From: Sasha Levin Date: Wed, 14 Aug 2019 02:33:32 +0000 (-0400) Subject: fixes for 4.4 X-Git-Tag: v5.2.9~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e939b44eeef5ad5a78fac2b3541f51f957c48936;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-compress-be-more-restrictive-about-when-a-drain.patch b/queue-4.4/alsa-compress-be-more-restrictive-about-when-a-drain.patch new file mode 100644 index 00000000000..704515eca70 --- /dev/null +++ b/queue-4.4/alsa-compress-be-more-restrictive-about-when-a-drain.patch @@ -0,0 +1,49 @@ +From 09f6e499df216526b3c7263e12dfdcaca6b0081f Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:36 +0100 +Subject: ALSA: compress: Be more restrictive about when a drain is allowed + +[ Upstream commit 3b8179944cb0dd53e5223996966746cdc8a60657 ] + +Draining makes little sense in the situation of hardware overrun, as the +hardware will have consumed all its available samples. Additionally, +draining whilst the stream is paused would presumably get stuck as no +data is being consumed on the DSP side. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index d0a21a5867673..771d7b334ad87 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -749,7 +749,10 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +@@ -794,7 +797,10 @@ static int snd_compr_partial_drain(struct snd_compr_stream *stream) + case SNDRV_PCM_STATE_OPEN: + case SNDRV_PCM_STATE_SETUP: + case SNDRV_PCM_STATE_PREPARED: ++ case SNDRV_PCM_STATE_PAUSED: + return -EPERM; ++ case SNDRV_PCM_STATE_XRUN: ++ return -EPIPE; + default: + break; + } +-- +2.20.1 + diff --git a/queue-4.4/alsa-compress-fix-regression-on-compressed-capture-s.patch b/queue-4.4/alsa-compress-fix-regression-on-compressed-capture-s.patch new file mode 100644 index 00000000000..5ddfdb67661 --- /dev/null +++ b/queue-4.4/alsa-compress-fix-regression-on-compressed-capture-s.patch @@ -0,0 +1,82 @@ +From c8d977eebc4da360790c6646adc9ad43f1fa9b11 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:33 +0100 +Subject: ALSA: compress: Fix regression on compressed capture streams + +[ Upstream commit 4475f8c4ab7b248991a60d9c02808dbb813d6be8 ] + +A previous fix to the stop handling on compressed capture streams causes +some knock on issues. The previous fix updated snd_compr_drain_notify to +set the state back to PREPARED for capture streams. This causes some +issues however as the handling for snd_compr_poll differs between the +two states and some user-space applications were relying on the poll +failing after the stream had been stopped. + +To correct this regression whilst still fixing the original problem the +patch was addressing, update the capture handling to skip the PREPARED +state rather than skipping the SETUP state as it has done until now. + +Fixes: 4f2ab5e1d13d ("ALSA: compress: Fix stop handling on compressed capture streams") +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/sound/compress_driver.h | 5 +---- + sound/core/compress_offload.c | 16 +++++++++++----- + 2 files changed, 12 insertions(+), 9 deletions(-) + +diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h +index 85ff3181e6f11..a5c6e6da3d3d4 100644 +--- a/include/sound/compress_driver.h ++++ b/include/sound/compress_driver.h +@@ -178,10 +178,7 @@ static inline void snd_compr_drain_notify(struct snd_compr_stream *stream) + if (snd_BUG_ON(!stream)) + return; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + + wake_up(&stream->runtime->sleep); + } +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 3c88a33840645..16269e7ff3904 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -551,10 +551,7 @@ snd_compr_set_params(struct snd_compr_stream *stream, unsigned long arg) + stream->metadata_set = false; + stream->next_track = false; + +- if (stream->direction == SND_COMPRESS_PLAYBACK) +- stream->runtime->state = SNDRV_PCM_STATE_SETUP; +- else +- stream->runtime->state = SNDRV_PCM_STATE_PREPARED; ++ stream->runtime->state = SNDRV_PCM_STATE_SETUP; + } else { + return -EPERM; + } +@@ -670,8 +667,17 @@ static int snd_compr_start(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state != SNDRV_PCM_STATE_PREPARED) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_SETUP: ++ if (stream->direction != SND_COMPRESS_CAPTURE) ++ return -EPERM; ++ break; ++ case SNDRV_PCM_STATE_PREPARED: ++ break; ++ default: + return -EPERM; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_START); + if (!retval) + stream->runtime->state = SNDRV_PCM_STATE_RUNNING; +-- +2.20.1 + diff --git a/queue-4.4/alsa-compress-prevent-bypasses-of-set_params.patch b/queue-4.4/alsa-compress-prevent-bypasses-of-set_params.patch new file mode 100644 index 00000000000..82467f6510b --- /dev/null +++ b/queue-4.4/alsa-compress-prevent-bypasses-of-set_params.patch @@ -0,0 +1,83 @@ +From 70f498639f59b617f8a8a4975717652f2daca621 Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Mon, 22 Jul 2019 10:24:34 +0100 +Subject: ALSA: compress: Prevent bypasses of set_params + +[ Upstream commit 26c3f1542f5064310ad26794c09321780d00c57d ] + +Currently, whilst in SNDRV_PCM_STATE_OPEN it is possible to call +snd_compr_stop, snd_compr_drain and snd_compr_partial_drain, which +allow a transition to SNDRV_PCM_STATE_SETUP. The stream should +only be able to move to the setup state once it has received a +SNDRV_COMPRESS_SET_PARAMS ioctl. Fix this issue by not allowing +those ioctls whilst in the open state. + +Signed-off-by: Charles Keepax +Acked-by: Vinod Koul +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/compress_offload.c | 30 ++++++++++++++++++++++++------ + 1 file changed, 24 insertions(+), 6 deletions(-) + +diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c +index 16269e7ff3904..d0a21a5867673 100644 +--- a/sound/core/compress_offload.c ++++ b/sound/core/compress_offload.c +@@ -688,9 +688,15 @@ static int snd_compr_stop(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + retval = stream->ops->trigger(stream, SNDRV_PCM_TRIGGER_STOP); + if (!retval) { + snd_compr_drain_notify(stream); +@@ -739,9 +745,14 @@ static int snd_compr_drain(struct snd_compr_stream *stream) + { + int retval; + +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } + + retval = stream->ops->trigger(stream, SND_COMPR_TRIGGER_DRAIN); + if (retval) { +@@ -778,9 +789,16 @@ static int snd_compr_next_track(struct snd_compr_stream *stream) + static int snd_compr_partial_drain(struct snd_compr_stream *stream) + { + int retval; +- if (stream->runtime->state == SNDRV_PCM_STATE_PREPARED || +- stream->runtime->state == SNDRV_PCM_STATE_SETUP) ++ ++ switch (stream->runtime->state) { ++ case SNDRV_PCM_STATE_OPEN: ++ case SNDRV_PCM_STATE_SETUP: ++ case SNDRV_PCM_STATE_PREPARED: + return -EPERM; ++ default: ++ break; ++ } ++ + /* stream can be drained only when next track has been signalled */ + if (stream->next_track == false) + return -EPERM; +-- +2.20.1 + diff --git a/queue-4.4/arm-davinci-fix-sleep.s-build-error-on-armv4.patch b/queue-4.4/arm-davinci-fix-sleep.s-build-error-on-armv4.patch new file mode 100644 index 00000000000..8ef08daa2f1 --- /dev/null +++ b/queue-4.4/arm-davinci-fix-sleep.s-build-error-on-armv4.patch @@ -0,0 +1,40 @@ +From 24c9edd7ccd22756afaf435397cbf1acc8c9a3c9 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 22 Jul 2019 16:51:50 +0200 +Subject: ARM: davinci: fix sleep.S build error on ARMv4 + +[ Upstream commit d64b212ea960db4276a1d8372bd98cb861dfcbb0 ] + +When building a multiplatform kernel that includes armv4 support, +the default target CPU does not support the blx instruction, +which leads to a build failure: + +arch/arm/mach-davinci/sleep.S: Assembler messages: +arch/arm/mach-davinci/sleep.S:56: Error: selected processor does not support `blx ip' in ARM mode + +Add a .arch statement in the sources to make this file build. + +Link: https://lore.kernel.org/r/20190722145211.1154785-1-arnd@arndb.de +Acked-by: Sekhar Nori +Signed-off-by: Arnd Bergmann +Signed-off-by: Olof Johansson +Signed-off-by: Sasha Levin +--- + arch/arm/mach-davinci/sleep.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-davinci/sleep.S b/arch/arm/mach-davinci/sleep.S +index a5336a5e27395..459d081caf79b 100644 +--- a/arch/arm/mach-davinci/sleep.S ++++ b/arch/arm/mach-davinci/sleep.S +@@ -37,6 +37,7 @@ + #define DEEPSLEEP_SLEEPENABLE_BIT BIT(31) + + .text ++ .arch armv5te + /* + * Move DaVinci into deep sleep state + * +-- +2.20.1 + diff --git a/queue-4.4/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch b/queue-4.4/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch new file mode 100644 index 00000000000..eb1344685c8 --- /dev/null +++ b/queue-4.4/cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch @@ -0,0 +1,73 @@ +From 5594c01f1c37f4ad9629101908f331e123f97e91 Mon Sep 17 00:00:00 2001 +From: Wen Yang +Date: Wed, 17 Jul 2019 11:55:04 +0800 +Subject: cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() + +[ Upstream commit e0a12445d1cb186d875410d093a00d215bec6a89 ] + +The cpu variable is still being used in the of_get_property() call +after the of_node_put() call, which may result in use-after-free. + +Fixes: a9acc26b75f6 ("cpufreq/pasemi: fix possible object reference leak") +Signed-off-by: Wen Yang +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/pasemi-cpufreq.c | 23 +++++++++-------------- + 1 file changed, 9 insertions(+), 14 deletions(-) + +diff --git a/drivers/cpufreq/pasemi-cpufreq.c b/drivers/cpufreq/pasemi-cpufreq.c +index 58c933f483004..991b6a3062c4f 100644 +--- a/drivers/cpufreq/pasemi-cpufreq.c ++++ b/drivers/cpufreq/pasemi-cpufreq.c +@@ -145,10 +145,18 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + int err = -ENODEV; + + cpu = of_get_cpu_node(policy->cpu, NULL); ++ if (!cpu) ++ goto out; + ++ max_freqp = of_get_property(cpu, "clock-frequency", NULL); + of_node_put(cpu); +- if (!cpu) ++ if (!max_freqp) { ++ err = -EINVAL; + goto out; ++ } ++ ++ /* we need the freq in kHz */ ++ max_freq = *max_freqp / 1000; + + dn = of_find_compatible_node(NULL, NULL, "1682m-sdc"); + if (!dn) +@@ -185,16 +193,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + } + + pr_debug("init cpufreq on CPU %d\n", policy->cpu); +- +- max_freqp = of_get_property(cpu, "clock-frequency", NULL); +- if (!max_freqp) { +- err = -EINVAL; +- goto out_unmap_sdcpwr; +- } +- +- /* we need the freq in kHz */ +- max_freq = *max_freqp / 1000; +- + pr_debug("max clock-frequency is at %u kHz\n", max_freq); + pr_debug("initializing frequency table\n"); + +@@ -212,9 +210,6 @@ static int pas_cpufreq_cpu_init(struct cpufreq_policy *policy) + + return cpufreq_generic_init(policy, pas_freqs, get_gizmo_latency()); + +-out_unmap_sdcpwr: +- iounmap(sdcpwr_mapbase); +- + out_unmap_sdcasr: + iounmap(sdcasr_mapbase); + out: +-- +2.20.1 + diff --git a/queue-4.4/hwmon-nct6775-fix-register-address-and-added-missed-.patch b/queue-4.4/hwmon-nct6775-fix-register-address-and-added-missed-.patch new file mode 100644 index 00000000000..710076ca93c --- /dev/null +++ b/queue-4.4/hwmon-nct6775-fix-register-address-and-added-missed-.patch @@ -0,0 +1,43 @@ +From 8d5da466f3cff4a6df0242b696d8cb885281035f Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Gerhart?= +Date: Mon, 15 Jul 2019 18:33:55 +0200 +Subject: hwmon: (nct6775) Fix register address and added missed tolerance for + nct6106 + +[ Upstream commit f3d43e2e45fd9d44ba52d20debd12cd4ee9c89bf ] + +Fixed address of third NCT6106_REG_WEIGHT_DUTY_STEP, and +added missed NCT6106_REG_TOLERANCE_H. + +Fixes: 6c009501ff200 ("hwmon: (nct6775) Add support for NCT6102D/6106D") +Signed-off-by: Bjoern Gerhart +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/nct6775.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c +index d3c6115f16b90..db38dff3f9867 100644 +--- a/drivers/hwmon/nct6775.c ++++ b/drivers/hwmon/nct6775.c +@@ -696,7 +696,7 @@ static const u16 NCT6106_REG_TARGET[] = { 0x111, 0x121, 0x131 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_SEL[] = { 0x168, 0x178, 0x188 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP[] = { 0x169, 0x179, 0x189 }; + static const u16 NCT6106_REG_WEIGHT_TEMP_STEP_TOL[] = { 0x16a, 0x17a, 0x18a }; +-static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x17c }; ++static const u16 NCT6106_REG_WEIGHT_DUTY_STEP[] = { 0x16b, 0x17b, 0x18b }; + static const u16 NCT6106_REG_WEIGHT_TEMP_BASE[] = { 0x16c, 0x17c, 0x18c }; + static const u16 NCT6106_REG_WEIGHT_DUTY_BASE[] = { 0x16d, 0x17d, 0x18d }; + +@@ -3478,6 +3478,7 @@ static int nct6775_probe(struct platform_device *pdev) + data->REG_FAN_TIME[0] = NCT6106_REG_FAN_STOP_TIME; + data->REG_FAN_TIME[1] = NCT6106_REG_FAN_STEP_UP_TIME; + data->REG_FAN_TIME[2] = NCT6106_REG_FAN_STEP_DOWN_TIME; ++ data->REG_TOLERANCE_H = NCT6106_REG_TOLERANCE_H; + data->REG_PWM[0] = NCT6106_REG_PWM; + data->REG_PWM[1] = NCT6106_REG_FAN_START_OUTPUT; + data->REG_PWM[2] = NCT6106_REG_FAN_STOP_OUTPUT; +-- +2.20.1 + diff --git a/queue-4.4/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch b/queue-4.4/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch new file mode 100644 index 00000000000..5ed01b7fbaf --- /dev/null +++ b/queue-4.4/iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch @@ -0,0 +1,70 @@ +From 2b31d185c69d1bfbcef5074f42a7a1862eb4d909 Mon Sep 17 00:00:00 2001 +From: Thomas Tai +Date: Thu, 18 Jul 2019 18:37:34 +0000 +Subject: iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND + +[ Upstream commit 94bccc34071094c165c79b515d21b63c78f7e968 ] + +iscsi_ibft can use ACPI to find the iBFT entry during bootup, +currently, ISCSI_IBFT depends on ISCSI_IBFT_FIND which is +a X86 legacy way to find the iBFT by searching through the +low memory. This patch changes the dependency so that other +arch like ARM64 can use ISCSI_IBFT as long as the arch supports +ACPI. + +ibft_init() needs to use the global variable ibft_addr declared +in iscsi_ibft_find.c. A #ifndef CONFIG_ISCSI_IBFT_FIND is needed +to declare the variable if CONFIG_ISCSI_IBFT_FIND is not selected. +Moving ibft_addr into the iscsi_ibft.c does not work because if +ISCSI_IBFT is selected as a module, the arch/x86/kernel/setup.c won't +be able to find the variable at compile time. + +Signed-off-by: Thomas Tai +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Sasha Levin +--- + drivers/firmware/Kconfig | 5 +++-- + drivers/firmware/iscsi_ibft.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index cf478fe6b335b..b0d42234fba0e 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -135,7 +135,7 @@ config DMI_SCAN_MACHINE_NON_EFI_FALLBACK + + config ISCSI_IBFT_FIND + bool "iSCSI Boot Firmware Table Attributes" +- depends on X86 && ACPI ++ depends on X86 && ISCSI_IBFT + default n + help + This option enables the kernel to find the region of memory +@@ -146,7 +146,8 @@ config ISCSI_IBFT_FIND + config ISCSI_IBFT + tristate "iSCSI Boot Firmware Table Attributes module" + select ISCSI_BOOT_SYSFS +- depends on ISCSI_IBFT_FIND && SCSI && SCSI_LOWLEVEL ++ select ISCSI_IBFT_FIND if X86 ++ depends on ACPI && SCSI && SCSI_LOWLEVEL + default n + help + This option enables support for detection and exposing of iSCSI +diff --git a/drivers/firmware/iscsi_ibft.c b/drivers/firmware/iscsi_ibft.c +index 437c8ef90643b..30d67fbe00c73 100644 +--- a/drivers/firmware/iscsi_ibft.c ++++ b/drivers/firmware/iscsi_ibft.c +@@ -93,6 +93,10 @@ MODULE_DESCRIPTION("sysfs interface to BIOS iBFT information"); + MODULE_LICENSE("GPL"); + MODULE_VERSION(IBFT_ISCSI_VERSION); + ++#ifndef CONFIG_ISCSI_IBFT_FIND ++struct acpi_table_ibft *ibft_addr; ++#endif ++ + struct ibft_hdr { + u8 id; + u8 version; +-- +2.20.1 + diff --git a/queue-4.4/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch b/queue-4.4/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch new file mode 100644 index 00000000000..95edc411a6c --- /dev/null +++ b/queue-4.4/mac80211-don-t-warn-about-cw-params-when-not-using-t.patch @@ -0,0 +1,52 @@ +From 340e2822d1f8097adce1d14e31ab704296966e21 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Wed, 17 Jul 2019 18:57:12 -0700 +Subject: mac80211: don't warn about CW params when not using them + +[ Upstream commit d2b3fe42bc629c2d4002f652b3abdfb2e72991c7 ] + +ieee80211_set_wmm_default() normally sets up the initial CW min/max for +each queue, except that it skips doing this if the driver doesn't +support ->conf_tx. We still end up calling drv_conf_tx() in some cases +(e.g., ieee80211_reconfig()), which also still won't do anything +useful...except it complains here about the invalid CW parameters. + +Let's just skip the WARN if we weren't going to do anything useful with +the parameters. + +Signed-off-by: Brian Norris +Link: https://lore.kernel.org/r/20190718015712.197499-1-briannorris@chromium.org +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/mac80211/driver-ops.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c +index c258f1041d330..df2e4e3112177 100644 +--- a/net/mac80211/driver-ops.c ++++ b/net/mac80211/driver-ops.c +@@ -169,11 +169,16 @@ int drv_conf_tx(struct ieee80211_local *local, + if (!check_sdata_in_driver(sdata)) + return -EIO; + +- if (WARN_ONCE(params->cw_min == 0 || +- params->cw_min > params->cw_max, +- "%s: invalid CW_min/CW_max: %d/%d\n", +- sdata->name, params->cw_min, params->cw_max)) ++ if (params->cw_min == 0 || params->cw_min > params->cw_max) { ++ /* ++ * If we can't configure hardware anyway, don't warn. We may ++ * never have initialized the CW parameters. ++ */ ++ WARN_ONCE(local->ops->conf_tx, ++ "%s: invalid CW_min/CW_max: %d/%d\n", ++ sdata->name, params->cw_min, params->cw_max); + return -EINVAL; ++ } + + trace_drv_conf_tx(local, sdata, ac, params); + if (local->ops->conf_tx) +-- +2.20.1 + diff --git a/queue-4.4/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch b/queue-4.4/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch new file mode 100644 index 00000000000..900c6a8b92e --- /dev/null +++ b/queue-4.4/netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch @@ -0,0 +1,75 @@ +From b5a487d360b0437d7f8ee7a67cb9a5260ac70e83 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 2 Jul 2019 21:41:40 +0200 +Subject: netfilter: nfnetlink: avoid deadlock due to synchronous + request_module + +[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ] + +Thomas and Juliana report a deadlock when running: + +(rmmod nf_conntrack_netlink/xfrm_user) + + conntrack -e NEW -E & + modprobe -v xfrm_user + +They provided following analysis: + +conntrack -e NEW -E + netlink_bind() + netlink_lock_table() -> increases "nl_table_users" + nfnetlink_bind() + # does not unlock the table as it's locked by netlink_bind() + __request_module() + call_usermodehelper_exec() + +This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind() +won't return until modprobe process is done. + +"modprobe xfrm_user": + xfrm_user_init() + register_pernet_subsys() + -> grab pernet_ops_rwsem + .. + netlink_table_grab() + calls schedule() as "nl_table_users" is non-zero + +so modprobe is blocked because netlink_bind() increased +nl_table_users while also holding pernet_ops_rwsem. + +"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink: + ctnetlink_init() + register_pernet_subsys() + -> blocks on "pernet_ops_rwsem" thanks to xfrm_user module + +both modprobe processes wait on one another -- neither can make +progress. + +Switch netlink_bind() to "nowait" modprobe -- this releases the netlink +table lock, which then allows both modprobe instances to complete. + +Reported-by: Thomas Jarosch +Reported-by: Juliana Rodrigueiro +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c +index 9adedba78eeac..044559c10e98e 100644 +--- a/net/netfilter/nfnetlink.c ++++ b/net/netfilter/nfnetlink.c +@@ -495,7 +495,7 @@ static int nfnetlink_bind(struct net *net, int group) + ss = nfnetlink_get_subsys(type << 8); + rcu_read_unlock(); + if (!ss) +- request_module("nfnetlink-subsys-%d", type); ++ request_module_nowait("nfnetlink-subsys-%d", type); + return 0; + } + #endif +-- +2.20.1 + diff --git a/queue-4.4/perf-core-fix-creating-kernel-counters-for-pmus-that.patch b/queue-4.4/perf-core-fix-creating-kernel-counters-for-pmus-that.patch new file mode 100644 index 00000000000..4c0d340ffc5 --- /dev/null +++ b/queue-4.4/perf-core-fix-creating-kernel-counters-for-pmus-that.patch @@ -0,0 +1,61 @@ +From 6da3630d2ae7948ae36b06586e6ae3b9875b8f1b Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Wed, 24 Jul 2019 15:53:24 +0300 +Subject: perf/core: Fix creating kernel counters for PMUs that override + event->cpu + +[ Upstream commit 4ce54af8b33d3e21ca935fc1b89b58cbba956051 ] + +Some hardware PMU drivers will override perf_event.cpu inside their +event_init callback. This causes a lockdep splat when initialized through +the kernel API: + + WARNING: CPU: 0 PID: 250 at kernel/events/core.c:2917 ctx_sched_out+0x78/0x208 + pc : ctx_sched_out+0x78/0x208 + Call trace: + ctx_sched_out+0x78/0x208 + __perf_install_in_context+0x160/0x248 + remote_function+0x58/0x68 + generic_exec_single+0x100/0x180 + smp_call_function_single+0x174/0x1b8 + perf_install_in_context+0x178/0x188 + perf_event_create_kernel_counter+0x118/0x160 + +Fix this by calling perf_install_in_context with event->cpu, just like +perf_event_open + +Signed-off-by: Leonard Crestez +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Mark Rutland +Cc: Alexander Shishkin +Cc: Arnaldo Carvalho de Melo +Cc: Frank Li +Cc: Jiri Olsa +Cc: Linus Torvalds +Cc: Namhyung Kim +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: Will Deacon +Link: https://lkml.kernel.org/r/c4ebe0503623066896d7046def4d6b1e06e0eb2e.1563972056.git.leonard.crestez@nxp.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 41fe80e3380f5..a7014f854e67b 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8757,7 +8757,7 @@ perf_event_create_kernel_counter(struct perf_event_attr *attr, int cpu, + goto err_free; + } + +- perf_install_in_context(ctx, event, cpu); ++ perf_install_in_context(ctx, event, event->cpu); + perf_unpin_context(ctx); + mutex_unlock(&ctx->mutex); + +-- +2.20.1 + diff --git a/queue-4.4/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch b/queue-4.4/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch new file mode 100644 index 00000000000..bb435ec0b16 --- /dev/null +++ b/queue-4.4/perf-probe-avoid-calling-freeing-routine-multiple-ti.patch @@ -0,0 +1,50 @@ +From 865d4e402c2c803473797d34f89a3932690a4d77 Mon Sep 17 00:00:00 2001 +From: Arnaldo Carvalho de Melo +Date: Thu, 18 Jul 2019 11:28:37 -0300 +Subject: perf probe: Avoid calling freeing routine multiple times for same + pointer + +[ Upstream commit d95daf5accf4a72005daa13fbb1d1bd8709f2861 ] + +When perf_add_probe_events() we call cleanup_perf_probe_events() for the +pev pointer it receives, then, as part of handling this failure the main +'perf probe' goes on and calls cleanup_params() and that will again call +cleanup_perf_probe_events()for the same pointer, so just set nevents to +zero when handling the failure of perf_add_probe_events() to avoid the +double free. + +Cc: Adrian Hunter +Cc: Jiri Olsa +Cc: Masami Hiramatsu +Cc: Namhyung Kim +Link: https://lkml.kernel.org/n/tip-x8qgma4g813z96dvtw9w219q@git.kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/builtin-probe.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tools/perf/builtin-probe.c b/tools/perf/builtin-probe.c +index 9d4ac90ca87e4..66fb1d53d0f08 100644 +--- a/tools/perf/builtin-probe.c ++++ b/tools/perf/builtin-probe.c +@@ -613,6 +613,16 @@ __cmd_probe(int argc, const char **argv, const char *prefix __maybe_unused) + + ret = perf_add_probe_events(params.events, params.nevents); + if (ret < 0) { ++ ++ /* ++ * When perf_add_probe_events() fails it calls ++ * cleanup_perf_probe_events(pevs, npevs), i.e. ++ * cleanup_perf_probe_events(params.events, params.nevents), which ++ * will call clear_perf_probe_event(), so set nevents to zero ++ * to avoid cleanup_params() to call clear_perf_probe_event() again ++ * on the same pevs. ++ */ ++ params.nevents = 0; + pr_err_with_code(" Error: Failed to add events.", ret); + return ret; + } +-- +2.20.1 + diff --git a/queue-4.4/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch b/queue-4.4/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch new file mode 100644 index 00000000000..a23eb96317e --- /dev/null +++ b/queue-4.4/s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch @@ -0,0 +1,50 @@ +From b9b8a716ce48cb590cac4fed0ea5d21405617a7d Mon Sep 17 00:00:00 2001 +From: Julian Wiedmann +Date: Thu, 11 Jul 2019 18:17:36 +0200 +Subject: s390/qdio: add sanity checks to the fast-requeue path + +[ Upstream commit a6ec414a4dd529eeac5c3ea51c661daba3397108 ] + +If the device driver were to send out a full queue's worth of SBALs, +current code would end up discovering the last of those SBALs as PRIMED +and erroneously skip the SIGA-w. This immediately stalls the queue. + +Add a check to not attempt fast-requeue in this case. While at it also +make sure that the state of the previous SBAL was successfully extracted +before inspecting it. + +Signed-off-by: Julian Wiedmann +Reviewed-by: Jens Remus +Signed-off-by: Heiko Carstens +Signed-off-by: Sasha Levin +--- + drivers/s390/cio/qdio_main.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c +index 8d7fc3b6ca63f..adf322a86a01b 100644 +--- a/drivers/s390/cio/qdio_main.c ++++ b/drivers/s390/cio/qdio_main.c +@@ -1576,13 +1576,13 @@ static int handle_outbound(struct qdio_q *q, unsigned int callflags, + rc = qdio_kick_outbound_q(q, phys_aob); + } else if (need_siga_sync(q)) { + rc = qdio_siga_sync_q(q); ++ } else if (count < QDIO_MAX_BUFFERS_PER_Q && ++ get_buf_state(q, prev_buf(bufnr), &state, 0) > 0 && ++ state == SLSB_CU_OUTPUT_PRIMED) { ++ /* The previous buffer is not processed yet, tack on. */ ++ qperf_inc(q, fast_requeue); + } else { +- /* try to fast requeue buffers */ +- get_buf_state(q, prev_buf(bufnr), &state, 0); +- if (state != SLSB_CU_OUTPUT_PRIMED) +- rc = qdio_kick_outbound_q(q, 0); +- else +- qperf_inc(q, fast_requeue); ++ rc = qdio_kick_outbound_q(q, 0); + } + + /* in case of SIGA errors we must process the error immediately */ +-- +2.20.1 + diff --git a/queue-4.4/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch b/queue-4.4/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch new file mode 100644 index 00000000000..276bf1f6af9 --- /dev/null +++ b/queue-4.4/scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch @@ -0,0 +1,73 @@ +From 5461aca2657587f64707c8e3cf061cfb1bfc6733 Mon Sep 17 00:00:00 2001 +From: Tyrel Datwyler +Date: Wed, 17 Jul 2019 14:48:27 -0500 +Subject: scsi: ibmvfc: fix WARN_ON during event pool release + +[ Upstream commit 5578257ca0e21056821e6481bd534ba267b84e58 ] + +While removing an ibmvfc client adapter a WARN_ON like the following +WARN_ON is seen in the kernel log: + +WARNING: CPU: 6 PID: 5421 at ./include/linux/dma-mapping.h:541 +ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +CPU: 6 PID: 5421 Comm: rmmod Tainted: G E 4.17.0-rc1-next-20180419-autotest #1 +NIP: d00000000290328c LR: d00000000290325c CTR: c00000000036ee20 +REGS: c000000288d1b7e0 TRAP: 0700 Tainted: G E (4.17.0-rc1-next-20180419-autotest) +MSR: 800000010282b033 CR: 44008828 XER: 20000000 +CFAR: c00000000036e408 SOFTE: 1 +GPR00: d00000000290325c c000000288d1ba60 d000000002917900 c000000289d75448 +GPR04: 0000000000000071 c0000000ff870000 0000000018040000 0000000000000001 +GPR08: 0000000000000000 c00000000156e838 0000000000000001 d00000000290c640 +GPR12: c00000000036ee20 c00000001ec4dc00 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 00000100276901e0 0000000010020598 +GPR20: 0000000010020550 0000000010020538 0000000010020578 00000000100205b0 +GPR24: 0000000000000000 0000000000000000 0000000010020590 5deadbeef0000100 +GPR28: 5deadbeef0000200 d000000002910b00 0000000000000071 c0000002822f87d8 +NIP [d00000000290328c] ibmvfc_free_event_pool+0x12c/0x1f0 [ibmvfc] +LR [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] +Call Trace: +[c000000288d1ba60] [d00000000290325c] ibmvfc_free_event_pool+0xfc/0x1f0 [ibmvfc] (unreliable) +[c000000288d1baf0] [d000000002909390] ibmvfc_abort_task_set+0x7b0/0x8b0 [ibmvfc] +[c000000288d1bb70] [c0000000000d8c68] vio_bus_remove+0x68/0x100 +[c000000288d1bbb0] [c0000000007da7c4] device_release_driver_internal+0x1f4/0x2d0 +[c000000288d1bc00] [c0000000007da95c] driver_detach+0x7c/0x100 +[c000000288d1bc40] [c0000000007d8af4] bus_remove_driver+0x84/0x140 +[c000000288d1bcb0] [c0000000007db6ac] driver_unregister+0x4c/0xa0 +[c000000288d1bd20] [c0000000000d6e7c] vio_unregister_driver+0x2c/0x50 +[c000000288d1bd50] [d00000000290ba0c] cleanup_module+0x24/0x15e0 [ibmvfc] +[c000000288d1bd70] [c0000000001dadb0] sys_delete_module+0x220/0x2d0 +[c000000288d1be30] [c00000000000b284] system_call+0x58/0x6c +Instruction dump: +e8410018 e87f0068 809f0078 e8bf0080 e8df0088 2fa30000 419e008c e9230200 +2fa90000 419e0080 894d098a 794a07e0 <0b0a0000> e9290008 2fa90000 419e0028 + +This is tripped as a result of irqs being disabled during the call to +dma_free_coherent() by ibmvfc_free_event_pool(). At this point in the code path +we have quiesced the adapter and its overly paranoid anyways to be holding the +host lock. + +Reported-by: Abdul Haleem +Signed-off-by: Tyrel Datwyler +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index 1f9f9e5af2072..0526a47e30a3f 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4869,8 +4869,8 @@ static int ibmvfc_remove(struct vio_dev *vdev) + + spin_lock_irqsave(vhost->host->host_lock, flags); + ibmvfc_purge_requests(vhost, DID_ERROR); +- ibmvfc_free_event_pool(vhost); + spin_unlock_irqrestore(vhost->host->host_lock, flags); ++ ibmvfc_free_event_pool(vhost); + + ibmvfc_free_mem(vhost); + spin_lock(&ibmvfc_driver_lock); +-- +2.20.1 + diff --git a/queue-4.4/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch b/queue-4.4/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch new file mode 100644 index 00000000000..3f19708d2bf --- /dev/null +++ b/queue-4.4/scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch @@ -0,0 +1,43 @@ +From ea3ff3b580fe9c0052376a9eb28fdddc57d85326 Mon Sep 17 00:00:00 2001 +From: Junxiao Bi +Date: Mon, 22 Jul 2019 09:15:24 -0700 +Subject: scsi: megaraid_sas: fix panic on loading firmware crashdump + +[ Upstream commit 3b5f307ef3cb5022bfe3c8ca5b8f2114d5bf6c29 ] + +While loading fw crashdump in function fw_crash_buffer_show(), left bytes +in one dma chunk was not checked, if copying size over it, overflow access +will cause kernel panic. + +Signed-off-by: Junxiao Bi +Acked-by: Sumit Saxena +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/megaraid/megaraid_sas_base.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/megaraid/megaraid_sas_base.c b/drivers/scsi/megaraid/megaraid_sas_base.c +index 2422094f1f15c..5e0bac8de6381 100644 +--- a/drivers/scsi/megaraid/megaraid_sas_base.c ++++ b/drivers/scsi/megaraid/megaraid_sas_base.c +@@ -2752,6 +2752,7 @@ megasas_fw_crash_buffer_show(struct device *cdev, + u32 size; + unsigned long buff_addr; + unsigned long dmachunk = CRASH_DMA_BUF_SIZE; ++ unsigned long chunk_left_bytes; + unsigned long src_addr; + unsigned long flags; + u32 buff_offset; +@@ -2777,6 +2778,8 @@ megasas_fw_crash_buffer_show(struct device *cdev, + } + + size = (instance->fw_crash_buffer_size * dmachunk) - buff_offset; ++ chunk_left_bytes = dmachunk - (buff_offset % dmachunk); ++ size = (size > chunk_left_bytes) ? chunk_left_bytes : size; + size = (size >= PAGE_SIZE) ? (PAGE_SIZE - 1) : size; + + src_addr = (unsigned long)instance->crash_buf[buff_offset / dmachunk] + +-- +2.20.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 28be3e64384..f3a32fb8e58 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -7,3 +7,18 @@ mm-vmalloc-sync-unmappings-in-__purge_vmap_area_lazy.patch perf-db-export-fix-thread__exec_comm.patch usb-yurex-fix-use-after-free-in-yurex_delete.patch can-peak_usb-fix-potential-double-kfree_skb.patch +netfilter-nfnetlink-avoid-deadlock-due-to-synchronou.patch +iscsi_ibft-make-iscsi_ibft-dependson-acpi-instead-of.patch +mac80211-don-t-warn-about-cw-params-when-not-using-t.patch +hwmon-nct6775-fix-register-address-and-added-missed-.patch +cpufreq-pasemi-fix-use-after-free-in-pas_cpufreq_cpu.patch +s390-qdio-add-sanity-checks-to-the-fast-requeue-path.patch +alsa-compress-fix-regression-on-compressed-capture-s.patch +alsa-compress-prevent-bypasses-of-set_params.patch +alsa-compress-be-more-restrictive-about-when-a-drain.patch +perf-probe-avoid-calling-freeing-routine-multiple-ti.patch +arm-davinci-fix-sleep.s-build-error-on-armv4.patch +scsi-megaraid_sas-fix-panic-on-loading-firmware-cras.patch +scsi-ibmvfc-fix-warn_on-during-event-pool-release.patch +tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch +perf-core-fix-creating-kernel-counters-for-pmus-that.patch diff --git a/queue-4.4/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch b/queue-4.4/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch new file mode 100644 index 00000000000..afec61fff92 --- /dev/null +++ b/queue-4.4/tty-ldsem-locking-rwsem-add-missing-acquire-to-read_.patch @@ -0,0 +1,75 @@ +From 7215f7a9865f7ac41e70aa8adcd008900a1394e6 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Thu, 18 Jul 2019 15:03:15 +0200 +Subject: tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep + loop + +[ Upstream commit 952041a8639a7a3a73a2b6573cb8aa8518bc39f8 ] + +While reviewing rwsem down_slowpath, Will noticed ldsem had a copy of +a bug we just found for rwsem. + + X = 0; + + CPU0 CPU1 + + rwsem_down_read() + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + + X = 1; + rwsem_up_write(); + rwsem_mark_wake() + atomic_long_add(adjustment, &sem->count); + smp_store_release(&waiter->task, NULL); + + if (!waiter.task) + break; + + ... + } + + r = X; + +Allows 'r == 0'. + +Reported-by: Will Deacon +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Will Deacon +Cc: Linus Torvalds +Cc: Peter Hurley +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 4898e640caf0 ("tty: Add timed, writer-prioritized rw semaphore") +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_ldsem.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/tty_ldsem.c b/drivers/tty/tty_ldsem.c +index 34234c2338511..656c2ade6a434 100644 +--- a/drivers/tty/tty_ldsem.c ++++ b/drivers/tty/tty_ldsem.c +@@ -137,8 +137,7 @@ static void __ldsem_wake_readers(struct ld_semaphore *sem) + + list_for_each_entry_safe(waiter, next, &sem->read_wait, list) { + tsk = waiter->task; +- smp_mb(); +- waiter->task = NULL; ++ smp_store_release(&waiter->task, NULL); + wake_up_process(tsk); + put_task_struct(tsk); + } +@@ -234,7 +233,7 @@ down_read_failed(struct ld_semaphore *sem, long count, long timeout) + for (;;) { + set_task_state(tsk, TASK_UNINTERRUPTIBLE); + +- if (!waiter.task) ++ if (!smp_load_acquire(&waiter.task)) + break; + if (!timeout) + break; +-- +2.20.1 +