From: Sasha Levin Date: Tue, 19 Mar 2019 22:13:50 +0000 (-0400) Subject: patches for 4.9 X-Git-Tag: v3.18.137~83 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c2b94c3ad38af292c1a4291335f3dfa997c24ab;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch b/queue-4.9/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
new file mode 100644
index 00000000000..5eb9231973d
--- /dev/null
+++ b/queue-4.9/arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch
@@ -0,0 +1,59 @@
+From eaa3a55f2d4d9a40057faa069573e94440ed590f Mon Sep 17 00:00:00 2001
+From: Vineet Gupta
+Date: Tue, 5 Feb 2019 10:07:07 -0800
+Subject: ARC: uacces: remove lp_start, lp_end from clobber list
+
+[ Upstream commit d5e3c55e01d8b1774b37b4647c30fb22f1d39077 ]
+
+Newer ARC gcc handles lp_start, lp_end in a different way and doesn't
+like them in the clobber list.
+
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+---
+ arch/arc/include/asm/uaccess.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/arch/arc/include/asm/uaccess.h b/arch/arc/include/asm/uaccess.h
+index 0684fd2f42e8..f82393f89215 100644
+--- a/arch/arc/include/asm/uaccess.h
++++ b/arch/arc/include/asm/uaccess.h
+@@ -209,7 +209,7 @@ __arc_copy_from_user(void *to, const void __user *from, unsigned long n)
+ */
+ "=&r" (tmp), "+r" (to), "+r" (from)
+ :
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return n;
+ }
+@@ -438,7 +438,7 @@ __arc_copy_to_user(void __user *to, const void *from, unsigned long n)
+ */
+ "=&r" (tmp), "+r" (to), "+r" (from)
+ :
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return n;
+ }
+@@ -658,7 +658,7 @@ static inline unsigned long __arc_clear_user(void __user *to, unsigned long n)
+ " .previous \n"
+ : "+r"(d_char), "+r"(res)
+ : "i"(0)
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return res;
+ }
+@@ -691,7 +691,7 @@ __arc_strncpy_from_user(char *dst, const char __user *src, long count)
+ " .previous \n"
+ : "+r"(res), "+r"(dst), "+r"(src), "=r"(val)
+ : "g"(-EFAULT), "r"(count)
+- : "lp_count", "lp_start", "lp_end", "memory");
++ : "lp_count", "memory");
+
+ return res;
+ }
+--
+2.19.1
+
diff --git a/queue-4.9/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch b/queue-4.9/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch
new file mode 100644
index 00000000000..becb3c7333c
--- /dev/null
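Review bot: In arch/arc/include/asm/uaccess.h all four clobber lists now read `: "lp_count", "memory"` with no comment saying why `lp_start` and `lp_end` are left out while `lp_count` stays, so a later cleanup could put them back and break the build on newer ARC gcc. I would add a comment above the first list (in `__arc_copy_from_user`), such as `/* lp_start/lp_end deliberately not clobbered: newer ARC gcc rejects them here */`. The asm bodies lie outside these hunks, so whether they depend on how older compilers treat the loop registers cannot be checked from this page; that is worth confirming for the toolchains used to build 4.9.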
+++ b/queue-4.9/arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch 
@@ -0,0 +1,102 @@
+From b6381e375fb1d2d9a3fca962d98f6f503c654348 Mon Sep 17 00:00:00 2001
+From: Eugeniy Paltsev
+Date: Wed, 30 Jan 2019 19:32:40 +0300
+Subject: ARCv2: lib: memcpy: fix doing prefetchw outside of buffer
+
+[ Upstream commit f8a15f97664178f27dfbf86a38f780a532cb6df0 ]
+
+ARCv2 optimized memcpy uses PREFETCHW instruction for prefetching the
+next cache line but doesn't ensure that the line is not past the end of
+the buffer. PRETECHW changes the line ownership and marks it dirty,
+which can cause data corruption if this area is used for DMA IO.
+
+Fix the issue by avoiding the PREFETCHW. This leads to performance
+degradation but it is OK as we'll introduce new memcpy implementation
+optimized for unaligned memory access using.
+
+We also cut off all PREFETCH instructions at they are quite useless
+here:
+ * we call PREFETCH right before LOAD instruction call.
+ * we copy 16 or 32 bytes of data (depending on CONFIG_ARC_HAS_LL64)
+ in a main logical loop. so we call PREFETCH 4 times (or 2 times)
+ for each L1 cache line (in case of 64B L1 cache Line which is
+ default case). Obviously this is not optimal.
+
+Signed-off-by: Eugeniy Paltsev
+Signed-off-by: Vineet Gupta
+Signed-off-by: Sasha Levin
+---
+ arch/arc/lib/memcpy-archs.S | 14 --------------
+ 1 file changed, 14 deletions(-)
+
+diff --git a/arch/arc/lib/memcpy-archs.S b/arch/arc/lib/memcpy-archs.S
+index d61044dd8b58..ea14b0bf3116 100644
+--- a/arch/arc/lib/memcpy-archs.S
++++ b/arch/arc/lib/memcpy-archs.S
+@@ -25,15 +25,11 @@
+ #endif
+
+ #ifdef CONFIG_ARC_HAS_LL64
+-# define PREFETCH_READ(RX) prefetch [RX, 56]
+-# define PREFETCH_WRITE(RX) prefetchw [RX, 64]
+ # define LOADX(DST,RX) ldd.ab DST, [RX, 8]
+ # define STOREX(SRC,RX) std.ab SRC, [RX, 8]
+ # define ZOLSHFT 5
+ # define ZOLAND 0x1F
+ #else
+-# define PREFETCH_READ(RX) prefetch [RX, 28]
+-# define PREFETCH_WRITE(RX) prefetchw [RX, 32]
+ # define LOADX(DST,RX) ld.ab DST, [RX, 4]
+ # define STOREX(SRC,RX) st.ab SRC, [RX, 4]
+ # define ZOLSHFT 4
+@@ -41,8 +37,6 @@
+ #endif
+
+ ENTRY_CFI(memcpy)
+- prefetch [r1] ; Prefetch the read location
+- prefetchw [r0] ; Prefetch the write location
+ mov.f 0, r2
+ ;;; if size is zero
+ jz.d [blink]
+@@ -72,8 +66,6 @@ ENTRY_CFI(memcpy)
+ lpnz @.Lcopy32_64bytes
+ ;; LOOP START
+ LOADX (r6, r1)
+- PREFETCH_READ (r1)
+- PREFETCH_WRITE (r3)
+ LOADX (r8, r1)
+ LOADX (r10, r1)
+ LOADX (r4, r1)
+@@ -117,9 +109,7 @@ ENTRY_CFI(memcpy)
+ lpnz @.Lcopy8bytes_1
+ ;; LOOP START
+ ld.ab r6, [r1, 4]
+- prefetch [r1, 28] ;Prefetch the next read location
+ ld.ab r8, [r1,4]
+- prefetchw [r3, 32] ;Prefetch the next write location
+
+ SHIFT_1 (r7, r6, 24)
+ or r7, r7, r5
+@@ -162,9 +152,7 @@ ENTRY_CFI(memcpy)
+ lpnz @.Lcopy8bytes_2
+ ;; LOOP START
+ ld.ab r6, [r1, 4]
+- prefetch [r1, 28] ;Prefetch the next read location
+ ld.ab r8, [r1,4]
+- prefetchw [r3, 32] ;Prefetch the next write location
+
+ SHIFT_1 (r7, r6, 16)
+ or r7, r7, r5
+@@ -204,9 +192,7 @@ ENTRY_CFI(memcpy)
+ lpnz @.Lcopy8bytes_3
+ ;; LOOP START
+ ld.ab r6, [r1, 4]
+- prefetch [r1, 28] ;Prefetch the next read location
+ ld.ab r8, [r1,4]
+- prefetchw [r3, 32] ;Prefetch the next write location
+
+ SHIFT_1 (r7, r6, 8)
+ or r7, r7, r5
+--
+2.19.1
+
diff --git a/queue-4.9/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch b/queue-4.9/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
new file mode 100644
index 00000000000..72ce5fec287
--- /dev/null
+++ b/queue-4.9/arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch
@@ -0,0 +1,156 @@
+From 938d21cb581de5fa6b27f8ac2b003bd47a32f89a Mon Sep 17 00:00:00 2001
+From: Dietmar Eggemann
+Date: Mon, 21 Jan 2019 14:42:42 +0100
+Subject: ARM: 8824/1: fix a migrating irq bug when hotplug cpu
+
+[ Upstream commit 1b5ba350784242eb1f899bcffd95d2c7cff61e84 ]
+
+Arm TC2 fails cpu hotplug stress test.
+
+This issue was tracked down to a missing copy of the new affinity
+cpumask for the vexpress-spc interrupt into struct
+irq_common_data.affinity when the interrupt is migrated in
+migrate_one_irq().
+
+Fix it by replacing the arm specific hotplug cpu migration with the
+generic irq code.
+
+This is the counterpart implementation to commit 217d453d473c ("arm64:
+fix a migrating irq bug when hotplug cpu").
+
+Tested with cpu hotplug stress test on Arm TC2 (multi_v7_defconfig plus
+CONFIG_ARM_BIG_LITTLE_CPUFREQ=y and CONFIG_ARM_VEXPRESS_SPC_CPUFREQ=y).
+The vexpress-spc interrupt (irq=22) on this board is affine to CPU0.
+Its affinity cpumask now changes correctly e.g. from 0 to 1-4 when
+CPU0 is hotplugged out.
+
+Suggested-by: Marc Zyngier
+Signed-off-by: Dietmar Eggemann
+Acked-by: Marc Zyngier
+Reviewed-by: Linus Walleij
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+---
+ arch/arm/Kconfig | 1 +
+ arch/arm/include/asm/irq.h | 1 -
+ arch/arm/kernel/irq.c | 62 --------------------------------------
+ arch/arm/kernel/smp.c | 2 +-
+ 4 files changed, 2 insertions(+), 64 deletions(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index b5d529fdffab..74a70f91b01a 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1457,6 +1457,7 @@ config NR_CPUS
+ config HOTPLUG_CPU
+ bool "Support for hot-pluggable CPUs"
+ depends on SMP
++ select GENERIC_IRQ_MIGRATION
+ help
+ Say Y here to experiment with turning CPUs off and on. CPUs
+ can be controlled through /sys/devices/system/cpu.
+diff --git a/arch/arm/include/asm/irq.h b/arch/arm/include/asm/irq.h
+index e53638c8ed8a..61e1d089ce1a 100644
+--- a/arch/arm/include/asm/irq.h
++++ b/arch/arm/include/asm/irq.h
+@@ -24,7 +24,6 @@
+ #ifndef __ASSEMBLY__
+ struct irqaction;
+ struct pt_regs;
+-extern void migrate_irqs(void);
+
+ extern void asm_do_IRQ(unsigned int, struct pt_regs *);
+ void handle_IRQ(unsigned int, struct pt_regs *);
+diff --git a/arch/arm/kernel/irq.c b/arch/arm/kernel/irq.c
+index ece04a457486..5b07c7a31c31 100644
+--- a/arch/arm/kernel/irq.c
++++ b/arch/arm/kernel/irq.c
+@@ -31,7 +31,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -119,64 +118,3 @@ int __init arch_probe_nr_irqs(void)
+ return nr_irqs;
+ }
+ #endif
+-
+-#ifdef CONFIG_HOTPLUG_CPU
+-static bool migrate_one_irq(struct irq_desc *desc)
+-{
+- struct irq_data *d = irq_desc_get_irq_data(desc);
+- const struct cpumask *affinity = irq_data_get_affinity_mask(d);
+- struct irq_chip *c;
+- bool ret = false;
+-
+- /*
+- * If this is a per-CPU interrupt, or the affinity does not
+- * include this CPU, then we have nothing to do.
+- */
+- if (irqd_is_per_cpu(d) || !cpumask_test_cpu(smp_processor_id(), affinity))
+- return false;
+-
+- if (cpumask_any_and(affinity, cpu_online_mask) >= nr_cpu_ids) {
+- affinity = cpu_online_mask;
+- ret = true;
+- }
+-
+- c = irq_data_get_irq_chip(d);
+- if (!c->irq_set_affinity)
+- pr_debug("IRQ%u: unable to set affinity\n", d->irq);
+- else if (c->irq_set_affinity(d, affinity, false) == IRQ_SET_MASK_OK && ret)
+- cpumask_copy(irq_data_get_affinity_mask(d), affinity);
+-
+- return ret;
+-}
+-
+-/*
+- * The current CPU has been marked offline. Migrate IRQs off this CPU.
+- * If the affinity settings do not allow other CPUs, force them onto any
+- * available CPU.
+- *
+- * Note: we must iterate over all IRQs, whether they have an attached
+- * action structure or not, as we need to get chained interrupts too.
+- */
+-void migrate_irqs(void)
+-{
+- unsigned int i;
+- struct irq_desc *desc;
+- unsigned long flags;
+-
+- local_irq_save(flags);
+-
+- for_each_irq_desc(i, desc) {
+- bool affinity_broken;
+-
+- raw_spin_lock(&desc->lock);
+- affinity_broken = migrate_one_irq(desc);
+- raw_spin_unlock(&desc->lock);
+-
+- if (affinity_broken)
+- pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n",
+- i, smp_processor_id());
+- }
+-
+- local_irq_restore(flags);
+-}
+-#endif /* CONFIG_HOTPLUG_CPU */
+diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
+index 8faf869e9fb2..bc83ec7ed53f 100644
+--- a/arch/arm/kernel/smp.c
++++ b/arch/arm/kernel/smp.c
+@@ -253,7 +253,7 @@ int __cpu_disable(void)
+ /*
+ * OK - migrate IRQs away from this CPU
+ */
+- migrate_irqs();
++ irq_migrate_all_off_this_cpu();
+
+ /*
+ * Flush user cache and TLB mappings, and then remove this CPU
+--
+2.19.1
+
diff --git a/queue-4.9/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch b/queue-4.9/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
new file mode 100644
index 00000000000..64391741b4b
--- /dev/null
+++ b/queue-4.9/arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch
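Review bot: The new call `irq_migrate_all_off_this_cpu();` in `__cpu_disable()` (arch/arm/kernel/smp.c) has no local interrupt masking around it, whereas the removed `migrate_irqs()` wrapped its loop in `local_irq_save(flags)` / `local_irq_restore(flags)`. The rest of `__cpu_disable()` is outside the hunk, so this presumably relies on the caller already running with interrupts off. Please confirm that holds in the 4.9 tree and record it in the comment, e.g. `* OK - migrate IRQs away from this CPU (caller runs with IRQs disabled)`. The `pr_warn_ratelimited("IRQ%u no longer affine to CPU%u\n", ...)` diagnostic is removed together with the arch code, so it is also worth checking that the generic path still reports a broken affinity.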
@@ -0,0 +1,48 @@
+From 485a2c6623239796de97faa6f26b991b89a84b2c Mon Sep 17 00:00:00 2001
+From: Yizhuo
+Date: Fri, 25 Jan 2019 22:32:20 -0800
+Subject: ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be
+ uninitialized
+
+[ Upstream commit dc30e70391376ba3987aeb856ae6d9c0706534f1 ]
+
+In function omap4_dsi_mux_pads(), local variable "reg" could
+be uninitialized if function regmap_read() returns -EINVAL.
+However, it will be used directly in the later context, which
+is potentially unsafe.
+
+Signed-off-by: Yizhuo
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-omap2/display.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-omap2/display.c b/arch/arm/mach-omap2/display.c
+index 70b3eaf085e4..5ca7e29ad851 100644
+--- a/arch/arm/mach-omap2/display.c
++++ b/arch/arm/mach-omap2/display.c
+@@ -115,6 +115,7 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ u32 enable_mask, enable_shift;
+ u32 pipd_mask, pipd_shift;
+ u32 reg;
++ int ret;
+
+ if (dsi_id == 0) {
+ enable_mask = OMAP4_DSI1_LANEENABLE_MASK;
+@@ -130,7 +131,11 @@ static int omap4_dsi_mux_pads(int dsi_id, unsigned lanes)
+ return -ENODEV;
+ }
+
+- regmap_read(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, ®);
++ ret = regmap_read(omap4_dsi_mux_syscon,
++ OMAP4_DSIPHY_SYSCON_OFFSET,
++ ®);
++ if (ret)
++ return ret;
+
+ reg &= ~enable_mask;
+ reg &= ~pipd_mask;
+--
+2.19.1
+
diff --git a/queue-4.9/arm64-relax-gic-version-check-during-early-boot.patch b/queue-4.9/arm64-relax-gic-version-check-during-early-boot.patch
new file mode 100644
index 00000000000..8cbf9fec5ce
--- /dev/null
+++ b/queue-4.9/arm64-relax-gic-version-check-during-early-boot.patch
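Review bot: Only the read half of the read-modify-write in `omap4_dsi_mux_pads()` is covered by the new `if (ret) return ret;`; the hunk ends at `reg &= ~pipd_mask;`, so the write-back of `reg` is not visible here. If that write is an unchecked `regmap_write()`, the function can still report success after the pad configuration failed to apply, and it should be handled the same way, e.g. `return regmap_write(omap4_dsi_mux_syscon, OMAP4_DSIPHY_SYSCON_OFFSET, reg);`. The function body continues past the hunk, so this needs to be confirmed against the full file.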
@@ -0,0 +1,40 @@
+From c33c0d7f195cd26de2300f7245f828450b7661a2 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin
+Date: Wed, 20 Feb 2019 11:43:05 +0000
+Subject: arm64: Relax GIC version check during early boot
+
+[ Upstream commit 74698f6971f25d045301139413578865fc2bd8f9 ]
+
+Updates to the GIC architecture allow ID_AA64PFR0_EL1.GIC to have
+values other than 0 or 1. At the moment, Linux is quite strict in the
+way it handles this field at early boot stage (cpufeature is fine) and
+will refuse to use the system register CPU interface if it doesn't
+find the value 1.
+
+Fixes: 021f653791ad17e03f98aaa7fb933816ae16f161 ("irqchip: gic-v3: Initial support for GICv3")
+Reported-by: Chase Conklin
+Reviewed-by: Marc Zyngier
+Signed-off-by: Vladimir Murzin
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/head.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/head.S b/arch/arm64/kernel/head.S
+index 3289d1458791..db6ff1944c41 100644
+--- a/arch/arm64/kernel/head.S
++++ b/arch/arm64/kernel/head.S
+@@ -534,8 +534,7 @@ set_hcr:
+ /* GICv3 system register access */
+ mrs x0, id_aa64pfr0_el1
+ ubfx x0, x0, #24, #4
+- cmp x0, #1
+- b.ne 3f
++ cbz x0, 3f
+
+ mrs_s x0, ICC_SRE_EL2
+ orr x0, x0, #ICC_SRE_EL2_SRE // Set ICC_SRE_EL2.SRE==1
+--
+2.19.1
+
diff --git a/queue-4.9/asoc-topology-free-created-components-in-tplg-load-e.patch b/queue-4.9/asoc-topology-free-created-components-in-tplg-load-e.patch
new file mode 100644
index 00000000000..73cb444ff85
--- /dev/null
+++ b/queue-4.9/asoc-topology-free-created-components-in-tplg-load-e.patch
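Review bot: The comment `/* GICv3 system register access */` above the `ubfx` in arch/arm64/kernel/head.S no longer describes the test. With `cbz x0, 3f`, every non-zero ID_AA64PFR0_EL1.GIC value takes the system-register path, including encodings that were not defined when the original check was written. I would say so on the new line, for example `cbz x0, 3f // any non-zero GIC field: sysreg CPU interface present`. The code after the `orr` is outside the hunk, so it cannot be seen here whether the ICC_SRE_EL2.SRE write is read back and verified before the interface is relied on; that is worth checking for the relaxed case.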
@@ -0,0 +1,45 @@
+From 2a12fccf7a90b6f3c2737e9a87f86a5518fb02d8 Mon Sep 17 00:00:00 2001
+From: Bard liao
+Date: Sun, 17 Feb 2019 21:23:47 +0800
+Subject: ASoC: topology: free created components in tplg load error
+
+[ Upstream commit 304017d31df36fb61eb2ed3ebf65fb6870b3c731 ]
+
+Topology resources are no longer needed if any element failed to load.
+
+Signed-off-by: Bard liao
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-topology.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-topology.c b/sound/soc/soc-topology.c
+index d6b48c796bfc..086fe4d27f60 100644
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -1989,6 +1989,7 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ struct snd_soc_tplg_ops *ops, const struct firmware *fw, u32 id)
+ {
+ struct soc_tplg tplg;
++ int ret;
+
+ /* setup parsing context */
+ memset(&tplg, 0, sizeof(tplg));
+@@ -2002,7 +2003,12 @@ int snd_soc_tplg_component_load(struct snd_soc_component *comp,
+ tplg.bytes_ext_ops = ops->bytes_ext_ops;
+ tplg.bytes_ext_ops_count = ops->bytes_ext_ops_count;
+
+- return soc_tplg_load(&tplg);
++ ret = soc_tplg_load(&tplg);
++ /* free the created components if fail to load topology */
++ if (ret)
++ snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(snd_soc_tplg_component_load);
+
+--
+2.19.1
+
diff --git a/queue-4.9/assoc_array-fix-shortcut-creation.patch b/queue-4.9/assoc_array-fix-shortcut-creation.patch
new file mode 100644
index 00000000000..db3c0129e55
--- /dev/null
+++ b/queue-4.9/assoc_array-fix-shortcut-creation.patch
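Review bot: On a failed load, the new error path in `snd_soc_tplg_component_load()` calls `snd_soc_tplg_component_remove(comp, SND_SOC_TPLG_INDEX_ALL)`, which is not limited to the `id` this call was asked to load. If a component can already hold objects from an earlier, successful load, one later malformed firmware blob would tear those down as well. Unless callers are known to load exactly once per component, consider passing the requested index, `snd_soc_tplg_component_remove(comp, id);`, or state the all-or-nothing behaviour in the comment. Whether `soc_tplg_load()` already unwinds partially created objects is outside the hunk.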
@@ -0,0 +1,57 @@
+From a1c3868502645002fcff36adcc7a6ef5ea480bb9 Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Thu, 14 Feb 2019 16:20:15 +0000
+Subject: assoc_array: Fix shortcut creation
+
+[ Upstream commit bb2ba2d75a2d673e76ddaf13a9bd30d6a8b1bb08 ]
+
+Fix the creation of shortcuts for which the length of the index key value
+is an exact multiple of the machine word size. The problem is that the
+code that blanks off the unused bits of the shortcut value malfunctions if
+the number of bits in the last word equals machine word size. This is due
+to the "<<" operator being given a shift of zero in this case, and so the
+mask that should be all zeros is all ones instead. This causes the
+subsequent masking operation to clear everything rather than clearing
+nothing.
+
+Ordinarily, the presence of the hash at the beginning of the tree index key
+makes the issue very hard to test for, but in this case, it was encountered
+due to a development mistake that caused the hash output to be either 0
+(keyring) or 1 (non-keyring) only. This made it susceptible to the
+keyctl/unlink/valid test in the keyutils package.
+
+The fix is simply to skip the blanking if the shift would be 0. For
+example, an index key that is 64 bits long would produce a 0 shift and thus
+a 'blank' of all 1s. This would then be inverted and AND'd onto the
+index_key, incorrectly clearing the entire last word.
+
+Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
+Signed-off-by: David Howells
+Signed-off-by: James Morris
+Signed-off-by: Sasha Levin
+---
+ lib/assoc_array.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/assoc_array.c b/lib/assoc_array.c
+index 5cd093589c5a..3b46c5433b7a 100644
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -781,9 +781,11 @@ all_leaves_cluster_together:
+ new_s0->index_key[i] =
+ ops->get_key_chunk(index_key, i * ASSOC_ARRAY_KEY_CHUNK_SIZE);
+
+- blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
+- pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
+- new_s0->index_key[keylen - 1] &= ~blank;
++ if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {
++ blank = ULONG_MAX << (level & ASSOC_ARRAY_KEY_CHUNK_MASK);
++ pr_devel("blank off [%zu] %d: %lx\n", keylen - 1, level, blank);
++ new_s0->index_key[keylen - 1] &= ~blank;
++ }
+
+ /* This now reduces to a node splitting exercise for which we'll need
+ * to regenerate the disparity table.
+--
+2.19.1
+
diff --git a/queue-4.9/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch b/queue-4.9/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch
new file mode 100644
index 00000000000..3eb38d8a9e5
--- /dev/null
+++ b/queue-4.9/clk-sunxi-a31-fix-wrong-ahb-gate-number.patch
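Review bot: The new guard `if (level & ASSOC_ARRAY_KEY_CHUNK_MASK) {` in lib/assoc_array.c has no comment, and its reason is not obvious from the code alone. A short why-comment would keep it from being simplified away later, e.g. `/* a shift of 0 would make blank all ones and wipe the whole last word */`. `blank` is now assigned only inside the branch; no later read of it is visible in the hunk, but the enclosing function continues past it, so that deserves a quick check.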
@@ -0,0 +1,39 @@
+From 1aa3a45fb67535aea063369616ac229c3871752f Mon Sep 17 00:00:00 2001
+From: Andre Przywara
+Date: Wed, 23 Jan 2019 00:59:11 +0000
+Subject: clk: sunxi: A31: Fix wrong AHB gate number
+
+[ Upstream commit ee0b27a3a4da0b0ed2318aa092f8856896e9450b ]
+
+According to the manual the gate clock for MMC3 is at bit 11, and NAND1
+is controlled by bit 12.
+
+Fix the gate bit definitions in the clock driver.
+
+Fixes: c6e6c96d8fa6 ("clk: sunxi-ng: Add A31/A31s clocks")
+Signed-off-by: Andre Przywara
+Signed-off-by: Maxime Ripard
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/sunxi-ng/ccu-sun6i-a31.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+index 6ea5401e6881..7f1281298651 100644
+--- a/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
++++ b/drivers/clk/sunxi-ng/ccu-sun6i-a31.c
+@@ -252,9 +252,9 @@ static SUNXI_CCU_GATE(ahb1_mmc1_clk, "ahb1-mmc1", "ahb1",
+ static SUNXI_CCU_GATE(ahb1_mmc2_clk, "ahb1-mmc2", "ahb1",
+ 0x060, BIT(10), 0);
+ static SUNXI_CCU_GATE(ahb1_mmc3_clk, "ahb1-mmc3", "ahb1",
+- 0x060, BIT(12), 0);
++ 0x060, BIT(11), 0);
+ static SUNXI_CCU_GATE(ahb1_nand1_clk, "ahb1-nand1", "ahb1",
+- 0x060, BIT(13), 0);
++ 0x060, BIT(12), 0);
+ static SUNXI_CCU_GATE(ahb1_nand0_clk, "ahb1-nand0", "ahb1",
+ 0x060, BIT(13), 0);
+ static SUNXI_CCU_GATE(ahb1_sdram_clk, "ahb1-sdram", "ahb1",
+--
+2.19.1
+
diff --git a/queue-4.9/floppy-check_events-callback-should-not-return-a-neg.patch b/queue-4.9/floppy-check_events-callback-should-not-return-a-neg.patch
new file mode 100644
index 00000000000..80d47a218c3
--- /dev/null
+++ b/queue-4.9/floppy-check_events-callback-should-not-return-a-neg.patch
@@ -0,0 +1,41 @@
+From 6eb6bb99b40ed9ae0705e902096763fbd442c439 Mon Sep 17 00:00:00 2001
+From: Yufen Yu
+Date: Tue, 29 Jan 2019 16:34:04 +0800
+Subject: floppy: check_events callback should not return a negative number
+
+[ Upstream commit 96d7cb932e826219ec41ac02e5af037ffae6098c ]
+
+floppy_check_events() is supposed to return bit flags to say which
+events occured. We should return zero to say that no event flags are
+set. Only BIT(0) and BIT(1) are used in the caller. And .check_events
+interface also expect to return an unsigned int value.
+
+However, after commit a0c80efe5956, it may return -EINTR (-4u).
+Here, both BIT(0) and BIT(1) are cleared. So this patch shouldn't
+affect runtime, but it obviously is still worth fixing.
+
+Reviewed-by: Dan Carpenter
+Fixes: a0c80efe5956 ("floppy: fix lock_fdc() signal handling")
+Signed-off-by: Yufen Yu
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/floppy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 326b9ba4518e..6914c6e1e1a8 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3752,7 +3752,7 @@ static unsigned int floppy_check_events(struct gendisk *disk,
+
+ if (time_after(jiffies, UDRS->last_checked + UDP->checkfreq)) {
+ if (lock_fdc(drive))
+- return -EINTR;
++ return 0;
+ poll_drive(false, 0);
+ process_fd_request();
+ }
+--
+2.19.1
+
diff --git a/queue-4.9/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch b/queue-4.9/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
new file mode 100644
index 00000000000..788fdfaf5ca
--- /dev/null
+++ b/queue-4.9/gpu-ipu-v3-fix-csi-offsets-for-imx53.patch
@@ -0,0 +1,37 @@
+From 1f9ca6841f63e1d84dcb58b172ca91b607050b75 Mon Sep 17 00:00:00 2001
+From: Steve Longerbeam
+Date: Tue, 16 Oct 2018 17:31:40 -0700
+Subject: gpu: ipu-v3: Fix CSI offsets for imx53
+
+[ Upstream commit bb867d219fda7fbaabea3314702474c4eac2b91d ]
+
+The CSI offsets are wrong for both CSI0 and CSI1. They are at
+physical address 0x1e030000 and 0x1e038000 respectively.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Steve Longerbeam
+Signed-off-by: Philipp Zabel
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index d41983f3ad3e..57d22bc963b5 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -900,8 +900,8 @@ static struct ipu_devtype ipu_type_imx53 = {
+ .cpmem_ofs = 0x07000000,
+ .srm_ofs = 0x07040000,
+ .tpm_ofs = 0x07060000,
+- .csi0_ofs = 0x07030000,
+- .csi1_ofs = 0x07038000,
++ .csi0_ofs = 0x06030000,
++ .csi1_ofs = 0x06038000,
+ .ic_ofs = 0x06020000,
+ .disp0_ofs = 0x06040000,
+ .disp1_ofs = 0x06048000,
+--
+2.19.1
+
diff --git a/queue-4.9/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch b/queue-4.9/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
new file mode 100644
index 00000000000..9372792d2d3
--- /dev/null
+++ b/queue-4.9/gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch
@@ -0,0 +1,38 @@
+From 6556a88e3a1ddb47e9f3838cf7894fbecd394a6a Mon Sep 17 00:00:00 2001
+From: Alexander Shiyan
+Date: Thu, 20 Dec 2018 11:06:38 +0300
+Subject: gpu: ipu-v3: Fix i.MX51 CSI control registers offset
+
+[ Upstream commit 2c0408dd0d8906b26fe8023889af7adf5e68b2c2 ]
+
+The CSI0/CSI1 registers offset is at +0xe030000/+0xe038000 relative
+to the control module registers on IPUv3EX.
+This patch fixes wrong values for i.MX51 CSI0/CSI1.
+
+Fixes: 2ffd48f2e7 ("gpu: ipu-v3: Add Camera Sensor Interface unit")
+
+Signed-off-by: Alexander Shiyan
+Signed-off-by: Philipp Zabel
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/ipu-v3/ipu-common.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c
+index 99c813a4ec1f..d41983f3ad3e 100644
+--- a/drivers/gpu/ipu-v3/ipu-common.c
++++ b/drivers/gpu/ipu-v3/ipu-common.c
+@@ -884,8 +884,8 @@ static struct ipu_devtype ipu_type_imx51 = {
+ .cpmem_ofs = 0x1f000000,
+ .srm_ofs = 0x1f040000,
+ .tpm_ofs = 0x1f060000,
+- .csi0_ofs = 0x1f030000,
+- .csi1_ofs = 0x1f038000,
++ .csi0_ofs = 0x1e030000,
++ .csi1_ofs = 0x1e038000,
+ .ic_ofs = 0x1e020000,
+ .disp0_ofs = 0x1e040000,
+ .disp1_ofs = 0x1e048000,
+--
+2.19.1
+
diff --git a/queue-4.9/i2c-cadence-fix-the-hold-bit-setting.patch b/queue-4.9/i2c-cadence-fix-the-hold-bit-setting.patch
new file mode 100644
index 00000000000..a6481ff7590
--- /dev/null
+++ b/queue-4.9/i2c-cadence-fix-the-hold-bit-setting.patch
@@ -0,0 +1,56 @@
+From 384cbc9728dd4f6325269ba4b2fb1d6e5f536081 Mon Sep 17 00:00:00 2001
+From: Shubhrajyoti Datta
+Date: Tue, 5 Feb 2019 16:42:53 +0530
+Subject: i2c: cadence: Fix the hold bit setting
+
+[ Upstream commit d358def706880defa4c9e87381c5bf086a97d5f9 ]
+
+In case the hold bit is not needed we are carrying the old values.
+Fix the same by resetting the bit when not needed.
+
+Fixes the sporadic i2c bus lockups on National Instruments
+Zynq-based devices.
+
+Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller")
+Reported-by: Kyle Roeschley
+Acked-by: Michal Simek
+Signed-off-by: Shubhrajyoti Datta
+Tested-by: Kyle Roeschley
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-cadence.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
+index 45d6771fac8c..59c08d5b75d6 100644
+--- a/drivers/i2c/busses/i2c-cadence.c
++++ b/drivers/i2c/busses/i2c-cadence.c
+@@ -382,8 +382,10 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if (id->recv_count > CDNS_I2C_FIFO_DEPTH)
++ if ((id->recv_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
++ else
++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
+
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+@@ -440,8 +442,11 @@ static void cdns_i2c_msend(struct cdns_i2c *id)
+ * Check for the message size against FIFO depth and set the
+ * 'hold bus' bit if it is greater than FIFO depth.
+ */
+- if (id->send_count > CDNS_I2C_FIFO_DEPTH)
++ if ((id->send_count > CDNS_I2C_FIFO_DEPTH) || id->bus_hold_flag)
+ ctrl_reg |= CDNS_I2C_CR_HOLD;
++ else
++ ctrl_reg = ctrl_reg & ~CDNS_I2C_CR_HOLD;
++
+ cdns_i2c_writereg(ctrl_reg, CDNS_I2C_CR_OFFSET);
+
+ /* Clear the interrupts in interrupt status register. */
+--
+2.19.1
+
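Review bot: The comment kept above both changed conditions, in `cdns_i2c_mrecv()` and `cdns_i2c_msend()`, still says the hold bit is set only when the message exceeds the FIFO depth, but the new code also sets it for `id->bus_hold_flag` and now clears it otherwise. I would update both comments to say so, and write the clear as `ctrl_reg &= ~CDNS_I2C_CR_HOLD;` to match the `ctrl_reg |= CDNS_I2C_CR_HOLD;` line above it. The same branch is duplicated in the two functions; a small static helper would keep the receive and send paths from drifting apart.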
diff --git a/queue-4.9/input-cap11xx-switch-to-using-set_brightness_blockin.patch b/queue-4.9/input-cap11xx-switch-to-using-set_brightness_blockin.patch
new file mode 100644
index 00000000000..dbebe7b0bf1
--- /dev/null
+++ b/queue-4.9/input-cap11xx-switch-to-using-set_brightness_blockin.patch
@@ -0,0 +1,101 @@
+From 1a4b9f2d108b34b09dc046f73ac45b6038887b03 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Tue, 5 Feb 2019 13:52:26 -0800
+Subject: Input: cap11xx - switch to using set_brightness_blocking()
+
+[ Upstream commit 628442880af8c201d307a45f3862a7a17df8a189 ]
+
+Updating LED state requires access to regmap and therefore we may sleep,
+so we could not do that directly form set_brightness() method.
+Historically we used private work to adjust the brightness, but with the
+introduction of set_brightness_blocking() we no longer need it.
+
+As a bonus, not having our own work item means we do not have
+use-after-free issue as we neglected to cancel outstanding work on
+driver unbind.
+
+Reported-by: Sven Van Asbroeck
+Reviewed-by: Sven Van Asbroeck
+Acked-by: Jacek Anaszewski
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/keyboard/cap11xx.c | 35 ++++++++++----------------------
+ 1 file changed, 11 insertions(+), 24 deletions(-)
+
+diff --git a/drivers/input/keyboard/cap11xx.c b/drivers/input/keyboard/cap11xx.c
+index 4401be225d64..3c53aa5d5c0c 100644
+--- a/drivers/input/keyboard/cap11xx.c
++++ b/drivers/input/keyboard/cap11xx.c
+@@ -75,9 +75,7 @@
+ struct cap11xx_led {
+ struct cap11xx_priv *priv;
+ struct led_classdev cdev;
+- struct work_struct work;
+ u32 reg;
+- enum led_brightness new_brightness;
+ };
+ #endif
+
+@@ -233,30 +231,21 @@ static void cap11xx_input_close(struct input_dev *idev)
+ }
+
+ #ifdef CONFIG_LEDS_CLASS
+-static void cap11xx_led_work(struct work_struct *work)
++static int cap11xx_led_set(struct led_classdev *cdev,
++ enum led_brightness value)
+ {
+- struct cap11xx_led *led = container_of(work, struct cap11xx_led, work);
++ struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev);
+ struct cap11xx_priv *priv = led->priv;
+- int value = led->new_brightness;
+
+ /*
+- * All LEDs share the same duty cycle as this is a HW limitation.
+- * Brightness levels per LED are either 0 (OFF) and 1 (ON).
++ * All LEDs share the same duty cycle as this is a HW
++ * limitation. Brightness levels per LED are either
++ * 0 (OFF) and 1 (ON).
+ */
+- regmap_update_bits(priv->regmap, CAP11XX_REG_LED_OUTPUT_CONTROL,
+- BIT(led->reg), value ? BIT(led->reg) : 0);
+-}
+-
+-static void cap11xx_led_set(struct led_classdev *cdev,
+- enum led_brightness value)
+-{
+- struct cap11xx_led *led = container_of(cdev, struct cap11xx_led, cdev);
+-
+- if (led->new_brightness == value)
+- return;
+-
+- led->new_brightness = value;
+- schedule_work(&led->work);
++ return regmap_update_bits(priv->regmap,
++ CAP11XX_REG_LED_OUTPUT_CONTROL,
++ BIT(led->reg),
++ value ? BIT(led->reg) : 0);
+ }
+
+ static int cap11xx_init_leds(struct device *dev,
+@@ -299,7 +288,7 @@ static int cap11xx_init_leds(struct device *dev,
+ led->cdev.default_trigger =
+ of_get_property(child, "linux,default-trigger", NULL);
+ led->cdev.flags = 0;
+- led->cdev.brightness_set = cap11xx_led_set;
++ led->cdev.brightness_set_blocking = cap11xx_led_set;
+ led->cdev.max_brightness = 1;
+ led->cdev.brightness = LED_OFF;
+
+@@ -312,8 +301,6 @@ static int cap11xx_init_leds(struct device *dev,
+ led->reg = reg;
+ led->priv = priv;
+
+- INIT_WORK(&led->work, cap11xx_led_work);
+-
+ error = devm_led_classdev_register(dev, &led->cdev);
+ if (error) {
+ of_node_put(child);
+--
+2.19.1
+
diff --git a/queue-4.9/input-matrix_keypad-use-flush_delayed_work.patch b/queue-4.9/input-matrix_keypad-use-flush_delayed_work.patch
new file mode 100644
index 00000000000..2e035764ffe
--- /dev/null
+++ b/queue-4.9/input-matrix_keypad-use-flush_delayed_work.patch
@@ -0,0 +1,34 @@
+From 6ff92f28d5ff06e2591c69acf7abab7292039c22 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Thu, 7 Feb 2019 14:39:40 -0800
+Subject: Input: matrix_keypad - use flush_delayed_work()
+
+[ Upstream commit a342083abe576db43594a32d458a61fa81f7cb32 ]
+
+We should be using flush_delayed_work() instead of flush_work() in
+matrix_keypad_stop() to ensure that we are not missing work that is
+scheduled but not yet put in the workqueue (i.e. its delay timer has not
+expired yet).
+
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/keyboard/matrix_keypad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/input/keyboard/matrix_keypad.c b/drivers/input/keyboard/matrix_keypad.c
+index c64d87442a62..2e12e31f45c5 100644
+--- a/drivers/input/keyboard/matrix_keypad.c
++++ b/drivers/input/keyboard/matrix_keypad.c
+@@ -220,7 +220,7 @@ static void matrix_keypad_stop(struct input_dev *dev)
+ keypad->stopped = true;
+ spin_unlock_irq(&keypad->lock);
+
+- flush_work(&keypad->work.work);
++ flush_delayed_work(&keypad->work);
+ /*
+ * matrix_keypad_scan() will leave IRQs enabled;
+ * we should disable them now.
+--
+2.19.1
+
diff --git a/queue-4.9/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch b/queue-4.9/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
new file mode 100644
index 00000000000..1314f88a4e0
--- /dev/null
+++ b/queue-4.9/input-st-keyscan-fix-potential-zalloc-null-dereferen.patch
@@ -0,0 +1,45 @@
+From 7ce1b58203d158d19fd9d3c3d892f79ec63988c2 Mon Sep 17 00:00:00 2001
+From: Gabriel Fernandez
+Date: Sat, 16 Feb 2019 21:10:16 -0800
+Subject: Input: st-keyscan - fix potential zalloc NULL dereference
+
+[ Upstream commit 2439d37e1bf8a34d437573c086572abe0f3f1b15 ]
+
+This patch fixes the following static checker warning:
+
+drivers/input/keyboard/st-keyscan.c:156 keyscan_probe()
+error: potential zalloc NULL dereference: 'keypad_data->input_dev'
+
+Reported-by: Dan Carpenter
+Signed-off-by: Gabriel Fernandez
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+---
+ drivers/input/keyboard/st-keyscan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/input/keyboard/st-keyscan.c b/drivers/input/keyboard/st-keyscan.c
+index de7be4f03d91..ebf9f643d910 100644
+--- a/drivers/input/keyboard/st-keyscan.c
++++ b/drivers/input/keyboard/st-keyscan.c
+@@ -153,6 +153,8 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_dev->id.bustype = BUS_HOST;
+
++ keypad_data->input_dev = input_dev;
++
+ error = keypad_matrix_key_parse_dt(keypad_data);
+ if (error)
+ return error;
+@@ -168,8 +170,6 @@ static int keyscan_probe(struct platform_device *pdev)
+
+ input_set_drvdata(input_dev, keypad_data);
+
+- keypad_data->input_dev = input_dev;
+-
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ keypad_data->base = devm_ioremap_resource(&pdev->dev, res);
+ if (IS_ERR(keypad_data->base))
+--
+2.19.1
+
diff --git a/queue-4.9/kasan-slab-fix-conflicts-with-config_hardened_userco.patch b/queue-4.9/kasan-slab-fix-conflicts-with-config_hardened_userco.patch
new file mode 100644
index 00000000000..63971881c7a
--- /dev/null
+++ b/queue-4.9/kasan-slab-fix-conflicts-with-config_hardened_userco.patch
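Review bot: The moved `keypad_data->input_dev = input_dev;` now has to stay above the call to keypad_matrix_key_parse_dt(), but nothing at its new location says so. Going by the static checker warning quoted in the message, that call path dereferences keypad_data->input_dev, so a later reshuffle of the probe steps would bring the NULL dereference back. A one-line comment above the assignment, such as `/* must be set before keypad_matrix_key_parse_dt(), which uses it */`, would pin the ordering. keyscan_probe() starts and ends outside both hunks.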
@@ -0,0 +1,44 @@
+From 6d7a655f67ed6a63372e82e343c84daff705542b Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 20 Feb 2019 22:20:25 -0800
+Subject: kasan, slab: fix conflicts with CONFIG_HARDENED_USERCOPY
+
+[ Upstream commit 219667c23c68eb3dbc0d5662b9246f28477fe529 ]
+
+Similarly to commit 96fedce27e13 ("kasan: make tag based mode work with
+CONFIG_HARDENED_USERCOPY"), we need to reset pointer tags in
+__check_heap_object() in mm/slab.c before doing any pointer math.
+
+Link: http://lkml.kernel.org/r/9a5c0f958db10e69df5ff9f2b997866b56b7effc.1550602886.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov
+Tested-by: Qian Cai
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Catalin Marinas
+Cc: Dmitry Vyukov
+Cc: Evgeniy Stepanov
+Cc: Kostya Serebryany
+Cc: Vincenzo Frascino
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/slab.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/mm/slab.c b/mm/slab.c
+index 354a09deecff..b30b58de793b 100644
+--- a/mm/slab.c
++++ b/mm/slab.c
+@@ -4461,6 +4461,8 @@ const char *__check_heap_object(const void *ptr, unsigned long n,
+ unsigned int objnr;
+ unsigned long offset;
+
++ ptr = kasan_reset_tag(ptr);
++
+ /* Find and validate object. */
+ cachep = page->slab_cache;
+ objnr = obj_to_index(cachep, page, (void *)ptr);
+--
+2.19.1
+
diff --git a/queue-4.9/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch b/queue-4.9/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
new file mode 100644
index 00000000000..0d459c13044
--- /dev/null
+++ b/queue-4.9/kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch
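Review bot: The added `ptr = kasan_reset_tag(ptr);` calls a helper that, as far as I know, only arrived with tag-based KASAN, which is considerably newer than the 4.9 tree this queue targets; if 4.9 has no definition of it, mm/slab.c will not build with this patch applied. The commit message itself ties the change to the tag-based mode, so without that mode the hardened-usercopy bounds check in __check_heap_object() gains nothing from it. Confirm the helper exists in 4.9 or drop the patch from this queue. The function body starts and ends outside the hunk.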
@@ -0,0 +1,86 @@
+From fc44c0fdcc0d414fadd94ea09d4cabf0cf8fa507 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov
+Date: Wed, 20 Feb 2019 22:19:23 -0800
+Subject: kasan, slub: move kasan_poison_slab hook before page_address
+
+[ Upstream commit a71012242837fe5e67d8c999cfc357174ed5dba0 ]
+
+With tag based KASAN page_address() looks at the page flags to see whether
+the resulting pointer needs to have a tag set. Since we don't want to set
+a tag when page_address() is called on SLAB pages, we call
+page_kasan_tag_reset() in kasan_poison_slab(). However in allocate_slab()
+page_address() is called before kasan_poison_slab(). Fix it by changing
+the order.
+
+[andreyknvl@google.com: fix compilation error when CONFIG_SLUB_DEBUG=n]
+ Link: http://lkml.kernel.org/r/ac27cc0bbaeb414ed77bcd6671a877cf3546d56e.1550066133.git.andreyknvl@google.com
+Link: http://lkml.kernel.org/r/cd895d627465a3f1c712647072d17f10883be2a1.1549921721.git.andreyknvl@google.com
+Signed-off-by: Andrey Konovalov
+Cc: Alexander Potapenko
+Cc: Andrey Ryabinin
+Cc: Catalin Marinas
+Cc: Christoph Lameter
+Cc: David Rientjes
+Cc: Dmitry Vyukov
+Cc: Evgeniy Stepanov
+Cc: Joonsoo Kim
+Cc: Kostya Serebryany
+Cc: Pekka Enberg
+Cc: Qian Cai
+Cc: Vincenzo Frascino
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/slub.c | 19 +++++++++++++++----
+ 1 file changed, 15 insertions(+), 4 deletions(-)
+
+diff --git a/mm/slub.c b/mm/slub.c
+index 131dee87a67c..979400b1a781 100644
+--- a/mm/slub.c
++++ b/mm/slub.c
+@@ -1052,6 +1052,16 @@ static void setup_object_debug(struct kmem_cache *s, struct page *page,
+ init_tracking(s, object);
+ }
+
++static void setup_page_debug(struct kmem_cache *s, void *addr, int order)
++{
++ if (!(s->flags & SLAB_POISON))
++ return;
++
++ metadata_access_enable();
++ memset(addr, POISON_INUSE, PAGE_SIZE << order);
++ metadata_access_disable();
++}
++
+ static inline int alloc_consistency_checks(struct kmem_cache *s,
+ struct page *page,
+ void
*object, unsigned long addr)
+@@ -1269,6 +1279,8 @@ unsigned long kmem_cache_flags(unsigned long object_size,
+ #else /* !CONFIG_SLUB_DEBUG */
+ static inline void setup_object_debug(struct kmem_cache *s,
+ struct page *page, void *object) {}
++static inline void setup_page_debug(struct kmem_cache *s,
++ void *addr, int order) {}
+
+ static inline int alloc_debug_processing(struct kmem_cache *s,
+ struct page *page, void *object, unsigned long addr) { return 0; }
+@@ -1584,12 +1596,11 @@ static struct page *allocate_slab(struct kmem_cache *s, gfp_t flags, int node)
+ if (page_is_pfmemalloc(page))
+ SetPageSlabPfmemalloc(page);
+
+- start = page_address(page);
++ kasan_poison_slab(page);
+
+- if (unlikely(s->flags & SLAB_POISON))
+- memset(start, POISON_INUSE, PAGE_SIZE << order);
++ start = page_address(page);
+
+- kasan_poison_slab(page);
++ setup_page_debug(s, start, order);
+
+ shuffle = shuffle_freelist(s, page);
+
+--
+2.19.1
+
diff --git a/queue-4.9/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch b/queue-4.9/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
new file mode 100644
index 00000000000..cb61905e911
--- /dev/null
+++ b/queue-4.9/mac80211_hwsim-propagate-genlmsg_reply-return-code.patch
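Review bot: The new setup_page_debug() does not say why its memset is bracketed by metadata_access_enable()/metadata_access_disable(), which the old inline memset in allocate_slab() did not need. With kasan_poison_slab() now called first, the memset writes to memory KASAN presumably already treats as poisoned, and the bracket is what keeps that write from being reported. A comment above the helper such as `/* slab is already KASAN-poisoned by the caller; suppress reports while filling POISON_INUSE */` would stop someone from simplifying it away. allocate_slab() itself starts and ends outside the hunk.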
@@ -0,0 +1,32 @@
+From bb711794ba06346591c10b87ad348614ab0498cf Mon Sep 17 00:00:00 2001
+From: Li RongQing
+Date: Tue, 19 Feb 2019 13:12:40 +0800
+Subject: mac80211_hwsim: propagate genlmsg_reply return code
+
+[ Upstream commit 17407715240456448e4989bee46ffc93991add83 ]
+
+genlmsg_reply can fail, so propagate its return code
+
+Signed-off-by: Li RongQing
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 780acf23fd19..e9ec1da9935d 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3167,7 +3167,7 @@ static int hwsim_get_radio_nl(struct sk_buff *msg, struct genl_info *info)
+ goto out_err;
+ }
+
+- genlmsg_reply(skb, info);
++ res = genlmsg_reply(skb, info);
+ break;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.9/mm-gup-fix-gup_pmd_range-for-dax.patch b/queue-4.9/mm-gup-fix-gup_pmd_range-for-dax.patch
new file mode 100644
index 00000000000..1a30b048603
--- /dev/null
+++ b/queue-4.9/mm-gup-fix-gup_pmd_range-for-dax.patch
@@ -0,0 +1,48 @@
+From 3ca08c3ab53f6ba880f172828f5659cdbf891fcc Mon Sep 17 00:00:00 2001
+From: Yu Zhao
+Date: Tue, 12 Feb 2019 15:35:58 -0800
+Subject: mm/gup: fix gup_pmd_range() for dax
+
+[ Upstream commit 414fd080d125408cb15d04ff4907e1dd8145c8c7 ]
+
+For dax pmd, pmd_trans_huge() returns false but pmd_huge() returns true
+on x86. So the function works as long as hugetlb is configured.
+However, dax doesn't depend on hugetlb.
+
+Link: http://lkml.kernel.org/r/20190111034033.601-1-yuzhao@google.com
+Signed-off-by: Yu Zhao
+Reviewed-by: Jan Kara
+Cc: Dan Williams
+Cc: Huang Ying
+Cc: Matthew Wilcox
+Cc: Keith Busch
+Cc: "Michael S . Tsirkin"
+Cc: John Hubbard
+Cc: Wei Yang
+Cc: Mike Rapoport
+Cc: Andrea Arcangeli
+Cc: "Kirill A . Shutemov"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/gup.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mm/gup.c b/mm/gup.c
+index d71da7216c6e..99c2f10188c0 100644
+--- a/mm/gup.c
++++ b/mm/gup.c
+@@ -1423,7 +1423,8 @@ static int gup_pmd_range(pud_t pud, unsigned long addr, unsigned long end,
+ if (pmd_none(pmd))
+ return 0;
+
+- if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd))) {
++ if (unlikely(pmd_trans_huge(pmd) || pmd_huge(pmd) ||
++ pmd_devmap(pmd))) {
+ /*
+ * NUMA hinting faults need to be handled in the GUP
+ * slowpath for accounting purposes and so that they
+--
+2.19.1
+
diff --git a/queue-4.9/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch b/queue-4.9/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
new file mode 100644
index 00000000000..f195d4b9ce4
--- /dev/null
+++ b/queue-4.9/mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch
@@ -0,0 +1,72 @@
+From 0ec857113bf9235803665433c71203436c72b565 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 13 Feb 2019 22:45:59 +0100
+Subject: mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
+
+[ Upstream commit 2c2ade81741c66082f8211f0b96cf509cc4c0218 ]
+
+The basic idea behind ->pagecnt_bias is: If we pre-allocate the maximum
+number of references that we might need to create in the fastpath later,
+the bump-allocation fastpath only has to modify the non-atomic bias value
+that tracks the number of extra references we hold instead of the atomic
+refcount. The maximum number of allocations we can serve (under the
+assumption that no allocation is made with size 0) is nc->size, so that's
+the bias used.
+
+However, even when all memory in the allocation has been given away, a
+reference to the page is still held; and in the `offset < 0` slowpath, the
+page may be reused if everyone else has dropped their references.
+This means that the necessary number of references is actually
+`nc->size+1`.
+
+Luckily, from a quick grep, it looks like the only path that can call
+page_frag_alloc(fragsz=1) is TAP with the IFF_NAPI_FRAGS flag, which
+requires CAP_NET_ADMIN in the init namespace and is only intended to be
+used for kernel testing and fuzzing.
+
+To test for this issue, put a `WARN_ON(page_ref_count(page) == 0)` in the
+`offset < 0` path, below the virt_to_page() call, and then repeatedly call
+writev() on a TAP device with IFF_TAP|IFF_NO_PI|IFF_NAPI_FRAGS|IFF_NAPI,
+with a vector consisting of 15 elements containing 1 byte each.
+
+Signed-off-by: Jann Horn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ mm/page_alloc.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mm/page_alloc.c b/mm/page_alloc.c
+index 3af727d95c17..05f141e39ac1 100644
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3955,11 +3955,11 @@ refill:
+ /* Even if we own the page, we do not use atomic_set().
+ * This would break get_page_unless_zero() users.
+ */
+- page_ref_add(page, size - 1);
++ page_ref_add(page, size);
+
+ /* reset page count bias and offset to start of new frag */
+ nc->pfmemalloc = page_is_pfmemalloc(page);
+- nc->pagecnt_bias = size;
++ nc->pagecnt_bias = size + 1;
+ nc->offset = size;
+ }
+
+@@ -3975,10 +3975,10 @@ refill:
+ size = nc->size;
+ #endif
+ /* OK, page count is 0, we can safely set it */
+- set_page_count(page, size);
++ set_page_count(page, size + 1);
+
+ /* reset page count bias and offset to start of new frag */
+- nc->pagecnt_bias = size;
++ nc->pagecnt_bias = size + 1;
+ offset = size - fragsz;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.9/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch b/queue-4.9/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
new file mode 100644
index 00000000000..4ef356b2244
--- /dev/null
+++ b/queue-4.9/net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch
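Review bot: Neither `nc->pagecnt_bias = size + 1;` site says why the bias is one more than the number of bytes in the fragment, so the reasoning that prevents a page refcount from reaching zero while the cache still holds the page lives only in the commit message. Add a comment at both assignments, for example `/* +1: the cache keeps one reference after the last byte is handed out */`, so a later cleanup does not "correct" it back to `size`. The accounting also still relies on fragsz never being 0, which the message states as an assumption and nothing in these hunks checks. Both hunks sit inside a function whose start and end are outside the view.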
@@ -0,0 +1,40 @@
+From 0c3bf87b00b6c9e88aa255833e2de8a0d262b67e Mon Sep 17 00:00:00 2001
+From: Huang Zijiang
+Date: Thu, 14 Feb 2019 14:41:45 +0800
+Subject: net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
+
+[ Upstream commit c969c6e7ab8cb42b5c787c567615474fdbad9d6a ]
+
+The of_find_device_by_node() takes a reference to the underlying device
+structure, we should release that reference.
+
+Signed-off-by: Huang Zijiang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+index 5bb019d49409..551b2a9ebf0f 100644
+--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
++++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_main.c
+@@ -2820,6 +2820,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+ dsaf_dev = dev_get_drvdata(&pdev->dev);
+ if (!dsaf_dev) {
+ dev_err(&pdev->dev, "dsaf_dev is NULL\n");
++ put_device(&pdev->dev);
+ return -ENODEV;
+ }
+
+@@ -2827,6 +2828,7 @@ int hns_dsaf_roce_reset(struct fwnode_handle *dsaf_fwnode, bool dereset)
+ if (AE_IS_VER1(dsaf_dev->dsaf_ver)) {
+ dev_err(dsaf_dev->dev, "%s v1 chip doesn't support RoCE!\n",
+ dsaf_dev->ae_dev.name);
++ put_device(&pdev->dev);
+ return -ENODEV;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.9/net-marvell-mvneta-fix-dma-debug-warning.patch b/queue-4.9/net-marvell-mvneta-fix-dma-debug-warning.patch
new file mode 100644
index 00000000000..b34873495de
--- /dev/null
+++ b/queue-4.9/net-marvell-mvneta-fix-dma-debug-warning.patch
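Review bot: The two added `put_device(&pdev->dev);` calls release the reference only on the error returns shown; the path that goes on to perform the reset and return success lies outside both hunks, so confirm it drops the reference as well, otherwise every successful call still pins the platform device. A single exit label would make the pairing hard to miss, e.g. `goto out_put;` at both error sites and `out_put: put_device(&pdev->dev); return ret;` at the end. Whether hns_dsaf_roce_reset() already has a suitable `ret` local is not visible here.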
@@ -0,0 +1,58 @@
+From e3cc3e3531e28431996f2d3fc66f3758cbbf2595 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 15 Feb 2019 13:55:47 +0000
+Subject: net: marvell: mvneta: fix DMA debug warning
+
+[ Upstream commit a8fef9ba58c9966ddb1fec916d8d8137c9d8bc89 ]
+
+Booting 4.20 on SolidRun Clearfog issues this warning with DMA API
+debug enabled:
+
+WARNING: CPU: 0 PID: 555 at kernel/dma/debug.c:1230 check_sync+0x514/0x5bc
+mvneta f1070000.ethernet: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x000000002dd7dc00] [size=240 bytes]
+Modules linked in: ahci mv88e6xxx dsa_core xhci_plat_hcd xhci_hcd devlink armada_thermal marvell_cesa des_generic ehci_orion phy_armada38x_comphy mcp3021 spi_orion evbug sfp mdio_i2c ip_tables x_tables
+CPU: 0 PID: 555 Comm: bridge-network- Not tainted 4.20.0+ #291
+Hardware name: Marvell Armada 380/385 (Device Tree)
+[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
+[] (show_stack) from [] (dump_stack+0x9c/0xd4)
+[] (dump_stack) from [] (__warn+0xf8/0x124)
+[] (__warn) from [] (warn_slowpath_fmt+0x38/0x48)
+[] (warn_slowpath_fmt) from [] (check_sync+0x514/0x5bc)
+[] (check_sync) from [] (debug_dma_sync_single_range_for_cpu+0x6c/0x74)
+[] (debug_dma_sync_single_range_for_cpu) from [] (mvneta_poll+0x298/0xf58)
+[] (mvneta_poll) from [] (net_rx_action+0x128/0x424)
+[] (net_rx_action) from [] (__do_softirq+0xf0/0x540)
+[] (__do_softirq) from [] (irq_exit+0x124/0x144)
+[] (irq_exit) from [] (__handle_domain_irq+0x58/0xb0)
+[] (__handle_domain_irq) from [] (gic_handle_irq+0x48/0x98)
+[] (gic_handle_irq) from [] (__irq_svc+0x70/0x98)
+...
+
+This appears to be caused by mvneta_rx_hwbm() calling
+dma_sync_single_range_for_cpu() with the wrong struct device pointer,
+as the buffer manager device pointer is used to map and unmap the
+buffer. Fix this.
+
+Signed-off-by: Russell King
+Signed-off-by: David S.
Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mvneta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mvneta.c b/drivers/net/ethernet/marvell/mvneta.c
+index c92ffdf91065..d98b874a7238 100644
+--- a/drivers/net/ethernet/marvell/mvneta.c
++++ b/drivers/net/ethernet/marvell/mvneta.c
+@@ -2050,7 +2050,7 @@ err_drop_frame:
+ if (unlikely(!skb))
+ goto err_drop_frame_ret_pool;
+
+- dma_sync_single_range_for_cpu(dev->dev.parent,
++ dma_sync_single_range_for_cpu(&pp->bm_priv->pdev->dev,
+ rx_desc->buf_phys_addr,
+ MVNETA_MH_SIZE + NET_SKB_PAD,
+ rx_bytes,
+--
+2.19.1
+
diff --git a/queue-4.9/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch b/queue-4.9/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
new file mode 100644
index 00000000000..eababe49323
--- /dev/null
+++ b/queue-4.9/net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch
@@ -0,0 +1,48 @@
+From 41fc6fe45da9eebb71ca130b13ce024899519ef2 Mon Sep 17 00:00:00 2001
+From: Alexey Khoroshilov
+Date: Sat, 16 Feb 2019 00:20:54 +0300
+Subject: net: mv643xx_eth: disable clk on error path in
+ mv643xx_eth_shared_probe()
+
+[ Upstream commit e928b5d6b75e239feb9c6d5488974b6646a0ebc8 ]
+
+If mv643xx_eth_shared_of_probe() fails, mv643xx_eth_shared_probe()
+leaves clk enabled.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Alexey Khoroshilov
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/marvell/mv643xx_eth.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c
+index 5b12022adf1f..526d07e02bbc 100644
+--- a/drivers/net/ethernet/marvell/mv643xx_eth.c
++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c
+@@ -2886,7 +2886,7 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+
+ ret = mv643xx_eth_shared_of_probe(pdev);
+ if (ret)
+- return ret;
++ goto err_put_clk;
+ pd = dev_get_platdata(&pdev->dev);
+
+ msp->tx_csum_limit = (pd != NULL && pd->tx_csum_limit) ?
+@@ -2894,6 +2894,11 @@ static int mv643xx_eth_shared_probe(struct platform_device *pdev)
+ infer_hw_params(msp);
+
+ return 0;
++
++err_put_clk:
++ if (!IS_ERR(msp->clk))
++ clk_disable_unprepare(msp->clk);
++ return ret;
+ }
+
+ static int mv643xx_eth_shared_remove(struct platform_device *pdev)
+--
+2.19.1
+
diff --git a/queue-4.9/net-set-static-variable-an-initial-value-in-atl2_pro.patch b/queue-4.9/net-set-static-variable-an-initial-value-in-atl2_pro.patch
new file mode 100644
index 00000000000..08b59661edd
--- /dev/null
+++ b/queue-4.9/net-set-static-variable-an-initial-value-in-atl2_pro.patch
@@ -0,0 +1,40 @@
+From 71d842ce40fd15d6bd42c04d77c7fef3d57a1ef1 Mon Sep 17 00:00:00 2001
+From: Mao Wenan
+Date: Fri, 22 Feb 2019 14:57:23 +0800
+Subject: net: set static variable an initial value in atl2_probe()
+
+[ Upstream commit 4593403fa516a5a4cffe6883c5062d60932cbfbe ]
+
+cards_found is a static variable, but when it enters atl2_probe(),
+cards_found is set to zero, the value is not consistent with last probe,
+so next behavior is not our expect.
+
+Signed-off-by: Mao Wenan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/atheros/atlx/atl2.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/atheros/atlx/atl2.c b/drivers/net/ethernet/atheros/atlx/atl2.c
+index 2ff465848b65..097a0bf592ab 100644
+--- a/drivers/net/ethernet/atheros/atlx/atl2.c
++++ b/drivers/net/ethernet/atheros/atlx/atl2.c
+@@ -1338,13 +1338,11 @@ static int atl2_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
+ {
+ struct net_device *netdev;
+ struct atl2_adapter *adapter;
+- static int cards_found;
++ static int cards_found = 0;
+ unsigned long mmio_start;
+ int mmio_len;
+ int err;
+
+- cards_found = 0;
+-
+ err = pci_enable_device(pdev);
+ if (err)
+ return err;
+--
+2.19.1
+
diff --git a/queue-4.9/net-systemport-fix-reception-of-bpdus.patch b/queue-4.9/net-systemport-fix-reception-of-bpdus.patch
new file mode 100644
index 00000000000..c87749dd352
--- /dev/null
+++ b/queue-4.9/net-systemport-fix-reception-of-bpdus.patch
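Review bot: The explicit initialiser in `static int cards_found = 0;` is redundant, since a static already starts at zero, and kernel style (checkpatch) asks for statics not to be initialised to 0; the original `static int cards_found;` could have stayed. The behavioural fix in this hunk is only the removal of the `cards_found = 0;` statement that reset the counter on every probe. The rest of atl2_probe() is outside the hunk, so whether the counter is incremented anywhere cannot be checked here.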
@@ -0,0 +1,38 @@
+From ac3e9c8991765e31a2b23c5cc81c2bcca1a4c79a Mon Sep 17 00:00:00 2001
+From: Florian Fainelli
+Date: Fri, 15 Feb 2019 12:16:51 -0800
+Subject: net: systemport: Fix reception of BPDUs
+
+[ Upstream commit a40061ea2e39494104602b3048751341bda374a1 ]
+
+SYSTEMPORT has its RXCHK parser block that attempts to validate the
+packet structures, unfortunately setting the L2 header check bit will
+cause Bridge PDUs (BPDUs) to be incorrectly rejected because they look
+like LLC/SNAP packets with a non-IPv4 or non-IPv6 Ethernet Type.
+
+Fixes: 4e8aedfe78c7 ("net: systemport: Turn on offloads by default")
+Signed-off-by: Florian Fainelli
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bcmsysport.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
+index 53a506b0d790..95874c10c23b 100644
+--- a/drivers/net/ethernet/broadcom/bcmsysport.c
++++ b/drivers/net/ethernet/broadcom/bcmsysport.c
+@@ -104,6 +104,10 @@ static int bcm_sysport_set_rx_csum(struct net_device *dev,
+
+ priv->rx_chk_en = !!(wanted & NETIF_F_RXCSUM);
+ reg = rxchk_readl(priv, RXCHK_CONTROL);
++ /* Clear L2 header checks, which would prevent BPDUs
++ * from being received.
++ */
++ reg &= ~RXCHK_L2_HDR_DIS;
+ if (priv->rx_chk_en)
+ reg |= RXCHK_EN;
+ else
+--
+2.19.1
+
diff --git a/queue-4.9/net-thunderx-make-cfg_done-message-to-run-through-ge.patch b/queue-4.9/net-thunderx-make-cfg_done-message-to-run-through-ge.patch
new file mode 100644
index 00000000000..e14ba123905
--- /dev/null
+++ b/queue-4.9/net-thunderx-make-cfg_done-message-to-run-through-ge.patch
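Review bot: The new comment above `reg &= ~RXCHK_L2_HDR_DIS;` says the line clears "L2 header checks", but a macro ending in `_DIS` is easily read as "disable", in which case clearing it would turn the checks on, the opposite of what the commit message wants. The bit's definition is not visible in this hunk, so the comment should state what the hardware does when the bit is set, along the lines of `/* When set, RXCHK drops frames that fail its L2 header check, which includes BPDUs; keep it cleared */` (wording to be confirmed against the register description). The function continues outside the hunk.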
@@ -0,0 +1,78 @@
+From 2159f48befb4f6e4a4ef7420b1a5afd2b0bc8bad Mon Sep 17 00:00:00 2001
+From: Vadim Lomovtsev
+Date: Wed, 20 Feb 2019 11:02:43 +0000
+Subject: net: thunderx: make CFG_DONE message to run through generic send-ack
+ sequence
+
+[ Upstream commit 0dd563b9a62c4cbabf5d4fd6596440c2491e72b1 ]
+
+At the end of NIC VF initialization VF sends CFG_DONE message to PF without
+using nicvf_msg_send_to_pf routine. This potentially could re-write data in
+mailbox. This commit is to implement common way of sending CFG_DONE message
+by the same way with other configuration messages by using
+nicvf_send_msg_to_pf() routine.
+
+Signed-off-by: Vadim Lomovtsev
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cavium/thunder/nic_main.c | 2 +-
+ drivers/net/ethernet/cavium/thunder/nicvf_main.c | 15 ++++++++++++---
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/ethernet/cavium/thunder/nic_main.c b/drivers/net/ethernet/cavium/thunder/nic_main.c
+index da142f6bd0c3..18ddd243dfa1 100644
+--- a/drivers/net/ethernet/cavium/thunder/nic_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nic_main.c
+@@ -999,7 +999,7 @@ static void nic_handle_mbx_intr(struct nicpf *nic, int vf)
+ case NIC_MBOX_MSG_CFG_DONE:
+ /* Last message of VF config msg sequence */
+ nic_enable_vf(nic, vf, true);
+- goto unlock;
++ break;
+ case NIC_MBOX_MSG_SHUTDOWN:
+ /* First msg in VF teardown sequence */
+ if (vf >= nic->num_vf_en)
+diff --git a/drivers/net/ethernet/cavium/thunder/nicvf_main.c b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+index c75d4ea9342b..71f228cece03 100644
+--- a/drivers/net/ethernet/cavium/thunder/nicvf_main.c
++++ b/drivers/net/ethernet/cavium/thunder/nicvf_main.c
+@@ -162,6 +162,17 @@ static int nicvf_check_pf_ready(struct nicvf *nic)
+ return 1;
+ }
+
++static void nicvf_send_cfg_done(struct nicvf *nic)
++{
++ union nic_mbx mbx = {};
++
++ mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE;
++ if
(nicvf_send_msg_to_pf(nic, &mbx)) {
++ netdev_err(nic->netdev,
++ "PF didn't respond to CFG DONE msg\n");
++ }
++}
++
+ static void nicvf_read_bgx_stats(struct nicvf *nic, struct bgx_stats_msg *bgx)
+ {
+ if (bgx->rx)
+@@ -1178,7 +1189,6 @@ int nicvf_open(struct net_device *netdev)
+ struct nicvf *nic = netdev_priv(netdev);
+ struct queue_set *qs = nic->qs;
+ struct nicvf_cq_poll *cq_poll = NULL;
+- union nic_mbx mbx = {};
+
+ netif_carrier_off(netdev);
+
+@@ -1267,8 +1277,7 @@ int nicvf_open(struct net_device *netdev)
+ nicvf_enable_intr(nic, NICVF_INTR_RBDR, qidx);
+
+ /* Send VF config done msg to PF */
+- mbx.msg.msg = NIC_MBOX_MSG_CFG_DONE;
+- nicvf_write_to_mbx(nic, &mbx);
++ nicvf_send_cfg_done(nic);
+
+ return 0;
+ cleanup:
+--
+2.19.1
+
diff --git a/queue-4.9/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch b/queue-4.9/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
new file mode 100644
index 00000000000..6a8a6e85753
--- /dev/null
+++ b/queue-4.9/nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
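Review bot: nicvf_send_cfg_done() only logs when the PF does not acknowledge CFG_DONE and returns void, so nicvf_open() still reaches `return 0;` and reports the interface as up even though the handshake that the PF-side hunk ties to nic_enable_vf() was never confirmed. Consider having the helper return the result of nicvf_send_msg_to_pf() and unwinding through the existing `cleanup:` label on failure. If continuing is intentional, a comment in the helper saying so would settle the question. nicvf_open() starts and ends outside the hunks shown, so what `cleanup:` undoes is not visible here.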
@@ -0,0 +1,96 @@
+From f7e9a5f8467d8ed675f455284328e4ae79b76704 Mon Sep 17 00:00:00 2001
+From: Jiong Wang
+Date: Fri, 22 Feb 2019 22:36:04 +0000
+Subject: nfp: bpf: fix ALU32 high bits clearance bug
+
+[ Upstream commit f036ebd9bfbe1e91a3d855e85e05fc5ff156b641 ]
+
+NFP BPF JIT compiler is doing a couple of small optimizations when jitting
+ALU imm instructions, some of these optimizations could save code-gen, for
+example:
+
+ A & -1 = A
+ A | 0 = A
+ A ^ 0 = A
+
+However, for ALU32, high 32-bit of the 64-bit register should still be
+cleared according to ISA semantics.
+
+Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator")
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Jiong Wang
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ .../net/ethernet/netronome/nfp/nfp_bpf_jit.c | 17 ++++++-----------
+ 1 file changed, 6 insertions(+), 11 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c b/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
+index 6bfcd6eb74ca..73087770d72f 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
+@@ -756,15 +756,10 @@ wrp_alu64_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta,
+
+ static int
+ wrp_alu32_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta,
+- enum alu_op alu_op, bool skip)
++ enum alu_op alu_op)
+ {
+ const struct bpf_insn *insn = &meta->insn;
+
+- if (skip) {
+- meta->skip = true;
+- return 0;
+- }
+-
+ wrp_alu_imm(nfp_prog, insn->dst_reg * 2, alu_op, insn->imm);
+ wrp_immed(nfp_prog, reg_both(insn->dst_reg * 2 + 1), 0);
+
+@@ -1017,7 +1012,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR);
+ }
+
+ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta
*meta)
+@@ -1027,7 +1022,7 @@ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int and_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND, !~meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_AND);
+ }
+
+ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1037,7 +1032,7 @@ static int or_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int or_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR, !meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_OR);
+ }
+
+ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1047,7 +1042,7 @@ static int add_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int add_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD, !meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_ADD);
+ }
+
+ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+@@ -1057,7 +1052,7 @@ static int sub_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int sub_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB, !meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_SUB);
+ }
+
+ static int shl_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+--
+2.19.1
+
diff --git a/queue-4.9/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch b/queue-4.9/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch
new file mode 100644
index 00000000000..9a07c2af3ba
--- /dev/null
+++ b/queue-4.9/nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch
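Review bot: This patch only applies on top of the XOR fix that is listed after it: the line it removes in xor_imm() is `!meta->insn.imm`, which is what the following patch introduces, and its `index 6bfcd6eb74ca..` pre-image is that patch's post-image. Make sure the queue's series file (not visible here) orders nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch before this one, otherwise the xor_imm() hunk will be rejected. On the code itself, a short comment in wrp_alu32_imm() above the `wrp_immed(..., 0)` line, such as `/* ALU32 must zero the upper 32 bits even for identity immediates */`, would keep the removed `skip` shortcut from being reintroduced.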
@@ -0,0 +1,34 @@
+From 14ae8a96aede1e36cbbd92df75c8ec2c16b2ef87 Mon Sep 17 00:00:00 2001
+From: Jiong Wang
+Date: Fri, 22 Feb 2019 22:36:03 +0000
+Subject: nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K
+
+[ Upstream commit 71c190249f0ced5b26377ea6bf829ab3af77a40c ]
+
+The intended optimization should be A ^ 0 = A, not A ^ -1 = A.
+
+Fixes: cd7df56ed3e6 ("nfp: add BPF to NFP code translator")
+Reviewed-by: Jakub Kicinski
+Signed-off-by: Jiong Wang
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c b/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
+index f8df5300f49c..6bfcd6eb74ca 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_bpf_jit.c
+@@ -1017,7 +1017,7 @@ static int xor_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+
+ static int xor_imm(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+ {
+- return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !~meta->insn.imm);
++ return wrp_alu32_imm(nfp_prog, meta, ALU_OP_XOR, !meta->insn.imm);
+ }
+
+ static int and_reg(struct nfp_prog *nfp_prog, struct nfp_insn_meta *meta)
+--
+2.19.1
+
diff --git a/queue-4.9/phonet-fix-building-with-clang.patch b/queue-4.9/phonet-fix-building-with-clang.patch
new file mode 100644
index 00000000000..879f74ee4e4
--- /dev/null
+++ b/queue-4.9/phonet-fix-building-with-clang.patch
@@ -0,0 +1,184 @@
+From fe3f064b3e2ecc3fd8d24a4eaf60076f1ba28bd0 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Tue, 19 Feb 2019 22:53:50 +0100
+Subject: phonet: fix building with clang
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 6321aa197547da397753757bd84c6ce64b3e3d89 ]
+
+clang warns about overflowing the data[] member in the struct pnpipehdr:
+
+net/phonet/pep.c:295:8: warning: array index 4 is past the end of the array (which contains 1 element) [-Warray-bounds]
+ if (hdr->data[4] == PEP_IND_READY)
+ ^ ~
+include/net/phonet/pep.h:66:3: note: array 'data' declared here
+ u8 data[1];
+
+Using a flexible array member at the end of the struct avoids the
+warning, but since we cannot have a flexible array member inside
+of the union, each index now has to be moved back by one, which
+makes it a little uglier.
+
+Signed-off-by: Arnd Bergmann
+Acked-by: Rémi Denis-Courmont
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/phonet/pep.h | 5 +++--
+ net/phonet/pep.c | 32 ++++++++++++++++----------------
+ 2 files changed, 19 insertions(+), 18 deletions(-)
+
+diff --git a/include/net/phonet/pep.h b/include/net/phonet/pep.h
+index b669fe6dbc3b..98f31c7ea23d 100644
+--- a/include/net/phonet/pep.h
++++ b/include/net/phonet/pep.h
+@@ -63,10 +63,11 @@ struct pnpipehdr {
+ u8 state_after_reset; /* reset request */
+ u8 error_code; /* any response */
+ u8 pep_type; /* status indication */
+- u8 data[1];
++ u8 data0; /* anything else */
+ };
++ u8 data[];
+ };
+-#define other_pep_type data[1]
++#define other_pep_type data[0]
+
+ static inline struct pnpipehdr *pnp_hdr(struct sk_buff *skb)
+ {
+diff --git a/net/phonet/pep.c b/net/phonet/pep.c
+index 850a86cde0b3..f6aa532bcbf6 100644
+--- a/net/phonet/pep.c
++++ b/net/phonet/pep.c
+@@ -131,7 +131,7 @@ static int pep_indicate(struct sock *sk, u8 id, u8 code,
+ ph->utid = 0;
+ ph->message_id = id;
+ ph->pipe_handle = 
pn->pipe_handle;
+- ph->data[0] = code;
++ ph->error_code = code;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -152,7 +152,7 @@ static int pipe_handler_request(struct sock *sk, u8 id, u8 code,
+ ph->utid = id; /* whatever */
+ ph->message_id = id;
+ ph->pipe_handle = pn->pipe_handle;
+- ph->data[0] = code;
++ ph->error_code = code;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -207,7 +207,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+ struct pnpipehdr *ph;
+ struct sockaddr_pn dst;
+ u8 data[4] = {
+- oph->data[0], /* PEP type */
++ oph->pep_type, /* PEP type */
+ code, /* error code, at an unusual offset */
+ PAD, PAD,
+ };
+@@ -220,7 +220,7 @@ static int pep_ctrlreq_error(struct sock *sk, struct sk_buff *oskb, u8 code,
+ ph->utid = oph->utid;
+ ph->message_id = PNS_PEP_CTRL_RESP;
+ ph->pipe_handle = oph->pipe_handle;
+- ph->data[0] = oph->data[1]; /* CTRL id */
++ ph->data0 = oph->data[0]; /* CTRL id */
+
+ pn_skb_get_src_sockaddr(oskb, &dst);
+ return pn_skb_send(sk, skb, &dst);
+@@ -271,17 +271,17 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+ return -EINVAL;
+
+ hdr = pnp_hdr(skb);
+- if (hdr->data[0] != PN_PEP_TYPE_COMMON) {
++ if (hdr->pep_type != PN_PEP_TYPE_COMMON) {
+ net_dbg_ratelimited("Phonet unknown PEP type: %u\n",
+- (unsigned int)hdr->data[0]);
++ (unsigned int)hdr->pep_type);
+ return -EOPNOTSUPP;
+ }
+
+- switch (hdr->data[1]) {
++ switch (hdr->data[0]) {
+ case PN_PEP_IND_FLOW_CONTROL:
+ switch (pn->tx_fc) {
+ case PN_LEGACY_FLOW_CONTROL:
+- switch (hdr->data[4]) {
++ switch (hdr->data[3]) {
+ case PEP_IND_BUSY:
+ atomic_set(&pn->tx_credits, 0);
+ break;
+@@ -291,7 +291,7 @@ static int pipe_rcv_status(struct sock *sk, struct sk_buff *skb)
+ }
+ break;
+ case PN_ONE_CREDIT_FLOW_CONTROL:
+- if (hdr->data[4] == PEP_IND_READY)
++ if (hdr->data[3] == PEP_IND_READY)
+ atomic_set(&pn->tx_credits, wake = 1);
+ break;
+ }
+@@ -300,12 +300,12 @@ static int pipe_rcv_status(struct sock *sk, 
struct sk_buff *skb)
+ case PN_PEP_IND_ID_MCFC_GRANT_CREDITS:
+ if (pn->tx_fc != PN_MULTI_CREDIT_FLOW_CONTROL)
+ break;
+- atomic_add(wake = hdr->data[4], &pn->tx_credits);
++ atomic_add(wake = hdr->data[3], &pn->tx_credits);
+ break;
+
+ default:
+ net_dbg_ratelimited("Phonet unknown PEP indication: %u\n",
+- (unsigned int)hdr->data[1]);
++ (unsigned int)hdr->data[0]);
+ return -EOPNOTSUPP;
+ }
+ if (wake)
+@@ -317,7 +317,7 @@ static int pipe_rcv_created(struct sock *sk, struct sk_buff *skb)
+ {
+ struct pep_sock *pn = pep_sk(sk);
+ struct pnpipehdr *hdr = pnp_hdr(skb);
+- u8 n_sb = hdr->data[0];
++ u8 n_sb = hdr->data0;
+
+ pn->rx_fc = pn->tx_fc = PN_LEGACY_FLOW_CONTROL;
+ __skb_pull(skb, sizeof(*hdr));
+@@ -505,7 +505,7 @@ static int pep_connresp_rcv(struct sock *sk, struct sk_buff *skb)
+ return -ECONNREFUSED;
+
+ /* Parse sub-blocks */
+- n_sb = hdr->data[4];
++ n_sb = hdr->data[3];
+ while (n_sb > 0) {
+ u8 type, buf[6], len = sizeof(buf);
+ const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -738,7 +738,7 @@ static int pipe_do_remove(struct sock *sk)
+ ph->utid = 0;
+ ph->message_id = PNS_PIPE_REMOVE_REQ;
+ ph->pipe_handle = pn->pipe_handle;
+- ph->data[0] = PAD;
++ ph->data0 = PAD;
+ return pn_skb_send(sk, skb, NULL);
+ }
+
+@@ -815,7 +815,7 @@ static struct sock *pep_sock_accept(struct sock *sk, int flags, int *errp)
+ peer_type = hdr->other_pep_type << 8;
+
+ /* Parse sub-blocks (options) */
+- n_sb = hdr->data[4];
++ n_sb = hdr->data[3];
+ while (n_sb > 0) {
+ u8 type, buf[1], len = sizeof(buf);
+ const u8 *data = pep_get_sb(skb, &type, &len, buf);
+@@ -1106,7 +1106,7 @@ static int pipe_skb_send(struct sock *sk, struct sk_buff *skb)
+ ph->utid = 0;
+ if (pn->aligned) {
+ ph->message_id = PNS_PIPE_ALIGNED_DATA;
+- ph->data[0] = 0; /* padding */
++ ph->data0 = 0; /* padding */
+ } else
+ ph->message_id = PNS_PIPE_DATA;
+ ph->pipe_handle = pn->pipe_handle;
+--
+2.19.1
+
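Review bot: Turning `data` into a flexible array member in `struct pnpipehdr` removes the only declared bound on it, so reads such as `hdr->data[3]` in `pipe_rcv_status`, `pep_connresp_rcv` and `pep_sock_accept` are now protected solely by whatever skb length check precedes them, and those checks lie outside these hunks. The byte read there comes from the peer and is used as a credit amount or a sub-block count, so it is worth confirming that each of those functions has pulled at least `sizeof(*hdr) + 4` bytes before indexing. I would also document the new layout at the declaration, for example `u8 data[]; /* bytes after the fixed header; check skb length before indexing */`, because the hand-shifted indices no longer match the offsets a reader will find in older comments.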
diff --git a/queue-4.9/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch b/queue-4.9/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
new file mode 100644
index 00000000000..a4c1ee57bf1
--- /dev/null
+++ b/queue-4.9/pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch
@@ -0,0 +1,36 @@
+From 9e95f89bbea010e5d43bd1fe1ee89af022828268 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl
+Date: Sat, 9 Feb 2019 02:01:01 +0100
+Subject: pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
+
+[ Upstream commit c17abcfa93bf0be5e48bb011607d237ac2bfc839 ]
+
+Fix the mismatch between the "sdxc_d13_1_a" pin group definition from
+meson8b_cbus_groups and the entry in sdxc_a_groups ("sdxc_d0_13_1_a").
+This makes it possible to use "sdxc_d13_1_a" in device-tree files to
+route the MMC data 1..3 pins to GPIOX_1..3.
+
+Fixes: 0fefcb6876d0d6 ("pinctrl: Add support for Meson8b")
+Signed-off-by: Martin Blumenstingl
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/meson/pinctrl-meson8b.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c
+index cbe5f5cbddb8..e1b689f840ab 100644
+--- a/drivers/pinctrl/meson/pinctrl-meson8b.c
++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c
+@@ -662,7 +662,7 @@ static const char * const sd_a_groups[] = {
+
+ static const char * const sdxc_a_groups[] = {
+ "sdxc_d0_0_a", "sdxc_d13_0_a", "sdxc_d47_a", "sdxc_clk_a",
+- "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d0_13_1_a"
++ "sdxc_cmd_a", "sdxc_d0_1_a", "sdxc_d13_1_a"
+ };
+
+ static const char * const pcm_a_groups[] = {
+--
+2.19.1
+
diff --git a/queue-4.9/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch b/queue-4.9/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
new file mode 100644
index 00000000000..26a701409fd
--- /dev/null
+++ b/queue-4.9/qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch
@@ -0,0 +1,40 @@
+From cec3dd1b5563b66c037bcd49ae5a8a68a7525f08 Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani
+Date: Fri, 15 Feb 2019 13:20:42 +0100
+Subject: qmi_wwan: apply SET_DTR quirk to Sierra WP7607
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 97dc47a1308a3af46a09b1546cfb869f2e382a81 ]
+
+The 1199:68C0 USB ID is reused by Sierra WP7607 which requires the DTR
+quirk to be detected. Apply QMI_QUIRK_SET_DTR unconditionally as
+already done for other IDs shared between different devices.
+
+Signed-off-by: Beniamino Galvani
+Acked-by: Bjørn Mork
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/qmi_wwan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
+index 134eb184fa22..16e5c8cd104d 100644
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -895,8 +895,8 @@ static const struct usb_device_id products[] = {
+ {QMI_FIXED_INTF(0x114f, 0x68a2, 8)}, /* Sierra Wireless MC7750 */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 8)}, /* Sierra Wireless MC7710 in QMI mode */
+ {QMI_FIXED_INTF(0x1199, 0x68a2, 19)}, /* Sierra Wireless MC7710 in QMI mode */
+- {QMI_FIXED_INTF(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354 */
+- {QMI_FIXED_INTF(0x1199, 0x68c0, 10)}, /* Sierra Wireless MC7304/MC7354 */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 8)}, /* Sierra Wireless MC7304/MC7354, WP76xx */
++ {QMI_QUIRK_SET_DTR(0x1199, 0x68c0, 10)},/* Sierra Wireless MC7304/MC7354 */
+ {QMI_FIXED_INTF(0x1199, 0x901c, 8)}, /* Sierra Wireless EM7700 */
+ {QMI_FIXED_INTF(0x1199, 0x901f, 8)}, /* Sierra Wireless EM7355 */
+ {QMI_FIXED_INTF(0x1199, 0x9041, 8)}, /* Sierra Wireless MC7305/MC7355 */
+--
+2.19.1
+
diff --git a/queue-4.9/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch b/queue-4.9/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
new file mode 100644
index 00000000000..48218553506
--- /dev/null
+++ b/queue-4.9/s390-dasd-fix-using-offset-into-zero-size-array-erro.patch
@@ -0,0 +1,96 @@
+From a0df418c26cd131f3b69fb8004f5259dc0098e61 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland
+Date: Wed, 21 Nov 2018 12:39:47 +0100
+Subject: s390/dasd: fix using offset into zero size array error
+
+[ Upstream commit 4a8ef6999bce998fa5813023a9a6b56eea329dba ]
+
+Dan Carpenter reported the following:
+
+The patch 52898025cf7d: "[S390] dasd: security and PSF update patch
+for EMC CKD ioctl" from Mar 8, 2010, leads to the following static
+checker warning:
+
+ drivers/s390/block/dasd_eckd.c:4486 dasd_symm_io()
+ error: using offset into zero size array 'psf_data[]'
+
+drivers/s390/block/dasd_eckd.c
+ 4458 /* Copy parms from caller */
+ 4459 rc = -EFAULT;
+ 4460 if (copy_from_user(&usrparm, argp, sizeof(usrparm)))
+ ^^^^^^^
+The user can specify any "usrparm.psf_data_len". They choose zero by
+mistake.
+
+ 4461 goto out;
+ 4462 if (is_compat_task()) {
+ 4463 /* Make sure pointers are sane even on 31 bit. */
+ 4464 rc = -EINVAL;
+ 4465 if ((usrparm.psf_data >> 32) != 0)
+ 4466 goto out;
+ 4467 if ((usrparm.rssd_result >> 32) != 0)
+ 4468 goto out;
+ 4469 usrparm.psf_data &= 0x7fffffffULL;
+ 4470 usrparm.rssd_result &= 0x7fffffffULL;
+ 4471 }
+ 4472 /* alloc I/O data area */
+ 4473 psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL
+ | GFP_DMA);
+ 4474 rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL
+ | GFP_DMA);
+ 4475 if (!psf_data || !rssd_result) {
+
+kzalloc() returns a ZERO_SIZE_PTR (0x16).
+
+ 4476 rc = -ENOMEM;
+ 4477 goto out_free;
+ 4478 }
+ 4479
+ 4480 /* get syscall header from user space */
+ 4481 rc = -EFAULT;
+ 4482 if (copy_from_user(psf_data,
+ 4483 (void __user *)(unsigned long)
+ usrparm.psf_data,
+ 4484 usrparm.psf_data_len))
+
+That all works great.
+
+ 4485 goto out_free;
+ 4486 psf0 = psf_data[0];
+ 4487 psf1 = psf_data[1];
+
+But now we're assuming that "->psf_data_len" was at least 2 bytes.
+
+Fix this by checking the user specified length psf_data_len.
+
+Fixes: 52898025cf7d ("[S390] dasd: security and PSF update patch for EMC CKD ioctl")
+Reported-by: Dan Carpenter
+Signed-off-by: Stefan Haberland
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+---
+ drivers/s390/block/dasd_eckd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/s390/block/dasd_eckd.c b/drivers/s390/block/dasd_eckd.c
+index be17de9807b6..11c6335b1951 100644
+--- a/drivers/s390/block/dasd_eckd.c
++++ b/drivers/s390/block/dasd_eckd.c
+@@ -4508,6 +4508,14 @@ static int dasd_symm_io(struct dasd_device *device, void __user *argp)
+ usrparm.psf_data &= 0x7fffffffULL;
+ usrparm.rssd_result &= 0x7fffffffULL;
+ }
++ /* at least 2 bytes are accessed and should be allocated */
++ if (usrparm.psf_data_len < 2) {
++ DBF_DEV_EVENT(DBF_WARNING, device,
++ "Symmetrix ioctl invalid data length %d",
++ usrparm.psf_data_len);
++ rc = -EINVAL;
++ goto out;
++ }
+ /* alloc I/O data area */
+ psf_data = kzalloc(usrparm.psf_data_len, GFP_KERNEL | GFP_DMA);
+ rssd_result = kzalloc(usrparm.rssd_result_len, GFP_KERNEL | GFP_DMA);
+--
+2.19.1
+
diff --git a/queue-4.9/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch b/queue-4.9/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
new file mode 100644
index 00000000000..56e432b8c60
--- /dev/null
+++ b/queue-4.9/scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch
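Review bot: The new guard in `dasd_symm_io` validates only `usrparm.psf_data_len`, while `usrparm.rssd_result_len` arrives in the same user-supplied structure and is passed to `kzalloc()` two lines later with no lower or upper bound. A zero there gives the same ZERO_SIZE_PTR situation the commit message describes for `psf_data`, and whether the rest of the function (outside this hunk) reads or DMA-maps `rssd_result` with some minimum size cannot be told from here. If it does, the condition should become `if (usrparm.psf_data_len < 2 || usrparm.rssd_result_len < 1) {` with the message adjusted to name the offending field. Independently of that, both lengths feed a `GFP_DMA` allocation straight from the ioctl argument, so an explicit maximum for each would be a sensible addition.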
@@ -0,0 +1,110 @@
+From eea22cd4c30d0c4068b3cd52e76b22d7180fd99e Mon Sep 17 00:00:00 2001
+From: Anoob Soman
+Date: Wed, 13 Feb 2019 13:21:39 +0800
+Subject: scsi: libiscsi: Fix race between iscsi_xmit_task and
+ iscsi_complete_task
+
+[ Upstream commit 79edd00dc6a96644d76b4a1cb97d94d49e026768 ]
+
+When a target sends Check Condition, whilst initiator is busy xmiting
+re-queued data, could lead to race between iscsi_complete_task() and
+iscsi_xmit_task() and eventually crashing with the following kernel
+backtrace.
+
+[3326150.987523] ALERT: BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
+[3326150.987549] ALERT: IP: [] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987571] WARN: PGD 569c8067 PUD 569c9067 PMD 0
+[3326150.987582] WARN: Oops: 0002 [#1] SMP
+[3326150.987593] WARN: Modules linked in: tun nfsv3 nfs fscache dm_round_robin
+[3326150.987762] WARN: CPU: 2 PID: 8399 Comm: kworker/u32:1 Tainted: G O 4.4.0+2 #1
+[3326150.987774] WARN: Hardware name: Dell Inc. 
PowerEdge R720/0W7JN5, BIOS 2.5.4 01/22/2016
+[3326150.987790] WARN: Workqueue: iscsi_q_13 iscsi_xmitworker [libiscsi]
+[3326150.987799] WARN: task: ffff8801d50f3800 ti: ffff8801f5458000 task.ti: ffff8801f5458000
+[3326150.987810] WARN: RIP: e030:[] [] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.987825] WARN: RSP: e02b:ffff8801f545bdb0 EFLAGS: 00010246
+[3326150.987831] WARN: RAX: 00000000ffffffc3 RBX: ffff880282d2ab20 RCX: ffff88026b6ac480
+[3326150.987842] WARN: RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffff880282d2ab20
+[3326150.987852] WARN: RBP: ffff8801f545bdc8 R08: 0000000000000000 R09: 0000000000000008
+[3326150.987862] WARN: R10: 0000000000000000 R11: 000000000000fe88 R12: 0000000000000000
+[3326150.987872] WARN: R13: ffff880282d2abe8 R14: ffff880282d2abd8 R15: ffff880282d2ac08
+[3326150.987890] WARN: FS: 00007f5a866b4840(0000) GS:ffff88028a640000(0000) knlGS:0000000000000000
+[3326150.987900] WARN: CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033
+[3326150.987907] WARN: CR2: 0000000000000078 CR3: 0000000070244000 CR4: 0000000000042660
+[3326150.987918] WARN: Stack:
+[3326150.987924] WARN: ffff880282d2ad58 ffff880282d2ab20 ffff880282d2abe8 ffff8801f545be18
+[3326150.987938] WARN: ffffffffa05cea90 ffff880282d2abf8 ffff88026b59cc80 ffff88026b59cc00
+[3326150.987951] WARN: ffff88022acf32c0 ffff880289491800 ffff880255a80800 0000000000000400
+[3326150.987964] WARN: Call Trace:
+[3326150.987975] WARN: [] iscsi_xmitworker+0x2f0/0x360 [libiscsi]
+[3326150.987988] WARN: [] process_one_work+0x1fc/0x3b0
+[3326150.987997] WARN: [] worker_thread+0x2a5/0x470
+[3326150.988006] WARN: [] ? __schedule+0x648/0x870
+[3326150.988015] WARN: [] ? rescuer_thread+0x300/0x300
+[3326150.988023] WARN: [] kthread+0xd5/0xe0
+[3326150.988031] WARN: [] ? kthread_stop+0x110/0x110
+[3326150.988040] WARN: [] ret_from_fork+0x3f/0x70
+[3326150.988048] WARN: [] ? 
kthread_stop+0x110/0x110
+[3326150.988127] ALERT: RIP [] iscsi_xmit_task+0x2d/0xc0 [libiscsi]
+[3326150.988138] WARN: RSP
+[3326150.988144] WARN: CR2: 0000000000000078
+[3326151.020366] WARN: ---[ end trace 1c60974d4678d81b ]---
+
+Commit 6f8830f5bbab ("scsi: libiscsi: add lock around task lists to fix
+list corruption regression") introduced "taskqueuelock" to fix list
+corruption during the race, but this wasn't enough.
+
+Re-setting of conn->task to NULL, could race with iscsi_xmit_task().
+iscsi_complete_task()
+{
+ ....
+ if (conn->task == task)
+ conn->task = NULL;
+}
+
+conn->task in iscsi_xmit_task() could be NULL and so will be task.
+__iscsi_get_task(task) will crash (NullPtr de-ref), trying to access
+refcount.
+
+iscsi_xmit_task()
+{
+ struct iscsi_task *task = conn->task;
+
+ __iscsi_get_task(task);
+}
+
+This commit will take extra conn->session->back_lock in iscsi_xmit_task()
+to ensure iscsi_xmit_task() waits for iscsi_complete_task(), if
+iscsi_complete_task() wins the race. If iscsi_xmit_task() wins the race,
+iscsi_xmit_task() increments task->refcount
+(__iscsi_get_task) ensuring iscsi_complete_task() will not iscsi_free_task().
+
+Signed-off-by: Anoob Soman
+Signed-off-by: Bob Liu
+Acked-by: Lee Duncan
+Signed-off-by: Martin K. 
Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/libiscsi.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
+index c79743de48f9..2ffe10453e30 100644
+--- a/drivers/scsi/libiscsi.c
++++ b/drivers/scsi/libiscsi.c
+@@ -1448,7 +1448,13 @@ static int iscsi_xmit_task(struct iscsi_conn *conn)
+ if (test_bit(ISCSI_SUSPEND_BIT, &conn->suspend_tx))
+ return -ENODATA;
+
++ spin_lock_bh(&conn->session->back_lock);
++ if (conn->task == NULL) {
++ spin_unlock_bh(&conn->session->back_lock);
++ return -ENODATA;
++ }
+ __iscsi_get_task(task);
++ spin_unlock_bh(&conn->session->back_lock);
+ spin_unlock_bh(&conn->session->frwd_lock);
+ rc = conn->session->tt->xmit_task(task);
+ spin_lock_bh(&conn->session->frwd_lock);
+--
+2.19.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 31f511c10f3..54e2e782fe8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
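Review bot: The added NULL test in `iscsi_xmit_task` examines `conn->task` under `back_lock`, but the pointer then handed to `__iscsi_get_task()` is the local `task`, which according to the commit message was loaded from `conn->task` before that lock was taken (the declaration is outside the hunk). The two stay equal only if nothing can install a different non-NULL task in that window; re-reading under the lock removes the assumption, `task = conn->task;` followed by `if (!task) {`. The new early return leaves `frwd_lock` held, which matches the existing `ISCSI_SUSPEND_BIT` return just above it, so that part looks consistent. A one-line comment such as `/* back_lock nests inside frwd_lock here; pairs with iscsi_complete_task() */` would help anyone auditing lock order later.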
@@ -6,3 +6,38 @@ iio-adc-exynos-adc-fix-null-pointer-exception-on-unbind.patch stm-class-fix-an-endless-loop-in-channel-allocation.patch crypto-caam-fixed-handling-of-sg-list.patch crypto-ahash-fix-another-early-termination-in-hash-walk.patch +gpu-ipu-v3-fix-i.mx51-csi-control-registers-offset.patch +gpu-ipu-v3-fix-csi-offsets-for-imx53.patch +s390-dasd-fix-using-offset-into-zero-size-array-erro.patch +arm-omap2-variable-reg-in-function-omap4_dsi_mux_pad.patch +input-cap11xx-switch-to-using-set_brightness_blockin.patch +input-matrix_keypad-use-flush_delayed_work.patch +floppy-check_events-callback-should-not-return-a-neg.patch +mm-gup-fix-gup_pmd_range-for-dax.patch +mm-page_alloc-fix-ref-bias-in-page_frag_alloc-for-1-.patch +net-hns-fix-object-reference-leaks-in-hns_dsaf_roce_.patch +i2c-cadence-fix-the-hold-bit-setting.patch +input-st-keyscan-fix-potential-zalloc-null-dereferen.patch +clk-sunxi-a31-fix-wrong-ahb-gate-number.patch +arm-8824-1-fix-a-migrating-irq-bug-when-hotplug-cpu.patch +assoc_array-fix-shortcut-creation.patch +scsi-libiscsi-fix-race-between-iscsi_xmit_task-and-i.patch +net-systemport-fix-reception-of-bpdus.patch +pinctrl-meson-meson8b-fix-the-sdxc_a-data-1.3-pins.patch +qmi_wwan-apply-set_dtr-quirk-to-sierra-wp7607.patch +net-mv643xx_eth-disable-clk-on-error-path-in-mv643xx.patch +asoc-topology-free-created-components-in-tplg-load-e.patch +arm64-relax-gic-version-check-during-early-boot.patch +net-marvell-mvneta-fix-dma-debug-warning.patch +kasan-slub-move-kasan_poison_slab-hook-before-page_a.patch +tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch +kasan-slab-fix-conflicts-with-config_hardened_userco.patch +arcv2-lib-memcpy-fix-doing-prefetchw-outside-of-buff.patch +arc-uacces-remove-lp_start-lp_end-from-clobber-list.patch +phonet-fix-building-with-clang.patch +mac80211_hwsim-propagate-genlmsg_reply-return-code.patch +net-thunderx-make-cfg_done-message-to-run-through-ge.patch +nfp-bpf-fix-code-gen-bug-on-bpf_alu-bpf_xor-bpf_k.patch 
+nfp-bpf-fix-alu32-high-bits-clearance-bug.patch
+net-set-static-variable-an-initial-value-in-atl2_pro.patch
+tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
diff --git a/queue-4.9/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch b/queue-4.9/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
new file mode 100644
index 00000000000..1b779cc3de1
--- /dev/null
+++ b/queue-4.9/tmpfs-fix-link-accounting-when-a-tmpfile-is-linked-i.patch
@@ -0,0 +1,62 @@
+From f7651a21c27f7c3071f283bdcf584d30e40a599d Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Thu, 21 Feb 2019 08:48:09 -0800
+Subject: tmpfs: fix link accounting when a tmpfile is linked in
+
+[ Upstream commit 1062af920c07f5b54cf5060fde3339da6df0cf6b ]
+
+tmpfs has a peculiarity of accounting hard links as if they were
+separate inodes: so that when the number of inodes is limited, as it is
+by default, a user cannot soak up an unlimited amount of unreclaimable
+dcache memory just by repeatedly linking a file.
+
+But when v3.11 added O_TMPFILE, and the ability to use linkat() on the
+fd, we missed accommodating this new case in tmpfs: "df -i" shows that
+an extra "inode" remains accounted after the file is unlinked and the fd
+closed and the actual inode evicted. If a user repeatedly links
+tmpfiles into a tmpfs, the limit will be hit (ENOSPC) even after they
+are deleted.
+
+Just skip the extra reservation from shmem_link() in this case: there's
+a sense in which this first link of a tmpfile is then cheaper than a
+hard link of another file, but the accounting works out, and there's
+still good limiting, so no need to do anything more complicated.
+
+Link: http://lkml.kernel.org/r/alpine.LSU.2.11.1902182134370.7035@eggly.anvils
+Fixes: f4e0c30c191 ("allow the temp files created by open() to be linked to")
+Signed-off-by: Darrick J. 
Wong
+Signed-off-by: Hugh Dickins
+Reported-by: Matej Kupljen
+Acked-by: Al Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 9b17bd4cbc5e..214773472530 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2902,10 +2902,14 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr
+ * No ordinary (disk based) filesystem counts links as inodes;
+ * but each new link needs a new dentry, pinning lowmem, and
+ * tmpfs dentries cannot be pruned until they are unlinked.
++ * But if an O_TMPFILE file is linked into the tmpfs, the
++ * first link must skip that, to get the accounting right.
+ */
+- ret = shmem_reserve_inode(inode->i_sb);
+- if (ret)
+- goto out;
++ if (inode->i_nlink) {
++ ret = shmem_reserve_inode(inode->i_sb);
++ if (ret)
++ goto out;
++ }
+
+ dir->i_size += BOGO_DIRENT_SIZE;
+ inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode);
+--
+2.19.1
+
diff --git a/queue-4.9/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch b/queue-4.9/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
new file mode 100644
index 00000000000..b551ba19a2e
--- /dev/null
+++ b/queue-4.9/tmpfs-fix-uninitialized-return-value-in-shmem_link.patch
@@ -0,0 +1,40 @@
+From 3fd68dafca815ae13ef6083dd5a058317721fdb4 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Fri, 22 Feb 2019 22:35:32 -0800
+Subject: tmpfs: fix uninitialized return value in shmem_link
+
+[ Upstream commit 29b00e609960ae0fcff382f4c7079dd0874a5311 ]
+
+When we made the shmem_reserve_inode call in shmem_link conditional, we
+forgot to update the declaration for ret so that it always has a known
+value. Dan Carpenter pointed out this deficiency in the original patch.
+
+Fixes: 1062af920c07 ("tmpfs: fix link accounting when a tmpfile is linked in")
+Reported-by: Dan Carpenter
+Signed-off-by: Darrick J. Wong
+Signed-off-by: Hugh Dickins
+Cc: Matej Kupljen
+Cc: Al Viro
+Cc: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ mm/shmem.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/mm/shmem.c b/mm/shmem.c
+index 214773472530..944242491059 100644
+--- a/mm/shmem.c
++++ b/mm/shmem.c
+@@ -2896,7 +2896,7 @@ static int shmem_create(struct inode *dir, struct dentry *dentry, umode_t mode,
+ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentry *dentry)
+ {
+ struct inode *inode = d_inode(old_dentry);
+- int ret;
++ int ret = 0;
+
+ /*
+ * No ordinary (disk based) filesystem counts links as inodes;
+--
+2.19.1
+