From: Greg Kroah-Hartman Date: Sun, 25 Mar 2018 09:42:20 +0000 (+0200) Subject: 4.15-stable patches X-Git-Tag: v4.15.14~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7cab97ceac8954abf52e49dbc7c95cfe96926982;p=thirdparty%2Fkernel%2Fstable-queue.git 4.15-stable patches added patches: bluetooth-btusb-add-dell-optiplex-3060-to-btusb_needs_reset_resume_table.patch bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch bluetooth-btusb-remove-yoga-920-from-the-btusb_needs_reset_resume_table.patch cgroup-fix-rule-checking-for-threaded-mode-switching.patch libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch libata-enable-queued-trim-for-samsung-ssd-860.patch libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch libata-remove-warn-for-dma-or-pio-command-without-data.patch media-tegra-cec-reset-rx_buf_cnt-when-start-bit-detected.patch nfsd-remove-blocked-locks-on-client-teardown.patch pinctrl-samsung-validate-alias-coming-from-dt.patch sched-cgroup-don-t-reject-lower-cpu.max-on-ancestors.patch --- diff --git a/queue-4.15/bluetooth-btusb-add-dell-optiplex-3060-to-btusb_needs_reset_resume_table.patch b/queue-4.15/bluetooth-btusb-add-dell-optiplex-3060-to-btusb_needs_reset_resume_table.patch new file mode 100644 index 00000000000..59955dee290 --- /dev/null +++ b/queue-4.15/bluetooth-btusb-add-dell-optiplex-3060-to-btusb_needs_reset_resume_table.patch @@ -0,0 +1,47 @@ +From 0c6e526646c04ce31d4aaa280ed2237dd1cd774c Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Thu, 1 Mar 2018 13:42:52 +0800 +Subject: Bluetooth: btusb: Add Dell OptiPlex 3060 to btusb_needs_reset_resume_table + +From: Kai-Heng Feng + +commit 0c6e526646c04ce31d4aaa280ed2237dd1cd774c upstream. + +The issue can be reproduced before commit fd865802c66b ("Bluetooth: +btusb: fix QCA Rome suspend/resume") gets introduced, so the reset +resume quirk is still needed for this system. + +T: Bus=01 Lev=01 Prnt=01 Port=13 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0cf3 ProdID=e007 Rev=00.01 +C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + +Cc: stable@vger.kernel.org +Cc: Brian Norris +Cc: Hans de Goede +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -382,6 +382,13 @@ static const struct usb_device_id blackl + * the module itself. So we use a DMI list to match known broken platforms. + */ + static const struct dmi_system_id btusb_needs_reset_resume_table[] = { ++ { ++ /* Dell OptiPlex 3060 (QCA ROME device 0cf3:e007) */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "OptiPlex 3060"), ++ }, ++ }, + {} + }; + diff --git a/queue-4.15/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch b/queue-4.15/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch new file mode 100644 index 00000000000..4c5d69efbd1 --- /dev/null +++ b/queue-4.15/bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch @@ -0,0 +1,75 @@ +From f44cb4b19ed40b655c2d422c9021ab2c2625adb6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 15 Mar 2018 17:02:34 +0100 +Subject: Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174 + +From: Takashi Iwai + +commit f44cb4b19ed40b655c2d422c9021ab2c2625adb6 upstream. + +The Atheros 1525/QCA6174 BT doesn't seem working properly on the +recent kernels, as it tries to load a wrong firmware +ar3k/AthrBT_0x00000200.dfu and it fails. + +This seems to have been a problem for some time, and the known +workaround is to apply BTUSB_QCA_ROM quirk instead of BTUSB_ATH3012. + +The device in question is: + +T: Bus=01 Lev=01 Prnt=01 Port=09 Cnt=03 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0cf3 ProdID=3004 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1082504 +Reported-by: Ivan Levshin +Tested-by: Ivan Levshin +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -230,7 +230,6 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0930, 0x0227), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0b05, 0x17d0), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x0036), .driver_info = BTUSB_ATH3012 }, +- { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0cf3, 0x311e), .driver_info = BTUSB_ATH3012 }, +@@ -263,6 +262,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0489, 0xe03c), .driver_info = BTUSB_ATH3012 }, + + /* QCA ROME chipset */ ++ { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe007), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe009), .driver_info = BTUSB_QCA_ROME }, + { USB_DEVICE(0x0cf3, 0xe300), .driver_info = BTUSB_QCA_ROME }, diff --git a/queue-4.15/bluetooth-btusb-remove-yoga-920-from-the-btusb_needs_reset_resume_table.patch b/queue-4.15/bluetooth-btusb-remove-yoga-920-from-the-btusb_needs_reset_resume_table.patch new file mode 100644 index 00000000000..4493a797f62 --- /dev/null +++ b/queue-4.15/bluetooth-btusb-remove-yoga-920-from-the-btusb_needs_reset_resume_table.patch @@ -0,0 +1,57 @@ +From f0e8c61110c2c85903b136ba070daf643a8b6842 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Wed, 28 Feb 2018 11:57:50 +0100 +Subject: Bluetooth: btusb: Remove Yoga 920 from the btusb_needs_reset_resume_table + +From: Hans de Goede + +commit f0e8c61110c2c85903b136ba070daf643a8b6842 upstream. + +Commit 1fdb92697469 ("Bluetooth: btusb: Use DMI matching for QCA +reset_resume quirking"), added the Lenovo Yoga 920 to the +btusb_needs_reset_resume_table. + +Testing has shown that this is a false positive and the problems where +caused by issues with the initial fix: commit fd865802c66b ("Bluetooth: +btusb: fix QCA Rome suspend/resume"), which has already been reverted. + +So the QCA Rome BT in the Yoga 920 does not need a reset-resume quirk at +all and this commit removes it from the btusb_needs_reset_resume_table. + +Note that after this commit the btusb_needs_reset_resume_table is now +empty. It is kept around on purpose, since this whole series of commits +started for a reason and there are actually broken platforms around, +which need to be added to it. + +BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1514836 +Fixes: 1fdb92697469 ("Bluetooth: btusb: Use DMI matching for QCA ...") +Cc: stable@vger.kernel.org +Cc: Brian Norris +Cc: Kai-Heng Feng +Tested-by: Kevin Fenzi +Suggested-by: Brian Norris +Signed-off-by: Hans de Goede +Reviewed-by: Brian Norris +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -382,13 +382,6 @@ static const struct usb_device_id blackl + * the module itself. So we use a DMI list to match known broken platforms. + */ + static const struct dmi_system_id btusb_needs_reset_resume_table[] = { +- { +- /* Lenovo Yoga 920 (QCA Rome device 0cf3:e300) */ +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo YOGA 920"), +- }, +- }, + {} + }; + diff --git a/queue-4.15/cgroup-fix-rule-checking-for-threaded-mode-switching.patch b/queue-4.15/cgroup-fix-rule-checking-for-threaded-mode-switching.patch new file mode 100644 index 00000000000..9201ef1bea2 --- /dev/null +++ b/queue-4.15/cgroup-fix-rule-checking-for-threaded-mode-switching.patch @@ -0,0 +1,52 @@ +From d1897c9538edafd4ae6bbd03cc075962ddde2c21 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 21 Feb 2018 11:39:22 -0800 +Subject: cgroup: fix rule checking for threaded mode switching + +From: Tejun Heo + +commit d1897c9538edafd4ae6bbd03cc075962ddde2c21 upstream. + +A domain cgroup isn't allowed to be turned threaded if its subtree is +populated or domain controllers are enabled. cgroup_enable_threaded() +depended on cgroup_can_be_thread_root() test to enforce this rule. A +parent which has populated domain descendants or have domain +controllers enabled can't become a thread root, so the above rules are +enforced automatically. + +However, for the root cgroup which can host mixed domain and threaded +children, cgroup_can_be_thread_root() doesn't check any of those +conditions and thus first level cgroups ends up escaping those rules. + +This patch fixes the bug by adding explicit checks for those rules in +cgroup_enable_threaded(). + +Reported-by: Michael Kerrisk (man-pages) +Signed-off-by: Tejun Heo +Fixes: 8cfd8147df67 ("cgroup: implement cgroup v2 thread support") +Cc: stable@vger.kernel.org # v4.14+ +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup/cgroup.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/kernel/cgroup/cgroup.c ++++ b/kernel/cgroup/cgroup.c +@@ -3183,6 +3183,16 @@ static int cgroup_enable_threaded(struct + if (cgroup_is_threaded(cgrp)) + return 0; + ++ /* ++ * If @cgroup is populated or has domain controllers enabled, it ++ * can't be switched. While the below cgroup_can_be_thread_root() ++ * test can catch the same conditions, that's only when @parent is ++ * not mixable, so let's check it explicitly. ++ */ ++ if (cgroup_is_populated(cgrp) || ++ cgrp->subtree_control & ~cgrp_dfl_threaded_ss_mask) ++ return -EOPNOTSUPP; ++ + /* we're joining the parent's domain, ensure its validity */ + if (!cgroup_is_valid_domain(dom_cgrp) || + !cgroup_can_be_thread_root(dom_cgrp)) diff --git a/queue-4.15/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch b/queue-4.15/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch new file mode 100644 index 00000000000..8b5f30744bf --- /dev/null +++ b/queue-4.15/libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch @@ -0,0 +1,51 @@ +From 62ac3f7305470e3f52f159de448bc1a771717e88 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:33:58 +0100 +Subject: libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs + +From: Hans de Goede + +commit 62ac3f7305470e3f52f159de448bc1a771717e88 upstream. + +There have been reports of the Crucial M500 480GB model not working +with LPM set to min_power / med_power_with_dipm level. + +It has not been tested with medium_power, but that typically has no +measurable power-savings. + +Note the reporters Crucial_CT480M500SSD3 has a firmware version of MU03 +and there is a MU05 update available, but that update does not mention any +LPM fixes in its changelog, so the quirk matches all firmware versions. + +In my experience the LPM problems with (older) Crucial SSDs seem to be +limited to higher capacity versions of the SSDs (different firmware?), +so this commit adds a NOLPM quirk for the 480 and 960GB versions of the +M500, to avoid LPM causing issues with these SSDs. + +Cc: stable@vger.kernel.org +Reported-and-tested-by: Martin Steigerwald +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4538,6 +4538,14 @@ static const struct ata_blacklist_entry + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, + ++ /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */ ++ { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ { "Crucial_CT960M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.15/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch b/queue-4.15/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch new file mode 100644 index 00000000000..14a1554ac01 --- /dev/null +++ b/queue-4.15/libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch @@ -0,0 +1,46 @@ +From 9c7be59fc519af9081c46c48f06f2b8fadf55ad8 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 16 Feb 2018 10:48:20 +0100 +Subject: libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs + +From: Hans de Goede + +commit 9c7be59fc519af9081c46c48f06f2b8fadf55ad8 upstream. + +Various people have reported the Crucial MX100 512GB model not working +with LPM set to min_power. I've now received a report that it also does +not work with the new med_power_with_dipm level. + +It does work with medium_power, but that has no measurable power-savings +and given the amount of people being bitten by the other levels not +working, this commit just disables LPM altogether. + +Note all reporters of this have either the 512GB model (max capacity), or +are not specifying their SSD's size. So for now this quirk assumes this is +a problem with the 512GB model only. + +Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=89261 +Buglink: https://github.com/linrunner/TLP/issues/84 +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4530,6 +4530,11 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, ++ + /* devices that don't properly handle queued TRIM commands */ + { "Micron_M500_*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.15/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch b/queue-4.15/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch new file mode 100644 index 00000000000..49f65ac1633 --- /dev/null +++ b/queue-4.15/libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch @@ -0,0 +1,39 @@ +From b17e5729a630d8326a48ec34ef02e6b4464a6aef Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Sun, 18 Feb 2018 22:17:09 +0800 +Subject: libata: disable LPM for Crucial BX100 SSD 500GB drive + +From: Kai-Heng Feng + +commit b17e5729a630d8326a48ec34ef02e6b4464a6aef upstream. + +After Laptop Mode Tools starts to use min_power for LPM, a user found +out Crucial BX100 SSD can't get mounted. + +Crucial BX100 SSD 500GB drive don't work well with min_power. This also +happens to med_power_with_dipm. + +So let's disable LPM for Crucial BX100 SSD 500GB drive. + +BugLink: https://bugs.launchpad.net/bugs/1726930 +Signed-off-by: Kai-Heng Feng +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4530,6 +4530,9 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* Crucial BX100 SSD 500GB has broken LPM support */ ++ { "CT500BX100SSD1", "MU02", ATA_HORKAGE_NOLPM }, ++ + /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ + { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM | diff --git a/queue-4.15/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch b/queue-4.15/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch new file mode 100644 index 00000000000..7a6309b9a2e --- /dev/null +++ b/queue-4.15/libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch @@ -0,0 +1,63 @@ +From 2c1ec6fda2d07044cda922ee25337cf5d4b429b3 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:33:51 -0800 +Subject: libata: don't try to pass through NCQ commands to non-NCQ devices + +From: Eric Biggers + +commit 2c1ec6fda2d07044cda922ee25337cf5d4b429b3 upstream. + +syzkaller hit a WARN() in ata_bmdma_qc_issue() when writing to /dev/sg0. +This happened because it issued an ATA pass-through command (ATA_16) +where the protocol field indicated that NCQ should be used -- but the +device did not support NCQ. + +We could just remove the WARN() from libata-sff.c, but the real problem +seems to be that the SCSI -> ATA translation code passes through NCQ +commands without verifying that the device actually supports NCQ. + +Fix this by adding the appropriate check to ata_scsi_pass_thru(). + +Here's reproducer that works in QEMU when /dev/sg0 refers to a disk of +the default type ("82371SB PIIX3 IDE"): + + #include + #include + + int main() + { + char buf[53] = { 0 }; + + buf[36] = 0x85; /* ATA_16 */ + buf[37] = (12 << 1); /* FPDMA */ + buf[38] = 0x1; /* Has data */ + buf[51] = 0xC8; /* ATA_CMD_READ */ + write(open("/dev/sg0", O_RDWR), buf, sizeof(buf)); + } + +Fixes: ee7fb331c3ac ("libata: add support for NCQ commands for SG interface") +Reported-by: syzbot+2f69ca28df61bdfc77cd36af2e789850355a221e@syzkaller.appspotmail.com +Cc: # v4.4+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -3316,6 +3316,12 @@ static unsigned int ata_scsi_pass_thru(s + goto invalid_fld; + } + ++ /* We may not issue NCQ commands to devices not supporting NCQ */ ++ if (ata_is_ncq(tf->protocol) && !ata_ncq_enabled(dev)) { ++ fp = 1; ++ goto invalid_fld; ++ } ++ + /* sanity check for pio multi commands */ + if ((cdb[1] & 0xe0) && !is_multi_taskfile(tf)) { + fp = 1; diff --git a/queue-4.15/libata-enable-queued-trim-for-samsung-ssd-860.patch b/queue-4.15/libata-enable-queued-trim-for-samsung-ssd-860.patch new file mode 100644 index 00000000000..8803798fce6 --- /dev/null +++ b/queue-4.15/libata-enable-queued-trim-for-samsung-ssd-860.patch @@ -0,0 +1,37 @@ +From ca6bfcb2f6d9deab3924bf901e73622a94900473 Mon Sep 17 00:00:00 2001 +From: Ju Hyung Park +Date: Sun, 11 Mar 2018 02:28:35 +0900 +Subject: libata: Enable queued TRIM for Samsung SSD 860 + +From: Ju Hyung Park + +commit ca6bfcb2f6d9deab3924bf901e73622a94900473 upstream. + +Samsung explicitly states that queued TRIM is supported for Linux with +860 PRO and 860 EVO. + +Make the previous blacklist to cover only 840 and 850 series. + +Signed-off-by: Park Ju Hyung +Reviewed-by: Martin K. Petersen +Signed-off-by: Tejun Heo +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4549,7 +4549,9 @@ static const struct ata_blacklist_entry + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "Crucial_CT*MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, +- { "Samsung SSD 8*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ { "Samsung SSD 840*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ ATA_HORKAGE_ZERO_AFTER_TRIM, }, ++ { "Samsung SSD 850*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, + { "FCCT*M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM, }, diff --git a/queue-4.15/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch b/queue-4.15/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch new file mode 100644 index 00000000000..dd9b8c10374 --- /dev/null +++ b/queue-4.15/libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch @@ -0,0 +1,102 @@ +From 058f58e235cbe03e923b30ea7c49995a46a8725f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:30:56 -0800 +Subject: libata: fix length validation of ATAPI-relayed SCSI commands + +From: Eric Biggers + +commit 058f58e235cbe03e923b30ea7c49995a46a8725f upstream. + +syzkaller reported a crash in ata_bmdma_fill_sg() when writing to +/dev/sg1. The immediate cause was that the ATA command's scatterlist +was not DMA-mapped, which causes 'pi - 1' to underflow, resulting in a +write to 'qc->ap->bmdma_prd[0xffffffff]'. + +Strangely though, the flag ATA_QCFLAG_DMAMAP was set in qc->flags. The +root cause is that when __ata_scsi_queuecmd() is preparing to relay a +SCSI command to an ATAPI device, it doesn't correctly validate the CDB +length before copying it into the 16-byte buffer 'cdb' in 'struct +ata_queued_cmd'. Namely, it validates the fixed CDB length expected +based on the SCSI opcode but not the actual CDB length, which can be +larger due to the use of the SG_NEXT_CMD_LEN ioctl. Since 'flags' is +the next member in ata_queued_cmd, a buffer overflow corrupts it. + +Fix it by requiring that the actual CDB length be <= 16 (ATAPI_CDB_LEN). + +[Really it seems the length should be required to be <= dev->cdb_len, +but the current behavior seems to have been intentionally introduced by +commit 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands +in 16-byte CDBs") to work around a userspace bug in mplayer. Probably +the workaround is no longer needed (mplayer was fixed in 2007), but +continuing to allow lengths to up 16 appears harmless for now.] + +Here's a reproducer that works in QEMU when /dev/sg1 refers to the +CD-ROM drive that qemu-system-x86_64 creates by default: + + #include + #include + #include + + #define SG_NEXT_CMD_LEN 0x2283 + + int main() + { + char buf[53] = { [36] = 0x7e, [52] = 0x02 }; + int fd = open("/dev/sg1", O_RDWR); + ioctl(fd, SG_NEXT_CMD_LEN, &(int){ 17 }); + write(fd, buf, sizeof(buf)); + } + +The crash was: + + BUG: unable to handle kernel paging request at ffff8cb97db37ffc + IP: ata_bmdma_fill_sg drivers/ata/libata-sff.c:2623 [inline] + IP: ata_bmdma_qc_prep+0xa4/0xc0 drivers/ata/libata-sff.c:2727 + PGD fb6c067 P4D fb6c067 PUD 0 + Oops: 0002 [#1] SMP + CPU: 1 PID: 150 Comm: syz_ata_bmdma_q Not tainted 4.15.0-next-20180202 #99 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 + [...] + Call Trace: + ata_qc_issue+0x100/0x1d0 drivers/ata/libata-core.c:5421 + ata_scsi_translate+0xc9/0x1a0 drivers/ata/libata-scsi.c:2024 + __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4326 [inline] + ata_scsi_queuecmd+0x8c/0x210 drivers/ata/libata-scsi.c:4375 + scsi_dispatch_cmd+0xa2/0xe0 drivers/scsi/scsi_lib.c:1727 + scsi_request_fn+0x24c/0x530 drivers/scsi/scsi_lib.c:1865 + __blk_run_queue_uncond block/blk-core.c:412 [inline] + __blk_run_queue+0x3a/0x60 block/blk-core.c:432 + blk_execute_rq_nowait+0x93/0xc0 block/blk-exec.c:78 + sg_common_write.isra.7+0x272/0x5a0 drivers/scsi/sg.c:806 + sg_write+0x1ef/0x340 drivers/scsi/sg.c:677 + __vfs_write+0x31/0x160 fs/read_write.c:480 + vfs_write+0xa7/0x160 fs/read_write.c:544 + SYSC_write fs/read_write.c:589 [inline] + SyS_write+0x4d/0xc0 fs/read_write.c:581 + do_syscall_64+0x5e/0x110 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x21/0x86 + +Fixes: 607126c2a21c ("libata-scsi: be tolerant of 12-byte ATAPI commands in 16-byte CDBs") +Reported-by: syzbot+1ff6f9fcc3c35f1c72a95e26528c8e7e3276e4da@syzkaller.appspotmail.com +Cc: # v2.6.24+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -4309,7 +4309,9 @@ static inline int __ata_scsi_queuecmd(st + if (likely((scsi_op != ATA_16) || !atapi_passthru16)) { + /* relay SCSI command to ATAPI device */ + int len = COMMAND_SIZE(scsi_op); +- if (unlikely(len > scmd->cmd_len || len > dev->cdb_len)) ++ if (unlikely(len > scmd->cmd_len || ++ len > dev->cdb_len || ++ scmd->cmd_len > ATAPI_CDB_LEN)) + goto bad_cdb_len; + + xlat_func = atapi_xlat; diff --git a/queue-4.15/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch b/queue-4.15/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch new file mode 100644 index 00000000000..a92b40bda0f --- /dev/null +++ b/queue-4.15/libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch @@ -0,0 +1,41 @@ +From 3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:33:59 +0100 +Subject: libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions + +From: Hans de Goede + +commit 3bf7b5d6d017c27e0d3b160aafb35a8e7cfeda1f upstream. + +Commit b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB +drive"), introduced a ATA_HORKAGE_NOLPM quirk for Crucial BX100 500GB SSDs +but limited this to the MU02 firmware version, according to: +http://www.crucial.com/usa/en/support-ssd-firmware + +MU02 is the last version, so there are no newer possibly fixed versions +and if the MU02 version has broken LPM then the MU01 almost certainly +also has broken LPM, so this commit changes the quirk to apply to all +firmware versions. + +Fixes: b17e5729a630 ("libata: disable LPM for Crucial BX100 SSD 500GB...") +Cc: stable@vger.kernel.org +Cc: Kai-Heng Feng +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4531,7 +4531,7 @@ static const struct ata_blacklist_entry + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + + /* Crucial BX100 SSD 500GB has broken LPM support */ +- { "CT500BX100SSD1", "MU02", ATA_HORKAGE_NOLPM }, ++ { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, + + /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ + { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.15/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch b/queue-4.15/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch new file mode 100644 index 00000000000..4fd770d339d --- /dev/null +++ b/queue-4.15/libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch @@ -0,0 +1,49 @@ +From d418ff56b8f2d2b296daafa8da151fe27689b757 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 19 Mar 2018 16:34:00 +0100 +Subject: libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version + +From: Hans de Goede + +commit d418ff56b8f2d2b296daafa8da151fe27689b757 upstream. + +When commit 9c7be59fc519af ("libata: Apply NOLPM quirk to Crucial MX100 +512GB SSDs") was added it inherited the ATA_HORKAGE_NO_NCQ_TRIM quirk +from the existing "Crucial_CT*MX100*" entry, but that entry sets model_rev +to "MU01", where as the entry adding the NOLPM quirk sets it to NULL. + +This means that after this commit we no apply the NO_NCQ_TRIM quirk to +all "Crucial_CT512MX100*" SSDs even if they have the fixed "MU02" +firmware. This commit splits the "Crucial_CT512MX100*" quirk into 2 +quirks, one for the "MU01" firmware and one for all other firmware +versions, so that we once again only apply the NO_NCQ_TRIM quirk to the +"MU01" firmware version. + +Fixes: 9c7be59fc519af ("libata: Apply NOLPM quirk to ... MX100 512GB SSDs") +Cc: stable@vger.kernel.org +Signed-off-by: Hans de Goede +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4533,10 +4533,13 @@ static const struct ata_blacklist_entry + /* Crucial BX100 SSD 500GB has broken LPM support */ + { "CT500BX100SSD1", NULL, ATA_HORKAGE_NOLPM }, + +- /* The 512GB version of the MX100 has both queued TRIM and LPM issues */ +- { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | ++ /* 512GB MX100 with MU01 firmware has both queued TRIM and LPM issues */ ++ { "Crucial_CT512MX100*", "MU01", ATA_HORKAGE_NO_NCQ_TRIM | + ATA_HORKAGE_ZERO_AFTER_TRIM | + ATA_HORKAGE_NOLPM, }, ++ /* 512GB MX100 with newer firmware has only LPM issues */ ++ { "Crucial_CT512MX100*", NULL, ATA_HORKAGE_ZERO_AFTER_TRIM | ++ ATA_HORKAGE_NOLPM, }, + + /* 480GB+ M500 SSDs have both queued TRIM and LPM issues */ + { "Crucial_CT480M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM | diff --git a/queue-4.15/libata-remove-warn-for-dma-or-pio-command-without-data.patch b/queue-4.15/libata-remove-warn-for-dma-or-pio-command-without-data.patch new file mode 100644 index 00000000000..03a5eca0f7b --- /dev/null +++ b/queue-4.15/libata-remove-warn-for-dma-or-pio-command-without-data.patch @@ -0,0 +1,51 @@ +From 9173e5e80729c8434b8d27531527c5245f4a5594 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Sat, 3 Feb 2018 20:33:27 -0800 +Subject: libata: remove WARN() for DMA or PIO command without data + +From: Eric Biggers + +commit 9173e5e80729c8434b8d27531527c5245f4a5594 upstream. + +syzkaller hit a WARN() in ata_qc_issue() when writing to /dev/sg0. This +happened because it issued a READ_6 command with no data buffer. + +Just remove the WARN(), as it doesn't appear indicate a kernel bug. The +expected behavior is to fail the command, which the code does. + +Here's a reproducer that works in QEMU when /dev/sg0 refers to a disk of +the default type ("82371SB PIIX3 IDE"): + + #include + #include + + int main() + { + char buf[42] = { [36] = 0x8 /* READ_6 */ }; + + write(open("/dev/sg0", O_RDWR), buf, sizeof(buf)); + } + +Fixes: f92a26365a72 ("libata: change ATA_QCFLAG_DMAMAP semantics") +Reported-by: syzbot+f7b556d1766502a69d85071d2ff08bd87be53d0f@syzkaller.appspotmail.com +Cc: # v2.6.25+ +Signed-off-by: Eric Biggers +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -5401,8 +5401,7 @@ void ata_qc_issue(struct ata_queued_cmd + * We guarantee to LLDs that they will have at least one + * non-zero sg if the command is a data command. + */ +- if (WARN_ON_ONCE(ata_is_data(prot) && +- (!qc->sg || !qc->n_elem || !qc->nbytes))) ++ if (ata_is_data(prot) && (!qc->sg || !qc->n_elem || !qc->nbytes)) + goto sys_err; + + if (ata_is_dma(prot) || (ata_is_pio(prot) && diff --git a/queue-4.15/media-tegra-cec-reset-rx_buf_cnt-when-start-bit-detected.patch b/queue-4.15/media-tegra-cec-reset-rx_buf_cnt-when-start-bit-detected.patch new file mode 100644 index 00000000000..9e166edc4db --- /dev/null +++ b/queue-4.15/media-tegra-cec-reset-rx_buf_cnt-when-start-bit-detected.patch @@ -0,0 +1,62 @@ +From e113d65ae417ae6d9be229649b81d404c47ade79 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Wed, 28 Feb 2018 05:47:07 -0500 +Subject: media: tegra-cec: reset rx_buf_cnt when start bit detected + +From: Hans Verkuil + +commit e113d65ae417ae6d9be229649b81d404c47ade79 upstream. + +If a start bit is detected, then reset the receive buffer counter to 0. + +This ensures that no stale data is in the buffer if a message is +broken off midstream due to e.g. a Low Drive condition and then +retransmitted. + +The only Rx interrupts we need to listen to are RX_REGISTER_FULL (i.e. +a valid byte was received) and RX_START_BIT_DETECTED (i.e. a new +message starts and we need to reset the counter). + +Signed-off-by: Hans Verkuil +Cc: # for v4.15 and up +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/tegra-cec/tegra_cec.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +--- a/drivers/media/platform/tegra-cec/tegra_cec.c ++++ b/drivers/media/platform/tegra-cec/tegra_cec.c +@@ -172,16 +172,13 @@ static irqreturn_t tegra_cec_irq_handler + } + } + +- if (status & (TEGRA_CEC_INT_STAT_RX_REGISTER_OVERRUN | +- TEGRA_CEC_INT_STAT_RX_BUS_ANOMALY_DETECTED | +- TEGRA_CEC_INT_STAT_RX_START_BIT_DETECTED | +- TEGRA_CEC_INT_STAT_RX_BUS_ERROR_DETECTED)) { ++ if (status & TEGRA_CEC_INT_STAT_RX_START_BIT_DETECTED) { + cec_write(cec, TEGRA_CEC_INT_STAT, +- (TEGRA_CEC_INT_STAT_RX_REGISTER_OVERRUN | +- TEGRA_CEC_INT_STAT_RX_BUS_ANOMALY_DETECTED | +- TEGRA_CEC_INT_STAT_RX_START_BIT_DETECTED | +- TEGRA_CEC_INT_STAT_RX_BUS_ERROR_DETECTED)); +- } else if (status & TEGRA_CEC_INT_STAT_RX_REGISTER_FULL) { ++ TEGRA_CEC_INT_STAT_RX_START_BIT_DETECTED); ++ cec->rx_done = false; ++ cec->rx_buf_cnt = 0; ++ } ++ if (status & TEGRA_CEC_INT_STAT_RX_REGISTER_FULL) { + u32 v; + + cec_write(cec, TEGRA_CEC_INT_STAT, +@@ -255,7 +252,7 @@ static int tegra_cec_adap_enable(struct + TEGRA_CEC_INT_MASK_TX_BUS_ANOMALY_DETECTED | + TEGRA_CEC_INT_MASK_TX_FRAME_TRANSMITTED | + TEGRA_CEC_INT_MASK_RX_REGISTER_FULL | +- TEGRA_CEC_INT_MASK_RX_REGISTER_OVERRUN); ++ TEGRA_CEC_INT_MASK_RX_START_BIT_DETECTED); + + cec_write(cec, TEGRA_CEC_HW_CONTROL, TEGRA_CEC_HWCTRL_TX_RX_MODE); + return 0; diff --git a/queue-4.15/nfsd-remove-blocked-locks-on-client-teardown.patch b/queue-4.15/nfsd-remove-blocked-locks-on-client-teardown.patch new file mode 100644 index 00000000000..cde05498591 --- /dev/null +++ b/queue-4.15/nfsd-remove-blocked-locks-on-client-teardown.patch @@ -0,0 +1,142 @@ +From 68ef3bc3166468678d5e1fdd216628c35bd1186f Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 16 Mar 2018 11:32:02 -0400 +Subject: nfsd: remove blocked locks on client teardown + +From: Jeff Layton + +commit 68ef3bc3166468678d5e1fdd216628c35bd1186f upstream. + +We had some reports of panics in nfsd4_lm_notify, and that showed a +nfs4_lockowner that had outlived its so_client. + +Ensure that we walk any leftover lockowners after tearing down all of +the stateids, and remove any blocked locks that they hold. + +With this change, we also don't need to walk the nbl_lru on nfsd_net +shutdown, as that will happen naturally when we tear down the clients. + +Fixes: 76d348fadff5 (nfsd: have nfsd4_lock use blocking locks for v4.1+ locks) +Reported-by: Frank Sorenson +Signed-off-by: Jeff Layton +Cc: stable@vger.kernel.org # 4.9 +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4state.c | 62 ++++++++++++++++++++++++++++++++++++---------------- + 1 file changed, 43 insertions(+), 19 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -268,6 +268,35 @@ free_blocked_lock(struct nfsd4_blocked_l + kfree(nbl); + } + ++static void ++remove_blocked_locks(struct nfs4_lockowner *lo) ++{ ++ struct nfs4_client *clp = lo->lo_owner.so_client; ++ struct nfsd_net *nn = net_generic(clp->net, nfsd_net_id); ++ struct nfsd4_blocked_lock *nbl; ++ LIST_HEAD(reaplist); ++ ++ /* Dequeue all blocked locks */ ++ spin_lock(&nn->blocked_locks_lock); ++ while (!list_empty(&lo->lo_blocked)) { ++ nbl = list_first_entry(&lo->lo_blocked, ++ struct nfsd4_blocked_lock, ++ nbl_list); ++ list_del_init(&nbl->nbl_list); ++ list_move(&nbl->nbl_lru, &reaplist); ++ } ++ spin_unlock(&nn->blocked_locks_lock); ++ ++ /* Now free them */ ++ while (!list_empty(&reaplist)) { ++ nbl = list_first_entry(&reaplist, struct nfsd4_blocked_lock, ++ nbl_lru); ++ list_del_init(&nbl->nbl_lru); ++ posix_unblock_lock(&nbl->nbl_lock); ++ free_blocked_lock(nbl); ++ } ++} ++ + static int + nfsd4_cb_notify_lock_done(struct nfsd4_callback *cb, struct rpc_task *task) + { +@@ -1866,6 +1895,7 @@ static __be32 mark_client_expired_locked + static void + __destroy_client(struct nfs4_client *clp) + { ++ int i; + struct nfs4_openowner *oo; + struct nfs4_delegation *dp; + struct list_head reaplist; +@@ -1895,6 +1925,16 @@ __destroy_client(struct nfs4_client *clp + nfs4_get_stateowner(&oo->oo_owner); + release_openowner(oo); + } ++ for (i = 0; i < OWNER_HASH_SIZE; i++) { ++ struct nfs4_stateowner *so, *tmp; ++ ++ list_for_each_entry_safe(so, tmp, &clp->cl_ownerstr_hashtbl[i], ++ so_strhash) { ++ /* Should be no openowners at this point */ ++ WARN_ON_ONCE(so->so_is_open_owner); ++ remove_blocked_locks(lockowner(so)); ++ } ++ } + nfsd4_return_all_client_layouts(clp); + nfsd4_shutdown_callback(clp); + if (clp->cl_cb_conn.cb_xprt) +@@ -6358,6 +6398,7 @@ nfsd4_release_lockowner(struct svc_rqst + } + spin_unlock(&clp->cl_lock); + free_ol_stateid_reaplist(&reaplist); ++ remove_blocked_locks(lo); + nfs4_put_stateowner(&lo->lo_owner); + + return status; +@@ -7143,6 +7184,8 @@ nfs4_state_destroy_net(struct net *net) + } + } + ++ WARN_ON(!list_empty(&nn->blocked_locks_lru)); ++ + for (i = 0; i < CLIENT_HASH_SIZE; i++) { + while (!list_empty(&nn->unconf_id_hashtbl[i])) { + clp = list_entry(nn->unconf_id_hashtbl[i].next, struct nfs4_client, cl_idhash); +@@ -7209,7 +7252,6 @@ nfs4_state_shutdown_net(struct net *net) + struct nfs4_delegation *dp = NULL; + struct list_head *pos, *next, reaplist; + struct nfsd_net *nn = net_generic(net, nfsd_net_id); +- struct nfsd4_blocked_lock *nbl; + + cancel_delayed_work_sync(&nn->laundromat_work); + locks_end_grace(&nn->nfsd4_manager); +@@ -7230,24 +7272,6 @@ nfs4_state_shutdown_net(struct net *net) + nfs4_put_stid(&dp->dl_stid); + } + +- BUG_ON(!list_empty(&reaplist)); +- spin_lock(&nn->blocked_locks_lock); +- while (!list_empty(&nn->blocked_locks_lru)) { +- nbl = list_first_entry(&nn->blocked_locks_lru, +- struct nfsd4_blocked_lock, nbl_lru); +- list_move(&nbl->nbl_lru, &reaplist); +- list_del_init(&nbl->nbl_list); +- } +- spin_unlock(&nn->blocked_locks_lock); +- +- while (!list_empty(&reaplist)) { +- nbl = list_first_entry(&reaplist, +- struct nfsd4_blocked_lock, nbl_lru); +- list_del_init(&nbl->nbl_lru); +- posix_unblock_lock(&nbl->nbl_lock); +- free_blocked_lock(nbl); +- } +- + nfsd4_client_tracking_exit(net); + nfs4_state_destroy_net(net); + } diff --git a/queue-4.15/pinctrl-samsung-validate-alias-coming-from-dt.patch b/queue-4.15/pinctrl-samsung-validate-alias-coming-from-dt.patch new file mode 100644 index 00000000000..4f0f5826516 --- /dev/null +++ b/queue-4.15/pinctrl-samsung-validate-alias-coming-from-dt.patch @@ -0,0 +1,510 @@ +From 93b0beae721b3344923b4b8317e9d83b542f4ca6 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 20 Feb 2018 19:17:51 +0100 +Subject: pinctrl: samsung: Validate alias coming from DT + +From: Krzysztof Kozlowski + +commit 93b0beae721b3344923b4b8317e9d83b542f4ca6 upstream. + +Driver uses alias from Device Tree as an index of pin controller data +array. In case of a wrong DTB or an out-of-tree DTB, the alias could be +outside of this data array leading to out-of-bounds access. + +Depending on binary and memory layout, this could be handled properly +(showing error like "samsung-pinctrl 3860000.pinctrl: driver data not +available") or could lead to exceptions. + +Reported-by: Geert Uytterhoeven +Cc: +Fixes: 30574f0db1b1 ("pinctrl: add samsung pinctrl and gpiolib driver") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Geert Uytterhoeven +Acked-by: Tomasz Figa +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pinctrl/samsung/pinctrl-exynos-arm.c | 56 +++++++++++++++++++--- + drivers/pinctrl/samsung/pinctrl-exynos-arm64.c | 14 ++++- + drivers/pinctrl/samsung/pinctrl-s3c24xx.c | 28 +++++++++-- + drivers/pinctrl/samsung/pinctrl-s3c64xx.c | 7 ++ + drivers/pinctrl/samsung/pinctrl-samsung.c | 61 +++++++++++++++---------- + drivers/pinctrl/samsung/pinctrl-samsung.h | 40 ++++++++++------ + 6 files changed, 154 insertions(+), 52 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm.c +@@ -129,7 +129,7 @@ static const struct samsung_pin_bank_dat + EXYNOS_PIN_BANK_EINTW(8, 0xc60, "gph3", 0x0c), + }; + +-const struct samsung_pin_ctrl s5pv210_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s5pv210_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = s5pv210_pin_bank, +@@ -142,6 +142,11 @@ const struct samsung_pin_ctrl s5pv210_pi + }, + }; + ++const struct samsung_pinctrl_of_match_data s5pv210_of_data __initconst = { ++ .ctrl = s5pv210_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s5pv210_pin_ctrl), ++}; ++ + /* Pad retention control code for accessing PMU regmap */ + static atomic_t exynos_shared_retention_refcnt; + +@@ -204,7 +209,7 @@ static const struct samsung_retention_da + * Samsung pinctrl driver data for Exynos3250 SoC. Exynos3250 SoC includes + * two gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos3250_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos3250_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos3250_pin_banks0, +@@ -225,6 +230,11 @@ const struct samsung_pin_ctrl exynos3250 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos3250_of_data __initconst = { ++ .ctrl = exynos3250_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos3250_pin_ctrl), ++}; ++ + /* pin banks of exynos4210 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos4210_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(8, 0x000, "gpa0", 0x00), +@@ -308,7 +318,7 @@ static const struct samsung_retention_da + * Samsung pinctrl driver data for Exynos4210 SoC. Exynos4210 SoC includes + * three gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos4210_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos4210_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos4210_pin_banks0, +@@ -334,6 +344,11 @@ const struct samsung_pin_ctrl exynos4210 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos4210_of_data __initconst = { ++ .ctrl = exynos4210_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos4210_pin_ctrl), ++}; ++ + /* pin banks of exynos4x12 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos4x12_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(8, 0x000, "gpa0", 0x00), +@@ -396,7 +411,7 @@ static const struct samsung_pin_bank_dat + * Samsung pinctrl driver data for Exynos4x12 SoC. Exynos4x12 SoC includes + * four gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos4x12_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos4x12_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos4x12_pin_banks0, +@@ -432,6 +447,11 @@ const struct samsung_pin_ctrl exynos4x12 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos4x12_of_data __initconst = { ++ .ctrl = exynos4x12_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos4x12_pin_ctrl), ++}; ++ + /* pin banks of exynos5250 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos5250_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(8, 0x000, "gpa0", 0x00), +@@ -492,7 +512,7 @@ static const struct samsung_pin_bank_dat + * Samsung pinctrl driver data for Exynos5250 SoC. Exynos5250 SoC includes + * four gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos5250_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos5250_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos5250_pin_banks0, +@@ -528,6 +548,11 @@ const struct samsung_pin_ctrl exynos5250 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos5250_of_data __initconst = { ++ .ctrl = exynos5250_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos5250_pin_ctrl), ++}; ++ + /* pin banks of exynos5260 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos5260_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(4, 0x000, "gpa0", 0x00), +@@ -572,7 +597,7 @@ static const struct samsung_pin_bank_dat + * Samsung pinctrl driver data for Exynos5260 SoC. Exynos5260 SoC includes + * three gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos5260_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos5260_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos5260_pin_banks0, +@@ -592,6 +617,11 @@ const struct samsung_pin_ctrl exynos5260 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos5260_of_data __initconst = { ++ .ctrl = exynos5260_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos5260_pin_ctrl), ++}; ++ + /* pin banks of exynos5410 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos5410_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(8, 0x000, "gpa0", 0x00), +@@ -662,7 +692,7 @@ static const struct samsung_pin_bank_dat + * Samsung pinctrl driver data for Exynos5410 SoC. Exynos5410 SoC includes + * four gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos5410_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos5410_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos5410_pin_banks0, +@@ -695,6 +725,11 @@ const struct samsung_pin_ctrl exynos5410 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos5410_of_data __initconst = { ++ .ctrl = exynos5410_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos5410_pin_ctrl), ++}; ++ + /* pin banks of exynos5420 pin-controller 0 */ + static const struct samsung_pin_bank_data exynos5420_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTG(8, 0x000, "gpy7", 0x00), +@@ -779,7 +814,7 @@ static const struct samsung_retention_da + * Samsung pinctrl driver data for Exynos5420 SoC. Exynos5420 SoC includes + * four gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos5420_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos5420_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos5420_pin_banks0, +@@ -813,3 +848,8 @@ const struct samsung_pin_ctrl exynos5420 + .retention_data = &exynos4_audio_retention_data, + }, + }; ++ ++const struct samsung_pinctrl_of_match_data exynos5420_of_data __initconst = { ++ .ctrl = exynos5420_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos5420_pin_ctrl), ++}; +--- a/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c ++++ b/drivers/pinctrl/samsung/pinctrl-exynos-arm64.c +@@ -180,7 +180,7 @@ static const struct samsung_retention_da + * Samsung pinctrl driver data for Exynos5433 SoC. Exynos5433 SoC includes + * ten gpio/pin-mux/pinconfig controllers. + */ +-const struct samsung_pin_ctrl exynos5433_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos5433_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 data */ + .pin_banks = exynos5433_pin_banks0, +@@ -265,6 +265,11 @@ const struct samsung_pin_ctrl exynos5433 + }, + }; + ++const struct samsung_pinctrl_of_match_data exynos5433_of_data __initconst = { ++ .ctrl = exynos5433_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos5433_pin_ctrl), ++}; ++ + /* pin banks of exynos7 pin-controller - ALIVE */ + static const struct samsung_pin_bank_data exynos7_pin_banks0[] __initconst = { + EXYNOS_PIN_BANK_EINTW(8, 0x000, "gpa0", 0x00), +@@ -344,7 +349,7 @@ static const struct samsung_pin_bank_dat + EXYNOS_PIN_BANK_EINTG(4, 0x020, "gpz1", 0x04), + }; + +-const struct samsung_pin_ctrl exynos7_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl exynos7_pin_ctrl[] __initconst = { + { + /* pin-controller instance 0 Alive data */ + .pin_banks = exynos7_pin_banks0, +@@ -397,3 +402,8 @@ const struct samsung_pin_ctrl exynos7_pi + .eint_gpio_init = exynos_eint_gpio_init, + }, + }; ++ ++const struct samsung_pinctrl_of_match_data exynos7_of_data __initconst = { ++ .ctrl = exynos7_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(exynos7_pin_ctrl), ++}; +--- a/drivers/pinctrl/samsung/pinctrl-s3c24xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c24xx.c +@@ -570,7 +570,7 @@ static const struct samsung_pin_bank_dat + PIN_BANK_2BIT(13, 0x080, "gpj"), + }; + +-const struct samsung_pin_ctrl s3c2412_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s3c2412_pin_ctrl[] __initconst = { + { + .pin_banks = s3c2412_pin_banks, + .nr_banks = ARRAY_SIZE(s3c2412_pin_banks), +@@ -578,6 +578,11 @@ const struct samsung_pin_ctrl s3c2412_pi + }, + }; + ++const struct samsung_pinctrl_of_match_data s3c2412_of_data __initconst = { ++ .ctrl = s3c2412_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s3c2412_pin_ctrl), ++}; ++ + static const struct samsung_pin_bank_data s3c2416_pin_banks[] __initconst = { + PIN_BANK_A(27, 0x000, "gpa"), + PIN_BANK_2BIT(11, 0x010, "gpb"), +@@ -592,7 +597,7 @@ static const struct samsung_pin_bank_dat + PIN_BANK_2BIT(2, 0x100, "gpm"), + }; + +-const struct samsung_pin_ctrl s3c2416_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s3c2416_pin_ctrl[] __initconst = { + { + .pin_banks = s3c2416_pin_banks, + .nr_banks = ARRAY_SIZE(s3c2416_pin_banks), +@@ -600,6 +605,11 @@ const struct samsung_pin_ctrl s3c2416_pi + }, + }; + ++const struct samsung_pinctrl_of_match_data s3c2416_of_data __initconst = { ++ .ctrl = s3c2416_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s3c2416_pin_ctrl), ++}; ++ + static const struct samsung_pin_bank_data s3c2440_pin_banks[] __initconst = { + PIN_BANK_A(25, 0x000, "gpa"), + PIN_BANK_2BIT(11, 0x010, "gpb"), +@@ -612,7 +622,7 @@ static const struct samsung_pin_bank_dat + PIN_BANK_2BIT(13, 0x0d0, "gpj"), + }; + +-const struct samsung_pin_ctrl s3c2440_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s3c2440_pin_ctrl[] __initconst = { + { + .pin_banks = s3c2440_pin_banks, + .nr_banks = ARRAY_SIZE(s3c2440_pin_banks), +@@ -620,6 +630,11 @@ const struct samsung_pin_ctrl s3c2440_pi + }, + }; + ++const struct samsung_pinctrl_of_match_data s3c2440_of_data __initconst = { ++ .ctrl = s3c2440_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s3c2440_pin_ctrl), ++}; ++ + static const struct samsung_pin_bank_data s3c2450_pin_banks[] __initconst = { + PIN_BANK_A(28, 0x000, "gpa"), + PIN_BANK_2BIT(11, 0x010, "gpb"), +@@ -635,10 +650,15 @@ static const struct samsung_pin_bank_dat + PIN_BANK_2BIT(2, 0x100, "gpm"), + }; + +-const struct samsung_pin_ctrl s3c2450_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s3c2450_pin_ctrl[] __initconst = { + { + .pin_banks = s3c2450_pin_banks, + .nr_banks = ARRAY_SIZE(s3c2450_pin_banks), + .eint_wkup_init = s3c24xx_eint_init, + }, + }; ++ ++const struct samsung_pinctrl_of_match_data s3c2450_of_data __initconst = { ++ .ctrl = s3c2450_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s3c2450_pin_ctrl), ++}; +--- a/drivers/pinctrl/samsung/pinctrl-s3c64xx.c ++++ b/drivers/pinctrl/samsung/pinctrl-s3c64xx.c +@@ -794,7 +794,7 @@ static const struct samsung_pin_bank_dat + * Samsung pinctrl driver data for S3C64xx SoC. S3C64xx SoC includes + * one gpio/pin-mux/pinconfig controller. + */ +-const struct samsung_pin_ctrl s3c64xx_pin_ctrl[] __initconst = { ++static const struct samsung_pin_ctrl s3c64xx_pin_ctrl[] __initconst = { + { + /* pin-controller instance 1 data */ + .pin_banks = s3c64xx_pin_banks0, +@@ -803,3 +803,8 @@ const struct samsung_pin_ctrl s3c64xx_pi + .eint_wkup_init = s3c64xx_eint_eint0_init, + }, + }; ++ ++const struct samsung_pinctrl_of_match_data s3c64xx_of_data __initconst = { ++ .ctrl = s3c64xx_pin_ctrl, ++ .num_ctrl = ARRAY_SIZE(s3c64xx_pin_ctrl), ++}; +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -947,12 +947,33 @@ static int samsung_gpiolib_register(stru + return 0; + } + ++static const struct samsung_pin_ctrl * ++samsung_pinctrl_get_soc_data_for_of_alias(struct platform_device *pdev) ++{ ++ struct device_node *node = pdev->dev.of_node; ++ const struct samsung_pinctrl_of_match_data *of_data; ++ int id; ++ ++ id = of_alias_get_id(node, "pinctrl"); ++ if (id < 0) { ++ dev_err(&pdev->dev, "failed to get alias id\n"); ++ return NULL; ++ } ++ ++ of_data = of_device_get_match_data(&pdev->dev); ++ if (id >= of_data->num_ctrl) { ++ dev_err(&pdev->dev, "invalid alias id %d\n", id); ++ return NULL; ++ } ++ ++ return &(of_data->ctrl[id]); ++} ++ + /* retrieve the soc specific data */ + static const struct samsung_pin_ctrl * + samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d, + struct platform_device *pdev) + { +- int id; + struct device_node *node = pdev->dev.of_node; + struct device_node *np; + const struct samsung_pin_bank_data *bdata; +@@ -962,13 +983,9 @@ samsung_pinctrl_get_soc_data(struct sams + void __iomem *virt_base[SAMSUNG_PINCTRL_NUM_RESOURCES]; + unsigned int i; + +- id = of_alias_get_id(node, "pinctrl"); +- if (id < 0) { +- dev_err(&pdev->dev, "failed to get alias id\n"); ++ ctrl = samsung_pinctrl_get_soc_data_for_of_alias(pdev); ++ if (!ctrl) + return ERR_PTR(-ENOENT); +- } +- ctrl = of_device_get_match_data(&pdev->dev); +- ctrl += id; + + d->suspend = ctrl->suspend; + d->resume = ctrl->resume; +@@ -1193,41 +1210,41 @@ static int __maybe_unused samsung_pinctr + static const struct of_device_id samsung_pinctrl_dt_match[] = { + #ifdef CONFIG_PINCTRL_EXYNOS_ARM + { .compatible = "samsung,exynos3250-pinctrl", +- .data = exynos3250_pin_ctrl }, ++ .data = &exynos3250_of_data }, + { .compatible = "samsung,exynos4210-pinctrl", +- .data = exynos4210_pin_ctrl }, ++ .data = &exynos4210_of_data }, + { .compatible = "samsung,exynos4x12-pinctrl", +- .data = exynos4x12_pin_ctrl }, ++ .data = &exynos4x12_of_data }, + { .compatible = "samsung,exynos5250-pinctrl", +- .data = exynos5250_pin_ctrl }, ++ .data = &exynos5250_of_data }, + { .compatible = "samsung,exynos5260-pinctrl", +- .data = exynos5260_pin_ctrl }, ++ .data = &exynos5260_of_data }, + { .compatible = "samsung,exynos5410-pinctrl", +- .data = exynos5410_pin_ctrl }, ++ .data = &exynos5410_of_data }, + { .compatible = "samsung,exynos5420-pinctrl", +- .data = exynos5420_pin_ctrl }, ++ .data = &exynos5420_of_data }, + { .compatible = "samsung,s5pv210-pinctrl", +- .data = s5pv210_pin_ctrl }, ++ .data = &s5pv210_of_data }, + #endif + #ifdef CONFIG_PINCTRL_EXYNOS_ARM64 + { .compatible = "samsung,exynos5433-pinctrl", +- .data = exynos5433_pin_ctrl }, ++ .data = &exynos5433_of_data }, + { .compatible = "samsung,exynos7-pinctrl", +- .data = exynos7_pin_ctrl }, ++ .data = &exynos7_of_data }, + #endif + #ifdef CONFIG_PINCTRL_S3C64XX + { .compatible = "samsung,s3c64xx-pinctrl", +- .data = s3c64xx_pin_ctrl }, ++ .data = &s3c64xx_of_data }, + #endif + #ifdef CONFIG_PINCTRL_S3C24XX + { .compatible = "samsung,s3c2412-pinctrl", +- .data = s3c2412_pin_ctrl }, ++ .data = &s3c2412_of_data }, + { .compatible = "samsung,s3c2416-pinctrl", +- .data = s3c2416_pin_ctrl }, ++ .data = &s3c2416_of_data }, + { .compatible = "samsung,s3c2440-pinctrl", +- .data = s3c2440_pin_ctrl }, ++ .data = &s3c2440_of_data }, + { .compatible = "samsung,s3c2450-pinctrl", +- .data = s3c2450_pin_ctrl }, ++ .data = &s3c2450_of_data }, + #endif + {}, + }; +--- a/drivers/pinctrl/samsung/pinctrl-samsung.h ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.h +@@ -286,6 +286,16 @@ struct samsung_pinctrl_drv_data { + }; + + /** ++ * struct samsung_pinctrl_of_match_data: OF match device specific configuration data. ++ * @ctrl: array of pin controller data. ++ * @num_ctrl: size of array @ctrl. ++ */ ++struct samsung_pinctrl_of_match_data { ++ const struct samsung_pin_ctrl *ctrl; ++ unsigned int num_ctrl; ++}; ++ ++/** + * struct samsung_pin_group: represent group of pins of a pinmux function. + * @name: name of the pin group, used to lookup the group. + * @pins: the pins included in this group. +@@ -313,20 +323,20 @@ struct samsung_pmx_func { + }; + + /* list of all exported SoC specific data */ +-extern const struct samsung_pin_ctrl exynos3250_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos4210_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos4x12_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos5250_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos5260_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos5410_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos5420_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos5433_pin_ctrl[]; +-extern const struct samsung_pin_ctrl exynos7_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s3c64xx_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s3c2412_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s3c2416_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s3c2440_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s3c2450_pin_ctrl[]; +-extern const struct samsung_pin_ctrl s5pv210_pin_ctrl[]; ++extern const struct samsung_pinctrl_of_match_data exynos3250_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos4210_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos4x12_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos5250_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos5260_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos5410_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos5420_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos5433_of_data; ++extern const struct samsung_pinctrl_of_match_data exynos7_of_data; ++extern const struct samsung_pinctrl_of_match_data s3c64xx_of_data; ++extern const struct samsung_pinctrl_of_match_data s3c2412_of_data; ++extern const struct samsung_pinctrl_of_match_data s3c2416_of_data; ++extern const struct samsung_pinctrl_of_match_data s3c2440_of_data; ++extern const struct samsung_pinctrl_of_match_data s3c2450_of_data; ++extern const struct samsung_pinctrl_of_match_data s5pv210_of_data; + + #endif /* __PINCTRL_SAMSUNG_H */ diff --git a/queue-4.15/sched-cgroup-don-t-reject-lower-cpu.max-on-ancestors.patch b/queue-4.15/sched-cgroup-don-t-reject-lower-cpu.max-on-ancestors.patch new file mode 100644 index 00000000000..f6c922f5191 --- /dev/null +++ b/queue-4.15/sched-cgroup-don-t-reject-lower-cpu.max-on-ancestors.patch @@ -0,0 +1,59 @@ +From c53593e5cb693d59d9e8b64fb3a79436bf99c3b3 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 22 Jan 2018 11:26:18 -0800 +Subject: sched, cgroup: Don't reject lower cpu.max on ancestors + +From: Tejun Heo + +commit c53593e5cb693d59d9e8b64fb3a79436bf99c3b3 upstream. + +While adding cgroup2 interface for the cpu controller, 0d5936344f30 +("sched: Implement interface for cgroup unified hierarchy") forgot to +update input validation and left it to reject cpu.max config if any +descendant has set a higher value. + +cgroup2 officially supports delegation and a descendant must not be +able to restrict what its ancestors can configure. For absolute +limits such as cpu.max and memory.max, this means that the config at +each level should only act as the upper limit at that level and +shouldn't interfere with what other cgroups can configure. + +This patch updates config validation on cgroup2 so that the cpu +controller follows the same convention. + +Signed-off-by: Tejun Heo +Fixes: 0d5936344f30 ("sched: Implement interface for cgroup unified hierarchy") +Acked-by: Peter Zijlstra (Intel) +Cc: stable@vger.kernel.org # v4.15+ +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/core.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +--- a/kernel/sched/core.c ++++ b/kernel/sched/core.c +@@ -6611,13 +6611,18 @@ static int tg_cfs_schedulable_down(struc + parent_quota = parent_b->hierarchical_quota; + + /* +- * Ensure max(child_quota) <= parent_quota, inherit when no ++ * Ensure max(child_quota) <= parent_quota. On cgroup2, ++ * always take the min. On cgroup1, only inherit when no + * limit is set: + */ +- if (quota == RUNTIME_INF) +- quota = parent_quota; +- else if (parent_quota != RUNTIME_INF && quota > parent_quota) +- return -EINVAL; ++ if (cgroup_subsys_on_dfl(cpu_cgrp_subsys)) { ++ quota = min(quota, parent_quota); ++ } else { ++ if (quota == RUNTIME_INF) ++ quota = parent_quota; ++ else if (parent_quota != RUNTIME_INF && quota > parent_quota) ++ return -EINVAL; ++ } + } + cfs_b->hierarchical_quota = quota; + diff --git a/queue-4.15/series b/queue-4.15/series index 075a38cc134..17e230c0819 100644 --- a/queue-4.15/series +++ b/queue-4.15/series @@ -27,3 +27,20 @@ clk-bcm2835-protect-sections-updating-shared-registers.patch clk-sunxi-ng-a31-fix-clk_out_-clock-ops.patch rdma-mlx5-fix-crash-while-accessing-garbage-pointer-and-freed-memory.patch drivers-hv-vmbus-fix-ring-buffer-signaling.patch +pinctrl-samsung-validate-alias-coming-from-dt.patch +bluetooth-btusb-remove-yoga-920-from-the-btusb_needs_reset_resume_table.patch +bluetooth-btusb-add-dell-optiplex-3060-to-btusb_needs_reset_resume_table.patch +bluetooth-btusb-fix-quirk-for-atheros-1525-qca6174.patch +libata-fix-length-validation-of-atapi-relayed-scsi-commands.patch +libata-remove-warn-for-dma-or-pio-command-without-data.patch +libata-don-t-try-to-pass-through-ncq-commands-to-non-ncq-devices.patch +libata-apply-nolpm-quirk-to-crucial-mx100-512gb-ssds.patch +libata-disable-lpm-for-crucial-bx100-ssd-500gb-drive.patch +libata-enable-queued-trim-for-samsung-ssd-860.patch +libata-apply-nolpm-quirk-to-crucial-m500-480-and-960gb-ssds.patch +libata-make-crucial-bx100-500gb-lpm-quirk-apply-to-all-firmware-versions.patch +libata-modify-quirks-for-mx100-to-limit-ncq_trim-quirk-to-mu01-version.patch +sched-cgroup-don-t-reject-lower-cpu.max-on-ancestors.patch +cgroup-fix-rule-checking-for-threaded-mode-switching.patch +nfsd-remove-blocked-locks-on-client-teardown.patch +media-tegra-cec-reset-rx_buf_cnt-when-start-bit-detected.patch