From: Greg Kroah-Hartman Date: Thu, 14 Jun 2018 09:50:09 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.17.2~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f1f201fefaf82850fc4b4a8aa6eb9df5b4d48b46;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch crypto-ccree-correct-host-regs-offset.patch doc-fix-sysfs-abi-documentation.patch input-xpad-add-gpd-win-2-controller-usb-ids.patch kvm-fix-typo-in-flag-name.patch kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch kvm-x86-introduce-linear_-read-write-_system.patch kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch serial-sh-sci-stop-using-printk-format-pcr.patch staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch tty-pl011-avoid-spuriously-stuck-off-interrupts.patch tty-serial-atmel-use-port-name-as-name-in-request_irq.patch usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch 
usb-typec-wcove-remove-dependency-on-hw-fsm.patch usbip-vhci_sysfs-fix-potential-spectre-v1.patch vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch
---
diff --git a/queue-4.17/arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch b/queue-4.17/arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch
new file mode 100644
index 00000000000..632b76f91e9
--- /dev/null
+++ b/queue-4.17/arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch
@@ -0,0 +1,39 @@
+From 1e31927aa64545ee97a2a41db9984c9931afc50a Mon Sep 17 00:00:00 2001
+From: Sean Wang
+Date: Fri, 20 Apr 2018 16:58:05 +0800
+Subject: arm64: defconfig: Enable CONFIG_PINCTRL_MT7622 by default
+
+From: Sean Wang
+
+commit 1e31927aa64545ee97a2a41db9984c9931afc50a upstream.
+
+Recently kernelCI reported the board mt7622-rfb1 has a fail test with
+kernel: ERROR: did not start booting whose details could be seen at [1].
+
+The cause is that UART0 can't output anything when it's missing a proper
+pin setup with current DTS, so the essential driver is always getting
+enabled to fix up the issue.
+
+[1] https://kernelci.org/boot/id/5ad7d62759b51461bfb1f829/
+
+Cc: Kevin Hilman
+Cc: stable@vger.kernel.org
+Fixes: ae457b7679c4 ("arm64: dts: mt7622: add SoC and peripheral related device nodes")
+Signed-off-by: Sean Wang
+Signed-off-by: Matthias Brugger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/configs/defconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/arm64/configs/defconfig
++++ b/arch/arm64/configs/defconfig
+@@ -320,6 +320,7 @@ CONFIG_PINCTRL_MAX77620=y
+ CONFIG_PINCTRL_MSM8916=y
+ CONFIG_PINCTRL_MSM8994=y
+ CONFIG_PINCTRL_MSM8996=y
++CONFIG_PINCTRL_MT7622=y
+ CONFIG_PINCTRL_QDF2XXX=y
+ CONFIG_PINCTRL_QCOM_SPMI_PMIC=y
+ CONFIG_GPIO_DWAPB=y
diff --git a/queue-4.17/crypto-ccree-correct-host-regs-offset.patch b/queue-4.17/crypto-ccree-correct-host-regs-offset.patch
new file mode 100644
index 00000000000..fd1ede49dd3
--- /dev/null
+++ b/queue-4.17/crypto-ccree-correct-host-regs-offset.patch
@@ -0,0 +1,125 @@
+From 281a58c8326ca62ca6341f9d2cc2eb08044670e8 Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef
+Date: Thu, 24 May 2018 15:19:06 +0100
+Subject: crypto: ccree - correct host regs offset
+
+From: Gilad Ben-Yossef
+
+commit 281a58c8326ca62ca6341f9d2cc2eb08044670e8 upstream.
+
+The product signature and HW revision register have different offset on the
+older HW revisions.
+This fixes the problem of the driver failing sanity check on silicon
+despite working on the FPGA emulation systems.
+
+Fixes: 27b3b22dd98c ("crypto: ccree - add support for older HW revs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gilad Ben-Yossef
+Reviewed-by: Simon Horman
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/ccree/cc_debugfs.c | 7 +++++--
+ drivers/crypto/ccree/cc_driver.c | 8 ++++++--
+ drivers/crypto/ccree/cc_driver.h | 2 ++
+ drivers/crypto/ccree/cc_host_regs.h | 6 ++++--
+ 4 files changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/ccree/cc_debugfs.c
++++ b/drivers/crypto/ccree/cc_debugfs.c
+@@ -26,7 +26,8 @@ struct cc_debugfs_ctx {
+ static struct dentry *cc_debugfs_dir;
+
+ static struct debugfs_reg32 debug_regs[] = {
+- CC_DEBUG_REG(HOST_SIGNATURE),
++ { .name = "SIGNATURE" }, /* Must be 0th */
++ { .name = "VERSION" }, /* Must be 1st */
+ CC_DEBUG_REG(HOST_IRR),
+ CC_DEBUG_REG(HOST_POWER_DOWN_EN),
+ CC_DEBUG_REG(AXIM_MON_ERR),
+@@ -34,7 +35,6 @@ static struct debugfs_reg32 debug_regs[]
+ CC_DEBUG_REG(HOST_IMR),
+ CC_DEBUG_REG(AXIM_CFG),
+ CC_DEBUG_REG(AXIM_CACHE_PARAMS),
+- CC_DEBUG_REG(HOST_VERSION),
+ CC_DEBUG_REG(GPR_HOST),
+ CC_DEBUG_REG(AXIM_MON_COMP),
+ };
+@@ -58,6 +58,9 @@ int cc_debugfs_init(struct cc_drvdata *d
+ struct debugfs_regset32 *regset;
+ struct dentry *file;
+
++ debug_regs[0].offset = drvdata->sig_offset;
++ debug_regs[1].offset = drvdata->ver_offset;
++
+ ctx = devm_kzalloc(dev, sizeof(*ctx), GFP_KERNEL);
+ if (!ctx)
+ return -ENOMEM;
+--- a/drivers/crypto/ccree/cc_driver.c
++++ b/drivers/crypto/ccree/cc_driver.c
+@@ -207,9 +207,13 @@ static int init_cc_resources(struct plat
+ if (hw_rev->rev >= CC_HW_REV_712) {
+ new_drvdata->hash_len_sz = HASH_LEN_SIZE_712;
+ new_drvdata->axim_mon_offset = CC_REG(AXIM_MON_COMP);
++ new_drvdata->sig_offset = CC_REG(HOST_SIGNATURE_712);
++ new_drvdata->ver_offset = CC_REG(HOST_VERSION_712);
+ } else {
+ new_drvdata->hash_len_sz = HASH_LEN_SIZE_630;
+ new_drvdata->axim_mon_offset = CC_REG(AXIM_MON_COMP8);
++ new_drvdata->sig_offset = CC_REG(HOST_SIGNATURE_630);
++ new_drvdata->ver_offset = CC_REG(HOST_VERSION_630);
+ }
+
+ platform_set_drvdata(plat_dev, new_drvdata);
+@@ -276,7 +280,7 @@ static int init_cc_resources(struct plat
+ }
+
+ /* Verify correct mapping */
+- signature_val = cc_ioread(new_drvdata, CC_REG(HOST_SIGNATURE));
++ signature_val = cc_ioread(new_drvdata, new_drvdata->sig_offset);
+ if (signature_val != hw_rev->sig) {
+ dev_err(dev, "Invalid CC signature: SIGNATURE=0x%08X != expected=0x%08X\n",
+ signature_val, hw_rev->sig);
+@@ -287,7 +291,7 @@ static int init_cc_resources(struct plat
+
+ /* Display HW versions */
+ dev_info(dev, "ARM CryptoCell %s Driver: HW version 0x%08X, Driver version %s\n",
+- hw_rev->name, cc_ioread(new_drvdata, CC_REG(HOST_VERSION)),
++ hw_rev->name, cc_ioread(new_drvdata, new_drvdata->ver_offset),
+ DRV_MODULE_VERSION);
+
+ rc = init_cc_regs(new_drvdata, true);
+--- a/drivers/crypto/ccree/cc_driver.h
++++ b/drivers/crypto/ccree/cc_driver.h
+@@ -129,6 +129,8 @@ struct cc_drvdata {
+ enum cc_hw_rev hw_rev;
+ u32 hash_len_sz;
+ u32 axim_mon_offset;
++ u32 sig_offset;
++ u32 ver_offset;
+ };
+
+ struct cc_crypto_alg {
+--- a/drivers/crypto/ccree/cc_host_regs.h
++++ b/drivers/crypto/ccree/cc_host_regs.h
+@@ -45,7 +45,8 @@
+ #define CC_HOST_ICR_DSCRPTR_WATERMARK_QUEUE0_CLEAR_BIT_SIZE 0x1UL
+ #define CC_HOST_ICR_AXIM_COMP_INT_CLEAR_BIT_SHIFT 0x17UL
+ #define CC_HOST_ICR_AXIM_COMP_INT_CLEAR_BIT_SIZE 0x1UL
+-#define CC_HOST_SIGNATURE_REG_OFFSET 0xA24UL
++#define CC_HOST_SIGNATURE_712_REG_OFFSET 0xA24UL
++#define CC_HOST_SIGNATURE_630_REG_OFFSET 0xAC8UL
+ #define CC_HOST_SIGNATURE_VALUE_BIT_SHIFT 0x0UL
+ #define CC_HOST_SIGNATURE_VALUE_BIT_SIZE 0x20UL
+ #define CC_HOST_BOOT_REG_OFFSET 0xA28UL
+@@ -105,7 +106,8 @@
+ #define CC_HOST_BOOT_ONLY_ENCRYPT_LOCAL_BIT_SIZE 0x1UL
+ #define CC_HOST_BOOT_AES_EXISTS_LOCAL_BIT_SHIFT 0x1EUL
+ #define CC_HOST_BOOT_AES_EXISTS_LOCAL_BIT_SIZE 0x1UL
+-#define CC_HOST_VERSION_REG_OFFSET 0xA40UL
++#define CC_HOST_VERSION_712_REG_OFFSET 0xA40UL
++#define CC_HOST_VERSION_630_REG_OFFSET 0xAD8UL
+ #define CC_HOST_VERSION_VALUE_BIT_SHIFT 0x0UL
+ #define CC_HOST_VERSION_VALUE_BIT_SIZE 0x20UL
+ #define CC_HOST_KFDE0_VALID_REG_OFFSET 0xA60UL
diff --git a/queue-4.17/doc-fix-sysfs-abi-documentation.patch b/queue-4.17/doc-fix-sysfs-abi-documentation.patch
new file mode 100644
index 00000000000..4fc0fd92777
--- /dev/null
+++ b/queue-4.17/doc-fix-sysfs-abi-documentation.patch
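Review bot: `debug_regs[]` in cc_debugfs.c is a file-scope static table, and the new `debug_regs[0].offset = drvdata->sig_offset;` and `debug_regs[1].offset = drvdata->ver_offset;` assignments in cc_debugfs_init() rewrite it on every probe, so two CryptoCell instances of different HW revisions would share whichever offsets were written last and the debugfs dump for the earlier device would read the wrong registers. The positional coupling is also protected only by the "Must be 0th" / "Must be 1st" comments. A per-device copy, for example `regs = devm_kmemdup(dev, debug_regs, sizeof(debug_regs), GFP_KERNEL);` patched and handed to the regset, would avoid both problems. How the regset is populated lies outside the hunk, so this should be confirmed against the full function.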
@@ -0,0 +1,188 @@
+From f59acbc5e0f7f90452efd4c3318d5e5ec042c3e0 Mon Sep 17 00:00:00 2001
+From: Stephen Hemminger
+Date: Sat, 12 May 2018 01:45:29 -0700
+Subject: doc: fix sysfs ABI documentation
+
+From: Stephen Hemminger
+
+commit f59acbc5e0f7f90452efd4c3318d5e5ec042c3e0 upstream.
+
+In 4.9 kernel, the sysfs files for Hyper-V VMBus changed name but
+the documentation files were not updated. The current sysfs file
+names are /sys/bus/vmbus/devices//...
+
+See commit 9a56e5d6a0ba ("Drivers: hv: make VMBus bus ids persistent")
+and commit f6b2db084b65 ("vmbus: make sysfs names consistent with PCI")
+
+Reported-by: Michael Kelley
+Signed-off-by: Stephen Hemminger
+Cc: stable@vger.kernel.org
+Signed-off-by: K. Y. Srinivasan
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/ABI/stable/sysfs-bus-vmbus | 40 +++++++++++++++----------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/Documentation/ABI/stable/sysfs-bus-vmbus
++++ b/Documentation/ABI/stable/sysfs-bus-vmbus
+@@ -1,25 +1,25 @@
+-What: /sys/bus/vmbus/devices/vmbus_*/id
++What: /sys/bus/vmbus/devices//id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan
+ Description: The VMBus child_relid of the device's primary channel
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/class_id
++What: /sys/bus/vmbus/devices//class_id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan
+ Description: The VMBus interface type GUID of the device
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/device_id
++What: /sys/bus/vmbus/devices//device_id
+ Date: Jul 2009
+ KernelVersion: 2.6.31
+ Contact: K. Y. Srinivasan
+ Description: The VMBus interface instance GUID of the device
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channel_vp_mapping
++What: /sys/bus/vmbus/devices//channel_vp_mapping
+ Date: Jul 2015
+ KernelVersion: 4.2.0
+ Contact: K. Y. Srinivasan
+@@ -28,112 +28,112 @@ Description: The mapping of which primar
+ Format:
+ Users: tools/hv/lsvmbus
+
+-What: /sys/bus/vmbus/devices/vmbus_*/device
++What: /sys/bus/vmbus/devices//device
+ Date: Dec. 2015
+ KernelVersion: 4.5
+ Contact: K. Y. Srinivasan
+ Description: The 16 bit device ID of the device
+ Users: tools/hv/lsvmbus and user level RDMA libraries
+
+-What: /sys/bus/vmbus/devices/vmbus_*/vendor
++What: /sys/bus/vmbus/devices//vendor
+ Date: Dec. 2015
+ KernelVersion: 4.5
+ Contact: K. Y. Srinivasan
+ Description: The 16 bit vendor ID of the device
+ Users: tools/hv/lsvmbus and user level RDMA libraries
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN
++What: /sys/bus/vmbus/devices//channels/
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Directory for per-channel information
+ NN is the VMBUS relid associtated with the channel.
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu
++What: /sys/bus/vmbus/devices//channels//cpu
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: VCPU (sub)channel is affinitized to
+ Users: tools/hv/lsvmbus and other debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu
++What: /sys/bus/vmbus/devices//channels//cpu
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: VCPU (sub)channel is affinitized to
+ Users: tools/hv/lsvmbus and other debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/in_mask
++What: /sys/bus/vmbus/devices//channels//in_mask
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Host to guest channel interrupt mask
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/latency
++What: /sys/bus/vmbus/devices//channels//latency
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Channel signaling latency
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/out_mask
++What: /sys/bus/vmbus/devices//channels//out_mask
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Guest to host channel interrupt mask
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/pending
++What: /sys/bus/vmbus/devices//channels//pending
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Channel interrupt pending state
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/read_avail
++What: /sys/bus/vmbus/devices//channels//read_avail
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Bytes available to read
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/write_avail
++What: /sys/bus/vmbus/devices//channels//write_avail
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Bytes available to write
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/events
++What: /sys/bus/vmbus/devices//channels//events
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Number of times we have signaled the host
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/interrupts
++What: /sys/bus/vmbus/devices//channels//interrupts
+ Date: September. 2017
+ KernelVersion: 4.14
+ Contact: Stephen Hemminger
+ Description: Number of times we have taken an interrupt (incoming)
+ Users: Debugging tools
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/subchannel_id
++What: /sys/bus/vmbus/devices//channels//subchannel_id
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger
+ Description: Subchannel ID associated with VMBUS channel
+ Users: Debugging tools and userspace drivers
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/monitor_id
++What: /sys/bus/vmbus/devices//channels//monitor_id
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger
+ Description: Monitor bit associated with channel
+ Users: Debugging tools and userspace drivers
+
+-What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/ring
++What: /sys/bus/vmbus/devices//channels//ring
+ Date: January. 2018
+ KernelVersion: 4.16
+ Contact: Stephen Hemminger
diff --git a/queue-4.17/input-xpad-add-gpd-win-2-controller-usb-ids.patch b/queue-4.17/input-xpad-add-gpd-win-2-controller-usb-ids.patch
new file mode 100644
index 00000000000..0a62d998aca
--- /dev/null
+++ b/queue-4.17/input-xpad-add-gpd-win-2-controller-usb-ids.patch
@@ -0,0 +1,40 @@
+From c1ba08390a8bb13c927e699330896adc15b78205 Mon Sep 17 00:00:00 2001
+From: Ethan Lee
+Date: Fri, 1 Jun 2018 11:46:08 -0700
+Subject: Input: xpad - add GPD Win 2 Controller USB IDs
+
+From: Ethan Lee
+
+commit c1ba08390a8bb13c927e699330896adc15b78205 upstream.
+
+GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
+
+Tested on a unit from the first production run sent to Indiegogo backers
+
+Signed-off-by: Ethan Lee
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -123,6 +123,7 @@ static const struct xpad_device {
+ u8 mapping;
+ u8 xtype;
+ } xpad_device[] = {
++ { 0x0079, 0x18d4, "GPD Win 2 Controller", 0, XTYPE_XBOX360 },
+ { 0x044f, 0x0f00, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f03, "Thrustmaster Wheel", 0, XTYPE_XBOX },
+ { 0x044f, 0x0f07, "Thrustmaster, Inc. Controller", 0, XTYPE_XBOX },
+@@ -409,6 +410,7 @@ static const signed short xpad_abs_trigg
+
+ static const struct usb_device_id xpad_table[] = {
+ { USB_INTERFACE_INFO('X', 'B', 0) }, /* X-Box USB-IF not approved class */
++ XPAD_XBOX360_VENDOR(0x0079), /* GPD Win 2 Controller */
+ XPAD_XBOX360_VENDOR(0x044f), /* Thrustmaster X-Box 360 controllers */
+ XPAD_XBOX360_VENDOR(0x045e), /* Microsoft X-Box 360 controllers */
+ XPAD_XBOXONE_VENDOR(0x045e), /* Microsoft X-Box One controllers */
diff --git a/queue-4.17/kvm-fix-typo-in-flag-name.patch b/queue-4.17/kvm-fix-typo-in-flag-name.patch
new file mode 100644
index 00000000000..4a7c9f2f735
--- /dev/null
+++ b/queue-4.17/kvm-fix-typo-in-flag-name.patch
@@ -0,0 +1,74 @@
+From 766d3571d8e50d3a73b77043dc632226f9e6b389 Mon Sep 17 00:00:00 2001
+From: "Michael S. Tsirkin"
+Date: Fri, 8 Jun 2018 02:19:53 +0300
+Subject: kvm: fix typo in flag name
+
+From: Michael S. Tsirkin
+
+commit 766d3571d8e50d3a73b77043dc632226f9e6b389 upstream.
+
+KVM_X86_DISABLE_EXITS_HTL really refers to exit on halt.
+Obviously a typo: should be named KVM_X86_DISABLE_EXITS_HLT.
+
+Fixes: caa057a2cad ("KVM: X86: Provide a capability to disable HLT intercepts")
+Cc: stable@vger.kernel.org
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/x86.c | 4 ++--
+ include/uapi/linux/kvm.h | 4 ++--
+ tools/include/uapi/linux/kvm.h | 4 ++--
+ 3 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -2894,7 +2894,7 @@ int kvm_vm_ioctl_check_extension(struct
+ r = KVM_CLOCK_TSC_STABLE;
+ break;
+ case KVM_CAP_X86_DISABLE_EXITS:
+- r |= KVM_X86_DISABLE_EXITS_HTL | KVM_X86_DISABLE_EXITS_PAUSE;
++ r |= KVM_X86_DISABLE_EXITS_HLT | KVM_X86_DISABLE_EXITS_PAUSE;
+ if(kvm_can_mwait_in_guest())
+ r |= KVM_X86_DISABLE_EXITS_MWAIT;
+ break;
+@@ -4248,7 +4248,7 @@ split_irqchip_unlock:
+ if ((cap->args[0] & KVM_X86_DISABLE_EXITS_MWAIT) &&
+ kvm_can_mwait_in_guest())
+ kvm->arch.mwait_in_guest = true;
+- if (cap->args[0] & KVM_X86_DISABLE_EXITS_HTL)
++ if (cap->args[0] & KVM_X86_DISABLE_EXITS_HLT)
+ kvm->arch.hlt_in_guest = true;
+ if (cap->args[0] & KVM_X86_DISABLE_EXITS_PAUSE)
+ kvm->arch.pause_in_guest = true;
+--- a/include/uapi/linux/kvm.h
++++ b/include/uapi/linux/kvm.h
+@@ -677,10 +677,10 @@ struct kvm_ioeventfd {
+ };
+
+ #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0)
+-#define KVM_X86_DISABLE_EXITS_HTL (1 << 1)
++#define KVM_X86_DISABLE_EXITS_HLT (1 << 1)
+ #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2)
+ #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \
+- KVM_X86_DISABLE_EXITS_HTL | \
++ KVM_X86_DISABLE_EXITS_HLT | \
+ KVM_X86_DISABLE_EXITS_PAUSE)
+
+ /* for KVM_ENABLE_CAP */
+--- a/tools/include/uapi/linux/kvm.h
++++ b/tools/include/uapi/linux/kvm.h
+@@ -677,10 +677,10 @@ struct kvm_ioeventfd {
+ };
+
+ #define KVM_X86_DISABLE_EXITS_MWAIT (1 << 0)
+-#define KVM_X86_DISABLE_EXITS_HTL (1 << 1)
++#define KVM_X86_DISABLE_EXITS_HLT (1 << 1)
+ #define KVM_X86_DISABLE_EXITS_PAUSE (1 << 2)
+ #define KVM_X86_DISABLE_VALID_EXITS (KVM_X86_DISABLE_EXITS_MWAIT | \
+- KVM_X86_DISABLE_EXITS_HTL | \
++ KVM_X86_DISABLE_EXITS_HLT | \
+ KVM_X86_DISABLE_EXITS_PAUSE)
+
+ /* for KVM_ENABLE_CAP */
diff --git a/queue-4.17/kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch b/queue-4.17/kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch
new file mode 100644
index 00000000000..0ff4b951af0
--- /dev/null
+++ b/queue-4.17/kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch
@@ -0,0 +1,68 @@
+From 727ba748e110b4de50d142edca9d6a9b7e6111d8 Mon Sep 17 00:00:00 2001
+From: Felix Wilhelm
+Date: Mon, 11 Jun 2018 09:43:44 +0200
+Subject: kvm: nVMX: Enforce cpl=0 for VMX instructions
+
+From: Felix Wilhelm
+
+commit 727ba748e110b4de50d142edca9d6a9b7e6111d8 upstream.
+
+VMX instructions executed inside a L1 VM will always trigger a VM exit
+even when executed with cpl 3. This means we must perform the
+privilege check in software.
+
+Fixes: 70f3aac964ae("kvm: nVMX: Remove superfluous VMX instruction fault checks")
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Wilhelm
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/vmx.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -7670,6 +7670,12 @@ static int handle_vmon(struct kvm_vcpu *
+ return 1;
+ }
+
++ /* CPL=0 must be checked manually. */
++ if (vmx_get_cpl(vcpu)) {
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 1;
++ }
++
+ if (vmx->nested.vmxon) {
+ nested_vmx_failValid(vcpu, VMXERR_VMXON_IN_VMX_ROOT_OPERATION);
+ return kvm_skip_emulated_instruction(vcpu);
+@@ -7729,6 +7735,11 @@ static int handle_vmon(struct kvm_vcpu *
+ */
+ static int nested_vmx_check_permission(struct kvm_vcpu *vcpu)
+ {
++ if (vmx_get_cpl(vcpu)) {
++ kvm_queue_exception(vcpu, UD_VECTOR);
++ return 0;
++ }
++
+ if (!to_vmx(vcpu)->nested.vmxon) {
+ kvm_queue_exception(vcpu, UD_VECTOR);
+ return 0;
+@@ -8029,7 +8040,7 @@ static int handle_vmread(struct kvm_vcpu
+ if (get_vmx_mem_address(vcpu, exit_qualification,
+ vmx_instruction_info, true, &gva))
+ return 1;
+- /* _system ok, as hardware has verified cpl=0 */
++ /* _system ok, nested_vmx_check_permission has verified cpl=0 */
+ kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva,
+ &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL);
+ }
+@@ -8189,7 +8200,7 @@ static int handle_vmptrst(struct kvm_vcp
+ if (get_vmx_mem_address(vcpu, exit_qualification,
+ vmx_instruction_info, true, &vmcs_gva))
+ return 1;
+- /* ok to use *_system, as hardware has verified cpl=0 */
++ /* *_system ok, nested_vmx_check_permission has verified cpl=0 */
+ if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva,
+ (void *)&to_vmx(vcpu)->nested.current_vmptr,
+ sizeof(u64), &e)) {
diff --git a/queue-4.17/kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch b/queue-4.17/kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch
new file mode 100644
index 00000000000..adb49fdbf2e
--- /dev/null
+++ b/queue-4.17/kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch
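Review bot: The new CPL checks in handle_vmon() and nested_vmx_check_permission() queue #UD for a non-zero CPL, whereas the Intel SDM specifies #GP(0) for a VMX instruction executed at CPL > 0 and reserves #UD for the CR4.VMXE=0 and not-in-VMX-operation cases. The privilege boundary is enforced either way, but an L1 guest sees a different vector than hardware would deliver. For architectural fidelity, `kvm_inject_gp(vcpu, 0);` could replace `kvm_queue_exception(vcpu, UD_VECTOR);` in both new blocks, and in nested_vmx_check_permission() the CPL test would then belong after the `nested.vmxon` test. Separately, the handle_vmread() context line calls `kvm_write_guest_virt_system(..., NULL)` and ignores the result, so a faulting store is dropped silently; the rewritten comment is the natural place to state that this is intended, or to pass `&e` and inject the fault. All four function bodies extend beyond the hunks.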
@@ -0,0 +1,58 @@
+From a780a3ea628268b2ad0ed43d7f28d90db0ff18be Mon Sep 17 00:00:00 2001
+From: Wanpeng Li
+Date: Sun, 13 May 2018 02:24:47 -0700
+Subject: KVM: X86: Fix reserved bits check for MOV to CR3
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wanpeng Li
+
+commit a780a3ea628268b2ad0ed43d7f28d90db0ff18be upstream.
+
+MSB of CR3 is a reserved bit if the PCIDE bit is not set in CR4.
+It should be checked when PCIDE bit is not set, however commit
+'d1cd3ce900441 ("KVM: MMU: check guest CR3 reserved bits based on
+its physical address width")' removes the bit 63 checking
+unconditionally. This patch fixes it by checking bit 63 of CR3
+when PCIDE bit is not set in CR4.
+
+Fixes: d1cd3ce900441 (KVM: MMU: check guest CR3 reserved bits based on its physical address width)
+Cc: Paolo Bonzini
+Cc: Radim Krčmář
+Cc: Liran Alon
+Cc: stable@vger.kernel.org
+Reviewed-by: Junaid Shahid
+Signed-off-by: Wanpeng Li
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 4 +++-
+ arch/x86/kvm/x86.c | 2 +-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -4189,7 +4189,9 @@ static int check_cr_write(struct x86_emu
+ maxphyaddr = eax & 0xff;
+ else
+ maxphyaddr = 36;
+- rsvd = rsvd_bits(maxphyaddr, 62);
++ rsvd = rsvd_bits(maxphyaddr, 63);
++ if (ctxt->ops->get_cr(ctxt, 4) & X86_CR4_PCIDE)
++ rsvd &= ~CR3_PCID_INVD;
+ }
+
+ if (new_val & rsvd)
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -856,7 +856,7 @@ int kvm_set_cr3(struct kvm_vcpu *vcpu, u
+ }
+
+ if (is_long_mode(vcpu) &&
+- (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 62)))
++ (cr3 & rsvd_bits(cpuid_maxphyaddr(vcpu), 63)))
+ return 1;
+ else if (is_pae(vcpu) && is_paging(vcpu) &&
+ !load_pdptrs(vcpu, vcpu->arch.walk_mmu, cr3))
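Review bot: In kvm_set_cr3() the widened mask `rsvd_bits(cpuid_maxphyaddr(vcpu), 63)` treats bit 63 as reserved unconditionally, while the emulate.c hunk explicitly clears `CR3_PCID_INVD` from `rsvd` when CR4.PCIDE is set. The x86.c side is therefore only correct if `cr3` has already had that bit stripped for the PCIDE case earlier in the function, which this hunk does not show. A one-line comment above the check, such as `/* bit 63 (CR3_PCID_INVD) is expected to be masked off above when CR4.PCIDE=1 */`, would keep the two paths visibly consistent and guard against a later refactor rejecting a legitimate no-flush CR3 load. Both function bodies extend beyond the hunks, so the earlier masking should be confirmed against the full source.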
diff --git a/queue-4.17/kvm-x86-introduce-linear_-read-write-_system.patch b/queue-4.17/kvm-x86-introduce-linear_-read-write-_system.patch
new file mode 100644
index 00000000000..24abea7f8b9
--- /dev/null
+++ b/queue-4.17/kvm-x86-introduce-linear_-read-write-_system.patch
@@ -0,0 +1,185 @@
+From 79367a65743975e5cac8d24d08eccc7fdae832b0 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Wed, 6 Jun 2018 16:43:02 +0200
+Subject: KVM: x86: introduce linear_{read,write}_system
+
+From: Paolo Bonzini
+
+commit 79367a65743975e5cac8d24d08eccc7fdae832b0 upstream.
+
+Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
+as to have a smaller patch when the functions grow another argument.
+
+Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kvm/emulate.c | 64 ++++++++++++++++++++++++-------------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+--- a/arch/x86/kvm/emulate.c
++++ b/arch/x86/kvm/emulate.c
+@@ -812,6 +812,19 @@ static inline int jmp_rel(struct x86_emu
+ return assign_eip_near(ctxt, ctxt->_eip + rel);
+ }
+
++static int linear_read_system(struct x86_emulate_ctxt *ctxt, ulong linear,
++ void *data, unsigned size)
++{
++ return ctxt->ops->read_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
++static int linear_write_system(struct x86_emulate_ctxt *ctxt,
++ ulong linear, void *data,
++ unsigned int size)
++{
++ return ctxt->ops->write_std(ctxt, linear, data, size, &ctxt->exception);
++}
++
+ static int segmented_read_std(struct x86_emulate_ctxt *ctxt,
+ struct segmented_address addr,
+ void *data,
+@@ -1496,8 +1509,7 @@ static int read_interrupt_descriptor(str
+ return emulate_gp(ctxt, index << 3 | 0x2);
+
+ addr = dt.address + index * 8;
+- return ctxt->ops->read_std(ctxt, addr, desc, sizeof *desc,
+- &ctxt->exception);
++ return linear_read_system(ctxt, addr, desc, sizeof *desc);
+ }
+
+ static void get_descriptor_table_ptr(struct x86_emulate_ctxt *ctxt,
+@@ -1560,8 +1572,7 @@ static int read_segment_descriptor(struc
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- return ctxt->ops->read_std(ctxt, *desc_addr_p, desc, sizeof(*desc),
+- &ctxt->exception);
++ return linear_read_system(ctxt, *desc_addr_p, desc, sizeof(*desc));
+ }
+
+ /* allowed just for 8 bytes segments */
+@@ -1575,8 +1586,7 @@ static int write_segment_descriptor(stru
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- return ctxt->ops->write_std(ctxt, addr, desc, sizeof *desc,
+- &ctxt->exception);
++ return linear_write_system(ctxt, addr, desc, sizeof *desc);
+ }
+
+ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt,
+@@ -1737,8 +1747,7 @@ static int __load_segment_descriptor(str
+ return ret;
+ }
+ } else if (ctxt->mode == X86EMUL_MODE_PROT64) {
+- ret = ctxt->ops->read_std(ctxt, desc_addr+8, &base3,
+- sizeof(base3), &ctxt->exception);
++ ret = linear_read_system(ctxt, desc_addr+8, &base3, sizeof(base3));
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ if (emul_is_noncanonical_address(get_desc_base(&seg_desc) |
+@@ -2051,11 +2060,11 @@ static int __emulate_int_real(struct x86
+ eip_addr = dt.address + (irq << 2);
+ cs_addr = dt.address + (irq << 2) + 2;
+
+- rc = ops->read_std(ctxt, cs_addr, &cs, 2, &ctxt->exception);
++ rc = linear_read_system(ctxt, cs_addr, &cs, 2);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+- rc = ops->read_std(ctxt, eip_addr, &eip, 2, &ctxt->exception);
++ rc = linear_read_system(ctxt, eip_addr, &eip, 2);
+ if (rc != X86EMUL_CONTINUE)
+ return rc;
+
+@@ -3053,35 +3062,30 @@ static int task_switch_16(struct x86_emu
+ u16 tss_selector, u16 old_tss_sel,
+ ulong old_tss_base, struct desc_struct *new_desc)
+ {
+- const struct x86_emulate_ops *ops = ctxt->ops;
+ struct tss_segment_16 tss_seg;
+ int ret;
+ u32 new_tss_base = get_desc_base(new_desc);
+
+- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ save_state_to_tss16(ctxt, &tss_seg);
+
+- ret = ops->write_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ if (old_tss_sel != 0xffff) {
+ tss_seg.prev_task_link = old_tss_sel;
+
+- ret = ops->write_std(ctxt, new_tss_base,
+- &tss_seg.prev_task_link,
+- sizeof tss_seg.prev_task_link,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, new_tss_base,
++ &tss_seg.prev_task_link,
++ sizeof tss_seg.prev_task_link);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ }
+@@ -3197,38 +3201,34 @@ static int task_switch_32(struct x86_emu
+ u16 tss_selector, u16 old_tss_sel,
+ ulong old_tss_base, struct desc_struct *new_desc)
+ {
+- const struct x86_emulate_ops *ops = ctxt->ops;
+ struct tss_segment_32 tss_seg;
+ int ret;
+ u32 new_tss_base = get_desc_base(new_desc);
+ u32 eip_offset = offsetof(struct tss_segment_32, eip);
+ u32 ldt_sel_offset = offsetof(struct tss_segment_32, ldt_selector);
+
+- ret = ops->read_std(ctxt, old_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, old_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ save_state_to_tss32(ctxt, &tss_seg);
+
+ /* Only GP registers and segment selectors are saved */
+- ret = ops->write_std(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
+- ldt_sel_offset - eip_offset, &ctxt->exception);
++ ret = linear_write_system(ctxt, old_tss_base + eip_offset, &tss_seg.eip,
++ ldt_sel_offset - eip_offset);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+- ret = ops->read_std(ctxt, new_tss_base, &tss_seg, sizeof tss_seg,
+- &ctxt->exception);
++ ret = linear_read_system(ctxt, new_tss_base, &tss_seg, sizeof tss_seg);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+
+ if (old_tss_sel != 0xffff) {
+ tss_seg.prev_task_link = old_tss_sel;
+
+- ret = ops->write_std(ctxt, new_tss_base,
+- &tss_seg.prev_task_link,
+- sizeof tss_seg.prev_task_link,
+- &ctxt->exception);
++ ret = linear_write_system(ctxt, new_tss_base,
++ &tss_seg.prev_task_link,
++ sizeof tss_seg.prev_task_link);
+ if (ret != X86EMUL_CONTINUE)
+ return ret;
+ }
diff --git a/queue-4.17/kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch b/queue-4.17/kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch
new file mode 100644
index 00000000000..7f947708292
--- /dev/null
+++ b/queue-4.17/kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch
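Review bot: The new `linear_read_system()` and `linear_write_system()` helpers in emulate.c carry no comment saying what "system" means, yet every converted call site in these hunks is an implicit descriptor-table, interrupt-vector or TSS access rather than an instruction operand access, which suggests the helpers are meant only for accesses made on the CPU's behalf. A short header such as `/* Implicit system-structure access (IDT/GDT/LDT/TSS) by linear address; not for instruction operands. */` would make that contract explicit before the callbacks gain another argument, as the commit message anticipates. As a style nit, the two prototypes disagree on `unsigned size` versus `unsigned int size`.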
@@ -0,0 +1,193 @@ +From ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 6 Jun 2018 17:37:49 +0200 +Subject: KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system + +From: Paolo Bonzini + +commit ce14e868a54edeb2e30cb7a7b104a2fc4b9d76ca upstream. + +Int the next patch the emulator's .read_std and .write_std callbacks will +grow another argument, which is not needed in kvm_read_guest_virt and +kvm_write_guest_virt_system's callers. Since we have to make separate +functions, let's give the currently existing names a nicer interface, too. + +Fixes: 129a72a0d3c8 ("KVM: x86: Introduce segmented_write_std", 2017-01-12) +Cc: stable@vger.kernel.org +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 23 ++++++++++------------- + arch/x86/kvm/x86.c | 39 ++++++++++++++++++++++++++------------- + arch/x86/kvm/x86.h | 4 ++-- + 3 files changed, 38 insertions(+), 28 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -7588,8 +7588,7 @@ static int nested_vmx_get_vmptr(struct k + vmcs_read32(VMX_INSTRUCTION_INFO), false, &gva)) + return 1; + +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, vmpointer, +- sizeof(*vmpointer), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, vmpointer, sizeof(*vmpointer), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -8041,8 +8040,8 @@ static int handle_vmread(struct kvm_vcpu + vmx_instruction_info, true, &gva)) + return 1; + /* _system ok, nested_vmx_check_permission has verified cpl=0 */ +- kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, gva, +- &field_value, (is_long_mode(vcpu) ? 8 : 4), NULL); ++ kvm_write_guest_virt_system(vcpu, gva, &field_value, ++ (is_long_mode(vcpu) ? 
8 : 4), NULL); + } + + nested_vmx_succeed(vcpu); +@@ -8080,8 +8079,8 @@ static int handle_vmwrite(struct kvm_vcp + if (get_vmx_mem_address(vcpu, exit_qualification, + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, +- &field_value, (is_64_bit_mode(vcpu) ? 8 : 4), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &field_value, ++ (is_64_bit_mode(vcpu) ? 8 : 4), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -8201,9 +8200,9 @@ static int handle_vmptrst(struct kvm_vcp + vmx_instruction_info, true, &vmcs_gva)) + return 1; + /* *_system ok, nested_vmx_check_permission has verified cpl=0 */ +- if (kvm_write_guest_virt_system(&vcpu->arch.emulate_ctxt, vmcs_gva, +- (void *)&to_vmx(vcpu)->nested.current_vmptr, +- sizeof(u64), &e)) { ++ if (kvm_write_guest_virt_system(vcpu, vmcs_gva, ++ (void *)&to_vmx(vcpu)->nested.current_vmptr, ++ sizeof(u64), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -8250,8 +8249,7 @@ static int handle_invept(struct kvm_vcpu + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand, +- sizeof(operand), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +@@ -8315,8 +8313,7 @@ static int handle_invvpid(struct kvm_vcp + if (get_vmx_mem_address(vcpu, vmcs_readl(EXIT_QUALIFICATION), + vmx_instruction_info, false, &gva)) + return 1; +- if (kvm_read_guest_virt(&vcpu->arch.emulate_ctxt, gva, &operand, +- sizeof(operand), &e)) { ++ if (kvm_read_guest_virt(vcpu, gva, &operand, sizeof(operand), &e)) { + kvm_inject_page_fault(vcpu, &e); + return 1; + } +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4787,11 +4787,10 @@ static int kvm_fetch_guest_virt(struct x + return X86EMUL_CONTINUE; + } + +-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt, ++int 
kvm_read_guest_virt(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception) + { +- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + u32 access = (kvm_x86_ops->get_cpl(vcpu) == 3) ? PFERR_USER_MASK : 0; + + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, access, +@@ -4799,9 +4798,9 @@ int kvm_read_guest_virt(struct x86_emula + } + EXPORT_SYMBOL_GPL(kvm_read_guest_virt); + +-static int kvm_read_guest_virt_system(struct x86_emulate_ctxt *ctxt, +- gva_t addr, void *val, unsigned int bytes, +- struct x86_exception *exception) ++static int emulator_read_std(struct x86_emulate_ctxt *ctxt, ++ gva_t addr, void *val, unsigned int bytes, ++ struct x86_exception *exception) + { + struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + return kvm_read_guest_virt_helper(addr, val, bytes, vcpu, 0, exception); +@@ -4816,18 +4815,16 @@ static int kvm_read_guest_phys_system(st + return r < 0 ? X86EMUL_IO_NEEDED : X86EMUL_CONTINUE; + } + +-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, +- gva_t addr, void *val, +- unsigned int bytes, +- struct x86_exception *exception) ++static int kvm_write_guest_virt_helper(gva_t addr, void *val, unsigned int bytes, ++ struct kvm_vcpu *vcpu, u32 access, ++ struct x86_exception *exception) + { +- struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); + void *data = val; + int r = X86EMUL_CONTINUE; + + while (bytes) { + gpa_t gpa = vcpu->arch.walk_mmu->gva_to_gpa(vcpu, addr, +- PFERR_WRITE_MASK, ++ access, + exception); + unsigned offset = addr & (PAGE_SIZE-1); + unsigned towrite = min(bytes, (unsigned)PAGE_SIZE - offset); +@@ -4848,6 +4845,22 @@ int kvm_write_guest_virt_system(struct x + out: + return r; + } ++ ++static int emulator_write_std(struct x86_emulate_ctxt *ctxt, gva_t addr, void *val, ++ unsigned int bytes, struct x86_exception *exception) ++{ ++ struct kvm_vcpu *vcpu = emul_to_vcpu(ctxt); ++ ++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, ++ PFERR_WRITE_MASK, exception); ++} 
++ ++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, gva_t addr, void *val, ++ unsigned int bytes, struct x86_exception *exception) ++{ ++ return kvm_write_guest_virt_helper(addr, val, bytes, vcpu, ++ PFERR_WRITE_MASK, exception); ++} + EXPORT_SYMBOL_GPL(kvm_write_guest_virt_system); + + int handle_ud(struct kvm_vcpu *vcpu) +@@ -5600,8 +5613,8 @@ static int emulator_pre_leave_smm(struct + static const struct x86_emulate_ops emulate_ops = { + .read_gpr = emulator_read_gpr, + .write_gpr = emulator_write_gpr, +- .read_std = kvm_read_guest_virt_system, +- .write_std = kvm_write_guest_virt_system, ++ .read_std = emulator_read_std, ++ .write_std = emulator_write_std, + .read_phys = kvm_read_guest_phys_system, + .fetch = kvm_fetch_guest_virt, + .read_emulated = emulator_read_emulated, +--- a/arch/x86/kvm/x86.h ++++ b/arch/x86/kvm/x86.h +@@ -247,11 +247,11 @@ int kvm_inject_realmode_interrupt(struct + void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr); + u64 get_kvmclock_ns(struct kvm *kvm); + +-int kvm_read_guest_virt(struct x86_emulate_ctxt *ctxt, ++int kvm_read_guest_virt(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception); + +-int kvm_write_guest_virt_system(struct x86_emulate_ctxt *ctxt, ++int kvm_write_guest_virt_system(struct kvm_vcpu *vcpu, + gva_t addr, void *val, unsigned int bytes, + struct x86_exception *exception); + diff --git a/queue-4.17/nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch b/queue-4.17/nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch new file mode 100644 index 00000000000..0c7f2c49fcc --- /dev/null +++ b/queue-4.17/nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch 
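Review bot: In handle_vmread the converted call still passes `NULL` for the exception and discards the return value of `kvm_write_guest_virt_system()`, so a guest write that faults is silently dropped and the instruction is then reported as successful by `nested_vmx_succeed(vcpu)`. handle_vmptrst in the same file shows the expected shape: pass `&e`, and on a non-zero return call `kvm_inject_page_fault(vcpu, &e); return 1;`. handle_vmread would need a local `struct x86_exception e` for that; its declarations are outside the hunk. The operand size there is chosen with `is_long_mode(vcpu)` while handle_vmwrite uses `is_64_bit_mode(vcpu)`; that difference looks unintended and is worth confirming.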
@@ -0,0 +1,145 @@ +From dbafc28955fa6779dc23d1607a0fee5e509a278b Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 20 May 2018 15:19:46 +0200 +Subject: NFC: pn533: don't send USB data off of the stack + +From: Greg Kroah-Hartman + +commit dbafc28955fa6779dc23d1607a0fee5e509a278b upstream. + +It's amazing that this driver ever worked, but now that x86 doesn't +allow USB data to be sent off of the stack, it really does not work at +all. Fix this up by properly allocating the data for the small +"commands" that get sent to the device off of the stack. + +We do this for one command by having a whole urb just for ack messages, +as they can be submitted in interrupt context, so we can not use +usb_bulk_msg(). But the poweron command can sleep (and does), so use +usb_bulk_msg() for that transfer. + +Reported-by: Carlos Manuel Santos +Cc: Samuel Ortiz +Cc: Stephen Hemminger +Cc: stable +Reviewed-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/nfc/pn533/usb.c | 42 ++++++++++++++++++++++++++++++------------ + 1 file changed, 30 insertions(+), 12 deletions(-) + +--- a/drivers/nfc/pn533/usb.c ++++ b/drivers/nfc/pn533/usb.c +@@ -62,6 +62,9 @@ struct pn533_usb_phy { + struct urb *out_urb; + struct urb *in_urb; + ++ struct urb *ack_urb; ++ u8 *ack_buffer; ++ + struct pn533 *priv; + }; + +@@ -150,13 +153,16 @@ static int pn533_usb_send_ack(struct pn5 + struct pn533_usb_phy *phy = dev->phy; + static const u8 ack[6] = {0x00, 0x00, 0xff, 0x00, 0xff, 0x00}; + /* spec 7.1.1.3: Preamble, SoPC (2), ACK Code (2), Postamble */ +- int rc; + +- phy->out_urb->transfer_buffer = (u8 *)ack; +- phy->out_urb->transfer_buffer_length = sizeof(ack); +- rc = usb_submit_urb(phy->out_urb, flags); ++ if (!phy->ack_buffer) { ++ phy->ack_buffer = kmemdup(ack, sizeof(ack), flags); ++ if (!phy->ack_buffer) ++ return -ENOMEM; ++ } + +- return rc; ++ phy->ack_urb->transfer_buffer = phy->ack_buffer; ++ phy->ack_urb->transfer_buffer_length = sizeof(ack); ++ return 
usb_submit_urb(phy->ack_urb, flags); + } + + static int pn533_usb_send_frame(struct pn533 *dev, +@@ -375,26 +381,31 @@ static int pn533_acr122_poweron_rdr(stru + /* Power on th reader (CCID cmd) */ + u8 cmd[10] = {PN533_ACR122_PC_TO_RDR_ICCPOWERON, + 0, 0, 0, 0, 0, 0, 3, 0, 0}; ++ char *buffer; ++ int transferred; + int rc; + void *cntx; + struct pn533_acr122_poweron_rdr_arg arg; + + dev_dbg(&phy->udev->dev, "%s\n", __func__); + ++ buffer = kmemdup(cmd, sizeof(cmd), GFP_KERNEL); ++ if (!buffer) ++ return -ENOMEM; ++ + init_completion(&arg.done); + cntx = phy->in_urb->context; /* backup context */ + + phy->in_urb->complete = pn533_acr122_poweron_rdr_resp; + phy->in_urb->context = &arg; + +- phy->out_urb->transfer_buffer = cmd; +- phy->out_urb->transfer_buffer_length = sizeof(cmd); +- + print_hex_dump_debug("ACR122 TX: ", DUMP_PREFIX_NONE, 16, 1, + cmd, sizeof(cmd), false); + +- rc = usb_submit_urb(phy->out_urb, GFP_KERNEL); +- if (rc) { ++ rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd), ++ &transferred, 0); ++ kfree(buffer); ++ if (rc || (transferred != sizeof(cmd))) { + nfc_err(&phy->udev->dev, + "Reader power on cmd error %d\n", rc); + return rc; +@@ -490,8 +501,9 @@ static int pn533_usb_probe(struct usb_in + + phy->in_urb = usb_alloc_urb(0, GFP_KERNEL); + phy->out_urb = usb_alloc_urb(0, GFP_KERNEL); ++ phy->ack_urb = usb_alloc_urb(0, GFP_KERNEL); + +- if (!phy->in_urb || !phy->out_urb) ++ if (!phy->in_urb || !phy->out_urb || !phy->ack_urb) + goto error; + + usb_fill_bulk_urb(phy->in_urb, phy->udev, +@@ -501,7 +513,9 @@ static int pn533_usb_probe(struct usb_in + usb_fill_bulk_urb(phy->out_urb, phy->udev, + usb_sndbulkpipe(phy->udev, out_endpoint), + NULL, 0, pn533_send_complete, phy); +- ++ usb_fill_bulk_urb(phy->ack_urb, phy->udev, ++ usb_sndbulkpipe(phy->udev, out_endpoint), ++ NULL, 0, pn533_send_complete, phy); + + switch (id->driver_info) { + case PN533_DEVICE_STD: +@@ -554,6 +568,7 @@ static int pn533_usb_probe(struct usb_in + error: + 
usb_free_urb(phy->in_urb); + usb_free_urb(phy->out_urb); ++ usb_free_urb(phy->ack_urb); + usb_put_dev(phy->udev); + kfree(in_buf); + +@@ -573,10 +588,13 @@ static void pn533_usb_disconnect(struct + + usb_kill_urb(phy->in_urb); + usb_kill_urb(phy->out_urb); ++ usb_kill_urb(phy->ack_urb); + + kfree(phy->in_urb->transfer_buffer); + usb_free_urb(phy->in_urb); + usb_free_urb(phy->out_urb); ++ usb_free_urb(phy->ack_urb); ++ kfree(phy->ack_buffer); + + nfc_info(&interface->dev, "NXP PN533 NFC device disconnected\n"); + } diff --git a/queue-4.17/phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch b/queue-4.17/phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch new file mode 100644 index 00000000000..f9db8373bc3 --- /dev/null +++ b/queue-4.17/phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch 
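Review bot: In pn533_acr122_poweron_rdr a short transfer is reported as success: the new test `if (rc || (transferred != sizeof(cmd)))` takes the error branch when `rc` is 0 and `transferred` is short, and the branch then does `return rc;`, which returns 0. Map that case to an error before the test, e.g. `if (!rc && transferred != sizeof(cmd)) rc = -EIO;`. The same early return leaves `phy->in_urb->complete` and `phy->in_urb->context` pointing at the on-stack `arg` installed a few lines above; the restore of `cntx` is outside the hunk, so it is worth checking that this path cannot leave a stale stack pointer in the URB.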
@@ -0,0 +1,39 @@ +From 0b4555e776ba0712c6fafb98b226b21fd05d2427 Mon Sep 17 00:00:00 2001 +From: Manu Gautam +Date: Thu, 3 May 2018 02:36:10 +0530 +Subject: phy: qcom-qusb2: Fix crash if nvmem cell not specified + +From: Manu Gautam + +commit 0b4555e776ba0712c6fafb98b226b21fd05d2427 upstream. + +Driver currently crashes due to NULL pointer deference +while updating PHY tune register if nvmem cell is NULL. +Since, fused value for Tune1/2 register is optional, +we'd rather bail out. + +Fixes: ca04d9d3e1b1 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips") +Reviewed-by: Vivek Gautam +Reviewed-by: Evan Green +Cc: stable # 4.14+ +Signed-off-by: Manu Gautam +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/phy/qualcomm/phy-qcom-qusb2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/phy/qualcomm/phy-qcom-qusb2.c ++++ b/drivers/phy/qualcomm/phy-qcom-qusb2.c +@@ -315,6 +315,10 @@ static void qusb2_phy_set_tune2_param(st + const struct qusb2_phy_cfg *cfg = qphy->cfg; + u8 *val; + ++ /* efuse register is optional */ ++ if (!qphy->cell) ++ return; ++ + /* + * Read efuse register having TUNE2/1 parameter's high nibble. + * If efuse register shows value as 0x0, or if we fail to find diff --git a/queue-4.17/serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch b/queue-4.17/serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch new file mode 100644 index 00000000000..ee62acbf29a --- /dev/null +++ b/queue-4.17/serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch 
@@ -0,0 +1,92 @@ +From 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Fri, 4 May 2018 10:44:09 -0700 +Subject: serial: 8250: omap: Fix idling of clocks for unused uarts + +From: Tony Lindgren + +commit 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba upstream. + +I noticed that unused UARTs won't necessarily idle properly always +unless at least one byte tx transfer is done first. + +After some debugging I narrowed down the problem to the scr register +dma configuration bits that need to be set before softreset for the +clocks to idle. Unless we do this, the module clkctrl idlest bits +may be set to 1 instead of 3 meaning the clock will never idle and +is blocking deeper idle states for the whole domain. + +This might be related to the configuration done by the bootloader +or kexec booting where certain configurations cause the 8250 or +the clkctrl clock to jam in a way where setting of the scr bits +and reset is needed to clear it. I've tried diffing the 8250 +registers for the various modes, but did not see anything specific. +So far I've only seen this on omap4 but I'm suspecting this might +also happen on the other clkctrl using SoCs considering they +already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE. + +Let's fix the issue by configuring scr before reset for basic dma +even if we don't use it. The scr register will be reset when we do +softreset few lines after, and we restore scr on resume. We should +do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag +set since the ones with UART_ERRATA_CLOCK_DISABLE are all based +using clkctrl similar to omap4. + +Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL +bits are needed for the clkctrl to idle after a softreset. + +And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE +for the related workaround to be enabled. This same compatible +value will also be used for omap5. 
+ +Fixes: cdb929e4452a ("serial: 8250_omap: workaround errata around idling UART after using DMA") +Cc: Keerthy +Cc: Matthijs van Duin +Cc: Sekhar Nori +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_omap.c | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_omap.c ++++ b/drivers/tty/serial/8250/8250_omap.c +@@ -1110,13 +1110,14 @@ static int omap8250_no_handle_irq(struct + return 0; + } + ++static const u8 omap4_habit = UART_ERRATA_CLOCK_DISABLE; + static const u8 am3352_habit = OMAP_DMA_TX_KICK | UART_ERRATA_CLOCK_DISABLE; + static const u8 dra742_habit = UART_ERRATA_CLOCK_DISABLE; + + static const struct of_device_id omap8250_dt_ids[] = { + { .compatible = "ti,omap2-uart" }, + { .compatible = "ti,omap3-uart" }, +- { .compatible = "ti,omap4-uart" }, ++ { .compatible = "ti,omap4-uart", .data = &omap4_habit, }, + { .compatible = "ti,am3352-uart", .data = &am3352_habit, }, + { .compatible = "ti,am4372-uart", .data = &am3352_habit, }, + { .compatible = "ti,dra742-uart", .data = &dra742_habit, }, +@@ -1353,6 +1354,19 @@ static int omap8250_soft_reset(struct de + int sysc; + int syss; + ++ /* ++ * At least on omap4, unused uarts may not idle after reset without ++ * a basic scr dma configuration even with no dma in use. The ++ * module clkctrl status bits will be 1 instead of 3 blocking idle ++ * for the whole clockdomain. The softreset below will clear scr, ++ * and we restore it on resume so this is safe to do on all SoCs ++ * needing omap8250_soft_reset() quirk. Do it in two writes as ++ * recommended in the comment for omap8250_update_scr(). ++ */ ++ serial_out(up, UART_OMAP_SCR, OMAP_UART_SCR_DMAMODE_1); ++ serial_out(up, UART_OMAP_SCR, ++ OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL); ++ + sysc = serial_in(up, UART_OMAP_SYSC); + + /* softreset the UART */ 
diff --git a/queue-4.17/serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch b/queue-4.17/serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch
new file mode 100644
index 00000000000..16be63cf06a
--- /dev/null
+++ b/queue-4.17/serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch
@@ -0,0 +1,43 @@
+From aa2f80e752c75e593b3820f42c416ed9458fa73e Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski
+Date: Thu, 10 May 2018 08:41:13 +0200
+Subject: serial: samsung: fix maxburst parameter for DMA transactions
+
+From: Marek Szyprowski
+
+commit aa2f80e752c75e593b3820f42c416ed9458fa73e upstream.
+
+The best granularity of residue that DMA engine can report is in the BURST
+units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
+if it relies on exact number of bytes transferred by DMA engine.
+
+Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions")
+Signed-off-by: Marek Szyprowski
+Acked-by: Krzysztof Kozlowski
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/samsung.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/serial/samsung.c
++++ b/drivers/tty/serial/samsung.c
+@@ -862,15 +862,12 @@ static int s3c24xx_serial_request_dma(st
+ dma->rx_conf.direction = DMA_DEV_TO_MEM;
+ dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
+ dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH;
+- dma->rx_conf.src_maxburst = 16;
++ dma->rx_conf.src_maxburst = 1;
+
+ dma->tx_conf.direction = DMA_MEM_TO_DEV;
+ dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
+ dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH;
+- if (dma_get_cache_alignment() >= 16)
+- dma->tx_conf.dst_maxburst = 16;
+- else
+- dma->tx_conf.dst_maxburst = 1;
++ dma->tx_conf.dst_maxburst = 1;
+
+ dma->rx_chan = dma_request_chan(p->port.dev, "rx");
+
diff --git a/queue-4.17/serial-sh-sci-stop-using-printk-format-pcr.patch b/queue-4.17/serial-sh-sci-stop-using-printk-format-pcr.patch
new file mode 100644
index 00000000000..37cbd9477ae
--- /dev/null
+++ b/queue-4.17/serial-sh-sci-stop-using-printk-format-pcr.patch
@@ -0,0 +1,59 @@
+From d63c16f8e1ab761775275adcf54f4bef7c330295 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Fri, 1 Jun 2018 11:28:21 +0200
+Subject: serial: sh-sci: Stop using printk format %pCr
+
+From: Geert Uytterhoeven
+
+commit d63c16f8e1ab761775275adcf54f4bef7c330295 upstream.
+
+Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
+called in atomic context.
+
+Replace it by open-coding the operation. This is safe here, as the code
+runs in task context.
+
+Link: http://lkml.kernel.org/r/1527845302-12159-4-git-send-email-geert+renesas@glider.be
+To: Jia-Ju Bai
+To: Jonathan Corbet
+To: Michael Turquette
+To: Stephen Boyd
+To: Zhang Rui
+To: Eduardo Valentin
+To: Eric Anholt
+To: Stefan Wahren
+To: Greg Kroah-Hartman
+Cc: Sergey Senozhatsky
+Cc: Petr Mladek
+Cc: Linus Torvalds
+Cc: Steven Rostedt
+Cc: linux-doc@vger.kernel.org
+Cc: linux-clk@vger.kernel.org
+Cc: linux-pm@vger.kernel.org
+Cc: linux-serial@vger.kernel.org
+Cc: linux-arm-kernel@lists.infradead.org
+Cc: linux-renesas-soc@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Geert Uytterhoeven
+Cc: stable@vger.kernel.org # 4.5+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Petr Mladek
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/sh-sci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2704,8 +2704,8 @@ found:
+ dev_dbg(dev, "failed to get %s (%ld)\n", clk_names[i],
+ PTR_ERR(clk));
+ else
+- dev_dbg(dev, "clk %s is %pC rate %pCr\n", clk_names[i],
+- clk, clk);
++ dev_dbg(dev, "clk %s is %pC rate %lu\n", clk_names[i],
++ clk, clk_get_rate(clk));
+ sci_port->clks[i] = IS_ERR(clk) ? NULL : clk;
+ }
+ return 0;
diff --git a/queue-4.17/series b/queue-4.17/series
index 5d7c1d9706d..7b42a8b8b43 100644
--- a/queue-4.17/series
+++ b/queue-4.17/series
@@ -1,2 +1,32 @@
 crypto-chelsio-request-to-hw-should-wrap.patch
 blkdev_report_zones_ioctl-use-vmalloc-to-allocate-large-buffers.patch
+kvm-x86-fix-reserved-bits-check-for-mov-to-cr3.patch
+kvm-x86-introduce-linear_-read-write-_system.patch
+kvm-fix-typo-in-flag-name.patch
+kvm-nvmx-enforce-cpl-0-for-vmx-instructions.patch
+kvm-x86-pass-kvm_vcpu-to-kvm_read_guest_virt-and-kvm_write_guest_virt_system.patch
+staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch
+nfc-pn533-don-t-send-usb-data-off-of-the-stack.patch
+usbip-vhci_sysfs-fix-potential-spectre-v1.patch
+usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch
+usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch
+input-xpad-add-gpd-win-2-controller-usb-ids.patch
+phy-qcom-qusb2-fix-crash-if-nvmem-cell-not-specified.patch
+usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch
+usb-typec-wcove-remove-dependency-on-hw-fsm.patch
+usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch
+usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch
+usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch
+usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch
+usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch
+usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch
+usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch
+serial-sh-sci-stop-using-printk-format-pcr.patch
+tty-serial-atmel-use-port-name-as-name-in-request_irq.patch
+serial-samsung-fix-maxburst-parameter-for-dma-transactions.patch
+serial-8250-omap-fix-idling-of-clocks-for-unused-uarts.patch
+vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch
+doc-fix-sysfs-abi-documentation.patch
+arm64-defconfig-enable-config_pinctrl_mt7622-by-default.patch
+tty-pl011-avoid-spuriously-stuck-off-interrupts.patch
+crypto-ccree-correct-host-regs-offset.patch
diff --git a/queue-4.17/staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch b/queue-4.17/staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch
new file mode 100644
index 00000000000..26849f20d83
--- /dev/null
+++ b/queue-4.17/staging-android-ion-switch-to-pr_warn_once-in-ion_buffer_destroy.patch
@@ -0,0 +1,45 @@
+From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001
+From: Laura Abbott
+Date: Mon, 14 May 2018 14:35:09 -0700
+Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy
+
+From: Laura Abbott
+
+commit 45ad559a29629cb1c64ee636563c69b71524f077 upstream.
+
+Syzbot reported yet another warning with Ion:
+
+WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
+ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
+Kernel panic - not syncing: panic_on_warn set ...
+
+This is catching that a buffer was freed with an existing kernel mapping
+still present. This can be easily be triggered from userspace by calling
+DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
+pr_warn_once to indicate the error without being disruptive.
+
+Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
+Reported-by: syzbot
+Signed-off-by: Laura Abbott
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ion/ion.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/android/ion/ion.c
++++ b/drivers/staging/android/ion/ion.c
+@@ -114,8 +114,11 @@ err2:
+
+ void ion_buffer_destroy(struct ion_buffer *buffer)
+ {
+- if (WARN_ON(buffer->kmap_cnt > 0))
++ if (buffer->kmap_cnt > 0) {
++ pr_warn_once("%s: buffer still mapped in the kernel\n",
++ __func__);
+ buffer->heap->ops->unmap_kernel(buffer->heap, buffer);
++ }
+ buffer->heap->ops->free(buffer);
+ kfree(buffer);
+ }
diff --git a/queue-4.17/tty-pl011-avoid-spuriously-stuck-off-interrupts.patch b/queue-4.17/tty-pl011-avoid-spuriously-stuck-off-interrupts.patch
new file mode 100644
index 00000000000..121f3688538
--- /dev/null
+++ b/queue-4.17/tty-pl011-avoid-spuriously-stuck-off-interrupts.patch
@@ -0,0 +1,103 @@ +From 4a7e625ce50412a7711efa0f2ef0b96ce3826759 Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Thu, 10 May 2018 18:08:23 +0100 +Subject: tty: pl011: Avoid spuriously stuck-off interrupts + +From: Dave Martin + +commit 4a7e625ce50412a7711efa0f2ef0b96ce3826759 upstream. + +Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts") +clears the RX and receive timeout interrupts on pl011 startup, to +avoid a screaming-interrupt scenario that can occur when the +firmware or bootloader leaves these interrupts asserted. + +This has been noted as an issue when running Linux on qemu [1]. + +Unfortunately, the above fix seems to lead to potential +misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously +on driver startup, if the RX FIFO is also already full to the +trigger level. + +Clearing the RX FIFO interrupt does not change the FIFO fill level. +In this scenario, because the interrupt is now clear and because +the FIFO is already full to the trigger level, no new assertion of +the RX FIFO interrupt can occur unless the FIFO is drained back +below the trigger level. This never occurs because the pl011 +driver is waiting for an RX FIFO interrupt to tell it that there is +something to read, and does not read the FIFO at all until that +interrupt occurs. + +Thus, simply clearing "spurious" interrupts on startup may be +misguided, since there is no way to be sure that the interrupts are +truly spurious, and things can go wrong if they are not. + +This patch instead clears the interrupt condition by draining the +RX FIFO during UART startup, after clearing any potentially +spurious interrupt. This should ensure that an interrupt will +definitely be asserted if the RX FIFO subsequently becomes +sufficiently full. + +The drain is done at the point of enabling interrupts only. This +means that it will occur any time the UART is newly opened through +the tty layer. 
It will not apply to polled-mode use of the UART by +kgdboc: since that scenario cannot use interrupts by design, this +should not matter. kgdboc will interact badly with "normal" use of +the UART in any case: this patch makes no attempt to paper over +such issues. + +This patch does not attempt to address the case where the RX FIFO +fills faster than it can be drained: that is a pathological +hardware design problem that is beyond the scope of the driver to +work around. As a failsafe, the number of poll iterations for +draining the FIFO is limited to twice the FIFO size. This will +ensure that the kernel at least boots even if it is impossible to +drain the FIFO for some reason. + +[1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo +before enabled the interruption +https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html + +Reported-by: Wei Xu +Cc: Russell King +Cc: Linus Walleij +Cc: Peter Maydell +Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts") +Signed-off-by: Dave Martin +Cc: stable +Tested-by: Wei Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1727,10 +1727,26 @@ static int pl011_allocate_irq(struct uar + */ + static void pl011_enable_interrupts(struct uart_amba_port *uap) + { ++ unsigned int i; ++ + spin_lock_irq(&uap->port.lock); + + /* Clear out any spuriously appearing RX interrupts */ + pl011_write(UART011_RTIS | UART011_RXIS, uap, REG_ICR); ++ ++ /* ++ * RXIS is asserted only when the RX FIFO transitions from below ++ * to above the trigger threshold. If the RX FIFO is already ++ * full to the threshold this can't happen and RXIS will now be ++ * stuck off. 
Drain the RX FIFO explicitly to fix this: ++ */ ++ for (i = 0; i < uap->fifosize * 2; ++i) { ++ if (pl011_read(uap, REG_FR) & UART01x_FR_RXFE) ++ break; ++ ++ pl011_read(uap, REG_DR); ++ } ++ + uap->im = UART011_RTIM; + if (!pl011_dma_rx_running(uap)) + uap->im |= UART011_RXIM; diff --git a/queue-4.17/tty-serial-atmel-use-port-name-as-name-in-request_irq.patch b/queue-4.17/tty-serial-atmel-use-port-name-as-name-in-request_irq.patch new file mode 100644 index 00000000000..997b96bac5f --- /dev/null +++ b/queue-4.17/tty-serial-atmel-use-port-name-as-name-in-request_irq.patch 
@@ -0,0 +1,63 @@ +From 9594b5be7ec110ed11acec58fa94f3f293668c85 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Mon, 7 May 2018 19:11:30 +0200 +Subject: tty/serial: atmel: use port->name as name in request_irq() + +From: Sebastian Andrzej Siewior + +commit 9594b5be7ec110ed11acec58fa94f3f293668c85 upstream. + +I was puzzled while looking at /proc/interrupts and random things showed +up between reboots. This occurred more often but I realised it later. The +"correct" output should be: +|38: 11861 atmel-aic5 2 Level ttyS0 + +but I saw sometimes +|38: 6426 atmel-aic5 2 Level tty1 + +and accounted it wrongly as correct. This is use after free and the +former example randomly got the "old" pointer which pointed to the same +content. With SLAB_FREELIST_RANDOM and HARDENED I even got +|38: 7067 atmel-aic5 2 Level E=Started User Manager for UID 0 + +or other nonsense. +As it turns out the tty, pointer that is accessed in atmel_startup(), is +freed() before atmel_shutdown(). It seems to happen quite often that the +tty for ttyS0 is allocated and freed while ->shutdown is not invoked. I +don't do anything special - just a systemd boot :) + +Use dev_name(&pdev->dev) as the IRQ name for request_irq(). This exists +as long as the driver is loaded so no use-after-free here. 
+ +Cc: stable@vger.kernel.org +Fixes: 761ed4a94582 ("tty: serial_core: convert uart_close to use tty_port_close") +Acked-by: Richard Genoud +Acked-by: Rob Herring +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1757,7 +1757,6 @@ static int atmel_startup(struct uart_por + { + struct platform_device *pdev = to_platform_device(port->dev); + struct atmel_uart_port *atmel_port = to_atmel_uart_port(port); +- struct tty_struct *tty = port->state->port.tty; + int retval; + + /* +@@ -1772,8 +1771,8 @@ static int atmel_startup(struct uart_por + * Allocate the IRQ + */ + retval = request_irq(port->irq, atmel_interrupt, +- IRQF_SHARED | IRQF_COND_SUSPEND, +- tty ? tty->name : "atmel_serial", port); ++ IRQF_SHARED | IRQF_COND_SUSPEND, ++ dev_name(&pdev->dev), port); + if (retval) { + dev_err(port->dev, "atmel_startup - Can't get irq\n"); + return retval; diff --git a/queue-4.17/usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch b/queue-4.17/usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch new file mode 100644 index 00000000000..b3cf6e346dd --- /dev/null +++ b/queue-4.17/usb-core-message-remove-extra-endianness-conversion-in-usb_set_isoch_delay.patch 
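Review bot: The request_irq() call in atmel_startup carries no comment explaining why the IRQ name is taken from the device rather than from the tty, so a later cleanup could bring back the use-after-free that the description explains. Above the call, next to the existing "Allocate the IRQ" comment, add something like `/* IRQ name must outlive the tty: tty->name can be freed before ->shutdown() runs */`. The subject line says port->name while the new code passes `dev_name(&pdev->dev)`, so the comment should name what the code actually uses. atmel_startup's body continues outside the hunk.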
@@ -0,0 +1,35 @@ +From 48b73d0fa11aa8613d51f7be61d2fa7f0ab05fd3 Mon Sep 17 00:00:00 2001 +From: Ruslan Bilovol +Date: Fri, 25 May 2018 19:11:40 +0300 +Subject: usb: core: message: remove extra endianness conversion in usb_set_isoch_delay + +From: Ruslan Bilovol + +commit 48b73d0fa11aa8613d51f7be61d2fa7f0ab05fd3 upstream. + +No need to do extra endianness conversion in +usb_set_isoch_delay because it is already done +in usb_control_msg() + +Fixes: 886ee36e7205 ("usb: core: add support for USB_REQ_SET_ISOCH_DELAY") +Cc: Dmytro Panchenko +Cc: Felipe Balbi +Cc: stable # v4.16+ +Signed-off-by: Ruslan Bilovol +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -940,7 +940,7 @@ int usb_set_isoch_delay(struct usb_devic + return usb_control_msg(dev, usb_sndctrlpipe(dev, 0), + USB_REQ_SET_ISOCH_DELAY, + USB_DIR_OUT | USB_TYPE_STANDARD | USB_RECIP_DEVICE, +- cpu_to_le16(dev->hub_delay), 0, NULL, 0, ++ dev->hub_delay, 0, NULL, 0, + USB_CTRL_SET_TIMEOUT); + } + diff --git a/queue-4.17/usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch b/queue-4.17/usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch new file mode 100644 index 00000000000..6de8aba9af2 --- /dev/null +++ b/queue-4.17/usb-gadget-function-printer-avoid-wrong-list-handling-in-printer_write.patch 
@@ -0,0 +1,53 @@ +From 4a014a7339f441b0851ce012f469c0fadac61c81 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 21 May 2018 20:18:07 +0900 +Subject: usb: gadget: function: printer: avoid wrong list handling in printer_write() + +From: Yoshihiro Shimoda + +commit 4a014a7339f441b0851ce012f469c0fadac61c81 upstream. + +When printer_write() calls usb_ep_queue(), a udc driver (e.g. +renesas_usbhs driver) may call usb_gadget_giveback_request() in +the udc .queue ops immediately. Then, printer_write() calls +list_add(&req->list, &dev->tx_reqs_active) wrongly. After that, +if we do unbind the printer driver, WARN_ON() happens in +printer_func_unbind() because the list entry is not removed. + +So, this patch moves list_add(&req->list, &dev->tx_reqs_active) +calling before usb_ep_queue(). + +Signed-off-by: Yoshihiro Shimoda +Acked-by: Felipe Balbi +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_printer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -631,19 +631,19 @@ printer_write(struct file *fd, const cha + return -EAGAIN; + } + ++ list_add(&req->list, &dev->tx_reqs_active); ++ + /* here, we unlock, and only unlock, to avoid deadlock. */ + spin_unlock(&dev->lock); + value = usb_ep_queue(dev->in_ep, req, GFP_ATOMIC); + spin_lock(&dev->lock); + if (value) { ++ list_del(&req->list); + list_add(&req->list, &dev->tx_reqs); + spin_unlock_irqrestore(&dev->lock, flags); + mutex_unlock(&dev->lock_printer_io); + return -EAGAIN; + } +- +- list_add(&req->list, &dev->tx_reqs_active); +- + } + + spin_unlock_irqrestore(&dev->lock, flags); diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch new file mode 100644 index 00000000000..eaa36482d58 --- /dev/null 
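Review bot: In the error branch after usb_ep_queue() in printer_write(), the new `list_del(&req->list);` followed by `list_add(&req->list, &dev->tx_reqs);` is the open-coded form of `list_move(&req->list, &dev->tx_reqs);`. Using list_move() makes it clear that the request is being handed back from tx_reqs_active to the free list in one step. A short comment above the early `list_add()` would also help, for example `/* add before queueing: the UDC may complete the request inside usb_ep_queue() */`, because that ordering is the fix. printer_write() starts and ends outside the hunk.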
+++ b/queue-4.17/usb-gadget-udc-renesas_usb3-disable-the-controller-s-irqs-for-reconnecting.patch @@ -0,0 +1,40 @@ +From bd6bce004d78b867ba0c6d3712f1c5b50398af9a Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 10 Apr 2018 14:38:54 +0900 +Subject: usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting + +From: Yoshihiro Shimoda + +commit bd6bce004d78b867ba0c6d3712f1c5b50398af9a upstream. + +This patch fixes an issue that reconnection is possible to fail +because unexpected state handling happens by the irqs. To fix the issue, +the driver disables the controller's irqs when disconnected. + +Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") +Cc: # v4.5+ +Reviewed-by: Simon Horman +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -623,6 +623,13 @@ static void usb3_disconnect(struct renes + usb3_usb2_pullup(usb3, 0); + usb3_clear_bit(usb3, USB30_CON_B3_CONNECT, USB3_USB30_CON); + usb3_reset_epc(usb3); ++ usb3_disable_irq_1(usb3, USB_INT_1_B2_RSUM | USB_INT_1_B3_PLLWKUP | ++ USB_INT_1_B3_LUPSUCS | USB_INT_1_B3_DISABLE | ++ USB_INT_1_SPEED | USB_INT_1_B3_WRMRST | ++ USB_INT_1_B3_HOTRST | USB_INT_1_B2_SPND | ++ USB_INT_1_B2_L1SPND | USB_INT_1_B2_USBRST); ++ usb3_clear_bit(usb3, USB_COM_CON_SPD_MODE, USB3_USB_COM_CON); ++ usb3_init_epc_registers(usb3); + + if (usb3->driver) + usb3->driver->disconnect(&usb3->gadget); diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch new file mode 100644 index 00000000000..5d4fb08b0ef --- /dev/null +++ b/queue-4.17/usb-gadget-udc-renesas_usb3-fix-double-phy_put.patch 
@@ -0,0 +1,35 @@ +From 8223b2f89ca63e203dcb54148e30d94979f17b0b Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Mon, 2 Apr 2018 21:21:31 +0900 +Subject: usb: gadget: udc: renesas_usb3: fix double phy_put() + +From: Yoshihiro Shimoda + +commit 8223b2f89ca63e203dcb54148e30d94979f17b0b upstream. + +This patch fixes an issue that this driver cause double phy_put() +calling. This driver must not call phy_put() in the remove because +the driver calls devm_phy_get() in the probe. + +Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy") +Cc: # v4.15+ +Reviewed-by: Simon Horman +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -2408,8 +2408,6 @@ static int renesas_usb3_remove(struct pl + renesas_usb3_dma_free_prd(usb3, &pdev->dev); + + __renesas_usb3_ep_free_request(usb3->ep0_req); +- if (usb3->phy) +- phy_put(usb3->phy); + pm_runtime_disable(&pdev->dev); + + return 0; diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch new file mode 100644 index 00000000000..dd0462b3d71 --- /dev/null +++ b/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-devm_phy_get-before-add-udc.patch 
@@ -0,0 +1,57 @@ +From 003bc1dee216b1fb8e02040a95672bea0f1fe797 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 10 Apr 2018 14:38:52 +0900 +Subject: usb: gadget: udc: renesas_usb3: should call devm_phy_get() before add udc + +From: Yoshihiro Shimoda + +commit 003bc1dee216b1fb8e02040a95672bea0f1fe797 upstream. + +This patch fixes an issue that this driver cannot call phy_init() +if a gadget driver is alreadly loaded because usb_add_gadget_udc() +might call renesas_usb3_start() via .udc_start. +This patch also revises the typo (s/an optional/optional/). + +Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy") +Cc: # v4.15+ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -2632,6 +2632,14 @@ static int renesas_usb3_probe(struct pla + if (ret < 0) + goto err_alloc_prd; + ++ /* ++ * This is optional. So, if this driver cannot get a phy, ++ * this driver will not handle a phy anymore. ++ */ ++ usb3->phy = devm_phy_get(&pdev->dev, "usb"); ++ if (IS_ERR(usb3->phy)) ++ usb3->phy = NULL; ++ + pm_runtime_enable(&pdev->dev); + ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget); + if (ret < 0) +@@ -2641,14 +2649,6 @@ static int renesas_usb3_probe(struct pla + if (ret < 0) + goto err_dev_create; + +- /* +- * This is an optional. So, if this driver cannot get a phy, +- * this driver will not handle a phy anymore. +- */ +- usb3->phy = devm_phy_get(&pdev->dev, "usb"); +- if (IS_ERR(usb3->phy)) +- usb3->phy = NULL; +- + usb3->workaround_for_vbus = priv->workaround_for_vbus; + + renesas_usb3_debugfs_init(usb3, &pdev->dev); 
diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch new file mode 100644 index 00000000000..c7ab92b0e25 --- /dev/null +++ b/queue-4.17/usb-gadget-udc-renesas_usb3-should-call-pm_runtime_enable-before-add-udc.patch @@ -0,0 +1,45 @@ +From d998844016b24a8d71b9aa5eae7e51d70f2de438 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 10 Apr 2018 14:38:51 +0900 +Subject: usb: gadget: udc: renesas_usb3: should call pm_runtime_enable() before add udc + +From: Yoshihiro Shimoda + +commit d998844016b24a8d71b9aa5eae7e51d70f2de438 upstream. + +This patch fixes an issue that this driver causes panic if a gadget +driver is already loaded because usb_add_gadget_udc() might call +renesas_usb3_start() via .udc_start, and then pm_runtime_get_sync() +in renesas_usb3_start() doesn't work correctly. +Note that the usb3_to_dev() macro should not be called at this timing +because the macro uses the gadget structure. + +Fixes: cf06df3fae28 ("usb: gadget: udc: renesas_usb3: move pm_runtime_{en,dis}able()") +Cc: # v4.15+ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -2632,6 +2632,7 @@ static int renesas_usb3_probe(struct pla + if (ret < 0) + goto err_alloc_prd; + ++ pm_runtime_enable(&pdev->dev); + ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget); + if (ret < 0) + goto err_add_udc; +@@ -2653,7 +2654,6 @@ static int renesas_usb3_probe(struct pla + renesas_usb3_debugfs_init(usb3, &pdev->dev); + + dev_info(&pdev->dev, "probed%s\n", usb3->phy ? " with phy" : ""); +- pm_runtime_enable(usb3_to_dev(usb3)); + + return 0; + 
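Review bot: Both `goto err_add_udc` and the later `goto err_dev_create` in renesas_usb3_probe() are now reached after `pm_runtime_enable(&pdev->dev)`, and the hunk adds no matching disable on those paths. Before this change the enable was the last statement of the probe, so no failure path needed one. The labels are outside the hunk, so this cannot be confirmed here, but if they do not already do so they should call `pm_runtime_disable(&pdev->dev);` for jumps taken after the enable, otherwise a failed probe leaves runtime PM enabled on the device.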
diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch new file mode 100644 index 00000000000..20eb804f156 --- /dev/null +++ b/queue-4.17/usb-gadget-udc-renesas_usb3-should-fail-if-devm_phy_get-returns-error.patch @@ -0,0 +1,43 @@ +From 0259068f63f23a665ded28647f2f9cdb6b20dc72 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 10 Apr 2018 14:38:53 +0900 +Subject: usb: gadget: udc: renesas_usb3: should fail if devm_phy_get() returns error + +From: Yoshihiro Shimoda + +commit 0259068f63f23a665ded28647f2f9cdb6b20dc72 upstream. + +This patch fixes an issue that this driver ignores errors other than +the non-existence of the device, f.e. a memory allocation failure +in devm_phy_get(). So, this patch replaces devm_phy_get() with +devm_phy_optional_get(). + +Reported-by: Simon Horman +Fixes: 279d4bc64060 ("usb: gadget: udc: renesas_usb3: add support for generic phy") +Cc: # v4.15+ +Reviewed-by: Simon Horman +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -2636,9 +2636,11 @@ static int renesas_usb3_probe(struct pla + * This is optional. So, if this driver cannot get a phy, + * this driver will not handle a phy anymore. + */ +- usb3->phy = devm_phy_get(&pdev->dev, "usb"); +- if (IS_ERR(usb3->phy)) +- usb3->phy = NULL; ++ usb3->phy = devm_phy_optional_get(&pdev->dev, "usb"); ++ if (IS_ERR(usb3->phy)) { ++ ret = PTR_ERR(usb3->phy); ++ goto err_add_udc; ++ } + + pm_runtime_enable(&pdev->dev); + ret = usb_add_gadget_udc(&pdev->dev, &usb3->gadget); 
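Review bot: The comment kept above the call in renesas_usb3_probe() still says the driver "will not handle a phy anymore" if it cannot get one, which no longer matches the code: an error from devm_phy_optional_get() now fails the probe, and only an absent phy yields NULL. I would reword it to `/* The phy is optional: devm_phy_optional_get() returns NULL when none is described; any other error fails the probe. */`. The jump target `err_add_udc` is also reused for a failure that happens before usb_add_gadget_udc(); the label is outside the hunk, so check that everything it undoes has already been set up at this point.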
diff --git a/queue-4.17/usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch b/queue-4.17/usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch new file mode 100644 index 00000000000..c0306c1c98f --- /dev/null +++ b/queue-4.17/usb-gadget-udc-renesas_usb3-should-remove-debugfs.patch @@ -0,0 +1,54 @@ +From 1990cf7c21ea185cec98c6d45a82c04481261e35 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 10 Apr 2018 14:38:50 +0900 +Subject: usb: gadget: udc: renesas_usb3: should remove debugfs + +From: Yoshihiro Shimoda + +commit 1990cf7c21ea185cec98c6d45a82c04481261e35 upstream. + +This patch fixes an issue that this driver doesn't remove its debugfs. + +Fixes: 43ba968b00ea ("usb: gadget: udc: renesas_usb3: add debugfs to set the b-device mode") +Cc: # v4.14+ +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/renesas_usb3.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/renesas_usb3.c ++++ b/drivers/usb/gadget/udc/renesas_usb3.c +@@ -333,6 +333,7 @@ struct renesas_usb3 { + struct extcon_dev *extcon; + struct work_struct extcon_work; + struct phy *phy; ++ struct dentry *dentry; + + struct renesas_usb3_ep *usb3_ep; + int num_usb3_eps; +@@ -2393,8 +2394,12 @@ static void renesas_usb3_debugfs_init(st + + file = debugfs_create_file("b_device", 0644, root, usb3, + &renesas_usb3_b_device_fops); +- if (!file) ++ if (!file) { + dev_info(dev, "%s: Can't create debugfs mode\n", __func__); ++ debugfs_remove_recursive(root); ++ } else { ++ usb3->dentry = root; ++ } + } + + /*------- platform_driver ------------------------------------------------*/ +@@ -2402,6 +2407,7 @@ static int renesas_usb3_remove(struct pl + { + struct renesas_usb3 *usb3 = platform_get_drvdata(pdev); + ++ debugfs_remove_recursive(usb3->dentry); + device_remove_file(&pdev->dev, &dev_attr_role); + + usb_del_gadget_udc(&usb3->gadget); 
diff --git a/queue-4.17/usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch b/queue-4.17/usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch new file mode 100644 index 00000000000..0365094d754 --- /dev/null +++ b/queue-4.17/usb-storage-add-compatibility-quirk-flags-for-g-technologies-g-drive.patch 
@@ -0,0 +1,77 @@ +From ca7d9515d0e6825351ce106066cea1f60e40b1c8 Mon Sep 17 00:00:00 2001 +From: Alexander Kappner +Date: Fri, 18 May 2018 21:50:16 -0700 +Subject: usb-storage: Add compatibility quirk flags for G-Technologies G-Drive + +From: Alexander Kappner + +commit ca7d9515d0e6825351ce106066cea1f60e40b1c8 upstream. + +The "G-Drive" (sold by G-Technology) external USB 3.0 drive + hangs on write access under UAS and usb-storage: + +[ 136.079121] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE +[ 136.079144] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current] +[ 136.079152] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb +[ 136.079176] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00 +[ 136.079180] print_req_error: critical target error, dev sdi, sector 0 +[ 136.079183] Buffer I/O error on dev sdi, logical block 0, lost sync page write +[ 136.173148] EXT4-fs (sdi): mounted filesystem with ordered data mode. Opts: (null) +[ 140.583998] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE +[ 140.584010] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current] +[ 140.584016] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb +[ 140.584022] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 e8 c4 00 18 00 00 00 08 00 00 +[ 140.584025] print_req_error: critical target error, dev sdi, sector 3905159192 +[ 140.584044] print_req_error: critical target error, dev sdi, sector 3905159192 +[ 140.584052] Aborting journal on device sdi-8. + +The proposed patch adds compatibility quirks. Because the drive requires two +quirks (one to work with UAS, and another to work with usb-storage), adding this +under unusual_devs.h and not just unusual_uas.h so kernels compiled without UAS +receive the quirk. With the patch, the drive works reliably on UAS and usb- +storage. +(tested on NEC Corporation uPD720200 USB 3.0 host controller). 
+ +Signed-off-by: Alexander Kappner +Acked-by: Alan Stern +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 9 +++++++++ + drivers/usb/storage/unusual_uas.h | 9 +++++++++ + 2 files changed, 18 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2321,6 +2321,15 @@ UNUSUAL_DEV( 0x4146, 0xba01, 0x0100, 0x + "Micro Mini 1GB", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ), + ++/* "G-DRIVE" external HDD hangs on write without these. ++ * Patch submitted by Alexander Kappner ++ */ ++UNUSUAL_DEV(0x4971, 0x8024, 0x0000, 0x9999, ++ "SimpleTech", ++ "External HDD", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_ALWAYS_SYNC), ++ + /* + * Nick Bowler + * SCSI stack spams (otherwise harmless) error messages. +--- a/drivers/usb/storage/unusual_uas.h ++++ b/drivers/usb/storage/unusual_uas.h +@@ -107,3 +107,12 @@ UNUSUAL_DEV(0x4971, 0x8017, 0x0000, 0x99 + "External HDD", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_NO_REPORT_OPCODES), ++ ++/* "G-DRIVE" external HDD hangs on write without these. ++ * Patch submitted by Alexander Kappner ++ */ ++UNUSUAL_DEV(0x4971, 0x8024, 0x0000, 0x9999, ++ "SimpleTech", ++ "External HDD", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_ALWAYS_SYNC), diff --git a/queue-4.17/usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch b/queue-4.17/usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch new file mode 100644 index 00000000000..c62709397d2 --- /dev/null +++ b/queue-4.17/usb-storage-add-support-for-fl_always_sync-flag-in-the-uas-driver.patch 
@@ -0,0 +1,39 @@ +From 8c4e97ddfe73a0958bb0abf7e6a3bc4cc3e04936 Mon Sep 17 00:00:00 2001 +From: Alexander Kappner +Date: Fri, 18 May 2018 21:50:15 -0700 +Subject: usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver + +From: Alexander Kappner + +commit 8c4e97ddfe73a0958bb0abf7e6a3bc4cc3e04936 upstream. + +The ALWAYS_SYNC flag is currently honored by the usb-storage driver but not UAS +and is required to work around devices that become unstable upon being +queried for cache. This code is taken straight from: +drivers/usb/storage/scsiglue.c:284 + +Signed-off-by: Alexander Kappner +Acked-by: Alan Stern +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -836,6 +836,12 @@ static int uas_slave_configure(struct sc + if (devinfo->flags & US_FL_BROKEN_FUA) + sdev->broken_fua = 1; + ++ /* UAS also needs to support FL_ALWAYS_SYNC */ ++ if (devinfo->flags & US_FL_ALWAYS_SYNC) { ++ sdev->skip_ms_page_3f = 1; ++ sdev->skip_ms_page_8 = 1; ++ sdev->wce_default_on = 1; ++ } + scsi_change_queue_depth(sdev, devinfo->qdepth - 2); + return 0; + } diff --git a/queue-4.17/usb-typec-wcove-remove-dependency-on-hw-fsm.patch b/queue-4.17/usb-typec-wcove-remove-dependency-on-hw-fsm.patch new file mode 100644 index 00000000000..750585e1ed9 --- /dev/null +++ b/queue-4.17/usb-typec-wcove-remove-dependency-on-hw-fsm.patch 
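Review bot: The added comment in uas_slave_configure(), `/* UAS also needs to support FL_ALWAYS_SYNC */`, misnames the flag and does not say what the three assignments are for. The commit message gives the reason (devices that become unstable when queried for cache), so the comment could carry it: `/* US_FL_ALWAYS_SYNC: do not query mode pages 0x3f/8 and assume the write cache is on */`. A blank line before `scsi_change_queue_depth()` would also keep the quirk block visually separate, as the preceding `US_FL_BROKEN_FUA` block is. uas_slave_configure() starts outside the hunk.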
@@ -0,0 +1,75 @@ +From 05826ff135ee083d28c006fbde6e810f17437166 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Thu, 24 May 2018 13:49:52 +0300 +Subject: usb: typec: wcove: Remove dependency on HW FSM + +From: Heikki Krogerus + +commit 05826ff135ee083d28c006fbde6e810f17437166 upstream. + +The USB Type-C PHY in Intel WhiskeyCove PMIC has build-in +USB Type-C state machine which we were relying on to +configure the CC lines correctly. This patch removes that +dependency and configures the CC line according to commands +from the port manager (tcpm.c) in wcove_set_cc(). + +This fixes an issue where USB devices attached to the USB +Type-C port do not get enumerated. When acting as +source/host, the HW FSM sometimes fails to configure the PHY +correctly. + +Fixes: 3c4fb9f16921 ("usb: typec: wcove: start using tcpm for USB PD support") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/typec_wcove.c | 30 ++++++++++++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/typec_wcove.c ++++ b/drivers/usb/typec/typec_wcove.c +@@ -202,6 +202,10 @@ static int wcove_init(struct tcpc_dev *t + struct wcove_typec *wcove = tcpc_to_wcove(tcpc); + int ret; + ++ ret = regmap_write(wcove->regmap, USBC_CONTROL1, 0); ++ if (ret) ++ return ret; ++ + /* Unmask everything */ + ret = regmap_write(wcove->regmap, USBC_IRQMASK1, 0); + if (ret) +@@ -285,8 +289,30 @@ static int wcove_get_cc(struct tcpc_dev + + static int wcove_set_cc(struct tcpc_dev *tcpc, enum typec_cc_status cc) + { +- /* XXX: Relying on the HW FSM to configure things correctly for now */ +- return 0; ++ struct wcove_typec *wcove = tcpc_to_wcove(tcpc); ++ unsigned int ctrl; ++ ++ switch (cc) { ++ case TYPEC_CC_RD: ++ ctrl = USBC_CONTROL1_MODE_SNK; ++ break; ++ case TYPEC_CC_RP_DEF: ++ ctrl = USBC_CONTROL1_CURSRC_UA_80 | USBC_CONTROL1_MODE_SRC; ++ break; ++ case TYPEC_CC_RP_1_5: ++ ctrl = 
USBC_CONTROL1_CURSRC_UA_180 | USBC_CONTROL1_MODE_SRC; ++ break; ++ case TYPEC_CC_RP_3_0: ++ ctrl = USBC_CONTROL1_CURSRC_UA_330 | USBC_CONTROL1_MODE_SRC; ++ break; ++ case TYPEC_CC_OPEN: ++ ctrl = 0; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ return regmap_write(wcove->regmap, USBC_CONTROL1, ctrl); + } + + static int wcove_set_polarity(struct tcpc_dev *tcpc, enum typec_cc_polarity pol) diff --git a/queue-4.17/usbip-vhci_sysfs-fix-potential-spectre-v1.patch b/queue-4.17/usbip-vhci_sysfs-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..90facf99789 --- /dev/null +++ b/queue-4.17/usbip-vhci_sysfs-fix-potential-spectre-v1.patch 
@@ -0,0 +1,102 @@ +From a0d6ec88090d7b1b008429c44532a388e29bb1bd Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Fri, 18 May 2018 20:13:42 -0500 +Subject: usbip: vhci_sysfs: fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit a0d6ec88090d7b1b008429c44532a388e29bb1bd upstream. + +pdev_nr and rhport can be controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: +drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis' +drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis' +drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev' +drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev' + +Fix this by sanitizing pdev_nr and rhport before using them to index +vhcis and vhci->vhci_hcd_ss->vdev respectively. + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. 
Silva +Acked-by: Shuah Khan (Samsung OSG) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/vhci_sysfs.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +--- a/drivers/usb/usbip/vhci_sysfs.c ++++ b/drivers/usb/usbip/vhci_sysfs.c +@@ -10,6 +10,9 @@ + #include + #include + ++/* Hardening for Spectre-v1 */ ++#include ++ + #include "usbip_common.h" + #include "vhci.h" + +@@ -205,16 +208,20 @@ static int vhci_port_disconnect(struct v + return 0; + } + +-static int valid_port(__u32 pdev_nr, __u32 rhport) ++static int valid_port(__u32 *pdev_nr, __u32 *rhport) + { +- if (pdev_nr >= vhci_num_controllers) { +- pr_err("pdev %u\n", pdev_nr); ++ if (*pdev_nr >= vhci_num_controllers) { ++ pr_err("pdev %u\n", *pdev_nr); + return 0; + } +- if (rhport >= VHCI_HC_PORTS) { +- pr_err("rhport %u\n", rhport); ++ *pdev_nr = array_index_nospec(*pdev_nr, vhci_num_controllers); ++ ++ if (*rhport >= VHCI_HC_PORTS) { ++ pr_err("rhport %u\n", *rhport); + return 0; + } ++ *rhport = array_index_nospec(*rhport, VHCI_HC_PORTS); ++ + return 1; + } + +@@ -232,7 +239,7 @@ static ssize_t detach_store(struct devic + pdev_nr = port_to_pdev_nr(port); + rhport = port_to_rhport(port); + +- if (!valid_port(pdev_nr, rhport)) ++ if (!valid_port(&pdev_nr, &rhport)) + return -EINVAL; + + hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); +@@ -258,7 +265,8 @@ static ssize_t detach_store(struct devic + } + static DEVICE_ATTR_WO(detach); + +-static int valid_args(__u32 pdev_nr, __u32 rhport, enum usb_device_speed speed) ++static int valid_args(__u32 *pdev_nr, __u32 *rhport, ++ enum usb_device_speed speed) + { + if (!valid_port(pdev_nr, rhport)) { + return 0; +@@ -322,7 +330,7 @@ static ssize_t attach_store(struct devic + sockfd, devid, speed); + + /* check received parameters */ +- if (!valid_args(pdev_nr, rhport, speed)) ++ if (!valid_args(&pdev_nr, &rhport, speed)) + return -EINVAL; + + hcd = platform_get_drvdata(vhcis[pdev_nr].pdev); 
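Review bot: valid_port() and valid_args() now rewrite their arguments, which the names do not suggest and nothing in the hunk documents. The callers in detach_store() and attach_store() are only protected if they index `vhcis[]` and `vdev[]` with the variables they passed by pointer, never with a value recomputed from `port`. I would add above valid_port(): `/* Returns 1 if in range; also clamps *pdev_nr and *rhport with array_index_nospec(), so index only with the values passed in. */`. Both store functions continue outside the hunk, so later uses of the indices could not be checked here.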
diff --git a/queue-4.17/vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch b/queue-4.17/vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch new file mode 100644 index 00000000000..12b824338f0 --- /dev/null +++ b/queue-4.17/vmw_balloon-fixing-double-free-when-batching-mode-is-off.patch 
@@ -0,0 +1,114 @@ +From b23220fe054e92f616b82450fae8cd3ab176cc60 Mon Sep 17 00:00:00 2001 +From: Gil Kupfer +Date: Fri, 1 Jun 2018 00:47:47 -0700 +Subject: vmw_balloon: fixing double free when batching mode is off + +From: Gil Kupfer + +commit b23220fe054e92f616b82450fae8cd3ab176cc60 upstream. + +The balloon.page field is used for two different purposes if batching is +on or off. If batching is on, the field point to the page which is used +to communicate with with the hypervisor. If it is off, balloon.page +points to the page that is about to be (un)locked. + +Unfortunately, this dual-purpose of the field introduced a bug: when the +balloon is popped (e.g., when the machine is reset or the balloon driver +is explicitly removed), the balloon driver frees, unconditionally, the +page that is held in balloon.page. As a result, if batching is +disabled, this leads to double freeing the last page that is sent to the +hypervisor. + +The following error occurs during rmmod when kernel checkers are on, and +the balloon is not empty: + +[ 42.307653] ------------[ cut here ]------------ +[ 42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable] +[ 42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC +[ 42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi +[ 42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5 +[ 42.312803] Hardware name: VMware, Inc. 
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016 +[ 42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000 +[ 42.313290] RIP: 0010:__free_pages+0x38/0x40 +[ 42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246 +[ 42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006 +[ 42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0 +[ 42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000 +[ 42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4 +[ 42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200 +[ 42.314550] FS: 00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000 +[ 42.314599] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0 +[ 42.314864] Call Trace: +[ 42.315774] vmballoon_pop+0x102/0x130 [vmw_balloon] +[ 42.315816] vmballoon_exit+0x42/0xd64 [vmw_balloon] +[ 42.315853] SyS_delete_module+0x1e2/0x250 +[ 42.315891] entry_SYSCALL_64_fastpath+0x23/0xc2 +[ 42.315924] RIP: 0033:0x7f3af5b0e8e7 +[ 42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 +[ 42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7 +[ 42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248 +[ 42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999 +[ 42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130 +[ 42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0 +[ 42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48 +[ 42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98 +[ 42.325735] ---[ end trace 872e008e33f81508 ]--- + +To solve the bug, we eliminate 
the dual purpose of balloon.page. + +Fixes: f220a80f0c2e ("VMware balloon: add batching to the vmw_balloon.") +Cc: stable@vger.kernel.org +Reported-by: Oleksandr Natalenko +Signed-off-by: Gil Kupfer +Signed-off-by: Nadav Amit +Reviewed-by: Xavier Deguillard +Tested-by: Oleksandr Natalenko +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/vmw_balloon.c | 23 +++++++---------------- + 1 file changed, 7 insertions(+), 16 deletions(-) + +--- a/drivers/misc/vmw_balloon.c ++++ b/drivers/misc/vmw_balloon.c +@@ -576,15 +576,9 @@ static void vmballoon_pop(struct vmballo + } + } + +- if (b->batch_page) { +- vunmap(b->batch_page); +- b->batch_page = NULL; +- } +- +- if (b->page) { +- __free_page(b->page); +- b->page = NULL; +- } ++ /* Clearing the batch_page unconditionally has no adverse effect */ ++ free_page((unsigned long)b->batch_page); ++ b->batch_page = NULL; + } + + /* +@@ -991,16 +985,13 @@ static const struct vmballoon_ops vmball + + static bool vmballoon_init_batching(struct vmballoon *b) + { +- b->page = alloc_page(VMW_PAGE_ALLOC_NOSLEEP); +- if (!b->page) +- return false; ++ struct page *page; + +- b->batch_page = vmap(&b->page, 1, VM_MAP, PAGE_KERNEL); +- if (!b->batch_page) { +- __free_page(b->page); ++ page = alloc_page(GFP_KERNEL | __GFP_ZERO); ++ if (!page) + return false; +- } + ++ b->batch_page = page_address(page); + return true; + } +
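Review bot: vmballoon_pop() no longer resets `b->page`: the removed branch both freed the page and set the field to NULL, and only the free was the bug. In non-batching mode the commit message says this field points at the page about to be (un)locked, so after the pop it can still reference a page that has already been released. Keeping `b->page = NULL;` next to `b->batch_page = NULL;` would preserve the old post-condition without the double free; whether any path reads b->page before reassigning it is not visible in this hunk. Separately, vmballoon_init_batching() now allocates with `GFP_KERNEL | __GFP_ZERO` instead of VMW_PAGE_ALLOC_NOSLEEP, so its callers, which are outside the hunk, must run in a context that may sleep.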