From: Greg Kroah-Hartman Date: Sun, 17 Jun 2018 11:23:17 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.16.17~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8bf977fbb79448f1fba520302885a7a467a307e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch afs-fix-the-non-encryption-of-calls.patch agp-uninorth-make-two-functions-static.patch arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch arm-davinci-board-dm355-evm-fix-broken-networking.patch arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch arm-davinci-dm646x-fix-timer-interrupt-generation.patch arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch arm-dts-logicpd-som-lv-fix-audio-mute.patch arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch arm-kexec-fix-kdump-register-saving-on-panic.patch arm-keystone-fix-platform_domain_notifier-array-overrun.patch arm-omap1-ams-delta-fix-deferred_fiq-handler.patch arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch arm64-add-midr-encoding-for-nvidia-cpus.patch arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch arm64-ptrace-remove-addr_limit-manipulation.patch arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch asoc-rt5514-add-the-missing-register-in-the-readable-table.patch asoc-topology-check-widget-kcontrols-before-deref.patch 
asoc-topology-fix-bugs-of-freeing-soc-topology.patch ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch blk-mq-fix-sysfs-inflight-counter.patch blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch blkcg-init-root-blkcg_gq-under-lock.patch bpf-fix-uninitialized-variable-in-bpf-tools.patch bpf-x64-fix-memleak-when-not-converging-after-image.patch can-dev-increase-bus-off-message-severity.patch cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch clk-imx6ull-use-osc-clock-during-axi-rate-change.patch clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch doc-add-vendor-prefix-for-kieback-peter-gmbh.patch driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch drm-omap-check-return-value-from-soc_device_match.patch drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch drm-omap-fix-uninitialized-ret-variable.patch drm-omap-handle-alloc-failures-in-omap_connector.patch drm-omap-silence-unititialized-variable-warning.patch dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch efi-libstub-arm64-handle-randomized-text_offset.patch fsnotify-fix-ignore-mask-logic-in-send_to_group.patch hexagon-add-memset_io-helper.patch hexagon-export-csum_partial_copy_nocheck.patch 
hid-intel-ish-hid-use-put_device-instead-of-kfree.patch hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch i2c-pmcmsp-fix-error-return-from-master_xfer.patch i2c-pmcmsp-return-message-count-on-master_xfer-success.patch i2c-sprd-fix-the-i2c-count-issue.patch i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch i2c-viperboard-return-message-count-on-master_xfer-success.patch ib-core-make-ib_mad_client_id-atomic.patch ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch ib-hfi1-use-correct-type-for-num_user_context.patch ib-make-infiniband_addr_trans-configurable.patch ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch ib-rxe-avoid-double-kfree_skb.patch ib-uverbs-fix-validating-mandatory-attributes.patch ib_srp-depend-on-infiniband_addr_trans.patch ib_srpt-depend-on-infiniband_addr_trans.patch init-fix-false-positives-in-w-x-checking.patch input-atmel_mxt_ts-fix-the-firmware-update.patch input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch isofs-fix-potential-memory-leak-in-mount-option-parsing.patch ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch kthread-sched-wait-fix-kthread_parkme-wait-loop.patch kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch kvm-extend-max_irq_routes-to-4096-for-all-archs.patch kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch libahci-allow-drivers-to-override-stop_engine.patch linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch mac80211-adjust-sae-authentication-timeout.patch 
mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch mips-dts-boston-fix-pci-bus-dtc-warnings.patch mips-io-add-barrier-after-register-read-in-readx.patch mips-io-prevent-compiler-reordering-writex.patch mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch mtd-fix-comparison-in-map_word_andequal.patch net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch net-hns-avoid-action-name-truncation.patch net-phy-marvell-clear-wol-event-before-setting-it.patch net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch nfp-ignore-signals-when-communicating-with-management-fw.patch nvme-depend-on-infiniband_addr_trans.patch nvme-fix-potential-memory-leak-in-option-parsing.patch nvme-set-integrity-flag-for-user-passthrough-commands.patch nvmet-rdma-depend-on-infiniband_addr_trans.patch objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch parisc-drivers.c-fix-section-mismatches.patch parisc-move-setup_profiling_timer-out-of-init-section.patch parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch pci-kirin-fix-reset-gpio-name.patch perf-report-fix-switching-to-another-perf.data-file.patch perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch powerpc-trace-syscalls-update-syscall-name-matching-logic.patch proc-kcore-don-t-bounds-check-against-address-0.patch proc-revalidate-kernel-thread-inodes-to-root-root.patch 
qed-fix-l2-initializations-over-iwarp-personality.patch qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch rdma-iwpm-fix-memory-leak-on-map_info.patch rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch remoteproc-qcom-fix-potential-device-node-leaks.patch rpmsg-added-module_alias-for-rpmsg_char.patch rxrpc-fix-error-reception-on-af_inet6-sockets.patch rxrpc-fix-the-min-security-level-for-kernel-calls.patch s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch s390-smsgiucv-disable-smsg-on-module-unload.patch sched-core-introduce-set_special_state.patch sched-deadline-make-the-grub_reclaim-function-static.patch sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch scsi-isci-fix-infinite-loop-in-while-loop.patch scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch scsi-target-fix-crash-with-iscsi-target-and-dvd.patch scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch smc-fix-sendpage-call.patch soc-bcm-raspberrypi-power-fix-use-of-__packed.patch soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch tee-check-shm-references-are-consistent-in-offset-size.patch thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch 
tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch usb-musb-fix-remote-wakeup-racing-with-suspend.patch usb-typec-ucsi-fix-tracepoint-related-build-error.patch vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch x86-cpu-intel-add-missing-tlb-cpuid-values.patch x86-delay-skip-of-emulated-hypercall-instruction.patch x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch x86-pkeys-selftests-add-a-test-for-pkey-0.patch x86-pkeys-selftests-add-prot_exec-test.patch x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch x86-pkeys-selftests-allow-faults-on-unknown-keys.patch x86-pkeys-selftests-factor-out-instruction-page.patch x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch x86-pkeys-selftests-fix-pointer-math.patch x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch x86-pkeys-selftests-save-off-prot-for-allocations.patch x86-pkeys-selftests-stop-using-assert.patch x86-selftests-add-mov_to_ss-test.patch x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch xen-xenbus_dev_frontend-really-return-response-string.patch --- diff --git a/queue-4.14/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch b/queue-4.14/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch new file mode 100644 index 00000000000..912e2ac828f --- /dev/null +++ b/queue-4.14/acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch 
@@ -0,0 +1,47 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Chen Yu
+Date: Tue, 10 Apr 2018 23:07:51 +0800
+Subject: ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016)
+
+From: Chen Yu
+
+[ Upstream commit 855c1c2fce8bdbd796cba1d1456ca8f0e876c2f1 ]
+
+ThinkPad X1 Tablet(2016) is reported to have issues with
+the Low Power S0 Idle _DSM interface and since this machine
+model generally can do ACPI S3 just fine, and user would
+like to use S3 as default sleep model, add a blacklist
+entry to disable that interface for ThinkPad X1 Tablet(2016).
+
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199057
+Reported-and-tested-by: Robin Lee
+Signed-off-by: Chen Yu
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/sleep.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/acpi/sleep.c
++++ b/drivers/acpi/sleep.c
+@@ -364,6 +364,19 @@ static const struct dmi_system_id acpisl
+ DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9360"),
+ },
+ },
++ /*
++ * ThinkPad X1 Tablet(2016) cannot do suspend-to-idle using
++ * the Low Power S0 Idle firmware interface (see
++ * https://bugzilla.kernel.org/show_bug.cgi?id=199057).
++ */
++ {
++ .callback = init_no_lps0,
++ .ident = "ThinkPad X1 Tablet(2016)",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "20GGA00L00"),
++ },
++ },
+ {},
+ };
+
diff --git a/queue-4.14/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch b/queue-4.14/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch
new file mode 100644
index 00000000000..7a6bcec3eba
--- /dev/null
+++ b/queue-4.14/acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch
@@ -0,0 +1,118 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Mika Westerberg
+Date: Mon, 23 Apr 2018 14:16:03 +0300
+Subject: ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70
+
+From: Mika Westerberg
+
+[ Upstream commit a0a37862a4e1844793d39aca9ccb8fecbdcb8659 ]
+
+WDAT table on Lenovo Z50-70 is using RTC SRAM (ports 0x70 and 0x71) to
+store state of the timer. This conflicts with Linux RTC driver
+(rtc-cmos.c) who fails to reserve those ports for itself preventing RTC
+from functioning. In addition the WDAT table seems not to be fully
+functional because it does not reset the system when the watchdog times
+out.
+
+On this system iTCO_wdt works just fine so we simply prefer to use it
+instead of WDAT. This makes RTC working again and also results working
+watchdog via iTCO_wdt.
+
+Reported-by: Peter Milley
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=199033
+Signed-off-by: Mika Westerberg
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/acpi_watchdog.c | 59 +++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 49 insertions(+), 10 deletions(-)
+
+--- a/drivers/acpi/acpi_watchdog.c
++++ b/drivers/acpi/acpi_watchdog.c
+@@ -12,23 +12,64 @@
+ #define pr_fmt(fmt) "ACPI: watchdog: " fmt
+
+ #include
++#include
+ #include
+ #include
+
+ #include "internal.h"
+
++static const struct dmi_system_id acpi_watchdog_skip[] = {
++ {
++ /*
++ * On Lenovo Z50-70 there are two issues with the WDAT
++ * table. First some of the instructions use RTC SRAM
++ * to store persistent information. This does not work well
++ * with Linux RTC driver. Second, more important thing is
++ * that the instructions do not actually reset the system.
++ *
++ * On this particular system iTCO_wdt seems to work just
++ * fine so we prefer that over WDAT for now.
++ *
++ * See also https://bugzilla.kernel.org/show_bug.cgi?id=199033.
++ */
++ .ident = "Lenovo Z50-70",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "20354"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Z50-70"),
++ },
++ },
++ {}
++};
++
++static const struct acpi_table_wdat *acpi_watchdog_get_wdat(void)
++{
++ const struct acpi_table_wdat *wdat = NULL;
++ acpi_status status;
++
++ if (acpi_disabled)
++ return NULL;
++
++ if (dmi_check_system(acpi_watchdog_skip))
++ return NULL;
++
++ status = acpi_get_table(ACPI_SIG_WDAT, 0,
++ (struct acpi_table_header **)&wdat);
++ if (ACPI_FAILURE(status)) {
++ /* It is fine if there is no WDAT */
++ return NULL;
++ }
++
++ return wdat;
++}
++
+ /**
+ * Returns true if this system should prefer ACPI based watchdog instead of
+ * the native one (which are typically the same hardware).
+ */
+ bool acpi_has_watchdog(void)
+ {
+- struct acpi_table_header hdr;
+-
+- if (acpi_disabled)
+- return false;
+-
+- return ACPI_SUCCESS(acpi_get_table_header(ACPI_SIG_WDAT, 0, &hdr));
++ return !!acpi_watchdog_get_wdat();
+ }
+ EXPORT_SYMBOL_GPL(acpi_has_watchdog);
+
+@@ -41,12 +82,10 @@ void __init acpi_watchdog_init(void)
+ struct platform_device *pdev;
+ struct resource *resources;
+ size_t nresources = 0;
+- acpi_status status;
+ int i;
+
+- status = acpi_get_table(ACPI_SIG_WDAT, 0,
+- (struct acpi_table_header **)&wdat);
+- if (ACPI_FAILURE(status)) {
++ wdat = acpi_watchdog_get_wdat();
++ if (!wdat) {
+ /* It is fine if there is no WDAT */
+ return;
+ }
diff --git a/queue-4.14/afs-fix-the-non-encryption-of-calls.patch b/queue-4.14/afs-fix-the-non-encryption-of-calls.patch
new file mode 100644
index 00000000000..8474f6671ac
--- /dev/null
+++ b/queue-4.14/afs-fix-the-non-encryption-of-calls.patch
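Review bot: In drivers/acpi/acpi_watchdog.c, `acpi_has_watchdog()` now reaches `acpi_get_table()` through `acpi_watchdog_get_wdat()` and keeps only the `!!` of the result, so the table pointer obtained for that yes/no check is dropped with no matching `acpi_put_table()` visible; the removed code used `acpi_get_table_header()` into a local `hdr` and held nothing. If table references are counted in this tree (worth confirming for 4.14), either release the table in `acpi_has_watchdog()` or keep the header-only probe there after the `dmi_check_system()` test. Separately, the retained comment `/* It is fine if there is no WDAT */` in `acpi_watchdog_init()` now also covers the ACPI-disabled and DMI-skip returns and could read `/* No WDAT, ACPI disabled, or WDAT skipped by DMI quirk */`. The body of `acpi_watchdog_init()` continues outside the hunk.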
@@ -0,0 +1,49 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: David Howells
+Date: Thu, 10 May 2018 23:10:40 +0100
+Subject: afs: Fix the non-encryption of calls
+
+From: David Howells
+
+[ Upstream commit 4776cab43fd3111618112737a257dc3ef368eddd ]
+
+Some AFS servers refuse to accept unencrypted traffic, so can't be accessed
+with kAFS. Set the AF_RXRPC security level to encrypt client calls to deal
+with this.
+
+Note that incoming service calls are set by the remote client and so aren't
+affected by this.
+
+This requires an AF_RXRPC patch to pass the value set by setsockopt to calls
+begun by the kernel.
+
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/afs/rxrpc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/afs/rxrpc.c
++++ b/fs/afs/rxrpc.c
+@@ -55,6 +55,7 @@ int afs_open_socket(void)
+ {
+ struct sockaddr_rxrpc srx;
+ struct socket *socket;
++ unsigned int min_level;
+ int ret;
+
+ _enter("");
+@@ -80,6 +81,12 @@ int afs_open_socket(void)
+ memset(&srx.transport.sin.sin_addr, 0,
+ sizeof(srx.transport.sin.sin_addr));
+
++ min_level = RXRPC_SECURITY_ENCRYPT;
++ ret = kernel_setsockopt(socket, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL,
++ (void *)&min_level, sizeof(min_level));
++ if (ret < 0)
++ goto error_2;
++
+ ret = kernel_bind(socket, (struct sockaddr *) &srx, sizeof(srx));
+ if (ret < 0)
+ goto error_2;
diff --git a/queue-4.14/agp-uninorth-make-two-functions-static.patch b/queue-4.14/agp-uninorth-make-two-functions-static.patch
new file mode 100644
index 00000000000..5879bac70e7
--- /dev/null
+++ b/queue-4.14/agp-uninorth-make-two-functions-static.patch
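Review bot: The new `kernel_setsockopt(socket, SOL_RXRPC, RXRPC_MIN_SECURITY_LEVEL, ...)` call in `afs_open_socket()` only enforces encryption on client calls if AF_RXRPC applies the socket's minimum level to calls begun by the kernel, which the description says needs a separate AF_RXRPC patch; nothing in the code records that dependency, and without it the option would presumably be accepted while traffic stays unencrypted. I would add a comment above the assignment such as `/* Require encryption on outgoing calls; relies on AF_RXRPC honouring the socket's min security level for kernel calls. */` and confirm that the companion listed in this queue (rxrpc-fix-the-min-security-level-for-kernel-calls.patch) ships in the same release. A failure here takes `goto error_2`, so the socket is not opened rather than falling back to a weaker level; that fail-closed choice is worth stating in the same comment. The function body starts and ends outside the hunk.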
@@ -0,0 +1,48 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Mathieu Malaterre
+Date: Sat, 5 May 2018 21:54:05 +0200
+Subject: agp: uninorth: make two functions static
+
+From: Mathieu Malaterre
+
+[ Upstream commit dec60f3a9b7251f2657d743d96ba9a83dca02351 ]
+
+Both ‘uninorth_remove_memory’ and ‘null_cache_flush’ can be made
+static. So make them.
+
+Silence the following gcc warning (W=1):
+
+ drivers/char/agp/uninorth-agp.c:198:5: warning: no previous prototype for ‘uninorth_remove_memory’ [-Wmissing-prototypes]
+
+and
+
+ drivers/char/agp/uninorth-agp.c:473:6: warning: no previous prototype for ‘null_cache_flush’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Dave Airlie
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/char/agp/uninorth-agp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/agp/uninorth-agp.c
++++ b/drivers/char/agp/uninorth-agp.c
+@@ -195,7 +195,7 @@ static int uninorth_insert_memory(struct
+ return 0;
+ }
+
+-int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
++static int uninorth_remove_memory(struct agp_memory *mem, off_t pg_start, int type)
+ {
+ size_t i;
+ u32 *gp;
+@@ -470,7 +470,7 @@ static int uninorth_free_gatt_table(stru
+ return 0;
+ }
+
+-void null_cache_flush(void)
++static void null_cache_flush(void)
+ {
+ mb();
+ }
diff --git a/queue-4.14/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch b/queue-4.14/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch
new file mode 100644
index 00000000000..56e55527de6
--- /dev/null
+++ b/queue-4.14/arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch
@@ -0,0 +1,86 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Łukasz Stelmach"
+Date: Tue, 3 Apr 2018 09:04:57 +0100
+Subject: ARM: 8753/1: decompressor: add a missing parameter to the addruart macro
+
+From: "Łukasz Stelmach"
+
+[ Upstream commit e07e3c33b9c0b5751ade624f44325c9bf2487ea6 ]
+
+In commit 639da5ee374b ("ARM: add an extra temp register to the low
+level debugging addruart macro") an additional temporary register was
+added to the addruart macro, but the decompressor code wasn't updated.
+
+Fixes: 639da5ee374b ("ARM: add an extra temp register to the low level debugging addruart macro")
+Signed-off-by: Łukasz Stelmach
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/compressed/head.S | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -29,19 +29,19 @@
+ #if defined(CONFIG_DEBUG_ICEDCC)
+
+ #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_V6K) || defined(CONFIG_CPU_V7)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c0, c5, 0
+ .endm
+ #elif defined(CONFIG_CPU_XSCALE)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c8, c0, 0
+ .endm
+ #else
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ .endm
+ .macro writeb, ch, rb
+ mcr p14, 0, \ch, c1, c0, 0
+@@ -57,7 +57,7 @@
+ .endm
+
+ #if defined(CONFIG_ARCH_SA1100)
+- .macro loadsp, rb, tmp
++ .macro loadsp, rb, tmp1, tmp2
+ mov \rb, #0x80000000 @ physical base address
+ #ifdef CONFIG_DEBUG_LL_SER3
+ add \rb, \rb, #0x00050000 @ Ser3
+@@ -66,8 +66,8 @@
+ #endif
+ .endm
+ #else
+- .macro loadsp, rb, tmp
+- addruart \rb, \tmp
++ .macro loadsp, rb, tmp1, tmp2
++ addruart \rb, \tmp1, \tmp2
+ .endm
+ #endif
+ #endif
+@@ -1295,7 +1295,7 @@ phex: adr r3, phexbuf
+ b 1b
+
+ @ puts corrupts {r0, r1, r2, r3}
+-puts: loadsp r3, r1
++puts: loadsp r3, r2, r1
+ 1: ldrb r2, [r0], #1
+ teq r2, #0
+ moveq pc, lr
+@@ -1312,8 +1312,8 @@ puts: loadsp r3, r1
+ @ putc corrupts {r0, r1, r2, r3}
+ putc:
+ mov r2, r0
++ loadsp r3, r1, r0
+ mov r0, #0
+- loadsp r3, r1
+ b 2b
+
+ @ memdump corrupts {r0, r1, r2, r3, r10, r11, r12, lr}
diff --git a/queue-4.14/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch b/queue-4.14/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch
new file mode 100644
index 00000000000..06eac659b42
--- /dev/null
+++ b/queue-4.14/arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Łukasz Stelmach"
+Date: Wed, 4 Apr 2018 08:46:58 +0100
+Subject: ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel
+
+From: "Łukasz Stelmach"
+
+[ Upstream commit f2ae9de019e4e2807d812ec4fe1df7c34788a0a0 ]
+
+The hypervisor setup before __enter_kernel destroys the value
+sotred in r1. The value needs to be restored just before the jump.
+
+Fixes: 6b52f7bdb888 ("ARM: hyp-stub: Use r1 for the soft-restart address")
+Signed-off-by: Łukasz Stelmach
+Signed-off-by: Russell King
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/boot/compressed/head.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/compressed/head.S
++++ b/arch/arm/boot/compressed/head.S
+@@ -559,8 +559,6 @@ not_relocated: mov r0, #0
+ bl decompress_kernel
+ bl cache_clean_flush
+ bl cache_off
+- mov r1, r7 @ restore architecture number
+- mov r2, r8 @ restore atags pointer
+
+ #ifdef CONFIG_ARM_VIRT_EXT
+ mrs r0, spsr @ Get saved CPU boot mode
+@@ -1363,6 +1361,8 @@ __hyp_reentry_vectors:
+
+ __enter_kernel:
+ mov r0, #0 @ must be 0
++ mov r1, r7 @ restore architecture number
++ mov r2, r8 @ restore atags pointer
+ ARM( mov pc, r4 ) @ call kernel
+ M_CLASS( add r4, r4, #1 ) @ enter in Thumb mode for M class
+ THUMB( bx r4 ) @ entry point is always ARM for A/R classes
diff --git a/queue-4.14/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch b/queue-4.14/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch
new file mode 100644
index 00000000000..91ea6f3d2a1
--- /dev/null
+++ b/queue-4.14/arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Sekhar Nori
+Date: Tue, 24 Apr 2018 20:05:03 +0530
+Subject: ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD
+
+From: Sekhar Nori
+
+[ Upstream commit 51e9f12163223546bd3aa9f7af6817931f980da8 ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers
+as they are not offsets within a bank.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Fixes: b5e1438cf98a ("ARM: davinci: da830-evm: use gpio descriptor for mmc pins")
+Reported-by: David Lechner
+Reviewed-by: David Lechner
+Signed-off-by: Sekhar Nori
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-davinci/board-da830-evm.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-da830-evm.c
++++ b/arch/arm/mach-davinci/board-da830-evm.c
+@@ -205,12 +205,17 @@ static const short da830_evm_mmc_sd_pins
+ -1
+ };
+
++#define DA830_MMCSD_WP_PIN GPIO_TO_PIN(2, 1)
++#define DA830_MMCSD_CD_PIN GPIO_TO_PIN(2, 2)
++
+ static struct gpiod_lookup_table mmc_gpios_table = {
+ .dev_id = "da830-mmc.0",
+ .table = {
+ /* gpio chip 1 contains gpio range 32-63 */
+- GPIO_LOOKUP("davinci_gpio.1", 2, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.1", 1, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_CD_PIN, "cd",
++ GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA830_MMCSD_WP_PIN, "wp",
++ GPIO_ACTIVE_LOW),
+ },
+ };
+
diff --git a/queue-4.14/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch b/queue-4.14/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch
new file mode 100644
index 00000000000..93d28cb1d48
--- /dev/null
+++ b/queue-4.14/arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch
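Review bot: The context comment `/* gpio chip 1 contains gpio range 32-63 */` in `mmc_gpios_table` of board-da830-evm.c is left in place although both lookups now name `davinci_gpio.0` and take `GPIO_TO_PIN()` values, so it describes the per-bank layout this patch moves away from. Drop it, or replace it with something like `/* legacy mode: one chip, davinci_gpio.0; numbers are not bank offsets */`. The board-da850-evm.c patch that follows keeps the equivalent `/* gpio chip 2 contains gpio range 64-95 */`, whereas the omapl138-hawk patch in this same queue removes its counterpart and calls it misleading in its description.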
@@ -0,0 +1,47 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Sekhar Nori
+Date: Tue, 24 Apr 2018 20:05:04 +0530
+Subject: ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD
+
+From: Sekhar Nori
+
+[ Upstream commit 67c6b6ff221f807180aea6dd597246f87e1dd98a ]
+
+The GPIO chip is called davinci_gpio.0 in legacy mode. Fix it, so that
+mmc can correctly lookup the wp and cp gpios. Also fix the GPIO numbers
+as they are not offsets within a bank.
+
+Note that it is the gpio-davinci driver that sets the gpiochip label to
+davinci_gpio.0.
+
+Fixes: bdf0e8364fd3 ("ARM: davinci: da850-evm: use gpio descriptor for mmc pins")
+Reviewed-by: David Lechner
+Signed-off-by: Sekhar Nori
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-davinci/board-da850-evm.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/mach-davinci/board-da850-evm.c
++++ b/arch/arm/mach-davinci/board-da850-evm.c
+@@ -763,12 +763,17 @@ static const short da850_evm_mcasp_pins[
+ -1
+ };
+
++#define DA850_MMCSD_CD_PIN GPIO_TO_PIN(4, 0)
++#define DA850_MMCSD_WP_PIN GPIO_TO_PIN(4, 1)
++
+ static struct gpiod_lookup_table mmc_gpios_table = {
+ .dev_id = "da830-mmc.0",
+ .table = {
+ /* gpio chip 2 contains gpio range 64-95 */
+- GPIO_LOOKUP("davinci_gpio.2", 0, "cd", GPIO_ACTIVE_LOW),
+- GPIO_LOOKUP("davinci_gpio.2", 1, "wp", GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_CD_PIN, "cd",
++ GPIO_ACTIVE_LOW),
++ GPIO_LOOKUP("davinci_gpio.0", DA850_MMCSD_WP_PIN, "wp",
++ GPIO_ACTIVE_LOW),
+ },
+ };
+
diff --git a/queue-4.14/arm-davinci-board-dm355-evm-fix-broken-networking.patch b/queue-4.14/arm-davinci-board-dm355-evm-fix-broken-networking.patch
new file mode 100644
index 00000000000..ee0ce6cfdf3
--- /dev/null
+++ b/queue-4.14/arm-davinci-board-dm355-evm-fix-broken-networking.patch
@@ -0,0 +1,52 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Sekhar Nori
+Date: Wed, 25 Apr 2018 14:53:23 +0530
+Subject: ARM: davinci: board-dm355-evm: fix broken networking
+
+From: Sekhar Nori
+
+[ Upstream commit 5c054de228dd6d97bf8e38962bd118953b66e5a0 ]
+
+Since commit 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all
+error conditions of dm9000_parse_dt()"), passing either non-NULL
+platform data or device-tree for dm9000 driver to probe is
+mandatory.
+
+DM335 board was using none, so networking failed to initialize.
+Fix it by passing non-NULL (but empty) platform data.
+
+Fixes: 09f3756bb9a8 ("dm9000: Return an ERR_PTR() in all error conditions of dm9000_parse_dt()")
+Signed-off-by: Sekhar Nori
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-davinci/board-dm355-evm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/arm/mach-davinci/board-dm355-evm.c
++++ b/arch/arm/mach-davinci/board-dm355-evm.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -168,11 +169,16 @@ static struct resource dm355evm_dm9000_r
+ },
+ };
+
++static struct dm9000_plat_data dm335evm_dm9000_platdata;
++
+ static struct platform_device dm355evm_dm9000 = {
+ .name = "dm9000",
+ .id = -1,
+ .resource = dm355evm_dm9000_rsrc,
+ .num_resources = ARRAY_SIZE(dm355evm_dm9000_rsrc),
++ .dev = {
++ .platform_data = &dm335evm_dm9000_platdata,
++ },
+ };
+
+ static struct tvp514x_platform_data tvp5146_pdata = {
diff --git a/queue-4.14/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch b/queue-4.14/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch
new file mode 100644
index 00000000000..e822e005f89
--- /dev/null
+++ b/queue-4.14/arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch
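Review bot: The new object in board-dm355-evm.c is named `dm335evm_dm9000_platdata`, while every neighbouring symbol visible in the hunk uses the `dm355evm_` prefix (`dm355evm_dm9000`, `dm355evm_dm9000_rsrc`); the transposed digits look like a typo and make the symbol easy to miss when grepping for the board prefix. Suggest `static struct dm9000_plat_data dm355evm_dm9000_platdata;` together with `.platform_data = &dm355evm_dm9000_platdata,`. Because the structure is intentionally empty, a one-line comment such as `/* empty on purpose: dm9000 probe needs non-NULL platform data */` would keep it from being removed later as dead data.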
@@ -0,0 +1,42 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Sekhar Nori
+Date: Fri, 11 May 2018 20:51:35 +0530
+Subject: ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF
+
+From: Sekhar Nori
+
+[ Upstream commit 7d46899d57f8b61eb28701d9a4043b71e3392c26 ]
+
+commit a16cb91ad9c4 ("[media] media: vpif: use a configurable
+i2c_adapter_id for vpif display") removed hardcoded I2C adaptor
+setting in VPIF driver, but missed updating platform data passed
+from DM646x board.
+
+Fix it.
+
+Fixes: a16cb91ad9c4 ("[media] media: vpif: use a configurable i2c_adapter_id for vpif display")
+Signed-off-by: Sekhar Nori
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm/mach-davinci/board-dm646x-evm.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/mach-davinci/board-dm646x-evm.c
++++ b/arch/arm/mach-davinci/board-dm646x-evm.c
+@@ -534,6 +534,7 @@ static struct vpif_display_config dm646x
+ .set_clock = set_vpif_clock,
+ .subdevinfo = dm646x_vpif_subdev,
+ .subdev_count = ARRAY_SIZE(dm646x_vpif_subdev),
++ .i2c_adapter_id = 1,
+ .chan_config[0] = {
+ .outputs = dm6467_ch0_outputs,
+ .output_count = ARRAY_SIZE(dm6467_ch0_outputs),
+@@ -676,6 +677,7 @@ static struct vpif_capture_config dm646x
+ .setup_input_channel_mode = setup_vpif_input_channel_mode,
+ .subdev_info = vpif_capture_sdev_info,
+ .subdev_count = ARRAY_SIZE(vpif_capture_sdev_info),
++ .i2c_adapter_id = 1,
+ .chan_config[0] = {
+ .inputs = dm6467_ch0_inputs,
+ .input_count = ARRAY_SIZE(dm6467_ch0_inputs),
diff --git a/queue-4.14/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch b/queue-4.14/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch
new file mode 100644
index 00000000000..16ee9c4ad7b
--- /dev/null
+++ b/queue-4.14/arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch
@@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sekhar Nori +Date: Fri, 11 May 2018 20:51:36 +0530 +Subject: ARM: davinci: board-dm646x-evm: set VPIF capture card name + +From: Sekhar Nori + +[ Upstream commit bb7298a7e87cf3430eb62be8746e5d7a07ca9d7c ] + +VPIF capture driver expects card name to be set since it +uses it without checking for NULL. The commit which +introduced VPIF display and capture support added card +name only for display, not for capture. + +Set it in platform data to probe driver successfully. + +While at it, also fix the display card name to something more +appropriate. + +Fixes: 85609c1ccda6 ("DaVinci: DM646x - platform changes for vpif capture and display drivers") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-dm646x-evm.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/board-dm646x-evm.c ++++ b/arch/arm/mach-davinci/board-dm646x-evm.c +@@ -539,7 +539,7 @@ static struct vpif_display_config dm646x + .outputs = dm6467_ch0_outputs, + .output_count = ARRAY_SIZE(dm6467_ch0_outputs), + }, +- .card_name = "DM646x EVM", ++ .card_name = "DM646x EVM Video Display", + }; + + /** +@@ -698,6 +698,7 @@ static struct vpif_capture_config dm646x + .fid_pol = 0, + }, + }, ++ .card_name = "DM646x EVM Video Capture", + }; + + static void __init evm_init_video(void) diff --git a/queue-4.14/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch b/queue-4.14/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch new file mode 100644 index 00000000000..94af454df96 --- /dev/null +++ b/queue-4.14/arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch 
@@ -0,0 +1,47 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sekhar Nori +Date: Tue, 24 Apr 2018 20:05:06 +0530 +Subject: ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup + +From: Sekhar Nori + +[ Upstream commit d45622c0eaa5992a1a2248cbe93e1ff7a2da7be4 ] + +commit c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") +fixed the GPIO chip name for look-up of MMC/SD CD and WP pins, but forgot +to change the GPIO numbers passed. + +The GPIO numbers are not offsets from within a 32 GPIO bank. Fix the +GPIO numbers as well as remove the misleading comment. + +Fixes: c4dc56be7e26 ("ARM: davinci: fix the GPIO lookup for omapl138-hawk") +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/board-omapl138-hawk.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-davinci/board-omapl138-hawk.c ++++ b/arch/arm/mach-davinci/board-omapl138-hawk.c +@@ -123,12 +123,16 @@ static const short hawk_mmcsd0_pins[] = + -1 + }; + ++#define DA850_HAWK_MMCSD_CD_PIN GPIO_TO_PIN(3, 12) ++#define DA850_HAWK_MMCSD_WP_PIN GPIO_TO_PIN(3, 13) ++ + static struct gpiod_lookup_table mmc_gpios_table = { + .dev_id = "da830-mmc.0", + .table = { +- /* CD: gpio3_12: gpio60: chip 1 contains gpio range 32-63*/ +- GPIO_LOOKUP("davinci_gpio.0", 28, "cd", GPIO_ACTIVE_LOW), +- GPIO_LOOKUP("davinci_gpio.0", 29, "wp", GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_CD_PIN, "cd", ++ GPIO_ACTIVE_LOW), ++ GPIO_LOOKUP("davinci_gpio.0", DA850_HAWK_MMCSD_WP_PIN, "wp", ++ GPIO_ACTIVE_LOW), + }, + }; + diff --git a/queue-4.14/arm-davinci-dm646x-fix-timer-interrupt-generation.patch b/queue-4.14/arm-davinci-dm646x-fix-timer-interrupt-generation.patch new file mode 100644 index 00000000000..52f63e45bca --- /dev/null +++ b/queue-4.14/arm-davinci-dm646x-fix-timer-interrupt-generation.patch 
@@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sekhar Nori +Date: Fri, 11 May 2018 20:51:34 +0530 +Subject: ARM: davinci: dm646x: fix timer interrupt generation + +From: Sekhar Nori + +[ Upstream commit 73d4337ed9ceddef4b2f0e226634d5f985aa2d1c ] + +commit b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt +definition for DM646x") inadvertently removed priority setting for +timer0_12 (bottom half of timer0). This timer is used as clockevent. + +When INTPRIn register setting for an interrupt is left at 0, it is +mapped to FIQ by the AINTC causing the timer interrupt to not get +generated. + +Fix it by including an entry for timer0_12 in interrupt priority map +array. While at it, move the clockevent comment to the right place. + +Fixes: b38434145b34 ("ARM: davinci: irqs: Correct McASP1 TX interrupt definition for DM646x") +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-davinci/dm646x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arm/mach-davinci/dm646x.c ++++ b/arch/arm/mach-davinci/dm646x.c +@@ -495,7 +495,8 @@ static u8 dm646x_default_priorities[DAVI + [IRQ_DM646X_MCASP0TXINT] = 7, + [IRQ_DM646X_MCASP0RXINT] = 7, + [IRQ_DM646X_RESERVED_3] = 7, +- [IRQ_DM646X_MCASP1TXINT] = 7, /* clockevent */ ++ [IRQ_DM646X_MCASP1TXINT] = 7, ++ [IRQ_TINT0_TINT12] = 7, /* clockevent */ + [IRQ_TINT0_TINT34] = 7, /* clocksource */ + [IRQ_TINT1_TINT12] = 7, /* DSP timer */ + [IRQ_TINT1_TINT34] = 7, /* system tick */ diff --git a/queue-4.14/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch b/queue-4.14/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch new file mode 100644 index 00000000000..00bf8df3068 --- /dev/null +++ b/queue-4.14/arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch 
@@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: "Clément Péron" +Date: Thu, 3 May 2018 17:32:07 +0200 +Subject: ARM: dts: cygnus: fix irq type for arm global timer + +From: "Clément Péron" + +[ Upstream commit 675c7215aacf54242b2e8bc64bab698abbe764db ] + +As per ARM documentation +PPI(0) ID27 - global timer interrupt is rising-edge sensitive. + +set IRQ triggering type to IRQ_TYPE_EDGE_RISING for ARM Global timers. + +Fixes: c9ad7bc5fe3 ("ARM: dts: Enable Broadcom Cygnus SoC") +Signed-off-by: Clément Péron +Signed-off-by: Florian Fainelli +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/bcm-cygnus.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/bcm-cygnus.dtsi ++++ b/arch/arm/boot/dts/bcm-cygnus.dtsi +@@ -69,7 +69,7 @@ + timer@20200 { + compatible = "arm,cortex-a9-global-timer"; + reg = <0x20200 0x100>; +- interrupts = ; ++ interrupts = ; + clocks = <&periph_clk>; + }; + diff --git a/queue-4.14/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch b/queue-4.14/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch new file mode 100644 index 00000000000..968a55ccb83 --- /dev/null +++ b/queue-4.14/arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sekhar Nori +Date: Tue, 17 Apr 2018 18:06:00 +0530 +Subject: ARM: dts: da850: fix W=1 warnings with pinmux node + +From: Sekhar Nori + +[ Upstream commit 94a82284ad4711b7f9fd78981fdc7a1cb645030b ] + +Remove unused #address-cells and #size-cells from pinmux +node. This fixes W=1 warnings of the type: + +arch/arm/boot/dts/da850-lcdk.dtb: Warning (avoid_unnecessary_addr_size): /soc@1c00000/pinmux@14120: unnecessary #address-cells/#size-cells without "ranges" or child "reg" property + +Tested on DA850 LCDK by checking output of: + +/sys/kernel/debug/pinctrl/1c14120.pinmux-pinctrl-single/pins + +before and after the change. + +Reviewed-by: David Lechner +Signed-off-by: Sekhar Nori +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/da850.dtsi | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/arm/boot/dts/da850.dtsi ++++ b/arch/arm/boot/dts/da850.dtsi +@@ -34,8 +34,6 @@ + pmx_core: pinmux@14120 { + compatible = "pinctrl-single"; + reg = <0x14120 0x50>; +- #address-cells = <1>; +- #size-cells = <0>; + #pinctrl-cells = <2>; + pinctrl-single,bit-per-mux; + pinctrl-single,register-width = <32>; diff --git a/queue-4.14/arm-dts-logicpd-som-lv-fix-audio-mute.patch b/queue-4.14/arm-dts-logicpd-som-lv-fix-audio-mute.patch new file mode 100644 index 00000000000..ea44a25fea5 --- /dev/null +++ b/queue-4.14/arm-dts-logicpd-som-lv-fix-audio-mute.patch 
@@ -0,0 +1,43 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Adam Ford +Date: Tue, 1 May 2018 08:58:53 -0500 +Subject: ARM: dts: logicpd-som-lv: Fix Audio Mute + +From: Adam Ford + +[ Upstream commit 95e59fc3c3fa3187a07a75f40b21637deb4bd12d ] + +The Audio has worked, but the mute pin has a weak pulldown which alows +some of the audio signal to pass very quietly. This patch fixes +that so the mute pin is actively driven high for mute or low for normal +operation. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic +PD DM3730 SOM-LV") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -108,6 +108,7 @@ + twl_audio: audio { + compatible = "ti,twl4030-audio"; + codec { ++ ti,hs_extmute_gpio = <&gpio2 25 GPIO_ACTIVE_HIGH>; + }; + }; + }; +@@ -221,6 +222,7 @@ + pinctrl-single,pins = < + OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */ + OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */ ++ OMAP3_CORE1_IOPAD(0x20ba, PIN_OUTPUT | MUX_MODE4) /* gpmc_ncs6.gpio_57 */ + >; + }; + }; diff --git a/queue-4.14/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch b/queue-4.14/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch new file mode 100644 index 00000000000..c3c94740aab --- /dev/null +++ b/queue-4.14/arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch 
@@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Adam Ford +Date: Mon, 30 Apr 2018 18:24:34 -0500 +Subject: ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues + +From: Adam Ford + +[ Upstream commit 189822cbcbf3ea37c26a15612d8f922c440bc0e0 ] + +The VAUX3 rail from the PMIC powers a clock driver which clocks +the WL127x. This corrects a bug which did not correctly associate +the vin-supply with the proper power rail. + +This also fixes a typo in the pinmuxing to properly configure the +interrupt pin. + +Fixes: ab8dd3aed011 ("ARM: DTS: Add minimal Support for Logic PD +DM3730 SOM-LV") + +Signed-off-by: Adam Ford +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/logicpd-som-lv.dtsi | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/logicpd-som-lv.dtsi ++++ b/arch/arm/boot/dts/logicpd-som-lv.dtsi +@@ -26,7 +26,7 @@ + gpio = <&gpio1 3 0>; /* gpio_3 */ + startup-delay-us = <70000>; + enable-active-high; +- vin-supply = <&vmmc2>; ++ vin-supply = <&vaux3>; + }; + + /* HS USB Host PHY on PORT 1 */ +@@ -235,7 +235,7 @@ + }; + wl127x_gpio: pinmux_wl127x_gpio_pin { + pinctrl-single,pins = < +- OMAP3_WKUP_IOPAD(0x2a0c, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */ ++ OMAP3_WKUP_IOPAD(0x2a0a, PIN_INPUT | MUX_MODE4) /* sys_boot0.gpio_2 */ + OMAP3_WKUP_IOPAD(0x2a0c, PIN_OUTPUT | MUX_MODE4) /* sys_boot1.gpio_3 */ + >; + }; +@@ -270,6 +270,11 @@ + #include "twl4030.dtsi" + #include "twl4030_omap3.dtsi" + ++&vaux3 { ++ regulator-min-microvolt = <2800000>; ++ regulator-max-microvolt = <2800000>; ++}; ++ + &twl { + twl_power: power { + compatible = "ti,twl4030-power-idle-osc-off", "ti,twl4030-power-idle"; diff --git a/queue-4.14/arm-kexec-fix-kdump-register-saving-on-panic.patch b/queue-4.14/arm-kexec-fix-kdump-register-saving-on-panic.patch new file mode 100644 index 00000000000..750a1bd9b8d --- /dev/null 
+++ b/queue-4.14/arm-kexec-fix-kdump-register-saving-on-panic.patch 
@@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Russell King +Date: Wed, 11 Apr 2018 18:24:01 +0100 +Subject: ARM: kexec: fix kdump register saving on panic() + +From: Russell King + +[ Upstream commit 2d7b3c64431245c95b05a441669c074da10db943 ] + +When a panic() occurs, the kexec code uses smp_send_stop() to stop +the other CPUs, but this results in the CPU register state not being +saved, and gdb is unable to inspect the state of other CPUs. + +Commit 0ee59413c967 ("x86/panic: replace smp_send_stop() with kdump +friendly version in panic path") addressed the issue on x86, but +ignored other architectures. Address the issue on ARM by splitting +out the crash stop implementation to crash_smp_send_stop() and +adding the necessary protection. + +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/kernel/machine_kexec.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/arch/arm/kernel/machine_kexec.c ++++ b/arch/arm/kernel/machine_kexec.c +@@ -95,6 +95,27 @@ void machine_crash_nonpanic_core(void *u + cpu_relax(); + } + ++void crash_smp_send_stop(void) ++{ ++ static int cpus_stopped; ++ unsigned long msecs; ++ ++ if (cpus_stopped) ++ return; ++ ++ atomic_set(&waiting_for_crash_ipi, num_online_cpus() - 1); ++ smp_call_function(machine_crash_nonpanic_core, NULL, false); ++ msecs = 1000; /* Wait at most a second for the other cpus to stop */ ++ while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) { ++ mdelay(1); ++ msecs--; ++ } ++ if (atomic_read(&waiting_for_crash_ipi) > 0) ++ pr_warn("Non-crashing CPUs did not react to IPI\n"); ++ ++ cpus_stopped = 1; ++} ++ + static void machine_kexec_mask_interrupts(void) + { + unsigned int i; +@@ -120,19 +141,8 @@ static void machine_kexec_mask_interrupt + + void machine_crash_shutdown(struct pt_regs *regs) + { +- unsigned long msecs; +- + local_irq_disable(); +- +- atomic_set(&waiting_for_crash_ipi, 
num_online_cpus() - 1); +- smp_call_function(machine_crash_nonpanic_core, NULL, false); +- msecs = 1000; /* Wait at most a second for the other cpus to stop */ +- while ((atomic_read(&waiting_for_crash_ipi) > 0) && msecs) { +- mdelay(1); +- msecs--; +- } +- if (atomic_read(&waiting_for_crash_ipi) > 0) +- pr_warn("Non-crashing CPUs did not react to IPI\n"); ++ crash_smp_send_stop(); + + crash_save_cpu(regs, smp_processor_id()); + machine_kexec_mask_interrupts(); diff --git a/queue-4.14/arm-keystone-fix-platform_domain_notifier-array-overrun.patch b/queue-4.14/arm-keystone-fix-platform_domain_notifier-array-overrun.patch new file mode 100644 index 00000000000..738c714fbc0 --- /dev/null +++ b/queue-4.14/arm-keystone-fix-platform_domain_notifier-array-overrun.patch 
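Review bot: `cpus_stopped` in the new `crash_smp_send_stop()` is a plain `static int` that is tested and set without any atomicity or ordering, and nothing in the hunk says why that is safe. Presumably only the one CPU that owns the panic or crash path can reach this function, but that guarantee lives outside the hunk. It should be stated next to the flag, e.g. `/* only the crashing CPU gets here; avoids a second IPI round when panic() already stopped the others */`. The wait loop used to run strictly after `local_irq_disable()` in `machine_crash_shutdown()`, so it is worth confirming that the panic() caller also enters with interrupts off.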
@@ -0,0 +1,84 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Russell King +Date: Thu, 10 May 2018 14:24:20 +0100 +Subject: ARM: keystone: fix platform_domain_notifier array overrun + +From: Russell King + +[ Upstream commit 9954b80b8c0e8abc98e17bba0fccd9876211ceaa ] + +platform_domain_notifier contains a variable sized array, which the +pm_clk_notify() notifier treats as a NULL terminated array: + + for (con_id = clknb->con_ids; *con_id; con_id++) + pm_clk_add(dev, *con_id); + +Omitting the initialiser for con_ids means that the array is zero +sized, and there is no NULL terminator. This leads to pm_clk_notify() +overrunning into what ever structure follows, which may not be NULL. +This leads to an oops: + +Unable to handle kernel NULL pointer dereference at virtual address 0000008c +pgd = c0003000 +[0000008c] *pgd=80000800004003c, *pmd=00000000c +Internal error: Oops: 206 [#1] PREEMPT SMP ARM +Modules linked in:c +CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.16.0+ #9 +Hardware name: Keystone +PC is at strlen+0x0/0x34 +LR is at kstrdup+0x18/0x54 +pc : [] lr : [] psr: 20000013 +sp : eec73dc0 ip : eed780c0 fp : 00000001 +r10: 00000000 r9 : 00000000 r8 : eed71e10 +r7 : 0000008c r6 : 0000008c r5 : 014000c0 r4 : c03a6ff4 +r3 : c09445d0 r2 : 00000000 r1 : 014000c0 r0 : 0000008c +Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 30c5387d Table: 00003000 DAC: fffffffd +Process swapper/0 (pid: 1, stack limit = 0xeec72210) +Stack: (0xeec73dc0 to 0xeec74000) +... 
+[] (strlen) from [] (kstrdup+0x18/0x54) +[] (kstrdup) from [] (__pm_clk_add+0x58/0x120) +[] (__pm_clk_add) from [] (pm_clk_notify+0x64/0xa8) +[] (pm_clk_notify) from [] (notifier_call_chain+0x44/0x84) +[] (notifier_call_chain) from [] (__blocking_notifier_call_chain+0x48/0x60) +[] (__blocking_notifier_call_chain) from [] (blocking_notifier_call_chain+0x18/0x20) +[] (blocking_notifier_call_chain) from [] (device_add+0x36c/0x534) +[] (device_add) from [] (of_platform_device_create_pdata+0x70/0xa4) +[] (of_platform_device_create_pdata) from [] (of_platform_bus_create+0xf0/0x1ec) +[] (of_platform_bus_create) from [] (of_platform_populate+0x5c/0xac) +[] (of_platform_populate) from [] (of_platform_default_populate_init+0x8c/0xa8) +[] (of_platform_default_populate_init) from [] (do_one_initcall+0x3c/0x164) +[] (do_one_initcall) from [] (kernel_init_freeable+0x10c/0x1d0) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xf0) +[] (kernel_init) from [] (ret_from_fork+0x14/0x3c) +Exception stack(0xeec73fb0 to 0xeec73ff8) +3fa0: 00000000 00000000 00000000 00000000 +3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +3fe0: 00000000 00000000 00000000 00000000 00000013 00000000 +Code: e3520000 1afffff7 e12fff1e c0801730 (e5d02000) +---[ end trace cafa8f148e262e80 ]--- + +Fix this by adding the necessary initialiser. 
+ +Fixes: fc20ffe1213b ("ARM: keystone: add PM domain support for clock management") +Signed-off-by: Russell King +Acked-by: Santosh Shilimkar +Signed-off-by: Olof Johansson + +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-keystone/pm_domain.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/arm/mach-keystone/pm_domain.c ++++ b/arch/arm/mach-keystone/pm_domain.c +@@ -29,6 +29,7 @@ static struct dev_pm_domain keystone_pm_ + + static struct pm_clk_notifier_block platform_domain_notifier = { + .pm_domain = &keystone_pm_domain, ++ .con_ids = { NULL }, + }; + + static const struct of_device_id of_keystone_table[] = { diff --git a/queue-4.14/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch b/queue-4.14/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch new file mode 100644 index 00000000000..3957dbe5ab4 --- /dev/null +++ b/queue-4.14/arm-omap1-ams-delta-fix-deferred_fiq-handler.patch 
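Review bot: The added `.con_ids = { NULL },` is the only thing that terminates the walk over `con_ids` described in the commit message, yet the initialiser carries no comment saying so. An empty-looking initialiser like this is an easy target for a later cleanup, which would bring back the out-of-bounds read. I would add `/* NULL-terminated: pm_clk_notify() walks con_ids until it finds NULL */` above the field.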
@@ -0,0 +1,67 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Janusz Krzysztofik +Date: Wed, 2 May 2018 20:32:03 +0200 +Subject: ARM: OMAP1: ams-delta: fix deferred_fiq handler + +From: Janusz Krzysztofik + +[ Upstream commit baf64250b4a513bf4ac226fd938692dc1836f4f6 ] + +The deferred_fiq handler used to limit hardware operations to IRQ +unmask only, relying on gpio-omap assigned handler performing the ACKs. +Since commit 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") this +is no longer the case as handle_edge_irq() has been replaced with +handle_simmple_irq() which doesn't touch the hardware. + +Add single ACK operation per each active IRQ pin to the handler. While +being at it, move unmask operation out of irq_counter loop so it is +also called only once for each active IRQ pin. + +Fixes: 80ac93c27441 ("gpio: omap: Fix lost edge interrupts") +Signed-off-by: Janusz Krzysztofik +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap1/ams-delta-fiq.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +--- a/arch/arm/mach-omap1/ams-delta-fiq.c ++++ b/arch/arm/mach-omap1/ams-delta-fiq.c +@@ -58,22 +58,24 @@ static irqreturn_t deferred_fiq(int irq, + irq_num = gpio_to_irq(gpio); + fiq_count = fiq_buffer[FIQ_CNT_INT_00 + gpio]; + +- while (irq_counter[gpio] < fiq_count) { +- if (gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) { +- struct irq_data *d = irq_get_irq_data(irq_num); ++ if (irq_counter[gpio] < fiq_count && ++ gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) { ++ struct irq_data *d = irq_get_irq_data(irq_num); + +- /* +- * It looks like handle_edge_irq() that +- * OMAP GPIO edge interrupts default to, +- * expects interrupt already unmasked. +- */ +- if (irq_chip && irq_chip->irq_unmask) ++ /* ++ * handle_simple_irq() that OMAP GPIO edge ++ * interrupts default to since commit 80ac93c27441 ++ * requires interrupt already acked and unmasked. 
++ */ ++ if (irq_chip) { ++ if (irq_chip->irq_ack) ++ irq_chip->irq_ack(d); ++ if (irq_chip->irq_unmask) + irq_chip->irq_unmask(d); + } +- generic_handle_irq(irq_num); +- +- irq_counter[gpio]++; + } ++ for (; irq_counter[gpio] < fiq_count; irq_counter[gpio]++) ++ generic_handle_irq(irq_num); + } + return IRQ_HANDLED; + } diff --git a/queue-4.14/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch b/queue-4.14/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch new file mode 100644 index 00000000000..7bcb1e13aa0 --- /dev/null +++ b/queue-4.14/arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch 
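Review bot: In the rewritten block of `deferred_fiq()`, `d = irq_get_irq_data(irq_num)` is handed to `irq_chip->irq_ack(d)` and `irq_chip->irq_unmask(d)` without a NULL check, although `irq_chip` and both callbacks are checked. If `gpio_to_irq()` can fail for one of these pins, `d` would be NULL; the removed code had the same gap, but since the block is being rewritten the guard could become `if (irq_chip && d) {`. The new comment could also say that ack and unmask now happen once per active pin, before the `generic_handle_irq()` loop, rather than once per counted event. The function starts before the hunk, so where `irq_chip` is assigned is not visible here.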
@@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Tero Kristo +Date: Fri, 9 Mar 2018 11:50:20 +0200 +Subject: ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace + +From: Tero Kristo + +[ Upstream commit 33e9572483031a79ad0a4468064675144d9269ec ] + +smp_processor_id() checks preemption if CONFIG_DEBUG_PREEMPT is enabled, +causing a warning dump during boot: + +[ 5.042377] BUG: using smp_processor_id() in preemptible [00000000] code: swapper/0/1 +[ 5.050281] caller is pwrdm_set_next_pwrst+0x48/0x88 +[ 5.055330] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.14.24-g57341df0b4 #1 + +Use the raw_smp_processor_id() for the trace instead, this value does +not need to be perfectly correct. The alternative of disabling preempt +is too heavy weight operation to be applied in PM hot path for just +tracing purposes. + +Signed-off-by: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/mach-omap2/powerdomain.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/mach-omap2/powerdomain.c ++++ b/arch/arm/mach-omap2/powerdomain.c +@@ -188,7 +188,7 @@ static int _pwrdm_state_switch(struct po + ((prev & OMAP_POWERSTATE_MASK) << 0)); + trace_power_domain_target_rcuidle(pwrdm->name, + trace_state, +- smp_processor_id()); ++ raw_smp_processor_id()); + } + break; + default: +@@ -518,7 +518,7 @@ int pwrdm_set_next_pwrst(struct powerdom + if (arch_pwrdm && arch_pwrdm->pwrdm_set_next_pwrst) { + /* Trace the pwrdm desired target state */ + trace_power_domain_target_rcuidle(pwrdm->name, pwrst, +- smp_processor_id()); ++ raw_smp_processor_id()); + /* Program the pwrdm desired target state */ + ret = arch_pwrdm->pwrdm_set_next_pwrst(pwrdm, pwrst); + } diff --git a/queue-4.14/arm64-add-midr-encoding-for-nvidia-cpus.patch b/queue-4.14/arm64-add-midr-encoding-for-nvidia-cpus.patch new file mode 100644 index 00000000000..89dadbc19a6 --- /dev/null 
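Review bot: Both call sites now pass `raw_smp_processor_id()` to `trace_power_domain_target_rcuidle()`, but the reason is recorded only in the commit message. A reader who meets the raw variant in `_pwrdm_state_switch()` or `pwrdm_set_next_pwrst()` cannot tell whether skipping the preemption check is deliberate. I would put `/* trace only: a stale CPU id is acceptable, so skip the preemption check */` above each call. Both functions extend beyond the hunks shown.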
+++ b/queue-4.14/arm64-add-midr-encoding-for-nvidia-cpus.patch @@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: David Gilhooley +Date: Tue, 8 May 2018 15:49:42 -0700 +Subject: arm64: Add MIDR encoding for NVIDIA CPUs + +From: David Gilhooley + +[ Upstream commit 1b06bd8dd95f7a19ab33fdf0f477c94950822ab3 ] + +This patch adds the MIDR encodings for NVIDIA as well as +the Denver and Carmel CPUs used in Tegra SoCs. + +Signed-off-by: David Gilhooley +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/cputype.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm64/include/asm/cputype.h ++++ b/arch/arm64/include/asm/cputype.h +@@ -75,6 +75,7 @@ + #define ARM_CPU_IMP_CAVIUM 0x43 + #define ARM_CPU_IMP_BRCM 0x42 + #define ARM_CPU_IMP_QCOM 0x51 ++#define ARM_CPU_IMP_NVIDIA 0x4E + + #define ARM_CPU_PART_AEM_V8 0xD0F + #define ARM_CPU_PART_FOUNDATION 0xD00 +@@ -98,6 +99,9 @@ + #define QCOM_CPU_PART_FALKOR 0xC00 + #define QCOM_CPU_PART_KRYO 0x200 + ++#define NVIDIA_CPU_PART_DENVER 0x003 ++#define NVIDIA_CPU_PART_CARMEL 0x004 ++ + #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) + #define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) + #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) +@@ -112,6 +116,8 @@ + #define MIDR_QCOM_FALKOR_V1 MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR_V1) + #define MIDR_QCOM_FALKOR MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_FALKOR) + #define MIDR_QCOM_KRYO MIDR_CPU_MODEL(ARM_CPU_IMP_QCOM, QCOM_CPU_PART_KRYO) ++#define MIDR_NVIDIA_DENVER MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_DENVER) ++#define MIDR_NVIDIA_CARMEL MIDR_CPU_MODEL(ARM_CPU_IMP_NVIDIA, NVIDIA_CPU_PART_CARMEL) + + #ifndef __ASSEMBLY__ + 
diff --git a/queue-4.14/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch b/queue-4.14/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch new file mode 100644 index 00000000000..fd9dafa1f5d --- /dev/null +++ b/queue-4.14/arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch @@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Mark Rutland +Date: Wed, 25 Apr 2018 17:13:40 +0100 +Subject: arm64: fix possible spectre-v1 in ptrace_hbp_get_event() + +From: Mark Rutland + +[ Upstream commit 19791a7ca674fb3009bb068260e852a2f05b605c ] + +It's possible for userspace to control idx. Sanitize idx when using it +as an array index. + +Found by smatch. + +Signed-off-by: Mark Rutland +Cc: Catalin Marinas +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -247,15 +248,20 @@ static struct perf_event *ptrace_hbp_get + + switch (note_type) { + case NT_ARM_HW_BREAK: +- if (idx < ARM_MAX_BRP) +- bp = tsk->thread.debug.hbp_break[idx]; ++ if (idx >= ARM_MAX_BRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_BRP); ++ bp = tsk->thread.debug.hbp_break[idx]; + break; + case NT_ARM_HW_WATCH: +- if (idx < ARM_MAX_WRP) +- bp = tsk->thread.debug.hbp_watch[idx]; ++ if (idx >= ARM_MAX_WRP) ++ goto out; ++ idx = array_index_nospec(idx, ARM_MAX_WRP); ++ bp = tsk->thread.debug.hbp_watch[idx]; + break; + } + ++out: + return bp; + } + diff --git a/queue-4.14/arm64-ptrace-remove-addr_limit-manipulation.patch b/queue-4.14/arm64-ptrace-remove-addr_limit-manipulation.patch new file mode 100644 index 00000000000..88e88486e66 --- /dev/null +++ b/queue-4.14/arm64-ptrace-remove-addr_limit-manipulation.patch 
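Review bot: The two `array_index_nospec()` clamps added to `ptrace_hbp_get_event()` sit directly after an explicit bounds check and carry no comment, so they read as redundant and risk being simplified away later. I would add `/* clamp idx under speculation; the bounds check above can be mispredicted */` above each one. The comment could also note that the clamp bound must stay identical to the bound in the preceding check (`ARM_MAX_BRP`, `ARM_MAX_WRP`). The new `goto out` paths return `bp` as initialised before the `switch`, which is outside the hunk, so it should be confirmed that an out-of-range `idx` still yields the same value as the old `if (idx < ...)` form.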
@@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Mark Rutland +Date: Tue, 24 Apr 2018 13:11:22 +0100 +Subject: arm64: ptrace: remove addr_limit manipulation + +From: Mark Rutland + +[ Upstream commit 59275a0c037ed6fabd6354730f1e3104264ab719 ] + +We transiently switch to KERNEL_DS in compat_ptrace_gethbpregs() and +compat_ptrace_sethbpregs(), but in either case this is pointless as we +don't perform any uaccess during this window. + +let's rip out the redundant addr_limit manipulation. + +Acked-by: Catalin Marinas +Signed-off-by: Mark Rutland +Cc: Will Deacon +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/kernel/ptrace.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/arch/arm64/kernel/ptrace.c ++++ b/arch/arm64/kernel/ptrace.c +@@ -1194,9 +1194,7 @@ static int compat_ptrace_gethbpregs(stru + { + int ret; + u32 kdata; +- mm_segment_t old_fs = get_fs(); + +- set_fs(KERNEL_DS); + /* Watchpoint */ + if (num < 0) { + ret = compat_ptrace_hbp_get(NT_ARM_HW_WATCH, tsk, num, &kdata); +@@ -1207,7 +1205,6 @@ static int compat_ptrace_gethbpregs(stru + } else { + ret = compat_ptrace_hbp_get(NT_ARM_HW_BREAK, tsk, num, &kdata); + } +- set_fs(old_fs); + + if (!ret) + ret = put_user(kdata, data); +@@ -1220,7 +1217,6 @@ static int compat_ptrace_sethbpregs(stru + { + int ret; + u32 kdata = 0; +- mm_segment_t old_fs = get_fs(); + + if (num == 0) + return 0; +@@ -1229,12 +1225,10 @@ static int compat_ptrace_sethbpregs(stru + if (ret) + return ret; + +- set_fs(KERNEL_DS); + if (num < 0) + ret = compat_ptrace_hbp_set(NT_ARM_HW_WATCH, tsk, num, &kdata); + else + ret = compat_ptrace_hbp_set(NT_ARM_HW_BREAK, tsk, num, &kdata); +- set_fs(old_fs); + + return ret; + } diff --git a/queue-4.14/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch b/queue-4.14/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch new file mode 100644 index 00000000000..1041a048553 --- /dev/null 
+++ b/queue-4.14/arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch @@ -0,0 +1,34 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Bhadram Varka +Date: Wed, 2 May 2018 20:44:40 +0530 +Subject: arm64: tegra: Make BCM89610 PHY interrupt as active low + +From: Bhadram Varka + +[ Upstream commit 9df50ba76ac1485b844beffa1f3f5d9659d9cdaf ] + +Need to configure PHY interrupt as active low for P3310 Tegra186 +platform otherwise it results in spurious interrupts. + +This issue wasn't seen before because the generic PHY driver without +interrupt support was used. + +Signed-off-by: Bhadram Varka +Signed-off-by: Thierry Reding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi ++++ b/arch/arm64/boot/dts/nvidia/tegra186-p3310.dtsi +@@ -46,7 +46,7 @@ + compatible = "ethernet-phy-ieee802.3-c22"; + reg = <0x0>; + interrupt-parent = <&gpio>; +- interrupts = ; ++ interrupts = ; + }; + }; + }; diff --git a/queue-4.14/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch b/queue-4.14/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch new file mode 100644 index 00000000000..ceeb0dd0cd5 --- /dev/null +++ b/queue-4.14/asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch 
@@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Srinivas Kandagatla +Date: Wed, 18 Apr 2018 18:46:37 +0100 +Subject: ASoC: msm8916-wcd-analog: use threaded context for mbhc events + +From: Srinivas Kandagatla + +[ Upstream commit a8419a0cd98ddf628a9e38a92110af7cc650dde7 ] + +As snd_soc_jack_report() can sleep, move handling of mbhc events to a +thread context rather than in interrupt context. + +Fixes: de66b3455023 ('ASoC: codecs: msm8916-wcd-analog: add MBHC support') +Reported-by: Bjorn Andersson +Signed-off-by: Srinivas Kandagatla +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/msm8916-wcd-analog.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/msm8916-wcd-analog.c ++++ b/sound/soc/codecs/msm8916-wcd-analog.c +@@ -1184,7 +1184,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, pm8916_mbhc_switch_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ pm8916_mbhc_switch_irq_handler, + IRQF_TRIGGER_RISING | IRQF_TRIGGER_FALLING | + IRQF_ONESHOT, + "mbhc switch irq", priv); +@@ -1198,7 +1199,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, mbhc_btn_press_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ mbhc_btn_press_irq_handler, + IRQF_TRIGGER_RISING | + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "mbhc btn press irq", priv); +@@ -1211,7 +1213,8 @@ static int pm8916_wcd_analog_spmi_probe( + return irq; + } + +- ret = devm_request_irq(dev, irq, mbhc_btn_release_irq_handler, ++ ret = devm_request_threaded_irq(dev, irq, NULL, ++ mbhc_btn_release_irq_handler, + IRQF_TRIGGER_RISING | + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "mbhc btn release irq", priv); 
diff --git a/queue-4.14/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch b/queue-4.14/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch new file mode 100644 index 00000000000..1e607fa2de4 --- /dev/null +++ b/queue-4.14/asoc-rt5514-add-the-missing-register-in-the-readable-table.patch 
@@ -0,0 +1,45 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: "oder_chiou@realtek.com" +Date: Fri, 30 Mar 2018 15:41:55 +0800 +Subject: ASoC: rt5514: Add the missing register in the readable table + +From: "oder_chiou@realtek.com" + +[ Upstream commit 5ef5ac8de125fe6b4b23293bee026ca7ea1529b9 ] + +The patch adds the missing register in the readable table. + +Signed-off-by: Oder Chiou +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/soc/codecs/rt5514.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/codecs/rt5514.c ++++ b/sound/soc/codecs/rt5514.c +@@ -89,6 +89,7 @@ static const struct reg_default rt5514_r + {RT5514_PLL3_CALIB_CTRL5, 0x40220012}, + {RT5514_DELAY_BUF_CTRL1, 0x7fff006a}, + {RT5514_DELAY_BUF_CTRL3, 0x00000000}, ++ {RT5514_ASRC_IN_CTRL1, 0x00000003}, + {RT5514_DOWNFILTER0_CTRL1, 0x00020c2f}, + {RT5514_DOWNFILTER0_CTRL2, 0x00020c2f}, + {RT5514_DOWNFILTER0_CTRL3, 0x10000362}, +@@ -181,6 +182,7 @@ static bool rt5514_readable_register(str + case RT5514_PLL3_CALIB_CTRL5: + case RT5514_DELAY_BUF_CTRL1: + case RT5514_DELAY_BUF_CTRL3: ++ case RT5514_ASRC_IN_CTRL1: + case RT5514_DOWNFILTER0_CTRL1: + case RT5514_DOWNFILTER0_CTRL2: + case RT5514_DOWNFILTER0_CTRL3: +@@ -238,6 +240,7 @@ static bool rt5514_i2c_readable_register + case RT5514_DSP_MAPPING | RT5514_PLL3_CALIB_CTRL5: + case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DELAY_BUF_CTRL3: ++ case RT5514_DSP_MAPPING | RT5514_ASRC_IN_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL1: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL2: + case RT5514_DSP_MAPPING | RT5514_DOWNFILTER0_CTRL3: diff --git a/queue-4.14/asoc-topology-check-widget-kcontrols-before-deref.patch b/queue-4.14/asoc-topology-check-widget-kcontrols-before-deref.patch new file mode 100644 index 00000000000..79635062da9 --- /dev/null +++ b/queue-4.14/asoc-topology-check-widget-kcontrols-before-deref.patch 
@@ -0,0 +1,39 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Liam Girdwood
+Date: Tue, 27 Mar 2018 14:30:44 +0100
+Subject: ASoC: topology: Check widget kcontrols before deref.
+
+From: Liam Girdwood
+
+[ Upstream commit 05bdcf12905533b8628627b6634608cd3b57c607 ]
+
+Validate the topology input before we dereference the pointer.
+
+Signed-off-by: Liam Girdwood
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-topology.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -510,7 +510,7 @@ static void remove_widget(struct snd_soc
+ */
+ if (dobj->widget.kcontrol_type == SND_SOC_TPLG_TYPE_ENUM) {
+ /* enumerated widget mixer */
+- for (i = 0; i < w->num_kcontrols; i++) {
++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) {
+ struct snd_kcontrol *kcontrol = w->kcontrols[i];
+ struct soc_enum *se =
+ (struct soc_enum *)kcontrol->private_value;
+@@ -528,7 +528,7 @@ static void remove_widget(struct snd_soc
+ kfree(w->kcontrol_news);
+ } else {
+ /* volume mixer or bytes controls */
+- for (i = 0; i < w->num_kcontrols; i++) {
++ for (i = 0; w->kcontrols != NULL && i < w->num_kcontrols; i++) {
+ struct snd_kcontrol *kcontrol = w->kcontrols[i];
+
+ if (dobj->widget.kcontrol_type
diff --git a/queue-4.14/asoc-topology-fix-bugs-of-freeing-soc-topology.patch b/queue-4.14/asoc-topology-fix-bugs-of-freeing-soc-topology.patch
new file mode 100644
index 00000000000..93b4f6dc1a9
--- /dev/null
+++ b/queue-4.14/asoc-topology-fix-bugs-of-freeing-soc-topology.patch
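Review bot: The added `w->kcontrols != NULL` test in both loops of remove_widget() guards only the array pointer; each element is still dereferenced unchecked (`kcontrol->private_value` in the enum loop), so a widget whose array was allocated but only partly populated from a malformed topology would still fault, if that state is reachable. Consider skipping empty slots with `if (!kcontrol) continue;` at the top of each loop body. Because the pointer test is loop-invariant, it would also read more clearly as a guard before the loop than as part of the `for` condition. remove_widget() starts and ends outside these hunks, so the allocation side could not be checked here.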
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Yan Wang
+Date: Mon, 26 Mar 2018 16:48:00 +0100
+Subject: ASoC: topology: Fix bugs of freeing soc topology
+
+From: Yan Wang
+
+[ Upstream commit feb12f0cd8d7b1e8df2e6fce19fc9a026a468cc2 ]
+
+In snd_soc_tplg_component_remove(), it should compare index and
+not dobj->index with SND_SOC_TPLG_INDEX_ALL for removing all
+topology objects.
+
+Signed-off-by: Yan Wang
+Signed-off-by: Liam Girdwood
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/soc/soc-topology.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/soc/soc-topology.c
++++ b/sound/soc/soc-topology.c
+@@ -2571,7 +2571,7 @@ int snd_soc_tplg_component_remove(struct
+
+ /* match index */
+ if (dobj->index != index &&
+- dobj->index != SND_SOC_TPLG_INDEX_ALL)
++ index != SND_SOC_TPLG_INDEX_ALL)
+ continue;
+
+ switch (dobj->type) {
diff --git a/queue-4.14/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch b/queue-4.14/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch
new file mode 100644
index 00000000000..4cab1b6c7f5
--- /dev/null
+++ b/queue-4.14/ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch
@@ -0,0 +1,113 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Evan Wang +Date: Fri, 13 Apr 2018 12:32:31 +0800 +Subject: ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI + +From: Evan Wang + +[ Upstream commit daa2e3bdbb0b3e691cf20a042350817310cb8cb5 ] + +There is an issue(Errata Ref#226) that the SATA can not be +detected via SATA Port-MultiPlayer(PMP) with following +error log: + ata1.15: PMP product ID mismatch + ata1.15: SATA link up 6.0 Gbps (SStatus 133 SControl 300) + ata1.15: Port Multiplier vendor mismatch '0x1b4b'!='0x0' + ata1.15: PMP revalidation failed (errno=-19) + +After debugging, the reason is found that the value Port-x +FIS-based Switching Control(PxFBS@0x40) become wrong. +According to design, the bits[11:8, 0] of register PxFBS +are cleared when Port Command and Status (0x18) bit[0] +changes its value from 1 to 0, i.e. falling edge of Port +Command and Status bit[0] sends PULSE that resets PxFBS +bits[11:8; 0]. +So it needs a mvebu SATA WA to save the port PxFBS register +before PxCMD ST write and restore it afterwards. + +This patch implements the WA in a separate function of +ahci_mvebu_stop_engine to override ahci_stop_gngine. + +Signed-off-by: Evan Wang +Cc: Ofer Heifetz +Cc: Tejun Heo +Cc: Thomas Petazzoni +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci_mvebu.c | 56 +++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +--- a/drivers/ata/ahci_mvebu.c ++++ b/drivers/ata/ahci_mvebu.c +@@ -62,6 +62,60 @@ static void ahci_mvebu_regret_option(str + writel(0x80, hpriv->mmio + AHCI_VENDOR_SPECIFIC_0_DATA); + } + ++/** ++ * ahci_mvebu_stop_engine ++ * ++ * @ap: Target ata port ++ * ++ * Errata Ref#226 - SATA Disk HOT swap issue when connected through ++ * Port Multiplier in FIS-based Switching mode. 
++ * ++ * To avoid the issue, according to design, the bits[11:8, 0] of ++ * register PxFBS are cleared when Port Command and Status (0x18) bit[0] ++ * changes its value from 1 to 0, i.e. falling edge of Port ++ * Command and Status bit[0] sends PULSE that resets PxFBS ++ * bits[11:8; 0]. ++ * ++ * This function is used to override function of "ahci_stop_engine" ++ * from libahci.c by adding the mvebu work around(WA) to save PxFBS ++ * value before the PxCMD ST write of 0, then restore PxFBS value. ++ * ++ * Return: 0 on success; Error code otherwise. ++ */ ++int ahci_mvebu_stop_engine(struct ata_port *ap) ++{ ++ void __iomem *port_mmio = ahci_port_base(ap); ++ u32 tmp, port_fbs; ++ ++ tmp = readl(port_mmio + PORT_CMD); ++ ++ /* check if the HBA is idle */ ++ if ((tmp & (PORT_CMD_START | PORT_CMD_LIST_ON)) == 0) ++ return 0; ++ ++ /* save the port PxFBS register for later restore */ ++ port_fbs = readl(port_mmio + PORT_FBS); ++ ++ /* setting HBA to idle */ ++ tmp &= ~PORT_CMD_START; ++ writel(tmp, port_mmio + PORT_CMD); ++ ++ /* ++ * bit #15 PxCMD signal doesn't clear PxFBS, ++ * restore the PxFBS register right after clearing the PxCMD ST, ++ * no need to wait for the PxCMD bit #15. ++ */ ++ writel(port_fbs, port_mmio + PORT_FBS); ++ ++ /* wait for engine to stop. This could be as long as 500 msec */ ++ tmp = ata_wait_register(ap, port_mmio + PORT_CMD, ++ PORT_CMD_LIST_ON, PORT_CMD_LIST_ON, 1, 500); ++ if (tmp & PORT_CMD_LIST_ON) ++ return -EIO; ++ ++ return 0; ++} ++ + #ifdef CONFIG_PM_SLEEP + static int ahci_mvebu_suspend(struct platform_device *pdev, pm_message_t state) + { +@@ -112,6 +166,8 @@ static int ahci_mvebu_probe(struct platf + if (rc) + return rc; + ++ hpriv->stop_engine = ahci_mvebu_stop_engine; ++ + if (of_device_is_compatible(pdev->dev.of_node, + "marvell,armada-380-ahci")) { + dram = mv_mbus_dram_info(); 
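Review bot: `ahci_mvebu_stop_engine()` is defined with external linkage, yet the only use visible in this patch is the assignment `hpriv->stop_engine = ahci_mvebu_stop_engine;` in ahci_mvebu_probe(), and no prototype is added. Unless another file calls it, declare it `static int ahci_mvebu_stop_engine(struct ata_port *ap)` to keep the symbol out of the global namespace and avoid a missing-prototype warning. The assignment also relies on a `stop_engine` member of the host private data that this patch does not add, so it is worth confirming that the 4.14 tree already carries that hook before this one is applied.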
diff --git a/queue-4.14/blk-mq-fix-sysfs-inflight-counter.patch b/queue-4.14/blk-mq-fix-sysfs-inflight-counter.patch new file mode 100644 index 00000000000..05633103c8c --- /dev/null +++ b/queue-4.14/blk-mq-fix-sysfs-inflight-counter.patch 
@@ -0,0 +1,122 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Omar Sandoval +Date: Thu, 26 Apr 2018 00:21:59 -0700 +Subject: blk-mq: fix sysfs inflight counter + +From: Omar Sandoval + +[ Upstream commit bf0ddaba65ddbb2715af97041da8e7a45b2d8628 ] + +When the blk-mq inflight implementation was added, /proc/diskstats was +converted to use it, but /sys/block/$dev/inflight was not. Fix it by +adding another helper to count in-flight requests by data direction. + +Fixes: f299b7c7a9de ("blk-mq: provide internal in-flight variant") +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-mq.c | 19 +++++++++++++++++++ + block/blk-mq.h | 4 +++- + block/genhd.c | 12 ++++++++++++ + block/partition-generic.c | 10 ++++++---- + include/linux/genhd.h | 4 +++- + 5 files changed, 43 insertions(+), 6 deletions(-) + +--- a/block/blk-mq.c ++++ b/block/blk-mq.c +@@ -118,6 +118,25 @@ void blk_mq_in_flight(struct request_que + blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight, &mi); + } + ++static void blk_mq_check_inflight_rw(struct blk_mq_hw_ctx *hctx, ++ struct request *rq, void *priv, ++ bool reserved) ++{ ++ struct mq_inflight *mi = priv; ++ ++ if (rq->part == mi->part) ++ mi->inflight[rq_data_dir(rq)]++; ++} ++ ++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]) ++{ ++ struct mq_inflight mi = { .part = part, .inflight = inflight, }; ++ ++ inflight[0] = inflight[1] = 0; ++ blk_mq_queue_tag_busy_iter(q, blk_mq_check_inflight_rw, &mi); ++} ++ + void blk_freeze_queue_start(struct request_queue *q) + { + int freeze_depth; +--- a/block/blk-mq.h ++++ b/block/blk-mq.h +@@ -136,6 +136,8 @@ static inline bool blk_mq_hw_queue_mappe + } + + void blk_mq_in_flight(struct request_queue *q, struct hd_struct *part, +- unsigned int inflight[2]); ++ unsigned int inflight[2]); ++void blk_mq_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ 
unsigned int inflight[2]); + + #endif +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -82,6 +82,18 @@ void part_in_flight(struct request_queue + } + } + ++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]) ++{ ++ if (q->mq_ops) { ++ blk_mq_in_flight_rw(q, part, inflight); ++ return; ++ } ++ ++ inflight[0] = atomic_read(&part->in_flight[0]); ++ inflight[1] = atomic_read(&part->in_flight[1]); ++} ++ + struct hd_struct *__disk_get_part(struct gendisk *disk, int partno) + { + struct disk_part_tbl *ptbl = rcu_dereference(disk->part_tbl); +--- a/block/partition-generic.c ++++ b/block/partition-generic.c +@@ -145,13 +145,15 @@ ssize_t part_stat_show(struct device *de + jiffies_to_msecs(part_stat_read(p, time_in_queue))); + } + +-ssize_t part_inflight_show(struct device *dev, +- struct device_attribute *attr, char *buf) ++ssize_t part_inflight_show(struct device *dev, struct device_attribute *attr, ++ char *buf) + { + struct hd_struct *p = dev_to_part(dev); ++ struct request_queue *q = part_to_disk(p)->queue; ++ unsigned int inflight[2]; + +- return sprintf(buf, "%8u %8u\n", atomic_read(&p->in_flight[0]), +- atomic_read(&p->in_flight[1])); ++ part_in_flight_rw(q, p, inflight); ++ return sprintf(buf, "%8u %8u\n", inflight[0], inflight[1]); + } + + #ifdef CONFIG_FAIL_MAKE_REQUEST +--- a/include/linux/genhd.h ++++ b/include/linux/genhd.h +@@ -365,7 +365,9 @@ static inline void free_part_stats(struc + part_stat_add(cpu, gendiskp, field, -subnd) + + void part_in_flight(struct request_queue *q, struct hd_struct *part, +- unsigned int inflight[2]); ++ unsigned int inflight[2]); ++void part_in_flight_rw(struct request_queue *q, struct hd_struct *part, ++ unsigned int inflight[2]); + void part_dec_in_flight(struct request_queue *q, struct hd_struct *part, + int rw); + void part_inc_in_flight(struct request_queue *q, struct hd_struct *part, 
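Review bot: `blk_mq_check_inflight_rw()` counts every request the tag iterator hands it whose `rq->part` matches, with no test of the request's state. The existing `blk_mq_check_inflight()` callback is not shown in the hunk; if in this tree it counts only started, not-yet-completed requests, the new callback should apply the same filter, otherwise /sys/block/$dev/inflight and /proc/diskstats can disagree. A short comment on `blk_mq_in_flight_rw()` saying that the array is indexed by `rq_data_dir()` (`inflight[0]` reads, `inflight[1]` writes) would also help callers.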
diff --git a/queue-4.14/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch b/queue-4.14/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch new file mode 100644 index 00000000000..e518688369b --- /dev/null +++ b/queue-4.14/blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch @@ -0,0 +1,48 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Jiang Biao +Date: Wed, 18 Apr 2018 08:37:18 -0600 +Subject: blkcg: don't hold blkcg lock when deactivating policy + +From: Jiang Biao + +[ Upstream commit 946b81da114b8ba5c74bb01e57c0c6eca2bdc801 ] + +As described in the comment of blkcg_activate_policy(), +*Update of each blkg is protected by both queue and blkcg locks so +that holding either lock and testing blkcg_policy_enabled() is +always enough for dereferencing policy data.* +with queue lock held, there is no need to hold blkcg lock in +blkcg_deactivate_policy(). Similar case is in +blkcg_activate_policy(), which has removed holding of blkcg lock in +commit 4c55f4f9ad3001ac1fefdd8d8ca7641d18558e23. + +Signed-off-by: Jiang Biao +Signed-off-by: Wen Yang +CC: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1374,17 +1374,12 @@ void blkcg_deactivate_policy(struct requ + __clear_bit(pol->plid, q->blkcg_pols); + + list_for_each_entry(blkg, &q->blkg_list, q_node) { +- /* grab blkcg lock too while removing @pd from @blkg */ +- spin_lock(&blkg->blkcg->lock); +- + if (blkg->pd[pol->plid]) { + if (pol->pd_offline_fn) + pol->pd_offline_fn(blkg->pd[pol->plid]); + pol->pd_free_fn(blkg->pd[pol->plid]); + blkg->pd[pol->plid] = NULL; + } +- +- spin_unlock(&blkg->blkcg->lock); + } + + spin_unlock_irq(q->queue_lock); diff --git a/queue-4.14/blkcg-init-root-blkcg_gq-under-lock.patch b/queue-4.14/blkcg-init-root-blkcg_gq-under-lock.patch new file mode 100644 index 00000000000..85d3e94b363 
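Review bot: With the `spin_lock(&blkg->blkcg->lock)` pair gone, the loop in blkcg_deactivate_policy() frees `blkg->pd[pol->plid]` under `q->queue_lock` alone, and the comment that explained the locking was removed with it. Any path that holds only the blkcg lock and reads `blkg->pd[]` without first testing `blkcg_policy_enabled()` would now race with `pd_free_fn()` and could touch freed policy data; whether such a reader exists cannot be judged from this hunk. I would replace the deleted comment with one stating the invariant, e.g. `/* queue_lock held; blkcg->lock holders must test blkcg_policy_enabled() before using pd */`. The function starts outside the hunk.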
--- /dev/null +++ b/queue-4.14/blkcg-init-root-blkcg_gq-under-lock.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Jiang Biao +Date: Thu, 19 Apr 2018 12:06:09 +0800 +Subject: blkcg: init root blkcg_gq under lock + +From: Jiang Biao + +[ Upstream commit 901932a3f9b2b80352896be946c6d577c0a9652c ] + +The initializing of q->root_blkg is currently outside of queue lock +and rcu, so the blkg may be destroied before the initializing, which +may cause dangling/null references. On the other side, the destroys +of blkg are protected by queue lock or rcu. Put the initializing +inside the queue lock and rcu to make it safer. + +Signed-off-by: Jiang Biao +Signed-off-by: Wen Yang +CC: Tejun Heo +CC: Jens Axboe +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-cgroup.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -1149,18 +1149,16 @@ int blkcg_init_queue(struct request_queu + rcu_read_lock(); + spin_lock_irq(q->queue_lock); + blkg = blkg_create(&blkcg_root, q, new_blkg); ++ if (IS_ERR(blkg)) ++ goto err_unlock; ++ q->root_blkg = blkg; ++ q->root_rl.blkg = blkg; + spin_unlock_irq(q->queue_lock); + rcu_read_unlock(); + + if (preloaded) + radix_tree_preload_end(); + +- if (IS_ERR(blkg)) +- return PTR_ERR(blkg); +- +- q->root_blkg = blkg; +- q->root_rl.blkg = blkg; +- + ret = blk_throtl_init(q); + if (ret) { + spin_lock_irq(q->queue_lock); +@@ -1168,6 +1166,13 @@ int blkcg_init_queue(struct request_queu + spin_unlock_irq(q->queue_lock); + } + return ret; ++ ++err_unlock: ++ spin_unlock_irq(q->queue_lock); ++ rcu_read_unlock(); ++ if (preloaded) ++ radix_tree_preload_end(); ++ return PTR_ERR(blkg); + } + + /** diff --git a/queue-4.14/bpf-fix-uninitialized-variable-in-bpf-tools.patch b/queue-4.14/bpf-fix-uninitialized-variable-in-bpf-tools.patch new file mode 100644 index 00000000000..437852205a7 --- /dev/null 
+++ b/queue-4.14/bpf-fix-uninitialized-variable-in-bpf-tools.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: John Fastabend
+Date: Wed, 25 Apr 2018 15:08:53 -0700
+Subject: bpf: fix uninitialized variable in bpf tools
+
+From: John Fastabend
+
+[ Upstream commit 815425567dea6c54494e85050631d6bdda907c5d ]
+
+Here the variable cont is used as the saved_pointer for a call to
+strtok_r(). It is safe to use the value uninitialized in this
+context however and the later reference is only ever used if
+the strtok_r is successful. But, 'gcc-5' at least doesn't have all
+this knowledge so initialize cont to NULL. Additionally, do the
+natural NULL check before accessing just for completness.
+
+The warning is the following:
+
+./bpf/tools/bpf/bpf_dbg.c: In function ‘cmd_load’:
+./bpf/tools/bpf/bpf_dbg.c:1077:13: warning: ‘cont’ may be used uninitialized in this function [-Wmaybe-uninitialized]
+ } else if (matches(subcmd, "pcap") == 0) {
+
+Fixes: fd981e3c321a "filter: bpf_dbg: add minimal bpf debugger"
+Signed-off-by: John Fastabend
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/net/bpf_dbg.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/net/bpf_dbg.c
++++ b/tools/net/bpf_dbg.c
+@@ -1063,7 +1063,7 @@ static int cmd_load_pcap(char *file)
+
+ static int cmd_load(char *arg)
+ {
+- char *subcmd, *cont, *tmp = strdup(arg);
++ char *subcmd, *cont = NULL, *tmp = strdup(arg);
+ int ret = CMD_OK;
+
+ subcmd = strtok_r(tmp, " ", &cont);
+@@ -1073,7 +1073,10 @@ static int cmd_load(char *arg)
+ bpf_reset();
+ bpf_reset_breakpoints();
+
+- ret = cmd_load_bpf(cont);
++ if (!cont)
++ ret = CMD_ERR;
++ else
++ ret = cmd_load_bpf(cont);
+ } else if (matches(subcmd, "pcap") == 0) {
+ ret = cmd_load_pcap(cont);
+ } else {
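Review bot: The `pcap` branch of cmd_load() still passes `cont` straight to `cmd_load_pcap(cont)`, while the `bpf` branch now returns `CMD_ERR` when `cont` is NULL, so the two branches treat the same pointer inconsistently. Give the second branch the same guard, e.g. `ret = cont ? cmd_load_pcap(cont) : CMD_ERR;`. On the changed declaration line the result of `strdup(arg)` is also used unchecked by `strtok_r(tmp, " ", &cont)`; an `if (!tmp) return CMD_ERR;` before that call would cover the allocation failure. cmd_load() continues past the end of the hunk.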
diff --git a/queue-4.14/bpf-x64-fix-memleak-when-not-converging-after-image.patch b/queue-4.14/bpf-x64-fix-memleak-when-not-converging-after-image.patch new file mode 100644 index 00000000000..8fbb6e7b6b9 --- /dev/null +++ b/queue-4.14/bpf-x64-fix-memleak-when-not-converging-after-image.patch 
@@ -0,0 +1,48 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Daniel Borkmann
+Date: Wed, 2 May 2018 20:12:22 +0200
+Subject: bpf, x64: fix memleak when not converging after image
+
+From: Daniel Borkmann
+
+[ Upstream commit 3aab8884c9eb99189a3569ac4e6b205371c9ac0b ]
+
+While reviewing x64 JIT code, I noticed that we leak the prior allocated
+JIT image in the case where proglen != oldproglen during the JIT passes.
+Prior to the commit e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT
+compiler") we would just break out of the loop, and using the image as the
+JITed prog since it could only shrink in size anyway. After e0ee9c12157d,
+we would bail out to out_addrs label where we free addrs and jit_data but
+not the image coming from bpf_jit_binary_alloc().
+
+Fixes: e0ee9c12157d ("x86: bpf_jit: fix two bugs in eBPF JIT compiler")
+Signed-off-by: Daniel Borkmann
+Acked-by: Alexei Starovoitov
+Acked-by: David S. Miller
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/net/bpf_jit_comp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1159,6 +1159,7 @@ struct bpf_prog *bpf_int_jit_compile(str
+ for (pass = 0; pass < 20 || image; pass++) {
+ proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
+ if (proglen <= 0) {
++out_image:
+ image = NULL;
+ if (header)
+ bpf_jit_binary_free(header);
+@@ -1169,8 +1170,7 @@ struct bpf_prog *bpf_int_jit_compile(str
+ if (proglen != oldproglen) {
+ pr_err("bpf_jit: proglen=%d != oldproglen=%d\n",
+ proglen, oldproglen);
+- prog = orig_prog;
+- goto out_addrs;
++ goto out_image;
+ }
+ break;
+ }
diff --git a/queue-4.14/can-dev-increase-bus-off-message-severity.patch b/queue-4.14/can-dev-increase-bus-off-message-severity.patch
new file mode 100644
index 00000000000..548fb0a5449
--- /dev/null
+++ b/queue-4.14/can-dev-increase-bus-off-message-severity.patch
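Review bot: `goto out_image` jumps backwards into the body of `if (proglen <= 0)`, and the second hunk deletes `prog = orig_prog;` on the assumption that the target block does it. The remainder of that block is outside the hunk, so please confirm it still sets `prog = orig_prog` before reaching `out_addrs`; otherwise the caller could be handed a program whose JIT image was just released by `bpf_jit_binary_free(header)`. A one-line comment at the label, such as `/* also entered when a pass after image allocation fails to converge */`, would make the non-obvious entry into the conditional block easier to follow.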
@@ -0,0 +1,45 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jakob Unterwurzacher
+Date: Wed, 18 Apr 2018 16:10:03 +0200
+Subject: can: dev: increase bus-off message severity
+
+From: Jakob Unterwurzacher
+
+[ Upstream commit 71c23a821c6bcacba71a094efe49ee689605906b ]
+
+bus-off is usually caused by hardware malfunction or configuration error
+(baud rate mismatch) and causes a complete loss of communication.
+
+Increase the "bus-off" message's severity from netdev_dbg() to
+netdev_info() to make it visible to the user.
+
+A can interface going into bus-off is similar in severity to ethernet's
+"Link is Down" message, which is also printed at info level.
+
+It is debatable whether the the "restarted" message should also be
+changed to netdev_info() to make the interface state changes
+comprehensible from the kernel log. I have chosen to keep the
+"restarted" message at dbg for now as the "bus-off" message should be
+enough for the user to notice and investigate the problem.
+
+Signed-off-by: Jakob Unterwurzacher
+Cc: linux-can@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/can/dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/dev.c
++++ b/drivers/net/can/dev.c
+@@ -604,7 +604,7 @@ void can_bus_off(struct net_device *dev)
+ {
+ struct can_priv *priv = netdev_priv(dev);
+
+- netdev_dbg(dev, "bus-off\n");
++ netdev_info(dev, "bus-off\n");
+
+ netif_carrier_off(dev);
+
diff --git a/queue-4.14/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch b/queue-4.14/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch
new file mode 100644
index 00000000000..1291fb728fc
--- /dev/null
+++ b/queue-4.14/cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch
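Review bot: At info level the `"bus-off\n"` message in can_bus_off() is printed on every bus-off event with no rate limit. If the interface is configured to restart automatically, a persistent fault such as the baud-rate mismatch named in the description, or a misbehaving node on the bus, could repeat the event and fill the kernel log; whether that happens depends on code outside this hunk. Consider guarding the call, e.g. `if (net_ratelimit()) netdev_info(dev, "bus-off\n");`.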
@@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Paulo Alcantara +Date: Fri, 4 May 2018 11:25:26 -0300 +Subject: cifs: smb2ops: Fix listxattr() when there are no EAs + +From: Paulo Alcantara + +[ Upstream commit ae2cd7fb478b8da707906ee1706ae1379968a8f9 ] + +As per listxattr(2): + + On success, a nonnegative number is returned indicating the size + of the extended attribute name list. On failure, -1 is returned + and errno is set appropriately. + +In SMB1, when the server returns an empty EA list through a listxattr(), +it will correctly return 0 as there are no EAs for the given file. + +However, in SMB2+, it returns -ENODATA in listxattr() which is wrong since +the request and response were sent successfully, although there's no actual +EA for the given file. + +This patch fixes listxattr() for SMB2+ by returning 0 in cifs_listxattr() +when the server returns an empty list of EAs. + +Signed-off-by: Paulo Alcantara +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -570,9 +570,15 @@ smb2_query_eas(const unsigned int xid, s + + SMB2_close(xid, tcon, fid.persistent_fid, fid.volatile_fid); + ++ /* ++ * If ea_name is NULL (listxattr) and there are no EAs, return 0 as it's ++ * not an error. Otherwise, the specified ea_name was not found. ++ */ + if (!rc) + rc = move_smb2_ea_to_cifs(ea_data, buf_size, smb2_data, + SMB2_MAX_EA_BUF, ea_name); ++ else if (!ea_name && rc == -ENODATA) ++ rc = 0; + + kfree(smb2_data); + return rc; diff --git a/queue-4.14/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch b/queue-4.14/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch new file mode 100644 index 00000000000..0275d27daab --- /dev/null +++ b/queue-4.14/clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch 
@@ -0,0 +1,85 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Jerome Brunet +Date: Mon, 9 Apr 2018 15:59:20 +0200 +Subject: clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux + +From: Jerome Brunet + +[ Upstream commit 4ad69b80e886a845f56ce0a3d10211208693d92b ] + +CLK_MUX_ROUND_CLOSEST is part of the clk_mux documentation but clk_mux +directly calls __clk_mux_determine_rate(), which overrides the flag. +As result, if clk_mux is instantiated with CLK_MUX_ROUND_CLOSEST, the +flag will be ignored and the clock rounded down. + +To solve this, this patch expose clk_mux_determine_rate_flags() in the +clk-provider API and uses it in the determine_rate() callback of clk_mux. + +Fixes: 15a02c1f6dd7 ("clk: Add __clk_mux_determine_rate_closest") +Signed-off-by: Jerome Brunet +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/clk-mux.c | 10 +++++++++- + drivers/clk/clk.c | 7 ++++--- + include/linux/clk-provider.h | 3 +++ + 3 files changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/clk/clk-mux.c ++++ b/drivers/clk/clk-mux.c +@@ -101,10 +101,18 @@ static int clk_mux_set_parent(struct clk + return 0; + } + ++static int clk_mux_determine_rate(struct clk_hw *hw, ++ struct clk_rate_request *req) ++{ ++ struct clk_mux *mux = to_clk_mux(hw); ++ ++ return clk_mux_determine_rate_flags(hw, req, mux->flags); ++} ++ + const struct clk_ops clk_mux_ops = { + .get_parent = clk_mux_get_parent, + .set_parent = clk_mux_set_parent, +- .determine_rate = __clk_mux_determine_rate, ++ .determine_rate = clk_mux_determine_rate, + }; + EXPORT_SYMBOL_GPL(clk_mux_ops); + +--- a/drivers/clk/clk.c ++++ b/drivers/clk/clk.c +@@ -351,9 +351,9 @@ static bool mux_is_better_rate(unsigned + return now <= rate && now > best; + } + +-static int +-clk_mux_determine_rate_flags(struct clk_hw *hw, struct clk_rate_request *req, +- unsigned long flags) ++int clk_mux_determine_rate_flags(struct clk_hw *hw, ++ struct clk_rate_request *req, ++ 
unsigned long flags) + { + struct clk_core *core = hw->core, *parent, *best_parent = NULL; + int i, num_parents, ret; +@@ -413,6 +413,7 @@ out: + + return 0; + } ++EXPORT_SYMBOL_GPL(clk_mux_determine_rate_flags); + + struct clk *__clk_lookup(const char *name) + { +--- a/include/linux/clk-provider.h ++++ b/include/linux/clk-provider.h +@@ -752,6 +752,9 @@ int __clk_mux_determine_rate(struct clk_ + int __clk_determine_rate(struct clk_hw *core, struct clk_rate_request *req); + int __clk_mux_determine_rate_closest(struct clk_hw *hw, + struct clk_rate_request *req); ++int clk_mux_determine_rate_flags(struct clk_hw *hw, ++ struct clk_rate_request *req, ++ unsigned long flags); + void clk_hw_reparent(struct clk_hw *hw, struct clk_hw *new_parent); + void clk_hw_set_rate_range(struct clk_hw *hw, unsigned long min_rate, + unsigned long max_rate); diff --git a/queue-4.14/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch b/queue-4.14/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch new file mode 100644 index 00000000000..e41ca4596d7 --- /dev/null +++ b/queue-4.14/clk-imx6ull-use-osc-clock-during-axi-rate-change.patch 
@@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Stefan Agner +Date: Wed, 18 Apr 2018 14:49:08 +0200 +Subject: clk: imx6ull: use OSC clock during AXI rate change + +From: Stefan Agner + +[ Upstream commit 2e5be528ab0182ad4b42b9feea3b80f85f37179b ] + +On i.MX6 ULL using PLL3 seems to cause a freeze when setting +the parent to IMX6UL_CLK_PLL3_USB_OTG. This only seems to appear +since commit 6f9575e55632 ("clk: imx: Add CLK_IS_CRITICAL flag +for busy divider and busy mux"), probably because the clock is +now forced to be on. + +Fixes: 6f9575e55632("clk: imx: Add CLK_IS_CRITICAL flag for busy divider and busy mux") +Signed-off-by: Stefan Agner +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/imx/clk-imx6ul.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/clk/imx/clk-imx6ul.c ++++ b/drivers/clk/imx/clk-imx6ul.c +@@ -461,7 +461,7 @@ static void __init imx6ul_clocks_init(st + clk_set_rate(clks[IMX6UL_CLK_AHB], 99000000); + + /* Change periph_pre clock to pll2_bus to adjust AXI rate to 264MHz */ +- clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_PLL3_USB_OTG]); ++ clk_set_parent(clks[IMX6UL_CLK_PERIPH_CLK2_SEL], clks[IMX6UL_CLK_OSC]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_CLK2]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH_PRE], clks[IMX6UL_CLK_PLL2_BUS]); + clk_set_parent(clks[IMX6UL_CLK_PERIPH], clks[IMX6UL_CLK_PERIPH_PRE]); diff --git a/queue-4.14/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch b/queue-4.14/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch new file mode 100644 index 00000000000..87de745ac88 --- /dev/null +++ b/queue-4.14/clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch 
@@ -0,0 +1,54 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Anson Huang
+Date: Wed, 28 Mar 2018 11:22:37 +0800
+Subject: clocksource/drivers/imx-tpm: Correct some registers operation flow
+
+From: Anson Huang
+
+[ Upstream commit 506a7be93ff773d5d4cf75a59f342865605b4910 ]
+
+According to i.MX7ULP reference manual, TPM_SC_CPWMS can ONLY be written when
+counter is disabled, TPM_SC_TOF is write-1-clear, TPM_C0SC_CHF is also
+write-1-clear, correct these registers initialization flow;
+
+Signed-off-by: Anson Huang
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/clocksource/timer-imx-tpm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/clocksource/timer-imx-tpm.c
++++ b/drivers/clocksource/timer-imx-tpm.c
+@@ -20,6 +20,7 @@
+ #define TPM_SC 0x10
+ #define TPM_SC_CMOD_INC_PER_CNT (0x1 << 3)
+ #define TPM_SC_CMOD_DIV_DEFAULT 0x3
++#define TPM_SC_TOF_MASK (0x1 << 7)
+ #define TPM_CNT 0x14
+ #define TPM_MOD 0x18
+ #define TPM_STATUS 0x1c
+@@ -29,6 +30,7 @@
+ #define TPM_C0SC_MODE_SHIFT 2
+ #define TPM_C0SC_MODE_MASK 0x3c
+ #define TPM_C0SC_MODE_SW_COMPARE 0x4
++#define TPM_C0SC_CHF_MASK (0x1 << 7)
+ #define TPM_C0V 0x24
+
+ static void __iomem *timer_base;
+@@ -205,9 +207,13 @@ static int __init tpm_timer_init(struct
+ * 4) Channel0 disabled
+ * 5) DMA transfers disabled
+ */
++ /* make sure counter is disabled */
+ writel(0, timer_base + TPM_SC);
++ /* TOF is W1C */
++ writel(TPM_SC_TOF_MASK, timer_base + TPM_SC);
+ writel(0, timer_base + TPM_CNT);
+- writel(0, timer_base + TPM_C0SC);
++ /* CHF is W1C */
++ writel(TPM_C0SC_CHF_MASK, timer_base + TPM_C0SC);
+
+ /* increase per cnt, div 8 by default */
+ writel(TPM_SC_CMOD_INC_PER_CNT | TPM_SC_CMOD_DIV_DEFAULT,
diff --git a/queue-4.14/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch b/queue-4.14/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch
new file mode 100644
index 00000000000..a6267a2bafe
--- /dev/null
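Review bot: In tpm_timer_init() the new comments `/* TOF is W1C */` and `/* CHF is W1C */` name the flag being cleared but not the side effect of the write: each writel() also stores zeros in every other field of TPM_SC and TPM_C0SC. That is presumably what keeps the counter stopped and channel 0 disabled, as the numbered list just above the writes requires, and it is the reason the old `writel(0, timer_base + TPM_C0SC)` could be dropped. I would say so in the comments, e.g. `/* clear TOF (write-1-to-clear); all other TPM_SC fields are written as 0 */` and the same wording for CHF in TPM_C0SC. The function body continues outside the hunk.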
+++ b/queue-4.14/doc-add-vendor-prefix-for-kieback-peter-gmbh.patch
@@ -0,0 +1,30 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Lukasz Majewski
+Date: Wed, 4 Apr 2018 09:52:04 +0200
+Subject: doc: Add vendor prefix for Kieback & Peter GmbH
+
+From: Lukasz Majewski
+
+[ Upstream commit 99bf8f27f3f94d2a37291354b8dc83f13728f75f ]
+
+The 'kiebackpeter' entry has been added to vendor-prefixes.txt to indicate
+products from Kieback & Peter GmbH.
+
+Signed-off-by: Lukasz Majewski
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/vendor-prefixes.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/vendor-prefixes.txt
++++ b/Documentation/devicetree/bindings/vendor-prefixes.txt
+@@ -172,6 +172,7 @@ karo Ka-Ro electronics GmbH
+ keithkoep Keith & Koep GmbH
+ keymile Keymile GmbH
+ khadas Khadas
++kiebackpeter Kieback & Peter GmbH
+ kinetic Kinetic Technologies
+ kingnovel Kingnovel Technology Co., Ltd.
+ kosagi Sutajio Ko-Usagi PTE Ltd.
diff --git a/queue-4.14/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch b/queue-4.14/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch
new file mode 100644
index 00000000000..85b6477517a
--- /dev/null
+++ b/queue-4.14/driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Mathieu Malaterre
+Date: Sat, 5 May 2018 22:00:37 +0200
+Subject: driver core: add __printf verification to __ata_ehi_pushv_desc
+
+From: Mathieu Malaterre
+
+[ Upstream commit 0d74d872c3f8b9cb3d096fb932a063b43b37f188 ]
+
+__printf is useful to verify format and arguments. Remove the following
+warning (with W=1):
+
+ drivers/ata/libata-eh.c:183:10: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format]
+
+Signed-off-by: Mathieu Malaterre
+Signed-off-by: Tejun Heo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/ata/libata-eh.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -175,8 +175,8 @@ static void ata_eh_handle_port_resume(st
+ { }
+ #endif /* CONFIG_PM */
+
+-static void __ata_ehi_pushv_desc(struct ata_eh_info *ehi, const char *fmt,
+- va_list args)
++static __printf(2, 0) void __ata_ehi_pushv_desc(struct ata_eh_info *ehi,
++ const char *fmt, va_list args)
+ {
+ ehi->desc_len += vscnprintf(ehi->desc + ehi->desc_len,
+ ATA_EH_DESC_LEN - ehi->desc_len,
diff --git a/queue-4.14/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch b/queue-4.14/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch
new file mode 100644
index 00000000000..634e02ad0dc
--- /dev/null
+++ b/queue-4.14/drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch
@@ -0,0 +1,48 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Andres Rodriguez
+Date: Tue, 10 Apr 2018 17:32:33 -0400
+Subject: drm/amdkfd: fix clock counter retrieval for node without GPU
+
+From: Andres Rodriguez
+
+[ Upstream commit 1cf6cc74bbeb85bb87c3ca3f3df97a283c3aa737 ]
+
+Currently if a user requests clock counters for a node without a GPU
+resource we will always return EINVAL.
+
+Instead if no GPU resource is attached, fill the gpu_clock_counter
+argument with zeroes so that we may proceed and return valid CPU
+counters.
+
+Signed-off-by: Andres Rodriguez
+Signed-off-by: Felix Kuehling
+Reviewed-by: Oded Gabbay
+Signed-off-by: Oded Gabbay
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
++++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+@@ -716,12 +716,13 @@ static int kfd_ioctl_get_clock_counters(
+ struct timespec64 time;
+
+ dev = kfd_device_by_id(args->gpu_id);
+- if (dev == NULL)
+- return -EINVAL;
+-
+- /* Reading GPU clock counter from KGD */
+- args->gpu_clock_counter =
+- dev->kfd2kgd->get_gpu_clock_counter(dev->kgd);
++ if (dev)
++ /* Reading GPU clock counter from KGD */
++ args->gpu_clock_counter =
++ dev->kfd2kgd->get_gpu_clock_counter(dev->kgd);
++ else
++ /* Node without GPU resource */
++ args->gpu_clock_counter = 0;
+
+ /* No access to rdtsc. Using raw monotonic time */
+ getrawmonotonic64(&time);
diff --git a/queue-4.14/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch b/queue-4.14/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch
new file mode 100644
index 00000000000..feac4583331
--- /dev/null
+++ b/queue-4.14/drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch
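Review bot: The new `else` branch in kfd_ioctl_get_clock_counters() treats every failed kfd_device_by_id() lookup as "node without GPU resource", so a caller that passes a gpu_id that does not exist now gets success with a zero counter where it used to get -EINVAL. If the lookup cannot tell the two cases apart (its body is not in the hunk), the comment should at least say so, e.g. `/* no GPU for this id (CPU-only node or unknown gpu_id): report 0 */`. Separately, both branches now span several lines with a comment inside and no braces; kernel style wants `if (dev) { ... } else { ... }` here, which also protects the next edit from a dangling-else mistake.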
@@ -0,0 +1,51 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Dan Carpenter
+Date: Wed, 16 May 2018 17:00:26 +0300
+Subject: drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
+
+From: Dan Carpenter
+
+[ Upstream commit 2b6207291b7b277a5df9d1aab44b56815a292dba ]
+
+There is a comment here which says that DIV_ROUND_UP() and that's where
+the problem comes from. Say you pick:
+
+ args->bpp = UINT_MAX - 7;
+ args->width = 4;
+ args->height = 1;
+
+The integer overflow in DIV_ROUND_UP() means "cpp" is UINT_MAX / 8 and
+because of how we picked args->width that means cpp < UINT_MAX / 4.
+
+I've fixed it by preventing the integer overflow in DIV_ROUND_UP(). I
+removed the check for !cpp because it's not possible after this change.
+I also changed all the 0xffffffffU references to U32_MAX.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Daniel Vetter
+Link: https://patchwork.freedesktop.org/patch/msgid/20180516140026.GA19340@mwanda
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/drm_dumb_buffers.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/drm_dumb_buffers.c
++++ b/drivers/gpu/drm/drm_dumb_buffers.c
+@@ -65,12 +65,13 @@ int drm_mode_create_dumb_ioctl(struct dr
+ return -EINVAL;
+
+ /* overflow checks for 32bit size calculations */
+- /* NOTE: DIV_ROUND_UP() can overflow */
++ if (args->bpp > U32_MAX - 8)
++ return -EINVAL;
+ cpp = DIV_ROUND_UP(args->bpp, 8);
+- if (!cpp || cpp > 0xffffffffU / args->width)
++ if (cpp > U32_MAX / args->width)
+ return -EINVAL;
+ stride = cpp * args->width;
+- if (args->height > 0xffffffffU / stride)
++ if (args->height > U32_MAX / stride)
+ return -EINVAL;
+
+ /* test for wrap-around */
diff --git a/queue-4.14/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch b/queue-4.14/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch
new file mode 100644
index 00000000000..cb6a3754dba
--- /dev/null
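Review bot: With the `!cpp` test gone, nothing inside this hunk of drm_mode_create_dumb_ioctl() keeps `stride` from being 0 before `U32_MAX / stride`, and `U32_MAX / args->width` likewise divides by a user-supplied value. The code is only safe if the check that ends in the `return -EINVAL;` at the top of the hunk already rejects zero bpp, width and height; that check starts outside the hunk, so the dependency is invisible at the point where it matters. I would record it next to the arithmetic, e.g. `/* bpp, width and height are non-zero here (checked above), so cpp and stride are >= 1 */`, and replace the dropped NOTE with a line saying why 8 is subtracted: `/* DIV_ROUND_UP(bpp, 8) adds 7 first; reject bpp values that would wrap */`.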
+++ b/queue-4.14/drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch
@@ -0,0 +1,55 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Emil Velikov
+Date: Wed, 28 Mar 2018 17:22:16 +0100
+Subject: drm/msm: don't deref error pointer in the msm_fbdev_create error path
+
+From: Emil Velikov
+
+[ Upstream commit 789d4c300e10eb2096ee83c3497118e67ccc951e ]
+
+Currently the error pointer returned by msm_alloc_stolen_fb gets passed
+to drm_framebuffer_remove. The latter handles only NULL pointers, thus
+a nasty crash will occur.
+
+Drop the unnecessary fail label and the associated checks - both err and
+fb will be set at this stage.
+
+Cc: Rob Clark
+Cc: linux-arm-msm@vger.kernel.org
+Cc: dri-devel@lists.freedesktop.org
+Cc: freedreno@lists.freedesktop.org
+Signed-off-by: Emil Velikov
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/msm_fbdev.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/gpu/drm/msm/msm_fbdev.c
++++ b/drivers/gpu/drm/msm/msm_fbdev.c
+@@ -92,8 +92,7 @@ static int msm_fbdev_create(struct drm_f
+
+ if (IS_ERR(fb)) {
+ dev_err(dev->dev, "failed to allocate fb\n");
+- ret = PTR_ERR(fb);
+- goto fail;
++ return PTR_ERR(fb);
+ }
+
+ bo = msm_framebuffer_bo(fb, 0);
+@@ -151,13 +150,7 @@ static int msm_fbdev_create(struct drm_f
+
+ fail_unlock:
+ mutex_unlock(&dev->struct_mutex);
+-fail:
+-
+- if (ret) {
+- if (fb)
+- drm_framebuffer_remove(fb);
+- }
+-
++ drm_framebuffer_remove(fb);
+ return ret;
+ }
+
diff --git a/queue-4.14/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch b/queue-4.14/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch
new file mode 100644
index 00000000000..0a7f07a7233
--- /dev/null
+++ b/queue-4.14/drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch
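Review bot: After this change the `fail_unlock:` tail of msm_fbdev_create() calls `drm_framebuffer_remove(fb)` unconditionally, so it is correct only if the success path returns before the label and every `goto fail_unlock` happens with a valid `fb` and a non-zero `ret`. The code between the two hunks is not shown, so that cannot be confirmed from here, and the old `if (ret)` guard that used to make a fall-through harmless is gone. A one-line comment on the label would pin the invariant for the next editor: `/* error path only: fb is a valid framebuffer and ret is set */`.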
@@ -0,0 +1,39 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Stefan Agner
+Date: Mon, 19 Mar 2018 22:26:32 +0100
+Subject: drm/msm/dsi: use correct enum in dsi_get_cmd_fmt
+
+From: Stefan Agner
+
+[ Upstream commit a4af89286f8fc382459308764ea05935dc477cdc ]
+
+The function dsi_get_cmd_fmt returns enum dsi_cmd_dst_format,
+use the correct enum value also for MIPI_DSI_FMT_RGB666/_PACKED.
+
+This has been discovered using clang:
+ drivers/gpu/drm/msm/dsi/dsi_host.c:743:35: warning: implicit conversion
+ from enumeration type 'enum dsi_vid_dst_format' to different
+ enumeration type 'enum dsi_cmd_dst_format' [-Wenum-conversion]
+ case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666;
+ ~~~~~~ ^~~~~~~~~~~~~~~~~~~~~
+
+Signed-off-by: Stefan Agner
+Reviewed-by: Archit Taneja
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/dsi/dsi_host.c
++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c
+@@ -740,7 +740,7 @@ static inline enum dsi_cmd_dst_format ds
+ switch (mipi_fmt) {
+ case MIPI_DSI_FMT_RGB888: return CMD_DST_FORMAT_RGB888;
+ case MIPI_DSI_FMT_RGB666_PACKED:
+- case MIPI_DSI_FMT_RGB666: return VID_DST_FORMAT_RGB666;
++ case MIPI_DSI_FMT_RGB666: return CMD_DST_FORMAT_RGB666;
+ case MIPI_DSI_FMT_RGB565: return CMD_DST_FORMAT_RGB565;
+ default: return CMD_DST_FORMAT_RGB888;
+ }
diff --git a/queue-4.14/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch b/queue-4.14/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch
new file mode 100644
index 00000000000..c45ba0277e3
--- /dev/null
+++ b/queue-4.14/drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch
@@ -0,0 +1,62 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Ben Hutchings +Date: Tue, 3 Apr 2018 23:38:45 +0100 +Subject: drm/msm: Fix possible null dereference on failure of get_pages() + +From: Ben Hutchings + +[ Upstream commit 3976626ea3d2011f8fd3f3a47070a8b792018253 ] + +Commit 62e3a3e342af changed get_pages() to initialise +msm_gem_object::pages before trying to initialise msm_gem_object::sgt, +so that put_pages() would properly clean up pages in the failure +case. + +However, this means that put_pages() now needs to check that +msm_gem_object::sgt is not null before trying to clean it up, and +this check was only applied to part of the cleanup code. Move +it all into the conditional block. (Strictly speaking we don't +need to make the kfree() conditional, but since we can't avoid +checking for null ourselves we may as well do so.) + +Fixes: 62e3a3e342af ("drm/msm: fix leak in failed get_pages") +Signed-off-by: Ben Hutchings +Reviewed-by: Jordan Crouse +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/msm_gem.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -132,17 +132,19 @@ static void put_pages(struct drm_gem_obj + struct msm_gem_object *msm_obj = to_msm_bo(obj); + + if (msm_obj->pages) { +- /* For non-cached buffers, ensure the new pages are clean +- * because display controller, GPU, etc. are not coherent: +- */ +- if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) +- dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, +- msm_obj->sgt->nents, DMA_BIDIRECTIONAL); ++ if (msm_obj->sgt) { ++ /* For non-cached buffers, ensure the new ++ * pages are clean because display controller, ++ * GPU, etc. 
are not coherent: ++ */ ++ if (msm_obj->flags & (MSM_BO_WC|MSM_BO_UNCACHED)) ++ dma_unmap_sg(obj->dev->dev, msm_obj->sgt->sgl, ++ msm_obj->sgt->nents, ++ DMA_BIDIRECTIONAL); + +- if (msm_obj->sgt) + sg_free_table(msm_obj->sgt); +- +- kfree(msm_obj->sgt); ++ kfree(msm_obj->sgt); ++ } + + if (use_pages(obj)) + drm_gem_put_pages(obj, msm_obj->pages, true, false); diff --git a/queue-4.14/drm-omap-check-return-value-from-soc_device_match.patch b/queue-4.14/drm-omap-check-return-value-from-soc_device_match.patch new file mode 100644 index 00000000000..ff231edfc2c --- /dev/null +++ b/queue-4.14/drm-omap-check-return-value-from-soc_device_match.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Tomi Valkeinen +Date: Wed, 2 May 2018 12:11:56 +0300 +Subject: drm/omap: check return value from soc_device_match + +From: Tomi Valkeinen + +[ Upstream commit 4d6cb5e2fee52af17001e92950f0894304706ee4 ] + +soc_device_match() can return NULL, so add a check and fail if +soc_device_match() fails. + +Signed-off-by: Tomi Valkeinen +Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-2-tomi.valkeinen@ti.com +Reviewed-by: Benoit Parrot +Reviewed-by: Peter Ujfalusi +Signed-off-by: Sean Paul +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/omapdrm/dss/hdmi4_core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c ++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4_core.c +@@ -926,8 +926,13 @@ int hdmi4_core_init(struct platform_devi + { + const struct hdmi4_features *features; + struct resource *res; ++ const struct soc_device_attribute *soc; + +- features = soc_device_match(hdmi4_soc_devices)->data; ++ soc = soc_device_match(hdmi4_soc_devices); ++ if (!soc) ++ return -ENODEV; ++ ++ features = soc->data; + core->cts_swmode = features->cts_swmode; + core->audio_use_mclk = features->audio_use_mclk; + 
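Review bot: In put_pages() (drivers/gpu/drm/msm/msm_gem.c) the new `if (msm_obj->sgt)` block frees the table with `kfree(msm_obj->sgt);` but leaves the pointer as it was, so the NULL test this patch introduces is only reliable if sgt is reset somewhere below (the function continues outside the hunk). If it is not, a later pass through put_pages() for the same object would see a stale non-NULL sgt and unmap and free it a second time. Adding `msm_obj->sgt = NULL;` right after the kfree() keeps the guard honest at no cost. The test also assumes get_pages() stores NULL rather than an ERR_PTR in sgt on failure, which should be confirmed against that function.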
diff --git a/queue-4.14/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch b/queue-4.14/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch
new file mode 100644
index 00000000000..7abf0e90b64
--- /dev/null
+++ b/queue-4.14/drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch
@@ -0,0 +1,43 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tomi Valkeinen
+Date: Thu, 29 Mar 2018 13:40:37 +0300
+Subject: drm/omap: fix possible NULL ref issue in tiler_reserve_2d
+
+From: Tomi Valkeinen
+
+[ Upstream commit 6a0f0c55619f0b82a677cab72e77c3444a5eee58 ]
+
+tiler_reserve_2d allocates memory but does not check if it got the
+memory. Add the check and return ENOMEM on failure.
+
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-2-tomi.valkeinen@ti.com
+Reviewed-by: Emil Velikov
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Sean Paul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
++++ b/drivers/gpu/drm/omapdrm/omap_dmm_tiler.c
+@@ -389,12 +389,16 @@ int tiler_unpin(struct tiler_block *bloc
+ struct tiler_block *tiler_reserve_2d(enum tiler_fmt fmt, uint16_t w,
+ uint16_t h, uint16_t align)
+ {
+- struct tiler_block *block = kzalloc(sizeof(*block), GFP_KERNEL);
++ struct tiler_block *block;
+ u32 min_align = 128;
+ int ret;
+ unsigned long flags;
+ u32 slot_bytes;
+
++ block = kzalloc(sizeof(*block), GFP_KERNEL);
++ if (!block)
++ return ERR_PTR(-ENOMEM);
++
+ BUG_ON(!validfmt(fmt));
+
+ /* convert width/height to slots */
diff --git a/queue-4.14/drm-omap-fix-uninitialized-ret-variable.patch b/queue-4.14/drm-omap-fix-uninitialized-ret-variable.patch
new file mode 100644
index 00000000000..aee868bb96a
--- /dev/null
+++ b/queue-4.14/drm-omap-fix-uninitialized-ret-variable.patch
@@ -0,0 +1,47 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tomi Valkeinen
+Date: Thu, 29 Mar 2018 13:40:36 +0300
+Subject: drm/omap: fix uninitialized ret variable
+
+From: Tomi Valkeinen
+
+[ Upstream commit 77eeac24b10fc84d3ffd5b11a897dff88dde244d ]
+
+audio_config function for both HDMI4 and HDMI5 return uninitialized
+value as the error code if the display is not currently enabled. For
+some reason this has not caused any issues.
+
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20180329104038.29154-1-tomi.valkeinen@ti.com
+Reviewed-by: Emil Velikov
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Sean Paul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/dss/hdmi4.c | 2 +-
+ drivers/gpu/drm/omapdrm/dss/hdmi5.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi4.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi4.c
+@@ -634,7 +634,7 @@ static int hdmi_audio_config(struct devi
+ struct omap_dss_audio *dss_audio)
+ {
+ struct omap_hdmi *hd = dev_get_drvdata(dev);
+- int ret;
++ int ret = 0;
+
+ mutex_lock(&hd->lock);
+
+--- a/drivers/gpu/drm/omapdrm/dss/hdmi5.c
++++ b/drivers/gpu/drm/omapdrm/dss/hdmi5.c
+@@ -660,7 +660,7 @@ static int hdmi_audio_config(struct devi
+ struct omap_dss_audio *dss_audio)
+ {
+ struct omap_hdmi *hd = dev_get_drvdata(dev);
+- int ret;
++ int ret = 0;
+
+ mutex_lock(&hd->lock);
+
diff --git a/queue-4.14/drm-omap-handle-alloc-failures-in-omap_connector.patch b/queue-4.14/drm-omap-handle-alloc-failures-in-omap_connector.patch
new file mode 100644
index 00000000000..e4d5a551a59
--- /dev/null
+++ b/queue-4.14/drm-omap-handle-alloc-failures-in-omap_connector.patch
@@ -0,0 +1,56 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tomi Valkeinen
+Date: Wed, 2 May 2018 12:11:59 +0300
+Subject: drm/omap: handle alloc failures in omap_connector
+
+From: Tomi Valkeinen
+
+[ Upstream commit 47aaaec818dfd1009d1358974a2931f05dd57203 ]
+
+Handle memory allocation failures in omap_connector to avoid NULL
+derefs.
+
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20180502091159.7071-5-tomi.valkeinen@ti.com
+Reviewed-by: Benoit Parrot
+Reviewed-by: Peter Ujfalusi
+Signed-off-by: Sean Paul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/omap_connector.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/gpu/drm/omapdrm/omap_connector.c
++++ b/drivers/gpu/drm/omapdrm/omap_connector.c
+@@ -123,6 +123,9 @@ static int omap_connector_get_modes(stru
+ if (dssdrv->read_edid) {
+ void *edid = kzalloc(MAX_EDID, GFP_KERNEL);
+
++ if (!edid)
++ return 0;
++
+ if ((dssdrv->read_edid(dssdev, edid, MAX_EDID) > 0) &&
+ drm_edid_is_valid(edid)) {
+ drm_mode_connector_update_edid_property(
+@@ -141,6 +144,9 @@ static int omap_connector_get_modes(stru
+ struct drm_display_mode *mode = drm_mode_create(dev);
+ struct videomode vm = {0};
+
++ if (!mode)
++ return 0;
++
+ dssdrv->get_timings(dssdev, &vm);
+
+ drm_display_mode_from_videomode(&vm, mode);
+@@ -196,6 +202,10 @@ static int omap_connector_mode_valid(str
+ if (!r) {
+ /* check if vrefresh is still valid */
+ new_mode = drm_mode_duplicate(dev, mode);
++
++ if (!new_mode)
++ return MODE_BAD;
++
+ new_mode->clock = vm.pixelclock / 1000;
+ new_mode->vrefresh = 0;
+ if (mode->vrefresh == drm_mode_vrefresh(new_mode))
diff --git a/queue-4.14/drm-omap-silence-unititialized-variable-warning.patch b/queue-4.14/drm-omap-silence-unititialized-variable-warning.patch
new file mode 100644
index 00000000000..75a706c6f75
--- /dev/null
+++ b/queue-4.14/drm-omap-silence-unititialized-variable-warning.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Dan Carpenter
+Date: Wed, 18 Apr 2018 17:29:37 +0300
+Subject: drm/omap: silence unititialized variable warning
+
+From: Dan Carpenter
+
+[ Upstream commit 4a9fbfcab19d3f71ad2bf0bcb653c4ee84e69c7f ]
+
+Smatch complains that "area_free" could be used without being
+initialized. This code is several years old and premusably works fine
+so this can't be a very serious bug. But it's easy enough to silence
+the warning. If "area_free" is false at the end of the function then
+we return -ENOMEM.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Tomi Valkeinen
+Link: https://patchwork.freedesktop.org/patch/msgid/20180418142937.GA13828@mwanda
+Signed-off-by: Sean Paul
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/gpu/drm/omapdrm/tcm-sita.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/omapdrm/tcm-sita.c
++++ b/drivers/gpu/drm/omapdrm/tcm-sita.c
+@@ -92,7 +92,7 @@ static int l2r_t2b(uint16_t w, uint16_t
+ {
+ int i;
+ unsigned long index;
+- bool area_free;
++ bool area_free = false;
+ unsigned long slots_per_band = PAGE_SIZE / slot_bytes;
+ unsigned long bit_offset = (offset > 0) ? offset / slot_bytes : 0;
+ unsigned long curr_bit = bit_offset;
diff --git a/queue-4.14/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch b/queue-4.14/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch
new file mode 100644
index 00000000000..d53d68928eb
--- /dev/null
+++ b/queue-4.14/dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jacopo Mondi
+Date: Mon, 16 Apr 2018 15:56:08 +0200
+Subject: dt-bindings: dmaengine: rcar-dmac: document R8A77965 support
+
+From: Jacopo Mondi
+
+[ Upstream commit b89bc283286b105e50aab9ab35992c0237ac77d8 ]
+
+Add documentation for r8a77965 compatible string to rcar-dmac device
+tree bindings documentation.
+
+Signed-off-by: Jacopo Mondi
+Reviewed-by: Geert Uytterhoeven
+Reviewed-by: Simon Horman
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt
++++ b/Documentation/devicetree/bindings/dma/renesas,rcar-dmac.txt
+@@ -25,6 +25,7 @@ Required Properties:
+ - "renesas,dmac-r8a7794" (R-Car E2)
+ - "renesas,dmac-r8a7795" (R-Car H3)
+ - "renesas,dmac-r8a7796" (R-Car M3-W)
++ - "renesas,dmac-r8a77965" (R-Car M3-N)
+ - "renesas,dmac-r8a77970" (R-Car V3M)
+
+ - reg: base address and length of the registers block for the DMAC
diff --git a/queue-4.14/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch b/queue-4.14/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch
new file mode 100644
index 00000000000..8fc27147ba9
--- /dev/null
+++ b/queue-4.14/dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch
@@ -0,0 +1,28 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Geert Uytterhoeven +Date: Mon, 23 Apr 2018 09:32:40 +0200 +Subject: dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/ + +From: Geert Uytterhoeven + +[ Upstream commit 34df2466b48dfe258e14fe2a7bc4641416575ade ] + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt ++++ b/Documentation/devicetree/bindings/serial/amlogic,meson-uart.txt +@@ -21,7 +21,7 @@ Required properties: + - interrupts : identifier to the device interrupt + - clocks : a list of phandle + clock-specifier pairs, one for each + entry in clock names. +-- clocks-names : ++- clock-names : + * "xtal" for external xtal clock identifier + * "pclk" for the bus core clock, either the clk81 clock or the gate clock + * "baud" for the source of the baudrate generator, can be either the xtal diff --git a/queue-4.14/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch b/queue-4.14/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch new file mode 100644 index 00000000000..b44e3d9e8a2 --- /dev/null +++ b/queue-4.14/dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch 
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Geert Uytterhoeven
+Date: Wed, 25 Apr 2018 09:49:38 +0200
+Subject: dt-bindings: panel: lvds: Fix path to display timing bindings
+
+From: Geert Uytterhoeven
+
+[ Upstream commit f130307054a59ca21d2396f386be77ebd2e8ca96 ]
+
+Fixes: 14da3ed8dd08c581 ("devicetree/bindings: display: Document common
+panel properties")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Laurent Pinchart
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/display/panel/panel-common.txt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/display/panel/panel-common.txt
++++ b/Documentation/devicetree/bindings/display/panel/panel-common.txt
+@@ -38,7 +38,7 @@ Display Timings
+ require specific display timings. The panel-timing subnode expresses those
+ timings as specified in the timing subnode section of the display timing
+ bindings defined in
+- Documentation/devicetree/bindings/display/display-timing.txt.
++ Documentation/devicetree/bindings/display/panel/display-timing.txt.
+
+
+ Connectivity
diff --git a/queue-4.14/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch b/queue-4.14/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch
new file mode 100644
index 00000000000..46250bc5200
--- /dev/null
+++ b/queue-4.14/dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Matheus Castello
+Date: Wed, 11 Apr 2018 01:17:03 -0400
+Subject: dt-bindings: pinctrl: sunxi: Fix reference to driver
+
+From: Matheus Castello
+
+[ Upstream commit b614e905a0bc8fc5d4fa72665ac26ae00c874a4e ]
+
+Bindings describe hardware, not drivers.
+Use reference to hardware Allwinner A1X Pin Controller instead driver.
+
+Signed-off-by: Matheus Castello
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt
++++ b/Documentation/devicetree/bindings/pinctrl/allwinner,sunxi-pinctrl.txt
+@@ -55,9 +55,9 @@ pins it needs, and how they should be co
+ configuration, drive strength and pullups. If one of these options is
+ not set, its actual value will be unspecified.
+
+-This driver supports the generic pin multiplexing and configuration
+-bindings. For details on each properties, you can refer to
+-./pinctrl-bindings.txt.
++Allwinner A1X Pin Controller supports the generic pin multiplexing and
++configuration bindings. For details on each properties, you can refer to
++ ./pinctrl-bindings.txt.
+
+ Required sub-node properties:
+ - pins
diff --git a/queue-4.14/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch b/queue-4.14/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch
new file mode 100644
index 00000000000..2dc7719e17d
--- /dev/null
+++ b/queue-4.14/dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jacopo Mondi
+Date: Mon, 16 Apr 2018 15:55:28 +0200
+Subject: dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF
+
+From: Jacopo Mondi
+
+[ Upstream commit 7de5b7e5f6a67c285b86d1478e8e150929c93482 ]
+
+Add documentation for r8a77965 compatible string to Renesas sci-serial
+device tree bindings documentation.
+
+Signed-off-by: Jacopo Mondi
+Reviewed-by: Geert Uytterhoeven
+Signed-off-by: Rob Herring
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ Documentation/devicetree/bindings/serial/renesas,sci-serial.txt | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt
++++ b/Documentation/devicetree/bindings/serial/renesas,sci-serial.txt
+@@ -41,6 +41,8 @@ Required properties:
+ - "renesas,hscif-r8a7795" for R8A7795 (R-Car H3) HSCIF compatible UART.
+ - "renesas,scif-r8a7796" for R8A7796 (R-Car M3-W) SCIF compatible UART.
+ - "renesas,hscif-r8a7796" for R8A7796 (R-Car M3-W) HSCIF compatible UART.
++ - "renesas,scif-r8a77965" for R8A77965 (R-Car M3-N) SCIF compatible UART.
++ - "renesas,hscif-r8a77965" for R8A77965 (R-Car M3-N) HSCIF compatible UART.
+ - "renesas,scif-r8a77970" for R8A77970 (R-Car V3M) SCIF compatible UART.
+ - "renesas,hscif-r8a77970" for R8A77970 (R-Car V3M) HSCIF compatible UART.
+ - "renesas,scif-r8a77995" for R8A77995 (R-Car D3) SCIF compatible UART.
diff --git a/queue-4.14/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch b/queue-4.14/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch
new file mode 100644
index 00000000000..c131156dd51
--- /dev/null
+++ b/queue-4.14/ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch
@@ -0,0 +1,154 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Tyler Hicks +Date: Wed, 28 Mar 2018 23:41:52 +0000 +Subject: eCryptfs: don't pass up plaintext names when using filename encryption + +From: Tyler Hicks + +[ Upstream commit e86281e700cca8a773f9a572fa406adf2784ba5c ] + +Both ecryptfs_filldir() and ecryptfs_readlink_lower() use +ecryptfs_decode_and_decrypt_filename() to translate lower filenames to +upper filenames. The function correctly passes up lower filenames, +unchanged, when filename encryption isn't in use. However, it was also +passing up lower filenames when the filename wasn't encrypted or +when decryption failed. Since 88ae4ab9802e, eCryptfs refuses to lookup +lower plaintext names when filename encryption is enabled so this +resulted in a situation where userspace would see lower plaintext +filenames in calls to getdents(2) but then not be able to lookup those +filenames. + +An example of this can be seen when enabling filename encryption on an +eCryptfs mount at the root directory of an Ext4 filesystem: + +$ ls -1i /lower +12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- +11 lost+found +$ ls -1i /upper +ls: cannot access '/upper/lost+found': No such file or directory + ? lost+found +12 test + +With this change, the lower lost+found dentry is ignored: + +$ ls -1i /lower +12 ECRYPTFS_FNEK_ENCRYPTED.FWYZD8TcW.5FV-TKTEYOHsheiHX9a-w.NURCCYIMjI8pn5BDB9-h3fXwrE-- +11 lost+found +$ ls -1i /upper +12 test + +Additionally, some potentially noisy error/info messages in the related +code paths are turned into debug messages so that the logs can't be +easily filled. 
+ +Fixes: 88ae4ab9802e ("ecryptfs_lookup(): try either only encrypted or plaintext name") +Reported-by: Guenter Roeck +Cc: Al Viro +Signed-off-by: Tyler Hicks +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/ecryptfs/crypto.c | 41 ++++++++++++++++++++++++++++------------- + fs/ecryptfs/file.c | 21 ++++++++++++++++----- + 2 files changed, 44 insertions(+), 18 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -2026,6 +2026,16 @@ out: + return rc; + } + ++static bool is_dot_dotdot(const char *name, size_t name_size) ++{ ++ if (name_size == 1 && name[0] == '.') ++ return true; ++ else if (name_size == 2 && name[0] == '.' && name[1] == '.') ++ return true; ++ ++ return false; ++} ++ + /** + * ecryptfs_decode_and_decrypt_filename - converts the encoded cipher text name to decoded plaintext + * @plaintext_name: The plaintext name +@@ -2050,13 +2060,21 @@ int ecryptfs_decode_and_decrypt_filename + size_t packet_size; + int rc = 0; + +- if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) +- && !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED) +- && (name_size > ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) +- && (strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, +- ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE) == 0)) { +- const char *orig_name = name; +- size_t orig_name_size = name_size; ++ if ((mount_crypt_stat->flags & ECRYPTFS_GLOBAL_ENCRYPT_FILENAMES) && ++ !(mount_crypt_stat->flags & ECRYPTFS_ENCRYPTED_VIEW_ENABLED)) { ++ if (is_dot_dotdot(name, name_size)) { ++ rc = ecryptfs_copy_filename(plaintext_name, ++ plaintext_name_size, ++ name, name_size); ++ goto out; ++ } ++ ++ if (name_size <= ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE || ++ strncmp(name, ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX, ++ ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE)) { ++ rc = -EINVAL; ++ goto out; ++ } + + name += ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; + name_size -= 
ECRYPTFS_FNEK_ENCRYPTED_FILENAME_PREFIX_SIZE; +@@ -2079,12 +2097,9 @@ int ecryptfs_decode_and_decrypt_filename + decoded_name, + decoded_name_size); + if (rc) { +- printk(KERN_INFO "%s: Could not parse tag 70 packet " +- "from filename; copying through filename " +- "as-is\n", __func__); +- rc = ecryptfs_copy_filename(plaintext_name, +- plaintext_name_size, +- orig_name, orig_name_size); ++ ecryptfs_printk(KERN_DEBUG, ++ "%s: Could not parse tag 70 packet from filename\n", ++ __func__); + goto out_free; + } + } else { +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -82,17 +82,28 @@ ecryptfs_filldir(struct dir_context *ctx + buf->sb, lower_name, + lower_namelen); + if (rc) { +- printk(KERN_ERR "%s: Error attempting to decode and decrypt " +- "filename [%s]; rc = [%d]\n", __func__, lower_name, +- rc); +- goto out; ++ if (rc != -EINVAL) { ++ ecryptfs_printk(KERN_DEBUG, ++ "%s: Error attempting to decode and decrypt filename [%s]; rc = [%d]\n", ++ __func__, lower_name, rc); ++ return rc; ++ } ++ ++ /* Mask -EINVAL errors as these are most likely due a plaintext ++ * filename present in the lower filesystem despite filename ++ * encryption being enabled. One unavoidable example would be ++ * the "lost+found" dentry in the root directory of an Ext4 ++ * filesystem. ++ */ ++ return 0; + } ++ + buf->caller->pos = buf->ctx.pos; + rc = !dir_emit(buf->caller, name, name_size, ino, d_type); + kfree(name); + if (!rc) + buf->entries_written++; +-out: ++ + return rc; + } + diff --git a/queue-4.14/efi-libstub-arm64-handle-randomized-text_offset.patch b/queue-4.14/efi-libstub-arm64-handle-randomized-text_offset.patch new file mode 100644 index 00000000000..b877af21a17 --- /dev/null +++ b/queue-4.14/efi-libstub-arm64-handle-randomized-text_offset.patch 
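Review bot: The debug message kept in ecryptfs_filldir() (fs/ecryptfs/file.c) still formats `lower_name` with `%s` although the callback is given an explicit `lower_namelen`; if the lower filesystem passes a name that is not NUL-terminated (not visible here, so worth confirming), the format reads past the end of the name. Bounding it is a one-line change: `"%s: Error attempting to decode and decrypt filename [%.*s]; rc = [%d]\n", __func__, lower_namelen, lower_name, rc`. Separately, the `return 0` path treats every -EINVAL as a plaintext lower name, so any other -EINVAL raised inside ecryptfs_decode_and_decrypt_filename() (for example by the tag 70 parsing, whose body is outside the hunk) would make an entry disappear from the listing with no trace. The body of ecryptfs_filldir() starts outside the hunk.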
@@ -0,0 +1,62 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Mark Rutland +Date: Fri, 18 May 2018 16:08:41 +0200 +Subject: efi/libstub/arm64: Handle randomized TEXT_OFFSET + +From: Mark Rutland + +[ Upstream commit 4f74d72aa7067e75af92fbab077e6d7d0210be66 ] + +When CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET is an arbitrary +multiple of PAGE_SIZE in the interval [0, 2MB). + +The EFI stub does not account for the potential misalignment of +TEXT_OFFSET relative to EFI_KIMG_ALIGN, and produces a randomized +physical offset which is always a round multiple of EFI_KIMG_ALIGN. +This may result in statically allocated objects whose alignment exceeds +PAGE_SIZE to appear misaligned in memory. This has been observed to +result in spurious stack overflow reports and failure to make use of +the IRQ stacks, and theoretically could result in a number of other +issues. + +We can OR in the low bits of TEXT_OFFSET to ensure that we have the +necessary offset (and hence preserve the misalignment of TEXT_OFFSET +relative to EFI_KIMG_ALIGN), so let's do that. 
+ +Reported-by: Kim Phillips +Tested-by: Kim Phillips +[ardb: clarify comment and commit log, drop unneeded parens] +Signed-off-by: Mark Rutland +Signed-off-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Fixes: 6f26b3671184c36d ("arm64: kaslr: increase randomization granularity") +Link: http://lkml.kernel.org/r/20180518140841.9731-2-ard.biesheuvel@linaro.org +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/libstub/arm64-stub.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/firmware/efi/libstub/arm64-stub.c ++++ b/drivers/firmware/efi/libstub/arm64-stub.c +@@ -98,6 +98,16 @@ efi_status_t handle_kernel_image(efi_sys + (phys_seed >> 32) & mask : TEXT_OFFSET; + + /* ++ * With CONFIG_RANDOMIZE_TEXT_OFFSET=y, TEXT_OFFSET may not ++ * be a multiple of EFI_KIMG_ALIGN, and we must ensure that ++ * we preserve the misalignment of 'offset' relative to ++ * EFI_KIMG_ALIGN so that statically allocated objects whose ++ * alignment exceeds PAGE_SIZE appear correctly aligned in ++ * memory. ++ */ ++ offset |= TEXT_OFFSET % EFI_KIMG_ALIGN; ++ ++ /* + * If KASLR is enabled, and we have some randomness available, + * locate the kernel at a randomized offset in physical memory. + */ diff --git a/queue-4.14/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch b/queue-4.14/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch new file mode 100644 index 00000000000..844d296e9bb --- /dev/null +++ b/queue-4.14/fsnotify-fix-ignore-mask-logic-in-send_to_group.patch 
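Review bot: `offset |= TEXT_OFFSET % EFI_KIMG_ALIGN;` equals adding the misalignment only if the bits of `offset` below EFI_KIMG_ALIGN are zero in the randomized case and EFI_KIMG_ALIGN is a power of two; `mask` is computed outside the hunk, so neither can be checked here. I would record that dependency in the new comment, for example `* This relies on 'mask' clearing every bit below EFI_KIMG_ALIGN.` If the mask is ever widened, the OR would silently produce an offset that no longer preserves the intended misalignment, and the symptom described in the commit message (misaligned static objects) would come back. handle_kernel_image() starts and ends outside the hunk.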
@@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Amir Goldstein +Date: Thu, 5 Apr 2018 16:18:03 +0300 +Subject: fsnotify: fix ignore mask logic in send_to_group() + +From: Amir Goldstein + +[ Upstream commit 92183a42898dc400b89da35685d1814ac6acd3d8 ] + +The ignore mask logic in send_to_group() does not match the logic +in fanotify_should_send_event(). In the latter, a vfsmount mark ignore +mask precedes an inode mark mask and in the former, it does not. + +That difference may cause events to be sent to fanotify backend for no +reason. Fix the logic in send_to_group() to match that of +fanotify_should_send_event(). + +Signed-off-by: Amir Goldstein +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/notify/fsnotify.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +--- a/fs/notify/fsnotify.c ++++ b/fs/notify/fsnotify.c +@@ -192,8 +192,9 @@ static int send_to_group(struct inode *t + struct fsnotify_iter_info *iter_info) + { + struct fsnotify_group *group = NULL; +- __u32 inode_test_mask = 0; +- __u32 vfsmount_test_mask = 0; ++ __u32 test_mask = (mask & ~FS_EVENT_ON_CHILD); ++ __u32 marks_mask = 0; ++ __u32 marks_ignored_mask = 0; + + if (unlikely(!inode_mark && !vfsmount_mark)) { + BUG(); +@@ -213,29 +214,25 @@ static int send_to_group(struct inode *t + /* does the inode mark tell us to do something? */ + if (inode_mark) { + group = inode_mark->group; +- inode_test_mask = (mask & ~FS_EVENT_ON_CHILD); +- inode_test_mask &= inode_mark->mask; +- inode_test_mask &= ~inode_mark->ignored_mask; ++ marks_mask |= inode_mark->mask; ++ marks_ignored_mask |= inode_mark->ignored_mask; + } + + /* does the vfsmount_mark tell us to do something? 
*/ + if (vfsmount_mark) { +- vfsmount_test_mask = (mask & ~FS_EVENT_ON_CHILD); + group = vfsmount_mark->group; +- vfsmount_test_mask &= vfsmount_mark->mask; +- vfsmount_test_mask &= ~vfsmount_mark->ignored_mask; +- if (inode_mark) +- vfsmount_test_mask &= ~inode_mark->ignored_mask; ++ marks_mask |= vfsmount_mark->mask; ++ marks_ignored_mask |= vfsmount_mark->ignored_mask; + } + + pr_debug("%s: group=%p to_tell=%p mask=%x inode_mark=%p" +- " inode_test_mask=%x vfsmount_mark=%p vfsmount_test_mask=%x" ++ " vfsmount_mark=%p marks_mask=%x marks_ignored_mask=%x" + " data=%p data_is=%d cookie=%d\n", +- __func__, group, to_tell, mask, inode_mark, +- inode_test_mask, vfsmount_mark, vfsmount_test_mask, data, ++ __func__, group, to_tell, mask, inode_mark, vfsmount_mark, ++ marks_mask, marks_ignored_mask, data, + data_is, cookie); + +- if (!inode_test_mask && !vfsmount_test_mask) ++ if (!(test_mask & marks_mask & ~marks_ignored_mask)) + return 0; + + return group->ops->handle_event(group, to_tell, inode_mark, diff --git a/queue-4.14/hexagon-add-memset_io-helper.patch b/queue-4.14/hexagon-add-memset_io-helper.patch new file mode 100644 index 00000000000..ca32b548668 --- /dev/null +++ b/queue-4.14/hexagon-add-memset_io-helper.patch 
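Review bot: The final test `if (!(test_mask & marks_mask & ~marks_ignored_mask))` in send_to_group() now lets an ignored bit on either mark suppress an event that the other mark of the same group asked for, and nothing in the function says so. That matters to anyone who relies on fanotify marks for monitoring, because an ignore mask on the vfsmount mark now also silences the inode mark. A short comment above the test would record the rule, e.g. `/* Drop the event if either mark of this group ignores it, as fanotify_should_send_event() does. */`. The function body starts and ends outside the hunk.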
@@ -0,0 +1,39 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Arnd Bergmann
+Date: Fri, 6 Apr 2018 16:28:22 +0200
+Subject: hexagon: add memset_io() helper
+
+From: Arnd Bergmann
+
+[ Upstream commit a57ab96ef9dde231d4d46edba4d5f73720edc16a ]
+
+We already have memcpy_toio(), but not memset_io(), so let's
+add the obvious version to allow building an allmodconfig kernel
+without errors like
+
+drivers/gpu/drm/ttm/ttm_bo_util.c: In function 'ttm_bo_move_memcpy':
+drivers/gpu/drm/ttm/ttm_bo_util.c:390:3: error: implicit declaration of function 'memset_io' [-Werror=implicit-function-declaration]
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Richard Kuo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/hexagon/include/asm/io.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/hexagon/include/asm/io.h
++++ b/arch/hexagon/include/asm/io.h
+@@ -216,6 +216,12 @@ static inline void memcpy_toio(volatile
+ memcpy((void *) dst, src, count);
+ }
+
++static inline void memset_io(volatile void __iomem *addr, int value,
++ size_t size)
++{
++ memset((void __force *)addr, value, size);
++}
++
+ #define PCI_IO_ADDR (volatile void __iomem *)
+
+ /*
diff --git a/queue-4.14/hexagon-export-csum_partial_copy_nocheck.patch b/queue-4.14/hexagon-export-csum_partial_copy_nocheck.patch
new file mode 100644
index 00000000000..e831801ee43
--- /dev/null
+++ b/queue-4.14/hexagon-export-csum_partial_copy_nocheck.patch
@@ -0,0 +1,27 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Arnd Bergmann
+Date: Fri, 6 Apr 2018 16:28:23 +0200
+Subject: hexagon: export csum_partial_copy_nocheck
+
+From: Arnd Bergmann
+
+[ Upstream commit 330e261c35dfb969c48f996dbbc8b334b5ee8d9d ]
+
+This is needed to link ipv6 as a loadable module, which in turn happens
+in allmodconfig.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Richard Kuo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/hexagon/lib/checksum.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/hexagon/lib/checksum.c
++++ b/arch/hexagon/lib/checksum.c
+@@ -199,3 +199,4 @@ csum_partial_copy_nocheck(const void *sr
+ memcpy(dst, src, len);
+ return csum_partial(dst, len, sum);
+ }
++EXPORT_SYMBOL(csum_partial_copy_nocheck);
diff --git a/queue-4.14/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch b/queue-4.14/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch
new file mode 100644
index 00000000000..a8f83299bc7
--- /dev/null
+++ b/queue-4.14/hid-intel-ish-hid-use-put_device-instead-of-kfree.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Arvind Yadav
+Date: Fri, 30 Mar 2018 16:56:10 +0530
+Subject: HID: intel-ish-hid: use put_device() instead of kfree()
+
+From: Arvind Yadav
+
+[ Upstream commit a4eb490a41a0da3b1275fc7427084cf9ae2c3c1c ]
+
+Never directly free @dev after calling device_register(), even
+if it returned an error. Always use put_device() to give up the
+reference initialized.
+
+Signed-off-by: Arvind Yadav
+Signed-off-by: Jiri Kosina
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/hid/intel-ish-hid/ishtp/bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/intel-ish-hid/ishtp/bus.c
++++ b/drivers/hid/intel-ish-hid/ishtp/bus.c
+@@ -418,7 +418,7 @@ static struct ishtp_cl_device *ishtp_bus
+ list_del(&device->device_link);
+ spin_unlock_irqrestore(&dev->device_list_lock, flags);
+ dev_err(dev->devc, "Failed to register ISHTP client device\n");
+- kfree(device);
++ put_device(&device->dev);
+ return NULL;
+ }
+
diff --git a/queue-4.14/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch b/queue-4.14/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch
new file mode 100644
index 00000000000..61d66940dc6
--- /dev/null
+++ b/queue-4.14/hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch
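Review bot: Replacing `kfree(device)` with `put_device(&device->dev)` frees the object only if a release callback was assigned to `device->dev` before device_register(); that assignment is outside the hunk and should be confirmed, because without it the driver core warns and the memory is never released. A why-comment at the call site would also help the next reader, e.g. `/* device_register() took a reference; the release callback frees 'device' */`. The enclosing function starts before the hunk.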
@@ -0,0 +1,135 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: pgzh +Date: Thu, 12 Apr 2018 19:36:47 +0200 +Subject: HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice + +From: pgzh + +[ Upstream commit a230cd52b8a2be39cd6e9a13b3e62af57f21372a ] + +The IBM/Lenovo Scrollpoint mice feature a trackpoint-like stick instead of a +scrolling wheel capable of 2-D (vertical+horizontal) scrolling. hid-generic +does only expose 1-D (vertical) scrolling functionality for these mice. This +patch adds support for horizontal scrolling for the IBM/Lenovo Scrollpoint mice +to hid-lenovo. + +[jkosina@suse.cz: remove change versioning from git changelog] +Signed-off-by: Peter Ganzhorn +Reviewed-by: Benjamin Tissoires +Signed-off-by: Peter De Wachter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/Kconfig | 7 ++++--- + drivers/hid/hid-ids.h | 8 ++++++++ + drivers/hid/hid-lenovo.c | 36 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 48 insertions(+), 3 deletions(-) + +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -436,10 +436,11 @@ config HID_LENOVO + select NEW_LEDS + select LEDS_CLASS + ---help--- +- Support for Lenovo devices that are not fully compliant with HID standard. ++ Support for IBM/Lenovo devices that are not fully compliant with HID standard. 
+ +- Say Y if you want support for the non-compliant features of the Lenovo +- Thinkpad standalone keyboards, e.g: ++ Say Y if you want support for horizontal scrolling of the IBM/Lenovo ++ Scrollpoint mice or the non-compliant features of the Lenovo Thinkpad ++ standalone keyboards, e.g: + - ThinkPad USB Keyboard with TrackPoint (supports extra LEDs and trackpoint + configuration) + - ThinkPad Compact Bluetooth Keyboard with TrackPoint (supports Fn keys) +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -532,6 +532,13 @@ + #define USB_VENDOR_ID_HUION 0x256c + #define USB_DEVICE_ID_HUION_TABLET 0x006e + ++#define USB_VENDOR_ID_IBM 0x04b3 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_III 0x3100 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_PRO 0x3103 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL 0x3105 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL 0x3108 ++#define USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO 0x3109 ++ + #define USB_VENDOR_ID_IDEACOM 0x1cb6 + #define USB_DEVICE_ID_IDEACOM_IDC6650 0x6650 + #define USB_DEVICE_ID_IDEACOM_IDC6651 0x6651 +@@ -664,6 +671,7 @@ + #define USB_DEVICE_ID_LENOVO_TPKBD 0x6009 + #define USB_DEVICE_ID_LENOVO_CUSBKBD 0x6047 + #define USB_DEVICE_ID_LENOVO_CBTKBD 0x6048 ++#define USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL 0x6049 + #define USB_DEVICE_ID_LENOVO_TPPRODOCK 0x6067 + #define USB_DEVICE_ID_LENOVO_X1_COVER 0x6085 + #define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3 +--- a/drivers/hid/hid-lenovo.c ++++ b/drivers/hid/hid-lenovo.c +@@ -6,6 +6,17 @@ + * + * Copyright (c) 2012 Bernhard Seibold + * Copyright (c) 2014 Jamie Lentin ++ * ++ * Linux IBM/Lenovo Scrollpoint mouse driver: ++ * - IBM Scrollpoint III ++ * - IBM Scrollpoint Pro ++ * - IBM Scrollpoint Optical ++ * - IBM Scrollpoint Optical 800dpi ++ * - IBM Scrollpoint Optical 800dpi Pro ++ * - Lenovo Scrollpoint Optical ++ * ++ * Copyright (c) 2012 Peter De Wachter ++ * Copyright (c) 2018 Peter Ganzhorn + */ + + /* +@@ -160,6 +171,17 @@ static int 
lenovo_input_mapping_cptkbd(s + return 0; + } + ++static int lenovo_input_mapping_scrollpoint(struct hid_device *hdev, ++ struct hid_input *hi, struct hid_field *field, ++ struct hid_usage *usage, unsigned long **bit, int *max) ++{ ++ if (usage->hid == HID_GD_Z) { ++ hid_map_usage(hi, usage, bit, max, EV_REL, REL_HWHEEL); ++ return 1; ++ } ++ return 0; ++} ++ + static int lenovo_input_mapping(struct hid_device *hdev, + struct hid_input *hi, struct hid_field *field, + struct hid_usage *usage, unsigned long **bit, int *max) +@@ -172,6 +194,14 @@ static int lenovo_input_mapping(struct h + case USB_DEVICE_ID_LENOVO_CBTKBD: + return lenovo_input_mapping_cptkbd(hdev, hi, field, + usage, bit, max); ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_III: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_PRO: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL: ++ case USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO: ++ case USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL: ++ return lenovo_input_mapping_scrollpoint(hdev, hi, field, ++ usage, bit, max); + default: + return 0; + } +@@ -883,6 +913,12 @@ static const struct hid_device_id lenovo + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CUSBKBD) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_CBTKBD) }, + { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_TPPRODOCK) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_III) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_IBM, USB_DEVICE_ID_IBM_SCROLLPOINT_800DPI_OPTICAL_PRO) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_LENOVO, USB_DEVICE_ID_LENOVO_SCROLLPOINT_OPTICAL) }, + { } + }; + 
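Review bot: The new `case USB_DEVICE_ID_IBM_SCROLLPOINT_*` labels in lenovo_input_mapping() share one switch with the Lenovo product ids, and the switch expression (outside the hunk, presumably the product id alone) does not appear to take the vendor into account. Now that the id table matches both USB_VENDOR_ID_IBM and USB_VENDOR_ID_LENOVO, an IBM and a Lenovo device that happened to share a 16-bit product id would silently get the other device's mapping. The ids added here do not collide with the Lenovo ids visible in hid-ids.h, so this is a guard for later additions: either check the vendor before the switch or add a comment such as `/* product ids of both vendors must stay disjoint; the switch does not check hdev->vendor */`.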
diff --git a/queue-4.14/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch b/queue-4.14/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch new file mode 100644 index 00000000000..dd60d98eaf0 --- /dev/null +++ b/queue-4.14/hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch @@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Arvind Yadav +Date: Tue, 24 Apr 2018 13:33:03 +0530 +Subject: HID: wacom: Release device resource data obtained by devres_alloc() + +From: Arvind Yadav + +[ Upstream commit 097b8f62dd793e08f1732fc74dbb64596c7fbff9 ] + +Free device resource data, if __wacom_devm_sysfs_create_group +is not successful. + +Signed-off-by: Arvind Yadav +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_sys.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_sys.c ++++ b/drivers/hid/wacom_sys.c +@@ -1102,8 +1102,10 @@ static int __wacom_devm_sysfs_create_gro + devres->root = root; + + error = sysfs_create_group(devres->root, group); +- if (error) ++ if (error) { ++ devres_free(devres); + return error; ++ } + + devres_add(&wacom->hdev->dev, devres); + diff --git a/queue-4.14/i2c-pmcmsp-fix-error-return-from-master_xfer.patch b/queue-4.14/i2c-pmcmsp-fix-error-return-from-master_xfer.patch new file mode 100644 index 00000000000..788c9eee07c --- /dev/null +++ b/queue-4.14/i2c-pmcmsp-fix-error-return-from-master_xfer.patch 
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Peter Rosin
+Date: Wed, 9 May 2018 21:46:30 +0200
+Subject: i2c: pmcmsp: fix error return from master_xfer
+
+From: Peter Rosin
+
+[ Upstream commit 12d9bbc5a7f347eaa65ff2a9d34995cadc05eb1b ]
+
+Returning -1 (-EPERM) is not appropriate here, go with -EIO.
+
+Signed-off-by: Peter Rosin
+Signed-off-by: Wolfram Sang
+Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-pmcmsp.c
++++ b/drivers/i2c/busses/i2c-pmcmsp.c
+@@ -564,7 +564,7 @@ static int pmcmsptwi_master_xfer(struct
+ * TODO: We could potentially loop and retry in the case
+ * of MSP_TWI_XFER_TIMEOUT.
+ */
+- return -1;
++ return -EIO;
+ }
+
+ return num;
diff --git a/queue-4.14/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch b/queue-4.14/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch
new file mode 100644
index 00000000000..34719a0badd
--- /dev/null
+++ b/queue-4.14/i2c-pmcmsp-return-message-count-on-master_xfer-success.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Peter Rosin
+Date: Wed, 9 May 2018 21:46:29 +0200
+Subject: i2c: pmcmsp: return message count on master_xfer success
+
+From: Peter Rosin
+
+[ Upstream commit de9a8634f1cb4560a35696d472cc7f1383d9b866 ]
+
+Returning zero is wrong in this case.
+
+Signed-off-by: Peter Rosin
+Signed-off-by: Wolfram Sang
+Fixes: 1b144df1d7d6 ("i2c: New PMC MSP71xx TWI bus driver")
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-pmcmsp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-pmcmsp.c
++++ b/drivers/i2c/busses/i2c-pmcmsp.c
+@@ -567,7 +567,7 @@ static int pmcmsptwi_master_xfer(struct
+ return -1;
+ }
+
+- return 0;
++ return num;
+ }
+
+ static u32 pmcmsptwi_i2c_func(struct i2c_adapter *adapter)
diff --git a/queue-4.14/i2c-sprd-fix-the-i2c-count-issue.patch b/queue-4.14/i2c-sprd-fix-the-i2c-count-issue.patch
new file mode 100644
index 00000000000..b048550e5d6
--- /dev/null
+++ b/queue-4.14/i2c-sprd-fix-the-i2c-count-issue.patch
@@ -0,0 +1,54 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Baolin Wang +Date: Mon, 9 Apr 2018 14:40:55 +0800 +Subject: i2c: sprd: Fix the i2c count issue + +From: Baolin Wang + +[ Upstream commit 2a010461207cc96bee5ab81748325dec1972976f ] + +We found the I2C controller count register is unreliable sometimes, +that will cause I2C to lose data. Thus we can read the data count +from 'i2c_dev->count' instead of the I2C controller count register. + +Signed-off-by: Baolin Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-sprd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-sprd.c ++++ b/drivers/i2c/busses/i2c-sprd.c +@@ -368,13 +368,12 @@ static irqreturn_t sprd_i2c_isr_thread(i + struct sprd_i2c *i2c_dev = dev_id; + struct i2c_msg *msg = i2c_dev->msg; + bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK); +- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT); + u32 i2c_tran; + + if (msg->flags & I2C_M_RD) + i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD; + else +- i2c_tran = i2c_count; ++ i2c_tran = i2c_dev->count; + + /* + * If we got one ACK from slave when writing data, and we did not +@@ -412,14 +411,13 @@ static irqreturn_t sprd_i2c_isr(int irq, + { + struct sprd_i2c *i2c_dev = dev_id; + struct i2c_msg *msg = i2c_dev->msg; +- u32 i2c_count = readl(i2c_dev->base + I2C_COUNT); + bool ack = !(readl(i2c_dev->base + I2C_STATUS) & I2C_RX_ACK); + u32 i2c_tran; + + if (msg->flags & I2C_M_RD) + i2c_tran = i2c_dev->count >= I2C_FIFO_FULL_THLD; + else +- i2c_tran = i2c_count; ++ i2c_tran = i2c_dev->count; + + /* + * If we did not get one ACK from slave when writing data, then we diff --git a/queue-4.14/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch b/queue-4.14/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch new file mode 100644 index 00000000000..3c6d78cc504 --- /dev/null 
+++ b/queue-4.14/i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch @@ -0,0 +1,65 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Baolin Wang +Date: Mon, 9 Apr 2018 14:40:54 +0800 +Subject: i2c: sprd: Prevent i2c accesses after suspend is called + +From: Baolin Wang + +[ Upstream commit da33aa03fa34c918faf2c371ebda0dd961d7ccb2 ] + +Add one flag to indicate if the i2c controller has been in suspend state, +which can prevent i2c accesses after i2c controller is suspended following +system suspend. + +Signed-off-by: Baolin Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-sprd.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/i2c/busses/i2c-sprd.c ++++ b/drivers/i2c/busses/i2c-sprd.c +@@ -86,6 +86,7 @@ struct sprd_i2c { + u32 count; + int irq; + int err; ++ bool is_suspended; + }; + + static void sprd_i2c_set_count(struct sprd_i2c *i2c_dev, u32 count) +@@ -283,6 +284,9 @@ static int sprd_i2c_master_xfer(struct i + struct sprd_i2c *i2c_dev = i2c_adap->algo_data; + int im, ret; + ++ if (i2c_dev->is_suspended) ++ return -EBUSY; ++ + ret = pm_runtime_get_sync(i2c_dev->dev); + if (ret < 0) + return ret; +@@ -586,11 +590,23 @@ static int sprd_i2c_remove(struct platfo + + static int __maybe_unused sprd_i2c_suspend_noirq(struct device *pdev) + { ++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev); ++ ++ i2c_lock_adapter(&i2c_dev->adap); ++ i2c_dev->is_suspended = true; ++ i2c_unlock_adapter(&i2c_dev->adap); ++ + return pm_runtime_force_suspend(pdev); + } + + static int __maybe_unused sprd_i2c_resume_noirq(struct device *pdev) + { ++ struct sprd_i2c *i2c_dev = dev_get_drvdata(pdev); ++ ++ i2c_lock_adapter(&i2c_dev->adap); ++ i2c_dev->is_suspended = false; ++ i2c_unlock_adapter(&i2c_dev->adap); ++ + return pm_runtime_force_resume(pdev); + } + 
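Review bot: The new `is_suspended` field of struct sprd_i2c is written under `i2c_lock_adapter()` in both noirq callbacks but read in sprd_i2c_master_xfer() with no lock visible in the hunk. If the I2C core holds the adapter lock around master_xfer (not shown here) the read is ordered against the write, but the field should state what protects it; otherwise a transfer could pass the check just before the controller is forced into suspend. I would document it at the declaration: `bool is_suspended; /* protected by the adapter lock; true between suspend_noirq and resume_noirq */`.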
diff --git a/queue-4.14/i2c-viperboard-return-message-count-on-master_xfer-success.patch b/queue-4.14/i2c-viperboard-return-message-count-on-master_xfer-success.patch new file mode 100644 index 00000000000..919994661bc --- /dev/null +++ b/queue-4.14/i2c-viperboard-return-message-count-on-master_xfer-success.patch @@ -0,0 +1,31 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Peter Rosin +Date: Wed, 9 May 2018 21:47:48 +0200 +Subject: i2c: viperboard: return message count on master_xfer success + +From: Peter Rosin + +[ Upstream commit 35cd67a0caf767aba472452865dcb4471fcce2b1 ] + +Returning zero is wrong in this case. + +Signed-off-by: Peter Rosin +Signed-off-by: Wolfram Sang +Fixes: 174a13aa8669 ("i2c: Add viperboard i2c master driver") +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/i2c/busses/i2c-viperboard.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/i2c/busses/i2c-viperboard.c ++++ b/drivers/i2c/busses/i2c-viperboard.c +@@ -337,7 +337,7 @@ static int vprbrd_i2c_xfer(struct i2c_ad + } + mutex_unlock(&vb->lock); + } +- return 0; ++ return num; + error: + mutex_unlock(&vb->lock); + return error; diff --git a/queue-4.14/ib-core-make-ib_mad_client_id-atomic.patch b/queue-4.14/ib-core-make-ib_mad_client_id-atomic.patch new file mode 100644 index 00000000000..a911056d694 --- /dev/null +++ b/queue-4.14/ib-core-make-ib_mad_client_id-atomic.patch 
@@ -0,0 +1,51 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: "Håkon Bugge" +Date: Wed, 18 Apr 2018 16:24:50 +0200 +Subject: IB/core: Make ib_mad_client_id atomic + +From: "Håkon Bugge" + +[ Upstream commit db82476f37413eaeff5f836a9d8b022d6544accf ] + +Currently, the kernel protects access to the agent ID allocator on a per +port basis using a spinlock, so it is impossible for two apps/threads on +the same port to get the same TID, but it is entirely possible for two +threads on different ports to end up with the same TID. + +As this can be confusing (regardless of it being legal according to the +IB Spec 1.3, C13-18.1.1, in section 13.4.6.4 - TransactionID usage), +and as the rdma-core user space API for /dev/umad devices implies unique +TIDs even across ports, make the TID an atomic type so that no two +allocations, regardless of port number, will be the same. + +Signed-off-by: HÃ¥kon Bugge +Reviewed-by: Jack Morgenstein +Reviewed-by: Ira Weiny +Reviewed-by: Zhu Yanjun +Signed-off-by: Doug Ledford +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/infiniband/core/mad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/core/mad.c ++++ b/drivers/infiniband/core/mad.c +@@ -60,7 +60,7 @@ module_param_named(recv_queue_size, mad_ + MODULE_PARM_DESC(recv_queue_size, "Size of receive queue in number of work requests"); + + static struct list_head ib_mad_port_list; +-static u32 ib_mad_client_id = 0; ++static atomic_t ib_mad_client_id = ATOMIC_INIT(0); + + /* Port list lock */ + static DEFINE_SPINLOCK(ib_mad_port_list_lock); +@@ -378,7 +378,7 @@ struct ib_mad_agent *ib_register_mad_age + } + + spin_lock_irqsave(&port_priv->reg_lock, flags); +- mad_agent_priv->agent.hi_tid = ++ib_mad_client_id; ++ mad_agent_priv->agent.hi_tid = atomic_inc_return(&ib_mad_client_id); + + /* + * Make sure MAD registration (if supplied) 
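Review bot: `atomic_inc_return(&ib_mad_client_id)` wraps like the plain counter it replaces, so the cross-port uniqueness the commit message promises holds only within one cycle of 2^32 registrations; after a wrap `hi_tid` can become 0 or repeat a value still held by a live agent. Whether that is reachable depends on how often agents are registered, for instance from user space through /dev/umad, which the hunk does not show. At minimum the limit should be stated at the declaration, e.g. `/* wraps; hi_tid is unique only among agents registered within one 2^32 cycle */`. ib_register_mad_agent() continues outside the hunk.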
diff --git a/queue-4.14/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch b/queue-4.14/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch new file mode 100644 index 00000000000..3fe44d464bd --- /dev/null +++ b/queue-4.14/ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch 
@@ -0,0 +1,72 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Sebastian Sanchez
+Date: Tue, 1 May 2018 05:36:13 -0700
+Subject: IB/hfi1: Fix memory leak in exception path in get_irq_affinity()
+
+From: Sebastian Sanchez
+
+[ Upstream commit 59482a14918b282ca2a98f38c69da5ebeb1107d2 ]
+
+When IRQ affinity is set and the interrupt type is unknown, a cpu
+mask allocated within the function is never freed. Fix this memory
+leak by allocating memory within the scope where it is used.
+
+Reviewed-by: Mike Marciniszyn
+Reviewed-by: Michael J. Ruhl
+Signed-off-by: Sebastian Sanchez
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/hfi1/affinity.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/affinity.c
++++ b/drivers/infiniband/hw/hfi1/affinity.c
+@@ -412,7 +412,6 @@ static void hfi1_cleanup_sdma_notifier(s
+ static int get_irq_affinity(struct hfi1_devdata *dd,
+ struct hfi1_msix_entry *msix)
+ {
+- int ret;
+ cpumask_var_t diff;
+ struct hfi1_affinity_node *entry;
+ struct cpu_mask_set *set = NULL;
+@@ -424,10 +423,6 @@ static int get_irq_affinity(struct hfi1_
+ extra[0] = '\0';
+ cpumask_clear(&msix->mask);
+
+- ret = zalloc_cpumask_var(&diff, GFP_KERNEL);
+- if (!ret)
+- return -ENOMEM;
+-
+ entry = node_affinity_lookup(dd->node);
+
+ switch (msix->type) {
+@@ -458,6 +453,9 @@ static int get_irq_affinity(struct hfi1_
+ * finds its CPU here.
+ */
+ if (cpu == -1 && set) {
++ if (!zalloc_cpumask_var(&diff, GFP_KERNEL))
++ return -ENOMEM;
++
+ if (cpumask_equal(&set->mask, &set->used)) {
+ /*
+ * We've used up all the CPUs, bump up the generation
+@@ -469,6 +467,8 @@ static int get_irq_affinity(struct hfi1_
+ cpumask_andnot(diff, &set->mask, &set->used);
+ cpu = cpumask_first(diff);
+ cpumask_set_cpu(cpu, &set->used);
++
++ free_cpumask_var(diff);
+ }
+
+ cpumask_set_cpu(cpu, &msix->mask);
+@@ -482,7 +482,6 @@ static int get_irq_affinity(struct hfi1_
+ hfi1_setup_sdma_notifier(msix);
+ }
+
+- free_cpumask_var(diff);
+ return 0;
+ }
+
diff --git a/queue-4.14/ib-hfi1-use-correct-type-for-num_user_context.patch b/queue-4.14/ib-hfi1-use-correct-type-for-num_user_context.patch
new file mode 100644
index 00000000000..ef90b20546b
--- /dev/null
+++ b/queue-4.14/ib-hfi1-use-correct-type-for-num_user_context.patch
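Review bot: In the inner hunk at -469, `cpu = cpumask_first(diff)` is passed straight to `cpumask_set_cpu(cpu, &set->used)` with no range check. If `set->mask` were ever empty, `cpumask_andnot()` would leave `diff` empty and `cpumask_first()` would return a value >= `nr_cpu_ids`, which is then used as a bit index here and in the following `cpumask_set_cpu(cpu, &msix->mask)`. Whether an empty mask can reach this point is not visible from the hunks, so this may already be guaranteed elsewhere. If it is not, a guard such as `if (cpu >= nr_cpu_ids) { free_cpumask_var(diff); return -EINVAL; }` right after the lookup would keep the failure explicit. get_irq_affinity() is only partly shown by these hunks.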
@@ -0,0 +1,39 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Michael J. Ruhl"
+Date: Tue, 1 May 2018 05:35:43 -0700
+Subject: IB/hfi1 Use correct type for num_user_context
+
+From: "Michael J. Ruhl"
+
+[ Upstream commit 5da9e742be44d9b7c68b1bf6e1aaf46a1aa7a52b ]
+
+The module parameter num_user_context is defined as 'int' and
+defaults to -1. The module_param_named() says that it is uint.
+
+Correct module_param_named() type information and update the modinfo
+text to reflect the default value.
+
+Reviewed-by: Dennis Dalessandro
+Signed-off-by: Michael J. Ruhl
+Signed-off-by: Dennis Dalessandro
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/hfi1/init.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/hfi1/init.c
++++ b/drivers/infiniband/hw/hfi1/init.c
+@@ -88,9 +88,9 @@
+ * pio buffers per ctxt, etc.) Zero means use one user context per CPU.
+ */
+ int num_user_contexts = -1;
+-module_param_named(num_user_contexts, num_user_contexts, uint, S_IRUGO);
++module_param_named(num_user_contexts, num_user_contexts, int, 0444);
+ MODULE_PARM_DESC(
+- num_user_contexts, "Set max number of user contexts to use");
++ num_user_contexts, "Set max number of user contexts to use (default: -1 will use the real (non-HT) CPU count)");
+
+ uint krcvqs[RXE_NUM_DATA_VL];
+ int krcvqsset;
diff --git a/queue-4.14/ib-make-infiniband_addr_trans-configurable.patch b/queue-4.14/ib-make-infiniband_addr_trans-configurable.patch
new file mode 100644
index 00000000000..27ad1d6b12d
--- /dev/null
+++ b/queue-4.14/ib-make-infiniband_addr_trans-configurable.patch
@@ -0,0 +1,38 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Greg Thelen
+Date: Thu, 26 Apr 2018 11:19:35 -0700
+Subject: IB: make INFINIBAND_ADDR_TRANS configurable
+
+From: Greg Thelen
+
+[ Upstream commit f7cb7b85be55a4906b4b4b30596db1043dae6335 ]
+
+Allow INFINIBAND without INFINIBAND_ADDR_TRANS because fuzzing has been
+finding fair number of CM bugs. So provide option to disable it.
+
+Signed-off-by: Greg Thelen
+Cc: Tarick Bedeir
+Reviewed-by: Bart Van Assche
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/Kconfig | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/Kconfig
++++ b/drivers/infiniband/Kconfig
+@@ -60,9 +60,12 @@ config INFINIBAND_ON_DEMAND_PAGING
+ pages on demand instead.
+
+ config INFINIBAND_ADDR_TRANS
+- bool
++ bool "RDMA/CM"
+ depends on INFINIBAND
+ default y
++ ---help---
++ Support for RDMA communication manager (CM).
++ This allows for a generic connection abstraction over RDMA.
+
+ config INFINIBAND_ADDR_TRANS_CONFIGFS
+ bool
diff --git a/queue-4.14/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch b/queue-4.14/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch
new file mode 100644
index 00000000000..72209b099c9
--- /dev/null
+++ b/queue-4.14/ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch
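Review bot: The new help text under `config INFINIBAND_ADDR_TRANS` says what RDMA/CM is but not what turning it off does, which is the reason the option was made visible. A reader choosing between y and n would be helped by one more help line, for example `If unsure, say Y. Saying N removes the RDMA CM code and the options that depend on it.` The option keeps `default y`, so existing configurations are unchanged and the reduced configuration has to be chosen deliberately.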
@@ -0,0 +1,39 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jianchao Wang
+Date: Thu, 26 Apr 2018 11:52:39 +0800
+Subject: IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV
+
+From: Jianchao Wang
+
+[ Upstream commit 2da36d44a9d54a2c6e1f8da1f7ccc26b0bc6cfec ]
+
+w/o RXE_START_MASK, the last_psn of IB_OPCODE_RC_SEND_ONLY_INV
+will not be updated in update_wqe_psn, and the corresponding
+wqe will not be acked in rxe_completer due to its last_psn is
+zero. Finally, the other wqe will also not be able to be acked,
+because the wqe of IB_OPCODE_RC_SEND_ONLY_INV with last_psn 0
+is still there. This causes large amount of io timeout when
+nvmeof is over rxe.
+
+Add RXE_START_MASK for IB_OPCODE_RC_SEND_ONLY_INV to fix this.
+
+Signed-off-by: Jianchao Wang
+Reviewed-by: Zhu Yanjun
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/sw/rxe/rxe_opcode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_opcode.c
++++ b/drivers/infiniband/sw/rxe/rxe_opcode.c
+@@ -390,7 +390,7 @@ struct rxe_opcode_info rxe_opcode[RXE_NU
+ .name = "IB_OPCODE_RC_SEND_ONLY_INV",
+ .mask = RXE_IETH_MASK | RXE_PAYLOAD_MASK | RXE_REQ_MASK
+ | RXE_COMP_MASK | RXE_RWR_MASK | RXE_SEND_MASK
+- | RXE_END_MASK,
++ | RXE_END_MASK | RXE_START_MASK,
+ .length = RXE_BTH_BYTES + RXE_IETH_BYTES,
+ .offset = {
+ [RXE_BTH] = 0,
diff --git a/queue-4.14/ib-rxe-avoid-double-kfree_skb.patch b/queue-4.14/ib-rxe-avoid-double-kfree_skb.patch
new file mode 100644
index 00000000000..852e7633981
--- /dev/null
+++ b/queue-4.14/ib-rxe-avoid-double-kfree_skb.patch
@@ -0,0 +1,97 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Zhu Yanjun
+Date: Thu, 26 Apr 2018 00:41:10 -0400
+Subject: IB/rxe: avoid double kfree_skb
+
+From: Zhu Yanjun
+
+[ Upstream commit 9fd4350ba8953804f05215999e11a6cfb7b41f2b ]
+
+When skb is sent, it will pass the following functions in soft roce.
+
+rxe_send [rdma_rxe]
+ ip_local_out
+ __ip_local_out
+ ip_output
+ ip_finish_output
+ ip_finish_output2
+ dev_queue_xmit
+ __dev_queue_xmit
+ dev_hard_start_xmit
+
+In the above functions, if error occurs in the above functions or
+iptables rules drop skb after ip_local_out, kfree_skb will be called.
+So it is not necessary to call kfree_skb in soft roce module again.
+Or else crash will occur.
+
+The steps to reproduce:
+
+ server client
+ --------- ---------
+ |1.1.1.1|<----rxe-channel--->|1.1.1.2|
+ --------- ---------
+
+On server: rping -s -a 1.1.1.1 -v -C 10000 -S 512
+On client: rping -c -a 1.1.1.1 -v -C 10000 -S 512
+
+The kernel configs CONFIG_DEBUG_KMEMLEAK and
+CONFIG_DEBUG_OBJECTS are enabled on both server and client.
+
+When rping runs, run the following command in server:
+
+iptables -I OUTPUT -p udp --dport 4791 -j DROP
+
+Without this patch, crash will occur.
+
+CC: Srinivas Eeda
+CC: Junxiao Bi
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Yuval Shaia
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/sw/rxe/rxe_req.c | 1 -
+ drivers/infiniband/sw/rxe/rxe_resp.c | 6 +-----
+ 2 files changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/infiniband/sw/rxe/rxe_req.c
++++ b/drivers/infiniband/sw/rxe/rxe_req.c
+@@ -728,7 +728,6 @@ next_wqe:
+ rollback_state(wqe, qp, &rollback_wqe, rollback_psn);
+
+ if (ret == -EAGAIN) {
+- kfree_skb(skb);
+ rxe_run_task(&qp->req.task, 1);
+ goto exit;
+ }
+--- a/drivers/infiniband/sw/rxe/rxe_resp.c
++++ b/drivers/infiniband/sw/rxe/rxe_resp.c
+@@ -742,7 +742,6 @@ static enum resp_states read_reply(struc
+ err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
+ if (err) {
+ pr_err("Failed sending RDMA reply.\n");
+- kfree_skb(skb);
+ return RESPST_ERR_RNR;
+ }
+
+@@ -955,10 +954,8 @@ static int send_ack(struct rxe_qp *qp, s
+ }
+
+ err = rxe_xmit_packet(rxe, qp, &ack_pkt, skb);
+- if (err) {
++ if (err)
+ pr_err_ratelimited("Failed sending ack\n");
+- kfree_skb(skb);
+- }
+
+ err1:
+ return err;
+@@ -1151,7 +1148,6 @@ static enum resp_states duplicate_reques
+ if (rc) {
+ pr_err("Failed resending result. This flow is not handled - skb ignored\n");
+ rxe_drop_ref(qp);
+- kfree_skb(skb_copy);
+ rc = RESPST_CLEANUP;
+ goto out;
+ }
diff --git a/queue-4.14/ib-uverbs-fix-validating-mandatory-attributes.patch b/queue-4.14/ib-uverbs-fix-validating-mandatory-attributes.patch
new file mode 100644
index 00000000000..399b865fb10
--- /dev/null
+++ b/queue-4.14/ib-uverbs-fix-validating-mandatory-attributes.patch
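Review bot: Dropping `kfree_skb(skb)` after a failed `rxe_xmit_packet()` in read_reply(), send_ack() and duplicate_request(), and on the `-EAGAIN` path in rxe_req.c, is only safe if every error return of the transmit path has already consumed the skb. The commit message covers failures at or below ip_local_out(); any error returned before the skb is handed to the IP stack would now leak it. The transmit helpers are not part of this patch, so that cannot be confirmed here. The ownership rule should be written down at the call sites, e.g. `/* rxe_xmit_packet() consumes skb on failure as well; do not free it here */`, and the helpers' early-return paths audited against it. All four functions start and end outside their hunks.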
@@ -0,0 +1,40 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Matan Barak
+Date: Tue, 24 Apr 2018 08:15:20 +0000
+Subject: IB/uverbs: Fix validating mandatory attributes
+
+From: Matan Barak
+
+[ Upstream commit f604db645a66b7ba4f21c426fe73253928dada41 ]
+
+Previously, if a method contained mandatory attributes in a namespace
+that wasn't given by the user, these attributes weren't validated.
+Fixing this by iterating over all specification namespaces.
+
+Fixes: fac9658cabb9 ("IB/core: Add new ioctl interface")
+Signed-off-by: Matan Barak
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/uverbs_ioctl.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/infiniband/core/uverbs_ioctl.c
++++ b/drivers/infiniband/core/uverbs_ioctl.c
+@@ -191,6 +191,15 @@ static int uverbs_validate_kernel_mandat
+ return -EINVAL;
+ }
+
++ for (; i < method_spec->num_buckets; i++) {
++ struct uverbs_attr_spec_hash *attr_spec_bucket =
++ method_spec->attr_buckets[i];
++
++ if (!bitmap_empty(attr_spec_bucket->mandatory_attrs_bitmask,
++ attr_spec_bucket->num_attrs))
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
diff --git a/queue-4.14/ib_srp-depend-on-infiniband_addr_trans.patch b/queue-4.14/ib_srp-depend-on-infiniband_addr_trans.patch
new file mode 100644
index 00000000000..4bccdb527c4
--- /dev/null
+++ b/queue-4.14/ib_srp-depend-on-infiniband_addr_trans.patch
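Review bot: The added `for (; i < method_spec->num_buckets; i++)` loop depends on `i` still holding the final value of a loop that lies above the hunk, and it dereferences `method_spec->attr_buckets[i]` without a NULL check. If that earlier loop can stop early other than by returning, or a bucket slot can be unpopulated, some namespaces would be skipped or a NULL pointer dereferenced while validating attributes that come from the user; neither can be settled from the visible lines. A comment such as `/* i continues after the user-supplied buckets: remaining spec namespaces must have no mandatory attributes */`, plus `if (!attr_spec_bucket) continue;` if empty slots are possible, would make the assumption explicit. The start of the function is outside the hunk.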
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Greg Thelen
+Date: Thu, 26 Apr 2018 11:19:34 -0700
+Subject: ib_srp: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen
+
+[ Upstream commit 5a3bc8a4abbd2d553430218d3a320400dce811b7 ]
+
+INFINIBAND_SRP code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen
+Cc: Tarick Bedeir
+Reviewed-by: Bart Van Assche
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/ulp/srp/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srp/Kconfig
++++ b/drivers/infiniband/ulp/srp/Kconfig
+@@ -1,6 +1,6 @@
+ config INFINIBAND_SRP
+ tristate "InfiniBand SCSI RDMA Protocol"
+- depends on SCSI
++ depends on SCSI && INFINIBAND_ADDR_TRANS
+ select SCSI_SRP_ATTRS
+ ---help---
+ Support for the SCSI RDMA Protocol over InfiniBand. This
diff --git a/queue-4.14/ib_srpt-depend-on-infiniband_addr_trans.patch b/queue-4.14/ib_srpt-depend-on-infiniband_addr_trans.patch
new file mode 100644
index 00000000000..683860571b7
--- /dev/null
+++ b/queue-4.14/ib_srpt-depend-on-infiniband_addr_trans.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Greg Thelen
+Date: Thu, 26 Apr 2018 11:19:32 -0700
+Subject: ib_srpt: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen
+
+[ Upstream commit 346a47b65d10e450778ec0d21e4a9409f25daaa8 ]
+
+INFINIBAND_SRPT code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen
+Cc: Tarick Bedeir
+Reviewed-by: Bart Van Assche
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/ulp/srpt/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/ulp/srpt/Kconfig
++++ b/drivers/infiniband/ulp/srpt/Kconfig
+@@ -1,6 +1,6 @@
+ config INFINIBAND_SRPT
+ tristate "InfiniBand SCSI RDMA Protocol target support"
+- depends on INFINIBAND && TARGET_CORE
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && TARGET_CORE
+ ---help---
+
+ Support for the SCSI RDMA Protocol (SRP) Target driver. The
diff --git a/queue-4.14/init-fix-false-positives-in-w-x-checking.patch b/queue-4.14/init-fix-false-positives-in-w-x-checking.patch
new file mode 100644
index 00000000000..6643772dca4
--- /dev/null
+++ b/queue-4.14/init-fix-false-positives-in-w-x-checking.patch
@@ -0,0 +1,80 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jeffrey Hugo
+Date: Fri, 11 May 2018 16:01:42 -0700
+Subject: init: fix false positives in W+X checking
+
+From: Jeffrey Hugo
+
+[ Upstream commit ae646f0b9ca135b87bc73ff606ef996c3029780a ]
+
+load_module() creates W+X mappings via __vmalloc_node_range() (from
+layout_and_allocate()->move_module()->module_alloc()) by using
+PAGE_KERNEL_EXEC. These mappings are later cleaned up via
+"call_rcu_sched(&freeinit->rcu, do_free_init)" from do_init_module().
+
+This is a problem because call_rcu_sched() queues work, which can be run
+after debug_checkwx() is run, resulting in a race condition. If hit,
+the race results in a nasty splat about insecure W+X mappings, which
+results in a poor user experience as these are not the mappings that
+debug_checkwx() is intended to catch.
+
+This issue is observed on multiple arm64 platforms, and has been
+artificially triggered on an x86 platform.
+
+Address the race by flushing the queued work before running the
+arch-defined mark_rodata_ro() which then calls debug_checkwx().
+
+Link: http://lkml.kernel.org/r/1525103946-29526-1-git-send-email-jhugo@codeaurora.org
+Fixes: e1a58320a38d ("x86/mm: Warn on W^X mappings")
+Signed-off-by: Jeffrey Hugo
+Reported-by: Timur Tabi
+Reported-by: Jan Glauber
+Acked-by: Kees Cook
+Acked-by: Ingo Molnar
+Acked-by: Will Deacon
+Acked-by: Laura Abbott
+Cc: Mark Rutland
+Cc: Ard Biesheuvel
+Cc: Catalin Marinas
+Cc: Stephen Smalley
+Cc: Thomas Gleixner
+Cc: Peter Zijlstra
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ init/main.c | 7 +++++++
+ kernel/module.c | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+--- a/init/main.c
++++ b/init/main.c
+@@ -974,6 +974,13 @@ __setup("rodata=", set_debug_rodata);
+ static void mark_readonly(void)
+ {
+ if (rodata_enabled) {
++ /*
++ * load_module() results in W+X mappings, which are cleaned up
++ * with call_rcu_sched(). Let's make sure that queued work is
++ * flushed so that we don't hit false positives looking for
++ * insecure pages which are W+X.
++ */
++ rcu_barrier_sched();
+ mark_rodata_ro();
+ rodata_test();
+ } else
+--- a/kernel/module.c
++++ b/kernel/module.c
+@@ -3506,6 +3506,11 @@ static noinline int do_init_module(struc
+ * walking this with preempt disabled. In all the failure paths, we
+ * call synchronize_sched(), but we don't want to slow down the success
+ * path, so use actual RCU here.
++ * Note that module_alloc() on most architectures creates W+X page
++ * mappings which won't be cleaned up until do_free_init() runs. Any
++ * code such as mark_rodata_ro() which depends on those mappings to
++ * be cleaned up needs to sync with the queued work - ie
++ * rcu_barrier_sched()
+ */
+ call_rcu_sched(&freeinit->rcu, do_free_init);
+ mutex_unlock(&module_mutex);
diff --git a/queue-4.14/input-atmel_mxt_ts-fix-the-firmware-update.patch b/queue-4.14/input-atmel_mxt_ts-fix-the-firmware-update.patch
new file mode 100644
index 00000000000..b1549b3f9ae
--- /dev/null
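Review bot: `rcu_barrier_sched()` in mark_readonly() waits only for callbacks that were already queued when it is called. A module whose do_init_module() reaches `call_rcu_sched(&freeinit->rcu, do_free_init)` after the barrier returns, but before the arch code runs its W+X scan, can still produce the same report. Whether module loading can overlap this point in boot is not visible here, so the window may be theoretical. The added comment should say that the barrier narrows the window rather than closes it, e.g. `* Modules loaded after this barrier are not covered.`, so that a later W+X report is still investigated and not dismissed as the known false positive. Both functions extend beyond their hunks.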
+++ b/queue-4.14/input-atmel_mxt_ts-fix-the-firmware-update.patch 
@@ -0,0 +1,412 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Nick Dyer +Date: Tue, 1 May 2018 11:40:18 -0700 +Subject: Input: atmel_mxt_ts - fix the firmware update + +From: Nick Dyer + +[ Upstream commit 068bdb67ef74df0ad1627b7247a163e3e252ac11 ] + +The automatic update mechanism will trigger an update if the +info block CRCs are different between maxtouch configuration +file (maxtouch.cfg) and chip. + +The driver compared the CRCs without retrieving the chip CRC, +resulting always in a failure and firmware flashing action +triggered. Fix this issue by retrieving the chip info block +CRC before the check. + +Note that this solution has the benefit that by reading the +information block and the object table into a contiguous region +of memory, we can verify the checksum at probe time. This means +we make sure that we are indeed talking to a chip that supports +object protocol correctly. + +Using this patch on a kevin chromebook, the touchscreen and +touchpad drivers are able to match the CRC: + + atmel_mxt_ts 3-004b: Family: 164 Variant: 14 Firmware V2.3.AA Objects: 40 + atmel_mxt_ts 5-004a: Family: 164 Variant: 17 Firmware V2.0.AA Objects: 31 + atmel_mxt_ts 3-004b: Resetting device + atmel_mxt_ts 5-004a: Resetting device + atmel_mxt_ts 3-004b: Config CRC 0x573E89: OK + atmel_mxt_ts 3-004b: Touchscreen size X4095Y2729 + input: Atmel maXTouch Touchscreen as /devices/platform/ff130000.i2c/i2c-3/3-004b/input/input5 + atmel_mxt_ts 5-004a: Config CRC 0x0AF6BA: OK + atmel_mxt_ts 5-004a: Touchscreen size X1920Y1080 + input: Atmel maXTouch Touchpad as /devices/platform/ff140000.i2c/i2c-5/5-004a/input/input6 + +Signed-off-by: Nick Dyer +Acked-by: Benson Leung +[Ezequiel: minor patch massage] +Signed-off-by: Ezequiel Garcia +Tested-by: Sebastian Reichel +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 186 ++++++++++++++++++------------- + 1 file changed, 110 insertions(+), 
76 deletions(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -275,7 +275,8 @@ struct mxt_data { + char phys[64]; /* device physical location */ + const struct mxt_platform_data *pdata; + struct mxt_object *object_table; +- struct mxt_info info; ++ struct mxt_info *info; ++ void *raw_info_block; + unsigned int irq; + unsigned int max_x; + unsigned int max_y; +@@ -450,12 +451,13 @@ static int mxt_lookup_bootloader_address + { + u8 appmode = data->client->addr; + u8 bootloader; ++ u8 family_id = data->info ? data->info->family_id : 0; + + switch (appmode) { + case 0x4a: + case 0x4b: + /* Chips after 1664S use different scheme */ +- if (retry || data->info.family_id >= 0xa2) { ++ if (retry || family_id >= 0xa2) { + bootloader = appmode - 0x24; + break; + } +@@ -682,7 +684,7 @@ mxt_get_object(struct mxt_data *data, u8 + struct mxt_object *object; + int i; + +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + object = data->object_table + i; + if (object->type == type) + return object; +@@ -1453,12 +1455,12 @@ static int mxt_update_cfg(struct mxt_dat + data_pos += offset; + } + +- if (cfg_info.family_id != data->info.family_id) { ++ if (cfg_info.family_id != data->info->family_id) { + dev_err(dev, "Family ID mismatch!\n"); + return -EINVAL; + } + +- if (cfg_info.variant_id != data->info.variant_id) { ++ if (cfg_info.variant_id != data->info->variant_id) { + dev_err(dev, "Variant ID mismatch!\n"); + return -EINVAL; + } +@@ -1503,7 +1505,7 @@ static int mxt_update_cfg(struct mxt_dat + + /* Malloc memory to store configuration */ + cfg_start_ofs = MXT_OBJECT_START + +- data->info.object_num * sizeof(struct mxt_object) + ++ data->info->object_num * sizeof(struct mxt_object) + + MXT_INFO_CHECKSUM_SIZE; + config_mem_size = data->mem_size - cfg_start_ofs; + config_mem = kzalloc(config_mem_size, GFP_KERNEL); +@@ -1554,20 +1556,6 @@ release_mem: + return ret; + } + +-static 
int mxt_get_info(struct mxt_data *data) +-{ +- struct i2c_client *client = data->client; +- struct mxt_info *info = &data->info; +- int error; +- +- /* Read 7-byte info block starting at address 0 */ +- error = __mxt_read_reg(client, 0, sizeof(*info), info); +- if (error) +- return error; +- +- return 0; +-} +- + static void mxt_free_input_device(struct mxt_data *data) + { + if (data->input_dev) { +@@ -1582,9 +1570,10 @@ static void mxt_free_object_table(struct + video_unregister_device(&data->dbg.vdev); + v4l2_device_unregister(&data->dbg.v4l2); + #endif +- +- kfree(data->object_table); + data->object_table = NULL; ++ data->info = NULL; ++ kfree(data->raw_info_block); ++ data->raw_info_block = NULL; + kfree(data->msg_buf); + data->msg_buf = NULL; + data->T5_address = 0; +@@ -1600,34 +1589,18 @@ static void mxt_free_object_table(struct + data->max_reportid = 0; + } + +-static int mxt_get_object_table(struct mxt_data *data) ++static int mxt_parse_object_table(struct mxt_data *data, ++ struct mxt_object *object_table) + { + struct i2c_client *client = data->client; +- size_t table_size; +- struct mxt_object *object_table; +- int error; + int i; + u8 reportid; + u16 end_address; + +- table_size = data->info.object_num * sizeof(struct mxt_object); +- object_table = kzalloc(table_size, GFP_KERNEL); +- if (!object_table) { +- dev_err(&data->client->dev, "Failed to allocate memory\n"); +- return -ENOMEM; +- } +- +- error = __mxt_read_reg(client, MXT_OBJECT_START, table_size, +- object_table); +- if (error) { +- kfree(object_table); +- return error; +- } +- + /* Valid Report IDs start counting from 1 */ + reportid = 1; + data->mem_size = 0; +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + struct mxt_object *object = object_table + i; + u8 min_id, max_id; + +@@ -1651,8 +1624,8 @@ static int mxt_get_object_table(struct m + + switch (object->type) { + case MXT_GEN_MESSAGE_T5: +- if (data->info.family_id == 0x80 && +- 
data->info.version < 0x20) { ++ if (data->info->family_id == 0x80 && ++ data->info->version < 0x20) { + /* + * On mXT224 firmware versions prior to V2.0 + * read and discard unused CRC byte otherwise +@@ -1707,24 +1680,102 @@ static int mxt_get_object_table(struct m + /* If T44 exists, T5 position has to be directly after */ + if (data->T44_address && (data->T5_address != data->T44_address + 1)) { + dev_err(&client->dev, "Invalid T44 position\n"); +- error = -EINVAL; +- goto free_object_table; ++ return -EINVAL; + } + + data->msg_buf = kcalloc(data->max_reportid, + data->T5_msg_size, GFP_KERNEL); +- if (!data->msg_buf) { +- dev_err(&client->dev, "Failed to allocate message buffer\n"); ++ if (!data->msg_buf) ++ return -ENOMEM; ++ ++ return 0; ++} ++ ++static int mxt_read_info_block(struct mxt_data *data) ++{ ++ struct i2c_client *client = data->client; ++ int error; ++ size_t size; ++ void *id_buf, *buf; ++ uint8_t num_objects; ++ u32 calculated_crc; ++ u8 *crc_ptr; ++ ++ /* If info block already allocated, free it */ ++ if (data->raw_info_block) ++ mxt_free_object_table(data); ++ ++ /* Read 7-byte ID information block starting at address 0 */ ++ size = sizeof(struct mxt_info); ++ id_buf = kzalloc(size, GFP_KERNEL); ++ if (!id_buf) ++ return -ENOMEM; ++ ++ error = __mxt_read_reg(client, 0, size, id_buf); ++ if (error) ++ goto err_free_mem; ++ ++ /* Resize buffer to give space for rest of info block */ ++ num_objects = ((struct mxt_info *)id_buf)->object_num; ++ size += (num_objects * sizeof(struct mxt_object)) ++ + MXT_INFO_CHECKSUM_SIZE; ++ ++ buf = krealloc(id_buf, size, GFP_KERNEL); ++ if (!buf) { + error = -ENOMEM; +- goto free_object_table; ++ goto err_free_mem; ++ } ++ id_buf = buf; ++ ++ /* Read rest of info block */ ++ error = __mxt_read_reg(client, MXT_OBJECT_START, ++ size - MXT_OBJECT_START, ++ id_buf + MXT_OBJECT_START); ++ if (error) ++ goto err_free_mem; ++ ++ /* Extract & calculate checksum */ ++ crc_ptr = id_buf + size - MXT_INFO_CHECKSUM_SIZE; ++ 
data->info_crc = crc_ptr[0] | (crc_ptr[1] << 8) | (crc_ptr[2] << 16); ++ ++ calculated_crc = mxt_calculate_crc(id_buf, 0, ++ size - MXT_INFO_CHECKSUM_SIZE); ++ ++ /* ++ * CRC mismatch can be caused by data corruption due to I2C comms ++ * issue or else device is not using Object Based Protocol (eg i2c-hid) ++ */ ++ if ((data->info_crc == 0) || (data->info_crc != calculated_crc)) { ++ dev_err(&client->dev, ++ "Info Block CRC error calculated=0x%06X read=0x%06X\n", ++ calculated_crc, data->info_crc); ++ error = -EIO; ++ goto err_free_mem; ++ } ++ ++ data->raw_info_block = id_buf; ++ data->info = (struct mxt_info *)id_buf; ++ ++ dev_info(&client->dev, ++ "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n", ++ data->info->family_id, data->info->variant_id, ++ data->info->version >> 4, data->info->version & 0xf, ++ data->info->build, data->info->object_num); ++ ++ /* Parse object table information */ ++ error = mxt_parse_object_table(data, id_buf + MXT_OBJECT_START); ++ if (error) { ++ dev_err(&client->dev, "Error %d parsing object table\n", error); ++ mxt_free_object_table(data); ++ goto err_free_mem; + } + +- data->object_table = object_table; ++ data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START); + + return 0; + +-free_object_table: +- mxt_free_object_table(data); ++err_free_mem: ++ kfree(id_buf); + return error; + } + +@@ -2039,7 +2090,7 @@ static int mxt_initialize(struct mxt_dat + int error; + + while (1) { +- error = mxt_get_info(data); ++ error = mxt_read_info_block(data); + if (!error) + break; + +@@ -2070,16 +2121,9 @@ static int mxt_initialize(struct mxt_dat + msleep(MXT_FW_RESET_TIME); + } + +- /* Get object table information */ +- error = mxt_get_object_table(data); +- if (error) { +- dev_err(&client->dev, "Error %d reading object table\n", error); +- return error; +- } +- + error = mxt_acquire_irq(data); + if (error) +- goto err_free_object_table; ++ return error; + + error = request_firmware_nowait(THIS_MODULE, true, 
MXT_CFG_NAME, + &client->dev, GFP_KERNEL, data, +@@ -2087,14 +2131,10 @@ static int mxt_initialize(struct mxt_dat + if (error) { + dev_err(&client->dev, "Failed to invoke firmware loader: %d\n", + error); +- goto err_free_object_table; ++ return error; + } + + return 0; +- +-err_free_object_table: +- mxt_free_object_table(data); +- return error; + } + + static int mxt_set_t7_power_cfg(struct mxt_data *data, u8 sleep) +@@ -2155,7 +2195,7 @@ recheck: + static u16 mxt_get_debug_value(struct mxt_data *data, unsigned int x, + unsigned int y) + { +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + struct mxt_dbg *dbg = &data->dbg; + unsigned int ofs, page; + unsigned int col = 0; +@@ -2483,7 +2523,7 @@ static const struct video_device mxt_vid + + static void mxt_debug_init(struct mxt_data *data) + { +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + struct mxt_dbg *dbg = &data->dbg; + struct mxt_object *object; + int error; +@@ -2569,7 +2609,6 @@ static int mxt_configure_objects(struct + const struct firmware *cfg) + { + struct device *dev = &data->client->dev; +- struct mxt_info *info = &data->info; + int error; + + error = mxt_init_t7_power_cfg(data); +@@ -2594,11 +2633,6 @@ static int mxt_configure_objects(struct + + mxt_debug_init(data); + +- dev_info(dev, +- "Family: %u Variant: %u Firmware V%u.%u.%02X Objects: %u\n", +- info->family_id, info->variant_id, info->version >> 4, +- info->version & 0xf, info->build, info->object_num); +- + return 0; + } + +@@ -2607,7 +2641,7 @@ static ssize_t mxt_fw_version_show(struc + struct device_attribute *attr, char *buf) + { + struct mxt_data *data = dev_get_drvdata(dev); +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + return scnprintf(buf, PAGE_SIZE, "%u.%u.%02X\n", + info->version >> 4, info->version & 0xf, info->build); + } +@@ -2617,7 +2651,7 @@ static ssize_t mxt_hw_version_show(struc + struct device_attribute *attr, char *buf) + { + 
struct mxt_data *data = dev_get_drvdata(dev); +- struct mxt_info *info = &data->info; ++ struct mxt_info *info = data->info; + return scnprintf(buf, PAGE_SIZE, "%u.%u\n", + info->family_id, info->variant_id); + } +@@ -2656,7 +2690,7 @@ static ssize_t mxt_object_show(struct de + return -ENOMEM; + + error = 0; +- for (i = 0; i < data->info.object_num; i++) { ++ for (i = 0; i < data->info->object_num; i++) { + object = data->object_table + i; + + if (!mxt_object_readable(object->type)) diff --git a/queue-4.14/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch b/queue-4.14/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch new file mode 100644 index 00000000000..89ae4df7b37 --- /dev/null +++ b/queue-4.14/input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch 
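Review bot: In the new mxt_read_info_block(), the failure branch after `mxt_parse_object_table()` calls `mxt_free_object_table(data)` and then jumps to `err_free_mem`, which does `kfree(id_buf)`. By then `data->raw_info_block` has been set to `id_buf`, and the reworked mxt_free_object_table() frees `data->raw_info_block`, so the same buffer is freed twice. Replacing that `goto err_free_mem;` with `return error;` leaves the single free in mxt_free_object_table(). Separately, `data->info` is now a pointer that stays NULL until the info block has been read, and mxt_fw_version_show(), mxt_hw_version_show() and mxt_get_object() dereference it unguarded. Whether they can run in that state is not visible in these hunks, but mxt_lookup_bootloader_address() already guards with `data->info ? data->info->family_id : 0`.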
@@ -0,0 +1,40 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Christophe JAILLET
+Date: Fri, 6 Apr 2018 15:36:11 -0700
+Subject: Input: synaptics-rmi4 - fix an unchecked out of memory error path
+
+From: Christophe JAILLET
+
+[ Upstream commit 839c42273617787318da7baf6151d553108f5e17 ]
+
+When extending the rmi_spi buffers, we must check that no out of memory
+error occurs, otherwise we may access data above the currently allocated
+memory.
+
+Propagate the error code returned by 'rmi_spi_manage_pools()' instead.
+
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Andrew Duggan
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/rmi4/rmi_spi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/rmi4/rmi_spi.c
++++ b/drivers/input/rmi4/rmi_spi.c
+@@ -147,8 +147,11 @@ static int rmi_spi_xfer(struct rmi_spi_x
+ if (len > RMI_SPI_XFER_SIZE_LIMIT)
+ return -EINVAL;
+
+- if (rmi_spi->xfer_buf_size < len)
+- rmi_spi_manage_pools(rmi_spi, len);
++ if (rmi_spi->xfer_buf_size < len) {
++ ret = rmi_spi_manage_pools(rmi_spi, len);
++ if (ret < 0)
++ return ret;
++ }
+
+ if (addr == 0)
+ /*
diff --git a/queue-4.14/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch b/queue-4.14/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch
new file mode 100644
index 00000000000..2948ebe1d60
--- /dev/null
+++ b/queue-4.14/iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch
@@ -0,0 +1,74 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Changbin Du +Date: Fri, 20 Apr 2018 13:29:55 +0800 +Subject: iommu/vt-d: fix shift-out-of-bounds in bug checking + +From: Changbin Du + +[ Upstream commit 0dfc0c792d691f8056f38b5c30789f504be0e467 ] + +It allows to flush more than 4GB of device TLBs. So the mask should be +64bit wide. UBSAN captured this fault as below. + +[ 3.760024] ================================================================================ +[ 3.768440] UBSAN: Undefined behaviour in drivers/iommu/dmar.c:1348:3 +[ 3.774864] shift exponent 64 is too large for 32-bit type 'int' +[ 3.780853] CPU: 2 PID: 0 Comm: swapper/2 Tainted: G U 4.17.0-rc1+ #89 +[ 3.788661] Hardware name: Dell Inc. OptiPlex 7040/0Y7WYT, BIOS 1.2.8 01/26/2016 +[ 3.796034] Call Trace: +[ 3.798472] +[ 3.800479] dump_stack+0x90/0xfb +[ 3.803787] ubsan_epilogue+0x9/0x40 +[ 3.807353] __ubsan_handle_shift_out_of_bounds+0x10e/0x170 +[ 3.812916] ? qi_flush_dev_iotlb+0x124/0x180 +[ 3.817261] qi_flush_dev_iotlb+0x124/0x180 +[ 3.821437] iommu_flush_dev_iotlb+0x94/0xf0 +[ 3.825698] iommu_flush_iova+0x10b/0x1c0 +[ 3.829699] ? fq_ring_free+0x1d0/0x1d0 +[ 3.833527] iova_domain_flush+0x25/0x40 +[ 3.837448] fq_flush_timeout+0x55/0x160 +[ 3.841368] ? fq_ring_free+0x1d0/0x1d0 +[ 3.845200] ? fq_ring_free+0x1d0/0x1d0 +[ 3.849034] call_timer_fn+0xbe/0x310 +[ 3.852696] ? fq_ring_free+0x1d0/0x1d0 +[ 3.856530] run_timer_softirq+0x223/0x6e0 +[ 3.860625] ? sched_clock+0x5/0x10 +[ 3.864108] ? 
sched_clock+0x5/0x10 +[ 3.867594] __do_softirq+0x1b5/0x6f5 +[ 3.871250] irq_exit+0xd4/0x130 +[ 3.874470] smp_apic_timer_interrupt+0xb8/0x2f0 +[ 3.879075] apic_timer_interrupt+0xf/0x20 +[ 3.883159] +[ 3.885255] RIP: 0010:poll_idle+0x60/0xe7 +[ 3.889252] RSP: 0018:ffffb1b201943e30 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 +[ 3.896802] RAX: 0000000080200000 RBX: 000000000000008e RCX: 000000000000001f +[ 3.903918] RDX: 0000000000000000 RSI: 000000002819aa06 RDI: 0000000000000000 +[ 3.911031] RBP: ffff9e93c6b33280 R08: 00000010f717d567 R09: 000000000010d205 +[ 3.918146] R10: ffffb1b201943df8 R11: 0000000000000001 R12: 00000000e01b169d +[ 3.925260] R13: 0000000000000000 R14: ffffffffb12aa400 R15: 0000000000000000 +[ 3.932382] cpuidle_enter_state+0xb4/0x470 +[ 3.936558] do_idle+0x222/0x310 +[ 3.939779] cpu_startup_entry+0x78/0x90 +[ 3.943693] start_secondary+0x205/0x2e0 +[ 3.947607] secondary_startup_64+0xa5/0xb0 +[ 3.951783] ================================================================================ + +Signed-off-by: Changbin Du +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/dmar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/dmar.c ++++ b/drivers/iommu/dmar.c +@@ -1342,7 +1342,7 @@ void qi_flush_dev_iotlb(struct intel_iom + struct qi_desc desc; + + if (mask) { +- BUG_ON(addr & ((1 << (VTD_PAGE_SHIFT + mask)) - 1)); ++ BUG_ON(addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1)); + addr |= (1ULL << (VTD_PAGE_SHIFT + mask - 1)) - 1; + desc.high = QI_DEV_IOTLB_ADDR(addr) | QI_DEV_IOTLB_SIZE; + } else diff --git a/queue-4.14/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch b/queue-4.14/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch new file mode 100644 index 00000000000..15916e1c98e --- /dev/null +++ b/queue-4.14/isofs-fix-potential-memory-leak-in-mount-option-parsing.patch 
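Review bot: In the drivers/iommu/dmar.c hunk, widening the constant to `1ULL` inside the `BUG_ON` of `qi_flush_dev_iotlb()` does not cover the case the quoted UBSAN report shows, a shift exponent of 64. Shifting a 64-bit value by 64 is just as undefined as shifting a 32-bit one. If `VTD_PAGE_SHIFT + mask` can legitimately reach 64, as the log suggests, the alignment check needs a guard on the shift count, for example `BUG_ON(VTD_PAGE_SHIFT + mask < 64 && (addr & ((1ULL << (VTD_PAGE_SHIFT + mask)) - 1)));`. The `addr |=` line below shifts by one less and stays in range. The function body starts and ends outside the hunk.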
@@ -0,0 +1,36 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Chengguang Xu +Date: Sat, 14 Apr 2018 20:16:06 +0800 +Subject: isofs: fix potential memory leak in mount option parsing + +From: Chengguang Xu + +[ Upstream commit 4f34a5130a471f32f2fe7750769ab4057dc3eaa0 ] + +When specifying string type mount option (e.g., iocharset) +several times in a mount, current option parsing may +cause memory leak. Hence, call kfree for previous one +in this case. Meanwhile, check memory allocation result +for it. + +Signed-off-by: Chengguang Xu +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/isofs/inode.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/isofs/inode.c ++++ b/fs/isofs/inode.c +@@ -394,7 +394,10 @@ static int parse_options(char *options, + break; + #ifdef CONFIG_JOLIET + case Opt_iocharset: ++ kfree(popt->iocharset); + popt->iocharset = match_strdup(&args[0]); ++ if (!popt->iocharset) ++ return 0; + break; + #endif + case Opt_map_a: diff --git a/queue-4.14/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch b/queue-4.14/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch new file mode 100644 index 00000000000..8ad9b25c6d3 --- /dev/null +++ b/queue-4.14/ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch 
@@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Emil Tantilov +Date: Thu, 19 Apr 2018 17:06:57 -0700 +Subject: ixgbe: return error on unsupported SFP module when resetting + +From: Emil Tantilov + +[ Upstream commit bbb2707623f3ccc48695da2433f06d7c38193451 ] + +Add check for unsupported module and return the error code. +This fixes a Coverity hit due to unused return status from setup_sfp. + +Signed-off-by: Emil Tantilov +Tested-by: Andrew Bowers +Signed-off-by: Jeff Kirsher +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c +@@ -3413,6 +3413,9 @@ static s32 ixgbe_reset_hw_X550em(struct + hw->phy.sfp_setup_needed = false; + } + ++ if (status == IXGBE_ERR_SFP_NOT_SUPPORTED) ++ return status; ++ + /* Reset PHY */ + if (!hw->phy.reset_disable && hw->phy.ops.reset) + hw->phy.ops.reset(hw); diff --git a/queue-4.14/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch b/queue-4.14/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch new file mode 100644 index 00000000000..b9475fc3584 --- /dev/null +++ b/queue-4.14/kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch 
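Review bot: The check added to `ixgbe_reset_hw_X550em()` propagates only `IXGBE_ERR_SFP_NOT_SUPPORTED`, so any other non-zero `status` at this point still falls through to the PHY reset. That is the same ignored-return pattern the commit message says Coverity flagged for setup_sfp. The call that assigns `status` is outside the hunk, so it cannot be told from here whether other error codes can occur. If they can, either return on them too or add a comment above the new `if` stating why only this code aborts the reset.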
@@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Young +Date: Fri, 20 Apr 2018 14:56:10 -0700 +Subject: kexec_file: do not add extra alignment to efi memmap + +From: Dave Young + +[ Upstream commit a841aa83dff0af75c88aa846ba610a8af4c5ee21 ] + +Chun-Yi reported a kernel warning message below: + + WARNING: CPU: 0 PID: 0 at ../mm/early_ioremap.c:182 early_iounmap+0x4f/0x12c() + early_iounmap(ffffffffff200180, 00000118) [0] size not consistent 00000120 + +The problem is x86 kexec_file_load adds extra alignment to the efi +memmap: in bzImage64_load(): + + efi_map_sz = efi_get_runtime_map_size(); + efi_map_sz = ALIGN(efi_map_sz, 16); + +And __efi_memmap_init maps with the size including the alignment bytes +but efi_memmap_unmap use nr_maps * desc_size which does not include the +extra bytes. + +The alignment in kexec code is only needed for the kexec buffer internal +use Actually kexec should pass exact size of the efi memmap to 2nd +kernel. + +Link: http://lkml.kernel.org/r/20180417083600.GA1972@dhcp-128-65.nay.redhat.com +Signed-off-by: Dave Young +Reported-by: joeyli +Tested-by: Randy Wright +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kernel/kexec-bzimage64.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/kexec-bzimage64.c ++++ b/arch/x86/kernel/kexec-bzimage64.c +@@ -398,11 +398,10 @@ static void *bzImage64_load(struct kimag + * little bit simple + */ + efi_map_sz = efi_get_runtime_map_size(); +- efi_map_sz = ALIGN(efi_map_sz, 16); + params_cmdline_sz = sizeof(struct boot_params) + cmdline_len + + MAX_ELFCOREHDR_STR_LEN; + params_cmdline_sz = ALIGN(params_cmdline_sz, 16); +- kbuf.bufsz = params_cmdline_sz + efi_map_sz + ++ kbuf.bufsz = params_cmdline_sz + ALIGN(efi_map_sz, 16) + + sizeof(struct setup_data) + + sizeof(struct efi_setup_data); + +@@ -410,7 +409,7 @@ static void *bzImage64_load(struct kimag + if 
(!params) + return ERR_PTR(-ENOMEM); + efi_map_offset = params_cmdline_sz; +- efi_setup_data_offset = efi_map_offset + efi_map_sz; ++ efi_setup_data_offset = efi_map_offset + ALIGN(efi_map_sz, 16); + + /* Copy setup header onto bootparams. Documentation/x86/boot.txt */ + setup_header_size = 0x0202 + kernel[0x0201] - setup_hdr_offset; diff --git a/queue-4.14/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch b/queue-4.14/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch new file mode 100644 index 00000000000..69205176876 --- /dev/null +++ b/queue-4.14/kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch 
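Review bot: `ALIGN(efi_map_sz, 16)` now appears twice in `bzImage64_load()`, once in the `kbuf.bufsz` sum and once in `efi_setup_data_offset`. The two expressions must stay identical for the setup data to land inside the allocated buffer. Computing the padded size once makes that invariant explicit, e.g. `efi_map_padded_sz = ALIGN(efi_map_sz, 16);` used in both places, with `efi_map_sz` kept as the exact size. The function starts and ends outside the two hunks.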
@@ -0,0 +1,83 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Masami Hiramatsu +Date: Wed, 9 May 2018 21:58:15 +0900 +Subject: kprobes/x86: Prohibit probing on exception masking instructions + +From: Masami Hiramatsu + +[ Upstream commit ee6a7354a3629f9b65bc18dbe393503e9440d6f5 ] + +Since MOV SS and POP SS instructions will delay the exceptions until the +next instruction is executed, single-stepping on it by kprobes must be +prohibited. + +However, kprobes usually executes those instructions directly on trampoline +buffer (a.k.a. kprobe-booster), except for the kprobes which has +post_handler. Thus if kprobe user probes MOV SS with post_handler, it will +do single-stepping on the MOV SS. + +This means it is safe that if it is used via ftrace or perf/bpf since those +don't use the post_handler. + +Anyway, since the stack switching is a rare case, it is safer just +rejecting kprobes on such instructions. + +Signed-off-by: Masami Hiramatsu +Signed-off-by: Thomas Gleixner +Cc: Ricardo Neri +Cc: Francis Deslauriers +Cc: Oleg Nesterov +Cc: Alexei Starovoitov +Cc: Steven Rostedt +Cc: Andy Lutomirski +Cc: "H . Peter Anvin" +Cc: Yonghong Song +Cc: Borislav Petkov +Cc: Linus Torvalds +Cc: "David S . Miller" +Link: https://lkml.kernel.org/r/152587069574.17316.3311695234863248641.stgit@devbox +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/insn.h | 18 ++++++++++++++++++ + arch/x86/kernel/kprobes/core.c | 4 ++++ + 2 files changed, 22 insertions(+) + +--- a/arch/x86/include/asm/insn.h ++++ b/arch/x86/include/asm/insn.h +@@ -208,4 +208,22 @@ static inline int insn_offset_immediate( + return insn_offset_displacement(insn) + insn->displacement.nbytes; + } + ++#define POP_SS_OPCODE 0x1f ++#define MOV_SREG_OPCODE 0x8e ++ ++/* ++ * Intel SDM Vol.3A 6.8.3 states; ++ * "Any single-step trap that would be delivered following the MOV to SS ++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is ++ * suppressed." 
++ * This function returns true if @insn is MOV SS or POP SS. On these ++ * instructions, single stepping is suppressed. ++ */ ++static inline int insn_masking_exception(struct insn *insn) ++{ ++ return insn->opcode.bytes[0] == POP_SS_OPCODE || ++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE && ++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2); ++} ++ + #endif /* _ASM_X86_INSN_H */ +--- a/arch/x86/kernel/kprobes/core.c ++++ b/arch/x86/kernel/kprobes/core.c +@@ -369,6 +369,10 @@ int __copy_instruction(u8 *dest, u8 *src + if (insn->opcode.bytes[0] == BREAKPOINT_INSTRUCTION) + return 0; + ++ /* We should not singlestep on the exception masking instructions */ ++ if (insn_masking_exception(insn)) ++ return 0; ++ + #ifdef CONFIG_X86_64 + /* Only x86_64 has RIP relative instructions */ + if (insn_rip_relative(insn)) { diff --git a/queue-4.14/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch b/queue-4.14/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch new file mode 100644 index 00000000000..01c459f882d --- /dev/null +++ b/queue-4.14/kthread-sched-wait-fix-kthread_parkme-wait-loop.patch 
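Review bot: In the arch/x86/include/asm/insn.h hunk `POP_SS_OPCODE` is defined as `0x1f`, which in the one-byte x86 opcode map is POP DS; POP SS is `0x17`. As written, `insn_masking_exception()` rejects probes on POP DS and lets POP SS through, so the single-step case described in the commit message is not covered for that instruction. The define should read `#define POP_SS_OPCODE 0x17`. The literal `2` compared against `X86_MODRM_REG()` is the SS segment-register number and would read better as a named constant or with a one-line comment.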
@@ -0,0 +1,71 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Peter Zijlstra +Date: Mon, 30 Apr 2018 14:50:22 +0200 +Subject: kthread, sched/wait: Fix kthread_parkme() wait-loop + +From: Peter Zijlstra + +[ Upstream commit 741a76b350897604c48fb12beff1c9b77724dc96 ] + +Gaurav reported a problem with __kthread_parkme() where a concurrent +try_to_wake_up() could result in competing stores to ->state which, +when the TASK_PARKED store got lost bad things would happen. + +The comment near set_current_state() actually mentions this competing +store, but only mentions the case against TASK_RUNNING. This same +store, with different timing, can happen against a subsequent !RUNNING +store. + +This normally is not a problem, because as per that same comment, the +!RUNNING state store is inside a condition based wait-loop: + + for (;;) { + set_current_state(TASK_UNINTERRUPTIBLE); + if (!need_sleep) + break; + schedule(); + } + __set_current_state(TASK_RUNNING); + +If we loose the (first) TASK_UNINTERRUPTIBLE store to a previous +(concurrent) wakeup, the schedule() will NO-OP and we'll go around the +loop once more. + +The problem here is that the TASK_PARKED store is not inside the +KTHREAD_SHOULD_PARK condition wait-loop. + +There is a genuine issue with sleeps that do not have a condition; +this is addressed in a subsequent patch. 
+ +Reported-by: Gaurav Kohli +Signed-off-by: Peter Zijlstra (Intel) +Reviewed-by: Oleg Nesterov +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/kthread.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/kernel/kthread.c ++++ b/kernel/kthread.c +@@ -169,12 +169,13 @@ void *kthread_probe_data(struct task_str + + static void __kthread_parkme(struct kthread *self) + { +- __set_current_state(TASK_PARKED); +- while (test_bit(KTHREAD_SHOULD_PARK, &self->flags)) { ++ for (;;) { ++ set_current_state(TASK_PARKED); ++ if (!test_bit(KTHREAD_SHOULD_PARK, &self->flags)) ++ break; + if (!test_and_set_bit(KTHREAD_IS_PARKED, &self->flags)) + complete(&self->parked); + schedule(); +- __set_current_state(TASK_PARKED); + } + clear_bit(KTHREAD_IS_PARKED, &self->flags); + __set_current_state(TASK_RUNNING); diff --git a/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch b/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch new file mode 100644 index 00000000000..41c472a05f7 --- /dev/null +++ b/queue-4.14/kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch 
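Review bot: The rewritten loop in `__kthread_parkme()` carries no comment, so the reason `set_current_state(TASK_PARKED)` must sit inside the loop, ahead of the `KTHREAD_SHOULD_PARK` test, is recorded only in the commit message. A short comment above the `for (;;)` would keep a later cleanup from hoisting the store out again, e.g. `/* Store TASK_PARKED on every pass: a concurrent wakeup can overwrite ->state, so the condition is re-tested after each store. */`.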
@@ -0,0 +1,52 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Mark Rutland +Date: Wed, 25 Apr 2018 17:13:42 +0100 +Subject: KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr() + +From: Mark Rutland + +[ Upstream commit 5e1ca5e23b167987d5b6d8b08f2d5b7dd2d13f49 ] + +It's possible for userspace to control n. Sanitize n when using it as an +array index. + +Note that while it appears that n must be bound to the interval [0,3] +due to the way it is extracted from addr, we cannot guarantee that +compiler transformations (and/or future refactoring) will ensure this is +the case, and given this is a slow path it's better to always perform +the masking. + +Found by smatch. + +Signed-off-by: Mark Rutland +Acked-by: Christoffer Dall +Acked-by: Marc Zyngier +Cc: kvmarm@lists.cs.columbia.edu +Signed-off-by: Will Deacon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + virt/kvm/arm/vgic/vgic-mmio-v2.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/virt/kvm/arm/vgic/vgic-mmio-v2.c ++++ b/virt/kvm/arm/vgic/vgic-mmio-v2.c +@@ -14,6 +14,8 @@ + #include + #include + #include ++#include ++ + #include + #include + +@@ -320,6 +322,9 @@ static unsigned long vgic_mmio_read_apr( + + if (n > vgic_v3_max_apr_idx(vcpu)) + return 0; ++ ++ n = array_index_nospec(n, 4); ++ + /* GICv3 only uses ICH_AP1Rn for memory mapped (GICv2) guests */ + return vgicv3->vgic_ap1r[n]; + } diff --git a/queue-4.14/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch b/queue-4.14/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch new file mode 100644 index 00000000000..187b01a5080 --- /dev/null +++ b/queue-4.14/kvm-extend-max_irq_routes-to-4096-for-all-archs.patch 
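Review bot: `array_index_nospec(n, 4)` in `vgic_mmio_read_apr()` hard-codes the bound, while the range check just above it uses `vgic_v3_max_apr_idx(vcpu)`. The declaration of `vgic_ap1r` is not visible in the hunk. If it is a fixed-size array, `n = array_index_nospec(n, ARRAY_SIZE(vgicv3->vgic_ap1r));` keeps the clamp tied to the storage it protects, so the two cannot drift apart if the array size changes. The function starts outside the hunk.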
@@ -0,0 +1,49 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Wanpeng Li +Date: Thu, 26 Apr 2018 17:55:03 -0700 +Subject: KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs + +From: Wanpeng Li + +[ Upstream commit ddc9cfb79c1096a0855839631c091aa7e9602052 ] + +Our virtual machines make use of device assignment by configuring +12 NVMe disks for high I/O performance. Each NVMe device has 129 +MSI-X Table entries: +Capabilities: [50] MSI-X: Enable+ Count=129 Masked-Vector table: BAR=0 offset=00002000 +The windows virtual machines fail to boot since they will map the number of +MSI-table entries that the NVMe hardware reported to the bus to msi routing +table, this will exceed the 1024. This patch extends MAX_IRQ_ROUTES to 4096 +for all archs, in the future this might be extended again if needed. + +Reviewed-by: Cornelia Huck +Cc: Paolo Bonzini +Cc: Radim KrÄmář +Cc: Cornelia Huck +Cc: Christian Borntraeger +Signed-off-by: Wanpeng Li +Signed-off-by: Tonny Lu +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -1044,13 +1044,7 @@ static inline int mmu_notifier_retry(str + + #ifdef CONFIG_HAVE_KVM_IRQ_ROUTING + +-#ifdef CONFIG_S390 +-#define KVM_MAX_IRQ_ROUTES 4096 //FIXME: we can have more than that... +-#elif defined(CONFIG_ARM64) +-#define KVM_MAX_IRQ_ROUTES 4096 +-#else +-#define KVM_MAX_IRQ_ROUTES 1024 +-#endif ++#define KVM_MAX_IRQ_ROUTES 4096 /* might need extension/rework in the future */ + + bool kvm_arch_can_set_irq_routing(struct kvm *kvm); + int kvm_set_irq_routing(struct kvm *kvm, diff --git a/queue-4.14/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch b/queue-4.14/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch new file mode 100644 index 00000000000..8c3d250fc42 --- /dev/null 
+++ b/queue-4.14/kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch @@ -0,0 +1,46 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: hu huajun +Date: Wed, 11 Apr 2018 15:16:40 +0800 +Subject: KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update + +From: hu huajun + +[ Upstream commit 2698d82e519413c6ad287e6f14b29e0373ed37f8 ] + +In arch/x86/kvm/trace.h, this function is declared as host_irq the +first input, and vcpu_id the second, instead of otherwise. + +Signed-off-by: hu huajun +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/kvm/svm.c | 5 ++--- + arch/x86/kvm/vmx.c | 2 +- + 2 files changed, 3 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -4756,9 +4756,8 @@ static int svm_update_pi_irte(struct kvm + } + + if (!ret && svm) { +- trace_kvm_pi_irte_update(svm->vcpu.vcpu_id, +- host_irq, e->gsi, +- vcpu_info.vector, ++ trace_kvm_pi_irte_update(host_irq, svm->vcpu.vcpu_id, ++ e->gsi, vcpu_info.vector, + vcpu_info.pi_desc_addr, set); + } + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12171,7 +12171,7 @@ static int vmx_update_pi_irte(struct kvm + vcpu_info.pi_desc_addr = __pa(vcpu_to_pi_desc(vcpu)); + vcpu_info.vector = irq.vector; + +- trace_kvm_pi_irte_update(vcpu->vcpu_id, host_irq, e->gsi, ++ trace_kvm_pi_irte_update(host_irq, vcpu->vcpu_id, e->gsi, + vcpu_info.vector, vcpu_info.pi_desc_addr, set); + + if (set) diff --git a/queue-4.14/libahci-allow-drivers-to-override-stop_engine.patch b/queue-4.14/libahci-allow-drivers-to-override-stop_engine.patch new file mode 100644 index 00000000000..c9108753476 --- /dev/null +++ b/queue-4.14/libahci-allow-drivers-to-override-stop_engine.patch 
@@ -0,0 +1,217 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Evan Wang +Date: Fri, 13 Apr 2018 12:32:30 +0800 +Subject: libahci: Allow drivers to override stop_engine + +From: Evan Wang + +[ Upstream commit fa89f53bd7288d6aa7a982841119e7123faf5a53 ] + +Marvell armada37xx, armada7k and armada8k share the same +AHCI sata controller IP, and currently there is an issue +(Errata Ref#226)that the SATA can not be detected via SATA +Port-MultiPlayer(PMP). After debugging, the reason is +found that the value of Port-x FIS-based Switching Control +(PxFBS@0x40) became wrong. +According to design, the bits[11:8, 0] of register PxFBS +are cleared when Port Command and Status (0x18) bit[0] +changes its value from 1 to 0, i.e. falling edge of Port +Command and Status bit[0] sends PULSE that resets PxFBS +bits[11:8; 0]. +So it needs save the port PxFBS register before PxCMD +ST write and restore the port PxFBS register afterwards +in ahci_stop_engine(). + +This commit allows drivers to override ahci_stop_engine +behavior for use by the Marvell AHCI driver(and potentially +other drivers in the future). 
+ +Signed-off-by: Evan Wang +Cc: Ofer Heifetz +Cc: Tejun Heo +Cc: Thomas Petazzoni +Signed-off-by: Tejun Heo +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/ahci.c | 6 +++--- + drivers/ata/ahci.h | 7 +++++++ + drivers/ata/ahci_qoriq.c | 2 +- + drivers/ata/ahci_xgene.c | 4 ++-- + drivers/ata/libahci.c | 20 ++++++++++++-------- + drivers/ata/sata_highbank.c | 2 +- + 6 files changed, 26 insertions(+), 15 deletions(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -686,7 +686,7 @@ static int ahci_vt8251_hardreset(struct + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + rc = sata_link_hardreset(link, sata_ehc_deb_timing(&link->eh_context), + deadline, &online, NULL); +@@ -712,7 +712,7 @@ static int ahci_p5wdh_hardreset(struct a + bool online; + int rc; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); +@@ -776,7 +776,7 @@ static int ahci_avn_hardreset(struct ata + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + for (i = 0; i < 2; i++) { + u16 val; +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -361,6 +361,13 @@ struct ahci_host_priv { + * be overridden anytime before the host is activated. + */ + void (*start_engine)(struct ata_port *ap); ++ /* ++ * Optional ahci_stop_engine override, if not set this gets set to the ++ * default ahci_stop_engine during ahci_save_initial_config, this can ++ * be overridden anytime before the host is activated. 
++ */ ++ int (*stop_engine)(struct ata_port *ap); ++ + irqreturn_t (*irq_handler)(int irq, void *dev_instance); + + /* only required for per-port MSI(-X) support */ +--- a/drivers/ata/ahci_qoriq.c ++++ b/drivers/ata/ahci_qoriq.c +@@ -94,7 +94,7 @@ static int ahci_qoriq_hardreset(struct a + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* + * There is a errata on ls1021a Rev1.0 and Rev2.0 which is: +--- a/drivers/ata/ahci_xgene.c ++++ b/drivers/ata/ahci_xgene.c +@@ -165,7 +165,7 @@ static int xgene_ahci_restart_engine(str + PORT_CMD_ISSUE, 0x0, 1, 100)) + return -EBUSY; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + ahci_start_fis_rx(ap); + + /* +@@ -421,7 +421,7 @@ static int xgene_ahci_hardreset(struct a + portrxfis_saved = readl(port_mmio + PORT_FIS_ADDR); + portrxfishi_saved = readl(port_mmio + PORT_FIS_ADDR_HI); + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + rc = xgene_ahci_do_hardreset(link, deadline, &online); + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -560,6 +560,9 @@ void ahci_save_initial_config(struct dev + if (!hpriv->start_engine) + hpriv->start_engine = ahci_start_engine; + ++ if (!hpriv->stop_engine) ++ hpriv->stop_engine = ahci_stop_engine; ++ + if (!hpriv->irq_handler) + hpriv->irq_handler = ahci_single_level_irq_intr; + } +@@ -887,9 +890,10 @@ static void ahci_start_port(struct ata_p + static int ahci_deinit_port(struct ata_port *ap, const char **emsg) + { + int rc; ++ struct ahci_host_priv *hpriv = ap->host->private_data; + + /* disable DMA */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) { + *emsg = "failed to stop engine"; + return rc; +@@ -1299,7 +1303,7 @@ int ahci_kick_engine(struct ata_port *ap + int busy, rc; + + /* stop engine */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + goto out_restart; + +@@ -1538,7 +1542,7 @@ int ahci_do_hardreset(struct ata_link *l + + DPRINTK("ENTER\n"); + +- ahci_stop_engine(ap); ++ 
hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); +@@ -2064,14 +2068,14 @@ void ahci_error_handler(struct ata_port + + if (!(ap->pflags & ATA_PFLAG_FROZEN)) { + /* restart engine */ +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + hpriv->start_engine(ap); + } + + sata_pmp_error_handler(ap); + + if (!ata_dev_enabled(ap->link.device)) +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + } + EXPORT_SYMBOL_GPL(ahci_error_handler); + +@@ -2118,7 +2122,7 @@ static void ahci_set_aggressive_devslp(s + return; + + /* set DITO, MDAT, DETO and enable DevSlp, need to stop engine first */ +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +@@ -2178,7 +2182,7 @@ static void ahci_enable_fbs(struct ata_p + return; + } + +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +@@ -2211,7 +2215,7 @@ static void ahci_disable_fbs(struct ata_ + return; + } + +- rc = ahci_stop_engine(ap); ++ rc = hpriv->stop_engine(ap); + if (rc) + return; + +--- a/drivers/ata/sata_highbank.c ++++ b/drivers/ata/sata_highbank.c +@@ -410,7 +410,7 @@ static int ahci_highbank_hardreset(struc + int rc; + int retry = 100; + +- ahci_stop_engine(ap); ++ hpriv->stop_engine(ap); + + /* clear D2H reception area to properly wait for D2H FIS */ + ata_tf_init(link->device, &tf); diff --git a/queue-4.14/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch b/queue-4.14/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch new file mode 100644 index 00000000000..58329f490d0 --- /dev/null +++ b/queue-4.14/linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch 
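Review bot: Every converted call site now calls through `hpriv->stop_engine`, but the pointer only gets its default in `ahci_save_initial_config()` (libahci.c hunk). A host that reaches one of these paths without that function having run would call through NULL. The callers' setup code is outside the hunks, so this may already hold for all of them, and the new comment in ahci.h could state it as a requirement. That comment should also give the return contract, since `ahci_deinit_port()` and `ahci_kick_engine()` treat a non-zero result as failure while the hardreset paths ignore it.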
@@ -0,0 +1,70 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Amir Goldstein +Date: Mon, 5 Feb 2018 19:32:18 +0200 +Subject: : fix end_name_hash() for 64bit long + +From: Amir Goldstein + +[ Upstream commit 19b9ad67310ed2f685062a00aec602bec33835f0 ] + +The comment claims that this helper will try not to loose bits, but for +64bit long it looses the high bits before hashing 64bit long into 32bit +int. Use the helper hash_long() to do the right thing for 64bit long. +For 32bit long, there is no change. + +All the callers of end_name_hash() either assign the result to +qstr->hash, which is u32 or return the result as an int value (e.g. +full_name_hash()). Change the helper return type to int to conform to +its users. + +[ It took me a while to apply this, because my initial reaction to it + was - incorrectly - that it could make for slower code. + + After having looked more at it, I take back all my complaints about + the patch, Amir was right and I was mis-reading things or just being + stupid. + + I also don't worry too much about the possible performance impact of + this on 64-bit, since most architectures that actually care about + performance end up not using this very much (the dcache code is the + most performance-critical, but the word-at-a-time case uses its own + hashing anyway). + + So this ends up being mostly used for filesystems that do their own + degraded hashing (usually because they want a case-insensitive + comparison function). + + A _tiny_ worry remains, in that not everybody uses DCACHE_WORD_ACCESS, + and then this potentially makes things more expensive on 64-bit + architectures with slow or lacking multipliers even for the normal + case. + + That said, realistically the only such architecture I can think of is + PA-RISC. Nobody really cares about performance on that, it's more of a + "look ma, I've got warts^W an odd machine" platform. 
+ + So the patch is fine, and all my initial worries were just misplaced + from not looking at this properly. - Linus ] + +Signed-off-by: Amir Goldstein +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/stringhash.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/stringhash.h ++++ b/include/linux/stringhash.h +@@ -50,9 +50,9 @@ partial_name_hash(unsigned long c, unsig + * losing bits). This also has the property (wanted by the dcache) + * that the msbits make a good hash table index. + */ +-static inline unsigned long end_name_hash(unsigned long hash) ++static inline unsigned int end_name_hash(unsigned long hash) + { +- return __hash_32((unsigned int)hash); ++ return hash_long(hash, 32); + } + + /* diff --git a/queue-4.14/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch b/queue-4.14/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch new file mode 100644 index 00000000000..8c1f6bc4796 --- /dev/null +++ b/queue-4.14/locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch 
@@ -0,0 +1,108 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Waiman Long +Date: Tue, 15 May 2018 17:49:51 -0400 +Subject: locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN + +From: Waiman Long + +[ Upstream commit 5a817641f68a6399a5fac8b7d2da67a73698ffed ] + +The filesystem freezing code needs to transfer ownership of a rwsem +embedded in a percpu-rwsem from the task that does the freezing to +another one that does the thawing by calling percpu_rwsem_release() +after freezing and percpu_rwsem_acquire() before thawing. + +However, the new rwsem debug code runs afoul with this scheme by warning +that the task that releases the rwsem isn't the one that acquires it, +as reported by Amir Goldstein: + + DEBUG_LOCKS_WARN_ON(sem->owner != get_current()) + WARNING: CPU: 1 PID: 1401 at /home/amir/build/src/linux/kernel/locking/rwsem.c:133 up_write+0x59/0x79 + + Call Trace: + percpu_up_write+0x1f/0x28 + thaw_super_locked+0xdf/0x120 + do_vfs_ioctl+0x270/0x5f1 + ksys_ioctl+0x52/0x71 + __x64_sys_ioctl+0x16/0x19 + do_syscall_64+0x5d/0x167 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +To work properly with the rwsem debug code, we need to annotate that the +rwsem ownership is unknown during the tranfer period until a brave soul +comes forward to acquire the ownership. During that period, optimistic +spinning will be disabled. + +Reported-by: Amir Goldstein +Tested-by: Amir Goldstein +Signed-off-by: Waiman Long +Acked-by: Peter Zijlstra +Cc: Andrew Morton +Cc: Davidlohr Bueso +Cc: Jan Kara +Cc: Linus Torvalds +Cc: Matthew Wilcox +Cc: Oleg Nesterov +Cc: Paul E. McKenney +Cc: Theodore Y. 
Ts'o +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-fsdevel@vger.kernel.org +Link: http://lkml.kernel.org/r/1526420991-21213-3-git-send-email-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/percpu-rwsem.h | 6 +++++- + include/linux/rwsem.h | 6 ++++++ + kernel/locking/rwsem-xadd.c | 2 ++ + 3 files changed, 13 insertions(+), 1 deletion(-) + +--- a/include/linux/percpu-rwsem.h ++++ b/include/linux/percpu-rwsem.h +@@ -133,7 +133,7 @@ static inline void percpu_rwsem_release( + lock_release(&sem->rw_sem.dep_map, 1, ip); + #ifdef CONFIG_RWSEM_SPIN_ON_OWNER + if (!read) +- sem->rw_sem.owner = NULL; ++ sem->rw_sem.owner = RWSEM_OWNER_UNKNOWN; + #endif + } + +@@ -141,6 +141,10 @@ static inline void percpu_rwsem_acquire( + bool read, unsigned long ip) + { + lock_acquire(&sem->rw_sem.dep_map, 0, 1, read, 1, NULL, ip); ++#ifdef CONFIG_RWSEM_SPIN_ON_OWNER ++ if (!read) ++ sem->rw_sem.owner = current; ++#endif + } + + #endif +--- a/include/linux/rwsem.h ++++ b/include/linux/rwsem.h +@@ -44,6 +44,12 @@ struct rw_semaphore { + #endif + }; + ++/* ++ * Setting bit 0 of the owner field with other non-zero bits will indicate ++ * that the rwsem is writer-owned with an unknown owner. ++ */ ++#define RWSEM_OWNER_UNKNOWN ((struct task_struct *)-1L) ++ + extern struct rw_semaphore *rwsem_down_read_failed(struct rw_semaphore *sem); + extern struct rw_semaphore *rwsem_down_read_failed_killable(struct rw_semaphore *sem); + extern struct rw_semaphore *rwsem_down_write_failed(struct rw_semaphore *sem); +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -352,6 +352,8 @@ static inline bool rwsem_can_spin_on_own + struct task_struct *owner; + bool ret = true; + ++ BUILD_BUG_ON(!rwsem_has_anonymous_owner(RWSEM_OWNER_UNKNOWN)); ++ + if (need_resched()) + return false; + 
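Review bot: The `BUILD_BUG_ON` added to `rwsem_can_spin_on_owner()` uses `rwsem_has_anonymous_owner()`, which this patch does not define. It presumably comes from the RWSEM_ANONYMOUSLY_OWNED patch queued in the same commit, so the series has to apply that patch first or kernel/locking/rwsem-xadd.c will not build. Separately, `RWSEM_OWNER_UNKNOWN` is `(struct task_struct *)-1L`, a value that must never be dereferenced. The comment above the define in rwsem.h could say so: `/* Sentinel only: never dereference; test with rwsem_has_anonymous_owner(). */`.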
diff --git a/queue-4.14/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch b/queue-4.14/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch new file mode 100644 index 00000000000..ba755f0e965 --- /dev/null +++ b/queue-4.14/locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch 
@@ -0,0 +1,168 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Waiman Long +Date: Tue, 15 May 2018 17:49:50 -0400 +Subject: locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag + +From: Waiman Long + +[ Upstream commit d7d760efad70c7a030725499bf9f342f04af24dd ] + +There are use cases where a rwsem can be acquired by one task, but +released by another task. In thess cases, optimistic spinning may need +to be disabled. One example will be the filesystem freeze/thaw code +where the task that freezes the filesystem will acquire a write lock +on a rwsem and then un-owns it before returning to userspace. Later on, +another task will come along, acquire the ownership, thaw the filesystem +and release the rwsem. + +Bit 0 of the owner field was used to designate that it is a reader +owned rwsem. It is now repurposed to mean that the owner of the rwsem +is not known. If only bit 0 is set, the rwsem is reader owned. If bit +0 and other bits are set, it is writer owned with an unknown owner. +One such value for the latter case is (-1L). So we can set owner to 1 for +reader-owned, -1 for writer-owned. The owner is unknown in both cases. + +To handle transfer of rwsem ownership, the higher level code should +set the owner field to -1 to indicate a write-locked rwsem with unknown +owner. Optimistic spinning will be disabled in this case. + +Once the higher level code figures who the new owner is, it can then +set the owner field accordingly. + +Tested-by: Amir Goldstein +Signed-off-by: Waiman Long +Acked-by: Peter Zijlstra +Cc: Andrew Morton +Cc: Davidlohr Bueso +Cc: Jan Kara +Cc: Linus Torvalds +Cc: Matthew Wilcox +Cc: Oleg Nesterov +Cc: Paul E. McKenney +Cc: Theodore Y. 
Ts'o +Cc: Thomas Gleixner +Cc: Will Deacon +Cc: linux-fsdevel@vger.kernel.org +Link: http://lkml.kernel.org/r/1526420991-21213-2-git-send-email-longman@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/locking/rwsem-xadd.c | 17 +++++++---------- + kernel/locking/rwsem.c | 2 -- + kernel/locking/rwsem.h | 30 +++++++++++++++++++++--------- + 3 files changed, 28 insertions(+), 21 deletions(-) + +--- a/kernel/locking/rwsem-xadd.c ++++ b/kernel/locking/rwsem-xadd.c +@@ -357,11 +357,8 @@ static inline bool rwsem_can_spin_on_own + + rcu_read_lock(); + owner = READ_ONCE(sem->owner); +- if (!rwsem_owner_is_writer(owner)) { +- /* +- * Don't spin if the rwsem is readers owned. +- */ +- ret = !rwsem_owner_is_reader(owner); ++ if (!owner || !is_rwsem_owner_spinnable(owner)) { ++ ret = !owner; /* !owner is spinnable */ + goto done; + } + +@@ -382,11 +379,11 @@ static noinline bool rwsem_spin_on_owner + { + struct task_struct *owner = READ_ONCE(sem->owner); + +- if (!rwsem_owner_is_writer(owner)) +- goto out; ++ if (!is_rwsem_owner_spinnable(owner)) ++ return false; + + rcu_read_lock(); +- while (sem->owner == owner) { ++ while (owner && (READ_ONCE(sem->owner) == owner)) { + /* + * Ensure we emit the owner->on_cpu, dereference _after_ + * checking sem->owner still matches owner, if that fails, +@@ -408,12 +405,12 @@ static noinline bool rwsem_spin_on_owner + cpu_relax(); + } + rcu_read_unlock(); +-out: ++ + /* + * If there is a new owner or the owner is not set, we continue + * spinning. 
+ */ +- return !rwsem_owner_is_reader(READ_ONCE(sem->owner)); ++ return is_rwsem_owner_spinnable(READ_ONCE(sem->owner)); + } + + static bool rwsem_optimistic_spin(struct rw_semaphore *sem) +--- a/kernel/locking/rwsem.c ++++ b/kernel/locking/rwsem.c +@@ -201,5 +201,3 @@ void up_read_non_owner(struct rw_semapho + EXPORT_SYMBOL(up_read_non_owner); + + #endif +- +- +--- a/kernel/locking/rwsem.h ++++ b/kernel/locking/rwsem.h +@@ -1,20 +1,24 @@ + /* SPDX-License-Identifier: GPL-2.0 */ + /* + * The owner field of the rw_semaphore structure will be set to +- * RWSEM_READ_OWNED when a reader grabs the lock. A writer will clear ++ * RWSEM_READER_OWNED when a reader grabs the lock. A writer will clear + * the owner field when it unlocks. A reader, on the other hand, will + * not touch the owner field when it unlocks. + * +- * In essence, the owner field now has the following 3 states: ++ * In essence, the owner field now has the following 4 states: + * 1) 0 + * - lock is free or the owner hasn't set the field yet + * 2) RWSEM_READER_OWNED + * - lock is currently or previously owned by readers (lock is free + * or not set by owner yet) +- * 3) Other non-zero value +- * - a writer owns the lock ++ * 3) RWSEM_ANONYMOUSLY_OWNED bit set with some other bits set as well ++ * - lock is owned by an anonymous writer, so spinning on the lock ++ * owner should be disabled. ++ * 4) Other non-zero value ++ * - a writer owns the lock and other writers can spin on the lock owner. + */ +-#define RWSEM_READER_OWNED ((struct task_struct *)1UL) ++#define RWSEM_ANONYMOUSLY_OWNED (1UL << 0) ++#define RWSEM_READER_OWNED ((struct task_struct *)RWSEM_ANONYMOUSLY_OWNED) + + #ifdef CONFIG_RWSEM_SPIN_ON_OWNER + /* +@@ -45,14 +49,22 @@ static inline void rwsem_set_reader_owne + WRITE_ONCE(sem->owner, RWSEM_READER_OWNED); + } + +-static inline bool rwsem_owner_is_writer(struct task_struct *owner) ++/* ++ * Return true if the a rwsem waiter can spin on the rwsem's owner ++ * and steal the lock, i.e. 
the lock is not anonymously owned. ++ * N.B. !owner is considered spinnable. ++ */ ++static inline bool is_rwsem_owner_spinnable(struct task_struct *owner) + { +- return owner && owner != RWSEM_READER_OWNED; ++ return !((unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED); + } + +-static inline bool rwsem_owner_is_reader(struct task_struct *owner) ++/* ++ * Return true if rwsem is owned by an anonymous writer or readers. ++ */ ++static inline bool rwsem_has_anonymous_owner(struct task_struct *owner) + { +- return owner == RWSEM_READER_OWNED; ++ return (unsigned long)owner & RWSEM_ANONYMOUSLY_OWNED; + } + #else + static inline void rwsem_set_owner(struct rw_semaphore *sem) diff --git a/queue-4.14/mac80211-adjust-sae-authentication-timeout.patch b/queue-4.14/mac80211-adjust-sae-authentication-timeout.patch new file mode 100644 index 00000000000..cbefde83d94 --- /dev/null +++ b/queue-4.14/mac80211-adjust-sae-authentication-timeout.patch 
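Review bot: The new helper comments in kernel/locking/rwsem.h never say that an owner value with RWSEM_ANONYMOUSLY_OWNED set is a tag rather than a task pointer, yet rwsem_spin_on_owner() depends on exactly that: its loop dereferences owner->on_cpu, and only the early `if (!is_rwsem_owner_spinnable(owner)) return false;` keeps a tagged value away from that dereference. I would reword the comment above is_rwsem_owner_spinnable() (it also contains a stray "the a") along the lines of `/* Return true if a waiter may spin on the owner, i.e. bit 0 is clear; a value with bit 0 set is not a task_struct pointer and must never be dereferenced. */`. The scheme presumably relies on real task_struct pointers never having bit 0 set, which is worth stating next to the RWSEM_ANONYMOUSLY_OWNED define. Both spinning functions start and end outside the hunks shown.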
@@ -0,0 +1,77 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Ilan Peer +Date: Fri, 20 Apr 2018 13:49:20 +0300 +Subject: mac80211: Adjust SAE authentication timeout + +From: Ilan Peer + +[ Upstream commit 407879b690ba3a6bf29be896d02dad63463bd1c0 ] + +The IEEE P802.11-REVmd D1.0 specification updated the SAE authentication +timeout to be 2000 milliseconds (see dot11RSNASAERetransPeriod). Update +the SAE timeout setting accordingly. + +While at it, reduce some code duplication in the timeout configuration. + +Signed-off-by: Ilan Peer +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/mlme.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -35,6 +35,7 @@ + #define IEEE80211_AUTH_TIMEOUT (HZ / 5) + #define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2) + #define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10) ++#define IEEE80211_AUTH_TIMEOUT_SAE (HZ * 2) + #define IEEE80211_AUTH_MAX_TRIES 3 + #define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5) + #define IEEE80211_ASSOC_TIMEOUT (HZ / 5) +@@ -3798,16 +3799,19 @@ static int ieee80211_auth(struct ieee802 + tx_flags); + + if (tx_flags == 0) { +- auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; +- auth_data->timeout_started = true; +- run_again(sdata, auth_data->timeout); ++ if (auth_data->algorithm == WLAN_AUTH_SAE) ++ auth_data->timeout = jiffies + ++ IEEE80211_AUTH_TIMEOUT_SAE; ++ else ++ auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; + } else { + auth_data->timeout = + round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG); +- auth_data->timeout_started = true; +- run_again(sdata, auth_data->timeout); + } + ++ auth_data->timeout_started = true; ++ run_again(sdata, auth_data->timeout); ++ + return 0; + } + +@@ -3878,8 +3882,15 @@ void ieee80211_sta_work(struct ieee80211 + ifmgd->status_received = false; + if (ifmgd->auth_data && 
ieee80211_is_auth(fc)) { + if (status_acked) { +- ifmgd->auth_data->timeout = +- jiffies + IEEE80211_AUTH_TIMEOUT_SHORT; ++ if (ifmgd->auth_data->algorithm == ++ WLAN_AUTH_SAE) ++ ifmgd->auth_data->timeout = ++ jiffies + ++ IEEE80211_AUTH_TIMEOUT_SAE; ++ else ++ ifmgd->auth_data->timeout = ++ jiffies + ++ IEEE80211_AUTH_TIMEOUT_SHORT; + run_again(sdata, ifmgd->auth_data->timeout); + } else { + ifmgd->auth_data->timeout = jiffies - 1; diff --git a/queue-4.14/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch b/queue-4.14/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch new file mode 100644 index 00000000000..fc9e5cb64a3 --- /dev/null +++ b/queue-4.14/mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch 
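Review bot: The SAE-or-default selection is now written out twice, once in ieee80211_auth() and again in the status_acked branch of ieee80211_sta_work(), where a single assignment ends up spread over eight deeply indented lines. Choosing the interval into a local first, e.g. `timeout = ifmgd->auth_data->algorithm == WLAN_AUTH_SAE ? IEEE80211_AUTH_TIMEOUT_SAE : IEEE80211_AUTH_TIMEOUT_SHORT;`, and then assigning `jiffies + timeout` would keep both sites readable and harder to change inconsistently. The new define would also benefit from a trailing comment naming its source, `/* dot11RSNASAERetransPeriod, 2000 ms */`. Both functions extend beyond the hunks shown.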
@@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sara Sharon +Date: Fri, 20 Apr 2018 13:49:19 +0300 +Subject: mac80211: use timeout from the AddBA response instead of the request + +From: Sara Sharon + +[ Upstream commit 914eac248d876f9c00cd1792ffec3d182c863f13 ] + +2016 spec, section 10.24.2 specifies that the block ack +timeout in the ADD BA request is advisory. + +That means we should check the value in the response and +act upon it (same as buffer size). + +Signed-off-by: Sara Sharon +Signed-off-by: Luca Coelho +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/agg-tx.c | 4 ++++ + net/mac80211/tx.c | 3 ++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -8,6 +8,7 @@ + * Copyright 2007, Michael Wu + * Copyright 2007-2010, Intel Corporation + * Copyright(c) 2015-2017 Intel Deutschland GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -987,6 +988,9 @@ void ieee80211_process_addba_resp(struct + + sta->ampdu_mlme.addba_req_num[tid] = 0; + ++ tid_tx->timeout = ++ le16_to_cpu(mgmt->u.action.u.addba_resp.timeout); ++ + if (tid_tx->timeout) { + mod_timer(&tid_tx->session_timer, + TU_TO_EXP_TIME(tid_tx->timeout)); +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -4,6 +4,7 @@ + * Copyright 2006-2007 Jiri Benc + * Copyright 2007 Johannes Berg + * Copyright 2013-2014 Intel Mobile Communications GmbH ++ * Copyright (C) 2018 Intel Corporation + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as +@@ -1138,7 +1139,7 @@ static bool ieee80211_tx_prep_agg(struct + } + + /* reset session timer */ +- if (reset_agg_timer && tid_tx->timeout) ++ if (reset_agg_timer) + tid_tx->last_tx = jiffies; + + 
return queued; diff --git a/queue-4.14/mips-dts-boston-fix-pci-bus-dtc-warnings.patch b/queue-4.14/mips-dts-boston-fix-pci-bus-dtc-warnings.patch new file mode 100644 index 00000000000..4b3a33c4b71 --- /dev/null +++ b/queue-4.14/mips-dts-boston-fix-pci-bus-dtc-warnings.patch 
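Review bot: tid_tx->timeout in ieee80211_process_addba_resp() is now taken straight from the peer's ADDBA response with no comment and no visible bound, so the remote station decides whether the session timer is armed and how soon it fires. A response carrying 0 skips the `mod_timer()` call even when the request asked for a timeout, and the tx.c hunk now updates `last_tx` regardless; that looks consistent, but the intent should be recorded at the assignment, e.g. `/* timeout in the request is advisory; the responder's value (in TUs) is the one in force, 0 = no session timer */`. Whether the frame length has been validated to cover addba_resp.timeout before this read cannot be seen here, because the function starts outside the hunk; that is worth confirming in the caller.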
@@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Matt Redfearn +Date: Fri, 13 Apr 2018 09:50:44 +0100 +Subject: MIPS: dts: Boston: Fix PCI bus dtc warnings: + +From: Matt Redfearn + +[ Upstream commit 2c2bf522ed8cbfaac666f7dc65cfd38de2b89f0f ] + +dtc recently (v1.4.4-8-g756ffc4f52f6) added PCI bus checks. Fix the +warnings now emitted: + +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@10000000: missing bus-range for PCI bridge +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@12000000: missing bus-range for PCI bridge +arch/mips/boot/dts/img/boston.dtb: Warning (pci_bridge): /pci@14000000: missing bus-range for PCI bridge + +Signed-off-by: Matt Redfearn +Cc: Ralf Baechle +Cc: Paul Burton +Cc: Rob Herring +Cc: Mark Rutland +Cc: linux-mips@linux-mips.org +Cc: devicetree@vger.kernel.org +Patchwork: https://patchwork.linux-mips.org/patch/19070/ +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/boot/dts/img/boston.dts | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/mips/boot/dts/img/boston.dts ++++ b/arch/mips/boot/dts/img/boston.dts +@@ -51,6 +51,8 @@ + ranges = <0x02000000 0 0x40000000 + 0x40000000 0 0x40000000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci0_intc 1>, + <0 0 0 2 &pci0_intc 2>, +@@ -79,6 +81,8 @@ + ranges = <0x02000000 0 0x20000000 + 0x20000000 0 0x20000000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci1_intc 1>, + <0 0 0 2 &pci1_intc 2>, +@@ -107,6 +111,8 @@ + ranges = <0x02000000 0 0x16000000 + 0x16000000 0 0x100000>; + ++ bus-range = <0x00 0xff>; ++ + interrupt-map-mask = <0 0 0 7>; + interrupt-map = <0 0 0 1 &pci2_intc 1>, + <0 0 0 2 &pci2_intc 2>, 
diff --git a/queue-4.14/mips-io-add-barrier-after-register-read-in-readx.patch b/queue-4.14/mips-io-add-barrier-after-register-read-in-readx.patch new file mode 100644 index 00000000000..3341111fa42 --- /dev/null +++ b/queue-4.14/mips-io-add-barrier-after-register-read-in-readx.patch @@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sinan Kaya +Date: Thu, 12 Apr 2018 22:30:44 -0400 +Subject: MIPS: io: Add barrier after register read in readX() + +From: Sinan Kaya + +[ Upstream commit a1cc7034e33d12dc17d13fbcd7d597d552889097 ] + +While a barrier is present in the writeX() functions before the register +write, a similar barrier is missing in the readX() functions after the +register read. This could allow memory accesses following readX() to +observe stale data. + +Signed-off-by: Sinan Kaya +Reported-by: Arnd Bergmann +Cc: Ralf Baechle +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/19069/ +[jhogan@kernel.org: Tidy commit message] +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -377,6 +377,8 @@ static inline type pfx##read##bwlq(const + BUG(); \ + } \ + \ ++ /* prevent prefetching of coherent DMA data prematurely */ \ ++ rmb(); \ + return pfx##ioswab##bwlq(__mem, __val); \ + } + diff --git a/queue-4.14/mips-io-prevent-compiler-reordering-writex.patch b/queue-4.14/mips-io-prevent-compiler-reordering-writex.patch new file mode 100644 index 00000000000..b89de910a81 --- /dev/null +++ b/queue-4.14/mips-io-prevent-compiler-reordering-writex.patch 
@@ -0,0 +1,39 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Sinan Kaya +Date: Tue, 3 Apr 2018 08:55:03 -0400 +Subject: MIPS: io: Prevent compiler reordering writeX() + +From: Sinan Kaya + +[ Upstream commit f6b7aeee8f167409195fbf1364d02988fecad1d0 ] + +writeX() has strong ordering semantics with respect to memory updates. +In the absence of a write barrier or a compiler barrier, the compiler +can reorder register and memory update instructions. This breaks the +writeX() API. + +Signed-off-by: Sinan Kaya +Cc: Arnd Bergmann +Cc: Ralf Baechle +Cc: Paul Burton +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/18997/ +[jhogan@kernel.org: Tidy commit message] +Signed-off-by: James Hogan +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + arch/mips/include/asm/io.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/include/asm/io.h ++++ b/arch/mips/include/asm/io.h +@@ -307,7 +307,7 @@ static inline void iounmap(const volatil + #if defined(CONFIG_CPU_CAVIUM_OCTEON) || defined(CONFIG_LOONGSON3_ENHANCEMENT) + #define war_io_reorder_wmb() wmb() + #else +-#define war_io_reorder_wmb() do { } while (0) ++#define war_io_reorder_wmb() barrier() + #endif + + #define __BUILD_MEMORY_SINGLE(pfx, bwlq, type, irq) \ diff --git a/queue-4.14/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch b/queue-4.14/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch new file mode 100644 index 00000000000..c725adfa65e --- /dev/null +++ b/queue-4.14/mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch 
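Review bot: After this change war_io_reorder_wmb() still carries "wmb" in its name but expands to `barrier()` on every CPU other than Octeon and Loongson-3, which constrains only the compiler and emits no hardware barrier. Since the description says writeX() must be strongly ordered against memory updates, a reader can easily assume the macro provides that on all cores; a comment above the `#else` arm would prevent it, e.g. `/* compiler barrier only: stops the compiler moving stores across the MMIO write; no hardware ordering on these CPUs */`. Whether the remaining cores need a real wmb() here, for instance when a descriptor is written to memory before the doorbell register, cannot be answered from this hunk and deserves a second look.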
@@ -0,0 +1,89 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Minchan Kim +Date: Fri, 20 Apr 2018 14:56:17 -0700 +Subject: mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create() + +From: Minchan Kim + +[ Upstream commit c892fd82cc0632d425ae011a4dd75eb59e9f84ee ] + +If there is heavy memory pressure, page allocation with __GFP_NOWAIT +fails easily although it's order-0 request. I got below warning 9 times +for normal boot. + + : page allocation failure: order:0, mode:0x2200000(GFP_NOWAIT|__GFP_NOTRACK) + .. snip .. + Call trace: + dump_backtrace+0x0/0x4 + dump_stack+0xa4/0xc0 + warn_alloc+0xd4/0x15c + __alloc_pages_nodemask+0xf88/0x10fc + alloc_slab_page+0x40/0x18c + new_slab+0x2b8/0x2e0 + ___slab_alloc+0x25c/0x464 + __kmalloc+0x394/0x498 + memcg_kmem_get_cache+0x114/0x2b8 + kmem_cache_alloc+0x98/0x3e8 + mmap_region+0x3bc/0x8c0 + do_mmap+0x40c/0x43c + vm_mmap_pgoff+0x15c/0x1e4 + sys_mmap+0xb0/0xc8 + el0_svc_naked+0x24/0x28 + Mem-Info: + active_anon:17124 inactive_anon:193 isolated_anon:0 + active_file:7898 inactive_file:712955 isolated_file:55 + unevictable:0 dirty:27 writeback:18 unstable:0 + slab_reclaimable:12250 slab_unreclaimable:23334 + mapped:19310 shmem:212 pagetables:816 bounce:0 + free:36561 free_pcp:1205 free_cma:35615 + Node 0 active_anon:68496kB inactive_anon:772kB active_file:31592kB inactive_file:2851820kB unevictable:0kB isolated(anon):0kB isolated(file):220kB mapped:77240kB dirty:108kB writeback:72kB shmem:848kB writeback_tmp:0kB unstable:0kB all_unreclaimable? 
no + DMA free:142188kB min:3056kB low:3820kB high:4584kB active_anon:10052kB inactive_anon:12kB active_file:312kB inactive_file:1412620kB unevictable:0kB writepending:0kB present:1781412kB managed:1604728kB mlocked:0kB slab_reclaimable:3592kB slab_unreclaimable:876kB kernel_stack:400kB pagetables:52kB bounce:0kB free_pcp:1436kB local_pcp:124kB free_cma:142492kB + lowmem_reserve[]: 0 1842 1842 + Normal free:4056kB min:4172kB low:5212kB high:6252kB active_anon:58376kB inactive_anon:760kB active_file:31348kB inactive_file:1439040kB unevictable:0kB writepending:180kB present:2000636kB managed:1923688kB mlocked:0kB slab_reclaimable:45408kB slab_unreclaimable:92460kB kernel_stack:9680kB pagetables:3212kB bounce:0kB free_pcp:3392kB local_pcp:688kB free_cma:0kB + lowmem_reserve[]: 0 0 0 + DMA: 0*4kB 0*8kB 1*16kB (C) 0*32kB 0*64kB 0*128kB 1*256kB (C) 1*512kB (C) 0*1024kB 1*2048kB (C) 34*4096kB (C) = 142096kB + Normal: 228*4kB (UMEH) 172*8kB (UMH) 23*16kB (UH) 24*32kB (H) 5*64kB (H) 1*128kB (H) 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 3872kB + 721350 total pagecache pages + 0 pages in swap cache + Swap cache stats: add 0, delete 0, find 0/0 + Free swap = 0kB + Total swap = 0kB + 945512 pages RAM + 0 pages HighMem/MovableOnly + 63408 pages reserved + 51200 pages cma reserved + +__memcg_schedule_kmem_cache_create() tries to create a shadow slab cache +and the worker allocation failure is not really critical because we will +retry on the next kmem charge. We might miss some charges but that +shouldn't be critical. The excessive allocation failure report is not +very helpful. 
+ +[mhocko@kernel.org: changelog update] +Link: http://lkml.kernel.org/r/20180418022912.248417-1-minchan@kernel.org +Signed-off-by: Minchan Kim +Acked-by: Johannes Weiner +Reviewed-by: Andrew Morton +Cc: Michal Hocko +Cc: Vladimir Davydov +Cc: Minchan Kim +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + mm/memcontrol.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/memcontrol.c ++++ b/mm/memcontrol.c +@@ -2205,7 +2205,7 @@ static void __memcg_schedule_kmem_cache_ + { + struct memcg_kmem_cache_create_work *cw; + +- cw = kmalloc(sizeof(*cw), GFP_NOWAIT); ++ cw = kmalloc(sizeof(*cw), GFP_NOWAIT | __GFP_NOWARN); + if (!cw) + return; + diff --git a/queue-4.14/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch b/queue-4.14/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch new file mode 100644 index 00000000000..acc2e922d6f --- /dev/null +++ b/queue-4.14/mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch 
@@ -0,0 +1,66 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Huang Ying +Date: Fri, 20 Apr 2018 14:55:38 -0700 +Subject: mm, pagemap: fix swap offset value for PMD migration entry + +From: Huang Ying + +[ Upstream commit 88c28f2469151b031f8cea9b28ed5be1b74a4172 ] + +The swap offset reported by /proc//pagemap may be not correct for +PMD migration entries. If addr passed into pagemap_pmd_range() isn't +aligned with PMD start address, the swap offset reported doesn't +reflect this. And in the loop to report information of each sub-page, +the swap offset isn't increased accordingly as that for PFN. + +This may happen after opening /proc//pagemap and seeking to a page +whose address doesn't align with a PMD start address. I have verified +this with a simple test program. + +BTW: migration swap entries have PFN information, do we need to restrict +whether to show them? + +[akpm@linux-foundation.org: fix typo, per Huang, Ying] +Link: http://lkml.kernel.org/r/20180408033737.10897-1-ying.huang@intel.com +Signed-off-by: "Huang, Ying" +Cc: Michal Hocko +Cc: "Kirill A. 
Shutemov" +Cc: Andrei Vagin +Cc: Dan Williams +Cc: "Jerome Glisse" +Cc: Daniel Colascione +Cc: Zi Yan +Cc: Naoya Horiguchi +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/task_mmu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -1327,9 +1327,11 @@ static int pagemap_pmd_range(pmd_t *pmdp + #ifdef CONFIG_ARCH_ENABLE_THP_MIGRATION + else if (is_swap_pmd(pmd)) { + swp_entry_t entry = pmd_to_swp_entry(pmd); ++ unsigned long offset = swp_offset(entry); + ++ offset += (addr & ~PMD_MASK) >> PAGE_SHIFT; + frame = swp_type(entry) | +- (swp_offset(entry) << MAX_SWAPFILES_SHIFT); ++ (offset << MAX_SWAPFILES_SHIFT); + flags |= PM_SWAP; + if (pmd_swp_soft_dirty(pmd)) + flags |= PM_SOFT_DIRTY; +@@ -1349,6 +1351,8 @@ static int pagemap_pmd_range(pmd_t *pmdp + break; + if (pm->show_pfn && (flags & PM_PRESENT)) + frame++; ++ else if (flags & PM_SWAP) ++ frame += (1 << MAX_SWAPFILES_SHIFT); + } + spin_unlock(ptl); + return err; diff --git a/queue-4.14/mtd-fix-comparison-in-map_word_andequal.patch b/queue-4.14/mtd-fix-comparison-in-map_word_andequal.patch new file mode 100644 index 00000000000..fc32d1a5d66 --- /dev/null +++ b/queue-4.14/mtd-fix-comparison-in-map_word_andequal.patch 
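Review bot: The swap branch in pagemap_pmd_range() fills `frame` from the swap offset without consulting `pm->show_pfn`, while the present-page increment a few lines later is gated on it. The description itself notes that migration entries carry PFN information in that offset, so a reader of pagemap without the privilege that show_pfn appears to represent may still learn physical frame numbers of pages under migration through this path. Gating the assignment, at least for migration entries, `if (pm->show_pfn) frame = swp_type(entry) | (offset << MAX_SWAPFILES_SHIFT);`, together with the matching `frame += (1 << MAX_SWAPFILES_SHIFT)` step, would close that. The function body starts and ends outside the hunks.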
@@ -0,0 +1,37 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Ben Hutchings +Date: Thu, 10 May 2018 19:20:54 +0100 +Subject: mtd: Fix comparison in map_word_andequal() + +From: Ben Hutchings + +[ Upstream commit ea739a287f4f16d6250bea779a1026ead79695f2 ] + +Commit 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") +changed map_word_andequal() into a macro, but also changed the right +hand side of the comparison from val3 to val2. Change it back to use +val3 on the right hand side. + +Thankfully this did not cause a regression because all callers +currently pass the same argument for val2 and val3. + +Fixes: 9e343e87d2c4 ("mtd: cfi: convert inline functions to macros") +Signed-off-by: Ben Hutchings +Signed-off-by: Boris Brezillon +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mtd/map.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -312,7 +312,7 @@ void map_destroy(struct mtd_info *mtd); + ({ \ + int i, ret = 1; \ + for (i = 0; i < map_words(map); i++) { \ +- if (((val1).x[i] & (val2).x[i]) != (val2).x[i]) { \ ++ if (((val1).x[i] & (val2).x[i]) != (val3).x[i]) { \ + ret = 0; \ + break; \ + } \ diff --git a/queue-4.14/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch b/queue-4.14/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch new file mode 100644 index 00000000000..d144d2b0811 --- /dev/null +++ b/queue-4.14/net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch 
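Review bot: The map_word_andequal() macro declares `int i, ret = 1;` inside its statement expression and then expands `(val1).x[i]`, `(val2).x[i]` and `(val3).x[i]`, so an argument expression that mentions a caller variable named `i` or `ret` would silently bind to the macro's locals instead. The description says the val2/val3 mix-up went unnoticed only because every caller passes the same value for both, so nothing currently exercises the arguments independently. Reserved-style local names, `int __i, __ret = 1;`, would remove the capture hazard without changing behaviour. The macro body starts and ends outside the hunk.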
@@ -0,0 +1,35 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Igor Russkikh +Date: Mon, 7 May 2018 16:10:38 +0300 +Subject: net: aquantia: driver should correctly declare vlan_features bits + +From: Igor Russkikh + +[ Upstream commit 8c61ab7f111a2b29d051348b9cb9a39804ebf1f8 ] + +In particular, not reporting SG forced skbs to be linear for vlan +interfaces over atlantic NIC. + +With this fix it is possible to enable SG feature on device and +therefore optimize performance. + +Reported-by: Ma Yuying +Signed-off-by: Igor Russkikh +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/aquantia/atlantic/aq_nic.c ++++ b/drivers/net/ethernet/aquantia/atlantic/aq_nic.c +@@ -310,6 +310,8 @@ int aq_nic_ndev_init(struct aq_nic_s *se + + self->ndev->hw_features |= aq_hw_caps->hw_features; + self->ndev->features = aq_hw_caps->hw_features; ++ self->ndev->vlan_features |= NETIF_F_HW_CSUM | NETIF_F_RXCSUM | ++ NETIF_F_RXHASH | NETIF_F_SG | NETIF_F_LRO; + self->ndev->priv_flags = aq_hw_caps->hw_priv_flags; + self->ndev->mtu = aq_nic_cfg->mtu - ETH_HLEN; + self->ndev->max_mtu = self->aq_hw_caps.mtu - ETH_FCS_LEN - ETH_HLEN; diff --git a/queue-4.14/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch b/queue-4.14/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch new file mode 100644 index 00000000000..55ab9a7783a --- /dev/null +++ b/queue-4.14/net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch 
@@ -0,0 +1,33 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Florian Fainelli +Date: Mon, 23 Apr 2018 15:51:38 -0700 +Subject: net: ethtool: Add missing kernel doc for FEC parameters + +From: Florian Fainelli + +[ Upstream commit d805c5209350ae725e3a1ee0204ba27d9e75ce3e ] + +While adding support for ethtool::get_fecparam and set_fecparam, kernel +doc for these functions was missed, add those. + +Fixes: 1a5f3da20bd9 ("net: ethtool: add support for forward error correction modes") +Signed-off-by: Florian Fainelli +Acked-by: Roopa Prabhu +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/ethtool.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/ethtool.h ++++ b/include/linux/ethtool.h +@@ -300,6 +300,8 @@ bool ethtool_convert_link_mode_to_legacy + * fields should be ignored (use %__ETHTOOL_LINK_MODE_MASK_NBITS + * instead of the latter), any change to them will be overwritten + * by kernel. Returns a negative error code or zero. ++ * @get_fecparam: Get the network device Forward Error Correction parameters. ++ * @set_fecparam: Set the network device Forward Error Correction parameters. + * + * All operations are optional (i.e. the function pointer may be set + * to %NULL) and callers must take this into account. Callers must diff --git a/queue-4.14/net-hns-avoid-action-name-truncation.patch b/queue-4.14/net-hns-avoid-action-name-truncation.patch new file mode 100644 index 00000000000..95056f30f27 --- /dev/null +++ b/queue-4.14/net-hns-avoid-action-name-truncation.patch 
@@ -0,0 +1,63 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: dann frazier +Date: Wed, 18 Apr 2018 21:55:41 -0600 +Subject: net: hns: Avoid action name truncation + +From: dann frazier + +[ Upstream commit f4ea89110df237da6fbcaab76af431e85f07d904 ] + +When longer interface names are used, the action names exposed in +/proc/interrupts and /proc/irq/* maybe truncated. For example, when +using the predictable name algorithm in systemd on a HiSilicon D05, +I see: + + ubuntu@d05-3:~$ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' + enahisic2i0-tx0 + enahisic2i0-tx1 + [...] + enahisic2i0-tx8 + enahisic2i0-tx9 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + enahisic2i0-tx1 + +Increase the max ring name length to allow for an interface name +of IFNAMSIZE. After this change, I now see: + + $ grep enahisic2i0-tx /proc/interrupts | sed 's/.* //' + enahisic2i0-tx0 + enahisic2i0-tx1 + enahisic2i0-tx2 + [...] + enahisic2i0-tx8 + enahisic2i0-tx9 + enahisic2i0-tx10 + enahisic2i0-tx11 + enahisic2i0-tx12 + enahisic2i0-tx13 + enahisic2i0-tx14 + enahisic2i0-tx15 + +Signed-off-by: dann frazier +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/hisilicon/hns/hnae.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/hisilicon/hns/hnae.h ++++ b/drivers/net/ethernet/hisilicon/hns/hnae.h +@@ -87,7 +87,7 @@ do { \ + + #define HNAE_AE_REGISTER 0x1 + +-#define RCB_RING_NAME_LEN 16 ++#define RCB_RING_NAME_LEN (IFNAMSIZ + 4) + + #define HNAE_LOWEST_LATENCY_COAL_PARAM 30 + #define HNAE_LOW_LATENCY_COAL_PARAM 80 diff --git a/queue-4.14/net-phy-marvell-clear-wol-event-before-setting-it.patch b/queue-4.14/net-phy-marvell-clear-wol-event-before-setting-it.patch new file mode 100644 index 00000000000..05c10195112 --- /dev/null +++ b/queue-4.14/net-phy-marvell-clear-wol-event-before-setting-it.patch 
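Review bot: `(IFNAMSIZ + 4)` may still be one byte short for the longest legal interface name. IFNAMSIZ is 16 including the terminator, so a 15-character name followed by `-tx` and a two-digit ring index, the shape shown in the example output, needs 15 + 3 + 2 + 1 = 21 bytes while the new length is 20. If the name is built that way (the formatting call is outside this hunk), `#define RCB_RING_NAME_LEN (IFNAMSIZ + 6)` with a comment such as `/* ifname + "-tx"/"-rx" + ring index + NUL */` would cover indices of up to three digits and document where the constant comes from.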
@@ -0,0 +1,41 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Jingju Hou +Date: Mon, 23 Apr 2018 15:22:49 +0800 +Subject: net: phy: marvell: clear wol event before setting it + +From: Jingju Hou + +[ Upstream commit b6a930fa88083b41d26ddf1cab95cbd740936c22 ] + +If WOL event happened once, the LED[2] interrupt pin will not be +cleared unless we read the CSISR register. If interrupts are in use, +the normal interrupt handling will clear the WOL event. Let's clear the +WOL event before enabling it if !phy_interrupt_is_valid(). + +Signed-off-by: Jingju Hou +Signed-off-by: Jisheng Zhang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/phy/marvell.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/net/phy/marvell.c ++++ b/drivers/net/phy/marvell.c +@@ -1409,6 +1409,15 @@ static int m88e1318_set_wol(struct phy_d + if (err < 0) + return err; + ++ /* If WOL event happened once, the LED[2] interrupt pin ++ * will not be cleared unless we reading the interrupt status ++ * register. If interrupts are in use, the normal interrupt ++ * handling will clear the WOL event. Clear the WOL event ++ * before enabling it if !phy_interrupt_is_valid() ++ */ ++ if (!phy_interrupt_is_valid(phydev)) ++ phy_read(phydev, MII_M1011_IEVENT); ++ + /* Enable the WOL interrupt */ + temp = phy_read(phydev, MII_88E1318S_PHY_CSIER); + temp |= MII_88E1318S_PHY_CSIER_WOL_EIE; diff --git a/queue-4.14/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch b/queue-4.14/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch new file mode 100644 index 00000000000..c6ac30b8a57 --- /dev/null +++ b/queue-4.14/net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch 
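Review bot: The added `phy_read(phydev, MII_M1011_IEVENT);` discards its return value although the lines just above it return on `err < 0`, so a failed MDIO access goes unnoticed and the WOL event the read was meant to clear stays latched. I would write `err = phy_read(phydev, MII_M1011_IEVENT);` followed by `if (err < 0) return err;`. The description names the CSISR register while the code reads MII_M1011_IEVENT, and the register page selected at this point is not visible in the hunk, so it is worth confirming that the read targets the register that actually latches the event. The new comment also has a small slip, "unless we reading". m88e1318_set_wol() continues outside the hunk.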
@@ -0,0 +1,99 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Roman Mashak
+Date: Fri, 11 May 2018 10:55:09 -0400
+Subject: net sched actions: fix invalid pointer dereferencing if skbedit flags missing
+
+From: Roman Mashak
+
+[ Upstream commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a ]
+
+When application fails to pass flags in netlink TLV for a new skbedit action,
+the kernel results in the following oops:
+
+[ 8.307732] BUG: unable to handle kernel paging request at 0000000000021130
+[ 8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
+[ 8.310595] Oops: 0000 [#1] SMP PTI
+[ 8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
+[ 8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
+[ 8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
+[ 8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
+[ 8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
+[ 8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
+[ 8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
+[ 8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
+[ 8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
+[ 8.325590] FS: 00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
+[ 8.327001] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
+[ 8.329289] Call Trace:
+[ 8.329735] tcf_skbedit_init+0xa7/0xb0
+[ 8.330423] tcf_action_init_1+0x362/0x410
+[ 8.331139] ? try_to_wake_up+0x44/0x430
+[ 8.331817] tcf_action_init+0x103/0x190
+[ 8.332511] tc_ctl_action+0x11a/0x220
+[ 8.333174] rtnetlink_rcv_msg+0x23d/0x2e0
+[ 8.333902] ? _cond_resched+0x16/0x40
+[ 8.334569] ? __kmalloc_node_track_caller+0x5b/0x2c0
+[ 8.335440] ? rtnl_calcit.isra.31+0xf0/0xf0
+[ 8.336178] netlink_rcv_skb+0xdb/0x110
+[ 8.336855] netlink_unicast+0x167/0x220
+[ 8.337550] netlink_sendmsg+0x2a7/0x390
+[ 8.338258] sock_sendmsg+0x30/0x40
+[ 8.338865] ___sys_sendmsg+0x2c5/0x2e0
+[ 8.339531] ? pagecache_get_page+0x27/0x210
+[ 8.340271] ? filemap_fault+0xa2/0x630
+[ 8.340943] ? page_add_file_rmap+0x108/0x200
+[ 8.341732] ? alloc_set_pte+0x2aa/0x530
+[ 8.342573] ? finish_fault+0x4e/0x70
+[ 8.343332] ? __handle_mm_fault+0xbc1/0x10d0
+[ 8.344337] ? __sys_sendmsg+0x53/0x80
+[ 8.345040] __sys_sendmsg+0x53/0x80
+[ 8.345678] do_syscall_64+0x4f/0x100
+[ 8.346339] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 8.347206] RIP: 0033:0x7f591191da67
+[ 8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+[ 8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
+[ 8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
+[ 8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
+[ 8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
+[ 8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
+[ 8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
+00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
+74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
+[ 8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
+[ 8.359770] CR2: 0000000000021130
+[ 8.360438] ---[ end trace 60c66be45dfc14f0 ]---
+
+The caller calls action's ->init() and passes pointer to "struct tc_action *a",
+which later may be initialized to point at the existing action, otherwise
+"struct tc_action *a" is still invalid, and therefore dereferencing it is an
+error as happens in tcf_idr_release, where refcnt is decremented.
+
+So in case of missing flags tcf_idr_release must be called only for
+existing actions.
+
+v2:
+ - prepare patch for net tree
+
+Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding")
+Signed-off-by: Roman Mashak
+Acked-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_skbedit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_skbedit.c
++++ b/net/sched/act_skbedit.c
+@@ -121,7 +121,8 @@ static int tcf_skbedit_init(struct net *
+ return 0;
+
+ if (!flags) {
+- tcf_idr_release(*a, bind);
++ if (exists)
++ tcf_idr_release(*a, bind);
+ return -EINVAL;
+ }
+
diff --git a/queue-4.14/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch b/queue-4.14/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch
new file mode 100644
index 00000000000..529ff676504
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch
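Review bot: The new `if (exists)` guard in the `!flags` path carries no comment saying that `*a` is only a valid action pointer when the index lookup found an existing action, which is exactly what the oops in the commit message came from. A one-line comment such as `/* *a is only valid when the action already existed */` above the guard would keep a later cleanup from folding the release back into the unconditional path. `exists` is assigned outside the hunk, so the other early-exit paths of `tcf_skbedit_init` that release the action cannot be checked from here and are worth a look for the same pattern.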
@@ -0,0 +1,63 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Taehee Yoo
+Date: Wed, 18 Apr 2018 23:35:34 +0900
+Subject: netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update
+
+From: Taehee Yoo
+
+[ Upstream commit d71efb599ad42ef1e564c652d8084252bdc85edf ]
+
+When chain name is changed, nft_chain_commit_update is called.
+In the nft_chain_commit_update, trans->ctx.chain->name has old chain name
+and nft_trans_chain_name(trans) has new chain name.
+If new chain name is longer than old chain name, KASAN warns
+slab-out-of-bounds.
+
+[ 175.015012] BUG: KASAN: slab-out-of-bounds in strcpy+0x9e/0xb0
+[ 175.022735] Write of size 1 at addr ffff880114e022da by task iptables-compat/1458
+
+[ 175.031353] CPU: 0 PID: 1458 Comm: iptables-compat Not tainted 4.16.0-rc7+ #146
+[ 175.031353] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 175.031353] Call Trace:
+[ 175.031353] dump_stack+0x68/0xa0
+[ 175.031353] print_address_description+0xd0/0x260
+[ 175.031353] ? strcpy+0x9e/0xb0
+[ 175.031353] kasan_report+0x234/0x350
+[ 175.031353] __asan_report_store1_noabort+0x1c/0x20
+[ 175.031353] strcpy+0x9e/0xb0
+[ 175.031353] nf_tables_commit+0x1ccc/0x2990
+[ 175.031353] nfnetlink_rcv+0x141e/0x16c0
+[ 175.031353] ? nfnetlink_net_init+0x150/0x150
+[ 175.031353] ? lock_acquire+0x370/0x370
+[ 175.031353] ? lock_acquire+0x370/0x370
+[ 175.031353] netlink_unicast+0x444/0x640
+[ 175.031353] ? netlink_attachskb+0x700/0x700
+[ 175.031353] ? _copy_from_iter_full+0x180/0x740
+[ 175.031353] ? kasan_check_write+0x14/0x20
+[ 175.031353] ? _copy_from_user+0x9b/0xd0
+[ 175.031353] netlink_sendmsg+0x845/0xc70
+[ ... ]
+
+Steps to reproduce:
+ iptables-compat -N 1
+ iptables-compat -E 1 aaaaaaaaa
+
+Signed-off-by: Taehee Yoo
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4977,7 +4977,7 @@ static void nft_chain_commit_update(stru
+ struct nft_base_chain *basechain;
+
+ if (nft_trans_chain_name(trans))
+- strcpy(trans->ctx.chain->name, nft_trans_chain_name(trans));
++ swap(trans->ctx.chain->name, nft_trans_chain_name(trans));
+
+ if (!nft_is_base_chain(trans->ctx.chain))
+ return;
diff --git a/queue-4.14/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch b/queue-4.14/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch
new file mode 100644
index 00000000000..06d6e41eac5
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch
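Review bot: After `swap(trans->ctx.chain->name, nft_trans_chain_name(trans))` the transaction owns the old name string, and nothing in this hunk shows where that string is freed. If the commit-release path does not `kfree()` `nft_trans_chain_name(trans)` for a chain update, every rename leaks the old buffer; if it frees it at once, any reader that still holds the old `chain->name` pointer needs it to stay valid until that reader is done. A comment at the swap such as `/* old name now belongs to the transaction and is freed on release */` would record the ownership change. `nft_chain_commit_update` continues past the end of the hunk.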
@@ -0,0 +1,110 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Pablo Neira Ayuso
+Date: Wed, 18 Apr 2018 12:23:39 +0200
+Subject: netfilter: nf_tables: NAT chain and extensions require NF_TABLES
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit 39f2ff0816e5421476c2bc538b68b4bb0708a78e ]
+
+Move these options inside the scope of the 'if' NF_TABLES and
+NF_TABLES_IPV6 dependencies. This patch fixes:
+
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to `nft_do_chain'
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_exit':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:94: undefined reference to `nft_unregister_chain_type'
+ net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_chain_nat_ipv6_init':
+>> net/ipv6/netfilter/nft_chain_nat_ipv6.c:87: undefined reference to `nft_register_chain_type'
+
+that happens with:
+
+CONFIG_NF_TABLES=m
+CONFIG_NFT_CHAIN_NAT_IPV6=y
+
+Fixes: 02c7b25e5f54 ("netfilter: nf_tables: build-in filter chain type")
+Reported-by: kbuild test robot
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/netfilter/Kconfig | 55 ++++++++++++++++++++++-----------------------
+ 1 file changed, 28 insertions(+), 27 deletions(-)
+
+--- a/net/ipv6/netfilter/Kconfig
++++ b/net/ipv6/netfilter/Kconfig
+@@ -48,6 +48,34 @@ config NFT_CHAIN_ROUTE_IPV6
+ fields such as the source, destination, flowlabel, hop-limit and
+ the packet mark.
+
++if NF_NAT_IPV6
++
++config NFT_CHAIN_NAT_IPV6
++ tristate "IPv6 nf_tables nat chain support"
++ help
++ This option enables the "nat" chain for IPv6 in nf_tables. This
++ chain type is used to perform Network Address Translation (NAT)
++ packet transformations such as the source, destination address and
++ source and destination ports.
++
++config NFT_MASQ_IPV6
++ tristate "IPv6 masquerade support for nf_tables"
++ depends on NFT_MASQ
++ select NF_NAT_MASQUERADE_IPV6
++ help
++ This is the expression that provides IPv4 masquerading support for
++ nf_tables.
++
++config NFT_REDIR_IPV6
++ tristate "IPv6 redirect support for nf_tables"
++ depends on NFT_REDIR
++ select NF_NAT_REDIRECT
++ help
++ This is the expression that provides IPv4 redirect support for
++ nf_tables.
++
++endif # NF_NAT_IPV6
++
+ config NFT_REJECT_IPV6
+ select NF_REJECT_IPV6
+ default NFT_REJECT
+@@ -99,39 +127,12 @@ config NF_NAT_IPV6
+
+ if NF_NAT_IPV6
+
+-config NFT_CHAIN_NAT_IPV6
+- depends on NF_TABLES_IPV6
+- tristate "IPv6 nf_tables nat chain support"
+- help
+- This option enables the "nat" chain for IPv6 in nf_tables. This
+- chain type is used to perform Network Address Translation (NAT)
+- packet transformations such as the source, destination address and
+- source and destination ports.
+-
+ config NF_NAT_MASQUERADE_IPV6
+ tristate "IPv6 masquerade support"
+ help
+ This is the kernel functionality to provide NAT in the masquerade
+ flavour (automatic source address selection) for IPv6.
+
+-config NFT_MASQ_IPV6
+- tristate "IPv6 masquerade support for nf_tables"
+- depends on NF_TABLES_IPV6
+- depends on NFT_MASQ
+- select NF_NAT_MASQUERADE_IPV6
+- help
+- This is the expression that provides IPv4 masquerading support for
+- nf_tables.
+-
+-config NFT_REDIR_IPV6
+- tristate "IPv6 redirect support for nf_tables"
+- depends on NF_TABLES_IPV6
+- depends on NFT_REDIR
+- select NF_NAT_REDIRECT
+- help
+- This is the expression that provides IPv4 redirect support for
+- nf_tables.
+-
+ endif # NF_NAT_IPV6
+
+ config IP6_NF_IPTABLES
diff --git a/queue-4.14/nfp-ignore-signals-when-communicating-with-management-fw.patch b/queue-4.14/nfp-ignore-signals-when-communicating-with-management-fw.patch
new file mode 100644
index 00000000000..b268ff4066b
--- /dev/null
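Review bot: The help texts of `NFT_MASQ_IPV6` and `NFT_REDIR_IPV6` in the moved block still say "IPv4 masquerading support" and "IPv4 redirect support" although both options are the IPv6 ones. The wording is carried over unchanged from the block removed in the second hunk, so anyone reading the option help gets the wrong address family. Since the entries are being rewritten anyway, the help lines could read `This is the expression that provides IPv6 masquerading support for` and `This is the expression that provides IPv6 redirect support for`.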
+++ b/queue-4.14/nfp-ignore-signals-when-communicating-with-management-fw.patch
@@ -0,0 +1,46 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jakub Kicinski
+Date: Wed, 11 Apr 2018 16:47:35 -0700
+Subject: nfp: ignore signals when communicating with management FW
+
+From: Jakub Kicinski
+
+[ Upstream commit 5496295aefe86995e41398b0f76de601308fc3f5 ]
+
+We currently allow signals to interrupt the wait for management FW
+commands. Exiting the wait should not cause trouble, the FW will
+just finish executing the command in the background and new commands
+will wait for the old one to finish.
+
+However, this may not be what users expect (Ctrl-C not actually stopping
+the command). Moreover some systems routinely request link information
+with signals pending (Ubuntu 14.04 runs a landscape-sysinfo python tool
+from MOTD) worrying users with errors like these:
+
+nfp 0000:04:00.0: nfp_nsp: Error -512 waiting for code 0x0007 to start
+nfp 0000:04:00.0: nfp: reading port table failed -512
+
+Make the wait for management FW responses non-interruptible.
+
+Fixes: 1a64821c6af7 ("nfp: add support for service processor access")
+Signed-off-by: Jakub Kicinski
+Reviewed-by: Dirk van der Merwe
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
++++ b/drivers/net/ethernet/netronome/nfp/nfpcore/nfp_nsp.c
+@@ -277,8 +277,7 @@ nfp_nsp_wait_reg(struct nfp_cpp *cpp, u6
+ if ((*reg & mask) == val)
+ return 0;
+
+- if (msleep_interruptible(25))
+- return -ERESTARTSYS;
++ msleep(25);
+
+ if (time_after(start_time, wait_until))
+ return -ETIMEDOUT;
diff --git a/queue-4.14/nvme-depend-on-infiniband_addr_trans.patch b/queue-4.14/nvme-depend-on-infiniband_addr_trans.patch
new file mode 100644
index 00000000000..e2e872ad263
--- /dev/null
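Review bot: With `msleep(25)` the polling loop in `nfp_nsp_wait_reg` can no longer be left by a signal, so the `time_after(start_time, wait_until)` check is the only exit besides success and the caller stays in uninterruptible sleep for the whole timeout if the firmware never answers. The hunk does not show how `wait_until` is computed or whether `start_time` is refreshed on each pass; both are worth confirming, because a stale `start_time` would make the loop unbounded. A short comment at the sleep, for example `/* not interruptible: the FW finishes the command regardless */`, would record why the signal check was dropped. The function starts and ends outside the hunk.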
+++ b/queue-4.14/nvme-depend-on-infiniband_addr_trans.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Greg Thelen
+Date: Thu, 26 Apr 2018 11:19:30 -0700
+Subject: nvme: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen
+
+[ Upstream commit 3af7a156bdc356946098e13180be66b6420619bf ]
+
+NVME_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols. So
+declare the kconfig dependency. This is necessary to allow for enabling
+INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen
+Cc: Tarick Bedeir
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/Kconfig
++++ b/drivers/nvme/host/Kconfig
+@@ -18,7 +18,7 @@ config NVME_FABRICS
+
+ config NVME_RDMA
+ tristate "NVM Express over Fabrics RDMA host driver"
+- depends on INFINIBAND && BLOCK
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS && BLOCK
+ select NVME_CORE
+ select NVME_FABRICS
+ select SG_POOL
diff --git a/queue-4.14/nvme-fix-potential-memory-leak-in-option-parsing.patch b/queue-4.14/nvme-fix-potential-memory-leak-in-option-parsing.patch
new file mode 100644
index 00000000000..720a587e334
--- /dev/null
+++ b/queue-4.14/nvme-fix-potential-memory-leak-in-option-parsing.patch
@@ -0,0 +1,74 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Chengguang Xu
+Date: Sat, 14 Apr 2018 20:06:19 +0800
+Subject: nvme: fix potential memory leak in option parsing
+
+From: Chengguang Xu
+
+[ Upstream commit 59a2f3f00fd744dbad22593f47552037d3154ca6 ]
+
+When specifying same string type option several times,
+current option parsing may cause memory leak. Hence,
+call kfree for previous one in this case.
+
+Signed-off-by: Chengguang Xu
+Reviewed-by: Christoph Hellwig
+Reviewed-by: Sagi Grimberg
+Signed-off-by: Keith Busch
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/fabrics.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/nvme/host/fabrics.c
++++ b/drivers/nvme/host/fabrics.c
+@@ -587,6 +587,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->transport);
+ opts->transport = p;
+ break;
+ case NVMF_OPT_NQN:
+@@ -595,6 +596,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->subsysnqn);
+ opts->subsysnqn = p;
+ nqnlen = strlen(opts->subsysnqn);
+ if (nqnlen >= NVMF_NQN_SIZE) {
+@@ -617,6 +619,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->traddr);
+ opts->traddr = p;
+ break;
+ case NVMF_OPT_TRSVCID:
+@@ -625,6 +628,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->trsvcid);
+ opts->trsvcid = p;
+ break;
+ case NVMF_OPT_QUEUE_SIZE:
+@@ -706,6 +710,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -EINVAL;
+ goto out;
+ }
++ nvmf_host_put(opts->host);
+ opts->host = nvmf_host_add(p);
+ kfree(p);
+ if (!opts->host) {
+@@ -731,6 +736,7 @@ static int nvmf_parse_options(struct nvm
+ ret = -ENOMEM;
+ goto out;
+ }
++ kfree(opts->host_traddr);
+ opts->host_traddr = p;
+ break;
+ case NVMF_OPT_HOST_ID:
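Review bot: `nvmf_host_put(opts->host)` in the fifth hunk runs on the first occurrence of the option as well, when `opts->host` has presumably not been set yet. The `kfree()` calls added in the other hunks are safe on NULL, but `nvmf_host_put` is not shown here, so it should be confirmed that it tolerates a NULL host; otherwise guard the call with `if (opts->host)`. All six additions also rely on `opts` being zero-initialised before `nvmf_parse_options` runs, since `kfree(opts->transport)` and the others would otherwise free an uninitialised pointer; the allocation is outside these hunks.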
diff --git a/queue-4.14/nvme-set-integrity-flag-for-user-passthrough-commands.patch b/queue-4.14/nvme-set-integrity-flag-for-user-passthrough-commands.patch
new file mode 100644
index 00000000000..8bb39e605bf
--- /dev/null
+++ b/queue-4.14/nvme-set-integrity-flag-for-user-passthrough-commands.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Keith Busch
+Date: Tue, 17 Apr 2018 14:42:44 -0600
+Subject: nvme: Set integrity flag for user passthrough commands
+
+From: Keith Busch
+
+[ Upstream commit f31a21103c03bb62846409fdc60cc9faf2398cfb ]
+
+If the command a separate metadata buffer attached, the request needs
+to have the integrity flag set so the driver knows to map it.
+
+Signed-off-by: Keith Busch
+Reviewed-by: Martin K. Petersen
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/nvme/host/core.c
++++ b/drivers/nvme/host/core.c
+@@ -665,6 +665,7 @@ static int nvme_submit_user_cmd(struct r
+ ret = PTR_ERR(meta);
+ goto out_unmap;
+ }
++ req->cmd_flags |= REQ_INTEGRITY;
+ }
+ }
+
diff --git a/queue-4.14/nvmet-rdma-depend-on-infiniband_addr_trans.patch b/queue-4.14/nvmet-rdma-depend-on-infiniband_addr_trans.patch
new file mode 100644
index 00000000000..92b9cd95292
--- /dev/null
+++ b/queue-4.14/nvmet-rdma-depend-on-infiniband_addr_trans.patch
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Greg Thelen
+Date: Thu, 26 Apr 2018 11:19:31 -0700
+Subject: nvmet-rdma: depend on INFINIBAND_ADDR_TRANS
+
+From: Greg Thelen
+
+[ Upstream commit d6fc6a22fc7d3df987666725496ed5dd2dd30f23 ]
+
+NVME_TARGET_RDMA code depends on INFINIBAND_ADDR_TRANS provided symbols.
+So declare the kconfig dependency. This is necessary to allow for
+enabling INFINIBAND without INFINIBAND_ADDR_TRANS.
+
+Signed-off-by: Greg Thelen
+Cc: Tarick Bedeir
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/target/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/target/Kconfig
++++ b/drivers/nvme/target/Kconfig
+@@ -27,7 +27,7 @@ config NVME_TARGET_LOOP
+
+ config NVME_TARGET_RDMA
+ tristate "NVMe over Fabrics RDMA target support"
+- depends on INFINIBAND
++ depends on INFINIBAND && INFINIBAND_ADDR_TRANS
+ depends on NVME_TARGET
+ help
+ This enables the NVMe RDMA target support, which allows exporting NVMe
diff --git a/queue-4.14/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch b/queue-4.14/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch
new file mode 100644
index 00000000000..41333ecb088
--- /dev/null
+++ b/queue-4.14/objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch
@@ -0,0 +1,66 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ingo Molnar
+Date: Mon, 14 May 2018 10:15:54 +0200
+Subject: objtool, kprobes/x86: Sync the latest header with tools/objtool/arch/x86/include/asm/insn.h
+
+From: Ingo Molnar
+
+[ Upstream commit 4fe875e4bd3cae85ae6f6eaf77f63fabe613b66e ]
+
+The following commit:
+
+ ee6a7354a362: kprobes/x86: Prohibit probing on exception masking instructions
+
+Modified , adding the insn_masking_exception() function.
+
+Sync the tooling version of the header to it, to fix this warning:
+
+ Warning: synced file at 'tools/objtool/arch/x86/include/asm/insn.h' differs from latest kernel version at 'arch/x86/include/asm/insn.h'
+
+Cc: Peter Zijlstra
+Cc: Josh Poimboeuf
+Cc: Masami Hiramatsu
+Cc: Thomas Gleixner
+Cc: Ricardo Neri
+Cc: Francis Deslauriers
+Cc: Oleg Nesterov
+Cc: Alexei Starovoitov
+Cc: Steven Rostedt
+Cc: Andy Lutomirski
+Cc: "H . Peter Anvin"
+Cc: Yonghong Song
+Cc: Borislav Petkov
+Cc: Linus Torvalds
+Cc: "David S . Miller"
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/objtool/arch/x86/include/asm/insn.h | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/tools/objtool/arch/x86/include/asm/insn.h
++++ b/tools/objtool/arch/x86/include/asm/insn.h
+@@ -208,4 +208,22 @@ static inline int insn_offset_immediate(
+ return insn_offset_displacement(insn) + insn->displacement.nbytes;
+ }
+
++#define POP_SS_OPCODE 0x1f
++#define MOV_SREG_OPCODE 0x8e
++
++/*
++ * Intel SDM Vol.3A 6.8.3 states;
++ * "Any single-step trap that would be delivered following the MOV to SS
++ * instruction or POP to SS instruction (because EFLAGS.TF is 1) is
++ * suppressed."
++ * This function returns true if @insn is MOV SS or POP SS. On these
++ * instructions, single stepping is suppressed.
++ */
++static inline int insn_masking_exception(struct insn *insn)
++{
++ return insn->opcode.bytes[0] == POP_SS_OPCODE ||
++ (insn->opcode.bytes[0] == MOV_SREG_OPCODE &&
++ X86_MODRM_REG(insn->modrm.bytes[0]) == 2);
++}
++
+ #endif /* _ASM_X86_INSN_H */
diff --git a/queue-4.14/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch b/queue-4.14/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch
new file mode 100644
index 00000000000..0757192bca3
--- /dev/null
+++ b/queue-4.14/ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch
@@ -0,0 +1,90 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ashish Samant
+Date: Fri, 11 May 2018 16:02:07 -0700
+Subject: ocfs2: take inode cluster lock before moving reflinked inode from orphan dir
+
+From: Ashish Samant
+
+[ Upstream commit e4383029201470523c3ffe339bd7d57e9b4a7d65 ]
+
+While reflinking an inode, we create a new inode in orphan directory,
+then take EX lock on it, reflink the original inode to orphan inode and
+release EX lock. Once the lock is released another node could request
+it in EX mode from ocfs2_recover_orphans() which causes downconvert of
+the lock, on this node, to NL mode.
+
+Later we attempt to initialize security acl for the orphan inode and
+move it to the reflink destination. However, while doing this we dont
+take EX lock on the inode. This could potentially cause problems
+because we could be starting transaction, accessing journal and
+modifying metadata of the inode while holding NL lock and with another
+node holding EX lock on the inode.
+
+Fix this by taking orphan inode cluster lock in EX mode before
+initializing security and moving orphan inode to reflink destination.
+Use the __tracker variant while taking inode lock to avoid recursive
+locking in the ocfs2_init_security_and_acl() call chain.
+
+Link: http://lkml.kernel.org/r/1523475107-7639-1-git-send-email-ashish.samant@oracle.com
+Signed-off-by: Ashish Samant
+Reviewed-by: Joseph Qi
+Reviewed-by: Junxiao Bi
+Acked-by: Jun Piao
+Cc: Mark Fasheh
+Cc: Joel Becker
+Cc: Changwei Ge
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ocfs2/refcounttree.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/fs/ocfs2/refcounttree.c
++++ b/fs/ocfs2/refcounttree.c
+@@ -4250,10 +4250,11 @@ out:
+ static int ocfs2_reflink(struct dentry *old_dentry, struct inode *dir,
+ struct dentry *new_dentry, bool preserve)
+ {
+- int error;
++ int error, had_lock;
+ struct inode *inode = d_inode(old_dentry);
+ struct buffer_head *old_bh = NULL;
+ struct inode *new_orphan_inode = NULL;
++ struct ocfs2_lock_holder oh;
+
+ if (!ocfs2_refcount_tree(OCFS2_SB(inode->i_sb)))
+ return -EOPNOTSUPP;
+@@ -4295,6 +4296,14 @@ static int ocfs2_reflink(struct dentry *
+ goto out;
+ }
+
++ had_lock = ocfs2_inode_lock_tracker(new_orphan_inode, NULL, 1,
++ &oh);
++ if (had_lock < 0) {
++ error = had_lock;
++ mlog_errno(error);
++ goto out;
++ }
++
+ /* If the security isn't preserved, we need to re-initialize them. */
+ if (!preserve) {
+ error = ocfs2_init_security_and_acl(dir, new_orphan_inode,
+@@ -4302,14 +4311,15 @@ static int ocfs2_reflink(struct dentry *
+ if (error)
+ mlog_errno(error);
+ }
+-out:
+ if (!error) {
+ error = ocfs2_mv_orphaned_inode_to_new(dir, new_orphan_inode,
+ new_dentry);
+ if (error)
+ mlog_errno(error);
+ }
++ ocfs2_inode_unlock_tracker(new_orphan_inode, 1, &oh, had_lock);
+
++out:
+ if (new_orphan_inode) {
+ /*
+ * We need to open_unlock the inode no matter whether we
diff --git a/queue-4.14/parisc-drivers.c-fix-section-mismatches.patch b/queue-4.14/parisc-drivers.c-fix-section-mismatches.patch
new file mode 100644
index 00000000000..269c6731222
--- /dev/null
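Review bot: The call `ocfs2_inode_lock_tracker(new_orphan_inode, NULL, 1, &oh)` added in the second hunk has no comment saying why the EX cluster lock has to be taken again at this point; the reason is given only in the commit message. A comment above the call such as `/* re-take the EX cluster lock dropped after the reflink before touching the orphan inode again */` would keep that knowledge in the source. Moving the `out:` label below `ocfs2_inode_unlock_tracker()` in the third hunk is what stops the earlier `goto out` paths from unlocking a lock they never took, and that dependency deserves a word in the same comment. `ocfs2_reflink` ends outside the last hunk.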
+++ b/queue-4.14/parisc-drivers.c-fix-section-mismatches.patch
@@ -0,0 +1,45 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Helge Deller
+Date: Fri, 20 Apr 2018 23:19:17 +0200
+Subject: parisc: drivers.c: Fix section mismatches
+
+From: Helge Deller
+
+[ Upstream commit b819439fea305a0bfd6ca23a7994fd1a8847c0d8 ]
+
+Fix two section mismatches in drivers.c:
+1) Section mismatch in reference from the function alloc_tree_node() to
+ the function .init.text:create_tree_node().
+2) Section mismatch in reference from the function walk_native_bus() to
+ the function .init.text:alloc_pa_dev().
+
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/drivers.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/arch/parisc/kernel/drivers.c
++++ b/arch/parisc/kernel/drivers.c
+@@ -448,7 +448,8 @@ static int match_by_id(struct device * d
+ * Checks all the children of @parent for a matching @id. If none
+ * found, it allocates a new device and returns it.
+ */
+-static struct parisc_device * alloc_tree_node(struct device *parent, char id)
++static struct parisc_device * __init alloc_tree_node(
++ struct device *parent, char id)
+ {
+ struct match_id_data d = {
+ .id = id,
+@@ -825,8 +826,8 @@ void walk_lower_bus(struct parisc_device
+ * devices which are not physically connected (such as extra serial &
+ * keyboard ports). This problem is not yet solved.
+ */
+-static void walk_native_bus(unsigned long io_io_low, unsigned long io_io_high,
+- struct device *parent)
++static void __init walk_native_bus(unsigned long io_io_low,
++ unsigned long io_io_high, struct device *parent)
+ {
+ int i, devices_found = 0;
+ unsigned long hpa = io_io_low;
diff --git a/queue-4.14/parisc-move-setup_profiling_timer-out-of-init-section.patch b/queue-4.14/parisc-move-setup_profiling_timer-out-of-init-section.patch
new file mode 100644
index 00000000000..5e3a6c76159
--- /dev/null
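Review bot: Marking `walk_native_bus` as `__init` in the second hunk is only safe if every caller is discarded with the init section too, and that hunk's header shows `walk_lower_bus` directly above it without `__init`. If `walk_lower_bus` calls `walk_native_bus` (not visible here) and can run after boot, it would execute code from memory that has already been freed, and modpost would report the mismatch in the opposite direction. The same check applies to the callers of `alloc_tree_node` in the first hunk. Both function bodies continue outside their hunks.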
+++ b/queue-4.14/parisc-move-setup_profiling_timer-out-of-init-section.patch
@@ -0,0 +1,32 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Helge Deller
+Date: Fri, 18 May 2018 16:12:12 +0200
+Subject: parisc: Move setup_profiling_timer() out of init section
+
+From: Helge Deller
+
+[ Upstream commit 01f56832cfb6fcc204e7203f46841b6185ebd574 ]
+
+No other architecture has setup_profiling_timer() in the init section,
+thus on parisc we face this section mismatch warning:
+ Reference from the function devm_device_add_group() to the function .init.text:setup_profiling_timer()
+
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/smp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/parisc/kernel/smp.c
++++ b/arch/parisc/kernel/smp.c
+@@ -418,8 +418,7 @@ int __cpu_up(unsigned int cpu, struct ta
+ }
+
+ #ifdef CONFIG_PROC_FS
+-int __init
+-setup_profiling_timer(unsigned int multiplier)
++int setup_profiling_timer(unsigned int multiplier)
+ {
+ return -EINVAL;
+ }
diff --git a/queue-4.14/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch b/queue-4.14/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch
new file mode 100644
index 00000000000..3c6c1c9d841
--- /dev/null
+++ b/queue-4.14/parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch
@@ -0,0 +1,35 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Baolin Wang
+Date: Thu, 19 Apr 2018 14:51:03 +0800
+Subject: parisc: time: Convert read_persistent_clock() to read_persistent_clock64()
+
+From: Baolin Wang
+
+[ Upstream commit f76cdd00ef0e39d880139b074e3b247594dff95a ]
+
+The read_persistent_clock() uses a timespec, which is not year 2038 safe
+on 32bit systems. On parisc architecture, we have implemented generic
+RTC drivers that can be used to compensate the system suspend time, but
+the RTC time can not represent the nanosecond resolution, so this patch
+just converts to read_persistent_clock64() with timespec64.
+
+Signed-off-by: Baolin Wang
+Acked-by: Arnd Bergmann
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/parisc/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/time.c
++++ b/arch/parisc/kernel/time.c
+@@ -205,7 +205,7 @@ static int __init rtc_init(void)
+ device_initcall(rtc_init);
+ #endif
+
+-void read_persistent_clock(struct timespec *ts)
++void read_persistent_clock64(struct timespec64 *ts)
+ {
+ static struct pdc_tod tod_data;
+ if (pdc_tod_read(&tod_data) == 0) {
diff --git a/queue-4.14/pci-kirin-fix-reset-gpio-name.patch b/queue-4.14/pci-kirin-fix-reset-gpio-name.patch
new file mode 100644
index 00000000000..732943ae81a
--- /dev/null
+++ b/queue-4.14/pci-kirin-fix-reset-gpio-name.patch
@@ -0,0 +1,36 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Loic Poulain
+Date: Tue, 3 Apr 2018 11:19:01 +0200
+Subject: PCI: kirin: Fix reset gpio name
+
+From: Loic Poulain
+
+[ Upstream commit 5db8f8d1099bd93a64a80b609dbcce887327ffc8 ]
+
+As documented in the devicetree bindings (pci/kirin-pcie.txt) and the
+reset gpio name must be 'reset-gpios'. However, current driver
+erroneously looks for a 'reset-gpio' resource which makes the driver
+probe fail. Fix it.
+
+Fixes: fc5165db245a ("PCI: kirin: Add HiSilicon Kirin SoC PCIe controller driver")
+Signed-off-by: Loic Poulain
+[lorenzo.pieralisi@arm.com: updated the commit log]
+Signed-off-by: Lorenzo Pieralisi
+Acked-by: Xiaowei Song
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/dwc/pcie-kirin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pci/dwc/pcie-kirin.c
++++ b/drivers/pci/dwc/pcie-kirin.c
+@@ -490,7 +490,7 @@ static int kirin_pcie_probe(struct platf
+ return ret;
+
+ kirin_pcie->gpio_id_reset = of_get_named_gpio(dev->of_node,
+- "reset-gpio", 0);
++ "reset-gpios", 0);
+ if (kirin_pcie->gpio_id_reset < 0)
+ return -ENODEV;
+
diff --git a/queue-4.14/perf-report-fix-switching-to-another-perf.data-file.patch b/queue-4.14/perf-report-fix-switching-to-another-perf.data-file.patch
new file mode 100644
index 00000000000..89dd321d6fa
--- /dev/null
+++ b/queue-4.14/perf-report-fix-switching-to-another-perf.data-file.patch
@@ -0,0 +1,66 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Arnaldo Carvalho de Melo
+Date: Thu, 12 Apr 2018 14:58:24 -0300
+Subject: perf report: Fix switching to another perf.data file
+
+From: Arnaldo Carvalho de Melo
+
+[ Upstream commit 7b366142a50ad79e48de8e67c5b3e8cfb9fa82dd ]
+
+In the TUI the 's' hotkey can be used to switch to another perf.data
+file in the current directory, but that got broken in Fixes:
+b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()"),
+that would show this once another file was chosen:
+
+ ┌─Fatal Error─────────────────────────────────────┐
+ │Annotation needs to be init before symbol__init()│
+ │ │
+ │ │
+ │Press any key... │
+ └─────────────────────────────────────────────────┘
+
+Fix it by just silently bailing out if symbol__annotation_init() was already
+called, just like is done with symbol__init(), i.e. they are done just once at
+session start, not when switching to a new perf.data file.
+
+Cc: Adrian Hunter
+Cc: Andi Kleen
+Cc: David Ahern
+Cc: Jin Yao
+Cc: Jiri Olsa
+Cc: Martin LiÅ¡ka
+Cc: Namhyung Kim
+Cc: Ravi Bangoria
+Cc: Thomas Richter
+Cc: Wang Nan
+Fixes: b01141f4f59c ("perf annotate: Initialize the priv are in symbol__new()")
+Link: https://lkml.kernel.org/n/tip-ogppdtpzfax7y1h6gjdv5s6u@git.kernel.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/symbol.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -2093,16 +2093,14 @@ static bool symbol__read_kptr_restrict(v
+
+ int symbol__annotation_init(void)
+ {
++ if (symbol_conf.init_annotation)
++ return 0;
++
+ if (symbol_conf.initialized) {
+ pr_err("Annotation needs to be init before symbol__init()\n");
+ return -1;
+ }
+
+- if (symbol_conf.init_annotation) {
+- pr_warning("Annotation being initialized multiple times\n");
+- return 0;
+- }
+-
+ symbol_conf.priv_size += sizeof(struct annotation);
+ symbol_conf.init_annotation = true;
+ return 0;
diff --git a/queue-4.14/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch b/queue-4.14/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch
new file mode 100644
index 00000000000..a397df19a08
--- /dev/null
+++ b/queue-4.14/perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch
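Review bot: The new early return at the top of symbol__annotation_init() has no comment explaining why it must come before the `symbol_conf.initialized` test, although that ordering is the whole fix. A one-line comment above `if (symbol_conf.init_annotation)`, for example `/* Set up once at session start; switching perf.data files calls this again after symbol__init() */`, would keep a later cleanup from swapping the two checks back. The function's closing brace is outside the hunk.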
@@ -0,0 +1,72 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Kan Liang
+Date: Wed, 25 Apr 2018 14:57:17 -0400
+Subject: perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1
+
+From: Kan Liang
+
+[ Upstream commit 4e949e9b9d1e3edcdab3b54656c5851bd9e49c67 ]
+
+The SMM freeze feature was introduced since PerfMon V2. But the current
+code unconditionally enables the feature for all platforms. It can
+generate #GP exception, if the related FREEZE_WHILE_SMM bit is set for
+the machine with PerfMon V1.
+
+To disable the feature for PerfMon V1, perf needs to
+- Remove the freeze_on_smi sysfs entry by moving intel_pmu_attrs to
+ intel_pmu, which is only applied to PerfMon V2 and later.
+- Check the PerfMon version before flipping the SMM bit when starting CPU
+
+Fixes: 6089327f5424 ("perf/x86: Add sysfs entry to freeze counters on SMI")
+Signed-off-by: Kan Liang
+Signed-off-by: Thomas Gleixner
+Acked-by: Peter Zijlstra (Intel)
+Cc: ak@linux.intel.com
+Cc: eranian@google.com
+Cc: acme@redhat.com
+Link: https://lkml.kernel.org/r/1524682637-63219-1-git-send-email-kan.liang@linux.intel.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/core.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -3331,7 +3331,8 @@ static void intel_pmu_cpu_starting(int c
+
+ cpuc->lbr_sel = NULL;
+
+- flip_smm_bit(&x86_pmu.attr_freeze_on_smi);
++ if (x86_pmu.version > 1)
++ flip_smm_bit(&x86_pmu.attr_freeze_on_smi);
+
+ if (!cpuc->shared_regs)
+ return;
+@@ -3494,6 +3495,8 @@ static __initconst const struct x86_pmu
+ .cpu_dying = intel_pmu_cpu_dying,
+ };
+
++static struct attribute *intel_pmu_attrs[];
++
+ static __initconst const struct x86_pmu intel_pmu = {
+ .name = "Intel",
+ .handle_irq = intel_pmu_handle_irq,
+@@ -3524,6 +3527,8 @@ static __initconst const struct x86_pmu
+ .format_attrs = intel_arch3_formats_attr,
+ .events_sysfs_show = intel_event_sysfs_show,
+
++ .attrs = intel_pmu_attrs,
++
+ .cpu_prepare = intel_pmu_cpu_prepare,
+ .cpu_starting = intel_pmu_cpu_starting,
+ .cpu_dying = intel_pmu_cpu_dying,
+@@ -3902,8 +3907,6 @@ __init int intel_pmu_init(void)
+
+ x86_pmu.max_pebs_events = min_t(unsigned, MAX_PEBS_EVENTS, x86_pmu.num_counters);
+
+-
+- x86_pmu.attrs = intel_pmu_attrs;
+ /*
+ * Quirk: v2 perfmon does not report fixed-purpose events, so
+ * assume at least 3 events, when not running in a hypervisor:
diff --git a/queue-4.14/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch b/queue-4.14/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch
new file mode 100644
index 00000000000..42be61e8061
--- /dev/null
+++ b/queue-4.14/powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch
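Review bot: The guard `if (x86_pmu.version > 1)` in intel_pmu_cpu_starting() carries no comment, and the reason for it (per the commit message, setting FREEZE_WHILE_SMM on PerfMon V1 can raise #GP) cannot be read off the code. Suggest `/* FREEZE_WHILE_SMM exists from PerfMon v2 on; touching it on v1 can #GP */` above the check. Separately, the forward declaration `static struct attribute *intel_pmu_attrs[];` is a tentative definition of an incomplete array type with internal linkage, which compilers accept as an extension rather than as strict C, so it is worth confirming the 4.14 build stays warning-free with it. The functions and initialisers touched here all continue outside their hunks.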
@@ -0,0 +1,59 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Balbir Singh
+Date: Fri, 6 Apr 2018 15:24:24 +1000
+Subject: powerpc/powernv/memtrace: Let the arch hotunplug code flush cache
+
+From: Balbir Singh
+
+[ Upstream commit 7fd6641de28fe9b5bce0c38d2adee0a72a72619e ]
+
+Don't do this via custom code, instead now that we have support in the
+arch hotplug/hotunplug code, rely on those routines to do the right
+thing.
+
+The existing flush doesn't work because it uses ppc64_caches.l1d.size
+instead of ppc64_caches.l1d.line_size.
+
+Fixes: 9d5171a8f248 ("powerpc/powernv: Enable removal of memory for in memory tracing")
+Signed-off-by: Balbir Singh
+Reviewed-by: Rashmica Gupta
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/platforms/powernv/memtrace.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/arch/powerpc/platforms/powernv/memtrace.c
++++ b/arch/powerpc/platforms/powernv/memtrace.c
+@@ -82,19 +82,6 @@ static const struct file_operations memt
+ .open = simple_open,
+ };
+
+-static void flush_memory_region(u64 base, u64 size)
+-{
+- unsigned long line_size = ppc64_caches.l1d.size;
+- u64 end = base + size;
+- u64 addr;
+-
+- base = round_down(base, line_size);
+- end = round_up(end, line_size);
+-
+- for (addr = base; addr < end; addr += line_size)
+- asm volatile("dcbf 0,%0" : "=r" (addr) :: "memory");
+-}
+-
+ static int check_memblock_online(struct memory_block *mem, void *arg)
+ {
+ if (mem->state != MEM_ONLINE)
+@@ -132,10 +119,6 @@ static bool memtrace_offline_pages(u32 n
+ walk_memory_range(start_pfn, end_pfn, (void *)MEM_OFFLINE,
+ change_memblock_state);
+
+- /* RCU grace period? */
+- flush_memory_region((u64)__va(start_pfn << PAGE_SHIFT),
+- nr_pages << PAGE_SHIFT);
+-
+ lock_device_hotplug();
+ remove_memory(nid, start_pfn << PAGE_SHIFT, nr_pages << PAGE_SHIFT);
+ unlock_device_hotplug();
diff --git a/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch b/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch
new file mode 100644
index 00000000000..a7f63358461
--- /dev/null
+++ b/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch
@@ -0,0 +1,58 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Naveen N. Rao"
+Date: Fri, 4 May 2018 18:44:25 +0530
+Subject: powerpc/trace/syscalls: Update syscall name matching logic to account for ppc_ prefix
+
+From: "Naveen N. Rao"
+
+[ Upstream commit edf6a2dfe3889daf97e7c164891a87832169e3e4 ]
+
+Some syscall entry functions on powerpc are prefixed with
+ppc_/ppc32_/ppc64_ rather than the usual sys_/__se_sys prefix. fork(),
+clone(), swapcontext() are some examples of syscalls with such entry
+points. We need to match against these names when initializing ftrace
+syscall tracing.
+
+Signed-off-by: Naveen N. Rao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/ftrace.h | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/include/asm/ftrace.h
++++ b/arch/powerpc/include/asm/ftrace.h
+@@ -69,13 +69,30 @@ struct dyn_arch_ftrace {
+ #endif
+
+ #if defined(CONFIG_FTRACE_SYSCALLS) && !defined(__ASSEMBLY__)
+-#ifdef PPC64_ELF_ABI_v1
++/*
++ * Some syscall entry functions on powerpc start with "ppc_" (fork and clone,
++ * for instance) or ppc32_/ppc64_. We should also match the sys_ variant with
++ * those.
++ */
+ #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
++#ifdef PPC64_ELF_ABI_v1
+ static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
+ {
+ /* We need to skip past the initial dot, and the __se_sys alias */
+ return !strcmp(sym + 1, name) ||
+- (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name));
++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name)) ||
++ (!strncmp(sym, ".ppc_", 5) && !strcmp(sym + 5, name + 4)) ||
++ (!strncmp(sym, ".ppc32_", 7) && !strcmp(sym + 7, name + 4)) ||
++ (!strncmp(sym, ".ppc64_", 7) && !strcmp(sym + 7, name + 4));
++}
++#else
++static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
++{
++ return !strcmp(sym, name) ||
++ (!strncmp(sym, "__se_sys", 8) && !strcmp(sym + 5, name)) ||
++ (!strncmp(sym, "ppc_", 4) && !strcmp(sym + 4, name + 4)) ||
++ (!strncmp(sym, "ppc32_", 6) && !strcmp(sym + 6, name + 4)) ||
++ (!strncmp(sym, "ppc64_", 6) && !strcmp(sym + 6, name + 4));
+ }
+ #endif
+ #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */
diff --git a/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch b/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch
new file mode 100644
index 00000000000..d79711c0a1c
--- /dev/null
+++ b/queue-4.14/powerpc-trace-syscalls-update-syscall-name-matching-logic.patch
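Review bot: Every new ppc_/ppc32_/ppc64_ comparison uses `name + 4`, which assumes `name` always begins with a four-character `sys_` prefix; neither variant of arch_syscall_match_sym_name() checks that, so a shorter name would be read past its terminator. If the syscall metadata guarantees the prefix, the block comment should say so, for example `/* name is always "sys_<call>": skip those 4 bytes and compare the tail */`. The bare lengths 5, 7, 4 and 6 would also be safer written as `sizeof(".ppc_") - 1` and so on, so that a prefix string and its length cannot drift apart.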
@@ -0,0 +1,46 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Naveen N. Rao"
+Date: Fri, 4 May 2018 18:44:24 +0530
+Subject: powerpc/trace/syscalls: Update syscall name matching logic
+
+From: "Naveen N. Rao"
+
+[ Upstream commit 0b7758aaf6543b9a10c8671db559e9d374a3fd95 ]
+
+On powerpc64 ABIv1, we are enabling syscall tracing for only ~20
+syscalls. This is due to commit e145242ea0df6 ("syscalls/core,
+syscalls/x86: Clean up syscall stub naming convention") which has
+changed the syscall entry wrapper prefix from "SyS" to "__se_sys".
+
+Update the logic for ABIv1 to not just skip the initial dot, but also
+the "__se_sys" prefix.
+
+Fixes: commit e145242ea0df6 ("syscalls/core, syscalls/x86: Clean up syscall stub naming convention")
+Reported-by: Michael Ellerman
+Signed-off-by: Naveen N. Rao
+Signed-off-by: Michael Ellerman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/include/asm/ftrace.h | 10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/ftrace.h
++++ b/arch/powerpc/include/asm/ftrace.h
+@@ -73,13 +73,9 @@ struct dyn_arch_ftrace {
+ #define ARCH_HAS_SYSCALL_MATCH_SYM_NAME
+ static inline bool arch_syscall_match_sym_name(const char *sym, const char *name)
+ {
+- /*
+- * Compare the symbol name with the system call name. Skip the .sys or .SyS
+- * prefix from the symbol name and the sys prefix from the system call name and
+- * just match the rest. This is only needed on ppc64 since symbol names on
+- * 32bit do not start with a period so the generic function will work.
+- */
+- return !strcmp(sym + 4, name + 3);
++ /* We need to skip past the initial dot, and the __se_sys alias */
++ return !strcmp(sym + 1, name) ||
++ (!strncmp(sym, ".__se_sys", 9) && !strcmp(sym + 6, name));
+ }
+ #endif
+ #endif /* CONFIG_FTRACE_SYSCALLS && !__ASSEMBLY__ */
diff --git a/queue-4.14/proc-kcore-don-t-bounds-check-against-address-0.patch b/queue-4.14/proc-kcore-don-t-bounds-check-against-address-0.patch
new file mode 100644
index 00000000000..a33ea4f3f0b
--- /dev/null
+++ b/queue-4.14/proc-kcore-don-t-bounds-check-against-address-0.patch
@@ -0,0 +1,78 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Laura Abbott
+Date: Fri, 11 May 2018 16:01:57 -0700
+Subject: proc/kcore: don't bounds check against address 0
+
+From: Laura Abbott
+
+[ Upstream commit 3955333df9a50e8783d115613a397ae55d905080 ]
+
+The existing kcore code checks for bad addresses against __va(0) with
+the assumption that this is the lowest address on the system. This may
+not hold true on some systems (e.g. arm64) and produce overflows and
+crashes. Switch to using other functions to validate the address range.
+
+It's currently only seen on arm64 and it's not clear if anyone wants to
+use that particular combination on a stable release. So this is not
+urgent for stable.
+
+Link: http://lkml.kernel.org/r/20180501201143.15121-1-labbott@redhat.com
+Signed-off-by: Laura Abbott
+Tested-by: Dave Anderson
+Cc: Kees Cook
+Cc: Ard Biesheuvel
+Cc: Ingo Molnar
+Cc: Andi Kleen
+Cc: Alexey Dobriyan a
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/kcore.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/fs/proc/kcore.c
++++ b/fs/proc/kcore.c
+@@ -209,25 +209,34 @@ kclist_add_private(unsigned long pfn, un
+ {
+ struct list_head *head = (struct list_head *)arg;
+ struct kcore_list *ent;
++ struct page *p;
++
++ if (!pfn_valid(pfn))
++ return 1;
++
++ p = pfn_to_page(pfn);
++ if (!memmap_valid_within(pfn, p, page_zone(p)))
++ return 1;
+
+ ent = kmalloc(sizeof(*ent), GFP_KERNEL);
+ if (!ent)
+ return -ENOMEM;
+- ent->addr = (unsigned long)__va((pfn << PAGE_SHIFT));
++ ent->addr = (unsigned long)page_to_virt(p);
+ ent->size = nr_pages << PAGE_SHIFT;
+
+- /* Sanity check: Can happen in 32bit arch...maybe */
+- if (ent->addr < (unsigned long) __va(0))
++ if (!virt_addr_valid(ent->addr))
+ goto free_out;
+
+ /* cut not-mapped area. ....from ppc-32 code. */
+ if (ULONG_MAX - ent->addr < ent->size)
+ ent->size = ULONG_MAX - ent->addr;
+
+- /* cut when vmalloc() area is higher than direct-map area */
+- if (VMALLOC_START > (unsigned long)__va(0)) {
+- if (ent->addr > VMALLOC_START)
+- goto free_out;
++ /*
++ * We've already checked virt_addr_valid so we know this address
++ * is a valid pointer, therefore we can check against it to determine
++ * if we need to trim
++ */
++ if (VMALLOC_START > ent->addr) {
+ if (VMALLOC_START - ent->addr < ent->size)
+ ent->size = VMALLOC_START - ent->addr;
+ }
diff --git a/queue-4.14/proc-revalidate-kernel-thread-inodes-to-root-root.patch b/queue-4.14/proc-revalidate-kernel-thread-inodes-to-root-root.patch
new file mode 100644
index 00000000000..77731ebd419
--- /dev/null
+++ b/queue-4.14/proc-revalidate-kernel-thread-inodes-to-root-root.patch
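Review bot: The two new early exits in kclist_add_private(), after `pfn_valid(pfn)` and after `memmap_valid_within(pfn, p, page_zone(p))`, use `return 1` without a comment, and what a positive return means to the range walker that invokes this callback is not visible in the hunk. If any non-zero value stops the walk, a single invalid first pfn would end RAM enumeration for /proc/kcore instead of skipping one range, so a comment stating which of the two is intended belongs on both returns. Note also that only the first pfn of the range is validated while `ent->size = nr_pages << PAGE_SHIFT` still covers the whole range, so the entry's extent relies on the caller passing ranges that are valid throughout. The function starts and ends outside the hunk.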
@@ -0,0 +1,47 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Alexey Dobriyan
+Date: Fri, 20 Apr 2018 14:56:03 -0700
+Subject: proc: revalidate kernel thread inodes to root:root
+
+From: Alexey Dobriyan
+
+[ Upstream commit 2e0ad552f5f8cd0fda02bc45fcd2b89821c62fd1 ]
+
+task_dump_owner() has the following code:
+
+ mm = task->mm;
+ if (mm) {
+ if (get_dumpable(mm) != SUID_DUMP_USER) {
+ uid = ...
+ }
+ }
+
+Check for ->mm is buggy -- kernel thread might be borrowing mm
+and inode will go to some random uid:gid pair.
+
+Link: http://lkml.kernel.org/r/20180412220109.GA20978@avx2
+Signed-off-by: Alexey Dobriyan
+Cc: "Eric W. Biederman"
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/base.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/proc/base.c
++++ b/fs/proc/base.c
+@@ -1694,6 +1694,12 @@ void task_dump_owner(struct task_struct
+ kuid_t uid;
+ kgid_t gid;
+
++ if (unlikely(task->flags & PF_KTHREAD)) {
++ *ruid = GLOBAL_ROOT_UID;
++ *rgid = GLOBAL_ROOT_GID;
++ return;
++ }
++
+ /* Default to the tasks effective ownership */
+ rcu_read_lock();
+ cred = __task_cred(task);
diff --git a/queue-4.14/qed-fix-l2-initializations-over-iwarp-personality.patch b/queue-4.14/qed-fix-l2-initializations-over-iwarp-personality.patch
new file mode 100644
index 00000000000..a2316f75b07
--- /dev/null
+++ b/queue-4.14/qed-fix-l2-initializations-over-iwarp-personality.patch
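Review bot: The new PF_KTHREAD branch at the top of task_dump_owner() makes an ownership decision for proc inodes but carries no comment; the reason exists only in the commit message. Suggest `/* Kernel threads may borrow a user mm; never derive inode ownership from it */` above `if (unlikely(task->flags & PF_KTHREAD))`, so the check is not later folded back into the `task->mm` path. The rest of the function, including the dumpable check the message quotes, lies outside the hunk.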
@@ -0,0 +1,45 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Michal Kalderon
+Date: Tue, 8 May 2018 21:29:18 +0300
+Subject: qed: Fix l2 initializations over iWARP personality
+
+From: Michal Kalderon
+
+[ Upstream commit af6858ee423a309d93054c361c61099b8eb12bbf ]
+
+If qede driver was loaded on a device configured for iWARP
+the l2 mutex wouldn't be allocated, and some l2 related
+resources wouldn't be freed.
+
+fixes: c851a9dc4359 ("qed: Introduce iWARP personality")
+Signed-off-by: Michal Kalderon
+Signed-off-by: Sudarsana Kalluru
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qed/qed_l2.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/ethernet/qlogic/qed/qed_l2.c
++++ b/drivers/net/ethernet/qlogic/qed/qed_l2.c
+@@ -115,8 +115,7 @@ int qed_l2_alloc(struct qed_hwfn *p_hwfn
+
+ void qed_l2_setup(struct qed_hwfn *p_hwfn)
+ {
+- if (p_hwfn->hw_info.personality != QED_PCI_ETH &&
+- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE)
++ if (!QED_IS_L2_PERSONALITY(p_hwfn))
+ return;
+
+ mutex_init(&p_hwfn->p_l2_info->lock);
+@@ -126,8 +125,7 @@ void qed_l2_free(struct qed_hwfn *p_hwfn
+ {
+ u32 i;
+
+- if (p_hwfn->hw_info.personality != QED_PCI_ETH &&
+- p_hwfn->hw_info.personality != QED_PCI_ETH_ROCE)
++ if (!QED_IS_L2_PERSONALITY(p_hwfn))
+ return;
+
+ if (!p_hwfn->p_l2_info)
diff --git a/queue-4.14/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch b/queue-4.14/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch
new file mode 100644
index 00000000000..21691515489
--- /dev/null
+++ b/queue-4.14/qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch
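Review bot: Both changed conditions now depend on `QED_IS_L2_PERSONALITY()`, which this patch does not define, so the 4.14 tree must already carry the macro, and it must include the iWARP personality, for the backport to build and to have the effect the message describes. In addition, qed_l2_setup() goes straight to `mutex_init(&p_hwfn->p_l2_info->lock)` while qed_l2_free() tests `if (!p_hwfn->p_l2_info)` first; if setup can run after a failed allocation, the same guard belongs there. Both function bodies continue outside their hunks.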
@@ -0,0 +1,35 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Michal Kalderon
+Date: Tue, 8 May 2018 21:29:19 +0300
+Subject: qede: Fix gfp flags sent to rdma event node allocation
+
+From: Michal Kalderon
+
+[ Upstream commit 090477e4acb31c5dd674940c7c01d4f16bd1ac41 ]
+
+A previous commit 4609adc27175 ("qede: Fix qedr link update")
+added a flow that could allocate rdma event objects from an
+interrupt path (link notification). Therefore the kzalloc call
+should be done with GFP_ATOMIC.
+
+fixes: 4609adc27175 ("qede: Fix qedr link update")
+Signed-off-by: Michal Kalderon
+Signed-off-by: Sudarsana Kalluru
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qede/qede_rdma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qede/qede_rdma.c
++++ b/drivers/net/ethernet/qlogic/qede/qede_rdma.c
+@@ -238,7 +238,7 @@ qede_rdma_get_free_event_node(struct qed
+ }
+
+ if (!found) {
+- event_node = kzalloc(sizeof(*event_node), GFP_KERNEL);
++ event_node = kzalloc(sizeof(*event_node), GFP_ATOMIC);
+ if (!event_node) {
+ DP_NOTICE(edev,
+ "qedr: Could not allocate memory for rdma work\n");
diff --git a/queue-4.14/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch b/queue-4.14/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch
new file mode 100644
index 00000000000..a57ddf5d777
--- /dev/null
+++ b/queue-4.14/rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch
@@ -0,0 +1,55 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Parav Pandit
+Date: Wed, 2 May 2018 13:18:59 +0300
+Subject: RDMA/cma: Do not query GID during QP state transition to RTR
+
+From: Parav Pandit
+
+[ Upstream commit 9aa169213d1166d30ae357a44abbeae93459339d ]
+
+When commit [1] was added, SGID was queried to derive the SMAC address.
+Then, later on during a refactor [2], SMAC was no longer needed. However,
+the now useless GID query remained. Then during additional code changes
+later on, the GID query was being done in such a way that it caused iWARP
+queries to start breaking. Remove the useless GID query and resolve the
+iWARP breakage at the same time.
+
+This is discussed in [3].
+
+[1] commit dd5f03beb4f7 ("IB/core: Ethernet L2 attributes in verbs/cm structures")
+[2] commit 5c266b2304fb ("IB/cm: Remove the usage of smac and vid of qp_attr and cm_av")
+[3] https://www.spinics.net/lists/linux-rdma/msg63951.html
+
+Suggested-by: Shiraz Saleem
+Signed-off-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/cma.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -900,7 +900,6 @@ static int cma_modify_qp_rtr(struct rdma
+ {
+ struct ib_qp_attr qp_attr;
+ int qp_attr_mask, ret;
+- union ib_gid sgid;
+
+ mutex_lock(&id_priv->qp_mutex);
+ if (!id_priv->id.qp) {
+@@ -923,12 +922,6 @@ static int cma_modify_qp_rtr(struct rdma
+ if (ret)
+ goto out;
+
+- ret = ib_query_gid(id_priv->id.device, id_priv->id.port_num,
+- rdma_ah_read_grh(&qp_attr.ah_attr)->sgid_index,
+- &sgid, NULL);
+- if (ret)
+- goto out;
+-
+ BUG_ON(id_priv->cma_dev->device != id_priv->id.device);
+
+ if (conn_param)
diff --git a/queue-4.14/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch b/queue-4.14/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch
new file mode 100644
index 00000000000..b5315808fbe
--- /dev/null
+++ b/queue-4.14/rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch
@@ -0,0 +1,152 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Parav Pandit
+Date: Tue, 24 Apr 2018 20:13:45 +0300
+Subject: RDMA/cma: Fix use after destroy access to net namespace for IPoIB
+
+From: Parav Pandit
+
+[ Upstream commit 2918c1a900252b4a0c730715ec205437c7daf79d ]
+
+There are few issues with validation of netdevice and listen id lookup
+for IB (IPoIB) while processing incoming CM request as below.
+
+1. While performing lookup of bind_list in cma_ps_find(), net namespace
+of the netdevice can get deleted in cma_exit_net(), resulting in use
+after free access of idr and/or net namespace structures.
+This lookup occurs from the workqueue context (and not userspace
+context where net namespace is always valid).
+
+ CPU0 CPU1
+ ==== ====
+
+ bind_list = cma_ps_find();
+ move netdevice to new namespace
+ delete net namespace
+ cma_exit_net()
+ idr_destroy(idr);
+
+ [..]
+ cma_find_listener(bind_list, ..);
+
+2. While netdevice is validated for IP address in given net namespace,
+netdevice's net namespace and/or ifindex can change in
+cma_get_net_dev() and cma_match_net_dev().
+
+Above issues are overcome by using rcu lock along with netdevice
+UP/DOWN state as described below.
+When a net namespace is getting deleted, netdevice is closed and
+shutdown before moving it back to init_net namespace.
+change_net_namespace() synchronizes with any existing use of netdevice
+before changing the netdev properties such as net or ifindex.
+Once netdevice IFF_UP flags is cleared, such fields are not guaranteed
+to be valid.
+Therefore, rcu lock along with netdevice state check ensures that,
+while route lookup and cm_id lookup is in progress, netdevice of
+interest won't migrate to any other net namespace.
+This ensures that associated net namespace of netdevice won't get
+deleted while rcu lock is held for netdevice which is in IFF_UP state.
+
+Fixes: fa20105e09e9 ("IB/cma: Add support for network namespaces")
+Fixes: 4be74b42a6d0 ("IB/cma: Separate port allocation to network namespaces")
+Fixes: f887f2ac87c2 ("IB/cma: Validate routing of incoming requests")
+Signed-off-by: Parav Pandit
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/cma.c | 53 ++++++++++++++++++++++++++++++++++--------
+ 1 file changed, 43 insertions(+), 10 deletions(-)
+
+--- a/drivers/infiniband/core/cma.c
++++ b/drivers/infiniband/core/cma.c
+@@ -420,6 +420,8 @@ struct cma_hdr {
+ #define CMA_VERSION 0x00
+
+ struct cma_req_info {
++ struct sockaddr_storage listen_addr_storage;
++ struct sockaddr_storage src_addr_storage;
+ struct ib_device *device;
+ int port;
+ union ib_gid local_gid;
+@@ -1372,11 +1374,11 @@ static bool validate_net_dev(struct net_
+ }
+
+ static struct net_device *cma_get_net_dev(struct ib_cm_event *ib_event,
+- const struct cma_req_info *req)
++ struct cma_req_info *req)
+ {
+- struct sockaddr_storage listen_addr_storage, src_addr_storage;
+- struct sockaddr *listen_addr = (struct sockaddr *)&listen_addr_storage,
+- *src_addr = (struct sockaddr *)&src_addr_storage;
++ struct sockaddr *listen_addr =
++ (struct sockaddr *)&req->listen_addr_storage;
++ struct sockaddr *src_addr = (struct sockaddr *)&req->src_addr_storage;
+ struct net_device *net_dev;
+ const union ib_gid *gid = req->has_gid ? &req->local_gid : NULL;
+ int err;
+@@ -1391,11 +1393,6 @@ static struct net_device *cma_get_net_de
+ if (!net_dev)
+ return ERR_PTR(-ENODEV);
+
+- if (!validate_net_dev(net_dev, listen_addr, src_addr)) {
+- dev_put(net_dev);
+- return ERR_PTR(-EHOSTUNREACH);
+- }
+-
+ return net_dev;
+ }
+
+@@ -1531,15 +1528,51 @@ static struct rdma_id_private *cma_id_fr
+ }
+ }
+
++ /*
++ * Net namespace might be getting deleted while route lookup,
++ * cm_id lookup is in progress. Therefore, perform netdevice
++ * validation, cm_id lookup under rcu lock.
++ * RCU lock along with netdevice state check, synchronizes with
++ * netdevice migrating to different net namespace and also avoids
++ * case where net namespace doesn't get deleted while lookup is in
++ * progress.
++ * If the device state is not IFF_UP, its properties such as ifindex
++ * and nd_net cannot be trusted to remain valid without rcu lock.
++ * net/core/dev.c change_net_namespace() ensures to synchronize with
++ * ongoing operations on net device after device is closed using
++ * synchronize_net().
++ */
++ rcu_read_lock();
++ if (*net_dev) {
++ /*
++ * If netdevice is down, it is likely that it is administratively
++ * down or it might be migrating to different namespace.
++ * In that case avoid further processing, as the net namespace
++ * or ifindex may change.
++ */
++ if (((*net_dev)->flags & IFF_UP) == 0) {
++ id_priv = ERR_PTR(-EHOSTUNREACH);
++ goto err;
++ }
++
++ if (!validate_net_dev(*net_dev,
++ (struct sockaddr *)&req.listen_addr_storage,
++ (struct sockaddr *)&req.src_addr_storage)) {
++ id_priv = ERR_PTR(-EHOSTUNREACH);
++ goto err;
++ }
++ }
++
+ bind_list = cma_ps_find(*net_dev ? dev_net(*net_dev) : &init_net,
+ rdma_ps_from_service_id(req.service_id),
+ cma_port_from_service_id(req.service_id));
+ id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev);
++err:
++ rcu_read_unlock();
+ if (IS_ERR(id_priv) && *net_dev) {
+ dev_put(*net_dev);
+ *net_dev = NULL;
+ }
+-
+ return id_priv;
+ }
+
diff --git a/queue-4.14/rdma-iwpm-fix-memory-leak-on-map_info.patch b/queue-4.14/rdma-iwpm-fix-memory-leak-on-map_info.patch
new file mode 100644
index 00000000000..4ddb5eca213
--- /dev/null
+++ b/queue-4.14/rdma-iwpm-fix-memory-leak-on-map_info.patch
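Review bot: In the last hunk, validate_net_dev(), cma_ps_find() and cma_find_listener() now all run between `rcu_read_lock()` and `rcu_read_unlock()`, so none of them may sleep, and the long comment above the lock does not state that constraint. A line such as `/* Nothing below may sleep until rcu_read_unlock() */` would protect it against later edits; whether the three callees meet it today cannot be checked from the hunk. The label `err:` is also reached on the success path, so a name like `unlock:` would describe it better. The enclosing function starts outside the hunk.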
@@ -0,0 +1,48 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Colin Ian King
+Date: Wed, 25 Apr 2018 17:24:04 +0100
+Subject: RDMA/iwpm: fix memory leak on map_info
+
+From: Colin Ian King
+
+[ Upstream commit f96416cea7bce9afe619c15e87fced70f93f9098 ]
+
+In the cases where iwpm_hash_bucket is NULL and where function
+get_mapinfo_hash_bucket returns NULL then the map_info is never added
+to hash_bucket_head and hence there is a leak of map_info. Fix this
+by nullifying hash_bucket_head and if that is null we know that
+that map_info was not added to hash_bucket_head and hence map_info
+should be free'd.
+
+Detected by CoverityScan, CID#1222481 ("Resource Leak")
+
+Fixes: 30dc5e63d6a5 ("RDMA/core: Add support for iWARP Port Mapper user space service")
+Signed-off-by: Colin Ian King
+Signed-off-by: Doug Ledford
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/core/iwpm_util.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/iwpm_util.c
++++ b/drivers/infiniband/core/iwpm_util.c
+@@ -114,7 +114,7 @@ int iwpm_create_mapinfo(struct sockaddr_
+ struct sockaddr_storage *mapped_sockaddr,
+ u8 nl_client)
+ {
+- struct hlist_head *hash_bucket_head;
++ struct hlist_head *hash_bucket_head = NULL;
+ struct iwpm_mapping_info *map_info;
+ unsigned long flags;
+ int ret = -EINVAL;
+@@ -142,6 +142,9 @@ int iwpm_create_mapinfo(struct sockaddr_
+ }
+ }
+ spin_unlock_irqrestore(&iwpm_mapinfo_lock, flags);
++
++ if (!hash_bucket_head)
++ kfree(map_info);
+ return ret;
+ }
+
diff --git a/queue-4.14/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch b/queue-4.14/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch
new file mode 100644
index 00000000000..f4c5e8ec48a
--- /dev/null
+++ b/queue-4.14/rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch
@@ -0,0 +1,43 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Dag Moxnes
+Date: Wed, 25 Apr 2018 13:22:01 +0200
+Subject: rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
+
+From: Dag Moxnes
+
+[ Upstream commit 91a825290ca4eae88603bc811bf74a45f94a3f46 ]
+
+The function rds_ib_setup_qp is calling rds_ib_get_client_data and
+should correspondingly call rds_ib_dev_put. This call was lost in
+the non-error path with the introduction of error handling done in
+commit 3b12f73a5c29 ("rds: ib: add error handle")
+
+Signed-off-by: Dag Moxnes
+Reviewed-by: HÃ¥kon Bugge
+Acked-by: Santosh Shilimkar
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rds/ib_cm.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/rds/ib_cm.c
++++ b/net/rds/ib_cm.c
+@@ -546,7 +546,7 @@ static int rds_ib_setup_qp(struct rds_co
+ rdsdebug("conn %p pd %p cq %p %p\n", conn, ic->i_pd,
+ ic->i_send_cq, ic->i_recv_cq);
+
+- return ret;
++ goto out;
+
+ sends_out:
+ vfree(ic->i_sends);
+@@ -571,6 +571,7 @@ send_cq_out:
+ ic->i_send_cq = NULL;
+ rds_ibdev_out:
+ rds_ib_remove_conn(rds_ibdev, conn);
++out:
+ rds_ib_dev_put(rds_ibdev);
+
+ return ret;
diff --git a/queue-4.14/remoteproc-qcom-fix-potential-device-node-leaks.patch b/queue-4.14/remoteproc-qcom-fix-potential-device-node-leaks.patch
new file mode 100644
index 00000000000..910d0da14da
--- /dev/null
+++ b/queue-4.14/remoteproc-qcom-fix-potential-device-node-leaks.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tobias Jordan
+Date: Thu, 15 Feb 2018 16:12:55 +0100
+Subject: remoteproc: qcom: Fix potential device node leaks
+
+From: Tobias Jordan
+
+[ Upstream commit 278d744c46fd4f1925aec77752d18a0e4a9cbec3 ]
+
+Add missing of_node_put()s at two places for device nodes returned by
+of_parse_phandle().
+
+Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating
+ Hexagon v5")
+Signed-off-by: Tobias Jordan
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/remoteproc/qcom_q6v5_pil.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -915,6 +915,7 @@ static int q6v5_alloc_memory_region(stru
+ dev_err(qproc->dev, "unable to resolve mba region\n");
+ return ret;
+ }
++ of_node_put(node);
+
+ qproc->mba_phys = r.start;
+ qproc->mba_size = resource_size(&r);
+@@ -932,6 +933,7 @@ static int q6v5_alloc_memory_region(stru
+ dev_err(qproc->dev, "unable to resolve mpss region\n");
+ return ret;
+ }
++ of_node_put(node);
+
+ qproc->mpss_phys = qproc->mpss_reloc = r.start;
+ qproc->mpss_size = resource_size(&r);
diff --git a/queue-4.14/rpmsg-added-module_alias-for-rpmsg_char.patch b/queue-4.14/rpmsg-added-module_alias-for-rpmsg_char.patch
new file mode 100644
index 00000000000..ad65454339b
--- /dev/null
+++ b/queue-4.14/rpmsg-added-module_alias-for-rpmsg_char.patch
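Review bot: Both added `of_node_put(node);` calls sit after the `if (ret) { ... return ret; }` blocks, so on the two error returns ("unable to resolve mba region" and "unable to resolve mpss region") the node reference is still leaked. Dropping the reference before the error check, directly after the call that consumes `node`, covers both paths: `of_node_put(node);` followed by `if (ret) {`. That consuming call is above the visible context in both hunks, so its exact form is assumed here, and q6v5_alloc_memory_region() starts and ends outside the hunks.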
@@ -0,0 +1,29 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ramon Fried
+Date: Fri, 23 Mar 2018 00:09:12 -0400
+Subject: rpmsg: added MODULE_ALIAS for rpmsg_char
+
+From: Ramon Fried
+
+[ Upstream commit 93dd4e73c0d9cc32f835d76a54257020b0bfc75a ]
+
+Added "rpmsg:rpmsg_chrdev" MODULE_ALIAS to autoload
+rpmg_chrdev module automatically.
+
+Signed-off-by: Ramon Fried
+Signed-off-by: Bjorn Andersson
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/rpmsg/rpmsg_char.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/rpmsg/rpmsg_char.c
++++ b/drivers/rpmsg/rpmsg_char.c
+@@ -581,4 +581,6 @@ static void rpmsg_chrdev_exit(void)
+ unregister_chrdev_region(rpmsg_major, RPMSG_DEV_MAX);
+ }
+ module_exit(rpmsg_chrdev_exit);
++
++MODULE_ALIAS("rpmsg:rpmsg_chrdev");
+ MODULE_LICENSE("GPL v2");
diff --git a/queue-4.14/rxrpc-fix-error-reception-on-af_inet6-sockets.patch b/queue-4.14/rxrpc-fix-error-reception-on-af_inet6-sockets.patch
new file mode 100644
index 00000000000..3a6a1419dc4
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-error-reception-on-af_inet6-sockets.patch
@@ -0,0 +1,94 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: David Howells
+Date: Thu, 10 May 2018 23:26:00 +0100
+Subject: rxrpc: Fix error reception on AF_INET6 sockets
+
+From: David Howells
+
+[ Upstream commit f2aeed3a591ff29a82495eeaa92ac4780bad7487 ]
+
+AF_RXRPC tries to turn on IP_RECVERR and IP_MTU_DISCOVER on the UDP socket
+it just opened for communications with the outside world, regardless of the
+type of socket. Unfortunately, this doesn't work with an AF_INET6 socket.
+
+Fix this by turning on IPV6_RECVERR and IPV6_MTU_DISCOVER instead if the
+socket is of the AF_INET6 family.
+
+Without this, kAFS server and address rotation doesn't work correctly
+because the algorithm doesn't detect received network errors.
+
+Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/local_object.c | 57 ++++++++++++++++++++++++++++++++++-------------
+ 1 file changed, 42 insertions(+), 15 deletions(-)
+
+--- a/net/rxrpc/local_object.c
++++ b/net/rxrpc/local_object.c
+@@ -133,22 +133,49 @@ static int rxrpc_open_socket(struct rxrp
+ }
+ }
+
+- /* we want to receive ICMP errors */
+- opt = 1;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
+- }
++ switch (local->srx.transport.family) {
++ case AF_INET:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IP_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
++
++ case AF_INET6:
++ /* we want to receive ICMP errors */
++ opt = 1;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_RECVERR,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++
++ /* we want to set the don't fragment bit */
++ opt = IPV6_PMTUDISC_DO;
++ ret = kernel_setsockopt(local->socket, SOL_IPV6, IPV6_MTU_DISCOVER,
++ (char *) &opt, sizeof(opt));
++ if (ret < 0) {
++ _debug("setsockopt failed");
++ goto error;
++ }
++ break;
+
+- /* we want to set the don't fragment bit */
+- opt = IP_PMTUDISC_DO;
+- ret = kernel_setsockopt(local->socket, SOL_IP, IP_MTU_DISCOVER,
+- (char *) &opt, sizeof(opt));
+- if (ret < 0) {
+- _debug("setsockopt failed");
+- goto error;
++ default:
++ BUG();
+ }
+
+ /* set the socket up */
diff --git a/queue-4.14/rxrpc-fix-the-min-security-level-for-kernel-calls.patch b/queue-4.14/rxrpc-fix-the-min-security-level-for-kernel-calls.patch
new file mode 100644
index 00000000000..27b80cf59ee
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-the-min-security-level-for-kernel-calls.patch
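Review bot: The `default: BUG();` arm added to the switch in rxrpc_open_socket() (net/rxrpc/local_object.c) turns an unexpected `local->srx.transport.family` into a kernel crash, while every other failure in the visible code leaves through `goto error`. If the family is validated before this point, that check is not visible in the hunk, so a crash here rests on an assumption the reader cannot confirm. Returning an error keeps the function's existing failure style, for example `default: ret = -EAFNOSUPPORT; goto error;`. The function body starts and ends outside the hunk.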
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: David Howells
+Date: Thu, 10 May 2018 23:26:01 +0100
+Subject: rxrpc: Fix the min security level for kernel calls
+
+From: David Howells
+
+[ Upstream commit 93864fc3ffcc4bf70e96cfb5cc6e941630419ad0 ]
+
+Fix the kernel call initiation to set the minimum security level for kernel
+initiated calls (such as from kAFS) from the sockopt value.
+
+Fixes: 19ffa01c9c45 ("rxrpc: Use structs to hold connection params and protocol info")
+Signed-off-by: David Howells
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/af_rxrpc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/rxrpc/af_rxrpc.c
++++ b/net/rxrpc/af_rxrpc.c
+@@ -302,7 +302,7 @@ struct rxrpc_call *rxrpc_kernel_begin_ca
+ memset(&cp, 0, sizeof(cp));
+ cp.local = rx->local;
+ cp.key = key;
+- cp.security_level = 0;
++ cp.security_level = rx->min_sec_level;
+ cp.exclusive = false;
+ cp.service_id = srx->srx_service;
+ call = rxrpc_new_client_call(rx, &cp, srx, user_call_ID, tx_total_len,
diff --git a/queue-4.14/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch b/queue-4.14/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch
new file mode 100644
index 00000000000..c09fa0a2264
--- /dev/null
+++ b/queue-4.14/s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch
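Review bot: The new assignment `cp.security_level = rx->min_sec_level;` in rxrpc_kernel_begin_call() (net/rxrpc/af_rxrpc.c) makes the protection of kernel-initiated calls depend on a value set elsewhere on the socket, and nothing at the call site says so. A comment such as `/* taken from the socket's minimum security level; a kernel user that never sets it keeps level 0 */` would make that dependency visible to callers like kAFS; that the unset value is 0 is inferred from the removed line and should be confirmed. Whether `rx->min_sec_level` is read under the socket lock cannot be seen here, because the function body starts and ends outside the hunk.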
@@ -0,0 +1,42 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Julian Wiedmann
+Date: Thu, 19 Apr 2018 12:52:11 +0200
+Subject: s390/qeth: use Read device to query hypervisor for MAC
+
+From: Julian Wiedmann
+
+[ Upstream commit b7493e91c11a757cf0f8ab26989642ee4bb2c642 ]
+
+For z/VM NICs, qeth needs to consider which of the three CCW devices in
+an MPC group it uses for requesting a managed MAC address.
+
+On the Base device, the hypervisor returns a default MAC which is
+pre-assigned when creating the NIC (this MAC is also returned by the
+READ MAC primitive). Querying any other device results in the allocation
+of an additional MAC address.
+
+For consistency with READ MAC and to avoid using up more addresses than
+necessary, it is preferable to use the NIC's default MAC. So switch the
+the diag26c over to using a NIC's Read device, which should always be
+identical to the Base device.
+
+Fixes: ec61bd2fd2a2 ("s390/qeth: use diag26c to get MAC address on L2")
+Signed-off-by: Julian Wiedmann
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/qeth_core_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/qeth_core_main.c
++++ b/drivers/s390/net/qeth_core_main.c
+@@ -4837,7 +4837,7 @@ int qeth_vm_request_mac(struct qeth_card
+ goto out;
+ }
+
+- ccw_device_get_id(CARD_DDEV(card), &id);
++ ccw_device_get_id(CARD_RDEV(card), &id);
+ request->resp_buf_len = sizeof(*response);
+ request->resp_version = DIAG26C_VERSION2;
+ request->op_code = DIAG26C_GET_MAC;
diff --git a/queue-4.14/s390-smsgiucv-disable-smsg-on-module-unload.patch b/queue-4.14/s390-smsgiucv-disable-smsg-on-module-unload.patch
new file mode 100644
index 00000000000..5c18580a5a3
--- /dev/null
+++ b/queue-4.14/s390-smsgiucv-disable-smsg-on-module-unload.patch
@@ -0,0 +1,31 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Martin Schwidefsky
+Date: Tue, 3 Apr 2018 11:08:52 +0200
+Subject: s390/smsgiucv: disable SMSG on module unload
+
+From: Martin Schwidefsky
+
+[ Upstream commit 760dd0eeaec1689430243ead14e5a429613d8c52 ]
+
+The module exit function of the smsgiucv module uses the incorrect CP
+command to disable SMSG messages. The correct command is "SET SMSG OFF".
+Use it.
+
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/s390/net/smsgiucv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/net/smsgiucv.c
++++ b/drivers/s390/net/smsgiucv.c
+@@ -189,7 +189,7 @@ static struct device_driver smsg_driver
+
+ static void __exit smsg_exit(void)
+ {
+- cpcmd("SET SMSG IUCV", NULL, 0, NULL);
++ cpcmd("SET SMSG OFF", NULL, 0, NULL);
+ device_unregister(smsg_dev);
+ iucv_unregister(&smsg_handler, 1);
+ driver_unregister(&smsg_driver);
diff --git a/queue-4.14/sched-core-introduce-set_special_state.patch b/queue-4.14/sched-core-introduce-set_special_state.patch
new file mode 100644
index 00000000000..02b8006f03f
--- /dev/null
+++ b/queue-4.14/sched-core-introduce-set_special_state.patch
@@ -0,0 +1,206 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Peter Zijlstra
+Date: Mon, 30 Apr 2018 14:51:01 +0200
+Subject: sched/core: Introduce set_special_state()
+
+From: Peter Zijlstra
+
+[ Upstream commit b5bf9a90bbebffba888c9144c5a8a10317b04064 ]
+
+Gaurav reported a perceived problem with TASK_PARKED, which turned out
+to be a broken wait-loop pattern in __kthread_parkme(), but the
+reported issue can (and does) in fact happen for states that do not do
+condition based sleeps.
+
+When the 'current->state = TASK_RUNNING' store of a previous
+(concurrent) try_to_wake_up() collides with the setting of a 'special'
+sleep state, we can loose the sleep state.
+
+Normal condition based wait-loops are immune to this problem, but for
+sleep states that are not condition based are subject to this problem.
+
+There already is a fix for TASK_DEAD. Abstract that and also apply it
+to TASK_STOPPED and TASK_TRACED, both of which are also without
+condition based wait-loop.
+
+Reported-by: Gaurav Kohli
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Oleg Nesterov
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/sched.h | 50 ++++++++++++++++++++++++++++++++++++++-----
+ include/linux/sched/signal.h | 2 -
+ kernel/sched/core.c | 17 --------------
+ kernel/signal.c | 17 ++++++++++++--
+ 4 files changed, 62 insertions(+), 24 deletions(-)
+
+--- a/include/linux/sched.h
++++ b/include/linux/sched.h
+@@ -113,17 +113,36 @@ struct task_group;
+
+ #ifdef CONFIG_DEBUG_ATOMIC_SLEEP
+
++/*
++ * Special states are those that do not use the normal wait-loop pattern. See
++ * the comment with set_special_state().
++ */
++#define is_special_task_state(state) \
++ ((state) & (__TASK_STOPPED | __TASK_TRACED | TASK_DEAD))
++
+ #define __set_current_state(state_value) \
+ do { \
++ WARN_ON_ONCE(is_special_task_state(state_value));\
+ current->task_state_change = _THIS_IP_; \
+ current->state = (state_value); \
+ } while (0)
++
+ #define set_current_state(state_value) \
+ do { \
++ WARN_ON_ONCE(is_special_task_state(state_value));\
+ current->task_state_change = _THIS_IP_; \
+ smp_store_mb(current->state, (state_value)); \
+ } while (0)
+
++#define set_special_state(state_value) \
++ do { \
++ unsigned long flags; /* may shadow */ \
++ WARN_ON_ONCE(!is_special_task_state(state_value)); \
++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \
++ current->task_state_change = _THIS_IP_; \
++ current->state = (state_value); \
++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \
++ } while (0)
+ #else
+ /*
+ * set_current_state() includes a barrier so that the write of current->state
+@@ -145,8 +164,8 @@ struct task_group;
+ *
+ * The above is typically ordered against the wakeup, which does:
+ *
+- * need_sleep = false;
+- * wake_up_state(p, TASK_UNINTERRUPTIBLE);
++ * need_sleep = false;
++ * wake_up_state(p, TASK_UNINTERRUPTIBLE);
+ *
+ * Where wake_up_state() (and all other wakeup primitives) imply enough
+ * barriers to order the store of the variable against wakeup.
+@@ -155,12 +174,33 @@ struct task_group;
+ * once it observes the TASK_UNINTERRUPTIBLE store the waking CPU can issue a
+ * TASK_RUNNING store which can collide with __set_current_state(TASK_RUNNING).
+ *
+- * This is obviously fine, since they both store the exact same value.
++ * However, with slightly different timing the wakeup TASK_RUNNING store can
++ * also collide with the TASK_UNINTERRUPTIBLE store. Loosing that store is not
++ * a problem either because that will result in one extra go around the loop
++ * and our @cond test will save the day.
+ *
+ * Also see the comments of try_to_wake_up().
+ */
+-#define __set_current_state(state_value) do { current->state = (state_value); } while (0)
+-#define set_current_state(state_value) smp_store_mb(current->state, (state_value))
++#define __set_current_state(state_value) \
++ current->state = (state_value)
++
++#define set_current_state(state_value) \
++ smp_store_mb(current->state, (state_value))
++
++/*
++ * set_special_state() should be used for those states when the blocking task
++ * can not use the regular condition based wait-loop. In that case we must
++ * serialize against wakeups such that any possible in-flight TASK_RUNNING stores
++ * will not collide with our state change.
++ */
++#define set_special_state(state_value) \
++ do { \
++ unsigned long flags; /* may shadow */ \
++ raw_spin_lock_irqsave(¤t->pi_lock, flags); \
++ current->state = (state_value); \
++ raw_spin_unlock_irqrestore(¤t->pi_lock, flags); \
++ } while (0)
++
+ #endif
+
+ /* Task command name length: */
+--- a/include/linux/sched/signal.h
++++ b/include/linux/sched/signal.h
+@@ -280,7 +280,7 @@ static inline void kernel_signal_stop(vo
+ {
+ spin_lock_irq(¤t->sighand->siglock);
+ if (current->jobctl & JOBCTL_STOP_DEQUEUED)
+- __set_current_state(TASK_STOPPED);
++ set_special_state(TASK_STOPPED);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ schedule();
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -3374,23 +3374,8 @@ static void __sched notrace __schedule(b
+
+ void __noreturn do_task_dead(void)
+ {
+- /*
+- * The setting of TASK_RUNNING by try_to_wake_up() may be delayed
+- * when the following two conditions become true.
+- * - There is race condition of mmap_sem (It is acquired by
+- * exit_mm()), and
+- * - SMI occurs before setting TASK_RUNINNG.
+- * (or hypervisor of virtual machine switches to other guest)
+- * As a result, we may become TASK_RUNNING after becoming TASK_DEAD
+- *
+- * To avoid it, we have to wait for releasing tsk->pi_lock which
+- * is held by try_to_wake_up()
+- */
+- raw_spin_lock_irq(¤t->pi_lock);
+- raw_spin_unlock_irq(¤t->pi_lock);
+-
+ /* Causes final put_task_struct in finish_task_switch(): */
+- __set_current_state(TASK_DEAD);
++ set_special_state(TASK_DEAD);
+
+ /* Tell freezer to ignore us: */
+ current->flags |= PF_NOFREEZE;
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1828,14 +1828,27 @@ static void ptrace_stop(int exit_code, i
+ return;
+ }
+
++ set_special_state(TASK_TRACED);
++
+ /*
+ * We're committing to trapping. TRACED should be visible before
+ * TRAPPING is cleared; otherwise, the tracer might fail do_wait().
+ * Also, transition to TRACED and updates to ->jobctl should be
+ * atomic with respect to siglock and should be done after the arch
+ * hook as siglock is released and regrabbed across it.
++ *
++ * TRACER TRACEE
++ *
++ * ptrace_attach()
++ * [L] wait_on_bit(JOBCTL_TRAPPING) [S] set_special_state(TRACED)
++ * do_wait()
++ * set_current_state() smp_wmb();
++ * ptrace_do_wait()
++ * wait_task_stopped()
++ * task_stopped_code()
++ * [L] task_is_traced() [S] task_clear_jobctl_trapping();
+ */
+- set_current_state(TASK_TRACED);
++ smp_wmb();
+
+ current->last_siginfo = info;
+ current->exit_code = exit_code;
+@@ -2043,7 +2056,7 @@ static bool do_signal_stop(int signr)
+ if (task_participate_group_stop(current))
+ notify = CLD_STOPPED;
+
+- __set_current_state(TASK_STOPPED);
++ set_special_state(TASK_STOPPED);
+ spin_unlock_irq(¤t->sighand->siglock);
+
+ /*
diff --git a/queue-4.14/sched-deadline-make-the-grub_reclaim-function-static.patch b/queue-4.14/sched-deadline-make-the-grub_reclaim-function-static.patch
new file mode 100644
index 00000000000..c245af1f163
--- /dev/null
+++ b/queue-4.14/sched-deadline-make-the-grub_reclaim-function-static.patch
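Review bot: In include/linux/sched.h the non-debug `__set_current_state()` loses its `do { } while (0)` wrapper and becomes the bare, unparenthesised expression `current->state = (state_value)`, while the CONFIG_DEBUG_ATOMIC_SLEEP variant remains a statement. A caller that uses the macro inside an expression would then build in one configuration and fail in the other, and the bare assignment can bind unexpectedly when it is embedded in a larger expression. Keeping the previous form, `do { current->state = (state_value); } while (0)`, keeps the two variants interchangeable; the new `set_special_state()` already follows that form in both branches.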
@@ -0,0 +1,38 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Mathieu Malaterre
+Date: Wed, 16 May 2018 22:09:02 +0200
+Subject: sched/deadline: Make the grub_reclaim() function static
+
+From: Mathieu Malaterre
+
+[ Upstream commit 3febfc8a219a036633b57a34c6678e21b6a0580d ]
+
+Since the grub_reclaim() function can be made static, make it so.
+
+Silences the following GCC warning (W=1):
+
+ kernel/sched/deadline.c:1120:5: warning: no previous prototype for ‘grub_reclaim’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre
+Acked-by: Peter Zijlstra
+Cc: Linus Torvalds
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/20180516200902.959-1-malat@debian.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -1084,7 +1084,7 @@ extern bool sched_rt_bandwidth_account(s
+ * should be larger than 2^(64 - 20 - 8), which is more than 64 seconds.
+ * So, overflow is not an issue here.
+ */
+-u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se)
++static u64 grub_reclaim(u64 delta, struct rq *rq, struct sched_dl_entity *dl_se)
+ {
+ u64 u_inact = rq->dl.this_bw - rq->dl.running_bw; /* Utot - Uact */
+ u64 u_act;
diff --git a/queue-4.14/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch b/queue-4.14/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch
new file mode 100644
index 00000000000..a547bf9dc72
--- /dev/null
+++ b/queue-4.14/sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch
@@ -0,0 +1,78 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Mathieu Malaterre
+Date: Wed, 16 May 2018 21:53:47 +0200
+Subject: sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h
+
+From: Mathieu Malaterre
+
+[ Upstream commit f6a3463063f42d9fb2c78f386437a822e0ad1792 ]
+
+In the following commit:
+
+ 6b55c9654fcc ("sched/debug: Move print_cfs_rq() declaration to kernel/sched/sched.h")
+
+the print_cfs_rq() prototype was added to ,
+right next to the prototypes for print_cfs_stats(), print_rt_stats()
+and print_dl_stats().
+
+Finish this previous commit and also move related prototypes for
+print_rt_rq() and print_dl_rq().
+
+Remove existing extern declarations now that they not needed anymore.
+
+Silences the following GCC warning, triggered by W=1:
+
+ kernel/sched/debug.c:573:6: warning: no previous prototype for ‘print_rt_rq’ [-Wmissing-prototypes]
+ kernel/sched/debug.c:603:6: warning: no previous prototype for ‘print_dl_rq’ [-Wmissing-prototypes]
+
+Signed-off-by: Mathieu Malaterre
+Acked-by: Peter Zijlstra
+Cc: Linus Torvalds
+Cc: Srikar Dronamraju
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/20180516195348.30426-1-malat@debian.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/sched/deadline.c | 2 --
+ kernel/sched/rt.c | 2 --
+ kernel/sched/sched.h | 5 +++--
+ 3 files changed, 3 insertions(+), 6 deletions(-)
+
+--- a/kernel/sched/deadline.c
++++ b/kernel/sched/deadline.c
+@@ -2655,8 +2655,6 @@ bool dl_cpu_busy(unsigned int cpu)
+ #endif
+
+ #ifdef CONFIG_SCHED_DEBUG
+-extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq);
+-
+ void print_dl_stats(struct seq_file *m, int cpu)
+ {
+ print_dl_rq(m, cpu, &cpu_rq(cpu)->dl);
+--- a/kernel/sched/rt.c
++++ b/kernel/sched/rt.c
+@@ -2689,8 +2689,6 @@ int sched_rr_handler(struct ctl_table *t
+ }
+
+ #ifdef CONFIG_SCHED_DEBUG
+-extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq);
+-
+ void print_rt_stats(struct seq_file *m, int cpu)
+ {
+ rt_rq_iter_t iter;
+--- a/kernel/sched/sched.h
++++ b/kernel/sched/sched.h
+@@ -1969,8 +1969,9 @@ extern bool sched_debug_enabled;
+ extern void print_cfs_stats(struct seq_file *m, int cpu);
+ extern void print_rt_stats(struct seq_file *m, int cpu);
+ extern void print_dl_stats(struct seq_file *m, int cpu);
+-extern void
+-print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq);
++extern void print_cfs_rq(struct seq_file *m, int cpu, struct cfs_rq *cfs_rq);
++extern void print_rt_rq(struct seq_file *m, int cpu, struct rt_rq *rt_rq);
++extern void print_dl_rq(struct seq_file *m, int cpu, struct dl_rq *dl_rq);
+ #ifdef CONFIG_NUMA_BALANCING
+ extern void
+ show_numa_stats(struct task_struct *p, struct seq_file *m);
diff --git a/queue-4.14/scsi-isci-fix-infinite-loop-in-while-loop.patch b/queue-4.14/scsi-isci-fix-infinite-loop-in-while-loop.patch
new file mode 100644
index 00000000000..81cfc341817
--- /dev/null
+++ b/queue-4.14/scsi-isci-fix-infinite-loop-in-while-loop.patch
@@ -0,0 +1,42 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Colin Ian King
+Date: Fri, 20 Apr 2018 10:57:16 +0100
+Subject: scsi: isci: Fix infinite loop in while loop
+
+From: Colin Ian King
+
+[ Upstream commit 4bc83b3f272fe8f36450f9c003df49cf07ffe5fd ]
+
+In the case when the phy_mask is bitwise anded with the phy_index bit is
+zero the continue statement currently jumps to the next iteration of the
+while loop and phy_index is never actually incremented, potentially
+causing an infinite loop if phy_index is less than SCI_MAX_PHS. Fix this
+by turning the while loop into a for loop.
+
+Signed-off-by: Colin Ian King
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/isci/port_config.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/isci/port_config.c
++++ b/drivers/scsi/isci/port_config.c
+@@ -291,7 +291,7 @@ sci_mpc_agent_validate_phy_configuration
+ * Note: We have not moved the current phy_index so we will actually
+ * compare the startting phy with itself.
+ * This is expected and required to add the phy to the port. */
+- while (phy_index < SCI_MAX_PHYS) {
++ for (; phy_index < SCI_MAX_PHYS; phy_index++) {
+ if ((phy_mask & (1 << phy_index)) == 0)
+ continue;
+ sci_phy_get_sas_address(&ihost->phys[phy_index],
+@@ -311,7 +311,6 @@ sci_mpc_agent_validate_phy_configuration
+ &ihost->phys[phy_index]);
+
+ assigned_phy_mask |= (1 << phy_index);
+- phy_index++;
+ }
+
+ }
diff --git a/queue-4.14/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch b/queue-4.14/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch
new file mode 100644
index 00000000000..ca02cf2b3d8
--- /dev/null
+++ b/queue-4.14/scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch
@@ -0,0 +1,124 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Chris Leech
+Date: Mon, 9 Apr 2018 15:15:28 -0700
+Subject: scsi: iscsi: respond to netlink with unicast when appropriate
+
+From: Chris Leech
+
+[ Upstream commit af17092810a887178195276255b7b31f8fbe7dbe ]
+
+Instead of always multicasting responses, send a unicast netlink message
+directed at the correct pid. This will be needed if we ever want to
+support multiple userspace processes interacting with the kernel over
+iSCSI netlink simultaneously. Limitations can currently be seen if you
+attempt to run multiple iscsistart commands in parallel.
+
+We've fixed up the userspace issues in iscsistart that prevented
+multiple instances from running, so now attempts to speed up booting by
+bringing up multiple iscsi sessions at once in the initramfs are just
+running into misrouted responses that this fixes.
+
+Signed-off-by: Chris Leech
+Reviewed-by: Lee Duncan
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_transport_iscsi.c | 29 ++++++++++++++++++-----------
+ 1 file changed, 18 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2322,6 +2322,12 @@ iscsi_multicast_skb(struct sk_buff *skb,
+ return nlmsg_multicast(nls, skb, 0, group, gfp);
+ }
+
++static int
++iscsi_unicast_skb(struct sk_buff *skb, u32 portid)
++{
++ return nlmsg_unicast(nls, skb, portid);
++}
++
+ int iscsi_recv_pdu(struct iscsi_cls_conn *conn, struct iscsi_hdr *hdr,
+ char *data, uint32_t data_size)
+ {
+@@ -2524,14 +2530,11 @@ void iscsi_ping_comp_event(uint32_t host
+ EXPORT_SYMBOL_GPL(iscsi_ping_comp_event);
+
+ static int
+-iscsi_if_send_reply(uint32_t group, int seq, int type, int done, int multi,
+- void *payload, int size)
++iscsi_if_send_reply(u32 portid, int type, void *payload, int size)
+ {
+ struct sk_buff *skb;
+ struct nlmsghdr *nlh;
+ int len = nlmsg_total_size(size);
+- int flags = multi ? NLM_F_MULTI : 0;
+- int t = done ? NLMSG_DONE : type;
+
+ skb = alloc_skb(len, GFP_ATOMIC);
+ if (!skb) {
+@@ -2539,10 +2542,9 @@ iscsi_if_send_reply(uint32_t group, int
+ return -ENOMEM;
+ }
+
+- nlh = __nlmsg_put(skb, 0, 0, t, (len - sizeof(*nlh)), 0);
+- nlh->nlmsg_flags = flags;
++ nlh = __nlmsg_put(skb, 0, 0, type, (len - sizeof(*nlh)), 0);
+ memcpy(nlmsg_data(nlh), payload, size);
+- return iscsi_multicast_skb(skb, group, GFP_ATOMIC);
++ return iscsi_unicast_skb(skb, portid);
+ }
+
+ static int
+@@ -3470,6 +3472,7 @@ static int
+ iscsi_if_recv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, uint32_t *group)
+ {
+ int err = 0;
++ u32 portid;
+ struct iscsi_uevent *ev = nlmsg_data(nlh);
+ struct iscsi_transport *transport = NULL;
+ struct iscsi_internal *priv;
+@@ -3490,10 +3493,12 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ if (!try_module_get(transport->owner))
+ return -EINVAL;
+
++ portid = NETLINK_CB(skb).portid;
++
+ switch (nlh->nlmsg_type) {
+ case ISCSI_UEVENT_CREATE_SESSION:
+ err = iscsi_if_create_session(priv, ep, ev,
+- NETLINK_CB(skb).portid,
++ portid,
+ ev->u.c_session.initial_cmdsn,
+ ev->u.c_session.cmds_max,
+ ev->u.c_session.queue_depth);
+@@ -3506,7 +3511,7 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ }
+
+ err = iscsi_if_create_session(priv, ep, ev,
+- NETLINK_CB(skb).portid,
++ portid,
+ ev->u.c_bound_session.initial_cmdsn,
+ ev->u.c_bound_session.cmds_max,
+ ev->u.c_bound_session.queue_depth);
+@@ -3664,6 +3669,8 @@ iscsi_if_recv_msg(struct sk_buff *skb, s
+ static void
+ iscsi_if_rx(struct sk_buff *skb)
+ {
++ u32 portid = NETLINK_CB(skb).portid;
++
+ mutex_lock(&rx_queue_mutex);
+ while (skb->len >= NLMSG_HDRLEN) {
+ int err;
+@@ -3699,8 +3706,8 @@ iscsi_if_rx(struct sk_buff *skb)
+ break;
+ if (ev->type == ISCSI_UEVENT_GET_CHAP && !err)
+ break;
+- err = iscsi_if_send_reply(group, nlh->nlmsg_seq,
+- nlh->nlmsg_type, 0, 0, ev, sizeof(*ev));
++ err = iscsi_if_send_reply(portid, nlh->nlmsg_type,
++ ev, sizeof(*ev));
+ } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
+ skb_pull(skb, rlen);
+ }
diff --git a/queue-4.14/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch b/queue-4.14/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch
new file mode 100644
index 00000000000..4cb4da69457
--- /dev/null
+++ b/queue-4.14/scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Vinson Lee
+Date: Wed, 21 Mar 2018 21:04:12 +0000
+Subject: scsi: megaraid_sas: Do not log an error if FW successfully initializes.
+
+From: Vinson Lee
+
+[ Upstream commit fb1633d56b0025233ed3dc49b44544748d509d9d ]
+
+Fixes: 2d2c2331673c ("scsi: megaraid_sas: modified few prints in OCR and IOC INIT path")
+Signed-off-by: Vinson Lee
+Acked-by: Shivasharan S
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/megaraid/megaraid_sas_fusion.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/megaraid/megaraid_sas_fusion.c
++++ b/drivers/scsi/megaraid/megaraid_sas_fusion.c
+@@ -903,7 +903,7 @@ megasas_ioc_init_fusion(struct megasas_i
+ goto fail_fw_init;
+ }
+
+- ret = 0;
++ return 0;
+
+ fail_fw_init:
+ megasas_return_cmd(instance, cmd);
+@@ -913,8 +913,8 @@ fail_fw_init:
+ IOCInitMessage, ioc_init_handle);
+ fail_get_cmd:
+ dev_err(&instance->pdev->dev,
+- "Init cmd return status %s for SCSI host %d\n",
+- ret ? "FAILED" : "SUCCESS", instance->host->host_no);
++ "Init cmd return status FAILED for SCSI host %d\n",
++ instance->host->host_no);
+
+ return ret;
+ }
diff --git a/queue-4.14/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch b/queue-4.14/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch
new file mode 100644
index 00000000000..b4c4f639d50
--- /dev/null
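Review bot: In iscsi_if_rx() (drivers/scsi/scsi_transport_iscsi.c), the reply is now sent by unicast inside the unchanged `do { } while (err < 0 && err != -ECONNREFUSED && err != -ESRCH)` loop, which the visible context shows running under `rx_queue_mutex`. That exit condition was written for multicast delivery; with a unicast send, any other error that persists while the addressed process does not read its socket (presumably -EAGAIN on a full receive queue, to be confirmed against nlmsg_unicast()) would keep this loop retrying with the mutex held. Bounding the number of attempts, or adding such errors to the terminal set, e.g. `&& err != -EAGAIN`, would keep one slow client from stalling the whole receive path. The loop's opening lines are outside the hunk.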
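Review bot: In megasas_ioc_init_fusion() (drivers/scsi/megaraid/megaraid_sas_fusion.c), replacing `ret = 0;` with `return 0;` makes the success path skip everything under `fail_fw_init:`, which in this tree is `megasas_return_cmd(instance, cmd);` followed by a release call ending in `IOCInitMessage, ioc_init_handle);`. Before the change the success path fell through those lines, so a successful init now appears to leave the command and the init-message buffer allocated. Keeping `ret = 0;` and guarding only the message with `if (ret)` in front of the `dev_err(...)` call would silence the log without changing the cleanup. The lines between the two hunks are not visible, so the exact release call is inferred from its trailing arguments.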
+++ b/queue-4.14/scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch
@@ -0,0 +1,40 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Long Li
+Date: Thu, 22 Mar 2018 14:47:18 -0700
+Subject: scsi: storvsc: Set up correct queue depth values for IDE devices
+
+From: Long Li
+
+[ Upstream commit f286299c1d0ba5e2ca0377610307b370fe178767 ]
+
+Unlike SCSI and FC, we don't use multiple channels for IDE. Also fix
+the calculation for sub-channels.
+
+Signed-off-by: Long Li
+Reviewed-by: Michael Kelley
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/storvsc_drv.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/storvsc_drv.c
++++ b/drivers/scsi/storvsc_drv.c
+@@ -1725,11 +1725,14 @@ static int storvsc_probe(struct hv_devic
+ max_targets = STORVSC_MAX_TARGETS;
+ max_channels = STORVSC_MAX_CHANNELS;
+ /*
+- * On Windows8 and above, we support sub-channels for storage.
++ * On Windows8 and above, we support sub-channels for storage
++ * on SCSI and FC controllers.
+ * The number of sub-channels offerred is based on the number of
+ * VCPUs in the guest.
+ */
+- max_sub_channels = (num_cpus / storvsc_vcpus_per_sub_channel);
++ if (!dev_is_ide)
++ max_sub_channels =
++ (num_cpus - 1) / storvsc_vcpus_per_sub_channel;
+ }
+
+ scsi_driver.can_queue = (max_outstanding_req_per_channel *
diff --git a/queue-4.14/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch b/queue-4.14/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch
new file mode 100644
index 00000000000..bcb93fde93e
--- /dev/null
+++ b/queue-4.14/scsi-target-fix-crash-with-iscsi-target-and-dvd.patch
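Review bot: In storvsc_probe() (drivers/scsi/storvsc_drv.c), the new `if (!dev_is_ide)` leaves `max_sub_channels` untouched for IDE devices, so its value in that case depends on an initialiser that is outside the hunk. An explicit `else max_sub_channels = 0;`, or a comment stating the initial value, would make the IDE case readable at this site; that 0 is the intended value is inferred from the commit message and should be confirmed. The rewritten expression also still divides by `storvsc_vcpus_per_sub_channel` without a check, which matters only if that variable can be set to 0; its definition is not visible here.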
@@ -0,0 +1,49 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ming Lei
+Date: Mon, 16 Apr 2018 17:48:41 +0800
+Subject: scsi: target: fix crash with iscsi target and dvd
+
+From: Ming Lei
+
+[ Upstream commit 8e1ceafe50ec4d1bcfae154dd70e7cb6946a6177 ]
+
+When the current page can't be added to bio, one new bio should be
+created for adding this page again, instead of ignoring this page.
+
+This patch fixes kernel crash with iscsi target and dvd, as reported by
+Wakko.
+
+Cc: Wakko Warner
+Cc: Bart Van Assche
+Cc: target-devel@vger.kernel.org
+Cc: linux-scsi@vger.kernel.org
+Cc: "Nicholas A. Bellinger"
+Cc: Christoph Hellwig
+Fixes: 84c8590646d5b35804 ("target: avoid accessing .bi_vcnt directly")
+Signed-off-by: Ming Lei
+Reviewed-by: Christoph Hellwig
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/target/target_core_pscsi.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/target/target_core_pscsi.c
++++ b/drivers/target/target_core_pscsi.c
+@@ -890,6 +890,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct
+ bytes = min(bytes, data_len);
+
+ if (!bio) {
++new_bio:
+ nr_vecs = min_t(int, BIO_MAX_PAGES, nr_pages);
+ nr_pages -= nr_vecs;
+ /*
+@@ -931,6 +932,7 @@ pscsi_map_sg(struct se_cmd *cmd, struct
+ * be allocated with pscsi_get_bio() above.
+ */
+ bio = NULL;
++ goto new_bio;
+ }
+
+ data_len -= bytes;
diff --git a/queue-4.14/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch b/queue-4.14/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch
new file mode 100644
index 00000000000..19cf44a4f9c
--- /dev/null
+++ b/queue-4.14/scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch
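Review bot: In pscsi_map_sg() (drivers/target/target_core_pscsi.c), `goto new_bio;` re-enters the body of `if (!bio)`, so `nr_vecs = min_t(int, BIO_MAX_PAGES, nr_pages);` and `nr_pages -= nr_vecs;` run again for a page that appears to have been counted already when the previous bio was sized. If a freshly allocated bio also cannot take the page, the same branch is reached again and nothing visible here bounds the retries. A guard that fails the mapping when the add is refused by a bio that holds no pages yet, together with a comment at the label explaining the jump into the block, would make both cases explicit. The code between the two hunks is not visible, so the accounting concern should be checked against the full loop.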
@@ -0,0 +1,32 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jim Gill
+Date: Fri, 20 Apr 2018 19:04:47 -0700
+Subject: scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts
+
+From: Jim Gill
+
+[ Upstream commit f4b024271ae3e9786e5d6f1c05b01b57a74e1d6d ]
+
+The vmw_pvscsi driver returns DID_ABORT for commands aborted internally
+by the adapter, leading to the filesystem going read-only. Change the
+result to DID_BUS_BUSY, causing the kernel to retry the command.
+
+Signed-off-by: Jim Gill
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/vmw_pvscsi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/vmw_pvscsi.c
++++ b/drivers/scsi/vmw_pvscsi.c
+@@ -609,7 +609,7 @@ static void pvscsi_complete_request(stru
+ break;
+
+ case BTSTAT_ABORTQUEUE:
+- cmd->result = (DID_ABORT << 16);
++ cmd->result = (DID_BUS_BUSY << 16);
+ break;
+
+ case BTSTAT_SCSIPARITY:
diff --git a/queue-4.14/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch b/queue-4.14/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch
new file mode 100644
index 00000000000..022c83d0ea9
--- /dev/null
+++ b/queue-4.14/selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch
@@ -0,0 +1,74 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Masami Hiramatsu +Date: Thu, 5 Apr 2018 18:29:12 +0900 +Subject: selftests: ftrace: Add a testcase for multiple actions on trigger + +From: Masami Hiramatsu + +[ Upstream commit 25aa50e0ca397a5e5d4d6fcecefa8107877d1dd0 ] + +Add a testcase for multiple actions with different +parameters on an event trigger, which has been fixed +by commit 192c283e93bd ("tracing: Add action comparisons + when testing matching hist triggers"). + +Link: http://lkml.kernel.org/r/152292055227.15769.6327959816123227152.stgit@devbox + +Reviewed-by: Tom Zanussi +Tested-by: Tom Zanussi +Signed-off-by: Masami Hiramatsu +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc | 44 ++++++++++ + 1 file changed, 44 insertions(+) + create mode 100644 tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc + +--- /dev/null ++++ b/tools/testing/selftests/ftrace/test.d/trigger/inter-event/trigger-multi-actions-accept.tc +@@ -0,0 +1,44 @@ ++#!/bin/sh ++# description: event trigger - test multiple actions on hist trigger ++ ++ ++do_reset() { ++ reset_trigger ++ echo > set_event ++ clear_trace ++} ++ ++fail() { #msg ++ do_reset ++ echo $1 ++ exit_fail ++} ++ ++if [ ! -f set_event ]; then ++ echo "event tracing is not supported" ++ exit_unsupported ++fi ++ ++if [ ! 
-f synthetic_events ]; then ++ echo "synthetic event is not supported" ++ exit_unsupported ++fi ++ ++clear_synthetic_events ++reset_tracer ++do_reset ++ ++echo "Test multiple actions on hist trigger" ++echo 'wakeup_latency u64 lat; pid_t pid' >> synthetic_events ++TRIGGER1=events/sched/sched_wakeup/trigger ++TRIGGER2=events/sched/sched_switch/trigger ++ ++echo 'hist:keys=pid:ts0=common_timestamp.usecs if comm=="cyclictest"' > $TRIGGER1 ++echo 'hist:keys=next_pid:wakeup_lat=common_timestamp.usecs-$ts0 if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,next_pid) if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid:onmatch(sched.sched_wakeup).wakeup_latency(sched.sched_switch.$wakeup_lat,prev_pid) if next_comm=="cyclictest"' >> $TRIGGER2 ++echo 'hist:keys=next_pid if next_comm=="cyclictest"' >> $TRIGGER2 ++ ++do_reset ++ ++exit 0 diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..e11dfd393c9 --- /dev/null +++ b/queue-4.14/series 
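Review bot: The new test never checks a result: `fail()` is defined but not called, so the script passes as long as every `echo` into the trigger files succeeds, and it depends on the harness aborting on a failed command, which is not visible in this file. If that is the intent, a comment above the trigger writes should say so, e.g. `# each write must be accepted; a rejected trigger makes echo fail`. Separately, `echo $1` in `fail()` should quote its argument, `echo "$1"`, and `$TRIGGER1`/`$TRIGGER2` are better quoted in the redirections.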
@@ -0,0 +1,185 @@ +clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch +input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch +kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch +x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch +mips-io-prevent-compiler-reordering-writex.patch +nfp-ignore-signals-when-communicating-with-management-fw.patch +perf-report-fix-switching-to-another-perf.data-file.patch +fsnotify-fix-ignore-mask-logic-in-send_to_group.patch +mips-io-add-barrier-after-register-read-in-readx.patch +s390-smsgiucv-disable-smsg-on-module-unload.patch +isofs-fix-potential-memory-leak-in-mount-option-parsing.patch +mips-dts-boston-fix-pci-bus-dtc-warnings.patch +spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch +doc-add-vendor-prefix-for-kieback-peter-gmbh.patch +dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch +dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch +dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch +clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch +asoc-rt5514-add-the-missing-register-in-the-readable-table.patch +ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch +soc-bcm-raspberrypi-power-fix-use-of-__packed.patch +soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch +pci-kirin-fix-reset-gpio-name.patch +asoc-topology-fix-bugs-of-freeing-soc-topology.patch +xen-xenbus_dev_frontend-really-return-response-string.patch +asoc-topology-check-widget-kcontrols-before-deref.patch +spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch +blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch +tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch +scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch +scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch +scsi-target-fix-crash-with-iscsi-target-and-dvd.patch 
+netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch +netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch +asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch +drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch +drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch +drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch +blkcg-init-root-blkcg_gq-under-lock.patch +net-hns-avoid-action-name-truncation.patch +vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch +parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch +scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch +scsi-isci-fix-infinite-loop-in-while-loop.patch +mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch +proc-revalidate-kernel-thread-inodes-to-root-root.patch +kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch +mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch +usb-typec-ucsi-fix-tracepoint-related-build-error.patch +s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch +acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch +dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch +powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch +net-phy-marvell-clear-wol-event-before-setting-it.patch +arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch +acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch +drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch +thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch +net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch +arm64-ptrace-remove-addr_limit-manipulation.patch +hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch +hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch +selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch 
+rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch +perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch +remoteproc-qcom-fix-potential-device-node-leaks.patch +rpmsg-added-module_alias-for-rpmsg_char.patch +hid-intel-ish-hid-use-put_device-instead-of-kfree.patch +blk-mq-fix-sysfs-inflight-counter.patch +arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch +kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch +libahci-allow-drivers-to-override-stop_engine.patch +ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch +x86-cpu-intel-add-missing-tlb-cpuid-values.patch +bpf-fix-uninitialized-variable-in-bpf-tools.patch +i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch +i2c-sprd-fix-the-i2c-count-issue.patch +tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch +nvme-depend-on-infiniband_addr_trans.patch +nvmet-rdma-depend-on-infiniband_addr_trans.patch +ib_srpt-depend-on-infiniband_addr_trans.patch +ib_srp-depend-on-infiniband_addr_trans.patch +ib-make-infiniband_addr_trans-configurable.patch +ib-uverbs-fix-validating-mandatory-attributes.patch +rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch +rdma-iwpm-fix-memory-leak-on-map_info.patch +ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch +ib-rxe-avoid-double-kfree_skb.patch +linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch +ib-core-make-ib_mad_client_id-atomic.patch +arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch +arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch +arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch +arm-davinci-board-dm355-evm-fix-broken-networking.patch +dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch +arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch +arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch +arm-dts-logicpd-som-lv-fix-audio-mute.patch +input-atmel_mxt_ts-fix-the-firmware-update.patch 
+hexagon-add-memset_io-helper.patch +hexagon-export-csum_partial_copy_nocheck.patch +scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch +bpf-x64-fix-memleak-when-not-converging-after-image.patch +parisc-drivers.c-fix-section-mismatches.patch +stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch +kthread-sched-wait-fix-kthread_parkme-wait-loop.patch +arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch +iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch +nvme-fix-potential-memory-leak-in-option-parsing.patch +nvme-set-integrity-flag-for-user-passthrough-commands.patch +arm-omap1-ams-delta-fix-deferred_fiq-handler.patch +smc-fix-sendpage-call.patch +ib-hfi1-use-correct-type-for-num_user_context.patch +ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch +rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch +spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch +sched-core-introduce-set_special_state.patch +sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch +tee-check-shm-references-are-consistent-in-offset-size.patch +powerpc-trace-syscalls-update-syscall-name-matching-logic.patch +powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch +mac80211-adjust-sae-authentication-timeout.patch +drm-omap-silence-unititialized-variable-warning.patch +drm-omap-fix-uninitialized-ret-variable.patch +drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch +drm-omap-check-return-value-from-soc_device_match.patch +drm-omap-handle-alloc-failures-in-omap_connector.patch +driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch +arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch +mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch +x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch +net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch +can-dev-increase-bus-off-message-severity.patch 
+arm64-add-midr-encoding-for-nvidia-cpus.patch +cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch +agp-uninorth-make-two-functions-static.patch +tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch +qed-fix-l2-initializations-over-iwarp-personality.patch +qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch +rxrpc-fix-error-reception-on-af_inet6-sockets.patch +rxrpc-fix-the-min-security-level-for-kernel-calls.patch +kvm-extend-max_irq_routes-to-4096-for-all-archs.patch +x86-delay-skip-of-emulated-hypercall-instruction.patch +ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch +net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch +init-fix-false-positives-in-w-x-checking.patch +proc-kcore-don-t-bounds-check-against-address-0.patch +ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch +kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch +uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch +objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch +x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch +x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch +x86-selftests-add-mov_to_ss-test.patch +x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch +x86-pkeys-selftests-stop-using-assert.patch +x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch +x86-pkeys-selftests-allow-faults-on-unknown-keys.patch +x86-pkeys-selftests-factor-out-instruction-page.patch +x86-pkeys-selftests-add-prot_exec-test.patch +x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch +x86-pkeys-selftests-fix-pointer-math.patch +x86-pkeys-selftests-save-off-prot-for-allocations.patch +x86-pkeys-selftests-add-a-test-for-pkey-0.patch +mtd-fix-comparison-in-map_word_andequal.patch +afs-fix-the-non-encryption-of-calls.patch 
+usb-musb-fix-remote-wakeup-racing-with-suspend.patch +arm-keystone-fix-platform_domain_notifier-array-overrun.patch +i2c-pmcmsp-return-message-count-on-master_xfer-success.patch +i2c-pmcmsp-fix-error-return-from-master_xfer.patch +i2c-viperboard-return-message-count-on-master_xfer-success.patch +arm-davinci-dm646x-fix-timer-interrupt-generation.patch +arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch +arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch +clk-imx6ull-use-osc-clock-during-axi-rate-change.patch +locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch +locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch +drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch +sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch +sched-deadline-make-the-grub_reclaim-function-static.patch +parisc-move-setup_profiling_timer-out-of-init-section.patch +efi-libstub-arm64-handle-randomized-text_offset.patch +arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch +arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch +arm-kexec-fix-kdump-register-saving-on-panic.patch diff --git a/queue-4.14/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch b/queue-4.14/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch new file mode 100644 index 00000000000..94e9e772643 --- /dev/null +++ b/queue-4.14/sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch 
@@ -0,0 +1,34 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Rich Felker
+Date: Sat, 5 May 2018 16:40:23 -0400
+Subject: sh: fix build failure for J2 cpu with SMP disabled
+
+From: Rich Felker
+
+[ Upstream commit 6cb465972c4eb6741b3094a58a65e527fc63c100 ]
+
+The sh asm/smp.h defines a fallback hard_smp_processor_id macro for
+the !SMP case, but linux/smp.h never includes asm/smp.h in the !SMP
+case.
+
+Signed-off-by: Rich Felker
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sh/kernel/cpu/sh2/probe.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/sh/kernel/cpu/sh2/probe.c
++++ b/arch/sh/kernel/cpu/sh2/probe.c
+@@ -43,7 +43,11 @@ void __ref cpu_probe(void)
+ #endif
+
+ #if defined(CONFIG_CPU_J2)
++#if defined(CONFIG_SMP)
+ unsigned cpu = hard_smp_processor_id();
++#else
++ unsigned cpu = 0;
++#endif
+ if (cpu == 0) of_scan_flat_dt(scan_cache, NULL);
+ if (j2_ccr_base) __raw_writel(0x80000303, j2_ccr_base + 4*cpu);
+ if (cpu != 0) return;
diff --git a/queue-4.14/smc-fix-sendpage-call.patch b/queue-4.14/smc-fix-sendpage-call.patch
new file mode 100644
index 00000000000..9249b660905
--- /dev/null
+++ b/queue-4.14/smc-fix-sendpage-call.patch
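Review bot: The nested `#if defined(CONFIG_SMP)` inside the `CONFIG_CPU_J2` block declares `cpu` twice and leaves the reason for the !SMP branch to the commit log. A short comment on the `#else` branch would carry it into the source, e.g. `/* hard_smp_processor_id() is not available here when !SMP */`. cpu_probe() continues outside the hunk.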
@@ -0,0 +1,44 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Stefan Raspl
+Date: Thu, 3 May 2018 17:57:39 +0200
+Subject: smc: fix sendpage() call
+
+From: Stefan Raspl
+
+[ Upstream commit bda27ff5c4526f80a7620a94ecfe8dca153e3696 ]
+
+The sendpage() call grabs the sock lock before calling the default
+implementation - which tries to grab it once again.
+
+Signed-off-by: Stefan Raspl
+Signed-off-by: Ursula Braun <
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/smc/af_smc.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/smc/af_smc.c
++++ b/net/smc/af_smc.c
+@@ -1264,8 +1264,11 @@ static ssize_t smc_sendpage(struct socke
+
+ smc = smc_sk(sk);
+ lock_sock(sk);
+- if (sk->sk_state != SMC_ACTIVE)
++ if (sk->sk_state != SMC_ACTIVE) {
++ release_sock(sk);
+ goto out;
++ }
++ release_sock(sk);
+ if (smc->use_fallback)
+ rc = kernel_sendpage(smc->clcsock, page, offset,
+ size, flags);
+@@ -1273,7 +1276,6 @@ static ssize_t smc_sendpage(struct socke
+ rc = sock_no_sendpage(sock, page, offset, size, flags);
+
+ out:
+- release_sock(sk);
+ return rc;
+ }
+
diff --git a/queue-4.14/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch b/queue-4.14/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch
new file mode 100644
index 00000000000..bdba92cb108
--- /dev/null
+++ b/queue-4.14/soc-bcm-raspberrypi-power-fix-use-of-__packed.patch
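Review bot: In smc_sendpage() `sk->sk_state` is now tested under `lock_sock()` but the lock is dropped before the send, and `smc->use_fallback` is read with no lock held, so both values are only a snapshot by the time `kernel_sendpage()` or `sock_no_sendpage()` runs. That is safe only if the send path takes the sock lock and re-validates the state itself, which the commit message implies but this hunk does not show. Reading the flag inside the locked region into a local keeps the two checks consistent, e.g. `fallback = smc->use_fallback;` just before the second `release_sock(sk);`, and a comment such as `/* state is rechecked by the send path under its own lock */` would document the reliance. The function starts outside the hunk.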
@@ -0,0 +1,33 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Florian Fainelli
+Date: Sun, 1 Apr 2018 09:42:25 -0700
+Subject: soc: bcm: raspberrypi-power: Fix use of __packed
+
+From: Florian Fainelli
+
+[ Upstream commit 0a12e80ce4230434c2ed66ad0d65af0b7ccecea8 ]
+
+Commit a09cd356586d ("ARM: bcm2835: add rpi power domain driver")
+attempted to annotate the structure rpi_power_domain_packet with
+__packed but introduced a typo and made it named __packet instead. Just
+drop the annotation since the structure is naturally aligned already.
+
+Fixes: a09cd356586d ("ARM: bcm2835: add rpi power domain driver")
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/soc/bcm/raspberrypi-power.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/soc/bcm/raspberrypi-power.c
++++ b/drivers/soc/bcm/raspberrypi-power.c
+@@ -45,7 +45,7 @@ struct rpi_power_domains {
+ struct rpi_power_domain_packet {
+ u32 domain;
+ u32 on;
+-} __packet;
++};
+
+ /*
+ * Asks the firmware to enable or disable power on a specific power
diff --git a/queue-4.14/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch b/queue-4.14/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch
new file mode 100644
index 00000000000..cc952114c9e
--- /dev/null
+++ b/queue-4.14/soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch
@@ -0,0 +1,54 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Geert Uytterhoeven
+Date: Sun, 8 Apr 2018 11:05:15 +0200
+Subject: soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 144345a4a8c3b497a3f60d3af9d6071a37660186 ]
+
+If CONFIG_RASPBERRYPI_FIRMWARE=n:
+
+ drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_polarity’:
+ drivers/gpio/gpio-raspberrypi-exp.c:71: warning: ‘get.polarity’ is used uninitialized in this function
+ drivers/gpio/gpio-raspberrypi-exp.c: In function ‘rpi_exp_gpio_get_direction’:
+ drivers/gpio/gpio-raspberrypi-exp.c:150: warning: ‘get.direction’ is used uninitialized in this function
+
+The dummy firmware interface functions return 0, which means success,
+causing subsequent code to make use of the never initialized output
+parameter.
+
+Fix this by making the dummy functions return an error code (-ENOSYS)
+instead.
+
+Note that this assumes the firmware always fills in the requested data
+in the CONFIG_RASPBERRYPI_FIRMWARE=y case.
+
+Fixes: d45f1a563b92dac7 ("staging: vc04_services: fix up rpi firmware functions")
+Signed-off-by: Geert Uytterhoeven
+Reviewed-by: Eric Anholt
+Signed-off-by: Florian Fainelli
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/soc/bcm2835/raspberrypi-firmware.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/soc/bcm2835/raspberrypi-firmware.h
++++ b/include/soc/bcm2835/raspberrypi-firmware.h
+@@ -125,13 +125,13 @@ struct rpi_firmware *rpi_firmware_get(st
+ static inline int rpi_firmware_property(struct rpi_firmware *fw, u32 tag,
+ void *data, size_t len)
+ {
+- return 0;
++ return -ENOSYS;
+ }
+
+ static inline int rpi_firmware_property_list(struct rpi_firmware *fw,
+ void *data, size_t tag_size)
+ {
+- return 0;
++ return -ENOSYS;
+ }
+
+ static inline struct rpi_firmware *rpi_firmware_get(struct device_node *firmware_node)
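Review bot: The two dummies now fail, but nothing at their declaration tells callers that `data` is left untouched, which is what produced the uninitialized reads quoted in the commit message. A comment above `rpi_firmware_property()` and `rpi_firmware_property_list()` would make the contract explicit: `/* !RASPBERRYPI_FIRMWARE: always fails and never writes @data; callers must check the return value */`. The commit message itself records the remaining assumption that the real implementation always fills the buffer, so callers that consume the output are safer zero-initialising it before the call. The stub for `rpi_firmware_get()` that follows is cut off at the end of the hunk.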
diff --git a/queue-4.14/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch b/queue-4.14/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch
new file mode 100644
index 00000000000..a4724b9d00c
--- /dev/null
+++ b/queue-4.14/spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch
@@ -0,0 +1,57 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Rob Herring +Date: Thu, 3 May 2018 13:09:44 -0500 +Subject: spi: bcm2835aux: ensure interrupts are enabled for shared handler + +From: Rob Herring + +[ Upstream commit bc519d9574618e47a0c788000fb78da95e18d953 ] + +The BCM2835 AUX SPI has a shared interrupt line (with AUX UART). +Downstream fixes this with an AUX irqchip to demux the IRQ sources and a +DT change which breaks compatibility with older kernels. The AUX irqchip +was already rejected for upstream[1] and the DT change would break +working systems if the DTB is updated to a newer one. The latter issue +was brought to my attention by Alex Graf. + +The root cause however is a bug in the shared handler. Shared handlers +must check that interrupts are actually enabled before servicing the +interrupt. Add a check that the TXEMPTY or IDLE interrupts are enabled. + +[1] https://patchwork.kernel.org/patch/9781221/ + +Cc: Alexander Graf +Cc: Marc Zyngier +Cc: Mark Brown +Cc: Eric Anholt +Cc: Stefan Wahren +Cc: Florian Fainelli +Cc: Ray Jui +Cc: Scott Branden +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: linux-spi@vger.kernel.org +Cc: linux-rpi-kernel@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Signed-off-by: Rob Herring +Reviewed-by: Eric Anholt +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-bcm2835aux.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/spi/spi-bcm2835aux.c ++++ b/drivers/spi/spi-bcm2835aux.c +@@ -184,6 +184,11 @@ static irqreturn_t bcm2835aux_spi_interr + struct bcm2835aux_spi *bs = spi_master_get_devdata(master); + irqreturn_t ret = IRQ_NONE; + ++ /* IRQ may be shared, so return if our interrupts are disabled */ ++ if (!(bcm2835aux_rd(bs, BCM2835_AUX_SPI_CNTL1) & ++ (BCM2835_AUX_SPI_CNTL1_TXEMPTY | BCM2835_AUX_SPI_CNTL1_IDLE))) ++ return ret; ++ + /* check if we have data to read */ + while (bs->rx_len && + (!(bcm2835aux_rd(bs, 
BCM2835_AUX_SPI_STAT) & diff --git a/queue-4.14/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch b/queue-4.14/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch new file mode 100644 index 00000000000..cc3c0812e0c --- /dev/null +++ b/queue-4.14/spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch @@ -0,0 +1,40 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: sxauwsk +Date: Tue, 17 Apr 2018 04:01:27 +0800 +Subject: spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo() + +From: sxauwsk + +[ Upstream commit 49530e6411789c1b9ea3ebc58e520c19d1c3752f ] + +In case of xspi work in busy condition, may send bytes failed. +once something wrong, spi controller did't work any more + +My test found this situation appear in both of read/write process. +so when TX FIFO is full, add one byte delay before send data; + +Signed-off-by: sxauwsk +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-cadence.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/spi/spi-cadence.c ++++ b/drivers/spi/spi-cadence.c +@@ -313,6 +313,14 @@ static void cdns_spi_fill_tx_fifo(struct + + while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) && + (xspi->tx_bytes > 0)) { ++ ++ /* When xspi in busy condition, bytes may send failed, ++ * then spi control did't work thoroughly, add one byte delay ++ */ ++ if (cdns_spi_read(xspi, CDNS_SPI_ISR) & ++ CDNS_SPI_IXR_TXFULL) ++ usleep_range(10, 20); ++ + if (xspi->txbuf) + cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++); + else diff --git a/queue-4.14/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch b/queue-4.14/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch new file mode 100644 index 00000000000..b300a665155 --- /dev/null +++ b/queue-4.14/spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch 
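Review bot: In cdns_spi_fill_tx_fifo() the added `usleep_range(10, 20);` can sleep, so it is only valid if the function is never reached from the interrupt handler or under a spinlock; the callers are outside this hunk, and a FIFO-refill helper is commonly called from the IRQ path. If any caller is atomic, the busy-wait form is the safe one: `udelay(10);`. The delay is also taken once without re-reading `CDNS_SPI_ISR`, so the write to `CDNS_SPI_TXD` proceeds even if `CDNS_SPI_IXR_TXFULL` is still set. The added comment would read better as `/* TX FIFO full: wait about one byte time before writing, otherwise the byte may be lost */`.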
@@ -0,0 +1,43 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Vladimir Zapolskiy
+Date: Fri, 13 Apr 2018 15:44:16 +0300
+Subject: spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR
+
+From: Vladimir Zapolskiy
+
+[ Upstream commit 10b4640833e95eeacaef8060bc1b35e636df3218 ]
+
+The change fixes a bit field overflow which allows to write to higher
+bits while calculating SPI transfer clock and setting BRPS and BRDV
+bit fields, the problem is reproduced if 'parent_rate' to 'spi_hz'
+ratio is greater than 1024, for instance
+
+ p->min_div = 2,
+ MSO rate = 33333333,
+ SPI device rate = 10000
+
+results in
+
+ k = 5, i.e. BRDV = 0b100 or 1/32 prescaler output,
+ BRPS = 105,
+ TSCR value = 0x6804, thus MSSEL and MSIMM bit fields are non-zero.
+
+Fixes: 65d5665bb260 ("spi: sh-msiof: Update calculation of frequency dividing")
+Signed-off-by: Vladimir Zapolskiy
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/spi/spi-sh-msiof.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -277,6 +277,7 @@ static void sh_msiof_spi_set_clk_regs(st
+ }
+
+ k = min_t(int, k, ARRAY_SIZE(sh_msiof_spi_div_table) - 1);
++ brps = min_t(int, brps, 32);
+
+ scr = sh_msiof_spi_div_table[k].brdv | SCR_BRPS(brps);
+ sh_msiof_write(p, TSCR, scr);
diff --git a/queue-4.14/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch b/queue-4.14/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch
new file mode 100644
index 00000000000..44fffd8e8b8
--- /dev/null
+++ b/queue-4.14/stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch
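Review bot: The literal `32` in `brps = min_t(int, brps, 32);` is presumably the BRPS field limit, but nothing in the code says so; the commit message only shows BRPS = 105 spilling into the MSSEL and MSIMM bits. A comment or named constant would tie the clamp to the register layout, e.g. `/* BRPS field holds at most 32; larger values overflow into neighbouring TSCR/RSCR bits */`. With both `k` and `brps` clamped, a requested rate below what the dividers can reach is silently programmed as a faster clock; whether the caller rejects such rates beforehand is not visible here. sh_msiof_spi_set_clk_regs() starts outside the hunk.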
@@ -0,0 +1,120 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Peter Zijlstra +Date: Fri, 20 Apr 2018 11:50:05 +0200 +Subject: stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock + +From: Peter Zijlstra + +[ Upstream commit 0b26351b910fb8fe6a056f8a1bbccabe50c0e19f ] + +Matt reported the following deadlock: + +CPU0 CPU1 + +schedule(.prev=migrate/0) + pick_next_task() ... + idle_balance() migrate_swap() + active_balance() stop_two_cpus() + spin_lock(stopper0->lock) + spin_lock(stopper1->lock) + ttwu(migrate/0) + smp_cond_load_acquire() -- waits for schedule() + stop_one_cpu(1) + spin_lock(stopper1->lock) -- waits for stopper lock + +Fix this deadlock by taking the wakeups out from under stopper->lock. +This allows the active_balance() to queue the stop work and finish the +context switch, which in turn allows the wakeup from migrate_swap() to +observe the context and complete the wakeup. + +Signed-off-by: Peter Zijlstra (Intel) +Reported-by: Matt Fleming +Signed-off-by: Peter Zijlstra (Intel) +Acked-by: Matt Fleming +Cc: Linus Torvalds +Cc: Michal Hocko +Cc: Mike Galbraith +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20180420095005.GH4064@hirez.programming.kicks-ass.net +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + kernel/stop_machine.c | 19 ++++++++++++++----- + 1 file changed, 14 insertions(+), 5 deletions(-) + +--- a/kernel/stop_machine.c ++++ b/kernel/stop_machine.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + + /* + * Structure to determine completion condition and record errors. 
May +@@ -65,27 +66,31 @@ static void cpu_stop_signal_done(struct + } + + static void __cpu_stop_queue_work(struct cpu_stopper *stopper, +- struct cpu_stop_work *work) ++ struct cpu_stop_work *work, ++ struct wake_q_head *wakeq) + { + list_add_tail(&work->list, &stopper->works); +- wake_up_process(stopper->thread); ++ wake_q_add(wakeq, stopper->thread); + } + + /* queue @work to @stopper. if offline, @work is completed immediately */ + static bool cpu_stop_queue_work(unsigned int cpu, struct cpu_stop_work *work) + { + struct cpu_stopper *stopper = &per_cpu(cpu_stopper, cpu); ++ DEFINE_WAKE_Q(wakeq); + unsigned long flags; + bool enabled; + + spin_lock_irqsave(&stopper->lock, flags); + enabled = stopper->enabled; + if (enabled) +- __cpu_stop_queue_work(stopper, work); ++ __cpu_stop_queue_work(stopper, work, &wakeq); + else if (work->done) + cpu_stop_signal_done(work->done); + spin_unlock_irqrestore(&stopper->lock, flags); + ++ wake_up_q(&wakeq); ++ + return enabled; + } + +@@ -229,6 +234,7 @@ static int cpu_stop_queue_two_works(int + { + struct cpu_stopper *stopper1 = per_cpu_ptr(&cpu_stopper, cpu1); + struct cpu_stopper *stopper2 = per_cpu_ptr(&cpu_stopper, cpu2); ++ DEFINE_WAKE_Q(wakeq); + int err; + retry: + spin_lock_irq(&stopper1->lock); +@@ -252,8 +258,8 @@ retry: + goto unlock; + + err = 0; +- __cpu_stop_queue_work(stopper1, work1); +- __cpu_stop_queue_work(stopper2, work2); ++ __cpu_stop_queue_work(stopper1, work1, &wakeq); ++ __cpu_stop_queue_work(stopper2, work2, &wakeq); + unlock: + spin_unlock(&stopper2->lock); + spin_unlock_irq(&stopper1->lock); +@@ -263,6 +269,9 @@ unlock: + cpu_relax(); + goto retry; + } ++ ++ wake_up_q(&wakeq); ++ + return err; + } + /** diff --git a/queue-4.14/tee-check-shm-references-are-consistent-in-offset-size.patch b/queue-4.14/tee-check-shm-references-are-consistent-in-offset-size.patch new file mode 100644 index 00000000000..81d956b2be6 --- /dev/null +++ b/queue-4.14/tee-check-shm-references-are-consistent-in-offset-size.patch 
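Review bot: In cpu_stop_queue_two_works() the two stopper threads are now woken by `wake_up_q(&wakeq);` after `spin_unlock_irq(&stopper1->lock)`, that is with interrupts enabled again and, as far as this hunk shows, preemption enabled. If the caller is preempted between the first and the second wakeup, the first stopper can start running while its partner has not been woken, which looks like it could stall the two-CPU stop. Keeping both wakeups in one non-preemptible section avoids that: `preempt_disable();` before the unlocks and `preempt_enable();` after `wake_up_q(&wakeq);`. The function starts outside the hunk, so this should be confirmed against the full body.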
@@ -0,0 +1,44 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Etienne Carriere
+Date: Sun, 29 Apr 2018 14:22:29 +0200
+Subject: tee: check shm references are consistent in offset/size
+
+From: Etienne Carriere
+
+[ Upstream commit ab9d3db5b320a052452b9cd035599ee3c84bbee9 ]
+
+This change prevents userland from referencing TEE shared memory
+outside the area initially allocated by its owner. Prior this change an
+application could not reference or access memory it did not own but
+it could reference memory not explicitly allocated by owner but still
+allocated to the owner due to the memory allocation granule.
+
+Reported-by: Alexandre Jutras
+Signed-off-by: Etienne Carriere
+Signed-off-by: Jens Wiklander
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tee/tee_core.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/tee/tee_core.c
++++ b/drivers/tee/tee_core.c
+@@ -181,6 +181,17 @@ static int params_from_user(struct tee_c
+ if (IS_ERR(shm))
+ return PTR_ERR(shm);
+
++ /*
++ * Ensure offset + size does not overflow offset
++ * and does not overflow the size of the referred
++ * shared memory object.
++ */
++ if ((ip.a + ip.b) < ip.a ||
++ (ip.a + ip.b) > shm->size) {
++ tee_shm_put(shm);
++ return -EINVAL;
++ }
++
+ params[n].u.memref.shm_offs = ip.a;
+ params[n].u.memref.size = ip.b;
+ params[n].u.memref.shm = shm;
diff --git a/queue-4.14/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch b/queue-4.14/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch
new file mode 100644
index 00000000000..2925dba4fde
--- /dev/null
+++ b/queue-4.14/thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch
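Review bot: The bound added in params_from_user() relies on unsigned wraparound of `ip.a + ip.b`, so it is only correct while both fields are unsigned; their declarations are not in this hunk. The subtraction form needs no overflow reasoning and reads each operand once: `if (ip.b > shm->size || ip.a > shm->size - ip.b) {`. The comment above it could then say simply `/* offset and size come from userland: the range must lie inside the shm object */`. The check covers only this memref path; whether other places in the file that take an offset and size from userland apply the same bound is not visible here.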
@@ -0,0 +1,42 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Hans de Goede
+Date: Sun, 22 Apr 2018 19:56:17 +0200
+Subject: thermal: int3403_thermal: Fix NULL pointer deref on module load / probe
+
+From: Hans de Goede
+
+[ Upstream commit 13b86f50eaaddaea4bdd2fe476fd12e6a0951add ]
+
+Starting with kernel 4.17 thermal_cooling_device_register() will call the
+get_max_state() op during register.
+
+Since we deref priv->priv in int3403_get_max_state() this means we must
+set priv->priv before calling thermal_cooling_device_register().
+
+Signed-off-by: Hans de Goede
+Signed-off-by: Zhang Rui
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/thermal/int340x_thermal/int3403_thermal.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/thermal/int340x_thermal/int3403_thermal.c
++++ b/drivers/thermal/int340x_thermal/int3403_thermal.c
+@@ -194,6 +194,7 @@ static int int3403_cdev_add(struct int34
+ return -EFAULT;
+ }
+
++ priv->priv = obj;
+ obj->max_state = p->package.count - 1;
+ obj->cdev =
+ thermal_cooling_device_register(acpi_device_bid(priv->adev),
+@@ -201,8 +202,6 @@ static int int3403_cdev_add(struct int34
+ if (IS_ERR(obj->cdev))
+ result = PTR_ERR(obj->cdev);
+
+- priv->priv = obj;
+-
+ kfree(buf.pointer);
+ /* TODO: add ACPI notification support */
+
diff --git a/queue-4.14/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch b/queue-4.14/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch
new file mode 100644
index 00000000000..dd8d70a911f
--- /dev/null
+++ b/queue-4.14/tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch
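Review bot: The reason `priv->priv = obj;` must now precede thermal_cooling_device_register() in int3403_cdev_add() is not recorded at the assignment, so a later cleanup could move it back. A comment would pin the ordering: `/* must be set before registering: get_max_state() may run during registration and dereferences priv->priv */`. Note also that `priv->priv` stays set when registration fails and `result` carries the error; whether the error path later uses or frees `obj` is outside the hunk.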
@@ -0,0 +1,117 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ying Xue
+Date: Tue, 8 May 2018 21:44:06 +0800
+Subject: tipc: eliminate KMSAN uninit-value in strcmp complaint
+
+From: Ying Xue
+
+[ Upstream commit 94f6a80c0c11828cb7b3d79294459dd8d761ca89 ]
+
+When we get link properties through netlink interface with
+tipc_nl_node_get_link(), we don't validate TIPC_NLA_LINK_NAME
+attribute at all, instead we directly use it. As a consequence,
+KMSAN detected the TIPC_NLA_LINK_NAME attribute was an uninitialized
+value, and then posted the following complaint:
+
+==================================================================
+BUG: KMSAN: uninit-value in strcmp+0xf7/0x160 lib/string.c:329
+CPU: 1 PID: 4527 Comm: syz-executor655 Not tainted 4.16.0+ #87
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
+ strcmp+0xf7/0x160 lib/string.c:329
+ tipc_nl_node_get_link+0x220/0x6f0 net/tipc/node.c:1881
+ genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
+ genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
+ netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
+ genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
+ netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
+ netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
+ netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x445589
+RSP: 002b:00007fb7ee66cdb8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00000000006dac24 RCX: 0000000000445589
+RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
+RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
+R13: 00007fffa2bf3f3f R14: 00007fb7ee66d9c0 R15: 0000000000000001
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
+ kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
+ slab_post_alloc_hook mm/slab.h:445 [inline]
+ slab_alloc_node mm/slub.c:2737 [inline]
+ __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
+ __kmalloc_reserve net/core/skbuff.c:138 [inline]
+ __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
+ alloc_skb include/linux/skbuff.h:984 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
+ netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
+ sock_sendmsg_nosec net/socket.c:630 [inline]
+ sock_sendmsg net/socket.c:640 [inline]
+ ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
+ __sys_sendmsg net/socket.c:2080 [inline]
+ SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
+ SyS_sendmsg+0x54/0x80 net/socket.c:2087
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+==================================================================
+
+To quiet the complaint, TIPC_NLA_LINK_NAME attribute has been
+validated in tipc_nl_node_get_link() before it's used.
+
+Reported-by: syzbot+df0257c92ffd4fcc58cd@syzkaller.appspotmail.com
+Signed-off-by: Ying Xue
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/node.c | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -1831,6 +1831,7 @@ out:
+ int tipc_nl_node_get_link(struct sk_buff *skb, struct genl_info *info)
+ {
+ struct net *net = genl_info_net(info);
++ struct nlattr *attrs[TIPC_NLA_LINK_MAX + 1];
+ struct tipc_nl_msg msg;
+ char *name;
+ int err;
+@@ -1838,9 +1839,19 @@ int tipc_nl_node_get_link(struct sk_buff
+ msg.portid = info->snd_portid;
+ msg.seq = info->snd_seq;
+
+- if (!info->attrs[TIPC_NLA_LINK_NAME])
++ if (!info->attrs[TIPC_NLA_LINK])
+ return -EINVAL;
+- name = nla_data(info->attrs[TIPC_NLA_LINK_NAME]);
++
++ err = nla_parse_nested(attrs, TIPC_NLA_LINK_MAX,
++ info->attrs[TIPC_NLA_LINK],
++ tipc_nl_link_policy, info->extack);
++ if (err)
++ return err;
++
++ if (!attrs[TIPC_NLA_LINK_NAME])
++ return -EINVAL;
++
++ name = nla_data(attrs[TIPC_NLA_LINK_NAME]);
+
+ msg.skb = nlmsg_new(NLMSG_GOODSIZE, GFP_KERNEL);
+ if (!msg.skb)
diff --git a/queue-4.14/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch b/queue-4.14/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch
new file mode 100644
index 00000000000..924a895dc25
--- /dev/null
+++ b/queue-4.14/tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch
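Review bot: `name = nla_data(attrs[TIPC_NLA_LINK_NAME]);` is still handed on as a C string (the trace in the description ends in strcmp()), so the new nla_parse_nested() call only closes the hole if the policy entry for TIPC_NLA_LINK_NAME guarantees a NUL terminator inside the attribute payload. `tipc_nl_link_policy` is defined outside this hunk; if that entry is typed NLA_STRING rather than NLA_NUL_STRING, an unterminated name would still be read past its end, which is worth confirming before relying on this fix. A short comment above the parse, such as `/* policy bounds and terminates the link name */`, would record the assumption. tipc_nl_node_get_link() continues past the end of the hunk.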
@@ -0,0 +1,38 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Jon Maloy
+Date: Wed, 25 Apr 2018 18:29:25 +0200
+Subject: tipc: fix bug in function tipc_nl_node_dump_monitor
+
+From: Jon Maloy
+
+[ Upstream commit 7dbc73e6124ce4d0cfbdd6166de388e9367c47ad ]
+
+Commit 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor
+summary") intended to fix a problem with user tool looping when max
+number of bearers are enabled.
+
+Unfortunately, the wrong version of the commit was posted, so the
+problem was not solved at all.
+
+This commit adds the missing part.
+
+Fixes: 36a50a989ee8 ("tipc: fix infinite loop when dumping link monitor summary")
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/node.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2125,7 +2125,7 @@ int tipc_nl_node_dump_monitor(struct sk_
+
+ rtnl_lock();
+ for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) {
+- err = __tipc_nl_add_monitor(net, &msg, prev_bearer);
++ err = __tipc_nl_add_monitor(net, &msg, bearer_id);
+ if (err)
+ break;
+ }
diff --git a/queue-4.14/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch b/queue-4.14/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch
new file mode 100644
index 00000000000..df5b1b6a894
--- /dev/null
+++ b/queue-4.14/tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch
@@ -0,0 +1,76 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tung Nguyen
+Date: Tue, 17 Apr 2018 21:58:27 +0200
+Subject: tipc: fix infinite loop when dumping link monitor summary
+
+From: Tung Nguyen
+
+[ Upstream commit 36a50a989ee8267588de520b8704b85f045a3220 ]
+
+When configuring the number of used bearers to MAX_BEARER and issuing
+command "tipc link monitor summary", the command enters infinite loop
+in user space.
+
+This issue happens because function tipc_nl_node_dump_monitor() returns
+the wrong 'prev_bearer' value when all potential monitors have been
+scanned.
+
+The correct behavior is to always try to scan all monitors until either
+the netlink message is full, in which case we return the bearer identity
+of the affected monitor, or we continue through the whole bearer array
+until we can return MAX_BEARERS. This solution also caters for the case
+where there may be gaps in the bearer array.
+
+Signed-off-by: Tung Nguyen
+Signed-off-by: Jon Maloy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/tipc/monitor.c | 2 +-
+ net/tipc/node.c | 11 ++++-------
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/tipc/monitor.c
++++ b/net/tipc/monitor.c
+@@ -768,7 +768,7 @@ int __tipc_nl_add_monitor(struct net *ne
+
+ ret = tipc_bearer_get_name(net, bearer_name, bearer_id);
+ if (ret || !mon)
+- return -EINVAL;
++ return 0;
+
+ hdr = genlmsg_put(msg->skb, msg->portid, msg->seq, &tipc_genl_family,
+ NLM_F_MULTI, TIPC_NL_MON_GET);
+--- a/net/tipc/node.c
++++ b/net/tipc/node.c
+@@ -2113,8 +2113,8 @@ int tipc_nl_node_dump_monitor(struct sk_
+ struct net *net = sock_net(skb->sk);
+ u32 prev_bearer = cb->args[0];
+ struct tipc_nl_msg msg;
++ int bearer_id;
+ int err;
+- int i;
+
+ if (prev_bearer == MAX_BEARERS)
+ return 0;
+@@ -2124,16 +2124,13 @@ int tipc_nl_node_dump_monitor(struct sk_
+ msg.seq = cb->nlh->nlmsg_seq;
+
+ rtnl_lock();
+- for (i = prev_bearer; i < MAX_BEARERS; i++) {
+- prev_bearer = i;
++ for (bearer_id = prev_bearer; bearer_id < MAX_BEARERS; bearer_id++) {
+ err = __tipc_nl_add_monitor(net, &msg, prev_bearer);
+ if (err)
+- goto out;
++ break;
+ }
+-
+-out:
+ rtnl_unlock();
+- cb->args[0] = prev_bearer;
++ cb->args[0] = bearer_id;
+
+ return skb->len;
+ }
diff --git a/queue-4.14/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch b/queue-4.14/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch
new file mode 100644
index 00000000000..c141f6773d1
--- /dev/null
+++ b/queue-4.14/uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch
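Review bot: Inside the rewritten loop of tipc_nl_node_dump_monitor() the call is still `__tipc_nl_add_monitor(net, &msg, prev_bearer)`, and since `prev_bearer` is no longer advanced in the loop body every iteration asks for the same bearer. The argument needs to be the loop variable, `err = __tipc_nl_add_monitor(net, &msg, bearer_id);`. This queue carries that as a separate patch (tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch), so the two have to be applied together, with this one first. In monitor.c the change from `-EINVAL` to `return 0` also hides a failing tipc_bearer_get_name() from the caller; a comment such as `/* unused bearer slot: nothing to dump, keep scanning */` would make clear that this is deliberate.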
@@ -0,0 +1,50 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Masami Hiramatsu
+Date: Wed, 9 May 2018 21:58:45 +0900
+Subject: uprobes/x86: Prohibit probing on MOV SS instruction
+
+From: Masami Hiramatsu
+
+[ Upstream commit 13ebe18c94f5b0665c01ae7fad2717ae959f4212 ]
+
+Since MOV SS and POP SS instructions will delay the exceptions until the
+next instruction is executed, single-stepping on it by uprobes must be
+prohibited.
+
+uprobe already rejects probing on POP SS (0x1f), but allows probing on MOV
+SS (0x8e and reg == 2). This checks the target instruction and if it is
+MOV SS or POP SS, returns -ENOTSUPP to reject probing.
+
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Thomas Gleixner
+Acked-by: Oleg Nesterov
+Cc: Ricardo Neri
+Cc: Francis Deslauriers
+Cc: Alexei Starovoitov
+Cc: Steven Rostedt
+Cc: Andy Lutomirski
+Cc: "H . Peter Anvin"
+Cc: Yonghong Song
+Cc: Borislav Petkov
+Cc: Linus Torvalds
+Cc: "David S . Miller"
+Link: https://lkml.kernel.org/r/152587072544.17316.5950935243917346341.stgit@devbox
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/uprobes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/uprobes.c
++++ b/arch/x86/kernel/uprobes.c
+@@ -296,6 +296,10 @@ static int uprobe_init_insn(struct arch_
+ if (is_prefix_bad(insn))
+ return -ENOTSUPP;
+
++ /* We should not singlestep on the exception masking instructions */
++ if (insn_masking_exception(insn))
++ return -ENOTSUPP;
++
+ if (x86_64)
+ good_insns = good_insns_64;
+ else
diff --git a/queue-4.14/usb-musb-fix-remote-wakeup-racing-with-suspend.patch b/queue-4.14/usb-musb-fix-remote-wakeup-racing-with-suspend.patch
new file mode 100644
index 00000000000..d3d6918fff7
--- /dev/null
+++ b/queue-4.14/usb-musb-fix-remote-wakeup-racing-with-suspend.patch
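Review bot: `insn_masking_exception()` is called in uprobe_init_insn() but is neither defined nor declared anywhere in this patch, so the backport builds only if the 4.14 tree already carries the helper. It presumably comes from the kprobes counterpart of this fix, which is not visible on this page; it is worth confirming that the prerequisite is queued ahead of this one. The added comment could also name the instructions, e.g. `/* MOV SS / POP SS delay exceptions to the next insn; never single-step them */`, so the reason survives without the commit message. The function starts and ends outside the hunk.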
@@ -0,0 +1,126 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "Daniel Glöckner"
+Date: Mon, 14 May 2018 09:40:05 -0500
+Subject: usb: musb: fix remote wakeup racing with suspend
+
+From: "Daniel Glöckner"
+
+[ Upstream commit ebc3dd688cd988754a304147753b13e58de1b5a1 ]
+
+It has been observed that writing 0xF2 to the power register while it
+reads as 0xF4 results in the register having the value 0xF0, i.e. clearing
+RESUME and setting SUSPENDM in one go does not work. It might also violate
+the USB spec to transition directly from resume to suspend, especially
+when not taking T_DRSMDN into account. But this is what happens when a
+remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the
+root hub and musb_bus_suspend being called.
+
+This commit returns -EBUSY when musb_bus_suspend is called while remote
+wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring
+this error when musb_port_suspend is called from musb_hub_control is ok.
+
+Signed-off-by: Daniel Glöckner
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/musb/musb_host.c | 5 ++++-
+ drivers/usb/musb/musb_host.h | 7 +++++--
+ drivers/usb/musb/musb_virthub.c | 25 +++++++++++++++----------
+ 3 files changed, 24 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -2560,8 +2560,11 @@ static int musb_bus_suspend(struct usb_h
+ {
+ struct musb *musb = hcd_to_musb(hcd);
+ u8 devctl;
++ int ret;
+
+- musb_port_suspend(musb, true);
++ ret = musb_port_suspend(musb, true);
++ if (ret)
++ return ret;
+
+ if (!is_host_active(musb))
+ return 0;
+--- a/drivers/usb/musb/musb_host.h
++++ b/drivers/usb/musb/musb_host.h
+@@ -92,7 +92,7 @@ extern void musb_host_rx(struct musb *,
+ extern void musb_root_disconnect(struct musb *musb);
+ extern void musb_host_resume_root_hub(struct musb *musb);
+ extern void musb_host_poke_root_hub(struct musb *musb);
+-extern void musb_port_suspend(struct musb *musb, bool do_suspend);
++extern int musb_port_suspend(struct musb *musb, bool do_suspend);
+ extern void musb_port_reset(struct musb *musb, bool do_reset);
+ extern void musb_host_finish_resume(struct work_struct *work);
+ #else
+@@ -124,7 +124,10 @@ static inline void musb_root_disconnect(
+ static inline void musb_host_resume_root_hub(struct musb *musb) {}
+ static inline void musb_host_poll_rh_status(struct musb *musb) {}
+ static inline void musb_host_poke_root_hub(struct musb *musb) {}
+-static inline void musb_port_suspend(struct musb *musb, bool do_suspend) {}
++static inline int musb_port_suspend(struct musb *musb, bool do_suspend)
++{
++ return 0;
++}
+ static inline void musb_port_reset(struct musb *musb, bool do_reset) {}
+ static inline void musb_host_finish_resume(struct work_struct *work) {}
+ #endif
+--- a/drivers/usb/musb/musb_virthub.c
++++ b/drivers/usb/musb/musb_virthub.c
+@@ -73,14 +73,14 @@ void musb_host_finish_resume(struct work
+ spin_unlock_irqrestore(&musb->lock, flags);
+ }
+
+-void musb_port_suspend(struct musb *musb, bool do_suspend)
++int musb_port_suspend(struct musb *musb, bool do_suspend)
+ {
+ struct usb_otg *otg = musb->xceiv->otg;
+ u8 power;
+ void __iomem *mbase = musb->mregs;
+
+ if (!is_host_active(musb))
+- return;
++ return 0;
+
+ /* NOTE: this doesn't necessarily put PHY into low power mode,
+ * turning off its clock; that's a function of PHY integration and
+@@ -91,16 +91,20 @@ void musb_port_suspend(struct musb *musb
+ if (do_suspend) {
+ int retries = 10000;
+
+- power &= ~MUSB_POWER_RESUME;
+- power |= MUSB_POWER_SUSPENDM;
+- musb_writeb(mbase, MUSB_POWER, power);
++ if (power & MUSB_POWER_RESUME)
++ return -EBUSY;
++
++ if (!(power & MUSB_POWER_SUSPENDM)) {
++ power |= MUSB_POWER_SUSPENDM;
++ musb_writeb(mbase, MUSB_POWER, power);
+
+- /* Needed for OPT A tests */
+- power = musb_readb(mbase, MUSB_POWER);
+- while (power & MUSB_POWER_SUSPENDM) {
++ /* Needed for OPT A tests */
+ power = musb_readb(mbase, MUSB_POWER);
+- if (retries-- < 1)
+- break;
++ while (power & MUSB_POWER_SUSPENDM) {
++ power = musb_readb(mbase, MUSB_POWER);
++ if (retries-- < 1)
++ break;
++ }
+ }
+
+ musb_dbg(musb, "Root port suspended, power %02x", power);
+@@ -136,6 +140,7 @@ void musb_port_suspend(struct musb *musb
+ schedule_delayed_work(&musb->finish_resume_work,
+ msecs_to_jiffies(USB_RESUME_TIMEOUT));
+ }
++ return 0;
+ }
+
+ void musb_port_reset(struct musb *musb, bool do_reset)
diff --git a/queue-4.14/usb-typec-ucsi-fix-tracepoint-related-build-error.patch b/queue-4.14/usb-typec-ucsi-fix-tracepoint-related-build-error.patch
new file mode 100644
index 00000000000..8a4a413d4e5
--- /dev/null
+++ b/queue-4.14/usb-typec-ucsi-fix-tracepoint-related-build-error.patch
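Review bot: musb_port_suspend() in musb_virthub.c now returns a status, but its contract is written down nowhere: 0 when the host is inactive or the request was carried out, -EBUSY when RESUME is set and MUSB_POWER is left untouched. A comment above the definition would cover it, e.g. `/* Returns -EBUSY, without touching MUSB_POWER, while remote wakeup (RESUME) is signalled. */`. The description says the musb_hub_control caller may ignore the error; that call site is outside these hunks and deserves a comment saying the return value is dropped on purpose. Separately, when the `retries` counter runs out the code still reaches the "Root port suspended" debug line and returns 0, so a timeout is indistinguishable from success; that predates this change but is now reportable through the new return type.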
@@ -0,0 +1,47 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Tobias Regnery
+Date: Tue, 10 Apr 2018 10:38:06 +0200
+Subject: usb: typec: ucsi: fix tracepoint related build error
+
+From: Tobias Regnery
+
+[ Upstream commit 2f860691c2d2e3af1404ffeb2d22dd5c3dbca811 ]
+
+There is the following build error with CONFIG_TYPEC_UCSI=m, CONFIG_FTRACE=y
+and CONFIG_TRACING=n:
+
+ERROR: "__tracepoint_ucsi_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_register_port" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_notify" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_reset_ppm" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_run_command" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_ack" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+ERROR: "__tracepoint_ucsi_connector_change" [drivers/usb/typec/ucsi/typec_ucsi.ko] undefined!
+
+This compination is quite hard to create because CONFIG_TRACING gets selected
+only in rare cases without CONFIG_FTRACE.
+
+The build failure is caused by conditionally compiling trace.c depending on
+the wrong option CONFIG_FTRACE. Change this to depend on CONFIG_TRACING like
+other users of tracepoints do.
+
+Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
+Signed-off-by: Tobias Regnery
+Acked-by: Heikki Krogerus
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/typec/ucsi/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/ucsi/Makefile
++++ b/drivers/usb/typec/ucsi/Makefile
+@@ -5,6 +5,6 @@ obj-$(CONFIG_TYPEC_UCSI) += typec_ucsi.o
+
+ typec_ucsi-y := ucsi.o
+
+-typec_ucsi-$(CONFIG_FTRACE) += trace.o
++typec_ucsi-$(CONFIG_TRACING) += trace.o
+
+ obj-$(CONFIG_UCSI_ACPI) += ucsi_acpi.o
diff --git a/queue-4.14/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch b/queue-4.14/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch
new file mode 100644
index 00000000000..67a5f2cb2b0
--- /dev/null
+++ b/queue-4.14/vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch
@@ -0,0 +1,34 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: David Howells
+Date: Fri, 20 Apr 2018 13:35:02 +0100
+Subject: vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion
+
+From: David Howells
+
+[ Upstream commit a9e5b73288cf1595ac2e05cf1acd1924ceea05fa ]
+
+In do_mount() when the MS_* flags are being converted to MNT_* flags,
+MS_RDONLY got accidentally convered to SB_RDONLY.
+
+Undo this change.
+
+Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
+Signed-off-by: David Howells
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -2810,7 +2810,7 @@ long do_mount(const char *dev_name, cons
+ mnt_flags |= MNT_NODIRATIME;
+ if (flags & MS_STRICTATIME)
+ mnt_flags &= ~(MNT_RELATIME | MNT_NOATIME);
+- if (flags & SB_RDONLY)
++ if (flags & MS_RDONLY)
+ mnt_flags |= MNT_READONLY;
+
+ /* The default atime for remount is preservation */
diff --git a/queue-4.14/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch b/queue-4.14/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch
new file mode 100644
index 00000000000..3b34ca2fbd5
--- /dev/null
+++ b/queue-4.14/x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch
@@ -0,0 +1,65 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Krish Sadhukhan
+Date: Wed, 11 Apr 2018 01:10:16 -0400
+Subject: x86: Add check for APIC access address for vmentry of L2 guests
+
+From: Krish Sadhukhan
+
+[ Upstream commit f0f4cf5b306620282db0c59ff963012e1973e025 ]
+
+According to the sub-section titled 'VM-Execution Control Fields' in the
+section titled 'Basic VM-Entry Checks' in Intel SDM vol. 3C, the following
+vmentry check must be enforced:
+
+ If the 'virtualize APIC-accesses' VM-execution control is 1, the
+ APIC-access address must satisfy the following checks:
+
+ - Bits 11:0 of the address must be 0.
+ - The address should not set any bits beyond the processor's
+ physical-address width.
+
+This patch adds the necessary check to conform to this rule. If the check
+fails, we cause the L2 VMENTRY to fail which is what the associated unit
+test (following patch) expects.
+
+Reviewed-by: Mihai Carabas
+Reviewed-by: Konrad Rzeszutek Wilk
+Reviewed-by: Jim Mattson
+Reviewed-by: Wanpeng Li
+Signed-off-by: Krish Sadhukhan
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/vmx.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -10318,6 +10318,16 @@ static inline bool nested_vmx_merge_msr_
+ return true;
+ }
+
++static int nested_vmx_check_apic_access_controls(struct kvm_vcpu *vcpu,
++ struct vmcs12 *vmcs12)
++{
++ if (nested_cpu_has2(vmcs12, SECONDARY_EXEC_VIRTUALIZE_APIC_ACCESSES) &&
++ !page_address_valid(vcpu, vmcs12->apic_access_addr))
++ return -EINVAL;
++ else
++ return 0;
++}
++
+ static int nested_vmx_check_apicv_controls(struct kvm_vcpu *vcpu,
+ struct vmcs12 *vmcs12)
+ {
+@@ -10961,6 +10971,9 @@ static int check_vmentry_prereqs(struct
+ if (nested_vmx_check_msr_bitmap_controls(vcpu, vmcs12))
+ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
+
++ if (nested_vmx_check_apic_access_controls(vcpu, vmcs12))
++ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
++
+ if (nested_vmx_check_tpr_shadow_controls(vcpu, vmcs12))
+ return VMXERR_ENTRY_INVALID_CONTROL_FIELD;
+
diff --git a/queue-4.14/x86-cpu-intel-add-missing-tlb-cpuid-values.patch b/queue-4.14/x86-cpu-intel-add-missing-tlb-cpuid-values.patch
new file mode 100644
index 00000000000..42224768bd7
--- /dev/null
+++ b/queue-4.14/x86-cpu-intel-add-missing-tlb-cpuid-values.patch
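Review bot: In nested_vmx_check_apic_access_controls() the `else` after `return -EINVAL;` is redundant; the usual kernel form ends the function with a plain `return 0;` after the `if`. The function also carries none of the reasoning from the description, and page_address_valid() is defined outside these hunks, so a reader cannot tell from here that it enforces both SDM conditions. A comment such as `/* SDM: APIC-access address must be 4K-aligned and within the physical-address width */` above the check would state what a guest-supplied address has to satisfy before vmentry proceeds.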
@@ -0,0 +1,42 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "jacek.tomaka@poczta.fm"
+Date: Tue, 24 Apr 2018 00:14:25 +0800
+Subject: x86/cpu/intel: Add missing TLB cpuid values
+
+From: "jacek.tomaka@poczta.fm"
+
+[ Upstream commit b837913fc2d9061bf9b8c0dd6bf2d24e2f98b84a ]
+
+Make kernel print the correct number of TLB entries on Intel Xeon Phi 7210
+(and others)
+
+Before:
+[ 0.320005] Last level dTLB entries: 4KB 0, 2MB 0, 4MB 0, 1GB 0
+After:
+[ 0.320005] Last level dTLB entries: 4KB 256, 2MB 128, 4MB 128, 1GB 16
+
+The entries do exist in the official Intel SMD but the type column there is
+incorrect (states "Cache" where it should read "TLB"), but the entries for
+the values 0x6B, 0x6C and 0x6D are correctly described as 'Data TLB'.
+
+Signed-off-by: Jacek Tomaka
+Signed-off-by: Thomas Gleixner
+Link: https://lkml.kernel.org/r/20180423161425.24366-1-jacekt@dugeo.com
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/cpu/intel.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/arch/x86/kernel/cpu/intel.c
++++ b/arch/x86/kernel/cpu/intel.c
+@@ -751,6 +751,9 @@ static const struct _tlb_table intel_tlb
+ { 0x5d, TLB_DATA_4K_4M, 256, " TLB_DATA 4 KByte and 4 MByte pages" },
+ { 0x61, TLB_INST_4K, 48, " TLB_INST 4 KByte pages, full associative" },
+ { 0x63, TLB_DATA_1G, 4, " TLB_DATA 1 GByte pages, 4-way set associative" },
++ { 0x6b, TLB_DATA_4K, 256, " TLB_DATA 4 KByte pages, 8-way associative" },
++ { 0x6c, TLB_DATA_2M_4M, 128, " TLB_DATA 2 MByte or 4 MByte pages, 8-way associative" },
++ { 0x6d, TLB_DATA_1G, 16, " TLB_DATA 1 GByte pages, fully associative" },
+ { 0x76, TLB_INST_2M_4M, 8, " TLB_INST 2-MByte or 4-MByte pages, fully associative" },
+ { 0xb0, TLB_INST_4K, 128, " TLB_INST 4 KByte pages, 4-way set associative" },
+ { 0xb1, TLB_INST_2M_4M, 4, " TLB_INST 2M pages, 4-way, 8 entries or 4M pages, 4-way entries" },
diff --git a/queue-4.14/x86-delay-skip-of-emulated-hypercall-instruction.patch b/queue-4.14/x86-delay-skip-of-emulated-hypercall-instruction.patch
new file mode 100644
index 00000000000..bad64818fba
--- /dev/null
+++ b/queue-4.14/x86-delay-skip-of-emulated-hypercall-instruction.patch
@@ -0,0 +1,85 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Marian Rotariu
+Date: Mon, 30 Apr 2018 12:23:01 +0300
+Subject: x86: Delay skip of emulated hypercall instruction
+
+From: Marian Rotariu
+
+[ Upstream commit 6356ee0c9602004e0a3b4b2dad68ee2ee9385b17 ]
+
+The IP increment should be done after the hypercall emulation, after
+calling the various handlers. In this way, these handlers can accurately
+identify the the IP of the VMCALL if they need it.
+
+This patch keeps the same functionality for the Hyper-V handler which does
+not use the return code of the standard kvm_skip_emulated_instruction()
+call.
+
+Signed-off-by: Marian Rotariu
+[Hyper-V hypercalls also need kvm_skip_emulated_instruction() - Paolo]
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kvm/hyperv.c | 2 +-
+ arch/x86/kvm/x86.c | 19 +++++++++++--------
+ 2 files changed, 12 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/kvm/hyperv.c
++++ b/arch/x86/kvm/hyperv.c
+@@ -1223,7 +1223,7 @@ static int kvm_hv_hypercall_complete_use
+ struct kvm_run *run = vcpu->run;
+
+ kvm_hv_hypercall_set_result(vcpu, run->hyperv.u.hcall.result);
+- return 1;
++ return kvm_skip_emulated_instruction(vcpu);
+ }
+
+ int kvm_hv_hypercall(struct kvm_vcpu *vcpu)
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6297,12 +6297,13 @@ void kvm_vcpu_deactivate_apicv(struct kv
+ int kvm_emulate_hypercall(struct kvm_vcpu *vcpu)
+ {
+ unsigned long nr, a0, a1, a2, a3, ret;
+- int op_64_bit, r;
++ int op_64_bit;
+
+- r = kvm_skip_emulated_instruction(vcpu);
+-
+- if (kvm_hv_hypercall_enabled(vcpu->kvm))
+- return kvm_hv_hypercall(vcpu);
++ if (kvm_hv_hypercall_enabled(vcpu->kvm)) {
++ if (!kvm_hv_hypercall(vcpu))
++ return 0;
++ goto out;
++ }
+
+ nr = kvm_register_read(vcpu, VCPU_REGS_RAX);
+ a0 = kvm_register_read(vcpu, VCPU_REGS_RBX);
+@@ -6323,7 +6324,7 @@ int kvm_emulate_hypercall(struct kvm_vcp
+
+ if (kvm_x86_ops->get_cpl(vcpu) != 0) {
+ ret = -KVM_EPERM;
+- goto out;
++ goto out_error;
+ }
+
+ switch (nr) {
+@@ -6343,12 +6344,14 @@ int kvm_emulate_hypercall(struct kvm_vcp
+ ret = -KVM_ENOSYS;
+ break;
+ }
+-out:
++out_error:
+ if (!op_64_bit)
+ ret = (u32)ret;
+ kvm_register_write(vcpu, VCPU_REGS_RAX, ret);
++
++out:
+ ++vcpu->stat.hypercalls;
+- return r;
++ return kvm_skip_emulated_instruction(vcpu);
+ }
+ EXPORT_SYMBOL_GPL(kvm_emulate_hypercall);
+
diff --git a/queue-4.14/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch b/queue-4.14/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch
new file mode 100644
index 00000000000..e70a09f0279
--- /dev/null
+++ b/queue-4.14/x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch
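Review bot: The label `out_error:` in kvm_emulate_hypercall() is also reached by falling out of the `switch` on the ordinary path, so its name says "error" for the step that stores every result in RAX. Either rename it for what it does or add a comment at the label, e.g. `/* also reached on success: write ret back to RAX */`. In the Hyper-V branch, `return 0` when kvm_hv_hypercall() returns 0 leaves the function before `++vcpu->stat.hypercalls`, while the `goto out` case is counted; if the deferred userspace-completion path is meant to go uncounted, a comment there should say so. The CPL check that guards the non-Hyper-V hypercalls sits between the hunks and is unchanged apart from its jump target.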
@@ -0,0 +1,55 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Ingo Molnar
+Date: Mon, 14 May 2018 10:59:08 +0200
+Subject: x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI
+
+From: Ingo Molnar
+
+[ Upstream commit 73bb4d6cd192b8629c5125aaada9892d9fc986b6 ]
+
+Fix this warning:
+
+ mpx-mini-test.c:422:0: warning: "SEGV_BNDERR" redefined
+
+Cc: Dave Hansen
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: akpm@linux-foundation.org
+Cc: dave.hansen@intel.com
+Cc: linux-mm@kvack.org
+Cc: linuxram@us.ibm.com
+Cc: mpe@ellerman.id.au
+Cc: shakeelb@google.com
+Cc: shuah@kernel.org
+Link: http://lkml.kernel.org/r/20180514085908.GA12798@gmail.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/x86/mpx-mini-test.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/tools/testing/selftests/x86/mpx-mini-test.c
++++ b/tools/testing/selftests/x86/mpx-mini-test.c
+@@ -368,6 +368,11 @@ static int expected_bnd_index = -1;
+ uint64_t shadow_plb[NR_MPX_BOUNDS_REGISTERS][2]; /* shadow MPX bound registers */
+ unsigned long shadow_map[NR_MPX_BOUNDS_REGISTERS];
+
++/* Failed address bound checks: */
++#ifndef SEGV_BNDERR
++# define SEGV_BNDERR 3
++#endif
++
+ /*
+ * The kernel is supposed to provide some information about the bounds
+ * exception in the siginfo. It should match what we have in the bounds
+@@ -419,8 +424,6 @@ void handler(int signum, siginfo_t *si,
+ br_count++;
+ dprintf1("#BR 0x%jx (total seen: %d)\n", status, br_count);
+
+-#define SEGV_BNDERR 3 /* failed address bound checks */
+-
+ dprintf2("Saw a #BR! status 0x%jx at %016lx br_reason: %jx\n",
+ status, ip, br_reason);
+ dprintf2("si_signo: %d\n", si->si_signo);
diff --git a/queue-4.14/x86-pkeys-selftests-add-a-test-for-pkey-0.patch b/queue-4.14/x86-pkeys-selftests-add-a-test-for-pkey-0.patch
new file mode 100644
index 00000000000..86668272d18
--- /dev/null
+++ b/queue-4.14/x86-pkeys-selftests-add-a-test-for-pkey-0.patch 
@@ -0,0 +1,79 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Dave Hansen
+Date: Wed, 9 May 2018 10:13:56 -0700
+Subject: x86/pkeys/selftests: Add a test for pkey 0
+
+From: Dave Hansen
+
+[ Upstream commit 3488a600d90bcaf061b104dbcfbdc8d99b398312 ]
+
+Protection key 0 is the default key for all memory and will
+not normally come back from pkey_alloc(). But, you might
+still want pass it to mprotect_pkey().
+
+This check ensures that you can use pkey 0.
+
+Signed-off-by: Dave Hansen
+Cc: Andrew Morton
+Cc: Dave Hansen
+Cc: Linus Torvalds
+Cc: Michael Ellermen
+Cc: Peter Zijlstra
+Cc: Ram Pai
+Cc: Shuah Khan
+Cc: Thomas Gleixner
+Cc: linux-mm@kvack.org
+Link: http://lkml.kernel.org/r/20180509171356.9E40B254@viggo.jf.intel.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/x86/protection_keys.c | 30 ++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/tools/testing/selftests/x86/protection_keys.c
++++ b/tools/testing/selftests/x86/protection_keys.c
+@@ -1184,6 +1184,35 @@ void test_pkey_alloc_exhaust(int *ptr, u
+ }
+ }
+
++/*
++ * pkey 0 is special. It is allocated by default, so you do not
++ * have to call pkey_alloc() to use it first. Make sure that it
++ * is usable.
++ */
++void test_mprotect_with_pkey_0(int *ptr, u16 pkey)
++{
++ long size;
++ int prot;
++
++ assert(pkey_last_malloc_record);
++ size = pkey_last_malloc_record->size;
++ /*
++ * This is a bit of a hack. But mprotect() requires
++ * huge-page-aligned sizes when operating on hugetlbfs.
++ * So, make sure that we use something that's a multiple
++ * of a huge page when we can.
++ */
++ if (size >= HPAGE_SIZE)
++ size = HPAGE_SIZE;
++ prot = pkey_last_malloc_record->prot;
++
++ /* Use pkey 0 */
++ mprotect_pkey(ptr, size, prot, 0);
++
++ /* Make sure that we can set it back to the original pkey. */
++ mprotect_pkey(ptr, size, prot, pkey);
++}
++
+ void test_ptrace_of_child(int *ptr, u16 pkey)
+ {
+ __attribute__((__unused__)) int peek_result;
+@@ -1378,6 +1407,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey)
+ test_kernel_gup_write_to_write_disabled_region,
+ test_executing_on_unreadable_memory,
+ test_implicit_mprotect_exec_only_memory,
++ test_mprotect_with_pkey_0,
+ test_ptrace_of_child,
+ test_pkey_syscalls_on_non_allocated_pkey,
+ test_pkey_syscalls_bad_args,
diff --git a/queue-4.14/x86-pkeys-selftests-add-prot_exec-test.patch b/queue-4.14/x86-pkeys-selftests-add-prot_exec-test.patch
new file mode 100644
index 00000000000..bab34590982
--- /dev/null
+++ b/queue-4.14/x86-pkeys-selftests-add-prot_exec-test.patch
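Review bot: test_mprotect_with_pkey_0() checks its precondition with libc `assert(pkey_last_malloc_record);`, whereas other tests in protection_keys.c use the file's own `pkey_assert()` (the PROT_EXEC test on this page does `pkey_assert(!ret);`). Using `pkey_assert(pkey_last_malloc_record);` would keep failures going through the same reporting path, and would not vanish if the selftest were ever built with NDEBUG. The two `mprotect_pkey()` results are not checked in this function either; that is fine only if mprotect_pkey() asserts on failure itself, which cannot be seen from this hunk.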
@@ -0,0 +1,92 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:48 -0700 +Subject: x86/pkeys/selftests: Add PROT_EXEC test + +From: Dave Hansen + +[ Upstream commit 6af17cf89e99b64cf1f660bf848755442ab2f047 ] + +Under the covers, implement executable-only memory with +protection keys when userspace calls mprotect(PROT_EXEC). + +But, we did not have a selftest for that. Now we do. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171348.9EEE4BEF@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 44 ++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1303,6 +1303,49 @@ void test_executing_on_unreadable_memory + expected_pk_fault(pkey); + } + ++void test_implicit_mprotect_exec_only_memory(int *ptr, u16 pkey) ++{ ++ void *p1; ++ int scratch; ++ int ptr_contents; ++ int ret; ++ ++ dprintf1("%s() start\n", __func__); ++ ++ p1 = get_pointer_to_instructions(); ++ lots_o_noops_around_write(&scratch); ++ ptr_contents = read_ptr(p1); ++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); ++ ++ /* Use a *normal* mprotect(), not mprotect_pkey(): */ ++ ret = mprotect(p1, PAGE_SIZE, PROT_EXEC); ++ pkey_assert(!ret); ++ ++ dprintf2("pkru: %x\n", rdpkru()); ++ ++ /* Make sure this is an *instruction* fault */ ++ madvise(p1, PAGE_SIZE, MADV_DONTNEED); ++ lots_o_noops_around_write(&scratch); ++ do_not_expect_pk_fault("executing on PROT_EXEC memory"); ++ ptr_contents = read_ptr(p1); ++ dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); ++ expected_pk_fault(UNKNOWN_PKEY); ++ ++ /* ++ * Put 
the memory back to non-PROT_EXEC. Should clear the ++ * exec-only pkey off the VMA and allow it to be readable ++ * again. Go to PROT_NONE first to check for a kernel bug ++ * that did not clear the pkey when doing PROT_NONE. ++ */ ++ ret = mprotect(p1, PAGE_SIZE, PROT_NONE); ++ pkey_assert(!ret); ++ ++ ret = mprotect(p1, PAGE_SIZE, PROT_READ|PROT_EXEC); ++ pkey_assert(!ret); ++ ptr_contents = read_ptr(p1); ++ do_not_expect_pk_fault("plain read on recently PROT_EXEC area"); ++} ++ + void test_mprotect_pkey_on_unsupported_cpu(int *ptr, u16 pkey) + { + int size = PAGE_SIZE; +@@ -1327,6 +1370,7 @@ void (*pkey_tests[])(int *ptr, u16 pkey) + test_kernel_gup_of_access_disabled_region, + test_kernel_gup_write_to_write_disabled_region, + test_executing_on_unreadable_memory, ++ test_implicit_mprotect_exec_only_memory, + test_ptrace_of_child, + test_pkey_syscalls_on_non_allocated_pkey, + test_pkey_syscalls_bad_args, diff --git a/queue-4.14/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch b/queue-4.14/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch new file mode 100644 index 00000000000..3a7bd20024e --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch 
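Review bot: The `madvise(p1, PAGE_SIZE, MADV_DONTNEED)` call in `test_implicit_mprotect_exec_only_memory()` is unchecked, although the comment above it says the following execution must take an *instruction* fault. If the call failed, the page would presumably stay resident and the test would pass without exercising that path; `ret = madvise(p1, PAGE_SIZE, MADV_DONTNEED); pkey_assert(!ret);` makes the precondition explicit. The function also has no header comment. A short one would help, saying that a plain `mprotect(PROT_EXEC)` is expected to make the page unreadable through a kernel-chosen pkey and that returning to `PROT_READ|PROT_EXEC` must clear that key again.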
@@ -0,0 +1,187 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Ingo Molnar +Date: Mon, 14 May 2018 10:56:23 +0200 +Subject: x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI + +From: Ingo Molnar + +[ Upstream commit 0fb96620dce351608aa82eed5942e2f58b07beda ] + +Ubuntu 18.04 started exporting pkeys details in header files, resulting +in build failures and warnings in the pkeys self-tests: + + protection_keys.c:232:0: warning: "SEGV_BNDERR" redefined + protection_keys.c:387:5: error: conflicting types for ‘pkey_get’ + protection_keys.c:409:5: error: conflicting types for ‘pkey_set’ + ... + +Fix these namespace conflicts and double definitions, plus also +clean up the ABI definitions to make it all a bit more readable ... + +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: akpm@linux-foundation.org +Cc: dave.hansen@intel.com +Cc: linux-mm@kvack.org +Cc: linuxram@us.ibm.com +Cc: mpe@ellerman.id.au +Cc: shakeelb@google.com +Cc: shuah@kernel.org +Link: http://lkml.kernel.org/r/20180514085623.GB7094@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 67 +++++++++++++++----------- + 1 file changed, 41 insertions(+), 26 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -191,26 +191,30 @@ void lots_o_noops_around_write(int *writ + #ifdef __i386__ + + #ifndef SYS_mprotect_key +-# define SYS_mprotect_key 380 ++# define SYS_mprotect_key 380 + #endif ++ + #ifndef SYS_pkey_alloc +-# define SYS_pkey_alloc 381 +-# define SYS_pkey_free 382 ++# define SYS_pkey_alloc 381 ++# define SYS_pkey_free 382 + #endif +-#define REG_IP_IDX REG_EIP +-#define si_pkey_offset 0x14 ++ ++#define REG_IP_IDX REG_EIP ++#define si_pkey_offset 0x14 + + #else + + #ifndef SYS_mprotect_key +-# define SYS_mprotect_key 329 ++# define SYS_mprotect_key 329 + #endif 
++ + #ifndef SYS_pkey_alloc +-# define SYS_pkey_alloc 330 +-# define SYS_pkey_free 331 ++# define SYS_pkey_alloc 330 ++# define SYS_pkey_free 331 + #endif +-#define REG_IP_IDX REG_RIP +-#define si_pkey_offset 0x20 ++ ++#define REG_IP_IDX REG_RIP ++#define si_pkey_offset 0x20 + + #endif + +@@ -225,8 +229,14 @@ void dump_mem(void *dumpme, int len_byte + } + } + +-#define SEGV_BNDERR 3 /* failed address bound checks */ +-#define SEGV_PKUERR 4 ++/* Failed address bound checks: */ ++#ifndef SEGV_BNDERR ++# define SEGV_BNDERR 3 ++#endif ++ ++#ifndef SEGV_PKUERR ++# define SEGV_PKUERR 4 ++#endif + + static char *si_code_str(int si_code) + { +@@ -393,10 +403,15 @@ pid_t fork_lazy_child(void) + return forkret; + } + +-#define PKEY_DISABLE_ACCESS 0x1 +-#define PKEY_DISABLE_WRITE 0x2 ++#ifndef PKEY_DISABLE_ACCESS ++# define PKEY_DISABLE_ACCESS 0x1 ++#endif ++ ++#ifndef PKEY_DISABLE_WRITE ++# define PKEY_DISABLE_WRITE 0x2 ++#endif + +-u32 pkey_get(int pkey, unsigned long flags) ++static u32 hw_pkey_get(int pkey, unsigned long flags) + { + u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE); + u32 pkru = __rdpkru(); +@@ -418,7 +433,7 @@ u32 pkey_get(int pkey, unsigned long fla + return masked_pkru; + } + +-int pkey_set(int pkey, unsigned long rights, unsigned long flags) ++static int hw_pkey_set(int pkey, unsigned long rights, unsigned long flags) + { + u32 mask = (PKEY_DISABLE_ACCESS|PKEY_DISABLE_WRITE); + u32 old_pkru = __rdpkru(); +@@ -452,15 +467,15 @@ void pkey_disable_set(int pkey, int flag + pkey, flags); + pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); + +- pkey_rights = pkey_get(pkey, syscall_flags); ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); + +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + pkey_assert(pkey_rights >= 0); + + pkey_rights |= flags; + +- ret = pkey_set(pkey, pkey_rights, syscall_flags); ++ ret = hw_pkey_set(pkey, pkey_rights, syscall_flags); + 
assert(!ret); + /*pkru and flags have the same format */ + shadow_pkru |= flags << (pkey * 2); +@@ -468,8 +483,8 @@ void pkey_disable_set(int pkey, int flag + + pkey_assert(ret >= 0); + +- pkey_rights = pkey_get(pkey, syscall_flags); +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + + dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru()); +@@ -483,24 +498,24 @@ void pkey_disable_clear(int pkey, int fl + { + unsigned long syscall_flags = 0; + int ret; +- int pkey_rights = pkey_get(pkey, syscall_flags); ++ int pkey_rights = hw_pkey_get(pkey, syscall_flags); + u32 orig_pkru = rdpkru(); + + pkey_assert(flags & (PKEY_DISABLE_ACCESS | PKEY_DISABLE_WRITE)); + +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + pkey_assert(pkey_rights >= 0); + + pkey_rights |= flags; + +- ret = pkey_set(pkey, pkey_rights, 0); ++ ret = hw_pkey_set(pkey, pkey_rights, 0); + /* pkru and flags have the same format */ + shadow_pkru &= ~(flags << (pkey * 2)); + pkey_assert(ret >= 0); + +- pkey_rights = pkey_get(pkey, syscall_flags); +- dprintf1("%s(%d) pkey_get(%d): %x\n", __func__, ++ pkey_rights = hw_pkey_get(pkey, syscall_flags); ++ dprintf1("%s(%d) hw_pkey_get(%d): %x\n", __func__, + pkey, pkey, pkey_rights); + + dprintf1("%s(%d) pkru: 0x%x\n", __func__, pkey, rdpkru()); diff --git a/queue-4.14/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch b/queue-4.14/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch new file mode 100644 index 00000000000..6fae35102c7 --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-allow-faults-on-unknown-keys.patch 
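Review bot: In `pkey_disable_clear()` the context line `pkey_rights |= flags;` still sets the disable bits before they are passed to the renamed `hw_pkey_set()`, while the statement right after that call clears the same bits in `shadow_pkru`. For a function meant to lift access restrictions this looks inverted; `pkey_rights &= ~flags;` would match the shadow update. As written, the value handed to `hw_pkey_set()` and the shadow copy disagree about whether the key is accessible, which can hide or fabricate protection faults in later tests. Only part of the function is inside the hunk, so confirm against the full body.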
@@ -0,0 +1,56 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:46 -0700 +Subject: x86/pkeys/selftests: Allow faults on unknown keys + +From: Dave Hansen + +[ Upstream commit 7e7fd67ca39335a49619729821efb7cbdd674eb0 ] + +The exec-only pkey is allocated inside the kernel and userspace +is not told what it is. So, allow PK faults to occur that have +an unknown key. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171345.7FC7DA00@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -921,13 +921,21 @@ void *malloc_pkey(long size, int prot, u + } + + int last_pkru_faults; ++#define UNKNOWN_PKEY -2 + void expected_pk_fault(int pkey) + { + dprintf2("%s(): last_pkru_faults: %d pkru_faults: %d\n", + __func__, last_pkru_faults, pkru_faults); + dprintf2("%s(%d): last_si_pkey: %d\n", __func__, pkey, last_si_pkey); + pkey_assert(last_pkru_faults + 1 == pkru_faults); +- pkey_assert(last_si_pkey == pkey); ++ ++ /* ++ * For exec-only memory, we do not know the pkey in ++ * advance, so skip this check. ++ */ ++ if (pkey != UNKNOWN_PKEY) ++ pkey_assert(last_si_pkey == pkey); ++ + /* + * The signal handler shold have cleared out PKRU to let the + * test program continue. We now have to restore it. diff --git a/queue-4.14/x86-pkeys-selftests-factor-out-instruction-page.patch b/queue-4.14/x86-pkeys-selftests-factor-out-instruction-page.patch new file mode 100644 index 00000000000..3aba7b72a5f --- /dev/null 
+++ b/queue-4.14/x86-pkeys-selftests-factor-out-instruction-page.patch 
@@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:47 -0700 +Subject: x86/pkeys/selftests: Factor out "instruction page" + +From: Dave Hansen + +[ Upstream commit 3fcd2b2d928904cbf30b01e2c5e4f1dd2f9ab262 ] + +We currently have an execute-only test, but it is for +the explicit mprotect_pkey() interface. We will soon +add a test for the implicit mprotect(PROT_EXEC) +enterface. We need this code in both tests. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171347.C64AB733@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1253,12 +1253,9 @@ void test_ptrace_of_child(int *ptr, u16 + free(plain_ptr_unaligned); + } + +-void test_executing_on_unreadable_memory(int *ptr, u16 pkey) ++void *get_pointer_to_instructions(void) + { + void *p1; +- int scratch; +- int ptr_contents; +- int ret; + + p1 = ALIGN_PTR_UP(&lots_o_noops_around_write, PAGE_SIZE); + dprintf3("&lots_o_noops: %p\n", &lots_o_noops_around_write); +@@ -1268,7 +1265,23 @@ void test_executing_on_unreadable_memory + /* Point 'p1' at the *second* page of the function: */ + p1 += PAGE_SIZE; + ++ /* ++ * Try to ensure we fault this in on next touch to ensure ++ * we get an instruction fault as opposed to a data one ++ */ + madvise(p1, PAGE_SIZE, MADV_DONTNEED); ++ ++ return p1; ++} ++ ++void test_executing_on_unreadable_memory(int *ptr, u16 pkey) ++{ ++ void *p1; ++ int scratch; ++ int ptr_contents; ++ int ret; ++ ++ p1 = get_pointer_to_instructions(); + 
lots_o_noops_around_write(&scratch); + ptr_contents = read_ptr(p1); + dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); diff --git a/queue-4.14/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch b/queue-4.14/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch new file mode 100644 index 00000000000..ea60291a22e --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch 
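Review bot: The new helper `get_pointer_to_instructions()` has external linkage and no header comment, although it encodes an assumption both callers depend on: that `lots_o_noops_around_write` extends at least one full page past the aligned address, so the returned pointer still lies inside the function. I would declare it `static` and add a comment such as `/* Returns a page-aligned pointer into the second page of lots_o_noops_around_write(); the page is dropped with MADV_DONTNEED so the next touch faults it in. */`. The size of `lots_o_noops_around_write` is not visible in this hunk, so that assumption should be checked where the function is defined.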
@@ -0,0 +1,60 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:50 -0700 +Subject: x86/pkeys/selftests: Fix pkey exhaustion test off-by-one + +From: Dave Hansen + +[ Upstream commit f50b4878329ab61d8e05796f655adeb6f5fb57c6 ] + +In our "exhaust all pkeys" test, we make sure that there +is the expected number available. Turns out that the +test did not cover the execute-only key, but discussed +it anyway. It did *not* discuss the test-allocated +key. + +Now that we have a test for the mprotect(PROT_EXEC) case, +this off-by-one issue showed itself. Correct the off-by- +one and add the explanation for the case we missed. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171350.E1656B95@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -1163,12 +1163,15 @@ void test_pkey_alloc_exhaust(int *ptr, u + pkey_assert(i < NR_PKEYS*2); + + /* +- * There are 16 pkeys supported in hardware. One is taken +- * up for the default (0) and another can be taken up by +- * an execute-only mapping. Ensure that we can allocate +- * at least 14 (16-2). ++ * There are 16 pkeys supported in hardware. Three are ++ * allocated by the time we get here: ++ * 1. The default key (0) ++ * 2. One possibly consumed by an execute-only mapping. ++ * 3. One allocated by the test code and passed in via ++ * 'pkey' to this function. ++ * Ensure that we can allocate at least another 13 (16-3). 
+ */ +- pkey_assert(i >= NR_PKEYS-2); ++ pkey_assert(i >= NR_PKEYS-3); + + for (i = 0; i < nr_allocated_pkeys; i++) { + err = sys_pkey_free(allocated_pkeys[i]); diff --git a/queue-4.14/x86-pkeys-selftests-fix-pointer-math.patch b/queue-4.14/x86-pkeys-selftests-fix-pointer-math.patch new file mode 100644 index 00000000000..49c37cc6845 --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-fix-pointer-math.patch 
@@ -0,0 +1,67 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:52 -0700 +Subject: x86/pkeys/selftests: Fix pointer math + +From: Dave Hansen + +[ Upstream commit 3d64f4ed15c3c53dba4c514bf59c334464dee373 ] + +We dump out the entire area of the siginfo where the si_pkey_ptr is +supposed to be. But, we do some math on the poitner, which is a u32. +We intended to do byte math, not u32 math on the pointer. + +Cast it over to a u8* so it works. + +Also, move this block of code to below th si_code check. It doesn't +hurt anything, but the si_pkey field is gibberish for other signal +types. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171352.9BE09819@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -303,13 +303,6 @@ void signal_handler(int signum, siginfo_ + dump_mem(pkru_ptr - 128, 256); + pkey_assert(*pkru_ptr); + +- si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset); +- dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr); +- dump_mem(si_pkey_ptr - 8, 24); +- siginfo_pkey = *si_pkey_ptr; +- pkey_assert(siginfo_pkey < NR_PKEYS); +- last_si_pkey = siginfo_pkey; +- + if ((si->si_code == SEGV_MAPERR) || + (si->si_code == SEGV_ACCERR) || + (si->si_code == SEGV_BNDERR)) { +@@ -317,6 +310,13 @@ void signal_handler(int signum, siginfo_ + exit(4); + } + ++ si_pkey_ptr = (u32 *)(((u8 *)si) + si_pkey_offset); ++ dprintf1("si_pkey_ptr: %p\n", si_pkey_ptr); ++ dump_mem((u8 *)si_pkey_ptr - 8, 24); ++ siginfo_pkey = *si_pkey_ptr; ++ pkey_assert(siginfo_pkey < 
NR_PKEYS); ++ last_si_pkey = siginfo_pkey; ++ + dprintf1("signal pkru from xsave: %08x\n", *pkru_ptr); + /* need __rdpkru() version so we do not do shadow_pkru checking */ + dprintf1("signal pkru from pkru: %08x\n", __rdpkru()); diff --git a/queue-4.14/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch b/queue-4.14/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch new file mode 100644 index 00000000000..68e061ec56b --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch 
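Review bot: After the move, `si_pkey` is still read for every `si_code` other than the three that are rejected (`SEGV_MAPERR`, `SEGV_ACCERR`, `SEGV_BNDERR`), yet the commit message says the field is gibberish for other signal types. Testing for the one code that carries a key, `if (si->si_code != SEGV_PKUERR) { ... exit(4); }`, would turn the deny-list into an allow-list and keep `last_si_pkey` from being filled from unrelated siginfo bytes. Whether other codes can actually reach this handler is not visible in the hunk, and `signal_handler()` continues outside it.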
@@ -0,0 +1,72 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:38 -0700 +Subject: x86/pkeys/selftests: Give better unexpected fault error messages + +From: Dave Hansen + +[ Upstream commit 55556b0b2016806b2e16a20b62d143383983a34a ] + +do_not_expect_pk_fault() is a helper that we call when we do not expect +a PK fault to have occurred. But, it is a function, which means that +it obscures the line numbers from pkey_assert(). It also gives no +details. + +Replace it with an implementation that gives nice line numbers and +also lets callers pass in a more descriptive message about what +happened that caused the unexpected fault. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171338.55D13B64@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -954,10 +954,11 @@ void expected_pk_fault(int pkey) + last_si_pkey = -1; + } + +-void do_not_expect_pk_fault(void) +-{ +- pkey_assert(last_pkru_faults == pkru_faults); +-} ++#define do_not_expect_pk_fault(msg) do { \ ++ if (last_pkru_faults != pkru_faults) \ ++ dprintf0("unexpected PK fault: %s\n", msg); \ ++ pkey_assert(last_pkru_faults == pkru_faults); \ ++} while (0) + + int test_fds[10] = { -1 }; + int nr_test_fds; +@@ -1243,7 +1244,7 @@ void test_ptrace_of_child(int *ptr, u16 + pkey_assert(ret != -1); + /* Now access from the current task, and expect NO exception: */ + peek_result = read_ptr(plain_ptr); +- do_not_expect_pk_fault(); ++ do_not_expect_pk_fault("read plain pointer after ptrace"); + + ret = 
ptrace(PTRACE_DETACH, child_pid, ignored, 0); + pkey_assert(ret != -1); +@@ -1287,7 +1288,7 @@ void test_executing_on_unreadable_memory + */ + madvise(p1, PAGE_SIZE, MADV_DONTNEED); + lots_o_noops_around_write(&scratch); +- do_not_expect_pk_fault(); ++ do_not_expect_pk_fault("executing on PROT_EXEC memory"); + ptr_contents = read_ptr(p1); + dprintf2("ptr (%p) contents@%d: %x\n", p1, __LINE__, ptr_contents); + expected_pk_fault(pkey); diff --git a/queue-4.14/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch b/queue-4.14/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch new file mode 100644 index 00000000000..bde9bb54770 --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch 
@@ -0,0 +1,59 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:42 -0700 +Subject: x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal + +From: Dave Hansen + +[ Upstream commit a50093d60464dd51d1ae0c2267b0abe9e1de77f3 ] + +There is some noisy debug code at the end of the signal handler. It was +disabled by an early, unconditional "return". However, that return also +hid a dprint_in_signal=0, which kept dprint_in_signal=1 and effectively +locked us into permanent dprint_in_signal=1 behavior. + +Remove the return and the dead code, fixing dprint_in_signal. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171342.846B9B2E@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -325,22 +325,6 @@ void signal_handler(int signum, siginfo_ + dprintf1("WARNING: set PRKU=0 to allow faulting instruction to continue\n"); + pkru_faults++; + dprintf1("<<<<==================================================\n"); +- return; +- if (trapno == 14) { +- fprintf(stderr, +- "ERROR: In signal handler, page fault, trapno = %d, ip = %016lx\n", +- trapno, ip); +- fprintf(stderr, "si_addr %p\n", si->si_addr); +- fprintf(stderr, "REG_ERR: %lx\n", +- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]); +- exit(1); +- } else { +- fprintf(stderr, "unexpected trap %d! at 0x%lx\n", trapno, ip); +- fprintf(stderr, "si_addr %p\n", si->si_addr); +- fprintf(stderr, "REG_ERR: %lx\n", +- (unsigned long)uctxt->uc_mcontext.gregs[REG_ERR]); +- exit(2); +- } + dprint_in_signal = 0; + } + 
diff --git a/queue-4.14/x86-pkeys-selftests-save-off-prot-for-allocations.patch b/queue-4.14/x86-pkeys-selftests-save-off-prot-for-allocations.patch new file mode 100644 index 00000000000..262ac2c60be --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-save-off-prot-for-allocations.patch 
@@ -0,0 +1,95 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:54 -0700 +Subject: x86/pkeys/selftests: Save off 'prot' for allocations + +From: Dave Hansen + +[ Upstream commit acb25d761d6f2f64e785ccefc71e54f244f1eda4 ] + +This makes it possible to to tell what 'prot' a given allocation +is supposed to have. That way, if we want to change just the +pkey, we know what 'prot' to pass to mprotect_pkey(). + +Also, keep a record of the most recent allocation so the tests +can easily find it. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171354.AA23E228@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -677,10 +677,12 @@ int mprotect_pkey(void *ptr, size_t size + struct pkey_malloc_record { + void *ptr; + long size; ++ int prot; + }; + struct pkey_malloc_record *pkey_malloc_records; ++struct pkey_malloc_record *pkey_last_malloc_record; + long nr_pkey_malloc_records; +-void record_pkey_malloc(void *ptr, long size) ++void record_pkey_malloc(void *ptr, long size, int prot) + { + long i; + struct pkey_malloc_record *rec = NULL; +@@ -712,6 +714,8 @@ void record_pkey_malloc(void *ptr, long + (int)(rec - pkey_malloc_records), rec, ptr, size); + rec->ptr = ptr; + rec->size = size; ++ rec->prot = prot; ++ pkey_last_malloc_record = rec; + nr_pkey_malloc_records++; + } + +@@ -756,7 +760,7 @@ void *malloc_pkey_with_mprotect(long siz + pkey_assert(ptr != (void *)-1); + ret = mprotect_pkey((void *)ptr, PAGE_SIZE, prot, pkey); + pkey_assert(!ret); +- 
record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + rdpkru(); + + dprintf1("%s() for pkey %d @ %p\n", __func__, pkey, ptr); +@@ -777,7 +781,7 @@ void *malloc_pkey_anon_huge(long size, i + size = ALIGN_UP(size, HPAGE_SIZE * 2); + ptr = mmap(NULL, size, PROT_NONE, MAP_ANONYMOUS|MAP_PRIVATE, -1, 0); + pkey_assert(ptr != (void *)-1); +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + mprotect_pkey(ptr, size, prot, pkey); + + dprintf1("unaligned ptr: %p\n", ptr); +@@ -850,7 +854,7 @@ void *malloc_pkey_hugetlb(long size, int + pkey_assert(ptr != (void *)-1); + mprotect_pkey(ptr, size, prot, pkey); + +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + + dprintf1("mmap()'d hugetlbfs for pkey %d @ %p\n", pkey, ptr); + return ptr; +@@ -872,7 +876,7 @@ void *malloc_pkey_mmap_dax(long size, in + + mprotect_pkey(ptr, size, prot, pkey); + +- record_pkey_malloc(ptr, size); ++ record_pkey_malloc(ptr, size, prot); + + dprintf1("mmap()'d for pkey %d @ %p\n", pkey, ptr); + close(fd); diff --git a/queue-4.14/x86-pkeys-selftests-stop-using-assert.patch b/queue-4.14/x86-pkeys-selftests-stop-using-assert.patch new file mode 100644 index 00000000000..d6b9f5c6bb5 --- /dev/null +++ b/queue-4.14/x86-pkeys-selftests-stop-using-assert.patch 
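Review bot: `pkey_last_malloc_record` is assigned in `record_pkey_malloc()` but nothing in this hunk ever resets it, so it keeps pointing into `pkey_malloc_records` after the record it names is released or reused. If the free path clears or recycles entries, or the array is ever reallocated (neither is visible here), a later reader gets a stale `size`/`prot` or a dangling pointer. Resetting it where a record is freed, e.g. `if (pkey_last_malloc_record == rec) pkey_last_malloc_record = NULL;`, or storing an index instead of a pointer, avoids that. A one-line comment on the new global stating its lifetime would also help.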
@@ -0,0 +1,64 @@ +From foo@baz Sun Jun 17 12:13:49 CEST 2018 +From: Dave Hansen +Date: Wed, 9 May 2018 10:13:40 -0700 +Subject: x86/pkeys/selftests: Stop using assert() + +From: Dave Hansen + +[ Upstream commit 86b9eea230edf4c67d4d4a70fba9b74505867a25 ] + +If we use assert(), the program "crashes". That can be scary to users, +so stop doing it. Just exit with a >0 exit code instead. + +Signed-off-by: Dave Hansen +Cc: Andrew Morton +Cc: Dave Hansen +Cc: Linus Torvalds +Cc: Michael Ellermen +Cc: Peter Zijlstra +Cc: Ram Pai +Cc: Shuah Khan +Cc: Thomas Gleixner +Cc: linux-mm@kvack.org +Link: http://lkml.kernel.org/r/20180509171340.E63EF7DA@viggo.jf.intel.com +Signed-off-by: Ingo Molnar +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/x86/protection_keys.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/x86/protection_keys.c ++++ b/tools/testing/selftests/x86/protection_keys.c +@@ -72,10 +72,9 @@ extern void abort_hooks(void); + test_nr, iteration_nr); \ + dprintf0("errno at assert: %d", errno); \ + abort_hooks(); \ +- assert(condition); \ ++ exit(__LINE__); \ + } \ + } while (0) +-#define raw_assert(cond) assert(cond) + + void cat_into_file(char *str, char *file) + { +@@ -87,12 +86,17 @@ void cat_into_file(char *str, char *file + * these need to be raw because they are called under + * pkey_assert() + */ +- raw_assert(fd >= 0); ++ if (fd < 0) { ++ fprintf(stderr, "error opening '%s'\n", str); ++ perror("error: "); ++ exit(__LINE__); ++ } ++ + ret = write(fd, str, strlen(str)); + if (ret != strlen(str)) { + perror("write to file failed"); + fprintf(stderr, "filename: '%s' str: '%s'\n", file, str); +- raw_assert(0); ++ exit(__LINE__); + } + close(fd); + } diff --git a/queue-4.14/x86-selftests-add-mov_to_ss-test.patch b/queue-4.14/x86-selftests-add-mov_to_ss-test.patch new file mode 100644 index 00000000000..7ce259e4a11 --- /dev/null 
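Review bot: `exit(__LINE__)` in `pkey_assert()` and `cat_into_file()` passes a line number as the exit status, but only the low 8 bits of the status reach the parent, so a failure on a line whose number is a multiple of 256 is reported as success and other line numbers alias each other. A fixed non-zero status, for example `exit(EXIT_FAILURE);`, with the line number printed in the message keeps failures visible to whatever harness runs the selftest. Separately, the new `fd < 0` branch in `cat_into_file()` prints `str` in `"error opening '%s'\n"`; the thing that failed to open is `file`, so `fprintf(stderr, "error opening '%s'\n", file);` is presumably what was intended.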
+++ b/queue-4.14/x86-selftests-add-mov_to_ss-test.patch 
@@ -0,0 +1,325 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Andy Lutomirski
+Date: Tue, 8 May 2018 10:28:35 -0700
+Subject: x86/selftests: Add mov_to_ss test
+
+From: Andy Lutomirski
+
+[ Upstream commit 59c2a7226fc5130032021c99f05ad5c0a56551cd ]
+
+This exercises a nasty corner case of the x86 ISA.
+
+Signed-off-by: Andy Lutomirski
+Cc: Borislav Petkov
+Cc: Linus Torvalds
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Link: http://lkml.kernel.org/r/67e08b69817171da8026e0eb3af0214b06b4d74f.1525800455.git.luto@kernel.org
+Signed-off-by: Ingo Molnar
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/x86/Makefile | 2
+ tools/testing/selftests/x86/mov_ss_trap.c | 285 ++++++++++++++++++++++++++++++
+ 2 files changed, 286 insertions(+), 1 deletion(-)
+ create mode 100644 tools/testing/selftests/x86/mov_ss_trap.c
+
+--- a/tools/testing/selftests/x86/Makefile
++++ b/tools/testing/selftests/x86/Makefile
+@@ -11,7 +11,7 @@ CAN_BUILD_X86_64 := $(shell ./check_cc.s
+
+ TARGETS_C_BOTHBITS := single_step_syscall sysret_ss_attrs syscall_nt test_mremap_vdso \
+ check_initial_reg_state sigreturn iopl mpx-mini-test ioperm \
+- protection_keys test_vdso test_vsyscall
++ protection_keys test_vdso test_vsyscall mov_ss_trap
+ TARGETS_C_32BIT_ONLY := entry_from_vm86 syscall_arg_fault test_syscall_vdso unwind_vdso \
+ test_FCMOV test_FCOMI test_FISTTP \
+ vdso_restorer
+--- /dev/null
++++ b/tools/testing/selftests/x86/mov_ss_trap.c
+@@ -0,0 +1,285 @@
++/* SPDX-License-Identifier: GPL-2.0 */
++/*
++ * mov_ss_trap.c: Exercise the bizarre side effects of a watchpoint on MOV SS
++ *
++ * This does MOV SS from a watchpointed address followed by various
++ * types of kernel entries. A MOV SS that hits a watchpoint will queue
++ * up a #DB trap but will not actually deliver that trap. The trap
++ * will be delivered after the next instruction instead. The CPU's logic
++ * seems to be:
++ *
++ * - Any fault: drop the pending #DB trap.
++ * - INT $N, INT3, INTO, SYSCALL, SYSENTER: enter the kernel and then
++ * deliver #DB.
++ * - ICEBP: enter the kernel but do not deliver the watchpoint trap
++ * - breakpoint: only one #DB is delivered (phew!)
++ *
++ * There are plenty of ways for a kernel to handle this incorrectly. This
++ * test tries to exercise all the cases.
++ *
++ * This should mostly cover CVE-2018-1087 and CVE-2018-8897.
++ */
++#define _GNU_SOURCE
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#define X86_EFLAGS_RF (1UL << 16)
++
++#if __x86_64__
++# define REG_IP REG_RIP
++#else
++# define REG_IP REG_EIP
++#endif
++
++unsigned short ss;
++extern unsigned char breakpoint_insn[];
++sigjmp_buf jmpbuf;
++static unsigned char altstack_data[SIGSTKSZ];
++
++static void enable_watchpoint(void)
++{
++ pid_t parent = getpid();
++ int status;
++
++ pid_t child = fork();
++ if (child < 0)
++ err(1, "fork");
++
++ if (child) {
++ if (waitpid(child, &status, 0) != child)
++ err(1, "waitpid for child");
++ } else {
++ unsigned long dr0, dr1, dr7;
++
++ dr0 = (unsigned long)&ss;
++ dr1 = (unsigned long)breakpoint_insn;
++ dr7 = ((1UL << 1) | /* G0 */
++ (3UL << 16) | /* RW0 = read or write */
++ (1UL << 18) | /* LEN0 = 2 bytes */
++ (1UL << 3)); /* G1, RW1 = insn */
++
++ if (ptrace(PTRACE_ATTACH, parent, NULL, NULL) != 0)
++ err(1, "PTRACE_ATTACH");
++
++ if (waitpid(parent, &status, 0) != parent)
++ err(1, "waitpid for child");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[0]), dr0) != 0)
++ err(1, "PTRACE_POKEUSER DR0");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[1]), dr1) != 0)
++ err(1, "PTRACE_POKEUSER DR1");
++
++ if (ptrace(PTRACE_POKEUSER, parent, (void *)offsetof(struct user, u_debugreg[7]), dr7) != 0)
++ err(1, "PTRACE_POKEUSER DR7");
++
++ printf("\tDR0 = %lx, DR1 = %lx, DR7 = %lx\n", dr0, dr1, dr7);
++
++ if (ptrace(PTRACE_DETACH, parent, NULL, NULL) != 0)
++ err(1, "PTRACE_DETACH");
++
++ exit(0);
++ }
++}
++
++static void sethandler(int sig, void (*handler)(int, siginfo_t *, void *),
++ int flags)
++{
++ struct sigaction sa;
++ memset(&sa, 0, sizeof(sa));
++ sa.sa_sigaction = handler;
++ sa.sa_flags = SA_SIGINFO | flags;
++ sigemptyset(&sa.sa_mask);
++ if (sigaction(sig, &sa, 0))
++ err(1, "sigaction");
++}
++
++static char const * const signames[] = {
++ [SIGSEGV] = "SIGSEGV",
++ [SIGBUS] = "SIBGUS",
++ [SIGTRAP] = "SIGTRAP",
++ [SIGILL] = "SIGILL",
++};
++
++static void sigtrap(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot SIGTRAP with RIP=%lx, EFLAGS.RF=%d\n",
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP],
++ !!(ctx->uc_mcontext.gregs[REG_EFL] & X86_EFLAGS_RF));
++}
++
++static void handle_and_return(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot %s with RIP=%lx\n", signames[sig],
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
++}
++
++static void handle_and_longjmp(int sig, siginfo_t *si, void *ctx_void)
++{
++ ucontext_t *ctx = ctx_void;
++
++ printf("\tGot %s with RIP=%lx\n", signames[sig],
++ (unsigned long)ctx->uc_mcontext.gregs[REG_IP]);
++
++ siglongjmp(jmpbuf, 1);
++}
++
++int main()
++{
++ unsigned long nr;
++
++ asm volatile ("mov %%ss, %[ss]" : [ss] "=m" (ss));
++ printf("\tSS = 0x%hx, &SS = 0x%p\n", ss, &ss);
++
++ if (prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY, 0, 0, 0) == 0)
++ printf("\tPR_SET_PTRACER_ANY succeeded\n");
++
++ printf("\tSet up a watchpoint\n");
++ sethandler(SIGTRAP, sigtrap, 0);
++ enable_watchpoint();
++
++ printf("[RUN]\tRead from watched memory (should get SIGTRAP)\n");
++ asm volatile ("mov %[ss], %[tmp]" : [tmp] "=r" (nr) : [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT3\n");
++ asm volatile ("mov %[ss], %%ss; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT 3\n");
++ asm volatile ("mov %[ss], %%ss; .byte 0xcd, 0x3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; CS CS INT3\n");
++ asm volatile ("mov %[ss], %%ss; .byte 0x2e, 0x2e; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; CSx14 INT3\n");
++ asm volatile ("mov %[ss], %%ss; .fill 14,1,0x2e; int3" :: [ss] "m" (ss));
++
++ printf("[RUN]\tMOV SS; INT 4\n");
++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; int $4" :: [ss] "m" (ss));
++
++#ifdef __i386__
++ printf("[RUN]\tMOV SS; INTO\n");
++ sethandler(SIGSEGV, handle_and_return, SA_RESETHAND);
++ nr = -1;
++ asm volatile ("add $1, %[tmp]; mov %[ss], %%ss; into"
++ : [tmp] "+r" (nr) : [ss] "m" (ss));
++#endif
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; ICEBP\n");
++
++ /* Some emulators (e.g. QEMU TCG) don't emulate ICEBP. */
++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
++
++ asm volatile ("mov %[ss], %%ss; .byte 0xf1" :: [ss] "m" (ss));
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; CLI\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; cli" :: [ss] "m" (ss));
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; #PF\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; mov (-1), %[tmp]"
++ : [tmp] "=r" (nr) : [ss] "m" (ss));
++ }
++
++ /*
++ * INT $1: if #DB has DPL=3 and there isn't special handling,
++ * then the kernel will die.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; INT 1\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ asm volatile ("mov %[ss], %%ss; int $1" :: [ss] "m" (ss));
++ }
++
++#ifdef __x86_64__
++ /*
++ * In principle, we should test 32-bit SYSCALL as well, but
++ * the calling convention is so unpredictable that it's
++ * not obviously worth the effort.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; SYSCALL\n");
++ sethandler(SIGILL, handle_and_longjmp, SA_RESETHAND);
++ nr = SYS_getpid;
++ /*
++ * Toggle the high bit of RSP to make it noncanonical to
++ * strengthen this test on non-SMAP systems.
++ */
++ asm volatile ("btc $63, %%rsp\n\t"
++ "mov %[ss], %%ss; syscall\n\t"
++ "btc $63, %%rsp"
++ : "+a" (nr) : [ss] "m" (ss)
++ : "rcx"
++#ifdef __x86_64__
++ , "r11"
++#endif
++ );
++ }
++#endif
++
++ printf("[RUN]\tMOV SS; breakpointed NOP\n");
++ asm volatile ("mov %[ss], %%ss; breakpoint_insn: nop" :: [ss] "m" (ss));
++
++ /*
++ * Invoking SYSENTER directly breaks all the rules. Just handle
++ * the SIGSEGV.
++ */
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; SYSENTER\n");
++ stack_t stack = {
++ .ss_sp = altstack_data,
++ .ss_size = SIGSTKSZ,
++ };
++ if (sigaltstack(&stack, NULL) != 0)
++ err(1, "sigaltstack");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND | SA_ONSTACK);
++ nr = SYS_getpid;
++ asm volatile ("mov %[ss], %%ss; SYSENTER" : "+a" (nr)
++ : [ss] "m" (ss) : "flags", "rcx"
++#ifdef __x86_64__
++ , "r11"
++#endif
++ );
++
++ /* We're unreachable here. SYSENTER forgets RIP. */
++ }
++
++ if (sigsetjmp(jmpbuf, 1) == 0) {
++ printf("[RUN]\tMOV SS; INT $0x80\n");
++ sethandler(SIGSEGV, handle_and_longjmp, SA_RESETHAND);
++ nr = 20; /* compat getpid */
++ asm volatile ("mov %[ss], %%ss; int $0x80"
++ : "+a" (nr) : [ss] "m" (ss)
++ : "flags"
++#ifdef __x86_64__
++ , "r8", "r9", "r10", "r11"
++#endif
++ );
++ }
++
++ printf("[OK]\tI aten't dead\n");
++ return 0;
++}
diff --git a/queue-4.14/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch b/queue-4.14/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch
new file mode 100644
index 00000000000..61f56a2de6a
--- /dev/null
+++ b/queue-4.14/x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch
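Review bot: In `enable_watchpoint()` the parent only checks that `waitpid()` returned the child's pid and never inspects `status`, so when the child leaves through one of its `err(1, ...)` paths (a refused `PTRACE_ATTACH`, for instance) the debug registers are never programmed and `main()` still runs through to the `[OK]` line. For a regression test that its own header says should cover CVE-2018-1087 and CVE-2018-8897, that is a false pass on exactly the systems where the watchpoint could not be armed. After the wait I would add `if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) errx(1, "watchpoint setup failed");`. Two smaller items in the same file: the `signames` entry for SIGBUS is spelt "SIBGUS", and the child's `waitpid(parent, ...)` failure reuses the message "waitpid for child".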
@@ -0,0 +1,94 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: "van der Linden, Frank"
+Date: Fri, 4 May 2018 16:11:00 -0400
+Subject: x86/xen: Reset VCPU0 info pointer after shared_info remap
+
+From: "van der Linden, Frank"
+
+[ Upstream commit d1ecfa9d1f402366b1776fbf84e635678a51414f ]
+
+This patch fixes crashes during boot for HVM guests on older (pre HVM
+vector callback) Xen versions. Without this, current kernels will always
+fail to boot on those Xen versions.
+
+Sample stack trace:
+
+ BUG: unable to handle kernel paging request at ffffffffff200000
+ IP: __xen_evtchn_do_upcall+0x1e/0x80
+ PGD 1e0e067 P4D 1e0e067 PUD 1e10067 PMD 235c067 PTE 0
+ Oops: 0002 [#1] SMP PTI
+ Modules linked in:
+ CPU: 0 PID: 512 Comm: kworker/u2:0 Not tainted 4.14.33-52.13.amzn1.x86_64 #1
+ Hardware name: Xen HVM domU, BIOS 3.4.3.amazon 11/11/2016
+ task: ffff88002531d700 task.stack: ffffc90000480000
+ RIP: 0010:__xen_evtchn_do_upcall+0x1e/0x80
+ RSP: 0000:ffff880025403ef0 EFLAGS: 00010046
+ RAX: ffffffff813cc760 RBX: ffffffffff200000 RCX: ffffc90000483ef0
+ RDX: ffff880020540a00 RSI: ffff880023c78000 RDI: 000000000000001c
+ RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
+ R13: ffff880025403f5c R14: 0000000000000000 R15: 0000000000000000
+ FS: 0000000000000000(0000) GS:ffff880025400000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: ffffffffff200000 CR3: 0000000001e0a000 CR4: 00000000000006f0
+ Call Trace:
+
+ do_hvm_evtchn_intr+0xa/0x10
+ __handle_irq_event_percpu+0x43/0x1a0
+ handle_irq_event_percpu+0x20/0x50
+ handle_irq_event+0x39/0x60
+ handle_fasteoi_irq+0x80/0x140
+ handle_irq+0xaf/0x120
+ do_IRQ+0x41/0xd0
+ common_interrupt+0x7d/0x7d
+
+
+During boot, the HYPERVISOR_shared_info page gets remapped to make it work
+with KASLR. This means that any pointer derived from it needs to be
+adjusted.
+
+The only value that this applies to is the vcpu_info pointer for VCPU 0.
+For PV and HVM with the callback vector feature, this gets done via the
+smp_ops prepare_boot_cpu callback. Older Xen versions do not support the
+HVM callback vector, so there is no Xen-specific smp_ops set up in that
+scenario. So, the vcpu_info pointer for VCPU 0 never gets set to the proper
+value, and the first reference of it will be bad. Fix this by resetting it
+immediately after the remap.
+
+Signed-off-by: Frank van der Linden
+Reviewed-by: Eduardo Valentin
+Reviewed-by: Alakesh Haloi
+Reviewed-by: Vallish Vaidyeshwara
+Reviewed-by: Boris Ostrovsky
+Cc: Juergen Gross
+Cc: Boris Ostrovsky
+Cc: xen-devel@lists.xenproject.org
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/xen/enlighten_hvm.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/arch/x86/xen/enlighten_hvm.c
++++ b/arch/x86/xen/enlighten_hvm.c
+@@ -64,6 +64,19 @@ static void __init xen_hvm_init_mem_mapp
+ {
+ early_memunmap(HYPERVISOR_shared_info, PAGE_SIZE);
+ HYPERVISOR_shared_info = __va(PFN_PHYS(shared_info_pfn));
++
++ /*
++ * The virtual address of the shared_info page has changed, so
++ * the vcpu_info pointer for VCPU 0 is now stale.
++ *
++ * The prepare_boot_cpu callback will re-initialize it via
++ * xen_vcpu_setup, but we can't rely on that to be called for
++ * old Xen versions (xen_have_vector_callback == 0).
++ *
++ * It is, in any case, bad to have a stale vcpu_info pointer
++ * so reset it now.
++ */
++ xen_vcpu_info_reset(0);
+ }
+
+ static void __init init_hvm_pv_info(void)
diff --git a/queue-4.14/xen-xenbus_dev_frontend-really-return-response-string.patch b/queue-4.14/xen-xenbus_dev_frontend-really-return-response-string.patch
new file mode 100644
index 00000000000..4c0fc4456ef
--- /dev/null
+++ b/queue-4.14/xen-xenbus_dev_frontend-really-return-response-string.patch
@@ -0,0 +1,41 @@
+From foo@baz Sun Jun 17 12:13:49 CEST 2018
+From: Simon Gaiser
+Date: Thu, 15 Mar 2018 04:08:03 +0100
+Subject: xen: xenbus_dev_frontend: Really return response string
+
+From: Simon Gaiser
+
+[ Upstream commit ebf04f331fa15a966262341a7dc6b1a0efd633e4 ]
+
+xenbus_command_reply() did not actually copy the response string and
+leaked stack content instead.
+
+Fixes: 9a6161fe73bd ("xen: return xenstore command failures via response instead of rc")
+Signed-off-by: Simon Gaiser
+Reviewed-by: Juergen Gross
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/xen/xenbus/xenbus_dev_frontend.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
++++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
+@@ -403,7 +403,7 @@ static int xenbus_command_reply(struct x
+ {
+ struct {
+ struct xsd_sockmsg hdr;
+- const char body[16];
++ char body[16];
+ } msg;
+ int rc;
+
+@@ -412,6 +412,7 @@ static int xenbus_command_reply(struct x
+ msg.hdr.len = strlen(reply) + 1;
+ if (msg.hdr.len > sizeof(msg.body))
+ return -E2BIG;
++ memcpy(&msg.body, reply, msg.hdr.len);
+
+ mutex_lock(&u->reply_mutex);
+ rc = queue_reply(&u->read_buffers, &msg, sizeof(msg.hdr) + msg.hdr.len);
diff --git a/queue-4.16/series b/queue-4.16/series
new file mode 100644
index 00000000000..7aead6f15c6
--- /dev/null
+++ b/queue-4.16/series
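Review bot: `msg` in `xenbus_command_reply()` is still an uninitialised stack object after this change, so the reply is clean only because every byte `queue_reply()` is asked to send has been written first. Zero-initialising it at the declaration, `} msg = {};`, would make a future slip of the same kind hand back zeros instead of stack contents. This assumes the remaining header fields are assigned in the lines between the two hunks, which are not shown here. As a style point, `memcpy(msg.body, reply, msg.hdr.len);` is the more conventional spelling than `&msg.body`, though both pass the same address.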
@@ -0,0 +1,279 @@
+clocksource-drivers-imx-tpm-correct-some-registers-operation-flow.patch
+input-synaptics-rmi4-fix-an-unchecked-out-of-memory-error-path.patch
+kvm-x86-fix-incorrect-reference-of-trace_kvm_pi_irte_update.patch
+asoc-intel-atom-fix-acpi-pci-kconfig.patch
+x86-add-check-for-apic-access-address-for-vmentry-of-l2-guests.patch
+mips-io-prevent-compiler-reordering-writex.patch
+lan78xx-phy-dsp-registers-initialization-to-address-eee-link-drop-issues-with-long-cables.patch
+ibmvnic-do-not-notify-peers-on-parameter-change-resets.patch
+nfp-ignore-signals-when-communicating-with-management-fw.patch
+nfp-flower-split-and-limit-cmsg-skb-lists.patch
+perf-report-fix-switching-to-another-perf.data-file.patch
+fsnotify-fix-ignore-mask-logic-in-send_to_group.patch
+mips-io-add-barrier-after-register-read-in-readx.patch
+s390-smsgiucv-disable-smsg-on-module-unload.patch
+isofs-fix-potential-memory-leak-in-mount-option-parsing.patch
+mips-dts-boston-fix-pci-bus-dtc-warnings.patch
+spi-sh-msiof-fix-bit-field-overflow-writes-to-tscr-rscr.patch
+doc-add-vendor-prefix-for-kieback-peter-gmbh.patch
+dt-bindings-pinctrl-sunxi-fix-reference-to-driver.patch
+dt-bindings-net-ravb-add-support-for-r8a77965-soc.patch
+dt-bindings-serial-sh-sci-add-support-for-r8a77965-h-scif.patch
+dt-bindings-dmaengine-rcar-dmac-document-r8a77965-support.patch
+x86-kvm-properly-update-tsc_offset-to-represent-the-running-guest.patch
+kvm-x86-move-msr_ia32_tsc-handling-to-x86.c.patch
+clk-honor-clk_mux_round_closest-in-generic-clk-mux.patch
+asoc-rt5514-add-the-missing-register-in-the-readable-table.patch
+arm-dts-fix-cm2-and-prm-sizes-for-omap4.patch
+ecryptfs-don-t-pass-up-plaintext-names-when-using-filename-encryption.patch
+soc-bcm-raspberrypi-power-fix-use-of-__packed.patch
+soc-bcm2835-make-raspberrypi_firmware-dummies-return-failure.patch
+powerpc-64s-default-l1d_size-to-64k-in-rfi-fallback-flush.patch
+pci-kirin-fix-reset-gpio-name.patch
+asoc-topology-fix-bugs-of-freeing-soc-topology.patch
+livepatch-initialize-shadow-variables-safely-by-a-custom-callback.patch
+livepatch-allow-to-call-a-custom-callback-when-freeing-shadow-variables.patch
+kvm-arm-arm64-vgic-kick-new-vcpu-on-interrupt-migration.patch
+xen-xenbus_dev_frontend-really-return-response-string.patch
+arm64-kasan-avoid-pfn_to_nid-before-page-array-is-initialized.patch
+asoc-topology-check-widget-kcontrols-before-deref.patch
+spi-cadence-add-usleep_range-for-cdns_spi_fill_tx_fifo.patch
+blkcg-don-t-hold-blkcg-lock-when-deactivating-policy.patch
+arm64-dts-meson-gxl-add-usb-host-support.patch
+arm64-dts-meson-gxm-add-gxm-specific-usb-host-configuration.patch
+arm64-dts-meson-gxl-s905x-p212-enable-the-usb-controller.patch
+arm64-dts-meson-gx-p23x-q20x-enable-the-usb-controller.patch
+arm64-dts-meson-gxl-s905x-libretech-cc-enable-the-usb-controller.patch
+arm64-dts-meson-gxl-nexbox-a95x-enable-the-usb-controller.patch
+arm64-dts-meson-gxm-khadas-vim2-enable-the-usb-controller.patch
+tipc-fix-infinite-loop-when-dumping-link-monitor-summary.patch
+arm64-dts-correct-sata-addresses-for-stingray.patch
+scsi-iscsi-respond-to-netlink-with-unicast-when-appropriate.patch
+scsi-megaraid_sas-do-not-log-an-error-if-fw-successfully-initializes.patch
+scsi-target-fix-crash-with-iscsi-target-and-dvd.patch
+netfilter-nf_tables-nat-chain-and-extensions-require-nf_tables.patch
+netfilter-nf_tables-fix-out-of-bounds-in-nft_chain_commit_update.patch
+asoc-msm8916-wcd-analog-use-threaded-context-for-mbhc-events.patch
+drm-msm-fix-possible-null-dereference-on-failure-of-get_pages.patch
+drm-msm-dsi-use-correct-enum-in-dsi_get_cmd_fmt.patch
+drm-msm-don-t-deref-error-pointer-in-the-msm_fbdev_create-error-path.patch
+blkcg-init-root-blkcg_gq-under-lock.patch
+net-hns-avoid-action-name-truncation.patch
+afs-fix-server-record-deletion.patch
+vfs-undo-an-overly-zealous-ms_rdonly-sb_rdonly-conversion.patch
+parisc-time-convert-read_persistent_clock-to-read_persistent_clock64.patch
+scsi-storvsc-set-up-correct-queue-depth-values-for-ide-devices.patch
+scsi-isci-fix-infinite-loop-in-while-loop.patch
+mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry.patch
+proc-revalidate-kernel-thread-inodes-to-root-root.patch
+proc-fix-proc-loadavg-regression.patch
+kexec_file-do-not-add-extra-alignment-to-efi-memmap.patch
+mm-memcg-add-__gfp_nowarn-in-__memcg_schedule_kmem_cache_create.patch
+usb-typec-ucsi-fix-tracepoint-related-build-error.patch
+s390-qeth-fix-mac-address-update-sequence.patch
+s390-qeth-fix-request-side-race-during-cmd-io-timeout.patch
+s390-qeth-use-read-device-to-query-hypervisor-for-mac.patch
+acpi-pm-blacklist-low-power-s0-idle-_dsm-for-thinkpad-x1-tablet-2016.patch
+acpi-scan-initialize-watchdog-before-pnp.patch
+dt-bindings-meson-uart-dt-fix-s-clocks-names-clock-names.patch
+dt-bindings-mvebu-uart-dt-fix-s-interrupts-names-interrupt-names.patch
+powerpc-powernv-memtrace-let-the-arch-hotunplug-code-flush-cache.patch
+net-phy-marvell-clear-wol-event-before-setting-it.patch
+arm-dts-da850-fix-w-1-warnings-with-pinmux-node.patch
+acpi-watchdog-prefer-itco_wdt-on-lenovo-z50-70.patch
+drm-amdkfd-fix-clock-counter-retrieval-for-node-without-gpu.patch
+cpufreq-brcmstb-avs-cpufreq-remove-development-debug-support.patch
+thermal-int3403_thermal-fix-null-pointer-deref-on-module-load-probe.patch
+cifs-set-resp_buf_type-to-no_buffer-on-error.patch
+arm64-dts-uniphier-fix-input-delay-value-for-legacy-mode-of-emmc.patch
+igb-fix-the-transmission-mode-of-queue-0-for-qav-mode.patch
+net-ethtool-add-missing-kernel-doc-for-fec-parameters.patch
+riscv-select-dma_direct_ops-instead-of-redefining-it.patch
+risc-v-build-vdso-dummy.o-with-no-pie.patch
+arm64-ptrace-remove-addr_limit-manipulation.patch
+arm64-only-advance-singlestep-for-user-instruction-traps.patch
+perf-pmu-fix-core-pmu-alias-list-for-x86-platform.patch
+hid-lenovo-add-support-for-ibm-lenovo-scrollpoint-mice.patch
+hid-wacom-release-device-resource-data-obtained-by-devres_alloc.patch
+selftests-ftrace-add-a-testcase-for-multiple-actions-on-trigger.patch
+bpf-x64-fix-jit-emission-for-dead-code.patch
+rds-ib-fix-missing-call-to-rds_ib_dev_put-in-rds_ib_setup_qp.patch
+perf-x86-intel-don-t-enable-freeze-on-smi-for-perfmon-v1.patch
+remoteproc-qcom-fix-potential-device-node-leaks.patch
+rpmsg-added-module_alias-for-rpmsg_char.patch
+hid-intel-ish-hid-use-put_device-instead-of-kfree.patch
+blk-mq-fix-sysfs-inflight-counter.patch
+arm64-fix-possible-spectre-v1-in-ptrace_hbp_get_event.patch
+kvm-arm-arm64-vgic-fix-possible-spectre-v1-in-vgic_mmio_read_apr.patch
+libahci-allow-drivers-to-override-stop_engine.patch
+ata-ahci-mvebu-override-ahci_stop_engine-for-mvebu-ahci.patch
+x86-cpu-intel-add-missing-tlb-cpuid-values.patch
+bpf-fix-uninitialized-variable-in-bpf-tools.patch
+vti6-change-minimum-mtu-to-ipv4_min_mtu-vti6-can-carry-ipv4-too.patch
+powerpc-kvm-booke-fix-altivec-related-build-break.patch
+reset-uniphier-fix-usb-clock-line-for-ld20.patch
+i2c-sprd-prevent-i2c-accesses-after-suspend-is-called.patch
+i2c-sprd-fix-the-i2c-count-issue.patch
+rdma-mlx5-properly-check-return-value-of-mlx5_get_uars_page.patch
+tipc-fix-bug-in-function-tipc_nl_node_dump_monitor.patch
+nfp-don-t-depend-on-eth_tbl-being-available.patch
+nvme-depend-on-infiniband_addr_trans.patch
+nvmet-rdma-depend-on-infiniband_addr_trans.patch
+ib_srpt-depend-on-infiniband_addr_trans.patch
+cifs-smbd-depend-on-infiniband_addr_trans.patch
+ib_srp-depend-on-infiniband_addr_trans.patch
+ib-make-infiniband_addr_trans-configurable.patch
+net-mvpp2-fix-clk-error-path-in-mvpp2_probe.patch
+kvm-apic-flush-tlb-after-apic-mode-address-change-if-vpids-are-in-use.patch
+ib-uverbs-fix-validating-mandatory-attributes.patch
+rdma-cma-fix-use-after-destroy-access-to-net-namespace-for-ipoib.patch
+rdma-iwpm-fix-memory-leak-on-map_info.patch
+ib-rxe-add-rxe_start_mask-for-rxe_opcode-ib_opcode_rc_send_only_inv.patch
+ib-rxe-avoid-double-kfree_skb.patch
+rdma-hns-bugfix-for-init-hem-table.patch
+rdma-hns-intercept-illegal-rdma-operation-when-use-inline-data.patch
+rdma-hns-fix-the-qp-context-state-diagram.patch
+rdma-hns-submit-bad-wr.patch
+linux-stringhash.h-fix-end_name_hash-for-64bit-long.patch
+ib-core-make-ib_mad_client_id-atomic.patch
+arm-davinci-board-da830-evm-fix-gpio-lookup-for-mmc-sd.patch
+arm-davinci-board-da850-evm-fix-gpio-lookup-for-mmc-sd.patch
+arm-davinci-board-omapl138-hawk-fix-gpio-numbers-for-mmc-sd-lookup.patch
+arm-davinci-board-dm355-evm-fix-broken-networking.patch
+dt-bindings-panel-lvds-fix-path-to-display-timing-bindings.patch
+arm-omap2-powerdomain-use-raw_smp_processor_id-for-trace.patch
+arm-dts-logicpd-som-lv-fix-wl127x-startup-issues.patch
+arm-dts-logicpd-som-lv-fix-audio-mute.patch
+xprtrdma-fix-list-corruption-dmar-errors-during-mr-recovery.patch
+input-atmel_mxt_ts-fix-the-firmware-update.patch
+hexagon-add-memset_io-helper.patch
+hexagon-export-csum_partial_copy_nocheck.patch
+scsi-vmw-pvscsi-return-did_bus_busy-for-adapter-initated-aborts.patch
+arm-davinci-fix-gpio-lookup-for-i2c.patch
+pinctrl-meson-axg-fix-the-range-of-aobus-bank.patch
+pinctrl-cherryview-associate-irq-descriptors-to-irqdomain.patch
+mtd-onenand-omap2-disable-dma-for-highmem-buffers.patch
+bpf-x64-fix-memleak-when-not-converging-after-image.patch
+bpf-x64-fix-memleak-when-not-converging-on-calls.patch
+parisc-drivers.c-fix-section-mismatches.patch
+stop_machine-sched-fix-migrate_swap-vs.-active_balance-deadlock.patch
+kthread-sched-wait-fix-kthread_parkme-wait-loop.patch
+kthread-sched-wait-fix-kthread_parkme-completion-issue.patch
+arm64-tegra-make-bcm89610-phy-interrupt-as-active-low.patch
+iommu-vt-d-fix-usage-of-force-parameter-in-intel_ir_reconfigure_irte.patch
+iommu-vt-d-fix-shift-out-of-bounds-in-bug-checking.patch
+nvme-fix-potential-memory-leak-in-option-parsing.patch
+nvme-set-integrity-flag-for-user-passthrough-commands.patch
+nvme-multipath-disable-runtime-writable-enabling-parameter.patch
+nvme-multipath-fix-multipath-disabled-naming-collisions.patch
+arm-omap1-ams-delta-fix-deferred_fiq-handler.patch
+arm-dts-correct-missing-compatible-entry-for-ti81xx-socs.patch
+usb-typec-tps6598x-handle-block-reads-separately-with-plain-i2c-adapters.patch
+smc-fix-sendpage-call.patch
+ib-hfi1-use-correct-type-for-num_user_context.patch
+ib-hfi1-rdmavt-fix-memory-leak-in-hfi1_alloc_devdata-upon-failure.patch
+ib-hfi1-fix-memory-leak-in-exception-path-in-get_irq_affinity.patch
+ib-mlx4-fix-integer-overflow-when-calculating-optimal-mtt-size.patch
+rdma-cma-do-not-query-gid-during-qp-state-transition-to-rtr.patch
+spi-bcm2835aux-ensure-interrupts-are-enabled-for-shared-handler.patch
+bpf-fix-possible-spectre-v1-in-find_and_alloc_map.patch
+drm-exynos-mixer-fix-synchronization-check-in-interlaced-mode.patch
+drm-exynos-mixer-avoid-oops-in-vp_video_buffer.patch
+bpf-use-array_index_nospec-in-find_prog_type.patch
+sched-core-introduce-set_special_state.patch
+net-phy-broadcom-add-support-for-bcm89610-phy.patch
+gcc-plugins-fix-build-condition-of-sancov-plugin.patch
+sh-fix-build-failure-for-j2-cpu-with-smp-disabled.patch
+tee-check-shm-references-are-consistent-in-offset-size.patch
+powerpc-trace-syscalls-update-syscall-name-matching-logic.patch
+powerpc-trace-syscalls-update-syscall-name-matching-logic-to-account-for-ppc_-prefix.patch
+mac80211-adjust-sae-authentication-timeout.patch
+drm-vc4-fix-oops-dereferencing-dpi-s-connector-since-panel_bridge.patch
+drm-omap-silence-unititialized-variable-warning.patch
+drm-omap-fix-uninitialized-ret-variable.patch
+drm-omap-fix-possible-null-ref-issue-in-tiler_reserve_2d.patch
+drm-omap-check-return-value-from-soc_device_match.patch
+drm-omap-handle-alloc-failures-in-omap_connector.patch
+nvme-fix-use-after-free-in-nvme_free_ns_head.patch
+driver-core-add-__printf-verification-to-__ata_ehi_pushv_desc.patch
+arm-dts-cygnus-fix-irq-type-for-arm-global-timer.patch
+mac80211-use-timeout-from-the-addba-response-instead-of-the-request.patch
+x86-xen-reset-vcpu0-info-pointer-after-shared_info-remap.patch
+net-aquantia-driver-should-correctly-declare-vlan_features-bits.patch
+net-aquantia-limit-number-of-vectors-to-actually-allocated-irqs.patch
+powerpc-pseries-fix-config_numa-n-build.patch
+can-dev-increase-bus-off-message-severity.patch
+hid-i2c-hid-add-resend_report_descr-quirk-for-toshiba-click-mini-l9w-b.patch
+arm64-add-midr-encoding-for-nvidia-cpus.patch
+cifs-allocate-validate-negotiation-request-through-kmalloc.patch
+cifs-smb2ops-fix-listxattr-when-there-are-no-eas.patch
+drm-amdgpu-switch-to-interruptable-wait-to-recover-from-ring-hang.patch
+agp-uninorth-make-two-functions-static.patch
+tipc-eliminate-kmsan-uninit-value-in-strcmp-complaint.patch
+qed-fix-l2-initializations-over-iwarp-personality.patch
+qede-fix-gfp-flags-sent-to-rdma-event-node-allocation.patch
+cxgb4-copy-mbox-log-size-to-pf0-3-adap-instances.patch
+rxrpc-fix-missing-start-of-call-timeout.patch
+rxrpc-fix-error-reception-on-af_inet6-sockets.patch
+rxrpc-fix-the-min-security-level-for-kernel-calls.patch
+arm-dts-imx51-zii-rdu1-fix-touchscreen-bindings.patch
+kvm-extend-max_irq_routes-to-4096-for-all-archs.patch
+x86-delay-skip-of-emulated-hypercall-instruction.patch
+perf-cs-etm-support-unknown_thread-in-cs_etm_auxtrace.patch
+sh-switch-to-no_bootmem.patch
+ixgbe-return-error-on-unsupported-sfp-module-when-resetting.patch
+ixgbe-fix-memory-leak-on-ipsec-allocation.patch
+net-sched-actions-fix-invalid-pointer-dereferencing-if-skbedit-flags-missing.patch
+lib-find_bit_benchmark.c-avoid-soft-lockup-in-test_find_first_bit.patch
+init-fix-false-positives-in-w-x-checking.patch
+proc-kcore-don-t-bounds-check-against-address-0.patch
+ocfs2-take-inode-cluster-lock-before-moving-reflinked-inode-from-orphan-dir.patch
+kprobes-x86-prohibit-probing-on-exception-masking-instructions.patch
+uprobes-x86-prohibit-probing-on-mov-ss-instruction.patch
+objtool-kprobes-x86-sync-the-latest-asm-insn.h-header-with-tools-objtool-arch-x86-include-asm-insn.h.patch
+x86-pkeys-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-pkeys-abi.patch
+x86-mpx-selftests-adjust-the-self-test-to-fresh-distros-that-export-the-mpx-abi.patch
+x86-selftests-add-mov_to_ss-test.patch
+x86-pkeys-selftests-give-better-unexpected-fault-error-messages.patch
+x86-pkeys-selftests-stop-using-assert.patch
+x86-pkeys-selftests-remove-dead-debugging-code-fix-dprint_in_signal.patch
+x86-pkeys-selftests-avoid-printf-in-signal-deadlocks.patch
+x86-pkeys-selftests-allow-faults-on-unknown-keys.patch
+x86-pkeys-selftests-factor-out-instruction-page.patch
+x86-pkeys-selftests-add-prot_exec-test.patch
+x86-pkeys-selftests-fix-pkey-exhaustion-test-off-by-one.patch
+x86-pkeys-selftests-fix-pointer-math.patch
+x86-pkeys-selftests-save-off-prot-for-allocations.patch
+x86-pkeys-selftests-add-a-test-for-pkey-0.patch
+afs-fix-address-list-parsing.patch
+afs-fix-refcounting-in-callback-registration.patch
+afs-fix-server-rotation-s-handling-of-fileserver-probe-failure.patch
+mtd-fix-comparison-in-map_word_andequal.patch
+afs-fix-vnovol-handling-in-address-rotation.patch
+afs-fix-the-handling-of-cb.initcallbackstate3-to-find-the-server-by-uuid.patch
+afs-fix-afs_find_server-search-loop.patch
+afs-fix-the-non-encryption-of-calls.patch
+usb-musb-fix-remote-wakeup-racing-with-suspend.patch
+arm-keystone-fix-platform_domain_notifier-array-overrun.patch
+i2c-pmcmsp-return-message-count-on-master_xfer-success.patch
+i2c-pmcmsp-fix-error-return-from-master_xfer.patch
+i2c-viperboard-return-message-count-on-master_xfer-success.patch
+arm-davinci-dm646x-fix-timer-interrupt-generation.patch
+arm-davinci-board-dm646x-evm-pass-correct-i2c-adapter-id-for-vpif.patch
+arm-davinci-board-dm646x-evm-set-vpif-capture-card-name.patch
+kvm-x86-lower-the-default-timer-frequency-limit-to-200us.patch
+mtd-rawnand-fix-return-type-of-__divide-when-called-with-32-bit.patch
+clk-imx6ull-use-osc-clock-during-axi-rate-change.patch
+locking-rwsem-add-a-new-rwsem_anonymously_owned-flag.patch
+locking-percpu-rwsem-annotate-rwsem-ownership-transfer-by-setting-rwsem_owner_unknown.patch
+drm-dumb-buffers-integer-overflow-in-drm_mode_create_ioctl.patch
+sched-debug-move-the-print_rt_rq-and-print_dl_rq-declarations-to-kernel-sched-sched.h.patch
+sched-deadline-make-the-grub_reclaim-function-static.patch
+parisc-move-setup_profiling_timer-out-of-init-section.patch
+platform-x86-dell_wmi-use-depends-on-instead-of-select-for-dell_smbios.patch
+efi-libstub-arm64-handle-randomized-text_offset.patch
+arm-8753-1-decompressor-add-a-missing-parameter-to-the-addruart-macro.patch
+arm-8758-1-decompressor-restore-r1-and-r2-just-before-jumping-to-the-kernel.patch
+arm-kexec-fix-kdump-register-saving-on-panic.patch
+arm-replace-unnecessary-perl-with-sed-and-the-shell-operator.patch
+arm-fix-kill-sigfpe-breakage.patch