From: Sasha Levin Date: Thu, 28 Feb 2019 01:02:07 +0000 (-0500) Subject: patches for 4.14 X-Git-Tag: v4.9.162~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9aa60b56b417e82cc7088a858491af66b520139e;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/alsa-compress-prevent-potential-divide-by-zero-bugs.patch b/queue-4.14/alsa-compress-prevent-potential-divide-by-zero-bugs.patch new file mode 100644 index 00000000000..6d8d6b7a0c3 --- /dev/null +++ b/queue-4.14/alsa-compress-prevent-potential-divide-by-zero-bugs.patch @@ -0,0 +1,45 @@ +From c474ce5d94ea0e99fae8b82aebd627fa0d3de4f1 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 12:06:58 +0300 +Subject: ALSA: compress: prevent potential divide by zero bugs + +[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ] + +The problem is seen in the q6asm_dai_compr_set_params() function: + + ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, + (prtd->pcm_size / prtd->periods), + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + prtd->periods); + +In this code prtd->pcm_size is the buffer_size and prtd->periods comes +from params->buffer.fragments. If we allow the number of fragments to +be zero then it results in a divide by zero bug. One possible fix would +be to use prtd->pcm_count directly instead of using the division to +re-calculate it. But I decided that it doesn't really make sense to +allow zero fragments. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 4490a699030b1..555df64d46ffc 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -529,7 +529,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) + { + /* first let's check the buffer parameter's */ + if (params->buffer.fragment_size == 0 || +- params->buffer.fragments > INT_MAX / params->buffer.fragment_size) ++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size || ++ params->buffer.fragments == 0) + return -EINVAL; + + /* now codec parameters */ +-- +2.19.1 + diff --git a/queue-4.14/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch b/queue-4.14/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch new file mode 100644 index 00000000000..617e93dcd61 --- /dev/null +++ b/queue-4.14/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch @@ -0,0 +1,74 @@ +From b675aad7fce587cd65eaf882a9cf8248f27b6a4e Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Thu, 13 Dec 2018 18:42:57 +0300 +Subject: ARC: fix __ffs return value to avoid build warnings + +[ Upstream commit 4e868f8419cb4cb558c5d428e7ab5629cef864c7 ] + +| CC mm/nobootmem.o +|In file included from ./include/asm-generic/bug.h:18:0, +| from ./arch/arc/include/asm/bug.h:32, +| from ./include/linux/bug.h:5, +| from ./include/linux/mmdebug.h:5, +| from ./include/linux/gfp.h:5, +| from ./include/linux/slab.h:15, +| from mm/nobootmem.c:14: +|mm/nobootmem.c: In function '__free_pages_memory': +|./include/linux/kernel.h:845:29: warning: comparison of distinct pointer types lacks a cast +| (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) +| ^ +|./include/linux/kernel.h:859:4: note: in expansion of macro '__typecheck' +| (__typecheck(x, y) && __no_side_effects(x, y)) +| ^~~~~~~~~~~ +|./include/linux/kernel.h:869:24: note: in expansion of macro '__safe_cmp' +| __builtin_choose_expr(__safe_cmp(x, y), \ +| ^~~~~~~~~~ +|./include/linux/kernel.h:878:19: note: in expansion of macro '__careful_cmp' +| #define min(x, y) __careful_cmp(x, y, <) +| ^~~~~~~~~~~~~ +|mm/nobootmem.c:104:11: note: in expansion of macro 'min' +| order = min(MAX_ORDER - 1UL, __ffs(start)); + +Change __ffs return value from 'int' to 'unsigned long' as it +is done in other implementations (like asm-generic, x86, etc...) +to avoid build-time warnings in places where type is strictly +checked. + +As __ffs may return values in [0-31] interval changing return +type to unsigned is valid. + +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/bitops.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h +index 8da87feec59aa..99e6d8948f4ac 100644 +--- a/arch/arc/include/asm/bitops.h ++++ b/arch/arc/include/asm/bitops.h +@@ -340,7 +340,7 @@ static inline __attribute__ ((const)) int __fls(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long word) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long word) + { + if (!word) + return word; +@@ -400,9 +400,9 @@ static inline __attribute__ ((const)) int ffs(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long x) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long x) + { +- int n; ++ unsigned long n; + + asm volatile( + " ffs.f %0, %1 \n" /* 0:31; 31(Z) if src 0 */ +-- +2.19.1 + diff --git a/queue-4.14/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch b/queue-4.14/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch new file mode 100644 index 00000000000..bd85dd85df3 --- /dev/null +++ b/queue-4.14/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch @@ -0,0 +1,83 @@ +From c362fd26b99f2681545877affd704147ee431457 Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Sat, 12 Jan 2019 16:28:43 +0100 +Subject: ASoC: dapm: change snprintf to scnprintf for possible overflow + +[ Upstream commit e581e151e965bf1f2815dd94620b638fec4d0a7e ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. + +Signed-off-by: Silvio Cesare +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 53c9d75256393..bba6a917cd02d 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -2009,19 +2009,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + out = is_connected_output_ep(w, NULL, NULL); + } + +- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", ++ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", + w->name, w->power ? "On" : "Off", + w->force ? " (forced)" : "", in, out); + + if (w->reg >= 0) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " - R%d(0x%x) mask 0x%x", + w->reg, w->reg, w->mask << w->shift); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (w->sname) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", + w->sname, + w->active ? "active" : "inactive"); + +@@ -2034,7 +2034,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + if (!p->connect) + continue; + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " %s \"%s\" \"%s\"\n", + (rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out", + p->name ? p->name : "static", +-- +2.19.1 + diff --git a/queue-4.14/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch b/queue-4.14/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch new file mode 100644 index 00000000000..cb6dd0416ee --- /dev/null +++ b/queue-4.14/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch @@ -0,0 +1,117 @@ +From a037d74923737660baf0f401f5f2b6d532455ce2 Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Tue, 15 Jan 2019 04:27:27 +0100 +Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow + +[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. + +Signed-off-by: Silvio Cesare +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Mark Brown +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Acked-by: Nicolin Chen +Reviewed-by: Kees Cook +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c +index 392d5eef356d3..99e07b01a2ce9 100644 +--- a/sound/soc/fsl/imx-audmux.c ++++ b/sound/soc/fsl/imx-audmux.c +@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, + if (!buf) + return -ENOMEM; + +- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", ++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", + pdcr, ptcr); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS output from %s, ", + audmux_port_string((ptcr >> 27) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk output from %s", + audmux_port_string((ptcr >> 22) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk input"); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "Port is symmetric"); + } else { + if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS output from %s, ", + audmux_port_string((ptcr >> 17) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk output from %s", + audmux_port_string((ptcr >> 12) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk input"); + } + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "\nData received from %s\n", + audmux_port_string((pdcr >> 13) & 0x7)); + +-- +2.19.1 + diff --git a/queue-4.14/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch b/queue-4.14/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch new file mode 100644 index 00000000000..67bc268c171 --- /dev/null +++ b/queue-4.14/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch @@ -0,0 +1,50 @@ +From fa1f99b745671e3b5a19063bfb7cfc0cf9781856 Mon Sep 17 00:00:00 2001 +From: Rander Wang +Date: Tue, 18 Dec 2018 16:24:54 +0800 +Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field + +[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ] + +For some reason this field was set to zero when all other drivers use +.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and +has no impact with the existing legacy driver. The SOF driver also works +with this change which enables it to override the fixed topology. + +Signed-off-by: Rander Wang +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/broadwell.c | 2 +- + sound/soc/intel/boards/haswell.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c +index 6dcbbcefc25b4..88c26ab7b0273 100644 +--- a/sound/soc/intel/boards/broadwell.c ++++ b/sound/soc/intel/boards/broadwell.c +@@ -191,7 +191,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c +index 5e1ea0371c909..8158409921e02 100644 +--- a/sound/soc/intel/boards/haswell.c ++++ b/sound/soc/intel/boards/haswell.c +@@ -145,7 +145,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +-- +2.19.1 + diff --git a/queue-4.14/asoc-variable-val-in-function-rt274_i2c_probe-could-.patch b/queue-4.14/asoc-variable-val-in-function-rt274_i2c_probe-could-.patch new file mode 100644 index 00000000000..620b941e331 --- /dev/null +++ b/queue-4.14/asoc-variable-val-in-function-rt274_i2c_probe-could-.patch @@ -0,0 +1,39 @@ +From d3bddf22d2f96286e006214345fafef203785750 Mon Sep 17 00:00:00 2001 +From: Yizhuo +Date: Thu, 3 Jan 2019 13:59:12 -0800 +Subject: ASoC: Variable "val" in function rt274_i2c_probe() could be + uninitialized + +[ Upstream commit 8c3590de0a378c2449fc1aec127cc693632458e4 ] + +Inside function rt274_i2c_probe(), if regmap_read() function +returns -EINVAL, then local variable "val" leaves uninitialized +but used in if statement. This is potentially unsafe. + +Signed-off-by: Yizhuo +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/rt274.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/sound/soc/codecs/rt274.c b/sound/soc/codecs/rt274.c +index 8f92e5c4dd9d7..cd048df762327 100644 +--- a/sound/soc/codecs/rt274.c ++++ b/sound/soc/codecs/rt274.c +@@ -1128,8 +1128,11 @@ static int rt274_i2c_probe(struct i2c_client *i2c, + return ret; + } + +- regmap_read(rt274->regmap, ++ ret = regmap_read(rt274->regmap, + RT274_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val); ++ if (ret) ++ return ret; ++ + if (val != RT274_VENDOR_ID) { + dev_err(&i2c->dev, + "Device with ID register %#x is not rt274\n", val); +-- +2.19.1 + diff --git a/queue-4.14/cfg80211-extend-range-deviation-for-dmg.patch b/queue-4.14/cfg80211-extend-range-deviation-for-dmg.patch new file mode 100644 index 00000000000..18828c6920e --- /dev/null +++ b/queue-4.14/cfg80211-extend-range-deviation-for-dmg.patch @@ -0,0 +1,43 @@ +From 6d6d8d6e87963e83ebd55fdd10b495ab34cd5562 Mon Sep 17 00:00:00 2001 +From: Chaitanya Tata +Date: Sat, 19 Jan 2019 03:17:47 +0530 +Subject: cfg80211: extend range deviation for DMG + +[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ] + +Recently, DMG frequency bands have been extended till 71GHz, so extend +the range check till 20GHz (45-71GHZ), else some channels will be marked +as disabled. + +Signed-off-by: Chaitanya Tata +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index bd91de4160353..ebfbc3f1be428 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -759,7 +759,7 @@ static bool is_valid_rd(const struct ieee80211_regdomain *rd) + * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"), + * however it is safe for now to assume that a frequency rule should not be + * part of a frequency's band if the start freq or end freq are off by more +- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the ++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the + * 60 GHz band. + * This resolution can be lowered and should be considered as we add + * regulatory rule support for other "bands". +@@ -774,7 +774,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range, + * with the Channel starting frequency above 45 GHz. + */ + u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ? +- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; ++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; + if (abs(freq_khz - freq_range->start_freq_khz) <= limit) + return true; + if (abs(freq_khz - freq_range->end_freq_khz) <= limit) +-- +2.19.1 + diff --git a/queue-4.14/clk-vc5-abort-clock-configuration-without-upstream-c.patch b/queue-4.14/clk-vc5-abort-clock-configuration-without-upstream-c.patch new file mode 100644 index 00000000000..00ab490d3a5 --- /dev/null +++ b/queue-4.14/clk-vc5-abort-clock-configuration-without-upstream-c.patch @@ -0,0 +1,49 @@ +From 3e969e74b31d0840410d32232deb0c9db4410b5f Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Sat, 15 Dec 2018 01:55:19 +0100 +Subject: clk: vc5: Abort clock configuration without upstream clock + +[ Upstream commit 2137a109a5e39c2bdccfffe65230ed3fadbaac0e ] + +In case the upstream clock are not set, which can happen in case the +VC5 has no valid upstream clock, the $src variable is used uninited +by regmap_update_bits(). Check for this condition and return -EINVAL +in such case. + +Note that in case the VC5 has no valid upstream clock, the VC5 can +not operate correctly. That is a hardware property of the VC5. The +internal oscilator present in some VC5 models is also considered +upstream clock. + +Signed-off-by: Marek Vasut +Cc: Alexey Firago +Cc: Laurent Pinchart +Cc: Stephen Boyd +Cc: linux-renesas-soc@vger.kernel.org +[sboyd@kernel.org: Added comment about probe preventing this from +happening in the first place] +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/clk-versaclock5.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/clk/clk-versaclock5.c b/drivers/clk/clk-versaclock5.c +index decffb3826ece..a738af893532f 100644 +--- a/drivers/clk/clk-versaclock5.c ++++ b/drivers/clk/clk-versaclock5.c +@@ -262,8 +262,10 @@ static int vc5_mux_set_parent(struct clk_hw *hw, u8 index) + + if (vc5->clk_mux_ins == VC5_MUX_IN_XIN) + src = VC5_PRIM_SRC_SHDN_EN_XTAL; +- if (vc5->clk_mux_ins == VC5_MUX_IN_CLKIN) ++ else if (vc5->clk_mux_ins == VC5_MUX_IN_CLKIN) + src = VC5_PRIM_SRC_SHDN_EN_CLKIN; ++ else /* Invalid; should have been caught by vc5_probe() */ ++ return -EINVAL; + } + + return regmap_update_bits(vc5->regmap, VC5_PRIM_SRC_SHDN, mask, src); +-- +2.19.1 + diff --git a/queue-4.14/direct-io-allow-direct-writes-to-empty-inodes.patch b/queue-4.14/direct-io-allow-direct-writes-to-empty-inodes.patch new file mode 100644 index 00000000000..fc5a4931afb --- /dev/null +++ b/queue-4.14/direct-io-allow-direct-writes-to-empty-inodes.patch @@ -0,0 +1,56 @@ +From 4af8e2bb64878a5d743c6c33fefefca4f66c2291 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= + +Date: Mon, 8 Oct 2018 20:58:23 -0300 +Subject: direct-io: allow direct writes to empty inodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 8b9433eb4de3c26a9226c981c283f9f4896ae030 ] + +On a DIO_SKIP_HOLES filesystem, the ->get_block() method is currently +not allowed to create blocks for an empty inode. This confusion comes +from trying to bit shift a negative number, so check the size of the +inode first. + +The problem is most visible for hfsplus, because the fallback to +buffered I/O doesn't happen and the write fails with EIO. This is in +part the fault of the module, because it gives a wrong return value on +->get_block(); that will be fixed in a separate patch. + +Reviewed-by: Jeff Moyer +Reviewed-by: Jan Kara +Signed-off-by: Ernesto A. Fernández +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/direct-io.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/direct-io.c b/fs/direct-io.c +index 40567501015f2..2c90d541f5275 100644 +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -658,6 +658,7 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, + unsigned long fs_count; /* Number of filesystem-sized blocks */ + int create; + unsigned int i_blkbits = sdio->blkbits + sdio->blkfactor; ++ loff_t i_size; + + /* + * If there was a memory error and we've overwritten all the +@@ -687,8 +688,8 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, + */ + create = dio->op == REQ_OP_WRITE; + if (dio->flags & DIO_SKIP_HOLES) { +- if (fs_startblk <= ((i_size_read(dio->inode) - 1) >> +- i_blkbits)) ++ i_size = i_size_read(dio->inode); ++ if (i_size && fs_startblk <= (i_size - 1) >> i_blkbits) + create = 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch b/queue-4.14/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch new file mode 100644 index 00000000000..16f6a70ef79 --- /dev/null +++ b/queue-4.14/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch @@ -0,0 +1,113 @@ +From 7f10741ab50aef9fa882c4976f6bdd31ad06fd9f Mon Sep 17 00:00:00 2001 +From: Aaron Hill +Date: Mon, 24 Dec 2018 14:23:36 -0500 +Subject: drivers: thermal: int340x_thermal: Fix sysfs race condition + +[ Upstream commit 129699bb8c7572106b5bbb2407c2daee4727ccad ] + +Changes since V1: +* Use dev_info instead of printk +* Use dev_warn instead of BUG_ON + +Previously, sysfs_create_group was called before all initialization had +fully run - specifically, before pci_set_drvdata was called. Since the +sysctl group is visible to userspace as soon as sysfs_create_group +returns, a small window of time existed during which a process could read +from an uninitialized/partially-initialized device. + +This commit moves the creation of the sysctl group to after all +initialized is completed. This ensures that it's impossible for +userspace to read from a sysctl file before initialization has fully +completed. + +To catch any future regressions, I've added a check to ensure +that proc_thermal_emum_mode is never PROC_THERMAL_NONE when a process +tries to read from a sysctl file. Previously, the aforementioned race +condition could result in the 'else' branch +running while PROC_THERMAL_NONE was set, +leading to a null pointer deference. + +Signed-off-by: Aaron Hill +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + .../processor_thermal_device.c | 28 ++++++++++--------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c +index c6ab7db8c8e23..c344a3783625a 100644 +--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c ++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c +@@ -77,7 +77,12 @@ static ssize_t power_limit_##index##_##suffix##_show(struct device *dev, \ + struct pci_dev *pci_dev; \ + struct platform_device *pdev; \ + struct proc_thermal_device *proc_dev; \ +-\ ++ \ ++ if (proc_thermal_emum_mode == PROC_THERMAL_NONE) { \ ++ dev_warn(dev, "Attempted to get power limit before device was initialized!\n"); \ ++ return 0; \ ++ } \ ++ \ + if (proc_thermal_emum_mode == PROC_THERMAL_PLATFORM_DEV) { \ + pdev = to_platform_device(dev); \ + proc_dev = platform_get_drvdata(pdev); \ +@@ -291,11 +296,6 @@ static int proc_thermal_add(struct device *dev, + *priv = proc_priv; + + ret = proc_thermal_read_ppcc(proc_priv); +- if (!ret) { +- ret = sysfs_create_group(&dev->kobj, +- &power_limit_attribute_group); +- +- } + if (ret) + return ret; + +@@ -309,8 +309,7 @@ static int proc_thermal_add(struct device *dev, + + proc_priv->int340x_zone = int340x_thermal_zone_add(adev, ops); + if (IS_ERR(proc_priv->int340x_zone)) { +- ret = PTR_ERR(proc_priv->int340x_zone); +- goto remove_group; ++ return PTR_ERR(proc_priv->int340x_zone); + } else + ret = 0; + +@@ -324,9 +323,6 @@ static int proc_thermal_add(struct device *dev, + + remove_zone: + int340x_thermal_zone_remove(proc_priv->int340x_zone); +-remove_group: +- sysfs_remove_group(&proc_priv->dev->kobj, +- &power_limit_attribute_group); + + return ret; + } +@@ -357,7 +353,10 @@ static int int3401_add(struct platform_device *pdev) + platform_set_drvdata(pdev, proc_priv); + proc_thermal_emum_mode = PROC_THERMAL_PLATFORM_DEV; + +- return 0; ++ dev_info(&pdev->dev, "Creating sysfs group for PROC_THERMAL_PLATFORM_DEV\n"); ++ ++ return sysfs_create_group(&pdev->dev.kobj, ++ &power_limit_attribute_group); + } + + static int int3401_remove(struct platform_device *pdev) +@@ -434,7 +433,10 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, + dev_err(&pdev->dev, "No auxiliary DTSs enabled\n"); + } + +- return 0; ++ dev_info(&pdev->dev, "Creating sysfs group for PROC_THERMAL_PCI\n"); ++ ++ return sysfs_create_group(&pdev->dev.kobj, ++ &power_limit_attribute_group); + } + + static void proc_thermal_pci_remove(struct pci_dev *pdev) +-- +2.19.1 + diff --git a/queue-4.14/drm-amd-powerplay-od-setting-fix-on-vega10.patch b/queue-4.14/drm-amd-powerplay-od-setting-fix-on-vega10.patch new file mode 100644 index 00000000000..c7fa0bd36d1 --- /dev/null +++ b/queue-4.14/drm-amd-powerplay-od-setting-fix-on-vega10.patch @@ -0,0 +1,61 @@ +From 91acd317b2bde867ab270884b2d366e2754bfbd2 Mon Sep 17 00:00:00 2001 +From: Kenneth Feng +Date: Fri, 18 Jan 2019 18:08:19 +0800 +Subject: drm/amd/powerplay: OD setting fix on Vega10 + +[ Upstream commit 6d87dc97eb3341de3f7b1efa3156cb0e014f4a96 ] + +gfxclk for OD setting is limited to 1980M for non-acg +ASICs of Vega10 + +Signed-off-by: Kenneth Feng +Reviewed-by: Evan Quan +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + .../powerplay/hwmgr/vega10_processpptables.c | 22 ++++++++++++++++++- + 1 file changed, 21 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_processpptables.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_processpptables.c +index e343df1903754..05bb87a54e909 100644 +--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_processpptables.c ++++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_processpptables.c +@@ -32,6 +32,7 @@ + #include "vega10_pptable.h" + + #define NUM_DSPCLK_LEVELS 8 ++#define VEGA10_ENGINECLOCK_HARDMAX 198000 + + static void set_hw_cap(struct pp_hwmgr *hwmgr, bool enable, + enum phm_platform_caps cap) +@@ -258,7 +259,26 @@ static int init_over_drive_limits( + struct pp_hwmgr *hwmgr, + const ATOM_Vega10_POWERPLAYTABLE *powerplay_table) + { +- hwmgr->platform_descriptor.overdriveLimit.engineClock = ++ const ATOM_Vega10_GFXCLK_Dependency_Table *gfxclk_dep_table = ++ (const ATOM_Vega10_GFXCLK_Dependency_Table *) ++ (((unsigned long) powerplay_table) + ++ le16_to_cpu(powerplay_table->usGfxclkDependencyTableOffset)); ++ bool is_acg_enabled = false; ++ ATOM_Vega10_GFXCLK_Dependency_Record_V2 *patom_record_v2; ++ ++ if (gfxclk_dep_table->ucRevId == 1) { ++ patom_record_v2 = ++ (ATOM_Vega10_GFXCLK_Dependency_Record_V2 *)gfxclk_dep_table->entries; ++ is_acg_enabled = ++ (bool)patom_record_v2[gfxclk_dep_table->ucNumEntries-1].ucACGEnable; ++ } ++ ++ if (powerplay_table->ulMaxODEngineClock > VEGA10_ENGINECLOCK_HARDMAX && ++ !is_acg_enabled) ++ hwmgr->platform_descriptor.overdriveLimit.engineClock = ++ VEGA10_ENGINECLOCK_HARDMAX; ++ else ++ hwmgr->platform_descriptor.overdriveLimit.engineClock = + le32_to_cpu(powerplay_table->ulMaxODEngineClock); + hwmgr->platform_descriptor.overdriveLimit.memoryClock = + le32_to_cpu(powerplay_table->ulMaxODMemoryClock); +-- +2.19.1 + diff --git a/queue-4.14/drm-msm-unblock-writer-if-reader-closes-file.patch b/queue-4.14/drm-msm-unblock-writer-if-reader-closes-file.patch new file mode 100644 index 00000000000..a963b4ea6f1 --- /dev/null +++ b/queue-4.14/drm-msm-unblock-writer-if-reader-closes-file.patch @@ -0,0 +1,45 @@ +From 9aa1497f2c861db6e7a44e9d6cd9c5c0c7ab1b85 Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Wed, 19 Dec 2018 08:57:41 -0800 +Subject: drm/msm: Unblock writer if reader closes file + +[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ] + +Prevents deadlock when fifo is full and reader closes file. + +Signed-off-by: Kristian H. Kristensen +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_rd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c +index ec56794ad0399..bdce1c9434c6c 100644 +--- a/drivers/gpu/drm/msm/msm_rd.c ++++ b/drivers/gpu/drm/msm/msm_rd.c +@@ -109,7 +109,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz) + char *fptr = &fifo->buf[fifo->head]; + int n; + +- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0); ++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open); ++ if (!rd->open) ++ return; + + /* Note that smp_load_acquire() is not strictly required + * as CIRC_SPACE_TO_END() does not access the tail more +@@ -207,7 +209,10 @@ static int rd_open(struct inode *inode, struct file *file) + static int rd_release(struct inode *inode, struct file *file) + { + struct msm_rd_state *rd = inode->i_private; ++ + rd->open = false; ++ wake_up_all(&rd->fifo_event); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/futex-fix-possible-missed-wakeup.patch b/queue-4.14/futex-fix-possible-missed-wakeup.patch new file mode 100644 index 00000000000..c829e575c0e --- /dev/null +++ b/queue-4.14/futex-fix-possible-missed-wakeup.patch @@ -0,0 +1,61 @@ +From 55a9c23935eff6b602ffb80552d3ddf0dafcd6d7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 29 Nov 2018 14:44:49 +0100 +Subject: futex: Fix (possible) missed wakeup + +[ Upstream commit b061c38bef43406df8e73c5be06cbfacad5ee6ad ] + +We must not rely on wake_q_add() to delay the wakeup; in particular +commit: + + 1d0dcb3ad9d3 ("futex: Implement lockless wakeups") + +moved wake_q_add() before smp_store_release(&q->lock_ptr, NULL), which +could result in futex_wait() waking before observing ->lock_ptr == +NULL and going back to sleep again. + +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 1d0dcb3ad9d3 ("futex: Implement lockless wakeups") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/futex.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/kernel/futex.c b/kernel/futex.c +index 29d708d0b3d19..22f83064abb35 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1462,11 +1462,7 @@ static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q) + if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n")) + return; + +- /* +- * Queue the task for later wakeup for after we've released +- * the hb->lock. wake_q_add() grabs reference to p. +- */ +- wake_q_add(wake_q, p); ++ get_task_struct(p); + __unqueue_futex(q); + /* + * The waiting task can free the futex_q as soon as q->lock_ptr = NULL +@@ -1476,6 +1472,13 @@ static void mark_wake_futex(struct wake_q_head *wake_q, struct futex_q *q) + * plist_del in __unqueue_futex(). + */ + smp_store_release(&q->lock_ptr, NULL); ++ ++ /* ++ * Queue the task for later wakeup for after we've released ++ * the hb->lock. wake_q_add() grabs reference to p. ++ */ ++ wake_q_add(wake_q, p); ++ put_task_struct(p); + } + + /* +-- +2.19.1 + diff --git a/queue-4.14/genirq-make-sure-the-initial-affinity-is-not-empty.patch b/queue-4.14/genirq-make-sure-the-initial-affinity-is-not-empty.patch new file mode 100644 index 00000000000..0d391086579 --- /dev/null +++ b/queue-4.14/genirq-make-sure-the-initial-affinity-is-not-empty.patch @@ -0,0 +1,40 @@ +From f8b20fb876b29251f6fb24a06c73a9ed935e5ac8 Mon Sep 17 00:00:00 2001 +From: Srinivas Ramana +Date: Thu, 20 Dec 2018 19:05:57 +0530 +Subject: genirq: Make sure the initial affinity is not empty + +[ Upstream commit bddda606ec76550dd63592e32a6e87e7d32583f7 ] + +If all CPUs in the irq_default_affinity mask are offline when an interrupt +is initialized then irq_setup_affinity() can set an empty affinity mask for +a newly allocated interrupt. + +Fix this by falling back to cpu_online_mask in case the resulting affinity +mask is zero. + +Signed-off-by: Srinivas Ramana +Signed-off-by: Thomas Gleixner +Cc: linux-arm-msm@vger.kernel.org +Link: https://lkml.kernel.org/r/1545312957-8504-1-git-send-email-sramana@codeaurora.org +Signed-off-by: Sasha Levin +--- + kernel/irq/manage.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c +index 4cd85870f00e6..6c877d28838f2 100644 +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -360,6 +360,9 @@ int irq_setup_affinity(struct irq_desc *desc) + } + + cpumask_and(&mask, cpu_online_mask, set); ++ if (cpumask_empty(&mask)) ++ cpumask_copy(&mask, cpu_online_mask); ++ + if (node != NUMA_NO_NODE) { + const struct cpumask *nodemask = cpumask_of_node(node); + +-- +2.19.1 + diff --git a/queue-4.14/hv_netvsc-fix-ethtool-change-hash-key-error.patch b/queue-4.14/hv_netvsc-fix-ethtool-change-hash-key-error.patch new file mode 100644 index 00000000000..b34e183406d --- /dev/null +++ b/queue-4.14/hv_netvsc-fix-ethtool-change-hash-key-error.patch @@ -0,0 +1,81 @@ +From 12054d07099326edda95a2ac4d76767f767d5c2f Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Tue, 15 Jan 2019 00:51:42 +0000 +Subject: hv_netvsc: Fix ethtool change hash key error + +[ Upstream commit b4a10c750424e01b5e37372fef0a574ebf7b56c3 ] + +Hyper-V hosts require us to disable RSS before changing RSS key, +otherwise the changing request will fail. This patch fixes the +coding error. + +Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table") +Reported-by: Wei Hu +Signed-off-by: Haiyang Zhang +Reviewed-by: Michael Kelley +[sl: fix up subject line] +Signed-off-by: Sasha Levin +--- + drivers/net/hyperv/rndis_filter.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c +index 17025d46bdac8..fc1d5e14d83e9 100644 +--- a/drivers/net/hyperv/rndis_filter.c ++++ b/drivers/net/hyperv/rndis_filter.c +@@ -711,8 +711,8 @@ rndis_filter_set_offload_params(struct net_device *ndev, + return ret; + } + +-int rndis_filter_set_rss_param(struct rndis_device *rdev, +- const u8 *rss_key) ++static int rndis_set_rss_param_msg(struct rndis_device *rdev, ++ const u8 *rss_key, u16 flag) + { + struct net_device *ndev = rdev->ndev; + struct rndis_request *request; +@@ -741,7 +741,7 @@ int rndis_filter_set_rss_param(struct rndis_device *rdev, + rssp->hdr.type = NDIS_OBJECT_TYPE_RSS_PARAMETERS; + rssp->hdr.rev = NDIS_RECEIVE_SCALE_PARAMETERS_REVISION_2; + rssp->hdr.size = sizeof(struct ndis_recv_scale_param); +- rssp->flag = 0; ++ rssp->flag = flag; + rssp->hashinfo = NDIS_HASH_FUNC_TOEPLITZ | NDIS_HASH_IPV4 | + NDIS_HASH_TCP_IPV4 | NDIS_HASH_IPV6 | + NDIS_HASH_TCP_IPV6; +@@ -766,9 +766,12 @@ int rndis_filter_set_rss_param(struct rndis_device *rdev, + + wait_for_completion(&request->wait_event); + set_complete = &request->response_msg.msg.set_complete; +- if (set_complete->status == RNDIS_STATUS_SUCCESS) +- memcpy(rdev->rss_key, rss_key, NETVSC_HASH_KEYLEN); +- else { ++ if (set_complete->status == RNDIS_STATUS_SUCCESS) { ++ if (!(flag & NDIS_RSS_PARAM_FLAG_DISABLE_RSS) && ++ !(flag & NDIS_RSS_PARAM_FLAG_HASH_KEY_UNCHANGED)) ++ memcpy(rdev->rss_key, rss_key, NETVSC_HASH_KEYLEN); ++ ++ } else { + netdev_err(ndev, "Fail to set RSS parameters:0x%x\n", + set_complete->status); + ret = -EINVAL; +@@ -779,6 +782,16 @@ int rndis_filter_set_rss_param(struct rndis_device *rdev, + return ret; + } + ++int rndis_filter_set_rss_param(struct rndis_device *rdev, ++ const u8 *rss_key) ++{ ++ /* Disable RSS before change */ ++ rndis_set_rss_param_msg(rdev, rss_key, ++ NDIS_RSS_PARAM_FLAG_DISABLE_RSS); ++ ++ return rndis_set_rss_param_msg(rdev, rss_key, 0); ++} ++ + static int rndis_filter_query_device_link_status(struct rndis_device *dev, + struct netvsc_device *net_device) + { +-- +2.19.1 + diff --git a/queue-4.14/ibmveth-do-not-process-frames-after-calling-napi_res.patch b/queue-4.14/ibmveth-do-not-process-frames-after-calling-napi_res.patch new file mode 100644 index 00000000000..009de019d99 --- /dev/null +++ b/queue-4.14/ibmveth-do-not-process-frames-after-calling-napi_res.patch @@ -0,0 +1,43 @@ +From 600cf8c181dfdcb711045c4ca8a625f43258bdb2 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Thu, 24 Jan 2019 11:17:01 -0600 +Subject: ibmveth: Do not process frames after calling napi_reschedule + +[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ] + +The IBM virtual ethernet driver's polling function continues +to process frames after rescheduling NAPI, resulting in a warning +if it exhausted its budget. Do not restart polling after calling +napi_reschedule. Instead let frames be processed in the following +instance. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 6c05819d995ea..754dff4c1771e 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1314,7 +1314,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + unsigned long lpar_rc; + u16 mss = 0; + +-restart_poll: + while (frames_processed < budget) { + if (!ibmveth_rxq_pending_buffer(adapter)) + break; +@@ -1402,7 +1401,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + napi_reschedule(napi)) { + lpar_rc = h_vio_signal(adapter->vdev->unit_address, + VIO_IRQ_DISABLE); +- goto restart_poll; + } + } + +-- +2.19.1 + diff --git a/queue-4.14/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch b/queue-4.14/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch new file mode 100644 index 00000000000..b84bc41bbc3 --- /dev/null +++ b/queue-4.14/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch @@ -0,0 +1,47 @@ +From b93b9a0a6c69159fd02a1a35328662c06d078c99 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 7 Jan 2019 19:44:51 +0100 +Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when + exiting to L1 + +[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ] + +kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being +delivered to the host (L1) when it's running nested. The problem seems to +be: svm_complete_interrupts() raises 'nmi_injected' flag but later we +decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI +injection upon entry so it got delivered to L1 instead of L2. + +It seems that VMX code solves the same issue in prepare_vmcs12(), this was +introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework +event injection and recovery"). + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index a94beaecd3e02..c387047e926a2 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2929,6 +2929,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm) + kvm_mmu_reset_context(&svm->vcpu); + kvm_mmu_load(&svm->vcpu); + ++ /* ++ * Drop what we picked up for L2 via svm_complete_interrupts() so it ++ * doesn't end up in L1. ++ */ ++ svm->vcpu.arch.nmi_injected = false; ++ kvm_clear_exception_queue(&svm->vcpu); ++ kvm_clear_interrupt_queue(&svm->vcpu); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/locking-rwsem-fix-possible-missed-wakeup.patch b/queue-4.14/locking-rwsem-fix-possible-missed-wakeup.patch new file mode 100644 index 00000000000..87f77c1c4c2 --- /dev/null +++ b/queue-4.14/locking-rwsem-fix-possible-missed-wakeup.patch @@ -0,0 +1,63 @@ +From e2bf8c1179d3ff2ecfc4bbcd956a7caba7585d03 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Thu, 29 Nov 2018 20:50:30 +0800 +Subject: locking/rwsem: Fix (possible) missed wakeup + +[ Upstream commit e158488be27b157802753a59b336142dc0eb0380 ] + +Because wake_q_add() can imply an immediate wakeup (cmpxchg failure +case), we must not rely on the wakeup being delayed. However, commit: + + e38513905eea ("locking/rwsem: Rework zeroing reader waiter->task") + +relies on exactly that behaviour in that the wakeup must not happen +until after we clear waiter->task. + +[ peterz: Added changelog. ] + +Signed-off-by: Xie Yongji +Signed-off-by: Zhang Yu +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: e38513905eea ("locking/rwsem: Rework zeroing reader waiter->task") +Link: https://lkml.kernel.org/r/1543495830-2644-1-git-send-email-xieyongji@baidu.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/rwsem-xadd.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index a903367793758..c75017326c37a 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -198,15 +198,22 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + woken++; + tsk = waiter->task; + +- wake_q_add(wake_q, tsk); ++ get_task_struct(tsk); + list_del(&waiter->list); + /* +- * Ensure that the last operation is setting the reader ++ * Ensure calling get_task_struct() before setting the reader + * waiter to nil such that rwsem_down_read_failed() cannot + * race with do_exit() by always holding a reference count + * to the task to wakeup. + */ + smp_store_release(&waiter->task, NULL); ++ /* ++ * Ensure issuing the wakeup (either by us or someone else) ++ * after setting the reader waiter to nil. ++ */ ++ wake_q_add(wake_q, tsk); ++ /* wake_q_add() already take the task ref */ ++ put_task_struct(tsk); + } + + adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; +-- +2.19.1 + diff --git a/queue-4.14/mac80211-add-attribute-aligned-2-to-struct-action.patch b/queue-4.14/mac80211-add-attribute-aligned-2-to-struct-action.patch new file mode 100644 index 00000000000..6b88570082a --- /dev/null +++ b/queue-4.14/mac80211-add-attribute-aligned-2-to-struct-action.patch @@ -0,0 +1,62 @@ +From 4c24abf06a4d046d8175586d29ed4877ed02e562 Mon Sep 17 00:00:00 2001 +From: Mathieu Malaterre +Date: Thu, 24 Jan 2019 19:19:57 +0100 +Subject: mac80211: Add attribute aligned(2) to struct 'action' + +[ Upstream commit 7c53eb5d87bc21464da4268c3c0c47457b6d9c9b ] + +During refactor in commit 9e478066eae4 ("mac80211: fix MU-MIMO +follow-MAC mode") a new struct 'action' was declared with packed +attribute as: + + struct { + struct ieee80211_hdr_3addr hdr; + u8 category; + u8 action_code; + } __packed action; + +But since struct 'ieee80211_hdr_3addr' is declared with an aligned +keyword as: + + struct ieee80211_hdr { + __le16 frame_control; + __le16 duration_id; + u8 addr1[ETH_ALEN]; + u8 addr2[ETH_ALEN]; + u8 addr3[ETH_ALEN]; + __le16 seq_ctrl; + u8 addr4[ETH_ALEN]; + } __packed __aligned(2); + +Solve the ambiguity of placing aligned structure in a packed one by +adding the aligned(2) attribute to struct 'action'. + +This removes the following warning (W=1): + + net/mac80211/rx.c:234:2: warning: alignment 1 of 'struct ' is less than 2 [-Wpacked-not-aligned] + +Cc: Johannes Berg +Suggested-by: Johannes Berg +Signed-off-by: Mathieu Malaterre +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index dfc2af6833aff..1512e547a5e05 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -206,7 +206,7 @@ static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata, + struct ieee80211_hdr_3addr hdr; + u8 category; + u8 action_code; +- } __packed action; ++ } __packed __aligned(2) action; + + if (!sdata) + return; +-- +2.19.1 + diff --git a/queue-4.14/mac80211-don-t-initiate-tdls-connection-if-station-i.patch b/queue-4.14/mac80211-don-t-initiate-tdls-connection-if-station-i.patch new file mode 100644 index 00000000000..7e53301ac2f --- /dev/null +++ b/queue-4.14/mac80211-don-t-initiate-tdls-connection-if-station-i.patch @@ -0,0 +1,57 @@ +From 40983607cf3cbeec46678a436aacfc40fbcae6c6 Mon Sep 17 00:00:00 2001 +From: Balaji Pothunoori +Date: Mon, 21 Jan 2019 12:30:43 +0530 +Subject: mac80211: don't initiate TDLS connection if station is not associated + to AP + +[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ] + +Following call trace is observed while adding TDLS peer entry in driver +during TDLS setup. + +Call Trace: +[] dump_stack+0x47/0x61 +[] __warn+0xe2/0x100 +[] ? sta_apply_parameters+0x49f/0x550 [mac80211] +[] warn_slowpath_null+0x25/0x30 +[] sta_apply_parameters+0x49f/0x550 [mac80211] +[] ? sta_info_alloc+0x1c2/0x450 [mac80211] +[] ieee80211_add_station+0xe3/0x160 [mac80211] +[] nl80211_new_station+0x273/0x420 +[] genl_rcv_msg+0x219/0x3c0 +[] ? genl_rcv+0x30/0x30 +[] netlink_rcv_skb+0x8e/0xb0 +[] genl_rcv+0x1c/0x30 +[] netlink_unicast+0x13a/0x1d0 +[] netlink_sendmsg+0x2d8/0x390 +[] sock_sendmsg+0x2d/0x40 +[] ___sys_sendmsg+0x1d9/0x1e0 + +Fixing this by allowing TDLS setup request only when we have completed +association. + +Signed-off-by: Balaji Pothunoori +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/cfg.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c +index ebc8045ddee68..150dd2160cefb 100644 +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1466,6 +1466,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev, + if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) + sta->sta.tdls = true; + ++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION && ++ !sdata->u.mgd.associated) ++ return -EINVAL; ++ + err = sta_apply_parameters(local, sta, params); + if (err) { + sta_info_free(local, sta); +-- +2.19.1 + diff --git a/queue-4.14/mac80211-fix-miscounting-of-ttl-dropped-frames.patch b/queue-4.14/mac80211-fix-miscounting-of-ttl-dropped-frames.patch new file mode 100644 index 00000000000..3e1083bc284 --- /dev/null +++ b/queue-4.14/mac80211-fix-miscounting-of-ttl-dropped-frames.patch @@ -0,0 +1,44 @@ +From 610961caa56d0bed4cb9de4c1296f3019354c7ab Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Thu, 17 Jan 2019 16:32:42 -0500 +Subject: mac80211: fix miscounting of ttl-dropped frames + +[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ] + +In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl' +counter when we decrement the ttl to zero. For unicast frames +destined for other hosts, we stop processing the frame at that point. + +For multicast frames, we do not rebroadcast it in this case, but we +do pass the frame up the stack to process it on this STA. That +doesn't match the usual definition of "dropped," so don't count +those as such. + +With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a +peer in a ttl=1 network no longer increments the counter rapidly. + +Signed-off-by: Bob Copeland +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index c7ac1a480b1dd..dfc2af6833aff 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2533,7 +2533,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) + skb_set_queue_mapping(skb, q); + + if (!--mesh_hdr->ttl) { +- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); ++ if (!is_multicast_ether_addr(hdr->addr1)) ++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, ++ dropped_frames_ttl); + goto out; + } + +-- +2.19.1 + diff --git a/queue-4.14/net-altera_tse-fix-connect_local_phy-error-path.patch b/queue-4.14/net-altera_tse-fix-connect_local_phy-error-path.patch new file mode 100644 index 00000000000..6b91e3ccf36 --- /dev/null +++ b/queue-4.14/net-altera_tse-fix-connect_local_phy-error-path.patch @@ -0,0 +1,37 @@ +From 3a083ecda005012ed9cc8786e156420115fd8b42 Mon Sep 17 00:00:00 2001 +From: Atsushi Nemoto +Date: Mon, 21 Jan 2019 17:26:41 +0900 +Subject: net: altera_tse: fix connect_local_phy error path + +[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ] + +The connect_local_phy should return NULL (not negative errno) on +error, since its caller expects it. + +Signed-off-by: Atsushi Nemoto +Acked-by: Thor Thayer +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/altera/altera_tse_main.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c +index 527908c7e3845..84def1ff6cb64 100644 +--- a/drivers/net/ethernet/altera/altera_tse_main.c ++++ b/drivers/net/ethernet/altera/altera_tse_main.c +@@ -714,8 +714,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev) + + phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link, + priv->phy_iface); +- if (IS_ERR(phydev)) ++ if (IS_ERR(phydev)) { + netdev_err(dev, "Could not attach to PHY\n"); ++ phydev = NULL; ++ } + + } else { + int ret; +-- +2.19.1 + diff --git a/queue-4.14/net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch b/queue-4.14/net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch new file mode 100644 index 00000000000..19d7896c808 --- /dev/null +++ b/queue-4.14/net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch @@ -0,0 +1,36 @@ +From 196304d56a56b129b56af54424e6fd2694494508 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Thu, 24 Jan 2019 03:07:02 -0800 +Subject: net: dev_is_mac_header_xmit() true for ARPHRD_RAWIP +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 3b707c3008cad04604c1f50e39f456621821c414 ] + +__bpf_redirect() and act_mirred checks this boolean +to determine whether to prefix an ethernet header. + +Signed-off-by: Maciej Żenczykowski +Acked-by: Daniel Borkmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/if_arp.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/include/linux/if_arp.h b/include/linux/if_arp.h +index 3355efc897816..4125f60ee53b0 100644 +--- a/include/linux/if_arp.h ++++ b/include/linux/if_arp.h +@@ -54,6 +54,7 @@ static inline bool dev_is_mac_header_xmit(const struct net_device *dev) + case ARPHRD_IPGRE: + case ARPHRD_VOID: + case ARPHRD_NONE: ++ case ARPHRD_RAWIP: + return false; + default: + return true; +-- +2.19.1 + diff --git a/queue-4.14/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch b/queue-4.14/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch new file mode 100644 index 00000000000..4e40b1cc0a6 --- /dev/null +++ b/queue-4.14/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch @@ -0,0 +1,63 @@ +From 92eccdf3ba645cafed679b287c912955b9005a5e Mon Sep 17 00:00:00 2001 +From: Zhang Run +Date: Thu, 24 Jan 2019 13:48:49 +0800 +Subject: net: usb: asix: ax88772_bind return error when hw_reset fail + +[ Upstream commit 6eea3527e68acc22483f4763c8682f223eb90029 ] + +The ax88772_bind() should return error code immediately when the PHY +was not reset properly through ax88772a_hw_reset(). +Otherwise, The asix_get_phyid() will block when get the PHY +Identifier from the PHYSID1 MII registers through asix_mdio_read() +due to the PHY isn't ready. Furthermore, it will produce a lot of +error message cause system crash.As follows: +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write + reg index 0x0000: -71 +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to send + software reset: ffffffb9 +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write + reg index 0x0000: -71 +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable + software MII access +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read + reg index 0x0000: -71 +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write + reg index 0x0000: -71 +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable + software MII access +asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read + reg index 0x0000: -71 +... + +Signed-off-by: Zhang Run +Reviewed-by: Yang Wei +Tested-by: Marcel Ziswiler +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/asix_devices.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c +index b1b3d8f7e67dd..d0c0ac0c3519c 100644 +--- a/drivers/net/usb/asix_devices.c ++++ b/drivers/net/usb/asix_devices.c +@@ -731,8 +731,13 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf) + asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, 0, 0, 1, &chipcode, 0); + chipcode &= AX_CHIPCODE_MASK; + +- (chipcode == AX_AX88772_CHIPCODE) ? ax88772_hw_reset(dev, 0) : +- ax88772a_hw_reset(dev, 0); ++ ret = (chipcode == AX_AX88772_CHIPCODE) ? ax88772_hw_reset(dev, 0) : ++ ax88772a_hw_reset(dev, 0); ++ ++ if (ret < 0) { ++ netdev_dbg(dev->net, "Failed to reset AX88772: %d\n", ret); ++ return ret; ++ } + + /* Read PHYID register *AFTER* the PHY was reset properly */ + phyid = asix_get_phyid(dev); +-- +2.19.1 + diff --git a/queue-4.14/sched-wait-fix-rcuwait_wake_up-ordering.patch b/queue-4.14/sched-wait-fix-rcuwait_wake_up-ordering.patch new file mode 100644 index 00000000000..6b09646a3d4 --- /dev/null +++ b/queue-4.14/sched-wait-fix-rcuwait_wake_up-ordering.patch @@ -0,0 +1,65 @@ +From dd0bb02a0d201feb8661f9afc9366b99b6a81e5a Mon Sep 17 00:00:00 2001 +From: Prateek Sood +Date: Fri, 30 Nov 2018 20:40:56 +0530 +Subject: sched/wait: Fix rcuwait_wake_up() ordering + +[ Upstream commit 6dc080eeb2ba01973bfff0d79844d7a59e12542e ] + +For some peculiar reason rcuwait_wake_up() has the right barrier in +the comment, but not in the code. + +This mistake has been observed to cause a deadlock in the following +situation: + + P1 P2 + + percpu_up_read() percpu_down_write() + rcu_sync_is_idle() // false + rcu_sync_enter() + ... + __percpu_up_read() + +[S] ,- __this_cpu_dec(*sem->read_count) + | smp_rmb(); +[L] | task = rcu_dereference(w->task) // NULL + | + | [S] w->task = current + | smp_mb(); + | [L] readers_active_check() // fail + `-> + +Where the smp_rmb() (obviously) fails to constrain the store. + +[ peterz: Added changelog. ] + +Signed-off-by: Prateek Sood +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Andrea Parri +Acked-by: Davidlohr Bueso +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 8f95c90ceb54 ("sched/wait, RCU: Introduce rcuwait machinery") +Link: https://lkml.kernel.org/r/1543590656-7157-1-git-send-email-prsood@codeaurora.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/exit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/exit.c b/kernel/exit.c +index 3aa01b74c1e36..5523fb0c20c8c 100644 +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -306,7 +306,7 @@ void rcuwait_wake_up(struct rcuwait *w) + * MB (A) MB (B) + * [L] cond [L] tsk + */ +- smp_rmb(); /* (B) */ ++ smp_mb(); /* (B) */ + + /* + * Avoid using task_rcu_dereference() magic as long as we are careful, +-- +2.19.1 + diff --git a/queue-4.14/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch b/queue-4.14/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch new file mode 100644 index 00000000000..9e1725b311b --- /dev/null +++ b/queue-4.14/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch @@ -0,0 +1,41 @@ +From d31f3400ba05cc7b3cb03f7f17d5e1d80c90bd68 Mon Sep 17 00:00:00 2001 +From: Varun Prakash +Date: Sat, 12 Jan 2019 22:14:30 +0530 +Subject: scsi: csiostor: fix NULL pointer dereference in + csio_vport_set_state() + +[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ] + +Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to +avoid a NULL pointer dereference in csio_vport_set_state(). + +ln->fc_vport is dereferenced in csio_vport_set_state(). + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_attr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c +index 2d1c4ebd40f91..6587f20cff1a1 100644 +--- a/drivers/scsi/csiostor/csio_attr.c ++++ b/drivers/scsi/csiostor/csio_attr.c +@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable) + } + + fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING); ++ ln->fc_vport = fc_vport; + + if (csio_fcoe_alloc_vnp(hw, ln)) + goto error; + + *(struct csio_lnode **)fc_vport->dd_data = ln; +- ln->fc_vport = fc_vport; + if (!fc_vport->node_name) + fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln)); + if (!fc_vport->port_name) +-- +2.19.1 + diff --git a/queue-4.14/selftests-gpio-mockup-chardev-check-asprintf-for-err.patch b/queue-4.14/selftests-gpio-mockup-chardev-check-asprintf-for-err.patch new file mode 100644 index 00000000000..c5a1daca3d5 --- /dev/null +++ b/queue-4.14/selftests-gpio-mockup-chardev-check-asprintf-for-err.patch @@ -0,0 +1,56 @@ +From 9ddb957200a17aef7f20a9fc6ae7ac3cf98d4455 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 14 Jan 2019 14:51:33 +0100 +Subject: selftests: gpio-mockup-chardev: Check asprintf() for error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 508cacd7da6659ae7b7bdd0a335f675422277758 ] + +With gcc 7.3.0: + + gpio-mockup-chardev.c: In function ‘get_debugfs’: + gpio-mockup-chardev.c:62:3: warning: ignoring return value of ‘asprintf’, declared with attribute warn_unused_result [-Wunused-result] + asprintf(path, "%s/gpio", mnt_fs_get_target(fs)); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Handle asprintf() failures to fix this. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/gpio/gpio-mockup-chardev.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/tools/testing/selftests/gpio/gpio-mockup-chardev.c b/tools/testing/selftests/gpio/gpio-mockup-chardev.c +index 667e916fa7cc1..6ceeeed4eeb98 100644 +--- a/tools/testing/selftests/gpio/gpio-mockup-chardev.c ++++ b/tools/testing/selftests/gpio/gpio-mockup-chardev.c +@@ -37,7 +37,7 @@ static int get_debugfs(char **path) + struct libmnt_table *tb; + struct libmnt_iter *itr = NULL; + struct libmnt_fs *fs; +- int found = 0; ++ int found = 0, ret; + + cxt = mnt_new_context(); + if (!cxt) +@@ -58,8 +58,11 @@ static int get_debugfs(char **path) + break; + } + } +- if (found) +- asprintf(path, "%s/gpio", mnt_fs_get_target(fs)); ++ if (found) { ++ ret = asprintf(path, "%s/gpio", mnt_fs_get_target(fs)); ++ if (ret < 0) ++ err(EXIT_FAILURE, "failed to format string"); ++ } + + mnt_free_iter(itr); + mnt_free_context(cxt); +-- +2.19.1 + diff --git a/queue-4.14/selftests-seccomp-use-ldlibs-instead-of-ldflags.patch b/queue-4.14/selftests-seccomp-use-ldlibs-instead-of-ldflags.patch new file mode 100644 index 00000000000..ca6c7da7daa --- /dev/null +++ b/queue-4.14/selftests-seccomp-use-ldlibs-instead-of-ldflags.patch @@ -0,0 +1,126 @@ +From a2a8d0da8b3521411e5bb48c4971cf59904691ca Mon Sep 17 00:00:00 2001 +From: Fathi Boudra +Date: Wed, 16 Jan 2019 11:43:19 -0600 +Subject: selftests: seccomp: use LDLIBS instead of LDFLAGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 5bbc73a841d7f0bbe025a342146dde462a796a5a ] + +seccomp_bpf fails to build due to undefined reference errors: + + aarch64-linaro-linux-gcc --sysroot=/build/tmp-rpb-glibc/sysroots/hikey + -O2 -pipe -g -feliminate-unused-debug-types -Wl,-no-as-needed -Wall + -Wl,-O1 -Wl,--hash-style=gnu -Wl,--as-needed -lpthread seccomp_bpf.c -o + /build/tmp-rpb-glibc/work/hikey-linaro-linux/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf + /tmp/ccrlR3MW.o: In function `tsync_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1920: undefined reference to `sem_post' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1920: undefined reference to `sem_post' + /tmp/ccrlR3MW.o: In function `TSYNC_setup': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1863: undefined reference to `sem_init' + /tmp/ccrlR3MW.o: In function `TSYNC_teardown': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1904: undefined reference to `sem_destroy' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1897: undefined reference to `pthread_kill' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1898: undefined reference to `pthread_cancel' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1899: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_siblings_fail_prctl': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1978: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1990: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1992: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_two_siblings_with_ancestor': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2016: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2032: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2034: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_two_sibling_want_nnp': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2046: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2058: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2060: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_two_siblings_with_no_filter': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2073: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2098: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2100: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_two_siblings_with_one_divergence': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2125: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2143: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2145: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + /tmp/ccrlR3MW.o: In function `TSYNC_two_siblings_not_under_filter': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2169: undefined reference to `sem_wait' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2202: undefined reference to `pthread_join' + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:2227: undefined reference to `pthread_join' + /tmp/ccrlR3MW.o: In function `tsync_start_sibling': + /usr/src/debug/kselftests/4.12-r0/linux-4.12-rc7/tools/testing/selftests/seccomp/seccomp_bpf.c:1941: undefined reference to `pthread_create' + +It's GNU Make and linker specific. + +The default Makefile rule looks like: + +$(CC) $(CFLAGS) $(LDFLAGS) $@ $^ $(LDLIBS) + +When linking is done by gcc itself, no issue, but when it needs to be passed +to proper ld, only LDLIBS follows and then ld cannot know what libs to link +with. + +More detail: +https://www.gnu.org/software/make/manual/html_node/Implicit-Variables.html + +LDFLAGS +Extra flags to give to compilers when they are supposed to invoke the linker, +‘ld’, such as -L. Libraries (-lfoo) should be added to the LDLIBS variable +instead. + +LDLIBS +Library flags or names given to compilers when they are supposed to invoke the +linker, ‘ld’. LOADLIBES is a deprecated (but still supported) alternative to +LDLIBS. Non-library linker flags, such as -L, should go in the LDFLAGS +variable. + +https://lkml.org/lkml/2010/2/10/362 + +tools/perf: libraries must come after objects + +Link order matters, use LDLIBS instead of LDFLAGS to properly link against +libpthread. + +Signed-off-by: Fathi Boudra +Acked-by: Kees Cook +Signed-off-by: Shuah Khan +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/seccomp/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/seccomp/Makefile b/tools/testing/selftests/seccomp/Makefile +index fce7f4ce06925..1760b3e397306 100644 +--- a/tools/testing/selftests/seccomp/Makefile ++++ b/tools/testing/selftests/seccomp/Makefile +@@ -9,7 +9,7 @@ BINARIES := seccomp_bpf seccomp_benchmark + CFLAGS += -Wl,-no-as-needed -Wall + + seccomp_bpf: seccomp_bpf.c ../kselftest_harness.h +- $(CC) $(CFLAGS) $(LDFLAGS) -lpthread $< -o $@ ++ $(CC) $(CFLAGS) $(LDFLAGS) $< -lpthread -o $@ + + TEST_PROGS += $(BINARIES) + EXTRA_CLEAN := $(BINARIES) +-- +2.19.1 + diff --git a/queue-4.14/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch b/queue-4.14/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch new file mode 100644 index 00000000000..ea1890cf639 --- /dev/null +++ b/queue-4.14/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch @@ -0,0 +1,34 @@ +From 2a12ef5899be5646be02b1dbad8f6e21e3b0db05 Mon Sep 17 00:00:00 2001 +From: Tomonori Sakita +Date: Mon, 21 Jan 2019 17:34:16 +0900 +Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with + over-sampling + +[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ] + +Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4. + +Signed-off-by: Tomonori Sakita +Signed-off-by: Atsushi Nemoto +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index 716c33b2a11cb..32a473f9d1d38 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1701,7 +1701,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + } + + /* ask the core to calculate the divisor */ +- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16); ++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4); + + spin_lock_irqsave(&sport->port.lock, flags); + +-- +2.19.1 + diff --git a/queue-4.14/series b/queue-4.14/series index f0735a6f1e6..92e835fa8e3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -4,3 +4,41 @@ revert-loop-fold-__loop_release-into-loop_release.patch net-stmmac-fix-reception-of-broadcom-switches-tags.patch net-stmmac-disable-acs-feature-for-gmac-4.patch scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch +drm-msm-unblock-writer-if-reader-closes-file.patch +asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch +alsa-compress-prevent-potential-divide-by-zero-bugs.patch +asoc-variable-val-in-function-rt274_i2c_probe-could-.patch +clk-vc5-abort-clock-configuration-without-upstream-c.patch +thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch +usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch +usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch +usb-gadget-potential-null-dereference-on-allocation-.patch +genirq-make-sure-the-initial-affinity-is-not-empty.patch +asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch +asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch +selftests-seccomp-use-ldlibs-instead-of-ldflags.patch +selftests-gpio-mockup-chardev-check-asprintf-for-err.patch +arc-fix-__ffs-return-value-to-avoid-build-warnings.patch +drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch +staging-rtl8723bs-fix-build-error-with-clang-when-in.patch +mac80211-fix-miscounting-of-ttl-dropped-frames.patch +sched-wait-fix-rcuwait_wake_up-ordering.patch +futex-fix-possible-missed-wakeup.patch +locking-rwsem-fix-possible-missed-wakeup.patch +drm-amd-powerplay-od-setting-fix-on-vega10.patch +serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch +staging-android-ion-support-cpu-access-during-dma_bu.patch +direct-io-allow-direct-writes-to-empty-inodes.patch +writeback-synchronize-sync-2-against-cgroup-writebac.patch +scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch +net-altera_tse-fix-connect_local_phy-error-path.patch +hv_netvsc-fix-ethtool-change-hash-key-error.patch +sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch +net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch +net-dev_is_mac_header_xmit-true-for-arphrd_rawip.patch +ibmveth-do-not-process-frames-after-calling-napi_res.patch +mac80211-don-t-initiate-tdls-connection-if-station-i.patch +mac80211-add-attribute-aligned-2-to-struct-action.patch +cfg80211-extend-range-deviation-for-dmg.patch +svm-fix-avic-incomplete-ipi-emulation.patch +kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch diff --git a/queue-4.14/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch b/queue-4.14/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch new file mode 100644 index 00000000000..e28e3c60dc8 --- /dev/null +++ b/queue-4.14/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch @@ -0,0 +1,98 @@ +From ffcf79025fa8805aa07366b85d8ea3e9c6476cee Mon Sep 17 00:00:00 2001 +From: Edward Cree +Date: Tue, 22 Jan 2019 19:02:17 +0000 +Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe + +[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ] + +Use a bitmap to keep track of which partition types we've already seen; + for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and + thus skip adding that partition. +Duplicate partitions occur because of the A/B backup scheme used by newer + sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because + they have the same name, causing us not to expose any MTDs at all. + +Signed-off-by: Edward Cree +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++-------- + 1 file changed, 21 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c +index 09352ee43b55c..cc3be94d05622 100644 +--- a/drivers/net/ethernet/sfc/ef10.c ++++ b/drivers/net/ethernet/sfc/ef10.c +@@ -5852,22 +5852,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = { + { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" }, + { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" }, + }; ++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types) + + static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + struct efx_mcdi_mtd_partition *part, +- unsigned int type) ++ unsigned int type, ++ unsigned long *found) + { + MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN); + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX); + const struct efx_ef10_nvram_type_info *info; + size_t size, erase_size, outlen; ++ int type_idx = 0; + bool protected; + int rc; + +- for (info = efx_ef10_nvram_types; ; info++) { +- if (info == +- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types)) ++ for (type_idx = 0; ; type_idx++) { ++ if (type_idx == EF10_NVRAM_PARTITION_COUNT) + return -ENODEV; ++ info = efx_ef10_nvram_types + type_idx; + if ((type & ~info->type_mask) == info->type) + break; + } +@@ -5880,6 +5883,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + if (protected) + return -ENODEV; /* hide it */ + ++ /* If we've already exposed a partition of this type, hide this ++ * duplicate. All operations on MTDs are keyed by the type anyway, ++ * so we can't act on the duplicate. ++ */ ++ if (__test_and_set_bit(type_idx, found)) ++ return -EEXIST; ++ + part->nvram_type = type; + + MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type); +@@ -5908,6 +5918,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx, + static int efx_ef10_mtd_probe(struct efx_nic *efx) + { + MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX); ++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT); + struct efx_mcdi_mtd_partition *parts; + size_t outlen, n_parts_total, i, n_parts; + unsigned int type; +@@ -5936,11 +5947,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx) + for (i = 0; i < n_parts_total; i++) { + type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID, + i); +- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type); +- if (rc == 0) +- n_parts++; +- else if (rc != -ENODEV) ++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type, ++ found); ++ if (rc == -EEXIST || rc == -ENODEV) ++ continue; ++ if (rc) + goto fail; ++ n_parts++; + } + + rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts)); +-- +2.19.1 + diff --git a/queue-4.14/staging-android-ion-support-cpu-access-during-dma_bu.patch b/queue-4.14/staging-android-ion-support-cpu-access-during-dma_bu.patch new file mode 100644 index 00000000000..81b5db6a635 --- /dev/null +++ b/queue-4.14/staging-android-ion-support-cpu-access-during-dma_bu.patch @@ -0,0 +1,51 @@ +From b52ef64415b1186d7bcfe0cb1af1b8f3f729145e Mon Sep 17 00:00:00 2001 +From: Liam Mark +Date: Fri, 18 Jan 2019 10:37:44 -0800 +Subject: staging: android: ion: Support cpu access during dma_buf_detach + +[ Upstream commit 31eb79db420a3f94c4c45a8c0a05cd30e333f981 ] + +Often userspace doesn't know when the kernel will be calling dma_buf_detach +on the buffer. +If userpace starts its CPU access at the same time as the sg list is being +freed it could end up accessing the sg list after it has been freed. + +Thread A Thread B +- DMA_BUF_IOCTL_SYNC IOCT + - ion_dma_buf_begin_cpu_access + - list_for_each_entry + - ion_dma_buf_detatch + - free_duped_table + - dma_sync_sg_for_cpu + +Fix this by getting the ion_buffer lock before freeing the sg table memory. + +Fixes: 2a55e7b5e544 ("staging: android: ion: Call dma_map_sg for syncing and mapping") +Signed-off-by: Liam Mark +Acked-by: Laura Abbott +Acked-by: Andrew F. Davis +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/android/ion/ion.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c +index 24cb666c92242..dd96ca61a5152 100644 +--- a/drivers/staging/android/ion/ion.c ++++ b/drivers/staging/android/ion/ion.c +@@ -257,10 +257,10 @@ static void ion_dma_buf_detatch(struct dma_buf *dmabuf, + struct ion_dma_buf_attachment *a = attachment->priv; + struct ion_buffer *buffer = dmabuf->priv; + +- free_duped_table(a->table); + mutex_lock(&buffer->lock); + list_del(&a->list); + mutex_unlock(&buffer->lock); ++ free_duped_table(a->table); + + kfree(a); + } +-- +2.19.1 + diff --git a/queue-4.14/staging-rtl8723bs-fix-build-error-with-clang-when-in.patch b/queue-4.14/staging-rtl8723bs-fix-build-error-with-clang-when-in.patch new file mode 100644 index 00000000000..303d2cf0b58 --- /dev/null +++ b/queue-4.14/staging-rtl8723bs-fix-build-error-with-clang-when-in.patch @@ -0,0 +1,68 @@ +From e45fdabb485ff4c0c58f6d60c7b66244a37a7364 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 16 Jan 2019 06:20:11 -0700 +Subject: staging: rtl8723bs: Fix build error with Clang when inlining is + disabled + +[ Upstream commit 97715058b70da1262fd07798c8b2e3e894f759dd ] + +When CONFIG_NO_AUTO_INLINE was present in linux-next (which added +'-fno-inline-functions' to KBUILD_CFLAGS), an allyesconfig build with +Clang failed at the modpost stage: + +ERROR: "is_broadcast_mac_addr" [drivers/staging/rtl8723bs/r8723bs.ko] undefined! +ERROR: "is_zero_mac_addr" [drivers/staging/rtl8723bs/r8723bs.ko] undefined! +ERROR: "is_multicast_mac_addr" [drivers/staging/rtl8723bs/r8723bs.ko] undefined! + +These functions were marked as extern inline, meaning that if inlining +doesn't happen, the function will be undefined, as it is above. + +This happens to work with GCC because the '-fno-inline-functions' option +respects the __inline attribute so all instances of these functions are +inlined as expected and the definition doesn't actually matter. However, +with Clang and '-fno-inline-functions', a function has to be marked with +the __always_inline attribute to be considered for inlining, which none +of these functions are. Clang tries to find the symbol definition +elsewhere as it was told and fails, which trickles down to modpost. + +To make sure that this code compiles regardless of compiler and make the +intention of the code clearer, use 'static' to ensure these functions +are always defined, regardless of inlining. Additionally, silence a +checkpatch warning by switching from '__inline' to 'inline'. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8723bs/include/ieee80211.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/staging/rtl8723bs/include/ieee80211.h b/drivers/staging/rtl8723bs/include/ieee80211.h +index 73ce63770c3ce..fa9c80fc77739 100644 +--- a/drivers/staging/rtl8723bs/include/ieee80211.h ++++ b/drivers/staging/rtl8723bs/include/ieee80211.h +@@ -1008,18 +1008,18 @@ enum ieee80211_state { + #define IP_FMT "%pI4" + #define IP_ARG(x) (x) + +-extern __inline int is_multicast_mac_addr(const u8 *addr) ++static inline int is_multicast_mac_addr(const u8 *addr) + { + return ((addr[0] != 0xff) && (0x01 & addr[0])); + } + +-extern __inline int is_broadcast_mac_addr(const u8 *addr) ++static inline int is_broadcast_mac_addr(const u8 *addr) + { + return ((addr[0] == 0xff) && (addr[1] == 0xff) && (addr[2] == 0xff) && \ + (addr[3] == 0xff) && (addr[4] == 0xff) && (addr[5] == 0xff)); + } + +-extern __inline int is_zero_mac_addr(const u8 *addr) ++static inline int is_zero_mac_addr(const u8 *addr) + { + return ((addr[0] == 0x00) && (addr[1] == 0x00) && (addr[2] == 0x00) && \ + (addr[3] == 0x00) && (addr[4] == 0x00) && (addr[5] == 0x00)); +-- +2.19.1 + diff --git a/queue-4.14/svm-fix-avic-incomplete-ipi-emulation.patch b/queue-4.14/svm-fix-avic-incomplete-ipi-emulation.patch new file mode 100644 index 00000000000..1e7a6ff3839 --- /dev/null +++ b/queue-4.14/svm-fix-avic-incomplete-ipi-emulation.patch @@ -0,0 +1,58 @@ +From e3228fcba101988e5d61ed85eca023bfec00cdf6 Mon Sep 17 00:00:00 2001 +From: Suravee Suthikulpanit +Date: Tue, 22 Jan 2019 10:25:13 +0000 +Subject: svm: Fix AVIC incomplete IPI emulation + +[ Upstream commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57 ] + +In case of incomplete IPI with invalid interrupt type, the current +SVM driver does not properly emulate the IPI, and fails to boot +FreeBSD guests with multiple vcpus when enabling AVIC. + +Fix this by update APIC ICR high/low registers, which also +emulate sending the IPI. + +Signed-off-by: Suravee Suthikulpanit +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 19 ++++--------------- + 1 file changed, 4 insertions(+), 15 deletions(-) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index 656ac12f54392..a94beaecd3e02 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4006,25 +4006,14 @@ static int avic_incomplete_ipi_interception(struct vcpu_svm *svm) + kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: { +- int i; +- struct kvm_vcpu *vcpu; +- struct kvm *kvm = svm->vcpu.kvm; + struct kvm_lapic *apic = svm->vcpu.arch.apic; + + /* +- * At this point, we expect that the AVIC HW has already +- * set the appropriate IRR bits on the valid target +- * vcpus. So, we just need to kick the appropriate vcpu. ++ * Update ICR high and low, then emulate sending IPI, ++ * which is handled when writing APIC_ICR. + */ +- kvm_for_each_vcpu(i, vcpu, kvm) { +- bool m = kvm_apic_match_dest(vcpu, apic, +- icrl & KVM_APIC_SHORT_MASK, +- GET_APIC_DEST_FIELD(icrh), +- icrl & KVM_APIC_DEST_MASK); +- +- if (m && !avic_vcpu_is_running(vcpu)) +- kvm_vcpu_wake_up(vcpu); +- } ++ kvm_lapic_reg_write(apic, APIC_ICR2, icrh); ++ kvm_lapic_reg_write(apic, APIC_ICR, icrl); + break; + } + case AVIC_IPI_FAILURE_INVALID_TARGET: +-- +2.19.1 + diff --git a/queue-4.14/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch b/queue-4.14/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch new file mode 100644 index 00000000000..8450859facc --- /dev/null +++ b/queue-4.14/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch @@ -0,0 +1,34 @@ +From 0d6def51deecd6e7b6230bda259fef49a1b8bcc6 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Mon, 17 Dec 2018 10:02:42 +0300 +Subject: thermal: int340x_thermal: Fix a NULL vs IS_ERR() check + +[ Upstream commit 3fe931b31a4078395c1967f0495dcc9e5ec6b5e3 ] + +The intel_soc_dts_iosf_init() function doesn't return NULL, it returns +error pointers. + +Fixes: 4d0dd6c1576b ("Thermal/int340x/processor_thermal: Enable auxiliary DTS for Braswell") +Signed-off-by: Dan Carpenter +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/int340x_thermal/processor_thermal_device.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c +index f02341f7134d4..c6ab7db8c8e23 100644 +--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c ++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c +@@ -416,7 +416,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, + proc_priv->soc_dts = intel_soc_dts_iosf_init( + INTEL_SOC_DTS_INTERRUPT_MSI, 2, 0); + +- if (proc_priv->soc_dts && pdev->irq) { ++ if (!IS_ERR(proc_priv->soc_dts) && pdev->irq) { + ret = pci_enable_msi(pdev); + if (!ret) { + ret = request_threaded_irq(pdev->irq, NULL, +-- +2.19.1 + diff --git a/queue-4.14/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch b/queue-4.14/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch new file mode 100644 index 00000000000..1099a0ef8b9 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch @@ -0,0 +1,57 @@ +From 599eb8e9c87588dcd1f4b916ae7d89979ce2c5eb Mon Sep 17 00:00:00 2001 +From: Zeng Tao +Date: Wed, 26 Dec 2018 19:22:00 +0800 +Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts + +[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ] + +Currently the link_state is uninitialized and the default value is 0(U0) +before the first time we start the udc, and after we start the udc then + stop the udc, the link_state will be undefined. +We may have the following warnings if we start the udc again with +an undefined link_state: + +WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308 +dwc3 100e0000.hidwc3_0: wakeup failed --> -22 +[...] +Call Trace: +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x84/0x98) +[] (dump_stack) from [] (__warn+0xe8/0x100) +[] (__warn) from [](warn_slowpath_fmt+0x38/0x48) +[] (warn_slowpath_fmt) from [](dwc3_send_gadget_ep_cmd+0x304/0x308) +[] (dwc3_send_gadget_ep_cmd) from [](dwc3_ep0_start_trans+0x48/0xf4) +[] (dwc3_ep0_start_trans) from [](dwc3_ep0_out_start+0x64/0x80) +[] (dwc3_ep0_out_start) from [](__dwc3_gadget_start+0x1e0/0x278) +[] (__dwc3_gadget_start) from [](dwc3_gadget_start+0x88/0x10c) +[] (dwc3_gadget_start) from [](udc_bind_to_driver+0x88/0xbc) +[] (udc_bind_to_driver) from [](usb_gadget_probe_driver+0xf8/0x140) +[] (usb_gadget_probe_driver) from [](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite]) +[] (gadget_dev_desc_UDC_store [libcomposite]) from[] (configfs_write_file+0xd4/0x160) +[] (configfs_write_file) from [] (__vfs_write+0x1c/0x114) +[] (__vfs_write) from [] (vfs_write+0xa4/0x168) +[] (vfs_write) from [] (SyS_write+0x3c/0x90) +[] (SyS_write) from [] (ret_fast_syscall+0x0/0x3c) + +Signed-off-by: Zeng Tao +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 5da078bf5f76a..32dd0d3462da1 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1910,6 +1910,7 @@ static int __dwc3_gadget_start(struct dwc3 *dwc) + + /* begin to receive SETUP packets */ + dwc->ep0state = EP0_SETUP_PHASE; ++ dwc->link_state = DWC3_LINK_STATE_SS_DIS; + dwc3_ep0_out_start(dwc); + + dwc3_gadget_enable_irq(dwc); +-- +2.19.1 + diff --git a/queue-4.14/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch b/queue-4.14/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch new file mode 100644 index 00000000000..6fdc7a7001e --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch @@ -0,0 +1,38 @@ +From b163ed4ec1effc3d286ba2f1e34efb16b525e912 Mon Sep 17 00:00:00 2001 +From: Bo He +Date: Mon, 14 Jan 2019 09:48:32 +0200 +Subject: usb: dwc3: gadget: synchronize_irq dwc irq in suspend + +[ Upstream commit 01c10880d24291a96a4ab0da773e3c5ce4d12da8 ] + +We see dwc3 endpoint stopped by unwanted irq during +suspend resume test, which is caused dwc3 ep can't be started +with error "No Resource". + +Here, add synchronize_irq before suspend to sync the +pending IRQ handlers complete. + +Signed-off-by: Bo He +Signed-off-by: Yu Wang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc3/gadget.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c +index 2f96d2d0addd1..5da078bf5f76a 100644 +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3327,6 +3327,8 @@ int dwc3_gadget_suspend(struct dwc3 *dwc) + dwc3_disconnect_gadget(dwc); + __dwc3_gadget_stop(dwc); + ++ synchronize_irq(dwc->irq_gadget); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.14/usb-gadget-potential-null-dereference-on-allocation-.patch b/queue-4.14/usb-gadget-potential-null-dereference-on-allocation-.patch new file mode 100644 index 00000000000..a8ea5d6f4de --- /dev/null +++ b/queue-4.14/usb-gadget-potential-null-dereference-on-allocation-.patch @@ -0,0 +1,37 @@ +From a13682f8be3ba84889f3f43b4fdf9b09e453db3b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 23:42:52 +0300 +Subject: usb: gadget: Potential NULL dereference on allocation error + +[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ] + +The source_sink_alloc_func() function is supposed to return error +pointers on error. The function is called from usb_get_function() which +doesn't check for NULL returns so it would result in an Oops. + +Of course, in the current kernel, small allocations always succeed so +this doesn't affect runtime. + +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_sourcesink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c +index 8784fa12ea2c6..6e9d958004a0d 100644 +--- a/drivers/usb/gadget/function/f_sourcesink.c ++++ b/drivers/usb/gadget/function/f_sourcesink.c +@@ -842,7 +842,7 @@ static struct usb_function *source_sink_alloc_func( + + ss = kzalloc(sizeof(*ss), GFP_KERNEL); + if (!ss) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + ss_opts = container_of(fi, struct f_ss_opts, func_inst); + +-- +2.19.1 + diff --git a/queue-4.14/writeback-synchronize-sync-2-against-cgroup-writebac.patch b/queue-4.14/writeback-synchronize-sync-2-against-cgroup-writebac.patch new file mode 100644 index 00000000000..8fc91c15cde --- /dev/null +++ b/queue-4.14/writeback-synchronize-sync-2-against-cgroup-writebac.patch @@ -0,0 +1,168 @@ +From 21442b247263a8ddea8a899eac40eefdf6a6decd Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 12 Dec 2017 08:38:30 -0800 +Subject: writeback: synchronize sync(2) against cgroup writeback membership + switches + +[ Upstream commit 7fc5854f8c6efae9e7624970ab49a1eac2faefb1 ] + +sync_inodes_sb() can race against cgwb (cgroup writeback) membership +switches and fail to writeback some inodes. For example, if an inode +switches to another wb while sync_inodes_sb() is in progress, the new +wb might not be visible to bdi_split_work_to_wbs() at all or the inode +might jump from a wb which hasn't issued writebacks yet to one which +already has. + +This patch adds backing_dev_info->wb_switch_rwsem to synchronize cgwb +switch path against sync_inodes_sb() so that sync_inodes_sb() is +guaranteed to see all the target wbs and inodes can't jump wbs to +escape syncing. + +v2: Fixed misplaced rwsem init. Spotted by Jiufei. + +Signed-off-by: Tejun Heo +Reported-by: Jiufei Xue +Link: http://lkml.kernel.org/r/dc694ae2-f07f-61e1-7097-7c8411cee12d@gmail.com +Acked-by: Jan Kara +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 40 ++++++++++++++++++++++++++++++-- + include/linux/backing-dev-defs.h | 1 + + mm/backing-dev.c | 1 + + 3 files changed, 40 insertions(+), 2 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 3244932f4d5cc..6a76616c9401b 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -331,11 +331,22 @@ struct inode_switch_wbs_context { + struct work_struct work; + }; + ++static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi) ++{ ++ down_write(&bdi->wb_switch_rwsem); ++} ++ ++static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi) ++{ ++ up_write(&bdi->wb_switch_rwsem); ++} ++ + static void inode_switch_wbs_work_fn(struct work_struct *work) + { + struct inode_switch_wbs_context *isw = + container_of(work, struct inode_switch_wbs_context, work); + struct inode *inode = isw->inode; ++ struct backing_dev_info *bdi = inode_to_bdi(inode); + struct address_space *mapping = inode->i_mapping; + struct bdi_writeback *old_wb = inode->i_wb; + struct bdi_writeback *new_wb = isw->new_wb; +@@ -343,6 +354,12 @@ static void inode_switch_wbs_work_fn(struct work_struct *work) + bool switched = false; + void **slot; + ++ /* ++ * If @inode switches cgwb membership while sync_inodes_sb() is ++ * being issued, sync_inodes_sb() might miss it. Synchronize. ++ */ ++ down_read(&bdi->wb_switch_rwsem); ++ + /* + * By the time control reaches here, RCU grace period has passed + * since I_WB_SWITCH assertion and all wb stat update transactions +@@ -435,6 +452,8 @@ static void inode_switch_wbs_work_fn(struct work_struct *work) + spin_unlock(&new_wb->list_lock); + spin_unlock(&old_wb->list_lock); + ++ up_read(&bdi->wb_switch_rwsem); ++ + if (switched) { + wb_wakeup(new_wb); + wb_put(old_wb); +@@ -475,9 +494,18 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + if (inode->i_state & I_WB_SWITCH) + return; + ++ /* ++ * Avoid starting new switches while sync_inodes_sb() is in ++ * progress. Otherwise, if the down_write protected issue path ++ * blocks heavily, we might end up starting a large number of ++ * switches which will block on the rwsem. ++ */ ++ if (!down_read_trylock(&bdi->wb_switch_rwsem)) ++ return; ++ + isw = kzalloc(sizeof(*isw), GFP_ATOMIC); + if (!isw) +- return; ++ goto out_unlock; + + /* find and pin the new wb */ + rcu_read_lock(); +@@ -511,12 +539,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + * Let's continue after I_WB_SWITCH is guaranteed to be visible. + */ + call_rcu(&isw->rcu_head, inode_switch_wbs_rcu_fn); +- return; ++ goto out_unlock; + + out_free: + if (isw->new_wb) + wb_put(isw->new_wb); + kfree(isw); ++out_unlock: ++ up_read(&bdi->wb_switch_rwsem); + } + + /** +@@ -894,6 +924,9 @@ fs_initcall(cgroup_writeback_init); + + #else /* CONFIG_CGROUP_WRITEBACK */ + ++static void bdi_down_write_wb_switch_rwsem(struct backing_dev_info *bdi) { } ++static void bdi_up_write_wb_switch_rwsem(struct backing_dev_info *bdi) { } ++ + static struct bdi_writeback * + locked_inode_to_wb_and_lock_list(struct inode *inode) + __releases(&inode->i_lock) +@@ -2408,8 +2441,11 @@ void sync_inodes_sb(struct super_block *sb) + return; + WARN_ON(!rwsem_is_locked(&sb->s_umount)); + ++ /* protect against inode wb switch, see inode_switch_wbs_work_fn() */ ++ bdi_down_write_wb_switch_rwsem(bdi); + bdi_split_work_to_wbs(bdi, &work, false); + wb_wait_for_completion(bdi, &done); ++ bdi_up_write_wb_switch_rwsem(bdi); + + wait_sb_inodes(sb); + } +diff --git a/include/linux/backing-dev-defs.h b/include/linux/backing-dev-defs.h +index 19240379637fe..b186c4b464e02 100644 +--- a/include/linux/backing-dev-defs.h ++++ b/include/linux/backing-dev-defs.h +@@ -165,6 +165,7 @@ struct backing_dev_info { + struct radix_tree_root cgwb_tree; /* radix tree of active cgroup wbs */ + struct rb_root cgwb_congested_tree; /* their congested states */ + struct mutex cgwb_release_mutex; /* protect shutdown of wb structs */ ++ struct rw_semaphore wb_switch_rwsem; /* no cgwb switch while syncing */ + #else + struct bdi_writeback_congested *wb_congested; + #endif +diff --git a/mm/backing-dev.c b/mm/backing-dev.c +index 9386c98dac123..6fa31754eadd9 100644 +--- a/mm/backing-dev.c ++++ b/mm/backing-dev.c +@@ -684,6 +684,7 @@ static int cgwb_bdi_init(struct backing_dev_info *bdi) + INIT_RADIX_TREE(&bdi->cgwb_tree, GFP_ATOMIC); + bdi->cgwb_congested_tree = RB_ROOT; + mutex_init(&bdi->cgwb_release_mutex); ++ init_rwsem(&bdi->wb_switch_rwsem); + + ret = wb_init(&bdi->wb, bdi, 1, GFP_KERNEL); + if (!ret) { +-- +2.19.1 +