017 14:21:27 +0300 +Subject: ath10k: add BMI parameters to fix calibration from DT/pre-cal + +From: Anilkumar Kolli + + +[ Upstream commit a9f5f287fa1d47d61dfa8b60f94831174b2ea4d0 ] + +QCA99X0, QCA9888, QCA9984 supports calibration data in +either OTP or DT/pre-cal file. Current ath10k supports +Calibration data from OTP only. + +If caldata is loaded from DT/pre-cal file, fetching board id +and applying calibration parameters like tx power gets failed. + +error log: +[ 15.733663] ath10k_pci 0000:01:00.0: failed to fetch board file: -2 +[ 15.741474] ath10k_pci 0000:01:00.0: could not probe fw (-2) + +This patch adds calibration data support from DT/pre-cal +file. Below parameters are used to get board id and +applying calibration parameters from cal data. + + EEPROM[OTP] FLASH[DT/pre-cal file] +Cal param 0x700 0x10000 +Board id 0x10 0x8000 + +Tested on QCA9888 with pre-cal file. + +Signed-off-by: Anilkumar Kolli +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/bmi.h | 2 ++ + drivers/net/wireless/ath/ath10k/core.c | 16 +++++++++++++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/bmi.h ++++ b/drivers/net/wireless/ath/ath10k/bmi.h +@@ -83,6 +83,8 @@ enum bmi_cmd_id { + #define BMI_NVRAM_SEG_NAME_SZ 16 + + #define BMI_PARAM_GET_EEPROM_BOARD_ID 0x10 ++#define BMI_PARAM_GET_FLASH_BOARD_ID 0x8000 ++#define BMI_PARAM_FLASH_SECTION_ALL 0x10000 + + #define ATH10K_BMI_BOARD_ID_FROM_OTP_MASK 0x7c00 + #define ATH10K_BMI_BOARD_ID_FROM_OTP_LSB 10 +--- a/drivers/net/wireless/ath/ath10k/core.c ++++ b/drivers/net/wireless/ath/ath10k/core.c +@@ -652,7 +652,7 @@ static int ath10k_core_get_board_id_from + { + u32 result, address; + u8 board_id, chip_id; +- int ret; ++ int ret, bmi_board_id_param; + + address = ar->hw_params.patch_load_addr; + +@@ -676,8 +676,13 @@ static int ath10k_core_get_board_id_from + return ret; + } + +- ret = ath10k_bmi_execute(ar, address, BMI_PARAM_GET_EEPROM_BOARD_ID, +- &result); ++ if (ar->cal_mode == ATH10K_PRE_CAL_MODE_DT || ++ ar->cal_mode == ATH10K_PRE_CAL_MODE_FILE) ++ bmi_board_id_param = BMI_PARAM_GET_FLASH_BOARD_ID; ++ else ++ bmi_board_id_param = BMI_PARAM_GET_EEPROM_BOARD_ID; ++ ++ ret = ath10k_bmi_execute(ar, address, bmi_board_id_param, &result); + if (ret) { + ath10k_err(ar, "could not execute otp for board id check: %d\n", + ret); +@@ -739,6 +744,11 @@ static int ath10k_download_and_run_otp(s + return ret; + } + ++ /* As of now pre-cal is valid for 10_4 variants */ ++ if (ar->cal_mode == ATH10K_PRE_CAL_MODE_DT || ++ ar->cal_mode == ATH10K_PRE_CAL_MODE_FILE) ++ bmi_otp_exe_param = BMI_PARAM_FLASH_SECTION_ALL; ++ + ret = ath10k_bmi_execute(ar, address, bmi_otp_exe_param, &result); + if (ret) { + ath10k_err(ar, "could not execute otp (%d)\n", ret); diff --git a/queue-4.9/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch b/queue-4.9/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch new file mode 100644 index 00000000000..9de5adef5a9 --- /dev/null +++ b/queue-4.9/ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Colin Ian King +Date: Wed, 3 May 2017 15:26:00 +0100 +Subject: ath5k: fix memory leak on buf on failed eeprom read + +From: Colin Ian King + + +[ Upstream commit 8fed6823e06e43ee9cf7c0ffecec2f9111ce6201 ] + +The AR5K_EEPROM_READ macro returns with -EIO if a read error +occurs causing a memory leak on the allocated buffer buf. Fix +this by explicitly calling ath5k_hw_nvram_read and exiting on +the via the freebuf label that performs the necessary free'ing +of buf when a read error occurs. + +Detected by CoverityScan, CID#1248782 ("Resource Leak") + +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath5k/debug.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath5k/debug.c ++++ b/drivers/net/wireless/ath/ath5k/debug.c +@@ -939,7 +939,10 @@ static int open_file_eeprom(struct inode + } + + for (i = 0; i < eesize; ++i) { +- AR5K_EEPROM_READ(i, val); ++ if (!ath5k_hw_nvram_read(ah, i, &val)) { ++ ret = -EIO; ++ goto freebuf; ++ } + buf[i] = val; + } + diff --git a/queue-4.9/backlight-report-error-on-failure.patch b/queue-4.9/backlight-report-error-on-failure.patch new file mode 100644 index 00000000000..64910eafc56 --- /dev/null +++ b/queue-4.9/backlight-report-error-on-failure.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Sudip Mukherjee +Date: Wed, 17 May 2017 21:55:07 +0100 +Subject: backlight: Report error on failure + +From: Sudip Mukherjee + + +[ Upstream commit 7e715c2d9c27c23f3187454157c58cf292ed103e ] + +It is possible to update the backlight power and the brightness using +the sysfs and on writing it either returns the count or if the callback +function does not exist then returns the error code 'ENXIO'. + +We have a situation where the userspace client is writing to the sysfs +to update the power and since the callback function exists the client +receives the return value as count and considers the operation to be +successful. That is correct as the write to the sysfs was successful. +But there is no way to know if the actual operation was done or not. + +backlight_update_status() returns the error code if it fails. Pass that +to the userspace client who is trying to update the power so that the +client knows that the operation failed. + +Signed-off-by: Sudip Mukherjee +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/backlight/backlight.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/video/backlight/backlight.c ++++ b/drivers/video/backlight/backlight.c +@@ -134,7 +134,7 @@ static ssize_t bl_power_store(struct dev + { + int rc; + struct backlight_device *bd = to_backlight_device(dev); +- unsigned long power; ++ unsigned long power, old_power; + + rc = kstrtoul(buf, 0, &power); + if (rc) +@@ -145,10 +145,16 @@ static ssize_t bl_power_store(struct dev + if (bd->ops) { + pr_debug("set power to %lu\n", power); + if (bd->props.power != power) { ++ old_power = bd->props.power; + bd->props.power = power; +- backlight_update_status(bd); ++ rc = backlight_update_status(bd); ++ if (rc) ++ bd->props.power = old_power; ++ else ++ rc = count; ++ } else { ++ rc = count; + } +- rc = count; + } + mutex_unlock(&bd->ops_lock); + +@@ -176,8 +182,7 @@ int backlight_device_set_brightness(stru + else { + pr_debug("set brightness to %lu\n", brightness); + bd->props.brightness = brightness; +- backlight_update_status(bd); +- rc = 0; ++ rc = backlight_update_status(bd); + } + } + mutex_unlock(&bd->ops_lock); diff --git a/queue-4.9/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch b/queue-4.9/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch new file mode 100644 index 00000000000..46bafc9ab7a --- /dev/null +++ b/queue-4.9/backlight-tdo24m-fix-the-spi-cs-between-transfers.patch @@ -0,0 +1,81 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Robert Jarzmik +Date: Thu, 28 Dec 2017 09:27:41 +0100 +Subject: backlight: tdo24m: Fix the SPI CS between transfers + +From: Robert Jarzmik + + +[ Upstream commit 2023b0524a6310e9ea80daf085f51c71bff9289f ] + +Currently the LCD display (TD035S) on the cm-x300 platform is broken and +remains blank. + +The TD0245S specification requires that the chipselect is toggled +between commands sent to the panel. This was also the purpose of the +former patch of commit f64dcac0b124 ("backlight: tdo24m: ensure chip +select changes between transfers"). + +Unfortunately, the "cs_change" field of a SPI transfer is +misleading. Its true meaning is that for a SPI message holding multiple +transfers, the chip select is toggled between each transfer, but for the +last transfer it remains asserted. + +In this driver, all the SPI messages contain exactly one transfer, which +means that each transfer is the last of its message, and as a +consequence the chip select is never toggled. + +Actually, there was a second bug hidding the first one, hence the +problem was not seen until v4.6. This problem was fixed by commit +a52db659c79c ("spi: pxa2xx: Fix cs_change management") for PXA based +boards. + +This fix makes the TD035S work again on a cm-x300 board. The same +applies to other PXA boards, ie. corgi and tosa. + +Fixes: a52db659c79c ("spi: pxa2xx: Fix cs_change management") +Reported-by: Andrea Adami +Signed-off-by: Robert Jarzmik +Acked-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/backlight/corgi_lcd.c | 2 +- + drivers/video/backlight/tdo24m.c | 2 +- + drivers/video/backlight/tosa_lcd.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/video/backlight/corgi_lcd.c ++++ b/drivers/video/backlight/corgi_lcd.c +@@ -177,7 +177,7 @@ static int corgi_ssp_lcdtg_send(struct c + struct spi_message msg; + struct spi_transfer xfer = { + .len = 1, +- .cs_change = 1, ++ .cs_change = 0, + .tx_buf = lcd->buf, + }; + +--- a/drivers/video/backlight/tdo24m.c ++++ b/drivers/video/backlight/tdo24m.c +@@ -369,7 +369,7 @@ static int tdo24m_probe(struct spi_devic + + spi_message_init(m); + +- x->cs_change = 1; ++ x->cs_change = 0; + x->tx_buf = &lcd->buf[0]; + spi_message_add_tail(x, m); + +--- a/drivers/video/backlight/tosa_lcd.c ++++ b/drivers/video/backlight/tosa_lcd.c +@@ -49,7 +49,7 @@ static int tosa_tg_send(struct spi_devic + struct spi_message msg; + struct spi_transfer xfer = { + .len = 1, +- .cs_change = 1, ++ .cs_change = 0, + .tx_buf = buf, + }; + diff --git a/queue-4.9/bcache-segregate-flash-only-volume-write-streams.patch b/queue-4.9/bcache-segregate-flash-only-volume-write-streams.patch new file mode 100644 index 00000000000..c8872408d2a --- /dev/null +++ b/queue-4.9/bcache-segregate-flash-only-volume-write-streams.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:21 -0800 +Subject: bcache: segregate flash only volume write streams + +From: Tang Junhui + + +[ Upstream commit 4eca1cb28d8b0574ca4f1f48e9331c5f852d43b9 ] + +In such scenario that there are some flash only volumes +, and some cached devices, when many tasks request these devices in +writeback mode, the write IOs may fall to the same bucket as bellow: +| cached data | flash data | cached data | cached data| flash data| +then after writeback of these cached devices, the bucket would +be like bellow bucket: +| free | flash data | free | free | flash data | + +So, there are many free space in this bucket, but since data of flash +only volumes still exists, so this bucket cannot be reclaimable, +which would cause waste of bucket space. + +In this patch, we segregate flash only volume write streams from +cached devices, so data from flash only volumes and cached devices +can store in different buckets. + +Compare to v1 patch, this patch do not add a additionally open bucket +list, and it is try best to segregate flash only volume write streams +from cached devices, sectors of flash only volumes may still be mixed +with dirty sectors of cached device, but the number is very small. + +[mlyle: fixed commit log formatting, permissions, line endings] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/alloc.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/drivers/md/bcache/alloc.c ++++ b/drivers/md/bcache/alloc.c +@@ -512,15 +512,21 @@ struct open_bucket { + + /* + * We keep multiple buckets open for writes, and try to segregate different +- * write streams for better cache utilization: first we look for a bucket where +- * the last write to it was sequential with the current write, and failing that +- * we look for a bucket that was last used by the same task. ++ * write streams for better cache utilization: first we try to segregate flash ++ * only volume write streams from cached devices, secondly we look for a bucket ++ * where the last write to it was sequential with the current write, and ++ * failing that we look for a bucket that was last used by the same task. + * + * The ideas is if you've got multiple tasks pulling data into the cache at the + * same time, you'll get better cache utilization if you try to segregate their + * data and preserve locality. + * +- * For example, say you've starting Firefox at the same time you're copying a ++ * For example, dirty sectors of flash only volume is not reclaimable, if their ++ * dirty sectors mixed with dirty sectors of cached device, such buckets will ++ * be marked as dirty and won't be reclaimed, though the dirty data of cached ++ * device have been written back to backend device. ++ * ++ * And say you've starting Firefox at the same time you're copying a + * bunch of files. Firefox will likely end up being fairly hot and stay in the + * cache awhile, but the data you copied might not be; if you wrote all that + * data to the same buckets it'd get invalidated at the same time. +@@ -537,7 +543,10 @@ static struct open_bucket *pick_data_buc + struct open_bucket *ret, *ret_task = NULL; + + list_for_each_entry_reverse(ret, &c->data_buckets, list) +- if (!bkey_cmp(&ret->key, search)) ++ if (UUID_FLASH_ONLY(&c->uuids[KEY_INODE(&ret->key)]) != ++ UUID_FLASH_ONLY(&c->uuids[KEY_INODE(search)])) ++ continue; ++ else if (!bkey_cmp(&ret->key, search)) + goto found; + else if (ret->last_write_point == write_point) + ret_task = ret; diff --git a/queue-4.9/bcache-stop-writeback-thread-after-detaching.patch b/queue-4.9/bcache-stop-writeback-thread-after-detaching.patch new file mode 100644 index 00000000000..8b3df59626c --- /dev/null +++ b/queue-4.9/bcache-stop-writeback-thread-after-detaching.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tang Junhui +Date: Mon, 8 Jan 2018 12:21:19 -0800 +Subject: bcache: stop writeback thread after detaching + +From: Tang Junhui + + +[ Upstream commit 8d29c4426b9f8afaccf28de414fde8a722b35fdf ] + +Currently, when a cached device detaching from cache, writeback thread is +not stopped, and writeback_rate_update work is not canceled. For example, +after the following command: +echo 1 >/sys/block/sdb/bcache/detach +you can still see the writeback thread. Then you attach the device to the +cache again, bcache will create another writeback thread, for example, +after below command: +echo ba0fb5cd-658a-4533-9806-6ce166d883b9 > /sys/block/sdb/bcache/attach +then you will see 2 writeback threads. +This patch stops writeback thread and cancels writeback_rate_update work +when cached device detaching from cache. + +Compare with patch v1, this v2 patch moves code down into the register +lock for safety in case of any future changes as Coly and Mike suggested. + +[edit by mlyle: commit log spelling/formatting] + +Signed-off-by: Tang Junhui +Reviewed-by: Michael Lyle +Signed-off-by: Michael Lyle +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/bcache/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -892,6 +892,12 @@ static void cached_dev_detach_finish(str + + mutex_lock(&bch_register_lock); + ++ cancel_delayed_work_sync(&dc->writeback_rate_update); ++ if (!IS_ERR_OR_NULL(dc->writeback_thread)) { ++ kthread_stop(dc->writeback_thread); ++ dc->writeback_thread = NULL; ++ } ++ + memset(&dc->sb.set_uuid, 0, 16); + SET_BDEV_STATE(&dc->sb, BDEV_STATE_NONE); + diff --git a/queue-4.9/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch b/queue-4.9/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch new file mode 100644 index 00000000000..0f006d73e30 --- /dev/null +++ b/queue-4.9/bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dmitry Monakhov +Date: Wed, 10 May 2017 19:20:44 +0400 +Subject: bio-integrity: Do not allocate integrity context for bio w/o data + +From: Dmitry Monakhov + + +[ Upstream commit 3116a23bb30272d74ea81baf5d0ee23f602dd15b ] + +If bio has no data, such as ones from blkdev_issue_flush(), +then we have nothing to protect. + +This patch prevent bugon like follows: + +kfree_debugcheck: out of range ptr ac1fa1d106742a5ah +kernel BUG at mm/slab.c:2773! +invalid opcode: 0000 [#1] SMP +Modules linked in: bcache +CPU: 0 PID: 4428 Comm: xfs_io Tainted: G W 4.11.0-rc4-ext4-00041-g2ef0043-dirty #43 +Hardware name: Virtuozzo KVM, BIOS seabios-1.7.5-11.vz7.4 04/01/2014 +task: ffff880137786440 task.stack: ffffc90000ba8000 +RIP: 0010:kfree_debugcheck+0x25/0x2a +RSP: 0018:ffffc90000babde0 EFLAGS: 00010082 +RAX: 0000000000000034 RBX: ac1fa1d106742a5a RCX: 0000000000000007 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88013f3ccb40 +RBP: ffffc90000babde8 R08: 0000000000000000 R09: 0000000000000000 +R10: 00000000fcb76420 R11: 00000000725172ed R12: 0000000000000282 +R13: ffffffff8150e766 R14: ffff88013a145e00 R15: 0000000000000001 +FS: 00007fb09384bf40(0000) GS:ffff88013f200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fd0172f9e40 CR3: 0000000137fa9000 CR4: 00000000000006f0 +Call Trace: + kfree+0xc8/0x1b3 + bio_integrity_free+0xc3/0x16b + bio_free+0x25/0x66 + bio_put+0x14/0x26 + blkdev_issue_flush+0x7a/0x85 + blkdev_fsync+0x35/0x42 + vfs_fsync_range+0x8e/0x9f + vfs_fsync+0x1c/0x1e + do_fsync+0x31/0x4a + SyS_fsync+0x10/0x14 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: Dmitry Monakhov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/bio-integrity.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -175,6 +175,9 @@ bool bio_integrity_enabled(struct bio *b + if (!bio_is_rw(bio)) + return false; + ++ if (!bio_sectors(bio)) ++ return false; ++ + /* Already protected? */ + if (bio_integrity(bio)) + return false; diff --git a/queue-4.9/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch b/queue-4.9/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch new file mode 100644 index 00000000000..9b2069c31a7 --- /dev/null +++ b/queue-4.9/blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ming Lei +Date: Tue, 9 Jan 2018 21:28:29 +0800 +Subject: blk-mq: fix kernel oops in blk_mq_tag_idle() + +From: Ming Lei + + +[ Upstream commit 8ab0b7dc73e1b3e2987d42554b2bff503f692772 ] + +HW queues may be unmapped in some cases, such as blk_mq_update_nr_hw_queues(), +then we need to check it before calling blk_mq_tag_idle(), otherwise +the following kernel oops can be triggered, so fix it by checking if +the hw queue is unmapped since it doesn't make sense to idle the tags +any more after hw queues are unmapped. + +[ 440.771298] Workqueue: nvme-wq nvme_rdma_del_ctrl_work [nvme_rdma] +[ 440.779104] task: ffff894bae755ee0 ti: ffff893bf9bc8000 task.ti: ffff893bf9bc8000 +[ 440.788359] RIP: 0010:[] [] __blk_mq_tag_idle+0x24/0x40 +[ 440.798697] RSP: 0018:ffff893bf9bcbd10 EFLAGS: 00010286 +[ 440.805538] RAX: 0000000000000000 RBX: ffff895bb131dc00 RCX: 000000000000011f +[ 440.814426] RDX: 00000000ffffffff RSI: 0000000000000120 RDI: ffff895bb131dc00 +[ 440.823301] RBP: ffff893bf9bcbd10 R08: 000000000001b860 R09: 4a51d361c00c0000 +[ 440.832193] R10: b5907f32b4cc7003 R11: ffffd6cabfb57000 R12: ffff894bafd1e008 +[ 440.841091] R13: 0000000000000001 R14: ffff895baf770000 R15: 0000000000000080 +[ 440.849988] FS: 0000000000000000(0000) GS:ffff894bbdcc0000(0000) knlGS:0000000000000000 +[ 440.859955] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 440.867274] CR2: 0000000000000008 CR3: 000000103d098000 CR4: 00000000001407e0 +[ 440.876169] Call Trace: +[ 440.879818] [] blk_mq_exit_hctx+0xd8/0xe0 +[ 440.887051] [] blk_mq_free_queue+0xf0/0x160 +[ 440.894465] [] blk_cleanup_queue+0xd9/0x150 +[ 440.901881] [] nvme_ns_remove+0x5b/0xb0 [nvme_core] +[ 440.910068] [] nvme_remove_namespaces+0x3b/0x60 [nvme_core] +[ 440.919026] [] __nvme_rdma_remove_ctrl+0x2b/0xb0 [nvme_rdma] +[ 440.928079] [] nvme_rdma_del_ctrl_work+0x17/0x20 [nvme_rdma] +[ 440.937126] [] process_one_work+0x17a/0x440 +[ 440.944517] [] worker_thread+0x278/0x3c0 +[ 440.951607] [] ? manage_workers.isra.24+0x2a0/0x2a0 +[ 440.959760] [] kthread+0xcf/0xe0 +[ 440.966055] [] ? insert_kthread_work+0x40/0x40 +[ 440.973715] [] ret_from_fork+0x58/0x90 +[ 440.980586] [] ? insert_kthread_work+0x40/0x40 +[ 440.988229] Code: 5b 41 5c 5d c3 66 90 0f 1f 44 00 00 48 8b 87 20 01 00 00 f0 0f ba 77 40 01 19 d2 85 d2 75 08 c3 0f 1f 80 00 00 00 00 55 48 89 e5 ff 48 08 48 8d 78 10 e8 7f 0f 05 00 5d c3 0f 1f 00 66 2e 0f +[ 441.011620] RIP [] __blk_mq_tag_idle+0x24/0x40 +[ 441.019301] RSP +[ 441.024052] CR2: 0000000000000008 + +Reported-by: Zhang Yi +Tested-by: Zhang Yi +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1592,7 +1592,8 @@ static void blk_mq_exit_hctx(struct requ + { + unsigned flush_start_tag = set->queue_depth; + +- blk_mq_tag_idle(hctx); ++ if (blk_mq_hw_queue_mapped(hctx)) ++ blk_mq_tag_idle(hctx); + + if (set->ops->exit_request) + set->ops->exit_request(set->driver_data, diff --git a/queue-4.9/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch b/queue-4.9/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch new file mode 100644 index 00000000000..87dbfce5c5a --- /dev/null +++ b/queue-4.9/blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ming Lei +Date: Sat, 6 Jan 2018 16:27:40 +0800 +Subject: blk-mq: fix race between updating nr_hw_queues and switching io sched + +From: Ming Lei + + +[ Upstream commit fb350e0ad99359768e1e80b4784692031ec340e4 ] + +In both elevator_switch_mq() and blk_mq_update_nr_hw_queues(), sched tags +can be allocated, and q->nr_hw_queue is used, and race is inevitable, for +example: blk_mq_init_sched() may trigger use-after-free on hctx, which is +freed in blk_mq_realloc_hw_ctxs() when nr_hw_queues is decreased. + +This patch fixes the race be holding q->sysfs_lock. + +Reviewed-by: Christoph Hellwig +Reported-by: Yi Zhang +Tested-by: Yi Zhang +Signed-off-by: Ming Lei +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1907,6 +1907,9 @@ static void blk_mq_realloc_hw_ctxs(struc + struct blk_mq_hw_ctx **hctxs = q->queue_hw_ctx; + + blk_mq_sysfs_unregister(q); ++ ++ /* protect against switching io scheduler */ ++ mutex_lock(&q->sysfs_lock); + for (i = 0; i < set->nr_hw_queues; i++) { + int node; + +@@ -1956,6 +1959,7 @@ static void blk_mq_realloc_hw_ctxs(struc + } + } + q->nr_hw_queues = i; ++ mutex_unlock(&q->sysfs_lock); + blk_mq_sysfs_register(q); + } + diff --git a/queue-4.9/blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch b/queue-4.9/blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch new file mode 100644 index 00000000000..a9207b44c7e --- /dev/null +++ b/queue-4.9/blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Wen Xiong +Date: Wed, 10 May 2017 08:54:11 -0500 +Subject: blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split op + +From: Wen Xiong + + +[ Upstream commit f36ea50ca0043e7b1204feaf1d2ba6bd68c08d36 ] + +When formatting NVMe to 512B/4K + T10 DIf/DIX, dd with split op returns +"Input/output error". Looks block layer split the bio after calling +bio_integrity_prep(bio). This patch fixes the issue. + +Below is how we debug this issue: +(1)format nvme to 4K block # size with type 2 DIF +(2)dd with block size bigger than 1024k. +oflag=direct +dd: error writing '/dev/nvme0n1': Input/output error + +We added some debug code in nvme device driver. It showed us the first +op and the second op have the same bi and pi address. This is not +correct. + +1st op: nvme0n1 Op:Wr slba 0x505 length 0x100, PI ctrl=0x1400, + dsmgmt=0x0, AT=0x0 & RT=0x505 + Guard 0x00b1, AT 0x0000, RT physical 0x00000505 RT virtual 0x00002828 + +2nd op: nvme0n1 Op:Wr slba 0x605 length 0x1, PI ctrl=0x1400, dsmgmt=0x0, + AT=0x0 & RT=0x605 ==> This op fails and subsequent 5 retires.. + Guard 0x00b1, AT 0x0000, RT physical 0x00000605 RT virtual 0x00002828 + +With the fix, It showed us both of the first op and the second op have +correct bi and pi address. + +1st op: nvme2n1 Op:Wr slba 0x505 length 0x100, PI ctrl=0x1400, + dsmgmt=0x0, AT=0x0 & RT=0x505 + Guard 0x5ccb, AT 0x0000, RT physical 0x00000505 RT virtual + 0x00002828 +2nd op: nvme2n1 Op:Wr slba 0x605 length 0x1, PI ctrl=0x1400, dsmgmt=0x0, + AT=0x0 & RT=0x605 + Guard 0xab4c, AT 0x0000, RT physical 0x00000605 RT virtual + 0x00003028 + +Signed-off-by: Wen Xiong +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -1265,13 +1265,13 @@ static blk_qc_t blk_mq_make_request(stru + + blk_queue_bounce(q, &bio); + ++ blk_queue_split(q, &bio, q->bio_split); ++ + if (bio_integrity_enabled(bio) && bio_integrity_prep(bio)) { + bio_io_error(bio); + return BLK_QC_T_NONE; + } + +- blk_queue_split(q, &bio, q->bio_split); +- + if (!is_flush_fua && !blk_queue_nomerges(q) && + blk_attempt_plug_merge(q, bio, &request_count, &same_queue_rq)) + return BLK_QC_T_NONE; diff --git a/queue-4.9/block-fix-an-error-code-in-add_partition.patch b/queue-4.9/block-fix-an-error-code-in-add_partition.patch new file mode 100644 index 00000000000..0f70a26a93b --- /dev/null +++ b/queue-4.9/block-fix-an-error-code-in-add_partition.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Tue, 23 May 2017 17:28:36 +0300 +Subject: block: fix an error code in add_partition() + +From: Dan Carpenter + + +[ Upstream commit 7bd897cfce1eb373892d35d7f73201b0f9b221c4 ] + +We don't set an error code on this path. It means that we return NULL +instead of an error pointer and the caller does a NULL dereference. + +Fixes: 6d1d8050b4bc ("block, partition: add partition_meta_info to hd_struct") +Signed-off-by: Dan Carpenter +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/partition-generic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -321,8 +321,10 @@ struct hd_struct *add_partition(struct g + + if (info) { + struct partition_meta_info *pinfo = alloc_part_info(disk); +- if (!pinfo) ++ if (!pinfo) { ++ err = -ENOMEM; + goto out_free_stats; ++ } + memcpy(pinfo, info, sizeof(*info)); + p->info = pinfo; + } diff --git a/queue-4.9/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch b/queue-4.9/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch new file mode 100644 index 00000000000..187537722d8 --- /dev/null +++ b/queue-4.9/bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch @@ -0,0 +1,122 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Marcel Holtmann +Date: Fri, 9 Jun 2017 18:43:56 +0200 +Subject: Bluetooth: Send HCI Set Event Mask Page 2 command only when needed + +From: Marcel Holtmann + + +[ Upstream commit 313f6888c8fbb1bc8b36c9012ce4e1de848df696 ] + +The Broadcom BCM20702 Bluetooth controller in ThinkPad-T530 devices +report support for the Set Event Mask Page 2 command, but actually do +return an error when trying to use it. + + < HCI Command: Read Local Supported Commands (0x04|0x0002) plen 0 + > HCI Event: Command Complete (0x0e) plen 68 + Read Local Supported Commands (0x04|0x0002) ncmd 1 + Status: Success (0x00) + Commands: 162 entries + ... + Set Event Mask Page 2 (Octet 22 - Bit 2) + ... + + < HCI Command: Set Event Mask Page 2 (0x03|0x0063) plen 8 + Mask: 0x0000000000000000 + > HCI Event: Command Complete (0x0e) plen 4 + Set Event Mask Page 2 (0x03|0x0063) ncmd 1 + Status: Unknown HCI Command (0x01) + +Since these controllers do not support any feature that would require +the event mask page 2 to be modified, it is safe to not send this +command at all. The default value is all bits set to zero. + +T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=03 Dev#= 9 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0a5c ProdID=21e6 Rev= 1.12 +S: Manufacturer=Broadcom Corp +S: Product=BCM20702A0 +S: SerialNumber=F82FA8E8CFC0 +C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=btusb +E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) + +Signed-off-by: Marcel Holtmann +Reported-by: Sedat Dilek +Tested-by: Sedat Dilek +Signed-off-by: Szymon Janc +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_core.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -548,6 +548,7 @@ static void hci_set_event_mask_page_2(st + { + struct hci_dev *hdev = req->hdev; + u8 events[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; ++ bool changed = false; + + /* If Connectionless Slave Broadcast master role is supported + * enable all necessary events for it. +@@ -557,6 +558,7 @@ static void hci_set_event_mask_page_2(st + events[1] |= 0x80; /* Synchronization Train Complete */ + events[2] |= 0x10; /* Slave Page Response Timeout */ + events[2] |= 0x20; /* CSB Channel Map Change */ ++ changed = true; + } + + /* If Connectionless Slave Broadcast slave role is supported +@@ -567,13 +569,24 @@ static void hci_set_event_mask_page_2(st + events[2] |= 0x02; /* CSB Receive */ + events[2] |= 0x04; /* CSB Timeout */ + events[2] |= 0x08; /* Truncated Page Complete */ ++ changed = true; + } + + /* Enable Authenticated Payload Timeout Expired event if supported */ +- if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) ++ if (lmp_ping_capable(hdev) || hdev->le_features[0] & HCI_LE_PING) { + events[2] |= 0x80; ++ changed = true; ++ } + +- hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, sizeof(events), events); ++ /* Some Broadcom based controllers indicate support for Set Event ++ * Mask Page 2 command, but then actually do not support it. Since ++ * the default value is all bits set to zero, the command is only ++ * required if the event mask has to be changed. In case no change ++ * to the event mask is needed, skip this command. ++ */ ++ if (changed) ++ hci_req_add(req, HCI_OP_SET_EVENT_MASK_PAGE_2, ++ sizeof(events), events); + } + + static int hci_init3_req(struct hci_request *req, unsigned long opt) diff --git a/queue-4.9/bna-avoid-reading-past-end-of-buffer.patch b/queue-4.9/bna-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..087af382dff --- /dev/null +++ b/queue-4.9/bna-avoid-reading-past-end-of-buffer.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:25:32 -0700 +Subject: bna: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit 9e4eb1ce472fbf7b007f23c88ec11c37265e401c ] + +Using memcpy() from a string that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. Instead, use strncpy() which will fill the trailing bytes +with zeros. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/brocade/bna/bfa_ioc.c ++++ b/drivers/net/ethernet/brocade/bna/bfa_ioc.c +@@ -2845,7 +2845,7 @@ bfa_ioc_get_adapter_optrom_ver(struct bf + static void + bfa_ioc_get_adapter_manufacturer(struct bfa_ioc *ioc, char *manufacturer) + { +- memcpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); ++ strncpy(manufacturer, BFA_MFG_NAME, BFA_ADAPTER_MFG_NAME_LEN); + } + + static void diff --git a/queue-4.9/bnx2x-allow-vfs-to-disable-txvlan-offload.patch b/queue-4.9/bnx2x-allow-vfs-to-disable-txvlan-offload.patch new file mode 100644 index 00000000000..61906c855c2 --- /dev/null +++ b/queue-4.9/bnx2x-allow-vfs-to-disable-txvlan-offload.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Mintz, Yuval" +Date: Fri, 9 Jun 2017 17:17:01 +0300 +Subject: bnx2x: Allow vfs to disable txvlan offload + +From: "Mintz, Yuval" + + +[ Upstream commit 92f85f05caa51d844af6ea14ffbc7a786446a644 ] + +VF clients are configured as enforced, meaning firmware is validating +the correctness of their ethertype/vid during transmission. +Once txvlan is disabled, VF would start getting SKBs for transmission +here vlan is on the payload - but it'll pass the packet's ethertype +instead of the vid, leading to firmware declaring it as malicious. + +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -3887,15 +3887,26 @@ netdev_tx_t bnx2x_start_xmit(struct sk_b + /* when transmitting in a vf, start bd must hold the ethertype + * for fw to enforce it + */ ++ u16 vlan_tci = 0; + #ifndef BNX2X_STOP_ON_ERROR +- if (IS_VF(bp)) ++ if (IS_VF(bp)) { + #endif +- tx_start_bd->vlan_or_ethertype = +- cpu_to_le16(ntohs(eth->h_proto)); ++ /* Still need to consider inband vlan for enforced */ ++ if (__vlan_get_tag(skb, &vlan_tci)) { ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(ntohs(eth->h_proto)); ++ } else { ++ tx_start_bd->bd_flags.as_bitfield |= ++ (X_ETH_INBAND_VLAN << ++ ETH_TX_BD_FLAGS_VLAN_MODE_SHIFT); ++ tx_start_bd->vlan_or_ethertype = ++ cpu_to_le16(vlan_tci); ++ } + #ifndef BNX2X_STOP_ON_ERROR +- else ++ } else { + /* used by FW for packet accounting */ + tx_start_bd->vlan_or_ethertype = cpu_to_le16(pkt_prod); ++ } + #endif + } + diff --git a/queue-4.9/bonding-don-t-update-slave-link-until-ready-to-commit.patch b/queue-4.9/bonding-don-t-update-slave-link-until-ready-to-commit.patch new file mode 100644 index 00000000000..5236d0f28d0 --- /dev/null +++ b/queue-4.9/bonding-don-t-update-slave-link-until-ready-to-commit.patch @@ -0,0 +1,86 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Nithin Sujir +Date: Wed, 24 May 2017 19:45:17 -0700 +Subject: bonding: Don't update slave->link until ready to commit + +From: Nithin Sujir + + +[ Upstream commit 797a93647a48d6cb8a20641a86a71713a947f786 ] + +In the loadbalance arp monitoring scheme, when a slave link change is +detected, the slave->link is immediately updated and slave_state_changed +is set. Later down the function, the rtnl_lock is acquired and the +changes are committed, updating the bond link state. + +However, the acquisition of the rtnl_lock can fail. The next time the +monitor runs, since slave->link is already updated, it determines that +link is unchanged. This results in the bond link state permanently out +of sync with the slave link. + +This patch modifies bond_loadbalance_arp_mon() to handle link changes +identical to bond_ab_arp_{inspect/commit}(). The new link state is +maintained in slave->new_link until we're ready to commit at which point +it's copied into slave->link. + +NOTE: miimon_{inspect/commit}() has a more complex state machine +requiring the use of the bond_{propose,commit}_link_state() functions +which maintains the intermediate state in slave->link_new_state. The arp +monitors don't require that. + +Testing: This bug is very easy to reproduce with the following steps. +1. In a loop, toggle a slave link of a bond slave interface. +2. In a separate loop, do ifconfig up/down of an unrelated interface to +create contention for rtnl_lock. +Within a few iterations, the bond link goes out of sync with the slave +link. + +Signed-off-by: Nithin Nayak Sujir +Cc: Mahesh Bandewar +Cc: Jay Vosburgh +Acked-by: Mahesh Bandewar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2605,11 +2605,13 @@ static void bond_loadbalance_arp_mon(str + bond_for_each_slave_rcu(bond, slave, iter) { + unsigned long trans_start = dev_trans_start(slave->dev); + ++ slave->new_link = BOND_LINK_NOCHANGE; ++ + if (slave->link != BOND_LINK_UP) { + if (bond_time_in_interval(bond, trans_start, 1) && + bond_time_in_interval(bond, slave->last_rx, 1)) { + +- slave->link = BOND_LINK_UP; ++ slave->new_link = BOND_LINK_UP; + slave_state_changed = 1; + + /* primary_slave has no meaning in round-robin +@@ -2636,7 +2638,7 @@ static void bond_loadbalance_arp_mon(str + if (!bond_time_in_interval(bond, trans_start, 2) || + !bond_time_in_interval(bond, slave->last_rx, 2)) { + +- slave->link = BOND_LINK_DOWN; ++ slave->new_link = BOND_LINK_DOWN; + slave_state_changed = 1; + + if (slave->link_failure_count < UINT_MAX) +@@ -2667,6 +2669,11 @@ static void bond_loadbalance_arp_mon(str + if (!rtnl_trylock()) + goto re_arm; + ++ bond_for_each_slave(bond, slave, iter) { ++ if (slave->new_link != BOND_LINK_NOCHANGE) ++ slave->link = slave->new_link; ++ } ++ + if (slave_state_changed) { + bond_slave_state_change(bond); + if (BOND_MODE(bond) == BOND_MODE_XOR) diff --git a/queue-4.9/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch b/queue-4.9/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch new file mode 100644 index 00000000000..42269b6ce5c --- /dev/null +++ b/queue-4.9/btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Colin Ian King +Date: Tue, 9 May 2017 18:14:01 +0100 +Subject: btrfs: fix incorrect error return ret being passed to mapping_set_error + +From: Colin Ian King + + +[ Upstream commit bff5baf8aa37a97293725a16c03f49872249c07e ] + +The setting of return code ret should be based on the error code +passed into function end_extent_writepage and not on ret. Thanks +to Liu Bo for spotting this mistake in the original fix I submitted. + +Detected by CoverityScan, CID#1414312 ("Logically dead code") + +Fixes: 5dca6eea91653e ("Btrfs: mark mapping with error flag to report errors to userspace") +Signed-off-by: Colin Ian King +Reviewed-by: Liu Bo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/extent_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/extent_io.c ++++ b/fs/btrfs/extent_io.c +@@ -2453,7 +2453,7 @@ void end_extent_writepage(struct page *p + if (!uptodate) { + ClearPageUptodate(page); + SetPageError(page); +- ret = ret < 0 ? ret : -EIO; ++ ret = err < 0 ? err : -EIO; + mapping_set_error(page->mapping, ret); + } + } diff --git a/queue-4.9/bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch b/queue-4.9/bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch new file mode 100644 index 00000000000..710e1fe9f3a --- /dev/null +++ b/queue-4.9/bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch @@ -0,0 +1,142 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Doug Berger +Date: Wed, 29 Mar 2017 17:29:10 -0700 +Subject: bus: brcmstb_gisb: correct support for 64-bit address output + +From: Doug Berger + + +[ Upstream commit 0c2aa0e4b308815e877601845c1a89913f9bd2b9 ] + +The GISB bus can support addresses beyond 32-bits. So this commit +corrects support for reading a captured 64-bit address into a 64-bit +variable by obtaining the high bits from the ARB_ERR_CAP_HI_ADDR +register (when present) and then outputting the full 64-bit value. + +It also removes unused definitions. + +Fixes: 44127b771d9c ("bus: add Broadcom GISB bus arbiter timeout/error handler") +Signed-off-by: Doug Berger +Acked-by: Gregory Fong +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/brcmstb_gisb.c | 36 ++++++++++++++++++++---------------- + 1 file changed, 20 insertions(+), 16 deletions(-) + +--- a/drivers/bus/brcmstb_gisb.c ++++ b/drivers/bus/brcmstb_gisb.c +@@ -37,8 +37,6 @@ + #define ARB_ERR_CAP_CLEAR (1 << 0) + #define ARB_ERR_CAP_STATUS_TIMEOUT (1 << 12) + #define ARB_ERR_CAP_STATUS_TEA (1 << 11) +-#define ARB_ERR_CAP_STATUS_BS_SHIFT (1 << 2) +-#define ARB_ERR_CAP_STATUS_BS_MASK 0x3c + #define ARB_ERR_CAP_STATUS_WRITE (1 << 1) + #define ARB_ERR_CAP_STATUS_VALID (1 << 0) + +@@ -47,7 +45,6 @@ enum { + ARB_ERR_CAP_CLR, + ARB_ERR_CAP_HI_ADDR, + ARB_ERR_CAP_ADDR, +- ARB_ERR_CAP_DATA, + ARB_ERR_CAP_STATUS, + ARB_ERR_CAP_MASTER, + }; +@@ -57,7 +54,6 @@ static const int gisb_offsets_bcm7038[] + [ARB_ERR_CAP_CLR] = 0x0c4, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x0c8, +- [ARB_ERR_CAP_DATA] = 0x0cc, + [ARB_ERR_CAP_STATUS] = 0x0d0, + [ARB_ERR_CAP_MASTER] = -1, + }; +@@ -67,7 +63,6 @@ static const int gisb_offsets_bcm7400[] + [ARB_ERR_CAP_CLR] = 0x0c8, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x0cc, +- [ARB_ERR_CAP_DATA] = 0x0d0, + [ARB_ERR_CAP_STATUS] = 0x0d4, + [ARB_ERR_CAP_MASTER] = 0x0d8, + }; +@@ -77,7 +72,6 @@ static const int gisb_offsets_bcm7435[] + [ARB_ERR_CAP_CLR] = 0x168, + [ARB_ERR_CAP_HI_ADDR] = -1, + [ARB_ERR_CAP_ADDR] = 0x16c, +- [ARB_ERR_CAP_DATA] = 0x170, + [ARB_ERR_CAP_STATUS] = 0x174, + [ARB_ERR_CAP_MASTER] = 0x178, + }; +@@ -87,7 +81,6 @@ static const int gisb_offsets_bcm7445[] + [ARB_ERR_CAP_CLR] = 0x7e4, + [ARB_ERR_CAP_HI_ADDR] = 0x7e8, + [ARB_ERR_CAP_ADDR] = 0x7ec, +- [ARB_ERR_CAP_DATA] = 0x7f0, + [ARB_ERR_CAP_STATUS] = 0x7f4, + [ARB_ERR_CAP_MASTER] = 0x7f8, + }; +@@ -109,9 +102,13 @@ static u32 gisb_read(struct brcmstb_gisb + { + int offset = gdev->gisb_offsets[reg]; + +- /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */ +- if (offset == -1) +- return 1; ++ if (offset < 0) { ++ /* return 1 if the hardware doesn't have ARB_ERR_CAP_MASTER */ ++ if (reg == ARB_ERR_CAP_MASTER) ++ return 1; ++ else ++ return 0; ++ } + + if (gdev->big_endian) + return ioread32be(gdev->base + offset); +@@ -119,6 +116,16 @@ static u32 gisb_read(struct brcmstb_gisb + return ioread32(gdev->base + offset); + } + ++static u64 gisb_read_address(struct brcmstb_gisb_arb_device *gdev) ++{ ++ u64 value; ++ ++ value = gisb_read(gdev, ARB_ERR_CAP_ADDR); ++ value |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32; ++ ++ return value; ++} ++ + static void gisb_write(struct brcmstb_gisb_arb_device *gdev, u32 val, int reg) + { + int offset = gdev->gisb_offsets[reg]; +@@ -185,7 +192,7 @@ static int brcmstb_gisb_arb_decode_addr( + const char *reason) + { + u32 cap_status; +- unsigned long arb_addr; ++ u64 arb_addr; + u32 master; + const char *m_name; + char m_fmt[11]; +@@ -197,10 +204,7 @@ static int brcmstb_gisb_arb_decode_addr( + return 1; + + /* Read the address and master */ +- arb_addr = gisb_read(gdev, ARB_ERR_CAP_ADDR) & 0xffffffff; +-#if (IS_ENABLED(CONFIG_PHYS_ADDR_T_64BIT)) +- arb_addr |= (u64)gisb_read(gdev, ARB_ERR_CAP_HI_ADDR) << 32; +-#endif ++ arb_addr = gisb_read_address(gdev); + master = gisb_read(gdev, ARB_ERR_CAP_MASTER); + + m_name = brcmstb_gisb_master_to_str(gdev, master); +@@ -209,7 +213,7 @@ static int brcmstb_gisb_arb_decode_addr( + m_name = m_fmt; + } + +- pr_crit("%s: %s at 0x%lx [%c %s], core: %s\n", ++ pr_crit("%s: %s at 0x%llx [%c %s], core: %s\n", + __func__, reason, arb_addr, + cap_status & ARB_ERR_CAP_STATUS_WRITE ? 'W' : 'R', + cap_status & ARB_ERR_CAP_STATUS_TIMEOUT ? "timeout" : "", diff --git a/queue-4.9/bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch b/queue-4.9/bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch new file mode 100644 index 00000000000..761259e852f --- /dev/null +++ b/queue-4.9/bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Doug Berger +Date: Wed, 29 Mar 2017 17:29:09 -0700 +Subject: bus: brcmstb_gisb: Use register offsets with writes too + +From: Doug Berger + + +[ Upstream commit 856c7ccb9ce7a061f04bdf586f649cb93654e294 ] + +This commit corrects the bug introduced in commit f80835875d3d +("bus: brcmstb_gisb: Look up register offsets in a table") such +that gisb_write() translates the register enumeration into an +offset from the base address for writes as well as reads. + +Fixes: f80835875d3d ("bus: brcmstb_gisb: Look up register offsets in a table") +Signed-off-by: Doug Berger +Acked-by: Gregory Fong +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bus/brcmstb_gisb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/bus/brcmstb_gisb.c ++++ b/drivers/bus/brcmstb_gisb.c +@@ -1,5 +1,5 @@ + /* +- * Copyright (C) 2014 Broadcom Corporation ++ * Copyright (C) 2014-2017 Broadcom + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -127,9 +127,9 @@ static void gisb_write(struct brcmstb_gi + return; + + if (gdev->big_endian) +- iowrite32be(val, gdev->base + reg); ++ iowrite32be(val, gdev->base + offset); + else +- iowrite32(val, gdev->base + reg); ++ iowrite32(val, gdev->base + offset); + } + + static ssize_t gisb_arb_get_timeout(struct device *dev, diff --git a/queue-4.9/cfg80211-make-rate_info_bw_20-the-default.patch b/queue-4.9/cfg80211-make-rate_info_bw_20-the-default.patch new file mode 100644 index 00000000000..8d38c7c9b4b --- /dev/null +++ b/queue-4.9/cfg80211-make-rate_info_bw_20-the-default.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Johannes Berg +Date: Thu, 4 May 2017 08:42:30 +0200 +Subject: cfg80211: make RATE_INFO_BW_20 the default + +From: Johannes Berg + + +[ Upstream commit 842be75c77cb72ee546a2b19da9c285fb3ded660 ] + +Due to the way I did the RX bitrate conversions in mac80211 with +spatch, going setting flags to setting the value, many drivers now +don't set the bandwidth value for 20 MHz, since with the flags it +wasn't necessary to (there was no 20 MHz flag, only the others.) + +Rather than go through and try to fix up all the drivers, instead +renumber the enum so that 20 MHz, which is the typical bandwidth, +actually has the value 0, making those drivers all work again. + +If VHT was hit used with a driver not reporting it, e.g. iwlmvm, +this manifested in hitting the bandwidth warning in +cfg80211_calculate_bitrate_vht(). + +Reported-by: Linus Torvalds +Tested-by: Jens Axboe +Signed-off-by: Johannes Berg +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -947,9 +947,9 @@ enum rate_info_flags { + * @RATE_INFO_BW_160: 160 MHz bandwidth + */ + enum rate_info_bw { ++ RATE_INFO_BW_20 = 0, + RATE_INFO_BW_5, + RATE_INFO_BW_10, +- RATE_INFO_BW_20, + RATE_INFO_BW_40, + RATE_INFO_BW_80, + RATE_INFO_BW_160, diff --git a/queue-4.9/cifs-silence-lockdep-splat-in-cifs_relock_file.patch b/queue-4.9/cifs-silence-lockdep-splat-in-cifs_relock_file.patch new file mode 100644 index 00000000000..32691146669 --- /dev/null +++ b/queue-4.9/cifs-silence-lockdep-splat-in-cifs_relock_file.patch @@ -0,0 +1,87 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Rabin Vincent +Date: Wed, 3 May 2017 17:17:21 +0200 +Subject: CIFS: silence lockdep splat in cifs_relock_file() + +From: Rabin Vincent + + +[ Upstream commit 560d388950ceda5e7c7cdef7f3d9a8ff297bbf9d ] + +cifs_relock_file() can perform a down_write() on the inode's lock_sem even +though it was already performed in cifs_strict_readv(). Lockdep complains +about this. AFAICS, there is no problem here, and lockdep just needs to be +told that this nesting is OK. + + ============================================= + [ INFO: possible recursive locking detected ] + 4.11.0+ #20 Not tainted + --------------------------------------------- + cat/701 is trying to acquire lock: + (&cifsi->lock_sem){++++.+}, at: cifs_reopen_file+0x7a7/0xc00 + + but task is already holding lock: + (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310 + + other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&cifsi->lock_sem); + lock(&cifsi->lock_sem); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + + 1 lock held by cat/701: + #0: (&cifsi->lock_sem){++++.+}, at: cifs_strict_readv+0x177/0x310 + + stack backtrace: + CPU: 0 PID: 701 Comm: cat Not tainted 4.11.0+ #20 + Call Trace: + dump_stack+0x85/0xc2 + __lock_acquire+0x17dd/0x2260 + ? trace_hardirqs_on_thunk+0x1a/0x1c + ? preempt_schedule_irq+0x6b/0x80 + lock_acquire+0xcc/0x260 + ? lock_acquire+0xcc/0x260 + ? cifs_reopen_file+0x7a7/0xc00 + down_read+0x2d/0x70 + ? cifs_reopen_file+0x7a7/0xc00 + cifs_reopen_file+0x7a7/0xc00 + ? printk+0x43/0x4b + cifs_readpage_worker+0x327/0x8a0 + cifs_readpage+0x8c/0x2a0 + generic_file_read_iter+0x692/0xd00 + cifs_strict_readv+0x29f/0x310 + generic_file_splice_read+0x11c/0x1c0 + do_splice_to+0xa5/0xc0 + splice_direct_to_actor+0xfa/0x350 + ? generic_pipe_buf_nosteal+0x10/0x10 + do_splice_direct+0xb5/0xe0 + do_sendfile+0x278/0x3a0 + SyS_sendfile64+0xc4/0xe0 + entry_SYSCALL_64_fastpath+0x1f/0xbe + +Signed-off-by: Rabin Vincent +Acked-by: Pavel Shilovsky +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -589,7 +589,7 @@ cifs_relock_file(struct cifsFileInfo *cf + struct cifs_tcon *tcon = tlink_tcon(cfile->tlink); + int rc = 0; + +- down_read(&cinode->lock_sem); ++ down_read_nested(&cinode->lock_sem, SINGLE_DEPTH_NESTING); + if (cinode->can_cache_brlcks) { + /* can cache locks - no need to relock */ + up_read(&cinode->lock_sem); diff --git a/queue-4.9/clk-at91-fix-clk-generated-parenting.patch b/queue-4.9/clk-at91-fix-clk-generated-parenting.patch new file mode 100644 index 00000000000..fe511fc5d0a --- /dev/null +++ b/queue-4.9/clk-at91-fix-clk-generated-parenting.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Alexandre Belloni +Date: Fri, 12 May 2017 16:25:30 +0200 +Subject: clk: at91: fix clk-generated parenting + +From: Alexandre Belloni + + +[ Upstream commit 8e56133e5c7b7a7a97f6a92d92f664d5ecd30745 ] + +clk_generated_startup is called after clk_hw_register. So the first call to +get_parent will not have the correct value (i.e. 0) and because this is +cached, it may never be updated. + +Signed-off-by: Alexandre Belloni +Fixes: df70aeef6083 ("clk: at91: add generated clock driver") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/at91/clk-generated.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/clk/at91/clk-generated.c ++++ b/drivers/clk/at91/clk-generated.c +@@ -260,13 +260,12 @@ at91_clk_register_generated(struct regma + gck->lock = lock; + gck->range = *range; + ++ clk_generated_startup(gck); + hw = &gck->hw; + ret = clk_hw_register(NULL, &gck->hw); + if (ret) { + kfree(gck); + hw = ERR_PTR(ret); +- } else +- clk_generated_startup(gck); + + return hw; + } diff --git a/queue-4.9/clk-fix-__set_clk_rates-error-print-string.patch b/queue-4.9/clk-fix-__set_clk_rates-error-print-string.patch new file mode 100644 index 00000000000..2f182d6d71f --- /dev/null +++ b/queue-4.9/clk-fix-__set_clk_rates-error-print-string.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Bryan O'Donoghue +Date: Mon, 15 May 2017 11:58:59 +0100 +Subject: clk: Fix __set_clk_rates error print-string + +From: Bryan O'Donoghue + + +[ Upstream commit ee177c5d6369f8e5d3e4793dce501cf4431313a1 ] + +When failing to set a clock the printout emitted is incorrect. +"u32 rate" is formatted as %d and should be %u whereas "unsigned long +clk_set_rate()" is formatted as %ld and should be %lu as per +Documentation/printk-formats.txt. + +Fixes: 2885c3b2a3da ("clk: Show correct information when fail to set clock rate") +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-conf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/clk-conf.c ++++ b/drivers/clk/clk-conf.c +@@ -106,7 +106,7 @@ static int __set_clk_rates(struct device + + rc = clk_set_rate(clk, rate); + if (rc < 0) +- pr_err("clk: couldn't set %s clk rate to %d (%d), current rate: %ld\n", ++ pr_err("clk: couldn't set %s clk rate to %u (%d), current rate: %lu\n", + __clk_get_name(clk), rate, rc, + clk_get_rate(clk)); + clk_put(clk); diff --git a/queue-4.9/clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch b/queue-4.9/clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch new file mode 100644 index 00000000000..ea634c14a30 --- /dev/null +++ b/queue-4.9/clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch @@ -0,0 +1,112 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Martin Blumenstingl +Date: Sun, 4 Jun 2017 20:33:39 +0200 +Subject: clk: meson: meson8b: add compatibles for Meson8 and Meson8m2 + +From: Martin Blumenstingl + + +[ Upstream commit 855f06a1009faabb0c6a3e9b49d115496d325856 ] + +The clock controller on Meson8, Meson8b and Meson8m2 is very similar +based on the code from the Amlogic GPL kernel sources. Add separate +compatibles for each SoC to make sure that we can easily implement +all the small differences for each SoC later on. + +In general the Meson8 and Meson8m2 seem to be almost identical as they +even share the same mach-meson8 directory in Amlogic's GPL kernel +sources. +The main clocks on Meson8, Meson8b and Meson8m2 are very similar, +because they are all using the same PLL values, 90% of the clock gates +are the same (the actual diffstat of the mach-meson8/clock.c and +mach-meson8b/clock.c files is around 30 to 40 lines, when excluding +all commented out code). +The difference between the Meson8 and Meson8b clock gates seem to be: +- Meson8 has AIU_PCLK, HDMI_RX, VCLK2_ENCT, VCLK2_ENCL, UART3, + CSI_DIG_CLKIN gates which don't seem to be available on Meson8b +- the gate on Meson8 for bit 7 seems to be named "_1200XXX" instead + of "PERIPHS_TOP" (on Meson8b) +- Meson8b has a SANA gate which doesn't seem to exist on Meson8 (or + on Meson8 the same bit is used by the UART3 gate in Amlogic's GPL + kernel sources) +None of these gates is added for now, since it's unclear whether these +definitions are actually correct (the VCLK2_ENCT gate for example is +defined, but only used in some commented block). + +The main difference between all three SoCs seem to be the video (VPU) +clocks. Apart from different supported clock rates (according to vpu.c +in mach-meson8 and mach-meson8b from Amlogic's GPL kernel sources) the +most notable difference is that Meson8m2 has a GP_PLL clock and a mux +(probably the same as on the Meson GX SoCs) to support glitch-free +(clock rate) switching. +None of these VPU clocks are not supported by our mainline meson8b +clock driver yet though. + +Signed-off-by: Martin Blumenstingl +Acked-by: Rob Herring +Acked-by: Kevin Hilman +Signed-off-by: Jerome Brunet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt | 11 ++++++---- + drivers/clk/meson/Kconfig | 6 ++--- + drivers/clk/meson/meson8b.c | 5 +++- + 3 files changed, 14 insertions(+), 8 deletions(-) + +--- a/Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt ++++ b/Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt +@@ -1,11 +1,14 @@ +-* Amlogic Meson8b Clock and Reset Unit ++* Amlogic Meson8, Meson8b and Meson8m2 Clock and Reset Unit + +-The Amlogic Meson8b clock controller generates and supplies clock to various +-controllers within the SoC. ++The Amlogic Meson8 / Meson8b / Meson8m2 clock controller generates and ++supplies clock to various controllers within the SoC. + + Required Properties: + +-- compatible: should be "amlogic,meson8b-clkc" ++- compatible: must be one of: ++ - "amlogic,meson8-clkc" for Meson8 (S802) SoCs ++ - "amlogic,meson8b-clkc" for Meson8 (S805) SoCs ++ - "amlogic,meson8m2-clkc" for Meson8m2 (S812) SoCs + - reg: it must be composed by two tuples: + 0) physical base address of the xtal register and length of memory + mapped region. +--- a/drivers/clk/meson/Kconfig ++++ b/drivers/clk/meson/Kconfig +@@ -7,9 +7,9 @@ config COMMON_CLK_MESON8B + bool + depends on COMMON_CLK_AMLOGIC + help +- Support for the clock controller on AmLogic S805 devices, aka +- meson8b. Say Y if you want peripherals and CPU frequency scaling to +- work. ++ Support for the clock controller on AmLogic S802 (Meson8), ++ S805 (Meson8b) and S812 (Meson8m2) devices. Say Y if you ++ want peripherals and CPU frequency scaling to work. + + config COMMON_CLK_GXBB + bool +--- a/drivers/clk/meson/meson8b.c ++++ b/drivers/clk/meson/meson8b.c +@@ -1,5 +1,6 @@ + /* +- * AmLogic S805 / Meson8b Clock Controller Driver ++ * AmLogic S802 (Meson8) / S805 (Meson8b) / S812 (Meson8m2) Clock Controller ++ * Driver + * + * Copyright (c) 2015 Endless Mobile, Inc. + * Author: Carlo Caione +@@ -661,7 +662,9 @@ iounmap: + } + + static const struct of_device_id meson8b_clkc_match_table[] = { ++ { .compatible = "amlogic,meson8-clkc" }, + { .compatible = "amlogic,meson8b-clkc" }, ++ { .compatible = "amlogic,meson8m2-clkc" }, + { } + }; + diff --git a/queue-4.9/clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch b/queue-4.9/clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch new file mode 100644 index 00000000000..bd71d40b6e7 --- /dev/null +++ b/queue-4.9/clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch @@ -0,0 +1,78 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Geert Uytterhoeven +Date: Wed, 29 Mar 2017 17:22:44 +0200 +Subject: clk: renesas: rcar-gen2: Fix PLL0 on R-Car V2H and E2 + +From: Geert Uytterhoeven + + +[ Upstream commit b7c563c489e94417efbad68d057ea5d2030ae44c ] + +R-Car V2H and E2 do not have the PLL0CR register, but use a fixed +multiplier (depending on mode pins) and divider. + +This corrects the clock rate of "pll0" (PLL0 VCO after post divider) on +R-Car V2H and E2 from 1.5 GHz to 1 GHz. + +Inspired by Sergei Shtylyov's work for the common R-Car Gen2 and RZ/G +Clock Pulse Generator support core. + +Fixes: 7c4163aae3d8e5b9 ("ARM: dts: r8a7792: initial SoC device tree") +Fixes: 0dce5454d5c25858 ("ARM: shmobile: Initial r8a7794 SoC device tree") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/renesas/clk-rcar-gen2.c | 23 +++++++++++++++++++---- + 1 file changed, 19 insertions(+), 4 deletions(-) + +--- a/drivers/clk/renesas/clk-rcar-gen2.c ++++ b/drivers/clk/renesas/clk-rcar-gen2.c +@@ -271,11 +271,14 @@ struct cpg_pll_config { + unsigned int extal_div; + unsigned int pll1_mult; + unsigned int pll3_mult; ++ unsigned int pll0_mult; /* For R-Car V2H and E2 only */ + }; + + static const struct cpg_pll_config cpg_pll_configs[8] __initconst = { +- { 1, 208, 106 }, { 1, 208, 88 }, { 1, 156, 80 }, { 1, 156, 66 }, +- { 2, 240, 122 }, { 2, 240, 102 }, { 2, 208, 106 }, { 2, 208, 88 }, ++ { 1, 208, 106, 200 }, { 1, 208, 88, 200 }, ++ { 1, 156, 80, 150 }, { 1, 156, 66, 150 }, ++ { 2, 240, 122, 230 }, { 2, 240, 102, 230 }, ++ { 2, 208, 106, 200 }, { 2, 208, 88, 200 }, + }; + + /* SDHI divisors */ +@@ -297,6 +300,12 @@ static const struct clk_div_table cpg_sd + + static u32 cpg_mode __initdata; + ++static const char * const pll0_mult_match[] = { ++ "renesas,r8a7792-cpg-clocks", ++ "renesas,r8a7794-cpg-clocks", ++ NULL ++}; ++ + static struct clk * __init + rcar_gen2_cpg_register_clock(struct device_node *np, struct rcar_gen2_cpg *cpg, + const struct cpg_pll_config *config, +@@ -317,9 +326,15 @@ rcar_gen2_cpg_register_clock(struct devi + * clock implementation and we currently have no need to change + * the multiplier value. + */ +- u32 value = clk_readl(cpg->reg + CPG_PLL0CR); ++ if (of_device_compatible_match(np, pll0_mult_match)) { ++ /* R-Car V2H and E2 do not have PLL0CR */ ++ mult = config->pll0_mult; ++ div = 3; ++ } else { ++ u32 value = clk_readl(cpg->reg + CPG_PLL0CR); ++ mult = ((value >> 24) & ((1 << 7) - 1)) + 1; ++ } + parent_name = "main"; +- mult = ((value >> 24) & ((1 << 7) - 1)) + 1; + } else if (!strcmp(name, "pll1")) { + parent_name = "main"; + mult = config->pll1_mult / 2; diff --git a/queue-4.9/clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch b/queue-4.9/clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch new file mode 100644 index 00000000000..c065640dc29 --- /dev/null +++ b/queue-4.9/clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Sudeep Holla +Date: Thu, 18 May 2017 17:19:28 +0100 +Subject: clk: scpi: fix return type of __scpi_dvfs_round_rate + +From: Sudeep Holla + + +[ Upstream commit 7374aec95636ca39409545eba4ef5ff3125c2346 ] + +The frequencies above the maximum value of signed integer(i.e. 2^31 -1) +will overflow with the current code. + +This patch fixes the return type of __scpi_dvfs_round_rate from 'int' +to 'unsigned long'. + +Fixes: cd52c2a4b5c4 ("clk: add support for clocks provided by SCP(System Control Processor)") +Cc: Michael Turquette +Cc: Stephen Boyd +Signed-off-by: Sudeep Holla +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-scpi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/clk/clk-scpi.c ++++ b/drivers/clk/clk-scpi.c +@@ -71,15 +71,15 @@ static const struct clk_ops scpi_clk_ops + }; + + /* find closest match to given frequency in OPP table */ +-static int __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate) ++static long __scpi_dvfs_round_rate(struct scpi_clk *clk, unsigned long rate) + { + int idx; +- u32 fmin = 0, fmax = ~0, ftmp; ++ unsigned long fmin = 0, fmax = ~0, ftmp; + const struct scpi_opp *opp = clk->info->opps; + + for (idx = 0; idx < clk->info->count; idx++, opp++) { + ftmp = opp->freq; +- if (ftmp >= (u32)rate) { ++ if (ftmp >= rate) { + if (ftmp <= fmax) + fmax = ftmp; + break; diff --git a/queue-4.9/coresight-fix-reference-count-for-software-sources.patch b/queue-4.9/coresight-fix-reference-count-for-software-sources.patch new file mode 100644 index 00000000000..ebb2572e535 --- /dev/null +++ b/queue-4.9/coresight-fix-reference-count-for-software-sources.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Suzuki K Poulose +Date: Mon, 5 Jun 2017 14:15:03 -0600 +Subject: coresight: Fix reference count for software sources + +From: Suzuki K Poulose + + +[ Upstream commit 022aa1a81b778789ee7cf3124595854276a0330d ] + +For software sources (i.e STM), there could be multiple agents +generating the trace data, unlike the ETMs. So we need to +properly do the accounting for the active number of users +to disable the device when the last user goes away. Right +now, the reference counting is broken for sources as we skip +the actions when we detect that the source is enabled. + +This patch fixes the problem by adding the refcounting for +software sources, even when they are enabled. + +Cc: Mathieu Poirier +Reported-by: Robert Walker +Signed-off-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight.c ++++ b/drivers/hwtracing/coresight/coresight.c +@@ -498,6 +498,9 @@ int coresight_enable(struct coresight_de + { + int cpu, ret = 0; + struct list_head *path; ++ enum coresight_dev_subtype_source subtype; ++ ++ subtype = csdev->subtype.source_subtype; + + mutex_lock(&coresight_mutex); + +@@ -505,8 +508,16 @@ int coresight_enable(struct coresight_de + if (ret) + goto out; + +- if (csdev->enable) ++ if (csdev->enable) { ++ /* ++ * There could be multiple applications driving the software ++ * source. So keep the refcount for each such user when the ++ * source is already enabled. ++ */ ++ if (subtype == CORESIGHT_DEV_SUBTYPE_SOURCE_SOFTWARE) ++ atomic_inc(csdev->refcnt); + goto out; ++ } + + path = coresight_build_path(csdev); + if (IS_ERR(path)) { +@@ -523,7 +534,7 @@ int coresight_enable(struct coresight_de + if (ret) + goto err_source; + +- switch (csdev->subtype.source_subtype) { ++ switch (subtype) { + case CORESIGHT_DEV_SUBTYPE_SOURCE_PROC: + /* + * When working from sysFS it is important to keep track diff --git a/queue-4.9/coresight-tmc-configure-dma-mask-appropriately.patch b/queue-4.9/coresight-tmc-configure-dma-mask-appropriately.patch new file mode 100644 index 00000000000..eec3b6462db --- /dev/null +++ b/queue-4.9/coresight-tmc-configure-dma-mask-appropriately.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Robin Murphy +Date: Mon, 5 Jun 2017 14:15:09 -0600 +Subject: coresight: tmc: Configure DMA mask appropriately + +From: Robin Murphy + + +[ Upstream commit a3959c50b02f57df4c4e4f14f632220f1c0b1f79 ] + +Before making any DMA API calls, the ETR driver should really be setting +its masks to ensure that DMA is possible. Especially since it can +address more than the 32-bit default mask set by the AMBA bus code. + +Signed-off-by: Robin Murphy +Tested-by: Suzuki K Poulose +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-tmc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/hwtracing/coresight/coresight-tmc.c ++++ b/drivers/hwtracing/coresight/coresight-tmc.c +@@ -362,6 +362,13 @@ static int tmc_probe(struct amba_device + desc.type = CORESIGHT_DEV_TYPE_SINK; + desc.subtype.sink_subtype = CORESIGHT_DEV_SUBTYPE_SINK_BUFFER; + desc.ops = &tmc_etr_cs_ops; ++ /* ++ * ETR configuration uses a 40-bit AXI master in place of ++ * the embedded SRAM of ETB/ETF. ++ */ ++ ret = dma_set_mask_and_coherent(dev, DMA_BIT_MASK(40)); ++ if (ret) ++ goto out; + } else { + desc.type = CORESIGHT_DEV_TYPE_LINKSINK; + desc.subtype.link_subtype = CORESIGHT_DEV_SUBTYPE_LINK_FIFO; diff --git a/queue-4.9/cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch b/queue-4.9/cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch new file mode 100644 index 00000000000..0c52638c530 --- /dev/null +++ b/queue-4.9/cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch @@ -0,0 +1,95 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Thomas Gleixner +Date: Wed, 24 May 2017 10:15:43 +0200 +Subject: cpuhotplug: Link lock stacks for hotplug callbacks + +From: Thomas Gleixner + + +[ Upstream commit 49dfe2a6779717d9c18395684ee31bdc98b22e53 ] + +The CPU hotplug callbacks are not covered by lockdep versus the cpu hotplug +rwsem. + +CPU0 CPU1 +cpuhp_setup_state(STATE, startup, teardown); + cpus_read_lock(); + invoke_callback_on_ap(); + kick_hotplug_thread(ap); + wait_for_completion(); hotplug_thread_fn() + lock(m); + do_stuff(); + unlock(m); + +Lockdep does not know about this dependency and will not trigger on the +following code sequence: + + lock(m); + cpus_read_lock(); + +Add a lockdep map and connect the initiators lock chain with the hotplug +thread lock chain, so potential deadlocks can be detected. + +Signed-off-by: Thomas Gleixner +Tested-by: Paul E. McKenney +Acked-by: Ingo Molnar +Cc: Peter Zijlstra +Cc: Sebastian Siewior +Cc: Steven Rostedt +Link: http://lkml.kernel.org/r/20170524081549.709375845@linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cpu.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/kernel/cpu.c ++++ b/kernel/cpu.c +@@ -63,6 +63,12 @@ struct cpuhp_cpu_state { + + static DEFINE_PER_CPU(struct cpuhp_cpu_state, cpuhp_state); + ++#if defined(CONFIG_LOCKDEP) && defined(CONFIG_SMP) ++static struct lock_class_key cpuhp_state_key; ++static struct lockdep_map cpuhp_state_lock_map = ++ STATIC_LOCKDEP_MAP_INIT("cpuhp_state", &cpuhp_state_key); ++#endif ++ + /** + * cpuhp_step - Hotplug state machine step + * @name: Name of the step +@@ -563,6 +569,7 @@ static void cpuhp_thread_fun(unsigned in + + st->should_run = false; + ++ lock_map_acquire(&cpuhp_state_lock_map); + /* Single callback invocation for [un]install ? */ + if (st->single) { + if (st->cb_state < CPUHP_AP_ONLINE) { +@@ -594,6 +601,7 @@ static void cpuhp_thread_fun(unsigned in + else if (st->state > st->target) + ret = cpuhp_ap_offline(cpu, st); + } ++ lock_map_release(&cpuhp_state_lock_map); + st->result = ret; + complete(&st->done); + } +@@ -608,6 +616,9 @@ cpuhp_invoke_ap_callback(int cpu, enum c + if (!cpu_online(cpu)) + return 0; + ++ lock_map_acquire(&cpuhp_state_lock_map); ++ lock_map_release(&cpuhp_state_lock_map); ++ + /* + * If we are up and running, use the hotplug thread. For early calls + * we invoke the thread function directly. +@@ -651,6 +662,8 @@ static int cpuhp_kick_ap_work(unsigned i + enum cpuhp_state state = st->state; + + trace_cpuhp_enter(cpu, st->target, state, cpuhp_kick_ap_work); ++ lock_map_acquire(&cpuhp_state_lock_map); ++ lock_map_release(&cpuhp_state_lock_map); + __cpuhp_kick_ap_work(st); + wait_for_completion(&st->done); + trace_cpuhp_exit(cpu, st->state, state, st->result); diff --git a/queue-4.9/cpuidle-dt-add-missing-of_node_put.patch b/queue-4.9/cpuidle-dt-add-missing-of_node_put.patch new file mode 100644 index 00000000000..c6906a535da --- /dev/null +++ b/queue-4.9/cpuidle-dt-add-missing-of_node_put.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe Jaillet +Date: Sun, 11 Jun 2017 14:28:54 +0200 +Subject: cpuidle: dt: Add missing 'of_node_put()' + +From: Christophe Jaillet + + +[ Upstream commit b2cdd8e1b54849477a32d820acc2e87828a38f3d ] + +'of_node_put()' should be called on pointer returned by +'of_parse_phandle()' when done. In this function this is done in all path +except this 'continue', so add it. + +Fixes: 97735da074fd (drivers: cpuidle: Add status property to ARM idle states) +Signed-off-by: Christophe Jaillet +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpuidle/dt_idle_states.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/cpuidle/dt_idle_states.c ++++ b/drivers/cpuidle/dt_idle_states.c +@@ -174,8 +174,10 @@ int dt_init_idle_driver(struct cpuidle_d + if (!state_node) + break; + +- if (!of_device_is_available(state_node)) ++ if (!of_device_is_available(state_node)) { ++ of_node_put(state_node); + continue; ++ } + + if (!idle_state_valid(state_node, i, cpumask)) { + pr_warn("%s idle state not valid, bailing out\n", diff --git a/queue-4.9/crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch b/queue-4.9/crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch new file mode 100644 index 00000000000..c157f372b54 --- /dev/null +++ b/queue-4.9/crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tero Kristo +Date: Wed, 24 May 2017 10:35:32 +0300 +Subject: crypto: omap-sham - buffer handling fixes for hashing later + +From: Tero Kristo + + +[ Upstream commit 5d78d57ede8f9e7f656c610ed25be7be337e0529 ] + +Currently, the hash later code only handles the cases when we have +either new data coming in with the request or old data in the buffer, +but not the combination when we have both. Fix this by changing the +ordering of the code a bit and handling both cases properly +simultaneously if needed. Also, fix an issue with omap_sham_update +that surfaces with this fix, so that the code checks the bufcnt +instead of total data amount against buffer length to avoid any +buffer overflows. + +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/omap-sham.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -873,14 +873,21 @@ static int omap_sham_prepare_request(str + } + + if (hash_later) { +- if (req->nbytes) { +- scatterwalk_map_and_copy(rctx->buffer, req->src, +- req->nbytes - hash_later, +- hash_later, 0); +- } else { ++ int offset = 0; ++ ++ if (hash_later > req->nbytes) { + memcpy(rctx->buffer, rctx->buffer + xmit_len, +- hash_later); ++ hash_later - req->nbytes); ++ offset = hash_later - req->nbytes; ++ } ++ ++ if (req->nbytes) { ++ scatterwalk_map_and_copy(rctx->buffer + offset, ++ req->src, ++ offset + req->nbytes - ++ hash_later, hash_later, 0); + } ++ + rctx->bufcnt = hash_later; + } else { + rctx->bufcnt = 0; +@@ -1189,11 +1196,10 @@ static int omap_sham_update(struct ahash + if (!req->nbytes) + return 0; + +- if (ctx->total + req->nbytes < ctx->buflen) { ++ if (ctx->bufcnt + req->nbytes <= ctx->buflen) { + scatterwalk_map_and_copy(ctx->buffer + ctx->bufcnt, req->src, + 0, req->nbytes, 0); + ctx->bufcnt += req->nbytes; +- ctx->total += req->nbytes; + return 0; + } + diff --git a/queue-4.9/crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch b/queue-4.9/crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch new file mode 100644 index 00000000000..f5f3615eed1 --- /dev/null +++ b/queue-4.9/crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch @@ -0,0 +1,61 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tero Kristo +Date: Wed, 24 May 2017 10:35:33 +0300 +Subject: crypto: omap-sham - fix closing of hash with separate finalize call + +From: Tero Kristo + + +[ Upstream commit 898d86a565925f09de3d0b30cf3b47ec2e409680 ] + +Currently there is an interesting corner case failure with omap-sham +driver, if the finalize call is done separately with no data, but +all previous data has already been processed. In this case, it is not +possible to close the hash with the hardware without providing any data, +so we get incorrect results. Fix this by adjusting the size of data +sent to the hardware crypto engine in case the non-final data size falls +on the block size boundary, by reducing the amount of data sent by one +full block. This makes it sure that we always have some data available +for the finalize call and we can close the hash properly. + +Signed-off-by: Tero Kristo +Reported-by: Aparna Balasubramanian +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/omap-sham.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -750,7 +750,10 @@ static int omap_sham_align_sgs(struct sc + if (final) + new_len = DIV_ROUND_UP(new_len, bs) * bs; + else +- new_len = new_len / bs * bs; ++ new_len = (new_len - 1) / bs * bs; ++ ++ if (nbytes != new_len) ++ list_ok = false; + + while (nbytes > 0 && sg_tmp) { + n++; +@@ -846,6 +849,8 @@ static int omap_sham_prepare_request(str + xmit_len = DIV_ROUND_UP(xmit_len, bs) * bs; + else + xmit_len = xmit_len / bs * bs; ++ } else if (!final) { ++ xmit_len -= bs; + } + + hash_later = rctx->total - xmit_len; +@@ -1137,7 +1142,7 @@ retry: + ctx = ahash_request_ctx(req); + + err = omap_sham_prepare_request(req, ctx->op == OP_UPDATE); +- if (err) ++ if (err || !ctx->total) + goto err1; + + dev_dbg(dd->dev, "handling new req, op: %lu, nbytes: %d\n", diff --git a/queue-4.9/cx25840-fix-unchecked-return-values.patch b/queue-4.9/cx25840-fix-unchecked-return-values.patch new file mode 100644 index 00000000000..a788eb3b433 --- /dev/null +++ b/queue-4.9/cx25840-fix-unchecked-return-values.patch @@ -0,0 +1,83 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 10:06:36 -0300 +Subject: [media] cx25840: fix unchecked return values + +From: Pan Bian + + +[ Upstream commit 35378ce143071c2a6bad4b59a000e9b9f8f6ea67 ] + +In functions cx25840_initialize(), cx231xx_initialize(), and +cx23885_initialize(), the return value of create_singlethread_workqueue() +is used without validation. This may result in NULL dereference and cause +kernel crash. This patch fixes it. + +Signed-off-by: Pan Bian +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/cx25840/cx25840-core.c | 36 ++++++++++++++++++------------- + 1 file changed, 21 insertions(+), 15 deletions(-) + +--- a/drivers/media/i2c/cx25840/cx25840-core.c ++++ b/drivers/media/i2c/cx25840/cx25840-core.c +@@ -420,11 +420,13 @@ static void cx25840_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* 6. */ + cx25840_write(client, 0x115, 0x8c); +@@ -634,11 +636,13 @@ static void cx23885_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + /* Call the cx23888 specific std setup func, we no longer rely on + * the generic cx24840 func. +@@ -752,11 +756,13 @@ static void cx231xx_initialize(struct i2 + INIT_WORK(&state->fw_work, cx25840_work_handler); + init_waitqueue_head(&state->fw_wait); + q = create_singlethread_workqueue("cx25840_fw"); +- prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); +- queue_work(q, &state->fw_work); +- schedule(); +- finish_wait(&state->fw_wait, &wait); +- destroy_workqueue(q); ++ if (q) { ++ prepare_to_wait(&state->fw_wait, &wait, TASK_UNINTERRUPTIBLE); ++ queue_work(q, &state->fw_work); ++ schedule(); ++ finish_wait(&state->fw_wait, &wait); ++ destroy_workqueue(q); ++ } + + cx25840_std_setup(client); + diff --git a/queue-4.9/cxgb4-fix-incorrect-cim_la-output-for-t6.patch b/queue-4.9/cxgb4-fix-incorrect-cim_la-output-for-t6.patch new file mode 100644 index 00000000000..673fa52e091 --- /dev/null +++ b/queue-4.9/cxgb4-fix-incorrect-cim_la-output-for-t6.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ganesh Goudar +Date: Wed, 31 May 2017 19:10:21 +0530 +Subject: cxgb4: fix incorrect cim_la output for T6 + +From: Ganesh Goudar + + +[ Upstream commit a97051f4553551d13e586ab3cb6ae13093a44a81 ] + +take care of UpDbgLaRdPtr[0-3] restriction for T6. + +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -8088,7 +8088,16 @@ int t4_cim_read_la(struct adapter *adap, + ret = t4_cim_read(adap, UP_UP_DBG_LA_DATA_A, 1, &la_buf[i]); + if (ret) + break; +- idx = (idx + 1) & UPDBGLARDPTR_M; ++ ++ /* Bits 0-3 of UpDbgLaRdPtr can be between 0000 to 1001 to ++ * identify the 32-bit portion of the full 312-bit data ++ */ ++ if (is_t6(adap->params.chip) && (idx & 0xf) >= 9) ++ idx = (idx & 0xff0) + 0x10; ++ else ++ idx++; ++ /* address can't exceed 0xfff */ ++ idx &= UPDBGLARDPTR_M; + } + restart: + if (cfg & UPDBGLAEN_F) { diff --git a/queue-4.9/cxgb4-fix-netdev_features-flag.patch b/queue-4.9/cxgb4-fix-netdev_features-flag.patch new file mode 100644 index 00000000000..bfa94d30341 --- /dev/null +++ b/queue-4.9/cxgb4-fix-netdev_features-flag.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arjun Vynipadath +Date: Tue, 30 May 2017 13:30:24 +0530 +Subject: cxgb4: Fix netdev_features flag + +From: Arjun Vynipadath + + +[ Upstream commit 90592b9a35836bacd34d92a3aba7958756b6a7c0 ] + +GRO is not supported by Chelsio HW when rx_csum is disabled. +Update the netdev features flag when rx_csum is modified. + +Signed-off-by: Arjun Vynipadath +Signed-off-by: Steve Wise +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -2742,6 +2742,16 @@ static int cxgb_setup_tc(struct net_devi + return -EOPNOTSUPP; + } + ++static netdev_features_t cxgb_fix_features(struct net_device *dev, ++ netdev_features_t features) ++{ ++ /* Disable GRO, if RX_CSUM is disabled */ ++ if (!(features & NETIF_F_RXCSUM)) ++ features &= ~NETIF_F_GRO; ++ ++ return features; ++} ++ + static const struct net_device_ops cxgb4_netdev_ops = { + .ndo_open = cxgb_open, + .ndo_stop = cxgb_close, +@@ -2766,6 +2776,7 @@ static const struct net_device_ops cxgb4 + #endif + .ndo_set_tx_maxrate = cxgb_set_tx_maxrate, + .ndo_setup_tc = cxgb_setup_tc, ++ .ndo_fix_features = cxgb_fix_features, + }; + + #ifdef CONFIG_PCI_IOV diff --git a/queue-4.9/cxgb4-fw-upgrade-fixes.patch b/queue-4.9/cxgb4-fw-upgrade-fixes.patch new file mode 100644 index 00000000000..69bc2ccb70f --- /dev/null +++ b/queue-4.9/cxgb4-fw-upgrade-fixes.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arjun Vynipadath +Date: Tue, 30 May 2017 18:06:06 +0530 +Subject: cxgb4: FW upgrade fixes + +From: Arjun Vynipadath + + +[ Upstream commit 26747211486c5bc7dd014c3caab206576e00c0d0 ] + +Disable FW_OK flag while flashing Firmware. This will help to fix any +potential mailbox timeouts during Firmware flash. + +Grab new devlog parameters after Firmware restart. When we FLASH new +Firmware onto an adapter, the new Firmware may have the Firmware Device Log +located at a different memory address or have a different size for it. + +Signed-off-by: Arjun Vynipadath +Signed-off-by: Casey Leedom +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/t4_hw.c +@@ -6185,13 +6185,18 @@ int t4_fw_upgrade(struct adapter *adap, + if (!t4_fw_matches_chip(adap, fw_hdr)) + return -EINVAL; + ++ /* Disable FW_OK flag so that mbox commands with FW_OK flag set ++ * wont be sent when we are flashing FW. ++ */ ++ adap->flags &= ~FW_OK; ++ + ret = t4_fw_halt(adap, mbox, force); + if (ret < 0 && !force) +- return ret; ++ goto out; + + ret = t4_load_fw(adap, fw_data, size); + if (ret < 0) +- return ret; ++ goto out; + + /* + * Older versions of the firmware don't understand the new +@@ -6202,7 +6207,17 @@ int t4_fw_upgrade(struct adapter *adap, + * its header flags to see if it advertises the capability. + */ + reset = ((be32_to_cpu(fw_hdr->flags) & FW_HDR_FLAGS_RESET_HALT) == 0); +- return t4_fw_restart(adap, mbox, reset); ++ ret = t4_fw_restart(adap, mbox, reset); ++ ++ /* Grab potentially new Firmware Device Log parameters so we can see ++ * how healthy the new Firmware is. It's okay to contact the new ++ * Firmware for these parameters even though, as far as it's ++ * concerned, we've never said "HELLO" to it ... ++ */ ++ (void)t4_init_devlog_params(adap); ++out: ++ adap->flags |= FW_OK; ++ return ret; + } + + /** diff --git a/queue-4.9/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch b/queue-4.9/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch new file mode 100644 index 00000000000..0839c57e56b --- /dev/null +++ b/queue-4.9/cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arjun Vynipadath +Date: Wed, 10 Jan 2018 12:02:13 +0530 +Subject: cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages + +From: Arjun Vynipadath + + +[ Upstream commit ea0a42109aee7b92e631c4eb3f2219fadf58acdd ] + +We'd come in with SGE_FL_BUFFER_SIZE[0] and [1] both equal to 64KB and +the extant logic would flag that as an error. This was already fixed in +cxgb4 driver with "92ddcc7 cxgb4: Fix some small bugs in +t4_sge_init_soft() when our Page Size is 64KB". + +Original Work by: Casey Leedom +Signed-off-by: Arjun Vynipadath +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 23 +++++++++++++++++------ + 1 file changed, 17 insertions(+), 6 deletions(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4vf/sge.c ++++ b/drivers/net/ethernet/chelsio/cxgb4vf/sge.c +@@ -2616,8 +2616,8 @@ void t4vf_sge_stop(struct adapter *adapt + int t4vf_sge_init(struct adapter *adapter) + { + struct sge_params *sge_params = &adapter->params.sge; +- u32 fl0 = sge_params->sge_fl_buffer_size[0]; +- u32 fl1 = sge_params->sge_fl_buffer_size[1]; ++ u32 fl_small_pg = sge_params->sge_fl_buffer_size[0]; ++ u32 fl_large_pg = sge_params->sge_fl_buffer_size[1]; + struct sge *s = &adapter->sge; + + /* +@@ -2625,9 +2625,20 @@ int t4vf_sge_init(struct adapter *adapte + * the Physical Function Driver. Ideally we should be able to deal + * with _any_ configuration. Practice is different ... + */ +- if (fl0 != PAGE_SIZE || (fl1 != 0 && fl1 <= fl0)) { ++ ++ /* We only bother using the Large Page logic if the Large Page Buffer ++ * is larger than our Page Size Buffer. ++ */ ++ if (fl_large_pg <= fl_small_pg) ++ fl_large_pg = 0; ++ ++ /* The Page Size Buffer must be exactly equal to our Page Size and the ++ * Large Page Size Buffer should be 0 (per above) or a power of 2. ++ */ ++ if (fl_small_pg != PAGE_SIZE || ++ (fl_large_pg & (fl_large_pg - 1)) != 0) { + dev_err(adapter->pdev_dev, "bad SGE FL buffer sizes [%d, %d]\n", +- fl0, fl1); ++ fl_small_pg, fl_large_pg); + return -EINVAL; + } + if ((sge_params->sge_control & RXPKTCPLMODE_F) != +@@ -2639,8 +2650,8 @@ int t4vf_sge_init(struct adapter *adapte + /* + * Now translate the adapter parameters into our internal forms. + */ +- if (fl1) +- s->fl_pg_order = ilog2(fl1) - PAGE_SHIFT; ++ if (fl_large_pg) ++ s->fl_pg_order = ilog2(fl_large_pg) - PAGE_SHIFT; + s->stat_len = ((sge_params->sge_control & EGRSTATUSPAGESIZE_F) + ? 128 : 64); + s->pktshift = PKTSHIFT_G(sge_params->sge_control); diff --git a/queue-4.9/cxl-unlock-on-error-in-probe.patch b/queue-4.9/cxl-unlock-on-error-in-probe.patch new file mode 100644 index 00000000000..dca746bbc38 --- /dev/null +++ b/queue-4.9/cxl-unlock-on-error-in-probe.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Fri, 5 May 2017 08:34:58 +0300 +Subject: cxl: Unlock on error in probe + +From: Dan Carpenter + + +[ Upstream commit 58d876fa7181f2f393190c1d32c056b5a9d34aa2 ] + +We should unlock if get_cxl_adapter() fails. + +Fixes: 594ff7d067ca ("cxl: Support to flash a new image on the adapter from a guest") +Signed-off-by: Dan Carpenter +Acked-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cxl/flash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/misc/cxl/flash.c ++++ b/drivers/misc/cxl/flash.c +@@ -401,8 +401,10 @@ static int device_open(struct inode *ino + if (down_interruptible(&sem) != 0) + return -EPERM; + +- if (!(adapter = get_cxl_adapter(adapter_num))) +- return -ENODEV; ++ if (!(adapter = get_cxl_adapter(adapter_num))) { ++ rc = -ENODEV; ++ goto err_unlock; ++ } + + file->private_data = adapter; + continue_token = 0; +@@ -446,6 +448,8 @@ err1: + free_page((unsigned long) le); + err: + put_device(&adapter->dev); ++err_unlock: ++ up(&sem); + + return rc; + } diff --git a/queue-4.9/dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch b/queue-4.9/dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch new file mode 100644 index 00000000000..6312f15db01 --- /dev/null +++ b/queue-4.9/dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch @@ -0,0 +1,74 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arvind Yadav +Date: Wed, 24 May 2017 12:09:53 +0530 +Subject: dmaengine: imx-sdma: Handle return value of clk_prepare_enable + +From: Arvind Yadav + + +[ Upstream commit fb9caf370f4d0457789d13a1a1b110a8db846e5e ] + +clk_prepare_enable() can fail here and we must check its return value. + +Signed-off-by: Arvind Yadav +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma/imx-sdma.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/drivers/dma/imx-sdma.c ++++ b/drivers/dma/imx-sdma.c +@@ -1755,19 +1755,26 @@ static int sdma_probe(struct platform_de + if (IS_ERR(sdma->clk_ahb)) + return PTR_ERR(sdma->clk_ahb); + +- clk_prepare(sdma->clk_ipg); +- clk_prepare(sdma->clk_ahb); ++ ret = clk_prepare(sdma->clk_ipg); ++ if (ret) ++ return ret; ++ ++ ret = clk_prepare(sdma->clk_ahb); ++ if (ret) ++ goto err_clk; + + ret = devm_request_irq(&pdev->dev, irq, sdma_int_handler, 0, "sdma", + sdma); + if (ret) +- return ret; ++ goto err_irq; + + sdma->irq = irq; + + sdma->script_addrs = kzalloc(sizeof(*sdma->script_addrs), GFP_KERNEL); +- if (!sdma->script_addrs) +- return -ENOMEM; ++ if (!sdma->script_addrs) { ++ ret = -ENOMEM; ++ goto err_irq; ++ } + + /* initially no scripts available */ + saddr_arr = (s32 *)sdma->script_addrs; +@@ -1882,6 +1889,10 @@ err_register: + dma_async_device_unregister(&sdma->dma_device); + err_init: + kfree(sdma->script_addrs); ++err_irq: ++ clk_unprepare(sdma->clk_ahb); ++err_clk: ++ clk_unprepare(sdma->clk_ipg); + return ret; + } + +@@ -1893,6 +1904,8 @@ static int sdma_remove(struct platform_d + devm_free_irq(&pdev->dev, sdma->irq, sdma); + dma_async_device_unregister(&sdma->dma_device); + kfree(sdma->script_addrs); ++ clk_unprepare(sdma->clk_ahb); ++ clk_unprepare(sdma->clk_ipg); + /* Kill the tasklet */ + for (i = 0; i < MAX_DMA_CHANNELS; i++) { + struct sdma_channel *sdmac = &sdma->channel[i]; diff --git a/queue-4.9/drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch b/queue-4.9/drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch new file mode 100644 index 00000000000..03b70e7cb3b --- /dev/null +++ b/queue-4.9/drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Mon, 8 May 2017 15:55:14 -0700 +Subject: drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests + +From: Dan Carpenter + + +[ Upstream commit 146180c052a00172f4dc08eaade836fd02f61fb5 ] + +The "DIV_ROUND_UP(size, PAGE_SIZE)" operation can overflow if "size" is +more than ULLONG_MAX - PAGE_SIZE. + +Link: http://lkml.kernel.org/r/20170322111950.GA11279@mwanda +Signed-off-by: Dan Carpenter +Cc: Jorgen Hansen +Cc: Masahiro Yamada +Cc: Michal Hocko +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -298,8 +298,11 @@ static void *qp_alloc_queue(u64 size, u3 + size_t pas_size; + size_t vas_size; + size_t queue_size = sizeof(*queue) + sizeof(*queue->kernel_if); +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; ++ u64 num_pages; + ++ if (size > SIZE_MAX - PAGE_SIZE) ++ return NULL; ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + if (num_pages > + (SIZE_MAX - queue_size) / + (sizeof(*queue->kernel_if->u.g.pas) + +@@ -624,9 +627,12 @@ static struct vmci_queue *qp_host_alloc_ + { + struct vmci_queue *queue; + size_t queue_page_size; +- const u64 num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; ++ u64 num_pages; + const size_t queue_size = sizeof(*queue) + sizeof(*(queue->kernel_if)); + ++ if (size > SIZE_MAX - PAGE_SIZE) ++ return NULL; ++ num_pages = DIV_ROUND_UP(size, PAGE_SIZE) + 1; + if (num_pages > (SIZE_MAX - queue_size) / + sizeof(*queue->kernel_if->u.h.page)) + return NULL; diff --git a/queue-4.9/drm-amdkfd-null-dereference-involving-create_process.patch b/queue-4.9/drm-amdkfd-null-dereference-involving-create_process.patch new file mode 100644 index 00000000000..fdc5a5da4f1 --- /dev/null +++ b/queue-4.9/drm-amdkfd-null-dereference-involving-create_process.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Wed, 14 Jun 2017 13:58:53 +0300 +Subject: drm/amdkfd: NULL dereference involving create_process() + +From: Dan Carpenter + + +[ Upstream commit b312b2b25b6ac9e2eb03f4ca651b33108752de3a ] + +We accidentally return ERR_PTR(0) which is NULL. The caller is not +expecting that and it leads to an Oops. + +Fixes: dd59239a9862 ("amdkfd: init aperture once per process") +Signed-off-by: Dan Carpenter +Reviewed-by: Felix Kuehling +Signed-off-by: Oded Gabbay +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdkfd/kfd_process.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c ++++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c +@@ -317,7 +317,8 @@ static struct kfd_process *create_proces + + /* init process apertures*/ + process->is_32bit_user_mode = in_compat_syscall(); +- if (kfd_init_apertures(process) != 0) ++ err = kfd_init_apertures(process); ++ if (err != 0) + goto err_init_apretures; + + return process; diff --git a/queue-4.9/drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch b/queue-4.9/drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch new file mode 100644 index 00000000000..4cadd8ecd05 --- /dev/null +++ b/queue-4.9/drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jordan Crouse +Date: Mon, 8 May 2017 14:34:57 -0600 +Subject: drm/msm: Take the mutex before calling msm_gem_new_impl + +From: Jordan Crouse + + +[ Upstream commit 90dd57de4a043f642179b1323a31ca3ced826611 ] + +Amongst its other duties, msm_gem_new_impl adds the newly created +GEM object to the shared inactive list which may also be actively +modifiying the list during submission. All the paths to modify +the list are protected by the mutex except for the one through +msm_gem_import which can end up causing list corruption. + +Signed-off-by: Jordan Crouse +[add extra WARN_ON(!mutex_is_locked(&dev->struct_mutex))] +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -770,6 +770,8 @@ static int msm_gem_new_impl(struct drm_d + unsigned sz; + bool use_vram = false; + ++ WARN_ON(!mutex_is_locked(&dev->struct_mutex)); ++ + switch (flags & MSM_BO_CACHE_MASK) { + case MSM_BO_UNCACHED: + case MSM_BO_CACHED: +@@ -863,7 +865,11 @@ struct drm_gem_object *msm_gem_import(st + + size = PAGE_ALIGN(dmabuf->size); + ++ /* Take mutex so we can modify the inactive list in msm_gem_new_impl */ ++ mutex_lock(&dev->struct_mutex); + ret = msm_gem_new_impl(dev, size, MSM_BO_WC, dmabuf->resv, &obj); ++ mutex_unlock(&dev->struct_mutex); ++ + if (ret) + goto fail; + diff --git a/queue-4.9/drm-omap-fix-tiled-buffer-stride-calculations.patch b/queue-4.9/drm-omap-fix-tiled-buffer-stride-calculations.patch new file mode 100644 index 00000000000..b5cf2a01698 --- /dev/null +++ b/queue-4.9/drm-omap-fix-tiled-buffer-stride-calculations.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tomi Valkeinen +Date: Thu, 18 May 2017 11:51:51 +0300 +Subject: drm/omap: fix tiled buffer stride calculations + +From: Tomi Valkeinen + + +[ Upstream commit cc8dd7661ccc2d8dc88921da8e6cc7c2fcdb0341 ] + +omap_gem uses page alignment for buffer stride. The related calculations +are a bit off, though, as byte stride of 4096 gets aligned to 8192, +instead of 4096. + +This patch changes the code to use DIV_ROUND_UP(), which fixes those +calculations and makes them more readable. + +Signed-off-by: Tomi Valkeinen +Reviewed-by: Laurent Pinchart +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/omap_gem.c ++++ b/drivers/gpu/drm/omapdrm/omap_gem.c +@@ -195,7 +195,7 @@ static void evict_entry(struct drm_gem_o + size_t size = PAGE_SIZE * n; + loff_t off = mmap_offset(obj) + + (entry->obj_pgoff << PAGE_SHIFT); +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + if (m > 1) { + int i; +@@ -442,7 +442,7 @@ static int fault_2d(struct drm_gem_objec + * into account in some of the math, so figure out virtual stride + * in pages + */ +- const int m = 1 + ((omap_obj->width << fmt) / PAGE_SIZE); ++ const int m = DIV_ROUND_UP(omap_obj->width << fmt, PAGE_SIZE); + + /* We don't use vmf->pgoff since that has the fake offset: */ + pgoff = ((unsigned long)vmf->virtual_address - diff --git a/queue-4.9/drm-sun4i-ignore-the-generic-connectors-for-components.patch b/queue-4.9/drm-sun4i-ignore-the-generic-connectors-for-components.patch new file mode 100644 index 00000000000..cde5b6dfb44 --- /dev/null +++ b/queue-4.9/drm-sun4i-ignore-the-generic-connectors-for-components.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Maxime Ripard +Date: Sat, 27 May 2017 18:09:32 +0200 +Subject: drm/sun4i: Ignore the generic connectors for components + +From: Maxime Ripard + + +[ Upstream commit 49baeb074783f5bdf770dc9fac5fbb2837190583 ] + +The generic connectors such as hdmi-connector doesn't have any driver in, +so if they are added to the component list, we will be waiting forever for +a non-existing driver to probe. + +Add a list of the connectors we want to ignore when building our component +list. + +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -212,6 +212,11 @@ static const struct component_master_ops + .unbind = sun4i_drv_unbind, + }; + ++static bool sun4i_drv_node_is_connector(struct device_node *node) ++{ ++ return of_device_is_compatible(node, "hdmi-connector"); ++} ++ + static bool sun4i_drv_node_is_frontend(struct device_node *node) + { + return of_device_is_compatible(node, "allwinner,sun5i-a13-display-frontend") || +@@ -252,6 +257,13 @@ static int sun4i_drv_add_endpoints(struc + !of_device_is_available(node)) + return 0; + ++ /* ++ * The connectors will be the last nodes in our pipeline, we ++ * can just bail out. ++ */ ++ if (sun4i_drv_node_is_connector(node)) ++ return 0; ++ + if (!sun4i_drv_node_is_frontend(node)) { + /* Add current component */ + DRM_DEBUG_DRIVER("Adding component %s\n", diff --git a/queue-4.9/drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch b/queue-4.9/drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch new file mode 100644 index 00000000000..cad87df0440 --- /dev/null +++ b/queue-4.9/drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe JAILLET +Date: Fri, 12 May 2017 14:38:03 +0200 +Subject: drm/vc4: Fix resource leak in 'vc4_get_hang_state_ioctl()' in error handling path + +From: Christophe JAILLET + + +[ Upstream commit d0b1d259a4b58b21a21ea82d7174bf7ea825e9cc ] + +If one 'drm_gem_handle_create()' fails, we leak somes handles and some +memory. + +In order to fix it: + - move the 'free(bo_state)' at the end of the function so that it is also + called in the eror handling path. This has the side effect to also try + to free it if the first 'kcalloc' fails. This is harmless. + - add a new label, err_delete_handle, in order to delete already + allocated handles in error handling path + - remove the now useless 'err' label + +The way the code is now written will also delete the handles if the +'copy_to_user()' call fails. + +Signed-off-by: Christophe JAILLET +Reviewed-by: Eric Anholt +Link: http://patchwork.freedesktop.org/patch/msgid/20170512123803.1886-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vc4/vc4_gem.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/vc4/vc4_gem.c ++++ b/drivers/gpu/drm/vc4/vc4_gem.c +@@ -110,8 +110,8 @@ vc4_get_hang_state_ioctl(struct drm_devi + &handle); + + if (ret) { +- state->bo_count = i - 1; +- goto err; ++ state->bo_count = i; ++ goto err_delete_handle; + } + bo_state[i].handle = handle; + bo_state[i].paddr = vc4_bo->base.paddr; +@@ -123,13 +123,16 @@ vc4_get_hang_state_ioctl(struct drm_devi + state->bo_count * sizeof(*bo_state))) + ret = -EFAULT; + +- kfree(bo_state); ++err_delete_handle: ++ if (ret) { ++ for (i = 0; i < state->bo_count; i++) ++ drm_gem_handle_delete(file_priv, bo_state[i].handle); ++ } + + err_free: +- + vc4_free_hang_state(dev, kernel_state); ++ kfree(bo_state); + +-err: + return ret; + } + diff --git a/queue-4.9/dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch b/queue-4.9/dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch new file mode 100644 index 00000000000..7200644cd90 --- /dev/null +++ b/queue-4.9/dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Maxime Ripard +Date: Sat, 27 May 2017 18:09:34 +0200 +Subject: dt-bindings: display: sun4i: Add allwinner,tcon-channel property + +From: Maxime Ripard + + +[ Upstream commit 22662f12768f971809b478386d9cc4947d00497a ] + +The Allwinner Timings Controller has two, mutually exclusive, channels. +When the binding has been introduced, it was assumed that there would be +only a single user per channel in the system. + +While this is likely for the channel 0 which only connects to LCD displays, +it turns out that the channel 1 can be connected to multiple controllers in +the SoC (HDMI and TV encoders for example). And while the simultaneous use +of HDMI and TV outputs cannot be achieved, switching from one to the other +at runtime definitely sounds plausible. + +Add an extra property, allwinner,tcon-channel, to specify for a given +endpoint which TCON channel it is connected to, while falling back to the +previous mechanism if that property is missing. + +Acked-by: Chen-Yu Tsai +Acked-by: Rob Herring +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt | 11 ++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt ++++ b/Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt +@@ -47,10 +47,13 @@ Required properties: + Documentation/devicetree/bindings/media/video-interfaces.txt. The + first port should be the input endpoint, the second one the output + +- The output should have two endpoints. The first is the block +- connected to the TCON channel 0 (usually a panel or a bridge), the +- second the block connected to the TCON channel 1 (usually the TV +- encoder) ++ The output may have multiple endpoints. The TCON has two channels, ++ usually with the first channel being used for the panels interfaces ++ (RGB, LVDS, etc.), and the second being used for the outputs that ++ require another controller (TV Encoder, HDMI, etc.). The endpoints ++ will take an extra property, allwinner,tcon-channel, to specify the ++ channel the endpoint is associated to. If that property is not ++ present, the endpoint number will be used as the channel number. + + On SoCs other than the A33, there is one more clock required: + - 'tcon-ch1': The clock driving the TCON channel 1 diff --git a/queue-4.9/e1000e-fix-race-condition-around-skb_tstamp_tx.patch b/queue-4.9/e1000e-fix-race-condition-around-skb_tstamp_tx.patch new file mode 100644 index 00000000000..73683e0a4f0 --- /dev/null +++ b/queue-4.9/e1000e-fix-race-condition-around-skb_tstamp_tx.patch @@ -0,0 +1,72 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jacob Keller +Date: Wed, 3 May 2017 10:28:50 -0700 +Subject: e1000e: fix race condition around skb_tstamp_tx() + +From: Jacob Keller + + +[ Upstream commit 5012863b7347866764c4a4e58b62fb05346b0d06 ] + +The e1000e driver and related hardware has a limitation on Tx PTP +packets which requires we limit to timestamping a single packet at once. +We do this by verifying that we never request a new Tx timestamp while +we still have a tx_hwtstamp_skb pointer. + +Unfortunately the driver suffers from a race condition around this. The +tx_hwtstamp_skb pointer is not set to NULL until after skb_tstamp_tx() +is called. This function notifies the stack and applications of a new +timestamp. Even a well behaved application that only sends a new request +when the first one is finished might be woken up and possibly send +a packet before we can free the timestamp in the driver again. The +result is that we needlessly ignore some Tx timestamp requests in this +corner case. + +Fix this by assigning the tx_hwtstamp_skb pointer prior to calling +skb_tstamp_tx() and use a temporary pointer to hold the timestamped skb +until that function finishes. This ensures that the application is not +woken up until the driver is ready to begin timestamping a new packet. + +This ensures that well behaved applications do not accidentally race +with condition to skip Tx timestamps. Obviously an application which +sends multiple Tx timestamp requests at once will still only timestamp +one packet at a time. Unfortunately there is nothing we can do about +this. + +Reported-by: David Mirabito +Signed-off-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -1182,6 +1182,7 @@ static void e1000e_tx_hwtstamp_work(stru + struct e1000_hw *hw = &adapter->hw; + + if (er32(TSYNCTXCTL) & E1000_TSYNCTXCTL_VALID) { ++ struct sk_buff *skb = adapter->tx_hwtstamp_skb; + struct skb_shared_hwtstamps shhwtstamps; + u64 txstmp; + +@@ -1190,9 +1191,14 @@ static void e1000e_tx_hwtstamp_work(stru + + e1000e_systim_to_hwtstamp(adapter, &shhwtstamps, txstmp); + +- skb_tstamp_tx(adapter->tx_hwtstamp_skb, &shhwtstamps); +- dev_kfree_skb_any(adapter->tx_hwtstamp_skb); ++ /* Clear the global tx_hwtstamp_skb pointer and force writes ++ * prior to notifying the stack of a Tx timestamp. ++ */ + adapter->tx_hwtstamp_skb = NULL; ++ wmb(); /* force write prior to skb_tstamp_tx */ ++ ++ skb_tstamp_tx(skb, &shhwtstamps); ++ dev_kfree_skb_any(skb); + } else if (time_after(jiffies, adapter->tx_hwtstamp_start + + adapter->tx_timeout_factor * HZ)) { + dev_kfree_skb_any(adapter->tx_hwtstamp_skb); diff --git a/queue-4.9/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch b/queue-4.9/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch new file mode 100644 index 00000000000..c62f71e9ab0 --- /dev/null +++ b/queue-4.9/e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch @@ -0,0 +1,91 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Chris Wilson +Date: Wed, 31 May 2017 18:50:43 +0300 +Subject: e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails + +From: Chris Wilson + + +[ Upstream commit 833521ebc65b1c3092e5c0d8a97092f98eec595d ] + +An error during suspend (e100e_pm_suspend), + +[ 429.994338] ACPI : EC: event blocked +[ 429.994633] e1000e: EEE TX LPI TIMER: 00000011 +[ 430.955451] pci_pm_suspend(): e1000e_pm_suspend+0x0/0x30 [e1000e] returns -2 +[ 430.955454] dpm_run_callback(): pci_pm_suspend+0x0/0x140 returns -2 +[ 430.955458] PM: Device 0000:00:19.0 failed to suspend async: error -2 +[ 430.955581] PM: Some devices failed to suspend, or early wake event detected +[ 430.957709] ACPI : EC: event unblocked + +lead to complete failure: + +[ 432.585002] ------------[ cut here ]------------ +[ 432.585013] WARNING: CPU: 3 PID: 8372 at kernel/irq/manage.c:1478 __free_irq+0x9f/0x280 +[ 432.585015] Trying to free already-free IRQ 20 +[ 432.585016] Modules linked in: cdc_ncm usbnet x86_pkg_temp_thermal intel_powerclamp coretemp mii crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hwdep lpc_ich snd_hda_core snd_pcm mei_me mei sdhci_pci sdhci i915 mmc_core e1000e ptp pps_core prime_numbers +[ 432.585042] CPU: 3 PID: 8372 Comm: kworker/u16:40 Tainted: G U 4.10.0-rc8-CI-Patchwork_3870+ #1 +[ 432.585044] Hardware name: LENOVO 2356GCG/2356GCG, BIOS G7ET31WW (1.13 ) 07/02/2012 +[ 432.585050] Workqueue: events_unbound async_run_entry_fn +[ 432.585051] Call Trace: +[ 432.585058] dump_stack+0x67/0x92 +[ 432.585062] __warn+0xc6/0xe0 +[ 432.585065] warn_slowpath_fmt+0x4a/0x50 +[ 432.585070] ? _raw_spin_lock_irqsave+0x49/0x60 +[ 432.585072] __free_irq+0x9f/0x280 +[ 432.585075] free_irq+0x34/0x80 +[ 432.585089] e1000_free_irq+0x65/0x70 [e1000e] +[ 432.585098] e1000e_pm_freeze+0x7a/0xb0 [e1000e] +[ 432.585106] e1000e_pm_suspend+0x21/0x30 [e1000e] +[ 432.585113] pci_pm_suspend+0x71/0x140 +[ 432.585118] dpm_run_callback+0x6f/0x330 +[ 432.585122] ? pci_pm_freeze+0xe0/0xe0 +[ 432.585125] __device_suspend+0xea/0x330 +[ 432.585128] async_suspend+0x1a/0x90 +[ 432.585132] async_run_entry_fn+0x34/0x160 +[ 432.585137] process_one_work+0x1f4/0x6d0 +[ 432.585140] ? process_one_work+0x16e/0x6d0 +[ 432.585143] worker_thread+0x49/0x4a0 +[ 432.585145] kthread+0x107/0x140 +[ 432.585148] ? process_one_work+0x6d0/0x6d0 +[ 432.585150] ? kthread_create_on_node+0x40/0x40 +[ 432.585154] ret_from_fork+0x2e/0x40 +[ 432.585156] ---[ end trace 6712df7f8c4b9124 ]--- + +The unwind failures stems from commit 2800209994f8 ("e1000e: Refactor PM +flows"), but it may be a later patch that introduced the non-recoverable +behaviour. + +Fixes: 2800209994f8 ("e1000e: Refactor PM flows") +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99847 +Signed-off-by: Chris Wilson +Signed-off-by: Jani Nikula +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -6651,12 +6651,17 @@ static int e1000e_pm_thaw(struct device + static int e1000e_pm_suspend(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); ++ int rc; + + e1000e_flush_lpic(pdev); + + e1000e_pm_freeze(dev); + +- return __e1000_shutdown(pdev, false); ++ rc = __e1000_shutdown(pdev, false); ++ if (rc) ++ e1000e_pm_thaw(dev); ++ ++ return rc; + } + + static int e1000e_pm_resume(struct device *dev) diff --git a/queue-4.9/edac-mv64x60-fix-an-error-handling-path.patch b/queue-4.9/edac-mv64x60-fix-an-error-handling-path.patch new file mode 100644 index 00000000000..1175a53ac77 --- /dev/null +++ b/queue-4.9/edac-mv64x60-fix-an-error-handling-path.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe JAILLET +Date: Sun, 7 Jan 2018 21:54:00 +0100 +Subject: EDAC, mv64x60: Fix an error handling path + +From: Christophe JAILLET + + +[ Upstream commit 68fa24f9121c04ef146b5158f538c8b32f285be5 ] + +We should not call edac_mc_del_mc() if a corresponding call to +edac_mc_add_mc() has not been performed yet. + +So here, we should go to err instead of err2 to branch at the right +place of the error handling path. + +Signed-off-by: Christophe JAILLET +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180107205400.14068-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/mv64x60_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/mv64x60_edac.c ++++ b/drivers/edac/mv64x60_edac.c +@@ -759,7 +759,7 @@ static int mv64x60_mc_err_probe(struct p + /* Non-ECC RAM? */ + printk(KERN_WARNING "%s: No ECC DIMMs discovered\n", __func__); + res = -ENODEV; +- goto err2; ++ goto err; + } + + edac_dbg(3, "init mci\n"); diff --git a/queue-4.9/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch b/queue-4.9/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch new file mode 100644 index 00000000000..848fb5c60cc --- /dev/null +++ b/queue-4.9/ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Eryu Guan +Date: Wed, 24 May 2017 18:02:20 -0400 +Subject: ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() + +From: Eryu Guan + + +[ Upstream commit 624327f8794704c5066b11a52f9da6a09dce7f9a ] + +ext4_find_unwritten_pgoff() is used to search for offset of hole or +data in page range [index, end] (both inclusive), and the max number +of pages to search should be at least one, if end == index. +Otherwise the only page is missed and no hole or data is found, +which is not correct. + +When block size is smaller than page size, this can be demonstrated +by preallocating a file with size smaller than page size and writing +data to the last block. E.g. run this xfs_io command on a 1k block +size ext4 on x86_64 host. + + # xfs_io -fc "falloc 0 3k" -c "pwrite 2k 1k" \ + -c "seek -d 0" /mnt/ext4/testfile + wrote 1024/1024 bytes at offset 2048 + 1 KiB, 1 ops; 0.0000 sec (42.459 MiB/sec and 43478.2609 ops/sec) + Whence Result + DATA EOF + +Data at offset 2k was missed, and lseek(2) returned ENXIO. + +This is unconvered by generic/285 subtest 07 and 08 on ppc64 host, +where pagesize is 64k. Because a recent change to generic/285 +reduced the preallocated file size to smaller than 64k. + +Signed-off-by: Eryu Guan +Signed-off-by: Theodore Ts'o +Reviewed-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -429,7 +429,7 @@ static int ext4_find_unwritten_pgoff(str + int i, num; + unsigned long nr_pages; + +- num = min_t(pgoff_t, end - index, PAGEVEC_SIZE); ++ num = min_t(pgoff_t, end - index, PAGEVEC_SIZE - 1) + 1; + nr_pages = pagevec_lookup(&pvec, inode->i_mapping, index, + (pgoff_t)num); + if (nr_pages == 0) diff --git a/queue-4.9/ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch b/queue-4.9/ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch new file mode 100644 index 00000000000..36e1b3c00a6 --- /dev/null +++ b/queue-4.9/ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Konstantin Khlebnikov +Date: Sun, 21 May 2017 22:35:23 -0400 +Subject: ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors + +From: Konstantin Khlebnikov + + +[ Upstream commit 9651e6b2e20648d04d5e1fe6479a3056047e8781 ] + +I've got another report about breaking ext4 by ENOMEM error returned from +ext4_mb_load_buddy() caused by memory shortage in memory cgroup. +This time inside ext4_discard_preallocations(). + +This patch replaces ext4_error() with ext4_warning() where errors returned +from ext4_mb_load_buddy() are not fatal and handled by caller: +* ext4_mb_discard_group_preallocations() - called before generating ENOSPC, + we'll try to discard other group or return ENOSPC into user-space. +* ext4_trim_all_free() - just stop trimming and return ENOMEM from ioctl. + +Some callers cannot handle errors, thus __GFP_NOFAIL is used for them: +* ext4_discard_preallocations() +* ext4_mb_discard_lg_preallocations() + +Fixes: adb7ef600cc9 ("ext4: use __GFP_NOFAIL in ext4_free_blocks()") +Signed-off-by: Konstantin Khlebnikov +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/mballoc.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -3877,7 +3877,8 @@ ext4_mb_discard_group_preallocations(str + + err = ext4_mb_load_buddy(sb, group, &e4b); + if (err) { +- ext4_error(sb, "Error loading buddy information for %u", group); ++ ext4_warning(sb, "Error %d loading buddy information for %u", ++ err, group); + put_bh(bitmap_bh); + return 0; + } +@@ -4034,10 +4035,11 @@ repeat: + BUG_ON(pa->pa_type != MB_INODE_PA); + group = ext4_get_group_number(sb, pa->pa_pstart); + +- err = ext4_mb_load_buddy(sb, group, &e4b); ++ err = ext4_mb_load_buddy_gfp(sb, group, &e4b, ++ GFP_NOFS|__GFP_NOFAIL); + if (err) { +- ext4_error(sb, "Error loading buddy information for %u", +- group); ++ ext4_error(sb, "Error %d loading buddy information for %u", ++ err, group); + continue; + } + +@@ -4293,11 +4295,14 @@ ext4_mb_discard_lg_preallocations(struct + spin_unlock(&lg->lg_prealloc_lock); + + list_for_each_entry_safe(pa, tmp, &discard_list, u.pa_tmp_list) { ++ int err; + + group = ext4_get_group_number(sb, pa->pa_pstart); +- if (ext4_mb_load_buddy(sb, group, &e4b)) { +- ext4_error(sb, "Error loading buddy information for %u", +- group); ++ err = ext4_mb_load_buddy_gfp(sb, group, &e4b, ++ GFP_NOFS|__GFP_NOFAIL); ++ if (err) { ++ ext4_error(sb, "Error %d loading buddy information for %u", ++ err, group); + continue; + } + ext4_lock_group(sb, group); +@@ -5117,8 +5122,8 @@ ext4_trim_all_free(struct super_block *s + + ret = ext4_mb_load_buddy(sb, group, &e4b); + if (ret) { +- ext4_error(sb, "Error in loading buddy " +- "information for %u", group); ++ ext4_warning(sb, "Error %d loading buddy information for %u", ++ ret, group); + return ret; + } + bitmap = e4b.bd_bitmap; diff --git a/queue-4.9/fix-loop-device-flush-before-configure-v3.patch b/queue-4.9/fix-loop-device-flush-before-configure-v3.patch new file mode 100644 index 00000000000..14e96bdbe1f --- /dev/null +++ b/queue-4.9/fix-loop-device-flush-before-configure-v3.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: James Wang +Date: Thu, 8 Jun 2017 14:52:51 +0800 +Subject: Fix loop device flush before configure v3 + +From: James Wang + + +[ Upstream commit 6460495709aeb651896bc8e5c134b2e4ca7d34a8 ] + +While installing SLES-12 (based on v4.4), I found that the installer +will stall for 60+ seconds during LVM disk scan. The root cause was +determined to be the removal of a bound device check in loop_flush() +by commit b5dd2f6047ca ("block: loop: improve performance via blk-mq"). + +Restoring this check, examining ->lo_state as set by loop_set_fd() +eliminates the bad behavior. + +Test method: +modprobe loop max_loop=64 +dd if=/dev/zero of=disk bs=512 count=200K +for((i=0;i<4;i++))do losetup -f disk; done +mkfs.ext4 -F /dev/loop0 +for((i=0;i<4;i++))do mkdir t$i; mount /dev/loop$i t$i;done +for f in `ls /dev/loop[0-9]*|sort`; do \ + echo $f; dd if=$f of=/dev/null bs=512 count=1; \ + done + +Test output: stock patched +/dev/loop0 18.1217e-05 8.3842e-05 +/dev/loop1 6.1114e-05 0.000147979 +/dev/loop10 0.414701 0.000116564 +/dev/loop11 0.7474 6.7942e-05 +/dev/loop12 0.747986 8.9082e-05 +/dev/loop13 0.746532 7.4799e-05 +/dev/loop14 0.480041 9.3926e-05 +/dev/loop15 1.26453 7.2522e-05 + +Note that from loop10 onward, the device is not mounted, yet the +stock kernel consumes several orders of magnitude more wall time +than it does for a mounted device. +(Thanks for Mike Galbraith , give a changelog review.) + +Reviewed-by: Hannes Reinecke +Reviewed-by: Ming Lei +Signed-off-by: James Wang +Fixes: b5dd2f6047ca ("block: loop: improve performance via blk-mq") +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/block/loop.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -612,6 +612,9 @@ static int loop_switch(struct loop_devic + */ + static int loop_flush(struct loop_device *lo) + { ++ /* loop not yet configured, no running thread, nothing to flush */ ++ if (lo->lo_state != Lo_bound) ++ return 0; + return loop_switch(lo, NULL); + } + diff --git a/queue-4.9/fix-race-in-drivers-char-random.c-get_reg.patch b/queue-4.9/fix-race-in-drivers-char-random.c-get_reg.patch new file mode 100644 index 00000000000..2c455ada345 --- /dev/null +++ b/queue-4.9/fix-race-in-drivers-char-random.c-get_reg.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Michael Schmitz +Date: Sun, 30 Apr 2017 19:49:21 +1200 +Subject: fix race in drivers/char/random.c:get_reg() + +From: Michael Schmitz + + +[ Upstream commit 9dfa7bba35ac08a63565d58c454dccb7e1bb0a08 ] + +get_reg() can be reentered on architectures with prioritized interrupts +(m68k in this case), causing f->reg_index to be incremented after the +range check. Out of bounds memory access past the pt_regs struct results. +This will go mostly undetected unless access is beyond end of memory. + +Prevent the race by disabling interrupts in get_reg(). + +Tested on m68k (Atari Falcon, and ARAnyM emulator). + +Kudos to Geert Uytterhoeven for helping to trace this race. + +Signed-off-by: Michael Schmitz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/random.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1115,12 +1115,16 @@ static void add_interrupt_bench(cycles_t + static __u32 get_reg(struct fast_pool *f, struct pt_regs *regs) + { + __u32 *ptr = (__u32 *) regs; ++ unsigned long flags; + + if (regs == NULL) + return 0; ++ local_irq_save(flags); + if (f->reg_idx >= sizeof(struct pt_regs) / sizeof(__u32)) + f->reg_idx = 0; +- return *(ptr + f->reg_idx++); ++ ptr += f->reg_idx++; ++ local_irq_restore(flags); ++ return *ptr; + } + + void add_interrupt_randomness(int irq, int irq_flags) diff --git a/queue-4.9/fix-serial-console-on-sni-rm400-machines.patch b/queue-4.9/fix-serial-console-on-sni-rm400-machines.patch new file mode 100644 index 00000000000..2718b2d9ee8 --- /dev/null +++ b/queue-4.9/fix-serial-console-on-sni-rm400-machines.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Thomas Bogendoerfer +Date: Wed, 31 May 2017 22:21:03 +0200 +Subject: Fix serial console on SNI RM400 machines + +From: Thomas Bogendoerfer + + +[ Upstream commit e279e6d98e0cf2c2fe008b3c29042b92f0e17b1d ] + +sccnxp driver doesn't get the correct uart clock rate, if CONFIG_HAVE_CLOCK +is disabled. Correct usage of clk API to make it work with/without it. + +Fixes: 90efa75f7ab0 (serial: sccnxp: Using CLK API for getting UART clock) + +Suggested-by: Russell King - ARM Linux +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sccnxp.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/drivers/tty/serial/sccnxp.c ++++ b/drivers/tty/serial/sccnxp.c +@@ -884,14 +884,19 @@ static int sccnxp_probe(struct platform_ + + clk = devm_clk_get(&pdev->dev, NULL); + if (IS_ERR(clk)) { +- if (PTR_ERR(clk) == -EPROBE_DEFER) { +- ret = -EPROBE_DEFER; ++ ret = PTR_ERR(clk); ++ if (ret == -EPROBE_DEFER) + goto err_out; +- } ++ uartclk = 0; ++ } else { ++ clk_prepare_enable(clk); ++ uartclk = clk_get_rate(clk); ++ } ++ ++ if (!uartclk) { + dev_notice(&pdev->dev, "Using default clock frequency\n"); + uartclk = s->chip->freq_std; +- } else +- uartclk = clk_get_rate(clk); ++ } + + /* Check input frequency */ + if ((uartclk < s->chip->freq_min) || (uartclk > s->chip->freq_max)) { diff --git a/queue-4.9/fsl-qe-add-bit-description-for-synl-register-for-gumr.patch b/queue-4.9/fsl-qe-add-bit-description-for-synl-register-for-gumr.patch new file mode 100644 index 00000000000..047a4060ebc --- /dev/null +++ b/queue-4.9/fsl-qe-add-bit-description-for-synl-register-for-gumr.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Holger Brunck +Date: Wed, 17 May 2017 17:24:37 +0200 +Subject: fsl/qe: add bit description for SYNL register for GUMR + +From: Holger Brunck + + +[ Upstream commit c7f235a7c2d09b1b83671ba2d93ebee981554467 ] + +Add the bitmask for the two bit SYNL register according to the QUICK +Engine Reference Manual. + +Signed-off-by: Holger Brunck +Cc: Zhao Qiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/soc/fsl/qe/qe.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/include/soc/fsl/qe/qe.h ++++ b/include/soc/fsl/qe/qe.h +@@ -668,6 +668,10 @@ struct ucc_slow_pram { + #define UCC_FAST_GUMR_CTSS 0x00800000 + #define UCC_FAST_GUMR_TXSY 0x00020000 + #define UCC_FAST_GUMR_RSYN 0x00010000 ++#define UCC_FAST_GUMR_SYNL_MASK 0x0000C000 ++#define UCC_FAST_GUMR_SYNL_16 0x0000C000 ++#define UCC_FAST_GUMR_SYNL_8 0x00008000 ++#define UCC_FAST_GUMR_SYNL_AUTO 0x00004000 + #define UCC_FAST_GUMR_RTSM 0x00002000 + #define UCC_FAST_GUMR_REVD 0x00000400 + #define UCC_FAST_GUMR_ENR 0x00000020 diff --git a/queue-4.9/geneve-add-missing-rx-stats-accounting.patch b/queue-4.9/geneve-add-missing-rx-stats-accounting.patch new file mode 100644 index 00000000000..7be2483eafd --- /dev/null +++ b/queue-4.9/geneve-add-missing-rx-stats-accounting.patch @@ -0,0 +1,112 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Girish Moodalbail +Date: Thu, 8 Jun 2017 17:07:48 -0700 +Subject: geneve: add missing rx stats accounting + +From: Girish Moodalbail + + +[ Upstream commit fe741e2362f33bbea813bcc3a921de356c6653db ] + +There are few places on the receive path where packet drops and packet +errors were not accounted for. This patch fixes that issue. + +Signed-off-by: Girish Moodalbail +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/geneve.c | 36 ++++++++++++++++++++++++------------ + 1 file changed, 24 insertions(+), 12 deletions(-) + +--- a/drivers/net/geneve.c ++++ b/drivers/net/geneve.c +@@ -209,6 +209,7 @@ static void geneve_rx(struct geneve_dev + struct genevehdr *gnvh = geneve_hdr(skb); + struct metadata_dst *tun_dst = NULL; + struct pcpu_sw_netstats *stats; ++ unsigned int len; + int err = 0; + void *oiph; + +@@ -222,8 +223,10 @@ static void geneve_rx(struct geneve_dev + tun_dst = udp_tun_rx_dst(skb, geneve_get_sk_family(gs), flags, + vni_to_tunnel_id(gnvh->vni), + gnvh->opt_len * 4); +- if (!tun_dst) ++ if (!tun_dst) { ++ geneve->dev->stats.rx_dropped++; + goto drop; ++ } + /* Update tunnel dst according to Geneve options. */ + ip_tunnel_info_opts_set(&tun_dst->u.tun_info, + gnvh->options, gnvh->opt_len * 4); +@@ -231,8 +234,11 @@ static void geneve_rx(struct geneve_dev + /* Drop packets w/ critical options, + * since we don't support any... + */ +- if (gnvh->critical) ++ if (gnvh->critical) { ++ geneve->dev->stats.rx_frame_errors++; ++ geneve->dev->stats.rx_errors++; + goto drop; ++ } + } + + skb_reset_mac_header(skb); +@@ -243,8 +249,10 @@ static void geneve_rx(struct geneve_dev + skb_dst_set(skb, &tun_dst->dst); + + /* Ignore packet loops (and multicast echo) */ +- if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) ++ if (ether_addr_equal(eth_hdr(skb)->h_source, geneve->dev->dev_addr)) { ++ geneve->dev->stats.rx_errors++; + goto drop; ++ } + + oiph = skb_network_header(skb); + skb_reset_network_header(skb); +@@ -276,13 +284,15 @@ static void geneve_rx(struct geneve_dev + } + } + +- stats = this_cpu_ptr(geneve->dev->tstats); +- u64_stats_update_begin(&stats->syncp); +- stats->rx_packets++; +- stats->rx_bytes += skb->len; +- u64_stats_update_end(&stats->syncp); +- +- gro_cells_receive(&geneve->gro_cells, skb); ++ len = skb->len; ++ err = gro_cells_receive(&geneve->gro_cells, skb); ++ if (likely(err == NET_RX_SUCCESS)) { ++ stats = this_cpu_ptr(geneve->dev->tstats); ++ u64_stats_update_begin(&stats->syncp); ++ stats->rx_packets++; ++ stats->rx_bytes += len; ++ u64_stats_update_end(&stats->syncp); ++ } + return; + drop: + /* Consume bad packet */ +@@ -332,7 +342,7 @@ static int geneve_udp_encap_recv(struct + struct geneve_sock *gs; + int opts_len; + +- /* Need Geneve and inner Ethernet header to be present */ ++ /* Need UDP and Geneve header to be present */ + if (unlikely(!pskb_may_pull(skb, GENEVE_BASE_HLEN))) + goto drop; + +@@ -355,8 +365,10 @@ static int geneve_udp_encap_recv(struct + opts_len = geneveh->opt_len * 4; + if (iptunnel_pull_header(skb, GENEVE_BASE_HLEN + opts_len, + htons(ETH_P_TEB), +- !net_eq(geneve->net, dev_net(geneve->dev)))) ++ !net_eq(geneve->net, dev_net(geneve->dev)))) { ++ geneve->dev->stats.rx_dropped++; + goto drop; ++ } + + geneve_rx(geneve, gs, skb); + return 0; diff --git a/queue-4.9/gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch b/queue-4.9/gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch new file mode 100644 index 00000000000..3796a87a8e9 --- /dev/null +++ b/queue-4.9/gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch @@ -0,0 +1,176 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Sat, 13 May 2017 14:39:53 +0200 +Subject: gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs + +From: Hans de Goede + + +[ Upstream commit 9a752b4c9ab924033bfdb8784c680d50b2bd5684 ] + +The Crystal Cove PMIC has 16 real GPIOs but the ACPI code for devices +with this PMIC may address up to 95 GPIOs, these extra GPIOs are +called virtual GPIOs and are used by the ACPI code as a method of +accessing various non GPIO bits of PMIC. + +Commit dcdc3018d635 ("gpio: crystalcove: support virtual GPIO") added +dummy support for these to avoid a bunch of ACPI errors, but instead of +ignoring writes / reads to them by doing: + +if (gpio >= CRYSTALCOVE_GPIO_NUM) + return 0; + +It accidentally introduced the following wrong check: + +if (gpio > CRYSTALCOVE_VGPIO_NUM) + return 0; + +Which means that attempts by the ACPI code to access these gpios +causes some arbitrary gpio to get touched through for example +GPIO1P0CTLO + gpionr % 8. + +Since we do support input/output (but not interrupts) on the 0x5e +virtual GPIO, this commit makes to_reg return -ENOTSUPP for unsupported +virtual GPIOs so as to not have to check for (gpio >= CRYSTALCOVE_GPIO_NUM +&& gpio != 0x5e) everywhere and to make it easier to add support for more +virtual GPIOs in the future. + +It then adds a check for to_reg returning an error to all callers where +this may happen fixing the ACPI code accessing virtual GPIOs accidentally +causing changes to real GPIOs. + +Fixes: dcdc3018d635 ("gpio: crystalcove: support virtual GPIO") +Cc: Aaron Lu +Signed-off-by: Hans de Goede +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-crystalcove.c | 54 ++++++++++++++++++++++++++-------------- + 1 file changed, 36 insertions(+), 18 deletions(-) + +--- a/drivers/gpio/gpio-crystalcove.c ++++ b/drivers/gpio/gpio-crystalcove.c +@@ -90,8 +90,18 @@ static inline int to_reg(int gpio, enum + { + int reg; + +- if (gpio == 94) +- return GPIOPANELCTL; ++ if (gpio >= CRYSTALCOVE_GPIO_NUM) { ++ /* ++ * Virtual GPIO called from ACPI, for now we only support ++ * the panel ctl. ++ */ ++ switch (gpio) { ++ case 0x5e: ++ return GPIOPANELCTL; ++ default: ++ return -EOPNOTSUPP; ++ } ++ } + + if (reg_type == CTRL_IN) { + if (gpio < 8) +@@ -130,36 +140,36 @@ static void crystalcove_update_irq_ctrl( + static int crystalcove_gpio_dir_in(struct gpio_chip *chip, unsigned gpio) + { + struct crystalcove_gpio *cg = gpiochip_get_data(chip); ++ int reg = to_reg(gpio, CTRL_OUT); + +- if (gpio > CRYSTALCOVE_VGPIO_NUM) ++ if (reg < 0) + return 0; + +- return regmap_write(cg->regmap, to_reg(gpio, CTRL_OUT), +- CTLO_INPUT_SET); ++ return regmap_write(cg->regmap, reg, CTLO_INPUT_SET); + } + + static int crystalcove_gpio_dir_out(struct gpio_chip *chip, unsigned gpio, + int value) + { + struct crystalcove_gpio *cg = gpiochip_get_data(chip); ++ int reg = to_reg(gpio, CTRL_OUT); + +- if (gpio > CRYSTALCOVE_VGPIO_NUM) ++ if (reg < 0) + return 0; + +- return regmap_write(cg->regmap, to_reg(gpio, CTRL_OUT), +- CTLO_OUTPUT_SET | value); ++ return regmap_write(cg->regmap, reg, CTLO_OUTPUT_SET | value); + } + + static int crystalcove_gpio_get(struct gpio_chip *chip, unsigned gpio) + { + struct crystalcove_gpio *cg = gpiochip_get_data(chip); +- int ret; + unsigned int val; ++ int ret, reg = to_reg(gpio, CTRL_IN); + +- if (gpio > CRYSTALCOVE_VGPIO_NUM) ++ if (reg < 0) + return 0; + +- ret = regmap_read(cg->regmap, to_reg(gpio, CTRL_IN), &val); ++ ret = regmap_read(cg->regmap, reg, &val); + if (ret) + return ret; + +@@ -170,14 +180,15 @@ static void crystalcove_gpio_set(struct + unsigned gpio, int value) + { + struct crystalcove_gpio *cg = gpiochip_get_data(chip); ++ int reg = to_reg(gpio, CTRL_OUT); + +- if (gpio > CRYSTALCOVE_VGPIO_NUM) ++ if (reg < 0) + return; + + if (value) +- regmap_update_bits(cg->regmap, to_reg(gpio, CTRL_OUT), 1, 1); ++ regmap_update_bits(cg->regmap, reg, 1, 1); + else +- regmap_update_bits(cg->regmap, to_reg(gpio, CTRL_OUT), 1, 0); ++ regmap_update_bits(cg->regmap, reg, 1, 0); + } + + static int crystalcove_irq_type(struct irq_data *data, unsigned type) +@@ -185,6 +196,9 @@ static int crystalcove_irq_type(struct i + struct crystalcove_gpio *cg = + gpiochip_get_data(irq_data_get_irq_chip_data(data)); + ++ if (data->hwirq >= CRYSTALCOVE_GPIO_NUM) ++ return 0; ++ + switch (type) { + case IRQ_TYPE_NONE: + cg->intcnt_value = CTLI_INTCNT_DIS; +@@ -235,8 +249,10 @@ static void crystalcove_irq_unmask(struc + struct crystalcove_gpio *cg = + gpiochip_get_data(irq_data_get_irq_chip_data(data)); + +- cg->set_irq_mask = false; +- cg->update |= UPDATE_IRQ_MASK; ++ if (data->hwirq < CRYSTALCOVE_GPIO_NUM) { ++ cg->set_irq_mask = false; ++ cg->update |= UPDATE_IRQ_MASK; ++ } + } + + static void crystalcove_irq_mask(struct irq_data *data) +@@ -244,8 +260,10 @@ static void crystalcove_irq_mask(struct + struct crystalcove_gpio *cg = + gpiochip_get_data(irq_data_get_irq_chip_data(data)); + +- cg->set_irq_mask = true; +- cg->update |= UPDATE_IRQ_MASK; ++ if (data->hwirq < CRYSTALCOVE_GPIO_NUM) { ++ cg->set_irq_mask = true; ++ cg->update |= UPDATE_IRQ_MASK; ++ } + } + + static struct irq_chip crystalcove_irqchip = { diff --git a/queue-4.9/gpio-label-descriptors-using-the-device-name.patch b/queue-4.9/gpio-label-descriptors-using-the-device-name.patch new file mode 100644 index 00000000000..0832122f868 --- /dev/null +++ b/queue-4.9/gpio-label-descriptors-using-the-device-name.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Linus Walleij +Date: Thu, 4 Jan 2018 22:31:11 +0100 +Subject: gpio: label descriptors using the device name + +From: Linus Walleij + + +[ Upstream commit 24e78079bf2250874e33da2e7cfbb6db72d3caf4 ] + +Some GPIO lines appear named "?" in the lsgpio dump due to their +requesting drivers not passing a reasonable label. + +Most typically this happens if a device tree node just defines +gpios = <...> and not foo-gpios = <...>, the former gets named +"foo" and the latter gets named "?". + +However the struct device passed in is always valid so let's +just label the GPIO with dev_name() on the device if no proper +label was passed. + +Cc: Reported-by: Jason Kridner +Reported-by: Jason Kridner +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpiolib.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpio/gpiolib.c ++++ b/drivers/gpio/gpiolib.c +@@ -3231,7 +3231,8 @@ struct gpio_desc *__must_check gpiod_get + return desc; + } + +- status = gpiod_request(desc, con_id); ++ /* If a connection label was passed use that, else use the device name as label */ ++ status = gpiod_request(desc, con_id ? con_id : dev_name(dev)); + if (status < 0) + return ERR_PTR(status); + diff --git a/queue-4.9/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch b/queue-4.9/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch new file mode 100644 index 00000000000..87b871b7082 --- /dev/null +++ b/queue-4.9/hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Firo Yang +Date: Fri, 26 May 2017 22:37:38 +0800 +Subject: hdlcdrv: Fix divide by zero in hdlcdrv_ioctl + +From: Firo Yang + + +[ Upstream commit fb3ce90b7d7761b6f7f28f0ff5c456ef6b5229a1 ] + +syszkaller fuzzer triggered a divide by zero, when set calibration +through ioctl(). + +To fix it, test 'bitrate' if it is negative or 0, just return -EINVAL. + +Reported-by: Andrey Konovalov +Signed-off-by: Firo Yang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/hamradio/hdlcdrv.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/hamradio/hdlcdrv.c ++++ b/drivers/net/hamradio/hdlcdrv.c +@@ -576,6 +576,8 @@ static int hdlcdrv_ioctl(struct net_devi + case HDLCDRVCTL_CALIBRATE: + if(!capable(CAP_SYS_RAWIO)) + return -EPERM; ++ if (s->par.bitrate <= 0) ++ return -EINVAL; + if (bi.data.calibrate > INT_MAX / s->par.bitrate) + return -EINVAL; + s->hdlctx.calibrate = bi.data.calibrate * s->par.bitrate / 16; diff --git a/queue-4.9/hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch b/queue-4.9/hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch new file mode 100644 index 00000000000..7b82d2a7456 --- /dev/null +++ b/queue-4.9/hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Tue, 9 May 2017 10:04:36 +0200 +Subject: HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices + +From: Hans de Goede + + +[ Upstream commit f3d3eab667de62572376abb1aa26316191c39929 ] + +For ACPI devices which do not have a _PSC method, the ACPI subsys cannot +query their initial state at boot, so these devices are assumed to have +been put in D0 by the BIOS, but for touchscreens that is not always true. + +This commit adds a call to acpi_device_fix_up_power to explicitly put +devices without a _PSC method into D0 state (for devices with a _PSC +method it is a nop). Note we only need to do this on probe, after a +resume the ACPI subsys knows the device is in D3 and will properly +put it in D0. + +This fixes the SIS0817 i2c-hid touchscreen on a Peaq C1010 2-in-1 +device failing to probe with a "hid_descr_cmd failed" error. + +Acked-by: Benjamin Tissoires +Signed-off-by: Hans de Goede +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -968,6 +968,15 @@ static int i2c_hid_acpi_pdata(struct i2c + return ret < 0 && ret != -ENXIO ? ret : 0; + } + ++static void i2c_hid_acpi_fix_up_power(struct device *dev) ++{ ++ acpi_handle handle = ACPI_HANDLE(dev); ++ struct acpi_device *adev; ++ ++ if (handle && acpi_bus_get_device(handle, &adev) == 0) ++ acpi_device_fix_up_power(adev); ++} ++ + static const struct acpi_device_id i2c_hid_acpi_match[] = { + {"ACPI0C50", 0 }, + {"PNP0C50", 0 }, +@@ -980,6 +989,8 @@ static inline int i2c_hid_acpi_pdata(str + { + return -ENODEV; + } ++ ++static inline void i2c_hid_acpi_fix_up_power(struct device *dev) {} + #endif + + #ifdef CONFIG_OF +@@ -1082,6 +1093,8 @@ static int i2c_hid_probe(struct i2c_clie + if (ret < 0) + goto err; + ++ i2c_hid_acpi_fix_up_power(&client->dev); ++ + pm_runtime_get_noresume(&client->dev); + pm_runtime_set_active(&client->dev); + pm_runtime_enable(&client->dev); diff --git a/queue-4.9/hsr-fix-incorrect-warning.patch b/queue-4.9/hsr-fix-incorrect-warning.patch new file mode 100644 index 00000000000..93ceeb9e61e --- /dev/null +++ b/queue-4.9/hsr-fix-incorrect-warning.patch @@ -0,0 +1,94 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Karicheri, Muralidharan" +Date: Mon, 12 Jun 2017 15:06:26 -0400 +Subject: hsr: fix incorrect warning + +From: "Karicheri, Muralidharan" + + +[ Upstream commit 675c8da049fd6556eb2d6cdd745fe812752f07a8 ] + +When HSR interface is setup using ip link command, an annoying warning +appears with the trace as below:- + +[ 203.019828] hsr_get_node: Non-HSR frame +[ 203.019833] Modules linked in: +[ 203.019848] CPU: 0 PID: 158 Comm: sd-resolve Tainted: G W 4.12.0-rc3-00052-g9fa6bf70 #2 +[ 203.019853] Hardware name: Generic DRA74X (Flattened Device Tree) +[ 203.019869] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[ 203.019880] [] (show_stack) from [] (dump_stack+0xac/0xe0) +[ 203.019894] [] (dump_stack) from [] (__warn+0xd8/0x104) +[ 203.019907] [] (__warn) from [] (warn_slowpath_fmt+0x34/0x44) +root@am57xx-evm:~# [ 203.019921] [] (warn_slowpath_fmt) from [] (hsr_get_node+0x148/0x170) +[ 203.019932] [] (hsr_get_node) from [] (hsr_forward_skb+0x110/0x7c0) +[ 203.019942] [] (hsr_forward_skb) from [] (hsr_dev_xmit+0x2c/0x34) +[ 203.019954] [] (hsr_dev_xmit) from [] (dev_hard_start_xmit+0xc4/0x3bc) +[ 203.019963] [] (dev_hard_start_xmit) from [] (__dev_queue_xmit+0x7c4/0x98c) +[ 203.019974] [] (__dev_queue_xmit) from [] (ip6_finish_output2+0x330/0xc1c) +[ 203.019983] [] (ip6_finish_output2) from [] (ip6_output+0x58/0x454) +[ 203.019994] [] (ip6_output) from [] (mld_sendpack+0x420/0x744) + +As this is an expected path to hsr_get_node() with frame coming from +the master interface, add a check to ensure packet is not from the +master port and then warn. + +Signed-off-by: Murali Karicheri +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/hsr/hsr_forward.c | 3 +-- + net/hsr/hsr_framereg.c | 9 +++++++-- + net/hsr/hsr_framereg.h | 2 +- + 3 files changed, 9 insertions(+), 5 deletions(-) + +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -324,8 +324,7 @@ static int hsr_fill_frame_info(struct hs + unsigned long irqflags; + + frame->is_supervision = is_supervision_frame(port->hsr, skb); +- frame->node_src = hsr_get_node(&port->hsr->node_db, skb, +- frame->is_supervision); ++ frame->node_src = hsr_get_node(port, skb, frame->is_supervision); + if (frame->node_src == NULL) + return -1; /* Unknown node and !is_supervision, or no mem */ + +--- a/net/hsr/hsr_framereg.c ++++ b/net/hsr/hsr_framereg.c +@@ -158,9 +158,10 @@ struct hsr_node *hsr_add_node(struct lis + + /* Get the hsr_node from which 'skb' was sent. + */ +-struct hsr_node *hsr_get_node(struct list_head *node_db, struct sk_buff *skb, ++struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, + bool is_sup) + { ++ struct list_head *node_db = &port->hsr->node_db; + struct hsr_node *node; + struct ethhdr *ethhdr; + u16 seq_out; +@@ -186,7 +187,11 @@ struct hsr_node *hsr_get_node(struct lis + */ + seq_out = hsr_get_skb_sequence_nr(skb) - 1; + } else { +- WARN_ONCE(1, "%s: Non-HSR frame\n", __func__); ++ /* this is called also for frames from master port and ++ * so warn only for non master ports ++ */ ++ if (port->type != HSR_PT_MASTER) ++ WARN_ONCE(1, "%s: Non-HSR frame\n", __func__); + seq_out = HSR_SEQNR_START; + } + +--- a/net/hsr/hsr_framereg.h ++++ b/net/hsr/hsr_framereg.h +@@ -18,7 +18,7 @@ struct hsr_node; + + struct hsr_node *hsr_add_node(struct list_head *node_db, unsigned char addr[], + u16 seq_out); +-struct hsr_node *hsr_get_node(struct list_head *node_db, struct sk_buff *skb, ++struct hsr_node *hsr_get_node(struct hsr_port *port, struct sk_buff *skb, + bool is_sup); + void hsr_handle_sup_frame(struct sk_buff *skb, struct hsr_node *node_curr, + struct hsr_port *port); diff --git a/queue-4.9/hwmon-ina2xx-make-calibration-register-value-fixed.patch b/queue-4.9/hwmon-ina2xx-make-calibration-register-value-fixed.patch new file mode 100644 index 00000000000..923a6cec9b6 --- /dev/null +++ b/queue-4.9/hwmon-ina2xx-make-calibration-register-value-fixed.patch @@ -0,0 +1,214 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Maciej Purski +Date: Wed, 22 Nov 2017 16:32:15 +0100 +Subject: hwmon: (ina2xx) Make calibration register value fixed + +From: Maciej Purski + + +[ Upstream commit 5d389b125186cf254ad5b8015763ac07c151aea4 ] + +Calibration register is used for calculating current register in +hardware according to datasheet: +current = shunt_volt * calib_register / 2048 (ina 226) +current = shunt_volt * calib_register / 4096 (ina 219) + +Fix calib_register value to 2048 for ina226 and 4096 for ina 219 in +order to avoid truncation error and provide best precision allowed +by shunt_voltage measurement. Make current scale value follow changes +of shunt_resistor from sysfs as calib_register value is now fixed. + +Power_lsb value should also follow shunt_resistor changes as stated in +datasheet: +power_lsb = 25 * current_lsb (ina 226) +power_lsb = 20 * current_lsb (ina 219) + +Signed-off-by: Maciej Purski +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/ina2xx.c | 87 ++++++++++++++++++++++++++++--------------------- + 1 file changed, 50 insertions(+), 37 deletions(-) + +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -94,18 +94,20 @@ enum ina2xx_ids { ina219, ina226 }; + + struct ina2xx_config { + u16 config_default; +- int calibration_factor; ++ int calibration_value; + int registers; + int shunt_div; + int bus_voltage_shift; + int bus_voltage_lsb; /* uV */ +- int power_lsb; /* uW */ ++ int power_lsb_factor; + }; + + struct ina2xx_data { + const struct ina2xx_config *config; + + long rshunt; ++ long current_lsb_uA; ++ long power_lsb_uW; + struct mutex config_lock; + struct regmap *regmap; + +@@ -115,21 +117,21 @@ struct ina2xx_data { + static const struct ina2xx_config ina2xx_config[] = { + [ina219] = { + .config_default = INA219_CONFIG_DEFAULT, +- .calibration_factor = 40960000, ++ .calibration_value = 4096, + .registers = INA219_REGISTERS, + .shunt_div = 100, + .bus_voltage_shift = 3, + .bus_voltage_lsb = 4000, +- .power_lsb = 20000, ++ .power_lsb_factor = 20, + }, + [ina226] = { + .config_default = INA226_CONFIG_DEFAULT, +- .calibration_factor = 5120000, ++ .calibration_value = 2048, + .registers = INA226_REGISTERS, + .shunt_div = 400, + .bus_voltage_shift = 0, + .bus_voltage_lsb = 1250, +- .power_lsb = 25000, ++ .power_lsb_factor = 25, + }, + }; + +@@ -168,12 +170,16 @@ static u16 ina226_interval_to_reg(int in + return INA226_SHIFT_AVG(avg_bits); + } + ++/* ++ * Calibration register is set to the best value, which eliminates ++ * truncation errors on calculating current register in hardware. ++ * According to datasheet (eq. 3) the best values are 2048 for ++ * ina226 and 4096 for ina219. They are hardcoded as calibration_value. ++ */ + static int ina2xx_calibrate(struct ina2xx_data *data) + { +- u16 val = DIV_ROUND_CLOSEST(data->config->calibration_factor, +- data->rshunt); +- +- return regmap_write(data->regmap, INA2XX_CALIBRATION, val); ++ return regmap_write(data->regmap, INA2XX_CALIBRATION, ++ data->config->calibration_value); + } + + /* +@@ -186,10 +192,6 @@ static int ina2xx_init(struct ina2xx_dat + if (ret < 0) + return ret; + +- /* +- * Set current LSB to 1mA, shunt is in uOhms +- * (equation 13 in datasheet). +- */ + return ina2xx_calibrate(data); + } + +@@ -267,15 +269,15 @@ static int ina2xx_get_value(struct ina2x + val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_POWER: +- val = regval * data->config->power_lsb; ++ val = regval * data->power_lsb_uW; + break; + case INA2XX_CURRENT: +- /* signed register, LSB=1mA (selected), in mA */ +- val = (s16)regval; ++ /* signed register, result in mA */ ++ val = regval * data->current_lsb_uA; ++ val = DIV_ROUND_CLOSEST(val, 1000); + break; + case INA2XX_CALIBRATION: +- val = DIV_ROUND_CLOSEST(data->config->calibration_factor, +- regval); ++ val = regval; + break; + default: + /* programmer goofed */ +@@ -303,9 +305,32 @@ static ssize_t ina2xx_show_value(struct + ina2xx_get_value(data, attr->index, regval)); + } + +-static ssize_t ina2xx_set_shunt(struct device *dev, +- struct device_attribute *da, +- const char *buf, size_t count) ++/* ++ * In order to keep calibration register value fixed, the product ++ * of current_lsb and shunt_resistor should also be fixed and equal ++ * to shunt_voltage_lsb = 1 / shunt_div multiplied by 10^9 in order ++ * to keep the scale. ++ */ ++static int ina2xx_set_shunt(struct ina2xx_data *data, long val) ++{ ++ unsigned int dividend = DIV_ROUND_CLOSEST(1000000000, ++ data->config->shunt_div); ++ if (val <= 0 || val > dividend) ++ return -EINVAL; ++ ++ mutex_lock(&data->config_lock); ++ data->rshunt = val; ++ data->current_lsb_uA = DIV_ROUND_CLOSEST(dividend, val); ++ data->power_lsb_uW = data->config->power_lsb_factor * ++ data->current_lsb_uA; ++ mutex_unlock(&data->config_lock); ++ ++ return 0; ++} ++ ++static ssize_t ina2xx_store_shunt(struct device *dev, ++ struct device_attribute *da, ++ const char *buf, size_t count) + { + unsigned long val; + int status; +@@ -315,18 +340,9 @@ static ssize_t ina2xx_set_shunt(struct d + if (status < 0) + return status; + +- if (val == 0 || +- /* Values greater than the calibration factor make no sense. */ +- val > data->config->calibration_factor) +- return -EINVAL; +- +- mutex_lock(&data->config_lock); +- data->rshunt = val; +- status = ina2xx_calibrate(data); +- mutex_unlock(&data->config_lock); ++ status = ina2xx_set_shunt(data, val); + if (status < 0) + return status; +- + return count; + } + +@@ -386,7 +402,7 @@ static SENSOR_DEVICE_ATTR(power1_input, + + /* shunt resistance */ + static SENSOR_DEVICE_ATTR(shunt_resistor, S_IRUGO | S_IWUSR, +- ina2xx_show_value, ina2xx_set_shunt, ++ ina2xx_show_value, ina2xx_store_shunt, + INA2XX_CALIBRATION); + + /* update interval (ina226 only) */ +@@ -441,10 +457,7 @@ static int ina2xx_probe(struct i2c_clien + val = INA2XX_RSHUNT_DEFAULT; + } + +- if (val <= 0 || val > data->config->calibration_factor) +- return -ENODEV; +- +- data->rshunt = val; ++ ina2xx_set_shunt(data, val); + + ina2xx_regmap_config.max_register = data->config->registers; + diff --git a/queue-4.9/i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch b/queue-4.9/i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch new file mode 100644 index 00000000000..3561437b0cc --- /dev/null +++ b/queue-4.9/i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Peter Rosin +Date: Sun, 7 May 2017 07:16:30 +0200 +Subject: i2c: mux: reg: put away the parent i2c adapter on probe failure + +From: Peter Rosin + + +[ Upstream commit 68118e0e73aa3a6291c8b9eb1ee708e05f110cea ] + +It is only prudent to let go of resources that are not used. + +Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg") +Signed-off-by: Peter Rosin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/muxes/i2c-mux-reg.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/i2c/muxes/i2c-mux-reg.c ++++ b/drivers/i2c/muxes/i2c-mux-reg.c +@@ -196,20 +196,25 @@ static int i2c_mux_reg_probe(struct plat + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + mux->data.reg_size = resource_size(res); + mux->data.reg = devm_ioremap_resource(&pdev->dev, res); +- if (IS_ERR(mux->data.reg)) +- return PTR_ERR(mux->data.reg); ++ if (IS_ERR(mux->data.reg)) { ++ ret = PTR_ERR(mux->data.reg); ++ goto err_put_parent; ++ } + } + + if (mux->data.reg_size != 4 && mux->data.reg_size != 2 && + mux->data.reg_size != 1) { + dev_err(&pdev->dev, "Invalid register size\n"); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_put_parent; + } + + muxc = i2c_mux_alloc(parent, &pdev->dev, mux->data.n_values, 0, 0, + i2c_mux_reg_select, NULL); +- if (!muxc) +- return -ENOMEM; ++ if (!muxc) { ++ ret = -ENOMEM; ++ goto err_put_parent; ++ } + muxc->priv = mux; + + platform_set_drvdata(pdev, muxc); +@@ -235,6 +240,8 @@ static int i2c_mux_reg_probe(struct plat + + add_adapter_failed: + i2c_mux_del_adapters(muxc); ++err_put_parent: ++ i2c_put_adapter(parent); + + return ret; + } diff --git a/queue-4.9/i40evf-fix-merge-error-in-older-patch.patch b/queue-4.9/i40evf-fix-merge-error-in-older-patch.patch new file mode 100644 index 00000000000..6b21151e233 --- /dev/null +++ b/queue-4.9/i40evf-fix-merge-error-in-older-patch.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jesse Brandeburg +Date: Fri, 28 Apr 2017 16:53:16 -0700 +Subject: i40evf: fix merge error in older patch + +From: Jesse Brandeburg + + +[ Upstream commit 155b0f690051345deefc653774b739c786067d61 ] + +This patch fixes a missing line that was missed while merging, +which results in a driver feature in the VF not working to +enable RSS as a negotiated feature. + +Fixes: 43a3d9ba34c9c ("i40evf: Allow PF driver to configure RSS") +Signed-off-by: Jesse Brandeburg +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c ++++ b/drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c +@@ -154,6 +154,7 @@ int i40evf_send_vf_config_msg(struct i40 + adapter->current_op = I40E_VIRTCHNL_OP_GET_VF_RESOURCES; + adapter->aq_required &= ~I40EVF_FLAG_AQ_GET_CONFIG; + caps = I40E_VIRTCHNL_VF_OFFLOAD_L2 | ++ I40E_VIRTCHNL_VF_OFFLOAD_RSS_PF | + I40E_VIRTCHNL_VF_OFFLOAD_RSS_AQ | + I40E_VIRTCHNL_VF_OFFLOAD_RSS_REG | + I40E_VIRTCHNL_VF_OFFLOAD_VLAN | diff --git a/queue-4.9/i40iw-correct-q1-xf-object-count-equation.patch b/queue-4.9/i40iw-correct-q1-xf-object-count-equation.patch new file mode 100644 index 00000000000..dd0003224c7 --- /dev/null +++ b/queue-4.9/i40iw-correct-q1-xf-object-count-equation.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Shiraz Saleem +Date: Fri, 22 Dec 2017 09:46:56 -0600 +Subject: i40iw: Correct Q1/XF object count equation + +From: Shiraz Saleem + + +[ Upstream commit fe99afd1febd74e0ef1fed7e3283f09effe1f4f0 ] + +Lower Inbound RDMA Read Queue (Q1) object count by a factor of 2 +as it is incorrectly doubled. Also, round up Q1 and Transmit FIFO (XF) +object count to power of 2 to satisfy hardware requirement. + +Fixes: 86dbcd0f12e9 ("i40iw: add file to handle cqp calls") +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_ctrl.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_ctrl.c +@@ -3644,8 +3644,10 @@ enum i40iw_status_code i40iw_config_fpm_ + hmc_info->hmc_obj[I40IW_HMC_IW_APBVT_ENTRY].cnt = 1; + hmc_info->hmc_obj[I40IW_HMC_IW_MR].cnt = mrwanted; + +- hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt = I40IW_MAX_WQ_ENTRIES * qpwanted; +- hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt = 4 * I40IW_MAX_IRD_SIZE * qpwanted; ++ hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt = ++ roundup_pow_of_two(I40IW_MAX_WQ_ENTRIES * qpwanted); ++ hmc_info->hmc_obj[I40IW_HMC_IW_Q1].cnt = ++ roundup_pow_of_two(2 * I40IW_MAX_IRD_SIZE * qpwanted); + hmc_info->hmc_obj[I40IW_HMC_IW_XFFL].cnt = + hmc_info->hmc_obj[I40IW_HMC_IW_XF].cnt / hmc_fpm_misc->xf_block_size; + hmc_info->hmc_obj[I40IW_HMC_IW_Q1FL].cnt = diff --git a/queue-4.9/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch b/queue-4.9/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch new file mode 100644 index 00000000000..df5a9b1dfcf --- /dev/null +++ b/queue-4.9/i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Shiraz Saleem +Date: Fri, 22 Dec 2017 09:46:59 -0600 +Subject: i40iw: Fix sequence number for the first partial FPDU + +From: Shiraz Saleem + + +[ Upstream commit df8b13a1b23356d01dfc4647a5629cdb0f4ce566 ] + +Partial FPDU processing is broken as the sequence number +for the first partial FPDU is wrong due to incorrect +Q2 buffer offset. The offset should be 64 rather than 16. + +Fixes: 786c6adb3a94 ("i40iw: add puda code") +Signed-off-by: Shiraz Saleem +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_d.h | 1 + + drivers/infiniband/hw/i40iw/i40iw_puda.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/i40iw/i40iw_d.h ++++ b/drivers/infiniband/hw/i40iw/i40iw_d.h +@@ -86,6 +86,7 @@ + #define RDMA_OPCODE_MASK 0x0f + #define RDMA_READ_REQ_OPCODE 1 + #define Q2_BAD_FRAME_OFFSET 72 ++#define Q2_FPSN_OFFSET 64 + #define CQE_MAJOR_DRV 0x8000 + + #define I40IW_TERM_SENT 0x01 +--- a/drivers/infiniband/hw/i40iw/i40iw_puda.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_puda.c +@@ -1320,7 +1320,7 @@ static void i40iw_ieq_handle_exception(s + u32 *hw_host_ctx = (u32 *)qp->hw_host_ctx; + u32 rcv_wnd = hw_host_ctx[23]; + /* first partial seq # in q2 */ +- u32 fps = qp->q2_buf[16]; ++ u32 fps = *(u32 *)(qp->q2_buf + Q2_FPSN_OFFSET); + struct list_head *rxlist = &pfpdu->rxlist; + struct list_head *plist; + diff --git a/queue-4.9/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch b/queue-4.9/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch new file mode 100644 index 00000000000..9480e8b4a91 --- /dev/null +++ b/queue-4.9/ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch @@ -0,0 +1,61 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Mike Marciniszyn +Date: Mon, 18 Dec 2017 19:57:06 -0800 +Subject: IB/rdmavt: Allocate CQ memory on the correct node + +From: Mike Marciniszyn + + +[ Upstream commit db9a2c6f9b6196b889b98e961cb9a37617b11ccf ] + +CQ allocation does not ensure that completion queue entries +and the completion queue structure are allocated on the correct +numa node. + +Fix by allocating the rvt_cq and kernel CQ entries on the device node, +leaving the user CQ entries on the default local node. Also ensure +CQ resizes use the correct allocator when extending a CQ. + +Reviewed-by: Sebastian Sanchez +Signed-off-by: Mike Marciniszyn +Signed-off-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/sw/rdmavt/cq.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/infiniband/sw/rdmavt/cq.c ++++ b/drivers/infiniband/sw/rdmavt/cq.c +@@ -197,7 +197,7 @@ struct ib_cq *rvt_create_cq(struct ib_de + return ERR_PTR(-EINVAL); + + /* Allocate the completion queue structure. */ +- cq = kzalloc(sizeof(*cq), GFP_KERNEL); ++ cq = kzalloc_node(sizeof(*cq), GFP_KERNEL, rdi->dparms.node); + if (!cq) + return ERR_PTR(-ENOMEM); + +@@ -213,7 +213,9 @@ struct ib_cq *rvt_create_cq(struct ib_de + sz += sizeof(struct ib_uverbs_wc) * (entries + 1); + else + sz += sizeof(struct ib_wc) * (entries + 1); +- wc = vmalloc_user(sz); ++ wc = udata ? ++ vmalloc_user(sz) : ++ vzalloc_node(sz, rdi->dparms.node); + if (!wc) { + ret = ERR_PTR(-ENOMEM); + goto bail_cq; +@@ -368,7 +370,9 @@ int rvt_resize_cq(struct ib_cq *ibcq, in + sz += sizeof(struct ib_uverbs_wc) * (cqe + 1); + else + sz += sizeof(struct ib_wc) * (cqe + 1); +- wc = vmalloc_user(sz); ++ wc = udata ? ++ vmalloc_user(sz) : ++ vzalloc_node(sz, rdi->dparms.node); + if (!wc) + return -ENOMEM; + diff --git a/queue-4.9/ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch b/queue-4.9/ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch new file mode 100644 index 00000000000..b406669178a --- /dev/null +++ b/queue-4.9/ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Bart Van Assche +Date: Thu, 4 May 2017 15:50:54 -0700 +Subject: IB/srpt: Avoid that aborting a command triggers a kernel warning + +From: Bart Van Assche + + +[ Upstream commit bd2c52d733f126ff75f99c537a27655b2db07e28 ] + +Avoid that the following warning is triggered: + +WARNING: CPU: 10 PID: 166 at ../drivers/infiniband/ulp/srpt/ib_srpt.c:2674 srpt_release_cmd+0x139/0x140 [ib_srpt] +CPU: 10 PID: 166 Comm: kworker/u24:8 Not tainted 4.9.4-1-default #1 +Workqueue: tmr-fileio target_tmr_work [target_core_mod] +Call Trace: + [] dump_stack+0x63/0x83 + [] __warn+0xcb/0xf0 + [] warn_slowpath_null+0x1d/0x20 + [] srpt_release_cmd+0x139/0x140 [ib_srpt] + [] target_release_cmd_kref+0xb7/0x120 [target_core_mod] + [] target_put_sess_cmd+0x2f/0x60 [target_core_mod] + [] core_tmr_lun_reset+0x340/0x790 [target_core_mod] + [] target_tmr_work+0xe6/0x140 [target_core_mod] + [] process_one_work+0x1f3/0x4d0 + [] worker_thread+0x48/0x4e0 + [] ? process_one_work+0x4d0/0x4d0 + [] kthread+0xca/0xe0 + [] ? kthread_park+0x60/0x60 + [] ret_from_fork+0x25/0x30 + +Signed-off-by: Bart Van Assche +Reviewed-by: Hannes Reinecke +Cc: Doug Ledford +Cc: Christoph Hellwig +Cc: David Disseldorp +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2666,7 +2666,8 @@ static void srpt_release_cmd(struct se_c + struct srpt_rdma_ch *ch = ioctx->ch; + unsigned long flags; + +- WARN_ON(ioctx->state != SRPT_STATE_DONE); ++ WARN_ON_ONCE(ioctx->state != SRPT_STATE_DONE && ++ !(ioctx->cmd.transport_state & CMD_T_ABORTED)); + + if (ioctx->n_rw_ctx) { + srpt_free_rw_ctxs(ch, ioctx); diff --git a/queue-4.9/ib-srpt-fix-abort-handling.patch b/queue-4.9/ib-srpt-fix-abort-handling.patch new file mode 100644 index 00000000000..176cf5c849b --- /dev/null +++ b/queue-4.9/ib-srpt-fix-abort-handling.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Bart Van Assche +Date: Thu, 4 May 2017 15:50:53 -0700 +Subject: IB/srpt: Fix abort handling + +From: Bart Van Assche + + +[ Upstream commit 55d694275f41a1c0eef4ef49044ff29bc3999490 ] + +Let the target core check the CMD_T_ABORTED flag instead of the SRP +target driver. Hence remove the transport_check_aborted_status() +call. Since state == SRPT_STATE_CMD_RSP_SENT is something that really +should not happen, do not try to recover if srpt_queue_response() is +called for an I/O context that is in that state. This patch is a bug +fix because the srpt_abort_cmd() call is misplaced - if that function +is called from srpt_queue_response() it should either be called +before the command state is changed or after the response has been +sent. + +Signed-off-by: Bart Van Assche +Reviewed-by: Hannes Reinecke +Cc: Doug Ledford +Cc: Christoph Hellwig +Cc: Andy Grover +Cc: David Disseldorp +Signed-off-by: Nicholas Bellinger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/srpt/ib_srpt.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srpt/ib_srpt.c ++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c +@@ -2292,12 +2292,8 @@ static void srpt_queue_response(struct s + } + spin_unlock_irqrestore(&ioctx->spinlock, flags); + +- if (unlikely(transport_check_aborted_status(&ioctx->cmd, false) +- || WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) { +- atomic_inc(&ch->req_lim_delta); +- srpt_abort_cmd(ioctx); ++ if (unlikely(WARN_ON_ONCE(state == SRPT_STATE_CMD_RSP_SENT))) + return; +- } + + /* For read commands, transfer the data to the initiator. */ + if (ioctx->cmd.data_direction == DMA_FROM_DEVICE && diff --git a/queue-4.9/igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch b/queue-4.9/igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch new file mode 100644 index 00000000000..1c86c057ef2 --- /dev/null +++ b/queue-4.9/igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch @@ -0,0 +1,75 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jacob Keller +Date: Wed, 3 May 2017 10:28:52 -0700 +Subject: igb: fix race condition with PTP_TX_IN_PROGRESS bits + +From: Jacob Keller + + +[ Upstream commit 4ccdc013b0ae04755a8f7905e0525955d52a77d0 ] + +Hardware related to the igb driver has a limitation of only handling one +Tx timestamp at a time. Thus, the driver uses a state bit lock to +enforce that only one timestamp request is honored at a time. + +Unfortunately this suffers from a simple race condition. The bit lock is +not cleared until after skb_tstamp_tx() is called notifying the stack of +a new Tx timestamp. Even a well behaved application which sends only one +timestamp request at once and waits for a response might wake up and +send a new packet before the bit lock is cleared. This results in +needlessly dropping some Tx timestamp requests. + +We can fix this by unlocking the state bit as soon as we read the +Timestamp register, as this is the first point at which it is safe to +unlock. + +To avoid issues with the skb pointer, we'll use a copy of the pointer +and set the global variable in the driver structure to NULL first. This +ensures that the next timestamp request does not modify our local copy +of the skb pointer. + +This ensures that well behaved applications do not accidentally race +with the unlock bit. Obviously an application which sends multiple Tx +timestamp requests at once will still only timestamp one packet at +a time. Unfortunately there is nothing we can do about this. + +Reported-by: David Mirabito +Signed-off-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/igb/igb_ptp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/igb/igb_ptp.c ++++ b/drivers/net/ethernet/intel/igb/igb_ptp.c +@@ -721,6 +721,7 @@ void igb_ptp_rx_hang(struct igb_adapter + **/ + static void igb_ptp_tx_hwtstamp(struct igb_adapter *adapter) + { ++ struct sk_buff *skb = adapter->ptp_tx_skb; + struct e1000_hw *hw = &adapter->hw; + struct skb_shared_hwtstamps shhwtstamps; + u64 regval; +@@ -748,10 +749,17 @@ static void igb_ptp_tx_hwtstamp(struct i + shhwtstamps.hwtstamp = + ktime_add_ns(shhwtstamps.hwtstamp, adjust); + +- skb_tstamp_tx(adapter->ptp_tx_skb, &shhwtstamps); +- dev_kfree_skb_any(adapter->ptp_tx_skb); ++ /* Clear the lock early before calling skb_tstamp_tx so that ++ * applications are not woken up before the lock bit is clear. We use ++ * a copy of the skb pointer to ensure other threads can't change it ++ * while we're notifying the stack. ++ */ + adapter->ptp_tx_skb = NULL; + clear_bit_unlock(__IGB_PTP_TX_IN_PROGRESS, &adapter->state); ++ ++ /* Notify the stack and free the skb after we've unlocked */ ++ skb_tstamp_tx(skb, &shhwtstamps); ++ dev_kfree_skb_any(skb); + } + + /** diff --git a/queue-4.9/iio-hi8435-avoid-garbage-event-at-first-enable.patch b/queue-4.9/iio-hi8435-avoid-garbage-event-at-first-enable.patch new file mode 100644 index 00000000000..b52eae0820c --- /dev/null +++ b/queue-4.9/iio-hi8435-avoid-garbage-event-at-first-enable.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Nikita Yushchenko +Date: Fri, 19 May 2017 17:48:00 +0300 +Subject: iio: hi8435: avoid garbage event at first enable + +From: Nikita Yushchenko + + +[ Upstream commit ee19ac340c5fdfd89c6348be4563453c61ab54a9 ] + +Currently, driver generates events for channels if new reading differs +from previous one. This "previous value" is initialized to zero, which +results into event if value is constant-one. + +Fix that by initializing "previous value" by reading at event enable +time. + +This provides reliable sequence for userspace: +- enable event, +- AFTER THAT read current value, +- AFTER THAT each event will correspond to change. + +Signed-off-by: Nikita Yushchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/hi8435.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/hi8435.c ++++ b/drivers/iio/adc/hi8435.c +@@ -121,10 +121,21 @@ static int hi8435_write_event_config(str + enum iio_event_direction dir, int state) + { + struct hi8435_priv *priv = iio_priv(idev); ++ int ret; ++ u32 tmp; ++ ++ if (state) { ++ ret = hi8435_readl(priv, HI8435_SO31_0_REG, &tmp); ++ if (ret < 0) ++ return ret; ++ if (tmp & BIT(chan->channel)) ++ priv->event_prev_val |= BIT(chan->channel); ++ else ++ priv->event_prev_val &= ~BIT(chan->channel); + +- priv->event_scan_mask &= ~BIT(chan->channel); +- if (state) + priv->event_scan_mask |= BIT(chan->channel); ++ } else ++ priv->event_scan_mask &= ~BIT(chan->channel); + + return 0; + } diff --git a/queue-4.9/iio-hi8435-cleanup-reset-gpio.patch b/queue-4.9/iio-hi8435-cleanup-reset-gpio.patch new file mode 100644 index 00000000000..cca9563bcc9 --- /dev/null +++ b/queue-4.9/iio-hi8435-cleanup-reset-gpio.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Nikita Yushchenko +Date: Fri, 19 May 2017 17:48:02 +0300 +Subject: iio: hi8435: cleanup reset gpio + +From: Nikita Yushchenko + + +[ Upstream commit 61305664a542f874283f74bf0b27ddb31f5045d7 ] + +Reset GPIO is active low. + +Currently driver uses gpiod_set_value(1) to clean reset, which depends +on device tree to contain GPIO_ACTIVE_HIGH - that does not match reality. + +This fixes driver to use _raw version of gpiod_set_value() to enforce +active-low semantics despite of what's written in device tree. Allowing +device tree to override that only opens possibility for errors and does +not add any value. + +Additionally, use _cansleep version to make things work with i2c-gpio +and other sleeping gpio drivers. + +Signed-off-by: Nikita Yushchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/hi8435.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/iio/adc/hi8435.c ++++ b/drivers/iio/adc/hi8435.c +@@ -453,13 +453,15 @@ static int hi8435_probe(struct spi_devic + priv->spi = spi; + + reset_gpio = devm_gpiod_get(&spi->dev, NULL, GPIOD_OUT_LOW); +- if (IS_ERR(reset_gpio)) { +- /* chip s/w reset if h/w reset failed */ ++ if (!IS_ERR(reset_gpio)) { ++ /* need >=100ns low pulse to reset chip */ ++ gpiod_set_raw_value_cansleep(reset_gpio, 0); ++ udelay(1); ++ gpiod_set_raw_value_cansleep(reset_gpio, 1); ++ } else { ++ /* s/w reset chip if h/w reset is not available */ + hi8435_writeb(priv, HI8435_CTRL_REG, HI8435_CTRL_SRST); + hi8435_writeb(priv, HI8435_CTRL_REG, 0); +- } else { +- udelay(5); +- gpiod_set_value(reset_gpio, 1); + } + + spi_set_drvdata(spi, idev); diff --git a/queue-4.9/iio-light-rpr0521-poweroff-for-probe-fails.patch b/queue-4.9/iio-light-rpr0521-poweroff-for-probe-fails.patch new file mode 100644 index 00000000000..0a7f7e6ecee --- /dev/null +++ b/queue-4.9/iio-light-rpr0521-poweroff-for-probe-fails.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Mikko Koivunen +Date: Thu, 18 May 2017 15:12:50 +0300 +Subject: iio: light: rpr0521 poweroff for probe fails + +From: Mikko Koivunen + + +[ Upstream commit 12d74949133e2450533894ea01ce0c56646ce006 ] + +Set sensor measurement off after probe fail in pm_runtime_set_active() or +iio_device_register(). Without this change sensor measurement stays on +even though probe fails on these calls. + +This is maybe rare case, but causes constant power drain without any +benefits when it happens. Power drain is 20-500uA, typically 180uA. + +Signed-off-by: Mikko Koivunen +Acked-by: Daniel Baluta +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/rpr0521.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/iio/light/rpr0521.c ++++ b/drivers/iio/light/rpr0521.c +@@ -510,13 +510,26 @@ static int rpr0521_probe(struct i2c_clie + + ret = pm_runtime_set_active(&client->dev); + if (ret < 0) +- return ret; ++ goto err_poweroff; + + pm_runtime_enable(&client->dev); + pm_runtime_set_autosuspend_delay(&client->dev, RPR0521_SLEEP_DELAY_MS); + pm_runtime_use_autosuspend(&client->dev); + +- return iio_device_register(indio_dev); ++ ret = iio_device_register(indio_dev); ++ if (ret) ++ goto err_pm_disable; ++ ++ return 0; ++ ++err_pm_disable: ++ pm_runtime_disable(&client->dev); ++ pm_runtime_set_suspended(&client->dev); ++ pm_runtime_put_noidle(&client->dev); ++err_poweroff: ++ rpr0521_poweroff(data); ++ ++ return ret; + } + + static int rpr0521_remove(struct i2c_client *client) diff --git a/queue-4.9/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch b/queue-4.9/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch new file mode 100644 index 00000000000..43b9311382d --- /dev/null +++ b/queue-4.9/iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Lorenzo Bianconi +Date: Tue, 6 Jun 2017 22:51:24 +0200 +Subject: iio: magnetometer: st_magn_spi: fix spi_device_id table + +From: Lorenzo Bianconi + + +[ Upstream commit c83761ff0aac954aa368c623bb0f0d1a3214e834 ] + +Remove LSM303DLHC, LSM303DLM from st_magn_id_table since LSM303DL series +does not support spi interface + +Fixes: 872e79add756 (iio: magn: Add STMicroelectronics magn driver) +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/magnetometer/st_magn_spi.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/iio/magnetometer/st_magn_spi.c ++++ b/drivers/iio/magnetometer/st_magn_spi.c +@@ -48,8 +48,6 @@ static int st_magn_spi_remove(struct spi + } + + static const struct spi_device_id st_magn_id_table[] = { +- { LSM303DLHC_MAGN_DEV_NAME }, +- { LSM303DLM_MAGN_DEV_NAME }, + { LIS3MDL_MAGN_DEV_NAME }, + { LSM303AGR_MAGN_DEV_NAME }, + {}, diff --git a/queue-4.9/iio-pressure-zpa2326-report-interrupted-case-as-failure.patch b/queue-4.9/iio-pressure-zpa2326-report-interrupted-case-as-failure.patch new file mode 100644 index 00000000000..f2a6b4ecb66 --- /dev/null +++ b/queue-4.9/iio-pressure-zpa2326-report-interrupted-case-as-failure.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Nicholas Mc Guire +Date: Sun, 14 May 2017 10:43:55 +0200 +Subject: iio: pressure: zpa2326: report interrupted case as failure + +From: Nicholas Mc Guire + + +[ Upstream commit e7215fe4d51e69c9d2608ad0c409d48e844d0adc ] + +If the timeout-case prints a warning message then probably the interrupted +case should also. Further, wait_for_completion_interruptible_timeout() +returns long not int. + +Fixes: commit 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/pressure/zpa2326.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/iio/pressure/zpa2326.c ++++ b/drivers/iio/pressure/zpa2326.c +@@ -871,12 +871,13 @@ static int zpa2326_wait_oneshot_completi + { + int ret; + unsigned int val; ++ long timeout; + + zpa2326_dbg(indio_dev, "waiting for one shot completion interrupt"); + +- ret = wait_for_completion_interruptible_timeout( ++ timeout = wait_for_completion_interruptible_timeout( + &private->data_ready, ZPA2326_CONVERSION_JIFFIES); +- if (ret > 0) ++ if (timeout > 0) + /* + * Interrupt handler completed before timeout: return operation + * status. +@@ -886,13 +887,16 @@ static int zpa2326_wait_oneshot_completi + /* Clear all interrupts just to be sure. */ + regmap_read(private->regmap, ZPA2326_INT_SOURCE_REG, &val); + +- if (!ret) ++ if (!timeout) { + /* Timed out. */ ++ zpa2326_warn(indio_dev, "no one shot interrupt occurred (%ld)", ++ timeout); + ret = -ETIME; +- +- if (ret != -ERESTARTSYS) +- zpa2326_warn(indio_dev, "no one shot interrupt occurred (%d)", +- ret); ++ } else if (timeout < 0) { ++ zpa2326_warn(indio_dev, ++ "wait for one shot interrupt cancelled"); ++ ret = -ERESTARTSYS; ++ } + + return ret; + } diff --git a/queue-4.9/input-elan_i2c-check-if-device-is-there-before-really-probing.patch b/queue-4.9/input-elan_i2c-check-if-device-is-there-before-really-probing.patch new file mode 100644 index 00000000000..626328e9202 --- /dev/null +++ b/queue-4.9/input-elan_i2c-check-if-device-is-there-before-really-probing.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dmitry Torokhov +Date: Fri, 19 Dec 2014 12:57:49 -0800 +Subject: Input: elan_i2c - check if device is there before really probing + +From: Dmitry Torokhov + + +[ Upstream commit c5928551fd41b2eecdad78fa2be2a4a13ed5fde9 ] + +Before trying to properly initialize the touchpad and generate bunch of +errors, let's first see it there is anything at the given address. If we +get error, fail silently with -ENXIO. + +Reviewed-by: Guenter Roeck +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/elan_i2c_core.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -1082,6 +1082,13 @@ static int elan_probe(struct i2c_client + return error; + } + ++ /* Make sure there is something at this address */ ++ error = i2c_smbus_read_byte(client); ++ if (error < 0) { ++ dev_dbg(&client->dev, "nothing at this address: %d\n", error); ++ return -ENXIO; ++ } ++ + /* Initialize the touchpad. */ + error = elan_initialize(data); + if (error) diff --git a/queue-4.9/input-elan_i2c-clear-int-before-resetting-controller.patch b/queue-4.9/input-elan_i2c-clear-int-before-resetting-controller.patch new file mode 100644 index 00000000000..ecb4f67077d --- /dev/null +++ b/queue-4.9/input-elan_i2c-clear-int-before-resetting-controller.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: KT Liao +Date: Thu, 25 May 2017 10:06:21 -0700 +Subject: Input: elan_i2c - clear INT before resetting controller + +From: KT Liao + + +[ Upstream commit 4b3c7dbbfff0673e8a89575414b864d8b001d3bb ] + +Some old touchpad FWs need to have interrupt cleared before issuing reset +command after updating firmware. We clear interrupt by attempting to read +full report from the controller, and discarding any data read. + +Signed-off-by: KT Liao +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/elan_i2c_i2c.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/input/mouse/elan_i2c_i2c.c ++++ b/drivers/input/mouse/elan_i2c_i2c.c +@@ -557,7 +557,14 @@ static int elan_i2c_finish_fw_update(str + long ret; + int error; + int len; +- u8 buffer[ETP_I2C_INF_LENGTH]; ++ u8 buffer[ETP_I2C_REPORT_LEN]; ++ ++ len = i2c_master_recv(client, buffer, ETP_I2C_REPORT_LEN); ++ if (len != ETP_I2C_REPORT_LEN) { ++ error = len < 0 ? len : -EIO; ++ dev_warn(dev, "failed to read I2C data after FW WDT reset: %d (%d)\n", ++ error, len); ++ } + + reinit_completion(completion); + enable_irq(client->irq); diff --git a/queue-4.9/input-elantech-force-relative-mode-on-a-certain-module.patch b/queue-4.9/input-elantech-force-relative-mode-on-a-certain-module.patch new file mode 100644 index 00000000000..ab26d095887 --- /dev/null +++ b/queue-4.9/input-elantech-force-relative-mode-on-a-certain-module.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: KT Liao +Date: Mon, 12 Dec 2016 11:03:42 -0800 +Subject: Input: elantech - force relative mode on a certain module + +From: KT Liao + + +[ Upstream commit d899520b0431e70279bfb5066ecb6dc91d0b7072 ] + +One of Elan modules with sample version is 0x74 and hw_version is 0x03 has +a bug in absolute mode implementation, so let it run in default PS/2 +relative mode. + +Signed-off-by: KT Liao +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/mouse/elantech.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1711,6 +1711,17 @@ int elantech_init(struct psmouse *psmous + etd->samples[0], etd->samples[1], etd->samples[2]); + } + ++ if (etd->samples[1] == 0x74 && etd->hw_version == 0x03) { ++ /* ++ * This module has a bug which makes absolute mode ++ * unusable, so let's abort so we'll be using standard ++ * PS/2 protocol. ++ */ ++ psmouse_info(psmouse, ++ "absolute mode broken, forcing standard PS/2 protocol\n"); ++ goto init_fail; ++ } ++ + if (elantech_set_absolute_mode(psmouse)) { + psmouse_err(psmouse, + "failed to put touchpad into absolute mode.\n"); diff --git a/queue-4.9/input-goodix-disable-irqs-while-suspended.patch b/queue-4.9/input-goodix-disable-irqs-while-suspended.patch new file mode 100644 index 00000000000..d040eaaa7bb --- /dev/null +++ b/queue-4.9/input-goodix-disable-irqs-while-suspended.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Fri, 12 Jan 2018 00:36:48 -0800 +Subject: Input: goodix - disable IRQs while suspended + +From: Hans de Goede + + +[ Upstream commit faec44b6838312484d63e82286087cf2d5ebb891 ] + +We should not try to do any i2c transfers before the controller is +resumed (which happens before our resume method gets called). + +So we need to disable our IRQ while suspended to enforce this. The +code paths for devices with GPIOs for the int and reset pins already +disable the IRQ the through goodix_free_irq(). + +This commit also disables the IRQ while suspended for devices without +GPIOs for the int and reset pins. + +This fixes the i2c bus sometimes getting stuck after a suspend/resume +causing the touchscreen to sometimes not work after a suspend/resume. +This has been tested on a GPD pocked device. + +BugLink: https://github.com/nexus511/gpd-ubuntu-packages/issues/10 +BugLink: https://www.reddit.com/r/GPDPocket/comments/7niut2/fix_for_broken_touch_after_resume_all_linux/ +Tested-by: Hans de Goede +Signed-off-by: Hans de Goede +Reviewed-by: Bastien Nocera +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/goodix.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/input/touchscreen/goodix.c ++++ b/drivers/input/touchscreen/goodix.c +@@ -778,8 +778,10 @@ static int __maybe_unused goodix_suspend + int error; + + /* We need gpio pins to suspend/resume */ +- if (!ts->gpiod_int || !ts->gpiod_rst) ++ if (!ts->gpiod_int || !ts->gpiod_rst) { ++ disable_irq(client->irq); + return 0; ++ } + + wait_for_completion(&ts->firmware_loading_complete); + +@@ -819,8 +821,10 @@ static int __maybe_unused goodix_resume( + struct goodix_ts_data *ts = i2c_get_clientdata(client); + int error; + +- if (!ts->gpiod_int || !ts->gpiod_rst) ++ if (!ts->gpiod_int || !ts->gpiod_rst) { ++ enable_irq(client->irq); + return 0; ++ } + + /* + * Exit sleep mode by outputting HIGH level to INT pin diff --git a/queue-4.9/ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch b/queue-4.9/ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch new file mode 100644 index 00000000000..8abfcba64d8 --- /dev/null +++ b/queue-4.9/ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Liam McBirnie +Date: Thu, 1 Jun 2017 15:36:01 +1000 +Subject: ip6_tunnel: fix traffic class routing for tunnels + +From: Liam McBirnie + + +[ Upstream commit 5f733ee68f9a4df94775299ac6a7ab260704f6ed ] + +ip6_route_output() requires that the flowlabel contains the traffic +class for policy routing. + +Commit 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on +encapsulated packets") removed the code which previously added the +traffic class to the flowlabel. + +The traffic class is added here because only route lookup needs the +flowlabel to contain the traffic class. + +Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets") +Signed-off-by: Liam McBirnie +Acked-by: Peter Dawson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -1097,6 +1097,9 @@ int ip6_tnl_xmit(struct sk_buff *skb, st + + if (!dst) { + route_lookup: ++ /* add dsfield to flowlabel for route lookup */ ++ fl6->flowlabel = ip6_make_flowinfo(dsfield, fl6->flowlabel); ++ + dst = ip6_route_output(net, NULL, fl6); + + if (dst->error) diff --git a/queue-4.9/ipmi_ssif-unlock-on-allocation-failure.patch b/queue-4.9/ipmi_ssif-unlock-on-allocation-failure.patch new file mode 100644 index 00000000000..cae3ae64994 --- /dev/null +++ b/queue-4.9/ipmi_ssif-unlock-on-allocation-failure.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Fri, 5 May 2017 08:33:24 +0300 +Subject: ipmi_ssif: unlock on allocation failure + +From: Dan Carpenter + + +[ Upstream commit cf9806f32ef63b745f2486e0dbb2ac21f4ca44f0 ] + +We should unlock and re-enable IRQs if this allocation fails. + +Fixes: 259307074bfc ("ipmi: Add SMBus interface driver (SSIF) ") +Signed-off-by: Dan Carpenter +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_ssif.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/char/ipmi/ipmi_ssif.c ++++ b/drivers/char/ipmi/ipmi_ssif.c +@@ -409,6 +409,7 @@ static void start_event_fetch(struct ssi + msg = ipmi_alloc_smi_msg(); + if (!msg) { + ssif_info->ssif_state = SSIF_NORMAL; ++ ipmi_ssif_unlock_cond(ssif_info, flags); + return; + } + +@@ -431,6 +432,7 @@ static void start_recv_msg_fetch(struct + msg = ipmi_alloc_smi_msg(); + if (!msg) { + ssif_info->ssif_state = SSIF_NORMAL; ++ ipmi_ssif_unlock_cond(ssif_info, flags); + return; + } + diff --git a/queue-4.9/ipmr-vrf-find-vifs-using-the-actual-device.patch b/queue-4.9/ipmr-vrf-find-vifs-using-the-actual-device.patch new file mode 100644 index 00000000000..8b8960e42e7 --- /dev/null +++ b/queue-4.9/ipmr-vrf-find-vifs-using-the-actual-device.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Thomas Winter +Date: Tue, 16 May 2017 10:14:44 +1200 +Subject: ipmr: vrf: Find VIFs using the actual device + +From: Thomas Winter + + +[ Upstream commit bcfc7d33110b0f33069d74138eeb7ca9acbb3c85 ] + +The skb->dev that is passed into ip_mr_input is +the loX device for VRFs. When we lookup a vif +for this dev, none is found as we do not create +vifs for loopbacks. Instead lookup a vif for the +actual device that the packet was received on, +eg the vlan. + +Signed-off-by: Thomas Winter +cc: David Ahern +cc: Nikolay Aleksandrov +cc: roopa +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipmr.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/net/ipv4/ipmr.c ++++ b/net/ipv4/ipmr.c +@@ -1929,6 +1929,20 @@ int ip_mr_input(struct sk_buff *skb) + struct net *net = dev_net(skb->dev); + int local = skb_rtable(skb)->rt_flags & RTCF_LOCAL; + struct mr_table *mrt; ++ struct net_device *dev; ++ ++ /* skb->dev passed in is the loX master dev for vrfs. ++ * As there are no vifs associated with loopback devices, ++ * get the proper interface that does have a vif associated with it. ++ */ ++ dev = skb->dev; ++ if (netif_is_l3_master(skb->dev)) { ++ dev = dev_get_by_index_rcu(net, IPCB(skb)->iif); ++ if (!dev) { ++ kfree_skb(skb); ++ return -ENODEV; ++ } ++ } + + /* Packet is looped back after forward, it should not be + * forwarded second time, but still can be delivered locally. +@@ -1966,7 +1980,7 @@ int ip_mr_input(struct sk_buff *skb) + /* already under rcu_read_lock() */ + cache = ipmr_cache_find(mrt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr); + if (!cache) { +- int vif = ipmr_find_vif(mrt, skb->dev); ++ int vif = ipmr_find_vif(mrt, dev); + + if (vif >= 0) + cache = ipmr_cache_find_any(mrt, ip_hdr(skb)->daddr, +@@ -1986,7 +2000,7 @@ int ip_mr_input(struct sk_buff *skb) + } + + read_lock(&mrt_lock); +- vif = ipmr_find_vif(mrt, skb->dev); ++ vif = ipmr_find_vif(mrt, dev); + if (vif >= 0) { + int err2 = ipmr_cache_unresolved(mrt, vif, skb); + read_unlock(&mrt_lock); diff --git a/queue-4.9/ipsec-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/ipsec-check-return-value-of-skb_to_sgvec-always.patch new file mode 100644 index 00000000000..26444583545 --- /dev/null +++ b/queue-4.9/ipsec-check-return-value-of-skb_to_sgvec-always.patch @@ -0,0 +1,130 @@ +From 3f29770723fe498a5c5f57c3a31a996ebdde03e1 Mon Sep 17 00:00:00 2001 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:23 +0200 +Subject: ipsec: check return value of skb_to_sgvec always + +From: Jason A. Donenfeld + +commit 3f29770723fe498a5c5f57c3a31a996ebdde03e1 upstream. + +Signed-off-by: Jason A. Donenfeld +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Signed-off-by: David S. Miller +[natechancellor: Adjusted context due to lack of fca11ebde3f0] +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ah4.c | 8 ++++++-- + net/ipv4/esp4.c | 13 ++++++++----- + net/ipv6/ah6.c | 8 ++++++-- + net/ipv6/esp6.c | 12 ++++++++---- + 4 files changed, 28 insertions(+), 13 deletions(-) + +--- a/net/ipv4/ah4.c ++++ b/net/ipv4/ah4.c +@@ -220,7 +220,9 @@ static int ah_output(struct xfrm_state * + ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +@@ -393,7 +395,9 @@ static int ah_input(struct xfrm_state *x + skb_push(skb, ihl); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -268,10 +268,11 @@ static int esp_output(struct xfrm_state + esph->spi = x->id.spi; + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, +- (unsigned char *)esph - skb->data, +- assoclen + ivlen + clen + alen); +- ++ err = skb_to_sgvec(skb, sg, ++ (unsigned char *)esph - skb->data, ++ assoclen + ivlen + clen + alen); ++ if (unlikely(err < 0)) ++ goto error; + aead_request_set_crypt(req, sg, sg, ivlen + clen, iv); + aead_request_set_ad(req, assoclen); + +@@ -481,7 +482,9 @@ static int esp_input(struct xfrm_state * + } + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ err = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out; + + aead_request_set_crypt(req, sg, sg, elen + ivlen, iv); + aead_request_set_ad(req, assoclen); +--- a/net/ipv6/ah6.c ++++ b/net/ipv6/ah6.c +@@ -423,7 +423,9 @@ static int ah6_output(struct xfrm_state + ah->seq_no = htonl(XFRM_SKB_CB(skb)->seq.output.low); + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +@@ -603,7 +605,9 @@ static int ah6_input(struct xfrm_state * + ip6h->hop_limit = 0; + + sg_init_table(sg, nfrags + sglists); +- skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ err = skb_to_sgvec_nomark(skb, sg, 0, skb->len); ++ if (unlikely(err < 0)) ++ goto out_free; + + if (x->props.flags & XFRM_STATE_ESN) { + /* Attach seqhi sg right after packet payload */ +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -248,9 +248,11 @@ static int esp6_output(struct xfrm_state + esph->spi = x->id.spi; + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, +- (unsigned char *)esph - skb->data, +- assoclen + ivlen + clen + alen); ++ err = skb_to_sgvec(skb, sg, ++ (unsigned char *)esph - skb->data, ++ assoclen + ivlen + clen + alen); ++ if (unlikely(err < 0)) ++ goto error; + + aead_request_set_crypt(req, sg, sg, ivlen + clen, iv); + aead_request_set_ad(req, assoclen); +@@ -423,7 +425,9 @@ static int esp6_input(struct xfrm_state + } + + sg_init_table(sg, nfrags); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ ret = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(ret < 0)) ++ goto out; + + aead_request_set_crypt(req, sg, sg, elen + ivlen, iv); + aead_request_set_ad(req, assoclen); diff --git a/queue-4.9/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch b/queue-4.9/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch new file mode 100644 index 00000000000..5081d1ab8d6 --- /dev/null +++ b/queue-4.9/ipv6-avoid-dad-failures-for-addresses-with-nodad.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Mahesh Bandewar +Date: Fri, 12 May 2017 17:03:39 -0700 +Subject: ipv6: avoid dad-failures for addresses with NODAD + +From: Mahesh Bandewar + + +[ Upstream commit 66eb9f86e50547ec2a8ff7a75997066a74ef584b ] + +Every address gets added with TENTATIVE flag even for the addresses with +IFA_F_NODAD flag and dad-work is scheduled for them. During this DAD process +we realize it's an address with NODAD and complete the process without +sending any probe. However the TENTATIVE flags stays on the +address for sometime enough to cause misinterpretation when we receive a NS. +While processing NS, if the address has TENTATIVE flag, we mark it DADFAILED +and endup with an address that was originally configured as NODAD with +DADFAILED. + +We can't avoid scheduling dad_work for addresses with NODAD but we can +avoid adding TENTATIVE flag to avoid this racy situation. + +Signed-off-by: Mahesh Bandewar +Acked-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/addrconf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -988,7 +988,10 @@ ipv6_add_addr(struct inet6_dev *idev, co + INIT_HLIST_NODE(&ifa->addr_lst); + ifa->scope = scope; + ifa->prefix_len = pfxlen; +- ifa->flags = flags | IFA_F_TENTATIVE; ++ ifa->flags = flags; ++ /* No need to add the TENTATIVE flag for addresses with NODAD */ ++ if (!(flags & IFA_F_NODAD)) ++ ifa->flags |= IFA_F_TENTATIVE; + ifa->valid_lft = valid_lft; + ifa->prefered_lft = prefered_lft; + ifa->cstamp = ifa->tstamp = jiffies; diff --git a/queue-4.9/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch b/queue-4.9/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch new file mode 100644 index 00000000000..77fa1408d3b --- /dev/null +++ b/queue-4.9/irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch @@ -0,0 +1,92 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Shanker Donthineni +Date: Tue, 5 Dec 2017 13:16:21 -0600 +Subject: irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry + +From: Shanker Donthineni + + +[ Upstream commit ebe2f8718007d5a1238bb3cb8141b5bb2b4d5773 ] + +The ACPI specification says OS shouldn't attempt to use GICC configuration +parameters if the flag ACPI_MADT_ENABLED is cleared. The ARM64-SMP code +skips the disabled GICC entries but not causing any issue. However the +current GICv3 driver probe bails out causing kernel panic() instead of +skipping the disabled GICC interfaces. This issue happens on systems +where redistributor regions are not in the always-on power domain and +one of GICC interface marked with ACPI_MADT_ENABLED=0. + +This patch does the two things to fix the panic. + - Don't return an error in gic_acpi_match_gicc() for disabled GICC entry. + - No need to keep GICR region information for disabled GICC entry. + +Observed kernel crash on QDF2400 platform GICC entry is disabled. +Kernel crash traces: + Kernel panic - not syncing: No interrupt controller found. + CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.13.5 #26 + [] dump_backtrace+0x0/0x218 + [] show_stack+0x14/0x20 + [] dump_stack+0x98/0xb8 + [] panic+0x118/0x26c + [] init_IRQ+0x24/0x2c + [] start_kernel+0x230/0x394 + [] __primary_switched+0x64/0x6c + ---[ end Kernel panic - not syncing: No interrupt controller found. + +Disabled GICC subtable example: + Subtable Type : 0B [Generic Interrupt Controller] + Length : 50 + Reserved : 0000 + CPU Interface Number : 0000003D + Processor UID : 0000003D + Flags (decoded below) : 00000000 + Processor Enabled : 0 + Performance Interrupt Trig Mode : 0 + Virtual GIC Interrupt Trig Mode : 0 + Parking Protocol Version : 00000000 + Performance Interrupt : 00000017 + Parked Address : 0000000000000000 + Base Address : 0000000000000000 + Virtual GIC Base Address : 0000000000000000 + Hypervisor GIC Base Address : 0000000000000000 + Virtual GIC Interrupt : 00000019 + Redistributor Base Address : 0000FFFF88F40000 + ARM MPIDR : 000000000000000D + Efficiency Class : 00 + Reserved : 000000 +Signed-off-by: Shanker Donthineni +Signed-off-by: Marc Zyngier + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-gic-v3.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3.c ++++ b/drivers/irqchip/irq-gic-v3.c +@@ -1250,6 +1250,10 @@ gic_acpi_parse_madt_gicc(struct acpi_sub + u32 size = reg == GIC_PIDR2_ARCH_GICv4 ? SZ_64K * 4 : SZ_64K * 2; + void __iomem *redist_base; + ++ /* GICC entry which has !ACPI_MADT_ENABLED is not unusable so skip */ ++ if (!(gicc->flags & ACPI_MADT_ENABLED)) ++ return 0; ++ + redist_base = ioremap(gicc->gicr_base_address, size); + if (!redist_base) + return -ENOMEM; +@@ -1299,6 +1303,13 @@ static int __init gic_acpi_match_gicc(st + if ((gicc->flags & ACPI_MADT_ENABLED) && gicc->gicr_base_address) + return 0; + ++ /* ++ * It's perfectly valid firmware can pass disabled GICC entry, driver ++ * should not treat as errors, skip the entry instead of probe fail. ++ */ ++ if (!(gicc->flags & ACPI_MADT_ENABLED)) ++ return 0; ++ + return -ENODEV; + } + diff --git a/queue-4.9/irqchip-mbigen-fix-the-clear-register-offset-calculation.patch b/queue-4.9/irqchip-mbigen-fix-the-clear-register-offset-calculation.patch new file mode 100644 index 00000000000..03f7b26ea3b --- /dev/null +++ b/queue-4.9/irqchip-mbigen-fix-the-clear-register-offset-calculation.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: MaJun +Date: Fri, 12 May 2017 11:55:28 +0800 +Subject: irqchip/mbigen: Fix the clear register offset calculation + +From: MaJun + + +[ Upstream commit 9459a04b6a5a09967eec94a1b66f0a74312819d9 ] + +The register array offset for clearing an interrupt is calculated by: + + offset = (hwirq - RESERVED_IRQ_PER_MBIGEN_CHIP) / 32; + +This is wrong because the clear register array includes the reserved +interrupts. So the clear operation ends up in the wrong register. + +This went unnoticed so far, because the hardware clears the real bit +through a timeout mechanism when the hardware is configured in debug +mode. That debug mode was enabled on early generations of the hardware, so +the problem was papered over. + +On newer hardware with updated firmware the debug mode was disabled, so the +bits did not get cleared which causes the system to malfunction. + +Remove the subtraction of RESERVED_IRQ_PER_MBIGEN_CHIP, so the correct +register is accessed. + +[ tglx: Rewrote changelog ] + +Fixes: a6c2f87b8820 ("irqchip/mbigen: Implement the mbigen irq chip operation functions") +Signed-off-by: MaJun +Signed-off-by: Hanjun Guo +Acked-by: Marc Zyngier +Cc: Kefeng Wang +Cc: linuxarm@huawei.com +Cc: Wei Yongjun +Link: http://lkml.kernel.org/r/1494561328-39514-4-git-send-email-guohanjun@huawei.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/irqchip/irq-mbigen.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-mbigen.c ++++ b/drivers/irqchip/irq-mbigen.c +@@ -105,10 +105,7 @@ static inline void get_mbigen_type_reg(i + static inline void get_mbigen_clear_reg(irq_hw_number_t hwirq, + u32 *mask, u32 *addr) + { +- unsigned int ofst; +- +- hwirq -= RESERVED_IRQ_PER_MBIGEN_CHIP; +- ofst = hwirq / 32 * 4; ++ unsigned int ofst = (hwirq / 32) * 4; + + *mask = 1 << (hwirq % 32); + *addr = ofst + REG_MBIGEN_CLEAR_OFFSET; diff --git a/queue-4.9/iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch b/queue-4.9/iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch new file mode 100644 index 00000000000..57bce0fd516 --- /dev/null +++ b/queue-4.9/iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Luca Coelho +Date: Tue, 25 Apr 2017 10:18:10 +0300 +Subject: iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265 + +From: Luca Coelho + + +[ Upstream commit 15098803d38778070b8edfa5a3d5fc4fef10d0a1 ] + +In a previous commit, we removed support for API versions earlier than +22 for these NICs. By mistake, the *_UCODE_API_MIN definitions were +set to 17. Fix that. + +Fixes: 4b87e5af638b ("iwlwifi: remove support for fw older than -17 and -22") +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-7000.c | 4 ++-- + drivers/net/wireless/intel/iwlwifi/iwl-8000.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-7000.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-7000.c +@@ -79,8 +79,8 @@ + /* Lowest firmware API version supported */ + #define IWL7260_UCODE_API_MIN 17 + #define IWL7265_UCODE_API_MIN 17 +-#define IWL7265D_UCODE_API_MIN 17 +-#define IWL3168_UCODE_API_MIN 20 ++#define IWL7265D_UCODE_API_MIN 22 ++#define IWL3168_UCODE_API_MIN 22 + + /* NVM versions */ + #define IWL7260_NVM_VERSION 0x0a1d +--- a/drivers/net/wireless/intel/iwlwifi/iwl-8000.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-8000.c +@@ -74,8 +74,8 @@ + #define IWL8265_UCODE_API_MAX 26 + + /* Lowest firmware API version supported */ +-#define IWL8000_UCODE_API_MIN 17 +-#define IWL8265_UCODE_API_MIN 20 ++#define IWL8000_UCODE_API_MIN 22 ++#define IWL8265_UCODE_API_MIN 22 + + /* NVM versions */ + #define IWL8000_NVM_VERSION 0x0a1d diff --git a/queue-4.9/iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch b/queue-4.9/iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch new file mode 100644 index 00000000000..de46494a549 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Haim Dreyfuss +Date: Thu, 16 Mar 2017 17:26:03 +0200 +Subject: iwlwifi: mvm: Fix command queue number on d0i3 flow + +From: Haim Dreyfuss + + +[ Upstream commit c72c37b7f392ad7edc10b6092fa48c632ba6f4ed ] + +During d0i3 flow we flush all the queue except from the command queue. +Currently, in this flow the command queue is hard coded to 9. +In DQA the command queue number has changed from 9 to 0. +Fix that. + +This fixes a problem in runtime PM resume flow. + +Fixes: 097129c9e625 ("iwlwifi: mvm: move cmd queue to be #0 in dqa mode") +Signed-off-by: Haim Dreyfuss +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -1666,8 +1666,11 @@ int iwl_mvm_find_free_queue(struct iwl_m + */ + static inline u32 iwl_mvm_flushable_queues(struct iwl_mvm *mvm) + { ++ u32 cmd_queue = iwl_mvm_is_dqa_supported(mvm) ? IWL_MVM_DQA_CMD_QUEUE : ++ IWL_MVM_CMD_QUEUE; ++ + return ((BIT(mvm->cfg->base_params->num_of_queues) - 1) & +- ~BIT(IWL_MVM_CMD_QUEUE)); ++ ~BIT(cmd_queue)); + } + + static inline diff --git a/queue-4.9/iwlwifi-mvm-fix-firmware-debug-restart-recording.patch b/queue-4.9/iwlwifi-mvm-fix-firmware-debug-restart-recording.patch new file mode 100644 index 00000000000..bae793b0c11 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-firmware-debug-restart-recording.patch @@ -0,0 +1,139 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Emmanuel Grumbach +Date: Wed, 29 Mar 2017 10:21:09 +0300 +Subject: iwlwifi: mvm: fix firmware debug restart recording + +From: Emmanuel Grumbach + + +[ Upstream commit addce854f164a68da9cb158e2e7e447705068549 ] + +When we want to stop the recording of the firmware debug +and restart it later without reloading the firmware we +don't need to resend the configuration that comes with +host commands. +Sending those commands confused the hardware and led to +an NMI 0x66. + +Change the flow as following: +* read the relevant registers (DBGC_IN_SAMPLE, DBGC_OUT_CTRL) +* clear those registers +* wait for the hardware to complete its write to the buffer +* get the data +* restore the value of those registers (to restart the + recording) + +For early start (where the configuration is already +compiled in the firmware), we don't need to set those +registers after the firmware has been loaded, but only +when we want to restart the recording without having +restarted the firmware. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 12 --------- + drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 32 ++++++++++++++++++------ + 4 files changed, 27 insertions(+), 19 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/iwl-prph.h ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-prph.h +@@ -369,6 +369,7 @@ + #define MON_DMARB_RD_DATA_ADDR (0xa03c5c) + + #define DBGC_IN_SAMPLE (0xa03c00) ++#define DBGC_OUT_CTRL (0xa03c0c) + + /* enable the ID buf for read */ + #define WFPM_PS_CTL_CLR 0xA0300C +--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c +@@ -914,14 +914,6 @@ int iwl_mvm_fw_dbg_collect_trig(struct i + return 0; + } + +-static inline void iwl_mvm_restart_early_start(struct iwl_mvm *mvm) +-{ +- if (mvm->cfg->device_family == IWL_DEVICE_FAMILY_7000) +- iwl_clear_bits_prph(mvm->trans, MON_BUFF_SAMPLE_CTL, 0x100); +- else +- iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, 1); +-} +- + int iwl_mvm_start_fw_dbg_conf(struct iwl_mvm *mvm, u8 conf_id) + { + u8 *ptr; +@@ -935,10 +927,8 @@ int iwl_mvm_start_fw_dbg_conf(struct iwl + /* EARLY START - firmware's configuration is hard coded */ + if ((!mvm->fw->dbg_conf_tlv[conf_id] || + !mvm->fw->dbg_conf_tlv[conf_id]->num_of_hcmds) && +- conf_id == FW_DBG_START_FROM_ALIVE) { +- iwl_mvm_restart_early_start(mvm); ++ conf_id == FW_DBG_START_FROM_ALIVE) + return 0; +- } + + if (!mvm->fw->dbg_conf_tlv[conf_id]) + return -EINVAL; +--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h +@@ -1687,6 +1687,7 @@ void iwl_mvm_enable_ac_txq(struct iwl_mv + static inline void iwl_mvm_stop_device(struct iwl_mvm *mvm) + { + mvm->ucode_loaded = false; ++ mvm->fw_dbg_conf = FW_DBG_INVALID; + iwl_trans_stop_device(mvm->trans); + } + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c +@@ -1118,21 +1118,37 @@ static void iwl_mvm_fw_error_dump_wk(str + + mutex_lock(&mvm->mutex); + +- /* stop recording */ + if (mvm->cfg->device_family == IWL_DEVICE_FAMILY_7000) { ++ /* stop recording */ + iwl_set_bits_prph(mvm->trans, MON_BUFF_SAMPLE_CTL, 0x100); ++ ++ iwl_mvm_fw_error_dump(mvm); ++ ++ /* start recording again if the firmware is not crashed */ ++ if (!test_bit(STATUS_FW_ERROR, &mvm->trans->status) && ++ mvm->fw->dbg_dest_tlv) ++ iwl_clear_bits_prph(mvm->trans, ++ MON_BUFF_SAMPLE_CTL, 0x100); + } else { ++ u32 in_sample = iwl_read_prph(mvm->trans, DBGC_IN_SAMPLE); ++ u32 out_ctrl = iwl_read_prph(mvm->trans, DBGC_OUT_CTRL); ++ ++ /* stop recording */ + iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, 0); +- /* wait before we collect the data till the DBGC stop */ + udelay(100); +- } ++ iwl_write_prph(mvm->trans, DBGC_OUT_CTRL, 0); ++ /* wait before we collect the data till the DBGC stop */ ++ udelay(500); + +- iwl_mvm_fw_error_dump(mvm); ++ iwl_mvm_fw_error_dump(mvm); + +- /* start recording again if the firmware is not crashed */ +- WARN_ON_ONCE((!test_bit(STATUS_FW_ERROR, &mvm->trans->status)) && +- mvm->fw->dbg_dest_tlv && +- iwl_mvm_start_fw_dbg_conf(mvm, mvm->fw_dbg_conf)); ++ /* start recording again if the firmware is not crashed */ ++ if (!test_bit(STATUS_FW_ERROR, &mvm->trans->status) && ++ mvm->fw->dbg_dest_tlv) { ++ iwl_write_prph(mvm->trans, DBGC_IN_SAMPLE, in_sample); ++ iwl_write_prph(mvm->trans, DBGC_OUT_CTRL, out_ctrl); ++ } ++ } + + mutex_unlock(&mvm->mutex); + diff --git a/queue-4.9/iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch b/queue-4.9/iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch new file mode 100644 index 00000000000..c44130194f7 --- /dev/null +++ b/queue-4.9/iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Luca Coelho +Date: Fri, 24 Mar 2017 11:01:45 +0200 +Subject: iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3 + +From: Luca Coelho + + +[ Upstream commit e4c49c4937951de1cdbe35572ade40c948dec1e1 ] + +We only need to handle d0i3 entry and exit during suspend resume if +system_pm is set to IWL_PLAT_PM_MODE_D0I3, otherwise d0i3 entry +failures will cause suspend to fail. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=194791 + +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c ++++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c +@@ -2824,7 +2824,8 @@ static struct iwl_trans_dump_data + #ifdef CONFIG_PM_SLEEP + static int iwl_trans_pcie_suspend(struct iwl_trans *trans) + { +- if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3) ++ if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3 && ++ (trans->system_pm_mode == IWL_PLAT_PM_MODE_D0I3)) + return iwl_pci_fw_enter_d0i3(trans); + + return 0; +@@ -2832,7 +2833,8 @@ static int iwl_trans_pcie_suspend(struct + + static void iwl_trans_pcie_resume(struct iwl_trans *trans) + { +- if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3) ++ if (trans->runtime_pm_mode == IWL_PLAT_PM_MODE_D0I3 && ++ (trans->system_pm_mode == IWL_PLAT_PM_MODE_D0I3)) + iwl_pci_fw_exit_d0i3(trans); + } + #endif /* CONFIG_PM_SLEEP */ diff --git a/queue-4.9/iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch b/queue-4.9/iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch new file mode 100644 index 00000000000..d6055704da9 --- /dev/null +++ b/queue-4.9/iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Johannes Berg +Date: Wed, 22 Mar 2017 22:00:10 +0100 +Subject: iwlwifi: tt: move ucode_loaded check under mutex + +From: Johannes Berg + + +[ Upstream commit d9954405758a0cbbe258d9b4d4dc12a06fa48a28 ] + +The ucode_loaded check should be under the mutex, since it can +otherwise change state after we looked at it and before we got +the mutex. Fix that. + +Fixes: 5c89e7bc557e ("iwlwifi: mvm: add registration to cooling device") +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/intel/iwlwifi/mvm/tt.c ++++ b/drivers/net/wireless/intel/iwlwifi/mvm/tt.c +@@ -790,11 +790,13 @@ static int iwl_mvm_tcool_set_cur_state(s + struct iwl_mvm *mvm = (struct iwl_mvm *)(cdev->devdata); + int ret; + +- if (!mvm->ucode_loaded || !(mvm->cur_ucode == IWL_UCODE_REGULAR)) +- return -EIO; +- + mutex_lock(&mvm->mutex); + ++ if (!mvm->ucode_loaded || !(mvm->cur_ucode == IWL_UCODE_REGULAR)) { ++ ret = -EIO; ++ goto unlock; ++ } ++ + if (new_state >= ARRAY_SIZE(iwl_mvm_cdev_budgets)) { + ret = -EINVAL; + goto unlock; diff --git a/queue-4.9/kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch b/queue-4.9/kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch new file mode 100644 index 00000000000..4097c10b31f --- /dev/null +++ b/queue-4.9/kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: James Morse +Date: Tue, 25 Apr 2017 18:02:44 +0100 +Subject: KVM: arm: Restore banked registers and physical timer access on hyp_panic() + +From: James Morse + + +[ Upstream commit d2e19368848ce6065daa785efca26faed54732b6 ] + +When KVM panics, it hurridly restores the host context and parachutes +into the host's panic() code. This looks like it was copied from arm64, +the 32bit KVM panic code needs to restore the host's banked registers +too. + +At some point panic() touches the physical timer/counter, this will +trap back to HYP. If we're lucky, we panic again. + +Add a __timer_save_state() call to KVMs hyp_panic() path, this saves the +guest registers and disables the traps for the host. + +Fixes: c36b6db5f3e4 ("ARM: KVM: Add panic handling code") +Signed-off-by: James Morse +Reviewed-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kvm/hyp/switch.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/kvm/hyp/switch.c ++++ b/arch/arm/kvm/hyp/switch.c +@@ -237,8 +237,10 @@ void __hyp_text __noreturn __hyp_panic(i + + vcpu = (struct kvm_vcpu *)read_sysreg(HTPIDR); + host_ctxt = kern_hyp_va(vcpu->arch.host_cpu_context); ++ __timer_save_state(vcpu); + __deactivate_traps(vcpu); + __deactivate_vm(vcpu); ++ __banked_restore_state(host_ctxt); + __sysreg_restore_state(host_ctxt); + } + diff --git a/queue-4.9/kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch b/queue-4.9/kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch new file mode 100644 index 00000000000..2808d1899d0 --- /dev/null +++ b/queue-4.9/kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: James Morse +Date: Tue, 25 Apr 2017 18:02:45 +0100 +Subject: KVM: arm64: Restore host physical timer access on hyp_panic() + +From: James Morse + + +[ Upstream commit e8ec032b182cd4841605de4fc297a8edffe55972 ] + +When KVM panics, it hurridly restores the host context and parachutes +into the host's panic() code. At some point panic() touches the physical +timer/counter. Unless we are an arm64 system with VHE, this traps back +to EL2. If we're lucky, we panic again. + +Add a __timer_save_state() call to KVMs hyp_panic() path, this saves the +guest registers and disables the traps for the host. + +Fixes: 53fd5b6487e4 ("arm64: KVM: Add panic handling") +Signed-off-by: James Morse +Reviewed-by: Marc Zyngier +Reviewed-by: Christoffer Dall +Signed-off-by: Christoffer Dall +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kvm/hyp/switch.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm64/kvm/hyp/switch.c ++++ b/arch/arm64/kvm/hyp/switch.c +@@ -404,6 +404,7 @@ void __hyp_text __noreturn __hyp_panic(v + + vcpu = (struct kvm_vcpu *)read_sysreg(tpidr_el2); + host_ctxt = kern_hyp_va(vcpu->arch.host_cpu_context); ++ __timer_save_state(vcpu); + __deactivate_traps(vcpu); + __deactivate_vm(vcpu); + __sysreg_restore_host_state(host_ctxt); diff --git a/queue-4.9/kvm-nvmx-fix-handling-of-lmsw-instruction.patch b/queue-4.9/kvm-nvmx-fix-handling-of-lmsw-instruction.patch new file mode 100644 index 00000000000..8daeda7e546 --- /dev/null +++ b/queue-4.9/kvm-nvmx-fix-handling-of-lmsw-instruction.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Jan H. Schönherr" +Date: Sat, 20 May 2017 13:22:56 +0200 +Subject: KVM: nVMX: Fix handling of lmsw instruction + +From: "Jan H. Schönherr" + + +[ Upstream commit e1d39b17e044e8ae819827810d87d809ba5f58c0 ] + +The decision whether or not to exit from L2 to L1 on an lmsw instruction is +based on bogus values: instead of using the information encoded within the +exit qualification, it uses the data also used for the mov-to-cr +instruction, which boils down to using whatever is in %eax at that point. + +Use the correct values instead. + +Without this fix, an L1 may not get notified when a 32-bit Linux L2 +switches its secondary CPUs to protected mode; the L1 is only notified on +the next modification of CR0. This short time window poses a problem, when +there is some other reason to exit to L1 in between. Then, L2 will be +resumed in real mode and chaos ensues. + +Signed-off-by: Jan H. Schönherr +Reviewed-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7924,11 +7924,13 @@ static bool nested_vmx_exit_handled_cr(s + { + unsigned long exit_qualification = vmcs_readl(EXIT_QUALIFICATION); + int cr = exit_qualification & 15; +- int reg = (exit_qualification >> 8) & 15; +- unsigned long val = kvm_register_readl(vcpu, reg); ++ int reg; ++ unsigned long val; + + switch ((exit_qualification >> 4) & 3) { + case 0: /* mov to cr */ ++ reg = (exit_qualification >> 8) & 15; ++ val = kvm_register_readl(vcpu, reg); + switch (cr) { + case 0: + if (vmcs12->cr0_guest_host_mask & +@@ -7983,6 +7985,7 @@ static bool nested_vmx_exit_handled_cr(s + * lmsw can change bits 1..3 of cr0, and only set bit 0 of + * cr0. Other attempted changes are ignored, with no exit. + */ ++ val = (exit_qualification >> LMSW_SOURCE_DATA_SHIFT) & 0x0f; + if (vmcs12->cr0_guest_host_mask & 0xe & + (val ^ vmcs12->cr0_read_shadow)) + return true; diff --git a/queue-4.9/kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch b/queue-4.9/kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch new file mode 100644 index 00000000000..2e6589aa59f --- /dev/null +++ b/queue-4.9/kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jim Mattson +Date: Thu, 1 Jun 2017 12:44:46 -0700 +Subject: KVM: nVMX: Update vmcs12->guest_linear_address on nested VM-exit + +From: Jim Mattson + + +[ Upstream commit d281e13b0bfe745a21061a194e386a949784393f ] + +The guest-linear address field is set for VM exits due to attempts to +execute LMSW with a memory operand and VM exits due to attempts to +execute INS or OUTS for which the relevant segment is usable, +regardless of whether or not EPT is in use. + +Fixes: 119a9c01a5922 ("KVM: nVMX: pass valid guest linear-address to the L1") +Signed-off-by: Jim Mattson +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/vmx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10664,8 +10664,7 @@ static void prepare_vmcs12(struct kvm_vc + vmcs12->guest_pdptr3 = vmcs_read64(GUEST_PDPTR3); + } + +- if (nested_cpu_has_ept(vmcs12)) +- vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS); ++ vmcs12->guest_linear_address = vmcs_readl(GUEST_LINEAR_ADDRESS); + + if (nested_cpu_has_vid(vmcs12)) + vmcs12->guest_intr_status = vmcs_read16(GUEST_INTR_STATUS); diff --git a/queue-4.9/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch b/queue-4.9/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch new file mode 100644 index 00000000000..61939e21b97 --- /dev/null +++ b/queue-4.9/kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch @@ -0,0 +1,138 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Paul Mackerras +Date: Thu, 11 May 2017 11:33:30 +1000 +Subject: KVM: PPC: Book3S PR: Check copy_to/from_user return values + +From: Paul Mackerras + + +[ Upstream commit 67325e988faea735d663799b6d152b5f4254093c ] + +The PR KVM implementation of the PAPR HPT hypercalls (H_ENTER etc.) +access an image of the HPT in userspace memory using copy_from_user +and copy_to_user. Recently, the declarations of those functions were +annotated to indicate that the return value must be checked. Since +this code doesn't currently check the return value, this causes +compile warnings like the ones shown below, and since on PPC the +default is to compile arch/powerpc with -Werror, this causes the +build to fail. + +To fix this, we check the return values, and if non-zero, fail the +hypercall being processed with a H_FUNCTION error return value. +There is really no good error return value to use since PAPR didn't +envisage the possibility that the hypervisor may not be able to access +the guest's HPT, and H_FUNCTION (function not supported) seems as +good as any. + +The typical compile warnings look like this: + + CC arch/powerpc/kvm/book3s_pr_papr.o +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c: In function ‘kvmppc_h_pr_enter’: +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:53:2: error: ignoring return value of ‘copy_from_user’, declared with attribute warn_unused_result [-Werror=unused-result] + copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)); + ^ +/home/paulus/kernel/kvm/arch/powerpc/kvm/book3s_pr_papr.c:74:2: error: ignoring return value of ‘copy_to_user’, declared with attribute warn_unused_result [-Werror=unused-result] + copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE); + ^ + +... etc. + +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_pr_papr.c | 34 ++++++++++++++++++++++++++-------- + 1 file changed, 26 insertions(+), 8 deletions(-) + +--- a/arch/powerpc/kvm/book3s_pr_papr.c ++++ b/arch/powerpc/kvm/book3s_pr_papr.c +@@ -50,7 +50,9 @@ static int kvmppc_h_pr_enter(struct kvm_ + pteg_addr = get_pteg_addr(vcpu, pte_index); + + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pteg, (void __user *)pteg_addr, sizeof(pteg))) ++ goto done; + hpte = pteg; + + ret = H_PTEG_FULL; +@@ -71,7 +73,9 @@ static int kvmppc_h_pr_enter(struct kvm_ + hpte[0] = cpu_to_be64(kvmppc_get_gpr(vcpu, 6)); + hpte[1] = cpu_to_be64(kvmppc_get_gpr(vcpu, 7)); + pteg_addr += i * HPTE_SIZE; +- copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg_addr, hpte, HPTE_SIZE)) ++ goto done; + kvmppc_set_gpr(vcpu, 4, pte_index | i); + ret = H_SUCCESS; + +@@ -93,7 +97,9 @@ static int kvmppc_h_pr_remove(struct kvm + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -103,7 +109,9 @@ static int kvmppc_h_pr_remove(struct kvm + ((flags & H_ANDCOND) && (pte[0] & avpn) != 0)) + goto done; + +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) ++ goto done; + + rb = compute_tlbie_rb(pte[0], pte[1], pte_index); + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false); +@@ -171,7 +179,10 @@ static int kvmppc_h_pr_bulk_remove(struc + } + + pteg = get_pteg_addr(vcpu, tsh & H_BULK_REMOVE_PTEX); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) { ++ ret = H_FUNCTION; ++ break; ++ } + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -184,7 +195,10 @@ static int kvmppc_h_pr_bulk_remove(struc + tsh |= H_BULK_REMOVE_NOT_FOUND; + } else { + /* Splat the pteg in (userland) hpt */ +- copy_to_user((void __user *)pteg, &v, sizeof(v)); ++ if (copy_to_user((void __user *)pteg, &v, sizeof(v))) { ++ ret = H_FUNCTION; ++ break; ++ } + + rb = compute_tlbie_rb(pte[0], pte[1], + tsh & H_BULK_REMOVE_PTEX); +@@ -211,7 +225,9 @@ static int kvmppc_h_pr_protect(struct kv + + pteg = get_pteg_addr(vcpu, pte_index); + mutex_lock(&vcpu->kvm->arch.hpt_mutex); +- copy_from_user(pte, (void __user *)pteg, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_from_user(pte, (void __user *)pteg, sizeof(pte))) ++ goto done; + pte[0] = be64_to_cpu((__force __be64)pte[0]); + pte[1] = be64_to_cpu((__force __be64)pte[1]); + +@@ -234,7 +250,9 @@ static int kvmppc_h_pr_protect(struct kv + vcpu->arch.mmu.tlbie(vcpu, rb, rb & 1 ? true : false); + pte[0] = (__force u64)cpu_to_be64(pte[0]); + pte[1] = (__force u64)cpu_to_be64(pte[1]); +- copy_to_user((void __user *)pteg, pte, sizeof(pte)); ++ ret = H_FUNCTION; ++ if (copy_to_user((void __user *)pteg, pte, sizeof(pte))) ++ goto done; + ret = H_SUCCESS; + + done: diff --git a/queue-4.9/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch b/queue-4.9/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch new file mode 100644 index 00000000000..548a68d0207 --- /dev/null +++ b/queue-4.9/kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Roman Pen +Date: Thu, 1 Jun 2017 10:55:03 +0200 +Subject: KVM: SVM: do not zero out segment attributes if segment is unusable or not present + +From: Roman Pen + + +[ Upstream commit d9c1b5431d5f0e07575db785a022bce91051ac1d ] + +This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt +was taken on userspace stack. The root cause lies in the specific AMD CPU +behaviour which manifests itself as unusable segment attributes on SYSRET. +The corresponding work around for the kernel is the following: + +61f01dd941ba ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue") + +In other turn virtualization side treated unusable segment incorrectly and +restored CPL from SS attributes, which were zeroed out few lines above. + +In current patch it is assured only that P bit is cleared in VMCB.save state +and segment attributes are not zeroed out if segment is not presented or is +unusable, therefore CPL can be safely restored from DPL field. + +This is only one part of the fix, since QEMU side should be fixed accordingly +not to zero out attributes on its side. Corresponding patch will follow. + +[1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com + +Signed-off-by: Roman Pen +Signed-off-by: Mikhail Sennikovskii +Cc: Paolo Bonzini +Cc: Radim KrÄmář +Cc: kvm@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -1879,6 +1879,7 @@ static void svm_get_segment(struct kvm_v + */ + if (var->unusable) + var->db = 0; ++ /* This is symmetric with svm_set_segment() */ + var->dpl = to_svm(vcpu)->vmcb->save.cpl; + break; + } +@@ -2024,18 +2025,14 @@ static void svm_set_segment(struct kvm_v + s->base = var->base; + s->limit = var->limit; + s->selector = var->selector; +- if (var->unusable) +- s->attrib = 0; +- else { +- s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); +- s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; +- s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; +- s->attrib |= (var->present & 1) << SVM_SELECTOR_P_SHIFT; +- s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; +- s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; +- s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; +- s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; +- } ++ s->attrib = (var->type & SVM_SELECTOR_TYPE_MASK); ++ s->attrib |= (var->s & 1) << SVM_SELECTOR_S_SHIFT; ++ s->attrib |= (var->dpl & 3) << SVM_SELECTOR_DPL_SHIFT; ++ s->attrib |= ((var->present & 1) && !var->unusable) << SVM_SELECTOR_P_SHIFT; ++ s->attrib |= (var->avl & 1) << SVM_SELECTOR_AVL_SHIFT; ++ s->attrib |= (var->l & 1) << SVM_SELECTOR_L_SHIFT; ++ s->attrib |= (var->db & 1) << SVM_SELECTOR_DB_SHIFT; ++ s->attrib |= (var->g & 1) << SVM_SELECTOR_G_SHIFT; + + /* + * This is always accurate, except if SYSRET returned to a segment +@@ -2044,7 +2041,8 @@ static void svm_set_segment(struct kvm_v + * would entail passing the CPL to userspace and back. + */ + if (seg == VCPU_SREG_SS) +- svm->vmcb->save.cpl = (s->attrib >> SVM_SELECTOR_DPL_SHIFT) & 3; ++ /* This is symmetric with svm_get_segment() */ ++ svm->vmcb->save.cpl = (var->dpl & 3); + + mark_dirty(svm->vmcb, VMCB_SEG); + } diff --git a/queue-4.9/kvm-x86-fix-preempt-the-preemption-timer-cancel.patch b/queue-4.9/kvm-x86-fix-preempt-the-preemption-timer-cancel.patch new file mode 100644 index 00000000000..9a3c00afdf6 --- /dev/null +++ b/queue-4.9/kvm-x86-fix-preempt-the-preemption-timer-cancel.patch @@ -0,0 +1,88 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Wanpeng Li +Date: Sat, 20 May 2017 20:32:32 -0700 +Subject: KVM: X86: Fix preempt the preemption timer cancel + +From: Wanpeng Li + + +[ Upstream commit 5acc1ca4fb15f00bfa3d4046e35ca381bc25d580 ] + +Preemption can occur during cancel preemption timer, and there will be +inconsistent status in lapic, vmx and vmcs field. + + CPU0 CPU1 + + preemption timer vmexit + handle_preemption_timer(vCPU0) + kvm_lapic_expired_hv_timer + vmx_cancel_hv_timer + vmx->hv_deadline_tsc = -1 + vmcs_clear_bits + /* hv_timer_in_use still true */ + sched_out + sched_in + kvm_arch_vcpu_load + vmx_set_hv_timer + write vmx->hv_deadline_tsc + vmcs_set_bits + /* back in kvm_lapic_expired_hv_timer */ + hv_timer_in_use = false + ... + vmx_vcpu_run + vmx_arm_hv_run + write preemption timer deadline + spurious preemption timer vmexit + handle_preemption_timer(vCPU0) + kvm_lapic_expired_hv_timer + WARN_ON(!apic->lapic_timer.hv_timer_in_use); + +This can be reproduced sporadically during boot of L2 on a +preemptible L1, causing a splat on L1. + + WARNING: CPU: 3 PID: 1952 at arch/x86/kvm/lapic.c:1529 kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm] + CPU: 3 PID: 1952 Comm: qemu-system-x86 Not tainted 4.12.0-rc1+ #24 RIP: 0010:kvm_lapic_expired_hv_timer+0xb5/0xd0 [kvm] + Call Trace: + handle_preemption_timer+0xe/0x20 [kvm_intel] + vmx_handle_exit+0xc9/0x15f0 [kvm_intel] + ? lock_acquire+0xdb/0x250 + ? lock_acquire+0xdb/0x250 + ? kvm_arch_vcpu_ioctl_run+0xdf3/0x1ce0 [kvm] + kvm_arch_vcpu_ioctl_run+0xe55/0x1ce0 [kvm] + kvm_vcpu_ioctl+0x384/0x7b0 [kvm] + ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm] + ? __fget+0xf3/0x210 + do_vfs_ioctl+0xa4/0x700 + ? __fget+0x114/0x210 + SyS_ioctl+0x79/0x90 + do_syscall_64+0x8f/0x750 + ? trace_hardirqs_on_thunk+0x1a/0x1c + entry_SYSCALL64_slow_path+0x25/0x25 + +This patch fixes it by disabling preemption while cancelling +preemption timer. This way cancel_hv_timer is atomic with +respect to kvm_arch_vcpu_load. + +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/lapic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1363,8 +1363,10 @@ EXPORT_SYMBOL_GPL(kvm_lapic_hv_timer_in_ + + static void cancel_hv_tscdeadline(struct kvm_lapic *apic) + { ++ preempt_disable(); + kvm_x86_ops->cancel_hv_timer(apic->vcpu); + apic->lapic_timer.hv_timer_in_use = false; ++ preempt_enable(); + } + + void kvm_lapic_expired_hv_timer(struct kvm_vcpu *vcpu) diff --git a/queue-4.9/l2tp-fix-missing-print-session-offset-info.patch b/queue-4.9/l2tp-fix-missing-print-session-offset-info.patch new file mode 100644 index 00000000000..4bf2660e6fe --- /dev/null +++ b/queue-4.9/l2tp-fix-missing-print-session-offset-info.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hangbin Liu +Date: Fri, 22 Dec 2017 15:10:17 +0100 +Subject: l2tp: fix missing print session offset info + +From: Hangbin Liu + + +[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ] + +Report offset parameter in L2TP_CMD_SESSION_GET command if +it has been configured by userspace + +Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP") +Reported-by: Jianlin Shi +Signed-off-by: Hangbin Liu +Signed-off-by: Lorenzo Bianconi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/l2tp/l2tp_netlink.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/l2tp/l2tp_netlink.c ++++ b/net/l2tp/l2tp_netlink.c +@@ -750,6 +750,8 @@ static int l2tp_nl_session_send(struct s + + if ((session->ifname[0] && + nla_put_string(skb, L2TP_ATTR_IFNAME, session->ifname)) || ++ (session->offset && ++ nla_put_u16(skb, L2TP_ATTR_OFFSET, session->offset)) || + (session->cookie_len && + nla_put(skb, L2TP_ATTR_COOKIE, session->cookie_len, + &session->cookie[0])) || diff --git a/queue-4.9/leds-pca955x-correct-i2c-functionality.patch b/queue-4.9/leds-pca955x-correct-i2c-functionality.patch new file mode 100644 index 00000000000..69ae9ed905d --- /dev/null +++ b/queue-4.9/leds-pca955x-correct-i2c-functionality.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tin Huynh +Date: Mon, 22 May 2017 16:19:20 +0700 +Subject: leds: pca955x: Correct I2C Functionality + +From: Tin Huynh + + +[ Upstream commit aace34c0bb8ea3c8bdcec865b6a4be4db0a68e33 ] + +The driver checks an incorrect flag of functionality of adapter. +When a driver requires i2c_smbus_read_byte_data and +i2c_smbus_write_byte_data, it should check I2C_FUNC_SMBUS_BYTE_DATA +instead I2C_FUNC_I2C. +This patch fixes the problem. + +Signed-off-by: Tin Huynh +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/leds/leds-pca955x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/leds/leds-pca955x.c ++++ b/drivers/leds/leds-pca955x.c +@@ -266,7 +266,7 @@ static int pca955x_probe(struct i2c_clie + "slave address 0x%02x\n", + id->name, chip->bits, client->addr); + +- if (!i2c_check_functionality(adapter, I2C_FUNC_I2C)) ++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA)) + return -EIO; + + if (pdata) { diff --git a/queue-4.9/libceph-null-deref-on-crush_decode-error-path.patch b/queue-4.9/libceph-null-deref-on-crush_decode-error-path.patch new file mode 100644 index 00000000000..365b720ad6a --- /dev/null +++ b/queue-4.9/libceph-null-deref-on-crush_decode-error-path.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Tue, 23 May 2017 17:25:10 +0300 +Subject: libceph: NULL deref on crush_decode() error path + +From: Dan Carpenter + + +[ Upstream commit 293dffaad8d500e1a5336eeb90d544cf40d4fbd8 ] + +If there is not enough space then ceph_decode_32_safe() does a goto bad. +We need to return an error code in that situation. The current code +returns ERR_PTR(0) which is NULL. The callers are not expecting that +and it results in a NULL dereference. + +Fixes: f24e9980eb86 ("ceph: OSD client") +Signed-off-by: Dan Carpenter +Reviewed-by: Ilya Dryomov +Signed-off-by: Ilya Dryomov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ceph/osdmap.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ceph/osdmap.c ++++ b/net/ceph/osdmap.c +@@ -295,6 +295,7 @@ static struct crush_map *crush_decode(vo + u32 yes; + struct crush_rule *r; + ++ err = -EINVAL; + ceph_decode_32_safe(p, end, yes, bad); + if (!yes) { + dout("crush_decode NO rule %d off %x %p to %p\n", diff --git a/queue-4.9/lockd-fix-lockd-shutdown-race.patch b/queue-4.9/lockd-fix-lockd-shutdown-race.patch new file mode 100644 index 00000000000..3ccbb49f75c --- /dev/null +++ b/queue-4.9/lockd-fix-lockd-shutdown-race.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "J. Bruce Fields" +Date: Tue, 28 Mar 2017 21:25:08 -0400 +Subject: lockd: fix lockd shutdown race + +From: "J. Bruce Fields" + + +[ Upstream commit efda760fe95ea15291853c8fa9235c32d319cd98 ] + +As reported by David Jeffery: "a signal was sent to lockd while lockd +was shutting down from a request to stop nfs. The signal causes lockd +to call restart_grace() which puts the lockd_net structure on the grace +list. If this signal is received at the wrong time, it will occur after +lockd_down_net() has called locks_end_grace() but before +lockd_down_net() stops the lockd thread. This leads to lockd putting +the lockd_net structure back on the grace list, then exiting without +anything removing it from the list." + +So, perform the final locks_end_grace() from the the lockd thread; this +ensures it's serialized with respect to restart_grace(). + +Reported-by: David Jeffery +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/lockd/svc.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/lockd/svc.c ++++ b/fs/lockd/svc.c +@@ -132,6 +132,8 @@ lockd(void *vrqstp) + { + int err = 0; + struct svc_rqst *rqstp = vrqstp; ++ struct net *net = &init_net; ++ struct lockd_net *ln = net_generic(net, lockd_net_id); + + /* try_to_freeze() is called from svc_recv() */ + set_freezable(); +@@ -176,6 +178,8 @@ lockd(void *vrqstp) + if (nlmsvc_ops) + nlmsvc_invalidate_all(); + nlm_shutdown_hosts(); ++ cancel_delayed_work_sync(&ln->grace_period_end); ++ locks_end_grace(&ln->lockd_manager); + return 0; + } + +@@ -270,8 +274,6 @@ static void lockd_down_net(struct svc_se + if (ln->nlmsvc_users) { + if (--ln->nlmsvc_users == 0) { + nlm_shutdown_hosts_net(net); +- cancel_delayed_work_sync(&ln->grace_period_end); +- locks_end_grace(&ln->lockd_manager); + svc_shutdown_net(serv, net); + dprintk("lockd_down_net: per-net data destroyed; net=%p\n", net); + } diff --git a/queue-4.9/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch b/queue-4.9/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch new file mode 100644 index 00000000000..3ea9f58710c --- /dev/null +++ b/queue-4.9/mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Luca Coelho +Date: Tue, 2 May 2017 17:56:21 +0300 +Subject: mac80211: bail out from prep_connection() if a reconfig is ongoing + +From: Luca Coelho + + +[ Upstream commit f8860ce836f2d502b07ef99559707fe55d90f5bc ] + +If ieee80211_hw_restart() is called during authentication, the +authentication process will continue, causing the driver to be called +in a wrong state. This ultimately causes an oops in the iwlwifi +driver (at least). + +This fixes bugzilla 195299 partly. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195299 +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4332,6 +4332,10 @@ static int ieee80211_prep_connection(str + if (WARN_ON(!ifmgd->auth_data && !ifmgd->assoc_data)) + return -EINVAL; + ++ /* If a reconfig is happening, bail out */ ++ if (local->in_reconfig) ++ return -EBUSY; ++ + if (assoc) { + rcu_read_lock(); + have_sta = sta_info_get(sdata, cbss->bssid); diff --git a/queue-4.9/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch b/queue-4.9/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch new file mode 100644 index 00000000000..c1c75dd10b0 --- /dev/null +++ b/queue-4.9/mac80211-fix-setting-tx-power-on-monitor-interfaces.patch @@ -0,0 +1,123 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Peter Große" +Date: Wed, 13 Dec 2017 18:29:46 +0100 +Subject: mac80211: Fix setting TX power on monitor interfaces + +From: "Peter Große" + + +[ Upstream commit 3a3713ec360138f806c6fc368d1de570f692b347 ] + +Instead of calling ieee80211_recalc_txpower on monitor interfaces +directly, call it using the virtual monitor interface, if one exists. + +In case of a single monitor interface given, reject setting TX power, +if no virtual monitor interface exists. + +That being checked, don't warn in ieee80211_bss_info_change_notify, +after setting TX power on a monitor interface. + +Fixes warning: +------------[ cut here ]------------ + WARNING: CPU: 0 PID: 2193 at net/mac80211/driver-ops.h:167 + ieee80211_bss_info_change_notify+0x111/0x190 Modules linked in: uvcvideo + videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core +rndis_host cdc_ether usbnet mii tp_smapi(O) thinkpad_ec(O) ohci_hcd vboxpci(O) + vboxnetadp(O) vboxnetflt(O) v boxdrv(O) x86_pkg_temp_thermal kvm_intel kvm + irqbypass iwldvm iwlwifi ehci_pci ehci_hcd tpm_tis tpm_tis_core tpm CPU: 0 + PID: 2193 Comm: iw Tainted: G O 4.12.12-gentoo #2 task: + ffff880186fd5cc0 task.stack: ffffc90001b54000 RIP: + 0010:ieee80211_bss_info_change_notify+0x111/0x190 RSP: 0018:ffffc90001b57a10 + EFLAGS: 00010246 RAX: 0000000000000006 RBX: ffff8801052ce840 RCX: + 0000000000000064 RDX: 00000000fffffffc RSI: 0000000000040000 RDI: + ffff8801052ce840 RBP: ffffc90001b57a38 R08: 0000000000000062 R09: + 0000000000000000 R10: ffff8802144b5000 R11: ffff880049dc4614 R12: + 0000000000040000 R13: 0000000000000064 R14: ffff8802105f0760 R15: + ffffc90001b57b48 FS: 00007f92644b4580(0000) GS:ffff88021e200000(0000) + knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00007f9263c109f0 CR3: 00000001df850000 CR4: 00000000000406f0 + Call Trace: + ieee80211_recalc_txpower+0x33/0x40 + ieee80211_set_tx_power+0x40/0x180 + nl80211_set_wiphy+0x32e/0x950 + +Reported-by: Peter Große +Signed-off-by: Peter Große + +Signed-off-by: Johannes Berg + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 28 +++++++++++++++++++++++++++- + net/mac80211/driver-ops.h | 3 ++- + 2 files changed, 29 insertions(+), 2 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2341,10 +2341,17 @@ static int ieee80211_set_tx_power(struct + struct ieee80211_sub_if_data *sdata; + enum nl80211_tx_power_setting txp_type = type; + bool update_txp_type = false; ++ bool has_monitor = false; + + if (wdev) { + sdata = IEEE80211_WDEV_TO_SUB_IF(wdev); + ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) { ++ sdata = rtnl_dereference(local->monitor_sdata); ++ if (!sdata) ++ return -EOPNOTSUPP; ++ } ++ + switch (type) { + case NL80211_TX_POWER_AUTOMATIC: + sdata->user_power_level = IEEE80211_UNSET_POWER_LEVEL; +@@ -2383,15 +2390,34 @@ static int ieee80211_set_tx_power(struct + + mutex_lock(&local->iflist_mtx); + list_for_each_entry(sdata, &local->interfaces, list) { ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) { ++ has_monitor = true; ++ continue; ++ } + sdata->user_power_level = local->user_power_level; + if (txp_type != sdata->vif.bss_conf.txpower_type) + update_txp_type = true; + sdata->vif.bss_conf.txpower_type = txp_type; + } +- list_for_each_entry(sdata, &local->interfaces, list) ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR) ++ continue; + ieee80211_recalc_txpower(sdata, update_txp_type); ++ } + mutex_unlock(&local->iflist_mtx); + ++ if (has_monitor) { ++ sdata = rtnl_dereference(local->monitor_sdata); ++ if (sdata) { ++ sdata->user_power_level = local->user_power_level; ++ if (txp_type != sdata->vif.bss_conf.txpower_type) ++ update_txp_type = true; ++ sdata->vif.bss_conf.txpower_type = txp_type; ++ ++ ieee80211_recalc_txpower(sdata, update_txp_type); ++ } ++ } ++ + return 0; + } + +--- a/net/mac80211/driver-ops.h ++++ b/net/mac80211/driver-ops.h +@@ -164,7 +164,8 @@ static inline void drv_bss_info_changed( + if (WARN_ON_ONCE(sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE || + sdata->vif.type == NL80211_IFTYPE_NAN || + (sdata->vif.type == NL80211_IFTYPE_MONITOR && +- !sdata->vif.mu_mimo_owner))) ++ !sdata->vif.mu_mimo_owner && ++ !(changed & BSS_CHANGED_TXPOWER)))) + return; + + if (!check_sdata_in_driver(sdata)) diff --git a/queue-4.9/macsec-check-return-value-of-skb_to_sgvec-always.patch b/queue-4.9/macsec-check-return-value-of-skb_to_sgvec-always.patch new file mode 100644 index 00000000000..74a5097d9e3 --- /dev/null +++ b/queue-4.9/macsec-check-return-value-of-skb_to_sgvec-always.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:25 +0200 +Subject: macsec: check return value of skb_to_sgvec always + +From: "Jason A. Donenfeld" + + +[ Upstream commit cda7ea6903502af34015000e16be290a79f07638 ] + +Signed-off-by: Jason A. Donenfeld +Cc: Sabrina Dubroca +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/macsec.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/net/macsec.c ++++ b/drivers/net/macsec.c +@@ -742,7 +742,12 @@ static struct sk_buff *macsec_encrypt(st + macsec_fill_iv(iv, secy->sci, pn); + + sg_init_table(sg, ret); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ ret = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(ret < 0)) { ++ macsec_txsa_put(tx_sa); ++ kfree_skb(skb); ++ return ERR_PTR(ret); ++ } + + if (tx_sc->encrypt) { + int len = skb->len - macsec_hdr_len(sci_present) - +@@ -949,7 +954,11 @@ static struct sk_buff *macsec_decrypt(st + macsec_fill_iv(iv, sci, ntohl(hdr->packet_number)); + + sg_init_table(sg, ret); +- skb_to_sgvec(skb, sg, 0, skb->len); ++ ret = skb_to_sgvec(skb, sg, 0, skb->len); ++ if (unlikely(ret < 0)) { ++ kfree_skb(skb); ++ return ERR_PTR(ret); ++ } + + if (hdr->tci_an & MACSEC_TCI_E) { + /* confidentiality: ethernet + macsec header diff --git a/queue-4.9/mceusb-sporadic-rx-truncation-corruption-fix.patch b/queue-4.9/mceusb-sporadic-rx-truncation-corruption-fix.patch new file mode 100644 index 00000000000..7c656ab4336 --- /dev/null +++ b/queue-4.9/mceusb-sporadic-rx-truncation-corruption-fix.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: A Sun +Date: Sun, 26 Mar 2017 15:33:07 -0300 +Subject: [media] mceusb: sporadic RX truncation corruption fix + +From: A Sun + + +[ Upstream commit 8e175b22e8640bf3a58e071af54190b909e4a944 ] + +Intermittent RX truncation and loss of IR received data. This resulted +in receive stream synchronization errors where driver attempted to +incorrectly parse IR data (eg 0x90 below) as command response. + +[ 3969.139898] mceusb 1-1.2:1.0: processed IR data +[ 3969.151315] mceusb 1-1.2:1.0: rx data: 00 90 (length=2) +[ 3969.151321] mceusb 1-1.2:1.0: Unknown command 0x00 0x90 +[ 3969.151336] mceusb 1-1.2:1.0: rx data: 98 0a 8d 0a 8e 0a 8e 0a 8e 0a 8e 0a 9a 0a 8e 0a 0b 3a 8e 00 80 41 59 00 00 (length=25) +[ 3969.151341] mceusb 1-1.2:1.0: Raw IR data, 24 pulse/space samples +[ 3969.151348] mceusb 1-1.2:1.0: Storing space with duration 500000 + +Bug trigger appears to be normal, but heavy, IR receiver use. + +Signed-off-by: A Sun +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1381,8 +1381,13 @@ static int mceusb_dev_probe(struct usb_i + goto rc_dev_fail; + + /* wire up inbound data handler */ +- usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, +- mceusb_dev_recv, ir, ep_in->bInterval); ++ if (usb_endpoint_xfer_int(ep_in)) ++ usb_fill_int_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir, ep_in->bInterval); ++ else ++ usb_fill_bulk_urb(ir->urb_in, dev, pipe, ir->buf_in, maxp, ++ mceusb_dev_recv, ir); ++ + ir->urb_in->transfer_dma = ir->dma_in; + ir->urb_in->transfer_flags |= URB_NO_TRANSFER_DMA_MAP; + diff --git a/queue-4.9/md-cluster-fix-potential-lock-issue-in-add_new_disk.patch b/queue-4.9/md-cluster-fix-potential-lock-issue-in-add_new_disk.patch new file mode 100644 index 00000000000..f00830259d0 --- /dev/null +++ b/queue-4.9/md-cluster-fix-potential-lock-issue-in-add_new_disk.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Guoqing Jiang +Date: Tue, 16 May 2017 14:01:25 +0800 +Subject: md-cluster: fix potential lock issue in add_new_disk + +From: Guoqing Jiang + + +[ Upstream commit 2dffdc0724004f38f5e39907747b53e4b0d80e59 ] + +The add_new_disk returns with communication locked if +__sendmsg returns failure, fix it with call unlock_comm +before return. + +Reported-by: Dan Carpenter +CC: Goldwyn Rodrigues +Signed-off-by: Guoqing Jiang +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-cluster.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -1122,8 +1122,10 @@ static int add_new_disk(struct mddev *md + cmsg.raid_slot = cpu_to_le32(rdev->desc_nr); + lock_comm(cinfo); + ret = __sendmsg(cinfo, &cmsg); +- if (ret) ++ if (ret) { ++ unlock_comm(cinfo); + return ret; ++ } + cinfo->no_new_dev_lockres->flags |= DLM_LKF_NOQUEUE; + ret = dlm_lock_sync(cinfo->no_new_dev_lockres, DLM_LOCK_EX); + cinfo->no_new_dev_lockres->flags &= ~DLM_LKF_NOQUEUE; diff --git a/queue-4.9/md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch b/queue-4.9/md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch new file mode 100644 index 00000000000..bb435c1a1cc --- /dev/null +++ b/queue-4.9/md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch @@ -0,0 +1,90 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Julia Cartwright +Date: Fri, 28 Apr 2017 12:41:02 -0500 +Subject: md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock + +From: Julia Cartwright + + +[ Upstream commit 3d05f3aed5d721c2c77d20288c29ab26c6193ed5 ] + +On mainline, there is no functional difference, just less code, and +symmetric lock/unlock paths. + +On PREEMPT_RT builds, this fixes the following warning, seen by +Alexander GQ Gerasiov, due to the sleeping nature of spinlocks. + + BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:993 + in_atomic(): 0, irqs_disabled(): 1, pid: 58, name: kworker/u12:1 + CPU: 5 PID: 58 Comm: kworker/u12:1 Tainted: G W 4.9.20-rt16-stand6-686 #1 + Hardware name: Supermicro SYS-5027R-WRF/X9SRW-F, BIOS 3.2a 10/28/2015 + Workqueue: writeback wb_workfn (flush-253:0) + Call Trace: + dump_stack+0x47/0x68 + ? migrate_enable+0x4a/0xf0 + ___might_sleep+0x101/0x180 + rt_spin_lock+0x17/0x40 + add_stripe_bio+0x4e3/0x6c0 [raid456] + ? preempt_count_add+0x42/0xb0 + raid5_make_request+0x737/0xdd0 [raid456] + +Reported-by: Alexander GQ Gerasiov +Tested-by: Alexander GQ Gerasiov +Signed-off-by: Julia Cartwright +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid5.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -110,8 +110,7 @@ static inline void unlock_device_hash_lo + static inline void lock_all_device_hash_locks_irq(struct r5conf *conf) + { + int i; +- local_irq_disable(); +- spin_lock(conf->hash_locks); ++ spin_lock_irq(conf->hash_locks); + for (i = 1; i < NR_STRIPE_HASH_LOCKS; i++) + spin_lock_nest_lock(conf->hash_locks + i, conf->hash_locks); + spin_lock(&conf->device_lock); +@@ -121,9 +120,9 @@ static inline void unlock_all_device_has + { + int i; + spin_unlock(&conf->device_lock); +- for (i = NR_STRIPE_HASH_LOCKS; i; i--) +- spin_unlock(conf->hash_locks + i - 1); +- local_irq_enable(); ++ for (i = NR_STRIPE_HASH_LOCKS - 1; i; i--) ++ spin_unlock(conf->hash_locks + i); ++ spin_unlock_irq(conf->hash_locks); + } + + /* bio's attached to a stripe+device for I/O are linked together in bi_sector +@@ -732,12 +731,11 @@ static bool is_full_stripe_write(struct + + static void lock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2) + { +- local_irq_disable(); + if (sh1 > sh2) { +- spin_lock(&sh2->stripe_lock); ++ spin_lock_irq(&sh2->stripe_lock); + spin_lock_nested(&sh1->stripe_lock, 1); + } else { +- spin_lock(&sh1->stripe_lock); ++ spin_lock_irq(&sh1->stripe_lock); + spin_lock_nested(&sh2->stripe_lock, 1); + } + } +@@ -745,8 +743,7 @@ static void lock_two_stripes(struct stri + static void unlock_two_stripes(struct stripe_head *sh1, struct stripe_head *sh2) + { + spin_unlock(&sh1->stripe_lock); +- spin_unlock(&sh2->stripe_lock); +- local_irq_enable(); ++ spin_unlock_irq(&sh2->stripe_lock); + } + + /* Only freshly new full stripe normal write stripe can be added to a batch list */ diff --git a/queue-4.9/mdio-mux-correct-mdio_mux_init-error-path-issues.patch b/queue-4.9/mdio-mux-correct-mdio_mux_init-error-path-issues.patch new file mode 100644 index 00000000000..c4a396e70f5 --- /dev/null +++ b/queue-4.9/mdio-mux-correct-mdio_mux_init-error-path-issues.patch @@ -0,0 +1,86 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jon Mason +Date: Wed, 10 May 2017 11:20:27 -0400 +Subject: mdio: mux: Correct mdio_mux_init error path issues + +From: Jon Mason + + +[ Upstream commit b60161668199ac62011c024adc9e66713b9554e7 ] + +There is a potential unnecessary refcount decrement on error path of +put_device(&pb->mii_bus->dev), as it is possible to avoid the +of_mdio_find_bus() call if mux_bus is specified by the calling function. + +The same put_device() is not called in the error path if the +devm_kzalloc of pb fails. This caused the variable used in the +put_device() to be changed, as the pb pointer was obviously not set up. + +There is an unnecessary of_node_get() on child_bus_node if the +of_mdiobus_register() is successful, as the +for_each_available_child_of_node() automatically increments this. +Thus the refcount on this node will always be +1 more than it should be. + +There is no of_node_put() on child_bus_node if the of_mdiobus_register() +call fails. + +Finally, it is lacking devm_kfree() of pb in the error path. While this +might not be technically necessary, it was present in other parts of the +function. So, I am adding it where necessary to make it uniform. + +Signed-off-by: Jon Mason +Fixes: f20e6657a875 ("mdio: mux: Enhanced MDIO mux framework for integrated multiplexers") +Fixes: 0ca2997d1452 ("netdev/of/phy: Add MDIO bus multiplexer support.") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-mux.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/net/phy/mdio-mux.c ++++ b/drivers/net/phy/mdio-mux.c +@@ -122,10 +122,9 @@ int mdio_mux_init(struct device *dev, + pb = devm_kzalloc(dev, sizeof(*pb), GFP_KERNEL); + if (pb == NULL) { + ret_val = -ENOMEM; +- goto err_parent_bus; ++ goto err_pb_kz; + } + +- + pb->switch_data = data; + pb->switch_fn = switch_fn; + pb->current_child = -1; +@@ -154,6 +153,7 @@ int mdio_mux_init(struct device *dev, + cb->mii_bus = mdiobus_alloc(); + if (!cb->mii_bus) { + ret_val = -ENOMEM; ++ devm_kfree(dev, cb); + of_node_put(child_bus_node); + break; + } +@@ -169,8 +169,8 @@ int mdio_mux_init(struct device *dev, + if (r) { + mdiobus_free(cb->mii_bus); + devm_kfree(dev, cb); ++ of_node_put(child_bus_node); + } else { +- of_node_get(child_bus_node); + cb->next = pb->children; + pb->children = cb; + } +@@ -181,9 +181,11 @@ int mdio_mux_init(struct device *dev, + return 0; + } + ++ devm_kfree(dev, pb); ++err_pb_kz: + /* balance the reference of_mdio_find_bus() took */ +- put_device(&pb->mii_bus->dev); +- ++ if (!mux_bus) ++ put_device(&parent_bus->dev); + err_parent_bus: + of_node_put(parent_bus_node); + return ret_val; diff --git a/queue-4.9/mdio-mux-fix-device_node_continue.cocci-warnings.patch b/queue-4.9/mdio-mux-fix-device_node_continue.cocci-warnings.patch new file mode 100644 index 00000000000..e58d80021c7 --- /dev/null +++ b/queue-4.9/mdio-mux-fix-device_node_continue.cocci-warnings.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Julia Lawall +Date: Fri, 12 May 2017 22:54:23 +0800 +Subject: mdio: mux: fix device_node_continue.cocci warnings + +From: Julia Lawall + + +[ Upstream commit 8c977f5a856a7276450ddf3a7b57b4a8815b63f9 ] + +Device node iterators put the previous value of the index variable, so an +explicit put causes a double put. + +In particular, of_mdiobus_register can fail before doing anything +interesting, so one could view it as a no-op from the reference count +point of view. + +Generated by: scripts/coccinelle/iterators/device_node_continue.cocci + +CC: Jon Mason +Signed-off-by: Julia Lawall +Signed-off-by: Fengguang Wu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/mdio-mux.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/phy/mdio-mux.c ++++ b/drivers/net/phy/mdio-mux.c +@@ -169,7 +169,6 @@ int mdio_mux_init(struct device *dev, + if (r) { + mdiobus_free(cb->mii_bus); + devm_kfree(dev, cb); +- of_node_put(child_bus_node); + } else { + cb->next = pb->children; + pb->children = cb; diff --git a/queue-4.9/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch b/queue-4.9/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch new file mode 100644 index 00000000000..98d5c7105bf --- /dev/null +++ b/queue-4.9/media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch @@ -0,0 +1,82 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Mauro Carvalho Chehab +Date: Thu, 28 Dec 2017 09:16:47 -0500 +Subject: media: videobuf2-core: don't go out of the buffer range + +From: Mauro Carvalho Chehab + + +[ Upstream commit df93dc61b0d8b19a5c9db545cf3fcc24f88dfde4 ] + +Currently, there's no check if an invalid buffer range +is passed. However, while testing DVB memory mapped apps, +I got this: + + videobuf2_core: VB: num_buffers -2143943680, buffer 33, index -2143943647 + unable to handle kernel paging request at ffff888b773c0890 + IP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] + PGD 4142c7067 P4D 4142c7067 PUD 0 + Oops: 0002 [#1] SMP + Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables bluetooth rfkill ecdh_generic binfmt_misc rc_dvbsky sp2 ts2020 intel_rapl x86_pkg_temp_thermal dvb_usb_dvbsky intel_powerclamp dvb_usb_v2 coretemp m88ds3103 kvm_intel i2c_mux dvb_core snd_hda_codec_hdmi crct10dif_pclmul crc32_pclmul videobuf2_vmalloc videobuf2_memops snd_hda_intel ghash_clmulni_intel videobuf2_core snd_hda_codec rc_core mei_me intel_cstate snd_hwdep snd_hda_core videodev intel_uncore snd_pcm mei media tpm_tis tpm_tis_core intel_rapl_perf tpm snd_timer lpc_ich snd soundcore kvm irqbypass libcrc32c i915 i2c_algo_bit drm_kms_helper + e1000e ptp drm crc32c_intel video pps_core + CPU: 3 PID: 1776 Comm: dvbv5-zap Not tainted 4.14.0+ #78 + Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0364.2017.0511.0949 05/11/2017 + task: ffff88877c73bc80 task.stack: ffffb7c402418000 + RIP: 0010:__vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] + RSP: 0018:ffffb7c40241bc60 EFLAGS: 00010246 + RAX: 0000000080360421 RBX: 0000000000000021 RCX: 000000000000000a + RDX: ffffb7c40241bcf4 RSI: ffff888780362c60 RDI: ffff888796d8e130 + RBP: ffffb7c40241bcc8 R08: 0000000000000316 R09: 0000000000000004 + R10: ffff888780362c00 R11: 0000000000000001 R12: 000000000002f000 + R13: ffff8887758be700 R14: 0000000000021000 R15: 0000000000000001 + FS: 00007f2849024740(0000) GS:ffff888796d80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: ffff888b773c0890 CR3: 000000043beb2005 CR4: 00000000003606e0 + Call Trace: + vb2_core_reqbufs+0x226/0x420 [videobuf2_core] + dvb_vb2_reqbufs+0x2d/0xc0 [dvb_core] + dvb_dvr_do_ioctl+0x98/0x1d0 [dvb_core] + dvb_usercopy+0x53/0x1b0 [dvb_core] + ? dvb_demux_ioctl+0x20/0x20 [dvb_core] + ? tty_ldisc_deref+0x16/0x20 + ? tty_write+0x1f9/0x310 + ? process_echoes+0x70/0x70 + dvb_dvr_ioctl+0x15/0x20 [dvb_core] + do_vfs_ioctl+0xa5/0x600 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x1a/0xa5 + RIP: 0033:0x7f28486f7ea7 + RSP: 002b:00007ffc13b2db18 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 + RAX: ffffffffffffffda RBX: 000055b10fc06130 RCX: 00007f28486f7ea7 + RDX: 00007ffc13b2db48 RSI: 00000000c0086f3c RDI: 0000000000000007 + RBP: 0000000000000203 R08: 000055b10df1e02c R09: 000000000000002e + R10: 0036b42415108357 R11: 0000000000000246 R12: 0000000000000000 + R13: 00007f2849062f60 R14: 00000000000001f1 R15: 00007ffc13b2da54 + Code: 74 0a 60 8b 0a 48 83 c0 30 48 83 c2 04 89 48 d0 89 48 d4 48 39 f0 75 eb 41 8b 42 08 83 7d d4 01 41 c7 82 ec 01 00 00 ff ff ff ff <4d> 89 94 c5 88 00 00 00 74 14 83 c3 01 41 39 dc 0f 85 f1 fe ff + RIP: __vb2_queue_alloc+0x134/0x4e0 [videobuf2_core] RSP: ffffb7c40241bc60 + CR2: ffff888b773c0890 + +So, add a sanity check in order to prevent going past array. + +Signed-off-by: Mauro Carvalho Chehab +Acked-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/videobuf2-core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -334,6 +334,10 @@ static int __vb2_queue_alloc(struct vb2_ + struct vb2_buffer *vb; + int ret; + ++ /* Ensure that q->num_buffers+num_buffers is below VB2_MAX_FRAME */ ++ num_buffers = min_t(unsigned int, num_buffers, ++ VB2_MAX_FRAME - q->num_buffers); ++ + for (buffer = 0; buffer < num_buffers; ++buffer) { + /* Allocate videobuf buffer structures */ + vb = kzalloc(q->buf_struct_size, GFP_KERNEL); diff --git a/queue-4.9/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch b/queue-4.9/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch new file mode 100644 index 00000000000..0a65a87df5b --- /dev/null +++ b/queue-4.9/mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Marcin Nowakowski +Date: Thu, 8 Jun 2017 15:20:32 +0200 +Subject: MIPS: kprobes: flush_insn_slot should flush only if probe initialised + +From: Marcin Nowakowski + + +[ Upstream commit 698b851073ddf5a894910d63ca04605e0473414e ] + +When ftrace is used with kprobes, it is possible for a kprobe to contain +an invalid location (ie. only initialised to 0 and not to a specific +location in the code). Trying to perform a cache flush on such location +leads to a crash r4k_flush_icache_range(). + +Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.") +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16296/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/kprobes.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/mips/include/asm/kprobes.h ++++ b/arch/mips/include/asm/kprobes.h +@@ -40,7 +40,8 @@ typedef union mips_instruction kprobe_op + + #define flush_insn_slot(p) \ + do { \ +- flush_icache_range((unsigned long)p->addr, \ ++ if (p->addr) \ ++ flush_icache_range((unsigned long)p->addr, \ + (unsigned long)p->addr + \ + (MAX_INSN_SIZE * sizeof(kprobe_opcode_t))); \ + } while (0) diff --git a/queue-4.9/mips-mm-adjust-pkmap-location.patch b/queue-4.9/mips-mm-adjust-pkmap-location.patch new file mode 100644 index 00000000000..bd66a4cc71c --- /dev/null +++ b/queue-4.9/mips-mm-adjust-pkmap-location.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Marcin Nowakowski +Date: Tue, 11 Apr 2017 09:00:36 +0200 +Subject: MIPS: mm: adjust PKMAP location + +From: Marcin Nowakowski + + +[ Upstream commit c56e7a4c3e77f6fbd9b55c06c14eda65aae58958 ] + +Space reserved for PKMap should span from PKMAP_BASE to FIXADDR_START. +For large page sizes this is not the case as eg. for 64k pages the range +currently defined is from 0xfe000000 to 0x102000000(!!) which obviously +isn't right. +Remove the hardcoded location and set the BASE address as an offset from +FIXADDR_START. + +Since all PKMAP ptes have to be placed in a contiguous memory, ensure +that this is the case by placing them all in a single page. This is +achieved by aligning the end address to pkmap pages count pages. + +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15950/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/pgtable-32.h | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/mips/include/asm/pgtable-32.h ++++ b/arch/mips/include/asm/pgtable-32.h +@@ -18,6 +18,10 @@ + + #include + ++#ifdef CONFIG_HIGHMEM ++#include ++#endif ++ + extern int temp_tlb_entry; + + /* +@@ -61,7 +65,8 @@ extern int add_temporary_entry(unsigned + + #define VMALLOC_START MAP_BASE + +-#define PKMAP_BASE (0xfe000000UL) ++#define PKMAP_END ((FIXADDR_START) & ~((LAST_PKMAP << PAGE_SHIFT)-1)) ++#define PKMAP_BASE (PKMAP_END - PAGE_SIZE * LAST_PKMAP) + + #ifdef CONFIG_HIGHMEM + # define VMALLOC_END (PKMAP_BASE-2*PAGE_SIZE) diff --git a/queue-4.9/mips-mm-fixed-mappings-correct-initialisation.patch b/queue-4.9/mips-mm-fixed-mappings-correct-initialisation.patch new file mode 100644 index 00000000000..54835ece6ef --- /dev/null +++ b/queue-4.9/mips-mm-fixed-mappings-correct-initialisation.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Marcin Nowakowski +Date: Tue, 11 Apr 2017 09:00:34 +0200 +Subject: MIPS: mm: fixed mappings: correct initialisation + +From: Marcin Nowakowski + + +[ Upstream commit 71eb989ab5a110df8bcbb9609bacde73feacbedd ] + +fixrange_init operates at PMD-granularity and expects the addresses to +be PMD-size aligned, but currently that might not be the case for +PKMAP_BASE unless it is defined properly, so ensure a correct alignment +is used before passing the address to fixrange_init. + +fixed mappings: only align the start address that is passed to +fixrange_init rather than the value before adding the size, as we may +end up with uninitialised upper part of the range. + +Signed-off-by: Marcin Nowakowski +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/15948/ +Signed-off-by: Ralf Baechle +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/mm/pgtable-32.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/mips/mm/pgtable-32.c ++++ b/arch/mips/mm/pgtable-32.c +@@ -51,15 +51,15 @@ void __init pagetable_init(void) + /* + * Fixed mappings: + */ +- vaddr = __fix_to_virt(__end_of_fixed_addresses - 1) & PMD_MASK; +- fixrange_init(vaddr, vaddr + FIXADDR_SIZE, pgd_base); ++ vaddr = __fix_to_virt(__end_of_fixed_addresses - 1); ++ fixrange_init(vaddr & PMD_MASK, vaddr + FIXADDR_SIZE, pgd_base); + + #ifdef CONFIG_HIGHMEM + /* + * Permanent kmaps: + */ + vaddr = PKMAP_BASE; +- fixrange_init(vaddr, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); ++ fixrange_init(vaddr & PMD_MASK, vaddr + PAGE_SIZE*LAST_PKMAP, pgd_base); + + pgd = swapper_pg_dir + __pgd_offset(vaddr); + pud = pud_offset(pgd, vaddr); diff --git a/queue-4.9/misdn-fix-a-sleep-in-atomic-bug.patch b/queue-4.9/misdn-fix-a-sleep-in-atomic-bug.patch new file mode 100644 index 00000000000..29022fae28e --- /dev/null +++ b/queue-4.9/misdn-fix-a-sleep-in-atomic-bug.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jia-Ju Bai +Date: Wed, 31 May 2017 15:08:25 +0800 +Subject: mISDN: Fix a sleep-in-atomic bug + +From: Jia-Ju Bai + + +[ Upstream commit 93818da5eed63fbc17b64080406ea53b86b23309 ] + +The driver may sleep under a read spin lock, and the function call path is: +send_socklist (acquire the lock by read_lock) + skb_copy(GFP_KERNEL) --> may sleep + +To fix it, the "GFP_KERNEL" is replaced with "GFP_ATOMIC". + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/mISDN/stack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/isdn/mISDN/stack.c ++++ b/drivers/isdn/mISDN/stack.c +@@ -72,7 +72,7 @@ send_socklist(struct mISDN_sock_list *sl + if (sk->sk_state != MISDN_BOUND) + continue; + if (!cskb) +- cskb = skb_copy(skb, GFP_KERNEL); ++ cskb = skb_copy(skb, GFP_ATOMIC); + if (!cskb) { + printk(KERN_WARNING "%s no skb\n", __func__); + break; diff --git a/queue-4.9/mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch b/queue-4.9/mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch new file mode 100644 index 00000000000..38fb6cf15a5 --- /dev/null +++ b/queue-4.9/mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jesper Dangaard Brouer +Date: Mon, 22 May 2017 20:13:07 +0200 +Subject: mlx5: fix bug reading rss_hash_type from CQE + +From: Jesper Dangaard Brouer + + +[ Upstream commit 12e8b570e732eaa5eae3a2895ba3fbcf91bde2b4 ] + +Masks for extracting part of the Completion Queue Entry (CQE) +field rss_hash_type was swapped, namely CQE_RSS_HTYPE_IP and +CQE_RSS_HTYPE_L4. + +The bug resulted in setting skb->l4_hash, even-though the +rss_hash_type indicated that hash was NOT computed over the +L4 (UDP or TCP) part of the packet. + +Added comments from the datasheet, to make it more clear what +these masks are selecting. + +Signed-off-by: Jesper Dangaard Brouer +Acked-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mlx5/device.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/include/linux/mlx5/device.h ++++ b/include/linux/mlx5/device.h +@@ -750,8 +750,14 @@ enum { + }; + + enum { +- CQE_RSS_HTYPE_IP = 0x3 << 6, +- CQE_RSS_HTYPE_L4 = 0x3 << 2, ++ CQE_RSS_HTYPE_IP = 0x3 << 2, ++ /* cqe->rss_hash_type[3:2] - IP destination selected for hash ++ * (00 = none, 01 = IPv4, 10 = IPv6, 11 = Reserved) ++ */ ++ CQE_RSS_HTYPE_L4 = 0x3 << 6, ++ /* cqe->rss_hash_type[7:6] - L4 destination selected for hash ++ * (00 = none, 01 = TCP. 10 = UDP, 11 = IPSEC.SPI ++ */ + }; + + enum { diff --git a/queue-4.9/mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch b/queue-4.9/mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch new file mode 100644 index 00000000000..31f2e0b7c89 --- /dev/null +++ b/queue-4.9/mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ido Schimmel +Date: Thu, 18 May 2017 13:03:52 +0200 +Subject: mlxsw: spectrum: Avoid possible NULL pointer dereference + +From: Ido Schimmel + + +[ Upstream commit c0e01eac7ada785fdeaea1ae5476ec1cf3b00374 ] + +In case we got an FDB notification for a port that doesn't exist we +execute an FDB entry delete to prevent it from re-appearing the next +time we poll for notifications. + +If the operation failed we would trigger a NULL pointer dereference as +'mlxsw_sp_port' is NULL. + +Fix it by reporting the error using the underlying bus device instead. + +Fixes: 12f1501e7511 ("mlxsw: spectrum: remove FDB entry in case we get unknown object notification") +Signed-off-by: Ido Schimmel +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c ++++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c +@@ -1448,8 +1448,7 @@ do_fdb_op: + err = mlxsw_sp_port_fdb_uc_op(mlxsw_sp, local_port, mac, fid, + adding, true); + if (err) { +- if (net_ratelimit()) +- netdev_err(mlxsw_sp_port->dev, "Failed to set FDB entry\n"); ++ dev_err_ratelimited(mlxsw_sp->bus_info->dev, "Failed to set FDB entry\n"); + return; + } + +@@ -1509,8 +1508,7 @@ do_fdb_op: + err = mlxsw_sp_port_fdb_uc_lag_op(mlxsw_sp, lag_id, mac, fid, lag_vid, + adding, true); + if (err) { +- if (net_ratelimit()) +- netdev_err(mlxsw_sp_port->dev, "Failed to set FDB entry\n"); ++ dev_err_ratelimited(mlxsw_sp->bus_info->dev, "Failed to set FDB entry\n"); + return; + } + diff --git a/queue-4.9/mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch b/queue-4.9/mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch new file mode 100644 index 00000000000..11d1ee68f2f --- /dev/null +++ b/queue-4.9/mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Reza Arbab +Date: Fri, 12 May 2017 15:46:32 -0700 +Subject: mm, vmstat: Remove spurious WARN() during zoneinfo print + +From: Reza Arbab + + +[ Upstream commit 8d35bb310698c69d73073b26fc581f2e3f7f621d ] + +After commit e2ecc8a79ed4 ("mm, vmstat: print non-populated zones in +zoneinfo"), /proc/zoneinfo will show unpopulated zones. + +A memoryless node, having no populated zones at all, was previously +ignored, but will now trigger the WARN() in is_zone_first_populated(). + +Remove this warning, as its only purpose was to warn of a situation that +has since been enabled. + +Aside: The "per-node stats" are still printed under the first populated +zone, but that's not necessarily the first stanza any more. I'm not +sure which criteria is more important with regard to not breaking +parsers, but it looks a little weird to the eye. + +Fixes: e2ecc8a79ed4 ("mm, vmstat: print node-based stats in zoneinfo file") +Link: http://lkml.kernel.org/r/1493854905-10918-1-git-send-email-arbab@linux.vnet.ibm.com +Signed-off-by: Reza Arbab +Cc: David Rientjes +Cc: Anshuman Khandual +Cc: Vlastimil Babka +Cc: Mel Gorman +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmstat.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/mm/vmstat.c ++++ b/mm/vmstat.c +@@ -1351,8 +1351,6 @@ static bool is_zone_first_populated(pg_d + return zone == compare; + } + +- /* The zone must be somewhere! */ +- WARN_ON_ONCE(1); + return false; + } + diff --git a/queue-4.9/mtd-mtd_oobtest-handle-bitflips-during-reads.patch b/queue-4.9/mtd-mtd_oobtest-handle-bitflips-during-reads.patch new file mode 100644 index 00000000000..3268232caba --- /dev/null +++ b/queue-4.9/mtd-mtd_oobtest-handle-bitflips-during-reads.patch @@ -0,0 +1,100 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Miquel Raynal +Date: Thu, 11 Jan 2018 21:39:20 +0100 +Subject: mtd: mtd_oobtest: Handle bitflips during reads + +From: Miquel Raynal + + +[ Upstream commit 12663b442e5ac5aa3d6097cd3f287c71ba46d26e ] + +Reads from NAND devices usually trigger bitflips, this is an expected +behavior. While bitflips are under a given threshold, the MTD core +returns 0. However, when the number of corrected bitflips is above this +same threshold, -EUCLEAN is returned to inform the upper layer that this +block is slightly dying and soon the ECC engine will be overtaken so +actions should be taken to move the data out of it. + +This particular condition should not be treated like an error and the +test should continue. + +Signed-off-by: Miquel Raynal +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/tests/oobtest.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/mtd/tests/oobtest.c ++++ b/drivers/mtd/tests/oobtest.c +@@ -193,6 +193,9 @@ static int verify_eraseblock(int ebnum) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != use_len) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -227,6 +230,9 @@ static int verify_eraseblock(int ebnum) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != mtd->oobavail) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -286,6 +292,9 @@ static int verify_eraseblock_in_one_go(i + + /* read entire block's OOB at one go */ + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err || ops.oobretlen != len) { + pr_err("error: readoob failed at %#llx\n", + (long long)addr); +@@ -527,6 +536,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to start read past end of OOB\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, addr0, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -571,6 +583,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to read past end of device\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -615,6 +630,9 @@ static int __init mtd_oobtest_init(void) + pr_info("attempting to read past end of device\n"); + pr_info("an error is expected...\n"); + err = mtd_read_oob(mtd, mtd->size - mtd->writesize, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) { + pr_info("error occurred as expected\n"); + err = 0; +@@ -684,6 +702,9 @@ static int __init mtd_oobtest_init(void) + ops.datbuf = NULL; + ops.oobbuf = readbuf; + err = mtd_read_oob(mtd, addr, &ops); ++ if (mtd_is_bitflip(err)) ++ err = 0; ++ + if (err) + goto out; + if (memcmpshow(addr, readbuf, writebuf, diff --git a/queue-4.9/mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch b/queue-4.9/mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch new file mode 100644 index 00000000000..aee2e44ab2b --- /dev/null +++ b/queue-4.9/mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Masahiro Yamada +Date: Thu, 25 May 2017 13:50:20 +0900 +Subject: mtd: nand: check ecc->total sanity in nand_scan_tail + +From: Masahiro Yamada + + +[ Upstream commit 79e0348c4e24fd1affdcf055e0269755580e0fcc ] + +Drivers are supposed to set correct ecc->{size,strength,bytes} before +calling nand_scan_tail(), but it does not complain about ecc->total +bigger than oobsize. + +In this case, chip->scan_bbt() crashes due to memory corruption, but +it is hard to debug. It would be kind to fail it earlier with a clear +message. + +Signed-off-by: Masahiro Yamada +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/nand_base.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -4785,6 +4785,11 @@ int nand_scan_tail(struct mtd_info *mtd) + goto err_free; + } + ecc->total = ecc->steps * ecc->bytes; ++ if (ecc->total > mtd->oobsize) { ++ WARN(1, "Total number of ECC bytes exceeded oobsize\n"); ++ ret = -EINVAL; ++ goto err_free; ++ } + + /* + * The number of bytes available for a client to place data into diff --git a/queue-4.9/mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch b/queue-4.9/mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch new file mode 100644 index 00000000000..ecacf7aa18e --- /dev/null +++ b/queue-4.9/mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Boris Brezillon +Date: Mon, 10 Apr 2017 10:35:17 +0200 +Subject: mtd: nand: gpmi: Fix gpmi_nand_init() error path + +From: Boris Brezillon + + +[ Upstream commit 4d02423e9afe6c46142ce98bbcaf5167316dbfbf ] + +The GPMI driver is wrongly assuming that nand_release() can safely be +called on an uninitialized/unregistered NAND device. + +Add a new err_nand_cleanup label in the error path and only execute if +nand_scan_tail() succeeded. + +Note that we now call nand_cleanup() instead of nand_release() +(nand_release() is actually grouping the mtd_device_unregister() and +nand_cleanup() in one call) because there's no point in trying to +unregister a device that has never been registered. + +Signed-off-by: Boris Brezillon +Reviewed-by: Marek Vasut +Acked-by: Han Xu +Reviewed-by: Marek Vasut +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -2047,18 +2047,20 @@ static int gpmi_nand_init(struct gpmi_na + + ret = nand_boot_init(this); + if (ret) +- goto err_out; ++ goto err_nand_cleanup; + ret = chip->scan_bbt(mtd); + if (ret) +- goto err_out; ++ goto err_nand_cleanup; + + ret = mtd_device_register(mtd, NULL, 0); + if (ret) +- goto err_out; ++ goto err_nand_cleanup; + return 0; + ++err_nand_cleanup: ++ nand_cleanup(chip); + err_out: +- gpmi_nand_exit(this); ++ gpmi_free_dma_buffer(this); + return ret; + } + diff --git a/queue-4.9/neighbour-update-neigh-timestamps-iff-update-is-effective.patch b/queue-4.9/neighbour-update-neigh-timestamps-iff-update-is-effective.patch new file mode 100644 index 00000000000..56e1706d6d3 --- /dev/null +++ b/queue-4.9/neighbour-update-neigh-timestamps-iff-update-is-effective.patch @@ -0,0 +1,95 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ihar Hrachyshka +Date: Tue, 16 May 2017 08:44:24 -0700 +Subject: neighbour: update neigh timestamps iff update is effective + +From: Ihar Hrachyshka + + +[ Upstream commit 77d7123342dcf6442341b67816321d71da8b2b16 ] + +It's a common practice to send gratuitous ARPs after moving an +IP address to another device to speed up healing of a service. To +fulfill service availability constraints, the timing of network peers +updating their caches to point to a new location of an IP address can be +particularly important. + +Sometimes neigh_update calls won't touch neither lladdr nor state, for +example if an update arrives in locktime interval. The neigh->updated +value is tested by the protocol specific neigh code, which in turn +will influence whether NEIGH_UPDATE_F_OVERRIDE gets set in the +call to neigh_update() or not. As a result, we may effectively ignore +the update request, bailing out of touching the neigh entry, except that +we still bump its timestamps inside neigh_update. + +This may be a problem for updates arriving in quick succession. For +example, consider the following scenario: + +A service is moved to another device with its IP address. The new device +sends three gratuitous ARP requests into the network with ~1 seconds +interval between them. Just before the first request arrives to one of +network peer nodes, its neigh entry for the IP address transitions from +STALE to DELAY. This transition, among other things, updates +neigh->updated. Once the kernel receives the first gratuitous ARP, it +ignores it because its arrival time is inside the locktime interval. The +kernel still bumps neigh->updated. Then the second gratuitous ARP +request arrives, and it's also ignored because it's still in the (new) +locktime interval. Same happens for the third request. The node +eventually heals itself (after delay_first_probe_time seconds since the +initial transition to DELAY state), but it just wasted some time and +require a new ARP request/reply round trip. This unfortunate behaviour +both puts more load on the network, as well as reduces service +availability. + +This patch changes neigh_update so that it bumps neigh->updated (as well +as neigh->confirmed) only once we are sure that either lladdr or entry +state will change). In the scenario described above, it means that the +second gratuitous ARP request will actually update the entry lladdr. + +Ideally, we would update the neigh entry on the very first gratuitous +ARP request. The locktime mechanism is designed to ignore ARP updates in +a short timeframe after a previous ARP update was honoured by the kernel +layer. This would require tracking timestamps for state transitions +separately from timestamps when actual updates are received. This would +probably involve changes in neighbour struct. Therefore, the patch +doesn't tackle the issue of the first gratuitous APR ignored, leaving +it for a follow-up. + +Signed-off-by: Ihar Hrachyshka +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/neighbour.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -1130,10 +1130,6 @@ int neigh_update(struct neighbour *neigh + lladdr = neigh->ha; + } + +- if (new & NUD_CONNECTED) +- neigh->confirmed = jiffies; +- neigh->updated = jiffies; +- + /* If entry was valid and address is not changed, + do not change entry state, if new one is STALE. + */ +@@ -1155,6 +1151,16 @@ int neigh_update(struct neighbour *neigh + } + } + ++ /* Update timestamps only once we know we will make a change to the ++ * neighbour entry. Otherwise we risk to move the locktime window with ++ * noop updates and ignore relevant ARP updates. ++ */ ++ if (new != old || lladdr != neigh->ha) { ++ if (new & NUD_CONNECTED) ++ neigh->confirmed = jiffies; ++ neigh->updated = jiffies; ++ } ++ + if (new != old) { + neigh_del_timer(neigh); + if (new & NUD_PROBE) diff --git a/queue-4.9/net-cdc_ncm-fix-tx-zero-padding.patch b/queue-4.9/net-cdc_ncm-fix-tx-zero-padding.patch new file mode 100644 index 00000000000..e5777c5110f --- /dev/null +++ b/queue-4.9/net-cdc_ncm-fix-tx-zero-padding.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jim Baxter +Date: Mon, 8 May 2017 13:49:57 +0100 +Subject: net: cdc_ncm: Fix TX zero padding + +From: Jim Baxter + + +[ Upstream commit aeca3a77b1e0ed06a095933b89c86aed007383eb ] + +The zero padding that is added to NTB's does +not zero the memory correctly. +This is because the skb_put modifies the value +of skb_out->len which results in the memset +command not setting any memory to zero as +(ctx->tx_max - skb_out->len) == 0. + +I have resolved this by storing the size of +the memory to be zeroed before the skb_put +and using this in the memset call. + +Signed-off-by: Jim Baxter +Reviewed-by: Bjørn Mork +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/cdc_ncm.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/net/usb/cdc_ncm.c ++++ b/drivers/net/usb/cdc_ncm.c +@@ -1118,6 +1118,7 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + u16 n = 0, index, ndplen; + u8 ready2send = 0; + u32 delayed_ndp_size; ++ size_t padding_count; + + /* When our NDP gets written in cdc_ncm_ndp(), then skb_out->len gets updated + * accordingly. Otherwise, we should check here. +@@ -1274,11 +1275,13 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev + * a ZLP after full sized NTBs. + */ + if (!(dev->driver_info->flags & FLAG_SEND_ZLP) && +- skb_out->len > ctx->min_tx_pkt) +- memset(skb_put(skb_out, ctx->tx_max - skb_out->len), 0, +- ctx->tx_max - skb_out->len); +- else if (skb_out->len < ctx->tx_max && (skb_out->len % dev->maxpacket) == 0) ++ skb_out->len > ctx->min_tx_pkt) { ++ padding_count = ctx->tx_max - skb_out->len; ++ memset(skb_put(skb_out, padding_count), 0, padding_count); ++ } else if (skb_out->len < ctx->tx_max && ++ (skb_out->len % dev->maxpacket) == 0) { + *skb_put(skb_out, 1) = 0; /* force short packet */ ++ } + + /* set final frame length */ + nth16 = (struct usb_cdc_ncm_nth16 *)skb_out->data; diff --git a/queue-4.9/net-emac-fix-reset-timeout-with-ar8035-phy.patch b/queue-4.9/net-emac-fix-reset-timeout-with-ar8035-phy.patch new file mode 100644 index 00000000000..0121f3b3bac --- /dev/null +++ b/queue-4.9/net-emac-fix-reset-timeout-with-ar8035-phy.patch @@ -0,0 +1,119 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christian Lamparter +Date: Wed, 7 Jun 2017 15:51:15 +0200 +Subject: net: emac: fix reset timeout with AR8035 phy + +From: Christian Lamparter + + +[ Upstream commit 19d90ece81da802207a9b91ce95a29fbdc40626e ] + +This patch fixes a problem where the AR8035 PHY can't be +detected on an Cisco Meraki MR24, if the ethernet cable is +not connected on boot. + +Russell Senior provided steps to reproduce the issue: +|Disconnect ethernet cable, apply power, wait until device has booted, +|plug in ethernet, check for interfaces, no eth0 is listed. +| +|This appears to be a problem during probing of the AR8035 Phy chip. +|When ethernet has no link, the phy detection fails, and eth0 is not +|created. Plugging ethernet later has no effect, because there is no +|interface as far as the kernel is concerned. The relevant part of +|the boot log looks like this: +|this is the failing case: +| +|[ 0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode +|[ 0.882532] /plb/opb/ethernet@ef600c00: reset timeout +|[ 0.888546] /plb/opb/ethernet@ef600c00: can't find PHY! +|and the succeeding case: +| +|[ 0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode +|[ 0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:.. +|[ 0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01) + +Based on the comment and the commit message of +commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT"). +This is because the AR8035 PHY doesn't provide the TX Clock, +if the ethernet cable is not attached. This causes the reset +to timeout and the PHY detection code in emac_init_phy() is +unable to detect the AR8035 PHY. As a result, the emac driver +bails out early and the user left with no ethernet. + +In order to stay compatible with existing configurations, the driver +tries the current reset approach at first. Only if the first attempt +timed out, it does perform one more retry with the clock temporarily +switched to the internal source for just the duration of the reset. + +LEDE-Bug: #687 + +Cc: Chris Blake +Reported-by: Russell Senior +Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT") +Signed-off-by: Christian Lamparter +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ibm/emac/core.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/ibm/emac/core.c ++++ b/drivers/net/ethernet/ibm/emac/core.c +@@ -342,6 +342,7 @@ static int emac_reset(struct emac_instan + { + struct emac_regs __iomem *p = dev->emacp; + int n = 20; ++ bool __maybe_unused try_internal_clock = false; + + DBG(dev, "reset" NL); + +@@ -354,6 +355,7 @@ static int emac_reset(struct emac_instan + } + + #ifdef CONFIG_PPC_DCR_NATIVE ++do_retry: + /* + * PPC460EX/GT Embedded Processor Advanced User's Manual + * section 28.10.1 Mode Register 0 (EMACx_MR0) states: +@@ -361,10 +363,19 @@ static int emac_reset(struct emac_instan + * of the EMAC. If none is present, select the internal clock + * (SDR0_ETH_CFG[EMACx_PHY_CLK] = 1). + * After a soft reset, select the external clock. ++ * ++ * The AR8035-A PHY Meraki MR24 does not provide a TX Clk if the ++ * ethernet cable is not attached. This causes the reset to timeout ++ * and the PHY detection code in emac_init_phy() is unable to ++ * communicate and detect the AR8035-A PHY. As a result, the emac ++ * driver bails out early and the user has no ethernet. ++ * In order to stay compatible with existing configurations, the ++ * driver will temporarily switch to the internal clock, after ++ * the first reset fails. + */ + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: select internal loop clock before reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + 0, SDR0_ETH_CFG_ECS << dev->cell_index); +@@ -382,8 +393,15 @@ static int emac_reset(struct emac_instan + + #ifdef CONFIG_PPC_DCR_NATIVE + if (emac_has_feature(dev, EMAC_FTR_460EX_PHY_CLK_FIX)) { +- if (dev->phy_address == 0xffffffff && +- dev->phy_map == 0xffffffff) { ++ if (!n && !try_internal_clock) { ++ /* first attempt has timed out. */ ++ n = 20; ++ try_internal_clock = true; ++ goto do_retry; ++ } ++ ++ if (try_internal_clock || (dev->phy_address == 0xffffffff && ++ dev->phy_map == 0xffffffff)) { + /* No PHY: restore external clock source after reset */ + dcri_clrset(SDR0, SDR0_ETH_CFG, + SDR0_ETH_CFG_ECS << dev->cell_index, 0); diff --git a/queue-4.9/net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch b/queue-4.9/net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch new file mode 100644 index 00000000000..b4568296bbc --- /dev/null +++ b/queue-4.9/net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Netanel Belgazal +Date: Sun, 11 Jun 2017 15:42:45 +0300 +Subject: net: ena: add missing return when ena_com_get_io_handlers() fails + +From: Netanel Belgazal + + +[ Upstream commit 2d2c600a917127f16f179d5a88fc44ba3ed263ed ] + +Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -1542,6 +1542,7 @@ static int ena_create_io_tx_queue(struct + "Failed to get TX queue handlers. TX queue num %d rc: %d\n", + qid, rc); + ena_com_destroy_io_queue(ena_dev, ena_qid); ++ return rc; + } + + ena_com_update_numa_node(tx_ring->ena_com_io_cq, ctx.numa_node); +@@ -1606,6 +1607,7 @@ static int ena_create_io_rx_queue(struct + "Failed to get RX queue handlers. RX queue num %d rc: %d\n", + qid, rc); + ena_com_destroy_io_queue(ena_dev, ena_qid); ++ return rc; + } + + ena_com_update_numa_node(rx_ring->ena_com_io_cq, ctx.numa_node); diff --git a/queue-4.9/net-ena-add-missing-unmap-bars-on-device-removal.patch b/queue-4.9/net-ena-add-missing-unmap-bars-on-device-removal.patch new file mode 100644 index 00000000000..e7fb734a287 --- /dev/null +++ b/queue-4.9/net-ena-add-missing-unmap-bars-on-device-removal.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Netanel Belgazal +Date: Sun, 11 Jun 2017 15:42:47 +0300 +Subject: net: ena: add missing unmap bars on device removal + +From: Netanel Belgazal + + +[ Upstream commit 0857d92f71b6cb75281fde913554b2d5436c394b ] + +This patch also change the mapping functions to devm_ functions + +Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_netdev.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_netdev.c ++++ b/drivers/net/ethernet/amazon/ena/ena_netdev.c +@@ -2808,6 +2808,11 @@ static void ena_release_bars(struct ena_ + { + int release_bars; + ++ if (ena_dev->mem_bar) ++ devm_iounmap(&pdev->dev, ena_dev->mem_bar); ++ ++ devm_iounmap(&pdev->dev, ena_dev->reg_bar); ++ + release_bars = pci_select_bars(pdev, IORESOURCE_MEM) & ENA_BAR_MASK; + pci_release_selected_regions(pdev, release_bars); + } +@@ -2895,8 +2900,9 @@ static int ena_probe(struct pci_dev *pde + goto err_free_ena_dev; + } + +- ena_dev->reg_bar = ioremap(pci_resource_start(pdev, ENA_REG_BAR), +- pci_resource_len(pdev, ENA_REG_BAR)); ++ ena_dev->reg_bar = devm_ioremap(&pdev->dev, ++ pci_resource_start(pdev, ENA_REG_BAR), ++ pci_resource_len(pdev, ENA_REG_BAR)); + if (!ena_dev->reg_bar) { + dev_err(&pdev->dev, "failed to remap regs bar\n"); + rc = -EFAULT; +@@ -2916,8 +2922,9 @@ static int ena_probe(struct pci_dev *pde + ena_set_push_mode(pdev, ena_dev, &get_feat_ctx); + + if (ena_dev->tx_mem_queue_type == ENA_ADMIN_PLACEMENT_POLICY_DEV) { +- ena_dev->mem_bar = ioremap_wc(pci_resource_start(pdev, ENA_MEM_BAR), +- pci_resource_len(pdev, ENA_MEM_BAR)); ++ ena_dev->mem_bar = devm_ioremap_wc(&pdev->dev, ++ pci_resource_start(pdev, ENA_MEM_BAR), ++ pci_resource_len(pdev, ENA_MEM_BAR)); + if (!ena_dev->mem_bar) { + rc = -EFAULT; + goto err_device_destroy; diff --git a/queue-4.9/net-ena-disable-admin-msix-while-working-in-polling-mode.patch b/queue-4.9/net-ena-disable-admin-msix-while-working-in-polling-mode.patch new file mode 100644 index 00000000000..ca89081709d --- /dev/null +++ b/queue-4.9/net-ena-disable-admin-msix-while-working-in-polling-mode.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Netanel Belgazal +Date: Sun, 11 Jun 2017 15:42:49 +0300 +Subject: net: ena: disable admin msix while working in polling mode + +From: Netanel Belgazal + + +[ Upstream commit a2cc5198dac102775b21787752a2e0afe44ad311 ] + +Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -61,6 +61,8 @@ + + #define ENA_MMIO_READ_TIMEOUT 0xFFFFFFFF + ++#define ENA_REGS_ADMIN_INTR_MASK 1 ++ + /*****************************************************************************/ + /*****************************************************************************/ + /*****************************************************************************/ +@@ -1448,6 +1450,12 @@ void ena_com_admin_destroy(struct ena_co + + void ena_com_set_admin_polling_mode(struct ena_com_dev *ena_dev, bool polling) + { ++ u32 mask_value = 0; ++ ++ if (polling) ++ mask_value = ENA_REGS_ADMIN_INTR_MASK; ++ ++ writel(mask_value, ena_dev->reg_bar + ENA_REGS_INTR_MASK_OFF); + ena_dev->admin_queue.polling = polling; + } + diff --git a/queue-4.9/net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch b/queue-4.9/net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch new file mode 100644 index 00000000000..dae56720e72 --- /dev/null +++ b/queue-4.9/net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Netanel Belgazal +Date: Sun, 11 Jun 2017 15:42:46 +0300 +Subject: net: ena: fix race condition between submit and completion admin command + +From: Netanel Belgazal + + +[ Upstream commit 661d2b0ccef6a63f48b61105cf7be17403d1db01 ] + +Bug: +"Completion context is occupied" error printout will be noticed in +dmesg. +This error will cause the admin command to fail, which will lead to +an ena_probe() failure or a watchdog reset (depends on which admin +command failed). + +Root cause: +__ena_com_submit_admin_cmd() is the function that submits new entries to +the admin queue. +The function have a check that makes sure the queue is not full and the +function does not override any outstanding command. +It uses head and tail indexes for this check. +The head is increased by ena_com_handle_admin_completion() which runs +from interrupt context, and the tail index is increased by the submit +function (the function is running under ->q_lock, so there is no risk +of multithread increment). +Each command is associated with a completion context. This context +allocated before call to __ena_com_submit_admin_cmd() and freed by +ena_com_wait_and_process_admin_cq_interrupts(), right after the command +was completed. + +This can lead to a state where the head was increased, the check passed, +but the completion context is still in use. + +Solution: +Use the atomic variable ->outstanding_cmds instead of using the head and +the tail indexes. +This variable is safe for use since it is bumped in get_comp_ctx() in +__ena_com_submit_admin_cmd() and is freed by comp_ctxt_release() + +Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -232,11 +232,9 @@ static struct ena_comp_ctx *__ena_com_su + tail_masked = admin_queue->sq.tail & queue_size_mask; + + /* In case of queue FULL */ +- cnt = admin_queue->sq.tail - admin_queue->sq.head; ++ cnt = atomic_read(&admin_queue->outstanding_cmds); + if (cnt >= admin_queue->q_depth) { +- pr_debug("admin queue is FULL (tail %d head %d depth: %d)\n", +- admin_queue->sq.tail, admin_queue->sq.head, +- admin_queue->q_depth); ++ pr_debug("admin queue is full.\n"); + admin_queue->stats.out_of_space++; + return ERR_PTR(-ENOSPC); + } diff --git a/queue-4.9/net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch b/queue-4.9/net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch new file mode 100644 index 00000000000..aefc300849a --- /dev/null +++ b/queue-4.9/net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch @@ -0,0 +1,75 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Netanel Belgazal +Date: Sun, 11 Jun 2017 15:42:43 +0300 +Subject: net: ena: fix rare uncompleted admin command false alarm + +From: Netanel Belgazal + + +[ Upstream commit a77c1aafcc906f657d1a0890c1d898be9ee1d5c9 ] + +The current flow to detect admin completion is: +while (command_not_completed) { + if (timeout) + error + + check_for_completion() + sleep() + } +So in case the sleep took more than the timeout +(in case the thread/workqueue was not scheduled due to higher priority +task or prolonged VMexit), the driver can detect a stall even if +the completion is present. + +The fix changes the order of this function to first check for +completion and only after that check if the timeout expired. + +Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") +Signed-off-by: Netanel Belgazal +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/amazon/ena/ena_com.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/ethernet/amazon/ena/ena_com.c ++++ b/drivers/net/ethernet/amazon/ena/ena_com.c +@@ -508,15 +508,20 @@ static int ena_com_comp_status_to_errno( + static int ena_com_wait_and_process_admin_cq_polling(struct ena_comp_ctx *comp_ctx, + struct ena_com_admin_queue *admin_queue) + { +- unsigned long flags; +- u32 start_time; ++ unsigned long flags, timeout; + int ret; + +- start_time = ((u32)jiffies_to_usecs(jiffies)); ++ timeout = jiffies + ADMIN_CMD_TIMEOUT_US; + +- while (comp_ctx->status == ENA_CMD_SUBMITTED) { +- if ((((u32)jiffies_to_usecs(jiffies)) - start_time) > +- ADMIN_CMD_TIMEOUT_US) { ++ while (1) { ++ spin_lock_irqsave(&admin_queue->q_lock, flags); ++ ena_com_handle_admin_completion(admin_queue); ++ spin_unlock_irqrestore(&admin_queue->q_lock, flags); ++ ++ if (comp_ctx->status != ENA_CMD_SUBMITTED) ++ break; ++ ++ if (time_is_before_jiffies(timeout)) { + pr_err("Wait for completion (polling) timeout\n"); + /* ENA didn't have any completion */ + spin_lock_irqsave(&admin_queue->q_lock, flags); +@@ -528,10 +533,6 @@ static int ena_com_wait_and_process_admi + goto err; + } + +- spin_lock_irqsave(&admin_queue->q_lock, flags); +- ena_com_handle_admin_completion(admin_queue); +- spin_unlock_irqrestore(&admin_queue->q_lock, flags); +- + msleep(100); + } + diff --git a/queue-4.9/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch b/queue-4.9/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch new file mode 100644 index 00000000000..da2f0e01379 --- /dev/null +++ b/queue-4.9/net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Grygorii Strashko +Date: Mon, 8 May 2017 14:21:21 -0500 +Subject: net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control + +From: Grygorii Strashko + + +[ Upstream commit 48f5bccc60675f8426a6159935e8636a1fd89f56 ] + +When users set flow control using ethtool the bits are set properly in the +CPGMAC_SL MACCONTROL register, but the FIFO depth in the respective Port n +Maximum FIFO Blocks (Pn_MAX_BLKS) registers remains set to the minimum size +reset value. When receive flow control is enabled on a port, the port's +associated FIFO block allocation must be adjusted. The port RX allocation +must increase to accommodate the flow control runout. The TRM recommends +numbers of 5 or 6. + +Hence, apply required Port FIFO configuration to +Pn_MAX_BLKS.Pn_TX_MAX_BLKS=0xF and Pn_MAX_BLKS.Pn_RX_MAX_BLKS=0x5 during +interface initialization. + +Cc: Schuyler Patton +Signed-off-by: Grygorii Strashko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/cpsw.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/net/ethernet/ti/cpsw.c ++++ b/drivers/net/ethernet/ti/cpsw.c +@@ -282,6 +282,10 @@ struct cpsw_ss_regs { + /* Bit definitions for the CPSW1_TS_SEQ_LTYPE register */ + #define CPSW_V1_SEQ_ID_OFS_SHIFT 16 + ++#define CPSW_MAX_BLKS_TX 15 ++#define CPSW_MAX_BLKS_TX_SHIFT 4 ++#define CPSW_MAX_BLKS_RX 5 ++ + struct cpsw_host_regs { + u32 max_blks; + u32 blk_cnt; +@@ -1160,11 +1164,23 @@ static void cpsw_slave_open(struct cpsw_ + switch (cpsw->version) { + case CPSW_VERSION_1: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW1_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW1_MAX_BLKS); + break; + case CPSW_VERSION_2: + case CPSW_VERSION_3: + case CPSW_VERSION_4: + slave_write(slave, TX_PRIORITY_MAPPING, CPSW2_TX_PRI_MAP); ++ /* Increase RX FIFO size to 5 for supporting fullduplex ++ * flow control mode ++ */ ++ slave_write(slave, ++ (CPSW_MAX_BLKS_TX << CPSW_MAX_BLKS_TX_SHIFT) | ++ CPSW_MAX_BLKS_RX, CPSW2_MAX_BLKS); + break; + } + diff --git a/queue-4.9/net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch b/queue-4.9/net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch new file mode 100644 index 00000000000..badcbd12fee --- /dev/null +++ b/queue-4.9/net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch @@ -0,0 +1,39 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Fabio Estevam +Date: Fri, 9 Jun 2017 22:37:22 -0300 +Subject: net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272 + +From: Fabio Estevam + + +[ Upstream commit bf292f1b2c813f1d6ac49b04bd1a9863d8314266 ] + +Commit 2b30842b23b9 ("net: fec: Clear and enable MIB counters on imx51") +introduced fec_enet_clear_ethtool_stats(), but missed to add a stub +for the CONFIG_M5272=y case, causing build failure for the +m5272c3_defconfig. + +Add the missing empty stub to fix the build failure. + +Reported-by: Paul Gortmaker +Signed-off-by: Fabio Estevam +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fec_main.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/ethernet/freescale/fec_main.c ++++ b/drivers/net/ethernet/freescale/fec_main.c +@@ -2371,6 +2371,10 @@ static int fec_enet_get_sset_count(struc + static inline void fec_enet_update_ethtool_stats(struct net_device *dev) + { + } ++ ++static inline void fec_enet_clear_ethtool_stats(struct net_device *dev) ++{ ++} + #endif /* !defined(CONFIG_M5272) */ + + static int fec_enet_nway_reset(struct net_device *dev) diff --git a/queue-4.9/net-freescale-fix-potential-null-pointer-dereference.patch b/queue-4.9/net-freescale-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..e460b5ad156 --- /dev/null +++ b/queue-4.9/net-freescale-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Tue, 30 May 2017 17:38:43 -0500 +Subject: net: freescale: fix potential null pointer dereference + +From: "Gustavo A. R. Silva" + + +[ Upstream commit 06d2d6431bc8d41ef5ffd8bd4b52cea9f72aed22 ] + +Add NULL check before dereferencing pointer _id_ in order to avoid +a potential NULL pointer dereference. + +Addresses-Coverity-ID: 1397995 +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/freescale/fsl_pq_mdio.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/freescale/fsl_pq_mdio.c ++++ b/drivers/net/ethernet/freescale/fsl_pq_mdio.c +@@ -381,7 +381,7 @@ static int fsl_pq_mdio_probe(struct plat + { + const struct of_device_id *id = + of_match_device(fsl_pq_mdio_match, &pdev->dev); +- const struct fsl_pq_mdio_data *data = id->data; ++ const struct fsl_pq_mdio_data *data; + struct device_node *np = pdev->dev.of_node; + struct resource res; + struct device_node *tbi; +@@ -389,6 +389,13 @@ static int fsl_pq_mdio_probe(struct plat + struct mii_bus *new_bus; + int err; + ++ if (!id) { ++ dev_err(&pdev->dev, "Failed to match device\n"); ++ return -ENODEV; ++ } ++ ++ data = id->data; ++ + dev_dbg(&pdev->dev, "found %s compatible node\n", id->compatible); + + new_bus = mdiobus_alloc_size(sizeof(*priv)); diff --git a/queue-4.9/net-ieee802154-fix-net_device-reference-release-too-early.patch b/queue-4.9/net-ieee802154-fix-net_device-reference-release-too-early.patch new file mode 100644 index 00000000000..07e8adee201 --- /dev/null +++ b/queue-4.9/net-ieee802154-fix-net_device-reference-release-too-early.patch @@ -0,0 +1,176 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Lin Zhang +Date: Tue, 23 May 2017 13:29:39 +0800 +Subject: net: ieee802154: fix net_device reference release too early + +From: Lin Zhang + + +[ Upstream commit a611c58b3d42a92e6b23423e166dd17c0c7fffce ] + +This patch fixes the kernel oops when release net_device reference in +advance. In function raw_sendmsg(i think the dgram_sendmsg has the same +problem), there is a race condition between dev_put and dev_queue_xmit +when the device is gong that maybe lead to dev_queue_ximt to see +an illegal net_device pointer. + +My test kernel is 3.13.0-32 and because i am not have a real 802154 +device, so i change lowpan_newlink function to this: + + /* find and hold real wpan device */ + real_dev = dev_get_by_index(src_net, nla_get_u32(tb[IFLA_LINK])); + if (!real_dev) + return -ENODEV; +// if (real_dev->type != ARPHRD_IEEE802154) { +// dev_put(real_dev); +// return -EINVAL; +// } + lowpan_dev_info(dev)->real_dev = real_dev; + lowpan_dev_info(dev)->fragment_tag = 0; + mutex_init(&lowpan_dev_info(dev)->dev_list_mtx); + +Also, in order to simulate preempt, i change the raw_sendmsg function +to this: + + skb->dev = dev; + skb->sk = sk; + skb->protocol = htons(ETH_P_IEEE802154); + dev_put(dev); + //simulate preempt + schedule_timeout_uninterruptible(30 * HZ); + err = dev_queue_xmit(skb); + if (err > 0) + err = net_xmit_errno(err); + +and this is my userspace test code named test_send_data: + +int main(int argc, char **argv) +{ + char buf[127]; + int sockfd; + sockfd = socket(AF_IEEE802154, SOCK_RAW, 0); + if (sockfd < 0) { + printf("create sockfd error: %s\n", strerror(errno)); + return -1; + } + send(sockfd, buf, sizeof(buf), 0); + return 0; +} + +This is my test case: + +root@zhanglin-x-computer:~/develop/802154# uname -a +Linux zhanglin-x-computer 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 +03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux +root@zhanglin-x-computer:~/develop/802154# ip link add link eth0 name +lowpan0 type lowpan +root@zhanglin-x-computer:~/develop/802154# +//keep the lowpan0 device down +root@zhanglin-x-computer:~/develop/802154# ./test_send_data & +//wait a while +root@zhanglin-x-computer:~/develop/802154# ip link del link dev lowpan0 +//the device is gone +//oops +[381.303307] general protection fault: 0000 [#1]SMP +[381.303407] Modules linked in: af_802154 6lowpan bnep rfcomm +bluetooth nls_iso8859_1 snd_hda_codec_hdmi snd_hda_codec_realtek +rts5139(C) snd_hda_intel +snd_had_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi +snd_seq_midi_event snd_rawmidi snd_req intel_rapl snd_seq_device +coretemp i915 kvm_intel +kvm snd_timer snd crct10dif_pclmul crc32_pclmul ghash_clmulni_intel +cypted drm_kms_helper drm i2c_algo_bit soundcore video mac_hid +parport_pc ppdev ip parport hid_generic +usbhid hid ahci r8169 mii libahdi +[381.304286] CPU:1 PID: 2524 Commm: 1 Tainted: G C 0 3.13.0-32-generic +[381.304409] Hardware name: Haier Haier DT Computer/Haier DT Codputer, +BIOS FIBT19H02_X64 06/09/2014 +[381.304546] tasks: ffff000096965fc0 ti: ffffB0013779c000 task.ti: +ffffB8013779c000 +[381.304659] RIP: 0010:[] [] +__dev_queue_ximt+0x61/0x500 +[381.304798] RSP: 0018:ffffB8013779dca0 EFLAGS: 00010202 +[381.304880] RAX: 272b031d57565351 RBX: 0000000000000000 RCX: ffff8800968f1a00 +[381.304987] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8800968f1a00 +[381.305095] RBP: ffff8e013773dce0 R08: 0000000000000266 R09: 0000000000000004 +[381.305202] R10: 0000000000000004 R11: 0000000000000005 R12: ffff88013902e000 +[381.305310] R13: 000000000000007f R14: 000000000000007f R15: ffff8800968f1a00 +[381.305418] FS: 00007fc57f50f740(0000) GS: ffff88013fc80000(0000) +knlGS: 0000000000000000 +[381.305540] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[381.305627] CR2: 00007fad0841c000 CR3: 00000001368dd000 CR4: 00000000001007e0 +[361.905734] Stack: +[381.305768] 00000000002052d0 000000003facb30a ffff88013779dcc0 +ffff880137764000 +[381.305898] ffff88013779de70 000000000000007f 000000000000007f +ffff88013902e000 +[381.306026] ffff88013779dcf0 ffffffff81622490 ffff88013779dd39 +ffffffffa03af9f1 +[381.306155] Call Trace: +[381.306202] [] dev_queue_xmit+0x10/0x20 +[381.306294] [] raw_sendmsg+0x1b1/0x270 [af_802154] +[381.306396] [] ieee802154_sock_sendmsg+0x14/0x20 [af_802154] +[381.306512] [] sock_sendmsg+0x8b/0xc0 +[381.306600] [] ? __d_alloc+0x25/0x180 +[381.306687] [] ? kmem_cache_alloc_trace+0x1c6/0x1f0 +[381.306791] [] SYSC_sendto+0x121/0x1c0 +[381.306878] [] ? vtime_account_user+x54/0x60 +[381.306975] [] ? syscall_trace_enter+0x145/0x250 +[381.307073] [] SyS_sendto+0xe/0x10 +[381.307156] [] tracesys+0xe1/0xe6 +[381.307233] Code: c6 a1 a4 ff 41 8b 57 78 49 8b 47 20 85 d2 48 8b 80 +78 07 00 00 75 21 49 8b 57 18 48 85 d2 74 18 48 85 c0 74 13 8b 92 ac +01 00 00 <3b> 50 10 73 08 8b 44 90 14 41 89 47 78 41 f6 84 24 d5 00 00 +00 +[381.307801] RIP [] _dev_queue_xmit+0x61/0x500 +[381.307901] RSP +[381.347512] Kernel panic - not syncing: Fatal exception in interrupt +[381.347747] drm_kms_helper: panic occurred, switching back to text console + +In my opinion, there is always exist a chance that the device is gong +before call dev_queue_xmit. + +I think the latest kernel is have the same problem and that +dev_put should be behind of the dev_queue_xmit. + +Signed-off-by: Lin Zhang +Acked-by: Stefan Schmidt +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ieee802154/socket.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ieee802154/socket.c ++++ b/net/ieee802154/socket.c +@@ -304,12 +304,12 @@ static int raw_sendmsg(struct sock *sk, + skb->sk = sk; + skb->protocol = htons(ETH_P_IEEE802154); + +- dev_put(dev); +- + err = dev_queue_xmit(skb); + if (err > 0) + err = net_xmit_errno(err); + ++ dev_put(dev); ++ + return err ?: size; + + out_skb: +@@ -693,12 +693,12 @@ static int dgram_sendmsg(struct sock *sk + skb->sk = sk; + skb->protocol = htons(ETH_P_IEEE802154); + +- dev_put(dev); +- + err = dev_queue_xmit(skb); + if (err > 0) + err = net_xmit_errno(err); + ++ dev_put(dev); ++ + return err ?: size; + + out_skb: diff --git a/queue-4.9/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch b/queue-4.9/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch new file mode 100644 index 00000000000..a92d3672087 --- /dev/null +++ b/queue-4.9/net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: linzhang +Date: Thu, 25 May 2017 14:07:18 +0800 +Subject: net: llc: add lock_sock in llc_ui_bind to avoid a race condition + +From: linzhang + + +[ Upstream commit 0908cf4dfef35fc6ac12329007052ebe93ff1081 ] + +There is a race condition in llc_ui_bind if two or more processes/threads +try to bind a same socket. + +If more processes/threads bind a same socket success that will lead to +two problems, one is this action is not what we expected, another is +will lead to kernel in unstable status or oops(in my simple test case, +cause llc2.ko can't unload). + +The current code is test SOCK_ZAPPED bit to avoid a process to +bind a same socket twice but that is can't avoid more processes/threads +try to bind a same socket at the same time. + +So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect. + +Signed-off-by: Lin Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/llc/af_llc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -309,6 +309,8 @@ static int llc_ui_bind(struct socket *so + int rc = -EINVAL; + + dprintk("%s: binding %02X\n", __func__, addr->sllc_sap); ++ ++ lock_sock(sk); + if (unlikely(!sock_flag(sk, SOCK_ZAPPED) || addrlen != sizeof(*addr))) + goto out; + rc = -EAFNOSUPPORT; +@@ -380,6 +382,7 @@ static int llc_ui_bind(struct socket *so + out_put: + llc_sap_put(sap); + out: ++ release_sock(sk); + return rc; + } + diff --git a/queue-4.9/net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch b/queue-4.9/net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch new file mode 100644 index 00000000000..732223258b4 --- /dev/null +++ b/queue-4.9/net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ido Shamay +Date: Mon, 5 Jun 2017 10:44:56 +0300 +Subject: net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport + +From: Ido Shamay + + +[ Upstream commit 269f9883fe254d109afdfc657875c456d6fabb08 ] + +The Granular QoS per VF feature must be enabled in FW before it can be +used. + +Thus, the driver cannot modify a QP's qos_vport value (via the UPDATE_QP FW +command) if the feature has not been enabled -- the FW returns an error if +this is attempted. + +Fixes: 08068cd5683f ("net/mlx4: Added qos_vport QP configuration in VST mode") +Signed-off-by: Ido Shamay +Signed-off-by: Jack Morgenstein +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/qp.c | 6 ++++++ + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 16 +++++++++++----- + 2 files changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -487,6 +487,12 @@ int mlx4_update_qp(struct mlx4_dev *dev, + } + + if (attr & MLX4_UPDATE_QP_QOS_VPORT) { ++ if (!(dev->caps.flags2 & MLX4_DEV_CAP_FLAG2_QOS_VPP)) { ++ mlx4_warn(dev, "Granular QoS per VF is not enabled\n"); ++ err = -EOPNOTSUPP; ++ goto out; ++ } ++ + qp_mask |= 1ULL << MLX4_UPD_QP_MASK_QOS_VPP; + cmd->qp_context.qos_vport = params->qos_vport; + } +--- a/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c ++++ b/drivers/net/ethernet/mellanox/mlx4/resource_tracker.c +@@ -5214,6 +5214,13 @@ void mlx4_delete_all_resources_for_slave + mutex_unlock(&priv->mfunc.master.res_tracker.slave_list[slave].mutex); + } + ++static void update_qos_vpp(struct mlx4_update_qp_context *ctx, ++ struct mlx4_vf_immed_vlan_work *work) ++{ ++ ctx->qp_mask |= cpu_to_be64(1ULL << MLX4_UPD_QP_MASK_QOS_VPP); ++ ctx->qp_context.qos_vport = work->qos_vport; ++} ++ + void mlx4_vf_immed_vlan_work_handler(struct work_struct *_work) + { + struct mlx4_vf_immed_vlan_work *work = +@@ -5328,11 +5335,10 @@ void mlx4_vf_immed_vlan_work_handler(str + qp->sched_queue & 0xC7; + upd_context->qp_context.pri_path.sched_queue |= + ((work->qos & 0x7) << 3); +- upd_context->qp_mask |= +- cpu_to_be64(1ULL << +- MLX4_UPD_QP_MASK_QOS_VPP); +- upd_context->qp_context.qos_vport = +- work->qos_vport; ++ ++ if (dev->caps.flags2 & ++ MLX4_DEV_CAP_FLAG2_QOS_VPP) ++ update_qos_vpp(upd_context, work); + } + + err = mlx4_cmd(dev, mailbox->dma, diff --git a/queue-4.9/net-mlx4-fix-the-check-in-attaching-steering-rules.patch b/queue-4.9/net-mlx4-fix-the-check-in-attaching-steering-rules.patch new file mode 100644 index 00000000000..1106ac38885 --- /dev/null +++ b/queue-4.9/net-mlx4-fix-the-check-in-attaching-steering-rules.patch @@ -0,0 +1,123 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Talat Batheesh +Date: Sun, 4 Jun 2017 14:30:07 +0300 +Subject: net/mlx4: Fix the check in attaching steering rules + +From: Talat Batheesh + + +[ Upstream commit 6dc06c08bef1c746ff8da33dab677cfbacdcad32 ] + +Our previous patch (cited below) introduced a regression +for RAW Eth QPs. + +Fix it by checking if the QP number provided by user-space +exists, hence allowing steering rules to be added for valid +QPs only. + +Fixes: 89c557687a32 ("net/mlx4_en: Avoid adding steering rules with invalid ring") +Reported-by: Or Gerlitz +Signed-off-by: Talat Batheesh +Signed-off-by: Tariq Toukan +Acked-by: Or Gerlitz +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 ----- + drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 +++++++++++---- + drivers/net/ethernet/mellanox/mlx4/qp.c | 13 +++++++++++++ + include/linux/mlx4/qp.h | 1 + + 4 files changed, 25 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1520,11 +1520,6 @@ static int mlx4_en_flow_replace(struct n + qpn = priv->drop_qp.qpn; + else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) { + qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1); +- if (qpn < priv->rss_map.base_qpn || +- qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) { +- en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn); +- return -EINVAL; +- } + } else { + if (cmd->fs.ring_cookie >= priv->rx_ring_num) { + en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n", +--- a/drivers/net/ethernet/mellanox/mlx4/mcg.c ++++ b/drivers/net/ethernet/mellanox/mlx4/mcg.c +@@ -35,6 +35,7 @@ + #include + + #include ++#include + #include + + #include "mlx4.h" +@@ -985,16 +986,21 @@ int mlx4_flow_attach(struct mlx4_dev *de + if (IS_ERR(mailbox)) + return PTR_ERR(mailbox); + ++ if (!mlx4_qp_lookup(dev, rule->qpn)) { ++ mlx4_err_rule(dev, "QP doesn't exist\n", rule); ++ ret = -EINVAL; ++ goto out; ++ } ++ + trans_rule_ctrl_to_hw(rule, mailbox->buf); + + size += sizeof(struct mlx4_net_trans_rule_hw_ctrl); + + list_for_each_entry(cur, &rule->list, list) { + ret = parse_trans_rule(dev, cur, mailbox->buf + size); +- if (ret < 0) { +- mlx4_free_cmd_mailbox(dev, mailbox); +- return ret; +- } ++ if (ret < 0) ++ goto out; ++ + size += ret; + } + +@@ -1021,6 +1027,7 @@ int mlx4_flow_attach(struct mlx4_dev *de + } + } + ++out: + mlx4_free_cmd_mailbox(dev, mailbox); + + return ret; +--- a/drivers/net/ethernet/mellanox/mlx4/qp.c ++++ b/drivers/net/ethernet/mellanox/mlx4/qp.c +@@ -387,6 +387,19 @@ static void mlx4_qp_free_icm(struct mlx4 + __mlx4_qp_free_icm(dev, qpn); + } + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn) ++{ ++ struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table; ++ struct mlx4_qp *qp; ++ ++ spin_lock(&qp_table->lock); ++ ++ qp = __mlx4_qp_lookup(dev, qpn); ++ ++ spin_unlock(&qp_table->lock); ++ return qp; ++} ++ + int mlx4_qp_alloc(struct mlx4_dev *dev, int qpn, struct mlx4_qp *qp, gfp_t gfp) + { + struct mlx4_priv *priv = mlx4_priv(dev); +--- a/include/linux/mlx4/qp.h ++++ b/include/linux/mlx4/qp.h +@@ -470,6 +470,7 @@ struct mlx4_update_qp_params { + u16 rate_val; + }; + ++struct mlx4_qp *mlx4_qp_lookup(struct mlx4_dev *dev, u32 qpn); + int mlx4_update_qp(struct mlx4_dev *dev, u32 qpn, + enum mlx4_update_qp_attr attr, + struct mlx4_update_qp_params *params); diff --git a/queue-4.9/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch b/queue-4.9/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch new file mode 100644 index 00000000000..32d1be44a6d --- /dev/null +++ b/queue-4.9/net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch @@ -0,0 +1,37 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Talat Batheesh +Date: Tue, 9 May 2017 14:45:23 +0300 +Subject: net/mlx4_en: Avoid adding steering rules with invalid ring + +From: Talat Batheesh + + +[ Upstream commit 89c557687a32c294e9d25670a96e9287c09f2d5f ] + +Inserting steering rules with illegal ring is an invalid operation, +block it. + +Fixes: 820672812f82 ('net/mlx4_en: Manage flow steering rules with ethtool') +Signed-off-by: Talat Batheesh +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_ethtool.c +@@ -1520,6 +1520,11 @@ static int mlx4_en_flow_replace(struct n + qpn = priv->drop_qp.qpn; + else if (cmd->fs.ring_cookie & EN_ETHTOOL_QP_ATTACH) { + qpn = cmd->fs.ring_cookie & (EN_ETHTOOL_QP_ATTACH - 1); ++ if (qpn < priv->rss_map.base_qpn || ++ qpn >= priv->rss_map.base_qpn + priv->rx_ring_num) { ++ en_warn(priv, "rxnfc: QP (0x%x) doesn't exist\n", qpn); ++ return -EINVAL; ++ } + } else { + if (cmd->fs.ring_cookie >= priv->rx_ring_num) { + en_warn(priv, "rxnfc: RX ring (%llu) doesn't exist\n", diff --git a/queue-4.9/net-mlx4_en-change-default-qos-settings.patch b/queue-4.9/net-mlx4_en-change-default-qos-settings.patch new file mode 100644 index 00000000000..b9716268541 --- /dev/null +++ b/queue-4.9/net-mlx4_en-change-default-qos-settings.patch @@ -0,0 +1,89 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Moni Shoua +Date: Thu, 28 Dec 2017 16:26:11 +0200 +Subject: net/mlx4_en: Change default QoS settings + +From: Moni Shoua + + +[ Upstream commit a42b63c1ac1986f17f71bc91a6b0aaa14d4dae71 ] + +Change the default mapping between TC and TCG as follows: + +Prio | TC/TCG + | from to + | (set by FW) (set by SW) +---------+----------------------------------- +0 | 0/0 0/7 +1 | 1/0 0/6 +2 | 2/0 0/5 +3 | 3/0 0/4 +4 | 4/0 0/3 +5 | 5/0 0/2 +6 | 6/0 0/1 +7 | 7/0 0/0 + +These new settings cause that a pause frame for any prio stops +traffic for all prios. + +Fixes: 564c274c3df0 ("net/mlx4_en: DCB QoS support") +Signed-off-by: Moni Shoua +Signed-off-by: Maor Gottlieb +Signed-off-by: Tariq Toukan +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 5 +++++ + drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 7 +++++++ + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 + + 3 files changed, 13 insertions(+) + +--- a/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c +@@ -310,6 +310,7 @@ static int mlx4_en_ets_validate(struct m + } + + switch (ets->tc_tsa[i]) { ++ case IEEE_8021QAZ_TSA_VENDOR: + case IEEE_8021QAZ_TSA_STRICT: + break; + case IEEE_8021QAZ_TSA_ETS: +@@ -347,6 +348,10 @@ static int mlx4_en_config_port_scheduler + /* higher TC means higher priority => lower pg */ + for (i = IEEE_8021QAZ_MAX_TCS - 1; i >= 0; i--) { + switch (ets->tc_tsa[i]) { ++ case IEEE_8021QAZ_TSA_VENDOR: ++ pg[i] = MLX4_EN_TC_VENDOR; ++ tc_tx_bw[i] = MLX4_EN_BW_MAX; ++ break; + case IEEE_8021QAZ_TSA_STRICT: + pg[i] = num_strict++; + tc_tx_bw[i] = MLX4_EN_BW_MAX; +--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c +@@ -3125,6 +3125,13 @@ int mlx4_en_init_netdev(struct mlx4_en_d + priv->msg_enable = MLX4_EN_MSG_LEVEL; + #ifdef CONFIG_MLX4_EN_DCB + if (!mlx4_is_slave(priv->mdev->dev)) { ++ u8 prio; ++ ++ for (prio = 0; prio < IEEE_8021QAZ_MAX_TCS; ++prio) { ++ priv->ets.prio_tc[prio] = prio; ++ priv->ets.tc_tsa[prio] = IEEE_8021QAZ_TSA_VENDOR; ++ } ++ + priv->dcbx_cap = DCB_CAP_DCBX_VER_CEE | DCB_CAP_DCBX_HOST | + DCB_CAP_DCBX_VER_IEEE; + priv->flags |= MLX4_EN_DCB_ENABLED; +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -472,6 +472,7 @@ struct mlx4_en_frag_info { + #define MLX4_EN_BW_MIN 1 + #define MLX4_EN_BW_MAX 100 /* Utilize 100% of the line */ + ++#define MLX4_EN_TC_VENDOR 0 + #define MLX4_EN_TC_ETS 7 + + enum dcb_pfc_type { diff --git a/queue-4.9/net-mlx5-avoid-build-warning-for-uniprocessor.patch b/queue-4.9/net-mlx5-avoid-build-warning-for-uniprocessor.patch new file mode 100644 index 00000000000..bb090765f1c --- /dev/null +++ b/queue-4.9/net-mlx5-avoid-build-warning-for-uniprocessor.patch @@ -0,0 +1,45 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arnd Bergmann +Date: Mon, 29 May 2017 15:00:17 +0200 +Subject: net/mlx5: avoid build warning for uniprocessor + +From: Arnd Bergmann + + +[ Upstream commit f0d7ae95fff4ab444b8433f07afc4b077ef1a285 ] + +Building the driver with CONFIG_SMP disabled results in a harmless +warning: + +ethernet/mellanox/mlx5/core/main.c: In function 'mlx5_irq_set_affinity_hint': +ethernet/mellanox/mlx5/core/main.c:615:6: error: unused variable 'irq' [-Werror=unused-variable] + +It's better to express the conditional compilation using IS_ENABLED() +here, as that lets the compiler see what the intented use for the variable +is, and that it can be silently discarded. + +Fixes: b665d98edc9a ("net/mlx5: Tolerate irq_set_affinity_hint() failures") +Signed-off-by: Arnd Bergmann +Acked-by: Saeed Mahameed +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -557,10 +557,9 @@ static int mlx5_irq_set_affinity_hint(st + cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node), + priv->irq_info[i].mask); + +-#ifdef CONFIG_SMP +- if (irq_set_affinity_hint(irq, priv->irq_info[i].mask)) ++ if (IS_ENABLED(CONFIG_SMP) && ++ irq_set_affinity_hint(irq, priv->irq_info[i].mask)) + mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq); +-#endif + + return 0; + } diff --git a/queue-4.9/net-mlx5-tolerate-irq_set_affinity_hint-failures.patch b/queue-4.9/net-mlx5-tolerate-irq_set_affinity_hint-failures.patch new file mode 100644 index 00000000000..8b0fbe5a06e --- /dev/null +++ b/queue-4.9/net-mlx5-tolerate-irq_set_affinity_hint-failures.patch @@ -0,0 +1,62 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tariq Toukan +Date: Thu, 18 May 2017 13:34:43 +0300 +Subject: net/mlx5: Tolerate irq_set_affinity_hint() failures + +From: Tariq Toukan + + +[ Upstream commit b665d98edc9ab295169be2fc5bb4e89a46de0a1a ] + +Add tolerance to failures of irq_set_affinity_hint(). +Its role is to give hints that optimizes performance, +and should not block the driver load. + +In non-SMP systems, functionality is not available as +there is a single core, and all these calls definitely +fail. Hence, do not call the function and avoid the +warning prints. + +Fixes: db058a186f98 ("net/mlx5_core: Set irq affinity hints") +Signed-off-by: Tariq Toukan +Cc: kernel-team@fb.com +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/mellanox/mlx5/core/main.c | 15 ++++----------- + 1 file changed, 4 insertions(+), 11 deletions(-) + +--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c +@@ -548,7 +548,6 @@ static int mlx5_irq_set_affinity_hint(st + struct mlx5_priv *priv = &mdev->priv; + struct msix_entry *msix = priv->msix_arr; + int irq = msix[i + MLX5_EQ_VEC_COMP_BASE].vector; +- int err; + + if (!zalloc_cpumask_var(&priv->irq_info[i].mask, GFP_KERNEL)) { + mlx5_core_warn(mdev, "zalloc_cpumask_var failed"); +@@ -558,18 +557,12 @@ static int mlx5_irq_set_affinity_hint(st + cpumask_set_cpu(cpumask_local_spread(i, priv->numa_node), + priv->irq_info[i].mask); + +- err = irq_set_affinity_hint(irq, priv->irq_info[i].mask); +- if (err) { +- mlx5_core_warn(mdev, "irq_set_affinity_hint failed,irq 0x%.4x", +- irq); +- goto err_clear_mask; +- } ++#ifdef CONFIG_SMP ++ if (irq_set_affinity_hint(irq, priv->irq_info[i].mask)) ++ mlx5_core_warn(mdev, "irq_set_affinity_hint failed, irq 0x%.4x", irq); ++#endif + + return 0; +- +-err_clear_mask: +- free_cpumask_var(priv->irq_info[i].mask); +- return err; + } + + static void mlx5_irq_clear_affinity_hint(struct mlx5_core_dev *mdev, int i) diff --git a/queue-4.9/net-move-somaxconn-init-from-sysctl-code.patch b/queue-4.9/net-move-somaxconn-init-from-sysctl-code.patch new file mode 100644 index 00000000000..1163fba59ef --- /dev/null +++ b/queue-4.9/net-move-somaxconn-init-from-sysctl-code.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Roman Kapl +Date: Wed, 24 May 2017 10:22:22 +0200 +Subject: net: move somaxconn init from sysctl code + +From: Roman Kapl + + +[ Upstream commit 7c3f1875c66fbc19762760097cabc91849ea0bbb ] + +The default value for somaxconn is set in sysctl_core_net_init(), but this +function is not called when kernel is configured without CONFIG_SYSCTL. + +This results in the kernel not being able to accept TCP connections, +because the backlog has zero size. Usually, the user ends up with: +"TCP: request_sock_TCP: Possible SYN flooding on port 7. Dropping request. Check SNMP counters." +If SYN cookies are not enabled the connection is rejected. + +Before ef547f2ac16 (tcp: remove max_qlen_log), the effects were less +severe, because the backlog was always at least eight slots long. + +Signed-off-by: Roman Kapl +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net_namespace.c | 19 +++++++++++++++++++ + net/core/sysctl_net_core.c | 2 -- + 2 files changed, 19 insertions(+), 2 deletions(-) + +--- a/net/core/net_namespace.c ++++ b/net/core/net_namespace.c +@@ -312,6 +312,25 @@ out_undo: + goto out; + } + ++static int __net_init net_defaults_init_net(struct net *net) ++{ ++ net->core.sysctl_somaxconn = SOMAXCONN; ++ return 0; ++} ++ ++static struct pernet_operations net_defaults_ops = { ++ .init = net_defaults_init_net, ++}; ++ ++static __init int net_defaults_init(void) ++{ ++ if (register_pernet_subsys(&net_defaults_ops)) ++ panic("Cannot initialize net default settings"); ++ ++ return 0; ++} ++ ++core_initcall(net_defaults_init); + + #ifdef CONFIG_NET_NS + static struct ucounts *inc_net_namespaces(struct user_namespace *ns) +--- a/net/core/sysctl_net_core.c ++++ b/net/core/sysctl_net_core.c +@@ -438,8 +438,6 @@ static __net_init int sysctl_core_net_in + { + struct ctl_table *tbl; + +- net->core.sysctl_somaxconn = SOMAXCONN; +- + tbl = netns_core_table; + if (!net_eq(net, &init_net)) { + tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL); diff --git a/queue-4.9/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch b/queue-4.9/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch new file mode 100644 index 00000000000..effbf1efc84 --- /dev/null +++ b/queue-4.9/net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Russell King +Date: Mon, 5 Jun 2017 12:22:55 +0100 +Subject: net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support + +From: Russell King + + +[ Upstream commit 41408ad519f7a2a1c5229e61f2a97f4df1b61adc ] + +Avoid calling genphy_aneg_done() for PHYs that do not implement the +Clause 22 register set. + +Clause 45 PHYs may implement the Clause 22 register set along with the +Clause 22 extension MMD. Hence, we can't simply block access to the +Clause 22 functions based on the PHY being a Clause 45 PHY. + +Signed-off-by: Russell King +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/phy.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/phy/phy.c ++++ b/drivers/net/phy/phy.c +@@ -148,6 +148,12 @@ static inline int phy_aneg_done(struct p + if (phydev->drv->aneg_done) + return phydev->drv->aneg_done(phydev); + ++ /* Avoid genphy_aneg_done() if the Clause 45 PHY does not ++ * implement Clause 22 registers ++ */ ++ if (phydev->is_c45 && !(phydev->c45_ids.devices_in_package & BIT(0))) ++ return -EINVAL; ++ + return genphy_aneg_done(phydev); + } + diff --git a/queue-4.9/net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch b/queue-4.9/net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch new file mode 100644 index 00000000000..80c64b84093 --- /dev/null +++ b/queue-4.9/net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch @@ -0,0 +1,103 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Leonard Crestez +Date: Wed, 31 May 2017 13:29:30 +0300 +Subject: net: phy: micrel: Restore led_mode and clk_sel on resume + +From: Leonard Crestez + + +[ Upstream commit 79e498a9c7da0737829ff864aae44df434105676 ] + +These bits seem to be lost after a suspend/resume cycle so just set them +again. Do this by splitting the handling of these bits into a function +that is also called on resume. + +This patch fixes ethernet suspend/resume on imx6ul-14x14-evk boards. + +Signed-off-by: Leonard Crestez +Reviewed-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/micrel.c | 42 ++++++++++++++++++++++++++++-------------- + 1 file changed, 28 insertions(+), 14 deletions(-) + +--- a/drivers/net/phy/micrel.c ++++ b/drivers/net/phy/micrel.c +@@ -268,23 +268,12 @@ out: + return ret; + } + +-static int kszphy_config_init(struct phy_device *phydev) ++/* Some config bits need to be set again on resume, handle them here. */ ++static int kszphy_config_reset(struct phy_device *phydev) + { + struct kszphy_priv *priv = phydev->priv; +- const struct kszphy_type *type; + int ret; + +- if (!priv) +- return 0; +- +- type = priv->type; +- +- if (type->has_broadcast_disable) +- kszphy_broadcast_disable(phydev); +- +- if (type->has_nand_tree_disable) +- kszphy_nand_tree_disable(phydev); +- + if (priv->rmii_ref_clk_sel) { + ret = kszphy_rmii_clk_sel(phydev, priv->rmii_ref_clk_sel_val); + if (ret) { +@@ -295,7 +284,7 @@ static int kszphy_config_init(struct phy + } + + if (priv->led_mode >= 0) +- kszphy_setup_led(phydev, type->led_mode_reg, priv->led_mode); ++ kszphy_setup_led(phydev, priv->type->led_mode_reg, priv->led_mode); + + if (phy_interrupt_is_valid(phydev)) { + int ctl = phy_read(phydev, MII_BMCR); +@@ -311,6 +300,25 @@ static int kszphy_config_init(struct phy + return 0; + } + ++static int kszphy_config_init(struct phy_device *phydev) ++{ ++ struct kszphy_priv *priv = phydev->priv; ++ const struct kszphy_type *type; ++ ++ if (!priv) ++ return 0; ++ ++ type = priv->type; ++ ++ if (type->has_broadcast_disable) ++ kszphy_broadcast_disable(phydev); ++ ++ if (type->has_nand_tree_disable) ++ kszphy_nand_tree_disable(phydev); ++ ++ return kszphy_config_reset(phydev); ++} ++ + static int ksz8041_config_init(struct phy_device *phydev) + { + struct device_node *of_node = phydev->mdio.dev.of_node; +@@ -715,8 +723,14 @@ static int kszphy_suspend(struct phy_dev + + static int kszphy_resume(struct phy_device *phydev) + { ++ int ret; ++ + genphy_resume(phydev); + ++ ret = kszphy_config_reset(phydev); ++ if (ret) ++ return ret; ++ + /* Enable PHY Interrupts */ + if (phy_interrupt_is_valid(phydev)) { + phydev->interrupts = PHY_INTERRUPT_ENABLED; diff --git a/queue-4.9/net-qca_spi-fix-alignment-issues-in-rx-path.patch b/queue-4.9/net-qca_spi-fix-alignment-issues-in-rx-path.patch new file mode 100644 index 00000000000..6be38144761 --- /dev/null +++ b/queue-4.9/net-qca_spi-fix-alignment-issues-in-rx-path.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Stefan Wahren +Date: Tue, 9 May 2017 15:40:38 +0200 +Subject: net: qca_spi: Fix alignment issues in rx path + +From: Stefan Wahren + + +[ Upstream commit 8d66c30b12ed3cb533696dea8b9a9eadd5da426a ] + +The qca_spi driver causes alignment issues on ARM devices. +So fix this by using netdev_alloc_skb_ip_align(). + +Signed-off-by: Stefan Wahren +Fixes: 291ab06ecf67 ("net: qualcomm: new Ethernet over SPI driver for QCA7000") +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/qca_spi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/qualcomm/qca_spi.c ++++ b/drivers/net/ethernet/qualcomm/qca_spi.c +@@ -296,8 +296,9 @@ qcaspi_receive(struct qcaspi *qca) + + /* Allocate rx SKB if we don't have one available. */ + if (!qca->rx_skb) { +- qca->rx_skb = netdev_alloc_skb(net_dev, +- net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, ++ net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); + qca->stats.out_of_mem++; +@@ -377,7 +378,7 @@ qcaspi_receive(struct qcaspi *qca) + qca->rx_skb, qca->rx_skb->dev); + qca->rx_skb->ip_summed = CHECKSUM_UNNECESSARY; + netif_rx_ni(qca->rx_skb); +- qca->rx_skb = netdev_alloc_skb(net_dev, ++ qca->rx_skb = netdev_alloc_skb_ip_align(net_dev, + net_dev->mtu + VLAN_ETH_HLEN); + if (!qca->rx_skb) { + netdev_dbg(net_dev, "out of RX resources\n"); +@@ -759,7 +760,8 @@ qcaspi_netdev_init(struct net_device *de + if (!qca->rx_buffer) + return -ENOBUFS; + +- qca->rx_skb = netdev_alloc_skb(dev, qca->net_dev->mtu + VLAN_ETH_HLEN); ++ qca->rx_skb = netdev_alloc_skb_ip_align(dev, qca->net_dev->mtu + ++ VLAN_ETH_HLEN); + if (!qca->rx_skb) { + kfree(qca->rx_buffer); + netdev_info(qca->net_dev, "Failed to allocate RX sk_buff.\n"); diff --git a/queue-4.9/net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch new file mode 100644 index 00000000000..03788e6114d --- /dev/null +++ b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Holger Brunck +Date: Wed, 17 May 2017 17:24:35 +0200 +Subject: net/wan/fsl_ucc_hdlc: fix incorrect memory allocation + +From: Holger Brunck + + +[ Upstream commit 5b8aad93c52bdda6a731cab8497998cfa0f2df07 ] + +We need space for the struct qe_bd and not for a pointer to this struct. + +Signed-off-by: Holger Brunck +Cc: Zhao Qiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -137,7 +137,7 @@ static int uhdlc_init(struct ucc_hdlc_pr + priv->tx_ring_size = TX_BD_RING_LEN; + /* Alloc Rx BD */ + priv->rx_bd_base = dma_alloc_coherent(priv->dev, +- RX_BD_RING_LEN * sizeof(struct qe_bd *), ++ RX_BD_RING_LEN * sizeof(struct qe_bd), + &priv->dma_rx_bd, GFP_KERNEL); + + if (!priv->rx_bd_base) { +@@ -148,7 +148,7 @@ static int uhdlc_init(struct ucc_hdlc_pr + + /* Alloc Tx BD */ + priv->tx_bd_base = dma_alloc_coherent(priv->dev, +- TX_BD_RING_LEN * sizeof(struct qe_bd *), ++ TX_BD_RING_LEN * sizeof(struct qe_bd), + &priv->dma_tx_bd, GFP_KERNEL); + + if (!priv->tx_bd_base) { +@@ -295,11 +295,11 @@ free_ucc_pram: + qe_muram_free(priv->ucc_pram_offset); + free_tx_bd: + dma_free_coherent(priv->dev, +- TX_BD_RING_LEN * sizeof(struct qe_bd *), ++ TX_BD_RING_LEN * sizeof(struct qe_bd), + priv->tx_bd_base, priv->dma_tx_bd); + free_rx_bd: + dma_free_coherent(priv->dev, +- RX_BD_RING_LEN * sizeof(struct qe_bd *), ++ RX_BD_RING_LEN * sizeof(struct qe_bd), + priv->rx_bd_base, priv->dma_rx_bd); + free_uccf: + ucc_fast_free(priv->uccf); +@@ -688,7 +688,7 @@ static void uhdlc_memclean(struct ucc_hd + + if (priv->rx_bd_base) { + dma_free_coherent(priv->dev, +- RX_BD_RING_LEN * sizeof(struct qe_bd *), ++ RX_BD_RING_LEN * sizeof(struct qe_bd), + priv->rx_bd_base, priv->dma_rx_bd); + + priv->rx_bd_base = NULL; +@@ -697,7 +697,7 @@ static void uhdlc_memclean(struct ucc_hd + + if (priv->tx_bd_base) { + dma_free_coherent(priv->dev, +- TX_BD_RING_LEN * sizeof(struct qe_bd *), ++ TX_BD_RING_LEN * sizeof(struct qe_bd), + priv->tx_bd_base, priv->dma_tx_bd); + + priv->tx_bd_base = NULL; diff --git a/queue-4.9/net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch new file mode 100644 index 00000000000..17aed68dc20 --- /dev/null +++ b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Holger Brunck +Date: Mon, 22 May 2017 09:31:15 +0200 +Subject: net/wan/fsl_ucc_hdlc: fix muram allocation error + +From: Holger Brunck + + +[ Upstream commit 85deed56032b6c98b541895bfda9bdd74f6ed987 ] + +sizeof(priv->ucc_pram) is 4 as it is the size of a pointer, but we want +to reserve space for the struct ucc_hdlc_param. + +Signed-off-by: Holger Brunck +Cc: Zhao Qiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -158,7 +158,7 @@ static int uhdlc_init(struct ucc_hdlc_pr + } + + /* Alloc parameter ram for ucc hdlc */ +- priv->ucc_pram_offset = qe_muram_alloc(sizeof(priv->ucc_pram), ++ priv->ucc_pram_offset = qe_muram_alloc(sizeof(struct ucc_hdlc_param), + ALIGNMENT_OF_UCC_HDLC_PRAM); + + if (priv->ucc_pram_offset < 0) { diff --git a/queue-4.9/net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch new file mode 100644 index 00000000000..7720d3a475b --- /dev/null +++ b/queue-4.9/net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Holger Brunck +Date: Wed, 17 May 2017 17:24:33 +0200 +Subject: net/wan/fsl_ucc_hdlc: fix unitialized variable warnings + +From: Holger Brunck + + +[ Upstream commit 66bb144bd9096dd5268ef736ba769b8b6f4ef100 ] + +This fixes the following compiler warnings: +drivers/net/wan/fsl_ucc_hdlc.c: In function 'ucc_hdlc_poll': +warning: 'skb' may be used uninitialized in this function +[-Wmaybe-uninitialized] + skb->mac_header = skb->data - skb->head; + +and + +drivers/net/wan/fsl_ucc_hdlc.c: In function 'ucc_hdlc_probe': +drivers/net/wan/fsl_ucc_hdlc.c:1127:3: warning: 'utdm' may be used +uninitialized in this function [-Wmaybe-uninitialized] + kfree(utdm); + +Signed-off-by: Holger Brunck +Cc: Zhao Qiang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/fsl_ucc_hdlc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wan/fsl_ucc_hdlc.c ++++ b/drivers/net/wan/fsl_ucc_hdlc.c +@@ -454,7 +454,7 @@ static int hdlc_tx_done(struct ucc_hdlc_ + static int hdlc_rx_done(struct ucc_hdlc_private *priv, int rx_work_limit) + { + struct net_device *dev = priv->ndev; +- struct sk_buff *skb; ++ struct sk_buff *skb = NULL; + hdlc_device *hdlc = dev_to_hdlc(dev); + struct qe_bd *bd; + u32 bd_status; +@@ -1002,7 +1002,7 @@ static int ucc_hdlc_probe(struct platfor + struct device_node *np = pdev->dev.of_node; + struct ucc_hdlc_private *uhdlc_priv = NULL; + struct ucc_tdm_info *ut_info; +- struct ucc_tdm *utdm; ++ struct ucc_tdm *utdm = NULL; + struct resource res; + struct net_device *dev; + hdlc_device *hdlc; diff --git a/queue-4.9/net-x25-fix-one-potential-use-after-free-issue.patch b/queue-4.9/net-x25-fix-one-potential-use-after-free-issue.patch new file mode 100644 index 00000000000..249011613d8 --- /dev/null +++ b/queue-4.9/net-x25-fix-one-potential-use-after-free-issue.patch @@ -0,0 +1,109 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: linzhang +Date: Wed, 17 May 2017 12:05:07 +0800 +Subject: net: x25: fix one potential use-after-free issue + +From: linzhang + + +[ Upstream commit 64df6d525fcff1630098db9238bfd2b3e092d5c1 ] + +The function x25_init is not properly unregister related resources +on error handler.It is will result in kernel oops if x25_init init +failed, so add properly unregister call on error handler. + +Also, i adjust the coding style and make x25_register_sysctl properly +return failure. + +Signed-off-by: linzhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/net/x25.h | 4 ++-- + net/x25/af_x25.c | 24 ++++++++++++++++-------- + net/x25/sysctl_net_x25.c | 5 ++++- + 3 files changed, 22 insertions(+), 11 deletions(-) + +--- a/include/net/x25.h ++++ b/include/net/x25.h +@@ -298,10 +298,10 @@ void x25_check_rbuf(struct sock *); + + /* sysctl_net_x25.c */ + #ifdef CONFIG_SYSCTL +-void x25_register_sysctl(void); ++int x25_register_sysctl(void); + void x25_unregister_sysctl(void); + #else +-static inline void x25_register_sysctl(void) {}; ++static inline int x25_register_sysctl(void) { return 0; }; + static inline void x25_unregister_sysctl(void) {}; + #endif /* CONFIG_SYSCTL */ + +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1790,32 +1790,40 @@ void x25_kill_by_neigh(struct x25_neigh + + static int __init x25_init(void) + { +- int rc = proto_register(&x25_proto, 0); ++ int rc; + +- if (rc != 0) ++ rc = proto_register(&x25_proto, 0); ++ if (rc) + goto out; + + rc = sock_register(&x25_family_ops); +- if (rc != 0) ++ if (rc) + goto out_proto; + + dev_add_pack(&x25_packet_type); + + rc = register_netdevice_notifier(&x25_dev_notifier); +- if (rc != 0) ++ if (rc) + goto out_sock; + +- pr_info("Linux Version 0.2\n"); ++ rc = x25_register_sysctl(); ++ if (rc) ++ goto out_dev; + +- x25_register_sysctl(); + rc = x25_proc_init(); +- if (rc != 0) +- goto out_dev; ++ if (rc) ++ goto out_sysctl; ++ ++ pr_info("Linux Version 0.2\n"); ++ + out: + return rc; ++out_sysctl: ++ x25_unregister_sysctl(); + out_dev: + unregister_netdevice_notifier(&x25_dev_notifier); + out_sock: ++ dev_remove_pack(&x25_packet_type); + sock_unregister(AF_X25); + out_proto: + proto_unregister(&x25_proto); +--- a/net/x25/sysctl_net_x25.c ++++ b/net/x25/sysctl_net_x25.c +@@ -73,9 +73,12 @@ static struct ctl_table x25_table[] = { + { 0, }, + }; + +-void __init x25_register_sysctl(void) ++int __init x25_register_sysctl(void) + { + x25_table_header = register_net_sysctl(&init_net, "net/x25", x25_table); ++ if (!x25_table_header) ++ return -ENOMEM; ++ return 0; + } + + void x25_unregister_sysctl(void) diff --git a/queue-4.9/netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch b/queue-4.9/netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch new file mode 100644 index 00000000000..87c3d0df710 --- /dev/null +++ b/queue-4.9/netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch @@ -0,0 +1,107 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Florian Westphal +Date: Sun, 21 May 2017 12:52:56 +0200 +Subject: netfilter: conntrack: don't call iter for non-confirmed conntracks + +From: Florian Westphal + + +[ Upstream commit b0feacaad13a0aa9657c37ed80991575981e2e3b ] + +nf_ct_iterate_cleanup_net currently calls iter() callback also for +conntracks on the unconfirmed list, but this is unsafe. + +Acesses to nf_conn are fine, but some users access the extension area +in the iter() callback, but that does only work reliably for confirmed +conntracks (ct->ext can be reallocated at any time for unconfirmed +conntrack). + +The seond issue is that there is a short window where a conntrack entry +is neither on the list nor in the table: To confirm an entry, it is first +removed from the unconfirmed list, then insert into the table. + +Fix this by iterating the unconfirmed list first and marking all entries +as dying, then wait for rcu grace period. + +This makes sure all entries that were about to be confirmed either are +in the main table, or will be dropped soon. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_core.c | 39 ++++++++++++++++++++++++++++---------- + 1 file changed, 29 insertions(+), 10 deletions(-) + +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1542,7 +1542,6 @@ get_next_corpse(struct net *net, int (*i + struct nf_conntrack_tuple_hash *h; + struct nf_conn *ct; + struct hlist_nulls_node *n; +- int cpu; + spinlock_t *lockp; + + for (; *bucket < nf_conntrack_htable_size; (*bucket)++) { +@@ -1564,24 +1563,40 @@ get_next_corpse(struct net *net, int (*i + cond_resched(); + } + ++ return NULL; ++found: ++ atomic_inc(&ct->ct_general.use); ++ spin_unlock(lockp); ++ local_bh_enable(); ++ return ct; ++} ++ ++static void ++__nf_ct_unconfirmed_destroy(struct net *net) ++{ ++ int cpu; ++ + for_each_possible_cpu(cpu) { +- struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); ++ struct nf_conntrack_tuple_hash *h; ++ struct hlist_nulls_node *n; ++ struct ct_pcpu *pcpu; ++ ++ pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); + + spin_lock_bh(&pcpu->lock); + hlist_nulls_for_each_entry(h, n, &pcpu->unconfirmed, hnnode) { ++ struct nf_conn *ct; ++ + ct = nf_ct_tuplehash_to_ctrack(h); +- if (iter(ct, data)) +- set_bit(IPS_DYING_BIT, &ct->status); ++ ++ /* we cannot call iter() on unconfirmed list, the ++ * owning cpu can reallocate ct->ext at any time. ++ */ ++ set_bit(IPS_DYING_BIT, &ct->status); + } + spin_unlock_bh(&pcpu->lock); + cond_resched(); + } +- return NULL; +-found: +- atomic_inc(&ct->ct_general.use); +- spin_unlock(lockp); +- local_bh_enable(); +- return ct; + } + + void nf_ct_iterate_cleanup(struct net *net, +@@ -1596,6 +1611,10 @@ void nf_ct_iterate_cleanup(struct net *n + if (atomic_read(&net->ct.count) == 0) + return; + ++ __nf_ct_unconfirmed_destroy(net); ++ ++ synchronize_net(); ++ + while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) { + /* Time to push up daises... */ + diff --git a/queue-4.9/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch b/queue-4.9/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch new file mode 100644 index 00000000000..d86b6fb9f28 --- /dev/null +++ b/queue-4.9/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch @@ -0,0 +1,60 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Liping Zhang +Date: Sun, 21 May 2017 07:22:49 +0800 +Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize + +From: Liping Zhang + + +[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ] + +If nf_conntrack_htable_size was adjusted by the user during the ct +dump operation, we may invoke nf_ct_put twice for the same ct, i.e. +the "last" ct. This will cause the ct will be freed but still linked +in hash buckets. + +It's very easy to reproduce the problem by the following commands: + # while : ; do + echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets + done + # while : ; do + conntrack -L + done + # iperf -s 127.0.0.1 & + # iperf -c 127.0.0.1 -P 60 -t 36000 + +After a while, the system will hang like this: + NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184] + NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382] + ... + +So at last if we find cb->args[1] is equal to "last", this means hash +resize happened, then we can set cb->args[1] to 0 to fix the above +issue. + +Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping") +Signed-off-by: Liping Zhang +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -890,8 +890,13 @@ restart: + } + out: + local_bh_enable(); +- if (last) ++ if (last) { ++ /* nf ct hash resize happened, now clear the leftover. */ ++ if ((struct nf_conn *)cb->args[1] == last) ++ cb->args[1] = 0; ++ + nf_ct_put(last); ++ } + + while (i) { + i--; diff --git a/queue-4.9/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch b/queue-4.9/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch new file mode 100644 index 00000000000..6144e8813dc --- /dev/null +++ b/queue-4.9/netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Colin Ian King +Date: Tue, 9 May 2017 17:19:42 +0100 +Subject: netxen_nic: set rcode to the return status from the call to netxen_issue_cmd + +From: Colin Ian King + + +[ Upstream commit 0fe20fafd1791f993806d417048213ec57b81045 ] + +Currently rcode is being initialized to NX_RCODE_SUCCESS and later it +is checked to see if it is not NX_RCODE_SUCCESS which is never true. It +appears that there is an unintentional missing assignment of rcode from +the return of the call to netxen_issue_cmd() that was dropped in +an earlier fix, so add it in. + +Detected by CoverityScan, CID#401900 ("Logically dead code") + +Fixes: 2dcd5d95ad6b2 ("netxen_nic: fix cdrp race condition") +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c ++++ b/drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c +@@ -247,7 +247,7 @@ nx_fw_cmd_set_mtu(struct netxen_adapter + cmd.req.arg3 = 0; + + if (recv_ctx->state == NX_HOST_CTX_STATE_ACTIVE) +- netxen_issue_cmd(adapter, &cmd); ++ rcode = netxen_issue_cmd(adapter, &cmd); + + if (rcode != NX_RCODE_SUCCESS) + return -EIO; diff --git a/queue-4.9/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch b/queue-4.9/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch new file mode 100644 index 00000000000..b639ff1c6aa --- /dev/null +++ b/queue-4.9/nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch @@ -0,0 +1,84 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Trond Myklebust +Date: Thu, 4 May 2017 13:44:04 -0400 +Subject: NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION + +From: Trond Myklebust + + +[ Upstream commit 0048fdd06614a4ea088f9fcad11511956b795698 ] + +If the server returns NFS4ERR_CONN_NOT_BOUND_TO_SESSION because we +are trunking, then RECLAIM_COMPLETE must handle that by calling +nfs4_schedule_session_recovery() and then retrying. + +Reported-by: Chuck Lever +Signed-off-by: Trond Myklebust +Tested-by: Chuck Lever +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 7 ++++++- + fs/nfs/nfs4state.c | 10 +++++++--- + 2 files changed, 13 insertions(+), 4 deletions(-) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -8173,6 +8173,12 @@ static int nfs41_reclaim_complete_handle + /* fall through */ + case -NFS4ERR_RETRY_UNCACHED_REP: + return -EAGAIN; ++ case -NFS4ERR_BADSESSION: ++ case -NFS4ERR_DEADSESSION: ++ case -NFS4ERR_CONN_NOT_BOUND_TO_SESSION: ++ nfs4_schedule_session_recovery(clp->cl_session, ++ task->tk_status); ++ break; + default: + nfs4_schedule_lease_recovery(clp); + } +@@ -8251,7 +8257,6 @@ static int nfs41_proc_reclaim_complete(s + if (status == 0) + status = task->tk_status; + rpc_put_task(task); +- return 0; + out: + dprintk("<-- %s status=%d\n", __func__, status); + return status; +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -1637,13 +1637,14 @@ static void nfs4_state_start_reclaim_reb + nfs4_state_mark_reclaim_helper(clp, nfs4_state_mark_reclaim_reboot); + } + +-static void nfs4_reclaim_complete(struct nfs_client *clp, ++static int nfs4_reclaim_complete(struct nfs_client *clp, + const struct nfs4_state_recovery_ops *ops, + struct rpc_cred *cred) + { + /* Notify the server we're done reclaiming our state */ + if (ops->reclaim_complete) +- (void)ops->reclaim_complete(clp, cred); ++ return ops->reclaim_complete(clp, cred); ++ return 0; + } + + static void nfs4_clear_reclaim_server(struct nfs_server *server) +@@ -1690,13 +1691,16 @@ static void nfs4_state_end_reclaim_reboo + { + const struct nfs4_state_recovery_ops *ops; + struct rpc_cred *cred; ++ int err; + + if (!nfs4_state_clear_reclaim_reboot(clp)) + return; + ops = clp->cl_mvops->reboot_recovery_ops; + cred = nfs4_get_clid_cred(clp); +- nfs4_reclaim_complete(clp, ops, cred); ++ err = nfs4_reclaim_complete(clp, ops, cred); + put_rpccred(cred); ++ if (err == -NFS4ERR_CONN_NOT_BOUND_TO_SESSION) ++ set_bit(NFS4CLNT_RECLAIM_REBOOT, &clp->cl_state); + } + + static void nfs4_state_start_reclaim_nograce(struct nfs_client *clp) diff --git a/queue-4.9/nfsv4.1-work-around-a-linux-server-bug.patch b/queue-4.9/nfsv4.1-work-around-a-linux-server-bug.patch new file mode 100644 index 00000000000..eacfe15e5be --- /dev/null +++ b/queue-4.9/nfsv4.1-work-around-a-linux-server-bug.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Trond Myklebust +Date: Tue, 9 May 2017 15:47:15 -0400 +Subject: NFSv4.1: Work around a Linux server bug... + +From: Trond Myklebust + + +[ Upstream commit f4b23de3dda1536590787c9e5c3d16b8738ab108 ] + +It turns out the Linux server has a bug in its implementation of +supattr_exclcreat; it returns the set of all attributes, whether +or not they are supported by minor version 1. +In order to avoid a regression, we therefore apply the supported_attrs +as a mask on top of whatever the server sent us. + +Reported-by: Anna Schumaker +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs4proc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -3300,6 +3300,7 @@ static int _nfs4_server_capabilities(str + .rpc_resp = &res, + }; + int status; ++ int i; + + bitmask[0] = FATTR4_WORD0_SUPPORTED_ATTRS | + FATTR4_WORD0_FH_EXPIRE_TYPE | +@@ -3365,8 +3366,13 @@ static int _nfs4_server_capabilities(str + server->cache_consistency_bitmask[0] &= FATTR4_WORD0_CHANGE|FATTR4_WORD0_SIZE; + server->cache_consistency_bitmask[1] &= FATTR4_WORD1_TIME_METADATA|FATTR4_WORD1_TIME_MODIFY; + server->cache_consistency_bitmask[2] = 0; ++ ++ /* Avoid a regression due to buggy server */ ++ for (i = 0; i < ARRAY_SIZE(res.exclcreat_bitmask); i++) ++ res.exclcreat_bitmask[i] &= res.attr_bitmask[i]; + memcpy(server->exclcreat_bitmask, res.exclcreat_bitmask, + sizeof(server->exclcreat_bitmask)); ++ + server->acl_bitmask = res.acl_bitmask; + server->fh_expire_type = res.fh_expire_type; + } diff --git a/queue-4.9/nvme-fix-hang-in-remove-path.patch b/queue-4.9/nvme-fix-hang-in-remove-path.patch new file mode 100644 index 00000000000..72f322ee17a --- /dev/null +++ b/queue-4.9/nvme-fix-hang-in-remove-path.patch @@ -0,0 +1,65 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ming Lei +Date: Fri, 2 Jun 2017 16:32:08 +0800 +Subject: nvme: fix hang in remove path + +From: Ming Lei + + +[ Upstream commit 82654b6b8ef8b93ee87a97fc562f87f081fc2f91 ] + +We need to start admin queues too in nvme_kill_queues() +for avoiding hang in remove path[1]. + +This patch is very similar with 806f026f9b901eaf(nvme: use +blk_mq_start_hw_queues() in nvme_kill_queues()). + +[1] hang stack trace +[] blk_execute_rq+0x56/0x80 +[] __nvme_submit_sync_cmd+0x89/0xf0 +[] nvme_set_features+0x5e/0x90 +[] nvme_configure_apst+0x166/0x200 +[] nvme_set_latency_tolerance+0x35/0x50 +[] apply_constraint+0xb1/0xc0 +[] dev_pm_qos_constraints_destroy+0xf4/0x1f0 +[] dpm_sysfs_remove+0x2a/0x60 +[] device_del+0x101/0x320 +[] device_unregister+0x1a/0x60 +[] device_destroy+0x3c/0x50 +[] nvme_uninit_ctrl+0x45/0xa0 +[] nvme_remove+0x78/0x110 +[] pci_device_remove+0x39/0xb0 +[] device_release_driver_internal+0x155/0x210 +[] device_release_driver+0x12/0x20 +[] nvme_remove_dead_ctrl_work+0x6b/0x70 +[] process_one_work+0x18c/0x3a0 +[] worker_thread+0x4e/0x3b0 +[] kthread+0x109/0x140 +[] ret_from_fork+0x2c/0x40 +[] 0xffffffffffffffff + +Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions") +Reported-by: Rakesh Pandit +Tested-by: Rakesh Pandit +Reviewed-by: Sagi Grimberg +Signed-off-by: Ming Lei +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/core.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/nvme/host/core.c ++++ b/drivers/nvme/host/core.c +@@ -2040,6 +2040,10 @@ void nvme_kill_queues(struct nvme_ctrl * + struct nvme_ns *ns; + + mutex_lock(&ctrl->namespaces_mutex); ++ ++ /* Forcibly start all queues to avoid having stuck requests */ ++ blk_mq_start_hw_queues(ctrl->admin_q); ++ + list_for_each_entry(ns, &ctrl->namespaces, list) { + /* + * Revalidating a dead namespace sets capacity to 0. This will diff --git a/queue-4.9/nvme-pci-fix-multiple-ctrl-removal-scheduling.patch b/queue-4.9/nvme-pci-fix-multiple-ctrl-removal-scheduling.patch new file mode 100644 index 00000000000..9bceb6bc1d6 --- /dev/null +++ b/queue-4.9/nvme-pci-fix-multiple-ctrl-removal-scheduling.patch @@ -0,0 +1,124 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Rakesh Pandit +Date: Mon, 5 Jun 2017 14:43:11 +0300 +Subject: nvme-pci: fix multiple ctrl removal scheduling + +From: Rakesh Pandit + + +[ Upstream commit 82b057caefaff2a891f821a617d939f46e03e844 ] + +Commit c5f6ce97c1210 tries to address multiple resets but fails as +work_busy doesn't involve any synchronization and can fail. This is +reproducible easily as can be seen by WARNING below which is triggered +with line: + +WARN_ON(dev->ctrl.state == NVME_CTRL_RESETTING) + +Allowing multiple resets can result in multiple controller removal as +well if different conditions inside nvme_reset_work fail and which +might deadlock on device_release_driver. + +[ 480.327007] WARNING: CPU: 3 PID: 150 at drivers/nvme/host/pci.c:1900 nvme_reset_work+0x36c/0xec0 +[ 480.327008] Modules linked in: rfcomm fuse nf_conntrack_netbios_ns nf_conntrack_broadcast... +[ 480.327044] btusb videobuf2_core ghash_clmulni_intel snd_hwdep cfg80211 acer_wmi hci_uart.. +[ 480.327065] CPU: 3 PID: 150 Comm: kworker/u16:2 Not tainted 4.12.0-rc1+ #13 +[ 480.327065] Hardware name: Acer Predator G9-591/Mustang_SLS, BIOS V1.10 03/03/2016 +[ 480.327066] Workqueue: nvme nvme_reset_work +[ 480.327067] task: ffff880498ad8000 task.stack: ffffc90002218000 +[ 480.327068] RIP: 0010:nvme_reset_work+0x36c/0xec0 +[ 480.327069] RSP: 0018:ffffc9000221bdb8 EFLAGS: 00010246 +[ 480.327070] RAX: 0000000000460000 RBX: ffff880498a98128 RCX: dead000000000200 +[ 480.327070] RDX: 0000000000000001 RSI: ffff8804b1028020 RDI: ffff880498a98128 +[ 480.327071] RBP: ffffc9000221be50 R08: 0000000000000000 R09: 0000000000000000 +[ 480.327071] R10: ffffc90001963ce8 R11: 000000000000020d R12: ffff880498a98000 +[ 480.327072] R13: ffff880498a53500 R14: ffff880498a98130 R15: ffff880498a98128 +[ 480.327072] FS: 0000000000000000(0000) GS:ffff8804c1cc0000(0000) knlGS:0000000000000000 +[ 480.327073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 480.327074] CR2: 00007ffcf3c37f78 CR3: 0000000001e09000 CR4: 00000000003406e0 +[ 480.327074] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 480.327075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 480.327075] Call Trace: +[ 480.327079] ? __switch_to+0x227/0x400 +[ 480.327081] process_one_work+0x18c/0x3a0 +[ 480.327082] worker_thread+0x4e/0x3b0 +[ 480.327084] kthread+0x109/0x140 +[ 480.327085] ? process_one_work+0x3a0/0x3a0 +[ 480.327087] ? kthread_park+0x60/0x60 +[ 480.327102] ret_from_fork+0x2c/0x40 +[ 480.327103] Code: e8 5a dc ff ff 85 c0 41 89 c1 0f..... + +This patch addresses the problem by using state of controller to +decide whether reset should be queued or not as state change is +synchronizated using controller spinlock. Also cancel_work_sync is +used to make sure remove cancels the reset_work and waits for it to +finish. This patch also changes return value from -ENODEV to more +appropriate -EBUSY if nvme_reset fails to change state. + +Fixes: c5f6ce97c1210 ("nvme: don't schedule multiple resets") +Signed-off-by: Rakesh Pandit +Reviewed-by: Sagi Grimberg +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvme/host/pci.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/nvme/host/pci.c ++++ b/drivers/nvme/host/pci.c +@@ -1263,7 +1263,7 @@ static bool nvme_should_reset(struct nvm + bool nssro = dev->subsystem && (csts & NVME_CSTS_NSSRO); + + /* If there is a reset ongoing, we shouldn't reset again. */ +- if (work_busy(&dev->reset_work)) ++ if (dev->ctrl.state == NVME_CTRL_RESETTING) + return false; + + /* We shouldn't reset unless the controller is on fatal error state +@@ -1755,7 +1755,7 @@ static void nvme_reset_work(struct work_ + struct nvme_dev *dev = container_of(work, struct nvme_dev, reset_work); + int result = -ENODEV; + +- if (WARN_ON(dev->ctrl.state == NVME_CTRL_RESETTING)) ++ if (WARN_ON(dev->ctrl.state != NVME_CTRL_RESETTING)) + goto out; + + /* +@@ -1765,9 +1765,6 @@ static void nvme_reset_work(struct work_ + if (dev->ctrl.ctrl_config & NVME_CC_ENABLE) + nvme_dev_disable(dev, false); + +- if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING)) +- goto out; +- + result = nvme_pci_enable(dev); + if (result) + goto out; +@@ -1841,8 +1838,8 @@ static int nvme_reset(struct nvme_dev *d + { + if (!dev->ctrl.admin_q || blk_queue_dying(dev->ctrl.admin_q)) + return -ENODEV; +- if (work_busy(&dev->reset_work)) +- return -ENODEV; ++ if (!nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING)) ++ return -EBUSY; + if (!queue_work(nvme_workq, &dev->reset_work)) + return -EBUSY; + return 0; +@@ -1944,6 +1941,7 @@ static int nvme_probe(struct pci_dev *pd + if (result) + goto release_pools; + ++ nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_RESETTING); + dev_info(dev->ctrl.device, "pci function %s\n", dev_name(&pdev->dev)); + + queue_work(nvme_workq, &dev->reset_work); +@@ -1987,6 +1985,7 @@ static void nvme_remove(struct pci_dev * + + nvme_change_ctrl_state(&dev->ctrl, NVME_CTRL_DELETING); + ++ cancel_work_sync(&dev->reset_work); + pci_set_drvdata(pdev, NULL); + + if (!pci_device_is_present(pdev)) { diff --git a/queue-4.9/ovl-filter-trusted-xattr-for-non-admin.patch b/queue-4.9/ovl-filter-trusted-xattr-for-non-admin.patch new file mode 100644 index 00000000000..f6cea8c685b --- /dev/null +++ b/queue-4.9/ovl-filter-trusted-xattr-for-non-admin.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Miklos Szeredi +Date: Mon, 29 May 2017 15:15:27 +0200 +Subject: ovl: filter trusted xattr for non-admin + +From: Miklos Szeredi + + +[ Upstream commit a082c6f680da298cf075886ff032f32ccb7c5e1a ] + +Filesystems filter out extended attributes in the "trusted." domain for +unprivlieged callers. + +Overlay calls underlying filesystem's method with elevated privs, so need +to do the filtering in overlayfs too. + +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/inode.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/fs/overlayfs/inode.c ++++ b/fs/overlayfs/inode.c +@@ -227,6 +227,16 @@ int ovl_xattr_get(struct dentry *dentry, + return res; + } + ++static bool ovl_can_list(const char *s) ++{ ++ /* List all non-trusted xatts */ ++ if (strncmp(s, XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN) != 0) ++ return true; ++ ++ /* Never list trusted.overlay, list other trusted for superuser only */ ++ return !ovl_is_private_xattr(s) && capable(CAP_SYS_ADMIN); ++} ++ + ssize_t ovl_listxattr(struct dentry *dentry, char *list, size_t size) + { + struct dentry *realdentry = ovl_dentry_real(dentry); +@@ -250,7 +260,7 @@ ssize_t ovl_listxattr(struct dentry *den + return -EIO; + + len -= slen; +- if (ovl_is_private_xattr(s)) { ++ if (!ovl_can_list(s)) { + res -= slen; + memmove(s, s + slen, len); + } else { diff --git a/queue-4.9/ovl-persistent-inode-numbers-for-upper-hardlinks.patch b/queue-4.9/ovl-persistent-inode-numbers-for-upper-hardlinks.patch new file mode 100644 index 00000000000..baab3943bea --- /dev/null +++ b/queue-4.9/ovl-persistent-inode-numbers-for-upper-hardlinks.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Amir Goldstein +Date: Mon, 24 Apr 2017 19:54:13 +0300 +Subject: ovl: persistent inode numbers for upper hardlinks + +From: Amir Goldstein + + +[ Upstream commit 5b6c9053fb38a66fd5c6177fcf5022b24767811a ] + +An upper type non directory dentry that is a copy up target +should have a reference to its lower copy up origin. + +There are three ways for an upper type dentry to be instantiated: +1. A lower type dentry that is being copied up +2. An entry that is found in upper dir by ovl_lookup() +3. A negative dentry is hardlinked to an upper type dentry + +In the first case, the lower reference is set before copy up. +In the second case, the lower reference is found by ovl_lookup(). +In the last case of hardlinked upper dentry, it is not easy to +update the lower reference of the negative dentry. Instead, +drop the newly hardlinked negative dentry from dcache and let +the next access call ovl_lookup() to find its lower reference. + +This makes sure that the inode number reported by stat(2) after +the hardlink is created is the same inode number that will be +reported by stat(2) after mount cycle, which is the inode number +of the lower copy up origin of the hardlink source. + +NOTE that this does not fix breaking of lower hardlinks on copy +up, but only fixes the case of lower nlink == 1, whose upper copy +up inode is hardlinked in upper dir. + +Signed-off-by: Amir Goldstein +Signed-off-by: Miklos Szeredi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/overlayfs/dir.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/overlayfs/dir.c ++++ b/fs/overlayfs/dir.c +@@ -180,6 +180,9 @@ static void ovl_instantiate(struct dentr + inc_nlink(inode); + } + d_instantiate(dentry, inode); ++ /* Force lookup of new upper hardlink to find its lower */ ++ if (hardlink) ++ d_drop(dentry); + } + + static int ovl_create_upper(struct dentry *dentry, struct inode *inode, diff --git a/queue-4.9/pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch b/queue-4.9/pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch new file mode 100644 index 00000000000..addf55f386e --- /dev/null +++ b/queue-4.9/pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christoph Hellwig +Date: Sat, 20 May 2017 18:59:54 +0200 +Subject: PCI/msi: fix the pci_alloc_irq_vectors_affinity stub + +From: Christoph Hellwig + + +[ Upstream commit 83b4605b0c16cde5b00c8cf192408d51eab75402 ] + +We need to return an error for any call that asks for MSI / MSI-X +vectors only, so that non-trivial fallback logic can work properly. + +Also valid dev->irq and use the "correct" errno value based on feedback +from Linus. + +Signed-off-by: Christoph Hellwig +Reported-by: Steven Rostedt +Fixes: aff17164 ("PCI: Provide sensible IRQ vector alloc/free routines") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/pci.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/pci.h ++++ b/include/linux/pci.h +@@ -1348,9 +1348,9 @@ static inline int pci_alloc_irq_vectors( + unsigned int min_vecs, unsigned int max_vecs, + unsigned int flags) + { +- if (min_vecs > 1) +- return -EINVAL; +- return 1; ++ if ((flags & PCI_IRQ_LEGACY) && min_vecs == 1 && dev->irq) ++ return 1; ++ return -ENOSPC; + } + static inline void pci_free_irq_vectors(struct pci_dev *dev) + { diff --git a/queue-4.9/perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch b/queue-4.9/perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch new file mode 100644 index 00000000000..b0fcd6361a2 --- /dev/null +++ b/queue-4.9/perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Will Deacon +Date: Tue, 9 May 2017 18:00:04 +0100 +Subject: perf/callchain: Force USER_DS when invoking perf_callchain_user() + +From: Will Deacon + + +[ Upstream commit 88b0193d9418c00340e45e0a913a0813bc6c8c96 ] + +Perf can generate and record a user callchain in response to a synchronous +request, such as a tracepoint firing. If this happens under set_fs(KERNEL_DS), +then we can end up walking the user stack (and dereferencing/saving whatever we +find there) without the protections usually afforded by checks such as +access_ok. + +Rather than play whack-a-mole with each architecture's stack unwinding +implementation, fix the root of the problem by ensuring that we force USER_DS +when invoking perf_callchain_user from the perf core. + +Reported-by: Al Viro +Signed-off-by: Will Deacon +Acked-by: Peter Zijlstra +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/callchain.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/events/callchain.c ++++ b/kernel/events/callchain.c +@@ -227,12 +227,18 @@ get_perf_callchain(struct pt_regs *regs, + } + + if (regs) { ++ mm_segment_t fs; ++ + if (crosstask) + goto exit_put; + + if (add_mark) + perf_callchain_store_context(&ctx, PERF_CONTEXT_USER); ++ ++ fs = get_fs(); ++ set_fs(USER_DS); + perf_callchain_user(&ctx, regs); ++ set_fs(fs); + } + } + diff --git a/queue-4.9/perf-core-correct-event-creation-with-perf_format_group.patch b/queue-4.9/perf-core-correct-event-creation-with-perf_format_group.patch new file mode 100644 index 00000000000..0ac25cab173 --- /dev/null +++ b/queue-4.9/perf-core-correct-event-creation-with-perf_format_group.patch @@ -0,0 +1,85 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Peter Zijlstra +Date: Tue, 30 May 2017 11:45:12 +0200 +Subject: perf/core: Correct event creation with PERF_FORMAT_GROUP + +From: Peter Zijlstra + + +[ Upstream commit ba5213ae6b88fb170c4771fef6553f759c7d8cdd ] + +Andi was asking about PERF_FORMAT_GROUP vs inherited events, which led +to the discovery of a bug from commit: + + 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff") + + - PERF_SAMPLE_GROUP = 1U << 4, + + PERF_SAMPLE_READ = 1U << 4, + + - if (attr->inherit && (attr->sample_type & PERF_SAMPLE_GROUP)) + + if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP)) + +is a clear fail :/ + +While this changes user visible behaviour; it was previously possible +to create an inherited event with PERF_SAMPLE_READ; this is deemed +acceptible because its results were always incorrect. + +Reported-by: Andi Kleen +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 3dab77fb1bf8 ("perf: Rework/fix the whole read vs group stuff") +Link: http://lkml.kernel.org/r/20170530094512.dy2nljns2uq7qa3j@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5669,9 +5669,6 @@ static void perf_output_read_one(struct + __output_copy(handle, values, n * sizeof(u64)); + } + +-/* +- * XXX PERF_FORMAT_GROUP vs inherited events seems difficult. +- */ + static void perf_output_read_group(struct perf_output_handle *handle, + struct perf_event *event, + u64 enabled, u64 running) +@@ -5716,6 +5713,13 @@ static void perf_output_read_group(struc + #define PERF_FORMAT_TOTAL_TIMES (PERF_FORMAT_TOTAL_TIME_ENABLED|\ + PERF_FORMAT_TOTAL_TIME_RUNNING) + ++/* ++ * XXX PERF_SAMPLE_READ vs inherited events seems difficult. ++ * ++ * The problem is that its both hard and excessively expensive to iterate the ++ * child list, not to mention that its impossible to IPI the children running ++ * on another CPU, from interrupt/NMI context. ++ */ + static void perf_output_read(struct perf_output_handle *handle, + struct perf_event *event) + { +@@ -9259,9 +9263,10 @@ perf_event_alloc(struct perf_event_attr + local64_set(&hwc->period_left, hwc->sample_period); + + /* +- * we currently do not support PERF_FORMAT_GROUP on inherited events ++ * We currently do not support PERF_SAMPLE_READ on inherited events. ++ * See perf_output_read(). + */ +- if (attr->inherit && (attr->read_format & PERF_FORMAT_GROUP)) ++ if (attr->inherit && (attr->sample_type & PERF_SAMPLE_READ)) + goto err_ns; + + if (!has_branch_stack(event)) diff --git a/queue-4.9/perf-core-fix-error-handling-in-perf_event_alloc.patch b/queue-4.9/perf-core-fix-error-handling-in-perf_event_alloc.patch new file mode 100644 index 00000000000..73f71333471 --- /dev/null +++ b/queue-4.9/perf-core-fix-error-handling-in-perf_event_alloc.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Mon, 22 May 2017 12:04:18 +0300 +Subject: perf/core: Fix error handling in perf_event_alloc() + +From: Dan Carpenter + + +[ Upstream commit 36cc2b9222b5106de34085c4dd8635ac67ef5cba ] + +We don't set an error code here which means that perf_event_alloc() +returns ERR_PTR(0) (in other words NULL). The callers are not expecting +that and would Oops. + +Signed-off-by: Dan Carpenter +Signed-off-by: Peter Zijlstra (Intel) +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Stephane Eranian +Cc: Thomas Gleixner +Cc: Vince Weaver +Fixes: 375637bc5249 ("perf/core: Introduce address range filtering") +Link: http://lkml.kernel.org/r/20170522090418.hvs6icgpdo53wkn5@mwanda +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9289,8 +9289,10 @@ perf_event_alloc(struct perf_event_attr + event->addr_filters_offs = kcalloc(pmu->nr_addr_filters, + sizeof(unsigned long), + GFP_KERNEL); +- if (!event->addr_filters_offs) ++ if (!event->addr_filters_offs) { ++ err = -ENOMEM; + goto err_per_task; ++ } + + /* force hw sync on the address filters */ + event->addr_filters_gen = 1; diff --git a/queue-4.9/perf-header-set-proper-module-name-when-build-id-event-found.patch b/queue-4.9/perf-header-set-proper-module-name-when-build-id-event-found.patch new file mode 100644 index 00000000000..64a3cda7585 --- /dev/null +++ b/queue-4.9/perf-header-set-proper-module-name-when-build-id-event-found.patch @@ -0,0 +1,73 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Namhyung Kim +Date: Wed, 31 May 2017 21:01:03 +0900 +Subject: perf header: Set proper module name when build-id event found + +From: Namhyung Kim + + +[ Upstream commit 1deec1bd96ccd8beb04d2112a6d12fe20505c3a6 ] + +When perf processes build-id event, it creates DSOs with the build-id. +But it didn't set the module short name (like '[module-name]') so when +processing a kernel mmap event of the module, it cannot found the DSO as +it only checks the short names. + +That leads for perf to create a same DSO without the build-id info and +it'll lookup the system path even if the DSO is already in the build-id +cache. After kernel was updated, perf cannot find the DSO and cannot +show symbols in it anymore. + +You can see this if you have an old data file (w/ old kernel version): + + $ perf report -i perf.data.old -v |& grep scsi_mod + build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz : cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 + Failed to open /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz, continuing without symbols + ... + +The second message didn't show the build-id. With this patch: + + $ perf report -i perf.data.old -v |& grep scsi_mod + build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz: cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 + /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz with build id cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 not found, continuing without symbols + ... + +Now it shows the build-id but still cannot load the symbol table. This +is a different problem which will be fixed in the next patch. + +Signed-off-by: Namhyung Kim +Acked-by: Jiri Olsa +Cc: Andi Kleen +Cc: David Ahern +Cc: Peter Zijlstra +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20170531120105.21731-1-namhyung@kernel.org +[ Fix the build on older compilers (debian <= 8, fedora <= 21, etc) wrt kmod_path var init ] +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/header.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -1454,8 +1454,16 @@ static int __event_process_build_id(stru + + dso__set_build_id(dso, &bev->build_id); + +- if (!is_kernel_module(filename, cpumode)) +- dso->kernel = dso_type; ++ if (dso_type != DSO_TYPE_USER) { ++ struct kmod_path m = { .name = NULL, }; ++ ++ if (!kmod_path__parse_name(&m, filename) && m.kmod) ++ dso__set_short_name(dso, strdup(m.name), true); ++ else ++ dso->kernel = dso_type; ++ ++ free(m.name); ++ } + + build_id__sprintf(dso->build_id, sizeof(dso->build_id), + sbuild_id); diff --git a/queue-4.9/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch b/queue-4.9/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch new file mode 100644 index 00000000000..fa6716d253d --- /dev/null +++ b/queue-4.9/perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 9 Dec 2017 01:26:46 +0900 +Subject: perf probe: Add warning message if there is unexpected event name + +From: Masami Hiramatsu + + +[ Upstream commit 9f5c6d8777a2d962b0eeacb2a16f37da6bea545b ] + +This improve the error message so that user can know event-name error +before writing new events to kprobe-events interface. + +E.g. + ====== + #./perf probe -x /lib64/libc-2.25.so malloc_get_state* + Internal error: "malloc_get_state@GLIBC_2" is an invalid event name. + Error: Failed to add events. + ====== + +Reported-by: Arnaldo Carvalho de Melo +Signed-off-by: Masami Hiramatsu +Acked-by: Ravi Bangoria +Reviewed-by: Thomas Richter +Tested-by: Arnaldo Carvalho de Melo +Cc: Paul Clarke +Cc: bhargavb +Cc: linux-rt-users@vger.kernel.org +Link: http://lkml.kernel.org/r/151275040665.24652.5188568529237584489.stgit@devbox +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/probe-event.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/perf/util/probe-event.c ++++ b/tools/perf/util/probe-event.c +@@ -2609,6 +2609,14 @@ static int get_new_event_name(char *buf, + + out: + free(nbase); ++ ++ /* Final validation */ ++ if (ret >= 0 && !is_c_func_name(buf)) { ++ pr_warning("Internal error: \"%s\" is an invalid event name.\n", ++ buf); ++ ret = -EINVAL; ++ } ++ + return ret; + } + diff --git a/queue-4.9/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch b/queue-4.9/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch new file mode 100644 index 00000000000..c9f6411bc28 --- /dev/null +++ b/queue-4.9/perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Milian Wolff +Date: Fri, 2 Jun 2017 16:37:52 +0200 +Subject: perf report: Ensure the perf DSO mapping matches what libdw sees + +From: Milian Wolff + + +[ Upstream commit 2538b9e2450ae255337c04356e9e0f8cb9ec48d9 ] + +In some situations the libdw unwinder stopped working properly. I.e. +with libunwind we see: + +~~~~~ +heaptrack_gui 2228 135073.400112: 641314 cycles: + e8ed _dl_fixup (/usr/lib/ld-2.25.so) + 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) + ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) + 608f3 _GLOBAL__sub_I_kdynamicjobtracker.cpp (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) + f199 call_init.part.0 (/usr/lib/ld-2.25.so) + f2a5 _dl_init (/usr/lib/ld-2.25.so) + db9 _dl_start_user (/usr/lib/ld-2.25.so) +~~~~~ + +But with libdw and without this patch this sample is not properly +unwound: + +~~~~~ +heaptrack_gui 2228 135073.400112: 641314 cycles: + e8ed _dl_fixup (/usr/lib/ld-2.25.so) + 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) + ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) +~~~~~ + +Debug output showed me that libdw found a module for the last frame +address, but it thinks it belongs to /usr/lib/ld-2.25.so. This patch +double-checks what libdw sees and what perf knows. If the mappings +mismatch, we now report the elf known to perf. This fixes the situation +above, and the libdw unwinder produces the same stack as libunwind. + +Signed-off-by: Milian Wolff +Cc: Jiri Olsa +Cc: Namhyung Kim +Link: http://lkml.kernel.org/r/20170602143753.16907-1-milian.wolff@kdab.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/unwind-libdw.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -38,6 +38,14 @@ static int __report_module(struct addr_l + return 0; + + mod = dwfl_addrmodule(ui->dwfl, ip); ++ if (mod) { ++ Dwarf_Addr s; ++ ++ dwfl_module_info(mod, NULL, &s, NULL, NULL, NULL, NULL, NULL); ++ if (s != al->map->start) ++ mod = 0; ++ } ++ + if (!mod) + mod = dwfl_report_elf(ui->dwfl, dso->short_name, + dso->long_name, -1, al->map->start, diff --git a/queue-4.9/perf-report-fix-off-by-one-for-non-activation-frames.patch b/queue-4.9/perf-report-fix-off-by-one-for-non-activation-frames.patch new file mode 100644 index 00000000000..32ce10a7514 --- /dev/null +++ b/queue-4.9/perf-report-fix-off-by-one-for-non-activation-frames.patch @@ -0,0 +1,246 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Milian Wolff +Date: Wed, 24 May 2017 15:21:25 +0900 +Subject: perf report: Fix off-by-one for non-activation frames + +From: Milian Wolff + + +[ Upstream commit 1982ad48fc82c284a5cc55697a012d3357e84d01 ] + +As the documentation for dwfl_frame_pc says, frames that +are no activation frames need to have their program counter +decremented by one to properly find the function of the caller. + +This fixes many cases where perf report currently attributes +the cost to the next line. I.e. I have code like this: + +~~~~~~~~~~~~~~~ + #include + #include + + using namespace std; + + int main() + { + this_thread::sleep_for(chrono::milliseconds(1000)); + this_thread::sleep_for(chrono::milliseconds(100)); + this_thread::sleep_for(chrono::milliseconds(10)); + + return 0; + } +~~~~~~~~~~~~~~~ + +Now compile and record it: + +~~~~~~~~~~~~~~~ + g++ -std=c++11 -g -O2 test.cpp + echo 1 | sudo tee /proc/sys/kernel/sched_schedstats + perf record \ + --event sched:sched_stat_sleep \ + --event sched:sched_process_exit \ + --event sched:sched_switch --call-graph=dwarf \ + --output perf.data.raw \ + ./a.out + echo 0 | sudo tee /proc/sys/kernel/sched_schedstats + perf inject --sched-stat --input perf.data.raw --output perf.data +~~~~~~~~~~~~~~~ + +Before this patch, the report clearly shows the off-by-one issue. +Most notably, the last sleep invocation is incorrectly attributed +to the "return 0;" line: + +~~~~~~~~~~~~~~~ + Overhead Source:Line + ........ ........... + + 100.00% core.c:0 + | + ---__schedule core.c:0 + schedule + do_nanosleep hrtimer.c:0 + hrtimer_nanosleep + sys_nanosleep + entry_SYSCALL_64_fastpath .tmp_entry_64.o:0 + __nanosleep_nocancel .:0 + std::this_thread::sleep_for > thread:323 + | + |--90.08%--main test.cpp:9 + | __libc_start_main + | _start + | + |--9.01%--main test.cpp:10 + | __libc_start_main + | _start + | + --0.91%--main test.cpp:13 + __libc_start_main + _start +~~~~~~~~~~~~~~~ + +With this patch here applied, the issue is fixed. The report becomes +much more usable: + +~~~~~~~~~~~~~~~ + Overhead Source:Line + ........ ........... + + 100.00% core.c:0 + | + ---__schedule core.c:0 + schedule + do_nanosleep hrtimer.c:0 + hrtimer_nanosleep + sys_nanosleep + entry_SYSCALL_64_fastpath .tmp_entry_64.o:0 + __nanosleep_nocancel .:0 + std::this_thread::sleep_for > thread:323 + | + |--90.08%--main test.cpp:8 + | __libc_start_main + | _start + | + |--9.01%--main test.cpp:9 + | __libc_start_main + | _start + | + --0.91%--main test.cpp:10 + __libc_start_main + _start +~~~~~~~~~~~~~~~ + +Similarly it works for signal frames: + +~~~~~~~~~~~~~~~ + __noinline void bar(void) + { + volatile long cnt = 0; + + for (cnt = 0; cnt < 100000000; cnt++); + } + + __noinline void foo(void) + { + bar(); + } + + void sig_handler(int sig) + { + foo(); + } + + int main(void) + { + signal(SIGUSR1, sig_handler); + raise(SIGUSR1); + + foo(); + return 0; + } +~~~~~~~~~~~~~~~~ + +Before, the report wrongly points to `signal.c:29` after raise(): + +~~~~~~~~~~~~~~~~ + $ perf report --stdio --no-children -g srcline -s srcline + ... + 100.00% signal.c:11 + | + ---bar signal.c:11 + | + |--50.49%--main signal.c:29 + | __libc_start_main + | _start + | + --49.51%--0x33a8f + raise .:0 + main signal.c:29 + __libc_start_main + _start +~~~~~~~~~~~~~~~~ + +With this patch in, the issue is fixed and we instead get: + +~~~~~~~~~~~~~~~~ + 100.00% signal signal [.] bar + | + ---bar signal.c:11 + | + |--50.49%--main signal.c:29 + | __libc_start_main + | _start + | + --49.51%--0x33a8f + raise .:0 + main signal.c:27 + __libc_start_main + _start +~~~~~~~~~~~~~~~~ + +Note how this patch fixes this issue for both unwinding methods, i.e. +both dwfl and libunwind. The former case is straight-forward thanks +to dwfl_frame_pc(). For libunwind, we replace the functionality via +unw_is_signal_frame() for any but the very first frame. + +Signed-off-by: Milian Wolff +Signed-off-by: Namhyung Kim +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: David Ahern +Cc: Jiri Olsa +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Yao Jin +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20170524062129.32529-4-namhyung@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/unwind-libdw.c | 6 +++++- + tools/perf/util/unwind-libunwind-local.c | 11 +++++++++++ + 2 files changed, 16 insertions(+), 1 deletion(-) + +--- a/tools/perf/util/unwind-libdw.c ++++ b/tools/perf/util/unwind-libdw.c +@@ -167,12 +167,16 @@ frame_callback(Dwfl_Frame *state, void * + { + struct unwind_info *ui = arg; + Dwarf_Addr pc; ++ bool isactivation; + +- if (!dwfl_frame_pc(state, &pc, NULL)) { ++ if (!dwfl_frame_pc(state, &pc, &isactivation)) { + pr_err("%s", dwfl_errmsg(-1)); + return DWARF_CB_ABORT; + } + ++ if (!isactivation) ++ --pc; ++ + return entry(pc, ui) || !(--ui->max_stack) ? + DWARF_CB_ABORT : DWARF_CB_OK; + } +--- a/tools/perf/util/unwind-libunwind-local.c ++++ b/tools/perf/util/unwind-libunwind-local.c +@@ -646,6 +646,17 @@ static int get_entries(struct unwind_inf + + while (!ret && (unw_step(&c) > 0) && i < max_stack) { + unw_get_reg(&c, UNW_REG_IP, &ips[i]); ++ ++ /* ++ * Decrement the IP for any non-activation frames. ++ * this is required to properly find the srcline ++ * for caller frames. ++ * See also the documentation for dwfl_frame_pc(), ++ * which this code tries to replicate. ++ */ ++ if (unw_is_signal_frame(&c) <= 0) ++ --ips[i]; ++ + ++i; + } + diff --git a/queue-4.9/perf-tests-decompress-kernel-module-before-objdump.patch b/queue-4.9/perf-tests-decompress-kernel-module-before-objdump.patch new file mode 100644 index 00000000000..314f3d91f88 --- /dev/null +++ b/queue-4.9/perf-tests-decompress-kernel-module-before-objdump.patch @@ -0,0 +1,67 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Namhyung Kim +Date: Thu, 8 Jun 2017 16:31:07 +0900 +Subject: perf tests: Decompress kernel module before objdump + +From: Namhyung Kim + + +[ Upstream commit 94df1040b1e6aacd8dec0ba3c61d7e77cd695f26 ] + +If a kernel modules is compressed, it should be decompressed before +running objdump to parse binary data correctly. This fixes a failure of +object code reading test for me. + +Signed-off-by: Namhyung Kim +Acked-by: Adrian Hunter +Acked-by: Jiri Olsa +Cc: David Ahern +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/code-reading.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/tools/perf/tests/code-reading.c ++++ b/tools/perf/tests/code-reading.c +@@ -224,6 +224,8 @@ static int read_object_code(u64 addr, si + unsigned char buf2[BUFSZ]; + size_t ret_len; + u64 objdump_addr; ++ const char *objdump_name; ++ char decomp_name[KMOD_DECOMP_LEN]; + int ret; + + pr_debug("Reading object code for memory address: %#"PRIx64"\n", addr); +@@ -284,9 +286,25 @@ static int read_object_code(u64 addr, si + state->done[state->done_cnt++] = al.map->start; + } + ++ objdump_name = al.map->dso->long_name; ++ if (dso__needs_decompress(al.map->dso)) { ++ if (dso__decompress_kmodule_path(al.map->dso, objdump_name, ++ decomp_name, ++ sizeof(decomp_name)) < 0) { ++ pr_debug("decompression failed\n"); ++ return -1; ++ } ++ ++ objdump_name = decomp_name; ++ } ++ + /* Read the object code using objdump */ + objdump_addr = map__rip_2objdump(al.map, al.addr); +- ret = read_via_objdump(al.map->dso->long_name, objdump_addr, buf2, len); ++ ret = read_via_objdump(objdump_name, objdump_addr, buf2, len); ++ ++ if (dso__needs_decompress(al.map->dso)) ++ unlink(objdump_name); ++ + if (ret > 0) { + /* + * The kernel maps are inaccurate - assume objdump is right in diff --git a/queue-4.9/perf-tools-decompress-kernel-module-when-reading-dso-data.patch b/queue-4.9/perf-tools-decompress-kernel-module-when-reading-dso-data.patch new file mode 100644 index 00000000000..8c00681cb85 --- /dev/null +++ b/queue-4.9/perf-tools-decompress-kernel-module-when-reading-dso-data.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Namhyung Kim +Date: Thu, 8 Jun 2017 16:31:05 +0900 +Subject: perf tools: Decompress kernel module when reading DSO data + +From: Namhyung Kim + + +[ Upstream commit 1d6b3c9ba756a5134fd7ad1959acac776d17404b ] + +Currently perf decompresses kernel modules when loading the symbol table +but it missed to do it when reading raw data. + +Signed-off-by: Namhyung Kim +Acked-by: Jiri Olsa +Cc: Adrian Hunter +Cc: David Ahern +Cc: Peter Zijlstra +Cc: Wang Nan +Cc: kernel-team@lge.com +Link: http://lkml.kernel.org/r/20170608073109.30699-6-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/dso.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -366,7 +366,23 @@ static int __open_dso(struct dso *dso, s + if (!is_regular_file(name)) + return -EINVAL; + ++ if (dso__needs_decompress(dso)) { ++ char newpath[KMOD_DECOMP_LEN]; ++ size_t len = sizeof(newpath); ++ ++ if (dso__decompress_kmodule_path(dso, name, newpath, len) < 0) { ++ free(name); ++ return -dso->load_errno; ++ } ++ ++ strcpy(name, newpath); ++ } ++ + fd = do_open(name); ++ ++ if (dso__needs_decompress(dso)) ++ unlink(name); ++ + free(name); + return fd; + } diff --git a/queue-4.9/perf-tools-fix-copyfile_offset-update-of-output-offset.patch b/queue-4.9/perf-tools-fix-copyfile_offset-update-of-output-offset.patch new file mode 100644 index 00000000000..92740343c42 --- /dev/null +++ b/queue-4.9/perf-tools-fix-copyfile_offset-update-of-output-offset.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jiri Olsa +Date: Tue, 9 Jan 2018 14:39:23 +0100 +Subject: perf tools: Fix copyfile_offset update of output offset + +From: Jiri Olsa + + +[ Upstream commit fa1195ccc0af2d121abe0fe266a1caee8c265eea ] + +We need to increase output offset in each iteration, not decrease it as +we currently do. + +I guess we were lucky to finish in most cases in first iteration, so the +bug never showed. However it shows a lot when working with big (~4GB) +size data. + +Signed-off-by: Jiri Olsa +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Fixes: 9c9f5a2f1944 ("perf tools: Introduce copyfile_offset() function") +Link: http://lkml.kernel.org/r/20180109133923.25406-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/util/util.c ++++ b/tools/perf/util/util.c +@@ -207,7 +207,7 @@ int copyfile_offset(int ifd, loff_t off_ + + size -= ret; + off_in += ret; +- off_out -= ret; ++ off_out += ret; + } + munmap(ptr, off_in + size); + diff --git a/queue-4.9/perf-trace-add-mmap-alias-for-s390.patch b/queue-4.9/perf-trace-add-mmap-alias-for-s390.patch new file mode 100644 index 00000000000..1671e9759d0 --- /dev/null +++ b/queue-4.9/perf-trace-add-mmap-alias-for-s390.patch @@ -0,0 +1,52 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jiri Olsa +Date: Wed, 31 May 2017 13:35:57 +0200 +Subject: perf trace: Add mmap alias for s390 + +From: Jiri Olsa + + +[ Upstream commit 54265664c15a68905d8d67d19205e9a767636434 ] + +The s390 architecture maps sys_mmap (nr 90) into sys_old_mmap. For this +reason perf trace can't find the proper syscall event to get args format +from and displays it wrongly as 'continued'. + +To fix that fill the "alias" field with "old_mmap" for trace's mmap record +to get the correct translation. + +Before: + 0.042 ( 0.011 ms): vest/43052 fstat(statbuf: 0x3ffff89fd90 ) = 0 + 0.042 ( 0.028 ms): vest/43052 ... [continued]: mmap()) = 0x3fffd6e2000 + 0.072 ( 0.025 ms): vest/43052 read(buf: 0x3fffd6e2000, count: 4096 ) = 6 + +After: + 0.045 ( 0.011 ms): fstat(statbuf: 0x3ffff8a0930 ) = 0 + 0.057 ( 0.018 ms): mmap(arg: 0x3ffff8a0858 ) = 0x3fffd14a000 + 0.076 ( 0.025 ms): read(buf: 0x3fffd14a000, count: 4096 ) = 6 + +Signed-off-by: Jiri Olsa +Cc: David Ahern +Cc: Namhyung Kim +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/20170531113557.19175-1-jolsa@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/builtin-trace.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/tools/perf/builtin-trace.c ++++ b/tools/perf/builtin-trace.c +@@ -679,6 +679,10 @@ static struct syscall_fmt { + { .name = "mlockall", .errmsg = true, + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ }, }, + { .name = "mmap", .hexret = true, ++/* The standard mmap maps to old_mmap on s390x */ ++#if defined(__s390x__) ++ .alias = "old_mmap", ++#endif + .arg_scnprintf = { [0] = SCA_HEX, /* addr */ + [2] = SCA_MMAP_PROT, /* prot */ + [3] = SCA_MMAP_FLAGS, /* flags */ }, }, diff --git a/queue-4.9/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch b/queue-4.9/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch new file mode 100644 index 00000000000..2d9074adfdf --- /dev/null +++ b/queue-4.9/pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch @@ -0,0 +1,68 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kirill Tkhai +Date: Mon, 8 May 2017 15:56:34 -0700 +Subject: pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() + +From: Kirill Tkhai + + +[ Upstream commit 8896c23d2ef803f1883fea73117a435925c2b4c4 ] + +alloc_pidmap() advances pid_namespace::last_pid. When first pid +allocation fails, then next created process will have pid 2 and +pid_ns_prepare_proc() won't be called. So, pid_namespace::proc_mnt will +never be initialized (not to mention that there won't be a child +reaper). + +I saw crash stack of such case on kernel 3.10: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: proc_flush_task+0x8f/0x1b0 + Call Trace: + release_task+0x3f/0x490 + wait_consider_task.part.10+0x7ff/0xb00 + do_wait+0x11f/0x280 + SyS_wait4+0x7d/0x110 + +We may fix this by restore of last_pid in 0 or by prohibiting of futher +allocations. Since there was a similar issue in Oleg Nesterov's commit +314a8ad0f18a ("pidns: fix free_pid() to handle the first fork failure"). +and it was fixed via prohibiting allocation, let's follow this way, and +do the same. + +Link: http://lkml.kernel.org/r/149201021004.4863.6762095011554287922.stgit@localhost.localdomain +Signed-off-by: Kirill Tkhai +Acked-by: Cyrill Gorcunov +Cc: Andrei Vagin +Cc: Andreas Gruenbacher +Cc: Kees Cook +Cc: Michael Kerrisk +Cc: Al Viro +Cc: Oleg Nesterov +Cc: Paul Moore +Cc: Eric Biederman +Cc: Andy Lutomirski +Cc: Ingo Molnar +Cc: Serge Hallyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/pid.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/pid.c ++++ b/kernel/pid.c +@@ -322,8 +322,10 @@ struct pid *alloc_pid(struct pid_namespa + } + + if (unlikely(is_child_reaper(pid))) { +- if (pid_ns_prepare_proc(ns)) ++ if (pid_ns_prepare_proc(ns)) { ++ disable_pid_allocation(ns); + goto out_free; ++ } + } + + get_pid_ns(ns); diff --git a/queue-4.9/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch b/queue-4.9/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch new file mode 100644 index 00000000000..7c69182ffc8 --- /dev/null +++ b/queue-4.9/pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch @@ -0,0 +1,47 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Hans de Goede +Date: Mon, 1 Jan 2018 13:23:57 +0100 +Subject: pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts + +From: Hans de Goede + + +[ Upstream commit 9291c65b01d1c67ebd56644cb19317ad665c44b3 ] + +On some systems, some PCB traces attached to GpioInts are routed in such +a way that they pick up enough interference to constantly (many times per +second) trigger. + +Enabling glitch-filtering fixes this. + +Signed-off-by: Hans de Goede +Acked-by: Mika Westerberg +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/intel/pinctrl-baytrail.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/pinctrl/intel/pinctrl-baytrail.c ++++ b/drivers/pinctrl/intel/pinctrl-baytrail.c +@@ -46,6 +46,9 @@ + #define BYT_TRIG_POS BIT(25) + #define BYT_TRIG_LVL BIT(24) + #define BYT_DEBOUNCE_EN BIT(20) ++#define BYT_GLITCH_FILTER_EN BIT(19) ++#define BYT_GLITCH_F_SLOW_CLK BIT(17) ++#define BYT_GLITCH_F_FAST_CLK BIT(16) + #define BYT_PULL_STR_SHIFT 9 + #define BYT_PULL_STR_MASK (3 << BYT_PULL_STR_SHIFT) + #define BYT_PULL_STR_2K (0 << BYT_PULL_STR_SHIFT) +@@ -1579,6 +1582,9 @@ static int byt_irq_type(struct irq_data + */ + value &= ~(BYT_DIRECT_IRQ_EN | BYT_TRIG_POS | BYT_TRIG_NEG | + BYT_TRIG_LVL); ++ /* Enable glitch filtering */ ++ value |= BYT_GLITCH_FILTER_EN | BYT_GLITCH_F_SLOW_CLK | ++ BYT_GLITCH_F_FAST_CLK; + + writel(value, reg); + diff --git a/queue-4.9/pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch b/queue-4.9/pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch new file mode 100644 index 00000000000..468afbab37e --- /dev/null +++ b/queue-4.9/pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Heiner Kallweit +Date: Wed, 7 Jun 2017 07:44:20 +0200 +Subject: pinctrl: meson-gxbb: remove non-existing pin GPIOX_22 + +From: Heiner Kallweit + + +[ Upstream commit 4c8127cb523982e0a474ad80b14b665dc2f37b3b ] + +After commit 34e61801a3b9 "pinctrl: meson-gxbb: Add missing GPIODV_18 +pin entry" I started to get the following warning: + +"meson-pinctrl c8834000.periphs:pinctrl@4b0: names 119 do not match +number of GPIOs 120" + +It turned out that not the mentioned commit has a problem, it just +revealed another problem which had existed before. + +There is no PIN GPIOX_22 on Meson GXBB. + +Fixes: 468c234f9ed7 ("pinctrl: amlogic: Add support for Amlogic Meson GXBB SoC") +Signed-off-by: Heiner Kallweit +Reviewed-by: Neil Armstrong +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/meson/pinctrl-meson-gxbb.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pinctrl/meson/pinctrl-meson-gxbb.c ++++ b/drivers/pinctrl/meson/pinctrl-meson-gxbb.c +@@ -138,7 +138,6 @@ static const struct pinctrl_pin_desc mes + MESON_PIN(GPIOX_19, EE_OFF), + MESON_PIN(GPIOX_20, EE_OFF), + MESON_PIN(GPIOX_21, EE_OFF), +- MESON_PIN(GPIOX_22, EE_OFF), + + MESON_PIN(GPIOCLK_0, EE_OFF), + MESON_PIN(GPIOCLK_1, EE_OFF), diff --git a/queue-4.9/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch b/queue-4.9/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch new file mode 100644 index 00000000000..4796f2d2ff2 --- /dev/null +++ b/queue-4.9/pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch @@ -0,0 +1,41 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Gustavo A. R. Silva" +Date: Wed, 6 Dec 2017 14:20:15 -0600 +Subject: PM / devfreq: Fix potential NULL pointer dereference in governor_store + +From: "Gustavo A. R. Silva" + + +[ Upstream commit 63f1e05f7fe9ca509c60154d6a833abf96eecdc9 ] + +df->governor is being dereferenced before it is null checked, +hence there is a potential null pointer dereference. + +Notice that df->governor is being null checked at line 1004: +if (df->governor) {, which implies it might be null. + +Fix this by null checking df->governor before dereferencing it. + +Addresses-Coverity-ID: 1401988 ("Dereference before null check") +Fixes: bcf23c79c4e4 ("PM / devfreq: Fix available_governor sysfs") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Chanwoo Choi +Signed-off-by: MyungJoo Ham +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/devfreq/devfreq.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/devfreq/devfreq.c ++++ b/drivers/devfreq/devfreq.c +@@ -943,7 +943,8 @@ static ssize_t governor_store(struct dev + if (df->governor == governor) { + ret = 0; + goto out; +- } else if (df->governor->immutable || governor->immutable) { ++ } else if ((df->governor && df->governor->immutable) || ++ governor->immutable) { + ret = -EINVAL; + goto out; + } diff --git a/queue-4.9/pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch b/queue-4.9/pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch new file mode 100644 index 00000000000..faeef10e7d4 --- /dev/null +++ b/queue-4.9/pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Sat, 20 May 2017 00:31:12 +0300 +Subject: pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() + +From: Dan Carpenter + + +[ Upstream commit 662f9a105b4322b8559d448f86110e6ec24b8738 ] + +If xdr_inline_decode() fails then we end up returning ERR_PTR(0). The +caller treats NULL returns as -ENOMEM so it doesn't really hurt runtime, +but obviously we intended to set an error code here. + +Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/flexfilelayout/flexfilelayout.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/flexfilelayout/flexfilelayout.c ++++ b/fs/nfs/flexfilelayout/flexfilelayout.c +@@ -475,6 +475,7 @@ ff_layout_alloc_lseg(struct pnfs_layout_ + goto out_err_free; + + /* fh */ ++ rc = -EIO; + p = xdr_inline_decode(&stream, 4); + if (!p) + goto out_err_free; diff --git a/queue-4.9/powercap-fix-an-error-code-in-powercap_register_zone.patch b/queue-4.9/powercap-fix-an-error-code-in-powercap_register_zone.patch new file mode 100644 index 00000000000..cf44ce53eca --- /dev/null +++ b/queue-4.9/powercap-fix-an-error-code-in-powercap_register_zone.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Wed, 10 May 2017 22:40:06 +0300 +Subject: PowerCap: Fix an error code in powercap_register_zone() + +From: Dan Carpenter + + +[ Upstream commit 216c4e9db4c9d1d2a382b42880442dc632cd47d9 ] + +In the current code we accidentally return the successful result from +idr_alloc() instead of a negative error pointer. The caller is looking +for an error pointer and so it treats the returned value as a valid +pointer. + +This one might be a bit serious because if it lets people get around the +kernel's protection for remapping NULL. I'm not sure. + +Fixes: 75d2364ea0ca (PowerCap: Add class driver) +Signed-off-by: Dan Carpenter +Reviewed-by: Srinivas Pandruvada +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/powercap/powercap_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/powercap/powercap_sys.c ++++ b/drivers/powercap/powercap_sys.c +@@ -538,6 +538,7 @@ struct powercap_zone *powercap_register_ + + power_zone->id = result; + idr_init(&power_zone->idr); ++ result = -ENOMEM; + power_zone->name = kstrdup(name, GFP_KERNEL); + if (!power_zone->name) + goto err_name_alloc; diff --git a/queue-4.9/powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch b/queue-4.9/powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch new file mode 100644 index 00000000000..2244fb5bf9d --- /dev/null +++ b/queue-4.9/powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe Leroy +Date: Fri, 10 Mar 2017 11:37:01 +0100 +Subject: powerpc/8xx: fix mpc8xx_get_irq() return on no irq + +From: Christophe Leroy + + +[ Upstream commit 3c29b6038828c1f4c9ecbfec14d4fc5e25f1c947 ] + +IRQ 0 is a valid HW interrupt. So get_irq() shall return 0 when +there is no irq, instead of returning irq_linear_revmap(... ,0) + +Fixes: f2a0bd3753dad ("[POWERPC] 8xx: powerpc port of core CPM PIC") +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/sysdev/mpc8xx_pic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/mpc8xx_pic.c ++++ b/arch/powerpc/sysdev/mpc8xx_pic.c +@@ -79,7 +79,7 @@ unsigned int mpc8xx_get_irq(void) + irq = in_be32(&siu_reg->sc_sivec) >> 26; + + if (irq == PIC_VEC_SPURRIOUS) +- irq = 0; ++ return 0; + + return irq_linear_revmap(mpc8xx_pic_host, irq); + diff --git a/queue-4.9/powerpc-don-t-clobber-tcr-when-setting-tcr.patch b/queue-4.9/powerpc-don-t-clobber-tcr-when-setting-tcr.patch new file mode 100644 index 00000000000..0ddac7cf979 --- /dev/null +++ b/queue-4.9/powerpc-don-t-clobber-tcr-when-setting-tcr.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ivan Mikhaylov +Date: Fri, 19 May 2017 18:47:05 +0300 +Subject: powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE] + +From: Ivan Mikhaylov + + +[ Upstream commit 6e2f03e292ef46eed2b31b0a344a91d514f9cd81 ] + +Prevent a kernel panic caused by unintentionally clearing TCR watchdog +bits. At this point in the kernel boot, the watchdog may have already +been enabled by u-boot. The original code's attempt to write to the TCR +register results in an inadvertent clearing of the watchdog +configuration bits, causing the 476 to reset. + +Signed-off-by: Ivan Mikhaylov +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/time.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -719,12 +719,20 @@ static int __init get_freq(char *name, i + static void start_cpu_decrementer(void) + { + #if defined(CONFIG_BOOKE) || defined(CONFIG_40x) ++ unsigned int tcr; ++ + /* Clear any pending timer interrupts */ + mtspr(SPRN_TSR, TSR_ENW | TSR_WIS | TSR_DIS | TSR_FIS); + +- /* Enable decrementer interrupt */ +- mtspr(SPRN_TCR, TCR_DIE); +-#endif /* defined(CONFIG_BOOKE) || defined(CONFIG_40x) */ ++ tcr = mfspr(SPRN_TCR); ++ /* ++ * The watchdog may have already been enabled by u-boot. So leave ++ * TRC[WP] (Watchdog Period) alone. ++ */ ++ tcr &= TCR_WP_MASK; /* Clear all bits except for TCR[WP] */ ++ tcr |= TCR_DIE; /* Enable decrementer */ ++ mtspr(SPRN_TCR, tcr); ++#endif + } + + void __init generic_calibrate_decr(void) diff --git a/queue-4.9/powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch b/queue-4.9/powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch new file mode 100644 index 00000000000..59bb3b13c53 --- /dev/null +++ b/queue-4.9/powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch @@ -0,0 +1,65 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Michael Ellerman +Date: Thu, 18 May 2017 20:37:31 +1000 +Subject: powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash + +From: Michael Ellerman + + +[ Upstream commit e41e53cd4fe331d0d1f06f8e4ed7e2cc63ee2c34 ] + +virt_addr_valid() is supposed to tell you if it's OK to call virt_to_page() on +an address. What this means in practice is that it should only return true for +addresses in the linear mapping which are backed by a valid PFN. + +We are failing to properly check that the address is in the linear mapping, +because virt_to_pfn() will return a valid looking PFN for more or less any +address. That bug is actually caused by __pa(), used in virt_to_pfn(). + +eg: __pa(0xc000000000010000) = 0x10000 # Good + __pa(0xd000000000010000) = 0x10000 # Bad! + __pa(0x0000000000010000) = 0x10000 # Bad! + +This started happening after commit bdbc29c19b26 ("powerpc: Work around gcc +miscompilation of __pa() on 64-bit") (Aug 2013), where we changed the definition +of __pa() to work around a GCC bug. Prior to that we subtracted PAGE_OFFSET from +the value passed to __pa(), meaning __pa() of a 0xd or 0x0 address would give +you something bogus back. + +Until we can verify if that GCC bug is no longer an issue, or come up with +another solution, this commit does the minimal fix to make virt_addr_valid() +work, by explicitly checking that the address is in the linear mapping region. + +Fixes: bdbc29c19b26 ("powerpc: Work around gcc miscompilation of __pa() on 64-bit") +Signed-off-by: Michael Ellerman +Reviewed-by: Paul Mackerras +Reviewed-by: Balbir Singh +Tested-by: Breno Leitao +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/page.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/powerpc/include/asm/page.h ++++ b/arch/powerpc/include/asm/page.h +@@ -132,7 +132,19 @@ extern long long virt_phys_offset; + #define virt_to_pfn(kaddr) (__pa(kaddr) >> PAGE_SHIFT) + #define virt_to_page(kaddr) pfn_to_page(virt_to_pfn(kaddr)) + #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT) ++ ++#ifdef CONFIG_PPC_BOOK3S_64 ++/* ++ * On hash the vmalloc and other regions alias to the kernel region when passed ++ * through __pa(), which virt_to_pfn() uses. That means virt_addr_valid() can ++ * return true for some vmalloc addresses, which is incorrect. So explicitly ++ * check that the address is in the kernel region. ++ */ ++#define virt_addr_valid(kaddr) (REGION_ID(kaddr) == KERNEL_REGION_ID && \ ++ pfn_valid(virt_to_pfn(kaddr))) ++#else + #define virt_addr_valid(kaddr) pfn_valid(virt_to_pfn(kaddr)) ++#endif + + /* + * On Book-E parts we need __va to parse the device tree and we can't diff --git a/queue-4.9/powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch b/queue-4.9/powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch new file mode 100644 index 00000000000..d8238e0c596 --- /dev/null +++ b/queue-4.9/powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Michael Ellerman +Date: Wed, 10 May 2017 16:57:49 +1000 +Subject: powerpc/modules: If mprofile-kernel is enabled add it to vermagic + +From: Michael Ellerman + + +[ Upstream commit 43e24e82f35291d4c1ca78877ce1b20d3aeb78f1 ] + +On powerpc we can build the kernel with two different ABIs for mcount(), which +is used by ftrace. Kernels built with one ABI do not know how to load modules +built with the other ABI. The new style ABI is called "mprofile-kernel", for +want of a better name. + +Currently if we build a module using the old style ABI, and the kernel with +mprofile-kernel, when we load the module we'll oops something like: + + # insmod autofs4-no-mprofile-kernel.ko + ftrace-powerpc: Unexpected instruction f8810028 around bl _mcount + ------------[ cut here ]------------ + WARNING: CPU: 6 PID: 3759 at ../kernel/trace/ftrace.c:2024 ftrace_bug+0x2b8/0x3c0 + CPU: 6 PID: 3759 Comm: insmod Not tainted 4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269 #11 + ... + NIP [c0000000001eaa48] ftrace_bug+0x2b8/0x3c0 + LR [c0000000001eaff8] ftrace_process_locs+0x4a8/0x590 + Call Trace: + alloc_pages_current+0xc4/0x1d0 (unreliable) + ftrace_process_locs+0x4a8/0x590 + load_module+0x1c8c/0x28f0 + SyS_finit_module+0x110/0x140 + system_call+0x38/0xfc + ... + ftrace failed to modify + [] 0xd000000002a31024 + actual: 35:65:00:48 + +We can avoid this by including in the vermagic whether the kernel/module was +built with mprofile-kernel. Which results in: + + # insmod autofs4-pg.ko + autofs4: version magic + '4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269 SMP mod_unload modversions ' + should be + '4.11.0-rc3-gcc-5.4.1-00017-g5a61ef74f269-dirty SMP mod_unload modversions mprofile-kernel' + insmod: ERROR: could not insert module autofs4-pg.ko: Invalid module format + +Fixes: 8c50b72a3b4f ("powerpc/ftrace: Add Kconfig & Make glue for mprofile-kernel") +Signed-off-by: Michael Ellerman +Acked-by: Balbir Singh +Acked-by: Jessica Yu +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/module.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/powerpc/include/asm/module.h ++++ b/arch/powerpc/include/asm/module.h +@@ -14,6 +14,10 @@ + #include + + ++#ifdef CC_USING_MPROFILE_KERNEL ++#define MODULE_ARCH_VERMAGIC "mprofile-kernel" ++#endif ++ + #ifndef __powerpc64__ + /* + * Thanks to Paul M for explaining this. diff --git a/queue-4.9/powerpc-spufs-fix-coredump-of-spu-contexts.patch b/queue-4.9/powerpc-spufs-fix-coredump-of-spu-contexts.patch new file mode 100644 index 00000000000..8feb8c5d6eb --- /dev/null +++ b/queue-4.9/powerpc-spufs-fix-coredump-of-spu-contexts.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Michael Ellerman +Date: Mon, 29 May 2017 20:26:07 +1000 +Subject: powerpc/spufs: Fix coredump of SPU contexts + +From: Michael Ellerman + + +[ Upstream commit 99acc9bede06bbb2662aafff51f5b9e529fa845e ] + +If a process dumps core while it has SPU contexts active then we have +code to also dump information about the SPU contexts. + +Unfortunately it's been broken for 3 1/2 years, and we didn't notice. In +commit 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") the nread +variable was removed and rc used instead. That means when the loop exits +successfully, rc has the number of bytes read, but it's then used as the +return value for the function, which should return 0 on success. + +So fix it by setting rc = 0 before returning in the success case. + +Fixes: 7b1f4020d0d1 ("spufs: get rid of dump_emit() wrappers") +Signed-off-by: Michael Ellerman +Acked-by: Jeremy Kerr +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/cell/spufs/coredump.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/platforms/cell/spufs/coredump.c ++++ b/arch/powerpc/platforms/cell/spufs/coredump.c +@@ -175,6 +175,8 @@ static int spufs_arch_write_note(struct + skip = roundup(cprm->pos - total + sz, 4) - cprm->pos; + if (!dump_skip(cprm, skip)) + goto Eio; ++ ++ rc = 0; + out: + free_page((unsigned long)buf); + return rc; diff --git a/queue-4.9/pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch b/queue-4.9/pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch new file mode 100644 index 00000000000..ce39e4c4b03 --- /dev/null +++ b/queue-4.9/pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Petr Cvek +Date: Mon, 24 Apr 2017 22:51:58 -0300 +Subject: [media] pxa_camera: fix module remove codepath for v4l2 clock + +From: Petr Cvek + + +[ Upstream commit e3b4d10cc057522353c4a02f2f90dca6a52e006f ] + +The conversion from soc_camera omitted a correct handling of the clock +gating for a sensor. When the pxa_camera driver module was removed it +tried to unregister clk, but this caused a similar warning: + + WARNING: CPU: 0 PID: 6740 at drivers/media/v4l2-core/v4l2-clk.c:278 + v4l2_clk_unregister(): Refusing to unregister ref-counted 0-0030 clock! + +The clock was at time still refcounted by the sensor driver. Before +the removing of the pxa_camera the clock must be dropped by the sensor +driver. This should be triggered by v4l2_async_notifier_unregister() call +which removes sensor driver module too, calls unbind() function and then +tries to probe sensor driver again. Inside unbind() we can safely +unregister the v4l2 clock as the sensor driver got removed. The original +v4l2_clk_unregister() should be put inside test as the clock can be +already unregistered from unbind(). If there was not any bound sensor +the clock is still present. + +The codepath is practically a copy from the old soc_camera. The bug was +tested with a pxa_camera+ov9640 combination during the conversion +of the ov9640 from the soc_camera. + +Signed-off-by: Petr Cvek +Tested-by: Robert Jarzmik +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/pxa_camera.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/pxa_camera.c ++++ b/drivers/media/platform/pxa_camera.c +@@ -2169,6 +2169,12 @@ static void pxa_camera_sensor_unbind(str + pxa_dma_stop_channels(pcdev); + + pxa_camera_destroy_formats(pcdev); ++ ++ if (pcdev->mclk_clk) { ++ v4l2_clk_unregister(pcdev->mclk_clk); ++ pcdev->mclk_clk = NULL; ++ } ++ + video_unregister_device(&pcdev->vdev); + pcdev->sensor = NULL; + +@@ -2495,7 +2501,13 @@ static int pxa_camera_remove(struct plat + dma_release_channel(pcdev->dma_chans[1]); + dma_release_channel(pcdev->dma_chans[2]); + +- v4l2_clk_unregister(pcdev->mclk_clk); ++ v4l2_async_notifier_unregister(&pcdev->notifier); ++ ++ if (pcdev->mclk_clk) { ++ v4l2_clk_unregister(pcdev->mclk_clk); ++ pcdev->mclk_clk = NULL; ++ } ++ + v4l2_device_unregister(&pcdev->v4l2_dev); + + dev_info(&pdev->dev, "PXA Camera driver unloaded\n"); diff --git a/queue-4.9/qed-correct-doorbell-configuration-for-4kb-pages.patch b/queue-4.9/qed-correct-doorbell-configuration-for-4kb-pages.patch new file mode 100644 index 00000000000..3b2e72f980e --- /dev/null +++ b/queue-4.9/qed-correct-doorbell-configuration-for-4kb-pages.patch @@ -0,0 +1,36 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Ram Amrani +Date: Tue, 9 May 2017 15:07:50 +0300 +Subject: qed: Correct doorbell configuration for !4Kb pages + +From: Ram Amrani + + +[ Upstream commit a82dadbce47395747824971db08a128130786fdc ] + +When configuring the doorbell DPI address, driver aligns the start +address to 4KB [HW-pages] instead of host PAGE_SIZE. +As a result, RoCE applications might receive addresses which are +unaligned to pages [when PAGE_SIZE > 4KB], which is a security risk. + +Fixes: 51ff17251c9c ("qed: Add support for RoCE hw init") +Signed-off-by: Ram Amrani +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -850,7 +850,7 @@ qed_hw_init_pf_doorbell_bar(struct qed_h + NULL) + + qed_cxt_get_proto_cid_count(p_hwfn, PROTOCOLID_ETH, + NULL); +- norm_regsize = roundup(QED_PF_DEMS_SIZE * non_pwm_conn, 4096); ++ norm_regsize = roundup(QED_PF_DEMS_SIZE * non_pwm_conn, PAGE_SIZE); + min_addr_reg1 = norm_regsize / 4096; + pwm_regsize = db_bar_size - norm_regsize; + diff --git a/queue-4.9/qed-fix-overriding-of-supported-autoneg-value.patch b/queue-4.9/qed-fix-overriding-of-supported-autoneg-value.patch new file mode 100644 index 00000000000..d3e3dc1893b --- /dev/null +++ b/queue-4.9/qed-fix-overriding-of-supported-autoneg-value.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "sudarsana.kalluru@cavium.com" +Date: Thu, 4 May 2017 08:15:04 -0700 +Subject: qed: Fix overriding of supported autoneg value. + +From: "sudarsana.kalluru@cavium.com" + + +[ Upstream commit 34f9199ce7b7e5c641b96e928bd60e086bf7f278 ] + +Driver currently uses advertised-autoneg value to populate the +supported-autoneg field. When advertised field is updated, user gets +the same value for supported field. Supported-autoneg value need to be +populated from the link capabilities value returned by the MFW. + +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: Yuval Mintz +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_dev.c | 3 +++ + drivers/net/ethernet/qlogic/qed/qed_main.c | 6 +++++- + drivers/net/ethernet/qlogic/qed/qed_mcp.h | 1 + + 3 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_dev.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_dev.c +@@ -1628,6 +1628,9 @@ static int qed_hw_get_nvm_info(struct qe + DP_NOTICE(p_hwfn, "Unknown Speed in 0x%08x\n", link_temp); + } + ++ p_hwfn->mcp_info->link_capabilities.default_speed_autoneg = ++ link->speed.autoneg; ++ + link_temp &= NVM_CFG1_PORT_DRV_FLOW_CONTROL_MASK; + link_temp >>= NVM_CFG1_PORT_DRV_FLOW_CONTROL_OFFSET; + link->pause.autoneg = !!(link_temp & +--- a/drivers/net/ethernet/qlogic/qed/qed_main.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_main.c +@@ -1240,7 +1240,7 @@ static void qed_fill_link(struct qed_hwf + + /* TODO - at the moment assume supported and advertised speed equal */ + if_link->supported_caps = QED_LM_FIBRE_BIT; +- if (params.speed.autoneg) ++ if (link_caps.default_speed_autoneg) + if_link->supported_caps |= QED_LM_Autoneg_BIT; + if (params.pause.autoneg || + (params.pause.forced_rx && params.pause.forced_tx)) +@@ -1250,6 +1250,10 @@ static void qed_fill_link(struct qed_hwf + if_link->supported_caps |= QED_LM_Pause_BIT; + + if_link->advertised_caps = if_link->supported_caps; ++ if (params.speed.autoneg) ++ if_link->advertised_caps |= QED_LM_Autoneg_BIT; ++ else ++ if_link->advertised_caps &= ~QED_LM_Autoneg_BIT; + if (params.speed.advertised_speeds & + NVM_CFG1_PORT_DRV_SPEED_CAPABILITY_MASK_1G) + if_link->advertised_caps |= QED_LM_1000baseT_Half_BIT | +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.h +@@ -35,6 +35,7 @@ struct qed_mcp_link_params { + + struct qed_mcp_link_capabilities { + u32 speed_capabilities; ++ bool default_speed_autoneg; + }; + + struct qed_mcp_link_state { diff --git a/queue-4.9/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch b/queue-4.9/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch new file mode 100644 index 00000000000..309a1f7f557 --- /dev/null +++ b/queue-4.9/qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jia-Ju Bai +Date: Thu, 1 Jun 2017 16:18:10 +0800 +Subject: qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M + +From: Jia-Ju Bai + + +[ Upstream commit 5ea6d691aac6c93b790f0905e3460d44cc4c449b ] + +The driver may sleep under a write spin lock, and the function +call path is: +qlcnic_82xx_hw_write_wx_2M (acquire the lock by write_lock_irqsave) + crb_win_lock + qlcnic_pcie_sem_lock + usleep_range +qlcnic_82xx_hw_read_wx_2M (acquire the lock by write_lock_irqsave) + crb_win_lock + qlcnic_pcie_sem_lock + usleep_range + +To fix it, the usleep_range is replaced with udelay. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c +@@ -341,7 +341,7 @@ qlcnic_pcie_sem_lock(struct qlcnic_adapt + } + return -EIO; + } +- usleep_range(1000, 1500); ++ udelay(1200); + } + + if (id_reg) diff --git a/queue-4.9/qlge-avoid-reading-past-end-of-buffer.patch b/queue-4.9/qlge-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..61d6bb8a197 --- /dev/null +++ b/queue-4.9/qlge-avoid-reading-past-end-of-buffer.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:34:34 -0700 +Subject: qlge: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit df5303a8aa9a0a6934f4cea7427f1edf771f21c2 ] + +Using memcpy() from a string that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. Instead, use strncpy() which will fill the trailing bytes +with zeros. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c ++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c +@@ -765,7 +765,7 @@ int ql_core_dump(struct ql_adapter *qdev + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_mpi_coredump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + /* Get generic NIC reg dump */ +@@ -1255,7 +1255,7 @@ static void ql_gen_reg_dump(struct ql_ad + sizeof(struct mpi_coredump_global_header); + mpi_coredump->mpi_global_header.imageSize = + sizeof(struct ql_reg_dump); +- memcpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", ++ strncpy(mpi_coredump->mpi_global_header.idString, "MPI Coredump", + sizeof(mpi_coredump->mpi_global_header.idString)); + + diff --git a/queue-4.9/ray_cs-avoid-reading-past-end-of-buffer.patch b/queue-4.9/ray_cs-avoid-reading-past-end-of-buffer.patch new file mode 100644 index 00000000000..668ff48448e --- /dev/null +++ b/queue-4.9/ray_cs-avoid-reading-past-end-of-buffer.patch @@ -0,0 +1,49 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 15:38:41 -0700 +Subject: ray_cs: Avoid reading past end of buffer + +From: Kees Cook + + +[ Upstream commit e48d661eb13f2f83861428f001c567fdb3f317e8 ] + +Using memcpy() from a buffer that is shorter than the length copied means +the destination buffer is being filled with arbitrary data from the kernel +rodata segment. In this case, the source was made longer, since it did not +match the destination structure size. Additionally removes a needless cast. + +This was found with the future CONFIG_FORTIFY_SOURCE feature. + +Cc: Daniel Micay +Signed-off-by: Kees Cook +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ray_cs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ray_cs.c ++++ b/drivers/net/wireless/ray_cs.c +@@ -247,7 +247,10 @@ static const UCHAR b4_default_startup_pa + 0x04, 0x08, /* Noise gain, limit offset */ + 0x28, 0x28, /* det rssi, med busy offsets */ + 7, /* det sync thresh */ +- 0, 2, 2 /* test mode, min, max */ ++ 0, 2, 2, /* test mode, min, max */ ++ 0, /* rx/tx delay */ ++ 0, 0, 0, 0, 0, 0, /* current BSS id */ ++ 0 /* hop set */ + }; + + /*===========================================================================*/ +@@ -598,7 +601,7 @@ static void init_startup_params(ray_dev_ + * a_beacon_period = hops a_beacon_period = KuS + *//* 64ms = 010000 */ + if (local->fw_ver == 0x55) { +- memcpy((UCHAR *) &local->sparm.b4, b4_default_startup_parms, ++ memcpy(&local->sparm.b4, b4_default_startup_parms, + sizeof(struct b4_startup_params)); + /* Translate sane kus input values to old build 4/5 format */ + /* i = hop time in uS truncated to 3 bytes */ diff --git a/queue-4.9/rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch b/queue-4.9/rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch new file mode 100644 index 00000000000..50b48052984 --- /dev/null +++ b/queue-4.9/rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Steven L. Roberts" +Date: Wed, 10 May 2017 10:54:12 -0500 +Subject: RDMA/hfi1: fix array termination by appending NULL to attr array + +From: "Steven L. Roberts" + + +[ Upstream commit c4dd4b69f55abcc8dd079f8de55d9d8c2ddbefce ] + +This fixes a kernel panic when loading the hfi driver as a dynamic module. + +Signed-off-by: Steven L Roberts +Reviewed-by: Leon Romanovsky +Acked-by: Dennis Dalessandro +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/hfi1/sysfs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/sysfs.c ++++ b/drivers/infiniband/hw/hfi1/sysfs.c +@@ -196,7 +196,8 @@ static const struct sysfs_ops port_cc_sy + }; + + static struct attribute *port_cc_default_attributes[] = { +- &cc_prescan_attr.attr ++ &cc_prescan_attr.attr, ++ NULL + }; + + static struct kobj_type port_cc_ktype = { diff --git a/queue-4.9/rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch b/queue-4.9/rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch new file mode 100644 index 00000000000..3a3b5ba9b8a --- /dev/null +++ b/queue-4.9/rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Raju Rangoju +Date: Mon, 15 May 2017 06:40:39 +0000 +Subject: RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers + +From: Raju Rangoju + + +[ Upstream commit 1dad0ebeea1cd890b8892523f736916e245b0aef ] + +The patch 761e19a504af (RDMA/iw_cxgb4: Handle return value of +c4iw_ofld_send() in abort_arp_failure()) from May 6, 2016 +leads to the following static checker warning: + drivers/infiniband/hw/cxgb4/cm.c:575 abort_arp_failure() + warn: passing freed memory 'skb' + +Also fixes skb leak when l2t resolution fails + +Fixes: 761e19a504afa55 (RDMA/iw_cxgb4: Handle return value of +c4iw_ofld_send() in abort_arp_failure()) +Reported-by: Dan Carpenter +Cc: Dan Carpenter +Signed-off-by: Raju Rangoju +Reviewed-by: Steve Wise +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/cxgb4/cm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/cxgb4/cm.c ++++ b/drivers/infiniband/hw/cxgb4/cm.c +@@ -488,6 +488,7 @@ static int _put_ep_safe(struct c4iw_dev + + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + release_ep_resources(ep); ++ kfree_skb(skb); + return 0; + } + +@@ -498,6 +499,7 @@ static int _put_pass_ep_safe(struct c4iw + ep = *((struct c4iw_ep **)(skb->cb + 2 * sizeof(void *))); + c4iw_put_ep(&ep->parent_ep->com); + release_ep_resources(ep); ++ kfree_skb(skb); + return 0; + } + +@@ -569,11 +571,13 @@ static void abort_arp_failure(void *hand + + PDBG("%s rdev %p\n", __func__, rdev); + req->cmd = CPL_ABORT_NO_RST; ++ skb_get(skb); + ret = c4iw_ofld_send(rdev, skb); + if (ret) { + __state_set(&ep->com, DEAD); + queue_arp_failure_cpl(ep, skb, FAKE_CPL_PUT_EP_SAFE); +- } ++ } else ++ kfree_skb(skb); + } + + static int send_flowc(struct c4iw_ep *ep) diff --git a/queue-4.9/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch b/queue-4.9/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch new file mode 100644 index 00000000000..249bb2087d1 --- /dev/null +++ b/queue-4.9/rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch @@ -0,0 +1,54 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Sowmini Varadhan +Date: Fri, 22 Dec 2017 09:38:59 -0800 +Subject: rds; Reset rs->rs_bound_addr in rds_add_bound() failure path + +From: Sowmini Varadhan + + +[ Upstream commit 7ae0c649c47f1c5d2db8cee6dd75855970af1669 ] + +If the rds_sock is not added to the bind_hash_table, we must +reset rs_bound_addr so that rds_remove_bound will not trip on +this rds_sock. + +rds_add_bound() does a rds_sock_put() in this failure path, so +failing to reset rs_bound_addr will result in a socket refcount +bug, and will trigger a WARN_ON with the stack shown below when +the application subsequently tries to close the PF_RDS socket. + + WARNING: CPU: 20 PID: 19499 at net/rds/af_rds.c:496 \ + rds_sock_destruct+0x15/0x30 [rds] + : + __sk_destruct+0x21/0x190 + rds_remove_bound.part.13+0xb6/0x140 [rds] + rds_release+0x71/0x120 [rds] + sock_release+0x1a/0x70 + sock_close+0xe/0x20 + __fput+0xd5/0x210 + task_work_run+0x82/0xa0 + do_exit+0x2ce/0xb30 + ? syscall_trace_enter+0x1cc/0x2b0 + do_group_exit+0x39/0xa0 + SyS_exit_group+0x10/0x10 + do_syscall_64+0x61/0x1a0 + +Signed-off-by: Sowmini Varadhan +Acked-by: Santosh Shilimkar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/rds/bind.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/rds/bind.c ++++ b/net/rds/bind.c +@@ -114,6 +114,7 @@ static int rds_add_bound(struct rds_sock + rs, &addr, (int)ntohs(*port)); + break; + } else { ++ rs->rs_bound_addr = 0; + rds_sock_put(rs); + ret = -ENOMEM; + break; diff --git a/queue-4.9/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch b/queue-4.9/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch new file mode 100644 index 00000000000..d18b8c83388 --- /dev/null +++ b/queue-4.9/rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Stanislaw Gruszka +Date: Tue, 19 Dec 2017 12:33:56 +0100 +Subject: rt2x00: do not pause queue unconditionally on error path + +From: Stanislaw Gruszka + + +[ Upstream commit 6dd80efd75ce7c2dbd9f117cf585ee2b33a42ee1 ] + +Pausing queue without checking threshold is racy with txdone path. +Moreover we do not need pause queue on any error, but only if queue +is full - in case when we send RTS frame ( other cases of almost full +queue are already handled in rt2x00queue_write_tx_frame() ). + +Patch fixes of theoretically possible problem of pausing empty +queue. + +Signed-off-by: Stanislaw Gruszka +Tested-by: Enrico Mioso +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 22 ++++++++++++++-------- + 1 file changed, 14 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c ++++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c +@@ -142,15 +142,25 @@ void rt2x00mac_tx(struct ieee80211_hw *h + if (!rt2x00dev->ops->hw->set_rts_threshold && + (tx_info->control.rates[0].flags & (IEEE80211_TX_RC_USE_RTS_CTS | + IEEE80211_TX_RC_USE_CTS_PROTECT))) { +- if (rt2x00queue_available(queue) <= 1) +- goto exit_fail; ++ if (rt2x00queue_available(queue) <= 1) { ++ /* ++ * Recheck for full queue under lock to avoid race ++ * conditions with rt2x00lib_txdone(). ++ */ ++ spin_lock(&queue->tx_lock); ++ if (rt2x00queue_threshold(queue)) ++ rt2x00queue_pause_queue(queue); ++ spin_unlock(&queue->tx_lock); ++ ++ goto exit_free_skb; ++ } + + if (rt2x00mac_tx_rts_cts(rt2x00dev, queue, skb)) +- goto exit_fail; ++ goto exit_free_skb; + } + + if (unlikely(rt2x00queue_write_tx_frame(queue, skb, control->sta, false))) +- goto exit_fail; ++ goto exit_free_skb; + + /* + * Pausing queue has to be serialized with rt2x00lib_txdone(). Note +@@ -164,10 +174,6 @@ void rt2x00mac_tx(struct ieee80211_hw *h + + return; + +- exit_fail: +- spin_lock(&queue->tx_lock); +- rt2x00queue_pause_queue(queue); +- spin_unlock(&queue->tx_lock); + exit_free_skb: + ieee80211_free_txskb(hw, skb); + } diff --git a/queue-4.9/rtc-interface-validate-alarm-time-before-handling-rollover.patch b/queue-4.9/rtc-interface-validate-alarm-time-before-handling-rollover.patch new file mode 100644 index 00000000000..5577134e3e1 --- /dev/null +++ b/queue-4.9/rtc-interface-validate-alarm-time-before-handling-rollover.patch @@ -0,0 +1,71 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Vaibhav Jain +Date: Fri, 19 May 2017 22:18:55 +0530 +Subject: rtc: interface: Validate alarm-time before handling rollover + +From: Vaibhav Jain + + +[ Upstream commit da96aea0ed177105cb13ee83b328f6c61e061d3f ] + +In function __rtc_read_alarm() its possible for an alarm time-stamp to +be invalid even after replacing missing components with current +time-stamp. The condition 'alarm->time.tm_year < 70' will trigger this +case and will cause the call to 'rtc_tm_to_time64(&alarm->time)' +return a negative value for variable t_alm. + +While handling alarm rollover this negative t_alm (assumed to seconds +offset from '1970-01-01 00:00:00') is converted back to rtc_time via +rtc_time64_to_tm() which results in this error log with seemingly +garbage values: + +"rtc rtc0: invalid alarm value: -2-1--1041528741 +2005511117:71582844:32" + +This error was generated when the rtc driver (rtc-opal in this case) +returned an alarm time-stamp of '00-00-00 00:00:00' to indicate that +the alarm is disabled. Though I have submitted a separate fix for the +rtc-opal driver, this issue may potentially impact other +existing/future rtc drivers. + +To fix this issue the patch validates the alarm time-stamp just after +filling up the missing datetime components and if rtc_valid_tm() still +reports it to be invalid then bails out of the function without +handling the rollover. + +Reported-by: Steve Best +Signed-off-by: Vaibhav Jain +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -227,6 +227,13 @@ int __rtc_read_alarm(struct rtc_device * + missing = year; + } + ++ /* Can't proceed if alarm is still invalid after replacing ++ * missing fields. ++ */ ++ err = rtc_valid_tm(&alarm->time); ++ if (err) ++ goto done; ++ + /* with luck, no rollover is needed */ + t_now = rtc_tm_to_time64(&now); + t_alm = rtc_tm_to_time64(&alarm->time); +@@ -278,9 +285,9 @@ int __rtc_read_alarm(struct rtc_device * + dev_warn(&rtc->dev, "alarm rollover not handled\n"); + } + +-done: + err = rtc_valid_tm(&alarm->time); + ++done: + if (err) { + dev_warn(&rtc->dev, "invalid alarm value: %d-%d-%d %d:%d:%d\n", + alarm->time.tm_year + 1900, alarm->time.tm_mon + 1, diff --git a/queue-4.9/rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch b/queue-4.9/rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch new file mode 100644 index 00000000000..eedd4866112 --- /dev/null +++ b/queue-4.9/rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch @@ -0,0 +1,53 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Gary Bisson +Date: Tue, 25 Apr 2017 16:45:15 +0200 +Subject: rtc: m41t80: fix SQW dividers override when setting a date + +From: Gary Bisson + + +[ Upstream commit 0f546b058b86ea2f661cc7a6e931cee5a29959ef ] + +This patch is only relevant for RTC with the SQ_ALT feature which +means the clock output frequency divider is stored in the weekday +register. + +Current implementation discards the previous dividers value and clear +them as soon as the time is set. + +Signed-off-by: Gary Bisson +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-m41t80.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/rtc/rtc-m41t80.c ++++ b/drivers/rtc/rtc-m41t80.c +@@ -168,6 +168,7 @@ static int m41t80_get_datetime(struct i2 + /* Sets the given date and time to the real time clock. */ + static int m41t80_set_datetime(struct i2c_client *client, struct rtc_time *tm) + { ++ struct m41t80_data *clientdata = i2c_get_clientdata(client); + unsigned char buf[8]; + int err, flags; + +@@ -183,6 +184,17 @@ static int m41t80_set_datetime(struct i2 + buf[M41T80_REG_YEAR] = bin2bcd(tm->tm_year - 100); + buf[M41T80_REG_WDAY] = tm->tm_wday; + ++ /* If the square wave output is controlled in the weekday register */ ++ if (clientdata->features & M41T80_FEATURE_SQ_ALT) { ++ int val; ++ ++ val = i2c_smbus_read_byte_data(client, M41T80_REG_WDAY); ++ if (val < 0) ++ return val; ++ ++ buf[M41T80_REG_WDAY] |= (val & 0xf0); ++ } ++ + err = i2c_smbus_write_i2c_block_data(client, M41T80_REG_SSEC, + sizeof(buf), buf); + if (err < 0) { diff --git a/queue-4.9/rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch b/queue-4.9/rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch new file mode 100644 index 00000000000..d9f946ca8d5 --- /dev/null +++ b/queue-4.9/rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Vaibhav Jain +Date: Fri, 19 May 2017 15:35:09 +0530 +Subject: rtc: opal: Handle disabled TPO in opal_get_tpo_time() + +From: Vaibhav Jain + + +[ Upstream commit 6dc1cf6f932bb0ea4d8f5e913a0a401ecacd2f03 ] + +On PowerNV platform when Timed-Power-On(TPO) is disabled, read of +stored TPO yields value with all date components set to '0' inside +opal_get_tpo_time(). The function opal_to_tm() then converts it to an +offset from year 1900 yielding alarm-time == "1900-00-01 +00:00:00". This causes problems with __rtc_read_alarm() that +expecting an offset from "1970-00-01 00:00:00" and returned alarm-time +results in a -ve value for time64_t. Which ultimately results in this +error reported in kernel logs with a seemingly garbage value: + +"rtc rtc0: invalid alarm value: -2-1--1041528741 +2005511117:71582844:32" + +We fix this by explicitly handling the case of all alarm date-time +components being '0' inside opal_get_tpo_time() and returning -ENOENT +in such a case. This signals generic rtc that no alarm is set and it +bails out from the alarm initialization flow without reporting the +above error. + +Signed-off-by: Vaibhav Jain +Reported-by: Steve Best +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-opal.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/rtc/rtc-opal.c ++++ b/drivers/rtc/rtc-opal.c +@@ -150,6 +150,16 @@ static int opal_get_tpo_time(struct devi + + y_m_d = be32_to_cpu(__y_m_d); + h_m_s_ms = ((u64)be32_to_cpu(__h_m) << 32); ++ ++ /* check if no alarm is set */ ++ if (y_m_d == 0 && h_m_s_ms == 0) { ++ pr_debug("No alarm is set\n"); ++ rc = -ENOENT; ++ goto exit; ++ } else { ++ pr_debug("Alarm set to %x %llx\n", y_m_d, h_m_s_ms); ++ } ++ + opal_to_tm(y_m_d, h_m_s_ms, &alarm->time); + + exit: diff --git a/queue-4.9/rtc-snvs-fix-an-incorrect-check-of-return-value.patch b/queue-4.9/rtc-snvs-fix-an-incorrect-check-of-return-value.patch new file mode 100644 index 00000000000..97d0ca81965 --- /dev/null +++ b/queue-4.9/rtc-snvs-fix-an-incorrect-check-of-return-value.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 13:43:24 +0800 +Subject: rtc: snvs: fix an incorrect check of return value + +From: Pan Bian + + +[ Upstream commit 758929005f06f954b7e1c87a1c9fdb44157b228f ] + +Function devm_regmap_init_mmio() returns an ERR_PTR on error. However, +in function snvs_rtc_probe() its return value is checked against NULL. +This patch fixes it by checking the return value with IS_ERR(). + +Signed-off-by: Pan Bian +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-snvs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -257,7 +257,7 @@ static int snvs_rtc_probe(struct platfor + of_property_read_u32(pdev->dev.of_node, "offset", &data->offset); + } + +- if (!data->regmap) { ++ if (IS_ERR(data->regmap)) { + dev_err(&pdev->dev, "Can't find snvs syscon\n"); + return -ENODEV; + } diff --git a/queue-4.9/s390-dasd-fix-hanging-safe-offline.patch b/queue-4.9/s390-dasd-fix-hanging-safe-offline.patch new file mode 100644 index 00000000000..48f407c84fc --- /dev/null +++ b/queue-4.9/s390-dasd-fix-hanging-safe-offline.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Stefan Haberland +Date: Thu, 18 May 2017 13:24:45 +0200 +Subject: s390/dasd: fix hanging safe offline + +From: Stefan Haberland + + +[ Upstream commit e8ac01555d9e464249e8bb122337d6d6e5589ccc ] + +The safe offline processing may hang forever because it waits for I/O +which can not be started because of the offline flag that prevents new +I/O from being started. + +Allow I/O to be started during safe offline processing because in this +special case we take care that the queues are empty before throwing away +the device. + +Signed-off-by: Stefan Haberland +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -1950,8 +1950,12 @@ static int __dasd_device_is_unusable(str + { + int mask = ~(DASD_STOPPED_DC_WAIT | DASD_UNRESUMED_PM); + +- if (test_bit(DASD_FLAG_OFFLINE, &device->flags)) { +- /* dasd is being set offline. */ ++ if (test_bit(DASD_FLAG_OFFLINE, &device->flags) && ++ !test_bit(DASD_FLAG_SAFE_OFFLINE_RUNNING, &device->flags)) { ++ /* ++ * dasd is being set offline ++ * but it is no safe offline where we have to allow I/O ++ */ + return 1; + } + if (device->stopped) { diff --git a/queue-4.9/s390-move-_text-symbol-to-address-higher-than-zero.patch b/queue-4.9/s390-move-_text-symbol-to-address-higher-than-zero.patch new file mode 100644 index 00000000000..ca58215c356 --- /dev/null +++ b/queue-4.9/s390-move-_text-symbol-to-address-higher-than-zero.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Heiko Carstens +Date: Thu, 4 May 2017 09:42:22 +0200 +Subject: s390: move _text symbol to address higher than zero + +From: Heiko Carstens + + +[ Upstream commit d04a4c76f71dd5335f8e499b59617382d84e2b8d ] + +The perf tool assumes that kernel symbols are never present at address +zero. In fact it assumes if functions that map symbols to addresses +return zero, that the symbol was not found. + +Given that s390's _text symbol historically is located at address zero +this yields at least a couple of false errors and warnings in one of +perf's test cases about not present symbols ("perf test 1"). + +To fix this simply move the _text symbol to address 0x200, just behind +the initial psw and channel program located at the beginning of the +kernel image. This is now hard coded within the linker script. + +I tried a nicer solution which moves the initial psw and channel +program into an own section. However that would move the symbols +within the "real" head.text section to different addresses, since the +".org" statements within head.S are relative to the head.text +section. If there is a new section in front, everything else will be +moved. Alternatively I could have adjusted all ".org" statements. But +this current solution seems to be the easiest one, since nobody really +cares where the _text symbol is actually located. + +Reported-by: Zvonko Kosic +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/vmlinux.lds.S | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -31,8 +31,14 @@ SECTIONS + { + . = 0x00000000; + .text : { +- _text = .; /* Text and read-only data */ ++ /* Text and read-only data */ + HEAD_TEXT ++ /* ++ * E.g. perf doesn't like symbols starting at address zero, ++ * therefore skip the initial PSW and channel program located ++ * at address zero and let _text start at 0x200. ++ */ ++ _text = 0x200; + TEXT_TEXT + SCHED_TEXT + CPUIDLE_TEXT diff --git a/queue-4.9/sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch b/queue-4.9/sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch new file mode 100644 index 00000000000..f90675bb93d --- /dev/null +++ b/queue-4.9/sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch @@ -0,0 +1,268 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Daniel Bristot de Oliveira +Date: Mon, 29 May 2017 16:24:03 +0200 +Subject: sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks + +From: Daniel Bristot de Oliveira + + +[ Upstream commit 3effcb4247e74a51f5d8b775a1ee4abf87cc089a ] + +We have been facing some problems with self-suspending constrained +deadline tasks. The main reason is that the original CBS was not +designed for such sort of tasks. + +One problem reported by Xunlei Pang takes place when a task +suspends, and then is awakened before the deadline, but so close +to the deadline that its remaining runtime can cause the task +to have an absolute density higher than allowed. In such situation, +the original CBS assumes that the task is facing an early activation, +and so it replenishes the task and set another deadline, one deadline +in the future. This rule works fine for implicit deadline tasks. +Moreover, it allows the system to adapt the period of a task in which +the external event source suffered from a clock drift. + +However, this opens the window for bandwidth leakage for constrained +deadline tasks. For instance, a task with the following parameters: + + runtime = 5 ms + deadline = 7 ms + [density] = 5 / 7 = 0.71 + period = 1000 ms + +If the task runs for 1 ms, and then suspends for another 1ms, +it will be awakened with the following parameters: + + remaining runtime = 4 + laxity = 5 + +presenting a absolute density of 4 / 5 = 0.80. + +In this case, the original CBS would assume the task had an early +wakeup. Then, CBS will reset the runtime, and the absolute deadline will +be postponed by one relative deadline, allowing the task to run. + +The problem is that, if the task runs this pattern forever, it will keep +receiving bandwidth, being able to run 1ms every 2ms. Following this +behavior, the task would be able to run 500 ms in 1 sec. Thus running +more than the 5 ms / 1 sec the admission control allowed it to run. + +Trying to address the self-suspending case, Luca Abeni, Giuseppe +Lipari, and Juri Lelli [1] revisited the CBS in order to deal with +self-suspending tasks. In the new approach, rather than +replenishing/postponing the absolute deadline, the revised wakeup rule +adjusts the remaining runtime, reducing it to fit into the allowed +density. + +A revised version of the idea is: + +At a given time t, the maximum absolute density of a task cannot be +higher than its relative density, that is: + + runtime / (deadline - t) <= dl_runtime / dl_deadline + +Knowing the laxity of a task (deadline - t), it is possible to move +it to the other side of the equality, thus enabling to define max +remaining runtime a task can use within the absolute deadline, without +over-running the allowed density: + + runtime = (dl_runtime / dl_deadline) * (deadline - t) + +For instance, in our previous example, the task could still run: + + runtime = ( 5 / 7 ) * 5 + runtime = 3.57 ms + +Without causing damage for other deadline tasks. It is note worthy +that the laxity cannot be negative because that would cause a negative +runtime. Thus, this patch depends on the patch: + + df8eac8cafce ("sched/deadline: Throttle a constrained deadline task activated after the deadline") + +Which throttles a constrained deadline task activated after the +deadline. + +Finally, it is also possible to use the revised wakeup rule for +all other tasks, but that would require some more discussions +about pros and cons. + +Reported-by: Xunlei Pang +Signed-off-by: Daniel Bristot de Oliveira +[peterz: replaced dl_is_constrained with dl_is_implicit] +Signed-off-by: Peter Zijlstra (Intel) +Cc: Juri Lelli +Cc: Linus Torvalds +Cc: Luca Abeni +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Romulo Silva de Oliveira +Cc: Steven Rostedt +Cc: Thomas Gleixner +Cc: Tommaso Cucinotta +Link: http://lkml.kernel.org/r/5c800ab3a74a168a84ee5f3f84d12a02e11383be.1495803804.git.bristot@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sched.h | 1 + kernel/sched/core.c | 2 + kernel/sched/deadline.c | 98 ++++++++++++++++++++++++++++++++++++++++++------ + 3 files changed, 89 insertions(+), 12 deletions(-) + +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1412,6 +1412,7 @@ struct sched_dl_entity { + u64 dl_deadline; /* relative deadline of each instance */ + u64 dl_period; /* separation of two instances (period) */ + u64 dl_bw; /* dl_runtime / dl_deadline */ ++ u64 dl_density; /* dl_runtime / dl_deadline */ + + /* + * Actual scheduling parameters. Initialized with the values above, +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -2184,6 +2184,7 @@ void __dl_clear_params(struct task_struc + dl_se->dl_period = 0; + dl_se->flags = 0; + dl_se->dl_bw = 0; ++ dl_se->dl_density = 0; + + dl_se->dl_throttled = 0; + dl_se->dl_yielded = 0; +@@ -3912,6 +3913,7 @@ __setparam_dl(struct task_struct *p, con + dl_se->dl_period = attr->sched_period ?: dl_se->dl_deadline; + dl_se->flags = attr->sched_flags; + dl_se->dl_bw = to_ratio(dl_se->dl_period, dl_se->dl_runtime); ++ dl_se->dl_density = to_ratio(dl_se->dl_deadline, dl_se->dl_runtime); + + /* + * Changing the parameters of a task is 'tricky' and we're not doing +--- a/kernel/sched/deadline.c ++++ b/kernel/sched/deadline.c +@@ -484,13 +484,84 @@ static bool dl_entity_overflow(struct sc + } + + /* +- * When a -deadline entity is queued back on the runqueue, its runtime and +- * deadline might need updating. ++ * Revised wakeup rule [1]: For self-suspending tasks, rather then ++ * re-initializing task's runtime and deadline, the revised wakeup ++ * rule adjusts the task's runtime to avoid the task to overrun its ++ * density. + * +- * The policy here is that we update the deadline of the entity only if: +- * - the current deadline is in the past, +- * - using the remaining runtime with the current deadline would make +- * the entity exceed its bandwidth. ++ * Reasoning: a task may overrun the density if: ++ * runtime / (deadline - t) > dl_runtime / dl_deadline ++ * ++ * Therefore, runtime can be adjusted to: ++ * runtime = (dl_runtime / dl_deadline) * (deadline - t) ++ * ++ * In such way that runtime will be equal to the maximum density ++ * the task can use without breaking any rule. ++ * ++ * [1] Luca Abeni, Giuseppe Lipari, and Juri Lelli. 2015. Constant ++ * bandwidth server revisited. SIGBED Rev. 11, 4 (January 2015), 19-24. ++ */ ++static void ++update_dl_revised_wakeup(struct sched_dl_entity *dl_se, struct rq *rq) ++{ ++ u64 laxity = dl_se->deadline - rq_clock(rq); ++ ++ /* ++ * If the task has deadline < period, and the deadline is in the past, ++ * it should already be throttled before this check. ++ * ++ * See update_dl_entity() comments for further details. ++ */ ++ WARN_ON(dl_time_before(dl_se->deadline, rq_clock(rq))); ++ ++ dl_se->runtime = (dl_se->dl_density * laxity) >> 20; ++} ++ ++/* ++ * Regarding the deadline, a task with implicit deadline has a relative ++ * deadline == relative period. A task with constrained deadline has a ++ * relative deadline <= relative period. ++ * ++ * We support constrained deadline tasks. However, there are some restrictions ++ * applied only for tasks which do not have an implicit deadline. See ++ * update_dl_entity() to know more about such restrictions. ++ * ++ * The dl_is_implicit() returns true if the task has an implicit deadline. ++ */ ++static inline bool dl_is_implicit(struct sched_dl_entity *dl_se) ++{ ++ return dl_se->dl_deadline == dl_se->dl_period; ++} ++ ++/* ++ * When a deadline entity is placed in the runqueue, its runtime and deadline ++ * might need to be updated. This is done by a CBS wake up rule. There are two ++ * different rules: 1) the original CBS; and 2) the Revisited CBS. ++ * ++ * When the task is starting a new period, the Original CBS is used. In this ++ * case, the runtime is replenished and a new absolute deadline is set. ++ * ++ * When a task is queued before the begin of the next period, using the ++ * remaining runtime and deadline could make the entity to overflow, see ++ * dl_entity_overflow() to find more about runtime overflow. When such case ++ * is detected, the runtime and deadline need to be updated. ++ * ++ * If the task has an implicit deadline, i.e., deadline == period, the Original ++ * CBS is applied. the runtime is replenished and a new absolute deadline is ++ * set, as in the previous cases. ++ * ++ * However, the Original CBS does not work properly for tasks with ++ * deadline < period, which are said to have a constrained deadline. By ++ * applying the Original CBS, a constrained deadline task would be able to run ++ * runtime/deadline in a period. With deadline < period, the task would ++ * overrun the runtime/period allowed bandwidth, breaking the admission test. ++ * ++ * In order to prevent this misbehave, the Revisited CBS is used for ++ * constrained deadline tasks when a runtime overflow is detected. In the ++ * Revisited CBS, rather than replenishing & setting a new absolute deadline, ++ * the remaining runtime of the task is reduced to avoid runtime overflow. ++ * Please refer to the comments update_dl_revised_wakeup() function to find ++ * more about the Revised CBS rule. + */ + static void update_dl_entity(struct sched_dl_entity *dl_se, + struct sched_dl_entity *pi_se) +@@ -500,6 +571,14 @@ static void update_dl_entity(struct sche + + if (dl_time_before(dl_se->deadline, rq_clock(rq)) || + dl_entity_overflow(dl_se, pi_se, rq_clock(rq))) { ++ ++ if (unlikely(!dl_is_implicit(dl_se) && ++ !dl_time_before(dl_se->deadline, rq_clock(rq)) && ++ !dl_se->dl_boosted)){ ++ update_dl_revised_wakeup(dl_se, rq); ++ return; ++ } ++ + dl_se->deadline = rq_clock(rq) + pi_se->dl_deadline; + dl_se->runtime = pi_se->dl_runtime; + } +@@ -961,11 +1040,6 @@ static void dequeue_dl_entity(struct sch + __dequeue_dl_entity(dl_se); + } + +-static inline bool dl_is_constrained(struct sched_dl_entity *dl_se) +-{ +- return dl_se->dl_deadline < dl_se->dl_period; +-} +- + static void enqueue_task_dl(struct rq *rq, struct task_struct *p, int flags) + { + struct task_struct *pi_task = rt_mutex_get_top_task(p); +@@ -997,7 +1071,7 @@ static void enqueue_task_dl(struct rq *r + * If that is the case, the task will be throttled and + * the replenishment timer will be set to the next period. + */ +- if (!p->dl.dl_throttled && dl_is_constrained(&p->dl)) ++ if (!p->dl.dl_throttled && !dl_is_implicit(&p->dl)) + dl_check_constrained_dl(&p->dl); + + /* diff --git a/queue-4.9/sched-numa-use-down_read_trylock-for-the-mmap_sem.patch b/queue-4.9/sched-numa-use-down_read_trylock-for-the-mmap_sem.patch new file mode 100644 index 00000000000..5eb6bda1e1f --- /dev/null +++ b/queue-4.9/sched-numa-use-down_read_trylock-for-the-mmap_sem.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Vlastimil Babka +Date: Mon, 15 May 2017 15:13:16 +0200 +Subject: sched/numa: Use down_read_trylock() for the mmap_sem + +From: Vlastimil Babka + + +[ Upstream commit 8655d5497735b288f8a9b458bd22e7d1bf95bb61 ] + +A customer has reported a soft-lockup when running an intensive +memory stress test, where the trace on multiple CPU's looks like this: + + RIP: 0010:[] + [] native_queued_spin_lock_slowpath+0x10e/0x190 +... + Call Trace: + [] queued_spin_lock_slowpath+0x7/0xa + [] change_protection_range+0x3b1/0x930 + [] change_prot_numa+0x18/0x30 + [] task_numa_work+0x1fe/0x310 + [] task_work_run+0x72/0x90 + +Further investigation showed that the lock contention here is pmd_lock(). + +The task_numa_work() function makes sure that only one thread is let to perform +the work in a single scan period (via cmpxchg), but if there's a thread with +mmap_sem locked for writing for several periods, multiple threads in +task_numa_work() can build up a convoy waiting for mmap_sem for read and then +all get unblocked at once. + +This patch changes the down_read() to the trylock version, which prevents the +build up. For a workload experiencing mmap_sem contention, it's probably better +to postpone the NUMA balancing work anyway. This seems to have fixed the soft +lockups involving pmd_lock(), which is in line with the convoy theory. + +Signed-off-by: Vlastimil Babka +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Rik van Riel +Acked-by: Mel Gorman +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170515131316.21909-1-vbabka@suse.cz +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sched/fair.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -2429,7 +2429,8 @@ void task_numa_work(struct callback_head + return; + + +- down_read(&mm->mmap_sem); ++ if (!down_read_trylock(&mm->mmap_sem)) ++ return; + vma = find_vma(mm, start); + if (!vma) { + reset_ptenuma_scan(p); diff --git a/queue-4.9/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch b/queue-4.9/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch new file mode 100644 index 00000000000..09b0a995120 --- /dev/null +++ b/queue-4.9/scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch @@ -0,0 +1,101 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Maurizio Lombardi +Date: Wed, 24 May 2017 14:09:44 +0200 +Subject: scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() + +From: Maurizio Lombardi + + +[ Upstream commit c2dd893a3b0772d1c680e109b9d5715d7f73022b ] + +If multiple tasks attempt to read the stats, it may happen that the +start_req_done completion is re-initialized while still being used by +another task, causing a list corruption. + +This patch fixes the bug by adding a mutex to serialize the calls to +bnx2fc_get_host_stats(). + +WARNING: at lib/list_debug.c:48 list_del+0x6e/0xa0() (Not tainted) +Hardware name: PowerEdge R820 +list_del corruption. prev->next should be ffff882035627d90, but was ffff884069541588 + +Pid: 40267, comm: perl Not tainted 2.6.32-642.3.1.el6.x86_64 #1 +Call Trace: + [] ? warn_slowpath_common+0x91/0xe0 + [] ? warn_slowpath_fmt+0x46/0x60 + [] ? list_del+0x6e/0xa0 + [] ? wait_for_common+0x14d/0x180 + [] ? default_wake_function+0x0/0x20 + [] ? wait_for_completion_timeout+0x13/0x20 + [] ? bnx2fc_get_host_stats+0xa1/0x280 [bnx2fc] + [] ? fc_stat_show+0x90/0xc0 [scsi_transport_fc] + [] ? show_fcstat_tx_frames+0x16/0x20 [scsi_transport_fc] + [] ? dev_attr_show+0x27/0x50 + [] ? __get_free_pages+0xe/0x50 + [] ? sysfs_read_file+0x111/0x200 + [] ? vfs_read+0xb5/0x1a0 + [] ? fget_light_pos+0x16/0x50 + [] ? sys_read+0x51/0xb0 + [] ? __audit_syscall_exit+0x25e/0x290 + [] ? system_call_fastpath+0x16/0x1b + +Signed-off-by: Maurizio Lombardi +Acked-by: Chad Dupuis +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2fc/bnx2fc.h | 1 + + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/bnx2fc/bnx2fc.h ++++ b/drivers/scsi/bnx2fc/bnx2fc.h +@@ -191,6 +191,7 @@ struct bnx2fc_hba { + struct bnx2fc_cmd_mgr *cmd_mgr; + spinlock_t hba_lock; + struct mutex hba_mutex; ++ struct mutex hba_stats_mutex; + unsigned long adapter_state; + #define ADAPTER_STATE_UP 0 + #define ADAPTER_STATE_GOING_DOWN 1 +--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c ++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c +@@ -670,15 +670,17 @@ static struct fc_host_statistics *bnx2fc + if (!fw_stats) + return NULL; + ++ mutex_lock(&hba->hba_stats_mutex); ++ + bnx2fc_stats = fc_get_host_stats(shost); + + init_completion(&hba->stat_req_done); + if (bnx2fc_send_stat_req(hba)) +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + rc = wait_for_completion_timeout(&hba->stat_req_done, (2 * HZ)); + if (!rc) { + BNX2FC_HBA_DBG(lport, "FW stat req timed out\n"); +- return bnx2fc_stats; ++ goto unlock_stats_mutex; + } + BNX2FC_STATS(hba, rx_stat2, fc_crc_cnt); + bnx2fc_stats->invalid_crc_count += hba->bfw_stats.fc_crc_cnt; +@@ -700,6 +702,9 @@ static struct fc_host_statistics *bnx2fc + + memcpy(&hba->prev_stats, hba->stats_buffer, + sizeof(struct fcoe_statistics_params)); ++ ++unlock_stats_mutex: ++ mutex_unlock(&hba->hba_stats_mutex); + return bnx2fc_stats; + } + +@@ -1348,6 +1353,7 @@ static struct bnx2fc_hba *bnx2fc_hba_cre + } + spin_lock_init(&hba->hba_lock); + mutex_init(&hba->hba_mutex); ++ mutex_init(&hba->hba_stats_mutex); + + hba->cnic = cnic; + diff --git a/queue-4.9/scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch b/queue-4.9/scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch new file mode 100644 index 00000000000..390da39adbf --- /dev/null +++ b/queue-4.9/scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Varun Prakash +Date: Wed, 17 May 2017 20:30:43 +0530 +Subject: scsi: csiostor: fix use after free in csio_hw_use_fwconfig() + +From: Varun Prakash + + +[ Upstream commit a351e40b6de550049423a26f7ded7b639e363d89 ] + +mbp pointer is passed to csio_hw_validate_caps() so call mempool_free() +after calling csio_hw_validate_caps(). + +Signed-off-by: Varun Prakash +Fixes: 541c571fa2fd ("csiostor:Use firmware version from cxgb4/t4fw_version.h") +Reviewed-by: Johannes Thumshirn +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/csiostor/csio_hw.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -1769,7 +1769,6 @@ csio_hw_use_fwconfig(struct csio_hw *hw, + goto bye; + } + +- mempool_free(mbp, hw->mb_mempool); + if (finicsum != cfcsum) { + csio_warn(hw, + "Config File checksum mismatch: csum=%#x, computed=%#x\n", +@@ -1780,6 +1779,10 @@ csio_hw_use_fwconfig(struct csio_hw *hw, + rv = csio_hw_validate_caps(hw, mbp); + if (rv != 0) + goto bye; ++ ++ mempool_free(mbp, hw->mb_mempool); ++ mbp = NULL; ++ + /* + * Note that we're operating with parameters + * not supplied by the driver, rather than from hard-wired diff --git a/queue-4.9/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch b/queue-4.9/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch new file mode 100644 index 00000000000..537a72fb996 --- /dev/null +++ b/queue-4.9/scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch @@ -0,0 +1,104 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Rafael David Tinoco +Date: Thu, 7 Dec 2017 19:59:13 -0200 +Subject: scsi: libiscsi: Allow sd_shutdown on bad transport + +From: Rafael David Tinoco + + +[ Upstream commit d754941225a7dbc61f6dd2173fa9498049f9a7ee ] + +If, for any reason, userland shuts down iscsi transport interfaces +before proper logouts - like when logging in to LUNs manually, without +logging out on server shutdown, or when automated scripts can't +umount/logout from logged LUNs - kernel will hang forever on its +sd_sync_cache() logic, after issuing the SYNCHRONIZE_CACHE cmd to all +still existent paths. + +PID: 1 TASK: ffff8801a69b8000 CPU: 1 COMMAND: "systemd-shutdow" + #0 [ffff8801a69c3a30] __schedule at ffffffff8183e9ee + #1 [ffff8801a69c3a80] schedule at ffffffff8183f0d5 + #2 [ffff8801a69c3a98] schedule_timeout at ffffffff81842199 + #3 [ffff8801a69c3b40] io_schedule_timeout at ffffffff8183e604 + #4 [ffff8801a69c3b70] wait_for_completion_io_timeout at ffffffff8183fc6c + #5 [ffff8801a69c3bd0] blk_execute_rq at ffffffff813cfe10 + #6 [ffff8801a69c3c88] scsi_execute at ffffffff815c3fc7 + #7 [ffff8801a69c3cc8] scsi_execute_req_flags at ffffffff815c60fe + #8 [ffff8801a69c3d30] sd_sync_cache at ffffffff815d37d7 + #9 [ffff8801a69c3da8] sd_shutdown at ffffffff815d3c3c + +This happens because iscsi_eh_cmd_timed_out(), the transport layer +timeout helper, would tell the queue timeout function (scsi_times_out) +to reset the request timer over and over, until the session state is +back to logged in state. Unfortunately, during server shutdown, this +might never happen again. + +Other option would be "not to handle" the issue in the transport +layer. That would trigger the error handler logic, which would also need +the session state to be logged in again. + +Best option, for such case, is to tell upper layers that the command was +handled during the transport layer error handler helper, marking it as +DID_NO_CONNECT, which will allow completion and inform about the +problem. + +After the session was marked as ISCSI_STATE_FAILED, due to the first +timeout during the server shutdown phase, all subsequent cmds will fail +to be queued, allowing upper logic to fail faster. + +Signed-off-by: Rafael David Tinoco +Reviewed-by: Lee Duncan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -1695,6 +1695,15 @@ int iscsi_queuecommand(struct Scsi_Host + */ + switch (session->state) { + case ISCSI_STATE_FAILED: ++ /* ++ * cmds should fail during shutdown, if the session ++ * state is bad, allowing completion to happen ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ reason = FAILURE_SESSION_FAILED; ++ sc->result = DID_NO_CONNECT << 16; ++ break; ++ } + case ISCSI_STATE_IN_RECOVERY: + reason = FAILURE_SESSION_IN_RECOVERY; + sc->result = DID_IMM_RETRY << 16; +@@ -1980,6 +1989,19 @@ static enum blk_eh_timer_return iscsi_eh + + if (session->state != ISCSI_STATE_LOGGED_IN) { + /* ++ * During shutdown, if session is prematurely disconnected, ++ * recovery won't happen and there will be hung cmds. Not ++ * handling cmds would trigger EH, also bad in this case. ++ * Instead, handle cmd, allow completion to happen and let ++ * upper layer to deal with the result. ++ */ ++ if (unlikely(system_state != SYSTEM_RUNNING)) { ++ sc->result = DID_NO_CONNECT << 16; ++ ISCSI_DBG_EH(session, "sc on shutdown, handled\n"); ++ rc = BLK_EH_HANDLED; ++ goto done; ++ } ++ /* + * We are probably in the middle of iscsi recovery so let + * that complete and handle the error. + */ +@@ -2083,7 +2105,7 @@ done: + task->last_timeout = jiffies; + spin_unlock(&session->frwd_lock); + ISCSI_DBG_EH(session, "return %s\n", rc == BLK_EH_RESET_TIMER ? +- "timer reset" : "nh"); ++ "timer reset" : "shutdown or nh"); + return rc; + } + diff --git a/queue-4.9/scsi-libsas-fix-error-when-getting-phy-events.patch b/queue-4.9/scsi-libsas-fix-error-when-getting-phy-events.patch new file mode 100644 index 00000000000..33206f83ad0 --- /dev/null +++ b/queue-4.9/scsi-libsas-fix-error-when-getting-phy-events.patch @@ -0,0 +1,51 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:32 +0800 +Subject: scsi: libsas: fix error when getting phy events + +From: Jason Yan + + +[ Upstream commit 2b23d9509fd7174b362482cf5f3b5f9a2265bc33 ] + +The intend purpose here was to goto out if smp_execute_task() returned +error. Obviously something got screwed up. We will never get these link +error statistics below: + +~:/sys/class/sas_phy/phy-1:0:12 # cat invalid_dword_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat running_disparity_error_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat loss_of_dword_sync_count +0 +~:/sys/class/sas_phy/phy-1:0:12 # cat phy_reset_problem_count +0 + +Obviously we should goto error handler if smp_execute_task() returns +non-zero. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Hannes Reinecke +Reviewed-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -675,7 +675,7 @@ int sas_smp_get_phy_events(struct sas_ph + res = smp_execute_task(dev, req, RPEL_REQ_SIZE, + resp, RPEL_RESP_SIZE); + +- if (!res) ++ if (res) + goto out; + + phy->invalid_dword_count = scsi_to_u32(&resp[12]); diff --git a/queue-4.9/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch b/queue-4.9/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch new file mode 100644 index 00000000000..07cddb4833c --- /dev/null +++ b/queue-4.9/scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jason Yan +Date: Thu, 4 Jan 2018 21:04:31 +0800 +Subject: scsi: libsas: fix memory leak in sas_smp_get_phy_events() + +From: Jason Yan + + +[ Upstream commit 4a491b1ab11ca0556d2fda1ff1301e862a2d44c4 ] + +We've got a memory leak with the following producer: + +while true; +do cat /sys/class/sas_phy/phy-1:0:12/invalid_dword_count >/dev/null; +done + +The buffer req is allocated and not freed after we return. Fix it. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Signed-off-by: Jason Yan +CC: John Garry +CC: chenqilin +CC: chenxiang +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -684,6 +684,7 @@ int sas_smp_get_phy_events(struct sas_ph + phy->phy_reset_problem_count = scsi_to_u32(&resp[24]); + + out: ++ kfree(req); + kfree(resp); + return res; + diff --git a/queue-4.9/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch b/queue-4.9/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch new file mode 100644 index 00000000000..ff818b2e6ba --- /dev/null +++ b/queue-4.9/scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch @@ -0,0 +1,44 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: chenxiang +Date: Thu, 4 Jan 2018 21:04:33 +0800 +Subject: scsi: libsas: initialize sas_phy status according to response of DISCOVER + +From: chenxiang + + +[ Upstream commit affc67788fe5dfffad5cda3d461db5cf2b2ff2b0 ] + +The status of SAS PHY is in sas_phy->enabled. There is an issue that the +status of a remote SAS PHY may be initialized incorrectly: if disable +remote SAS PHY through sysfs interface (such as echo 0 > +/sys/class/sas_phy/phy-1:0:0/enable), then reboot the system, and we +will find the status of remote SAS PHY which is disabled before is +1 (cat /sys/class/sas_phy/phy-1:0:0/enable). But actually the status of +remote SAS PHY is disabled and the device attached is not found. + +In SAS protocol, NEGOTIATED LOGICAL LINK RATE field of DISCOVER response +is 0x1 when remote SAS PHY is disabled. So initialize sas_phy->enabled +according to the value of NEGOTIATED LOGICAL LINK RATE field. + +Signed-off-by: chenxiang +Reviewed-by: John Garry +Signed-off-by: Jason Yan +Reviewed-by: Christoph Hellwig +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libsas/sas_expander.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -282,6 +282,7 @@ static void sas_set_ex_phy(struct domain + phy->phy->minimum_linkrate = dr->pmin_linkrate; + phy->phy->maximum_linkrate = dr->pmax_linkrate; + phy->phy->negotiated_linkrate = phy->linkrate; ++ phy->phy->enabled = (phy->linkrate != SAS_PHY_DISABLED); + + skip: + if (new_phy) diff --git a/queue-4.9/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch b/queue-4.9/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch new file mode 100644 index 00000000000..dcd2d32667a --- /dev/null +++ b/queue-4.9/scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch @@ -0,0 +1,99 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Chaitra P B +Date: Wed, 27 Dec 2017 23:09:11 -0800 +Subject: scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag. + +From: Chaitra P B + + +[ Upstream commit f49d4aed1315a7b766d855f1367142e682b0cc87 ] + +1. In IO path, setting of "ATA command pending" flag early before device + removal, invalid device handle etc., checks causes any new commands + to be always returned with SAM_STAT_BUSY and when the driver removes + the drive the SML issues SYNC Cache command and that command is + always returned with SAM_STAT_BUSY and thus making SYNC Cache command + to requeued. + +2. If the driver gets an ATA PT command for a SATA drive then the driver + set "ATA command pending" flag in device specific data structure not + to allow any further commands until the ATA PT command is completed. + However, after setting the flag if the driver decides to return the + command back to upper layers without actually issuing to the firmware + (i.e., returns from qcmd failure return paths) then the corresponding + flag is not cleared and this prevents the driver from sending any new + commands to the drive. + +This patch fixes above two issues by setting of "ATA command pending" +flag after checking for whether device deleted, invalid device handle, +device busy with task management. And by setting "ATA command pending" +flag to false in all of the qcmd failure return paths after setting the +flag. + +Signed-off-by: Chaitra P B +Signed-off-by: Suganath Prabu S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -4065,19 +4065,6 @@ scsih_qcmd(struct Scsi_Host *shost, stru + return 0; + } + +- /* +- * Bug work around for firmware SATL handling. The loop +- * is based on atomic operations and ensures consistency +- * since we're lockless at this point +- */ +- do { +- if (test_bit(0, &sas_device_priv_data->ata_command_pending)) { +- scmd->result = SAM_STAT_BUSY; +- scmd->scsi_done(scmd); +- return 0; +- } +- } while (_scsih_set_satl_pending(scmd, true)); +- + sas_target_priv_data = sas_device_priv_data->sas_target; + + /* invalid device handle */ +@@ -4103,6 +4090,19 @@ scsih_qcmd(struct Scsi_Host *shost, stru + sas_device_priv_data->block) + return SCSI_MLQUEUE_DEVICE_BUSY; + ++ /* ++ * Bug work around for firmware SATL handling. The loop ++ * is based on atomic operations and ensures consistency ++ * since we're lockless at this point ++ */ ++ do { ++ if (test_bit(0, &sas_device_priv_data->ata_command_pending)) { ++ scmd->result = SAM_STAT_BUSY; ++ scmd->scsi_done(scmd); ++ return 0; ++ } ++ } while (_scsih_set_satl_pending(scmd, true)); ++ + if (scmd->sc_data_direction == DMA_FROM_DEVICE) + mpi_control = MPI2_SCSIIO_CONTROL_READ; + else if (scmd->sc_data_direction == DMA_TO_DEVICE) +@@ -4124,6 +4124,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru + if (!smid) { + pr_err(MPT3SAS_FMT "%s: failed obtaining a smid\n", + ioc->name, __func__); ++ _scsih_set_satl_pending(scmd, false); + goto out; + } + mpi_request = mpt3sas_base_get_msg_frame(ioc, smid); +@@ -4154,6 +4155,7 @@ scsih_qcmd(struct Scsi_Host *shost, stru + if (mpi_request->DataLength) { + if (ioc->build_sg_scmd(ioc, scmd, smid)) { + mpt3sas_base_free_smid(ioc, smid); ++ _scsih_set_satl_pending(scmd, false); + goto out; + } + } else diff --git a/queue-4.9/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch b/queue-4.9/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch new file mode 100644 index 00000000000..b99a1b5dd04 --- /dev/null +++ b/queue-4.9/sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch @@ -0,0 +1,74 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Xin Long +Date: Sat, 10 Jun 2017 14:56:56 +0800 +Subject: sctp: fix recursive locking warning in sctp_do_peeloff + +From: Xin Long + + +[ Upstream commit 6dfe4b97e08ec3d1a593fdaca099f0ef0a3a19e6 ] + +Dmitry got the following recursive locking report while running syzkaller +fuzzer, the Call Trace: + __dump_stack lib/dump_stack.c:16 [inline] + dump_stack+0x2ee/0x3ef lib/dump_stack.c:52 + print_deadlock_bug kernel/locking/lockdep.c:1729 [inline] + check_deadlock kernel/locking/lockdep.c:1773 [inline] + validate_chain kernel/locking/lockdep.c:2251 [inline] + __lock_acquire+0xef2/0x3430 kernel/locking/lockdep.c:3340 + lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3755 + lock_sock_nested+0xcb/0x120 net/core/sock.c:2536 + lock_sock include/net/sock.h:1460 [inline] + sctp_close+0xcd/0x9d0 net/sctp/socket.c:1497 + inet_release+0xed/0x1c0 net/ipv4/af_inet.c:425 + inet6_release+0x50/0x70 net/ipv6/af_inet6.c:432 + sock_release+0x8d/0x1e0 net/socket.c:597 + __sock_create+0x38b/0x870 net/socket.c:1226 + sock_create+0x7f/0xa0 net/socket.c:1237 + sctp_do_peeloff+0x1a2/0x440 net/sctp/socket.c:4879 + sctp_getsockopt_peeloff net/sctp/socket.c:4914 [inline] + sctp_getsockopt+0x111a/0x67e0 net/sctp/socket.c:6628 + sock_common_getsockopt+0x95/0xd0 net/core/sock.c:2690 + SYSC_getsockopt net/socket.c:1817 [inline] + SyS_getsockopt+0x240/0x380 net/socket.c:1799 + entry_SYSCALL_64_fastpath+0x1f/0xc2 + +This warning is caused by the lock held by sctp_getsockopt() is on one +socket, while the other lock that sctp_close() is getting later is on +the newly created (which failed) socket during peeloff operation. + +This patch is to avoid this warning by use lock_sock with subclass +SINGLE_DEPTH_NESTING as Wang Cong and Marcelo's suggestion. + +Reported-by: Dmitry Vyukov +Suggested-by: Marcelo Ricardo Leitner +Suggested-by: Cong Wang +Signed-off-by: Xin Long +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1519,7 +1519,7 @@ static void sctp_close(struct sock *sk, + + pr_debug("%s: sk:%p, timeout:%ld\n", __func__, sk, timeout); + +- lock_sock(sk); ++ lock_sock_nested(sk, SINGLE_DEPTH_NESTING); + sk->sk_shutdown = SHUTDOWN_MASK; + sk->sk_state = SCTP_SS_CLOSING; + +@@ -1569,7 +1569,7 @@ static void sctp_close(struct sock *sk, + * held and that should be grabbed before socket lock. + */ + spin_lock_bh(&net->sctp.addr_wq_lock); +- bh_lock_sock(sk); ++ bh_lock_sock_nested(sk); + + /* Hold the sock, since sk_common_release() will put sock_put() + * and we have just a little more cleanup. diff --git a/queue-4.9/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch b/queue-4.9/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch new file mode 100644 index 00000000000..4a7fa23c833 --- /dev/null +++ b/queue-4.9/sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch @@ -0,0 +1,59 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Andy Shevchenko +Date: Thu, 11 Jan 2018 15:51:58 +0200 +Subject: sdhci: Advertise 2.0v supply on SDIO host controller + +From: Andy Shevchenko + + +[ Upstream commit 2a609abe71ca59e4bd7139e161eaca2144ae6f2e ] + +On Intel Edison the Broadcom Wi-Fi card, which is connected to SDIO, +requires 2.0v, while the host, according to Intel Merrifield TRM, +supports 1.8v supply only. + +The card announces itself as + + mmc2: new ultra high speed DDR50 SDIO card at address 0001 + +Introduce a custom OCR mask for SDIO host controller on Intel Merrifield +and add a special case to sdhci_set_power_noreg() to override 2.0v supply +by enforcing 1.8v power choice. + +Signed-off-by: Andy Shevchenko +Acked-by: Adrian Hunter +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 2 ++ + drivers/mmc/host/sdhci.c | 7 +++++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -492,6 +492,8 @@ static int intel_mrfld_mmc_probe_slot(st + slot->host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V; + break; + case INTEL_MRFLD_SDIO: ++ /* Advertise 2.0v for compatibility with the SDIO card's OCR */ ++ slot->host->ocr_mask = MMC_VDD_20_21 | MMC_VDD_165_195; + slot->host->mmc->caps |= MMC_CAP_NONREMOVABLE | + MMC_CAP_POWER_OFF_CARD; + break; +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1404,6 +1404,13 @@ void sdhci_set_power_noreg(struct sdhci_ + if (mode != MMC_POWER_OFF) { + switch (1 << vdd) { + case MMC_VDD_165_195: ++ /* ++ * Without a regulator, SDHCI does not support 2.0v ++ * so we only get here if the driver deliberately ++ * added the 2.0v range to ocr_avail. Map it to 1.8v ++ * for the purpose of turning on the power. ++ */ ++ case MMC_VDD_20_21: + pwr = SDHCI_POWER_180; + break; + case MMC_VDD_29_30: diff --git a/queue-4.9/selftests-kselftest_harness-fix-compile-warning.patch b/queue-4.9/selftests-kselftest_harness-fix-compile-warning.patch new file mode 100644 index 00000000000..2d83266a59d --- /dev/null +++ b/queue-4.9/selftests-kselftest_harness-fix-compile-warning.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Mickaël Salaün" +Date: Sun, 11 Jun 2017 14:32:58 +0200 +Subject: selftests: kselftest_harness: Fix compile warning + +From: "Mickaël Salaün" + + +[ Upstream commit 34a048cc06802556e5f96f325dc32cc2f6a11225 ] + +Do not confuse the compiler with a semicolon preceding a block. Replace +the semicolon with an empty block to avoid a warning: + + gcc -Wl,-no-as-needed -Wall -lpthread seccomp_bpf.c -o /.../linux/tools/testing/selftests/seccomp/seccomp_bpf + In file included from seccomp_bpf.c:40:0: + seccomp_bpf.c: In function ‘change_syscall’: + ../kselftest_harness.h:558:2: warning: this ‘for’ clause does not guard... [-Wmisleading-indentation] + for (; _metadata->trigger; _metadata->trigger = __bail(_assert)) + ^ + ../kselftest_harness.h:574:14: note: in expansion of macro ‘OPTIONAL_HANDLER’ + } while (0); OPTIONAL_HANDLER(_assert) + ^~~~~~~~~~~~~~~~ + ../kselftest_harness.h:440:2: note: in expansion of macro ‘__EXPECT’ + __EXPECT(expected, seen, ==, 0) + ^~~~~~~~ + seccomp_bpf.c:1313:2: note: in expansion of macro ‘EXPECT_EQ’ + EXPECT_EQ(0, ret); + ^~~~~~~~~ + seccomp_bpf.c:1317:2: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the ‘for’ + { + ^ + +Signed-off-by: Mickaël Salaün +Cc: Andy Lutomirski +Cc: Kees Cook +Cc: Shuah Khan +Cc: Will Drewry +Acked-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/seccomp/seccomp_bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/seccomp/seccomp_bpf.c ++++ b/tools/testing/selftests/seccomp/seccomp_bpf.c +@@ -1318,7 +1318,7 @@ void change_syscall(struct __test_metada + iov.iov_len = sizeof(regs); + ret = ptrace(PTRACE_GETREGSET, tracee, NT_PRSTATUS, &iov); + #endif +- EXPECT_EQ(0, ret); ++ EXPECT_EQ(0, ret) {} + + #if defined(__x86_64__) || defined(__i386__) || defined(__powerpc__) || \ + defined(__s390__) || defined(__hppa__) diff --git a/queue-4.9/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch b/queue-4.9/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch new file mode 100644 index 00000000000..293e0300de0 --- /dev/null +++ b/queue-4.9/selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Michael Ellerman +Date: Fri, 19 May 2017 11:29:04 +1000 +Subject: selftests/powerpc: Fix TM resched DSCR test with some compilers + +From: Michael Ellerman + + +[ Upstream commit fe06fe860250a4f01d0eaf70a2563b1997174a74 ] + +The tm-resched-dscr test has started failing sometimes, depending on +what compiler it's built with, eg: + + test: tm_resched_dscr + Check DSCR TM context switch: tm-resched-dscr: tm-resched-dscr.c:76: test_body: Assertion `rv' failed. + !! child died by signal 6 + +When it fails we see that the compiler doesn't initialise rv to 1 before +entering the inline asm block. Although that's counter intuitive, it +is allowed because we tell the compiler that the inline asm will write +to rv (using "=r"), meaning the original value is irrelevant. + +Marking it as a read/write parameter would presumably work, but it seems +simpler to fix it by setting the initial value of rv in the inline asm. + +Fixes: 96d016108640 ("powerpc: Correct DSCR during TM context switch") +Signed-off-by: Michael Ellerman +Acked-by: Michael Neuling +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c ++++ b/tools/testing/selftests/powerpc/tm/tm-resched-dscr.c +@@ -42,12 +42,12 @@ int test_body(void) + printf("Check DSCR TM context switch: "); + fflush(stdout); + for (;;) { +- rv = 1; + asm __volatile__ ( + /* set a known value into the DSCR */ + "ld 3, %[dscr1];" + "mtspr %[sprn_dscr], 3;" + ++ "li %[rv], 1;" + /* start and suspend a transaction */ + "tbegin.;" + "beq 1f;" diff --git a/queue-4.9/selinux-do-not-check-open-permission-on-sockets.patch b/queue-4.9/selinux-do-not-check-open-permission-on-sockets.patch new file mode 100644 index 00000000000..09da979a240 --- /dev/null +++ b/queue-4.9/selinux-do-not-check-open-permission-on-sockets.patch @@ -0,0 +1,63 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Stephen Smalley +Date: Fri, 12 May 2017 12:41:24 -0400 +Subject: selinux: do not check open permission on sockets + +From: Stephen Smalley + + +[ Upstream commit ccb544781d34afdb73a9a73ae53035d824d193bf ] + +open permission is currently only defined for files in the kernel +(COMMON_FILE_PERMS rather than COMMON_FILE_SOCK_PERMS). Construction of +an artificial test case that tries to open a socket via /proc/pid/fd will +generate a recvfrom avc denial because recvfrom and open happen to map to +the same permission bit in socket vs file classes. + +open of a socket via /proc/pid/fd is not supported by the kernel regardless +and will ultimately return ENXIO. But we hit the permission check first and +can thus produce these odd/misleading denials. Omit the open check when +operating on a socket. + +Signed-off-by: Stephen Smalley +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + security/selinux/hooks.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -2033,8 +2033,9 @@ static inline u32 file_to_av(struct file + static inline u32 open_file_to_av(struct file *file) + { + u32 av = file_to_av(file); ++ struct inode *inode = file_inode(file); + +- if (selinux_policycap_openperm) ++ if (selinux_policycap_openperm && inode->i_sb->s_magic != SOCKFS_MAGIC) + av |= FILE__OPEN; + + return av; +@@ -3031,6 +3032,7 @@ static int selinux_inode_permission(stru + static int selinux_inode_setattr(struct dentry *dentry, struct iattr *iattr) + { + const struct cred *cred = current_cred(); ++ struct inode *inode = d_backing_inode(dentry); + unsigned int ia_valid = iattr->ia_valid; + __u32 av = FILE__WRITE; + +@@ -3046,8 +3048,10 @@ static int selinux_inode_setattr(struct + ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_TIMES_SET)) + return dentry_has_perm(cred, dentry, FILE__SETATTR); + +- if (selinux_policycap_openperm && (ia_valid & ATTR_SIZE) +- && !(ia_valid & ATTR_FILE)) ++ if (selinux_policycap_openperm && ++ inode->i_sb->s_magic != SOCKFS_MAGIC && ++ (ia_valid & ATTR_SIZE) && ++ !(ia_valid & ATTR_FILE)) + av |= FILE__OPEN; + + return dentry_has_perm(cred, dentry, av); diff --git a/queue-4.9/serial-8250-omap-disable-dma-for-console-uart.patch b/queue-4.9/serial-8250-omap-disable-dma-for-console-uart.patch new file mode 100644 index 00000000000..8545833592e --- /dev/null +++ b/queue-4.9/serial-8250-omap-disable-dma-for-console-uart.patch @@ -0,0 +1,46 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Vignesh R +Date: Sat, 22 Apr 2017 18:37:19 +0530 +Subject: serial: 8250: omap: Disable DMA for console UART + +From: Vignesh R + + +[ Upstream commit 84b40e3b57eef1417479c00490dd4c9f6e5ffdbc ] + +Kernel always writes log messages to console via +serial8250_console_write()->serial8250_console_putchar() which directly +accesses UART_TX register _without_ using DMA. + +But, if other processes like systemd using same UART port, then these +writes are handled by a different code flow using 8250_omap driver where +there is provision to use DMA. + +It seems that it is possible that both DMA and CPU might simultaneously +put data to UART FIFO and lead to potential loss of data due to FIFO +overflow and weird data corruption. This happens when both kernel +console and userspace tries to write simultaneously to the same UART +port. Therefore, disable DMA on kernel console port to avoid potential +race between CPU and DMA. + +Signed-off-by: Vignesh R +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_omap.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -613,6 +613,10 @@ static int omap_8250_startup(struct uart + up->lsr_saved_flags = 0; + up->msr_saved_flags = 0; + ++ /* Disable DMA for console UART */ ++ if (uart_console(port)) ++ up->dma = NULL; ++ + if (up->dma) { + ret = serial8250_request_dma(up); + if (ret) { diff --git a/queue-4.9/serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch b/queue-4.9/serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch new file mode 100644 index 00000000000..fc7f1dc261e --- /dev/null +++ b/queue-4.9/serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Geert Uytterhoeven +Date: Tue, 25 Apr 2017 20:15:35 +0200 +Subject: serial: sh-sci: Fix race condition causing garbage during shutdown + +From: Geert Uytterhoeven + + +[ Upstream commit 1cf4a7efdc71cab84c42cfea7200608711ea954f ] + +If DMA is enabled and used, a burst of old data may be seen on the +serial console during "poweroff" or "reboot". uart_flush_buffer() +clears the circular buffer, but sci_port.tx_dma_len is not reset. +This leads to a circular buffer overflow, dumping (UART_XMIT_SIZE - +sci_port.tx_dma_len) bytes. + +To fix this, add a .flush_buffer() callback that resets +sci_port.tx_dma_len. + +Inspired by commit 31ca2c63fdc0aee7 ("tty/serial: atmel: fix race +condition (TX+DMA)"). + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -1545,7 +1545,16 @@ static void sci_free_dma(struct uart_por + if (s->chan_rx) + sci_rx_dma_release(s, false); + } +-#else ++ ++static void sci_flush_buffer(struct uart_port *port) ++{ ++ /* ++ * In uart_flush_buffer(), the xmit circular buffer has just been ++ * cleared, so we have to reset tx_dma_len accordingly. ++ */ ++ to_sci_port(port)->tx_dma_len = 0; ++} ++#else /* !CONFIG_SERIAL_SH_SCI_DMA */ + static inline void sci_request_dma(struct uart_port *port) + { + } +@@ -1553,7 +1562,9 @@ static inline void sci_request_dma(struc + static inline void sci_free_dma(struct uart_port *port) + { + } +-#endif ++ ++#define sci_flush_buffer NULL ++#endif /* !CONFIG_SERIAL_SH_SCI_DMA */ + + static irqreturn_t sci_rx_interrupt(int irq, void *ptr) + { +@@ -2551,6 +2562,7 @@ static const struct uart_ops sci_uart_op + .break_ctl = sci_break_ctl, + .startup = sci_startup, + .shutdown = sci_shutdown, ++ .flush_buffer = sci_flush_buffer, + .set_termios = sci_set_termios, + .pm = sci_pm, + .type = sci_type, diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..559fc3fa979 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,273 @@ +qed-fix-overriding-of-supported-autoneg-value.patch +cfg80211-make-rate_info_bw_20-the-default.patch +md-raid5-make-use-of-spin_lock_irq-over-local_irq_disable-spin_lock.patch +rtc-snvs-fix-an-incorrect-check-of-return-value.patch +x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch +x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch +ovl-persistent-inode-numbers-for-upper-hardlinks.patch +nfsv4.1-reclaim_complete-must-handle-nfs4err_conn_not_bound_to_session.patch +x86-boot-declare-error-as-noreturn.patch +ib-srpt-fix-abort-handling.patch +ib-srpt-avoid-that-aborting-a-command-triggers-a-kernel-warning.patch +af_key-fix-slab-out-of-bounds-in-pfkey_compile_policy.patch +mac80211-bail-out-from-prep_connection-if-a-reconfig-is-ongoing.patch +bna-avoid-reading-past-end-of-buffer.patch +qlge-avoid-reading-past-end-of-buffer.patch +ubi-fastmap-fix-slab-corruption.patch +ipmi_ssif-unlock-on-allocation-failure.patch +net-cdc_ncm-fix-tx-zero-padding.patch +net-ethernet-ti-cpsw-adjust-cpsw-fifos-depth-for-fullduplex-flow-control.patch +lockd-fix-lockd-shutdown-race.patch +drivers-misc-vmw_vmci-vmci_queue_pair.c-fix-a-couple-integer-overflow-tests.patch +pidns-disable-pid-allocation-if-pid_ns_prepare_proc-is-failed-in-alloc_pid.patch +s390-move-_text-symbol-to-address-higher-than-zero.patch +net-mlx4_en-avoid-adding-steering-rules-with-invalid-ring.patch +qed-correct-doorbell-configuration-for-4kb-pages.patch +nfsv4.1-work-around-a-linux-server-bug.patch +cifs-silence-lockdep-splat-in-cifs_relock_file.patch +perf-callchain-force-user_ds-when-invoking-perf_callchain_user.patch +blk-mq-nvme-512b-4k-t10-dif-dix-format-returns-i-o-error-on-dd-with-split-op.patch +net-qca_spi-fix-alignment-issues-in-rx-path.patch +netxen_nic-set-rcode-to-the-return-status-from-the-call-to-netxen_issue_cmd.patch +mdio-mux-correct-mdio_mux_init-error-path-issues.patch +input-elan_i2c-check-if-device-is-there-before-really-probing.patch +input-elantech-force-relative-mode-on-a-certain-module.patch +kvm-ppc-book3s-pr-check-copy_to-from_user-return-values.patch +irqchip-mbigen-fix-the-clear-register-offset-calculation.patch +vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch +mm-vmstat-remove-spurious-warn-during-zoneinfo-print.patch +smb2-fix-share-type-handling.patch +bus-brcmstb_gisb-use-register-offsets-with-writes-too.patch +bus-brcmstb_gisb-correct-support-for-64-bit-address-output.patch +powercap-fix-an-error-code-in-powercap_register_zone.patch +iio-pressure-zpa2326-report-interrupted-case-as-failure.patch +arm-dts-imx53-qsrb-pulldown-pmic-irq-pin.patch +staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch +clk-renesas-rcar-gen2-fix-pll0-on-r-car-v2h-and-e2.patch +x86-tsc-provide-tsc-unstable-boot-parameter.patch +powerpc-modules-if-mprofile-kernel-is-enabled-add-it-to-vermagic.patch +arm-dts-imx6qdl-wandboard-fix-audio-channel-swap.patch +i2c-mux-reg-put-away-the-parent-i2c-adapter-on-probe-failure.patch +arm64-perf-ignore-exclude_hv-when-kernel-is-running-in-hyp.patch +mdio-mux-fix-device_node_continue.cocci-warnings.patch +ipv6-avoid-dad-failures-for-addresses-with-nodad.patch +async_tx-fix-dma_prep_fence-usage-in-do_async_gen_syndrome.patch +kvm-arm-restore-banked-registers-and-physical-timer-access-on-hyp_panic.patch +kvm-arm64-restore-host-physical-timer-access-on-hyp_panic.patch +usb-dwc3-keystone-check-return-value.patch +btrfs-fix-incorrect-error-return-ret-being-passed-to-mapping_set_error.patch +ata-libahci-properly-propagate-return-value-of-platform_get_irq.patch +ipmr-vrf-find-vifs-using-the-actual-device.patch +uio-fix-incorrect-memory-leak-cleanup.patch +neighbour-update-neigh-timestamps-iff-update-is-effective.patch +arp-honour-gratuitous-arp-_replies_.patch +arm-dts-rockchip-fix-rk322x-i2s1-pinctrl-error.patch +usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch +pxa_camera-fix-module-remove-codepath-for-v4l2-clock.patch +usb-ene_usb6250-fix-first-command-execution.patch +net-x25-fix-one-potential-use-after-free-issue.patch +usb-ene_usb6250-fix-scsi-residue-overwriting.patch +serial-8250-omap-disable-dma-for-console-uart.patch +serial-sh-sci-fix-race-condition-causing-garbage-during-shutdown.patch +net-wan-fsl_ucc_hdlc-fix-unitialized-variable-warnings.patch +net-wan-fsl_ucc_hdlc-fix-incorrect-memory-allocation.patch +fsl-qe-add-bit-description-for-synl-register-for-gumr.patch +sh_eth-use-platform-device-for-printing-before-register_netdev.patch +mlxsw-spectrum-avoid-possible-null-pointer-dereference.patch +scsi-csiostor-fix-use-after-free-in-csio_hw_use_fwconfig.patch +powerpc-mm-fix-virt_addr_valid-etc.-on-64-bit-hash.patch +ath5k-fix-memory-leak-on-buf-on-failed-eeprom-read.patch +selftests-powerpc-fix-tm-resched-dscr-test-with-some-compilers.patch +xfrm-fix-state-migration-copy-replay-sequence-numbers.patch +asoc-simple-card-fix-mic-jack-initialization.patch +iio-hi8435-avoid-garbage-event-at-first-enable.patch +iio-hi8435-cleanup-reset-gpio.patch +iio-light-rpr0521-poweroff-for-probe-fails.patch +ext4-handle-the-rest-of-ext4_mb_load_buddy-enomem-errors.patch +md-cluster-fix-potential-lock-issue-in-add_new_disk.patch +arm-davinci-da8xx-create-dsp-device-only-when-assigned-memory.patch +ray_cs-avoid-reading-past-end-of-buffer.patch +net-wan-fsl_ucc_hdlc-fix-muram-allocation-error.patch +leds-pca955x-correct-i2c-functionality.patch +perf-core-fix-error-handling-in-perf_event_alloc.patch +sched-numa-use-down_read_trylock-for-the-mmap_sem.patch +gpio-crystalcove-do-not-write-regular-gpio-registers-for-virtual-gpios.patch +net-mlx5-tolerate-irq_set_affinity_hint-failures.patch +selinux-do-not-check-open-permission-on-sockets.patch +block-fix-an-error-code-in-add_partition.patch +mlx5-fix-bug-reading-rss_hash_type-from-cqe.patch +net-ieee802154-fix-net_device-reference-release-too-early.patch +libceph-null-deref-on-crush_decode-error-path.patch +perf-report-fix-off-by-one-for-non-activation-frames.patch +netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch +pnfs-flexfiles-missing-error-code-in-ff_layout_alloc_lseg.patch +asoc-rsnd-ssi-pio-adjust-to-24bit-mode.patch +scsi-bnx2fc-fix-race-condition-in-bnx2fc_get_host_stats.patch +fix-race-in-drivers-char-random.c-get_reg.patch +ext4-fix-off-by-one-on-max-nr_pages-in-ext4_find_unwritten_pgoff.patch +arm64-pci-fix-struct-acpi_pci_root_ops-allocation-failure-path.patch +tcp-better-validation-of-received-ack-sequences.patch +net-move-somaxconn-init-from-sysctl-code.patch +input-elan_i2c-clear-int-before-resetting-controller.patch +bonding-don-t-update-slave-link-until-ready-to-commit.patch +cpuhotplug-link-lock-stacks-for-hotplug-callbacks.patch +pci-msi-fix-the-pci_alloc_irq_vectors_affinity-stub.patch +kvm-x86-fix-preempt-the-preemption-timer-cancel.patch +kvm-nvmx-fix-handling-of-lmsw-instruction.patch +net-llc-add-lock_sock-in-llc_ui_bind-to-avoid-a-race-condition.patch +drm-msm-take-the-mutex-before-calling-msm_gem_new_impl.patch +i40iw-fix-sequence-number-for-the-first-partial-fpdu.patch +i40iw-correct-q1-xf-object-count-equation.patch +arm-dts-ls1021a-add-fsl-ls1021a-esdhc-compatible-string-to-esdhc-node.patch +thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch +perf-probe-add-warning-message-if-there-is-unexpected-event-name.patch +l2tp-fix-missing-print-session-offset-info.patch +rds-reset-rs-rs_bound_addr-in-rds_add_bound-failure-path.patch +acpi-video-default-lcd_only-to-true-on-win8-ready-and-newer-machines.patch +net-mlx4_en-change-default-qos-settings.patch +vfs-close-race-between-getcwd-and-d_move.patch +pm-devfreq-fix-potential-null-pointer-dereference-in-governor_store.patch +hwmon-ina2xx-make-calibration-register-value-fixed.patch +media-videobuf2-core-don-t-go-out-of-the-buffer-range.patch +asoc-intel-skylake-disable-clock-gating-during-firmware-and-library-download.patch +asoc-intel-cht_bsw_rt5645-analog-mic-support.patch +scsi-libiscsi-allow-sd_shutdown-on-bad-transport.patch +scsi-mpt3sas-proper-handling-of-set-clear-of-ata-command-pending-flag.patch +irqchip-gic-v3-fix-the-driver-probe-fail-due-to-disabled-gicc-entry.patch +acpi-ec-fix-debugfs_create_-usage.patch +mac80211-fix-setting-tx-power-on-monitor-interfaces.patch +vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch +gpio-label-descriptors-using-the-device-name.patch +ib-rdmavt-allocate-cq-memory-on-the-correct-node.patch +blk-mq-fix-race-between-updating-nr_hw_queues-and-switching-io-sched.patch +backlight-tdo24m-fix-the-spi-cs-between-transfers.patch +pinctrl-baytrail-enable-glitch-filter-for-gpios-used-as-interrupts.patch +asoc-intel-sst-fix-the-return-value-of-sst_send_byte_stream_mrfld.patch +rt2x00-do-not-pause-queue-unconditionally-on-error-path.patch +wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch +hdlcdrv-fix-divide-by-zero-in-hdlcdrv_ioctl.patch +x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch +netfilter-conntrack-don-t-call-iter-for-non-confirmed-conntracks.patch +hid-i2c-call-acpi_device_fix_up_power-for-acpi-enumerated-devices.patch +ovl-filter-trusted-xattr-for-non-admin.patch +powerpc-don-t-clobber-tcr-when-setting-tcr.patch +dmaengine-imx-sdma-handle-return-value-of-clk_prepare_enable.patch +backlight-report-error-on-failure.patch +arm64-futex-fix-undefined-behaviour-with-futex_op_oparg_shift-usage.patch +net-mlx5-avoid-build-warning-for-uniprocessor.patch +cxgb4-fw-upgrade-fixes.patch +cxgb4-fix-netdev_features-flag.patch +rtc-m41t80-fix-sqw-dividers-override-when-setting-a-date.patch +i40evf-fix-merge-error-in-older-patch.patch +rtc-opal-handle-disabled-tpo-in-opal_get_tpo_time.patch +rtc-interface-validate-alarm-time-before-handling-rollover.patch +sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch +net-freescale-fix-potential-null-pointer-dereference.patch +clk-at91-fix-clk-generated-parenting.patch +drm-sun4i-ignore-the-generic-connectors-for-components.patch +dt-bindings-display-sun4i-add-allwinner-tcon-channel-property.patch +mtd-nand-gpmi-fix-gpmi_nand_init-error-path.patch +mtd-nand-check-ecc-total-sanity-in-nand_scan_tail.patch +kvm-svm-do-not-zero-out-segment-attributes-if-segment-is-unusable-or-not-present.patch +clk-scpi-fix-return-type-of-__scpi_dvfs_round_rate.patch +clk-fix-__set_clk_rates-error-print-string.patch +powerpc-spufs-fix-coredump-of-spu-contexts.patch +drm-amdkfd-null-dereference-involving-create_process.patch +ath10k-add-bmi-parameters-to-fix-calibration-from-dt-pre-cal.patch +perf-trace-add-mmap-alias-for-s390.patch +qlcnic-fix-a-sleep-in-atomic-bug-in-qlcnic_82xx_hw_write_wx_2m-and-qlcnic_82xx_hw_read_wx_2m.patch +arm64-kernel-restrict-dev-mem-read-calls-to-linear-region.patch +misdn-fix-a-sleep-in-atomic-bug.patch +net-phy-micrel-restore-led_mode-and-clk_sel-on-resume.patch +rdma-iw_cxgb4-avoid-touch-after-free-error-in-arp-failure-handlers.patch +rdma-hfi1-fix-array-termination-by-appending-null-to-attr-array.patch +drm-omap-fix-tiled-buffer-stride-calculations.patch +powerpc-8xx-fix-mpc8xx_get_irq-return-on-no-irq.patch +cxgb4-fix-incorrect-cim_la-output-for-t6.patch +fix-serial-console-on-sni-rm400-machines.patch +bio-integrity-do-not-allocate-integrity-context-for-bio-w-o-data.patch +ip6_tunnel-fix-traffic-class-routing-for-tunnels.patch +skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch +macsec-check-return-value-of-skb_to_sgvec-always.patch +sit-reload-iphdr-in-ipip6_rcv.patch +net-mlx4-fix-the-check-in-attaching-steering-rules.patch +net-mlx4-check-if-granular-qos-per-vf-has-been-enabled-before-updating-qp-qos_vport.patch +perf-header-set-proper-module-name-when-build-id-event-found.patch +perf-report-ensure-the-perf-dso-mapping-matches-what-libdw-sees.patch +iwlwifi-mvm-fix-firmware-debug-restart-recording.patch +watchdog-f71808e_wdt-add-f71868-support.patch +iwlwifi-mvm-fix-command-queue-number-on-d0i3-flow.patch +iwlwifi-tt-move-ucode_loaded-check-under-mutex.patch +iwlwifi-pcie-only-use-d0i3-in-suspend-resume-if-system_pm-is-set-to-d0i3.patch +iwlwifi-fix-min-api-version-for-7265d-3168-8000-and-8265.patch +tags-honor-compiled_source-with-apart-output-directory.patch +arm-dts-qcom-ipq4019-fix-i2c_0-node.patch +e1000e-fix-race-condition-around-skb_tstamp_tx.patch +igb-fix-race-condition-with-ptp_tx_in_progress-bits.patch +cxl-unlock-on-error-in-probe.patch +cx25840-fix-unchecked-return-values.patch +mceusb-sporadic-rx-truncation-corruption-fix.patch +net-phy-avoid-genphy_aneg_done-for-phys-without-clause-22-support.patch +arm-imx-add-mxc_cpu_imx6ull-and-cpu_is_imx6ull.patch +nvme-pci-fix-multiple-ctrl-removal-scheduling.patch +nvme-fix-hang-in-remove-path.patch +kvm-nvmx-update-vmcs12-guest_linear_address-on-nested-vm-exit.patch +e1000e-undo-e1000e_pm_freeze-if-__e1000_shutdown-fails.patch +perf-core-correct-event-creation-with-perf_format_group.patch +sched-deadline-use-the-revised-wakeup-rule-for-suspending-constrained-dl-tasks.patch +mips-mm-fixed-mappings-correct-initialisation.patch +mips-mm-adjust-pkmap-location.patch +mips-kprobes-flush_insn_slot-should-flush-only-if-probe-initialised.patch +arm-dts-armadillo800eva-split-lcd-mux-and-gpio.patch +fix-loop-device-flush-before-configure-v3.patch +net-emac-fix-reset-timeout-with-ar8035-phy.patch +perf-tools-decompress-kernel-module-when-reading-dso-data.patch +perf-tests-decompress-kernel-module-before-objdump.patch +skbuff-only-inherit-relevant-tx_flags.patch +xen-avoid-type-warning-in-xchg_xen_ulong.patch +x.509-fix-error-code-in-x509_cert_parse.patch +pinctrl-meson-gxbb-remove-non-existing-pin-gpiox_22.patch +coresight-fix-reference-count-for-software-sources.patch +coresight-tmc-configure-dma-mask-appropriately.patch +stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch +geneve-add-missing-rx-stats-accounting.patch +crypto-omap-sham-buffer-handling-fixes-for-hashing-later.patch +crypto-omap-sham-fix-closing-of-hash-with-separate-finalize-call.patch +bnx2x-allow-vfs-to-disable-txvlan-offload.patch +sctp-fix-recursive-locking-warning-in-sctp_do_peeloff.patch +net-fec-add-a-fec_enet_clear_ethtool_stats-stub-for-config_m5272.patch +sparc64-ldc-abort-during-vds-iso-boot.patch +iio-magnetometer-st_magn_spi-fix-spi_device_id-table.patch +net-ena-fix-rare-uncompleted-admin-command-false-alarm.patch +net-ena-fix-race-condition-between-submit-and-completion-admin-command.patch +net-ena-add-missing-return-when-ena_com_get_io_handlers-fails.patch +net-ena-add-missing-unmap-bars-on-device-removal.patch +net-ena-disable-admin-msix-while-working-in-polling-mode.patch +clk-meson-meson8b-add-compatibles-for-meson8-and-meson8m2.patch +bluetooth-send-hci-set-event-mask-page-2-command-only-when-needed.patch +cpuidle-dt-add-missing-of_node_put.patch +acpica-osl-add-support-to-exclude-stdarg.h.patch +acpica-events-add-runtime-stub-support-for-event-apis.patch +acpica-disassembler-abort-on-an-invalid-unknown-aml-opcode.patch +s390-dasd-fix-hanging-safe-offline.patch +vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch +hsr-fix-incorrect-warning.patch +selftests-kselftest_harness-fix-compile-warning.patch +drm-vc4-fix-resource-leak-in-vc4_get_hang_state_ioctl-in-error-handling-path.patch +bcache-stop-writeback-thread-after-detaching.patch +bcache-segregate-flash-only-volume-write-streams.patch +scsi-libsas-fix-memory-leak-in-sas_smp_get_phy_events.patch +scsi-libsas-fix-error-when-getting-phy-events.patch +scsi-libsas-initialize-sas_phy-status-according-to-response-of-discover.patch +blk-mq-fix-kernel-oops-in-blk_mq_tag_idle.patch +tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch +edac-mv64x60-fix-an-error-handling-path.patch +cxgb4vf-fix-sge-fl-buffer-initialization-logic-for-64k-pages.patch +sdhci-advertise-2.0v-supply-on-sdio-host-controller.patch +input-goodix-disable-irqs-while-suspended.patch +mtd-mtd_oobtest-handle-bitflips-during-reads.patch +perf-tools-fix-copyfile_offset-update-of-output-offset.patch +signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch +signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch +signal-arm-document-conflicts-with-si_user-and-sigfpe.patch +ipsec-check-return-value-of-skb_to_sgvec-always.patch diff --git a/queue-4.9/sh_eth-use-platform-device-for-printing-before-register_netdev.patch b/queue-4.9/sh_eth-use-platform-device-for-printing-before-register_netdev.patch new file mode 100644 index 00000000000..1e53c000871 --- /dev/null +++ b/queue-4.9/sh_eth-use-platform-device-for-printing-before-register_netdev.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Geert Uytterhoeven +Date: Thu, 18 May 2017 15:01:34 +0200 +Subject: sh_eth: Use platform device for printing before register_netdev() + +From: Geert Uytterhoeven + + +[ Upstream commit 5f5c5449acad0cd3322e53e1ac68c044483b0aa5 ] + +The MDIO initialization failure message is printed using the network +device, before it has been registered, leading to: + + (null): failed to initialise MDIO + +Use the platform device instead to fix this: + + sh-eth ee700000.ethernet: failed to initialise MDIO + +Fixes: daacf03f0bbfefee ("sh_eth: Register MDIO bus before registering the network device") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Laurent Pinchart +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/renesas/sh_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/renesas/sh_eth.c ++++ b/drivers/net/ethernet/renesas/sh_eth.c +@@ -3133,7 +3133,7 @@ static int sh_eth_drv_probe(struct platf + /* MDIO bus init */ + ret = sh_mdio_init(mdp, pd); + if (ret) { +- dev_err(&ndev->dev, "failed to initialise MDIO\n"); ++ dev_err(&pdev->dev, "failed to initialise MDIO\n"); + goto out_release; + } + diff --git a/queue-4.9/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch b/queue-4.9/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch new file mode 100644 index 00000000000..1320ef4c352 --- /dev/null +++ b/queue-4.9/signal-arm-document-conflicts-with-si_user-and-sigfpe.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Eric W. Biederman" +Date: Thu, 17 Aug 2017 17:07:46 -0500 +Subject: signal/arm: Document conflicts with SI_USER and SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit 7771c66457004977b616bab785209f49d164f527 ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME, siginfo_layout will now return SIL_FAULT and the +appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen + +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Ref: 451436b7bbb2 ("[ARM] Add support code for ARM hardware vector floating point") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/uapi/asm/siginfo.h | 13 +++++++++++++ + arch/arm/vfp/vfpmodule.c | 2 +- + 2 files changed, 14 insertions(+), 1 deletion(-) + create mode 100644 arch/arm/include/uapi/asm/siginfo.h + +--- /dev/null ++++ b/arch/arm/include/uapi/asm/siginfo.h +@@ -0,0 +1,13 @@ ++#ifndef __ASM_SIGINFO_H ++#define __ASM_SIGINFO_H ++ ++#include ++ ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++#endif +--- a/arch/arm/vfp/vfpmodule.c ++++ b/arch/arm/vfp/vfpmodule.c +@@ -257,7 +257,7 @@ static void vfp_raise_exceptions(u32 exc + + if (exceptions == VFP_EXCEPTION_ERROR) { + vfp_panic("unhandled bounce", inst); +- vfp_raise_sigfpe(0, regs); ++ vfp_raise_sigfpe(FPE_FIXME, regs); + return; + } + diff --git a/queue-4.9/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch b/queue-4.9/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch new file mode 100644 index 00000000000..855752b2c62 --- /dev/null +++ b/queue-4.9/signal-metag-document-a-conflict-with-si_user-with-sigfpe.patch @@ -0,0 +1,66 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Eric W. Biederman" +Date: Tue, 1 Aug 2017 10:37:40 -0500 +Subject: signal/metag: Document a conflict with SI_USER with SIGFPE + +From: "Eric W. Biederman" + + +[ Upstream commit b80328be53c215346b153769267b38f531d89b4f ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +hat uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME siginfo_layout will now return SIL_FAULT and the +appropriate fields will reliably be copied. + +Possible ABI fixes includee: + - Send the signal without siginfo + - Don't generate a signal + - Possibly assign and use an appropriate si_code + - Don't handle cases which can't happen + +Cc: James Hogan +Cc: linux-metag@vger.kernel.org +Ref: ac919f0883e5 ("metag: Traps") +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/metag/include/uapi/asm/siginfo.h | 7 +++++++ + arch/metag/kernel/traps.c | 2 +- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/arch/metag/include/uapi/asm/siginfo.h ++++ b/arch/metag/include/uapi/asm/siginfo.h +@@ -5,4 +5,11 @@ + + #include + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ + #endif +--- a/arch/metag/kernel/traps.c ++++ b/arch/metag/kernel/traps.c +@@ -732,7 +732,7 @@ TBIRES fpe_handler(TBIRES State, int Sig + else if (error_state & TXSTAT_FPE_INEXACT_BIT) + info.si_code = FPE_FLTRES; + else +- info.si_code = 0; ++ info.si_code = FPE_FIXME; + info.si_errno = 0; + info.si_addr = (__force void __user *)regs->ctx.CurrPC; + force_sig_info(SIGFPE, &info, current); diff --git a/queue-4.9/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch b/queue-4.9/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch new file mode 100644 index 00000000000..01ec03f251a --- /dev/null +++ b/queue-4.9/signal-powerpc-document-conflicts-with-si_user-and-sigfpe-and-sigtrap.patch @@ -0,0 +1,114 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Eric W. Biederman" +Date: Sat, 19 Aug 2017 15:26:01 -0500 +Subject: signal/powerpc: Document conflicts with SI_USER and SIGFPE and SIGTRAP + +From: "Eric W. Biederman" + + +[ Upstream commit cf4674c46c66e45f238f8f7e81af2a444b970c0a ] + +Setting si_code to 0 results in a userspace seeing an si_code of 0. +This is the same si_code as SI_USER. Posix and common sense requires +that SI_USER not be a signal specific si_code. As such this use of 0 +for the si_code is a pretty horribly broken ABI. + +Further use of si_code == 0 guaranteed that copy_siginfo_to_user saw a +value of __SI_KILL and now sees a value of SIL_KILL with the result +that uid and pid fields are copied and which might copying the si_addr +field by accident but certainly not by design. Making this a very +flakey implementation. + +Utilizing FPE_FIXME and TRAP_FIXME, siginfo_layout() will now return +SIL_FAULT and the appropriate fields will be reliably copied. + +Possible ABI fixes includee: +- Send the signal without siginfo +- Don't generate a signal +- Possibly assign and use an appropriate si_code +- Don't handle cases which can't happen +Cc: Paul Mackerras +Cc: Kumar Gala +Cc: Michael Ellerman +Cc: Benjamin Herrenschmidt +Cc: linuxppc-dev@lists.ozlabs.org +Ref: 9bad068c24d7 ("[PATCH] ppc32: support for e500 and 85xx") +Ref: 0ed70f6105ef ("PPC32: Provide proper siginfo information on various exceptions.") +History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git +Signed-off-by: "Eric W. Biederman" +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/uapi/asm/siginfo.h | 15 +++++++++++++++ + arch/powerpc/kernel/traps.c | 10 +++++----- + 2 files changed, 20 insertions(+), 5 deletions(-) + +--- a/arch/powerpc/include/uapi/asm/siginfo.h ++++ b/arch/powerpc/include/uapi/asm/siginfo.h +@@ -17,4 +17,19 @@ + #undef NSIGTRAP + #define NSIGTRAP 4 + ++/* ++ * SIGFPE si_codes ++ */ ++#ifdef __KERNEL__ ++#define FPE_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++/* ++ * SIGTRAP si_codes ++ */ ++#ifdef __KERNEL__ ++#define TRAP_FIXME 0 /* Broken dup of SI_USER */ ++#endif /* __KERNEL__ */ ++ ++ + #endif /* _ASM_POWERPC_SIGINFO_H */ +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -793,7 +793,7 @@ void unknown_exception(struct pt_regs *r + printk("Bad trap at PC: %lx, SR: %lx, vector=%lx\n", + regs->nip, regs->msr, regs->trap); + +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + + exception_exit(prev_state); + } +@@ -815,7 +815,7 @@ bail: + + void RunModeException(struct pt_regs *regs) + { +- _exception(SIGTRAP, regs, 0, 0); ++ _exception(SIGTRAP, regs, TRAP_FIXME, 0); + } + + void single_step_exception(struct pt_regs *regs) +@@ -851,7 +851,7 @@ static void emulate_single_step(struct p + + static inline int __parse_fpscr(unsigned long fpscr) + { +- int ret = 0; ++ int ret = FPE_FIXME; + + /* Invalid operation */ + if ((fpscr & FPSCR_VE) && (fpscr & FPSCR_VX)) +@@ -1855,7 +1855,7 @@ void SPEFloatingPointException(struct pt + extern int do_spe_mathemu(struct pt_regs *regs); + unsigned long spefscr; + int fpexc_mode; +- int code = 0; ++ int code = FPE_FIXME; + int err; + + flush_spe_to_thread(current); +@@ -1924,7 +1924,7 @@ void SPEFloatingPointRoundException(stru + printk(KERN_ERR "unrecognized spe instruction " + "in %s at %lx\n", current->comm, regs->nip); + } else { +- _exception(SIGFPE, regs, 0, regs->nip); ++ _exception(SIGFPE, regs, FPE_FIXME, regs->nip); + return; + } + } diff --git a/queue-4.9/sit-reload-iphdr-in-ipip6_rcv.patch b/queue-4.9/sit-reload-iphdr-in-ipip6_rcv.patch new file mode 100644 index 00000000000..7c9e7eec788 --- /dev/null +++ b/queue-4.9/sit-reload-iphdr-in-ipip6_rcv.patch @@ -0,0 +1,32 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Haishuang Yan +Date: Sun, 4 Jun 2017 14:43:43 +0800 +Subject: sit: reload iphdr in ipip6_rcv + +From: Haishuang Yan + + +[ Upstream commit b699d0035836f6712917a41e7ae58d84359b8ff9 ] + +Since iptunnel_pull_header() can call pskb_may_pull(), +we must reload any pointer that was related to skb->head. + +Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") +Signed-off-by: Haishuang Yan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -657,6 +657,7 @@ static int ipip6_rcv(struct sk_buff *skb + if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6), + !net_eq(tunnel->net, dev_net(tunnel->dev)))) + goto out; ++ iph = ip_hdr(skb); + + err = IP_ECN_decapsulate(iph, skb); + if (unlikely(err)) { diff --git a/queue-4.9/skbuff-only-inherit-relevant-tx_flags.patch b/queue-4.9/skbuff-only-inherit-relevant-tx_flags.patch new file mode 100644 index 00000000000..b24ad5aef4c --- /dev/null +++ b/queue-4.9/skbuff-only-inherit-relevant-tx_flags.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Willem de Bruijn +Date: Thu, 8 Jun 2017 11:35:03 -0400 +Subject: skbuff: only inherit relevant tx_flags + +From: Willem de Bruijn + + +[ Upstream commit fff88030b3ff930ca7a3d74acfee0472f33887ea ] + +When inheriting tx_flags from one skbuff to another, always apply a +mask to avoid overwriting unrelated other bits in the field. + +The two SKBTX_SHARED_FRAG cases clears all other bits. In practice, +tx_flags are zero at this point now. But this is fragile. Timestamp +flags are set, for instance, if in tcp_gso_segment, after this clear +in skb_segment. + +The SKBTX_ANY_TSTAMP mask in __skb_tstamp_tx ensures that new +skbs do not accidentally inherit flags such as SKBTX_SHARED_FRAG. + +Signed-off-by: Willem de Bruijn +Acked-by: Soheil Hassas Yeganeh +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2615,7 +2615,8 @@ void skb_split(struct sk_buff *skb, stru + { + int pos = skb_headlen(skb); + +- skb_shinfo(skb1)->tx_flags = skb_shinfo(skb)->tx_flags & SKBTX_SHARED_FRAG; ++ skb_shinfo(skb1)->tx_flags |= skb_shinfo(skb)->tx_flags & ++ SKBTX_SHARED_FRAG; + if (len < pos) /* Split line is inside header. */ + skb_split_inside_header(skb, skb1, len, pos); + else /* Second chunk has no header, nothing to copy. */ +@@ -3228,8 +3229,8 @@ normal: + skb_copy_from_linear_data_offset(head_skb, offset, + skb_put(nskb, hsize), hsize); + +- skb_shinfo(nskb)->tx_flags = skb_shinfo(head_skb)->tx_flags & +- SKBTX_SHARED_FRAG; ++ skb_shinfo(nskb)->tx_flags |= skb_shinfo(head_skb)->tx_flags & ++ SKBTX_SHARED_FRAG; + + while (pos < offset + len) { + if (i >= nfrags) { +@@ -3881,7 +3882,8 @@ void __skb_tstamp_tx(struct sk_buff *ori + return; + + if (tsonly) { +- skb_shinfo(skb)->tx_flags = skb_shinfo(orig_skb)->tx_flags; ++ skb_shinfo(skb)->tx_flags |= skb_shinfo(orig_skb)->tx_flags & ++ SKBTX_ANY_TSTAMP; + skb_shinfo(skb)->tskey = skb_shinfo(orig_skb)->tskey; + } + diff --git a/queue-4.9/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch b/queue-4.9/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch new file mode 100644 index 00000000000..fd2ea420858 --- /dev/null +++ b/queue-4.9/skbuff-return-emsgsize-in-skb_to_sgvec-to-prevent-overflow.patch @@ -0,0 +1,183 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Jason A. Donenfeld" +Date: Sun, 4 Jun 2017 04:16:22 +0200 +Subject: skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow + +From: "Jason A. Donenfeld" + + +[ Upstream commit 48a1df65334b74bd7531f932cca5928932abf769 ] + +This is a defense-in-depth measure in response to bugs like +4d6fa57b4dab ("macsec: avoid heap overflow in skb_to_sgvec"). There's +not only a potential overflow of sglist items, but also a stack overflow +potential, so we fix this by limiting the amount of recursion this function +is allowed to do. Not actually providing a bounded base case is a future +disaster that we can easily avoid here. + +As a small matter of house keeping, we take this opportunity to move the +documentation comment over the actual function the documentation is for. + +While this could be implemented by using an explicit stack of skbuffs, +when implementing this, the function complexity increased considerably, +and I don't think such complexity and bloat is actually worth it. So, +instead I built this and tested it on x86, x86_64, ARM, ARM64, and MIPS, +and measured the stack usage there. I also reverted the recent MIPS +changes that give it a separate IRQ stack, so that I could experience +some worst-case situations. I found that limiting it to 24 layers deep +yielded a good stack usage with room for safety, as well as being much +deeper than any driver actually ever creates. + +Signed-off-by: Jason A. Donenfeld +Cc: Steffen Klassert +Cc: Herbert Xu +Cc: "David S. Miller" +Cc: David Howells +Cc: Sabrina Dubroca +Cc: "Michael S. Tsirkin" +Cc: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/skbuff.h | 8 +++--- + net/core/skbuff.c | 65 +++++++++++++++++++++++++++++++------------------ + 2 files changed, 46 insertions(+), 27 deletions(-) + +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -984,10 +984,10 @@ struct sk_buff *skb_realloc_headroom(str + unsigned int headroom); + struct sk_buff *skb_copy_expand(const struct sk_buff *skb, int newheadroom, + int newtailroom, gfp_t priority); +-int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, +- int offset, int len); +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, +- int len); ++int __must_check skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); ++int __must_check skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, ++ int offset, int len); + int skb_cow_data(struct sk_buff *skb, int tailbits, struct sk_buff **trailer); + int skb_pad(struct sk_buff *skb, int pad); + #define dev_kfree_skb(a) consume_skb(a) +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -3475,24 +3475,18 @@ void __init skb_init(void) + NULL); + } + +-/** +- * skb_to_sgvec - Fill a scatter-gather list from a socket buffer +- * @skb: Socket buffer containing the buffers to be mapped +- * @sg: The scatter-gather list to map into +- * @offset: The offset into the buffer's contents to start mapping +- * @len: Length of buffer space to be mapped +- * +- * Fill the specified scatter-gather list with mappings/pointers into a +- * region of the buffer space attached to a socket buffer. +- */ + static int +-__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++__skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len, ++ unsigned int recursion_level) + { + int start = skb_headlen(skb); + int i, copy = start - offset; + struct sk_buff *frag_iter; + int elt = 0; + ++ if (unlikely(recursion_level >= 24)) ++ return -EMSGSIZE; ++ + if (copy > 0) { + if (copy > len) + copy = len; +@@ -3511,6 +3505,8 @@ __skb_to_sgvec(struct sk_buff *skb, stru + end = start + skb_frag_size(&skb_shinfo(skb)->frags[i]); + if ((copy = end - offset) > 0) { + skb_frag_t *frag = &skb_shinfo(skb)->frags[i]; ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; + + if (copy > len) + copy = len; +@@ -3525,16 +3521,22 @@ __skb_to_sgvec(struct sk_buff *skb, stru + } + + skb_walk_frags(skb, frag_iter) { +- int end; ++ int end, ret; + + WARN_ON(start > offset + len); + + end = start + frag_iter->len; + if ((copy = end - offset) > 0) { ++ if (unlikely(elt && sg_is_last(&sg[elt - 1]))) ++ return -EMSGSIZE; ++ + if (copy > len) + copy = len; +- elt += __skb_to_sgvec(frag_iter, sg+elt, offset - start, +- copy); ++ ret = __skb_to_sgvec(frag_iter, sg+elt, offset - start, ++ copy, recursion_level + 1); ++ if (unlikely(ret < 0)) ++ return ret; ++ elt += ret; + if ((len -= copy) == 0) + return elt; + offset += copy; +@@ -3545,6 +3547,31 @@ __skb_to_sgvec(struct sk_buff *skb, stru + return elt; + } + ++/** ++ * skb_to_sgvec - Fill a scatter-gather list from a socket buffer ++ * @skb: Socket buffer containing the buffers to be mapped ++ * @sg: The scatter-gather list to map into ++ * @offset: The offset into the buffer's contents to start mapping ++ * @len: Length of buffer space to be mapped ++ * ++ * Fill the specified scatter-gather list with mappings/pointers into a ++ * region of the buffer space attached to a socket buffer. Returns either ++ * the number of scatterlist items used, or -EMSGSIZE if the contents ++ * could not fit. ++ */ ++int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) ++{ ++ int nsg = __skb_to_sgvec(skb, sg, offset, len, 0); ++ ++ if (nsg <= 0) ++ return nsg; ++ ++ sg_mark_end(&sg[nsg - 1]); ++ ++ return nsg; ++} ++EXPORT_SYMBOL_GPL(skb_to_sgvec); ++ + /* As compared with skb_to_sgvec, skb_to_sgvec_nomark only map skb to given + * sglist without mark the sg which contain last skb data as the end. + * So the caller can mannipulate sg list as will when padding new data after +@@ -3567,19 +3594,11 @@ __skb_to_sgvec(struct sk_buff *skb, stru + int skb_to_sgvec_nomark(struct sk_buff *skb, struct scatterlist *sg, + int offset, int len) + { +- return __skb_to_sgvec(skb, sg, offset, len); ++ return __skb_to_sgvec(skb, sg, offset, len, 0); + } + EXPORT_SYMBOL_GPL(skb_to_sgvec_nomark); + +-int skb_to_sgvec(struct sk_buff *skb, struct scatterlist *sg, int offset, int len) +-{ +- int nsg = __skb_to_sgvec(skb, sg, offset, len); + +- sg_mark_end(&sg[nsg - 1]); +- +- return nsg; +-} +-EXPORT_SYMBOL_GPL(skb_to_sgvec); + + /** + * skb_cow_data - Check that a socket buffer's data buffers are writable diff --git a/queue-4.9/smb2-fix-share-type-handling.patch b/queue-4.9/smb2-fix-share-type-handling.patch new file mode 100644 index 00000000000..840af62b3f0 --- /dev/null +++ b/queue-4.9/smb2-fix-share-type-handling.patch @@ -0,0 +1,57 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Christophe JAILLET +Date: Fri, 12 May 2017 17:59:32 +0200 +Subject: SMB2: Fix share type handling + +From: Christophe JAILLET + + +[ Upstream commit cd1230070ae1c12fd34cf6a557bfa81bf9311009 ] + +In fs/cifs/smb2pdu.h, we have: +#define SMB2_SHARE_TYPE_DISK 0x01 +#define SMB2_SHARE_TYPE_PIPE 0x02 +#define SMB2_SHARE_TYPE_PRINT 0x03 + +Knowing that, with the current code, the SMB2_SHARE_TYPE_PRINT case can +never trigger and printer share would be interpreted as disk share. + +So, test the ShareType value for equality instead. + +Fixes: faaf946a7d5b ("CIFS: Add tree connect/disconnect capability for SMB2") +Signed-off-by: Christophe JAILLET +Acked-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2pdu.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -1151,15 +1151,19 @@ SMB2_tcon(const unsigned int xid, struct + goto tcon_exit; + } + +- if (rsp->ShareType & SMB2_SHARE_TYPE_DISK) ++ switch (rsp->ShareType) { ++ case SMB2_SHARE_TYPE_DISK: + cifs_dbg(FYI, "connection to disk share\n"); +- else if (rsp->ShareType & SMB2_SHARE_TYPE_PIPE) { ++ break; ++ case SMB2_SHARE_TYPE_PIPE: + tcon->ipc = true; + cifs_dbg(FYI, "connection to pipe share\n"); +- } else if (rsp->ShareType & SMB2_SHARE_TYPE_PRINT) { +- tcon->print = true; ++ break; ++ case SMB2_SHARE_TYPE_PRINT: ++ tcon->ipc = true; + cifs_dbg(FYI, "connection to printer\n"); +- } else { ++ break; ++ default: + cifs_dbg(VFS, "unknown share type %d\n", rsp->ShareType); + rc = -EOPNOTSUPP; + goto tcon_error_exit; diff --git a/queue-4.9/sparc64-ldc-abort-during-vds-iso-boot.patch b/queue-4.9/sparc64-ldc-abort-during-vds-iso-boot.patch new file mode 100644 index 00000000000..448681e8787 --- /dev/null +++ b/queue-4.9/sparc64-ldc-abort-during-vds-iso-boot.patch @@ -0,0 +1,58 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jag Raman +Date: Fri, 9 Jun 2017 12:29:31 -0400 +Subject: sparc64: ldc abort during vds iso boot + +From: Jag Raman + + +[ Upstream commit 6c95483b768c62f8ee933ae08a1bdbcb78b5410f ] + +Orabug: 20902628 + +When an ldc control-only packet is received during data exchange in +read_nonraw(), a new rx head is calculated but the rx queue head is not +actually advanced (rx_set_head() is not called) and a branch is taken to +'no_data' at which point two things can happen depending on the value +of the newly calculated rx head and the current rx tail: + +- If the rx queue is determined to be not empty, then the wrong packet + is picked up. + +- If the rx queue is determined to be empty, then a read error (EAGAIN) + is eventually returned since it is falsely assumed that more data was + expected. + +The fix is to update the rx head and return in case of a control only +packet during data exchange. + +Signed-off-by: Jagannathan Raman +Reviewed-by: Aaron Young +Reviewed-by: Alexandre Chartre +Reviewed-by: Bijan Mottahedeh +Reviewed-by: Liam Merwick +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/ldc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/sparc/kernel/ldc.c ++++ b/arch/sparc/kernel/ldc.c +@@ -1733,9 +1733,14 @@ static int read_nonraw(struct ldc_channe + + lp->rcv_nxt = p->seqid; + ++ /* ++ * If this is a control-only packet, there is nothing ++ * else to do but advance the rx queue since the packet ++ * was already processed above. ++ */ + if (!(p->type & LDC_DATA)) { + new = rx_advance(lp, new); +- goto no_data; ++ break; + } + if (p->stype & (LDC_ACK | LDC_NACK)) { + err = data_ack_nack(lp, p); diff --git a/queue-4.9/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch b/queue-4.9/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch new file mode 100644 index 00000000000..977e9d6d08d --- /dev/null +++ b/queue-4.9/staging-wlan-ng-prism2mgmt.c-fixed-a-double-endian-conversion-before-calling-hfa384x_drvr_setconfig16-also-fixes-relative-sparse-warning.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Andrea della Porta +Date: Sat, 29 Apr 2017 07:30:23 +0100 +Subject: staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning + +From: Andrea della Porta + + +[ Upstream commit dea20579a69ab68cdca6adf79bb7c0c162eb9b72 ] + +staging: wlan-ng: prism2mgmt.c: This patches fixes a double endian conversion. +cpu_to_le16() was called twice first in prism2mgmt_scan and again inside +hfa384x_drvr_setconfig16() for the same variable, hence it was swapped +twice. Incidentally, it also fixed the following sparse warning: + +drivers/staging/wlan-ng/prism2mgmt.c:173:30: warning: incorrect type in assignment (different base types) +drivers/staging/wlan-ng/prism2mgmt.c:173:30: expected unsigned short [unsigned] [usertype] word +drivers/staging/wlan-ng/prism2mgmt.c:173:30: got restricted __le16 [usertype] + +Unfortunately, only compile tested. + +Signed-off-by: Andrea della Porta +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/wlan-ng/prism2mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -169,7 +169,7 @@ int prism2mgmt_scan(struct wlandevice *w + hw->ident_sta_fw.variant) > + HFA384x_FIRMWARE_VERSION(1, 5, 0)) { + if (msg->scantype.data != P80211ENUM_scantype_active) +- word = cpu_to_le16(msg->maxchanneltime.data); ++ word = msg->maxchanneltime.data; + else + word = 0; + diff --git a/queue-4.9/stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch b/queue-4.9/stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch new file mode 100644 index 00000000000..c0ded5d65a3 --- /dev/null +++ b/queue-4.9/stmmac-fix-ptp-header-for-gmac3-hw-timestamp.patch @@ -0,0 +1,75 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Mario Molitor +Date: Thu, 8 Jun 2017 22:41:02 +0200 +Subject: stmmac: fix ptp header for GMAC3 hw timestamp + +From: Mario Molitor + + +[ Upstream commit fd6720aefde06eacf17404eed2cad65c6ec103e1 ] + +According the CYCLON V documention only the bit 16 of snaptypesel should +set. +(more information see Table 17-20 (cv_5v4.pdf) : + Timestamp Snapshot Dependency on Register Bits) + +Fixes: d2042052a0aa ("stmmac: update the PTP header file") +Signed-off-by: Mario Molitor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 15 ++++++++++++--- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 3 ++- + 2 files changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +@@ -478,7 +478,10 @@ static int stmmac_hwtstamp_ioctl(struct + /* PTP v1, UDP, any kind of event packet */ + config.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; + /* take time stamp for all event messages */ +- snap_type_sel = PTP_TCR_SNAPTYPSEL_1; ++ if (priv->plat->has_gmac4) ++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1; ++ else ++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1; + + ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA; + ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA; +@@ -510,7 +513,10 @@ static int stmmac_hwtstamp_ioctl(struct + config.rx_filter = HWTSTAMP_FILTER_PTP_V2_L4_EVENT; + ptp_v2 = PTP_TCR_TSVER2ENA; + /* take time stamp for all event messages */ +- snap_type_sel = PTP_TCR_SNAPTYPSEL_1; ++ if (priv->plat->has_gmac4) ++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1; ++ else ++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1; + + ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA; + ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA; +@@ -544,7 +550,10 @@ static int stmmac_hwtstamp_ioctl(struct + config.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; + ptp_v2 = PTP_TCR_TSVER2ENA; + /* take time stamp for all event messages */ +- snap_type_sel = PTP_TCR_SNAPTYPSEL_1; ++ if (priv->plat->has_gmac4) ++ snap_type_sel = PTP_GMAC4_TCR_SNAPTYPSEL_1; ++ else ++ snap_type_sel = PTP_TCR_SNAPTYPSEL_1; + + ptp_over_ipv4_udp = PTP_TCR_TSIPV4ENA; + ptp_over_ipv6_udp = PTP_TCR_TSIPV6ENA; +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h +@@ -63,7 +63,8 @@ + /* Enable Snapshot for Messages Relevant to Master */ + #define PTP_TCR_TSMSTRENA BIT(15) + /* Select PTP packets for Taking Snapshots */ +-#define PTP_TCR_SNAPTYPSEL_1 GENMASK(17, 16) ++#define PTP_TCR_SNAPTYPSEL_1 BIT(16) ++#define PTP_GMAC4_TCR_SNAPTYPSEL_1 GENMASK(17, 16) + /* Enable MAC address for PTP Frame Filtering */ + #define PTP_TCR_TSENMACADDR BIT(18) + diff --git a/queue-4.9/sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch b/queue-4.9/sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch new file mode 100644 index 00000000000..3f85d3c047b --- /dev/null +++ b/queue-4.9/sunrpc-ensure-correct-error-is-reported-by-xs_tcp_setup_socket.patch @@ -0,0 +1,55 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: NeilBrown +Date: Thu, 25 May 2017 17:00:32 +1000 +Subject: SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() + +From: NeilBrown + + +[ Upstream commit 6ea44adce91526700535b3150f77f8639ae8c82d ] + +If you attempt a TCP mount from an host that is unreachable in a way +that triggers an immediate error from kernel_connect(), that error +does not propagate up, instead EAGAIN is reported. + +This results in call_connect_status receiving the wrong error. + +A case that it easy to demonstrate is to attempt to mount from an +address that results in ENETUNREACH, but first deleting any default +route. +Without this patch, the mount.nfs process is persistently runnable +and is hard to kill. With this patch it exits as it should. + +The problem is caused by the fact that xs_tcp_force_close() eventually +calls + xprt_wake_pending_tasks(xprt, -EAGAIN); +which causes an error return of -EAGAIN. so when xs_tcp_setup_sock() +calls + xprt_wake_pending_tasks(xprt, status); +the status is ignored. + +Fixes: 4efdd92c9211 ("SUNRPC: Remove TCP client connection reset hack") +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprtsock.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2384,7 +2384,12 @@ static void xs_tcp_setup_socket(struct w + case -EHOSTUNREACH: + case -EADDRINUSE: + case -ENOBUFS: +- /* retry with existing socket, after a delay */ ++ /* ++ * xs_tcp_force_close() wakes tasks with -EIO. ++ * We need to wake them first to ensure the ++ * correct error code. ++ */ ++ xprt_wake_pending_tasks(xprt, status); + xs_tcp_force_close(xprt); + goto out; + } diff --git a/queue-4.9/tags-honor-compiled_source-with-apart-output-directory.patch b/queue-4.9/tags-honor-compiled_source-with-apart-output-directory.patch new file mode 100644 index 00000000000..73d21127a1c --- /dev/null +++ b/queue-4.9/tags-honor-compiled_source-with-apart-output-directory.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Robert Jarzmik +Date: Mon, 5 Jun 2017 13:59:15 +0200 +Subject: tags: honor COMPILED_SOURCE with apart output directory + +From: Robert Jarzmik + + +[ Upstream commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7 ] + +When the kernel is compiled with an "O=" argument, the object files are +not in the source tree, but in the build tree. + +This patch fixes O= build by looking for object files in the build tree. + +Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source") +Signed-off-by: Robert Jarzmik +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + scripts/tags.sh | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/tags.sh ++++ b/scripts/tags.sh +@@ -106,6 +106,7 @@ all_compiled_sources() + case "$i" in + *.[cS]) + j=${i/\.[cS]/\.o} ++ j="${j#$tree}" + if [ -e $j ]; then + echo $i + fi diff --git a/queue-4.9/tcp-better-validation-of-received-ack-sequences.patch b/queue-4.9/tcp-better-validation-of-received-ack-sequences.patch new file mode 100644 index 00000000000..1502a1603d3 --- /dev/null +++ b/queue-4.9/tcp-better-validation-of-received-ack-sequences.patch @@ -0,0 +1,140 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Eric Dumazet +Date: Tue, 23 May 2017 15:24:46 -0700 +Subject: tcp: better validation of received ack sequences + +From: Eric Dumazet + + +[ Upstream commit d0e1a1b5a833b625c93d3d49847609350ebd79db ] + +Paul Fiterau Brostean reported : + + +Linux TCP stack we analyze exhibits behavior that seems odd to me. +The scenario is as follows (all packets have empty payloads, no window +scaling, rcv/snd window size should not be a factor): + + TEST HARNESS (CLIENT) LINUX SERVER + + 1. - LISTEN (server listen, +then accepts) + + 2. - --> --> SYN-RECEIVED + + 3. - <-- <-- SYN-RECEIVED + + 4. - --> --> ESTABLISHED + + 5. - <-- <-- FIN WAIT-1 (server +opts to close the data connection calling "close" on the connection +socket) + + 6. - --> --> CLOSING (client sends +FIN,ACK with not yet sent acknowledgement number) + + 7. - <-- <-- CLOSING (ACK is 102 +instead of 101, why?) + +... (silence from CLIENT) + + 8. - <-- <-- CLOSING +(retransmission, again ACK is 102) + +Now, note that packet 6 while having the expected sequence number, +acknowledges something that wasn't sent by the server. So I would +expect +the packet to maybe prompt an ACK response from the server, and then be +ignored. Yet it is not ignored and actually leads to an increase of the +acknowledgement number in the server's retransmission of the FIN,ACK +packet. The explanation I found is that the FIN in packet 6 was +processed, despite the acknowledgement number being unacceptable. +Further experiments indeed show that the server processes this FIN, +transitioning to CLOSING, then on receiving an ACK for the FIN it had +send in packet 5, the server (or better said connection) transitions +from CLOSING to TIME_WAIT (as signaled by netstat). + + + +Indeed, tcp_rcv_state_process() calls tcp_ack() but +does not exploit the @acceptable status but for TCP_SYN_RECV +state. + +What we want here is to send a challenge ACK, if not in TCP_SYN_RECV +state. TCP_FIN_WAIT1 state is not the only state we should fix. + +Add a FLAG_NO_CHALLENGE_ACK so that tcp_rcv_state_process() +can choose to send a challenge ACK and discard the packet instead +of wrongly change socket state. + +With help from Neal Cardwell. + +Signed-off-by: Eric Dumazet +Reported-by: Paul Fiterau Brostean +Cc: Neal Cardwell +Cc: Yuchung Cheng +Cc: Soheil Hassas Yeganeh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 24 +++++++++++------------- + 1 file changed, 11 insertions(+), 13 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -115,6 +115,7 @@ int sysctl_tcp_invalid_ratelimit __read_ + #define FLAG_DSACKING_ACK 0x800 /* SACK blocks contained D-SACK info */ + #define FLAG_SACK_RENEGING 0x2000 /* snd_una advanced to a sacked seq */ + #define FLAG_UPDATE_TS_RECENT 0x4000 /* tcp_replace_ts_recent() */ ++#define FLAG_NO_CHALLENGE_ACK 0x8000 /* do not call tcp_send_challenge_ack() */ + + #define FLAG_ACKED (FLAG_DATA_ACKED|FLAG_SYN_ACKED) + #define FLAG_NOT_DUP (FLAG_DATA|FLAG_WIN_UPDATE|FLAG_ACKED) +@@ -3618,7 +3619,8 @@ static int tcp_ack(struct sock *sk, cons + if (before(ack, prior_snd_una)) { + /* RFC 5961 5.2 [Blind Data Injection Attack].[Mitigation] */ + if (before(ack, prior_snd_una - tp->max_window)) { +- tcp_send_challenge_ack(sk, skb); ++ if (!(flag & FLAG_NO_CHALLENGE_ACK)) ++ tcp_send_challenge_ack(sk, skb); + return -1; + } + goto old_ack; +@@ -5969,13 +5971,17 @@ int tcp_rcv_state_process(struct sock *s + + /* step 5: check the ACK field */ + acceptable = tcp_ack(sk, skb, FLAG_SLOWPATH | +- FLAG_UPDATE_TS_RECENT) > 0; ++ FLAG_UPDATE_TS_RECENT | ++ FLAG_NO_CHALLENGE_ACK) > 0; + ++ if (!acceptable) { ++ if (sk->sk_state == TCP_SYN_RECV) ++ return 1; /* send one RST */ ++ tcp_send_challenge_ack(sk, skb); ++ goto discard; ++ } + switch (sk->sk_state) { + case TCP_SYN_RECV: +- if (!acceptable) +- return 1; +- + if (!tp->srtt_us) + tcp_synack_rtt_meas(sk, req); + +@@ -6045,14 +6051,6 @@ int tcp_rcv_state_process(struct sock *s + * our SYNACK so stop the SYNACK timer. + */ + if (req) { +- /* Return RST if ack_seq is invalid. +- * Note that RFC793 only says to generate a +- * DUPACK for it but for TCP Fast Open it seems +- * better to treat this case like TCP_SYN_RECV +- * above. +- */ +- if (!acceptable) +- return 1; + /* We no longer need the request sock. */ + reqsk_fastopen_remove(sk, req, false); + tcp_rearm_rto(sk); diff --git a/queue-4.9/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch b/queue-4.9/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch new file mode 100644 index 00000000000..80121d5b62f --- /dev/null +++ b/queue-4.9/thermal-power_allocator-fix-one-race-condition-issue-for-thermal_instances-list.patch @@ -0,0 +1,69 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Yi Zeng +Date: Tue, 26 Dec 2017 19:22:26 +0800 +Subject: thermal: power_allocator: fix one race condition issue for thermal_instances list + +From: Yi Zeng + + +[ Upstream commit a5de11d67dcd268b8d0beb73dc374de5e97f0caf ] + +When invoking allow_maximum_power and traverse tz->thermal_instances, +we should grab thermal_zone_device->lock to avoid race condition. For +example, during the system reboot, if the mali GPU device implements +device shutdown callback and unregister GPU devfreq cooling device, +the deleted list head may be accessed to cause panic, as the following +log shows: + +[ 33.551070] c3 25 (kworker/3:0) Unable to handle kernel paging request at virtual address dead000000000070 +[ 33.566708] c3 25 (kworker/3:0) pgd = ffffffc0ed290000 +[ 33.572071] c3 25 (kworker/3:0) [dead000000000070] *pgd=00000001ed292003, *pud=00000001ed292003, *pmd=0000000000000000 +[ 33.581515] c3 25 (kworker/3:0) Internal error: Oops: 96000004 [#1] PREEMPT SMP +[ 33.599761] c3 25 (kworker/3:0) CPU: 3 PID: 25 Comm: kworker/3:0 Not tainted 4.4.35+ #912 +[ 33.614137] c3 25 (kworker/3:0) Workqueue: events_freezable thermal_zone_device_check +[ 33.620245] c3 25 (kworker/3:0) task: ffffffc0f32e4200 ti: ffffffc0f32f0000 task.ti: ffffffc0f32f0000 +[ 33.629466] c3 25 (kworker/3:0) PC is at power_allocator_throttle+0x7c8/0x8a4 +[ 33.636609] c3 25 (kworker/3:0) LR is at power_allocator_throttle+0x808/0x8a4 +[ 33.643742] c3 25 (kworker/3:0) pc : [] lr : [] pstate: 20000145 +[ 33.652874] c3 25 (kworker/3:0) sp : ffffffc0f32f3bb0 +[ 34.468519] c3 25 (kworker/3:0) Process kworker/3:0 (pid: 25, stack limit = 0xffffffc0f32f0020) +[ 34.477220] c3 25 (kworker/3:0) Stack: (0xffffffc0f32f3bb0 to 0xffffffc0f32f4000) +[ 34.819822] c3 25 (kworker/3:0) Call trace: +[ 34.824021] c3 25 (kworker/3:0) Exception stack(0xffffffc0f32f39c0 to 0xffffffc0f32f3af0) +[ 34.924993] c3 25 (kworker/3:0) [] power_allocator_throttle+0x7c8/0x8a4 +[ 34.933184] c3 25 (kworker/3:0) [] handle_thermal_trip.part.25+0x70/0x224 +[ 34.941545] c3 25 (kworker/3:0) [] thermal_zone_device_update+0xc0/0x20c +[ 34.949818] c3 25 (kworker/3:0) [] thermal_zone_device_check+0x20/0x2c +[ 34.957924] c3 25 (kworker/3:0) [] process_one_work+0x168/0x458 +[ 34.965414] c3 25 (kworker/3:0) [] worker_thread+0x13c/0x4b4 +[ 34.972650] c3 25 (kworker/3:0) [] kthread+0xe8/0xfc +[ 34.979187] c3 25 (kworker/3:0) [] ret_from_fork+0x10/0x40 +[ 34.986244] c3 25 (kworker/3:0) Code: f9405e73 eb1302bf d102e273 54ffc460 (b9402a61) +[ 34.994339] c3 25 (kworker/3:0) ---[ end trace 32057901e3b7e1db ]--- + +Signed-off-by: Yi Zeng +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/power_allocator.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/thermal/power_allocator.c ++++ b/drivers/thermal/power_allocator.c +@@ -523,6 +523,7 @@ static void allow_maximum_power(struct t + struct thermal_instance *instance; + struct power_allocator_params *params = tz->governor_data; + ++ mutex_lock(&tz->lock); + list_for_each_entry(instance, &tz->thermal_instances, tz_node) { + if ((instance->trip != params->trip_max_desired_temperature) || + (!cdev_is_power_actor(instance->cdev))) +@@ -534,6 +535,7 @@ static void allow_maximum_power(struct t + mutex_unlock(&instance->cdev->lock); + thermal_cdev_update(instance->cdev); + } ++ mutex_unlock(&tz->lock); + } + + /** diff --git a/queue-4.9/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch b/queue-4.9/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch new file mode 100644 index 00000000000..e8a3fa7cd10 --- /dev/null +++ b/queue-4.9/tty-n_gsm-allow-adm-response-in-addition-to-ua-for-control-dlci.patch @@ -0,0 +1,119 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Tony Lindgren +Date: Wed, 3 Jan 2018 10:18:03 -0800 +Subject: tty: n_gsm: Allow ADM response in addition to UA for control dlci + +From: Tony Lindgren + + +[ Upstream commit ea3d8465ab9b3e01be329ac5195970a84bef76c5 ] + +Some devices have the control dlci stay in ADM mode instead of the UA +mode. This can seen at least on droid 4 when trying to open the ts +27.010 mux port. Enabling n_gsm debug mode shows the control dlci +always respond with DM to SABM instead of UA: + +# modprobe n_gsm debug=0xff +# ldattach -d GSM0710 /dev/ttyS0 & +gsmld_output: 00000000: f9 03 3f 01 1c f9 +--> 0) C: SABM(P) +gsmld_receive: 00000000: f9 03 1f 01 36 f9 +<-- 0) C: DM(P) +... +$ minicom -D /dev/gsmtty1 +minicom: cannot open /dev/gsmtty1: No error information +$ strace minicom -D /dev/gsmtty1 +... +open("/dev/gsmtty1", O_RDWR|O_NOCTTY|O_NONBLOCK|O_LARGEFILE) = -1 EL2HLT + +Note that this is different issue from other n_gsm -EL2HLT issues such +as timeouts when the control dlci does not respond at all. + +The ADM mode seems to be a quite common according to "RF Wireless World" +article "GSM Issue-UE sends SABM and gets a DM response instead of +UA response": + + This issue is most commonly observed in GSM networks where in UE sends + SABM and expects network to send UA response but it ends up receiving + DM response from the network. SABM stands for Set asynchronous balanced + mode, UA stands for Unnumbered Acknowledge and DA stands for + Disconnected Mode. + + An RLP entity can be in one of two modes: + - Asynchronous Balanced Mode (ABM) + - Asynchronous Disconnected Mode (ADM) + +Currently Linux kernel closes the control dlci after several retries +in gsm_dlci_t1() on DM. This causes n_gsm /dev/gsmtty ports to produce +error code -EL2HLT when trying to open them as the closing of control +dlci has already set gsm->dead. + +Let's fix the issue by allowing control dlci stay in ADM mode after the +retries so the /dev/gsmtty ports can be opened and used. It seems that +it might take several attempts to get any response from the control +dlci, so it's best to allow ADM mode only after the SABM retries are +done. + +Note that for droid 4 additional patches are needed to mux the ttyS0 +pins and to toggle RTS gpio_149 to wake up the mdm6600 modem are also +needed to use n_gsm. And the mdm6600 modem needs to be powered on. + +Cc: linux-serial@vger.kernel.org +Cc: Alan Cox +Cc: Jiri Prchal +Cc: Jiri Slaby +Cc: Marcel Partap +Cc: Michael Scott +Cc: Peter Hurley +Cc: Russ Gorby +Cc: Sascha Hauer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_gsm.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -1467,6 +1467,10 @@ static void gsm_dlci_open(struct gsm_dlc + * in which case an opening port goes back to closed and a closing port + * is simply put into closed state (any further frames from the other + * end will get a DM response) ++ * ++ * Some control dlci can stay in ADM mode with other dlci working just ++ * fine. In that case we can just keep the control dlci open after the ++ * DLCI_OPENING retries time out. + */ + + static void gsm_dlci_t1(unsigned long data) +@@ -1480,8 +1484,15 @@ static void gsm_dlci_t1(unsigned long da + if (dlci->retries) { + gsm_command(dlci->gsm, dlci->addr, SABM|PF); + mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); +- } else ++ } else if (!dlci->addr && gsm->control == (DM | PF)) { ++ if (debug & 8) ++ pr_info("DLCI %d opening in ADM mode.\n", ++ dlci->addr); ++ gsm_dlci_open(dlci); ++ } else { + gsm_dlci_close(dlci); ++ } ++ + break; + case DLCI_CLOSING: + dlci->retries--; +@@ -1499,8 +1510,8 @@ static void gsm_dlci_t1(unsigned long da + * @dlci: DLCI to open + * + * Commence opening a DLCI from the Linux side. We issue SABM messages +- * to the modem which should then reply with a UA, at which point we +- * will move into open state. Opening is done asynchronously with retry ++ * to the modem which should then reply with a UA or ADM, at which point ++ * we will move into open state. Opening is done asynchronously with retry + * running off timers and the responses. + */ + diff --git a/queue-4.9/ubi-fastmap-fix-slab-corruption.patch b/queue-4.9/ubi-fastmap-fix-slab-corruption.patch new file mode 100644 index 00000000000..39125af7ab4 --- /dev/null +++ b/queue-4.9/ubi-fastmap-fix-slab-corruption.patch @@ -0,0 +1,185 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Rabin Vincent +Date: Mon, 3 Apr 2017 13:44:11 +0200 +Subject: ubi: fastmap: Fix slab corruption + +From: Rabin Vincent + + +[ Upstream commit 8a1435880f452430b41374d27ac4a33e7bd381ea ] + +Booting with UBI fastmap and SLUB debugging enabled results in the +following splats. The problem is that ubi_scan_fastmap() moves the +fastmap blocks from the scan_ai (allocated in scan_fast()) to the ai +allocated in ubi_attach(). This results in two problems: + + - When the scan_ai is freed, aebs which were allocated from its slab + cache are still in use. + + - When the other ai is being destroyed in destroy_ai(), the + arguments to kmem_cache_free() call are incorrect since aebs on its + ->fastmap list were allocated with a slab cache from a differnt ai. + +Fix this by making a copy of the aebs in ubi_scan_fastmap() instead of +moving them. + + ============================================================================= + BUG ubi_aeb_slab_cache (Not tainted): Objects remaining in ubi_aeb_slab_cache on __kmem_cache_shutdown() + ----------------------------------------------------------------------------- + + INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000080 + CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3 + [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c) + [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0) + [<804a3274>] (dump_stack) from [<8026c47c>] (slab_err+0x78/0x88) + [<8026c47c>] (slab_err) from [<802735bc>] (__kmem_cache_shutdown+0x180/0x3e0) + [<802735bc>] (__kmem_cache_shutdown) from [<8024e13c>] (shutdown_cache+0x1c/0x60) + [<8024e13c>] (shutdown_cache) from [<8024ed64>] (kmem_cache_destroy+0x19c/0x20c) + [<8024ed64>] (kmem_cache_destroy) from [<8057cc14>] (destroy_ai+0x1dc/0x1e8) + [<8057cc14>] (destroy_ai) from [<8057f04c>] (ubi_attach+0x3f4/0x450) + [<8057f04c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8) + [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8) + [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00) + [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64) + [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c) + INFO: Object 0xb33d7e88 @offset=3720 + INFO: Allocated in scan_peb+0x608/0x81c age=72 cpu=1 pid=118 + kmem_cache_alloc+0x3b0/0x43c + scan_peb+0x608/0x81c + ubi_attach+0x124/0x450 + ubi_attach_mtd_dev+0x60c/0xff8 + ctrl_cdev_ioctl+0x110/0x2b8 + do_vfs_ioctl+0xac/0xa00 + SyS_ioctl+0x3c/0x64 + ret_fast_syscall+0x0/0x1c + kmem_cache_destroy ubi_aeb_slab_cache: Slab cache still has objects + CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3 + [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c) + [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0) + [<804a3274>] (dump_stack) from [<8024ed80>] (kmem_cache_destroy+0x1b8/0x20c) + [<8024ed80>] (kmem_cache_destroy) from [<8057cc14>] (destroy_ai+0x1dc/0x1e8) + [<8057cc14>] (destroy_ai) from [<8057f04c>] (ubi_attach+0x3f4/0x450) + [<8057f04c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8) + [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8) + [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00) + [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64) + [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c) + cache_from_obj: Wrong slab cache. ubi_aeb_slab_cache but object is from ubi_aeb_slab_cache + ------------[ cut here ]------------ + WARNING: CPU: 1 PID: 118 at mm/slab.h:354 kmem_cache_free+0x39c/0x450 + Modules linked in: + CPU: 1 PID: 118 Comm: ubiattach Tainted: G B 4.9.15 #3 + [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c) + [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0) + [<804a3274>] (dump_stack) from [<80120e40>] (__warn+0xf4/0x10c) + [<80120e40>] (__warn) from [<80120f20>] (warn_slowpath_null+0x28/0x30) + [<80120f20>] (warn_slowpath_null) from [<80271fe0>] (kmem_cache_free+0x39c/0x450) + [<80271fe0>] (kmem_cache_free) from [<8057cb88>] (destroy_ai+0x150/0x1e8) + [<8057cb88>] (destroy_ai) from [<8057ef1c>] (ubi_attach+0x2c4/0x450) + [<8057ef1c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8) + [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8) + [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00) + [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64) + [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c) + ---[ end trace 2bd8396277fd0a0b ]--- + ============================================================================= + BUG ubi_aeb_slab_cache (Tainted: G B W ): page slab pointer corrupt. + ----------------------------------------------------------------------------- + + INFO: Allocated in scan_peb+0x608/0x81c age=104 cpu=1 pid=118 + kmem_cache_alloc+0x3b0/0x43c + scan_peb+0x608/0x81c + ubi_attach+0x124/0x450 + ubi_attach_mtd_dev+0x60c/0xff8 + ctrl_cdev_ioctl+0x110/0x2b8 + do_vfs_ioctl+0xac/0xa00 + SyS_ioctl+0x3c/0x64 + ret_fast_syscall+0x0/0x1c + INFO: Slab 0xbfd2da3c objects=17 used=1 fp=0xb33d7748 flags=0x40000081 + INFO: Object 0xb33d7e88 @offset=3720 fp=0xb33d7da0 + + Redzone b33d7e80: cc cc cc cc cc cc cc cc ........ + Object b33d7e88: 02 00 00 00 01 00 00 00 00 f0 ff 7f ff ff ff ff ................ + Object b33d7e98: 00 00 00 00 00 00 00 00 bd 16 00 00 00 00 00 00 ................ + Object b33d7ea8: 00 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 ................ + Redzone b33d7eb8: cc cc cc cc .... + Padding b33d7f60: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ + CPU: 1 PID: 118 Comm: ubiattach Tainted: G B W 4.9.15 #3 + [<80111910>] (unwind_backtrace) from [<8010d498>] (show_stack+0x18/0x1c) + [<8010d498>] (show_stack) from [<804a3274>] (dump_stack+0xb4/0xe0) + [<804a3274>] (dump_stack) from [<80271770>] (free_debug_processing+0x320/0x3c4) + [<80271770>] (free_debug_processing) from [<80271ad0>] (__slab_free+0x2bc/0x430) + [<80271ad0>] (__slab_free) from [<80272024>] (kmem_cache_free+0x3e0/0x450) + [<80272024>] (kmem_cache_free) from [<8057cb88>] (destroy_ai+0x150/0x1e8) + [<8057cb88>] (destroy_ai) from [<8057ef1c>] (ubi_attach+0x2c4/0x450) + [<8057ef1c>] (ubi_attach) from [<8056fe70>] (ubi_attach_mtd_dev+0x60c/0xff8) + [<8056fe70>] (ubi_attach_mtd_dev) from [<80571d78>] (ctrl_cdev_ioctl+0x110/0x2b8) + [<80571d78>] (ctrl_cdev_ioctl) from [<8029c77c>] (do_vfs_ioctl+0xac/0xa00) + [<8029c77c>] (do_vfs_ioctl) from [<8029d10c>] (SyS_ioctl+0x3c/0x64) + [<8029d10c>] (SyS_ioctl) from [<80108860>] (ret_fast_syscall+0x0/0x1c) + FIX ubi_aeb_slab_cache: Object at 0xb33d7e88 not freed + +Signed-off-by: Rabin Vincent +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/ubi/fastmap.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -828,6 +828,24 @@ static int find_fm_anchor(struct ubi_att + return ret; + } + ++static struct ubi_ainf_peb *clone_aeb(struct ubi_attach_info *ai, ++ struct ubi_ainf_peb *old) ++{ ++ struct ubi_ainf_peb *new; ++ ++ new = ubi_alloc_aeb(ai, old->pnum, old->ec); ++ if (!new) ++ return NULL; ++ ++ new->vol_id = old->vol_id; ++ new->sqnum = old->sqnum; ++ new->lnum = old->lnum; ++ new->scrub = old->scrub; ++ new->copy_flag = old->copy_flag; ++ ++ return new; ++} ++ + /** + * ubi_scan_fastmap - scan the fastmap. + * @ubi: UBI device object +@@ -847,7 +865,7 @@ int ubi_scan_fastmap(struct ubi_device * + struct ubi_vid_hdr *vh; + struct ubi_ec_hdr *ech; + struct ubi_fastmap_layout *fm; +- struct ubi_ainf_peb *tmp_aeb, *aeb; ++ struct ubi_ainf_peb *aeb; + int i, used_blocks, pnum, fm_anchor, ret = 0; + size_t fm_size; + __be32 crc, tmp_crc; +@@ -857,9 +875,16 @@ int ubi_scan_fastmap(struct ubi_device * + if (fm_anchor < 0) + return UBI_NO_FASTMAP; + +- /* Move all (possible) fastmap blocks into our new attach structure. */ +- list_for_each_entry_safe(aeb, tmp_aeb, &scan_ai->fastmap, u.list) +- list_move_tail(&aeb->u.list, &ai->fastmap); ++ /* Copy all (possible) fastmap blocks into our new attach structure. */ ++ list_for_each_entry(aeb, &scan_ai->fastmap, u.list) { ++ struct ubi_ainf_peb *new; ++ ++ new = clone_aeb(ai, aeb); ++ if (!new) ++ return -ENOMEM; ++ ++ list_add(&new->u.list, &ai->fastmap); ++ } + + down_write(&ubi->fm_protect); + memset(ubi->fm_buf, 0, ubi->fm_size); diff --git a/queue-4.9/uio-fix-incorrect-memory-leak-cleanup.patch b/queue-4.9/uio-fix-incorrect-memory-leak-cleanup.patch new file mode 100644 index 00000000000..07225a2b5ff --- /dev/null +++ b/queue-4.9/uio-fix-incorrect-memory-leak-cleanup.patch @@ -0,0 +1,64 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Suman Anna +Date: Tue, 9 May 2017 18:58:24 -0500 +Subject: uio: fix incorrect memory leak cleanup + +From: Suman Anna + + +[ Upstream commit 0d83539092ddb1ab79b4d65bccb866bf07ea2ccd ] + +Commit 75f0aef6220d ("uio: fix memory leak") has fixed up some +memory leaks during the failure paths of the addition of uio +attributes, but still is not correct entirely. A kobject_uevent() +failure still needs a kobject_put() and the kobject container +structure allocation failure before the kobject_init() doesn't +need a kobject_put(). Fix this properly. + +Fixes: 75f0aef6220d ("uio: fix memory leak") +Signed-off-by: Suman Anna +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uio/uio.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -279,7 +279,7 @@ static int uio_dev_add_attributes(struct + map = kzalloc(sizeof(*map), GFP_KERNEL); + if (!map) { + ret = -ENOMEM; +- goto err_map_kobj; ++ goto err_map; + } + kobject_init(&map->kobj, &map_attr_type); + map->mem = mem; +@@ -289,7 +289,7 @@ static int uio_dev_add_attributes(struct + goto err_map_kobj; + ret = kobject_uevent(&map->kobj, KOBJ_ADD); + if (ret) +- goto err_map; ++ goto err_map_kobj; + } + + for (pi = 0; pi < MAX_UIO_PORT_REGIONS; pi++) { +@@ -308,7 +308,7 @@ static int uio_dev_add_attributes(struct + portio = kzalloc(sizeof(*portio), GFP_KERNEL); + if (!portio) { + ret = -ENOMEM; +- goto err_portio_kobj; ++ goto err_portio; + } + kobject_init(&portio->kobj, &portio_attr_type); + portio->port = port; +@@ -319,7 +319,7 @@ static int uio_dev_add_attributes(struct + goto err_portio_kobj; + ret = kobject_uevent(&portio->kobj, KOBJ_ADD); + if (ret) +- goto err_portio; ++ goto err_portio_kobj; + } + + return 0; diff --git a/queue-4.9/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch b/queue-4.9/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch new file mode 100644 index 00000000000..53983394dfa --- /dev/null +++ b/queue-4.9/usb-chipidea-properly-handle-host-or-gadget-initialization-failure.patch @@ -0,0 +1,93 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Jisheng Zhang +Date: Wed, 26 Apr 2017 16:59:34 +0800 +Subject: usb: chipidea: properly handle host or gadget initialization failure + +From: Jisheng Zhang + + +[ Upstream commit c4a0bbbdb7f6e3c37fa6deb3ef28c5ed99da6175 ] + +If ci_hdrc_host_init() or ci_hdrc_gadget_init() returns error and the +error != -ENXIO, as Peter pointed out, "it stands for initialization +for host or gadget has failed", so we'd better return failure rather +continue. + +And before destroying the otg, i.e ci_hdrc_otg_destroy(ci), we should +also check ci->roles[CI_ROLE_GADGET]. + +Signed-off-by: Jisheng Zhang +Signed-off-by: Peter Chen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -839,7 +839,7 @@ static inline void ci_role_destroy(struc + { + ci_hdrc_gadget_destroy(ci); + ci_hdrc_host_destroy(ci); +- if (ci->is_otg) ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) + ci_hdrc_otg_destroy(ci); + } + +@@ -939,27 +939,35 @@ static int ci_hdrc_probe(struct platform + /* initialize role(s) before the interrupt is requested */ + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_HOST) { + ret = ci_hdrc_host_init(ci); +- if (ret) +- dev_info(dev, "doesn't support host\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support host\n"); ++ else ++ goto deinit_phy; ++ } + } + + if (dr_mode == USB_DR_MODE_OTG || dr_mode == USB_DR_MODE_PERIPHERAL) { + ret = ci_hdrc_gadget_init(ci); +- if (ret) +- dev_info(dev, "doesn't support gadget\n"); ++ if (ret) { ++ if (ret == -ENXIO) ++ dev_info(dev, "doesn't support gadget\n"); ++ else ++ goto deinit_host; ++ } + } + + if (!ci->roles[CI_ROLE_HOST] && !ci->roles[CI_ROLE_GADGET]) { + dev_err(dev, "no supported roles\n"); + ret = -ENODEV; +- goto deinit_phy; ++ goto deinit_gadget; + } + + if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) { + ret = ci_hdrc_otg_init(ci); + if (ret) { + dev_err(dev, "init otg fails, ret = %d\n", ret); +- goto stop; ++ goto deinit_gadget; + } + } + +@@ -1024,7 +1032,12 @@ static int ci_hdrc_probe(struct platform + + ci_extcon_unregister(ci); + stop: +- ci_role_destroy(ci); ++ if (ci->is_otg && ci->roles[CI_ROLE_GADGET]) ++ ci_hdrc_otg_destroy(ci); ++deinit_gadget: ++ ci_hdrc_gadget_destroy(ci); ++deinit_host: ++ ci_hdrc_host_destroy(ci); + deinit_phy: + ci_usb_phy_exit(ci); + diff --git a/queue-4.9/usb-dwc3-keystone-check-return-value.patch b/queue-4.9/usb-dwc3-keystone-check-return-value.patch new file mode 100644 index 00000000000..497790cf143 --- /dev/null +++ b/queue-4.9/usb-dwc3-keystone-check-return-value.patch @@ -0,0 +1,35 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 13:55:13 +0800 +Subject: usb: dwc3: keystone: check return value + +From: Pan Bian + + +[ Upstream commit 018047a1dba7636e1f7fdae2cc290a528991d648 ] + +Function devm_clk_get() returns an ERR_PTR when it fails. However, in +function kdwc3_probe(), its return value is not checked, which may +result in a bad memory access bug. This patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/dwc3-keystone.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-keystone.c ++++ b/drivers/usb/dwc3/dwc3-keystone.c +@@ -107,6 +107,10 @@ static int kdwc3_probe(struct platform_d + return PTR_ERR(kdwc->usbss); + + kdwc->clk = devm_clk_get(kdwc->dev, "usb"); ++ if (IS_ERR(kdwc->clk)) { ++ dev_err(kdwc->dev, "unable to get usb clock\n"); ++ return PTR_ERR(kdwc->clk); ++ } + + error = clk_prepare_enable(kdwc->clk); + if (error < 0) { diff --git a/queue-4.9/usb-ene_usb6250-fix-first-command-execution.patch b/queue-4.9/usb-ene_usb6250-fix-first-command-execution.patch new file mode 100644 index 00000000000..a8fd8c9ed73 --- /dev/null +++ b/queue-4.9/usb-ene_usb6250-fix-first-command-execution.patch @@ -0,0 +1,65 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Alan Stern +Date: Tue, 16 May 2017 11:47:42 -0400 +Subject: USB: ene_usb6250: fix first command execution + +From: Alan Stern + + +[ Upstream commit 4b309f1c4972c8f09e03ac64fc63510dbf5591a4 ] + +In the ene_usb6250 sub-driver for usb-storage, the ene_transport() +routine is supposed to initialize the driver before executing the +current command, if the initialization has not already been performed. +However, a bug in the routine causes it to skip the command after +doing the initialization. Also, the routine does not return an +appropriate error code if either the initialization or the command +fails. + +As a result of the first bug, the first command (a SCSI INQUIRY) is +not carried out. The results can be seen in the system log, in the +form of a warning message and empty or garbage INQUIRY data: + +Apr 18 22:40:08 notebook2 kernel: scsi host6: scsi scan: INQUIRY result too short (5), using 36 +Apr 18 22:40:08 notebook2 kernel: scsi 6:0:0:0: Direct-Access PQ: 0 ANSI: 0 + +This patch fixes both errors. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Andreas Hartmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/ene_ub6250.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -2295,21 +2295,22 @@ static int ms_scsi_irp(struct us_data *u + + static int ene_transport(struct scsi_cmnd *srb, struct us_data *us) + { +- int result = 0; ++ int result = USB_STOR_XFER_GOOD; + struct ene_ub6250_info *info = (struct ene_ub6250_info *)(us->extra); + + /*US_DEBUG(usb_stor_show_command(us, srb)); */ + scsi_set_resid(srb, 0); +- if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) { ++ if (unlikely(!(info->SD_Status.Ready || info->MS_Status.Ready))) + result = ene_init(us); +- } else { ++ if (result == USB_STOR_XFER_GOOD) { ++ result = USB_STOR_TRANSPORT_ERROR; + if (info->SD_Status.Ready) + result = sd_scsi_irp(us, srb); + + if (info->MS_Status.Ready) + result = ms_scsi_irp(us, srb); + } +- return 0; ++ return result; + } + + static struct scsi_host_template ene_ub6250_host_template; diff --git a/queue-4.9/usb-ene_usb6250-fix-scsi-residue-overwriting.patch b/queue-4.9/usb-ene_usb6250-fix-scsi-residue-overwriting.patch new file mode 100644 index 00000000000..145ec6607bf --- /dev/null +++ b/queue-4.9/usb-ene_usb6250-fix-scsi-residue-overwriting.patch @@ -0,0 +1,40 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Alan Stern +Date: Tue, 16 May 2017 11:47:52 -0400 +Subject: USB: ene_usb6250: fix SCSI residue overwriting + +From: Alan Stern + + +[ Upstream commit aa18c4b6e0e39bfb00af48734ec24bc189ac9909 ] + +In the ene_usb6250 sub-driver for usb-storage, the SCSI residue is not +reported correctly. The residue is initialized to 0, but this value +is overwritten whenever the driver sends firmware to the card reader +before performing the current command. As a result, a valid READ or +WRITE operation appears to have failed, causing the SCSI core to retry +the command multiple times and eventually fail. + +This patch fixes the problem by resetting the SCSI residue to 0 after +sending firmware to the device. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Andreas Hartmann +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/ene_ub6250.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/storage/ene_ub6250.c ++++ b/drivers/usb/storage/ene_ub6250.c +@@ -1942,6 +1942,8 @@ static int ene_load_bincode(struct us_da + bcb->CDB[0] = 0xEF; + + result = ene_send_scsi_cmd(us, FDIR_WRITE, buf, 0); ++ if (us->srb != NULL) ++ scsi_set_resid(us->srb, 0); + info->BIN_FLAG = flag; + kfree(buf); + diff --git a/queue-4.9/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch b/queue-4.9/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch new file mode 100644 index 00000000000..61796b59bde --- /dev/null +++ b/queue-4.9/vfb-fix-video-mode-and-line_length-being-set-when-loaded.patch @@ -0,0 +1,105 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Pieter \\\"PoroCYon\\\" Sluys" +Date: Thu, 4 Jan 2018 16:53:50 +0100 +Subject: vfb: fix video mode and line_length being set when loaded + +From: "Pieter \\\"PoroCYon\\\" Sluys" + + +[ Upstream commit 7b9faf5df0ac495a1a3d7cdb64921c179f9008ac ] + +Currently, when loading the vfb module, the newly created fbdev +has a line_length of 0, and its video mode would be PSEUDOCOLOR +regardless of color depth. (The former could be worked around by +calling the FBIOPUT_VSCREENINFO ioctl with having the FBACTIVIATE_FORCE +flag set.) This patch automatically sets the line_length correctly, +and the video mode is derived from the bit depth now as well. + +Thanks to Geert Uytterhoeven for confirming the bug and helping me with +the patch. + +Output of `fbset -i' before the patch: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : PSEUDOCOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 0 <-- note this + Accelerator : No + +After: +mode "1366x768-60" + # D: 72.432 MHz, H: 47.403 kHz, V: 60.004 Hz + geometry 1366 768 1366 768 32 + timings 13806 120 10 14 3 32 5 + rgba 8/0,8/8,8/16,8/24 +endmode + +Frame buffer device information: + Name : Virtual FB + Address : 0xffffaa1405d85000 + Size : 4196352 + Type : PACKED PIXELS + Visual : TRUECOLOR + XPanStep : 1 + YPanStep : 1 + YWrapStep : 1 + LineLength : 5464 + Accelerator : No + +Signed-off-by: "Pieter \"PoroCYon\" Sluys" +Reviewed-by: Geert Uytterhoeven +[b.zolnierkie: minor fixups] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/vfb.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/video/fbdev/vfb.c ++++ b/drivers/video/fbdev/vfb.c +@@ -239,8 +239,23 @@ static int vfb_check_var(struct fb_var_s + */ + static int vfb_set_par(struct fb_info *info) + { ++ switch (info->var.bits_per_pixel) { ++ case 1: ++ info->fix.visual = FB_VISUAL_MONO01; ++ break; ++ case 8: ++ info->fix.visual = FB_VISUAL_PSEUDOCOLOR; ++ break; ++ case 16: ++ case 24: ++ case 32: ++ info->fix.visual = FB_VISUAL_TRUECOLOR; ++ break; ++ } ++ + info->fix.line_length = get_line_length(info->var.xres_virtual, + info->var.bits_per_pixel); ++ + return 0; + } + +@@ -450,6 +465,8 @@ static int vfb_probe(struct platform_dev + goto err2; + platform_set_drvdata(dev, info); + ++ vfb_set_par(info); ++ + fb_info(info, "Virtual frame buffer device, using %ldK of video memory\n", + videomemorysize >> 10); + return 0; diff --git a/queue-4.9/vfs-close-race-between-getcwd-and-d_move.patch b/queue-4.9/vfs-close-race-between-getcwd-and-d_move.patch new file mode 100644 index 00000000000..2360afa8bcd --- /dev/null +++ b/queue-4.9/vfs-close-race-between-getcwd-and-d_move.patch @@ -0,0 +1,114 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: NeilBrown +Date: Fri, 10 Nov 2017 15:45:41 +1100 +Subject: VFS: close race between getcwd() and d_move() + +From: NeilBrown + + +[ Upstream commit 61647823aa920e395afcce4b57c32afb51456cab ] + +d_move() will call __d_drop() and then __d_rehash() +on the dentry being moved. This creates a small window +when the dentry appears to be unhashed. Many tests +of d_unhashed() are made under ->d_lock and so are safe +from racing with this window, but some aren't. +In particular, getcwd() calls d_unlinked() (which calls +d_unhashed()) without d_lock protection, so it can race. + +This races has been seen in practice with lustre, which uses d_move() as +part of name lookup. See: + https://jira.hpdd.intel.com/browse/LU-9735 +It could race with a regular rename(), and result in ENOENT instead +of either the 'before' or 'after' name. + +The race can be demonstrated with a simple program which +has two threads, one renaming a directory back and forth +while another calls getcwd() within that directory: it should never +fail, but does. See: + https://patchwork.kernel.org/patch/9455345/ + +We could fix this race by taking d_lock and rechecking when +d_unhashed() reports true. Alternately when can remove the window, +which is the approach this patch takes. + +___d_drop() is introduce which does *not* clear d_hash.pprev +so the dentry still appears to be hashed. __d_drop() calls +___d_drop(), then clears d_hash.pprev. +__d_move() now uses ___d_drop() and only clears d_hash.pprev +when not rehashing. + +Signed-off-by: NeilBrown +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/dcache.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -461,9 +461,11 @@ static void dentry_lru_add(struct dentry + * d_drop() is used mainly for stuff that wants to invalidate a dentry for some + * reason (NFS timeouts or autofs deletes). + * +- * __d_drop requires dentry->d_lock. ++ * __d_drop requires dentry->d_lock ++ * ___d_drop doesn't mark dentry as "unhashed" ++ * (dentry->d_hash.pprev will be LIST_POISON2, not NULL). + */ +-void __d_drop(struct dentry *dentry) ++static void ___d_drop(struct dentry *dentry) + { + if (!d_unhashed(dentry)) { + struct hlist_bl_head *b; +@@ -479,12 +481,17 @@ void __d_drop(struct dentry *dentry) + + hlist_bl_lock(b); + __hlist_bl_del(&dentry->d_hash); +- dentry->d_hash.pprev = NULL; + hlist_bl_unlock(b); + /* After this call, in-progress rcu-walk path lookup will fail. */ + write_seqcount_invalidate(&dentry->d_seq); + } + } ++ ++void __d_drop(struct dentry *dentry) ++{ ++ ___d_drop(dentry); ++ dentry->d_hash.pprev = NULL; ++} + EXPORT_SYMBOL(__d_drop); + + void d_drop(struct dentry *dentry) +@@ -2378,7 +2385,7 @@ EXPORT_SYMBOL(d_delete); + static void __d_rehash(struct dentry *entry) + { + struct hlist_bl_head *b = d_hash(entry->d_name.hash); +- BUG_ON(!d_unhashed(entry)); ++ + hlist_bl_lock(b); + hlist_bl_add_head_rcu(&entry->d_hash, b); + hlist_bl_unlock(b); +@@ -2815,9 +2822,9 @@ static void __d_move(struct dentry *dent + write_seqcount_begin_nested(&target->d_seq, DENTRY_D_LOCK_NESTED); + + /* unhash both */ +- /* __d_drop does write_seqcount_barrier, but they're OK to nest. */ +- __d_drop(dentry); +- __d_drop(target); ++ /* ___d_drop does write_seqcount_barrier, but they're OK to nest. */ ++ ___d_drop(dentry); ++ ___d_drop(target); + + /* Switch the names.. */ + if (exchange) +@@ -2829,6 +2836,8 @@ static void __d_move(struct dentry *dent + __d_rehash(dentry); + if (exchange) + __d_rehash(target); ++ else ++ target->d_hash.pprev = NULL; + + /* ... and switch them in the tree */ + if (IS_ROOT(dentry)) { diff --git a/queue-4.9/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch b/queue-4.9/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch new file mode 100644 index 00000000000..8ea07815680 --- /dev/null +++ b/queue-4.9/vmxnet3-ensure-that-adapter-is-in-proper-state-during-force_close.patch @@ -0,0 +1,50 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Neil Horman +Date: Fri, 12 May 2017 12:00:01 -0400 +Subject: vmxnet3: ensure that adapter is in proper state during force_close + +From: Neil Horman + + +[ Upstream commit 1c4d5f51a812a82de97beee24f48ed05c65ebda5 ] + +There are several paths in vmxnet3, where settings changes cause the +adapter to be brought down and back up (vmxnet3_set_ringparam among +them). Should part of the reset operation fail, these paths call +vmxnet3_force_close, which enables all napi instances prior to calling +dev_close (with the expectation that vmxnet3_close will then properly +disable them again). However, vmxnet3_force_close neglects to clear +VMXNET3_STATE_BIT_QUIESCED prior to calling dev_close. As a result +vmxnet3_quiesce_dev (called from vmxnet3_close), returns early, and +leaves all the napi instances in a enabled state while the device itself +is closed. If a device in this state is activated again, napi_enable +will be called on already enabled napi_instances, leading to a BUG halt. + +The fix is to simply enausre that the QUIESCED bit is cleared in +vmxnet3_force_close to allow quesence to be completed properly on close. + +Signed-off-by: Neil Horman +CC: Shrikrishna Khare +CC: "VMware, Inc." +CC: "David S. Miller" +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vmxnet3/vmxnet3_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/vmxnet3/vmxnet3_drv.c ++++ b/drivers/net/vmxnet3/vmxnet3_drv.c +@@ -2962,6 +2962,11 @@ vmxnet3_force_close(struct vmxnet3_adapt + /* we need to enable NAPI, otherwise dev_close will deadlock */ + for (i = 0; i < adapter->num_rx_queues; i++) + napi_enable(&adapter->rx_queue[i].napi); ++ /* ++ * Need to clear the quiesce bit to ensure that vmxnet3_close ++ * can quiesce the device properly ++ */ ++ clear_bit(VMXNET3_STATE_BIT_QUIESCED, &adapter->state); + dev_close(adapter->netdev); + } + diff --git a/queue-4.9/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch b/queue-4.9/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch new file mode 100644 index 00000000000..b625f8f7683 --- /dev/null +++ b/queue-4.9/vxlan-dont-migrate-permanent-fdb-entries-during-learn.patch @@ -0,0 +1,34 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Roopa Prabhu +Date: Sun, 11 Jun 2017 16:32:50 -0700 +Subject: vxlan: dont migrate permanent fdb entries during learn + +From: Roopa Prabhu + + +[ Upstream commit e0090a9e979de5202c7d16c635dea2f005221073 ] + +This patch fixes vxlan_snoop to not move permanent fdb entries +on learn events. This is consistent with the bridge fdb +handling of permanent entries. + +Fixes: 26a41ae60438 ("vxlan: only migrate dynamic FDB entries") +Signed-off-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/vxlan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -930,7 +930,7 @@ static bool vxlan_snoop(struct net_devic + return false; + + /* Don't migrate static entries, drop packets */ +- if (f->state & NUD_NOARP) ++ if (f->state & (NUD_PERMANENT | NUD_NOARP)) + return true; + + if (net_ratelimit()) diff --git a/queue-4.9/watchdog-f71808e_wdt-add-f71868-support.patch b/queue-4.9/watchdog-f71808e_wdt-add-f71868-support.patch new file mode 100644 index 00000000000..3997b5c8a17 --- /dev/null +++ b/queue-4.9/watchdog-f71808e_wdt-add-f71868-support.patch @@ -0,0 +1,129 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: "Maciej S. Szmigiero" +Date: Mon, 17 Apr 2017 22:37:05 +0200 +Subject: watchdog: f71808e_wdt: Add F71868 support + +From: "Maciej S. Szmigiero" + + +[ Upstream commit 166fbcf88fdafa02f784ec25ac64745c716b2de0 ] + +This adds support for watchdog part of Fintek F71868 Super I/O chip to +f71808e_wdt driver. + +The F71868 chip is, in general, very similar to a F71869, however it has +slightly different set of available reset pulse widths. + +Tested on MSI A55M-P33 motherboard. + +Signed-off-by: Maciej S. Szmigiero +Reviewed-by: Guenter Roeck +Signed-off-by: Guenter Roeck +Signed-off-by: Wim Van Sebroeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/watchdog/Kconfig | 7 ++++--- + drivers/watchdog/f71808e_wdt.c | 27 ++++++++++++++++++++------- + 2 files changed, 24 insertions(+), 10 deletions(-) + +--- a/drivers/watchdog/Kconfig ++++ b/drivers/watchdog/Kconfig +@@ -799,11 +799,12 @@ config EBC_C384_WDT + the timeout module parameter. + + config F71808E_WDT +- tristate "Fintek F71808E, F71862FG, F71869, F71882FG and F71889FG Watchdog" ++ tristate "Fintek F718xx, F818xx Super I/O Watchdog" + depends on X86 + help +- This is the driver for the hardware watchdog on the Fintek +- F71808E, F71862FG, F71869, F71882FG and F71889FG Super I/O controllers. ++ This is the driver for the hardware watchdog on the Fintek F71808E, ++ F71862FG, F71868, F71869, F71882FG, F71889FG, F81865 and F81866 ++ Super I/O controllers. + + You can compile this driver directly into the kernel, or use + it as a module. The module will be called f71808e_wdt. +--- a/drivers/watchdog/f71808e_wdt.c ++++ b/drivers/watchdog/f71808e_wdt.c +@@ -57,6 +57,7 @@ + #define SIO_F71808_ID 0x0901 /* Chipset ID */ + #define SIO_F71858_ID 0x0507 /* Chipset ID */ + #define SIO_F71862_ID 0x0601 /* Chipset ID */ ++#define SIO_F71868_ID 0x1106 /* Chipset ID */ + #define SIO_F71869_ID 0x0814 /* Chipset ID */ + #define SIO_F71869A_ID 0x1007 /* Chipset ID */ + #define SIO_F71882_ID 0x0541 /* Chipset ID */ +@@ -101,7 +102,7 @@ MODULE_PARM_DESC(timeout, + static unsigned int pulse_width = WATCHDOG_PULSE_WIDTH; + module_param(pulse_width, uint, 0); + MODULE_PARM_DESC(pulse_width, +- "Watchdog signal pulse width. 0(=level), 1 ms, 25 ms, 125 ms or 5000 ms" ++ "Watchdog signal pulse width. 0(=level), 1, 25, 30, 125, 150, 5000 or 6000 ms" + " (default=" __MODULE_STRING(WATCHDOG_PULSE_WIDTH) ")"); + + static unsigned int f71862fg_pin = WATCHDOG_F71862FG_PIN; +@@ -119,13 +120,14 @@ module_param(start_withtimeout, uint, 0) + MODULE_PARM_DESC(start_withtimeout, "Start watchdog timer on module load with" + " given initial timeout. Zero (default) disables this feature."); + +-enum chips { f71808fg, f71858fg, f71862fg, f71869, f71882fg, f71889fg, f81865, +- f81866}; ++enum chips { f71808fg, f71858fg, f71862fg, f71868, f71869, f71882fg, f71889fg, ++ f81865, f81866}; + + static const char *f71808e_names[] = { + "f71808fg", + "f71858fg", + "f71862fg", ++ "f71868", + "f71869", + "f71882fg", + "f71889fg", +@@ -252,16 +254,23 @@ static int watchdog_set_timeout(int time + static int watchdog_set_pulse_width(unsigned int pw) + { + int err = 0; ++ unsigned int t1 = 25, t2 = 125, t3 = 5000; ++ ++ if (watchdog.type == f71868) { ++ t1 = 30; ++ t2 = 150; ++ t3 = 6000; ++ } + + mutex_lock(&watchdog.lock); + +- if (pw <= 1) { ++ if (pw <= 1) { + watchdog.pulse_val = 0; +- } else if (pw <= 25) { ++ } else if (pw <= t1) { + watchdog.pulse_val = 1; +- } else if (pw <= 125) { ++ } else if (pw <= t2) { + watchdog.pulse_val = 2; +- } else if (pw <= 5000) { ++ } else if (pw <= t3) { + watchdog.pulse_val = 3; + } else { + pr_err("pulse width out of range\n"); +@@ -354,6 +363,7 @@ static int watchdog_start(void) + goto exit_superio; + break; + ++ case f71868: + case f71869: + /* GPIO14 --> WDTRST# */ + superio_clear_bit(watchdog.sioaddr, SIO_REG_MFUNCT1, 4); +@@ -792,6 +802,9 @@ static int __init f71808e_find(int sioad + watchdog.type = f71862fg; + err = f71862fg_pin_configure(0); /* validate module parameter */ + break; ++ case SIO_F71868_ID: ++ watchdog.type = f71868; ++ break; + case SIO_F71869_ID: + case SIO_F71869A_ID: + watchdog.type = f71869; diff --git a/queue-4.9/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch b/queue-4.9/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch new file mode 100644 index 00000000000..3bad4fff5a6 --- /dev/null +++ b/queue-4.9/wl1251-check-return-from-call-to-wl1251_acx_arp_ip_filter.patch @@ -0,0 +1,38 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Colin Ian King +Date: Tue, 26 Dec 2017 17:33:18 +0000 +Subject: wl1251: check return from call to wl1251_acx_arp_ip_filter + +From: Colin Ian King + + +[ Upstream commit ac1181c60822292176ab96912208ec9f9819faf8 ] + +Currently the less than zero error check on ret is incorrect +as it is checking a far earlier ret assignment rather than the +return from the call to wl1251_acx_arp_ip_filter. Fix this by +adding in the missing assginment. + +Detected by CoverityScan, CID#1164835 ("Logically dead code") + +Fixes: 204cc5c44fb6 ("wl1251: implement hardware ARP filtering") +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wl1251/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/ti/wl1251/main.c ++++ b/drivers/net/wireless/ti/wl1251/main.c +@@ -1200,8 +1200,7 @@ static void wl1251_op_bss_info_changed(s + WARN_ON(wl->bss_type != BSS_TYPE_STA_BSS); + + enable = bss_conf->arp_addr_cnt == 1 && bss_conf->assoc; +- wl1251_acx_arp_ip_filter(wl, enable, addr); +- ++ ret = wl1251_acx_arp_ip_filter(wl, enable, addr); + if (ret < 0) + goto out_sleep; + } diff --git a/queue-4.9/x.509-fix-error-code-in-x509_cert_parse.patch b/queue-4.9/x.509-fix-error-code-in-x509_cert_parse.patch new file mode 100644 index 00000000000..90fd84a4c8c --- /dev/null +++ b/queue-4.9/x.509-fix-error-code-in-x509_cert_parse.patch @@ -0,0 +1,33 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Dan Carpenter +Date: Thu, 8 Jun 2017 14:47:49 +0100 +Subject: X.509: Fix error code in x509_cert_parse() + +From: Dan Carpenter + + +[ Upstream commit 4e880168e9ffb1cdbdb72b3b48ab0324b30c2d62 ] + +We forgot to set the error code on this path so it could result in +returning NULL which leads to a NULL dereference. + +Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") +Signed-off-by: Dan Carpenter +Signed-off-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/x509_cert_parser.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/asymmetric_keys/x509_cert_parser.c ++++ b/crypto/asymmetric_keys/x509_cert_parser.c +@@ -102,6 +102,7 @@ struct x509_certificate *x509_cert_parse + } + } + ++ ret = -ENOMEM; + cert->pub->key = kmemdup(ctx->key, ctx->key_size, GFP_KERNEL); + if (!cert->pub->key) + goto error_decode; diff --git a/queue-4.9/x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch b/queue-4.9/x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch new file mode 100644 index 00000000000..c815f6e9b8d --- /dev/null +++ b/queue-4.9/x86-asm-don-t-use-rbp-as-a-temporary-register-in-csum_partial_copy_generic.patch @@ -0,0 +1,106 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Josh Poimboeuf +Date: Thu, 4 May 2017 09:51:40 -0500 +Subject: x86/asm: Don't use RBP as a temporary register in csum_partial_copy_generic() + +From: Josh Poimboeuf + + +[ Upstream commit 42fc6c6cb1662ba2fa727dd01c9473c63be4e3b6 ] + +Andrey Konovalov reported the following warning while fuzzing the kernel +with syzkaller: + + WARNING: kernel stack regs at ffff8800686869f8 in a.out:4933 has bad 'bp' value c3fc855a10167ec0 + +The unwinder dump revealed that RBP had a bad value when an interrupt +occurred in csum_partial_copy_generic(). + +That function saves RBP on the stack and then overwrites it, using it as +a scratch register. That's problematic because it breaks stack traces +if an interrupt occurs in the middle of the function. + +Replace the usage of RBP with another callee-saved register (R15) so +stack traces are no longer affected. + +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Josh Poimboeuf +Cc: Cong Wang +Cc: David S . Miller +Cc: Dmitry Vyukov +Cc: Eric Dumazet +Cc: Kostya Serebryany +Cc: Linus Torvalds +Cc: Marcelo Ricardo Leitner +Cc: Neil Horman +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Vlad Yasevich +Cc: linux-sctp@vger.kernel.org +Cc: netdev +Cc: syzkaller +Link: http://lkml.kernel.org/r/4b03a961efda5ec9bfe46b7b9c9ad72d1efad343.1493909486.git.jpoimboe@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/lib/csum-copy_64.S | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/lib/csum-copy_64.S ++++ b/arch/x86/lib/csum-copy_64.S +@@ -55,7 +55,7 @@ ENTRY(csum_partial_copy_generic) + movq %r12, 3*8(%rsp) + movq %r14, 4*8(%rsp) + movq %r13, 5*8(%rsp) +- movq %rbp, 6*8(%rsp) ++ movq %r15, 6*8(%rsp) + + movq %r8, (%rsp) + movq %r9, 1*8(%rsp) +@@ -74,7 +74,7 @@ ENTRY(csum_partial_copy_generic) + /* main loop. clear in 64 byte blocks */ + /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */ + /* r11: temp3, rdx: temp4, r12 loopcnt */ +- /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */ ++ /* r10: temp5, r15: temp6, r14 temp7, r13 temp8 */ + .p2align 4 + .Lloop: + source +@@ -89,7 +89,7 @@ ENTRY(csum_partial_copy_generic) + source + movq 32(%rdi), %r10 + source +- movq 40(%rdi), %rbp ++ movq 40(%rdi), %r15 + source + movq 48(%rdi), %r14 + source +@@ -103,7 +103,7 @@ ENTRY(csum_partial_copy_generic) + adcq %r11, %rax + adcq %rdx, %rax + adcq %r10, %rax +- adcq %rbp, %rax ++ adcq %r15, %rax + adcq %r14, %rax + adcq %r13, %rax + +@@ -121,7 +121,7 @@ ENTRY(csum_partial_copy_generic) + dest + movq %r10, 32(%rsi) + dest +- movq %rbp, 40(%rsi) ++ movq %r15, 40(%rsi) + dest + movq %r14, 48(%rsi) + dest +@@ -203,7 +203,7 @@ ENTRY(csum_partial_copy_generic) + movq 3*8(%rsp), %r12 + movq 4*8(%rsp), %r14 + movq 5*8(%rsp), %r13 +- movq 6*8(%rsp), %rbp ++ movq 6*8(%rsp), %r15 + addq $7*8, %rsp + ret + diff --git a/queue-4.9/x86-boot-declare-error-as-noreturn.patch b/queue-4.9/x86-boot-declare-error-as-noreturn.patch new file mode 100644 index 00000000000..00608146637 --- /dev/null +++ b/queue-4.9/x86-boot-declare-error-as-noreturn.patch @@ -0,0 +1,48 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Kees Cook +Date: Fri, 5 May 2017 21:51:16 -0700 +Subject: x86/boot: Declare error() as noreturn + +From: Kees Cook + + +[ Upstream commit 60854a12d281e2fa25662fa32ac8022bbff17432 ] + +The compressed boot function error() is used to halt execution, but it +wasn't marked with "noreturn". This fixes that in preparation for +supporting kernel FORTIFY_SOURCE, which uses the noreturn annotation +on panic, and calls error(). GCC would warn about a noreturn function +calling a non-noreturn function: + + arch/x86/boot/compressed/misc.c: In function ‘fortify_panic’: + arch/x86/boot/compressed/misc.c:416:1: warning: ‘noreturn’ function does return + } + ^ + +Signed-off-by: Kees Cook +Cc: Daniel Micay +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: H. Peter Anvin +Link: http://lkml.kernel.org/r/20170506045116.GA2879@beast +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/boot/compressed/error.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/boot/compressed/error.h ++++ b/arch/x86/boot/compressed/error.h +@@ -1,7 +1,9 @@ + #ifndef BOOT_COMPRESSED_ERROR_H + #define BOOT_COMPRESSED_ERROR_H + ++#include ++ + void warn(char *m); +-void error(char *m); ++void error(char *m) __noreturn; + + #endif /* BOOT_COMPRESSED_ERROR_H */ diff --git a/queue-4.9/x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch b/queue-4.9/x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch new file mode 100644 index 00000000000..ef5e07e377f --- /dev/null +++ b/queue-4.9/x86-efi-disable-runtime-services-on-kexec-kernel-if-booted-with-efi-old_map.patch @@ -0,0 +1,76 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Sai Praneeth +Date: Fri, 26 May 2017 12:36:49 +0100 +Subject: x86/efi: Disable runtime services on kexec kernel if booted with efi=old_map + +From: Sai Praneeth + + +[ Upstream commit 4e52797d2efefac3271abdc54439a3435abd77b9 ] + +Booting kexec kernel with "efi=old_map" in kernel command line hits +kernel panic as shown below. + + BUG: unable to handle kernel paging request at ffff88007fe78070 + IP: virt_efi_set_variable.part.7+0x63/0x1b0 + PGD 7ea28067 + PUD 7ea2b067 + PMD 7ea2d067 + PTE 0 + [...] + Call Trace: + virt_efi_set_variable() + efi_delete_dummy_variable() + efi_enter_virtual_mode() + start_kernel() + x86_64_start_reservations() + x86_64_start_kernel() + start_cpu() + +[ efi=old_map was never intended to work with kexec. The problem with + using efi=old_map is that the virtual addresses are assigned from the + memory region used by other kernel mappings; vmalloc() space. + Potentially there could be collisions when booting kexec if something + else is mapped at the virtual address we allocated for runtime service + regions in the initial boot - Matt Fleming ] + +Since kexec was never intended to work with efi=old_map, disable +runtime services in kexec if booted with efi=old_map, so that we don't +panic. + +Tested-by: Lee Chun-Yi +Signed-off-by: Sai Praneeth Prakhya +Signed-off-by: Matt Fleming +Acked-by: Dave Young +Cc: Ard Biesheuvel +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Ravi Shankar +Cc: Ricardo Neri +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20170526113652.21339-4-matt@codeblueprint.co.uk +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/platform/efi/efi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -832,9 +832,11 @@ static void __init kexec_enter_virtual_m + + /* + * We don't do virtual mode, since we don't do runtime services, on +- * non-native EFI ++ * non-native EFI. With efi=old_map, we don't do runtime services in ++ * kexec kernel because in the initial boot something else might ++ * have been mapped at these virtual addresses. + */ +- if (!efi_is_native()) { ++ if (!efi_is_native() || efi_enabled(EFI_OLD_MEMMAP)) { + efi_memmap_unmap(); + clear_bit(EFI_RUNTIME_SERVICES, &efi.flags); + return; diff --git a/queue-4.9/x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch b/queue-4.9/x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch new file mode 100644 index 00000000000..638ed487b2b --- /dev/null +++ b/queue-4.9/x86-mm-kaslr-use-the-_asm_mul-macro-for-multiplication-to-work-around-clang-incompatibility.patch @@ -0,0 +1,70 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Matthias Kaehlcke +Date: Mon, 1 May 2017 15:47:41 -0700 +Subject: x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility + +From: Matthias Kaehlcke + + +[ Upstream commit 121843eb02a6e2fa30aefab64bfe183c97230c75 ] + +The constraint "rm" allows the compiler to put mix_const into memory. +When the input operand is a memory location then MUL needs an operand +size suffix, since Clang can't infer the multiplication width from the +operand. + +Add and use the _ASM_MUL macro which determines the operand size and +resolves to the NUL instruction with the corresponding suffix. + +This fixes the following error when building with clang: + + CC arch/x86/lib/kaslr.o + /tmp/kaslr-dfe1ad.s: Assembler messages: + /tmp/kaslr-dfe1ad.s:182: Error: no instruction mnemonic suffix given and no register operands; can't size instruction + +Signed-off-by: Matthias Kaehlcke +Cc: Grant Grundler +Cc: Greg Hackmann +Cc: Kees Cook +Cc: Linus Torvalds +Cc: Michael Davidson +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20170501224741.133938-1-mka@chromium.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/asm.h | 1 + + arch/x86/lib/kaslr.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/asm.h ++++ b/arch/x86/include/asm/asm.h +@@ -34,6 +34,7 @@ + #define _ASM_ADD __ASM_SIZE(add) + #define _ASM_SUB __ASM_SIZE(sub) + #define _ASM_XADD __ASM_SIZE(xadd) ++#define _ASM_MUL __ASM_SIZE(mul) + + #define _ASM_AX __ASM_REG(ax) + #define _ASM_BX __ASM_REG(bx) +--- a/arch/x86/lib/kaslr.c ++++ b/arch/x86/lib/kaslr.c +@@ -5,6 +5,7 @@ + * kernel starts. This file is included in the compressed kernel and + * normally linked in the regular. + */ ++#include + #include + #include + #include +@@ -79,7 +80,7 @@ unsigned long kaslr_get_random_long(cons + } + + /* Circular multiply for better bit diffusion */ +- asm("mul %3" ++ asm(_ASM_MUL "%3" + : "=a" (random), "=d" (raw) + : "a" (random), "rm" (mix_const)); + random += raw; diff --git a/queue-4.9/x86-tsc-provide-tsc-unstable-boot-parameter.patch b/queue-4.9/x86-tsc-provide-tsc-unstable-boot-parameter.patch new file mode 100644 index 00000000000..bc169e25292 --- /dev/null +++ b/queue-4.9/x86-tsc-provide-tsc-unstable-boot-parameter.patch @@ -0,0 +1,42 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Peter Zijlstra +Date: Thu, 13 Apr 2017 14:56:44 +0200 +Subject: x86/tsc: Provide 'tsc=unstable' boot parameter + +From: Peter Zijlstra + + +[ Upstream commit 8309f86cd41e8714526867177facf7a316d9be53 ] + +Since the clocksource watchdog will only detect broken TSC after the +fact, all TSC based clocks will likely have observed non-continuous +values before/when switching away from TSC. + +Therefore only thing to fully avoid random clock movement when your +BIOS randomly mucks with TSC values from SMI handlers is reporting the +TSC as unstable at boot. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/tsc.c ++++ b/arch/x86/kernel/tsc.c +@@ -366,6 +366,8 @@ static int __init tsc_setup(char *str) + tsc_clocksource_reliable = 1; + if (!strncmp(str, "noirqtime", 9)) + no_sched_irq_time = 1; ++ if (!strcmp(str, "unstable")) ++ mark_tsc_unstable("boot parameter"); + return 1; + } + diff --git a/queue-4.9/xen-avoid-type-warning-in-xchg_xen_ulong.patch b/queue-4.9/xen-avoid-type-warning-in-xchg_xen_ulong.patch new file mode 100644 index 00000000000..d0e65dfb534 --- /dev/null +++ b/queue-4.9/xen-avoid-type-warning-in-xchg_xen_ulong.patch @@ -0,0 +1,43 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Arnd Bergmann +Date: Thu, 8 Jun 2017 10:53:10 +0200 +Subject: xen: avoid type warning in xchg_xen_ulong + +From: Arnd Bergmann + + +[ Upstream commit 9cc91f212111cdcbefa02dcdb7dd443f224bf52c ] + +The improved type-checking version of container_of() triggers a warning for +xchg_xen_ulong, pointing out that 'xen_ulong_t' is unsigned, but atomic64_t +contains a signed value: + +drivers/xen/events/events_2l.c: In function 'evtchn_2l_handle_events': +drivers/xen/events/events_2l.c:187:1020: error: call to '__compiletime_assert_187' declared with attribute error: pointer type mismatch in container_of() + +This adds a cast to work around the warning. + +Cc: Ian Abbott +Fixes: 85323a991d40 ("xen: arm: mandate EABI and use generic atomic operations.") +Fixes: daa2ac80834d ("kernel.h: handle pointers to arrays better in container_of()") +Signed-off-by: Arnd Bergmann +Signed-off-by: Stefano Stabellini +Reviewed-by: Stefano Stabellini +Acked-by: Ian Abbott +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/include/asm/xen/events.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/include/asm/xen/events.h ++++ b/arch/arm/include/asm/xen/events.h +@@ -16,7 +16,7 @@ static inline int xen_irqs_disabled(stru + return raw_irqs_disabled_flags(regs->ARM_cpsr); + } + +-#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((ptr), \ ++#define xchg_xen_ulong(ptr, val) atomic64_xchg(container_of((long long*)(ptr),\ + atomic64_t, \ + counter), (val)) + diff --git a/queue-4.9/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch b/queue-4.9/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch new file mode 100644 index 00000000000..6870ebbc007 --- /dev/null +++ b/queue-4.9/xfrm-fix-state-migration-copy-replay-sequence-numbers.patch @@ -0,0 +1,56 @@ +From foo@baz Mon Apr 9 17:09:24 CEST 2018 +From: Antony Antony +Date: Fri, 19 May 2017 12:47:00 +0200 +Subject: xfrm: fix state migration copy replay sequence numbers + +From: Antony Antony + + +[ Upstream commit a486cd23661c9387fb076c3f6ae8b2aa9d20d54a ] + +During xfrm migration copy replay and preplay sequence numbers +from the previous state. + +Here is a tcpdump output showing the problem. +10.0.10.46 is running vanilla kernel, is the IKE/IPsec responder. +After the migration it sent wrong sequence number, reset to 1. +The migration is from 10.0.0.52 to 10.0.0.53. + +IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7cf), length 136 +IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7cf), length 136 +IP 10.0.0.52.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d0), length 136 +IP 10.0.10.46.4500 > 10.0.0.52.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x7d0), length 136 + +IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I] +IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R] +IP 10.0.0.53.4500 > 10.0.10.46.4500: NONESP-encap: isakmp: child_sa inf2[I] +IP 10.0.10.46.4500 > 10.0.0.53.4500: NONESP-encap: isakmp: child_sa inf2[R] + +IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d1), length 136 + +NOTE: next sequence is wrong 0x1 + +IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x1), length 136 +IP 10.0.0.53.4500 > 10.0.10.46.4500: UDP-encap: ESP(spi=0x43ef462d,seq=0x7d2), length 136 +IP 10.0.10.46.4500 > 10.0.0.53.4500: UDP-encap: ESP(spi=0xca1c282d,seq=0x2), length 136 + +Signed-off-by: Antony Antony +Reviewed-by: Richard Guy Briggs +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_state.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/xfrm/xfrm_state.c ++++ b/net/xfrm/xfrm_state.c +@@ -1246,6 +1246,8 @@ static struct xfrm_state *xfrm_state_clo + x->curlft.add_time = orig->curlft.add_time; + x->km.state = orig->km.state; + x->km.seq = orig->km.seq; ++ x->replay = orig->replay; ++ x->preplay = orig->preplay; + + return x; +