From: Greg Kroah-Hartman Date: Wed, 20 Mar 2019 20:26:32 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.137~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5b95bcd1d14721fbd096fd911c06c4ca9a2e28c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch clk-uniphier-fix-update-register-for-cpu-gear.patch cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch cpufreq-tegra124-add-missing-of_node_put.patch cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch device-property-fix-the-length-used-in-property_entry_string.patch ext2-fix-underflow-in-ext2_max_size.patch ext4-add-mask-of-ext4-flags-to-swap.patch ext4-fix-crash-during-online-resizing.patch i2c-tegra-fix-maximum-transfer-size.patch ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch intel_th-don-t-reference-unassigned-outputs.patch irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch x86-kprobes-prohibit-probing-on-optprobe-template-code.patch --- diff --git a/queue-4.14/clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch b/queue-4.14/clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch new file mode 100644 index 00000000000..bde7d50025b --- /dev/null +++ b/queue-4.14/clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch @@ -0,0 +1,117 @@ +From 5ae51d67aec95f6f9386aa8dd5db424964895575 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Mon, 11 Feb 2019 14:59:07 -0800 +Subject: clk: clk-twl6040: Fix imprecise external abort for pdmclk + +From: Tony Lindgren + +commit 5ae51d67aec95f6f9386aa8dd5db424964895575 upstream. + +I noticed that modprobe clk-twl6040 can fail after a cold boot with: +abe_cm:clk:0010:0: failed to enable +... +Unhandled fault: imprecise external abort (0x1406) at 0xbe896b20 + +WARNING: CPU: 1 PID: 29 at drivers/clk/clk.c:828 clk_core_disable_lock+0x18/0x24 +... +(clk_core_disable_lock) from [] (_disable_clocks+0x18/0x90) +(_disable_clocks) from [] (_idle+0x17c/0x244) +(_idle) from [] (omap_hwmod_idle+0x24/0x44) +(omap_hwmod_idle) from [] (sysc_runtime_suspend+0x48/0x108) +(sysc_runtime_suspend) from [] (__rpm_callback+0x144/0x1d8) +(__rpm_callback) from [] (rpm_callback+0x20/0x80) +(rpm_callback) from [] (rpm_suspend+0x120/0x694) +(rpm_suspend) from [] (__pm_runtime_idle+0x60/0x84) +(__pm_runtime_idle) from [] (sysc_probe+0x874/0xf2c) +(sysc_probe) from [] (platform_drv_probe+0x48/0x98) + +After searching around for a similar issue, I came across an earlier fix +that never got merged upstream in the Android tree for glass-omap-xrr02. +There is patch "MFD: twl6040-codec: Implement PDMCLK cold temp errata" +by Misael Lopez Cruz . + +Based on my observations, this fix is also needed when cold booting +devices, and not just for deeper idle modes. Since we now have a clock +driver for pdmclk, let's fix the issue in twl6040_pdmclk_prepare(). + +Cc: Misael Lopez Cruz +Cc: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Acked-by: Peter Ujfalusi +Cc: +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk-twl6040.c | 53 ++++++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 51 insertions(+), 2 deletions(-) + +--- a/drivers/clk/clk-twl6040.c ++++ b/drivers/clk/clk-twl6040.c +@@ -41,6 +41,43 @@ static int twl6040_pdmclk_is_prepared(st + return pdmclk->enabled; + } + ++static int twl6040_pdmclk_reset_one_clock(struct twl6040_pdmclk *pdmclk, ++ unsigned int reg) ++{ ++ const u8 reset_mask = TWL6040_HPLLRST; /* Same for HPPLL and LPPLL */ ++ int ret; ++ ++ ret = twl6040_set_bits(pdmclk->twl6040, reg, reset_mask); ++ if (ret < 0) ++ return ret; ++ ++ ret = twl6040_clear_bits(pdmclk->twl6040, reg, reset_mask); ++ if (ret < 0) ++ return ret; ++ ++ return 0; ++} ++ ++/* ++ * TWL6040A2 Phoenix Audio IC erratum #6: "PDM Clock Generation Issue At ++ * Cold Temperature". This affects cold boot and deeper idle states it ++ * seems. The workaround consists of resetting HPPLL and LPPLL. ++ */ ++static int twl6040_pdmclk_quirk_reset_clocks(struct twl6040_pdmclk *pdmclk) ++{ ++ int ret; ++ ++ ret = twl6040_pdmclk_reset_one_clock(pdmclk, TWL6040_REG_HPPLLCTL); ++ if (ret) ++ return ret; ++ ++ ret = twl6040_pdmclk_reset_one_clock(pdmclk, TWL6040_REG_LPPLLCTL); ++ if (ret) ++ return ret; ++ ++ return 0; ++} ++ + static int twl6040_pdmclk_prepare(struct clk_hw *hw) + { + struct twl6040_pdmclk *pdmclk = container_of(hw, struct twl6040_pdmclk, +@@ -48,8 +85,20 @@ static int twl6040_pdmclk_prepare(struct + int ret; + + ret = twl6040_power(pdmclk->twl6040, 1); +- if (!ret) +- pdmclk->enabled = 1; ++ if (ret) ++ return ret; ++ ++ ret = twl6040_pdmclk_quirk_reset_clocks(pdmclk); ++ if (ret) ++ goto out_err; ++ ++ pdmclk->enabled = 1; ++ ++ return 0; ++ ++out_err: ++ dev_err(pdmclk->dev, "%s: error %i\n", __func__, ret); ++ twl6040_power(pdmclk->twl6040, 0); + + return ret; + } diff --git a/queue-4.14/clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch b/queue-4.14/clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch new file mode 100644 index 00000000000..34fe427056e --- /dev/null +++ b/queue-4.14/clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch @@ -0,0 +1,34 @@ +From 7ca4c922aad2e3c46767a12f80d01c6b25337b59 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sun, 27 Jan 2019 23:09:21 -0300 +Subject: clk: ingenic: Fix doc of ingenic_cgu_div_info + +From: Paul Cercueil + +commit 7ca4c922aad2e3c46767a12f80d01c6b25337b59 upstream. + +The 'div' field does not represent a number of bits used to divide +(understand: right-shift) the divider, but a number itself used to +divide the divider. + +Signed-off-by: Paul Cercueil +Signed-off-by: Maarten ter Huurne +Cc: +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ingenic/cgu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/ingenic/cgu.h ++++ b/drivers/clk/ingenic/cgu.h +@@ -78,7 +78,7 @@ struct ingenic_cgu_mux_info { + * @reg: offset of the divider control register within the CGU + * @shift: number of bits to left shift the divide value by (ie. the index of + * the lowest bit of the divide value within its control register) +- * @div: number of bits to divide the divider value by (i.e. if the ++ * @div: number to divide the divider value by (i.e. if the + * effective divider value is the value written to the register + * multiplied by some constant) + * @bits: the size of the divide value in bits diff --git a/queue-4.14/clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch b/queue-4.14/clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch new file mode 100644 index 00000000000..40b5e49e230 --- /dev/null +++ b/queue-4.14/clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch @@ -0,0 +1,63 @@ +From bc5d922c93491878c44c9216e9d227c7eeb81d7f Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sun, 27 Jan 2019 23:09:20 -0300 +Subject: clk: ingenic: Fix round_rate misbehaving with non-integer dividers + +From: Paul Cercueil + +commit bc5d922c93491878c44c9216e9d227c7eeb81d7f upstream. + +Take a parent rate of 180 MHz, and a requested rate of 4.285715 MHz. +This results in a theorical divider of 41.999993 which is then rounded +up to 42. The .round_rate function would then return (180 MHz / 42) as +the clock, rounded down, so 4.285714 MHz. + +Calling clk_set_rate on 4.285714 MHz would round the rate again, and +give a theorical divider of 42,0000028, now rounded up to 43, and the +rate returned would be (180 MHz / 43) which is 4.186046 MHz, aka. not +what we requested. + +Fix this by rounding up the divisions. + +Signed-off-by: Paul Cercueil +Tested-by: Maarten ter Huurne +Cc: +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/ingenic/cgu.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/clk/ingenic/cgu.c ++++ b/drivers/clk/ingenic/cgu.c +@@ -364,16 +364,16 @@ ingenic_clk_round_rate(struct clk_hw *hw + struct ingenic_clk *ingenic_clk = to_ingenic_clk(hw); + struct ingenic_cgu *cgu = ingenic_clk->cgu; + const struct ingenic_cgu_clk_info *clk_info; +- long rate = *parent_rate; ++ unsigned int div = 1; + + clk_info = &cgu->clock_info[ingenic_clk->idx]; + + if (clk_info->type & CGU_CLK_DIV) +- rate /= ingenic_clk_calc_div(clk_info, *parent_rate, req_rate); ++ div = ingenic_clk_calc_div(clk_info, *parent_rate, req_rate); + else if (clk_info->type & CGU_CLK_FIXDIV) +- rate /= clk_info->fixdiv.div; ++ div = clk_info->fixdiv.div; + +- return rate; ++ return DIV_ROUND_UP(*parent_rate, div); + } + + static int +@@ -393,7 +393,7 @@ ingenic_clk_set_rate(struct clk_hw *hw, + + if (clk_info->type & CGU_CLK_DIV) { + div = ingenic_clk_calc_div(clk_info, parent_rate, req_rate); +- rate = parent_rate / div; ++ rate = DIV_ROUND_UP(parent_rate, div); + + if (rate != req_rate) + return -EINVAL; diff --git a/queue-4.14/clk-uniphier-fix-update-register-for-cpu-gear.patch b/queue-4.14/clk-uniphier-fix-update-register-for-cpu-gear.patch new file mode 100644 index 00000000000..9a17f4806e3 --- /dev/null +++ b/queue-4.14/clk-uniphier-fix-update-register-for-cpu-gear.patch @@ -0,0 +1,34 @@ +From 521282237b9d78b9bff423ec818becd4c95841c2 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Fri, 8 Feb 2019 11:25:23 +0900 +Subject: clk: uniphier: Fix update register for CPU-gear + +From: Kunihiko Hayashi + +commit 521282237b9d78b9bff423ec818becd4c95841c2 upstream. + +Need to set the update bit in UNIPHIER_CLK_CPUGEAR_UPD to update +the CPU-gear value. + +Fixes: d08f1f0d596c ("clk: uniphier: add CPU-gear change (cpufreq) support") +Cc: linux-stable@vger.kernel.org +Signed-off-by: Kunihiko Hayashi +Acked-by: Masahiro Yamada +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/uniphier/clk-uniphier-cpugear.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/uniphier/clk-uniphier-cpugear.c ++++ b/drivers/clk/uniphier/clk-uniphier-cpugear.c +@@ -47,7 +47,7 @@ static int uniphier_clk_cpugear_set_pare + return ret; + + ret = regmap_write_bits(gear->regmap, +- gear->regbase + UNIPHIER_CLK_CPUGEAR_SET, ++ gear->regbase + UNIPHIER_CLK_CPUGEAR_UPD, + UNIPHIER_CLK_CPUGEAR_UPD_BIT, + UNIPHIER_CLK_CPUGEAR_UPD_BIT); + if (ret) diff --git a/queue-4.14/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch b/queue-4.14/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch new file mode 100644 index 00000000000..a449ec4fe7e --- /dev/null +++ b/queue-4.14/cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch @@ -0,0 +1,53 @@ +From 9505b98ccddc454008ca7efff90044e3e857c827 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 7 Mar 2019 11:22:41 +0100 +Subject: cpufreq: pxa2xx: remove incorrect __init annotation + +From: Arnd Bergmann + +commit 9505b98ccddc454008ca7efff90044e3e857c827 upstream. + +pxa_cpufreq_init_voltages() is marked __init but usually inlined into +the non-__init pxa_cpufreq_init() function. When building with clang, +it can stay as a standalone function in a discarded section, and produce +this warning: + +WARNING: vmlinux.o(.text+0x616a00): Section mismatch in reference from the function pxa_cpufreq_init() to the function .init.text:pxa_cpufreq_init_voltages() +The function pxa_cpufreq_init() references +the function __init pxa_cpufreq_init_voltages(). +This is often because pxa_cpufreq_init lacks a __init +annotation or the annotation of pxa_cpufreq_init_voltages is wrong. + +Fixes: 50e77fcd790e ("ARM: pxa: remove __init from cpufreq_driver->init()") +Signed-off-by: Arnd Bergmann +Acked-by: Viresh Kumar +Reviewed-by: Nathan Chancellor +Acked-by: Robert Jarzmik +Cc: All applicable +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/pxa2xx-cpufreq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/cpufreq/pxa2xx-cpufreq.c ++++ b/drivers/cpufreq/pxa2xx-cpufreq.c +@@ -192,7 +192,7 @@ static int pxa_cpufreq_change_voltage(co + return ret; + } + +-static void __init pxa_cpufreq_init_voltages(void) ++static void pxa_cpufreq_init_voltages(void) + { + vcc_core = regulator_get(NULL, "vcc_core"); + if (IS_ERR(vcc_core)) { +@@ -208,7 +208,7 @@ static int pxa_cpufreq_change_voltage(co + return 0; + } + +-static void __init pxa_cpufreq_init_voltages(void) { } ++static void pxa_cpufreq_init_voltages(void) { } + #endif + + static void find_freq_tables(struct cpufreq_frequency_table **freq_table, diff --git a/queue-4.14/cpufreq-tegra124-add-missing-of_node_put.patch b/queue-4.14/cpufreq-tegra124-add-missing-of_node_put.patch new file mode 100644 index 00000000000..27cb92fc6ee --- /dev/null +++ b/queue-4.14/cpufreq-tegra124-add-missing-of_node_put.patch @@ -0,0 +1,35 @@ +From 446fae2bb5395f3028d8e3aae1508737e5a72ea1 Mon Sep 17 00:00:00 2001 +From: Yangtao Li +Date: Mon, 4 Feb 2019 02:48:54 -0500 +Subject: cpufreq: tegra124: add missing of_node_put() + +From: Yangtao Li + +commit 446fae2bb5395f3028d8e3aae1508737e5a72ea1 upstream. + +of_cpu_device_node_get() will increase the refcount of device_node, +it is necessary to call of_node_put() at the end to release the +refcount. + +Fixes: 9eb15dbbfa1a2 ("cpufreq: Add cpufreq driver for Tegra124") +Cc: # 4.4+ +Signed-off-by: Yangtao Li +Acked-by: Thierry Reding +Signed-off-by: Viresh Kumar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/tegra124-cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/cpufreq/tegra124-cpufreq.c ++++ b/drivers/cpufreq/tegra124-cpufreq.c +@@ -134,6 +134,8 @@ static int tegra124_cpufreq_probe(struct + + platform_set_drvdata(pdev, priv); + ++ of_node_put(np); ++ + return 0; + + out_switch_to_pllx: diff --git a/queue-4.14/cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch b/queue-4.14/cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch new file mode 100644 index 00000000000..4daa25e9cb0 --- /dev/null +++ b/queue-4.14/cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch @@ -0,0 +1,191 @@ +From edeb304f659792fb5bab90d7d6f3408b4c7301fb Mon Sep 17 00:00:00 2001 +From: Vaibhav Jain +Date: Tue, 29 Jan 2019 16:36:18 +0530 +Subject: cxl: Wrap iterations over afu slices inside 'afu_list_lock' + +From: Vaibhav Jain + +commit edeb304f659792fb5bab90d7d6f3408b4c7301fb upstream. + +Within cxl module, iteration over array 'adapter->afu' may be racy +at few points as it might be simultaneously read during an EEH and its +contents being set to NULL while driver is being unloaded or unbound +from the adapter. This might result in a NULL pointer to 'struct afu' +being de-referenced during an EEH thereby causing a kernel oops. + +This patch fixes this by making sure that all access to the array +'adapter->afu' is wrapped within the context of spin-lock +'adapter->afu_list_lock'. + +Fixes: 9e8df8a21963 ("cxl: EEH support") +Cc: stable@vger.kernel.org # v4.3+ +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Acked-by: Christophe Lombard +Signed-off-by: Vaibhav Jain +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/cxl/guest.c | 2 ++ + drivers/misc/cxl/pci.c | 39 ++++++++++++++++++++++++++++++--------- + 2 files changed, 32 insertions(+), 9 deletions(-) + +--- a/drivers/misc/cxl/guest.c ++++ b/drivers/misc/cxl/guest.c +@@ -267,6 +267,7 @@ static int guest_reset(struct cxl *adapt + int i, rc; + + pr_devel("Adapter reset request\n"); ++ spin_lock(&adapter->afu_list_lock); + for (i = 0; i < adapter->slices; i++) { + if ((afu = adapter->afu[i])) { + pci_error_handlers(afu, CXL_ERROR_DETECTED_EVENT, +@@ -283,6 +284,7 @@ static int guest_reset(struct cxl *adapt + pci_error_handlers(afu, CXL_RESUME_EVENT, 0); + } + } ++ spin_unlock(&adapter->afu_list_lock); + return rc; + } + +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -2050,7 +2050,7 @@ static pci_ers_result_t cxl_vphb_error_d + /* There should only be one entry, but go through the list + * anyway + */ +- if (afu->phb == NULL) ++ if (afu == NULL || afu->phb == NULL) + return result; + + list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) { +@@ -2077,7 +2077,8 @@ static pci_ers_result_t cxl_pci_error_de + { + struct cxl *adapter = pci_get_drvdata(pdev); + struct cxl_afu *afu; +- pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET, afu_result; ++ pci_ers_result_t result = PCI_ERS_RESULT_NEED_RESET; ++ pci_ers_result_t afu_result = PCI_ERS_RESULT_NEED_RESET; + int i; + + /* At this point, we could still have an interrupt pending. +@@ -2088,6 +2089,7 @@ static pci_ers_result_t cxl_pci_error_de + + /* If we're permanently dead, give up. */ + if (state == pci_channel_io_perm_failure) { ++ spin_lock(&adapter->afu_list_lock); + for (i = 0; i < adapter->slices; i++) { + afu = adapter->afu[i]; + /* +@@ -2096,6 +2098,7 @@ static pci_ers_result_t cxl_pci_error_de + */ + cxl_vphb_error_detected(afu, state); + } ++ spin_unlock(&adapter->afu_list_lock); + return PCI_ERS_RESULT_DISCONNECT; + } + +@@ -2177,11 +2180,17 @@ static pci_ers_result_t cxl_pci_error_de + * * In slot_reset, free the old resources and allocate new ones. + * * In resume, clear the flag to allow things to start. + */ ++ ++ /* Make sure no one else changes the afu list */ ++ spin_lock(&adapter->afu_list_lock); ++ + for (i = 0; i < adapter->slices; i++) { + afu = adapter->afu[i]; + +- afu_result = cxl_vphb_error_detected(afu, state); ++ if (afu == NULL) ++ continue; + ++ afu_result = cxl_vphb_error_detected(afu, state); + cxl_context_detach_all(afu); + cxl_ops->afu_deactivate_mode(afu, afu->current_mode); + pci_deconfigure_afu(afu); +@@ -2193,6 +2202,7 @@ static pci_ers_result_t cxl_pci_error_de + (result == PCI_ERS_RESULT_NEED_RESET)) + result = PCI_ERS_RESULT_NONE; + } ++ spin_unlock(&adapter->afu_list_lock); + + /* should take the context lock here */ + if (cxl_adapter_context_lock(adapter) != 0) +@@ -2225,14 +2235,18 @@ static pci_ers_result_t cxl_pci_slot_res + */ + cxl_adapter_context_unlock(adapter); + ++ spin_lock(&adapter->afu_list_lock); + for (i = 0; i < adapter->slices; i++) { + afu = adapter->afu[i]; + ++ if (afu == NULL) ++ continue; ++ + if (pci_configure_afu(afu, adapter, pdev)) +- goto err; ++ goto err_unlock; + + if (cxl_afu_select_best_mode(afu)) +- goto err; ++ goto err_unlock; + + if (afu->phb == NULL) + continue; +@@ -2244,16 +2258,16 @@ static pci_ers_result_t cxl_pci_slot_res + ctx = cxl_get_context(afu_dev); + + if (ctx && cxl_release_context(ctx)) +- goto err; ++ goto err_unlock; + + ctx = cxl_dev_context_init(afu_dev); + if (IS_ERR(ctx)) +- goto err; ++ goto err_unlock; + + afu_dev->dev.archdata.cxl_ctx = ctx; + + if (cxl_ops->afu_check_and_enable(afu)) +- goto err; ++ goto err_unlock; + + afu_dev->error_state = pci_channel_io_normal; + +@@ -2274,8 +2288,13 @@ static pci_ers_result_t cxl_pci_slot_res + result = PCI_ERS_RESULT_DISCONNECT; + } + } ++ ++ spin_unlock(&adapter->afu_list_lock); + return result; + ++err_unlock: ++ spin_unlock(&adapter->afu_list_lock); ++ + err: + /* All the bits that happen in both error_detected and cxl_remove + * should be idempotent, so we don't need to worry about leaving a mix +@@ -2296,10 +2315,11 @@ static void cxl_pci_resume(struct pci_de + * This is not the place to be checking if everything came back up + * properly, because there's no return value: do that in slot_reset. + */ ++ spin_lock(&adapter->afu_list_lock); + for (i = 0; i < adapter->slices; i++) { + afu = adapter->afu[i]; + +- if (afu->phb == NULL) ++ if (afu == NULL || afu->phb == NULL) + continue; + + list_for_each_entry(afu_dev, &afu->phb->bus->devices, bus_list) { +@@ -2308,6 +2328,7 @@ static void cxl_pci_resume(struct pci_de + afu_dev->driver->err_handler->resume(afu_dev); + } + } ++ spin_unlock(&adapter->afu_list_lock); + } + + static const struct pci_error_handlers cxl_err_handler = { diff --git a/queue-4.14/device-property-fix-the-length-used-in-property_entry_string.patch b/queue-4.14/device-property-fix-the-length-used-in-property_entry_string.patch new file mode 100644 index 00000000000..06d9aa2da3b --- /dev/null +++ b/queue-4.14/device-property-fix-the-length-used-in-property_entry_string.patch @@ -0,0 +1,42 @@ +From 2b6e492467c78183bb629bb0a100ea3509b615a5 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Wed, 23 Jan 2019 17:44:16 +0300 +Subject: device property: Fix the length used in PROPERTY_ENTRY_STRING() + +From: Heikki Krogerus + +commit 2b6e492467c78183bb629bb0a100ea3509b615a5 upstream. + +With string type property entries we need to use +sizeof(const char *) instead of the number of characters as +the length of the entry. + +If the string was shorter then sizeof(const char *), +attempts to read it would have failed with -EOVERFLOW. The +problem has been hidden because all build-in string +properties have had a string longer then 8 characters until +now. + +Fixes: a85f42047533 ("device property: helper macros for property entry creation") +Cc: 4.5+ # 4.5+ +Signed-off-by: Heikki Krogerus +Reviewed-by: Andy Shevchenko +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + + +--- + include/linux/property.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/property.h ++++ b/include/linux/property.h +@@ -252,7 +252,7 @@ struct property_entry { + #define PROPERTY_ENTRY_STRING(_name_, _val_) \ + (struct property_entry) { \ + .name = _name_, \ +- .length = sizeof(_val_), \ ++ .length = sizeof(const char *), \ + .is_string = true, \ + { .value = { .str = _val_ } }, \ + } diff --git a/queue-4.14/ext2-fix-underflow-in-ext2_max_size.patch b/queue-4.14/ext2-fix-underflow-in-ext2_max_size.patch new file mode 100644 index 00000000000..b337647419f --- /dev/null +++ b/queue-4.14/ext2-fix-underflow-in-ext2_max_size.patch @@ -0,0 +1,98 @@ +From 1c2d14212b15a60300a2d4f6364753e87394c521 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 29 Jan 2019 17:17:24 +0100 +Subject: ext2: Fix underflow in ext2_max_size() + +From: Jan Kara + +commit 1c2d14212b15a60300a2d4f6364753e87394c521 upstream. + +When ext2 filesystem is created with 64k block size, ext2_max_size() +will return value less than 0. Also, we cannot write any file in this fs +since the sb->maxbytes is less than 0. The core of the problem is that +the size of block index tree for such large block size is more than +i_blocks can carry. So fix the computation to count with this +possibility. + +File size limits computed with the new function for the full range of +possible block sizes look like: + +bits file_size +10 17247252480 +11 275415851008 +12 2196873666560 +13 2197948973056 +14 2198486220800 +15 2198754754560 +16 2198888906752 + +CC: stable@vger.kernel.org +Reported-by: yangerkun +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext2/super.c | 41 ++++++++++++++++++++++++++--------------- + 1 file changed, 26 insertions(+), 15 deletions(-) + +--- a/fs/ext2/super.c ++++ b/fs/ext2/super.c +@@ -754,7 +754,8 @@ static loff_t ext2_max_size(int bits) + { + loff_t res = EXT2_NDIR_BLOCKS; + int meta_blocks; +- loff_t upper_limit; ++ unsigned int upper_limit; ++ unsigned int ppb = 1 << (bits-2); + + /* This is calculated to be the largest file size for a + * dense, file such that the total number of +@@ -768,24 +769,34 @@ static loff_t ext2_max_size(int bits) + /* total blocks in file system block size */ + upper_limit >>= (bits - 9); + +- +- /* indirect blocks */ +- meta_blocks = 1; +- /* double indirect blocks */ +- meta_blocks += 1 + (1LL << (bits-2)); +- /* tripple indirect blocks */ +- meta_blocks += 1 + (1LL << (bits-2)) + (1LL << (2*(bits-2))); +- +- upper_limit -= meta_blocks; +- upper_limit <<= bits; +- ++ /* Compute how many blocks we can address by block tree */ + res += 1LL << (bits-2); + res += 1LL << (2*(bits-2)); + res += 1LL << (3*(bits-2)); ++ /* Does block tree limit file size? */ ++ if (res < upper_limit) ++ goto check_lfs; ++ ++ res = upper_limit; ++ /* How many metadata blocks are needed for addressing upper_limit? */ ++ upper_limit -= EXT2_NDIR_BLOCKS; ++ /* indirect blocks */ ++ meta_blocks = 1; ++ upper_limit -= ppb; ++ /* double indirect blocks */ ++ if (upper_limit < ppb * ppb) { ++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb); ++ res -= meta_blocks; ++ goto check_lfs; ++ } ++ meta_blocks += 1 + ppb; ++ upper_limit -= ppb * ppb; ++ /* tripple indirect blocks for the rest */ ++ meta_blocks += 1 + DIV_ROUND_UP(upper_limit, ppb) + ++ DIV_ROUND_UP(upper_limit, ppb*ppb); ++ res -= meta_blocks; ++check_lfs: + res <<= bits; +- if (res > upper_limit) +- res = upper_limit; +- + if (res > MAX_LFS_FILESIZE) + res = MAX_LFS_FILESIZE; + diff --git a/queue-4.14/ext4-add-mask-of-ext4-flags-to-swap.patch b/queue-4.14/ext4-add-mask-of-ext4-flags-to-swap.patch new file mode 100644 index 00000000000..70caff4ce6e --- /dev/null +++ b/queue-4.14/ext4-add-mask-of-ext4-flags-to-swap.patch @@ -0,0 +1,59 @@ +From abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 Mon Sep 17 00:00:00 2001 +From: yangerkun +Date: Mon, 11 Feb 2019 00:35:06 -0500 +Subject: ext4: add mask of ext4 flags to swap + +From: yangerkun + +commit abdc644e8cbac2e9b19763680e5a7cf9bab2bee7 upstream. + +The reason is that while swapping two inode, we swap the flags too. +Some flags such as EXT4_JOURNAL_DATA_FL can really confuse the things +since we're not resetting the address operations structure. The +simplest way to keep things sane is to restrict the flags that can be +swapped. + +Signed-off-by: yangerkun +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/ext4.h | 3 +++ + fs/ext4/ioctl.c | 6 +++++- + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -426,6 +426,9 @@ struct flex_groups { + /* Flags that are appropriate for non-directories/regular files. */ + #define EXT4_OTHER_FLMASK (EXT4_NODUMP_FL | EXT4_NOATIME_FL) + ++/* The only flags that should be swapped */ ++#define EXT4_FL_SHOULD_SWAP (EXT4_HUGE_FILE_FL | EXT4_EXTENTS_FL) ++ + /* Mask out flags that are inappropriate for the given type of inode. */ + static inline __u32 ext4_mask_flags(umode_t mode, __u32 flags) + { +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -61,6 +61,7 @@ static void swap_inode_data(struct inode + loff_t isize; + struct ext4_inode_info *ei1; + struct ext4_inode_info *ei2; ++ unsigned long tmp; + + ei1 = EXT4_I(inode1); + ei2 = EXT4_I(inode2); +@@ -73,7 +74,10 @@ static void swap_inode_data(struct inode + swap(inode1->i_mtime, inode2->i_mtime); + + memswap(ei1->i_data, ei2->i_data, sizeof(ei1->i_data)); +- swap(ei1->i_flags, ei2->i_flags); ++ tmp = ei1->i_flags & EXT4_FL_SHOULD_SWAP; ++ ei1->i_flags = (ei2->i_flags & EXT4_FL_SHOULD_SWAP) | ++ (ei1->i_flags & ~EXT4_FL_SHOULD_SWAP); ++ ei2->i_flags = tmp | (ei2->i_flags & ~EXT4_FL_SHOULD_SWAP); + swap(ei1->i_disksize, ei2->i_disksize); + ext4_es_remove_extent(inode1, 0, EXT_MAX_BLOCKS); + ext4_es_remove_extent(inode2, 0, EXT_MAX_BLOCKS); diff --git a/queue-4.14/ext4-fix-crash-during-online-resizing.patch b/queue-4.14/ext4-fix-crash-during-online-resizing.patch new file mode 100644 index 00000000000..6a01c6f3611 --- /dev/null +++ b/queue-4.14/ext4-fix-crash-during-online-resizing.patch @@ -0,0 +1,48 @@ +From f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Mon, 11 Feb 2019 13:30:32 -0500 +Subject: ext4: fix crash during online resizing + +From: Jan Kara + +commit f96c3ac8dfc24b4e38fc4c2eba5fea2107b929d1 upstream. + +When computing maximum size of filesystem possible with given number of +group descriptor blocks, we forget to include s_first_data_block into +the number of blocks. Thus for filesystems with non-zero +s_first_data_block it can happen that computed maximum filesystem size +is actually lower than current filesystem size which confuses the code +and eventually leads to a BUG_ON in ext4_alloc_group_tables() hitting on +flex_gd->count == 0. The problem can be reproduced like: + +truncate -s 100g /tmp/image +mkfs.ext4 -b 1024 -E resize=262144 /tmp/image 32768 +mount -t ext4 -o loop /tmp/image /mnt +resize2fs /dev/loop0 262145 +resize2fs /dev/loop0 300000 + +Fix the problem by properly including s_first_data_block into the +computed number of filesystem blocks. + +Fixes: 1c6bd7173d66 "ext4: convert file system to meta_bg if needed..." +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/resize.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/ext4/resize.c ++++ b/fs/ext4/resize.c +@@ -1930,7 +1930,8 @@ retry: + le16_to_cpu(es->s_reserved_gdt_blocks); + n_group = n_desc_blocks * EXT4_DESC_PER_BLOCK(sb); + n_blocks_count = (ext4_fsblk_t)n_group * +- EXT4_BLOCKS_PER_GROUP(sb); ++ EXT4_BLOCKS_PER_GROUP(sb) + ++ le32_to_cpu(es->s_first_data_block); + n_group--; /* set to last group number */ + } + diff --git a/queue-4.14/i2c-tegra-fix-maximum-transfer-size.patch b/queue-4.14/i2c-tegra-fix-maximum-transfer-size.patch new file mode 100644 index 00000000000..0b819a1d433 --- /dev/null +++ b/queue-4.14/i2c-tegra-fix-maximum-transfer-size.patch @@ -0,0 +1,37 @@ +From f4e3f4ae1d9c9330de355f432b69952e8cef650c Mon Sep 17 00:00:00 2001 +From: Sowjanya Komatineni +Date: Tue, 12 Feb 2019 11:06:44 -0800 +Subject: i2c: tegra: fix maximum transfer size + +From: Sowjanya Komatineni + +commit f4e3f4ae1d9c9330de355f432b69952e8cef650c upstream. + +Tegra186 and prior supports maximum 4K bytes per packet transfer +including 12 bytes of packet header. + +This patch fixes max write length limit to account packet header +size for transfers. + +Cc: stable@vger.kernel.org # 4.4+ + +Reviewed-by: Dmitry Osipenko +Signed-off-by: Sowjanya Komatineni +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-tegra.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -794,7 +794,7 @@ static const struct i2c_algorithm tegra_ + /* payload size is only 12 bit */ + static const struct i2c_adapter_quirks tegra_i2c_quirks = { + .max_read_len = 4096, +- .max_write_len = 4096, ++ .max_write_len = 4096 - 12, + }; + + static const struct tegra_i2c_hw_feature tegra20_i2c_hw = { diff --git a/queue-4.14/ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch b/queue-4.14/ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch new file mode 100644 index 00000000000..28c37d39582 --- /dev/null +++ b/queue-4.14/ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch @@ -0,0 +1,142 @@ +From bc5add09764c123f58942a37c8335247e683d234 Mon Sep 17 00:00:00 2001 +From: "Michael J. Ruhl" +Date: Tue, 26 Feb 2019 08:45:35 -0800 +Subject: IB/hfi1: Close race condition on user context disable and close + +From: Michael J. Ruhl + +commit bc5add09764c123f58942a37c8335247e683d234 upstream. + +When disabling and removing a receive context, it is possible for an +asynchronous event (i.e IRQ) to occur. Because of this, there is a race +between cleaning up the context, and the context being used by the +asynchronous event. + +cpu 0 (context cleanup) + rc->ref_count-- (ref_count == 0) + hfi1_rcd_free() +cpu 1 (IRQ (with rcd index)) + rcd_get_by_index() + lock + ref_count+++ <-- reference count race (WARNING) + return rcd + unlock +cpu 0 + hfi1_free_ctxtdata() <-- incorrect free location + lock + remove rcd from array + unlock + free rcd + +This race will cause the following WARNING trace: + +WARNING: CPU: 0 PID: 175027 at include/linux/kref.h:52 hfi1_rcd_get_by_index+0x84/0xa0 [hfi1] +CPU: 0 PID: 175027 Comm: IMB-MPI1 Kdump: loaded Tainted: G OE ------------ 3.10.0-957.el7.x86_64 #1 +Hardware name: Intel Corporation S2600KP/S2600KP, BIOS SE5C610.86B.11.01.0076.C4.111920150602 11/19/2015 +Call Trace: + dump_stack+0x19/0x1b + __warn+0xd8/0x100 + warn_slowpath_null+0x1d/0x20 + hfi1_rcd_get_by_index+0x84/0xa0 [hfi1] + is_rcv_urgent_int+0x24/0x90 [hfi1] + general_interrupt+0x1b6/0x210 [hfi1] + __handle_irq_event_percpu+0x44/0x1c0 + handle_irq_event_percpu+0x32/0x80 + handle_irq_event+0x3c/0x60 + handle_edge_irq+0x7f/0x150 + handle_irq+0xe4/0x1a0 + do_IRQ+0x4d/0xf0 + common_interrupt+0x162/0x162 + +The race can also lead to a use after free which could be similar to: + +general protection fault: 0000 1 SMP +CPU: 71 PID: 177147 Comm: IMB-MPI1 Kdump: loaded Tainted: G W OE ------------ 3.10.0-957.el7.x86_64 #1 +Hardware name: Intel Corporation S2600KP/S2600KP, BIOS SE5C610.86B.11.01.0076.C4.111920150602 11/19/2015 +task: ffff9962a8098000 ti: ffff99717a508000 task.ti: ffff99717a508000 __kmalloc+0x94/0x230 +Call Trace: + ? hfi1_user_sdma_process_request+0x9c8/0x1250 [hfi1] + hfi1_user_sdma_process_request+0x9c8/0x1250 [hfi1] + hfi1_aio_write+0xba/0x110 [hfi1] + do_sync_readv_writev+0x7b/0xd0 + do_readv_writev+0xce/0x260 + ? handle_mm_fault+0x39d/0x9b0 + ? pick_next_task_fair+0x5f/0x1b0 + ? sched_clock_cpu+0x85/0xc0 + ? __schedule+0x13a/0x890 + vfs_writev+0x35/0x60 + SyS_writev+0x7f/0x110 + system_call_fastpath+0x22/0x27 + +Use the appropriate kref API to verify access. + +Reorder context cleanup to ensure context removal before cleanup occurs +correctly. + +Cc: stable@vger.kernel.org # v4.14.0+ +Fixes: f683c80ca68e ("IB/hfi1: Resolve kernel panics by reference counting receive contexts") +Reviewed-by: Mike Marciniszyn +Signed-off-by: Michael J. Ruhl +Signed-off-by: Dennis Dalessandro +Signed-off-by: Jason Gunthorpe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/hfi1/hfi.h | 2 +- + drivers/infiniband/hw/hfi1/init.c | 14 +++++++++----- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/hfi1/hfi.h ++++ b/drivers/infiniband/hw/hfi1/hfi.h +@@ -1398,7 +1398,7 @@ void hfi1_init_pportdata(struct pci_dev + struct hfi1_devdata *dd, u8 hw_pidx, u8 port); + void hfi1_free_ctxtdata(struct hfi1_devdata *dd, struct hfi1_ctxtdata *rcd); + int hfi1_rcd_put(struct hfi1_ctxtdata *rcd); +-void hfi1_rcd_get(struct hfi1_ctxtdata *rcd); ++int hfi1_rcd_get(struct hfi1_ctxtdata *rcd); + struct hfi1_ctxtdata *hfi1_rcd_get_by_index(struct hfi1_devdata *dd, u16 ctxt); + int handle_receive_interrupt(struct hfi1_ctxtdata *rcd, int thread); + int handle_receive_interrupt_nodma_rtail(struct hfi1_ctxtdata *rcd, int thread); +--- a/drivers/infiniband/hw/hfi1/init.c ++++ b/drivers/infiniband/hw/hfi1/init.c +@@ -215,12 +215,12 @@ static void hfi1_rcd_free(struct kref *k + struct hfi1_ctxtdata *rcd = + container_of(kref, struct hfi1_ctxtdata, kref); + +- hfi1_free_ctxtdata(rcd->dd, rcd); +- + spin_lock_irqsave(&rcd->dd->uctxt_lock, flags); + rcd->dd->rcd[rcd->ctxt] = NULL; + spin_unlock_irqrestore(&rcd->dd->uctxt_lock, flags); + ++ hfi1_free_ctxtdata(rcd->dd, rcd); ++ + kfree(rcd); + } + +@@ -243,10 +243,13 @@ int hfi1_rcd_put(struct hfi1_ctxtdata *r + * @rcd: pointer to an initialized rcd data structure + * + * Use this to get a reference after the init. ++ * ++ * Return : reflect kref_get_unless_zero(), which returns non-zero on ++ * increment, otherwise 0. + */ +-void hfi1_rcd_get(struct hfi1_ctxtdata *rcd) ++int hfi1_rcd_get(struct hfi1_ctxtdata *rcd) + { +- kref_get(&rcd->kref); ++ return kref_get_unless_zero(&rcd->kref); + } + + /** +@@ -305,7 +308,8 @@ struct hfi1_ctxtdata *hfi1_rcd_get_by_in + spin_lock_irqsave(&dd->uctxt_lock, flags); + if (dd->rcd[ctxt]) { + rcd = dd->rcd[ctxt]; +- hfi1_rcd_get(rcd); ++ if (!hfi1_rcd_get(rcd)) ++ rcd = NULL; + } + spin_unlock_irqrestore(&dd->uctxt_lock, flags); + diff --git a/queue-4.14/intel_th-don-t-reference-unassigned-outputs.patch b/queue-4.14/intel_th-don-t-reference-unassigned-outputs.patch new file mode 100644 index 00000000000..70e1eaf126c --- /dev/null +++ b/queue-4.14/intel_th-don-t-reference-unassigned-outputs.patch @@ -0,0 +1,60 @@ +From 9ed3f22223c33347ed963e7c7019cf2956dd4e37 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Thu, 24 Jan 2019 15:11:53 +0200 +Subject: intel_th: Don't reference unassigned outputs + +From: Alexander Shishkin + +commit 9ed3f22223c33347ed963e7c7019cf2956dd4e37 upstream. + +When an output port driver is removed, also remove references to it from +any masters. Failing to do this causes a NULL ptr dereference when +configuring another output port: + +> BUG: unable to handle kernel NULL pointer dereference at 000000000000000d +> RIP: 0010:master_attr_store+0x9d/0x160 [intel_th_gth] +> Call Trace: +> dev_attr_store+0x1b/0x30 +> sysfs_kf_write+0x3c/0x50 +> kernfs_fop_write+0x125/0x1a0 +> __vfs_write+0x3a/0x190 +> ? __vfs_write+0x5/0x190 +> ? _cond_resched+0x1a/0x50 +> ? rcu_all_qs+0x5/0xb0 +> ? __vfs_write+0x5/0x190 +> vfs_write+0xb8/0x1b0 +> ksys_write+0x55/0xc0 +> __x64_sys_write+0x1a/0x20 +> do_syscall_64+0x5a/0x140 +> entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Signed-off-by: Alexander Shishkin +Fixes: b27a6a3f97b9 ("intel_th: Add Global Trace Hub driver") +CC: stable@vger.kernel.org # v4.4+ +Reported-by: Ammy Yi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/gth.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/hwtracing/intel_th/gth.c ++++ b/drivers/hwtracing/intel_th/gth.c +@@ -615,6 +615,7 @@ static void intel_th_gth_unassign(struct + { + struct gth_device *gth = dev_get_drvdata(&thdev->dev); + int port = othdev->output.port; ++ int master; + + if (thdev->host_mode) + return; +@@ -623,6 +624,9 @@ static void intel_th_gth_unassign(struct + othdev->output.port = -1; + othdev->output.active = false; + gth->output[port].output = NULL; ++ for (master = 0; master < TH_CONFIGURABLE_MASTERS; master++) ++ if (gth->master[master] == port) ++ gth->master[master] = -1; + spin_unlock(>h->gth_lock); + } + diff --git a/queue-4.14/irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch b/queue-4.14/irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch new file mode 100644 index 00000000000..73219dca3df --- /dev/null +++ b/queue-4.14/irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch @@ -0,0 +1,34 @@ +From 8d565748b6035eeda18895c213396a4c9fac6a4c Mon Sep 17 00:00:00 2001 +From: Zenghui Yu +Date: Sun, 10 Feb 2019 05:24:10 +0000 +Subject: irqchip/gic-v3-its: Avoid parsing _indirect_ twice for Device table + +From: Zenghui Yu + +commit 8d565748b6035eeda18895c213396a4c9fac6a4c upstream. + +In current logic, its_parse_indirect_baser() will be invoked twice +when allocating Device tables. Add a *break* to omit the unnecessary +and annoying (might be ...) invoking. + +Fixes: 32bd44dc19de ("irqchip/gic-v3-its: Fix the incorrect parsing of VCPU table size") +Cc: stable@vger.kernel.org +Signed-off-by: Zenghui Yu +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-gic-v3-its.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/irqchip/irq-gic-v3-its.c ++++ b/drivers/irqchip/irq-gic-v3-its.c +@@ -1708,6 +1708,8 @@ static int its_alloc_tables(struct its_n + indirect = its_parse_indirect_baser(its, baser, + psz, &order, + its->device_ids); ++ break; ++ + case GITS_BASER_TYPE_VCPU: + indirect = its_parse_indirect_baser(its, baser, + psz, &order, diff --git a/queue-4.14/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch b/queue-4.14/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch new file mode 100644 index 00000000000..38833aa7eca --- /dev/null +++ b/queue-4.14/kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch @@ -0,0 +1,52 @@ +From 8cf7630b29701d364f8df4a50e4f1f5e752b2778 Mon Sep 17 00:00:00 2001 +From: Zev Weiss +Date: Mon, 11 Mar 2019 23:28:02 -0700 +Subject: kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv + +From: Zev Weiss + +commit 8cf7630b29701d364f8df4a50e4f1f5e752b2778 upstream. + +This bug has apparently existed since the introduction of this function +in the pre-git era (4500e91754d3 in Thomas Gleixner's history.git, +"[NET]: Add proc_dointvec_userhz_jiffies, use it for proper handling of +neighbour sysctls."). + +As a minimal fix we can simply duplicate the corresponding check in +do_proc_dointvec_conv(). + +Link: http://lkml.kernel.org/r/20190207123426.9202-3-zev@bewilderbeest.net +Signed-off-by: Zev Weiss +Cc: Brendan Higgins +Cc: Iurii Zaikin +Cc: Kees Cook +Cc: Luis Chamberlain +Cc: [2.6.2+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sysctl.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -2530,7 +2530,16 @@ static int do_proc_dointvec_minmax_conv( + { + struct do_proc_dointvec_minmax_conv_param *param = data; + if (write) { +- int val = *negp ? -*lvalp : *lvalp; ++ int val; ++ if (*negp) { ++ if (*lvalp > (unsigned long) INT_MAX + 1) ++ return -EINVAL; ++ val = -*lvalp; ++ } else { ++ if (*lvalp > (unsigned long) INT_MAX) ++ return -EINVAL; ++ val = *lvalp; ++ } + if ((param->min && *param->min > val) || + (param->max && *param->max < val)) + return -EINVAL; diff --git a/queue-4.14/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch b/queue-4.14/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch new file mode 100644 index 00000000000..cbe71d9cc57 --- /dev/null +++ b/queue-4.14/libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch @@ -0,0 +1,36 @@ +From 607076a904c435f2677fadaadd4af546279db68b Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Sun, 10 Feb 2019 20:47:49 +0100 +Subject: libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer + +From: Lubomir Rintel + +commit 607076a904c435f2677fadaadd4af546279db68b upstream. + +It doesn't make sense and the USB core warns on each submit of such +URB, easily flooding the message buffer with tracebacks. + +Analogous issue was fixed in regular libertas driver in commit 6528d8804780 +("libertas: don't set URB_ZERO_PACKET on IN USB transfer"). + +Cc: stable@vger.kernel.org +Signed-off-by: Lubomir Rintel +Reviewed-by: Steve deRosier +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c +@@ -433,8 +433,6 @@ static int __if_usb_submit_rx_urb(struct + skb_tail_pointer(skb), + MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, cardp); + +- cardp->rx_urb->transfer_flags |= URB_ZERO_PACKET; +- + lbtf_deb_usb2(&cardp->udev->dev, "Pointer for rx_urb %p\n", + cardp->rx_urb); + ret = usb_submit_urb(cardp->rx_urb, GFP_ATOMIC); diff --git a/queue-4.14/mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch b/queue-4.14/mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch new file mode 100644 index 00000000000..e20b9d3f259 --- /dev/null +++ b/queue-4.14/mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch @@ -0,0 +1,76 @@ +From 46612b751c4941c5c0472ddf04027e877ae5990f Mon Sep 17 00:00:00 2001 +From: zhongjiang +Date: Tue, 5 Mar 2019 15:41:16 -0800 +Subject: mm: hwpoison: fix thp split handing in soft_offline_in_use_page() + +From: zhongjiang + +commit 46612b751c4941c5c0472ddf04027e877ae5990f upstream. + +When soft_offline_in_use_page() runs on a thp tail page after pmd is +split, we trigger the following VM_BUG_ON_PAGE(): + + Memory failure: 0x3755ff: non anonymous thp + __get_any_page: 0x3755ff: unknown zero refcount page type 2fffff80000000 + Soft offlining pfn 0x34d805 at process virtual address 0x20fff000 + page:ffffea000d360140 count:0 mapcount:0 mapping:0000000000000000 index:0x1 + flags: 0x2fffff80000000() + raw: 002fffff80000000 ffffea000d360108 ffffea000d360188 0000000000000000 + raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000 + page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) + ------------[ cut here ]------------ + kernel BUG at ./include/linux/mm.h:519! + +soft_offline_in_use_page() passed refcount and page lock from tail page +to head page, which is not needed because we can pass any subpage to +split_huge_page(). + +Naoya had fixed a similar issue in c3901e722b29 ("mm: hwpoison: fix thp +split handling in memory_failure()"). But he missed fixing soft +offline. + +Link: http://lkml.kernel.org/r/1551452476-24000-1-git-send-email-zhongjiang@huawei.com +Fixes: 61f5d698cc97 ("mm: re-enable THP") +Signed-off-by: zhongjiang +Acked-by: Naoya Horiguchi +Cc: Michal Hocko +Cc: Hugh Dickins +Cc: Kirill A. Shutemov +Cc: Andrea Arcangeli +Cc: [4.5+] +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory-failure.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +--- a/mm/memory-failure.c ++++ b/mm/memory-failure.c +@@ -1701,19 +1701,17 @@ static int soft_offline_in_use_page(stru + struct page *hpage = compound_head(page); + + if (!PageHuge(page) && PageTransHuge(hpage)) { +- lock_page(hpage); +- if (!PageAnon(hpage) || unlikely(split_huge_page(hpage))) { +- unlock_page(hpage); +- if (!PageAnon(hpage)) ++ lock_page(page); ++ if (!PageAnon(page) || unlikely(split_huge_page(page))) { ++ unlock_page(page); ++ if (!PageAnon(page)) + pr_info("soft offline: %#lx: non anonymous thp\n", page_to_pfn(page)); + else + pr_info("soft offline: %#lx: thp split failed\n", page_to_pfn(page)); +- put_hwpoison_page(hpage); ++ put_hwpoison_page(page); + return -EBUSY; + } +- unlock_page(hpage); +- get_hwpoison_page(page); +- put_hwpoison_page(hpage); ++ unlock_page(page); + } + + if (PageHuge(page)) diff --git a/queue-4.14/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch b/queue-4.14/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch new file mode 100644 index 00000000000..ab361de8dc2 --- /dev/null +++ b/queue-4.14/mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch @@ -0,0 +1,86 @@ +From 401592d2e095947344e10ec0623adbcd58934dd4 Mon Sep 17 00:00:00 2001 +From: Roman Penyaev +Date: Tue, 5 Mar 2019 15:43:20 -0800 +Subject: mm/vmalloc: fix size check for remap_vmalloc_range_partial() + +From: Roman Penyaev + +commit 401592d2e095947344e10ec0623adbcd58934dd4 upstream. + +When VM_NO_GUARD is not set area->size includes adjacent guard page, +thus for correct size checking get_vm_area_size() should be used, but +not area->size. + +This fixes possible kernel oops when userspace tries to mmap an area on +1 page bigger than was allocated by vmalloc_user() call: the size check +inside remap_vmalloc_range_partial() accounts non-existing guard page +also, so check successfully passes but vmalloc_to_page() returns NULL +(guard page does not physically exist). + +The following code pattern example should trigger an oops: + + static int oops_mmap(struct file *file, struct vm_area_struct *vma) + { + void *mem; + + mem = vmalloc_user(4096); + BUG_ON(!mem); + /* Do not care about mem leak */ + + return remap_vmalloc_range(vma, mem, 0); + } + +And userspace simply mmaps size + PAGE_SIZE: + + mmap(NULL, 8192, PROT_WRITE|PROT_READ, MAP_PRIVATE, fd, 0); + +Possible candidates for oops which do not have any explicit size +checks: + + *** drivers/media/usb/stkwebcam/stk-webcam.c: + v4l_stk_mmap[789] ret = remap_vmalloc_range(vma, sbuf->buffer, 0); + +Or the following one: + + *** drivers/video/fbdev/core/fbmem.c + static int + fb_mmap(struct file *file, struct vm_area_struct * vma) + ... + res = fb->fb_mmap(info, vma); + +Where fb_mmap callback calls remap_vmalloc_range() directly without any +explicit checks: + + *** drivers/video/fbdev/vfb.c + static int vfb_mmap(struct fb_info *info, + struct vm_area_struct *vma) + { + return remap_vmalloc_range(vma, (void *)info->fix.smem_start, vma->vm_pgoff); + } + +Link: http://lkml.kernel.org/r/20190103145954.16942-2-rpenyaev@suse.de +Signed-off-by: Roman Penyaev +Acked-by: Michal Hocko +Cc: Andrey Ryabinin +Cc: Joe Perches +Cc: "Luis R. Rodriguez" +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -2262,7 +2262,7 @@ int remap_vmalloc_range_partial(struct v + if (!(area->flags & VM_USERMAP)) + return -EINVAL; + +- if (kaddr + size > area->addr + area->size) ++ if (kaddr + size > area->addr + get_vm_area_size(area)) + return -EINVAL; + + do { diff --git a/queue-4.14/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch b/queue-4.14/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch new file mode 100644 index 00000000000..a2ef1029629 --- /dev/null +++ b/queue-4.14/nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch @@ -0,0 +1,55 @@ +From 43f89877f26671c6309cd87d7364b1a3e66e71cf Mon Sep 17 00:00:00 2001 +From: Dexuan Cui +Date: Wed, 30 Jan 2019 01:23:01 +0000 +Subject: nfit: acpi_nfit_ctl(): Check out_obj->type in the right place + +From: Dexuan Cui + +commit 43f89877f26671c6309cd87d7364b1a3e66e71cf upstream. + +In the case of ND_CMD_CALL, we should also check out_obj->type. + +The patch uses out_obj->type, which is a short alias to +out_obj->package.type. + +Fixes: 31eca76ba2fc ("nfit, libnvdimm: limited/whitelisted dimm command marshaling mechanism") +Cc: +Signed-off-by: Dexuan Cui +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/acpi/nfit/core.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/acpi/nfit/core.c ++++ b/drivers/acpi/nfit/core.c +@@ -329,6 +329,13 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + return -EINVAL; + } + ++ if (out_obj->type != ACPI_TYPE_BUFFER) { ++ dev_dbg(dev, "%s unexpected output object type cmd: %s type: %d\n", ++ dimm_name, cmd_name, out_obj->type); ++ rc = -EINVAL; ++ goto out; ++ } ++ + if (call_pkg) { + call_pkg->nd_fw_size = out_obj->buffer.length; + memcpy(call_pkg->nd_payload + call_pkg->nd_size_in, +@@ -347,13 +354,6 @@ int acpi_nfit_ctl(struct nvdimm_bus_desc + return 0; + } + +- if (out_obj->package.type != ACPI_TYPE_BUFFER) { +- dev_dbg(dev, "%s:%s unexpected output object type cmd: %s type: %d\n", +- __func__, dimm_name, cmd_name, out_obj->type); +- rc = -EINVAL; +- goto out; +- } +- + dev_dbg(dev, "%s:%s cmd: %s output length: %d\n", __func__, dimm_name, + cmd_name, out_obj->buffer.length); + print_hex_dump_debug(cmd_name, DUMP_PREFIX_OFFSET, 4, 4, diff --git a/queue-4.14/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch b/queue-4.14/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch new file mode 100644 index 00000000000..0deff712d87 --- /dev/null +++ b/queue-4.14/parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch @@ -0,0 +1,40 @@ +From 21698fd57984cd28207d841dbdaa026d6061bceb Mon Sep 17 00:00:00 2001 +From: QiaoChong +Date: Sat, 9 Feb 2019 20:59:07 +0000 +Subject: parport_pc: fix find_superio io compare code, should use equal test. + +From: QiaoChong + +commit 21698fd57984cd28207d841dbdaa026d6061bceb upstream. + +In the original code before 181bf1e815a2 the loop was continuing until +it finds the first matching superios[i].io and p->base. +But after 181bf1e815a2 the logic changed and the loop now returns the +pointer to the first mismatched array element which is then used in +get_superio_dma() and get_superio_irq() and thus returning the wrong +value. +Fix the condition so that it now returns the correct pointer. + +Fixes: 181bf1e815a2 ("parport_pc: clean up the modified while loops using for") +Cc: Alan Cox +Cc: stable@vger.kernel.org +Signed-off-by: QiaoChong +[rewrite the commit message] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/parport/parport_pc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/parport/parport_pc.c ++++ b/drivers/parport/parport_pc.c +@@ -1377,7 +1377,7 @@ static struct superio_struct *find_super + { + int i; + for (i = 0; i < NR_SUPERIOS; i++) +- if (superios[i].io != p->base) ++ if (superios[i].io == p->base) + return &superios[i]; + return NULL; + } diff --git a/queue-4.14/series b/queue-4.14/series index fe6fd8c6642..d2b8dedce52 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -106,3 +106,26 @@ btrfs-setup-a-nofs-context-for-memory-allocation-at-__btrfs_set_acl.patch btrfs-ensure-that-a-dup-or-raid1-block-group-has-exactly-two-stripes.patch btrfs-fix-corruption-reading-shared-and-compressed-extents-after-hole-punching.patch crypto-pcbc-remove-bogus-memcpy-s-with-src-dest.patch +libertas_tf-don-t-set-urb_zero_packet-on-in-usb-transfer.patch +irqchip-gic-v3-its-avoid-parsing-_indirect_-twice-for-device-table.patch +x86-kprobes-prohibit-probing-on-optprobe-template-code.patch +cpufreq-tegra124-add-missing-of_node_put.patch +cpufreq-pxa2xx-remove-incorrect-__init-annotation.patch +ext4-add-mask-of-ext4-flags-to-swap.patch +ext4-fix-crash-during-online-resizing.patch +ib-hfi1-close-race-condition-on-user-context-disable-and-close.patch +cxl-wrap-iterations-over-afu-slices-inside-afu_list_lock.patch +ext2-fix-underflow-in-ext2_max_size.patch +clk-uniphier-fix-update-register-for-cpu-gear.patch +clk-clk-twl6040-fix-imprecise-external-abort-for-pdmclk.patch +clk-ingenic-fix-round_rate-misbehaving-with-non-integer-dividers.patch +clk-ingenic-fix-doc-of-ingenic_cgu_div_info.patch +usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch +nfit-acpi_nfit_ctl-check-out_obj-type-in-the-right-place.patch +mm-hwpoison-fix-thp-split-handing-in-soft_offline_in_use_page.patch +mm-vmalloc-fix-size-check-for-remap_vmalloc_range_partial.patch +kernel-sysctl.c-add-missing-range-check-in-do_proc_dointvec_minmax_conv.patch +device-property-fix-the-length-used-in-property_entry_string.patch +intel_th-don-t-reference-unassigned-outputs.patch +parport_pc-fix-find_superio-io-compare-code-should-use-equal-test.patch +i2c-tegra-fix-maximum-transfer-size.patch diff --git a/queue-4.14/usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch b/queue-4.14/usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch new file mode 100644 index 00000000000..f2c25de7908 --- /dev/null +++ b/queue-4.14/usb-chipidea-tegra-fix-missed-ci_hdrc_remove_device.patch @@ -0,0 +1,32 @@ +From 563b9372f7ec57e44e8f9a8600c5107d7ffdd166 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Sun, 24 Feb 2019 18:36:22 +0300 +Subject: usb: chipidea: tegra: Fix missed ci_hdrc_remove_device() + +From: Dmitry Osipenko + +commit 563b9372f7ec57e44e8f9a8600c5107d7ffdd166 upstream. + +The ChipIdea's platform device need to be unregistered on Tegra's driver +module removal. + +Fixes: dfebb5f43a78827a ("usb: chipidea: Add support for Tegra20/30/114/124") +Signed-off-by: Dmitry Osipenko +Acked-by: Peter Chen +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/chipidea/ci_hdrc_tegra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/chipidea/ci_hdrc_tegra.c ++++ b/drivers/usb/chipidea/ci_hdrc_tegra.c +@@ -133,6 +133,7 @@ static int tegra_udc_remove(struct platf + { + struct tegra_udc *udc = platform_get_drvdata(pdev); + ++ ci_hdrc_remove_device(udc->dev); + usb_phy_set_suspend(udc->phy, 1); + clk_disable_unprepare(udc->clk); + diff --git a/queue-4.14/x86-kprobes-prohibit-probing-on-optprobe-template-code.patch b/queue-4.14/x86-kprobes-prohibit-probing-on-optprobe-template-code.patch new file mode 100644 index 00000000000..a7cc2687384 --- /dev/null +++ b/queue-4.14/x86-kprobes-prohibit-probing-on-optprobe-template-code.patch @@ -0,0 +1,47 @@ +From 0192e6535ebe9af68614198ced4fd6d37b778ebf Mon Sep 17 00:00:00 2001 +From: Masami Hiramatsu +Date: Wed, 13 Feb 2019 01:11:19 +0900 +Subject: x86/kprobes: Prohibit probing on optprobe template code + +From: Masami Hiramatsu + +commit 0192e6535ebe9af68614198ced4fd6d37b778ebf upstream. + +Prohibit probing on optprobe template code, since it is not +a code but a template instruction sequence. If we modify +this template, copied template must be broken. + +Signed-off-by: Masami Hiramatsu +Cc: Alexander Shishkin +Cc: Andrea Righi +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Mathieu Desnoyers +Cc: Peter Zijlstra +Cc: Steven Rostedt +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: 9326638cbee2 ("kprobes, x86: Use NOKPROBE_SYMBOL() instead of __kprobes annotation") +Link: http://lkml.kernel.org/r/154998787911.31052.15274376330136234452.stgit@devbox +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/kprobes/opt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kernel/kprobes/opt.c ++++ b/arch/x86/kernel/kprobes/opt.c +@@ -141,6 +141,11 @@ asm ( + + void optprobe_template_func(void); + STACK_FRAME_NON_STANDARD(optprobe_template_func); ++NOKPROBE_SYMBOL(optprobe_template_func); ++NOKPROBE_SYMBOL(optprobe_template_entry); ++NOKPROBE_SYMBOL(optprobe_template_val); ++NOKPROBE_SYMBOL(optprobe_template_call); ++NOKPROBE_SYMBOL(optprobe_template_end); + + #define TMPL_MOVE_IDX \ + ((long)&optprobe_template_val - (long)&optprobe_template_entry)