From: Greg Kroah-Hartman Date: Thu, 23 May 2019 09:52:25 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.1.5~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=edd3a73a7ab6807f80135408daec620c8f95967a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: ceph-flush-dirty-inodes-before-proceeding-with-remount.patch cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch fuse-fix-writepages-on-32bit.patch fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch intel_th-msu-fix-single-mode-with-iommu.patch iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch nfs4-fix-v4.0-client-state-corruption-when-mount.patch of-fix-clang-wunsequenced-for-be32_to_cpu.patch p54-drop-device-reference-count-if-fails-to-enable-device.patch parisc-export-running_on_qemu-symbol-for-modules.patch parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch parisc-skip-registering-led-when-running-in-qemu.patch stm-class-fix-channel-bitmap-on-32-bit-systems.patch stm-class-fix-channel-free-in-stm-output-free-path.patch --- diff --git a/queue-4.9/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch b/queue-4.9/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch new file mode 100644 index 0000000000..d3c6654443 --- /dev/null +++ b/queue-4.9/ceph-flush-dirty-inodes-before-proceeding-with-remount.patch @@ -0,0 +1,48 @@ +From 00abf69dd24f4444d185982379c5cc3bb7b6d1fc Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 7 May 2019 09:20:54 -0400 +Subject: ceph: flush dirty inodes before proceeding with remount + +From: Jeff Layton + +commit 00abf69dd24f4444d185982379c5cc3bb7b6d1fc upstream. + +xfstest generic/452 was triggering a "Busy inodes after umount" warning. +ceph was allowing the mount to go read-only without first flushing out +dirty inodes in the cache. Ensure we sync out the filesystem before +allowing a remount to proceed. + +Cc: stable@vger.kernel.org +Link: http://tracker.ceph.com/issues/39571 +Signed-off-by: Jeff Layton +Reviewed-by: "Yan, Zheng" +Signed-off-by: Ilya Dryomov +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/super.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/ceph/super.c ++++ b/fs/ceph/super.c +@@ -742,6 +742,12 @@ static void ceph_umount_begin(struct sup + return; + } + ++static int ceph_remount(struct super_block *sb, int *flags, char *data) ++{ ++ sync_filesystem(sb); ++ return 0; ++} ++ + static const struct super_operations ceph_super_ops = { + .alloc_inode = ceph_alloc_inode, + .destroy_inode = ceph_destroy_inode, +@@ -750,6 +756,7 @@ static const struct super_operations cep + .evict_inode = ceph_evict_inode, + .sync_fs = ceph_sync_fs, + .put_super = ceph_put_super, ++ .remount_fs = ceph_remount, + .show_options = ceph_show_options, + .statfs = ceph_statfs, + .umount_begin = ceph_umount_begin, diff --git a/queue-4.9/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch b/queue-4.9/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch new file mode 100644 index 0000000000..77f7f1158c --- /dev/null +++ b/queue-4.9/cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch @@ -0,0 +1,62 @@ +From 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb Mon Sep 17 00:00:00 2001 +From: Christoph Probst +Date: Tue, 7 May 2019 17:16:40 +0200 +Subject: cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() + +From: Christoph Probst + +commit 6a54b2e002c9d00b398d35724c79f9fe0d9b38fb upstream. + +Change strcat to strncpy in the "None" case to fix a buffer overflow +when cinode->oplock is reset to 0 by another thread accessing the same +cinode. It is never valid to append "None" to any other message. + +Consolidate multiple writes to cinode->oplock to reduce raciness. + +Signed-off-by: Christoph Probst +Reviewed-by: Pavel Shilovsky +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1413,26 +1413,28 @@ smb21_set_oplock_level(struct cifsInodeI + unsigned int epoch, bool *purge_cache) + { + char message[5] = {0}; ++ unsigned int new_oplock = 0; + + oplock &= 0xFF; + if (oplock == SMB2_OPLOCK_LEVEL_NOCHANGE) + return; + +- cinode->oplock = 0; + if (oplock & SMB2_LEASE_READ_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_READ_FLG; ++ new_oplock |= CIFS_CACHE_READ_FLG; + strcat(message, "R"); + } + if (oplock & SMB2_LEASE_HANDLE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_HANDLE_FLG; ++ new_oplock |= CIFS_CACHE_HANDLE_FLG; + strcat(message, "H"); + } + if (oplock & SMB2_LEASE_WRITE_CACHING_HE) { +- cinode->oplock |= CIFS_CACHE_WRITE_FLG; ++ new_oplock |= CIFS_CACHE_WRITE_FLG; + strcat(message, "W"); + } +- if (!cinode->oplock) +- strcat(message, "None"); ++ if (!new_oplock) ++ strncpy(message, "None", sizeof(message)); ++ ++ cinode->oplock = new_oplock; + cifs_dbg(FYI, "%s Lease granted on inode %p\n", message, + &cinode->vfs_inode); + } diff --git a/queue-4.9/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch b/queue-4.9/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch new file mode 100644 index 0000000000..3aa496b0c0 --- /dev/null +++ b/queue-4.9/clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch @@ -0,0 +1,39 @@ +From 40db569d6769ffa3864fd1b89616b1a7323568a8 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Fri, 12 Apr 2019 00:48:34 +0300 +Subject: clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider + +From: Dmitry Osipenko + +commit 40db569d6769ffa3864fd1b89616b1a7323568a8 upstream. + +There are wrongly set parenthesis in the code that are resulting in a +wrong configuration being programmed for PLLM. The original fix was made +by Danny Huang in the downstream kernel. The patch was tested on Nyan Big +Tegra124 chromebook, PLLM rate changing works correctly now and system +doesn't lock up after changing the PLLM rate due to EMC scaling. + +Cc: +Tested-by: Steev Klimaszewski +Signed-off-by: Dmitry Osipenko +Acked-By: Peter De Schrijver +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/tegra/clk-pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/tegra/clk-pll.c ++++ b/drivers/clk/tegra/clk-pll.c +@@ -638,8 +638,8 @@ static void _update_pll_mnp(struct tegra + pll_override_writel(val, params->pmc_divp_reg, pll); + + val = pll_override_readl(params->pmc_divnm_reg, pll); +- val &= ~(divm_mask(pll) << div_nmp->override_divm_shift) | +- ~(divn_mask(pll) << div_nmp->override_divn_shift); ++ val &= ~((divm_mask(pll) << div_nmp->override_divm_shift) | ++ (divn_mask(pll) << div_nmp->override_divn_shift)); + val |= (cfg->m << div_nmp->override_divm_shift) | + (cfg->n << div_nmp->override_divn_shift); + pll_override_writel(val, params->pmc_divnm_reg, pll); diff --git a/queue-4.9/fuse-fix-writepages-on-32bit.patch b/queue-4.9/fuse-fix-writepages-on-32bit.patch new file mode 100644 index 0000000000..e9f152a341 --- /dev/null +++ b/queue-4.9/fuse-fix-writepages-on-32bit.patch @@ -0,0 +1,36 @@ +From 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 Mon Sep 17 00:00:00 2001 +From: Miklos Szeredi +Date: Wed, 24 Apr 2019 17:05:06 +0200 +Subject: fuse: fix writepages on 32bit + +From: Miklos Szeredi + +commit 9de5be06d0a89ca97b5ab902694d42dfd2bb77d2 upstream. + +Writepage requests were cropped to i_size & 0xffffffff, which meant that +mmaped writes to any file larger than 4G might be silently discarded. + +Fix by storing the file size in a properly sized variable (loff_t instead +of size_t). + +Reported-by: Antonio SJ Musumeci +Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests") +Cc: # v3.13 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1521,7 +1521,7 @@ __acquires(fc->lock) + { + struct fuse_conn *fc = get_fuse_conn(inode); + struct fuse_inode *fi = get_fuse_inode(inode); +- size_t crop = i_size_read(inode); ++ loff_t crop = i_size_read(inode); + struct fuse_req *req; + + while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) { diff --git a/queue-4.9/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch b/queue-4.9/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch new file mode 100644 index 0000000000..05a05f9bce --- /dev/null +++ b/queue-4.9/fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch @@ -0,0 +1,40 @@ +From 0cbade024ba501313da3b7e5dd2a188a6bc491b5 Mon Sep 17 00:00:00 2001 +From: Liu Bo +Date: Thu, 18 Apr 2019 04:04:41 +0800 +Subject: fuse: honor RLIMIT_FSIZE in fuse_file_fallocate + +From: Liu Bo + +commit 0cbade024ba501313da3b7e5dd2a188a6bc491b5 upstream. + +fstests generic/228 reported this failure that fuse fallocate does not +honor what 'ulimit -f' has set. + +This adds the necessary inode_newsize_ok() check. + +Signed-off-by: Liu Bo +Fixes: 05ba1f082300 ("fuse: add FALLOCATE operation") +Cc: # v3.5 +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -2961,6 +2961,13 @@ static long fuse_file_fallocate(struct f + } + } + ++ if (!(mode & FALLOC_FL_KEEP_SIZE) && ++ offset + length > i_size_read(inode)) { ++ err = inode_newsize_ok(inode, offset + length); ++ if (err) ++ return err; ++ } ++ + if (!(mode & FALLOC_FL_KEEP_SIZE)) + set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state); + diff --git a/queue-4.9/intel_th-msu-fix-single-mode-with-iommu.patch b/queue-4.9/intel_th-msu-fix-single-mode-with-iommu.patch new file mode 100644 index 0000000000..2df5232eed --- /dev/null +++ b/queue-4.9/intel_th-msu-fix-single-mode-with-iommu.patch @@ -0,0 +1,104 @@ +From 4e0eaf239fb33ebc671303e2b736fa043462e2f4 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Fri, 3 May 2019 11:44:34 +0300 +Subject: intel_th: msu: Fix single mode with IOMMU + +From: Alexander Shishkin + +commit 4e0eaf239fb33ebc671303e2b736fa043462e2f4 upstream. + +Currently, the pages that are allocated for the single mode of MSC are not +mapped into the device's dma space and the code is incorrectly using +*_to_phys() in place of a dma address. This fails with IOMMU enabled and +is otherwise bad practice. + +Fix the single mode buffer allocation to map the pages into the device's +DMA space. + +Signed-off-by: Alexander Shishkin +Fixes: ba82664c134e ("intel_th: Add Memory Storage Unit driver") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/msu.c | 35 ++++++++++++++++++++++++++++++++--- + 1 file changed, 32 insertions(+), 3 deletions(-) + +--- a/drivers/hwtracing/intel_th/msu.c ++++ b/drivers/hwtracing/intel_th/msu.c +@@ -90,6 +90,7 @@ struct msc_iter { + * @reg_base: register window base address + * @thdev: intel_th_device pointer + * @win_list: list of windows in multiblock mode ++ * @single_sgt: single mode buffer + * @nr_pages: total number of pages allocated for this buffer + * @single_sz: amount of data in single mode + * @single_wrap: single mode wrap occurred +@@ -110,6 +111,7 @@ struct msc { + struct intel_th_device *thdev; + + struct list_head win_list; ++ struct sg_table single_sgt; + unsigned long nr_pages; + unsigned long single_sz; + unsigned int single_wrap : 1; +@@ -623,22 +625,45 @@ static void intel_th_msc_deactivate(stru + */ + static int msc_buffer_contig_alloc(struct msc *msc, unsigned long size) + { ++ unsigned long nr_pages = size >> PAGE_SHIFT; + unsigned int order = get_order(size); + struct page *page; ++ int ret; + + if (!size) + return 0; + ++ ret = sg_alloc_table(&msc->single_sgt, 1, GFP_KERNEL); ++ if (ret) ++ goto err_out; ++ ++ ret = -ENOMEM; + page = alloc_pages(GFP_KERNEL | __GFP_ZERO, order); + if (!page) +- return -ENOMEM; ++ goto err_free_sgt; + + split_page(page, order); +- msc->nr_pages = size >> PAGE_SHIFT; ++ sg_set_buf(msc->single_sgt.sgl, page_address(page), size); ++ ++ ret = dma_map_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, 1, ++ DMA_FROM_DEVICE); ++ if (ret < 0) ++ goto err_free_pages; ++ ++ msc->nr_pages = nr_pages; + msc->base = page_address(page); +- msc->base_addr = page_to_phys(page); ++ msc->base_addr = sg_dma_address(msc->single_sgt.sgl); + + return 0; ++ ++err_free_pages: ++ __free_pages(page, order); ++ ++err_free_sgt: ++ sg_free_table(&msc->single_sgt); ++ ++err_out: ++ return ret; + } + + /** +@@ -649,6 +674,10 @@ static void msc_buffer_contig_free(struc + { + unsigned long off; + ++ dma_unmap_sg(msc_dev(msc)->parent->parent, msc->single_sgt.sgl, ++ 1, DMA_FROM_DEVICE); ++ sg_free_table(&msc->single_sgt); ++ + for (off = 0; off < msc->nr_pages << PAGE_SHIFT; off += PAGE_SIZE) { + struct page *page = virt_to_page(msc->base + off); + diff --git a/queue-4.9/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch b/queue-4.9/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch new file mode 100644 index 0000000000..99abf36bc9 --- /dev/null +++ b/queue-4.9/iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch @@ -0,0 +1,81 @@ +From 43a0541e312f7136e081e6bf58f6c8a2e9672688 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Thu, 7 Mar 2019 01:50:07 +0300 +Subject: iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 + +From: Dmitry Osipenko + +commit 43a0541e312f7136e081e6bf58f6c8a2e9672688 upstream. + +Both Tegra30 and Tegra114 have 4 ASID's and the corresponding bitfield of +the TLB_FLUSH register differs from later Tegra generations that have 128 +ASID's. + +In a result the PTE's are now flushed correctly from TLB and this fixes +problems with graphics (randomly failing tests) on Tegra30. + +Cc: stable +Signed-off-by: Dmitry Osipenko +Acked-by: Thierry Reding +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/tegra-smmu.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/iommu/tegra-smmu.c ++++ b/drivers/iommu/tegra-smmu.c +@@ -91,7 +91,6 @@ static inline u32 smmu_readl(struct tegr + #define SMMU_TLB_FLUSH_VA_MATCH_ALL (0 << 0) + #define SMMU_TLB_FLUSH_VA_MATCH_SECTION (2 << 0) + #define SMMU_TLB_FLUSH_VA_MATCH_GROUP (3 << 0) +-#define SMMU_TLB_FLUSH_ASID(x) (((x) & 0x7f) << 24) + #define SMMU_TLB_FLUSH_VA_SECTION(addr) ((((addr) & 0xffc00000) >> 12) | \ + SMMU_TLB_FLUSH_VA_MATCH_SECTION) + #define SMMU_TLB_FLUSH_VA_GROUP(addr) ((((addr) & 0xffffc000) >> 12) | \ +@@ -194,8 +193,12 @@ static inline void smmu_flush_tlb_asid(s + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_MATCH_ALL; ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_MATCH_ALL; + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + +@@ -205,8 +208,12 @@ static inline void smmu_flush_tlb_sectio + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_SECTION(iova); ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_SECTION(iova); + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + +@@ -216,8 +223,12 @@ static inline void smmu_flush_tlb_group( + { + u32 value; + +- value = SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_ASID(asid) | +- SMMU_TLB_FLUSH_VA_GROUP(iova); ++ if (smmu->soc->num_asids == 4) ++ value = (asid & 0x3) << 29; ++ else ++ value = (asid & 0x7f) << 24; ++ ++ value |= SMMU_TLB_FLUSH_ASID_MATCH | SMMU_TLB_FLUSH_VA_GROUP(iova); + smmu_writel(smmu, value, SMMU_TLB_FLUSH); + } + diff --git a/queue-4.9/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch b/queue-4.9/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch new file mode 100644 index 0000000000..682a863a36 --- /dev/null +++ b/queue-4.9/md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch @@ -0,0 +1,41 @@ +From ee37e62191a59d253fc916b9fc763deb777211e2 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 2 Apr 2019 14:22:14 +0800 +Subject: md: add mddev->pers to avoid potential NULL pointer dereference + +From: Yufen Yu + +commit ee37e62191a59d253fc916b9fc763deb777211e2 upstream. + +When doing re-add, we need to ensure rdev->mddev->pers is not NULL, +which can avoid potential NULL pointer derefence in fallowing +add_bound_rdev(). + +Fixes: a6da4ef85cef ("md: re-add a failed disk") +Cc: Xiao Ni +Cc: NeilBrown +Cc: # 4.4+ +Reviewed-by: NeilBrown +Signed-off-by: Yufen Yu +Signed-off-by: Song Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -2694,8 +2694,10 @@ state_store(struct md_rdev *rdev, const + err = 0; + } + } else if (cmd_match(buf, "re-add")) { +- if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) && +- rdev->saved_raid_disk >= 0) { ++ if (!rdev->mddev->pers) ++ err = -EINVAL; ++ else if (test_bit(Faulty, &rdev->flags) && (rdev->raid_disk == -1) && ++ rdev->saved_raid_disk >= 0) { + /* clear_bit is performed _after_ all the devices + * have their local Faulty bit cleared. If any writes + * happen in the meantime in the local node, they diff --git a/queue-4.9/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch b/queue-4.9/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch new file mode 100644 index 0000000000..8ca3d641c4 --- /dev/null +++ b/queue-4.9/media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch @@ -0,0 +1,47 @@ +From 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 Mon Sep 17 00:00:00 2001 +From: Janusz Krzysztofik +Date: Sun, 24 Mar 2019 20:21:12 -0400 +Subject: media: ov6650: Fix sensor possibly not detected on probe + +From: Janusz Krzysztofik + +commit 933c1320847f5ed6b61a7d10f0a948aa98ccd7b0 upstream. + +After removal of clock_start() from before soc_camera_init_i2c() in +soc_camera_probe() by commit 9aea470b399d ("[media] soc-camera: switch +I2C subdevice drivers to use v4l2-clk") introduced in v3.11, the ov6650 +driver could no longer probe the sensor successfully because its clock +was no longer turned on in advance. The issue was initially worked +around by adding that missing clock_start() equivalent to OMAP1 camera +interface driver - the only user of this sensor - but a propoer fix +should be rather implemented in the sensor driver code itself. + +Fix the issue by inserting a delay between the clock is turned on and +the sensor I2C registers are read for the first time. + +Tested on Amstrad Delta with now out of tree but still locally +maintained omap1_camera host driver. + +Fixes: 9aea470b399d ("[media] soc-camera: switch I2C subdevice drivers to use v4l2-clk") + +Signed-off-by: Janusz Krzysztofik +Cc: stable@vger.kernel.org +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/soc_camera/ov6650.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/soc_camera/ov6650.c ++++ b/drivers/media/i2c/soc_camera/ov6650.c +@@ -844,6 +844,8 @@ static int ov6650_video_probe(struct i2c + if (ret < 0) + return ret; + ++ msleep(20); ++ + /* + * check and show product ID and manufacturer ID + */ diff --git a/queue-4.9/nfs4-fix-v4.0-client-state-corruption-when-mount.patch b/queue-4.9/nfs4-fix-v4.0-client-state-corruption-when-mount.patch new file mode 100644 index 0000000000..cd0734d42f --- /dev/null +++ b/queue-4.9/nfs4-fix-v4.0-client-state-corruption-when-mount.patch @@ -0,0 +1,47 @@ +From f02f3755dbd14fb935d24b14650fff9ba92243b8 Mon Sep 17 00:00:00 2001 +From: ZhangXiaoxu +Date: Mon, 6 May 2019 11:57:03 +0800 +Subject: NFS4: Fix v4.0 client state corruption when mount + +From: ZhangXiaoxu + +commit f02f3755dbd14fb935d24b14650fff9ba92243b8 upstream. + +stat command with soft mount never return after server is stopped. + +When alloc a new client, the state of the client will be set to +NFS4CLNT_LEASE_EXPIRED. + +When the server is stopped, the state manager will work, and accord +the state to recover. But the state is NFS4CLNT_LEASE_EXPIRED, it +will drain the slot table and lead other task to wait queue, until +the client recovered. Then the stat command is hung. + +When discover server trunking, the client will renew the lease, +but check the client state, it lead the client state corruption. + +So, we need to call state manager to recover it when detect server +ip trunking. + +Signed-off-by: ZhangXiaoxu +Cc: stable@vger.kernel.org +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4state.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/nfs/nfs4state.c ++++ b/fs/nfs/nfs4state.c +@@ -143,6 +143,10 @@ int nfs40_discover_server_trunking(struc + /* Sustain the lease, even if it's empty. If the clientid4 + * goes stale it's of no use for trunking discovery. */ + nfs4_schedule_state_renewal(*result); ++ ++ /* If the client state need to recover, do it. */ ++ if (clp->cl_state) ++ nfs4_schedule_state_manager(clp); + } + out: + return status; diff --git a/queue-4.9/of-fix-clang-wunsequenced-for-be32_to_cpu.patch b/queue-4.9/of-fix-clang-wunsequenced-for-be32_to_cpu.patch new file mode 100644 index 0000000000..05515a9fd6 --- /dev/null +++ b/queue-4.9/of-fix-clang-wunsequenced-for-be32_to_cpu.patch @@ -0,0 +1,56 @@ +From 440868661f36071886ed360d91de83bd67c73b4f Mon Sep 17 00:00:00 2001 +From: Phong Tran +Date: Tue, 30 Apr 2019 21:56:24 +0700 +Subject: of: fix clang -Wunsequenced for be32_to_cpu() + +From: Phong Tran + +commit 440868661f36071886ed360d91de83bd67c73b4f upstream. + +Now, make the loop explicit to avoid clang warning. + +./include/linux/of.h:238:37: warning: multiple unsequenced modifications +to 'cell' [-Wunsequenced] + r = (r << 32) | be32_to_cpu(*(cell++)); + ^~ +./include/linux/byteorder/generic.h:95:21: note: expanded from macro +'be32_to_cpu' + ^ +./include/uapi/linux/byteorder/little_endian.h:40:59: note: expanded +from macro '__be32_to_cpu' + ^ +./include/uapi/linux/swab.h:118:21: note: expanded from macro '__swab32' + ___constant_swab32(x) : \ + ^ +./include/uapi/linux/swab.h:18:12: note: expanded from macro +'___constant_swab32' + (((__u32)(x) & (__u32)0x000000ffUL) << 24) | \ + ^ + +Signed-off-by: Phong Tran +Reported-by: Nick Desaulniers +Link: https://github.com/ClangBuiltLinux/linux/issues/460 +Suggested-by: David Laight +Reviewed-by: Nick Desaulniers +Cc: stable@vger.kernel.org +[robh: fix up whitespace] +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/of.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/of.h ++++ b/include/linux/of.h +@@ -220,8 +220,8 @@ extern struct device_node *of_find_all_n + static inline u64 of_read_number(const __be32 *cell, int size) + { + u64 r = 0; +- while (size--) +- r = (r << 32) | be32_to_cpu(*(cell++)); ++ for (; size--; cell++) ++ r = (r << 32) | be32_to_cpu(*cell); + return r; + } + diff --git a/queue-4.9/p54-drop-device-reference-count-if-fails-to-enable-device.patch b/queue-4.9/p54-drop-device-reference-count-if-fails-to-enable-device.patch new file mode 100644 index 0000000000..89727ccc0c --- /dev/null +++ b/queue-4.9/p54-drop-device-reference-count-if-fails-to-enable-device.patch @@ -0,0 +1,42 @@ +From 8149069db81853570a665f5e5648c0e526dc0e43 Mon Sep 17 00:00:00 2001 +From: Pan Bian +Date: Wed, 17 Apr 2019 17:41:23 +0800 +Subject: p54: drop device reference count if fails to enable device + +From: Pan Bian + +commit 8149069db81853570a665f5e5648c0e526dc0e43 upstream. + +The function p54p_probe takes an extra reference count of the PCI +device. However, the extra reference count is not dropped when it fails +to enable the PCI device. This patch fixes the bug. + +Cc: stable@vger.kernel.org +Signed-off-by: Pan Bian +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/p54pci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intersil/p54/p54pci.c ++++ b/drivers/net/wireless/intersil/p54/p54pci.c +@@ -554,7 +554,7 @@ static int p54p_probe(struct pci_dev *pd + err = pci_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Cannot enable new PCI device\n"); +- return err; ++ goto err_put; + } + + mem_addr = pci_resource_start(pdev, 0); +@@ -639,6 +639,7 @@ static int p54p_probe(struct pci_dev *pd + pci_release_regions(pdev); + err_disable_dev: + pci_disable_device(pdev); ++err_put: + pci_dev_put(pdev); + return err; + } diff --git a/queue-4.9/parisc-export-running_on_qemu-symbol-for-modules.patch b/queue-4.9/parisc-export-running_on_qemu-symbol-for-modules.patch new file mode 100644 index 0000000000..7a3e33b9fb --- /dev/null +++ b/queue-4.9/parisc-export-running_on_qemu-symbol-for-modules.patch @@ -0,0 +1,27 @@ +From 3e1120f4b57bc12437048494ab56648edaa5b57d Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 6 Apr 2019 16:45:14 +0200 +Subject: parisc: Export running_on_qemu symbol for modules + +From: Helge Deller + +commit 3e1120f4b57bc12437048494ab56648edaa5b57d upstream. + +Signed-off-by: Helge Deller +CC: stable@vger.kernel.org # v4.9+ +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/process.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/parisc/kernel/process.c ++++ b/arch/parisc/kernel/process.c +@@ -189,6 +189,7 @@ int dump_task_fpu (struct task_struct *t + */ + + int running_on_qemu __read_mostly; ++EXPORT_SYMBOL(running_on_qemu); + + void __cpuidle arch_cpu_idle_dead(void) + { diff --git a/queue-4.9/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch b/queue-4.9/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch new file mode 100644 index 0000000000..3adcc3935a --- /dev/null +++ b/queue-4.9/parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch @@ -0,0 +1,75 @@ +From 1829dda0e87f4462782ca81be474c7890efe31ce Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 5 May 2019 23:54:34 +0200 +Subject: parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code + +From: Helge Deller + +commit 1829dda0e87f4462782ca81be474c7890efe31ce upstream. + +LEVEL is a very common word, and now after many years it suddenly +clashed with another LEVEL define in the DRBD code. +Rename it to PA_ASM_LEVEL instead. + +Reported-by: kbuild test robot +Signed-off-by: Helge Deller +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/assembly.h | 6 +++--- + arch/parisc/kernel/head.S | 4 ++-- + arch/parisc/kernel/syscall.S | 2 +- + 3 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/parisc/include/asm/assembly.h ++++ b/arch/parisc/include/asm/assembly.h +@@ -59,14 +59,14 @@ + #define LDCW ldcw,co + #define BL b,l + # ifdef CONFIG_64BIT +-# define LEVEL 2.0w ++# define PA_ASM_LEVEL 2.0w + # else +-# define LEVEL 2.0 ++# define PA_ASM_LEVEL 2.0 + # endif + #else + #define LDCW ldcw + #define BL bl +-#define LEVEL 1.1 ++#define PA_ASM_LEVEL 1.1 + #endif + + #ifdef __ASSEMBLY__ +--- a/arch/parisc/kernel/head.S ++++ b/arch/parisc/kernel/head.S +@@ -22,7 +22,7 @@ + #include + #include + +- .level LEVEL ++ .level PA_ASM_LEVEL + + __INITDATA + ENTRY(boot_args) +@@ -254,7 +254,7 @@ stext_pdc_ret: + ldo R%PA(fault_vector_11)(%r10),%r10 + + $is_pa20: +- .level LEVEL /* restore 1.1 || 2.0w */ ++ .level PA_ASM_LEVEL /* restore 1.1 || 2.0w */ + #endif /*!CONFIG_64BIT*/ + load32 PA(fault_vector_20),%r10 + +--- a/arch/parisc/kernel/syscall.S ++++ b/arch/parisc/kernel/syscall.S +@@ -48,7 +48,7 @@ registers). + */ + #define KILL_INSN break 0,0 + +- .level LEVEL ++ .level PA_ASM_LEVEL + + .text + diff --git a/queue-4.9/parisc-skip-registering-led-when-running-in-qemu.patch b/queue-4.9/parisc-skip-registering-led-when-running-in-qemu.patch new file mode 100644 index 0000000000..aa59c7c3a3 --- /dev/null +++ b/queue-4.9/parisc-skip-registering-led-when-running-in-qemu.patch @@ -0,0 +1,31 @@ +From b438749044356dd1329c45e9b5a9377b6ea13eb2 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 2 Apr 2019 12:17:08 +0200 +Subject: parisc: Skip registering LED when running in QEMU + +From: Helge Deller + +commit b438749044356dd1329c45e9b5a9377b6ea13eb2 upstream. + +No need to spend CPU cycles when we run on QEMU. + +Signed-off-by: Helge Deller +CC: stable@vger.kernel.org # v4.9+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/parisc/led.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -568,6 +568,9 @@ int __init register_led_driver(int model + break; + + case DISPLAY_MODEL_LASI: ++ /* Skip to register LED in QEMU */ ++ if (running_on_qemu) ++ return 1; + LED_DATA_REG = data_reg; + led_func_ptr = led_LASI_driver; + printk(KERN_INFO "LED display at %lx registered\n", LED_DATA_REG); diff --git a/queue-4.9/series b/queue-4.9/series index fc0b611561..dc3dd66bdb 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -5,3 +5,20 @@ tipc-switch-order-of-device-registration-to-fix-a-crash.patch vsock-virtio-free-packets-during-the-socket-release.patch tipc-fix-modprobe-tipc-failed-after-switch-order-of-device-registration.patch vsock-virtio-initialize-core-virtio-vsock-before-registering-the-driver.patch +parisc-export-running_on_qemu-symbol-for-modules.patch +parisc-skip-registering-led-when-running-in-qemu.patch +parisc-rename-level-to-pa_asm_level-to-avoid-name-clash-with-drbd-code.patch +stm-class-fix-channel-free-in-stm-output-free-path.patch +stm-class-fix-channel-bitmap-on-32-bit-systems.patch +md-add-mddev-pers-to-avoid-potential-null-pointer-dereference.patch +intel_th-msu-fix-single-mode-with-iommu.patch +p54-drop-device-reference-count-if-fails-to-enable-device.patch +of-fix-clang-wunsequenced-for-be32_to_cpu.patch +cifs-fix-strcat-buffer-overflow-and-reduce-raciness-in-smb21_set_oplock_level.patch +media-ov6650-fix-sensor-possibly-not-detected-on-probe.patch +nfs4-fix-v4.0-client-state-corruption-when-mount.patch +clk-tegra-fix-pllm-programming-on-tegra124-when-pmc-overrides-divider.patch +fuse-fix-writepages-on-32bit.patch +fuse-honor-rlimit_fsize-in-fuse_file_fallocate.patch +iommu-tegra-smmu-fix-invalid-asid-bits-on-tegra30-114.patch +ceph-flush-dirty-inodes-before-proceeding-with-remount.patch diff --git a/queue-4.9/stm-class-fix-channel-bitmap-on-32-bit-systems.patch b/queue-4.9/stm-class-fix-channel-bitmap-on-32-bit-systems.patch new file mode 100644 index 0000000000..69b4610c4d --- /dev/null +++ b/queue-4.9/stm-class-fix-channel-bitmap-on-32-bit-systems.patch @@ -0,0 +1,45 @@ +From 51e0f227812ed81a368de54157ebe14396b4be03 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 17 Apr 2019 10:35:35 +0300 +Subject: stm class: Fix channel bitmap on 32-bit systems + +From: Alexander Shishkin + +commit 51e0f227812ed81a368de54157ebe14396b4be03 upstream. + +Commit 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace +Module devices") naively calculates the channel bitmap size in 64-bit +chunks regardless of the size of underlying unsigned long, making the +bitmap half as big on a 32-bit system. This leads to an out of bounds +access with the upper half of the bitmap. + +Fix this by using BITS_TO_LONGS. While at it, convert to using +struct_size() for the total size calculation of the master struct. + +Signed-off-by: Alexander Shishkin +Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices") +Reported-by: Mulu He +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -174,11 +174,10 @@ stm_master(struct stm_device *stm, unsig + static int stp_master_alloc(struct stm_device *stm, unsigned int idx) + { + struct stp_master *master; +- size_t size; + +- size = ALIGN(stm->data->sw_nchannels, 8) / 8; +- size += sizeof(struct stp_master); +- master = kzalloc(size, GFP_ATOMIC); ++ master = kzalloc(struct_size(master, chan_map, ++ BITS_TO_LONGS(stm->data->sw_nchannels)), ++ GFP_ATOMIC); + if (!master) + return -ENOMEM; + diff --git a/queue-4.9/stm-class-fix-channel-free-in-stm-output-free-path.patch b/queue-4.9/stm-class-fix-channel-free-in-stm-output-free-path.patch new file mode 100644 index 0000000000..4cbd3217ca --- /dev/null +++ b/queue-4.9/stm-class-fix-channel-free-in-stm-output-free-path.patch @@ -0,0 +1,40 @@ +From ee496da4c3915de3232b5f5cd20e21ae3e46fe8d Mon Sep 17 00:00:00 2001 +From: Tingwei Zhang +Date: Wed, 17 Apr 2019 10:35:34 +0300 +Subject: stm class: Fix channel free in stm output free path + +From: Tingwei Zhang + +commit ee496da4c3915de3232b5f5cd20e21ae3e46fe8d upstream. + +Number of free masters is not set correctly in stm +free path. Fix this by properly adding the number +of output channels before setting them to 0 in +stm_output_disclaim(). + +Currently it is equivalent to doing nothing since +master->nr_free is incremented by 0. + +Fixes: 7bd1d4093c2f ("stm class: Introduce an abstraction for System Trace Module devices") +Signed-off-by: Tingwei Zhang +Signed-off-by: Sai Prakash Ranjan +Cc: stable@vger.kernel.org # v4.4 +Signed-off-by: Alexander Shishkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/stm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/stm/core.c ++++ b/drivers/hwtracing/stm/core.c +@@ -226,8 +226,8 @@ stm_output_disclaim(struct stm_device *s + bitmap_release_region(&master->chan_map[0], output->channel, + ilog2(output->nr_chans)); + +- output->nr_chans = 0; + master->nr_free += output->nr_chans; ++ output->nr_chans = 0; + } + + /*