From: Sasha Levin Date: Sat, 9 Feb 2019 17:52:47 +0000 (-0500) Subject: autosel patches for 4.9 X-Git-Tag: v4.9.156~48 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c06fc8f8ac01b3bdac23b31448453f79fac8c39a;p=thirdparty%2Fkernel%2Fstable-queue.git autosel patches for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch b/queue-4.9/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch new file mode 100644 index 00000000000..5b01beeb79f --- /dev/null +++ b/queue-4.9/arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch @@ -0,0 +1,63 @@ +From 475f0e96581fc91bc417913fecedcf1998638269 Mon Sep 17 00:00:00 2001 +From: Yufen Wang +Date: Fri, 2 Nov 2018 11:51:31 +0100 +Subject: ARM: 8808/1: kexec:offline panic_smp_self_stop CPU + +[ Upstream commit 82c08c3e7f171aa7f579b231d0abbc1d62e91974 ] + +In case panic() and panic() called at the same time on different CPUS. +For example: +CPU 0: + panic() + __crash_kexec + machine_crash_shutdown + crash_smp_send_stop + machine_kexec + BUG_ON(num_online_cpus() > 1); + +CPU 1: + panic() + local_irq_disable + panic_smp_self_stop + +If CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop(), kdump +fails. CPU1 can't receive the ipi irq, CPU1 will be always online. +To fix this problem, this patch split out the panic_smp_self_stop() +and add set_cpu_online(smp_processor_id(), false). + +Signed-off-by: Yufen Wang +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/kernel/smp.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c +index d2ce37da87d8..4b129aac7233 100644 +--- a/arch/arm/kernel/smp.c ++++ b/arch/arm/kernel/smp.c +@@ -690,6 +690,21 @@ void smp_send_stop(void) + pr_warn("SMP: failed to stop secondary CPUs\n"); + } + ++/* In case panic() and panic() called at the same time on CPU1 and CPU2, ++ * and CPU 1 calls panic_smp_self_stop() before crash_smp_send_stop() ++ * CPU1 can't receive the ipi irqs from CPU2, CPU1 will be always online, ++ * kdump fails. So split out the panic_smp_self_stop() and add ++ * set_cpu_online(smp_processor_id(), false). ++ */ ++void panic_smp_self_stop(void) ++{ ++ pr_debug("CPU %u will stop doing anything useful since another CPU has paniced\n", ++ smp_processor_id()); ++ set_cpu_online(smp_processor_id(), false); ++ while (1) ++ cpu_relax(); ++} ++ + /* + * not supported here + */ +-- +2.19.1 + diff --git a/queue-4.9/arm-dts-fix-omap4430-sdp-ethernet-startup.patch b/queue-4.9/arm-dts-fix-omap4430-sdp-ethernet-startup.patch new file mode 100644 index 00000000000..1f58b4f9e37 --- /dev/null +++ b/queue-4.9/arm-dts-fix-omap4430-sdp-ethernet-startup.patch @@ -0,0 +1,65 @@ +From a206f78f12d9e827aef84e73f0142c1144a4b4ab Mon Sep 17 00:00:00 2001 +From: Russell King - ARM Linux +Date: Fri, 7 Dec 2018 09:17:07 -0800 +Subject: ARM: dts: Fix OMAP4430 SDP Ethernet startup + +[ Upstream commit 84fb6c7feb1494ebb7d1ec8b95cfb7ada0264465 ] + +It was noticed that unbinding and rebinding the KSZ8851 ethernet +resulted in the driver reporting "failed to read device ID" at probe. +Probing the reset line with a 'scope while repeatedly attempting to +bind the driver in a shell loop revealed that the KSZ8851 RSTN pin is +constantly held at zero, meaning the device is held in reset, and +does not respond on the SPI bus. + +Experimentation with the startup delay on the regulator set to 50ms +shows that the reset is positively released after 20ms. + +Schematics for this board are not available, and the traces are buried +in the inner layers of the board which makes tracing where the RSTN pin +extremely difficult. We can only guess that the RSTN pin is wired to a +reset generator chip driven off the ethernet supply, which fits the +observed behaviour. + +Include this delay in the regulator startup delay - effectively +treating the reset as a "supply stable" indicator. + +This can not be modelled as a delay in the KSZ8851 driver since the +reset generation is board specific - if the RSTN pin had been wired to +a GPIO, reset could be released earlier via the already provided support +in the KSZ8851 driver. + +This also got confirmed by Peter Ujfalusi based +on Blaze schematics that should be very close to SDP4430: + +TPS22902YFPR is used as the regulator switch (gpio48 controlled): +Convert arm boot_lock to raw The VOUT is routed to TPS3808G01DBV. +(SCH Note: Threshold set at 90%. Vsense: 0.405V). + +According to the TPS3808 data sheet the RESET delay time when Ct is +open (this is the case in the schema): MIN/TYP/MAX: 12/20/28 ms. + +Signed-off-by: Russell King +Reviewed-by: Peter Ujfalusi +[tony@atomide.com: updated with notes from schematics from Peter] +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/omap4-sdp.dts | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/omap4-sdp.dts b/arch/arm/boot/dts/omap4-sdp.dts +index d728ec963111..891ba75fd459 100644 +--- a/arch/arm/boot/dts/omap4-sdp.dts ++++ b/arch/arm/boot/dts/omap4-sdp.dts +@@ -33,6 +33,7 @@ + gpio = <&gpio2 16 GPIO_ACTIVE_HIGH>; /* gpio line 48 */ + enable-active-high; + regulator-boot-on; ++ startup-delay-us = <25000>; + }; + + vbat: fixedregulator-vbat { +-- +2.19.1 + diff --git a/queue-4.9/arm-dts-mmp2-fix-twsi2.patch b/queue-4.9/arm-dts-mmp2-fix-twsi2.patch new file mode 100644 index 00000000000..63e1ad7c497 --- /dev/null +++ b/queue-4.9/arm-dts-mmp2-fix-twsi2.patch @@ -0,0 +1,56 @@ +From 3a4560a4e39ec8c2edf3e72d69cd017d18a62537 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 28 Nov 2018 18:53:10 +0100 +Subject: ARM: dts: mmp2: fix TWSI2 + +[ Upstream commit 1147e05ac9fc2ef86a3691e7ca5c2db7602d81dd ] + +Marvell keeps their MMP2 datasheet secret, but there are good clues +that TWSI2 is not on 0xd4025000 on that platform, not does it use +IRQ 58. In fact, the IRQ 58 on MMP2 seems to be a signal processor: + + arch/arm/mach-mmp/irqs.h:#define IRQ_MMP2_MSP 58 + +I'm taking a somewhat educated guess that is probably a copy & paste +error from PXA168 or PXA910 and that the real controller in fact hides +at address 0xd4031000 and uses an interrupt line multiplexed via IRQ 17. + +I'm also copying some properties from TWSI1 that were missing or +incorrect. + +Tested on a OLPC XO 1.75 machine, where the RTC is on TWSI2. + +Signed-off-by: Lubomir Rintel +Tested-by: Pavel Machek +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/mmp2.dtsi | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/mmp2.dtsi b/arch/arm/boot/dts/mmp2.dtsi +index 766bbb8495b6..47e5b63339d1 100644 +--- a/arch/arm/boot/dts/mmp2.dtsi ++++ b/arch/arm/boot/dts/mmp2.dtsi +@@ -220,12 +220,15 @@ + status = "disabled"; + }; + +- twsi2: i2c@d4025000 { ++ twsi2: i2c@d4031000 { + compatible = "mrvl,mmp-twsi"; +- reg = <0xd4025000 0x1000>; +- interrupts = <58>; ++ reg = <0xd4031000 0x1000>; ++ interrupt-parent = <&intcmux17>; ++ interrupts = <0>; + clocks = <&soc_clocks MMP2_CLK_TWSI1>; + resets = <&soc_clocks MMP2_CLK_TWSI1>; ++ #address-cells = <1>; ++ #size-cells = <0>; + status = "disabled"; + }; + +-- +2.19.1 + diff --git a/queue-4.9/arm-mmp-fix-timer_init-calls.patch b/queue-4.9/arm-mmp-fix-timer_init-calls.patch new file mode 100644 index 00000000000..fba8f427637 --- /dev/null +++ b/queue-4.9/arm-mmp-fix-timer_init-calls.patch @@ -0,0 +1,112 @@ +From 422047616e6f15c3944834c9447c6c6f260db73e Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Dec 2018 21:43:01 +0100 +Subject: ARM: mmp: fix timer_init calls + +[ Upstream commit 12d3a30db4a3b3df5fbadf5974b9cf50544a9950 ] + +The change to passing the timer frequency as a function argument +was a good idea, but caused a build failure for one user that +was missed in the update: + +arch/arm/mach-mmp/time.c: In function 'mmp_dt_init_timer': +arch/arm/mach-mmp/time.c:242:2: error: implicit declaration of function 'timer_init'; did you mean 'hrtimer_init'? [-Werror=implicit-function-declaration] + +Change that as well to fix the build error, and rename the +function to put it into a proper namespace and make it clearer +what is actually going on. + +I saw that the high 6500000 HZ frequency was previously only +set with CONFIG_MMP2, but is now also used with MMP (pxa910), +so I'm changing that back here. Please make sure that the +frequencies are all correct now. + +Fixes: f36797ee4380 ("ARM: mmp/mmp2: dt: enable the clock") +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/common.h | 2 +- + arch/arm/mach-mmp/mmp2.c | 2 +- + arch/arm/mach-mmp/pxa168.c | 2 +- + arch/arm/mach-mmp/pxa910.c | 2 +- + arch/arm/mach-mmp/time.c | 4 ++-- + 5 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h +index 9ffc0e4a87bf..f0f5170cacf0 100644 +--- a/arch/arm/mach-mmp/common.h ++++ b/arch/arm/mach-mmp/common.h +@@ -1,7 +1,7 @@ + #include + #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x) + +-extern void timer_init(int irq, unsigned long rate); ++extern void mmp_timer_init(int irq, unsigned long rate); + + extern void __init mmp_map_io(void); + extern void mmp_restart(enum reboot_mode, const char *); +diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c +index fb3e7e32c882..726c1a642dea 100644 +--- a/arch/arm/mach-mmp/mmp2.c ++++ b/arch/arm/mach-mmp/mmp2.c +@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void) + clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1); + __raw_writel(clk_rst, APBC_TIMERS); + +- timer_init(IRQ_MMP2_TIMER1, 6500000); ++ mmp_timer_init(IRQ_MMP2_TIMER1, 6500000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c +index 77a358165a56..cdcf65ace3f9 100644 +--- a/arch/arm/mach-mmp/pxa168.c ++++ b/arch/arm/mach-mmp/pxa168.c +@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void) + /* 3.25MHz, bus/functional clock enabled, release reset */ + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA168_TIMER1, 6500000); ++ mmp_timer_init(IRQ_PXA168_TIMER1, 3250000); + } + + void pxa168_clear_keypad_wakeup(void) +diff --git a/arch/arm/mach-mmp/pxa910.c b/arch/arm/mach-mmp/pxa910.c +index 1ccbba9ac495..d30a7d12bc98 100644 +--- a/arch/arm/mach-mmp/pxa910.c ++++ b/arch/arm/mach-mmp/pxa910.c +@@ -116,7 +116,7 @@ void __init pxa910_timer_init(void) + __raw_writel(APBC_APBCLK | APBC_RST, APBC_TIMERS); + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA910_AP1_TIMER1); ++ mmp_timer_init(IRQ_PXA910_AP1_TIMER1, 3250000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index 5f849cb996c7..c03ca8ffb92f 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -184,7 +184,7 @@ static struct irqaction timer_irq = { + .dev_id = &ckevt, + }; + +-void __init timer_init(int irq, unsigned long rate) ++void __init mmp_timer_init(int irq, unsigned long rate) + { + timer_config(); + +@@ -239,7 +239,7 @@ void __init mmp_dt_init_timer(void) + ret = -ENOMEM; + goto out; + } +- timer_init(irq, rate); ++ mmp_timer_init(irq, rate); + return; + out: + pr_err("Failed to get timer from device tree with error:%d\n", ret); +-- +2.19.1 + diff --git a/queue-4.9/arm-mmp-mmp2-dt-enable-the-clock.patch b/queue-4.9/arm-mmp-mmp2-dt-enable-the-clock.patch new file mode 100644 index 00000000000..3add9682f2c --- /dev/null +++ b/queue-4.9/arm-mmp-mmp2-dt-enable-the-clock.patch @@ -0,0 +1,153 @@ +From 48332f50eff0c3102d2d16630934515e705358f7 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Wed, 28 Nov 2018 18:53:20 +0100 +Subject: ARM: mmp/mmp2: dt: enable the clock + +[ Upstream commit f36797ee43802b367e59f0f9a9805304a4ff0c98 ] + +The device-tree booted MMP2 needs to enable the timer clock, otherwise +it would stop ticking when the boot finishes. + +It can also use the clock rate from the clk, the non-DT boards need to +keep using the hardcoded rates. + +Signed-off-by: Lubomir Rintel +Acked-by: Pavel Machek +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/common.h | 2 +- + arch/arm/mach-mmp/mmp2.c | 2 +- + arch/arm/mach-mmp/pxa168.c | 2 +- + arch/arm/mach-mmp/time.c | 32 ++++++++++++++++++++------------ + 4 files changed, 23 insertions(+), 15 deletions(-) + +diff --git a/arch/arm/mach-mmp/common.h b/arch/arm/mach-mmp/common.h +index 7453a90c34bd..9ffc0e4a87bf 100644 +--- a/arch/arm/mach-mmp/common.h ++++ b/arch/arm/mach-mmp/common.h +@@ -1,7 +1,7 @@ + #include + #define ARRAY_AND_SIZE(x) (x), ARRAY_SIZE(x) + +-extern void timer_init(int irq); ++extern void timer_init(int irq, unsigned long rate); + + extern void __init mmp_map_io(void); + extern void mmp_restart(enum reboot_mode, const char *); +diff --git a/arch/arm/mach-mmp/mmp2.c b/arch/arm/mach-mmp/mmp2.c +index afba5460cdaf..fb3e7e32c882 100644 +--- a/arch/arm/mach-mmp/mmp2.c ++++ b/arch/arm/mach-mmp/mmp2.c +@@ -134,7 +134,7 @@ void __init mmp2_timer_init(void) + clk_rst = APBC_APBCLK | APBC_FNCLK | APBC_FNCLKSEL(1); + __raw_writel(clk_rst, APBC_TIMERS); + +- timer_init(IRQ_MMP2_TIMER1); ++ timer_init(IRQ_MMP2_TIMER1, 6500000); + } + + /* on-chip devices */ +diff --git a/arch/arm/mach-mmp/pxa168.c b/arch/arm/mach-mmp/pxa168.c +index 0f5f16fb8c66..77a358165a56 100644 +--- a/arch/arm/mach-mmp/pxa168.c ++++ b/arch/arm/mach-mmp/pxa168.c +@@ -79,7 +79,7 @@ void __init pxa168_timer_init(void) + /* 3.25MHz, bus/functional clock enabled, release reset */ + __raw_writel(TIMER_CLK_RST, APBC_TIMERS); + +- timer_init(IRQ_PXA168_TIMER1); ++ timer_init(IRQ_PXA168_TIMER1, 6500000); + } + + void pxa168_clear_keypad_wakeup(void) +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index 3c2c92aaa0ae..5f849cb996c7 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -38,12 +39,6 @@ + #include "cputype.h" + #include "clock.h" + +-#ifdef CONFIG_CPU_MMP2 +-#define MMP_CLOCK_FREQ 6500000 +-#else +-#define MMP_CLOCK_FREQ 3250000 +-#endif +- + #define TIMERS_VIRT_BASE TIMERS1_VIRT_BASE + + #define MAX_DELTA (0xfffffffe) +@@ -189,19 +184,18 @@ static struct irqaction timer_irq = { + .dev_id = &ckevt, + }; + +-void __init timer_init(int irq) ++void __init timer_init(int irq, unsigned long rate) + { + timer_config(); + +- sched_clock_register(mmp_read_sched_clock, 32, MMP_CLOCK_FREQ); ++ sched_clock_register(mmp_read_sched_clock, 32, rate); + + ckevt.cpumask = cpumask_of(0); + + setup_irq(irq, &timer_irq); + +- clocksource_register_hz(&cksrc, MMP_CLOCK_FREQ); +- clockevents_config_and_register(&ckevt, MMP_CLOCK_FREQ, +- MIN_DELTA, MAX_DELTA); ++ clocksource_register_hz(&cksrc, rate); ++ clockevents_config_and_register(&ckevt, rate, MIN_DELTA, MAX_DELTA); + } + + #ifdef CONFIG_OF +@@ -213,7 +207,9 @@ static const struct of_device_id mmp_timer_dt_ids[] = { + void __init mmp_dt_init_timer(void) + { + struct device_node *np; ++ struct clk *clk; + int irq, ret; ++ unsigned long rate; + + np = of_find_matching_node(NULL, mmp_timer_dt_ids); + if (!np) { +@@ -221,6 +217,18 @@ void __init mmp_dt_init_timer(void) + goto out; + } + ++ clk = of_clk_get(np, 0); ++ if (!IS_ERR(clk)) { ++ ret = clk_prepare_enable(clk); ++ if (ret) ++ goto out; ++ rate = clk_get_rate(clk) / 2; ++ } else if (cpu_is_pj4()) { ++ rate = 6500000; ++ } else { ++ rate = 3250000; ++ } ++ + irq = irq_of_parse_and_map(np, 0); + if (!irq) { + ret = -EINVAL; +@@ -231,7 +239,7 @@ void __init mmp_dt_init_timer(void) + ret = -ENOMEM; + goto out; + } +- timer_init(irq); ++ timer_init(irq, rate); + return; + out: + pr_err("Failed to get timer from device tree with error:%d\n", ret); +-- +2.19.1 + diff --git a/queue-4.9/arm-omap2-hwmod-fix-some-section-annotations.patch b/queue-4.9/arm-omap2-hwmod-fix-some-section-annotations.patch new file mode 100644 index 00000000000..d36bc0a39bd --- /dev/null +++ b/queue-4.9/arm-omap2-hwmod-fix-some-section-annotations.patch @@ -0,0 +1,76 @@ +From a6ecd7d955ceec4fa65b2c84b4ee98d2d1d35ab3 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:52:07 -0700 +Subject: ARM: OMAP2+: hwmod: Fix some section annotations + +[ Upstream commit c10b26abeb53cabc1e6271a167d3f3d396ce0218 ] + +When building the kernel with Clang, the following section mismatch +warnings appears: + +WARNING: vmlinux.o(.text+0x2d398): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_iclk_autoidle() +The function _setup() references +the function __init _setup_iclk_autoidle(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_iclk_autoidle is wrong. + +WARNING: vmlinux.o(.text+0x2d3a0): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_reset() +The function _setup() references +the function __init _setup_reset(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_reset is wrong. + +WARNING: vmlinux.o(.text+0x2d408): Section mismatch in reference from +the function _setup() to the function .init.text:_setup_postsetup() +The function _setup() references +the function __init _setup_postsetup(). +This is often because _setup lacks a __init +annotation or the annotation of _setup_postsetup is wrong. + +_setup is used in omap_hwmod_allocate_module, which isn't marked __init +and looks like it shouldn't be, meaning to fix these warnings, those +functions must be moved out of the init section, which this patch does. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/omap_hwmod.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c +index b5c1714ebfdd..bfc74954540c 100644 +--- a/arch/arm/mach-omap2/omap_hwmod.c ++++ b/arch/arm/mach-omap2/omap_hwmod.c +@@ -2551,7 +2551,7 @@ static int __init _init(struct omap_hwmod *oh, void *data) + * a stub; implementing this properly requires iclk autoidle usecounting in + * the clock code. No return value. + */ +-static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) ++static void _setup_iclk_autoidle(struct omap_hwmod *oh) + { + struct omap_hwmod_ocp_if *os; + struct list_head *p; +@@ -2586,7 +2586,7 @@ static void __init _setup_iclk_autoidle(struct omap_hwmod *oh) + * reset. Returns 0 upon success or a negative error code upon + * failure. + */ +-static int __init _setup_reset(struct omap_hwmod *oh) ++static int _setup_reset(struct omap_hwmod *oh) + { + int r; + +@@ -2647,7 +2647,7 @@ static int __init _setup_reset(struct omap_hwmod *oh) + * + * No return value. + */ +-static void __init _setup_postsetup(struct omap_hwmod *oh) ++static void _setup_postsetup(struct omap_hwmod *oh) + { + u8 postsetup_state; + +-- +2.19.1 + diff --git a/queue-4.9/arm-pxa-avoid-section-mismatch-warning.patch b/queue-4.9/arm-pxa-avoid-section-mismatch-warning.patch new file mode 100644 index 00000000000..bcb2ea65191 --- /dev/null +++ b/queue-4.9/arm-pxa-avoid-section-mismatch-warning.patch @@ -0,0 +1,76 @@ +From e4e16f3812bda4d0ea903f052fb297e4b3a44daf Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 10 Dec 2018 22:58:39 +0100 +Subject: ARM: pxa: avoid section mismatch warning + +[ Upstream commit 88af3209aa0881aa5ffd99664b6080a4be5f24e5 ] + +WARNING: vmlinux.o(.text+0x19f90): Section mismatch in reference from the function littleton_init_lcd() to the function .init.text:pxa_set_fb_info() +The function littleton_init_lcd() references +the function __init pxa_set_fb_info(). +This is often because littleton_init_lcd lacks a __init +annotation or the annotation of pxa_set_fb_info is wrong. + +WARNING: vmlinux.o(.text+0xf824): Section mismatch in reference from the function zeus_register_ohci() to the function .init.text:pxa_set_ohci_info() +The function zeus_register_ohci() references +the function __init pxa_set_ohci_info(). +This is often because zeus_register_ohci lacks a __init +annotation or the annotation of pxa_set_ohci_info is wrong. + +WARNING: vmlinux.o(.text+0xf95c): Section mismatch in reference from the function cm_x300_init_u2d() to the function .init.text:pxa3xx_set_u2d_info() +The function cm_x300_init_u2d() references +the function __init pxa3xx_set_u2d_info(). +This is often because cm_x300_init_u2d lacks a __init +annotation or the annotation of pxa3xx_set_u2d_info is wrong. + +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-pxa/cm-x300.c | 2 +- + arch/arm/mach-pxa/littleton.c | 2 +- + arch/arm/mach-pxa/zeus.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c +index 868448d2cd82..38ab30869821 100644 +--- a/arch/arm/mach-pxa/cm-x300.c ++++ b/arch/arm/mach-pxa/cm-x300.c +@@ -547,7 +547,7 @@ static struct pxa3xx_u2d_platform_data cm_x300_u2d_platform_data = { + .exit = cm_x300_u2d_exit, + }; + +-static void cm_x300_init_u2d(void) ++static void __init cm_x300_init_u2d(void) + { + pxa3xx_set_u2d_info(&cm_x300_u2d_platform_data); + } +diff --git a/arch/arm/mach-pxa/littleton.c b/arch/arm/mach-pxa/littleton.c +index 051c554776a6..ebdef6661f5f 100644 +--- a/arch/arm/mach-pxa/littleton.c ++++ b/arch/arm/mach-pxa/littleton.c +@@ -183,7 +183,7 @@ static struct pxafb_mach_info littleton_lcd_info = { + .lcd_conn = LCD_COLOR_TFT_16BPP, + }; + +-static void littleton_init_lcd(void) ++static void __init littleton_init_lcd(void) + { + pxa_set_fb_info(NULL, &littleton_lcd_info); + } +diff --git a/arch/arm/mach-pxa/zeus.c b/arch/arm/mach-pxa/zeus.c +index 3b94ecfb9426..3fcd5854bf5b 100644 +--- a/arch/arm/mach-pxa/zeus.c ++++ b/arch/arm/mach-pxa/zeus.c +@@ -557,7 +557,7 @@ static struct pxaohci_platform_data zeus_ohci_platform_data = { + .flags = ENABLE_PORT_ALL | POWER_SENSE_LOW, + }; + +-static void zeus_register_ohci(void) ++static void __init zeus_register_ohci(void) + { + /* Port 2 is shared between host and client interface. */ + UP2OCR = UP2OCR_HXOE | UP2OCR_HXS | UP2OCR_DMPDE | UP2OCR_DPPDE; +-- +2.19.1 + diff --git a/queue-4.9/arm64-ftrace-don-t-adjust-the-lr-value.patch b/queue-4.9/arm64-ftrace-don-t-adjust-the-lr-value.patch new file mode 100644 index 00000000000..efdce173707 --- /dev/null +++ b/queue-4.9/arm64-ftrace-don-t-adjust-the-lr-value.patch @@ -0,0 +1,53 @@ +From 34c59e86dd9686e295cafd25c357a6dd189042a9 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 15 Nov 2018 22:42:01 +0000 +Subject: arm64: ftrace: don't adjust the LR value + +[ Upstream commit 6e803e2e6e367db9a0d6ecae1bd24bb5752011bd ] + +The core ftrace code requires that when it is handed the PC of an +instrumented function, this PC is the address of the instrumented +instruction. This is necessary so that the core ftrace code can identify +the specific instrumentation site. Since the instrumented function will +be a BL, the address of the instrumented function is LR - 4 at entry to +the ftrace code. + +This fixup is applied in the mcount_get_pc and mcount_get_pc0 helpers, +which acquire the PC of the instrumented function. + +The mcount_get_lr helper is used to acquire the LR of the instrumented +function, whose value does not require this adjustment, and cannot be +adjusted to anything meaningful. No adjustment of this value is made on +other architectures, including arm. However, arm64 adjusts this value by +4. + +This patch brings arm64 in line with other architectures and removes the +adjustment of the LR value. + +Signed-off-by: Mark Rutland +Cc: AKASHI Takahiro +Cc: Ard Biesheuvel +Cc: Catalin Marinas +Cc: Torsten Duwe +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + arch/arm64/kernel/entry-ftrace.S | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/arch/arm64/kernel/entry-ftrace.S b/arch/arm64/kernel/entry-ftrace.S +index aef02d2af3b5..7a87d32e98f4 100644 +--- a/arch/arm64/kernel/entry-ftrace.S ++++ b/arch/arm64/kernel/entry-ftrace.S +@@ -78,7 +78,6 @@ + .macro mcount_get_lr reg + ldr \reg, [x29] + ldr \reg, [\reg, #8] +- mcount_adjust_addr \reg, \reg + .endm + + .macro mcount_get_lr_addr reg +-- +2.19.1 + diff --git a/queue-4.9/arm64-kvm-skip-mmio-insn-after-emulation.patch b/queue-4.9/arm64-kvm-skip-mmio-insn-after-emulation.patch new file mode 100644 index 00000000000..247e467d3cf --- /dev/null +++ b/queue-4.9/arm64-kvm-skip-mmio-insn-after-emulation.patch @@ -0,0 +1,63 @@ +From 81170e43bcc199093d5cc7edbf705df3b1ca27eb Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Fri, 9 Nov 2018 15:07:10 +0000 +Subject: arm64: KVM: Skip MMIO insn after emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 0d640732dbebed0f10f18526de21652931f0b2f2 ] + +When we emulate an MMIO instruction, we advance the CPU state within +decode_hsr(), before emulating the instruction effects. + +Having this logic in decode_hsr() is opaque, and advancing the state +before emulation is problematic. It gets in the way of applying +consistent single-step logic, and it prevents us from being able to fail +an MMIO instruction with a synchronous exception. + +Clean this up by only advancing the CPU state *after* the effects of the +instruction are emulated. + +Cc: Peter Maydell +Reviewed-by: Alex Bennée +Reviewed-by: Christoffer Dall +Signed-off-by: Mark Rutland +Signed-off-by: Marc Zyngier +Signed-off-by: Sasha Levin +--- + arch/arm/kvm/mmio.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/kvm/mmio.c b/arch/arm/kvm/mmio.c +index dac7ceb1a677..08443a15e6be 100644 +--- a/arch/arm/kvm/mmio.c ++++ b/arch/arm/kvm/mmio.c +@@ -117,6 +117,12 @@ int kvm_handle_mmio_return(struct kvm_vcpu *vcpu, struct kvm_run *run) + vcpu_set_reg(vcpu, vcpu->arch.mmio_decode.rt, data); + } + ++ /* ++ * The MMIO instruction is emulated and should not be re-executed ++ * in the guest. ++ */ ++ kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); ++ + return 0; + } + +@@ -144,11 +150,6 @@ static int decode_hsr(struct kvm_vcpu *vcpu, bool *is_write, int *len) + vcpu->arch.mmio_decode.sign_extend = sign_extend; + vcpu->arch.mmio_decode.rt = rt; + +- /* +- * The MMIO instruction is emulated and should not be re-executed +- * in the guest. +- */ +- kvm_skip_instr(vcpu, kvm_vcpu_trap_il_is32bit(vcpu)); + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch b/queue-4.9/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch new file mode 100644 index 00000000000..00a76ea1a4e --- /dev/null +++ b/queue-4.9/asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch @@ -0,0 +1,45 @@ +From 21ebb4f74449b8d8d4c4ad86f8928ba4b49f682c Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 13 Dec 2018 00:08:38 -0200 +Subject: ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M + +[ Upstream commit add6883619a9e3bf9658eaff1a547354131bbcd9 ] + +eukrea-tlv320.c machine driver runs on non-DT platforms +and include header file in order to be able +to use some machine_is_eukrea_xxx() macros. + +Building it for ARM64 causes the following build error: + +sound/soc/fsl/eukrea-tlv320.c:28:10: fatal error: asm/mach-types.h: No such file or directory + +Avoid this error by not allowing to build the SND_SOC_EUKREA_TLV320 +driver when ARM64 is selected. + +This is needed in preparation for the i.MX8M support. + +Reported-by: kbuild test robot +Signed-off-by: Fabio Estevam +Acked-by: Shawn Guo +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/fsl/Kconfig b/sound/soc/fsl/Kconfig +index 19bdcac71775..a732b3a065c9 100644 +--- a/sound/soc/fsl/Kconfig ++++ b/sound/soc/fsl/Kconfig +@@ -220,7 +220,7 @@ config SND_SOC_PHYCORE_AC97 + + config SND_SOC_EUKREA_TLV320 + tristate "Eukrea TLV320" +- depends on ARCH_MXC && I2C ++ depends on ARCH_MXC && !ARM64 && I2C + select SND_SOC_TLV320AIC23_I2C + select SND_SOC_IMX_AUDMUX + select SND_SOC_IMX_SSI +-- +2.19.1 + diff --git a/queue-4.9/asoc-intel-mrfld-fix-uninitialized-variable-access.patch b/queue-4.9/asoc-intel-mrfld-fix-uninitialized-variable-access.patch new file mode 100644 index 00000000000..553e11d5199 --- /dev/null +++ b/queue-4.9/asoc-intel-mrfld-fix-uninitialized-variable-access.patch @@ -0,0 +1,54 @@ +From bbea2a71aaca0e4d2ae1c06c33a1eec1c17e4810 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Sat, 3 Nov 2018 22:21:22 +0100 +Subject: ASoC: Intel: mrfld: fix uninitialized variable access + +[ Upstream commit 1539c7f23f256120f89f8b9ec53160790bce9ed2 ] + +Randconfig testing revealed a very old bug, with gcc-8: + +sound/soc/intel/atom/sst/sst_loader.c: In function 'sst_load_fw': +sound/soc/intel/atom/sst/sst_loader.c:357:5: error: 'fw' may be used uninitialized in this function [-Werror=maybe-uninitialized] + if (fw == NULL) { + ^ +sound/soc/intel/atom/sst/sst_loader.c:354:25: note: 'fw' was declared here + const struct firmware *fw; + +We must check the return code of request_firmware() before we look at the +pointer result that may be uninitialized when the function fails. + +Fixes: 9012c9544eea ("ASoC: Intel: mrfld - Add DSP load and management") +Signed-off-by: Arnd Bergmann +Acked-by: Pierre-Louis Bossart +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/atom/sst/sst_loader.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/intel/atom/sst/sst_loader.c b/sound/soc/intel/atom/sst/sst_loader.c +index 33917146d9c4..054b1d514e8a 100644 +--- a/sound/soc/intel/atom/sst/sst_loader.c ++++ b/sound/soc/intel/atom/sst/sst_loader.c +@@ -354,14 +354,14 @@ static int sst_request_fw(struct intel_sst_drv *sst) + const struct firmware *fw; + + retval = request_firmware(&fw, sst->firmware_name, sst->dev); +- if (fw == NULL) { +- dev_err(sst->dev, "fw is returning as null\n"); +- return -EINVAL; +- } + if (retval) { + dev_err(sst->dev, "request fw failed %d\n", retval); + return retval; + } ++ if (fw == NULL) { ++ dev_err(sst->dev, "fw is returning as null\n"); ++ return -EINVAL; ++ } + mutex_lock(&sst->sst_lock); + retval = sst_cache_and_parse_fw(sst, fw); + mutex_unlock(&sst->sst_lock); +-- +2.19.1 + diff --git a/queue-4.9/ath9k-dynack-use-authentication-messages-for-late-ac.patch b/queue-4.9/ath9k-dynack-use-authentication-messages-for-late-ac.patch new file mode 100644 index 00000000000..fb2d0db7bec --- /dev/null +++ b/queue-4.9/ath9k-dynack-use-authentication-messages-for-late-ac.patch @@ -0,0 +1,39 @@ +From 2a5884c2a66c0d7d0a329fd890b4a66648d5ef57 Mon Sep 17 00:00:00 2001 +From: Lorenzo Bianconi +Date: Fri, 2 Nov 2018 21:49:55 +0100 +Subject: ath9k: dynack: use authentication messages for 'late' ack + +[ Upstream commit 3831a2a0010c72e3956020cbf1057a1701a2e469 ] + +In order to properly support dynack in ad-hoc mode running +wpa_supplicant, take into account authentication frames for +'late ack' detection. This patch has been tested on devices +mounted on offshore high-voltage stations connected through +~24Km link + +Reported-by: Koen Vandeputte +Tested-by: Koen Vandeputte +Signed-off-by: Lorenzo Bianconi +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/dynack.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/dynack.c b/drivers/net/wireless/ath/ath9k/dynack.c +index 7334c9b09e82..cc0dc966c512 100644 +--- a/drivers/net/wireless/ath/ath9k/dynack.c ++++ b/drivers/net/wireless/ath/ath9k/dynack.c +@@ -187,7 +187,8 @@ void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb, + /* late ACK */ + if (ts->ts_status & ATH9K_TXERR_XRETRY) { + if (ieee80211_is_assoc_req(hdr->frame_control) || +- ieee80211_is_assoc_resp(hdr->frame_control)) { ++ ieee80211_is_assoc_resp(hdr->frame_control) || ++ ieee80211_is_auth(hdr->frame_control)) { + ath_dbg(common, DYNACK, "late ack\n"); + ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2); + ath9k_hw_set_ack_timeout(ah, LATEACK_TO); +-- +2.19.1 + diff --git a/queue-4.9/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch b/queue-4.9/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch new file mode 100644 index 00000000000..654939cf09a --- /dev/null +++ b/queue-4.9/block-swim3-fix-ebusy-error-when-re-opening-device-a.patch @@ -0,0 +1,42 @@ +From 92432dbb873e2e7783f730a930a2f3505cf8b5df Mon Sep 17 00:00:00 2001 +From: Finn Thain +Date: Mon, 31 Dec 2018 16:44:09 +1100 +Subject: block/swim3: Fix -EBUSY error when re-opening device after unmount + +[ Upstream commit 296dcc40f2f2e402facf7cd26cf3f2c8f4b17d47 ] + +When the block device is opened with FMODE_EXCL, ref_count is set to -1. +This value doesn't get reset when the device is closed which means the +device cannot be opened again. Fix this by checking for refcount <= 0 +in the release method. + +Reported-and-tested-by: Stan Johnson +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Finn Thain +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/swim3.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/swim3.c b/drivers/block/swim3.c +index c264f2d284a7..2e0a9e2531cb 100644 +--- a/drivers/block/swim3.c ++++ b/drivers/block/swim3.c +@@ -1027,7 +1027,11 @@ static void floppy_release(struct gendisk *disk, fmode_t mode) + struct swim3 __iomem *sw = fs->swim3; + + mutex_lock(&swim3_mutex); +- if (fs->ref_count > 0 && --fs->ref_count == 0) { ++ if (fs->ref_count > 0) ++ --fs->ref_count; ++ else if (fs->ref_count == -1) ++ fs->ref_count = 0; ++ if (fs->ref_count == 0) { + swim3_action(fs, MOTOR_OFF); + out_8(&sw->control_bic, 0xff); + swim3_select(fs, RELAX); +-- +2.19.1 + diff --git a/queue-4.9/bluetooth-fix-unnecessary-error-message-for-hci-requ.patch b/queue-4.9/bluetooth-fix-unnecessary-error-message-for-hci-requ.patch new file mode 100644 index 00000000000..67f35a1cc98 --- /dev/null +++ b/queue-4.9/bluetooth-fix-unnecessary-error-message-for-hci-requ.patch @@ -0,0 +1,43 @@ +From 43688466b349d3e1c40ade54ab4f7ce0c6c884a2 Mon Sep 17 00:00:00 2001 +From: Johan Hedberg +Date: Tue, 27 Nov 2018 11:37:46 +0200 +Subject: Bluetooth: Fix unnecessary error message for HCI request completion + +[ Upstream commit 1629db9c75342325868243d6bca5853017d91cf8 ] + +In case a command which completes in Command Status was sent using the +hci_cmd_send-family of APIs there would be a misleading error in the +hci_get_cmd_complete function, since the code would be trying to fetch +the Command Complete parameters when there are none. + +Avoid the misleading error and silently bail out from the function in +case the received event is a command status. + +Signed-off-by: Johan Hedberg +Acked-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index d2f9eb169ba8..6f78489fdb13 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5212,6 +5212,12 @@ static bool hci_get_cmd_complete(struct hci_dev *hdev, u16 opcode, + return true; + } + ++ /* Check if request ended in Command Status - no way to retreive ++ * any extra parameters in this case. ++ */ ++ if (hdr->evt == HCI_EV_CMD_STATUS) ++ return false; ++ + if (hdr->evt != HCI_EV_CMD_COMPLETE) { + BT_DBG("Last event is not cmd complete (0x%2.2x)", hdr->evt); + return false; +-- +2.19.1 + diff --git a/queue-4.9/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch b/queue-4.9/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch new file mode 100644 index 00000000000..2e99c839f82 --- /dev/null +++ b/queue-4.9/cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch @@ -0,0 +1,48 @@ +From ba5f16f3f3d5db7b77bfbfb854e69820e1711edb Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Thu, 13 Dec 2018 08:06:16 +1000 +Subject: cifs: check ntwrk_buf_start for NULL before dereferencing it + +[ Upstream commit 59a63e479ce36a3f24444c3a36efe82b78e4a8e0 ] + +RHBZ: 1021460 + +There is an issue where when multiple threads open/close the same directory +ntwrk_buf_start might end up being NULL, causing the call to smbCalcSize +later to oops with a NULL deref. + +The real bug is why this happens and why this can become NULL for an +open cfile, which should not be allowed. +This patch tries to avoid a oops until the time when we fix the underlying +issue. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/readdir.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/readdir.c b/fs/cifs/readdir.c +index ef24b4527459..68183872bf8b 100644 +--- a/fs/cifs/readdir.c ++++ b/fs/cifs/readdir.c +@@ -655,7 +655,14 @@ find_cifs_entry(const unsigned int xid, struct cifs_tcon *tcon, loff_t pos, + /* scan and find it */ + int i; + char *cur_ent; +- char *end_of_smb = cfile->srch_inf.ntwrk_buf_start + ++ char *end_of_smb; ++ ++ if (cfile->srch_inf.ntwrk_buf_start == NULL) { ++ cifs_dbg(VFS, "ntwrk_buf_start is NULL during readdir\n"); ++ return -EIO; ++ } ++ ++ end_of_smb = cfile->srch_inf.ntwrk_buf_start + + server->ops->calc_smb_size( + cfile->srch_inf.ntwrk_buf_start); + +-- +2.19.1 + diff --git a/queue-4.9/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch b/queue-4.9/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch new file mode 100644 index 00000000000..9ffda682592 --- /dev/null +++ b/queue-4.9/clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch @@ -0,0 +1,46 @@ +From 3ac8bb1a9adb8fa6e56c97972bb99ca2fae244f3 Mon Sep 17 00:00:00 2001 +From: Anson Huang +Date: Fri, 30 Nov 2018 07:23:47 +0000 +Subject: clk: imx6sl: ensure MMDC CH0 handshake is bypassed + +[ Upstream commit 0efcc2c0fd2001a83240a8c3d71f67770484917e ] + +Same as other i.MX6 SoCs, ensure unused MMDC channel's +handshake is bypassed, this is to make sure no request +signal will be generated when periphe_clk_sel is changed +or SRC warm reset is triggered. + +Signed-off-by: Anson Huang +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/imx/clk-imx6sl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/imx/clk-imx6sl.c b/drivers/clk/imx/clk-imx6sl.c +index 5fd4ddac1bf1..f3d9dc2d2405 100644 +--- a/drivers/clk/imx/clk-imx6sl.c ++++ b/drivers/clk/imx/clk-imx6sl.c +@@ -17,6 +17,8 @@ + + #include "clk.h" + ++#define CCDR 0x4 ++#define BM_CCM_CCDR_MMDC_CH0_MASK (1 << 17) + #define CCSR 0xc + #define BM_CCSR_PLL1_SW_CLK_SEL (1 << 2) + #define CACRR 0x10 +@@ -414,6 +416,10 @@ static void __init imx6sl_clocks_init(struct device_node *ccm_node) + clks[IMX6SL_CLK_USDHC3] = imx_clk_gate2("usdhc3", "usdhc3_podf", base + 0x80, 6); + clks[IMX6SL_CLK_USDHC4] = imx_clk_gate2("usdhc4", "usdhc4_podf", base + 0x80, 8); + ++ /* Ensure the MMDC CH0 handshake is bypassed */ ++ writel_relaxed(readl_relaxed(base + CCDR) | ++ BM_CCM_CCDR_MMDC_CH0_MASK, base + CCDR); ++ + imx_check_clocks(clks, ARRAY_SIZE(clks)); + + clk_data.clks = clks; +-- +2.19.1 + diff --git a/queue-4.9/clk-sunxi-ng-a33-set-clk_set_rate_parent-for-all-aud.patch b/queue-4.9/clk-sunxi-ng-a33-set-clk_set_rate_parent-for-all-aud.patch new file mode 100644 index 00000000000..b5d9c7c7b97 --- /dev/null +++ b/queue-4.9/clk-sunxi-ng-a33-set-clk_set_rate_parent-for-all-aud.patch @@ -0,0 +1,54 @@ +From 1257fb6b55a41552cb6a6812ff4c62d0dce5bdb8 Mon Sep 17 00:00:00 2001 +From: Chen-Yu Tsai +Date: Wed, 5 Dec 2018 18:11:51 +0800 +Subject: clk: sunxi-ng: a33: Set CLK_SET_RATE_PARENT for all audio module + clocks + +[ Upstream commit 6e6da2039c82271dd873b9ad2b902a692a7dd554 ] + +All the audio interfaces on Allwinner SoCs need to change their module +clocks during operation, to switch between support for 44.1 kHz and 48 +kHz family sample rates. The clock rate for the module clocks is +governed by their upstream audio PLL. The module clocks themselves only +have a gate, and sometimes a divider or mux. Thus any rate changes need +to be propagated upstream. + +Set the CLK_SET_RATE_PARENT flag for all audio module clocks to achieve +this. + +Signed-off-by: Chen-Yu Tsai +Signed-off-by: Maxime Ripard +Signed-off-by: Sasha Levin +--- + drivers/clk/sunxi-ng/ccu-sun8i-a33.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c +index e1dc4e5b34e1..82add4670c53 100644 +--- a/drivers/clk/sunxi-ng/ccu-sun8i-a33.c ++++ b/drivers/clk/sunxi-ng/ccu-sun8i-a33.c +@@ -362,10 +362,10 @@ static SUNXI_CCU_MP_WITH_MUX_GATE(spi1_clk, "spi1", mod0_default_parents, 0x0a4, + static const char * const i2s_parents[] = { "pll-audio-8x", "pll-audio-4x", + "pll-audio-2x", "pll-audio" }; + static SUNXI_CCU_MUX_WITH_GATE(i2s0_clk, "i2s0", i2s_parents, +- 0x0b0, 16, 2, BIT(31), 0); ++ 0x0b0, 16, 2, BIT(31), CLK_SET_RATE_PARENT); + + static SUNXI_CCU_MUX_WITH_GATE(i2s1_clk, "i2s1", i2s_parents, +- 0x0b4, 16, 2, BIT(31), 0); ++ 0x0b4, 16, 2, BIT(31), CLK_SET_RATE_PARENT); + + /* TODO: the parent for most of the USB clocks is not known */ + static SUNXI_CCU_GATE(usb_phy0_clk, "usb-phy0", "osc24M", +@@ -442,7 +442,7 @@ static SUNXI_CCU_M_WITH_GATE(ve_clk, "ve", "pll-ve", + static SUNXI_CCU_GATE(ac_dig_clk, "ac-dig", "pll-audio", + 0x140, BIT(31), 0); + static SUNXI_CCU_GATE(ac_dig_4x_clk, "ac-dig-4x", "pll-audio-4x", +- 0x140, BIT(30), 0); ++ 0x140, BIT(30), CLK_SET_RATE_PARENT); + static SUNXI_CCU_GATE(avs_clk, "avs", "osc24M", + 0x144, BIT(31), 0); + +-- +2.19.1 + diff --git a/queue-4.9/cpuidle-big.little-fix-refcount-leak.patch b/queue-4.9/cpuidle-big.little-fix-refcount-leak.patch new file mode 100644 index 00000000000..de43d411f29 --- /dev/null +++ b/queue-4.9/cpuidle-big.little-fix-refcount-leak.patch @@ -0,0 +1,47 @@ +From a1f3072ec74861a708e22cda4805fbd8bda6ae0a Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Mon, 10 Dec 2018 11:26:41 -0500 +Subject: cpuidle: big.LITTLE: fix refcount leak + +[ Upstream commit 9456823c842f346c74265fcd98d008d87a7eb6f5 ] + +of_find_node_by_path() acquires a reference to the node +returned by it and that reference needs to be dropped by its caller. +bl_idle_init() doesn't do that, so fix it. + +Signed-off-by: Yangtao Li +Acked-by: Daniel Lezcano +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/cpuidle-big_little.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/cpuidle-big_little.c b/drivers/cpuidle/cpuidle-big_little.c +index db2ede565f1a..b44476a1b7ad 100644 +--- a/drivers/cpuidle/cpuidle-big_little.c ++++ b/drivers/cpuidle/cpuidle-big_little.c +@@ -167,6 +167,7 @@ static int __init bl_idle_init(void) + { + int ret; + struct device_node *root = of_find_node_by_path("/"); ++ const struct of_device_id *match_id; + + if (!root) + return -ENODEV; +@@ -174,7 +175,11 @@ static int __init bl_idle_init(void) + /* + * Initialize the driver just for a compliant set of machines + */ +- if (!of_match_node(compatible_machine_match, root)) ++ match_id = of_match_node(compatible_machine_match, root); ++ ++ of_node_put(root); ++ ++ if (!match_id) + return -ENODEV; + + if (!mcpm_is_available()) +-- +2.19.1 + diff --git a/queue-4.9/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch b/queue-4.9/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch new file mode 100644 index 00000000000..bc848e67b85 --- /dev/null +++ b/queue-4.9/crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch @@ -0,0 +1,62 @@ +From 36015c3c70e91bdf10d44daacfdc6945c413e202 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 10 Dec 2018 16:49:29 -0700 +Subject: crypto: ux500 - Use proper enum in cryp_set_dma_transfer + +[ Upstream commit 9d880c5945c748d8edcac30965f3349a602158c4 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/cryp/cryp_core.c:559:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK); + ^~~~~~~~~ +drivers/crypto/ux500/cryp/cryp_core.c:583:5: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, + ^~~~~~~~~ +2 warnings generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +Because we know the value of the dma_data_direction enum from the +switch statement, we can just use the proper value from +dma_transfer_direction so there is no more conversion. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 +DMA_FROM_DEVICE = DMA_DEV_TO_MEM = 2 + +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/cryp/cryp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/ux500/cryp/cryp_core.c b/drivers/crypto/ux500/cryp/cryp_core.c +index 790f7cadc1ed..efebc484e371 100644 +--- a/drivers/crypto/ux500/cryp/cryp_core.c ++++ b/drivers/crypto/ux500/cryp/cryp_core.c +@@ -555,7 +555,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_src, + ctx->device->dma.sg_src_len, +- direction, DMA_CTRL_ACK); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK); + break; + + case DMA_FROM_DEVICE: +@@ -579,7 +579,7 @@ static int cryp_set_dma_transfer(struct cryp_ctx *ctx, + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg_dst, + ctx->device->dma.sg_dst_len, +- direction, ++ DMA_DEV_TO_MEM, + DMA_CTRL_ACK | + DMA_PREP_INTERRUPT); + +-- +2.19.1 + diff --git a/queue-4.9/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch b/queue-4.9/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch new file mode 100644 index 00000000000..b5b81a77915 --- /dev/null +++ b/queue-4.9/crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch @@ -0,0 +1,47 @@ +From 096d7b9a3432e5bccc43bfb330f134ef25ad6c79 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Mon, 10 Dec 2018 16:49:54 -0700 +Subject: crypto: ux500 - Use proper enum in hash_set_dma_transfer + +[ Upstream commit 5ac93f808338f4dd465402e91869702eb87db241 ] + +Clang warns when one enumerated type is implicitly converted to another: + +drivers/crypto/ux500/hash/hash_core.c:169:4: warning: implicit +conversion from enumeration type 'enum dma_data_direction' to different +enumeration type 'enum dma_transfer_direction' [-Wenum-conversion] + direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + ^~~~~~~~~ +1 warning generated. + +dmaengine_prep_slave_sg expects an enum from dma_transfer_direction. +We know that the only direction supported by this function is +DMA_TO_DEVICE because of the check at the top of this function so we can +just use the equivalent value from dma_transfer_direction. + +DMA_TO_DEVICE = DMA_MEM_TO_DEV = 1 + +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/hash/hash_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index 9acccad26928..17c8e2b28c42 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -165,7 +165,7 @@ static int hash_set_dma_transfer(struct hash_ctx *ctx, struct scatterlist *sg, + __func__); + desc = dmaengine_prep_slave_sg(channel, + ctx->device->dma.sg, ctx->device->dma.sg_len, +- direction, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); ++ DMA_MEM_TO_DEV, DMA_CTRL_ACK | DMA_PREP_INTERRUPT); + if (!desc) { + dev_err(ctx->device->dev, + "%s: dmaengine_prep_slave_sg() failed!\n", __func__); +-- +2.19.1 + diff --git a/queue-4.9/cw1200-fix-concurrency-use-after-free-bugs-in-cw1200.patch b/queue-4.9/cw1200-fix-concurrency-use-after-free-bugs-in-cw1200.patch new file mode 100644 index 00000000000..6be3f37d902 --- /dev/null +++ b/queue-4.9/cw1200-fix-concurrency-use-after-free-bugs-in-cw1200.patch @@ -0,0 +1,81 @@ +From fa32130dba65210d3675dc2b7ef5c2045636e3de Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Fri, 14 Dec 2018 11:55:21 +0800 +Subject: cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() + +[ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ] + +The function cw1200_bss_info_changed() and cw1200_hw_scan() can be +concurrently executed. +The two functions both access a possible shared variable "frame.skb". + +This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(), +which is called by cw1200_bss_info_changed(). The free operation is +protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed(). + +In cw1200_hw_scan(), this shared variable is accessed without the +protection of the mutex lock "priv->conf_mutex". +Thus, concurrency use-after-free bugs may occur. + +To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and +mutex_unlock(&priv->conf_mutex) are moved to the places, which can +protect the accesses to the shared variable. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/st/cw1200/scan.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/wireless/st/cw1200/scan.c b/drivers/net/wireless/st/cw1200/scan.c +index 0a0ff7e31f5b..c5492d792f43 100644 +--- a/drivers/net/wireless/st/cw1200/scan.c ++++ b/drivers/net/wireless/st/cw1200/scan.c +@@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS) + return -EINVAL; + ++ /* will be unlocked in cw1200_scan_work() */ ++ down(&priv->scan.lock); ++ mutex_lock(&priv->conf_mutex); ++ + frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0, + req->ie_len); + if (!frame.skb) +@@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + if (req->ie_len) + memcpy(skb_put(frame.skb, req->ie_len), req->ie, req->ie_len); + +- /* will be unlocked in cw1200_scan_work() */ +- down(&priv->scan.lock); +- mutex_lock(&priv->conf_mutex); +- + ret = wsm_set_template_frame(priv, &frame); + if (!ret) { + /* Host want to be the probe responder. */ + ret = wsm_set_probe_responder(priv, true); + } + if (ret) { ++ dev_kfree_skb(frame.skb); + mutex_unlock(&priv->conf_mutex); + up(&priv->scan.lock); +- dev_kfree_skb(frame.skb); + return ret; + } + +@@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, + ++priv->scan.n_ssids; + } + +- mutex_unlock(&priv->conf_mutex); +- + if (frame.skb) + dev_kfree_skb(frame.skb); ++ mutex_unlock(&priv->conf_mutex); + queue_work(priv->workqueue, &priv->scan.work); + return 0; + } +-- +2.19.1 + diff --git a/queue-4.9/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch b/queue-4.9/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch new file mode 100644 index 00000000000..40310da26df --- /dev/null +++ b/queue-4.9/dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch @@ -0,0 +1,60 @@ +From 50e5da2c050b0b6d14a1536e6d838fe78ff1e49c Mon Sep 17 00:00:00 2001 +From: Bob Peterson +Date: Thu, 8 Nov 2018 14:04:50 -0500 +Subject: dlm: Don't swamp the CPU with callbacks queued during recovery + +[ Upstream commit 216f0efd19b9cc32207934fd1b87a45f2c4c593e ] + +Before this patch, recovery would cause all callbacks to be delayed, +put on a queue, and afterward they were all queued to the callback +work queue. This patch does the same thing, but occasionally takes +a break after 25 of them so it won't swamp the CPU at the expense +of other RT processes like corosync. + +Signed-off-by: Bob Peterson +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/ast.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/fs/dlm/ast.c b/fs/dlm/ast.c +index dcea1e37a1b7..f18619bc2e09 100644 +--- a/fs/dlm/ast.c ++++ b/fs/dlm/ast.c +@@ -290,6 +290,8 @@ void dlm_callback_suspend(struct dlm_ls *ls) + flush_workqueue(ls->ls_callback_wq); + } + ++#define MAX_CB_QUEUE 25 ++ + void dlm_callback_resume(struct dlm_ls *ls) + { + struct dlm_lkb *lkb, *safe; +@@ -300,15 +302,23 @@ void dlm_callback_resume(struct dlm_ls *ls) + if (!ls->ls_callback_wq) + return; + ++more: + mutex_lock(&ls->ls_cb_mutex); + list_for_each_entry_safe(lkb, safe, &ls->ls_cb_delay, lkb_cb_list) { + list_del_init(&lkb->lkb_cb_list); + queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work); + count++; ++ if (count == MAX_CB_QUEUE) ++ break; + } + mutex_unlock(&ls->ls_cb_mutex); + + if (count) + log_rinfo(ls, "dlm_callback_resume %d", count); ++ if (count == MAX_CB_QUEUE) { ++ count = 0; ++ cond_resched(); ++ goto more; ++ } + } + +-- +2.19.1 + diff --git a/queue-4.9/dmaengine-xilinx_dma-remove-__aligned-attribute-on-z.patch b/queue-4.9/dmaengine-xilinx_dma-remove-__aligned-attribute-on-z.patch new file mode 100644 index 00000000000..ee16ea1bf1f --- /dev/null +++ b/queue-4.9/dmaengine-xilinx_dma-remove-__aligned-attribute-on-z.patch @@ -0,0 +1,51 @@ +From e7ffa726aeb0b6927d40025eb6d212bce74314b9 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 25 Oct 2018 11:05:25 -0700 +Subject: dmaengine: xilinx_dma: Remove __aligned attribute on + zynqmp_dma_desc_ll + +[ Upstream commit aeaebcc17cdf37065d2693865eeb1ff1c7dc5bf3 ] + +Clang warns: + +drivers/dma/xilinx/zynqmp_dma.c:166:4: warning: attribute 'aligned' is +ignored, place it after "struct" to apply attribute to type declaration +[-Wignored-attributes] +}; __aligned(64) + ^ +./include/linux/compiler_types.h:200:38: note: expanded from macro +'__aligned' + ^ +1 warning generated. + +As Nick pointed out in the previous version of this patch, the author +likely intended for this struct to be 8-byte (64-bit) aligned, not +64-byte, which is the default. Remove the hanging __aligned attribute. + +Fixes: b0cc417c1637 ("dmaengine: Add Xilinx zynqmp dma engine driver support") +Reported-by: Nick Desaulniers +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/xilinx/zynqmp_dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c +index 22658057fe27..9069fb854319 100644 +--- a/drivers/dma/xilinx/zynqmp_dma.c ++++ b/drivers/dma/xilinx/zynqmp_dma.c +@@ -159,7 +159,7 @@ struct zynqmp_dma_desc_ll { + u32 ctrl; + u64 nxtdscraddr; + u64 rsvd; +-}; __aligned(64) ++}; + + /** + * struct zynqmp_dma_desc_sw - Per Transaction structure +-- +2.19.1 + diff --git a/queue-4.9/drbd-avoid-clang-warning-about-pointless-switch-stat.patch b/queue-4.9/drbd-avoid-clang-warning-about-pointless-switch-stat.patch new file mode 100644 index 00000000000..619212093a6 --- /dev/null +++ b/queue-4.9/drbd-avoid-clang-warning-about-pointless-switch-stat.patch @@ -0,0 +1,72 @@ +From ca03c4bf1097e021786983d6da213c3e0ac54905 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Thu, 20 Dec 2018 17:23:43 +0100 +Subject: drbd: Avoid Clang warning about pointless switch statment + +[ Upstream commit a52c5a16cf19d8a85831bb1b915a221dd4ffae3c ] + +There are several warnings from Clang about no case statement matching +the constant 0: + +In file included from drivers/block/drbd/drbd_receiver.c:48: +In file included from drivers/block/drbd/drbd_int.h:48: +In file included from ./include/linux/drbd_genl_api.h:54: +In file included from ./include/linux/genl_magic_struct.h:236: +./include/linux/drbd_genl.h:321:1: warning: no case matching constant +switch condition '0' +GENL_struct(DRBD_NLA_HELPER, 24, drbd_helper_info, +^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +./include/linux/genl_magic_struct.h:220:10: note: expanded from macro +'GENL_struct' + switch (0) { + ^ + +Silence this warning by adding a 'case 0:' statement. Additionally, +adjust the alignment of the statements in the ct_assert_unique macro to +avoid a checkpatch warning. + +This solution was originally sent by Arnd Bergmann with a default case +statement: https://lore.kernel.org/patchwork/patch/756723/ + +Link: https://github.com/ClangBuiltLinux/linux/issues/43 +Suggested-by: Lars Ellenberg +Signed-off-by: Nathan Chancellor +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + include/linux/genl_magic_struct.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/genl_magic_struct.h b/include/linux/genl_magic_struct.h +index 6270a56e5edc..d0d6fdc22698 100644 +--- a/include/linux/genl_magic_struct.h ++++ b/include/linux/genl_magic_struct.h +@@ -190,6 +190,7 @@ static inline void ct_assert_unique_operations(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -208,6 +209,7 @@ static inline void ct_assert_unique_top_level_attributes(void) + { + switch (0) { + #include GENL_MAGIC_INCLUDE_FILE ++ case 0: + ; + } + } +@@ -217,7 +219,8 @@ static inline void ct_assert_unique_top_level_attributes(void) + static inline void ct_assert_unique_ ## s_name ## _attributes(void) \ + { \ + switch (0) { \ +- s_fields \ ++ s_fields \ ++ case 0: \ + ; \ + } \ + } +-- +2.19.1 + diff --git a/queue-4.9/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch b/queue-4.9/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch new file mode 100644 index 00000000000..8284f9c6e60 --- /dev/null +++ b/queue-4.9/drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch @@ -0,0 +1,46 @@ +From da05ad5f25496aace48dd4f47c8bbaee790d650e Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 20 Dec 2018 17:23:32 +0100 +Subject: drbd: disconnect, if the wrong UUIDs are attached on a connected peer + +[ Upstream commit b17b59602b6dcf8f97a7dc7bc489a48388d7063a ] + +With "on-no-data-accessible suspend-io", DRBD requires the next attach +or connect to be to the very same data generation uuid tag it lost last. + +If we first lost connection to the peer, +then later lost connection to our own disk, +we would usually refuse to re-connect to the peer, +because it presents the wrong data set. + +However, if the peer first connects without a disk, +and then attached its disk, we accepted that same wrong data set, +which would be "unexpected" by any user of that DRBD +and cause "undefined results" (read: very likely data corruption). + +The fix is to forcefully disconnect as soon as we notice that the peer +attached to the "wrong" dataset. + +Signed-off-by: Lars Ellenberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 77d0f80f62f9..83957a1e15ed 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -4199,7 +4199,7 @@ static int receive_uuids(struct drbd_connection *connection, struct packet_info + kfree(device->p_uuid); + device->p_uuid = p_uuid; + +- if (device->state.conn < C_CONNECTED && ++ if ((device->state.conn < C_CONNECTED || device->state.pdsk == D_DISKLESS) && + device->state.disk < D_INCONSISTENT && + device->state.role == R_PRIMARY && + (device->ed_uuid & ~((u64)1)) != (p_uuid[UI_CURRENT] & ~((u64)1))) { +-- +2.19.1 + diff --git a/queue-4.9/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch b/queue-4.9/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch new file mode 100644 index 00000000000..ee6ac6a505e --- /dev/null +++ b/queue-4.9/drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch @@ -0,0 +1,82 @@ +From d75c26aa367d3cd52376b37b0f331760295eddf4 Mon Sep 17 00:00:00 2001 +From: Roland Kammerer +Date: Thu, 20 Dec 2018 17:23:28 +0100 +Subject: drbd: narrow rcu_read_lock in drbd_sync_handshake + +[ Upstream commit d29e89e34952a9ad02c77109c71a80043544296e ] + +So far there was the possibility that we called +genlmsg_new(GFP_NOIO)/mutex_lock() while holding an rcu_read_lock(). + +This included cases like: + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + drbd_bcast_event + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + genlmsg_new(GFP_NOIO) --> may sleep + +drbd_sync_handshake (acquire the RCU lock) + drbd_asb_recover_1p + drbd_khelper + notify_helper + mutex_lock --> may sleep + +While using GFP_ATOMIC whould have been possible in the first two cases, +the real fix is to narrow the rcu_read_lock. + +Reported-by: Jia-Ju Bai +Reviewed-by: Lars Ellenberg +Signed-off-by: Roland Kammerer +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_receiver.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c +index 942384f34e22..77d0f80f62f9 100644 +--- a/drivers/block/drbd/drbd_receiver.c ++++ b/drivers/block/drbd/drbd_receiver.c +@@ -3421,7 +3421,7 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + enum drbd_conns rv = C_MASK; + enum drbd_disk_state mydisk; + struct net_conf *nc; +- int hg, rule_nr, rr_conflict, tentative; ++ int hg, rule_nr, rr_conflict, tentative, always_asbp; + + mydisk = device->state.disk; + if (mydisk == D_NEGOTIATING) +@@ -3472,8 +3472,12 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + + rcu_read_lock(); + nc = rcu_dereference(peer_device->connection->net_conf); ++ always_asbp = nc->always_asbp; ++ rr_conflict = nc->rr_conflict; ++ tentative = nc->tentative; ++ rcu_read_unlock(); + +- if (hg == 100 || (hg == -100 && nc->always_asbp)) { ++ if (hg == 100 || (hg == -100 && always_asbp)) { + int pcount = (device->state.role == R_PRIMARY) + + (peer_role == R_PRIMARY); + int forced = (hg == -100); +@@ -3512,9 +3516,6 @@ static enum drbd_conns drbd_sync_handshake(struct drbd_peer_device *peer_device, + "Sync from %s node\n", + (hg < 0) ? "peer" : "this"); + } +- rr_conflict = nc->rr_conflict; +- tentative = nc->tentative; +- rcu_read_unlock(); + + if (hg == -100) { + /* FIXME this log message is not correct if we end up here +-- +2.19.1 + diff --git a/queue-4.9/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch b/queue-4.9/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch new file mode 100644 index 00000000000..5983f5beff4 --- /dev/null +++ b/queue-4.9/drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch @@ -0,0 +1,60 @@ +From 371cf158b6956ef39f0ace0fcf8d4c91feca0d15 Mon Sep 17 00:00:00 2001 +From: Lars Ellenberg +Date: Thu, 20 Dec 2018 17:23:41 +0100 +Subject: drbd: skip spurious timeout (ping-timeo) when failing promote + +[ Upstream commit 9848b6ddd8c92305252f94592c5e278574e7a6ac ] + +If you try to promote a Secondary while connected to a Primary +and allow-two-primaries is NOT set, we will wait for "ping-timeout" +to give this node a chance to detect a dead primary, +in case the cluster manager noticed faster than we did. + +But if we then are *still* connected to a Primary, +we fail (after an additional timeout of ping-timout). + +This change skips the spurious second timeout. + +Most people won't notice really, +since "ping-timeout" by default is half a second. + +But in some installations, ping-timeout may be 10 or 20 seconds or more, +and spuriously delaying the error return becomes annoying. + +Signed-off-by: Lars Ellenberg +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/drbd/drbd_nl.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c +index f35db29cac76..abee91940a36 100644 +--- a/drivers/block/drbd/drbd_nl.c ++++ b/drivers/block/drbd/drbd_nl.c +@@ -668,14 +668,15 @@ drbd_set_role(struct drbd_device *const device, enum drbd_role new_role, int for + if (rv == SS_TWO_PRIMARIES) { + /* Maybe the peer is detected as dead very soon... + retry at most once more in this case. */ +- int timeo; +- rcu_read_lock(); +- nc = rcu_dereference(connection->net_conf); +- timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; +- rcu_read_unlock(); +- schedule_timeout_interruptible(timeo); +- if (try < max_tries) ++ if (try < max_tries) { ++ int timeo; + try = max_tries - 1; ++ rcu_read_lock(); ++ nc = rcu_dereference(connection->net_conf); ++ timeo = nc ? (nc->ping_timeo + 1) * HZ / 10 : 1; ++ rcu_read_unlock(); ++ schedule_timeout_interruptible(timeo); ++ } + continue; + } + if (rv < SS_SUCCESS) { +-- +2.19.1 + diff --git a/queue-4.9/drm-bufs-fix-spectre-v1-vulnerability.patch b/queue-4.9/drm-bufs-fix-spectre-v1-vulnerability.patch new file mode 100644 index 00000000000..9f3696a99a0 --- /dev/null +++ b/queue-4.9/drm-bufs-fix-spectre-v1-vulnerability.patch @@ -0,0 +1,55 @@ +From 4cb9f475bf2f7f417553d4c783281f4de5cfadfa Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Tue, 16 Oct 2018 11:55:49 +0200 +Subject: drm/bufs: Fix Spectre v1 vulnerability + +[ Upstream commit a37805098900a6e73a55b3a43b7d3bcd987bb3f4 ] + +idx can be indirectly controlled by user-space, hence leading to a +potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/gpu/drm/drm_bufs.c:1420 drm_legacy_freebufs() warn: potential +spectre issue 'dma->buflist' [r] (local cap) + +Fix this by sanitizing idx before using it to index dma->buflist + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20181016095549.GA23586@embeddedor.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_bufs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/drm_bufs.c b/drivers/gpu/drm/drm_bufs.c +index adb1dd7fde5f..9ccd7d702cd3 100644 +--- a/drivers/gpu/drm/drm_bufs.c ++++ b/drivers/gpu/drm/drm_bufs.c +@@ -36,6 +36,8 @@ + #include + #include "drm_legacy.h" + ++#include ++ + static struct drm_map_list *drm_find_matching_map(struct drm_device *dev, + struct drm_local_map *map) + { +@@ -1413,6 +1415,7 @@ int drm_legacy_freebufs(struct drm_device *dev, void *data, + idx, dma->buf_count - 1); + return -EINVAL; + } ++ idx = array_index_nospec(idx, dma->buf_count); + buf = dma->buflist[idx]; + if (buf->file_priv != file_priv) { + DRM_ERROR("Process %d freeing buffer not owned\n", +-- +2.19.1 + diff --git a/queue-4.9/drm-vc4-x_scaling-1-should-never-be-set-to-vc4_scali.patch b/queue-4.9/drm-vc4-x_scaling-1-should-never-be-set-to-vc4_scali.patch new file mode 100644 index 00000000000..9371ada7763 --- /dev/null +++ b/queue-4.9/drm-vc4-x_scaling-1-should-never-be-set-to-vc4_scali.patch @@ -0,0 +1,54 @@ +From ab4b4a66288158a7839fe604ba105044768d62ba Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 9 Nov 2018 11:26:32 +0100 +Subject: drm/vc4: ->x_scaling[1] should never be set to VC4_SCALING_NONE + +[ Upstream commit 0560054da5673b25d56bea6c57c8d069673af73b ] + +For the YUV conversion to work properly, ->x_scaling[1] should never +be set to VC4_SCALING_NONE, but vc4_get_scaling_mode() might return +VC4_SCALING_NONE if the horizontal scaling ratio exactly matches the +horizontal subsampling factor. Add a test to turn VC4_SCALING_NONE +into VC4_SCALING_PPF when that happens. + +The old ->x_scaling[0] adjustment is dropped as I couldn't find any +mention to this constraint in the spec and it's proven to be +unnecessary (I tested various multi-planar YUV formats with scaling +disabled, and all of them worked fine without this adjustment). + +Fixes: fc04023fafec ("drm/vc4: Add support for YUV planes.") +Signed-off-by: Boris Brezillon +Reviewed-by: Eric Anholt +Link: https://patchwork.freedesktop.org/patch/msgid/20181109102633.32603-1-boris.brezillon@bootlin.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vc4/vc4_plane.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/gpu/drm/vc4/vc4_plane.c b/drivers/gpu/drm/vc4/vc4_plane.c +index 70051bf0ee5c..0376c0c2fc66 100644 +--- a/drivers/gpu/drm/vc4/vc4_plane.c ++++ b/drivers/gpu/drm/vc4/vc4_plane.c +@@ -345,12 +345,14 @@ static int vc4_plane_setup_clipping_and_scaling(struct drm_plane_state *state) + vc4_get_scaling_mode(vc4_state->src_h[1], + vc4_state->crtc_h); + +- /* YUV conversion requires that horizontal scaling be enabled, +- * even on a plane that's otherwise 1:1. Looks like only PPF +- * works in that case, so let's pick that one. ++ /* YUV conversion requires that horizontal scaling be enabled ++ * on the UV plane even if vc4_get_scaling_mode() returned ++ * VC4_SCALING_NONE (which can happen when the down-scaling ++ * ratio is 0.5). Let's force it to VC4_SCALING_PPF in this ++ * case. + */ +- if (vc4_state->is_unity) +- vc4_state->x_scaling[0] = VC4_SCALING_PPF; ++ if (vc4_state->x_scaling[1] == VC4_SCALING_NONE) ++ vc4_state->x_scaling[1] = VC4_SCALING_PPF; + } else { + vc4_state->is_yuv = false; + vc4_state->x_scaling[1] = VC4_SCALING_NONE; +-- +2.19.1 + diff --git a/queue-4.9/exec-load_script-don-t-blindly-truncate-shebang-stri.patch b/queue-4.9/exec-load_script-don-t-blindly-truncate-shebang-stri.patch new file mode 100644 index 00000000000..49e7e3f3398 --- /dev/null +++ b/queue-4.9/exec-load_script-don-t-blindly-truncate-shebang-stri.patch @@ -0,0 +1,54 @@ +From 9e3e0b396a9928eb33e3d7db094b6591927f0d8b Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Thu, 3 Jan 2019 15:28:07 -0800 +Subject: exec: load_script: don't blindly truncate shebang string + +[ Upstream commit 8099b047ecc431518b9bb6bdbba3549bbecdc343 ] + +load_script() simply truncates bprm->buf and this is very wrong if the +length of shebang string exceeds BINPRM_BUF_SIZE-2. This can silently +truncate i_arg or (worse) we can execute the wrong binary if buf[2:126] +happens to be the valid executable path. + +Change load_script() to return ENOEXEC if it can't find '\n' or zero in +bprm->buf. Note that '\0' can come from either +prepare_binprm()->memset() or from kernel_read(), we do not care. + +Link: http://lkml.kernel.org/r/20181112160931.GA28463@redhat.com +Signed-off-by: Oleg Nesterov +Acked-by: Kees Cook +Acked-by: Michal Hocko +Cc: Ben Woodard +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/binfmt_script.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/fs/binfmt_script.c b/fs/binfmt_script.c +index afdf4e3cafc2..634bdbb23851 100644 +--- a/fs/binfmt_script.c ++++ b/fs/binfmt_script.c +@@ -43,10 +43,14 @@ static int load_script(struct linux_binprm *bprm) + fput(bprm->file); + bprm->file = NULL; + +- bprm->buf[BINPRM_BUF_SIZE - 1] = '\0'; +- if ((cp = strchr(bprm->buf, '\n')) == NULL) +- cp = bprm->buf+BINPRM_BUF_SIZE-1; ++ for (cp = bprm->buf+2;; cp++) { ++ if (cp >= bprm->buf + BINPRM_BUF_SIZE) ++ return -ENOEXEC; ++ if (!*cp || (*cp == '\n')) ++ break; ++ } + *cp = '\0'; ++ + while (cp > bprm->buf) { + cp--; + if ((*cp == ' ') || (*cp == '\t')) +-- +2.19.1 + diff --git a/queue-4.9/f2fs-avoid-build-warn-of-fall_through.patch b/queue-4.9/f2fs-avoid-build-warn-of-fall_through.patch new file mode 100644 index 00000000000..4ec3a440725 --- /dev/null +++ b/queue-4.9/f2fs-avoid-build-warn-of-fall_through.patch @@ -0,0 +1,43 @@ +From 12ef0be5dbfdc31db1f75addcb6c3553a7827461 Mon Sep 17 00:00:00 2001 +From: Jaegeuk Kim +Date: Mon, 26 Nov 2018 14:20:32 -0800 +Subject: f2fs: avoid build warn of fall_through + +[ Upstream commit f5d5510e7389fa264337fb524346bac9eb93adc8 ] + +After merging the f2fs tree, today's linux-next build + (x86_64_allmodconfig) produced this warning: + + In file included from fs/f2fs/dir.c:11: + fs/f2fs/f2fs.h: In function '__mark_inode_dirty_flag': + fs/f2fs/f2fs.h:2388:6: warning: this statement may fall through [-Wimplicit-fallthrough=] + if (set) + ^ + fs/f2fs/f2fs.h:2390:2: note: here + case FI_DATA_EXIST: + ^~~~ + + Exposed by my use of -Wimplicit-fallthrough + +Reported-by: Stephen Rothwell +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 9c380885b0fc..662084490089 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1635,6 +1635,7 @@ static inline void __mark_inode_dirty_flag(struct inode *inode, + case FI_INLINE_DENTRY: + if (set) + return; ++ /* fall through */ + case FI_DATA_EXIST: + case FI_INLINE_DOTS: + f2fs_mark_inode_dirty_sync(inode); +-- +2.19.1 + diff --git a/queue-4.9/f2fs-fix-sbi-extent_list-corruption-issue.patch b/queue-4.9/f2fs-fix-sbi-extent_list-corruption-issue.patch new file mode 100644 index 00000000000..8ea6cf608bc --- /dev/null +++ b/queue-4.9/f2fs-fix-sbi-extent_list-corruption-issue.patch @@ -0,0 +1,92 @@ +From 6c76dce2e36def770dd550d956099a5dc63810aa Mon Sep 17 00:00:00 2001 +From: Sahitya Tummala +Date: Tue, 18 Dec 2018 16:39:24 +0530 +Subject: f2fs: fix sbi->extent_list corruption issue + +[ Upstream commit e4589fa545e0020dbbc3c9bde35f35f949901392 ] + +When there is a failure in f2fs_fill_super() after/during +the recovery of fsync'd nodes, it frees the current sbi and +retries again. This time the mount is successful, but the files +that got recovered before retry, still holds the extent tree, +whose extent nodes list is corrupted since sbi and sbi->extent_list +is freed up. The list_del corruption issue is observed when the +file system is getting unmounted and when those recoverd files extent +node is being freed up in the below context. + +list_del corruption. prev->next should be fffffff1e1ef5480, but was (null) +<...> +kernel BUG at kernel/msm-4.14/lib/list_debug.c:53! +lr : __list_del_entry_valid+0x94/0xb4 +pc : __list_del_entry_valid+0x94/0xb4 +<...> +Call trace: +__list_del_entry_valid+0x94/0xb4 +__release_extent_node+0xb0/0x114 +__free_extent_tree+0x58/0x7c +f2fs_shrink_extent_tree+0xdc/0x3b0 +f2fs_leave_shrinker+0x28/0x7c +f2fs_put_super+0xfc/0x1e0 +generic_shutdown_super+0x70/0xf4 +kill_block_super+0x2c/0x5c +kill_f2fs_super+0x44/0x50 +deactivate_locked_super+0x60/0x8c +deactivate_super+0x68/0x74 +cleanup_mnt+0x40/0x78 +__cleanup_mnt+0x1c/0x28 +task_work_run+0x48/0xd0 +do_notify_resume+0x678/0xe98 +work_pending+0x8/0x14 + +Fix this by not creating extents for those recovered files if shrinker is +not registered yet. Once mount is successful and shrinker is registered, +those files can have extents again. + +Signed-off-by: Sahitya Tummala +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/f2fs.h | 11 ++++++++++- + fs/f2fs/shrinker.c | 2 +- + 2 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h +index 662084490089..6c069c9c0bb6 100644 +--- a/fs/f2fs/f2fs.h ++++ b/fs/f2fs/f2fs.h +@@ -1886,10 +1886,19 @@ static inline bool is_dot_dotdot(const struct qstr *str) + + static inline bool f2fs_may_extent_tree(struct inode *inode) + { +- if (!test_opt(F2FS_I_SB(inode), EXTENT_CACHE) || ++ struct f2fs_sb_info *sbi = F2FS_I_SB(inode); ++ ++ if (!test_opt(sbi, EXTENT_CACHE) || + is_inode_flag_set(inode, FI_NO_EXTENT)) + return false; + ++ /* ++ * for recovered files during mount do not create extents ++ * if shrinker is not registered. ++ */ ++ if (list_empty(&sbi->s_list)) ++ return false; ++ + return S_ISREG(inode->i_mode); + } + +diff --git a/fs/f2fs/shrinker.c b/fs/f2fs/shrinker.c +index 46c915425923..a40bfa7fafec 100644 +--- a/fs/f2fs/shrinker.c ++++ b/fs/f2fs/shrinker.c +@@ -136,6 +136,6 @@ void f2fs_leave_shrinker(struct f2fs_sb_info *sbi) + f2fs_shrink_extent_tree(sbi, __count_extent_cache(sbi)); + + spin_lock(&f2fs_list_lock); +- list_del(&sbi->s_list); ++ list_del_init(&sbi->s_list); + spin_unlock(&f2fs_list_lock); + } +-- +2.19.1 + diff --git a/queue-4.9/f2fs-fix-wrong-return-value-of-f2fs_acl_create.patch b/queue-4.9/f2fs-fix-wrong-return-value-of-f2fs_acl_create.patch new file mode 100644 index 00000000000..4df9569230a --- /dev/null +++ b/queue-4.9/f2fs-fix-wrong-return-value-of-f2fs_acl_create.patch @@ -0,0 +1,61 @@ +From 8ce5882650228a86730078112e6f0dca17948fef Mon Sep 17 00:00:00 2001 +From: Tiezhu Yang +Date: Wed, 21 Nov 2018 07:21:38 +0800 +Subject: f2fs: fix wrong return value of f2fs_acl_create + +[ Upstream commit f6176473a0c7472380eef72ebeb330cf9485bf0a ] + +When call f2fs_acl_create_masq() failed, the caller f2fs_acl_create() +should return -EIO instead of -ENOMEM, this patch makes it consistent +with posix_acl_create() which has been fixed in commit beaf226b863a +("posix_acl: don't ignore return value of posix_acl_create_masq()"). + +Fixes: 83dfe53c185e ("f2fs: fix reference leaks in f2fs_acl_create") +Signed-off-by: Tiezhu Yang +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/acl.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/fs/f2fs/acl.c b/fs/f2fs/acl.c +index 55aa29c0c78d..a9894089d9dc 100644 +--- a/fs/f2fs/acl.c ++++ b/fs/f2fs/acl.c +@@ -348,12 +348,14 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode, + return PTR_ERR(p); + + clone = f2fs_acl_clone(p, GFP_NOFS); +- if (!clone) +- goto no_mem; ++ if (!clone) { ++ ret = -ENOMEM; ++ goto release_acl; ++ } + + ret = f2fs_acl_create_masq(clone, mode); + if (ret < 0) +- goto no_mem_clone; ++ goto release_clone; + + if (ret == 0) + posix_acl_release(clone); +@@ -367,11 +369,11 @@ static int f2fs_acl_create(struct inode *dir, umode_t *mode, + + return 0; + +-no_mem_clone: ++release_clone: + posix_acl_release(clone); +-no_mem: ++release_acl: + posix_acl_release(p); +- return -ENOMEM; ++ return ret; + } + + int f2fs_init_acl(struct inode *inode, struct inode *dir, struct page *ipage, +-- +2.19.1 + diff --git a/queue-4.9/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch b/queue-4.9/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch new file mode 100644 index 00000000000..cbd2e757291 --- /dev/null +++ b/queue-4.9/f2fs-move-dir-data-flush-to-write-checkpoint-process.patch @@ -0,0 +1,48 @@ +From 12a0cb2eb77fd42a7b80492e5fa21269f1abe121 Mon Sep 17 00:00:00 2001 +From: Yunlei He +Date: Tue, 6 Nov 2018 10:25:29 +0800 +Subject: f2fs: move dir data flush to write checkpoint process + +[ Upstream commit b61ac5b720146c619c7cdf17eff2551b934399e5 ] + +This patch move dir data flush to write checkpoint process, by +doing this, it may reduce some time for dir fsync. + +pre: + -f2fs_do_sync_file enter + -file_write_and_wait_range <- flush & wait + -write_checkpoint + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +now: + -f2fs_do_sync_file enter + -write_checkpoint + -block_operations <- flush dir & no wait + -do_checkpoint <- wait all + -f2fs_do_sync_file exit + +Signed-off-by: Yunlei He +Signed-off-by: Jaegeuk Kim +Signed-off-by: Sasha Levin +--- + fs/f2fs/file.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c +index b768f495603e..f46ac1651bd5 100644 +--- a/fs/f2fs/file.c ++++ b/fs/f2fs/file.c +@@ -198,6 +198,9 @@ static int f2fs_do_sync_file(struct file *file, loff_t start, loff_t end, + + trace_f2fs_sync_file_enter(inode); + ++ if (S_ISDIR(inode->i_mode)) ++ goto go_write; ++ + /* if fdatasync is triggered, let's do in-place-update */ + if (datasync || get_dirty_pages(inode) <= SM_I(sbi)->min_fsync_blocks) + set_inode_flag(inode, FI_NEED_IPU); +-- +2.19.1 + diff --git a/queue-4.9/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch b/queue-4.9/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch new file mode 100644 index 00000000000..3d413a2201c --- /dev/null +++ b/queue-4.9/fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch @@ -0,0 +1,84 @@ +From 21ea1b6847fc7f69218dd0a1f8b24b960661c812 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Thu, 20 Dec 2018 19:13:09 +0100 +Subject: fbdev: fbcon: Fix unregister crash when more than one framebuffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2122b40580dd9d0620398739c773d07a7b7939d0 ] + +When unregistering fbdev using unregister_framebuffer(), any bound +console will unbind automatically. This is working fine if this is the +only framebuffer, resulting in a switch to the dummy console. However if +there is a fb0 and I unregister fb1 having a bound console, I eventually +get a crash. The fastest way for me to trigger the crash is to do a +reboot, resulting in this splat: + +[ 76.478825] WARNING: CPU: 0 PID: 527 at linux/kernel/workqueue.c:1442 __queue_work+0x2d4/0x41c +[ 76.478849] Modules linked in: raspberrypi_hwmon gpio_backlight backlight bcm2835_rng rng_core [last unloaded: tinydrm] +[ 76.478916] CPU: 0 PID: 527 Comm: systemd-udevd Not tainted 4.20.0-rc4+ #4 +[ 76.478933] Hardware name: BCM2835 +[ 76.478949] Backtrace: +[ 76.478995] [] (dump_backtrace) from [] (show_stack+0x20/0x24) +[ 76.479022] r6:00000000 r5:c0bc73be r4:00000000 r3:6fb5bf81 +[ 76.479060] [] (show_stack) from [] (dump_stack+0x20/0x28) +[ 76.479102] [] (dump_stack) from [] (__warn+0xec/0x12c) +[ 76.479134] [] (__warn) from [] (warn_slowpath_null+0x4c/0x58) +[ 76.479165] r9:c0eb6944 r8:00000001 r7:c0e927f8 r6:c0bc73be r5:000005a2 r4:c0139e84 +[ 76.479197] [] (warn_slowpath_null) from [] (__queue_work+0x2d4/0x41c) +[ 76.479222] r6:d7666a00 r5:c0e918ee r4:dbc4e700 +[ 76.479251] [] (__queue_work) from [] (queue_work_on+0x60/0x88) +[ 76.479281] r10:c0496bf8 r9:00000100 r8:c0e92ae0 r7:00000001 r6:d9403700 r5:d7666a00 +[ 76.479298] r4:20000113 +[ 76.479348] [] (queue_work_on) from [] (cursor_timer_handler+0x30/0x54) +[ 76.479374] r7:d8a8fabc r6:c0e08088 r5:d8afdc5c r4:d8a8fabc +[ 76.479413] [] (cursor_timer_handler) from [] (call_timer_fn+0x100/0x230) +[ 76.479435] r4:c0e9192f r3:d758a340 +[ 76.479465] [] (call_timer_fn) from [] (expire_timers+0x10c/0x12c) +[ 76.479495] r10:40000000 r9:c0e9192f r8:c0e92ae0 r7:d8afdccc r6:c0e19280 r5:c0496bf8 +[ 76.479513] r4:d8a8fabc +[ 76.479541] [] (expire_timers) from [] (run_timer_softirq+0xa8/0x184) +[ 76.479570] r9:00000001 r8:c0e19280 r7:00000000 r6:c0e08088 r5:c0e1a3e0 r4:c0e19280 +[ 76.479603] [] (run_timer_softirq) from [] (__do_softirq+0x1ac/0x3fc) +[ 76.479632] r10:c0e91680 r9:d8afc020 r8:0000000a r7:00000100 r6:00000001 r5:00000002 +[ 76.479650] r4:c0eb65ec +[ 76.479686] [] (__do_softirq) from [] (irq_exit+0xe8/0x168) +[ 76.479716] r10:d8d1a9b0 r9:d8afc000 r8:00000001 r7:d949c000 r6:00000000 r5:c0e8b3f0 +[ 76.479734] r4:00000000 +[ 76.479764] [] (irq_exit) from [] (__handle_domain_irq+0x94/0xb0) +[ 76.479793] [] (__handle_domain_irq) from [] (bcm2835_handle_irq+0x3c/0x48) +[ 76.479823] r8:d8afdebc r7:d8afddfc r6:ffffffff r5:c0e089f8 r4:d8afddc8 r3:d8afddc8 +[ 76.479851] [] (bcm2835_handle_irq) from [] (__irq_svc+0x70/0x98) + +The problem is in the console rebinding in fbcon_fb_unbind(). It uses the +virtual console index as the new framebuffer index to bind the console(s) +to. The correct way is to use the con2fb_map lookup table to find the +framebuffer index. + +Fixes: cfafca8067c6 ("fbdev: fbcon: console unregistration from unregister_framebuffer") +Signed-off-by: Noralf Trønnes +Reviewed-by: Mikulas Patocka +Acked-by: Daniel Vetter +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/console/fbcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c +index 4db10d7990c9..178b507a6fe0 100644 +--- a/drivers/video/console/fbcon.c ++++ b/drivers/video/console/fbcon.c +@@ -3030,7 +3030,7 @@ static int fbcon_fb_unbind(int idx) + for (i = first_fb_vc; i <= last_fb_vc; i++) { + if (con2fb_map[i] != idx && + con2fb_map[i] != -1) { +- new_idx = i; ++ new_idx = con2fb_map[i]; + break; + } + } +-- +2.19.1 + diff --git a/queue-4.9/fbdev-fbmem-behave-better-with-small-rotated-display.patch b/queue-4.9/fbdev-fbmem-behave-better-with-small-rotated-display.patch new file mode 100644 index 00000000000..8d406477cc7 --- /dev/null +++ b/queue-4.9/fbdev-fbmem-behave-better-with-small-rotated-display.patch @@ -0,0 +1,62 @@ +From 2a428d176a63363dc27796bb58f86e7470c84790 Mon Sep 17 00:00:00 2001 +From: Peter Rosin +Date: Thu, 20 Dec 2018 19:13:07 +0100 +Subject: fbdev: fbmem: behave better with small rotated displays and many CPUs + +[ Upstream commit f75df8d4b4fabfad7e3cba2debfad12741c6fde7 ] + +Blitting an image with "negative" offsets is not working since there +is no clipping. It hopefully just crashes. For the bootup logo, there +is protection so that blitting does not happen as the image is drawn +further and further to the right (ROTATE_UR) or further and further +down (ROTATE_CW). There is however no protection when drawing in the +opposite directions (ROTATE_UD and ROTATE_CCW). + +Add back this protection. + +The regression is 20-odd years old but the mindless warning-killing +mentality displayed in commit 34bdb666f4b2 ("fbdev: fbmem: remove +positive test on unsigned values") is also to blame, methinks. + +Fixes: 448d479747b8 ("fbdev: fb_do_show_logo() updates") +Signed-off-by: Peter Rosin +Cc: Tomi Valkeinen +Cc: Fabian Frederick +Cc: Geert Uytterhoeven +cc: Geoff Levand +Cc: James Simmons +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/core/fbmem.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c +index 74273bc7ca9a..a1d93151c059 100644 +--- a/drivers/video/fbdev/core/fbmem.c ++++ b/drivers/video/fbdev/core/fbmem.c +@@ -433,7 +433,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dx += image->width + 8; + } + } else if (rotate == FB_ROTATE_UD) { +- for (x = 0; x < num; x++) { ++ u32 dx = image->dx; ++ ++ for (x = 0; x < num && image->dx <= dx; x++) { + info->fbops->fb_imageblit(info, image); + image->dx -= image->width + 8; + } +@@ -445,7 +447,9 @@ static void fb_do_show_logo(struct fb_info *info, struct fb_image *image, + image->dy += image->height + 8; + } + } else if (rotate == FB_ROTATE_CCW) { +- for (x = 0; x < num; x++) { ++ u32 dy = image->dy; ++ ++ for (x = 0; x < num && image->dy <= dy; x++) { + info->fbops->fb_imageblit(info, image); + image->dy -= image->height + 8; + } +-- +2.19.1 + diff --git a/queue-4.9/firmware-efi-add-null-pointer-checks-in-efivars-api-.patch b/queue-4.9/firmware-efi-add-null-pointer-checks-in-efivars-api-.patch new file mode 100644 index 00000000000..aed82d39e8f --- /dev/null +++ b/queue-4.9/firmware-efi-add-null-pointer-checks-in-efivars-api-.patch @@ -0,0 +1,318 @@ +From 460b09265b44296246bc7fc899052b2def13c69b Mon Sep 17 00:00:00 2001 +From: Arend van Spriel +Date: Thu, 29 Nov 2018 18:12:27 +0100 +Subject: firmware/efi: Add NULL pointer checks in efivars API functions + +[ Upstream commit ab2180a15ce54739fed381efb4cb12e78dfb1561 ] + +Since commit: + + ce2e6db554fa ("brcmfmac: Add support for getting nvram contents from EFI variables") + +we have a device driver accessing the efivars API. Several functions in +the efivars API assume __efivars is set, i.e., that they will be accessed +only after efivars_register() has been called. However, the following NULL +pointer access was reported calling efivar_entry_size() from the brcmfmac +device driver: + + Unable to handle kernel NULL pointer dereference at virtual address 00000008 + pgd = 60bfa5f1 + [00000008] *pgd=00000000 + Internal error: Oops: 5 [#1] SMP ARM + ... + Hardware name: NVIDIA Tegra SoC (Flattened Device Tree) + Workqueue: events request_firmware_work_func + PC is at efivar_entry_size+0x28/0x90 + LR is at brcmf_fw_complete_request+0x3f8/0x8d4 [brcmfmac] + pc : [] lr : [] psr: a00d0113 + sp : ede7fe28 ip : ee983410 fp : c1787f30 + r10: 00000000 r9 : 00000000 r8 : bf2b2258 + r7 : ee983000 r6 : c1604c48 r5 : ede7fe88 r4 : edf337c0 + r3 : 00000000 r2 : 00000000 r1 : ede7fe88 r0 : c17712c8 + Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none + Control: 10c5387d Table: ad16804a DAC: 00000051 + +Disassembly showed that the local static variable __efivars is NULL, +which is not entirely unexpected given that it is a non-EFI platform. + +So add a NULL pointer check to efivar_entry_size(), and to related +functions while at it. In efivars_register() a couple of sanity checks +are added as well. + +Reported-by: Jon Hunter +Signed-off-by: Arend van Spriel +Signed-off-by: Ard Biesheuvel +Cc: Andy Lutomirski +Cc: Bhupesh Sharma +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Eric Snowberg +Cc: Hans de Goede +Cc: Joe Perches +Cc: Julien Thierry +Cc: Linus Torvalds +Cc: Marc Zyngier +Cc: Matt Fleming +Cc: Nathan Chancellor +Cc: Peter Zijlstra +Cc: Sai Praneeth Prakhya +Cc: Sedat Dilek +Cc: Thomas Gleixner +Cc: YiFei Zhu +Cc: linux-efi@vger.kernel.org +Link: http://lkml.kernel.org/r/20181129171230.18699-9-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/firmware/efi/vars.c | 99 +++++++++++++++++++++++++++++-------- + 1 file changed, 78 insertions(+), 21 deletions(-) + +diff --git a/drivers/firmware/efi/vars.c b/drivers/firmware/efi/vars.c +index 9336ffdf6e2c..fceaafd67ec6 100644 +--- a/drivers/firmware/efi/vars.c ++++ b/drivers/firmware/efi/vars.c +@@ -318,7 +318,12 @@ EXPORT_SYMBOL_GPL(efivar_variable_is_removable); + static efi_status_t + check_var_size(u32 attributes, unsigned long size) + { +- const struct efivar_operations *fops = __efivars->ops; ++ const struct efivar_operations *fops; ++ ++ if (!__efivars) ++ return EFI_UNSUPPORTED; ++ ++ fops = __efivars->ops; + + if (!fops->query_variable_store) + return EFI_UNSUPPORTED; +@@ -329,7 +334,12 @@ check_var_size(u32 attributes, unsigned long size) + static efi_status_t + check_var_size_nonblocking(u32 attributes, unsigned long size) + { +- const struct efivar_operations *fops = __efivars->ops; ++ const struct efivar_operations *fops; ++ ++ if (!__efivars) ++ return EFI_UNSUPPORTED; ++ ++ fops = __efivars->ops; + + if (!fops->query_variable_store) + return EFI_UNSUPPORTED; +@@ -429,13 +439,18 @@ static void dup_variable_bug(efi_char16_t *str16, efi_guid_t *vendor_guid, + int efivar_init(int (*func)(efi_char16_t *, efi_guid_t, unsigned long, void *), + void *data, bool duplicates, struct list_head *head) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + unsigned long variable_name_size = 1024; + efi_char16_t *variable_name; + efi_status_t status; + efi_guid_t vendor_guid; + int err = 0; + ++ if (!__efivars) ++ return -EFAULT; ++ ++ ops = __efivars->ops; ++ + variable_name = kzalloc(variable_name_size, GFP_KERNEL); + if (!variable_name) { + printk(KERN_ERR "efivars: Memory allocation failed.\n"); +@@ -583,12 +598,14 @@ static void efivar_entry_list_del_unlock(struct efivar_entry *entry) + */ + int __efivar_entry_delete(struct efivar_entry *entry) + { +- const struct efivar_operations *ops = __efivars->ops; + efi_status_t status; + +- status = ops->set_variable(entry->var.VariableName, +- &entry->var.VendorGuid, +- 0, 0, NULL); ++ if (!__efivars) ++ return -EINVAL; ++ ++ status = __efivars->ops->set_variable(entry->var.VariableName, ++ &entry->var.VendorGuid, ++ 0, 0, NULL); + + return efi_status_to_err(status); + } +@@ -607,12 +624,17 @@ EXPORT_SYMBOL_GPL(__efivar_entry_delete); + */ + int efivar_entry_delete(struct efivar_entry *entry) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_status_t status; + + if (down_interruptible(&efivars_lock)) + return -EINTR; + ++ if (!__efivars) { ++ up(&efivars_lock); ++ return -EINVAL; ++ } ++ ops = __efivars->ops; + status = ops->set_variable(entry->var.VariableName, + &entry->var.VendorGuid, + 0, 0, NULL); +@@ -650,13 +672,19 @@ EXPORT_SYMBOL_GPL(efivar_entry_delete); + int efivar_entry_set(struct efivar_entry *entry, u32 attributes, + unsigned long size, void *data, struct list_head *head) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_status_t status; + efi_char16_t *name = entry->var.VariableName; + efi_guid_t vendor = entry->var.VendorGuid; + + if (down_interruptible(&efivars_lock)) + return -EINTR; ++ ++ if (!__efivars) { ++ up(&efivars_lock); ++ return -EINVAL; ++ } ++ ops = __efivars->ops; + if (head && efivar_entry_find(name, vendor, head, false)) { + up(&efivars_lock); + return -EEXIST; +@@ -687,12 +715,17 @@ static int + efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor, + u32 attributes, unsigned long size, void *data) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_status_t status; + + if (down_trylock(&efivars_lock)) + return -EBUSY; + ++ if (!__efivars) { ++ up(&efivars_lock); ++ return -EINVAL; ++ } ++ + status = check_var_size_nonblocking(attributes, + size + ucs2_strsize(name, 1024)); + if (status != EFI_SUCCESS) { +@@ -700,6 +733,7 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor, + return -ENOSPC; + } + ++ ops = __efivars->ops; + status = ops->set_variable_nonblocking(name, &vendor, attributes, + size, data); + +@@ -727,9 +761,13 @@ efivar_entry_set_nonblocking(efi_char16_t *name, efi_guid_t vendor, + int efivar_entry_set_safe(efi_char16_t *name, efi_guid_t vendor, u32 attributes, + bool block, unsigned long size, void *data) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_status_t status; + ++ if (!__efivars) ++ return -EINVAL; ++ ++ ops = __efivars->ops; + if (!ops->query_variable_store) + return -ENOSYS; + +@@ -829,13 +867,18 @@ EXPORT_SYMBOL_GPL(efivar_entry_find); + */ + int efivar_entry_size(struct efivar_entry *entry, unsigned long *size) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_status_t status; + + *size = 0; + + if (down_interruptible(&efivars_lock)) + return -EINTR; ++ if (!__efivars) { ++ up(&efivars_lock); ++ return -EINVAL; ++ } ++ ops = __efivars->ops; + status = ops->get_variable(entry->var.VariableName, + &entry->var.VendorGuid, NULL, size, NULL); + up(&efivars_lock); +@@ -861,12 +904,14 @@ EXPORT_SYMBOL_GPL(efivar_entry_size); + int __efivar_entry_get(struct efivar_entry *entry, u32 *attributes, + unsigned long *size, void *data) + { +- const struct efivar_operations *ops = __efivars->ops; + efi_status_t status; + +- status = ops->get_variable(entry->var.VariableName, +- &entry->var.VendorGuid, +- attributes, size, data); ++ if (!__efivars) ++ return -EINVAL; ++ ++ status = __efivars->ops->get_variable(entry->var.VariableName, ++ &entry->var.VendorGuid, ++ attributes, size, data); + + return efi_status_to_err(status); + } +@@ -882,14 +927,19 @@ EXPORT_SYMBOL_GPL(__efivar_entry_get); + int efivar_entry_get(struct efivar_entry *entry, u32 *attributes, + unsigned long *size, void *data) + { +- const struct efivar_operations *ops = __efivars->ops; + efi_status_t status; + + if (down_interruptible(&efivars_lock)) + return -EINTR; +- status = ops->get_variable(entry->var.VariableName, +- &entry->var.VendorGuid, +- attributes, size, data); ++ ++ if (!__efivars) { ++ up(&efivars_lock); ++ return -EINVAL; ++ } ++ ++ status = __efivars->ops->get_variable(entry->var.VariableName, ++ &entry->var.VendorGuid, ++ attributes, size, data); + up(&efivars_lock); + + return efi_status_to_err(status); +@@ -921,7 +971,7 @@ EXPORT_SYMBOL_GPL(efivar_entry_get); + int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, + unsigned long *size, void *data, bool *set) + { +- const struct efivar_operations *ops = __efivars->ops; ++ const struct efivar_operations *ops; + efi_char16_t *name = entry->var.VariableName; + efi_guid_t *vendor = &entry->var.VendorGuid; + efi_status_t status; +@@ -940,6 +990,11 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, + if (down_interruptible(&efivars_lock)) + return -EINTR; + ++ if (!__efivars) { ++ err = -EINVAL; ++ goto out; ++ } ++ + /* + * Ensure that the available space hasn't shrunk below the safe level + */ +@@ -956,6 +1011,8 @@ int efivar_entry_set_get_size(struct efivar_entry *entry, u32 attributes, + } + } + ++ ops = __efivars->ops; ++ + status = ops->set_variable(name, vendor, attributes, *size, data); + if (status != EFI_SUCCESS) { + err = efi_status_to_err(status); +-- +2.19.1 + diff --git a/queue-4.9/fs-epoll-drop-ovflist-branch-prediction.patch b/queue-4.9/fs-epoll-drop-ovflist-branch-prediction.patch new file mode 100644 index 00000000000..f408c2499bd --- /dev/null +++ b/queue-4.9/fs-epoll-drop-ovflist-branch-prediction.patch @@ -0,0 +1,55 @@ +From a705bac17a6d9b947e4300cc92169b11f950623f Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Thu, 3 Jan 2019 15:27:09 -0800 +Subject: fs/epoll: drop ovflist branch prediction + +[ Upstream commit 76699a67f3041ff4c7af6d6ee9be2bfbf1ffb671 ] + +The ep->ovflist is a secondary ready-list to temporarily store events +that might occur when doing sproc without holding the ep->wq.lock. This +accounts for every time we check for ready events and also send events +back to userspace; both callbacks, particularly the latter because of +copy_to_user, can account for a non-trivial time. + +As such, the unlikely() check to see if the pointer is being used, seems +both misleading and sub-optimal. In fact, we go to an awful lot of +trouble to sync both lists, and populating the ovflist is far from an +uncommon scenario. + +For example, profiling a concurrent epoll_wait(2) benchmark, with +CONFIG_PROFILE_ANNOTATED_BRANCHES shows that for a two threads a 33% +incorrect rate was seen; and when incrementally increasing the number of +epoll instances (which is used, for example for multiple queuing load +balancing models), up to a 90% incorrect rate was seen. + +Similarly, by deleting the prediction, 3% throughput boost was seen +across incremental threads. + +Link: http://lkml.kernel.org/r/20181108051006.18751-4-dave@stgolabs.net +Signed-off-by: Davidlohr Bueso +Reviewed-by: Andrew Morton +Cc: Al Viro +Cc: Jason Baron +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/eventpoll.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 3cbc30413add..a9c0bf8782f5 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -1040,7 +1040,7 @@ static int ep_poll_callback(wait_queue_t *wait, unsigned mode, int sync, void *k + * semantics). All the events that happen during that period of time are + * chained in ep->ovflist and requeued later on. + */ +- if (unlikely(ep->ovflist != EP_UNACTIVE_PTR)) { ++ if (ep->ovflist != EP_UNACTIVE_PTR) { + if (epi->next == EP_UNACTIVE_PTR) { + epi->next = ep->ovflist; + ep->ovflist = epi; +-- +2.19.1 + diff --git a/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch b/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch new file mode 100644 index 00000000000..0499a963403 --- /dev/null +++ b/queue-4.9/fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch @@ -0,0 +1,77 @@ +From 161c6ea33a40f3775d2af91f3ae20c89048a3c19 Mon Sep 17 00:00:00 2001 +From: Benjamin Gordon +Date: Thu, 3 Jan 2019 15:25:56 -0800 +Subject: fs/proc/base.c: use ns_capable instead of capable for timerslack_ns + +[ Upstream commit 8da0b4f692c6d90b09c91f271517db746a22ff67 ] + +Access to timerslack_ns is controlled by a process having CAP_SYS_NICE +in its effective capability set, but the current check looks in the root +namespace instead of the process' user namespace. Since a process is +allowed to do other activities controlled by CAP_SYS_NICE inside a +namespace, it should also be able to adjust timerslack_ns. + +Link: http://lkml.kernel.org/r/20181030180012.232896-1-bmgordon@google.com +Signed-off-by: Benjamin Gordon +Acked-by: "Eric W. Biederman" +Cc: John Stultz +Cc: "Eric W. Biederman" +Cc: Kees Cook +Cc: "Serge E. Hallyn" +Cc: Thomas Gleixner +Cc: Arjan van de Ven +Cc: Oren Laadan +Cc: Ruchi Kandoi +Cc: Rom Lemarchand +Cc: Todd Kjos +Cc: Colin Cross +Cc: Nick Kralevich +Cc: Dmitry Shmidt +Cc: Elliott Hughes +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/proc/base.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 79702d405ba7..f73de326c630 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2337,10 +2337,13 @@ static ssize_t timerslack_ns_write(struct file *file, const char __user *buf, + return -ESRCH; + + if (p != current) { +- if (!capable(CAP_SYS_NICE)) { ++ rcu_read_lock(); ++ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) { ++ rcu_read_unlock(); + count = -EPERM; + goto out; + } ++ rcu_read_unlock(); + + err = security_task_setscheduler(p); + if (err) { +@@ -2373,11 +2376,14 @@ static int timerslack_ns_show(struct seq_file *m, void *v) + return -ESRCH; + + if (p != current) { +- +- if (!capable(CAP_SYS_NICE)) { ++ rcu_read_lock(); ++ if (!ns_capable(__task_cred(p)->user_ns, CAP_SYS_NICE)) { ++ rcu_read_unlock(); + err = -EPERM; + goto out; + } ++ rcu_read_unlock(); ++ + err = security_task_getscheduler(p); + if (err) + goto out; +-- +2.19.1 + diff --git a/queue-4.9/fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch b/queue-4.9/fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch new file mode 100644 index 00000000000..649876c3608 --- /dev/null +++ b/queue-4.9/fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch @@ -0,0 +1,73 @@ +From cd5fee2555faa00bd549aa4fdc5fa5a0c1a26716 Mon Sep 17 00:00:00 2001 +From: Scott Wood +Date: Thu, 27 Dec 2018 18:29:09 -0600 +Subject: fsl/fman: Use GFP_ATOMIC in {memac,tgec}_add_hash_mac_address() + +[ Upstream commit 0d9c9a238faf925823bde866182c663b6d734f2e ] + +These functions are called from atomic context: + +[ 9.150239] BUG: sleeping function called from invalid context at /home/scott/git/linux/mm/slab.h:421 +[ 9.158159] in_atomic(): 1, irqs_disabled(): 0, pid: 4432, name: ip +[ 9.163128] CPU: 8 PID: 4432 Comm: ip Not tainted 4.20.0-rc2-00169-g63d86876f324 #29 +[ 9.163130] Call Trace: +[ 9.170701] [c0000002e899a980] [c0000000009c1068] .dump_stack+0xa8/0xec (unreliable) +[ 9.177140] [c0000002e899aa10] [c00000000007a7b4] .___might_sleep+0x138/0x164 +[ 9.184440] [c0000002e899aa80] [c0000000001d5bac] .kmem_cache_alloc_trace+0x238/0x30c +[ 9.191216] [c0000002e899ab40] [c00000000065ea1c] .memac_add_hash_mac_address+0x104/0x198 +[ 9.199464] [c0000002e899abd0] [c00000000065a788] .set_multi+0x1c8/0x218 +[ 9.206242] [c0000002e899ac80] [c0000000006615ec] .dpaa_set_rx_mode+0xdc/0x17c +[ 9.213544] [c0000002e899ad00] [c00000000083d2b0] .__dev_set_rx_mode+0x80/0xd4 +[ 9.219535] [c0000002e899ad90] [c00000000083d334] .dev_set_rx_mode+0x30/0x54 +[ 9.225271] [c0000002e899ae10] [c00000000083d4a0] .__dev_open+0x148/0x1c8 +[ 9.230751] [c0000002e899aeb0] [c00000000083d934] .__dev_change_flags+0x19c/0x1e0 +[ 9.230755] [c0000002e899af60] [c00000000083d9a4] .dev_change_flags+0x2c/0x80 +[ 9.242752] [c0000002e899aff0] [c0000000008554ec] .do_setlink+0x350/0xf08 +[ 9.248228] [c0000002e899b170] [c000000000857ad0] .rtnl_newlink+0x588/0x7e0 +[ 9.253965] [c0000002e899b740] [c000000000852424] .rtnetlink_rcv_msg+0x3e0/0x498 +[ 9.261440] [c0000002e899b820] [c000000000884790] .netlink_rcv_skb+0x134/0x14c +[ 9.267607] [c0000002e899b8e0] [c000000000851840] .rtnetlink_rcv+0x18/0x2c +[ 9.274558] [c0000002e899b950] [c000000000883c8c] .netlink_unicast+0x214/0x318 +[ 9.281163] [c0000002e899ba00] [c000000000884220] .netlink_sendmsg+0x348/0x444 +[ 9.287076] [c0000002e899bae0] [c00000000080d13c] .sock_sendmsg+0x2c/0x54 +[ 9.287080] [c0000002e899bb50] [c0000000008106c0] .___sys_sendmsg+0x2d0/0x2d8 +[ 9.298375] [c0000002e899bd30] [c000000000811a80] .__sys_sendmsg+0x5c/0xb0 +[ 9.303939] [c0000002e899be20] [c0000000000006b0] system_call+0x60/0x6c + +Signed-off-by: Scott Wood +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/freescale/fman/fman_memac.c | 2 +- + drivers/net/ethernet/freescale/fman/fman_tgec.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/freescale/fman/fman_memac.c b/drivers/net/ethernet/freescale/fman/fman_memac.c +index 71a5ded9d1de..21dd5579130e 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_memac.c ++++ b/drivers/net/ethernet/freescale/fman/fman_memac.c +@@ -923,7 +923,7 @@ int memac_add_hash_mac_address(struct fman_mac *memac, enet_addr_t *eth_addr) + hash = get_mac_addr_hash_code(addr) & HASH_CTRL_ADDR_MASK; + + /* Create element to be added to the driver hash table */ +- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL); ++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC); + if (!hash_entry) + return -ENOMEM; + hash_entry->addr = addr; +diff --git a/drivers/net/ethernet/freescale/fman/fman_tgec.c b/drivers/net/ethernet/freescale/fman/fman_tgec.c +index 4b0f3a50b293..e575259d20f4 100644 +--- a/drivers/net/ethernet/freescale/fman/fman_tgec.c ++++ b/drivers/net/ethernet/freescale/fman/fman_tgec.c +@@ -551,7 +551,7 @@ int tgec_add_hash_mac_address(struct fman_mac *tgec, enet_addr_t *eth_addr) + hash = (crc >> TGEC_HASH_MCAST_SHIFT) & TGEC_HASH_ADR_MSK; + + /* Create element to be added to the driver hash table */ +- hash_entry = kmalloc(sizeof(*hash_entry), GFP_KERNEL); ++ hash_entry = kmalloc(sizeof(*hash_entry), GFP_ATOMIC); + if (!hash_entry) + return -ENOMEM; + hash_entry->addr = addr; +-- +2.19.1 + diff --git a/queue-4.9/gdrom-fix-a-memory-leak-bug.patch b/queue-4.9/gdrom-fix-a-memory-leak-bug.patch new file mode 100644 index 00000000000..2b1050cbd0b --- /dev/null +++ b/queue-4.9/gdrom-fix-a-memory-leak-bug.patch @@ -0,0 +1,39 @@ +From 88b20fc389fdbb6d3eece87d9025aa5df26635d3 Mon Sep 17 00:00:00 2001 +From: Wenwen Wang +Date: Wed, 26 Dec 2018 20:15:13 -0600 +Subject: gdrom: fix a memory leak bug + +[ Upstream commit 093c48213ee37c3c3ff1cf5ac1aa2a9d8bc66017 ] + +In probe_gdrom(), the buffer pointed by 'gd.cd_info' is allocated through +kzalloc() and is used to hold the information of the gdrom device. To +register and unregister the device, the pointer 'gd.cd_info' is passed to +the functions register_cdrom() and unregister_cdrom(), respectively. +However, this buffer is not freed after it is used, which can cause a +memory leak bug. + +This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the +above issue. + +Signed-off-by: Wenwen Wang +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/cdrom/gdrom.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c +index e2808fefbb78..1852d19d0d7b 100644 +--- a/drivers/cdrom/gdrom.c ++++ b/drivers/cdrom/gdrom.c +@@ -882,6 +882,7 @@ static void __exit exit_gdrom(void) + platform_device_unregister(pd); + platform_driver_unregister(&gdrom_driver); + kfree(gd.toc); ++ kfree(gd.cd_info); + } + + module_init(init_gdrom); +-- +2.19.1 + diff --git a/queue-4.9/gpu-ipu-v3-image-convert-prevent-race-between-run-an.patch b/queue-4.9/gpu-ipu-v3-image-convert-prevent-race-between-run-an.patch new file mode 100644 index 00000000000..c53caa99945 --- /dev/null +++ b/queue-4.9/gpu-ipu-v3-image-convert-prevent-race-between-run-an.patch @@ -0,0 +1,72 @@ +From 9314a6344e1b5ffd392c4b9547d71f4fb068e2f6 Mon Sep 17 00:00:00 2001 +From: Steve Longerbeam +Date: Wed, 19 Sep 2018 16:07:18 -0700 +Subject: gpu: ipu-v3: image-convert: Prevent race between run and unprepare + +[ Upstream commit 819bec35c8c9706185498c9222bd244e0781ad35 ] + +Prevent possible race by parallel threads between ipu_image_convert_run() +and ipu_image_convert_unprepare(). This involves setting ctx->aborting +to true unconditionally so that no new job runs can be queued during +unprepare, and holding the ctx->aborting flag until the context is freed. + +Note that the "normal" ipu_image_convert_abort() case (e.g. not during +context unprepare) should clear the ctx->aborting flag after aborting +any active run and clearing the context's pending queue. This is because +it should be possible to continue to use the conversion context and queue +more runs after an abort. + +Signed-off-by: Steve Longerbeam +Tested-by: Philipp Zabel +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-image-convert.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/ipu-v3/ipu-image-convert.c b/drivers/gpu/ipu-v3/ipu-image-convert.c +index 805b6fa7b5f4..50b73f3876fb 100644 +--- a/drivers/gpu/ipu-v3/ipu-image-convert.c ++++ b/drivers/gpu/ipu-v3/ipu-image-convert.c +@@ -1513,7 +1513,7 @@ unlock: + EXPORT_SYMBOL_GPL(ipu_image_convert_queue); + + /* Abort any active or pending conversions for this context */ +-void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx) ++static void __ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx) + { + struct ipu_image_convert_chan *chan = ctx->chan; + struct ipu_image_convert_priv *priv = chan->priv; +@@ -1540,7 +1540,7 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx) + + need_abort = (run_count || active_run); + +- ctx->aborting = need_abort; ++ ctx->aborting = true; + + spin_unlock_irqrestore(&chan->irqlock, flags); + +@@ -1561,7 +1561,11 @@ void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx) + dev_warn(priv->ipu->dev, "%s: timeout\n", __func__); + force_abort(ctx); + } ++} + ++void ipu_image_convert_abort(struct ipu_image_convert_ctx *ctx) ++{ ++ __ipu_image_convert_abort(ctx); + ctx->aborting = false; + } + EXPORT_SYMBOL_GPL(ipu_image_convert_abort); +@@ -1575,7 +1579,7 @@ void ipu_image_convert_unprepare(struct ipu_image_convert_ctx *ctx) + bool put_res; + + /* make sure no runs are hanging around */ +- ipu_image_convert_abort(ctx); ++ __ipu_image_convert_abort(ctx); + + dev_dbg(priv->ipu->dev, "%s: task %u: removing ctx %p\n", __func__, + chan->ic_task, ctx); +-- +2.19.1 + diff --git a/queue-4.9/hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch b/queue-4.9/hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch new file mode 100644 index 00000000000..583e654c8c6 --- /dev/null +++ b/queue-4.9/hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch @@ -0,0 +1,48 @@ +From f18a907d5386cce1628cd956cdb0763f07ebe941 Mon Sep 17 00:00:00 2001 +From: Aditya Pakki +Date: Mon, 24 Dec 2018 15:39:14 -0600 +Subject: HID: lenovo: Add checks to fix of_led_classdev_register + +[ Upstream commit 6ae16dfb61bce538d48b7fe98160fada446056c5 ] + +In lenovo_probe_tpkbd(), the function of_led_classdev_register() could +return an error value that is unchecked. The fix adds these checks. + +Signed-off-by: Aditya Pakki +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-lenovo.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-lenovo.c b/drivers/hid/hid-lenovo.c +index 1ac4ff4d57a6..d409cc8759fc 100644 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -713,7 +713,9 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev) + data_pointer->led_mute.brightness_get = lenovo_led_brightness_get_tpkbd; + data_pointer->led_mute.brightness_set = lenovo_led_brightness_set_tpkbd; + data_pointer->led_mute.dev = dev; +- led_classdev_register(dev, &data_pointer->led_mute); ++ ret = led_classdev_register(dev, &data_pointer->led_mute); ++ if (ret < 0) ++ goto err; + + data_pointer->led_micmute.name = name_micmute; + data_pointer->led_micmute.brightness_get = +@@ -721,7 +723,11 @@ static int lenovo_probe_tpkbd(struct hid_device *hdev) + data_pointer->led_micmute.brightness_set = + lenovo_led_brightness_set_tpkbd; + data_pointer->led_micmute.dev = dev; +- led_classdev_register(dev, &data_pointer->led_micmute); ++ ret = led_classdev_register(dev, &data_pointer->led_micmute); ++ if (ret < 0) { ++ led_classdev_unregister(&data_pointer->led_mute); ++ goto err; ++ } + + lenovo_features_set_tpkbd(hdev); + +-- +2.19.1 + diff --git a/queue-4.9/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch b/queue-4.9/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch new file mode 100644 index 00000000000..c42dd4f3abe --- /dev/null +++ b/queue-4.9/hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch @@ -0,0 +1,53 @@ +From 40d6ffd4122d319fa1eac5dbc1058001dd78c42a Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 21 Dec 2018 13:10:39 -0600 +Subject: hwmon: (lm80) fix a missing check of bus read in lm80 probe + +[ Upstream commit 9aa3aa15f4c2f74f47afd6c5db4b420fadf3f315 ] + +In lm80_probe(), if lm80_read_value() fails, it returns a negative +error number which is stored to data->fan[f_min] and will be further +used. We should avoid using the data if the read fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm80.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 47ddae6b7038..cb6606a0470d 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -628,6 +628,7 @@ static int lm80_probe(struct i2c_client *client, + struct device *dev = &client->dev; + struct device *hwmon_dev; + struct lm80_data *data; ++ int rv; + + data = devm_kzalloc(dev, sizeof(struct lm80_data), GFP_KERNEL); + if (!data) +@@ -640,8 +641,14 @@ static int lm80_probe(struct i2c_client *client, + lm80_init_client(client); + + /* A few vars need to be filled upon startup */ +- data->fan[f_min][0] = lm80_read_value(client, LM80_REG_FAN_MIN(1)); +- data->fan[f_min][1] = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(1)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][0] = rv; ++ rv = lm80_read_value(client, LM80_REG_FAN_MIN(2)); ++ if (rv < 0) ++ return rv; ++ data->fan[f_min][1] = rv; + + hwmon_dev = devm_hwmon_device_register_with_groups(dev, client->name, + data, lm80_groups); +-- +2.19.1 + diff --git a/queue-4.9/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch b/queue-4.9/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch new file mode 100644 index 00000000000..15d10027cd4 --- /dev/null +++ b/queue-4.9/hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch @@ -0,0 +1,58 @@ +From 8b66b9478d700ca407a0014a4066022c15f1d4a5 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Fri, 21 Dec 2018 13:01:33 -0600 +Subject: hwmon: (lm80) fix a missing check of the status of SMBus read + +[ Upstream commit c9c63915519b1def7043b184680f33c24cd49d7b ] + +If lm80_read_value() fails, it returns a negative number instead of the +correct read data. Therefore, we should avoid using the data if it +fails. + +The fix checks if lm80_read_value() fails, and if so, returns with the +error number. + +Signed-off-by: Kangjie Lu +[groeck: One variable for return values is enough] +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/lm80.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/hwmon/lm80.c b/drivers/hwmon/lm80.c +index 4bcd9b882948..47ddae6b7038 100644 +--- a/drivers/hwmon/lm80.c ++++ b/drivers/hwmon/lm80.c +@@ -360,9 +360,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + struct i2c_client *client = data->client; + unsigned long min, val; + u8 reg; +- int err = kstrtoul(buf, 10, &val); +- if (err < 0) +- return err; ++ int rv; ++ ++ rv = kstrtoul(buf, 10, &val); ++ if (rv < 0) ++ return rv; + + /* Save fan_min */ + mutex_lock(&data->update_lock); +@@ -390,8 +392,11 @@ static ssize_t set_fan_div(struct device *dev, struct device_attribute *attr, + return -EINVAL; + } + +- reg = (lm80_read_value(client, LM80_REG_FANDIV) & +- ~(3 << (2 * (nr + 1)))) | (data->fan_div[nr] << (2 * (nr + 1))); ++ rv = lm80_read_value(client, LM80_REG_FANDIV); ++ if (rv < 0) ++ return rv; ++ reg = (rv & ~(3 << (2 * (nr + 1)))) ++ | (data->fan_div[nr] << (2 * (nr + 1))); + lm80_write_value(client, LM80_REG_FANDIV, reg); + + /* Restore fan_min */ +-- +2.19.1 + diff --git a/queue-4.9/i2c-axxia-check-for-error-conditions-first.patch b/queue-4.9/i2c-axxia-check-for-error-conditions-first.patch new file mode 100644 index 00000000000..08c4458f18b --- /dev/null +++ b/queue-4.9/i2c-axxia-check-for-error-conditions-first.patch @@ -0,0 +1,85 @@ +From 49f17752b5e7ad566e921d6e8de578f3ce475e5b Mon Sep 17 00:00:00 2001 +From: "Adamski, Krzysztof (Nokia - PL/Wroclaw)" +Date: Mon, 10 Dec 2018 15:01:27 +0000 +Subject: i2c-axxia: check for error conditions first + +[ Upstream commit 4f5c85fe3a60ace555d09898166af372547f97fc ] + +It was observed that when using seqentional mode contrary to the +documentation, the SS bit (which is supposed to only be set if +automatic/sequence command completed normally), is sometimes set +together with NA (NAK in address phase) causing transfer to falsely be +considered successful. + +My assumption is that this does not happen during manual mode since the +controller is stopping its work the moment it sets NA/ND bit in status +register. This is not the case in Automatic/Sequentional mode where it +is still working to send STOP condition and the actual status we get +depends on the time when the ISR is run. + +This patch changes the order of checking status bits in ISR - error +conditions are checked first and only if none of them occurred, the +transfer may be considered successful. This is required to introduce +using of sequentional mode in next patch. + +Signed-off-by: Krzysztof Adamski +Reviewed-by: Alexander Sverdlin +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-axxia.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-axxia.c b/drivers/i2c/busses/i2c-axxia.c +index 96a6d5df9b26..b0962897bc45 100644 +--- a/drivers/i2c/busses/i2c-axxia.c ++++ b/drivers/i2c/busses/i2c-axxia.c +@@ -296,22 +296,7 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev) + i2c_int_disable(idev, MST_STATUS_TFL); + } + +- if (status & MST_STATUS_SCC) { +- /* Stop completed */ +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- complete(&idev->msg_complete); +- } else if (status & MST_STATUS_SNS) { +- /* Transfer done */ +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len) +- axxia_i2c_empty_rx_fifo(idev); +- complete(&idev->msg_complete); +- } else if (status & MST_STATUS_TSS) { +- /* Transfer timeout */ +- idev->msg_err = -ETIMEDOUT; +- i2c_int_disable(idev, ~MST_STATUS_TSS); +- complete(&idev->msg_complete); +- } else if (unlikely(status & MST_STATUS_ERR)) { ++ if (unlikely(status & MST_STATUS_ERR)) { + /* Transfer error */ + i2c_int_disable(idev, ~0); + if (status & MST_STATUS_AL) +@@ -328,6 +313,21 @@ static irqreturn_t axxia_i2c_isr(int irq, void *_dev) + readl(idev->base + MST_TX_BYTES_XFRD), + readl(idev->base + MST_TX_XFER)); + complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_SCC) { ++ /* Stop completed */ ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_SNS) { ++ /* Transfer done */ ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ if (i2c_m_rd(idev->msg) && idev->msg_xfrd < idev->msg->len) ++ axxia_i2c_empty_rx_fifo(idev); ++ complete(&idev->msg_complete); ++ } else if (status & MST_STATUS_TSS) { ++ /* Transfer timeout */ ++ idev->msg_err = -ETIMEDOUT; ++ i2c_int_disable(idev, ~MST_STATUS_TSS); ++ complete(&idev->msg_complete); + } + + out: +-- +2.19.1 + diff --git a/queue-4.9/i40e-define-proper-net_device-neigh_priv_len.patch b/queue-4.9/i40e-define-proper-net_device-neigh_priv_len.patch new file mode 100644 index 00000000000..7aa1ae8be00 --- /dev/null +++ b/queue-4.9/i40e-define-proper-net_device-neigh_priv_len.patch @@ -0,0 +1,46 @@ +From 26cb84ec0316f1d9bf8d020cf8d21f2508cb14f9 Mon Sep 17 00:00:00 2001 +From: Konstantin Khorenko +Date: Fri, 23 Nov 2018 19:10:28 +0300 +Subject: i40e: define proper net_device::neigh_priv_len + +[ Upstream commit 31389b53b3e0b535867af9090a5d19ec64768d55 ] + +Out of bound read reported by KASan. + +i40iw_net_event() reads unconditionally 16 bytes from +neigh->primary_key while the memory allocated for +"neighbour" struct is evaluated in neigh_alloc() as + + tbl->entry_size + dev->neigh_priv_len + +where "dev" is a net_device. + +But the driver does not setup dev->neigh_priv_len and +we read beyond the neigh entry allocated memory, +so the patch in the next mail fixes this. + +Signed-off-by: Konstantin Khorenko +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 57c7456a5751..7836072d3f63 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -9194,6 +9194,9 @@ static int i40e_config_netdev(struct i40e_vsi *vsi) + ether_addr_copy(netdev->dev_addr, mac_addr); + ether_addr_copy(netdev->perm_addr, mac_addr); + ++ /* i40iw_net_event() reads 16 bytes from neigh->primary_key */ ++ netdev->neigh_priv_len = sizeof(u32) * 4; ++ + netdev->priv_flags |= IFF_UNICAST_FLT; + netdev->priv_flags |= IFF_SUPP_NOFCS; + /* Setup netdev TC information */ +-- +2.19.1 + diff --git a/queue-4.9/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch b/queue-4.9/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch new file mode 100644 index 00000000000..41ba6ed3ba6 --- /dev/null +++ b/queue-4.9/igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch @@ -0,0 +1,48 @@ +From 95ab09685d90ae9ae7719c9ed9ae87f028bb107b Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 3 Dec 2018 13:54:38 +0800 +Subject: igb: Fix an issue that PME is not enabled during runtime suspend + +[ Upstream commit 1fb3a7a75e2efcc83ef21f2434069cddd6fae6f5 ] + +I210 ethernet card doesn't wakeup when a cable gets plugged. It's +because its PME is not set. + +Since commit 42eca2302146 ("PCI: Don't touch card regs after runtime +suspend D3"), if the PCI state is saved, pci_pm_runtime_suspend() stops +calling pci_finish_runtime_suspend(), which enables the PCI PME. + +To fix the issue, let's not to save PCI states when it's runtime +suspend, to let the PCI subsystem enables PME. + +Fixes: 42eca2302146 ("PCI: Don't touch card regs after runtime suspend D3") +Signed-off-by: Kai-Heng Feng +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 3a61491421b1..82e48e355fb9 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -7564,9 +7564,11 @@ static int __igb_shutdown(struct pci_dev *pdev, bool *enable_wake, + rtnl_unlock(); + + #ifdef CONFIG_PM +- retval = pci_save_state(pdev); +- if (retval) +- return retval; ++ if (!runtime) { ++ retval = pci_save_state(pdev); ++ if (retval) ++ return retval; ++ } + #endif + + status = rd32(E1000_STATUS); +-- +2.19.1 + diff --git a/queue-4.9/iio-accel-kxcjk1013-add-kiox010a-acpi-hardware-id.patch b/queue-4.9/iio-accel-kxcjk1013-add-kiox010a-acpi-hardware-id.patch new file mode 100644 index 00000000000..8a32e973bea --- /dev/null +++ b/queue-4.9/iio-accel-kxcjk1013-add-kiox010a-acpi-hardware-id.patch @@ -0,0 +1,38 @@ +From de80371b4c1ba4b1916dc600d24bfdfd73521973 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Tue, 20 Nov 2018 12:10:14 +0100 +Subject: iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID + +[ Upstream commit 7f6232e69539971cf9eaed07a6c14ab4a2361133 ] + +Various 2-in-1's use KIOX010A and KIOX020A as HIDs for 2 KXCJ91008 +accelerometers. The KIOX010A HID is for the one in the base and the +KIOX020A for the accelerometer in the keyboard. + +Since userspace does not have a way yet to deal with (or ignore) the +accelerometer in the keyboard, this commit just adds the KIOX010A HID +for now so that display rotation will work. + +Related: https://github.com/hadess/iio-sensor-proxy/issues/166 +Signed-off-by: Hans de Goede +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/kxcjk-1013.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/iio/accel/kxcjk-1013.c b/drivers/iio/accel/kxcjk-1013.c +index 3f968c46e667..784636800361 100644 +--- a/drivers/iio/accel/kxcjk-1013.c ++++ b/drivers/iio/accel/kxcjk-1013.c +@@ -1393,6 +1393,7 @@ static const struct acpi_device_id kx_acpi_match[] = { + {"KXCJ1008", KXCJ91008}, + {"KXCJ9000", KXCJ91008}, + {"KIOX000A", KXCJ91008}, ++ {"KIOX010A", KXCJ91008}, /* KXCJ91008 inside the display of a 2-in-1 */ + {"KXTJ1009", KXTJ21009}, + {"SMO8500", KXCJ91008}, + { }, +-- +2.19.1 + diff --git a/queue-4.9/iommu-amd-fix-amd_iommu-force_isolation.patch b/queue-4.9/iommu-amd-fix-amd_iommu-force_isolation.patch new file mode 100644 index 00000000000..2519112abc2 --- /dev/null +++ b/queue-4.9/iommu-amd-fix-amd_iommu-force_isolation.patch @@ -0,0 +1,55 @@ +From f6e867518d2277b4559763851b1ebdd14ebbc2c6 Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Thu, 6 Dec 2018 14:39:15 -0700 +Subject: iommu/amd: Fix amd_iommu=force_isolation + +[ Upstream commit c12b08ebbe16f0d3a96a116d86709b04c1ee8e74 ] + +The parameter is still there but it's ignored. We need to check its +value before deciding to go into passthrough mode for AMD IOMMU v2 +capable device. + +We occasionally use this parameter to force v2 capable device into +translation mode to debug memory corruption that we suspect is +caused by DMA writes. + +To address the following comment from Joerg Roedel on the first +version, v2 capability of device is completely ignored. +> This breaks the iommu_v2 use-case, as it needs a direct mapping for the +> devices that support it. + +And from Documentation/admin-guide/kernel-parameters.txt: + This option does not override iommu=pt + +Fixes: aafd8ba0ca74 ("iommu/amd: Implement add_device and remove_device") + +Signed-off-by: Yu Zhao +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/amd_iommu.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c +index bba1b9f2f782..e984418ffa2a 100644 +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -464,7 +464,14 @@ static int iommu_init_device(struct device *dev) + + dev_data->alias = get_alias(dev); + +- if (dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) { ++ /* ++ * By default we use passthrough mode for IOMMUv2 capable device. ++ * But if amd_iommu=force_isolation is set (e.g. to debug DMA to ++ * invalid address), we ignore the capability for the device so ++ * it'll be forced to go into translation mode. ++ */ ++ if ((iommu_pass_through || !amd_iommu_force_isolation) && ++ dev_is_pci(dev) && pci_iommuv2_capable(to_pci_dev(dev))) { + struct amd_iommu *iommu; + + iommu = amd_iommu_rlookup_table[dev_data->devid]; +-- +2.19.1 + diff --git a/queue-4.9/iommu-arm-smmu-add-support-for-qcom-smmu-v2-variant.patch b/queue-4.9/iommu-arm-smmu-add-support-for-qcom-smmu-v2-variant.patch new file mode 100644 index 00000000000..2794eeb073c --- /dev/null +++ b/queue-4.9/iommu-arm-smmu-add-support-for-qcom-smmu-v2-variant.patch @@ -0,0 +1,55 @@ +From f6fc41358bc5a3dbe1308d991315911a20de5a8e Mon Sep 17 00:00:00 2001 +From: Vivek Gautam +Date: Tue, 4 Dec 2018 11:52:13 +0530 +Subject: iommu/arm-smmu: Add support for qcom,smmu-v2 variant + +[ Upstream commit 89cddc563743cb1e0068867ac97013b2a5bf86aa ] + +qcom,smmu-v2 is an arm,smmu-v2 implementation with specific +clock and power requirements. +On msm8996, multiple cores, viz. mdss, video, etc. use this +smmu. On sdm845, this smmu is used with gpu. +Add bindings for the same. + +Signed-off-by: Vivek Gautam +Reviewed-by: Rob Herring +Reviewed-by: Tomasz Figa +Tested-by: Srinivas Kandagatla +Reviewed-by: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c +index 5a9a4416f467..f7ecb30a0bac 100644 +--- a/drivers/iommu/arm-smmu.c ++++ b/drivers/iommu/arm-smmu.c +@@ -297,6 +297,7 @@ enum arm_smmu_implementation { + GENERIC_SMMU, + ARM_MMU500, + CAVIUM_SMMUV2, ++ QCOM_SMMUV2, + }; + + struct arm_smmu_s2cr { +@@ -1894,6 +1895,7 @@ ARM_SMMU_MATCH_DATA(smmu_generic_v2, ARM_SMMU_V2, GENERIC_SMMU); + ARM_SMMU_MATCH_DATA(arm_mmu401, ARM_SMMU_V1_64K, GENERIC_SMMU); + ARM_SMMU_MATCH_DATA(arm_mmu500, ARM_SMMU_V2, ARM_MMU500); + ARM_SMMU_MATCH_DATA(cavium_smmuv2, ARM_SMMU_V2, CAVIUM_SMMUV2); ++ARM_SMMU_MATCH_DATA(qcom_smmuv2, ARM_SMMU_V2, QCOM_SMMUV2); + + static const struct of_device_id arm_smmu_of_match[] = { + { .compatible = "arm,smmu-v1", .data = &smmu_generic_v1 }, +@@ -1902,6 +1904,7 @@ static const struct of_device_id arm_smmu_of_match[] = { + { .compatible = "arm,mmu-401", .data = &arm_mmu401 }, + { .compatible = "arm,mmu-500", .data = &arm_mmu500 }, + { .compatible = "cavium,smmu-v2", .data = &cavium_smmuv2 }, ++ { .compatible = "qcom,smmu-v2", .data = &qcom_smmuv2 }, + { }, + }; + MODULE_DEVICE_TABLE(of, arm_smmu_of_match); +-- +2.19.1 + diff --git a/queue-4.9/iommu-arm-smmu-v3-use-explicit-mb-when-moving-cons-p.patch b/queue-4.9/iommu-arm-smmu-v3-use-explicit-mb-when-moving-cons-p.patch new file mode 100644 index 00000000000..3fff17c11c2 --- /dev/null +++ b/queue-4.9/iommu-arm-smmu-v3-use-explicit-mb-when-moving-cons-p.patch @@ -0,0 +1,48 @@ +From 7715d878621cbbe642b87c22d1876257fa051862 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Wed, 7 Nov 2018 22:58:24 +0000 +Subject: iommu/arm-smmu-v3: Use explicit mb() when moving cons pointer + +[ Upstream commit a868e8530441286342f90c1fd9c5f24de3aa2880 ] + +After removing an entry from a queue (e.g. reading an event in +arm_smmu_evtq_thread()) it is necessary to advance the MMIO consumer +pointer to free the queue slot back to the SMMU. A memory barrier is +required here so that all reads targetting the queue entry have +completed before the consumer pointer is updated. + +The implementation of queue_inc_cons() relies on a writel() to complete +the previous reads, but this is incorrect because writel() is only +guaranteed to complete prior writes. This patch replaces the call to +writel() with an mb(); writel_relaxed() sequence, which gives us the +read->write ordering which we require. + +Cc: Robin Murphy +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +--- + drivers/iommu/arm-smmu-v3.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/arm-smmu-v3.c b/drivers/iommu/arm-smmu-v3.c +index ff4be1174ff0..7bd98585d78d 100644 +--- a/drivers/iommu/arm-smmu-v3.c ++++ b/drivers/iommu/arm-smmu-v3.c +@@ -697,7 +697,13 @@ static void queue_inc_cons(struct arm_smmu_queue *q) + u32 cons = (Q_WRP(q, q->cons) | Q_IDX(q, q->cons)) + 1; + + q->cons = Q_OVF(q, q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons); +- writel(q->cons, q->cons_reg); ++ ++ /* ++ * Ensure that all CPU accesses (reads and writes) to the queue ++ * are complete before we update the cons pointer. ++ */ ++ mb(); ++ writel_relaxed(q->cons, q->cons_reg); + } + + static int queue_sync_prod(struct arm_smmu_queue *q) +-- +2.19.1 + diff --git a/queue-4.9/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch b/queue-4.9/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch new file mode 100644 index 00000000000..6ed5dbbe89f --- /dev/null +++ b/queue-4.9/isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch @@ -0,0 +1,53 @@ +From fae10c15ac20e4dd443aa7c028f7c576954efddc Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Wed, 26 Dec 2018 22:09:34 +0800 +Subject: isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug + in HFCPCI_l1hw() + +[ Upstream commit 7418e6520f22a2e35815122fa5a53d5bbfa2c10f ] + +In drivers/isdn/hisax/hfc_pci.c, the functions hfcpci_interrupt() and +HFCPCI_l1hw() may be concurrently executed. + +HFCPCI_l1hw() + line 1173: if (!cs->tx_skb) + +hfcpci_interrupt() + line 942: spin_lock_irqsave(); + line 1066: dev_kfree_skb_irq(cs->tx_skb); + +Thus, a possible concurrency use-after-free bug may occur +in HFCPCI_l1hw(). + +To fix these bugs, the calls to spin_lock_irqsave() and +spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the +access to cs->tx_skb. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hisax/hfc_pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/isdn/hisax/hfc_pci.c b/drivers/isdn/hisax/hfc_pci.c +index 90449e1e91e5..1b1453d62fed 100644 +--- a/drivers/isdn/hisax/hfc_pci.c ++++ b/drivers/isdn/hisax/hfc_pci.c +@@ -1169,11 +1169,13 @@ HFCPCI_l1hw(struct PStack *st, int pr, void *arg) + if (cs->debug & L1_DEB_LAPD) + debugl1(cs, "-> PH_REQUEST_PULL"); + #endif ++ spin_lock_irqsave(&cs->lock, flags); + if (!cs->tx_skb) { + test_and_clear_bit(FLG_L1_PULL_REQ, &st->l1.Flags); + st->l1.l1l2(st, PH_PULL | CONFIRM, NULL); + } else + test_and_set_bit(FLG_L1_PULL_REQ, &st->l1.Flags); ++ spin_unlock_irqrestore(&cs->lock, flags); + break; + case (HW_RESET | REQUEST): + spin_lock_irqsave(&cs->lock, flags); +-- +2.19.1 + diff --git a/queue-4.9/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch b/queue-4.9/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch new file mode 100644 index 00000000000..516978aa2c2 --- /dev/null +++ b/queue-4.9/kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch @@ -0,0 +1,69 @@ +From a42c36e8cb87761d21d0eda8b48d1dbc2ea40b99 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 3 Jan 2019 15:26:31 -0800 +Subject: kernel/hung_task.c: break RCU locks based on jiffies + +[ Upstream commit 304ae42739b108305f8d7b3eb3c1aec7c2b643a9 ] + +check_hung_uninterruptible_tasks() is currently calling rcu_lock_break() +for every 1024 threads. But check_hung_task() is very slow if printk() +was called, and is very fast otherwise. + +If many threads within some 1024 threads called printk(), the RCU grace +period might be extended enough to trigger RCU stall warnings. +Therefore, calling rcu_lock_break() for every some fixed jiffies will be +safer. + +Link: http://lkml.kernel.org/r/1544800658-11423-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Acked-by: Paul E. McKenney +Cc: Petr Mladek +Cc: Sergey Senozhatsky +Cc: Dmitry Vyukov +Cc: "Rafael J. Wysocki" +Cc: Vitaly Kuznetsov +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/hung_task.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/kernel/hung_task.c b/kernel/hung_task.c +index 2b59c82cc3e1..fd781a468f32 100644 +--- a/kernel/hung_task.c ++++ b/kernel/hung_task.c +@@ -30,7 +30,7 @@ int __read_mostly sysctl_hung_task_check_count = PID_MAX_LIMIT; + * is disabled during the critical section. It also controls the size of + * the RCU grace period. So it needs to be upper-bound. + */ +-#define HUNG_TASK_BATCHING 1024 ++#define HUNG_TASK_LOCK_BREAK (HZ / 10) + + /* + * Zero means infinite timeout - no checking done: +@@ -158,7 +158,7 @@ static bool rcu_lock_break(struct task_struct *g, struct task_struct *t) + static void check_hung_uninterruptible_tasks(unsigned long timeout) + { + int max_count = sysctl_hung_task_check_count; +- int batch_count = HUNG_TASK_BATCHING; ++ unsigned long last_break = jiffies; + struct task_struct *g, *t; + + /* +@@ -172,10 +172,10 @@ static void check_hung_uninterruptible_tasks(unsigned long timeout) + for_each_process_thread(g, t) { + if (!max_count--) + goto unlock; +- if (!--batch_count) { +- batch_count = HUNG_TASK_BATCHING; ++ if (time_after(jiffies, last_break + HUNG_TASK_LOCK_BREAK)) { + if (!rcu_lock_break(g, t)) + goto unlock; ++ last_break = jiffies; + } + /* use "==" to skip the TASK_KILLABLE tasks waiting on NFS */ + if (t->state == TASK_UNINTERRUPTIBLE) +-- +2.19.1 + diff --git a/queue-4.9/kvm-s390-unregister-debug-feature-on-failing-arch-in.patch b/queue-4.9/kvm-s390-unregister-debug-feature-on-failing-arch-in.patch new file mode 100644 index 00000000000..b5ab8349885 --- /dev/null +++ b/queue-4.9/kvm-s390-unregister-debug-feature-on-failing-arch-in.patch @@ -0,0 +1,65 @@ +From a92919085eff9bd84723d1b2684398275ee5f645 Mon Sep 17 00:00:00 2001 +From: Michael Mueller +Date: Fri, 30 Nov 2018 15:32:06 +0100 +Subject: KVM: s390: unregister debug feature on failing arch init + +[ Upstream commit 308c3e6673b012beecb96ef04cc65f4a0e7cdd99 ] + +Make sure the debug feature and its allocated resources get +released upon unsuccessful architecture initialization. + +A related indication of the issue will be reported as kernel +message. + +Signed-off-by: Michael Mueller +Reviewed-by: Cornelia Huck +Reviewed-by: Pierre Morel +Reviewed-by: David Hildenbrand +Message-Id: <20181130143215.69496-2-mimu@linux.ibm.com> +Signed-off-by: Christian Borntraeger +Signed-off-by: Sasha Levin +--- + arch/s390/kvm/kvm-s390.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index 2032ab81b2d7..c82b73f111b5 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -319,19 +319,30 @@ static void kvm_s390_cpu_feat_init(void) + + int kvm_arch_init(void *opaque) + { ++ int rc; ++ + kvm_s390_dbf = debug_register("kvm-trace", 32, 1, 7 * sizeof(long)); + if (!kvm_s390_dbf) + return -ENOMEM; + + if (debug_register_view(kvm_s390_dbf, &debug_sprintf_view)) { +- debug_unregister(kvm_s390_dbf); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto out_debug_unreg; + } + + kvm_s390_cpu_feat_init(); + + /* Register floating interrupt controller interface. */ +- return kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC); ++ rc = kvm_register_device_ops(&kvm_flic_ops, KVM_DEV_TYPE_FLIC); ++ if (rc) { ++ pr_err("Failed to register FLIC rc=%d\n", rc); ++ goto out_debug_unreg; ++ } ++ return 0; ++ ++out_debug_unreg: ++ debug_unregister(kvm_s390_dbf); ++ return rc; + } + + void kvm_arch_exit(void) +-- +2.19.1 + diff --git a/queue-4.9/kvm-x86-svm-report-msr_ia32_mcg_ext_ctl-as-unsupport.patch b/queue-4.9/kvm-x86-svm-report-msr_ia32_mcg_ext_ctl-as-unsupport.patch new file mode 100644 index 00000000000..75b51ffe4c5 --- /dev/null +++ b/queue-4.9/kvm-x86-svm-report-msr_ia32_mcg_ext_ctl-as-unsupport.patch @@ -0,0 +1,45 @@ +From d03bb8aa2a13f00e52c1b8994be6594425fb2591 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Wed, 19 Dec 2018 12:06:13 +0100 +Subject: KVM: x86: svm: report MSR_IA32_MCG_EXT_CTL as unsupported +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e87555e550cef4941579cd879759a7c0dee24e68 ] + +AMD doesn't seem to implement MSR_IA32_MCG_EXT_CTL and svm code in kvm +knows nothing about it, however, this MSR is among emulated_msrs and +thus returned with KVM_GET_MSR_INDEX_LIST. The consequent KVM_GET_MSRS, +of course, fails. + +Report the MSR as unsupported to not confuse userspace. + +Signed-off-by: Vitaly Kuznetsov +Signed-off-by: Radim Krčmář +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/svm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c +index fa1b0e3c8a06..c8efacf2e65f 100644 +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -5223,6 +5223,13 @@ static bool svm_cpu_has_accelerated_tpr(void) + + static bool svm_has_emulated_msr(int index) + { ++ switch (index) { ++ case MSR_IA32_MCG_EXT_CTL: ++ return false; ++ default: ++ break; ++ } ++ + return true; + } + +-- +2.19.1 + diff --git a/queue-4.9/mac80211-fix-radiotap-vendor-presence-bitmap-handlin.patch b/queue-4.9/mac80211-fix-radiotap-vendor-presence-bitmap-handlin.patch new file mode 100644 index 00000000000..71553c9bba7 --- /dev/null +++ b/queue-4.9/mac80211-fix-radiotap-vendor-presence-bitmap-handlin.patch @@ -0,0 +1,50 @@ +From 031a81b23e3d7d5de4f0a0312a5406488da55360 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sat, 15 Dec 2018 11:03:12 +0200 +Subject: mac80211: fix radiotap vendor presence bitmap handling + +[ Upstream commit efc38dd7d5fa5c8cdd0c917c5d00947aa0539443 ] + +Due to the alignment handling, it actually matters where in the code +we add the 4 bytes for the presence bitmap to the length; the first +field is the timestamp with 8 byte alignment so we need to add the +space for the extra vendor namespace presence bitmap *before* we do +any alignment for the fields. + +Move the presence bitmap length accounting to the right place to fix +the alignment for the data properly. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c +index 93c332737e86..af02d2136a06 100644 +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -152,6 +152,9 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local, + /* allocate extra bitmaps */ + if (status->chains) + len += 4 * hweight8(status->chains); ++ /* vendor presence bitmap */ ++ if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) ++ len += 4; + + if (ieee80211_have_rx_timestamp(status)) { + len = ALIGN(len, 8); +@@ -193,8 +196,6 @@ ieee80211_rx_radiotap_hdrlen(struct ieee80211_local *local, + if (status->flag & RX_FLAG_RADIOTAP_VENDOR_DATA) { + struct ieee80211_vendor_radiotap *rtap = (void *)skb->data; + +- /* vendor presence bitmap */ +- len += 4; + /* alignment for fixed 6-byte vendor data header */ + len = ALIGN(len, 2); + /* vendor data header */ +-- +2.19.1 + diff --git a/queue-4.9/media-adv-tc358743-ths8200-fill-in-min-width-height-.patch b/queue-4.9/media-adv-tc358743-ths8200-fill-in-min-width-height-.patch new file mode 100644 index 00000000000..a95f62d975d --- /dev/null +++ b/queue-4.9/media-adv-tc358743-ths8200-fill-in-min-width-height-.patch @@ -0,0 +1,131 @@ +From b8c6e7f2c5ecf65fd12f162a053e040a18bb6519 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Thu, 8 Nov 2018 04:51:51 -0500 +Subject: media: adv*/tc358743/ths8200: fill in min width/height/pixelclock + +[ Upstream commit 2912289a518077ddb8214e05336700148e97e235 ] + +The v4l2_dv_timings_cap struct is used to do sanity checks when setting and +enumerating DV timings, ensuring that only valid timings as per the HW +capabilities are allowed. + +However, many drivers just filled in 0 for the minimum width, height or +pixelclock frequency. This can cause timings with e.g. 0 as width and height +to be accepted, which will in turn lead to a potential division by zero. + +Fill in proper values are minimum boundaries. 640x350 was chosen since it is +the smallest resolution in v4l2-dv-timings.h. Same for 13 MHz as the lowest +pixelclock frequency (it's slightly below the minimum of 13.5 MHz in the +v4l2-dv-timings.h header). + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ad9389b.c | 2 +- + drivers/media/i2c/adv7511.c | 2 +- + drivers/media/i2c/adv7604.c | 4 ++-- + drivers/media/i2c/adv7842.c | 4 ++-- + drivers/media/i2c/tc358743.c | 2 +- + drivers/media/i2c/ths8200.c | 2 +- + 6 files changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/media/i2c/ad9389b.c b/drivers/media/i2c/ad9389b.c +index 50f354144ee7..2abbbc6392c0 100644 +--- a/drivers/media/i2c/ad9389b.c ++++ b/drivers/media/i2c/ad9389b.c +@@ -590,7 +590,7 @@ static const struct v4l2_dv_timings_cap ad9389b_timings_cap = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING | +diff --git a/drivers/media/i2c/adv7511.c b/drivers/media/i2c/adv7511.c +index 5ba0f21bcfe4..5f1c8ee8a50e 100644 +--- a/drivers/media/i2c/adv7511.c ++++ b/drivers/media/i2c/adv7511.c +@@ -142,7 +142,7 @@ static const struct v4l2_dv_timings_cap adv7511_timings_cap = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, ADV7511_MAX_WIDTH, 0, ADV7511_MAX_HEIGHT, ++ V4L2_INIT_BT_TIMINGS(640, ADV7511_MAX_WIDTH, 350, ADV7511_MAX_HEIGHT, + ADV7511_MIN_PIXELCLOCK, ADV7511_MAX_PIXELCLOCK, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, +diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c +index 7b1935ab03c8..ce6f93074ae0 100644 +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -777,7 +777,7 @@ static const struct v4l2_dv_timings_cap adv7604_timings_cap_analog = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING | +@@ -788,7 +788,7 @@ static const struct v4l2_dv_timings_cap adv76xx_timings_cap_digital = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING | +diff --git a/drivers/media/i2c/adv7842.c b/drivers/media/i2c/adv7842.c +index 8c2a52e280af..cf3b42c9417e 100644 +--- a/drivers/media/i2c/adv7842.c ++++ b/drivers/media/i2c/adv7842.c +@@ -676,7 +676,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_analog = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 170000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 170000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING | +@@ -687,7 +687,7 @@ static const struct v4l2_dv_timings_cap adv7842_timings_cap_digital = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1200, 25000000, 225000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 25000000, 225000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | V4L2_DV_BT_CAP_REDUCED_BLANKING | +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 0f572bff64f5..7ebcb9473956 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -66,7 +66,7 @@ static const struct v4l2_dv_timings_cap tc358743_timings_cap = { + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, + /* Pixel clock from REF_01 p. 20. Min/max height/width are unknown */ +- V4L2_INIT_BT_TIMINGS(1, 10000, 1, 10000, 0, 165000000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1200, 13000000, 165000000, + V4L2_DV_BT_STD_CEA861 | V4L2_DV_BT_STD_DMT | + V4L2_DV_BT_STD_GTF | V4L2_DV_BT_STD_CVT, + V4L2_DV_BT_CAP_PROGRESSIVE | +diff --git a/drivers/media/i2c/ths8200.c b/drivers/media/i2c/ths8200.c +index 42340e364cea..e06e2de87f90 100644 +--- a/drivers/media/i2c/ths8200.c ++++ b/drivers/media/i2c/ths8200.c +@@ -49,7 +49,7 @@ static const struct v4l2_dv_timings_cap ths8200_timings_cap = { + .type = V4L2_DV_BT_656_1120, + /* keep this initialization for compatibility with GCC < 4.4.6 */ + .reserved = { 0 }, +- V4L2_INIT_BT_TIMINGS(0, 1920, 0, 1080, 25000000, 148500000, ++ V4L2_INIT_BT_TIMINGS(640, 1920, 350, 1080, 25000000, 148500000, + V4L2_DV_BT_STD_CEA861, V4L2_DV_BT_CAP_PROGRESSIVE) + }; + +-- +2.19.1 + diff --git a/queue-4.9/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch b/queue-4.9/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch new file mode 100644 index 00000000000..979a28b0865 --- /dev/null +++ b/queue-4.9/media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch @@ -0,0 +1,55 @@ +From acac6635618c29d7155543903c562bfb1f61aed7 Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Fri, 23 Nov 2018 16:56:26 -0500 +Subject: media: DaVinci-VPBE: fix error handling in vpbe_initialize() + +[ Upstream commit aa35dc3c71950e3fec3e230c06c27c0fbd0067f8 ] + +If vpbe_set_default_output() or vpbe_set_default_mode() fails, +vpbe_initialize() returns error code without releasing resources. + +The patch adds error handling for that case. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/davinci/vpbe.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/davinci/vpbe.c b/drivers/media/platform/davinci/vpbe.c +index 9a6c2cc38acb..abce9c4a1a8e 100644 +--- a/drivers/media/platform/davinci/vpbe.c ++++ b/drivers/media/platform/davinci/vpbe.c +@@ -753,7 +753,7 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default output %s", + def_output); +- return ret; ++ goto fail_kfree_amp; + } + + printk(KERN_NOTICE "Setting default mode to %s\n", def_mode); +@@ -761,12 +761,15 @@ static int vpbe_initialize(struct device *dev, struct vpbe_device *vpbe_dev) + if (ret) { + v4l2_err(&vpbe_dev->v4l2_dev, "Failed to set default mode %s", + def_mode); +- return ret; ++ goto fail_kfree_amp; + } + vpbe_dev->initialized = 1; + /* TBD handling of bootargs for default output and mode */ + return 0; + ++fail_kfree_amp: ++ mutex_lock(&vpbe_dev->lock); ++ kfree(vpbe_dev->amp); + fail_kfree_encoders: + kfree(vpbe_dev->encoders); + fail_dev_unregister: +-- +2.19.1 + diff --git a/queue-4.9/media-mtk-vcodec-release-device-nodes-in-mtk_vcodec_.patch b/queue-4.9/media-mtk-vcodec-release-device-nodes-in-mtk_vcodec_.patch new file mode 100644 index 00000000000..adad58b11dd --- /dev/null +++ b/queue-4.9/media-mtk-vcodec-release-device-nodes-in-mtk_vcodec_.patch @@ -0,0 +1,62 @@ +From 6634045246967c133c6783f6297a83ec8b28156a Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Sat, 20 Oct 2018 13:50:19 -0400 +Subject: media: mtk-vcodec: Release device nodes in mtk_vcodec_init_enc_pm() + +[ Upstream commit 8ea0f2ba0fa3f91ea1b8d823a54b042026ada6b3 ] + +of_parse_phandle() returns the device node with refcount incremented. +There are two nodes that are used temporary in mtk_vcodec_init_enc_pm(), +but their refcounts are not decremented. + +The patch adds one of_node_put() and fixes returning error codes. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c +index 3e73e9db781f..7c025045ea90 100644 +--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c ++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_pm.c +@@ -41,25 +41,27 @@ int mtk_vcodec_init_enc_pm(struct mtk_vcodec_dev *mtkdev) + node = of_parse_phandle(dev->of_node, "mediatek,larb", 0); + if (!node) { + mtk_v4l2_err("no mediatek,larb found"); +- return -1; ++ return -ENODEV; + } + pdev = of_find_device_by_node(node); ++ of_node_put(node); + if (!pdev) { + mtk_v4l2_err("no mediatek,larb device found"); +- return -1; ++ return -ENODEV; + } + pm->larbvenc = &pdev->dev; + + node = of_parse_phandle(dev->of_node, "mediatek,larb", 1); + if (!node) { + mtk_v4l2_err("no mediatek,larb found"); +- return -1; ++ return -ENODEV; + } + + pdev = of_find_device_by_node(node); ++ of_node_put(node); + if (!pdev) { + mtk_v4l2_err("no mediatek,larb device found"); +- return -1; ++ return -ENODEV; + } + + pm->larbvenclt = &pdev->dev; +-- +2.19.1 + diff --git a/queue-4.9/memstick-prevent-memstick-host-from-getting-runtime-.patch b/queue-4.9/memstick-prevent-memstick-host-from-getting-runtime-.patch new file mode 100644 index 00000000000..37540801798 --- /dev/null +++ b/queue-4.9/memstick-prevent-memstick-host-from-getting-runtime-.patch @@ -0,0 +1,57 @@ +From ed523b2bd1c15b580191ee6cc64e50b0b36e76e1 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Mon, 5 Nov 2018 16:45:04 +0800 +Subject: memstick: Prevent memstick host from getting runtime suspended during + card detection + +[ Upstream commit e03e303edf1c63e6dd455ccd568c74e93ef3ba8c ] + +We can use MEMSTICK_POWER_{ON,OFF} along with pm_runtime_{get,put} +helpers to let memstick host support runtime pm. + +The rpm count may go down to zero before the memstick host powers on, so +the host can be runtime suspended. + +So before doing card detection, increment the rpm count to avoid the +host gets runtime suspended. Balance the rpm count after card detection +is done. + +Signed-off-by: Kai-Heng Feng +Tested-by: Oleksandr Natalenko +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/memstick.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c +index a0547dbf9806..4d673a626db4 100644 +--- a/drivers/memstick/core/memstick.c ++++ b/drivers/memstick/core/memstick.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #define DRIVER_NAME "memstick" + +@@ -436,6 +437,7 @@ static void memstick_check(struct work_struct *work) + struct memstick_dev *card; + + dev_dbg(&host->dev, "memstick_check started\n"); ++ pm_runtime_get_noresume(host->dev.parent); + mutex_lock(&host->lock); + if (!host->card) { + if (memstick_power_on(host)) +@@ -479,6 +481,7 @@ out_power_off: + host->set_param(host, MEMSTICK_POWER, MEMSTICK_POWER_OFF); + + mutex_unlock(&host->lock); ++ pm_runtime_put(host->dev.parent); + dev_dbg(&host->dev, "memstick_check finished\n"); + } + +-- +2.19.1 + diff --git a/queue-4.9/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch b/queue-4.9/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch new file mode 100644 index 00000000000..64c7fddde08 --- /dev/null +++ b/queue-4.9/mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch @@ -0,0 +1,47 @@ +From b73e297d66e990e5268ee28ab104ffb1ae891fa1 Mon Sep 17 00:00:00 2001 +From: Jiong Wang +Date: Mon, 3 Dec 2018 17:27:54 -0500 +Subject: mips: bpf: fix encoding bug for mm_srlv32_op + +[ Upstream commit 17f6c83fb5ebf7db4fcc94a5be4c22d5a7bfe428 ] + +For micro-mips, srlv inside POOL32A encoding space should use 0x50 +sub-opcode, NOT 0x90. + +Some early version ISA doc describes the encoding as 0x90 for both srlv and +srav, this looks to me was a typo. I checked Binutils libopcode +implementation which is using 0x50 for srlv and 0x90 for srav. + +v1->v2: + - Keep mm_srlv32_op sorted by value. + +Fixes: f31318fdf324 ("MIPS: uasm: Add srlv uasm instruction") +Cc: Markos Chandras +Cc: Paul Burton +Cc: linux-mips@vger.kernel.org +Acked-by: Jakub Kicinski +Acked-by: Song Liu +Signed-off-by: Jiong Wang +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/mips/include/uapi/asm/inst.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/mips/include/uapi/asm/inst.h b/arch/mips/include/uapi/asm/inst.h +index 711d9b8465b8..377d5179ea3b 100644 +--- a/arch/mips/include/uapi/asm/inst.h ++++ b/arch/mips/include/uapi/asm/inst.h +@@ -361,8 +361,8 @@ enum mm_32a_minor_op { + mm_ext_op = 0x02c, + mm_pool32axf_op = 0x03c, + mm_srl32_op = 0x040, ++ mm_srlv32_op = 0x050, + mm_sra_op = 0x080, +- mm_srlv32_op = 0x090, + mm_rotr_op = 0x0c0, + mm_lwxs_op = 0x118, + mm_addu32_op = 0x150, +-- +2.19.1 + diff --git a/queue-4.9/mips-ralink-select-config_cpu_mipsr2_irq_vi-on-mt762.patch b/queue-4.9/mips-ralink-select-config_cpu_mipsr2_irq_vi-on-mt762.patch new file mode 100644 index 00000000000..ef3374212cc --- /dev/null +++ b/queue-4.9/mips-ralink-select-config_cpu_mipsr2_irq_vi-on-mt762.patch @@ -0,0 +1,54 @@ +From 273e24fc1dabe21e320f6dba909f328786f20913 Mon Sep 17 00:00:00 2001 +From: Stefan Roese +Date: Mon, 17 Dec 2018 10:47:48 +0100 +Subject: MIPS: ralink: Select CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 + +[ Upstream commit 0b15394475e3bcaf35ca4bf22fc55d56df67224e ] + +Testing has shown, that when using mainline U-Boot on MT7688 based +boards, the system may hang or crash while mounting the root-fs. The +main issue here is that mainline U-Boot configures EBase to a value +near the end of system memory. And with CONFIG_CPU_MIPSR2_IRQ_VI +disabled, trap_init() will not allocate a new area to place the +exception handler. The original value will be used and the handler +will be copied to this location, which might already be used by some +userspace application. + +The MT7688 supports VI - its config3 register is 0x00002420, so VInt +(Bit 5) is set. But without setting CONFIG_CPU_MIPSR2_IRQ_VI this +bit will not be evaluated to result in "cpu_has_vi" being set. This +patch now selects CONFIG_CPU_MIPSR2_IRQ_VI on MT7620/8 which results +trap_init() to allocate some memory for the exception handler. + +Please note that this issue was not seen with the Mediatek U-Boot +version, as it does not touch EBase (stays at default of 0x8000.0000). +This is strictly also not correct as the kernel (_text) resides +here. + +Signed-off-by: Stefan Roese +[paul.burton@mips.com: s/beeing/being/] +Signed-off-by: Paul Burton +Cc: John Crispin +Cc: Daniel Schwierzeck +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +--- + arch/mips/ralink/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/ralink/Kconfig b/arch/mips/ralink/Kconfig +index 813826a456ca..55a5fee781e8 100644 +--- a/arch/mips/ralink/Kconfig ++++ b/arch/mips/ralink/Kconfig +@@ -38,6 +38,7 @@ choice + + config SOC_MT7620 + bool "MT7620/8" ++ select CPU_MIPSR2_IRQ_VI + select HW_HAS_PCI + + config SOC_MT7621 +-- +2.19.1 + diff --git a/queue-4.9/modpost-validate-symbol-names-also-in-find_elf_symbo.patch b/queue-4.9/modpost-validate-symbol-names-also-in-find_elf_symbo.patch new file mode 100644 index 00000000000..ca071f06b48 --- /dev/null +++ b/queue-4.9/modpost-validate-symbol-names-also-in-find_elf_symbo.patch @@ -0,0 +1,102 @@ +From ecec7ff76818803bae34551583247bb64201dbe1 Mon Sep 17 00:00:00 2001 +From: Sami Tolvanen +Date: Tue, 23 Oct 2018 15:15:35 -0700 +Subject: modpost: validate symbol names also in find_elf_symbol + +[ Upstream commit 5818c683a619c534c113e1f66d24f636defc29bc ] + +If an ARM mapping symbol shares an address with a valid symbol, +find_elf_symbol can currently return the mapping symbol instead, as the +symbol is not validated. This can result in confusing warnings: + + WARNING: vmlinux.o(.text+0x18f4028): Section mismatch in reference + from the function set_reset_devices() to the variable .init.text:$x.0 + +This change adds a call to is_valid_name to find_elf_symbol, similarly +to how it's already used in find_elf_symbol2. + +Signed-off-by: Sami Tolvanen +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 50 ++++++++++++++++++++++--------------------- + 1 file changed, 26 insertions(+), 24 deletions(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 88b3dc19bbae..fdf5bbfd00cd 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1198,6 +1198,30 @@ static int secref_whitelist(const struct sectioncheck *mismatch, + return 1; + } + ++static inline int is_arm_mapping_symbol(const char *str) ++{ ++ return str[0] == '$' && strchr("axtd", str[1]) ++ && (str[2] == '\0' || str[2] == '.'); ++} ++ ++/* ++ * If there's no name there, ignore it; likewise, ignore it if it's ++ * one of the magic symbols emitted used by current ARM tools. ++ * ++ * Otherwise if find_symbols_between() returns those symbols, they'll ++ * fail the whitelist tests and cause lots of false alarms ... fixable ++ * only by merging __exit and __init sections into __text, bloating ++ * the kernel (which is especially evil on embedded platforms). ++ */ ++static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) ++{ ++ const char *name = elf->strtab + sym->st_name; ++ ++ if (!name || !strlen(name)) ++ return 0; ++ return !is_arm_mapping_symbol(name); ++} ++ + /** + * Find symbol based on relocation record info. + * In some cases the symbol supplied is a valid symbol so +@@ -1223,6 +1247,8 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + continue; + if (ELF_ST_TYPE(sym->st_info) == STT_SECTION) + continue; ++ if (!is_valid_name(elf, sym)) ++ continue; + if (sym->st_value == addr) + return sym; + /* Find a symbol nearby - addr are maybe negative */ +@@ -1241,30 +1267,6 @@ static Elf_Sym *find_elf_symbol(struct elf_info *elf, Elf64_Sword addr, + return NULL; + } + +-static inline int is_arm_mapping_symbol(const char *str) +-{ +- return str[0] == '$' && strchr("axtd", str[1]) +- && (str[2] == '\0' || str[2] == '.'); +-} +- +-/* +- * If there's no name there, ignore it; likewise, ignore it if it's +- * one of the magic symbols emitted used by current ARM tools. +- * +- * Otherwise if find_symbols_between() returns those symbols, they'll +- * fail the whitelist tests and cause lots of false alarms ... fixable +- * only by merging __exit and __init sections into __text, bloating +- * the kernel (which is especially evil on embedded platforms). +- */ +-static inline int is_valid_name(struct elf_info *elf, Elf_Sym *sym) +-{ +- const char *name = elf->strtab + sym->st_name; +- +- if (!name || !strlen(name)) +- return 0; +- return !is_arm_mapping_symbol(name); +-} +- + /* + * Find symbols before or equal addr and after addr - in the section sec. + * If we find two symbols with equal offset prefer one with a valid name. +-- +2.19.1 + diff --git a/queue-4.9/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch b/queue-4.9/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch new file mode 100644 index 00000000000..4cf0618630c --- /dev/null +++ b/queue-4.9/nfs-nfs_compare_mount_options-always-compare-auth-fl.patch @@ -0,0 +1,55 @@ +From caf2b4c5d6100ac65e8f4b58efc8d3d4ad056b8a Mon Sep 17 00:00:00 2001 +From: Chris Perl +Date: Mon, 17 Dec 2018 10:56:38 -0500 +Subject: NFS: nfs_compare_mount_options always compare auth flavors. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 594d1644cd59447f4fceb592448d5cd09eb09b5e ] + +This patch removes the check from nfs_compare_mount_options to see if a +`sec' option was passed for the current mount before comparing auth +flavors and instead just always compares auth flavors. + +Consider the following scenario: + +You have a server with the address 192.168.1.1 and two exports /export/a +and /export/b. The first export supports `sys' and `krb5' security, the +second just `sys'. + +Assume you start with no mounts from the server. + +The following results in EIOs being returned as the kernel nfs client +incorrectly thinks it can share the underlying `struct nfs_server's: + +$ mkdir /tmp/{a,b} +$ sudo mount -t nfs -o vers=3,sec=krb5 192.168.1.1:/export/a /tmp/a +$ sudo mount -t nfs -o vers=3 192.168.1.1:/export/b /tmp/b +$ df >/dev/null +df: ‘/tmp/b’: Input/output error + +Signed-off-by: Chris Perl +Signed-off-by: Anna Schumaker +Signed-off-by: Sasha Levin +--- + fs/nfs/super.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/nfs/super.c b/fs/nfs/super.c +index 2fdb8f5a7b69..35aef192a13f 100644 +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -2403,8 +2403,7 @@ static int nfs_compare_mount_options(const struct super_block *s, const struct n + goto Ebusy; + if (a->acdirmax != b->acdirmax) + goto Ebusy; +- if (b->auth_info.flavor_len > 0 && +- clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) ++ if (clnt_a->cl_auth->au_flavor != clnt_b->cl_auth->au_flavor) + goto Ebusy; + return 1; + Ebusy: +-- +2.19.1 + diff --git a/queue-4.9/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch b/queue-4.9/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch new file mode 100644 index 00000000000..a79d0eae6c5 --- /dev/null +++ b/queue-4.9/nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch @@ -0,0 +1,40 @@ +From 09a32620f777108a54c292112ccc7b5384b07d68 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 27 Nov 2018 15:54:17 -0500 +Subject: nfsd4: fix crash on writing v4_end_grace before nfsd startup + +[ Upstream commit 62a063b8e7d1db684db3f207261a466fa3194e72 ] + +Anatoly Trosinenko reports that this: + +1) Checkout fresh master Linux branch (tested with commit e195ca6cb) +2) Copy x84_64-config-4.14 to .config, then enable NFS server v4 and build +3) From `kvm-xfstests shell`: + +results in NULL dereference in locks_end_grace. + +Check that nfsd has been started before trying to end the grace period. + +Reported-by: Anatoly Trosinenko +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfsctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c +index 36b2af931e06..797a155c9a67 100644 +--- a/fs/nfsd/nfsctl.c ++++ b/fs/nfsd/nfsctl.c +@@ -1103,6 +1103,8 @@ static ssize_t write_v4_end_grace(struct file *file, char *buf, size_t size) + case 'Y': + case 'y': + case '1': ++ if (nn->nfsd_serv) ++ return -EBUSY; + nfsd4_end_grace(nn); + break; + default: +-- +2.19.1 + diff --git a/queue-4.9/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch b/queue-4.9/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch new file mode 100644 index 00000000000..728249f541e --- /dev/null +++ b/queue-4.9/niu-fix-missing-checks-of-niu_pci_eeprom_read.patch @@ -0,0 +1,49 @@ +From 469b3441f05bcd30e875a03b099801a542e460c6 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 25 Dec 2018 01:56:14 -0600 +Subject: niu: fix missing checks of niu_pci_eeprom_read + +[ Upstream commit 26fd962bde0b15e54234fe762d86bc0349df1de4 ] + +niu_pci_eeprom_read() may fail, so we should check its return value +before using the read data. + +Signed-off-by: Kangjie Lu +Acked-by: Shannon Nelson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/sun/niu.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/sun/niu.c b/drivers/net/ethernet/sun/niu.c +index e45e2f14fb94..fe5b0ac8c631 100644 +--- a/drivers/net/ethernet/sun/niu.c ++++ b/drivers/net/ethernet/sun/niu.c +@@ -8121,6 +8121,8 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + start += 3; + + prop_len = niu_pci_eeprom_read(np, start + 4); ++ if (prop_len < 0) ++ return prop_len; + err = niu_pci_vpd_get_propname(np, start + 5, namebuf, 64); + if (err < 0) + return err; +@@ -8165,8 +8167,12 @@ static int niu_pci_vpd_scan_props(struct niu *np, u32 start, u32 end) + netif_printk(np, probe, KERN_DEBUG, np->dev, + "VPD_SCAN: Reading in property [%s] len[%d]\n", + namebuf, prop_len); +- for (i = 0; i < prop_len; i++) +- *prop_buf++ = niu_pci_eeprom_read(np, off + i); ++ for (i = 0; i < prop_len; i++) { ++ err = niu_pci_eeprom_read(np, off + i); ++ if (err >= 0) ++ *prop_buf = err; ++ ++prop_buf; ++ } + } + + start += len; +-- +2.19.1 + diff --git a/queue-4.9/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch b/queue-4.9/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch new file mode 100644 index 00000000000..586f4d0151e --- /dev/null +++ b/queue-4.9/ocfs2-don-t-clear-bh-uptodate-for-block-read.patch @@ -0,0 +1,68 @@ +From f87644edb9d80a08470f26268abab1d125eff930 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Fri, 28 Dec 2018 00:32:57 -0800 +Subject: ocfs2: don't clear bh uptodate for block read + +[ Upstream commit 70306d9dce75abde855cefaf32b3f71eed8602a3 ] + +For sync io read in ocfs2_read_blocks_sync(), first clear bh uptodate flag +and submit the io, second wait io done, last check whether bh uptodate, if +not return io error. + +If two sync io for the same bh were issued, it could be the first io done +and set uptodate flag, but just before check that flag, the second io came +in and cleared uptodate, then ocfs2_read_blocks_sync() for the first io +will return IO error. + +Indeed it's not necessary to clear uptodate flag, as the io end handler +end_buffer_read_sync() will set or clear it based on io succeed or failed. + +The following message was found from a nfs server but the underlying +storage returned no error. + +[4106438.567376] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2780 ERROR: read block 1238823695 failed -5 +[4106438.567569] (nfsd,7146,3):ocfs2_get_suballoc_slot_bit:2812 ERROR: status = -5 +[4106438.567611] (nfsd,7146,3):ocfs2_test_inode_bit:2894 ERROR: get alloc slot and bit failed -5 +[4106438.567643] (nfsd,7146,3):ocfs2_test_inode_bit:2932 ERROR: status = -5 +[4106438.567675] (nfsd,7146,3):ocfs2_get_dentry:94 ERROR: test inode bit failed -5 + +Same issue in non sync read ocfs2_read_blocks(), fixed it as well. + +Link: http://lkml.kernel.org/r/20181121020023.3034-4-junxiao.bi@oracle.com +Signed-off-by: Junxiao Bi +Reviewed-by: Changwei Ge +Reviewed-by: Yiwen Jiang +Cc: Joel Becker +Cc: Joseph Qi +Cc: Jun Piao +Cc: Mark Fasheh +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ocfs2/buffer_head_io.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/fs/ocfs2/buffer_head_io.c b/fs/ocfs2/buffer_head_io.c +index 25c8b328c43d..935bac253991 100644 +--- a/fs/ocfs2/buffer_head_io.c ++++ b/fs/ocfs2/buffer_head_io.c +@@ -151,7 +151,6 @@ int ocfs2_read_blocks_sync(struct ocfs2_super *osb, u64 block, + #endif + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + bh->b_end_io = end_buffer_read_sync; + submit_bh(REQ_OP_READ, 0, bh); +@@ -305,7 +304,6 @@ int ocfs2_read_blocks(struct ocfs2_caching_info *ci, u64 block, int nr, + continue; + } + +- clear_buffer_uptodate(bh); + get_bh(bh); /* for end_buffer_read_sync() */ + if (validate) + set_buffer_needs_validate(bh); +-- +2.19.1 + diff --git a/queue-4.9/perf-header-fix-unchecked-usage-of-strncpy.patch b/queue-4.9/perf-header-fix-unchecked-usage-of-strncpy.patch new file mode 100644 index 00000000000..a5dfd03a7ea --- /dev/null +++ b/queue-4.9/perf-header-fix-unchecked-usage-of-strncpy.patch @@ -0,0 +1,48 @@ +From 6fc24a806f4a9b5ce58e522d2270a949d90b0748 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 6 Dec 2018 11:02:57 -0300 +Subject: perf header: Fix unchecked usage of strncpy() + +[ Upstream commit 7572588085a13d5db02bf159542189f52fdb507e ] + +The strncpy() function may leave the destination string buffer +unterminated, better use strlcpy() that we have a __weak fallback +implementation for systems without it. + +This fixes this warning on an Alpine Linux Edge system with gcc 8.2: + + util/header.c: In function 'perf_event__synthesize_event_update_unit': + util/header.c:3586:2: error: 'strncpy' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation] + strncpy(ev->data, evsel->unit, size); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + util/header.c:3579:16: note: length computed here + size_t size = strlen(evsel->unit); + ^~~~~~~~~~~~~~~~~~~ + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Namhyung Kim +Fixes: a6e5281780d1 ("perf tools: Add event_update event unit type") +Link: https://lkml.kernel.org/n/tip-fiikh5nay70bv4zskw2aa858@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/header.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/header.c b/tools/perf/util/header.c +index ab36aa5585b4..a11f6760cce8 100644 +--- a/tools/perf/util/header.c ++++ b/tools/perf/util/header.c +@@ -2988,7 +2988,7 @@ perf_event__synthesize_event_update_unit(struct perf_tool *tool, + if (ev == NULL) + return -ENOMEM; + +- strncpy(ev->data, evsel->unit, size); ++ strlcpy(ev->data, evsel->unit, size + 1); + err = process(tool, (union perf_event *)ev, NULL, NULL); + free(ev); + return err; +-- +2.19.1 + diff --git a/queue-4.9/perf-probe-fix-unchecked-usage-of-strncpy.patch b/queue-4.9/perf-probe-fix-unchecked-usage-of-strncpy.patch new file mode 100644 index 00000000000..ad626a3d577 --- /dev/null +++ b/queue-4.9/perf-probe-fix-unchecked-usage-of-strncpy.patch @@ -0,0 +1,53 @@ +From 0f0f63d3c42ae0ce14a8cdc8fee46c26b0fdf318 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 6 Dec 2018 11:50:08 -0300 +Subject: perf probe: Fix unchecked usage of strncpy() + +[ Upstream commit bef0b8970f27da5ca223e522a174d03e2587761d ] + +The strncpy() function may leave the destination string buffer +unterminated, better use strlcpy() that we have a __weak fallback +implementation for systems without it. + +In this case the 'target' buffer is coming from a list of build-ids that +are expected to have a len of at most (SBUILD_ID_SIZE - 1) chars, so +probably we're safe, but since we're using strncpy() here, use strlcpy() +instead to provide the intended safety checking without the using the +problematic strncpy() function. + +This fixes this warning on an Alpine Linux Edge system with gcc 8.2: + + util/probe-file.c: In function 'probe_cache__open.isra.5': + util/probe-file.c:427:3: error: 'strncpy' specified bound 41 equals destination size [-Werror=stringop-truncation] + strncpy(sbuildid, target, SBUILD_ID_SIZE); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cc1: all warnings being treated as errors + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Fixes: 1f3736c9c833 ("perf probe: Show all cached probes") +Link: https://lkml.kernel.org/n/tip-l7n8ggc9kl38qtdlouke5yp5@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/probe-file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/util/probe-file.c b/tools/perf/util/probe-file.c +index 436b64731f65..b9507a8d0e30 100644 +--- a/tools/perf/util/probe-file.c ++++ b/tools/perf/util/probe-file.c +@@ -414,7 +414,7 @@ static int probe_cache__open(struct probe_cache *pcache, const char *target) + + if (target && build_id_cache__cached(target)) { + /* This is a cached buildid */ +- strncpy(sbuildid, target, SBUILD_ID_SIZE); ++ strlcpy(sbuildid, target, SBUILD_ID_SIZE); + dir_name = build_id_cache__linkname(sbuildid, NULL, 0); + goto found; + } +-- +2.19.1 + diff --git a/queue-4.9/perf-tools-add-hygon-dhyana-support.patch b/queue-4.9/perf-tools-add-hygon-dhyana-support.patch new file mode 100644 index 00000000000..56346d1d69c --- /dev/null +++ b/queue-4.9/perf-tools-add-hygon-dhyana-support.patch @@ -0,0 +1,42 @@ +From 82ea2a6af5096225a6728e691398a08978c26869 Mon Sep 17 00:00:00 2001 +From: Pu Wen +Date: Mon, 12 Nov 2018 15:40:51 +0800 +Subject: perf tools: Add Hygon Dhyana support + +[ Upstream commit 4787eff3fa88f62fede6ed7afa06477ae6bf984d ] + +The tool perf is useful for the performance analysis on the Hygon Dhyana +platform. But right now there is no Hygon support for it to analyze the +KVM guest os data. So add Hygon Dhyana support to it by checking vendor +string to share the code path of AMD. + +Signed-off-by: Pu Wen +Acked-by: Borislav Petkov +Cc: Alexander Shishkin +Cc: Jiri Olsa +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1542008451-31735-1-git-send-email-puwen@hygon.cn +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/arch/x86/util/kvm-stat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/perf/arch/x86/util/kvm-stat.c b/tools/perf/arch/x86/util/kvm-stat.c +index b63d4be655a2..2020e12a856f 100644 +--- a/tools/perf/arch/x86/util/kvm-stat.c ++++ b/tools/perf/arch/x86/util/kvm-stat.c +@@ -154,7 +154,7 @@ int cpu_isa_init(struct perf_kvm_stat *kvm, const char *cpuid) + if (strstr(cpuid, "Intel")) { + kvm->exit_reasons = vmx_exit_reasons; + kvm->exit_reasons_isa = "VMX"; +- } else if (strstr(cpuid, "AMD")) { ++ } else if (strstr(cpuid, "AMD") || strstr(cpuid, "Hygon")) { + kvm->exit_reasons = svm_exit_reasons; + kvm->exit_reasons_isa = "SVM"; + } else +-- +2.19.1 + diff --git a/queue-4.9/pinctrl-meson-meson8-fix-the-gpio-function-for-the-g.patch b/queue-4.9/pinctrl-meson-meson8-fix-the-gpio-function-for-the-g.patch new file mode 100644 index 00000000000..8a9b7446c42 --- /dev/null +++ b/queue-4.9/pinctrl-meson-meson8-fix-the-gpio-function-for-the-g.patch @@ -0,0 +1,49 @@ +From 246431dc5882cdd5df2ab16e0a6bc937bed1125c Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sun, 9 Dec 2018 20:50:50 +0100 +Subject: pinctrl: meson: meson8: fix the GPIO function for the GPIOAO pins + +[ Upstream commit 42f9b48cc5402be11d2364275eb18c257d2a79e8 ] + +The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N) +only belong to the pin controller in the AO domain. With the current +definition these pins cannot be referred to in .dts files as group +(which is possible on GXBB and GXL for example). + +Add a separate "gpio_aobus" function to fix the mapping between the pin +controller and the GPIO pins in the AO domain. This is similar to how +the GXBB and GXL drivers implement this functionality. + +Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/meson/pinctrl-meson8.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pinctrl/meson/pinctrl-meson8.c b/drivers/pinctrl/meson/pinctrl-meson8.c +index 07f1cb21c1b8..0de7fa414beb 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8.c +@@ -736,7 +736,9 @@ static const char * const gpio_groups[] = { + "BOOT_5", "BOOT_6", "BOOT_7", "BOOT_8", "BOOT_9", + "BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14", + "BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18", ++}; + ++static const char * const gpio_aobus_groups[] = { + "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3", + "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7", + "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11", +@@ -908,6 +910,7 @@ static struct meson_pmx_func meson8_cbus_functions[] = { + }; + + static struct meson_pmx_func meson8_aobus_functions[] = { ++ FUNCTION(gpio_aobus), + FUNCTION(uart_ao), + FUNCTION(remote), + FUNCTION(i2c_slave_ao), +-- +2.19.1 + diff --git a/queue-4.9/pinctrl-meson-meson8b-fix-the-gpio-function-for-the-.patch b/queue-4.9/pinctrl-meson-meson8b-fix-the-gpio-function-for-the-.patch new file mode 100644 index 00000000000..6b4569658af --- /dev/null +++ b/queue-4.9/pinctrl-meson-meson8b-fix-the-gpio-function-for-the-.patch @@ -0,0 +1,63 @@ +From dfd28184b0967d5978b6f36bc8a6e9c07e3fb7f1 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Sun, 9 Dec 2018 20:50:51 +0100 +Subject: pinctrl: meson: meson8b: fix the GPIO function for the GPIOAO pins + +[ Upstream commit 2b745ac3cceb8fc1d9985990c8241a821ea97e53 ] + +The GPIOAO pins (as well as the two exotic GPIO_BSD_EN and GPIO_TEST_N) +only belong to the pin controller in the AO domain. With the current +definition these pins cannot be referred to in .dts files as group +(which is possible on GXBB and GXL for example). + +Add a separate "gpio_aobus" function to fix the mapping between the pin +controller and the GPIO pins in the AO domain. This is similar to how +the GXBB and GXL drivers implement this functionality. + +Fixes: 9dab1868ec0db4 ("pinctrl: amlogic: Make driver independent from two-domain configuration") +Signed-off-by: Martin Blumenstingl +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/meson/pinctrl-meson8b.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/drivers/pinctrl/meson/pinctrl-meson8b.c b/drivers/pinctrl/meson/pinctrl-meson8b.c +index f87ef5a0ee6c..cbe5f5cbddb8 100644 +--- a/drivers/pinctrl/meson/pinctrl-meson8b.c ++++ b/drivers/pinctrl/meson/pinctrl-meson8b.c +@@ -643,16 +643,18 @@ static const char * const gpio_groups[] = { + "BOOT_10", "BOOT_11", "BOOT_12", "BOOT_13", "BOOT_14", + "BOOT_15", "BOOT_16", "BOOT_17", "BOOT_18", + +- "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3", +- "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7", +- "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11", +- "GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N", +- + "DIF_0_P", "DIF_0_N", "DIF_1_P", "DIF_1_N", + "DIF_2_P", "DIF_2_N", "DIF_3_P", "DIF_3_N", + "DIF_4_P", "DIF_4_N" + }; + ++static const char * const gpio_aobus_groups[] = { ++ "GPIOAO_0", "GPIOAO_1", "GPIOAO_2", "GPIOAO_3", ++ "GPIOAO_4", "GPIOAO_5", "GPIOAO_6", "GPIOAO_7", ++ "GPIOAO_8", "GPIOAO_9", "GPIOAO_10", "GPIOAO_11", ++ "GPIOAO_12", "GPIOAO_13", "GPIO_BSD_EN", "GPIO_TEST_N" ++}; ++ + static const char * const sd_a_groups[] = { + "sd_d0_a", "sd_d1_a", "sd_d2_a", "sd_d3_a", "sd_clk_a", + "sd_cmd_a" +@@ -868,6 +870,7 @@ static struct meson_pmx_func meson8b_cbus_functions[] = { + }; + + static struct meson_pmx_func meson8b_aobus_functions[] = { ++ FUNCTION(gpio_aobus), + FUNCTION(uart_ao), + FUNCTION(uart_ao_b), + FUNCTION(i2c_slave_ao), +-- +2.19.1 + diff --git a/queue-4.9/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch b/queue-4.9/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch new file mode 100644 index 00000000000..26a5a31b5ee --- /dev/null +++ b/queue-4.9/powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch @@ -0,0 +1,45 @@ +From 16ae996532296a0d654a819e515dc387f4837e5c Mon Sep 17 00:00:00 2001 +From: Frank Rowand +Date: Thu, 4 Oct 2018 20:27:16 -0700 +Subject: powerpc/pseries: add of_node_put() in dlpar_detach_node() + +[ Upstream commit 5b3f5c408d8cc59b87e47f1ab9803dbd006e4a91 ] + +The previous commit, "of: overlay: add missing of_node_get() in +__of_attach_node_sysfs" added a missing of_node_get() to +__of_attach_node_sysfs(). This results in a refcount imbalance +for nodes attached with dlpar_attach_node(). The calling sequence +from dlpar_attach_node() to __of_attach_node_sysfs() is: + + dlpar_attach_node() + of_attach_node() + __of_attach_node_sysfs() + +For more detailed description of the node refcount, see +commit 68baf692c435 ("powerpc/pseries: Fix of_node_put() underflow +during DLPAR remove"). + +Tested-by: Alan Tull +Acked-by: Michael Ellerman +Signed-off-by: Frank Rowand +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/dlpar.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c +index 72ae2cdbcd6a..999b04819d69 100644 +--- a/arch/powerpc/platforms/pseries/dlpar.c ++++ b/arch/powerpc/platforms/pseries/dlpar.c +@@ -288,6 +288,8 @@ int dlpar_detach_node(struct device_node *dn) + if (rc) + return rc; + ++ of_node_put(dn); ++ + return 0; + } + +-- +2.19.1 + diff --git a/queue-4.9/powerpc-uaccess-fix-warning-error-with-access_ok.patch b/queue-4.9/powerpc-uaccess-fix-warning-error-with-access_ok.patch new file mode 100644 index 00000000000..af0dd545ee8 --- /dev/null +++ b/queue-4.9/powerpc-uaccess-fix-warning-error-with-access_ok.patch @@ -0,0 +1,45 @@ +From 996bfa401f8e176c2c5aeea7f88f760583b9efef Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Mon, 10 Dec 2018 06:50:09 +0000 +Subject: powerpc/uaccess: fix warning/error with access_ok() + +[ Upstream commit 05a4ab823983d9136a460b7b5e0d49ee709a6f86 ] + +With the following piece of code, the following compilation warning +is encountered: + + if (_IOC_DIR(ioc) != _IOC_NONE) { + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + + if (!access_ok(verify, ioarg, _IOC_SIZE(ioc))) { + +drivers/platform/test/dev.c: In function 'my_ioctl': +drivers/platform/test/dev.c:219:7: warning: unused variable 'verify' [-Wunused-variable] + int verify = _IOC_DIR(ioc) & _IOC_READ ? VERIFY_WRITE : VERIFY_READ; + +This patch fixes it by referencing 'type' in the macro allthough +doing nothing with it. + +Signed-off-by: Christophe Leroy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h +index c266227fdd5b..31913b3ac7ab 100644 +--- a/arch/powerpc/include/asm/uaccess.h ++++ b/arch/powerpc/include/asm/uaccess.h +@@ -59,7 +59,7 @@ + #endif + + #define access_ok(type, addr, size) \ +- (__chk_user_ptr(addr), \ ++ (__chk_user_ptr(addr), (void)(type), \ + __access_ok((__force unsigned long)(addr), (size), get_fs())) + + /* +-- +2.19.1 + diff --git a/queue-4.9/proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch b/queue-4.9/proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch new file mode 100644 index 00000000000..70b63227648 --- /dev/null +++ b/queue-4.9/proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch @@ -0,0 +1,104 @@ +From 89fd677279f9a4ad0ce34bca89b70cef8481e614 Mon Sep 17 00:00:00 2001 +From: Cheng Lin +Date: Thu, 3 Jan 2019 15:26:13 -0800 +Subject: proc/sysctl: fix return error for proc_doulongvec_minmax() + +[ Upstream commit 09be178400829dddc1189b50a7888495dd26aa84 ] + +If the number of input parameters is less than the total parameters, an +EINVAL error will be returned. + +For example, we use proc_doulongvec_minmax to pass up to two parameters +with kern_table: + +{ + .procname = "monitor_signals", + .data = &monitor_sigs, + .maxlen = 2*sizeof(unsigned long), + .mode = 0644, + .proc_handler = proc_doulongvec_minmax, +}, + +Reproduce: + +When passing two parameters, it's work normal. But passing only one +parameter, an error "Invalid argument"(EINVAL) is returned. + + [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals + [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals + 1 2 + [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals + -bash: echo: write error: Invalid argument + [root@cl150 ~]# echo $? + 1 + [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals + 3 2 + [root@cl150 ~]# + +The following is the result after apply this patch. No error is +returned when the number of input parameters is less than the total +parameters. + + [root@cl150 ~]# echo 1 2 > /proc/sys/kernel/monitor_signals + [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals + 1 2 + [root@cl150 ~]# echo 3 > /proc/sys/kernel/monitor_signals + [root@cl150 ~]# echo $? + 0 + [root@cl150 ~]# cat /proc/sys/kernel/monitor_signals + 3 2 + [root@cl150 ~]# + +There are three processing functions dealing with digital parameters, +__do_proc_dointvec/__do_proc_douintvec/__do_proc_doulongvec_minmax. + +This patch deals with __do_proc_doulongvec_minmax, just as +__do_proc_dointvec does, adding a check for parameters 'left'. In +__do_proc_douintvec, its code implementation explicitly does not support +multiple inputs. + +static int __do_proc_douintvec(...){ + ... + /* + * Arrays are not supported, keep this simple. *Do not* add + * support for them. + */ + if (vleft != 1) { + *lenp = 0; + return -EINVAL; + } + ... +} + +So, just __do_proc_doulongvec_minmax has the problem. And most use of +proc_doulongvec_minmax/proc_doulongvec_ms_jiffies_minmax just have one +parameter. + +Link: http://lkml.kernel.org/r/1544081775-15720-1-git-send-email-cheng.lin130@zte.com.cn +Signed-off-by: Cheng Lin +Acked-by: Luis Chamberlain +Reviewed-by: Kees Cook +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + kernel/sysctl.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/sysctl.c b/kernel/sysctl.c +index 23f658d311c0..93c7b02279b9 100644 +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2503,6 +2503,8 @@ static int __do_proc_doulongvec_minmax(void *data, struct ctl_table *table, int + bool neg; + + left -= proc_skip_spaces(&p); ++ if (!left) ++ break; + + err = proc_get_long(&p, &left, &val, &neg, + proc_wspace_sep, +-- +2.19.1 + diff --git a/queue-4.9/ptp-check-gettime64-return-code-in-ptp_sys_offset-io.patch b/queue-4.9/ptp-check-gettime64-return-code-in-ptp_sys_offset-io.patch new file mode 100644 index 00000000000..53a1e3073fd --- /dev/null +++ b/queue-4.9/ptp-check-gettime64-return-code-in-ptp_sys_offset-io.patch @@ -0,0 +1,45 @@ +From faaa0c8b1c82ef7377be303b8590d25e269a30ef Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Fri, 9 Nov 2018 11:14:43 +0100 +Subject: ptp: check gettime64 return code in PTP_SYS_OFFSET ioctl + +[ Upstream commit 83d0bdc7390b890905634186baaa294475cd6a06 ] + +If a gettime64 call fails, return the error and avoid copying data back +to user. + +Cc: Richard Cochran +Cc: Jacob Keller +Signed-off-by: Miroslav Lichvar +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/ptp/ptp_chardev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/ptp/ptp_chardev.c b/drivers/ptp/ptp_chardev.c +index a421d6c551b6..ecb41eacd74b 100644 +--- a/drivers/ptp/ptp_chardev.c ++++ b/drivers/ptp/ptp_chardev.c +@@ -228,7 +228,9 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg) + pct->sec = ts.tv_sec; + pct->nsec = ts.tv_nsec; + pct++; +- ptp->info->gettime64(ptp->info, &ts); ++ err = ptp->info->gettime64(ptp->info, &ts); ++ if (err) ++ goto out; + pct->sec = ts.tv_sec; + pct->nsec = ts.tv_nsec; + pct++; +@@ -281,6 +283,7 @@ long ptp_ioctl(struct posix_clock *pc, unsigned int cmd, unsigned long arg) + break; + } + ++out: + kfree(sysoff); + return err; + } +-- +2.19.1 + diff --git a/queue-4.9/sata_rcar-fix-deferred-probing.patch b/queue-4.9/sata_rcar-fix-deferred-probing.patch new file mode 100644 index 00000000000..40c5be8cdc6 --- /dev/null +++ b/queue-4.9/sata_rcar-fix-deferred-probing.patch @@ -0,0 +1,41 @@ +From b4eade0da12fef78b4a1f45bb5be48026d8183c7 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Sat, 24 Nov 2018 21:14:16 +0300 +Subject: sata_rcar: fix deferred probing + +[ Upstream commit 9f83cfdb1ace3ef268ecc6fda50058d2ec37d603 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Reviewed-by: Simon Horman +Reviewed-by: Geert Uytterhoeven +Signed-off-by: Sergei Shtylyov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_rcar.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/ata/sata_rcar.c b/drivers/ata/sata_rcar.c +index e83a3d3421b9..07e146b772ea 100644 +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -872,7 +872,9 @@ static int sata_rcar_probe(struct platform_device *pdev) + int ret = 0; + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) ++ return irq; ++ if (!irq) + return -EINVAL; + + priv = devm_kzalloc(&pdev->dev, sizeof(struct sata_rcar_priv), +-- +2.19.1 + diff --git a/queue-4.9/scripts-decode_stacktrace-only-strip-base-path-when-.patch b/queue-4.9/scripts-decode_stacktrace-only-strip-base-path-when-.patch new file mode 100644 index 00000000000..d5e69e1bb6c --- /dev/null +++ b/queue-4.9/scripts-decode_stacktrace-only-strip-base-path-when-.patch @@ -0,0 +1,48 @@ +From 3193a64c2a0d1a80dc4817f43148ba14a520e668 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Fri, 28 Dec 2018 00:31:25 -0800 +Subject: scripts/decode_stacktrace: only strip base path when a prefix of the + path + +[ Upstream commit 67a28de47faa83585dd644bd4c31e5a1d9346c50 ] + +Running something like: + + decodecode vmlinux . + +leads to interested results where not only the leading "." gets stripped +from the displayed paths, but also anywhere in the string, displaying +something like: + + kvm_vcpu_check_block (arch/arm64/kvm/virt/kvm/kvm_mainc:2141) + +which doesn't help further processing. + +Fix it by only stripping the base path if it is a prefix of the path. + +Link: http://lkml.kernel.org/r/20181210174659.31054-3-marc.zyngier@arm.com +Signed-off-by: Marc Zyngier +Cc: Will Deacon +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + scripts/decode_stacktrace.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh +index c332684e1b5a..edde8250195c 100755 +--- a/scripts/decode_stacktrace.sh ++++ b/scripts/decode_stacktrace.sh +@@ -77,7 +77,7 @@ parse_symbol() { + fi + + # Strip out the base of the path +- code=${code//$basepath/""} ++ code=${code//^$basepath/""} + + # In the case of inlines, move everything to same line + code=${code//$'\n'/' '} +-- +2.19.1 + diff --git a/queue-4.9/scsi-lpfc-correct-lcb-rjt-handling.patch b/queue-4.9/scsi-lpfc-correct-lcb-rjt-handling.patch new file mode 100644 index 00000000000..12196a4fbca --- /dev/null +++ b/queue-4.9/scsi-lpfc-correct-lcb-rjt-handling.patch @@ -0,0 +1,37 @@ +From 6134b95ce32ebb758a8592f8b63c7ce37659b431 Mon Sep 17 00:00:00 2001 +From: James Smart +Date: Tue, 23 Oct 2018 13:41:07 -0700 +Subject: scsi: lpfc: Correct LCB RJT handling + +[ Upstream commit b114d9009d386276bfc3352289fc235781ae3353 ] + +When LCB's are rejected, if beaconing was already in progress, the +Reason Code Explanation was not being set. Should have been set to +command in progress. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/lpfc/lpfc_els.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c +index fc7addaf24da..4905455bbfc7 100644 +--- a/drivers/scsi/lpfc/lpfc_els.c ++++ b/drivers/scsi/lpfc/lpfc_els.c +@@ -5396,6 +5396,9 @@ error: + stat = (struct ls_rjt *)(pcmd + sizeof(uint32_t)); + stat->un.b.lsRjtRsnCode = LSRJT_UNABLE_TPC; + ++ if (shdr_add_status == ADD_STATUS_OPERATION_ALREADY_ACTIVE) ++ stat->un.b.lsRjtRsnCodeExp = LSEXP_CMD_IN_PROGRESS; ++ + elsiocb->iocb_cmpl = lpfc_cmpl_els_rsp; + phba->fc_stat.elsXmitLSRJT++; + rc = lpfc_sli_issue_iocb(phba, LPFC_ELS_RING, elsiocb, 0); +-- +2.19.1 + diff --git a/queue-4.9/scsi-smartpqi-correct-host-serial-num-for-ssa.patch b/queue-4.9/scsi-smartpqi-correct-host-serial-num-for-ssa.patch new file mode 100644 index 00000000000..da6a7730fcd --- /dev/null +++ b/queue-4.9/scsi-smartpqi-correct-host-serial-num-for-ssa.patch @@ -0,0 +1,46 @@ +From e594806a02bbff13e96079023c22eccdfdf0f65b Mon Sep 17 00:00:00 2001 +From: Mahesh Rajashekhara +Date: Fri, 7 Dec 2018 16:28:29 -0600 +Subject: scsi: smartpqi: correct host serial num for ssa + +[ Upstream commit b2346b5030cf9458f30a84028d9fe904b8c942a7 ] + +Reviewed-by: Scott Benesh +Reviewed-by: Ajish Koshy +Reviewed-by: Murthy Bhat +Reviewed-by: Mahesh Rajashekhara +Reviewed-by: Dave Carroll +Reviewed-by: Scott Teel +Reviewed-by: Kevin Barnett +Signed-off-by: Mahesh Rajashekhara +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index b2b969990a5d..9a208961cc0b 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -473,6 +473,7 @@ struct bmic_host_wellness_driver_version { + u8 driver_version_tag[2]; + __le16 driver_version_length; + char driver_version[32]; ++ u8 dont_write_tag[2]; + u8 end_tag[2]; + }; + +@@ -502,6 +503,8 @@ static int pqi_write_driver_version_to_host_wellness( + strncpy(buffer->driver_version, DRIVER_VERSION, + sizeof(buffer->driver_version) - 1); + buffer->driver_version[sizeof(buffer->driver_version) - 1] = '\0'; ++ buffer->dont_write_tag[0] = 'D'; ++ buffer->dont_write_tag[1] = 'W'; + buffer->end_tag[0] = 'Z'; + buffer->end_tag[1] = 'Z'; + +-- +2.19.1 + diff --git a/queue-4.9/scsi-smartpqi-correct-volume-status.patch b/queue-4.9/scsi-smartpqi-correct-volume-status.patch new file mode 100644 index 00000000000..d75fc5eba9e --- /dev/null +++ b/queue-4.9/scsi-smartpqi-correct-volume-status.patch @@ -0,0 +1,43 @@ +From 7e579de0a0e7126f1eb6834601760d9dffc2503f Mon Sep 17 00:00:00 2001 +From: Dave Carroll +Date: Fri, 7 Dec 2018 16:29:45 -0600 +Subject: scsi: smartpqi: correct volume status + +[ Upstream commit 7ff44499bafbd376115f0bb6b578d980f56ee13b ] + +- fix race condition when a unit is deleted after an RLL, + and before we have gotten the LV_STATUS page of the unit. + - In this case we will get a standard inquiry, rather than + the desired page. This will result in a unit presented + which no longer exists. + - If we ask for LV_STATUS, insure we get LV_STATUS + +Reviewed-by: Murthy Bhat +Reviewed-by: Mahesh Rajashekhara +Reviewed-by: Scott Teel +Reviewed-by: Kevin Barnett +Signed-off-by: Dave Carroll +Signed-off-by: Don Brace +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/smartpqi/smartpqi_init.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c +index 9a208961cc0b..06a062455404 100644 +--- a/drivers/scsi/smartpqi/smartpqi_init.c ++++ b/drivers/scsi/smartpqi/smartpqi_init.c +@@ -983,6 +983,9 @@ static void pqi_get_volume_status(struct pqi_ctrl_info *ctrl_info, + if (rc) + goto out; + ++ if (vpd->page_code != CISS_VPD_LV_STATUS) ++ goto out; ++ + page_length = offsetof(struct ciss_vpd_logical_volume_status, + volume_status) + vpd->page_length; + if (page_length < sizeof(*vpd)) +-- +2.19.1 + diff --git a/queue-4.9/seq_buf-make-seq_buf_puts-null-terminate-the-buffer.patch b/queue-4.9/seq_buf-make-seq_buf_puts-null-terminate-the-buffer.patch new file mode 100644 index 00000000000..2934e1878bc --- /dev/null +++ b/queue-4.9/seq_buf-make-seq_buf_puts-null-terminate-the-buffer.patch @@ -0,0 +1,69 @@ +From 86c63f6a1c5e5b87516f6af8e081af462c9c2558 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 19 Oct 2018 15:21:08 +1100 +Subject: seq_buf: Make seq_buf_puts() null-terminate the buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 0464ed24380905d640030d368cd84a4e4d1e15e2 ] + +Currently seq_buf_puts() will happily create a non null-terminated +string for you in the buffer. This is particularly dangerous if the +buffer is on the stack. + +For example: + + char buf[8]; + char secret = "secret"; + struct seq_buf s; + + seq_buf_init(&s, buf, sizeof(buf)); + seq_buf_puts(&s, "foo"); + printk("Message is %s\n", buf); + +Can result in: + + Message is fooªªªªªsecret + +We could require all users to memset() their buffer to zero before +use. But that seems likely to be forgotten and lead to bugs. + +Instead we can change seq_buf_puts() to always leave the buffer in a +null-terminated state. + +The only downside is that this makes the buffer 1 character smaller +for seq_buf_puts(), but that seems like a good trade off. + +Link: http://lkml.kernel.org/r/20181019042109.8064-1-mpe@ellerman.id.au + +Acked-by: Kees Cook +Signed-off-by: Michael Ellerman +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + lib/seq_buf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/lib/seq_buf.c b/lib/seq_buf.c +index cb18469e1f49..5954f9fb6675 100644 +--- a/lib/seq_buf.c ++++ b/lib/seq_buf.c +@@ -143,9 +143,13 @@ int seq_buf_puts(struct seq_buf *s, const char *str) + + WARN_ON(s->size == 0); + ++ /* Add 1 to len for the trailing null byte which must be there */ ++ len += 1; ++ + if (seq_buf_can_fit(s, len)) { + memcpy(s->buffer + s->len, str, len); +- s->len += len; ++ /* Don't count the trailing null byte against the capacity */ ++ s->len += len - 1; + return 0; + } + seq_buf_set_overflow(s); +-- +2.19.1 + diff --git a/queue-4.9/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch b/queue-4.9/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch new file mode 100644 index 00000000000..a71207bd7bb --- /dev/null +++ b/queue-4.9/serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch @@ -0,0 +1,49 @@ +From e5dd5ebc5f3f1056d9c891e98eddade02f3e15bf Mon Sep 17 00:00:00 2001 +From: Andy Duan +Date: Tue, 16 Oct 2018 07:32:22 +0000 +Subject: serial: fsl_lpuart: clear parity enable bit when disable parity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 397bd9211fe014b347ca8f95a8f4e1017bac1aeb ] + +Current driver only enable parity enable bit and never clear it +when user set the termios. The fix clear the parity enable bit when +PARENB flag is not set in termios->c_cflag. + +Cc: Lukas Wunner +Signed-off-by: Andy Duan +Reviewed-by: Fabio Estevam +Acked-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/fsl_lpuart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c +index e2ec04904f54..5c471c3481bd 100644 +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -1344,6 +1344,8 @@ lpuart_set_termios(struct uart_port *port, struct ktermios *termios, + else + cr1 &= ~UARTCR1_PT; + } ++ } else { ++ cr1 &= ~UARTCR1_PE; + } + + /* ask the core to calculate the divisor */ +@@ -1487,6 +1489,8 @@ lpuart32_set_termios(struct uart_port *port, struct ktermios *termios, + else + ctrl &= ~UARTCTRL_PT; + } ++ } else { ++ ctrl &= ~UARTCTRL_PE; + } + + /* ask the core to calculate the divisor */ +-- +2.19.1 + diff --git a/queue-4.9/series b/queue-4.9/series new file mode 100644 index 00000000000..278f4f57e67 --- /dev/null +++ b/queue-4.9/series @@ -0,0 +1,103 @@ +drm-bufs-fix-spectre-v1-vulnerability.patch +staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch +asoc-intel-mrfld-fix-uninitialized-variable-access.patch +gpu-ipu-v3-image-convert-prevent-race-between-run-an.patch +ath9k-dynack-use-authentication-messages-for-late-ac.patch +scsi-lpfc-correct-lcb-rjt-handling.patch +arm-8808-1-kexec-offline-panic_smp_self_stop-cpu.patch +dlm-don-t-swamp-the-cpu-with-callbacks-queued-during.patch +x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch +powerpc-pseries-add-of_node_put-in-dlpar_detach_node.patch +drm-vc4-x_scaling-1-should-never-be-set-to-vc4_scali.patch +serial-fsl_lpuart-clear-parity-enable-bit-when-disab.patch +ptp-check-gettime64-return-code-in-ptp_sys_offset-io.patch +staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch +staging-iio-ad7780-update-voltage-on-read.patch +arm-omap2-hwmod-fix-some-section-annotations.patch +modpost-validate-symbol-names-also-in-find_elf_symbo.patch +perf-tools-add-hygon-dhyana-support.patch +soc-tegra-don-t-leak-device-tree-node-reference.patch +media-mtk-vcodec-release-device-nodes-in-mtk_vcodec_.patch +dmaengine-xilinx_dma-remove-__aligned-attribute-on-z.patch +iio-accel-kxcjk1013-add-kiox010a-acpi-hardware-id.patch +media-adv-tc358743-ths8200-fill-in-min-width-height-.patch +f2fs-move-dir-data-flush-to-write-checkpoint-process.patch +f2fs-avoid-build-warn-of-fall_through.patch +f2fs-fix-wrong-return-value-of-f2fs_acl_create.patch +sunvdc-do-not-spin-in-an-infinite-loop-when-vio_ldc_.patch +soc-bcm-brcmstb-don-t-leak-device-tree-node-referenc.patch +nfsd4-fix-crash-on-writing-v4_end_grace-before-nfsd-.patch +thermal-do-not-clear-passive-state-during-system-sle.patch +firmware-efi-add-null-pointer-checks-in-efivars-api-.patch +arm64-ftrace-don-t-adjust-the-lr-value.patch +arm-dts-mmp2-fix-twsi2.patch +arm-mmp-mmp2-dt-enable-the-clock.patch +x86-fpu-add-might_fault-to-user_insn.patch +media-davinci-vpbe-fix-error-handling-in-vpbe_initia.patch +smack-fix-access-permissions-for-keyring.patch +usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch +timekeeping-use-proper-seqcount-initializer.patch +clk-sunxi-ng-a33-set-clk_set_rate_parent-for-all-aud.patch +iommu-amd-fix-amd_iommu-force_isolation.patch +arm-dts-fix-omap4430-sdp-ethernet-startup.patch +mips-bpf-fix-encoding-bug-for-mm_srlv32_op.patch +tracing-have-trace_stack-nr_entries-compare-not-be-s.patch +iommu-arm-smmu-add-support-for-qcom-smmu-v2-variant.patch +iommu-arm-smmu-v3-use-explicit-mb-when-moving-cons-p.patch +sata_rcar-fix-deferred-probing.patch +clk-imx6sl-ensure-mmdc-ch0-handshake-is-bypassed.patch +cpuidle-big.little-fix-refcount-leak.patch +i2c-axxia-check-for-error-conditions-first.patch +udf-fix-bug-on-corrupted-inode.patch +arm-pxa-avoid-section-mismatch-warning.patch +asoc-fsl-fix-snd_soc_eukrea_tlv320-build-error-on-i..patch +arm-mmp-fix-timer_init-calls.patch +memstick-prevent-memstick-host-from-getting-runtime-.patch +tty-serial-samsung-properly-set-flags-in-autocts-mod.patch +perf-header-fix-unchecked-usage-of-strncpy.patch +perf-probe-fix-unchecked-usage-of-strncpy.patch +kvm-s390-unregister-debug-feature-on-failing-arch-in.patch +arm64-kvm-skip-mmio-insn-after-emulation.patch +powerpc-uaccess-fix-warning-error-with-access_ok.patch +mac80211-fix-radiotap-vendor-presence-bitmap-handlin.patch +xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch +bluetooth-fix-unnecessary-error-message-for-hci-requ.patch +scsi-smartpqi-correct-host-serial-num-for-ssa.patch +scsi-smartpqi-correct-volume-status.patch +cw1200-fix-concurrency-use-after-free-bugs-in-cw1200.patch +drbd-narrow-rcu_read_lock-in-drbd_sync_handshake.patch +drbd-disconnect-if-the-wrong-uuids-are-attached-on-a.patch +drbd-skip-spurious-timeout-ping-timeo-when-failing-p.patch +drbd-avoid-clang-warning-about-pointless-switch-stat.patch +video-clps711x-fb-release-disp-device-node-in-probe.patch +fbdev-fbmem-behave-better-with-small-rotated-display.patch +i40e-define-proper-net_device-neigh_priv_len.patch +igb-fix-an-issue-that-pme-is-not-enabled-during-runt.patch +fbdev-fbcon-fix-unregister-crash-when-more-than-one-.patch +pinctrl-meson-meson8-fix-the-gpio-function-for-the-g.patch +pinctrl-meson-meson8b-fix-the-gpio-function-for-the-.patch +kvm-x86-svm-report-msr_ia32_mcg_ext_ctl-as-unsupport.patch +nfs-nfs_compare_mount_options-always-compare-auth-fl.patch +hwmon-lm80-fix-a-missing-check-of-the-status-of-smbu.patch +hwmon-lm80-fix-a-missing-check-of-bus-read-in-lm80-p.patch +seq_buf-make-seq_buf_puts-null-terminate-the-buffer.patch +crypto-ux500-use-proper-enum-in-cryp_set_dma_transfe.patch +crypto-ux500-use-proper-enum-in-hash_set_dma_transfe.patch +mips-ralink-select-config_cpu_mipsr2_irq_vi-on-mt762.patch +cifs-check-ntwrk_buf_start-for-null-before-dereferen.patch +um-avoid-marking-pages-with-changed-protection.patch +niu-fix-missing-checks-of-niu_pci_eeprom_read.patch +f2fs-fix-sbi-extent_list-corruption-issue.patch +scripts-decode_stacktrace-only-strip-base-path-when-.patch +ocfs2-don-t-clear-bh-uptodate-for-block-read.patch +isdn-hisax-hfc_pci-fix-a-possible-concurrency-use-af.patch +gdrom-fix-a-memory-leak-bug.patch +fsl-fman-use-gfp_atomic-in-memac-tgec-_add_hash_mac_.patch +block-swim3-fix-ebusy-error-when-re-opening-device-a.patch +thermal-generic-adc-fix-adc-to-temp-interpolation.patch +hid-lenovo-add-checks-to-fix-of_led_classdev_registe.patch +fs-proc-base.c-use-ns_capable-instead-of-capable-for.patch +kernel-hung_task.c-break-rcu-locks-based-on-jiffies.patch +proc-sysctl-fix-return-error-for-proc_doulongvec_min.patch +fs-epoll-drop-ovflist-branch-prediction.patch +exec-load_script-don-t-blindly-truncate-shebang-stri.patch diff --git a/queue-4.9/smack-fix-access-permissions-for-keyring.patch b/queue-4.9/smack-fix-access-permissions-for-keyring.patch new file mode 100644 index 00000000000..48c5b3fd51a --- /dev/null +++ b/queue-4.9/smack-fix-access-permissions-for-keyring.patch @@ -0,0 +1,66 @@ +From 30673d6465da7d1b0fcd3af76224034845a64236 Mon Sep 17 00:00:00 2001 +From: Zoran Markovic +Date: Wed, 17 Oct 2018 16:25:44 -0700 +Subject: smack: fix access permissions for keyring + +[ Upstream commit 5b841bfab695e3b8ae793172a9ff7990f99cc3e2 ] + +Function smack_key_permission() only issues smack requests for the +following operations: + - KEY_NEED_READ (issues MAY_READ) + - KEY_NEED_WRITE (issues MAY_WRITE) + - KEY_NEED_LINK (issues MAY_WRITE) + - KEY_NEED_SETATTR (issues MAY_WRITE) +A blank smack request is issued in all other cases, resulting in +smack access being granted if there is any rule defined between +subject and object, or denied with -EACCES otherwise. + +Request MAY_READ access for KEY_NEED_SEARCH and KEY_NEED_VIEW. +Fix the logic in the unlikely case when both MAY_READ and +MAY_WRITE are needed. Validate access permission field for valid +contents. + +Signed-off-by: Zoran Markovic +Signed-off-by: Casey Schaufler +Cc: Casey Schaufler +Cc: James Morris +Cc: "Serge E. Hallyn" +Signed-off-by: Sasha Levin +--- + security/smack/smack_lsm.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c +index fb7c534fb57d..aeb3ba70f907 100644 +--- a/security/smack/smack_lsm.c ++++ b/security/smack/smack_lsm.c +@@ -4362,6 +4362,12 @@ static int smack_key_permission(key_ref_t key_ref, + int request = 0; + int rc; + ++ /* ++ * Validate requested permissions ++ */ ++ if (perm & ~KEY_NEED_ALL) ++ return -EINVAL; ++ + keyp = key_ref_to_ptr(key_ref); + if (keyp == NULL) + return -EINVAL; +@@ -4381,10 +4387,10 @@ static int smack_key_permission(key_ref_t key_ref, + ad.a.u.key_struct.key = keyp->serial; + ad.a.u.key_struct.key_desc = keyp->description; + #endif +- if (perm & KEY_NEED_READ) +- request = MAY_READ; ++ if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW)) ++ request |= MAY_READ; + if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR)) +- request = MAY_WRITE; ++ request |= MAY_WRITE; + rc = smk_access(tkp, keyp->security, request, &ad); + rc = smk_bu_note("key access", tkp, keyp->security, request, rc); + return rc; +-- +2.19.1 + diff --git a/queue-4.9/soc-bcm-brcmstb-don-t-leak-device-tree-node-referenc.patch b/queue-4.9/soc-bcm-brcmstb-don-t-leak-device-tree-node-referenc.patch new file mode 100644 index 00000000000..438d618acd7 --- /dev/null +++ b/queue-4.9/soc-bcm-brcmstb-don-t-leak-device-tree-node-referenc.patch @@ -0,0 +1,47 @@ +From a74f1279a57edd08060cb8f26c38a3a2796cedad Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Sat, 24 Nov 2018 09:52:23 -0500 +Subject: soc: bcm: brcmstb: Don't leak device tree node reference + +[ Upstream commit 1861a7f07e02292830a1ca256328d370deefea30 ] + +of_find_node_by_path() acquires a reference to the node returned by it +and that reference needs to be dropped by its caller. soc_is_brcmstb() +doesn't do that, so fix it. + +[treding: slightly rewrite to avoid inline comparison] + +Fixes: d52fad262041 ("soc: add stubs for brcmstb SoC's") +Signed-off-by: Yangtao Li +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +--- + drivers/soc/bcm/brcmstb/common.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/bcm/brcmstb/common.c b/drivers/soc/bcm/brcmstb/common.c +index 94e7335553f4..3f6063b639ac 100644 +--- a/drivers/soc/bcm/brcmstb/common.c ++++ b/drivers/soc/bcm/brcmstb/common.c +@@ -31,13 +31,17 @@ static const struct of_device_id brcmstb_machine_match[] = { + + bool soc_is_brcmstb(void) + { ++ const struct of_device_id *match; + struct device_node *root; + + root = of_find_node_by_path("/"); + if (!root) + return false; + +- return of_match_node(brcmstb_machine_match, root) != NULL; ++ match = of_match_node(brcmstb_machine_match, root); ++ of_node_put(root); ++ ++ return match != NULL; + } + + static const struct of_device_id sun_top_ctrl_match[] = { +-- +2.19.1 + diff --git a/queue-4.9/soc-tegra-don-t-leak-device-tree-node-reference.patch b/queue-4.9/soc-tegra-don-t-leak-device-tree-node-reference.patch new file mode 100644 index 00000000000..8c80473ae8d --- /dev/null +++ b/queue-4.9/soc-tegra-don-t-leak-device-tree-node-reference.patch @@ -0,0 +1,44 @@ +From 2898c5c9680a38bf60eb07f028a7662f6520a87f Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Wed, 21 Nov 2018 07:49:12 -0500 +Subject: soc/tegra: Don't leak device tree node reference + +[ Upstream commit 9eb40fa2cd2d1f6829e7b49bb22692f754b9cfe0 ] + +of_find_node_by_path() acquires a reference to the node returned by it +and that reference needs to be dropped by its caller. soc_is_tegra() +doesn't do that, so fix it. + +Signed-off-by: Yangtao Li +Acked-by: Jon Hunter +[treding: slightly rewrite to avoid inline comparison] +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +--- + drivers/soc/tegra/common.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/soc/tegra/common.c b/drivers/soc/tegra/common.c +index cd8f41351add..7bfb154d6fa5 100644 +--- a/drivers/soc/tegra/common.c ++++ b/drivers/soc/tegra/common.c +@@ -22,11 +22,15 @@ static const struct of_device_id tegra_machine_match[] = { + + bool soc_is_tegra(void) + { ++ const struct of_device_id *match; + struct device_node *root; + + root = of_find_node_by_path("/"); + if (!root) + return false; + +- return of_match_node(tegra_machine_match, root) != NULL; ++ match = of_match_node(tegra_machine_match, root); ++ of_node_put(root); ++ ++ return match != NULL; + } +-- +2.19.1 + diff --git a/queue-4.9/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch b/queue-4.9/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch new file mode 100644 index 00000000000..9cd7ef35f83 --- /dev/null +++ b/queue-4.9/staging-iio-ad2s90-make-probe-handle-spi_setup-failu.patch @@ -0,0 +1,46 @@ +From c22e7b1aab4328dcb6f4915c9988992e3022e43d Mon Sep 17 00:00:00 2001 +From: Matheus Tavares +Date: Sat, 3 Nov 2018 19:49:44 -0300 +Subject: staging:iio:ad2s90: Make probe handle spi_setup failure + +[ Upstream commit b3a3eafeef769c6982e15f83631dcbf8d1794efb ] + +Previously, ad2s90_probe ignored the return code from spi_setup, not +handling its possible failure. This patch makes ad2s90_probe check if +the code is an error code and, if so, do the following: + +- Call dev_err with an appropriate error message. +- Return the spi_setup's error code. + +Note: The 'return ret' statement could be out of the 'if' block, but +this whole block will be moved up in the function in the patch: +'staging:iio:ad2s90: Move device registration to the end of probe'. + +Signed-off-by: Matheus Tavares +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/resolver/ad2s90.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/resolver/ad2s90.c b/drivers/staging/iio/resolver/ad2s90.c +index 5b1c0db33e7f..b44253eb62ec 100644 +--- a/drivers/staging/iio/resolver/ad2s90.c ++++ b/drivers/staging/iio/resolver/ad2s90.c +@@ -86,7 +86,12 @@ static int ad2s90_probe(struct spi_device *spi) + /* need 600ns between CS and the first falling edge of SCLK */ + spi->max_speed_hz = 830000; + spi->mode = SPI_MODE_3; +- spi_setup(spi); ++ ret = spi_setup(spi); ++ ++ if (ret < 0) { ++ dev_err(&spi->dev, "spi_setup failed!\n"); ++ return ret; ++ } + + return 0; + } +-- +2.19.1 + diff --git a/queue-4.9/staging-iio-ad7780-update-voltage-on-read.patch b/queue-4.9/staging-iio-ad7780-update-voltage-on-read.patch new file mode 100644 index 00000000000..4735652d287 --- /dev/null +++ b/queue-4.9/staging-iio-ad7780-update-voltage-on-read.patch @@ -0,0 +1,44 @@ +From 75af5e5de290237ad8e4557f745ecf92cb8b38cf Mon Sep 17 00:00:00 2001 +From: Renato Lui Geh +Date: Mon, 5 Nov 2018 17:14:58 -0200 +Subject: staging: iio: ad7780: update voltage on read + +[ Upstream commit 336650c785b62c3bea7c8cf6061c933a90241f67 ] + +The ad7780 driver previously did not read the correct device output, as +it read an outdated value set at initialization. It now updates its +voltage on read. + +Signed-off-by: Renato Lui Geh +Acked-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7780.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/iio/adc/ad7780.c b/drivers/staging/iio/adc/ad7780.c +index c9a0c2aa602f..5d163386ab6e 100644 +--- a/drivers/staging/iio/adc/ad7780.c ++++ b/drivers/staging/iio/adc/ad7780.c +@@ -87,12 +87,16 @@ static int ad7780_read_raw(struct iio_dev *indio_dev, + long m) + { + struct ad7780_state *st = iio_priv(indio_dev); ++ int voltage_uv; + + switch (m) { + case IIO_CHAN_INFO_RAW: + return ad_sigma_delta_single_conversion(indio_dev, chan, val); + case IIO_CHAN_INFO_SCALE: +- *val = st->int_vref_mv * st->gain; ++ voltage_uv = regulator_get_voltage(st->reg); ++ if (voltage_uv < 0) ++ return voltage_uv; ++ *val = (voltage_uv / 1000) * st->gain; + *val2 = chan->scan_type.realbits - 1; + return IIO_VAL_FRACTIONAL_LOG2; + case IIO_CHAN_INFO_OFFSET: +-- +2.19.1 + diff --git a/queue-4.9/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch b/queue-4.9/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch new file mode 100644 index 00000000000..63cece36bd2 --- /dev/null +++ b/queue-4.9/staging-iio-adc-ad7280a-handle-error-from-__ad7280_r.patch @@ -0,0 +1,70 @@ +From 1f55bdb7ed6c96a44b60cb09013a0998ccd07a6c Mon Sep 17 00:00:00 2001 +From: Slawomir Stepien +Date: Sat, 20 Oct 2018 23:04:11 +0200 +Subject: staging: iio: adc: ad7280a: handle error from __ad7280_read32() + +[ Upstream commit 0559ef7fde67bc6c83c6eb6329dbd6649528263e ] + +Inside __ad7280_read32(), the spi_sync_transfer() can fail with negative +error code. This change will ensure that this error is being passed up +in the call stack, so it can be handled. + +Signed-off-by: Slawomir Stepien +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/staging/iio/adc/ad7280a.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c +index b460dda7eb65..dec25fadba8c 100644 +--- a/drivers/staging/iio/adc/ad7280a.c ++++ b/drivers/staging/iio/adc/ad7280a.c +@@ -250,7 +250,9 @@ static int ad7280_read(struct ad7280_state *st, unsigned int devaddr, + if (ret) + return ret; + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -288,7 +290,9 @@ static int ad7280_read_channel(struct ad7280_state *st, unsigned int devaddr, + + ad7280_delay(st); + +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -321,7 +325,9 @@ static int ad7280_read_all_channels(struct ad7280_state *st, unsigned int cnt, + ad7280_delay(st); + + for (i = 0; i < cnt; i++) { +- __ad7280_read32(st, &tmp); ++ ret = __ad7280_read32(st, &tmp); ++ if (ret) ++ return ret; + + if (ad7280_check_crc(st, tmp)) + return -EIO; +@@ -364,7 +370,10 @@ static int ad7280_chain_setup(struct ad7280_state *st) + return ret; + + for (n = 0; n <= AD7280A_MAX_CHAIN; n++) { +- __ad7280_read32(st, &val); ++ ret = __ad7280_read32(st, &val); ++ if (ret) ++ return ret; ++ + if (val == 0) + return n - 1; + +-- +2.19.1 + diff --git a/queue-4.9/sunvdc-do-not-spin-in-an-infinite-loop-when-vio_ldc_.patch b/queue-4.9/sunvdc-do-not-spin-in-an-infinite-loop-when-vio_ldc_.patch new file mode 100644 index 00000000000..5ce7a530be6 --- /dev/null +++ b/queue-4.9/sunvdc-do-not-spin-in-an-infinite-loop-when-vio_ldc_.patch @@ -0,0 +1,54 @@ +From 1c82b3abe8774152d8e82c24d0f246518875dbd7 Mon Sep 17 00:00:00 2001 +From: Young Xiao +Date: Wed, 28 Nov 2018 12:36:39 +0000 +Subject: sunvdc: Do not spin in an infinite loop when vio_ldc_send() returns + EAGAIN + +[ Upstream commit a11f6ca9aef989b56cd31ff4ee2af4fb31a172ec ] + +__vdc_tx_trigger should only loop on EAGAIN a finite +number of times. + +See commit adddc32d6fde ("sunvnet: Do not spin in an +infinite loop when vio_ldc_send() returns EAGAIN") for detail. + +Signed-off-by: Young Xiao +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/sunvdc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/block/sunvdc.c b/drivers/block/sunvdc.c +index cab157331c4e..c6d43a2a807d 100644 +--- a/drivers/block/sunvdc.c ++++ b/drivers/block/sunvdc.c +@@ -40,6 +40,8 @@ MODULE_VERSION(DRV_MODULE_VERSION); + #define WAITING_FOR_GEN_CMD 0x04 + #define WAITING_FOR_ANY -1 + ++#define VDC_MAX_RETRIES 10 ++ + static struct workqueue_struct *sunvdc_wq; + + struct vdc_req_entry { +@@ -419,6 +421,7 @@ static int __vdc_tx_trigger(struct vdc_port *port) + .end_idx = dr->prod, + }; + int err, delay; ++ int retries = 0; + + hdr.seq = dr->snd_nxt; + delay = 1; +@@ -431,6 +434,8 @@ static int __vdc_tx_trigger(struct vdc_port *port) + udelay(delay); + if ((delay <<= 1) > 128) + delay = 128; ++ if (retries++ > VDC_MAX_RETRIES) ++ break; + } while (err == -EAGAIN); + + if (err == -ENOTCONN) +-- +2.19.1 + diff --git a/queue-4.9/thermal-do-not-clear-passive-state-during-system-sle.patch b/queue-4.9/thermal-do-not-clear-passive-state-during-system-sle.patch new file mode 100644 index 00000000000..ec4a3bc47f8 --- /dev/null +++ b/queue-4.9/thermal-do-not-clear-passive-state-during-system-sle.patch @@ -0,0 +1,68 @@ +From db2d8c2ab5ceb8d2acf76312f2dfc94674f20a26 Mon Sep 17 00:00:00 2001 +From: Wei Wang +Date: Wed, 7 Nov 2018 14:36:11 -0800 +Subject: Thermal: do not clear passive state during system sleep + +[ Upstream commit 964f4843a455d2ffb199512b08be8d5f077c4cac ] + +commit ff140fea847e ("Thermal: handle thermal zone device properly +during system sleep") added PM hook to call thermal zone reset during +sleep. However resetting thermal zone will also clear the passive state +and thus cancel the polling queue which leads the passive cooling device +state not being cleared properly after sleep. + +thermal_pm_notify => thermal_zone_device_reset set passive to 0 +thermal_zone_trip_update will skip update passive as `old_target == +instance->target'. +monitor_thermal_zone => thermal_zone_device_set_polling will cancel +tz->poll_queue, so the cooling device state will not be changed +afterwards. + +Reported-by: Kame Wang +Signed-off-by: Wei Wang +Signed-off-by: Zhang Rui +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 226b0b4aced6..cd82ae34ddfa 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -597,16 +597,20 @@ static void update_temperature(struct thermal_zone_device *tz) + tz->last_temperature, tz->temperature); + } + +-static void thermal_zone_device_reset(struct thermal_zone_device *tz) ++static void thermal_zone_device_init(struct thermal_zone_device *tz) + { + struct thermal_instance *pos; +- + tz->temperature = THERMAL_TEMP_INVALID; +- tz->passive = 0; + list_for_each_entry(pos, &tz->thermal_instances, tz_node) + pos->initialized = false; + } + ++static void thermal_zone_device_reset(struct thermal_zone_device *tz) ++{ ++ tz->passive = 0; ++ thermal_zone_device_init(tz); ++} ++ + void thermal_zone_device_update(struct thermal_zone_device *tz, + enum thermal_notify_event event) + { +@@ -2297,7 +2301,7 @@ static int thermal_pm_notify(struct notifier_block *nb, + case PM_POST_SUSPEND: + atomic_set(&in_suspend, 0); + list_for_each_entry(tz, &thermal_tz_list, node) { +- thermal_zone_device_reset(tz); ++ thermal_zone_device_init(tz); + thermal_zone_device_update(tz, + THERMAL_EVENT_UNSPECIFIED); + } +-- +2.19.1 + diff --git a/queue-4.9/thermal-generic-adc-fix-adc-to-temp-interpolation.patch b/queue-4.9/thermal-generic-adc-fix-adc-to-temp-interpolation.patch new file mode 100644 index 00000000000..ee98368fb48 --- /dev/null +++ b/queue-4.9/thermal-generic-adc-fix-adc-to-temp-interpolation.patch @@ -0,0 +1,63 @@ +From ed28dea6faaa1d3d461e2bff87b569479e4b2c25 Mon Sep 17 00:00:00 2001 +From: Bjorn Andersson +Date: Sun, 23 Dec 2018 23:26:44 -0800 +Subject: thermal: generic-adc: Fix adc to temp interpolation + +[ Upstream commit 9d216211fded20fff301d0317af3238d8383634c ] + +First correct the edge case to return the last element if we're +outside the range, rather than at the last element, so that +interpolation is not omitted for points between the two last entries in +the table. + +Then correct the formula to perform linear interpolation based the two +points surrounding the read ADC value. The indices for temp are kept as +"hi" and "lo" to pair with the adc indices, but there's no requirement +that the temperature is provided in descendent order. mult_frac() is +used to prevent issues with overflowing the int. + +Cc: Laxman Dewangan +Signed-off-by: Bjorn Andersson +Signed-off-by: Eduardo Valentin +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal-generic-adc.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/thermal/thermal-generic-adc.c b/drivers/thermal/thermal-generic-adc.c +index 73f55d6a1721..ad601e5b4175 100644 +--- a/drivers/thermal/thermal-generic-adc.c ++++ b/drivers/thermal/thermal-generic-adc.c +@@ -26,7 +26,7 @@ struct gadc_thermal_info { + + static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val) + { +- int temp, adc_hi, adc_lo; ++ int temp, temp_hi, temp_lo, adc_hi, adc_lo; + int i; + + for (i = 0; i < gti->nlookup_table; i++) { +@@ -36,13 +36,17 @@ static int gadc_thermal_adc_to_temp(struct gadc_thermal_info *gti, int val) + + if (i == 0) { + temp = gti->lookup_table[0]; +- } else if (i >= (gti->nlookup_table - 1)) { ++ } else if (i >= gti->nlookup_table) { + temp = gti->lookup_table[2 * (gti->nlookup_table - 1)]; + } else { + adc_hi = gti->lookup_table[2 * i - 1]; + adc_lo = gti->lookup_table[2 * i + 1]; +- temp = gti->lookup_table[2 * i]; +- temp -= ((val - adc_lo) * 1000) / (adc_hi - adc_lo); ++ ++ temp_hi = gti->lookup_table[2 * i - 2]; ++ temp_lo = gti->lookup_table[2 * i]; ++ ++ temp = temp_hi + mult_frac(temp_lo - temp_hi, val - adc_hi, ++ adc_lo - adc_hi); + } + + return temp; +-- +2.19.1 + diff --git a/queue-4.9/timekeeping-use-proper-seqcount-initializer.patch b/queue-4.9/timekeeping-use-proper-seqcount-initializer.patch new file mode 100644 index 00000000000..9d1c084ee39 --- /dev/null +++ b/queue-4.9/timekeeping-use-proper-seqcount-initializer.patch @@ -0,0 +1,45 @@ +From 02237aa1ef35c6b3e19094c932f42451eaac6d11 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Wed, 28 Nov 2018 15:43:09 -0800 +Subject: timekeeping: Use proper seqcount initializer + +[ Upstream commit ce10a5b3954f2514af726beb78ed8d7350c5e41c ] + +tk_core.seq is initialized open coded, but that misses to initialize the +lockdep map when lockdep is enabled. Lockdep splats involving tk_core seq +consequently lack a name and are hard to read. + +Use the proper initializer which takes care of the lockdep map +initialization. + +[ tglx: Massaged changelog ] + +Signed-off-by: Bart Van Assche +Signed-off-by: Thomas Gleixner +Cc: peterz@infradead.org +Cc: tj@kernel.org +Cc: johannes.berg@intel.com +Link: https://lkml.kernel.org/r/20181128234325.110011-12-bvanassche@acm.org +Signed-off-by: Sasha Levin +--- + kernel/time/timekeeping.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c +index d831827d7ab0..e24e1f0c5690 100644 +--- a/kernel/time/timekeeping.c ++++ b/kernel/time/timekeeping.c +@@ -39,7 +39,9 @@ + static struct { + seqcount_t seq; + struct timekeeper timekeeper; +-} tk_core ____cacheline_aligned; ++} tk_core ____cacheline_aligned = { ++ .seq = SEQCNT_ZERO(tk_core.seq), ++}; + + static DEFINE_RAW_SPINLOCK(timekeeper_lock); + static struct timekeeper shadow_timekeeper; +-- +2.19.1 + diff --git a/queue-4.9/tracing-have-trace_stack-nr_entries-compare-not-be-s.patch b/queue-4.9/tracing-have-trace_stack-nr_entries-compare-not-be-s.patch new file mode 100644 index 00000000000..acb97894a02 --- /dev/null +++ b/queue-4.9/tracing-have-trace_stack-nr_entries-compare-not-be-s.patch @@ -0,0 +1,65 @@ +From 524d1667c8df34808d91ea4fb2d1a8235d86fc4d Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 20 Jun 2018 14:08:00 +0300 +Subject: tracing: Have trace_stack nr_entries compare not be so subtle + +[ Upstream commit ca16b0fbb05242f18da9d810c07d3882ffed831c ] + +Dan Carpenter reviewed the trace_stack.c code and figured he found an off by +one bug. + + "From reviewing the code, it seems possible for + stack_trace_max.nr_entries to be set to .max_entries and in that case we + would be reading one element beyond the end of the stack_dump_trace[] + array. If it's not set to .max_entries then the bug doesn't affect + runtime." + +Although it looks to be the case, it is not. Because we have: + + static unsigned long stack_dump_trace[STACK_TRACE_ENTRIES+1] = + { [0 ... (STACK_TRACE_ENTRIES)] = ULONG_MAX }; + + struct stack_trace stack_trace_max = { + .max_entries = STACK_TRACE_ENTRIES - 1, + .entries = &stack_dump_trace[0], + }; + +And: + + stack_trace_max.nr_entries = x; + for (; x < i; x++) + stack_dump_trace[x] = ULONG_MAX; + +Even if nr_entries equals max_entries, indexing with it into the +stack_dump_trace[] array will not overflow the array. But if it is the case, +the second part of the conditional that tests stack_dump_trace[nr_entries] +to ULONG_MAX will always be true. + +By applying Dan's patch, it removes the subtle aspect of it and makes the if +conditional slightly more efficient. + +Link: http://lkml.kernel.org/r/20180620110758.crunhd5bfep7zuiz@kili.mountain + +Signed-off-by: Dan Carpenter +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_stack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c +index 2a1abbaca10e..f9255740411e 100644 +--- a/kernel/trace/trace_stack.c ++++ b/kernel/trace/trace_stack.c +@@ -290,7 +290,7 @@ __next(struct seq_file *m, loff_t *pos) + { + long n = *pos - 1; + +- if (n > stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX) ++ if (n >= stack_trace_max.nr_entries || stack_dump_trace[n] == ULONG_MAX) + return NULL; + + m->private = (void *)n; +-- +2.19.1 + diff --git a/queue-4.9/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch b/queue-4.9/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch new file mode 100644 index 00000000000..8d9c02b1d81 --- /dev/null +++ b/queue-4.9/tty-serial-samsung-properly-set-flags-in-autocts-mod.patch @@ -0,0 +1,45 @@ +From 1ebf90f8d9b6db29f32b03c20d76caf50202169f Mon Sep 17 00:00:00 2001 +From: Beomho Seo +Date: Fri, 14 Dec 2018 12:34:08 +0100 +Subject: tty: serial: samsung: Properly set flags in autoCTS mode + +[ Upstream commit 31e933645742ee6719d37573a27cce0761dcf92b ] + +Commit 391f93f2ec9f ("serial: core: Rework hw-assited flow control support") +has changed the way the autoCTS mode is handled. + +According to that change, serial drivers which enable H/W autoCTS mode must +set UPSTAT_AUTOCTS to prevent the serial core from inadvertently disabling +TX. This patch adds proper handling of UPSTAT_AUTOCTS flag. + +Signed-off-by: Beomho Seo +[mszyprow: rephrased commit message] +Signed-off-by: Marek Szyprowski +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/samsung.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c +index 5609305b3676..01ff8ec78023 100644 +--- a/drivers/tty/serial/samsung.c ++++ b/drivers/tty/serial/samsung.c +@@ -1335,11 +1335,14 @@ static void s3c24xx_serial_set_termios(struct uart_port *port, + wr_regl(port, S3C2410_ULCON, ulcon); + wr_regl(port, S3C2410_UBRDIV, quot); + ++ port->status &= ~UPSTAT_AUTOCTS; ++ + umcon = rd_regl(port, S3C2410_UMCON); + if (termios->c_cflag & CRTSCTS) { + umcon |= S3C2410_UMCOM_AFC; + /* Disable RTS when RX FIFO contains 63 bytes */ + umcon &= ~S3C2412_UMCON_AFC_8; ++ port->status = UPSTAT_AUTOCTS; + } else { + umcon &= ~S3C2410_UMCOM_AFC; + } +-- +2.19.1 + diff --git a/queue-4.9/udf-fix-bug-on-corrupted-inode.patch b/queue-4.9/udf-fix-bug-on-corrupted-inode.patch new file mode 100644 index 00000000000..3997f7b3528 --- /dev/null +++ b/queue-4.9/udf-fix-bug-on-corrupted-inode.patch @@ -0,0 +1,38 @@ +From 66a581d5782e9e4fddf09deb37431bc41ef51b0c Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 12 Dec 2018 14:29:20 +0100 +Subject: udf: Fix BUG on corrupted inode + +[ Upstream commit d288d95842f1503414b7eebce3773bac3390457e ] + +When inode is corrupted so that extent type is invalid, some functions +(such as udf_truncate_extents()) will just BUG. Check that extent type +is valid when loading the inode to memory. + +Reported-by: Anatoly Trosinenko +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 035943501b9f..fd817022cb9b 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1372,6 +1372,12 @@ reread: + + iinfo->i_alloc_type = le16_to_cpu(fe->icbTag.flags) & + ICBTAG_FLAG_AD_MASK; ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_SHORT && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_LONG && ++ iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB) { ++ ret = -EIO; ++ goto out; ++ } + iinfo->i_unique = 0; + iinfo->i_lenEAttr = 0; + iinfo->i_lenExtents = 0; +-- +2.19.1 + diff --git a/queue-4.9/um-avoid-marking-pages-with-changed-protection.patch b/queue-4.9/um-avoid-marking-pages-with-changed-protection.patch new file mode 100644 index 00000000000..74bf0b63ef2 --- /dev/null +++ b/queue-4.9/um-avoid-marking-pages-with-changed-protection.patch @@ -0,0 +1,56 @@ +From c26727564812ddf86f9156b1280fda041d09d5af Mon Sep 17 00:00:00 2001 +From: Anton Ivanov +Date: Wed, 5 Dec 2018 12:37:41 +0000 +Subject: um: Avoid marking pages with "changed protection" + +[ Upstream commit 8892d8545f2d0342b9c550defbfb165db237044b ] + +Changing protection is a very high cost operation in UML +because in addition to an extra syscall it also interrupts +mmap merge sequences generated by the tlb. + +While the condition is not particularly common it is worth +avoiding. + +Signed-off-by: Anton Ivanov +Signed-off-by: Richard Weinberger +Signed-off-by: Sasha Levin +--- + arch/um/include/asm/pgtable.h | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/arch/um/include/asm/pgtable.h b/arch/um/include/asm/pgtable.h +index 7485398d0737..9c04562310b3 100644 +--- a/arch/um/include/asm/pgtable.h ++++ b/arch/um/include/asm/pgtable.h +@@ -197,12 +197,17 @@ static inline pte_t pte_mkold(pte_t pte) + + static inline pte_t pte_wrprotect(pte_t pte) + { +- pte_clear_bits(pte, _PAGE_RW); ++ if (likely(pte_get_bits(pte, _PAGE_RW))) ++ pte_clear_bits(pte, _PAGE_RW); ++ else ++ return pte; + return(pte_mknewprot(pte)); + } + + static inline pte_t pte_mkread(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_USER))) ++ return pte; + pte_set_bits(pte, _PAGE_USER); + return(pte_mknewprot(pte)); + } +@@ -221,6 +226,8 @@ static inline pte_t pte_mkyoung(pte_t pte) + + static inline pte_t pte_mkwrite(pte_t pte) + { ++ if (unlikely(pte_get_bits(pte, _PAGE_RW))) ++ return pte; + pte_set_bits(pte, _PAGE_RW); + return(pte_mknewprot(pte)); + } +-- +2.19.1 + diff --git a/queue-4.9/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch b/queue-4.9/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch new file mode 100644 index 00000000000..ed871405955 --- /dev/null +++ b/queue-4.9/usb-hub-delay-hub-autosuspend-if-usb3-port-is-still-.patch @@ -0,0 +1,49 @@ +From 21dda6d39a3636b68ee54ed7632ed8934dcd0167 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Wed, 28 Nov 2018 15:55:21 +0200 +Subject: usb: hub: delay hub autosuspend if USB3 port is still link training + +[ Upstream commit e86108940e541febf35813402ff29fa6f4a9ac0b ] + +When initializing a hub we want to give a USB3 port in link training +the same debounce delay time before autosuspening the hub as already +trained, connected enabled ports. + +USB3 ports won't reach the enabled state with "current connect status" and +"connect status change" bits set until the USB3 link training finishes. + +Catching the port in link training (polling) and adding the debounce delay +prevents unnecessary failed attempts to autosuspend the hub. + +Signed-off-by: Mathias Nyman +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/hub.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c +index 67679f619c3b..7b6919086539 100644 +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1108,6 +1108,16 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type) + USB_PORT_FEAT_ENABLE); + } + ++ /* ++ * Add debounce if USB3 link is in polling/link training state. ++ * Link will automatically transition to Enabled state after ++ * link training completes. ++ */ ++ if (hub_is_superspeed(hdev) && ++ ((portstatus & USB_PORT_STAT_LINK_STATE) == ++ USB_SS_PORT_LS_POLLING)) ++ need_debounce_delay = true; ++ + /* Clear status-change flags; we'll debounce later */ + if (portchange & USB_PORT_STAT_C_CONNECTION) { + need_debounce_delay = true; +-- +2.19.1 + diff --git a/queue-4.9/video-clps711x-fb-release-disp-device-node-in-probe.patch b/queue-4.9/video-clps711x-fb-release-disp-device-node-in-probe.patch new file mode 100644 index 00000000000..98585ddbafb --- /dev/null +++ b/queue-4.9/video-clps711x-fb-release-disp-device-node-in-probe.patch @@ -0,0 +1,47 @@ +From 3d39e72ec503b32afbbb23a6cd969c49b5df4aa7 Mon Sep 17 00:00:00 2001 +From: Alexey Khoroshilov +Date: Thu, 20 Dec 2018 19:13:07 +0100 +Subject: video: clps711x-fb: release disp device node in probe() + +[ Upstream commit fdac751355cd76e049f628afe6acb8ff4b1399f7 ] + +clps711x_fb_probe() increments refcnt of disp device node by +of_parse_phandle() and leaves it undecremented on both +successful and error paths. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Cc: Alexander Shiyan +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/clps711x-fb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/clps711x-fb.c b/drivers/video/fbdev/clps711x-fb.c +index ff561073ee4e..42f909618f04 100644 +--- a/drivers/video/fbdev/clps711x-fb.c ++++ b/drivers/video/fbdev/clps711x-fb.c +@@ -287,14 +287,17 @@ static int clps711x_fb_probe(struct platform_device *pdev) + } + + ret = of_get_fb_videomode(disp, &cfb->mode, OF_USE_NATIVE_MODE); +- if (ret) ++ if (ret) { ++ of_node_put(disp); + goto out_fb_release; ++ } + + of_property_read_u32(disp, "ac-prescale", &cfb->ac_prescale); + cfb->cmap_invert = of_property_read_bool(disp, "cmap-invert"); + + ret = of_property_read_u32(disp, "bits-per-pixel", + &info->var.bits_per_pixel); ++ of_node_put(disp); + if (ret) + goto out_fb_release; + +-- +2.19.1 + diff --git a/queue-4.9/x86-fpu-add-might_fault-to-user_insn.patch b/queue-4.9/x86-fpu-add-might_fault-to-user_insn.patch new file mode 100644 index 00000000000..8466f2b1bd7 --- /dev/null +++ b/queue-4.9/x86-fpu-add-might_fault-to-user_insn.patch @@ -0,0 +1,54 @@ +From 010a5049d67c4d0a3c0d607b7e307849a54c87a6 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Wed, 28 Nov 2018 23:20:11 +0100 +Subject: x86/fpu: Add might_fault() to user_insn() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 6637401c35b2f327a35d27f44bda05e327f2f017 ] + +Every user of user_insn() passes an user memory pointer to this macro. + +Add might_fault() to user_insn() so we can spot users which are using +this macro in sections where page faulting is not allowed. + + [ bp: Space it out to make it more visible. ] + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Borislav Petkov +Reviewed-by: Rik van Riel +Cc: "H. Peter Anvin" +Cc: "Jason A. Donenfeld" +Cc: Andy Lutomirski +Cc: Dave Hansen +Cc: Ingo Molnar +Cc: Jann Horn +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Thomas Gleixner +Cc: kvm ML +Cc: x86-ml +Link: https://lkml.kernel.org/r/20181128222035.2996-6-bigeasy@linutronix.de +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/fpu/internal.h | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h +index 499d6ed0e376..21d6fa27b4a9 100644 +--- a/arch/x86/include/asm/fpu/internal.h ++++ b/arch/x86/include/asm/fpu/internal.h +@@ -97,6 +97,9 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu); + #define user_insn(insn, output, input...) \ + ({ \ + int err; \ ++ \ ++ might_fault(); \ ++ \ + asm volatile(ASM_STAC "\n" \ + "1:" #insn "\n\t" \ + "2: " ASM_CLAC "\n" \ +-- +2.19.1 + diff --git a/queue-4.9/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch b/queue-4.9/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch new file mode 100644 index 00000000000..421e02ac7d0 --- /dev/null +++ b/queue-4.9/x86-pci-fix-broadcom-cnb20le-unintended-sign-extensi.patch @@ -0,0 +1,42 @@ +From f64c862d43119755e4fcc6fe6af24cbd93309b71 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 25 Oct 2018 14:52:31 +0100 +Subject: x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) + +[ Upstream commit 53bb565fc5439f2c8c57a786feea5946804aa3e9 ] + +In the expression "word1 << 16", word1 starts as u16, but is promoted to a +signed int, then sign-extended to resource_size_t, which is probably not +what was intended. Cast to resource_size_t to avoid the sign extension. + +This fixes an identical issue as fixed by commit 0b2d70764bb3 ("x86/PCI: +Fix Broadcom CNB20LE unintended sign extension") back in 2014. + +Detected by CoverityScan, CID#138749, 138750 ("Unintended sign extension") + +Fixes: 3f6ea84a3035 ("PCI: read memory ranges out of Broadcom CNB20LE host bridge") +Signed-off-by: Colin Ian King +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +--- + arch/x86/pci/broadcom_bus.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/pci/broadcom_bus.c b/arch/x86/pci/broadcom_bus.c +index 526536c81ddc..ca1e8e6dccc8 100644 +--- a/arch/x86/pci/broadcom_bus.c ++++ b/arch/x86/pci/broadcom_bus.c +@@ -50,8 +50,8 @@ static void __init cnb20le_res(u8 bus, u8 slot, u8 func) + word1 = read_pci_config_16(bus, slot, func, 0xc0); + word2 = read_pci_config_16(bus, slot, func, 0xc2); + if (word1 != word2) { +- res.start = (word1 << 16) | 0x0000; +- res.end = (word2 << 16) | 0xffff; ++ res.start = ((resource_size_t) word1 << 16) | 0x0000; ++ res.end = ((resource_size_t) word2 << 16) | 0xffff; + res.flags = IORESOURCE_MEM; + update_res(info, res.start, res.end, res.flags, 0); + } +-- +2.19.1 + diff --git a/queue-4.9/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch b/queue-4.9/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch new file mode 100644 index 00000000000..cf6b6811964 --- /dev/null +++ b/queue-4.9/xfrm6_tunnel-fix-spi-check-in-__xfrm6_tunnel_alloc_s.patch @@ -0,0 +1,39 @@ +From 17635b2a0c2f71b165241df9e8d3167ff0116183 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Wed, 19 Dec 2018 14:45:09 +0800 +Subject: xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi + +[ Upstream commit fa89a4593b927b3f59c3b69379f31d3b22272e4e ] + +gcc warn this: + +net/ipv6/xfrm6_tunnel.c:143 __xfrm6_tunnel_alloc_spi() warn: + always true condition '(spi <= 4294967295) => (0-u32max <= u32max)' + +'spi' is u32, which always not greater than XFRM6_TUNNEL_SPI_MAX +because of wrap around. So the second forloop will never reach. + +Signed-off-by: YueHaibing +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +--- + net/ipv6/xfrm6_tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c +index e1c0bbe7996c..3a2701d42f47 100644 +--- a/net/ipv6/xfrm6_tunnel.c ++++ b/net/ipv6/xfrm6_tunnel.c +@@ -144,6 +144,9 @@ static u32 __xfrm6_tunnel_alloc_spi(struct net *net, xfrm_address_t *saddr) + index = __xfrm6_tunnel_spi_check(net, spi); + if (index >= 0) + goto alloc_spi; ++ ++ if (spi == XFRM6_TUNNEL_SPI_MAX) ++ break; + } + for (spi = XFRM6_TUNNEL_SPI_MIN; spi < xfrm6_tn->spi; spi++) { + index = __xfrm6_tunnel_spi_check(net, spi); +-- +2.19.1 +