From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 12:06:23 +0000 (-0700) Subject: 4.18-stable patches X-Git-Tag: v4.18.12~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb0165fb9dd2d853c07d1b6c317a4951a03f6c87;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: 6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch acpi-button-increment-wakeup-count-only-when-notified.patch alarmtimer-prevent-overflow-for-relative-nanosleep.patch alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch alsa-snd-aoa-add-of_node_put-in-error-path.patch arm-dts-dra7-fix-dcan-node-addresses.patch arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch arm64-dts-renesas-fix-vspd-registers-range.patch arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch asoc-rsnd-ssi-parent-cares-swsp-bit.patch asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch ath10k-fix-memory-leak-of-tpc_stats.patch ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch ath10k-sdio-set-skb-len-for-all-rx-packets.patch ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch ath10k-transmit-queued-frames-after-processing-rx-packets.patch ath10k-use-locked-skb_dequeue-for-rx-completions.patch audit-fix-extended-comparison-of-gid-egid.patch bitfield-fix-_encode_bits.patch bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch crypto-skcipher-fix-wstringop-truncation-warnings.patch cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch documentation-process-fix-rest-table-border-error.patch drivers-tty-add-error-handling-for-pcmcia_loop_config.patch drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch drm-amd-display-fix-use-of-uninitialized-memory.patch drm-omap-gem-fix-mm_list-locking.patch drm-sun4i-enable-dw-hdmi-phy-clock.patch drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch edac-fix-memleak-in-module-init-error-path.patch edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch gpio-fix-wrong-rounding-in-gpio-menz127.patch gpio-tegra-fix-tegra_gpio_irq_set_type.patch hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch ib-mlx4-test-port-number-before-querying-type.patch ib-mlx5-fix-gre-flow-specification.patch iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch include-rdma-opa_addr.h-fix-an-endianness-issue.patch input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch iomap-complete-partial-direct-i-o-writes-synchronously.patch iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch media-fsl-viu-fix-error-handling-in-viu_of_probe.patch media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch media-ov772x-add-checks-for-register-read-errors.patch media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch media-soc_camera-ov772x-correct-setting-of-banding-filter.patch media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch media-tm6000-add-error-handling-for-dvb_register_adapter.patch mips-boot-fix-build-rule-of-vmlinux.its.s.patch misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch misc-sram-enable-clock-before-registering-regions.patch module-exclude-shn_undef-symbols-from-kallsyms-api.patch mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch net-hns3-fix-for-mailbox-message-truncated-problem.patch net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch net-hns3-fix-warning-bug-when-doing-lp-selftest.patch net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch net-phy-xgmiitorgmii-check-read_status-results.patch nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch perf-hw_breakpoint-split-attribute-parse-and-commit.patch perf-tests-fix-indexing-when-invoking-subtests.patch perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch posix-timers-make-forward-callback-return-s64.patch posix-timers-sanitize-overrun-handling.patch power-remove-possible-deadlock-when-unregistering-power_supply.patch power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch power-vexpress-fix-corruption-in-notifier-registration.patch powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch s390-extmem-fix-gcc-8-stringop-overflow-warning.patch s390-mm-correct-allocate_pgste-proc_handler-callback.patch s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch s390-sysinfo-add-missing-ifdef-config_proc_fs.patch scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch scsi-ibmvscsi-improve-strings-handling.patch scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch scsi-megaraid_sas-update-controller-info-during-resume.patch scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch siox-don-t-create-a-thread-without-starting-it.patch spi-orion-fix-cs-gpio-handling-again.patch staging-android-ashmem-fix-mmap-size-validation.patch staging-mt7621-dts-fix-remaining-pcie-warnings.patch staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch staging-pi433-fix-race-condition-in-pi433_ioctl.patch staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch tsl2550-fix-lux1_input-error-in-low-light.patch usb-serial-kobil_sct-fix-modem-status-error-handling.patch usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch uwb-hwa-rc-fix-memory-leak-at-probe.patch vhost_net-avoid-tx-vring-kicks-during-busyloop.patch vmci-type-promotion-bug-in-qp_host_get_user_memory.patch wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch x86-entry-64-add-two-more-instruction-suffixes.patch x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch x86-tsc-add-missing-header-to-tsc_msr.c.patch --- diff --git a/queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch b/queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch new file mode 100644 index 00000000000..757541db718 --- /dev/null +++ b/queue-4.18/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Michael Scott +Date: Tue, 19 Jun 2018 16:44:06 -0700 +Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic + +From: Michael Scott + +[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ] + +After decompression of 6lowpan socket data, an IPv6 header is inserted +before the existing socket payload. After this, we reset the +network_header value of the skb to account for the difference in payload +size from prior to decompression + the addition of the IPv6 header. + +However, we fail to reset the mac_header value. + +Leaving the mac_header value untouched here, can cause a calculation +error in net/packet/af_packet.c packet_rcv() function when an +AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan +interface. + +On line 2088, the data pointer is moved backward by the value returned +from skb_mac_header(). If skb->data is adjusted so that it is before +the skb->head pointer (which can happen when an old value of mac_header +is left in place) the kernel generates a panic in net/core/skbuff.c +line 1717. + +This panic can be generated by BLE 6lowpan interfaces (such as bt0) and +802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan +sources for compression and decompression. + +Signed-off-by: Michael Scott +Acked-by: Alexander Aring +Acked-by: Jukka Rissanen +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/6lowpan/iphc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/6lowpan/iphc.c ++++ b/net/6lowpan/iphc.c +@@ -770,6 +770,7 @@ int lowpan_header_decompress(struct sk_b + hdr.hop_limit, &hdr.daddr); + + skb_push(skb, sizeof(hdr)); ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_copy_to_linear_data(skb, &hdr, sizeof(hdr)); + diff --git a/queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch b/queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch new file mode 100644 index 00000000000..ce0110d1bcf --- /dev/null +++ b/queue-4.18/acpi-button-increment-wakeup-count-only-when-notified.patch @@ -0,0 +1,77 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Ravi Chandra Sadineni +Date: Wed, 27 Jun 2018 10:55:02 -0700 +Subject: ACPI / button: increment wakeup count only when notified + +From: Ravi Chandra Sadineni + +[ Upstream commit 7c058c7c74b3dbeb7d157c273959f87faf710350 ] + +Because acpi_lid_initialize_state() is called on every system +resume and it triggers acpi_lid_notify_state() which invokes +acpi_pm_wakeup_event() for the lid device, the lid's wakeup count is +incremented even if the lid was not the source of the event that woke up +the system. That behavior confuses user space deamons using +wakeup_count to identify the potential system wakeup source. To avoid +the confusion, only trigger acpi_pm_wakeup_event() in the +acpi_button_notify() path and don't do that in the +acpi_lid_initialize_state() path. + +Signed-off-by: Ravi Chandra Sadineni +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/button.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/acpi/button.c ++++ b/drivers/acpi/button.c +@@ -235,9 +235,6 @@ static int acpi_lid_notify_state(struct + button->last_time = ktime_get(); + } + +- if (state) +- acpi_pm_wakeup_event(&device->dev); +- + ret = blocking_notifier_call_chain(&acpi_lid_notifier, state, device); + if (ret == NOTIFY_DONE) + ret = blocking_notifier_call_chain(&acpi_lid_notifier, state, +@@ -366,7 +363,8 @@ int acpi_lid_open(void) + } + EXPORT_SYMBOL(acpi_lid_open); + +-static int acpi_lid_update_state(struct acpi_device *device) ++static int acpi_lid_update_state(struct acpi_device *device, ++ bool signal_wakeup) + { + int state; + +@@ -374,6 +372,9 @@ static int acpi_lid_update_state(struct + if (state < 0) + return state; + ++ if (state && signal_wakeup) ++ acpi_pm_wakeup_event(&device->dev); ++ + return acpi_lid_notify_state(device, state); + } + +@@ -384,7 +385,7 @@ static void acpi_lid_initialize_state(st + (void)acpi_lid_notify_state(device, 1); + break; + case ACPI_BUTTON_LID_INIT_METHOD: +- (void)acpi_lid_update_state(device); ++ (void)acpi_lid_update_state(device, false); + break; + case ACPI_BUTTON_LID_INIT_IGNORE: + default: +@@ -409,7 +410,7 @@ static void acpi_button_notify(struct ac + users = button->input->users; + mutex_unlock(&button->input->mutex); + if (users) +- acpi_lid_update_state(device); ++ acpi_lid_update_state(device, true); + } else { + int keycode; + diff --git a/queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch b/queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch new file mode 100644 index 00000000000..c7d627b6de2 --- /dev/null +++ b/queue-4.18/alarmtimer-prevent-overflow-for-relative-nanosleep.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Thomas Gleixner +Date: Mon, 2 Jul 2018 09:34:29 +0200 +Subject: alarmtimer: Prevent overflow for relative nanosleep + +From: Thomas Gleixner + +[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ] + +Air Icy reported: + + UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7 + signed integer overflow: + 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int' + Call Trace: + alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811 + __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline] + __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline] + __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213 + do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 + +alarm_timer_nsleep() uses ktime_add() to add the current time and the +relative expiry value. ktime_add() has no sanity checks so the addition +can overflow when the relative timeout is large enough. + +Use ktime_add_safe() which has the necessary sanity checks in place and +limits the result to the valid range. + +Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers") +Reported-by: Team OWL337 +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/alarmtimer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -808,7 +808,8 @@ static int alarm_timer_nsleep(const cloc + /* Convert (if necessary) to absolute time */ + if (flags != TIMER_ABSTIME) { + ktime_t now = alarm_bases[type].gettime(); +- exp = ktime_add(now, exp); ++ ++ exp = ktime_add_safe(now, exp); + } + + ret = alarmtimer_do_nsleep(&alarm, exp, type); diff --git a/queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch b/queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch new file mode 100644 index 00000000000..8c99cbc4ff5 --- /dev/null +++ b/queue-4.18/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Kai-Heng Feng +Date: Thu, 28 Jun 2018 15:28:24 +0800 +Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge + +From: Kai-Heng Feng + +[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ] + +This patch can make audio controller in AMD Raven Ridge gets runtime +suspended to D3, to save ~1W power when it's not in use. + +Cc: Vijendar Mukunda +Signed-off-by: Kai-Heng Feng +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2535,7 +2535,8 @@ static const struct pci_device_id azx_id + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, + /* AMD Raven */ + { PCI_DEVICE(0x1022, 0x15e3), +- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | ++ AZX_DCAPS_PM_RUNTIME }, + /* ATI HDMI */ + { PCI_DEVICE(0x1002, 0x0002), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, diff --git a/queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch b/queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch new file mode 100644 index 00000000000..715a53a28e3 --- /dev/null +++ b/queue-4.18/alsa-snd-aoa-add-of_node_put-in-error-path.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Nicholas Mc Guire +Date: Fri, 29 Jun 2018 19:07:42 +0200 +Subject: ALSA: snd-aoa: add of_node_put() in error path + +From: Nicholas Mc Guire + +[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ] + + Both calls to of_find_node_by_name() and of_get_next_child() return a +node pointer with refcount incremented thus it must be explicidly +decremented here after the last usage. As we are assured to have a +refcounted np either from the initial +of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np) +in the while loop if we reached the error code path below, an +x of_node_put(np) is needed. + +Signed-off-by: Nicholas Mc Guire +Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa") +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/aoa/core/gpio-feature.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/aoa/core/gpio-feature.c ++++ b/sound/aoa/core/gpio-feature.c +@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char + } + + reg = of_get_property(np, "reg", NULL); +- if (!reg) ++ if (!reg) { ++ of_node_put(np); + return NULL; ++ } + + *gpioptr = *reg; + diff --git a/queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch b/queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch new file mode 100644 index 00000000000..e32d1d8f993 --- /dev/null +++ b/queue-4.18/arm-dts-dra7-fix-dcan-node-addresses.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Kevin Hilman +Date: Mon, 21 May 2018 13:08:32 -0700 +Subject: ARM: dts: dra7: fix DCAN node addresses + +From: Kevin Hilman + +[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ] + +Fix the DT node addresses to match the reg property addresses, +which were verified to match the TRM: +http://www.ti.com/lit/pdf/sprui30 + +Cc: Roger Quadros +Signed-off-by: Kevin Hilman +Acked-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -1893,7 +1893,7 @@ + }; + }; + +- dcan1: can@481cc000 { ++ dcan1: can@4ae3c000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan1"; + reg = <0x4ae3c000 0x2000>; +@@ -1903,7 +1903,7 @@ + status = "disabled"; + }; + +- dcan2: can@481d0000 { ++ dcan2: can@48480000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan2"; + reg = <0x48480000 0x2000>; diff --git a/queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch new file mode 100644 index 00000000000..89fe0370ca0 --- /dev/null +++ b/queue-4.18/arm-dts-ls1021a-add-missing-cooling-device-properties-for-cpus.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Viresh Kumar +Date: Fri, 25 May 2018 16:01:48 +0530 +Subject: ARM: dts: ls1021a: Add missing cooling device properties for CPUs + +From: Viresh Kumar + +[ Upstream commit 47768f372eae030db6fab5225f9504a820d2c07f ] + +The cooling device properties, like "#cooling-cells" and +"dynamic-power-coefficient", should either be present for all the CPUs +of a cluster or none. If these are present only for a subset of CPUs of +a cluster then things will start falling apart as soon as the CPUs are +brought online in a different order. For example, this will happen +because the operating system looks for such properties in the CPU node +it is trying to bring up, so that it can register a cooling device. + +Add such missing properties. + +Signed-off-by: Viresh Kumar +Signed-off-by: Shawn Guo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/ls1021a.dtsi | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/boot/dts/ls1021a.dtsi ++++ b/arch/arm/boot/dts/ls1021a.dtsi +@@ -84,6 +84,7 @@ + device_type = "cpu"; + reg = <0xf01>; + clocks = <&clockgen 1 0>; ++ #cooling-cells = <2>; + }; + }; + diff --git a/queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch b/queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch new file mode 100644 index 00000000000..aabca691139 --- /dev/null +++ b/queue-4.18/arm-dts-mediatek-add-missing-cooling-device-properties-for-cpus.patch @@ -0,0 +1,53 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Viresh Kumar +Date: Fri, 25 May 2018 16:01:49 +0530 +Subject: arm: dts: mediatek: Add missing cooling device properties for CPUs + +From: Viresh Kumar + +[ Upstream commit 0c7f7a5150023f3c6f0b27c4d4940ce3dfaf62cc ] + +The cooling device properties, like "#cooling-cells" and +"dynamic-power-coefficient", should either be present for all the CPUs +of a cluster or none. If these are present only for a subset of CPUs of +a cluster then things will start falling apart as soon as the CPUs are +brought online in a different order. For example, this will happen +because the operating system looks for such properties in the CPU node +it is trying to bring up, so that it can register a cooling device. + +Add such missing properties. + +Signed-off-by: Viresh Kumar +Signed-off-by: Matthias Brugger +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/mt7623.dtsi | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/boot/dts/mt7623.dtsi ++++ b/arch/arm/boot/dts/mt7623.dtsi +@@ -92,6 +92,7 @@ + <&apmixedsys CLK_APMIXED_MAINPLL>; + clock-names = "cpu", "intermediate"; + operating-points-v2 = <&cpu_opp_table>; ++ #cooling-cells = <2>; + clock-frequency = <1300000000>; + }; + +@@ -103,6 +104,7 @@ + <&apmixedsys CLK_APMIXED_MAINPLL>; + clock-names = "cpu", "intermediate"; + operating-points-v2 = <&cpu_opp_table>; ++ #cooling-cells = <2>; + clock-frequency = <1300000000>; + }; + +@@ -114,6 +116,7 @@ + <&apmixedsys CLK_APMIXED_MAINPLL>; + clock-names = "cpu", "intermediate"; + operating-points-v2 = <&cpu_opp_table>; ++ #cooling-cells = <2>; + clock-frequency = <1300000000>; + }; + }; diff --git a/queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch b/queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch new file mode 100644 index 00000000000..9965c836168 --- /dev/null +++ b/queue-4.18/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch @@ -0,0 +1,62 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dave Gerlach +Date: Thu, 21 Jun 2018 14:43:08 +0530 +Subject: ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled + +From: Dave Gerlach + +[ Upstream commit 6d609b35c815ba20132b7b64bcca04516bb17c56 ] + +When the RTC lock and unlock functions were introduced it was likely +assumed that they would always be called from irq enabled context, hence +the use of local_irq_disable/enable. This is no longer true as the +RTC+DDR path makes a late call during the suspend path after irqs +have been disabled to enable the RTC hwmod which calls both unlock and +lock, leading to IRQs being reenabled through the local_irq_enable call +in omap_hwmod_rtc_lock call. + +To avoid this change the local_irq_disable/enable to +local_irq_save/restore to ensure that from whatever context this is +called the proper IRQ configuration is maintained. + +Signed-off-by: Dave Gerlach +Signed-off-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap_hwmod_reset.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/arm/mach-omap2/omap_hwmod_reset.c ++++ b/arch/arm/mach-omap2/omap_hwmod_reset.c +@@ -92,11 +92,13 @@ static void omap_rtc_wait_not_busy(struc + */ + void omap_hwmod_rtc_unlock(struct omap_hwmod *oh) + { +- local_irq_disable(); ++ unsigned long flags; ++ ++ local_irq_save(flags); + omap_rtc_wait_not_busy(oh); + omap_hwmod_write(OMAP_RTC_KICK0_VALUE, oh, OMAP_RTC_KICK0_REG); + omap_hwmod_write(OMAP_RTC_KICK1_VALUE, oh, OMAP_RTC_KICK1_REG); +- local_irq_enable(); ++ local_irq_restore(flags); + } + + /** +@@ -110,9 +112,11 @@ void omap_hwmod_rtc_unlock(struct omap_h + */ + void omap_hwmod_rtc_lock(struct omap_hwmod *oh) + { +- local_irq_disable(); ++ unsigned long flags; ++ ++ local_irq_save(flags); + omap_rtc_wait_not_busy(oh); + omap_hwmod_write(0x0, oh, OMAP_RTC_KICK0_REG); + omap_hwmod_write(0x0, oh, OMAP_RTC_KICK1_REG); +- local_irq_enable(); ++ local_irq_restore(flags); + } diff --git a/queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch b/queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch new file mode 100644 index 00000000000..b1253fc35f8 --- /dev/null +++ b/queue-4.18/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch @@ -0,0 +1,62 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Ethan Tuttle +Date: Tue, 19 Jun 2018 21:31:08 -0700 +Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c + +From: Ethan Tuttle + +[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ] + +With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to +detect buffer overflows. If src or dest is declared as a char, attempts to +copy more than byte will result in a fortify_panic(). + +Address this problem in mvebu_setup_boot_addr_wa() by declaring +mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove +a couple addressof operators to avoid "arithmetic on pointer to an +incomplete type" compiler error. + +See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays, +not single characters") for a similar fix. + +Fixes "detected buffer overflow in memcpy" error during init on some mvebu +systems (armada-370-xp, armada-375): + +(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4) +(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204) +(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8) +(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254) +(kernel_init_freeable) from (kernel_init+0x8/0x114) +(kernel_init) from (ret_from_fork+0x14/0x2c) + +Signed-off-by: Ethan Tuttle +Tested-by: Ethan Tuttle +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-mvebu/pmsu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-mvebu/pmsu.c ++++ b/arch/arm/mach-mvebu/pmsu.c +@@ -116,8 +116,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw + PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu)); + } + +-extern unsigned char mvebu_boot_wa_start; +-extern unsigned char mvebu_boot_wa_end; ++extern unsigned char mvebu_boot_wa_start[]; ++extern unsigned char mvebu_boot_wa_end[]; + + /* + * This function sets up the boot address workaround needed for SMP +@@ -130,7 +130,7 @@ int mvebu_setup_boot_addr_wa(unsigned in + phys_addr_t resume_addr_reg) + { + void __iomem *sram_virt_base; +- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start; ++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start; + + mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE); + mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute, diff --git a/queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch b/queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch new file mode 100644 index 00000000000..ceb6a857abb --- /dev/null +++ b/queue-4.18/arm64-dts-renesas-fix-vspd-registers-range.patch @@ -0,0 +1,156 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Laurent Pinchart +Date: Fri, 8 Jun 2018 15:21:15 +0300 +Subject: arm64: dts: renesas: Fix VSPD registers range + +From: Laurent Pinchart + +[ Upstream commit e21adc781bb45e810f1c396c4bc2c1624a4c25b9 ] + +The VSPD and FCPVD nodes have overlapping register ranges, as the FCPVD +devices are mapped in the memory range usually used by the VSP LUT and +CLU, which are not present in the VSPD. Fix this by shortening the VSPD +registers range to 0x5000. + +Fixes: 9f8573e38a0b ("arm64: dts: renesas: r8a7795: Add VSP instances") +Fixes: 291e0c4994d0 ("arm64: dts: r8a7795: Add support for R-Car H3 ES2.0") +Fixes: f06ffdfbdd90 ("arm64: dts: r8a7796: Add VSP instances") +Fixes: b4f92030d5d3 ("arm64: dts: renesas: r8a77970: add VSPD support") +Fixes: 295952a183d3 ("arm64: dts: renesas: r8a77995: add VSP instances") +Fixes: 85cb3229218a ("arm64: dts: renesas: r8a77965: Add VSP instances") +Reported-by: Simon Horman +Reported-by: Geert Uytterhoeven +Signed-off-by: Laurent Pinchart +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi | 2 +- + arch/arm64/boot/dts/renesas/r8a7795.dtsi | 6 +++--- + arch/arm64/boot/dts/renesas/r8a7796.dtsi | 6 +++--- + arch/arm64/boot/dts/renesas/r8a77965.dtsi | 4 ++-- + arch/arm64/boot/dts/renesas/r8a77970.dtsi | 2 +- + arch/arm64/boot/dts/renesas/r8a77995.dtsi | 4 ++-- + 6 files changed, 12 insertions(+), 12 deletions(-) + +--- a/arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a7795-es1.dtsi +@@ -80,7 +80,7 @@ + + vspd3: vsp@fea38000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea38000 0 0x8000>; ++ reg = <0 0xfea38000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 620>; + power-domains = <&sysc R8A7795_PD_ALWAYS_ON>; +--- a/arch/arm64/boot/dts/renesas/r8a7795.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a7795.dtsi +@@ -2530,7 +2530,7 @@ + + vspd0: vsp@fea20000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea20000 0 0x8000>; ++ reg = <0 0xfea20000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 623>; + power-domains = <&sysc R8A7795_PD_ALWAYS_ON>; +@@ -2541,7 +2541,7 @@ + + vspd1: vsp@fea28000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea28000 0 0x8000>; ++ reg = <0 0xfea28000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 622>; + power-domains = <&sysc R8A7795_PD_ALWAYS_ON>; +@@ -2552,7 +2552,7 @@ + + vspd2: vsp@fea30000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea30000 0 0x8000>; ++ reg = <0 0xfea30000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 621>; + power-domains = <&sysc R8A7795_PD_ALWAYS_ON>; +--- a/arch/arm64/boot/dts/renesas/r8a7796.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a7796.dtsi +@@ -2212,7 +2212,7 @@ + + vspd0: vsp@fea20000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea20000 0 0x8000>; ++ reg = <0 0xfea20000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 623>; + power-domains = <&sysc R8A7796_PD_ALWAYS_ON>; +@@ -2223,7 +2223,7 @@ + + vspd1: vsp@fea28000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea28000 0 0x8000>; ++ reg = <0 0xfea28000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 622>; + power-domains = <&sysc R8A7796_PD_ALWAYS_ON>; +@@ -2234,7 +2234,7 @@ + + vspd2: vsp@fea30000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea30000 0 0x8000>; ++ reg = <0 0xfea30000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 621>; + power-domains = <&sysc R8A7796_PD_ALWAYS_ON>; +--- a/arch/arm64/boot/dts/renesas/r8a77965.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77965.dtsi +@@ -1397,7 +1397,7 @@ + + vspd0: vsp@fea20000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea20000 0 0x8000>; ++ reg = <0 0xfea20000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 623>; + power-domains = <&sysc R8A77965_PD_ALWAYS_ON>; +@@ -1416,7 +1416,7 @@ + + vspd1: vsp@fea28000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea28000 0 0x8000>; ++ reg = <0 0xfea28000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 622>; + power-domains = <&sysc R8A77965_PD_ALWAYS_ON>; +--- a/arch/arm64/boot/dts/renesas/r8a77970.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77970.dtsi +@@ -776,7 +776,7 @@ + + vspd0: vsp@fea20000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea20000 0 0x8000>; ++ reg = <0 0xfea20000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 623>; + power-domains = <&sysc R8A77970_PD_ALWAYS_ON>; +--- a/arch/arm64/boot/dts/renesas/r8a77995.dtsi ++++ b/arch/arm64/boot/dts/renesas/r8a77995.dtsi +@@ -699,7 +699,7 @@ + + vspd0: vsp@fea20000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea20000 0 0x8000>; ++ reg = <0 0xfea20000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 623>; + power-domains = <&sysc R8A77995_PD_ALWAYS_ON>; +@@ -709,7 +709,7 @@ + + vspd1: vsp@fea28000 { + compatible = "renesas,vsp2"; +- reg = <0 0xfea28000 0 0x8000>; ++ reg = <0 0xfea28000 0 0x5000>; + interrupts = ; + clocks = <&cpg CPG_MOD 622>; + power-domains = <&sysc R8A77995_PD_ALWAYS_ON>; diff --git a/queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch b/queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch new file mode 100644 index 00000000000..7d2041b6f6b --- /dev/null +++ b/queue-4.18/arm64-dts-renesas-salvator-common-fix-adv7482-decimal-unit-addresses.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Geert Uytterhoeven +Date: Thu, 14 Jun 2018 15:48:08 +0200 +Subject: arm64: dts: renesas: salvator-common: Fix adv7482 decimal unit addresses + +From: Geert Uytterhoeven + +[ Upstream commit c5a884838ce34681200b5a45b2330177036affd0 ] + +With recent dtc and W=1: + + ...salvator-x.dtb: Warning (graph_port): /soc/i2c@e66d8000/video-receiver@70/port@10: graph node unit address error, expected "a" + ...salvator-x.dtb: Warning (graph_port): /soc/i2c@e66d8000/video-receiver@70/port@11: graph node unit address error, expected "b" + +Unit addresses are always hexadecimal (without prefix), while the bases +of reg property values depend on their prefixes. + +Fixes: 908001d778eba06e ("arm64: dts: renesas: salvator-common: Add ADV7482 support") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Rob Herring +Acked-by: Kieran Bingham +Signed-off-by: Simon Horman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/renesas/salvator-common.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/boot/dts/renesas/salvator-common.dtsi ++++ b/arch/arm64/boot/dts/renesas/salvator-common.dtsi +@@ -440,7 +440,7 @@ + }; + }; + +- port@10 { ++ port@a { + reg = <10>; + + adv7482_txa: endpoint { +@@ -450,7 +450,7 @@ + }; + }; + +- port@11 { ++ port@b { + reg = <11>; + + adv7482_txb: endpoint { diff --git a/queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch b/queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch new file mode 100644 index 00000000000..476e0e06801 --- /dev/null +++ b/queue-4.18/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Liam Girdwood +Date: Thu, 14 Jun 2018 20:26:42 +0100 +Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs + +From: Liam Girdwood + +[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ] + +Sometime a component or topology may configure a DAI widget with no +private data leading to a dev_dbg() dereferencne of this data. + +Fix this to check for non NULL private data and let users know if widget +is missing DAI. + +Signed-off-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -4073,6 +4073,13 @@ int snd_soc_dapm_link_dai_widgets(struct + continue; + } + ++ /* let users know there is no DAI to link */ ++ if (!dai_w->priv) { ++ dev_dbg(card->dev, "dai widget %s has no DAI\n", ++ dai_w->name); ++ continue; ++ } ++ + dai = dai_w->priv; + + /* ...find all widgets with the same stream and link them */ diff --git a/queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch b/queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch new file mode 100644 index 00000000000..0920b622c6e --- /dev/null +++ b/queue-4.18/asoc-intel-bytcr_rt5640-fix-acer-iconia-8-over-current-detect-threshold.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Hans de Goede +Date: Sun, 3 Jun 2018 15:42:32 +0200 +Subject: ASoC: Intel: bytcr_rt5640: Fix Acer Iconia 8 over-current detect threshold + +From: Hans de Goede + +[ Upstream commit f12a0a3c4cc6f594d7c2ea361f2396ae5c518d2c ] + +Change the over-current detect threshold on the Acer Iconia 8 from +2000ua to 1500uA, this fixes headset button presses not being detected. + +Signed-off-by: Hans de Goede +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/intel/boards/bytcr_rt5640.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/intel/boards/bytcr_rt5640.c ++++ b/sound/soc/intel/boards/bytcr_rt5640.c +@@ -404,7 +404,7 @@ static const struct dmi_system_id byt_rt + }, + .driver_data = (void *)(BYT_RT5640_DMIC1_MAP | + BYT_RT5640_JD_SRC_JD1_IN4P | +- BYT_RT5640_OVCD_TH_2000UA | ++ BYT_RT5640_OVCD_TH_1500UA | + BYT_RT5640_OVCD_SF_0P75 | + BYT_RT5640_SSP0_AIF1 | + BYT_RT5640_MCLK_EN), diff --git a/queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch b/queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch new file mode 100644 index 00000000000..3f659d430e5 --- /dev/null +++ b/queue-4.18/asoc-qdsp6-qdafe-fix-some-off-by-one-bugs.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Wed, 27 Jun 2018 11:56:53 +0300 +Subject: ASoC: qdsp6: qdafe: fix some off by one bugs + +From: Dan Carpenter + +[ Upstream commit c54c1c5ee8e73b7cb752834e52e2129b1dab00bd ] + +The > should be >= or we could read one element beyond the end of the +port_maps[] array. + +Fixes: 7fa2d70f9766 ("ASoC: qdsp6: q6afe: Add q6afe driver") +Signed-off-by: Dan Carpenter +Acked-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/qcom/qdsp6/q6afe.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/sound/soc/qcom/qdsp6/q6afe.c ++++ b/sound/soc/qcom/qdsp6/q6afe.c +@@ -777,7 +777,7 @@ static int q6afe_callback(struct apr_dev + */ + int q6afe_get_port_id(int index) + { +- if (index < 0 || index > AFE_PORT_MAX) ++ if (index < 0 || index >= AFE_PORT_MAX) + return -EINVAL; + + return port_maps[index].port_id; +@@ -1014,7 +1014,7 @@ int q6afe_port_stop(struct q6afe_port *p + + port_id = port->id; + index = port->token; +- if (index < 0 || index > AFE_PORT_MAX) { ++ if (index < 0 || index >= AFE_PORT_MAX) { + dev_err(afe->dev, "AFE port index[%d] invalid!\n", index); + return -EINVAL; + } +@@ -1355,7 +1355,7 @@ struct q6afe_port *q6afe_port_get_from_i + unsigned long flags; + int cfg_type; + +- if (id < 0 || id > AFE_PORT_MAX) { ++ if (id < 0 || id >= AFE_PORT_MAX) { + dev_err(dev, "AFE port token[%d] invalid!\n", id); + return ERR_PTR(-EINVAL); + } diff --git a/queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch b/queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch new file mode 100644 index 00000000000..3db428a75f1 --- /dev/null +++ b/queue-4.18/asoc-rsnd-ssi-parent-cares-swsp-bit.patch @@ -0,0 +1,116 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Kuninori Morimoto +Date: Tue, 12 Jun 2018 05:52:17 +0000 +Subject: ASoC: rsnd: SSI parent cares SWSP bit + +From: Kuninori Morimoto + +[ Upstream commit 203cdf51f28820bee7893b4be392847418e6f4ec ] + +SSICR has SWSP bit (= Serial WS Polarity) which decides WS pin 1st +channel polarity (low or hi). This bit shouldn't exchange after running. + +Current SSI "parent" doesn't care SSICR, just controls clock only. +Because of this behavior, if platform uses SSI0 as playback, +SSI1 as capture, and if user starts capture -> playback order, +SSI0 SSICR::SWSP bit exchanged 0 -> 1 during captureing, and it makes +capture noise. +This patch cares SSICR on SSI parent, too. +Special thanks to Yokoyama-san + +Reported-by: Hiroyuki Yokoyama +Signed-off-by: Kuninori Morimoto +Tested-by: Hiroyuki Yokoyama +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/sh/rcar/ssi.c | 32 +++++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/sound/soc/sh/rcar/ssi.c ++++ b/sound/soc/sh/rcar/ssi.c +@@ -37,6 +37,7 @@ + #define CHNL_4 (1 << 22) /* Channels */ + #define CHNL_6 (2 << 22) /* Channels */ + #define CHNL_8 (3 << 22) /* Channels */ ++#define DWL_MASK (7 << 19) /* Data Word Length mask */ + #define DWL_8 (0 << 19) /* Data Word Length */ + #define DWL_16 (1 << 19) /* Data Word Length */ + #define DWL_18 (2 << 19) /* Data Word Length */ +@@ -353,21 +354,18 @@ static void rsnd_ssi_config_init(struct + struct rsnd_dai *rdai = rsnd_io_to_rdai(io); + struct snd_pcm_runtime *runtime = rsnd_io_to_runtime(io); + struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod); +- u32 cr_own; +- u32 cr_mode; +- u32 wsr; ++ u32 cr_own = ssi->cr_own; ++ u32 cr_mode = ssi->cr_mode; ++ u32 wsr = ssi->wsr; + int is_tdm; + +- if (rsnd_ssi_is_parent(mod, io)) +- return; +- + is_tdm = rsnd_runtime_is_ssi_tdm(io); + + /* + * always use 32bit system word. + * see also rsnd_ssi_master_clk_enable() + */ +- cr_own = FORCE | SWL_32; ++ cr_own |= FORCE | SWL_32; + + if (rdai->bit_clk_inv) + cr_own |= SCKP; +@@ -377,9 +375,18 @@ static void rsnd_ssi_config_init(struct + cr_own |= SDTA; + if (rdai->sys_delay) + cr_own |= DEL; ++ ++ /* ++ * We shouldn't exchange SWSP after running. ++ * This means, parent needs to care it. ++ */ ++ if (rsnd_ssi_is_parent(mod, io)) ++ goto init_end; ++ + if (rsnd_io_is_play(io)) + cr_own |= TRMD; + ++ cr_own &= ~DWL_MASK; + switch (snd_pcm_format_width(runtime->format)) { + case 16: + cr_own |= DWL_16; +@@ -406,7 +413,7 @@ static void rsnd_ssi_config_init(struct + wsr |= WS_MODE; + cr_own |= CHNL_8; + } +- ++init_end: + ssi->cr_own = cr_own; + ssi->cr_mode = cr_mode; + ssi->wsr = wsr; +@@ -465,15 +472,18 @@ static int rsnd_ssi_quit(struct rsnd_mod + return -EIO; + } + +- if (!rsnd_ssi_is_parent(mod, io)) +- ssi->cr_own = 0; +- + rsnd_ssi_master_clk_stop(mod, io); + + rsnd_mod_power_off(mod); + + ssi->usrcnt--; + ++ if (!ssi->usrcnt) { ++ ssi->cr_own = 0; ++ ssi->cr_mode = 0; ++ ssi->wsr = 0; ++ } ++ + return 0; + } + diff --git a/queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch b/queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch new file mode 100644 index 00000000000..dc8b69533de --- /dev/null +++ b/queue-4.18/asoc-rt1305-use-ull-suffixes-for-64-bit-constants.patch @@ -0,0 +1,46 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Geert Uytterhoeven +Date: Thu, 7 Jun 2018 15:50:48 +0200 +Subject: ASoC: rt1305: Use ULL suffixes for 64-bit constants + +From: Geert Uytterhoeven + +[ Upstream commit 4f29b663c08d369fe320a148179996c94cf7d01b ] + +With gcc 4.1.2: + + sound/soc/codecs/rt1305.c: In function ‘rt1305_calibrate’: + sound/soc/codecs/rt1305.c:1069: warning: integer constant is too large for ‘long’ type + sound/soc/codecs/rt1305.c:1086: warning: integer constant is too large for ‘long’ type + +Add the missing "ULL" suffixes to fix this. + +Fixes: 29bc643ddd7efb74 ("ASoC: rt1305: Add RT1305/RT1306 amplifier driver") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt1305.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/rt1305.c ++++ b/sound/soc/codecs/rt1305.c +@@ -1066,7 +1066,7 @@ static void rt1305_calibrate(struct rt13 + pr_debug("Left_rhl = 0x%x rh=0x%x rl=0x%x\n", rhl, rh, rl); + pr_info("Left channel %d.%dohm\n", (r0ohm/10), (r0ohm%10)); + +- r0l = 562949953421312; ++ r0l = 562949953421312ULL; + if (rhl != 0) + do_div(r0l, rhl); + pr_debug("Left_r0 = 0x%llx\n", r0l); +@@ -1083,7 +1083,7 @@ static void rt1305_calibrate(struct rt13 + pr_debug("Right_rhl = 0x%x rh=0x%x rl=0x%x\n", rhl, rh, rl); + pr_info("Right channel %d.%dohm\n", (r0ohm/10), (r0ohm%10)); + +- r0r = 562949953421312; ++ r0r = 562949953421312ULL; + if (rhl != 0) + do_div(r0r, rhl); + pr_debug("Right_r0 = 0x%llx\n", r0r); diff --git a/queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch b/queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch new file mode 100644 index 00000000000..46c593a352e --- /dev/null +++ b/queue-4.18/ath10k-fix-incorrect-size-of-dma_free_coherent-in-ath10k_ce_alloc_src_ring_64.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: YueHaibing +Date: Fri, 1 Jun 2018 19:25:48 +0800 +Subject: ath10k: fix incorrect size of dma_free_coherent in ath10k_ce_alloc_src_ring_64 + +From: YueHaibing + +[ Upstream commit 5a211627004e2cddd0ab8b9df19e5fb0bbe97634 ] + +sizeof(struct ce_desc) should be a copy-paste mistake +just use sizeof(struct ce_desc_64) to avoid mem leak + +Fixes: b7ba83f7c414 ("ath10k: add support for shadow register for WNC3990") +Signed-off-by: YueHaibing +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/ce.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/ce.c ++++ b/drivers/net/wireless/ath/ath10k/ce.c +@@ -1512,7 +1512,7 @@ ath10k_ce_alloc_src_ring_64(struct ath10 + ret = ath10k_ce_alloc_shadow_base(ar, src_ring, nentries); + if (ret) { + dma_free_coherent(ar->dev, +- (nentries * sizeof(struct ce_desc) + ++ (nentries * sizeof(struct ce_desc_64) + + CE_DESC_RING_ALIGN), + src_ring->base_addr_owner_space_unaligned, + base_addr); diff --git a/queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch b/queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch new file mode 100644 index 00000000000..1f0c2380162 --- /dev/null +++ b/queue-4.18/ath10k-fix-memory-leak-of-tpc_stats.patch @@ -0,0 +1,49 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Colin Ian King +Date: Sun, 27 May 2018 22:17:02 +0100 +Subject: ath10k: fix memory leak of tpc_stats + +From: Colin Ian King + +[ Upstream commit 260e629bbf441585860e21d5e10d2e88437f47c8 ] + +Currently tpc_stats is allocated and is leaked on the return +path if num_tx_chain is greater than WMI_TPC_TX_N_CHAIN. Avoid +this leak by performing the check on num_tx_chain before the +allocation of tpc_stats. + +Detected by CoverityScan, CID#1469422 ("Resource Leak") +Fixes: 4b190675ad06 ("ath10k: fix kernel panic while reading tpc_stats") + +Signed-off-by: Colin Ian King +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/wmi.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -4602,10 +4602,6 @@ void ath10k_wmi_event_pdev_tpc_config(st + + ev = (struct wmi_pdev_tpc_config_event *)skb->data; + +- tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); +- if (!tpc_stats) +- return; +- + num_tx_chain = __le32_to_cpu(ev->num_tx_chain); + + if (num_tx_chain > WMI_TPC_TX_N_CHAIN) { +@@ -4614,6 +4610,10 @@ void ath10k_wmi_event_pdev_tpc_config(st + return; + } + ++ tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC); ++ if (!tpc_stats) ++ return; ++ + ath10k_wmi_tpc_config_get_rate_code(rate_code, pream_table, + num_tx_chain); + diff --git a/queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch b/queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch new file mode 100644 index 00000000000..3503137b0fd --- /dev/null +++ b/queue-4.18/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Ben Greear +Date: Mon, 18 Jun 2018 17:00:56 +0300 +Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock + +From: Ben Greear + +[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ] + +While debugging driver crashes related to a buggy firmware +crashing under load, I noticed that ath10k_htt_rx_ring_free +could be called without being under lock. I'm not sure if this +is the root cause of the crash or not, but it seems prudent to +protect it. + +Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware +running on 9984 NIC. + +Signed-off-by: Ben Greear +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -268,11 +268,12 @@ int ath10k_htt_rx_ring_refill(struct ath + spin_lock_bh(&htt->rx_ring.lock); + ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level - + htt->rx_ring.fill_cnt)); +- spin_unlock_bh(&htt->rx_ring.lock); + + if (ret) + ath10k_htt_rx_ring_free(htt); + ++ spin_unlock_bh(&htt->rx_ring.lock); ++ + return ret; + } + +@@ -284,7 +285,9 @@ void ath10k_htt_rx_free(struct ath10k_ht + skb_queue_purge(&htt->rx_in_ord_compl_q); + skb_queue_purge(&htt->tx_fetch_ind_q); + ++ spin_lock_bh(&htt->rx_ring.lock); + ath10k_htt_rx_ring_free(htt); ++ spin_unlock_bh(&htt->rx_ring.lock); + + dma_free_coherent(htt->ar->dev, + ath10k_htt_get_rx_ring_size(htt), diff --git a/queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch b/queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch new file mode 100644 index 00000000000..a4c3f7490fa --- /dev/null +++ b/queue-4.18/ath10k-sdio-set-skb-len-for-all-rx-packets.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Alagu Sankar +Date: Fri, 29 Jun 2018 16:28:00 +0300 +Subject: ath10k: sdio: set skb len for all rx packets + +From: Alagu Sankar + +[ Upstream commit 8530b4e7b22bc3bd8240579f3844c73947cd5f71 ] + +Without this, packets larger than 1500 will silently be dropped. +Easily reproduced by sending a ping packet with a size larger +than 1500. + +Co-Developed-by: Niklas Cassel +Signed-off-by: Alagu Sankar +Signed-off-by: Niklas Cassel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/sdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -396,6 +396,7 @@ static int ath10k_sdio_mbox_rx_process_p + int ret; + + payload_len = le16_to_cpu(htc_hdr->len); ++ skb->len = payload_len + sizeof(struct ath10k_htc_hdr); + + if (trailer_present) { + trailer = skb->data + sizeof(*htc_hdr) + diff --git a/queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch b/queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch new file mode 100644 index 00000000000..c0f5180e3f7 --- /dev/null +++ b/queue-4.18/ath10k-sdio-use-same-endpoint-id-for-all-packets-in-a-bundle.patch @@ -0,0 +1,58 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Alagu Sankar +Date: Fri, 29 Jun 2018 16:27:56 +0300 +Subject: ath10k: sdio: use same endpoint id for all packets in a bundle + +From: Alagu Sankar + +[ Upstream commit 679e1f07c86221b7183dd69df7068fd42d0041f6 ] + +All packets in a bundle should use the same endpoint id as the +first lookahead. + +This matches how things are done is ath6kl, however, +this patch can theoretically handle several bundles +in ath10k_sdio_mbox_rx_process_packets(). + +Without this patch we get lots of errors about invalid endpoint id: + +ath10k_sdio mmc2:0001:1: invalid endpoint in look-ahead: 224 +ath10k_sdio mmc2:0001:1: failed to get pending recv messages: -12 +ath10k_sdio mmc2:0001:1: failed to process pending SDIO interrupts: -12 + +Co-Developed-by: Niklas Cassel +Signed-off-by: Alagu Sankar +Signed-off-by: Niklas Cassel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/sdio.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -434,12 +434,14 @@ static int ath10k_sdio_mbox_rx_process_p + enum ath10k_htc_ep_id id; + int ret, i, *n_lookahead_local; + u32 *lookaheads_local; ++ int lookahead_idx = 0; + + for (i = 0; i < ar_sdio->n_rx_pkts; i++) { + lookaheads_local = lookaheads; + n_lookahead_local = n_lookahead; + +- id = ((struct ath10k_htc_hdr *)&lookaheads[i])->eid; ++ id = ((struct ath10k_htc_hdr *) ++ &lookaheads[lookahead_idx++])->eid; + + if (id >= ATH10K_HTC_EP_COUNT) { + ath10k_warn(ar, "invalid endpoint in look-ahead: %d\n", +@@ -462,6 +464,7 @@ static int ath10k_sdio_mbox_rx_process_p + /* Only read lookahead's from RX trailers + * for the last packet in a bundle. + */ ++ lookahead_idx--; + lookaheads_local = NULL; + n_lookahead_local = NULL; + } diff --git a/queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch b/queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch new file mode 100644 index 00000000000..f4c1c96a7d9 --- /dev/null +++ b/queue-4.18/ath10k-snoc-use-correct-bus-specific-pointer-in-rx-retry.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Brian Norris +Date: Mon, 11 Jun 2018 14:09:43 -0700 +Subject: ath10k: snoc: use correct bus-specific pointer in RX retry + +From: Brian Norris + +[ Upstream commit 426a0f0b5a2fe1df3496ba299ee3521159dba302 ] + +We're 'ath10k_snoc', not 'ath10k_pci'. This probably means we're +accessing junk data in ath10k_snoc_rx_replenish_retry(), unless +'ath10k_snoc' and 'ath10k_pci' happen to have very similar struct +layouts. + +Noticed by inspection. + +Fixes: d915105231ca ("ath10k: add hif rx methods for wcn3990") +Signed-off-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/snoc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/snoc.c ++++ b/drivers/net/wireless/ath/ath10k/snoc.c +@@ -449,7 +449,7 @@ static void ath10k_snoc_htt_rx_cb(struct + + static void ath10k_snoc_rx_replenish_retry(struct timer_list *t) + { +- struct ath10k_pci *ar_snoc = from_timer(ar_snoc, t, rx_post_retry); ++ struct ath10k_snoc *ar_snoc = from_timer(ar_snoc, t, rx_post_retry); + struct ath10k *ar = ar_snoc->ar; + + ath10k_snoc_rx_post(ar); diff --git a/queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch b/queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch new file mode 100644 index 00000000000..dd3e534f032 --- /dev/null +++ b/queue-4.18/ath10k-transmit-queued-frames-after-processing-rx-packets.patch @@ -0,0 +1,89 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Niklas Cassel +Date: Mon, 18 Jun 2018 17:00:49 +0300 +Subject: ath10k: transmit queued frames after processing rx packets + +From: Niklas Cassel + +[ Upstream commit 3f04950f32d5d592ab4fcaecac2178558a6f7437 ] + +When running iperf on ath10k SDIO, TX can stop working: + +iperf -c 192.168.1.1 -i 1 -t 20 -w 10K +[ 3] 0.0- 1.0 sec 2.00 MBytes 16.8 Mbits/sec +[ 3] 1.0- 2.0 sec 3.12 MBytes 26.2 Mbits/sec +[ 3] 2.0- 3.0 sec 3.25 MBytes 27.3 Mbits/sec +[ 3] 3.0- 4.0 sec 655 KBytes 5.36 Mbits/sec +[ 3] 4.0- 5.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 5.0- 6.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 6.0- 7.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 7.0- 8.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 8.0- 9.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 9.0-10.0 sec 0.00 Bytes 0.00 bits/sec +[ 3] 0.0-10.3 sec 9.01 MBytes 7.32 Mbits/sec + +There are frames in the ieee80211_txq and there are frames that have +been removed from from this queue, but haven't yet been sent on the wire +(num_pending_tx). + +When num_pending_tx reaches max_num_pending_tx, we will stop the queues +by calling ieee80211_stop_queues(). + +As frames that have previously been sent for transmission +(num_pending_tx) are completed, we will decrease num_pending_tx and wake +the queues by calling ieee80211_wake_queue(). ieee80211_wake_queue() +does not call wake_tx_queue, so we might still have frames in the +queue at this point. + +While the queues were stopped, the socket buffer might have filled up, +and in order for user space to write more, we need to free the frames +in the queue, since they are accounted to the socket. In order to free +them, we first need to transmit them. + +This problem cannot be reproduced on low-latency devices, e.g. pci, +since they call ath10k_mac_tx_push_pending() from +ath10k_htt_txrx_compl_task(). ath10k_htt_txrx_compl_task() is not called +on high-latency devices. +Fix the problem by calling ath10k_mac_tx_push_pending(), after +processing rx packets, just like for low-latency devices, also in the +SDIO case. Since we are calling ath10k_mac_tx_push_pending() directly, +we also need to export it. + +Signed-off-by: Niklas Cassel +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/mac.c | 1 + + drivers/net/wireless/ath/ath10k/sdio.c | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -4054,6 +4054,7 @@ void ath10k_mac_tx_push_pending(struct a + rcu_read_unlock(); + spin_unlock_bh(&ar->txqs_lock); + } ++EXPORT_SYMBOL(ath10k_mac_tx_push_pending); + + /************/ + /* Scanning */ +--- a/drivers/net/wireless/ath/ath10k/sdio.c ++++ b/drivers/net/wireless/ath/ath10k/sdio.c +@@ -30,6 +30,7 @@ + #include "debug.h" + #include "hif.h" + #include "htc.h" ++#include "mac.h" + #include "targaddrs.h" + #include "trace.h" + #include "sdio.h" +@@ -1346,6 +1347,8 @@ static void ath10k_sdio_irq_handler(stru + break; + } while (time_before(jiffies, timeout) && !done); + ++ ath10k_mac_tx_push_pending(ar); ++ + sdio_claim_host(ar_sdio->func); + + if (ret && ret != -ECANCELED) diff --git a/queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch b/queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch new file mode 100644 index 00000000000..a0d97e1e2aa --- /dev/null +++ b/queue-4.18/ath10k-use-locked-skb_dequeue-for-rx-completions.patch @@ -0,0 +1,140 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Bob Copeland +Date: Thu, 21 Jun 2018 08:25:48 -0400 +Subject: ath10k: use locked skb_dequeue for rx completions + +From: Bob Copeland + +[ Upstream commit 62652555c616cad23a572f76cb5e870ab5395191 ] + +In our environment we are occasionally seeing the following stack trace +in ath10k: + +Unable to handle kernel paging request at virtual address 0000a800 +pgd = c0204000 +[0000a800] *pgd=00000000 +Internal error: Oops: 17 [#1] SMP ARM +Modules linked in: dwc3 dwc3_of_simple phy_qcom_dwc3 nf_nat xt_connmark +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.31 #2 +Hardware name: Generic DT based system +task: c09f4f40 task.stack: c09ee000 +PC is at kfree_skb_list+0x1c/0x2c +LR is at skb_release_data+0x6c/0x108 +pc : [] lr : [] psr: 200f0113 +sp : c09efb68 ip : c09efb80 fp : c09efb7c +r10: 00000000 r9 : 00000000 r8 : 043fddd1 +r7 : bf15d160 r6 : 00000000 r5 : d4ca2f00 r4 : ca7c6480 +r3 : 000000a0 r2 : 01000000 r1 : c0a57470 r0 : 0000a800 +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 10c5787d Table: 56e6006a DAC: 00000051 +Process swapper/0 (pid: 0, stack limit = 0xc09ee210) +Stack: (0xc09efb68 to 0xc09f0000) +fb60: ca7c6480 d4ca2f00 c09efb9c c09efb80 c065da5c c065dcb4 +fb80: d4ca2f00 00000000 dcbf8400 bf15d160 c09efbb4 c09efba0 c065db28 c065d9fc +fba0: d4ca2f00 00000000 c09efbcc c09efbb8 c065db48 c065db04 d4ca2f00 00000000 +fbc0: c09efbe4 c09efbd0 c065ddd0 c065db38 d4ca2f00 00000000 c09efc64 c09efbe8 +fbe0: bf09bd00 c065dd10 00000003 7fffffff c09efc24 dcbfc9c0 01200000 00000000 +fc00: 00000000 00000000 ddb7e440 c09e9440 c09efc48 1d195000 c09efc7c c09efc28 +fc20: c027bb68 c028aa00 ddb7e4f8 bf13231c ddb7e454 0004091f bf154571 d4ca2f00 +fc40: dcbf8d00 ca7c5df6 bf154538 01200000 00000000 bf154538 c09efd1c c09efc68 +fc60: bf132458 bf09bbbc ca7c5dec 00000041 bf154538 bf154539 000007bf bf154545 +fc80: bf154538 bf154538 bf154538 bf154538 bf154538 00000000 00000000 000016c1 +fca0: 00000001 c09efcb0 01200000 00000000 00000000 00000000 00000000 00000001 +fcc0: bf154539 00000041 00000000 00000007 00000000 000000d0 ffffffff 3160ffff +fce0: 9ad93e97 3e973160 7bf09ad9 0004091f d4ca2f00 c09efdb0 dcbf94e8 00000000 +fd00: dcbf8d00 01200000 00000000 dcbf8d00 c09efd44 c09efd20 bf132544 bf132130 +fd20: dcbf8d00 00000000 d4ca2f00 c09efdb0 00000001 d4ca2f00 c09efdec c09efd48 +fd40: bf133630 bf1324d0 ca7c5cc0 000007c0 c09efd88 c09efd70 c0764230 c02277d8 +fd60: 200f0113 ffffffff dcbf94c8 bf000000 dcbf93b0 dcbf8d00 00000040 dcbf945c +fd80: dcbf94e8 00000000 c09efdcc 00000000 c09efd90 c09efd90 00000000 00000024 +fda0: dcbf8d00 00000000 00000005 dcbf8d00 c09efdb0 c09efdb0 00000000 00000040 +fdc0: c09efdec dcbf8d00 dcbfc9c0 c09ed140 00000040 00000000 00000100 00000040 +fde0: c09efe14 c09efdf0 bf1739b4 bf132840 dcbfc9c0 ddb82140 c09ed140 1d195000 +fe00: 00000001 00000100 c09efe64 c09efe18 c067136c bf173958 ddb7fac8 c09f0d00 +fe20: 001df678 0000012c c09efe28 c09efe28 c09efe30 c09efe30 c0a7fb28 ffffe000 +fe40: c09f008c 00000003 00000008 c0a598c0 00000100 c09f0080 c09efeb4 c09efe68 +fe60: c02096e0 c0671278 c0494584 00000080 dd5c3300 c09f0d00 00000004 001df677 +fe80: 0000000a 00200100 dd5c3300 00000000 00000000 c09eaa70 00000060 dd410800 +fea0: c09ee000 00000000 c09efecc c09efeb8 c0227944 c02094c4 00000000 00000000 +fec0: c09efef4 c09efed0 c0268b64 c02278ac de802000 c09f1b1c c09eff20 c0a16cc0 +fee0: de803000 c09ee000 c09eff1c c09efef8 c020947c c0268ae0 c02103dc 600f0013 +ff00: ffffffff c09eff54 ffffe000 c09ee000 c09eff7c c09eff20 c021448c c0209424 +ff20: 00000001 00000000 00000000 c021ddc0 00000000 00000000 c09f1024 00000001 +ff40: ffffe000 c09f1078 00000000 c09eff7c c09eff80 c09eff70 c02103ec c02103dc +ff60: 600f0013 ffffffff 00000051 00000000 c09eff8c c09eff80 c0763cc4 c02103bc +ff80: c09effa4 c09eff90 c025f0e4 c0763c98 c0a59040 c09f1000 c09effb4 c09effa8 +ffa0: c075efe0 c025efd4 c09efff4 c09effb8 c097dcac c075ef7c ffffffff ffffffff +ffc0: 00000000 c097d6c4 00000000 c09c1a28 c0a59294 c09f101c c09c1a24 c09f61c0 +ffe0: 4220406a 512f04d0 00000000 c09efff8 4220807c c097d95c 00000000 00000000 +[] (kfree_skb_list) from [] (skb_release_data+0x6c/0x108) +[] (skb_release_data) from [] (skb_release_all+0x30/0x34) +[] (skb_release_all) from [] (__kfree_skb+0x1c/0x9c) +[] (__kfree_skb) from [] (consume_skb+0xcc/0xd8) +[] (consume_skb) from [] (ieee80211_rx_napi+0x150/0x82c [mac80211]) +[] (ieee80211_rx_napi [mac80211]) from [] (ath10k_htt_t2h_msg_handler+0x15e8/0x19c4 [ath10k_core]) +[] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_t2h_msg_handler+0x16d4/0x19c4 [ath10k_core]) +[] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_txrx_compl_task+0xdfc/0x12cc [ath10k_core]) +[] (ath10k_htt_txrx_compl_task [ath10k_core]) from [] (ath10k_pci_napi_poll+0x68/0xf4 [ath10k_pci]) +[] (ath10k_pci_napi_poll [ath10k_pci]) from [] (net_rx_action+0x100/0x33c) +[] (net_rx_action) from [] (__do_softirq+0x228/0x31c) +[] (__do_softirq) from [] (irq_exit+0xa4/0x114) + +The trace points to a corrupt skb inside kfree_skb(), seemingly because +one of the shared skb queues is getting corrupted. Most of the skb queues +ath10k uses are local to a single call stack, but three are shared among +multiple codepaths: + + - rx_msdus_q, + - rx_in_ord_compl_q, and + - tx_fetch_ind_q + +Of the three, the first two are manipulated using the unlocked skb_queue +functions without any additional lock protecting them. Use the locked +variants of skb_queue_* functions to protect these manipulations. + +Signed-off-by: Bob Copeland +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -1089,7 +1089,7 @@ static void ath10k_htt_rx_h_queue_msdu(s + status = IEEE80211_SKB_RXCB(skb); + *status = *rx_status; + +- __skb_queue_tail(&ar->htt.rx_msdus_q, skb); ++ skb_queue_tail(&ar->htt.rx_msdus_q, skb); + } + + static void ath10k_process_rx(struct ath10k *ar, struct sk_buff *skb) +@@ -2810,7 +2810,7 @@ bool ath10k_htt_t2h_msg_handler(struct a + break; + } + case HTT_T2H_MSG_TYPE_RX_IN_ORD_PADDR_IND: { +- __skb_queue_tail(&htt->rx_in_ord_compl_q, skb); ++ skb_queue_tail(&htt->rx_in_ord_compl_q, skb); + return false; + } + case HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND: +@@ -2874,7 +2874,7 @@ static int ath10k_htt_rx_deliver_msdu(st + if (skb_queue_empty(&ar->htt.rx_msdus_q)) + break; + +- skb = __skb_dequeue(&ar->htt.rx_msdus_q); ++ skb = skb_dequeue(&ar->htt.rx_msdus_q); + if (!skb) + break; + ath10k_process_rx(ar, skb); +@@ -2905,7 +2905,7 @@ int ath10k_htt_txrx_compl_task(struct at + goto exit; + } + +- while ((skb = __skb_dequeue(&htt->rx_in_ord_compl_q))) { ++ while ((skb = skb_dequeue(&htt->rx_in_ord_compl_q))) { + spin_lock_bh(&htt->rx_ring.lock); + ret = ath10k_htt_rx_in_ord_ind(ar, skb); + spin_unlock_bh(&htt->rx_ring.lock); diff --git a/queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch b/queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch new file mode 100644 index 00000000000..f143c08573d --- /dev/null +++ b/queue-4.18/audit-fix-extended-comparison-of-gid-egid.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "Ondrej Mosnáček" +Date: Tue, 5 Jun 2018 11:00:10 +0200 +Subject: audit: Fix extended comparison of GID/EGID + +From: "Ondrej Mosnáček" + +[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ] + +The audit_filter_rules() function in auditsc.c used the in_[e]group_p() +functions to check GID/EGID match, but these functions use the current +task's credentials, while the comparison should use the credentials of +the task given to audit_filter_rules() as a parameter (tsk). + +Note that we can use group_search(cred->group_info, ...) as a +replacement for both in_group_p and in_egroup_p as these functions only +compare the parameter to cred->fsgid/egid and then call group_search. + +In fact, the usage of in_group_p was even more incorrect: it compares to +cred->fsgid (which is usually equal to cred->egid) and not cred->gid. + +GitHub issue: +https://github.com/linux-audit/audit-kernel/issues/82 + +Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -494,20 +494,20 @@ static int audit_filter_rules(struct tas + result = audit_gid_comparator(cred->gid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_group_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = !in_group_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_EGID: + result = audit_gid_comparator(cred->egid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_egroup_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = !in_egroup_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_SGID: diff --git a/queue-4.18/bitfield-fix-_encode_bits.patch b/queue-4.18/bitfield-fix-_encode_bits.patch new file mode 100644 index 00000000000..75715bff64f --- /dev/null +++ b/queue-4.18/bitfield-fix-_encode_bits.patch @@ -0,0 +1,56 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Johannes Berg +Date: Wed, 20 Jun 2018 08:58:28 +0200 +Subject: bitfield: fix *_encode_bits() + +From: Johannes Berg + +[ Upstream commit e7d4a95da86e0b048702765bbdcdc968aaf312e7 ] + +There's a bug in *_encode_bits() in using ~field_multiplier() for +the check whether or not the constant value fits into the field, +this is wrong and clearly ~field_mask() was intended. This was +triggering for me for both constant and non-constant values. + +Additionally, make this case actually into an compile error. +Declaring the extern function that will never exist with just a +warning is pointless as then later we'll just get a link error. + +While at it, also fix the indentation in those lines I'm touching. + +Finally, as suggested by Andy Shevchenko, add some tests and for +that introduce also u8 helpers. The tests don't compile without +the fix, showing that it's necessary. + +Fixes: 00b0c9b82663 ("Add primitives for manipulating bitfields both in host- and fixed-endian.") +Reviewed-by: Andy Shevchenko +Signed-off-by: Johannes Berg +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/bitfield.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/include/linux/bitfield.h ++++ b/include/linux/bitfield.h +@@ -104,7 +104,7 @@ + (typeof(_mask))(((_reg) & (_mask)) >> __bf_shf(_mask)); \ + }) + +-extern void __compiletime_warning("value doesn't fit into mask") ++extern void __compiletime_error("value doesn't fit into mask") + __field_overflow(void); + extern void __compiletime_error("bad bitfield mask") + __bad_mask(void); +@@ -121,8 +121,8 @@ static __always_inline u64 field_mask(u6 + #define ____MAKE_OP(type,base,to,from) \ + static __always_inline __##type type##_encode_bits(base v, base field) \ + { \ +- if (__builtin_constant_p(v) && (v & ~field_multiplier(field))) \ +- __field_overflow(); \ ++ if (__builtin_constant_p(v) && (v & ~field_mask(field))) \ ++ __field_overflow(); \ + return to((v & field_mask(field)) * field_multiplier(field)); \ + } \ + static __always_inline __##type type##_replace_bits(__##type old, \ diff --git a/queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch b/queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch new file mode 100644 index 00000000000..2e6dbbe620b --- /dev/null +++ b/queue-4.18/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jian-Hong Pan +Date: Fri, 25 May 2018 17:54:52 +0800 +Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 + +From: Jian-Hong Pan + +[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ] + +Without this patch we cannot turn on the Bluethooth adapter on HP +14-bs007la. + +T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=b009 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=802.11n WLAN Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -374,6 +374,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8723DE Bluetooth devices */ ++ { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8821AE Bluetooth devices */ diff --git a/queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch b/queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch new file mode 100644 index 00000000000..7f9ae02a020 --- /dev/null +++ b/queue-4.18/brcmsmac-fix-wrap-around-in-conversion-from-constant-to-s16.patch @@ -0,0 +1,44 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Stefan Agner +Date: Sun, 17 Jun 2018 12:33:50 +0200 +Subject: brcmsmac: fix wrap around in conversion from constant to s16 + +From: Stefan Agner + +[ Upstream commit c9a61469fc97672a08b2f798830a55ea6e03dc4a ] + +The last value in the log_table wraps around to a negative value +since s16 has a value range of -32768 to 32767. This is not what +the table intends to represent. Use the closest positive value +32767. + +This fixes a warning seen with clang: +drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c:216:2: warning: + implicit conversion from 'int' to 's16' (aka 'short') changes +value from 32768 + to -32768 [-Wconstant-conversion] + 32768 + ^~~~~ +1 warning generated. + +Fixes: 4c0bfeaae9f9 ("brcmsmac: fix array out-of-bounds access in qm_log10") +Cc: Tobias Regnery +Signed-off-by: Stefan Agner +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/phy/phy_qmath.c +@@ -213,7 +213,7 @@ static const s16 log_table[] = { + 30498, + 31267, + 32024, +- 32768 ++ 32767 + }; + + #define LOG_TABLE_SIZE 32 /* log_table size */ diff --git a/queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch b/queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch new file mode 100644 index 00000000000..bc9c3b6d5c9 --- /dev/null +++ b/queue-4.18/crypto-skcipher-fix-wstringop-truncation-warnings.patch @@ -0,0 +1,63 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Stafford Horne +Date: Mon, 25 Jun 2018 21:45:37 +0900 +Subject: crypto: skcipher - Fix -Wstringop-truncation warnings + +From: Stafford Horne + +[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ] + +As of GCC 9.0.0 the build is reporting warnings like: + + crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’: + crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(rblkcipher.geniv)); + ~~~~~~~~~~~~~~~~~~~~~~~~~ + +This means the strnycpy might create a non null terminated string. Fix this by +explicitly performing '\0' termination. + +Cc: Greg Kroah-Hartman +Cc: Arnd Bergmann +Cc: Max Filippov +Cc: Eric Biggers +Cc: Nick Desaulniers +Signed-off-by: Stafford Horne +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/ablkcipher.c | 2 ++ + crypto/blkcipher.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -368,6 +368,7 @@ static int crypto_ablkcipher_report(stru + strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +@@ -442,6 +443,7 @@ static int crypto_givcipher_report(struc + strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +--- a/crypto/blkcipher.c ++++ b/crypto/blkcipher.c +@@ -510,6 +510,7 @@ static int crypto_blkcipher_report(struc + strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; diff --git a/queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch b/queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch new file mode 100644 index 00000000000..88df3f522b3 --- /dev/null +++ b/queue-4.18/cxgb4-fix-the-condition-to-check-if-the-card-is-t5.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Ganesh Goudar +Date: Wed, 4 Jul 2018 17:49:33 +0530 +Subject: cxgb4: Fix the condition to check if the card is T5 + +From: Ganesh Goudar + +[ Upstream commit dfecc759e64b0ea581468fe2359836f1998deac9 ] + +Use 'chip_ver' rather than 'chip' to check if the card +is T5. + +Fixes: e8d452923ae6 ("cxgb4: clean up init_one") +Signed-off-by: Ganesh Goudar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c +@@ -5705,7 +5705,7 @@ static int init_one(struct pci_dev *pdev + if (t4_read_reg(adapter, LE_DB_CONFIG_A) & HASHEN_F) { + u32 hash_base, hash_reg; + +- if (chip <= CHELSIO_T5) { ++ if (chip_ver <= CHELSIO_T5) { + hash_reg = LE_DB_TID_HASHBASE_A; + hash_base = t4_read_reg(adapter, hash_reg); + adapter->tids.hash_base = hash_base / 4; diff --git a/queue-4.18/documentation-process-fix-rest-table-border-error.patch b/queue-4.18/documentation-process-fix-rest-table-border-error.patch new file mode 100644 index 00000000000..48ba063ee9b --- /dev/null +++ b/queue-4.18/documentation-process-fix-rest-table-border-error.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Randy Dunlap +Date: Sat, 16 Jun 2018 19:02:03 -0700 +Subject: Documentation/process: fix reST table border error + +From: Randy Dunlap + +[ Upstream commit cccd289f12d0e827070c847b1ff96ba02eb20eaf ] + +Fix reST error in Documentation/process/: + +Documentation/process/2.Process.rst:131: ERROR: Malformed table. +Bottom/header table border does not match top border. + +Fixes: 8962e40c1993 ("docs: update kernel versions and dates in tables") + +Signed-off-by: Randy Dunlap +Cc: Jonathan Corbet +Cc: Tim Bird +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/2.Process.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/process/2.Process.rst ++++ b/Documentation/process/2.Process.rst +@@ -134,7 +134,7 @@ and their maintainers are: + 4.4 Greg Kroah-Hartman (very long-term stable kernel) + 4.9 Greg Kroah-Hartman + 4.14 Greg Kroah-Hartman +- ====== ====================== =========================== ++ ====== ====================== ============================== + + The selection of a kernel for long-term support is purely a matter of a + maintainer having the need and the time to maintain that release. There diff --git a/queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch b/queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch new file mode 100644 index 00000000000..aa3d7c71ab3 --- /dev/null +++ b/queue-4.18/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 12:36:25 +0800 +Subject: drivers/tty: add error handling for pcmcia_loop_config + +From: Zhouyang Jia + +[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ] + +When pcmcia_loop_config fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling pcmcia_loop_config. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/serial_cs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -638,8 +638,10 @@ static int serial_config(struct pcmcia_d + (link->has_func_id) && + (link->socket->pcmcia_pfc == 0) && + ((link->func_id == CISTPL_FUNCID_MULTI) || +- (link->func_id == CISTPL_FUNCID_SERIAL))) +- pcmcia_loop_config(link, serial_check_for_multi, info); ++ (link->func_id == CISTPL_FUNCID_SERIAL))) { ++ if (pcmcia_loop_config(link, serial_check_for_multi, info)) ++ goto failed; ++ } + + /* + * Apply any multi-port quirk. diff --git a/queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch b/queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch new file mode 100644 index 00000000000..ace8b6e4f77 --- /dev/null +++ b/queue-4.18/drm-amd-display-dc-dce-fix-multiple-potential-integer-overflows.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "Gustavo A. R. Silva" +Date: Wed, 4 Jul 2018 08:22:11 -0500 +Subject: drm/amd/display/dc/dce: Fix multiple potential integer overflows + +From: "Gustavo A. R. Silva" + +[ Upstream commit 6f3472a993e7cb63cde5d818dcabc8e42fc03744 ] + +Add suffix ULL to constant 5 and cast variables target_pix_clk_khz and +feedback_divider to uint64_t in order to avoid multiple potential integer +overflows and give the compiler complete information about the proper +arithmetic to use. + +Notice that such constant and variables are used in contexts that +expect expressions of type uint64_t (64 bits, unsigned). The current +casts to uint64_t effectively apply to each expression as a whole, +but they do not prevent them from being evaluated using 32-bit +arithmetic instead of 64-bit arithmetic. + +Also, once the expressions are properly evaluated using 64-bit +arithmentic, there is no need for the parentheses that enclose +them. + +Addresses-Coverity-ID: 1460245 ("Unintentional integer overflow") +Addresses-Coverity-ID: 1460286 ("Unintentional integer overflow") +Addresses-Coverity-ID: 1460401 ("Unintentional integer overflow") +Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)") +Signed-off-by: Gustavo A. R. Silva +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c ++++ b/drivers/gpu/drm/amd/display/dc/dce/dce_clock_source.c +@@ -133,7 +133,7 @@ static bool calculate_fb_and_fractional_ + uint64_t feedback_divider; + + feedback_divider = +- (uint64_t)(target_pix_clk_khz * ref_divider * post_divider); ++ (uint64_t)target_pix_clk_khz * ref_divider * post_divider; + feedback_divider *= 10; + /* additional factor, since we divide by 10 afterwards */ + feedback_divider *= (uint64_t)(calc_pll_cs->fract_fb_divider_factor); +@@ -145,8 +145,8 @@ static bool calculate_fb_and_fractional_ + * of fractional feedback decimal point and the fractional FB Divider precision + * is 2 then the equation becomes (ullfeedbackDivider + 5*100) / (10*100))*/ + +- feedback_divider += (uint64_t) +- (5 * calc_pll_cs->fract_fb_divider_precision_factor); ++ feedback_divider += 5ULL * ++ calc_pll_cs->fract_fb_divider_precision_factor; + feedback_divider = + div_u64(feedback_divider, + calc_pll_cs->fract_fb_divider_precision_factor * 10); +@@ -203,8 +203,8 @@ static bool calc_fb_divider_checking_tol + &fract_feedback_divider); + + /*Actual calculated value*/ +- actual_calc_clk_khz = (uint64_t)(feedback_divider * +- calc_pll_cs->fract_fb_divider_factor) + ++ actual_calc_clk_khz = (uint64_t)feedback_divider * ++ calc_pll_cs->fract_fb_divider_factor + + fract_feedback_divider; + actual_calc_clk_khz *= calc_pll_cs->ref_freq_khz; + actual_calc_clk_khz = diff --git a/queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch b/queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch new file mode 100644 index 00000000000..ac132c24920 --- /dev/null +++ b/queue-4.18/drm-amd-display-fix-use-of-uninitialized-memory.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Wesley Chalmers +Date: Tue, 29 May 2018 17:45:05 -0400 +Subject: drm/amd/display: fix use of uninitialized memory + +From: Wesley Chalmers + +[ Upstream commit f3e077d95ca0a016fdf3d6b1e97a9910dfdaff17 ] + +DML does not calculate chroma values for RQ when surface is not YUV, but DC +will unconditionally use the uninitialized values for HW programming. +This does not cause visual corruption since HW will ignore garbage chroma +values when surface is not YUV, but causes presubmission tests to fail +golden value comparison. + +Signed-off-by: Wesley Chalmers +Signed-off-by: Eryk Brol +Reviewed-by: Wenjing Liu +Acked-by: Harry Wentland +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c ++++ b/drivers/gpu/drm/amd/display/dc/dml/dml1_display_rq_dlg_calc.c +@@ -239,6 +239,8 @@ void dml1_extract_rq_regs( + extract_rq_sizing_regs(mode_lib, &(rq_regs->rq_regs_l), rq_param.sizing.rq_l); + if (rq_param.yuv420) + extract_rq_sizing_regs(mode_lib, &(rq_regs->rq_regs_c), rq_param.sizing.rq_c); ++ else ++ memset(&(rq_regs->rq_regs_c), 0, sizeof(rq_regs->rq_regs_c)); + + rq_regs->rq_regs_l.swath_height = dml_log2(rq_param.dlg.rq_l.swath_height); + rq_regs->rq_regs_c.swath_height = dml_log2(rq_param.dlg.rq_c.swath_height); diff --git a/queue-4.18/drm-omap-gem-fix-mm_list-locking.patch b/queue-4.18/drm-omap-gem-fix-mm_list-locking.patch new file mode 100644 index 00000000000..fbe3d575231 --- /dev/null +++ b/queue-4.18/drm-omap-gem-fix-mm_list-locking.patch @@ -0,0 +1,118 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Daniel Vetter +Date: Fri, 25 May 2018 19:39:24 +0300 +Subject: drm/omap: gem: Fix mm_list locking + +From: Daniel Vetter + +[ Upstream commit 5117bd898e8c0a31e8ab3a9b8523aecf0706e997 ] + +- None of the list walkings where protected. + +- Switch to a mutex since the list walking at device resume time can + sleep when pinning buffers through the tiler. + +Only thing we need to be careful with here is that while we walk the +list we can't unreference any gem objects, since the final unref would +result in a recursive deadlock. But the only functions that walk the +list is the device resume and debugfs dumping, so all safe. + +Signed-off-by: Daniel Vetter +Reviewed-by: Tomi Valkeinen +Reviewed-by: Laurent Pinchart +Signed-off-by: Laurent Pinchart +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_debugfs.c | 2 ++ + drivers/gpu/drm/omapdrm/omap_drv.c | 2 +- + drivers/gpu/drm/omapdrm/omap_drv.h | 2 +- + drivers/gpu/drm/omapdrm/omap_gem.c | 15 +++++++++------ + 4 files changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/omapdrm/omap_debugfs.c ++++ b/drivers/gpu/drm/omapdrm/omap_debugfs.c +@@ -37,7 +37,9 @@ static int gem_show(struct seq_file *m, + return ret; + + seq_printf(m, "All Objects:\n"); ++ mutex_lock(&priv->list_lock); + omap_gem_describe_objects(&priv->obj_list, m); ++ mutex_unlock(&priv->list_lock); + + mutex_unlock(&dev->struct_mutex); + +--- a/drivers/gpu/drm/omapdrm/omap_drv.c ++++ b/drivers/gpu/drm/omapdrm/omap_drv.c +@@ -540,7 +540,7 @@ static int omapdrm_init(struct omap_drm_ + priv->omaprev = soc ? (unsigned int)soc->data : 0; + priv->wq = alloc_ordered_workqueue("omapdrm", 0); + +- spin_lock_init(&priv->list_lock); ++ mutex_init(&priv->list_lock); + INIT_LIST_HEAD(&priv->obj_list); + + /* Allocate and initialize the DRM device. */ +--- a/drivers/gpu/drm/omapdrm/omap_drv.h ++++ b/drivers/gpu/drm/omapdrm/omap_drv.h +@@ -71,7 +71,7 @@ struct omap_drm_private { + struct workqueue_struct *wq; + + /* lock for obj_list below */ +- spinlock_t list_lock; ++ struct mutex list_lock; + + /* list of GEM objects: */ + struct list_head obj_list; +--- a/drivers/gpu/drm/omapdrm/omap_gem.c ++++ b/drivers/gpu/drm/omapdrm/omap_gem.c +@@ -1001,6 +1001,7 @@ int omap_gem_resume(struct drm_device *d + struct omap_gem_object *omap_obj; + int ret = 0; + ++ mutex_lock(&priv->list_lock); + list_for_each_entry(omap_obj, &priv->obj_list, mm_list) { + if (omap_obj->block) { + struct drm_gem_object *obj = &omap_obj->base; +@@ -1012,12 +1013,14 @@ int omap_gem_resume(struct drm_device *d + omap_obj->roll, true); + if (ret) { + dev_err(dev->dev, "could not repin: %d\n", ret); +- return ret; ++ goto done; + } + } + } + +- return 0; ++done: ++ mutex_unlock(&priv->list_lock); ++ return ret; + } + #endif + +@@ -1085,9 +1088,9 @@ void omap_gem_free_object(struct drm_gem + + WARN_ON(!mutex_is_locked(&dev->struct_mutex)); + +- spin_lock(&priv->list_lock); ++ mutex_lock(&priv->list_lock); + list_del(&omap_obj->mm_list); +- spin_unlock(&priv->list_lock); ++ mutex_unlock(&priv->list_lock); + + /* this means the object is still pinned.. which really should + * not happen. I think.. +@@ -1206,9 +1209,9 @@ struct drm_gem_object *omap_gem_new(stru + goto err_release; + } + +- spin_lock(&priv->list_lock); ++ mutex_lock(&priv->list_lock); + list_add(&omap_obj->mm_list, &priv->obj_list); +- spin_unlock(&priv->list_lock); ++ mutex_unlock(&priv->list_lock); + + return obj; + diff --git a/queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch b/queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch new file mode 100644 index 00000000000..8c87c59705d --- /dev/null +++ b/queue-4.18/drm-sun4i-enable-dw-hdmi-phy-clock.patch @@ -0,0 +1,61 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jernej Skrabec +Date: Mon, 25 Jun 2018 14:02:56 +0200 +Subject: drm/sun4i: Enable DW HDMI PHY clock + +From: Jernej Skrabec + +[ Upstream commit 09773c532d30187f86a142901c27c93e629ce6ba ] + +Current DW HDMI PHY code never prepares and enables PHY clock after it is +created. It's just used as it is. This may work in some cases, but it's +clearly wrong. Fix it by adding proper calls to enable/disable PHY +clock. + +Fixes: 4f86e81748fe ("drm/sun4i: Add support for H3 HDMI PHY variant") + +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-17-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c ++++ b/drivers/gpu/drm/sun4i/sun8i_hdmi_phy.c +@@ -477,13 +477,15 @@ int sun8i_hdmi_phy_probe(struct sun8i_dw + dev_err(dev, "Couldn't create the PHY clock\n"); + goto err_put_clk_pll0; + } ++ ++ clk_prepare_enable(phy->clk_phy); + } + + phy->rst_phy = of_reset_control_get_shared(node, "phy"); + if (IS_ERR(phy->rst_phy)) { + dev_err(dev, "Could not get phy reset control\n"); + ret = PTR_ERR(phy->rst_phy); +- goto err_put_clk_pll0; ++ goto err_disable_clk_phy; + } + + ret = reset_control_deassert(phy->rst_phy); +@@ -514,6 +516,8 @@ err_deassert_rst_phy: + reset_control_assert(phy->rst_phy); + err_put_rst_phy: + reset_control_put(phy->rst_phy); ++err_disable_clk_phy: ++ clk_disable_unprepare(phy->clk_phy); + err_put_clk_pll0: + if (phy->variant->has_phy_clk) + clk_put(phy->clk_pll0); +@@ -531,6 +535,7 @@ void sun8i_hdmi_phy_remove(struct sun8i_ + + clk_disable_unprepare(phy->clk_mod); + clk_disable_unprepare(phy->clk_bus); ++ clk_disable_unprepare(phy->clk_phy); + + reset_control_assert(phy->rst_phy); + diff --git a/queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch b/queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch new file mode 100644 index 00000000000..0f04d307f79 --- /dev/null +++ b/queue-4.18/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jernej Skrabec +Date: Mon, 25 Jun 2018 14:02:46 +0200 +Subject: drm/sun4i: Fix releasing node when enumerating enpoints + +From: Jernej Skrabec + +[ Upstream commit 367c359aa8637b15ee8df6335c5a29b7623966ec ] + +sun4i_drv_add_endpoints() has a memory leak since it uses of_node_put() +when remote is equal to NULL and does nothing when remote has a valid +pointer. + +Invert the logic to fix memory leak. + +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-7-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -283,7 +283,6 @@ static int sun4i_drv_add_endpoints(struc + remote = of_graph_get_remote_port_parent(ep); + if (!remote) { + DRM_DEBUG_DRIVER("Error retrieving the output node\n"); +- of_node_put(remote); + continue; + } + +@@ -297,11 +296,13 @@ static int sun4i_drv_add_endpoints(struc + + if (of_graph_parse_endpoint(ep, &endpoint)) { + DRM_DEBUG_DRIVER("Couldn't parse endpoint\n"); ++ of_node_put(remote); + continue; + } + + if (!endpoint.id) { + DRM_DEBUG_DRIVER("Endpoint is our panel... skipping\n"); ++ of_node_put(remote); + continue; + } + } diff --git a/queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch b/queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch new file mode 100644 index 00000000000..e6b1141d940 --- /dev/null +++ b/queue-4.18/drm-v3d-take-a-lock-across-gpu-scheduler-job-creation-and-queuing.patch @@ -0,0 +1,74 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Eric Anholt +Date: Wed, 6 Jun 2018 10:48:51 -0700 +Subject: drm/v3d: Take a lock across GPU scheduler job creation and queuing. + +From: Eric Anholt + +[ Upstream commit 7122b68b8a9692dcc3acf89595f04c492872115f ] + +Between creation and queueing of a job, you need to prevent any other +job from being created and queued. Otherwise the scheduler's fences +may be signaled out of seqno order. + +v2: move mutex unlock to the error label. + +Signed-off-by: Eric Anholt +Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+") +Link: https://patchwork.freedesktop.org/patch/msgid/20180606174851.12433-1-eric@anholt.net +Reviewed-by: Lucas Stach +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/v3d/v3d_drv.h | 5 +++++ + drivers/gpu/drm/v3d/v3d_gem.c | 4 ++++ + 2 files changed, 9 insertions(+) + +--- a/drivers/gpu/drm/v3d/v3d_drv.h ++++ b/drivers/gpu/drm/v3d/v3d_drv.h +@@ -85,6 +85,11 @@ struct v3d_dev { + */ + struct mutex reset_lock; + ++ /* Lock taken when creating and pushing the GPU scheduler ++ * jobs, to keep the sched-fence seqnos in order. ++ */ ++ struct mutex sched_lock; ++ + struct { + u32 num_allocated; + u32 pages_allocated; +--- a/drivers/gpu/drm/v3d/v3d_gem.c ++++ b/drivers/gpu/drm/v3d/v3d_gem.c +@@ -550,6 +550,7 @@ v3d_submit_cl_ioctl(struct drm_device *d + if (ret) + goto fail; + ++ mutex_lock(&v3d->sched_lock); + if (exec->bin.start != exec->bin.end) { + ret = drm_sched_job_init(&exec->bin.base, + &v3d->queue[V3D_BIN].sched, +@@ -576,6 +577,7 @@ v3d_submit_cl_ioctl(struct drm_device *d + kref_get(&exec->refcount); /* put by scheduler job completion */ + drm_sched_entity_push_job(&exec->render.base, + &v3d_priv->sched_entity[V3D_RENDER]); ++ mutex_unlock(&v3d->sched_lock); + + v3d_attach_object_fences(exec); + +@@ -594,6 +596,7 @@ v3d_submit_cl_ioctl(struct drm_device *d + return 0; + + fail_unreserve: ++ mutex_unlock(&v3d->sched_lock); + v3d_unlock_bo_reservations(dev, exec, &acquire_ctx); + fail: + v3d_exec_put(exec); +@@ -615,6 +618,7 @@ v3d_gem_init(struct drm_device *dev) + spin_lock_init(&v3d->job_lock); + mutex_init(&v3d->bo_lock); + mutex_init(&v3d->reset_lock); ++ mutex_init(&v3d->sched_lock); + + /* Note: We don't allocate address 0. Various bits of HW + * treat 0 as special, such as the occlusion query counters diff --git a/queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch b/queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch new file mode 100644 index 00000000000..9fa4d5dfe33 --- /dev/null +++ b/queue-4.18/drm-vc4-add-missing-formats-to-vc4_format_mod_supported.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Eric Anholt +Date: Fri, 16 Mar 2018 15:04:34 -0700 +Subject: drm/vc4: Add missing formats to vc4_format_mod_supported(). + +From: Eric Anholt + +[ Upstream commit 1e871d65e375280757833d9fce91dda71980bdf5 ] + +Daniel's format_mod_supported() patch predated Dave's for NV21/61, and +I didn't catch that when rebasing. This is a problem since the +formats are now getting validated before being passed to the driver's +atomic hooks. + +Signed-off-by: Eric Anholt +Acked-by: Daniel Stone +Cc: Dave Stevenson +Fixes: 423ad7b3cbd1 ("drm/vc4: Advertise supported modifiers for planes") +Link: https://patchwork.freedesktop.org/patch/msgid/20180316220435.31416-2-eric@anholt.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vc4/vc4_plane.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -874,7 +874,9 @@ static bool vc4_format_mod_supported(str + case DRM_FORMAT_YUV420: + case DRM_FORMAT_YVU420: + case DRM_FORMAT_NV12: ++ case DRM_FORMAT_NV21: + case DRM_FORMAT_NV16: ++ case DRM_FORMAT_NV61: + default: + return (modifier == DRM_FORMAT_MOD_LINEAR); + } diff --git a/queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch b/queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch new file mode 100644 index 00000000000..f34de1261ea --- /dev/null +++ b/queue-4.18/drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Maxime Ripard +Date: Thu, 17 May 2018 15:37:59 +0200 +Subject: drm/vc4: plane: Expand the lower bits by repeating the higher bits + +From: Maxime Ripard + +[ Upstream commit 3257ec797d3a8c5232389eb1952d4451e80f3931 ] + +The vc4 HVS uses an internal RGB888 representation of the frames, and will +by default expand formats using a lower depth using zeros. + +This causes an issue when we try to use other compositing software such as +pixman that fill the missing bits by repeating the higher significant bits. +As such, we can't check the display output in a reliable way by doing a +software composition and an hardware one and compare both. + +To prevent this, force the same behaviour so that we can do such things. + +Signed-off-by: Maxime Ripard +Signed-off-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20180517133759.25626-1-maxime.ripard@bootlin.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vc4/vc4_plane.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -543,6 +543,7 @@ static int vc4_plane_mode_set(struct drm + /* Control word */ + vc4_dlist_write(vc4_state, + SCALER_CTL0_VALID | ++ VC4_SET_FIELD(SCALER_CTL0_RGBA_EXPAND_ROUND, SCALER_CTL0_RGBA_EXPAND) | + (format->pixel_order << SCALER_CTL0_ORDER_SHIFT) | + (format->hvs << SCALER_CTL0_PIXEL_FORMAT_SHIFT) | + VC4_SET_FIELD(tiling, SCALER_CTL0_TILING) | diff --git a/queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch b/queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch new file mode 100644 index 00000000000..19f8868c5be --- /dev/null +++ b/queue-4.18/edac-altera-fix-an-error-handling-path-in-altr_s10_sdram_probe.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Christophe JAILLET +Date: Sun, 10 Jun 2018 19:45:32 +0200 +Subject: EDAC, altera: Fix an error handling path in altr_s10_sdram_probe() + +From: Christophe JAILLET + +[ Upstream commit 9d72fe1ce81bc757ecb6d57b58e5fd95b9ad1b26 ] + +If regmap_write() fails, we should release some resources as done in all +the other error handling paths of the function. + +Signed-off-by: Christophe JAILLET +Reviewed-by: Thor Thayer +Cc: linux-edac +Link: http://lkml.kernel.org/r/20180610174532.22071-1-christophe.jaillet@wanadoo.fr +Fixes: e9918d7fafae ("EDAC, altera: Handle SDRAM Uncorrectable Errors on Stratix10") +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/altera_edac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/edac/altera_edac.c ++++ b/drivers/edac/altera_edac.c +@@ -730,7 +730,8 @@ static int altr_s10_sdram_probe(struct p + S10_DDR0_IRQ_MASK)) { + edac_printk(KERN_ERR, EDAC_MC, + "Error clearing SDRAM ECC count\n"); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err2; + } + + if (regmap_update_bits(drvdata->mc_vbase, priv->ecc_irq_en_offset, diff --git a/queue-4.18/edac-fix-memleak-in-module-init-error-path.patch b/queue-4.18/edac-fix-memleak-in-module-init-error-path.patch new file mode 100644 index 00000000000..4a6e5b598b8 --- /dev/null +++ b/queue-4.18/edac-fix-memleak-in-module-init-error-path.patch @@ -0,0 +1,46 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Johan Hovold +Date: Tue, 12 Jun 2018 14:43:34 +0200 +Subject: EDAC: Fix memleak in module init error path + +From: Johan Hovold + +[ Upstream commit 4708aa85d50cc6e962dfa8acf5ad4e0d290a21db ] + +Make sure to use put_device() to free the initialised struct device so +that resources managed by driver core also gets released in the event of +a registration failure. + +Signed-off-by: Johan Hovold +Cc: Denis Kirjanov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 2d56b109e3a5 ("EDAC: Handle error path in edac_mc_sysfs_init() properly") +Link: http://lkml.kernel.org/r/20180612124335.6420-1-johan@kernel.org +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/edac_mc_sysfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -1075,14 +1075,14 @@ int __init edac_mc_sysfs_init(void) + + err = device_add(mci_pdev); + if (err < 0) +- goto out_dev_free; ++ goto out_put_device; + + edac_dbg(0, "device %s created\n", dev_name(mci_pdev)); + + return 0; + +- out_dev_free: +- kfree(mci_pdev); ++ out_put_device: ++ put_device(mci_pdev); + out: + return err; + } diff --git a/queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch b/queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch new file mode 100644 index 00000000000..31781d2fac2 --- /dev/null +++ b/queue-4.18/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch @@ -0,0 +1,81 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Johan Hovold +Date: Tue, 12 Jun 2018 14:43:35 +0200 +Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove + +From: Johan Hovold + +[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ] + +Make sure to free and deregister the addrmatch and chancounts devices +allocated during probe in all error paths. Also fix use-after-free in a +probe error path and in the remove success path where the devices were +being put before before deregistration. + +Signed-off-by: Johan Hovold +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy") +Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/i7core_edac.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/edac/i7core_edac.c ++++ b/drivers/edac/i7core_edac.c +@@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->addrmatch_dev); + if (rc < 0) +- return rc; ++ goto err_put_addrmatch; + + if (!pvt->is_registered) { + pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev), + GFP_KERNEL); + if (!pvt->chancounts_dev) { +- put_device(pvt->addrmatch_dev); +- device_del(pvt->addrmatch_dev); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto err_del_addrmatch; + } + + pvt->chancounts_dev->type = &all_channel_counts_type; +@@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->chancounts_dev); + if (rc < 0) +- return rc; ++ goto err_put_chancounts; + } + return 0; ++ ++err_put_chancounts: ++ put_device(pvt->chancounts_dev); ++err_del_addrmatch: ++ device_del(pvt->addrmatch_dev); ++err_put_addrmatch: ++ put_device(pvt->addrmatch_dev); ++ ++ return rc; + } + + static void i7core_delete_sysfs_devices(struct mem_ctl_info *mci) +@@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices( + edac_dbg(1, "\n"); + + if (!pvt->is_registered) { +- put_device(pvt->chancounts_dev); + device_del(pvt->chancounts_dev); ++ put_device(pvt->chancounts_dev); + } +- put_device(pvt->addrmatch_dev); + device_del(pvt->addrmatch_dev); ++ put_device(pvt->addrmatch_dev); + } + + /**************************************************************************** diff --git a/queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch b/queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch new file mode 100644 index 00000000000..15866888e8d --- /dev/null +++ b/queue-4.18/fs-lock-skip-lock-owner-pid-translation-in-case-we-are-in-init_pid_ns.patch @@ -0,0 +1,64 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Konstantin Khorenko +Date: Fri, 8 Jun 2018 17:27:11 +0300 +Subject: fs/lock: skip lock owner pid translation in case we are in init_pid_ns + +From: Konstantin Khorenko + +[ Upstream commit 826d7bc9f013d01e92997883d2fd0c25f4af1f1c ] + +If the flock owner process is dead and its pid has been already freed, +pid translation won't work, but we still want to show flock owner pid +number when expecting /proc/$PID/fdinfo/$FD in init pidns. + +Reproducer: +process A process A1 process A2 +fork()---------> +exit() open() + flock() + fork()---------> + exit() sleep() + +Before the patch: +================ +(root@vz7)/: cat /proc/${PID_A2}/fdinfo/3 +pos: 4 +flags: 02100002 +mnt_id: 257 +lock: (root@vz7)/: + +After the patch: +=============== +(root@vz7)/:cat /proc/${PID_A2}/fdinfo/3 +pos: 4 +flags: 02100002 +mnt_id: 295 +lock: 1: FLOCK ADVISORY WRITE ${PID_A1} b6:f8a61:529946 0 EOF + +Fixes: 9d5b86ac13c5 ("fs/locks: Remove fl_nspid and use fs-specific l_pid for remote locks") +Signed-off-by: Konstantin Khorenko +Acked-by: Andrey Vagin +Reviewed-by: Benjamin Coddington +Signed-off-by: Jeff Layton +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/locks.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/locks.c ++++ b/fs/locks.c +@@ -2072,6 +2072,13 @@ static pid_t locks_translate_pid(struct + return -1; + if (IS_REMOTELCK(fl)) + return fl->fl_pid; ++ /* ++ * If the flock owner process is dead and its pid has been already ++ * freed, the translation below won't work, but we still want to show ++ * flock owner pid number in init pidns. ++ */ ++ if (ns == &init_pid_ns) ++ return (pid_t)fl->fl_pid; + + rcu_read_lock(); + pid = find_pid_ns(fl->fl_pid, &init_pid_ns); diff --git a/queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch b/queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch new file mode 100644 index 00000000000..989de84c74d --- /dev/null +++ b/queue-4.18/gpio-fix-wrong-rounding-in-gpio-menz127.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Nadav Amit +Date: Mon, 4 Jun 2018 06:58:14 -0700 +Subject: gpio: Fix wrong rounding in gpio-menz127 + +From: Nadav Amit + +[ Upstream commit 7279d9917560bbd0d82813d6bf00490a82c06783 ] + +men_z127_debounce() tries to round up and down, but uses functions which +are only suitable when the divider is a power of two, which is not the +case. Use the appropriate ones. + +Found by static check. Compile tested. + +Fixes: f436bc2726c64 ("gpio: add driver for MEN 16Z127 GPIO controller") +Signed-off-by: Nadav Amit +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-menz127.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-menz127.c ++++ b/drivers/gpio/gpio-menz127.c +@@ -56,9 +56,9 @@ static int men_z127_debounce(struct gpio + rnd = fls(debounce) - 1; + + if (rnd && (debounce & BIT(rnd - 1))) +- debounce = round_up(debounce, MEN_Z127_DB_MIN_US); ++ debounce = roundup(debounce, MEN_Z127_DB_MIN_US); + else +- debounce = round_down(debounce, MEN_Z127_DB_MIN_US); ++ debounce = rounddown(debounce, MEN_Z127_DB_MIN_US); + + if (debounce > MEN_Z127_DB_MAX_US) + debounce = MEN_Z127_DB_MAX_US; diff --git a/queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch b/queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch new file mode 100644 index 00000000000..977c8dce428 --- /dev/null +++ b/queue-4.18/gpio-tegra-fix-tegra_gpio_irq_set_type.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dmitry Osipenko +Date: Tue, 17 Jul 2018 19:10:38 +0300 +Subject: gpio: tegra: Fix tegra_gpio_irq_set_type() + +From: Dmitry Osipenko + +[ Upstream commit f78709a5d4114edc21a5d86586ed5e56e284f2bd ] + +Commit 36b312792b97 ("gpiolib: Respect error code of ->get_direction()") +broke tegra_gpio_irq_set_type() because requesting of GPIO direction must +be done after enabling GPIO function for a pin. + +This patch fixes drivers probe failure like this: + + gpio gpiochip0: (tegra-gpio): gpiochip_lock_as_irq: cannot get GPIO direction + tegra-gpio 6000d000.gpio: unable to lock Tegra GPIO 144 as IRQ + +Fixes: 36b312792b97 ("gpiolib: Respect error code of ->get_direction()") +Signed-off-by: Dmitry Osipenko +Acked-by: Jon Hunter +Tested-by: Jon Hunter +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-tegra.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/gpio/gpio-tegra.c ++++ b/drivers/gpio/gpio-tegra.c +@@ -323,13 +323,6 @@ static int tegra_gpio_irq_set_type(struc + return -EINVAL; + } + +- ret = gpiochip_lock_as_irq(&tgi->gc, gpio); +- if (ret) { +- dev_err(tgi->dev, +- "unable to lock Tegra GPIO %u as IRQ\n", gpio); +- return ret; +- } +- + spin_lock_irqsave(&bank->lvl_lock[port], flags); + + val = tegra_gpio_readl(tgi, GPIO_INT_LVL(tgi, gpio)); +@@ -342,6 +335,14 @@ static int tegra_gpio_irq_set_type(struc + tegra_gpio_mask_write(tgi, GPIO_MSK_OE(tgi, gpio), gpio, 0); + tegra_gpio_enable(tgi, gpio); + ++ ret = gpiochip_lock_as_irq(&tgi->gc, gpio); ++ if (ret) { ++ dev_err(tgi->dev, ++ "unable to lock Tegra GPIO %u as IRQ\n", gpio); ++ tegra_gpio_disable(tgi, gpio); ++ return ret; ++ } ++ + if (type & (IRQ_TYPE_LEVEL_LOW | IRQ_TYPE_LEVEL_HIGH)) + irq_set_handler_locked(d, handle_level_irq); + else if (type & (IRQ_TYPE_EDGE_FALLING | IRQ_TYPE_EDGE_RISING)) diff --git a/queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch b/queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch new file mode 100644 index 00000000000..8a9f8a9a2d3 --- /dev/null +++ b/queue-4.18/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Zhouyang Jia +Date: Thu, 14 Jun 2018 21:37:17 +0800 +Subject: HID: hid-ntrig: add error handling for sysfs_create_group + +From: Zhouyang Jia + +[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ] + +When sysfs_create_group fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling sysfs_create_group. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ntrig.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device + + ret = sysfs_create_group(&hdev->dev.kobj, + &ntrig_attribute_group); ++ if (ret) ++ hid_err(hdev, "cannot create sysfs group\n"); + + return 0; + err_free: diff --git a/queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch b/queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch new file mode 100644 index 00000000000..58d79225721 --- /dev/null +++ b/queue-4.18/hid-i2c-hid-use-devm-to-allocate-i2c_hid-struct.patch @@ -0,0 +1,69 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Stephen Boyd +Date: Thu, 21 Jun 2018 19:27:16 -0700 +Subject: HID: i2c-hid: Use devm to allocate i2c_hid struct + +From: Stephen Boyd + +[ Upstream commit d6f83894110de247a81392ab7ef89e5498df7e80 ] + +Use devm here to save some lines and prepare for bulk regulator usage in +this driver. Otherwise, when we devm bulk get regulators we'll free the +containing i2c_hid structure and try to put regulator pointers from +freed memory. + +Cc: Benjamin Tissoires +Cc: Hans de Goede +Cc: Andy Shevchenko +Cc: Dmitry Torokhov +Cc: Doug Anderson +Signed-off-by: Stephen Boyd +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/drivers/hid/i2c-hid/i2c-hid.c ++++ b/drivers/hid/i2c-hid/i2c-hid.c +@@ -1004,18 +1004,18 @@ static int i2c_hid_probe(struct i2c_clie + return client->irq; + } + +- ihid = kzalloc(sizeof(struct i2c_hid), GFP_KERNEL); ++ ihid = devm_kzalloc(&client->dev, sizeof(*ihid), GFP_KERNEL); + if (!ihid) + return -ENOMEM; + + if (client->dev.of_node) { + ret = i2c_hid_of_probe(client, &ihid->pdata); + if (ret) +- goto err; ++ return ret; + } else if (!platform_data) { + ret = i2c_hid_acpi_pdata(client, &ihid->pdata); + if (ret) +- goto err; ++ return ret; + } else { + ihid->pdata = *platform_data; + } +@@ -1128,7 +1128,6 @@ err_regulator: + + err: + i2c_hid_free_buffers(ihid); +- kfree(ihid); + return ret; + } + +@@ -1152,8 +1151,6 @@ static int i2c_hid_remove(struct i2c_cli + + regulator_disable(ihid->pdata.supply); + +- kfree(ihid); +- + return 0; + } + diff --git a/queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch b/queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch new file mode 100644 index 00000000000..240a4e6fca5 --- /dev/null +++ b/queue-4.18/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:32:12 +0300 +Subject: IB/core: type promotion bug in rdma_rw_init_one_mr() + +From: Dan Carpenter + +[ Upstream commit c2d7c8ff89b22ddefb1ac2986c0d48444a667689 ] + +"nents" is an unsigned int, so if ib_map_mr_sg() returns a negative +error code then it's type promoted to a high unsigned int which is +treated as success. + +Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API") +Signed-off-by: Dan Carpenter +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/rw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/rw.c ++++ b/drivers/infiniband/core/rw.c +@@ -87,7 +87,7 @@ static int rdma_rw_init_one_mr(struct ib + } + + ret = ib_map_mr_sg(reg->mr, sg, nents, &offset, PAGE_SIZE); +- if (ret < nents) { ++ if (ret < 0 || ret < nents) { + ib_mr_pool_put(qp, &qp->rdma_mrs, reg->mr); + return -EINVAL; + } diff --git a/queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch b/queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch new file mode 100644 index 00000000000..731ccc20308 --- /dev/null +++ b/queue-4.18/ib-mlx4-test-port-number-before-querying-type.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Tarick Bedeir +Date: Mon, 2 Jul 2018 14:02:34 -0700 +Subject: IB/mlx4: Test port number before querying type. + +From: Tarick Bedeir + +[ Upstream commit f1228867adaf8890826f2b59e4caddb1c5cc2df7 ] + +rdma_ah_find_type() can reach into ib_device->port_immutable with a +potentially out-of-bounds port number, so check that the port number is +valid first. + +Fixes: 44c58487d51a ("IB/core: Define 'ib' and 'roce' rdma_ah_attr types") +Signed-off-by: Tarick Bedeir +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx4/qp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx4/qp.c ++++ b/drivers/infiniband/hw/mlx4/qp.c +@@ -4047,9 +4047,9 @@ static void to_rdma_ah_attr(struct mlx4_ + u8 port_num = path->sched_queue & 0x40 ? 2 : 1; + + memset(ah_attr, 0, sizeof(*ah_attr)); +- ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, port_num); + if (port_num == 0 || port_num > dev->caps.num_ports) + return; ++ ah_attr->type = rdma_ah_find_type(&ibdev->ib_dev, port_num); + + if (ah_attr->type == RDMA_AH_ATTR_TYPE_ROCE) + rdma_ah_set_sl(ah_attr, ((path->sched_queue >> 3) & 0x7) | diff --git a/queue-4.18/ib-mlx5-fix-gre-flow-specification.patch b/queue-4.18/ib-mlx5-fix-gre-flow-specification.patch new file mode 100644 index 00000000000..2685c11cc9a --- /dev/null +++ b/queue-4.18/ib-mlx5-fix-gre-flow-specification.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Maor Gottlieb +Date: Sun, 1 Jul 2018 15:50:17 +0300 +Subject: IB/mlx5: Fix GRE flow specification + +From: Maor Gottlieb + +[ Upstream commit a93b632c4531ff50c43d658447a45cbc11f488fd ] + +Currently the driver sets the mask of the gre_protocol to 0xffff +without consideration in the user request. + +Fix it by copy the mask from the verbs spec. + +Fixes: da2f22ae7707 ("IB/mlx5: Add support for GRE flow specification") +Signed-off-by: Maor Gottlieb +Reviewed-by: Ariel Levkovich +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/mlx5/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/hw/mlx5/main.c ++++ b/drivers/infiniband/hw/mlx5/main.c +@@ -2699,7 +2699,7 @@ static int parse_flow_attr(struct mlx5_c + IPPROTO_GRE); + + MLX5_SET(fte_match_set_misc, misc_params_c, gre_protocol, +- 0xffff); ++ ntohs(ib_spec->gre.mask.protocol)); + MLX5_SET(fte_match_set_misc, misc_params_v, gre_protocol, + ntohs(ib_spec->gre.val.protocol)); + diff --git a/queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch b/queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch new file mode 100644 index 00000000000..6279eb8a060 --- /dev/null +++ b/queue-4.18/iio-104-quad-8-fix-off-by-one-error-in-register-selection.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: William Breathitt Gray +Date: Thu, 24 May 2018 16:37:46 -0400 +Subject: iio: 104-quad-8: Fix off-by-one error in register selection + +From: William Breathitt Gray + +[ Upstream commit 2873c3f0e2bd12a7612e905c920c058855f4072a ] + +The reset flags operation is selected by bit 2 in the "Reset and Load +Signals Decoders" register, not bit 1. + +Fixes: 28e5d3bb0325 ("iio: 104-quad-8: Add IIO support for the ACCES 104-QUAD-8") +Signed-off-by: William Breathitt Gray +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/counter/104-quad-8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/counter/104-quad-8.c ++++ b/drivers/iio/counter/104-quad-8.c +@@ -138,7 +138,7 @@ static int quad8_write_raw(struct iio_de + outb(val >> (8 * i), base_offset); + + /* Reset Borrow, Carry, Compare, and Sign flags */ +- outb(0x02, base_offset + 1); ++ outb(0x04, base_offset + 1); + /* Reset Error flag */ + outb(0x06, base_offset + 1); + diff --git a/queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch b/queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch new file mode 100644 index 00000000000..6be69340220 --- /dev/null +++ b/queue-4.18/iio-accel-adxl345-convert-address-field-usage-in-iio_chan_spec.patch @@ -0,0 +1,93 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Tue, 26 Jun 2018 00:22:41 +0900 +Subject: iio: accel: adxl345: convert address field usage in iio_chan_spec + +From: Akinobu Mita + +[ Upstream commit 9048f1f18a70a01eaa3c8e7166fdb2538929d780 ] + +Currently the address field in iio_chan_spec is filled with an accel +data register address for the corresponding axis. + +In preparation for adding calibration offset support, this sets the +address field to the index of accel data registers instead of the actual +register address. + +This change makes it easier to access both accel registers and +calibration offset registers with fewer lines of code as these are +located in X-axis, Y-axis, Z-axis order. + +Cc: Eva Rachel Retuya +Cc: Andy Shevchenko +Cc: Jonathan Cameron +Signed-off-by: Akinobu Mita +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/adxl345_core.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/iio/accel/adxl345_core.c ++++ b/drivers/iio/accel/adxl345_core.c +@@ -21,6 +21,8 @@ + #define ADXL345_REG_DATAX0 0x32 + #define ADXL345_REG_DATAY0 0x34 + #define ADXL345_REG_DATAZ0 0x36 ++#define ADXL345_REG_DATA_AXIS(index) \ ++ (ADXL345_REG_DATAX0 + (index) * sizeof(__le16)) + + #define ADXL345_POWER_CTL_MEASURE BIT(3) + #define ADXL345_POWER_CTL_STANDBY 0x00 +@@ -47,19 +49,19 @@ struct adxl345_data { + u8 data_range; + }; + +-#define ADXL345_CHANNEL(reg, axis) { \ ++#define ADXL345_CHANNEL(index, axis) { \ + .type = IIO_ACCEL, \ + .modified = 1, \ + .channel2 = IIO_MOD_##axis, \ +- .address = reg, \ ++ .address = index, \ + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW), \ + .info_mask_shared_by_type = BIT(IIO_CHAN_INFO_SCALE), \ + } + + static const struct iio_chan_spec adxl345_channels[] = { +- ADXL345_CHANNEL(ADXL345_REG_DATAX0, X), +- ADXL345_CHANNEL(ADXL345_REG_DATAY0, Y), +- ADXL345_CHANNEL(ADXL345_REG_DATAZ0, Z), ++ ADXL345_CHANNEL(0, X), ++ ADXL345_CHANNEL(1, Y), ++ ADXL345_CHANNEL(2, Z), + }; + + static int adxl345_read_raw(struct iio_dev *indio_dev, +@@ -67,7 +69,7 @@ static int adxl345_read_raw(struct iio_d + int *val, int *val2, long mask) + { + struct adxl345_data *data = iio_priv(indio_dev); +- __le16 regval; ++ __le16 accel; + int ret; + + switch (mask) { +@@ -77,12 +79,13 @@ static int adxl345_read_raw(struct iio_d + * ADXL345_REG_DATA(X0/Y0/Z0) contain the least significant byte + * and ADXL345_REG_DATA(X0/Y0/Z0) + 1 the most significant byte + */ +- ret = regmap_bulk_read(data->regmap, chan->address, ®val, +- sizeof(regval)); ++ ret = regmap_bulk_read(data->regmap, ++ ADXL345_REG_DATA_AXIS(chan->address), ++ &accel, sizeof(accel)); + if (ret < 0) + return ret; + +- *val = sign_extend32(le16_to_cpu(regval), 12); ++ *val = sign_extend32(le16_to_cpu(accel), 12); + return IIO_VAL_INT; + case IIO_CHAN_INFO_SCALE: + *val = 0; diff --git a/queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch b/queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch new file mode 100644 index 00000000000..1d45b802ffe --- /dev/null +++ b/queue-4.18/iio-adc-ina2xx-avoid-kthread_stop-with-stale-task_struct.patch @@ -0,0 +1,80 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Mon, 25 Jun 2018 00:05:21 +0900 +Subject: iio: adc: ina2xx: avoid kthread_stop() with stale task_struct + +From: Akinobu Mita + +[ Upstream commit 7d6cd21d82bacab2d1786fe5e989e4815b75d9a3 ] + +When the buffer is enabled for ina2xx driver, a dedicated kthread is +invoked to capture mesurement data. When the buffer is disabled, the +kthread is stopped. + +However if the kthread gets register access errors, it immediately exits +and when the malfunctional buffer is disabled, the stale task_struct +pointer is accessed as there is no kthread to be stopped. + +A similar issue in the usbip driver is prevented by kthread_get_run and +kthread_stop_put helpers by increasing usage count of the task_struct. +This change applies the same solution. + +Cc: Stefan Brüns +Cc: Jonathan Cameron +Signed-off-by: Akinobu Mita +Fixes: c43a102e67db ("iio: ina2xx: add support for TI INA2xx Power Monitors") +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ina2xx-adc.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +--- a/drivers/iio/adc/ina2xx-adc.c ++++ b/drivers/iio/adc/ina2xx-adc.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -826,6 +827,7 @@ static int ina2xx_buffer_enable(struct i + { + struct ina2xx_chip_info *chip = iio_priv(indio_dev); + unsigned int sampling_us = SAMPLING_PERIOD(chip); ++ struct task_struct *task; + + dev_dbg(&indio_dev->dev, "Enabling buffer w/ scan_mask %02x, freq = %d, avg =%u\n", + (unsigned int)(*indio_dev->active_scan_mask), +@@ -835,11 +837,17 @@ static int ina2xx_buffer_enable(struct i + dev_dbg(&indio_dev->dev, "Async readout mode: %d\n", + chip->allow_async_readout); + +- chip->task = kthread_run(ina2xx_capture_thread, (void *)indio_dev, +- "%s:%d-%uus", indio_dev->name, indio_dev->id, +- sampling_us); ++ task = kthread_create(ina2xx_capture_thread, (void *)indio_dev, ++ "%s:%d-%uus", indio_dev->name, indio_dev->id, ++ sampling_us); ++ if (IS_ERR(task)) ++ return PTR_ERR(task); ++ ++ get_task_struct(task); ++ wake_up_process(task); ++ chip->task = task; + +- return PTR_ERR_OR_ZERO(chip->task); ++ return 0; + } + + static int ina2xx_buffer_disable(struct iio_dev *indio_dev) +@@ -848,6 +856,7 @@ static int ina2xx_buffer_disable(struct + + if (chip->task) { + kthread_stop(chip->task); ++ put_task_struct(chip->task); + chip->task = NULL; + } + diff --git a/queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch b/queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch new file mode 100644 index 00000000000..167abbe4568 --- /dev/null +++ b/queue-4.18/include-rdma-opa_addr.h-fix-an-endianness-issue.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Bart Van Assche +Date: Mon, 2 Jul 2018 10:06:51 -0700 +Subject: include/rdma/opa_addr.h: Fix an endianness issue + +From: Bart Van Assche + +[ Upstream commit 4eefd62c17a9a5e7576207e84f3d2b4f73aba750 ] + +IB_MULTICAST_LID_BASE is defined as follows: + + #define IB_MULTICAST_LID_BASE cpu_to_be16(0xC000) + +Hence use be16_to_cpu() to convert it to CPU endianness. Compile-tested +only. + +Fixes: af808ece5ce9 ("IB/SA: Check dlid before SA agent queries for ClassPortInfo") +Signed-off-by: Bart Van Assche +Cc: Venkata Sandeep Dhanalakota +Cc: Mike Marciniszyn +Cc: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/rdma/opa_addr.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/rdma/opa_addr.h ++++ b/include/rdma/opa_addr.h +@@ -120,7 +120,7 @@ static inline bool rdma_is_valid_unicast + if (attr->type == RDMA_AH_ATTR_TYPE_IB) { + if (!rdma_ah_get_dlid(attr) || + rdma_ah_get_dlid(attr) >= +- be32_to_cpu(IB_MULTICAST_LID_BASE)) ++ be16_to_cpu(IB_MULTICAST_LID_BASE)) + return false; + } else if (attr->type == RDMA_AH_ATTR_TYPE_OPA) { + if (!rdma_ah_get_dlid(attr) || diff --git a/queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch b/queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch new file mode 100644 index 00000000000..a97b89e22df --- /dev/null +++ b/queue-4.18/input-xen-kbdfront-fix-multi-touch-xenstore-node-s-locations.patch @@ -0,0 +1,53 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Oleksandr Andrushchenko +Date: Tue, 12 Jun 2018 15:03:36 -0700 +Subject: Input: xen-kbdfront - fix multi-touch XenStore node's locations + +From: Oleksandr Andrushchenko + +[ Upstream commit ce6f7d087e2b037f47349c1c36ac97678d02e394 ] + +kbdif protocol describes multi-touch device parameters as a +part of frontend's XenBus configuration nodes while they +belong to backend's configuration. Fix this by reading the +parameters as defined by the protocol. + +Fixes: 49aac8204da5 ("Input: xen-kbdfront - add multi-touch support") + +Signed-off-by: Oleksandr Andrushchenko +Reviewed-by: Juergen Gross +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/misc/xen-kbdfront.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/misc/xen-kbdfront.c ++++ b/drivers/input/misc/xen-kbdfront.c +@@ -229,7 +229,7 @@ static int xenkbd_probe(struct xenbus_de + } + } + +- touch = xenbus_read_unsigned(dev->nodename, ++ touch = xenbus_read_unsigned(dev->otherend, + XENKBD_FIELD_FEAT_MTOUCH, 0); + if (touch) { + ret = xenbus_write(XBT_NIL, dev->nodename, +@@ -304,13 +304,13 @@ static int xenkbd_probe(struct xenbus_de + if (!mtouch) + goto error_nomem; + +- num_cont = xenbus_read_unsigned(info->xbdev->nodename, ++ num_cont = xenbus_read_unsigned(info->xbdev->otherend, + XENKBD_FIELD_MT_NUM_CONTACTS, + 1); +- width = xenbus_read_unsigned(info->xbdev->nodename, ++ width = xenbus_read_unsigned(info->xbdev->otherend, + XENKBD_FIELD_MT_WIDTH, + XENFB_WIDTH); +- height = xenbus_read_unsigned(info->xbdev->nodename, ++ height = xenbus_read_unsigned(info->xbdev->otherend, + XENKBD_FIELD_MT_HEIGHT, + XENFB_HEIGHT); + diff --git a/queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch b/queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch new file mode 100644 index 00000000000..ef76c029004 --- /dev/null +++ b/queue-4.18/iomap-complete-partial-direct-i-o-writes-synchronously.patch @@ -0,0 +1,103 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Andreas Gruenbacher +Date: Tue, 19 Jun 2018 15:10:55 -0700 +Subject: iomap: complete partial direct I/O writes synchronously + +From: Andreas Gruenbacher + +[ Upstream commit ebf00be37de35788cad72f4f20b4a39e30c0be4a ] + +According to xfstest generic/240, applications seem to expect direct I/O +writes to either complete as a whole or to fail; short direct I/O writes +are apparently not appreciated. This means that when only part of an +asynchronous direct I/O write succeeds, we can either fail the entire +write, or we can wait for the partial write to complete and retry the +remaining write as buffered I/O. The old __blockdev_direct_IO helper +has code for waiting for partial writes to complete; the new +iomap_dio_rw iomap helper does not. + +The above mentioned fallback mode is needed for gfs2, which doesn't +allow block allocations under direct I/O to avoid taking cluster-wide +exclusive locks. As a consequence, an asynchronous direct I/O write to +a file range that contains a hole will result in a short write. In that +case, wait for the short write to complete to allow gfs2 to recover. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Christoph Hellwig +Reviewed-by: Darrick J. Wong +Signed-off-by: Darrick J. Wong +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/iomap.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/fs/iomap.c ++++ b/fs/iomap.c +@@ -811,6 +811,7 @@ struct iomap_dio { + atomic_t ref; + unsigned flags; + int error; ++ bool wait_for_completion; + + union { + /* used during submission and for synchronous completion: */ +@@ -914,9 +915,8 @@ static void iomap_dio_bio_end_io(struct + iomap_dio_set_error(dio, blk_status_to_errno(bio->bi_status)); + + if (atomic_dec_and_test(&dio->ref)) { +- if (is_sync_kiocb(dio->iocb)) { ++ if (dio->wait_for_completion) { + struct task_struct *waiter = dio->submit.waiter; +- + WRITE_ONCE(dio->submit.waiter, NULL); + wake_up_process(waiter); + } else if (dio->flags & IOMAP_DIO_WRITE) { +@@ -1131,13 +1131,12 @@ iomap_dio_rw(struct kiocb *iocb, struct + dio->end_io = end_io; + dio->error = 0; + dio->flags = 0; ++ dio->wait_for_completion = is_sync_kiocb(iocb); + + dio->submit.iter = iter; +- if (is_sync_kiocb(iocb)) { +- dio->submit.waiter = current; +- dio->submit.cookie = BLK_QC_T_NONE; +- dio->submit.last_queue = NULL; +- } ++ dio->submit.waiter = current; ++ dio->submit.cookie = BLK_QC_T_NONE; ++ dio->submit.last_queue = NULL; + + if (iov_iter_rw(iter) == READ) { + if (pos >= dio->i_size) +@@ -1187,7 +1186,7 @@ iomap_dio_rw(struct kiocb *iocb, struct + dio_warn_stale_pagecache(iocb->ki_filp); + ret = 0; + +- if (iov_iter_rw(iter) == WRITE && !is_sync_kiocb(iocb) && ++ if (iov_iter_rw(iter) == WRITE && !dio->wait_for_completion && + !inode->i_sb->s_dio_done_wq) { + ret = sb_init_dio_done_wq(inode->i_sb); + if (ret < 0) +@@ -1202,8 +1201,10 @@ iomap_dio_rw(struct kiocb *iocb, struct + iomap_dio_actor); + if (ret <= 0) { + /* magic error code to fall back to buffered I/O */ +- if (ret == -ENOTBLK) ++ if (ret == -ENOTBLK) { ++ dio->wait_for_completion = true; + ret = 0; ++ } + break; + } + pos += ret; +@@ -1224,7 +1225,7 @@ iomap_dio_rw(struct kiocb *iocb, struct + dio->flags &= ~IOMAP_DIO_NEED_SYNC; + + if (!atomic_dec_and_test(&dio->ref)) { +- if (!is_sync_kiocb(iocb)) ++ if (!dio->wait_for_completion) + return -EIOCBQUEUED; + + for (;;) { diff --git a/queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch b/queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch new file mode 100644 index 00000000000..e3824e96b23 --- /dev/null +++ b/queue-4.18/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Zhen Lei +Date: Wed, 6 Jun 2018 10:18:46 +0800 +Subject: iommu/amd: make sure TLB to be flushed before IOVA freed + +From: Zhen Lei + +[ Upstream commit 3c120143f584360a13614787e23ae2cdcb5e5ccd ] + +Although the mapping has already been removed in the page table, it maybe +still exist in TLB. Suppose the freed IOVAs is reused by others before the +flush operation completed, the new user can not correctly access to its +meomory. + +Signed-off-by: Zhen Lei +Fixes: b1516a14657a ('iommu/amd: Implement flush queue') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2405,9 +2405,9 @@ static void __unmap_single(struct dma_op + } + + if (amd_iommu_unmap_flush) { +- dma_ops_free_iova(dma_dom, dma_addr, pages); + domain_flush_tlb(&dma_dom->domain); + domain_flush_complete(&dma_dom->domain); ++ dma_ops_free_iova(dma_dom, dma_addr, pages); + } else { + pages = __roundup_pow_of_two(pages); + queue_iova(&dma_dom->iovad, dma_addr >> PAGE_SHIFT, pages, 0); diff --git a/queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch b/queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch new file mode 100644 index 00000000000..fa262a41012 --- /dev/null +++ b/queue-4.18/iommu-msm-don-t-call-iommu_device_-un-link-from-atomic-context.patch @@ -0,0 +1,109 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Niklas Cassel +Date: Tue, 12 Jun 2018 16:06:10 +0200 +Subject: iommu/msm: Don't call iommu_device_{,un}link from atomic context + +From: Niklas Cassel + +[ Upstream commit 379521462e4add27f3514da8e4ab1fd7a54fe1c7 ] + +Fixes the following splat during boot: + +BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747 +in_atomic(): 1, irqs_disabled(): 128, pid: 77, name: kworker/2:1 +4 locks held by kworker/2:1/77: + #0: (ptrval) ((wq_completion)"events"){+.+.}, at: process_one_work+0x1fc/0x8fc + #1: (ptrval) (deferred_probe_work){+.+.}, at: process_one_work+0x1fc/0x8fc + #2: (ptrval) (&dev->mutex){....}, at: __device_attach+0x40/0x178 + #3: (ptrval) (msm_iommu_lock){....}, at: msm_iommu_add_device+0x28/0xcc +irq event stamp: 348 +hardirqs last enabled at (347): [] kfree+0xe0/0x3c0 +hardirqs last disabled at (348): [] _raw_spin_lock_irqsave+0x2c/0x68 +softirqs last enabled at (0): [] copy_process.part.5+0x280/0x1a68 +softirqs last disabled at (0): [<00000000>] (null) +Preemption disabled at: +[<00000000>] (null) +CPU: 2 PID: 77 Comm: kworker/2:1 Not tainted 4.17.0-rc5-wt-ath-01075-gaca0516bb4cf #239 +Hardware name: Generic DT based system +Workqueue: events deferred_probe_work_func +[] (unwind_backtrace) from [] (show_stack+0x20/0x24) +[] (show_stack) from [] (dump_stack+0xa0/0xcc) +[] (dump_stack) from [] (___might_sleep+0x1f8/0x2d4) +ath10k_sdio mmc2:0001:1: Direct firmware load for ath10k/QCA9377/hw1.0/board-2.bin failed with error -2 +[] (___might_sleep) from [] (__might_sleep+0x70/0xa8) +[] (__might_sleep) from [] (__mutex_lock+0x50/0xb28) +[] (__mutex_lock) from [] (mutex_lock_nested+0x2c/0x34) +ath10k_sdio mmc2:0001:1: board_file api 1 bmi_id N/A crc32 544289f7 +[] (mutex_lock_nested) from [] (kernfs_find_and_get_ns+0x30/0x5c) +[] (kernfs_find_and_get_ns) from [] (sysfs_add_link_to_group+0x28/0x58) +[] (sysfs_add_link_to_group) from [] (iommu_device_link+0x50/0xb4) +[] (iommu_device_link) from [] (msm_iommu_add_device+0xa0/0xcc) +[] (msm_iommu_add_device) from [] (add_iommu_group+0x3c/0x64) +[] (add_iommu_group) from [] (bus_for_each_dev+0x84/0xc4) +[] (bus_for_each_dev) from [] (bus_set_iommu+0xd0/0x10c) +[] (bus_set_iommu) from [] (msm_iommu_probe+0x5b8/0x66c) +[] (msm_iommu_probe) from [] (platform_drv_probe+0x60/0xbc) +[] (platform_drv_probe) from [] (driver_probe_device+0x30c/0x4cc) +[] (driver_probe_device) from [] (__device_attach_driver+0xac/0x14c) +[] (__device_attach_driver) from [] (bus_for_each_drv+0x68/0xc8) +[] (bus_for_each_drv) from [] (__device_attach+0xe4/0x178) +[] (__device_attach) from [] (device_initial_probe+0x1c/0x20) +[] (device_initial_probe) from [] (bus_probe_device+0x98/0xa0) +[] (bus_probe_device) from [] (deferred_probe_work_func+0x74/0x198) +[] (deferred_probe_work_func) from [] (process_one_work+0x2c4/0x8fc) +[] (process_one_work) from [] (worker_thread+0x2c4/0x5cc) +[] (worker_thread) from [] (kthread+0x180/0x188) +[] (kthread) from [] (ret_from_fork+0x14/0x20) + +Fixes: 42df43b36163 ("iommu/msm: Make use of iommu_device_register interface") +Signed-off-by: Niklas Cassel +Reviewed-by: Vivek Gautam +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/msm_iommu.c | 16 +++++----------- + 1 file changed, 5 insertions(+), 11 deletions(-) + +--- a/drivers/iommu/msm_iommu.c ++++ b/drivers/iommu/msm_iommu.c +@@ -395,20 +395,15 @@ static int msm_iommu_add_device(struct d + struct msm_iommu_dev *iommu; + struct iommu_group *group; + unsigned long flags; +- int ret = 0; + + spin_lock_irqsave(&msm_iommu_lock, flags); +- + iommu = find_iommu_for_dev(dev); ++ spin_unlock_irqrestore(&msm_iommu_lock, flags); ++ + if (iommu) + iommu_device_link(&iommu->iommu, dev); + else +- ret = -ENODEV; +- +- spin_unlock_irqrestore(&msm_iommu_lock, flags); +- +- if (ret) +- return ret; ++ return -ENODEV; + + group = iommu_group_get_for_dev(dev); + if (IS_ERR(group)) +@@ -425,13 +420,12 @@ static void msm_iommu_remove_device(stru + unsigned long flags; + + spin_lock_irqsave(&msm_iommu_lock, flags); +- + iommu = find_iommu_for_dev(dev); ++ spin_unlock_irqrestore(&msm_iommu_lock, flags); ++ + if (iommu) + iommu_device_unlink(&iommu->iommu, dev); + +- spin_unlock_irqrestore(&msm_iommu_lock, flags); +- + iommu_group_remove_device(dev); + } + diff --git a/queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch b/queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch new file mode 100644 index 00000000000..2fbbc23ca31 --- /dev/null +++ b/queue-4.18/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch @@ -0,0 +1,72 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Guoqing Jiang +Date: Mon, 2 Jul 2018 16:26:24 +0800 +Subject: md-cluster: clear another node's suspend_area after the copy is finished + +From: Guoqing Jiang + +[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ] + +When one node leaves cluster or stops the resyncing +(resync or recovery) array, then other nodes need to +call recover_bitmaps to continue the unfinished task. + +But we need to clear suspend_area later after other +nodes copy the resync information to their bitmap +(by call bitmap_copy_from_slot). Otherwise, all nodes +could write to the suspend_area even the suspend_area +is not handled by any node, because area_resyncing +returns 0 at the beginning of raid1_write_request. +Which means one node could write suspend_area while +another node is resyncing the same area, then data +could be inconsistent. + +So let's clear suspend_area later to avoid above issue +with the protection of bm lock. Also it is straightforward +to clear suspend_area after nodes have copied the resync +info to bitmap. + +Signed-off-by: Guoqing Jiang +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-cluster.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -304,15 +304,6 @@ static void recover_bitmaps(struct md_th + while (cinfo->recovery_map) { + slot = fls64((u64)cinfo->recovery_map) - 1; + +- /* Clear suspend_area associated with the bitmap */ +- spin_lock_irq(&cinfo->suspend_lock); +- list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) +- if (slot == s->slot) { +- list_del(&s->list); +- kfree(s); +- } +- spin_unlock_irq(&cinfo->suspend_lock); +- + snprintf(str, 64, "bitmap%04d", slot); + bm_lockres = lockres_init(mddev, str, NULL, 1); + if (!bm_lockres) { +@@ -331,6 +322,16 @@ static void recover_bitmaps(struct md_th + pr_err("md-cluster: Could not copy data from bitmap %d\n", slot); + goto clear_bit; + } ++ ++ /* Clear suspend_area associated with the bitmap */ ++ spin_lock_irq(&cinfo->suspend_lock); ++ list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) ++ if (slot == s->slot) { ++ list_del(&s->list); ++ kfree(s); ++ } ++ spin_unlock_irq(&cinfo->suspend_lock); ++ + if (hi > 0) { + if (lo < mddev->recovery_cp) + mddev->recovery_cp = lo; diff --git a/queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch b/queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch new file mode 100644 index 00000000000..913516783c7 --- /dev/null +++ b/queue-4.18/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch @@ -0,0 +1,49 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Sylwester Nawrocki +Date: Tue, 15 May 2018 05:21:45 -0400 +Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() + +From: Sylwester Nawrocki + +[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ] + +This patch fixes potential NULL pointer dereference as indicated +by the following static checker warning: + +drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane() +error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'. + +Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") + +Reported-by: Dan Carpenter +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c +@@ -384,12 +384,17 @@ static void __isp_video_try_fmt(struct f + struct v4l2_pix_format_mplane *pixm, + const struct fimc_fmt **fmt) + { +- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ const struct fimc_fmt *__fmt; ++ ++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ ++ if (fmt) ++ *fmt = __fmt; + + pixm->colorspace = V4L2_COLORSPACE_SRGB; + pixm->field = V4L2_FIELD_NONE; +- pixm->num_planes = (*fmt)->memplanes; +- pixm->pixelformat = (*fmt)->fourcc; ++ pixm->num_planes = __fmt->memplanes; ++ pixm->pixelformat = __fmt->fourcc; + /* + * TODO: double check with the docmentation these width/height + * constraints are correct. diff --git a/queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch b/queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch new file mode 100644 index 00000000000..178d85a6b34 --- /dev/null +++ b/queue-4.18/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch @@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Alexey Khoroshilov +Date: Fri, 29 Jun 2018 17:49:22 -0400 +Subject: media: fsl-viu: fix error handling in viu_of_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ] + +viu_of_probe() ignores fails in i2c_get_adapter(), +tries to unlock uninitialized mutex on error path. + +The patch streamlining the error handling in viu_of_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/fsl-viu.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/media/platform/fsl-viu.c ++++ b/drivers/media/platform/fsl-viu.c +@@ -1414,7 +1414,7 @@ static int viu_of_probe(struct platform_ + sizeof(struct viu_reg), DRV_NAME)) { + dev_err(&op->dev, "Error while requesting mem region\n"); + ret = -EBUSY; +- goto err; ++ goto err_irq; + } + + /* remap registers */ +@@ -1422,7 +1422,7 @@ static int viu_of_probe(struct platform_ + if (!viu_regs) { + dev_err(&op->dev, "Can't map register set\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + /* Prepare our private structure */ +@@ -1430,7 +1430,7 @@ static int viu_of_probe(struct platform_ + if (!viu_dev) { + dev_err(&op->dev, "Can't allocate private structure\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + viu_dev->vr = viu_regs; +@@ -1446,16 +1446,21 @@ static int viu_of_probe(struct platform_ + ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev); + if (ret < 0) { + dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret); +- goto err; ++ goto err_irq; + } + + ad = i2c_get_adapter(0); ++ if (!ad) { ++ ret = -EFAULT; ++ dev_err(&op->dev, "couldn't get i2c adapter\n"); ++ goto err_v4l2; ++ } + + v4l2_ctrl_handler_init(&viu_dev->hdl, 5); + if (viu_dev->hdl.error) { + ret = viu_dev->hdl.error; + dev_err(&op->dev, "couldn't register control\n"); +- goto err_vdev; ++ goto err_i2c; + } + /* This control handler will inherit the control(s) from the + sub-device(s). */ +@@ -1471,7 +1476,7 @@ static int viu_of_probe(struct platform_ + vdev = video_device_alloc(); + if (vdev == NULL) { + ret = -ENOMEM; +- goto err_vdev; ++ goto err_hdl; + } + + *vdev = viu_template; +@@ -1492,7 +1497,7 @@ static int viu_of_probe(struct platform_ + ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1); + if (ret < 0) { + video_device_release(viu_dev->vdev); +- goto err_vdev; ++ goto err_unlock; + } + + /* enable VIU clock */ +@@ -1500,12 +1505,12 @@ static int viu_of_probe(struct platform_ + if (IS_ERR(clk)) { + dev_err(&op->dev, "failed to lookup the clock!\n"); + ret = PTR_ERR(clk); +- goto err_clk; ++ goto err_vdev; + } + ret = clk_prepare_enable(clk); + if (ret) { + dev_err(&op->dev, "failed to enable the clock!\n"); +- goto err_clk; ++ goto err_vdev; + } + viu_dev->clk = clk; + +@@ -1516,7 +1521,7 @@ static int viu_of_probe(struct platform_ + if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) { + dev_err(&op->dev, "Request VIU IRQ failed.\n"); + ret = -ENODEV; +- goto err_irq; ++ goto err_clk; + } + + mutex_unlock(&viu_dev->lock); +@@ -1524,16 +1529,19 @@ static int viu_of_probe(struct platform_ + dev_info(&op->dev, "Freescale VIU Video Capture Board\n"); + return ret; + +-err_irq: +- clk_disable_unprepare(viu_dev->clk); + err_clk: +- video_unregister_device(viu_dev->vdev); ++ clk_disable_unprepare(viu_dev->clk); + err_vdev: +- v4l2_ctrl_handler_free(&viu_dev->hdl); ++ video_unregister_device(viu_dev->vdev); ++err_unlock: + mutex_unlock(&viu_dev->lock); ++err_hdl: ++ v4l2_ctrl_handler_free(&viu_dev->hdl); ++err_i2c: + i2c_put_adapter(ad); ++err_v4l2: + v4l2_device_unregister(&viu_dev->v4l2_dev); +-err: ++err_irq: + irq_dispose_mapping(viu_irq); + return ret; + } diff --git a/queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch b/queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch new file mode 100644 index 00000000000..a8a104a446e --- /dev/null +++ b/queue-4.18/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Javier Martinez Canillas +Date: Sat, 9 Jun 2018 08:22:45 -0400 +Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data + +From: Javier Martinez Canillas + +[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ] + +The struct clk_init_data init variable is declared in the isp_xclk_init() +function so is an automatic variable allocated in the stack. But it's not +explicitly zero-initialized, so some init fields are left uninitialized. + +This causes the data structure to have undefined values that may confuse +the common clock framework when the clock is registered. + +For example, the uninitialized .flags field could have the CLK_IS_CRITICAL +bit set, causing the framework to wrongly prepare the clk on registration. +This leads to the isp_xclk_prepare() callback being called, which in turn +calls to the omap3isp_get() function that increments the isp dev refcount. + +Since this omap3isp_get() call is unexpected, this leads to an unbalanced +omap3isp_get() call that prevents the requested IRQ to be later enabled, +due the refcount not being 0 when the correct omap3isp_get() call happens. + +Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework") + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Sebastian Reichel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/omap3isp/isp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -300,7 +300,7 @@ static struct clk *isp_xclk_src_get(stru + static int isp_xclk_init(struct isp_device *isp) + { + struct device_node *np = isp->dev->of_node; +- struct clk_init_data init; ++ struct clk_init_data init = { 0 }; + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i) diff --git a/queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch b/queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch new file mode 100644 index 00000000000..c7a737054a7 --- /dev/null +++ b/queue-4.18/media-ov772x-add-checks-for-register-read-errors.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Sun, 6 May 2018 10:19:19 -0400 +Subject: media: ov772x: add checks for register read errors + +From: Akinobu Mita + +[ Upstream commit 30f3b17eaf4913e9e56be15915ce57aae69db701 ] + +This change adds checks for register read errors and returns correct +error code. + +Cc: Laurent Pinchart +Cc: Hans Verkuil +Reviewed-by: Jacopo Mondi +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov772x.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/ov772x.c ++++ b/drivers/media/i2c/ov772x.c +@@ -1136,7 +1136,7 @@ static int ov772x_set_fmt(struct v4l2_su + static int ov772x_video_probe(struct ov772x_priv *priv) + { + struct i2c_client *client = v4l2_get_subdevdata(&priv->subdev); +- u8 pid, ver; ++ int pid, ver, midh, midl; + const char *devname; + int ret; + +@@ -1146,7 +1146,11 @@ static int ov772x_video_probe(struct ov7 + + /* Check and show product ID and manufacturer ID. */ + pid = ov772x_read(client, PID); ++ if (pid < 0) ++ return pid; + ver = ov772x_read(client, VER); ++ if (ver < 0) ++ return ver; + + switch (VERSION(pid, ver)) { + case OV7720: +@@ -1162,13 +1166,17 @@ static int ov772x_video_probe(struct ov7 + goto done; + } + ++ midh = ov772x_read(client, MIDH); ++ if (midh < 0) ++ return midh; ++ midl = ov772x_read(client, MIDL); ++ if (midl < 0) ++ return midl; ++ + dev_info(&client->dev, + "%s Product ID %0x:%0x Manufacturer ID %x:%x\n", +- devname, +- pid, +- ver, +- ov772x_read(client, MIDH), +- ov772x_read(client, MIDL)); ++ devname, pid, ver, midh, midl); ++ + ret = v4l2_ctrl_handler_setup(&priv->hdl); + + done: diff --git a/queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch b/queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch new file mode 100644 index 00000000000..e4b2a69b987 --- /dev/null +++ b/queue-4.18/media-ov772x-allow-i2c-controllers-without-i2c_func_protocol_mangling.patch @@ -0,0 +1,72 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Sun, 6 May 2018 10:19:18 -0400 +Subject: media: ov772x: allow i2c controllers without I2C_FUNC_PROTOCOL_MANGLING + +From: Akinobu Mita + +[ Upstream commit 0b964d183cbf3f95a062ad9f3eec87ffa2790558 ] + +The ov772x driver only works when the i2c controller have +I2C_FUNC_PROTOCOL_MANGLING. However, many i2c controller drivers don't +support it. + +The reason that the ov772x requires I2C_FUNC_PROTOCOL_MANGLING is that +it doesn't support repeated starts. + +This changes the reading ov772x register method so that it doesn't +require I2C_FUNC_PROTOCOL_MANGLING by calling two separated i2c messages. + +Cc: Laurent Pinchart +Cc: Hans Verkuil +Cc: Wolfram Sang +Reviewed-by: Jacopo Mondi +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ov772x.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/drivers/media/i2c/ov772x.c ++++ b/drivers/media/i2c/ov772x.c +@@ -542,9 +542,19 @@ static struct ov772x_priv *to_ov772x(str + return container_of(sd, struct ov772x_priv, subdev); + } + +-static inline int ov772x_read(struct i2c_client *client, u8 addr) ++static int ov772x_read(struct i2c_client *client, u8 addr) + { +- return i2c_smbus_read_byte_data(client, addr); ++ int ret; ++ u8 val; ++ ++ ret = i2c_master_send(client, &addr, 1); ++ if (ret < 0) ++ return ret; ++ ret = i2c_master_recv(client, &val, 1); ++ if (ret < 0) ++ return ret; ++ ++ return val; + } + + static inline int ov772x_write(struct i2c_client *client, u8 addr, u8 value) +@@ -1263,13 +1273,11 @@ static int ov772x_probe(struct i2c_clien + return -EINVAL; + } + +- if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA | +- I2C_FUNC_PROTOCOL_MANGLING)) { ++ if (!i2c_check_functionality(adapter, I2C_FUNC_SMBUS_BYTE_DATA)) { + dev_err(&adapter->dev, +- "I2C-Adapter doesn't support SMBUS_BYTE_DATA or PROTOCOL_MANGLING\n"); ++ "I2C-Adapter doesn't support SMBUS_BYTE_DATA\n"); + return -EIO; + } +- client->flags |= I2C_CLIENT_SCCB; + + priv = devm_kzalloc(&client->dev, sizeof(*priv), GFP_KERNEL); + if (!priv) diff --git a/queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch b/queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch new file mode 100644 index 00000000000..67227a4d09b --- /dev/null +++ b/queue-4.18/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:01 -0400 +Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power + +From: Akinobu Mita + +[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ] + +When the subdevice doesn't provide s_power core ops callback, the +v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice +doesn't have the special handling for its power saving mode, the s_power +isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be +ignored. + +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Acked-by: Sylwester Nawrocki +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s3c-camif/camif-capture.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif + + if (camif->sensor.power_count == !on) + err = v4l2_subdev_call(sensor->sd, core, s_power, on); ++ if (err == -ENOIOCTLCMD) ++ err = 0; + if (!err) + sensor->power_count += on ? 1 : -1; + diff --git a/queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch b/queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch new file mode 100644 index 00000000000..0e940dbc0c5 --- /dev/null +++ b/queue-4.18/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:26 -0400 +Subject: media: soc_camera: ov772x: correct setting of banding filter + +From: Akinobu Mita + +[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ] + +The banding filter ON/OFF is controlled via bit 5 of COM8 register. It +is attempted to be enabled in ov772x_set_params() by the following line. + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); + +But this unexpectedly results disabling the banding filter, because the +mask and set bits are exclusive. + +On the other hand, ov772x_s_ctrl() correctly sets the bit by: + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + +The same fix was already applied to non-soc_camera version of ov772x +driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting +of banding filter") + +Cc: Jacopo Mondi +Cc: Laurent Pinchart +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/soc_camera/ov772x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/soc_camera/ov772x.c ++++ b/drivers/media/i2c/soc_camera/ov772x.c +@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77 + * set COM8 + */ + if (priv->band_filter) { +- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); ++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + if (!ret) + ret = ov772x_mask_set(client, BDBASE, + 0xff, 256 - priv->band_filter); diff --git a/queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch b/queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch new file mode 100644 index 00000000000..0e3cf85c5f5 --- /dev/null +++ b/queue-4.18/media-staging-imx-fill-vb2_v4l2_buffer-field-entry.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Peter Seiderer +Date: Thu, 15 Mar 2018 15:13:22 -0400 +Subject: media: staging/imx: fill vb2_v4l2_buffer field entry + +From: Peter Seiderer + +[ Upstream commit a38d4b71cb7a12b65317f4e3d59883a918957719 ] + +- fixes gstreamer v4l2src warning: + + 0:00:00.716640334 349 0x164f720 WARN v4l2bufferpool gstv4l2bufferpool.c:1195:gst_v4l2_buffer_pool_dqbuf: Driver should never set v4l2_buffer.field to ANY + +- fixes v4l2-compliance test failure: + + Streaming ioctls: + test read/write: OK (Not Supported) + Video Capture: + Buffer: 0 Sequence: 0 Field: Any Timestamp: 58.383658s + fail: v4l2-test-buffers.cpp(297): g_field() == V4L2_FIELD_ANY + +Signed-off-by: Peter Seiderer +Reviewed-by: Steve Longerbeam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/imx/imx-ic-prpencvf.c | 1 + + drivers/staging/media/imx/imx-media-csi.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/staging/media/imx/imx-ic-prpencvf.c ++++ b/drivers/staging/media/imx/imx-ic-prpencvf.c +@@ -210,6 +210,7 @@ static void prp_vb2_buf_done(struct prp_ + + done = priv->active_vb2_buf[priv->ipu_buf_num]; + if (done) { ++ done->vbuf.field = vdev->fmt.fmt.pix.field; + vb = &done->vbuf.vb2_buf; + vb->timestamp = ktime_get_ns(); + vb2_buffer_done(vb, priv->nfb4eof ? +--- a/drivers/staging/media/imx/imx-media-csi.c ++++ b/drivers/staging/media/imx/imx-media-csi.c +@@ -236,6 +236,7 @@ static void csi_vb2_buf_done(struct csi_ + + done = priv->active_vb2_buf[priv->ipu_buf_num]; + if (done) { ++ done->vbuf.field = vdev->fmt.fmt.pix.field; + vb = &done->vbuf.vb2_buf; + vb->timestamp = ktime_get_ns(); + vb2_buffer_done(vb, priv->nfb4eof ? diff --git a/queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch b/queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch new file mode 100644 index 00000000000..0add5e5f0c2 --- /dev/null +++ b/queue-4.18/media-tm6000-add-error-handling-for-dvb_register_adapter.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Zhouyang Jia +Date: Mon, 11 Jun 2018 00:39:20 -0400 +Subject: media: tm6000: add error handling for dvb_register_adapter + +From: Zhouyang Jia + +[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ] + +When dvb_register_adapter fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling dvb_register_adapter. + +Signed-off-by: Zhouyang Jia +[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter] +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -266,6 +266,11 @@ static int register_dvb(struct tm6000_co + + ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T", + THIS_MODULE, &dev->udev->dev, adapter_nr); ++ if (ret < 0) { ++ pr_err("tm6000: couldn't register the adapter!\n"); ++ goto err; ++ } ++ + dvb->adapter.priv = dev; + + if (dvb->frontend) { diff --git a/queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch b/queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch new file mode 100644 index 00000000000..73306edb7e0 --- /dev/null +++ b/queue-4.18/mips-boot-fix-build-rule-of-vmlinux.its.s.patch @@ -0,0 +1,45 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Masahiro Yamada +Date: Mon, 16 Apr 2018 23:47:43 +0900 +Subject: MIPS: boot: fix build rule of vmlinux.its.S + +From: Masahiro Yamada + +[ Upstream commit 67e09db507db3e1642ddce512a4313d20addd6e5 ] + +As Documentation/kbuild/makefile.txt says, it is a typical mistake +to forget the FORCE prerequisite for the rule invoked by if_changed. + +Add the FORCE to the prerequisite, but it must be filtered-out from +the files passed to the 'cat' command. Because this rule generates +.vmlinux.its.S.cmd, vmlinux.its.S must be specified as targets so +that the .cmd file is included. + +Signed-off-by: Masahiro Yamada +Patchwork: https://patchwork.linux-mips.org/patch/19097/ +Signed-off-by: Paul Burton +Cc: Kees Cook +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/boot/Makefile | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/mips/boot/Makefile ++++ b/arch/mips/boot/Makefile +@@ -118,10 +118,12 @@ ifeq ($(ADDR_BITS),64) + itb_addr_cells = 2 + endif + ++targets += vmlinux.its.S ++ + quiet_cmd_its_cat = CAT $@ +- cmd_its_cat = cat $^ >$@ ++ cmd_its_cat = cat $(filter-out $(PHONY), $^) >$@ + +-$(obj)/vmlinux.its.S: $(addprefix $(srctree)/arch/mips/$(PLATFORM)/,$(ITS_INPUTS)) ++$(obj)/vmlinux.its.S: $(addprefix $(srctree)/arch/mips/$(PLATFORM)/,$(ITS_INPUTS)) FORCE + $(call if_changed,its_cat) + + quiet_cmd_cpp_its_S = ITS $@ diff --git a/queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch b/queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch new file mode 100644 index 00000000000..2596976fc63 --- /dev/null +++ b/queue-4.18/misc-ibmvmc-use-gfp_atomic-under-spin-lock.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Wei Yongjun +Date: Sat, 26 May 2018 09:45:59 +0000 +Subject: misc: ibmvmc: Use GFP_ATOMIC under spin lock + +From: Wei Yongjun + +[ Upstream commit 97b715b62e5b4c6edb75d023f556fd09a46cb4e1 ] + +The function alloc_dma_buffer() is called from ibmvmc_add_buffer(), +in which a spin lock be held here, so we should use GFP_ATOMIC when +a lock is held. + +Fixes: 0eca353e7ae7 ("misc: IBM Virtual Management Channel Driver (VMC)") +Signed-off-by: Wei Yongjun +Reviewed-by: Bryant G. Ly +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/ibmvmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/ibmvmc.c ++++ b/drivers/misc/ibmvmc.c +@@ -273,7 +273,7 @@ static void *alloc_dma_buffer(struct vio + dma_addr_t *dma_handle) + { + /* allocate memory */ +- void *buffer = kzalloc(size, GFP_KERNEL); ++ void *buffer = kzalloc(size, GFP_ATOMIC); + + if (!buffer) { + *dma_handle = 0; diff --git a/queue-4.18/misc-sram-enable-clock-before-registering-regions.patch b/queue-4.18/misc-sram-enable-clock-before-registering-regions.patch new file mode 100644 index 00000000000..216cf4ddc07 --- /dev/null +++ b/queue-4.18/misc-sram-enable-clock-before-registering-regions.patch @@ -0,0 +1,66 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Johan Hovold +Date: Tue, 3 Jul 2018 12:05:48 +0200 +Subject: misc: sram: enable clock before registering regions + +From: Johan Hovold + +[ Upstream commit d5b9653dd2bb7a2b1c8cc783c5d3b607bbb6b271 ] + +Make sure to enable the clock before registering regions and exporting +partitions to user space at which point we must be prepared for I/O. + +Fixes: ee895ccdf776 ("misc: sram: fix enabled clock leak on error path") +Signed-off-by: Johan Hovold +Reviewed-by: Vladimir Zapolskiy +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/sram.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/misc/sram.c ++++ b/drivers/misc/sram.c +@@ -391,23 +391,23 @@ static int sram_probe(struct platform_de + if (IS_ERR(sram->pool)) + return PTR_ERR(sram->pool); + +- ret = sram_reserve_regions(sram, res); +- if (ret) +- return ret; +- + sram->clk = devm_clk_get(sram->dev, NULL); + if (IS_ERR(sram->clk)) + sram->clk = NULL; + else + clk_prepare_enable(sram->clk); + ++ ret = sram_reserve_regions(sram, res); ++ if (ret) ++ goto err_disable_clk; ++ + platform_set_drvdata(pdev, sram); + + init_func = of_device_get_match_data(&pdev->dev); + if (init_func) { + ret = init_func(); + if (ret) +- goto err_disable_clk; ++ goto err_free_partitions; + } + + dev_dbg(sram->dev, "SRAM pool: %zu KiB @ 0x%p\n", +@@ -415,10 +415,11 @@ static int sram_probe(struct platform_de + + return 0; + ++err_free_partitions: ++ sram_free_partitions(sram); + err_disable_clk: + if (sram->clk) + clk_disable_unprepare(sram->clk); +- sram_free_partitions(sram); + + return ret; + } diff --git a/queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch b/queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch new file mode 100644 index 00000000000..3bed8f1b7fc --- /dev/null +++ b/queue-4.18/module-exclude-shn_undef-symbols-from-kallsyms-api.patch @@ -0,0 +1,54 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jessica Yu +Date: Tue, 5 Jun 2018 10:22:52 +0200 +Subject: module: exclude SHN_UNDEF symbols from kallsyms api + +From: Jessica Yu + +[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ] + +Livepatch modules are special in that we preserve their entire symbol +tables in order to be able to apply relocations after module load. The +unwanted side effect of this is that undefined (SHN_UNDEF) symbols of +livepatch modules are accessible via the kallsyms api and this can +confuse symbol resolution in livepatch (klp_find_object_symbol()) and +cause subtle bugs in livepatch. + +Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols +are usually not available for normal modules anyway as we cut down their +symbol tables to just the core (non-undefined) symbols, so this should +really just affect livepatch modules. Note that this patch doesn't +affect the display of undefined symbols in /proc/kallsyms. + +Reported-by: Josh Poimboeuf +Tested-by: Josh Poimboeuf +Reviewed-by: Josh Poimboeuf +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/module.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -4067,7 +4067,7 @@ static unsigned long mod_find_symname(st + + for (i = 0; i < kallsyms->num_symtab; i++) + if (strcmp(name, symname(kallsyms, i)) == 0 && +- kallsyms->symtab[i].st_info != 'U') ++ kallsyms->symtab[i].st_shndx != SHN_UNDEF) + return kallsyms->symtab[i].st_value; + return 0; + } +@@ -4113,6 +4113,10 @@ int module_kallsyms_on_each_symbol(int ( + if (mod->state == MODULE_STATE_UNFORMED) + continue; + for (i = 0; i < kallsyms->num_symtab; i++) { ++ ++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) ++ continue; ++ + ret = fn(data, symname(kallsyms, i), + mod, kallsyms->symtab[i].st_value); + if (ret != 0) diff --git a/queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch b/queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch new file mode 100644 index 00000000000..9823d37c9a3 --- /dev/null +++ b/queue-4.18/mt76x2-fix-mrr-idx-count-estimation-in-mt76x2_mac_fill_tx_status.patch @@ -0,0 +1,42 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Lorenzo Bianconi +Date: Mon, 4 Jun 2018 11:19:41 +0200 +Subject: mt76x2: fix mrr idx/count estimation in mt76x2_mac_fill_tx_status() + +From: Lorenzo Bianconi + +[ Upstream commit 2d1e9be0016230f3707812243561fbd16f1aea4b ] + +Fix mcs and attempt count estimation in mt76x2_mac_fill_tx_status routine +if the number of tx retries reported by the hw is grater than +IEEE80211_TX_MAX_RATES + +Fixes: 7bc04215a66b ("mt76: add driver code for MT76x2e") +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76x2_mac.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c +@@ -439,15 +439,13 @@ mt76x2_mac_fill_tx_status(struct mt76x2_ + if (last_rate < IEEE80211_TX_MAX_RATES - 1) + rate[last_rate + 1].idx = -1; + +- cur_idx = rate[last_rate].idx + st->retry; ++ cur_idx = rate[last_rate].idx + last_rate; + for (i = 0; i <= last_rate; i++) { + rate[i].flags = rate[last_rate].flags; + rate[i].idx = max_t(int, 0, cur_idx - i); + rate[i].count = 1; + } +- +- if (last_rate > 0) +- rate[last_rate - 1].count = st->retry + 1 - last_rate; ++ rate[last_rate].count = st->retry + 1 - last_rate; + + info->status.ampdu_len = n_frames; + info->status.ampdu_ack_len = st->success ? n_frames : 0; diff --git a/queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch b/queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch new file mode 100644 index 00000000000..91fb1b9fb64 --- /dev/null +++ b/queue-4.18/mtd-rawnand-atmel-add-module-param-to-avoid-using-dma.patch @@ -0,0 +1,46 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Peter Rosin +Date: Thu, 29 Mar 2018 15:10:54 +0200 +Subject: mtd: rawnand: atmel: add module param to avoid using dma + +From: Peter Rosin + +[ Upstream commit efc6362c6f8c1e74b340e2611f1b35e7d557ce7b ] + +On a sama5d31 with a Full-HD dual LVDS panel (132MHz pixel clock) NAND +flash accesses have a tendency to cause display disturbances. Add a +module param to disable DMA from the NAND controller, since that fixes +the display problem for me. + +Signed-off-by: Peter Rosin +Reviewed-by: Boris Brezillon +Signed-off-by: Miquel Raynal +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/atmel/nand-controller.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/nand/raw/atmel/nand-controller.c ++++ b/drivers/mtd/nand/raw/atmel/nand-controller.c +@@ -129,6 +129,11 @@ + #define DEFAULT_TIMEOUT_MS 1000 + #define MIN_DMA_LEN 128 + ++static bool atmel_nand_avoid_dma __read_mostly; ++ ++MODULE_PARM_DESC(avoiddma, "Avoid using DMA"); ++module_param_named(avoiddma, atmel_nand_avoid_dma, bool, 0400); ++ + enum atmel_nand_rb_type { + ATMEL_NAND_NO_RB, + ATMEL_NAND_NATIVE_RB, +@@ -1977,7 +1982,7 @@ static int atmel_nand_controller_init(st + return ret; + } + +- if (nc->caps->has_dma) { ++ if (nc->caps->has_dma && !atmel_nand_avoid_dma) { + dma_cap_mask_t mask; + + dma_cap_zero(mask); diff --git a/queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch b/queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch new file mode 100644 index 00000000000..859962f1cb4 --- /dev/null +++ b/queue-4.18/net-hns3-fix-for-mac-pause-not-disable-in-pfc-mode.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Yunsheng Lin +Date: Fri, 6 Jul 2018 11:27:56 +0100 +Subject: net: hns3: Fix for mac pause not disable in pfc mode + +From: Yunsheng Lin + +[ Upstream commit 6d0ec65cb5810f9bf08671be008785bb8c84d39f ] + +When pfc pause mode is enable, the mac pause mode need to be +disabled, otherwise the pfc pause packet will not be sent when +congestion happens. + +This patch fixes by disabling the mac pause when pfc pause is +enabled. + +Fixes: 848440544b41 ("net: hns3: Add support of TX Scheduler & Shaper to HNS3 driver") +Signed-off-by: Yunsheng Lin +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c +@@ -1223,6 +1223,10 @@ static int hclge_mac_pause_setup_hw(stru + tx_en = true; + rx_en = true; + break; ++ case HCLGE_FC_PFC: ++ tx_en = false; ++ rx_en = false; ++ break; + default: + tx_en = true; + rx_en = true; +@@ -1240,8 +1244,9 @@ int hclge_pause_setup_hw(struct hclge_de + if (ret) + return ret; + +- if (hdev->tm_info.fc_mode != HCLGE_FC_PFC) +- return hclge_mac_pause_setup_hw(hdev); ++ ret = hclge_mac_pause_setup_hw(hdev); ++ if (ret) ++ return ret; + + /* Only DCB-supported dev supports qset back pressure and pfc cmd */ + if (!hnae3_dev_dcb_supported(hdev)) diff --git a/queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch b/queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch new file mode 100644 index 00000000000..b3d919264e3 --- /dev/null +++ b/queue-4.18/net-hns3-fix-for-mailbox-message-truncated-problem.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Fuyun Liang +Date: Fri, 6 Jul 2018 11:27:59 +0100 +Subject: net: hns3: Fix for mailbox message truncated problem + +From: Fuyun Liang + +[ Upstream commit ead5bd4d35c0a14d5ce1474177718c678dff5205 ] + +The payload of mailbox message is 16 byte and the value of +HCLGE_MBX_MAX_ARQ_MSG_SIZE is 8. A message truncated problem will +happen when mailbox message is converted to ARQ message. This patch +replaces HCLGE_MBX_MAX_ARQ_MSG_SIZE with the size of ARQ message in +hclgevf_mbx_handler to fix this problem. + +Fixes: b11a0bb231f3 ("net: hns3: Add mailbox support to VF driver") +Signed-off-by: Fuyun Liang +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c +@@ -208,7 +208,8 @@ void hclgevf_mbx_handler(struct hclgevf_ + + /* tail the async message in arq */ + msg_q = hdev->arq.msg_q[hdev->arq.tail]; +- memcpy(&msg_q[0], req->msg, HCLGE_MBX_MAX_ARQ_MSG_SIZE); ++ memcpy(&msg_q[0], req->msg, ++ HCLGE_MBX_MAX_ARQ_MSG_SIZE * sizeof(u16)); + hclge_mbx_tail_ptr_move_arq(hdev->arq); + hdev->arq.count++; + diff --git a/queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch b/queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch new file mode 100644 index 00000000000..832fab9742f --- /dev/null +++ b/queue-4.18/net-hns3-fix-get_vector-ops-in-hclgevf_main-module.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Yunsheng Lin +Date: Fri, 6 Jul 2018 11:28:02 +0100 +Subject: net: hns3: Fix get_vector ops in hclgevf_main module + +From: Yunsheng Lin + +[ Upstream commit 03718db97bfb57535f3aa8110f0cbe0c616a67c0 ] + +The hclgevf_free_vector function expects the caller to pass +the vector_id to it, and hclgevf_put_vector pass vector to +it now, which will cause vector allocation problem. + +This patch fixes it by converting vector into vector_id before +calling hclgevf_free_vector. + +Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") +Signed-off-by: Yunsheng Lin +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c +@@ -648,8 +648,17 @@ static int hclgevf_unmap_ring_from_vecto + static int hclgevf_put_vector(struct hnae3_handle *handle, int vector) + { + struct hclgevf_dev *hdev = hclgevf_ae_get_hdev(handle); ++ int vector_id; + +- hclgevf_free_vector(hdev, vector); ++ vector_id = hclgevf_get_vector_index(hdev, vector); ++ if (vector_id < 0) { ++ dev_err(&handle->pdev->dev, ++ "hclgevf_put_vector get vector index fail. ret =%d\n", ++ vector_id); ++ return vector_id; ++ } ++ ++ hclgevf_free_vector(hdev, vector_id); + + return 0; + } diff --git a/queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch b/queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch new file mode 100644 index 00000000000..c67ad14eb79 --- /dev/null +++ b/queue-4.18/net-hns3-fix-warning-bug-when-doing-lp-selftest.patch @@ -0,0 +1,57 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Yunsheng Lin +Date: Fri, 6 Jul 2018 11:28:01 +0100 +Subject: net: hns3: Fix warning bug when doing lp selftest + +From: Yunsheng Lin + +[ Upstream commit d7099d15478e89edb9bc6c6e3ab4cd341884a367 ] + +The napi_alloc_skb is excepted to be called under the +non-preemptible code path when it is called by hns3_clean_rx_ring +during loopback selftest, otherwise the below warning will be +logged: + +[ 92.420780] BUG: using smp_processor_id() in preemptible +[00000000] code: ethtool/1873 + +[ 92.463202] check_preemption_disabled+0xf8/0x100 +[ 92.467893] debug_smp_processor_id+0x1c/0x28 +[ 92.472239] __napi_alloc_skb+0x30/0x130 +[ 92.476158] hns3_clean_rx_ring+0x118/0x5f0 [hns3] +[ 92.480941] hns3_self_test+0x32c/0x4d0 [hns3] +[ 92.485375] ethtool_self_test+0xdc/0x1e8 +[ 92.489372] dev_ethtool+0x1020/0x1da8 +[ 92.493109] dev_ioctl+0x188/0x3a0 +[ 92.496499] sock_do_ioctl+0xf4/0x208 +[ 92.500148] sock_ioctl+0x228/0x3e8 +[ 92.503626] do_vfs_ioctl+0xc4/0x880 +[ 92.507189] SyS_ioctl+0x94/0xa8 +[ 92.510404] el0_svc_naked+0x30/0x34 + +This patch fix it by disabling preemption when calling +hns3_clean_rx_ring during loopback selftest. + +Fixes: c39c4d98dc65 ("net: hns3: Add mac loopback selftest support in hns3 driver") +Signed-off-by: Yunsheng Lin +Signed-off-by: Peng Li +Signed-off-by: Salil Mehta +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c ++++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c +@@ -201,7 +201,9 @@ static u32 hns3_lb_check_rx_ring(struct + rx_group = &ring->tqp_vector->rx_group; + pre_rx_pkt = rx_group->total_packets; + ++ preempt_disable(); + hns3_clean_rx_ring(ring, budget, hns3_lb_check_skb_data); ++ preempt_enable(); + + rcv_good_pkt_total += (rx_group->total_packets - pre_rx_pkt); + rx_group->total_packets = pre_rx_pkt; diff --git a/queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch b/queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch new file mode 100644 index 00000000000..95d857f47a2 --- /dev/null +++ b/queue-4.18/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch @@ -0,0 +1,90 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Brandon Maier +Date: Tue, 26 Jun 2018 12:50:48 -0500 +Subject: net: phy: xgmiitorgmii: Check phy_driver ready before accessing + +From: Brandon Maier + +[ Upstream commit ab4e6ee578e88a659938db8fbf33720bc048d29c ] + +Since a phy_device is added to the global mdio_bus list during +phy_device_register(), but a phy_device's phy_driver doesn't get +attached until phy_probe(). It's possible of_phy_find_device() in +xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to +a NULL pointer access during the memcpy(). + +Fixes this Oops: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0004000 +[00000000] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.40 #1 +Hardware name: Xilinx Zynq Platform +task: ce4c8d00 task.stack: ce4ca000 +PC is at memcpy+0x48/0x330 +LR is at xgmiitorgmii_probe+0x90/0xe8 +pc : [] lr : [] psr: 20000013 +sp : ce4cbb54 ip : 00000000 fp : ce4cbb8c +r10: 00000000 r9 : 00000000 r8 : c0c49178 +r7 : 00000000 r6 : cdc14718 r5 : ce762800 r4 : cdc14710 +r3 : 00000000 r2 : 00000054 r1 : 00000000 r0 : cdc14718 +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 18c5387d Table: 0000404a DAC: 00000051 +Process swapper/0 (pid: 1, stack limit = 0xce4ca210) +... +[] (memcpy) from [] (xgmiitorgmii_probe+0x90/0xe8) +[] (xgmiitorgmii_probe) from [] (mdio_probe+0x28/0x34) +[] (mdio_probe) from [] (driver_probe_device+0x254/0x414) +[] (driver_probe_device) from [] (__device_attach_driver+0xac/0x10c) +[] (__device_attach_driver) from [] (bus_for_each_drv+0x84/0xc8) +[] (bus_for_each_drv) from [] (__device_attach+0xd0/0x134) +[] (__device_attach) from [] (device_initial_probe+0x1c/0x20) +[] (device_initial_probe) from [] (bus_probe_device+0x98/0xa0) +[] (bus_probe_device) from [] (device_add+0x43c/0x5d0) +[] (device_add) from [] (mdio_device_register+0x34/0x80) +[] (mdio_device_register) from [] (of_mdiobus_register+0x170/0x30c) +[] (of_mdiobus_register) from [] (macb_probe+0x710/0xc00) +[] (macb_probe) from [] (platform_drv_probe+0x44/0x80) +[] (platform_drv_probe) from [] (driver_probe_device+0x254/0x414) +[] (driver_probe_device) from [] (__driver_attach+0x10c/0x118) +[] (__driver_attach) from [] (bus_for_each_dev+0x8c/0xd0) +[] (bus_for_each_dev) from [] (driver_attach+0x2c/0x30) +[] (driver_attach) from [] (bus_add_driver+0x50/0x260) +[] (bus_add_driver) from [] (driver_register+0x88/0x108) +[] (driver_register) from [] (__platform_driver_register+0x50/0x58) +[] (__platform_driver_register) from [] (macb_driver_init+0x24/0x28) +[] (macb_driver_init) from [] (do_one_initcall+0x60/0x1a4) +[] (do_one_initcall) from [] (kernel_init_freeable+0x15c/0x1f8) +[] (kernel_init_freeable) from [] (kernel_init+0x18/0x124) +[] (kernel_init) from [] (ret_from_fork+0x14/0x20) +Code: ba000002 f5d1f03c f5d1f05c f5d1f07c (e8b151f8) +---[ end trace 3e4ec21905820a1f ]--- + +Signed-off-by: Brandon Maier +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli + +Signed-off-by: David S. Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/xilinx_gmii2rgmii.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/phy/xilinx_gmii2rgmii.c ++++ b/drivers/net/phy/xilinx_gmii2rgmii.c +@@ -84,6 +84,11 @@ static int xgmiitorgmii_probe(struct mdi + return -EPROBE_DEFER; + } + ++ if (!priv->phy_dev->drv) { ++ dev_info(dev, "Attached phy not ready\n"); ++ return -EPROBE_DEFER; ++ } ++ + priv->addr = mdiodev->addr; + priv->phy_drv = priv->phy_dev->drv; + memcpy(&priv->conv_phy_drv, priv->phy_dev->drv, diff --git a/queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch b/queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch new file mode 100644 index 00000000000..e448209c103 --- /dev/null +++ b/queue-4.18/net-phy-xgmiitorgmii-check-read_status-results.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Brandon Maier +Date: Tue, 26 Jun 2018 12:50:50 -0500 +Subject: net: phy: xgmiitorgmii: Check read_status results + +From: Brandon Maier + +[ Upstream commit 8d0752d11312be830c33e84dfd1016e6a47c2938 ] + +We're ignoring the result of the attached phy device's read_status(). +Return it so we can detect errors. + +Signed-off-by: Brandon Maier +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/xilinx_gmii2rgmii.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/xilinx_gmii2rgmii.c ++++ b/drivers/net/phy/xilinx_gmii2rgmii.c +@@ -40,8 +40,11 @@ static int xgmiitorgmii_read_status(stru + { + struct gmii2rgmii *priv = phydev->priv; + u16 val = 0; ++ int err; + +- priv->phy_drv->read_status(phydev); ++ err = priv->phy_drv->read_status(phydev); ++ if (err < 0) ++ return err; + + val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG); + val &= ~XILINX_GMII2RGMII_SPEED_MASK; diff --git a/queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch b/queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch new file mode 100644 index 00000000000..ae39c8cd807 --- /dev/null +++ b/queue-4.18/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "J. Bruce Fields" +Date: Wed, 13 Jun 2018 15:21:35 -0400 +Subject: nfsd: fix corrupted reply to badly ordered compound + +From: "J. Bruce Fields" + +[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ] + +We're encoding a single op in the reply but leaving the number of ops +zero, so the reply makes no sense. + +Somewhat academic as this isn't a case any real client will hit, though +in theory perhaps that could change in a future protocol extension. + +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1726,6 +1726,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs + if (status) { + op = &args->ops[0]; + op->status = status; ++ resp->opcnt = 1; + goto encode_op; + } + diff --git a/queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch b/queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch new file mode 100644 index 00000000000..0571651b433 --- /dev/null +++ b/queue-4.18/perf-hw_breakpoint-split-attribute-parse-and-commit.patch @@ -0,0 +1,155 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Frederic Weisbecker +Date: Tue, 26 Jun 2018 04:58:48 +0200 +Subject: perf/hw_breakpoint: Split attribute parse and commit + +From: Frederic Weisbecker + +[ Upstream commit 9a4903dde2c8633c5fcf887b98c4e047a6154a54 ] + +arch_validate_hwbkpt_settings() mixes up attribute check and commit into +a single code entity. Therefore the validation may return an error due to +incorrect atributes while still leaving halfway modified architecture +breakpoint data. + +This is harmless when we deal with a new breakpoint but it becomes a +problem when we modify an existing breakpoint. + +Split attribute parse and commit to fix that. The architecture is +passed a "struct arch_hw_breakpoint" to fill on top of the new attr +and the core takes care about copying the backend data once it's fully +validated. The architectures then need to implement the new API. + +Original-patch-by: Andy Lutomirski +Reported-by: Linus Torvalds +Signed-off-by: Frederic Weisbecker +Cc: Alexander Shishkin +Cc: Andy Lutomirski +Cc: Arnaldo Carvalho de Melo +Cc: Arnaldo Carvalho de Melo +Cc: Benjamin Herrenschmidt +Cc: Catalin Marinas +Cc: Chris Zankel +Cc: Jiri Olsa +Cc: Joel Fernandes +Cc: Mark Rutland +Cc: Max Filippov +Cc: Michael Ellerman +Cc: Namhyung Kim +Cc: Paul Mackerras +Cc: Peter Zijlstra +Cc: Rich Felker +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: Yoshinori Sato +Link: http://lkml.kernel.org/r/1529981939-8231-2-git-send-email-frederic@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/hw_breakpoint.c | 57 ++++++++++++++++++++++++++++++------------ + 1 file changed, 41 insertions(+), 16 deletions(-) + +--- a/kernel/events/hw_breakpoint.c ++++ b/kernel/events/hw_breakpoint.c +@@ -400,16 +400,35 @@ int dbg_release_bp_slot(struct perf_even + return 0; + } + +-static int validate_hw_breakpoint(struct perf_event *bp) ++#ifndef hw_breakpoint_arch_parse ++int hw_breakpoint_arch_parse(struct perf_event *bp, ++ const struct perf_event_attr *attr, ++ struct arch_hw_breakpoint *hw) + { +- int ret; ++ int err; + +- ret = arch_validate_hwbkpt_settings(bp); +- if (ret) +- return ret; ++ err = arch_validate_hwbkpt_settings(bp); ++ if (err) ++ return err; ++ ++ *hw = bp->hw.info; ++ ++ return 0; ++} ++#endif ++ ++static int hw_breakpoint_parse(struct perf_event *bp, ++ const struct perf_event_attr *attr, ++ struct arch_hw_breakpoint *hw) ++{ ++ int err; ++ ++ err = hw_breakpoint_arch_parse(bp, attr, hw); ++ if (err) ++ return err; + + if (arch_check_bp_in_kernelspace(bp)) { +- if (bp->attr.exclude_kernel) ++ if (attr->exclude_kernel) + return -EINVAL; + /* + * Don't let unprivileged users set a breakpoint in the trap +@@ -424,19 +443,22 @@ static int validate_hw_breakpoint(struct + + int register_perf_hw_breakpoint(struct perf_event *bp) + { +- int ret; ++ struct arch_hw_breakpoint hw; ++ int err; + +- ret = reserve_bp_slot(bp); +- if (ret) +- return ret; +- +- ret = validate_hw_breakpoint(bp); ++ err = reserve_bp_slot(bp); ++ if (err) ++ return err; + +- /* if arch_validate_hwbkpt_settings() fails then release bp slot */ +- if (ret) ++ err = hw_breakpoint_parse(bp, &bp->attr, &hw); ++ if (err) { + release_bp_slot(bp); ++ return err; ++ } ++ ++ bp->hw.info = hw; + +- return ret; ++ return 0; + } + + /** +@@ -464,6 +486,7 @@ modify_user_hw_breakpoint_check(struct p + u64 old_len = bp->attr.bp_len; + int old_type = bp->attr.bp_type; + bool modify = attr->bp_type != old_type; ++ struct arch_hw_breakpoint hw; + int err = 0; + + bp->attr.bp_addr = attr->bp_addr; +@@ -473,7 +496,7 @@ modify_user_hw_breakpoint_check(struct p + if (check && memcmp(&bp->attr, attr, sizeof(*attr))) + return -EINVAL; + +- err = validate_hw_breakpoint(bp); ++ err = hw_breakpoint_parse(bp, attr, &hw); + if (!err && modify) + err = modify_bp_slot(bp, old_type); + +@@ -484,7 +507,9 @@ modify_user_hw_breakpoint_check(struct p + return err; + } + ++ bp->hw.info = hw; + bp->attr.disabled = attr->disabled; ++ + return 0; + } + diff --git a/queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch b/queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch new file mode 100644 index 00000000000..4c75d563acf --- /dev/null +++ b/queue-4.18/perf-tests-fix-indexing-when-invoking-subtests.patch @@ -0,0 +1,96 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Sandipan Das +Date: Thu, 26 Jul 2018 22:47:33 +0530 +Subject: perf tests: Fix indexing when invoking subtests + +From: Sandipan Das + +[ Upstream commit aa90f9f9554616d5738f7bedb4a8f0e5e14d1bc6 ] + +Recently, the subtest numbering was changed to start from 1. While it +is fine for displaying results, this should not be the case when the +subtests are actually invoked. + +Typically, the subtests are stored in zero-indexed arrays and invoked +based on the index passed to the main test function. Since the index +now starts from 1, the second subtest in the array (index 1) gets +invoked instead of the first (index 0). This applies to all of the +following subtests but for the last one, the subtest always fails +because it does not meet the boundary condition of the subtest index +being lesser than the number of subtests. + +This can be observed on powerpc64 and x86_64 systems running Fedora 28 +as shown below. + +Before: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : FAILED! + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : FAILED! + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : FAILED! + +After: + + # perf test "builtin clang support" + 55: builtin clang support : + 55.1: builtin clang compile C source to IR : Ok + 55.2: builtin clang compile C source to ELF object : Ok + + # perf test "LLVM search and compile" + 38: LLVM search and compile : + 38.1: Basic BPF llvm compile : Ok + 38.2: kbuild searching : Ok + 38.3: Compile source for BPF prologue generation : Ok + 38.4: Compile source for BPF relocation : Ok + + # perf test "BPF filter" + 40: BPF filter : + 40.1: Basic BPF filtering : Ok + 40.2: BPF pinning : Ok + 40.3: BPF prologue generation : Ok + 40.4: BPF relocation checker : Ok + +Signed-off-by: Sandipan Das +Reported-by: Arnaldo Carvalho de Melo +Tested-by: Arnaldo Carvalho de Melo +Cc: Heiko Carstens +Cc: Hendrik Brueckner +Cc: Jiri Olsa +Cc: Martin Schwidefsky +Cc: Naveen N. Rao +Cc: Ravi Bangoria +Cc: Thomas Richter +Fixes: 9ef0112442bd ("perf test: Fix subtest number when showing results") +Link: http://lkml.kernel.org/r/20180726171733.33208-1-sandipan@linux.ibm.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/builtin-test.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/builtin-test.c ++++ b/tools/perf/tests/builtin-test.c +@@ -385,7 +385,7 @@ static int test_and_print(struct test *t + if (!t->subtest.get_nr) + pr_debug("%s:", t->desc); + else +- pr_debug("%s subtest %d:", t->desc, subtest); ++ pr_debug("%s subtest %d:", t->desc, subtest + 1); + + switch (err) { + case TEST_OK: diff --git a/queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch b/queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch new file mode 100644 index 00000000000..b89f7312997 --- /dev/null +++ b/queue-4.18/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch @@ -0,0 +1,255 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Kan Liang +Date: Tue, 5 Jun 2018 08:38:45 -0700 +Subject: perf/x86/intel/lbr: Fix incomplete LBR call stack + +From: Kan Liang + +[ Upstream commit 0592e57b24e7e05ec1f4c50b9666c013abff7017 ] + +LBR has a limited stack size. If a task has a deeper call stack than +LBR's stack size, only the overflowed part is reported. A complete call +stack may not be reconstructed by perf tool. + +Current code doesn't access all LBR registers. It only read the ones +below the TOS. The LBR registers above the TOS will be discarded +unconditionally. + +When a CALL is captured, the TOS is incremented by 1 , modulo max LBR +stack size. The LBR HW only records the call stack information to the +register which the TOS points to. It will not touch other LBR +registers. So the registers above the TOS probably still store the valid +call stack information for an overflowed call stack, which need to be +reported. + +To retrieve complete call stack information, we need to start from TOS, +read all LBR registers until an invalid entry is detected. +0s can be used to detect the invalid entry, because: + + - When a RET is captured, the HW zeros the LBR register which TOS points + to, then decreases the TOS. + - The LBR registers are reset to 0 when adding a new LBR event or + scheduling an existing LBR event. + - A taken branch at IP 0 is not expected + +The context switch code is also modified to save/restore all valid LBR +registers. Furthermore, the LBR registers, which don't have valid call +stack information, need to be reset in restore, because they may be +polluted while swapped out. + +Here is a small test program, tchain_deep. +Its call stack is deeper than 32. + + noinline void f33(void) + { + int i; + + for (i = 0; i < 10000000;) { + if (i%2) + i++; + else + i++; + } + } + + noinline void f32(void) + { + f33(); + } + + noinline void f31(void) + { + f32(); + } + + ... ... + + noinline void f1(void) + { + f2(); + } + + int main() + { + f1(); + } + +Here is the test result on SKX. The max stack size of SKX is 32. + +Without the patch: + + $ perf record -e cycles --call-graph lbr -- ./tchain_deep + $ perf report --stdio + # + # Children Self Command Shared Object Symbol + # ........ ........ ........... ................ ................. + # + 100.00% 99.99% tchain_deep tchain_deep [.] f33 + | + --99.99%--f30 + f31 + f32 + f33 + +With the patch: + + $ perf record -e cycles --call-graph lbr -- ./tchain_deep + $ perf report --stdio + # Children Self Command Shared Object Symbol + # ........ ........ ........... ................ .................. + # + 99.99% 0.00% tchain_deep tchain_deep [.] f1 + | + ---f1 + f2 + f3 + f4 + f5 + f6 + f7 + f8 + f9 + f10 + f11 + f12 + f13 + f14 + f15 + f16 + f17 + f18 + f19 + f20 + f21 + f22 + f23 + f24 + f25 + f26 + f27 + f28 + f29 + f30 + f31 + f32 + f33 + +Signed-off-by: Kan Liang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Stephane Eranian +Cc: Vince Weaver +Cc: Alexander Shishkin +Cc: Thomas Gleixner +Cc: acme@kernel.org +Cc: eranian@google.com +Link: https://lore.kernel.org/lkml/1528213126-4312-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/lbr.c | 32 ++++++++++++++++++++++++++------ + arch/x86/events/perf_event.h | 1 + + 2 files changed, 27 insertions(+), 6 deletions(-) + +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -346,7 +346,7 @@ static void __intel_pmu_lbr_restore(stru + + mask = x86_pmu.lbr_nr - 1; + tos = task_ctx->tos; +- for (i = 0; i < tos; i++) { ++ for (i = 0; i < task_ctx->valid_lbrs; i++) { + lbr_idx = (tos - i) & mask; + wrlbr_from(lbr_idx, task_ctx->lbr_from[i]); + wrlbr_to (lbr_idx, task_ctx->lbr_to[i]); +@@ -354,6 +354,15 @@ static void __intel_pmu_lbr_restore(stru + if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) + wrmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]); + } ++ ++ for (; i < x86_pmu.lbr_nr; i++) { ++ lbr_idx = (tos - i) & mask; ++ wrlbr_from(lbr_idx, 0); ++ wrlbr_to(lbr_idx, 0); ++ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) ++ wrmsrl(MSR_LBR_INFO_0 + lbr_idx, 0); ++ } ++ + wrmsrl(x86_pmu.lbr_tos, tos); + task_ctx->lbr_stack_state = LBR_NONE; + } +@@ -361,7 +370,7 @@ static void __intel_pmu_lbr_restore(stru + static void __intel_pmu_lbr_save(struct x86_perf_task_context *task_ctx) + { + unsigned lbr_idx, mask; +- u64 tos; ++ u64 tos, from; + int i; + + if (task_ctx->lbr_callstack_users == 0) { +@@ -371,13 +380,17 @@ static void __intel_pmu_lbr_save(struct + + mask = x86_pmu.lbr_nr - 1; + tos = intel_pmu_lbr_tos(); +- for (i = 0; i < tos; i++) { ++ for (i = 0; i < x86_pmu.lbr_nr; i++) { + lbr_idx = (tos - i) & mask; +- task_ctx->lbr_from[i] = rdlbr_from(lbr_idx); ++ from = rdlbr_from(lbr_idx); ++ if (!from) ++ break; ++ task_ctx->lbr_from[i] = from; + task_ctx->lbr_to[i] = rdlbr_to(lbr_idx); + if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) + rdmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]); + } ++ task_ctx->valid_lbrs = i; + task_ctx->tos = tos; + task_ctx->lbr_stack_state = LBR_VALID; + } +@@ -531,7 +544,7 @@ static void intel_pmu_lbr_read_32(struct + */ + static void intel_pmu_lbr_read_64(struct cpu_hw_events *cpuc) + { +- bool need_info = false; ++ bool need_info = false, call_stack = false; + unsigned long mask = x86_pmu.lbr_nr - 1; + int lbr_format = x86_pmu.intel_cap.lbr_format; + u64 tos = intel_pmu_lbr_tos(); +@@ -542,7 +555,7 @@ static void intel_pmu_lbr_read_64(struct + if (cpuc->lbr_sel) { + need_info = !(cpuc->lbr_sel->config & LBR_NO_INFO); + if (cpuc->lbr_sel->config & LBR_CALL_STACK) +- num = tos; ++ call_stack = true; + } + + for (i = 0; i < num; i++) { +@@ -555,6 +568,13 @@ static void intel_pmu_lbr_read_64(struct + from = rdlbr_from(lbr_idx); + to = rdlbr_to(lbr_idx); + ++ /* ++ * Read LBR call stack entries ++ * until invalid entry (0s) is detected. ++ */ ++ if (call_stack && !from) ++ break; ++ + if (lbr_format == LBR_FORMAT_INFO && need_info) { + u64 info; + +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -648,6 +648,7 @@ struct x86_perf_task_context { + u64 lbr_to[MAX_LBR_ENTRIES]; + u64 lbr_info[MAX_LBR_ENTRIES]; + int tos; ++ int valid_lbrs; + int lbr_callstack_users; + int lbr_stack_state; + }; diff --git a/queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch b/queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch new file mode 100644 index 00000000000..e3ef7e7a7c5 --- /dev/null +++ b/queue-4.18/platform-x86-asus-wireless-fix-uninitialized-symbol-usage.patch @@ -0,0 +1,90 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "João Paulo Rechi Vita" +Date: Fri, 29 Jun 2018 15:12:46 -0700 +Subject: platform/x86: asus-wireless: Fix uninitialized symbol usage + +From: "João Paulo Rechi Vita" + +[ Upstream commit eca4c4e47eb0658ad251f0bff465e23c055377da ] + +'ret' will not be initialized if acpi_evaluate_integer() returns through +an error path, so it should not be used in this case. This fixes the +following Smatch static analyser error: + + drivers/platform/x86/asus-wireless.c:76 asus_wireless_method() error: + uninitialized symbol 'ret'. + +Reported-by: Dan Carpenter +Signed-off-by: João Paulo Rechi Vita +Signed-off-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-wireless.c | 23 +++++++++++++---------- + 1 file changed, 13 insertions(+), 10 deletions(-) + +--- a/drivers/platform/x86/asus-wireless.c ++++ b/drivers/platform/x86/asus-wireless.c +@@ -52,13 +52,12 @@ static const struct acpi_device_id devic + }; + MODULE_DEVICE_TABLE(acpi, device_ids); + +-static u64 asus_wireless_method(acpi_handle handle, const char *method, +- int param) ++static acpi_status asus_wireless_method(acpi_handle handle, const char *method, ++ int param, u64 *ret) + { + struct acpi_object_list p; + union acpi_object obj; + acpi_status s; +- u64 ret; + + acpi_handle_debug(handle, "Evaluating method %s, parameter %#x\n", + method, param); +@@ -67,24 +66,27 @@ static u64 asus_wireless_method(acpi_han + p.count = 1; + p.pointer = &obj; + +- s = acpi_evaluate_integer(handle, (acpi_string) method, &p, &ret); ++ s = acpi_evaluate_integer(handle, (acpi_string) method, &p, ret); + if (ACPI_FAILURE(s)) + acpi_handle_err(handle, + "Failed to eval method %s, param %#x (%d)\n", + method, param, s); +- acpi_handle_debug(handle, "%s returned %#llx\n", method, ret); +- return ret; ++ else ++ acpi_handle_debug(handle, "%s returned %#llx\n", method, *ret); ++ ++ return s; + } + + static enum led_brightness led_state_get(struct led_classdev *led) + { + struct asus_wireless_data *data; +- int s; ++ acpi_status s; ++ u64 ret; + + data = container_of(led, struct asus_wireless_data, led); + s = asus_wireless_method(acpi_device_handle(data->adev), "HSWC", +- data->hswc_params->status); +- if (s == data->hswc_params->on) ++ data->hswc_params->status, &ret); ++ if (ACPI_SUCCESS(s) && ret == data->hswc_params->on) + return LED_FULL; + return LED_OFF; + } +@@ -92,10 +94,11 @@ static enum led_brightness led_state_get + static void led_state_update(struct work_struct *work) + { + struct asus_wireless_data *data; ++ u64 ret; + + data = container_of(work, struct asus_wireless_data, led_work); + asus_wireless_method(acpi_device_handle(data->adev), "HSWC", +- data->led_state); ++ data->led_state, &ret); + } + + static void led_state_set(struct led_classdev *led, enum led_brightness value) diff --git a/queue-4.18/posix-timers-make-forward-callback-return-s64.patch b/queue-4.18/posix-timers-make-forward-callback-return-s64.patch new file mode 100644 index 00000000000..00998080c17 --- /dev/null +++ b/queue-4.18/posix-timers-make-forward-callback-return-s64.patch @@ -0,0 +1,86 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Thomas Gleixner +Date: Tue, 26 Jun 2018 15:21:31 +0200 +Subject: posix-timers: Make forward callback return s64 + +From: Thomas Gleixner + +[ Upstream commit 6fec64e1c92d5c715c6d0f50786daa7708266bde ] + +The posix timer ti_overrun handling is broken because the forwarding +functions can return a huge number of overruns which does not fit in an +int. As a consequence timer_getoverrun(2) and siginfo::si_overrun can turn +into random number generators. + +As a first step to address that let the timer_forward() callbacks return +the full 64 bit value. + +Cast it to (int) temporarily until k_itimer::ti_overrun is converted to +64bit and the conversion to user space visible values is sanitized. + +Reported-by: Team OWL337 +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Cc: Peter Zijlstra +Cc: Michael Kerrisk +Link: https://lkml.kernel.org/r/20180626132704.922098090@linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/alarmtimer.c | 4 ++-- + kernel/time/posix-timers.c | 6 +++--- + kernel/time/posix-timers.h | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -581,11 +581,11 @@ static void alarm_timer_rearm(struct k_i + * @timr: Pointer to the posixtimer data struct + * @now: Current time to forward the timer against + */ +-static int alarm_timer_forward(struct k_itimer *timr, ktime_t now) ++static s64 alarm_timer_forward(struct k_itimer *timr, ktime_t now) + { + struct alarm *alarm = &timr->it.alarm.alarmtimer; + +- return (int) alarm_forward(alarm, timr->it_interval, now); ++ return alarm_forward(alarm, timr->it_interval, now); + } + + /** +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -645,11 +645,11 @@ static ktime_t common_hrtimer_remaining( + return __hrtimer_expires_remaining_adjusted(timer, now); + } + +-static int common_hrtimer_forward(struct k_itimer *timr, ktime_t now) ++static s64 common_hrtimer_forward(struct k_itimer *timr, ktime_t now) + { + struct hrtimer *timer = &timr->it.real.timer; + +- return (int)hrtimer_forward(timer, now, timr->it_interval); ++ return hrtimer_forward(timer, now, timr->it_interval); + } + + /* +@@ -702,7 +702,7 @@ void common_timer_get(struct k_itimer *t + * expiry time forward by intervals, so expiry is > now. + */ + if (iv && (timr->it_requeue_pending & REQUEUE_PENDING || sig_none)) +- timr->it_overrun += kc->timer_forward(timr, now); ++ timr->it_overrun += (int)kc->timer_forward(timr, now); + + remaining = kc->timer_remaining(timr, now); + /* Return 0 only, when the timer is expired and not pending */ +--- a/kernel/time/posix-timers.h ++++ b/kernel/time/posix-timers.h +@@ -19,7 +19,7 @@ struct k_clock { + void (*timer_get)(struct k_itimer *timr, + struct itimerspec64 *cur_setting); + void (*timer_rearm)(struct k_itimer *timr); +- int (*timer_forward)(struct k_itimer *timr, ktime_t now); ++ s64 (*timer_forward)(struct k_itimer *timr, ktime_t now); + ktime_t (*timer_remaining)(struct k_itimer *timr, ktime_t now); + int (*timer_try_to_cancel)(struct k_itimer *timr); + void (*timer_arm)(struct k_itimer *timr, ktime_t expires, diff --git a/queue-4.18/posix-timers-sanitize-overrun-handling.patch b/queue-4.18/posix-timers-sanitize-overrun-handling.patch new file mode 100644 index 00000000000..ea16a586553 --- /dev/null +++ b/queue-4.18/posix-timers-sanitize-overrun-handling.patch @@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Thomas Gleixner +Date: Tue, 26 Jun 2018 15:21:32 +0200 +Subject: posix-timers: Sanitize overrun handling + +From: Thomas Gleixner + +[ Upstream commit 78c9c4dfbf8c04883941445a195276bb4bb92c76 ] + +The posix timer overrun handling is broken because the forwarding functions +can return a huge number of overruns which does not fit in an int. As a +consequence timer_getoverrun(2) and siginfo::si_overrun can turn into +random number generators. + +The k_clock::timer_forward() callbacks return a 64 bit value now. Make +k_itimer::ti_overrun[_last] 64bit as well, so the kernel internal +accounting is correct. 3Remove the temporary (int) casts. + +Add a helper function which clamps the overrun value returned to user space +via timer_getoverrun(2) or siginfo::si_overrun limited to a positive value +between 0 and INT_MAX. INT_MAX is an indicator for user space that the +overrun value has been clamped. + +Reported-by: Team OWL337 +Signed-off-by: Thomas Gleixner +Acked-by: John Stultz +Cc: Peter Zijlstra +Cc: Michael Kerrisk +Link: https://lkml.kernel.org/r/20180626132705.018623573@linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/posix-timers.h | 4 ++-- + kernel/time/posix-cpu-timers.c | 2 +- + kernel/time/posix-timers.c | 31 ++++++++++++++++++++----------- + 3 files changed, 23 insertions(+), 14 deletions(-) + +--- a/include/linux/posix-timers.h ++++ b/include/linux/posix-timers.h +@@ -95,8 +95,8 @@ struct k_itimer { + clockid_t it_clock; + timer_t it_id; + int it_active; +- int it_overrun; +- int it_overrun_last; ++ s64 it_overrun; ++ s64 it_overrun_last; + int it_requeue_pending; + int it_sigev_notify; + ktime_t it_interval; +--- a/kernel/time/posix-cpu-timers.c ++++ b/kernel/time/posix-cpu-timers.c +@@ -85,7 +85,7 @@ static void bump_cpu_timer(struct k_itim + continue; + + timer->it.cpu.expires += incr; +- timer->it_overrun += 1 << i; ++ timer->it_overrun += 1LL << i; + delta -= incr; + } + } +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -283,6 +283,17 @@ static __init int init_posix_timers(void + } + __initcall(init_posix_timers); + ++/* ++ * The siginfo si_overrun field and the return value of timer_getoverrun(2) ++ * are of type int. Clamp the overrun value to INT_MAX ++ */ ++static inline int timer_overrun_to_int(struct k_itimer *timr, int baseval) ++{ ++ s64 sum = timr->it_overrun_last + (s64)baseval; ++ ++ return sum > (s64)INT_MAX ? INT_MAX : (int)sum; ++} ++ + static void common_hrtimer_rearm(struct k_itimer *timr) + { + struct hrtimer *timer = &timr->it.real.timer; +@@ -290,9 +301,8 @@ static void common_hrtimer_rearm(struct + if (!timr->it_interval) + return; + +- timr->it_overrun += (unsigned int) hrtimer_forward(timer, +- timer->base->get_time(), +- timr->it_interval); ++ timr->it_overrun += hrtimer_forward(timer, timer->base->get_time(), ++ timr->it_interval); + hrtimer_restart(timer); + } + +@@ -321,10 +331,10 @@ void posixtimer_rearm(struct siginfo *in + + timr->it_active = 1; + timr->it_overrun_last = timr->it_overrun; +- timr->it_overrun = -1; ++ timr->it_overrun = -1LL; + ++timr->it_requeue_pending; + +- info->si_overrun += timr->it_overrun_last; ++ info->si_overrun = timer_overrun_to_int(timr, info->si_overrun); + } + + unlock_timer(timr, flags); +@@ -418,9 +428,8 @@ static enum hrtimer_restart posix_timer_ + now = ktime_add(now, kj); + } + #endif +- timr->it_overrun += (unsigned int) +- hrtimer_forward(timer, now, +- timr->it_interval); ++ timr->it_overrun += hrtimer_forward(timer, now, ++ timr->it_interval); + ret = HRTIMER_RESTART; + ++timr->it_requeue_pending; + timr->it_active = 1; +@@ -524,7 +533,7 @@ static int do_timer_create(clockid_t whi + new_timer->it_id = (timer_t) new_timer_id; + new_timer->it_clock = which_clock; + new_timer->kclock = kc; +- new_timer->it_overrun = -1; ++ new_timer->it_overrun = -1LL; + + if (event) { + rcu_read_lock(); +@@ -702,7 +711,7 @@ void common_timer_get(struct k_itimer *t + * expiry time forward by intervals, so expiry is > now. + */ + if (iv && (timr->it_requeue_pending & REQUEUE_PENDING || sig_none)) +- timr->it_overrun += (int)kc->timer_forward(timr, now); ++ timr->it_overrun += kc->timer_forward(timr, now); + + remaining = kc->timer_remaining(timr, now); + /* Return 0 only, when the timer is expired and not pending */ +@@ -789,7 +798,7 @@ SYSCALL_DEFINE1(timer_getoverrun, timer_ + if (!timr) + return -EINVAL; + +- overrun = timr->it_overrun_last; ++ overrun = timer_overrun_to_int(timr, 0); + unlock_timer(timr, flags); + + return overrun; diff --git a/queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch b/queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch new file mode 100644 index 00000000000..22582e896fc --- /dev/null +++ b/queue-4.18/power-remove-possible-deadlock-when-unregistering-power_supply.patch @@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Benjamin Tissoires +Date: Mon, 25 Jun 2018 09:51:48 +0200 +Subject: power: remove possible deadlock when unregistering power_supply + +From: Benjamin Tissoires + +[ Upstream commit 3ffa6583e24e1ad1abab836d24bfc9d2308074e5 ] + +If a device gets removed right after having registered a power_supply node, +we might enter in a deadlock between the remove call (that has a lock on +the parent device) and the deferred register work. + +Allow the deferred register work to exit without taking the lock when +we are in the remove state. + +Stack trace on a Ubuntu 16.04: + +[16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds. +[16072.109127] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu +[16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[16072.109132] kworker/u16:2 D 0 1180 2 0x80000000 +[16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work +[16072.109144] Call Trace: +[16072.109152] __schedule+0x3d6/0x8b0 +[16072.109155] schedule+0x36/0x80 +[16072.109158] schedule_preempt_disabled+0xe/0x10 +[16072.109161] __mutex_lock.isra.2+0x2ab/0x4e0 +[16072.109166] __mutex_lock_slowpath+0x13/0x20 +[16072.109168] ? __mutex_lock_slowpath+0x13/0x20 +[16072.109171] mutex_lock+0x2f/0x40 +[16072.109174] power_supply_deferred_register_work+0x2b/0x50 +[16072.109179] process_one_work+0x15b/0x410 +[16072.109182] worker_thread+0x4b/0x460 +[16072.109186] kthread+0x10c/0x140 +[16072.109189] ? process_one_work+0x410/0x410 +[16072.109191] ? kthread_create_on_node+0x70/0x70 +[16072.109194] ret_from_fork+0x35/0x40 +[16072.109199] INFO: task test:2257 blocked for more than 120 seconds. +[16072.109202] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu +[16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[16072.109206] test D 0 2257 2256 0x00000004 +[16072.109208] Call Trace: +[16072.109211] __schedule+0x3d6/0x8b0 +[16072.109215] schedule+0x36/0x80 +[16072.109218] schedule_timeout+0x1f3/0x360 +[16072.109221] ? check_preempt_curr+0x5a/0xa0 +[16072.109224] ? ttwu_do_wakeup+0x1e/0x150 +[16072.109227] wait_for_completion+0xb4/0x140 +[16072.109230] ? wait_for_completion+0xb4/0x140 +[16072.109233] ? wake_up_q+0x70/0x70 +[16072.109236] flush_work+0x129/0x1e0 +[16072.109240] ? worker_detach_from_pool+0xb0/0xb0 +[16072.109243] __cancel_work_timer+0x10f/0x190 +[16072.109247] ? device_del+0x264/0x310 +[16072.109250] ? __wake_up+0x44/0x50 +[16072.109253] cancel_delayed_work_sync+0x13/0x20 +[16072.109257] power_supply_unregister+0x37/0xb0 +[16072.109260] devm_power_supply_release+0x11/0x20 +[16072.109263] release_nodes+0x110/0x200 +[16072.109266] devres_release_group+0x7c/0xb0 +[16072.109274] wacom_remove+0xc2/0x110 [wacom] +[16072.109279] hid_device_remove+0x6e/0xd0 [hid] +[16072.109284] device_release_driver_internal+0x158/0x210 +[16072.109288] device_release_driver+0x12/0x20 +[16072.109291] bus_remove_device+0xec/0x160 +[16072.109293] device_del+0x1de/0x310 +[16072.109298] hid_destroy_device+0x27/0x60 [hid] +[16072.109303] usbhid_disconnect+0x51/0x70 [usbhid] +[16072.109308] usb_unbind_interface+0x77/0x270 +[16072.109311] device_release_driver_internal+0x158/0x210 +[16072.109315] device_release_driver+0x12/0x20 +[16072.109318] usb_driver_release_interface+0x77/0x80 +[16072.109321] proc_ioctl+0x20f/0x250 +[16072.109325] usbdev_do_ioctl+0x57f/0x1140 +[16072.109327] ? __wake_up+0x44/0x50 +[16072.109331] usbdev_ioctl+0xe/0x20 +[16072.109336] do_vfs_ioctl+0xa4/0x600 +[16072.109339] ? vfs_write+0x15a/0x1b0 +[16072.109343] SyS_ioctl+0x79/0x90 +[16072.109347] entry_SYSCALL_64_fastpath+0x24/0xab +[16072.109349] RIP: 0033:0x7f20da807f47 +[16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47 +[16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009 +[16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010 +[16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000 +[16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000 + +Reported-and-tested-by: Richard Hughes +Tested-by: Aaron Skomra +Signed-off-by: Benjamin Tissoires +Fixes: 7f1a57fdd6cb ("power_supply: Fix possible NULL pointer dereference on early uevent") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/power_supply_core.c | 11 +++++++++-- + include/linux/power_supply.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -140,8 +141,13 @@ static void power_supply_deferred_regist + struct power_supply *psy = container_of(work, struct power_supply, + deferred_register_work.work); + +- if (psy->dev.parent) +- mutex_lock(&psy->dev.parent->mutex); ++ if (psy->dev.parent) { ++ while (!mutex_trylock(&psy->dev.parent->mutex)) { ++ if (psy->removing) ++ return; ++ msleep(10); ++ } ++ } + + power_supply_changed(psy); + +@@ -1082,6 +1088,7 @@ EXPORT_SYMBOL_GPL(devm_power_supply_regi + void power_supply_unregister(struct power_supply *psy) + { + WARN_ON(atomic_dec_return(&psy->use_cnt)); ++ psy->removing = true; + cancel_work_sync(&psy->changed_work); + cancel_delayed_work_sync(&psy->deferred_register_work); + sysfs_remove_link(&psy->dev.kobj, "powers"); +--- a/include/linux/power_supply.h ++++ b/include/linux/power_supply.h +@@ -269,6 +269,7 @@ struct power_supply { + spinlock_t changed_lock; + bool changed; + bool initialized; ++ bool removing; + atomic_t use_cnt; + #ifdef CONFIG_THERMAL + struct thermal_zone_device *tzd; diff --git a/queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch b/queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch new file mode 100644 index 00000000000..05cc3201245 --- /dev/null +++ b/queue-4.18/power-supply-axp288_charger-fix-initial-constant_charge_current-value.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Hans de Goede +Date: Wed, 23 May 2018 15:33:21 +0200 +Subject: power: supply: axp288_charger: Fix initial constant_charge_current value + +From: Hans de Goede + +[ Upstream commit f2a42595f0865886a2d40524b0e9d15600848670 ] + +We should look at val which contains the value read from the register, +not ret which is always 0 on a successful read. + +Signed-off-by: Hans de Goede +Fixes: eac53b3664f59 ("power: supply: axp288_charger: Drop platform_data dependency") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/axp288_charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/axp288_charger.c ++++ b/drivers/power/supply/axp288_charger.c +@@ -718,7 +718,7 @@ static int charger_init_hw_regs(struct a + } + + /* Determine charge current limit */ +- cc = (ret & CHRG_CCCV_CC_MASK) >> CHRG_CCCV_CC_BIT_POS; ++ cc = (val & CHRG_CCCV_CC_MASK) >> CHRG_CCCV_CC_BIT_POS; + cc = (cc * CHRG_CCCV_CC_LSB_RES) + CHRG_CCCV_CC_OFFSET; + info->cc = cc; + diff --git a/queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch b/queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch new file mode 100644 index 00000000000..440736ac750 --- /dev/null +++ b/queue-4.18/power-vexpress-fix-corruption-in-notifier-registration.patch @@ -0,0 +1,70 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Sudeep Holla +Date: Mon, 18 Jun 2018 16:54:32 +0100 +Subject: power: vexpress: fix corruption in notifier registration + +From: Sudeep Holla + +[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ] + +Vexpress platforms provide two different restart handlers: SYS_REBOOT +that restart the entire system, while DB_RESET only restarts the +daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT +if it exists. + +notifier_chain_register used in register_restart_handler by design +relies on notifiers to be registered once only, however vexpress restart +notifier can get registered twice. When this happen it corrupts list +of notifiers, as result some notifiers can be not called on proper +event, traverse on list can be cycled forever, and second unregister +can access already freed memory. + +So far, since this was the only restart handler in the system, no issue +was observed even if the same notifier was registered twice. However +commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added +support for SP805 restart handlers and since the system under test +contains two vexpress restart and two SP805 watchdog instances, it was +observed that during the boot traversing the restart handler list looped +forever as there's a cycle in that list resulting in boot hang. + +This patch fixes the issues by ensuring that the notifier is installed +only once. + +Cc: Sebastian Reichel +Signed-off-by: Sudeep Holla +Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/reset/vexpress-poweroff.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/power/reset/vexpress-poweroff.c ++++ b/drivers/power/reset/vexpress-poweroff.c +@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev + } + + static struct device *vexpress_power_off_device; ++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0); + + static void vexpress_power_off(void) + { +@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha + int err; + + vexpress_restart_device = dev; +- err = register_restart_handler(&vexpress_restart_nb); +- if (err) { +- dev_err(dev, "cannot register restart handler (err=%d)\n", err); +- return err; ++ if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) { ++ err = register_restart_handler(&vexpress_restart_nb); ++ if (err) { ++ dev_err(dev, "cannot register restart handler (err=%d)\n", err); ++ atomic_dec(&vexpress_restart_nb_refcnt); ++ return err; ++ } + } + device_create_file(dev, &dev_attr_active); + diff --git a/queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch b/queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch new file mode 100644 index 00000000000..db97c72c888 --- /dev/null +++ b/queue-4.18/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Hari Bathini +Date: Thu, 28 Jun 2018 10:49:56 +0530 +Subject: powerpc/kdump: Handle crashkernel memory reservation failure + +From: Hari Bathini + +[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ] + +Memory reservation for crashkernel could fail if there are holes around +kdump kernel offset (128M). Fail gracefully in such cases and print an +error message. + +Signed-off-by: Hari Bathini +Tested-by: David Gibson +Reviewed-by: Dave Young +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/machine_kexec.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -188,7 +188,12 @@ void __init reserve_crashkernel(void) + (unsigned long)(crashk_res.start >> 20), + (unsigned long)(memblock_phys_mem_size() >> 20)); + +- memblock_reserve(crashk_res.start, crash_size); ++ if (!memblock_is_region_memory(crashk_res.start, crash_size) || ++ memblock_reserve(crashk_res.start, crash_size)) { ++ pr_err("Failed to reserve memory for crashkernel!\n"); ++ crashk_res.start = crashk_res.end = 0; ++ return; ++ } + } + + int overlaps_crashkernel(unsigned long start, unsigned long size) diff --git a/queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch b/queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch new file mode 100644 index 00000000000..4d7d847c964 --- /dev/null +++ b/queue-4.18/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Alexey Kardashevskiy +Date: Fri, 1 Jun 2018 18:06:16 +1000 +Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size + +From: Alexey Kardashevskiy + +[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ] + +We use PHB in mode1 which uses bit 59 to select a correct DMA window. +However there is mode2 which uses bits 59:55 and allows up to 32 DMA +windows per a PE. + +Even though documentation does not clearly specify that, it seems that +the actual hardware does not support bits 59:55 even in mode1, in other +words we can create a window as big as 1<<58 but DMA simply won't work. + +This reduces the upper limit from 59 to 55 bits to let the userspace know +about the hardware limits. + +Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested" +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -2841,7 +2841,7 @@ static long pnv_pci_ioda2_table_alloc_pa + level_shift = entries_shift + 3; + level_shift = max_t(unsigned, level_shift, PAGE_SHIFT); + +- if ((level_shift - 3) * levels + page_shift >= 60) ++ if ((level_shift - 3) * levels + page_shift >= 55) + return -EINVAL; + + /* Allocate TCE table */ diff --git a/queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch b/queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch new file mode 100644 index 00000000000..e57ea8f4f28 --- /dev/null +++ b/queue-4.18/rdma-bnxt_re-fix-a-bunch-of-off-by-one-bugs-in-qplib_fp.c.patch @@ -0,0 +1,79 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:58:02 +0300 +Subject: RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c + +From: Dan Carpenter + +[ Upstream commit c1dfc0114c901b4f46c85ceff0491debf2b2a2ec ] + +The srq->swq[] is allocated in bnxt_qplib_create_srq(). It has +srq->hwq.max_elements elements so these tests should be > instead of >= +or we might go beyond the end of the array. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Dan Carpenter +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/qplib_fp.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/qplib_fp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_fp.c +@@ -2354,7 +2354,7 @@ static int bnxt_qplib_cq_process_res_rc( + srq = qp->srq; + if (!srq) + return -EINVAL; +- if (wr_id_idx > srq->hwq.max_elements) { ++ if (wr_id_idx >= srq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process RC "); + dev_err(&cq->hwq.pdev->dev, +@@ -2369,7 +2369,7 @@ static int bnxt_qplib_cq_process_res_rc( + *pcqe = cqe; + } else { + rq = &qp->rq; +- if (wr_id_idx > rq->hwq.max_elements) { ++ if (wr_id_idx >= rq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process RC "); + dev_err(&cq->hwq.pdev->dev, +@@ -2437,7 +2437,7 @@ static int bnxt_qplib_cq_process_res_ud( + if (!srq) + return -EINVAL; + +- if (wr_id_idx > srq->hwq.max_elements) { ++ if (wr_id_idx >= srq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process UD "); + dev_err(&cq->hwq.pdev->dev, +@@ -2452,7 +2452,7 @@ static int bnxt_qplib_cq_process_res_ud( + *pcqe = cqe; + } else { + rq = &qp->rq; +- if (wr_id_idx > rq->hwq.max_elements) { ++ if (wr_id_idx >= rq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process UD "); + dev_err(&cq->hwq.pdev->dev, +@@ -2546,7 +2546,7 @@ static int bnxt_qplib_cq_process_res_raw + "QPLIB: FP: SRQ used but not defined??"); + return -EINVAL; + } +- if (wr_id_idx > srq->hwq.max_elements) { ++ if (wr_id_idx >= srq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process Raw/QP1 "); + dev_err(&cq->hwq.pdev->dev, +@@ -2561,7 +2561,7 @@ static int bnxt_qplib_cq_process_res_raw + *pcqe = cqe; + } else { + rq = &qp->rq; +- if (wr_id_idx > rq->hwq.max_elements) { ++ if (wr_id_idx >= rq->hwq.max_elements) { + dev_err(&cq->hwq.pdev->dev, + "QPLIB: FP: CQ Process Raw/QP1 RQ wr_id "); + dev_err(&cq->hwq.pdev->dev, diff --git a/queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch b/queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch new file mode 100644 index 00000000000..bb14389fb0f --- /dev/null +++ b/queue-4.18/rdma-bnxt_re-fix-a-couple-off-by-one-bugs.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:57:11 +0300 +Subject: RDMA/bnxt_re: Fix a couple off by one bugs + +From: Dan Carpenter + +[ Upstream commit 474e5a86067e5f12c97d1db8b170c7f45b53097a ] + +The sgid_tbl->tbl[] array is allocated in bnxt_qplib_alloc_sgid_tbl(). +It has sgid_tbl->max elements. So the > should be >= to prevent +accessing one element beyond the end of the array. + +Fixes: 1ac5a4047975 ("RDMA/bnxt_re: Add bnxt_re RoCE driver") +Signed-off-by: Dan Carpenter +Acked-by: Selvin Xavier +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/bnxt_re/qplib_sp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/hw/bnxt_re/qplib_sp.c ++++ b/drivers/infiniband/hw/bnxt_re/qplib_sp.c +@@ -197,7 +197,7 @@ int bnxt_qplib_get_sgid(struct bnxt_qpli + struct bnxt_qplib_sgid_tbl *sgid_tbl, int index, + struct bnxt_qplib_gid *gid) + { +- if (index > sgid_tbl->max) { ++ if (index >= sgid_tbl->max) { + dev_err(&res->pdev->dev, + "QPLIB: Index %d exceeded SGID table max (%d)", + index, sgid_tbl->max); +@@ -402,7 +402,7 @@ int bnxt_qplib_get_pkey(struct bnxt_qpli + *pkey = 0xFFFF; + return 0; + } +- if (index > pkey_tbl->max) { ++ if (index >= pkey_tbl->max) { + dev_err(&res->pdev->dev, + "QPLIB: Index %d exceeded PKEY table max (%d)", + index, pkey_tbl->max); diff --git a/queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch b/queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch new file mode 100644 index 00000000000..b53e57e6bf3 --- /dev/null +++ b/queue-4.18/rdma-i40w-hold-read-semaphore-while-looking-after-vma.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Leon Romanovsky +Date: Sun, 1 Jul 2018 19:36:24 +0300 +Subject: RDMA/i40w: Hold read semaphore while looking after VMA + +From: Leon Romanovsky + +[ Upstream commit 5d9a2b0e28759e319a623da33940dbb3ce952b7d ] + +VMA lookup is supposed to be performed while mmap_sem is held. + +Fixes: f26c7c83395b ("i40iw: Add 2MB page support") +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/hw/i40iw/i40iw_verbs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/infiniband/hw/i40iw/i40iw_verbs.c ++++ b/drivers/infiniband/hw/i40iw/i40iw_verbs.c +@@ -1409,6 +1409,7 @@ static void i40iw_set_hugetlb_values(u64 + struct vm_area_struct *vma; + struct hstate *h; + ++ down_read(¤t->mm->mmap_sem); + vma = find_vma(current->mm, addr); + if (vma && is_vm_hugetlb_page(vma)) { + h = hstate_vma(vma); +@@ -1417,6 +1418,7 @@ static void i40iw_set_hugetlb_values(u64 + iwmr->page_msk = huge_page_mask(h); + } + } ++ up_read(¤t->mm->mmap_sem); + } + + /** diff --git a/queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch b/queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch new file mode 100644 index 00000000000..8ae1dfa1843 --- /dev/null +++ b/queue-4.18/rdma-uverbs-don-t-overwrite-null-pointer-with-zero_size_ptr.patch @@ -0,0 +1,45 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Leon Romanovsky +Date: Sun, 24 Jun 2018 11:23:47 +0300 +Subject: RDMA/uverbs: Don't overwrite NULL pointer with ZERO_SIZE_PTR + +From: Leon Romanovsky + +[ Upstream commit a5cc9831af05e658543593abaee45a29d061bac4 ] + +Number of specs is provided by user and in valid case can be equal to zero. +Such argument causes to call to kcalloc() with zero-length request and in +return the ZERO_SIZE_PTR is assigned. This pointer is different from NULL +and makes various if (..) checks to success. + +Fixes: b6ba4a9aa59f ("IB/uverbs: Add support for flow counters") +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/uverbs_cmd.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -2812,6 +2812,9 @@ static struct ib_uflow_resources *flow_r + if (!resources) + goto err_res; + ++ if (!num_specs) ++ goto out; ++ + resources->counters = + kcalloc(num_specs, sizeof(*resources->counters), GFP_KERNEL); + +@@ -2824,8 +2827,8 @@ static struct ib_uflow_resources *flow_r + if (!resources->collection) + goto err_collection; + ++out: + resources->max = num_specs; +- + return resources; + + err_collection: diff --git a/queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch b/queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch new file mode 100644 index 00000000000..4906763c2a1 --- /dev/null +++ b/queue-4.18/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Tue, 5 Jun 2018 14:31:39 +0300 +Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() + +From: Dan Carpenter + +[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ] + +This is a static checker fix, not something I have tested. The issue +is that on the second iteration through the loop, we jump forward by +le32_to_cpu(auth_req->length) bytes. The problem is that if the length +is more than "buflen" then we end up with a negative "buflen". A +negative buflen is type promoted to a high positive value and the loop +continues but it's accessing beyond the end of the buffer. + +I believe the "auth_req->length" comes from the firmware and if the +firmware is malicious or buggy, you're already toasted so the impact of +this bug is probably not very severe. + +Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rndis_wlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -2928,6 +2928,8 @@ static void rndis_wlan_auth_indication(s + + while (buflen >= sizeof(*auth_req)) { + auth_req = (void *)buf; ++ if (buflen < le32_to_cpu(auth_req->length)) ++ return; + type = "unknown"; + flags = le32_to_cpu(auth_req->flags); + pairwise_error = false; diff --git a/queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch b/queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch new file mode 100644 index 00000000000..5656fa999b8 --- /dev/null +++ b/queue-4.18/s390-dasd-correct-numa_node-in-dasd_alloc_queue.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Vasily Gorbik +Date: Sun, 24 Jun 2018 09:21:59 +0200 +Subject: s390/dasd: correct numa_node in dasd_alloc_queue + +From: Vasily Gorbik + +[ Upstream commit b17e3abb0af404cb62ad4ef1a5962f58b06e2b78 ] + +The numa_node field of the tag_set struct has to be explicitly +initialized, otherwise it stays as 0, which is a valid numa node id and +cause memory allocation failure if node 0 is offline. + +Acked-by: Stefan Haberland +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/dasd.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -3127,6 +3127,7 @@ static int dasd_alloc_queue(struct dasd_ + block->tag_set.nr_hw_queues = nr_hw_queues; + block->tag_set.queue_depth = queue_depth; + block->tag_set.flags = BLK_MQ_F_SHOULD_MERGE; ++ block->tag_set.numa_node = NUMA_NO_NODE; + + rc = blk_mq_alloc_tag_set(&block->tag_set); + if (rc) diff --git a/queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch new file mode 100644 index 00000000000..afdf5021e11 --- /dev/null +++ b/queue-4.18/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Vasily Gorbik +Date: Sun, 17 Jun 2018 00:30:43 +0200 +Subject: s390/extmem: fix gcc 8 stringop-overflow warning + +From: Vasily Gorbik + +[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ] + +arch/s390/mm/extmem.c: In function '__segment_load': +arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals +source length [-Wstringop-overflow=] + strncat(seg->res_name, " (DCSS)", 7); + +What gcc complains about here is the misuse of strncat function, which +in this case does not limit a number of bytes taken from "src", so it is +in the end the same as strcat(seg->res_name, " (DCSS)"); + +Keeping in mind that a res_name is 15 bytes, strncat in this case +would overflow the buffer and write 0 into alignment byte between the +fields in the struct. To avoid that increasing res_name size to 16, +and reusing strlcat. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/extmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/mm/extmem.c ++++ b/arch/s390/mm/extmem.c +@@ -80,7 +80,7 @@ struct qin64 { + struct dcss_segment { + struct list_head list; + char dcss_name[8]; +- char res_name[15]; ++ char res_name[16]; + unsigned long start_addr; + unsigned long end; + atomic_t ref_count; +@@ -433,7 +433,7 @@ __segment_load (char *name, int do_nonsh + memcpy(&seg->res_name, seg->dcss_name, 8); + EBCASC(seg->res_name, 8); + seg->res_name[8] = '\0'; +- strncat(seg->res_name, " (DCSS)", 7); ++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name)); + seg->res->name = seg->res_name; + rc = seg->vm_segtype; + if (rc == SEG_TYPE_SC || diff --git a/queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch b/queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch new file mode 100644 index 00000000000..c233541944c --- /dev/null +++ b/queue-4.18/s390-mm-correct-allocate_pgste-proc_handler-callback.patch @@ -0,0 +1,50 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Vasily Gorbik +Date: Sun, 24 Jun 2018 12:17:43 +0200 +Subject: s390/mm: correct allocate_pgste proc_handler callback + +From: Vasily Gorbik + +[ Upstream commit 5bedf8aa03c28cb8dc98bdd32a41b66d8f7d3eaa ] + +Since proc_dointvec does not perform value range control, +proc_dointvec_minmax should be used to limit value range, which is +clearly intended here, as the internal representation of the value: + +unsigned int alloc_pgste:1; + +In fact it currently works, since we have + + mm->context.alloc_pgste = page_table_allocate_pgste || ... + +... since commit 23fefe119ceb5 ("s390/kvm: avoid global config of vm.alloc_pgste=1") + +Before that it was + + mm->context.alloc_pgste = page_table_allocate_pgste; + +which was broken. That was introduced with commit 0b46e0a3ec0d7 ("s390/kvm: +remove delayed reallocation of page tables for KVM"). + +Fixes: 0b46e0a3ec0d7 ("s390/kvm: remove delayed reallocation of page tables for KVM") +Acked-by: Christian Borntraeger +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/pgalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -28,7 +28,7 @@ static struct ctl_table page_table_sysct + .data = &page_table_allocate_pgste, + .maxlen = sizeof(int), + .mode = S_IRUGO | S_IWUSR, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = &page_table_allocate_pgste_min, + .extra2 = &page_table_allocate_pgste_max, + }, diff --git a/queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch b/queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch new file mode 100644 index 00000000000..dd077f440df --- /dev/null +++ b/queue-4.18/s390-scm_blk-correct-numa_node-in-scm_blk_dev_setup.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Vasily Gorbik +Date: Mon, 25 Jun 2018 14:30:42 +0200 +Subject: s390/scm_blk: correct numa_node in scm_blk_dev_setup + +From: Vasily Gorbik + +[ Upstream commit d642d6262f4fcfa5d200ec6e218c17f0c15b3390 ] + +The numa_node field of the tag_set struct has to be explicitly +initialized, otherwise it stays as 0, which is a valid numa node id and +cause memory allocation failure if node 0 is offline. + +Acked-by: Sebastian Ott +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/s390/block/scm_blk.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/s390/block/scm_blk.c ++++ b/drivers/s390/block/scm_blk.c +@@ -455,6 +455,7 @@ int scm_blk_dev_setup(struct scm_blk_dev + bdev->tag_set.nr_hw_queues = nr_requests; + bdev->tag_set.queue_depth = nr_requests_per_io * nr_requests; + bdev->tag_set.flags = BLK_MQ_F_SHOULD_MERGE; ++ bdev->tag_set.numa_node = NUMA_NO_NODE; + + ret = blk_mq_alloc_tag_set(&bdev->tag_set); + if (ret) diff --git a/queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch b/queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch new file mode 100644 index 00000000000..68655e716c6 --- /dev/null +++ b/queue-4.18/s390-sysinfo-add-missing-ifdef-config_proc_fs.patch @@ -0,0 +1,43 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Heiko Carstens +Date: Mon, 2 Jul 2018 10:54:02 +0200 +Subject: s390/sysinfo: add missing #ifdef CONFIG_PROC_FS + +From: Heiko Carstens + +[ Upstream commit 9f35b818a2f90fb6cb291aa0c9f835d4f0974a9a ] + +Get rid of this compile warning for !PROC_FS: + + CC arch/s390/kernel/sysinfo.o +arch/s390/kernel/sysinfo.c:275:12: warning: 'sysinfo_show' defined but not used [-Wunused-function] + static int sysinfo_show(struct seq_file *m, void *v) + +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/kernel/sysinfo.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/s390/kernel/sysinfo.c ++++ b/arch/s390/kernel/sysinfo.c +@@ -59,6 +59,8 @@ int stsi(void *sysinfo, int fc, int sel1 + } + EXPORT_SYMBOL(stsi); + ++#ifdef CONFIG_PROC_FS ++ + static bool convert_ext_name(unsigned char encoding, char *name, size_t len) + { + switch (encoding) { +@@ -301,6 +303,8 @@ static int __init sysinfo_create_proc(vo + } + device_initcall(sysinfo_create_proc); + ++#endif /* CONFIG_PROC_FS */ ++ + /* + * Service levels interface. + */ diff --git a/queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch b/queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch new file mode 100644 index 00000000000..3837f98c382 --- /dev/null +++ b/queue-4.18/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 11:13:00 +0800 +Subject: scsi: bnx2i: add error handling for ioremap_nocache + +From: Zhouyang Jia + +[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ] + +When ioremap_nocache fails, the lack of error-handling code may cause +unexpected results. + +This patch adds error-handling code after calling ioremap_nocache. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Johannes Thumshirn +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/bnx2i/bnx2i_hwi.c ++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c +@@ -2727,6 +2727,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i + BNX2X_DOORBELL_PCI_BAR); + reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF); + ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4); ++ if (!ep->qp.ctx_base) ++ return -ENOMEM; + goto arm_cq; + } + diff --git a/queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch b/queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch new file mode 100644 index 00000000000..03334434430 --- /dev/null +++ b/queue-4.18/scsi-hisi_sas-fix-the-conflict-between-dev-gone-and-host-reset.patch @@ -0,0 +1,87 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Xiaofei Tan +Date: Thu, 31 May 2018 20:50:44 +0800 +Subject: scsi: hisi_sas: Fix the conflict between dev gone and host reset + +From: Xiaofei Tan + +[ Upstream commit d2fc401e47529d9ffd2673a5395d56002e31ad98 ] + +There is a possible conflict when a device is removed and host reset occurs +concurrently. + +The reason is that then the device is notified as gone, we try to clear the +ITCT, which is notified via an interrupt. The dev gone function pends on +this event with a completion, which is completed when the ITCT interrupt +occurs. + +But host reset will disable all interrupts, the wait_for_completion() may +wait indefinitely. + +This patch adds an semaphore to synchronise this two processes. The +semaphore is taken by the host reset as the basis of synchronising. + +Signed-off-by: Xiaofei Tan +Signed-off-by: John Garry +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/hisi_sas/hisi_sas.h | 1 + + drivers/scsi/hisi_sas/hisi_sas_main.c | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/scsi/hisi_sas/hisi_sas.h ++++ b/drivers/scsi/hisi_sas/hisi_sas.h +@@ -277,6 +277,7 @@ struct hisi_hba { + + int n_phy; + spinlock_t lock; ++ struct semaphore sem; + + struct timer_list timer; + struct workqueue_struct *wq; +--- a/drivers/scsi/hisi_sas/hisi_sas_main.c ++++ b/drivers/scsi/hisi_sas/hisi_sas_main.c +@@ -914,7 +914,9 @@ static void hisi_sas_dev_gone(struct dom + + hisi_sas_dereg_device(hisi_hba, device); + ++ down(&hisi_hba->sem); + hisi_hba->hw->clear_itct(hisi_hba, sas_dev); ++ up(&hisi_hba->sem); + device->lldd_dev = NULL; + } + +@@ -1364,6 +1366,7 @@ static int hisi_sas_controller_reset(str + if (test_and_set_bit(HISI_SAS_RESET_BIT, &hisi_hba->flags)) + return -1; + ++ down(&hisi_hba->sem); + dev_info(dev, "controller resetting...\n"); + old_state = hisi_hba->hw->get_phys_state(hisi_hba); + +@@ -1378,6 +1381,7 @@ static int hisi_sas_controller_reset(str + if (rc) { + dev_warn(dev, "controller reset failed (%d)\n", rc); + clear_bit(HISI_SAS_REJECT_CMD_BIT, &hisi_hba->flags); ++ up(&hisi_hba->sem); + scsi_unblock_requests(shost); + goto out; + } +@@ -1388,6 +1392,7 @@ static int hisi_sas_controller_reset(str + hisi_hba->hw->phys_init(hisi_hba); + msleep(1000); + hisi_sas_refresh_port_id(hisi_hba); ++ up(&hisi_hba->sem); + + if (hisi_hba->reject_stp_links_msk) + hisi_sas_terminate_stp_reject(hisi_hba); +@@ -2016,6 +2021,7 @@ int hisi_sas_alloc(struct hisi_hba *hisi + struct device *dev = hisi_hba->dev; + int i, s, max_command_entries = hisi_hba->hw->max_command_entries; + ++ sema_init(&hisi_hba->sem, 1); + spin_lock_init(&hisi_hba->lock); + for (i = 0; i < hisi_hba->n_phy; i++) { + hisi_sas_phy_init(hisi_hba, i); diff --git a/queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch b/queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch new file mode 100644 index 00000000000..7673be87a51 --- /dev/null +++ b/queue-4.18/scsi-ibmvscsi-improve-strings-handling.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Breno Leitao +Date: Tue, 26 Jun 2018 17:35:16 -0300 +Subject: scsi: ibmvscsi: Improve strings handling + +From: Breno Leitao + +[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ] + +Currently an open firmware property is copied into partition_name variable +without keeping a room for \0. + +Later one, this variable (partition_name), which is 97 bytes long, is +strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is +96 bytes long, possibly truncating it 'again' and removing the \0. + +This patch simply decreases the partition name to 96 and just copy using +strlcpy() which guarantees that the string is \0 terminated. I think there +is no issue if this there is a truncation in this very first copy, i.e, +when the open firmware property is read and copied into the driver for the +very first time; + +This issue also causes the following warning on GCC 8: + + drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation] + ... + inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: + drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation] + +CC: Bart Van Assche +CC: Tyrel Datwyler +Signed-off-by: Breno Leitao +Acked-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R + static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; + static int fast_fail = 1; + static int client_reserve = 1; +-static char partition_name[97] = "UNKNOWN"; ++static char partition_name[96] = "UNKNOWN"; + static unsigned int partition_number = -1; + static LIST_HEAD(ibmvscsi_head); + +@@ -262,7 +262,7 @@ static void gather_partition_info(void) + + ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL); + if (ppartition_name) +- strncpy(partition_name, ppartition_name, ++ strlcpy(partition_name, ppartition_name, + sizeof(partition_name)); + p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL); + if (p_number_ptr) diff --git a/queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch b/queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch new file mode 100644 index 00000000000..6fc56cf7fb0 --- /dev/null +++ b/queue-4.18/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch @@ -0,0 +1,102 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:54:49 -0700 +Subject: scsi: klist: Make it safe to use klists in atomic context + +From: Bart Van Assche + +[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ] + +In the scsi_transport_srp implementation it cannot be avoided to +iterate over a klist from atomic context when using the legacy block +layer instead of blk-mq. Hence this patch that makes it safe to use +klists in atomic context. This patch avoids that lockdep reports the +following: + +WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(&k->k_lock)->rlock); + local_irq_disable(); + lock(&(&q->__queue_lock)->rlock); + lock(&(&k->k_lock)->rlock); + + lock(&(&q->__queue_lock)->rlock); + +stack backtrace: +Workqueue: kblockd blk_timeout_work +Call Trace: + dump_stack+0xa4/0xf5 + check_usage+0x6e6/0x700 + __lock_acquire+0x185d/0x1b50 + lock_acquire+0xd2/0x260 + _raw_spin_lock+0x32/0x50 + klist_next+0x47/0x190 + device_for_each_child+0x8e/0x100 + srp_timed_out+0xaf/0x1d0 [scsi_transport_srp] + scsi_times_out+0xd4/0x410 [scsi_mod] + blk_rq_timed_out+0x36/0x70 + blk_timeout_work+0x1b5/0x220 + process_one_work+0x4fe/0xad0 + worker_thread+0x63/0x5a0 + kthread+0x1c1/0x1e0 + ret_from_fork+0x24/0x30 + +See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to +rport translation"). + +Signed-off-by: Bart Van Assche +Cc: Martin K. Petersen +Cc: James Bottomley +Acked-by: Greg Kroah-Hartman +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/klist.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/lib/klist.c ++++ b/lib/klist.c +@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *prev; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + prev = to_klist_node(last->n_node.prev); +@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli + prev = to_klist_node(prev->n_node.prev); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); +@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *next; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + next = to_klist_node(last->n_node.next); +@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli + next = to_klist_node(next->n_node.next); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); diff --git a/queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch b/queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch new file mode 100644 index 00000000000..87c07bc059e --- /dev/null +++ b/queue-4.18/scsi-megaraid_sas-update-controller-info-during-resume.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Shivasharan S +Date: Mon, 4 Jun 2018 03:45:10 -0700 +Subject: scsi: megaraid_sas: Update controller info during resume + +From: Shivasharan S + +[ Upstream commit c3b10a55abc943a526aaecd7e860b15671beb906 ] + +There is a possibility that firmware on the controller was upgraded before +system was suspended. During resume, driver needs to read updated +controller properties. + +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -6789,6 +6789,9 @@ megasas_resume(struct pci_dev *pdev) + goto fail_init_mfi; + } + ++ if (megasas_get_ctrl_info(instance) != DCMD_SUCCESS) ++ goto fail_init_mfi; ++ + tasklet_init(&instance->isr_tasklet, instance->instancet->tasklet, + (unsigned long)instance); + diff --git a/queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch b/queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch new file mode 100644 index 00000000000..625bec48f51 --- /dev/null +++ b/queue-4.18/scsi-target-avoid-that-extended-copy-commands-trigger-lock-inversion.patch @@ -0,0 +1,189 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Bart Van Assche +Date: Thu, 28 Jun 2018 13:48:57 -0500 +Subject: scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion + +From: Bart Van Assche + +[ Upstream commit 36d4cb460bcbe2a1323732a6e4bb9dd783284368 ] + +The approach for adding a device to the devices_idr data structure and for +removing it is as follows: + +* &dev->dev_group.cg_item is initialized before a device is added to + devices_idr. + +* If the reference count of a device drops to zero then + target_free_device() removes the device from devices_idr. + +* All devices_idr manipulations are protected by device_mutex. + +This means that increasing the reference count of a device is sufficient to +prevent removal from devices_idr and also that it is safe access +dev_group.cg_item for any device that is referenced by devices_idr. Use +this to modify target_find_device() and target_for_each_device() such that +these functions no longer introduce a dependency between device_mutex and +the configfs root inode mutex. + +Note: it is safe to pass a NULL pointer to config_item_put() and also to +config_item_get_unless_zero(). + +This patch prevents that lockdep reports the following complaint: + +====================================================== +WARNING: possible circular locking dependency detected +4.12.0-rc1-dbg+ #1 Not tainted +------------------------------------------------------ +rmdir/12053 is trying to acquire lock: + (device_mutex#2){+.+.+.}, at: [] +target_free_device+0xae/0xf0 [target_core_mod] + +but task is already holding lock: + (&sb->s_type->i_mutex_key#14){++++++}, at: [] +vfs_rmdir+0x50/0x140 + +which lock already depends on the new lock. + +the existing dependency chain (in reverse order) is: + +-> #1 (&sb->s_type->i_mutex_key#14){++++++}: + lock_acquire+0x59/0x80 + down_write+0x36/0x70 + configfs_depend_item+0x3a/0xb0 [configfs] + target_depend_item+0x13/0x20 [target_core_mod] + target_xcopy_locate_se_dev_e4_iter+0x87/0x100 [target_core_mod] + target_devices_idr_iter+0x16/0x20 [target_core_mod] + idr_for_each+0x39/0xc0 + target_for_each_device+0x36/0x50 [target_core_mod] + target_xcopy_locate_se_dev_e4+0x28/0x80 [target_core_mod] + target_xcopy_do_work+0x2e9/0xdd0 [target_core_mod] + process_one_work+0x1ca/0x3f0 + worker_thread+0x49/0x3b0 + kthread+0x109/0x140 + ret_from_fork+0x31/0x40 + +-> #0 (device_mutex#2){+.+.+.}: + __lock_acquire+0x101f/0x11d0 + lock_acquire+0x59/0x80 + __mutex_lock+0x7e/0x950 + mutex_lock_nested+0x16/0x20 + target_free_device+0xae/0xf0 [target_core_mod] + target_core_dev_release+0x10/0x20 [target_core_mod] + config_item_put+0x6e/0xb0 [configfs] + configfs_rmdir+0x1a6/0x300 [configfs] + vfs_rmdir+0xb7/0x140 + do_rmdir+0x1f4/0x200 + SyS_rmdir+0x11/0x20 + entry_SYSCALL_64_fastpath+0x23/0xc2 + +other info that might help us debug this: + + Possible unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&sb->s_type->i_mutex_key#14); + lock(device_mutex#2); + lock(&sb->s_type->i_mutex_key#14); + lock(device_mutex#2); + + *** DEADLOCK *** + +3 locks held by rmdir/12053: + #0: (sb_writers#10){.+.+.+}, at: [] +mnt_want_write+0x1f/0x50 + #1: (&sb->s_type->i_mutex_key#14/1){+.+.+.}, at: [] +do_rmdir+0x15e/0x200 + #2: (&sb->s_type->i_mutex_key#14){++++++}, at: [] +vfs_rmdir+0x50/0x140 + +stack backtrace: +CPU: 3 PID: 12053 Comm: rmdir Not tainted 4.12.0-rc1-dbg+ #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +1.0.0-prebuilt.qemu-project.org 04/01/2014 +Call Trace: + dump_stack+0x86/0xcf + print_circular_bug+0x1c7/0x220 + __lock_acquire+0x101f/0x11d0 + lock_acquire+0x59/0x80 + __mutex_lock+0x7e/0x950 + mutex_lock_nested+0x16/0x20 + target_free_device+0xae/0xf0 [target_core_mod] + target_core_dev_release+0x10/0x20 [target_core_mod] + config_item_put+0x6e/0xb0 [configfs] + configfs_rmdir+0x1a6/0x300 [configfs] + vfs_rmdir+0xb7/0x140 + do_rmdir+0x1f4/0x200 + SyS_rmdir+0x11/0x20 + entry_SYSCALL_64_fastpath+0x23/0xc2 + +Signed-off-by: Bart Van Assche +[Rebased to handle conflict withe target_find_device removal] +Signed-off-by: Mike Christie + +Signed-off-by: Martin K. Petersen + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/target_core_device.c | 22 +++++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +--- a/drivers/target/target_core_device.c ++++ b/drivers/target/target_core_device.c +@@ -904,14 +904,20 @@ struct se_device *target_find_device(int + EXPORT_SYMBOL(target_find_device); + + struct devices_idr_iter { ++ struct config_item *prev_item; + int (*fn)(struct se_device *dev, void *data); + void *data; + }; + + static int target_devices_idr_iter(int id, void *p, void *data) ++ __must_hold(&device_mutex) + { + struct devices_idr_iter *iter = data; + struct se_device *dev = p; ++ int ret; ++ ++ config_item_put(iter->prev_item); ++ iter->prev_item = NULL; + + /* + * We add the device early to the idr, so it can be used +@@ -922,7 +928,15 @@ static int target_devices_idr_iter(int i + if (!(dev->dev_flags & DF_CONFIGURED)) + return 0; + +- return iter->fn(dev, iter->data); ++ iter->prev_item = config_item_get_unless_zero(&dev->dev_group.cg_item); ++ if (!iter->prev_item) ++ return 0; ++ mutex_unlock(&device_mutex); ++ ++ ret = iter->fn(dev, iter->data); ++ ++ mutex_lock(&device_mutex); ++ return ret; + } + + /** +@@ -936,15 +950,13 @@ static int target_devices_idr_iter(int i + int target_for_each_device(int (*fn)(struct se_device *dev, void *data), + void *data) + { +- struct devices_idr_iter iter; ++ struct devices_idr_iter iter = { .fn = fn, .data = data }; + int ret; + +- iter.fn = fn; +- iter.data = data; +- + mutex_lock(&device_mutex); + ret = idr_for_each(&devices_idr, target_devices_idr_iter, &iter); + mutex_unlock(&device_mutex); ++ config_item_put(iter.prev_item); + return ret; + } + diff --git a/queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch b/queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch new file mode 100644 index 00000000000..3815ee10bdc --- /dev/null +++ b/queue-4.18/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch @@ -0,0 +1,34 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:53:01 -0700 +Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size + +From: Bart Van Assche + +[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ] + +Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") +Signed-off-by: Bart Van Assche +Reviewed-by: Mike Christie +Cc: Mike Christie +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_tpg.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -636,8 +636,7 @@ int iscsit_ta_authentication(struct iscs + none = strstr(buf1, NONE); + if (none) + goto out; +- strncat(buf1, ",", strlen(",")); +- strncat(buf1, NONE, strlen(NONE)); ++ strlcat(buf1, "," NONE, sizeof(buf1)); + if (iscsi_update_param_value(param, buf1) < 0) + return -EINVAL; + } diff --git a/queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch b/queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch new file mode 100644 index 00000000000..7f1872d3741 --- /dev/null +++ b/queue-4.18/selftests-forwarding-tweak-tc-filters-for-mirror-to-gretap-tests.patch @@ -0,0 +1,78 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Petr Machata +Date: Thu, 28 Jun 2018 18:56:33 +0200 +Subject: selftests: forwarding: Tweak tc filters for mirror-to-gretap tests + +From: Petr Machata + +[ Upstream commit ec9fdc99f5a6a2cfe4061e807fcb0cc1129f0a2d ] + +When running mirror_gre_bridge_1d_vlan tests on veth, several issues +cause spurious failures: + +- vlan_ethtype should be ip, not ipv6 even in mirror-to-ip6gretap case, + because the overlay packet is still IPv4. +- Similarly ip_proto matches the innermost IP protocol, so can't be used + to filter out GRE packet. Drop the corresponding condition. +- Because the above fixes the filters to match in slow path as well, + they need to be made skip_hw so as not to double-count packets. + +Signed-off-by: Petr Machata +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh | 6 ++++-- + tools/testing/selftests/net/forwarding/mirror_gre_lib.sh | 2 +- + tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh | 6 ++++-- + 3 files changed, 9 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_bridge_1d_vlan.sh +@@ -74,12 +74,14 @@ test_vlan_match() + + test_gretap() + { +- test_vlan_match gt4 'vlan_id 555 vlan_ethtype ip' "mirror to gretap" ++ test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \ ++ "mirror to gretap" + } + + test_ip6gretap() + { +- test_vlan_match gt6 'vlan_id 555 vlan_ethtype ipv6' "mirror to ip6gretap" ++ test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ip' \ ++ "mirror to ip6gretap" + } + + test_gretap_stp() +--- a/tools/testing/selftests/net/forwarding/mirror_gre_lib.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_lib.sh +@@ -62,7 +62,7 @@ full_test_span_gre_dir_vlan_ips() + "$backward_type" "$ip1" "$ip2" + + tc filter add dev $h3 ingress pref 77 prot 802.1q \ +- flower $vlan_match ip_proto 0x2f \ ++ flower $vlan_match \ + action pass + mirror_test v$h1 $ip1 $ip2 $h3 77 10 + tc filter del dev $h3 ingress pref 77 +--- a/tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh ++++ b/tools/testing/selftests/net/forwarding/mirror_gre_vlan_bridge_1q.sh +@@ -79,12 +79,14 @@ test_vlan_match() + + test_gretap() + { +- test_vlan_match gt4 'vlan_id 555 vlan_ethtype ip' "mirror to gretap" ++ test_vlan_match gt4 'skip_hw vlan_id 555 vlan_ethtype ip' \ ++ "mirror to gretap" + } + + test_ip6gretap() + { +- test_vlan_match gt6 'vlan_id 555 vlan_ethtype ipv6' "mirror to ip6gretap" ++ test_vlan_match gt6 'skip_hw vlan_id 555 vlan_ethtype ip' \ ++ "mirror to ip6gretap" + } + + test_span_gre_forbidden_cpu() diff --git a/queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch b/queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch new file mode 100644 index 00000000000..fb9c47ad21a --- /dev/null +++ b/queue-4.18/serial-pxa-fix-an-error-handling-path-in-serial_pxa_probe.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Christophe JAILLET +Date: Mon, 11 Jun 2018 19:30:35 +0200 +Subject: serial: pxa: Fix an error handling path in 'serial_pxa_probe()' + +From: Christophe JAILLET + +[ Upstream commit 95a0e656580fab3128c7bee5f660c50784f53651 ] + +If port.line is out of range, we still need to release some resources, or +we will leak them. + +Fixes: afc7851fab83 ("serial: pxa: Fix out-of-bounds access through serial port index") +Signed-off-by: Christophe JAILLET +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/pxa.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/pxa.c ++++ b/drivers/tty/serial/pxa.c +@@ -887,7 +887,8 @@ static int serial_pxa_probe(struct platf + goto err_clk; + if (sport->port.line >= ARRAY_SIZE(serial_pxa_ports)) { + dev_err(&dev->dev, "serial%d out of range\n", sport->port.line); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err_clk; + } + snprintf(sport->name, PXA_NAME_LEN - 1, "UART%d", sport->port.line + 1); + diff --git a/queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch b/queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch new file mode 100644 index 00000000000..9f516defc7d --- /dev/null +++ b/queue-4.18/serial-sh-sci-stop-rx-fifo-timer-during-port-shutdown.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Geert Uytterhoeven +Date: Fri, 6 Jul 2018 11:08:36 +0200 +Subject: serial: sh-sci: Stop RX FIFO timer during port shutdown + +From: Geert Uytterhoeven + +[ Upstream commit c5a9262fa8bfed0dddc7466ef10fcd292e2af61b ] + +The RX FIFO timer may be armed when the port is shut down, hence the +timer function may still be called afterwards. + +Fix this race condition by deleting the timer during port shutdown. + +Fixes: 039403765e5da3c6 ("serial: sh-sci: SCIFA/B RX FIFO software timeout") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sh-sci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -2099,6 +2099,8 @@ static void sci_shutdown(struct uart_por + } + #endif + ++ if (s->rx_trigger > 1 && s->rx_fifo_timeout > 0) ++ del_timer_sync(&s->rx_fifo_timer); + sci_free_irq(s); + sci_free_dma(port); + } diff --git a/queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch b/queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch new file mode 100644 index 00000000000..967d68ceb9b --- /dev/null +++ b/queue-4.18/siox-don-t-create-a-thread-without-starting-it.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "Uwe Kleine-König" +Date: Thu, 28 Jun 2018 09:57:42 +0200 +Subject: siox: don't create a thread without starting it + +From: "Uwe Kleine-König" + +[ Upstream commit e890591413819eeb604207ad3261ba617b2ec0bb ] + +When a siox master device is registered a kthread is created that is +only started when triggered by userspace. So this thread might be in +TASK_UNINTERRUPTIBLE state for long and trigger a warning + + [ 241.130465] INFO: task siox-0:626 blocked for more than 120 seconds. + +with the respective debug settings enabled. It might be right to put an +unstarted thread to TASK_IDLE (in kernel/kthread.c:kthread()) instead, +but independant of this discussion it is cleaner for +siox_master_register() to start the thread immediately. The effect is +that it enters its own waiting state and then stays in state TASK_IDLE +which doesn't trigger the above warning. + +As siox_poll_thread() uses some variables of the device the +initialisation of these is moved before thread creation. + +Acked-by: Peter Zijlstra (Intel) +Signed-off-by: Uwe Kleine-König +Acked-by: Gavin Schenk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/siox/siox-core.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/siox/siox-core.c ++++ b/drivers/siox/siox-core.c +@@ -715,17 +715,17 @@ int siox_master_register(struct siox_mas + + dev_set_name(&smaster->dev, "siox-%d", smaster->busno); + ++ mutex_init(&smaster->lock); ++ INIT_LIST_HEAD(&smaster->devices); ++ + smaster->last_poll = jiffies; +- smaster->poll_thread = kthread_create(siox_poll_thread, smaster, +- "siox-%d", smaster->busno); ++ smaster->poll_thread = kthread_run(siox_poll_thread, smaster, ++ "siox-%d", smaster->busno); + if (IS_ERR(smaster->poll_thread)) { + smaster->active = 0; + return PTR_ERR(smaster->poll_thread); + } + +- mutex_init(&smaster->lock); +- INIT_LIST_HEAD(&smaster->devices); +- + ret = device_add(&smaster->dev); + if (ret) + kthread_stop(smaster->poll_thread); diff --git a/queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch b/queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch new file mode 100644 index 00000000000..a76a806679d --- /dev/null +++ b/queue-4.18/spi-orion-fix-cs-gpio-handling-again.patch @@ -0,0 +1,149 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: "Jan Kundrát" +Date: Mon, 4 Jun 2018 16:34:25 +0200 +Subject: spi: orion: fix CS GPIO handling again + +From: "Jan Kundrát" + +[ Upstream commit fb9acf5f1f21f1de193523ff780bda375b4c2e21 ] + +The code did not de-assert any CS GPIOs before probing slaves. This +means that several CS signals could be active at once, garbling the +communication. Whether this was actually a problem depended on the type +of the SPI device attached (so my "spidev" for userspace access worked +correctly because its probe was effectively a no-op), and on the state +of the GPIO pins at SoC's boot. + +The code was already iterating through all DT children of the SPI +controller, so this change re-uses that loop for CS GPIO setup as well. +This means that this might change the number of the HW CS signal which +is picked for all GPIO CS devices. Previously, the lowest one was used, +but we now use the first one from the DT. + +With this move of the code, we can also finally initialize each GPIO CS +lane before registering the SPI controller (which in turn probes for +slaves). + +I tried to fix this in 544248623b95 already, but that only did it half +way by registering the GPIOs properly. That patch failed to set their +logic signals early enough, though. + +Signed-off-by: Jan Kundrát +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-orion.c | 77 ++++++++++++++++++++++++------------------------ + 1 file changed, 40 insertions(+), 37 deletions(-) + +--- a/drivers/spi/spi-orion.c ++++ b/drivers/spi/spi-orion.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -681,9 +682,9 @@ static int orion_spi_probe(struct platfo + goto out_rel_axi_clk; + } + +- /* Scan all SPI devices of this controller for direct mapped devices */ + for_each_available_child_of_node(pdev->dev.of_node, np) { + u32 cs; ++ int cs_gpio; + + /* Get chip-select number from the "reg" property */ + status = of_property_read_u32(np, "reg", &cs); +@@ -695,6 +696,44 @@ static int orion_spi_probe(struct platfo + } + + /* ++ * Initialize the CS GPIO: ++ * - properly request the actual GPIO signal ++ * - de-assert the logical signal so that all GPIO CS lines ++ * are inactive when probing for slaves ++ * - find an unused physical CS which will be driven for any ++ * slave which uses a CS GPIO ++ */ ++ cs_gpio = of_get_named_gpio(pdev->dev.of_node, "cs-gpios", cs); ++ if (cs_gpio > 0) { ++ char *gpio_name; ++ int cs_flags; ++ ++ if (spi->unused_hw_gpio == -1) { ++ dev_info(&pdev->dev, ++ "Selected unused HW CS#%d for any GPIO CSes\n", ++ cs); ++ spi->unused_hw_gpio = cs; ++ } ++ ++ gpio_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, ++ "%s-CS%d", dev_name(&pdev->dev), cs); ++ if (!gpio_name) { ++ status = -ENOMEM; ++ goto out_rel_axi_clk; ++ } ++ ++ cs_flags = of_property_read_bool(np, "spi-cs-high") ? ++ GPIOF_OUT_INIT_LOW : GPIOF_OUT_INIT_HIGH; ++ status = devm_gpio_request_one(&pdev->dev, cs_gpio, ++ cs_flags, gpio_name); ++ if (status) { ++ dev_err(&pdev->dev, ++ "Can't request GPIO for CS %d\n", cs); ++ goto out_rel_axi_clk; ++ } ++ } ++ ++ /* + * Check if an address is configured for this SPI device. If + * not, the MBus mapping via the 'ranges' property in the 'soc' + * node is not configured and this device should not use the +@@ -740,44 +779,8 @@ static int orion_spi_probe(struct platfo + if (status < 0) + goto out_rel_pm; + +- if (master->cs_gpios) { +- int i; +- for (i = 0; i < master->num_chipselect; ++i) { +- char *gpio_name; +- +- if (!gpio_is_valid(master->cs_gpios[i])) { +- continue; +- } +- +- gpio_name = devm_kasprintf(&pdev->dev, GFP_KERNEL, +- "%s-CS%d", dev_name(&pdev->dev), i); +- if (!gpio_name) { +- status = -ENOMEM; +- goto out_rel_master; +- } +- +- status = devm_gpio_request(&pdev->dev, +- master->cs_gpios[i], gpio_name); +- if (status) { +- dev_err(&pdev->dev, +- "Can't request GPIO for CS %d\n", +- master->cs_gpios[i]); +- goto out_rel_master; +- } +- if (spi->unused_hw_gpio == -1) { +- dev_info(&pdev->dev, +- "Selected unused HW CS#%d for any GPIO CSes\n", +- i); +- spi->unused_hw_gpio = i; +- } +- } +- } +- +- + return status; + +-out_rel_master: +- spi_unregister_master(master); + out_rel_pm: + pm_runtime_disable(&pdev->dev); + out_rel_axi_clk: diff --git a/queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch b/queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch new file mode 100644 index 00000000000..e76016651ff --- /dev/null +++ b/queue-4.18/staging-android-ashmem-fix-mmap-size-validation.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Alistair Strachan +Date: Tue, 19 Jun 2018 17:57:35 -0700 +Subject: staging: android: ashmem: Fix mmap size validation + +From: Alistair Strachan + +[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ] + +The ashmem driver did not check that the size/offset of the vma passed +to its .mmap() function was not larger than the ashmem object being +mapped. This could cause mmap() to succeed, even though accessing parts +of the mapping would later fail with a segmentation fault. + +Ensure an error is returned by the ashmem_mmap() function if the vma +size is larger than the ashmem object size. This enables safer handling +of the problem in userspace. + +Cc: Todd Kjos +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Cc: kernel-team@android.com +Cc: Joel Fernandes +Signed-off-by: Alistair Strachan +Acked-by: Joel Fernandes (Google) +Reviewed-by: Martijn Coenen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/android/ashmem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -366,6 +366,12 @@ static int ashmem_mmap(struct file *file + goto out; + } + ++ /* requested mapping size larger than object size */ ++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + /* requested protection bits must match our allowed protection mask */ + if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) & + calc_vm_prot_bits(PROT_MASK, 0))) { diff --git a/queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch b/queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch new file mode 100644 index 00000000000..b701136b5e0 --- /dev/null +++ b/queue-4.18/staging-mt7621-dts-fix-remaining-pcie-warnings.patch @@ -0,0 +1,93 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Rosen Penev +Date: Sat, 16 Jun 2018 19:17:50 -0700 +Subject: staging: mt7621-dts: Fix remaining pcie warnings + +From: Rosen Penev + +[ Upstream commit d0233204fbc10f003d1ef077f57341c2feca4002 ] + +This currently fixes the remaining dtb warnings: + +Node /pcie@1e140000/pcie0 has a reg or ranges property, but no unit name +Node /pcie@1e140000/pcie1 has a reg or ranges property, but no unit name +Node /pcie@1e140000/pcie2 has a reg or ranges property, but no unit name +Node /pcie@1e140000/pcie0 node name is not "pci" or "pcie" +Node /pcie@1e140000/pcie0 missing ranges for PCI bridge (or not a bridge) +Node /pcie@1e140000/pcie0 missing bus-range for PCI bridge +Node /pcie@1e140000/pcie1 node name is not "pci" or "pcie" +Node /pcie@1e140000/pcie1 missing ranges for PCI bridge (or not a bridge) +Node /pcie@1e140000/pcie1 missing bus-range for PCI bridge +Node /pcie@1e140000/pcie2 node name is not "pci" or "pcie" +Node /pcie@1e140000/pcie2 missing ranges for PCI bridge (or not a bridge) +Node /pcie@1e140000/pcie2 missing bus-range for PCI bridge +Warning (unit_address_format): Failed prerequisite 'pci_bridge' +Warning (pci_device_reg): Failed prerequisite 'pci_bridge' +Warning (pci_device_bus_num): Failed prerequisite 'pci_bridge' + +device_type was removed since according to documentation, it's deprecated +for pci(e) devices. + +Signed-off-by: Rosen Penev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/mt7621-dts/gbpc1.dts | 2 ++ + drivers/staging/mt7621-dts/mt7621.dtsi | 21 +++++++++------------ + 2 files changed, 11 insertions(+), 12 deletions(-) + +--- a/drivers/staging/mt7621-dts/gbpc1.dts ++++ b/drivers/staging/mt7621-dts/gbpc1.dts +@@ -113,6 +113,8 @@ + }; + + &pcie { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pcie_pins>; + status = "okay"; + }; + +--- a/drivers/staging/mt7621-dts/mt7621.dtsi ++++ b/drivers/staging/mt7621-dts/mt7621.dtsi +@@ -447,31 +447,28 @@ + clocks = <&clkctrl 24 &clkctrl 25 &clkctrl 26>; + clock-names = "pcie0", "pcie1", "pcie2"; + +- pcie0 { ++ pcie@0,0 { + reg = <0x0000 0 0 0 0>; +- + #address-cells = <3>; + #size-cells = <2>; +- +- device_type = "pci"; ++ ranges; ++ bus-range = <0x00 0xff>; + }; + +- pcie1 { ++ pcie@1,0 { + reg = <0x0800 0 0 0 0>; +- + #address-cells = <3>; + #size-cells = <2>; +- +- device_type = "pci"; ++ ranges; ++ bus-range = <0x00 0xff>; + }; + +- pcie2 { ++ pcie@2,0 { + reg = <0x1000 0 0 0 0>; +- + #address-cells = <3>; + #size-cells = <2>; +- +- device_type = "pci"; ++ ranges; ++ bus-range = <0x00 0xff>; + }; + }; + }; diff --git a/queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch b/queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch new file mode 100644 index 00000000000..ec3d014236f --- /dev/null +++ b/queue-4.18/staging-mt7621-eth-fix-memory-leak-in-mtk_add_mac-error-path.patch @@ -0,0 +1,57 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Kamal Heib +Date: Tue, 19 Jun 2018 20:04:08 +0300 +Subject: staging: mt7621-eth: Fix memory leak in mtk_add_mac() error path + +From: Kamal Heib + +[ Upstream commit 85e1d42663a0c163002961d2685be952067b0dc2 ] + +Fix memory leak in error path of mtk_add_mac() by make sure to free +the allocated netdev. + +Fixes: e3cbf478f846 ('staging: mt7621-eth: add the drivers core files') +Signed-off-by: Kamal Heib +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/mt7621-eth/mtk_eth_soc.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/staging/mt7621-eth/mtk_eth_soc.c ++++ b/drivers/staging/mt7621-eth/mtk_eth_soc.c +@@ -2012,8 +2012,10 @@ static int mtk_add_mac(struct mtk_eth *e + mac->hw_stats = devm_kzalloc(eth->dev, + sizeof(*mac->hw_stats), + GFP_KERNEL); +- if (!mac->hw_stats) +- return -ENOMEM; ++ if (!mac->hw_stats) { ++ err = -ENOMEM; ++ goto free_netdev; ++ } + spin_lock_init(&mac->hw_stats->stats_lock); + mac->hw_stats->reg_offset = id * MTK_STAT_OFFSET; + } +@@ -2037,7 +2039,8 @@ static int mtk_add_mac(struct mtk_eth *e + err = register_netdev(eth->netdev[id]); + if (err) { + dev_err(eth->dev, "error bringing up device\n"); +- return err; ++ err = -ENOMEM; ++ goto free_netdev; + } + eth->netdev[id]->irq = eth->irq; + netif_info(eth, probe, eth->netdev[id], +@@ -2045,6 +2048,10 @@ static int mtk_add_mac(struct mtk_eth *e + eth->netdev[id]->base_addr, eth->netdev[id]->irq); + + return 0; ++ ++free_netdev: ++ free_netdev(eth->netdev[id]); ++ return err; + } + + static int mtk_probe(struct platform_device *pdev) diff --git a/queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch b/queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch new file mode 100644 index 00000000000..f86d2dfb0ae --- /dev/null +++ b/queue-4.18/staging-pi433-fix-race-condition-in-pi433_ioctl.patch @@ -0,0 +1,61 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Hugo Lefeuvre +Date: Wed, 13 Jun 2018 21:04:38 -0400 +Subject: staging: pi433: fix race condition in pi433_ioctl + +From: Hugo Lefeuvre + +[ Upstream commit 6de4ef65a8c6f53ce7eef06666410bc3b6e4b624 ] + +In the PI433_IOC_WR_TX_CFG case in pi433_ioctl, instance->tx_cfg is +modified via + +copy_from_user(&instance->tx_cfg, argp, sizeof(struct pi433_tx_cfg))) + +without any kind of synchronization. In the case where two threads +would execute this same command concurrently the tx_cfg field might +enter in an inconsistent state. + +Additionally: if ioctl(PI433_IOC_WR_TX_CFG) and write() execute +concurrently the tx config might be modified while it is being +copied to the fifo, resulting in potential data corruption. + +Fix: Get instance->tx_cfg_lock before modifying tx config in the +PI433_IOC_WR_TX_CFG case in pi433_ioctl. + +Also, do not copy data directly from user space to instance->tx_cfg. +Instead use a temporary buffer allowing future checks for correctness +of copied data and simpler code. + +Signed-off-by: Hugo Lefeuvre +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/pi433/pi433_if.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/staging/pi433/pi433_if.c ++++ b/drivers/staging/pi433/pi433_if.c +@@ -880,6 +880,7 @@ pi433_ioctl(struct file *filp, unsigned + int retval = 0; + struct pi433_instance *instance; + struct pi433_device *device; ++ struct pi433_tx_cfg tx_cfg; + void __user *argp = (void __user *)arg; + + /* Check type and command number */ +@@ -902,9 +903,11 @@ pi433_ioctl(struct file *filp, unsigned + return -EFAULT; + break; + case PI433_IOC_WR_TX_CFG: +- if (copy_from_user(&instance->tx_cfg, argp, +- sizeof(struct pi433_tx_cfg))) ++ if (copy_from_user(&tx_cfg, argp, sizeof(struct pi433_tx_cfg))) + return -EFAULT; ++ mutex_lock(&device->tx_fifo_lock); ++ memcpy(&instance->tx_cfg, &tx_cfg, sizeof(struct pi433_tx_cfg)); ++ mutex_unlock(&device->tx_fifo_lock); + break; + case PI433_IOC_RD_RX_CFG: + if (copy_to_user(argp, &device->rx_cfg, diff --git a/queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch b/queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch new file mode 100644 index 00000000000..acfc4e8ab82 --- /dev/null +++ b/queue-4.18/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Colin Ian King +Date: Mon, 2 Jul 2018 14:27:35 +0100 +Subject: staging: rts5208: fix missing error check on call to rtsx_write_register + +From: Colin Ian King + +[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ] + +Currently the check on error return from the call to rtsx_write_register +is checking the error status from the previous call. Fix this by adding +in the missing assignment of retval. + +Detected by CoverityScan, CID#709877 + +Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rts5208/sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/sd.c ++++ b/drivers/staging/rts5208/sd.c +@@ -4996,7 +4996,7 @@ int sd_execute_write_data(struct scsi_cm + goto sd_execute_write_cmd_failed; + } + +- rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); ++ retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); + if (retval != STATUS_SUCCESS) { + rtsx_trace(chip); + goto sd_execute_write_cmd_failed; diff --git a/queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch b/queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch new file mode 100644 index 00000000000..b68af5483f7 --- /dev/null +++ b/queue-4.18/thermal-i.mx-allow-thermal-probe-to-fail-gracefully-in-case-of-bad-calibration.patch @@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jean-Christophe Dubois +Date: Sun, 1 Jul 2018 00:10:50 +0200 +Subject: thermal: i.MX: Allow thermal probe to fail gracefully in case of bad calibration. + +From: Jean-Christophe Dubois + +[ Upstream commit be926ceeb4efc3bf44cb9b56f5c71aac9b1f8bbe ] + +Without this fix, the thermal probe on i.MX6 might trigger a division +by zero exception later in the probe if the calibration does fail. + +Note: This linux behavior (Division by zero in kernel) has been triggered +on a Qemu i.MX6 emulation where parameters in nvmem were not set. With this +fix the division by zero is not triggeed anymore as the thermal probe does +fail early. + +Signed-off-by: Jean-Christophe Dubois +Reviewed-by: Fabio Estevam +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/imx_thermal.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/thermal/imx_thermal.c ++++ b/drivers/thermal/imx_thermal.c +@@ -604,7 +604,10 @@ static int imx_init_from_nvmem_cells(str + ret = nvmem_cell_read_u32(&pdev->dev, "calib", &val); + if (ret) + return ret; +- imx_init_calib(pdev, val); ++ ++ ret = imx_init_calib(pdev, val); ++ if (ret) ++ return ret; + + ret = nvmem_cell_read_u32(&pdev->dev, "temp_grade", &val); + if (ret) diff --git a/queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch b/queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch new file mode 100644 index 00000000000..7144999bc2e --- /dev/null +++ b/queue-4.18/tsl2550-fix-lux1_input-error-in-low-light.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Matt Ranostay +Date: Fri, 8 Jun 2018 23:58:15 -0700 +Subject: tsl2550: fix lux1_input error in low light + +From: Matt Ranostay + +[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ] + +ADC channel 0 photodiode detects both infrared + visible light, +but ADC channel 1 just detects infrared. However, the latter is a bit +more sensitive in that range so complete darkness or low light causes +a error condition in which the chan0 - chan1 is negative that +results in a -EAGAIN. + +This patch changes the resulting lux1_input sysfs attribute message from +"Resource temporarily unavailable" to a user-grokable lux value of 0. + +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Signed-off-by: Matt Ranostay +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/tsl2550.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/tsl2550.c ++++ b/drivers/misc/tsl2550.c +@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0, + } else + lux = 0; + else +- return -EAGAIN; ++ return 0; + + /* LUX range check */ + return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux; diff --git a/queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch b/queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch new file mode 100644 index 00000000000..0ef392c12d3 --- /dev/null +++ b/queue-4.18/usb-serial-kobil_sct-fix-modem-status-error-handling.patch @@ -0,0 +1,47 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Johan Hovold +Date: Wed, 4 Jul 2018 17:02:18 +0200 +Subject: USB: serial: kobil_sct: fix modem-status error handling + +From: Johan Hovold + +[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ] + +Make sure to return -EIO in case of a short modem-status read request. + +While at it, split the debug message to not include the (zeroed) +transfer-buffer content in case of errors. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kobil_sct.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -393,12 +393,20 @@ static int kobil_tiocmget(struct tty_str + transfer_buffer_length, + KOBIL_TIMEOUT); + +- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n", +- __func__, result, transfer_buffer[0]); ++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n", ++ result); ++ if (result < 1) { ++ if (result >= 0) ++ result = -EIO; ++ goto out_free; ++ } ++ ++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]); + + result = 0; + if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0) + result = TIOCM_DSR; ++out_free: + kfree(transfer_buffer); + return result; + } diff --git a/queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch b/queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch new file mode 100644 index 00000000000..9d576305ca1 --- /dev/null +++ b/queue-4.18/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Julia Lawall +Date: Sun, 1 Jul 2018 19:32:04 +0200 +Subject: usb: wusbcore: security: cast sizeof to int for comparison + +From: Julia Lawall + +[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ] + +Comparing an int to a size, which is unsigned, causes the int to become +unsigned, giving the wrong result. usb_get_descriptor can return a +negative error code. + +A simplified version of the semantic match that finds this problem is as +follows: (http://coccinelle.lip6.fr/) + +// +@@ +int x; +expression e,e1; +identifier f; +@@ + +*x = f(...); +... when != x = e1 + when != if (x < 0 || ...) { ... return ...; } +*x < sizeof(e) +// + +Signed-off-by: Julia Lawall +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/wusbcore/security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/wusbcore/security.c ++++ b/drivers/usb/wusbcore/security.c +@@ -217,7 +217,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb + + result = usb_get_descriptor(usb_dev, USB_DT_SECURITY, + 0, secd, sizeof(*secd)); +- if (result < sizeof(*secd)) { ++ if (result < (int)sizeof(*secd)) { + dev_err(dev, "Can't read security descriptor or " + "not enough data: %d\n", result); + goto out; diff --git a/queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch b/queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch new file mode 100644 index 00000000000..57a93963c67 --- /dev/null +++ b/queue-4.18/uwb-hwa-rc-fix-memory-leak-at-probe.patch @@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Anton Vasilyev +Date: Fri, 6 Jul 2018 15:32:53 +0300 +Subject: uwb: hwa-rc: fix memory leak at probe + +From: Anton Vasilyev + +[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ] + +hwarc_probe() allocates memory for hwarc, but does not free it +if uwb_rc_add() or hwarc_get_version() fail. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uwb/hwa-rc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -873,6 +873,7 @@ error_get_version: + error_rc_add: + usb_put_intf(iface); + usb_put_dev(hwarc->usb_dev); ++ kfree(hwarc); + error_alloc: + uwb_rc_put(uwb_rc); + error_rc_alloc: diff --git a/queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch b/queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch new file mode 100644 index 00000000000..c6dafd7f8e6 --- /dev/null +++ b/queue-4.18/vhost_net-avoid-tx-vring-kicks-during-busyloop.patch @@ -0,0 +1,129 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Toshiaki Makita +Date: Tue, 3 Jul 2018 16:31:32 +0900 +Subject: vhost_net: Avoid tx vring kicks during busyloop + +From: Toshiaki Makita + +[ Upstream commit 027b17603b030f1334ade079b7a3e986569c956b ] + +Under heavy load vhost busypoll may run without suppressing +notification. For example tx zerocopy callback can push tx work while +handle_tx() is running, then busyloop exits due to vhost_has_work() +condition and enables notification but immediately reenters handle_tx() +because the pushed work was tx. In this case handle_tx() tries to +disable notification again, but when using event_idx it by design +cannot. Then busyloop will run without suppressing notification. +Another example is the case where handle_tx() tries to enable +notification but avail idx is advanced so disables it again. This case +also leads to the same situation with event_idx. + +The problem is that once we enter this situation busyloop does not work +under heavy load for considerable amount of time, because notification +is likely to happen during busyloop and handle_tx() immediately enables +notification after notification happens. Specifically busyloop detects +notification by vhost_has_work() and then handle_tx() calls +vhost_enable_notify(). Because the detected work was the tx work, it +enters handle_tx(), and enters busyloop without suppression again. +This is likely to be repeated, so with event_idx we are almost not able +to suppress notification in this case. + +To fix this, poll the work instead of enabling notification when +busypoll is interrupted by something. IMHO vhost_has_work() is kind of +interruption rather than a signal to completely cancel the busypoll, so +let's run busypoll after the necessary work is done. + +Signed-off-by: Toshiaki Makita +Acked-by: Jason Wang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/vhost/net.c | 35 ++++++++++++++++++++++------------- + 1 file changed, 22 insertions(+), 13 deletions(-) + +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -396,13 +396,10 @@ static inline unsigned long busy_clock(v + return local_clock() >> 10; + } + +-static bool vhost_can_busy_poll(struct vhost_dev *dev, +- unsigned long endtime) ++static bool vhost_can_busy_poll(unsigned long endtime) + { +- return likely(!need_resched()) && +- likely(!time_after(busy_clock(), endtime)) && +- likely(!signal_pending(current)) && +- !vhost_has_work(dev); ++ return likely(!need_resched() && !time_after(busy_clock(), endtime) && ++ !signal_pending(current)); + } + + static void vhost_net_disable_vq(struct vhost_net *n, +@@ -434,7 +431,8 @@ static int vhost_net_enable_vq(struct vh + static int vhost_net_tx_get_vq_desc(struct vhost_net *net, + struct vhost_virtqueue *vq, + struct iovec iov[], unsigned int iov_size, +- unsigned int *out_num, unsigned int *in_num) ++ unsigned int *out_num, unsigned int *in_num, ++ bool *busyloop_intr) + { + unsigned long uninitialized_var(endtime); + int r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov), +@@ -443,9 +441,15 @@ static int vhost_net_tx_get_vq_desc(stru + if (r == vq->num && vq->busyloop_timeout) { + preempt_disable(); + endtime = busy_clock() + vq->busyloop_timeout; +- while (vhost_can_busy_poll(vq->dev, endtime) && +- vhost_vq_avail_empty(vq->dev, vq)) ++ while (vhost_can_busy_poll(endtime)) { ++ if (vhost_has_work(vq->dev)) { ++ *busyloop_intr = true; ++ break; ++ } ++ if (!vhost_vq_avail_empty(vq->dev, vq)) ++ break; + cpu_relax(); ++ } + preempt_enable(); + r = vhost_get_vq_desc(vq, vq->iov, ARRAY_SIZE(vq->iov), + out_num, in_num, NULL, NULL); +@@ -501,20 +505,24 @@ static void handle_tx(struct vhost_net * + zcopy = nvq->ubufs; + + for (;;) { ++ bool busyloop_intr; ++ + /* Release DMAs done buffers first */ + if (zcopy) + vhost_zerocopy_signal_used(net, vq); + +- ++ busyloop_intr = false; + head = vhost_net_tx_get_vq_desc(net, vq, vq->iov, + ARRAY_SIZE(vq->iov), +- &out, &in); ++ &out, &in, &busyloop_intr); + /* On error, stop handling until the next kick. */ + if (unlikely(head < 0)) + break; + /* Nothing new? Wait for eventfd to tell us they refilled. */ + if (head == vq->num) { +- if (unlikely(vhost_enable_notify(&net->dev, vq))) { ++ if (unlikely(busyloop_intr)) { ++ vhost_poll_queue(&vq->poll); ++ } else if (unlikely(vhost_enable_notify(&net->dev, vq))) { + vhost_disable_notify(&net->dev, vq); + continue; + } +@@ -663,7 +671,8 @@ static int vhost_net_rx_peek_head_len(st + preempt_disable(); + endtime = busy_clock() + vq->busyloop_timeout; + +- while (vhost_can_busy_poll(&net->dev, endtime) && ++ while (vhost_can_busy_poll(endtime) && ++ !vhost_has_work(&net->dev) && + !sk_has_rx_data(sk) && + vhost_vq_avail_empty(&net->dev, vq)) + cpu_relax(); diff --git a/queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch b/queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch new file mode 100644 index 00000000000..4c3e86b98e0 --- /dev/null +++ b/queue-4.18/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch @@ -0,0 +1,42 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:33:34 +0300 +Subject: vmci: type promotion bug in qp_host_get_user_memory() + +From: Dan Carpenter + +[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ] + +The problem is that if get_user_pages_fast() fails and returns a +negative error code, it gets type promoted to a high positive value and +treated as a success. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -668,7 +668,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) produce_uva, + produce_q->kernel_if->num_pages, 1, + produce_q->kernel_if->u.h.header_page); +- if (retval < produce_q->kernel_if->num_pages) { ++ if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); + qp_release_pages(produce_q->kernel_if->u.h.header_page, +@@ -680,7 +680,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) consume_uva, + consume_q->kernel_if->num_pages, 1, + consume_q->kernel_if->u.h.header_page); +- if (retval < consume_q->kernel_if->num_pages) { ++ if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); + qp_release_pages(consume_q->kernel_if->u.h.header_page, diff --git a/queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch b/queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch new file mode 100644 index 00000000000..56a4dea6f44 --- /dev/null +++ b/queue-4.18/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch @@ -0,0 +1,55 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Tony Lindgren +Date: Tue, 19 Jun 2018 02:43:35 -0700 +Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() + +From: Tony Lindgren + +[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ] + +Otherwise we can get: + +WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84 + +I've only seen this few times with the runtime PM patches enabled +so this one is probably not needed before that. This seems to +work currently based on the current PM implementation timer. Let's +apply this separately though in case others are hitting this issue. + +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/ti/wlcore/cmd.c ++++ b/drivers/net/wireless/ti/wlcore/cmd.c +@@ -35,6 +35,7 @@ + #include "wl12xx_80211.h" + #include "cmd.h" + #include "event.h" ++#include "ps.h" + #include "tx.h" + #include "hw_ops.h" + +@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout + + timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT); + ++ ret = wl1271_ps_elp_wakeup(wl); ++ if (ret < 0) ++ return ret; ++ + do { + if (time_after(jiffies, timeout_time)) { + wl1271_debug(DEBUG_CMD, "timeout waiting for event %d", +@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout + } while (!event); + + out: ++ wl1271_ps_elp_sleep(wl); + kfree(events_vector); + return ret; + } diff --git a/queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch b/queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch new file mode 100644 index 00000000000..233e9159452 --- /dev/null +++ b/queue-4.18/x86-entry-64-add-two-more-instruction-suffixes.patch @@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Jan Beulich +Date: Mon, 2 Jul 2018 04:47:57 -0600 +Subject: x86/entry/64: Add two more instruction suffixes + +From: Jan Beulich + +[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ] + +Sadly, other than claimed in: + + a368d7fd2a ("x86/entry/64: Add instruction suffix") + +... there are two more instances which want to be adjusted. + +As said there, omitting suffixes from instructions in AT&T mode is bad +practice when operand size cannot be determined by the assembler from +register operands, and is likely going to be warned about by upstream +gas in the future (mine does already). + +Add the other missing suffixes here as well. + +Signed-off-by: Jan Beulich +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_64.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -92,7 +92,7 @@ END(native_usergs_sysret64) + .endm + + .macro TRACE_IRQS_IRETQ_DEBUG +- bt $9, EFLAGS(%rsp) /* interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* interrupts off? */ + jnc 1f + TRACE_IRQS_ON_DEBUG + 1: +@@ -701,7 +701,7 @@ retint_kernel: + #ifdef CONFIG_PREEMPT + /* Interrupts are off */ + /* Check if we need preemption */ +- bt $9, EFLAGS(%rsp) /* were interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* were interrupts off? */ + jnc 1f + 0: cmpl $0, PER_CPU_VAR(__preempt_count) + jnz 1f diff --git a/queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch b/queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch new file mode 100644 index 00000000000..2359a668aef --- /dev/null +++ b/queue-4.18/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Dan Williams +Date: Fri, 6 Jul 2018 09:08:01 -0700 +Subject: x86/numa_emulation: Fix emulated-to-physical node mapping + +From: Dan Williams + +[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ] + +Without this change the distance table calculation for emulated nodes +may use the wrong numa node and report an incorrect distance. + +Signed-off-by: Dan Williams +Cc: David Rientjes +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Wei Yang +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/numa_emulation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/numa_emulation.c ++++ b/arch/x86/mm/numa_emulation.c +@@ -61,7 +61,7 @@ static int __init emu_setup_memblk(struc + eb->nid = nid; + + if (emu_nid_to_phys[nid] == NUMA_NO_NODE) +- emu_nid_to_phys[nid] = nid; ++ emu_nid_to_phys[nid] = pb->nid; + + pb->start += size; + if (pb->start >= pb->end) { diff --git a/queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch b/queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch new file mode 100644 index 00000000000..ecfca0afe69 --- /dev/null +++ b/queue-4.18/x86-tsc-add-missing-header-to-tsc_msr.c.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:24:28 PDT 2018 +From: Andy Shevchenko +Date: Fri, 29 Jun 2018 22:31:10 +0300 +Subject: x86/tsc: Add missing header to tsc_msr.c + +From: Andy Shevchenko + +[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ] + +Add a missing header otherwise compiler warns about missed prototype: + +CC arch/x86/kernel/tsc_msr.o +arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes] + unsigned long cpu_khz_from_msr(void) + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: "H. Peter Anvin" +Cc: Pavel Tatashin +Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc_msr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/tsc_msr.c ++++ b/arch/x86/kernel/tsc_msr.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #define MAX_NUM_FREQS 9 +