From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 10 Dec 2018 14:28:03 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v4.19.9~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba67265fb6d439aef45908e67daf939122ed07b7;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch
	sunrpc-fix-leak-of-krb5p-encode-pages.patch
	xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
---

diff --git a/queue-3.18/dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch b/queue-3.18/dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch
new file mode 100644
index 00000000000..0fa8ee84183
--- /dev/null
+++ b/queue-3.18/dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch
@@ -0,0 +1,62 @@
+From 59861547ec9a9736e7882f6fb0c096a720ff811a Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Mon, 12 Nov 2018 09:43:22 -0600
+Subject: dmaengine: cppi41: delete channel from pending list when stop channel
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 59861547ec9a9736e7882f6fb0c096a720ff811a upstream.
+
+The driver defines three states for a cppi channel.
+- idle: .chan_busy == 0 && not in .pending list
+- pending: .chan_busy == 0 && in .pending list
+- busy: .chan_busy == 1 && not in .pending list
+
+There are cases in which the cppi channel could be in the pending state
+when cppi41_dma_issue_pending() is called after cppi41_runtime_suspend()
+is called.
+
+cppi41_stop_chan() has a bug for these cases to set channels to idle state.
+It only checks the .chan_busy flag, but not the .pending list, then later
+when cppi41_runtime_resume() is called the channels in .pending list will
+be transitioned to busy state.
+
+Removing channels from the .pending list solves the problem.
+
+Fixes: 975faaeb9985 ("dma: cppi41: start tear down only if channel is busy")
+Cc: stable@vger.kernel.org # v3.15+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/dma/cppi41.c |   16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/cppi41.c
++++ b/drivers/dma/cppi41.c
+@@ -629,8 +629,22 @@ static int cppi41_stop_chan(struct dma_c
+ 
+ 	desc_phys = lower_32_bits(c->desc_phys);
+ 	desc_num = (desc_phys - cdd->descs_phys) / sizeof(struct cppi41_desc);
+-	if (!cdd->chan_busy[desc_num])
++	if (!cdd->chan_busy[desc_num]) {
++		struct cppi41_channel *cc, *_ct;
++
++		/*
++		 * channels might still be in the pendling list if
++		 * cppi41_dma_issue_pending() is called after
++		 * cppi41_runtime_suspend() is called
++		 */
++		list_for_each_entry_safe(cc, _ct, &cdd->pending, node) {
++			if (cc != c)
++				continue;
++			list_del(&cc->node);
++			break;
++		}
+ 		return 0;
++	}
+ 
+ 	ret = cppi41_tear_down_chan(c);
+ 	if (ret)
diff --git a/queue-3.18/series b/queue-3.18/series
index e262efcb41f..9a6c3bf1db1 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -44,3 +44,6 @@ usb-check-usb_get_extra_descriptor-for-proper-size.patch
 alsa-hda-add-support-for-amd-stoney-ridge.patch
 alsa-pcm-call-snd_pcm_unlink-conditionally-at-closing.patch
 alsa-pcm-fix-interval-evaluation-with-openmin-max.patch
+sunrpc-fix-leak-of-krb5p-encode-pages.patch
+dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch
+xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
diff --git a/queue-3.18/sunrpc-fix-leak-of-krb5p-encode-pages.patch b/queue-3.18/sunrpc-fix-leak-of-krb5p-encode-pages.patch
new file mode 100644
index 00000000000..ce09179729c
--- /dev/null
+++ b/queue-3.18/sunrpc-fix-leak-of-krb5p-encode-pages.patch
@@ -0,0 +1,42 @@
+From 8dae5398ab1ac107b1517e8195ed043d5f422bd0 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Fri, 30 Nov 2018 15:39:57 -0500
+Subject: SUNRPC: Fix leak of krb5p encode pages
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 8dae5398ab1ac107b1517e8195ed043d5f422bd0 upstream.
+
+call_encode can be invoked more than once per RPC call. Ensure that
+each call to gss_wrap_req_priv does not overwrite pointers to
+previously allocated memory.
+
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Cc: stable@kernel.org
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/auth_gss/auth_gss.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/sunrpc/auth_gss/auth_gss.c
++++ b/net/sunrpc/auth_gss/auth_gss.c
+@@ -1721,6 +1721,7 @@ priv_release_snd_buf(struct rpc_rqst *rq
+ 	for (i=0; i < rqstp->rq_enc_pages_num; i++)
+ 		__free_page(rqstp->rq_enc_pages[i]);
+ 	kfree(rqstp->rq_enc_pages);
++	rqstp->rq_release_snd_buf = NULL;
+ }
+ 
+ static int
+@@ -1729,6 +1730,9 @@ alloc_enc_pages(struct rpc_rqst *rqstp)
+ 	struct xdr_buf *snd_buf = &rqstp->rq_snd_buf;
+ 	int first, last, i;
+ 
++	if (rqstp->rq_release_snd_buf)
++		rqstp->rq_release_snd_buf(rqstp);
++
+ 	if (snd_buf->page_len == 0) {
+ 		rqstp->rq_enc_pages_num = 0;
+ 		return 0;
diff --git a/queue-3.18/xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch b/queue-3.18/xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
new file mode 100644
index 00000000000..23341fcc169
--- /dev/null
+++ b/queue-3.18/xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch
@@ -0,0 +1,61 @@
+From 0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 5 Dec 2018 14:22:39 +0200
+Subject: xhci: Prevent U1/U2 link pm states if exit latency is too long
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 0472bf06c6fd33c1a18aaead4c8f91e5a03d8d7b upstream.
+
+Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
+reaches the service interval for a periodic endpoint.
+
+This is according to xhci 1.1 specification section 4.23.5.2 extra note:
+
+"Software shall ensure that a device is prevented from entering a U-state
+ where its worst case exit latency approaches the ESIT."
+
+Allowing too long exit latencies for periodic endpoint confuses xHC
+internal scheduling, and new devices may fail to enumerate with a
+"Not enough bandwidth for new device state" error from the host.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |   16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4377,6 +4377,14 @@ static u16 xhci_calculate_u1_timeout(str
+ {
+ 	unsigned long long timeout_ns;
+ 
++	/* Prevent U1 if service interval is shorter than U1 exit latency */
++	if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
++		if (xhci_service_interval_to_ns(desc) <= udev->u1_params.mel) {
++			dev_dbg(&udev->dev, "Disable U1, ESIT shorter than exit latency\n");
++			return USB3_LPM_DISABLED;
++		}
++	}
++
+ 	if (xhci->quirks & XHCI_INTEL_HOST)
+ 		timeout_ns = xhci_calculate_intel_u1_timeout(udev, desc);
+ 	else
+@@ -4433,6 +4441,14 @@ static u16 xhci_calculate_u2_timeout(str
+ {
+ 	unsigned long long timeout_ns;
+ 
++	/* Prevent U2 if service interval is shorter than U2 exit latency */
++	if (usb_endpoint_xfer_int(desc) || usb_endpoint_xfer_isoc(desc)) {
++		if (xhci_service_interval_to_ns(desc) <= udev->u2_params.mel) {
++			dev_dbg(&udev->dev, "Disable U2, ESIT shorter than exit latency\n");
++			return USB3_LPM_DISABLED;
++		}
++	}
++
+ 	if (xhci->quirks & XHCI_INTEL_HOST)
+ 		timeout_ns = xhci_calculate_intel_u2_timeout(udev, desc);
+ 	else