From: Greg Kroah-Hartman Date: Fri, 21 Sep 2018 07:25:15 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.123~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b71495ab294706d312c1244341ad459c0e5274a4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: alsa-msnd-fix-the-default-sample-sizes.patch alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch fbdev-distinguish-between-interlaced-and-progressive-modes.patch fbdev-omapfb-off-by-one-in-omapfb_register_client.patch fbdev-via-fix-defined-but-not-used-warning.patch gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch gfs2-special-case-rindex-for-gfs2_grow.patch mac80211-restrict-delayed-tailroom-needed-decrement.patch mips-ath79-fix-system-restart.patch mtd-maps-fix-solutionengine.c-printk-format-warnings.patch perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch perf-powerpc-fix-callchain-ip-filtering.patch platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch powerpc-powernv-opal_put_chars-partial-write-fix.patch s390-qeth-fix-race-in-used-buffer-accounting.patch s390-qeth-reset-layer2-attribute-on-layer-switch.patch video-goldfishfb-fix-memory-leak-on-driver-remove.patch xfrm-fix-passing-zero-to-err_ptr-warning.patch --- diff --git a/queue-3.18/alsa-msnd-fix-the-default-sample-sizes.patch b/queue-3.18/alsa-msnd-fix-the-default-sample-sizes.patch new file mode 100644 index 00000000000..a8f16f665dd --- /dev/null +++ b/queue-3.18/alsa-msnd-fix-the-default-sample-sizes.patch @@ -0,0 +1,34 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:00:48 +0200 +Subject: ALSA: msnd: Fix the default sample sizes + +From: Takashi Iwai + +[ Upstream commit 7c500f9ea139d0c9b80fdea5a9c911db3166ea54 ] + +The default sample sizes set by msnd driver are bogus; it sets ALSA +PCM format, not the actual bit width. + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/isa/msnd/msnd_pinnacle.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/isa/msnd/msnd_pinnacle.c ++++ b/sound/isa/msnd/msnd_pinnacle.c +@@ -82,10 +82,10 @@ + + static void set_default_audio_parameters(struct snd_msnd *chip) + { +- chip->play_sample_size = DEFSAMPLESIZE; ++ chip->play_sample_size = snd_pcm_format_width(DEFSAMPLESIZE); + chip->play_sample_rate = DEFSAMPLERATE; + chip->play_channels = DEFCHANNELS; +- chip->capture_sample_size = DEFSAMPLESIZE; ++ chip->capture_sample_size = snd_pcm_format_width(DEFSAMPLESIZE); + chip->capture_sample_rate = DEFSAMPLERATE; + chip->capture_channels = DEFCHANNELS; + } diff --git a/queue-3.18/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch b/queue-3.18/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch new file mode 100644 index 00000000000..6cbbb4e37d2 --- /dev/null +++ b/queue-3.18/alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Takashi Iwai +Date: Wed, 25 Jul 2018 23:00:46 +0200 +Subject: ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro + +From: Takashi Iwai + +[ Upstream commit bd1cd0eb2ce9141100628d476ead4de485501b29 ] + +AU0828_DEVICE() macro in quirks-table.h uses USB_DEVICE_VENDOR_SPEC() +for expanding idVendor and idProduct fields. However, the latter +macro adds also match_flags and bInterfaceClass, which are different +from the values AU0828_DEVICE() macro sets after that. + +For fixing them, just expand idVendor and idProduct fields manually in +AU0828_DEVICE(). + +This fixes sparse warnings like: + sound/usb/quirks-table.h:2892:1: warning: Initializer entry defined twice + +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks-table.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/usb/quirks-table.h ++++ b/sound/usb/quirks-table.h +@@ -2910,7 +2910,8 @@ YAMAHA_DEVICE(0x7010, "UB99"), + */ + + #define AU0828_DEVICE(vid, pid, vname, pname) { \ +- USB_DEVICE_VENDOR_SPEC(vid, pid), \ ++ .idVendor = vid, \ ++ .idProduct = pid, \ + .match_flags = USB_DEVICE_ID_MATCH_DEVICE | \ + USB_DEVICE_ID_MATCH_INT_CLASS | \ + USB_DEVICE_ID_MATCH_INT_SUBCLASS, \ diff --git a/queue-3.18/fbdev-distinguish-between-interlaced-and-progressive-modes.patch b/queue-3.18/fbdev-distinguish-between-interlaced-and-progressive-modes.patch new file mode 100644 index 00000000000..40fdd14ae02 --- /dev/null +++ b/queue-3.18/fbdev-distinguish-between-interlaced-and-progressive-modes.patch @@ -0,0 +1,123 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Fredrik Noring +Date: Tue, 24 Jul 2018 19:11:24 +0200 +Subject: fbdev: Distinguish between interlaced and progressive modes + +From: Fredrik Noring + +[ Upstream commit 1ba0a59cea41ea05fda92daaf2a2958a2246b9cf ] + +I discovered the problem when developing a frame buffer driver for the +PlayStation 2 (not yet merged), using the following video modes for the +PlayStation 3 in drivers/video/fbdev/ps3fb.c: + + }, { + /* 1080if */ + "1080if", 50, 1920, 1080, 13468, 148, 484, 36, 4, 88, 5, + FB_SYNC_BROADCAST, FB_VMODE_INTERLACED + }, { + /* 1080pf */ + "1080pf", 50, 1920, 1080, 6734, 148, 484, 36, 4, 88, 5, + FB_SYNC_BROADCAST, FB_VMODE_NONINTERLACED + }, + +In ps3fb_probe, the mode_option module parameter is used with fb_find_mode +but it can only select the interlaced variant of 1920x1080 since the loop +matching the modes does not take the difference between interlaced and +progressive modes into account. + +In short, without the patch, progressive 1920x1080 cannot be chosen as a +mode_option parameter since fb_find_mode (falsely) thinks interlace is a +perfect match. + +Signed-off-by: Fredrik Noring +Cc: "Maciej W. Rozycki" +[b.zolnierkie: updated patch description] +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/core/modedb.c | 41 +++++++++++++++++++++++++++----------- + 1 file changed, 30 insertions(+), 11 deletions(-) + +--- a/drivers/video/fbdev/core/modedb.c ++++ b/drivers/video/fbdev/core/modedb.c +@@ -533,7 +533,7 @@ static int fb_try_mode(struct fb_var_scr + * + * Valid mode specifiers for @mode_option: + * +- * x[M][R][-][@][i][m] or ++ * x[M][R][-][@][i][p][m] or + * [-][@] + * + * with , , and decimal numbers and +@@ -542,10 +542,10 @@ static int fb_try_mode(struct fb_var_scr + * If 'M' is present after yres (and before refresh/bpp if present), + * the function will compute the timings using VESA(tm) Coordinated + * Video Timings (CVT). If 'R' is present after 'M', will compute with +- * reduced blanking (for flatpanels). If 'i' is present, compute +- * interlaced mode. If 'm' is present, add margins equal to 1.8% +- * of xres rounded down to 8 pixels, and 1.8% of yres. The char +- * 'i' and 'm' must be after 'M' and 'R'. Example: ++ * reduced blanking (for flatpanels). If 'i' or 'p' are present, compute ++ * interlaced or progressive mode. If 'm' is present, add margins equal ++ * to 1.8% of xres rounded down to 8 pixels, and 1.8% of yres. The chars ++ * 'i', 'p' and 'm' must be after 'M' and 'R'. Example: + * + * 1024x768MR-8@60m - Reduced blank with margins at 60Hz. + * +@@ -586,7 +586,8 @@ int fb_find_mode(struct fb_var_screeninf + unsigned int namelen = strlen(name); + int res_specified = 0, bpp_specified = 0, refresh_specified = 0; + unsigned int xres = 0, yres = 0, bpp = default_bpp, refresh = 0; +- int yres_specified = 0, cvt = 0, rb = 0, interlace = 0; ++ int yres_specified = 0, cvt = 0, rb = 0; ++ int interlace_specified = 0, interlace = 0; + int margins = 0; + u32 best, diff, tdiff; + +@@ -637,9 +638,17 @@ int fb_find_mode(struct fb_var_screeninf + if (!cvt) + margins = 1; + break; ++ case 'p': ++ if (!cvt) { ++ interlace = 0; ++ interlace_specified = 1; ++ } ++ break; + case 'i': +- if (!cvt) ++ if (!cvt) { + interlace = 1; ++ interlace_specified = 1; ++ } + break; + default: + goto done; +@@ -708,11 +717,21 @@ done: + if ((name_matches(db[i], name, namelen) || + (res_specified && res_matches(db[i], xres, yres))) && + !fb_try_mode(var, info, &db[i], bpp)) { +- if (refresh_specified && db[i].refresh == refresh) +- return 1; ++ const int db_interlace = (db[i].vmode & ++ FB_VMODE_INTERLACED ? 1 : 0); ++ int score = abs(db[i].refresh - refresh); ++ ++ if (interlace_specified) ++ score += abs(db_interlace - interlace); ++ ++ if (!interlace_specified || ++ db_interlace == interlace) ++ if (refresh_specified && ++ db[i].refresh == refresh) ++ return 1; + +- if (abs(db[i].refresh - refresh) < diff) { +- diff = abs(db[i].refresh - refresh); ++ if (score < diff) { ++ diff = score; + best = i; + } + } diff --git a/queue-3.18/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch b/queue-3.18/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch new file mode 100644 index 00000000000..5980f3f08d7 --- /dev/null +++ b/queue-3.18/fbdev-omapfb-off-by-one-in-omapfb_register_client.patch @@ -0,0 +1,33 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Dan Carpenter +Date: Tue, 24 Jul 2018 19:11:28 +0200 +Subject: fbdev: omapfb: off by one in omapfb_register_client() + +From: Dan Carpenter + +[ Upstream commit 5ec1ec35b2979b59d0b33381e7c9aac17e159d16 ] + +The omapfb_register_client[] array has OMAPFB_PLANE_NUM elements so the +> should be >= or we are one element beyond the end of the array. + +Fixes: 8b08cf2b64f5 ("OMAP: add TI OMAP framebuffer driver") +Signed-off-by: Dan Carpenter +Cc: Imre Deak +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/omap/omapfb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/video/fbdev/omap/omapfb_main.c ++++ b/drivers/video/fbdev/omap/omapfb_main.c +@@ -982,7 +982,7 @@ int omapfb_register_client(struct omapfb + { + int r; + +- if ((unsigned)omapfb_nb->plane_idx > OMAPFB_PLANE_NUM) ++ if ((unsigned)omapfb_nb->plane_idx >= OMAPFB_PLANE_NUM) + return -EINVAL; + + if (!notifier_inited) { diff --git a/queue-3.18/fbdev-via-fix-defined-but-not-used-warning.patch b/queue-3.18/fbdev-via-fix-defined-but-not-used-warning.patch new file mode 100644 index 00000000000..86348c9f74a --- /dev/null +++ b/queue-3.18/fbdev-via-fix-defined-but-not-used-warning.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Randy Dunlap +Date: Tue, 24 Jul 2018 19:11:27 +0200 +Subject: fbdev/via: fix defined but not used warning + +From: Randy Dunlap + +[ Upstream commit b6566b47a67e07fdca44cf51abb14e2fbe17d3eb ] + +Fix a build warning in viafbdev.c when CONFIG_PROC_FS is not enabled +by marking the unused function as __maybe_unused. + +../drivers/video/fbdev/via/viafbdev.c:1471:12: warning: 'viafb_sup_odev_proc_show' defined but not used [-Wunused-function] + +Signed-off-by: Randy Dunlap +Cc: Florian Tobias Schandinat +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/via/viafbdev.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/via/viafbdev.c ++++ b/drivers/video/fbdev/via/viafbdev.c +@@ -19,6 +19,7 @@ + * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + ++#include + #include + #include + #include +@@ -1468,7 +1469,7 @@ static const struct file_operations viaf + + #endif /* CONFIG_FB_VIA_DIRECT_PROCFS */ + +-static int viafb_sup_odev_proc_show(struct seq_file *m, void *v) ++static int __maybe_unused viafb_sup_odev_proc_show(struct seq_file *m, void *v) + { + via_odev_to_seq(m, supported_odev_map[ + viaparinfo->shared->chip_info.gfx_chip_name]); diff --git a/queue-3.18/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch b/queue-3.18/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch new file mode 100644 index 00000000000..2b20e7870a2 --- /dev/null +++ b/queue-3.18/gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch @@ -0,0 +1,42 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Bob Peterson +Date: Mon, 18 Jun 2018 13:24:13 -0500 +Subject: gfs2: Don't reject a supposedly full bitmap if we have blocks reserved + +From: Bob Peterson + +[ Upstream commit e79e0e1428188b24c3b57309ffa54a33c4ae40c4 ] + +Before this patch, you could get into situations like this: + +1. Process 1 searches for X free blocks, finds them, makes a reservation +2. Process 2 searches for free blocks in the same rgrp, but now the + bitmap is full because process 1's reservation is skipped over. + So it marks the bitmap as GBF_FULL. +3. Process 1 tries to allocate blocks from its own reservation, but + since the GBF_FULL bit is set, it skips over the rgrp and searches + elsewhere, thus not using its own reservation. + +This patch adds an additional check to allow processes to use their +own reservations. + +Signed-off-by: Bob Peterson +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/rgrp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/gfs2/rgrp.c ++++ b/fs/gfs2/rgrp.c +@@ -1643,7 +1643,8 @@ static int gfs2_rbm_find(struct gfs2_rbm + + while(1) { + bi = rbm_bi(rbm); +- if (test_bit(GBF_FULL, &bi->bi_flags) && ++ if ((ip == NULL || !gfs2_rs_active(&ip->i_res)) && ++ test_bit(GBF_FULL, &bi->bi_flags) && + (state == GFS2_BLKST_FREE)) + goto next_bitmap; + diff --git a/queue-3.18/gfs2-special-case-rindex-for-gfs2_grow.patch b/queue-3.18/gfs2-special-case-rindex-for-gfs2_grow.patch new file mode 100644 index 00000000000..0d61eb35bba --- /dev/null +++ b/queue-3.18/gfs2-special-case-rindex-for-gfs2_grow.patch @@ -0,0 +1,48 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Andreas Gruenbacher +Date: Wed, 25 Jul 2018 18:45:08 +0100 +Subject: gfs2: Special-case rindex for gfs2_grow + +From: Andreas Gruenbacher + +[ Upstream commit 776125785a87ff05d49938bd5b9f336f2a05bff6 ] + +To speed up the common case of appending to a file, +gfs2_write_alloc_required presumes that writing beyond the end of a file +will always require additional blocks to be allocated. This assumption +is incorrect for preallocates files, but there are no negative +consequences as long as *some* space is still left on the filesystem. + +One special file that always has some space preallocated beyond the end +of the file is the rindex: when growing a filesystem, gfs2_grow adds one +or more new resource groups and appends records describing those +resource groups to the rindex; the preallocated space ensures that this +is always possible. + +However, when a filesystem is completely full, gfs2_write_alloc_required +will indicate that an additional allocation is required, and appending +the next record to the rindex will fail even though space for that +record has already been preallocated. To fix that, skip the incorrect +optimization in gfs2_write_alloc_required, but for the rindex only. +Other writes to preallocated space beyond the end of the file are still +allowed to fail on completely full filesystems. + +Signed-off-by: Andreas Gruenbacher +Reviewed-by: Bob Peterson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/gfs2/bmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/bmap.c ++++ b/fs/gfs2/bmap.c +@@ -1476,7 +1476,7 @@ int gfs2_write_alloc_required(struct gfs + end_of_file = (i_size_read(&ip->i_inode) + sdp->sd_sb.sb_bsize - 1) >> shift; + lblock = offset >> shift; + lblock_stop = (offset + len + sdp->sd_sb.sb_bsize - 1) >> shift; +- if (lblock_stop > end_of_file) ++ if (lblock_stop > end_of_file && ip != GFS2_I(sdp->sd_rindex)) + return 1; + + size = (lblock_stop - lblock) << shift; diff --git a/queue-3.18/mac80211-restrict-delayed-tailroom-needed-decrement.patch b/queue-3.18/mac80211-restrict-delayed-tailroom-needed-decrement.patch new file mode 100644 index 00000000000..b8a66ca2ae4 --- /dev/null +++ b/queue-3.18/mac80211-restrict-delayed-tailroom-needed-decrement.patch @@ -0,0 +1,138 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Manikanta Pubbisetty +Date: Tue, 10 Jul 2018 16:48:27 +0530 +Subject: mac80211: restrict delayed tailroom needed decrement + +From: Manikanta Pubbisetty + +[ Upstream commit 133bf90dbb8b873286f8ec2e81ba26e863114b8c ] + +As explained in ieee80211_delayed_tailroom_dec(), during roam, +keys of the old AP will be destroyed and new keys will be +installed. Deletion of the old key causes +crypto_tx_tailroom_needed_cnt to go from 1 to 0 and the new key +installation causes a transition from 0 to 1. + +Whenever crypto_tx_tailroom_needed_cnt transitions from 0 to 1, +we invoke synchronize_net(); the reason for doing this is to avoid +a race in the TX path as explained in increment_tailroom_need_count(). +This synchronize_net() operation can be slow and can affect the station +roam time. To avoid this, decrementing the crypto_tx_tailroom_needed_cnt +is delayed for a while so that upon installation of new key the +transition would be from 1 to 2 instead of 0 to 1 and thereby +improving the roam time. + +This is all correct for a STA iftype, but deferring the tailroom_needed +decrement for other iftypes may be unnecessary. + +For example, let's consider the case of a 4-addr client connecting to +an AP for which AP_VLAN interface is also created, let the initial +value for tailroom_needed on the AP be 1. + +* 4-addr client connects to the AP (AP: tailroom_needed = 1) +* AP will clear old keys, delay decrement of tailroom_needed count +* AP_VLAN is created, it takes the tailroom count from master + (AP_VLAN: tailroom_needed = 1, AP: tailroom_needed = 1) +* Install new key for the station, assume key is plumbed in the HW, + there won't be any change in tailroom_needed count on AP iface +* Delayed decrement of tailroom_needed count on AP + (AP: tailroom_needed = 0, AP_VLAN: tailroom_needed = 1) + +Because of the delayed decrement on AP iface, tailroom_needed count goes +out of sync between AP(master iface) and AP_VLAN(slave iface) and +there would be unnecessary tailroom created for the packets going +through AP_VLAN iface. + +Also, WARN_ONs were observed while trying to bring down the AP_VLAN +interface: +(warn_slowpath_common) (warn_slowpath_null+0x18/0x20) +(warn_slowpath_null) (ieee80211_free_keys+0x114/0x1e4) +(ieee80211_free_keys) (ieee80211_del_virtual_monitor+0x51c/0x850) +(ieee80211_del_virtual_monitor) (ieee80211_stop+0x30/0x3c) +(ieee80211_stop) (__dev_close_many+0x94/0xb8) +(__dev_close_many) (dev_close_many+0x5c/0xc8) + +Restricting delayed decrement to station interface alone fixes the problem +and it makes sense to do so because delayed decrement is done to improve +roam time which is applicable only for client devices. + +Signed-off-by: Manikanta Pubbisetty +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 2 +- + net/mac80211/key.c | 24 +++++++++++++++--------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -276,7 +276,7 @@ static int ieee80211_del_key(struct wiph + goto out_unlock; + } + +- ieee80211_key_free(key, true); ++ ieee80211_key_free(key, sdata->vif.type == NL80211_IFTYPE_STATION); + + ret = 0; + out_unlock: +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -515,11 +515,15 @@ int ieee80211_key_link(struct ieee80211_ + { + struct ieee80211_local *local = sdata->local; + struct ieee80211_key *old_key; +- int idx, ret; +- bool pairwise; +- +- pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; +- idx = key->conf.keyidx; ++ int idx = key->conf.keyidx; ++ bool pairwise = key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE; ++ /* ++ * We want to delay tailroom updates only for station - in that ++ * case it helps roaming speed, but in other cases it hurts and ++ * can cause warnings to appear. ++ */ ++ bool delay_tailroom = sdata->vif.type == NL80211_IFTYPE_STATION; ++ int ret; + + mutex_lock(&sdata->local->key_mtx); + +@@ -547,14 +551,14 @@ int ieee80211_key_link(struct ieee80211_ + increment_tailroom_need_count(sdata); + + ieee80211_key_replace(sdata, sta, pairwise, old_key, key); +- ieee80211_key_destroy(old_key, true); ++ ieee80211_key_destroy(old_key, delay_tailroom); + + ieee80211_debugfs_key_add(key); + + if (!local->wowlan) { + ret = ieee80211_key_enable_hw_accel(key); + if (ret) +- ieee80211_key_free(key, true); ++ ieee80211_key_free(key, delay_tailroom); + } else { + ret = 0; + } +@@ -705,7 +709,8 @@ void ieee80211_free_sta_keys(struct ieee + ieee80211_key_replace(key->sdata, key->sta, + key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE, + key, NULL); +- __ieee80211_key_destroy(key, true); ++ __ieee80211_key_destroy(key, key->sdata->vif.type == ++ NL80211_IFTYPE_STATION); + } + + for (i = 0; i < NUM_DEFAULT_KEYS; i++) { +@@ -715,7 +720,8 @@ void ieee80211_free_sta_keys(struct ieee + ieee80211_key_replace(key->sdata, key->sta, + key->conf.flags & IEEE80211_KEY_FLAG_PAIRWISE, + key, NULL); +- __ieee80211_key_destroy(key, true); ++ __ieee80211_key_destroy(key, key->sdata->vif.type == ++ NL80211_IFTYPE_STATION); + } + + mutex_unlock(&local->key_mtx); diff --git a/queue-3.18/mips-ath79-fix-system-restart.patch b/queue-3.18/mips-ath79-fix-system-restart.patch new file mode 100644 index 00000000000..235d8d0a64b --- /dev/null +++ b/queue-3.18/mips-ath79-fix-system-restart.patch @@ -0,0 +1,46 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Felix Fietkau +Date: Fri, 20 Jul 2018 13:58:22 +0200 +Subject: MIPS: ath79: fix system restart + +From: Felix Fietkau + +[ Upstream commit f8a7bfe1cb2c1ebfa07775c9c8ac0ad3ba8e5ff5 ] + +This patch disables irq on reboot to fix hang issues that were observed +due to pending interrupts. + +Signed-off-by: Felix Fietkau +Signed-off-by: John Crispin +Signed-off-by: Paul Burton +Patchwork: https://patchwork.linux-mips.org/patch/19913/ +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/ath79/setup.c | 1 + + arch/mips/include/asm/mach-ath79/ath79.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/arch/mips/ath79/setup.c ++++ b/arch/mips/ath79/setup.c +@@ -40,6 +40,7 @@ static char ath79_sys_type[ATH79_SYS_TYP + + static void ath79_restart(char *command) + { ++ local_irq_disable(); + ath79_device_reset_set(AR71XX_RESET_FULL_CHIP); + for (;;) + if (cpu_wait) +--- a/arch/mips/include/asm/mach-ath79/ath79.h ++++ b/arch/mips/include/asm/mach-ath79/ath79.h +@@ -132,6 +132,7 @@ static inline u32 ath79_pll_rr(unsigned + static inline void ath79_reset_wr(unsigned reg, u32 val) + { + __raw_writel(val, ath79_reset_base + reg); ++ (void) __raw_readl(ath79_reset_base + reg); /* flush */ + } + + static inline u32 ath79_reset_rr(unsigned reg) diff --git a/queue-3.18/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch b/queue-3.18/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch new file mode 100644 index 00000000000..967176a6ad9 --- /dev/null +++ b/queue-3.18/mtd-maps-fix-solutionengine.c-printk-format-warnings.patch @@ -0,0 +1,60 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Randy Dunlap +Date: Tue, 24 Jul 2018 11:29:01 -0700 +Subject: mtd/maps: fix solutionengine.c printk format warnings + +From: Randy Dunlap + +[ Upstream commit 1d25e3eeed1d987404e2d2e451eebac8c15cecc1 ] + +Fix 2 printk format warnings (this driver is currently only used by +arch/sh/) by using "%pap" instead of "%lx". + +Fixes these build warnings: + +../drivers/mtd/maps/solutionengine.c: In function 'init_soleng_maps': +../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 2 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=] +../drivers/mtd/maps/solutionengine.c:62:54: note: format string is defined here + printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", + ~~~~^ + %08x +../include/linux/kern_levels.h:5:18: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'resource_size_t' {aka 'unsigned int'} [-Wformat=] +../drivers/mtd/maps/solutionengine.c:62:72: note: format string is defined here + printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", + ~~~~^ + %08x + +Cc: David Woodhouse +Cc: Brian Norris +Cc: Boris Brezillon +Cc: Marek Vasut +Cc: Richard Weinberger +Cc: linux-mtd@lists.infradead.org +Cc: Yoshinori Sato +Cc: Rich Felker +Cc: linux-sh@vger.kernel.org +Cc: Sergei Shtylyov + +Signed-off-by: Randy Dunlap +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/maps/solutionengine.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/maps/solutionengine.c ++++ b/drivers/mtd/maps/solutionengine.c +@@ -59,9 +59,9 @@ static int __init init_soleng_maps(void) + return -ENXIO; + } + } +- printk(KERN_NOTICE "Solution Engine: Flash at 0x%08lx, EPROM at 0x%08lx\n", +- soleng_flash_map.phys & 0x1fffffff, +- soleng_eprom_map.phys & 0x1fffffff); ++ printk(KERN_NOTICE "Solution Engine: Flash at 0x%pap, EPROM at 0x%pap\n", ++ &soleng_flash_map.phys, ++ &soleng_eprom_map.phys); + flash_mtd->owner = THIS_MODULE; + + eprom_mtd = do_map_probe("map_rom", &soleng_eprom_map); diff --git a/queue-3.18/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch b/queue-3.18/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch new file mode 100644 index 00000000000..5460df91596 --- /dev/null +++ b/queue-3.18/perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch @@ -0,0 +1,113 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Sandipan Das +Date: Tue, 10 Jul 2018 19:28:14 +0530 +Subject: perf powerpc: Fix callchain ip filtering when return address is in a register + +From: Sandipan Das + +[ Upstream commit 9068533e4f470daf2b0f29c71d865990acd8826e ] + +For powerpc64, perf will filter out the second entry in the callchain, +i.e. the LR value, if the return address of the function corresponding +to the probed location has already been saved on its caller's stack. + +The state of the return address is determined using debug information. +At any point within a function, if the return address is already saved +somewhere, a DWARF expression can tell us about its location. If the +return address in still in LR only, no DWARF expression would exist. + +Typically, the instructions in a function's prologue first copy the LR +value to R0 and then pushes R0 on to the stack. If LR has already been +copied to R0 but R0 is yet to be pushed to the stack, we can still get a +DWARF expression that says that the return address is in R0. This is +indicating that getting a DWARF expression for the return address does +not guarantee the fact that it has already been saved on the stack. + +This can be observed on a powerpc64le system running Fedora 27 as shown +below. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000015af20 : + 15af20: 0b 00 4c 3c addis r2,r12,11 + 15af24: e0 c1 42 38 addi r2,r2,-15904 + 15af28: a6 02 08 7c mflr r0 + 15af2c: f0 ff c1 fb std r30,-16(r1) + 15af30: f8 ff e1 fb std r31,-8(r1) + 15af34: 78 1b 7f 7c mr r31,r3 + 15af38: 78 23 83 7c mr r3,r4 + 15af3c: 78 2b be 7c mr r30,r5 + 15af40: 10 00 01 f8 std r0,16(r1) + 15af44: c1 ff 21 f8 stdu r1,-64(r1) + 15af48: 28 00 81 f8 std r4,40(r1) + ... + + # readelf --debug-dump=frames-interp /usr/lib64/libc-2.26.so | less + ... + 00027024 0000000000000024 00027028 FDE cie=00000000 pc=000000000015af20..000000000015af88 + LOC CFA r30 r31 ra + 000000000015af20 r1+0 u u u + 000000000015af34 r1+0 c-16 c-8 r0 + 000000000015af48 r1+64 c-16 c-8 c+16 + 000000000015af5c r1+0 c-16 c-8 c+16 + 000000000015af78 r1+0 u u + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x18 + # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1 + # perf script + +Before: + + ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) + 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) + 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 12f152d70 _init+0xbfc (/usr/bin/ping) + 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + ping 2829 [005] 512917.460174: probe_libc:inet_pton: (7fff7e2baf38) + 7fff7e2baf38 __GI___inet_pton+0x18 (/usr/lib64/libc-2.26.so) + 7fff7e26fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so) + 7fff7e2705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 12f152d70 _init+0xbfc (/usr/bin/ping) + 7fff7e1836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fff7e183898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Reported-by: Ravi Bangoria +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Maynard Johnson +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Sukadev Bhattiprolu +Link: http://lkml.kernel.org/r/66e848a7bdf2d43b39210a705ff6d828a0865661.1530724939.git.sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/skip-callchain-idx.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c ++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c +@@ -58,9 +58,13 @@ static int check_return_reg(int ra_regno + } + + /* +- * Check if return address is on the stack. ++ * Check if return address is on the stack. If return address ++ * is in a register (typically R0), it is yet to be saved on ++ * the stack. + */ +- if (nops != 0 || ops != NULL) ++ if ((nops != 0 || ops != NULL) && ++ !(nops == 1 && ops[0].atom == DW_OP_regx && ++ ops[0].number2 == 0 && ops[0].offset == 0)) + return 0; + + /* diff --git a/queue-3.18/perf-powerpc-fix-callchain-ip-filtering.patch b/queue-3.18/perf-powerpc-fix-callchain-ip-filtering.patch new file mode 100644 index 00000000000..dc485c71bdf --- /dev/null +++ b/queue-3.18/perf-powerpc-fix-callchain-ip-filtering.patch @@ -0,0 +1,180 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Sandipan Das +Date: Tue, 10 Jul 2018 19:28:13 +0530 +Subject: perf powerpc: Fix callchain ip filtering + +From: Sandipan Das + +[ Upstream commit c715fcfda5a08edabaa15508742be926b7ee51db ] + +For powerpc64, redundant entries in the callchain are filtered out by +determining the state of the return address and the stack frame using +DWARF debug information. + +For making these filtering decisions we must analyze the debug +information for the location corresponding to the program counter value, +i.e. the first entry in the callchain, and not the LR value; otherwise, +perf may filter out either the second or the third entry in the +callchain incorrectly. + +This can be observed on a powerpc64le system running Fedora 27 as shown +below. + +Case 1 - Attaching a probe at inet_pton+0x8 (binary offset 0x15af28). + Return address is still in LR and a new stack frame is not yet + allocated. The LR value, i.e. the second entry, should not be + filtered out. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000010eb10 : + ... + 10fa48: 78 bb e4 7e mr r4,r23 + 10fa4c: 0a 00 60 38 li r3,10 + 10fa50: d9 b4 04 48 bl 15af28 + 10fa54: 00 00 00 60 nop + 10fa58: ac f4 ff 4b b 10ef04 + ... + 0000000000110450 : + ... + 1105a8: 54 00 ff 38 addi r7,r31,84 + 1105ac: 58 00 df 38 addi r6,r31,88 + 1105b0: 69 e5 ff 4b bl 10eb18 + 1105b4: 78 1b 71 7c mr r17,r3 + 1105b8: 50 01 7f e8 ld r3,336(r31) + ... + 000000000015af20 : + 15af20: 0b 00 4c 3c addis r2,r12,11 + 15af24: e0 c1 42 38 addi r2,r2,-15904 + 15af28: a6 02 08 7c mflr r0 + 15af2c: f0 ff c1 fb std r30,-16(r1) + 15af30: f8 ff e1 fb std r31,-8(r1) + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a inet_pton+0x8 + # perf record -e probe_libc:inet_pton -g ping -6 -c 1 ::1 + # perf script + +Before: + + ping 4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28) + 7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so) + 7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 13fb52d70 _init+0xbfc (/usr/bin/ping) + 7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + ping 4507 [002] 514985.546540: probe_libc:inet_pton: (7fffa7dbaf28) + 7fffa7dbaf28 __GI___inet_pton+0x8 (/usr/lib64/libc-2.26.so) + 7fffa7d6fa54 gaih_inet.constprop.7+0xf44 (/usr/lib64/libc-2.26.so) + 7fffa7d705b4 getaddrinfo+0x164 (/usr/lib64/libc-2.26.so) + 13fb52d70 _init+0xbfc (/usr/bin/ping) + 7fffa7c836a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa7c83898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Case 2 - Attaching a probe at _int_malloc+0x180 (binary offset 0x9cf10). + Return address in still in LR and a new stack frame has already + been allocated but not used. The caller's caller, i.e. the third + entry, is invalid and should be filtered out and not the second + one. + + # objdump -d /usr/lib64/libc-2.26.so | less + ... + 000000000009cd90 <_int_malloc>: + 9cd90: 17 00 4c 3c addis r2,r12,23 + 9cd94: 70 a3 42 38 addi r2,r2,-23696 + 9cd98: 26 00 80 7d mfcr r12 + 9cd9c: f8 ff e1 fb std r31,-8(r1) + 9cda0: 17 00 e4 3b addi r31,r4,23 + 9cda4: d8 ff 61 fb std r27,-40(r1) + 9cda8: 78 23 9b 7c mr r27,r4 + 9cdac: 1f 00 bf 2b cmpldi cr7,r31,31 + 9cdb0: f0 ff c1 fb std r30,-16(r1) + 9cdb4: b0 ff c1 fa std r22,-80(r1) + 9cdb8: 78 1b 7e 7c mr r30,r3 + 9cdbc: 08 00 81 91 stw r12,8(r1) + 9cdc0: 11 ff 21 f8 stdu r1,-240(r1) + 9cdc4: 4c 01 9d 41 bgt cr7,9cf10 <_int_malloc+0x180> + 9cdc8: 20 00 a4 2b cmpldi cr7,r4,32 + ... + 9cf08: 00 00 00 60 nop + 9cf0c: 00 00 42 60 ori r2,r2,0 + 9cf10: e4 06 ff 7b rldicr r31,r31,0,59 + 9cf14: 40 f8 a4 7f cmpld cr7,r4,r31 + 9cf18: 68 05 9d 41 bgt cr7,9d480 <_int_malloc+0x6f0> + ... + 000000000009e3c0 : + ... + 9e420: 40 02 80 38 li r4,576 + 9e424: 78 fb e3 7f mr r3,r31 + 9e428: 71 e9 ff 4b bl 9cd98 <_int_malloc+0x8> + 9e42c: 00 00 a3 2f cmpdi cr7,r3,0 + 9e430: 78 1b 7e 7c mr r30,r3 + ... + 000000000009f7a0 <__libc_malloc>: + ... + 9f8f8: 00 00 89 2f cmpwi cr7,r9,0 + 9f8fc: 1c ff 9e 40 bne cr7,9f818 <__libc_malloc+0x78> + 9f900: c9 ea ff 4b bl 9e3c8 + 9f904: 00 00 00 60 nop + 9f908: e8 90 22 e9 ld r9,-28440(r2) + ... + + # perf probe -x /usr/lib64/libc-2.26.so -a _int_malloc+0x180 + # perf record -e probe_libc:_int_malloc -g ./test-malloc + # perf script + +Before: + + test-malloc 6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10) + 7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so) + 7fffa6dd0000 [unknown] (/usr/lib64/libc-2.26.so) + 7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so) + 7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so) + 100006b4 main+0x38 (/home/testuser/test-malloc) + 7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +After: + + test-malloc 6554 [009] 515975.797403: probe_libc:_int_malloc: (7fffa6e6cf10) + 7fffa6e6cf10 _int_malloc+0x180 (/usr/lib64/libc-2.26.so) + 7fffa6e6e42c tcache_init.part.4+0x6c (/usr/lib64/libc-2.26.so) + 7fffa6e6f904 malloc+0x164 (/usr/lib64/libc-2.26.so) + 7fffa6e6f9fc malloc+0x25c (/usr/lib64/libc-2.26.so) + 100006b4 main+0x38 (/home/sandipan/test-malloc) + 7fffa6df36a0 generic_start_main.isra.0+0x140 (/usr/lib64/libc-2.26.so) + 7fffa6df3898 __libc_start_main+0xb8 (/usr/lib64/libc-2.26.so) + 0 [unknown] ([unknown]) + +Signed-off-by: Sandipan Das +Cc: Jiri Olsa +Cc: Maynard Johnson +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Sukadev Bhattiprolu +Fixes: a60335ba3298 ("perf tools powerpc: Adjust callchain based on DWARF debug info") +Link: http://lkml.kernel.org/r/24bb726d91ed173aebc972ec3f41a2ef2249434e.1530724939.git.sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/arch/powerpc/util/skip-callchain-idx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/arch/powerpc/util/skip-callchain-idx.c ++++ b/tools/perf/arch/powerpc/util/skip-callchain-idx.c +@@ -237,7 +237,7 @@ int arch_skip_callchain_idx(struct machi + if (!chain || chain->nr < 3) + return skip_slot; + +- ip = chain->ips[2]; ++ ip = chain->ips[1]; + + thread__find_addr_location(thread, machine, PERF_RECORD_MISC_USER, + MAP__FUNCTION, ip, &al); diff --git a/queue-3.18/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch b/queue-3.18/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch new file mode 100644 index 00000000000..f0e6af17e43 --- /dev/null +++ b/queue-3.18/platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch @@ -0,0 +1,44 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Randy Dunlap +Date: Fri, 6 Jul 2018 20:53:09 -0700 +Subject: platform/x86: toshiba_acpi: Fix defined but not used build warnings + +From: Randy Dunlap + +[ Upstream commit c2e2a618eb7104e18fdcf739d4d911563812a81c ] + +Fix a build warning in toshiba_acpi.c when CONFIG_PROC_FS is not enabled +by marking the unused function as __maybe_unused. + +../drivers/platform/x86/toshiba_acpi.c:1685:12: warning: 'version_proc_show' defined but not used [-Wunused-function] + +Signed-off-by: Randy Dunlap +Cc: Azael Avalos +Cc: platform-driver-x86@vger.kernel.org +Cc: Andy Shevchenko +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/toshiba_acpi.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -41,6 +41,7 @@ + #define TOSHIBA_ACPI_VERSION "0.20" + #define PROC_INTERFACE_VERSION 1 + ++#include + #include + #include + #include +@@ -1233,7 +1234,7 @@ static const struct file_operations keys + .write = keys_proc_write, + }; + +-static int version_proc_show(struct seq_file *m, void *v) ++static int __maybe_unused version_proc_show(struct seq_file *m, void *v) + { + seq_printf(m, "driver: %s\n", TOSHIBA_ACPI_VERSION); + seq_printf(m, "proc_interface: %d\n", PROC_INTERFACE_VERSION); diff --git a/queue-3.18/powerpc-powernv-opal_put_chars-partial-write-fix.patch b/queue-3.18/powerpc-powernv-opal_put_chars-partial-write-fix.patch new file mode 100644 index 00000000000..0c08975a891 --- /dev/null +++ b/queue-3.18/powerpc-powernv-opal_put_chars-partial-write-fix.patch @@ -0,0 +1,38 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Nicholas Piggin +Date: Tue, 1 May 2018 00:55:44 +1000 +Subject: powerpc/powernv: opal_put_chars partial write fix + +From: Nicholas Piggin + +[ Upstream commit bd90284cc6c1c9e8e48c8eadd0c79574fcce0b81 ] + +The intention here is to consume and discard the remaining buffer +upon error. This works if there has not been a previous partial write. +If there has been, then total_len is no longer total number of bytes +to copy. total_len is always "bytes left to copy", so it should be +added to written bytes. + +This code may not be exercised any more if partial writes will not be +hit, but this is a small bugfix before a larger change. + +Reviewed-by: Benjamin Herrenschmidt +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/opal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/opal.c ++++ b/arch/powerpc/platforms/powernv/opal.c +@@ -452,7 +452,7 @@ int opal_put_chars(uint32_t vtermno, con + /* Closed or other error drop */ + if (rc != OPAL_SUCCESS && rc != OPAL_BUSY && + rc != OPAL_BUSY_EVENT) { +- written = total_len; ++ written += total_len; + break; + } + if (rc == OPAL_SUCCESS) { diff --git a/queue-3.18/s390-qeth-fix-race-in-used-buffer-accounting.patch b/queue-3.18/s390-qeth-fix-race-in-used-buffer-accounting.patch new file mode 100644 index 00000000000..090ff1691e5 --- /dev/null +++ b/queue-3.18/s390-qeth-fix-race-in-used-buffer-accounting.patch @@ -0,0 +1,40 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Jul 2018 12:43:48 +0200 +Subject: s390/qeth: fix race in used-buffer accounting + +From: Julian Wiedmann + +[ Upstream commit a702349a4099cd5a7bab0904689d8e0bf8dcd622 ] + +By updating q->used_buffers only _after_ do_QDIO() has completed, there +is a potential race against the buffer's TX completion. In the unlikely +case that the TX completion path wins, qeth_qdio_output_handler() would +decrement the counter before qeth_flush_buffers() even incremented it. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/s390/net/qeth_core_main.c ++++ b/drivers/s390/net/qeth_core_main.c +@@ -3489,13 +3489,14 @@ static void qeth_flush_buffers(struct qe + qdio_flags = QDIO_FLAG_SYNC_OUTPUT; + if (atomic_read(&queue->set_pci_flags_count)) + qdio_flags |= QDIO_FLAG_PCI_OUT; ++ atomic_add(count, &queue->used_buffers); ++ + rc = do_QDIO(CARD_DDEV(queue->card), qdio_flags, + queue->queue_no, index, count); + if (queue->card->options.performance_stats) + queue->card->perf_stats.outbound_do_qdio_time += + qeth_get_micros() - + queue->card->perf_stats.outbound_do_qdio_start_time; +- atomic_add(count, &queue->used_buffers); + if (rc) { + queue->card->stats.tx_errors += count; + /* ignore temporary SIGA errors without busy condition */ diff --git a/queue-3.18/s390-qeth-reset-layer2-attribute-on-layer-switch.patch b/queue-3.18/s390-qeth-reset-layer2-attribute-on-layer-switch.patch new file mode 100644 index 00000000000..633af1becd2 --- /dev/null +++ b/queue-3.18/s390-qeth-reset-layer2-attribute-on-layer-switch.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Julian Wiedmann +Date: Thu, 19 Jul 2018 12:43:49 +0200 +Subject: s390/qeth: reset layer2 attribute on layer switch + +From: Julian Wiedmann + +[ Upstream commit 70551dc46ffa3555a0b5f3545b0cd87ab67fd002 ] + +After the subdriver's remove() routine has completed, the card's layer +mode is undetermined again. Reflect this in the layer2 field. + +If qeth_dev_layer2_store() hits an error after remove() was called, the +card _always_ requires a setup(), even if the previous layer mode is +requested again. +But qeth_dev_layer2_store() bails out early if the requested layer mode +still matches the current one. So unless we reset the layer2 field, +re-probing the card back to its previous mode is currently not possible. + +Signed-off-by: Julian Wiedmann +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/net/qeth_core_sys.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/net/qeth_core_sys.c ++++ b/drivers/s390/net/qeth_core_sys.c +@@ -456,6 +456,7 @@ static ssize_t qeth_dev_layer2_store(str + if (card->discipline) { + card->discipline->remove(card->gdev); + qeth_core_free_discipline(card); ++ card->options.layer2 = -1; + } + + rc = qeth_core_load_discipline(card, newdis); diff --git a/queue-3.18/series b/queue-3.18/series index 6a8691d2ea2..bfd29ff66a5 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -59,3 +59,21 @@ mips-warn_on-invalid-dma-cache-maintenance-not-bug_on.patch xhci-fix-use-after-free-in-xhci_free_virt_device.patch netfilter-x_tables-avoid-stack-out-of-bounds-read-in-xt_copy_counters_from_user.patch mm-get-rid-of-vmacache_flush_all-entirely.patch +alsa-msnd-fix-the-default-sample-sizes.patch +alsa-usb-audio-fix-multiple-definitions-in-au0828_device-macro.patch +xfrm-fix-passing-zero-to-err_ptr-warning.patch +gfs2-special-case-rindex-for-gfs2_grow.patch +mips-ath79-fix-system-restart.patch +mtd-maps-fix-solutionengine.c-printk-format-warnings.patch +gfs2-don-t-reject-a-supposedly-full-bitmap-if-we-have-blocks-reserved.patch +fbdev-omapfb-off-by-one-in-omapfb_register_client.patch +video-goldfishfb-fix-memory-leak-on-driver-remove.patch +fbdev-via-fix-defined-but-not-used-warning.patch +perf-powerpc-fix-callchain-ip-filtering-when-return-address-is-in-a-register.patch +fbdev-distinguish-between-interlaced-and-progressive-modes.patch +perf-powerpc-fix-callchain-ip-filtering.patch +powerpc-powernv-opal_put_chars-partial-write-fix.patch +mac80211-restrict-delayed-tailroom-needed-decrement.patch +s390-qeth-fix-race-in-used-buffer-accounting.patch +s390-qeth-reset-layer2-attribute-on-layer-switch.patch +platform-x86-toshiba_acpi-fix-defined-but-not-used-build-warnings.patch diff --git a/queue-3.18/video-goldfishfb-fix-memory-leak-on-driver-remove.patch b/queue-3.18/video-goldfishfb-fix-memory-leak-on-driver-remove.patch new file mode 100644 index 00000000000..69e7fafb361 --- /dev/null +++ b/queue-3.18/video-goldfishfb-fix-memory-leak-on-driver-remove.patch @@ -0,0 +1,37 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: Anton Vasilyev +Date: Tue, 24 Jul 2018 19:11:27 +0200 +Subject: video: goldfishfb: fix memory leak on driver remove + +From: Anton Vasilyev + +[ Upstream commit 5958fde72d04e7b8c6de3669d1f794a90997e3eb ] + +goldfish_fb_probe() allocates memory for fb, but goldfish_fb_remove() does +not have deallocation of fb, which leads to memory leak on probe/remove. + +The patch adds deallocation into goldfish_fb_remove(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Cc: Aleksandar Markovic +Cc: Miodrag Dinic +Cc: Goran Ferenc +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/goldfishfb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/goldfishfb.c ++++ b/drivers/video/fbdev/goldfishfb.c +@@ -301,6 +301,7 @@ static int goldfish_fb_remove(struct pla + dma_free_coherent(&pdev->dev, framesize, (void *)fb->fb.screen_base, + fb->fb.fix.smem_start); + iounmap(fb->reg_base); ++ kfree(fb); + return 0; + } + diff --git a/queue-3.18/xfrm-fix-passing-zero-to-err_ptr-warning.patch b/queue-3.18/xfrm-fix-passing-zero-to-err_ptr-warning.patch new file mode 100644 index 00000000000..31f19890d6d --- /dev/null +++ b/queue-3.18/xfrm-fix-passing-zero-to-err_ptr-warning.patch @@ -0,0 +1,39 @@ +From foo@baz Fri Sep 21 09:23:07 CEST 2018 +From: YueHaibing +Date: Wed, 25 Jul 2018 16:54:33 +0800 +Subject: xfrm: fix 'passing zero to ERR_PTR()' warning + +From: YueHaibing + +[ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ] + +Fix a static code checker warning: + + net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR' + +xfrm_tmpl_resolve return 0 just means no xdst found, return NULL +instead of passing zero to ERR_PTR. + +Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms") +Signed-off-by: YueHaibing +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_policy.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -1809,7 +1809,10 @@ xfrm_resolve_and_create_bundle(struct xf + /* Try to instantiate a bundle */ + err = xfrm_tmpl_resolve(pols, num_pols, fl, xfrm, family); + if (err <= 0) { +- if (err != 0 && err != -EAGAIN) ++ if (err == 0) ++ return NULL; ++ ++ if (err != -EAGAIN) + XFRM_INC_STATS(net, LINUX_MIB_XFRMOUTPOLERROR); + return ERR_PTR(err); + } diff --git a/queue-4.4/series b/queue-4.4/series new file mode 100644 index 00000000000..e69de29bb2d