From: Greg Kroah-Hartman Date: Sun, 27 Jan 2019 15:34:29 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.9.154~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91bf57558a9d1cf9e9b3c5285d8b9f3542277e99;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch alsa-hda-realtek-fix-typo-for-alc225-model.patch arc-adjust-memblock_reserve-of-kernel-memory.patch arc-perf-map-generic-branches-to-correct-hardware-condition.patch arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch char-mwave-fix-potential-spectre-v1-vulnerability.patch clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch mei-me-add-denverton-innovation-engine-device-ids.patch mei-me-mark-lbg-devices-as-having-dma-support.patch misc-ibmvsm-fix-potential-null-pointer-dereference.patch mmc-dw_mmc-bluefield-fix-the-license-information.patch mmc-meson-gx-free-irq-in-release-callback.patch s390-early-improve-machine-detection.patch s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch usb-leds-fix-regression-in-usbport-led-trigger.patch usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch --- diff --git a/queue-4.19/alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch b/queue-4.19/alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch new file mode 100644 index 00000000000..efe1fbdad74 --- /dev/null +++ b/queue-4.19/alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch @@ -0,0 +1,31 @@ +From 699390381a7bae2fab01a22f742a17235c44ed8a Mon Sep 17 00:00:00 2001 +From: Anthony Wong +Date: Sat, 19 Jan 2019 12:22:31 +0800 +Subject: ALSA: hda - Add mute LED support for HP ProBook 470 G5 + +From: Anthony Wong + +commit 699390381a7bae2fab01a22f742a17235c44ed8a upstream. + +Support speaker and mic mute LEDs on HP ProBook 470 G5. + +BugLink: https://bugs.launchpad.net/bugs/1811254 +Signed-off-by: Anthony Wong +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_conexant.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_conexant.c ++++ b/sound/pci/hda/patch_conexant.c +@@ -931,6 +931,7 @@ static const struct snd_pci_quirk cxt506 + SND_PCI_QUIRK(0x103c, 0x814f, "HP ZBook 15u G3", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x822e, "HP ProBook 440 G4", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x836e, "HP ProBook 455 G5", CXT_FIXUP_MUTE_LED_GPIO), ++ SND_PCI_QUIRK(0x103c, 0x837f, "HP ProBook 470 G5", CXT_FIXUP_MUTE_LED_GPIO), + SND_PCI_QUIRK(0x103c, 0x8299, "HP 800 G3 SFF", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x829a, "HP 800 G3 DM", CXT_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x8455, "HP Z2 G4", CXT_FIXUP_HP_MIC_NO_PRESENCE), diff --git a/queue-4.19/alsa-hda-realtek-fix-typo-for-alc225-model.patch b/queue-4.19/alsa-hda-realtek-fix-typo-for-alc225-model.patch new file mode 100644 index 00000000000..d8280931a0f --- /dev/null +++ b/queue-4.19/alsa-hda-realtek-fix-typo-for-alc225-model.patch @@ -0,0 +1,34 @@ +From 82aa0d7e09840704d9a37434fef1770179d663fb Mon Sep 17 00:00:00 2001 +From: Kailang Yang +Date: Fri, 11 Jan 2019 17:15:53 +0800 +Subject: ALSA: hda/realtek - Fix typo for ALC225 model + +From: Kailang Yang + +commit 82aa0d7e09840704d9a37434fef1770179d663fb upstream. + +Fix typo for model alc255-dell1 to alc225-dell1. + +Enable headset mode support for new WYSE NB platform. + +Fixes: a26d96c7802e ("ALSA: hda/realtek - Comprehensive model list for ALC259 & co") +Signed-off-by: Kailang Yang +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6842,7 +6842,7 @@ static const struct hda_model_fixup alc2 + {.id = ALC293_FIXUP_LENOVO_SPK_NOISE, .name = "lenovo-spk-noise"}, + {.id = ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, .name = "lenovo-hotkey"}, + {.id = ALC255_FIXUP_DELL_SPK_NOISE, .name = "dell-spk-noise"}, +- {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc255-dell1"}, ++ {.id = ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "alc225-dell1"}, + {.id = ALC295_FIXUP_DISABLE_DAC3, .name = "alc295-disable-dac3"}, + {.id = ALC280_FIXUP_HP_HEADSET_MIC, .name = "alc280-hp-headset"}, + {.id = ALC221_FIXUP_HP_FRONT_MIC, .name = "alc221-hp-mic"}, diff --git a/queue-4.19/arc-adjust-memblock_reserve-of-kernel-memory.patch b/queue-4.19/arc-adjust-memblock_reserve-of-kernel-memory.patch new file mode 100644 index 00000000000..0943f7e927f --- /dev/null +++ b/queue-4.19/arc-adjust-memblock_reserve-of-kernel-memory.patch @@ -0,0 +1,47 @@ +From a3010a0465383300f909f62b8a83f83ffa7b2517 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Wed, 19 Dec 2018 19:16:16 +0300 +Subject: ARC: adjust memblock_reserve of kernel memory + +From: Eugeniy Paltsev + +commit a3010a0465383300f909f62b8a83f83ffa7b2517 upstream. + +In setup_arch_memory we reserve the memory area wherein the kernel +is located. Current implementation may reserve more memory than +it actually required in case of CONFIG_LINUX_LINK_BASE is not +equal to CONFIG_LINUX_RAM_BASE. This happens because we calculate +start of the reserved region relatively to the CONFIG_LINUX_RAM_BASE +and end of the region relatively to the CONFIG_LINUX_RAM_BASE. + +For example in case of HSDK board we wasted 256MiB of physical memory: +------------------->8------------------------------ +Memory: 770416K/1048576K available (5496K kernel code, + 240K rwdata, 1064K rodata, 2200K init, 275K bss, + 278160K reserved, 0K cma-reserved) +------------------->8------------------------------ + +Fix that. + +Fixes: 9ed68785f7f2b ("ARC: mm: Decouple RAM base address from kernel link addr") +Cc: stable@vger.kernel.org #4.14+ +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/mm/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/mm/init.c ++++ b/arch/arc/mm/init.c +@@ -138,7 +138,8 @@ void __init setup_arch_memory(void) + */ + + memblock_add_node(low_mem_start, low_mem_sz, 0); +- memblock_reserve(low_mem_start, __pa(_end) - low_mem_start); ++ memblock_reserve(CONFIG_LINUX_LINK_BASE, ++ __pa(_end) - CONFIG_LINUX_LINK_BASE); + + #ifdef CONFIG_BLK_DEV_INITRD + if (initrd_start) diff --git a/queue-4.19/arc-perf-map-generic-branches-to-correct-hardware-condition.patch b/queue-4.19/arc-perf-map-generic-branches-to-correct-hardware-condition.patch new file mode 100644 index 00000000000..c14321f6dbb --- /dev/null +++ b/queue-4.19/arc-perf-map-generic-branches-to-correct-hardware-condition.patch @@ -0,0 +1,41 @@ +From 3affbf0e154ee351add6fcc254c59c3f3947fa8f Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Mon, 17 Dec 2018 12:54:23 +0300 +Subject: ARC: perf: map generic branches to correct hardware condition + +From: Eugeniy Paltsev + +commit 3affbf0e154ee351add6fcc254c59c3f3947fa8f upstream. + +So far we've mapped branches to "ijmp" which also counts conditional +branches NOT taken. This makes us different from other architectures +such as ARM which seem to be counting only taken branches. + +So use "ijmptak" hardware condition which only counts (all jump +instructions that are taken) + +'ijmptak' event is available on both ARCompact and ARCv2 ISA based +cores. + +Signed-off-by: Eugeniy Paltsev +Cc: stable@vger.kernel.org +Signed-off-by: Vineet Gupta +[vgupta: reworked changelog] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/perf_event.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/perf_event.h ++++ b/arch/arc/include/asm/perf_event.h +@@ -103,7 +103,8 @@ static const char * const arc_pmu_ev_hw_ + + /* counts condition */ + [PERF_COUNT_HW_INSTRUCTIONS] = "iall", +- [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmp", /* Excludes ZOL jumps */ ++ /* All jump instructions that are taken */ ++ [PERF_COUNT_HW_BRANCH_INSTRUCTIONS] = "ijmptak", + [PERF_COUNT_ARC_BPOK] = "bpok", /* NP-NT, PT-T, PNT-NT */ + #ifdef CONFIG_ISA_ARCV2 + [PERF_COUNT_HW_BRANCH_MISSES] = "bpmp", diff --git a/queue-4.19/arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch b/queue-4.19/arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch new file mode 100644 index 00000000000..70dd17d254c --- /dev/null +++ b/queue-4.19/arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch @@ -0,0 +1,107 @@ +From e6a72b7daeeb521753803550f0ed711152bb2555 Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Mon, 14 Jan 2019 18:16:48 +0300 +Subject: ARCv2: lib: memeset: fix doing prefetchw outside of buffer + +From: Eugeniy Paltsev + +commit e6a72b7daeeb521753803550f0ed711152bb2555 upstream. + +ARCv2 optimized memset uses PREFETCHW instruction for prefetching the +next cache line but doesn't ensure that the line is not past the end of +the buffer. PRETECHW changes the line ownership and marks it dirty, +which can cause issues in SMP config when next line was already owned by +other core. Fix the issue by avoiding the PREFETCHW + +Some more details: + +The current code has 3 logical loops (ignroing the unaligned part) + (a) Big loop for doing aligned 64 bytes per iteration with PREALLOC + (b) Loop for 32 x 2 bytes with PREFETCHW + (c) any left over bytes + +loop (a) was already eliding the last 64 bytes, so PREALLOC was +safe. The fix was removing PREFETCW from (b). + +Another potential issue (applicable to configs with 32 or 128 byte L1 +cache line) is that PREALLOC assumes 64 byte cache line and may not do +the right thing specially for 32b. While it would be easy to adapt, +there are no known configs with those lie sizes, so for now, just +compile out PREALLOC in such cases. + +Signed-off-by: Eugeniy Paltsev +Cc: stable@vger.kernel.org #4.4+ +Signed-off-by: Vineet Gupta +[vgupta: rewrote changelog, used asm .macro vs. "C" macro] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/lib/memset-archs.S | 40 ++++++++++++++++++++++++++++++++-------- + 1 file changed, 32 insertions(+), 8 deletions(-) + +--- a/arch/arc/lib/memset-archs.S ++++ b/arch/arc/lib/memset-archs.S +@@ -7,11 +7,39 @@ + */ + + #include ++#include + +-#undef PREALLOC_NOT_AVAIL ++/* ++ * The memset implementation below is optimized to use prefetchw and prealloc ++ * instruction in case of CPU with 64B L1 data cache line (L1_CACHE_SHIFT == 6) ++ * If you want to implement optimized memset for other possible L1 data cache ++ * line lengths (32B and 128B) you should rewrite code carefully checking ++ * we don't call any prefetchw/prealloc instruction for L1 cache lines which ++ * don't belongs to memset area. ++ */ ++ ++#if L1_CACHE_SHIFT == 6 ++ ++.macro PREALLOC_INSTR reg, off ++ prealloc [\reg, \off] ++.endm ++ ++.macro PREFETCHW_INSTR reg, off ++ prefetchw [\reg, \off] ++.endm ++ ++#else ++ ++.macro PREALLOC_INSTR ++.endm ++ ++.macro PREFETCHW_INSTR ++.endm ++ ++#endif + + ENTRY_CFI(memset) +- prefetchw [r0] ; Prefetch the write location ++ PREFETCHW_INSTR r0, 0 ; Prefetch the first write location + mov.f 0, r2 + ;;; if size is zero + jz.d [blink] +@@ -48,11 +76,8 @@ ENTRY_CFI(memset) + + lpnz @.Lset64bytes + ;; LOOP START +-#ifdef PREALLOC_NOT_AVAIL +- prefetchw [r3, 64] ;Prefetch the next write location +-#else +- prealloc [r3, 64] +-#endif ++ PREALLOC_INSTR r3, 64 ; alloc next line w/o fetching ++ + #ifdef CONFIG_ARC_HAS_LL64 + std.ab r4, [r3, 8] + std.ab r4, [r3, 8] +@@ -85,7 +110,6 @@ ENTRY_CFI(memset) + lsr.f lp_count, r2, 5 ;Last remaining max 124 bytes + lpnz .Lset32bytes + ;; LOOP START +- prefetchw [r3, 32] ;Prefetch the next write location + #ifdef CONFIG_ARC_HAS_LL64 + std.ab r4, [r3, 8] + std.ab r4, [r3, 8] diff --git a/queue-4.19/asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch b/queue-4.19/asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch new file mode 100644 index 00000000000..73377218197 --- /dev/null +++ b/queue-4.19/asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch @@ -0,0 +1,39 @@ +From 44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 25 Dec 2018 20:29:48 -0600 +Subject: ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages + +From: Kangjie Lu + +commit 44fabd8cdaaa3acb80ad2bb3b5c61ae2136af661 upstream. + +snd_pcm_lib_malloc_pages() may fail, so let's check its status and +return its error code upstream. + +Signed-off-by: Kangjie Lu +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/intel/atom/sst-mfld-platform-pcm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/sound/soc/intel/atom/sst-mfld-platform-pcm.c ++++ b/sound/soc/intel/atom/sst-mfld-platform-pcm.c +@@ -399,7 +399,13 @@ static int sst_media_hw_params(struct sn + struct snd_pcm_hw_params *params, + struct snd_soc_dai *dai) + { +- snd_pcm_lib_malloc_pages(substream, params_buffer_bytes(params)); ++ int ret; ++ ++ ret = ++ snd_pcm_lib_malloc_pages(substream, ++ params_buffer_bytes(params)); ++ if (ret) ++ return ret; + memset(substream->runtime->dma_area, 0, params_buffer_bytes(params)); + return 0; + } diff --git a/queue-4.19/asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch b/queue-4.19/asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..dbe7a96419a --- /dev/null +++ b/queue-4.19/asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,37 @@ +From 060d0bf491874daece47053c4e1fb0489eb867d2 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 15 Jan 2019 11:57:23 -0600 +Subject: ASoC: rt5514-spi: Fix potential NULL pointer dereference + +From: Gustavo A. R. Silva + +commit 060d0bf491874daece47053c4e1fb0489eb867d2 upstream. + +There is a potential NULL pointer dereference in case devm_kzalloc() +fails and returns NULL. + +Fix this by adding a NULL check on rt5514_dsp. + +This issue was detected with the help of Coccinelle. + +Fixes: 6eebf35b0e4a ("ASoC: rt5514: add rt5514 SPI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/rt5514-spi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/soc/codecs/rt5514-spi.c ++++ b/sound/soc/codecs/rt5514-spi.c +@@ -278,6 +278,8 @@ static int rt5514_spi_pcm_probe(struct s + + rt5514_dsp = devm_kzalloc(component->dev, sizeof(*rt5514_dsp), + GFP_KERNEL); ++ if (!rt5514_dsp) ++ return -ENOMEM; + + rt5514_dsp->dev = &rt5514_spi->dev; + mutex_init(&rt5514_dsp->dma_lock); diff --git a/queue-4.19/asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch b/queue-4.19/asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch new file mode 100644 index 00000000000..779e6214207 --- /dev/null +++ b/queue-4.19/asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch @@ -0,0 +1,42 @@ +From 667e9334fa64da2273e36ce131b05ac9e47c5769 Mon Sep 17 00:00:00 2001 +From: b-ak +Date: Mon, 7 Jan 2019 22:30:22 +0530 +Subject: ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode + +From: b-ak + +commit 667e9334fa64da2273e36ce131b05ac9e47c5769 upstream. + +During the bootup of the kernel, the DAPM bias level is in the OFF +state. As soon as the DAPM framework kicks in it pushes the codec +into STANDBY state. + +The probe function doesn't prepare the clock, and STANDBY state +does a clk_disable_unprepare() without checking the previous state. +This leads to an OOPS. + +Not transitioning from an OFF state to the STANDBY state fixes the +problem. + +Signed-off-by: b-ak +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/tlv320aic32x4.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/soc/codecs/tlv320aic32x4.c ++++ b/sound/soc/codecs/tlv320aic32x4.c +@@ -822,6 +822,10 @@ static int aic32x4_set_bias_level(struct + case SND_SOC_BIAS_PREPARE: + break; + case SND_SOC_BIAS_STANDBY: ++ /* Initial cold start */ ++ if (snd_soc_component_get_bias_level(component) == SND_SOC_BIAS_OFF) ++ break; ++ + /* Switch off BCLK_N Divider */ + snd_soc_component_update_bits(component, AIC32X4_BCLKN, + AIC32X4_BCLKEN, 0); diff --git a/queue-4.19/ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch b/queue-4.19/ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch new file mode 100644 index 00000000000..b3dfe49776d --- /dev/null +++ b/queue-4.19/ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch @@ -0,0 +1,34 @@ +From d95e674c01cfb5461e8b9fdeebf6d878c9b80b2f Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Thu, 10 Jan 2019 15:41:09 +0800 +Subject: ceph: clear inode pointer when snap realm gets dropped by its inode + +From: Yan, Zheng + +commit d95e674c01cfb5461e8b9fdeebf6d878c9b80b2f upstream. + +snap realm and corresponding inode have pointers to each other. +The two pointer should get clear at the same time. Otherwise, +snap realm's pointer may reference freed inode. + +Cc: stable@vger.kernel.org # 4.17+ +Signed-off-by: "Yan, Zheng" +Reviewed-by: Luis Henriques +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/caps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/ceph/caps.c ++++ b/fs/ceph/caps.c +@@ -1030,6 +1030,8 @@ static void drop_inode_snap_realm(struct + list_del_init(&ci->i_snap_realm_item); + ci->i_snap_realm_counter++; + ci->i_snap_realm = NULL; ++ if (realm->ino == ci->i_vino.ino) ++ realm->inode = NULL; + spin_unlock(&realm->inodes_with_caps_lock); + ceph_put_snap_realm(ceph_sb_to_client(ci->vfs_inode.i_sb)->mdsc, + realm); diff --git a/queue-4.19/char-mwave-fix-potential-spectre-v1-vulnerability.patch b/queue-4.19/char-mwave-fix-potential-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..44242d37459 --- /dev/null +++ b/queue-4.19/char-mwave-fix-potential-spectre-v1-vulnerability.patch @@ -0,0 +1,69 @@ +From 701956d4018e5d5438570e39e8bda47edd32c489 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 9 Jan 2019 13:02:36 -0600 +Subject: char/mwave: fix potential Spectre v1 vulnerability + +From: Gustavo A. R. Silva + +commit 701956d4018e5d5438570e39e8bda47edd32c489 upstream. + +ipcnum is indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/char/mwave/mwavedd.c:299 mwave_ioctl() warn: potential spectre issue 'pDrvData->IPCs' [w] (local cap) + +Fix this by sanitizing ipcnum before using it to index pDrvData->IPCs. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/mwave/mwavedd.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/char/mwave/mwavedd.c ++++ b/drivers/char/mwave/mwavedd.c +@@ -59,6 +59,7 @@ + #include + #include + #include ++#include + #include "smapi.h" + #include "mwavedd.h" + #include "3780i.h" +@@ -289,6 +290,8 @@ static long mwave_ioctl(struct file *fil + ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + PRINTK_3(TRACE_MWAVE, + "mwavedd::mwave_ioctl IOCTL_MW_REGISTER_IPC" + " ipcnum %x entry usIntCount %x\n", +@@ -317,6 +320,8 @@ static long mwave_ioctl(struct file *fil + " Invalid ipcnum %x\n", ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + PRINTK_3(TRACE_MWAVE, + "mwavedd::mwave_ioctl IOCTL_MW_GET_IPC" + " ipcnum %x, usIntCount %x\n", +@@ -383,6 +388,8 @@ static long mwave_ioctl(struct file *fil + ipcnum); + return -EINVAL; + } ++ ipcnum = array_index_nospec(ipcnum, ++ ARRAY_SIZE(pDrvData->IPCs)); + mutex_lock(&mwave_mutex); + if (pDrvData->IPCs[ipcnum].bIsEnabled == true) { + pDrvData->IPCs[ipcnum].bIsEnabled = false; diff --git a/queue-4.19/clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch b/queue-4.19/clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch new file mode 100644 index 00000000000..ab1e8224254 --- /dev/null +++ b/queue-4.19/clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch @@ -0,0 +1,69 @@ +From b488517b28a47d16b228ce8dcf07f5cb8e5b3dc5 Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Wed, 2 Jan 2019 08:59:31 -0600 +Subject: clk: socfpga: stratix10: fix naming convention for the fixed-clocks + +From: Dinh Nguyen + +commit b488517b28a47d16b228ce8dcf07f5cb8e5b3dc5 upstream. + +The fixed clocks in the DTS file have a hyphen, but the clock driver has +the fixed clocks using underbar. Thus the clock driver cannot detect the +other fixed clocks correctly. Change the fixed clock names to a hyphen. + +Fixes: 07afb8db7340 ("clk: socfpga: stratix10: add clock driver for +Stratix10 platform") +Cc: linux-stable@vger.kernel.org +Signed-off-by: Dinh Nguyen +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/socfpga/clk-s10.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/clk/socfpga/clk-s10.c ++++ b/drivers/clk/socfpga/clk-s10.c +@@ -12,17 +12,17 @@ + + #include "stratix10-clk.h" + +-static const char * const pll_mux[] = { "osc1", "cb_intosc_hs_div2_clk", +- "f2s_free_clk",}; ++static const char * const pll_mux[] = { "osc1", "cb-intosc-hs-div2-clk", ++ "f2s-free-clk",}; + static const char * const cntr_mux[] = { "main_pll", "periph_pll", +- "osc1", "cb_intosc_hs_div2_clk", +- "f2s_free_clk"}; +-static const char * const boot_mux[] = { "osc1", "cb_intosc_hs_div2_clk",}; ++ "osc1", "cb-intosc-hs-div2-clk", ++ "f2s-free-clk"}; ++static const char * const boot_mux[] = { "osc1", "cb-intosc-hs-div2-clk",}; + + static const char * const noc_free_mux[] = {"main_noc_base_clk", + "peri_noc_base_clk", +- "osc1", "cb_intosc_hs_div2_clk", +- "f2s_free_clk"}; ++ "osc1", "cb-intosc-hs-div2-clk", ++ "f2s-free-clk"}; + + static const char * const emaca_free_mux[] = {"peri_emaca_clk", "boot_clk"}; + static const char * const emacb_free_mux[] = {"peri_emacb_clk", "boot_clk"}; +@@ -33,14 +33,14 @@ static const char * const s2f_usr1_free_ + static const char * const psi_ref_free_mux[] = {"peri_psi_ref_clk", "boot_clk"}; + static const char * const mpu_mux[] = { "mpu_free_clk", "boot_clk",}; + +-static const char * const s2f_usr0_mux[] = {"f2s_free_clk", "boot_clk"}; ++static const char * const s2f_usr0_mux[] = {"f2s-free-clk", "boot_clk"}; + static const char * const emac_mux[] = {"emaca_free_clk", "emacb_free_clk"}; + static const char * const noc_mux[] = {"noc_free_clk", "boot_clk"}; + + static const char * const mpu_free_mux[] = {"main_mpu_base_clk", + "peri_mpu_base_clk", +- "osc1", "cb_intosc_hs_div2_clk", +- "f2s_free_clk"}; ++ "osc1", "cb-intosc-hs-div2-clk", ++ "f2s-free-clk"}; + + /* clocks in AO (always on) controller */ + static const struct stratix10_pll_clock s10_pll_clks[] = { diff --git a/queue-4.19/clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch b/queue-4.19/clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch new file mode 100644 index 00000000000..f706fa7338a --- /dev/null +++ b/queue-4.19/clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch @@ -0,0 +1,34 @@ +From c0a636e4cc2eb39244d23c0417c117be4c96a7fe Mon Sep 17 00:00:00 2001 +From: Dinh Nguyen +Date: Mon, 17 Dec 2018 18:06:14 -0600 +Subject: clk: socfpga: stratix10: fix rate calculation for pll clocks + +From: Dinh Nguyen + +commit c0a636e4cc2eb39244d23c0417c117be4c96a7fe upstream. + +The main PLL calculation has a mistake. We should be using the +multiplying the VCO frequency, not the parent clock frequency. + +Fixes: 07afb8db7340 ("clk: socfpga: stratix10: add clock driver for +Stratix10 platform") +Cc: linux-stable@vger.kernel.org +Signed-off-by: Dinh Nguyen +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/socfpga/clk-pll-s10.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/socfpga/clk-pll-s10.c ++++ b/drivers/clk/socfpga/clk-pll-s10.c +@@ -43,7 +43,7 @@ static unsigned long clk_pll_recalc_rate + /* Read mdiv and fdiv from the fdbck register */ + reg = readl(socfpgaclk->hw.reg + 0x4); + mdiv = (reg & SOCFPGA_PLL_MDIV_MASK) >> SOCFPGA_PLL_MDIV_SHIFT; +- vco_freq = (unsigned long long)parent_rate * (mdiv + 6); ++ vco_freq = (unsigned long long)vco_freq * (mdiv + 6); + + return (unsigned long)vco_freq; + } diff --git a/queue-4.19/inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch b/queue-4.19/inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch new file mode 100644 index 00000000000..76698fb299d --- /dev/null +++ b/queue-4.19/inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch @@ -0,0 +1,38 @@ +From 125892edfe69915a227d8d125ff0e1cd713178f4 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Tue, 1 Jan 2019 18:54:26 +0900 +Subject: inotify: Fix fd refcount leak in inotify_add_watch(). + +From: Tetsuo Handa + +commit 125892edfe69915a227d8d125ff0e1cd713178f4 upstream. + +Commit 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for +inotify_add_watch()") forgot to call fdput() before bailing out. + +Fixes: 4d97f7d53da7dc83 ("inotify: Add flag IN_MASK_CREATE for inotify_add_watch()") +CC: stable@vger.kernel.org +Signed-off-by: Tetsuo Handa +Reviewed-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inotify/inotify_user.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/notify/inotify/inotify_user.c ++++ b/fs/notify/inotify/inotify_user.c +@@ -724,8 +724,10 @@ SYSCALL_DEFINE3(inotify_add_watch, int, + return -EBADF; + + /* IN_MASK_ADD and IN_MASK_CREATE don't make sense together */ +- if (unlikely((mask & IN_MASK_ADD) && (mask & IN_MASK_CREATE))) +- return -EINVAL; ++ if (unlikely((mask & IN_MASK_ADD) && (mask & IN_MASK_CREATE))) { ++ ret = -EINVAL; ++ goto fput_and_out; ++ } + + /* verify that this is indeed an inotify instance */ + if (unlikely(f.file->f_op != &inotify_fops)) { diff --git a/queue-4.19/mei-me-add-denverton-innovation-engine-device-ids.patch b/queue-4.19/mei-me-add-denverton-innovation-engine-device-ids.patch new file mode 100644 index 00000000000..e219576ad78 --- /dev/null +++ b/queue-4.19/mei-me-add-denverton-innovation-engine-device-ids.patch @@ -0,0 +1,45 @@ +From f7ee8ead151f9d0b8dac6ab6c3ff49bbe809c564 Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Sun, 13 Jan 2019 14:24:48 +0200 +Subject: mei: me: add denverton innovation engine device IDs + +From: Tomas Winkler + +commit f7ee8ead151f9d0b8dac6ab6c3ff49bbe809c564 upstream. + +Add the Denverton innovation engine (IE) device ids. +The IE is an ME-like device which provides HW security +offloading. + +Cc: +Signed-off-by: Tomas Winkler +Signed-off-by: Alexander Usyskin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me-regs.h | 2 ++ + drivers/misc/mei/pci-me.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -127,6 +127,8 @@ + #define MEI_DEV_ID_BXT_M 0x1A9A /* Broxton M */ + #define MEI_DEV_ID_APL_I 0x5A9A /* Apollo Lake I */ + ++#define MEI_DEV_ID_DNV_IE 0x19E5 /* Denverton IE */ ++ + #define MEI_DEV_ID_GLK 0x319A /* Gemini Lake */ + + #define MEI_DEV_ID_KBP 0xA2BA /* Kaby Point */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -93,6 +93,8 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, MEI_ME_PCH8_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, MEI_ME_PCH8_CFG)}, + ++ {MEI_PCI_DEVICE(MEI_DEV_ID_DNV_IE, MEI_ME_PCH8_CFG)}, ++ + {MEI_PCI_DEVICE(MEI_DEV_ID_GLK, MEI_ME_PCH8_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_KBP, MEI_ME_PCH8_CFG)}, diff --git a/queue-4.19/mei-me-mark-lbg-devices-as-having-dma-support.patch b/queue-4.19/mei-me-mark-lbg-devices-as-having-dma-support.patch new file mode 100644 index 00000000000..b2a6eb6cea5 --- /dev/null +++ b/queue-4.19/mei-me-mark-lbg-devices-as-having-dma-support.patch @@ -0,0 +1,31 @@ +From 173436ba800d01178a8b19e5de4a8cb02c0db760 Mon Sep 17 00:00:00 2001 +From: Alexander Usyskin +Date: Sun, 13 Jan 2019 14:24:47 +0200 +Subject: mei: me: mark LBG devices as having dma support + +From: Alexander Usyskin + +commit 173436ba800d01178a8b19e5de4a8cb02c0db760 upstream. + +The LBG server platform sports DMA support. + +Cc: #v5.0+ +Signed-off-by: Alexander Usyskin +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/pci-me.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -88,7 +88,7 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_2, MEI_ME_PCH8_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H, MEI_ME_PCH8_SPS_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_SPT_H_2, MEI_ME_PCH8_SPS_CFG)}, +- {MEI_PCI_DEVICE(MEI_DEV_ID_LBG, MEI_ME_PCH8_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_LBG, MEI_ME_PCH12_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_BXT_M, MEI_ME_PCH8_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_APL_I, MEI_ME_PCH8_CFG)}, diff --git a/queue-4.19/misc-ibmvsm-fix-potential-null-pointer-dereference.patch b/queue-4.19/misc-ibmvsm-fix-potential-null-pointer-dereference.patch new file mode 100644 index 00000000000..ec952fb3534 --- /dev/null +++ b/queue-4.19/misc-ibmvsm-fix-potential-null-pointer-dereference.patch @@ -0,0 +1,57 @@ +From e25df7812c91f62581301f9a7ac102acf92e4937 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 16 Jan 2019 10:46:16 -0600 +Subject: misc: ibmvsm: Fix potential NULL pointer dereference + +From: Gustavo A. R. Silva + +commit e25df7812c91f62581301f9a7ac102acf92e4937 upstream. + +There is a potential NULL pointer dereference in case kzalloc() +fails and returns NULL. + +Fix this by adding a NULL check on *session* + +Also, update the function header with information about the +expected return on failure and remove unnecessary variable rc. + +This issue was detected with the help of Coccinelle. + +Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)") +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/ibmvmc.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/misc/ibmvmc.c ++++ b/drivers/misc/ibmvmc.c +@@ -820,21 +820,24 @@ static int ibmvmc_send_msg(struct crq_se + * + * Return: + * 0 - Success ++ * Non-zero - Failure + */ + static int ibmvmc_open(struct inode *inode, struct file *file) + { + struct ibmvmc_file_session *session; +- int rc = 0; + + pr_debug("%s: inode = 0x%lx, file = 0x%lx, state = 0x%x\n", __func__, + (unsigned long)inode, (unsigned long)file, + ibmvmc.state); + + session = kzalloc(sizeof(*session), GFP_KERNEL); ++ if (!session) ++ return -ENOMEM; ++ + session->file = file; + file->private_data = session; + +- return rc; ++ return 0; + } + + /** diff --git a/queue-4.19/mmc-dw_mmc-bluefield-fix-the-license-information.patch b/queue-4.19/mmc-dw_mmc-bluefield-fix-the-license-information.patch new file mode 100644 index 00000000000..66acd8c4e05 --- /dev/null +++ b/queue-4.19/mmc-dw_mmc-bluefield-fix-the-license-information.patch @@ -0,0 +1,38 @@ +From f3716b8ae9347797b73896725f192c3a7b0069b5 Mon Sep 17 00:00:00 2001 +From: Liming Sun +Date: Fri, 18 Jan 2019 13:12:06 -0500 +Subject: mmc: dw_mmc-bluefield: : Fix the license information + +From: Liming Sun + +commit f3716b8ae9347797b73896725f192c3a7b0069b5 upstream. + +The SPDX license identifier and the boiler plate text are +contradicting. Only the SPDX license identifier is needed. The +other one is removed. + +Fixes: 86958dcc5ad7 ("mmc: dw_mmc-bluefield: Add driver extension") +Cc: stable@vger.kernel.org +Reviewed-by: David Woods +Signed-off-by: Liming Sun +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/dw_mmc-bluefield.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/mmc/host/dw_mmc-bluefield.c ++++ b/drivers/mmc/host/dw_mmc-bluefield.c +@@ -1,11 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0 + /* + * Copyright (C) 2018 Mellanox Technologies. +- * +- * This program is free software; you can redistribute it and/or modify +- * it under the terms of the GNU General Public License as published by +- * the Free Software Foundation; either version 2 of the License, or +- * (at your option) any later version. + */ + + #include diff --git a/queue-4.19/mmc-meson-gx-free-irq-in-release-callback.patch b/queue-4.19/mmc-meson-gx-free-irq-in-release-callback.patch new file mode 100644 index 00000000000..d75615a020d --- /dev/null +++ b/queue-4.19/mmc-meson-gx-free-irq-in-release-callback.patch @@ -0,0 +1,108 @@ +From bb364890323cca6e43f13e86d190ebf34a7d8cea Mon Sep 17 00:00:00 2001 +From: Remi Pommarel +Date: Fri, 11 Jan 2019 00:01:35 +0100 +Subject: mmc: meson-gx: Free irq in release() callback + +From: Remi Pommarel + +commit bb364890323cca6e43f13e86d190ebf34a7d8cea upstream. + +Because the irq was requested through device managed resources API +(devm_request_threaded_irq()) it was freed after meson_mmc_remove() +completion, thus after mmc_free_host() has reclaimed meson_host memory. +As this irq is IRQF_SHARED, while using CONFIG_DEBUG_SHIRQ, its handler +get called by free_irq(). So meson_mmc_irq() was called after the +meson_host memory reclamation and was using invalid memory. + +We ended up with the following scenario: +device_release_driver() + meson_mmc_remove() + mmc_free_host() /* Freeing host memory */ + ... + devres_release_all() + devm_irq_release() + __free_irq() + meson_mmc_irq() /* Uses freed memory */ + +To avoid this, the irq is released in meson_mmc_remove() and in +mseon_mmc_probe() error path before mmc_free_host() gets called. + +Reported-by: Elie Roudninski +Signed-off-by: Remi Pommarel +Cc: stable@vger.kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/meson-gx-mmc.c | 18 +++++++++++------- + 1 file changed, 11 insertions(+), 7 deletions(-) + +--- a/drivers/mmc/host/meson-gx-mmc.c ++++ b/drivers/mmc/host/meson-gx-mmc.c +@@ -174,6 +174,8 @@ struct meson_host { + struct sd_emmc_desc *descs; + dma_addr_t descs_dma_addr; + ++ int irq; ++ + bool vqmmc_enabled; + }; + +@@ -1181,7 +1183,7 @@ static int meson_mmc_probe(struct platfo + struct resource *res; + struct meson_host *host; + struct mmc_host *mmc; +- int ret, irq; ++ int ret; + + mmc = mmc_alloc_host(sizeof(struct meson_host), &pdev->dev); + if (!mmc) +@@ -1228,8 +1230,8 @@ static int meson_mmc_probe(struct platfo + goto free_host; + } + +- irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ host->irq = platform_get_irq(pdev, 0); ++ if (host->irq <= 0) { + dev_err(&pdev->dev, "failed to get interrupt resource.\n"); + ret = -EINVAL; + goto free_host; +@@ -1283,9 +1285,8 @@ static int meson_mmc_probe(struct platfo + writel(IRQ_CRC_ERR | IRQ_TIMEOUTS | IRQ_END_OF_CHAIN, + host->regs + SD_EMMC_IRQ_EN); + +- ret = devm_request_threaded_irq(&pdev->dev, irq, meson_mmc_irq, +- meson_mmc_irq_thread, IRQF_SHARED, +- NULL, host); ++ ret = request_threaded_irq(host->irq, meson_mmc_irq, ++ meson_mmc_irq_thread, IRQF_SHARED, NULL, host); + if (ret) + goto err_init_clk; + +@@ -1303,7 +1304,7 @@ static int meson_mmc_probe(struct platfo + if (host->bounce_buf == NULL) { + dev_err(host->dev, "Unable to map allocate DMA bounce buffer.\n"); + ret = -ENOMEM; +- goto err_init_clk; ++ goto err_free_irq; + } + + host->descs = dma_alloc_coherent(host->dev, SD_EMMC_DESC_BUF_LEN, +@@ -1322,6 +1323,8 @@ static int meson_mmc_probe(struct platfo + err_bounce_buf: + dma_free_coherent(host->dev, host->bounce_buf_size, + host->bounce_buf, host->bounce_dma_addr); ++err_free_irq: ++ free_irq(host->irq, host); + err_init_clk: + clk_disable_unprepare(host->mmc_clk); + err_core_clk: +@@ -1339,6 +1342,7 @@ static int meson_mmc_remove(struct platf + + /* disable interrupts */ + writel(0, host->regs + SD_EMMC_IRQ_EN); ++ free_irq(host->irq, host); + + dma_free_coherent(host->dev, SD_EMMC_DESC_BUF_LEN, + host->descs, host->descs_dma_addr); diff --git a/queue-4.19/s390-early-improve-machine-detection.patch b/queue-4.19/s390-early-improve-machine-detection.patch new file mode 100644 index 00000000000..eb0ddd13229 --- /dev/null +++ b/queue-4.19/s390-early-improve-machine-detection.patch @@ -0,0 +1,53 @@ +From 03aa047ef2db4985e444af6ee1c1dd084ad9fb4c Mon Sep 17 00:00:00 2001 +From: Christian Borntraeger +Date: Fri, 9 Nov 2018 09:21:47 +0100 +Subject: s390/early: improve machine detection + +From: Christian Borntraeger + +commit 03aa047ef2db4985e444af6ee1c1dd084ad9fb4c upstream. + +Right now the early machine detection code check stsi 3.2.2 for "KVM" +and set MACHINE_IS_VM if this is different. As the console detection +uses diagnose 8 if MACHINE_IS_VM returns true this will crash Linux +early for any non z/VM system that sets a different value than KVM. +So instead of assuming z/VM, do not set any of MACHINE_IS_LPAR, +MACHINE_IS_VM, or MACHINE_IS_KVM. + +CC: stable@vger.kernel.org +Reviewed-by: Heiko Carstens +Signed-off-by: Christian Borntraeger +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/early.c | 4 ++-- + arch/s390/kernel/setup.c | 2 ++ + 2 files changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/s390/kernel/early.c ++++ b/arch/s390/kernel/early.c +@@ -64,10 +64,10 @@ static noinline __init void detect_machi + if (stsi(vmms, 3, 2, 2) || !vmms->count) + return; + +- /* Running under KVM? If not we assume z/VM */ ++ /* Detect known hypervisors */ + if (!memcmp(vmms->vm[0].cpi, "\xd2\xe5\xd4", 3)) + S390_lowcore.machine_flags |= MACHINE_FLAG_KVM; +- else ++ else if (!memcmp(vmms->vm[0].cpi, "\xa9\x61\xe5\xd4", 4)) + S390_lowcore.machine_flags |= MACHINE_FLAG_VM; + } + +--- a/arch/s390/kernel/setup.c ++++ b/arch/s390/kernel/setup.c +@@ -882,6 +882,8 @@ void __init setup_arch(char **cmdline_p) + pr_info("Linux is running under KVM in 64-bit mode\n"); + else if (MACHINE_IS_LPAR) + pr_info("Linux is running natively in 64-bit mode\n"); ++ else ++ pr_info("Linux is running as a guest in 64-bit mode\n"); + + /* Have one command line that is parsed and saved in /proc/cmdline */ + /* boot_command_line has been already set up in early.c */ diff --git a/queue-4.19/s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch b/queue-4.19/s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch new file mode 100644 index 00000000000..fda8747dd8e --- /dev/null +++ b/queue-4.19/s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch @@ -0,0 +1,51 @@ +From a38662084c8bdb829ff486468c7ea801c13fcc34 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 8 Jan 2019 12:44:57 +0100 +Subject: s390/mm: always force a load of the primary ASCE on context switch + +From: Martin Schwidefsky + +commit a38662084c8bdb829ff486468c7ea801c13fcc34 upstream. + +The ASCE of an mm_struct can be modified after a task has been created, +e.g. via crst_table_downgrade for a compat process. The active_mm logic +to avoid the switch_mm call if the next task is a kernel thread can +lead to a situation where switch_mm is called where 'prev == next' is +true but 'prev->context.asce == next->context.asce' is not. + +This can lead to a situation where a CPU uses the outdated ASCE to run +a task. The result can be a crash, endless loops and really subtle +problem due to TLBs being created with an invalid ASCE. + +Cc: stable@kernel.org # v3.15+ +Fixes: 53e857f30867 ("s390/mm,tlb: race of lazy TLB flush vs. recreation") +Reported-by: Heiko Carstens +Reviewed-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/mmu_context.h | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/s390/include/asm/mmu_context.h ++++ b/arch/s390/include/asm/mmu_context.h +@@ -89,8 +89,6 @@ static inline void switch_mm(struct mm_s + { + int cpu = smp_processor_id(); + +- if (prev == next) +- return; + S390_lowcore.user_asce = next->context.asce; + cpumask_set_cpu(cpu, &next->context.cpu_attach_mask); + /* Clear previous user-ASCE from CR1 and CR7 */ +@@ -102,7 +100,8 @@ static inline void switch_mm(struct mm_s + __ctl_load(S390_lowcore.vdso_asce, 7, 7); + clear_cpu_flag(CIF_ASCE_SECONDARY); + } +- cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask); ++ if (prev != next) ++ cpumask_clear_cpu(cpu, &prev->context.cpu_attach_mask); + } + + #define finish_arch_post_lock_switch finish_arch_post_lock_switch diff --git a/queue-4.19/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch b/queue-4.19/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch new file mode 100644 index 00000000000..5dc5b8aa6b6 --- /dev/null +++ b/queue-4.19/s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch @@ -0,0 +1,84 @@ +From b7cb707c373094ce4008d4a6ac9b6b366ec52da5 Mon Sep 17 00:00:00 2001 +From: Gerald Schaefer +Date: Wed, 9 Jan 2019 13:00:03 +0100 +Subject: s390/smp: fix CPU hotplug deadlock with CPU rescan + +From: Gerald Schaefer + +commit b7cb707c373094ce4008d4a6ac9b6b366ec52da5 upstream. + +smp_rescan_cpus() is called without the device_hotplug_lock, which can lead +to a dedlock when a new CPU is found and immediately set online by a udev +rule. + +This was observed on an older kernel version, where the cpu_hotplug_begin() +loop was still present, and it resulted in hanging chcpu and systemd-udev +processes. This specific deadlock will not show on current kernels. However, +there may be other possible deadlocks, and since smp_rescan_cpus() can still +trigger a CPU hotplug operation, the device_hotplug_lock should be held. + +For reference, this was the deadlock with the old cpu_hotplug_begin() loop: + + chcpu (rescan) systemd-udevd + + echo 1 > /sys/../rescan + -> smp_rescan_cpus() + -> (*) get_online_cpus() + (increases refcount) + -> smp_add_present_cpu() + (new CPU found) + -> register_cpu() + -> device_add() + -> udev "add" event triggered -----------> udev rule sets CPU online + -> echo 1 > /sys/.../online + -> lock_device_hotplug_sysfs() + (this is missing in rescan path) + -> device_online() + -> (**) device_lock(new CPU dev) + -> cpu_up() + -> cpu_hotplug_begin() + (loops until refcount == 0) + -> deadlock with (*) + -> bus_probe_device() + -> device_attach() + -> device_lock(new CPU dev) + -> deadlock with (**) + +Fix this by taking the device_hotplug_lock in the CPU rescan path. + +Cc: +Signed-off-by: Gerald Schaefer +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/smp.c | 4 ++++ + drivers/s390/char/sclp_config.c | 2 ++ + 2 files changed, 6 insertions(+) + +--- a/arch/s390/kernel/smp.c ++++ b/arch/s390/kernel/smp.c +@@ -1152,7 +1152,11 @@ static ssize_t __ref rescan_store(struct + { + int rc; + ++ rc = lock_device_hotplug_sysfs(); ++ if (rc) ++ return rc; + rc = smp_rescan_cpus(); ++ unlock_device_hotplug(); + return rc ? rc : count; + } + static DEVICE_ATTR_WO(rescan); +--- a/drivers/s390/char/sclp_config.c ++++ b/drivers/s390/char/sclp_config.c +@@ -60,7 +60,9 @@ static void sclp_cpu_capability_notify(s + + static void __ref sclp_cpu_change_notify(struct work_struct *work) + { ++ lock_device_hotplug(); + smp_rescan_cpus(); ++ unlock_device_hotplug(); + } + + static void sclp_conf_receiver_fn(struct evbuf_header *evbuf) diff --git a/queue-4.19/series b/queue-4.19/series index 186abb90116..4699e7ee3a7 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -19,3 +19,28 @@ erspan-build-the-header-with-the-right-proto-according-to-erspan_ver.patch net-phy-marvell-fix-deadlock-from-wrong-locking.patch ip6_gre-update-version-related-info-when-changing-link.patch tcp-allow-msg_zerocopy-transmission-also-in-close_wait-state.patch +mei-me-mark-lbg-devices-as-having-dma-support.patch +mei-me-add-denverton-innovation-engine-device-ids.patch +usb-leds-fix-regression-in-usbport-led-trigger.patch +usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch +usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch +ceph-clear-inode-pointer-when-snap-realm-gets-dropped-by-its-inode.patch +asoc-atom-fix-a-missing-check-of-snd_pcm_lib_malloc_pages.patch +asoc-rt5514-spi-fix-potential-null-pointer-dereference.patch +asoc-tlv320aic32x4-kernel-oops-while-entering-dapm-standby-mode.patch +clk-socfpga-stratix10-fix-rate-calculation-for-pll-clocks.patch +clk-socfpga-stratix10-fix-naming-convention-for-the-fixed-clocks.patch +inotify-fix-fd-refcount-leak-in-inotify_add_watch.patch +alsa-hda-realtek-fix-typo-for-alc225-model.patch +alsa-hda-add-mute-led-support-for-hp-probook-470-g5.patch +arcv2-lib-memeset-fix-doing-prefetchw-outside-of-buffer.patch +arc-adjust-memblock_reserve-of-kernel-memory.patch +arc-perf-map-generic-branches-to-correct-hardware-condition.patch +s390-mm-always-force-a-load-of-the-primary-asce-on-context-switch.patch +s390-early-improve-machine-detection.patch +s390-smp-fix-cpu-hotplug-deadlock-with-cpu-rescan.patch +misc-ibmvsm-fix-potential-null-pointer-dereference.patch +char-mwave-fix-potential-spectre-v1-vulnerability.patch +mmc-dw_mmc-bluefield-fix-the-license-information.patch +mmc-meson-gx-free-irq-in-release-callback.patch +staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch diff --git a/queue-4.19/staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch b/queue-4.19/staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch new file mode 100644 index 00000000000..7d1cf791a47 --- /dev/null +++ b/queue-4.19/staging-rtl8188eu-add-device-code-for-d-link-dwa-121-rev-b1.patch @@ -0,0 +1,32 @@ +From 5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a Mon Sep 17 00:00:00 2001 +From: Michael Straube +Date: Mon, 7 Jan 2019 18:28:58 +0100 +Subject: staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 + +From: Michael Straube + +commit 5f74a8cbb38d10615ed46bc3e37d9a4c9af8045a upstream. + +This device was added to the stand-alone driver on github. +Add it to the staging driver as well. + +Link: https://github.com/lwfinger/rtl8188eu/commit/a0619a07cd1e +Signed-off-by: Michael Straube +Acked-by: Larry Finger +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -35,6 +35,7 @@ static const struct usb_device_id rtw_us + {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */ + {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */ + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ ++ {USB_DEVICE(0x2001, 0x331B)}, /* D-Link DWA-121 rev B1 */ + {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ diff --git a/queue-4.19/usb-leds-fix-regression-in-usbport-led-trigger.patch b/queue-4.19/usb-leds-fix-regression-in-usbport-led-trigger.patch new file mode 100644 index 00000000000..f909443acf1 --- /dev/null +++ b/queue-4.19/usb-leds-fix-regression-in-usbport-led-trigger.patch @@ -0,0 +1,96 @@ +From 91f7d2e89868fcac0e750a28230fdb1ad4512137 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Fri, 11 Jan 2019 17:29:45 +0100 +Subject: USB: leds: fix regression in usbport led trigger + +From: Christian Lamparter + +commit 91f7d2e89868fcac0e750a28230fdb1ad4512137 upstream. + +The patch "usb: simplify usbport trigger" together with "leds: triggers: +add device attribute support" caused an regression for the usbport +trigger. it will no longer enumerate any active usb hub ports under the +"ports" directory in the sysfs class directory, if the usb host drivers +are fully initialized before the usbport trigger was loaded. + +The reason is that the usbport driver tries to register the sysfs +entries during the activate() callback. And this will fail with -2 / +ENOENT because the patch "leds: triggers: add device attribute support" +made it so that the sysfs "ports" group was only being added after the +activate() callback succeeded. + +This version of the patch reverts parts of the "usb: simplify usbport +trigger" patch and restores usbport trigger's functionality. + +Fixes: 6f7b0bad8839 ("usb: simplify usbport trigger") +Signed-off-by: Christian Lamparter +Cc: stable +Acked-by: Jacek Anaszewski +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/ledtrig-usbport.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/usb/core/ledtrig-usbport.c ++++ b/drivers/usb/core/ledtrig-usbport.c +@@ -119,11 +119,6 @@ static const struct attribute_group port + .attrs = ports_attrs, + }; + +-static const struct attribute_group *ports_groups[] = { +- &ports_group, +- NULL +-}; +- + /*************************************** + * Adding & removing ports + ***************************************/ +@@ -307,6 +302,7 @@ static int usbport_trig_notify(struct no + static int usbport_trig_activate(struct led_classdev *led_cdev) + { + struct usbport_trig_data *usbport_data; ++ int err; + + usbport_data = kzalloc(sizeof(*usbport_data), GFP_KERNEL); + if (!usbport_data) +@@ -315,6 +311,9 @@ static int usbport_trig_activate(struct + + /* List of ports */ + INIT_LIST_HEAD(&usbport_data->ports); ++ err = sysfs_create_group(&led_cdev->dev->kobj, &ports_group); ++ if (err) ++ goto err_free; + usb_for_each_dev(usbport_data, usbport_trig_add_usb_dev_ports); + usbport_trig_update_count(usbport_data); + +@@ -322,8 +321,11 @@ static int usbport_trig_activate(struct + usbport_data->nb.notifier_call = usbport_trig_notify; + led_set_trigger_data(led_cdev, usbport_data); + usb_register_notify(&usbport_data->nb); +- + return 0; ++ ++err_free: ++ kfree(usbport_data); ++ return err; + } + + static void usbport_trig_deactivate(struct led_classdev *led_cdev) +@@ -335,6 +337,8 @@ static void usbport_trig_deactivate(stru + usbport_trig_remove_port(usbport_data, port); + } + ++ sysfs_remove_group(&led_cdev->dev->kobj, &ports_group); ++ + usb_unregister_notify(&usbport_data->nb); + + kfree(usbport_data); +@@ -344,7 +348,6 @@ static struct led_trigger usbport_led_tr + .name = "usbport", + .activate = usbport_trig_activate, + .deactivate = usbport_trig_deactivate, +- .groups = ports_groups, + }; + + static int __init usbport_trig_init(void) diff --git a/queue-4.19/usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch b/queue-4.19/usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch new file mode 100644 index 00000000000..67e234e180f --- /dev/null +++ b/queue-4.19/usb-serial-pl2303-add-new-pid-to-support-pl2303tb.patch @@ -0,0 +1,49 @@ +From 4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb Mon Sep 17 00:00:00 2001 +From: Charles Yeh +Date: Tue, 15 Jan 2019 23:13:56 +0800 +Subject: USB: serial: pl2303: add new PID to support PL2303TB + +From: Charles Yeh + +commit 4dcf9ddc9ad5ab649abafa98c5a4d54b1a33dabb upstream. + +Add new PID to support PL2303TB (TYPE_HX) + +Signed-off-by: Charles Yeh +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -46,6 +46,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_HCR331) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MOTOROLA) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ZTEK) }, ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_TB) }, + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID) }, + { USB_DEVICE(IODATA_VENDOR_ID, IODATA_PRODUCT_ID_RSAQ5) }, + { USB_DEVICE(ATEN_VENDOR_ID, ATEN_PRODUCT_ID), +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -8,6 +8,7 @@ + + #define PL2303_VENDOR_ID 0x067b + #define PL2303_PRODUCT_ID 0x2303 ++#define PL2303_PRODUCT_ID_TB 0x2304 + #define PL2303_PRODUCT_ID_RSAQ2 0x04bb + #define PL2303_PRODUCT_ID_DCU11 0x1234 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0 +@@ -20,6 +21,7 @@ + #define PL2303_PRODUCT_ID_MOTOROLA 0x0307 + #define PL2303_PRODUCT_ID_ZTEK 0xe1f1 + ++ + #define ATEN_VENDOR_ID 0x0557 + #define ATEN_VENDOR_ID2 0x0547 + #define ATEN_PRODUCT_ID 0x2008 diff --git a/queue-4.19/usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch b/queue-4.19/usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch new file mode 100644 index 00000000000..35f441cf15a --- /dev/null +++ b/queue-4.19/usb-serial-simple-add-motorola-tetra-tpg2200-device-id.patch @@ -0,0 +1,41 @@ +From b81c2c33eab79dfd3650293b2227ee5c6036585c Mon Sep 17 00:00:00 2001 +From: Max Schulze +Date: Mon, 7 Jan 2019 08:31:49 +0100 +Subject: USB: serial: simple: add Motorola Tetra TPG2200 device id + +From: Max Schulze + +commit b81c2c33eab79dfd3650293b2227ee5c6036585c upstream. + +Add new Motorola Tetra device id for Motorola Solutions TETRA PEI device + +T: Bus=02 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0cad ProdID=9016 Rev=24.16 +S: Manufacturer=Motorola Solutions, Inc. +S: Product=TETRA PEI interface +C: #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=usb_serial_simple + +Signed-off-by: Max Schulze +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial-simple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -85,7 +85,8 @@ DEVICE(moto_modem, MOTO_IDS); + /* Motorola Tetra driver */ + #define MOTOROLA_TETRA_IDS() \ + { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \ +- { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */ ++ { USB_DEVICE(0x0cad, 0x9012) }, /* MTP6550 */ \ ++ { USB_DEVICE(0x0cad, 0x9016) } /* TPG2200 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); + + /* Novatel Wireless GPS driver */