From: Greg Kroah-Hartman
Date: Sat, 28 Jul 2018 10:27:37 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v4.17.12~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7b5d3fc4122aacc991bdff3990f7f8ff1323081;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch
	alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch
	alsa-fm801-add-error-handling-for-snd_ctl_add.patch
	alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch
	alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch
	asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch
	ath-add-regulatory-mapping-for-apl13_world.patch
	ath-add-regulatory-mapping-for-apl2_fcca.patch
	ath-add-regulatory-mapping-for-bahamas.patch
	ath-add-regulatory-mapping-for-bermuda.patch
	ath-add-regulatory-mapping-for-etsi8_world.patch
	ath-add-regulatory-mapping-for-fcc3_etsic.patch
	ath-add-regulatory-mapping-for-serbia.patch
	ath-add-regulatory-mapping-for-tanzania.patch
	ath-add-regulatory-mapping-for-uganda.patch
	audit-allow-not-equal-op-for-audit-by-executable.patch
	bluetooth-btusb-add-a-new-realtek-8723de-id-2ff8-b011.patch
	bluetooth-hci_qca-fix-sleep-inside-atomic-section-warning.patch
	bpf-fix-references-to-free_bpf_prog_info-in-comments.patch
	brcmfmac-add-support-for-bcm43364-wireless-chipset.patch
	btrfs-add-barriers-to-btrfs_sync_log-before-log_commit_wait-wakeups.patch
	btrfs-qgroup-finish-rescan-when-hit-the-last-leaf-of-extent-tree.patch
	crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch
	crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch
	disable-loading-f2fs-module-on-page_size-4kb.patch
	dma-iommu-fix-compilation-when-config_iommu_dma.patch
	drm-add-dp-psr2-sink-enable-bit.patch
	drm-atomic-handling-the-case-when-setting-old-crtc-for-plane.patch
	drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch
	drm-radeon-fix-mode_valid-s-return-type.patch
	f2fs-fix-to-don-t-trigger-writeback-during-recovery.patch
	fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch
	hid-hid-plantronics-re-resend-update-to-map-button-for-ptt-products.patch
	hid-i2c-hid-check-if-device-is-there-before-really-probing.patch
	hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch
	infiniband-fix-a-possible-use-after-free-bug.patch
	ipconfig-correctly-initialise-ic_nameservers.patch
	iwlwifi-pcie-fix-race-in-rx-buffer-allocator.patch
	libata-fix-command-retry-decision.patch
	md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch
	media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch
	media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch
	media-saa7164-fix-driver-name-in-debug-output.patch
	media-si470x-fix-__be16-annotations.patch
	media-siano-get-rid-of-__le32-__le16-cast-warnings.patch
	media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch
	media-videobuf2-core-don-t-call-memop-finish-when-queueing.patch
	memory-tegra-apply-interrupts-mask-per-soc.patch
	memory-tegra-do-not-handle-spurious-interrupts.patch
	mfd-cros_ec-fail-early-if-we-cannot-identify-the-ec.patch
	microblaze-fix-simpleimage-format-generation.patch
	mm-slub.c-add-__printf-verification-to-slab_err.patch
	mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch
	mtd-rawnand-fsl_ifc-fix-fsl-nand-driver-to-read-all-onfi-parameter-pages.patch
	mwifiex-correct-histogram-data-with-appropriate-index.patch
	mwifiex-handle-race-during-mwifiex_usb_disconnect.patch
	netfilter-ipset-list-timing-out-entries-with-timeout-1-instead-of-zero.patch
	nfsd-fix-potential-use-after-free-in-nfsd4_decode_getdeviceinfo.patch
	pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch
	pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch
	perf-fix-invalid-bit-in-diagnostic-entry.patch
	perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch
	perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch
	pinctrl-at91-pio4-add-missing-of_node_put.patch
	powerpc-32-add-a-missing-include-header.patch
	powerpc-64s-fix-compiler-store-ordering-to-slb-shadow-area.patch
	powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch
	powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch
	powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch
	powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch
	powerpc-powermac-mark-variable-x-as-unused.patch
	rdma-mad-convert-bug_ons-to-error-flows.patch
	regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch
	rsi-fix-invalid-vdd-warning-in-mmc.patch
	rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch
	s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch
	scsi-3w-9xxx-fix-a-missing-check-bug.patch
	scsi-3w-xxxx-fix-a-missing-check-bug.patch
	scsi-megaraid-silence-a-static-checker-bug.patch
	scsi-megaraid_sas-increase-timeout-by-1-sec-for-non-raid-fastpath-ios.patch
	scsi-scsi_dh-replace-too-broad-tp9-string-with-the-exact-models.patch
	scsi-ufs-fix-exception-event-handling.patch
	thermal-exynos-fix-setting-rising_threshold-for-exynos5433.patch
	tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch
	tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch
	usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch
	usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch
	wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch
	xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch
---
diff --git a/queue-4.4/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch b/queue-4.4/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch new file mode 100644 index 00000000000..98754628322 --- /dev/null +++ b/queue-4.4/alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch
@@ -0,0 +1,35 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Zhouyang Jia +Date: Mon, 11 Jun 2018 16:18:40 +0800 +Subject: ALSA: emu10k1: add error handling for snd_ctl_add + +From: Zhouyang Jia + +[ Upstream commit 6d531e7b972cb62ded011c2dfcc2d9f72ea6c421 ] + +When snd_ctl_add fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling snd_ctl_add. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/emu10k1/emupcm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/emu10k1/emupcm.c ++++ b/sound/pci/emu10k1/emupcm.c +@@ -1850,7 +1850,9 @@ int snd_emu10k1_pcm_efx(struct snd_emu10 + if (!kctl) + return -ENOMEM; + kctl->id.device = device; +- snd_ctl_add(emu->card, kctl); ++ err = snd_ctl_add(emu->card, kctl); ++ if (err < 0) ++ return err; + + snd_pcm_lib_preallocate_pages_for_all(pcm, SNDRV_DMA_TYPE_DEV, snd_dma_pci_data(emu->pci), 64*1024, 64*1024); + diff --git a/queue-4.4/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch b/queue-4.4/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch new file mode 100644 index 00000000000..de1c45d1773 --- /dev/null +++ b/queue-4.4/alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Takashi Iwai +Date: Thu, 17 May 2018 20:02:23 +0200 +Subject: ALSA: emu10k1: Rate-limit error messages about page errors + +From: Takashi Iwai + +[ Upstream commit 11d42c81036324697d367600bfc16f6dd37636fd ] + +The error messages at sanity checks of memory pages tend to repeat too +many times once when it hits, and without the rate limit, it may flood +and become unreadable. Replace such messages with the *_ratelimited() +variant. + +Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1093027 +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/emu10k1/memory.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/pci/emu10k1/memory.c ++++ b/sound/pci/emu10k1/memory.c +@@ -237,13 +237,13 @@ __found_pages: + static int is_valid_page(struct snd_emu10k1 *emu, dma_addr_t addr) + { + if (addr & ~emu->dma_mask) { +- dev_err(emu->card->dev, ++ dev_err_ratelimited(emu->card->dev, + "max memory size is 0x%lx (addr = 0x%lx)!!\n", + emu->dma_mask, (unsigned long)addr); + return 0; + } + if (addr & (EMUPAGESIZE-1)) { +- dev_err(emu->card->dev, "page is not aligned\n"); ++ dev_err_ratelimited(emu->card->dev, "page is not aligned\n"); + return 0; + } + return 1; +@@ -334,7 +334,7 @@ snd_emu10k1_alloc_pages(struct snd_emu10 + else + addr = snd_pcm_sgbuf_get_addr(substream, ofs); + if (! is_valid_page(emu, addr)) { +- dev_err(emu->card->dev, ++ dev_err_ratelimited(emu->card->dev, + "emu: failure page = %d\n", idx); + mutex_unlock(&hdr->block_mutex); + return NULL; diff --git a/queue-4.4/alsa-fm801-add-error-handling-for-snd_ctl_add.patch b/queue-4.4/alsa-fm801-add-error-handling-for-snd_ctl_add.patch new file mode 100644 index 00000000000..d3a93c7b919 --- /dev/null +++ b/queue-4.4/alsa-fm801-add-error-handling-for-snd_ctl_add.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Zhouyang Jia +Date: Mon, 11 Jun 2018 16:04:06 +0800 +Subject: ALSA: fm801: add error handling for snd_ctl_add + +From: Zhouyang Jia + +[ Upstream commit ef1ffbe7889e99f5b5cccb41c89e5c94f50f3218 ] + +When snd_ctl_add fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling snd_ctl_add. + +Signed-off-by: Zhouyang Jia +Acked-by: Andy Shevchenko +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/fm801.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +--- a/sound/pci/fm801.c ++++ b/sound/pci/fm801.c +@@ -1050,11 +1050,19 @@ static int snd_fm801_mixer(struct fm801 + if ((err = snd_ac97_mixer(chip->ac97_bus, &ac97, &chip->ac97_sec)) < 0) + return err; + } +- for (i = 0; i < FM801_CONTROLS; i++) +- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls[i], chip)); ++ for (i = 0; i < FM801_CONTROLS; i++) { ++ err = snd_ctl_add(chip->card, ++ snd_ctl_new1(&snd_fm801_controls[i], chip)); ++ if (err < 0) ++ return err; ++ } + if (chip->multichannel) { +- for (i = 0; i < FM801_CONTROLS_MULTI; i++) +- snd_ctl_add(chip->card, snd_ctl_new1(&snd_fm801_controls_multi[i], chip)); ++ for (i = 0; i < FM801_CONTROLS_MULTI; i++) { ++ err = snd_ctl_add(chip->card, ++ snd_ctl_new1(&snd_fm801_controls_multi[i], chip)); ++ if (err < 0) ++ return err; ++ } + } + return 0; + } diff --git a/queue-4.4/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch b/queue-4.4/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch new file mode 100644 index 00000000000..db80b7b7040 --- /dev/null +++ b/queue-4.4/alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch 
@@ -0,0 +1,51 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Takashi Sakamoto +Date: Wed, 2 May 2018 22:48:16 +0900 +Subject: ALSA: hda/ca0132: fix build failure when a local macro is defined + +From: Takashi Sakamoto + +[ Upstream commit 8e142e9e628975b0dddd05cf1b095331dff6e2de ] + +DECLARE_TLV_DB_SCALE (alias of SNDRV_CTL_TLVD_DECLARE_DB_SCALE) is used but +tlv.h is not included. This causes build failure when local macro is +defined by comment-out. + +This commit fixes the bug. At the same time, the alias macro is replaced +with a destination macro added at a commit 46e860f76804 ("ALSA: rename +TLV-related macros so that they're friendly to user applications") + +Reported-by: Connor McAdams +Fixes: 44f0c9782cc6 ('ALSA: hda/ca0132: Add tuning controls') +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_ca0132.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -38,6 +38,10 @@ + /* Enable this to see controls for tuning purpose. */ + /*#define ENABLE_TUNING_CONTROLS*/ + ++#ifdef ENABLE_TUNING_CONTROLS ++#include ++#endif ++ + #define FLOAT_ZERO 0x00000000 + #define FLOAT_ONE 0x3f800000 + #define FLOAT_TWO 0x40000000 +@@ -3067,8 +3071,8 @@ static int equalizer_ctl_put(struct snd_ + return 1; + } + +-static const DECLARE_TLV_DB_SCALE(voice_focus_db_scale, 2000, 100, 0); +-static const DECLARE_TLV_DB_SCALE(eq_db_scale, -2400, 100, 0); ++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(voice_focus_db_scale, 2000, 100, 0); ++static const SNDRV_CTL_TLVD_DECLARE_DB_SCALE(eq_db_scale, -2400, 100, 0); + + static int add_tuning_control(struct hda_codec *codec, + hda_nid_t pnid, hda_nid_t nid, 
diff --git a/queue-4.4/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch b/queue-4.4/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch new file mode 100644 index 00000000000..5ff02246221 --- /dev/null +++ b/queue-4.4/alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Takashi Iwai +Date: Wed, 16 May 2018 20:07:18 +0200 +Subject: ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback + +From: Takashi Iwai + +[ Upstream commit 377a879d9832f4ba69bd6a1fc996bb4181b1e504 ] + +retire_capture_urb() may print warning messages when the given URB +doesn't align, and this may flood the system log easily. +Put the rate limit to the message for avoiding it. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1093485 +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -1300,7 +1300,7 @@ static void retire_capture_urb(struct sn + if (bytes % (runtime->sample_bits >> 3) != 0) { + int oldbytes = bytes; + bytes = frames * stride; +- dev_warn(&subs->dev->dev, ++ dev_warn_ratelimited(&subs->dev->dev, + "Corrected urb data len. %d->%d\n", + oldbytes, bytes); + } diff --git a/queue-4.4/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch b/queue-4.4/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch new file mode 100644 index 00000000000..00285ea80ad --- /dev/null +++ b/queue-4.4/asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Kai Chieh Chuang +Date: Mon, 28 May 2018 10:18:18 +0800 +Subject: ASoC: dpcm: fix BE dai not hw_free and shutdown + +From: Kai Chieh Chuang + +[ Upstream commit 9c0ac70ad24d76b873c1551e27790c7f6a815d5c ] + +In case, one BE is used by two FE1/FE2 +FE1--->BE--> + | +FE2----] +when FE1/FE2 call dpcm_be_dai_hw_free() together +the BE users will be 2 (> 1), hence cannot be hw_free +the be state will leave at, ex. SND_SOC_DPCM_STATE_STOP + +later FE1/FE2 call dpcm_be_dai_shutdown(), +will be skip due to wrong state. +leaving the BE not being hw_free and shutdown. + +The BE dai will be hw_free later when calling +dpcm_be_dai_shutdown() if still in invalid state. + +Signed-off-by: KaiChieh Chuang +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-pcm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/sound/soc/soc-pcm.c ++++ b/sound/soc/soc-pcm.c +@@ -1682,8 +1682,10 @@ int dpcm_be_dai_shutdown(struct snd_soc_ + continue; + + if ((be->dpcm[stream].state != SND_SOC_DPCM_STATE_HW_FREE) && +- (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) +- continue; ++ (be->dpcm[stream].state != SND_SOC_DPCM_STATE_OPEN)) { ++ soc_pcm_hw_free(be_substream); ++ be->dpcm[stream].state = SND_SOC_DPCM_STATE_HW_FREE; ++ } + + dev_dbg(be->dev, "ASoC: close BE %s\n", + dpcm->fe->dai_link->name); diff --git a/queue-4.4/ath-add-regulatory-mapping-for-apl13_world.patch b/queue-4.4/ath-add-regulatory-mapping-for-apl13_world.patch new file mode 100644 index 00000000000..b2f4d2d68b5 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-apl13_world.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:11:14 +0300 +Subject: ath: Add regulatory mapping for APL13_WORLD + +From: Sven Eckelmann + +[ Upstream commit 9ba8df0c52b3e6baa436374b429d3d73bd09a320 ] + +The regdomain code is used to select the correct the correct conformance +test limits (CTL) for a country. If the regdomain code isn't available and +it is still programmed in the EEPROM then it will cause an error and stop +the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this regdomain code are: + +* 2.4GHz: ETSI +* 5GHz: ETSI + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd_common.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -69,6 +69,7 @@ enum EnumRd { + APL1_ETSIC = 0x55, + APL2_ETSIC = 0x56, + APL5_WORLD = 0x58, ++ APL13_WORLD = 0x5A, + APL6_WORLD = 0x5B, + APL7_FCCA = 0x5C, + APL8_WORLD = 0x5D, +@@ -195,6 +196,7 @@ static struct reg_dmn_pair_mapping regDo + {APL3_WORLD, CTL_FCC, CTL_ETSI}, + {APL4_WORLD, CTL_FCC, CTL_ETSI}, + {APL5_WORLD, CTL_FCC, CTL_ETSI}, ++ {APL13_WORLD, CTL_ETSI, CTL_ETSI}, + {APL6_WORLD, CTL_ETSI, CTL_ETSI}, + {APL8_WORLD, CTL_ETSI, CTL_ETSI}, + {APL9_WORLD, CTL_ETSI, CTL_ETSI}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-apl2_fcca.patch b/queue-4.4/ath-add-regulatory-mapping-for-apl2_fcca.patch new file mode 100644 index 00000000000..3c315197fb8 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-apl2_fcca.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:11:05 +0300 +Subject: ath: Add regulatory mapping for APL2_FCCA + +From: Sven Eckelmann + +[ Upstream commit 4f183687e3fad3ce0e06e38976cad81bc4541990 ] + +The regdomain code is used to select the correct the correct conformance +test limits (CTL) for a country. If the regdomain code isn't available and +it is still programmed in the EEPROM then it will cause an error and stop +the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this regdomain code are: + +* 2.4GHz: FCC +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd_common.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -61,6 +61,7 @@ enum EnumRd { + MKK1_MKKA1 = 0x4A, + MKK1_MKKA2 = 0x4B, + MKK1_MKKC = 0x4C, ++ APL2_FCCA = 0x4D, + + APL3_FCCA = 0x50, + APL1_WORLD = 0x52, +@@ -193,6 +194,7 @@ static struct reg_dmn_pair_mapping regDo + {FCC1_FCCA, CTL_FCC, CTL_FCC}, + {APL1_WORLD, CTL_FCC, CTL_ETSI}, + {APL2_WORLD, CTL_FCC, CTL_ETSI}, ++ {APL2_FCCA, CTL_FCC, CTL_FCC}, + {APL3_WORLD, CTL_FCC, CTL_ETSI}, + {APL4_WORLD, CTL_FCC, CTL_ETSI}, + {APL5_WORLD, CTL_FCC, CTL_ETSI}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-bahamas.patch b/queue-4.4/ath-add-regulatory-mapping-for-bahamas.patch new file mode 100644 index 00000000000..6659e463e55 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-bahamas.patch 
@@ -0,0 +1,50 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:09:53 +0300 +Subject: ath: Add regulatory mapping for Bahamas + +From: Sven Eckelmann + +[ Upstream commit 699e2302c286a14afe7b7394151ce6c4e1790cc1 ] + +The country code is used by the ath to detect the ISO 3166-1 alpha-2 name +and to select the correct conformance test limits (CTL) for a country. If +the country isn't available and it is still programmed in the EEPROM then +it will cause an error and stop the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this country are: + +* 2.4GHz: ETSI +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.h | 1 + + drivers/net/wireless/ath/regd_common.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -68,6 +68,7 @@ enum CountryCode { + CTRY_AUSTRALIA = 36, + CTRY_AUSTRIA = 40, + CTRY_AZERBAIJAN = 31, ++ CTRY_BAHAMAS = 44, + CTRY_BAHRAIN = 48, + CTRY_BANGLADESH = 50, + CTRY_BARBADOS = 52, +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -306,6 +306,7 @@ static struct country_code_to_enum_rd al + {CTRY_AUSTRALIA2, FCC6_WORLD, "AU"}, + {CTRY_AUSTRIA, ETSI1_WORLD, "AT"}, + {CTRY_AZERBAIJAN, ETSI4_WORLD, "AZ"}, ++ {CTRY_BAHAMAS, FCC3_WORLD, "BS"}, + {CTRY_BAHRAIN, APL6_WORLD, "BH"}, + {CTRY_BANGLADESH, NULL1_WORLD, "BD"}, + {CTRY_BARBADOS, FCC2_WORLD, "BB"}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-bermuda.patch b/queue-4.4/ath-add-regulatory-mapping-for-bermuda.patch new file mode 100644 index 00000000000..af38c717b1f --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-bermuda.patch 
@@ -0,0 +1,50 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:09:59 +0300 +Subject: ath: Add regulatory mapping for Bermuda + +From: Sven Eckelmann + +[ Upstream commit 9c790f2d234f65697e3b0948adbfdf36dbe63dd7 ] + +The country code is used by the ath to detect the ISO 3166-1 alpha-2 name +and to select the correct conformance test limits (CTL) for a country. If +the country isn't available and it is still programmed in the EEPROM then +it will cause an error and stop the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this country are: + +* 2.4GHz: FCC +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.h | 1 + + drivers/net/wireless/ath/regd_common.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -74,6 +74,7 @@ enum CountryCode { + CTRY_BELARUS = 112, + CTRY_BELGIUM = 56, + CTRY_BELIZE = 84, ++ CTRY_BERMUDA = 60, + CTRY_BOLIVIA = 68, + CTRY_BOSNIA_HERZ = 70, + CTRY_BRAZIL = 76, +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -313,6 +313,7 @@ static struct country_code_to_enum_rd al + {CTRY_BELGIUM, ETSI1_WORLD, "BE"}, + {CTRY_BELGIUM2, ETSI4_WORLD, "BL"}, + {CTRY_BELIZE, APL1_ETSIC, "BZ"}, ++ {CTRY_BERMUDA, FCC3_FCCA, "BM"}, + {CTRY_BOLIVIA, APL1_ETSIC, "BO"}, + {CTRY_BOSNIA_HERZ, ETSI1_WORLD, "BA"}, + {CTRY_BRAZIL, FCC3_WORLD, "BR"}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-etsi8_world.patch b/queue-4.4/ath-add-regulatory-mapping-for-etsi8_world.patch new file mode 100644 index 00000000000..78394d568e1 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-etsi8_world.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:11:18 +0300 +Subject: ath: Add regulatory mapping for ETSI8_WORLD + +From: Sven Eckelmann + +[ Upstream commit 45faf6e096da8bb80e1ddf8c08a26a9601d9469e ] + +The regdomain code is used to select the correct the correct conformance +test limits (CTL) for a country. If the regdomain code isn't available and +it is still programmed in the EEPROM then it will cause an error and stop +the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this regdomain code are: + +* 2.4GHz: ETSI +* 5GHz: ETSI + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd_common.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -45,6 +45,7 @@ enum EnumRd { + ETSI4_ETSIC = 0x38, + ETSI5_WORLD = 0x39, + ETSI6_WORLD = 0x34, ++ ETSI8_WORLD = 0x3D, + ETSI_RESERVED = 0x33, + + MKK1_MKKA = 0x40, +@@ -181,6 +182,7 @@ static struct reg_dmn_pair_mapping regDo + {ETSI4_WORLD, CTL_ETSI, CTL_ETSI}, + {ETSI5_WORLD, CTL_ETSI, CTL_ETSI}, + {ETSI6_WORLD, CTL_ETSI, CTL_ETSI}, ++ {ETSI8_WORLD, CTL_ETSI, CTL_ETSI}, + + /* XXX: For ETSI3_ETSIA, Was NO_CTL meant for the 2 GHz band ? */ + {ETSI3_ETSIA, CTL_ETSI, CTL_ETSI}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-fcc3_etsic.patch b/queue-4.4/ath-add-regulatory-mapping-for-fcc3_etsic.patch new file mode 100644 index 00000000000..1bdc66a0d89 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-fcc3_etsic.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:11:30 +0300 +Subject: ath: Add regulatory mapping for FCC3_ETSIC + +From: Sven Eckelmann + +[ Upstream commit 01fb2994a98dc72c8818c274f7b5983d5dd885c7 ] + +The regdomain code is used to select the correct the correct conformance +test limits (CTL) for a country. If the regdomain code isn't available and +it is still programmed in the EEPROM then it will cause an error and stop +the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this regdomain code are: + +* 2.4GHz: ETSI +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd_common.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -35,6 +35,7 @@ enum EnumRd { + FRANCE_RES = 0x31, + FCC3_FCCA = 0x3A, + FCC3_WORLD = 0x3B, ++ FCC3_ETSIC = 0x3F, + + ETSI1_WORLD = 0x37, + ETSI3_ETSIA = 0x32, +@@ -168,6 +169,7 @@ static struct reg_dmn_pair_mapping regDo + {FCC2_ETSIC, CTL_FCC, CTL_ETSI}, + {FCC3_FCCA, CTL_FCC, CTL_FCC}, + {FCC3_WORLD, CTL_FCC, CTL_ETSI}, ++ {FCC3_ETSIC, CTL_FCC, CTL_ETSI}, + {FCC4_FCCA, CTL_FCC, CTL_FCC}, + {FCC5_FCCA, CTL_FCC, CTL_FCC}, + {FCC6_FCCA, CTL_FCC, CTL_FCC}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-serbia.patch b/queue-4.4/ath-add-regulatory-mapping-for-serbia.patch new file mode 100644 index 00000000000..f2ce83b8749 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-serbia.patch 
@@ -0,0 +1,50 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:10:43 +0300 +Subject: ath: Add regulatory mapping for Serbia + +From: Sven Eckelmann + +[ Upstream commit 2a3169a54bb53717928392a04fb84deb765b51f1 ] + +The country code is used by the ath to detect the ISO 3166-1 alpha-2 name +and to select the correct conformance test limits (CTL) for a country. If +the country isn't available and it is still programmed in the EEPROM then +it will cause an error and stop the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this country are: + +* 2.4GHz: ETSI +* 5GHz: ETSI + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.h | 1 + + drivers/net/wireless/ath/regd_common.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -159,6 +159,7 @@ enum CountryCode { + CTRY_ROMANIA = 642, + CTRY_RUSSIA = 643, + CTRY_SAUDI_ARABIA = 682, ++ CTRY_SERBIA = 688, + CTRY_SERBIA_MONTENEGRO = 891, + CTRY_SINGAPORE = 702, + CTRY_SLOVAKIA = 703, +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -452,6 +452,7 @@ static struct country_code_to_enum_rd al + {CTRY_ROMANIA, NULL1_WORLD, "RO"}, + {CTRY_RUSSIA, NULL1_WORLD, "RU"}, + {CTRY_SAUDI_ARABIA, NULL1_WORLD, "SA"}, ++ {CTRY_SERBIA, ETSI1_WORLD, "RS"}, + {CTRY_SERBIA_MONTENEGRO, ETSI1_WORLD, "CS"}, + {CTRY_SINGAPORE, APL6_WORLD, "SG"}, + {CTRY_SLOVAKIA, ETSI1_WORLD, "SK"}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-tanzania.patch b/queue-4.4/ath-add-regulatory-mapping-for-tanzania.patch new file mode 100644 index 00000000000..6dd307fa090 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-tanzania.patch 
@@ -0,0 +1,50 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:10:48 +0300 +Subject: ath: Add regulatory mapping for Tanzania + +From: Sven Eckelmann + +[ Upstream commit 667ddac5745fb9fddfe8f7fd2523070f50bd4442 ] + +The country code is used by the ath to detect the ISO 3166-1 alpha-2 name +and to select the correct conformance test limits (CTL) for a country. If +the country isn't available and it is still programmed in the EEPROM then +it will cause an error and stop the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this country are: + +* 2.4GHz: ETSI +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.h | 1 + + drivers/net/wireless/ath/regd_common.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -170,6 +170,7 @@ enum CountryCode { + CTRY_SWITZERLAND = 756, + CTRY_SYRIA = 760, + CTRY_TAIWAN = 158, ++ CTRY_TANZANIA = 834, + CTRY_THAILAND = 764, + CTRY_TRINIDAD_Y_TOBAGO = 780, + CTRY_TUNISIA = 788, +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -463,6 +463,7 @@ static struct country_code_to_enum_rd al + {CTRY_SWITZERLAND, ETSI1_WORLD, "CH"}, + {CTRY_SYRIA, NULL1_WORLD, "SY"}, + {CTRY_TAIWAN, APL3_FCCA, "TW"}, ++ {CTRY_TANZANIA, APL1_WORLD, "TZ"}, + {CTRY_THAILAND, FCC3_WORLD, "TH"}, + {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"}, + {CTRY_TUNISIA, ETSI3_WORLD, "TN"}, diff --git a/queue-4.4/ath-add-regulatory-mapping-for-uganda.patch b/queue-4.4/ath-add-regulatory-mapping-for-uganda.patch new file mode 100644 index 00000000000..bc433acf482 --- /dev/null +++ b/queue-4.4/ath-add-regulatory-mapping-for-uganda.patch 
@@ -0,0 +1,50 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sven Eckelmann +Date: Wed, 23 May 2018 11:10:54 +0300 +Subject: ath: Add regulatory mapping for Uganda + +From: Sven Eckelmann + +[ Upstream commit 1ea3986ad2bc72081c69f3fbc1e5e0eeb3c44f17 ] + +The country code is used by the ath to detect the ISO 3166-1 alpha-2 name +and to select the correct conformance test limits (CTL) for a country. If +the country isn't available and it is still programmed in the EEPROM then +it will cause an error and stop the initialization with: + + Invalid EEPROM contents + +The current CTL mappings for this country are: + +* 2.4GHz: ETSI +* 5GHz: FCC + +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.h | 1 + + drivers/net/wireless/ath/regd_common.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/regd.h ++++ b/drivers/net/wireless/ath/regd.h +@@ -175,6 +175,7 @@ enum CountryCode { + CTRY_TUNISIA = 788, + CTRY_TURKEY = 792, + CTRY_UAE = 784, ++ CTRY_UGANDA = 800, + CTRY_UKRAINE = 804, + CTRY_UNITED_KINGDOM = 826, + CTRY_UNITED_STATES = 840, +--- a/drivers/net/wireless/ath/regd_common.h ++++ b/drivers/net/wireless/ath/regd_common.h +@@ -467,6 +467,7 @@ static struct country_code_to_enum_rd al + {CTRY_TRINIDAD_Y_TOBAGO, FCC3_WORLD, "TT"}, + {CTRY_TUNISIA, ETSI3_WORLD, "TN"}, + {CTRY_TURKEY, ETSI3_WORLD, "TR"}, ++ {CTRY_UGANDA, FCC3_WORLD, "UG"}, + {CTRY_UKRAINE, NULL1_WORLD, "UA"}, + {CTRY_UAE, NULL1_WORLD, "AE"}, + {CTRY_UNITED_KINGDOM, ETSI1_WORLD, "GB"}, diff --git a/queue-4.4/audit-allow-not-equal-op-for-audit-by-executable.patch b/queue-4.4/audit-allow-not-equal-op-for-audit-by-executable.patch new file mode 100644 index 00000000000..383280c3542 --- /dev/null +++ b/queue-4.4/audit-allow-not-equal-op-for-audit-by-executable.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: "Ondrej Mosnáček" +Date: Mon, 9 Apr 2018 10:00:06 +0200 +Subject: audit: allow not equal op for audit by executable + +From: "Ondrej Mosnáček" + +[ Upstream commit 23bcc480dac204c7dbdf49d96b2c918ed98223c2 ] + +Current implementation of auditing by executable name only implements +the 'equal' operator. This patch extends it to also support the 'not +equal' operator. + +See: https://github.com/linux-audit/audit-kernel/issues/53 + +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Richard Guy Briggs +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditfilter.c | 2 +- + kernel/auditsc.c | 2 ++ + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/auditfilter.c ++++ b/kernel/auditfilter.c +@@ -406,7 +406,7 @@ static int audit_field_valid(struct audi + return -EINVAL; + break; + case AUDIT_EXE: +- if (f->op != Audit_equal) ++ if (f->op != Audit_not_equal && f->op != Audit_equal) + return -EINVAL; + if (entry->rule.listnr != AUDIT_FILTER_EXIT) + return -EINVAL; +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -470,6 +470,8 @@ static int audit_filter_rules(struct tas + break; + case AUDIT_EXE: + result = audit_exe_compare(tsk, rule->exe); ++ if (f->op == Audit_not_equal) ++ result = !result; + break; + case AUDIT_UID: + result = audit_uid_comparator(cred->uid, f->op, f->uid); diff --git a/queue-4.4/bluetooth-btusb-add-a-new-realtek-8723de-id-2ff8-b011.patch b/queue-4.4/bluetooth-btusb-add-a-new-realtek-8723de-id-2ff8-b011.patch new file mode 100644 index 00000000000..aa6cfcf1e4c --- /dev/null +++ b/queue-4.4/bluetooth-btusb-add-a-new-realtek-8723de-id-2ff8-b011.patch 
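Review bot: in the kernel/auditsc.c hunk, `result = !result` turns every zero return from audit_exe_compare() into a match for an Audit_not_equal rule, so the inversion is only correct if zero always means "compared and differed". The body of audit_exe_compare() is not visible here; if it can also return zero when there is nothing to compare against, a not-equal rule would match those tasks as well, and a negative return would be flattened to 0 by the negation. Either state in a comment at this case that this is the intended semantics, or separate the "could not compare" outcome before inverting.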
@@ -0,0 +1,62 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Jian-Hong Pan +Date: Mon, 21 May 2018 18:09:20 +0800 +Subject: Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011 + +From: Jian-Hong Pan + +[ Upstream commit 66d9975c5a7c40aa7e4bb0ec0b0c37ba1f190923 ] + +Without this patch we cannot turn on the Bluethooth adapter on ASUS +E406MA. + +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=2ff8 ProdID=b011 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=802.11n WLAN Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- 
a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -339,6 +339,9 @@ static const struct usb_device_id blackl + /* Additional Realtek 8723BU Bluetooth devices */ + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8723DE Bluetooth devices */ ++ { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK }, ++ + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, diff --git a/queue-4.4/bluetooth-hci_qca-fix-sleep-inside-atomic-section-warning.patch b/queue-4.4/bluetooth-hci_qca-fix-sleep-inside-atomic-section-warning.patch new file mode 100644 index 00000000000..a065ea88650 --- /dev/null +++ b/queue-4.4/bluetooth-hci_qca-fix-sleep-inside-atomic-section-warning.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Thierry Escande +Date: Tue, 29 May 2018 18:37:16 +0200 +Subject: Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning + +From: Thierry Escande + +[ Upstream commit 9960521c44a5d828f29636ceac0600603ecbddbf ] + +This patch fixes the following warning during boot: + + do not call blocking ops when !TASK_RUNNING; state=1 set at + [<(ptrval)>] qca_setup+0x194/0x750 [hci_uart] + WARNING: CPU: 2 PID: 1878 at kernel/sched/core.c:6135 + __might_sleep+0x7c/0x88 + +In qca_set_baudrate(), the current task state is set to +TASK_UNINTERRUPTIBLE before going to sleep for 300ms. It was then +restored to TASK_INTERRUPTIBLE. This patch sets the current task state +back to TASK_RUNNING instead. + +Signed-off-by: Thierry Escande +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/hci_qca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -884,7 +884,7 @@ static int qca_set_baudrate(struct hci_d + */ + set_current_state(TASK_UNINTERRUPTIBLE); + schedule_timeout(msecs_to_jiffies(BAUDRATE_SETTLE_TIMEOUT_MS)); +- set_current_state(TASK_INTERRUPTIBLE); ++ set_current_state(TASK_RUNNING); + + return 0; + } diff --git a/queue-4.4/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch b/queue-4.4/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch new file mode 100644 index 00000000000..7ff79ec6e56 --- /dev/null +++ b/queue-4.4/bpf-fix-references-to-free_bpf_prog_info-in-comments.patch 
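Review bot: in the qca_set_baudrate() hunk, the trailing set_current_state(TASK_RUNNING) is redundant, because schedule_timeout() returns with the task already in TASK_RUNNING. The open-coded set_current_state(TASK_UNINTERRUPTIBLE) / schedule_timeout() pair could be a single msleep(BAUDRATE_SETTLE_TIMEOUT_MS) or schedule_timeout_uninterruptible(msecs_to_jiffies(BAUDRATE_SETTLE_TIMEOUT_MS)), which removes the manual state handling that produced the warning in the first place.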
@@ -0,0 +1,42 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Jakub Kicinski +Date: Thu, 3 May 2018 18:37:17 -0700 +Subject: bpf: fix references to free_bpf_prog_info() in comments + +From: Jakub Kicinski + +[ Upstream commit ab7f5bf0928be2f148d000a6eaa6c0a36e74750e ] + +Comments in the verifier refer to free_bpf_prog_info() which +seems to have never existed in tree. Replace it with +free_used_maps(). + +Signed-off-by: Jakub Kicinski +Reviewed-by: Quentin Monnet +Signed-off-by: Daniel Borkmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2101,7 +2101,7 @@ static int replace_map_fd_with_map_ptr(s + /* hold the map. If the program is rejected by verifier, + * the map will be released by release_maps() or it + * will be used by the valid program until it's unloaded +- * and all maps are released in free_bpf_prog_info() ++ * and all maps are released in free_used_maps() + */ + map = bpf_map_inc(map, false); + if (IS_ERR(map)) { +@@ -2487,7 +2487,7 @@ free_log_buf: + vfree(log_buf); + if (!env->prog->aux->used_maps) + /* if we didn't copy map pointers into bpf_prog_info, release +- * them now. Otherwise free_bpf_prog_info() will release them. ++ * them now. Otherwise free_used_maps() will release them. + */ + release_maps(env); + *prog = env->prog; diff --git a/queue-4.4/brcmfmac-add-support-for-bcm43364-wireless-chipset.patch b/queue-4.4/brcmfmac-add-support-for-bcm43364-wireless-chipset.patch new file mode 100644 index 00000000000..d0b304ea972 --- /dev/null +++ b/queue-4.4/brcmfmac-add-support-for-bcm43364-wireless-chipset.patch 
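Review bot: in the second kernel/bpf/verifier.c hunk (at free_log_buf), the unchanged comment line still reads "if we didn't copy map pointers into bpf_prog_info", while the condition directly above it tests env->prog->aux->used_maps. Since the patch exists to remove stale bpf_prog_info references from these comments, that line should be reworded in the same change (for example, "into prog->aux->used_maps") so the comment matches the check it describes.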
@@ -0,0 +1,51 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sean Lanigan +Date: Fri, 4 May 2018 16:48:23 +1000 +Subject: brcmfmac: Add support for bcm43364 wireless chipset + +From: Sean Lanigan + +[ Upstream commit 9c4a121e82634aa000a702c98cd6f05b27d6e186 ] + +Add support for the BCM43364 chipset via an SDIO interface, as used in +e.g. the Murata 1FX module. + +The BCM43364 uses the same firmware as the BCM43430 (which is already +included), the only difference is the omission of Bluetooth. + +However, the SDIO_ID for the BCM43364 is 02D0:A9A4, giving it a MODALIAS +of sdio:c00v02D0dA9A4, which doesn't get recognised and hence doesn't +load the brcmfmac module. Adding the 'A9A4' ID in the appropriate place +triggers the brcmfmac driver to load, and then correctly use the +firmware file 'brcmfmac43430-sdio.bin'. + +Signed-off-by: Sean Lanigan +Acked-by: Ulf Hansson +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c | 1 + + include/linux/mmc/sdio_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/bcmsdh.c +@@ -1109,6 +1109,7 @@ static const struct sdio_device_id brcmf + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43340), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43341), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43362), ++ BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43364), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4335_4339), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_43430), + BRCMF_SDIO_DEVICE(SDIO_DEVICE_ID_BROADCOM_4345), +--- a/include/linux/mmc/sdio_ids.h ++++ b/include/linux/mmc/sdio_ids.h +@@ -33,6 +33,7 @@ + #define SDIO_DEVICE_ID_BROADCOM_43341 0xa94d + #define SDIO_DEVICE_ID_BROADCOM_4335_4339 0x4335 + #define SDIO_DEVICE_ID_BROADCOM_43362 0xa962 ++#define SDIO_DEVICE_ID_BROADCOM_43364 0xa9a4 + #define SDIO_DEVICE_ID_BROADCOM_43430 0xa9a6 + #define 
SDIO_DEVICE_ID_BROADCOM_4345 0x4345 + #define SDIO_DEVICE_ID_BROADCOM_4354 0x4354 diff --git a/queue-4.4/btrfs-add-barriers-to-btrfs_sync_log-before-log_commit_wait-wakeups.patch b/queue-4.4/btrfs-add-barriers-to-btrfs_sync_log-before-log_commit_wait-wakeups.patch new file mode 100644 index 00000000000..1c76cf07f08 --- /dev/null +++ b/queue-4.4/btrfs-add-barriers-to-btrfs_sync_log-before-log_commit_wait-wakeups.patch 
@@ -0,0 +1,97 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: David Sterba +Date: Tue, 24 Apr 2018 14:53:56 +0200 +Subject: btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups + +From: David Sterba + +[ Upstream commit 3d3a2e610ea5e7c6d4f9481ecce5d8e2d8317843 ] + +Currently the code assumes that there's an implied barrier by the +sequence of code preceding the wakeup, namely the mutex unlock. + +As Nikolay pointed out: + +I think this is wrong (not your code) but the original assumption that +the RELEASE semantics provided by mutex_unlock is sufficient. +According to memory-barriers.txt: + +Section 'LOCK ACQUISITION FUNCTIONS' states: + + (2) RELEASE operation implication: + + Memory operations issued before the RELEASE will be completed before the + RELEASE operation has completed. + + Memory operations issued after the RELEASE *may* be completed before the + RELEASE operation has completed. + +(I've bolded the may portion) + +The example given there: + +As an example, consider the following: + + *A = a; + *B = b; + ACQUIRE + *C = c; + *D = d; + RELEASE + *E = e; + *F = f; + +The following sequence of events is acceptable: + + ACQUIRE, {*F,*A}, *E, {*C,*D}, *B, RELEASE + +So if we assume that *C is modifying the flag which the waitqueue is checking, +and *E is the actual wakeup, then those accesses can be re-ordered... + +IMHO this code should be considered broken... +Signed-off-by: Greg Kroah-Hartman +--- + +To be on the safe side, add the barriers. The synchronization logic +around log using the mutexes and several other threads does not make it +easy to reason for/against the barrier. 
+ +CC: Nikolay Borisov +Link: https://lkml.kernel.org/r/6ee068d8-1a69-3728-00d1-d86293d43c9f@suse.com +Reviewed-by: Nikolay Borisov +Signed-off-by: David Sterba + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/tree-log.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/tree-log.c ++++ b/fs/btrfs/tree-log.c +@@ -2961,8 +2961,11 @@ out_wake_log_root: + mutex_unlock(&log_root_tree->log_mutex); + + /* +- * The barrier before waitqueue_active is implied by mutex_unlock ++ * The barrier before waitqueue_active is needed so all the updates ++ * above are seen by the woken threads. It might not be necessary, but ++ * proving that seems to be hard. + */ ++ smp_mb(); + if (waitqueue_active(&log_root_tree->log_commit_wait[index2])) + wake_up(&log_root_tree->log_commit_wait[index2]); + out: +@@ -2973,8 +2976,11 @@ out: + mutex_unlock(&root->log_mutex); + + /* +- * The barrier before waitqueue_active is implied by mutex_unlock ++ * The barrier before waitqueue_active is needed so all the updates ++ * above are seen by the woken threads. It might not be necessary, but ++ * proving that seems to be hard. + */ ++ smp_mb(); + if (waitqueue_active(&root->log_commit_wait[index1])) + wake_up(&root->log_commit_wait[index1]); + return ret; diff --git a/queue-4.4/btrfs-qgroup-finish-rescan-when-hit-the-last-leaf-of-extent-tree.patch b/queue-4.4/btrfs-qgroup-finish-rescan-when-hit-the-last-leaf-of-extent-tree.patch new file mode 100644 index 00000000000..d191356b816 --- /dev/null +++ b/queue-4.4/btrfs-qgroup-finish-rescan-when-hit-the-last-leaf-of-extent-tree.patch 
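Review bot: the comment added above smp_mb() in both fs/btrfs/tree-log.c hunks says the barrier "might not be necessary" but does not say which stores it orders or which check on the waiter side it pairs with. Name the updates made under log_mutex that the woken threads must observe, and the waiter-side test they pair with, so the barrier can be audited later. Separately, the changelog of this queued patch carries a `Signed-off-by:` line and a `---` separator in the middle of the message, before "To be on the safe side, add the barriers"; tooling that cuts the message at the first `---` will drop the rationale and the CC/Link/Reviewed-by trailers that follow it.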
@@ -0,0 +1,110 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Qu Wenruo +Date: Mon, 14 May 2018 09:38:13 +0800 +Subject: btrfs: qgroup: Finish rescan when hit the last leaf of extent tree + +From: Qu Wenruo + +[ Upstream commit ff3d27a048d926b3920ccdb75d98788c567cae0d ] + +Under the following case, qgroup rescan can double account cowed tree +blocks: + +In this case, extent tree only has one tree block. + +- +| transid=5 last committed=4 +| btrfs_qgroup_rescan_worker() +| |- btrfs_start_transaction() +| | transid = 5 +| |- qgroup_rescan_leaf() +| |- btrfs_search_slot_for_read() on extent tree +| Get the only extent tree block from commit root (transid = 4). +| Scan it, set qgroup_rescan_progress to the last +| EXTENT/META_ITEM + 1 +| now qgroup_rescan_progress = A + 1. +| +| fs tree get CoWed, new tree block is at A + 16K +| transid 5 get committed +- +| transid=6 last committed=5 +| btrfs_qgroup_rescan_worker() +| btrfs_qgroup_rescan_worker() +| |- btrfs_start_transaction() +| | transid = 5 +| |- qgroup_rescan_leaf() +| |- btrfs_search_slot_for_read() on extent tree +| Get the only extent tree block from commit root (transid = 5). +| scan it using qgroup_rescan_progress (A + 1). +| found new tree block beyong A, and it's fs tree block, +| account it to increase qgroup numbers. +- + +In above case, tree block A, and tree block A + 16K get accounted twice, +while qgroup rescan should stop when it already reach the last leaf, +other than continue using its qgroup_rescan_progress. + +Such case could happen by just looping btrfs/017 and with some +possibility it can hit such double qgroup accounting problem. + +Fix it by checking the path to determine if we should finish qgroup +rescan, other than relying on next loop to exit. 
+ +Reported-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/qgroup.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -2186,6 +2186,21 @@ void assert_qgroups_uptodate(struct btrf + } + + /* ++ * Check if the leaf is the last leaf. Which means all node pointers ++ * are at their last position. ++ */ ++static bool is_last_leaf(struct btrfs_path *path) ++{ ++ int i; ++ ++ for (i = 1; i < BTRFS_MAX_LEVEL && path->nodes[i]; i++) { ++ if (path->slots[i] != btrfs_header_nritems(path->nodes[i]) - 1) ++ return false; ++ } ++ return true; ++} ++ ++/* + * returns < 0 on error, 0 when more leafs are to be scanned. + * returns 1 when done. + */ +@@ -2198,6 +2213,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info + struct ulist *roots = NULL; + struct seq_list tree_mod_seq_elem = SEQ_LIST_INIT(tree_mod_seq_elem); + u64 num_bytes; ++ bool done; + int slot; + int ret; + +@@ -2225,6 +2241,7 @@ qgroup_rescan_leaf(struct btrfs_fs_info + mutex_unlock(&fs_info->qgroup_rescan_lock); + return ret; + } ++ done = is_last_leaf(path); + + btrfs_item_key_to_cpu(path->nodes[0], &found, + btrfs_header_nritems(path->nodes[0]) - 1); +@@ -2271,6 +2288,8 @@ out: + } + btrfs_put_tree_mod_seq(fs_info, &tree_mod_seq_elem); + ++ if (done && !ret) ++ ret = 1; + return ret; + } + diff --git a/queue-4.4/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch b/queue-4.4/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch new file mode 100644 index 00000000000..d1383f4764f --- /dev/null +++ b/queue-4.4/crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch 
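Review bot: in qgroup_rescan_leaf(), `bool done;` is declared without an initializer and is read at the `out:` label in `if (done && !ret)`, while its only assignment, `done = is_last_leaf(path);`, sits after the search call. Initialise it to false at the declaration so that any path reaching `out:` before the assignment, now or after a later change, cannot read an indeterminate value. The comment on is_last_leaf() should also say why the loop starts at level 1, since it checks only the node slots and never the leaf slot itself.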
@@ -0,0 +1,32 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Tudor-Dan Ambarus +Date: Tue, 3 Apr 2018 09:39:00 +0300 +Subject: crypto: authenc - don't leak pointers to authenc keys + +From: Tudor-Dan Ambarus + +[ Upstream commit ad2fdcdf75d169e7a5aec6c7cb421c0bec8ec711 ] + +In crypto_authenc_setkey we save pointers to the authenc keys in +a local variable of type struct crypto_authenc_keys and we don't +zeroize it after use. Fix this and don't leak pointers to the +authenc keys. + +Signed-off-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/authenc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -108,6 +108,7 @@ static int crypto_authenc_setkey(struct + CRYPTO_TFM_RES_MASK); + + out: ++ memzero_explicit(&keys, sizeof(keys)); + return err; + + badkey: diff --git a/queue-4.4/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch b/queue-4.4/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch new file mode 100644 index 00000000000..b974ed71d5f --- /dev/null +++ b/queue-4.4/crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch 
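Review bot: in the crypto/authenc.c hunk, the memzero_explicit() is placed under `out:`, and the `badkey:` label follows the `return err;`, so the wipe only covers the bad-key path if that path jumps back to `out:`. The hunk does not show the body of `badkey:`; confirm it ends in `goto out` rather than its own return, otherwise `keys` is still left on the stack for exactly the malformed-key case.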
@@ -0,0 +1,32 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Tudor-Dan Ambarus +Date: Tue, 3 Apr 2018 09:39:01 +0300 +Subject: crypto: authencesn - don't leak pointers to authenc keys + +From: Tudor-Dan Ambarus + +[ Upstream commit 31545df391d58a3bb60e29b1192644a6f2b5a8dd ] + +In crypto_authenc_esn_setkey we save pointers to the authenc keys +in a local variable of type struct crypto_authenc_keys and we don't +zeroize it after use. Fix this and don't leak pointers to the +authenc keys. + +Signed-off-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/authencesn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -90,6 +90,7 @@ static int crypto_authenc_esn_setkey(str + CRYPTO_TFM_RES_MASK); + + out: ++ memzero_explicit(&keys, sizeof(keys)); + return err; + + badkey: diff --git a/queue-4.4/disable-loading-f2fs-module-on-page_size-4kb.patch b/queue-4.4/disable-loading-f2fs-module-on-page_size-4kb.patch new file mode 100644 index 00000000000..28d7942e790 --- /dev/null +++ b/queue-4.4/disable-loading-f2fs-module-on-page_size-4kb.patch 
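Review bot: in crypto_authenc_esn_setkey(), the wipe depends on every exit passing through `out:`, and nothing in the code says so. A one-line comment at the label, stating that `keys` holds pointers to the caller's key material and that all exits must go through `out:`, would keep a later early `return` from silently bypassing the memzero_explicit().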
@@ -0,0 +1,62 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Anatoly Pugachev +Date: Mon, 28 May 2018 02:06:37 +0300 +Subject: disable loading f2fs module on PAGE_SIZE > 4KB + +From: Anatoly Pugachev + +[ Upstream commit 4071e67cffcc5c2a007116a02437471351f550eb ] + +The following patch disables loading of f2fs module on architectures +which have PAGE_SIZE > 4096 , since it is impossible to mount f2fs on +such architectures , log messages are: + +mount: /mnt: wrong fs type, bad option, bad superblock on +/dev/vdiskb1, missing codepage or helper program, or other error. +/dev/vdiskb1: F2FS filesystem, +UUID=1d8b9ca4-2389-4910-af3b-10998969f09c, volume name "" + +May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid +page_cache_size (8192), supports only 4KB +May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Can't find valid F2FS +filesystem in 1th superblock +May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid +page_cache_size (8192), supports only 4KB +May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Can't find valid F2FS +filesystem in 2th superblock +May 15 18:03:13 ttip kernel: F2FS-fs (vdiskb1): Invalid +page_cache_size (8192), supports only 4KB + +which was introduced by git commit 5c9b469295fb6b10d98923eab5e79c4edb80ed20 + +tested on git kernel 4.17.0-rc6-00309-gec30dcf7f425 + +with patch applied: + +modprobe: ERROR: could not insert 'f2fs': Invalid argument +May 28 01:40:28 v215 kernel: F2FS not supported on PAGE_SIZE(8192) != 4096 + +Signed-off-by: Anatoly Pugachev +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -1566,6 +1566,12 @@ static int __init init_f2fs_fs(void) + { + int err; + ++ if (PAGE_SIZE != F2FS_BLKSIZE) { ++ printk("F2FS not supported on PAGE_SIZE(%lu) != %d\n", ++ PAGE_SIZE, F2FS_BLKSIZE); ++ return -EINVAL; ++ } ++ + f2fs_build_trace_ios(); + + err = 
init_inodecache(); diff --git a/queue-4.4/dma-iommu-fix-compilation-when-config_iommu_dma.patch b/queue-4.4/dma-iommu-fix-compilation-when-config_iommu_dma.patch new file mode 100644 index 00000000000..a0bef9a71ba --- /dev/null +++ b/queue-4.4/dma-iommu-fix-compilation-when-config_iommu_dma.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Marc Zyngier +Date: Tue, 8 May 2018 13:14:33 +0100 +Subject: dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA + +From: Marc Zyngier + +[ Upstream commit 8a22a3e1e768c309b718f99bd86f9f25a453e0dc ] + +Inclusion of include/dma-iommu.h when CONFIG_IOMMU_DMA is not selected +results in the following splat: + +In file included from drivers/irqchip/irq-gic-v3-mbi.c:20:0: +./include/linux/dma-iommu.h:95:69: error: unknown type name ‘dma_addr_t’ + static inline int iommu_get_msi_cookie(struct iommu_domain *domain, dma_addr_t base) + ^~~~~~~~~~ +./include/linux/dma-iommu.h:108:74: warning: ‘struct list_head’ declared inside parameter list will not be visible outside of this definition or declaration + static inline void iommu_dma_get_resv_regions(struct device *dev, struct list_head *list) + ^~~~~~~~~ +scripts/Makefile.build:312: recipe for target 'drivers/irqchip/irq-gic-v3-mbi.o' failed + +Fix it by including linux/types.h. + +Signed-off-by: Marc Zyngier +Signed-off-by: Thomas Gleixner +Cc: Rob Herring +Cc: Jason Cooper +Cc: Ard Biesheuvel +Cc: Srinivas Kandagatla +Cc: Thomas Petazzoni +Cc: Miquel Raynal +Link: https://lkml.kernel.org/r/20180508121438.11301-5-marc.zyngier@arm.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/dma-iommu.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/linux/dma-iommu.h ++++ b/include/linux/dma-iommu.h +@@ -17,6 +17,7 @@ + #define __DMA_IOMMU_H + + #ifdef __KERNEL__ ++#include + #include + + #ifdef CONFIG_IOMMU_DMA 
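Review bot: the printk() added to init_f2fs_fs() in fs/f2fs/super.c has no log level, so the only explanation for the failed module load is emitted at the default level. Since this path returns -EINVAL, use pr_err() or printk(KERN_ERR ...) so the message is classified as an error and is easy to find next to the modprobe failure quoted in the changelog.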
diff --git a/queue-4.4/drm-add-dp-psr2-sink-enable-bit.patch b/queue-4.4/drm-add-dp-psr2-sink-enable-bit.patch new file mode 100644 index 00000000000..2c86a2c734a --- /dev/null +++ b/queue-4.4/drm-add-dp-psr2-sink-enable-bit.patch @@ -0,0 +1,31 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: José Roberto de Souza +Date: Wed, 28 Mar 2018 15:30:37 -0700 +Subject: drm: Add DP PSR2 sink enable bit + +From: José Roberto de Souza + +[ Upstream commit 4f212e40468650e220c1770876c7f25b8e0c1ff5 ] + +To comply with eDP1.4a this bit should be set when enabling PSR2. + +Signed-off-by: José Roberto de Souza +Reviewed-by: Rodrigo Vivi +Signed-off-by: Rodrigo Vivi +Link: https://patchwork.freedesktop.org/patch/msgid/20180328223046.16125-1-jose.souza@intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/drm/drm_dp_helper.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/include/drm/drm_dp_helper.h ++++ b/include/drm/drm_dp_helper.h +@@ -342,6 +342,7 @@ + # define DP_PSR_FRAME_CAPTURE (1 << 3) + # define DP_PSR_SELECTIVE_UPDATE (1 << 4) + # define DP_PSR_IRQ_HPD_WITH_CRC_ERRORS (1 << 5) ++# define DP_PSR_ENABLE_PSR2 (1 << 6) /* eDP 1.4a */ + + #define DP_ADAPTER_CTRL 0x1a0 + # define DP_ADAPTER_CTRL_FORCE_LOAD_SENSE (1 << 0) diff --git a/queue-4.4/drm-atomic-handling-the-case-when-setting-old-crtc-for-plane.patch b/queue-4.4/drm-atomic-handling-the-case-when-setting-old-crtc-for-plane.patch new file mode 100644 index 00000000000..001742cdf43 --- /dev/null +++ b/queue-4.4/drm-atomic-handling-the-case-when-setting-old-crtc-for-plane.patch 
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Satendra Singh Thakur +Date: Thu, 3 May 2018 11:19:32 +0530 +Subject: drm/atomic: Handling the case when setting old crtc for plane + +From: Satendra Singh Thakur + +[ Upstream commit fc2a69f3903dfd97cd47f593e642b47918c949df ] + +In the func drm_atomic_set_crtc_for_plane, with the current code, +if crtc of the plane_state and crtc passed as argument to the func +are same, entire func will executed in vein. +It will get state of crtc and clear and set the bits in plane_mask. +All these steps are not required for same old crtc. +Ideally, we should do nothing in this case, this patch handles the same, +and causes the program to return without doing anything in such scenario. + +Signed-off-by: Satendra Singh Thakur +Cc: Madhur Verma +Cc: Hemanshu Srivastava +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/1525326572-25854-1-git-send-email-satendra.t@samsung.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_atomic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_atomic.c ++++ b/drivers/gpu/drm/drm_atomic.c +@@ -960,7 +960,9 @@ drm_atomic_set_crtc_for_plane(struct drm + { + struct drm_plane *plane = plane_state->plane; + struct drm_crtc_state *crtc_state; +- ++ /* Nothing to do for same crtc*/ ++ if (plane_state->crtc == crtc) ++ return 0; + if (plane_state->crtc) { + crtc_state = drm_atomic_get_crtc_state(plane_state->state, + plane_state->crtc); diff --git a/queue-4.4/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch b/queue-4.4/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch new file mode 100644 index 00000000000..04fa7f726b7 --- /dev/null +++ b/queue-4.4/drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch 
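Review bot: in drm_atomic_set_crtc_for_plane(), the new early return replaces the blank line that separated the declarations from the code, and the comment is missing a space before the closing `*/`. Keep the blank line after `struct drm_crtc_state *crtc_state;` and write the comment as `/* Nothing to do for same crtc */`. It is also worth stating in the comment that the check covers the case where both plane_state->crtc and crtc are NULL, since that case now returns 0 without touching plane_mask.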
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Luc Van Oostenryck +Date: Tue, 24 Apr 2018 15:14:57 +0200 +Subject: drm/gma500: fix psb_intel_lvds_mode_valid()'s return type + +From: Luc Van Oostenryck + +[ Upstream commit 2ea009095c6e7396915a1d0dd480c41f02985f79 ] + +The method struct drm_connector_helper_funcs::mode_valid is defined +as returning an 'enum drm_mode_status' but the driver implementation +for this method, psb_intel_lvds_mode_valid(), uses an 'int' for it. + +Fix this by using 'enum drm_mode_status' for psb_intel_lvds_mode_valid(). + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20180424131458.2060-1-luc.vanoostenryck@gmail.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/gma500/psb_intel_drv.h | 2 +- + drivers/gpu/drm/gma500/psb_intel_lvds.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/gma500/psb_intel_drv.h ++++ b/drivers/gpu/drm/gma500/psb_intel_drv.h +@@ -252,7 +252,7 @@ extern int intelfb_remove(struct drm_dev + extern bool psb_intel_lvds_mode_fixup(struct drm_encoder *encoder, + const struct drm_display_mode *mode, + struct drm_display_mode *adjusted_mode); +-extern int psb_intel_lvds_mode_valid(struct drm_connector *connector, ++extern enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode); + extern int psb_intel_lvds_set_property(struct drm_connector *connector, + struct drm_property *property, +--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c ++++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c +@@ -343,7 +343,7 @@ static void psb_intel_lvds_restore(struc + } + } + +-int psb_intel_lvds_mode_valid(struct drm_connector *connector, ++enum drm_mode_status psb_intel_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_psb_private *dev_priv = connector->dev->dev_private; 
diff --git a/queue-4.4/drm-radeon-fix-mode_valid-s-return-type.patch b/queue-4.4/drm-radeon-fix-mode_valid-s-return-type.patch new file mode 100644 index 00000000000..65ccf5621ff --- /dev/null +++ b/queue-4.4/drm-radeon-fix-mode_valid-s-return-type.patch 
@@ -0,0 +1,70 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Luc Van Oostenryck +Date: Tue, 24 Apr 2018 15:15:13 +0200 +Subject: drm/radeon: fix mode_valid's return type + +From: Luc Van Oostenryck + +[ Upstream commit 7a47f20eb1fb8fa8d7a8fe3a4fd8c721f04c2174 ] + +The method struct drm_connector_helper_funcs::mode_valid is defined +as returning an 'enum drm_mode_status' but the driver implementation +for this method uses an 'int' for it. + +Fix this by using 'enum drm_mode_status' in the driver too. + +Signed-off-by: Luc Van Oostenryck +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -844,7 +844,7 @@ static int radeon_lvds_get_modes(struct + return ret; + } + +-static int radeon_lvds_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_lvds_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_encoder *encoder = radeon_best_single_encoder(connector); +@@ -993,7 +993,7 @@ static int radeon_vga_get_modes(struct d + return ret; + } + +-static int radeon_vga_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_vga_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1136,7 +1136,7 @@ static int radeon_tv_get_modes(struct dr + return 1; + } + +-static int radeon_tv_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_tv_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + if ((mode->hdisplay > 1024) || (mode->vdisplay > 768)) +@@ -1477,7 +1477,7 @@ static void radeon_dvi_force(struct drm_ + radeon_connector->use_digital = true; + } + +-static int radeon_dvi_mode_valid(struct 
drm_connector *connector, ++static enum drm_mode_status radeon_dvi_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; +@@ -1778,7 +1778,7 @@ out: + return ret; + } + +-static int radeon_dp_mode_valid(struct drm_connector *connector, ++static enum drm_mode_status radeon_dp_mode_valid(struct drm_connector *connector, + struct drm_display_mode *mode) + { + struct drm_device *dev = connector->dev; diff --git a/queue-4.4/f2fs-fix-to-don-t-trigger-writeback-during-recovery.patch b/queue-4.4/f2fs-fix-to-don-t-trigger-writeback-during-recovery.patch new file mode 100644 index 00000000000..8e363622d55 --- /dev/null +++ b/queue-4.4/f2fs-fix-to-don-t-trigger-writeback-during-recovery.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Chao Yu +Date: Sat, 26 May 2018 18:03:34 +0800 +Subject: f2fs: fix to don't trigger writeback during recovery + +From: Chao Yu + +[ Upstream commit 64c74a7ab505ea40d1b3e5d02735ecab08ae1b14 ] + +- f2fs_fill_super + - recover_fsync_data + - recover_data + - del_fsync_inode + - iput + - iput_final + - write_inode_now + - f2fs_write_inode + - f2fs_balance_fs + - f2fs_balance_fs_bg + - sync_dirty_inodes + +With data_flush mount option, during recovery, in order to avoid entering +above writeback flow, let's detect recovery status and do skip in +f2fs_balance_fs_bg. + +Signed-off-by: Chao Yu +Signed-off-by: Yunlei He +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/segment.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/f2fs/segment.c ++++ b/fs/f2fs/segment.c +@@ -295,6 +295,9 @@ void f2fs_balance_fs(struct f2fs_sb_info + + void f2fs_balance_fs_bg(struct f2fs_sb_info *sbi) + { ++ if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING))) ++ return; ++ + /* try to shrink extent cache when there is no enough memory */ + if (!available_free_memory(sbi, EXTENT_CACHE)) + f2fs_shrink_extent_tree(sbi, EXTENT_CACHE_SHRINK_NUMBER); diff --git a/queue-4.4/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch b/queue-4.4/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch new file mode 100644 index 00000000000..e56b747b92d --- /dev/null +++ b/queue-4.4/fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch 
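Review bot: the SBI_POR_DOING check added at the top of f2fs_balance_fs_bg() has no comment, and the reason for it (avoiding the iput() to sync_dirty_inodes writeback chain during recovery with the data_flush mount option) exists only in the changelog. Add a short comment above the `if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING)))` line saying that background balancing is skipped while recovery is in progress and why, so the early return is not removed as dead code later.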
@@ -0,0 +1,118 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Kirill Tkhai +Date: Thu, 5 Apr 2018 14:58:06 +0300 +Subject: fasync: Fix deadlock between task-context and interrupt-context kill_fasync() + +From: Kirill Tkhai + +[ Upstream commit 7a107c0f55a3b4c6f84a4323df5610360bde1684 ] + +I observed the following deadlock between them: + +[task 1] [task 2] [task 3] +kill_fasync() mm_update_next_owner() copy_process() + spin_lock_irqsave(&fa->fa_lock) read_lock(&tasklist_lock) write_lock_irq(&tasklist_lock) + send_sigio() ... + read_lock(&fown->lock) kill_fasync() ... + read_lock(&tasklist_lock) spin_lock_irqsave(&fa->fa_lock) ... + +Task 1 can't acquire read locked tasklist_lock, since there is +already task 3 expressed its wish to take the lock exclusive. +Task 2 holds the read locked lock, but it can't take the spin lock. + +Also, there is possible another deadlock (which I haven't observed): + +[task 1] [task 2] +f_getown() kill_fasync() + read_lock(&f_own->lock) spin_lock_irqsave(&fa->fa_lock,) + send_sigio() write_lock_irq(&f_own->lock) + kill_fasync() read_lock(&fown->lock) + spin_lock_irqsave(&fa->fa_lock,) + +Actually, we do not need exclusive fa->fa_lock in kill_fasync_rcu(), +as it guarantees fa->fa_file->f_owner integrity only. It may seem, +that it used to give a task a small possibility to receive two sequential +signals, if there are two parallel kill_fasync() callers, and task +handles the first signal fastly, but the behaviour won't become +different, since there is exclusive sighand lock in do_send_sig_info(). + +The patch converts fa_lock into rwlock_t, and this fixes two above +deadlocks, as rwlock is allowed to be taken from interrupt handler +by qrwlock design. 
+ +Signed-off-by: Kirill Tkhai +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fcntl.c | 15 +++++++-------- + include/linux/fs.h | 2 +- + 2 files changed, 8 insertions(+), 9 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -587,9 +587,9 @@ int fasync_remove_entry(struct file *fil + if (fa->fa_file != filp) + continue; + +- spin_lock_irq(&fa->fa_lock); ++ write_lock_irq(&fa->fa_lock); + fa->fa_file = NULL; +- spin_unlock_irq(&fa->fa_lock); ++ write_unlock_irq(&fa->fa_lock); + + *fp = fa->fa_next; + call_rcu(&fa->fa_rcu, fasync_free_rcu); +@@ -634,13 +634,13 @@ struct fasync_struct *fasync_insert_entr + if (fa->fa_file != filp) + continue; + +- spin_lock_irq(&fa->fa_lock); ++ write_lock_irq(&fa->fa_lock); + fa->fa_fd = fd; +- spin_unlock_irq(&fa->fa_lock); ++ write_unlock_irq(&fa->fa_lock); + goto out; + } + +- spin_lock_init(&new->fa_lock); ++ rwlock_init(&new->fa_lock); + new->magic = FASYNC_MAGIC; + new->fa_file = filp; + new->fa_fd = fd; +@@ -703,14 +703,13 @@ static void kill_fasync_rcu(struct fasyn + { + while (fa) { + struct fown_struct *fown; +- unsigned long flags; + + if (fa->magic != FASYNC_MAGIC) { + printk(KERN_ERR "kill_fasync: bad magic number in " + "fasync_struct!\n"); + return; + } +- spin_lock_irqsave(&fa->fa_lock, flags); ++ read_lock(&fa->fa_lock); + if (fa->fa_file) { + fown = &fa->fa_file->f_owner; + /* Don't send SIGURG to processes which have not set a +@@ -719,7 +718,7 @@ static void kill_fasync_rcu(struct fasyn + if (!(sig == SIGURG && fown->signum == 0)) + send_sigio(fown, fa->fa_fd, band); + } +- spin_unlock_irqrestore(&fa->fa_lock, flags); ++ read_unlock(&fa->fa_lock); + fa = rcu_dereference(fa->fa_next); + } + } +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -1254,7 +1254,7 @@ static inline int locks_lock_file_wait(s + } + + struct fasync_struct { +- spinlock_t fa_lock; ++ rwlock_t fa_lock; + int magic; + int fa_fd; + struct fasync_struct *fa_next; /* singly linked list 
*/ diff --git a/queue-4.4/hid-hid-plantronics-re-resend-update-to-map-button-for-ptt-products.patch b/queue-4.4/hid-hid-plantronics-re-resend-update-to-map-button-for-ptt-products.patch new file mode 100644 index 00000000000..2c49d6f49f7 --- /dev/null +++ b/queue-4.4/hid-hid-plantronics-re-resend-update-to-map-button-for-ptt-products.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Terry Junge +Date: Mon, 30 Apr 2018 13:32:46 -0700 +Subject: HID: hid-plantronics: Re-resend Update to map button for PTT products + +From: Terry Junge + +[ Upstream commit 37e376df5f4993677c33968a0c19b0c5acbf1108 ] + +Add a mapping for Push-To-Talk joystick trigger button. + +Tested on ChromeBox/ChromeBook with various Plantronics devices. + +Signed-off-by: Terry Junge +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-plantronics.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/hid/hid-plantronics.c ++++ b/drivers/hid/hid-plantronics.c +@@ -2,7 +2,7 @@ + * Plantronics USB HID Driver + * + * Copyright (c) 2014 JD Cole +- * Copyright (c) 2015 Terry Junge ++ * Copyright (c) 2015-2018 Terry Junge + */ + + /* +@@ -48,6 +48,10 @@ static int plantronics_input_mapping(str + unsigned short mapped_key; + unsigned long plt_type = (unsigned long)hid_get_drvdata(hdev); + ++ /* special case for PTT products */ ++ if (field->application == HID_GD_JOYSTICK) ++ goto defaulted; ++ + /* handle volume up/down mapping */ + /* non-standard types or multi-HID interfaces - plt_type is PID */ + if (!(plt_type & HID_USAGE_PAGE)) { diff --git a/queue-4.4/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch b/queue-4.4/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch new file mode 100644 index 00000000000..47ff509bcda --- /dev/null +++ b/queue-4.4/hid-i2c-hid-check-if-device-is-there-before-really-probing.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Dmitry Torokhov +Date: Wed, 9 May 2018 12:12:15 -0700 +Subject: HID: i2c-hid: check if device is there before really probing + +From: Dmitry Torokhov + +[ Upstream commit b3a81b6c4fc6730ac49e20d789a93c0faabafc98 ] + +On many Chromebooks touch devices are multi-sourced; the components are +electrically compatible and one can be freely swapped for another without +changing the OS image or firmware. + +To avoid bunch of scary messages when device is not actually present in the +system let's try testing basic communication with it and if there is no +response terminate probe early with -ENXIO. + +Signed-off-by: Dmitry Torokhov +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -1017,6 +1017,14 @@ static int i2c_hid_probe(struct i2c_clie + pm_runtime_set_active(&client->dev); + pm_runtime_enable(&client->dev); + ++ /* Make sure there is something at this address */ ++ ret = i2c_smbus_read_byte(client); ++ if (ret < 0) { ++ dev_dbg(&client->dev, "nothing at this address: %d\n", ret); ++ ret = -ENXIO; ++ goto err_pm; ++ } ++ + ret = i2c_hid_fetch_hid_descriptor(ihid); + if (ret < 0) + goto err_pm; diff --git a/queue-4.4/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch b/queue-4.4/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch new file mode 100644 index 00000000000..91ddaa231b5 --- /dev/null +++ b/queue-4.4/hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Stewart Smith +Date: Thu, 29 Mar 2018 17:02:46 +1100 +Subject: hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common() + +From: Stewart Smith + +[ Upstream commit 447808bf500a7cc92173266a59f8a494e132b122 ] + +time_init() will set up tb_ticks_per_usec based on reality. +time_init() is called *after* udbg_init_opal_common() during boot. + +from arch/powerpc/kernel/time.c: + unsigned long tb_ticks_per_usec = 100; /* sane default */ + +Currently, all powernv systems have a timebase frequency of 512mhz +(512000000/1000000 == 0x200) - although there's nothing written +down anywhere that I can find saying that we couldn't make that +different based on the requirements in the ISA. + +So, we've been (accidentally) thwacking the (currently) correct +(for powernv at least) value for tb_ticks_per_usec earlier than +we otherwise would have. + +The "sane default" seems to be adequate for our purposes between +udbg_init_opal_common() and time_init() being called, and if it isn't, +then we should probably be setting it somewhere that isn't hvc_opal.c! + +Signed-off-by: Stewart Smith +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/hvc/hvc_opal.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/hvc/hvc_opal.c ++++ b/drivers/tty/hvc/hvc_opal.c +@@ -323,7 +323,6 @@ static void udbg_init_opal_common(void) + udbg_putc = udbg_opal_putc; + udbg_getc = udbg_opal_getc; + udbg_getc_poll = udbg_opal_getc_poll; +- tb_ticks_per_usec = 0x200; /* Make udelay not suck */ + } + + void __init hvc_opal_init_early(void) diff --git a/queue-4.4/infiniband-fix-a-possible-use-after-free-bug.patch b/queue-4.4/infiniband-fix-a-possible-use-after-free-bug.patch new file mode 100644 index 00000000000..ee61430cfef --- /dev/null +++ b/queue-4.4/infiniband-fix-a-possible-use-after-free-bug.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Cong Wang +Date: Fri, 1 Jun 2018 11:31:44 -0700 +Subject: infiniband: fix a possible use-after-free bug + +From: Cong Wang + +[ Upstream commit cb2595c1393b4a5211534e6f0a0fbad369e21ad8 ] + +ucma_process_join() will free the new allocated "mc" struct, +if there is any error after that, especially the copy_to_user(). + +But in parallel, ucma_leave_multicast() could find this "mc" +through idr_find() before ucma_process_join() frees it, since it +is already published. + +So "mc" could be used in ucma_leave_multicast() after it is been +allocated and freed in ucma_process_join(), since we don't refcnt +it. + +Fix this by separating "publish" from ID allocation, so that we +can get an ID first and publish it later after copy_to_user(). + +Fixes: c8f6a362bf3e ("RDMA/cma: Add multicast communication support") +Reported-by: Noam Rathaus +Signed-off-by: Cong Wang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/ucma.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/ucma.c ++++ b/drivers/infiniband/core/ucma.c +@@ -217,7 +217,7 @@ static struct ucma_multicast* ucma_alloc + return NULL; + + mutex_lock(&mut); +- mc->id = idr_alloc(&multicast_idr, mc, 0, 0, GFP_KERNEL); ++ mc->id = idr_alloc(&multicast_idr, NULL, 0, 0, GFP_KERNEL); + mutex_unlock(&mut); + if (mc->id < 0) + goto error; +@@ -1375,6 +1375,10 @@ static ssize_t ucma_process_join(struct + goto err3; + } + ++ mutex_lock(&mut); ++ idr_replace(&multicast_idr, mc, mc->id); ++ mutex_unlock(&mut); ++ + mutex_unlock(&file->mut); + ucma_put_ctx(ctx); + return 0; diff --git a/queue-4.4/ipconfig-correctly-initialise-ic_nameservers.patch b/queue-4.4/ipconfig-correctly-initialise-ic_nameservers.patch new file mode 100644 index 00000000000..d7b68aae1b9 --- /dev/null +++ b/queue-4.4/ipconfig-correctly-initialise-ic_nameservers.patch 
@@ -0,0 +1,86 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Chris Novakovic +Date: Tue, 24 Apr 2018 03:56:37 +0100 +Subject: ipconfig: Correctly initialise ic_nameservers + +From: Chris Novakovic + +[ Upstream commit 300eec7c0a2495f771709c7642aa15f7cc148b83 ] + +ic_nameservers, which stores the list of name servers discovered by +ipconfig, is initialised (i.e. has all of its elements set to NONE, or +0xffffffff) by ic_nameservers_predef() in the following scenarios: + + - before the "ip=" and "nfsaddrs=" kernel command line parameters are + parsed (in ip_auto_config_setup()); + - before autoconfiguring via DHCP or BOOTP (in ic_bootp_init()), in + order to clear any values that may have been set after parsing "ip=" + or "nfsaddrs=" and are no longer needed. + +This means that ic_nameservers_predef() is not called when neither "ip=" +nor "nfsaddrs=" is specified on the kernel command line. In this +scenario, every element in ic_nameservers remains set to 0x00000000, +which is indistinguishable from ANY and causes pnp_seq_show() to write +the following (bogus) information to /proc/net/pnp: + + #MANUAL + nameserver 0.0.0.0 + nameserver 0.0.0.0 + nameserver 0.0.0.0 + +This is potentially problematic for systems that blindly link +/etc/resolv.conf to /proc/net/pnp. + +Ensure that ic_nameservers is also initialised when neither "ip=" nor +"nfsaddrs=" are specified by calling ic_nameservers_predef() in +ip_auto_config(), but only when ip_auto_config_setup() was not called +earlier. This causes the following to be written to /proc/net/pnp, and +is consistent with what gets written when ipconfig is configured +manually but no name servers are specified on the kernel command line: + + #MANUAL + +Signed-off-by: Chris Novakovic +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ipconfig.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -790,6 +790,11 @@ static void __init ic_bootp_init_ext(u8 + */ + static inline void __init ic_bootp_init(void) + { ++ /* Re-initialise all name servers to NONE, in case any were set via the ++ * "ip=" or "nfsaddrs=" kernel command line parameters: any IP addresses ++ * specified there will already have been decoded but are no longer ++ * needed ++ */ + ic_nameservers_predef(); + + dev_add_pack(&bootp_packet_type); +@@ -1423,6 +1428,13 @@ static int __init ip_auto_config(void) + int err; + unsigned int i; + ++ /* Initialise all name servers to NONE (but only if the "ip=" or ++ * "nfsaddrs=" kernel command line parameters weren't decoded, otherwise ++ * we'll overwrite the IP addresses specified there) ++ */ ++ if (ic_set_manually == 0) ++ ic_nameservers_predef(); ++ + #ifdef CONFIG_PROC_FS + proc_create("pnp", S_IRUGO, init_net.proc_net, &pnp_seq_fops); + #endif /* CONFIG_PROC_FS */ +@@ -1640,6 +1652,7 @@ static int __init ip_auto_config_setup(c + return 1; + } + ++ /* Initialise all name servers to NONE */ + ic_nameservers_predef(); + + /* Parse string for static IP assignment. */ diff --git a/queue-4.4/iwlwifi-pcie-fix-race-in-rx-buffer-allocator.patch b/queue-4.4/iwlwifi-pcie-fix-race-in-rx-buffer-allocator.patch new file mode 100644 index 00000000000..8b73e871e66 --- /dev/null +++ b/queue-4.4/iwlwifi-pcie-fix-race-in-rx-buffer-allocator.patch 
@@ -0,0 +1,34 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Shaul Triebitz +Date: Thu, 22 Mar 2018 14:14:45 +0200 +Subject: iwlwifi: pcie: fix race in Rx buffer allocator + +From: Shaul Triebitz + +[ Upstream commit 0f22e40053bd5378ad1e3250e65c574fd61c0cd6 ] + +Make sure the rx_allocator worker is canceled before running the +rx_init routine. rx_init frees and re-allocates all rxb's pages. The +rx_allocator worker also allocates pages for the used rxb's. Running +rx_init and rx_allocator simultaniously causes a kernel panic. Fix +that by canceling the work in rx_init. + +Signed-off-by: Shaul Triebitz +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/iwlwifi/pcie/rx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/pcie/rx.c ++++ b/drivers/net/wireless/iwlwifi/pcie/rx.c +@@ -713,6 +713,8 @@ int iwl_pcie_rx_init(struct iwl_trans *t + WQ_HIGHPRI | WQ_UNBOUND, 1); + INIT_WORK(&rba->rx_alloc, iwl_pcie_rx_allocator_work); + ++ cancel_work_sync(&rba->rx_alloc); ++ + spin_lock(&rba->lock); + atomic_set(&rba->req_pending, 0); + atomic_set(&rba->req_ready, 0); diff --git a/queue-4.4/libata-fix-command-retry-decision.patch b/queue-4.4/libata-fix-command-retry-decision.patch new file mode 100644 index 00000000000..f8d8bde6696 --- /dev/null +++ b/queue-4.4/libata-fix-command-retry-decision.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Damien Le Moal +Date: Wed, 9 May 2018 09:28:12 +0900 +Subject: libata: Fix command retry decision + +From: Damien Le Moal + +[ Upstream commit 804689ad2d9b66d0d3920b48cf05881049d44589 ] + +For failed commands with valid sense data (e.g. NCQ commands), +scsi_check_sense() is used in ata_analyze_tf() to determine if the +command can be retried. In such case, rely on this decision and ignore +the command error mask based decision done in ata_worth_retry(). + +This fixes useless retries of commands such as unaligned writes on zoned +disks (TYPE_ZAC). + +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/libata-eh.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2198,12 +2198,16 @@ static void ata_eh_link_autopsy(struct a + if (qc->err_mask & ~AC_ERR_OTHER) + qc->err_mask &= ~AC_ERR_OTHER; + +- /* SENSE_VALID trumps dev/unknown error and revalidation */ ++ /* ++ * SENSE_VALID trumps dev/unknown error and revalidation. Upper ++ * layers will determine whether the command is worth retrying ++ * based on the sense data and device class/type. Otherwise, ++ * determine directly if the command is worth retrying using its ++ * error mask and flags. ++ */ + if (qc->flags & ATA_QCFLAG_SENSE_VALID) + qc->err_mask &= ~(AC_ERR_DEV | AC_ERR_OTHER); +- +- /* determine whether the command is worth retrying */ +- if (ata_eh_worth_retry(qc)) ++ else if (ata_eh_worth_retry(qc)) + qc->flags |= ATA_QCFLAG_RETRY; + + /* accumulate error info */ diff --git a/queue-4.4/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch b/queue-4.4/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch new file mode 100644 index 00000000000..97fce8dcbec --- /dev/null 
+++ b/queue-4.4/md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch 
@@ -0,0 +1,72 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Yufen Yu +Date: Fri, 4 May 2018 18:08:10 +0800 +Subject: md: fix NULL dereference of mddev->pers in remove_and_add_spares() + +From: Yufen Yu + +[ Upstream commit c42a0e2675721e1444f56e6132a07b7b1ec169ac ] + +We met NULL pointer BUG as follow: + +[ 151.760358] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060 +[ 151.761340] PGD 80000001011eb067 P4D 80000001011eb067 PUD 1011ea067 PMD 0 +[ 151.762039] Oops: 0000 [#1] SMP PTI +[ 151.762406] Modules linked in: +[ 151.762723] CPU: 2 PID: 3561 Comm: mdadm-test Kdump: loaded Not tainted 4.17.0-rc1+ #238 +[ 151.763542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014 +[ 151.764432] RIP: 0010:remove_and_add_spares.part.56+0x13c/0x3a0 +[ 151.765061] RSP: 0018:ffffc90001d7fcd8 EFLAGS: 00010246 +[ 151.765590] RAX: 0000000000000000 RBX: ffff88013601d600 RCX: 0000000000000000 +[ 151.766306] RDX: 0000000000000000 RSI: ffff88013601d600 RDI: ffff880136187000 +[ 151.767014] RBP: ffff880136187018 R08: 0000000000000003 R09: 0000000000000051 +[ 151.767728] R10: ffffc90001d7fed8 R11: 0000000000000000 R12: ffff88013601d600 +[ 151.768447] R13: ffff8801298b1300 R14: ffff880136187000 R15: 0000000000000000 +[ 151.769160] FS: 00007f2624276700(0000) GS:ffff88013ae80000(0000) knlGS:0000000000000000 +[ 151.769971] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 151.770554] CR2: 0000000000000060 CR3: 0000000111aac000 CR4: 00000000000006e0 +[ 151.771272] Call Trace: +[ 151.771542] md_ioctl+0x1df2/0x1e10 +[ 151.771906] ? __switch_to+0x129/0x440 +[ 151.772295] ? __schedule+0x244/0x850 +[ 151.772672] blkdev_ioctl+0x4bd/0x970 +[ 151.773048] block_ioctl+0x39/0x40 +[ 151.773402] do_vfs_ioctl+0xa4/0x610 +[ 151.773770] ? 
dput.part.23+0x87/0x100 +[ 151.774151] ksys_ioctl+0x70/0x80 +[ 151.774493] __x64_sys_ioctl+0x16/0x20 +[ 151.774877] do_syscall_64+0x5b/0x180 +[ 151.775258] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +For raid6, when two disk of the array are offline, two spare disks can +be added into the array. Before spare disks recovery completing, +system reboot and mdadm thinks it is ok to restart the degraded +array by md_ioctl(). Since disks in raid6 is not only_parity(), +raid5_run() will abort, when there is no PPL feature or not setting +'start_dirty_degraded' parameter. Therefore, mddev->pers is NULL. + +But, mddev->raid_disks has been set and it will not be cleared when +raid5_run abort. md_ioctl() can execute cmd 'HOT_REMOVE_DISK' to +remove a disk by mdadm, which will cause NULL pointer dereference +in remove_and_add_spares() finally. + +Signed-off-by: Yufen Yu +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -6145,6 +6145,9 @@ static int hot_remove_disk(struct mddev + struct md_rdev *rdev; + int ret = -1; + ++ if (!mddev->pers) ++ return -ENODEV; ++ + rdev = find_rdev(mddev, dev); + if (!rdev) + return -ENXIO; diff --git a/queue-4.4/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch b/queue-4.4/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch new file mode 100644 index 00000000000..d7a576f12f5 --- /dev/null +++ b/queue-4.4/media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch 
@@ -0,0 +1,57 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Suman Anna +Date: Wed, 14 Mar 2018 11:41:36 -0400 +Subject: media: omap3isp: fix unbalanced dma_iommu_mapping + +From: Suman Anna + +[ Upstream commit b7e1e6859fbf60519fd82d7120cee106a6019512 ] + +The OMAP3 ISP driver manages its MMU mappings through the IOMMU-aware +ARM DMA backend. The current code creates a dma_iommu_mapping and +attaches this to the ISP device, but never detaches the mapping in +either the probe failure paths or the driver remove path resulting +in an unbalanced mapping refcount and a memory leak. Fix this properly. + +Reported-by: Pavel Machek +Signed-off-by: Suman Anna +Tested-by: Pavel Machek +Reviewed-by: Laurent Pinchart +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/omap3isp/isp.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2077,6 +2077,7 @@ error_csiphy: + + static void isp_detach_iommu(struct isp_device *isp) + { ++ arm_iommu_detach_device(isp->dev); + arm_iommu_release_mapping(isp->mapping); + isp->mapping = NULL; + iommu_group_remove_device(isp->dev); +@@ -2110,8 +2111,7 @@ static int isp_attach_iommu(struct isp_d + mapping = arm_iommu_create_mapping(&platform_bus_type, SZ_1G, SZ_2G); + if (IS_ERR(mapping)) { + dev_err(isp->dev, "failed to create ARM IOMMU mapping\n"); +- ret = PTR_ERR(mapping); +- goto error; ++ return PTR_ERR(mapping); + } + + isp->mapping = mapping; +@@ -2126,7 +2126,8 @@ static int isp_attach_iommu(struct isp_d + return 0; + + error: +- isp_detach_iommu(isp); ++ arm_iommu_release_mapping(isp->mapping); ++ isp->mapping = NULL; + return ret; + } + 
diff --git a/queue-4.4/media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch b/queue-4.4/media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch new file mode 100644 index 00000000000..21fa5c50b55 --- /dev/null +++ b/queue-4.4/media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Wei Yongjun +Date: Tue, 12 Jul 2016 07:21:46 -0400 +Subject: media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open() + +From: Wei Yongjun + +[ Upstream commit 43d0d3c52787df0221d1c52494daabd824fe84f1 ] + +Add the missing clk_disable_unprepare() before return from +jpu_open() in the software reset error handling case. + +Signed-off-by: Wei Yongjun +Acked-by: Mikhail Ulyanov +Reviewed-by: Kieran Bingham +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/rcar_jpu.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/platform/rcar_jpu.c ++++ b/drivers/media/platform/rcar_jpu.c +@@ -1278,7 +1278,7 @@ static int jpu_open(struct file *file) + /* ...issue software reset */ + ret = jpu_reset(jpu); + if (ret) +- goto device_prepare_rollback; ++ goto jpu_reset_rollback; + } + + jpu->ref_count++; +@@ -1286,6 +1286,8 @@ static int jpu_open(struct file *file) + mutex_unlock(&jpu->mutex); + return 0; + ++jpu_reset_rollback: ++ clk_disable_unprepare(jpu->clk); + device_prepare_rollback: + mutex_unlock(&jpu->mutex); + v4l_prepare_rollback: diff --git a/queue-4.4/media-saa7164-fix-driver-name-in-debug-output.patch b/queue-4.4/media-saa7164-fix-driver-name-in-debug-output.patch new file mode 100644 index 00000000000..31ec96543aa --- /dev/null +++ b/queue-4.4/media-saa7164-fix-driver-name-in-debug-output.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Brad Love +Date: Fri, 4 May 2018 17:53:35 -0400 +Subject: media: saa7164: Fix driver name in debug output + +From: Brad Love + +[ Upstream commit 0cc4655cb57af0b7e105d075c4f83f8046efafe7 ] + +This issue was reported by a user who downloaded a corrupt saa7164 +firmware, then went looking for a valid xc5000 firmware to fix the +error displayed...but the device in question has no xc5000, thus after +much effort, the wild goose chase eventually led to a support call. + +The xc5000 has nothing to do with saa7164 (as far as I can tell), +so replace the string with saa7164 as well as give a meaningful +hint on the firmware mismatch. + +Signed-off-by: Brad Love +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/saa7164/saa7164-fw.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/pci/saa7164/saa7164-fw.c ++++ b/drivers/media/pci/saa7164/saa7164-fw.c +@@ -430,7 +430,8 @@ int saa7164_downloadfirmware(struct saa7 + __func__, fw->size); + + if (fw->size != fwlength) { +- printk(KERN_ERR "xc5000: firmware incorrect size\n"); ++ printk(KERN_ERR "saa7164: firmware incorrect size %zu != %u\n", ++ fw->size, fwlength); + ret = -ENOMEM; + goto out; + } diff --git a/queue-4.4/media-si470x-fix-__be16-annotations.patch b/queue-4.4/media-si470x-fix-__be16-annotations.patch new file mode 100644 index 00000000000..138ddbc5e55 --- /dev/null +++ b/queue-4.4/media-si470x-fix-__be16-annotations.patch 
@@ -0,0 +1,58 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mauro Carvalho Chehab +Date: Fri, 6 Apr 2018 07:54:51 -0400 +Subject: media: si470x: fix __be16 annotations + +From: Mauro Carvalho Chehab + +[ Upstream commit 90db5c829692a0a7845e977e45719b4699216bd4 ] + +The annotations there are wrong as warned: + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:107:35: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: warning: incorrect type in assignment (different base types) + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: expected unsigned short [unsigned] [short] + drivers/media/radio/si470x/radio-si470x-i2c.c:129:24: got restricted __be16 [usertype] + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + drivers/media/radio/si470x/radio-si470x-i2c.c:163:39: warning: cast to restricted __be16 + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -96,7 +96,7 @@ MODULE_PARM_DESC(max_rds_errors, "RDS ma + */ + int si470x_get_register(struct si470x_device *radio, int regnr) + { +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -121,7 +121,7 @@ int si470x_get_register(struct si470x_de + int 
si470x_set_register(struct si470x_device *radio, int regnr) + { + int i; +- u16 buf[WRITE_REG_NUM]; ++ __be16 buf[WRITE_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, +@@ -151,7 +151,7 @@ int si470x_set_register(struct si470x_de + static int si470x_get_all_registers(struct si470x_device *radio) + { + int i; +- u16 buf[READ_REG_NUM]; ++ __be16 buf[READ_REG_NUM]; + struct i2c_msg msgs[1] = { + { + .addr = radio->client->addr, diff --git a/queue-4.4/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch b/queue-4.4/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch new file mode 100644 index 00000000000..76d5cb8dd77 --- /dev/null +++ b/queue-4.4/media-siano-get-rid-of-__le32-__le16-cast-warnings.patch 
@@ -0,0 +1,108 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mauro Carvalho Chehab +Date: Fri, 20 Apr 2018 08:32:16 -0400 +Subject: media: siano: get rid of __le32/__le16 cast warnings + +From: Mauro Carvalho Chehab + +[ Upstream commit e1b7f11b37def5f3021c06e8c2b4953e099357aa ] + +Those are all false-positives that appear with smatch when building for +arm: + + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:38:36: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:47:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:67:35: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: 
warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:84:44: warning: cast to restricted __le32 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:98:26: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:99:28: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + drivers/media/common/siano/smsendian.c:100:27: warning: cast to restricted __le16 + +Get rid of them by adding explicit forced casts. 
+ +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/common/siano/smsendian.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/media/common/siano/smsendian.c ++++ b/drivers/media/common/siano/smsendian.c +@@ -35,7 +35,7 @@ void smsendian_handle_tx_message(void *b + switch (msg->x_msg_header.msg_type) { + case MSG_SMS_DATA_DOWNLOAD_REQ: + { +- msg->msg_data[0] = le32_to_cpu(msg->msg_data[0]); ++ msg->msg_data[0] = le32_to_cpu((__force __le32)(msg->msg_data[0])); + break; + } + +@@ -44,7 +44,7 @@ void smsendian_handle_tx_message(void *b + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -64,7 +64,7 @@ void smsendian_handle_rx_message(void *b + { + struct sms_version_res *ver = + (struct sms_version_res *) msg; +- ver->chip_model = le16_to_cpu(ver->chip_model); ++ ver->chip_model = le16_to_cpu((__force __le16)ver->chip_model); + break; + } + +@@ -81,7 +81,7 @@ void smsendian_handle_rx_message(void *b + sizeof(struct sms_msg_hdr))/4; + + for (i = 0; i < msg_words; i++) +- msg->msg_data[i] = le32_to_cpu(msg->msg_data[i]); ++ msg->msg_data[i] = le32_to_cpu((__force __le32)msg->msg_data[i]); + + break; + } +@@ -95,9 +95,9 @@ void smsendian_handle_message_header(voi + #ifdef __BIG_ENDIAN + struct sms_msg_hdr *phdr = (struct sms_msg_hdr *)msg; + +- phdr->msg_type = le16_to_cpu(phdr->msg_type); +- phdr->msg_length = le16_to_cpu(phdr->msg_length); +- phdr->msg_flags = le16_to_cpu(phdr->msg_flags); ++ phdr->msg_type = le16_to_cpu((__force __le16)phdr->msg_type); ++ phdr->msg_length = le16_to_cpu((__force __le16)phdr->msg_length); ++ phdr->msg_flags = le16_to_cpu((__force __le16)phdr->msg_flags); + #endif /* __BIG_ENDIAN */ + } + 
EXPORT_SYMBOL_GPL(smsendian_handle_message_header); diff --git a/queue-4.4/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch b/queue-4.4/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch new file mode 100644 index 00000000000..f7cc2c68f90 --- /dev/null +++ b/queue-4.4/media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch 
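Review bot: The __force casts added in smsendian_handle_tx_message(), smsendian_handle_rx_message() and smsendian_handle_message_header() silence the checker without changing what it flags: each field is read as little-endian and the CPU-order result is written back into the same field, so the struct members carry two byte orders under one unannotated type. Declaring the wire fields as __le16/__le32, or converting into separate CPU-order variables, would keep endianness checking active for later changes to this message handling. Minor style point: the MSG_SMS_DATA_DOWNLOAD_REQ case writes "(__force __le32)(msg->msg_data[0])" with extra parentheses while the other six casts omit them; pick one form.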
@@ -0,0 +1,58 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Colin Ian King +Date: Wed, 25 Apr 2018 11:04:21 -0400 +Subject: media: smiapp: fix timeout checking in smiapp_read_nvm + +From: Colin Ian King + +[ Upstream commit 7a2148dfda8001c983f0effd9afd8a7fa58e99c4 ] + +The current code decrements the timeout counter i and the end of +each loop i is incremented, so the check for timeout will always +be false and hence the timeout mechanism is just a dead code path. +Potentially, if the RD_READY bit is not set, we could end up in +an infinite loop. + +Fix this so the timeout starts from 1000 and decrements to zero, +if at the end of the loop i is zero we have a timeout condition. + +Detected by CoverityScan, CID#1324008 ("Logically dead code") + +Fixes: ccfc97bdb5ae ("[media] smiapp: Add driver") + +Signed-off-by: Colin Ian King +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/smiapp/smiapp-core.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/smiapp/smiapp-core.c ++++ b/drivers/media/i2c/smiapp/smiapp-core.c +@@ -981,7 +981,7 @@ static int smiapp_read_nvm(struct smiapp + if (rval) + goto out; + +- for (i = 0; i < 1000; i++) { ++ for (i = 1000; i > 0; i--) { + rval = smiapp_read( + sensor, + SMIAPP_REG_U8_DATA_TRANSFER_IF_1_STATUS, &s); +@@ -992,11 +992,10 @@ static int smiapp_read_nvm(struct smiapp + if (s & SMIAPP_DATA_TRANSFER_IF_1_STATUS_RD_READY) + break; + +- if (--i == 0) { +- rval = -ETIMEDOUT; +- goto out; +- } +- ++ } ++ if (!i) { ++ rval = -ETIMEDOUT; ++ goto out; + } + + for (i = 0; i < SMIAPP_NVM_PAGE_SIZE; i++) { diff --git a/queue-4.4/media-videobuf2-core-don-t-call-memop-finish-when-queueing.patch b/queue-4.4/media-videobuf2-core-don-t-call-memop-finish-when-queueing.patch new file mode 100644 index 00000000000..fc07418f5d1 --- /dev/null 
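Review bot: In smiapp_read_nvm() the timeout is still a count of 1000 smiapp_read() calls, so the wall-clock limit depends on how long each register read takes; a jiffies deadline checked with time_before() would make the -ETIMEDOUT bound explicit. The post-loop "if (!i)" test also relies on the break leaving i non-zero, including when RD_READY is seen on the last pass with i == 1; a one-line comment saying so would keep a later edit from turning the check back into dead code.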
+++ b/queue-4.4/media-videobuf2-core-don-t-call-memop-finish-when-queueing.patch @@ -0,0 +1,42 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Hans Verkuil +Date: Mon, 21 May 2018 08:43:02 -0400 +Subject: media: videobuf2-core: don't call memop 'finish' when queueing + +From: Hans Verkuil + +[ Upstream commit 90b2da89a083e1395cb322521a42397c49ae4500 ] + +When a buffer is queued or requeued in vb2_buffer_done, then don't +call the finish memop. In this case the buffer is only returned to vb2, +not to userspace. + +Calling 'finish' here will cause an unbalance when the queue is +canceled, since the core will call the same memop again. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/videobuf2-core.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/media/v4l2-core/videobuf2-core.c ++++ b/drivers/media/v4l2-core/videobuf2-core.c +@@ -870,9 +870,12 @@ void vb2_buffer_done(struct vb2_buffer * + dprintk(4, "done processing on buffer %d, state: %d\n", + vb->index, state); + +- /* sync buffers */ +- for (plane = 0; plane < vb->num_planes; ++plane) +- call_void_memop(vb, finish, vb->planes[plane].mem_priv); ++ if (state != VB2_BUF_STATE_QUEUED && ++ state != VB2_BUF_STATE_REQUEUEING) { ++ /* sync buffers */ ++ for (plane = 0; plane < vb->num_planes; ++plane) ++ call_void_memop(vb, finish, vb->planes[plane].mem_priv); ++ } + + spin_lock_irqsave(&q->done_lock, flags); + if (state == VB2_BUF_STATE_QUEUED || diff --git a/queue-4.4/memory-tegra-apply-interrupts-mask-per-soc.patch b/queue-4.4/memory-tegra-apply-interrupts-mask-per-soc.patch new file mode 100644 index 00000000000..a6deb876c96 --- /dev/null +++ b/queue-4.4/memory-tegra-apply-interrupts-mask-per-soc.patch 
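Review bot: In vb2_buffer_done() the new guard "state != VB2_BUF_STATE_QUEUED && state != VB2_BUF_STATE_REQUEUEING" appears to mirror the test that starts a few lines later under done_lock ("if (state == VB2_BUF_STATE_QUEUED ||"), so the same decision is now written twice and can drift apart. Suggest computing it once into a local flag and using that in both places. The kept "sync buffers" comment should also say why the finish memop is skipped for these two states (the buffer goes back to vb2, not to userspace), since that is what keeps the finish calls balanced when the queue is cancelled.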
@@ -0,0 +1,161 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Dmitry Osipenko +Date: Mon, 9 Apr 2018 22:28:29 +0300 +Subject: memory: tegra: Apply interrupts mask per SoC + +From: Dmitry Osipenko + +[ Upstream commit 1c74d5c0de0c2cc29fef97a19251da2ad6f579bd ] + +Currently we are enabling handling of interrupts specific to Tegra124+ +which happen to overlap with previous generations. Let's specify +interrupts mask per SoC generation for consistency and in a preparation +of squashing of Tegra20 driver into the common one that will enable +handling of GART faults which may be undesirable by newer generations. + +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/tegra/mc.c | 21 +++------------------ + drivers/memory/tegra/mc.h | 9 +++++++++ + drivers/memory/tegra/tegra114.c | 2 ++ + drivers/memory/tegra/tegra124.c | 6 ++++++ + drivers/memory/tegra/tegra210.c | 3 +++ + drivers/memory/tegra/tegra30.c | 2 ++ + include/soc/tegra/mc.h | 2 ++ + 7 files changed, 27 insertions(+), 18 deletions(-) + +--- a/drivers/memory/tegra/mc.c ++++ b/drivers/memory/tegra/mc.c +@@ -20,14 +20,6 @@ + #include "mc.h" + + #define MC_INTSTATUS 0x000 +-#define MC_INT_DECERR_MTS (1 << 16) +-#define MC_INT_SECERR_SEC (1 << 13) +-#define MC_INT_DECERR_VPR (1 << 12) +-#define MC_INT_INVALID_APB_ASID_UPDATE (1 << 11) +-#define MC_INT_INVALID_SMMU_PAGE (1 << 10) +-#define MC_INT_ARBITRATION_EMEM (1 << 9) +-#define MC_INT_SECURITY_VIOLATION (1 << 8) +-#define MC_INT_DECERR_EMEM (1 << 6) + + #define MC_INTMASK 0x004 + +@@ -248,13 +240,11 @@ static const char *const error_names[8] + static irqreturn_t tegra_mc_irq(int irq, void *data) + { + struct tegra_mc *mc = data; +- unsigned long status, mask; ++ unsigned long status; + unsigned int bit; + + /* mask all interrupts to avoid flooding */ +- mask = mc_readl(mc, MC_INTMASK); +- status = mc_readl(mc, MC_INTSTATUS) & mask; +- ++ status = mc_readl(mc, 
MC_INTSTATUS) & mc->soc->intmask; + if (!status) + return IRQ_NONE; + +@@ -349,7 +339,6 @@ static int tegra_mc_probe(struct platfor + const struct of_device_id *match; + struct resource *res; + struct tegra_mc *mc; +- u32 value; + int err; + + match = of_match_node(tegra_mc_of_match, pdev->dev.of_node); +@@ -417,11 +406,7 @@ static int tegra_mc_probe(struct platfor + + WARN(!mc->soc->client_id_mask, "Missing client ID mask for this SoC\n"); + +- value = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | +- MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | +- MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM; +- +- mc_writel(mc, value, MC_INTMASK); ++ mc_writel(mc, mc->soc->intmask, MC_INTMASK); + + return 0; + } +--- a/drivers/memory/tegra/mc.h ++++ b/drivers/memory/tegra/mc.h +@@ -14,6 +14,15 @@ + + #include + ++#define MC_INT_DECERR_MTS (1 << 16) ++#define MC_INT_SECERR_SEC (1 << 13) ++#define MC_INT_DECERR_VPR (1 << 12) ++#define MC_INT_INVALID_APB_ASID_UPDATE (1 << 11) ++#define MC_INT_INVALID_SMMU_PAGE (1 << 10) ++#define MC_INT_ARBITRATION_EMEM (1 << 9) ++#define MC_INT_SECURITY_VIOLATION (1 << 8) ++#define MC_INT_DECERR_EMEM (1 << 6) ++ + static inline u32 mc_readl(struct tegra_mc *mc, unsigned long offset) + { + return readl(mc->regs + offset); +--- a/drivers/memory/tegra/tegra114.c ++++ b/drivers/memory/tegra/tegra114.c +@@ -930,4 +930,6 @@ const struct tegra_mc_soc tegra114_mc_so + .atom_size = 32, + .client_id_mask = 0x7f, + .smmu = &tegra114_smmu_soc, ++ .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION | ++ MC_INT_DECERR_EMEM, + }; +--- a/drivers/memory/tegra/tegra124.c ++++ b/drivers/memory/tegra/tegra124.c +@@ -1019,6 +1019,9 @@ const struct tegra_mc_soc tegra124_mc_so + .smmu = &tegra124_smmu_soc, + .emem_regs = tegra124_mc_emem_regs, + .num_emem_regs = ARRAY_SIZE(tegra124_mc_emem_regs), ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE 
| ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; + #endif /* CONFIG_ARCH_TEGRA_124_SOC */ + +@@ -1041,5 +1044,8 @@ const struct tegra_mc_soc tegra132_mc_so + .atom_size = 32, + .client_id_mask = 0x7f, + .smmu = &tegra132_smmu_soc, ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; + #endif /* CONFIG_ARCH_TEGRA_132_SOC */ +--- a/drivers/memory/tegra/tegra210.c ++++ b/drivers/memory/tegra/tegra210.c +@@ -1077,4 +1077,7 @@ const struct tegra_mc_soc tegra210_mc_so + .atom_size = 64, + .client_id_mask = 0xff, + .smmu = &tegra210_smmu_soc, ++ .intmask = MC_INT_DECERR_MTS | MC_INT_SECERR_SEC | MC_INT_DECERR_VPR | ++ MC_INT_INVALID_APB_ASID_UPDATE | MC_INT_INVALID_SMMU_PAGE | ++ MC_INT_SECURITY_VIOLATION | MC_INT_DECERR_EMEM, + }; +--- a/drivers/memory/tegra/tegra30.c ++++ b/drivers/memory/tegra/tegra30.c +@@ -952,4 +952,6 @@ const struct tegra_mc_soc tegra30_mc_soc + .atom_size = 16, + .client_id_mask = 0x7f, + .smmu = &tegra30_smmu_soc, ++ .intmask = MC_INT_INVALID_SMMU_PAGE | MC_INT_SECURITY_VIOLATION | ++ MC_INT_DECERR_EMEM, + }; +--- a/include/soc/tegra/mc.h ++++ b/include/soc/tegra/mc.h +@@ -99,6 +99,8 @@ struct tegra_mc_soc { + u8 client_id_mask; + + const struct tegra_smmu_soc *smmu; ++ ++ u32 intmask; + }; + + struct tegra_mc { diff --git a/queue-4.4/memory-tegra-do-not-handle-spurious-interrupts.patch b/queue-4.4/memory-tegra-do-not-handle-spurious-interrupts.patch new file mode 100644 index 00000000000..2f04a0ae44d --- /dev/null +++ b/queue-4.4/memory-tegra-do-not-handle-spurious-interrupts.patch 
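Review bot: tegra_mc_probe() now writes mc->soc->intmask to MC_INTMASK with no check that the field was filled in. A tegra_mc_soc entry that omits .intmask would write 0 and leave every memory-controller interrupt disabled, MC_INT_SECURITY_VIOLATION and MC_INT_DECERR_EMEM included, without any message. The context line just above already does "WARN(!mc->soc->client_id_mask, ...)"; an equivalent WARN for intmask would catch the omission. Also in tegra_mc_irq(), the comment "mask all interrupts to avoid flooding" now sits over a line that only filters the status word and should be reworded.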
@@ -0,0 +1,37 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Dmitry Osipenko +Date: Mon, 9 Apr 2018 22:28:27 +0300 +Subject: memory: tegra: Do not handle spurious interrupts + +From: Dmitry Osipenko + +[ Upstream commit bf3fbdfbec947cdd04b2f2c4bce11534c8786eee ] + +The ISR reads interrupts-enable mask, but doesn't utilize it. Apply the +mask to the interrupt status and don't handle interrupts that MC driver +haven't asked for. Kernel would disable spurious MC IRQ and report the +error. This would happen only in a case of a very severe bug. + +Signed-off-by: Dmitry Osipenko +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/memory/tegra/mc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/memory/tegra/mc.c ++++ b/drivers/memory/tegra/mc.c +@@ -252,8 +252,11 @@ static irqreturn_t tegra_mc_irq(int irq, + unsigned int bit; + + /* mask all interrupts to avoid flooding */ +- status = mc_readl(mc, MC_INTSTATUS); + mask = mc_readl(mc, MC_INTMASK); ++ status = mc_readl(mc, MC_INTSTATUS) & mask; ++ ++ if (!status) ++ return IRQ_NONE; + + for_each_set_bit(bit, &status, 32) { + const char *error = status_names[bit] ?: "unknown"; diff --git a/queue-4.4/mfd-cros_ec-fail-early-if-we-cannot-identify-the-ec.patch b/queue-4.4/mfd-cros_ec-fail-early-if-we-cannot-identify-the-ec.patch new file mode 100644 index 00000000000..8092c62fda4 --- /dev/null +++ b/queue-4.4/mfd-cros_ec-fail-early-if-we-cannot-identify-the-ec.patch 
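Review bot: The sibling patch in this queue, memory-tegra-apply-interrupts-mask-per-soc.patch, removes the "mask = mc_readl(mc, MC_INTMASK);" and "status = mc_readl(mc, MC_INTSTATUS) & mask;" lines that this hunk in tegra_mc_irq() adds, so it only applies on top of this one. The diff lists the two files alphabetically, which is the reverse of that order, so check the ordering in the series file. In the hunk itself, the retained comment "mask all interrupts to avoid flooding" does not describe the code beneath it, which reads the enable mask and filters the status with it.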
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Vincent Palatin +Date: Wed, 18 Apr 2018 12:23:58 +0200 +Subject: mfd: cros_ec: Fail early if we cannot identify the EC + +From: Vincent Palatin + +[ Upstream commit 0dbbf25561b29ffab5ba6277429760abdf49ceff ] + +If we cannot communicate with the EC chip to detect the protocol version +and its features, it's very likely useless to continue. Else we will +commit all kind of uninformed mistakes (using the wrong protocol, the +wrong buffer size, mixing the EC with other chips). + +Signed-off-by: Vincent Palatin +Acked-by: Benson Leung +Signed-off-by: Enric Balletbo i Serra +Reviewed-by: Gwendal Grignou +Reviewed-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/cros_ec.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/mfd/cros_ec.c ++++ b/drivers/mfd/cros_ec.c +@@ -68,7 +68,11 @@ int cros_ec_register(struct cros_ec_devi + + mutex_init(&ec_dev->lock); + +- cros_ec_query_all(ec_dev); ++ err = cros_ec_query_all(ec_dev); ++ if (err) { ++ dev_err(dev, "Cannot identify the EC: error %d\n", err); ++ return err; ++ } + + err = mfd_add_devices(ec_dev->dev, PLATFORM_DEVID_AUTO, &ec_cell, 1, + NULL, ec_dev->irq, NULL); diff --git a/queue-4.4/microblaze-fix-simpleimage-format-generation.patch b/queue-4.4/microblaze-fix-simpleimage-format-generation.patch new file mode 100644 index 00000000000..907a3b02525 --- /dev/null +++ b/queue-4.4/microblaze-fix-simpleimage-format-generation.patch 
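Review bot: The new dev_err() call in cros_ec_register() uses a local "dev", while the mfd_add_devices() context line right below uses ec_dev->dev, and no declaration of "dev" is visible in the hunk. For a 4.4 backport, confirm that "dev" exists in this version of the function, or use ec_dev->dev in the message. The early "return err" also needs a check that nothing set up earlier in the function, outside the visible lines, has to be undone on this path.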
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Michal Simek +Date: Tue, 10 Apr 2018 15:05:42 +0200 +Subject: microblaze: Fix simpleImage format generation + +From: Michal Simek + +[ Upstream commit ece97f3a5fb50cf5f98886fbc63c9665f2bb199d ] + +simpleImage generation was broken for some time. This patch is fixing +steps how simpleImage.*.ub file is generated. Steps are objdump of +vmlinux and create .ub. +Also make sure that there is striped elf version with .strip suffix. + +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/microblaze/boot/Makefile | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/arch/microblaze/boot/Makefile ++++ b/arch/microblaze/boot/Makefile +@@ -21,17 +21,19 @@ $(obj)/linux.bin.gz: $(obj)/linux.bin FO + quiet_cmd_cp = CP $< $@$2 + cmd_cp = cat $< >$@$2 || (rm -f $@ && echo false) + +-quiet_cmd_strip = STRIP $@ ++quiet_cmd_strip = STRIP $< $@$2 + cmd_strip = $(STRIP) -K microblaze_start -K _end -K __log_buf \ +- -K _fdt_start vmlinux -o $@ ++ -K _fdt_start $< -o $@$2 + + UIMAGE_LOADADDR = $(CONFIG_KERNEL_BASE_ADDR) ++UIMAGE_IN = $@ ++UIMAGE_OUT = $@.ub + + $(obj)/simpleImage.%: vmlinux FORCE + $(call if_changed,cp,.unstrip) + $(call if_changed,objcopy) + $(call if_changed,uimage) +- $(call if_changed,strip) +- @echo 'Kernel: $@ is ready' ' (#'`cat .version`')' ++ $(call if_changed,strip,.strip) ++ @echo 'Kernel: $(UIMAGE_OUT) is ready' ' (#'`cat .version`')' + + clean-files += simpleImage.*.unstrip linux.bin.ub dts/*.dtb diff --git a/queue-4.4/mm-slub.c-add-__printf-verification-to-slab_err.patch b/queue-4.4/mm-slub.c-add-__printf-verification-to-slab_err.patch new file mode 100644 index 00000000000..d322704d5b0 --- /dev/null +++ b/queue-4.4/mm-slub.c-add-__printf-verification-to-slab_err.patch 
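Review bot: The rule for $(obj)/simpleImage.% now produces two more outputs, $@.strip from "$(call if_changed,strip,.strip)" and $@.ub through UIMAGE_OUT, but the clean-files context line still lists only "simpleImage.*.unstrip linux.bin.ub dts/*.dtb". Suggest adding simpleImage.*.strip and simpleImage.*.ub there so that make clean removes them.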
@@ -0,0 +1,40 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mathieu Malaterre +Date: Thu, 7 Jun 2018 17:05:17 -0700 +Subject: mm/slub.c: add __printf verification to slab_err() + +From: Mathieu Malaterre + +[ Upstream commit a38965bf941b7c2af50de09c96bc5f03e136caef ] + +__printf is useful to verify format and arguments. Remove the following +warning (with W=1): + + mm/slub.c:721:2: warning: function might be possible candidate for `gnu_printf' format attribute [-Wsuggest-attribute=format] + +Link: http://lkml.kernel.org/r/20180505200706.19986-1-malat@debian.org +Signed-off-by: Mathieu Malaterre +Reviewed-by: Andrew Morton +Cc: Christoph Lameter +Cc: Pekka Enberg +Cc: David Rientjes +Cc: Joonsoo Kim +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/slub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slub.c ++++ b/mm/slub.c +@@ -659,7 +659,7 @@ void object_err(struct kmem_cache *s, st + print_trailer(s, page, object); + } + +-static void slab_err(struct kmem_cache *s, struct page *page, ++static __printf(3, 4) void slab_err(struct kmem_cache *s, struct page *page, + const char *fmt, ...) + { + va_list args; diff --git a/queue-4.4/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch b/queue-4.4/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch new file mode 100644 index 00000000000..69afa6bb3a5 --- /dev/null +++ b/queue-4.4/mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch 
@@ -0,0 +1,64 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Chintan Pandya +Date: Thu, 7 Jun 2018 17:06:50 -0700 +Subject: mm: vmalloc: avoid racy handling of debugobjects in vunmap + +From: Chintan Pandya + +[ Upstream commit f3c01d2f3ade6790db67f80fef60df84424f8964 ] + +Currently, __vunmap flow is, + 1) Release the VM area + 2) Free the debug objects corresponding to that vm area. + +This leave some race window open. + 1) Release the VM area + 1.5) Some other client gets the same vm area + 1.6) This client allocates new debug objects on the same + vm area + 2) Free the debug objects corresponding to this vm area. + +Here, we actually free 'other' client's debug objects. + +Fix this by freeing the debug objects first and then releasing the VM +area. + +Link: http://lkml.kernel.org/r/1523961828-9485-2-git-send-email-cpandya@codeaurora.org +Signed-off-by: Chintan Pandya +Reviewed-by: Andrew Morton +Cc: Ard Biesheuvel +Cc: Byungchul Park +Cc: Catalin Marinas +Cc: Florian Fainelli +Cc: Johannes Weiner +Cc: Laura Abbott +Cc: Vlastimil Babka +Cc: Wei Yang +Cc: Yisheng Xie +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/vmalloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -1460,7 +1460,7 @@ static void __vunmap(const void *addr, i + addr)) + return; + +- area = remove_vm_area(addr); ++ area = find_vmap_area((unsigned long)addr)->vm; + if (unlikely(!area)) { + WARN(1, KERN_ERR "Trying to vfree() nonexistent vm area (%p)\n", + addr); +@@ -1470,6 +1470,7 @@ static void __vunmap(const void *addr, i + debug_check_no_locks_freed(addr, get_vm_area_size(area)); + debug_check_no_obj_freed(addr, get_vm_area_size(area)); + ++ remove_vm_area(addr); + if (deallocate_pages) { + int i; + 
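Review bot: In __vunmap(), "area = find_vmap_area((unsigned long)addr)->vm;" dereferences the lookup result before anything tests it. When addr has no mapping, find_vmap_area() returns NULL and the ->vm load faults before control reaches the "if (unlikely(!area))" branch and its "Trying to vfree() nonexistent vm area" warning, so a bad vfree()/vunmap() address turns from a WARN into a NULL pointer dereference. Test the returned vmap_area for NULL before taking ->vm. The later "remove_vm_area(addr);" also discards its return value; a short comment that the area was already looked up above would explain why.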
diff --git a/queue-4.4/mtd-rawnand-fsl_ifc-fix-fsl-nand-driver-to-read-all-onfi-parameter-pages.patch b/queue-4.4/mtd-rawnand-fsl_ifc-fix-fsl-nand-driver-to-read-all-onfi-parameter-pages.patch new file mode 100644 index 00000000000..a3d4397aaa5 --- /dev/null +++ b/queue-4.4/mtd-rawnand-fsl_ifc-fix-fsl-nand-driver-to-read-all-onfi-parameter-pages.patch 
@@ -0,0 +1,57 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Jane Wan +Date: Tue, 8 May 2018 14:19:53 -0700 +Subject: mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages + +From: Jane Wan + +[ Upstream commit a75bbe71a27875fdc61cde1af6d799037cef6bed ] + +Per ONFI specification (Rev. 4.0), if the CRC of the first parameter page +read is not valid, the host should read redundant parameter page copies. +Fix FSL NAND driver to read the two redundant copies which are mandatory +in the specification. + +Signed-off-by: Jane Wan +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/fsl_ifc_nand.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/mtd/nand/fsl_ifc_nand.c ++++ b/drivers/mtd/nand/fsl_ifc_nand.c +@@ -449,9 +449,16 @@ static void fsl_ifc_cmdfunc(struct mtd_i + + case NAND_CMD_READID: + case NAND_CMD_PARAM: { ++ /* ++ * For READID, read 8 bytes that are currently used. ++ * For PARAM, read all 3 copies of 256-bytes pages. ++ */ ++ int len = 8; + int timing = IFC_FIR_OP_RB; +- if (command == NAND_CMD_PARAM) ++ if (command == NAND_CMD_PARAM) { + timing = IFC_FIR_OP_RBCD; ++ len = 256 * 3; ++ } + + ifc_out32((IFC_FIR_OP_CW0 << IFC_NAND_FIR0_OP0_SHIFT) | + (IFC_FIR_OP_UA << IFC_NAND_FIR0_OP1_SHIFT) | +@@ -461,12 +468,8 @@ static void fsl_ifc_cmdfunc(struct mtd_i + &ifc->ifc_nand.nand_fcr0); + ifc_out32(column, &ifc->ifc_nand.row3); + +- /* +- * although currently it's 8 bytes for READID, we always read +- * the maximum 256 bytes(for PARAM) +- */ +- ifc_out32(256, &ifc->ifc_nand.nand_fbcr); +- ifc_nand_ctrl->read_bytes = 256; ++ ifc_out32(len, &ifc->ifc_nand.nand_fbcr); ++ ifc_nand_ctrl->read_bytes = len; + + set_addr(mtd, 0, 0, 0); + fsl_ifc_run_command(mtd); 
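Review bot: Besides raising the NAND_CMD_PARAM read to "256 * 3", this hunk in fsl_ifc_cmdfunc() lowers the NAND_CMD_READID transfer from 256 bytes to 8, which the subject line does not mention; confirm that no caller consumes more than 8 ID bytes and note the change in the changelog. The literals 8 and "256 * 3" would read better as named constants, and since read_bytes grows to 768, the receiving buffer, which is outside the visible lines, needs to be at least that large.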
diff --git a/queue-4.4/mwifiex-correct-histogram-data-with-appropriate-index.patch b/queue-4.4/mwifiex-correct-histogram-data-with-appropriate-index.patch new file mode 100644 index 00000000000..d8f450dda07 --- /dev/null +++ b/queue-4.4/mwifiex-correct-histogram-data-with-appropriate-index.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Xinming Hu +Date: Fri, 18 May 2018 15:38:54 +0800 +Subject: mwifiex: correct histogram data with appropriate index + +From: Xinming Hu + +[ Upstream commit 30bfce0b63fa68c14ae1613eb9d259fa18644074 ] + +Correct snr/nr/rssi data index to avoid possible buffer underflow. + +Signed-off-by: Xinming Hu +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mwifiex/util.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mwifiex/util.c ++++ b/drivers/net/wireless/mwifiex/util.c +@@ -702,12 +702,14 @@ void mwifiex_hist_data_set(struct mwifie + s8 nflr) + { + struct mwifiex_histogram_data *phist_data = priv->hist_data; ++ s8 nf = -nflr; ++ s8 rssi = snr - nflr; + + atomic_inc(&phist_data->num_samples); + atomic_inc(&phist_data->rx_rate[rx_rate]); +- atomic_inc(&phist_data->snr[snr]); +- atomic_inc(&phist_data->noise_flr[128 + nflr]); +- atomic_inc(&phist_data->sig_str[nflr - snr]); ++ atomic_inc(&phist_data->snr[snr + 128]); ++ atomic_inc(&phist_data->noise_flr[nf + 128]); ++ atomic_inc(&phist_data->sig_str[rssi + 128]); + } + + /* function to reset histogram data during init/reset */ diff --git a/queue-4.4/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch b/queue-4.4/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch new file mode 100644 index 00000000000..a681650b86a --- /dev/null +++ b/queue-4.4/mwifiex-handle-race-during-mwifiex_usb_disconnect.patch 
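Review bot: In mwifiex_hist_data_set() the three rebased indices now span 0..255, so snr[], noise_flr[] and sig_str[] in struct mwifiex_histogram_data must each hold 256 counters; their sizes are not visible here and should be checked, along with any code that reads the histogram back using the old offsets. "s8 rssi = snr - nflr;" can also leave the s8 range (for example snr = 100 and nflr = -100) and wrap on assignment, which keeps the index in bounds but counts the sample in the wrong bucket; clamp the difference before storing it. "rx_rate[rx_rate]" is still indexed without a range check.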
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Ganapathi Bhat +Date: Thu, 24 May 2018 19:18:27 +0530 +Subject: mwifiex: handle race during mwifiex_usb_disconnect + +From: Ganapathi Bhat + +[ Upstream commit b817047ae70c0bd67b677b65d0d69d72cd6e9728 ] + +Race condition is observed during rmmod of mwifiex_usb: + +1. The rmmod thread will call mwifiex_usb_disconnect(), download + SHUTDOWN command and do wait_event_interruptible_timeout(), + waiting for response. + +2. The main thread will handle the response and will do a + wake_up_interruptible(), unblocking rmmod thread. + +3. On getting unblocked, rmmod thread will make rx_cmd.urb = NULL in + mwifiex_usb_free(). + +4. The main thread will try to resubmit rx_cmd.urb in + mwifiex_usb_submit_rx_urb(), which is NULL. + +To fix, wait for main thread to complete before calling +mwifiex_usb_free(). + +Signed-off-by: Ganapathi Bhat +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mwifiex/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mwifiex/usb.c ++++ b/drivers/net/wireless/mwifiex/usb.c +@@ -624,6 +624,9 @@ static void mwifiex_usb_disconnect(struc + MWIFIEX_FUNC_SHUTDOWN); + } + ++ if (adapter->workqueue) ++ flush_workqueue(adapter->workqueue); ++ + mwifiex_usb_free(card); + + mwifiex_dbg(adapter, FATAL, diff --git a/queue-4.4/netfilter-ipset-list-timing-out-entries-with-timeout-1-instead-of-zero.patch b/queue-4.4/netfilter-ipset-list-timing-out-entries-with-timeout-1-instead-of-zero.patch new file mode 100644 index 00000000000..4640131b494 --- /dev/null +++ b/queue-4.4/netfilter-ipset-list-timing-out-entries-with-timeout-1-instead-of-zero.patch 
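Review bot: flush_workqueue() in mwifiex_usb_disconnect() waits only for work that is already queued when it is called. If a URB completion or the command path can queue main-thread work again between the flush and mwifiex_usb_free(), step 4 of the race in the changelog can still occur. Suggest stopping the work sources, or setting a flag that the work function tests, before the flush, and stating in a comment which ordering this depends on.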
@@ -0,0 +1,45 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Jozsef Kadlecsik +Date: Thu, 31 May 2018 18:45:21 +0200 +Subject: netfilter: ipset: List timing out entries with "timeout 1" instead of zero + +From: Jozsef Kadlecsik + +[ Upstream commit bd975e691486ba52790ba23cc9b4fecab7bc0d31 ] + +When listing sets with timeout support, there's a probability that +just timing out entries with "0" timeout value is listed/saved. +However when restoring the saved list, the zero timeout value means +permanent elelements. + +The new behaviour is that timing out entries are listed with "timeout 1" +instead of zero. + +Fixes netfilter bugzilla #1258. + +Signed-off-by: Jozsef Kadlecsik +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/netfilter/ipset/ip_set_timeout.h | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/include/linux/netfilter/ipset/ip_set_timeout.h ++++ b/include/linux/netfilter/ipset/ip_set_timeout.h +@@ -65,8 +65,14 @@ ip_set_timeout_set(unsigned long *timeou + static inline u32 + ip_set_timeout_get(unsigned long *timeout) + { +- return *timeout == IPSET_ELEM_PERMANENT ? 0 : +- jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC; ++ u32 t; ++ ++ if (*timeout == IPSET_ELEM_PERMANENT) ++ return 0; ++ ++ t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC; ++ /* Zero value in userspace means no timeout */ ++ return t == 0 ? 1 : t; + } + + #endif /* __KERNEL__ */ diff --git a/queue-4.4/nfsd-fix-potential-use-after-free-in-nfsd4_decode_getdeviceinfo.patch b/queue-4.4/nfsd-fix-potential-use-after-free-in-nfsd4_decode_getdeviceinfo.patch new file mode 100644 index 00000000000..12d7924c084 --- /dev/null +++ b/queue-4.4/nfsd-fix-potential-use-after-free-in-nfsd4_decode_getdeviceinfo.patch 
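Review bot: ip_set_timeout_get() still computes "*timeout - jiffies" on unsigned long without checking that the deadline lies in the future. For an entry that has expired but not yet been collected, the subtraction wraps and the function reports a meaningless large timeout instead of the new minimum of 1. If callers do not already filter expired entries, guard with time_after() and return 1 in that case as well.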
@@ -0,0 +1,108 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Scott Mayhew +Date: Fri, 8 Jun 2018 16:31:46 -0400 +Subject: nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo + +From: Scott Mayhew + +[ Upstream commit 3171822fdcdd6e6d536047c425af6dc7a92dc585 ] + +When running a fuzz tester against a KASAN-enabled kernel, the following +splat periodically occurs. + +The problem occurs when the test sends a GETDEVICEINFO request with a +malformed xdr array (size but no data) for gdia_notify_types and the +array size is > 0x3fffffff, which results in an overflow in the value of +nbytes which is passed to read_buf(). + +If the array size is 0x40000000, 0x80000000, or 0xc0000000, then after +the overflow occurs, the value of nbytes 0, and when that happens the +pointer returned by read_buf() points to the end of the xdr data (i.e. +argp->end) when really it should be returning NULL. + +Fix this by returning NFS4ERR_BAD_XDR if the array size is > 1000 (this +value is arbitrary, but it's the same threshold used by +nfsd4_decode_bitmap()... in could really be any value >= 1 since it's +expected to get at most a single bitmap in gdia_notify_types). + +[ 119.256854] ================================================================== +[ 119.257611] BUG: KASAN: use-after-free in nfsd4_decode_getdeviceinfo+0x5a4/0x5b0 [nfsd] +[ 119.258422] Read of size 4 at addr ffff880113ada000 by task nfsd/538 + +[ 119.259146] CPU: 0 PID: 538 Comm: nfsd Not tainted 4.17.0+ #1 +[ 119.259662] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.3-1.fc25 04/01/2014 +[ 119.261202] Call Trace: +[ 119.262265] dump_stack+0x71/0xab +[ 119.263371] print_address_description+0x6a/0x270 +[ 119.264609] kasan_report+0x258/0x380 +[ 119.265854] ? nfsd4_decode_getdeviceinfo+0x5a4/0x5b0 [nfsd] +[ 119.267291] nfsd4_decode_getdeviceinfo+0x5a4/0x5b0 [nfsd] +[ 119.268549] ? nfs4svc_decode_compoundargs+0xa5b/0x13c0 [nfsd] +[ 119.269873] ? 
nfsd4_decode_sequence+0x490/0x490 [nfsd] +[ 119.271095] nfs4svc_decode_compoundargs+0xa5b/0x13c0 [nfsd] +[ 119.272393] ? nfsd4_release_compoundargs+0x1b0/0x1b0 [nfsd] +[ 119.273658] nfsd_dispatch+0x183/0x850 [nfsd] +[ 119.274918] svc_process+0x161c/0x31a0 [sunrpc] +[ 119.276172] ? svc_printk+0x190/0x190 [sunrpc] +[ 119.277386] ? svc_xprt_release+0x451/0x680 [sunrpc] +[ 119.278622] nfsd+0x2b9/0x430 [nfsd] +[ 119.279771] ? nfsd_destroy+0x1c0/0x1c0 [nfsd] +[ 119.281157] kthread+0x2db/0x390 +[ 119.282347] ? kthread_create_worker_on_cpu+0xc0/0xc0 +[ 119.283756] ret_from_fork+0x35/0x40 + +[ 119.286041] Allocated by task 436: +[ 119.287525] kasan_kmalloc+0xa0/0xd0 +[ 119.288685] kmem_cache_alloc+0xe9/0x1f0 +[ 119.289900] get_empty_filp+0x7b/0x410 +[ 119.291037] path_openat+0xca/0x4220 +[ 119.292242] do_filp_open+0x182/0x280 +[ 119.293411] do_sys_open+0x216/0x360 +[ 119.294555] do_syscall_64+0xa0/0x2f0 +[ 119.295721] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +[ 119.298068] Freed by task 436: +[ 119.299271] __kasan_slab_free+0x130/0x180 +[ 119.300557] kmem_cache_free+0x78/0x210 +[ 119.301823] rcu_process_callbacks+0x35b/0xbd0 +[ 119.303162] __do_softirq+0x192/0x5ea + +[ 119.305443] The buggy address belongs to the object at ffff880113ada000 + which belongs to the cache filp of size 256 +[ 119.308556] The buggy address is located 0 bytes inside of + 256-byte region [ffff880113ada000, ffff880113ada100) +[ 119.311376] The buggy address belongs to the page: +[ 119.312728] page:ffffea00044eb680 count:1 mapcount:0 mapping:0000000000000000 index:0xffff880113ada780 +[ 119.314428] flags: 0x17ffe000000100(slab) +[ 119.315740] raw: 0017ffe000000100 0000000000000000 ffff880113ada780 00000001000c0001 +[ 119.317379] raw: ffffea0004553c60 ffffea00045c11e0 ffff88011b167e00 0000000000000000 +[ 119.319050] page dumped because: kasan: bad access detected + +[ 119.321652] Memory state around the buggy address: +[ 119.322993] ffff880113ad9f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 
119.324515] ffff880113ad9f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 119.326087] >ffff880113ada000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 119.327547] ^ +[ 119.328730] ffff880113ada080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 119.330218] ffff880113ada100: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb +[ 119.331740] ================================================================== + +Signed-off-by: Scott Mayhew +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4xdr.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -1538,6 +1538,8 @@ nfsd4_decode_getdeviceinfo(struct nfsd4_ + gdev->gd_maxcount = be32_to_cpup(p++); + num = be32_to_cpup(p++); + if (num) { ++ if (num > 1000) ++ goto xdr_error; + READ_BUF(4 * num); + gdev->gd_notify_types = be32_to_cpup(p++); + for (i = 1; i < num; i++) { diff --git a/queue-4.4/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch b/queue-4.4/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch new file mode 100644 index 00000000000..3ec9b391222 --- /dev/null +++ b/queue-4.4/pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch 
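Review bot: The bound in nfsd4_decode_getdeviceinfo() is a bare 1000 with no comment, and the changelog says it duplicates the threshold in nfsd4_decode_bitmap(); a shared named constant plus a one-line comment that it keeps "4 * num" from overflowing in READ_BUF() would stop the two from diverging. The check is also local to this call site: the changelog notes that read_buf() returns a pointer to the end of the XDR data for a zero-length request where it should return NULL, and that behaviour is left unchanged, so other READ_BUF() callers that multiply a client-supplied count deserve the same audit.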
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mika Westerberg +Date: Wed, 23 May 2018 17:19:22 -0500 +Subject: PCI: pciehp: Request control of native hotplug only if supported + +From: Mika Westerberg + +[ Upstream commit 408fec36a1ab3d14273c2116b449ef1e9be3cb8b ] + +Currently we request control of native PCIe hotplug unconditionally. +Native PCIe hotplug events are handled by the pciehp driver, and if it is +not enabled those events will be lost. + +Request control of native PCIe hotplug only if the pciehp driver is +enabled, so we will actually handle native PCIe hotplug events. + +Suggested-by: Bjorn Helgaas +Signed-off-by: Mika Westerberg +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/pci_root.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -472,9 +472,11 @@ static void negotiate_os_control(struct + } + + control = OSC_PCI_EXPRESS_CAPABILITY_CONTROL +- | OSC_PCI_EXPRESS_NATIVE_HP_CONTROL + | OSC_PCI_EXPRESS_PME_CONTROL; + ++ if (IS_ENABLED(CONFIG_HOTPLUG_PCI_PCIE)) ++ control |= OSC_PCI_EXPRESS_NATIVE_HP_CONTROL; ++ + if (pci_aer_available()) { + if (aer_acpi_firmware_first()) + dev_info(&device->dev, diff --git a/queue-4.4/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch b/queue-4.4/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch new file mode 100644 index 00000000000..0d5bf068bbe --- /dev/null +++ b/queue-4.4/pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Christoph Hellwig +Date: Fri, 18 May 2018 18:56:24 +0200 +Subject: PCI: Prevent sysfs disable of device while driver is attached + +From: Christoph Hellwig + +[ Upstream commit 6f5cdfa802733dcb561bf664cc89d203f2fd958f ] + +Manipulating the enable_cnt behind the back of the driver will wreak +complete havoc with the kernel state, so disallow it. + +Signed-off-by: Christoph Hellwig +Signed-off-by: Bjorn Helgaas +Reviewed-by: Johannes Thumshirn +Acked-by: Keith Busch +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -180,13 +180,16 @@ static ssize_t enable_store(struct devic + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + +- if (!val) { +- if (pci_is_enabled(pdev)) +- pci_disable_device(pdev); +- else +- result = -EIO; +- } else ++ device_lock(dev); ++ if (dev->driver) ++ result = -EBUSY; ++ else if (val) + result = pci_enable_device(pdev); ++ else if (pci_is_enabled(pdev)) ++ pci_disable_device(pdev); ++ else ++ result = -EIO; ++ device_unlock(dev); + + return result < 0 ? result : count; + } diff --git a/queue-4.4/perf-fix-invalid-bit-in-diagnostic-entry.patch b/queue-4.4/perf-fix-invalid-bit-in-diagnostic-entry.patch new file mode 100644 index 00000000000..4f0de7864db --- /dev/null +++ b/queue-4.4/perf-fix-invalid-bit-in-diagnostic-entry.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Thomas Richter +Date: Tue, 8 May 2018 07:53:39 +0200 +Subject: perf: fix invalid bit in diagnostic entry + +From: Thomas Richter + +[ Upstream commit 3c0a83b14ea71fef5ccc93a3bd2de5f892be3194 ] + +The s390 CPU measurement facility sampling mode supports basic entries +and diagnostic entries. Each entry has a valid bit to indicate the +status of the entry as valid or invalid. + +This bit is bit 31 in the diagnostic entry, but the bit mask definition +refers to bit 30. + +Fix this by making the reserved field one bit larger. + +Fixes: 7e75fc3ff4cf ("s390/cpum_sf: Add raw data sampling to support the diagnostic-sampling function") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cpu_mf.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -113,7 +113,7 @@ struct hws_basic_entry { + + struct hws_diag_entry { + unsigned int def:16; /* 0-15 Data Entry Format */ +- unsigned int R:14; /* 16-19 and 20-30 reserved */ ++ unsigned int R:15; /* 16-19 and 20-30 reserved */ + unsigned int I:1; /* 31 entry valid or invalid */ + u8 data[]; /* Machine-dependent sample data */ + } __packed; diff --git a/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch b/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch new file mode 100644 index 00000000000..9f250c48666 --- /dev/null +++ b/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch 
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Kan Liang +Date: Thu, 3 May 2018 11:25:07 -0700 +Subject: perf/x86/intel/uncore: Correct fixed counter index check for NHM + +From: Kan Liang + +[ Upstream commit d71f11c076c420c4e2fceb4faefa144e055e0935 ] + +For Nehalem and Westmere, there is only one fixed counter for W-Box. +There is no index which is bigger than UNCORE_PMC_IDX_FIXED. +It is not correct to use >= to check fixed counter. +The code quality issue will bring problem when new counter index is +introduced. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: acme@kernel.org +Cc: eranian@google.com +Link: http://lkml.kernel.org/r/1525371913-10597-2-git-send-email-kan.liang@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore_nhmex.c +@@ -240,7 +240,7 @@ static void nhmex_uncore_msr_enable_even + { + struct hw_perf_event *hwc = &event->hw; + +- if (hwc->idx >= UNCORE_PMC_IDX_FIXED) ++ if (hwc->idx == UNCORE_PMC_IDX_FIXED) + wrmsrl(hwc->config_base, NHMEX_PMON_CTL_EN_BIT0); + else if (box->pmu->type->event_mask & NHMEX_PMON_CTL_EN_BIT0) + wrmsrl(hwc->config_base, hwc->config | NHMEX_PMON_CTL_EN_BIT22); diff --git a/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch b/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch new file mode 100644 index 00000000000..9b48347ac93 --- /dev/null +++ b/queue-4.4/perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch 
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Kan Liang +Date: Thu, 3 May 2018 11:25:08 -0700 +Subject: perf/x86/intel/uncore: Correct fixed counter index check in generic code + +From: Kan Liang + +[ Upstream commit 4749f8196452eeb73cf2086a6a9705bae479d33d ] + +There is no index which is bigger than UNCORE_PMC_IDX_FIXED. The only +exception is client IMC uncore, which has been specially handled. +For generic code, it is not correct to use >= to check fixed counter. +The code quality issue will bring problem when a new counter index is +introduced. + +Signed-off-by: Kan Liang +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Thomas Gleixner +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: acme@kernel.org +Cc: eranian@google.com +Link: http://lkml.kernel.org/r/1525371913-10597-3-git-send-email-kan.liang@intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/cpu/perf_event_intel_uncore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c +@@ -229,7 +229,7 @@ void uncore_perf_event_update(struct int + u64 prev_count, new_count, delta; + int shift; + +- if (event->hw.idx >= UNCORE_PMC_IDX_FIXED) ++ if (event->hw.idx == UNCORE_PMC_IDX_FIXED) + shift = 64 - uncore_fixed_ctr_bits(box); + else + shift = 64 - uncore_perf_ctr_bits(box); diff --git a/queue-4.4/pinctrl-at91-pio4-add-missing-of_node_put.patch b/queue-4.4/pinctrl-at91-pio4-add-missing-of_node_put.patch new file mode 100644 index 00000000000..49c718c25ed --- /dev/null +++ b/queue-4.4/pinctrl-at91-pio4-add-missing-of_node_put.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Julia Lawall +Date: Wed, 23 May 2018 21:07:12 +0200 +Subject: pinctrl: at91-pio4: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit 21816364715f508c10da1e087e352bc1e326614f ] + +The device node iterators perform an of_node_get on each iteration, so a +jump out of the loop requires an of_node_put. + +The semantic patch that fixes this problem is as follows +(http://coccinelle.lip6.fr): + +// +@@ +expression root,e; +local idexpression child; +iterator name for_each_child_of_node; +@@ + + for_each_child_of_node(root, child) { + ... when != of_node_put(child) + when != e = child ++ of_node_put(child); +? break; + ... +} +... when != child +// + +Signed-off-by: Julia Lawall +Acked-by: Ludovic Desroches +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -568,8 +568,10 @@ static int atmel_pctl_dt_node_to_map(str + for_each_child_of_node(np_config, np) { + ret = atmel_pctl_dt_subnode_to_map(pctldev, np, map, + &reserved_maps, num_maps); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(np); + break; ++ } + } + } + diff --git a/queue-4.4/powerpc-32-add-a-missing-include-header.patch b/queue-4.4/powerpc-32-add-a-missing-include-header.patch new file mode 100644 index 00000000000..281fc880a21 --- /dev/null +++ b/queue-4.4/powerpc-32-add-a-missing-include-header.patch 
@@ -0,0 +1,32 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mathieu Malaterre +Date: Thu, 22 Mar 2018 21:20:03 +0100 +Subject: powerpc/32: Add a missing include header + +From: Mathieu Malaterre + +[ Upstream commit c89ca593220931c150cffda24b4d4ccf82f13fc8 ] + +The header file was missing from the includes. Fix the +following warning, treated as error with W=1: + + arch/powerpc/kernel/pci_32.c:286:6: error: no previous prototype for ‘sys_pciconfig_iobase’ [-Werror=missing-prototypes] + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/pci_32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/pci_32.c ++++ b/arch/powerpc/kernel/pci_32.c +@@ -11,6 +11,7 @@ + #include + #include + #include ++#include + #include + #include + #include diff --git a/queue-4.4/powerpc-64s-fix-compiler-store-ordering-to-slb-shadow-area.patch b/queue-4.4/powerpc-64s-fix-compiler-store-ordering-to-slb-shadow-area.patch new file mode 100644 index 00000000000..9ee49da03bd --- /dev/null +++ b/queue-4.4/powerpc-64s-fix-compiler-store-ordering-to-slb-shadow-area.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Nicholas Piggin +Date: Wed, 30 May 2018 20:31:22 +1000 +Subject: powerpc/64s: Fix compiler store ordering to SLB shadow area + +From: Nicholas Piggin + +[ Upstream commit 926bc2f100c24d4842b3064b5af44ae964c1d81c ] + +The stores to update the SLB shadow area must be made as they appear +in the C code, so that the hypervisor does not see an entry with +mismatched vsid and esid. Use WRITE_ONCE for this. + +GCC has been observed to elide the first store to esid in the update, +which means that if the hypervisor interrupts the guest after storing +to vsid, it could see an entry with old esid and new vsid, which may +possibly result in memory corruption. + +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/mm/slb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/mm/slb.c ++++ b/arch/powerpc/mm/slb.c +@@ -69,14 +69,14 @@ static inline void slb_shadow_update(uns + * updating it. No write barriers are needed here, provided + * we only update the current CPU's SLB shadow buffer. + */ +- p->save_area[index].esid = 0; +- p->save_area[index].vsid = cpu_to_be64(mk_vsid_data(ea, ssize, flags)); +- p->save_area[index].esid = cpu_to_be64(mk_esid_data(ea, ssize, index)); ++ WRITE_ONCE(p->save_area[index].esid, 0); ++ WRITE_ONCE(p->save_area[index].vsid, cpu_to_be64(mk_vsid_data(ea, ssize, flags))); ++ WRITE_ONCE(p->save_area[index].esid, cpu_to_be64(mk_esid_data(ea, ssize, index))); + } + + static inline void slb_shadow_clear(enum slb_index index) + { +- get_slb_shadow()->save_area[index].esid = 0; ++ WRITE_ONCE(get_slb_shadow()->save_area[index].esid, 0); + } + + static inline void create_shadowed_slbe(unsigned long ea, int ssize, 
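Review bot: In slb_shadow_update() the comment kept just above the three stores still ends with "No write barriers are needed here", and nothing in the code says why WRITE_ONCE is used. The changelog explains that GCC was seen eliding the first store to esid, which lets the hypervisor observe an old esid with a new vsid. Put one sentence to that effect in the comment, and above slb_shadow_clear(), so a later cleanup does not turn these back into plain assignments. The WRITE_ONCE lines for vsid and esid also run past 80 columns and could be wrapped.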
diff --git a/queue-4.4/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch b/queue-4.4/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch new file mode 100644 index 00000000000..7e541ba4904 --- /dev/null +++ b/queue-4.4/powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Christophe Leroy +Date: Thu, 24 May 2018 11:02:06 +0000 +Subject: powerpc/8xx: fix invalid register expression in head_8xx.S + +From: Christophe Leroy + +[ Upstream commit e4ccb1dae6bdef228d729c076c38161ef6e7ca34 ] + +New binutils generate the following warning + + AS arch/powerpc/kernel/head_8xx.o +arch/powerpc/kernel/head_8xx.S: Assembler messages: +arch/powerpc/kernel/head_8xx.S:916: Warning: invalid register expression + +This patch fixes it. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/head_8xx.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/head_8xx.S ++++ b/arch/powerpc/kernel/head_8xx.S +@@ -720,7 +720,7 @@ start_here: + tovirt(r6,r6) + lis r5, abatron_pteptrs@h + ori r5, r5, abatron_pteptrs@l +- stw r5, 0xf0(r0) /* Must match your Abatron config file */ ++ stw r5, 0xf0(0) /* Must match your Abatron config file */ + tophys(r5,r5) + stw r6, 0(r5) + diff --git a/queue-4.4/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch b/queue-4.4/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch new file mode 100644 index 00000000000..1d7abf21bd3 --- /dev/null +++ b/queue-4.4/powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch 
@@ -0,0 +1,57 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mathieu Malaterre +Date: Thu, 22 Mar 2018 21:19:56 +0100 +Subject: powerpc/chrp/time: Make some functions static, add missing header include + +From: Mathieu Malaterre + +[ Upstream commit b87a358b4a1421abd544c0b554b1b7159b2b36c0 ] + +Add a missing include . + +These functions can all be static, make it so. Fix warnings treated as +errors with W=1: + + arch/powerpc/platforms/chrp/time.c:41:13: error: no previous prototype for ‘chrp_time_init’ [-Werror=missing-prototypes] + arch/powerpc/platforms/chrp/time.c:66:5: error: no previous prototype for ‘chrp_cmos_clock_read’ [-Werror=missing-prototypes] + arch/powerpc/platforms/chrp/time.c:74:6: error: no previous prototype for ‘chrp_cmos_clock_write’ [-Werror=missing-prototypes] + arch/powerpc/platforms/chrp/time.c:86:5: error: no previous prototype for ‘chrp_set_rtc_time’ [-Werror=missing-prototypes] + arch/powerpc/platforms/chrp/time.c:130:6: error: no previous prototype for ‘chrp_get_rtc_time’ [-Werror=missing-prototypes] + +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/chrp/time.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/platforms/chrp/time.c ++++ b/arch/powerpc/platforms/chrp/time.c +@@ -27,6 +27,8 @@ + #include + #include + ++#include ++ + extern spinlock_t rtc_lock; + + #define NVRAM_AS0 0x74 +@@ -62,7 +64,7 @@ long __init chrp_time_init(void) + return 0; + } + +-int chrp_cmos_clock_read(int addr) ++static int chrp_cmos_clock_read(int addr) + { + if (nvram_as1 != 0) + outb(addr>>8, nvram_as1); +@@ -70,7 +72,7 @@ int chrp_cmos_clock_read(int addr) + return (inb(nvram_data)); + } + +-void chrp_cmos_clock_write(unsigned long val, int addr) ++static void chrp_cmos_clock_write(unsigned long val, int addr) + { + if (nvram_as1 != 0) + outb(addr>>8, nvram_as1); 
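Review bot: Only chrp_cmos_clock_read() and chrp_cmos_clock_write() become static in the hunks at -62 and -70, while the changelog lists five missing-prototype warnings and says "These functions can all be static". The diffstat (4 insertions, 2 deletions) confirms that chrp_time_init(), chrp_set_rtc_time() and chrp_get_rtc_time() keep external linkage, so their warnings are presumably silenced by prototypes from the include added at -27. The changelog should say which functions are handled which way.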
diff --git a/queue-4.4/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch b/queue-4.4/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch new file mode 100644 index 00000000000..bce99582af4 --- /dev/null +++ b/queue-4.4/powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch 
@@ -0,0 +1,56 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Jonathan Neuschäfer +Date: Thu, 10 May 2018 23:59:19 +0200 +Subject: powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet + +From: Jonathan Neuschäfer + +[ Upstream commit 9dcb3df4281876731e4e8bff7940514d72375154 ] + +The interrupt controller inside the Wii's Hollywood chip is connected to +two masters, the "Broadway" PowerPC and the "Starlet" ARM926, each with +their own interrupt status and mask registers. + +When booting the Wii with mini[1], interrupts from the SD card +controller (IRQ 7) are handled by the ARM, because mini provides SD +access over IPC. Linux however can't currently use or disable this IPC +service, so both sides try to handle IRQ 7 without coordination. + +Let's instead make sure that all interrupts that are unmasked on the PPC +side are masked on the ARM side; this will also make sure that Linux can +properly talk to the SD card controller (and potentially other devices). + +If access to a device through IPC is desired in the future, interrupts +from that device should not be handled by Linux directly. + +[1]: https://github.com/lewurm/mini + +Signed-off-by: Jonathan Neuschäfer +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -35,6 +35,8 @@ + */ + #define HW_BROADWAY_ICR 0x00 + #define HW_BROADWAY_IMR 0x04 ++#define HW_STARLET_ICR 0x08 ++#define HW_STARLET_IMR 0x0c + + + /* +@@ -74,6 +76,9 @@ static void hlwd_pic_unmask(struct irq_d + void __iomem *io_base = irq_data_get_irq_chip_data(d); + + setbits32(io_base + HW_BROADWAY_IMR, 1 << irq); ++ ++ /* Make sure the ARM (aka. Starlet) doesn't handle this interrupt. */ ++ clrbits32(io_base + HW_STARLET_IMR, 1 << irq); + } + + 
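Review bot: HW_STARLET_ICR is defined in the first hunk but nothing in this patch uses it; only HW_STARLET_IMR is touched, in hlwd_pic_unmask(). Either drop the unused define or note in the register comment block that it is listed for documentation. In hlwd_pic_unmask() the clrbits32() on HW_STARLET_IMR is a read-modify-write of a mask register that, per the changelog, belongs to the other master, so a short comment on why a concurrent update from the Starlet side cannot be lost here would help.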
diff --git a/queue-4.4/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch b/queue-4.4/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch new file mode 100644 index 00000000000..6c2b81072ba --- /dev/null +++ b/queue-4.4/powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mathieu Malaterre +Date: Wed, 4 Apr 2018 22:13:05 +0200 +Subject: powerpc/powermac: Add missing prototype for note_bootable_part() + +From: Mathieu Malaterre + +[ Upstream commit f72cf3f1d49f2c35d6cb682af2e8c93550f264e4 ] + +Add a missing prototype for function `note_bootable_part` to silence a +warning treated as error with W=1: + + arch/powerpc/platforms/powermac/setup.c:361:12: error: no previous prototype for ‘note_bootable_part’ [-Werror=missing-prototypes] + +Suggested-by: Christophe Leroy +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powermac/setup.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/platforms/powermac/setup.c ++++ b/arch/powerpc/platforms/powermac/setup.c +@@ -359,6 +359,7 @@ static int pmac_late_init(void) + } + machine_late_initcall(powermac, pmac_late_init); + ++void note_bootable_part(dev_t dev, int part, int goodness); + /* + * This is __init_refok because we check for "initializing" before + * touching any of the __init sensitive things and "initializing" diff --git a/queue-4.4/powerpc-powermac-mark-variable-x-as-unused.patch b/queue-4.4/powerpc-powermac-mark-variable-x-as-unused.patch new file mode 100644 index 00000000000..c3575bc7548 --- /dev/null +++ b/queue-4.4/powerpc-powermac-mark-variable-x-as-unused.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Mathieu Malaterre +Date: Wed, 4 Apr 2018 22:07:46 +0200 +Subject: powerpc/powermac: Mark variable x as unused + +From: Mathieu Malaterre + +[ Upstream commit 5a4b475cf8511da721f20ba432c244061db7139f ] + +Since the value of x is never intended to be read, declare it with gcc +attribute as unused. Fix warning treated as error with W=1: + + arch/powerpc/platforms/powermac/bootx_init.c:471:21: error: variable ‘x’ set but not used [-Werror=unused-but-set-variable] + +Suggested-by: Christophe Leroy +Signed-off-by: Mathieu Malaterre +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powermac/bootx_init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powermac/bootx_init.c ++++ b/arch/powerpc/platforms/powermac/bootx_init.c +@@ -467,7 +467,7 @@ void __init bootx_init(unsigned long r3, + boot_infos_t *bi = (boot_infos_t *) r4; + unsigned long hdr; + unsigned long space; +- unsigned long ptr, x; ++ unsigned long ptr; + char *model; + unsigned long offset = reloc_offset(); + +@@ -561,6 +561,8 @@ void __init bootx_init(unsigned long r3, + * MMU switched OFF, so this should not be useful anymore. + */ + if (bi->version < 4) { ++ unsigned long x __maybe_unused; ++ + bootx_printf("Touching pages...\n"); + + /* diff --git a/queue-4.4/rdma-mad-convert-bug_ons-to-error-flows.patch b/queue-4.4/rdma-mad-convert-bug_ons-to-error-flows.patch new file mode 100644 index 00000000000..09648007fe7 --- /dev/null +++ b/queue-4.4/rdma-mad-convert-bug_ons-to-error-flows.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Leon Romanovsky +Date: Tue, 29 May 2018 14:56:19 +0300 +Subject: RDMA/mad: Convert BUG_ONs to error flows + +From: Leon Romanovsky + +[ Upstream commit 2468b82d69e3a53d024f28d79ba0fdb8bf43dfbf ] + +Let's perform checks in-place instead of BUG_ONs. + +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/mad.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -1548,7 +1548,8 @@ static int add_oui_reg_req(struct ib_mad + mad_reg_req->oui, 3)) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(!*method); ++ if (!*method) ++ goto error3; + goto check_in_use; + } + } +@@ -1558,10 +1559,12 @@ static int add_oui_reg_req(struct ib_mad + vclass]->oui[i])) { + method = &(*vendor_table)->vendor_class[ + vclass]->method_table[i]; +- BUG_ON(*method); + /* Allocate method table for this OUI */ +- if ((ret = allocate_method_table(method))) +- goto error3; ++ if (!*method) { ++ ret = allocate_method_table(method); ++ if (ret) ++ goto error3; ++ } + memcpy((*vendor_table)->vendor_class[vclass]->oui[i], + mad_reg_req->oui, 3); + goto check_in_use; diff --git a/queue-4.4/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch b/queue-4.4/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch new file mode 100644 index 00000000000..6a039a901f1 --- /dev/null +++ b/queue-4.4/regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch 
@@ -0,0 +1,33 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Anson Huang +Date: Thu, 17 May 2018 15:27:22 +0800 +Subject: regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops + +From: Anson Huang + +[ Upstream commit 0b01fd3d40fe6402e5fa3b491ef23109feb1aaa5 ] + +If is_enabled() is not defined, regulator core will assume +this regulator is already enabled, then it can NOT be really +enabled after disabled. + +Based on Li Jun's patch from the NXP kernel tree. + +Signed-off-by: Anson Huang +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/regulator/pfuze100-regulator.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -152,6 +152,7 @@ static struct regulator_ops pfuze100_sw_ + static struct regulator_ops pfuze100_swb_regulator_ops = { + .enable = regulator_enable_regmap, + .disable = regulator_disable_regmap, ++ .is_enabled = regulator_is_enabled_regmap, + .list_voltage = regulator_list_voltage_table, + .map_voltage = regulator_map_voltage_ascend, + .set_voltage_sel = regulator_set_voltage_sel_regmap, diff --git a/queue-4.4/rsi-fix-invalid-vdd-warning-in-mmc.patch b/queue-4.4/rsi-fix-invalid-vdd-warning-in-mmc.patch new file mode 100644 index 00000000000..29112667866 --- /dev/null +++ b/queue-4.4/rsi-fix-invalid-vdd-warning-in-mmc.patch 
@@ -0,0 +1,76 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Siva Rebbagondla +Date: Wed, 11 Apr 2018 12:13:32 +0530 +Subject: rsi: Fix 'invalid vdd' warning in mmc + +From: Siva Rebbagondla + +[ Upstream commit 78e450719c702784e42af6da912d3692fd3da0cb ] + +While performing cleanup, driver is messing with card->ocr +value by not masking rocr against ocr_avail. Below panic +is observed with some of the SDIO host controllers due to +this. Issue is resolved by reverting incorrect modifications +to vdd. + +[ 927.423821] mmc1: Invalid vdd 0x1f +[ 927.423925] Modules linked in: rsi_sdio(+) cmac bnep arc4 rsi_91x + mac80211 cfg80211 btrsi rfcomm bluetooth ecdh_generic +[ 927.424073] CPU: 0 PID: 1624 Comm: insmod Tainted: G W 4.15.0-1000-caracalla #1 +[ 927.424075] Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.06 01/22/2018 +[ 927.424082] RIP: 0010:sdhci_set_power_noreg+0xdd/0x190[sdhci] +[ 927.424085] RSP: 0018:ffffac3fc064b930 EFLAGS: 00010282 +[ 927.424107] Call Trace: +[ 927.424118] sdhci_set_power+0x5a/0x60 [sdhci] +[ 927.424125] sdhci_set_ios+0x360/0x3b0 [sdhci] +[ 927.424133] mmc_set_initial_state+0x92/0x120 +[ 927.424137] mmc_power_up.part.34+0x33/0x1d0 +[ 927.424141] mmc_power_up+0x17/0x20 +[ 927.424147] mmc_sdio_runtime_resume+0x2d/0x50 +[ 927.424151] mmc_runtime_resume+0x17/0x20 +[ 927.424156] __rpm_callback+0xc4/0x200 +[ 927.424161] ? idr_alloc_cyclic+0x57/0xd0 +[ 927.424165] ? mmc_runtime_suspend+0x20/0x20 +[ 927.424169] rpm_callback+0x24/0x80 +[ 927.424172] ? mmc_runtime_suspend+0x20/0x20 +[ 927.424176] rpm_resume+0x4b3/0x6c0 +[ 927.424181] __pm_runtime_resume+0x4e/0x80 +[ 927.424188] driver_probe_device+0x41/0x490 +[ 927.424192] __driver_attach+0xdf/0xf0 +[ 927.424196] ? driver_probe_device+0x490/0x490 +[ 927.424201] bus_for_each_dev+0x6c/0xc0 +[ 927.424205] driver_attach+0x1e/0x20 +[ 927.424209] bus_add_driver+0x1f4/0x270 +[ 927.424217] ? rsi_sdio_ack_intr+0x50/0x50 [rsi_sdio] +[ 927.424221] driver_register+0x60/0xe0 +[ 927.424227] ? 
rsi_sdio_ack_intr+0x50/0x50 [rsi_sdio] +[ 927.424231] sdio_register_driver+0x20/0x30 +[ 927.424237] rsi_module_init+0x16/0x40 [rsi_sdio] + +Signed-off-by: Siva Rebbagondla +Signed-off-by: Amitkumar Karwar +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_sdio.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_sdio.c ++++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c +@@ -155,7 +155,6 @@ static void rsi_reset_card(struct sdio_f + int err; + struct mmc_card *card = pfunction->card; + struct mmc_host *host = card->host; +- s32 bit = (fls(host->ocr_avail) - 1); + u8 cmd52_resp; + u32 clock, resp, i; + u16 rca; +@@ -175,7 +174,6 @@ static void rsi_reset_card(struct sdio_f + msleep(20); + + /* Initialize the SDIO card */ +- host->ios.vdd = bit; + host->ios.chip_select = MMC_CS_DONTCARE; + host->ios.bus_mode = MMC_BUSMODE_OPENDRAIN; + host->ios.power_mode = MMC_POWER_UP; diff --git a/queue-4.4/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch b/queue-4.4/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch new file mode 100644 index 00000000000..fa9479d1289 --- /dev/null +++ b/queue-4.4/rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Alexandre Belloni +Date: Tue, 5 Jun 2018 23:09:14 +0200 +Subject: rtc: ensure rtc_set_alarm fails when alarms are not supported + +From: Alexandre Belloni + +[ Upstream commit abfdff44bc38e9e2ef7929f633fb8462632299d4 ] + +When using RTC_ALM_SET or RTC_WKALM_SET with rtc_wkalrm.enabled not set, +rtc_timer_enqueue() is not called and rtc_set_alarm() may succeed but the +subsequent RTC_AIE_ON ioctl will fail. RTC_ALM_READ would also fail in that +case. + +Ensure rtc_set_alarm() fails when alarms are not supported to avoid letting +programs think the alarms are working for a particular RTC when they are +not. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/interface.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/rtc/interface.c ++++ b/drivers/rtc/interface.c +@@ -349,6 +349,11 @@ int rtc_set_alarm(struct rtc_device *rtc + { + int err; + ++ if (!rtc->ops) ++ return -ENODEV; ++ else if (!rtc->ops->set_alarm) ++ return -EINVAL; ++ + err = rtc_valid_tm(&alarm->time); + if (err != 0) + return err; diff --git a/queue-4.4/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch b/queue-4.4/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch new file mode 100644 index 00000000000..5209721142b --- /dev/null +++ b/queue-4.4/s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch 
@@ -0,0 +1,41 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Thomas Richter +Date: Tue, 8 May 2018 10:18:39 +0200 +Subject: s390/cpum_sf: Add data entry sizes to sampling trailer entry + +From: Thomas Richter + +[ Upstream commit 77715b7ddb446bd39a06f3376e85f4bb95b29bb8 ] + +The CPU Measurement sampling facility creates a trailer entry for each +Sample-Data-Block of stored samples. The trailer entry contains the sizes +(in bytes) of the stored sampling types: + - basic-sampling data entry size + - diagnostic-sampling data entry size +Both sizes are 2 bytes long. + +This patch changes the trailer entry definition to reflect this. + +Fixes: fcc77f507333 ("s390/cpum_sf: Atomically reset trailer entry fields of sample-data-blocks") +Signed-off-by: Thomas Richter +Reviewed-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/include/asm/cpu_mf.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/s390/include/asm/cpu_mf.h ++++ b/arch/s390/include/asm/cpu_mf.h +@@ -129,7 +129,9 @@ struct hws_trailer_entry { + unsigned int f:1; /* 0 - Block Full Indicator */ + unsigned int a:1; /* 1 - Alert request control */ + unsigned int t:1; /* 2 - Timestamp format */ +- unsigned long long:61; /* 3 - 63: Reserved */ ++ unsigned int :29; /* 3 - 31: Reserved */ ++ unsigned int bsdes:16; /* 32-47: size of basic SDE */ ++ unsigned int dsdes:16; /* 48-63: size of diagnostic SDE */ + }; + unsigned long long flags; /* 0 - 63: All indicators */ + }; diff --git a/queue-4.4/scsi-3w-9xxx-fix-a-missing-check-bug.patch b/queue-4.4/scsi-3w-9xxx-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..a15a9cfb5ed --- /dev/null +++ b/queue-4.4/scsi-3w-9xxx-fix-a-missing-check-bug.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Wenwen Wang +Date: Mon, 7 May 2018 19:46:43 -0500 +Subject: scsi: 3w-9xxx: fix a missing-check bug + +From: Wenwen Wang + +[ Upstream commit c9318a3e0218bc9dacc25be46b9eec363259536f ] + +In twa_chrdev_ioctl(), the ioctl driver command is firstly copied from +the userspace pointer 'argp' and saved to the kernel object +'driver_command'. Then a security check is performed on the data buffer +size indicated by 'driver_command', which is +'driver_command.buffer_length'. If the security check is passed, the +entire ioctl command is copied again from the 'argp' pointer and saved +to the kernel object 'tw_ioctl'. Then, various operations are performed +on 'tw_ioctl' according to the 'cmd'. Given that the 'argp' pointer +resides in userspace, a malicious userspace process can race to change +the buffer size between the two copies. This way, the user can bypass +the security check and inject invalid data buffer size. This can cause +potential security issues in the following execution. + +This patch checks for capable(CAP_SYS_ADMIN) in twa_chrdev_open()t o +avoid the above issues. + +Signed-off-by: Wenwen Wang +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-9xxx.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -889,6 +889,11 @@ static int twa_chrdev_open(struct inode + unsigned int minor_number; + int retval = TW_IOCTL_ERROR_OS_ENODEV; + ++ if (!capable(CAP_SYS_ADMIN)) { ++ retval = -EACCES; ++ goto out; ++ } ++ + minor_number = iminor(inode); + if (minor_number >= twa_device_extension_count) + goto out; diff --git a/queue-4.4/scsi-3w-xxxx-fix-a-missing-check-bug.patch b/queue-4.4/scsi-3w-xxxx-fix-a-missing-check-bug.patch new file mode 100644 index 00000000000..820a7db33e6 --- /dev/null +++ b/queue-4.4/scsi-3w-xxxx-fix-a-missing-check-bug.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Wenwen Wang +Date: Mon, 7 May 2018 19:54:01 -0500 +Subject: scsi: 3w-xxxx: fix a missing-check bug + +From: Wenwen Wang + +[ Upstream commit 9899e4d3523faaef17c67141aa80ff2088f17871 ] + +In tw_chrdev_ioctl(), the length of the data buffer is firstly copied +from the userspace pointer 'argp' and saved to the kernel object +'data_buffer_length'. Then a security check is performed on it to make +sure that the length is not more than 'TW_MAX_IOCTL_SECTORS * +512'. Otherwise, an error code -EINVAL is returned. If the security +check is passed, the entire ioctl command is copied again from the +'argp' pointer and saved to the kernel object 'tw_ioctl'. Then, various +operations are performed on 'tw_ioctl' according to the 'cmd'. Given +that the 'argp' pointer resides in userspace, a malicious userspace +process can race to change the buffer length between the two +copies. This way, the user can bypass the security check and inject +invalid data buffer length. This can cause potential security issues in +the following execution. + +This patch checks for capable(CAP_SYS_ADMIN) in tw_chrdev_open() to +avoid the above issues. + +Signed-off-by: Wenwen Wang +Acked-by: Adam Radford +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/3w-xxxx.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -1034,6 +1034,9 @@ static int tw_chrdev_open(struct inode * + + dprintk(KERN_WARNING "3w-xxxx: tw_ioctl_open()\n"); + ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EACCES; ++ + minor_number = iminor(inode); + if (minor_number >= tw_device_extension_count) + return -ENODEV; diff --git a/queue-4.4/scsi-megaraid-silence-a-static-checker-bug.patch b/queue-4.4/scsi-megaraid-silence-a-static-checker-bug.patch new file mode 100644 index 00000000000..7fda931410f --- /dev/null 
+++ b/queue-4.4/scsi-megaraid-silence-a-static-checker-bug.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Dan Carpenter +Date: Thu, 3 May 2018 13:54:32 +0300 +Subject: scsi: megaraid: silence a static checker bug + +From: Dan Carpenter + +[ Upstream commit 27e833dabab74ee665e487e291c9afc6d71effba ] + +If we had more than 32 megaraid cards then it would cause memory +corruption. That's not likely, of course, but it's handy to enforce it +and make the static checker happy. + +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/megaraid.c ++++ b/drivers/scsi/megaraid.c +@@ -4197,6 +4197,9 @@ megaraid_probe_one(struct pci_dev *pdev, + int irq, i, j; + int error = -ENODEV; + ++ if (hba_count >= MAX_CONTROLLERS) ++ goto out; ++ + if (pci_enable_device(pdev)) + goto out; + pci_set_master(pdev); diff --git a/queue-4.4/scsi-megaraid_sas-increase-timeout-by-1-sec-for-non-raid-fastpath-ios.patch b/queue-4.4/scsi-megaraid_sas-increase-timeout-by-1-sec-for-non-raid-fastpath-ios.patch new file mode 100644 index 00000000000..0f05d54a847 --- /dev/null +++ b/queue-4.4/scsi-megaraid_sas-increase-timeout-by-1-sec-for-non-raid-fastpath-ios.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Shivasharan S +Date: Fri, 6 Apr 2018 02:02:11 -0700 +Subject: scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs + +From: Shivasharan S + +[ Upstream commit 3239b8cd28fd849a2023483257d35d68c5876c74 ] + +Hardware could time out Fastpath IOs one second earlier than the timeout +provided by the host. + +For non-RAID devices, driver provides timeout value based on OS provided +timeout value. Under certain scenarios, if the OS provides a timeout +value of 1 second, due to above behavior hardware will timeout +immediately. + +Increase timeout value for non-RAID fastpath IOs by 1 second. + +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_fusion.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c ++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c +@@ -1886,6 +1886,9 @@ megasas_build_syspd_fusion(struct megasa + pRAID_Context->timeoutValue = cpu_to_le16(os_timeout_value); + pRAID_Context->VirtualDiskTgtId = cpu_to_le16(device_id); + } else { ++ if (os_timeout_value) ++ os_timeout_value++; ++ + /* system pd Fast Path */ + io_request->Function = MPI2_FUNCTION_SCSI_IO_REQUEST; + timeout_limit = (scmd->device->type == TYPE_DISK) ? diff --git a/queue-4.4/scsi-scsi_dh-replace-too-broad-tp9-string-with-the-exact-models.patch b/queue-4.4/scsi-scsi_dh-replace-too-broad-tp9-string-with-the-exact-models.patch new file mode 100644 index 00000000000..7cc7dd1c1e8 --- /dev/null +++ b/queue-4.4/scsi-scsi_dh-replace-too-broad-tp9-string-with-the-exact-models.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Xose Vazquez Perez +Date: Sat, 7 Apr 2018 00:47:23 +0200 +Subject: scsi: scsi_dh: replace too broad "TP9" string with the exact models + +From: Xose Vazquez Perez + +[ Upstream commit 37b37d2609cb0ac267280ef27350b962d16d272e ] + +SGI/TP9100 is not an RDAC array: + ^^^ +https://git.opensvc.com/gitweb.cgi?p=multipath-tools/.git;a=blob;f=libmultipath/hwtable.c;h=88b4700beb1d8940008020fbe4c3cd97d62f4a56;hb=HEAD#l235 + +This partially reverts commit 35204772ea03 ("[SCSI] scsi_dh_rdac : +Consolidate rdac strings together") + +[mkp: fixed up the new entries to align with rest of struct] + +Cc: NetApp RDAC team +Cc: Hannes Reinecke +Cc: James E.J. Bottomley +Cc: Martin K. Petersen +Cc: SCSI ML +Cc: DM ML +Signed-off-by: Xose Vazquez Perez +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/scsi_dh.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_dh.c ++++ b/drivers/scsi/scsi_dh.c +@@ -58,7 +58,10 @@ static const struct scsi_dh_blist scsi_d + {"IBM", "3526", "rdac", }, + {"IBM", "3542", "rdac", }, + {"IBM", "3552", "rdac", }, +- {"SGI", "TP9", "rdac", }, ++ {"SGI", "TP9300", "rdac", }, ++ {"SGI", "TP9400", "rdac", }, ++ {"SGI", "TP9500", "rdac", }, ++ {"SGI", "TP9700", "rdac", }, + {"SGI", "IS", "rdac", }, + {"STK", "OPENstorage", "rdac", }, + {"STK", "FLEXLINE 380", "rdac", }, diff --git a/queue-4.4/scsi-ufs-fix-exception-event-handling.patch b/queue-4.4/scsi-ufs-fix-exception-event-handling.patch new file mode 100644 index 00000000000..94276e890c3 --- /dev/null +++ b/queue-4.4/scsi-ufs-fix-exception-event-handling.patch 
@@ -0,0 +1,51 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Maya Erez +Date: Thu, 3 May 2018 16:37:16 +0530 +Subject: scsi: ufs: fix exception event handling + +From: Maya Erez + +[ Upstream commit 2e3611e9546c2ed4def152a51dfd34e8dddae7a5 ] + +The device can set the exception event bit in one of the response UPIU, +for example to notify the need for urgent BKOPs operation. In such a +case, the host driver calls ufshcd_exception_event_handler to handle +this notification. When trying to check the exception event status (for +finding the cause for the exception event), the device may be busy with +additional SCSI commands handling and may not respond within the 100ms +timeout. + +To prevent that, we need to block SCSI commands during handling of +exception events and allow retransmissions of the query requests, in +case of timeout. + +Signed-off-by: Subhash Jadavani +Signed-off-by: Maya Erez +Signed-off-by: Can Guo +Signed-off-by: Asutosh Das +Reviewed-by: Subhash Jadavani +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ufs/ufshcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/ufs/ufshcd.c ++++ b/drivers/scsi/ufs/ufshcd.c +@@ -3447,6 +3447,7 @@ static void ufshcd_exception_event_handl + hba = container_of(work, struct ufs_hba, eeh_work); + + pm_runtime_get_sync(hba->dev); ++ scsi_block_requests(hba->host); + err = ufshcd_get_ee_status(hba, &status); + if (err) { + dev_err(hba->dev, "%s: failed to get exception status %d\n", +@@ -3462,6 +3463,7 @@ static void ufshcd_exception_event_handl + __func__, err); + } + out: ++ scsi_unblock_requests(hba->host); + pm_runtime_put_sync(hba->dev); + return; + } diff --git a/queue-4.4/series b/queue-4.4/series index 5ada53fb022..523b75e403d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -6,3 +6,92 @@ tracing-fix-double-free-of-event_trigger_data.patch tracing-fix-possible-double-free-in-event_enable_trigger_func.patch tracing-kprobes-fix-trace_probe-flags-on-enable_trace_kprobe-failure.patch tracing-quiet-gcc-warning-about-maybe-unused-link-variable.patch +xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch +alsa-emu10k1-add-error-handling-for-snd_ctl_add.patch +alsa-fm801-add-error-handling-for-snd_ctl_add.patch +nfsd-fix-potential-use-after-free-in-nfsd4_decode_getdeviceinfo.patch +mm-vmalloc-avoid-racy-handling-of-debugobjects-in-vunmap.patch +mm-slub.c-add-__printf-verification-to-slab_err.patch +rtc-ensure-rtc_set_alarm-fails-when-alarms-are-not-supported.patch +netfilter-ipset-list-timing-out-entries-with-timeout-1-instead-of-zero.patch +infiniband-fix-a-possible-use-after-free-bug.patch +hvc_opal-don-t-set-tb_ticks_per_usec-in-udbg_init_opal_common.patch +powerpc-64s-fix-compiler-store-ordering-to-slb-shadow-area.patch +rdma-mad-convert-bug_ons-to-error-flows.patch +disable-loading-f2fs-module-on-page_size-4kb.patch +f2fs-fix-to-don-t-trigger-writeback-during-recovery.patch +usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch +perf-x86-intel-uncore-correct-fixed-counter-index-check-in-generic-code.patch +perf-x86-intel-uncore-correct-fixed-counter-index-check-for-nhm.patch +iwlwifi-pcie-fix-race-in-rx-buffer-allocator.patch +bluetooth-hci_qca-fix-sleep-inside-atomic-section-warning.patch +bluetooth-btusb-add-a-new-realtek-8723de-id-2ff8-b011.patch +asoc-dpcm-fix-be-dai-not-hw_free-and-shutdown.patch +mfd-cros_ec-fail-early-if-we-cannot-identify-the-ec.patch +mwifiex-handle-race-during-mwifiex_usb_disconnect.patch +wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch +media-videobuf2-core-don-t-call-memop-finish-when-queueing.patch +btrfs-add-barriers-to-btrfs_sync_log-before-log_commit_wait-wakeups.patch +btrfs-qgroup-finish-rescan-when-hit-the-last-leaf-of-extent-tree.patch 
+pci-prevent-sysfs-disable-of-device-while-driver-is-attached.patch +ath-add-regulatory-mapping-for-fcc3_etsic.patch +ath-add-regulatory-mapping-for-etsi8_world.patch +ath-add-regulatory-mapping-for-apl13_world.patch +ath-add-regulatory-mapping-for-apl2_fcca.patch +ath-add-regulatory-mapping-for-uganda.patch +ath-add-regulatory-mapping-for-tanzania.patch +ath-add-regulatory-mapping-for-serbia.patch +ath-add-regulatory-mapping-for-bermuda.patch +ath-add-regulatory-mapping-for-bahamas.patch +powerpc-32-add-a-missing-include-header.patch +powerpc-chrp-time-make-some-functions-static-add-missing-header-include.patch +powerpc-powermac-add-missing-prototype-for-note_bootable_part.patch +powerpc-powermac-mark-variable-x-as-unused.patch +powerpc-8xx-fix-invalid-register-expression-in-head_8xx.s.patch +pinctrl-at91-pio4-add-missing-of_node_put.patch +pci-pciehp-request-control-of-native-hotplug-only-if-supported.patch +mwifiex-correct-histogram-data-with-appropriate-index.patch +scsi-ufs-fix-exception-event-handling.patch +alsa-emu10k1-rate-limit-error-messages-about-page-errors.patch +regulator-pfuze100-add-.is_enable-for-pfuze100_swb_regulator_ops.patch +md-fix-null-dereference-of-mddev-pers-in-remove_and_add_spares.patch +media-smiapp-fix-timeout-checking-in-smiapp_read_nvm.patch +alsa-usb-audio-apply-rate-limit-to-warning-messages-in-urb-complete-callback.patch +hid-hid-plantronics-re-resend-update-to-map-button-for-ptt-products.patch +drm-radeon-fix-mode_valid-s-return-type.patch +powerpc-embedded6xx-hlwd-pic-prevent-interrupts-from-being-handled-by-starlet.patch +hid-i2c-hid-check-if-device-is-there-before-really-probing.patch +tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch +dma-iommu-fix-compilation-when-config_iommu_dma.patch +tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch +media-rcar_jpu-add-missing-clk_disable_unprepare-on-error-in-jpu_open.patch +libata-fix-command-retry-decision.patch 
+media-saa7164-fix-driver-name-in-debug-output.patch +mtd-rawnand-fsl_ifc-fix-fsl-nand-driver-to-read-all-onfi-parameter-pages.patch +brcmfmac-add-support-for-bcm43364-wireless-chipset.patch +s390-cpum_sf-add-data-entry-sizes-to-sampling-trailer-entry.patch +perf-fix-invalid-bit-in-diagnostic-entry.patch +scsi-3w-9xxx-fix-a-missing-check-bug.patch +scsi-3w-xxxx-fix-a-missing-check-bug.patch +scsi-megaraid-silence-a-static-checker-bug.patch +thermal-exynos-fix-setting-rising_threshold-for-exynos5433.patch +bpf-fix-references-to-free_bpf_prog_info-in-comments.patch +media-siano-get-rid-of-__le32-__le16-cast-warnings.patch +drm-atomic-handling-the-case-when-setting-old-crtc-for-plane.patch +alsa-hda-ca0132-fix-build-failure-when-a-local-macro-is-defined.patch +fasync-fix-deadlock-between-task-context-and-interrupt-context-kill_fasync.patch +memory-tegra-do-not-handle-spurious-interrupts.patch +memory-tegra-apply-interrupts-mask-per-soc.patch +drm-gma500-fix-psb_intel_lvds_mode_valid-s-return-type.patch +ipconfig-correctly-initialise-ic_nameservers.patch +rsi-fix-invalid-vdd-warning-in-mmc.patch +audit-allow-not-equal-op-for-audit-by-executable.patch +microblaze-fix-simpleimage-format-generation.patch +usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch +crypto-authencesn-don-t-leak-pointers-to-authenc-keys.patch +crypto-authenc-don-t-leak-pointers-to-authenc-keys.patch +media-omap3isp-fix-unbalanced-dma_iommu_mapping.patch +scsi-scsi_dh-replace-too-broad-tp9-string-with-the-exact-models.patch +scsi-megaraid_sas-increase-timeout-by-1-sec-for-non-raid-fastpath-ios.patch +media-si470x-fix-__be16-annotations.patch +drm-add-dp-psr2-sink-enable-bit.patch diff --git a/queue-4.4/thermal-exynos-fix-setting-rising_threshold-for-exynos5433.patch b/queue-4.4/thermal-exynos-fix-setting-rising_threshold-for-exynos5433.patch new file mode 100644 index 00000000000..615b95967c1 --- /dev/null 
+++ b/queue-4.4/thermal-exynos-fix-setting-rising_threshold-for-exynos5433.patch @@ -0,0 +1,30 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Bartlomiej Zolnierkiewicz +Date: Thu, 26 Apr 2018 13:51:16 +0200 +Subject: thermal: exynos: fix setting rising_threshold for Exynos5433 + +From: Bartlomiej Zolnierkiewicz + +[ Upstream commit 8bfc218d0ebbabcba8ed2b8ec1831e0cf1f71629 ] + +Add missing clearing of the previous value when setting rising +temperature threshold. + +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/samsung/exynos_tmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/samsung/exynos_tmu.c ++++ b/drivers/thermal/samsung/exynos_tmu.c +@@ -585,6 +585,7 @@ static int exynos5433_tmu_initialize(str + threshold_code = temp_to_code(data, temp); + + rising_threshold = readl(data->base + rising_reg_offset); ++ rising_threshold &= ~(0xff << j * 8); + rising_threshold |= (threshold_code << j * 8); + writel(rising_threshold, data->base + rising_reg_offset); + diff --git a/queue-4.4/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch b/queue-4.4/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch new file mode 100644 index 00000000000..bd5fd2466dd --- /dev/null +++ b/queue-4.4/tick-prefer-a-lower-rating-device-only-if-it-s-cpu-local-device.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Sudeep Holla +Date: Wed, 9 May 2018 17:02:08 +0100 +Subject: tick: Prefer a lower rating device only if it's CPU local device + +From: Sudeep Holla + +[ Upstream commit 1332a90558013ae4242e3dd7934bdcdeafb06c0d ] + +Checking the equality of cpumask for both new and old tick device doesn't +ensure that it's CPU local device. This will cause issue if a low rating +clockevent tick device is registered first followed by the registration +of higher rating clockevent tick device. + +In such case, clockevents_released list will never get emptied as both +the devices get selected as preferred one and we will loop forever in +clockevents_notify_released. + +Signed-off-by: Sudeep Holla +Signed-off-by: Thomas Gleixner +Cc: Frederic Weisbecker +Link: https://lkml.kernel.org/r/1525881728-4858-1-git-send-email-sudeep.holla@arm.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/tick-common.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/tick-common.c ++++ b/kernel/time/tick-common.c +@@ -277,7 +277,8 @@ static bool tick_check_preferred(struct + */ + return !curdev || + newdev->rating > curdev->rating || +- !cpumask_equal(curdev->cpumask, newdev->cpumask); ++ (!cpumask_equal(curdev->cpumask, newdev->cpumask) && ++ !tick_check_percpu(curdev, newdev, smp_processor_id())); + } + + /* diff --git a/queue-4.4/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch b/queue-4.4/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch new file mode 100644 index 00000000000..771055c59d3 --- /dev/null +++ b/queue-4.4/tty-fix-data-race-in-tty_insert_flip_string_fixed_flag.patch 
@@ -0,0 +1,96 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: DaeRyong Jeong +Date: Tue, 1 May 2018 00:27:04 +0900 +Subject: tty: Fix data race in tty_insert_flip_string_fixed_flag + +From: DaeRyong Jeong + +[ Upstream commit b6da31b2c07c46f2dcad1d86caa835227a16d9ff ] + +Unlike normal serials, in pty layer, there is no guarantee that multiple +threads don't insert input characters at the same time. If it is happened, +tty_insert_flip_string_fixed_flag can be executed concurrently. This can +lead slab out-of-bounds write in tty_insert_flip_string_fixed_flag. + +Call sequences are as follows. +CPU0 CPU1 +n_tty_ioctl_helper n_tty_ioctl_helper +__start_tty tty_send_xchar +tty_wakeup pty_write +n_hdlc_tty_wakeup tty_insert_flip_string +n_hdlc_send_frames tty_insert_flip_string_fixed_flag +pty_write +tty_insert_flip_string +tty_insert_flip_string_fixed_flag + +To fix the race, acquire port->lock in pty_write() before it inserts input +characters to tty buffer. It prevents multiple threads from inserting +input characters concurrently. 
+ +The crash log is as follows: +BUG: KASAN: slab-out-of-bounds in tty_insert_flip_string_fixed_flag+0xb5/ +0x130 drivers/tty/tty_buffer.c:316 at addr ffff880114fcc121 +Write of size 1792 by task syz-executor0/30017 +CPU: 1 PID: 30017 Comm: syz-executor0 Not tainted 4.8.0 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014 + 0000000000000000 ffff88011638f888 ffffffff81694cc3 ffff88007d802140 + ffff880114fcb300 ffff880114fcc300 ffff880114fcb300 ffff88011638f8b0 + ffffffff8130075c ffff88011638f940 ffff88007d802140 ffff880194fcc121 +Call Trace: + __dump_stack lib/dump_stack.c:15 [inline] + dump_stack+0xb3/0x110 lib/dump_stack.c:51 + kasan_object_err+0x1c/0x70 mm/kasan/report.c:156 + print_address_description mm/kasan/report.c:194 [inline] + kasan_report_error+0x1f7/0x4e0 mm/kasan/report.c:283 + kasan_report+0x36/0x40 mm/kasan/report.c:303 + check_memory_region_inline mm/kasan/kasan.c:292 [inline] + check_memory_region+0x13e/0x1a0 mm/kasan/kasan.c:299 + memcpy+0x37/0x50 mm/kasan/kasan.c:335 + tty_insert_flip_string_fixed_flag+0xb5/0x130 drivers/tty/tty_buffer.c:316 + tty_insert_flip_string include/linux/tty_flip.h:35 [inline] + pty_write+0x7f/0xc0 drivers/tty/pty.c:115 + n_hdlc_send_frames+0x1d4/0x3b0 drivers/tty/n_hdlc.c:419 + n_hdlc_tty_wakeup+0x73/0xa0 drivers/tty/n_hdlc.c:496 + tty_wakeup+0x92/0xb0 drivers/tty/tty_io.c:601 + __start_tty.part.26+0x66/0x70 drivers/tty/tty_io.c:1018 + __start_tty+0x34/0x40 drivers/tty/tty_io.c:1013 + n_tty_ioctl_helper+0x146/0x1e0 drivers/tty/tty_ioctl.c:1138 + n_hdlc_tty_ioctl+0xb3/0x2b0 drivers/tty/n_hdlc.c:794 + tty_ioctl+0xa85/0x16d0 drivers/tty/tty_io.c:2992 + vfs_ioctl fs/ioctl.c:43 [inline] + do_vfs_ioctl+0x13e/0xba0 fs/ioctl.c:679 + SYSC_ioctl fs/ioctl.c:694 [inline] + SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685 + entry_SYSCALL_64_fastpath+0x1f/0xbd + +Signed-off-by: DaeRyong Jeong +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg 
Kroah-Hartman +--- + drivers/tty/pty.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -106,16 +106,19 @@ static void pty_unthrottle(struct tty_st + static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + { + struct tty_struct *to = tty->link; ++ unsigned long flags; + + if (tty->stopped) + return 0; + + if (c > 0) { ++ spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); ++ spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } diff --git a/queue-4.4/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch b/queue-4.4/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch new file mode 100644 index 00000000000..ed4c3c5ca51 --- /dev/null +++ b/queue-4.4/usb-hub-don-t-wait-for-connect-state-at-resume-for-powered-off-ports.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Dominik Bozek +Date: Fri, 13 Apr 2018 10:42:31 -0700 +Subject: usb: hub: Don't wait for connect state at resume for powered-off ports + +From: Dominik Bozek + +[ Upstream commit 5d111f5190848d6fb1c414dc57797efea3526a2f ] + +wait_for_connected() wait till a port change status to +USB_PORT_STAT_CONNECTION, but this is not possible if +the port is unpowered. The loop will only exit at timeout. + +Such case take place if an over-current incident happen +while system is in S3. Then during resume wait_for_connected() +will wait 2s, which may be noticeable by the user. + +Signed-off-by: Dominik Bozek +Signed-off-by: Kuppuswamy Sathyanarayanan +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3308,6 +3308,10 @@ static int wait_for_ss_port_enable(struc + while (delay_ms < 2000) { + if (status || *portstatus & USB_PORT_STAT_CONNECTION) + break; ++ if (!port_is_power_on(hub, *portstatus)) { ++ status = -ENODEV; ++ break; ++ } + msleep(20); + delay_ms += 20; + status = hub_port_status(hub, *port1, portstatus, portchange); diff --git a/queue-4.4/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch b/queue-4.4/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch new file mode 100644 index 00000000000..56590f1b252 --- /dev/null +++ b/queue-4.4/usbip-usbip_detach-fix-memory-udev-context-and-udev-leak.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: "Shuah Khan (Samsung OSG)" +Date: Tue, 29 May 2018 16:13:03 -0600 +Subject: usbip: usbip_detach: Fix memory, udev context and udev leak + +From: "Shuah Khan (Samsung OSG)" + +[ Upstream commit d179f99a651685b19333360e6558110da2fe9bd7 ] + +detach_port() fails to call usbip_vhci_driver_close() from its error +path after usbip_vhci_detach_device() returns failure, leaking memory +allocated in usbip_vhci_driver_open() and holding udev_context and udev +references. Fix it to call usbip_vhci_driver_close(). + +Signed-off-by: Shuah Khan (Samsung OSG) +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/usbip/src/usbip_detach.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/tools/usb/usbip/src/usbip_detach.c ++++ b/tools/usb/usbip/src/usbip_detach.c +@@ -43,7 +43,7 @@ void usbip_detach_usage(void) + + static int detach_port(char *port) + { +- int ret; ++ int ret = 0; + uint8_t portnum; + char path[PATH_MAX+1]; + +@@ -73,9 +73,12 @@ static int detach_port(char *port) + } + + ret = usbip_vhci_detach_device(portnum); +- if (ret < 0) +- return -1; ++ if (ret < 0) { ++ ret = -1; ++ goto call_driver_close; ++ } + ++call_driver_close: + usbip_vhci_driver_close(); + + return ret; diff --git a/queue-4.4/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch b/queue-4.4/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch new file mode 100644 index 00000000000..f96e74be70d --- /dev/null +++ b/queue-4.4/wlcore-sdio-check-for-valid-platform-device-data-before-suspend.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Eyal Reizer +Date: Mon, 28 May 2018 11:36:42 +0300 +Subject: wlcore: sdio: check for valid platform device data before suspend + +From: Eyal Reizer + +[ Upstream commit 6e91d48371e79862ea2c05867aaebe4afe55a865 ] + +the wl pointer can be null In case only wlcore_sdio is probed while +no WiLink module is successfully probed, as in the case of mounting a +wl12xx module while using a device tree file configured with wl18xx +related settings. +In this case the system was crashing in wl1271_suspend() as platform +device data is not set. +Make sure wl the pointer is valid before using it. + +Signed-off-by: Eyal Reizer +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/sdio.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/ti/wlcore/sdio.c ++++ b/drivers/net/wireless/ti/wlcore/sdio.c +@@ -388,6 +388,11 @@ static int wl1271_suspend(struct device + mmc_pm_flag_t sdio_flags; + int ret = 0; + ++ if (!wl) { ++ dev_err(dev, "no wilink module was probed\n"); ++ goto out; ++ } ++ + dev_dbg(dev, "wl1271 suspend. wow_enabled: %d\n", + wl->wow_enabled); + diff --git a/queue-4.4/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch b/queue-4.4/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch new file mode 100644 index 00000000000..40bd247bfe2 --- /dev/null +++ b/queue-4.4/xen-netfront-raise-max-number-of-slots-in-xennet_get_responses.patch 
@@ -0,0 +1,55 @@ +From foo@baz Sat Jul 28 12:10:33 CEST 2018 +From: Juergen Gross +Date: Tue, 12 Jun 2018 08:57:53 +0200 +Subject: xen/netfront: raise max number of slots in xennet_get_responses() + +From: Juergen Gross + +[ Upstream commit 57f230ab04d2910a06d17d988f1c4d7586a59113 ] + +The max number of slots used in xennet_get_responses() is set to +MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD). + +In old kernel-xen MAX_SKB_FRAGS was 18, while nowadays it is 17. This +difference is resulting in frequent messages "too many slots" and a +reduced network throughput for some workloads (factor 10 below that of +a kernel-xen based guest). + +Replacing MAX_SKB_FRAGS by XEN_NETIF_NR_SLOTS_MIN for calculation of +the max number of slots to use solves that problem (tests showed no +more messages "too many slots" and throughput was as high as with the +kernel-xen based guest system). + +Replace MAX_SKB_FRAGS-2 by XEN_NETIF_NR_SLOTS_MIN-1 in +netfront_tx_slot_available() for making it clearer what is really being +tested without actually modifying the tested value. + +Signed-off-by: Juergen Gross +Reviewed-by: Boris Ostrovsky +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/xen-netfront.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -238,7 +238,7 @@ static void rx_refill_timeout(unsigned l + static int netfront_tx_slot_available(struct netfront_queue *queue) + { + return (queue->tx.req_prod_pvt - queue->tx.rsp_cons) < +- (NET_TX_RING_SIZE - MAX_SKB_FRAGS - 2); ++ (NET_TX_RING_SIZE - XEN_NETIF_NR_SLOTS_MIN - 1); + } + + static void xennet_maybe_wake_tx(struct netfront_queue *queue) +@@ -775,7 +775,7 @@ static int xennet_get_responses(struct n + RING_IDX cons = queue->rx.rsp_cons; + struct sk_buff *skb = xennet_get_rx_skb(queue, cons); + grant_ref_t ref = xennet_get_rx_ref(queue, cons); +- int max = MAX_SKB_FRAGS + (rx->status <= RX_COPY_THRESHOLD); ++ int max = XEN_NETIF_NR_SLOTS_MIN + (rx->status <= RX_COPY_THRESHOLD); + int slots = 1; + int err = 0; + unsigned long ret;
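Review bot: in the rtc_set_alarm() hunk (drivers/rtc/interface.c), the `else` after `return -ENODEV;` is redundant, and returning -EINVAL for a missing set_alarm op cannot be told apart from an -EINVAL coming out of the rtc_valid_tm() check just below it, if that check uses the same code. A plain `if (!rtc->ops->set_alarm)` with a one-line comment saying that -EINVAL here means "this RTC has no alarm support" would make the new early exits easier to read and to debug from userspace.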
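Review bot: in struct hws_trailer_entry (arch/s390/include/asm/cpu_mf.h), the three new `unsigned int` bitfields (29 + 16 + 16 bits) must still overlay `unsigned long long flags` exactly, and nothing in the hunk enforces that. The old single 61-bit reserved field made the 64-bit total obvious; a compile-time size check on the enclosing union would keep a later edit from silently shifting bsdes and dsdes away from bits 32-47 and 48-63.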
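Review bot: the capable(CAP_SYS_ADMIN) check added to twa_chrdev_open() (drivers/scsi/3w-9xxx.c) narrows who can reach the ioctl but leaves the double copy from 'argp' described in the commit message in place, so the length validated in 'driver_command' is still not guaranteed to be the length later read from 'tw_ioctl'. Suggest also re-checking the buffer length after the second copy in twa_chrdev_ioctl(), or reusing the already validated value. The new path also sets retval to -EACCES while the initializer uses TW_IOCTL_ERROR_OS_ENODEV; worth confirming both follow the same error convention for this function.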
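Review bot: in tw_chrdev_open() (drivers/scsi/3w-xxxx.c) the capability is tested once, at open time, so a descriptor opened by a privileged process and then inherited or passed on still reaches tw_chrdev_ioctl() with the two-step copy of the buffer length unchanged. If the goal is to make the race from the commit message unreachable for unprivileged callers, the ioctl path needs its own guard: either the same capable() test there or a re-validation of the length against 'TW_MAX_IOCTL_SECTORS * 512' after the second copy.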
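Review bot: in megaraid_probe_one() (drivers/scsi/megaraid.c) the new `hba_count >= MAX_CONTROLLERS` bail-out jumps to `out` with `error` still at its initial -ENODEV and logs nothing, so a probe refused for exceeding the controller limit looks like any other absent device. A one-line warning that names the limit before the `goto out;` would make the refusal diagnosable.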
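Review bot: in the else branch of megasas_build_syspd_fusion() (megaraid_sas_fusion.c) the added `os_timeout_value++` has neither a comment nor an upper bound. The reason for it (hardware times out fastpath IOs one second early) exists only in the commit message, and the other branch visible in this hunk stores the value through cpu_to_le16(), so if this branch stores it the same way a value already at the 16-bit maximum would wrap to a very short timeout. Suggest a comment above the increment and a clamp before it.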
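Review bot: the commit message for ufshcd_exception_event_handler() (drivers/scsi/ufs/ufshcd.c) promises both blocking SCSI commands and allowing "retransmissions of the query requests, in case of timeout", but the two added lines only introduce scsi_block_requests() and scsi_unblock_requests(). Either the retry part is missing from this patch or the message should say where it is handled. Please also confirm that every exit after the new scsi_block_requests() call passes through `out:`, since an early return there would leave the host's request queue blocked.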
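Review bot: in exynos5433_tmu_initialize() (drivers/thermal/samsung/exynos_tmu.c) the new mask `~(0xff << j * 8)` shifts a signed int constant, which moves a set bit into the sign bit if j can reach 3. Suggest `~(0xffU << (j * 8))` with explicit parentheses, and the same treatment for the `threshold_code << j * 8` line that follows if threshold_code is a signed type.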
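Review bot: in pty_write() (drivers/tty/pty.c) the new spin_lock_irqsave() section on to->port->lock also covers tty_flip_buffer_push(), although the commit message identifies only the concurrent tty_insert_flip_string() calls as the race. Holding a port lock with interrupts off across the push lengthens the critical section and invites lock-ordering problems if the push path ever needs the same lock. Consider unlocking right after the insert and pushing outside the lock, or add a comment stating why the push has to be inside.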
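Review bot: in the second hunk of detach_port() (tools/usb/usbip/src/usbip_detach.c) the added `goto call_driver_close;` jumps to a label on the very next statement, so within this hunk the goto and the label change nothing; setting `ret = -1;` and falling through to usbip_vhci_driver_close() behaves identically. If the label is intended for the earlier error returns in the function, those should be converted in this patch too, otherwise they still leak what usbip_vhci_driver_open() allocated.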
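Review bot: in wl1271_suspend() (drivers/net/wireless/ti/wlcore/sdio.c) the new `!wl` path logs through dev_err() but jumps to `out` with `ret` still 0, so suspend reports success for a condition it has just logged as an error. Pick one: return an error code from this path, or lower the message to an informational level and add a comment saying that skipping the suspend work is intentional when no WiLink module was probed.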
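Review bot: in xennet_get_responses() (drivers/net/xen-netfront.c) `max` is now derived from XEN_NETIF_NR_SLOTS_MIN instead of MAX_SKB_FRAGS, which by the commit message's own numbers raises how many backend-supplied slots are accepted for one packet. Please confirm that whatever is filled per slot later in this function is sized for the new bound rather than for MAX_SKB_FRAGS, and say so in the commit message. For the netfront_tx_slot_available() hunk, the claim that the tested value is unchanged holds only while MAX_SKB_FRAGS is 17; a short comment next to `XEN_NETIF_NR_SLOTS_MIN - 1` would record that.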