From: Sasha Levin Date: Wed, 14 Aug 2019 02:33:31 +0000 (-0400) Subject: fixes for 4.9 X-Git-Tag: v5.2.9~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8bcec5d13c2a1162d78f3e932a2f82a2e5283612;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch b/queue-4.9/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch new file mode 100644 index 00000000000..fa6b22f01af --- /dev/null +++ b/queue-4.9/acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch @@ -0,0 +1,48 @@ +From cd8feeba05c183494550b42900e665bc7606cce2 Mon Sep 17 00:00:00 2001 +From: Lorenzo Pieralisi +Date: Mon, 22 Jul 2019 17:25:48 +0100 +Subject: ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() + +[ Upstream commit 5a46d3f71d5e5a9f82eabc682f996f1281705ac7 ] + +Static analysis identified that index comparison against ITS entries in +iort_dev_find_its_id() is off by one. + +Update the comparison condition and clarify the resulting error +message. + +Fixes: 4bf2efd26d76 ("ACPI: Add new IORT functions to support MSI domain handling") +Link: https://lore.kernel.org/linux-arm-kernel/20190613065410.GB16334@mwanda/ +Reviewed-by: Hanjun Guo +Reported-by: Dan Carpenter +Signed-off-by: Lorenzo Pieralisi +Cc: Dan Carpenter +Cc: Will Deacon +Cc: Hanjun Guo +Cc: Sudeep Holla +Cc: Catalin Marinas +Cc: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/acpi/arm64/iort.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/arm64/iort.c b/drivers/acpi/arm64/iort.c +index 6b81746cd13c8..e5b1b3f1c2319 100644 +--- a/drivers/acpi/arm64/iort.c ++++ b/drivers/acpi/arm64/iort.c +@@ -324,8 +324,8 @@ static int iort_dev_find_its_id(struct device *dev, u32 req_id, + + /* Move to ITS specific data */ + its = (struct acpi_iort_its_group *)node->node_data; +- if (idx > its->its_count) { +- dev_err(dev, "requested ITS ID index [%d] is greater than available [%d]\n", ++ if (idx >= its->its_count) { ++ dev_err(dev, "requested ITS ID index [%d] overruns ITS entries [%d]\n", + idx, its->its_count); + return -ENXIO; + } +-- +2.20.1 + diff --git a/queue-4.9/alsa-compress-be-more-restrictive-about-when-a-drain.patch b/queue-4.9/alsa-compress-be-more-restrictive-about-when-a-drain.patch new file mode 100644 index 00000000000..335fa07be0e --- /dev/null +++ b/queue-4.9/alsa-compress-be-more-restrictive-about-when-a-drain.patch @@ -0,0 +1,49 @@ +From 8e60e57f1b3c7ee8c525cf08d7f3a914baf9aeef Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:36 +0100 +Subject: ALSA: compress: Be more restrictive about when a drain is allowed + +[ Upstream commit 3b8179944cb0dd53e5223996966746cdc8a60657 ] + +Draining makes little sense in the situation of hardware overrun, as the +hardware will have consumed all its available samples. Additionally, +draining whilst the stream is paused would presumably get stuck as no +data is being consumed on the DSP side. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index b4f1536b17cb5..2e2d184684911 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -812,7 +812,10 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +@@ -861,7 +864,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +-- +2.20.1 + diff --git a/queue-4.9/alsa-compress-don-t-allow-paritial-drain-operations-.patch b/queue-4.9/alsa-compress-don-t-allow-paritial-drain-operations-.patch new file mode 100644 index 00000000000..ae6b77759a7 --- /dev/null +++ b/queue-4.9/alsa-compress-don-t-allow-paritial-drain-operations-.patch @@ -0,0 +1,49 @@ +From 685b1063e5ae853e4008cc01f77812754317c69a Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:35 +0100 +Subject: ALSA: compress: Don't allow paritial drain operations on capture + streams + +[ Upstream commit a70ab8a8645083f3700814e757f2940a88b7ef88 ] + +Partial drain and next track are intended for gapless playback and +don't really have an obvious interpretation for a capture stream, so +makes sense to not allow those operations on capture streams. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 1538fbc7562b8..b4f1536b17cb5 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -835,6 +835,10 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + if (stream->runtime->state != SNDRV_PCM_STATE_RUNNING) + return -EPERM; + ++ /* next track doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* you can signal next track if this is intended to be a gapless stream + * and current track metadata is set + */ +@@ -862,6 +866,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + break; + } + ++ /* partial drain doesn't have any meaning for capture streams */ ++ if (stream->direction == SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.9/alsa-compress-fix-regression-on-compressed-capture-s.patch b/queue-4.9/alsa-compress-fix-regression-on-compressed-capture-s.patch new file mode 100644 index 00000000000..a001a9e74ba --- /dev/null +++ b/queue-4.9/alsa-compress-fix-regression-on-compressed-capture-s.patch @@ -0,0 +1,82 @@ +From dbf71956cedc1a526247389dbc48a6f02d65dc58 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:33 +0100 +Subject: ALSA: compress: Fix regression on compressed capture streams + +[ Upstream commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 ] + +A previous fix to the stop handling on compressed capture streams causes +some knock on issues. The previous fix updated snd_compr_drain_notify to +set the state back to PREPARED for capture streams. This causes some +issues however as the handling for snd_compr_poll differs between the +two states and some user-space applications were relying on the poll +failing after the stream had been stopped. + +To correct this regression whilst still fixing the original problem the +patch was addressing, update the capture handling to skip the PREPARED +state rather than skipping the SETUP state as it has done until now. + +Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams") +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 5 +---- + sound/core/compress_offload.c | 16 +++++++++++----- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index 96bc5acdade38..49482080311a1 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -185,10 +185,7 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 555df64d46ffc..cf1317546b0ff 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -575,10 +575,7 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg) + stream->metadata_set = false; + stream->next_track = false; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + } else { + return -EPERM; + } +@@ -694,8 +691,17 @@ static int snd_compr_start(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_SETUP: ++ if (stream->direction != SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ break; ++ case SNDRV_PCM_STATE_PREPARED: ++ break; ++ default: + return -EPERM; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START); + if (!retval) + stream->runtime->state = SNDRV_PCM_STATE_RUNNING; +-- +2.20.1 + diff --git a/queue-4.9/alsa-compress-prevent-bypasses-of-set_params.patch b/queue-4.9/alsa-compress-prevent-bypasses-of-set_params.patch new file mode 100644 index 00000000000..435af2e9b6b --- /dev/null +++ b/queue-4.9/alsa-compress-prevent-bypasses-of-set_params.patch @@ -0,0 +1,83 @@ +From 2ee302f05723e8ff514ce5a79f043881eb1214eb Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:34 +0100 +Subject: ALSA: compress: Prevent bypasses of set_params + +[ Upstream commit 26c3f1542f5064310ad26794c09321780d00c57d ] + +Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call +snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which +allow a transition to SNDRV_PCM_STATE_SETUP. The stream should +only be able to move to the setup state once it has received a +SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing +those ioctls whilst in the open state. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index cf1317546b0ff..1538fbc7562b8 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -712,9 +712,15 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { + snd_compr_drain_notify(stream); +@@ -802,9 +808,14 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } + + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_DRAIN); + if (retval) { +@@ -841,9 +852,16 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + static int snd_compr_partial_drain(struct snd_compr_stream *stream) + { + int retval; +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.9/arm-davinci-fix-sleep.s-build-error-on-armv4.patch b/queue-4.9/arm-davinci-fix-sleep.s-build-error-on-armv4.patch new file mode 100644 index 00000000000..ed49ee382f5 --- /dev/null +++ b/queue-4.9/arm-davinci-fix-sleep.s-build-error-on-armv4.patch @@ -0,0 +1,40 @@ +From 0598226ba69597c27b07669d3f2656e9bed69d96 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 16:51:50 +0200 +Subject: ARM: davinci: fix sleep.S build error on ARMv4 + +[ Upstream commit d64b212ea960db4276a1d8372bd98cb861dfcbb0 ] + +When building a multiplatform kernel that includes armv4 support, +the default target CPU does not support the blx instruction, +which leads to a build failure: + +arch/arm/mach-davinci/sleep.S: Assembler messages: +arch/arm/mach-davinci/sleep.S:56: Error: selected processor does not support `blx ip' in ARM mode + +Add a .arch statement in the sources to make this file build. + +Link: https://lore.kernel.org/r/20190722145211.1154785-1-arnd@arndb.de +Acked-by: Sekhar Nori +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/sleep.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-davinci/sleep.S b/arch/arm/mach-davinci/sleep.S +index cd350dee4df37..efcd400b2abb3 100644 +--- a/arch/arm/mach-davinci/sleep.S ++++ b/arch/arm/mach-davinci/sleep.S +@@ -37,6 +37,7 @@ + #define DEEPSLEEP_SLEEPENABLE_BIT BIT(31) + + .text ++ .arch armv5te + /* + * Move DaVinci into deep sleep state + * +-- +2.20.1 + diff --git a/queue-4.9/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch b/queue-4.9/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch new file mode 100644 index 00000000000..f79dcc3ee57 --- /dev/null +++ b/queue-4.9/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch @@ -0,0 +1,73 @@ +From 9583d1ad10eb36a6cefb381e924d9936ed91418c Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Wed, 17 Jul 2019 11:55:04 +0800 +Subject: cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() + +[ Upstream commit e0a12445d1cb186d875410d093a00d215bec6a89 ] + +The cpu variable is still being used in the of_get_property() call +after the of_node_put() call, which may result in use-after-free. + +Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak") +Signed-off-by: Wen Yang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pasemi-cpufreq.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index 58c933f483004..991b6a3062c4f 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -145,10 +145,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + int err = -ENODEV; + + cpu = of_get_cpu_node(policy->cpu, NULL); ++ if (!cpu) ++ goto out; + ++ max_freqp = of_get_property(cpu, "clock-frequency", NULL); + of_node_put(cpu); +- if (!cpu) ++ if (!max_freqp) { ++ err = -EINVAL; + goto out; ++ } ++ ++ /* we need the freq in kHz */ ++ max_freq = *max_freqp / 1000; + + dn = of_find_compatible_node(NULL, NULL, "1682m-sdc"); + if (!dn) +@@ -185,16 +193,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + } + + pr_debug("init cpufreq on CPU %d\n", policy->cpu); +- +- max_freqp = of_get_property(cpu, "clock-frequency", NULL); +- if (!max_freqp) { +- err = -EINVAL; +- goto out_unmap_sdcpwr; +- } +- +- /* we need the freq in kHz */ +- max_freq = *max_freqp / 1000; +- + pr_debug("max clock-frequency is at %u kHz\n", max_freq); + pr_debug("initializing frequency table\n"); + +@@ -212,9 +210,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency()); + +-out_unmap_sdcpwr: +- iounmap(sdcpwr_mapbase); +- + out_unmap_sdcasr: + iounmap(sdcasr_mapbase); + out: +-- +2.20.1 + diff --git a/queue-4.9/drbd-dynamically-allocate-shash-descriptor.patch b/queue-4.9/drbd-dynamically-allocate-shash-descriptor.patch new file mode 100644 index 00000000000..da8969ee4a9 --- /dev/null +++ b/queue-4.9/drbd-dynamically-allocate-shash-descriptor.patch @@ -0,0 +1,69 @@ +From dd7a67ce0db4151ae90ad9a662f5dfa857aaa6b1 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 14:26:34 +0200 +Subject: drbd: dynamically allocate shash descriptor + +[ Upstream commit 77ce56e2bfaa64127ae5e23ef136c0168b818777 ] + +Building with clang and KASAN, we get a warning about an overly large +stack frame on 32-bit architectures: + +drivers/block/drbd/drbd_receiver.c:921:31: error: stack frame size of 1280 bytes in function 'conn_connect' + [-Werror,-Wframe-larger-than=] + +We already allocate other data dynamically in this function, so +just do the same for the shash descriptor, which makes up most of +this memory. + +Link: https://lore.kernel.org/lkml/20190617132440.2721536-1-arnd@arndb.de/ +Reviewed-by: Kees Cook +Reviewed-by: Roland Kammerer +Signed-off-by: Arnd Bergmann +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 83957a1e15ed7..8e8e4ccb128f3 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -5297,7 +5297,7 @@ static int drbd_do_auth(struct drbd_connection *connection) + unsigned int key_len; + char secret[SHARED_SECRET_MAX]; /* 64 byte */ + unsigned int resp_size; +- SHASH_DESC_ON_STACK(desc, connection->cram_hmac_tfm); ++ struct shash_desc *desc; + struct packet_info pi; + struct net_conf *nc; + int err, rv; +@@ -5310,6 +5310,13 @@ static int drbd_do_auth(struct drbd_connection *connection) + memcpy(secret, nc->shared_secret, key_len); + rcu_read_unlock(); + ++ desc = kmalloc(sizeof(struct shash_desc) + ++ crypto_shash_descsize(connection->cram_hmac_tfm), ++ GFP_KERNEL); ++ if (!desc) { ++ rv = -1; ++ goto fail; ++ } + desc->tfm = connection->cram_hmac_tfm; + desc->flags = 0; + +@@ -5452,7 +5459,10 @@ static int drbd_do_auth(struct drbd_connection *connection) + kfree(peers_ch); + kfree(response); + kfree(right_response); +- shash_desc_zero(desc); ++ if (desc) { ++ shash_desc_zero(desc); ++ kfree(desc); ++ } + + return rv; + } +-- +2.20.1 + diff --git a/queue-4.9/hwmon-nct6775-fix-register-address-and-added-missed-.patch b/queue-4.9/hwmon-nct6775-fix-register-address-and-added-missed-.patch new file mode 100644 index 00000000000..a2c8bdbcc3a --- /dev/null +++ b/queue-4.9/hwmon-nct6775-fix-register-address-and-added-missed-.patch @@ -0,0 +1,43 @@ +From bcb49e2664735902a09a47c5f995f61493788587 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Gerhart?= +Date: Mon, 15 Jul 2019 18:33:55 +0200 +Subject: hwmon: (nct6775) Fix register address and added missed tolerance for + nct6106 + +[ Upstream commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf ] + +Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and +added missed NCT6106_REG_TOLERANCE_H. + +Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D") +Signed-off-by: Bjoern Gerhart +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index 2b31b84d0a5b9..006f090c1b0a7 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -698,7 +698,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a }; +-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c }; ++static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b }; + static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c }; + static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d }; + +@@ -3481,6 +3481,7 @@ static int nct6775_probe(struct platform_device *pdev) + data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME; + data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME; + data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME; ++ data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H; + data->REG_PWM[0] = NCT6106_REG_PWM; + data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT; + data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT; +-- +2.20.1 + diff --git a/queue-4.9/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch b/queue-4.9/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch new file mode 100644 index 00000000000..d1a083271b6 --- /dev/null +++ b/queue-4.9/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch @@ -0,0 +1,70 @@ +From bd133a9244cdef2c7c06491fbaa4db9e3788d865 Mon Sep 17 00:00:00 2001 +From: Thomas Tai +Date: Thu, 18 Jul 2019 18:37:34 +0000 +Subject: iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND + +[ Upstream commit 94bccc34071094c165c79b515d21b63c78f7e968 ] + +iscsi_ibft can use ACPI to find the iBFT entry during bootup, +currently, ISCSI_IBFT depends on ISCSI_IBFT_FIND which is +a X86 legacy way to find the iBFT by searching through the +low memory. This patch changes the dependency so that other +arch like ARM64 can use ISCSI_IBFT as long as the arch supports +ACPI. + +ibft_init() needs to use the global variable ibft_addr declared +in iscsi_ibft_find.c. A #ifndef CONFIG_ISCSI_IBFT_FIND is needed +to declare the variable if CONFIG_ISCSI_IBFT_FIND is not selected. +Moving ibft_addr into the iscsi_ibft.c does not work because if +ISCSI_IBFT is selected as a module, the arch/x86/kernel/setup.c won't +be able to find the variable at compile time. + +Signed-off-by: Thomas Tai +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + drivers/firmware/Kconfig | 5 +++-- + drivers/firmware/iscsi_ibft.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index bca172d42c743..854df538ae01e 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -144,7 +144,7 @@ config DMI_SCAN_MACHINE_NON_EFI_FALLBACK + + config ISCSI_IBFT_FIND + bool "iSCSI Boot Firmware Table Attributes" +- depends on X86 && ACPI ++ depends on X86 && ISCSI_IBFT + default n + help + This option enables the kernel to find the region of memory +@@ -155,7 +155,8 @@ config ISCSI_IBFT_FIND + config ISCSI_IBFT + tristate "iSCSI Boot Firmware Table Attributes module" + select ISCSI_BOOT_SYSFS +- depends on ISCSI_IBFT_FIND && SCSI && SCSI_LOWLEVEL ++ select ISCSI_IBFT_FIND if X86 ++ depends on ACPI && SCSI && SCSI_LOWLEVEL + default n + help + This option enables support for detection and exposing of iSCSI +diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c +index 132b9bae4b6aa..220bbc91cebdb 100644 +--- a/drivers/firmware/iscsi_ibft.c ++++ b/drivers/firmware/iscsi_ibft.c +@@ -93,6 +93,10 @@ MODULE_DESCRIPTION("sysfs interface to BIOS iBFT information"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(IBFT_ISCSI_VERSION); + ++#ifndef CONFIG_ISCSI_IBFT_FIND ++struct acpi_table_ibft *ibft_addr; ++#endif ++ + struct ibft_hdr { + u8 id; + u8 version; +-- +2.20.1 + diff --git a/queue-4.9/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch b/queue-4.9/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch new file mode 100644 index 00000000000..7d96be7192b --- /dev/null +++ b/queue-4.9/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch @@ -0,0 +1,52 @@ +From 1987bb11993f9bf39418f2917f54ba79cad03a97 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 17 Jul 2019 18:57:12 -0700 +Subject: mac80211: don't warn about CW params when not using them + +[ Upstream commit d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 ] + +ieee80211_set_wmm_default() normally sets up the initial CW min/max for +each queue, except that it skips doing this if the driver doesn't +support ->conf_tx. We still end up calling drv_conf_tx() in some cases +(e.g., ieee80211_reconfig()), which also still won't do anything +useful...except it complains here about the invalid CW parameters. + +Let's just skip the WARN if we weren't going to do anything useful with +the parameters. + +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index bb886e7db47f1..f783d1377d9a8 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -169,11 +169,16 @@ int drv_conf_tx(struct ieee80211_local *local, + if (!check_sdata_in_driver(sdata)) + return -EIO; + +- if (WARN_ONCE(params->cw_min == 0 || +- params->cw_min > params->cw_max, +- "%s: invalid CW_min/CW_max: %d/%d\n", +- sdata->name, params->cw_min, params->cw_max)) ++ if (params->cw_min == 0 || params->cw_min > params->cw_max) { ++ /* ++ * If we can't configure hardware anyway, don't warn. We may ++ * never have initialized the CW parameters. ++ */ ++ WARN_ONCE(local->ops->conf_tx, ++ "%s: invalid CW_min/CW_max: %d/%d\n", ++ sdata->name, params->cw_min, params->cw_max); + return -EINVAL; ++ } + + trace_drv_conf_tx(local, sdata, ac, params); + if (local->ops->conf_tx) +-- +2.20.1 + diff --git a/queue-4.9/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch b/queue-4.9/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch new file mode 100644 index 00000000000..59a23ff20c3 --- /dev/null +++ b/queue-4.9/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch @@ -0,0 +1,75 @@ +From 8265b9c428e4e9b9dc5fbfe9c22165b608b363d2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 2 Jul 2019 21:41:40 +0200 +Subject: netfilter: nfnetlink: avoid deadlock due to synchronous + request_module + +[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ] + +Thomas and Juliana report a deadlock when running: + +(rmmod nf_conntrack_netlink/xfrm_user) + + conntrack -e NEW -E & + modprobe -v xfrm_user + +They provided following analysis: + +conntrack -e NEW -E + netlink_bind() + netlink_lock_table() -> increases "nl_table_users" + nfnetlink_bind() + # does not unlock the table as it's locked by netlink_bind() + __request_module() + call_usermodehelper_exec() + +This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind() +won't return until modprobe process is done. + +"modprobe xfrm_user": + xfrm_user_init() + register_pernet_subsys() + -> grab pernet_ops_rwsem + .. + netlink_table_grab() + calls schedule() as "nl_table_users" is non-zero + +so modprobe is blocked because netlink_bind() increased +nl_table_users while also holding pernet_ops_rwsem. + +"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink: + ctnetlink_init() + register_pernet_subsys() + -> blocks on "pernet_ops_rwsem" thanks to xfrm_user module + +both modprobe processes wait on one another -- neither can make +progress. + +Switch netlink_bind() to "nowait" modprobe -- this releases the netlink +table lock, which then allows both modprobe instances to complete. + +Reported-by: Thomas Jarosch +Reported-by: Juliana Rodrigueiro +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 2278d9ab723bf..9837a61cb3e3b 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -490,7 +490,7 @@ static int nfnetlink_bind(struct net *net, int group) + ss = nfnetlink_get_subsys(type << 8); + rcu_read_unlock(); + if (!ss) +- request_module("nfnetlink-subsys-%d", type); ++ request_module_nowait("nfnetlink-subsys-%d", type); + return 0; + } + #endif +-- +2.20.1 + diff --git a/queue-4.9/perf-core-fix-creating-kernel-counters-for-pmus-that.patch b/queue-4.9/perf-core-fix-creating-kernel-counters-for-pmus-that.patch new file mode 100644 index 00000000000..00c0029604d --- /dev/null +++ b/queue-4.9/perf-core-fix-creating-kernel-counters-for-pmus-that.patch @@ -0,0 +1,61 @@ +From 04e65c2dabe5e8ec722351da7bf748b456cfde0a Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Wed, 24 Jul 2019 15:53:24 +0300 +Subject: perf/core: Fix creating kernel counters for PMUs that override + event->cpu + +[ Upstream commit 4ce54af8b33d3e21ca935fc1b89b58cbba956051 ] + +Some hardware PMU drivers will override perf_event.cpu inside their +event_init callback. This causes a lockdep splat when initialized through +the kernel API: + + WARNING: CPU: 0 PID: 250 at kernel/events/core.c:2917 ctx_sched_out+0x78/0x208 + pc : ctx_sched_out+0x78/0x208 + Call trace: + ctx_sched_out+0x78/0x208 + __perf_install_in_context+0x160/0x248 + remote_function+0x58/0x68 + generic_exec_single+0x100/0x180 + smp_call_function_single+0x174/0x1b8 + perf_install_in_context+0x178/0x188 + perf_event_create_kernel_counter+0x118/0x160 + +Fix this by calling perf_install_in_context with event->cpu, just like +perf_event_open + +Signed-off-by: Leonard Crestez +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Mark Rutland +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Frank Li +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/c4ebe0503623066896d7046def4d6b1e06e0eb2e.1563972056.git.leonard.crestez@nxp.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 93d7333c64d89..5bbf7537a6121 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -10130,7 +10130,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu, + goto err_unlock; + } + +- perf_install_in_context(ctx, event, cpu); ++ perf_install_in_context(ctx, event, event->cpu); + perf_unpin_context(ctx); + mutex_unlock(&ctx->mutex); + +-- +2.20.1 + diff --git a/queue-4.9/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch b/queue-4.9/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch new file mode 100644 index 00000000000..d491fa01526 --- /dev/null +++ b/queue-4.9/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch @@ -0,0 +1,50 @@ +From cd7e91f8e7081b6d3d192cf16bb4005fb255d9de Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 18 Jul 2019 11:28:37 -0300 +Subject: perf probe: Avoid calling freeing routine multiple times for same + pointer + +[ Upstream commit d95daf5accf4a72005daa13fbb1d1bd8709f2861 ] + +When perf_add_probe_events() we call cleanup_perf_probe_events() for the +pev pointer it receives, then, as part of handling this failure the main +'perf probe' goes on and calls cleanup_params() and that will again call +cleanup_perf_probe_events()for the same pointer, so just set nevents to +zero when handling the failure of perf_add_probe_events() to avoid the +double free. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-x8qgma4g813z96dvtw9w219q@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-probe.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c +index 9a250c71840e9..2b420e7a92c0c 100644 +--- a/tools/perf/builtin-probe.c ++++ b/tools/perf/builtin-probe.c +@@ -675,6 +675,16 @@ __cmd_probe(int argc, const char **argv, const char *prefix __maybe_unused) + + ret = perf_add_probe_events(params.events, params.nevents); + if (ret < 0) { ++ ++ /* ++ * When perf_add_probe_events() fails it calls ++ * cleanup_perf_probe_events(pevs, npevs), i.e. ++ * cleanup_perf_probe_events(params.events, params.nevents), which ++ * will call clear_perf_probe_event(), so set nevents to zero ++ * to avoid cleanup_params() to call clear_perf_probe_event() again ++ * on the same pevs. ++ */ ++ params.nevents = 0; + pr_err_with_code(" Error: Failed to add events.", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.9/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch b/queue-4.9/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch new file mode 100644 index 00000000000..5de36f8fd02 --- /dev/null +++ b/queue-4.9/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch @@ -0,0 +1,50 @@ +From 6ea4d4ec65612f19617a1719d48dfcb6c0276823 Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Thu, 11 Jul 2019 18:17:36 +0200 +Subject: s390/qdio: add sanity checks to the fast-requeue path + +[ Upstream commit a6ec414a4dd529eeac5c3ea51c661daba3397108 ] + +If the device driver were to send out a full queue's worth of SBALs, +current code would end up discovering the last of those SBALs as PRIMED +and erroneously skip the SIGA-w. This immediately stalls the queue. + +Add a check to not attempt fast-requeue in this case. While at it also +make sure that the state of the previous SBAL was successfully extracted +before inspecting it. + +Signed-off-by: Julian Wiedmann +Reviewed-by: Jens Remus +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index 58cd0e0c9680b..b65cab4448021 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1576,13 +1576,13 @@ static int handle_outbound(struct qdio_q *q, unsigned int callflags, + rc = qdio_kick_outbound_q(q, phys_aob); + } else if (need_siga_sync(q)) { + rc = qdio_siga_sync_q(q); ++ } else if (count < QDIO_MAX_BUFFERS_PER_Q && ++ get_buf_state(q, prev_buf(bufnr), &state, 0) > 0 && ++ state == SLSB_CU_OUTPUT_PRIMED) { ++ /* The previous buffer is not processed yet, tack on. */ ++ qperf_inc(q, fast_requeue); + } else { +- /* try to fast requeue buffers */ +- get_buf_state(q, prev_buf(bufnr), &state, 0); +- if (state != SLSB_CU_OUTPUT_PRIMED) +- rc = qdio_kick_outbound_q(q, 0); +- else +- qperf_inc(q, fast_requeue); ++ rc = qdio_kick_outbound_q(q, 0); + } + + /* in case of SIGA errors we must process the error immediately */ +-- +2.20.1 + diff --git a/queue-4.9/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch b/queue-4.9/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch new file mode 100644 index 00000000000..ee752e43b24 --- /dev/null +++ b/queue-4.9/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch @@ -0,0 +1,73 @@ +From 282591841926e711cfde163611cffd59159ae24b Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Wed, 17 Jul 2019 14:48:27 -0500 +Subject: scsi: ibmvfc: fix WARN_ON during event pool release + +[ Upstream commit 5578257ca0e21056821e6481bd534ba267b84e58 ] + +While removing an ibmvfc client adapter a WARN_ON like the following +WARN_ON is seen in the kernel log: + +WARNING: CPU: 6 PID: 5421 at ./include/linux/dma-mapping.h:541 +ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +CPU: 6 PID: 5421 Comm: rmmod Tainted: G E 4.17.0-rc1-next-20180419-autotest #1 +NIP: d00000000290328c LR: d00000000290325c CTR: c00000000036ee20 +REGS: c000000288d1b7e0 TRAP: 0700 Tainted: G E (4.17.0-rc1-next-20180419-autotest) +MSR: 800000010282b033 CR: 44008828 XER: 20000000 +CFAR: c00000000036e408 SOFTE: 1 +GPR00: d00000000290325c c000000288d1ba60 d000000002917900 c000000289d75448 +GPR04: 0000000000000071 c0000000ff870000 0000000018040000 0000000000000001 +GPR08: 0000000000000000 c00000000156e838 0000000000000001 d00000000290c640 +GPR12: c00000000036ee20 c00000001ec4dc00 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 00000100276901e0 0000000010020598 +GPR20: 0000000010020550 0000000010020538 0000000010020578 00000000100205b0 +GPR24: 0000000000000000 0000000000000000 0000000010020590 5deadbeef0000100 +GPR28: 5deadbeef0000200 d000000002910b00 0000000000000071 c0000002822f87d8 +NIP [d00000000290328c] ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +LR [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] +Call Trace: +[c000000288d1ba60] [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] (unreliable) +[c000000288d1baf0] [d000000002909390] ibmvfc_abort_task_set+0x7b0/0x8b0 [ibmvfc] +[c000000288d1bb70] [c0000000000d8c68] vio_bus_remove+0x68/0x100 +[c000000288d1bbb0] [c0000000007da7c4] device_release_driver_internal+0x1f4/0x2d0 +[c000000288d1bc00] [c0000000007da95c] driver_detach+0x7c/0x100 +[c000000288d1bc40] [c0000000007d8af4] bus_remove_driver+0x84/0x140 +[c000000288d1bcb0] [c0000000007db6ac] driver_unregister+0x4c/0xa0 +[c000000288d1bd20] [c0000000000d6e7c] vio_unregister_driver+0x2c/0x50 +[c000000288d1bd50] [d00000000290ba0c] cleanup_module+0x24/0x15e0 [ibmvfc] +[c000000288d1bd70] [c0000000001dadb0] sys_delete_module+0x220/0x2d0 +[c000000288d1be30] [c00000000000b284] system_call+0x58/0x6c +Instruction dump: +e8410018 e87f0068 809f0078 e8bf0080 e8df0088 2fa30000 419e008c e9230200 +2fa90000 419e0080 894d098a 794a07e0 <0b0a0000> e9290008 2fa90000 419e0028 + +This is tripped as a result of irqs being disabled during the call to +dma_free_coherent() by ibmvfc_free_event_pool(). At this point in the code path +we have quiesced the adapter and its overly paranoid anyways to be holding the +host lock. + +Reported-by: Abdul Haleem +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index 7e487c78279cb..54dea767dfde9 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4883,8 +4883,8 @@ static int ibmvfc_remove(struct vio_dev *vdev) + + spin_lock_irqsave(vhost->host->host_lock, flags); + ibmvfc_purge_requests(vhost, DID_ERROR); +- ibmvfc_free_event_pool(vhost); + spin_unlock_irqrestore(vhost->host->host_lock, flags); ++ ibmvfc_free_event_pool(vhost); + + ibmvfc_free_mem(vhost); + spin_lock(&ibmvfc_driver_lock); +-- +2.20.1 + diff --git a/queue-4.9/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch b/queue-4.9/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch new file mode 100644 index 00000000000..b2879d1cf01 --- /dev/null +++ b/queue-4.9/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch @@ -0,0 +1,43 @@ +From 9dbc8faa2381251c07566e6d17c3f26deadffb4d Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Mon, 22 Jul 2019 09:15:24 -0700 +Subject: scsi: megaraid_sas: fix panic on loading firmware crashdump + +[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ] + +While loading fw crashdump in function fw_crash_buffer_show(), left bytes +in one dma chunk was not checked, if copying size over it, overflow access +will cause kernel panic. + +Signed-off-by: Junxiao Bi +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 5b1c37e3913cd..d90693b2767fd 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2847,6 +2847,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, + u32 size; + unsigned long buff_addr; + unsigned long dmachunk = CRASH_DMA_BUF_SIZE; ++ unsigned long chunk_left_bytes; + unsigned long src_addr; + unsigned long flags; + u32 buff_offset; +@@ -2872,6 +2873,8 @@ megasas_fw_crash_buffer_show(struct device *cdev, + } + + size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset; ++ chunk_left_bytes = dmachunk - (buff_offset % dmachunk); ++ size = (size > chunk_left_bytes) ? chunk_left_bytes : size; + size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size; + + src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] + +-- +2.20.1 + diff --git a/queue-4.9/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch b/queue-4.9/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch new file mode 100644 index 00000000000..be887ee636e --- /dev/null +++ b/queue-4.9/scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch @@ -0,0 +1,61 @@ +From 8937664bca7cdfcaf3bf926ad785a8532e16fffd Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Fri, 12 Jul 2019 08:53:47 +0200 +Subject: scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG + +[ Upstream commit 20122994e38aef0ae50555884d287adde6641c94 ] + +Retrying immediately after we've received a 'transitioning' sense code is +pretty much pointless, we should always use a delay before retrying. So +ensure the default delay is applied before retrying. + +Signed-off-by: Hannes Reinecke +Tested-by: Zhangguanghui +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/device_handler/scsi_dh_alua.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/device_handler/scsi_dh_alua.c b/drivers/scsi/device_handler/scsi_dh_alua.c +index d3145799b92fa..98787588247bf 100644 +--- a/drivers/scsi/device_handler/scsi_dh_alua.c ++++ b/drivers/scsi/device_handler/scsi_dh_alua.c +@@ -53,6 +53,7 @@ + #define ALUA_FAILOVER_TIMEOUT 60 + #define ALUA_FAILOVER_RETRIES 5 + #define ALUA_RTPG_DELAY_MSECS 5 ++#define ALUA_RTPG_RETRY_DELAY 2 + + /* device handler flags */ + #define ALUA_OPTIMIZE_STPG 0x01 +@@ -681,7 +682,7 @@ static int alua_rtpg(struct scsi_device *sdev, struct alua_port_group *pg) + case SCSI_ACCESS_STATE_TRANSITIONING: + if (time_before(jiffies, pg->expiry)) { + /* State transition, retry */ +- pg->interval = 2; ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + err = SCSI_DH_RETRY; + } else { + struct alua_dh_data *h; +@@ -809,6 +810,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + pg->flags &= ~ALUA_PG_RUNNING; + pg->flags |= ALUA_PG_RUN_RTPG; ++ if (!pg->interval) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(alua_wq, &pg->rtpg_work, + pg->interval * HZ); +@@ -820,6 +823,8 @@ static void alua_rtpg_work(struct work_struct *work) + spin_lock_irqsave(&pg->lock, flags); + if (err == SCSI_DH_RETRY || pg->flags & ALUA_PG_RUN_RTPG) { + pg->flags &= ~ALUA_PG_RUNNING; ++ if (!pg->interval && !(pg->flags & ALUA_PG_RUN_RTPG)) ++ pg->interval = ALUA_RTPG_RETRY_DELAY; + pg->flags |= ALUA_PG_RUN_RTPG; + spin_unlock_irqrestore(&pg->lock, flags); + queue_delayed_work(alua_wq, &pg->rtpg_work, +-- +2.20.1 + diff --git a/queue-4.9/series b/queue-4.9/series index fb93c69f1c6..86675d50985 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -9,3 +9,22 @@ perf-db-export-fix-thread__exec_comm.patch perf-record-fix-module-size-on-s390.patch usb-yurex-fix-use-after-free-in-yurex_delete.patch can-peak_usb-fix-potential-double-kfree_skb.patch +netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch +iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch +mac80211-don-t-warn-about-cw-params-when-not-using-t.patch +hwmon-nct6775-fix-register-address-and-added-missed-.patch +cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch +s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch +alsa-compress-fix-regression-on-compressed-capture-s.patch +alsa-compress-prevent-bypasses-of-set_params.patch +alsa-compress-don-t-allow-paritial-drain-operations-.patch +alsa-compress-be-more-restrictive-about-when-a-drain.patch +perf-probe-avoid-calling-freeing-routine-multiple-ti.patch +drbd-dynamically-allocate-shash-descriptor.patch +acpi-iort-fix-off-by-one-check-in-iort_dev_find_its_.patch +arm-davinci-fix-sleep.s-build-error-on-armv4.patch +scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch +scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch +scsi-scsi_dh_alua-always-use-a-2-second-delay-before.patch +tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch +perf-core-fix-creating-kernel-counters-for-pmus-that.patch diff --git a/queue-4.9/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch b/queue-4.9/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch new file mode 100644 index 00000000000..866728973e8 --- /dev/null +++ b/queue-4.9/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch @@ -0,0 +1,75 @@ +From b5b6b9a83a78e07cb7aaedd8b204fe69484cde84 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 15:03:15 +0200 +Subject: tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep + loop + +[ Upstream commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 ] + +While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of +a bug we just found for rwsem. + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Hurley +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_ldsem.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c +index dbd7ba32caac3..6c5eb99fcfcee 100644 +--- a/drivers/tty/tty_ldsem.c ++++ b/drivers/tty/tty_ldsem.c +@@ -137,8 +137,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem) + + list_for_each_entry_safe(waiter, next, &sem->read_wait, list) { + tsk = waiter->task; +- smp_mb(); +- waiter->task = NULL; ++ smp_store_release(&waiter->task, NULL); + wake_up_process(tsk); + put_task_struct(tsk); + } +@@ -234,7 +233,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout) + for (;;) { + set_task_state(tsk, TASK_UNINTERRUPTIBLE); + +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) + break; + if (!timeout) + break; +-- +2.20.1 +