From: Sasha Levin Date: Sat, 23 Feb 2019 21:02:55 +0000 (-0500) Subject: patches for 4.4 X-Git-Tag: v4.9.161~37 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f601ab3af2642dda5c0f4d7aa146012d42eb4579;p=thirdparty%2Fkernel%2Fstable-queue.git patches for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/atm-he-fix-sign-extension-overflow-on-large-shift.patch b/queue-4.4/atm-he-fix-sign-extension-overflow-on-large-shift.patch new file mode 100644 index 00000000000..063083fba43 --- /dev/null +++ b/queue-4.4/atm-he-fix-sign-extension-overflow-on-large-shift.patch @@ -0,0 +1,38 @@ +From b01ece8c3fc5dfe3061f377fb911e2a10a1fd22b Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 15 Jan 2019 18:03:38 +0000 +Subject: atm: he: fix sign-extension overflow on large shift + +[ Upstream commit cb12d72b27a6f41325ae23a11033cf5fedfa1b97 ] + +Shifting the 1 by exp by an int can lead to sign-extension overlow when +exp is 31 since 1 is an signed int and sign-extending this result to an +unsigned long long will set the upper 32 bits. Fix this by shifting an +unsigned long. + +Detected by cppcheck: +(warning) Shifting signed 32-bit value by 31 bits is undefined behaviour + +Signed-off-by: Colin Ian King +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/he.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/atm/he.c b/drivers/atm/he.c +index 0f5cb37636bcc..010581e8bee05 100644 +--- a/drivers/atm/he.c ++++ b/drivers/atm/he.c +@@ -717,7 +717,7 @@ static int he_init_cs_block_rcm(struct he_dev *he_dev) + instead of '/ 512', use '>> 9' to prevent a call + to divdu3 on x86 platforms + */ +- rate_cps = (unsigned long long) (1 << exp) * (man + 512) >> 9; ++ rate_cps = (unsigned long long) (1UL << exp) * (man + 512) >> 9; + + if (rate_cps < 10) + rate_cps = 10; /* 2.2.1 minimum payload rate is 10 cps */ +-- +2.19.1 + diff --git a/queue-4.4/isdn-avm-fix-string-plus-integer-warning-from-clang.patch b/queue-4.4/isdn-avm-fix-string-plus-integer-warning-from-clang.patch new file mode 100644 index 00000000000..e96b8b0bf6c --- /dev/null +++ b/queue-4.4/isdn-avm-fix-string-plus-integer-warning-from-clang.patch @@ -0,0 +1,48 @@ +From 89d5f008f80bda7e978809270c414952d2e689e2 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 9 Jan 2019 22:41:08 -0700 +Subject: isdn: avm: Fix string plus integer warning from Clang + +[ Upstream commit 7afa81c55fca0cad589722cb4bce698b4803b0e1 ] + +A recent commit in Clang expanded the -Wstring-plus-int warning, showing +some odd behavior in this file. + +drivers/isdn/hardware/avm/b1.c:426:30: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int] + cinfo->version[j] = "\0\0" + 1; + ~~~~~~~^~~ +drivers/isdn/hardware/avm/b1.c:426:30: note: use array indexing to silence this warning + cinfo->version[j] = "\0\0" + 1; + ^ + & [ ] +1 warning generated. + +This is equivalent to just "\0". Nick pointed out that it is smarter to +use "" instead of "\0" because "" is used elsewhere in the kernel and +can be deduplicated at the linking stage. + +Link: https://github.com/ClangBuiltLinux/linux/issues/309 +Suggested-by: Nick Desaulniers +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/avm/b1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c +index 4d9b195547c5c..df2a10157720a 100644 +--- a/drivers/isdn/hardware/avm/b1.c ++++ b/drivers/isdn/hardware/avm/b1.c +@@ -423,7 +423,7 @@ void b1_parse_version(avmctrl_info *cinfo) + int i, j; + + for (j = 0; j < AVM_MAXVERSION; j++) +- cinfo->version[j] = "\0\0" + 1; ++ cinfo->version[j] = ""; + for (i = 0, j = 0; + j < AVM_MAXVERSION && i < cinfo->versionlen; + j++, i += cinfo->versionbuf[i] + 1) +-- +2.19.1 + diff --git a/queue-4.4/isdn-i4l-isdn_tty-fix-some-concurrency-double-free-b.patch b/queue-4.4/isdn-i4l-isdn_tty-fix-some-concurrency-double-free-b.patch new file mode 100644 index 00000000000..24902b5dfa5 --- /dev/null +++ b/queue-4.4/isdn-i4l-isdn_tty-fix-some-concurrency-double-free-b.patch @@ -0,0 +1,67 @@ +From 0a6e96e12fb9b442c546acd100207fefc212349b Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Tue, 8 Jan 2019 21:04:48 +0800 +Subject: isdn: i4l: isdn_tty: Fix some concurrency double-free bugs + +[ Upstream commit 2ff33d6637393fe9348357285931811b76e1402f ] + +The functions isdn_tty_tiocmset() and isdn_tty_set_termios() may be +concurrently executed. + +isdn_tty_tiocmset + isdn_tty_modem_hup + line 719: kfree(info->dtmf_state); + line 721: kfree(info->silence_state); + line 723: kfree(info->adpcms); + line 725: kfree(info->adpcmr); + +isdn_tty_set_termios + isdn_tty_modem_hup + line 719: kfree(info->dtmf_state); + line 721: kfree(info->silence_state); + line 723: kfree(info->adpcms); + line 725: kfree(info->adpcmr); + +Thus, some concurrency double-free bugs may occur. + +These possible bugs are found by a static tool written by myself and +my manual code review. + +To fix these possible bugs, the mutex lock "modem_info_mutex" used in +isdn_tty_tiocmset() is added in isdn_tty_set_termios(). + +Signed-off-by: Jia-Ju Bai +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/i4l/isdn_tty.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c +index 2175225af7421..8291e9cc949ad 100644 +--- a/drivers/isdn/i4l/isdn_tty.c ++++ b/drivers/isdn/i4l/isdn_tty.c +@@ -1459,15 +1459,19 @@ isdn_tty_set_termios(struct tty_struct *tty, struct ktermios *old_termios) + { + modem_info *info = (modem_info *) tty->driver_data; + ++ mutex_lock(&modem_info_mutex); + if (!old_termios) + isdn_tty_change_speed(info); + else { + if (tty->termios.c_cflag == old_termios->c_cflag && + tty->termios.c_ispeed == old_termios->c_ispeed && +- tty->termios.c_ospeed == old_termios->c_ospeed) ++ tty->termios.c_ospeed == old_termios->c_ospeed) { ++ mutex_unlock(&modem_info_mutex); + return; ++ } + isdn_tty_change_speed(info); + } ++ mutex_unlock(&modem_info_mutex); + } + + /* +-- +2.19.1 + diff --git a/queue-4.4/leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch b/queue-4.4/leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch new file mode 100644 index 00000000000..e0fe64c3c8a --- /dev/null +++ b/queue-4.4/leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch @@ -0,0 +1,38 @@ +From 48142bcd0c0163698860aa1ce7854580c4a62da8 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 25 Dec 2018 22:18:23 -0600 +Subject: leds: lp5523: fix a missing check of return value of lp55xx_read + +[ Upstream commit 248b57015f35c94d4eae2fdd8c6febf5cd703900 ] + +When lp55xx_read() fails, "status" is an uninitialized variable and thus +may contain random value; using it leads to undefined behaviors. + +The fix inserts a check for the return value of lp55xx_read: if it +fails, returns with its error code. + +Signed-off-by: Kangjie Lu +Signed-off-by: Jacek Anaszewski +Signed-off-by: Sasha Levin +--- + drivers/leds/leds-lp5523.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/leds/leds-lp5523.c b/drivers/leds/leds-lp5523.c +index 1d0187f42941a..d12370352ae34 100644 +--- a/drivers/leds/leds-lp5523.c ++++ b/drivers/leds/leds-lp5523.c +@@ -318,7 +318,9 @@ static int lp5523_init_program_engine(struct lp55xx_chip *chip) + + /* Let the programs run for couple of ms and check the engine status */ + usleep_range(3000, 6000); +- lp55xx_read(chip, LP5523_REG_STATUS, &status); ++ ret = lp55xx_read(chip, LP5523_REG_STATUS, &status); ++ if (ret) ++ return ret; + status &= LP5523_ENG_STATUS_MASK; + + if (status != LP5523_ENG_STATUS_MASK) { +-- +2.19.1 + diff --git a/queue-4.4/mfd-ab8500-core-return-zero-in-get_register_interrup.patch b/queue-4.4/mfd-ab8500-core-return-zero-in-get_register_interrup.patch new file mode 100644 index 00000000000..18e8b07b208 --- /dev/null +++ b/queue-4.4/mfd-ab8500-core-return-zero-in-get_register_interrup.patch @@ -0,0 +1,40 @@ +From 7da38c2f4131e2951c099ea476e498b887101647 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 25 Oct 2018 15:43:44 +0300 +Subject: mfd: ab8500-core: Return zero in get_register_interruptible() + +[ Upstream commit 10628e3ecf544fa2e4e24f8e112d95c37884dc98 ] + +This function is supposed to return zero on success or negative error +codes on error. Unfortunately, there is a bug so it sometimes returns +non-zero, positive numbers on success. + +I noticed this bug during review and I can't test it. It does appear +that the return is sometimes propogated back to _regmap_read() where all +non-zero returns are treated as failure so this may affect run time. + +Fixes: 47c1697508f2 ("mfd: Align ab8500 with the abx500 interface") +Signed-off-by: Dan Carpenter +Reviewed-by: Linus Walleij +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/ab8500-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mfd/ab8500-core.c b/drivers/mfd/ab8500-core.c +index fefbe4cfa61dd..1263cfd8b4d2f 100644 +--- a/drivers/mfd/ab8500-core.c ++++ b/drivers/mfd/ab8500-core.c +@@ -259,7 +259,7 @@ static int get_register_interruptible(struct ab8500 *ab8500, u8 bank, + mutex_unlock(&ab8500->lock); + dev_vdbg(ab8500->dev, "rd: addr %#x => data %#x\n", addr, ret); + +- return ret; ++ return (ret < 0) ? ret : 0; + } + + static int ab8500_get_register(struct device *dev, u8 bank, +-- +2.19.1 + diff --git a/queue-4.4/mfd-db8500-prcmu-fix-some-section-annotations.patch b/queue-4.4/mfd-db8500-prcmu-fix-some-section-annotations.patch new file mode 100644 index 00000000000..1a10d971ae5 --- /dev/null +++ b/queue-4.4/mfd-db8500-prcmu-fix-some-section-annotations.patch @@ -0,0 +1,61 @@ +From 695975cfbeac23f21c159e72db0ee1e9af59fe29 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 17:56:28 -0700 +Subject: mfd: db8500-prcmu: Fix some section annotations + +[ Upstream commit a3888f62fe66429fad3be7f2ba962e1e08c26fd6 ] + +When building the kernel with Clang, the following section mismatch +warnings appear: + +WARNING: vmlinux.o(.text+0x7239cc): Section mismatch in reference from +the function db8500_prcmu_probe() to the function +.init.text:init_prcm_registers() +The function db8500_prcmu_probe() references +the function __init init_prcm_registers(). +This is often because db8500_prcmu_probe lacks a __init +annotation or the annotation of init_prcm_registers is wrong. + +WARNING: vmlinux.o(.text+0x723e28): Section mismatch in reference from +the function db8500_prcmu_probe() to the function +.init.text:fw_project_name() +The function db8500_prcmu_probe() references +the function __init fw_project_name(). +This is often because db8500_prcmu_probe lacks a __init +annotation or the annotation of fw_project_name is wrong. + +db8500_prcmu_probe should not be marked as __init so remove the __init +annotation from fw_project_name and init_prcm_registers. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/db8500-prcmu.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/db8500-prcmu.c b/drivers/mfd/db8500-prcmu.c +index 12099b09a9a71..e71b9f23379d0 100644 +--- a/drivers/mfd/db8500-prcmu.c ++++ b/drivers/mfd/db8500-prcmu.c +@@ -2610,7 +2610,7 @@ static struct irq_chip prcmu_irq_chip = { + .irq_unmask = prcmu_irq_unmask, + }; + +-static __init char *fw_project_name(u32 project) ++static char *fw_project_name(u32 project) + { + switch (project) { + case PRCMU_FW_PROJECT_U8500: +@@ -2758,7 +2758,7 @@ void __init db8500_prcmu_early_init(u32 phy_base, u32 size) + INIT_WORK(&mb0_transfer.mask_work, prcmu_mask_work); + } + +-static void __init init_prcm_registers(void) ++static void init_prcm_registers(void) + { + u32 val; + +-- +2.19.1 + diff --git a/queue-4.4/mfd-mc13xxx-fix-a-missing-check-of-a-register-read-f.patch b/queue-4.4/mfd-mc13xxx-fix-a-missing-check-of-a-register-read-f.patch new file mode 100644 index 00000000000..9db0042a9d8 --- /dev/null +++ b/queue-4.4/mfd-mc13xxx-fix-a-missing-check-of-a-register-read-f.patch @@ -0,0 +1,38 @@ +From 303baa65bf8dc8c90de0e2d628accfbf1c286782 Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Thu, 20 Dec 2018 15:12:11 -0600 +Subject: mfd: mc13xxx: Fix a missing check of a register-read failure + +[ Upstream commit 9e28989d41c0eab57ec0bb156617a8757406ff8a ] + +When mc13xxx_reg_read() fails, "old_adc0" is uninitialized and will +contain random value. Further execution uses "old_adc0" even when +mc13xxx_reg_read() fails. +The fix checks the return value of mc13xxx_reg_read(), and exits +the execution when it fails. + +Signed-off-by: Kangjie Lu +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/mc13xxx-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/mc13xxx-core.c b/drivers/mfd/mc13xxx-core.c +index 3f9f4c874d2aa..8d74806b83c12 100644 +--- a/drivers/mfd/mc13xxx-core.c ++++ b/drivers/mfd/mc13xxx-core.c +@@ -274,7 +274,9 @@ int mc13xxx_adc_do_conversion(struct mc13xxx *mc13xxx, unsigned int mode, + + mc13xxx->adcflags |= MC13XXX_ADC_WORKING; + +- mc13xxx_reg_read(mc13xxx, MC13XXX_ADC0, &old_adc0); ++ ret = mc13xxx_reg_read(mc13xxx, MC13XXX_ADC0, &old_adc0); ++ if (ret) ++ goto out; + + adc0 = MC13XXX_ADC0_ADINC1 | MC13XXX_ADC0_ADINC2; + adc1 = MC13XXX_ADC1_ADEN | MC13XXX_ADC1_ADTRIGIGN | MC13XXX_ADC1_ASC; +-- +2.19.1 + diff --git a/queue-4.4/mfd-qcom_rpm-write-fw_version-to-ctrl_reg.patch b/queue-4.4/mfd-qcom_rpm-write-fw_version-to-ctrl_reg.patch new file mode 100644 index 00000000000..de62d31bee4 --- /dev/null +++ b/queue-4.4/mfd-qcom_rpm-write-fw_version-to-ctrl_reg.patch @@ -0,0 +1,37 @@ +From 49af16973530e806fbf5f2efb0d38722831342a1 Mon Sep 17 00:00:00 2001 +From: Jonathan Marek +Date: Mon, 19 Nov 2018 14:53:17 -0500 +Subject: mfd: qcom_rpm: write fw_version to CTRL_REG + +[ Upstream commit 504e4175829c44328773b96ad9c538e4783a8d22 ] + +This is required as part of the initialization sequence on certain SoCs. + +If these registers are not initialized, the hardware can be unresponsive. +This fixes the driver on apq8060 (HP TouchPad device). + +Signed-off-by: Jonathan Marek +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/qcom_rpm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mfd/qcom_rpm.c b/drivers/mfd/qcom_rpm.c +index a867cc91657ef..27486f278201e 100644 +--- a/drivers/mfd/qcom_rpm.c ++++ b/drivers/mfd/qcom_rpm.c +@@ -570,6 +570,10 @@ static int qcom_rpm_probe(struct platform_device *pdev) + return -EFAULT; + } + ++ writel(fw_version[0], RPM_CTRL_REG(rpm, 0)); ++ writel(fw_version[1], RPM_CTRL_REG(rpm, 1)); ++ writel(fw_version[2], RPM_CTRL_REG(rpm, 2)); ++ + dev_info(&pdev->dev, "RPM firmware %u.%u.%u\n", fw_version[0], + fw_version[1], + fw_version[2]); +-- +2.19.1 + diff --git a/queue-4.4/mfd-ti_am335x_tscadc-use-platform_devid_auto-while-r.patch b/queue-4.4/mfd-ti_am335x_tscadc-use-platform_devid_auto-while-r.patch new file mode 100644 index 00000000000..68ae3918360 --- /dev/null +++ b/queue-4.4/mfd-ti_am335x_tscadc-use-platform_devid_auto-while-r.patch @@ -0,0 +1,38 @@ +From 6d96c03a7dfb6aaf87fcd54ea1cf330746962720 Mon Sep 17 00:00:00 2001 +From: Vignesh R +Date: Mon, 3 Dec 2018 13:31:17 +0530 +Subject: mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd + cells + +[ Upstream commit b40ee006fe6a8a25093434e5d394128c356a48f3 ] + +Use PLATFORM_DEVID_AUTO to number mfd cells while registering, so that +different instances are uniquely identified. This is required in order +to support registering of multiple instances of same ti_am335x_tscadc IP. + +Signed-off-by: Vignesh R +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/ti_am335x_tscadc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/ti_am335x_tscadc.c b/drivers/mfd/ti_am335x_tscadc.c +index 4a0f076c91ba0..faf8ce5be576f 100644 +--- a/drivers/mfd/ti_am335x_tscadc.c ++++ b/drivers/mfd/ti_am335x_tscadc.c +@@ -279,8 +279,9 @@ static int ti_tscadc_probe(struct platform_device *pdev) + cell->pdata_size = sizeof(tscadc); + } + +- err = mfd_add_devices(&pdev->dev, pdev->id, tscadc->cells, +- tscadc->used_cells, NULL, 0, NULL); ++ err = mfd_add_devices(&pdev->dev, PLATFORM_DEVID_AUTO, ++ tscadc->cells, tscadc->used_cells, NULL, ++ 0, NULL); + if (err < 0) + goto err_disable_clk; + +-- +2.19.1 + diff --git a/queue-4.4/mfd-twl-core-fix-section-annotations-on-un-protect_p.patch b/queue-4.4/mfd-twl-core-fix-section-annotations-on-un-protect_p.patch new file mode 100644 index 00000000000..ce533956557 --- /dev/null +++ b/queue-4.4/mfd-twl-core-fix-section-annotations-on-un-protect_p.patch @@ -0,0 +1,53 @@ +From 8bb69ecf0c15e9bdbe2d71d9f13e475f7a2dc965 Mon Sep 17 00:00:00 2001 +From: Nathan Chancellor +Date: Wed, 17 Oct 2018 10:13:23 -0700 +Subject: mfd: twl-core: Fix section annotations on {,un}protect_pm_master + +[ Upstream commit 8838555089f0345b87f4277fe5a8dd647dc65589 ] + +When building the kernel with Clang, the following section mismatch +warning appears: + +WARNING: vmlinux.o(.text+0x3d84a3b): Section mismatch in reference from +the function twl_probe() to the function +.init.text:unprotect_pm_master() +The function twl_probe() references +the function __init unprotect_pm_master(). +This is often because twl_probe lacks a __init +annotation or the annotation of unprotect_pm_master is wrong. + +Remove the __init annotation on the *protect_pm_master functions so +there is no more mismatch. + +Signed-off-by: Nathan Chancellor +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/twl-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/twl-core.c b/drivers/mfd/twl-core.c +index 831696ee2472b..90732a655d573 100644 +--- a/drivers/mfd/twl-core.c ++++ b/drivers/mfd/twl-core.c +@@ -982,7 +982,7 @@ add_children(struct twl4030_platform_data *pdata, unsigned irq_base, + * letting it generate the right frequencies for USB, MADC, and + * other purposes. + */ +-static inline int __init protect_pm_master(void) ++static inline int protect_pm_master(void) + { + int e = 0; + +@@ -991,7 +991,7 @@ static inline int __init protect_pm_master(void) + return e; + } + +-static inline int __init unprotect_pm_master(void) ++static inline int unprotect_pm_master(void) + { + int e = 0; + +-- +2.19.1 + diff --git a/queue-4.4/mfd-wm5110-add-missing-asrc-rate-register.patch b/queue-4.4/mfd-wm5110-add-missing-asrc-rate-register.patch new file mode 100644 index 00000000000..8048fb5bc88 --- /dev/null +++ b/queue-4.4/mfd-wm5110-add-missing-asrc-rate-register.patch @@ -0,0 +1,37 @@ +From 7f91992a0fe1b34a0d5543a8fe00794c25658cff Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Wed, 28 Nov 2018 10:04:22 +0000 +Subject: mfd: wm5110: Add missing ASRC rate register + +[ Upstream commit 04c801c18ded421845324255e660147a6f58dcd6 ] + +Signed-off-by: Charles Keepax +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/wm5110-tables.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mfd/wm5110-tables.c b/drivers/mfd/wm5110-tables.c +index 2bb2d0467a92d..c47efe6dcb01b 100644 +--- a/drivers/mfd/wm5110-tables.c ++++ b/drivers/mfd/wm5110-tables.c +@@ -1622,6 +1622,7 @@ static const struct reg_default wm5110_reg_default[] = { + { 0x00000ECD, 0x0000 }, /* R3789 - HPLPF4_2 */ + { 0x00000EE0, 0x0000 }, /* R3808 - ASRC_ENABLE */ + { 0x00000EE2, 0x0000 }, /* R3810 - ASRC_RATE1 */ ++ { 0x00000EE3, 0x4000 }, /* R3811 - ASRC_RATE2 */ + { 0x00000EF0, 0x0000 }, /* R3824 - ISRC 1 CTRL 1 */ + { 0x00000EF1, 0x0000 }, /* R3825 - ISRC 1 CTRL 2 */ + { 0x00000EF2, 0x0000 }, /* R3826 - ISRC 1 CTRL 3 */ +@@ -2877,6 +2878,7 @@ static bool wm5110_readable_register(struct device *dev, unsigned int reg) + case ARIZONA_ASRC_ENABLE: + case ARIZONA_ASRC_STATUS: + case ARIZONA_ASRC_RATE1: ++ case ARIZONA_ASRC_RATE2: + case ARIZONA_ISRC_1_CTRL_1: + case ARIZONA_ISRC_1_CTRL_2: + case ARIZONA_ISRC_1_CTRL_3: +-- +2.19.1 + diff --git a/queue-4.4/mips-ath79-enable-of-serial-ports-in-the-default-con.patch b/queue-4.4/mips-ath79-enable-of-serial-ports-in-the-default-con.patch new file mode 100644 index 00000000000..b3512761a38 --- /dev/null +++ b/queue-4.4/mips-ath79-enable-of-serial-ports-in-the-default-con.patch @@ -0,0 +1,37 @@ +From 6f83d16fbcd9d7530d07896082c73c98c26af1bd Mon Sep 17 00:00:00 2001 +From: Alban Bedel +Date: Mon, 7 Jan 2019 20:45:15 +0100 +Subject: MIPS: ath79: Enable OF serial ports in the default config + +[ Upstream commit 565dc8a4f55e491935bfb04866068d21784ea9a4 ] + +CONFIG_SERIAL_OF_PLATFORM is needed to get a working console on the OF +boards, enable it in the default config to get a working setup out of +the box. + +Signed-off-by: Alban Bedel +Signed-off-by: Paul Burton +Cc: linux-mips@vger.kernel.org +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/configs/ath79_defconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/configs/ath79_defconfig b/arch/mips/configs/ath79_defconfig +index 134879c1310a0..4ed369c0ec6a1 100644 +--- a/arch/mips/configs/ath79_defconfig ++++ b/arch/mips/configs/ath79_defconfig +@@ -74,6 +74,7 @@ CONFIG_SERIAL_8250_CONSOLE=y + # CONFIG_SERIAL_8250_PCI is not set + CONFIG_SERIAL_8250_NR_UARTS=1 + CONFIG_SERIAL_8250_RUNTIME_UARTS=1 ++CONFIG_SERIAL_OF_PLATFORM=y + CONFIG_SERIAL_AR933X=y + CONFIG_SERIAL_AR933X_CONSOLE=y + # CONFIG_HW_RANDOM is not set +-- +2.19.1 + diff --git a/queue-4.4/mips-jazz-fix-64bit-build.patch b/queue-4.4/mips-jazz-fix-64bit-build.patch new file mode 100644 index 00000000000..61d3a0535fb --- /dev/null +++ b/queue-4.4/mips-jazz-fix-64bit-build.patch @@ -0,0 +1,75 @@ +From fb071b9b226a510e2bc42b2b95e5411ed6fd28be Mon Sep 17 00:00:00 2001 +From: Thomas Bogendoerfer +Date: Wed, 9 Jan 2019 18:12:16 +0100 +Subject: MIPS: jazz: fix 64bit build + +[ Upstream commit 41af167fbc0032f9d7562854f58114eaa9270336 ] + +64bit JAZZ builds failed with + + linux-next/arch/mips/jazz/jazzdma.c: In function `vdma_init`: + /linux-next/arch/mips/jazz/jazzdma.c:77:30: error: implicit declaration + of function `KSEG1ADDR`; did you mean `CKSEG1ADDR`? + [-Werror=implicit-function-declaration] + pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); + ^~~~~~~~~ + CKSEG1ADDR + /linux-next/arch/mips/jazz/jazzdma.c:77:10: error: cast to pointer from + integer of different size [-Werror=int-to-pointer-cast] + pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); + ^ + In file included from /linux-next/arch/mips/include/asm/barrier.h:11:0, + from /linux-next/include/linux/compiler.h:248, + from /linux-next/include/linux/kernel.h:10, + from /linux-next/arch/mips/jazz/jazzdma.c:11: + /linux-next/arch/mips/include/asm/addrspace.h:41:29: error: cast from + pointer to integer of different size [-Werror=pointer-to-int-cast] + #define _ACAST32_ (_ATYPE_)(_ATYPE32_) /* widen if necessary */ + ^ + /linux-next/arch/mips/include/asm/addrspace.h:53:25: note: in + expansion of macro `_ACAST32_` + #define CPHYSADDR(a) ((_ACAST32_(a)) & 0x1fffffff) + ^~~~~~~~~ + /linux-next/arch/mips/jazz/jazzdma.c:84:44: note: in expansion of + macro `CPHYSADDR` + r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, CPHYSADDR(pgtbl)); + +Using correct casts and CKSEG1ADDR when dealing with the pgtbl setup +fixes this. + +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Paul Burton +Cc: Ralf Baechle +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Sasha Levin +--- + arch/mips/jazz/jazzdma.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/jazz/jazzdma.c b/arch/mips/jazz/jazzdma.c +index db6f5afff4ff1..ea897912bc712 100644 +--- a/arch/mips/jazz/jazzdma.c ++++ b/arch/mips/jazz/jazzdma.c +@@ -71,14 +71,15 @@ static int __init vdma_init(void) + get_order(VDMA_PGTBL_SIZE)); + BUG_ON(!pgtbl); + dma_cache_wback_inv((unsigned long)pgtbl, VDMA_PGTBL_SIZE); +- pgtbl = (VDMA_PGTBL_ENTRY *)KSEG1ADDR(pgtbl); ++ pgtbl = (VDMA_PGTBL_ENTRY *)CKSEG1ADDR((unsigned long)pgtbl); + + /* + * Clear the R4030 translation table + */ + vdma_pgtbl_init(); + +- r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, CPHYSADDR(pgtbl)); ++ r4030_write_reg32(JAZZ_R4030_TRSTBL_BASE, ++ CPHYSADDR((unsigned long)pgtbl)); + r4030_write_reg32(JAZZ_R4030_TRSTBL_LIM, VDMA_PGTBL_SIZE); + r4030_write_reg32(JAZZ_R4030_TRSTBL_INV, 0); + +-- +2.19.1 + diff --git a/queue-4.4/net-hns-fix-use-after-free-identified-by-slub-debug.patch b/queue-4.4/net-hns-fix-use-after-free-identified-by-slub-debug.patch new file mode 100644 index 00000000000..eb6098c5296 --- /dev/null +++ b/queue-4.4/net-hns-fix-use-after-free-identified-by-slub-debug.patch @@ -0,0 +1,93 @@ +From 60290613a73c6df50da06338a383957342a814ce Mon Sep 17 00:00:00 2001 +From: Yonglong Liu +Date: Fri, 4 Jan 2019 20:18:11 +0800 +Subject: net: hns: Fix use after free identified by SLUB debug + +[ Upstream commit bb989501abcafa0de5f18b0ec0ec459b5b817908 ] + +When enable SLUB debug, than remove hns_enet_drv module, SLUB debug will +identify a use after free bug: + +[134.189505] Unable to handle kernel paging request at virtual address + 006b6b6b6b6b6b6b +[134.197553] Mem abort info: +[134.200381] ESR = 0x96000004 +[134.203487] Exception class = DABT (current EL), IL = 32 bits +[134.209497] SET = 0, FnV = 0 +[134.212596] EA = 0, S1PTW = 0 +[134.215777] Data abort info: +[134.218701] ISV = 0, ISS = 0x00000004 +[134.222596] CM = 0, WnR = 0 +[134.225606] [006b6b6b6b6b6b6b] address between user and kernel address ranges +[134.232851] Internal error: Oops: 96000004 [#1] SMP +[134.237798] CPU: 21 PID: 27834 Comm: rmmod Kdump: loaded Tainted: G + OE 4.19.5-1.2.34.aarch64 #1 +[134.247856] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.58 10/24/2018 +[134.255181] pstate: 20000005 (nzCv daif -PAN -UAO) +[134.260044] pc : hns_ae_put_handle+0x38/0x60 +[134.264372] lr : hns_ae_put_handle+0x24/0x60 +[134.268700] sp : ffff00001be93c50 +[134.272054] x29: ffff00001be93c50 x28: ffff802faaec8040 +[134.277442] x27: 0000000000000000 x26: 0000000000000000 +[134.282830] x25: 0000000056000000 x24: 0000000000000015 +[134.288284] x23: ffff0000096fe098 x22: ffff000001050070 +[134.293671] x21: ffff801fb3c044a0 x20: ffff80afb75ec098 +[134.303287] x19: ffff80afb75ec098 x18: 0000000000000000 +[134.312945] x17: 0000000000000000 x16: 0000000000000000 +[134.322517] x15: 0000000000000002 x14: 0000000000000000 +[134.332030] x13: dead000000000100 x12: ffff7e02bea3c988 +[134.341487] x11: ffff80affbee9e68 x10: 0000000000000000 +[134.351033] x9 : 6fffff8000008101 x8 : 0000000000000000 +[134.360569] x7 : dead000000000100 x6 : ffff000009579748 +[134.370059] x5 : 0000000000210d00 x4 : 0000000000000000 +[134.379550] x3 : 0000000000000001 x2 : 0000000000000000 +[134.388813] x1 : 6b6b6b6b6b6b6b6b x0 : 0000000000000000 +[134.397993] Process rmmod (pid: 27834, stack limit = 0x00000000d474b7fd) +[134.408498] Call trace: +[134.414611] hns_ae_put_handle+0x38/0x60 +[134.422208] hnae_put_handle+0xd4/0x108 +[134.429563] hns_nic_dev_remove+0x60/0xc0 [hns_enet_drv] +[134.438342] platform_drv_remove+0x2c/0x70 +[134.445958] device_release_driver_internal+0x174/0x208 +[134.454810] driver_detach+0x70/0xd8 +[134.461913] bus_remove_driver+0x64/0xe8 +[134.469396] driver_unregister+0x34/0x60 +[134.476822] platform_driver_unregister+0x20/0x30 +[134.485130] hns_nic_dev_driver_exit+0x14/0x6e4 [hns_enet_drv] +[134.494634] __arm64_sys_delete_module+0x238/0x290 + +struct hnae_handle is a member of struct hnae_vf_cb, so when vf_cb is +freed, than use hnae_handle will cause use after free panic. + +This patch frees vf_cb after hnae_handle used. + +Signed-off-by: Yonglong Liu +Signed-off-by: Huazhong Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +index 1a16c0307b475..bd36fbe81ad2a 100644 +--- a/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c ++++ b/drivers/net/ethernet/hisilicon/hns/hns_ae_adapt.c +@@ -188,12 +188,10 @@ static void hns_ae_put_handle(struct hnae_handle *handle) + struct hnae_vf_cb *vf_cb = hns_ae_get_vf_cb(handle); + int i; + +- vf_cb->mac_cb = NULL; +- +- kfree(vf_cb); +- + for (i = 0; i < handle->q_num; i++) + hns_ae_get_ring_pair(handle->qs[i])->used_by_vf = 0; ++ ++ kfree(vf_cb); + } + + static void hns_ae_ring_enable_all(struct hnae_handle *handle, int val) +-- +2.19.1 + diff --git a/queue-4.4/scsi-isci-initialize-shost-fully-before-calling-scsi.patch b/queue-4.4/scsi-isci-initialize-shost-fully-before-calling-scsi.patch new file mode 100644 index 00000000000..76a7e5cb1ee --- /dev/null +++ b/queue-4.4/scsi-isci-initialize-shost-fully-before-calling-scsi.patch @@ -0,0 +1,97 @@ +From f2f4b368f132159c5a96b942edbf1c611dda56d3 Mon Sep 17 00:00:00 2001 +From: Logan Gunthorpe +Date: Tue, 8 Jan 2019 13:50:43 -0700 +Subject: scsi: isci: initialize shost fully before calling scsi_add_host() + +[ Upstream commit cc29a1b0a3f2597ce887d339222fa85b9307706d ] + +scsi_mq_setup_tags(), which is called by scsi_add_host(), calculates the +command size to allocate based on the prot_capabilities. In the isci +driver, scsi_host_set_prot() is called after scsi_add_host() so the command +size gets calculated to be smaller than it needs to be. Eventually, +scsi_mq_init_request() locates the 'prot_sdb' after the command assuming it +was sized correctly and a buffer overrun may occur. + +However, seeing blk_mq_alloc_rqs() rounds up to the nearest cache line +size, the mistake can go unnoticed. + +The bug was noticed after the struct request size was reduced by commit +9d037ad707ed ("block: remove req->timeout_list") + +Which likely reduced the allocated space for the request by an entire cache +line, enough that the overflow could be hit and it caused a panic, on boot, +at: + + RIP: 0010:t10_pi_complete+0x77/0x1c0 + Call Trace: + + sd_done+0xf5/0x340 + scsi_finish_command+0xc3/0x120 + blk_done_softirq+0x83/0xb0 + __do_softirq+0xa1/0x2e6 + irq_exit+0xbc/0xd0 + call_function_single_interrupt+0xf/0x20 + + +sd_done() would call scsi_prot_sg_count() which reads the number of +entities in 'prot_sdb', but seeing 'prot_sdb' is located after the end of +the allocated space it reads a garbage number and erroneously calls +t10_pi_complete(). + +To prevent this, the calls to scsi_host_set_prot() are moved into +isci_host_alloc() before the call to scsi_add_host(). Out of caution, also +move the similar call to scsi_host_set_guard(). + +Fixes: 3d2d75254915 ("[SCSI] isci: T10 DIF support") +Link: http://lkml.kernel.org/r/da851333-eadd-163a-8c78-e1f4ec5ec857@deltatee.com +Signed-off-by: Logan Gunthorpe +Cc: Intel SCU Linux support +Cc: Artur Paszkiewicz +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Jeff Moyer +Reviewed-by: Jeff Moyer +Reviewed-by: Jens Axboe +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/isci/init.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/scsi/isci/init.c b/drivers/scsi/isci/init.c +index 77128d680e3bc..6f38fa1f468a7 100644 +--- a/drivers/scsi/isci/init.c ++++ b/drivers/scsi/isci/init.c +@@ -595,6 +595,13 @@ static struct isci_host *isci_host_alloc(struct pci_dev *pdev, int id) + shost->max_lun = ~0; + shost->max_cmd_len = MAX_COMMAND_SIZE; + ++ /* turn on DIF support */ ++ scsi_host_set_prot(shost, ++ SHOST_DIF_TYPE1_PROTECTION | ++ SHOST_DIF_TYPE2_PROTECTION | ++ SHOST_DIF_TYPE3_PROTECTION); ++ scsi_host_set_guard(shost, SHOST_DIX_GUARD_CRC); ++ + err = scsi_add_host(shost, &pdev->dev); + if (err) + goto err_shost; +@@ -682,13 +689,6 @@ static int isci_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + goto err_host_alloc; + } + pci_info->hosts[i] = h; +- +- /* turn on DIF support */ +- scsi_host_set_prot(to_shost(h), +- SHOST_DIF_TYPE1_PROTECTION | +- SHOST_DIF_TYPE2_PROTECTION | +- SHOST_DIF_TYPE3_PROTECTION); +- scsi_host_set_guard(to_shost(h), SHOST_DIX_GUARD_CRC); + } + + err = isci_setup_interrupts(pdev); +-- +2.19.1 + diff --git a/queue-4.4/scsi-qla4xxx-check-return-code-of-qla4xxx_copy_from_.patch b/queue-4.4/scsi-qla4xxx-check-return-code-of-qla4xxx_copy_from_.patch new file mode 100644 index 00000000000..ca1bdff24e7 --- /dev/null +++ b/queue-4.4/scsi-qla4xxx-check-return-code-of-qla4xxx_copy_from_.patch @@ -0,0 +1,33 @@ +From 7300a6a79bc8a571b7d4e689341fcbd72cd79010 Mon Sep 17 00:00:00 2001 +From: YueHaibing +Date: Thu, 20 Dec 2018 11:16:07 +0800 +Subject: scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param + +[ Upstream commit 72b4a0465f995175a2e22cf4a636bf781f1f28a7 ] + +The return code should be check while qla4xxx_copy_from_fwddb_param fails. + +Signed-off-by: YueHaibing +Acked-by: Manish Rangankar +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index d8c03431d0aa8..f9f899ec94270 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -7245,6 +7245,8 @@ static int qla4xxx_sysfs_ddb_tgt_create(struct scsi_qla_host *ha, + + rc = qla4xxx_copy_from_fwddb_param(fnode_sess, fnode_conn, + fw_ddb_entry); ++ if (rc) ++ goto free_sess; + + ql4_printk(KERN_INFO, ha, "%s: sysfs entry %s created\n", + __func__, fnode_sess->dev.kobj.name); +-- +2.19.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 8d69dab7bf8..0a0069874a2 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,3 +1,19 @@ ceph-avoid-repeatedly-adding-inode-to-mdsc-snap_flush_list.patch numa-change-get_mempolicy-to-use-nr_node_ids-instead-of-max_numnodes.patch keys-allow-reaching-the-keys-quotas-exactly.patch +mfd-ti_am335x_tscadc-use-platform_devid_auto-while-r.patch +mfd-twl-core-fix-section-annotations-on-un-protect_p.patch +mfd-db8500-prcmu-fix-some-section-annotations.patch +mfd-ab8500-core-return-zero-in-get_register_interrup.patch +mfd-qcom_rpm-write-fw_version-to-ctrl_reg.patch +mfd-wm5110-add-missing-asrc-rate-register.patch +mfd-mc13xxx-fix-a-missing-check-of-a-register-read-f.patch +net-hns-fix-use-after-free-identified-by-slub-debug.patch +mips-ath79-enable-of-serial-ports-in-the-default-con.patch +scsi-qla4xxx-check-return-code-of-qla4xxx_copy_from_.patch +scsi-isci-initialize-shost-fully-before-calling-scsi.patch +mips-jazz-fix-64bit-build.patch +isdn-i4l-isdn_tty-fix-some-concurrency-double-free-b.patch +atm-he-fix-sign-extension-overflow-on-large-shift.patch +leds-lp5523-fix-a-missing-check-of-return-value-of-l.patch +isdn-avm-fix-string-plus-integer-warning-from-clang.patch