From: Greg Kroah-Hartman
Date: Sat, 29 Sep 2018 12:06:37 +0000 (-0700)
Subject: 4.9-stable patches
X-Git-Tag: v4.18.12~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e3829b400312ec65df2d3279495ed091b18d3be7;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
    6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch
    alarmtimer-prevent-overflow-for-relative-nanosleep.patch
    alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch
    alsa-snd-aoa-add-of_node_put-in-error-path.patch
    arm-dts-dra7-fix-dcan-node-addresses.patch
    arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch
    arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch
    asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch
    ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch
    audit-fix-extended-comparison-of-gid-egid.patch
    bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch
    crypto-skcipher-fix-wstringop-truncation-warnings.patch
    drivers-tty-add-error-handling-for-pcmcia_loop_config.patch
    drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch
    edac-fix-memleak-in-module-init-error-path.patch
    edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch
    gpio-fix-wrong-rounding-in-gpio-menz127.patch
    hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch
    ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch
    iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch
    md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch
    media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch
    media-fsl-viu-fix-error-handling-in-viu_of_probe.patch
    media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch
    media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch
    media-soc_camera-ov772x-correct-setting-of-banding-filter.patch
    media-tm6000-add-error-handling-for-dvb_register_adapter.patch
    module-exclude-shn_undef-symbols-from-kallsyms-api.patch
    net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch
    net-phy-xgmiitorgmii-check-read_status-results.patch
    nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
    perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch
    power-remove-possible-deadlock-when-unregistering-power_supply.patch
    power-vexpress-fix-corruption-in-notifier-registration.patch
    powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch
    powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch
    rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch
    s390-extmem-fix-gcc-8-stringop-overflow-warning.patch
    s390-mm-correct-allocate_pgste-proc_handler-callback.patch
    scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch
    scsi-ibmvscsi-improve-strings-handling.patch
    scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch
    scsi-megaraid_sas-update-controller-info-during-resume.patch
    scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch
    staging-android-ashmem-fix-mmap-size-validation.patch
    staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch
    tsl2550-fix-lux1_input-error-in-low-light.patch
    usb-serial-kobil_sct-fix-modem-status-error-handling.patch
    usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch
    uwb-hwa-rc-fix-memory-leak-at-probe.patch
    vmci-type-promotion-bug-in-qp_host_get_user_memory.patch
    wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch
    x86-entry-64-add-two-more-instruction-suffixes.patch
    x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch
    x86-tsc-add-missing-header-to-tsc_msr.c.patch
---

diff --git a/queue-4.9/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch b/queue-4.9/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch new file mode 100644 index 00000000000..84105a52d56 --- /dev/null
+++ b/queue-4.9/6lowpan-iphc-reset-mac_header-after-decompress-to-fix-panic.patch @@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Michael Scott +Date: Tue, 19 Jun 2018 16:44:06 -0700 +Subject: 6lowpan: iphc: reset mac_header after decompress to fix panic + +From: Michael Scott + +[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ] + +After decompression of 6lowpan socket data, an IPv6 header is inserted +before the existing socket payload. After this, we reset the +network_header value of the skb to account for the difference in payload +size from prior to decompression + the addition of the IPv6 header. + +However, we fail to reset the mac_header value. + +Leaving the mac_header value untouched here, can cause a calculation +error in net/packet/af_packet.c packet_rcv() function when an +AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan +interface. + +On line 2088, the data pointer is moved backward by the value returned +from skb_mac_header(). If skb->data is adjusted so that it is before +the skb->head pointer (which can happen when an old value of mac_header +is left in place) the kernel generates a panic in net/core/skbuff.c +line 1717. + +This panic can be generated by BLE 6lowpan interfaces (such as bt0) and +802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan +sources for compression and decompression. + +Signed-off-by: Michael Scott +Acked-by: Alexander Aring +Acked-by: Jukka Rissanen +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/6lowpan/iphc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/6lowpan/iphc.c ++++ b/net/6lowpan/iphc.c +@@ -745,6 +745,7 @@ int lowpan_header_decompress(struct sk_b + hdr.hop_limit, &hdr.daddr); + + skb_push(skb, sizeof(hdr)); ++ skb_reset_mac_header(skb); + skb_reset_network_header(skb); + skb_copy_to_linear_data(skb, &hdr, sizeof(hdr)); + 
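Review bot: the commit message for net/6lowpan/iphc.c locates the failure by bare line numbers ("On line 2088" in net/packet/af_packet.c, "line 1717" in net/core/skbuff.c), and nothing in this 4.9 queue entry ties those numbers to a tree; naming the statement in packet_rcv() that moves the data pointer back by skb_mac_header() would survive the backport. The message also has no Fixes: tag, so the range of affected kernels cannot be read off the patch. In the hunk, skb_reset_mac_header(skb) sits directly after skb_push(skb, sizeof(hdr)) and before skb_reset_network_header(skb), so mac_header and network_header end up at the same offset; a one-line comment saying that this is intended would help the next reader of lowpan_header_decompress().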
diff --git a/queue-4.9/alarmtimer-prevent-overflow-for-relative-nanosleep.patch b/queue-4.9/alarmtimer-prevent-overflow-for-relative-nanosleep.patch new file mode 100644 index 00000000000..5332374ef60 --- /dev/null +++ b/queue-4.9/alarmtimer-prevent-overflow-for-relative-nanosleep.patch 
@@ -0,0 +1,51 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Thomas Gleixner +Date: Mon, 2 Jul 2018 09:34:29 +0200 +Subject: alarmtimer: Prevent overflow for relative nanosleep + +From: Thomas Gleixner + +[ Upstream commit 5f936e19cc0ef97dbe3a56e9498922ad5ba1edef ] + +Air Icy reported: + + UBSAN: Undefined behaviour in kernel/time/alarmtimer.c:811:7 + signed integer overflow: + 1529859276030040771 + 9223372036854775807 cannot be represented in type 'long long int' + Call Trace: + alarm_timer_nsleep+0x44c/0x510 kernel/time/alarmtimer.c:811 + __do_sys_clock_nanosleep kernel/time/posix-timers.c:1235 [inline] + __se_sys_clock_nanosleep kernel/time/posix-timers.c:1213 [inline] + __x64_sys_clock_nanosleep+0x326/0x4e0 kernel/time/posix-timers.c:1213 + do_syscall_64+0xb8/0x3a0 arch/x86/entry/common.c:290 + +alarm_timer_nsleep() uses ktime_add() to add the current time and the +relative expiry value. ktime_add() has no sanity checks so the addition +can overflow when the relative timeout is large enough. + +Use ktime_add_safe() which has the necessary sanity checks in place and +limits the result to the valid range. + +Fixes: 9a7adcf5c6de ("timers: Posix interface for alarm-timers") +Reported-by: Team OWL337 +Signed-off-by: Thomas Gleixner +Cc: John Stultz +Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1807020926360.1595@nanos.tec.linutronix.de +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/alarmtimer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/time/alarmtimer.c ++++ b/kernel/time/alarmtimer.c +@@ -786,7 +786,8 @@ static int alarm_timer_nsleep(const cloc + /* Convert (if necessary) to absolute time */ + if (flags != TIMER_ABSTIME) { + ktime_t now = alarm_bases[type].gettime(); +- exp = ktime_add(now, exp); ++ ++ exp = ktime_add_safe(now, exp); + } + + if (alarmtimer_do_nsleep(&alarm, exp)) 
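Review bot: in the `flags != TIMER_ABSTIME` branch of alarm_timer_nsleep(), `exp = ktime_add_safe(now, exp);` now limits an overflowing relative timeout to the valid range (per the commit message) instead of wrapping, and nothing at the call site says so. Extend the existing comment `/* Convert (if necessary) to absolute time */` to state that an oversized relative value is clamped rather than rejected, so a reader of this path does not expect an error return for it. The blank line added after the `ktime_t now` declaration is fine as declaration/statement separation.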
diff --git a/queue-4.9/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch b/queue-4.9/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch new file mode 100644 index 00000000000..6d1429b99fb --- /dev/null +++ b/queue-4.9/alsa-hda-add-azx_dcaps_pm_runtime-for-amd-raven-ridge.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Kai-Heng Feng +Date: Thu, 28 Jun 2018 15:28:24 +0800 +Subject: ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge + +From: Kai-Heng Feng + +[ Upstream commit 1adca4b0cd65c14cb8b8c9c257720385869c3d5f ] + +This patch can make audio controller in AMD Raven Ridge gets runtime +suspended to D3, to save ~1W power when it's not in use. + +Cc: Vijendar Mukunda +Signed-off-by: Kai-Heng Feng +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/hda_intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2349,7 +2349,8 @@ static const struct pci_device_id azx_id + .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, + /* AMD Raven */ + { PCI_DEVICE(0x1022, 0x15e3), +- .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB }, ++ .driver_data = AZX_DRIVER_GENERIC | AZX_DCAPS_PRESET_ATI_SB | ++ AZX_DCAPS_PM_RUNTIME }, + /* ATI HDMI */ + { PCI_DEVICE(0x1002, 0x0002), + .driver_data = AZX_DRIVER_ATIHDMI_NS | AZX_DCAPS_PRESET_ATI_HDMI_NS }, diff --git a/queue-4.9/alsa-snd-aoa-add-of_node_put-in-error-path.patch b/queue-4.9/alsa-snd-aoa-add-of_node_put-in-error-path.patch new file mode 100644 index 00000000000..4afa73a21bb --- /dev/null +++ b/queue-4.9/alsa-snd-aoa-add-of_node_put-in-error-path.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Nicholas Mc Guire +Date: Fri, 29 Jun 2018 19:07:42 +0200 +Subject: ALSA: snd-aoa: add of_node_put() in error path + +From: Nicholas Mc Guire + +[ Upstream commit 222bce5eb88d1af656419db04bcd84b2419fb900 ] + + Both calls to of_find_node_by_name() and of_get_next_child() return a +node pointer with refcount incremented thus it must be explicidly +decremented here after the last usage. As we are assured to have a +refcounted np either from the initial +of_find_node_by_name(NULL, name); or from the of_get_next_child(gpio, np) +in the while loop if we reached the error code path below, an +x of_node_put(np) is needed. + +Signed-off-by: Nicholas Mc Guire +Fixes: commit f3d9478b2ce4 ("[ALSA] snd-aoa: add snd-aoa") +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/aoa/core/gpio-feature.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/aoa/core/gpio-feature.c ++++ b/sound/aoa/core/gpio-feature.c +@@ -88,8 +88,10 @@ static struct device_node *get_gpio(char + } + + reg = of_get_property(np, "reg", NULL); +- if (!reg) ++ if (!reg) { ++ of_node_put(np); + return NULL; ++ } + + *gpioptr = *reg; + diff --git a/queue-4.9/arm-dts-dra7-fix-dcan-node-addresses.patch b/queue-4.9/arm-dts-dra7-fix-dcan-node-addresses.patch new file mode 100644 index 00000000000..6e1672af3cc --- /dev/null +++ b/queue-4.9/arm-dts-dra7-fix-dcan-node-addresses.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Kevin Hilman +Date: Mon, 21 May 2018 13:08:32 -0700 +Subject: ARM: dts: dra7: fix DCAN node addresses + +From: Kevin Hilman + +[ Upstream commit 949bdcc8a97c6078f21c8d4966436b117f2e4cd3 ] + +Fix the DT node addresses to match the reg property addresses, +which were verified to match the TRM: +http://www.ti.com/lit/pdf/sprui30 + +Cc: Roger Quadros +Signed-off-by: Kevin Hilman +Acked-by: Roger Quadros +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/dra7.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/dra7.dtsi ++++ b/arch/arm/boot/dts/dra7.dtsi +@@ -1770,7 +1770,7 @@ + }; + }; + +- dcan1: can@481cc000 { ++ dcan1: can@4ae3c000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan1"; + reg = <0x4ae3c000 0x2000>; +@@ -1780,7 +1780,7 @@ + status = "disabled"; + }; + +- dcan2: can@481d0000 { ++ dcan2: can@48480000 { + compatible = "ti,dra7-d_can"; + ti,hwmods = "dcan2"; + reg = <0x48480000 0x2000>; diff --git a/queue-4.9/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch b/queue-4.9/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch new file mode 100644 index 00000000000..548972106b1 --- /dev/null +++ b/queue-4.9/arm-hwmod-rtc-don-t-assume-lock-unlock-will-be-called-with-irq-enabled.patch 
@@ -0,0 +1,62 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Dave Gerlach +Date: Thu, 21 Jun 2018 14:43:08 +0530 +Subject: ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled + +From: Dave Gerlach + +[ Upstream commit 6d609b35c815ba20132b7b64bcca04516bb17c56 ] + +When the RTC lock and unlock functions were introduced it was likely +assumed that they would always be called from irq enabled context, hence +the use of local_irq_disable/enable. This is no longer true as the +RTC+DDR path makes a late call during the suspend path after irqs +have been disabled to enable the RTC hwmod which calls both unlock and +lock, leading to IRQs being reenabled through the local_irq_enable call +in omap_hwmod_rtc_lock call. + +To avoid this change the local_irq_disable/enable to +local_irq_save/restore to ensure that from whatever context this is +called the proper IRQ configuration is maintained. + +Signed-off-by: Dave Gerlach +Signed-off-by: Keerthy +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/omap_hwmod_reset.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/arm/mach-omap2/omap_hwmod_reset.c ++++ b/arch/arm/mach-omap2/omap_hwmod_reset.c +@@ -92,11 +92,13 @@ static void omap_rtc_wait_not_busy(struc + */ + void omap_hwmod_rtc_unlock(struct omap_hwmod *oh) + { +- local_irq_disable(); ++ unsigned long flags; ++ ++ local_irq_save(flags); + omap_rtc_wait_not_busy(oh); + omap_hwmod_write(OMAP_RTC_KICK0_VALUE, oh, OMAP_RTC_KICK0_REG); + omap_hwmod_write(OMAP_RTC_KICK1_VALUE, oh, OMAP_RTC_KICK1_REG); +- local_irq_enable(); ++ local_irq_restore(flags); + } + + /** +@@ -110,9 +112,11 @@ void omap_hwmod_rtc_unlock(struct omap_h + */ + void omap_hwmod_rtc_lock(struct omap_hwmod *oh) + { +- local_irq_disable(); ++ unsigned long flags; ++ ++ local_irq_save(flags); + omap_rtc_wait_not_busy(oh); + omap_hwmod_write(0x0, oh, OMAP_RTC_KICK0_REG); + 
omap_hwmod_write(0x0, oh, OMAP_RTC_KICK1_REG); +- local_irq_enable(); ++ local_irq_restore(flags); + } diff --git a/queue-4.9/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch b/queue-4.9/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch new file mode 100644 index 00000000000..25508cdc253 --- /dev/null +++ b/queue-4.9/arm-mvebu-declare-asm-symbols-as-character-arrays-in-pmsu.c.patch 
@@ -0,0 +1,62 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Ethan Tuttle +Date: Tue, 19 Jun 2018 21:31:08 -0700 +Subject: ARM: mvebu: declare asm symbols as character arrays in pmsu.c + +From: Ethan Tuttle + +[ Upstream commit d0d378ff451a66e486488eec842e507d28145813 ] + +With CONFIG_FORTIFY_SOURCE, memcpy uses the declared size of operands to +detect buffer overflows. If src or dest is declared as a char, attempts to +copy more than byte will result in a fortify_panic(). + +Address this problem in mvebu_setup_boot_addr_wa() by declaring +mvebu_boot_wa_start and mvebu_boot_wa_end as character arrays. Also remove +a couple addressof operators to avoid "arithmetic on pointer to an +incomplete type" compiler error. + +See commit 54a7d50b9205 ("x86: mark kprobe templates as character arrays, +not single characters") for a similar fix. + +Fixes "detected buffer overflow in memcpy" error during init on some mvebu +systems (armada-370-xp, armada-375): + +(fortify_panic) from (mvebu_setup_boot_addr_wa+0xb0/0xb4) +(mvebu_setup_boot_addr_wa) from (mvebu_v7_cpu_pm_init+0x154/0x204) +(mvebu_v7_cpu_pm_init) from (do_one_initcall+0x7c/0x1a8) +(do_one_initcall) from (kernel_init_freeable+0x1bc/0x254) +(kernel_init_freeable) from (kernel_init+0x8/0x114) +(kernel_init) from (ret_from_fork+0x14/0x2c) + +Signed-off-by: Ethan Tuttle +Tested-by: Ethan Tuttle +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-mvebu/pmsu.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-mvebu/pmsu.c ++++ b/arch/arm/mach-mvebu/pmsu.c +@@ -116,8 +116,8 @@ void mvebu_pmsu_set_cpu_boot_addr(int hw + PMSU_BOOT_ADDR_REDIRECT_OFFSET(hw_cpu)); + } + +-extern unsigned char mvebu_boot_wa_start; +-extern unsigned char mvebu_boot_wa_end; ++extern unsigned char mvebu_boot_wa_start[]; ++extern unsigned char mvebu_boot_wa_end[]; + + /* + * This function sets up the boot address workaround needed for SMP +@@ 
-130,7 +130,7 @@ int mvebu_setup_boot_addr_wa(unsigned in + phys_addr_t resume_addr_reg) + { + void __iomem *sram_virt_base; +- u32 code_len = &mvebu_boot_wa_end - &mvebu_boot_wa_start; ++ u32 code_len = mvebu_boot_wa_end - mvebu_boot_wa_start; + + mvebu_mbus_del_window(BOOTROM_BASE, BOOTROM_SIZE); + mvebu_mbus_add_window_by_id(crypto_eng_target, crypto_eng_attribute, diff --git a/queue-4.9/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch b/queue-4.9/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch new file mode 100644 index 00000000000..64da8aac8c5 --- /dev/null +++ b/queue-4.9/asoc-dapm-fix-potential-dai-widget-pointer-deref-when-linking-dais.patch @@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Liam Girdwood +Date: Thu, 14 Jun 2018 20:26:42 +0100 +Subject: ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs + +From: Liam Girdwood + +[ Upstream commit e01b4f624278d5efe5fb5da585ca371947b16680 ] + +Sometime a component or topology may configure a DAI widget with no +private data leading to a dev_dbg() dereferencne of this data. + +Fix this to check for non NULL private data and let users know if widget +is missing DAI. + +Signed-off-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/soc-dapm.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -3913,6 +3913,13 @@ int snd_soc_dapm_link_dai_widgets(struct + continue; + } + ++ /* let users know there is no DAI to link */ ++ if (!dai_w->priv) { ++ dev_dbg(card->dev, "dai widget %s has no DAI\n", ++ dai_w->name); ++ continue; ++ } ++ + dai = dai_w->priv; + + /* ...find all widgets with the same stream and link them */ 
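Review bot: the new `if (!dai_w->priv)` branch in snd_soc_dapm_link_dai_widgets() reports the condition with dev_dbg(), which is normally silent unless debugging is enabled, while the commit message gives the intent as "let users know if widget is missing DAI". If a DAI widget without private data points to a misconfigured component or topology, dev_warn() would make the skipped widget visible; if it is an expected state, say so in the comment above the check. The placement before `dai = dai_w->priv;` is right, since that is the pointer the later code uses.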
diff --git a/queue-4.9/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch b/queue-4.9/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch new file mode 100644 index 00000000000..96b090a61ec --- /dev/null +++ b/queue-4.9/ath10k-protect-ath10k_htt_rx_ring_free-with-rx_ring.lock.patch @@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Ben Greear +Date: Mon, 18 Jun 2018 17:00:56 +0300 +Subject: ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock + +From: Ben Greear + +[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ] + +While debugging driver crashes related to a buggy firmware +crashing under load, I noticed that ath10k_htt_rx_ring_free +could be called without being under lock. I'm not sure if this +is the root cause of the crash or not, but it seems prudent to +protect it. + +Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware +running on 9984 NIC. + +Signed-off-by: Ben Greear +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -214,11 +214,12 @@ int ath10k_htt_rx_ring_refill(struct ath + spin_lock_bh(&htt->rx_ring.lock); + ret = ath10k_htt_rx_ring_fill_n(htt, (htt->rx_ring.fill_level - + htt->rx_ring.fill_cnt)); +- spin_unlock_bh(&htt->rx_ring.lock); + + if (ret) + ath10k_htt_rx_ring_free(htt); + ++ spin_unlock_bh(&htt->rx_ring.lock); ++ + return ret; + } + +@@ -230,7 +231,9 @@ void ath10k_htt_rx_free(struct ath10k_ht + skb_queue_purge(&htt->rx_in_ord_compl_q); + skb_queue_purge(&htt->tx_fetch_ind_q); + ++ spin_lock_bh(&htt->rx_ring.lock); + ath10k_htt_rx_ring_free(htt); ++ spin_unlock_bh(&htt->rx_ring.lock); + + dma_free_coherent(htt->ar->dev, + (htt->rx_ring.size * 
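Review bot: after this change ath10k_htt_rx_ring_free() runs with rx_ring.lock held and bottom halves disabled in both ath10k_htt_rx_ring_refill() and ath10k_htt_rx_free(), but its body is not part of the diff, so the hunks do not show that it neither sleeps nor takes `htt->rx_ring.lock` itself. Please confirm both, and add `lockdep_assert_held(&htt->rx_ring.lock);` at the top of ath10k_htt_rx_ring_free() so the locking rule is checked rather than implied by its two callers. The commit message leaves open whether the unlocked call is the cause of the crashes; naming the concurrent path that touches the ring while it is being freed would make the fix reviewable.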
diff --git a/queue-4.9/audit-fix-extended-comparison-of-gid-egid.patch b/queue-4.9/audit-fix-extended-comparison-of-gid-egid.patch new file mode 100644 index 00000000000..1409bd48d2f --- /dev/null +++ b/queue-4.9/audit-fix-extended-comparison-of-gid-egid.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: "Ondrej Mosnáček" +Date: Tue, 5 Jun 2018 11:00:10 +0200 +Subject: audit: Fix extended comparison of GID/EGID + +From: "Ondrej Mosnáček" + +[ Upstream commit af85d1772e31fed34165a1b3decef340cf4080c0 ] + +The audit_filter_rules() function in auditsc.c used the in_[e]group_p() +functions to check GID/EGID match, but these functions use the current +task's credentials, while the comparison should use the credentials of +the task given to audit_filter_rules() as a parameter (tsk). + +Note that we can use group_search(cred->group_info, ...) as a +replacement for both in_group_p and in_egroup_p as these functions only +compare the parameter to cred->fsgid/egid and then call group_search. + +In fact, the usage of in_group_p was even more incorrect: it compares to +cred->fsgid (which is usually equal to cred->egid) and not cred->gid. + +GitHub issue: +https://github.com/linux-audit/audit-kernel/issues/82 + +Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic") +Signed-off-by: Ondrej Mosnacek +Signed-off-by: Paul Moore +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/auditsc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -488,20 +488,20 @@ static int audit_filter_rules(struct tas + result = audit_gid_comparator(cred->gid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_group_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = !in_group_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_EGID: + result = audit_gid_comparator(cred->egid, f->op, f->gid); + if (f->op == Audit_equal) { + if (!result) +- result = in_egroup_p(f->gid); ++ result = groups_search(cred->group_info, f->gid); + } else if (f->op == Audit_not_equal) { + if (result) +- result = 
!in_egroup_p(f->gid); ++ result = !groups_search(cred->group_info, f->gid); + } + break; + case AUDIT_SGID: diff --git a/queue-4.9/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch b/queue-4.9/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch new file mode 100644 index 00000000000..3ef786e9ef3 --- /dev/null +++ b/queue-4.9/bluetooth-add-a-new-realtek-8723de-id-0bda-b009.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Jian-Hong Pan +Date: Fri, 25 May 2018 17:54:52 +0800 +Subject: Bluetooth: Add a new Realtek 8723DE ID 0bda:b009 + +From: Jian-Hong Pan + +[ Upstream commit 45ae68b8cfc25bdbffc11248001c47ab1b76ff6e ] + +Without this patch we cannot turn on the Bluethooth adapter on HP +14-bs007la. + +T: Bus=01 Lev=02 Prnt=03 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=b009 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=802.11n WLAN Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Jian-Hong Pan +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ 
b/drivers/bluetooth/btusb.c +@@ -349,6 +349,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8723DE Bluetooth devices */ ++ { USB_DEVICE(0x0bda, 0xb009), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x2ff8, 0xb011), .driver_info = BTUSB_REALTEK }, + + /* Additional Realtek 8821AE Bluetooth devices */ diff --git a/queue-4.9/crypto-skcipher-fix-wstringop-truncation-warnings.patch b/queue-4.9/crypto-skcipher-fix-wstringop-truncation-warnings.patch new file mode 100644 index 00000000000..a6b029408c1 --- /dev/null +++ b/queue-4.9/crypto-skcipher-fix-wstringop-truncation-warnings.patch 
@@ -0,0 +1,63 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Stafford Horne +Date: Mon, 25 Jun 2018 21:45:37 +0900 +Subject: crypto: skcipher - Fix -Wstringop-truncation warnings + +From: Stafford Horne + +[ Upstream commit cefd769fd0192c84d638f66da202459ed8ad63ba ] + +As of GCC 9.0.0 the build is reporting warnings like: + + crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’: + crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation] + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + sizeof(rblkcipher.geniv)); + ~~~~~~~~~~~~~~~~~~~~~~~~~ + +This means the strnycpy might create a non null terminated string. Fix this by +explicitly performing '\0' termination. + +Cc: Greg Kroah-Hartman +Cc: Arnd Bergmann +Cc: Max Filippov +Cc: Eric Biggers +Cc: Nick Desaulniers +Signed-off-by: Stafford Horne +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + crypto/ablkcipher.c | 2 ++ + crypto/blkcipher.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/crypto/ablkcipher.c ++++ b/crypto/ablkcipher.c +@@ -367,6 +367,7 @@ static int crypto_ablkcipher_report(stru + strncpy(rblkcipher.type, "ablkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +@@ -441,6 +442,7 @@ static int crypto_givcipher_report(struc + strncpy(rblkcipher.type, "givcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_ablkcipher.min_keysize; +--- a/crypto/blkcipher.c ++++ 
b/crypto/blkcipher.c +@@ -510,6 +510,7 @@ static int crypto_blkcipher_report(struc + strncpy(rblkcipher.type, "blkcipher", sizeof(rblkcipher.type)); + strncpy(rblkcipher.geniv, alg->cra_blkcipher.geniv ?: "", + sizeof(rblkcipher.geniv)); ++ rblkcipher.geniv[sizeof(rblkcipher.geniv) - 1] = '\0'; + + rblkcipher.blocksize = alg->cra_blocksize; + rblkcipher.min_keysize = alg->cra_blkcipher.min_keysize; diff --git a/queue-4.9/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch b/queue-4.9/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch new file mode 100644 index 00000000000..311534f53b7 --- /dev/null +++ b/queue-4.9/drivers-tty-add-error-handling-for-pcmcia_loop_config.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 12:36:25 +0800 +Subject: drivers/tty: add error handling for pcmcia_loop_config + +From: Zhouyang Jia + +[ Upstream commit 85c634e919bd6ef17427f26a52920aeba12e16ee ] + +When pcmcia_loop_config fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling pcmcia_loop_config. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/serial_cs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/serial_cs.c ++++ b/drivers/tty/serial/8250/serial_cs.c +@@ -637,8 +637,10 @@ static int serial_config(struct pcmcia_d + (link->has_func_id) && + (link->socket->pcmcia_pfc == 0) && + ((link->func_id == CISTPL_FUNCID_MULTI) || +- (link->func_id == CISTPL_FUNCID_SERIAL))) +- pcmcia_loop_config(link, serial_check_for_multi, info); ++ (link->func_id == CISTPL_FUNCID_SERIAL))) { ++ if (pcmcia_loop_config(link, serial_check_for_multi, info)) ++ goto failed; ++ } + + /* + * Apply any multi-port quirk. 
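Review bot: in serial_config(), `if (pcmcia_loop_config(link, serial_check_for_multi, info)) goto failed;` discards the return value, and the `failed` label lies outside the hunk, so it is not visible which error serial_config() returns or what is cleaned up on that path. Keep the code in a local (for example `ret = pcmcia_loop_config(...)`) if the label can propagate it, and say in the commit message what the "unexpected results" were, because this turns a previously ignored failure of the multi-function check into a jump to the failure path for the whole device.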
diff --git a/queue-4.9/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch b/queue-4.9/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch new file mode 100644 index 00000000000..4f84958e751 --- /dev/null +++ b/queue-4.9/drm-sun4i-fix-releasing-node-when-enumerating-enpoints.patch @@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Jernej Skrabec +Date: Mon, 25 Jun 2018 14:02:46 +0200 +Subject: drm/sun4i: Fix releasing node when enumerating enpoints + +From: Jernej Skrabec + +[ Upstream commit 367c359aa8637b15ee8df6335c5a29b7623966ec ] + +sun4i_drv_add_endpoints() has a memory leak since it uses of_node_put() +when remote is equal to NULL and does nothing when remote has a valid +pointer. + +Invert the logic to fix memory leak. + +Signed-off-by: Jernej Skrabec +Signed-off-by: Maxime Ripard +Link: https://patchwork.freedesktop.org/patch/msgid/20180625120304.7543-7-jernej.skrabec@siol.net +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/sun4i/sun4i_drv.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/sun4i/sun4i_drv.c ++++ b/drivers/gpu/drm/sun4i/sun4i_drv.c +@@ -283,7 +283,6 @@ static int sun4i_drv_add_endpoints(struc + remote = of_graph_get_remote_port_parent(ep); + if (!remote) { + DRM_DEBUG_DRIVER("Error retrieving the output node\n"); +- of_node_put(remote); + continue; + } + +@@ -297,11 +296,13 @@ static int sun4i_drv_add_endpoints(struc + + if (of_graph_parse_endpoint(ep, &endpoint)) { + DRM_DEBUG_DRIVER("Couldn't parse endpoint\n"); ++ of_node_put(remote); + continue; + } + + if (!endpoint.id) { + DRM_DEBUG_DRIVER("Endpoint is our panel... skipping\n"); ++ of_node_put(remote); + continue; + } + } diff --git a/queue-4.9/edac-fix-memleak-in-module-init-error-path.patch b/queue-4.9/edac-fix-memleak-in-module-init-error-path.patch new file mode 100644 index 00000000000..b6382f77648 --- /dev/null +++ b/queue-4.9/edac-fix-memleak-in-module-init-error-path.patch 
@@ -0,0 +1,46 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Johan Hovold +Date: Tue, 12 Jun 2018 14:43:34 +0200 +Subject: EDAC: Fix memleak in module init error path + +From: Johan Hovold + +[ Upstream commit 4708aa85d50cc6e962dfa8acf5ad4e0d290a21db ] + +Make sure to use put_device() to free the initialised struct device so +that resources managed by driver core also gets released in the event of +a registration failure. + +Signed-off-by: Johan Hovold +Cc: Denis Kirjanov +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 2d56b109e3a5 ("EDAC: Handle error path in edac_mc_sysfs_init() properly") +Link: http://lkml.kernel.org/r/20180612124335.6420-1-johan@kernel.org +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/edac_mc_sysfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/edac/edac_mc_sysfs.c ++++ b/drivers/edac/edac_mc_sysfs.c +@@ -1059,14 +1059,14 @@ int __init edac_mc_sysfs_init(void) + + err = device_add(mci_pdev); + if (err < 0) +- goto out_dev_free; ++ goto out_put_device; + + edac_dbg(0, "device %s created\n", dev_name(mci_pdev)); + + return 0; + +- out_dev_free: +- kfree(mci_pdev); ++ out_put_device: ++ put_device(mci_pdev); + out: + return err; + } diff --git a/queue-4.9/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch b/queue-4.9/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch new file mode 100644 index 00000000000..28617309b01 --- /dev/null +++ b/queue-4.9/edac-i7core-fix-memleaks-and-use-after-free-on-probe-and-remove.patch 
@@ -0,0 +1,81 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Johan Hovold +Date: Tue, 12 Jun 2018 14:43:35 +0200 +Subject: EDAC, i7core: Fix memleaks and use-after-free on probe and remove + +From: Johan Hovold + +[ Upstream commit 6c974d4dfafe5e9ee754f2a6fba0eb1864f1649e ] + +Make sure to free and deregister the addrmatch and chancounts devices +allocated during probe in all error paths. Also fix use-after-free in a +probe error path and in the remove success path where the devices were +being put before before deregistration. + +Signed-off-by: Johan Hovold +Cc: Mauro Carvalho Chehab +Cc: linux-edac +Fixes: 356f0a30860d ("i7core_edac: change the mem allocation scheme to make Documentation/kobject.txt happy") +Link: http://lkml.kernel.org/r/20180612124335.6420-2-johan@kernel.org +Signed-off-by: Borislav Petkov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/edac/i7core_edac.c | 22 +++++++++++++++------- + 1 file changed, 15 insertions(+), 7 deletions(-) + +--- a/drivers/edac/i7core_edac.c ++++ b/drivers/edac/i7core_edac.c +@@ -1177,15 +1177,14 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->addrmatch_dev); + if (rc < 0) +- return rc; ++ goto err_put_addrmatch; + + if (!pvt->is_registered) { + pvt->chancounts_dev = kzalloc(sizeof(*pvt->chancounts_dev), + GFP_KERNEL); + if (!pvt->chancounts_dev) { +- put_device(pvt->addrmatch_dev); +- device_del(pvt->addrmatch_dev); +- return -ENOMEM; ++ rc = -ENOMEM; ++ goto err_del_addrmatch; + } + + pvt->chancounts_dev->type = &all_channel_counts_type; +@@ -1199,9 +1198,18 @@ static int i7core_create_sysfs_devices(s + + rc = device_add(pvt->chancounts_dev); + if (rc < 0) +- return rc; ++ goto err_put_chancounts; + } + return 0; ++ ++err_put_chancounts: ++ put_device(pvt->chancounts_dev); ++err_del_addrmatch: ++ device_del(pvt->addrmatch_dev); ++err_put_addrmatch: ++ put_device(pvt->addrmatch_dev); ++ ++ return rc; + } + + static void i7core_delete_sysfs_devices(struct 
mem_ctl_info *mci) +@@ -1211,11 +1219,11 @@ static void i7core_delete_sysfs_devices( + edac_dbg(1, "\n"); + + if (!pvt->is_registered) { +- put_device(pvt->chancounts_dev); + device_del(pvt->chancounts_dev); ++ put_device(pvt->chancounts_dev); + } +- put_device(pvt->addrmatch_dev); + device_del(pvt->addrmatch_dev); ++ put_device(pvt->addrmatch_dev); + } + + /**************************************************************************** diff --git a/queue-4.9/gpio-fix-wrong-rounding-in-gpio-menz127.patch b/queue-4.9/gpio-fix-wrong-rounding-in-gpio-menz127.patch new file mode 100644 index 00000000000..0a3045c82f4 --- /dev/null +++ b/queue-4.9/gpio-fix-wrong-rounding-in-gpio-menz127.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Nadav Amit +Date: Mon, 4 Jun 2018 06:58:14 -0700 +Subject: gpio: Fix wrong rounding in gpio-menz127 + +From: Nadav Amit + +[ Upstream commit 7279d9917560bbd0d82813d6bf00490a82c06783 ] + +men_z127_debounce() tries to round up and down, but uses functions which +are only suitable when the divider is a power of two, which is not the +case. Use the appropriate ones. + +Found by static check. Compile tested. + +Fixes: f436bc2726c64 ("gpio: add driver for MEN 16Z127 GPIO controller") +Signed-off-by: Nadav Amit +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpio/gpio-menz127.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpio/gpio-menz127.c ++++ b/drivers/gpio/gpio-menz127.c +@@ -56,9 +56,9 @@ static int men_z127_debounce(struct gpio + rnd = fls(debounce) - 1; + + if (rnd && (debounce & BIT(rnd - 1))) +- debounce = round_up(debounce, MEN_Z127_DB_MIN_US); ++ debounce = roundup(debounce, MEN_Z127_DB_MIN_US); + else +- debounce = round_down(debounce, MEN_Z127_DB_MIN_US); ++ debounce = rounddown(debounce, MEN_Z127_DB_MIN_US); + + if (debounce > MEN_Z127_DB_MAX_US) + debounce = MEN_Z127_DB_MAX_US; 
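Review bot: In men_z127_debounce() the choice between roundup() and rounddown() still depends on `rnd && (debounce & BIT(rnd - 1))`, which tests the bit just below the most significant bit of debounce rather than its remainder against MEN_Z127_DB_MIN_US. The commit message says the divider is not a power of two, so that bit does not tell you which multiple is nearer. Please either add a comment explaining why this bit decides the direction or switch to a remainder-based check. The change is marked compile tested only, so the results for a few values on either side of a multiple of MEN_Z127_DB_MIN_US would be worth recording in the changelog.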
diff --git a/queue-4.9/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch b/queue-4.9/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch new file mode 100644 index 00000000000..c9bc8636723 --- /dev/null +++ b/queue-4.9/hid-hid-ntrig-add-error-handling-for-sysfs_create_group.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Zhouyang Jia +Date: Thu, 14 Jun 2018 21:37:17 +0800 +Subject: HID: hid-ntrig: add error handling for sysfs_create_group + +From: Zhouyang Jia + +[ Upstream commit 44d4d51de9a3534a2b63d69efda02a10e66541e4 ] + +When sysfs_create_group fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling sysfs_create_group. + +Signed-off-by: Zhouyang Jia +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-ntrig.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -955,6 +955,8 @@ static int ntrig_probe(struct hid_device + + ret = sysfs_create_group(&hdev->dev.kobj, + &ntrig_attribute_group); ++ if (ret) ++ hid_err(hdev, "cannot create sysfs group\n"); + + return 0; + err_free: diff --git a/queue-4.9/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch b/queue-4.9/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch new file mode 100644 index 00000000000..6acec9c4712 --- /dev/null +++ b/queue-4.9/ib-core-type-promotion-bug-in-rdma_rw_init_one_mr.patch 
@@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:32:12 +0300 +Subject: IB/core: type promotion bug in rdma_rw_init_one_mr() + +From: Dan Carpenter + +[ Upstream commit c2d7c8ff89b22ddefb1ac2986c0d48444a667689 ] + +"nents" is an unsigned int, so if ib_map_mr_sg() returns a negative +error code then it's type promoted to a high unsigned int which is +treated as success. + +Fixes: a060b5629ab0 ("IB/core: generic RDMA READ/WRITE API") +Signed-off-by: Dan Carpenter +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/rw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/rw.c ++++ b/drivers/infiniband/core/rw.c +@@ -87,7 +87,7 @@ static int rdma_rw_init_one_mr(struct ib + } + + ret = ib_map_mr_sg(reg->mr, sg, nents, &offset, PAGE_SIZE); +- if (ret < nents) { ++ if (ret < 0 || ret < nents) { + ib_mr_pool_put(qp, &qp->rdma_mrs, reg->mr); + return -EINVAL; + } diff --git a/queue-4.9/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch b/queue-4.9/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch new file mode 100644 index 00000000000..d3d81ce8c21 --- /dev/null +++ b/queue-4.9/iommu-amd-make-sure-tlb-to-be-flushed-before-iova-freed.patch 
@@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Zhen Lei +Date: Wed, 6 Jun 2018 10:18:46 +0800 +Subject: iommu/amd: make sure TLB to be flushed before IOVA freed + +From: Zhen Lei + +[ Upstream commit 3c120143f584360a13614787e23ae2cdcb5e5ccd ] + +Although the mapping has already been removed in the page table, it maybe +still exist in TLB. Suppose the freed IOVAs is reused by others before the +flush operation completed, the new user can not correctly access to its +meomory. + +Signed-off-by: Zhen Lei +Fixes: b1516a14657a ('iommu/amd: Implement flush queue') +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2452,9 +2452,9 @@ static void __unmap_single(struct dma_op + } + + if (amd_iommu_unmap_flush) { +- dma_ops_free_iova(dma_dom, dma_addr, pages); + domain_flush_tlb(&dma_dom->domain); + domain_flush_complete(&dma_dom->domain); ++ dma_ops_free_iova(dma_dom, dma_addr, pages); + } else { + queue_add(dma_dom, dma_addr, pages); + } diff --git a/queue-4.9/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch b/queue-4.9/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch new file mode 100644 index 00000000000..cba8c6caad8 --- /dev/null +++ b/queue-4.9/md-cluster-clear-another-node-s-suspend_area-after-the-copy-is-finished.patch 
@@ -0,0 +1,72 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Guoqing Jiang +Date: Mon, 2 Jul 2018 16:26:24 +0800 +Subject: md-cluster: clear another node's suspend_area after the copy is finished + +From: Guoqing Jiang + +[ Upstream commit 010228e4a932ca1e8365e3b58c8e1e44c16ff793 ] + +When one node leaves cluster or stops the resyncing +(resync or recovery) array, then other nodes need to +call recover_bitmaps to continue the unfinished task. + +But we need to clear suspend_area later after other +nodes copy the resync information to their bitmap +(by call bitmap_copy_from_slot). Otherwise, all nodes +could write to the suspend_area even the suspend_area +is not handled by any node, because area_resyncing +returns 0 at the beginning of raid1_write_request. +Which means one node could write suspend_area while +another node is resyncing the same area, then data +could be inconsistent. + +So let's clear suspend_area later to avoid above issue +with the protection of bm lock. Also it is straightforward +to clear suspend_area after nodes have copied the resync +info to bitmap. 
+ +Signed-off-by: Guoqing Jiang +Reviewed-by: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/md-cluster.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/drivers/md/md-cluster.c ++++ b/drivers/md/md-cluster.c +@@ -302,15 +302,6 @@ static void recover_bitmaps(struct md_th + while (cinfo->recovery_map) { + slot = fls64((u64)cinfo->recovery_map) - 1; + +- /* Clear suspend_area associated with the bitmap */ +- spin_lock_irq(&cinfo->suspend_lock); +- list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) +- if (slot == s->slot) { +- list_del(&s->list); +- kfree(s); +- } +- spin_unlock_irq(&cinfo->suspend_lock); +- + snprintf(str, 64, "bitmap%04d", slot); + bm_lockres = lockres_init(mddev, str, NULL, 1); + if (!bm_lockres) { +@@ -329,6 +320,16 @@ static void recover_bitmaps(struct md_th + pr_err("md-cluster: Could not copy data from bitmap %d\n", slot); + goto clear_bit; + } ++ ++ /* Clear suspend_area associated with the bitmap */ ++ spin_lock_irq(&cinfo->suspend_lock); ++ list_for_each_entry_safe(s, tmp, &cinfo->suspend_list, list) ++ if (slot == s->slot) { ++ list_del(&s->list); ++ kfree(s); ++ } ++ spin_unlock_irq(&cinfo->suspend_lock); ++ + if (hi > 0) { + if (lo < mddev->recovery_cp) + mddev->recovery_cp = lo; diff --git a/queue-4.9/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch b/queue-4.9/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch new file mode 100644 index 00000000000..58cf392cba8 --- /dev/null +++ b/queue-4.9/media-exynos4-is-prevent-null-pointer-dereference-in-__isp_video_try_fmt.patch 
@@ -0,0 +1,49 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Sylwester Nawrocki +Date: Tue, 15 May 2018 05:21:45 -0400 +Subject: media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt() + +From: Sylwester Nawrocki + +[ Upstream commit 7c1b9a5aeed91bef98988ac0fcf38c8c1f4f9a3a ] + +This patch fixes potential NULL pointer dereference as indicated +by the following static checker warning: + +drivers/media/platform/exynos4-is/fimc-isp-video.c:408 isp_video_try_fmt_mplane() +error: NULL dereference inside function '__isp_video_try_fmt(isp, &f->fmt.pix_mp, (0))()'. + +Fixes: 34947b8aebe3: ("[media] exynos4-is: Add the FIMC-IS ISP capture DMA driver") + +Reported-by: Dan Carpenter +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/exynos4-is/fimc-isp-video.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/media/platform/exynos4-is/fimc-isp-video.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp-video.c +@@ -384,12 +384,17 @@ static void __isp_video_try_fmt(struct f + struct v4l2_pix_format_mplane *pixm, + const struct fimc_fmt **fmt) + { +- *fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ const struct fimc_fmt *__fmt; ++ ++ __fmt = fimc_isp_find_format(&pixm->pixelformat, NULL, 2); ++ ++ if (fmt) ++ *fmt = __fmt; + + pixm->colorspace = V4L2_COLORSPACE_SRGB; + pixm->field = V4L2_FIELD_NONE; +- pixm->num_planes = (*fmt)->memplanes; +- pixm->pixelformat = (*fmt)->fourcc; ++ pixm->num_planes = __fmt->memplanes; ++ pixm->pixelformat = __fmt->fourcc; + /* + * TODO: double check with the docmentation these width/height + * constraints are correct. diff --git a/queue-4.9/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch b/queue-4.9/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch new file mode 100644 index 00000000000..fbd50547064 --- /dev/null 
+++ b/queue-4.9/media-fsl-viu-fix-error-handling-in-viu_of_probe.patch 
@@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Alexey Khoroshilov +Date: Fri, 29 Jun 2018 17:49:22 -0400 +Subject: media: fsl-viu: fix error handling in viu_of_probe() + +From: Alexey Khoroshilov + +[ Upstream commit 662a99e145661c2b35155cf375044deae9b79896 ] + +viu_of_probe() ignores fails in i2c_get_adapter(), +tries to unlock uninitialized mutex on error path. + +The patch streamlining the error handling in viu_of_probe(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/fsl-viu.c | 38 +++++++++++++++++++++++--------------- + 1 file changed, 23 insertions(+), 15 deletions(-) + +--- a/drivers/media/platform/fsl-viu.c ++++ b/drivers/media/platform/fsl-viu.c +@@ -1417,7 +1417,7 @@ static int viu_of_probe(struct platform_ + sizeof(struct viu_reg), DRV_NAME)) { + dev_err(&op->dev, "Error while requesting mem region\n"); + ret = -EBUSY; +- goto err; ++ goto err_irq; + } + + /* remap registers */ +@@ -1425,7 +1425,7 @@ static int viu_of_probe(struct platform_ + if (!viu_regs) { + dev_err(&op->dev, "Can't map register set\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + /* Prepare our private structure */ +@@ -1433,7 +1433,7 @@ static int viu_of_probe(struct platform_ + if (!viu_dev) { + dev_err(&op->dev, "Can't allocate private structure\n"); + ret = -ENOMEM; +- goto err; ++ goto err_irq; + } + + viu_dev->vr = viu_regs; +@@ -1449,16 +1449,21 @@ static int viu_of_probe(struct platform_ + ret = v4l2_device_register(viu_dev->dev, &viu_dev->v4l2_dev); + if (ret < 0) { + dev_err(&op->dev, "v4l2_device_register() failed: %d\n", ret); +- goto err; ++ goto err_irq; + } + + ad = i2c_get_adapter(0); ++ if (!ad) { ++ ret = -EFAULT; ++ dev_err(&op->dev, "couldn't get i2c adapter\n"); ++ goto err_v4l2; ++ } + + 
v4l2_ctrl_handler_init(&viu_dev->hdl, 5); + if (viu_dev->hdl.error) { + ret = viu_dev->hdl.error; + dev_err(&op->dev, "couldn't register control\n"); +- goto err_vdev; ++ goto err_i2c; + } + /* This control handler will inherit the control(s) from the + sub-device(s). */ +@@ -1476,7 +1481,7 @@ static int viu_of_probe(struct platform_ + vdev = video_device_alloc(); + if (vdev == NULL) { + ret = -ENOMEM; +- goto err_vdev; ++ goto err_hdl; + } + + *vdev = viu_template; +@@ -1497,7 +1502,7 @@ static int viu_of_probe(struct platform_ + ret = video_register_device(viu_dev->vdev, VFL_TYPE_GRABBER, -1); + if (ret < 0) { + video_device_release(viu_dev->vdev); +- goto err_vdev; ++ goto err_unlock; + } + + /* enable VIU clock */ +@@ -1505,12 +1510,12 @@ static int viu_of_probe(struct platform_ + if (IS_ERR(clk)) { + dev_err(&op->dev, "failed to lookup the clock!\n"); + ret = PTR_ERR(clk); +- goto err_clk; ++ goto err_vdev; + } + ret = clk_prepare_enable(clk); + if (ret) { + dev_err(&op->dev, "failed to enable the clock!\n"); +- goto err_clk; ++ goto err_vdev; + } + viu_dev->clk = clk; + +@@ -1521,7 +1526,7 @@ static int viu_of_probe(struct platform_ + if (request_irq(viu_dev->irq, viu_intr, 0, "viu", (void *)viu_dev)) { + dev_err(&op->dev, "Request VIU IRQ failed.\n"); + ret = -ENODEV; +- goto err_irq; ++ goto err_clk; + } + + mutex_unlock(&viu_dev->lock); +@@ -1529,16 +1534,19 @@ static int viu_of_probe(struct platform_ + dev_info(&op->dev, "Freescale VIU Video Capture Board\n"); + return ret; + +-err_irq: +- clk_disable_unprepare(viu_dev->clk); + err_clk: +- video_unregister_device(viu_dev->vdev); ++ clk_disable_unprepare(viu_dev->clk); + err_vdev: +- v4l2_ctrl_handler_free(&viu_dev->hdl); ++ video_unregister_device(viu_dev->vdev); ++err_unlock: + mutex_unlock(&viu_dev->lock); ++err_hdl: ++ v4l2_ctrl_handler_free(&viu_dev->hdl); ++err_i2c: + i2c_put_adapter(ad); ++err_v4l2: + v4l2_device_unregister(&viu_dev->v4l2_dev); +-err: ++err_irq: + irq_dispose_mapping(viu_irq); + 
return ret; + } diff --git a/queue-4.9/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch b/queue-4.9/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch new file mode 100644 index 00000000000..ce57a2cecf8 --- /dev/null +++ b/queue-4.9/media-omap3isp-zero-initialize-the-isp-cam_xclk-a-b-initial-data.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Javier Martinez Canillas +Date: Sat, 9 Jun 2018 08:22:45 -0400 +Subject: media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data + +From: Javier Martinez Canillas + +[ Upstream commit 2ec7debd44b49927a6e2861521994cc075a389ed ] + +The struct clk_init_data init variable is declared in the isp_xclk_init() +function so is an automatic variable allocated in the stack. But it's not +explicitly zero-initialized, so some init fields are left uninitialized. + +This causes the data structure to have undefined values that may confuse +the common clock framework when the clock is registered. + +For example, the uninitialized .flags field could have the CLK_IS_CRITICAL +bit set, causing the framework to wrongly prepare the clk on registration. +This leads to the isp_xclk_prepare() callback being called, which in turn +calls to the omap3isp_get() function that increments the isp dev refcount. + +Since this omap3isp_get() call is unexpected, this leads to an unbalanced +omap3isp_get() call that prevents the requested IRQ to be later enabled, +due the refcount not being 0 when the correct omap3isp_get() call happens. + +Fixes: 9b28ee3c9122 ("[media] omap3isp: Use the common clock framework") + +Signed-off-by: Javier Martinez Canillas +Reviewed-by: Sebastian Reichel +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/omap3isp/isp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -304,7 +304,7 @@ static struct clk *isp_xclk_src_get(stru + static int isp_xclk_init(struct isp_device *isp) + { + struct device_node *np = isp->dev->of_node; +- struct clk_init_data init; ++ struct clk_init_data init = { 0 }; + unsigned int i; + + for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i) 
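Review bot: `struct clk_init_data init = { 0 };` in isp_xclk_init() zeroes the structure once at declaration, but init is declared outside the `for (i = 0; i < ARRAY_SIZE(isp->xclks); ++i)` loop and is therefore shared by every iteration. Any field written while registering one xclk is still set when the next one is registered, so a field that the loop body sets only conditionally would carry over into the following clock. Moving the declaration into the loop body, or a memset() at the top of each iteration, makes every registration start from zero.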
diff --git a/queue-4.9/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch b/queue-4.9/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch new file mode 100644 index 00000000000..ae708686ffd --- /dev/null +++ b/queue-4.9/media-s3c-camif-ignore-enoioctlcmd-from-v4l2_subdev_call-for-s_power.patch @@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:01 -0400 +Subject: media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power + +From: Akinobu Mita + +[ Upstream commit 30ed2b83343bd1e07884ca7355dac70d25ffc158 ] + +When the subdevice doesn't provide s_power core ops callback, the +v4l2_subdev_call for s_power returns -ENOIOCTLCMD. If the subdevice +doesn't have the special handling for its power saving mode, the s_power +isn't required. So -ENOIOCTLCMD from the v4l2_subdev_call should be +ignored. + +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Acked-by: Sylwester Nawrocki +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/platform/s3c-camif/camif-capture.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -117,6 +117,8 @@ static int sensor_set_power(struct camif + + if (camif->sensor.power_count == !on) + err = v4l2_subdev_call(sensor->sd, core, s_power, on); ++ if (err == -ENOIOCTLCMD) ++ err = 0; + if (!err) + sensor->power_count += on ? 1 : -1; + diff --git a/queue-4.9/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch b/queue-4.9/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch new file mode 100644 index 00000000000..5b1254048e1 --- /dev/null +++ b/queue-4.9/media-soc_camera-ov772x-correct-setting-of-banding-filter.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Akinobu Mita +Date: Sun, 10 Jun 2018 11:42:26 -0400 +Subject: media: soc_camera: ov772x: correct setting of banding filter + +From: Akinobu Mita + +[ Upstream commit 22216ec41e919682c15345e95928f266e8ba6f9e ] + +The banding filter ON/OFF is controlled via bit 5 of COM8 register. It +is attempted to be enabled in ov772x_set_params() by the following line. + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); + +But this unexpectedly results disabling the banding filter, because the +mask and set bits are exclusive. + +On the other hand, ov772x_s_ctrl() correctly sets the bit by: + + ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + +The same fix was already applied to non-soc_camera version of ov772x +driver in the commit commit a024ee14cd36 ("media: ov772x: correct setting +of banding filter") + +Cc: Jacopo Mondi +Cc: Laurent Pinchart +Cc: Hans Verkuil +Signed-off-by: Akinobu Mita +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/soc_camera/ov772x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/soc_camera/ov772x.c ++++ b/drivers/media/i2c/soc_camera/ov772x.c +@@ -834,7 +834,7 @@ static int ov772x_set_params(struct ov77 + * set COM8 + */ + if (priv->band_filter) { +- ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, 1); ++ ret = ov772x_mask_set(client, COM8, BNDF_ON_OFF, BNDF_ON_OFF); + if (!ret) + ret = ov772x_mask_set(client, BDBASE, + 0xff, 256 - priv->band_filter); diff --git a/queue-4.9/media-tm6000-add-error-handling-for-dvb_register_adapter.patch b/queue-4.9/media-tm6000-add-error-handling-for-dvb_register_adapter.patch new file mode 100644 index 00000000000..8a73ad626de --- /dev/null +++ b/queue-4.9/media-tm6000-add-error-handling-for-dvb_register_adapter.patch 
@@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Zhouyang Jia +Date: Mon, 11 Jun 2018 00:39:20 -0400 +Subject: media: tm6000: add error handling for dvb_register_adapter + +From: Zhouyang Jia + +[ Upstream commit e95d7c6eb94c634852eaa5ff4caf3db05b5d2e86 ] + +When dvb_register_adapter fails, the lack of error-handling code may +cause unexpected results. + +This patch adds error-handling code after calling dvb_register_adapter. + +Signed-off-by: Zhouyang Jia +[hans.verkuil@cisco.com: use pr_err and fix typo: adater -> adapter] +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/tm6000/tm6000-dvb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/media/usb/tm6000/tm6000-dvb.c ++++ b/drivers/media/usb/tm6000/tm6000-dvb.c +@@ -273,6 +273,11 @@ static int register_dvb(struct tm6000_co + + ret = dvb_register_adapter(&dvb->adapter, "Trident TVMaster 6000 DVB-T", + THIS_MODULE, &dev->udev->dev, adapter_nr); ++ if (ret < 0) { ++ pr_err("tm6000: couldn't register the adapter!\n"); ++ goto err; ++ } ++ + dvb->adapter.priv = dev; + + if (dvb->frontend) { diff --git a/queue-4.9/module-exclude-shn_undef-symbols-from-kallsyms-api.patch b/queue-4.9/module-exclude-shn_undef-symbols-from-kallsyms-api.patch new file mode 100644 index 00000000000..b311d9eac4c --- /dev/null +++ b/queue-4.9/module-exclude-shn_undef-symbols-from-kallsyms-api.patch 
@@ -0,0 +1,54 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Jessica Yu +Date: Tue, 5 Jun 2018 10:22:52 +0200 +Subject: module: exclude SHN_UNDEF symbols from kallsyms api + +From: Jessica Yu + +[ Upstream commit 9f2d1e68cf4d641def734adaccfc3823d3575e6c ] + +Livepatch modules are special in that we preserve their entire symbol +tables in order to be able to apply relocations after module load. The +unwanted side effect of this is that undefined (SHN_UNDEF) symbols of +livepatch modules are accessible via the kallsyms api and this can +confuse symbol resolution in livepatch (klp_find_object_symbol()) and +cause subtle bugs in livepatch. + +Have the module kallsyms api skip over SHN_UNDEF symbols. These symbols +are usually not available for normal modules anyway as we cut down their +symbol tables to just the core (non-undefined) symbols, so this should +really just affect livepatch modules. Note that this patch doesn't +affect the display of undefined symbols in /proc/kallsyms. + +Reported-by: Josh Poimboeuf +Tested-by: Josh Poimboeuf +Reviewed-by: Josh Poimboeuf +Signed-off-by: Jessica Yu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/module.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -4011,7 +4011,7 @@ static unsigned long mod_find_symname(st + + for (i = 0; i < kallsyms->num_symtab; i++) + if (strcmp(name, symname(kallsyms, i)) == 0 && +- kallsyms->symtab[i].st_info != 'U') ++ kallsyms->symtab[i].st_shndx != SHN_UNDEF) + return kallsyms->symtab[i].st_value; + return 0; + } +@@ -4057,6 +4057,10 @@ int module_kallsyms_on_each_symbol(int ( + if (mod->state == MODULE_STATE_UNFORMED) + continue; + for (i = 0; i < kallsyms->num_symtab; i++) { ++ ++ if (kallsyms->symtab[i].st_shndx == SHN_UNDEF) ++ continue; ++ + ret = fn(data, symname(kallsyms, i), + mod, kallsyms->symtab[i].st_value); + if (ret != 0) 
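Review bot: The `st_shndx == SHN_UNDEF` skip added at the top of the for loop in module_kallsyms_on_each_symbol() has no comment saying why undefined symbols can be present in a module's symtab at all. A one-line comment that they only survive in livepatch modules would save the next reader a trip to the changelog. The same test is now open-coded here and in mod_find_symname(); a small helper would keep the two in step. Style: drop the blank line directly after the opening brace of the for loop.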
diff --git a/queue-4.9/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch b/queue-4.9/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch new file mode 100644 index 00000000000..ed2e13526a0 --- /dev/null +++ b/queue-4.9/net-phy-xgmiitorgmii-check-phy_driver-ready-before-accessing.patch 
@@ -0,0 +1,90 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Brandon Maier +Date: Tue, 26 Jun 2018 12:50:48 -0500 +Subject: net: phy: xgmiitorgmii: Check phy_driver ready before accessing + +From: Brandon Maier + +[ Upstream commit ab4e6ee578e88a659938db8fbf33720bc048d29c ] + +Since a phy_device is added to the global mdio_bus list during +phy_device_register(), but a phy_device's phy_driver doesn't get +attached until phy_probe(). It's possible of_phy_find_device() in +xgmiitorgmii will return a valid phy with a NULL phy_driver. Leading to +a NULL pointer access during the memcpy(). + +Fixes this Oops: + +Unable to handle kernel NULL pointer dereference at virtual address 00000000 +pgd = c0004000 +[00000000] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.14.40 #1 +Hardware name: Xilinx Zynq Platform +task: ce4c8d00 task.stack: ce4ca000 +PC is at memcpy+0x48/0x330 +LR is at xgmiitorgmii_probe+0x90/0xe8 +pc : [] lr : [] psr: 20000013 +sp : ce4cbb54 ip : 00000000 fp : ce4cbb8c +r10: 00000000 r9 : 00000000 r8 : c0c49178 +r7 : 00000000 r6 : cdc14718 r5 : ce762800 r4 : cdc14710 +r3 : 00000000 r2 : 00000054 r1 : 00000000 r0 : cdc14718 +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none +Control: 18c5387d Table: 0000404a DAC: 00000051 +Process swapper/0 (pid: 1, stack limit = 0xce4ca210) +... 
+[] (memcpy) from [] (xgmiitorgmii_probe+0x90/0xe8) +[] (xgmiitorgmii_probe) from [] (mdio_probe+0x28/0x34) +[] (mdio_probe) from [] (driver_probe_device+0x254/0x414) +[] (driver_probe_device) from [] (__device_attach_driver+0xac/0x10c) +[] (__device_attach_driver) from [] (bus_for_each_drv+0x84/0xc8) +[] (bus_for_each_drv) from [] (__device_attach+0xd0/0x134) +[] (__device_attach) from [] (device_initial_probe+0x1c/0x20) +[] (device_initial_probe) from [] (bus_probe_device+0x98/0xa0) +[] (bus_probe_device) from [] (device_add+0x43c/0x5d0) +[] (device_add) from [] (mdio_device_register+0x34/0x80) +[] (mdio_device_register) from [] (of_mdiobus_register+0x170/0x30c) +[] (of_mdiobus_register) from [] (macb_probe+0x710/0xc00) +[] (macb_probe) from [] (platform_drv_probe+0x44/0x80) +[] (platform_drv_probe) from [] (driver_probe_device+0x254/0x414) +[] (driver_probe_device) from [] (__driver_attach+0x10c/0x118) +[] (__driver_attach) from [] (bus_for_each_dev+0x8c/0xd0) +[] (bus_for_each_dev) from [] (driver_attach+0x2c/0x30) +[] (driver_attach) from [] (bus_add_driver+0x50/0x260) +[] (bus_add_driver) from [] (driver_register+0x88/0x108) +[] (driver_register) from [] (__platform_driver_register+0x50/0x58) +[] (__platform_driver_register) from [] (macb_driver_init+0x24/0x28) +[] (macb_driver_init) from [] (do_one_initcall+0x60/0x1a4) +[] (do_one_initcall) from [] (kernel_init_freeable+0x15c/0x1f8) +[] (kernel_init_freeable) from [] (kernel_init+0x18/0x124) +[] (kernel_init) from [] (ret_from_fork+0x14/0x20) +Code: ba000002 f5d1f03c f5d1f05c f5d1f07c (e8b151f8) +---[ end trace 3e4ec21905820a1f ]--- + +Signed-off-by: Brandon Maier +Reviewed-by: Andrew Lunn +Reviewed-by: Florian Fainelli + +Signed-off-by: David S. 
Miller + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/xilinx_gmii2rgmii.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/phy/xilinx_gmii2rgmii.c ++++ b/drivers/net/phy/xilinx_gmii2rgmii.c +@@ -84,6 +84,11 @@ static int xgmiitorgmii_probe(struct mdi + return -EPROBE_DEFER; + } + ++ if (!priv->phy_dev->drv) { ++ dev_info(dev, "Attached phy not ready\n"); ++ return -EPROBE_DEFER; ++ } ++ + priv->addr = mdiodev->addr; + priv->phy_drv = priv->phy_dev->drv; + memcpy(&priv->conv_phy_drv, priv->phy_dev->drv, diff --git a/queue-4.9/net-phy-xgmiitorgmii-check-read_status-results.patch b/queue-4.9/net-phy-xgmiitorgmii-check-read_status-results.patch new file mode 100644 index 00000000000..39880856fd9 --- /dev/null +++ b/queue-4.9/net-phy-xgmiitorgmii-check-read_status-results.patch @@ -0,0 +1,36 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Brandon Maier +Date: Tue, 26 Jun 2018 12:50:50 -0500 +Subject: net: phy: xgmiitorgmii: Check read_status results + +From: Brandon Maier + +[ Upstream commit 8d0752d11312be830c33e84dfd1016e6a47c2938 ] + +We're ignoring the result of the attached phy device's read_status(). +Return it so we can detect errors. + +Signed-off-by: Brandon Maier +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/xilinx_gmii2rgmii.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/phy/xilinx_gmii2rgmii.c ++++ b/drivers/net/phy/xilinx_gmii2rgmii.c +@@ -40,8 +40,11 @@ static int xgmiitorgmii_read_status(stru + { + struct gmii2rgmii *priv = phydev->priv; + u16 val = 0; ++ int err; + +- priv->phy_drv->read_status(phydev); ++ err = priv->phy_drv->read_status(phydev); ++ if (err < 0) ++ return err; + + val = mdiobus_read(phydev->mdio.bus, priv->addr, XILINX_GMII2RGMII_REG); + val &= ~XILINX_GMII2RGMII_SPEED_MASK; 
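Review bot: xgmiitorgmii_read_status() now checks the attached driver's read_status(), but the mdiobus_read() two lines further down is still assigned straight to `u16 val` with no check. A negative error code from the bus read would be truncated into val, masked with ~XILINX_GMII2RGMII_SPEED_MASK and then treated as register contents. Read into an int first, return it if negative, and only then copy it to val.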
diff --git a/queue-4.9/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch b/queue-4.9/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch new file mode 100644 index 00000000000..0c75fbd56ec --- /dev/null +++ b/queue-4.9/nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch @@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: "J. Bruce Fields" +Date: Wed, 13 Jun 2018 15:21:35 -0400 +Subject: nfsd: fix corrupted reply to badly ordered compound + +From: "J. Bruce Fields" + +[ Upstream commit 5b7b15aee641904ae269be9846610a3950cbd64c ] + +We're encoding a single op in the reply but leaving the number of ops +zero, so the reply makes no sense. + +Somewhat academic as this isn't a case any real client will hit, though +in theory perhaps that could change in a future protocol extension. + +Reviewed-by: Jeff Layton +Signed-off-by: J. Bruce Fields +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4proc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -1725,6 +1725,7 @@ nfsd4_proc_compound(struct svc_rqst *rqs + if (status) { + op = &args->ops[0]; + op->status = status; ++ resp->opcnt = 1; + goto encode_op; + } + diff --git a/queue-4.9/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch b/queue-4.9/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch new file mode 100644 index 00000000000..a73c42ba032 --- /dev/null +++ b/queue-4.9/perf-x86-intel-lbr-fix-incomplete-lbr-call-stack.patch 
@@ -0,0 +1,255 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Kan Liang +Date: Tue, 5 Jun 2018 08:38:45 -0700 +Subject: perf/x86/intel/lbr: Fix incomplete LBR call stack + +From: Kan Liang + +[ Upstream commit 0592e57b24e7e05ec1f4c50b9666c013abff7017 ] + +LBR has a limited stack size. If a task has a deeper call stack than +LBR's stack size, only the overflowed part is reported. A complete call +stack may not be reconstructed by perf tool. + +Current code doesn't access all LBR registers. It only read the ones +below the TOS. The LBR registers above the TOS will be discarded +unconditionally. + +When a CALL is captured, the TOS is incremented by 1 , modulo max LBR +stack size. The LBR HW only records the call stack information to the +register which the TOS points to. It will not touch other LBR +registers. So the registers above the TOS probably still store the valid +call stack information for an overflowed call stack, which need to be +reported. + +To retrieve complete call stack information, we need to start from TOS, +read all LBR registers until an invalid entry is detected. +0s can be used to detect the invalid entry, because: + + - When a RET is captured, the HW zeros the LBR register which TOS points + to, then decreases the TOS. + - The LBR registers are reset to 0 when adding a new LBR event or + scheduling an existing LBR event. + - A taken branch at IP 0 is not expected + +The context switch code is also modified to save/restore all valid LBR +registers. Furthermore, the LBR registers, which don't have valid call +stack information, need to be reset in restore, because they may be +polluted while swapped out. + +Here is a small test program, tchain_deep. +Its call stack is deeper than 32. + + noinline void f33(void) + { + int i; + + for (i = 0; i < 10000000;) { + if (i%2) + i++; + else + i++; + } + } + + noinline void f32(void) + { + f33(); + } + + noinline void f31(void) + { + f32(); + } + + ... ... 
+ + noinline void f1(void) + { + f2(); + } + + int main() + { + f1(); + } + +Here is the test result on SKX. The max stack size of SKX is 32. + +Without the patch: + + $ perf record -e cycles --call-graph lbr -- ./tchain_deep + $ perf report --stdio + # + # Children Self Command Shared Object Symbol + # ........ ........ ........... ................ ................. + # + 100.00% 99.99% tchain_deep tchain_deep [.] f33 + | + --99.99%--f30 + f31 + f32 + f33 + +With the patch: + + $ perf record -e cycles --call-graph lbr -- ./tchain_deep + $ perf report --stdio + # Children Self Command Shared Object Symbol + # ........ ........ ........... ................ .................. + # + 99.99% 0.00% tchain_deep tchain_deep [.] f1 + | + ---f1 + f2 + f3 + f4 + f5 + f6 + f7 + f8 + f9 + f10 + f11 + f12 + f13 + f14 + f15 + f16 + f17 + f18 + f19 + f20 + f21 + f22 + f23 + f24 + f25 + f26 + f27 + f28 + f29 + f30 + f31 + f32 + f33 + +Signed-off-by: Kan Liang +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Peter Zijlstra +Cc: Arnaldo Carvalho de Melo +Cc: Jiri Olsa +Cc: Stephane Eranian +Cc: Vince Weaver +Cc: Alexander Shishkin +Cc: Thomas Gleixner +Cc: acme@kernel.org +Cc: eranian@google.com +Link: https://lore.kernel.org/lkml/1528213126-4312-1-git-send-email-kan.liang@linux.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/events/intel/lbr.c | 32 ++++++++++++++++++++++++++------ + arch/x86/events/perf_event.h | 1 + + 2 files changed, 27 insertions(+), 6 deletions(-) + +--- a/arch/x86/events/intel/lbr.c ++++ b/arch/x86/events/intel/lbr.c +@@ -342,7 +342,7 @@ static void __intel_pmu_lbr_restore(stru + + mask = x86_pmu.lbr_nr - 1; + tos = task_ctx->tos; +- for (i = 0; i < tos; i++) { ++ for (i = 0; i < task_ctx->valid_lbrs; i++) { + lbr_idx = (tos - i) & mask; + wrlbr_from(lbr_idx, task_ctx->lbr_from[i]); + wrlbr_to (lbr_idx, task_ctx->lbr_to[i]); +@@ -350,6 +350,15 @@ static void __intel_pmu_lbr_restore(stru + if 
(x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) + wrmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]); + } ++ ++ for (; i < x86_pmu.lbr_nr; i++) { ++ lbr_idx = (tos - i) & mask; ++ wrlbr_from(lbr_idx, 0); ++ wrlbr_to(lbr_idx, 0); ++ if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) ++ wrmsrl(MSR_LBR_INFO_0 + lbr_idx, 0); ++ } ++ + wrmsrl(x86_pmu.lbr_tos, tos); + task_ctx->lbr_stack_state = LBR_NONE; + } +@@ -357,7 +366,7 @@ static void __intel_pmu_lbr_restore(stru + static void __intel_pmu_lbr_save(struct x86_perf_task_context *task_ctx) + { + unsigned lbr_idx, mask; +- u64 tos; ++ u64 tos, from; + int i; + + if (task_ctx->lbr_callstack_users == 0) { +@@ -367,13 +376,17 @@ static void __intel_pmu_lbr_save(struct + + mask = x86_pmu.lbr_nr - 1; + tos = intel_pmu_lbr_tos(); +- for (i = 0; i < tos; i++) { ++ for (i = 0; i < x86_pmu.lbr_nr; i++) { + lbr_idx = (tos - i) & mask; +- task_ctx->lbr_from[i] = rdlbr_from(lbr_idx); ++ from = rdlbr_from(lbr_idx); ++ if (!from) ++ break; ++ task_ctx->lbr_from[i] = from; + task_ctx->lbr_to[i] = rdlbr_to(lbr_idx); + if (x86_pmu.intel_cap.lbr_format == LBR_FORMAT_INFO) + rdmsrl(MSR_LBR_INFO_0 + lbr_idx, task_ctx->lbr_info[i]); + } ++ task_ctx->valid_lbrs = i; + task_ctx->tos = tos; + task_ctx->lbr_stack_state = LBR_VALID; + } +@@ -522,7 +535,7 @@ static void intel_pmu_lbr_read_32(struct + */ + static void intel_pmu_lbr_read_64(struct cpu_hw_events *cpuc) + { +- bool need_info = false; ++ bool need_info = false, call_stack = false; + unsigned long mask = x86_pmu.lbr_nr - 1; + int lbr_format = x86_pmu.intel_cap.lbr_format; + u64 tos = intel_pmu_lbr_tos(); +@@ -533,7 +546,7 @@ static void intel_pmu_lbr_read_64(struct + if (cpuc->lbr_sel) { + need_info = !(cpuc->lbr_sel->config & LBR_NO_INFO); + if (cpuc->lbr_sel->config & LBR_CALL_STACK) +- num = tos; ++ call_stack = true; + } + + for (i = 0; i < num; i++) { +@@ -546,6 +559,13 @@ static void intel_pmu_lbr_read_64(struct + from = rdlbr_from(lbr_idx); + to = rdlbr_to(lbr_idx); + 
++ /* ++ * Read LBR call stack entries ++ * until invalid entry (0s) is detected. ++ */ ++ if (call_stack && !from) ++ break; ++ + if (lbr_format == LBR_FORMAT_INFO && need_info) { + u64 info; + +--- a/arch/x86/events/perf_event.h ++++ b/arch/x86/events/perf_event.h +@@ -633,6 +633,7 @@ struct x86_perf_task_context { + u64 lbr_to[MAX_LBR_ENTRIES]; + u64 lbr_info[MAX_LBR_ENTRIES]; + int tos; ++ int valid_lbrs; + int lbr_callstack_users; + int lbr_stack_state; + }; diff --git a/queue-4.9/power-remove-possible-deadlock-when-unregistering-power_supply.patch b/queue-4.9/power-remove-possible-deadlock-when-unregistering-power_supply.patch new file mode 100644 index 00000000000..9a7648eda13 --- /dev/null +++ b/queue-4.9/power-remove-possible-deadlock-when-unregistering-power_supply.patch 
@@ -0,0 +1,145 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Benjamin Tissoires +Date: Mon, 25 Jun 2018 09:51:48 +0200 +Subject: power: remove possible deadlock when unregistering power_supply + +From: Benjamin Tissoires + +[ Upstream commit 3ffa6583e24e1ad1abab836d24bfc9d2308074e5 ] + +If a device gets removed right after having registered a power_supply node, +we might enter in a deadlock between the remove call (that has a lock on +the parent device) and the deferred register work. + +Allow the deferred register work to exit without taking the lock when +we are in the remove state. + +Stack trace on a Ubuntu 16.04: + +[16072.109121] INFO: task kworker/u16:2:1180 blocked for more than 120 seconds. +[16072.109127] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu +[16072.109129] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +[16072.109132] kworker/u16:2 D 0 1180 2 0x80000000 +[16072.109142] Workqueue: events_power_efficient power_supply_deferred_register_work +[16072.109144] Call Trace: +[16072.109152] __schedule+0x3d6/0x8b0 +[16072.109155] schedule+0x36/0x80 +[16072.109158] schedule_preempt_disabled+0xe/0x10 +[16072.109161] __mutex_lock.isra.2+0x2ab/0x4e0 +[16072.109166] __mutex_lock_slowpath+0x13/0x20 +[16072.109168] ? __mutex_lock_slowpath+0x13/0x20 +[16072.109171] mutex_lock+0x2f/0x40 +[16072.109174] power_supply_deferred_register_work+0x2b/0x50 +[16072.109179] process_one_work+0x15b/0x410 +[16072.109182] worker_thread+0x4b/0x460 +[16072.109186] kthread+0x10c/0x140 +[16072.109189] ? process_one_work+0x410/0x410 +[16072.109191] ? kthread_create_on_node+0x70/0x70 +[16072.109194] ret_from_fork+0x35/0x40 +[16072.109199] INFO: task test:2257 blocked for more than 120 seconds. +[16072.109202] Not tainted 4.13.0-41-generic #46~16.04.1-Ubuntu +[16072.109204] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. 
+[16072.109206] test D 0 2257 2256 0x00000004 +[16072.109208] Call Trace: +[16072.109211] __schedule+0x3d6/0x8b0 +[16072.109215] schedule+0x36/0x80 +[16072.109218] schedule_timeout+0x1f3/0x360 +[16072.109221] ? check_preempt_curr+0x5a/0xa0 +[16072.109224] ? ttwu_do_wakeup+0x1e/0x150 +[16072.109227] wait_for_completion+0xb4/0x140 +[16072.109230] ? wait_for_completion+0xb4/0x140 +[16072.109233] ? wake_up_q+0x70/0x70 +[16072.109236] flush_work+0x129/0x1e0 +[16072.109240] ? worker_detach_from_pool+0xb0/0xb0 +[16072.109243] __cancel_work_timer+0x10f/0x190 +[16072.109247] ? device_del+0x264/0x310 +[16072.109250] ? __wake_up+0x44/0x50 +[16072.109253] cancel_delayed_work_sync+0x13/0x20 +[16072.109257] power_supply_unregister+0x37/0xb0 +[16072.109260] devm_power_supply_release+0x11/0x20 +[16072.109263] release_nodes+0x110/0x200 +[16072.109266] devres_release_group+0x7c/0xb0 +[16072.109274] wacom_remove+0xc2/0x110 [wacom] +[16072.109279] hid_device_remove+0x6e/0xd0 [hid] +[16072.109284] device_release_driver_internal+0x158/0x210 +[16072.109288] device_release_driver+0x12/0x20 +[16072.109291] bus_remove_device+0xec/0x160 +[16072.109293] device_del+0x1de/0x310 +[16072.109298] hid_destroy_device+0x27/0x60 [hid] +[16072.109303] usbhid_disconnect+0x51/0x70 [usbhid] +[16072.109308] usb_unbind_interface+0x77/0x270 +[16072.109311] device_release_driver_internal+0x158/0x210 +[16072.109315] device_release_driver+0x12/0x20 +[16072.109318] usb_driver_release_interface+0x77/0x80 +[16072.109321] proc_ioctl+0x20f/0x250 +[16072.109325] usbdev_do_ioctl+0x57f/0x1140 +[16072.109327] ? __wake_up+0x44/0x50 +[16072.109331] usbdev_ioctl+0xe/0x20 +[16072.109336] do_vfs_ioctl+0xa4/0x600 +[16072.109339] ? 
vfs_write+0x15a/0x1b0 +[16072.109343] SyS_ioctl+0x79/0x90 +[16072.109347] entry_SYSCALL_64_fastpath+0x24/0xab +[16072.109349] RIP: 0033:0x7f20da807f47 +[16072.109351] RSP: 002b:00007ffc422ae398 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[16072.109353] RAX: ffffffffffffffda RBX: 00000000010b8560 RCX: 00007f20da807f47 +[16072.109355] RDX: 00007ffc422ae3a0 RSI: 00000000c0105512 RDI: 0000000000000009 +[16072.109356] RBP: 0000000000000000 R08: 00007ffc422ae3e0 R09: 0000000000000010 +[16072.109357] R10: 00000000000000a6 R11: 0000000000000246 R12: 0000000000000000 +[16072.109359] R13: 00000000010b8560 R14: 00007ffc422ae2e0 R15: 0000000000000000 + +Reported-and-tested-by: Richard Hughes +Tested-by: Aaron Skomra +Signed-off-by: Benjamin Tissoires +Fixes: 7f1a57fdd6cb ("power_supply: Fix possible NULL pointer dereference on early uevent") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/power_supply_core.c | 11 +++++++++-- + include/linux/power_supply.h | 1 + + 2 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -138,8 +139,13 @@ static void power_supply_deferred_regist + struct power_supply *psy = container_of(work, struct power_supply, + deferred_register_work.work); + +- if (psy->dev.parent) +- mutex_lock(&psy->dev.parent->mutex); ++ if (psy->dev.parent) { ++ while (!mutex_trylock(&psy->dev.parent->mutex)) { ++ if (psy->removing) ++ return; ++ msleep(10); ++ } ++ } + + power_supply_changed(psy); + +@@ -944,6 +950,7 @@ EXPORT_SYMBOL_GPL(devm_power_supply_regi + void power_supply_unregister(struct power_supply *psy) + { + WARN_ON(atomic_dec_return(&psy->use_cnt)); ++ psy->removing = true; + cancel_work_sync(&psy->changed_work); + cancel_delayed_work_sync(&psy->deferred_register_work); + 
sysfs_remove_link(&psy->dev.kobj, "powers"); +--- a/include/linux/power_supply.h ++++ b/include/linux/power_supply.h +@@ -249,6 +249,7 @@ struct power_supply { + spinlock_t changed_lock; + bool changed; + bool initialized; ++ bool removing; + atomic_t use_cnt; + #ifdef CONFIG_THERMAL + struct thermal_zone_device *tzd; diff --git a/queue-4.9/power-vexpress-fix-corruption-in-notifier-registration.patch b/queue-4.9/power-vexpress-fix-corruption-in-notifier-registration.patch new file mode 100644 index 00000000000..82f9ca78966 --- /dev/null +++ b/queue-4.9/power-vexpress-fix-corruption-in-notifier-registration.patch 
@@ -0,0 +1,70 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Sudeep Holla +Date: Mon, 18 Jun 2018 16:54:32 +0100 +Subject: power: vexpress: fix corruption in notifier registration + +From: Sudeep Holla + +[ Upstream commit 09bebb1adb21ecd04adf7ccb3b06f73e3a851e93 ] + +Vexpress platforms provide two different restart handlers: SYS_REBOOT +that restart the entire system, while DB_RESET only restarts the +daughter board containing the CPU. DB_RESET is overridden by SYS_REBOOT +if it exists. + +notifier_chain_register used in register_restart_handler by design +relies on notifiers to be registered once only, however vexpress restart +notifier can get registered twice. When this happen it corrupts list +of notifiers, as result some notifiers can be not called on proper +event, traverse on list can be cycled forever, and second unregister +can access already freed memory. + +So far, since this was the only restart handler in the system, no issue +was observed even if the same notifier was registered twice. However +commit 6c5c0d48b686 ("watchdog: sp805: add restart handler") added +support for SP805 restart handlers and since the system under test +contains two vexpress restart and two SP805 watchdog instances, it was +observed that during the boot traversing the restart handler list looped +forever as there's a cycle in that list resulting in boot hang. + +This patch fixes the issues by ensuring that the notifier is installed +only once. 
+ +Cc: Sebastian Reichel +Signed-off-by: Sudeep Holla +Fixes: 46c99ac66222 ("power/reset: vexpress: Register with kernel restart handler") +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/reset/vexpress-poweroff.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/power/reset/vexpress-poweroff.c ++++ b/drivers/power/reset/vexpress-poweroff.c +@@ -35,6 +35,7 @@ static void vexpress_reset_do(struct dev + } + + static struct device *vexpress_power_off_device; ++static atomic_t vexpress_restart_nb_refcnt = ATOMIC_INIT(0); + + static void vexpress_power_off(void) + { +@@ -99,10 +100,13 @@ static int _vexpress_register_restart_ha + int err; + + vexpress_restart_device = dev; +- err = register_restart_handler(&vexpress_restart_nb); +- if (err) { +- dev_err(dev, "cannot register restart handler (err=%d)\n", err); +- return err; ++ if (atomic_inc_return(&vexpress_restart_nb_refcnt) == 1) { ++ err = register_restart_handler(&vexpress_restart_nb); ++ if (err) { ++ dev_err(dev, "cannot register restart handler (err=%d)\n", err); ++ atomic_dec(&vexpress_restart_nb_refcnt); ++ return err; ++ } + } + device_create_file(dev, &dev_attr_active); + diff --git a/queue-4.9/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch b/queue-4.9/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch new file mode 100644 index 00000000000..88ae86bf880 --- /dev/null +++ b/queue-4.9/powerpc-kdump-handle-crashkernel-memory-reservation-failure.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Hari Bathini +Date: Thu, 28 Jun 2018 10:49:56 +0530 +Subject: powerpc/kdump: Handle crashkernel memory reservation failure + +From: Hari Bathini + +[ Upstream commit 8950329c4a64c6d3ca0bc34711a1afbd9ce05657 ] + +Memory reservation for crashkernel could fail if there are holes around +kdump kernel offset (128M). Fail gracefully in such cases and print an +error message. + +Signed-off-by: Hari Bathini +Tested-by: David Gibson +Reviewed-by: Dave Young +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/machine_kexec.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/machine_kexec.c ++++ b/arch/powerpc/kernel/machine_kexec.c +@@ -186,7 +186,12 @@ void __init reserve_crashkernel(void) + (unsigned long)(crashk_res.start >> 20), + (unsigned long)(memblock_phys_mem_size() >> 20)); + +- memblock_reserve(crashk_res.start, crash_size); ++ if (!memblock_is_region_memory(crashk_res.start, crash_size) || ++ memblock_reserve(crashk_res.start, crash_size)) { ++ pr_err("Failed to reserve memory for crashkernel!\n"); ++ crashk_res.start = crashk_res.end = 0; ++ return; ++ } + } + + int overlaps_crashkernel(unsigned long start, unsigned long size) diff --git a/queue-4.9/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch b/queue-4.9/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch new file mode 100644 index 00000000000..e67cb30ab97 --- /dev/null +++ b/queue-4.9/powerpc-powernv-ioda2-reduce-upper-limit-for-dma-window-size.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Alexey Kardashevskiy +Date: Fri, 1 Jun 2018 18:06:16 +1000 +Subject: powerpc/powernv/ioda2: Reduce upper limit for DMA window size + +From: Alexey Kardashevskiy + +[ Upstream commit d3d4ffaae439981e1e441ebb125aa3588627c5d8 ] + +We use PHB in mode1 which uses bit 59 to select a correct DMA window. +However there is mode2 which uses bits 59:55 and allows up to 32 DMA +windows per a PE. + +Even though documentation does not clearly specify that, it seems that +the actual hardware does not support bits 59:55 even in mode1, in other +words we can create a window as big as 1<<58 but DMA simply won't work. + +This reduces the upper limit from 59 to 55 bits to let the userspace know +about the hardware limits. + +Fixes: 7aafac11e3 "powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested" +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -2623,7 +2623,7 @@ static long pnv_pci_ioda2_table_alloc_pa + level_shift = entries_shift + 3; + level_shift = max_t(unsigned, level_shift, PAGE_SHIFT); + +- if ((level_shift - 3) * levels + page_shift >= 60) ++ if ((level_shift - 3) * levels + page_shift >= 55) + return -EINVAL; + + /* Allocate TCE table */ diff --git a/queue-4.9/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch b/queue-4.9/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch new file mode 100644 index 00000000000..2b035fdcbbd --- /dev/null +++ b/queue-4.9/rndis_wlan-potential-buffer-overflow-in-rndis_wlan_auth_indication.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Dan Carpenter +Date: Tue, 5 Jun 2018 14:31:39 +0300 +Subject: rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication() + +From: Dan Carpenter + +[ Upstream commit ae636fb1554833ee5133ca47bf4b2791b6739c52 ] + +This is a static checker fix, not something I have tested. The issue +is that on the second iteration through the loop, we jump forward by +le32_to_cpu(auth_req->length) bytes. The problem is that if the length +is more than "buflen" then we end up with a negative "buflen". A +negative buflen is type promoted to a high positive value and the loop +continues but it's accessing beyond the end of the buffer. + +I believe the "auth_req->length" comes from the firmware and if the +firmware is malicious or buggy, you're already toasted so the impact of +this bug is probably not very severe. + +Fixes: 030645aceb3d ("rndis_wlan: handle 802.11 indications from device") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rndis_wlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -2921,6 +2921,8 @@ static void rndis_wlan_auth_indication(s + + while (buflen >= sizeof(*auth_req)) { + auth_req = (void *)buf; ++ if (buflen < le32_to_cpu(auth_req->length)) ++ return; + type = "unknown"; + flags = le32_to_cpu(auth_req->flags); + pairwise_error = false; diff --git a/queue-4.9/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch b/queue-4.9/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch new file mode 100644 index 00000000000..a51957369e8 --- /dev/null +++ b/queue-4.9/s390-extmem-fix-gcc-8-stringop-overflow-warning.patch 
@@ -0,0 +1,52 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Vasily Gorbik +Date: Sun, 17 Jun 2018 00:30:43 +0200 +Subject: s390/extmem: fix gcc 8 stringop-overflow warning + +From: Vasily Gorbik + +[ Upstream commit 6b2ddf33baec23dace85bd647e3fc4ac070963e8 ] + +arch/s390/mm/extmem.c: In function '__segment_load': +arch/s390/mm/extmem.c:436:2: warning: 'strncat' specified bound 7 equals +source length [-Wstringop-overflow=] + strncat(seg->res_name, " (DCSS)", 7); + +What gcc complains about here is the misuse of strncat function, which +in this case does not limit a number of bytes taken from "src", so it is +in the end the same as strcat(seg->res_name, " (DCSS)"); + +Keeping in mind that a res_name is 15 bytes, strncat in this case +would overflow the buffer and write 0 into alignment byte between the +fields in the struct. To avoid that increasing res_name size to 16, +and reusing strlcat. + +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/extmem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/mm/extmem.c ++++ b/arch/s390/mm/extmem.c +@@ -79,7 +79,7 @@ struct qin64 { + struct dcss_segment { + struct list_head list; + char dcss_name[8]; +- char res_name[15]; ++ char res_name[16]; + unsigned long start_addr; + unsigned long end; + atomic_t ref_count; +@@ -432,7 +432,7 @@ __segment_load (char *name, int do_nonsh + memcpy(&seg->res_name, seg->dcss_name, 8); + EBCASC(seg->res_name, 8); + seg->res_name[8] = '\0'; +- strncat(seg->res_name, " (DCSS)", 7); ++ strlcat(seg->res_name, " (DCSS)", sizeof(seg->res_name)); + seg->res->name = seg->res_name; + rc = seg->vm_segtype; + if (rc == SEG_TYPE_SC || diff --git a/queue-4.9/s390-mm-correct-allocate_pgste-proc_handler-callback.patch b/queue-4.9/s390-mm-correct-allocate_pgste-proc_handler-callback.patch new file mode 100644 index 00000000000..25569b3f56d 
--- /dev/null +++ b/queue-4.9/s390-mm-correct-allocate_pgste-proc_handler-callback.patch @@ -0,0 +1,50 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Vasily Gorbik +Date: Sun, 24 Jun 2018 12:17:43 +0200 +Subject: s390/mm: correct allocate_pgste proc_handler callback + +From: Vasily Gorbik + +[ Upstream commit 5bedf8aa03c28cb8dc98bdd32a41b66d8f7d3eaa ] + +Since proc_dointvec does not perform value range control, +proc_dointvec_minmax should be used to limit value range, which is +clearly intended here, as the internal representation of the value: + +unsigned int alloc_pgste:1; + +In fact it currently works, since we have + + mm->context.alloc_pgste = page_table_allocate_pgste || ... + +... since commit 23fefe119ceb5 ("s390/kvm: avoid global config of vm.alloc_pgste=1") + +Before that it was + + mm->context.alloc_pgste = page_table_allocate_pgste; + +which was broken. That was introduced with commit 0b46e0a3ec0d7 ("s390/kvm: +remove delayed reallocation of page tables for KVM"). + +Fixes: 0b46e0a3ec0d7 ("s390/kvm: remove delayed reallocation of page tables for KVM") +Acked-by: Christian Borntraeger +Reviewed-by: Heiko Carstens +Signed-off-by: Vasily Gorbik +Signed-off-by: Martin Schwidefsky +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/s390/mm/pgalloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/s390/mm/pgalloc.c ++++ b/arch/s390/mm/pgalloc.c +@@ -26,7 +26,7 @@ static struct ctl_table page_table_sysct + .data = &page_table_allocate_pgste, + .maxlen = sizeof(int), + .mode = S_IRUGO | S_IWUSR, +- .proc_handler = proc_dointvec, ++ .proc_handler = proc_dointvec_minmax, + .extra1 = &page_table_allocate_pgste_min, + .extra2 = &page_table_allocate_pgste_max, + }, diff --git a/queue-4.9/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch b/queue-4.9/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch new file mode 100644 index 00000000000..9bf2130b3b1 --- /dev/null 
+++ b/queue-4.9/scsi-bnx2i-add-error-handling-for-ioremap_nocache.patch @@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Zhouyang Jia +Date: Tue, 12 Jun 2018 11:13:00 +0800 +Subject: scsi: bnx2i: add error handling for ioremap_nocache + +From: Zhouyang Jia + +[ Upstream commit aa154ea885eb0c2407457ce9c1538d78c95456fa ] + +When ioremap_nocache fails, the lack of error-handling code may cause +unexpected results. + +This patch adds error-handling code after calling ioremap_nocache. + +Signed-off-by: Zhouyang Jia +Reviewed-by: Johannes Thumshirn +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/bnx2i/bnx2i_hwi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/bnx2i/bnx2i_hwi.c ++++ b/drivers/scsi/bnx2i/bnx2i_hwi.c +@@ -2742,6 +2742,8 @@ int bnx2i_map_ep_dbell_regs(struct bnx2i + BNX2X_DOORBELL_PCI_BAR); + reg_off = (1 << BNX2X_DB_SHIFT) * (cid_num & 0x1FFFF); + ep->qp.ctx_base = ioremap_nocache(reg_base + reg_off, 4); ++ if (!ep->qp.ctx_base) ++ return -ENOMEM; + goto arm_cq; + } + diff --git a/queue-4.9/scsi-ibmvscsi-improve-strings-handling.patch b/queue-4.9/scsi-ibmvscsi-improve-strings-handling.patch new file mode 100644 index 00000000000..e0f36b124e6 --- /dev/null +++ b/queue-4.9/scsi-ibmvscsi-improve-strings-handling.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Breno Leitao +Date: Tue, 26 Jun 2018 17:35:16 -0300 +Subject: scsi: ibmvscsi: Improve strings handling + +From: Breno Leitao + +[ Upstream commit 1262dc09dc9ae7bf4ad00b6a2c5ed6a6936bcd10 ] + +Currently an open firmware property is copied into partition_name variable +without keeping a room for \0. + +Later one, this variable (partition_name), which is 97 bytes long, is +strncpyed into ibmvcsci_host_data->madapter_info->partition_name, which is +96 bytes long, possibly truncating it 'again' and removing the \0. + +This patch simply decreases the partition name to 96 and just copy using +strlcpy() which guarantees that the string is \0 terminated. I think there +is no issue if this there is a truncation in this very first copy, i.e, +when the open firmware property is read and copied into the driver for the +very first time; + +This issue also causes the following warning on GCC 8: + + drivers/scsi/ibmvscsi/ibmvscsi.c:281:2: warning: strncpy output may be truncated copying 96 bytes from a string of length 96 [-Wstringop-truncation] + ... + inlined from ibmvscsi_probe at drivers/scsi/ibmvscsi/ibmvscsi.c:2221:7: + drivers/scsi/ibmvscsi/ibmvscsi.c:265:3: warning: strncpy specified bound 97 equals destination size [-Wstringop-truncation] + +CC: Bart Van Assche +CC: Tyrel Datwyler +Signed-off-by: Breno Leitao +Acked-by: Tyrel Datwyler +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -93,7 +93,7 @@ static int max_requests = IBMVSCSI_MAX_R + static int max_events = IBMVSCSI_MAX_REQUESTS_DEFAULT + 2; + static int fast_fail = 1; + static int client_reserve = 1; +-static char partition_name[97] = "UNKNOWN"; ++static char partition_name[96] = "UNKNOWN"; + static unsigned int partition_number = -1; + + static struct scsi_transport_template *ibmvscsi_transport_template; +@@ -259,7 +259,7 @@ static void gather_partition_info(void) + + ppartition_name = of_get_property(of_root, "ibm,partition-name", NULL); + if (ppartition_name) +- strncpy(partition_name, ppartition_name, ++ strlcpy(partition_name, ppartition_name, + sizeof(partition_name)); + p_number_ptr = of_get_property(of_root, "ibm,partition-no", NULL); + if (p_number_ptr) diff --git a/queue-4.9/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch b/queue-4.9/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch new file mode 100644 index 00000000000..188e91aaacc --- /dev/null +++ b/queue-4.9/scsi-klist-make-it-safe-to-use-klists-in-atomic-context.patch 
@@ -0,0 +1,102 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:54:49 -0700 +Subject: scsi: klist: Make it safe to use klists in atomic context + +From: Bart Van Assche + +[ Upstream commit 624fa7790f80575a4ec28fbdb2034097dc18d051 ] + +In the scsi_transport_srp implementation it cannot be avoided to +iterate over a klist from atomic context when using the legacy block +layer instead of blk-mq. Hence this patch that makes it safe to use +klists in atomic context. This patch avoids that lockdep reports the +following: + +WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected + Possible interrupt unsafe locking scenario: + + CPU0 CPU1 + ---- ---- + lock(&(&k->k_lock)->rlock); + local_irq_disable(); + lock(&(&q->__queue_lock)->rlock); + lock(&(&k->k_lock)->rlock); + + lock(&(&q->__queue_lock)->rlock); + +stack backtrace: +Workqueue: kblockd blk_timeout_work +Call Trace: + dump_stack+0xa4/0xf5 + check_usage+0x6e6/0x700 + __lock_acquire+0x185d/0x1b50 + lock_acquire+0xd2/0x260 + _raw_spin_lock+0x32/0x50 + klist_next+0x47/0x190 + device_for_each_child+0x8e/0x100 + srp_timed_out+0xaf/0x1d0 [scsi_transport_srp] + scsi_times_out+0xd4/0x410 [scsi_mod] + blk_rq_timed_out+0x36/0x70 + blk_timeout_work+0x1b5/0x220 + process_one_work+0x4fe/0xad0 + worker_thread+0x63/0x5a0 + kthread+0x1c1/0x1e0 + ret_from_fork+0x24/0x30 + +See also commit c9ddf73476ff ("scsi: scsi_transport_srp: Fix shost to +rport translation"). + +Signed-off-by: Bart Van Assche +Cc: Martin K. Petersen +Cc: James Bottomley +Acked-by: Greg Kroah-Hartman +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + lib/klist.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/lib/klist.c ++++ b/lib/klist.c +@@ -336,8 +336,9 @@ struct klist_node *klist_prev(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *prev; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + prev = to_klist_node(last->n_node.prev); +@@ -356,7 +357,7 @@ struct klist_node *klist_prev(struct kli + prev = to_klist_node(prev->n_node.prev); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); +@@ -377,8 +378,9 @@ struct klist_node *klist_next(struct kli + void (*put)(struct klist_node *) = i->i_klist->put; + struct klist_node *last = i->i_cur; + struct klist_node *next; ++ unsigned long flags; + +- spin_lock(&i->i_klist->k_lock); ++ spin_lock_irqsave(&i->i_klist->k_lock, flags); + + if (last) { + next = to_klist_node(last->n_node.next); +@@ -397,7 +399,7 @@ struct klist_node *klist_next(struct kli + next = to_klist_node(next->n_node.next); + } + +- spin_unlock(&i->i_klist->k_lock); ++ spin_unlock_irqrestore(&i->i_klist->k_lock, flags); + + if (put && last) + put(last); diff --git a/queue-4.9/scsi-megaraid_sas-update-controller-info-during-resume.patch b/queue-4.9/scsi-megaraid_sas-update-controller-info-during-resume.patch new file mode 100644 index 00000000000..7fa3e138951 --- /dev/null +++ b/queue-4.9/scsi-megaraid_sas-update-controller-info-during-resume.patch 
@@ -0,0 +1,33 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Shivasharan S +Date: Mon, 4 Jun 2018 03:45:10 -0700 +Subject: scsi: megaraid_sas: Update controller info during resume + +From: Shivasharan S + +[ Upstream commit c3b10a55abc943a526aaecd7e860b15671beb906 ] + +There is a possibility that firmware on the controller was upgraded before +system was suspended. During resume, driver needs to read updated +controller properties. + +Signed-off-by: Shivasharan S +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -6193,6 +6193,9 @@ megasas_resume(struct pci_dev *pdev) + goto fail_init_mfi; + } + ++ if (megasas_get_ctrl_info(instance) != DCMD_SUCCESS) ++ goto fail_init_mfi; ++ + tasklet_init(&instance->isr_tasklet, instance->instancet->tasklet, + (unsigned long)instance); + diff --git a/queue-4.9/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch b/queue-4.9/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch new file mode 100644 index 00000000000..c488dd19238 --- /dev/null +++ b/queue-4.9/scsi-target-iscsi-make-iscsit_ta_authentication-respect-the-output-buffer-size.patch 
@@ -0,0 +1,34 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Bart Van Assche +Date: Fri, 22 Jun 2018 14:53:01 -0700 +Subject: scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size + +From: Bart Van Assche + +[ Upstream commit 35bea5c84fd13c643cce63f0b5cd4b148f8c901d ] + +Fixes: e48354ce078c ("iscsi-target: Add iSCSI fabric support for target v4.1") +Signed-off-by: Bart Van Assche +Reviewed-by: Mike Christie +Cc: Mike Christie +Cc: Christoph Hellwig +Cc: Hannes Reinecke +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/target/iscsi/iscsi_target_tpg.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_tpg.c ++++ b/drivers/target/iscsi/iscsi_target_tpg.c +@@ -637,8 +637,7 @@ int iscsit_ta_authentication(struct iscs + none = strstr(buf1, NONE); + if (none) + goto out; +- strncat(buf1, ",", strlen(",")); +- strncat(buf1, NONE, strlen(NONE)); ++ strlcat(buf1, "," NONE, sizeof(buf1)); + if (iscsi_update_param_value(param, buf1) < 0) + return -EINVAL; + } diff --git a/queue-4.9/staging-android-ashmem-fix-mmap-size-validation.patch b/queue-4.9/staging-android-ashmem-fix-mmap-size-validation.patch new file mode 100644 index 00000000000..3cded4164ab --- /dev/null +++ b/queue-4.9/staging-android-ashmem-fix-mmap-size-validation.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Alistair Strachan +Date: Tue, 19 Jun 2018 17:57:35 -0700 +Subject: staging: android: ashmem: Fix mmap size validation + +From: Alistair Strachan + +[ Upstream commit 8632c614565d0c5fdde527889601c018e97b6384 ] + +The ashmem driver did not check that the size/offset of the vma passed +to its .mmap() function was not larger than the ashmem object being +mapped. This could cause mmap() to succeed, even though accessing parts +of the mapping would later fail with a segmentation fault. + +Ensure an error is returned by the ashmem_mmap() function if the vma +size is larger than the ashmem object size. This enables safer handling +of the problem in userspace. + +Cc: Todd Kjos +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Cc: kernel-team@android.com +Cc: Joel Fernandes +Signed-off-by: Alistair Strachan +Acked-by: Joel Fernandes (Google) +Reviewed-by: Martijn Coenen +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/android/ashmem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -383,6 +383,12 @@ static int ashmem_mmap(struct file *file + goto out; + } + ++ /* requested mapping size larger than object size */ ++ if (vma->vm_end - vma->vm_start > PAGE_ALIGN(asma->size)) { ++ ret = -EINVAL; ++ goto out; ++ } ++ + /* requested protection bits must match our allowed protection mask */ + if (unlikely((vma->vm_flags & ~calc_vm_prot_bits(asma->prot_mask, 0)) & + calc_vm_prot_bits(PROT_MASK, 0))) { diff --git a/queue-4.9/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch b/queue-4.9/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch new file mode 100644 index 00000000000..638f8f847ee --- /dev/null +++ b/queue-4.9/staging-rts5208-fix-missing-error-check-on-call-to-rtsx_write_register.patch 
@@ -0,0 +1,35 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Colin Ian King +Date: Mon, 2 Jul 2018 14:27:35 +0100 +Subject: staging: rts5208: fix missing error check on call to rtsx_write_register + +From: Colin Ian King + +[ Upstream commit c5fae4f4fd28189b1062fb8ef7b21fec37cb8b17 ] + +Currently the check on error return from the call to rtsx_write_register +is checking the error status from the previous call. Fix this by adding +in the missing assignment of retval. + +Detected by CoverityScan, CID#709877 + +Fixes: fa590c222fba ("staging: rts5208: add support for rts5208 and rts5288") +Signed-off-by: Colin Ian King +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rts5208/sd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/rts5208/sd.c ++++ b/drivers/staging/rts5208/sd.c +@@ -4976,7 +4976,7 @@ int sd_execute_write_data(struct scsi_cm + goto SD_Execute_Write_Cmd_Failed; + } + +- rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); ++ retval = rtsx_write_register(chip, SD_BYTE_CNT_L, 0xFF, 0x00); + if (retval != STATUS_SUCCESS) { + rtsx_trace(chip); + goto SD_Execute_Write_Cmd_Failed; diff --git a/queue-4.9/tsl2550-fix-lux1_input-error-in-low-light.patch b/queue-4.9/tsl2550-fix-lux1_input-error-in-low-light.patch new file mode 100644 index 00000000000..1ee8e69e147 --- /dev/null +++ b/queue-4.9/tsl2550-fix-lux1_input-error-in-low-light.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Matt Ranostay +Date: Fri, 8 Jun 2018 23:58:15 -0700 +Subject: tsl2550: fix lux1_input error in low light + +From: Matt Ranostay + +[ Upstream commit ce054546cc2c26891cefa2f284d90d93b52205de ] + +ADC channel 0 photodiode detects both infrared + visible light, +but ADC channel 1 just detects infrared. However, the latter is a bit +more sensitive in that range so complete darkness or low light causes +a error condition in which the chan0 - chan1 is negative that +results in a -EAGAIN. + +This patch changes the resulting lux1_input sysfs attribute message from +"Resource temporarily unavailable" to a user-grokable lux value of 0. + +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Signed-off-by: Matt Ranostay +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/tsl2550.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/tsl2550.c ++++ b/drivers/misc/tsl2550.c +@@ -177,7 +177,7 @@ static int tsl2550_calculate_lux(u8 ch0, + } else + lux = 0; + else +- return -EAGAIN; ++ return 0; + + /* LUX range check */ + return lux > TSL2550_MAX_LUX ? TSL2550_MAX_LUX : lux; diff --git a/queue-4.9/usb-serial-kobil_sct-fix-modem-status-error-handling.patch b/queue-4.9/usb-serial-kobil_sct-fix-modem-status-error-handling.patch new file mode 100644 index 00000000000..536fb5eef9e --- /dev/null +++ b/queue-4.9/usb-serial-kobil_sct-fix-modem-status-error-handling.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Johan Hovold +Date: Wed, 4 Jul 2018 17:02:18 +0200 +Subject: USB: serial: kobil_sct: fix modem-status error handling + +From: Johan Hovold + +[ Upstream commit a420b5d939ee58f1d950f0ea782834056520aeaa ] + +Make sure to return -EIO in case of a short modem-status read request. + +While at it, split the debug message to not include the (zeroed) +transfer-buffer content in case of errors. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/kobil_sct.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/kobil_sct.c ++++ b/drivers/usb/serial/kobil_sct.c +@@ -408,12 +408,20 @@ static int kobil_tiocmget(struct tty_str + transfer_buffer_length, + KOBIL_TIMEOUT); + +- dev_dbg(&port->dev, "%s - Send get_status_line_state URB returns: %i. Statusline: %02x\n", +- __func__, result, transfer_buffer[0]); ++ dev_dbg(&port->dev, "Send get_status_line_state URB returns: %i\n", ++ result); ++ if (result < 1) { ++ if (result >= 0) ++ result = -EIO; ++ goto out_free; ++ } ++ ++ dev_dbg(&port->dev, "Statusline: %02x\n", transfer_buffer[0]); + + result = 0; + if ((transfer_buffer[0] & SUSBCR_GSL_DSR) != 0) + result = TIOCM_DSR; ++out_free: + kfree(transfer_buffer); + return result; + } diff --git a/queue-4.9/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch b/queue-4.9/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch new file mode 100644 index 00000000000..af61c83fea7 --- /dev/null +++ b/queue-4.9/usb-wusbcore-security-cast-sizeof-to-int-for-comparison.patch 
@@ -0,0 +1,48 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Julia Lawall +Date: Sun, 1 Jul 2018 19:32:04 +0200 +Subject: usb: wusbcore: security: cast sizeof to int for comparison + +From: Julia Lawall + +[ Upstream commit d3ac5598c5010a8999978ebbcca3b1c6188ca36b ] + +Comparing an int to a size, which is unsigned, causes the int to become +unsigned, giving the wrong result. usb_get_descriptor can return a +negative error code. + +A simplified version of the semantic match that finds this problem is as +follows: (http://coccinelle.lip6.fr/) + +// +@@ +int x; +expression e,e1; +identifier f; +@@ + +*x = f(...); +... when != x = e1 + when != if (x < 0 || ...) { ... return ...; } +*x < sizeof(e) +// + +Signed-off-by: Julia Lawall +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/wusbcore/security.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/wusbcore/security.c ++++ b/drivers/usb/wusbcore/security.c +@@ -230,7 +230,7 @@ int wusb_dev_sec_add(struct wusbhc *wusb + + result = usb_get_descriptor(usb_dev, USB_DT_SECURITY, + 0, secd, sizeof(*secd)); +- if (result < sizeof(*secd)) { ++ if (result < (int)sizeof(*secd)) { + dev_err(dev, "Can't read security descriptor or " + "not enough data: %d\n", result); + goto out; diff --git a/queue-4.9/uwb-hwa-rc-fix-memory-leak-at-probe.patch b/queue-4.9/uwb-hwa-rc-fix-memory-leak-at-probe.patch new file mode 100644 index 00000000000..74f3e16b094 --- /dev/null +++ b/queue-4.9/uwb-hwa-rc-fix-memory-leak-at-probe.patch 
@@ -0,0 +1,32 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Anton Vasilyev +Date: Fri, 6 Jul 2018 15:32:53 +0300 +Subject: uwb: hwa-rc: fix memory leak at probe + +From: Anton Vasilyev + +[ Upstream commit 11b71782c1d10d9bccc31825cf84291cd7588a1e ] + +hwarc_probe() allocates memory for hwarc, but does not free it +if uwb_rc_add() or hwarc_get_version() fail. + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Anton Vasilyev +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/uwb/hwa-rc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -873,6 +873,7 @@ error_get_version: + error_rc_add: + usb_put_intf(iface); + usb_put_dev(hwarc->usb_dev); ++ kfree(hwarc); + error_alloc: + uwb_rc_put(uwb_rc); + error_rc_alloc: diff --git a/queue-4.9/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch b/queue-4.9/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch new file mode 100644 index 00000000000..54117e44c33 --- /dev/null +++ b/queue-4.9/vmci-type-promotion-bug-in-qp_host_get_user_memory.patch 
@@ -0,0 +1,42 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Dan Carpenter +Date: Wed, 4 Jul 2018 12:33:34 +0300 +Subject: vmci: type promotion bug in qp_host_get_user_memory() + +From: Dan Carpenter + +[ Upstream commit 7fb2fd4e25fc1fb10dcb30b5519de257cfeae84c ] + +The problem is that if get_user_pages_fast() fails and returns a +negative error code, it gets type promoted to a high positive value and +treated as a success. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -755,7 +755,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) produce_uva, + produce_q->kernel_if->num_pages, 1, + produce_q->kernel_if->u.h.header_page); +- if (retval < produce_q->kernel_if->num_pages) { ++ if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); + qp_release_pages(produce_q->kernel_if->u.h.header_page, +@@ -767,7 +767,7 @@ static int qp_host_get_user_memory(u64 p + retval = get_user_pages_fast((uintptr_t) consume_uva, + consume_q->kernel_if->num_pages, 1, + consume_q->kernel_if->u.h.header_page); +- if (retval < consume_q->kernel_if->num_pages) { ++ if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); + qp_release_pages(consume_q->kernel_if->u.h.header_page, diff --git a/queue-4.9/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch b/queue-4.9/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch new file mode 100644 index 00000000000..d9617a1e211 --- /dev/null 
+++ b/queue-4.9/wlcore-add-missing-pm-call-for-wlcore_cmd_wait_for_event_or_timeout.patch @@ -0,0 +1,55 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Tony Lindgren +Date: Tue, 19 Jun 2018 02:43:35 -0700 +Subject: wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout() + +From: Tony Lindgren + +[ Upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1 ] + +Otherwise we can get: + +WARNING: CPU: 0 PID: 55 at drivers/net/wireless/ti/wlcore/io.h:84 + +I've only seen this few times with the runtime PM patches enabled +so this one is probably not needed before that. This seems to +work currently based on the current PM implementation timer. Let's +apply this separately though in case others are hitting this issue. + +Signed-off-by: Tony Lindgren +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ti/wlcore/cmd.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/wireless/ti/wlcore/cmd.c ++++ b/drivers/net/wireless/ti/wlcore/cmd.c +@@ -35,6 +35,7 @@ + #include "wl12xx_80211.h" + #include "cmd.h" + #include "event.h" ++#include "ps.h" + #include "tx.h" + #include "hw_ops.h" + +@@ -191,6 +192,10 @@ int wlcore_cmd_wait_for_event_or_timeout + + timeout_time = jiffies + msecs_to_jiffies(WL1271_EVENT_TIMEOUT); + ++ ret = wl1271_ps_elp_wakeup(wl); ++ if (ret < 0) ++ return ret; ++ + do { + if (time_after(jiffies, timeout_time)) { + wl1271_debug(DEBUG_CMD, "timeout waiting for event %d", +@@ -222,6 +227,7 @@ int wlcore_cmd_wait_for_event_or_timeout + } while (!event); + + out: ++ wl1271_ps_elp_sleep(wl); + kfree(events_vector); + return ret; + } diff --git a/queue-4.9/x86-entry-64-add-two-more-instruction-suffixes.patch b/queue-4.9/x86-entry-64-add-two-more-instruction-suffixes.patch new file mode 100644 index 00000000000..3f694d8fb1c --- /dev/null +++ b/queue-4.9/x86-entry-64-add-two-more-instruction-suffixes.patch 
@@ -0,0 +1,60 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Jan Beulich +Date: Mon, 2 Jul 2018 04:47:57 -0600 +Subject: x86/entry/64: Add two more instruction suffixes + +From: Jan Beulich + +[ Upstream commit 6709812f094d96543b443645c68daaa32d3d3e77 ] + +Sadly, other than claimed in: + + a368d7fd2a ("x86/entry/64: Add instruction suffix") + +... there are two more instances which want to be adjusted. + +As said there, omitting suffixes from instructions in AT&T mode is bad +practice when operand size cannot be determined by the assembler from +register operands, and is likely going to be warned about by upstream +gas in the future (mine does already). + +Add the other missing suffixes here as well. + +Signed-off-by: Jan Beulich +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Brian Gerst +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Josh Poimboeuf +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/5B3A02DD02000078001CFB78@prv1-mh.provo.novell.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/entry/entry_64.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/entry/entry_64.S ++++ b/arch/x86/entry/entry_64.S +@@ -91,7 +91,7 @@ ENDPROC(native_usergs_sysret64) + .endm + + .macro TRACE_IRQS_IRETQ_DEBUG +- bt $9, EFLAGS(%rsp) /* interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* interrupts off? */ + jnc 1f + TRACE_IRQS_ON_DEBUG + 1: +@@ -485,7 +485,7 @@ retint_kernel: + #ifdef CONFIG_PREEMPT + /* Interrupts are off */ + /* Check if we need preemption */ +- bt $9, EFLAGS(%rsp) /* were interrupts off? */ ++ btl $9, EFLAGS(%rsp) /* were interrupts off? */ + jnc 1f + 0: cmpl $0, PER_CPU_VAR(__preempt_count) + jnz 1f diff --git a/queue-4.9/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch b/queue-4.9/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch new file mode 100644 index 00000000000..36ec5ad0c7c --- /dev/null 
+++ b/queue-4.9/x86-numa_emulation-fix-emulated-to-physical-node-mapping.patch @@ -0,0 +1,38 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Dan Williams +Date: Fri, 6 Jul 2018 09:08:01 -0700 +Subject: x86/numa_emulation: Fix emulated-to-physical node mapping + +From: Dan Williams + +[ Upstream commit 3b6c62f363a19ce82bf378187ab97c9dc01e3927 ] + +Without this change the distance table calculation for emulated nodes +may use the wrong numa node and report an incorrect distance. + +Signed-off-by: Dan Williams +Cc: David Rientjes +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Wei Yang +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/153089328103.27680.14778434392225818887.stgit@dwillia2-desk3.amr.corp.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/mm/numa_emulation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/mm/numa_emulation.c ++++ b/arch/x86/mm/numa_emulation.c +@@ -60,7 +60,7 @@ static int __init emu_setup_memblk(struc + eb->nid = nid; + + if (emu_nid_to_phys[nid] == NUMA_NO_NODE) +- emu_nid_to_phys[nid] = nid; ++ emu_nid_to_phys[nid] = pb->nid; + + pb->start += size; + if (pb->start >= pb->end) { diff --git a/queue-4.9/x86-tsc-add-missing-header-to-tsc_msr.c.patch b/queue-4.9/x86-tsc-add-missing-header-to-tsc_msr.c.patch new file mode 100644 index 00000000000..694ed647913 --- /dev/null +++ b/queue-4.9/x86-tsc-add-missing-header-to-tsc_msr.c.patch 
@@ -0,0 +1,37 @@ +From foo@baz Sat Sep 29 04:29:21 PDT 2018 +From: Andy Shevchenko +Date: Fri, 29 Jun 2018 22:31:10 +0300 +Subject: x86/tsc: Add missing header to tsc_msr.c + +From: Andy Shevchenko + +[ Upstream commit dbd0fbc76c77daac08ddd245afdcbade0d506e19 ] + +Add a missing header otherwise compiler warns about missed prototype: + +CC arch/x86/kernel/tsc_msr.o +arch/x86/kernel/tsc_msr.c:73:15: warning: no previous prototype for ‘cpu_khz_from_msr’ [-Wmissing-prototypes] + unsigned long cpu_khz_from_msr(void) + ^~~~~~~~~~~~~~~~ + +Signed-off-by: Andy Shevchenko +Signed-off-by: Thomas Gleixner +Cc: "H. Peter Anvin" +Cc: Pavel Tatashin +Link: https://lkml.kernel.org/r/20180629193113.84425-4-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/tsc_msr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/tsc_msr.c ++++ b/arch/x86/kernel/tsc_msr.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #define MAX_NUM_FREQS 9 +
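Review bot: in the gather_partition_info() hunk of drivers/scsi/ibmvscsi/ibmvscsi.c, strlcpy() guarantees a terminated destination but still runs strlen() over the entire source, and the property is fetched with of_get_property(of_root, "ibm,partition-name", NULL), so its length is never available to bound the read. Pass a length pointer to of_get_property() and limit the copy by it. If silent truncation of the partition name matters to consumers, compare the strlcpy() return value against sizeof(partition_name) as well.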
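Review bot: in the klist_prev() and klist_next() hunks of lib/klist.c, put(last) still runs after spin_unlock_irqrestore(), so when the iterator is driven from atomic context (the srp_timed_out path in the commit message) the put callback executes in that atomic context too. The kernel-doc for both functions should state that the put callback must not sleep when iteration can happen from atomic context. The diffstat also shows that only these two functions change; any k_lock acquisition elsewhere in the file that uses plain spin_lock() would leave the lock class IRQ-unsafe for lockdep, so please confirm the remaining lock sites were audited.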
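Review bot: in the iscsit_ta_authentication() hunk of drivers/target/iscsi/iscsi_target_tpg.c, the strlcat() return value is dropped, so a truncated append is passed to iscsi_update_param_value() as if it were a complete value, which could register a partial authentication method string. Check the return against sizeof(buf1) and return -EINVAL on truncation. The declaration of buf1 is outside the hunk, so also confirm it is an array in this scope; on a pointer, sizeof(buf1) would be the pointer size rather than the buffer size.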
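Review bot: in the ashmem_mmap() hunk of drivers/staging/android/ashmem.c, the new check compares only vma->vm_end - vma->vm_start with PAGE_ALIGN(asma->size), while the commit message describes the missing validation as covering the size/offset of the vma. A mapping with a nonzero vma->vm_pgoff and a length within the object size still passes this test yet can extend past the end of the object. Either include the offset in the comparison or state in the comment why the offset cannot matter here.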
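Review bot: in the tsl2550_calculate_lux() hunk of drivers/misc/tsl2550.c, the outer else now returns 0 where it returned -EAGAIN, which makes an invalid channel reading indistinguishable from a genuine zero-lux result and bypasses the common range-check return. A short comment at the new return 0 explaining that a negative chan0 - chan1 is treated as darkness would keep the next reader from restoring the error code. Setting lux = 0 and falling through to the shared return would also keep a single exit path.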
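Review bot: in the wusb_dev_sec_add() hunk of drivers/usb/wusbcore/security.c, the (int) cast on sizeof(*secd) fixes the comparison but keeps the error and short-read cases folded into one signed/unsigned-sensitive expression that the next edit can easily break again. An explicit result < 0 test, followed by a separate short-read test, is more robust and lets the dev_err() text distinguish "can't read" from "not enough data". If the combined form stays, a one-line comment on why the cast is needed would help.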
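Review bot: in both qp_host_get_user_memory() hunks of drivers/misc/vmw_vmci/vmci_queue_pair.c, casting num_pages to int makes the negative-return case compare correctly but narrows a page count whose declared type is not visible here; a value above INT_MAX would turn negative and the failure test would never fire. Prefer testing retval < 0 explicitly before the count comparison. The failure branch then calls qp_release_pages() with arguments that continue past the hunk, so please also verify that a negative retval is not passed on as the number of pages to release.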
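Review bot: in the second hunk of drivers/net/wireless/ti/wlcore/cmd.c, the early return ret after a failed wl1271_ps_elp_wakeup() bypasses the out: label, which is where kfree(events_vector) lives. If events_vector is allocated before timeout_time is set, this path leaks it on every wakeup failure. A plain goto out would free the buffer but would also call wl1271_ps_elp_sleep() without a matching successful wakeup, so a second label placed after the sleep call and before the kfree() is the cleaner fix.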