From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 23:46:51 +0000 (-0700) Subject: 4.18-stable patches X-Git-Tag: v4.18.12~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4db217f015d9dde57b382f12b2aa1ed140f0b05;p=thirdparty%2Fkernel%2Fstable-queue.git 4.18-stable patches added patches: block-fix-deadline-elevator-drain-for-zoned-block-devices.patch floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch intel_th-fix-device-removal-logic.patch intel_th-fix-resource-handling-for-acpi-glue-layer.patch regulator-fix-crash-caused-by-null-driver-data.patch regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch serial-cpm_uart-return-immediately-from-console-poll.patch serial-imx-restore-handshaking-irq-for-imx1.patch serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch spi-rspi-fix-interrupted-dma-transfers.patch spi-rspi-fix-invalid-spi-use-during-system-suspend.patch spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch spi-tegra20-slink-explicitly-enable-disable-clock.patch tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch usb-core-safely-deal-with-the-dynamic-quirk-lists.patch usb-fix-error-handling-in-usb_driver_claim_interface.patch usb-handle-null-config-in-usb_find_alt_setting.patch usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch usb-roles-take-care-of-driver-module-reference-counting.patch x86-mm-expand-static-page-table-for-fixmap-space.patch --- diff --git a/queue-4.18/block-fix-deadline-elevator-drain-for-zoned-block-devices.patch b/queue-4.18/block-fix-deadline-elevator-drain-for-zoned-block-devices.patch new file mode 100644 index 00000000000..e06046b2691 --- /dev/null +++ b/queue-4.18/block-fix-deadline-elevator-drain-for-zoned-block-devices.patch @@ -0,0 +1,46 @@ +From 854f31ccdd7964c9c2e68da234a3a8aedb51cf6b Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Thu, 27 Sep 2018 10:55:13 +0900 +Subject: block: fix deadline elevator drain for zoned block devices + +From: Damien Le Moal + +commit 854f31ccdd7964c9c2e68da234a3a8aedb51cf6b upstream. + +When the deadline scheduler is used with a zoned block device, writes +to a zone will be dispatched one at a time. This causes the warning +message: + +deadline: forced dispatching is broken (nr_sorted=X), please report this + +to be displayed when switching to another elevator with the legacy I/O +path while write requests to a zone are being retained in the scheduler +queue. + +Prevent this message from being displayed when executing +elv_drain_elevator() for a zoned block device. __blk_drain_queue() will +loop until all writes are dispatched and completed, resulting in the +desired elevator queue drain without extensive modifications to the +deadline code itself to handle forced-dispatch calls. + +Signed-off-by: Damien Le Moal +Fixes: 8dc8146f9c92 ("deadline-iosched: Introduce zone locking support") +Cc: stable@vger.kernel.org +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/elevator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -609,7 +609,7 @@ void elv_drain_elevator(struct request_q + + while (e->type->ops.sq.elevator_dispatch_fn(q, 1)) + ; +- if (q->nr_sorted && printed++ < 10) { ++ if (q->nr_sorted && !blk_queue_is_zoned(q) && printed++ < 10 ) { + printk(KERN_ERR "%s: forced dispatching is broken " + "(nr_sorted=%u), please report this\n", + q->elevator->type->elevator_name, q->nr_sorted); diff --git a/queue-4.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch b/queue-4.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch new file mode 100644 index 00000000000..fe2a5ee3505 --- /dev/null +++ b/queue-4.18/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch @@ -0,0 +1,46 @@ +From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001 +From: Andy Whitcroft +Date: Thu, 20 Sep 2018 09:09:48 -0600 +Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl + +From: Andy Whitcroft + +commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream. + +The final field of a floppy_struct is the field "name", which is a pointer +to a string in kernel memory. The kernel pointer should not be copied to +user memory. The FDGETPRM ioctl copies a floppy_struct to user memory, +including this "name" field. This pointer cannot be used by the user +and it will leak a kernel address to user-space, which will reveal the +location of kernel code and data and undermine KASLR protection. + +Model this code after the compat ioctl which copies the returned data +to a previously cleared temporary structure on the stack (excluding the +name pointer) and copy out to userspace from there. As we already have +an inparam union with an appropriate member and that memory is already +cleared even for read only calls make use of that as a temporary store. + +Based on an initial patch by Brian Belleville. + +CVE-2018-7755 +Signed-off-by: Andy Whitcroft +Broke up long line. +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/floppy.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3470,6 +3470,9 @@ static int fd_locked_ioctl(struct block_ + (struct floppy_struct **)&outparam); + if (ret) + return ret; ++ memcpy(&inparam.g, outparam, ++ offsetof(struct floppy_struct, name)); ++ outparam = &inparam.g; + break; + case FDMSGON: + UDP->flags |= FTD_MSG; diff --git a/queue-4.18/intel_th-fix-device-removal-logic.patch b/queue-4.18/intel_th-fix-device-removal-logic.patch new file mode 100644 index 00000000000..65c9027b084 --- /dev/null +++ b/queue-4.18/intel_th-fix-device-removal-logic.patch @@ -0,0 +1,38 @@ +From 8801922cd94c918e4dc3a108ecaa500c4d40583f Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 18 Sep 2018 16:10:47 +0300 +Subject: intel_th: Fix device removal logic + +From: Alexander Shishkin + +commit 8801922cd94c918e4dc3a108ecaa500c4d40583f upstream. + +Commit a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +brings in new subdevice addition/removal logic that's broken for "host +mode": the SWITCH device has no children to begin with, which is not +handled in the code. This results in a null dereference bug later down +the path. + +This patch fixes the subdevice removal code to handle host mode correctly. + +Signed-off-by: Alexander Shishkin +Fixes: a753bfcfdb1f ("intel_th: Make the switch allocate its subdevices") +CC: stable@vger.kernel.org # v4.14+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -139,7 +139,8 @@ static int intel_th_remove(struct device + th->thdev[i] = NULL; + } + +- th->num_thdevs = lowest; ++ if (lowest >= 0) ++ th->num_thdevs = lowest; + } + + if (thdrv->attr_group) diff --git a/queue-4.18/intel_th-fix-resource-handling-for-acpi-glue-layer.patch b/queue-4.18/intel_th-fix-resource-handling-for-acpi-glue-layer.patch new file mode 100644 index 00000000000..6edac8d2241 --- /dev/null +++ b/queue-4.18/intel_th-fix-resource-handling-for-acpi-glue-layer.patch @@ -0,0 +1,75 @@ +From ebe4582281d6e90972f057318a6edea14810ea48 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Tue, 18 Sep 2018 16:10:48 +0300 +Subject: intel_th: Fix resource handling for ACPI glue layer + +From: Alexander Shishkin + +commit ebe4582281d6e90972f057318a6edea14810ea48 upstream. + +The core of the driver expects the resource array from the glue layer +to be indexed by even numbers, as is the case for 64-bit PCI resources. +This doesn't hold true for others, ACPI in this instance, which leads +to an out-of-bounds access and an ioremap() on whatever address that +access fetches. + +This patch fixes the problem by reading resource array differently based +on whether the 64-bit flag is set, which would indicate PCI glue layer. + +Signed-off-by: Alexander Shishkin +Fixes: ebc57e399b8e ("intel_th: Add ACPI glue layer") +CC: stable@vger.kernel.org # v4.17+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/core.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/intel_th/core.c ++++ b/drivers/hwtracing/intel_th/core.c +@@ -488,7 +488,7 @@ static const struct intel_th_subdevice { + .flags = IORESOURCE_MEM, + }, + { +- .start = TH_MMIO_SW, ++ .start = 1, /* use resource[1] */ + .end = 0, + .flags = IORESOURCE_MEM, + }, +@@ -581,6 +581,7 @@ intel_th_subdevice_alloc(struct intel_th + struct intel_th_device *thdev; + struct resource res[3]; + unsigned int req = 0; ++ bool is64bit = false; + int r, err; + + thdev = intel_th_device_alloc(th, subdev->type, subdev->name, +@@ -590,12 +591,18 @@ intel_th_subdevice_alloc(struct intel_th + + thdev->drvdata = th->drvdata; + ++ for (r = 0; r < th->num_resources; r++) ++ if (th->resource[r].flags & IORESOURCE_MEM_64) { ++ is64bit = true; ++ break; ++ } ++ + memcpy(res, subdev->res, + sizeof(struct resource) * subdev->nres); + + for (r = 0; r < subdev->nres; r++) { + struct resource *devres = th->resource; +- int bar = TH_MMIO_CONFIG; ++ int bar = 0; /* cut subdevices' MMIO from resource[0] */ + + /* + * Take .end == 0 to mean 'take the whole bar', +@@ -604,6 +611,8 @@ intel_th_subdevice_alloc(struct intel_th + */ + if (!res[r].end && res[r].flags == IORESOURCE_MEM) { + bar = res[r].start; ++ if (is64bit) ++ bar *= 2; + res[r].start = 0; + res[r].end = resource_size(&devres[bar]) - 1; + } diff --git a/queue-4.18/regulator-fix-crash-caused-by-null-driver-data.patch b/queue-4.18/regulator-fix-crash-caused-by-null-driver-data.patch new file mode 100644 index 00000000000..21729b5038a --- /dev/null +++ b/queue-4.18/regulator-fix-crash-caused-by-null-driver-data.patch @@ -0,0 +1,42 @@ +From fb6de923ca3358a91525552b4907d4cb38730bdd Mon Sep 17 00:00:00 2001 +From: Yu Zhao +Date: Wed, 19 Sep 2018 15:30:51 -0600 +Subject: regulator: fix crash caused by null driver data + +From: Yu Zhao + +commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream. + +dev_set_drvdata() needs to be called before device_register() +exposes device to userspace. Otherwise kernel crashes after it +gets null pointer from dev_get_drvdata() when userspace tries +to access sysfs entries. + +[Removed backtrace for length -- broonie] + +Signed-off-by: Yu Zhao +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -4381,13 +4381,13 @@ regulator_register(const struct regulato + !rdev->desc->fixed_uV) + rdev->is_switch = true; + ++ dev_set_drvdata(&rdev->dev, rdev); + ret = device_register(&rdev->dev); + if (ret != 0) { + put_device(&rdev->dev); + goto unset_supplies; + } + +- dev_set_drvdata(&rdev->dev, rdev); + rdev_init_debugfs(rdev); + + /* try to resolve regulators supply since a new one was registered */ diff --git a/queue-4.18/regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch b/queue-4.18/regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch new file mode 100644 index 00000000000..38f6144839f --- /dev/null +++ b/queue-4.18/regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch @@ -0,0 +1,70 @@ +From 3edd79cf5a44b12dbb13bc320f5788aed6562b36 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Mon, 3 Sep 2018 16:49:37 +0200 +Subject: regulator: Fix 'do-nothing' value for regulators without suspend state + +From: Marek Szyprowski + +commit 3edd79cf5a44b12dbb13bc320f5788aed6562b36 upstream. + +Some regulators don't have all states defined and in such cases regulator +core should not assume anything. However in current implementation +of of_get_regulation_constraints() DO_NOTHING_IN_SUSPEND enable value was +set only for regulators which had suspend node defined, otherwise the +default 0 value was used, what means DISABLE_IN_SUSPEND. This lead to +broken system suspend/resume on boards, which had simple regulator +constraints definition (without suspend state nodes). + +To avoid further mismatches between the default and uninitialized values +of the suspend enabled/disabled states, change the values of the them, +so default '0' means DO_NOTHING_IN_SUSPEND. + +Fixes: 72069f9957a1: regulator: leave one item to record whether regulator is enabled +Signed-off-by: Marek Szyprowski +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/core.c | 2 +- + drivers/regulator/of_regulator.c | 2 -- + include/linux/regulator/machine.h | 6 +++--- + 3 files changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -3147,7 +3147,7 @@ static inline int regulator_suspend_togg + if (!rstate->changeable) + return -EPERM; + +- rstate->enabled = en; ++ rstate->enabled = (en) ? ENABLE_IN_SUSPEND : DISABLE_IN_SUSPEND; + + return 0; + } +--- a/drivers/regulator/of_regulator.c ++++ b/drivers/regulator/of_regulator.c +@@ -213,8 +213,6 @@ static void of_get_regulation_constraint + else if (of_property_read_bool(suspend_np, + "regulator-off-in-suspend")) + suspend_state->enabled = DISABLE_IN_SUSPEND; +- else +- suspend_state->enabled = DO_NOTHING_IN_SUSPEND; + + if (!of_property_read_u32(np, "regulator-suspend-min-microvolt", + &pval)) +--- a/include/linux/regulator/machine.h ++++ b/include/linux/regulator/machine.h +@@ -48,9 +48,9 @@ struct regulator; + * DISABLE_IN_SUSPEND - turn off regulator in suspend states + * ENABLE_IN_SUSPEND - keep regulator on in suspend states + */ +-#define DO_NOTHING_IN_SUSPEND (-1) +-#define DISABLE_IN_SUSPEND 0 +-#define ENABLE_IN_SUSPEND 1 ++#define DO_NOTHING_IN_SUSPEND 0 ++#define DISABLE_IN_SUSPEND 1 ++#define ENABLE_IN_SUSPEND 2 + + /* Regulator active discharge flags */ + enum regulator_active_discharge { diff --git a/queue-4.18/serial-cpm_uart-return-immediately-from-console-poll.patch b/queue-4.18/serial-cpm_uart-return-immediately-from-console-poll.patch new file mode 100644 index 00000000000..bbd92e642d3 --- /dev/null +++ b/queue-4.18/serial-cpm_uart-return-immediately-from-console-poll.patch @@ -0,0 +1,48 @@ +From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001 +From: Christophe Leroy +Date: Fri, 14 Sep 2018 10:32:50 +0000 +Subject: serial: cpm_uart: return immediately from console poll + +From: Christophe Leroy + +commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream. + +kgdb expects poll function to return immediately and +returning NO_POLL_CHAR when no character is available. + +Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll") +Cc: Jason Wessel +Cc: +Signed-off-by: Christophe Leroy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c ++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c +@@ -1054,8 +1054,8 @@ static int poll_wait_key(char *obuf, str + /* Get the address of the host memory buffer. + */ + bdp = pinfo->rx_cur; +- while (bdp->cbd_sc & BD_SC_EMPTY) +- ; ++ if (bdp->cbd_sc & BD_SC_EMPTY) ++ return NO_POLL_CHAR; + + /* If the buffer address is in the CPM DPRAM, don't + * convert it. +@@ -1090,7 +1090,11 @@ static int cpm_get_poll_char(struct uart + poll_chars = 0; + } + if (poll_chars <= 0) { +- poll_chars = poll_wait_key(poll_buf, pinfo); ++ int ret = poll_wait_key(poll_buf, pinfo); ++ ++ if (ret == NO_POLL_CHAR) ++ return ret; ++ poll_chars = ret; + pollp = poll_buf; + } + poll_chars--; diff --git a/queue-4.18/serial-imx-restore-handshaking-irq-for-imx1.patch b/queue-4.18/serial-imx-restore-handshaking-irq-for-imx1.patch new file mode 100644 index 00000000000..f4845ebcfd7 --- /dev/null +++ b/queue-4.18/serial-imx-restore-handshaking-irq-for-imx1.patch @@ -0,0 +1,42 @@ +From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Thu, 20 Sep 2018 14:11:17 +0200 +Subject: serial: imx: restore handshaking irq for imx1 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 7e620984b62532783912312e334f3c48cdacbd5d upstream. + +Back in 2015 when irda was dropped from the driver imx1 was broken. This +change reintroduces the support for the third interrupt of the UART. + +Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA") +Cc: stable +Signed-off-by: Uwe Kleine-König +Reviewed-by: Leonard Crestez +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2350,6 +2350,14 @@ static int imx_uart_probe(struct platfor + ret); + return ret; + } ++ ++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, 0, ++ dev_name(&pdev->dev), sport); ++ if (ret) { ++ dev_err(&pdev->dev, "failed to request rts irq: %d\n", ++ ret); ++ return ret; ++ } + } else { + ret = devm_request_irq(&pdev->dev, rxirq, imx_uart_int, 0, + dev_name(&pdev->dev), sport); diff --git a/queue-4.18/serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch b/queue-4.18/serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch new file mode 100644 index 00000000000..bbd17ef065a --- /dev/null +++ b/queue-4.18/serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch @@ -0,0 +1,36 @@ +From e0bf2d4982fe7d9ddaf550dd023803ea286f47fc Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Sun, 26 Aug 2018 19:49:32 +0200 +Subject: serial: mvebu-uart: Fix reporting of effective CSIZE to userspace + +From: Jan Kiszka + +commit e0bf2d4982fe7d9ddaf550dd023803ea286f47fc upstream. + +Apparently, this driver (or the hardware) does not support character +length settings. It's apparently running in 8-bit mode, but it makes +userspace believe it's in 5-bit mode. That makes tcsetattr with CS8 +incorrectly fail, breaking e.g. getty from busybox, thus the login shell +on ttyMVx. + +Fix by hard-wiring CS8 into c_cflag. + +Signed-off-by: Jan Kiszka +Fixes: 30530791a7a0 ("serial: mvebu-uart: initial support for Armada-3700 serial port") +Cc: stable # 4.6+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/mvebu-uart.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -511,6 +511,7 @@ static void mvebu_uart_set_termios(struc + termios->c_iflag |= old->c_iflag & ~(INPCK | IGNPAR); + termios->c_cflag &= CREAD | CBAUD; + termios->c_cflag |= old->c_cflag & ~(CREAD | CBAUD); ++ termios->c_cflag |= CS8; + } + + spin_unlock_irqrestore(&port->lock, flags); diff --git a/queue-4.18/series b/queue-4.18/series index 6213ef1f7c7..0705ed729d8 100644 --- a/queue-4.18/series +++ b/queue-4.18/series @@ -130,3 +130,24 @@ arm-dts-dra7-fix-dcan-node-addresses.patch drm-vc4-plane-expand-the-lower-bits-by-repeating-the-higher-bits.patch perf-tests-fix-indexing-when-invoking-subtests.patch gpio-tegra-fix-tegra_gpio_irq_set_type.patch +floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch +block-fix-deadline-elevator-drain-for-zoned-block-devices.patch +x86-mm-expand-static-page-table-for-fixmap-space.patch +tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch +serial-imx-restore-handshaking-irq-for-imx1.patch +serial-mvebu-uart-fix-reporting-of-effective-csize-to-userspace.patch +serial-cpm_uart-return-immediately-from-console-poll.patch +intel_th-fix-device-removal-logic.patch +intel_th-fix-resource-handling-for-acpi-glue-layer.patch +spi-tegra20-slink-explicitly-enable-disable-clock.patch +spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch +spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch +spi-rspi-fix-invalid-spi-use-during-system-suspend.patch +spi-rspi-fix-interrupted-dma-transfers.patch +regulator-fix-crash-caused-by-null-driver-data.patch +regulator-fix-do-nothing-value-for-regulators-without-suspend-state.patch +usb-fix-error-handling-in-usb_driver_claim_interface.patch +usb-handle-null-config-in-usb_find_alt_setting.patch +usb-roles-take-care-of-driver-module-reference-counting.patch +usb-core-safely-deal-with-the-dynamic-quirk-lists.patch +usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch diff --git a/queue-4.18/spi-rspi-fix-interrupted-dma-transfers.patch b/queue-4.18/spi-rspi-fix-interrupted-dma-transfers.patch new file mode 100644 index 00000000000..eee514a4dbe --- /dev/null +++ b/queue-4.18/spi-rspi-fix-interrupted-dma-transfers.patch @@ -0,0 +1,58 @@ +From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 5 Sep 2018 10:49:39 +0200 +Subject: spi: rspi: Fix interrupted DMA transfers + +From: Geert Uytterhoeven + +commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream. + +When interrupted, wait_event_interruptible_timeout() returns +-ERESTARTSYS, and the SPI transfer in progress will fail, as expected: + + m25p80 spi0.0: SPI transfer failed: -512 + spi_master spi0: failed to transfer one message from queue + +However, as the underlying DMA transfers may not have completed, all +subsequent SPI transfers may start to fail: + + spi_master spi0: receive timeout + qspi_transfer_out_in() returned -110 + m25p80 spi0.0: SPI transfer failed: -110 + spi_master spi0: failed to transfer one message from queue + +Fix this by calling dmaengine_terminate_all() not only for timeouts, but +also for errors. + +This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed +by CTRL-C. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rspi.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -598,11 +598,13 @@ static int rspi_dma_transfer(struct rspi + + ret = wait_event_interruptible_timeout(rspi->wait, + rspi->dma_callbacked, HZ); +- if (ret > 0 && rspi->dma_callbacked) ++ if (ret > 0 && rspi->dma_callbacked) { + ret = 0; +- else if (!ret) { +- dev_err(&rspi->master->dev, "DMA timeout\n"); +- ret = -ETIMEDOUT; ++ } else { ++ if (!ret) { ++ dev_err(&rspi->master->dev, "DMA timeout\n"); ++ ret = -ETIMEDOUT; ++ } + if (tx) + dmaengine_terminate_all(rspi->master->dma_tx); + if (rx) diff --git a/queue-4.18/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.18/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch new file mode 100644 index 00000000000..45485e6682d --- /dev/null +++ b/queue-4.18/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch @@ -0,0 +1,67 @@ +From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Wed, 5 Sep 2018 10:49:38 +0200 +Subject: spi: rspi: Fix invalid SPI use during system suspend + +From: Geert Uytterhoeven + +commit c1ca59c22c56930b377a665fdd1b43351887830b upstream. + +If the SPI queue is running during system suspend, the system may lock +up. + +Fix this by stopping/restarting the queue during system suspend/resume, +by calling spi_master_suspend()/spi_master_resume() from the PM +callbacks. In-kernel users will receive an -ESHUTDOWN error while +system suspend/resume is in progress. + +Based on a patch for sh-msiof by Gaku Inami. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/spi/spi-rspi.c ++++ b/drivers/spi/spi-rspi.c +@@ -1350,12 +1350,36 @@ static const struct platform_device_id s + + MODULE_DEVICE_TABLE(platform, spi_driver_ids); + ++#ifdef CONFIG_PM_SLEEP ++static int rspi_suspend(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct rspi_data *rspi = platform_get_drvdata(pdev); ++ ++ return spi_master_suspend(rspi->master); ++} ++ ++static int rspi_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct rspi_data *rspi = platform_get_drvdata(pdev); ++ ++ return spi_master_resume(rspi->master); ++} ++ ++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume); ++#define DEV_PM_OPS &rspi_pm_ops ++#else ++#define DEV_PM_OPS NULL ++#endif /* CONFIG_PM_SLEEP */ ++ + static struct platform_driver rspi_driver = { + .probe = rspi_probe, + .remove = rspi_remove, + .id_table = spi_driver_ids, + .driver = { + .name = "renesas_spi", ++ .pm = DEV_PM_OPS, + .of_match_table = of_match_ptr(rspi_of_match), + }, + }; diff --git a/queue-4.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch b/queue-4.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch new file mode 100644 index 00000000000..34a7302ec50 --- /dev/null +++ b/queue-4.18/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch @@ -0,0 +1,38 @@ +From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001 +From: Hiromitsu Yamasaki +Date: Wed, 5 Sep 2018 10:49:37 +0200 +Subject: spi: sh-msiof: Fix handling of write value for SISTR register + +From: Hiromitsu Yamasaki + +commit 31a5fae4c5a009898da6d177901d5328051641ff upstream. + +This patch changes writing to the SISTR register according to the H/W +user's manual. + +The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written +their initial values of zero. + +Signed-off-by: Hiromitsu Yamasaki +[geert: reword] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh-msiof.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -396,7 +396,8 @@ static void sh_msiof_spi_set_mode_regs(s + + static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p) + { +- sh_msiof_write(p, STR, sh_msiof_read(p, STR)); ++ sh_msiof_write(p, STR, ++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ)); + } + + static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p, diff --git a/queue-4.18/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.18/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch new file mode 100644 index 00000000000..1efa9317af8 --- /dev/null +++ b/queue-4.18/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch @@ -0,0 +1,69 @@ +From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001 +From: Gaku Inami +Date: Wed, 5 Sep 2018 10:49:36 +0200 +Subject: spi: sh-msiof: Fix invalid SPI use during system suspend + +From: Gaku Inami + +commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream. + +If the SPI queue is running during system suspend, the system may lock +up. + +Fix this by stopping/restarting the queue during system suspend/resume +by calling spi_master_suspend()/spi_master_resume() from the PM +callbacks. In-kernel users will receive an -ESHUTDOWN error while +system suspend/resume is in progress. + +Signed-off-by: Gaku Inami +Signed-off-by: Hiromitsu Yamasaki +[geert: Cleanup, reword] +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +--- a/drivers/spi/spi-sh-msiof.c ++++ b/drivers/spi/spi-sh-msiof.c +@@ -1421,12 +1421,37 @@ static const struct platform_device_id s + }; + MODULE_DEVICE_TABLE(platform, spi_driver_ids); + ++#ifdef CONFIG_PM_SLEEP ++static int sh_msiof_spi_suspend(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev); ++ ++ return spi_master_suspend(p->master); ++} ++ ++static int sh_msiof_spi_resume(struct device *dev) ++{ ++ struct platform_device *pdev = to_platform_device(dev); ++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev); ++ ++ return spi_master_resume(p->master); ++} ++ ++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend, ++ sh_msiof_spi_resume); ++#define DEV_PM_OPS &sh_msiof_spi_pm_ops ++#else ++#define DEV_PM_OPS NULL ++#endif /* CONFIG_PM_SLEEP */ ++ + static struct platform_driver sh_msiof_spi_drv = { + .probe = sh_msiof_spi_probe, + .remove = sh_msiof_spi_remove, + .id_table = spi_driver_ids, + .driver = { + .name = "spi_sh_msiof", ++ .pm = DEV_PM_OPS, + .of_match_table = of_match_ptr(sh_msiof_match), + }, + }; diff --git a/queue-4.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch b/queue-4.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch new file mode 100644 index 00000000000..f5a95fcec0e --- /dev/null +++ b/queue-4.18/spi-tegra20-slink-explicitly-enable-disable-clock.patch @@ -0,0 +1,84 @@ +From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001 +From: Marcel Ziswiler +Date: Wed, 29 Aug 2018 08:47:57 +0200 +Subject: spi: tegra20-slink: explicitly enable/disable clock + +From: Marcel Ziswiler + +commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream. + +Depending on the SPI instance one may get an interrupt storm upon +requesting resp. interrupt unless the clock is explicitly enabled +beforehand. This has been observed trying to bring up instance 4 on +T20. + +Signed-off-by: Marcel Ziswiler +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++-------- + 1 file changed, 23 insertions(+), 8 deletions(-) + +--- a/drivers/spi/spi-tegra20-slink.c ++++ b/drivers/spi/spi-tegra20-slink.c +@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat + goto exit_free_master; + } + ++ /* disabled clock may cause interrupt storm upon request */ ++ tspi->clk = devm_clk_get(&pdev->dev, NULL); ++ if (IS_ERR(tspi->clk)) { ++ ret = PTR_ERR(tspi->clk); ++ dev_err(&pdev->dev, "Can not get clock %d\n", ret); ++ goto exit_free_master; ++ } ++ ret = clk_prepare(tspi->clk); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret); ++ goto exit_free_master; ++ } ++ ret = clk_enable(tspi->clk); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret); ++ goto exit_free_master; ++ } ++ + spi_irq = platform_get_irq(pdev, 0); + tspi->irq = spi_irq; + ret = request_threaded_irq(tspi->irq, tegra_slink_isr, +@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat + if (ret < 0) { + dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n", + tspi->irq); +- goto exit_free_master; +- } +- +- tspi->clk = devm_clk_get(&pdev->dev, NULL); +- if (IS_ERR(tspi->clk)) { +- dev_err(&pdev->dev, "can not get clock\n"); +- ret = PTR_ERR(tspi->clk); +- goto exit_free_irq; ++ goto exit_clk_disable; + } + + tspi->rst = devm_reset_control_get_exclusive(&pdev->dev, "spi"); +@@ -1138,6 +1149,8 @@ exit_rx_dma_free: + tegra_slink_deinit_dma_param(tspi, true); + exit_free_irq: + free_irq(spi_irq, tspi); ++exit_clk_disable: ++ clk_disable(tspi->clk); + exit_free_master: + spi_master_put(master); + return ret; +@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla + + free_irq(tspi->irq, tspi); + ++ clk_disable(tspi->clk); ++ + if (tspi->tx_dma_chan) + tegra_slink_deinit_dma_param(tspi, false); + diff --git a/queue-4.18/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch b/queue-4.18/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch new file mode 100644 index 00000000000..9c1753c4d88 --- /dev/null +++ b/queue-4.18/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch @@ -0,0 +1,39 @@ +From 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Tue, 28 Aug 2018 12:44:24 +0200 +Subject: tty: serial: lpuart: avoid leaking struct tty_struct + +From: Stefan Agner + +commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream. + +The function tty_port_tty_get() gets a reference to the tty. Since +the code is not using tty_port_tty_set(), the reference is kept +even after closing the tty. + +Avoid using tty_port_tty_get() by directly access the tty instance. +Since lpuart_start_rx_dma() is called from the .startup() and +.set_termios() callback, it is safe to assume the tty instance is +valid. + +Cc: stable@vger.kernel.org # v4.9+ +Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx") +Signed-off-by: Stefan Agner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/fsl_lpuart.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -979,7 +979,8 @@ static inline int lpuart_start_rx_dma(st + struct circ_buf *ring = &sport->rx_ring; + int ret, nent; + int bits, baud; +- struct tty_struct *tty = tty_port_tty_get(&sport->port.state->port); ++ struct tty_port *port = &sport->port.state->port; ++ struct tty_struct *tty = port->tty; + struct ktermios *termios = &tty->termios; + + baud = tty_get_baud_rate(tty); diff --git a/queue-4.18/usb-core-safely-deal-with-the-dynamic-quirk-lists.patch b/queue-4.18/usb-core-safely-deal-with-the-dynamic-quirk-lists.patch new file mode 100644 index 00000000000..09196f21d2e --- /dev/null +++ b/queue-4.18/usb-core-safely-deal-with-the-dynamic-quirk-lists.patch @@ -0,0 +1,60 @@ +From 16c4cb19fa85c648a803752eb63cac0ef69231c2 Mon Sep 17 00:00:00 2001 +From: Harry Pan +Date: Fri, 14 Sep 2018 16:58:16 +0800 +Subject: usb: core: safely deal with the dynamic quirk lists + +From: Harry Pan + +commit 16c4cb19fa85c648a803752eb63cac0ef69231c2 upstream. + +Applying dynamic usbcore quirks in early booting when the slab is +not yet ready would cause kernel panic of null pointer dereference +because the quirk_count has been counted as 1 while the quirk_list +was failed to allocate. + +i.e., +[ 1.044970] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 1.044995] IP: [] usb_detect_quirks+0x88/0xd1 +[ 1.045016] PGD 0 +[ 1.045026] Oops: 0000 [#1] PREEMPT SMP +[ 1.046986] gsmi: Log Shutdown Reason 0x03 +[ 1.046995] Modules linked in: +[ 1.047008] CPU: 0 PID: 81 Comm: kworker/0:3 Not tainted 4.4.154 #28 +[ 1.047016] Hardware name: Google Coral/Coral, BIOS Google_Coral.10068.27.0 12/04/2017 +[ 1.047028] Workqueue: usb_hub_wq hub_event +[ 1.047037] task: ffff88017a321c80 task.stack: ffff88017a384000 +[ 1.047044] RIP: 0010:[] [] usb_detect_quirks+0x88/0xd1 + +To tackle this odd, let's balance the quirk_count to 0 when the kcalloc +call fails, and defer the quirk setting into a lower level callback +which ensures that the kernel memory management has been initialized. + +Fixes: 027bd6cafd9a ("usb: core: Add "quirks" parameter for usbcore") +Signed-off-by: Harry Pan +Acked-by: Kai-Heng Feng +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -58,6 +58,7 @@ static int quirks_param_set(const char * + quirk_list = kcalloc(quirk_count, sizeof(struct quirk_entry), + GFP_KERNEL); + if (!quirk_list) { ++ quirk_count = 0; + mutex_unlock(&quirk_mutex); + return -ENOMEM; + } +@@ -154,7 +155,7 @@ static struct kparam_string quirks_param + .string = quirks_param, + }; + +-module_param_cb(quirks, &quirks_param_ops, &quirks_param_string, 0644); ++device_param_cb(quirks, &quirks_param_ops, &quirks_param_string, 0644); + MODULE_PARM_DESC(quirks, "Add/modify USB quirks by specifying quirks=vendorID:productID:quirks"); + + /* Lists of quirky USB devices, split in device quirks and interface quirks. diff --git a/queue-4.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch b/queue-4.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch new file mode 100644 index 00000000000..90077937452 --- /dev/null +++ b/queue-4.18/usb-fix-error-handling-in-usb_driver_claim_interface.patch @@ -0,0 +1,58 @@ +From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Sep 2018 13:59:59 -0400 +Subject: USB: fix error handling in usb_driver_claim_interface() + +From: Alan Stern + +commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream. + +The syzbot fuzzing project found a use-after-free bug in the USB +core. The bug was caused by usbfs not unbinding from an interface +when the USB device file was closed, which led another process to +attempt the unbind later on, after the private data structure had been +deallocated. + +The reason usbfs did not unbind the interface at the appropriate time +was because it thought the interface had never been claimed in the +first place. This was caused by the fact that +usb_driver_claim_interface() does not clean up properly when +device_bind_driver() returns an error. Although the error code gets +passed back to the caller, the iface->dev.driver pointer remains set +and iface->condition remains equal to USB_INTERFACE_BOUND. + +This patch adds proper error handling to usb_driver_claim_interface(). + +Signed-off-by: Alan Stern +Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com +CC: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/driver.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/drivers/usb/core/driver.c ++++ b/drivers/usb/core/driver.c +@@ -565,6 +565,21 @@ int usb_driver_claim_interface(struct us + if (!lpm_disable_error) + usb_unlocked_enable_lpm(udev); + ++ if (retval) { ++ dev->driver = NULL; ++ usb_set_intfdata(iface, NULL); ++ iface->needs_remote_wakeup = 0; ++ iface->condition = USB_INTERFACE_UNBOUND; ++ ++ /* ++ * Unbound interfaces are always runtime-PM-disabled ++ * and runtime-PM-suspended ++ */ ++ if (driver->supports_autosuspend) ++ pm_runtime_disable(dev); ++ pm_runtime_set_suspended(dev); ++ } ++ + return retval; + } + EXPORT_SYMBOL_GPL(usb_driver_claim_interface); diff --git a/queue-4.18/usb-handle-null-config-in-usb_find_alt_setting.patch b/queue-4.18/usb-handle-null-config-in-usb_find_alt_setting.patch new file mode 100644 index 00000000000..f1f15494147 --- /dev/null +++ b/queue-4.18/usb-handle-null-config-in-usb_find_alt_setting.patch @@ -0,0 +1,38 @@ +From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 10 Sep 2018 14:00:53 -0400 +Subject: USB: handle NULL config in usb_find_alt_setting() + +From: Alan Stern + +commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream. + +usb_find_alt_setting() takes a pointer to a struct usb_host_config as +an argument; it searches for an interface with specified interface and +alternate setting numbers in that config. However, it crashes if the +usb_host_config pointer argument is NULL. + +Since this is a general-purpose routine, available for use in many +places, we want to to be more robust. This patch makes it return NULL +whenever the config argument is NULL. + +Signed-off-by: Alan Stern +Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com +CC: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -228,6 +228,8 @@ struct usb_host_interface *usb_find_alt_ + struct usb_interface_cache *intf_cache = NULL; + int i; + ++ if (!config) ++ return NULL; + for (i = 0; i < config->desc.bNumInterfaces; i++) { + if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber + == iface_num) { diff --git a/queue-4.18/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch b/queue-4.18/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch new file mode 100644 index 00000000000..3d53fe30fe9 --- /dev/null +++ b/queue-4.18/usb-musb-dsps-do-not-disable-cppi41-irq-in-driver-teardown.patch @@ -0,0 +1,54 @@ +From 783f3b4e9ec50491c21746e7e05ec6c39c21f563 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Mon, 17 Sep 2018 11:40:22 -0500 +Subject: usb: musb: dsps: do not disable CPPI41 irq in driver teardown + +From: Bin Liu + +commit 783f3b4e9ec50491c21746e7e05ec6c39c21f563 upstream. + +TI AM335x CPPI 4.1 module uses a single register bit for CPPI interrupts +in both musb controllers. So disabling the CPPI irq in one musb driver +breaks the other musb module. + +Since musb is already disabled before tearing down dma controller in +musb_remove(), it is safe to not disable CPPI irq in +musb_dma_controller_destroy(). + +Fixes: 255348289f71 ("usb: musb: dsps: Manage CPPI 4.1 DMA interrupt in DSPS") +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_dsps.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/usb/musb/musb_dsps.c ++++ b/drivers/usb/musb/musb_dsps.c +@@ -658,16 +658,6 @@ dsps_dma_controller_create(struct musb * + return controller; + } + +-static void dsps_dma_controller_destroy(struct dma_controller *c) +-{ +- struct musb *musb = c->musb; +- struct dsps_glue *glue = dev_get_drvdata(musb->controller->parent); +- void __iomem *usbss_base = glue->usbss_base; +- +- musb_writel(usbss_base, USBSS_IRQ_CLEARR, USBSS_IRQ_PD_COMP); +- cppi41_dma_controller_destroy(c); +-} +- + #ifdef CONFIG_PM_SLEEP + static void dsps_dma_controller_suspend(struct dsps_glue *glue) + { +@@ -697,7 +687,7 @@ static struct musb_platform_ops dsps_ops + + #ifdef CONFIG_USB_TI_CPPI41_DMA + .dma_init = dsps_dma_controller_create, +- .dma_exit = dsps_dma_controller_destroy, ++ .dma_exit = cppi41_dma_controller_destroy, + #endif + .enable = dsps_musb_enable, + .disable = dsps_musb_disable, diff --git a/queue-4.18/usb-roles-take-care-of-driver-module-reference-counting.patch b/queue-4.18/usb-roles-take-care-of-driver-module-reference-counting.patch new file mode 100644 index 00000000000..41c9f040487 --- /dev/null +++ b/queue-4.18/usb-roles-take-care-of-driver-module-reference-counting.patch @@ -0,0 +1,55 @@ +From 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Wed, 19 Sep 2018 10:58:05 +0300 +Subject: usb: roles: Take care of driver module reference counting + +From: Heikki Krogerus + +commit 5c54fcac9a9de559b444ac63ec3cd82f1d157a0b upstream. + +This fixes potential "BUG: unable to handle kernel paging +request at ..." from happening. + +Cc: +Acked-by: Hans de Goede +Tested-by: Hans de Goede +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/common/roles.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/usb/common/roles.c ++++ b/drivers/usb/common/roles.c +@@ -109,8 +109,15 @@ static void *usb_role_switch_match(struc + */ + struct usb_role_switch *usb_role_switch_get(struct device *dev) + { +- return device_connection_find_match(dev, "usb-role-switch", NULL, +- usb_role_switch_match); ++ struct usb_role_switch *sw; ++ ++ sw = device_connection_find_match(dev, "usb-role-switch", NULL, ++ usb_role_switch_match); ++ ++ if (!IS_ERR_OR_NULL(sw)) ++ WARN_ON(!try_module_get(sw->dev.parent->driver->owner)); ++ ++ return sw; + } + EXPORT_SYMBOL_GPL(usb_role_switch_get); + +@@ -122,8 +129,10 @@ EXPORT_SYMBOL_GPL(usb_role_switch_get); + */ + void usb_role_switch_put(struct usb_role_switch *sw) + { +- if (!IS_ERR_OR_NULL(sw)) ++ if (!IS_ERR_OR_NULL(sw)) { + put_device(&sw->dev); ++ module_put(sw->dev.parent->driver->owner); ++ } + } + EXPORT_SYMBOL_GPL(usb_role_switch_put); + diff --git a/queue-4.18/x86-mm-expand-static-page-table-for-fixmap-space.patch b/queue-4.18/x86-mm-expand-static-page-table-for-fixmap-space.patch new file mode 100644 index 00000000000..0d14619502b --- /dev/null +++ b/queue-4.18/x86-mm-expand-static-page-table-for-fixmap-space.patch @@ -0,0 +1,181 @@ +From 05ab1d8a4b36ee912b7087c6da127439ed0a903e Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Thu, 20 Sep 2018 10:58:28 +0800 +Subject: x86/mm: Expand static page table for fixmap space + +From: Feng Tang + +commit 05ab1d8a4b36ee912b7087c6da127439ed0a903e upstream. + +We met a kernel panic when enabling earlycon, which is due to the fixmap +address of earlycon is not statically setup. + +Currently the static fixmap setup in head_64.S only covers 2M virtual +address space, while it actually could be in 4M space with different +kernel configurations, e.g. when VSYSCALL emulation is disabled. + +So increase the static space to 4M for now by defining FIXMAP_PMD_NUM to 2, +and add a build time check to ensure that the fixmap is covered by the +initial static page tables. + +Fixes: 1ad83c858c7d ("x86_64,vsyscall: Make vsyscall emulation configurable") +Suggested-by: Thomas Gleixner +Signed-off-by: Feng Tang +Signed-off-by: Thomas Gleixner +Tested-by: kernel test robot +Reviewed-by: Juergen Gross (Xen parts) +Cc: H Peter Anvin +Cc: Peter Zijlstra +Cc: Michal Hocko +Cc: Yinghai Lu +Cc: Dave Hansen +Cc: Andi Kleen +Cc: Andy Lutomirsky +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/20180920025828.23699-1-feng.tang@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/fixmap.h | 10 ++++++++++ + arch/x86/include/asm/pgtable_64.h | 3 ++- + arch/x86/kernel/head64.c | 4 +++- + arch/x86/kernel/head_64.S | 16 ++++++++++++---- + arch/x86/mm/pgtable.c | 9 +++++++++ + arch/x86/xen/mmu_pv.c | 8 ++++++-- + 6 files changed, 42 insertions(+), 8 deletions(-) + +--- a/arch/x86/include/asm/fixmap.h ++++ b/arch/x86/include/asm/fixmap.h +@@ -14,6 +14,16 @@ + #ifndef _ASM_X86_FIXMAP_H + #define _ASM_X86_FIXMAP_H + ++/* ++ * Exposed to assembly code for setting up initial page tables. Cannot be ++ * calculated in assembly code (fixmap entries are an enum), but is sanity ++ * checked in the actual fixmap C code to make sure that the fixmap is ++ * covered fully. ++ */ ++#define FIXMAP_PMD_NUM 2 ++/* fixmap starts downwards from the 507th entry in level2_fixmap_pgt */ ++#define FIXMAP_PMD_TOP 507 ++ + #ifndef __ASSEMBLY__ + #include + #include +--- a/arch/x86/include/asm/pgtable_64.h ++++ b/arch/x86/include/asm/pgtable_64.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + + extern p4d_t level4_kernel_pgt[512]; + extern p4d_t level4_ident_pgt[512]; +@@ -22,7 +23,7 @@ extern pud_t level3_ident_pgt[512]; + extern pmd_t level2_kernel_pgt[512]; + extern pmd_t level2_fixmap_pgt[512]; + extern pmd_t level2_ident_pgt[512]; +-extern pte_t level1_fixmap_pgt[512]; ++extern pte_t level1_fixmap_pgt[512 * FIXMAP_PMD_NUM]; + extern pgd_t init_top_pgt[]; + + #define swapper_pg_dir init_top_pgt +--- a/arch/x86/kernel/head64.c ++++ b/arch/x86/kernel/head64.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + /* + * Manage page tables very early on. +@@ -165,7 +166,8 @@ unsigned long __head __startup_64(unsign + pud[511] += load_delta; + + pmd = fixup_pointer(level2_fixmap_pgt, physaddr); +- pmd[506] += load_delta; ++ for (i = FIXMAP_PMD_TOP; i > FIXMAP_PMD_TOP - FIXMAP_PMD_NUM; i--) ++ pmd[i] += load_delta; + + /* + * Set up the identity mapping for the switchover. These +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -24,6 +24,7 @@ + #include "../entry/calling.h" + #include + #include ++#include + + #ifdef CONFIG_PARAVIRT + #include +@@ -445,13 +446,20 @@ NEXT_PAGE(level2_kernel_pgt) + KERNEL_IMAGE_SIZE/PMD_SIZE) + + NEXT_PAGE(level2_fixmap_pgt) +- .fill 506,8,0 +- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE_NOENC +- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */ +- .fill 5,8,0 ++ .fill (512 - 4 - FIXMAP_PMD_NUM),8,0 ++ pgtno = 0 ++ .rept (FIXMAP_PMD_NUM) ++ .quad level1_fixmap_pgt + (pgtno << PAGE_SHIFT) - __START_KERNEL_map \ ++ + _PAGE_TABLE_NOENC; ++ pgtno = pgtno + 1 ++ .endr ++ /* 6 MB reserved space + a 2MB hole */ ++ .fill 4,8,0 + + NEXT_PAGE(level1_fixmap_pgt) ++ .rept (FIXMAP_PMD_NUM) + .fill 512,8,0 ++ .endr + + #undef PMDS + +--- a/arch/x86/mm/pgtable.c ++++ b/arch/x86/mm/pgtable.c +@@ -577,6 +577,15 @@ void __native_set_fixmap(enum fixed_addr + { + unsigned long address = __fix_to_virt(idx); + ++#ifdef CONFIG_X86_64 ++ /* ++ * Ensure that the static initial page tables are covering the ++ * fixmap completely. ++ */ ++ BUILD_BUG_ON(__end_of_permanent_fixed_addresses > ++ (FIXMAP_PMD_NUM * PTRS_PER_PTE)); ++#endif ++ + if (idx >= __end_of_fixed_addresses) { + BUG(); + return; +--- a/arch/x86/xen/mmu_pv.c ++++ b/arch/x86/xen/mmu_pv.c +@@ -1908,7 +1908,7 @@ void __init xen_setup_kernel_pagetable(p + /* L3_k[511] -> level2_fixmap_pgt */ + convert_pfn_mfn(level3_kernel_pgt); + +- /* L3_k[511][506] -> level1_fixmap_pgt */ ++ /* L3_k[511][508-FIXMAP_PMD_NUM ... 507] -> level1_fixmap_pgt */ + convert_pfn_mfn(level2_fixmap_pgt); + + /* We get [511][511] and have Xen's version of level2_kernel_pgt */ +@@ -1953,7 +1953,11 @@ void __init xen_setup_kernel_pagetable(p + set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO); + set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO); +- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO); ++ ++ for (i = 0; i < FIXMAP_PMD_NUM; i++) { ++ set_page_prot(level1_fixmap_pgt + i * PTRS_PER_PTE, ++ PAGE_KERNEL_RO); ++ } + + /* Pin down new L4 */ + pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,