From: Greg Kroah-Hartman Date: Tue, 28 Aug 2018 14:09:58 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.121~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=da4c5a48e4548fed2c97f2ff4ab9bb7d5b956419;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: arc-fix-build-errors-in-arc-include-asm-delay.h.patch arc-fix-type-warnings-in-arc-mm-cache.c.patch atl1c-reserve-min-skb-headroom.patch bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch can-mpc5xxx_can-check-of_iomap-return-before-use.patch drivers-net-lmc-fix-case-value-for-target-abort-error.patch drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch drm-re-enable-error-handling.patch enic-handle-mtu-change-for-vf-properly.patch fscache-allow-cancelled-operations-to-be-enqueued.patch mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch mm-memory.c-check-return-value-of-ioremap_prot.patch net-axienet-fix-double-deregister-of-mdio.patch net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch nl80211-add-a-missing-break-in-parse_station_flags.patch revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch scsi-fcoe-drop-frames-in-els-logo-error-path.patch scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch tools-power-turbostat-fix-s-on-up-systems.patch tools-power-turbostat-read-extended-processor-family-from-cpuid.patch tools-usb-ffs-test-fix-build-on-big-endian-systems.patch usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch 
usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch xfrm-free-skb-if-nlsk-pointer-is-null.patch zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch --- diff --git a/queue-3.18/arc-fix-build-errors-in-arc-include-asm-delay.h.patch b/queue-3.18/arc-fix-build-errors-in-arc-include-asm-delay.h.patch new file mode 100644 index 00000000000..ffa6bb31317 --- /dev/null +++ b/queue-3.18/arc-fix-build-errors-in-arc-include-asm-delay.h.patch 
@@ -0,0 +1,52 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Randy Dunlap +Date: Thu, 26 Jul 2018 20:16:35 -0700 +Subject: arc: fix build errors in arc/include/asm/delay.h + +From: Randy Dunlap + +[ Upstream commit 2423665ec53f2a29191b35382075e9834288a975 ] + +Fix build errors in arch/arc/'s delay.h: +- add "extern unsigned long loops_per_jiffy;" +- add for "u64" + +In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32: +../arch/arc/include/asm/delay.h: In function '__udelay': +../arch/arc/include/asm/delay.h:61:12: error: 'u64' undeclared (first use in this function) + loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32; + ^~~ + +In file included from ../drivers/infiniband/hw/cxgb3/cxio_hal.c:32: +../arch/arc/include/asm/delay.h: In function '__udelay': +../arch/arc/include/asm/delay.h:63:37: error: 'loops_per_jiffy' undeclared (first use in this function) + loops = ((u64) usecs * 4295 * HZ * loops_per_jiffy) >> 32; + ^~~~~~~~~~~~~~~ + +Signed-off-by: Randy Dunlap +Cc: Vineet Gupta +Cc: linux-snps-arc@lists.infradead.org +Cc: Elad Kanfi +Cc: Leon Romanovsky +Cc: Ofer Levi +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/include/asm/delay.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arc/include/asm/delay.h ++++ b/arch/arc/include/asm/delay.h +@@ -17,8 +17,11 @@ + #ifndef __ASM_ARC_UDELAY_H + #define __ASM_ARC_UDELAY_H + ++#include + #include /* HZ */ + ++extern unsigned long loops_per_jiffy; ++ + static inline void __delay(unsigned long loops) + { + __asm__ __volatile__( diff --git a/queue-3.18/arc-fix-type-warnings-in-arc-mm-cache.c.patch b/queue-3.18/arc-fix-type-warnings-in-arc-mm-cache.c.patch new file mode 100644 index 00000000000..e5d8da45972 --- /dev/null +++ b/queue-3.18/arc-fix-type-warnings-in-arc-mm-cache.c.patch 
@@ -0,0 +1,55 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Randy Dunlap +Date: Thu, 26 Jul 2018 20:16:35 -0700 +Subject: arc: fix type warnings in arc/mm/cache.c + +From: Randy Dunlap + +[ Upstream commit ec837d620c750c0d4996a907c8c4f7febe1bbeee ] + +Fix type warnings in arch/arc/mm/cache.c. + +../arch/arc/mm/cache.c: In function 'flush_anon_page': +../arch/arc/mm/cache.c:1062:55: warning: passing argument 2 of '__flush_dcache_page' makes integer from pointer without a cast [-Wint-conversion] + __flush_dcache_page((phys_addr_t)page_address(page), page_address(page)); + ^~~~~~~~~~~~~~~~~~ +../arch/arc/mm/cache.c:1013:59: note: expected 'long unsigned int' but argument is of type 'void *' + void __flush_dcache_page(phys_addr_t paddr, unsigned long vaddr) + ~~~~~~~~~~~~~~^~~~~ + +Signed-off-by: Randy Dunlap +Cc: Vineet Gupta +Cc: linux-snps-arc@lists.infradead.org +Cc: Elad Kanfi +Cc: Leon Romanovsky +Cc: Ofer Levi +Signed-off-by: Vineet Gupta +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arc/mm/cache_arc700.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/arc/mm/cache_arc700.c ++++ b/arch/arc/mm/cache_arc700.c +@@ -642,7 +642,7 @@ void flush_cache_mm(struct mm_struct *mm + void flush_cache_page(struct vm_area_struct *vma, unsigned long u_vaddr, + unsigned long pfn) + { +- unsigned int paddr = pfn << PAGE_SHIFT; ++ phys_addr_t paddr = pfn << PAGE_SHIFT; + + u_vaddr &= PAGE_MASK; + +@@ -662,8 +662,9 @@ void flush_anon_page(struct vm_area_stru + unsigned long u_vaddr) + { + /* TBD: do we really need to clear the kernel mapping */ +- __flush_dcache_page(page_address(page), u_vaddr); +- __flush_dcache_page(page_address(page), page_address(page)); ++ __flush_dcache_page((phys_addr_t)page_address(page), u_vaddr); ++ __flush_dcache_page((phys_addr_t)page_address(page), ++ (phys_addr_t)page_address(page)); + + } + 
diff --git a/queue-3.18/atl1c-reserve-min-skb-headroom.patch b/queue-3.18/atl1c-reserve-min-skb-headroom.patch new file mode 100644 index 00000000000..13da833b213 --- /dev/null +++ b/queue-3.18/atl1c-reserve-min-skb-headroom.patch 
@@ -0,0 +1,51 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Florian Westphal +Date: Fri, 20 Jul 2018 19:30:57 +0200 +Subject: atl1c: reserve min skb headroom + +From: Florian Westphal + +[ Upstream commit 6e56830776828d8ca9897fc4429eeab47c3bb432 ] + +Got crash report with following backtrace: +BUG: unable to handle kernel paging request at ffff8801869daffe +RIP: 0010:[] [] ip6_finish_output2+0x394/0x4c0 +RSP: 0018:ffff880186c83a98 EFLAGS: 00010283 +RAX: ffff8801869db00e ... + [] ip6_finish_output+0x8c/0xf0 + [] ip6_output+0x57/0x100 + [] ip6_forward+0x4b9/0x840 + [] ip6_rcv_finish+0x66/0xc0 + [] ipv6_rcv+0x319/0x530 + [] netif_receive_skb+0x1c/0x70 + [] atl1c_clean+0x1ec/0x310 [atl1c] + ... + +The bad access is in neigh_hh_output(), at skb->data - 16 (HH_DATA_MOD). +atl1c driver provided skb with no headroom, so 14 bytes (ethernet +header) got pulled, but then 16 are copied. + +Reserve NET_SKB_PAD bytes headroom, like netdev_alloc_skb(). + +Compile tested only; I lack hardware. + +Fixes: 7b7017642199 ("atl1c: Fix misuse of netdev_alloc_skb in refilling rx ring") +Signed-off-by: Florian Westphal +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/atheros/atl1c/atl1c_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/atheros/atl1c/atl1c_main.c ++++ b/drivers/net/ethernet/atheros/atl1c/atl1c_main.c +@@ -1674,6 +1674,7 @@ static struct sk_buff *atl1c_alloc_skb(s + skb = build_skb(page_address(page) + adapter->rx_page_offset, + adapter->rx_frag_size); + if (likely(skb)) { ++ skb_reserve(skb, NET_SKB_PAD); + adapter->rx_page_offset += adapter->rx_frag_size; + if (adapter->rx_page_offset >= PAGE_SIZE) + adapter->rx_page = NULL; diff --git a/queue-3.18/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch b/queue-3.18/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch new file mode 100644 index 00000000000..834c9cfadcc 
--- /dev/null +++ b/queue-3.18/bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch 
@@ -0,0 +1,61 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Sudarsana Reddy Kalluru +Date: Tue, 24 Jul 2018 02:43:52 -0700 +Subject: bnx2x: Fix invalid memory access in rss hash config path. + +From: Sudarsana Reddy Kalluru + +[ Upstream commit ae2dcb28c24794a87e424a726a1cf1a61980f52d ] + +Rx hash/filter table configuration uses rss_conf_obj to configure filters +in the hardware. This object is initialized only when the interface is +brought up. +This patch adds driver changes to configure rss params only when the device +is in opened state. In port disabled case, the config will be cached in the +driver structure which will be applied in the successive load path. + +Please consider applying it to 'net' branch. + +Signed-off-by: Sudarsana Reddy Kalluru +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c +@@ -3296,14 +3296,18 @@ static int bnx2x_set_rss_flags(struct bn + DP(BNX2X_MSG_ETHTOOL, + "rss re-configured, UDP 4-tupple %s\n", + udp_rss_requested ? "enabled" : "disabled"); +- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true); ++ if (bp->state == BNX2X_STATE_OPEN) ++ return bnx2x_rss(bp, &bp->rss_conf_obj, false, ++ true); + } else if ((info->flow_type == UDP_V6_FLOW) && + (bp->rss_conf_obj.udp_rss_v6 != udp_rss_requested)) { + bp->rss_conf_obj.udp_rss_v6 = udp_rss_requested; + DP(BNX2X_MSG_ETHTOOL, + "rss re-configured, UDP 4-tupple %s\n", + udp_rss_requested ? 
"enabled" : "disabled"); +- return bnx2x_rss(bp, &bp->rss_conf_obj, false, true); ++ if (bp->state == BNX2X_STATE_OPEN) ++ return bnx2x_rss(bp, &bp->rss_conf_obj, false, ++ true); + } + return 0; + +@@ -3401,7 +3405,10 @@ static int bnx2x_set_rxfh(struct net_dev + bp->rss_conf_obj.ind_table[i] = indir[i] + bp->fp->cl_id; + } + +- return bnx2x_config_rss_eth(bp, false); ++ if (bp->state == BNX2X_STATE_OPEN) ++ return bnx2x_config_rss_eth(bp, false); ++ ++ return 0; + } + + /** diff --git a/queue-3.18/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch b/queue-3.18/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch new file mode 100644 index 00000000000..3011b5c83fe --- /dev/null +++ b/queue-3.18/cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch 
@@ -0,0 +1,118 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Kiran Kumar Modukuri +Date: Tue, 18 Jul 2017 16:25:49 -0700 +Subject: cachefiles: Fix refcounting bug in backing-file read monitoring + +From: Kiran Kumar Modukuri + +[ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ] + +cachefiles_read_waiter() has the right to access a 'monitor' object by +virtue of being called under the waitqueue lock for one of the pages in its +purview. However, it has no ref on that monitor object or on the +associated operation. + +What it is allowed to do is to move the monitor object to the operation's +to_do list, but once it drops the work_lock, it's actually no longer +permitted to access that object. However, it is trying to enqueue the +retrieval operation for processing - but it can only do this via a pointer +in the monitor object, something it shouldn't be doing. + +If it doesn't enqueue the operation, the operation may not get processed. +If the order is flipped so that the enqueue is first, then it's possible +for the work processor to look at the to_do list before the monitor is +enqueued upon it. + +Fix this by getting a ref on the operation so that we can trust that it +will still be there once we've added the monitor to the to_do list and +dropped the work_lock. The op can then be enqueued after the lock is +dropped. + +The bug can manifest in one of a couple of ways. The first manifestation +looks like: + + FS-Cache: + FS-Cache: Assertion failed + FS-Cache: 6 == 5 is false + ------------[ cut here ]------------ + kernel BUG at fs/fscache/operation.c:494! + RIP: 0010:fscache_put_operation+0x1e3/0x1f0 + ... + fscache_op_work_func+0x26/0x50 + process_one_work+0x131/0x290 + worker_thread+0x45/0x360 + kthread+0xf8/0x130 + ? create_worker+0x190/0x190 + ? 
kthread_cancel_work_sync+0x10/0x10 + ret_from_fork+0x1f/0x30 + +This is due to the operation being in the DEAD state (6) rather than +INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through +fscache_put_operation(). + +The bug can also manifest like the following: + + kernel BUG at fs/fscache/operation.c:69! + ... + [exception RIP: fscache_enqueue_operation+246] + ... + #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6 + #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48 + #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028 + +I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not +entirely clear which assertion failed. + +Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") +Reported-by: Lei Xue +Reported-by: Vegard Nossum +Reported-by: Anthony DeRobertis +Reported-by: NeilBrown +Reported-by: Daniel Axtens +Reported-by: Kiran Kumar Modukuri +Signed-off-by: David Howells +Reviewed-by: Daniel Axtens +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cachefiles/rdwr.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/fs/cachefiles/rdwr.c ++++ b/fs/cachefiles/rdwr.c +@@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q + struct cachefiles_one_read *monitor = + container_of(wait, struct cachefiles_one_read, monitor); + struct cachefiles_object *object; ++ struct fscache_retrieval *op = monitor->op; + struct wait_bit_key *key = _key; + struct page *page = wait->private; + +@@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q + list_del(&wait->task_list); + + /* move onto the action list and queue for FS-Cache thread pool */ +- ASSERT(monitor->op); ++ ASSERT(op); + +- object = container_of(monitor->op->op.object, +- struct cachefiles_object, fscache); ++ /* We need to temporarily bump the usage count as we don't own a ref ++ * here otherwise cachefiles_read_copier() may free the op between the ++ * 
monitor being enqueued on the op->to_do list and the op getting ++ * enqueued on the work queue. ++ */ ++ fscache_get_retrieval(op); + ++ object = container_of(op->op.object, struct cachefiles_object, fscache); + spin_lock(&object->work_lock); +- list_add_tail(&monitor->op_link, &monitor->op->to_do); ++ list_add_tail(&monitor->op_link, &op->to_do); + spin_unlock(&object->work_lock); + +- fscache_enqueue_retrieval(monitor->op); ++ fscache_enqueue_retrieval(op); ++ fscache_put_retrieval(op); + return 0; + } + diff --git a/queue-3.18/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch b/queue-3.18/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch new file mode 100644 index 00000000000..761a1e94355 --- /dev/null +++ b/queue-3.18/cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch 
@@ -0,0 +1,37 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Kiran Kumar Modukuri +Date: Thu, 21 Jun 2018 13:25:53 -0700 +Subject: cachefiles: Wait rather than BUG'ing on "Unexpected object collision" + +From: Kiran Kumar Modukuri + +[ Upstream commit c2412ac45a8f8f1cd582723c1a139608694d410d ] + +If we meet a conflicting object that is marked FSCACHE_OBJECT_IS_LIVE in +the active object tree, we have been emitting a BUG after logging +information about it and the new object. + +Instead, we should wait for the CACHEFILES_OBJECT_ACTIVE flag to be cleared +on the old object (or return an error). The ACTIVE flag should be cleared +after it has been removed from the active object tree. A timeout of 60s is +used in the wait, so we shouldn't be able to get stuck there. + +Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") +Signed-off-by: Kiran Kumar Modukuri +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cachefiles/namei.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/fs/cachefiles/namei.c ++++ b/fs/cachefiles/namei.c +@@ -193,7 +193,6 @@ wait_for_old_object: + pr_err("\n"); + pr_err("Error: Unexpected object collision\n"); + cachefiles_printk_object(object, xobject); +- BUG(); + } + atomic_inc(&xobject->usage); + write_unlock(&cache->active_lock); diff --git a/queue-3.18/can-mpc5xxx_can-check-of_iomap-return-before-use.patch b/queue-3.18/can-mpc5xxx_can-check-of_iomap-return-before-use.patch new file mode 100644 index 00000000000..c1938067f07 --- /dev/null +++ b/queue-3.18/can-mpc5xxx_can-check-of_iomap-return-before-use.patch 
@@ -0,0 +1,36 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Nicholas Mc Guire +Date: Mon, 9 Jul 2018 21:16:40 +0200 +Subject: can: mpc5xxx_can: check of_iomap return before use + +From: Nicholas Mc Guire + +[ Upstream commit b5c1a23b17e563b656cc9bb76ce5323b997d90e8 ] + +of_iomap() can return NULL so that return needs to be checked and NULL +treated as failure. While at it also take care of the missing +of_node_put() in the error path. + +Signed-off-by: Nicholas Mc Guire +Fixes: commit afa17a500a36 ("net/can: add driver for mscan family & mpc52xx_mscan") +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/mscan/mpc5xxx_can.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/can/mscan/mpc5xxx_can.c ++++ b/drivers/net/can/mscan/mpc5xxx_can.c +@@ -86,6 +86,11 @@ static u32 mpc52xx_can_get_clock(struct + return 0; + } + cdm = of_iomap(np_cdm, 0); ++ if (!cdm) { ++ of_node_put(np_cdm); ++ dev_err(&ofdev->dev, "can't map clock node!\n"); ++ return 0; ++ } + + if (in_8(&cdm->ipb_clk_sel) & 0x1) + freq *= 2; diff --git a/queue-3.18/drivers-net-lmc-fix-case-value-for-target-abort-error.patch b/queue-3.18/drivers-net-lmc-fix-case-value-for-target-abort-error.patch new file mode 100644 index 00000000000..df214681f37 --- /dev/null +++ b/queue-3.18/drivers-net-lmc-fix-case-value-for-target-abort-error.patch 
@@ -0,0 +1,35 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Colin Ian King +Date: Wed, 1 Aug 2018 18:22:41 +0100 +Subject: drivers: net: lmc: fix case value for target abort error + +From: Colin Ian King + +[ Upstream commit afb41bb039656f0cecb54eeb8b2e2088201295f5 ] + +Current value for a target abort error is 0x010, however, this value +should in fact be 0x002. As it stands, the range of error is 0..7 so +it is currently never being detected. This bug has been in the driver +since the early 2.6.12 days (or before). + +Detected by CoverityScan, CID#744290 ("Logically dead code") + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/lmc/lmc_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wan/lmc/lmc_main.c ++++ b/drivers/net/wan/lmc/lmc_main.c +@@ -1384,7 +1384,7 @@ static irqreturn_t lmc_interrupt (int ir + case 0x001: + printk(KERN_WARNING "%s: Master Abort (naughty)\n", dev->name); + break; +- case 0x010: ++ case 0x002: + printk(KERN_WARNING "%s: Target Abort (not so naughty)\n", dev->name); + break; + default: diff --git a/queue-3.18/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch b/queue-3.18/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch new file mode 100644 index 00000000000..3d6373e5a8e --- /dev/null +++ b/queue-3.18/drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Lucas Stach +Date: Wed, 11 Apr 2018 17:31:36 +0200 +Subject: drm/imx: imx-ldb: check if channel is enabled before printing warning + +From: Lucas Stach + +[ Upstream commit c80d673b91a6c81d765864e10f2b15110ee900ad ] + +If the second LVDS channel has been disabled in the DT when using dual-channel +mode we should not print a warning. + +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/imx-drm/imx-ldb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/imx-drm/imx-ldb.c ++++ b/drivers/staging/imx-drm/imx-ldb.c +@@ -500,14 +500,14 @@ static int imx_ldb_bind(struct device *d + if (ret || i < 0 || i > 1) + return -EINVAL; + ++ if (!of_device_is_available(child)) ++ continue; ++ + if (dual && i > 0) { + dev_warn(dev, "dual-channel mode, ignoring second output\n"); + continue; + } + +- if (!of_device_is_available(child)) +- continue; +- + channel = &imx_ldb->channel[i]; + channel->ldb = imx_ldb; + channel->chno = i; diff --git a/queue-3.18/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch b/queue-3.18/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch new file mode 100644 index 00000000000..922321f260d --- /dev/null +++ b/queue-3.18/drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Lucas Stach +Date: Wed, 11 Apr 2018 17:31:35 +0200 +Subject: drm/imx: imx-ldb: disable LDB on driver bind + +From: Lucas Stach + +[ Upstream commit b58262396fabd43dc869b576e3defdd23b32fe94 ] + +The LVDS signal integrity is only guaranteed when the correct enable +sequence (first IPU DI, then LDB) is used. If the LDB display output was +active before the imx-drm driver is loaded (like when a bootsplash was +active) the DI will be disabled by the full IPU reset we do when loading +the driver. The LDB control registers are not part of the IPU range and +thus will remain unchanged. + +This leads to the LDB still being active when the DI is getting enabled, +effectively reversing the required enable sequence. Fix this by also +disabling the LDB on driver bind. + +Signed-off-by: Lucas Stach +Signed-off-by: Philipp Zabel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/imx-drm/imx-ldb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/imx-drm/imx-ldb.c ++++ b/drivers/staging/imx-drm/imx-ldb.c +@@ -460,6 +460,9 @@ static int imx_ldb_bind(struct device *d + return PTR_ERR(imx_ldb->regmap); + } + ++ /* disable LDB by resetting the control register to POR default */ ++ regmap_write(imx_ldb->regmap, IOMUXC_GPR2, 0); ++ + imx_ldb->dev = dev; + + if (of_id) diff --git a/queue-3.18/drm-re-enable-error-handling.patch b/queue-3.18/drm-re-enable-error-handling.patch new file mode 100644 index 00000000000..6dff4c0c2fe --- /dev/null +++ b/queue-3.18/drm-re-enable-error-handling.patch 
@@ -0,0 +1,36 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Nicholas Mc Guire +Date: Sat, 14 Jul 2018 14:32:12 +0200 +Subject: drm: re-enable error handling + +From: Nicholas Mc Guire + +[ Upstream commit d530b5f1ca0bb66958a2b714bebe40a1248b9c15 ] + +drm_legacy_ctxbitmap_next() returns idr_alloc() which can return +-ENOMEM, -EINVAL or -ENOSPC none of which are -1 . but the call sites +of drm_legacy_ctxbitmap_next() seem to be assuming that the error case +would be -1 (original return of drm_ctxbitmap_next() prior to 2.6.23 +was actually -1). Thus reenable error handling by checking for < 0. + +Signed-off-by: Nicholas Mc Guire +Fixes: 62968144e673 ("drm: convert drm context code to use Linux idr") +Signed-off-by: Sean Paul +Link: https://patchwork.freedesktop.org/patch/msgid/1531571532-22733-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_context.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_context.c ++++ b/drivers/gpu/drm/drm_context.c +@@ -341,7 +341,7 @@ int drm_legacy_addctx(struct drm_device + ctx->handle = drm_legacy_ctxbitmap_next(dev); + } + DRM_DEBUG("%d\n", ctx->handle); +- if (ctx->handle == -1) { ++ if (ctx->handle < 0) { + DRM_DEBUG("Not enough free contexts.\n"); + /* Should this return -EBUSY instead? */ + return -ENOMEM; diff --git a/queue-3.18/enic-handle-mtu-change-for-vf-properly.patch b/queue-3.18/enic-handle-mtu-change-for-vf-properly.patch new file mode 100644 index 00000000000..2bd874a68be --- /dev/null +++ b/queue-3.18/enic-handle-mtu-change-for-vf-properly.patch 
@@ -0,0 +1,131 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Govindarajulu Varadarajan +Date: Fri, 27 Jul 2018 11:19:29 -0700 +Subject: enic: handle mtu change for vf properly + +From: Govindarajulu Varadarajan + +[ Upstream commit ab123fe071c9aa9680ecd62eb080eb26cff4892c ] + +When driver gets notification for mtu change, driver does not handle it for +all RQs. It handles only RQ[0]. + +Fix is to use enic_change_mtu() interface to change mtu for vf. + +Signed-off-by: Govindarajulu Varadarajan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/cisco/enic/enic_main.c | 78 +++++++++------------------- + 1 file changed, 27 insertions(+), 51 deletions(-) + +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1717,10 +1717,32 @@ static int enic_stop(struct net_device * + return 0; + } + ++static int _enic_change_mtu(struct net_device *netdev, int new_mtu) ++{ ++ bool running = netif_running(netdev); ++ int err = 0; ++ ++ ASSERT_RTNL(); ++ if (running) { ++ err = enic_stop(netdev); ++ if (err) ++ return err; ++ } ++ ++ netdev->mtu = new_mtu; ++ ++ if (running) { ++ err = enic_open(netdev); ++ if (err) ++ return err; ++ } ++ ++ return 0; ++} ++ + static int enic_change_mtu(struct net_device *netdev, int new_mtu) + { + struct enic *enic = netdev_priv(netdev); +- int running = netif_running(netdev); + + if (new_mtu < ENIC_MIN_MTU || new_mtu > ENIC_MAX_MTU) + return -EINVAL; +@@ -1728,20 +1750,12 @@ static int enic_change_mtu(struct net_de + if (enic_is_dynamic(enic) || enic_is_sriov_vf(enic)) + return -EOPNOTSUPP; + +- if (running) +- enic_stop(netdev); +- +- netdev->mtu = new_mtu; +- + if (netdev->mtu > enic->port_mtu) + netdev_warn(netdev, +- "interface MTU (%d) set higher than port MTU (%d)\n", +- netdev->mtu, enic->port_mtu); +- +- if (running) +- enic_open(netdev); ++ "interface MTU (%d) set higher than port MTU (%d)\n", ++ netdev->mtu, 
enic->port_mtu); + +- return 0; ++ return _enic_change_mtu(netdev, new_mtu); + } + + static void enic_change_mtu_work(struct work_struct *work) +@@ -1749,47 +1763,9 @@ static void enic_change_mtu_work(struct + struct enic *enic = container_of(work, struct enic, change_mtu_work); + struct net_device *netdev = enic->netdev; + int new_mtu = vnic_dev_mtu(enic->vdev); +- int err; +- unsigned int i; +- +- new_mtu = max_t(int, ENIC_MIN_MTU, min_t(int, ENIC_MAX_MTU, new_mtu)); + + rtnl_lock(); +- +- /* Stop RQ */ +- del_timer_sync(&enic->notify_timer); +- +- for (i = 0; i < enic->rq_count; i++) +- napi_disable(&enic->napi[i]); +- +- vnic_intr_mask(&enic->intr[0]); +- enic_synchronize_irqs(enic); +- err = vnic_rq_disable(&enic->rq[0]); +- if (err) { +- rtnl_unlock(); +- netdev_err(netdev, "Unable to disable RQ.\n"); +- return; +- } +- vnic_rq_clean(&enic->rq[0], enic_free_rq_buf); +- vnic_cq_clean(&enic->cq[0]); +- vnic_intr_clean(&enic->intr[0]); +- +- /* Fill RQ with new_mtu-sized buffers */ +- netdev->mtu = new_mtu; +- vnic_rq_fill(&enic->rq[0], enic_rq_alloc_buf); +- /* Need at least one buffer on ring to get going */ +- if (vnic_rq_desc_used(&enic->rq[0]) == 0) { +- rtnl_unlock(); +- netdev_err(netdev, "Unable to alloc receive buffers.\n"); +- return; +- } +- +- /* Start RQ */ +- vnic_rq_enable(&enic->rq[0]); +- napi_enable(&enic->napi[0]); +- vnic_intr_unmask(&enic->intr[0]); +- enic_notify_timer_start(enic); +- ++ (void)_enic_change_mtu(netdev, new_mtu); + rtnl_unlock(); + + netdev_info(netdev, "interface MTU set as %d\n", netdev->mtu); diff --git a/queue-3.18/fscache-allow-cancelled-operations-to-be-enqueued.patch b/queue-3.18/fscache-allow-cancelled-operations-to-be-enqueued.patch new file mode 100644 index 00000000000..69ff2cf287f --- /dev/null +++ b/queue-3.18/fscache-allow-cancelled-operations-to-be-enqueued.patch 
@@ -0,0 +1,46 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Kiran Kumar Modukuri +Date: Wed, 25 Jul 2018 14:31:20 +0100 +Subject: fscache: Allow cancelled operations to be enqueued + +From: Kiran Kumar Modukuri + +[ Upstream commit d0eb06afe712b7b103b6361f40a9a0c638524669 ] + +Alter the state-check assertion in fscache_enqueue_operation() to allow +cancelled operations to be given processing time so they can be cleaned up. + +Also fix a debugging statement that was requiring such operations to have +an object assigned. + +Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") +Reported-by: Kiran Kumar Modukuri +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/fscache/operation.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/fscache/operation.c ++++ b/fs/fscache/operation.c +@@ -37,7 +37,8 @@ void fscache_enqueue_operation(struct fs + ASSERT(op->processor != NULL); + ASSERT(fscache_object_is_available(op->object)); + ASSERTCMP(atomic_read(&op->usage), >, 0); +- ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS); ++ ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS, ++ op->state, ==, FSCACHE_OP_ST_CANCELLED); + + fscache_stat(&fscache_n_op_enqueue); + switch (op->flags & FSCACHE_OP_TYPE) { +@@ -401,7 +402,8 @@ void fscache_put_operation(struct fscach + struct fscache_cache *cache; + + _enter("{OBJ%x OP%x,%d}", +- op->object->debug_id, op->debug_id, atomic_read(&op->usage)); ++ op->object ? op->object->debug_id : 0, ++ op->debug_id, atomic_read(&op->usage)); + + ASSERTCMP(atomic_read(&op->usage), >, 0); + diff --git a/queue-3.18/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch b/queue-3.18/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch new file mode 100644 index 00000000000..2875bf05ef1 --- /dev/null +++ b/queue-3.18/mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch 
@@ -0,0 +1,80 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: "mpubbise@codeaurora.org" +Date: Mon, 2 Jul 2018 15:40:14 +0530 +Subject: mac80211: add stations tied to AP_VLANs during hw reconfig + +From: "mpubbise@codeaurora.org" + +[ Upstream commit 19103a4bfb42f320395daa5616ece3e89e759d63 ] + +As part of hw reconfig, only stations linked to AP interfaces are added +back to the driver ignoring those which are tied to AP_VLAN interfaces. + +It is true that there could be stations tied to the AP_VLAN interface while +serving 4addr clients or when using AP_VLAN for VLAN operations; we should +be adding these stations back to the driver as part of hw reconfig, failing +to do so can cause functional issues. + +In the case of ath10k driver, the following errors were observed. + +ath10k_pci : failed to install key for non-existent peer XX:XX:XX:XX:XX:XX +Workqueue: events_freezable ieee80211_restart_work [mac80211] +(unwind_backtrace) from (show_stack+0x10/0x14) +(show_stack) (dump_stack+0x80/0xa0) +(dump_stack) (warn_slowpath_common+0x68/0x8c) +(warn_slowpath_common) (warn_slowpath_null+0x18/0x20) +(warn_slowpath_null) (ieee80211_enable_keys+0x88/0x154 [mac80211]) +(ieee80211_enable_keys) (ieee80211_reconfig+0xc90/0x19c8 [mac80211]) +(ieee80211_reconfig]) (ieee80211_restart_work+0x8c/0xa0 [mac80211]) +(ieee80211_restart_work) (process_one_work+0x284/0x488) +(process_one_work) (worker_thread+0x228/0x360) +(worker_thread) (kthread+0xd8/0xec) +(kthread) (ret_from_fork+0x14/0x24) + +Also while bringing down the AP VAP, WARN_ONs and errors related to peer +removal were observed. 
+ +ath10k_pci : failed to clear all peer wep keys for vdev 0: -2 +ath10k_pci : failed to disassociate station: 8c:fd:f0:0a:8c:f5 vdev 0: -2 +(unwind_backtrace) (show_stack+0x10/0x14) +(show_stack) (dump_stack+0x80/0xa0) +(dump_stack) (warn_slowpath_common+0x68/0x8c) +(warn_slowpath_common) (warn_slowpath_null+0x18/0x20) +(warn_slowpath_null) (sta_set_sinfo+0xb98/0xc9c [mac80211]) +(sta_set_sinfo [mac80211]) (__sta_info_flush+0xf0/0x134 [mac80211]) +(__sta_info_flush [mac80211]) (ieee80211_stop_ap+0xe8/0x390 [mac80211]) +(ieee80211_stop_ap [mac80211]) (__cfg80211_stop_ap+0xe0/0x3dc [cfg80211]) +(__cfg80211_stop_ap [cfg80211]) (cfg80211_stop_ap+0x30/0x44 [cfg80211]) +(cfg80211_stop_ap [cfg80211]) (genl_rcv_msg+0x274/0x30c) +(genl_rcv_msg) (netlink_rcv_skb+0x58/0xac) +(netlink_rcv_skb) (genl_rcv+0x20/0x34) +(genl_rcv) (netlink_unicast+0x11c/0x204) +(netlink_unicast) (netlink_sendmsg+0x30c/0x370) +(netlink_sendmsg) (sock_sendmsg+0x70/0x84) +(sock_sendmsg) (___sys_sendmsg.part.3+0x188/0x228) +(___sys_sendmsg.part.3) (__sys_sendmsg+0x4c/0x70) +(__sys_sendmsg) (ret_fast_syscall+0x0/0x44) + +These issues got fixed by adding the stations which are +tied to AP_VLANs back to the driver. + +Signed-off-by: Manikanta Pubbisetty +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/util.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -1876,7 +1876,8 @@ int ieee80211_reconfig(struct ieee80211_ + if (!sta->uploaded) + continue; + +- if (sta->sdata->vif.type != NL80211_IFTYPE_AP) ++ if (sta->sdata->vif.type != NL80211_IFTYPE_AP && ++ sta->sdata->vif.type != NL80211_IFTYPE_AP_VLAN) + continue; + + for (state = IEEE80211_STA_NOTEXIST; 
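Review bot: in the ieee80211_reconfig() hunk for net/mac80211/util.c, the widened interface-type test has no comment saying why AP_VLAN stations must be added back, so the reason (4addr clients and VLAN operation, per the changelog) lives only in the commit message. A short comment above `if (sta->sdata->vif.type != NL80211_IFTYPE_AP &&` would keep a later cleanup from narrowing the test back to AP only. The second trace in the changelog is in the teardown path (ieee80211_stop_ap), which this hunk does not touch, so for the 3.18 backport it is worth confirming that those warnings also disappear with only this change applied.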
diff --git a/queue-3.18/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch b/queue-3.18/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch new file mode 100644 index 00000000000..4f03342a0c0 --- /dev/null +++ b/queue-3.18/media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch 
@@ -0,0 +1,65 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Guenter Roeck +Date: Mon, 23 Jul 2018 14:39:33 -0700 +Subject: media: staging: omap4iss: Include asm/cacheflush.h after generic includes + +From: Guenter Roeck + +[ Upstream commit 0894da849f145af51bde88a6b84f95b9c9e0bc66 ] + +Including asm/cacheflush.h first results in the following build error +when trying to build sparc32:allmodconfig, because 'struct page' has not +been declared, and the function declaration ends up creating a separate +(private) declaration of struct page (as a result of function arguments +being in the scope of the function declaration and definition, not in +global scope). + +The C scoping rules do not just affect variable visibility, they also +affect type declaration visibility. + +The end result is that when the actual call site is seen in +, the 'struct page' type in the caller is not the same +'struct page' that the function was declared with, resulting in: + + In file included from arch/sparc/include/asm/page.h:10:0, + ... + from drivers/staging/media/omap4iss/iss_video.c:15: + include/linux/highmem.h: In function 'clear_user_highpage': + include/linux/highmem.h:137:31: error: + passing argument 1 of 'sparc_flush_page_to_ram' from incompatible + pointer type + +Include generic includes files first to fix the problem. + +Fixes: fc96d58c10162 ("[media] v4l: omap4iss: Add support for OMAP4 camera interface - Video devices") +Suggested-by: Linus Torvalds +Acked-by: David S. Miller +Cc: Randy Dunlap +Signed-off-by: Guenter Roeck +[ Added explanation of C scope rules - Linus ] +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/media/omap4iss/iss_video.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/media/omap4iss/iss_video.c ++++ b/drivers/staging/media/omap4iss/iss_video.c +@@ -11,7 +11,6 @@ + * (at your option) any later version. 
+ */ + +-#include + #include + #include + #include +@@ -22,6 +21,8 @@ + #include + #include + ++#include ++ + #include "iss_video.h" + #include "iss.h" + diff --git a/queue-3.18/mm-memory.c-check-return-value-of-ioremap_prot.patch b/queue-3.18/mm-memory.c-check-return-value-of-ioremap_prot.patch new file mode 100644 index 00000000000..701ac8c1ae2 --- /dev/null +++ b/queue-3.18/mm-memory.c-check-return-value-of-ioremap_prot.patch @@ -0,0 +1,38 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: "jie@chenjie6@huwei.com" +Date: Fri, 10 Aug 2018 17:23:06 -0700 +Subject: mm/memory.c: check return value of ioremap_prot + +From: "jie@chenjie6@huwei.com" + +[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ] + +ioremap_prot() can return NULL which could lead to an oops. + +Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com +Signed-off-by: chen jie +Reviewed-by: Andrew Morton +Cc: Li Zefan +Cc: chenjie +Cc: Yang Shi +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memory.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -3522,6 +3522,9 @@ int generic_access_phys(struct vm_area_s + return -EINVAL; + + maddr = ioremap_prot(phys_addr, PAGE_ALIGN(len + offset), prot); ++ if (!maddr) ++ return -ENOMEM; ++ + if (write) + memcpy_toio(maddr + offset, buf, len); + else diff --git a/queue-3.18/net-axienet-fix-double-deregister-of-mdio.patch b/queue-3.18/net-axienet-fix-double-deregister-of-mdio.patch new file mode 100644 index 00000000000..7b6f78707a7 --- /dev/null +++ b/queue-3.18/net-axienet-fix-double-deregister-of-mdio.patch 
@@ -0,0 +1,61 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Shubhrajyoti Datta +Date: Tue, 24 Jul 2018 10:09:53 +0530 +Subject: net: axienet: Fix double deregister of mdio + +From: Shubhrajyoti Datta + +[ Upstream commit 03bc7cab7d7218088412a75e141696a89059ab00 ] + +If the registration fails then mdio_unregister is called. +However at unbind the unregister ia attempted again resulting +in the below crash + +[ 73.544038] kernel BUG at drivers/net/phy/mdio_bus.c:415! +[ 73.549362] Internal error: Oops - BUG: 0 [#1] SMP +[ 73.554127] Modules linked in: +[ 73.557168] CPU: 0 PID: 2249 Comm: sh Not tainted 4.14.0 #183 +[ 73.562895] Hardware name: xlnx,zynqmp (DT) +[ 73.567062] task: ffffffc879e41180 task.stack: ffffff800cbe0000 +[ 73.572973] PC is at mdiobus_unregister+0x84/0x88 +[ 73.577656] LR is at axienet_mdio_teardown+0x18/0x30 +[ 73.582601] pc : [] lr : [] +pstate: 20000145 +[ 73.589981] sp : ffffff800cbe3c30 +[ 73.593277] x29: ffffff800cbe3c30 x28: ffffffc879e41180 +[ 73.598573] x27: ffffff8008a21000 x26: 0000000000000040 +[ 73.603868] x25: 0000000000000124 x24: ffffffc879efe920 +[ 73.609164] x23: 0000000000000060 x22: ffffffc879e02000 +[ 73.614459] x21: ffffffc879e02800 x20: ffffffc87b0b8870 +[ 73.619754] x19: ffffffc879e02800 x18: 000000000000025d +[ 73.625050] x17: 0000007f9a719ad0 x16: ffffff8008195bd8 +[ 73.630345] x15: 0000007f9a6b3d00 x14: 0000000000000010 +[ 73.635640] x13: 74656e7265687465 x12: 0000000000000030 +[ 73.640935] x11: 0000000000000030 x10: 0101010101010101 +[ 73.646231] x9 : 241f394f42533300 x8 : ffffffc8799f6e98 +[ 73.651526] x7 : ffffffc8799f6f18 x6 : ffffffc87b0ba318 +[ 73.656822] x5 : ffffffc87b0ba498 x4 : 0000000000000000 +[ 73.662117] x3 : 0000000000000000 x2 : 0000000000000008 +[ 73.667412] x1 : 0000000000000004 x0 : ffffffc8799f4000 +[ 73.672708] Process sh (pid: 2249, stack limit = 0xffffff800cbe0000) + +Fix the same by making the bus NULL on unregister. + +Signed-off-by: Shubhrajyoti Datta +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c ++++ b/drivers/net/ethernet/xilinx/xilinx_axienet_mdio.c +@@ -219,6 +219,7 @@ issue: + ret = of_mdiobus_register(bus, np1); + if (ret) { + mdiobus_free(bus); ++ lp->mii_bus = NULL; + return ret; + } + return 0; diff --git a/queue-3.18/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch b/queue-3.18/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch new file mode 100644 index 00000000000..8b3ad2ca23e --- /dev/null +++ b/queue-3.18/net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch @@ -0,0 +1,34 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: YueHaibing +Date: Thu, 19 Jul 2018 10:27:13 +0800 +Subject: net: caif: Add a missing rcu_read_unlock() in caif_flow_cb + +From: YueHaibing + +[ Upstream commit 64119e05f7b31e83e2555f6782e6cdc8f81c63f4 ] + +Add a missing rcu_read_unlock in the error path + +Fixes: c95567c80352 ("caif: added check for potential null return") +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -131,8 +131,10 @@ static void caif_flow_cb(struct sk_buff + caifd = caif_get(skb->dev); + + WARN_ON(caifd == NULL); +- if (caifd == NULL) ++ if (!caifd) { ++ rcu_read_unlock(); + return; ++ } + + caifd_hold(caifd); + rcu_read_unlock(); diff --git a/queue-3.18/nl80211-add-a-missing-break-in-parse_station_flags.patch b/queue-3.18/nl80211-add-a-missing-break-in-parse_station_flags.patch new file mode 100644 index 00000000000..9e31668ff02 --- /dev/null +++ b/queue-3.18/nl80211-add-a-missing-break-in-parse_station_flags.patch 
@@ -0,0 +1,38 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Bernd Edlinger +Date: Sun, 8 Jul 2018 09:57:22 +0000 +Subject: nl80211: Add a missing break in parse_station_flags + +From: Bernd Edlinger + +[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ] + +I was looking at usually suppressed gcc warnings, +[-Wimplicit-fallthrough=] in this case: + +The code definitely looks like a break is missing here. +However I am not able to test the NL80211_IFTYPE_MESH_POINT, +nor do I actually know what might be :) +So please use this patch with caution and only if you are +able to do some testing. + +Signed-off-by: Bernd Edlinger +[johannes: looks obvious enough to apply as is, interesting + though that it never seems to have been a problem] +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3490,6 +3490,7 @@ static int parse_station_flags(struct ge + params->sta_flags_mask = BIT(NL80211_STA_FLAG_AUTHENTICATED) | + BIT(NL80211_STA_FLAG_MFP) | + BIT(NL80211_STA_FLAG_AUTHORIZED); ++ break; + default: + return -EINVAL; + } diff --git a/queue-3.18/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch b/queue-3.18/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch new file mode 100644 index 00000000000..fb175db7573 --- /dev/null +++ b/queue-3.18/revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch 
@@ -0,0 +1,83 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: "Rafał Miłecki" +Date: Fri, 27 Jul 2018 13:13:39 +0200 +Subject: Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum" + +From: "Rafał Miłecki" + +[ Upstream commit d5ea019f8a381f88545bb26993b62ec24a2796b7 ] + +This reverts commit 2a027b47dba6 ("MIPS: BCM47XX: Enable 74K Core +ExternalSync for PCIe erratum"). + +Enabling ExternalSync caused a regression for BCM4718A1 (used e.g. in +Netgear E3000 and ASUS RT-N16): it simply hangs during PCIe +initialization. It's likely that BCM4717A1 is also affected. + +I didn't notice that earlier as the only BCM47XX devices with PCIe I +own are: +1) BCM4706 with 2 x 14e4:4331 +2) BCM4706 with 14e4:4360 and 14e4:4331 +it appears that BCM4706 is unaffected. + +While BCM5300X-ES300-RDS.pdf seems to document that erratum and its +workarounds (according to quotes provided by Tokunori) it seems not even +Broadcom follows them. + +According to the provided info Broadcom should define CONF7_ES in their +SDK's mipsinc.h and implement workaround in the si_mips_init(). Checking +both didn't reveal such code. It *could* mean Broadcom also had some +problems with the given workaround. 
+ +Signed-off-by: Rafał Miłecki +Signed-off-by: Paul Burton +Reported-by: Michael Marley +Patchwork: https://patchwork.linux-mips.org/patch/20032/ +URL: https://bugs.openwrt.org/index.php?do=details&task_id=1688 +Cc: Tokunori Ikegami +Cc: Hauke Mehrtens +Cc: Chris Packham +Cc: James Hogan +Cc: Ralf Baechle +Cc: linux-mips@linux-mips.org +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/bcm47xx/setup.c | 6 ------ + arch/mips/include/asm/mipsregs.h | 3 --- + 2 files changed, 9 deletions(-) + +--- a/arch/mips/bcm47xx/setup.c ++++ b/arch/mips/bcm47xx/setup.c +@@ -269,12 +269,6 @@ static int __init bcm47xx_cpu_fixes(void + */ + if (bcm47xx_bus.bcma.bus.chipinfo.id == BCMA_CHIP_ID_BCM4706) + cpu_wait = NULL; +- +- /* +- * BCM47XX Erratum "R10: PCIe Transactions Periodically Fail" +- * Enable ExternalSync for sync instruction to take effect +- */ +- set_c0_config7(MIPS_CONF7_ES); + break; + #endif + } +--- a/arch/mips/include/asm/mipsregs.h ++++ b/arch/mips/include/asm/mipsregs.h +@@ -667,8 +667,6 @@ + #define MIPS_CONF7_WII (_ULCAST_(1) << 31) + + #define MIPS_CONF7_RPS (_ULCAST_(1) << 2) +-/* ExternalSync */ +-#define MIPS_CONF7_ES (_ULCAST_(1) << 8) + + #define MIPS_CONF7_IAR (_ULCAST_(1) << 10) + #define MIPS_CONF7_AR (_ULCAST_(1) << 16) +@@ -1865,7 +1863,6 @@ __BUILD_SET_C0(status) + __BUILD_SET_C0(cause) + __BUILD_SET_C0(config) + __BUILD_SET_C0(config5) +-__BUILD_SET_C0(config7) + __BUILD_SET_C0(intcontrol) + __BUILD_SET_C0(intctl) + __BUILD_SET_C0(srsmap) diff --git a/queue-3.18/scsi-fcoe-drop-frames-in-els-logo-error-path.patch b/queue-3.18/scsi-fcoe-drop-frames-in-els-logo-error-path.patch new file mode 100644 index 00000000000..114e2d44c7e --- /dev/null +++ b/queue-3.18/scsi-fcoe-drop-frames-in-els-logo-error-path.patch 
@@ -0,0 +1,56 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Johannes Thumshirn +Date: Tue, 31 Jul 2018 15:46:02 +0200 +Subject: scsi: fcoe: drop frames in ELS LOGO error path + +From: Johannes Thumshirn + +[ Upstream commit 63d0e3dffda311e77b9a8c500d59084e960a824a ] + +Drop the frames in the ELS LOGO error path instead of just returning an +error. + +This fixes the following kmemleak report: +unreferenced object 0xffff880064cb1000 (size 424): + comm "kworker/0:2", pid 24, jiffies 4294904293 (age 68.504s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<(____ptrval____)>] _fc_frame_alloc+0x2c/0x180 [libfc] + [<(____ptrval____)>] fc_lport_enter_logo+0x106/0x360 [libfc] + [<(____ptrval____)>] fc_fabric_logoff+0x8c/0xc0 [libfc] + [<(____ptrval____)>] fcoe_if_destroy+0x79/0x3b0 [fcoe] + [<(____ptrval____)>] fcoe_destroy_work+0xd2/0x170 [fcoe] + [<(____ptrval____)>] process_one_work+0x7ff/0x1420 + [<(____ptrval____)>] worker_thread+0x87/0xef0 + [<(____ptrval____)>] kthread+0x2db/0x390 + [<(____ptrval____)>] ret_from_fork+0x35/0x40 + [<(____ptrval____)>] 0xffffffffffffffff + +which can be triggered by issuing +echo eth0 > /sys/bus/fcoe/ctlr_destroy + +Signed-off-by: Johannes Thumshirn +Reviewed-by: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/fcoe/fcoe_ctlr.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/fcoe/fcoe_ctlr.c ++++ b/drivers/scsi/fcoe/fcoe_ctlr.c +@@ -752,9 +752,9 @@ int fcoe_ctlr_els_send(struct fcoe_ctlr + case ELS_LOGO: + if (fip->mode == FIP_MODE_VN2VN) { + if (fip->state != FIP_ST_VNMP_UP) +- return -EINVAL; ++ goto drop; + if (ntoh24(fh->fh_d_id) == FC_FID_FLOGI) +- return -EINVAL; ++ goto drop; + } else { + if (fip->state != FIP_ST_ENABLED) + return 0; 
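Review bot: in the ELS_LOGO case of fcoe_ctlr_els_send(), the two VN2VN exits now go to `drop`, but the non-VN2VN branch directly below still leaves with `if (fip->state != FIP_ST_ENABLED) return 0;`, and nothing in the hunk says why that path need not release the frame. If 0 means the caller keeps ownership and sends the frame itself, a comment to that effect would settle it. The `drop` label is outside the hunk, so its return value cannot be checked here; callers that used to see -EINVAL on these two paths should be confirmed to handle whatever `drop` returns.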
diff --git a/queue-3.18/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch b/queue-3.18/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch new file mode 100644 index 00000000000..0fdf0e50c59 --- /dev/null +++ b/queue-3.18/scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch 
@@ -0,0 +1,69 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Varun Prakash +Date: Wed, 11 Jul 2018 22:09:52 +0530 +Subject: scsi: libiscsi: fix possible NULL pointer dereference in case of TMF + +From: Varun Prakash + +[ Upstream commit a17037e7d59075053b522048742a08ac9500bde8 ] + +In iscsi_check_tmf_restrictions() task->hdr is dereferenced to print the +opcode, it is possible that task->hdr is NULL. + +There are two cases based on opcode argument: + +1. ISCSI_OP_SCSI_CMD - In this case alloc_pdu() is called +after iscsi_check_tmf_restrictions() + +iscsi_prep_scsi_cmd_pdu() -> iscsi_check_tmf_restrictions() -> alloc_pdu(). + +Transport drivers allocate memory for iSCSI hdr in alloc_pdu() and assign +it to task->hdr. In case of TMF task->hdr will be NULL resulting in NULL +pointer dereference. + +2. ISCSI_OP_SCSI_DATA_OUT - In this case transport driver can free the +memory for iSCSI hdr after transmitting the pdu so task->hdr can be NULL or +invalid. + +This patch fixes this issue by removing task->hdr->opcode from the printk +statement. + +Signed-off-by: Varun Prakash +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/libiscsi.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/libiscsi.c ++++ b/drivers/scsi/libiscsi.c +@@ -283,11 +283,11 @@ static int iscsi_check_tmf_restrictions( + */ + if (opcode != ISCSI_OP_SCSI_DATA_OUT) { + iscsi_conn_printk(KERN_INFO, conn, +- "task [op %x/%x itt " ++ "task [op %x itt " + "0x%x/0x%x] " + "rejected.\n", +- task->hdr->opcode, opcode, +- task->itt, task->hdr_itt); ++ opcode, task->itt, ++ task->hdr_itt); + return -EACCES; + } + /* +@@ -296,10 +296,10 @@ static int iscsi_check_tmf_restrictions( + */ + if (conn->session->fast_abort) { + iscsi_conn_printk(KERN_INFO, conn, +- "task [op %x/%x itt " ++ "task [op %x itt " + "0x%x/0x%x] fast abort.\n", +- task->hdr->opcode, opcode, +- task->itt, task->hdr_itt); ++ opcode, task->itt, ++ task->hdr_itt); + return -EACCES; + } + break; diff --git a/queue-3.18/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch b/queue-3.18/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch new file mode 100644 index 00000000000..387ba511dbf --- /dev/null +++ b/queue-3.18/scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch 
@@ -0,0 +1,47 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Jim Gill +Date: Thu, 2 Aug 2018 14:13:30 -0700 +Subject: scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED + +From: Jim Gill + +[ Upstream commit e95153b64d03c2b6e8d62e51bdcc33fcad6e0856 ] + +Commands that are reset are returned with status +SAM_STAT_COMMAND_TERMINATED. PVSCSI currently returns DID_OK | +SAM_STAT_COMMAND_TERMINATED which fails the command. Instead, set hostbyte +to DID_RESET to allow upper layers to retry. + +Tested by copying a large file between two pvscsi disks on same adapter +while performing a bus reset at 1-second intervals. Before fix, commands +sometimes fail with DID_OK. After fix, commands observed to fail with +DID_RESET. + +Signed-off-by: Jim Gill +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/vmw_pvscsi.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/vmw_pvscsi.c ++++ b/drivers/scsi/vmw_pvscsi.c +@@ -567,9 +567,14 @@ static void pvscsi_complete_request(stru + (btstat == BTSTAT_SUCCESS || + btstat == BTSTAT_LINKED_COMMAND_COMPLETED || + btstat == BTSTAT_LINKED_COMMAND_COMPLETED_WITH_FLAG)) { +- cmd->result = (DID_OK << 16) | sdstat; +- if (sdstat == SAM_STAT_CHECK_CONDITION && cmd->sense_buffer) +- cmd->result |= (DRIVER_SENSE << 24); ++ if (sdstat == SAM_STAT_COMMAND_TERMINATED) { ++ cmd->result = (DID_RESET << 16); ++ } else { ++ cmd->result = (DID_OK << 16) | sdstat; ++ if (sdstat == SAM_STAT_CHECK_CONDITION && ++ cmd->sense_buffer) ++ cmd->result |= (DRIVER_SENSE << 24); ++ } + } else + switch (btstat) { + case BTSTAT_SUCCESS: diff --git a/queue-3.18/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch b/queue-3.18/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch new file mode 100644 index 00000000000..e86480d8d3f --- /dev/null +++ b/queue-3.18/selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch 
@@ -0,0 +1,60 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Masami Hiramatsu +Date: Sat, 14 Jul 2018 01:28:44 +0900 +Subject: selftests/ftrace: Add snapshot and tracing_on test case + +From: Masami Hiramatsu + +[ Upstream commit 82f4f3e69c5c29bce940dd87a2c0f16c51d48d17 ] + +Add a testcase for checking snapshot and tracing_on +relationship. This ensures that the snapshotting doesn't +affect current tracing on/off settings. + +Link: http://lkml.kernel.org/r/153149932412.11274.15289227592627901488.stgit@devbox + +Cc: Tom Zanussi +Cc: Hiraku Toyooka +Signed-off-by: Masami Hiramatsu +Cc: Ingo Molnar +Cc: Shuah Khan +Cc: linux-kselftest@vger.kernel.org +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc | 28 ++++++++++++++ + 1 file changed, 28 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/00basic/snapshot.tc +@@ -0,0 +1,28 @@ ++#!/bin/sh ++# description: Snapshot and tracing setting ++# flags: instance ++ ++[ ! -f snapshot ] && exit_unsupported ++ ++echo "Set tracing off" ++echo 0 > tracing_on ++ ++echo "Allocate and take a snapshot" ++echo 1 > snapshot ++ ++# Since trace buffer is empty, snapshot is also empty, but allocated ++grep -q "Snapshot is allocated" snapshot ++ ++echo "Ensure keep tracing off" ++test `cat tracing_on` -eq 0 ++ ++echo "Set tracing on" ++echo 1 > tracing_on ++ ++echo "Take a snapshot again" ++echo 1 > snapshot ++ ++echo "Ensure keep tracing on" ++test `cat tracing_on` -eq 1 ++ ++exit 0 diff --git a/queue-3.18/series b/queue-3.18/series index 58ce1ac0ce8..1da528ff4c7 100644 --- a/queue-3.18/series +++ b/queue-3.18/series 
@@ -1,2 +1,36 @@ sched-sysctl-check-user-input-value-of-sysctl_sched_time_avg.patch cipso-cipso_v4_optptr-enter-infinite-loop.patch +xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch +xfrm-free-skb-if-nlsk-pointer-is-null.patch +mac80211-add-stations-tied-to-ap_vlans-during-hw-reconfig.patch +nl80211-add-a-missing-break-in-parse_station_flags.patch +scsi-libiscsi-fix-possible-null-pointer-dereference-in-case-of-tmf.patch +drm-re-enable-error-handling.patch +drm-imx-imx-ldb-disable-ldb-on-driver-bind.patch +drm-imx-imx-ldb-check-if-channel-is-enabled-before-printing-warning.patch +usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch +usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch +usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch +tools-usb-ffs-test-fix-build-on-big-endian-systems.patch +usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch +tools-power-turbostat-fix-s-on-up-systems.patch +net-caif-add-a-missing-rcu_read_unlock-in-caif_flow_cb.patch +atl1c-reserve-min-skb-headroom.patch +can-mpc5xxx_can-check-of_iomap-return-before-use.patch +media-staging-omap4iss-include-asm-cacheflush.h-after-generic-includes.patch +bnx2x-fix-invalid-memory-access-in-rss-hash-config-path.patch +net-axienet-fix-double-deregister-of-mdio.patch +fscache-allow-cancelled-operations-to-be-enqueued.patch +cachefiles-fix-refcounting-bug-in-backing-file-read-monitoring.patch +cachefiles-wait-rather-than-bug-ing-on-unexpected-object-collision.patch +selftests-ftrace-add-snapshot-and-tracing_on-test-case.patch +zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch +tools-power-turbostat-read-extended-processor-family-from-cpuid.patch +revert-mips-bcm47xx-enable-74k-core-externalsync-for-pcie-erratum.patch +enic-handle-mtu-change-for-vf-properly.patch +arc-fix-build-errors-in-arc-include-asm-delay.h.patch +arc-fix-type-warnings-in-arc-mm-cache.c.patch 
+drivers-net-lmc-fix-case-value-for-target-abort-error.patch +scsi-fcoe-drop-frames-in-els-logo-error-path.patch +scsi-vmw_pvscsi-return-did_reset-for-status-sam_stat_command_terminated.patch +mm-memory.c-check-return-value-of-ioremap_prot.patch diff --git a/queue-3.18/tools-power-turbostat-fix-s-on-up-systems.patch b/queue-3.18/tools-power-turbostat-fix-s-on-up-systems.patch new file mode 100644 index 00000000000..d2e3b16d7fa --- /dev/null +++ b/queue-3.18/tools-power-turbostat-fix-s-on-up-systems.patch @@ -0,0 +1,32 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Len Brown +Date: Fri, 20 Jul 2018 14:47:03 -0400 +Subject: tools/power turbostat: fix -S on UP systems + +From: Len Brown + +[ Upstream commit 9d83601a9cc1884d1b5706ee2acc661d558c6838 ] + +The -S (system summary) option failed to print any data on a 1-processor system. + +Reported-by: Artem Bityutskiy +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/power/x86/turbostat/turbostat.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -605,9 +605,7 @@ void format_all_counters(struct thread_d + if (!printed || !summary_only) + print_header(); + +- if (topo.num_cpus > 1) +- format_counters(&average.threads, &average.cores, +- &average.packages); ++ format_counters(&average.threads, &average.cores, &average.packages); + + printed = 1; + diff --git a/queue-3.18/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch b/queue-3.18/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch new file mode 100644 index 00000000000..00deefa0b1d --- /dev/null +++ b/queue-3.18/tools-power-turbostat-read-extended-processor-family-from-cpuid.patch 
@@ -0,0 +1,41 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Calvin Walton +Date: Fri, 27 Jul 2018 07:50:53 -0400 +Subject: tools/power turbostat: Read extended processor family from CPUID + +From: Calvin Walton + +[ Upstream commit 5aa3d1a20a233d4a5f1ec3d62da3f19d9afea682 ] + +This fixes the reported family on modern AMD processors (e.g. Ryzen, +which is family 0x17). Previously these processors all showed up as +family 0xf. + +See the document +https://support.amd.com/TechDocs/56255_OSRR.pdf +section CPUID_Fn00000001_EAX for how to calculate the family +from the BaseFamily and ExtFamily values. + +This matches the code in arch/x86/lib/cpu.c + +Signed-off-by: Calvin Walton +Signed-off-by: Len Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/power/x86/turbostat/turbostat.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/tools/power/x86/turbostat/turbostat.c ++++ b/tools/power/x86/turbostat/turbostat.c +@@ -2009,7 +2009,9 @@ void check_cpuid() + family = (fms >> 8) & 0xf; + model = (fms >> 4) & 0xf; + stepping = fms & 0xf; +- if (family == 6 || family == 0xf) ++ if (family == 0xf) ++ family += (fms >> 20) & 0xff; ++ if (family >= 6) + model += ((fms >> 16) & 0xf) << 4; + + if (verbose) diff --git a/queue-3.18/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch b/queue-3.18/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch new file mode 100644 index 00000000000..414d80da15d --- /dev/null +++ b/queue-3.18/tools-usb-ffs-test-fix-build-on-big-endian-systems.patch 
@@ -0,0 +1,71 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Peter Senna Tschudin +Date: Tue, 10 Jul 2018 16:01:45 +0200 +Subject: tools: usb: ffs-test: Fix build on big endian systems + +From: Peter Senna Tschudin + +[ Upstream commit a2b22dddc7bb6110ac3b5ed1a60aa9279836fadb ] + +The tools/usb/ffs-test.c file defines cpu_to_le16/32 by using the C +library htole16/32 function calls. However, cpu_to_le16/32 are used when +initializing structures, i.e in a context where a function call is not +allowed. + +It works fine on little endian systems because htole16/32 are defined by +the C library as no-ops. But on big-endian systems, they are actually +doing something, which might involve calling a function, causing build +failures, such as: + + ffs-test.c:48:25: error: initializer element is not constant + #define cpu_to_le32(x) htole32(x) + ^~~~~~~ + ffs-test.c:128:12: note: in expansion of macro ‘cpu_to_le32’ + .magic = cpu_to_le32(FUNCTIONFS_DESCRIPTORS_MAGIC_V2), + ^~~~~~~~~~~ + +To solve this, we code cpu_to_le16/32 in a way that allows them to be +used when initializing structures. This fix was imported from +meta-openembedded/android-tools/fix-big-endian-build.patch written by +Thomas Petazzoni . + +CC: Thomas Petazzoni +Signed-off-by: Peter Senna Tschudin +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/usb/ffs-test.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/tools/usb/ffs-test.c ++++ b/tools/usb/ffs-test.c +@@ -44,12 +44,25 @@ + + /******************** Little Endian Handling ********************************/ + +-#define cpu_to_le16(x) htole16(x) +-#define cpu_to_le32(x) htole32(x) ++/* ++ * cpu_to_le16/32 are used when initializing structures, a context where a ++ * function call is not allowed. To solve this, we code cpu_to_le16/32 in a way ++ * that allows them to be used when initializing structures. 
++ */ ++ ++#if __BYTE_ORDER == __LITTLE_ENDIAN ++#define cpu_to_le16(x) (x) ++#define cpu_to_le32(x) (x) ++#else ++#define cpu_to_le16(x) ((((x) >> 8) & 0xffu) | (((x) & 0xffu) << 8)) ++#define cpu_to_le32(x) \ ++ ((((x) & 0xff000000u) >> 24) | (((x) & 0x00ff0000u) >> 8) | \ ++ (((x) & 0x0000ff00u) << 8) | (((x) & 0x000000ffu) << 24)) ++#endif ++ + #define le32_to_cpu(x) le32toh(x) + #define le16_to_cpu(x) le16toh(x) + +- + /******************** Messages and Errors ***********************************/ + + static const char argv0[] = "ffs-test"; diff --git a/queue-3.18/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch b/queue-3.18/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch new file mode 100644 index 00000000000..a4199be2707 --- /dev/null +++ b/queue-3.18/usb-gadget-f_uac2-fix-endianness-of-struct-cntrl_-_lay3.patch 
@@ -0,0 +1,96 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Eugeniu Rosca +Date: Mon, 2 Jul 2018 23:46:47 +0200 +Subject: usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3' + +From: Eugeniu Rosca + +[ Upstream commit eec24f2a0d4dc3b1d95a3ccd2feb523ede3ba775 ] + +The list [1] of commits doing endianness fixes in USB subsystem is long +due to below quote from USB spec Revision 2.0 from April 27, 2000: + +------------ +8.1 Byte/Bit Ordering + +Multiple byte fields in standard descriptors, requests, and responses +are interpreted as and moved over the bus in little-endian order, i.e. +LSB to MSB. +------------ + +This commit belongs to the same family. + +[1] Example of endianness fixes in USB subsystem: +commit 14e1d56cbea6 ("usb: gadget: f_uac2: endianness fixes.") +commit 42370b821168 ("usb: gadget: f_uac1: endianness fixes.") +commit 63afd5cc7877 ("USB: chaoskey: fix Alea quirk on big-endian hosts") +commit 74098c4ac782 ("usb: gadget: acm: fix endianness in notifications") +commit cdd7928df0d2 ("ACM gadget: fix endianness in notifications") +commit 323ece54e076 ("cdc-wdm: fix endianness bug in debug statements") +commit e102609f1072 ("usb: gadget: uvc: Fix endianness mismatches") + list goes on + +Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver") +Signed-off-by: Eugeniu Rosca +Reviewed-by: Ruslan Bilovol +Signed-off-by: Felipe Balbi + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_uac2.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -941,14 +941,14 @@ static struct usb_descriptor_header *hs_ + }; + + struct cntrl_cur_lay3 { +- __u32 dCUR; ++ __le32 dCUR; + }; + + struct cntrl_range_lay3 { +- __u16 wNumSubRanges; +- __u32 dMIN; +- __u32 dMAX; +- __u32 dRES; ++ __le16 wNumSubRanges; ++ __le32 dMIN; ++ __le32 dMAX; ++ __le32 dRES; + } __packed; + + static 
inline void +@@ -1274,9 +1274,9 @@ in_rq_cur(struct usb_function *fn, const + struct cntrl_cur_lay3 c; + + if (entity_id == USB_IN_CLK_ID) +- c.dCUR = p_srate; ++ c.dCUR = cpu_to_le32(p_srate); + else if (entity_id == USB_OUT_CLK_ID) +- c.dCUR = c_srate; ++ c.dCUR = cpu_to_le32(c_srate); + + value = min_t(unsigned, w_length, sizeof c); + memcpy(req->buf, &c, value); +@@ -1314,15 +1314,15 @@ in_rq_range(struct usb_function *fn, con + + if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) { + if (entity_id == USB_IN_CLK_ID) +- r.dMIN = p_srate; ++ r.dMIN = cpu_to_le32(p_srate); + else if (entity_id == USB_OUT_CLK_ID) +- r.dMIN = c_srate; ++ r.dMIN = cpu_to_le32(c_srate); + else + return -EOPNOTSUPP; + + r.dMAX = r.dMIN; + r.dRES = 0; +- r.wNumSubRanges = 1; ++ r.wNumSubRanges = cpu_to_le16(1); + + value = min_t(unsigned, w_length, sizeof r); + memcpy(req->buf, &r, value); diff --git a/queue-3.18/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch b/queue-3.18/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch new file mode 100644 index 00000000000..549a0f3edae --- /dev/null +++ b/queue-3.18/usb-gadget-r8a66597-fix-a-possible-sleep-in-atomic-context-bugs-in-r8a66597_queue.patch 
@@ -0,0 +1,46 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Jia-Ju Bai +Date: Wed, 20 Jun 2018 11:55:08 +0800 +Subject: usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue() + +From: Jia-Ju Bai + +[ Upstream commit f36b507c14c4b6e634463a610294e9cb0065c8ea ] + +The driver may sleep in an interrupt handler. +The function call path (from bottom to top) in Linux-4.16.7 is: + +[FUNC] r8a66597_queue(GFP_KERNEL) +drivers/usb/gadget/udc/r8a66597-udc.c, 1193: + r8a66597_queue in get_status +drivers/usb/gadget/udc/r8a66597-udc.c, 1301: + get_status in setup_packet +drivers/usb/gadget/udc/r8a66597-udc.c, 1381: + setup_packet in irq_control_stage +drivers/usb/gadget/udc/r8a66597-udc.c, 1508: + irq_control_stage in r8a66597_irq (interrupt handler) + +To fix this bug, GFP_KERNEL is replaced with GFP_ATOMIC. + +This bug is found by my static analysis tool (DSAC-2) and checked by +my code review. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/r8a66597-udc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/r8a66597-udc.c ++++ b/drivers/usb/gadget/udc/r8a66597-udc.c +@@ -1193,7 +1193,7 @@ __acquires(r8a66597->lock) + r8a66597->ep0_req->length = 2; + /* AV: what happens if we get called again before that gets through? */ + spin_unlock(&r8a66597->lock); +- r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_KERNEL); ++ r8a66597_queue(r8a66597->gadget.ep0, r8a66597->ep0_req, GFP_ATOMIC); + spin_lock(&r8a66597->lock); + } + diff --git a/queue-3.18/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch b/queue-3.18/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch new file mode 100644 index 00000000000..a9b9bf8ebdc --- /dev/null 
+++ b/queue-3.18/usb-gadget-r8a66597-fix-two-possible-sleep-in-atomic-context-bugs-in-init_controller.patch @@ -0,0 +1,57 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Jia-Ju Bai +Date: Wed, 20 Jun 2018 11:54:53 +0800 +Subject: usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller() + +From: Jia-Ju Bai + +[ Upstream commit 0602088b10a7c0b4e044a810678ef93d7cc5bf48 ] + +The driver may sleep with holding a spinlock. +The function call paths (from bottom to top) in Linux-4.16.7 are: + +[FUNC] msleep +drivers/usb/gadget/udc/r8a66597-udc.c, 839: + msleep in init_controller +drivers/usb/gadget/udc/r8a66597-udc.c, 96: + init_controller in r8a66597_usb_disconnect +drivers/usb/gadget/udc/r8a66597-udc.c, 93: + spin_lock in r8a66597_usb_disconnect + +[FUNC] msleep +drivers/usb/gadget/udc/r8a66597-udc.c, 835: + msleep in init_controller +drivers/usb/gadget/udc/r8a66597-udc.c, 96: + init_controller in r8a66597_usb_disconnect +drivers/usb/gadget/udc/r8a66597-udc.c, 93: + spin_lock in r8a66597_usb_disconnect + +To fix these bugs, msleep() is replaced with mdelay(). + +This bug is found by my static analysis tool (DSAC-2) and checked by +my code review. + +Signed-off-by: Jia-Ju Bai +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/r8a66597-udc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/udc/r8a66597-udc.c ++++ b/drivers/usb/gadget/udc/r8a66597-udc.c +@@ -835,11 +835,11 @@ static void init_controller(struct r8a66 + + r8a66597_bset(r8a66597, XCKE, SYSCFG0); + +- msleep(3); ++ mdelay(3); + + r8a66597_bset(r8a66597, PLLC, SYSCFG0); + +- msleep(1); ++ mdelay(1); + + r8a66597_bset(r8a66597, SCKE, SYSCFG0); + diff --git a/queue-3.18/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch b/queue-3.18/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch new file mode 100644 index 00000000000..bc54a39e2f5 --- /dev/null 
+++ b/queue-3.18/usb-phy-fix-ppc64-build-errors-in-phy-fsl-usb.c.patch 
@@ -0,0 +1,71 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Randy Dunlap +Date: Sun, 15 Jul 2018 10:37:37 -0700 +Subject: usb/phy: fix PPC64 build errors in phy-fsl-usb.c + +From: Randy Dunlap + +[ Upstream commit a39ba90a1cc7010edb0a7132e1b67f3d80b994e9 ] + +Fix build errors when built for PPC64: +These variables are only used on PPC32 so they don't need to be +initialized for PPC64. + +../drivers/usb/phy/phy-fsl-usb.c: In function 'usb_otg_start': +../drivers/usb/phy/phy-fsl-usb.c:865:3: error: '_fsl_readl' undeclared (first use in this function); did you mean 'fsl_readl'? + _fsl_readl = _fsl_readl_be; +../drivers/usb/phy/phy-fsl-usb.c:865:16: error: '_fsl_readl_be' undeclared (first use in this function); did you mean 'fsl_readl'? + _fsl_readl = _fsl_readl_be; +../drivers/usb/phy/phy-fsl-usb.c:866:3: error: '_fsl_writel' undeclared (first use in this function); did you mean 'fsl_writel'? + _fsl_writel = _fsl_writel_be; +../drivers/usb/phy/phy-fsl-usb.c:866:17: error: '_fsl_writel_be' undeclared (first use in this function); did you mean 'fsl_writel'? + _fsl_writel = _fsl_writel_be; +../drivers/usb/phy/phy-fsl-usb.c:868:16: error: '_fsl_readl_le' undeclared (first use in this function); did you mean 'fsl_readl'? + _fsl_readl = _fsl_readl_le; +../drivers/usb/phy/phy-fsl-usb.c:869:17: error: '_fsl_writel_le' undeclared (first use in this function); did you mean 'fsl_writel'? 
+ _fsl_writel = _fsl_writel_le; + +and the sysfs "show" function return type should be ssize_t, not int: + +../drivers/usb/phy/phy-fsl-usb.c:1042:49: error: initialization of 'ssize_t (*)(struct device *, struct device_attribute *, char *)' {aka 'long int (*)(struct device *, struct device_attribute *, char *)'} from incompatible pointer type 'int (*)(struct device *, struct device_attribute *, char *)' [-Werror=incompatible-pointer-types] + static DEVICE_ATTR(fsl_usb2_otg_state, S_IRUGO, show_fsl_usb2_otg_state, NULL); + +Signed-off-by: Randy Dunlap +Cc: Felipe Balbi +Cc: linux-usb@vger.kernel.org +Cc: Michael Ellerman +Cc: linuxppc-dev@lists.ozlabs.org +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/phy/phy-fsl-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/phy/phy-fsl-usb.c ++++ b/drivers/usb/phy/phy-fsl-usb.c +@@ -913,6 +913,7 @@ int usb_otg_start(struct platform_device + if (pdata->init && pdata->init(pdev) != 0) + return -EINVAL; + ++#ifdef CONFIG_PPC32 + if (pdata->big_endian_mmio) { + _fsl_readl = _fsl_readl_be; + _fsl_writel = _fsl_writel_be; +@@ -920,6 +921,7 @@ int usb_otg_start(struct platform_device + _fsl_readl = _fsl_readl_le; + _fsl_writel = _fsl_writel_le; + } ++#endif + + /* request irq */ + p_otg->irq = platform_get_irq(pdev, 0); +@@ -1010,7 +1012,7 @@ int usb_otg_start(struct platform_device + /* + * state file in sysfs + */ +-static int show_fsl_usb2_otg_state(struct device *dev, ++static ssize_t show_fsl_usb2_otg_state(struct device *dev, + struct device_attribute *attr, char *buf) + { + struct otg_fsm *fsm = &fsl_otg_dev->fsm; diff --git a/queue-3.18/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch b/queue-3.18/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch new file mode 100644 index 00000000000..22718f745c9 --- /dev/null 
+++ b/queue-3.18/xfrm-fix-missing-dst_release-after-policy-blocking-lbcast-and-multicast.patch 
@@ -0,0 +1,67 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Tommi Rantala +Date: Thu, 21 Jun 2018 09:30:47 +0300 +Subject: xfrm: fix missing dst_release() after policy blocking lbcast and multicast + +From: Tommi Rantala + +[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ] + +Fix missing dst_release() when local broadcast or multicast traffic is +xfrm policy blocked. + +For IPv4 this results to dst leak: ip_route_output_flow() allocates +dst_entry via __ip_route_output_key() and passes it to +xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is +propagated. The dst that was allocated is never released. + +IPv4 local broadcast testcase: + ping -b 192.168.1.255 & + sleep 1 + ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block + +IPv4 multicast testcase: + ping 224.0.0.1 & + sleep 1 + ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block + +For IPv6 the missing dst_release() causes trouble e.g. when used in netns: + ip netns add TEST + ip netns exec TEST ip link set lo up + ip link add dummy0 type dummy + ip link set dev dummy0 netns TEST + ip netns exec TEST ip addr add fd00::1111 dev dummy0 + ip netns exec TEST ip link set dummy0 up + ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 & + sleep 1 + ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block + wait + ip netns del TEST + +After netns deletion we see: +[ 258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2 +[ 268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2 +[ 278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2 +[ 288.375259] unregister_netdevice: waiting for lo to become free. 
Usage count = 2 + +Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()") +Signed-off-by: Tommi Rantala +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_policy.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -2291,6 +2291,9 @@ struct dst_entry *xfrm_lookup_route(stru + if (IS_ERR(dst) && PTR_ERR(dst) == -EREMOTE) + return make_blackhole(net, dst_orig->ops->family, dst_orig); + ++ if (IS_ERR(dst)) ++ dst_release(dst_orig); ++ + return dst; + } + EXPORT_SYMBOL(xfrm_lookup_route); diff --git a/queue-3.18/xfrm-free-skb-if-nlsk-pointer-is-null.patch b/queue-3.18/xfrm-free-skb-if-nlsk-pointer-is-null.patch new file mode 100644 index 00000000000..9cf78f4315c --- /dev/null +++ b/queue-3.18/xfrm-free-skb-if-nlsk-pointer-is-null.patch 
@@ -0,0 +1,40 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Florian Westphal +Date: Mon, 25 Jun 2018 14:00:07 +0200 +Subject: xfrm: free skb if nlsk pointer is NULL + +From: Florian Westphal + +[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ] + +nlmsg_multicast() always frees the skb, so in case we cannot call +it we must do that ourselves. + +Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification") +Signed-off-by: Florian Westphal +Signed-off-by: Steffen Klassert +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/xfrm/xfrm_user.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/net/xfrm/xfrm_user.c ++++ b/net/xfrm/xfrm_user.c +@@ -955,10 +955,12 @@ static inline int xfrm_nlmsg_multicast(s + { + struct sock *nlsk = rcu_dereference(net->xfrm.nlsk); + +- if (nlsk) +- return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); +- else +- return -1; ++ if (!nlsk) { ++ kfree_skb(skb); ++ return -EPIPE; ++ } ++ ++ return nlmsg_multicast(nlsk, skb, pid, group, GFP_ATOMIC); + } + + static inline size_t xfrm_spdinfo_msgsize(void) diff --git a/queue-3.18/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch b/queue-3.18/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch new file mode 100644 index 00000000000..4368d3640c4 --- /dev/null +++ b/queue-3.18/zswap-re-check-zswap_is_full-after-do-zswap_shrink.patch 
@@ -0,0 +1,65 @@ +From foo@baz Tue Aug 28 16:08:28 CEST 2018 +From: Li Wang +Date: Thu, 26 Jul 2018 16:37:42 -0700 +Subject: zswap: re-check zswap_is_full() after do zswap_shrink() + +From: Li Wang + +[ Upstream commit 16e536ef47f567289a5699abee9ff7bb304bc12d ] + +/sys/../zswap/stored_pages keeps rising in a zswap test with +"zswap.max_pool_percent=0" parameter. But it should not compress or +store pages any more since there is no space in the compressed pool. + +Reproduce steps: + 1. Boot kernel with "zswap.enabled=1" + 2. Set the max_pool_percent to 0 + # echo 0 > /sys/module/zswap/parameters/max_pool_percent + 3. Do memory stress test to see if some pages have been compressed + # stress --vm 1 --vm-bytes $mem_available"M" --timeout 60s + 4. Watching the 'stored_pages' number increasing or not + +The root cause is: + + When zswap_max_pool_percent is set to 0 via kernel parameter, + zswap_is_full() will always return true due to zswap_shrink(). But if + the shinking is able to reclain a page successfully the code then + proceeds to compressing/storing another page, so the value of + stored_pages will keep changing. + +To solve the issue, this patch adds a zswap_is_full() check again after + zswap_shrink() to make sure it's now under the max_pool_percent, and to + not compress/store if we reached the limit. 
+ +Link: http://lkml.kernel.org/r/20180530103936.17812-1-liwang@redhat.com +Signed-off-by: Li Wang +Acked-by: Dan Streetman +Cc: Seth Jennings +Cc: Huang Ying +Cc: Yu Zhao +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/zswap.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/mm/zswap.c ++++ b/mm/zswap.c +@@ -662,6 +662,15 @@ static int zswap_frontswap_store(unsigne + ret = -ENOMEM; + goto reject; + } ++ ++ /* A second zswap_is_full() check after ++ * zswap_shrink() to make sure it's now ++ * under the max_pool_percent ++ */ ++ if (zswap_is_full()) { ++ ret = -ENOMEM; ++ goto reject; ++ } + } + + /* allocate entry */
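Review bot: in the tools-usb-ffs-test patch, the big-endian fallbacks for cpu_to_le16() and cpu_to_le32() expand (x) two and four times, so an argument with side effects would be evaluated repeatedly. If these macros are only meant for constant initializers, say so in the comment above them. The le32_to_cpu()/le16_to_cpu() wrappers just below still go through le32toh()/le16toh(), so a word on why the two directions are implemented differently would help the next reader.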
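Review bot: in the f_uac2 patch, hunk @@ -1274 (in_rq_cur), c.dCUR is assigned only when entity_id is USB_IN_CLK_ID or USB_OUT_CLK_ID, yet c is copied into req->buf unconditionally, so any other entity_id copies an uninitialized stack value into the response buffer. The cpu_to_le32() conversions themselves look right. While these lines are being touched, add the same `else return -EOPNOTSUPP;` that in_rq_range has in hunk @@ -1314, or zero c before the if.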
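Review bot: in the r8a66597_queue() patch, hunk @@ -1193, the return value of r8a66597_queue() is still discarded at the changed line. If the callee allocates with the flags it is given, GFP_ATOMIC can fail where GFP_KERNEL would have waited, so either check the result or state in a comment why a failed status reply is acceptable here. The changelog could also mention that the lock is dropped around the call, so the atomic context comes from the interrupt handler in the listed call path and not from the spinlock.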
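Review bot: in the init_controller() patch, hunk @@ -835, mdelay(3) and mdelay(1) busy-wait for 4 ms in total, and per the call paths in the commit message this happens with the spinlock taken in r8a66597_usb_disconnect held. That removes the sleep-in-atomic bug, but every caller of init_controller() now spins, including any that could have slept. Add a comment at the delays saying they must not sleep because of the disconnect path, so a later cleanup does not convert them back to msleep().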
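Review bot: in the phy-fsl-usb patch, hunk @@ -913, the new `#ifdef CONFIG_PPC32` compiles out the whole big_endian_mmio branch, so on other builds pdata->big_endian_mmio is silently ignored. The commit message explains that these accessors are only used on PPC32; put that in a one-line comment next to the #ifdef. The ssize_t return-type fix in hunk @@ -1010 is an unrelated change and would be easier to track as a separate patch.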
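Review bot: in the xfrm dst_release() patch, hunk @@ -2291, the new `if (IS_ERR(dst))` check releases dst_orig on every error return, which is only correct if the lookup above has not already dropped that reference on its own error paths. For this 3.18 backport, confirm that the commit named in Fixes: (ac37e2515c1a) is present in the tree, and add a short comment at the check saying that the caller's reference to dst_orig is dropped here.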
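Review bot: in the xfrm_nlmsg_multicast() patch, hunk @@ -955, the error return changes from -1 to -EPIPE, but the commit message only talks about freeing the skb. Mention the new return value in the changelog and check that no caller tests specifically for -1.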
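Review bot: in the zswap patch, hunk @@ -662, the added block comment starts its text on the opening `/*` line, while kernel style outside net/ puts `/*` on a line of its own. The new block also repeats the `ret = -ENOMEM; goto reject;` pair from the zswap_shrink() failure check directly above it; consider folding both conditions into one test so the two rejections cannot drift apart.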