From: Sasha Levin Date: Thu, 28 Feb 2019 01:02:07 +0000 (-0500) Subject: patches for 4.9 X-Git-Tag: v4.9.162~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a9593ee3f1894e1ade4709578dd34b83016ee6ba;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/alsa-compress-prevent-potential-divide-by-zero-bugs.patch b/queue-4.9/alsa-compress-prevent-potential-divide-by-zero-bugs.patch
new file mode 100644
index 00000000000..7ba4e44a80f
--- /dev/null
+++ b/queue-4.9/alsa-compress-prevent-potential-divide-by-zero-bugs.patch
@@ -0,0 +1,45 @@ +From 46df7aa08cd2c627933e0943a7982bcd97953745 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Dec 2018 12:06:58 +0300 +Subject: ALSA: compress: prevent potential divide by zero bugs + +[ Upstream commit 678e2b44c8e3fec3afc7202f1996a4500a50be93 ] + +The problem is seen in the q6asm_dai_compr_set_params() function: + + ret = q6asm_map_memory_regions(dir, prtd->audio_client, prtd->phys, + (prtd->pcm_size / prtd->periods), + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + prtd->periods); + +In this code prtd->pcm_size is the buffer_size and prtd->periods comes +from params->buffer.fragments. If we allow the number of fragments to +be zero then it results in a divide by zero bug. One possible fix would +be to use prtd->pcm_count directly instead of using the division to +re-calculate it. But I decided that it doesn't really make sense to +allow zero fragments. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 4490a699030b1..555df64d46ffc 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -529,7 +529,8 @@ static int snd_compress_check_input(struct snd_compr_params *params) + { + /* first let's check the buffer parameter's */ + if (params->buffer.fragment_size == 0 || +- params->buffer.fragments > INT_MAX / params->buffer.fragment_size) ++ params->buffer.fragments > INT_MAX / params->buffer.fragment_size || ++ params->buffer.fragments == 0) + return -EINVAL; + + /* now codec parameters */ +-- +2.19.1 + diff --git a/queue-4.9/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch b/queue-4.9/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch new file mode 100644 index 00000000000..c74147a9702 --- /dev/null +++ b/queue-4.9/arc-fix-__ffs-return-value-to-avoid-build-warnings.patch 
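Review bot: In snd_compress_check_input() the new `params->buffer.fragments == 0` test is appended after the overflow comparison, so the two zero checks end up on either side of the division. Grouping them first reads more directly: `if (params->buffer.fragment_size == 0 || params->buffer.fragments == 0 ||` followed by the `INT_MAX / params->buffer.fragment_size` comparison. The existing comment could also state why zero is rejected, e.g. `/* reject zero sizes/counts (drivers divide by them) and products that overflow int */`. The function body continues outside the hunk.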
@@ -0,0 +1,74 @@ +From 1ff144d5cd786241b06cf18fb3c4216003277bdc Mon Sep 17 00:00:00 2001 +From: Eugeniy Paltsev +Date: Thu, 13 Dec 2018 18:42:57 +0300 +Subject: ARC: fix __ffs return value to avoid build warnings + +[ Upstream commit 4e868f8419cb4cb558c5d428e7ab5629cef864c7 ] + +| CC mm/nobootmem.o +|In file included from ./include/asm-generic/bug.h:18:0, +| from ./arch/arc/include/asm/bug.h:32, +| from ./include/linux/bug.h:5, +| from ./include/linux/mmdebug.h:5, +| from ./include/linux/gfp.h:5, +| from ./include/linux/slab.h:15, +| from mm/nobootmem.c:14: +|mm/nobootmem.c: In function '__free_pages_memory': +|./include/linux/kernel.h:845:29: warning: comparison of distinct pointer types lacks a cast +| (!!(sizeof((typeof(x) *)1 == (typeof(y) *)1))) +| ^ +|./include/linux/kernel.h:859:4: note: in expansion of macro '__typecheck' +| (__typecheck(x, y) && __no_side_effects(x, y)) +| ^~~~~~~~~~~ +|./include/linux/kernel.h:869:24: note: in expansion of macro '__safe_cmp' +| __builtin_choose_expr(__safe_cmp(x, y), \ +| ^~~~~~~~~~ +|./include/linux/kernel.h:878:19: note: in expansion of macro '__careful_cmp' +| #define min(x, y) __careful_cmp(x, y, <) +| ^~~~~~~~~~~~~ +|mm/nobootmem.c:104:11: note: in expansion of macro 'min' +| order = min(MAX_ORDER - 1UL, __ffs(start)); + +Change __ffs return value from 'int' to 'unsigned long' as it +is done in other implementations (like asm-generic, x86, etc...) +to avoid build-time warnings in places where type is strictly +checked. + +As __ffs may return values in [0-31] interval changing return +type to unsigned is valid. 
+ +Signed-off-by: Eugeniy Paltsev +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +--- + arch/arc/include/asm/bitops.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arc/include/asm/bitops.h b/arch/arc/include/asm/bitops.h +index 8da87feec59aa..99e6d8948f4ac 100644 +--- a/arch/arc/include/asm/bitops.h ++++ b/arch/arc/include/asm/bitops.h +@@ -340,7 +340,7 @@ static inline __attribute__ ((const)) int __fls(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long word) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long word) + { + if (!word) + return word; +@@ -400,9 +400,9 @@ static inline __attribute__ ((const)) int ffs(unsigned long x) + /* + * __ffs: Similar to ffs, but zero based (0-31) + */ +-static inline __attribute__ ((const)) int __ffs(unsigned long x) ++static inline __attribute__ ((const)) unsigned long __ffs(unsigned long x) + { +- int n; ++ unsigned long n; + + asm volatile( + " ffs.f %0, %1 \n" /* 0:31; 31(Z) if src 0 */ +-- +2.19.1 + diff --git a/queue-4.9/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch b/queue-4.9/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch new file mode 100644 index 00000000000..c13b44a6907 --- /dev/null +++ b/queue-4.9/asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch 
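Review bot: The two __ffs() variants in arch/arc/include/asm/bitops.h do not appear to agree on a zero argument, and neither doc comment says so: the first returns `word` (0) when `!word`, while the asm comment in the second reads `31(Z) if src 0`. Both comments only say "zero based (0-31)". Since callers such as the `min(MAX_ORDER - 1UL, __ffs(start))` site quoted in the message use the result as a shift or order, the comment should spell out the contract, for example `* The result for word == 0 is not meaningful; callers must check for zero first.`, once the maintainers confirm that is the intent. Both function bodies continue outside the hunks.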
@@ -0,0 +1,83 @@ +From 5e083d33169cd0f747db24b404e5fa6c0a0cd181 Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Sat, 12 Jan 2019 16:28:43 +0100 +Subject: ASoC: dapm: change snprintf to scnprintf for possible overflow + +[ Upstream commit e581e151e965bf1f2815dd94620b638fec4d0a7e ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. 
+ +Signed-off-by: Silvio Cesare +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-dapm.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/sound/soc/soc-dapm.c b/sound/soc/soc-dapm.c +index 8bfc534e3b342..ab647f1fe11bd 100644 +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1976,19 +1976,19 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + out = is_connected_output_ep(w, NULL, NULL); + } + +- ret = snprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", ++ ret = scnprintf(buf, PAGE_SIZE, "%s: %s%s in %d out %d", + w->name, w->power ? "On" : "Off", + w->force ? " (forced)" : "", in, out); + + if (w->reg >= 0) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " - R%d(0x%x) mask 0x%x", + w->reg, w->reg, w->mask << w->shift); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (w->sname) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, " stream %s %s\n", + w->sname, + w->active ? "active" : "inactive"); + +@@ -2001,7 +2001,7 @@ static ssize_t dapm_widget_power_read_file(struct file *file, + if (!p->connect) + continue; + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + " %s \"%s\" \"%s\"\n", + (rdir == SND_SOC_DAPM_DIR_IN) ? "in" : "out", + p->name ? p->name : "static", +-- +2.19.1 + diff --git a/queue-4.9/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch b/queue-4.9/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch new file mode 100644 index 00000000000..3ec4eab3779 --- /dev/null +++ b/queue-4.9/asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch 
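Review bot: With scnprintf() the accumulated `ret` in dapm_widget_power_read_file() can no longer pass the end of the buffer, but a widget with many connected paths now has its listing cut off silently while the path loop keeps iterating with no space left to write into. An early exit inside the loop, `if (ret >= PAGE_SIZE - 1) break;`, would make the truncation explicit and stop the wasted iterations. The later copy of `ret` bytes to userspace is outside this hunk, as are the start and end of the function. The same conversion in sound/soc/fsl/imx-audmux.c (the next patch in this queue) writes a short, fixed-shape report, so no early exit is needed there.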
@@ -0,0 +1,117 @@ +From b3afcf3e116a3e5d9d972d86d93dd2e933d6197f Mon Sep 17 00:00:00 2001 +From: Silvio Cesare +Date: Tue, 15 Jan 2019 04:27:27 +0100 +Subject: ASoC: imx-audmux: change snprintf to scnprintf for possible overflow + +[ Upstream commit c407cd008fd039320d147088b52d0fa34ed3ddcb ] + +Change snprintf to scnprintf. There are generally two cases where using +snprintf causes problems. + +1) Uses of size += snprintf(buf, SIZE - size, fmt, ...) +In this case, if snprintf would have written more characters than what the +buffer size (SIZE) is, then size will end up larger than SIZE. In later +uses of snprintf, SIZE - size will result in a negative number, leading +to problems. Note that size might already be too large by using +size = snprintf before the code reaches a case of size += snprintf. + +2) If size is ultimately used as a length parameter for a copy back to user +space, then it will potentially allow for a buffer overflow and information +disclosure when size is greater than SIZE. When the size is used to index +the buffer directly, we can have memory corruption. This also means when +size = snprintf... is used, it may also cause problems since size may become +large. Copying to userspace is mitigated by the HARDENED_USERCOPY kernel +configuration. + +The solution to these issues is to use scnprintf which returns the number of +characters actually written to the buffer, so the size variable will never +exceed SIZE. 
+ +Signed-off-by: Silvio Cesare +Cc: Timur Tabi +Cc: Nicolin Chen +Cc: Mark Brown +Cc: Xiubo Li +Cc: Fabio Estevam +Cc: Dan Carpenter +Cc: Kees Cook +Cc: Will Deacon +Cc: Greg KH +Signed-off-by: Willy Tarreau +Acked-by: Nicolin Chen +Reviewed-by: Kees Cook +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/imx-audmux.c | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/sound/soc/fsl/imx-audmux.c b/sound/soc/fsl/imx-audmux.c +index fc57da341d610..136df38c4536c 100644 +--- a/sound/soc/fsl/imx-audmux.c ++++ b/sound/soc/fsl/imx-audmux.c +@@ -86,49 +86,49 @@ static ssize_t audmux_read_file(struct file *file, char __user *user_buf, + if (!buf) + return -ENOMEM; + +- ret = snprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", ++ ret = scnprintf(buf, PAGE_SIZE, "PDCR: %08x\nPTCR: %08x\n", + pdcr, ptcr); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS output from %s, ", + audmux_port_string((ptcr >> 27) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_TCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk output from %s", + audmux_port_string((ptcr >> 22) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "TxClk input"); + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, "\n"); ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, "\n"); + + if (ptcr & IMX_AUDMUX_V2_PTCR_SYN) { +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "Port is symmetric"); + } else { + if (ptcr & IMX_AUDMUX_V2_PTCR_RFSDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS output from %s, ", + 
audmux_port_string((ptcr >> 17) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxFS input, "); + + if (ptcr & IMX_AUDMUX_V2_PTCR_RCLKDIR) +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk output from %s", + audmux_port_string((ptcr >> 12) & 0x7)); + else +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "RxClk input"); + } + +- ret += snprintf(buf + ret, PAGE_SIZE - ret, ++ ret += scnprintf(buf + ret, PAGE_SIZE - ret, + "\nData received from %s\n", + audmux_port_string((pdcr >> 13) & 0x7)); + +-- +2.19.1 + diff --git a/queue-4.9/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch b/queue-4.9/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch new file mode 100644 index 00000000000..c7db6171d90 --- /dev/null +++ b/queue-4.9/asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch 
@@ -0,0 +1,50 @@ +From 63f864df3f83b69519723ee00f7a567f80199492 Mon Sep 17 00:00:00 2001 +From: Rander Wang +Date: Tue, 18 Dec 2018 16:24:54 +0800 +Subject: ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field + +[ Upstream commit 906a9abc5de73c383af518f5a806f4be2993a0c7 ] + +For some reason this field was set to zero when all other drivers use +.dynamic = 1 for front-ends. This change was tested on Dell XPS13 and +has no impact with the existing legacy driver. The SOF driver also works +with this change which enables it to override the fixed topology. + +Signed-off-by: Rander Wang +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/boards/broadwell.c | 2 +- + sound/soc/intel/boards/haswell.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/intel/boards/broadwell.c b/sound/soc/intel/boards/broadwell.c +index 7486a0022fdea..993d2c105ae14 100644 +--- a/sound/soc/intel/boards/broadwell.c ++++ b/sound/soc/intel/boards/broadwell.c +@@ -191,7 +191,7 @@ static struct snd_soc_dai_link broadwell_rt286_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +diff --git a/sound/soc/intel/boards/haswell.c b/sound/soc/intel/boards/haswell.c +index 863f1d5e2a2c9..11d0cc2b0e390 100644 +--- a/sound/soc/intel/boards/haswell.c ++++ b/sound/soc/intel/boards/haswell.c +@@ -145,7 +145,7 @@ static struct snd_soc_dai_link haswell_rt5640_dais[] = { + .stream_name = "Loopback", + .cpu_dai_name = "Loopback Pin", + .platform_name = "haswell-pcm-audio", +- .dynamic = 0, ++ .dynamic = 1, + .codec_name = "snd-soc-dummy", + .codec_dai_name = "snd-soc-dummy-dai", + .trigger = {SND_SOC_DPCM_TRIGGER_POST, SND_SOC_DPCM_TRIGGER_POST}, +-- +2.19.1 + 
diff --git a/queue-4.9/cfg80211-extend-range-deviation-for-dmg.patch b/queue-4.9/cfg80211-extend-range-deviation-for-dmg.patch
new file mode 100644
index 00000000000..37722b13332
--- /dev/null
+++ b/queue-4.9/cfg80211-extend-range-deviation-for-dmg.patch
@@ -0,0 +1,43 @@ +From 33e44e428d05e81651bda47a8bbc4b17758ac152 Mon Sep 17 00:00:00 2001 +From: Chaitanya Tata +Date: Sat, 19 Jan 2019 03:17:47 +0530 +Subject: cfg80211: extend range deviation for DMG + +[ Upstream commit 93183bdbe73bbdd03e9566c8dc37c9d06b0d0db6 ] + +Recently, DMG frequency bands have been extended till 71GHz, so extend +the range check till 20GHz (45-71GHZ), else some channels will be marked +as disabled. + +Signed-off-by: Chaitanya Tata +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/reg.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 36d1d25082e32..7c19d0d2549b1 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -773,7 +773,7 @@ static bool reg_does_bw_fit(const struct ieee80211_freq_range *freq_range, + * definitions (the "2.4 GHz band", the "5 GHz band" and the "60GHz band"), + * however it is safe for now to assume that a frequency rule should not be + * part of a frequency's band if the start freq or end freq are off by more +- * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 10 GHz for the ++ * than 2 GHz for the 2.4 and 5 GHz bands, and by more than 20 GHz for the + * 60 GHz band. + * This resolution can be lowered and should be considered as we add + * regulatory rule support for other "bands". +@@ -788,7 +788,7 @@ static bool freq_in_rule_band(const struct ieee80211_freq_range *freq_range, + * with the Channel starting frequency above 45 GHz. + */ + u32 limit = freq_khz > 45 * ONE_GHZ_IN_KHZ ? +- 10 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; ++ 20 * ONE_GHZ_IN_KHZ : 2 * ONE_GHZ_IN_KHZ; + if (abs(freq_khz - freq_range->start_freq_khz) <= limit) + return true; + if (abs(freq_khz - freq_range->end_freq_khz) <= limit) +-- +2.19.1 + diff --git a/queue-4.9/direct-io-allow-direct-writes-to-empty-inodes.patch b/queue-4.9/direct-io-allow-direct-writes-to-empty-inodes.patch new file mode 100644 index 00000000000..a88a06679f3 
--- /dev/null
+++ b/queue-4.9/direct-io-allow-direct-writes-to-empty-inodes.patch
@@ -0,0 +1,56 @@ +From a9dabad5b5b71df84829fb4c9add53f342349667 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ernesto=20A=2E=20Fern=C3=A1ndez?= + +Date: Mon, 8 Oct 2018 20:58:23 -0300 +Subject: direct-io: allow direct writes to empty inodes +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 8b9433eb4de3c26a9226c981c283f9f4896ae030 ] + +On a DIO_SKIP_HOLES filesystem, the ->get_block() method is currently +not allowed to create blocks for an empty inode. This confusion comes +from trying to bit shift a negative number, so check the size of the +inode first. + +The problem is most visible for hfsplus, because the fallback to +buffered I/O doesn't happen and the write fails with EIO. This is in +part the fault of the module, because it gives a wrong return value on +->get_block(); that will be fixed in a separate patch. + +Reviewed-by: Jeff Moyer +Reviewed-by: Jan Kara +Signed-off-by: Ernesto A. Fernández +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/direct-io.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/fs/direct-io.c b/fs/direct-io.c +index 07cc38ec66ca6..fc90f0c33cbe4 100644 +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -616,6 +616,7 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, + unsigned long fs_count; /* Number of filesystem-sized blocks */ + int create; + unsigned int i_blkbits = sdio->blkbits + sdio->blkfactor; ++ loff_t i_size; + + /* + * If there was a memory error and we've overwritten all the +@@ -645,8 +646,8 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, + */ + create = dio->op == REQ_OP_WRITE; + if (dio->flags & DIO_SKIP_HOLES) { +- if (fs_startblk <= ((i_size_read(dio->inode) - 1) >> +- i_blkbits)) ++ i_size = i_size_read(dio->inode); ++ if (i_size && fs_startblk <= (i_size - 1) >> i_blkbits) + create = 0; + } + +-- +2.19.1 + 
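Review bot: The reason for the new `i_size &&` guard in get_more_blocks() exists only in the commit message; nothing in the code says that an empty inode is a special case. A short comment above the test would keep it from being simplified away later, e.g. `/* i_size == 0: (i_size - 1) is negative and must not be shifted; an empty file has no blocks to protect, so leave create set */`. `loff_t i_size` is declared at function scope but used only inside the `DIO_SKIP_HOLES` branch, so it could be declared there instead. The function body continues outside both hunks.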
diff --git a/queue-4.9/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch b/queue-4.9/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch
new file mode 100644
index 00000000000..bd533e4ac33
--- /dev/null
+++ b/queue-4.9/drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch
@@ -0,0 +1,113 @@ +From f5d17a89c386b9e711ab3bb535bb343becb75223 Mon Sep 17 00:00:00 2001 +From: Aaron Hill +Date: Mon, 24 Dec 2018 14:23:36 -0500 +Subject: drivers: thermal: int340x_thermal: Fix sysfs race condition + +[ Upstream commit 129699bb8c7572106b5bbb2407c2daee4727ccad ] + +Changes since V1: +* Use dev_info instead of printk +* Use dev_warn instead of BUG_ON + +Previously, sysfs_create_group was called before all initialization had +fully run - specifically, before pci_set_drvdata was called. Since the +sysctl group is visible to userspace as soon as sysfs_create_group +returns, a small window of time existed during which a process could read +from an uninitialized/partially-initialized device. + +This commit moves the creation of the sysctl group to after all +initialized is completed. This ensures that it's impossible for +userspace to read from a sysctl file before initialization has fully +completed. + +To catch any future regressions, I've added a check to ensure +that proc_thermal_emum_mode is never PROC_THERMAL_NONE when a process +tries to read from a sysctl file. Previously, the aforementioned race +condition could result in the 'else' branch +running while PROC_THERMAL_NONE was set, +leading to a null pointer deference. 
+ +Signed-off-by: Aaron Hill +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + .../processor_thermal_device.c | 28 ++++++++++--------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c +index 06d46e2ff337e..1fdf6fd24cdff 100644 +--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c ++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c +@@ -77,7 +77,12 @@ static ssize_t power_limit_##index##_##suffix##_show(struct device *dev, \ + struct pci_dev *pci_dev; \ + struct platform_device *pdev; \ + struct proc_thermal_device *proc_dev; \ +-\ ++ \ ++ if (proc_thermal_emum_mode == PROC_THERMAL_NONE) { \ ++ dev_warn(dev, "Attempted to get power limit before device was initialized!\n"); \ ++ return 0; \ ++ } \ ++ \ + if (proc_thermal_emum_mode == PROC_THERMAL_PLATFORM_DEV) { \ + pdev = to_platform_device(dev); \ + proc_dev = platform_get_drvdata(pdev); \ +@@ -291,11 +296,6 @@ static int proc_thermal_add(struct device *dev, + *priv = proc_priv; + + ret = proc_thermal_read_ppcc(proc_priv); +- if (!ret) { +- ret = sysfs_create_group(&dev->kobj, +- &power_limit_attribute_group); +- +- } + if (ret) + return ret; + +@@ -309,8 +309,7 @@ static int proc_thermal_add(struct device *dev, + + proc_priv->int340x_zone = int340x_thermal_zone_add(adev, ops); + if (IS_ERR(proc_priv->int340x_zone)) { +- ret = PTR_ERR(proc_priv->int340x_zone); +- goto remove_group; ++ return PTR_ERR(proc_priv->int340x_zone); + } else + ret = 0; + +@@ -324,9 +323,6 @@ static int proc_thermal_add(struct device *dev, + + remove_zone: + int340x_thermal_zone_remove(proc_priv->int340x_zone); +-remove_group: +- sysfs_remove_group(&proc_priv->dev->kobj, +- &power_limit_attribute_group); + + return ret; + } +@@ -357,7 +353,10 @@ static int int3401_add(struct platform_device *pdev) + platform_set_drvdata(pdev, proc_priv); + proc_thermal_emum_mode = 
PROC_THERMAL_PLATFORM_DEV; + +- return 0; ++ dev_info(&pdev->dev, "Creating sysfs group for PROC_THERMAL_PLATFORM_DEV\n"); ++ ++ return sysfs_create_group(&pdev->dev.kobj, ++ &power_limit_attribute_group); + } + + static int int3401_remove(struct platform_device *pdev) +@@ -434,7 +433,10 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev, + dev_err(&pdev->dev, "No auxiliary DTSs enabled\n"); + } + +- return 0; ++ dev_info(&pdev->dev, "Creating sysfs group for PROC_THERMAL_PCI\n"); ++ ++ return sysfs_create_group(&pdev->dev.kobj, ++ &power_limit_attribute_group); + } + + static void proc_thermal_pci_remove(struct pci_dev *pdev) +-- +2.19.1 + diff --git a/queue-4.9/drm-msm-unblock-writer-if-reader-closes-file.patch b/queue-4.9/drm-msm-unblock-writer-if-reader-closes-file.patch new file mode 100644 index 00000000000..0ec4ca4a4c9 --- /dev/null +++ b/queue-4.9/drm-msm-unblock-writer-if-reader-closes-file.patch 
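Review bot: int3401_add() and proc_thermal_pci_probe() now end in `return sysfs_create_group(...)`, so a failure is returned only after the earlier setup has been done (in int3401_add() the drvdata and `proc_thermal_emum_mode` assignments are visible just above), and no unwinding of that state appears in these hunks. The result should be checked, and on error the setup from proc_thermal_add() undone and the mode reset to `PROC_THERMAL_NONE` before returning. Separately, the new guard in the power_limit show macro calls `dev_warn` and returns 0 on every read. Because any reader of the attribute can hit it repeatedly, `dev_warn_ratelimited(...)` with `return -ENODEV;` would avoid log flooding and report an error instead of an empty read. Whether the remove paths delete the group from the same kobject it is now created on is outside the hunks.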
@@ -0,0 +1,45 @@ +From 0dc86610a886e1629fa04f36b92830d135392d9b Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Wed, 19 Dec 2018 08:57:41 -0800 +Subject: drm/msm: Unblock writer if reader closes file + +[ Upstream commit 99c66bc051e7407fe0bf0607b142ec0be1a1d1dd ] + +Prevents deadlock when fifo is full and reader closes file. + +Signed-off-by: Kristian H. Kristensen +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_rd.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/msm/msm_rd.c b/drivers/gpu/drm/msm/msm_rd.c +index 8487f461f05f3..4823019eb422b 100644 +--- a/drivers/gpu/drm/msm/msm_rd.c ++++ b/drivers/gpu/drm/msm/msm_rd.c +@@ -112,7 +112,9 @@ static void rd_write(struct msm_rd_state *rd, const void *buf, int sz) + char *fptr = &fifo->buf[fifo->head]; + int n; + +- wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0); ++ wait_event(rd->fifo_event, circ_space(&rd->fifo) > 0 || !rd->open); ++ if (!rd->open) ++ return; + + n = min(sz, circ_space_to_end(&rd->fifo)); + memcpy(fptr, ptr, n); +@@ -202,7 +204,10 @@ static int rd_open(struct inode *inode, struct file *file) + static int rd_release(struct inode *inode, struct file *file) + { + struct msm_rd_state *rd = inode->i_private; ++ + rd->open = false; ++ wake_up_all(&rd->fifo_event); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/ibmveth-do-not-process-frames-after-calling-napi_res.patch b/queue-4.9/ibmveth-do-not-process-frames-after-calling-napi_res.patch new file mode 100644 index 00000000000..a05fd11b247 --- /dev/null +++ b/queue-4.9/ibmveth-do-not-process-frames-after-calling-napi_res.patch 
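Review bot: `rd->open` is now a wait condition in rd_write() and is cleared in rd_release(), but both are plain accesses with no lock, `READ_ONCE()`/`WRITE_ONCE()` or comment visible in these hunks, so the intended synchronisation rule is undocumented. The early `return` can also leave a record half-written in the fifo if rd_write() copies in several steps (the surrounding loop, if any, is outside the hunk), and a reader that re-opens the file could then see a truncated record. A comment at the check should state the rule, e.g. `/* reader closed the file: drop the rest of this write instead of blocking forever */`, and rd_open() should be checked to confirm it resets the fifo indices.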
@@ -0,0 +1,43 @@ +From ad480a81f7f8ad105ddc940101cd22c69cc93a83 Mon Sep 17 00:00:00 2001 +From: Thomas Falcon +Date: Thu, 24 Jan 2019 11:17:01 -0600 +Subject: ibmveth: Do not process frames after calling napi_reschedule + +[ Upstream commit e95d22c69b2c130ccce257b84daf283fd82d611e ] + +The IBM virtual ethernet driver's polling function continues +to process frames after rescheduling NAPI, resulting in a warning +if it exhausted its budget. Do not restart polling after calling +napi_reschedule. Instead let frames be processed in the following +instance. + +Signed-off-by: Thomas Falcon +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ibmveth.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ibmveth.c b/drivers/net/ethernet/ibm/ibmveth.c +index 4996228fd7e61..955f658f3b65f 100644 +--- a/drivers/net/ethernet/ibm/ibmveth.c ++++ b/drivers/net/ethernet/ibm/ibmveth.c +@@ -1240,7 +1240,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + struct iphdr *iph; + u16 mss = 0; + +-restart_poll: + while (frames_processed < budget) { + if (!ibmveth_rxq_pending_buffer(adapter)) + break; +@@ -1338,7 +1337,6 @@ static int ibmveth_poll(struct napi_struct *napi, int budget) + napi_reschedule(napi)) { + lpar_rc = h_vio_signal(adapter->vdev->unit_address, + VIO_IRQ_DISABLE); +- goto restart_poll; + } + } + +-- +2.19.1 + diff --git a/queue-4.9/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch b/queue-4.9/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch new file mode 100644 index 00000000000..66b01cea088 --- /dev/null +++ b/queue-4.9/kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch 
@@ -0,0 +1,47 @@ +From 6e80be2039cd4fd16ec424ebaab89eb66411ac52 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Mon, 7 Jan 2019 19:44:51 +0100 +Subject: KVM: nSVM: clear events pending from svm_complete_interrupts() when + exiting to L1 + +[ Upstream commit 619ad846fc3452adaf71ca246c5aa711e2055398 ] + +kvm-unit-tests' eventinj "NMI failing on IDT" test results in NMI being +delivered to the host (L1) when it's running nested. The problem seems to +be: svm_complete_interrupts() raises 'nmi_injected' flag but later we +decide to reflect EXIT_NPF to L1. The flag remains pending and we do NMI +injection upon entry so it got delivered to L1 instead of L2. + +It seems that VMX code solves the same issue in prepare_vmcs12(), this was +introduced with code refactoring in commit 5f3d5799974b ("KVM: nVMX: Rework +event injection and recovery"). + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index afc2bd03b4d9e..01eb0451b96d3 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -2862,6 +2862,14 @@ static int nested_svm_vmexit(struct vcpu_svm *svm) + kvm_mmu_reset_context(&svm->vcpu); + kvm_mmu_load(&svm->vcpu); + ++ /* ++ * Drop what we picked up for L2 via svm_complete_interrupts() so it ++ * doesn't end up in L1. ++ */ ++ svm->vcpu.arch.nmi_injected = false; ++ kvm_clear_exception_queue(&svm->vcpu); ++ kvm_clear_interrupt_queue(&svm->vcpu); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/locking-rwsem-fix-possible-missed-wakeup.patch b/queue-4.9/locking-rwsem-fix-possible-missed-wakeup.patch new file mode 100644 index 00000000000..ce07843035d --- /dev/null +++ b/queue-4.9/locking-rwsem-fix-possible-missed-wakeup.patch 
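Review bot: The comment added in nested_svm_vmexit() says the pending events are dropped, but not why dropping them is safe for the L2 guest. Whether the NMI, exception or interrupt has already been recorded for L1 to re-inject (for example through the nested VMCB's exit_int_info) is decided above this hunk and cannot be confirmed from here. If it has, one more sentence would stop a later reader from treating this as a lost-event bug: `* They were already reported to L1 in the nested VMCB, so only KVM's internal copies are cleared here.`. The function starts outside the hunk.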
@@ -0,0 +1,63 @@ +From 012a134056bf40d5c46fe729385b47e4a099a891 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Thu, 29 Nov 2018 20:50:30 +0800 +Subject: locking/rwsem: Fix (possible) missed wakeup + +[ Upstream commit e158488be27b157802753a59b336142dc0eb0380 ] + +Because wake_q_add() can imply an immediate wakeup (cmpxchg failure +case), we must not rely on the wakeup being delayed. However, commit: + + e38513905eea ("locking/rwsem: Rework zeroing reader waiter->task") + +relies on exactly that behaviour in that the wakeup must not happen +until after we clear waiter->task. + +[ peterz: Added changelog. ] + +Signed-off-by: Xie Yongji +Signed-off-by: Zhang Yu +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: e38513905eea ("locking/rwsem: Rework zeroing reader waiter->task") +Link: https://lkml.kernel.org/r/1543495830-2644-1-git-send-email-xieyongji@baidu.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/locking/rwsem-xadd.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kernel/locking/rwsem-xadd.c b/kernel/locking/rwsem-xadd.c +index a4112dfcd0fb1..be06c45cbe4f9 100644 +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -195,15 +195,22 @@ static void __rwsem_mark_wake(struct rw_semaphore *sem, + woken++; + tsk = waiter->task; + +- wake_q_add(wake_q, tsk); ++ get_task_struct(tsk); + list_del(&waiter->list); + /* +- * Ensure that the last operation is setting the reader ++ * Ensure calling get_task_struct() before setting the reader + * waiter to nil such that rwsem_down_read_failed() cannot + * race with do_exit() by always holding a reference count + * to the task to wakeup. + */ + smp_store_release(&waiter->task, NULL); ++ /* ++ * Ensure issuing the wakeup (either by us or someone else) ++ * after setting the reader waiter to nil. 
++ */ ++ wake_q_add(wake_q, tsk); ++ /* wake_q_add() already take the task ref */ ++ put_task_struct(tsk); + } + + adjustment = woken * RWSEM_ACTIVE_READ_BIAS - adjustment; +-- +2.19.1 + diff --git a/queue-4.9/mac80211-add-attribute-aligned-2-to-struct-action.patch b/queue-4.9/mac80211-add-attribute-aligned-2-to-struct-action.patch new file mode 100644 index 00000000000..2ac83691022 --- /dev/null +++ b/queue-4.9/mac80211-add-attribute-aligned-2-to-struct-action.patch 
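Review bot: The new comment `/* wake_q_add() already take the task ref */` in __rwsem_mark_wake() is imprecise about why the following `put_task_struct(tsk)` is safe. The commit message itself notes the cmpxchg-failure case of wake_q_add(), where the task is already queued by someone else; in that case the reference that keeps the task alive would be the other queuer's, not one taken by this call. A more accurate wording is `/* drop our temporary ref: wake_q_add() took its own, or the task is already on a wake_q that holds one */`. The enclosing loop and function start outside the hunk.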
@@ -0,0 +1,62 @@
+From 6182305e0fa25d5dfce4dc2e1f3a8a142379afee Mon Sep 17 00:00:00 2001
+From: Mathieu Malaterre
+Date: Thu, 24 Jan 2019 19:19:57 +0100
+Subject: mac80211: Add attribute aligned(2) to struct 'action'
+
+[ Upstream commit 7c53eb5d87bc21464da4268c3c0c47457b6d9c9b ]
+
+During refactor in commit 9e478066eae4 ("mac80211: fix MU-MIMO
+follow-MAC mode") a new struct 'action' was declared with packed
+attribute as:
+
+ struct {
+ struct ieee80211_hdr_3addr hdr;
+ u8 category;
+ u8 action_code;
+ } __packed action;
+
+But since struct 'ieee80211_hdr_3addr' is declared with an aligned
+keyword as:
+
+ struct ieee80211_hdr {
+ __le16 frame_control;
+ __le16 duration_id;
+ u8 addr1[ETH_ALEN];
+ u8 addr2[ETH_ALEN];
+ u8 addr3[ETH_ALEN];
+ __le16 seq_ctrl;
+ u8 addr4[ETH_ALEN];
+ } __packed __aligned(2);
+
+Solve the ambiguity of placing aligned structure in a packed one by
+adding the aligned(2) attribute to struct 'action'.
+
+This removes the following warning (W=1):
+
+ net/mac80211/rx.c:234:2: warning: alignment 1 of 'struct ' is less than 2 [-Wpacked-not-aligned]
+
+Cc: Johannes Berg
+Suggested-by: Johannes Berg
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index 7013b37637556..23f6c8baae951 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -217,7 +217,7 @@ static void ieee80211_handle_mu_mimo_mon(struct ieee80211_sub_if_data *sdata,
+ struct ieee80211_hdr_3addr hdr;
+ u8 category;
+ u8 action_code;
+- } __packed action;
++ } __packed __aligned(2) action;
+
+ if (!sdata)
+ return;
+--
+2.19.1
+
diff --git a/queue-4.9/mac80211-don-t-initiate-tdls-connection-if-station-i.patch b/queue-4.9/mac80211-don-t-initiate-tdls-connection-if-station-i.patch
new file mode 100644
index 00000000000..92452d17f5e
--- /dev/null
+++ b/queue-4.9/mac80211-don-t-initiate-tdls-connection-if-station-i.patch
@@ -0,0 +1,57 @@
+From 0976d058e4a303db345fd24ca67d021ca5a814c9 Mon Sep 17 00:00:00 2001
+From: Balaji Pothunoori
+Date: Mon, 21 Jan 2019 12:30:43 +0530
+Subject: mac80211: don't initiate TDLS connection if station is not associated
+ to AP
+
+[ Upstream commit 7ed5285396c257fd4070b1e29e7b2341aae2a1ce ]
+
+Following call trace is observed while adding TDLS peer entry in driver
+during TDLS setup.
+
+Call Trace:
+[] dump_stack+0x47/0x61
+[] __warn+0xe2/0x100
+[] ? sta_apply_parameters+0x49f/0x550 [mac80211]
+[] warn_slowpath_null+0x25/0x30
+[] sta_apply_parameters+0x49f/0x550 [mac80211]
+[] ? sta_info_alloc+0x1c2/0x450 [mac80211]
+[] ieee80211_add_station+0xe3/0x160 [mac80211]
+[] nl80211_new_station+0x273/0x420
+[] genl_rcv_msg+0x219/0x3c0
+[] ? genl_rcv+0x30/0x30
+[] netlink_rcv_skb+0x8e/0xb0
+[] genl_rcv+0x1c/0x30
+[] netlink_unicast+0x13a/0x1d0
+[] netlink_sendmsg+0x2d8/0x390
+[] sock_sendmsg+0x2d/0x40
+[] ___sys_sendmsg+0x1d9/0x1e0
+
+Fixing this by allowing TDLS setup request only when we have completed
+association.
+
+Signed-off-by: Balaji Pothunoori
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 6ef9d32c34f1e..954315e1661df 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1425,6 +1425,10 @@ static int ieee80211_add_station(struct wiphy *wiphy, struct net_device *dev,
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
++ if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
+--
+2.19.1
+
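Review bot: The added `return -EINVAL;` in `ieee80211_add_station()` exits without releasing `sta`, whereas the error path just below it calls `sta_info_free(local, sta)` before returning. `sta` is already dereferenced above the new check (`sta->sta.tdls = true`), so it has been allocated by that point, presumably by `sta_info_alloc()` earlier in the function, outside the hunk. Each rejected TDLS add on an unassociated station interface would then leak one station entry, and the request is driven from userspace through nl80211. Add `sta_info_free(local, sta);` before the `return -EINVAL;`, or test `params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)` together with the association state before the allocation.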
diff --git a/queue-4.9/mac80211-fix-miscounting-of-ttl-dropped-frames.patch b/queue-4.9/mac80211-fix-miscounting-of-ttl-dropped-frames.patch
new file mode 100644
index 00000000000..1c1b9ae5de4
--- /dev/null
+++ b/queue-4.9/mac80211-fix-miscounting-of-ttl-dropped-frames.patch
@@ -0,0 +1,44 @@
+From b6f68a7959c8b7cefa760251fef7eca9ced31e73 Mon Sep 17 00:00:00 2001
+From: Bob Copeland
+Date: Thu, 17 Jan 2019 16:32:42 -0500
+Subject: mac80211: fix miscounting of ttl-dropped frames
+
+[ Upstream commit a0dc02039a2ee54fb4ae400e0b755ed30e73e58c ]
+
+In ieee80211_rx_h_mesh_fwding, we increment the 'dropped_frames_ttl'
+counter when we decrement the ttl to zero. For unicast frames
+destined for other hosts, we stop processing the frame at that point.
+
+For multicast frames, we do not rebroadcast it in this case, but we
+do pass the frame up the stack to process it on this STA. That
+doesn't match the usual definition of "dropped," so don't count
+those as such.
+
+With this change, something like `ping6 -i0.2 ff02::1%mesh0` from a
+peer in a ttl=1 network no longer increments the counter rapidly.
+
+Signed-off-by: Bob Copeland
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/rx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
+index af02d2136a066..7013b37637556 100644
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2510,7 +2510,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
+ skb_set_queue_mapping(skb, q);
+
+ if (!--mesh_hdr->ttl) {
+- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
++ if (!is_multicast_ether_addr(hdr->addr1))
++ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh,
++ dropped_frames_ttl);
+ goto out;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.9/net-altera_tse-fix-connect_local_phy-error-path.patch b/queue-4.9/net-altera_tse-fix-connect_local_phy-error-path.patch
new file mode 100644
index 00000000000..c7d1149d24a
--- /dev/null
+++ b/queue-4.9/net-altera_tse-fix-connect_local_phy-error-path.patch
@@ -0,0 +1,37 @@
+From a705e0e13e3e0178d483a5dda0484260fbfb3d9b Mon Sep 17 00:00:00 2001
+From: Atsushi Nemoto
+Date: Mon, 21 Jan 2019 17:26:41 +0900
+Subject: net: altera_tse: fix connect_local_phy error path
+
+[ Upstream commit 17b42a20d7ca59377788c6a2409e77569570cc10 ]
+
+The connect_local_phy should return NULL (not negative errno) on
+error, since its caller expects it.
+
+Signed-off-by: Atsushi Nemoto
+Acked-by: Thor Thayer
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/altera/altera_tse_main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
+index a0eee72186957..e306342506f1f 100644
+--- a/drivers/net/ethernet/altera/altera_tse_main.c
++++ b/drivers/net/ethernet/altera/altera_tse_main.c
+@@ -692,8 +692,10 @@ static struct phy_device *connect_local_phy(struct net_device *dev)
+
+ phydev = phy_connect(dev, phy_id_fmt, &altera_tse_adjust_link,
+ priv->phy_iface);
+- if (IS_ERR(phydev))
++ if (IS_ERR(phydev)) {
+ netdev_err(dev, "Could not attach to PHY\n");
++ phydev = NULL;
++ }
+
+ } else {
+ int ret;
+--
+2.19.1
+
diff --git a/queue-4.9/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch b/queue-4.9/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch
new file mode 100644
index 00000000000..d918dfe2249
--- /dev/null
+++ b/queue-4.9/net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch
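Review bot: The error branch in `connect_local_phy()` now overwrites `phydev` with NULL, so the errno returned by `phy_connect()` is discarded and the only trace left is `Could not attach to PHY` with no cause. Logging the code before clearing it keeps the failure diagnosable: `netdev_err(dev, "Could not attach to PHY: %ld\n", PTR_ERR(phydev));`. The `else` branch and the function's return are outside the hunk, so whether that path has the same errno-versus-NULL mismatch cannot be checked from here.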
@@ -0,0 +1,63 @@
+From 54cc453057168eca9e53d21043a861dab1a90368 Mon Sep 17 00:00:00 2001
+From: Zhang Run
+Date: Thu, 24 Jan 2019 13:48:49 +0800
+Subject: net: usb: asix: ax88772_bind return error when hw_reset fail
+
+[ Upstream commit 6eea3527e68acc22483f4763c8682f223eb90029 ]
+
+The ax88772_bind() should return error code immediately when the PHY
+was not reset properly through ax88772a_hw_reset().
+Otherwise, The asix_get_phyid() will block when get the PHY
+Identifier from the PHYSID1 MII registers through asix_mdio_read()
+due to the PHY isn't ready. Furthermore, it will produce a lot of
+error message cause system crash.As follows:
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
+ reg index 0x0000: -71
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to send
+ software reset: ffffffb9
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
+ reg index 0x0000: -71
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable
+ software MII access
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read
+ reg index 0x0000: -71
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to write
+ reg index 0x0000: -71
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to enable
+ software MII access
+asix 1-1:1.0 (unnamed net_device) (uninitialized): Failed to read
+ reg index 0x0000: -71
+...
+
+Signed-off-by: Zhang Run
+Reviewed-by: Yang Wei
+Tested-by: Marcel Ziswiler
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/asix_devices.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/asix_devices.c b/drivers/net/usb/asix_devices.c
+index 5be6b67492d52..393fd3ed6b94c 100644
+--- a/drivers/net/usb/asix_devices.c
++++ b/drivers/net/usb/asix_devices.c
+@@ -729,8 +729,13 @@ static int ax88772_bind(struct usbnet *dev, struct usb_interface *intf)
+ asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, 0, 0, 1, &chipcode, 0);
+ chipcode &= AX_CHIPCODE_MASK;
+
+- (chipcode == AX_AX88772_CHIPCODE) ? ax88772_hw_reset(dev, 0) :
+- ax88772a_hw_reset(dev, 0);
++ ret = (chipcode == AX_AX88772_CHIPCODE) ? ax88772_hw_reset(dev, 0) :
++ ax88772a_hw_reset(dev, 0);
++
++ if (ret < 0) {
++ netdev_dbg(dev->net, "Failed to reset AX88772: %d\n", ret);
++ return ret;
++ }
+
+ /* Read PHYID register *AFTER* the PHY was reset properly */
+ phyid = asix_get_phyid(dev);
+--
+2.19.1
+
diff --git a/queue-4.9/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch b/queue-4.9/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch
new file mode 100644
index 00000000000..f9365fb0d1c
--- /dev/null
+++ b/queue-4.9/scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch
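Review bot: The new `if (ret < 0)` in `ax88772_bind()` covers only the reset; the `asix_read_cmd(dev, AX_CMD_STATMNGSTS_REG, 0, 0, 1, &chipcode, 0)` two lines above still ignores its return value, so when that control transfer fails the reset routine is chosen from whatever `chipcode` held (its declaration is outside the hunk). The device is untrusted USB hardware and this patch exists because it may not answer during bind, so the same early exit belongs there: `ret = asix_read_cmd(...); if (ret < 0) return ret;`. The failure is also logged with `netdev_dbg()` and names AX88772 for both chip variants, so by default a failed bind leaves no trace; `netdev_err()` with a chip-neutral message would make it visible.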
@@ -0,0 +1,41 @@
+From b140b79d7638c2d933f48dee2d5e3e30402a52f5 Mon Sep 17 00:00:00 2001
+From: Varun Prakash
+Date: Sat, 12 Jan 2019 22:14:30 +0530
+Subject: scsi: csiostor: fix NULL pointer dereference in
+ csio_vport_set_state()
+
+[ Upstream commit fe35a40e675473eb65f2f5462b82770f324b5689 ]
+
+Assign fc_vport to ln->fc_vport before calling csio_fcoe_alloc_vnp() to
+avoid a NULL pointer dereference in csio_vport_set_state().
+
+ln->fc_vport is dereferenced in csio_vport_set_state().
+
+Signed-off-by: Varun Prakash
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/csiostor/csio_attr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_attr.c b/drivers/scsi/csiostor/csio_attr.c
+index 2d1c4ebd40f91..6587f20cff1a1 100644
+--- a/drivers/scsi/csiostor/csio_attr.c
++++ b/drivers/scsi/csiostor/csio_attr.c
+@@ -582,12 +582,12 @@ csio_vport_create(struct fc_vport *fc_vport, bool disable)
+ }
+
+ fc_vport_set_state(fc_vport, FC_VPORT_INITIALIZING);
++ ln->fc_vport = fc_vport;
+
+ if (csio_fcoe_alloc_vnp(hw, ln))
+ goto error;
+
+ *(struct csio_lnode **)fc_vport->dd_data = ln;
+- ln->fc_vport = fc_vport;
+ if (!fc_vport->node_name)
+ fc_vport->node_name = wwn_to_u64(csio_ln_wwnn(ln));
+ if (!fc_vport->port_name)
+--
+2.19.1
+
diff --git a/queue-4.9/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch b/queue-4.9/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
new file mode 100644
index 00000000000..0b46e17496a
--- /dev/null
+++ b/queue-4.9/serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
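Review bot: The moved assignment `ln->fc_vport = fc_vport;` in `csio_vport_create()` now carries an ordering requirement that nothing in the code records: per the commit message it must come before `csio_fcoe_alloc_vnp()` because `csio_vport_set_state()` dereferences `ln->fc_vport`. A later tidy-up could move it back beside the `dd_data` assignment and reintroduce the NULL dereference. I would add `/* Must precede csio_fcoe_alloc_vnp(): csio_vport_set_state() dereferences ln->fc_vport */` above it. The `error:` path is outside the hunk, so it is worth confirming that leaving `ln->fc_vport` set when `csio_fcoe_alloc_vnp()` fails is harmless there.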
@@ -0,0 +1,34 @@
+From 883c417ee8888df416089f1136ea330bb9d15a41 Mon Sep 17 00:00:00 2001
+From: Tomonori Sakita
+Date: Mon, 21 Jan 2019 17:34:16 +0900
+Subject: serial: fsl_lpuart: fix maximum acceptable baud rate with
+ over-sampling
+
+[ Upstream commit 815d835b7ba46685c316b000013367dacb2b461b ]
+
+Using over-sampling ratio, lpuart can accept baud rate upto uartclk / 4.
+
+Signed-off-by: Tomonori Sakita
+Signed-off-by: Atsushi Nemoto
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/fsl_lpuart.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
+index 5c471c3481bdf..800996522fdc2 100644
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -1494,7 +1494,7 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios,
+ }
+
+ /* ask the core to calculate the divisor */
+- baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 16);
++ baud = uart_get_baud_rate(port, termios, old, 50, port->uartclk / 4);
+
+ spin_lock_irqsave(&sport->port.lock, flags);
+
+--
+2.19.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 408661a3d23..833c8f07526 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
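Review bot: Raising the ceiling passed to `uart_get_baud_rate()` from `port->uartclk / 16` to `port->uartclk / 4` in `lpuart32_set_termios()` is only correct if the divisor code that follows can select an over-sampling ratio below 16, and that code is outside the hunk. If this 4.9 tree still derives the divisor assuming a fixed 16x ratio, a requested rate between uartclk/16 and uartclk/4 would now be accepted rather than clamped and could compute a divisor of zero. The backport should be checked against the over-sampling support it relies on, and left out of this queue if that support is absent.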
@@ -2,3 +2,28 @@ revert-loop-fix-double-mutex_unlock-loop_ctl_mutex-in-loop_control_ioctl.patch
 revert-loop-get-rid-of-loop_index_mutex.patch
 revert-loop-fold-__loop_release-into-loop_release.patch
 scsi-libsas-fix-rphy-phy_identifier-for-phys-with-end-devices-attached.patch
+drm-msm-unblock-writer-if-reader-closes-file.patch
+asoc-intel-haswell-broadwell-fix-setting-for-.dynami.patch
+alsa-compress-prevent-potential-divide-by-zero-bugs.patch
+thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch
+usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch
+usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch
+usb-gadget-potential-null-dereference-on-allocation-.patch
+asoc-dapm-change-snprintf-to-scnprintf-for-possible-.patch
+asoc-imx-audmux-change-snprintf-to-scnprintf-for-pos.patch
+arc-fix-__ffs-return-value-to-avoid-build-warnings.patch
+drivers-thermal-int340x_thermal-fix-sysfs-race-condi.patch
+mac80211-fix-miscounting-of-ttl-dropped-frames.patch
+locking-rwsem-fix-possible-missed-wakeup.patch
+serial-fsl_lpuart-fix-maximum-acceptable-baud-rate-w.patch
+direct-io-allow-direct-writes-to-empty-inodes.patch
+scsi-csiostor-fix-null-pointer-dereference-in-csio_v.patch
+net-altera_tse-fix-connect_local_phy-error-path.patch
+sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch
+net-usb-asix-ax88772_bind-return-error-when-hw_reset.patch
+ibmveth-do-not-process-frames-after-calling-napi_res.patch
+mac80211-don-t-initiate-tdls-connection-if-station-i.patch
+mac80211-add-attribute-aligned-2-to-struct-action.patch
+cfg80211-extend-range-deviation-for-dmg.patch
+svm-fix-avic-incomplete-ipi-emulation.patch
+kvm-nsvm-clear-events-pending-from-svm_complete_inte.patch
diff --git a/queue-4.9/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch b/queue-4.9/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch
new file mode 100644
index 00000000000..5bb764e2ff2
--- /dev/null
+++ b/queue-4.9/sfc-suppress-duplicate-nvmem-partition-types-in-efx_.patch
@@ -0,0 +1,98 @@
+From c28505471f3a7566619d117d5224a896d4e03aaf Mon Sep 17 00:00:00 2001
+From: Edward Cree
+Date: Tue, 22 Jan 2019 19:02:17 +0000
+Subject: sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
+
+[ Upstream commit 3366463513f544c12c6b88c13da4462ee9e7a1a1 ]
+
+Use a bitmap to keep track of which partition types we've already seen;
+ for duplicates, return -EEXIST from efx_ef10_mtd_probe_partition() and
+ thus skip adding that partition.
+Duplicate partitions occur because of the A/B backup scheme used by newer
+ sfc NICs. Prior to this patch they cause sysfs_warn_dup errors because
+ they have the same name, causing us not to expose any MTDs at all.
+
+Signed-off-by: Edward Cree
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/sfc/ef10.c | 29 +++++++++++++++++++++--------
+ 1 file changed, 21 insertions(+), 8 deletions(-)
+
+diff --git a/drivers/net/ethernet/sfc/ef10.c b/drivers/net/ethernet/sfc/ef10.c
+index 3d5d5d54c1033..34e2256c93f46 100644
+--- a/drivers/net/ethernet/sfc/ef10.c
++++ b/drivers/net/ethernet/sfc/ef10.c
+@@ -5093,22 +5093,25 @@ static const struct efx_ef10_nvram_type_info efx_ef10_nvram_types[] = {
+ { NVRAM_PARTITION_TYPE_LICENSE, 0, 0, "sfc_license" },
+ { NVRAM_PARTITION_TYPE_PHY_MIN, 0xff, 0, "sfc_phy_fw" },
+ };
++#define EF10_NVRAM_PARTITION_COUNT ARRAY_SIZE(efx_ef10_nvram_types)
+
+ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ struct efx_mcdi_mtd_partition *part,
+- unsigned int type)
++ unsigned int type,
++ unsigned long *found)
+ {
+ MCDI_DECLARE_BUF(inbuf, MC_CMD_NVRAM_METADATA_IN_LEN);
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_METADATA_OUT_LENMAX);
+ const struct efx_ef10_nvram_type_info *info;
+ size_t size, erase_size, outlen;
++ int type_idx = 0;
+ bool protected;
+ int rc;
+
+- for (info = efx_ef10_nvram_types; ; info++) {
+- if (info ==
+- efx_ef10_nvram_types + ARRAY_SIZE(efx_ef10_nvram_types))
++ for (type_idx = 0; ; type_idx++) {
++ if (type_idx == EF10_NVRAM_PARTITION_COUNT)
+ return -ENODEV;
++ info = efx_ef10_nvram_types + type_idx;
+ if ((type & ~info->type_mask) == info->type)
+ break;
+ }
+@@ -5121,6 +5124,13 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ if (protected)
+ return -ENODEV; /* hide it */
+
++ /* If we've already exposed a partition of this type, hide this
++ * duplicate. All operations on MTDs are keyed by the type anyway,
++ * so we can't act on the duplicate.
++ */
++ if (__test_and_set_bit(type_idx, found))
++ return -EEXIST;
++
+ part->nvram_type = type;
+
+ MCDI_SET_DWORD(inbuf, NVRAM_METADATA_IN_TYPE, type);
+@@ -5149,6 +5159,7 @@ static int efx_ef10_mtd_probe_partition(struct efx_nic *efx,
+ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ {
+ MCDI_DECLARE_BUF(outbuf, MC_CMD_NVRAM_PARTITIONS_OUT_LENMAX);
++ DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT);
+ struct efx_mcdi_mtd_partition *parts;
+ size_t outlen, n_parts_total, i, n_parts;
+ unsigned int type;
+@@ -5177,11 +5188,13 @@ static int efx_ef10_mtd_probe(struct efx_nic *efx)
+ for (i = 0; i < n_parts_total; i++) {
+ type = MCDI_ARRAY_DWORD(outbuf, NVRAM_PARTITIONS_OUT_TYPE_ID,
+ i);
+- rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type);
+- if (rc == 0)
+- n_parts++;
+- else if (rc != -ENODEV)
++ rc = efx_ef10_mtd_probe_partition(efx, &parts[n_parts], type,
++ found);
++ if (rc == -EEXIST || rc == -ENODEV)
++ continue;
++ if (rc)
+ goto fail;
++ n_parts++;
+ }
+
+ rc = efx_mtd_add(efx, &parts[0].common, n_parts, sizeof(*parts));
+--
+2.19.1
+
diff --git a/queue-4.9/svm-fix-avic-incomplete-ipi-emulation.patch b/queue-4.9/svm-fix-avic-incomplete-ipi-emulation.patch
new file mode 100644
index 00000000000..7676bc88a9a
--- /dev/null
+++ b/queue-4.9/svm-fix-avic-incomplete-ipi-emulation.patch
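Review bot: `DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT);` in `efx_ef10_mtd_probe()` puts the bitmap on the stack with no initialiser, and no `bitmap_zero()` is visible in either hunk of that function before `found` is handed to `efx_ef10_mtd_probe_partition()`. `__test_and_set_bit(type_idx, found)` would then read stale stack contents, so a partition type can be reported as a duplicate (`-EEXIST`) the first time it is seen and silently left out of the exposed MTDs. Initialise it at the declaration: `DECLARE_BITMAP(found, EF10_NVRAM_PARTITION_COUNT) = { 0 };`. The lines of `efx_ef10_mtd_probe()` between the two hunks are not shown, so confirm nothing there already clears it.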
@@ -0,0 +1,58 @@
+From fcbe00c7276be22464570b598d42cbc108ff1d00 Mon Sep 17 00:00:00 2001
+From: Suravee Suthikulpanit
+Date: Tue, 22 Jan 2019 10:25:13 +0000
+Subject: svm: Fix AVIC incomplete IPI emulation
+
+[ Upstream commit bb218fbcfaaa3b115d4cd7a43c0ca164f3a96e57 ]
+
+In case of incomplete IPI with invalid interrupt type, the current
+SVM driver does not properly emulate the IPI, and fails to boot
+FreeBSD guests with multiple vcpus when enabling AVIC.
+
+Fix this by update APIC ICR high/low registers, which also
+emulate sending the IPI.
+
+Signed-off-by: Suravee Suthikulpanit
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+---
+ arch/x86/kvm/svm.c | 19 ++++---------------
+ 1 file changed, 4 insertions(+), 15 deletions(-)
+
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
+index c8efacf2e65f1..afc2bd03b4d9e 100644
+--- a/arch/x86/kvm/svm.c
++++ b/arch/x86/kvm/svm.c
+@@ -3932,25 +3932,14 @@ static int avic_incomplete_ipi_interception(struct vcpu_svm *svm)
+ kvm_lapic_reg_write(apic, APIC_ICR, icrl);
+ break;
+ case AVIC_IPI_FAILURE_TARGET_NOT_RUNNING: {
+- int i;
+- struct kvm_vcpu *vcpu;
+- struct kvm *kvm = svm->vcpu.kvm;
+ struct kvm_lapic *apic = svm->vcpu.arch.apic;
+
+ /*
+- * At this point, we expect that the AVIC HW has already
+- * set the appropriate IRR bits on the valid target
+- * vcpus. So, we just need to kick the appropriate vcpu.
++ * Update ICR high and low, then emulate sending IPI,
++ * which is handled when writing APIC_ICR.
+ */
+- kvm_for_each_vcpu(i, vcpu, kvm) {
+- bool m = kvm_apic_match_dest(vcpu, apic,
+- icrl & KVM_APIC_SHORT_MASK,
+- GET_APIC_DEST_FIELD(icrh),
+- icrl & KVM_APIC_DEST_MASK);
+-
+- if (m && !avic_vcpu_is_running(vcpu))
+- kvm_vcpu_wake_up(vcpu);
+- }
++ kvm_lapic_reg_write(apic, APIC_ICR2, icrh);
++ kvm_lapic_reg_write(apic, APIC_ICR, icrl);
+ break;
+ }
+ case AVIC_IPI_FAILURE_INVALID_TARGET:
+--
+2.19.1
+
diff --git a/queue-4.9/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch b/queue-4.9/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch
new file mode 100644
index 00000000000..46fb4b1e8bd
--- /dev/null
+++ b/queue-4.9/thermal-int340x_thermal-fix-a-null-vs-is_err-check.patch
@@ -0,0 +1,34 @@
+From 0dddda9c14789893c9c0515159cba3d674a1822b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 17 Dec 2018 10:02:42 +0300
+Subject: thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
+
+[ Upstream commit 3fe931b31a4078395c1967f0495dcc9e5ec6b5e3 ]
+
+The intel_soc_dts_iosf_init() function doesn't return NULL, it returns
+error pointers.
+
+Fixes: 4d0dd6c1576b ("Thermal/int340x/processor_thermal: Enable auxiliary DTS for Braswell")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/int340x_thermal/processor_thermal_device.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/thermal/int340x_thermal/processor_thermal_device.c b/drivers/thermal/int340x_thermal/processor_thermal_device.c
+index ff3b36f339e34..06d46e2ff337e 100644
+--- a/drivers/thermal/int340x_thermal/processor_thermal_device.c
++++ b/drivers/thermal/int340x_thermal/processor_thermal_device.c
+@@ -416,7 +416,7 @@ static int proc_thermal_pci_probe(struct pci_dev *pdev,
+ proc_priv->soc_dts = intel_soc_dts_iosf_init(
+ INTEL_SOC_DTS_INTERRUPT_MSI, 2, 0);
+
+- if (proc_priv->soc_dts && pdev->irq) {
++ if (!IS_ERR(proc_priv->soc_dts) && pdev->irq) {
+ ret = pci_enable_msi(pdev);
+ if (!ret) {
+ ret = request_threaded_irq(pdev->irq, NULL,
+--
+2.19.1
+
diff --git a/queue-4.9/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch b/queue-4.9/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch
new file mode 100644
index 00000000000..3f5a1cd429b
--- /dev/null
+++ b/queue-4.9/usb-dwc3-gadget-fix-the-uninitialized-link_state-whe.patch
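Review bot: After this change a failed `intel_soc_dts_iosf_init()` still leaves an error pointer stored in `proc_priv->soc_dts`; the new `!IS_ERR()` test in `proc_thermal_pci_probe()` only skips the MSI setup. Any other code that tests the field with a plain `if (proc_priv->soc_dts)` (the remove path is the likely candidate, outside this hunk) would treat the error pointer as a valid handle and pass it on. Normalising once at the call site closes that off: `if (IS_ERR(proc_priv->soc_dts)) proc_priv->soc_dts = NULL;` directly after the init call, after which a NULL test is correct everywhere. The rest of the probe function and the remove function are not visible here.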
@@ -0,0 +1,57 @@
+From 9d1cbb81f38c5e96e95060f89b14f9f450f62576 Mon Sep 17 00:00:00 2001
+From: Zeng Tao
+Date: Wed, 26 Dec 2018 19:22:00 +0800
+Subject: usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
+
+[ Upstream commit 88b1bb1f3b88e0bf20b05d543a53a5b99bd7ceb6 ]
+
+Currently the link_state is uninitialized and the default value is 0(U0)
+before the first time we start the udc, and after we start the udc then
+ stop the udc, the link_state will be undefined.
+We may have the following warnings if we start the udc again with
+an undefined link_state:
+
+WARNING: CPU: 0 PID: 327 at drivers/usb/dwc3/gadget.c:294 dwc3_send_gadget_ep_cmd+0x304/0x308
+dwc3 100e0000.hidwc3_0: wakeup failed --> -22
+[...]
+Call Trace:
+[] (unwind_backtrace) from [] (show_stack+0x10/0x14)
+[] (show_stack) from [] (dump_stack+0x84/0x98)
+[] (dump_stack) from [] (__warn+0xe8/0x100)
+[] (__warn) from [](warn_slowpath_fmt+0x38/0x48)
+[] (warn_slowpath_fmt) from [](dwc3_send_gadget_ep_cmd+0x304/0x308)
+[] (dwc3_send_gadget_ep_cmd) from [](dwc3_ep0_start_trans+0x48/0xf4)
+[] (dwc3_ep0_start_trans) from [](dwc3_ep0_out_start+0x64/0x80)
+[] (dwc3_ep0_out_start) from [](__dwc3_gadget_start+0x1e0/0x278)
+[] (__dwc3_gadget_start) from [](dwc3_gadget_start+0x88/0x10c)
+[] (dwc3_gadget_start) from [](udc_bind_to_driver+0x88/0xbc)
+[] (udc_bind_to_driver) from [](usb_gadget_probe_driver+0xf8/0x140)
+[] (usb_gadget_probe_driver) from [](gadget_dev_desc_UDC_store+0xac/0xc4 [libcomposite])
+[] (gadget_dev_desc_UDC_store [libcomposite]) from[] (configfs_write_file+0xd4/0x160)
+[] (configfs_write_file) from [] (__vfs_write+0x1c/0x114)
+[] (__vfs_write) from [] (vfs_write+0xa4/0x168)
+[] (vfs_write) from [] (SyS_write+0x3c/0x90)
+[] (SyS_write) from [] (ret_fast_syscall+0x0/0x3c)
+
+Signed-off-by: Zeng Tao
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/gadget.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index c481df18a5a1d..712bd450f8573 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1705,6 +1705,7 @@ static int __dwc3_gadget_start(struct dwc3 *dwc)
+
+ /* begin to receive SETUP packets */
+ dwc->ep0state = EP0_SETUP_PHASE;
++ dwc->link_state = DWC3_LINK_STATE_SS_DIS;
+ dwc3_ep0_out_start(dwc);
+
+ dwc3_gadget_enable_irq(dwc);
+--
+2.19.1
+
diff --git a/queue-4.9/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch b/queue-4.9/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch
new file mode 100644
index 00000000000..793e42043e2
--- /dev/null
+++ b/queue-4.9/usb-dwc3-gadget-synchronize_irq-dwc-irq-in-suspend.patch
@@ -0,0 +1,38 @@
+From da08d130afaa96cbc3d7b38903fb6f8f07b0005a Mon Sep 17 00:00:00 2001
+From: Bo He
+Date: Mon, 14 Jan 2019 09:48:32 +0200
+Subject: usb: dwc3: gadget: synchronize_irq dwc irq in suspend
+
+[ Upstream commit 01c10880d24291a96a4ab0da773e3c5ce4d12da8 ]
+
+We see dwc3 endpoint stopped by unwanted irq during
+suspend resume test, which is caused dwc3 ep can't be started
+with error "No Resource".
+
+Here, add synchronize_irq before suspend to sync the
+pending IRQ handlers complete.
+
+Signed-off-by: Bo He
+Signed-off-by: Yu Wang
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/gadget.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c
+index ed6b9bfe37595..c481df18a5a1d 100644
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -3096,6 +3096,8 @@ int dwc3_gadget_suspend(struct dwc3 *dwc)
+ dwc3_disconnect_gadget(dwc);
+ __dwc3_gadget_stop(dwc);
+
++ synchronize_irq(dwc->irq_gadget);
++
+ return 0;
+ }
+
+--
+2.19.1
+
diff --git a/queue-4.9/usb-gadget-potential-null-dereference-on-allocation-.patch b/queue-4.9/usb-gadget-potential-null-dereference-on-allocation-.patch
new file mode 100644
index 00000000000..0e0def008c5
--- /dev/null
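Review bot: The `synchronize_irq(dwc->irq_gadget)` added at the end of `dwc3_gadget_suspend()` waits for in-flight handlers and can sleep, so it must not be reached with a spinlock held or interrupts disabled. The function takes no lock in the lines shown, but its caller is outside the hunk; if the core suspend path in this tree invokes it under `dwc->lock`, this becomes a sleep-in-atomic bug on every suspend. Confirm the caller's context for the 4.9 backport, and if the lock is held there, issue the `synchronize_irq()` from the caller after the unlock instead.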
+++ b/queue-4.9/usb-gadget-potential-null-dereference-on-allocation-.patch
@@ -0,0 +1,37 @@
+From 79b96a16237201792375b1f11e7fb453c74d0aad Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Fri, 21 Dec 2018 23:42:52 +0300
+Subject: usb: gadget: Potential NULL dereference on allocation error
+
+[ Upstream commit df28169e1538e4a8bcd8b779b043e5aa6524545c ]
+
+The source_sink_alloc_func() function is supposed to return error
+pointers on error. The function is called from usb_get_function() which
+doesn't check for NULL returns so it would result in an Oops.
+
+Of course, in the current kernel, small allocations always succeed so
+this doesn't affect runtime.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_sourcesink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/function/f_sourcesink.c b/drivers/usb/gadget/function/f_sourcesink.c
+index 8784fa12ea2c6..6e9d958004a0d 100644
+--- a/drivers/usb/gadget/function/f_sourcesink.c
++++ b/drivers/usb/gadget/function/f_sourcesink.c
+@@ -842,7 +842,7 @@ static struct usb_function *source_sink_alloc_func(
+
+ ss = kzalloc(sizeof(*ss), GFP_KERNEL);
+ if (!ss)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ ss_opts = container_of(fi, struct f_ss_opts, func_inst);
+
+--
+2.19.1
+