From: Greg Kroah-Hartman Date: Tue, 2 Oct 2018 12:02:22 +0000 (-0700) Subject: 4.9-stable patches X-Git-Tag: v4.18.12~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a3a500ee46801ad5bfc89d32f1baa1cad2b77f87;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch arm-arm64-smccc-1.1-make-return-values-unsigned-long.patch arm64-kvm-tighten-guest-core-register-access-from-userspace.patch drm-amdgpu-enable-disable-gfx-pg-feature-in-rlc-safe-mode.patch drm-amdgpu-update-power-state-at-the-end-of-smu-hw_init.patch e1000-check-on-netif_running-before-calling-e1000_up.patch e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch ext4-never-move-the-system.data-xattr-out-of-the-inode-body.patch hwmon-adt7475-make-adt7475_read_word-return-errors.patch hwmon-ina2xx-fix-sysfs-shunt-resistor-read-access.patch i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch ib-hfi1-fix-sl-array-bounds-check.patch net-hns-fix-length-and-page_offset-overflow-when-config_arm64_64k_pages.patch net-hns-fix-skb-truesize-underestimation.patch qed-wait-for-mcp-halt-and-resume-commands-to-take-place.patch qed-wait-for-ready-indication-before-rereading-the-shmem.patch serial-imx-restore-handshaking-irq-for-imx1.patch thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch --- diff --git a/queue-4.9/arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch b/queue-4.9/arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch new file mode 100644 index 00000000000..e5d8eb06cc5 --- /dev/null +++ b/queue-4.9/arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch @@ -0,0 +1,135 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 15:08:30 +0100 +Subject: arm/arm64: smccc-1.1: Handle function result as parameters + +From: Marc Zyngier + +[ Upstream commit 755a8bf5579d22eb5636685c516d8dede799e27b ] + +If someone has the silly idea to write something along those lines: + + extern u64 foo(void); + + void bar(struct arm_smccc_res *res) + { + arm_smccc_1_1_smc(0xbad, foo(), res); + } + +they are in for a surprise, as this gets compiled as: + + 0000000000000588 : + 588: a9be7bfd stp x29, x30, [sp, #-32]! + 58c: 910003fd mov x29, sp + 590: f9000bf3 str x19, [sp, #16] + 594: aa0003f3 mov x19, x0 + 598: aa1e03e0 mov x0, x30 + 59c: 94000000 bl 0 <_mcount> + 5a0: 94000000 bl 0 + 5a4: aa0003e1 mov x1, x0 + 5a8: d4000003 smc #0x0 + 5ac: b4000073 cbz x19, 5b8 + 5b0: a9000660 stp x0, x1, [x19] + 5b4: a9010e62 stp x2, x3, [x19, #16] + 5b8: f9400bf3 ldr x19, [sp, #16] + 5bc: a8c27bfd ldp x29, x30, [sp], #32 + 5c0: d65f03c0 ret + 5c4: d503201f nop + +The call to foo "overwrites" the x0 register for the return value, +and we end up calling the wrong secure service. + +A solution is to evaluate all the parameters before assigning +anything to specific registers, leading to the expected result: + + 0000000000000588 : + 588: a9be7bfd stp x29, x30, [sp, #-32]! + 58c: 910003fd mov x29, sp + 590: f9000bf3 str x19, [sp, #16] + 594: aa0003f3 mov x19, x0 + 598: aa1e03e0 mov x0, x30 + 59c: 94000000 bl 0 <_mcount> + 5a0: 94000000 bl 0 + 5a4: aa0003e1 mov x1, x0 + 5a8: d28175a0 mov x0, #0xbad + 5ac: d4000003 smc #0x0 + 5b0: b4000073 cbz x19, 5bc + 5b4: a9000660 stp x0, x1, [x19] + 5b8: a9010e62 stp x2, x3, [x19, #16] + 5bc: f9400bf3 ldr x19, [sp, #16] + 5c0: a8c27bfd ldp x29, x30, [sp], #32 + 5c4: d65f03c0 ret + +Reported-by: Julien Grall +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/arm-smccc.h | 30 ++++++++++++++++++++---------- + 1 file changed, 20 insertions(+), 10 deletions(-) + +--- a/include/linux/arm-smccc.h ++++ b/include/linux/arm-smccc.h +@@ -205,41 +205,51 @@ asmlinkage void __arm_smccc_hvc(unsigned + register unsigned long r3 asm("r3") + + #define __declare_arg_1(a0, a1, res) \ ++ typeof(a1) __a1 = a1; \ + struct arm_smccc_res *___res = res; \ + register unsigned long r0 asm("r0") = (u32)a0; \ +- register unsigned long r1 asm("r1") = a1; \ ++ register unsigned long r1 asm("r1") = __a1; \ + register unsigned long r2 asm("r2"); \ + register unsigned long r3 asm("r3") + + #define __declare_arg_2(a0, a1, a2, res) \ ++ typeof(a1) __a1 = a1; \ ++ typeof(a2) __a2 = a2; \ + struct arm_smccc_res *___res = res; \ + register unsigned long r0 asm("r0") = (u32)a0; \ +- register unsigned long r1 asm("r1") = a1; \ +- register unsigned long r2 asm("r2") = a2; \ ++ register unsigned long r1 asm("r1") = __a1; \ ++ register unsigned long r2 asm("r2") = __a2; \ + register unsigned long r3 asm("r3") + + #define __declare_arg_3(a0, a1, a2, a3, res) \ ++ typeof(a1) __a1 = a1; \ ++ typeof(a2) __a2 = a2; \ ++ typeof(a3) __a3 = a3; \ + struct arm_smccc_res *___res = res; \ + register unsigned long r0 asm("r0") = (u32)a0; \ +- register unsigned long r1 asm("r1") = a1; \ +- register unsigned long r2 asm("r2") = a2; \ +- register unsigned long r3 asm("r3") = a3 ++ register unsigned long r1 asm("r1") = __a1; \ ++ register unsigned long r2 asm("r2") = __a2; \ ++ register unsigned long r3 asm("r3") = __a3 + + #define __declare_arg_4(a0, a1, a2, a3, a4, res) \ ++ typeof(a4) __a4 = a4; \ + __declare_arg_3(a0, a1, a2, a3, res); \ +- register typeof(a4) r4 asm("r4") = a4 ++ register unsigned long r4 asm("r4") = __a4 + + #define __declare_arg_5(a0, a1, a2, a3, a4, a5, res) \ ++ typeof(a5) __a5 = a5; \ + __declare_arg_4(a0, a1, a2, a3, a4, res); \ +- register typeof(a5) r5 asm("r5") = a5 ++ register unsigned long r5 asm("r5") = __a5 + + #define __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res) \ ++ typeof(a6) __a6 = a6; \ + __declare_arg_5(a0, a1, a2, a3, a4, a5, res); \ +- register typeof(a6) r6 asm("r6") = a6 ++ register unsigned long r6 asm("r6") = __a6 + + #define __declare_arg_7(a0, a1, a2, a3, a4, a5, a6, a7, res) \ ++ typeof(a7) __a7 = a7; \ + __declare_arg_6(a0, a1, a2, a3, a4, a5, a6, res); \ +- register typeof(a7) r7 asm("r7") = a7 ++ register unsigned long r7 asm("r7") = __a7 + + #define ___declare_args(count, ...) __declare_arg_ ## count(__VA_ARGS__) + #define __declare_args(count, ...) ___declare_args(count, __VA_ARGS__) diff --git a/queue-4.9/arm-arm64-smccc-1.1-make-return-values-unsigned-long.patch b/queue-4.9/arm-arm64-smccc-1.1-make-return-values-unsigned-long.patch new file mode 100644 index 00000000000..f6e4efeef38 --- /dev/null +++ b/queue-4.9/arm-arm64-smccc-1.1-make-return-values-unsigned-long.patch @@ -0,0 +1,71 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Marc Zyngier +Date: Fri, 24 Aug 2018 15:08:29 +0100 +Subject: arm/arm64: smccc-1.1: Make return values unsigned long + +From: Marc Zyngier + +[ Upstream commit 1d8f574708a3fb6f18c85486d0c5217df893c0cf ] + +An unfortunate consequence of having a strong typing for the input +values to the SMC call is that it also affects the type of the +return values, limiting r0 to 32 bits and r{1,2,3} to whatever +was passed as an input. + +Let's turn everything into "unsigned long", which satisfies the +requirements of both architectures, and allows for the full +range of return values. + +Reported-by: Julien Grall +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/arm-smccc.h | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/include/linux/arm-smccc.h ++++ b/include/linux/arm-smccc.h +@@ -199,31 +199,31 @@ asmlinkage void __arm_smccc_hvc(unsigned + + #define __declare_arg_0(a0, res) \ + struct arm_smccc_res *___res = res; \ +- register u32 r0 asm("r0") = a0; \ ++ register unsigned long r0 asm("r0") = (u32)a0; \ + register unsigned long r1 asm("r1"); \ + register unsigned long r2 asm("r2"); \ + register unsigned long r3 asm("r3") + + #define __declare_arg_1(a0, a1, res) \ + struct arm_smccc_res *___res = res; \ +- register u32 r0 asm("r0") = a0; \ +- register typeof(a1) r1 asm("r1") = a1; \ ++ register unsigned long r0 asm("r0") = (u32)a0; \ ++ register unsigned long r1 asm("r1") = a1; \ + register unsigned long r2 asm("r2"); \ + register unsigned long r3 asm("r3") + + #define __declare_arg_2(a0, a1, a2, res) \ + struct arm_smccc_res *___res = res; \ +- register u32 r0 asm("r0") = a0; \ +- register typeof(a1) r1 asm("r1") = a1; \ +- register typeof(a2) r2 asm("r2") = a2; \ ++ register unsigned long r0 asm("r0") = (u32)a0; \ ++ register unsigned long r1 asm("r1") = a1; \ ++ register unsigned long r2 asm("r2") = a2; \ + register unsigned long r3 asm("r3") + + #define __declare_arg_3(a0, a1, a2, a3, res) \ + struct arm_smccc_res *___res = res; \ +- register u32 r0 asm("r0") = a0; \ +- register typeof(a1) r1 asm("r1") = a1; \ +- register typeof(a2) r2 asm("r2") = a2; \ +- register typeof(a3) r3 asm("r3") = a3 ++ register unsigned long r0 asm("r0") = (u32)a0; \ ++ register unsigned long r1 asm("r1") = a1; \ ++ register unsigned long r2 asm("r2") = a2; \ ++ register unsigned long r3 asm("r3") = a3 + + #define __declare_arg_4(a0, a1, a2, a3, a4, res) \ + __declare_arg_3(a0, a1, a2, a3, res); \ diff --git a/queue-4.9/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch b/queue-4.9/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch new file mode 100644 index 00000000000..1b05f980dda --- /dev/null +++ b/queue-4.9/arm64-kvm-tighten-guest-core-register-access-from-userspace.patch @@ -0,0 +1,99 @@ +From d26c25a9d19b5976b319af528886f89cf455692d Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 27 Sep 2018 16:53:21 +0100 +Subject: arm64: KVM: Tighten guest core register access from userspace + +From: Dave Martin + +commit d26c25a9d19b5976b319af528886f89cf455692d upstream. + +We currently allow userspace to access the core register file +in about any possible way, including straddling multiple +registers and doing unaligned accesses. + +This is not the expected use of the ABI, and nobody is actually +using it that way. Let's tighten it by explicitly checking +the size and alignment for each field of the register file. + +Cc: +Fixes: 2f4a07c5f9fe ("arm64: KVM: guest one-reg interface") +Reviewed-by: Christoffer Dall +Reviewed-by: Mark Rutland +Signed-off-by: Dave Martin +[maz: rewrote Dave's initial patch to be more easily backported] +Signed-off-by: Marc Zyngier +Signed-off-by: Will Deacon +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kvm/guest.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 45 insertions(+) + +--- a/arch/arm64/kvm/guest.c ++++ b/arch/arm64/kvm/guest.c +@@ -57,6 +57,45 @@ static u64 core_reg_offset_from_id(u64 i + return id & ~(KVM_REG_ARCH_MASK | KVM_REG_SIZE_MASK | KVM_REG_ARM_CORE); + } + ++static int validate_core_offset(const struct kvm_one_reg *reg) ++{ ++ u64 off = core_reg_offset_from_id(reg->id); ++ int size; ++ ++ switch (off) { ++ case KVM_REG_ARM_CORE_REG(regs.regs[0]) ... ++ KVM_REG_ARM_CORE_REG(regs.regs[30]): ++ case KVM_REG_ARM_CORE_REG(regs.sp): ++ case KVM_REG_ARM_CORE_REG(regs.pc): ++ case KVM_REG_ARM_CORE_REG(regs.pstate): ++ case KVM_REG_ARM_CORE_REG(sp_el1): ++ case KVM_REG_ARM_CORE_REG(elr_el1): ++ case KVM_REG_ARM_CORE_REG(spsr[0]) ... ++ KVM_REG_ARM_CORE_REG(spsr[KVM_NR_SPSR - 1]): ++ size = sizeof(__u64); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.vregs[0]) ... ++ KVM_REG_ARM_CORE_REG(fp_regs.vregs[31]): ++ size = sizeof(__uint128_t); ++ break; ++ ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpsr): ++ case KVM_REG_ARM_CORE_REG(fp_regs.fpcr): ++ size = sizeof(__u32); ++ break; ++ ++ default: ++ return -EINVAL; ++ } ++ ++ if (KVM_REG_SIZE(reg->id) == size && ++ IS_ALIGNED(off, size / sizeof(__u32))) ++ return 0; ++ ++ return -EINVAL; ++} ++ + static int get_core_reg(struct kvm_vcpu *vcpu, const struct kvm_one_reg *reg) + { + /* +@@ -76,6 +115,9 @@ static int get_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (copy_to_user(uaddr, ((u32 *)regs) + off, KVM_REG_SIZE(reg->id))) + return -EFAULT; + +@@ -98,6 +140,9 @@ static int set_core_reg(struct kvm_vcpu + (off + (KVM_REG_SIZE(reg->id) / sizeof(__u32))) >= nr_regs) + return -ENOENT; + ++ if (validate_core_offset(reg)) ++ return -EINVAL; ++ + if (KVM_REG_SIZE(reg->id) > sizeof(tmp)) + return -EINVAL; + diff --git a/queue-4.9/drm-amdgpu-enable-disable-gfx-pg-feature-in-rlc-safe-mode.patch b/queue-4.9/drm-amdgpu-enable-disable-gfx-pg-feature-in-rlc-safe-mode.patch new file mode 100644 index 00000000000..4b55ea9def0 --- /dev/null +++ b/queue-4.9/drm-amdgpu-enable-disable-gfx-pg-feature-in-rlc-safe-mode.patch @@ -0,0 +1,49 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Rex Zhu +Date: Fri, 24 Aug 2018 17:26:23 +0800 +Subject: drm/amdgpu: Enable/disable gfx PG feature in rlc safe mode + +From: Rex Zhu + +[ Upstream commit 8ef23364b654d44244400d79988e677e504b21ba ] + +This is required by gfx hw and can fix the rlc hang when +do s3 stree test on Cz/St. + +Reviewed-by: Alex Deucher +Signed-off-by: Hang Zhou +Signed-off-by: Rex Zhu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c +@@ -5551,6 +5551,11 @@ static int gfx_v8_0_set_powergating_stat + if (!(adev->pg_flags & AMD_PG_SUPPORT_GFX_PG)) + return 0; + ++ if (adev->pg_flags & (AMD_PG_SUPPORT_GFX_SMG | ++ AMD_PG_SUPPORT_RLC_SMU_HS | ++ AMD_PG_SUPPORT_CP | ++ AMD_PG_SUPPORT_GFX_DMG)) ++ adev->gfx.rlc.funcs->enter_safe_mode(adev); + switch (adev->asic_type) { + case CHIP_CARRIZO: + case CHIP_STONEY: +@@ -5586,7 +5591,11 @@ static int gfx_v8_0_set_powergating_stat + default: + break; + } +- ++ if (adev->pg_flags & (AMD_PG_SUPPORT_GFX_SMG | ++ AMD_PG_SUPPORT_RLC_SMU_HS | ++ AMD_PG_SUPPORT_CP | ++ AMD_PG_SUPPORT_GFX_DMG)) ++ adev->gfx.rlc.funcs->exit_safe_mode(adev); + return 0; + } + diff --git a/queue-4.9/drm-amdgpu-update-power-state-at-the-end-of-smu-hw_init.patch b/queue-4.9/drm-amdgpu-update-power-state-at-the-end-of-smu-hw_init.patch new file mode 100644 index 00000000000..415897c8308 --- /dev/null +++ b/queue-4.9/drm-amdgpu-update-power-state-at-the-end-of-smu-hw_init.patch @@ -0,0 +1,67 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Rex Zhu +Date: Fri, 24 Aug 2018 16:17:54 +0800 +Subject: drm/amdgpu: Update power state at the end of smu hw_init. + +From: Rex Zhu + +[ Upstream commit 2ab4d0e74256fc49b7b270f63c1d1e47c2455abc ] + +For SI/Kv, the power state is managed by function +amdgpu_pm_compute_clocks. + +when dpm enabled, we should call amdgpu_pm_compute_clocks +to update current power state instand of set boot state. + +this change can fix the oops when kfd driver was enabled on Kv. + +Reviewed-by: Alex Deucher +Tested-by: Michel Dänzer +Signed-off-by: Rex Zhu +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/amdgpu/kv_dpm.c | 4 +--- + drivers/gpu/drm/amd/amdgpu/si_dpm.c | 3 +-- + 2 files changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/kv_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/kv_dpm.c +@@ -1350,8 +1350,6 @@ static int kv_dpm_enable(struct amdgpu_d + return ret; + } + +- kv_update_current_ps(adev, adev->pm.dpm.boot_ps); +- + if (adev->irq.installed && + amdgpu_is_internal_thermal_sensor(adev->pm.int_thermal_type)) { + ret = kv_set_thermal_temperature_range(adev, KV_TEMP_RANGE_MIN, KV_TEMP_RANGE_MAX); +@@ -3086,7 +3084,7 @@ static int kv_dpm_hw_init(void *handle) + else + adev->pm.dpm_enabled = true; + mutex_unlock(&adev->pm.mutex); +- ++ amdgpu_pm_compute_clocks(adev); + return ret; + } + +--- a/drivers/gpu/drm/amd/amdgpu/si_dpm.c ++++ b/drivers/gpu/drm/amd/amdgpu/si_dpm.c +@@ -6959,7 +6959,6 @@ static int si_dpm_enable(struct amdgpu_d + + si_enable_auto_throttle_source(adev, AMDGPU_DPM_AUTO_THROTTLE_SRC_THERMAL, true); + si_thermal_start_thermal_controller(adev); +- ni_update_current_ps(adev, boot_ps); + + return 0; + } +@@ -7836,7 +7835,7 @@ static int si_dpm_hw_init(void *handle) + else + adev->pm.dpm_enabled = true; + mutex_unlock(&adev->pm.mutex); +- ++ amdgpu_pm_compute_clocks(adev); + return ret; + } + diff --git a/queue-4.9/e1000-check-on-netif_running-before-calling-e1000_up.patch b/queue-4.9/e1000-check-on-netif_running-before-calling-e1000_up.patch new file mode 100644 index 00000000000..e17b89f21be --- /dev/null +++ b/queue-4.9/e1000-check-on-netif_running-before-calling-e1000_up.patch @@ -0,0 +1,42 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Bo Chen +Date: Mon, 23 Jul 2018 09:01:29 -0700 +Subject: e1000: check on netif_running() before calling e1000_up() + +From: Bo Chen + +[ Upstream commit cf1acec008f8d7761aa3fd7c4bca7e17b2d2512d ] + +When the device is not up, the call to 'e1000_up()' from the error handling path +of 'e1000_set_ringparam()' causes a kernel oops with a null-pointer +dereference. The null-pointer dereference is triggered in function +'e1000_alloc_rx_buffers()' at line 'buffer_info = &rx_ring->buffer_info[i]'. + +This bug was reported by COD, a tool for testing kernel module binaries I am +building. This bug was also detected by KFI from Dr. Kai Cong. + +This patch fixes the bug by checking on 'netif_running()' before calling +'e1000_up()' in 'e1000_set_ringparam()'. + +Signed-off-by: Bo Chen +Acked-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -665,7 +665,8 @@ err_setup_rx: + err_alloc_rx: + kfree(txdr); + err_alloc_tx: +- e1000_up(adapter); ++ if (netif_running(adapter->netdev)) ++ e1000_up(adapter); + err_setup: + clear_bit(__E1000_RESETTING, &adapter->flags); + return err; diff --git a/queue-4.9/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch b/queue-4.9/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch new file mode 100644 index 00000000000..821193c5df0 --- /dev/null +++ b/queue-4.9/e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch @@ -0,0 +1,46 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Bo Chen +Date: Mon, 23 Jul 2018 09:01:30 -0700 +Subject: e1000: ensure to free old tx/rx rings in set_ringparam() + +From: Bo Chen + +[ Upstream commit ee400a3f1bfe7004a3e14b81c38ccc5583c26295 ] + +In 'e1000_set_ringparam()', the tx_ring and rx_ring are updated with new value +and the old tx/rx rings are freed only when the device is up. There are resource +leaks on old tx/rx rings when the device is not up. This bug is reported by COD, +a tool for testing kernel module binaries I am building. + +This patch fixes the bug by always calling 'kfree()' on old tx/rx rings in +'e1000_set_ringparam()'. + +Signed-off-by: Bo Chen +Reviewed-by: Alexander Duyck +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000/e1000_ethtool.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/intel/e1000/e1000_ethtool.c ++++ b/drivers/net/ethernet/intel/e1000/e1000_ethtool.c +@@ -645,14 +645,14 @@ static int e1000_set_ringparam(struct ne + adapter->tx_ring = tx_old; + e1000_free_all_rx_resources(adapter); + e1000_free_all_tx_resources(adapter); +- kfree(tx_old); +- kfree(rx_old); + adapter->rx_ring = rxdr; + adapter->tx_ring = txdr; + err = e1000_up(adapter); + if (err) + goto err_setup; + } ++ kfree(tx_old); ++ kfree(rx_old); + + clear_bit(__E1000_RESETTING, &adapter->flags); + return 0; diff --git a/queue-4.9/ext4-never-move-the-system.data-xattr-out-of-the-inode-body.patch b/queue-4.9/ext4-never-move-the-system.data-xattr-out-of-the-inode-body.patch new file mode 100644 index 00000000000..6bf6985f2ea --- /dev/null +++ b/queue-4.9/ext4-never-move-the-system.data-xattr-out-of-the-inode-body.patch @@ -0,0 +1,42 @@ +From 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sat, 16 Jun 2018 15:40:48 -0400 +Subject: ext4: never move the system.data xattr out of the inode body + +From: Theodore Ts'o + +commit 8cdb5240ec5928b20490a2bb34cb87e9a5f40226 upstream. + +When expanding the extra isize space, we must never move the +system.data xattr out of the inode body. For performance reasons, it +doesn't make any sense, and the inline data implementation assumes +that system.data xattr is never in the external xattr block. + +This addresses CVE-2018-10880 + +https://bugzilla.kernel.org/show_bug.cgi?id=200005 + +Signed-off-by: Theodore Ts'o +Cc: stable@kernel.org +[groeck: Context changes] +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1426,6 +1426,11 @@ static int ext4_xattr_make_inode_space(h + last = IFIRST(header); + /* Find the entry best suited to be pushed into EA block */ + for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) { ++ /* never move system.data out of the inode */ ++ if ((last->e_name_len == 4) && ++ (last->e_name_index == EXT4_XATTR_INDEX_SYSTEM) && ++ !memcmp(last->e_name, "data", 4)) ++ continue; + total_size = + EXT4_XATTR_SIZE(le32_to_cpu(last->e_value_size)) + + EXT4_XATTR_LEN(last->e_name_len); diff --git a/queue-4.9/hwmon-adt7475-make-adt7475_read_word-return-errors.patch b/queue-4.9/hwmon-adt7475-make-adt7475_read_word-return-errors.patch new file mode 100644 index 00000000000..13aaa1ab03a --- /dev/null +++ b/queue-4.9/hwmon-adt7475-make-adt7475_read_word-return-errors.patch @@ -0,0 +1,47 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Dan Carpenter +Date: Tue, 14 Aug 2018 13:07:47 +0300 +Subject: hwmon: (adt7475) Make adt7475_read_word() return errors + +From: Dan Carpenter + +[ Upstream commit f196dec6d50abb2e65fb54a0621b2f1b4d922995 ] + +The adt7475_read_word() function was meant to return negative error +codes on failure. + +Signed-off-by: Dan Carpenter +Reviewed-by: Tokunori Ikegami +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/adt7475.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/hwmon/adt7475.c ++++ b/drivers/hwmon/adt7475.c +@@ -274,14 +274,18 @@ static inline u16 volt2reg(int channel, + return clamp_val(reg, 0, 1023) & (0xff << 2); + } + +-static u16 adt7475_read_word(struct i2c_client *client, int reg) ++static int adt7475_read_word(struct i2c_client *client, int reg) + { +- u16 val; ++ int val1, val2; + +- val = i2c_smbus_read_byte_data(client, reg); +- val |= (i2c_smbus_read_byte_data(client, reg + 1) << 8); ++ val1 = i2c_smbus_read_byte_data(client, reg); ++ if (val1 < 0) ++ return val1; ++ val2 = i2c_smbus_read_byte_data(client, reg + 1); ++ if (val2 < 0) ++ return val2; + +- return val; ++ return val1 | (val2 << 8); + } + + static void adt7475_write_word(struct i2c_client *client, int reg, u16 val) diff --git a/queue-4.9/hwmon-ina2xx-fix-sysfs-shunt-resistor-read-access.patch b/queue-4.9/hwmon-ina2xx-fix-sysfs-shunt-resistor-read-access.patch new file mode 100644 index 00000000000..218c9d227b7 --- /dev/null +++ b/queue-4.9/hwmon-ina2xx-fix-sysfs-shunt-resistor-read-access.patch @@ -0,0 +1,82 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Lothar Felten +Date: Tue, 14 Aug 2018 09:09:37 +0200 +Subject: hwmon: (ina2xx) fix sysfs shunt resistor read access + +From: Lothar Felten + +[ Upstream commit 3ad867001c91657c46dcf6656d52eb6080286fd5 ] + +fix the sysfs shunt resistor read access: return the shunt resistor +value, not the calibration register contents. + +update email address + +Signed-off-by: Lothar Felten +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/hwmon/ina2xx | 2 +- + drivers/hwmon/ina2xx.c | 13 +++++++++++-- + include/linux/platform_data/ina2xx.h | 2 +- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/Documentation/hwmon/ina2xx ++++ b/Documentation/hwmon/ina2xx +@@ -32,7 +32,7 @@ Supported chips: + Datasheet: Publicly available at the Texas Instruments website + http://www.ti.com/ + +-Author: Lothar Felten ++Author: Lothar Felten + + Description + ----------- +--- a/drivers/hwmon/ina2xx.c ++++ b/drivers/hwmon/ina2xx.c +@@ -17,7 +17,7 @@ + * Bi-directional Current/Power Monitor with I2C Interface + * Datasheet: http://www.ti.com/product/ina230 + * +- * Copyright (C) 2012 Lothar Felten ++ * Copyright (C) 2012 Lothar Felten + * Thanks to Jan Volkering + * + * This program is free software; you can redistribute it and/or modify +@@ -328,6 +328,15 @@ static int ina2xx_set_shunt(struct ina2x + return 0; + } + ++static ssize_t ina2xx_show_shunt(struct device *dev, ++ struct device_attribute *da, ++ char *buf) ++{ ++ struct ina2xx_data *data = dev_get_drvdata(dev); ++ ++ return snprintf(buf, PAGE_SIZE, "%li\n", data->rshunt); ++} ++ + static ssize_t ina2xx_store_shunt(struct device *dev, + struct device_attribute *da, + const char *buf, size_t count) +@@ -402,7 +411,7 @@ static SENSOR_DEVICE_ATTR(power1_input, + + /* shunt resistance */ + static SENSOR_DEVICE_ATTR(shunt_resistor, S_IRUGO | S_IWUSR, +- ina2xx_show_value, ina2xx_store_shunt, ++ ina2xx_show_shunt, ina2xx_store_shunt, + INA2XX_CALIBRATION); + + /* update interval (ina226 only) */ +--- a/include/linux/platform_data/ina2xx.h ++++ b/include/linux/platform_data/ina2xx.h +@@ -1,7 +1,7 @@ + /* + * Driver for Texas Instruments INA219, INA226 power monitor chips + * +- * Copyright (C) 2012 Lothar Felten ++ * Copyright (C) 2012 Lothar Felten + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as diff --git a/queue-4.9/i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch b/queue-4.9/i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch new file mode 100644 index 00000000000..e86b4d2f218 --- /dev/null +++ b/queue-4.9/i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch @@ -0,0 +1,94 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Mika Westerberg +Date: Thu, 30 Aug 2018 11:50:13 +0300 +Subject: i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus + +From: Mika Westerberg + +[ Upstream commit 7fd6d98b89f382d414e1db528e29a67bbd749457 ] + +Commit 7ae81952cda ("i2c: i801: Allow ACPI SystemIO OpRegion to conflict +with PCI BAR") made it possible for AML code to access SMBus I/O ports +by installing custom SystemIO OpRegion handler and blocking i80i driver +access upon first AML read/write to this OpRegion. + +However, while ThinkPad T560 does have SystemIO OpRegion declared under +the SMBus device, it does not access any of the SMBus registers: + + Device (SMBU) + { + ... + + OperationRegion (SMBP, PCI_Config, 0x50, 0x04) + Field (SMBP, DWordAcc, NoLock, Preserve) + { + , 5, + TCOB, 11, + Offset (0x04) + } + + Name (TCBV, 0x00) + Method (TCBS, 0, NotSerialized) + { + If ((TCBV == 0x00)) + { + TCBV = (\_SB.PCI0.SMBU.TCOB << 0x05) + } + + Return (TCBV) /* \_SB_.PCI0.SMBU.TCBV */ + } + + OperationRegion (TCBA, SystemIO, TCBS (), 0x10) + Field (TCBA, ByteAcc, NoLock, Preserve) + { + Offset (0x04), + , 9, + CPSC, 1 + } + } + +Problem with the current approach is that it blocks all I/O port access +and because this system has touchpad connected to the SMBus controller +after first AML access (happens during suspend/resume cycle) the +touchpad fails to work anymore. + +Fix this so that we allow ACPI AML I/O port access if it does not touch +the region reserved for the SMBus. + +Fixes: 7ae81952cda ("i2c: i801: Allow ACPI SystemIO OpRegion to conflict with PCI BAR") +Link: https://bugzilla.kernel.org/show_bug.cgi?id=200737 +Reported-by: Yussuf Khalil +Signed-off-by: Mika Westerberg +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-i801.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -1408,6 +1408,13 @@ static void i801_add_tco(struct i801_pri + } + + #ifdef CONFIG_ACPI ++static bool i801_acpi_is_smbus_ioport(const struct i801_priv *priv, ++ acpi_physical_address address) ++{ ++ return address >= priv->smba && ++ address <= pci_resource_end(priv->pci_dev, SMBBAR); ++} ++ + static acpi_status + i801_acpi_io_handler(u32 function, acpi_physical_address address, u32 bits, + u64 *value, void *handler_context, void *region_context) +@@ -1423,7 +1430,7 @@ i801_acpi_io_handler(u32 function, acpi_ + */ + mutex_lock(&priv->acpi_lock); + +- if (!priv->acpi_reserved) { ++ if (!priv->acpi_reserved && i801_acpi_is_smbus_ioport(priv, address)) { + priv->acpi_reserved = true; + + dev_warn(&pdev->dev, "BIOS is accessing SMBus registers\n"); diff --git a/queue-4.9/ib-hfi1-fix-sl-array-bounds-check.patch b/queue-4.9/ib-hfi1-fix-sl-array-bounds-check.patch new file mode 100644 index 00000000000..dfae5a3cd7d --- /dev/null +++ b/queue-4.9/ib-hfi1-fix-sl-array-bounds-check.patch @@ -0,0 +1,48 @@ +From 0dbfaa9f2813787679e296eb5476e40938ab48c8 Mon Sep 17 00:00:00 2001 +From: Ira Weiny +Date: Thu, 20 Sep 2018 12:58:46 -0700 +Subject: IB/hfi1: Fix SL array bounds check + +From: Ira Weiny + +commit 0dbfaa9f2813787679e296eb5476e40938ab48c8 upstream. + +The SL specified by a user needs to be a valid SL. + +Add a range check to the user specified SL value which protects from +running off the end of the SL to SC table. + +CC: stable@vger.kernel.org +Fixes: 7724105686e7 ("IB/hfi1: add driver files") +Signed-off-by: Ira Weiny +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/infiniband/hw/hfi1/verbs.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/hfi1/verbs.c ++++ b/drivers/infiniband/hw/hfi1/verbs.c +@@ -1511,12 +1511,18 @@ static int hfi1_check_ah(struct ib_devic + struct hfi1_pportdata *ppd; + struct hfi1_devdata *dd; + u8 sc5; ++ u8 sl; + + /* test the mapping for validity */ + ibp = to_iport(ibdev, ah_attr->port_num); + ppd = ppd_from_ibp(ibp); +- sc5 = ibp->sl_to_sc[ah_attr->sl]; + dd = dd_from_ppd(ppd); ++ ++ sl = ah_attr->sl; ++ if (sl >= ARRAY_SIZE(ibp->sl_to_sc)) ++ return -EINVAL; ++ ++ sc5 = ibp->sl_to_sc[sl]; + if (sc_to_vlt(dd, sc5) > num_vls && sc_to_vlt(dd, sc5) != 0xf) + return -EINVAL; + return 0; diff --git a/queue-4.9/net-hns-fix-length-and-page_offset-overflow-when-config_arm64_64k_pages.patch b/queue-4.9/net-hns-fix-length-and-page_offset-overflow-when-config_arm64_64k_pages.patch new file mode 100644 index 00000000000..356c7795e56 --- /dev/null +++ b/queue-4.9/net-hns-fix-length-and-page_offset-overflow-when-config_arm64_64k_pages.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Huazhong Tan +Date: Thu, 23 Aug 2018 11:10:10 +0800 +Subject: net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES + +From: Huazhong Tan + +[ Upstream commit 3ed614dce3ca9912d22be215ff0f11104b69fe62 ] + +When enable the config item "CONFIG_ARM64_64K_PAGES", the size of PAGE_SIZE +is 65536(64K). But the type of length and page_offset are u16, they will +overflow. So change them to u32. + +Fixes: 6fe6611ff275 ("net: add Hisilicon Network Subsystem hnae framework support") +Signed-off-by: Huazhong Tan +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hnae.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hnae.h ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h +@@ -213,10 +213,10 @@ struct hnae_desc_cb { + + /* priv data for the desc, e.g. skb when use with ip stack*/ + void *priv; +- u16 page_offset; +- u16 reuse_flag; ++ u32 page_offset; ++ u32 length; /* length of the buffer */ + +- u16 length; /* length of the buffer */ ++ u16 reuse_flag; + + /* desc type, used by the ring user to mark the type of the priv data */ + u16 type; diff --git a/queue-4.9/net-hns-fix-skb-truesize-underestimation.patch b/queue-4.9/net-hns-fix-skb-truesize-underestimation.patch new file mode 100644 index 00000000000..93349eab99a --- /dev/null +++ b/queue-4.9/net-hns-fix-skb-truesize-underestimation.patch @@ -0,0 +1,39 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Huazhong Tan +Date: Thu, 23 Aug 2018 11:10:12 +0800 +Subject: net: hns: fix skb->truesize underestimation + +From: Huazhong Tan + +[ Upstream commit b1ccd4c0ab6ef499f47dd84ed4920502a7147bba ] + +skb->truesize is not meant to be tracking amount of used bytes in a skb, +but amount of reserved/consumed bytes in memory. + +For instance, if we use a single byte in last page fragment, we have to +account the full size of the fragment. + +So skb_add_rx_frag needs to calculate the length of the entire buffer into +turesize. + +Fixes: 9cbe9fd5214e ("net: hns: optimize XGE capability by reducing cpu usage") +Signed-off-by: Huazhong tan +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hns_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hns_enet.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_enet.c +@@ -529,7 +529,7 @@ static void hns_nic_reuse_page(struct sk + } + + skb_add_rx_frag(skb, i, desc_cb->priv, desc_cb->page_offset + pull_len, +- size - pull_len, truesize - pull_len); ++ size - pull_len, truesize); + + /* avoid re-using remote pages,flag default unreuse */ + if (unlikely(page_to_nid(desc_cb->priv) != numa_node_id())) diff --git a/queue-4.9/qed-wait-for-mcp-halt-and-resume-commands-to-take-place.patch b/queue-4.9/qed-wait-for-mcp-halt-and-resume-commands-to-take-place.patch new file mode 100644 index 00000000000..1f9c689ceb4 --- /dev/null +++ b/queue-4.9/qed-wait-for-mcp-halt-and-resume-commands-to-take-place.patch @@ -0,0 +1,107 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Tomer Tayar +Date: Mon, 20 Aug 2018 00:01:43 +0300 +Subject: qed: Wait for MCP halt and resume commands to take place + +From: Tomer Tayar + +[ Upstream commit 76271809f49056f079e202bf6513d17b0d6dd34d ] + +Successive iterations of halting and resuming the management chip (MCP) +might fail, since currently the driver doesn't wait for these operations to +actually take place. +This patch prevents the driver from moving forward before the operations +are reflected in the state register. + +Signed-off-by: Tomer Tayar +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 46 ++++++++++++++++++++----- + drivers/net/ethernet/qlogic/qed/qed_reg_addr.h | 1 + 2 files changed, 39 insertions(+), 8 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -1230,31 +1230,61 @@ qed_mcp_send_drv_version(struct qed_hwfn + return rc; + } + ++/* A maximal 100 msec waiting time for the MCP to halt */ ++#define QED_MCP_HALT_SLEEP_MS 10 ++#define QED_MCP_HALT_MAX_RETRIES 10 ++ + int qed_mcp_halt(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + { +- u32 resp = 0, param = 0; ++ u32 resp = 0, param = 0, cpu_state, cnt = 0; + int rc; + + rc = qed_mcp_cmd(p_hwfn, p_ptt, DRV_MSG_CODE_MCP_HALT, 0, &resp, + ¶m); +- if (rc) ++ if (rc) { + DP_ERR(p_hwfn, "MCP response failure, aborting\n"); ++ return rc; ++ } + +- return rc; ++ do { ++ msleep(QED_MCP_HALT_SLEEP_MS); ++ cpu_state = qed_rd(p_hwfn, p_ptt, MCP_REG_CPU_STATE); ++ if (cpu_state & MCP_REG_CPU_STATE_SOFT_HALTED) ++ break; ++ } while (++cnt < QED_MCP_HALT_MAX_RETRIES); ++ ++ if (cnt == QED_MCP_HALT_MAX_RETRIES) { ++ DP_NOTICE(p_hwfn, ++ "Failed to halt the MCP [CPU_MODE = 0x%08x, CPU_STATE = 0x%08x]\n", ++ qed_rd(p_hwfn, p_ptt, MCP_REG_CPU_MODE), cpu_state); ++ return -EBUSY; ++ } ++ ++ return 0; + } + ++#define QED_MCP_RESUME_SLEEP_MS 10 ++ + int qed_mcp_resume(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + { +- u32 value, cpu_mode; ++ u32 cpu_mode, cpu_state; + + qed_wr(p_hwfn, p_ptt, MCP_REG_CPU_STATE, 0xffffffff); + +- value = qed_rd(p_hwfn, p_ptt, MCP_REG_CPU_MODE); +- value &= ~MCP_REG_CPU_MODE_SOFT_HALT; +- qed_wr(p_hwfn, p_ptt, MCP_REG_CPU_MODE, value); + cpu_mode = qed_rd(p_hwfn, p_ptt, MCP_REG_CPU_MODE); ++ cpu_mode &= ~MCP_REG_CPU_MODE_SOFT_HALT; ++ qed_wr(p_hwfn, p_ptt, MCP_REG_CPU_MODE, cpu_mode); ++ msleep(QED_MCP_RESUME_SLEEP_MS); ++ cpu_state = qed_rd(p_hwfn, p_ptt, MCP_REG_CPU_STATE); ++ ++ if (cpu_state & MCP_REG_CPU_STATE_SOFT_HALTED) { ++ DP_NOTICE(p_hwfn, ++ "Failed to resume the MCP [CPU_MODE = 0x%08x, CPU_STATE = 0x%08x]\n", ++ cpu_mode, cpu_state); ++ return -EBUSY; ++ } + +- return (cpu_mode & MCP_REG_CPU_MODE_SOFT_HALT) ? -EAGAIN : 0; ++ return 0; + } + + int qed_mcp_set_led(struct qed_hwfn *p_hwfn, +--- a/drivers/net/ethernet/qlogic/qed/qed_reg_addr.h ++++ b/drivers/net/ethernet/qlogic/qed/qed_reg_addr.h +@@ -510,6 +510,7 @@ + 0 + #define MCP_REG_CPU_STATE \ + 0xe05004UL ++#define MCP_REG_CPU_STATE_SOFT_HALTED (0x1UL << 10) + #define MCP_REG_CPU_EVENT_MASK \ + 0xe05008UL + #define PGLUE_B_REG_PF_BAR0_SIZE \ diff --git a/queue-4.9/qed-wait-for-ready-indication-before-rereading-the-shmem.patch b/queue-4.9/qed-wait-for-ready-indication-before-rereading-the-shmem.patch new file mode 100644 index 00000000000..3f7d93688b3 --- /dev/null +++ b/queue-4.9/qed-wait-for-ready-indication-before-rereading-the-shmem.patch @@ -0,0 +1,99 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Tomer Tayar +Date: Mon, 20 Aug 2018 00:01:42 +0300 +Subject: qed: Wait for ready indication before rereading the shmem + +From: Tomer Tayar + +[ Upstream commit f00d25f3154b676fcea4502a25b94bd7f142ca74 ] + +The MFW might be reset and re-update its shared memory. +Upon the detection of such a reset the driver rereads this memory, but it +has to wait till the data is valid. +This patch adds the missing wait for a data ready indication. + +Signed-off-by: Tomer Tayar +Signed-off-by: Ariel Elior +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qed/qed_mcp.c | 50 ++++++++++++++++++++++++------ + 1 file changed, 41 insertions(+), 9 deletions(-) + +--- a/drivers/net/ethernet/qlogic/qed/qed_mcp.c ++++ b/drivers/net/ethernet/qlogic/qed/qed_mcp.c +@@ -97,18 +97,57 @@ int qed_mcp_free(struct qed_hwfn *p_hwfn + return 0; + } + ++/* Maximum of 1 sec to wait for the SHMEM ready indication */ ++#define QED_MCP_SHMEM_RDY_MAX_RETRIES 20 ++#define QED_MCP_SHMEM_RDY_ITER_MS 50 ++ + static int qed_load_mcp_offsets(struct qed_hwfn *p_hwfn, struct qed_ptt *p_ptt) + { + struct qed_mcp_info *p_info = p_hwfn->mcp_info; ++ u8 cnt = QED_MCP_SHMEM_RDY_MAX_RETRIES; ++ u8 msec = QED_MCP_SHMEM_RDY_ITER_MS; + u32 drv_mb_offsize, mfw_mb_offsize; + u32 mcp_pf_id = MCP_PF_ID(p_hwfn); + + p_info->public_base = qed_rd(p_hwfn, p_ptt, MISC_REG_SHARED_MEM_ADDR); +- if (!p_info->public_base) +- return 0; ++ if (!p_info->public_base) { ++ DP_NOTICE(p_hwfn, ++ "The address of the MCP scratch-pad is not configured\n"); ++ return -EINVAL; ++ } + + p_info->public_base |= GRCBASE_MCP; + ++ /* Get the MFW MB address and number of supported messages */ ++ mfw_mb_offsize = qed_rd(p_hwfn, p_ptt, ++ SECTION_OFFSIZE_ADDR(p_info->public_base, ++ PUBLIC_MFW_MB)); ++ p_info->mfw_mb_addr = SECTION_ADDR(mfw_mb_offsize, mcp_pf_id); ++ p_info->mfw_mb_length = (u16)qed_rd(p_hwfn, p_ptt, ++ p_info->mfw_mb_addr + ++ offsetof(struct public_mfw_mb, ++ sup_msgs)); ++ ++ /* The driver can notify that there was an MCP reset, and might read the ++ * SHMEM values before the MFW has completed initializing them. ++ * To avoid this, the "sup_msgs" field in the MFW mailbox is used as a ++ * data ready indication. ++ */ ++ while (!p_info->mfw_mb_length && --cnt) { ++ msleep(msec); ++ p_info->mfw_mb_length = ++ (u16)qed_rd(p_hwfn, p_ptt, ++ p_info->mfw_mb_addr + ++ offsetof(struct public_mfw_mb, sup_msgs)); ++ } ++ ++ if (!cnt) { ++ DP_NOTICE(p_hwfn, ++ "Failed to get the SHMEM ready notification after %d msec\n", ++ QED_MCP_SHMEM_RDY_MAX_RETRIES * msec); ++ return -EBUSY; ++ } ++ + /* Calculate the driver and MFW mailbox address */ + drv_mb_offsize = qed_rd(p_hwfn, p_ptt, + SECTION_OFFSIZE_ADDR(p_info->public_base, +@@ -118,13 +157,6 @@ static int qed_load_mcp_offsets(struct q + "drv_mb_offsiz = 0x%x, drv_mb_addr = 0x%x mcp_pf_id = 0x%x\n", + drv_mb_offsize, p_info->drv_mb_addr, mcp_pf_id); + +- /* Set the MFW MB address */ +- mfw_mb_offsize = qed_rd(p_hwfn, p_ptt, +- SECTION_OFFSIZE_ADDR(p_info->public_base, +- PUBLIC_MFW_MB)); +- p_info->mfw_mb_addr = SECTION_ADDR(mfw_mb_offsize, mcp_pf_id); +- p_info->mfw_mb_length = (u16)qed_rd(p_hwfn, p_ptt, p_info->mfw_mb_addr); +- + /* Get the current driver mailbox sequence before sending + * the first command + */ diff --git a/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch b/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch new file mode 100644 index 00000000000..94984b5a805 --- /dev/null +++ b/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch @@ -0,0 +1,43 @@ +From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Thu, 20 Sep 2018 14:11:17 +0200 +Subject: serial: imx: restore handshaking irq for imx1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 7e620984b62532783912312e334f3c48cdacbd5d upstream. + +Back in 2015 when irda was dropped from the driver imx1 was broken. This +change reintroduces the support for the third interrupt of the UART. + +Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA") +Cc: stable +Signed-off-by: Uwe Kleine-König +Reviewed-by: Leonard Crestez +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/tty/serial/imx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2197,6 +2197,14 @@ static int serial_imx_probe(struct platf + ret); + return ret; + } ++ ++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_rtsint, 0, ++ dev_name(&pdev->dev), sport); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to request rts irq: %d\n", ++ ret); ++ return ret; ++ } + } else { + ret = devm_request_irq(&pdev->dev, rxirq, imx_int, 0, + dev_name(&pdev->dev), sport); diff --git a/queue-4.9/series b/queue-4.9/series index 91bd5eea429..7a4b54e2c64 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -74,3 +74,21 @@ ib-srp-avoid-that-sg_reset-d-srp_device-triggers-an-infinite-loop.patch ib-hfi1-invalid-user-input-can-result-in-crash.patch ib-hfi1-fix-context-recovery-when-pbc-has-an-unsupportedvl.patch scsi-target-iscsi-use-bin2hex-instead-of-a-re-implementation.patch +serial-imx-restore-handshaking-irq-for-imx1.patch +ib-hfi1-fix-sl-array-bounds-check.patch +arm64-kvm-tighten-guest-core-register-access-from-userspace.patch +ext4-never-move-the-system.data-xattr-out-of-the-inode-body.patch +qed-wait-for-ready-indication-before-rereading-the-shmem.patch +qed-wait-for-mcp-halt-and-resume-commands-to-take-place.patch +thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch +net-hns-fix-length-and-page_offset-overflow-when-config_arm64_64k_pages.patch +net-hns-fix-skb-truesize-underestimation.patch +e1000-check-on-netif_running-before-calling-e1000_up.patch +e1000-ensure-to-free-old-tx-rx-rings-in-set_ringparam.patch +hwmon-ina2xx-fix-sysfs-shunt-resistor-read-access.patch +hwmon-adt7475-make-adt7475_read_word-return-errors.patch +drm-amdgpu-enable-disable-gfx-pg-feature-in-rlc-safe-mode.patch +drm-amdgpu-update-power-state-at-the-end-of-smu-hw_init.patch +arm-arm64-smccc-1.1-make-return-values-unsigned-long.patch +arm-arm64-smccc-1.1-handle-function-result-as-parameters.patch +i2c-i801-allow-acpi-aml-access-i-o-ports-not-reserved-for-smbus.patch diff --git a/queue-4.9/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch b/queue-4.9/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch new file mode 100644 index 00000000000..beb11c13d62 --- /dev/null +++ b/queue-4.9/thermal-of-thermal-disable-passive-polling-when-thermal-zone-is-disabled.patch @@ -0,0 +1,43 @@ +From foo@baz Tue Oct 2 05:02:12 PDT 2018 +From: Anson Huang +Date: Tue, 31 Jul 2018 00:56:49 +0800 +Subject: thermal: of-thermal: disable passive polling when thermal zone is disabled + +From: Anson Huang + +[ Upstream commit 152395fd03d4ce1e535a75cdbf58105e50587611 ] + +When thermal zone is in passive mode, disabling its mode from +sysfs is NOT taking effect at all, it is still polling the +temperature of the disabled thermal zone and handling all thermal +trips, it makes user confused. The disabling operation should +disable the thermal zone behavior completely, for both active and +passive mode, this patch clears the passive_delay when thermal +zone is disabled and restores it when it is enabled. + +Signed-off-by: Anson Huang +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/of-thermal.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/thermal/of-thermal.c ++++ b/drivers/thermal/of-thermal.c +@@ -278,10 +278,13 @@ static int of_thermal_set_mode(struct th + + mutex_lock(&tz->lock); + +- if (mode == THERMAL_DEVICE_ENABLED) ++ if (mode == THERMAL_DEVICE_ENABLED) { + tz->polling_delay = data->polling_delay; +- else ++ tz->passive_delay = data->passive_delay; ++ } else { + tz->polling_delay = 0; ++ tz->passive_delay = 0; ++ } + + mutex_unlock(&tz->lock); +