From: Greg Kroah-Hartman Date: Thu, 22 Mar 2018 14:17:12 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v3.18.102~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f470d41b0ab4805afcf035fc3ec848af942fb06b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: acpi-processor-replace-racy-task-affinity-logic.patch alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch ath-fix-updating-radar-flags-for-coutry-code-india.patch bnx2x-align-rx-buffers.patch btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch cifs-small-underflow-in-cnvrtdosunixtm.patch clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch cpufreq-sh-replace-racy-task-affinity-logic.patch drm-msm-fix-leak-in-failed-get_pages.patch drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch i2c-i2c-scmi-add-a-ms-hid.patch ia64-fix-module-loading-for-gcc-5.4.patch ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch md-raid10-skip-spare-disk-as-first-disk.patch media-bt8xx-fix-err-bt878_probe.patch media-dvb-core-race-condition-when-writing-to-cam.patch media-media-dvb-frontends-add-delay-to-si2168-restart.patch mfd-palmas-reset-the-powerhold-mux-during-power-off.patch mmc-avoid-removing-non-removable-hosts-during-suspend.patch mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch net-ipv6-send-unsolicited-na-on-admin-up.patch pinctrl-really-force-states-during-suspend-resume.patch platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch power-supply-pda_power-move-from-timer-to-delayed_work.patch qlcnic-fix-unchecked-return-value.patch rdma-cma-use-correct-size-when-writing-netlink-stats.patch rndis_wlan-add-return-value-validation.patch scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch scsi-virtio_scsi-always-try-to-read-vpd-pages.patch sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch spi-dw-disable-clock-after-unregistering-the-host.patch tcp-remove-poll-flakes-with-fastopen.patch vgacon-set-vga-struct-resource-types.patch video-fbdev-udlfb-fix-buffer-on-stack.patch wan-pc300too-abort-path-on-failure.patch x86-i8259-export-legacy_pic-symbol.patch --- diff --git a/queue-3.18/acpi-processor-replace-racy-task-affinity-logic.patch b/queue-3.18/acpi-processor-replace-racy-task-affinity-logic.patch new file mode 100644 index 00000000000..2edcf7f609a --- /dev/null +++ b/queue-3.18/acpi-processor-replace-racy-task-affinity-logic.patch @@ -0,0 +1,200 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Thomas Gleixner +Date: Wed, 12 Apr 2017 22:07:34 +0200 +Subject: ACPI/processor: Replace racy task affinity logic + +From: Thomas Gleixner + + +[ Upstream commit 8153f9ac43897f9f4786b30badc134fcc1a4fb11 ] + +acpi_processor_get_throttling() requires to invoke the getter function on +the target CPU. This is achieved by temporarily setting the affinity of the +calling user space thread to the requested CPU and reset it to the original +affinity afterwards. + +That's racy vs. CPU hotplug and concurrent affinity settings for that +thread resulting in code executing on the wrong CPU and overwriting the +new affinity setting. + +acpi_processor_get_throttling() is invoked in two ways: + +1) The CPU online callback, which is already running on the target CPU and + obviously protected against hotplug and not affected by affinity + settings. + +2) The ACPI driver probe function, which is not protected against hotplug + during modprobe. + +Switch it over to work_on_cpu() and protect the probe function against CPU +hotplug. + +Signed-off-by: Thomas Gleixner +Cc: Fenghua Yu +Cc: Tony Luck +Cc: Herbert Xu +Cc: "Rafael J. Wysocki" +Cc: Peter Zijlstra +Cc: Benjamin Herrenschmidt +Cc: Sebastian Siewior +Cc: Lai Jiangshan +Cc: linux-acpi@vger.kernel.org +Cc: Viresh Kumar +Cc: Michael Ellerman +Cc: Tejun Heo +Cc: "David S. Miller" +Cc: Len Brown +Link: http://lkml.kernel.org/r/20170412201042.785920903@linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/processor_driver.c | 7 +++- + drivers/acpi/processor_throttling.c | 62 ++++++++++++++++++++---------------- + 2 files changed, 42 insertions(+), 27 deletions(-) + +--- a/drivers/acpi/processor_driver.c ++++ b/drivers/acpi/processor_driver.c +@@ -231,11 +231,16 @@ static int __acpi_processor_start(struct + static int acpi_processor_start(struct device *dev) + { + struct acpi_device *device = ACPI_COMPANION(dev); ++ int ret; + + if (!device) + return -ENODEV; + +- return __acpi_processor_start(device); ++ /* Protect against concurrent CPU hotplug operations */ ++ get_online_cpus(); ++ ret = __acpi_processor_start(device); ++ put_online_cpus(); ++ return ret; + } + + static int acpi_processor_stop(struct device *dev) +--- a/drivers/acpi/processor_throttling.c ++++ b/drivers/acpi/processor_throttling.c +@@ -66,8 +66,8 @@ struct acpi_processor_throttling_arg { + #define THROTTLING_POSTCHANGE (2) + + static int acpi_processor_get_throttling(struct acpi_processor *pr); +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force); ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct); + + static int acpi_processor_update_tsd_coord(void) + { +@@ -886,7 +886,8 @@ static int acpi_processor_get_throttling + ACPI_DEBUG_PRINT((ACPI_DB_INFO, + "Invalid throttling state, reset\n")); + state = 0; +- ret = acpi_processor_set_throttling(pr, state, true); ++ ret = __acpi_processor_set_throttling(pr, state, true, ++ true); + if (ret) + return ret; + } +@@ -896,36 +897,31 @@ static int acpi_processor_get_throttling + return 0; + } + +-static int acpi_processor_get_throttling(struct acpi_processor *pr) ++static long __acpi_processor_get_throttling(void *data) + { +- cpumask_var_t saved_mask; +- int ret; ++ struct acpi_processor *pr = data; ++ ++ return pr->throttling.acpi_processor_get_throttling(pr); ++} + ++static int acpi_processor_get_throttling(struct acpi_processor *pr) ++{ + if (!pr) + return -EINVAL; + + if (!pr->flags.throttling) + return -ENODEV; + +- if (!alloc_cpumask_var(&saved_mask, GFP_KERNEL)) +- return -ENOMEM; +- + /* +- * Migrate task to the cpu pointed by pr. ++ * This is either called from the CPU hotplug callback of ++ * processor_driver or via the ACPI probe function. In the latter ++ * case the CPU is not guaranteed to be online. Both call sites are ++ * protected against CPU hotplug. + */ +- cpumask_copy(saved_mask, ¤t->cpus_allowed); +- /* FIXME: use work_on_cpu() */ +- if (set_cpus_allowed_ptr(current, cpumask_of(pr->id))) { +- /* Can't migrate to the target pr->id CPU. Exit */ +- free_cpumask_var(saved_mask); ++ if (!cpu_online(pr->id)) + return -ENODEV; +- } +- ret = pr->throttling.acpi_processor_get_throttling(pr); +- /* restore the previous state */ +- set_cpus_allowed_ptr(current, saved_mask); +- free_cpumask_var(saved_mask); + +- return ret; ++ return work_on_cpu(pr->id, __acpi_processor_get_throttling, pr); + } + + static int acpi_processor_get_fadt_info(struct acpi_processor *pr) +@@ -1075,8 +1071,15 @@ static long acpi_processor_throttling_fn + arg->target_state, arg->force); + } + +-int acpi_processor_set_throttling(struct acpi_processor *pr, +- int state, bool force) ++static int call_on_cpu(int cpu, long (*fn)(void *), void *arg, bool direct) ++{ ++ if (direct) ++ return fn(arg); ++ return work_on_cpu(cpu, fn, arg); ++} ++ ++static int __acpi_processor_set_throttling(struct acpi_processor *pr, ++ int state, bool force, bool direct) + { + int ret = 0; + unsigned int i; +@@ -1125,7 +1128,8 @@ int acpi_processor_set_throttling(struct + arg.pr = pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, &arg, ++ direct); + } else { + /* + * When the T-state coordination is SW_ALL or HW_ALL, +@@ -1158,8 +1162,8 @@ int acpi_processor_set_throttling(struct + arg.pr = match_pr; + arg.target_state = state; + arg.force = force; +- ret = work_on_cpu(pr->id, acpi_processor_throttling_fn, +- &arg); ++ ret = call_on_cpu(pr->id, acpi_processor_throttling_fn, ++ &arg, direct); + } + } + /* +@@ -1177,6 +1181,12 @@ int acpi_processor_set_throttling(struct + return ret; + } + ++int acpi_processor_set_throttling(struct acpi_processor *pr, int state, ++ bool force) ++{ ++ return __acpi_processor_set_throttling(pr, state, force, false); ++} ++ + int acpi_processor_get_throttling_info(struct acpi_processor *pr) + { + int result = 0; diff --git a/queue-3.18/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch b/queue-3.18/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch new file mode 100644 index 00000000000..cbf1f506f61 --- /dev/null +++ b/queue-3.18/alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch @@ -0,0 +1,61 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Mikhail Paulyshka +Date: Fri, 21 Apr 2017 08:52:42 +0200 +Subject: ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 + +From: Mikhail Paulyshka + + +[ Upstream commit fc7438b1eb12b6c93d7b7a62423779eb5dfc673c ] + +Headset microphone does not work out of the box on ASUS Nx51 +laptops. This patch fixes it. + +Patch tested on Asus N551 laptop. Asus N751 part is not tested, but +according to [1] this laptop uses the same audiosystem. + +1. https://bugzilla.kernel.org/show_bug.cgi?id=117781 + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195437 +Signed-off-by: Mikhail Paulyshka +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6493,6 +6493,7 @@ enum { + ALC668_FIXUP_DELL_DISABLE_AAMIX, + ALC668_FIXUP_DELL_XPS13, + ALC662_FIXUP_ASUS_Nx50, ++ ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + ALC668_FIXUP_ASUS_Nx51, + }; + +@@ -6740,14 +6741,21 @@ static const struct hda_fixup alc662_fix + .chained = true, + .chain_id = ALC662_FIXUP_BASS_1A + }, ++ [ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc_fixup_headset_mode_alc668, ++ .chain_id = ALC662_FIXUP_BASS_CHMAP ++ }, + [ALC668_FIXUP_ASUS_Nx51] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { +- {0x1a, 0x90170151}, /* bass speaker */ ++ { 0x19, 0x03a1913d }, /* use as headphone mic, without its own jack detect */ ++ { 0x1a, 0x90170151 }, /* bass speaker */ ++ { 0x1b, 0x03a1113c }, /* use as headset mic, without its own jack detect */ + {} + }, + .chained = true, +- .chain_id = ALC662_FIXUP_BASS_CHMAP, ++ .chain_id = ALC668_FIXUP_ASUS_Nx51_HEADSET_MODE, + }, + }; + diff --git a/queue-3.18/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch b/queue-3.18/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch new file mode 100644 index 00000000000..a29e4953cc4 --- /dev/null +++ b/queue-3.18/arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Kishon Vijay Abraham I +Date: Mon, 27 Mar 2017 15:15:20 +0530 +Subject: ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP + +From: Kishon Vijay Abraham I + + +[ Upstream commit 2c949ce38f4e81d7487f165fa3b8f77d74a2a6c4 ] + +The PCIe programming sequence in TRM suggests CLKSTCTRL of PCIe should be +set to SW_WKUP. There are no issues when CLKSTCTRL is set to HW_AUTO in RC +mode. However in EP mode, the host system is not able to access the +MEMSPACE and setting the CLKSTCTRL to SW_WKUP fixes it. + +Acked-by: Tony Lindgren +Signed-off-by: Kishon Vijay Abraham I +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/clockdomains7xx_data.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/mach-omap2/clockdomains7xx_data.c ++++ b/arch/arm/mach-omap2/clockdomains7xx_data.c +@@ -524,7 +524,7 @@ static struct clockdomain pcie_7xx_clkdm + .dep_bit = DRA7XX_PCIE_STATDEP_SHIFT, + .wkdep_srcs = pcie_wkup_sleep_deps, + .sleepdep_srcs = pcie_wkup_sleep_deps, +- .flags = CLKDM_CAN_HWSUP_SWSUP, ++ .flags = CLKDM_CAN_SWSUP, + }; + + static struct clockdomain atl_7xx_clkdm = { diff --git a/queue-3.18/ath-fix-updating-radar-flags-for-coutry-code-india.patch b/queue-3.18/ath-fix-updating-radar-flags-for-coutry-code-india.patch new file mode 100644 index 00000000000..94b28c4c59e --- /dev/null +++ b/queue-3.18/ath-fix-updating-radar-flags-for-coutry-code-india.patch @@ -0,0 +1,92 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Mohammed Shafi Shajakhan +Date: Wed, 12 Apr 2017 23:19:37 +0530 +Subject: ath: Fix updating radar flags for coutry code India + +From: Mohammed Shafi Shajakhan + + +[ Upstream commit c0c345d4cacc6a1f39d4856f37dcf6e34f51a5e4 ] + +As per latest regulatory update for India, channel 52, 56, 60, 64 +is no longer restricted to DFS. Enabling DFS/no infra flags in driver +results in applying all DFS related restrictions (like doing CAC etc +before this channel moves to 'available state') for these channels +even though the country code is programmed as 'India' in he hardware, +fix this by relaxing the frequency range while applying RADAR flags +only if the country code is programmed to India. If the frequency range +needs to modified based on different country code, ath_is_radar_freq +can be extended/modified dynamically. + +Signed-off-by: Mohammed Shafi Shajakhan +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/regd.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/ath/regd.c ++++ b/drivers/net/wireless/ath/regd.c +@@ -254,8 +254,12 @@ bool ath_is_49ghz_allowed(u16 regdomain) + EXPORT_SYMBOL(ath_is_49ghz_allowed); + + /* Frequency is one where radar detection is required */ +-static bool ath_is_radar_freq(u16 center_freq) ++static bool ath_is_radar_freq(u16 center_freq, ++ struct ath_regulatory *reg) ++ + { ++ if (reg->country_code == CTRY_INDIA) ++ return (center_freq >= 5500 && center_freq <= 5700); + return (center_freq >= 5260 && center_freq <= 5700); + } + +@@ -306,7 +310,7 @@ __ath_reg_apply_beaconing_flags(struct w + enum nl80211_reg_initiator initiator, + struct ieee80211_channel *ch) + { +- if (ath_is_radar_freq(ch->center_freq) || ++ if (ath_is_radar_freq(ch->center_freq, reg) || + (ch->flags & IEEE80211_CHAN_RADAR)) + return; + +@@ -395,8 +399,9 @@ ath_reg_apply_ir_flags(struct wiphy *wip + } + } + +-/* Always apply Radar/DFS rules on freq range 5260 MHz - 5700 MHz */ +-static void ath_reg_apply_radar_flags(struct wiphy *wiphy) ++/* Always apply Radar/DFS rules on freq range 5500 MHz - 5700 MHz */ ++static void ath_reg_apply_radar_flags(struct wiphy *wiphy, ++ struct ath_regulatory *reg) + { + struct ieee80211_supported_band *sband; + struct ieee80211_channel *ch; +@@ -409,7 +414,7 @@ static void ath_reg_apply_radar_flags(st + + for (i = 0; i < sband->n_channels; i++) { + ch = &sband->channels[i]; +- if (!ath_is_radar_freq(ch->center_freq)) ++ if (!ath_is_radar_freq(ch->center_freq, reg)) + continue; + /* We always enable radar detection/DFS on this + * frequency range. Additionally we also apply on +@@ -505,7 +510,7 @@ void ath_reg_notifier_apply(struct wiphy + struct ath_common *common = container_of(reg, struct ath_common, + regulatory); + /* We always apply this */ +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + + /* + * This would happen when we have sent a custom regulatory request +@@ -653,7 +658,7 @@ ath_regd_init_wiphy(struct ath_regulator + } + + wiphy_apply_custom_regulatory(wiphy, regd); +- ath_reg_apply_radar_flags(wiphy); ++ ath_reg_apply_radar_flags(wiphy, reg); + ath_reg_apply_world_flags(wiphy, NL80211_REGDOM_SET_BY_DRIVER, reg); + return 0; + } diff --git a/queue-3.18/bnx2x-align-rx-buffers.patch b/queue-3.18/bnx2x-align-rx-buffers.patch new file mode 100644 index 00000000000..58718fbfb95 --- /dev/null +++ b/queue-3.18/bnx2x-align-rx-buffers.patch @@ -0,0 +1,78 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Scott Wood +Date: Fri, 28 Apr 2017 19:17:41 -0500 +Subject: bnx2x: Align RX buffers + +From: Scott Wood + + +[ Upstream commit 9b70de6d0266888b3743f03802502e43131043c8 ] + +The bnx2x driver is not providing proper alignment on the receive buffers it +passes to build_skb(), causing skb_shared_info to be misaligned. +skb_shared_info contains an atomic, and while PPC normally supports +unaligned accesses, it does not support unaligned atomics. + +Aligning the size of rx buffers will ensure that page_frag_alloc() returns +aligned addresses. + +This can be reproduced on PPC by setting the network MTU to 1450 (or other +non-multiple-of-4) and then generating sufficient inbound network traffic +(one or two large "wget"s usually does it), producing the following oops: + +Unable to handle kernel paging request for unaligned access at address 0xc00000ffc43af656 +Faulting instruction address: 0xc00000000080ef8c +Oops: Kernel access of bad area, sig: 7 [#1] +SMP NR_CPUS=2048 +NUMA +PowerNV +Modules linked in: vmx_crypto powernv_rng rng_core powernv_op_panel leds_powernv led_class nfsd ip_tables x_tables autofs4 xfs lpfc bnx2x mdio libcrc32c crc_t10dif crct10dif_generic crct10dif_common +CPU: 104 PID: 0 Comm: swapper/104 Not tainted 4.11.0-rc8-00088-g4c761da #2 +task: c00000ffd4892400 task.stack: c00000ffd4920000 +NIP: c00000000080ef8c LR: c00000000080eee8 CTR: c0000000001f8320 +REGS: c00000ffffc33710 TRAP: 0600 Not tainted (4.11.0-rc8-00088-g4c761da) +MSR: 9000000000009033 + CR: 24082042 XER: 00000000 +CFAR: c00000000080eea0 DAR: c00000ffc43af656 DSISR: 00000000 SOFTE: 1 +GPR00: c000000000907f64 c00000ffffc33990 c000000000dd3b00 c00000ffcaf22100 +GPR04: c00000ffcaf22e00 0000000000000000 0000000000000000 0000000000000000 +GPR08: 0000000000b80008 c00000ffc43af636 c00000ffc43af656 0000000000000000 +GPR12: c0000000001f6f00 c00000000fe1a000 000000000000049f 000000000000c51f +GPR16: 00000000ffffef33 0000000000000000 0000000000008a43 0000000000000001 +GPR20: c00000ffc58a90c0 0000000000000000 000000000000dd86 0000000000000000 +GPR24: c000007fd0ed10c0 00000000ffffffff 0000000000000158 000000000000014a +GPR28: c00000ffc43af010 c00000ffc9144000 c00000ffcaf22e00 c00000ffcaf22100 +NIP [c00000000080ef8c] __skb_clone+0xdc/0x140 +LR [c00000000080eee8] __skb_clone+0x38/0x140 +Call Trace: +[c00000ffffc33990] [c00000000080fb74] skb_clone+0x74/0x110 (unreliable) +[c00000ffffc339c0] [c000000000907f64] packet_rcv+0x144/0x510 +[c00000ffffc33a40] [c000000000827b64] __netif_receive_skb_core+0x5b4/0xd80 +[c00000ffffc33b00] [c00000000082b2bc] netif_receive_skb_internal+0x2c/0xc0 +[c00000ffffc33b40] [c00000000082c49c] napi_gro_receive+0x11c/0x260 +[c00000ffffc33b80] [d000000066483d68] bnx2x_poll+0xcf8/0x17b0 [bnx2x] +[c00000ffffc33d00] [c00000000082babc] net_rx_action+0x31c/0x480 +[c00000ffffc33e10] [c0000000000d5a44] __do_softirq+0x164/0x3d0 +[c00000ffffc33f00] [c0000000000d60a8] irq_exit+0x108/0x120 +[c00000ffffc33f20] [c000000000015b98] __do_irq+0x98/0x200 +[c00000ffffc33f90] [c000000000027f14] call_do_irq+0x14/0x24 +[c00000ffd4923a90] [c000000000015d94] do_IRQ+0x94/0x110 +[c00000ffd4923ae0] [c000000000008d90] hardware_interrupt_common+0x150/0x160 + +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -2024,6 +2024,7 @@ static void bnx2x_set_rx_buf_size(struct + ETH_OVREHEAD + + mtu + + BNX2X_FW_RX_ALIGN_END; ++ fp->rx_buf_size = SKB_DATA_ALIGN(fp->rx_buf_size); + /* Note : rx_buf_size doesn't take into account NET_SKB_PAD */ + if (fp->rx_buf_size + NET_SKB_PAD <= PAGE_SIZE) + fp->rx_frag_size = fp->rx_buf_size + NET_SKB_PAD; diff --git a/queue-3.18/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch b/queue-3.18/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch new file mode 100644 index 00000000000..e9778b7ac2d --- /dev/null +++ b/queue-3.18/btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch @@ -0,0 +1,87 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Filipe Manana +Date: Tue, 4 Apr 2017 20:31:00 +0100 +Subject: Btrfs: send, fix file hole not being preserved due to inline extent + +From: Filipe Manana + + +[ Upstream commit e1cbfd7bf6dabdac561c75d08357571f44040a45 ] + +Normally we don't have inline extents followed by regular extents, but +there's currently at least one harmless case where this happens. For +example, when the page size is 4Kb and compression is enabled: + + $ mkfs.btrfs -f /dev/sdb + $ mount -o compress /dev/sdb /mnt + $ xfs_io -f -c "pwrite -S 0xaa 0 4K" -c "fsync" /mnt/foobar + $ xfs_io -c "pwrite -S 0xbb 8K 4K" -c "fsync" /mnt/foobar + +In this case we get a compressed inline extent, representing 4Kb of +data, followed by a hole extent and then a regular data extent. The +inline extent was not expanded/converted to a regular extent exactly +because it represents 4Kb of data. This does not cause any apparent +problem (such as the issue solved by commit e1699d2d7bf6 +("btrfs: add missing memset while reading compressed inline extents")) +except trigger an unexpected case in the incremental send code path +that makes us issue an operation to write a hole when it's not needed, +resulting in more writes at the receiver and wasting space at the +receiver. + +So teach the incremental send code to deal with this particular case. + +The issue can be currently triggered by running fstests btrfs/137 with +compression enabled (MOUNT_OPTIONS="-o compress" ./check btrfs/137). + +Signed-off-by: Filipe Manana +Reviewed-by: Liu Bo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/send.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/send.c ++++ b/fs/btrfs/send.c +@@ -4663,13 +4663,19 @@ static int is_extent_unchanged(struct se + while (key.offset < ekey->offset + left_len) { + ei = btrfs_item_ptr(eb, slot, struct btrfs_file_extent_item); + right_type = btrfs_file_extent_type(eb, ei); +- if (right_type != BTRFS_FILE_EXTENT_REG) { ++ if (right_type != BTRFS_FILE_EXTENT_REG && ++ right_type != BTRFS_FILE_EXTENT_INLINE) { + ret = 0; + goto out; + } + + right_disknr = btrfs_file_extent_disk_bytenr(eb, ei); +- right_len = btrfs_file_extent_num_bytes(eb, ei); ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ right_len = btrfs_file_extent_inline_len(eb, slot, ei); ++ right_len = PAGE_ALIGN(right_len); ++ } else { ++ right_len = btrfs_file_extent_num_bytes(eb, ei); ++ } + right_offset = btrfs_file_extent_offset(eb, ei); + right_gen = btrfs_file_extent_generation(eb, ei); + +@@ -4683,6 +4689,19 @@ static int is_extent_unchanged(struct se + goto out; + } + ++ /* ++ * We just wanted to see if when we have an inline extent, what ++ * follows it is a regular extent (wanted to check the above ++ * condition for inline extents too). This should normally not ++ * happen but it's possible for example when we have an inline ++ * compressed extent representing data with a size matching ++ * the page size (currently the same as sector size). ++ */ ++ if (right_type == BTRFS_FILE_EXTENT_INLINE) { ++ ret = 0; ++ goto out; ++ } ++ + left_offset_fixed = left_offset; + if (key.offset < ekey->offset) { + /* Fix the right offset for 2a and 7. */ diff --git a/queue-3.18/cifs-small-underflow-in-cnvrtdosunixtm.patch b/queue-3.18/cifs-small-underflow-in-cnvrtdosunixtm.patch new file mode 100644 index 00000000000..cc54e273ee4 --- /dev/null +++ b/queue-3.18/cifs-small-underflow-in-cnvrtdosunixtm.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Dan Carpenter +Date: Mon, 1 May 2017 21:43:43 +0300 +Subject: cifs: small underflow in cnvrtDosUnixTm() + +From: Dan Carpenter + + +[ Upstream commit 564277eceeca01e02b1ef3e141cfb939184601b4 ] + +January is month 1. There is no zero-th month. If someone passes a +zero month then it means we read from one space before the start of the +total_days_of_prev_months[] array. + +We may as well also be strict about days as well. + +Fixes: 1bd5bbcb6531 ("[CIFS] Legacy time handling for Win9x and OS/2 part 1") +Signed-off-by: Dan Carpenter +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/netmisc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/cifs/netmisc.c ++++ b/fs/cifs/netmisc.c +@@ -980,10 +980,10 @@ struct timespec cnvrtDosUnixTm(__le16 le + cifs_dbg(VFS, "illegal hours %d\n", st->Hours); + days = sd->Day; + month = sd->Month; +- if ((days > 31) || (month > 12)) { ++ if (days < 1 || days > 31 || month < 1 || month > 12) { + cifs_dbg(VFS, "illegal date, month %d day: %d\n", month, days); +- if (month > 12) +- month = 12; ++ days = clamp(days, 1, 31); ++ month = clamp(month, 1, 12); + } + month -= 1; + days += total_days_of_prev_months[month]; diff --git a/queue-3.18/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch b/queue-3.18/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch new file mode 100644 index 00000000000..eb8b7dace53 --- /dev/null +++ b/queue-3.18/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Sergej Sawazki +Date: Tue, 25 Jul 2017 23:21:02 +0200 +Subject: clk: si5351: Rename internal plls to avoid name collisions + +From: Sergej Sawazki + + +[ Upstream commit cdba9a4fb0b53703959ac861e415816cb61aded4 ] + +This drivers probe fails due to a clock name collision if a clock named +'plla' or 'pllb' is already registered when registering this drivers +internal plls. + +Fix it by renaming internal plls to avoid name collisions. + +Cc: Sebastian Hesselbarth +Cc: Rabeeh Khoury +Signed-off-by: Sergej Sawazki +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-si5351.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/clk-si5351.c ++++ b/drivers/clk/clk-si5351.c +@@ -72,7 +72,7 @@ static const char * const si5351_input_n + "xtal", "clkin" + }; + static const char * const si5351_pll_names[] = { +- "plla", "pllb", "vxco" ++ "si5351_plla", "si5351_pllb", "si5351_vxco" + }; + static const char * const si5351_msynth_names[] = { + "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7" diff --git a/queue-3.18/cpufreq-sh-replace-racy-task-affinity-logic.patch b/queue-3.18/cpufreq-sh-replace-racy-task-affinity-logic.patch new file mode 100644 index 00000000000..c36fe5ae8e3 --- /dev/null +++ b/queue-3.18/cpufreq-sh-replace-racy-task-affinity-logic.patch @@ -0,0 +1,127 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Thomas Gleixner +Date: Wed, 12 Apr 2017 22:07:36 +0200 +Subject: cpufreq/sh: Replace racy task affinity logic + +From: Thomas Gleixner + + +[ Upstream commit 205dcc1ecbc566cbc20acf246e68de3b080b3ecf ] + +The target() callback must run on the affected cpu. This is achieved by +temporarily setting the affinity of the calling thread to the requested CPU +and reset it to the original affinity afterwards. + +That's racy vs. concurrent affinity settings for that thread resulting in +code executing on the wrong CPU. + +Replace it by work_on_cpu(). All call pathes which invoke the callbacks are +already protected against CPU hotplug. + +Signed-off-by: Thomas Gleixner +Acked-by: Viresh Kumar +Cc: Fenghua Yu +Cc: Tony Luck +Cc: Herbert Xu +Cc: "Rafael J. Wysocki" +Cc: Peter Zijlstra +Cc: Benjamin Herrenschmidt +Cc: Sebastian Siewior +Cc: linux-pm@vger.kernel.org +Cc: Lai Jiangshan +Cc: Michael Ellerman +Cc: Tejun Heo +Cc: "David S. Miller" +Cc: Len Brown +Link: http://lkml.kernel.org/r/20170412201042.958216363@linutronix.de +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/cpufreq/sh-cpufreq.c | 45 +++++++++++++++++++++++++------------------ + 1 file changed, 27 insertions(+), 18 deletions(-) + +--- a/drivers/cpufreq/sh-cpufreq.c ++++ b/drivers/cpufreq/sh-cpufreq.c +@@ -30,54 +30,63 @@ + + static DEFINE_PER_CPU(struct clk, sh_cpuclk); + ++struct cpufreq_target { ++ struct cpufreq_policy *policy; ++ unsigned int freq; ++}; ++ + static unsigned int sh_cpufreq_get(unsigned int cpu) + { + return (clk_get_rate(&per_cpu(sh_cpuclk, cpu)) + 500) / 1000; + } + +-/* +- * Here we notify other drivers of the proposed change and the final change. +- */ +-static int sh_cpufreq_target(struct cpufreq_policy *policy, +- unsigned int target_freq, +- unsigned int relation) ++static long __sh_cpufreq_target(void *arg) + { +- unsigned int cpu = policy->cpu; ++ struct cpufreq_target *target = arg; ++ struct cpufreq_policy *policy = target->policy; ++ int cpu = policy->cpu; + struct clk *cpuclk = &per_cpu(sh_cpuclk, cpu); +- cpumask_t cpus_allowed; + struct cpufreq_freqs freqs; + struct device *dev; + long freq; + +- cpus_allowed = current->cpus_allowed; +- set_cpus_allowed_ptr(current, cpumask_of(cpu)); +- +- BUG_ON(smp_processor_id() != cpu); ++ if (smp_processor_id() != cpu) ++ return -ENODEV; + + dev = get_cpu_device(cpu); + + /* Convert target_freq from kHz to Hz */ +- freq = clk_round_rate(cpuclk, target_freq * 1000); ++ freq = clk_round_rate(cpuclk, target->freq * 1000); + + if (freq < (policy->min * 1000) || freq > (policy->max * 1000)) + return -EINVAL; + +- dev_dbg(dev, "requested frequency %u Hz\n", target_freq * 1000); ++ dev_dbg(dev, "requested frequency %u Hz\n", target->freq * 1000); + + freqs.old = sh_cpufreq_get(cpu); + freqs.new = (freq + 500) / 1000; + freqs.flags = 0; + +- cpufreq_freq_transition_begin(policy, &freqs); +- set_cpus_allowed_ptr(current, &cpus_allowed); ++ cpufreq_freq_transition_begin(target->policy, &freqs); + clk_set_rate(cpuclk, freq); +- cpufreq_freq_transition_end(policy, &freqs, 0); ++ cpufreq_freq_transition_end(target->policy, &freqs, 0); + + dev_dbg(dev, "set frequency %lu Hz\n", freq); +- + return 0; + } + ++/* ++ * Here we notify other drivers of the proposed change and the final change. ++ */ ++static int sh_cpufreq_target(struct cpufreq_policy *policy, ++ unsigned int target_freq, ++ unsigned int relation) ++{ ++ struct cpufreq_target data = { .policy = policy, .freq = target_freq }; ++ ++ return work_on_cpu(policy->cpu, __sh_cpufreq_target, &data); ++} ++ + static int sh_cpufreq_verify(struct cpufreq_policy *policy) + { + struct clk *cpuclk = &per_cpu(sh_cpuclk, policy->cpu); diff --git a/queue-3.18/drm-msm-fix-leak-in-failed-get_pages.patch b/queue-3.18/drm-msm-fix-leak-in-failed-get_pages.patch new file mode 100644 index 00000000000..79feb314da8 --- /dev/null +++ b/queue-3.18/drm-msm-fix-leak-in-failed-get_pages.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Prakash Kamliya +Date: Mon, 4 Dec 2017 19:10:15 +0530 +Subject: drm/msm: fix leak in failed get_pages + +From: Prakash Kamliya + + +[ Upstream commit 62e3a3e342af3c313ab38603811ecdb1fcc79edb ] + +get_pages doesn't keep a reference of the pages allocated +when it fails later in the code path. This can lead to +a memory leak. Keep reference of the allocated pages so +that it can be freed when msm_gem_free_object gets called +later during cleanup. + +Signed-off-by: Prakash Kamliya +Signed-off-by: Sharat Masetty +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -83,14 +83,17 @@ static struct page **get_pages(struct dr + return p; + } + ++ msm_obj->pages = p; ++ + msm_obj->sgt = drm_prime_pages_to_sg(p, npages); + if (IS_ERR(msm_obj->sgt)) { ++ void *ptr = ERR_CAST(msm_obj->sgt); ++ + dev_err(dev->dev, "failed to allocate sgt\n"); +- return ERR_CAST(msm_obj->sgt); ++ msm_obj->sgt = NULL; ++ return ptr; + } + +- msm_obj->pages = p; +- + /* For non-cached buffers, ensure the new pages are clean + * because display controller, GPU, etc. are not coherent: + */ +@@ -113,7 +116,10 @@ static void put_pages(struct drm_gem_obj + if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) + dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, + msm_obj->sgt->nents, DMA_BIDIRECTIONAL); +- sg_free_table(msm_obj->sgt); ++ ++ if (msm_obj->sgt) ++ sg_free_table(msm_obj->sgt); ++ + kfree(msm_obj->sgt); + + if (iommu_present(&platform_bus_type)) diff --git a/queue-3.18/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch b/queue-3.18/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch new file mode 100644 index 00000000000..160c59ef5ca --- /dev/null +++ b/queue-3.18/drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Peter Ujfalusi +Date: Fri, 29 Sep 2017 14:49:49 +0300 +Subject: drm/omap: DMM: Check for DMM readiness after successful transaction commit + +From: Peter Ujfalusi + + +[ Upstream commit b7ea6b286c4051e043f691781785e3c4672f014a ] + +Check the status of the DMM engine after it is reported that the +transaction was completed as in rare cases the engine might not reached a +working state. + +The wait_status() will print information in case the DMM is not reached the +expected state and the dmm_txn_commit() will return with an error code to +make sure that we are not continuing with a broken setup. + +Signed-off-by: Peter Ujfalusi +Signed-off-by: Tomi Valkeinen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c ++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c +@@ -280,7 +280,12 @@ static int dmm_txn_commit(struct dmm_txn + msecs_to_jiffies(1)) <= 0) { + dev_err(dmm->dev, "timed out waiting for done\n"); + ret = -ETIMEDOUT; ++ goto cleanup; + } ++ ++ /* Check the engine status before continue */ ++ ret = wait_status(engine, DMM_PATSTATUS_READY | ++ DMM_PATSTATUS_VALID | DMM_PATSTATUS_DONE); + } + + cleanup: diff --git a/queue-3.18/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch b/queue-3.18/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch new file mode 100644 index 00000000000..9a33a56c39f --- /dev/null +++ b/queue-3.18/e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch @@ -0,0 +1,45 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Bernd Faust +Date: Thu, 16 Feb 2017 19:42:07 +0100 +Subject: e1000e: fix timing for 82579 Gigabit Ethernet controller + +From: Bernd Faust + + +[ Upstream commit 5313eeccd2d7f486be4e5c7560e3e2be239ec8f7 ] + +After an upgrade to Linux kernel v4.x the hardware timestamps of the +82579 Gigabit Ethernet Controller are different than expected. +The values that are being read are almost four times as big as before +the kernel upgrade. + +The difference is that after the upgrade the driver sets the clock +frequency to 25MHz, where before the upgrade it was set to 96MHz. Intel +confirmed that the correct frequency for this network adapter is 96MHz. + +Signed-off-by: Bernd Faust +Acked-by: Sasha Neftin +Acked-by: Jacob Keller +Tested-by: Aaron Brown +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/e1000e/netdev.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/intel/e1000e/netdev.c ++++ b/drivers/net/ethernet/intel/e1000e/netdev.c +@@ -3507,6 +3507,12 @@ s32 e1000e_get_base_timinca(struct e1000 + + switch (hw->mac.type) { + case e1000_pch2lan: ++ /* Stable 96MHz frequency */ ++ incperiod = INCPERIOD_96MHz; ++ incvalue = INCVALUE_96MHz; ++ shift = INCVALUE_SHIFT_96MHz; ++ adapter->cc.shift = shift + INCPERIOD_SHIFT_96MHz; ++ break; + case e1000_pch_lpt: + /* On I217, the clock frequency is 25MHz or 96MHz as + * indicated by the System Clock Frequency Indication diff --git a/queue-3.18/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch b/queue-3.18/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch new file mode 100644 index 00000000000..97da5fa5b67 --- /dev/null +++ b/queue-3.18/fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: James Smart +Date: Fri, 21 Apr 2017 16:04:56 -0700 +Subject: Fix driver usage of 128B WQEs when WQ_CREATE is V1. + +From: James Smart + + +[ Upstream commit 3f247de750b8dd8f50a2c1390e2a1238790a9dff ] + +There are two versions of a structure for queue creation and setup that the +driver shares with FW. The driver was only treating as version 0. + +Verify WQ_CREATE with 128B WQEs in V0 and V1. + +Code review of another bug showed the driver passing +128B WQEs and 8 pages in WQ CREATE and V0. +Code inspection/instrumentation showed that the driver +uses V0 in WQ_CREATE and if the caller passes queue->entry_size +128B, the driver sets the hdr_version to V1 so all is good. +When I tested the V1 WQ_CREATE, the mailbox failed causing +the driver to unload. + +Signed-off-by: Dick Kennedy +Signed-off-by: James Smart +Reviewed-by: Johannes Thumshirn +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/lpfc/lpfc_sli.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/lpfc/lpfc_sli.c ++++ b/drivers/scsi/lpfc/lpfc_sli.c +@@ -13469,6 +13469,9 @@ lpfc_wq_create(struct lpfc_hba *phba, st + case LPFC_Q_CREATE_VERSION_1: + bf_set(lpfc_mbx_wq_create_wqe_count, &wq_create->u.request_1, + wq->entry_count); ++ bf_set(lpfc_mbox_hdr_version, &shdr->request, ++ LPFC_Q_CREATE_VERSION_1); ++ + switch (wq->entry_size) { + default: + case 64: diff --git a/queue-3.18/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch b/queue-3.18/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch new file mode 100644 index 00000000000..97a2867373d --- /dev/null +++ b/queue-3.18/genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch @@ -0,0 +1,59 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Hans de Goede +Date: Sat, 15 Apr 2017 12:08:31 +0200 +Subject: genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs + +From: Hans de Goede + + +[ Upstream commit 382bd4de61827dbaaf5fb4fb7b1f4be4a86505e7 ] + +When requesting a shared irq with IRQF_TRIGGER_NONE then the irqaction +flags get filled with the trigger type from the irq_data: + + if (!(new->flags & IRQF_TRIGGER_MASK)) + new->flags |= irqd_get_trigger_type(&desc->irq_data); + +On the first setup_irq() the trigger type in irq_data is NONE when the +above code executes, then the irq is started up for the first time and +then the actual trigger type gets established, but that's too late to fix +up new->flags. + +When then a second user of the irq requests the irq with IRQF_TRIGGER_NONE +its irqaction's triggertype gets set to the actual trigger type and the +following check fails: + + if (!((old->flags ^ new->flags) & IRQF_TRIGGER_MASK)) + +Resulting in the request_irq failing with -EBUSY even though both +users requested the irq with IRQF_SHARED | IRQF_TRIGGER_NONE + +Fix this by comparing the new irqaction's trigger type to the trigger type +stored in the irq_data which correctly reflects the actual trigger type +being used for the irq. + +Suggested-by: Thomas Gleixner +Signed-off-by: Hans de Goede +Acked-by: Marc Zyngier +Link: http://lkml.kernel.org/r/20170415100831.17073-1-hdegoede@redhat.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -1058,8 +1058,10 @@ __setup_irq(unsigned int irq, struct irq + * set the trigger type must match. Also all must + * agree on ONESHOT. + */ ++ unsigned int oldtype = irqd_get_trigger_type(&desc->irq_data); ++ + if (!((old->flags & new->flags) & IRQF_SHARED) || +- ((old->flags ^ new->flags) & IRQF_TRIGGER_MASK) || ++ (oldtype != (new->flags & IRQF_TRIGGER_MASK)) || + ((old->flags ^ new->flags) & IRQF_ONESHOT)) + goto mismatch; + diff --git a/queue-3.18/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch b/queue-3.18/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch new file mode 100644 index 00000000000..3fcc98835cb --- /dev/null +++ b/queue-3.18/hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch @@ -0,0 +1,44 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Dan Carpenter +Date: Fri, 21 Apr 2017 13:39:09 +0300 +Subject: HSI: ssi_protocol: double free in ssip_pn_xmit() + +From: Dan Carpenter + + +[ Upstream commit 3026050179a3a9a6f5c892c414b5e36ecf092081 ] + +If skb_pad() fails then it frees skb and we don't need to free it again +at the end of the function. + +Fixes: dc7bf5d7 ("HSI: Introduce driver for SSI Protocol") +Signed-off-by: Dan Carpenter +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hsi/clients/ssi_protocol.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -976,7 +976,7 @@ static int ssip_pn_xmit(struct sk_buff * + goto drop; + /* Pad to 32-bits - FIXME: Revisit*/ + if ((skb->len & 3) && skb_pad(skb, 4 - (skb->len & 3))) +- goto drop; ++ goto inc_dropped; + + /* + * Modem sends Phonet messages over SSI with its own endianess... +@@ -1028,8 +1028,9 @@ static int ssip_pn_xmit(struct sk_buff * + drop2: + hsi_free_msg(msg); + drop: +- dev->stats.tx_dropped++; + dev_kfree_skb(skb); ++inc_dropped: ++ dev->stats.tx_dropped++; + + return 0; + } diff --git a/queue-3.18/i2c-i2c-scmi-add-a-ms-hid.patch b/queue-3.18/i2c-i2c-scmi-add-a-ms-hid.patch new file mode 100644 index 00000000000..60f9c99bab1 --- /dev/null +++ b/queue-3.18/i2c-i2c-scmi-add-a-ms-hid.patch @@ -0,0 +1,66 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Edgar Cherkasov +Date: Tue, 4 Apr 2017 19:18:27 +0300 +Subject: i2c: i2c-scmi: add a MS HID + +From: Edgar Cherkasov + + +[ Upstream commit e058e7a4bc89104540a8a303682248614b5df6f1 ] + +Description of the problem: + - i2c-scmi driver contains only two identifiers "SMBUS01" and "SMBUSIBM"; + - the fist HID (SMBUS01) is clearly defined in "SMBus Control Method + Interface Specification, version 1.0": "Each device must specify + 'SMBUS01' as its _HID and use a unique _UID value"; + - unfortunately, BIOS vendors (like AMI) seem to ignore this requirement + and implement "SMB0001" HID instead of "SMBUS01"; + - I speculate that they do this because only "SMB0001" is hard coded in + Windows SMBus driver produced by Microsoft. + +This leads to following situation: + - SMBus works out of box in Windows but not in Linux; + - board vendors are forced to add correct "SMBUS01" HID to BIOS to make + SMBus work in Linux. Moreover the same board vendors complain that + tools (3-rd party ASL compiler) do not like the "SMBUS01" identifier + and produce errors. So they need to constantly patch the compiler for + each new version of BIOS. + +As it is very unlikely that BIOS vendors implement a correct HID in +future, I would propose to consider whether it is possible to work around +the problem by adding MS HID to the Linux i2c-scmi driver. + +v2: move the definition of the new HID to the driver itself. + +Signed-off-by: Edgar Cherkasov +Signed-off-by: Michael Brunner +Acked-by: Viktor Krasnov +Reviewed-by: Jean Delvare +Reviewed-by: Mika Westerberg +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-scmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/i2c/busses/i2c-scmi.c ++++ b/drivers/i2c/busses/i2c-scmi.c +@@ -18,6 +18,9 @@ + #define ACPI_SMBUS_HC_CLASS "smbus" + #define ACPI_SMBUS_HC_DEVICE_NAME "cmi" + ++/* SMBUS HID definition as supported by Microsoft Windows */ ++#define ACPI_SMBUS_MS_HID "SMB0001" ++ + ACPI_MODULE_NAME("smbus_cmi"); + + struct smbus_methods_t { +@@ -51,6 +54,7 @@ static const struct smbus_methods_t ibm_ + static const struct acpi_device_id acpi_smbus_cmi_ids[] = { + {"SMBUS01", (kernel_ulong_t)&smbus_methods}, + {ACPI_SMBUS_IBM_HID, (kernel_ulong_t)&ibm_smbus_methods}, ++ {ACPI_SMBUS_MS_HID, (kernel_ulong_t)&smbus_methods}, + {"", 0} + }; + MODULE_DEVICE_TABLE(acpi, acpi_smbus_cmi_ids); diff --git a/queue-3.18/ia64-fix-module-loading-for-gcc-5.4.patch b/queue-3.18/ia64-fix-module-loading-for-gcc-5.4.patch new file mode 100644 index 00000000000..5bcd55afb75 --- /dev/null +++ b/queue-3.18/ia64-fix-module-loading-for-gcc-5.4.patch @@ -0,0 +1,65 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Sergei Trofimovich +Date: Mon, 1 May 2017 11:51:55 -0700 +Subject: ia64: fix module loading for gcc-5.4 + +From: Sergei Trofimovich + + +[ Upstream commit a25fb8508c1b80dce742dbeaa4d75a1e9f2c5617 ] + +Starting from gcc-5.4+ gcc generates MLX instructions in more cases to +refer local symbols: + + https://gcc.gnu.org/PR60465 + +That caused ia64 module loader to choke on such instructions: + + fuse: invalid slot number 1 for IMM64 + +The Linux kernel used to handle only case where relocation pointed to +slot=2 instruction in the bundle. That limitation was fixed in linux by +commit 9c184a073bfd ("[IA64] Fix 2.6 kernel for the new ia64 assembler") +See + + http://sources.redhat.com/bugzilla/show_bug.cgi?id=1433 + +This change lifts the slot=2 restriction from the kernel module loader. + +Tested on 'fuse' and 'btrfs' kernel modules. + +Cc: Markus Elfring +Cc: H J Lu +Cc: Fenghua Yu +Cc: Andrew Morton +Bug: https://bugs.gentoo.org/601014 +Tested-by: Émeric MASCHINO +Signed-off-by: Sergei Trofimovich +Signed-off-by: Tony Luck +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/ia64/kernel/module.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/ia64/kernel/module.c ++++ b/arch/ia64/kernel/module.c +@@ -153,7 +153,7 @@ slot (const struct insn *insn) + static int + apply_imm64 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM64\n", + mod->name, slot(insn)); + return 0; +@@ -165,7 +165,7 @@ apply_imm64 (struct module *mod, struct + static int + apply_imm60 (struct module *mod, struct insn *insn, uint64_t val) + { +- if (slot(insn) != 2) { ++ if (slot(insn) != 1 && slot(insn) != 2) { + printk(KERN_ERR "%s: invalid slot number %d for IMM60\n", + mod->name, slot(insn)); + return 0; diff --git a/queue-3.18/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch b/queue-3.18/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch new file mode 100644 index 00000000000..52b6a931182 --- /dev/null +++ b/queue-3.18/ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch @@ -0,0 +1,64 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Erez Shitrit +Date: Tue, 14 Nov 2017 14:51:53 +0200 +Subject: IB/ipoib: Avoid memory leak if the SA returns a different DGID + +From: Erez Shitrit + + +[ Upstream commit 439000892ee17a9c92f1e4297818790ef8bb4ced ] + +The ipoib path database is organized around DGIDs from the LLADDR, but the +SA is free to return a different GID when asked for path. This causes a +bug because the SA's modified DGID is copied into the database key, even +though it is no longer the correct lookup key, causing a memory leak and +other malfunctions. + +Ensure the database key does not change after the SA query completes. + +Demonstration of the bug is as follows +ipoib wants to send to GID fe80:0000:0000:0000:0002:c903:00ef:5ee2, it +creates new record in the DB with that gid as a key, and issues a new +request to the SM. +Now, the SM from some reason returns path-record with other SGID (for +example, 2001:0000:0000:0000:0002:c903:00ef:5ee2 that contains the local +subnet prefix) now ipoib will overwrite the current entry with the new +one, and if new request to the original GID arrives ipoib will not find +it in the DB (was overwritten) and will create new record that in its +turn will also be overwritten by the response from the SM, and so on +till the driver eats all the device memory. + +Signed-off-by: Erez Shitrit +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -488,6 +488,22 @@ static void path_rec_completion(int stat + spin_lock_irqsave(&priv->lock, flags); + + if (!IS_ERR_OR_NULL(ah)) { ++ /* ++ * pathrec.dgid is used as the database key from the LLADDR, ++ * it must remain unchanged even if the SA returns a different ++ * GID to use in the AH. ++ */ ++ if (memcmp(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid))) { ++ ipoib_dbg( ++ priv, ++ "%s got PathRec for gid %pI6 while asked for %pI6\n", ++ dev->name, pathrec->dgid.raw, ++ path->pathrec.dgid.raw); ++ memcpy(pathrec->dgid.raw, path->pathrec.dgid.raw, ++ sizeof(union ib_gid)); ++ } ++ + path->pathrec = *pathrec; + + old_ah = path->ah; diff --git a/queue-3.18/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch b/queue-3.18/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch new file mode 100644 index 00000000000..1ede8046ca4 --- /dev/null +++ b/queue-3.18/ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch @@ -0,0 +1,56 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Feras Daoud +Date: Sun, 19 Mar 2017 11:18:54 +0200 +Subject: IB/ipoib: Update broadcast object if PKey value was changed in index 0 + +From: Feras Daoud + + +[ Upstream commit 9a9b8112699d78e7f317019b37f377e90023f3ed ] + +Update the broadcast address in the priv->broadcast object when the +Pkey value changes in index 0, otherwise the multicast GID value will +keep the previous value of the PKey, and will not be updated. +This leads to interface state down because the interface will keep the +old PKey value. + +For example, in SR-IOV environment, if the PF changes the value of PKey +index 0 for one of the VFs, then the VF receives PKey change event that +triggers heavy flush. This flush calls update_parent_pkey that update the +broadcast object and its relevant members. If in this case the multicast +GID will not be updated, the interface state will be down. + +Fixes: c2904141696e ("IPoIB: Fix pkey change flow for virtualization environments") +Signed-off-by: Feras Daoud +Signed-off-by: Erez Shitrit +Reviewed-by: Alex Vesker +Signed-off-by: Leon Romanovsky +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/ulp/ipoib/ipoib_ib.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_ib.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_ib.c +@@ -955,6 +955,19 @@ static inline int update_parent_pkey(str + */ + priv->dev->broadcast[8] = priv->pkey >> 8; + priv->dev->broadcast[9] = priv->pkey & 0xff; ++ ++ /* ++ * Update the broadcast address in the priv->broadcast object, ++ * in case it already exists, otherwise no one will do that. ++ */ ++ if (priv->broadcast) { ++ spin_lock_irq(&priv->lock); ++ memcpy(priv->broadcast->mcmember.mgid.raw, ++ priv->dev->broadcast + 4, ++ sizeof(union ib_gid)); ++ spin_unlock_irq(&priv->lock); ++ } ++ + return 0; + } + diff --git a/queue-3.18/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch b/queue-3.18/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch new file mode 100644 index 00000000000..a63af49f8d3 --- /dev/null +++ b/queue-3.18/input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Dmitry Torokhov +Date: Mon, 12 Dec 2016 15:32:57 -0800 +Subject: Input: ar1021_i2c - fix too long name in driver's device table + +From: Dmitry Torokhov + + +[ Upstream commit 95123fc43560d6f4a60e74f72836e63cd8848f76 ] + +The name field in structure i2c_device_id is 20 characters, and we expect +it to be NULL-terminated, however we are trying to stuff it with 21 bytes +and thus NULL-terminator is lost. This causes issues when one creates +device with name "MICROCHIP_AR1021_I2C" as i2c core cuts off the last "C", +and automatic module loading by alias does not work as result. + +The -I2C suffix in the device name is superfluous, we know what bus we are +dealing with, so let's drop it. Also, no other driver uses capitals, and +the manufacturer name is normally not included, except in very rare cases +of incompatible name collisions. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116211 +Fixes: dd4cae8bf166 ("Input: Add Microchip AR1021 i2c touchscreen") +Reviewed-By: Christian Gmeiner +Tested-by: Martin Kepplinger +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/ar1021_i2c.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/ar1021_i2c.c ++++ b/drivers/input/touchscreen/ar1021_i2c.c +@@ -152,7 +152,7 @@ static int __maybe_unused ar1021_i2c_res + static SIMPLE_DEV_PM_OPS(ar1021_i2c_pm, ar1021_i2c_suspend, ar1021_i2c_resume); + + static const struct i2c_device_id ar1021_i2c_id[] = { +- { "MICROCHIP_AR1021_I2C", 0 }, ++ { "ar1021", 0 }, + { }, + }; + MODULE_DEVICE_TABLE(i2c, ar1021_i2c_id); diff --git a/queue-3.18/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch b/queue-3.18/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch new file mode 100644 index 00000000000..46746155dbc --- /dev/null +++ b/queue-3.18/ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch @@ -0,0 +1,60 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Robert Lippert +Date: Thu, 20 Apr 2017 16:49:47 -0700 +Subject: ipmi/watchdog: fix wdog hang on panic waiting for ipmi response + +From: Robert Lippert + + +[ Upstream commit 2c1175c2e8e5487233cabde358a19577562ac83e ] + +Commit c49c097610fe ("ipmi: Don't call receive handler in the +panic context") means that the panic_recv_free is not called during a +panic and the atomic count does not drop to 0. + +Fix this by only expecting one decrement of the atomic variable +which comes from panic_smi_free. + +Signed-off-by: Robert Lippert +Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/ipmi/ipmi_watchdog.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -509,7 +509,7 @@ static void panic_halt_ipmi_heartbeat(vo + msg.cmd = IPMI_WDOG_RESET_TIMER; + msg.data = NULL; + msg.data_len = 0; +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = ipmi_request_supply_msgs(watchdog_user, + (struct ipmi_addr *) &addr, + 0, +@@ -519,7 +519,7 @@ static void panic_halt_ipmi_heartbeat(vo + &panic_halt_heartbeat_recv_msg, + 1); + if (rv) +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + } + + static struct ipmi_smi_msg panic_halt_smi_msg = { +@@ -543,12 +543,12 @@ static void panic_halt_ipmi_set_timeout( + /* Wait for the messages to be free. */ + while (atomic_read(&panic_done_count) != 0) + ipmi_poll_interface(watchdog_user); +- atomic_add(2, &panic_done_count); ++ atomic_add(1, &panic_done_count); + rv = i_ipmi_set_timeout(&panic_halt_smi_msg, + &panic_halt_recv_msg, + &send_heartbeat_now); + if (rv) { +- atomic_sub(2, &panic_done_count); ++ atomic_sub(1, &panic_done_count); + printk(KERN_WARNING PFX + "Unable to extend the watchdog timeout."); + } else { diff --git a/queue-3.18/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch b/queue-3.18/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch new file mode 100644 index 00000000000..df5a1ef09c3 --- /dev/null +++ b/queue-3.18/kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Alexey Kardashevskiy +Date: Fri, 24 Mar 2017 17:48:10 +1100 +Subject: KVM: PPC: Book3S PR: Exit KVM on failed mapping + +From: Alexey Kardashevskiy + + +[ Upstream commit bd9166ffe624000140fc6b606b256df01fc0d060 ] + +At the moment kvmppc_mmu_map_page() returns -1 if +mmu_hash_ops.hpte_insert() fails for any reason so the page fault handler +resumes the guest and it faults on the same address again. + +This adds distinction to kvmppc_mmu_map_page() to return -EIO if +mmu_hash_ops.hpte_insert() failed for a reason other than full pteg. +At the moment only pSeries_lpar_hpte_insert() returns -2 if +plpar_pte_enter() failed with a code other than H_PTEG_FULL. +Other mmu_hash_ops.hpte_insert() instances can only fail with +-1 "full pteg". + +With this change, if PR KVM fails to update HPT, it can signal +the userspace about this instead of returning to guest and having +the very same page fault over and over again. + +Signed-off-by: Alexey Kardashevskiy +Reviewed-by: David Gibson +Signed-off-by: Paul Mackerras +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kvm/book3s_64_mmu_host.c | 5 ++++- + arch/powerpc/kvm/book3s_pr.c | 6 +++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/kvm/book3s_64_mmu_host.c ++++ b/arch/powerpc/kvm/book3s_64_mmu_host.c +@@ -176,12 +176,15 @@ map_again: + ret = ppc_md.hpte_insert(hpteg, vpn, hpaddr, rflags, vflags, + hpsize, hpsize, MMU_SEGSIZE_256M); + +- if (ret < 0) { ++ if (ret == -1) { + /* If we couldn't map a primary PTE, try a secondary */ + hash = ~hash; + vflags ^= HPTE_V_SECONDARY; + attempt++; + goto map_again; ++ } else if (ret < 0) { ++ r = -EIO; ++ goto out_unlock; + } else { + trace_kvm_book3s_64_mmu_map(rflags, hpteg, + vpn, hpaddr, orig_pte); +--- a/arch/powerpc/kvm/book3s_pr.c ++++ b/arch/powerpc/kvm/book3s_pr.c +@@ -625,7 +625,11 @@ int kvmppc_handle_pagefault(struct kvm_r + kvmppc_mmu_unmap_page(vcpu, &pte); + } + /* The guest's PTE is not mapped yet. Map on the host */ +- kvmppc_mmu_map_page(vcpu, &pte, iswrite); ++ if (kvmppc_mmu_map_page(vcpu, &pte, iswrite) == -EIO) { ++ /* Exit KVM if mapping failed */ ++ run->exit_reason = KVM_EXIT_INTERNAL_ERROR; ++ return RESUME_HOST; ++ } + if (data) + vcpu->stat.sp_storage++; + else if (vcpu->arch.mmu.is_dcbz32(vcpu) && diff --git a/queue-3.18/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch b/queue-3.18/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch new file mode 100644 index 00000000000..f1aca0e4b60 --- /dev/null +++ b/queue-3.18/mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch @@ -0,0 +1,48 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Emmanuel Grumbach +Date: Wed, 26 Apr 2017 10:58:51 +0300 +Subject: mac80211: don't parse encrypted management frames in ieee80211_frame_acked + +From: Emmanuel Grumbach + + +[ Upstream commit cf147085fdda044622973a12e4e06f1c753ab677 ] + +ieee80211_frame_acked is called when a frame is acked by +the peer. In case this is a management frame, we check +if this an SMPS frame, in which case we can update our +antenna configuration. + +When we parse the management frame we look at the category +in case it is an action frame. That byte sits after the IV +in case the frame was encrypted. This means that if the +frame was encrypted, we basically look at the IV instead +of looking at the category. It is then theorically +possible that we think that an SMPS action frame was acked +where really we had another frame that was encrypted. + +Since the only management frame whose ack needs to be +tracked is the SMPS action frame, and that frame is not +a robust management frame, it will never be encrypted. +The easiest way to fix this problem is then to not look +at frames that were encrypted. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/status.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -194,6 +194,7 @@ static void ieee80211_frame_acked(struct + } + + if (ieee80211_is_action(mgmt->frame_control) && ++ !ieee80211_has_protected(mgmt->frame_control) && + mgmt->u.action.category == WLAN_CATEGORY_HT && + mgmt->u.action.u.ht_smps.action == WLAN_HT_ACTION_SMPS && + ieee80211_sdata_running(sdata)) { diff --git a/queue-3.18/md-raid10-skip-spare-disk-as-first-disk.patch b/queue-3.18/md-raid10-skip-spare-disk-as-first-disk.patch new file mode 100644 index 00000000000..074ea98df21 --- /dev/null +++ b/queue-3.18/md-raid10-skip-spare-disk-as-first-disk.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Shaohua Li +Date: Mon, 1 May 2017 12:15:07 -0700 +Subject: md/raid10: skip spare disk as 'first' disk + +From: Shaohua Li + + +[ Upstream commit b506335e5d2b4ec687dde392a3bdbf7601778f1d ] + +Commit 6f287ca(md/raid10: reset the 'first' at the end of loop) ignores +a case in reshape, the first rdev could be a spare disk, which shouldn't +be accounted as the first disk since it doesn't include the offset info. + +Fix: 6f287ca(md/raid10: reset the 'first' at the end of loop) +Cc: Guoqing Jiang +Cc: NeilBrown +Signed-off-by: Shaohua Li +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/raid10.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -4132,6 +4132,7 @@ static int raid10_start_reshape(struct m + diff = 0; + if (first || diff < min_offset_diff) + min_offset_diff = diff; ++ first = 0; + } + } + diff --git a/queue-3.18/media-bt8xx-fix-err-bt878_probe.patch b/queue-3.18/media-bt8xx-fix-err-bt878_probe.patch new file mode 100644 index 00000000000..b70df30af90 --- /dev/null +++ b/queue-3.18/media-bt8xx-fix-err-bt878_probe.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Christophe JAILLET +Date: Thu, 21 Sep 2017 19:23:56 -0400 +Subject: media: bt8xx: Fix err 'bt878_probe()' + +From: Christophe JAILLET + + +[ Upstream commit 45392ff6881dbe56d41ef0b17c2e576065f8ffa1 ] + +This is odd to call 'pci_disable_device()' in an error path before a +coresponding successful 'pci_enable_device()'. + +Return directly instead. + +Fixes: 77e0be12100a ("V4L/DVB (4176): Bug-fix: Fix memory overflow") + +Signed-off-by: Christophe JAILLET +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/pci/bt8xx/bt878.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -425,8 +425,7 @@ static int bt878_probe(struct pci_dev *d + bt878_num); + if (bt878_num >= BT878_MAX) { + printk(KERN_ERR "bt878: Too many devices inserted\n"); +- result = -ENOMEM; +- goto fail0; ++ return -ENOMEM; + } + if (pci_enable_device(dev)) + return -EIO; diff --git a/queue-3.18/media-dvb-core-race-condition-when-writing-to-cam.patch b/queue-3.18/media-dvb-core-race-condition-when-writing-to-cam.patch new file mode 100644 index 00000000000..46725a84605 --- /dev/null +++ b/queue-3.18/media-dvb-core-race-condition-when-writing-to-cam.patch @@ -0,0 +1,71 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Jasmin J +Date: Fri, 17 Mar 2017 23:04:20 -0300 +Subject: [media] media/dvb-core: Race condition when writing to CAM + +From: Jasmin J + + +[ Upstream commit e7080d4471d805d921a9ea21b32f911a91e248cb ] + +It started with a sporadic message in syslog: "CAM tried to send a +buffer larger than the ecount size" This message is not the fault +itself, but a consecutive fault, after a read error from the CAM. This +happens only on several CAMs, several hardware, and of course sporadic. + +It is a consecutive fault, if the last read from the CAM did fail. I +guess this will not happen on all CAMs, but at least it did on mine. +There was a write error to the CAM and during the re-initialization +procedure, the CAM finished the last read, although it got a RS. + +The write error to the CAM happened because a race condition between HC +write, checking DA and FR. + +This patch added an additional check for DA(RE), just after checking FR. +It is important to read the CAMs status register again, to give the CAM +the necessary time for a proper reaction to HC. Please note the +description within the source code (patch below). + +[mchehab@s-opensource.com: make checkpatch happy] + +Signed-off-by: Jasmin jessich +Tested-by: Ralph Metzler +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-core/dvb_ca_en50221.c | 23 +++++++++++++++++++++++ + 1 file changed, 23 insertions(+) + +--- a/drivers/media/dvb-core/dvb_ca_en50221.c ++++ b/drivers/media/dvb-core/dvb_ca_en50221.c +@@ -749,6 +749,29 @@ static int dvb_ca_en50221_write_data(str + goto exit; + } + ++ /* ++ * It may need some time for the CAM to settle down, or there might ++ * be a race condition between the CAM, writing HC and our last ++ * check for DA. This happens, if the CAM asserts DA, just after ++ * checking DA before we are setting HC. In this case it might be ++ * a bug in the CAM to keep the FR bit, the lower layer/HW ++ * communication requires a longer timeout or the CAM needs more ++ * time internally. But this happens in reality! ++ * We need to read the status from the HW again and do the same ++ * we did for the previous check for DA ++ */ ++ status = ca->pub->read_cam_control(ca->pub, slot, CTRLIF_STATUS); ++ if (status < 0) ++ goto exit; ++ ++ if (status & (STATUSREG_DA | STATUSREG_RE)) { ++ if (status & STATUSREG_DA) ++ dvb_ca_en50221_thread_wakeup(ca); ++ ++ status = -EAGAIN; ++ goto exit; ++ } ++ + /* send the amount of data */ + if ((status = ca->pub->write_cam_control(ca->pub, slot, CTRLIF_SIZE_HIGH, bytes_write >> 8)) != 0) + goto exit; diff --git a/queue-3.18/media-media-dvb-frontends-add-delay-to-si2168-restart.patch b/queue-3.18/media-media-dvb-frontends-add-delay-to-si2168-restart.patch new file mode 100644 index 00000000000..e496a416d6b --- /dev/null +++ b/queue-3.18/media-media-dvb-frontends-add-delay-to-si2168-restart.patch @@ -0,0 +1,41 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Ron Economos +Date: Mon, 11 Dec 2017 19:51:53 -0500 +Subject: media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart + +From: Ron Economos + + +[ Upstream commit 380a6c86457573aa42d27ae11e025eb25941a0b7 ] + +On faster CPUs a delay is required after the resume command and the restart command. Without the delay, the restart command often returns -EREMOTEIO and the Si2168 does not restart. + +Note that this patch fixes the same issue as https://patchwork.linuxtv.org/patch/44304/, but I believe my udelay() fix addresses the actual problem. + +Signed-off-by: Ron Economos +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/si2168.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/dvb-frontends/si2168.c ++++ b/drivers/media/dvb-frontends/si2168.c +@@ -14,6 +14,8 @@ + * GNU General Public License for more details. + */ + ++#include ++ + #include "si2168_priv.h" + + static const struct dvb_frontend_ops si2168_ops; +@@ -380,6 +382,7 @@ static int si2168_init(struct dvb_fronte + if (ret) + goto err; + ++ udelay(100); + memcpy(cmd.args, "\x85", 1); + cmd.wlen = 1; + cmd.rlen = 1; diff --git a/queue-3.18/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch b/queue-3.18/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch new file mode 100644 index 00000000000..d55bc962387 --- /dev/null +++ b/queue-3.18/mfd-palmas-reset-the-powerhold-mux-during-power-off.patch @@ -0,0 +1,51 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Keerthy +Date: Thu, 10 Nov 2016 10:39:18 +0530 +Subject: mfd: palmas: Reset the POWERHOLD mux during power off + +From: Keerthy + + +[ Upstream commit 85fdaf8eb9bbec1f0f8a52fd5d85659d60738816 ] + +POWERHOLD signal has higher priority over the DEV_ON bit. +So power off will not happen if the POWERHOLD is held high. +Hence reset the MUX to GPIO_7 mode to release the POWERHOLD +and the DEV_ON bit to take effect to power off the PMIC. + +PMIC Power off happens in dire situations like thermal shutdown +so irrespective of the POWERHOLD setting go ahead and turn off +the powerhold. Currently poweroff is broken on boards that have +powerhold enabled. This fixes poweroff on those boards. + +Signed-off-by: Keerthy +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/palmas.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/drivers/mfd/palmas.c ++++ b/drivers/mfd/palmas.c +@@ -430,6 +430,20 @@ static void palmas_power_off(void) + { + unsigned int addr; + int ret, slave; ++ struct device_node *np = palmas_dev->dev->of_node; ++ ++ if (of_property_read_bool(np, "ti,palmas-override-powerhold")) { ++ addr = PALMAS_BASE_TO_REG(PALMAS_PU_PD_OD_BASE, ++ PALMAS_PRIMARY_SECONDARY_PAD2); ++ slave = PALMAS_BASE_TO_SLAVE(PALMAS_PU_PD_OD_BASE); ++ ++ ret = regmap_update_bits(palmas_dev->regmap[slave], addr, ++ PALMAS_PRIMARY_SECONDARY_PAD2_GPIO_7_MASK, 0); ++ if (ret) ++ dev_err(palmas_dev->dev, ++ "Unable to write PRIMARY_SECONDARY_PAD2 %d\n", ++ ret); ++ } + + if (!palmas_dev) + return; diff --git a/queue-3.18/mmc-avoid-removing-non-removable-hosts-during-suspend.patch b/queue-3.18/mmc-avoid-removing-non-removable-hosts-during-suspend.patch new file mode 100644 index 00000000000..e52b2134034 --- /dev/null +++ b/queue-3.18/mmc-avoid-removing-non-removable-hosts-during-suspend.patch @@ -0,0 +1,62 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Daniel Drake +Date: Tue, 12 Dec 2017 10:49:02 +0000 +Subject: mmc: avoid removing non-removable hosts during suspend + +From: Daniel Drake + + +[ Upstream commit de8dcc3d2c0e08e5068ee1e26fc46415c15e3637 ] + +The Weibu F3C MiniPC has an onboard AP6255 module, presenting +two SDIO functions on a single MMC host (Bluetooth/btsdio and +WiFi/brcmfmac), and the mmc layer correctly detects this as +non-removable. + +After suspend/resume, the wifi and bluetooth interfaces disappear +and do not get probed again. + +The conditions here are: + + 1. During suspend, we reach mmc_pm_notify() + + 2. mmc_pm_notify() calls mmc_sdio_pre_suspend() to see if we can + suspend the SDIO host. However, mmc_sdio_pre_suspend() returns + -ENOSYS because btsdio_driver does not have a suspend method. + + 3. mmc_pm_notify() proceeds to remove the card + + 4. Upon resume, mmc_rescan() does nothing with this host, because of + the rescan_entered check which aims to only scan a non-removable + device a single time (i.e. during boot). + +Fix the loss of functionality by detecting that we are unable to +suspend a non-removable host, so avoid the forced removal in that +case. The comment above this function already indicates that this +code was only intended for removable devices. + +Signed-off-by: Daniel Drake +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/mmc/core/core.c ++++ b/drivers/mmc/core/core.c +@@ -2656,6 +2656,14 @@ int mmc_pm_notify(struct notifier_block + if (!err) + break; + ++ if (!mmc_card_is_removable(host)) { ++ dev_warn(mmc_dev(host), ++ "pre_suspend failed for non-removable host: " ++ "%d\n", err); ++ /* Avoid removing non-removable hosts */ ++ break; ++ } ++ + /* Calling bus_ops->remove() with a claimed host can deadlock */ + host->bus_ops->remove(host); + mmc_claim_host(host); diff --git a/queue-3.18/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch b/queue-3.18/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch new file mode 100644 index 00000000000..7cab2ba7501 --- /dev/null +++ b/queue-3.18/mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Dan Carpenter +Date: Mon, 10 Apr 2017 16:54:17 +0300 +Subject: mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() + +From: Dan Carpenter + + +[ Upstream commit ec5ab8933772c87f24ad62a4a602fe8949f423c2 ] + +devm_pinctrl_get() returns error pointers, it never returns NULL. + +Fixes: 455e5cd6f736 ("mmc: omap_hsmmc: Pin remux workaround to support SDIO interrupt on AM335x") +Signed-off-by: Dan Carpenter +Reviewed-by: Kishon Vijay Abraham I +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/omap_hsmmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1757,8 +1757,8 @@ static int omap_hsmmc_configure_wake_irq + */ + if (host->pdata->controller_flags & OMAP_HSMMC_SWAKEUP_MISSING) { + struct pinctrl *p = devm_pinctrl_get(host->dev); +- if (!p) { +- ret = -ENODEV; ++ if (IS_ERR(p)) { ++ ret = PTR_ERR(p); + goto err_free_irq; + } + if (IS_ERR(pinctrl_lookup_state(p, PINCTRL_STATE_DEFAULT))) { diff --git a/queue-3.18/net-ipv6-send-unsolicited-na-on-admin-up.patch b/queue-3.18/net-ipv6-send-unsolicited-na-on-admin-up.patch new file mode 100644 index 00000000000..770f9f8e7e4 --- /dev/null +++ b/queue-3.18/net-ipv6-send-unsolicited-na-on-admin-up.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: David Ahern +Date: Wed, 12 Apr 2017 11:49:04 -0700 +Subject: net: ipv6: send unsolicited NA on admin up + +From: David Ahern + + +[ Upstream commit 4a6e3c5def13c91adf2acc613837001f09af3baa ] + +ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is +set to 1, gratuitous arp requests are sent when the device is brought up. +The same is expected when ndisc_notify is set to 1 (per ndisc_notify in +Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP +event; add it. + +Fixes: 5cb04436eef6 ("ipv6: add knob to send unsolicited ND on link-layer address change") +Signed-off-by: David Ahern +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ndisc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/ndisc.c ++++ b/net/ipv6/ndisc.c +@@ -1646,6 +1646,8 @@ static int ndisc_netdev_event(struct not + case NETDEV_CHANGEADDR: + neigh_changeaddr(&nd_tbl, dev); + fib6_run_gc(0, net, false); ++ /* fallthrough */ ++ case NETDEV_UP: + idev = in6_dev_get(dev); + if (!idev) + break; diff --git a/queue-3.18/pinctrl-really-force-states-during-suspend-resume.patch b/queue-3.18/pinctrl-really-force-states-during-suspend-resume.patch new file mode 100644 index 00000000000..5eefc7299a7 --- /dev/null +++ b/queue-3.18/pinctrl-really-force-states-during-suspend-resume.patch @@ -0,0 +1,107 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Florian Fainelli +Date: Wed, 1 Mar 2017 10:32:57 -0800 +Subject: pinctrl: Really force states during suspend/resume + +From: Florian Fainelli + + +[ Upstream commit 981ed1bfbc6c4660b2ddaa8392893e20a6255048 ] + +In case a platform only defaults a "default" set of pins, but not a +"sleep" set of pins, and this particular platform suspends and resumes +in a way that the pin states are not preserved by the hardware, when we +resume, we would call pinctrl_single_resume() -> pinctrl_force_default() +-> pinctrl_select_state() and the first thing we do is check that the +pins state is the same as before, and do nothing. + +In order to fix this, decouple the actual state change from +pinctrl_select_state() and move it pinctrl_commit_state(), while keeping +the p->state == state check in pinctrl_select_state() not to change the +caller assumptions. pinctrl_force_sleep() and pinctrl_force_default() +are updated to bypass the state check by calling pinctrl_commit_state(). + +[Linus Walleij] +The forced pin control states are currently only used in some pin +controller drivers that grab their own reference to their own pins. +This is equal to the pin control hogs: pins taken by pin control +devices since there are no corresponding device in the Linux device +hierarchy, such as memory controller lines or unused GPIO lines, +or GPIO lines that are used orthogonally from the GPIO subsystem +but pincontrol-wise managed as hogs (non-strict mode, allowing +simultaneous use by GPIO and pin control). For this case forcing +the state from the drivers' suspend()/resume() callbacks makes +sense and should semantically match the name of the function. + +Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device") +Signed-off-by: Florian Fainelli +Reviewed-by: Andy Shevchenko +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -977,19 +977,16 @@ struct pinctrl_state *pinctrl_lookup_sta + EXPORT_SYMBOL_GPL(pinctrl_lookup_state); + + /** +- * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * pinctrl_commit_state() - select/activate/program a pinctrl state to HW + * @p: the pinctrl handle for the device that requests configuration + * @state: the state handle to select/activate/program + */ +-int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state) + { + struct pinctrl_setting *setting, *setting2; + struct pinctrl_state *old_state = p->state; + int ret; + +- if (p->state == state) +- return 0; +- + if (p->state) { + /* + * For each pinmux setting in the old state, forget SW's record +@@ -1053,6 +1050,19 @@ unapply_new_state: + + return ret; + } ++ ++/** ++ * pinctrl_select_state() - select/activate/program a pinctrl state to HW ++ * @p: the pinctrl handle for the device that requests configuration ++ * @state: the state handle to select/activate/program ++ */ ++int pinctrl_select_state(struct pinctrl *p, struct pinctrl_state *state) ++{ ++ if (p->state == state) ++ return 0; ++ ++ return pinctrl_commit_state(p, state); ++} + EXPORT_SYMBOL_GPL(pinctrl_select_state); + + static void devm_pinctrl_release(struct device *dev, void *res) +@@ -1221,7 +1231,7 @@ void pinctrl_unregister_map(struct pinct + int pinctrl_force_sleep(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_sleep)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_sleep); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_sleep); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_sleep); +@@ -1233,7 +1243,7 @@ EXPORT_SYMBOL_GPL(pinctrl_force_sleep); + int pinctrl_force_default(struct pinctrl_dev *pctldev) + { + if (!IS_ERR(pctldev->p) && !IS_ERR(pctldev->hog_default)) +- return pinctrl_select_state(pctldev->p, pctldev->hog_default); ++ return pinctrl_commit_state(pctldev->p, pctldev->hog_default); + return 0; + } + EXPORT_SYMBOL_GPL(pinctrl_force_default); diff --git a/queue-3.18/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch b/queue-3.18/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch new file mode 100644 index 00000000000..6ad92ecb85d --- /dev/null +++ b/queue-3.18/platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch @@ -0,0 +1,39 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Santeri Toivonen +Date: Tue, 4 Apr 2017 21:09:00 +0300 +Subject: platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA + +From: Santeri Toivonen + + +[ Upstream commit f35823619db8bbaa2afea8705f239c3cecb9d22f ] + +Asus laptop X302UA starts up with Wi-Fi disabled, +without a way to enable it. Set wapf=4 to fix the problem. + +Signed-off-by: Santeri Toivonen +Signed-off-by: Darren Hart (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/platform/x86/asus-nb-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/platform/x86/asus-nb-wmi.c ++++ b/drivers/platform/x86/asus-nb-wmi.c +@@ -101,6 +101,15 @@ static const struct dmi_system_id asus_q + }, + { + .callback = dmi_matched, ++ .ident = "ASUSTeK COMPUTER INC. X302UA", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "X302UA"), ++ }, ++ .driver_data = &quirk_asus_wapf4, ++ }, ++ { ++ .callback = dmi_matched, + .ident = "ASUSTeK COMPUTER INC. X401U", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), diff --git a/queue-3.18/power-supply-pda_power-move-from-timer-to-delayed_work.patch b/queue-3.18/power-supply-pda_power-move-from-timer-to-delayed_work.patch new file mode 100644 index 00000000000..4fa6a93a2e1 --- /dev/null +++ b/queue-3.18/power-supply-pda_power-move-from-timer-to-delayed_work.patch @@ -0,0 +1,179 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Michael Trimarchi +Date: Tue, 25 Apr 2017 15:18:05 +0200 +Subject: power: supply: pda_power: move from timer to delayed_work + +From: Michael Trimarchi + + +[ Upstream commit 633e8799ddc09431be2744c4a1efdbda13af2b0b ] + +This changed is needed to avoid locking problem during +boot as shown: + +<5>[ 8.824096] Registering SWP/SWPB emulation handler +<6>[ 8.977294] clock: disabling unused clocks to save power +<3>[ 9.108154] BUG: sleeping function called from invalid context at kernel_albert/kernel/mutex.c:269 +<3>[ 9.122894] in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: swapper/0 +<4>[ 9.130249] 3 locks held by swapper/0/1: +<4>[ 9.134613] #0: (&__lockdep_no_validate__){......}, at: [] __driver_attach+0x58/0xa8 +<4>[ 9.144500] #1: (&__lockdep_no_validate__){......}, at: [] __driver_attach+0x68/0xa8 +<4>[ 9.154357] #2: (&polling_timer){......}, at: [] run_timer_softirq+0x108/0x3ec +<4>[ 9.163726] Backtrace: +<4>[ 9.166473] [] (dump_backtrace+0x0/0x114) from [] (dump_stack+0x20/0x24) +<4>[ 9.175811] r6:00203230 r5:0000010d r4:d782e000 r3:60000113 +<4>[ 9.182250] [] (dump_stack+0x0/0x24) from [] (__might_sleep+0x10c/0x128) +<4>[ 9.191650] [] (__might_sleep+0x0/0x128) from [] (mutex_lock_nested+0x34/0x36c) +<4>[ 9.201660] r5:c02d5350 r4:d79a0c64 +<4>[ 9.205688] [] (mutex_lock_nested+0x0/0x36c) from [] (regulator_set_current_limit+0x30/0x118) +<4>[ 9.217071] [] (regulator_set_current_limit+0x0/0x118) from [] (update_charger+0x84/0xc4) +<4>[ 9.228027] r7:d782fb20 r6:00000101 r5:c1767e94 r4:00000000 +<4>[ 9.234436] [] (update_charger+0x0/0xc4) from [] (psy_changed+0x20/0x48) +<4>[ 9.243804] r5:d782e000 r4:c1767e94 +<4>[ 9.247802] [] (psy_changed+0x0/0x48) from [] (polling_timer_func+0x84/0xb8) +<4>[ 9.257537] r4:c1767e94 r3:00000002 +<4>[ 9.261566] [] (polling_timer_func+0x0/0xb8) from [] (run_timer_softirq+0x17c/0x3ec) +<4>[ 9.272033] r4:c1767eb0 r3:00000000 +<4>[ 9.276062] [] (run_timer_softirq+0x0/0x3ec) from [] (__do_softirq+0xf0/0x298) +<4>[ 9.286010] [] (__do_softirq+0x0/0x298) from [] (irq_exit+0x98/0xa0) +<4>[ 9.295013] [] (irq_exit+0x0/0xa0) from [] (handle_IRQ+0x60/0xc0) +<4>[ 9.303680] r4:c1194e98 r3:c00bc778 +<4>[ 9.307708] [] (handle_IRQ+0x0/0xc0) from [] (gic_handle_irq+0x34/0x68) +<4>[ 9.316955] r8:000ac383 r7:d782fc3c r6:d782fc08 r5:c11936c4 r4:e0802100 +<4>[ 9.324310] r3:c026ba48 +<4>[ 9.327301] [] (gic_handle_irq+0x0/0x68) from [] (__irq_svc+0x40/0x74) +<4>[ 9.336456] Exception stack(0xd782fc08 to 0xd782fc50) +<4>[ 9.342041] fc00: d6e30e6c ac383627 00000000 ac383417 ea19c000 ea200000 +<4>[ 9.351104] fc20: beffffff 00000667 000ac383 d6e30670 d6e3066c d782fc94 d782fbe8 d782fc50 +<4>[ 9.360168] fc40: c026ba48 c001d1f0 00000113 ffffffff + +Fixes: b2998049cfae ("[BATTERY] pda_power platform driver") +Signed-off-by: Michael Trimarchi +Signed-off-by: Anthony Brandon +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/pda_power.c | 49 +++++++++++++++++++++++++--------------------- + 1 file changed, 27 insertions(+), 22 deletions(-) + +--- a/drivers/power/pda_power.c ++++ b/drivers/power/pda_power.c +@@ -30,9 +30,9 @@ static inline unsigned int get_irq_flags + static struct device *dev; + static struct pda_power_pdata *pdata; + static struct resource *ac_irq, *usb_irq; +-static struct timer_list charger_timer; +-static struct timer_list supply_timer; +-static struct timer_list polling_timer; ++static struct delayed_work charger_work; ++static struct delayed_work polling_work; ++static struct delayed_work supply_work; + static int polling; + + #if IS_ENABLED(CONFIG_USB_PHY) +@@ -143,7 +143,7 @@ static void update_charger(void) + } + } + +-static void supply_timer_func(unsigned long unused) ++static void supply_work_func(struct work_struct *work) + { + if (ac_status == PDA_PSY_TO_CHANGE) { + ac_status = new_ac_status; +@@ -164,11 +164,12 @@ static void psy_changed(void) + * Okay, charger set. Now wait a bit before notifying supplicants, + * charge power should stabilize. + */ +- mod_timer(&supply_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_charger)); ++ cancel_delayed_work(&supply_work); ++ schedule_delayed_work(&supply_work, ++ msecs_to_jiffies(pdata->wait_for_charger)); + } + +-static void charger_timer_func(unsigned long unused) ++static void charger_work_func(struct work_struct *work) + { + update_status(); + psy_changed(); +@@ -187,13 +188,14 @@ static irqreturn_t power_changed_isr(int + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return IRQ_HANDLED; + } + +-static void polling_timer_func(unsigned long unused) ++static void polling_work_func(struct work_struct *work) + { + int changed = 0; + +@@ -214,8 +216,9 @@ static void polling_timer_func(unsigned + if (changed) + psy_changed(); + +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + #if IS_ENABLED(CONFIG_USB_PHY) +@@ -253,8 +256,9 @@ static int otg_handle_notification(struc + * Wait a bit before reading ac/usb line status and setting charger, + * because ac/usb status readings may lag from irq. + */ +- mod_timer(&charger_timer, +- jiffies + msecs_to_jiffies(pdata->wait_for_status)); ++ cancel_delayed_work(&charger_work); ++ schedule_delayed_work(&charger_work, ++ msecs_to_jiffies(pdata->wait_for_status)); + + return NOTIFY_OK; + } +@@ -302,8 +306,8 @@ static int pda_power_probe(struct platfo + if (!pdata->ac_max_uA) + pdata->ac_max_uA = 500000; + +- setup_timer(&charger_timer, charger_timer_func, 0); +- setup_timer(&supply_timer, supply_timer_func, 0); ++ INIT_DELAYED_WORK(&charger_work, charger_work_func); ++ INIT_DELAYED_WORK(&supply_work, supply_work_func); + + ac_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "ac"); + usb_irq = platform_get_resource_byname(pdev, IORESOURCE_IRQ, "usb"); +@@ -381,9 +385,10 @@ static int pda_power_probe(struct platfo + + if (polling) { + dev_dbg(dev, "will poll for status\n"); +- setup_timer(&polling_timer, polling_timer_func, 0); +- mod_timer(&polling_timer, +- jiffies + msecs_to_jiffies(pdata->polling_interval)); ++ INIT_DELAYED_WORK(&polling_work, polling_work_func); ++ cancel_delayed_work(&polling_work); ++ schedule_delayed_work(&polling_work, ++ msecs_to_jiffies(pdata->polling_interval)); + } + + if (ac_irq || usb_irq) +@@ -429,9 +434,9 @@ static int pda_power_remove(struct platf + free_irq(ac_irq->start, &pda_psy_ac); + + if (polling) +- del_timer_sync(&polling_timer); +- del_timer_sync(&charger_timer); +- del_timer_sync(&supply_timer); ++ cancel_delayed_work_sync(&polling_work); ++ cancel_delayed_work_sync(&charger_work); ++ cancel_delayed_work_sync(&supply_work); + + if (pdata->is_usb_online) + power_supply_unregister(&pda_psy_usb); diff --git a/queue-3.18/qlcnic-fix-unchecked-return-value.patch b/queue-3.18/qlcnic-fix-unchecked-return-value.patch new file mode 100644 index 00000000000..9308bb9e0d6 --- /dev/null +++ b/queue-3.18/qlcnic-fix-unchecked-return-value.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 20:04:04 +0800 +Subject: qlcnic: fix unchecked return value + +From: Pan Bian + + +[ Upstream commit 91ec701a553cb3de470fd471c6fefe3ad1125455 ] + +Function pci_find_ext_capability() may return 0, which is an invalid +address. In function qlcnic_sriov_virtid_fn(), its return value is used +without validation. This may result in invalid memory access bugs. This +patch fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -126,6 +126,8 @@ static int qlcnic_sriov_virtid_fn(struct + return 0; + + pos = pci_find_ext_capability(dev, PCI_EXT_CAP_ID_SRIOV); ++ if (!pos) ++ return 0; + pci_read_config_word(dev, pos + PCI_SRIOV_VF_OFFSET, &offset); + pci_read_config_word(dev, pos + PCI_SRIOV_VF_STRIDE, &stride); + diff --git a/queue-3.18/rdma-cma-use-correct-size-when-writing-netlink-stats.patch b/queue-3.18/rdma-cma-use-correct-size-when-writing-netlink-stats.patch new file mode 100644 index 00000000000..87549519b28 --- /dev/null +++ b/queue-3.18/rdma-cma-use-correct-size-when-writing-netlink-stats.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Parav Pandit +Date: Tue, 14 Nov 2017 14:51:55 +0200 +Subject: RDMA/cma: Use correct size when writing netlink stats + +From: Parav Pandit + + +[ Upstream commit 7baaa49af3716fb31877c61f59b74d029ce15b75 ] + +The code was using the src size when formatting the dst. They are almost +certainly the same value but it reads wrong. + +Fixes: ce117ffac2e9 ("RDMA/cma: Export AF_IB statistics") +Signed-off-by: Parav Pandit +Reviewed-by: Daniel Jurgens +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/cma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/core/cma.c ++++ b/drivers/infiniband/core/cma.c +@@ -3632,7 +3632,7 @@ static int cma_get_id_stats(struct sk_bu + RDMA_NL_RDMA_CM_ATTR_SRC_ADDR)) + goto out; + if (ibnl_put_attr(skb, nlh, +- rdma_addr_size(cma_src_addr(id_priv)), ++ rdma_addr_size(cma_dst_addr(id_priv)), + cma_dst_addr(id_priv), + RDMA_NL_RDMA_CM_ATTR_DST_ADDR)) + goto out; diff --git a/queue-3.18/rndis_wlan-add-return-value-validation.patch b/queue-3.18/rndis_wlan-add-return-value-validation.patch new file mode 100644 index 00000000000..d3c9e328157 --- /dev/null +++ b/queue-3.18/rndis_wlan-add-return-value-validation.patch @@ -0,0 +1,37 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Pan Bian +Date: Mon, 24 Apr 2017 08:40:28 +0800 +Subject: rndis_wlan: add return value validation + +From: Pan Bian + + +[ Upstream commit 9dc7efd3978aa67ae598129d2a3f240b390ce508 ] + +Function create_singlethread_workqueue() will return a NULL pointer if +there is no enough memory, and its return value should be validated +before using. However, in function rndis_wlan_bind(), its return value +is not checked. This may cause NULL dereference bugs. This patch fixes +it. + +Signed-off-by: Pan Bian +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rndis_wlan.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/wireless/rndis_wlan.c ++++ b/drivers/net/wireless/rndis_wlan.c +@@ -3425,6 +3425,10 @@ static int rndis_wlan_bind(struct usbnet + + /* because rndis_command() sleeps we need to use workqueue */ + priv->workqueue = create_singlethread_workqueue("rndis_wlan"); ++ if (!priv->workqueue) { ++ wiphy_free(wiphy); ++ return -ENOMEM; ++ } + INIT_WORK(&priv->work, rndis_wlan_worker); + INIT_DELAYED_WORK(&priv->dev_poller_work, rndis_device_poller); + INIT_DELAYED_WORK(&priv->scan_work, rndis_get_scan_results); diff --git a/queue-3.18/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch b/queue-3.18/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch new file mode 100644 index 00000000000..39e4880aba2 --- /dev/null +++ b/queue-3.18/scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch @@ -0,0 +1,94 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Finn Thain +Date: Sun, 2 Apr 2017 17:08:05 +1000 +Subject: scsi: mac_esp: Replace bogus memory barrier with spinlock + +From: Finn Thain + + +[ Upstream commit 4da2b1eb230ba4ad19b58984dc52e05b1073df5f ] + +Commit da244654c66e ("[SCSI] mac_esp: fix for quadras with two esp +chips") added mac_scsi_esp_intr() to handle the IRQ lines from a pair of +on-board ESP chips (a normal shared IRQ did not work). + +Proper mutual exclusion was missing from that patch. This patch fixes +race conditions between comparison and assignment of esp_chips[] +pointers. + +Signed-off-by: Finn Thain +Reviewed-by: Michael Schmitz +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/mac_esp.c | 33 +++++++++++++++++++++++---------- + 1 file changed, 23 insertions(+), 10 deletions(-) + +--- a/drivers/scsi/mac_esp.c ++++ b/drivers/scsi/mac_esp.c +@@ -55,6 +55,7 @@ struct mac_esp_priv { + int error; + }; + static struct esp *esp_chips[2]; ++static DEFINE_SPINLOCK(esp_chips_lock); + + #define MAC_ESP_GET_PRIV(esp) ((struct mac_esp_priv *) \ + platform_get_drvdata((struct platform_device *) \ +@@ -562,15 +563,18 @@ static int esp_mac_probe(struct platform + } + + host->irq = IRQ_MAC_SCSI; +- esp_chips[dev->id] = esp; +- mb(); +- if (esp_chips[!dev->id] == NULL) { +- err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); +- if (err < 0) { +- esp_chips[dev->id] = NULL; +- goto fail_free_priv; +- } ++ ++ /* The request_irq() call is intended to succeed for the first device ++ * and fail for the second device. ++ */ ++ err = request_irq(host->irq, mac_scsi_esp_intr, 0, "ESP", NULL); ++ spin_lock(&esp_chips_lock); ++ if (err < 0 && esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); ++ goto fail_free_priv; + } ++ esp_chips[dev->id] = esp; ++ spin_unlock(&esp_chips_lock); + + err = scsi_esp_register(esp, &dev->dev); + if (err) +@@ -579,8 +583,13 @@ static int esp_mac_probe(struct platform + return 0; + + fail_free_irq: +- if (esp_chips[!dev->id] == NULL) ++ spin_lock(&esp_chips_lock); ++ esp_chips[dev->id] = NULL; ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(host->irq, esp); ++ } else ++ spin_unlock(&esp_chips_lock); + fail_free_priv: + kfree(mep); + fail_free_command_block: +@@ -599,9 +608,13 @@ static int esp_mac_remove(struct platfor + + scsi_esp_unregister(esp); + ++ spin_lock(&esp_chips_lock); + esp_chips[dev->id] = NULL; +- if (!(esp_chips[0] || esp_chips[1])) ++ if (esp_chips[!dev->id] == NULL) { ++ spin_unlock(&esp_chips_lock); + free_irq(irq, NULL); ++ } else ++ spin_unlock(&esp_chips_lock); + + kfree(mep); + diff --git a/queue-3.18/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch b/queue-3.18/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch new file mode 100644 index 00000000000..8f388b0bd3f --- /dev/null +++ b/queue-3.18/scsi-virtio_scsi-always-try-to-read-vpd-pages.patch @@ -0,0 +1,86 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: David Gibson +Date: Thu, 13 Apr 2017 12:13:00 +1000 +Subject: scsi: virtio_scsi: Always try to read VPD pages + +From: David Gibson + + +[ Upstream commit 25d1d50e23275e141e3a3fe06c25a99f4c4bf4e0 ] + +Passed through SCSI targets may have transfer limits which come from the +host SCSI controller or something on the host side other than the target +itself. + +To make this work properly, the hypervisor can adjust the target's VPD +information to advertise these limits. But for that to work, the guest +has to look at the VPD pages, which we won't do by default if it is an +SPC-2 device, even if it does actually support it. + +This adds a workaround to address this, forcing devices attached to a +virtio-scsi controller to always check the VPD pages. This is modelled +on a similar workaround for the storvsc (Hyper-V) SCSI controller, +although that exists for slightly different reasons. + +A specific case which causes this is a volume from IBM's IPR RAID +controller (which presents as an SPC-2 device, although it does support +VPD) passed through with qemu's 'scsi-block' device. + +[mkp: fixed typo] + +Signed-off-by: David Gibson +Acked-by: Paolo Bonzini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/virtio_scsi.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +--- a/drivers/scsi/virtio_scsi.c ++++ b/drivers/scsi/virtio_scsi.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + #include + + #define VIRTIO_SCSI_MEMPOOL_SZ 64 +@@ -664,6 +665,28 @@ static int virtscsi_device_reset(struct + return virtscsi_tmf(vscsi, cmd); + } + ++static int virtscsi_device_alloc(struct scsi_device *sdevice) ++{ ++ /* ++ * Passed through SCSI targets (e.g. with qemu's 'scsi-block') ++ * may have transfer limits which come from the host SCSI ++ * controller or something on the host side other than the ++ * target itself. ++ * ++ * To make this work properly, the hypervisor can adjust the ++ * target's VPD information to advertise these limits. But ++ * for that to work, the guest has to look at the VPD pages, ++ * which we won't do by default if it is an SPC-2 device, even ++ * if it does actually support it. ++ * ++ * So, set the blist to always try to read the VPD pages. ++ */ ++ sdevice->sdev_bflags = BLIST_TRY_VPD_PAGES; ++ ++ return 0; ++} ++ ++ + /** + * virtscsi_change_queue_depth() - Change a virtscsi target's queue depth + * @sdev: Virtscsi target whose queue depth to change +@@ -752,6 +775,7 @@ static struct scsi_host_template virtscs + .change_queue_depth = virtscsi_change_queue_depth, + .eh_abort_handler = virtscsi_abort, + .eh_device_reset_handler = virtscsi_device_reset, ++ .slave_alloc = virtscsi_device_alloc, + + .can_queue = 1024, + .dma_boundary = UINT_MAX, diff --git a/queue-3.18/series b/queue-3.18/series index e69de29bb2d..d4e553c77ae 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -0,0 +1,46 @@ +platform-x86-asus-nb-wmi-add-wapf4-quirk-for-the-x302ua.patch +x86-i8259-export-legacy_pic-symbol.patch +input-ar1021_i2c-fix-too-long-name-in-driver-s-device-table.patch +acpi-processor-replace-racy-task-affinity-logic.patch +cpufreq-sh-replace-racy-task-affinity-logic.patch +genirq-use-irqd_get_trigger_type-to-compare-the-trigger-type-for-shared-irqs.patch +i2c-i2c-scmi-add-a-ms-hid.patch +net-ipv6-send-unsolicited-na-on-admin-up.patch +media-dvb-core-race-condition-when-writing-to-cam.patch +spi-dw-disable-clock-after-unregistering-the-host.patch +ath-fix-updating-radar-flags-for-coutry-code-india.patch +scsi-virtio_scsi-always-try-to-read-vpd-pages.patch +kvm-ppc-book3s-pr-exit-kvm-on-failed-mapping.patch +tcp-remove-poll-flakes-with-fastopen.patch +e1000e-fix-timing-for-82579-gigabit-ethernet-controller.patch +alsa-hda-fix-headset-microphone-detection-for-asus-n551-and-n751.patch +ib-ipoib-update-broadcast-object-if-pkey-value-was-changed-in-index-0.patch +hsi-ssi_protocol-double-free-in-ssip_pn_xmit.patch +fix-driver-usage-of-128b-wqes-when-wq_create-is-v1.patch +mmc-host-omap_hsmmc-checking-for-null-instead-of-is_err.patch +wan-pc300too-abort-path-on-failure.patch +qlcnic-fix-unchecked-return-value.patch +scsi-mac_esp-replace-bogus-memory-barrier-with-spinlock.patch +rndis_wlan-add-return-value-validation.patch +btrfs-send-fix-file-hole-not-being-preserved-due-to-inline-extent.patch +mac80211-don-t-parse-encrypted-management-frames-in-ieee80211_frame_acked.patch +mfd-palmas-reset-the-powerhold-mux-during-power-off.patch +arm-dra7-clockdomain-change-the-clktrctrl-of-cm_pcie_clkstctrl-to-sw_wkup.patch +ipmi-watchdog-fix-wdog-hang-on-panic-waiting-for-ipmi-response.patch +bnx2x-align-rx-buffers.patch +power-supply-pda_power-move-from-timer-to-delayed_work.patch +md-raid10-skip-spare-disk-as-first-disk.patch +ia64-fix-module-loading-for-gcc-5.4.patch +video-fbdev-udlfb-fix-buffer-on-stack.patch +sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch +cifs-small-underflow-in-cnvrtdosunixtm.patch +drm-msm-fix-leak-in-failed-get_pages.patch +media-bt8xx-fix-err-bt878_probe.patch +media-media-dvb-frontends-add-delay-to-si2168-restart.patch +mmc-avoid-removing-non-removable-hosts-during-suspend.patch +ib-ipoib-avoid-memory-leak-if-the-sa-returns-a-different-dgid.patch +rdma-cma-use-correct-size-when-writing-netlink-stats.patch +vgacon-set-vga-struct-resource-types.patch +drm-omap-dmm-check-for-dmm-readiness-after-successful-transaction-commit.patch +pinctrl-really-force-states-during-suspend-resume.patch +clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch diff --git a/queue-3.18/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch b/queue-3.18/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch new file mode 100644 index 00000000000..a429cf2148a --- /dev/null +++ b/queue-3.18/sm501fb-don-t-return-zero-on-failure-path-in-sm501fb_start.patch @@ -0,0 +1,35 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Alexey Khoroshilov +Date: Tue, 2 May 2017 13:47:53 +0200 +Subject: sm501fb: don't return zero on failure path in sm501fb_start() + +From: Alexey Khoroshilov + + +[ Upstream commit dc85e9a87420613b3129d5cc5ecd79c58351c546 ] + +If fbmem iomemory mapping failed, sm501fb_start() breaks off +initialization, deallocates resources, but returns zero. +As a result, double deallocation can happen in sm501fb_stop(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Signed-off-by: Alexey Khoroshilov +Cc: Tomi Valkeinen +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/sm501fb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/fbdev/sm501fb.c ++++ b/drivers/video/fbdev/sm501fb.c +@@ -1600,6 +1600,7 @@ static int sm501fb_start(struct sm501fb_ + info->fbmem = ioremap(res->start, resource_size(res)); + if (info->fbmem == NULL) { + dev_err(dev, "cannot remap framebuffer\n"); ++ ret = -ENXIO; + goto err_mem_res; + } + diff --git a/queue-3.18/spi-dw-disable-clock-after-unregistering-the-host.patch b/queue-3.18/spi-dw-disable-clock-after-unregistering-the-host.patch new file mode 100644 index 00000000000..991821f8e94 --- /dev/null +++ b/queue-3.18/spi-dw-disable-clock-after-unregistering-the-host.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Marek Vasut +Date: Tue, 18 Apr 2017 20:09:06 +0200 +Subject: spi: dw: Disable clock after unregistering the host + +From: Marek Vasut + + +[ Upstream commit 400c18e3dc86e04ef5afec9b86a8586ca629b9e9 ] + +The dw_mmio driver disables the block clock before unregistering +the host. The code unregistering the host may access the SPI block +registers. If register access happens with block clock disabled, +this may lead to a bus hang. Disable the clock after unregistering +the host to prevent such situation. + +This bug was observed on Altera Cyclone V SoC. + +Signed-off-by: Marek Vasut +Cc: Andy Shevchenko +Cc: Mark Brown +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-dw-mmio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-dw-mmio.c ++++ b/drivers/spi/spi-dw-mmio.c +@@ -118,8 +118,8 @@ static int dw_spi_mmio_remove(struct pla + { + struct dw_spi_mmio *dwsmmio = platform_get_drvdata(pdev); + +- clk_disable_unprepare(dwsmmio->clk); + dw_spi_remove_host(&dwsmmio->dws); ++ clk_disable_unprepare(dwsmmio->clk); + + return 0; + } diff --git a/queue-3.18/tcp-remove-poll-flakes-with-fastopen.patch b/queue-3.18/tcp-remove-poll-flakes-with-fastopen.patch new file mode 100644 index 00000000000..6bfd1ff5a2b --- /dev/null +++ b/queue-3.18/tcp-remove-poll-flakes-with-fastopen.patch @@ -0,0 +1,69 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Eric Dumazet +Date: Tue, 18 Apr 2017 09:45:52 -0700 +Subject: tcp: remove poll() flakes with FastOpen + +From: Eric Dumazet + + +[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ] + +When using TCP FastOpen for an active session, we send one wakeup event +from tcp_finish_connect(), right before the data eventually contained in +the received SYNACK is queued to sk->sk_receive_queue. + +This means that depending on machine load or luck, poll() users +might receive POLLOUT events instead of POLLIN|POLLOUT + +To fix this, we need to move the call to sk->sk_state_change() +after the (optional) call to tcp_rcv_fastopen_synack() + +Signed-off-by: Eric Dumazet +Acked-by: Yuchung Cheng +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/tcp_input.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -5322,10 +5322,6 @@ void tcp_finish_connect(struct sock *sk, + else + tp->pred_flags = 0; + +- if (!sock_flag(sk, SOCK_DEAD)) { +- sk->sk_state_change(sk); +- sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); +- } + } + + static bool tcp_rcv_fastopen_synack(struct sock *sk, struct sk_buff *synack, +@@ -5380,6 +5376,7 @@ static int tcp_rcv_synsent_state_process + struct tcp_sock *tp = tcp_sk(sk); + struct tcp_fastopen_cookie foc = { .len = -1 }; + int saved_clamp = tp->rx_opt.mss_clamp; ++ bool fastopen_fail; + + tcp_parse_options(skb, &tp->rx_opt, 0, &foc); + if (tp->rx_opt.saw_tstamp && tp->rx_opt.rcv_tsecr) +@@ -5482,10 +5479,15 @@ static int tcp_rcv_synsent_state_process + + tcp_finish_connect(sk, skb); + +- if ((tp->syn_fastopen || tp->syn_data) && +- tcp_rcv_fastopen_synack(sk, skb, &foc)) +- return -1; ++ fastopen_fail = (tp->syn_fastopen || tp->syn_data) && ++ tcp_rcv_fastopen_synack(sk, skb, &foc); + ++ if (!sock_flag(sk, SOCK_DEAD)) { ++ sk->sk_state_change(sk); ++ sk_wake_async(sk, SOCK_WAKE_IO, POLL_OUT); ++ } ++ if (fastopen_fail) ++ return -1; + if (sk->sk_write_pending || + icsk->icsk_accept_queue.rskq_defer_accept || + icsk->icsk_ack.pingpong) { diff --git a/queue-3.18/vgacon-set-vga-struct-resource-types.patch b/queue-3.18/vgacon-set-vga-struct-resource-types.patch new file mode 100644 index 00000000000..e396feef25c --- /dev/null +++ b/queue-3.18/vgacon-set-vga-struct-resource-types.patch @@ -0,0 +1,110 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Bjorn Helgaas +Date: Fri, 1 Dec 2017 11:06:39 -0600 +Subject: vgacon: Set VGA struct resource types + +From: Bjorn Helgaas + + +[ Upstream commit c82084117f79bcae085e40da526253736a247120 ] + +Set the resource type when we reserve VGA-related I/O port resources. + +The resource code doesn't actually look at the type, so it inserts +resources without a type in the tree correctly even without this change. +But if we ever print a resource without a type, it looks like this: + + vga+ [??? 0x000003c0-0x000003df flags 0x0] + +Setting the type means it will be printed correctly as: + + vga+ [io 0x000003c0-0x000003df] + +Signed-off-by: Bjorn Helgaas +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/alpha/kernel/console.c | 1 + + drivers/video/console/vgacon.c | 34 ++++++++++++++++++++++++++-------- + 2 files changed, 27 insertions(+), 8 deletions(-) + +--- a/arch/alpha/kernel/console.c ++++ b/arch/alpha/kernel/console.c +@@ -20,6 +20,7 @@ + struct pci_controller *pci_vga_hose; + static struct resource alpha_vga = { + .name = "alpha-vga+", ++ .flags = IORESOURCE_IO, + .start = 0x3C0, + .end = 0x3DF + }; +--- a/drivers/video/console/vgacon.c ++++ b/drivers/video/console/vgacon.c +@@ -409,7 +409,10 @@ static const char *vgacon_startup(void) + vga_video_port_val = VGA_CRT_DM; + if ((screen_info.orig_video_ega_bx & 0xff) != 0x10) { + static struct resource ega_console_resource = +- { .name = "ega", .start = 0x3B0, .end = 0x3BF }; ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_EGAM; + vga_vram_size = 0x8000; + display_desc = "EGA+"; +@@ -417,9 +420,15 @@ static const char *vgacon_startup(void) + &ega_console_resource); + } else { + static struct resource mda1_console_resource = +- { .name = "mda", .start = 0x3B0, .end = 0x3BB }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3B0, ++ .end = 0x3BB }; + static struct resource mda2_console_resource = +- { .name = "mda", .start = 0x3BF, .end = 0x3BF }; ++ { .name = "mda", ++ .flags = IORESOURCE_IO, ++ .start = 0x3BF, ++ .end = 0x3BF }; + vga_video_type = VIDEO_TYPE_MDA; + vga_vram_size = 0x2000; + display_desc = "*MDA"; +@@ -441,15 +450,21 @@ static const char *vgacon_startup(void) + vga_vram_size = 0x8000; + + if (!screen_info.orig_video_isVGA) { +- static struct resource ega_console_resource +- = { .name = "ega", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource ega_console_resource = ++ { .name = "ega", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_EGAC; + display_desc = "EGA"; + request_resource(&ioport_resource, + &ega_console_resource); + } else { +- static struct resource vga_console_resource +- = { .name = "vga+", .start = 0x3C0, .end = 0x3DF }; ++ static struct resource vga_console_resource = ++ { .name = "vga+", ++ .flags = IORESOURCE_IO, ++ .start = 0x3C0, ++ .end = 0x3DF }; + vga_video_type = VIDEO_TYPE_VGAC; + display_desc = "VGA+"; + request_resource(&ioport_resource, +@@ -493,7 +508,10 @@ static const char *vgacon_startup(void) + } + } else { + static struct resource cga_console_resource = +- { .name = "cga", .start = 0x3D4, .end = 0x3D5 }; ++ { .name = "cga", ++ .flags = IORESOURCE_IO, ++ .start = 0x3D4, ++ .end = 0x3D5 }; + vga_video_type = VIDEO_TYPE_CGA; + vga_vram_size = 0x2000; + display_desc = "*CGA"; diff --git a/queue-3.18/video-fbdev-udlfb-fix-buffer-on-stack.patch b/queue-3.18/video-fbdev-udlfb-fix-buffer-on-stack.patch new file mode 100644 index 00000000000..3bce7f2aac8 --- /dev/null +++ b/queue-3.18/video-fbdev-udlfb-fix-buffer-on-stack.patch @@ -0,0 +1,53 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Maksim Salau +Date: Tue, 2 May 2017 13:47:53 +0200 +Subject: video: fbdev: udlfb: Fix buffer on stack + +From: Maksim Salau + + +[ Upstream commit 45f580c42e5c125d55dbd8099750a1998de3d917 ] + +Allocate buffers on HEAP instead of STACK for local array +that is to be sent using usb_control_msg(). + +Signed-off-by: Maksim Salau +Cc: Bernie Thompson +Cc: Geert Uytterhoeven +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/video/fbdev/udlfb.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/video/fbdev/udlfb.c ++++ b/drivers/video/fbdev/udlfb.c +@@ -1490,15 +1490,25 @@ static struct device_attribute fb_device + static int dlfb_select_std_channel(struct dlfb_data *dev) + { + int ret; +- u8 set_def_chn[] = { 0x57, 0xCD, 0xDC, 0xA7, ++ void *buf; ++ static const u8 set_def_chn[] = { ++ 0x57, 0xCD, 0xDC, 0xA7, + 0x1C, 0x88, 0x5E, 0x15, + 0x60, 0xFE, 0xC6, 0x97, + 0x16, 0x3D, 0x47, 0xF2 }; + ++ buf = kmemdup(set_def_chn, sizeof(set_def_chn), GFP_KERNEL); ++ ++ if (!buf) ++ return -ENOMEM; ++ + ret = usb_control_msg(dev->udev, usb_sndctrlpipe(dev->udev, 0), + NR_USB_REQUEST_CHANNEL, + (USB_DIR_OUT | USB_TYPE_VENDOR), 0, 0, +- set_def_chn, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ buf, sizeof(set_def_chn), USB_CTRL_SET_TIMEOUT); ++ ++ kfree(buf); ++ + return ret; + } + diff --git a/queue-3.18/wan-pc300too-abort-path-on-failure.patch b/queue-3.18/wan-pc300too-abort-path-on-failure.patch new file mode 100644 index 00000000000..48e2557d68b --- /dev/null +++ b/queue-3.18/wan-pc300too-abort-path-on-failure.patch @@ -0,0 +1,33 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Pan Bian +Date: Sun, 23 Apr 2017 17:38:35 +0800 +Subject: wan: pc300too: abort path on failure + +From: Pan Bian + + +[ Upstream commit 2a39e7aa8a98f777f0732ca7125b6c9668791760 ] + +In function pc300_pci_init_one(), on the ioremap error path, function +pc300_pci_remove_one() is called to free the allocated memory. However, +the path is not terminated, and the freed memory will be used later, +resulting in use-after-free bugs. This path fixes the bug. + +Signed-off-by: Pan Bian +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wan/pc300too.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wan/pc300too.c ++++ b/drivers/net/wan/pc300too.c +@@ -347,6 +347,7 @@ static int pc300_pci_init_one(struct pci + card->rambase == NULL) { + pr_err("ioremap() failed\n"); + pc300_pci_remove_one(pdev); ++ return -ENOMEM; + } + + /* PLX PCI 9050 workaround for local configuration register read bug */ diff --git a/queue-3.18/x86-i8259-export-legacy_pic-symbol.patch b/queue-3.18/x86-i8259-export-legacy_pic-symbol.patch new file mode 100644 index 00000000000..6707d89e79b --- /dev/null +++ b/queue-3.18/x86-i8259-export-legacy_pic-symbol.patch @@ -0,0 +1,43 @@ +From foo@baz Thu Mar 22 15:16:04 CET 2018 +From: Hans de Goede +Date: Sat, 8 Apr 2017 19:54:20 +0200 +Subject: x86: i8259: export legacy_pic symbol + +From: Hans de Goede + + +[ Upstream commit 7ee06cb2f840a96be46233181ed4557901a74385 ] + +The classic PC rtc-coms driver has a workaround for broken ACPI device +nodes for it which lack an irq resource. This workaround used to +unconditionally hardcode the irq to 8 in these cases. + +This was causing irq conflict problems on systems without a legacy-pic +so a recent patch added an if (nr_legacy_irqs()) guard to the +workaround to avoid this irq conflict. + +nr_legacy_irqs() uses the legacy_pic symbol under the hood causing +an undefined symbol error if the rtc-cmos code is build as a module. + +This commit exports the legacy_pic symbol to fix this. + +Cc: rtc-linux@googlegroups.com +Cc: alexandre.belloni@free-electrons.com +Signed-off-by: Hans de Goede +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/i8259.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/kernel/i8259.c ++++ b/arch/x86/kernel/i8259.c +@@ -405,6 +405,7 @@ struct legacy_pic default_legacy_pic = { + }; + + struct legacy_pic *legacy_pic = &default_legacy_pic; ++EXPORT_SYMBOL(legacy_pic); + + static int __init i8259A_init_ops(void) + {